Set Up Azure Subscription and Vnet for Private Data
Azure private data processing involves running an Alteryx Analytics Cloud (AAC) data processing cluster inside your Azure subscription and VNet. This combination of your infrastructure with Alteryx-managed Azure resources and software is commonly referred to as private data processing.
This page focuses on how to set up your Azure subscription and VNet for private data processing on AAC.
Note
The Azure subscription and VNet setup require access and permissions to the Azure portal. If you don't have this access, please contact your IT team to complete this step.
Caution
Never delete resources provisioned for Private Data Processing.
Setup Steps
Important
To continue with these steps, you must have the Application Developer role in Microsoft Entra ID (to create the app registration) and the Owner RBAC role on the subscription (to create the custom role and its role assignment).
Step 1: Select the Azure Subscription
Select the subscription where you’d like to run your private data processing.
To improve performance and reduce egress costs, put your blob storage and the private data handling AKS cluster in the same region and resource group that you selected for private data storage. The same applies to any data sources that you want to connect to AAC.
The VNet created in the Azure subscription should be dedicated to AAC. You can set up connectivity to private data sources using VNet peering, Azure Private Link, or other connectivity options.
Step 2: Create Resource Group
The Azure resources that AAC requires are deployed into a resource group.
Create a resource group with the name aac_resource_group.
Note
aac_resource_group is an example name in this guide. You can choose any name for the resource group.
Tag the resource group with these parameters:
Tag Name: AACResource
Tag Value: aac
Review and create the resource group.
Step 3: Configure IAM
With your Azure subscription in place, now set up the service principal and its client secret.
Note
You can use the same app registration to provision private data processing in a different subscription under the same tenant.
Step 3a: Create an App Registration (Service Account)
Create a new registration with the name aac_automation_sa.
On Supported account types, select Accounts in this organizational directory only (Single tenant). The app only ever acts within your own tenant, so don't select a multitenant option.
Select Register.
Generate a client secret:
Select the app registration you just created.
Select Certificates & secrets.
Select Client secrets.
Select New client secret, choose an expiry, and select Add.
Copy the secret's Value immediately: Azure shows it only once, and you'll have to create a new secret if you lose it. Record the expiry date so the secret can be rotated before AAC loses access.
Note
You'll need the app registration's Application (client) ID and the client secret value to provision the cloud resources for private data processing.
Step 3b: Create IAM Custom Role
You need to create a custom role. Name the role AAC_Base_SA_Role and use the following role definition. We recommend that you use the JSON tab instead of the visual editor. AAC requires some wildcard (*) permissions to run, so expect security warnings when you create the role.
Review the definition before you apply it: Microsoft.Authorization/roleDefinitions/write and roleAssignments/delete act on the authorization plane, and Microsoft.Storage/storageAccounts/* and Microsoft.KeyVault/* are wildcards over entire resource providers. That is what the portal's warnings refer to; keep assignableScopes limited to the single subscription and grant the role to nothing but the AAC service principal.
{
  "properties": {
    "roleName": "AAC_Base_SA_Role",
    "description": "Custom role for provisioning AAC private data handling",
    "assignableScopes": [
      "/subscriptions/<subscription ID>"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Authorization/*/read",
          "Microsoft.Network/applicationGateways/backendAddressPools/join/action",
          "Microsoft.Network/locations/*",
          "Microsoft.Network/networkInterfaces/*",
          "Microsoft.Network/networkSecurityGroups/read",
          "Microsoft.Network/publicIPAddresses/read",
          "Microsoft.Network/virtualNetworks/read",
          "Microsoft.Resources/deployments/*",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Resources/subscriptions/read",
          "Microsoft.Resources/subscriptions/operationresults/read",
          "Microsoft.Storage/storageAccounts/*",
          "Microsoft.KeyVault/*",
          "Microsoft.Network/virtualNetworks/subnets/read",
          "Microsoft.Network/routeTables/routes/read",
          "Microsoft.Network/routeTables/read",
          "Microsoft.Authorization/roleDefinitions/write",
          "Microsoft.Authorization/roleDefinitions/delete",
          "Microsoft.Authorization/roleAssignments/delete"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
Important
AAC_Base_SA_Role is an example role name. You can choose any name for the role, but the name must start with AAC_Base. Replace <subscription ID> in assignableScopes with the ID of the subscription you selected in Step 1.
Step 3c: Bind Custom Role to App Registration in the Subscription
Select the subscription you chose in Step 1.
Select Access control (IAM).
Select Add and then select Add role assignment.
Select the custom role created in Step 3b.
The custom role might be in the Job function roles or Privileged administrator roles tab.
Select Next.
Under Members, select the app registration created in Step 3a.
Select Review and Assign.
Step 4: Create Network Security Group (NSG)
Create a network security group in the resource group aac_resource_group.
Tag the network security group with these parameters:
Tag Name: AACResource
Tag Value: aac
Step 5: Configure Virtual Network
Step 5a: Create Virtual Network (Vnet)
Create a virtual network in the resource group aac_resource_group.
Tip
Azure creates a default address space and a default subnet. Delete the default subnet and update the address space.
Add these IPv4 address spaces depending on which modules you want to deploy. You might need to create the VNet with a single address space and then select Settings > Address space to add the second.
For Designer Cloud and Machine Learning, add a /18 and a /22 address space.
For Cloud Execution for Desktop, add a /22 address space.
Tag the VNet with these parameters:
Tag Name: AACResource
Tag Value: aac
Step 5b: Configure Feature Flag
Register the EnableAPIServerVnetIntegrationPreview feature flag (provider namespace Microsoft.ContainerService) on your Azure subscription.
Note
Connections to private data sources require network paths between the Vnet and the data source. As defined in the shared responsibility matrix, you set up these network paths in accordance with your own network policies and preferences.
Step 6: Create a Key Vault
Your data source credentials are encrypted using your key and securely stored in a private vault (Private Credential Storage) within your private data plane account. These credentials are only retrieved from the vault when you need them.
Create a key vault in the resource group aac_resource_group.
Name the vault aac-credentials-vault and select Next.
Choose Azure role-based access control as the permission model, then select Next to continue.
Under Networking, to restrict access to your VNet, select Selected networks.
Add the virtual network (VNet) created in Step 5a.
Select the Select all checkbox.
Select Add to proceed.
Tag the key vault with these parameters:
Tag Name: AACResource
Tag Value: aac
Select Review and Create.
Note
You enter the key vault name on the Private Data Processing page (Step 7).
Step 7: Trigger Private Data Handling provisioning
Warning
Changing or removing any AAC-provisioned public cloud resources after Private Data Handling has been set up can cause inconsistencies. These inconsistencies may lead to errors during job execution or when deprovisioning the Private Data Handling setup.
Data processing environment provisioning is triggered from the Admin Console in AAC. You need Workspace Admin privileges within a workspace in order to see it.
On the AAC landing page, select the circle icon in the top right with your initials in it. Select Admin Console from the menu.
Select Private Data Handling from the left navigation menu.
Make sure that Private Data Storage shows Successfully Configured before you proceed. If the status is Not Configured, go to ADLS as Private Data Storage first, then return to this step.
Under the Private Data Processing section, you need to fill out 5 fields. These values come from setup steps you just completed.
Selecting Create triggers a set of validation checks that verify the Azure subscription is set up as needed. If permissions are not configured correctly, or the VNet resources are not created or tagged correctly, you'll receive an error message whose description should point you in the right direction.