This wiki page provides step-by-step instructions on how to manually set up the Nex!™ Platform as a Service (PaaS) on a brand new Azure account.
...
- Search for "App registrations" in the Azure search bar
- Enter a name for the registration. E.g. nex-uat (nex-prd for production)
- Enter a URL for the service. E.g. expected Nex!™ UAT URL
- Copy the Application ID - this is the Azure Client ID
- Go to the newly created App Registration and search for the "Keys" section
- Enter a description and set to "never expires"
- Click on "save"
- Copy the application key - this is the Azure Client Secret
- Search for "Active Directory" in the Azure search bar
- Go to properties
- Copy the Directory ID. This is the Azure Tenant ID.
- Search for "Subscriptions" in the Azure search bar
- Click on the default subscription ("Free Trial" or "Pay as you go"). If no subscription exists yet, add a plan and select "Pay as you go".
- Go to "Resource Groups"
- Create a new resource group attached to this subscription called nex-grid-uat (nex-grid-prd for production). Copy the name. This is the Azure Resource Group.
- Click on the newly created resource group
- Click on Access Control
- Click on "Add", select "Owner" as a role and enter the name of the app registration you created previously (e.g. nex-uat). This action will give permissions to the API Key to manage the resource group.
- Go back to Overview
- Copy the Subscription ID. This is the Azure Subscription ID.
...
- From the left menu panel select Virtual Networks (/!\ do not use the 'classic' version).
- Click Add
- Choose a sensible name. E.g. nex-grid-uat-sea-vnet (UAT / South East Asia / Virtual Network)
- Choose a /16 network, e.g. 10.0.0.0/16 for UAT and 10.50.0.0/16 for production. For multiple environments, increment the second octet (e.g. 10.1.0.0/16 for UAT, 10.51.0.0/16 for production)
- Attach the network to the right resource group (UAT or Production)
- Select the right location (Southeast Asia in the example above)
...
- From the left menu panel select More services then search for Network Security Groups (/!\ do not use the 'classic' version).
Create the following four security groups along with their Inbound Security Rules. Adapt naming, resource group and location based on the environment and region. Adapt the source range based on the virtual network IP range.
NOTE: the rules below are grouped per "use type" and may therefore overlap each other. This is intended and aims at better anticipating future changes to source ranges due to stricter security requirements.
Security Group | Rule Name | Source | Destination | Port |
---|---|---|---|---|
nex-grid-uat-sea-sg-compute | SSH | Any | Any | 22 |
nex-grid-uat-sea-sg-compute | HTTP | Any | Any | 80 |
nex-grid-uat-sea-sg-compute | HTTPS | Any | Any | 443 |
nex-grid-uat-sea-sg-compute | Internal-sea | 10.0.0.0/16 | Any | 1024-65535 |
nex-grid-uat-sea-sg-nat | SSH | Any | Any | 22 |
nex-grid-uat-sea-sg-nat | Internal-sea | 10.0.0.0/16 | Any | * |
nex-grid-uat-sea-sg-routing | SSH | Any | Any | 22 |
nex-grid-uat-sea-sg-routing | HTTP | Any | Any | 80 |
nex-grid-uat-sea-sg-routing | HTTPS | Any | Any | 443 |
nex-grid-uat-sea-sg-storage | SSH | Any | Any | 22 |
nex-grid-uat-sea-sg-storage | Rsync-sea | 10.0.0.0/16 | Any | 873 |
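As an added example (not tooling from the Nex!™ project), a small Ruby helper that derives the environment's /16 from the naming convention above, builds the four security groups with the virtual network range substituted into the internal rules, and checks that no CIDR source falls outside that network before the rules are typed into the portal. The function names, the env/region codes and the 0..49 index limit are assumptions of this example.

```ruby
require 'ipaddr'

# Hypothetical helper: the /16 for an environment, following the page's convention of
# 10.<n>.0.0/16 for UAT and 10.<50+n>.0.0/16 for production, n incremented per extra environment.
def vnet_cidr(env, index)
  raise ArgumentError, 'index must be 0..49' unless (0..49).cover?(index)
  second_octet = env == 'prd' ? 50 + index : index
  "10.#{second_octet}.0.0/16"
end

# The four security groups and their inbound rules, named nex-grid-<env>-<region>-sg-<type>,
# with the virtual network range used as the source of the internal rules.
def security_groups(env, region, vnet)
  prefix = "nex-grid-#{env}-#{region}-sg"
  ssh   = { name: 'SSH',   source: 'Any', dest: 'Any', port: '22' }
  http  = { name: 'HTTP',  source: 'Any', dest: 'Any', port: '80' }
  https = { name: 'HTTPS', source: 'Any', dest: 'Any', port: '443' }
  internal = { name: "Internal-#{region}", source: vnet, dest: 'Any' }
  {
    "#{prefix}-compute" => [ssh, http, https, internal.merge(port: '1024-65535')],
    "#{prefix}-nat"     => [ssh, internal.merge(port: '*')],
    "#{prefix}-routing" => [ssh, http, https],
    "#{prefix}-storage" => [ssh, { name: "Rsync-#{region}", source: vnet, dest: 'Any', port: '873' }]
  }
end

# Consistency check: every rule with a CIDR source must lie inside the environment's
# virtual network, so a range copied from another environment is caught early.
# Returns a list of human-readable findings (empty when everything is consistent).
def inconsistent_rules(groups, vnet)
  net = IPAddr.new(vnet)
  groups.flat_map do |sg, rules|
    rules.reject { |r| r[:source] == 'Any' || net.include?(IPAddr.new(r[:source])) }
         .map { |r| "#{sg}/#{r[:name]}: source #{r[:source]} is outside #{vnet}" }
  end
end

if __FILE__ == $PROGRAM_NAME
  vnet = vnet_cidr('uat', 0)
  groups = security_groups('uat', 'sea', vnet)
  groups.each { |sg, rules| puts sg; rules.each { |r| puts "  #{r.values.join(' | ')}" } }
  puts inconsistent_rules(groups, vnet).empty? ? 'rules consistent with vnet' : 'MISMATCH'
end
```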
3.4 - Load Balancer
Repeat the following steps for each environment and region
- From the left menu select Load Balancer
- Create a new load balancer.
- Adapt the name based on region and environment (e.g. nex-grid-uat-sea-elb)
- Choose "public" for the load balancer type
- Attach a dynamic IP to it with a name related to the load balancer name (e.g. nex-grid-uat-sea-elb-ip)
- Set the Resource group to the existing one (UAT or production)
- Set the region accordingly
- Save your load balancer
- Select your load balancer
- Go to Health Probes under it
- Add a health probe with a consistent name (e.g. nex-grid-uat-sea-elb-probe)
Name | Protocol | Port | Path |
---|---|---|---|
nex-grid-uat-sea-elb-probe | HTTP | 80 | /_mno_healthcheck_ping |
- Go to Backend Pool
- Create a new backend pool with a consistent name (e.g. nex-grid-uat-sea-elb-pool). Leave it "unassociated".
- Go to Load Balancing Rules under your load balancer
- Add the following load balancing rules
Name | Port | Backend Port | Backend Pool | Probe |
---|---|---|---|---|
nex-grid-uat-sea-elb-rule-http | 80 | 80 | nex-grid-uat-sea-elb-pool | nex-grid-uat-sea-elb-probe |
nex-grid-uat-sea-elb-rule-https | 443 | 443 | nex-grid-uat-sea-elb-pool | nex-grid-uat-sea-elb-probe |
- Go to IP Addresses and search for the IP you created along with the load balancer (e.g. nex-grid-uat-sea-elb-ip)
- Go to Configuration
- Choose a friendly label to uniquely identify this load balancer. This label will be used to generate the load balancer DNS (see full URL under the input field).
Example: nex-grid-uat-sea-elb-<project-name>
Full example: a label nex-grid-uat-sea-elb-nexmin for an IP address in Southeast Asia will generate the following DNS: nex-grid-uat-sea-elb-nexmin.southeastasia.cloudapp.azure.com
3.5 - Gateway/NAT static IP address
...
- From the left menu select More Services then Public IP Addresses
- Click Add
- Adapt the name based on region and environment (e.g. nex-grid-uat-sea-nat-ip)
- Select static for the type of IP
- You do not have to enter a DNS label
- Attach the IP address to the relevant resource group and select the relevant location
- Click on create
- Wait for Azure to provision the new IP address
3.6 - DNS & SSL Setup
3.6.1 - Corporate DNS
After setting up the Load Balancer DNS above you should set up a wildcard DNS record from your own domain to this Load Balancer DNS.
To do so, log in to your DNS manager portal (e.g. Azure DNS, AWS Route53, GoDaddy etc.) and create the following record. The name of the record should be adapted to your URL branding requirements.
DNS Entry | Type | Value |
---|---|---|
*.uat.nexmin.maestrano.io (example for a maestrano domain related to a "nexmin" project in UAT) | CNAME | nex-grid-uat-sea-elb-nexmin.southeastasia.cloudapp.azure.com (example of load balancer DNS generated by Azure) |
3.6.2 - Default SSL Certificate
...
- From the left panel go to More Services then search for MySQL
- Select Azure Database for MySQL
- Click Add a new database and enter a globally unique name describing the resource, region, environment and project. E.g. nex-orchestrator-uat-sea-db-nexmin
- Set the admin username to azure_root and generate a random password. Note that the admin username must not match a built-in MySQL user (e.g. root).
- Attach the resource to the resource group corresponding to the environment you are targeting (e.g. nex-grid-uat)
- Select the location corresponding to the location the infrastructure has been deployed to (e.g. Southeast Asia)
- Save the resource and wait for Azure to deploy it
- Go to the resource, open Connection Security and disable SSL (Status: Action Needed)
- Still under Connection Security, add a connectivity rule for all traffic (0.0.0.0 to 255.255.255.255) (Status: Action Needed)
...
After Azure has deployed the service you should configure a friendly DNS to point to the Nex!™ orchestrator load balancer - in a similar fashion to what you have done previously for the wildcard domain pointing to the Nex!™ grid.
To do so, log in to your DNS manager portal (e.g. Azure DNS, AWS Route53, GoDaddy etc.) and create the following record. The name of the record should be adapted to your URL branding requirements.
DNS Entry | Type | Value |
---|---|---|
api-nex.uat.nexmin.maestrano.io (example for a maestrano domain related to a "nexmin" project in UAT) | CNAME | nex-orchestrator-uat-sea-elb-nexmin.southeastasia.cloudapp.azure.com (example of load balancer DNS generated by Azure during service deployment) |
4.3.3 - SSH Access
Accessing the first Nex!™ orchestrator machine via SSH:
...
```shell
# Navigate to the orchestrator root path
cd /apps/nex/current
# Fire the console. Adapt the environment: uat or production
bundle exec rails c uat
```
Before launching new virtual machines, you may need to increase the Azure account quota limits; see the paragraph Increasing your account quota.
6.2 - Setup a Gateway Rack
In the console enter the following commands for each vpc_region:
```ruby
# Adjust the region based on where the infrastructure is located
r = GatewayRack.create!(vpc_region: "southeastasia", stack: 'nat')
# This will enqueue a background job to provision the actual rack
r.provision!
# Wait for the rack to be "running"
r.reload.status
```
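As an added example (not code from the Nex!™ orchestrator), a console helper that runs the three calls above for every region and polls until each rack reports "running", with a timeout so a stuck provisioning job is noticed rather than waited on forever. It assumes the GatewayRack model exposes vpc_region as an attribute reader, as Rails models do; the rack class and sleep function are injectable so the helper can be exercised without Azure.

```ruby
# Hypothetical console helper. Uses only GatewayRack.create!, provision! and
# reload.status as shown in the step above; rack_class and sleeper exist so the
# logic can be driven by a fake model outside the orchestrator console.
def provision_gateway_racks(regions, rack_class: GatewayRack, timeout: 900, interval: 15,
                            sleeper: ->(seconds) { sleep seconds })
  # One NAT gateway rack per region; provision! enqueues a background job for each.
  racks = regions.map { |region| rack_class.create!(vpc_region: region, stack: 'nat') }
  racks.each(&:provision!)

  deadline = Time.now + timeout
  loop do
    # Poll the persisted status (reload) rather than the stale in-memory object.
    statuses = racks.map { |r| [r.vpc_region, r.reload.status] }.to_h
    return statuses if statuses.values.all? { |s| s == 'running' }
    raise "timed out after #{timeout}s waiting for gateway racks: #{statuses}" if Time.now >= deadline
    sleeper.call(interval)
  end
end

# In the Rails console (see 4.3.3), for example:
#   provision_gateway_racks(%w[southeastasia])
```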
...