Installing an Azure connector for Container Instance

Learn how to deploy a connector in an Azure environment

Container Instance is a managed compute platform that enables running containerized applications in a fully managed serverless environment.

This article explains how to set up an Apono connector for Container Instance with a Docker image.


Prerequisites

Item | Description

Apono Token

Account-specific Apono authentication value. Use the following steps to obtain your token:

  1. On the Connectors page, click Install Connector. The Install Connector page appears.

  2. Click Cloud installation.

  3. Click Cloud installation > Azure > Install and Connect Azure Account > CLI / Terraform (Container Instance).

  4. Copy the token listed on the page in step 1.

Kubernetes Command Line Tool (kubectl)

Command-line tool used for communicating with a Kubernetes cluster's control plane

Azure Cloud Command Line Interface (AZ CLI)

Tool that enables interacting with Azure services using your command-line shell:

Azure Cloud Information

Information for your Azure Cloud instance:

User Access Administrator Role

Azure subscription role that enables managing user access to Azure resources

User Administrator Role

Microsoft Entra role that enables the following tasks:

  • Creating and managing users and groups

  • Resetting passwords for users, helpdesk administrators, and user administrators


Install a new connector

Apono supports the following installation approaches:

Azure CLI

Follow these steps to set up a new connector:

  1. At the shell prompt, set the environment variables.

    export APONO_CONNECTOR_ID="<A_UNIQUE_CONNECTOR_NAME>"
    export APONO_TOKEN="<APONO_TOKEN>"
    export SUBSCRIPTION_ID="<AZURE_SUBSCRIPTION_ID>"
    export RESOURCE_GROUP_NAME="<AZURE_RESOURCE_GROUP_NAME>"
  2. In your shell environment, log in to your Azure account and set the subscription on which you want to deploy the Apono connector.

    az login
    az account set --subscription "$SUBSCRIPTION_ID"
  3. Set the REGION environment variable.

    export REGION=$(az group show --name "$RESOURCE_GROUP_NAME" --query location --output tsv)
  4. Run the following command to deploy the connector on the Azure Container Instance service.

    export PRINCIPAL_ID=$(az container create --subscription "$SUBSCRIPTION_ID" --resource-group "$RESOURCE_GROUP_NAME" --name "$APONO_CONNECTOR_ID" --ports 80 --os-type linux --image registry.apono.io/apono-connector:v1.6.7 --environment-variables APONO_CONNECTOR_ID="$APONO_CONNECTOR_ID" APONO_TOKEN="$APONO_TOKEN" APONO_URL=api.apono.io CONNECTOR_METADATA='{"cloud_provider":"AZURE","subscription_id":"'"$SUBSCRIPTION_ID"'","resource_group":"'"$RESOURCE_GROUP_NAME"'","region":"'"$REGION"'","is_azure_admin":true}' --cpu 1 --memory 1.5 --registry-login-server registry.apono.io --registry-username apono --registry-password "$APONO_TOKEN" --location "$REGION" --assign-identity --query identity.principalId --output tsv)
  5. Add the User Access Administrator role to the connector in the subscription scope.

    az role assignment create --assignee-object-id "$PRINCIPAL_ID" --assignee-principal-type ServicePrincipal --role "User Access Administrator" --scope "/subscriptions/$SUBSCRIPTION_ID"
  6. For Azure AD, add the Directory Readers role to the connector. For Azure AD Groups, add the Groups Administrator and Privileged Role Administrator roles.

    az rest --method POST --uri 'https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments' --body '{"principalId": "'"$PRINCIPAL_ID"'", "roleDefinitionId": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b", "directoryScopeId": "/"}'
  7. On the Connectors page, verify that the connector has been updated.
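The deployment command in step 4 builds CONNECTOR_METADATA by splicing shell variables into a JSON literal, so a value containing a quote would change the JSON the connector receives. The following added example (not part of Apono's documentation) validates the three inputs and then builds the same JSON; the function names and the ASCII-only resource group rule, which is stricter than Azure's, are assumptions of this example.

```shell
#!/bin/sh
# Added example: validate the values spliced into CONNECTOR_METADATA.
LC_ALL=C; export LC_ALL   # make the character ranges below byte-exact

# Subscription IDs are GUIDs: 8-4-4-4-12 hex digits.
is_guid() {
    # Reject anything outside hex digits and '-' first (quotes, newlines, spaces).
    case "$1" in ''|*[!0-9a-fA-F-]*) return 1 ;; esac
    printf '%s\n' "$1" |
        grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Assumed rule: 1-90 ASCII letters, digits, '_', '-', '.', not ending in '.'.
is_rg_name() {
    [ "${#1}" -le 90 ] || return 1
    case "$1" in ''|*[!A-Za-z0-9_.-]*|*.) return 1 ;; esac
}

# Region names as returned by `az group show --query location`, e.g. eastus2.
is_region() {
    case "$1" in ''|*[!a-z0-9]*) return 1 ;; esac
}

# Usage: build_connector_metadata SUBSCRIPTION_ID RESOURCE_GROUP_NAME REGION
# Prints the JSON on stdout, or returns 1 and prints nothing on bad input.
build_connector_metadata() {
    is_guid "$1"    || { echo "invalid SUBSCRIPTION_ID" >&2; return 1; }
    is_rg_name "$2" || { echo "invalid RESOURCE_GROUP_NAME" >&2; return 1; }
    is_region "$3"  || { echo "invalid REGION" >&2; return 1; }
    printf '{"cloud_provider":"AZURE","subscription_id":"%s","resource_group":"%s","region":"%s","is_azure_admin":true}\n' \
        "$1" "$2" "$3"
}

# Constructed sample values; in the procedure they come from steps 1 and 3.
SAMPLE_SUB="11111111-2222-3333-4444-555555555555"
build_connector_metadata "$SAMPLE_SUB" "apono-rg" "eastus"

# A resource group value carrying quotes would rewrite the JSON, so it is refused.
build_connector_metadata "$SAMPLE_SUB" 'rg","is_azure_admin":false,"x":"' "eastus" ||
    echo "rejected: metadata not built"
```

In the procedure, the output can be captured with `CONNECTOR_METADATA="$(build_connector_metadata "$SUBSCRIPTION_ID" "$RESOURCE_GROUP_NAME" "$REGION")"` before running step 4.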

PowerShell | Windows PowerShell

Follow these steps to set up a new connector:

  1. At the shell prompt, set the environment variables.

    $APONO_CONNECTOR_ID = "<A_UNIQUE_CONNECTOR_NAME>"
    $APONO_TOKEN = "<APONO_TOKEN>"
    $SUBSCRIPTION_ID = "<AZURE_SUBSCRIPTION_ID>"
    $RESOURCE_GROUP_NAME = "<AZURE_RESOURCE_GROUP_NAME>"
  2. In your shell environment, log in to your Azure account and set the subscription on which you want to deploy the Apono connector.

    Connect-AzAccount
    Set-AzContext -Subscription $SUBSCRIPTION_ID
  3. Set the REGION environment variable.

    $REGION=$(Get-AzResourceGroup -Name $RESOURCE_GROUP_NAME).Location
  4. Run the following commands to deploy the connector on the Azure Container Instance service.

    $port = New-AzContainerInstancePortObject -Port 80 -Protocol TCP

    $env_var1 = New-AzContainerInstanceEnvironmentVariableObject -Name "APONO_CONNECTOR_ID" -Value $APONO_CONNECTOR_ID

    $env_var2 = New-AzContainerInstanceEnvironmentVariableObject -Name "APONO_TOKEN" -Value $APONO_TOKEN

    $env_var3 = New-AzContainerInstanceEnvironmentVariableObject -Name "APONO_URL" -Value "api.apono.io"

    $jsonValue = @{
        cloud_provider = "AZURE"
        subscription_id = $SUBSCRIPTION_ID
        resource_group = $RESOURCE_GROUP_NAME
        region = $REGION
        is_azure_admin = $true
    } | ConvertTo-Json -Compress

    $env_var4 = New-AzContainerInstanceEnvironmentVariableObject -Name "CONNECTOR_METADATA" -Value $jsonValue

    $container = New-AzContainerInstanceObject -Image registry.apono.io/apono-connector:v1.6.7 -Name $APONO_CONNECTOR_ID -Port @($port) -EnvironmentVariable @($env_var1, $env_var2, $env_var3, $env_var4) -RequestCpu 1 -RequestMemoryInGb 1.5

    $imageRegistryCredential = New-AzContainerGroupImageRegistryCredentialObject -Server "registry.apono.io" -Username "apono" -Password (ConvertTo-SecureString $APONO_TOKEN -AsPlainText -Force)

    $PRINCIPAL_ID=$(New-AzContainerGroup -SubscriptionId $SUBSCRIPTION_ID -ResourceGroupName $RESOURCE_GROUP_NAME -Name $APONO_CONNECTOR_ID -Container $container -OsType Linux -ImageRegistryCredential $imageRegistryCredential -Location $REGION -IdentityType "SystemAssigned").IdentityPrincipalId
  5. Add the User Access Administrator role to the connector in the subscription scope.

    New-AzRoleAssignment -ObjectId $PRINCIPAL_ID -ObjectType "ServicePrincipal" -RoleDefinitionName "User Access Administrator" -Scope "/subscriptions/$SUBSCRIPTION_ID"
  6. For Azure AD, add the Directory Readers role to the connector. For Azure AD Groups, add the Groups Administrator and Privileged Role Administrator roles.

    $payload = @{
        principalId = $PRINCIPAL_ID
        roleDefinitionId = "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"
        directoryScopeId = "/"
    } | ConvertTo-Json -Depth 3

    Invoke-AzRestMethod -Method POST -Uri https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments -Payload $payload
  7. On the Connectors page, verify that the connector has been updated.

Terraform CLI

Follow these steps to set up a new connector:

  1. At the shell prompt, set the APONO_TOKEN environment variable to your account token.

    export APONO_TOKEN=<APONO_TOKEN>
    export RESOURCE_GROUP_NAME=<AZURE_RESOURCE_GROUP_NAME>
    export SUBNET_ID=[<SUBNET_ID>]
  2. In a new or existing Terraform (.tf) file, add the following provider and module information to create a connector with permissions or without permissions:

With permissions

Enables installing the connector in the cloud environment and managing access to resources

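    // Terraform does not expand shell variables, so the step 1 values are passed in as
    // input variables (the variable names are illustrative):
    //   export TF_VAR_apono_token="$APONO_TOKEN" TF_VAR_resource_group="$RESOURCE_GROUP_NAME" TF_VAR_subnet_id="$SUBNET_ID"
    variable "apono_token" { sensitive = true }
    variable "resource_group" { type = string }
    variable "subnet_id" { type = string }

    module "connector" {
        source = "github.com/apono-io/terraform-modules/azure/connector-with-permissions/stacks/apono-connector"
        aponoToken = var.apono_token
        resourceGroup = var.resource_group
        ipAddressType = "Private" // or "None"
        subnetIds = [var.subnet_id]
    }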

Without permissions

Enables installing the connector in the cloud environment but managing access to non-Azure resources, such as self-hosted databases

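    // Terraform does not expand shell variables, so the step 1 values are passed in as
    // input variables (the variable names are illustrative):
    //   export TF_VAR_apono_token="$APONO_TOKEN" TF_VAR_resource_group="$RESOURCE_GROUP_NAME" TF_VAR_subnet_id="$SUBNET_ID"
    variable "apono_token" { sensitive = true }
    variable "resource_group" { type = string }
    variable "subnet_id" { type = string }

    module "connector" {
        source = "github.com/apono-io/terraform-modules/azure/connector-without-permissions/stacks/apono-connector"
        aponoToken = var.apono_token
        resourceGroup = var.resource_group
        ipAddressType = "Private" // or "None"
        subnetIds = [var.subnet_id]
    }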
  3. At the Terraform CLI, download and install the provider plugin and module.

    terraform init
  4. Apply the Terraform changes. The proposed changes and a confirmation prompt will be listed.

    terraform apply
  5. Enter yes to confirm deploying the changes to your Azure account.

  6. On the Connectors page, verify that the connector has been deployed.
