Set up network integration

1. Optionally, connect the solution VNet to the corporate network

2. Grant access to the MongoDB instance

• If the MongoDB instance is a public one, for example, if it is deployed in Mongo Atlas, then add the outbound public IP address of the AKS cluster to the allowlist on the MongoDB cluster. To find this IP address, go to the properties of the public load balancer that Azure has deployed in the Azure Kubernetes Service (AKS) infrastructure resource group. The name is hard coded as kubernetes. The outbound IP address is the public IP of the load balancer frontend. You might need this IP to restrict access to the MongoDB instance if it's publicly available. If outbound internet traffic from the AKS cluster is forwarded through a virtual network appliance, then add the addresses of this appliance to the allowlist on the MongoDB instance instead.
• If the MongoDB instance is internal, that is, if it's accessible through a private IP address, then connect the solution VNet to the corporate network and allow it to access the target MongoDB cluster. If the MongoDB connection string contains a DNS name of the cluster rather than its IP address, then this name must be resolvable from the solution VNet. The specific configuration for this functionality depends on the customer DNS infrastructure setup.

3. Establish the client connectivity to the solution frontend

• Create a private endpoint to the target Azure Private Link service
• Establish connectivity directly to the AKS load balancer frontend

3.1 Create a private endpoint to the target Azure Private Link service

3.2 Establish connectivity directly to the AKS load balancer frontend

4. Create a DNS record for the domain name

• This record must be a DNS A record.
• The record must point to one of these IP addresses, depending on the connectivity method you chose:
  • The IP address of the private endpoint to the Azure Private Link service, which you have created at the previous step
  • The IP address of the AKS load balancer frontend

5. Create a private endpoint for the workspace storage account

<project-prefix>am<region-code>wrkspc<random-substring>

• Attach the private endpoint to a VNet that is in the customer Azure environment and that is accessible from the corporate network, so that end users can reach it.
• Set the private endpoint in the same region as the deployed solution.
• Create the private endpoint resource in a resource group that is different from the solution resource group and from the AKS infrastructure resource groups. These resource groups are managed and must not contain customer-created resources.
• Create a DNS entry for this private endpoint in the internal DNS infrastructure, that is, in the privatelink.blob.core.windows.net zone that is managed by the customer. This requirement is to enable clients to resolve the storage account name to its private IP address rather than to the public one. To this end, enable DNS integration for the endpoint with the relevant private DNS zone in the customer cloud environment. Alternatively, create the DNS record in a manual or automated way, depending on the setup of the customer DNS infrastructure.

6. Optionally, configure the routing and firewall rules

1. Connect the solution VNet to the corporate network.
2. Apply this additional configuration:
   • To allow the required outbound access, configure the firewall rules on the central network virtual appliance, for example, Azure Firewall. Refer to the firewall rules for the outbound internet access.
   • Configure routing. The

     0.0.0.0/0

     route must point to the network virtual appliance.
   • Change the outboundType setting of the AKS cluster from

     loadBalancer

     to

     userDefinedRouting

     . Refer to the procedure in the Azure documentation.
   Run this command:

   az aks update -g <resourceGroup> -n <clusterName> --outbound-type userDefinedRouting

Next steps