Set up Microsoft Azure

Contributors netapp-bcammett netapp-mwallis

A few steps are required to prepare your Microsoft Azure subscription before you can manage Azure Kubernetes Service clusters with Astra Control Service.

Quick start for setting up Azure

Get started quickly by following these steps or scroll down to the remaining sections for full details.

One Review Astra Control Service requirements for Azure Kubernetes Service

Ensure that clusters are healthy and running Kubernetes version 1.17 or later, that node pools are online and running Linux, and more. Learn more about this step.

Two Register for Azure NetApp Files

Register the NetApp Resource Provider. Learn more about this step.

Three Create a NetApp account

In the Azure portal, go to Azure NetApp Files and create a NetApp account. Learn more about this step.

Four Set up capacity pools

Set up one or more capacity pools for your persistent volumes. Learn more about this step.

Five Delegate a subnet to Azure NetApp Files

Delegate a subnet to Azure NetApp Files so that Astra Control Service can create persistent volumes in that subnet. Learn more about this step.

Six Create an Azure service principal

Create an Azure service principal that has the Contributor role. Read step-by-step instructions.

AKS cluster requirements

A Kubernetes cluster must meet the following requirements so you can discover and manage it from Astra Control Service.

Kubernetes version

Clusters must be running Kubernetes version 1.17 or later.

Image type

The image type for all node pools must be Linux.

Cluster state

Clusters must be running in a healthy state and have at least one online worker node with no worker nodes in a failed state.

Azure region

Clusters must reside in a region where Azure NetApp Files is available. View Azure products by region.

Subscription

Clusters must reside in a subscription where Azure NetApp Files is enabled. You’ll choose a subscription when you register for Azure NetApp Files.

VNet
  • Clusters must reside in a VNet that has direct access to an Azure NetApp Files delegated subnet. Learn how to set up a delegated subnet.

  • If your Kubernetes clusters are in a VNet that’s peered to the Azure NetApp Files delegated subnet that’s in another VNet, then both sides of the peering connection must be online.

  • Be aware that the default limit for the number of IPs used in a VNet (including immediately peered VNets) with Azure NetApp Files is 1,000. View Azure NetApp Files resource limits.

    If you’re close to the limit, you have two options:

    • You can submit a request for a limit increase. Contact your NetApp representative if you need help.

    • When creating a new AKS cluster, specify a new network for the cluster. Once the new network is created, provision a new subnet and delegate the subnet to Azure NetApp Files.

Private networking

Private networking must not be enabled on a cluster.

External volume snapshot controller

Clusters must have a CSI volume snapshot controller installed. This controller is installed by default starting with K8s version 1.21, but you’ll need to check on clusters running versions 1.17, 1.18, 1.19, or 1.20. Learn more about an external snapshot controller for on-demand volume snapshots.

Install a CSI volume snapshot controller

As noted in the list of requirements, Kubernetes clusters must have a CSI volume snapshot controller installed. Follow these steps to install the controller on your clusters.

Steps for K8s versions 1.17, 1.18, and 1.19
  1. Install volume snapshot CRDs.

    kubectl apply -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/release-3.0/client/config/crd/snapshot.storage.k8s.io_volumesnapshotclasses.yaml
    kubectl apply -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/release-3.0/client/config/crd/snapshot.storage.k8s.io_volumesnapshotcontents.yaml
    kubectl apply -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/release-3.0/client/config/crd/snapshot.storage.k8s.io_volumesnapshots.yaml
  2. Create the snapshot controller.

    If you want the snapshot controller in a specific namespace, download and edit the following files before you apply them.

    kubectl apply -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/release-3.0/deploy/kubernetes/snapshot-controller/rbac-snapshot-controller.yaml
    kubectl apply -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/release-3.0/deploy/kubernetes/snapshot-controller/setup-snapshot-controller.yaml
Steps for K8s version 1.20
  1. Install volume snapshot CRDs.

    kubectl apply -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/v4.0.0/client/config/crd/snapshot.storage.k8s.io_volumesnapshotclasses.yaml
    kubectl apply -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/v4.0.0/client/config/crd/snapshot.storage.k8s.io_volumesnapshotcontents.yaml
    kubectl apply -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/v4.0.0/client/config/crd/snapshot.storage.k8s.io_volumesnapshots.yaml
  2. Create the snapshot controller.

    If you want the snapshot controller in a specific namespace, download and edit the following files before you apply them.

    kubectl apply -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/v4.0.0/deploy/kubernetes/snapshot-controller/rbac-snapshot-controller.yaml
    kubectl apply -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/v4.0.0/deploy/kubernetes/snapshot-controller/setup-snapshot-controller.yaml

Register for Azure NetApp Files

If you don’t have a Microsoft Azure account, begin by signing up for Microsoft Azure. Then, get access to Azure NetApp Files by registering the NetApp Resource Provider.

Steps
  1. If you already have a Microsoft Azure account, skip to step 4.

  2. Go to the Azure subscription page to subscribe to the Azure service.

  3. Select a plan and follow the instructions to complete the subscription.

  4. Log in to the Azure portal.

  5. Follow Azure NetApp Files documentation to register the NetApp Resource Provider.

Create a NetApp account

After you’ve registered, create a NetApp account in Azure NetApp Files.

Set up a capacity pool

One or more capacity pools are required so that Astra Control Service can provision persistent volumes in a capacity pool. Astra Control Service doesn’t create capacity pools for you.

Take the following into consideration as you set up capacity pools for your Kubernetes apps:

  • A capacity pool can have an Ultra, Premium, or Standard service level. Each of these service levels are designed for different performance needs. Astra Control Service supports all three.

    You need to set up a capacity pool for each service level that you want to use with your Kubernetes clusters.

  • Before you create a capacity pool for the apps that you intend to protect with Astra Control Service, choose the required performance and capacity for those apps.

    Provisioning the right amount of capacity ensures that users can create persistent volumes as they are needed. If capacity isn’t available, then the persistent volumes can’t be provisioned.

  • An Azure NetApp Files capacity pool can use the manual or auto QoS type. Astra Control Service supports auto QoS capacity pools. Manual QoS capacity pools aren’t supported.

Delegate a subnet to Azure NetApp Files

You need to delegate a subnet to Azure NetApp Files so that Astra Control Service can create persistent volumes in that subnet. Note that Azure NetApp Files enables you to have only one delegated subnet in a VNet.

If you’re using peered VNets, then both sides of the peering connection must be online: the VNet where your Kubernetes clusters reside and the VNet that has the Azure NetApp Files delegated subnet.

After you’re done

Wait about 10 minutes before discovering the cluster running in the delegated subnet.

Create an Azure service principal

Astra Control Service requires a Azure service principal that is assigned the Contributor role. Astra Control Service uses this service principal to facilitate Kubernetes application data management on your behalf.

A service principal is an identity created specifically for use with applications, services, and tools. Assigning a role to the service principal restricts access to specific Azure resources.

Follow the steps below to create a service principal using the Azure CLI. You’ll need to save the output in a JSON file and provide it to Astra Control Service later on. Refer to Azure documentation for more details about using the CLI.

The following steps assume that you have permission to create a service principal and that you have the Microsoft Azure SDK (az command) installed on your machine.

Requirements
  • The service principal must use regular authentication. Certificates aren’t supported.

  • The service principal must be granted Contributor or Owner access to your Azure subscription.

  • The Azure subscription must contain the AKS clusters and your Azure NetApp Files account.

Steps
  1. Identify the subscription and tenant ID where your AKS clusters reside (these are the clusters that you want to manage in Astra Control Service).

    az configure --list-defaults
    az account list --output table
  2. Create the service principal, assign the Contributor role, and specify the scope to the entire subscription where the clusters reside.

    az ad sp create-for-rbac --name http://sp-astra-service-principal --role contributor --scopes /subscriptions/SUBSCRIPTION-ID
  3. Store the resulting Azure CLI output as a JSON file.

    You’ll need to provide this file so that Astra Control Service can discover your AKS clusters and manage Kubernetes data management operations. Learn about managing credentials in Astra Control Service.

  4. Optional: Add the subscription ID to the JSON file so that Astra Control Service automatically populates the ID when you select the file.

    Otherwise, you’ll need to enter the subscription ID in Astra Control Service when prompted.

    Example

    {
      "appId": "0db3929a-bfb0-4c93-baee-aaf8",
      "displayName": "sp-example-dev-sandbox",
      "name": "http://sp-example-dev-sandbox",
      "password": "mypassword",
      "tenant": "011cdf6c-7512-4805-aaf8-7721afd8ca37",
      "subscriptionId": "99ce999a-8c99-99d9-a9d9-99cce99f99ad"
    }
  5. Optional: Test your service principal.

    az login --service-principal --username APP-ID-SERVICEPRINCIPAL --password PASSWORD --tenant TENANT-ID
    az group list --subscription SUBSCRIPTION-ID
    az aks list --subscription SUBSCRIPTION-ID
    az storage container list --subscription SUBSCRIPTION-ID