Set up network integration

Set up network integration with the customer environment

To set up network integration, complete these steps:

1. Grant access to the MongoDB instance

If access from the solution VNet to the MongoDB instance was not available at deployment time, grant it now, then monitor the initialization of the solution to ensure it completes successfully. To find the outbound IP address of the AKS cluster that Azure deployed as part of the solution, open the public load balancer in the Azure Kubernetes Service (AKS) infrastructure resource group; its name is hard coded as kubernetes. The outbound IP address is the public IP of the load balancer frontend. If the MongoDB instance is reachable from the public internet, use this IP to allow-list only the cluster rather than leaving the instance open to all sources.

2. Create a private endpoint to the target Azure Private Link service

Create a private endpoint to the Azure Private Link service that is attached to the AKS load balancer frontend. Attach this private endpoint to a VNet in the customer Azure environment that is reachable from the corporate network, so that end users can reach the solution. To locate the target Private Link service, look in the infrastructure resource group of the deployed AKS cluster, or search for Private Link service resources in the subscription. Create the private endpoint resource in a resource group that is different from the solution resource group and from the AKS infrastructure resource groups: those resource groups are managed and must not contain customer-created resources. After creation, check the connection state of the endpoint; a connection in the Pending state has not yet been approved on the Private Link service side and will not pass traffic.

3. Create a DNS record for the domain name

Create a DNS record for the domain name of the solution, which you entered when configuring the Azure Marketplace offer:
  • The record must be a DNS A record.
  • The record must point to the private IP address of the private endpoint to the Azure Private Link service that you created in the previous step.

4. Create a private endpoint for the workspace storage account

Create a private endpoint for the workspace storage account, targeting its blob subresource. This account was deployed as part of the solution and its name follows this pattern:
<project-prefix>am<region-code>wrkspc<random-substring>
The private endpoint must meet these requirements:
  • Attach the private endpoint to a VNet in the customer Azure environment that is reachable from the corporate network, so that end users can still reach the account once public access to it is prohibited.
  • Create the private endpoint resource in a resource group that is different from the solution resource group and from the AKS infrastructure resource groups. These resource groups are managed and must not contain customer-created resources.
  • Create a DNS entry for this private endpoint in the internal DNS infrastructure, that is, in the privatelink.blob.core.windows.net zone managed by the customer, so that clients resolve the storage account name to its private IP address rather than to the public one. To this end, enable DNS integration for the endpoint with the relevant private DNS zone in the customer cloud environment, or create the record manually or through automation.
After you have created the private endpoint and configured DNS, verify from a client on the corporate network that <account-name>.blob.core.windows.net resolves to the private endpoint address. Only then disable public network access to the storage account in its networking (firewall) settings: any client that still resolves the public address will be blocked as soon as you do.
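The four steps above as one Azure CLI script. This is an added example written for this page, not the solution vendor's or Microsoft's own code: every resource group, VNet, subnet, domain and storage account name in it is a placeholder to replace, the corporate DNS zone and the privatelink.blob.core.windows.net zone are assumed to be Azure Private DNS zones (on other DNS, create the same A record there), and the resolver check uses getent. The Azure calls run only when RUN_AZURE_STEPS=1 is set after az login; the two helper functions (is_private_ipv4, is_workspace_account_name) run anywhere.

```shell
#!/usr/bin/env bash
# Added example for this page; illustrative only. All names below are
# hypothetical placeholders. Requires `az login` and network rights on the
# customer subscription. Executes the Azure steps only with RUN_AZURE_STEPS=1.

# --- placeholders (assumed names; replace with your own) ---
SOLUTION_RG="rg-solution"                              # managed solution resource group
AKS_INFRA_RG="MC_rg-solution_aks-solution_westeurope"  # AKS infrastructure resource group
CUSTOMER_RG="rg-customer-network"     # customer-owned RG for private endpoints (never a managed RG)
VNET="vnet-corp"                      # customer VNet reachable from the corporate network
SUBNET="snet-private-endpoints"
SOLUTION_FQDN="solution.corp.example.com"   # domain name entered in the Marketplace offer
WORKSPACE_SA="contosoamweuwrkspcab12cd"     # <project-prefix>am<region-code>wrkspc<random-substring>
PRIVATE_DNS_RG="rg-dns"   # RG holding the corporate zone and privatelink.blob.core.windows.net (assumed Azure Private DNS)

# RFC 1918 test for the address a client resolves after DNS integration.
is_private_ipv4() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Sanity check that a name follows the workspace storage account pattern above.
is_workspace_account_name() {
  case "$1" in
    *am*wrkspc*) return 0 ;;
    *) return 1 ;;
  esac
}

# Step 1: outbound public IP of the AKS cluster = public IP of the "kubernetes" LB frontend.
# If the LB has several frontends, take the one referenced by its outbound rule.
aks_outbound_ip() {
  local pip_id
  pip_id=$(az network lb show -g "$AKS_INFRA_RG" -n kubernetes \
    --query "frontendIPConfigurations[].publicIPAddress.id" -o tsv | head -n1)
  az network public-ip show --ids "$pip_id" --query ipAddress -o tsv
}

# Private IPv4 address of a private endpoint's NIC (works for PLS and storage endpoints).
private_endpoint_ip() {
  local nic_id
  nic_id=$(az network private-endpoint show -g "$CUSTOMER_RG" -n "$1" \
    --query "networkInterfaces[0].id" -o tsv)
  az network nic show --ids "$nic_id" --query "ipConfigurations[0].privateIPAddress" -o tsv
}

main() {
  command -v az >/dev/null || { echo "az CLI not found" >&2; return 1; }
  echo "AKS outbound IP (allow-list this on MongoDB if it is publicly reachable): $(aks_outbound_ip)"

  # Step 2: private endpoint to the Private Link service found in the AKS infra RG.
  local pls_id
  pls_id=$(az network private-link-service list -g "$AKS_INFRA_RG" --query "[0].id" -o tsv)
  az network private-endpoint create -g "$CUSTOMER_RG" -n pe-solution-pls \
    --vnet-name "$VNET" --subnet "$SUBNET" \
    --private-connection-resource-id "$pls_id" --connection-name solution-pls >/dev/null

  # Step 3: A record for the solution domain pointing at the endpoint's private IP.
  local pls_ip host zone
  pls_ip=$(private_endpoint_ip pe-solution-pls)
  host=${SOLUTION_FQDN%%.*}; zone=${SOLUTION_FQDN#*.}
  az network private-dns record-set a add-record -g "$PRIVATE_DNS_RG" -z "$zone" -n "$host" -a "$pls_ip" >/dev/null

  # Step 4: blob private endpoint for the workspace storage account plus DNS zone group.
  is_workspace_account_name "$WORKSPACE_SA" || { echo "unexpected storage account name" >&2; return 1; }
  local sa_id zone_id
  sa_id=$(az storage account show -g "$SOLUTION_RG" -n "$WORKSPACE_SA" --query id -o tsv)
  az network private-endpoint create -g "$CUSTOMER_RG" -n pe-workspace-blob \
    --vnet-name "$VNET" --subnet "$SUBNET" --group-id blob \
    --private-connection-resource-id "$sa_id" --connection-name workspace-blob >/dev/null
  zone_id=$(az network private-dns zone show -g "$PRIVATE_DNS_RG" \
    -n privatelink.blob.core.windows.net --query id -o tsv)
  az network private-endpoint dns-zone-group create -g "$CUSTOMER_RG" \
    --endpoint-name pe-workspace-blob -n default --zone-name blob --private-dns-zone "$zone_id" >/dev/null

  # Cut public access only after this client resolves the account to a private address.
  local resolved
  resolved=$(getent hosts "$WORKSPACE_SA.blob.core.windows.net" | awk '{print $1; exit}')
  if is_private_ipv4 "$resolved"; then
    az storage account update -g "$SOLUTION_RG" -n "$WORKSPACE_SA" --public-network-access Disabled >/dev/null
    echo "public access disabled; $WORKSPACE_SA resolves to $resolved"
  else
    echo "refusing to disable public access: $WORKSPACE_SA resolved to '$resolved' (not private)" >&2
    return 1
  fi
}

if [ "${RUN_AZURE_STEPS:-0}" = "1" ]; then main; fi
```

Run it from a machine on the corporate network, so that the final resolver check exercises the same DNS path your end users will take; the script refuses to disable public access when the account still resolves to a public address.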

Next steps

Set up the identity subsystem