Identity and access management for Azure HPC in energy

The guidance in this article can help you examine design considerations and recommendations that relate to identity and access management for high-performance computing (HPC). This scenario is specific to the deployment of an HPC application for the energy industry. For more information about design considerations and recommendations, see the Azure landing zone design area for identity and access management.

Microsoft Entra Domain Services provides managed domain services such as domain join, group policy, and access to legacy authentication protocols like Lightweight Directory Access Protocol (LDAP) and Kerberos/NTLM authentication. It integrates with your existing Microsoft Entra tenant, so users can sign in to services and applications connected to the managed domain by using their Microsoft Entra credentials, and you can reuse existing groups and user accounts to secure access to resources. These features simplify a lift-and-shift of on-premises resources to Azure, especially in a hybrid environment.

For more information, see design recommendations for platform access and Azure identity and access for landing zones.

Design considerations

HPC deployments use the Azure landing zone infrastructure for their security, identity, and access management needs.

Two common deployment types in oil and gas industry workloads are cloud-only and hybrid cloud models. Although it's less complex to keep all of your compute, storage, and visualization resources in the cloud, customers sometimes use a hybrid model because of business constraints on seismic and reservoir-simulation HPC workloads.

Both the cloud-only and hybrid cloud models might have unique identity and access needs that affect which type of Active Directory solution to adopt.

Workloads in the cloud-only deployment model use Microsoft Entra ID to authenticate to Azure services, while the HPC hybrid cloud model uses the Microsoft Entra hybrid identity solution for authentication. Regardless of the deployment type, Linux clients and POSIX-compliant storage solutions require legacy Active Directory support (LDAP and Kerberos/NTLM) through Microsoft Entra Domain Services.

A typical HPC setup includes a frontend for submitting jobs, a job scheduler or orchestrator, a compute cluster, and shared storage. Jobs can be submitted from on-premises, from the cloud, or both. Identity and access management considerations for users and visualization devices might vary depending on your enterprise standards.

Review the Azure administration and management activities that you require from your teams. Consider your HPC needs on Azure resources. Determine the best possible distribution of responsibilities within your organization.

Design recommendations

Depending on the HPC compute resource orchestrator that you choose, different types of authentication methods are supported:

  • Azure CycleCloud offers three methods of authentication: a built-in database with encryption, Active Directory, or LDAP.
  • Azure Batch supports two methods of authentication: shared key and Microsoft Entra ID. A shared key is a long-lived credential that grants full control of the account to anyone who holds it, so prefer Microsoft Entra ID (with Azure RBAC) and rotate the keys if shared-key clients must remain.
  • Microsoft HPC Pack: Currently all HPC Pack nodes must be joined to an Active Directory domain. If you deploy the HPC Pack cluster in a virtual network that has a site-to-site VPN or ExpressRoute connection to your corporate network, there's usually an existing Active Directory domain. If you don't have an Active Directory domain in your virtual network yet, you can create one by promoting the head node to a domain controller.
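The two Azure Batch authentication methods above differ only in the credential that the Batch account context carries. The following PowerShell is an added example and not code from the original article or from the Azure Batch documentation; it assumes the Az.Accounts and Az.Batch modules are installed, that `Connect-AzAccount` has already been run by an identity holding an RBAC role on the account, and uses placeholder resource group and account names.

```powershell
# Added example (not part of the original article). Placeholder names:
$ResourceGroup = 'rg-hpc-energy'
$AccountName   = 'hpcenergybatch'

# Microsoft Entra ID: the context carries no account key. Data-plane calls use
# the signed-in identity's token and are authorized through Azure RBAC, so
# access can be scoped, audited and revoked per principal.
$entraCtx = Get-AzBatchAccount -ResourceGroupName $ResourceGroup -AccountName $AccountName

# Shared key: the context embeds the primary account key, a long-lived secret
# that gives full control of the account to anyone who obtains it.
$keyCtx = Get-AzBatchAccountKey -ResourceGroupName $ResourceGroup -AccountName $AccountName

# Both contexts drive the same data-plane cmdlets; only the credential differs.
Get-AzBatchPool -BatchContext $entraCtx | Select-Object Id, CurrentDedicatedComputeNodes
Get-AzBatchPool -BatchContext $keyCtx   | Select-Object Id

# Check which mode a context object will actually use before handing it to a
# script, so a "migrated" job submitter is not silently still using the key.
function Get-BatchContextAuthMode {
    param([Parameter(Mandatory)] $Context)
    if ([string]::IsNullOrEmpty($Context.PrimaryAccountKey)) { 'EntraID' } else { 'SharedKey' }
}
Get-BatchContextAuthMode -Context $entraCtx
Get-BatchContextAuthMode -Context $keyCtx

# After the last shared-key client has moved to Entra ID, regenerate the key so
# that any copies already in scripts, pipelines or tickets stop working.
New-AzBatchAccountKey -ResourceGroupName $ResourceGroup -AccountName $AccountName -KeyType Primary
```

`Get-AzBatchAccount` and `Get-AzBatchAccountKey` both return a `BatchAccountContext`; the difference is whether `PrimaryAccountKey` is populated, which is what the helper inspects. Run `New-AzBatchAccountKey` only once you have confirmed nothing still depends on the old key.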
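For the HPC Pack case where no domain is reachable from the virtual network, the promotion of the head node that the last bullet describes is done with the AD DS deployment cmdlets. This is an added example, not code from the original article or from Microsoft HPC Pack; it assumes an elevated PowerShell session on the intended head node, and the domain and NetBIOS names are placeholders. Treat it as a choice for isolated or test clusters: colocating the domain controller with the scheduler makes the head node the highest-value target in the cluster, and a compromise of it is a compromise of every node's identity.

```powershell
# Added example (not part of the original article). Placeholder names:
$DomainName  = 'hpc.contoso.local'
$NetbiosName = 'HPC'

# Install the AD DS role and its management tools. This does not create a
# domain yet; the machine is still a standalone server.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Promote this machine to the first domain controller of a new forest and
# install DNS alongside it (HPC Pack nodes resolve the domain through it).
# The Directory Services Restore Mode password is read interactively; do not
# hard-code it in a script, and store it outside the cluster.
Import-Module ADDSDeployment
Install-ADDSForest `
    -DomainName $DomainName `
    -DomainNetbiosName $NetbiosName `
    -InstallDns `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -Force

# The server reboots to finish promotion. After it comes back, confirm the
# domain is up before installing HPC Pack on the head node:
Get-ADDomain | Select-Object DNSRoot, DomainMode, PDCEmulator

# On each compute node, after joining it to the new domain, verify the secure
# channel to the domain controller before adding the node to the cluster:
Test-ComputerSecureChannel -Verbose
```

Run the verification lines in a new session after the reboot; `Install-ADDSForest` does not return control to a script that expects to continue on the same machine.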

Next steps

The following articles provide guidance for specific steps in the cloud adoption journey for energy HPC environments.