Deploy Common Dependencies from the service catalog into a workload

Azure Enclave is a cloud networking service that provides organizations with highly sensitive data the ability to quickly deploy and manage workloads across Commercial and air-gapped Azure clouds at scale. In this quickstart, you:

Deploy a service catalog template for Common Dependencies when deploying Azure services into an existing workload from the Portal. The template includes the options to create a:

Note

This sample deployment is just for demo purposes and doesn't represent all the best practices for network, systems, or applications administration.

Before you begin

Prerequisites

There are guardrail requirements on the enclaves to ensure enclave resources are using Customer-Managed Keys (CMK) encryption. This requires that a key, and an identity that can access the key, be available in the enclave. Create the CMK (optional Key Vault) and Managed Identity in the Common Dependencies service catalog template.

  1. Subnet for Private Endpoints: You had the option to create subnets during enclave creation or you can create new subnets after enclave creation.
  2. Quickly create these Private DNS Zones based on what you create next:
    • Key Vault is required when creating a Key Vault from this template or the more customizable Key Vault template.
    • Storage File, Storage Queue, Storage Blob, and Storage Table are required when making a Storage Account from this template or the more customizable Storage Account template.

Deploy the template

  1. Navigate to the workload for the intended deployment.
  2. Select the Add Service button.
  3. Select the Common Dependencies service template from the service catalog list dropdown, confirm the version you need (default: latest), and select Next.

Screenshot showing the Common Dependencies template selected from the service catalog list.

  4. Go through each tab and enter all the required parameters.
  5. Adjust any of the prepopulated parameters as needed.
  6. Select Review + Create then Create.

It can take 30 minutes to finish all resource creation. Wait for the deployment to be successfully completed before you take any actions within your deployed resources.

Validate the deployment

Go to the specified resource group to confirm the intended resources were created.

Delete the deployment

If you don't plan on keeping these resources, clean up unnecessary resources to avoid Azure charges. If no other deployments exist in the resource group, the whole resource group can be deleted.

Recommendations

  • Add tags to service catalog deployments to track important information for that resource such as:
    • Owner: <main POC>
    • Deployer: <yourName>
    • Purpose: <enclave shared resources>
    • Service Catalog Name: <Common Dependencies>
    • Service Catalog Version: <version you deployed>
  • Consider adding an Azure Policy to enforce and inherit tags
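
One way to implement the tag-inheritance recommendation above, as an added example that is not part of the original quickstart: an Azure Policy definition that uses the modify effect to copy a tag from the resource group onto any resource that lacks it. The default tag name Owner and the premise that the tag is already set on the resource group are assumptions made for this example; the role ID is the built-in Contributor role, which the policy's remediation identity needs in order to write tags.

```json
{
  "properties": {
    "displayName": "Inherit a tag from the resource group if missing (added example)",
    "description": "Example only, not from the quickstart. Copies the named tag from the resource group to resources that do not have it.",
    "mode": "Indexed",
    "parameters": {
      "tagName": {
        "type": "String",
        "defaultValue": "Owner",
        "metadata": {
          "displayName": "Tag name",
          "description": "Assumed default. Assign once per tag, e.g. Deployer, Purpose, Service Catalog Name."
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "exists": "false"
          },
          {
            "value": "[resourceGroup().tags[parameters('tagName')]]",
            "notEquals": ""
          }
        ]
      },
      "then": {
        "effect": "modify",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "operations": [
            {
              "operation": "add",
              "field": "[concat('tags[', parameters('tagName'), ']')]",
              "value": "[resourceGroup().tags[parameters('tagName')]]"
            }
          ]
        }
      }
    }
  }
}
```

The bracket form of the field expression is what allows tag names containing spaces, such as Service Catalog Name. The second condition skips resources whose resource group does not carry the tag, so nothing is written with an empty value.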

Troubleshooting

Expiration date doesn't match

If you deploy the Common Dependencies template and see an error about the expiration date not matching for the CMK (Customer Managed Key) resource, you probably already have a CMK (a Key Vault key) with the same name. This can occur if you deploy the template with the same inputs twice, since the expiration date can't be updated through a redeployment. This means that your CMK already exists and you can use it as-is. If you need to update the CMK, you can log in to your Admin VM, then access the key vault via the portal to make changes. You can also redeploy the Common Dependencies template and change the name of the CMK to create a new CMK.