Installing an Azure connector for Container Instance
Learn how to deploy a connector in an Azure environment
Container Instance is a managed compute platform that enables running containerized applications in a fully managed serverless environment.
This article explains how to set up an Apono connector for Container Instance with a Docker image.
Prerequisites
Item | Description |
---|---|
Apono Token | Account-specific Apono authentication value. Use the following steps to obtain your token: |
Kubernetes Command Line Tool (kubectl) | Command-line tool used for communicating with a Kubernetes cluster's control plane |
Azure Cloud Command Line Interface (AZ CLI) | Tool that enables interacting with Azure services using your command-line shell: |
Azure Cloud Information | Information for your Azure Cloud instance: |
User Access Administrator Role | Azure subscription role that enables managing user access to Azure resources |
User Administrator Role | Microsoft Entra role that enables the following tasks: |
Install a new connector
Apono supports the following installation approaches:
Azure CLI
Follow these steps to set up a new connector:
-
At the shell prompt, set the environment variables.
```bash
export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>
export APONO_TOKEN=<APONO_TOKEN>
export SUBSCRIPTION_ID=<AZURE_SUBSCRIPTION_ID>
export RESOURCE_GROUP_NAME=<AZURE_RESOURCE_GROUP_NAME>
```
-
In your shell environment, log in to your Azure account and set the subscription on which you want to deploy the Apono connector.
```bash
az login
az account set --subscription $SUBSCRIPTION_ID
```
-
Set the REGION environment variable.
```bash
export REGION=$(az group show --name $RESOURCE_GROUP_NAME --query location --output tsv)
```
-
Run the following command to deploy the connector on the Azure Container Instance service.
```bash
# --assign-identity gives the container group a system-assigned managed identity;
# --query identity.principalId captures that identity's principal ID for the role steps.
export PRINCIPAL_ID=$(az container create \
  --subscription $SUBSCRIPTION_ID \
  --resource-group $RESOURCE_GROUP_NAME \
  --name $APONO_CONNECTOR_ID \
  --ports 80 \
  --os-type linux \
  --image registry.apono.io/apono-connector:v1.5.3 \
  --environment-variables \
    APONO_CONNECTOR_ID=$APONO_CONNECTOR_ID \
    APONO_TOKEN=$APONO_TOKEN \
    APONO_URL=api.apono.io \
    CONNECTOR_METADATA='{"cloud_provider":"AZURE","subscription_id":"'"$SUBSCRIPTION_ID"'","resource_group":"'"$RESOURCE_GROUP_NAME"'","region":"'"$REGION"'","is_azure_admin":true}' \
  --cpu 1 \
  --memory 1.5 \
  --registry-login-server registry.apono.io \
  --registry-username apono \
  --registry-password $APONO_TOKEN \
  --location $REGION \
  --assign-identity \
  --query identity.principalId \
  --output tsv)
```
-
Add the User Access Administrator role to the connector in the subscription scope.
```bash
az role assignment create \
  --assignee-object-id $PRINCIPAL_ID \
  --assignee-principal-type ServicePrincipal \
  --role "User Access Administrator" \
  --scope /subscriptions/$SUBSCRIPTION_ID
```
-
For Azure AD, add the Directory Readers role to the connector. For Azure AD Groups, add the Groups Administrator and Privileged Role Administrator roles.
```bash
# Azure AD: Directory Readers
az rest --method POST \
  --uri 'https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments' \
  --body '{"principalId": "'"$PRINCIPAL_ID"'", "roleDefinitionId": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b", "directoryScopeId": "/"}'
```
```bash
# Azure AD Groups
# First role assignment (Groups Administrator)
az rest --method POST \
  --uri 'https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments' \
  --body '{"principalId": "'"$PRINCIPAL_ID"'", "roleDefinitionId": "fdd7a751-b60b-444a-984c-02652fe8fa1c", "directoryScopeId": "/"}'

# Second role assignment (Privileged Role Administrator)
az rest --method POST \
  --uri 'https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments' \
  --body '{"principalId": "'"$PRINCIPAL_ID"'", "roleDefinitionId": "e8611ab8-c189-46e8-94e1-60213ab1f814", "directoryScopeId": "/"}'
```
-
On the Connectors page, verify that the connector has been updated.
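A check to run after the Azure CLI steps above (an added example, not Apono's code): it compares the role assignments the connector's managed identity actually holds with the ones this page grants, and reports anything extra or missing. The function names, the `azure-ad`/`groups` selectors and the sample subscription ID are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example: drift check for the connector identity's role assignments.
# stdin: one "role<TAB>scope" line per assignment that actually exists.
# $1: the expected lines. Output rows are lower-cased because Azure resource
# IDs are case-insensitive. Returns 1 on any difference, 0 on an exact match.
normalize() { tr '[:upper:]' '[:lower:]' | sed '/^[[:space:]]*$/d' | sort -u; }

audit_assignments() {
  local expected actual line rc=0
  expected="$(printf '%s\n' "$1" | normalize)"
  actual="$(normalize)"
  while IFS= read -r line; do   # present but not expected
    [ -n "$line" ] || continue
    printf '%s\n' "$expected" | grep -Fxq -- "$line" ||
      { printf 'UNEXPECTED\t%s\n' "$line"; rc=1; }
  done <<EOF
$actual
EOF
  while IFS= read -r line; do   # expected but not present
    [ -n "$line" ] || continue
    printf '%s\n' "$actual" | grep -Fxq -- "$line" ||
      { printf 'MISSING\t%s\n' "$line"; rc=1; }
  done <<EOF
$expected
EOF
  return "$rc"
}

# Azure RBAC: the one assignment the page makes, at subscription scope.
expected_rbac() { printf 'User Access Administrator\t/subscriptions/%s\n' "$1"; }

# Directory roles: roleDefinitionId values copied from the page's Graph calls.
expected_directory() {
  case "$1" in
    azure-ad) printf '88d8e3e3-8f55-4a1e-953a-9b9898b8876b\t/\n' ;;
    groups)   printf '%s\t/\n' fdd7a751-b60b-444a-984c-02652fe8fa1c e8611ab8-c189-46e8-94e1-60213ab1f814 ;;
  esac
}

# Constructed sample: the expected role plus an undocumented Owner grant.
SAMPLE_SUB='00000000-0000-0000-0000-000000000000'
sample_actual() {
  printf 'User Access Administrator\t/subscriptions/%s\n' "$SAMPLE_SUB"
  printf 'Owner\t/subscriptions/%s/resourceGroups/rg-demo\n' "$SAMPLE_SUB"
}

# Live input: az role assignment list --assignee "$PRINCIPAL_ID" --all \
#   --query '[].[roleDefinitionName, scope]' --output tsv
sample_actual | audit_assignments "$(expected_rbac "$SAMPLE_SUB")" || true
```

For the directory roles, feed the function `roleDefinitionId<TAB>directoryScopeId` lines for the same principal and pass `expected_directory azure-ad` or `expected_directory groups` as the expected set.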
PowerShell | Windows PowerShell
Follow these steps to set up a new connector:
-
At the shell prompt, set the environment variables.
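```powershell
# String values must be quoted in PowerShell; replace each placeholder with your value.
$APONO_CONNECTOR_ID = "<A_UNIQUE_CONNECTOR_NAME>"
$APONO_TOKEN = "<APONO_TOKEN>"
$SUBSCRIPTION_ID = "<AZURE_SUBSCRIPTION_ID>"
$RESOURCE_GROUP_NAME = "<AZURE_RESOURCE_GROUP_NAME>"
```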
-
In your shell environment, log in to your Azure account and set the subscription on which you want to deploy the Apono connector.
```powershell
Connect-AzAccount
# Set-AzContext is the Az module cmdlet that selects the active subscription
Set-AzContext -Subscription $SUBSCRIPTION_ID
```
-
Set the REGION environment variable.
```powershell
$REGION=$(Get-AzResourceGroup -Name $RESOURCE_GROUP_NAME).Location
```
-
Run the following commands to deploy the connector on the Azure Container Instance service.
```powershell
# Port and environment variables for the connector container
$port = New-AzContainerInstancePortObject -Port 80 -Protocol TCP
$env_var1 = New-AzContainerInstanceEnvironmentVariableObject -Name "APONO_CONNECTOR_ID" -Value $APONO_CONNECTOR_ID
$env_var2 = New-AzContainerInstanceEnvironmentVariableObject -Name "APONO_TOKEN" -Value $APONO_TOKEN
$env_var3 = New-AzContainerInstanceEnvironmentVariableObject -Name "APONO_URL" -Value "api.apono.io"
$jsonValue = @{
    cloud_provider  = "AZURE"
    subscription_id = $SUBSCRIPTION_ID
    resource_group  = $RESOURCE_GROUP_NAME
    region          = $REGION
    is_azure_admin  = $true
} | ConvertTo-Json -Compress
$env_var4 = New-AzContainerInstanceEnvironmentVariableObject -Name "CONNECTOR_METADATA" -Value $jsonValue

# Container definition and registry credential
$container = New-AzContainerInstanceObject -Image registry.apono.io/apono-connector:v1.5.3 `
    -Name $APONO_CONNECTOR_ID -Port @($port) `
    -EnvironmentVariable @($env_var1, $env_var2, $env_var3, $env_var4) `
    -RequestCpu 1 -RequestMemoryInGb 1.5
$imageRegistryCredential = New-AzContainerGroupImageRegistryCredentialObject -Server "registry.apono.io" `
    -Username "apono" -Password (ConvertTo-SecureString $APONO_TOKEN -AsPlainText -Force)

# Create the container group with a system-assigned identity and keep its principal ID
$PRINCIPAL_ID=$(New-AzContainerGroup -SubscriptionId $SUBSCRIPTION_ID `
    -ResourceGroupName $RESOURCE_GROUP_NAME -Name $APONO_CONNECTOR_ID `
    -Container $container -OsType Linux `
    -ImageRegistryCredential $imageRegistryCredential `
    -Location $REGION -IdentityType "SystemAssigned").IdentityPrincipalId
```
-
Add the User Access Administrator role to the connector in the subscription scope.
```powershell
New-AzRoleAssignment -ObjectId $PRINCIPAL_ID -ObjectType "ServicePrincipal" `
    -RoleDefinitionName "User Access Administrator" `
    -Scope /subscriptions/$SUBSCRIPTION_ID
```
-
For Azure AD, add the Directory Readers role to the connector. For Azure AD Groups, add the Groups Administrator and Privileged Role Administrator roles.
```powershell
# Azure AD: Directory Readers
$payload = @{
    principalId      = $PRINCIPAL_ID
    roleDefinitionId = "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"
    directoryScopeId = "/"
} | ConvertTo-Json -Depth 3
Invoke-AzRestMethod -Method POST -Uri https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments -Payload $payload
```
```powershell
# Azure AD Groups
# First role assignment (Groups Administrator)
$payload1 = @{
    principalId      = $PRINCIPAL_ID
    roleDefinitionId = "fdd7a751-b60b-444a-984c-02652fe8fa1c"
    directoryScopeId = "/"
} | ConvertTo-Json -Depth 3
Invoke-AzRestMethod -Method POST -Uri https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments -Payload $payload1

# Second role assignment (Privileged Role Administrator)
$payload2 = @{
    principalId      = $PRINCIPAL_ID
    roleDefinitionId = "e8611ab8-c189-46e8-94e1-60213ab1f814"
    directoryScopeId = "/"
} | ConvertTo-Json -Depth 3
Invoke-AzRestMethod -Method POST -Uri https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments -Payload $payload2
```
-
On the Connectors page, verify that the connector has been updated.
Terraform
Follow these steps to set up a new connector:
-
At the shell prompt, set the environment variables.
```bash
export APONO_TOKEN=<APONO_TOKEN>
export RESOURCE_GROUP_NAME=<AZURE_RESOURCE_GROUP_NAME>
export SUBNET_ID=[<SUBNET_ID>]
```
-
In a new or existing Terraform (.tf) file, add the following provider and module information to create a connector with permissions or without permissions:
- With permissions: Enables installing the connector in the cloud environment and managing access to resources
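```hcl
# Replace the $-prefixed placeholders with literal values (the ones exported
# in the first step); Terraform does not expand shell variables.
module "connector" {
  source        = "github.com/apono-io/terraform-modules/azure/connector-with-permissions/stacks/apono-connector"
  aponoToken    = $APONO_TOKEN
  resourceGroup = $RESOURCE_GROUP_NAME
  ipAddressType = // "Private" or "None"
  subnetIds     = [$SUBNET_ID]
}
```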
- Without permissions: Enables installing the connector in the cloud environment but managing access to non-Azure resources, such as self-hosted databases
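```hcl
# Replace the $-prefixed placeholders with literal values (the ones exported
# in the first step); Terraform does not expand shell variables.
module "connector" {
  source        = "github.com/apono-io/terraform-modules/azure/connector-without-permissions/stacks/apono-connector"
  aponoToken    = $APONO_TOKEN
  resourceGroup = $RESOURCE_GROUP_NAME
  ipAddressType = // "Private" or "None"
  subnetIds     = [$SUBNET_ID]
}
```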
-
At the Terraform CLI, download and install the provider plugin and module.
```bash
terraform init
```
-
Apply the Terraform changes. The proposed changes and a confirmation prompt will be listed.
```bash
terraform apply
```
-
Enter yes to confirm deploying the changes to your Azure account.
-
On the Connectors page, verify that the connector has been deployed.