This wiki page provides step-by-step instructions on how to manually set up the Nex!™ Platform as a Service (PaaS) on a brand new Azure account.

...

  1. Search for "App registrations" in the Azure search bar
  2. Enter a name for the registration. E.g. nex-uat (nex-prd for production)
  3. Enter a URL for the service. E.g. expected Nex!™ UAT URL
  4. Copy the Application ID - this is the Azure Client ID
  5. Go to the newly created App Registration and search for the "Keys" section
  6. Enter a description and set to "never expires"
  7. Click on "save"
  8. Copy the application key - this is the Azure Client Secret
  9. Search for "Active Directory" in the Azure search bar
  10. Go to properties
  11. Copy the Directory ID. This is the Azure Tenant ID.
  12. Search for "Subscriptions" in the Azure search bar
  13. Click on the default subscription ("Free Trial" or "Pay as you go"). If no subscription exists yet, Add a plan and select "Pay as you go".
  14. Go to "Resource Groups"
  15. Create a new resource group attached to this subscription called nex-grid-uat (nex-grid-prd for production). Copy the name. This is the Azure Resource Group.
  16. Click on the newly created resource group
  17. Click on Access Control
  18. Click on "Add", select "Owner" as a role and enter the name of the app registration you created previously (e.g. nex-uat). This action will give permissions to the API Key to manage the resource group.
  19. Go back to Overview
  20. Copy the Subscription ID. This is the Azure Subscription ID.

...

  1. From the left menu panel select Virtual Networks (/!\ do not use the 'classic' version).
  2. Click Add
  3. Choose a sensible name. E.g. nex-grid-uat-sea-vnet (UAT / South East Asia / Virtual Network)
  4. Choose a /16 network. E.g. 10.0.0.0/16 for UAT and 10.50.0.0/16 for production. Increment the second octet for additional environments (e.g. 10.1.0.0/16 for a second UAT, 10.51.0.0/16 for a second production)
  5. Attach the network to the right resource group (UAT or Production)
  6. Select the right location (Southeast Asia in the example above)

...

  1. From the left menu panel select More services then search for Network Security Groups (/!\ do not use the 'classic' version).
  2. Create the following four security groups along with their Inbound Security Rules. Adapt naming, resource group and location based on the environment and region. Adapt source range based on virtual network IP range.
    NOTE: the rules below are grouped per "use type" and may therefore overlap with each other. This is intended and aims at better anticipating future changes to source ranges due to stricter security requirements.

    Security Group              | Rule Name    | Source      | Destination | Port
    nex-grid-uat-sea-sg-compute | SSH          | Any         | Any         | 22
                                | HTTP         | Any         | Any         | 80
                                | HTTPS        | Any         | Any         | 443
                                | Internal-sea | 10.0.0.0/16 | Any         | 1024-65535
    nex-grid-uat-sea-sg-nat     | SSH          | Any         | Any         | 22
                                | Internal-sea | 10.0.0.0/16 | Any         | *
    nex-grid-uat-sea-sg-routing | SSH          | Any         | Any         | 22
                                | HTTP         | Any         | Any         | 80
                                | HTTPS        | Any         | Any         | 443
    nex-grid-uat-sea-sg-storage | SSH          | Any         | Any         | 22
                                | Rsync-sea    | 10.0.0.0/16 | Any         | 873
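The address plan from the Virtual Network steps and the four security groups above, modelled as data so they can be checked before anything is typed into the portal. This is an added example, not code from the original page or from the Nex!™ project: vnet_cidr encodes the page's "10.n.0.0/16 for UAT, 10.(50+n).0.0/16 for production" convention, and matching_rules reports every rule that would admit a given source/port (several, since the rules intentionally overlap). It models only the explicit allow rules listed in the table; Azure's default rules and priority ordering are deliberately left out.

```ruby
require 'ipaddr'

# --- VNet address plan (Virtual Network steps) ------------------------------
# UAT environments take 10.<n>.0.0/16, production takes 10.<50+n>.0.0/16,
# n = 0 for the first environment of each kind.
def vnet_cidr(env, index = 0)
  base = env == 'production' ? 50 : 0
  IPAddr.new("10.#{base + index}.0.0/16")
end

# True when no two networks in the plan share any address.
def disjoint?(cidrs)
  cidrs.combination(2).none? { |a, b| a.include?(b) || b.include?(a) }
end

# --- Inbound NSG rules (table above), as data --------------------------------
# source: IPAddr network or nil (= Any); ports: Range or nil (= *)
Rule = Struct.new(:name, :source, :ports, keyword_init: true)

def rule(name, source, ports)
  src = if source == 'Any' then nil
        elsif source.is_a?(IPAddr) then source
        else IPAddr.new(source)
        end
  prt = if ports == '*' then nil
        else
          lo, hi = ports.split('-').map(&:to_i)
          (lo..(hi || lo))
        end
  Rule.new(name: name, source: src, ports: prt)
end

VNET_UAT_SEA = vnet_cidr('uat') # 10.0.0.0/16, the "Internal-sea" source range

SECURITY_GROUPS = {
  'nex-grid-uat-sea-sg-compute' => [
    rule('SSH', 'Any', '22'),
    rule('HTTP', 'Any', '80'),
    rule('HTTPS', 'Any', '443'),
    rule('Internal-sea', VNET_UAT_SEA, '1024-65535')
  ],
  'nex-grid-uat-sea-sg-nat' => [
    rule('SSH', 'Any', '22'),
    rule('Internal-sea', VNET_UAT_SEA, '*')
  ],
  'nex-grid-uat-sea-sg-routing' => [
    rule('SSH', 'Any', '22'),
    rule('HTTP', 'Any', '80'),
    rule('HTTPS', 'Any', '443')
  ],
  'nex-grid-uat-sea-sg-storage' => [
    rule('SSH', 'Any', '22'),
    rule('Rsync-sea', VNET_UAT_SEA, '873')
  ]
}.freeze

# Names of every rule in `group` that admits traffic from src_ip to dst_port.
# An empty list means none of the explicit allow rules match.
def matching_rules(group, src_ip, dst_port)
  ip = IPAddr.new(src_ip)
  SECURITY_GROUPS.fetch(group).select do |r|
    (r.source.nil? || r.source.include?(ip)) &&
      (r.ports.nil? || r.ports.cover?(dst_port))
  end.map(&:name)
end

def allowed?(group, src_ip, dst_port)
  !matching_rules(group, src_ip, dst_port).empty?
end

# Rules whose source is Any, i.e. what the group exposes to the Internet.
def internet_exposed(group)
  SECURITY_GROUPS.fetch(group).select { |r| r.source.nil? }
                 .to_h { |r| [r.name, r.ports] }
end

if __FILE__ == $PROGRAM_NAME
  puts "plan disjoint: #{disjoint?([vnet_cidr('uat'), vnet_cidr('uat', 1), vnet_cidr('production')])}"
  puts "compute <- 10.0.3.7:3306   #{matching_rules('nex-grid-uat-sea-sg-compute', '10.0.3.7', 3306).inspect}"
  puts "compute <- 203.0.113.5:3306 #{matching_rules('nex-grid-uat-sea-sg-compute', '203.0.113.5', 3306).inspect}"
  puts "nat     <- 10.0.1.1:22     #{matching_rules('nex-grid-uat-sea-sg-nat', '10.0.1.1', 22).inspect}"
end
```

A useful check before widening any source range is to run internet_exposed over each group and confirm that only 22, 80 and 443 appear; storage port 873 and the 1024-65535 range stay scoped to the UAT /16, so a production source such as 10.50.0.4 is not admitted.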


3.4 - Load Balancer

Repeat the following steps for each environment and region

  1. From the left menu select Load Balancer
  2. Create a new load balancer. 
  3. Adapt the name based on region and environment (e.g. nex-grid-uat-sea-elb)
  4. Choose "public" for the load balancer type
  5. Attach a dynamic IP to it with a name related to the load balancer name (e.g. nex-grid-uat-sea-elb-ip)
  6. Set the Resource group to the existing one (UAT or production)
  7. Set the region accordingly
  8. Save your load balancer
  9. Select your load balancer
  10. Go to Health Probes under it
  11. Add a health probe with a consistent name (e.g. nex-grid-uat-sea-elb-probe)

    Name                       | Protocol | Port | Path
    nex-grid-uat-sea-elb-probe | HTTP     | 80   | /_mno_healthcheck_ping


  12. Go to Backend Pool

  13. Create a new backend pool with a consistent name (e.g. nex-grid-uat-sea-elb-pool). Leave it "unassociated".

  14. Go to Load Balancing Rules under your load balancer

  15. Add the following load balancing rules

    Name                            | Port | Backend Port | Backend Pool              | Probe
    nex-grid-uat-sea-elb-rule-http  | 80   | 80           | nex-grid-uat-sea-elb-pool | nex-grid-uat-sea-elb-probe
    nex-grid-uat-sea-elb-rule-https | 443  | 443          | nex-grid-uat-sea-elb-pool | nex-grid-uat-sea-elb-probe


  16. Go to IP Addresses and search for the IP you created along with the load balancer (e.g. nex-grid-uat-sea-elb-ip)
  17. Go to Configuration
  18. Choose a friendly label to uniquely identify this load balancer. This label will be used to generate the load balancer DNS (see full URL under the input field).
    Example: nex-grid-uat-sea-elb-<project-name>
    Full example: a label nex-grid-uat-sea-elb-nexmin for an IP address in Southeast Asia will generate the following DNS: nex-grid-uat-sea-elb-nexmin.southeastasia.cloudapp.azure.com

3.5 - Gateway/NAT static IP address

...

  1. From the left menu select More Services then Public IP Addresses
  2. Click Add
  3. Adapt the name based on region and environment (e.g. nex-grid-uat-sea-nat-ip)
  4. Select static for the type of IP
  5. You do not have to enter a DNS label
  6. Attach the IP address to the relevant resource group and select the relevant location
  7. Click on create
  8. Wait for Azure to provision the new IP address

3.6 - DNS & SSL Setup

3.6.1 - Corporate DNS

After setting up the Load Balancer DNS above you should set up a wildcard DNS record from your own domain to this Load Balancer DNS.

To do so, log in to your DNS manager portal (e.g. Azure DNS, AWS Route53, GoDaddy etc.) and create the following record. The name of the record should be adapted to your URL branding requirements.

DNS Entry                 | Type  | Value
*.uat.nexmin.maestrano.io | CNAME | nex-grid-uat-sea-elb-nexmin.southeastasia.cloudapp.azure.com

(DNS entry: example for a maestrano domain related to a "nexmin" project in UAT. Value: example of load balancer DNS generated by Azure.)

3.6.2 - Default SSL Certificate

...

  1. From the left panel go to More Services then search for MySQL
  2. Select Azure Database for MySQL
  3. Add a new database and enter a globally unique name describing the resource, region, environment and project. E.g. nex-orchestrator-uat-sea-db-nexmin
  4. Set the admin username to azure_root and generate a random password. Note that the admin username must not match a built-in MySQL user (e.g. root).
  5. Attach the resource to the resource group corresponding to the environment you are targeting (e.g. nex-grid-uat)
  6. Select the location corresponding to the location the infrastructure has been deployed to (e.g. Southeast Asia)
  7. Save the resource and wait for Azure to deploy it
  8. Go to the resource under Connection Security and disable SSL (Status: Action Needed)
  9. Still under Connection Security add a connectivity rule for all traffic (0.0.0.0 to 255.255.255.255) (Status: Action Needed)
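Steps 8 and 9 are both flagged "Action Needed", so it helps to have a check that finds them again later. The following is an added example, not code from the original page or from the Nex!™ project: a Ruby audit over the JSON that `az mysql server show` and `az mysql server firewall-rule list` return. The field names (sslEnforcement, administratorLogin, startIpAddress, endIpAddress) are assumed to match the CLI output, and the two JSON documents are constructed for the example.

```ruby
require 'json'
require 'ipaddr'

# Constructed sample of `az mysql server show` output (field names assumed).
SAMPLE_SERVER_JSON = <<~JSON
  {
    "name": "nex-orchestrator-uat-sea-db-nexmin",
    "administratorLogin": "azure_root",
    "sslEnforcement": "Disabled"
  }
JSON

# Constructed sample of `az mysql server firewall-rule list` output.
# The first rule is the "all traffic" rule from step 9.
SAMPLE_RULES_JSON = <<~JSON
  [
    {"name": "AllowAll", "startIpAddress": "0.0.0.0",      "endIpAddress": "255.255.255.255"},
    {"name": "Office",   "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"}
  ]
JSON

# Number of IPv4 addresses covered by a firewall rule (inclusive range).
def range_size(rule)
  IPAddr.new(rule['endIpAddress']).to_i - IPAddr.new(rule['startIpAddress']).to_i + 1
end

# Returns a list of finding strings; an empty list means nothing was flagged.
# max_range: the widest single rule tolerated before it is reported.
def audit_mysql(server_json, rules_json, max_range: 256)
  server = JSON.parse(server_json)
  rules  = JSON.parse(rules_json)
  findings = []

  findings << 'ssl_enforcement_disabled' if server['sslEnforcement'] == 'Disabled'

  rules.each do |r|
    if r['startIpAddress'] == '0.0.0.0' && r['endIpAddress'] == '255.255.255.255'
      findings << "rule #{r['name']}: allows all IPv4 addresses"
    elsif range_size(r) > max_range
      findings << "rule #{r['name']}: range of #{range_size(r)} addresses"
    end
  end

  findings
end

if __FILE__ == $PROGRAM_NAME
  audit_mysql(SAMPLE_SERVER_JSON, SAMPLE_RULES_JSON).each { |f| puts f }
end
```

Run it against the real CLI output by piping the two commands into files and passing their contents; an empty result means SSL enforcement is on and no rule is wider than a /24.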

...

After Azure has deployed the service you should configure a friendly DNS to point to the Nex!™ orchestrator load balancer - in a similar fashion to what you have done previously for the wildcard domain pointing to the Nex!™ grid.

To do so, log in to your DNS manager portal (e.g. Azure DNS, AWS Route53, GoDaddy etc.) and create the following record. The name of the record should be adapted to your URL branding requirements.

DNS Entry                       | Type  | Value
api-nex.uat.nexmin.maestrano.io | CNAME | nex-orchestrator-uat-sea-elb-nexmin.southeastasia.cloudapp.azure.com

(DNS entry: example for a maestrano domain related to a "nexmin" project in UAT. Value: example of load balancer DNS generated by Azure during service deployment.)

4.3.3 - SSH Access

Accessing the first Nex!™ orchestrator machine via SSH:

...

```bash
# Navigate to the orchestrator root path
cd /apps/nex/current

# Fire the console. Adapt the environment: uat or production
bundle exec rails c uat
```

Before launching new virtual machines, you may need to increase the Azure account quota limit; see the paragraph "Increasing your account quota".

6.2 - Setup a Gateway Rack

In the console enter the following command for each vpc_region:

```ruby
# Adjust the region based on where the infrastructure is located
r = GatewayRack.create!(vpc_region: "southeastasia", stack: 'nat')

# This will enqueue a background job to provision the actual rack
r.provision!

# Wait for the rack to be "running"
r.reload.status
```
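Rather than re-running `r.reload.status` by hand, a small polling helper can be pasted into the same console. This is an added example, not code from the original page or from the Nex!™ orchestrator: it assumes only that the rack object responds to `reload` and `status` as shown above; the failure state names (`failed`, `error`) and the defaults of a 15 second interval and 15 minute timeout are assumptions.

```ruby
# Polls `rack.reload.status` until it equals `target`, raising on a failure
# state or when `timeout` seconds have elapsed. `clock` and `sleeper` are
# injectable so the loop can be exercised without actually waiting.
def wait_for_status(rack, target: 'running', failure_states: %w[failed error],
                    timeout: 900, interval: 15,
                    clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) },
                    sleeper: ->(seconds) { sleep(seconds) })
  deadline = clock.call + timeout
  loop do
    status = rack.reload.status.to_s
    return status if status == target
    raise "rack entered failure state '#{status}'" if failure_states.include?(status)
    if clock.call >= deadline
      raise "timed out after #{timeout}s waiting for '#{target}' (last status: '#{status}')"
    end
    sleeper.call(interval)
  end
end

# Usage in the console (assumes the GatewayRack calls shown above):
#   r = GatewayRack.create!(vpc_region: "southeastasia", stack: 'nat')
#   r.provision!
#   wait_for_status(r)   # returns "running", or raises on failure/timeout
```

Raising on timeout instead of looping forever matters in practice: a rack stuck in provisioning usually means a quota limit was hit (see the note above), and the exception surfaces that instead of an idle console.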

...