Installing an Azure connector for Container Instance
Learn how to deploy a connector in an Azure environment
Container Instance is a managed compute platform that enables running containerized applications in a fully managed serverless environment.
This article explains how to set up an Apono connector for Container Instance with a Docker image.
Prerequisites
Item Description Account-specific Apono authentication value
Use the following steps to obtain your token:
On the Connectors page, click Install Connector. The Install Connector page appears.
Click Cloud installation.
Click Cloud installation > Azure > Install and Connect Azure Account > CLI / Terraform (Container Instance).
Copy the token listed on the page in step 1.
Kubernetes Command Line Tool (kubectl)
Azure Cloud Command Line Interface (AZ CLI)
Tool that enables interacting with Azure services using your command-line shell:
Information for your Azure Cloud instance:
User Access Administrator Role
Microsoft Entra role that enables the following tasks:
Creating and managing users and groups
Resetting passwords for users, helpdesk administrators, and user administrators
Install a new connector
Apono supports the following installation approaches:
Azure CLI
Follow these steps to set up a new connector:
At the shell prompt, set the environment variables.
export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>
export APONO_TOKEN=<APONO_TOKEN>
export SUBSCRIPTION_ID=<AZURE_SUBSCRIPTION_ID>
export RESOURCE_GROUP_NAME=<AZURE_RESOURCE_GROUP_NAME>
In your shell environment, log in to your Azure account and set the subscription on which you want to deploy the Apono connector.
az login
az account set --subscription "$SUBSCRIPTION_ID"
Set the REGION environment variable.
export REGION=$(az group show --name "$RESOURCE_GROUP_NAME" --query location --output tsv)
Run the following command to deploy the connector on the Azure Container Instance service.
export PRINCIPAL_ID=$(az container create \
  --subscription "$SUBSCRIPTION_ID" \
  --resource-group "$RESOURCE_GROUP_NAME" \
  --name "$APONO_CONNECTOR_ID" \
  --ports 80 \
  --os-type linux \
  --image registry.apono.io/apono-connector:v1.5.3 \
  --environment-variables APONO_CONNECTOR_ID="$APONO_CONNECTOR_ID" APONO_TOKEN="$APONO_TOKEN" APONO_URL=api.apono.io CONNECTOR_METADATA='{"cloud_provider":"AZURE","subscription_id":"'"$SUBSCRIPTION_ID"'","resource_group":"'"$RESOURCE_GROUP_NAME"'","region":"'"$REGION"'","is_azure_admin":true}' \
  --cpu 1 --memory 1.5 \
  --registry-login-server registry.apono.io \
  --registry-username apono \
  --registry-password "$APONO_TOKEN" \
  --location "$REGION" \
  --assign-identity \
  --query identity.principalId \
  --output tsv)
Add the User Access Administrator role to the connector in the subscription scope.
az role assignment create --assignee-object-id "$PRINCIPAL_ID" --assignee-principal-type ServicePrincipal --role "User Access Administrator" --scope "/subscriptions/$SUBSCRIPTION_ID"
For Azure AD, add the Directory Readers role to the connector. For Azure AD Groups, add the Groups Administrator and Privileged Role Administrator roles.
Azure AD
az rest --method POST --uri 'https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments' --body '{"principalId": "'"$PRINCIPAL_ID"'", "roleDefinitionId": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b", "directoryScopeId": "/"}'
Azure AD Groups
# First role assignment
az rest --method POST --uri 'https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments' --body '{"principalId": "'"$PRINCIPAL_ID"'", "roleDefinitionId": "fdd7a751-b60b-444a-984c-02652fe8fa1c", "directoryScopeId": "/"}'
# Second role assignment
az rest --method POST --uri 'https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments' --body '{"principalId": "'"$PRINCIPAL_ID"'", "roleDefinitionId": "e8611ab8-c189-46e8-94e1-60213ab1f814", "directoryScopeId": "/"}'
On the Connectors page, verify that the connector has been updated.
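The Azure CLI steps above leave the connector's managed identity with User Access Administrator at subscription scope plus directory roles, so it is worth confirming that it holds exactly those grants and nothing else. The script below is an added example, not part of Apono's documentation; the function names, the tab-separated input format and the sample subscription ID are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not Apono's code): check the connector identity's grants
# against the set this page assigns. Function names are assumptions.

# Role name and Entra role template IDs copied from the commands above.
EXPECTED_RBAC_ROLE="User Access Administrator"
EXPECTED_DIR_ROLES="88d8e3e3-8f55-4a1e-953a-9b9898b8876b fdd7a751-b60b-444a-984c-02652fe8fa1c e8611ab8-c189-46e8-94e1-60213ab1f814"
TAB=$(printf '\t')

# audit_rbac SUBSCRIPTION_ID
# stdin: "roleDefinitionName<TAB>scope" lines, for example from
#   az role assignment list --assignee "$PRINCIPAL_ID" --all \
#     --query '[].[roleDefinitionName,scope]' --output tsv
# Prints each deviation; returns 0 only when the expected grant is all there is.
audit_rbac() {
  local want="/subscriptions/$1" role scope found=0 rc=0
  while IFS="$TAB" read -r role scope; do
    [ -n "$role" ] || continue
    if [ "$role" = "$EXPECTED_RBAC_ROLE" ] && [ "$scope" = "$want" ]; then
      found=1
    else
      echo "UNEXPECTED rbac: $role @ $scope"; rc=1
    fi
  done
  if [ "$found" -ne 1 ]; then
    echo "MISSING rbac: $EXPECTED_RBAC_ROLE @ $want"; rc=1
  fi
  return "$rc"
}

# audit_directory
# stdin: "roleDefinitionId<TAB>directoryScopeId" lines exported from the Graph
# roleAssignments collection for the same principal (export step assumed).
audit_directory() {
  local id scope rc=0
  while IFS="$TAB" read -r id scope; do
    [ -n "$id" ] || continue
    case " $EXPECTED_DIR_ROLES " in
      *" $id "*) [ "$scope" = "/" ] || { echo "UNEXPECTED directory scope: $id @ $scope"; rc=1; } ;;
      *) echo "UNEXPECTED directory role: $id @ $scope"; rc=1 ;;
    esac
  done
  return "$rc"
}

# Constructed sample input: the expected grant plus a stray Owner assignment.
SAMPLE_SUB="00000000-0000-0000-0000-000000000001"
printf 'User Access Administrator\t/subscriptions/%s\nOwner\t/subscriptions/%s\n' \
  "$SAMPLE_SUB" "$SAMPLE_SUB" | audit_rbac "$SAMPLE_SUB" || true
```

A non-zero return from either function means the identity holds something the page does not grant, or is missing the subscription-scope role.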
PowerShell | Windows PowerShell
Follow these steps to set up a new connector:
At the shell prompt, set the environment variables.
$APONO_CONNECTOR_ID = "<A_UNIQUE_CONNECTOR_NAME>"
$APONO_TOKEN = "<APONO_TOKEN>"
$SUBSCRIPTION_ID = "<AZURE_SUBSCRIPTION_ID>"
$RESOURCE_GROUP_NAME = "<AZURE_RESOURCE_GROUP_NAME>"
In your shell environment, log in to your Azure account and set the subscription on which you want to deploy the Apono connector.
Connect-AzAccount
# Set-AzContext is the Az module cmdlet for selecting the active subscription
Set-AzContext -Subscription $SUBSCRIPTION_ID
Set the REGION environment variable.
$REGION = (Get-AzResourceGroup -Name $RESOURCE_GROUP_NAME).Location
Run the following commands to deploy the connector on the Azure Container Instance service.
$port = New-AzContainerInstancePortObject -Port 80 -Protocol TCP
$env_var1 = New-AzContainerInstanceEnvironmentVariableObject -Name "APONO_CONNECTOR_ID" -Value $APONO_CONNECTOR_ID
$env_var2 = New-AzContainerInstanceEnvironmentVariableObject -Name "APONO_TOKEN" -Value $APONO_TOKEN
$env_var3 = New-AzContainerInstanceEnvironmentVariableObject -Name "APONO_URL" -Value "api.apono.io"
$jsonValue = @{
  cloud_provider = "AZURE"
  subscription_id = $SUBSCRIPTION_ID
  resource_group = $RESOURCE_GROUP_NAME
  region = $REGION
  is_azure_admin = $true
} | ConvertTo-Json -Compress
$env_var4 = New-AzContainerInstanceEnvironmentVariableObject -Name "CONNECTOR_METADATA" -Value $jsonValue
$container = New-AzContainerInstanceObject -Image registry.apono.io/apono-connector:v1.5.3 -Name $APONO_CONNECTOR_ID -Port @($port) -EnvironmentVariable @($env_var1, $env_var2, $env_var3, $env_var4) -RequestCpu 1 -RequestMemoryInGb 1.5
$imageRegistryCredential = New-AzContainerGroupImageRegistryCredentialObject -Server "registry.apono.io" -Username "apono" -Password (ConvertTo-SecureString $APONO_TOKEN -AsPlainText -Force)
$PRINCIPAL_ID = (New-AzContainerGroup -SubscriptionId $SUBSCRIPTION_ID -ResourceGroupName $RESOURCE_GROUP_NAME -Name $APONO_CONNECTOR_ID -Container $container -OsType Linux -ImageRegistryCredential $imageRegistryCredential -Location $REGION -IdentityType "SystemAssigned").IdentityPrincipalId
Add the User Access Administrator role to the connector in the subscription scope.
New-AzRoleAssignment -ObjectId $PRINCIPAL_ID -ObjectType "ServicePrincipal" -RoleDefinitionName "User Access Administrator" -Scope "/subscriptions/$SUBSCRIPTION_ID"
For Azure AD, add the Directory Readers role to the connector. For Azure AD Groups, add the Groups Administrator and Privileged Role Administrator roles.
Azure AD
$payload = @{
  principalId = $PRINCIPAL_ID
  roleDefinitionId = "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"
  directoryScopeId = "/"
} | ConvertTo-Json -Depth 3
Invoke-AzRestMethod -Method POST -Uri https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments -Payload $payload
Azure AD Groups
# First role assignment
$payload1 = @{
  principalId = $PRINCIPAL_ID
  roleDefinitionId = "fdd7a751-b60b-444a-984c-02652fe8fa1c"
  directoryScopeId = "/"
} | ConvertTo-Json -Depth 3
Invoke-AzRestMethod -Method POST -Uri https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments -Payload $payload1
# Second role assignment
$payload2 = @{
  principalId = $PRINCIPAL_ID
  roleDefinitionId = "e8611ab8-c189-46e8-94e1-60213ab1f814"
  directoryScopeId = "/"
} | ConvertTo-Json -Depth 3
Invoke-AzRestMethod -Method POST -Uri https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments -Payload $payload2
On the Connectors page, verify that the connector has been updated.
Terraform CLI
Follow these steps to set up a new connector:
At the shell prompt, set the APONO_TOKEN environment variable to your account token.
export APONO_TOKEN=<APONO_TOKEN>
export RESOURCE_GROUP_NAME=<AZURE_RESOURCE_GROUP_NAME>
export SUBNET_ID=[<SUBNET_ID>]
With permissions
Enables installing the connector in the cloud environment and managing access to resources
module "connector" {
  source = "github.com/apono-io/terraform-modules/azure/connector-with-permissions/stacks/apono-connector"
  aponoToken = $APONO_TOKEN
  resourceGroup = $RESOURCE_GROUP_NAME
  ipAddressType = // "Private" or "None"
  subnetIds = [$SUBNET_ID]
}
Without permissions
Enables installing the connector in the cloud environment but managing access to non-Azure resources, such as self-hosted databases
module "connector" {
  source = "github.com/apono-io/terraform-modules/azure/connector-without-permissions/stacks/apono-connector"
  aponoToken = $APONO_TOKEN
  resourceGroup = $RESOURCE_GROUP_NAME
  ipAddressType = // "Private" or "None"
  subnetIds = [$SUBNET_ID]
}
At the Terraform CLI, download and install the provider plugin and module.
Apply the Terraform changes. The proposed changes and a confirmation prompt will be listed.
Enter yes to confirm deploying the changes to your Azure account.
On the Connectors page, verify that the connector has been deployed.