Quickstart: Prerequisites for Operator and Containerized Network Function (CNF)

This quickstart contains the prerequisite tasks for Operator and Containerized Network Function (CNF). While it's possible to automate these tasks within your NSD (Network Service Definition), in this quickstart, the actions are performed manually.

Note

The tasks presented in this article may require some time to complete.

Permissions

You need an Azure subscription with an existing Resource Group over which you have the Contributor role and the User Access Administrator role.

Alternatively, the AOSM CLI extension can create the Resource Group for you, in which case you need the Contributor role over the subscription. If you use this option, you must then assign yourself the User Access Administrator role scoped to the newly created Resource Group.

You also need the User Access Administrator role over the Network Function Definition Publisher Resource Group. The Network Function Definition Publisher Resource Group was used in Quickstart: Publish Nginx container as Containerized Network Function (CNF). Check the input-cnf-nfd.jsonc file for the Resource Group name.

Set environment variables

Adapt the environment variable settings and references as needed for your particular environment. For example, in Windows PowerShell, you would set the environment variables as follows:

$env:ARC_RG="<my rg>"

To use an environment variable, you would reference it as $env:ARC_RG.

export resourceGroup=operator-rg
export location=<region>
export clusterName=<replace with clustername>
export customlocationId=${clusterName}-custom-location
export extensionId=${clusterName}-extension

Create Resource Group

Create a Resource Group to host your Azure Kubernetes Service (AKS) cluster. This will also be where your Operator resources are created in later guides.

az account set --subscription <subscription>
az group create -n ${resourceGroup} -l ${location}

Provision Azure Kubernetes Service (AKS) cluster

az aks create -g ${resourceGroup} -n ${clusterName} --node-count 3 --generate-ssh-keys

Enable Azure Arc

Enable Azure Arc for the Azure Kubernetes Service (AKS) cluster. Running the commands below should be sufficient. If you would like to find out more, see Create and manage custom locations on Azure Arc-enabled Kubernetes.

Retrieve the config file for AKS cluster

az aks get-credentials --resource-group ${resourceGroup} --name ${clusterName}

Create a connected cluster

Create the cluster:

az connectedk8s connect --name ${clusterName} --resource-group ${resourceGroup}

Register your subscription

Register your subscription to the Microsoft.ExtendedLocation resource provider:

az provider register --namespace Microsoft.ExtendedLocation

Enable custom locations

Enable custom locations on the cluster:

az connectedk8s enable-features -n ${clusterName} -g ${resourceGroup} --features cluster-connect custom-locations

Connect cluster

Connect the cluster:

az connectedk8s connect --name ${clusterName} -g ${resourceGroup} --location $location

Create extension

Create an extension:

az k8s-extension create -g ${resourceGroup} --cluster-name ${clusterName} --cluster-type connectedClusters --name ${extensionId} --extension-type microsoft.azure.hybridnetwork --release-train preview --scope cluster

Create custom location

Create a custom location:

export ConnectedClusterResourceId=$(az connectedk8s show --resource-group ${resourceGroup} --name ${clusterName} --query id -o tsv)
export ClusterExtensionResourceId=$(az k8s-extension show -c $clusterName -n $extensionId -t connectedClusters -g ${resourceGroup} --query id -o tsv)
az customlocation create -g ${resourceGroup} -n ${customlocationId} --namespace "azurehybridnetwork" --host-resource-id $ConnectedClusterResourceId --cluster-extension-ids $ClusterExtensionResourceId

Retrieve custom location value

Retrieve the Custom location value. You need this information to fill in the Configuration Group values for your Site Network Service (SNS).

Search for the name of the Custom location (customLocationId) in the Azure portal, then select Properties. The full Resource ID is shown in the Essentials area, in the field named ID. The following image provides an example of where the Resource ID information is located.

Screenshot showing the search field and Properties information.

Tip

The full Resource ID has a format of: /subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/microsoft.extendedlocation/customlocations/{customLocationName}

Create User Assigned Managed Identity for the Site Network Service

  1. Save the following Bicep script locally as prerequisites.bicep.

    param location string = resourceGroup().location
    param identityName string = 'identity-for-nginx-sns'

    resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
      name: identityName
      location: location
    }

    output managedIdentityId string = managedIdentity.id
    
  2. Start the deployment of the User Assigned Managed Identity by issuing the following command.

    az deployment group create --name prerequisites --resource-group ${resourceGroup} --template-file prerequisites.bicep
    
  3. The script creates a managed identity.

Retrieve Resource ID for managed identity

  1. Run the following command to find the resource ID of the created managed identity.

    az deployment group list -g ${resourceGroup} | jq -r --arg Deployment prerequisites '.[] | select(.name == $Deployment).properties.outputs.managedIdentityId.value'
    
  2. Copy and save the output, which is the resource identity. You need this output when you create the Site Network Service.

Update Site Network Service (SNS) permissions

To perform these tasks, you need either the 'Owner' or 'User Access Administrator' role in both the operator and the Network Function Definition Publisher Resource Groups. You created the operator Resource Group in prior tasks. The Network Function Definition Publisher Resource Group was created in Quickstart: Publish Nginx container as Containerized Network Function (CNF) and named nginx-publisher-rg in the input.json file.

In prior steps, you created a Managed Identity named identity-for-nginx-sns inside the operator Resource Group. This identity plays a crucial role in deploying the Site Network Service (SNS). Follow the steps in the next sections to grant the identity the 'Contributor' role over the Publisher Resource Group and over the operator Resource Group, and the Managed Identity Operator role over itself. Through this identity, the Site Network Service (SNS) attains the required permissions.

Grant Contributor role over publisher Resource Group to Managed Identity

  1. Access the Azure portal and open the Publisher Resource Group created when publishing the Network Function Definition.

  2. In the side menu of the Resource Group, select Access Control (IAM).

  3. Choose Add Role Assignment.

    Screenshot showing the publisher resource group add role assignment.

  4. Under the Privileged administrator roles category, pick Contributor, then proceed with Next.

    Screenshot showing the privileged administrator role with contributor selected.

  5. Select Managed identity.

  6. Choose + Select members then find and choose the user-assigned managed identity identity-for-nginx-sns.

    Screenshot showing the select managed identities with user assigned managed identity.

Grant Contributor role over Custom Location to Managed Identity

  1. Access the Azure portal and open the Operator Resource Group, operator-rg.

  2. In the side menu of the Resource Group, select Access Control (IAM).

  3. Choose Add Role Assignment.

    Screenshot showing the publisher resource group add role assignment to custom location.

  4. Under the Privileged administrator roles category, pick Contributor, then proceed with Next.

    Screenshot showing the privileged administrator role with contributor selected.

  5. Select Managed identity.

  6. Choose + Select members then find and choose the user-assigned managed identity identity-for-nginx-sns.

    Screenshot showing the select managed identities with user assigned managed identity.

Grant Managed Identity Operator role to itself

  1. Go to the Azure portal and search for Managed Identities.

  2. Select identity-for-nginx-sns from the list of Managed Identities.

  3. On the side menu, select Access Control (IAM).

  4. Choose Add Role Assignment.

    Screenshot showing identity for nginx SNS add role assignment.

  5. Select the Managed Identity Operator role then proceed with Next.

    Screenshot showing add role assignment with managed identity operator selected.

  6. Select Managed identity.

  7. Select + Select members and navigate to the user-assigned managed identity called identity-for-nginx-sns and proceed with the assignment.

    Screenshot showing the select managed identities with user assigned managed identity.

  8. Select Review and assign.
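The same three role assignments, done with the Azure CLI instead of the portal, as an added example that is not part of the original quickstart. It also retrieves the Custom location Resource ID by CLI (the value the "Retrieve custom location value" section has you read from the portal) and checks it against the format given in the Tip. The variable defaults, the assumed customlocation extension and the `assign` and `rg_scope` helper names are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the quickstart): grant the SNS managed identity the roles
# from the "Update Site Network Service (SNS) permissions" sections via the CLI,
# scoped exactly to the resource groups the guide names, then list what it holds.
# Assumes az is logged in, the customlocation extension is installed, and the
# variables below match those exported earlier in the guide.
set -euo pipefail

resourceGroup="${resourceGroup:-operator-rg}"            # operator RG from the guide
publisherRg="${publisherRg:-nginx-publisher-rg}"          # publisher RG from the guide
identityName="${identityName:-identity-for-nginx-sns}"   # from prerequisites.bicep
customlocationId="${customlocationId:-my-cluster-custom-location}"  # placeholder name

# Return 0 when an ID matches the shape from the Tip:
# /subscriptions/{subscriptionId}/resourcegroups/{rg}/providers/microsoft.extendedlocation/customlocations/{name}
# Case-insensitive, because the portal and the CLI print different casing.
is_customlocation_id() {
  printf '%s' "$1" | grep -Eiq \
    '^/subscriptions/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}/resourcegroups/[^/]+/providers/microsoft\.extendedlocation/customlocations/[^/]+$'
}

# Scope string for a role assignment over a whole resource group.
rg_scope() { printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"; }

# Assign one role to the identity's service principal at one scope (idempotent in az).
assign() {  # assign <principalId> <role> <scope>
  az role assignment create --assignee-object-id "$1" --assignee-principal-type ServicePrincipal \
    --role "$2" --scope "$3" --only-show-errors -o none
}

apply_sns_permissions() {
  local sub principalId identityId clId
  sub=$(az account show --query id -o tsv)
  principalId=$(az identity show -g "$resourceGroup" -n "$identityName" --query principalId -o tsv)
  identityId=$(az identity show -g "$resourceGroup" -n "$identityName" --query id -o tsv)
  # CLI equivalent of reading the Custom location's Resource ID from the portal.
  clId=$(az customlocation show -g "$resourceGroup" -n "$customlocationId" --query id -o tsv)
  is_customlocation_id "$clId" || { echo "unexpected custom location ID: $clId" >&2; return 1; }
  assign "$principalId" Contributor "$(rg_scope "$sub" "$publisherRg")"    # publisher RG
  assign "$principalId" Contributor "$(rg_scope "$sub" "$resourceGroup")"  # operator RG (custom location)
  assign "$principalId" "Managed Identity Operator" "$identityId"          # over itself
  # Review the result: only these three scopes should appear for this principal.
  az role assignment list --assignee "$principalId" --all \
    --query '[].{role:roleDefinitionName,scope:scope}' -o table
}

if [ "${1:-}" = "apply" ]; then apply_sns_permissions; fi
```

Run it as `./sns-permissions.sh apply` after exporting the variables from the guide; without the argument it only defines the functions.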

Completion of all the tasks outlined in these articles ensures that the Site Network Service (SNS) has the necessary permissions to function within the specified Azure environment.

Next steps