Prerequisites
Before deploying Apporetum from the Azure Marketplace, several key factors must be considered.
Pre-Deployment Checklist
- A Global Administrator will be required to grant Application registration consent. This does not have to be the user who initiates the deployment.
- Azure Marketplace must be enabled for the organization's subscription before deploying Apporetum from the marketplace, and no Azure Policy may block marketplace purchases.
- The desired subscription must not be managed by a Cloud Solution Provider (CSP).
- The account starting the deployment from the marketplace must have Contributor rights to the target subscription or resource group.
- Have a plan for how your organization will connect Apporetum to your network infrastructure, e.g. VNet peering or attaching to an existing Virtual Network.
- An application registration, including the application admin permissions described below, must be created in the Azure tenancy before deploying Apporetum from the Azure Marketplace.
- Have the required App registration and its associated Client Secret ready.
- The Subscription ID and Tenant ID will also be required; note them down.
Recommendations
- It’s highly recommended to deploy Apporetum into an empty resource group or create a resource group in the deployment wizard.
Creating an Application Registration
Before deploying Apporetum from the Azure Marketplace, you will need to create an application registration in your Azure Active Directory. The deployment script will use this registration as the owner of a new App Registration that is used for daily operation. We will use the provided App Registration to keep everything up to date and ready for you. Ultimately, ownership of both registrations remains with the customer.
The deployment App Registration can be created as follows:
- From the Azure portal, select Azure Active Directory and open the App Registrations page.
- Click the "New Registration" button to create a new application registration.
- On the "Register an application" page, enter the following information:
  - For the application registration name, enter a name that identifies the deployment option for Apporetum (e.g. "Apporetum_PROD").
  - Select the "Accounts in any organizational directory" option.
- Click "Register" to create the application.
- On the overview page for the newly created application registration, copy the "Application (client) ID" GUID. This will be required later when deploying Apporetum from the marketplace.
- Select the "API permissions" tab and click "Add a permission".
- Under "Microsoft APIs", select "Microsoft Graph". Then, under "Delegated permissions", search for "User.Read" and select the checkbox.
- Next, under "Application permissions", search for "Application.ReadWrite.OwnedBy" and select the checkbox.
- Click "Add permissions".
- Click "Grant admin consent for default directory". This step requires global admin rights.
Generating a Client Secret
Apporetum requires a client application secret to be generated before deployment from the marketplace. Follow these steps to generate a client secret:
- From the Azure portal, select Azure Active Directory and open the App Registrations page.
- Select the application registration you created earlier.
- Open the "Certificates & secrets" tab, select "Client secrets", and click "New client secret".
- Fill out a description for the secret and specify a duration. It is recommended to use 2 years, but this may depend on organizational policies.
- Click "Add".
- After adding the Client Secret, its value will be displayed. Copy and save this value, as you will not be able to display it later. This value will be used for the deployment of Apporetum.
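The portal steps above (registering the application, adding the two Microsoft Graph permissions, generating a 2-year secret and granting admin consent) can also be performed from the Azure CLI. The script below is an added example, not Apporetum's own tooling; it assumes `az` is installed and logged in, and the variable names, the `RUN_APPORETUM_PREREQS` switch and the secret file location are our own choices.

```shell
#!/usr/bin/env bash
# Added example, not Apporetum tooling: performs the portal steps above with Azure CLI.
# Assumes `az` is installed and `az login` has been run; admin consent needs Global Administrator.
set -euo pipefail

APP_NAME="${1:-Apporetum_PROD}"                          # registration name from the steps above
GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"      # Microsoft Graph resource app ID
USER_READ_ID="e1fe6dd8-ba31-4d61-89e7-88639da4683d"      # User.Read (delegated -> type Scope)
APP_RW_OWNEDBY_ID="18a4783c-866b-4cc7-a460-3d5e5662c884" # Application.ReadWrite.OwnedBy (application -> type Role)
SECRET_FILE="apporetum-client-secret.txt"                # our choice of location; use a vault in practice

# Pure function: the requiredResourceAccess document passed to `az ad app create`.
# Kept separate so the exact permission set can be reviewed before anything is changed in the tenant.
required_resource_access() {
  printf '[{"resourceAppId":"%s","resourceAccess":[{"id":"%s","type":"Scope"},{"id":"%s","type":"Role"}]}]' \
    "$GRAPH_APP_ID" "$USER_READ_ID" "$APP_RW_OWNEDBY_ID"
}

create_deployment_app() {
  # "Accounts in any organizational directory" is the AzureADMultipleOrgs sign-in audience.
  local app_id
  app_id=$(az ad app create --display-name "$APP_NAME" \
    --sign-in-audience AzureADMultipleOrgs \
    --required-resource-accesses "$(required_resource_access)" \
    --query appId -o tsv)
  echo "Application (client) ID: $app_id"   # needed by the marketplace wizard

  # Client secret, 2-year duration as recommended above. The value is shown once only,
  # so it is written to a 0600 file rather than echoed into the terminal or CI log.
  umask 077
  az ad app credential reset --id "$app_id" --display-name "apporetum-deploy" \
    --years 2 --query password -o tsv > "$SECRET_FILE"
  echo "Client secret saved to $SECRET_FILE"

  # A service principal must exist before tenant-wide consent can be recorded.
  az ad sp create --id "$app_id" >/dev/null
  # Equivalent of "Grant admin consent"; fails unless the signed-in user is a Global Administrator.
  az ad app permission admin-consent --id "$app_id"

  echo "Tenant ID:       $(az account show --query tenantId -o tsv)"
  echo "Subscription ID: $(az account show --query id -o tsv)"
}

# Only change the tenant when explicitly asked; sourcing the file just defines the functions.
if [ "${RUN_APPORETUM_PREREQS:-0}" = "1" ]; then
  create_deployment_app
fi
```

Run it with `RUN_APPORETUM_PREREQS=1 ./create-apporetum-app.sh Apporetum_PROD`; the printed Application (client) ID, Tenant ID and Subscription ID are the values the marketplace wizard asks for.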
Resource Permissions
At a minimum, the System Administrator will require Contributor rights on the targeted subscription to deploy the resource group and the services within it. An enterprise application registration and client secret are required before Apporetum can be deployed from the Azure Marketplace; the remaining services are deployed as part of the marketplace application install process.
Networking between the resource group and Azure Active Directory (or an alternative identity provider for on-premises Active Directory) may also need to be considered.
Networking
Before deploying Apporetum, you will need to consider which network option is best for your organization. We provide both the ability to create a new Virtual Network situated within Apporetum's Managed Resource Group and the ability to link to an existing Virtual Network in the same Azure Region. As with all networking, each option has pros and cons. When deciding which is right for you, we recommend you think about:
- Network isolation - Apporetum only needs to connect to your on-premises Active Directories and file servers.
- Network control - We allow you to fully customize the Virtual Network in both situations, but with an existing network you have sole control, e.g. over NSGs and firewall rules.
- Maintainability - When using an existing Virtual Network, Apporetum provides no support for the network itself. If a change is required, we may email you to notify you that a change is required.
New Virtual Network
The most straightforward way to deploy Apporetum is to create a new Virtual Network (VNet) through the deployment wizard. We suggest leveraging Azure's VNet Peering feature to establish connectivity between Apporetum and your hub VNet, which is linked to your On-Premises Active Directory. To ensure compatibility with VNet peering, it may be necessary to modify the default address space to avoid conflicts with your existing network.
Existing Virtual Network
Apporetum allows you to connect directly to a pre-existing Virtual Network (VNet) and its subnets. However, as a limitation of the Managed Application offering, we are unable to create subnets or link some of our resources to your existing infrastructure. Therefore, to use this configuration, you will need to set up the VNet and subnets beforehand with the necessary configuration. It's essential to plan and configure your network appropriately to ensure successful deployment and optimal performance of Apporetum.
You must ensure that the VNet that you would like to connect with Apporetum is hosted in the SAME Azure Region.
Configure Your Subnets
We recommend that you configure a total of three subnets with the following properties to reliably deploy and maintain Apporetum.

| Name | Required Addresses | Delegation |
|---|---|---|
| API Subnet | 2 | System.Web |
| KeyVault Subnet | 2 | System.KeyVault |
| Database Subnet | 2 | System.Sql |

Using an existing VNet will require post-deployment tasks. After your deployment, we recommend you follow the steps here.