Set up Microsoft Azure with Azure NetApp Files

Contributors netapp-mwallis

A few steps are required to prepare your Microsoft Azure subscription before you can manage Azure Kubernetes Service clusters with Astra Control Service. Follow these instructions if you plan to use Azure NetApp Files as a storage backend.

Quick start for setting up Azure

Get started quickly by following these steps or scroll down to the remaining sections for full details.

1. Review Astra Control Service requirements for Azure Kubernetes Service

Ensure that clusters are healthy and running a supported version of Kubernetes, that node pools are online and running Linux, and more. Learn more about this step.

2. Sign up for Microsoft Azure

Create a Microsoft Azure account. Learn more about this step.

3. Register for Azure NetApp Files

Register the NetApp Resource Provider. Learn more about this step.

4. Create a NetApp account

Go to Azure NetApp Files in the Azure portal and create a NetApp account. Learn more about this step.

5. Set up capacity pools

Set up one or more capacity pools for your persistent volumes. Learn more about this step.

6. Delegate a subnet to Azure NetApp Files

Delegate a subnet to Azure NetApp Files so that Astra Control Service can create persistent volumes in that subnet. Learn more about this step.

7. Create an Azure service principal

Create an Azure service principal that has the Contributor role. Learn more about this step.

8. Optional: Configure redundancy for Azure backup buckets

By default, the buckets Astra Control Service uses to store Azure Kubernetes Service backups use the Locally Redundant Storage (LRS) redundancy option. As an optional step, you can configure a more durable level of redundancy for Azure buckets. Learn more about this step.

Azure Kubernetes Service cluster requirements

A Kubernetes cluster must meet the following requirements so you can discover and manage it from Astra Control Service.

Kubernetes version

Clusters must be running Kubernetes version 1.23 to 1.25.

Image type

The image type for all node pools must be Linux.

Cluster state

Clusters must be running in a healthy state and have at least one online worker node with no worker nodes in a failed state.

Azure region

Clusters must reside in a region where Azure NetApp Files is available. View Azure products by region.

Subscription

Clusters must reside in a subscription where Azure NetApp Files is enabled. You’ll choose a subscription when you register for Azure NetApp Files.

VNet

Consider the following VNet requirements:

  • Clusters must reside in a VNet that has direct access to an Azure NetApp Files delegated subnet. Learn how to set up a delegated subnet.

  • If your Kubernetes clusters are in a VNet that’s peered to the Azure NetApp Files delegated subnet that’s in another VNet, then both sides of the peering connection must be online.

  • Be aware that the default limit for the number of IPs used in a VNet (including immediately peered VNets) with Azure NetApp Files is 1,000. View Azure NetApp Files resource limits.

    If you’re close to the limit, you have two options:

    • You can submit a request for a limit increase. Contact your NetApp representative if you need help.

    • When creating a new Azure Kubernetes Service (AKS) cluster, specify a new network for the cluster. Once the new network is created, provision a new subnet and delegate the subnet to Azure NetApp Files.

Sign up for Microsoft Azure

If you don’t have a Microsoft Azure account, begin by signing up for Microsoft Azure.

Steps
  1. Go to the Azure subscription page to subscribe to the Azure service.

  2. Select a plan and follow the instructions to complete the subscription.

Register for Azure NetApp Files

Get access to Azure NetApp Files by registering the NetApp Resource Provider.

Create a NetApp account

Set up a capacity pool

One or more capacity pools are required so that Astra Control Service can provision persistent volumes in a capacity pool. Astra Control Service doesn’t create capacity pools for you.

Take the following into consideration as you set up capacity pools for your Kubernetes apps:

  • The capacity pools need to be created in the same Azure region where the AKS clusters will be managed with Astra Control Service.

  • A capacity pool can have an Ultra, Premium, or Standard service level. Each of these service levels is designed for different performance needs. Astra Control Service supports all three.

    You need to set up a capacity pool for each service level that you want to use with your Kubernetes clusters.

  • Before you create a capacity pool for the apps that you intend to protect with Astra Control Service, choose the required performance and capacity for those apps.

    Provisioning the right amount of capacity ensures that users can create persistent volumes as they are needed. If capacity isn’t available, then the persistent volumes can’t be provisioned.

  • An Azure NetApp Files capacity pool can use the manual or auto QoS type. Astra Control Service supports auto QoS capacity pools. Manual QoS capacity pools aren’t supported.

Delegate a subnet to Azure NetApp Files

You need to delegate a subnet to Azure NetApp Files so that Astra Control Service can create persistent volumes in that subnet. Note that Azure NetApp Files enables you to have only one delegated subnet in a VNet.

If you’re using peered VNets, then both sides of the peering connection must be online: the VNet where your Kubernetes clusters reside and the VNet that has the Azure NetApp Files delegated subnet.

After you’re done

Wait about 10 minutes before discovering the cluster running in the delegated subnet.

Create an Azure service principal

Astra Control Service requires an Azure service principal that is assigned the Contributor role. Astra Control Service uses this service principal to facilitate Kubernetes application data management on your behalf.

A service principal is an identity created specifically for use with applications, services, and tools. Assigning a role to the service principal restricts access to specific Azure resources.

Follow the steps below to create a service principal using the Azure CLI. You’ll need to save the output in a JSON file and provide it to Astra Control Service later on. Refer to Azure documentation for more details about using the CLI.

The following steps assume that you have permission to create a service principal and that you have the Microsoft Azure SDK (az command) installed on your machine.

Requirements
  • The service principal must use regular authentication. Certificates aren’t supported.

  • The service principal must be granted Contributor or Owner access to your Azure subscription.

  • The subscription or resource group you choose for scope must contain the AKS clusters and your Azure NetApp Files account.

Steps
  1. Identify the subscription and tenant ID where your AKS clusters reside (these are the clusters that you want to manage in Astra Control Service).

      az configure --list-defaults
      az account list --output table

  2. Do one of the following, depending on whether you use an entire subscription or a resource group:

    • Create the service principal, assign the Contributor role, and specify the scope to the entire subscription where the clusters reside.

      az ad sp create-for-rbac --name service-principal-name --role contributor --scopes /subscriptions/SUBSCRIPTION-ID

    • Create the service principal, assign the Contributor role, and specify the resource group where the clusters reside.

      az ad sp create-for-rbac --name service-principal-name --role contributor --scopes /subscriptions/SUBSCRIPTION-ID/resourceGroups/RESOURCE-GROUP-ID

  3. Store the resulting Azure CLI output as a JSON file.

    You’ll need to provide this file so that Astra Control Service can discover your AKS clusters and manage Kubernetes data management operations. Learn about managing credentials in Astra Control Service.

  4. Optional: Add the subscription ID to the JSON file so that Astra Control Service automatically populates the ID when you select the file.

    Otherwise, you’ll need to enter the subscription ID in Astra Control Service when prompted.

    Example

    {
      "appId": "0db3929a-bfb0-4c93-baee-aaf8",
      "displayName": "sp-example-dev-sandbox",
      "name": "http://sp-example-dev-sandbox",
      "password": "mypassword",
      "tenant": "011cdf6c-7512-4805-aaf8-7721afd8ca37",
      "subscriptionId": "99ce999a-8c99-99d9-a9d9-99cce99f99ad"
    }

  5. Optional: Test your service principal. Choose from the following example commands depending on the scope your service principal uses.

    Subscription scope

      az login --service-principal --username APP-ID-SERVICEPRINCIPAL --password PASSWORD --tenant TENANT-ID
      az group list --subscription SUBSCRIPTION-ID
      az aks list --subscription SUBSCRIPTION-ID
      az storage container list --account-name STORAGE-ACCOUNT-NAME

    Resource group scope

      az login --service-principal --username APP-ID-SERVICEPRINCIPAL --password PASSWORD --tenant TENANT-ID
      az aks list --subscription SUBSCRIPTION-ID --resource-group RESOURCE-GROUP-ID
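
The JSON file from steps 3 and 4 contains the service principal's password, so it should be readable only by its owner. The following is an added example, not NetApp's code: it takes the create-for-rbac output, adds subscriptionId, writes the file with mode 0600, and audits a stored file. The function names and sample values are constructed for illustration, and a POSIX system is assumed.

```python
import json
import os
import stat
import tempfile
import uuid

REQUIRED_KEYS = ("appId", "password", "tenant")  # fields in the page's example


def save_sp_credentials(az_output, subscription_id, path):
    """Write create-for-rbac JSON plus subscriptionId to an owner-only file."""
    creds = json.loads(az_output)
    missing = [k for k in REQUIRED_KEYS if not creds.get(k)]
    if missing:
        raise ValueError(f"CLI output is missing: {', '.join(missing)}")
    creds["subscriptionId"] = str(uuid.UUID(subscription_id))  # ValueError if malformed
    # Mode 0600 applies only to new files, so fchmod covers an existing one.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        os.fchmod(fh.fileno(), 0o600)
        json.dump(creds, fh, indent=2)
    return creds


def audit_credentials_file(path):
    """Return a list of problems found in a stored credentials file."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append(f"file mode {mode:04o} is accessible to group/other")
    with open(path) as fh:
        creds = json.load(fh)
    for key in REQUIRED_KEYS + ("subscriptionId",):
        if not creds.get(key):
            problems.append(f"missing field: {key}")
    return problems


# Constructed sample standing in for `az ad sp create-for-rbac` output.
SAMPLE_AZ_OUTPUT = json.dumps({
    "appId": "00000000-0000-0000-0000-000000000001",
    "password": "constructed-secret-not-real",
    "tenant": "00000000-0000-0000-0000-000000000002",
})
SAMPLE_SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000003"

if __name__ == "__main__":
    target = os.path.join(tempfile.mkdtemp(), "astra-sp.json")
    save_sp_credentials(SAMPLE_AZ_OUTPUT, SAMPLE_SUBSCRIPTION_ID, target)
    print(audit_credentials_file(target) or "credentials file OK")
```

Validation happens before the file is opened, so a malformed input never truncates an existing credentials file.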

Optional: Configure redundancy for Azure backup buckets

You can configure a more durable redundancy level for Azure backup buckets. By default, the buckets Astra Control Service uses to store Azure Kubernetes Service backups use the Locally Redundant Storage (LRS) redundancy option. To use a more durable redundancy option for Azure buckets, you need to do the following:

Steps
  1. Create an Azure storage account that uses the redundancy level you need using these instructions.

  2. Create an Azure container in the new storage account using these instructions.

  3. Add the container as a bucket to Astra Control Service. See Add an additional bucket.

  4. (Optional) To use the newly created bucket as the default bucket for Azure backups, set it as the default bucket for Azure. See Change the default bucket.