App Builder in Azure
This guide walks you through setting up App Builder in Azure, enabling automatic data analysis and insights. Follow the steps to configure and optimize your setup efficiently.
Prerequisite
VPC dedicated to AACP has been configured as mentioned in Step 4: Configure Virtual Private Network.
Service account and base IAM policy attached to the service account as described in Step 3: Configure IAM.
PDP provisioning has been triggered successfully as mentioned in Step 6: Trigger Private Data Handling Provisioning.
Subscription Setup
Step 1: Configure IAM
Step 1a: Create App Builder IAM Role
Note
AAC_AppBuilder_SA_Role is an example policy name. You can choose any name for the policy, but the name must start with AAC_AppBuilder.
You need to create a custom IAM policy. Name it AAC_AppBuilder_SA_Role and attach the following policy document. We recommend using the JSON tab instead of the visual editor. AAC requires some * (wildcard) permissions to run, so expect some security warnings when you create the policy.
```json
{
  "properties": {
    "roleName": "AAC_AppBuilder_SA_Role",
    "description": "Custom role for provisioning AAC private data handling",
    "assignableScopes": [
      "/subscriptions/<subscription ID>"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Authorization/*/read",
          "Microsoft.Compute/availabilitySets/*",
          "Microsoft.Compute/locations/*",
          "Microsoft.Compute/virtualMachines/*",
          "Microsoft.Compute/virtualMachineScaleSets/*",
          "Microsoft.Compute/cloudServices/*",
          "Microsoft.Compute/disks/write",
          "Microsoft.Compute/disks/read",
          "Microsoft.Compute/disks/delete",
          "Microsoft.Network/applicationGateways/backendAddressPools/join/action",
          "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
          "Microsoft.Network/loadBalancers/inboundNatPools/join/action",
          "Microsoft.Network/loadBalancers/inboundNatRules/join/action",
          "Microsoft.Network/loadBalancers/probes/join/action",
          "Microsoft.Network/loadBalancers/read",
          "Microsoft.Network/locations/*",
          "Microsoft.Network/networkInterfaces/*",
          "Microsoft.Network/networkSecurityGroups/join/action",
          "Microsoft.Network/networkSecurityGroups/read",
          "Microsoft.Network/networkSecurityGroups/write",
          "Microsoft.Network/networkSecurityGroups/delete",
          "Microsoft.Network/publicIPAddresses/join/action",
          "Microsoft.Network/publicIPAddresses/read",
          "Microsoft.Network/virtualNetworks/read",
          "Microsoft.Network/virtualNetworks/subnets/join/action",
          "Microsoft.RecoveryServices/locations/*",
          "Microsoft.ResourceHealth/availabilityStatuses/read",
          "Microsoft.Resources/deployments/*",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Resources/subscriptions/read",
          "Microsoft.Resources/subscriptions/operationresults/read",
          "Microsoft.Storage/storageAccounts/*",
          "Microsoft.ContainerService/fleets/read",
          "Microsoft.ContainerService/fleets/listCredentials/action",
          "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
          "Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
          "Microsoft.ContainerService/managedClusters/read",
          "Microsoft.ContainerService/managedClusters/runcommand/action",
          "Microsoft.KeyVault/*",
          "Microsoft.Network/virtualNetworks/subnets/read",
          "Microsoft.ContainerService/managedClusters/write",
          "Microsoft.ManagedIdentity/userAssignedIdentities/read",
          "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
          "Microsoft.Network/routeTables/routes/write",
          "Microsoft.Network/routeTables/routes/read",
          "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
          "Microsoft.ContainerService/managedClusters/delete",
          "Microsoft.ContainerService/managedClusters/agentPools/read",
          "Microsoft.ContainerService/managedClusters/agentPools/write",
          "Microsoft.ContainerService/managedClusters/agentPools/delete",
          "Microsoft.ContainerService/managedClusters/availableAgentPoolVersions/read",
          "Microsoft.ContainerService/managedClusters/agentPools/upgradeNodeImageVersion/write",
          "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/read",
          "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write",
          "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/delete",
          "Microsoft.ManagedIdentity/userAssignedIdentities/delete",
          "Microsoft.ManagedIdentity/userAssignedIdentities/write",
          "Microsoft.Network/routeTables/read",
          "Microsoft.Network/routeTables/write",
          "Microsoft.Authorization/roleAssignments/write",
          "Microsoft.Authorization/roleAssignments/delete",
          "Microsoft.Cache/redis/*",
          "Microsoft.Network/privateEndpoints/read",
          "Microsoft.Network/privateEndpoints/write",
          "Microsoft.Network/privateEndpoints/delete",
          "Microsoft.Network/privateDnsZones/read",
          "Microsoft.Network/privateDnsZones/write",
          "Microsoft.Network/privateDnsZones/delete",
          "Microsoft.Network/privateDnsZones/SOA/read",
          "Microsoft.Network/privateDnsZones/SOA/write",
          "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write",
          "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read",
          "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/delete",
          "Microsoft.Network/privateDnsZones/virtualNetworkLinks/read",
          "Microsoft.Network/privateDnsZones/virtualNetworkLinks/write",
          "Microsoft.Network/privateDnsZones/virtualNetworkLinks/delete",
          "Microsoft.Network/privateDnsZones/join/action",
          "Microsoft.Network/virtualNetworks/join/action",
          "Microsoft.Insights/autoScaleSettings/write",
          "Microsoft.Insights/autoScaleSettings/read",
          "Microsoft.Insights/autoScaleSettings/delete"
        ],
        "notActions": [],
        "dataActions": [
          "Microsoft.ContainerService/fleets/*",
          "Microsoft.ContainerService/managedClusters/*"
        ],
        "notDataActions": []
      }
    ]
  }
}
```
Note
Update the "assignableScopes" value of this custom role. The scope should be your subscription ID.
Step 1b: Bind Custom Role to App Registration in the Subscription
Add the AAC_AppBuilder_SA_Role IAM custom role to the aac_automation_sa service account created in Create an App registration.
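The role definition above carries several wildcard actions and the right to write role assignments, which is why the portal raises security warnings. Before creating it, a reviewer typically wants to confirm the two constraints the guide states (name prefix AAC_AppBuilder, assignableScopes narrowed to one subscription) and see exactly which entries are wildcards. The following script is an added example, not part of the Alteryx documentation or tooling; SAMPLE_ROLE is a constructed, abbreviated copy of the role definition, and the subscription GUID used in the usage note is a placeholder.

```python
"""Pre-flight audit of an Azure custom role definition (added example)."""
import copy
import json
import re

ROLE_NAME_PREFIX = "AAC_AppBuilder"
# A real assignable scope is /subscriptions/<GUID>; the guide's placeholder
# "<subscription ID>" must have been replaced before the role is created.
SUBSCRIPTION_SCOPE_RE = re.compile(r"^/subscriptions/[0-9a-fA-F-]{36}$")
ROLE_ASSIGN_WRITE = "Microsoft.Authorization/roleAssignments/write"

# Constructed, abbreviated role definition for the example; the guide's real
# definition lists many more actions.
SAMPLE_ROLE = json.loads("""
{ "properties": {
    "roleName": "AAC_AppBuilder_SA_Role",
    "description": "Custom role for provisioning AAC private data handling",
    "assignableScopes": ["/subscriptions/<subscription ID>"],
    "permissions": [{
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Compute/virtualMachines/*",
        "Microsoft.Compute/disks/read",
        "Microsoft.KeyVault/*",
        "Microsoft.Authorization/roleAssignments/write"
      ],
      "notActions": [],
      "dataActions": ["Microsoft.ContainerService/managedClusters/*"],
      "notDataActions": []
    }]
} }
""")


def audit_role(role: dict) -> dict:
    """Return findings that block creation plus facts a reviewer should see."""
    props = role["properties"]
    findings = []

    name = props.get("roleName", "")
    if not name.startswith(ROLE_NAME_PREFIX):
        findings.append(f"roleName {name!r} must start with {ROLE_NAME_PREFIX}")

    scopes = props.get("assignableScopes", [])
    if len(scopes) != 1 or not SUBSCRIPTION_SCOPE_RE.match(scopes[0]):
        findings.append("assignableScopes must be exactly one /subscriptions/<GUID> "
                        "entry; the placeholder has probably not been replaced")

    wildcard_actions = []
    can_assign_roles = False
    for perm in props.get("permissions", []):
        for kind in ("actions", "dataActions"):
            for action in perm.get(kind, []):
                if "*" in action:
                    wildcard_actions.append(action)
                if action == ROLE_ASSIGN_WRITE:
                    # Writing role assignments lets the principal grant
                    # further rights, so this is flagged separately.
                    can_assign_roles = True

    return {
        "ok": not findings,
        "findings": findings,
        "wildcard_actions": wildcard_actions,
        "can_assign_roles": can_assign_roles,
    }


def set_subscription_scope(role: dict, subscription_id: str) -> dict:
    """Return a copy of the role with assignableScopes set to one subscription."""
    fixed = copy.deepcopy(role)
    fixed["properties"]["assignableScopes"] = [f"/subscriptions/{subscription_id}"]
    return fixed


if __name__ == "__main__":
    # Placeholder subscription GUID, not a real subscription.
    scoped = set_subscription_scope(SAMPLE_ROLE, "00000000-0000-0000-0000-000000000000")
    print(json.dumps(audit_role(SAMPLE_ROLE), indent=2))
    print(json.dumps(audit_role(scoped), indent=2))
```

Run it against the full role definition by loading the JSON from the guide into `audit_role`; the unmodified definition fails only on the placeholder scope, and the wildcard list is the set of entries the portal warns about.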
Step 2: Route Tables
Note
You must configure the VPC with a network connection to the internet in your project.
The <gateway id> can be either a NAT gateway or an internet gateway, depending on your network architecture.
The route table below is shown as an example.

| Address Prefix | Next hop |
|---|---|
| /18 CIDR Block | |
| /22 CIDR Block | |
| 0.0.0.0/0 | <gateway id> |
Step 3: Configure Subnet
Nota
Designer Cloud shares a subnet configuration with Machine Learning, Auto Insights, and App Builder. If you are deploying more than one of those applications, you only need to configure the subnets once.
App Builder in a private data processing environment requires the following subnet groups:
- aac-aks-node (required): The AKS cluster uses this subnet to execute Alteryx software jobs (connectivity, conversion, processing, publishing).
- aac-public (required): This group doesn't run any services, but is used by the aks_node group for egress out of the cluster. Delegate this subnet to Microsoft.ContainerService/managedClusters, which grants the AKS service permission to inject the API server pods and internal load balancer into that subnet.
- aac-private (required): This group runs services private to the PDP.
Step 3a: Create Subnets in the Vnet
Configure subnets in the aac_vpc VPC.
Create subnets according to the example below. You can adjust the Address Space and Subnet values to match your network architecture. Attach the Network security group created in Create Network Security Group to the subnets.
The address spaces are designed to accommodate a fully scaled-out data processing environment. You can choose a smaller address space if required, but you could run into scaling issues under heavy processing loads.
Important
The Subnet Name is not a flexible field; it must match the table below.

| Address Space | Subnet Name | Subnet | Service Endpoints | Route Table | Comments |
|---|---|---|---|---|---|
| 10.64.0.0/18 | aac_aks_node | 10.64.0.0/19 | Microsoft.Storage, Microsoft.KeyVault | Attaching this subnet to a route table is optional. Azure sets up the network during AKS creation. | AKS cluster subnet |
| | SPARE (can be configured for blue/green upgrade later) | 10.64.32.0/19 | | | |
| 10.10.0.0/22 | aac_public | 10.10.0.0/25 | Microsoft.Storage | Attach to the route table created in Step 2. | delegate |
| | aac_private | 10.10.1.0/24 | Microsoft.KeyVault | Attach to the route table created in Step 2. | |
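Because the subnet names are fixed while the address spaces may be adjusted, the usual mistake when adapting the table is a subnet that no longer fits its address space, two subnets that overlap, or a renamed subnet that the provisioning no longer finds. The script below is an added example (not Alteryx tooling) that checks a subnet plan against the requirements in the table and emits the `az network vnet subnet create` commands that would realise it; it prints the commands rather than running them. The resource group, VNet, NSG and route-table names passed in are assumptions, and SAMPLE_PLAN reproduces the table's values.

```python
"""Validate an App Builder subnet plan and emit az CLI commands (added example)."""
import ipaddress

# Fixed requirements taken from the guide's subnet table.
REQUIRED = {
    "aac_aks_node": {"endpoints": {"Microsoft.Storage", "Microsoft.KeyVault"}, "delegation": None},
    "aac_public": {"endpoints": {"Microsoft.Storage"},
                   "delegation": "Microsoft.ContainerService/managedClusters"},
    "aac_private": {"endpoints": {"Microsoft.KeyVault"}, "delegation": None},
}

# Plan reproducing the guide's table. route_table marks the subnets the guide
# says to attach to the Step 2 route table.
SAMPLE_PLAN = {
    "address_spaces": ["10.64.0.0/18", "10.10.0.0/22"],
    "subnets": [
        {"name": "aac_aks_node", "prefix": "10.64.0.0/19",
         "endpoints": {"Microsoft.Storage", "Microsoft.KeyVault"}, "delegation": None,
         "route_table": False},
        {"name": "SPARE", "prefix": "10.64.32.0/19", "endpoints": set(),
         "delegation": None, "route_table": False},
        {"name": "aac_public", "prefix": "10.10.0.0/25", "endpoints": {"Microsoft.Storage"},
         "delegation": "Microsoft.ContainerService/managedClusters", "route_table": True},
        {"name": "aac_private", "prefix": "10.10.1.0/24", "endpoints": {"Microsoft.KeyVault"},
         "delegation": None, "route_table": True},
    ],
}


def validate_plan(plan: dict) -> list:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    spaces = [ipaddress.ip_network(s) for s in plan["address_spaces"]]
    seen = []
    for sn in plan["subnets"]:
        net = ipaddress.ip_network(sn["prefix"])
        if not any(net.subnet_of(space) for space in spaces):
            problems.append(f"{sn['name']} {net} is outside every address space")
        for other_name, other in seen:
            if net.overlaps(other):
                problems.append(f"{sn['name']} {net} overlaps {other_name} {other}")
        seen.append((sn["name"], net))

    by_name = {sn["name"]: sn for sn in plan["subnets"]}
    for name, req in REQUIRED.items():
        sn = by_name.get(name)
        if sn is None:
            problems.append(f"required subnet {name} is missing (name must match exactly)")
            continue
        missing = req["endpoints"] - set(sn["endpoints"])
        if missing:
            problems.append(f"{name} lacks service endpoints {sorted(missing)}")
        if sn.get("delegation") != req["delegation"]:
            problems.append(f"{name} delegation must be {req['delegation']}")
    return problems


def az_commands(plan: dict, resource_group: str, vnet: str, nsg: str, route_table: str) -> list:
    """Build (not execute) the az CLI commands that create the plan's subnets."""
    cmds = []
    for sn in plan["subnets"]:
        cmd = (f"az network vnet subnet create -g {resource_group} --vnet-name {vnet} "
               f"-n {sn['name']} --address-prefixes {sn['prefix']} "
               f"--network-security-group {nsg}")
        if sn["endpoints"]:
            cmd += " --service-endpoints " + " ".join(sorted(sn["endpoints"]))
        if sn.get("delegation"):
            cmd += f" --delegations {sn['delegation']}"
        if sn.get("route_table"):
            cmd += f" --route-table {route_table}"
        cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    # Assumed names for the example; substitute your own.
    issues = validate_plan(SAMPLE_PLAN)
    print("problems:", issues or "none")
    if not issues:
        for c in az_commands(SAMPLE_PLAN, "rg-aac", "aac_vpc", "aac-nsg", "aac-rt"):
            print(c)
```

Rename a subnet or shrink an address space in SAMPLE_PLAN to see the corresponding problem reported before anything is created in Azure.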
Step 4: Quota Adjustment
CPU limits

| Quota Name | Scope | Azure default quota value | Applied quota value |
|---|---|---|---|
| Total Regional vCPUs | Regional | 10 | 2500 |
| Standard Basv2 Family vCPUs | Regional | 10 | 2500 |
Step 5: Feature Registration on Subscription
Enable the Encryption at Host feature on the subscription to enable host-based encryption on AKS.
For more information, see the Use the Azure CLI to enable end-to-end encryption using encryption at host article in the Microsoft documentation.
Private Data Processing
Warning
Modifying or removing any public cloud resource provisioned through the AAC system after private data handling has been configured can cause inconsistencies. Such inconsistencies can cause errors during job execution or during deprovisioning of the private data handling configuration.
Step 1: Trigger App Builder Deployment
App Builder provisioning is triggered from the Admin Console in AAC. You need Workspace Admin privileges within a workspace in order to see it.
From the AAC landing page, select the circle icon on the top right with your initials in it. Select Admin Console from the menu.
Select Private Data Handling from the left navigation menu.
Select the Auto Insights checkbox and then select Save.
Selecting Update triggers the deployment of the cluster and resources in the AWS account. This runs a set of validation checks to verify the correct configuration of the AWS account.
Once the initial validation checks complete, provisioning will commence. A message box on the screen will periodically refresh with status updates.
Note
The provisioning process takes approximately 35–40 minutes to complete.
After the provisioning completes, you can view the created resources (for example, EC2 instances and node groups) through the AWS console. It is very important that you don't modify them on your own. Manual changes might break the private data processing.
Step 2: Assign Key Vault Permission to user-managed-id
After successful creation of 'Private Data Processing', a Kubernetes service account aac-k8s-user-identitycredential-pod-sa is created to allow the Kubernetes credential service to retrieve private data access credentials from the key vault.
Log in to the subscription in which private data storage and private data handling are provisioned.
In the Resource menu, select the key vault where the private data storage credential is stored.
Select Access policies and select Create.
Select Get under Secret Management Operations (Secret permissions) and select Next.
On the Principal tab, search for 'aac-k8s-user-identity'. Select Next.
Under Application (optional), select Next.
Select Create.
Step 3: Assign a Role to Credential Service user-managed-identity
After successful creation of 'Private Data Handling', a user-managed identity aac-<id>-credentials-service-managed-identity is created in the subscription to allow the Kubernetes credential service account to retrieve private data access credentials from the key vault. Provide a role to the managed identity:
Log in to the subscription and select Access control (IAM).
Select Add > Add role assignment.
For Job function roles, select Key Vault Secrets Officer and select Next.
For Assign access to, select Managed identity.
For Select members, choose aac-<id>-credentials-service-managed-identity and select Select.
Select Review + assign.