Installing an Azure connector for Container Instance

Learn how to deploy a connector in an Azure environment

Container Instance is a managed compute platform that enables running containerized applications in a fully managed serverless environment.

This article explains how to set up an Apono connector for Container Instance with a Docker image.



Prerequisites

  • Apono Token: Account-specific Apono authentication value

    Use the following steps to obtain your token:
      1. On the Connectors page, click Install Connector. The Install Connector page appears.
      2. Click Cloud installation.
      3. Click Cloud installation > Azure > Install and Connect Azure Account > CLI / Terraform (Container Instance).
      4. Copy the token listed on the page in step 1.

  • Kubernetes Command Line Tool (kubectl): Command-line tool used for communicating with a Kubernetes cluster's control plane
  • Azure Cloud Command Line Interface (AZ CLI): Tool that enables interacting with Azure services using your command-line shell:
  • Azure Cloud Information: Information for your Azure Cloud instance:
  • User Access Administrator Role: Azure subscription role that enables managing user access to Azure resources
  • User Administrator Role: Microsoft Entra role that enables the following tasks:
      • Creating and managing users and groups
      • Resetting passwords for users, helpdesk administrators, and user administrators


Install a new connector

Apono supports the following installation approaches:



Azure CLI

Follow these steps to set up a new connector:

  1. At the shell prompt, set the environment variables.

    export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>
    export APONO_TOKEN=<APONO_TOKEN>
    export SUBSCRIPTION_ID=<AZURE_SUBSCRIPTION_ID>
    export RESOURCE_GROUP_NAME=<AZURE_RESOURCE_GROUP_NAME>
    
  2. In your shell environment, log in to your Azure account and set the subscription on which you want to deploy the Apono connector.

    az login 
    az account set --subscription $SUBSCRIPTION_ID
    
  3. Set the REGION environment variable.

    export REGION=$(az group show --name $RESOURCE_GROUP_NAME --query location --output tsv)
    
  4. Run the following command to deploy the connector on the Azure Container Instance service.

    export PRINCIPAL_ID=$(az container create --subscription $SUBSCRIPTION_ID --resource-group $RESOURCE_GROUP_NAME --name $APONO_CONNECTOR_ID --ports 80 --os-type linux --image registry.apono.io/apono-connector:v1.5.3 --environment-variables APONO_CONNECTOR_ID=$APONO_CONNECTOR_ID APONO_TOKEN=$APONO_TOKEN APONO_URL=api.apono.io CONNECTOR_METADATA='{"cloud_provider":"AZURE","subscription_id":"'"$SUBSCRIPTION_ID"'","resource_group":"'"$RESOURCE_GROUP_NAME"'","region":"'"$REGION"'","is_azure_admin":true}' --cpu 1 --memory 1.5 --registry-login-server registry.apono.io --registry-username apono --registry-password $APONO_TOKEN --location $REGION --assign-identity --query identity.principalId --output tsv)
    
  5. Add the User Access Administrator role to the connector in the subscription scope.

    az role assignment create --assignee-object-id $PRINCIPAL_ID --assignee-principal-type ServicePrincipal --role "User Access Administrator" --scope /subscriptions/$SUBSCRIPTION_ID
    
  6. For Azure AD, add the Directory Readers role to the connector. For Azure AD Groups, add the Groups Administrator and Privileged Role Administrator roles.

    # Directory Readers (Azure AD)
    az rest --method POST --uri 'https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments' --body '{"principalId": "'"$PRINCIPAL_ID"'", "roleDefinitionId": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b", "directoryScopeId": "/"}'
    
    # Groups Administrator (Azure AD Groups)
    az rest --method POST --uri 'https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments' --body '{"principalId": "'"$PRINCIPAL_ID"'", "roleDefinitionId": "fdd7a751-b60b-444a-984c-02652fe8fa1c", "directoryScopeId": "/"}'
    
    # Privileged Role Administrator (Azure AD Groups)
    az rest --method POST --uri 'https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments' --body '{"principalId": "'"$PRINCIPAL_ID"'", "roleDefinitionId": "e8611ab8-c189-46e8-94e1-60213ab1f814", "directoryScopeId": "/"}'
    
  7. On the Connectors page, verify that the connector has been updated.
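
Steps 5 and 6 grant the connector's managed identity broad rights, so it is worth confirming afterwards that the identity holds exactly those roles and nothing else. The script below is an added example, not part of Apono's documentation: the function name `audit_assignments`, the `role|scope` allow-list format and the sample listing are assumptions made for illustration, and the sample subscription ID is constructed.

```sh
#!/bin/sh
# Added example, not Apono's code: compare the roles the connector identity
# holds with the ones granted in steps 5 and 6 of this guide.

# audit_assignments "<role>|<scope>"...
# Reads "<role><TAB><scope>" lines on stdin, prints one finding per line, and
# returns non-zero if an assignment is unexpected or an expected one is missing.
audit_assignments() (
    IFS=';'   # join the allow-list arguments with ';' for awk (subshell-local)
    awk -F'\t' -v allowed="$*" '
        BEGIN {
            bad = 0
            n = split(allowed, a, ";")
            for (i = 1; i <= n; i++) want[tolower(a[i])] = a[i]
        }
        NF >= 2 {
            key = tolower($1 "|" $2)
            if (key in want) { seen[key] = 1; print "OK\t" $1 "\t" $2 }
            else             { bad = 1;       print "UNEXPECTED\t" $1 "\t" $2 }
        }
        END {
            for (k in want) if (!(k in seen)) { bad = 1; print "MISSING\t" want[k] }
            exit bad
        }'
)

# Constructed sample: an RBAC listing with one assignment the guide never creates.
SAMPLE_SCOPE="/subscriptions/00000000-0000-0000-0000-000000000000"
sample_rbac() {
    printf '%s\t%s\n' \
        "User Access Administrator" "$SAMPLE_SCOPE" \
        "Owner"                     "$SAMPLE_SCOPE"
}

# Live input (needs az login plus PRINCIPAL_ID and SUBSCRIPTION_ID from the steps):
#   az role assignment list --assignee "$PRINCIPAL_ID" --all \
#       --query '[].[roleDefinitionName, scope]' --output tsv |
#     audit_assignments "User Access Administrator|/subscriptions/$SUBSCRIPTION_ID"
#   az rest --method GET --uri "https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments?\$filter=principalId eq '$PRINCIPAL_ID'" \
#       --query 'value[].[roleDefinitionId, directoryScopeId]' --output tsv |
#     audit_assignments "88d8e3e3-8f55-4a1e-953a-9b9898b8876b|/"   # Directory Readers

sample_rbac | audit_assignments "User Access Administrator|$SAMPLE_SCOPE" ||
    echo "Review the UNEXPECTED and MISSING lines above."
```

For the directory check, pass only the role definition IDs from step 6 that apply to your integration; the comparison is case-insensitive so differently cased scopes still match.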



PowerShell | Windows PowerShell

Follow these steps to set up a new connector:

  1. At the shell prompt, set the environment variables.

    $APONO_CONNECTOR_ID = "<A_UNIQUE_CONNECTOR_NAME>"
    $APONO_TOKEN = "<APONO_TOKEN>"
    $SUBSCRIPTION_ID = "<AZURE_SUBSCRIPTION_ID>"
    $RESOURCE_GROUP_NAME = "<AZURE_RESOURCE_GROUP_NAME>"
    
  2. In your shell environment, log in to your Azure account and set the subscription on which you want to deploy the Apono connector.

    Connect-AzAccount
    Set-AzContext -Subscription $SUBSCRIPTION_ID
    
  3. Set the REGION environment variable.

    $REGION=$(Get-AzResourceGroup -Name $RESOURCE_GROUP_NAME).Location
    
  4. Run the following commands to deploy the connector on the Azure Container Instance service.

    $port = New-AzContainerInstancePortObject -Port 80 -Protocol TCP
    
    $env_var1 = New-AzContainerInstanceEnvironmentVariableObject -Name "APONO_CONNECTOR_ID" -Value $APONO_CONNECTOR_ID
    
    $env_var2 = New-AzContainerInstanceEnvironmentVariableObject -Name "APONO_TOKEN" -Value $APONO_TOKEN
    
    $env_var3 = New-AzContainerInstanceEnvironmentVariableObject -Name "APONO_URL" -Value "api.apono.io"
    
    $jsonValue = @{
        cloud_provider = "AZURE"
        subscription_id = $SUBSCRIPTION_ID
        resource_group = $RESOURCE_GROUP_NAME
        region = $REGION
        is_azure_admin = $true
    } | ConvertTo-Json -Compress
    
    $env_var4 = New-AzContainerInstanceEnvironmentVariableObject -Name "CONNECTOR_METADATA" -Value $jsonValue
    
    $container = New-AzContainerInstanceObject -Image registry.apono.io/apono-connector:v1.5.3 -Name $APONO_CONNECTOR_ID -Port @($port) -EnvironmentVariable @($env_var1, $env_var2, $env_var3, $env_var4) -RequestCpu 1 -RequestMemoryInGb 1.5 
    
    $imageRegistryCredential = New-AzContainerGroupImageRegistryCredentialObject -Server "registry.apono.io" -Username "apono" -Password (ConvertTo-SecureString $APONO_TOKEN -AsPlainText -Force)
    
    $PRINCIPAL_ID=$(New-AzContainerGroup -SubscriptionId $SUBSCRIPTION_ID -ResourceGroupName $RESOURCE_GROUP_NAME -Name $APONO_CONNECTOR_ID -Container $container -OsType Linux -ImageRegistryCredential $imageRegistryCredential -Location $REGION -IdentityType "SystemAssigned").IdentityPrincipalId
    
  5. Add the User Access Administrator role to the connector in the subscription scope.

    New-AzRoleAssignment -ObjectId $PRINCIPAL_ID -ObjectType "ServicePrincipal" -RoleDefinitionName "User Access Administrator" -Scope /subscriptions/$SUBSCRIPTION_ID
    
  6. For Azure AD, add the Directory Readers role to the connector. For Azure AD Groups, add the Groups Administrator and Privileged Role Administrator roles.

    # Directory Readers (Azure AD)
    $payload = @{
        principalId = $PRINCIPAL_ID
        roleDefinitionId = "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"
        directoryScopeId = "/"
    } | ConvertTo-Json -Depth 3
    
    Invoke-AzRestMethod -Method POST -Uri https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments -Payload $payload
    
    # Groups Administrator (Azure AD Groups)
    $payload1 = @{
        principalId = $PRINCIPAL_ID
        roleDefinitionId = "fdd7a751-b60b-444a-984c-02652fe8fa1c"
        directoryScopeId = "/"
    } | ConvertTo-Json -Depth 3
    
    Invoke-AzRestMethod -Method POST -Uri https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments -Payload $payload1
    
    # Privileged Role Administrator (Azure AD Groups)
    $payload2 = @{
        principalId = $PRINCIPAL_ID
        roleDefinitionId = "e8611ab8-c189-46e8-94e1-60213ab1f814"
        directoryScopeId = "/"
    } | ConvertTo-Json -Depth 3
    
    Invoke-AzRestMethod -Method POST -Uri https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments -Payload $payload2
    
  7. On the Connectors page, verify that the connector has been updated.



Terraform

Follow these steps to set up a new connector:

  1. At the shell prompt, set the environment variables.

    export APONO_TOKEN=<APONO_TOKEN>
    export RESOURCE_GROUP_NAME=<AZURE_RESOURCE_GROUP_NAME>
    export SUBNET_ID=[<SUBNET_ID>]
    
  2. In a new or existing Terraform (.tf) file, add the following provider and module information to create a connector with permissions or without permissions:

    • With permissions: Enables installing the connector in the cloud environment and managing access to resources

        // Replace each <PLACEHOLDER> with the corresponding value from step 1.
        module "connector" {
            source        = "github.com/apono-io/terraform-modules/azure/connector-with-permissions/stacks/apono-connector"
            aponoToken    = "<APONO_TOKEN>"
            resourceGroup = "<AZURE_RESOURCE_GROUP_NAME>"
            ipAddressType = "Private" // "Private" or "None"
            subnetIds     = ["<SUBNET_ID>"]
        }

    • Without permissions: Enables installing the connector in the cloud environment, but managing access only to non-Azure resources, such as self-hosted databases

        // Replace each <PLACEHOLDER> with the corresponding value from step 1.
        module "connector" {
            source        = "github.com/apono-io/terraform-modules/azure/connector-without-permissions/stacks/apono-connector"
            aponoToken    = "<APONO_TOKEN>"
            resourceGroup = "<AZURE_RESOURCE_GROUP_NAME>"
            ipAddressType = "Private" // "Private" or "None"
            subnetIds     = ["<SUBNET_ID>"]
        }
    
  3. At the Terraform CLI, download and install the provider plugin and module.

    terraform init
    
  4. Apply the Terraform changes. The proposed changes and a confirmation prompt will be listed.

    terraform apply
    
  5. Enter yes to confirm deploying the changes to your Azure account.

  6. On the Connectors page, verify that the connector has been deployed.