Azure identity and access management for HPC in manufacturing

This article builds on the considerations and recommendations described in the article Azure identity and access management design. It can help you examine design considerations for identity and access management that are specific to deploying HPC applications for the manufacturing industry on Azure.

Microsoft Entra Domain Services provides managed domain services like domain join and Group Policy. It also provides access to legacy authentication protocols like Lightweight Directory Access Protocol (LDAP) and Kerberos/NTLM authentication. Microsoft Entra Domain Services integrates with your existing Microsoft Entra tenant. This integration enables users to sign in to services and applications connected to the managed domain by using their existing Microsoft Entra ID credentials. You can also use existing groups and user accounts to help secure access to resources. These features provide a smoother lift-and-shift of on-premises resources to Azure, especially for hybrid environments.

For more information, see design recommendations for platform access and Azure identity and access for landing zones.

HPC design considerations

Depending on the HPC compute resource orchestrator that you use, various authentication methods are supported, as described here.

  • Azure CycleCloud. CycleCloud provides three authentication methods: a built-in database with encryption, Active Directory, and LDAP.
  • Azure Batch. Batch account access supports two authentication methods: Shared Key and Microsoft Entra ID.
  • HPC Pack. Currently, all HPC Pack nodes must be joined to an Active Directory domain. If you deploy the HPC Pack cluster in a virtual network that has a site-to-site VPN or Azure ExpressRoute connection to your corporate network (and firewall rules allow access to Active Directory domain controllers), there's typically already an Active Directory domain. If you don't have an Active Directory domain in your virtual network, you can create one by promoting the head node to a domain controller. Another option is to use Microsoft Entra Domain Services so that the HPC Pack nodes are joined to that managed domain instead of to on-premises Active Directory domain controllers. If the head nodes will be deployed in Azure, determine whether remote on-premises users will submit jobs. If they will, use Active Directory: it provides a better experience and allows certificates to be used properly for authentication. If you use Microsoft Entra Domain Services instead of Active Directory, remote clients must submit jobs through the REST API service.
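Because a Batch account accepts both Shared Key and Microsoft Entra ID authentication by default, a practitioner who wants to rely on Entra ID alone can restrict the account at deployment time. The following Bicep fragment is an added example, not part of the original article; the API version, parameter names, and the output are assumptions to verify against the current Microsoft.Batch resource reference.

```bicep
// Added example: deploy a Batch account that accepts only Microsoft Entra ID
// (AAD) authentication, so account keys cannot be used for data-plane calls.
// API version and parameter names are assumptions; confirm them against the
// current Microsoft.Batch/batchAccounts reference before deploying.
param location string = resourceGroup().location

@minLength(3)
@maxLength(24)
param batchAccountName string

resource batchAccount 'Microsoft.Batch/batchAccounts@2023-05-01' = {
  name: batchAccountName
  location: location
  identity: {
    // A system-assigned identity lets the account authenticate to other
    // Azure resources without storing secrets.
    type: 'SystemAssigned'
  }
  properties: {
    // The default allows 'SharedKey' as well as 'AAD' and
    // 'TaskAuthenticationToken'. Listing only 'AAD' means every client
    // must present a Microsoft Entra ID token; shared keys are rejected.
    allowedAuthenticationModes: [
      'AAD'
    ]
  }
}

// Clients use this endpoint together with an Entra ID token.
output batchAccountEndpoint string = batchAccount.properties.accountEndpoint
```

After deployment, clients that still use account keys will fail to authenticate, which is a quick way to find jobs or tools that were never moved to Entra ID.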

The following diagram shows a manufacturing reference architecture that uses CycleCloud:

Diagram that shows a manufacturing reference architecture, which uses Azure CycleCloud.

This diagram shows a manufacturing architecture that uses Batch:

Diagram that shows a manufacturing reference architecture, which uses Azure Batch.

Next steps

The following articles provide guidance that you might find helpful at various points during your cloud adoption process. They can help you succeed in your cloud adoption scenario for manufacturing HPC environments.