Set up network integration

Set up network integration with the customer environment

To set up network integration, complete these steps:

1. Optionally, connect the solution VNet to the corporate network

Optionally, connect the solution VNet to the corporate network. For example, peer the VNet with a network hub or create a connection to a virtual WAN (VWAN) hub. This step may be required depending on the approaches selected for MongoDB and client access, as described below. The solution itself doesn't need access to any resources in the corporate network, except for the MongoDB cluster if it's internal.

2. Grant access to the MongoDB instance

If access from the solution VNet to the MongoDB instance was not available at deployment time, grant it now. Monitor the initialization of the solution to ensure it completes successfully. You can establish this connectivity in two ways:
  • If the MongoDB instance is a public one, for example, if it is deployed in MongoDB Atlas, then add the outbound public IP address of the AKS cluster to the allowlist on the MongoDB cluster. To find this IP address, go to the properties of the public load balancer that Azure has deployed in the Azure Kubernetes Service (AKS) infrastructure resource group. This load balancer is always named kubernetes. The outbound IP address is the public IP of the load balancer frontend. You need this IP to restrict access to the MongoDB instance if it's publicly reachable. If outbound internet traffic from the AKS cluster is forwarded through a network virtual appliance, then add the public addresses of this appliance to the allowlist on the MongoDB instance instead.
  • If the MongoDB instance is internal, that is, if it's accessible through a private IP address, then connect the solution VNet to the corporate network and allow it to access the target MongoDB cluster. If the MongoDB connection string contains a DNS name of the cluster rather than its IP address, then this name must be resolvable from the solution VNet. The specific configuration for this functionality depends on the customer DNS infrastructure setup.
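The following script is an added example and is not part of the original page or the vendor's tooling. It discovers the addresses a MongoDB allowlist must contain for the cluster, branching on the AKS outboundType exactly as the two cases above describe (load balancer egress versus a network virtual appliance), and then runs a TCP reachability check against the MongoDB host from a throwaway pod inside the cluster. The resource group, cluster name and MongoDB host are assumed placeholders supplied as arguments.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): find the egress addresses for the
# MongoDB allowlist and check that the cluster can reach the MongoDB host.
# Assumed placeholders: <resourceGroup> <clusterName> <mongoHost> [<mongoPort>].
set -eu

# Decide where cluster traffic leaves from, based on the AKS outboundType:
# loadBalancer egress uses the public IPs of the "kubernetes" load balancer;
# userDefinedRouting means the network virtual appliance is the real source.
egress_source_for() {
  case "$1" in
    loadBalancer)       echo "azure-managed-public-ips" ;;
    userDefinedRouting) echo "network-virtual-appliance" ;;
    *)                  echo "unsupported outboundType: $1" >&2; return 1 ;;
  esac
}

# Print the public IP addresses the cluster currently uses for outbound traffic.
# Reads networkProfile.loadBalancerProfile.effectiveOutboundIPs from the cluster.
aks_outbound_ips() {
  rg="$1"; name="$2"
  ip_ids=$(az aks show -g "$rg" -n "$name" \
    --query "networkProfile.loadBalancerProfile.effectiveOutboundIPs[].id" -o tsv)
  [ -n "$ip_ids" ] || { echo "no effective outbound IPs found" >&2; return 1; }
  for id in $ip_ids; do
    az network public-ip show --ids "$id" --query ipAddress -o tsv
  done
}

# Reachability check from inside the cluster: a short-lived busybox pod opens a
# TCP connection to the MongoDB host and port (5 second timeout).
check_mongo_reachable() {
  host="$1"; port="${2:-27017}"
  kubectl run mongo-reach-check --rm -i --restart=Never --image=busybox:1.36 -- \
    sh -c "nc -z -w 5 $host $port && echo reachable || { echo unreachable; exit 1; }"
}

main() {
  rg="$1"; cluster="$2"; mongo_host="$3"; mongo_port="${4:-27017}"
  outbound_type=$(az aks show -g "$rg" -n "$cluster" \
    --query networkProfile.outboundType -o tsv)
  case "$(egress_source_for "$outbound_type")" in
    azure-managed-public-ips)
      echo "Add these addresses to the MongoDB allowlist:"
      aks_outbound_ips "$rg" "$cluster" ;;
    network-virtual-appliance)
      echo "Egress goes through an NVA (outboundType=$outbound_type):"
      echo "allowlist the appliance's public addresses instead." ;;
  esac
  check_mongo_reachable "$mongo_host" "$mongo_port"
}

# Only run when invoked with arguments, so the functions can also be sourced.
if [ $# -ge 3 ]; then main "$@"; fi
```

Run it as `./mongo-egress.sh <resourceGroup> <clusterName> <mongoHost>` after signing in with `az login` and pointing `kubectl` at the cluster; if the pod prints `unreachable`, the allowlist, the VNet connection or DNS resolution from the solution VNet is still missing.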

3. Establish the client connectivity to the solution frontend

To establish this connectivity, choose one of these methods:
  • Create a private endpoint to the target Azure Private Link service
  • Establish connectivity directly to the AKS load balancer frontend

3.1 Create a private endpoint to the target Azure Private Link service

Create a private endpoint to the Azure Private Link service that is attached to the AKS load balancer frontend. Connect this private endpoint to a VNet that is in the customer Azure environment and that is accessible from the corporate network, so that end users can reach it. The private endpoint must reside in the same region as the deployed solution. To locate the target Private Link service, look in the infrastructure resource group of the deployed AKS cluster. Alternatively, search for Private Link service resources in the subscription. Create the private endpoint resource in a resource group that is different from the solution resource group and from the AKS infrastructure resource groups. These resource groups are managed and must not contain customer-created resources.

3.2 Establish connectivity directly to the AKS load balancer frontend

Establish connectivity directly to the AKS load balancer frontend to which the Private Link service is attached. You can use this method only if the solution VNet is connected to the corporate network and the frontend is reachable from client machines.

4. Create a DNS record for the domain name

Create a DNS record for the domain name of the solution, which you entered when configuring the Azure Marketplace offer:
  • This record must be a DNS A record.
  • The record must point to one of these IP addresses, depending on the connectivity method you chose:
    • The IP address of the private endpoint to the Azure Private Link service, which you created in the previous step
    • The IP address of the AKS load balancer frontend

5. Create a private endpoint for the workspace storage account

Create a private endpoint for the workspace storage account. Alternatively, you can allow public access to this storage account, but this method is less secure. The private endpoint targets the blob subresource of the workspace storage account, which is deployed as part of the solution. To find the target storage account in the solution managed resource group, use this name pattern:
<project-prefix>am<region-code>wrkspc<random-substring>
The private endpoint must meet these requirements:
  • Attach the private endpoint to a VNet that is in the customer Azure environment and that is accessible from the corporate network, so that end users can reach it.
  • Set the private endpoint in the same region as the deployed solution.
  • Create the private endpoint resource in a resource group that is different from the solution resource group and from the AKS infrastructure resource groups. These resource groups are managed and must not contain customer-created resources.
  • Create a DNS entry for this private endpoint in the internal DNS infrastructure, that is, in the privatelink.blob.core.windows.net zone that is managed by the customer. This requirement is to enable clients to resolve the storage account name to its private IP address rather than to the public one. To this end, enable DNS integration for the endpoint with the relevant private DNS zone in the customer cloud environment. Alternatively, create the DNS record in a manual or automated way, depending on the setup of the customer DNS infrastructure.
After you have created the private endpoint and configured DNS, you can safely disable public network access to this storage account in its networking (firewall) settings.
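The script below is an added example, not code from the original page or the solution vendor. It carries steps 3.1, 4 and 5 through with the Azure CLI: it creates the private endpoint to the Private Link service in the AKS infrastructure resource group, publishes the endpoint's private IP as an A record for the solution domain name, then creates the blob private endpoint for the workspace storage account with a DNS zone group for privatelink.blob.core.windows.net and disables public network access. The resource group, VNet, subnet, zone and domain names are assumed placeholders passed as arguments, and the A record is written to an Azure Private DNS zone (an assumption; an on-premises DNS server would get the equivalent record).

```shell
#!/usr/bin/env bash
# Added example (not from the original page): private endpoints for the solution
# frontend and the workspace storage account, plus the DNS records for both.
# All resource names passed in are assumed placeholders.
set -eu

# Split a fully qualified name into the record name inside a given zone, e.g.
# "solution.corp.example.com" in zone "corp.example.com" gives "solution".
record_name_in_zone() {
  fqdn="$1"; zone="$2"
  case "$fqdn" in
    *."$zone") printf '%s\n' "${fqdn%."$zone"}" ;;
    *) echo "$fqdn is not inside zone $zone" >&2; return 1 ;;
  esac
}

# Heuristic check against the documented pattern
# <project-prefix>am<region-code>wrkspc<random-substring>.
looks_like_workspace_account() {
  case "$1" in
    *am*wrkspc*) return 0 ;;
    *) return 1 ;;
  esac
}

# Private IPv4 address on a private endpoint's network interface.
private_endpoint_ip() {
  rg="$1"; pe_name="$2"
  nic_id=$(az network private-endpoint show -g "$rg" -n "$pe_name" \
    --query "networkInterfaces[0].id" -o tsv)
  az network nic show --ids "$nic_id" \
    --query "ipConfigurations[0].privateIPAddress" -o tsv
}

# Step 3.1: endpoint to the Private Link service fronting the AKS load balancer.
# The service lives in the AKS node resource group; the endpoint goes into a
# customer-managed resource group (never the managed ones). Prints the PE IP.
create_frontend_private_endpoint() {
  aks_rg="$1"; aks_name="$2"; pe_rg="$3"; vnet="$4"; subnet="$5"; location="$6"
  node_rg=$(az aks show -g "$aks_rg" -n "$aks_name" --query nodeResourceGroup -o tsv)
  pls_id=$(az network private-link-service list -g "$node_rg" --query "[0].id" -o tsv)
  [ -n "$pls_id" ] || { echo "no Private Link service found in $node_rg" >&2; return 1; }
  az network private-endpoint create -g "$pe_rg" -n solution-frontend-pe -l "$location" \
    --vnet-name "$vnet" --subnet "$subnet" \
    --private-connection-resource-id "$pls_id" --connection-name solution-frontend >/dev/null
  private_endpoint_ip "$pe_rg" solution-frontend-pe
}

# Step 4: A record for the solution domain name in an Azure Private DNS zone.
create_solution_a_record() {
  dns_rg="$1"; zone="$2"; fqdn="$3"; ip="$4"
  name=$(record_name_in_zone "$fqdn" "$zone")
  az network private-dns record-set a add-record -g "$dns_rg" -z "$zone" \
    -n "$name" -a "$ip" >/dev/null
}

# Step 5: blob private endpoint for the workspace storage account, DNS zone group
# for the privatelink.blob.core.windows.net zone, then public access turned off.
lock_down_workspace_storage() {
  solution_rg="$1"; pe_rg="$2"; vnet="$3"; subnet="$4"; location="$5"; zone_id="$6"
  sa_name=$(az storage account list -g "$solution_rg" \
    --query "[?contains(name, 'wrkspc')].name | [0]" -o tsv)
  looks_like_workspace_account "$sa_name" || { echo "unexpected account: $sa_name" >&2; return 1; }
  sa_id=$(az storage account show -g "$solution_rg" -n "$sa_name" --query id -o tsv)
  az network private-endpoint create -g "$pe_rg" -n "${sa_name}-blob-pe" -l "$location" \
    --vnet-name "$vnet" --subnet "$subnet" --group-id blob \
    --private-connection-resource-id "$sa_id" --connection-name "${sa_name}-blob" >/dev/null
  az network private-endpoint dns-zone-group create -g "$pe_rg" \
    --endpoint-name "${sa_name}-blob-pe" -n default \
    --private-dns-zone "$zone_id" --zone-name blob >/dev/null
  az storage account update -g "$solution_rg" -n "$sa_name" \
    --public-network-access Disabled --default-action Deny >/dev/null
  # Clients must now resolve the account to the private IP, not a public one.
  nslookup "${sa_name}.blob.core.windows.net"
}

# Dispatch: ./net-integration.sh <function> <args...>
[ $# -eq 0 ] || "$@"
```

Typical order: call `create_frontend_private_endpoint`, feed the printed IP to `create_solution_a_record`, then run `lock_down_workspace_storage` with the resource ID of the customer's privatelink.blob.core.windows.net zone; the final nslookup should return an address from the endpoint subnet, which confirms the DNS integration before any public access is switched off.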

6. Optionally, configure the routing and firewall rules

Optionally, configure the routing and firewall rules to lock down or control outbound internet access for the solution in the AKS cluster. If this configuration is required, complete these steps:
  1. Connect the solution VNet to the corporate network.
  2. Apply this additional configuration:
    • To allow the required outbound access, configure the firewall rules on the central network virtual appliance, for example, Azure Firewall. Refer to the firewall rules for the outbound internet access.
    • Configure routing. The 0.0.0.0/0 route must point to the network virtual appliance.
    • Change the outboundType setting of the AKS cluster from loadBalancer to userDefinedRouting. Refer to the procedure in the Azure documentation, or run this command:
    az aks update -g <resourceGroup> -n <clusterName> --outbound-type userDefinedRouting
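As an added example (not from the original page or the vendor), the script below performs the routing part of this step with the Azure CLI: it creates a route table whose 0.0.0.0/0 route points at the network virtual appliance, attaches it to the AKS node subnet, reads the route back to confirm it is really a default route to an appliance, and only then switches the cluster to userDefinedRouting. The firewall rules themselves are left to the referenced rule set; the resource group, VNet, subnet, cluster name, region and appliance IP are assumed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): default route via an NVA on the
# AKS subnet, then outboundType switched to userDefinedRouting. All names and
# the appliance IP are assumed placeholders passed as arguments.
set -eu

# True only for a route that captures all traffic and hands it to an NVA, which
# is what AKS requires on the node subnet before the outbound type can change.
is_default_route_via_nva() {
  prefix="$1"; next_hop_type="$2"
  [ "$prefix" = "0.0.0.0/0" ] && [ "$next_hop_type" = "VirtualAppliance" ]
}

configure_udr_egress() {
  rg="$1"; vnet="$2"; subnet="$3"; cluster="$4"; nva_ip="$5"; location="$6"
  rt=aks-egress-rt

  # Route table with a single default route to the appliance, bound to the subnet.
  az network route-table create -g "$rg" -n "$rt" -l "$location" >/dev/null
  az network route-table route create -g "$rg" --route-table-name "$rt" -n default-via-nva \
    --address-prefix 0.0.0.0/0 --next-hop-type VirtualAppliance \
    --next-hop-ip-address "$nva_ip" >/dev/null
  az network vnet subnet update -g "$rg" --vnet-name "$vnet" -n "$subnet" \
    --route-table "$rt" >/dev/null

  # Read the route back; refuse to switch outbound type unless it is correct,
  # because the switch without a default route leaves the nodes without egress.
  prefix=$(az network route-table route show -g "$rg" --route-table-name "$rt" \
    -n default-via-nva --query addressPrefix -o tsv)
  hop=$(az network route-table route show -g "$rg" --route-table-name "$rt" \
    -n default-via-nva --query nextHopType -o tsv)
  is_default_route_via_nva "$prefix" "$hop" || { echo "default route missing on $subnet" >&2; return 1; }

  # Firewall rules for the required outbound access must already exist on the NVA.
  az aks update -g "$rg" -n "$cluster" --outbound-type userDefinedRouting >/dev/null
  az aks show -g "$rg" -n "$cluster" --query networkProfile.outboundType -o tsv
}

# Dispatch: ./udr-egress.sh configure_udr_egress <rg> <vnet> <subnet> <cluster> <nvaIp> <location>
[ $# -eq 0 ] || "$@"
```

The final `az aks show` prints `userDefinedRouting` when the change has applied; once it has, the public load balancer's outbound IP is no longer the cluster's egress address, so a MongoDB allowlist from step 2 must list the appliance's public addresses instead.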

Next steps

Set up the identity subsystem