User's Guide - Deploying the ACI Application Using Azure Portal

1.0 Introduction

Welcome to the Fortanix Confidential Computing Manager (CCM) User Guide. This article describes how to deploy a confidential Azure Container Instances (ACI) group using the Azure portal.

2.0 Deploy Confidential ACI Group Using Azure Portal

Perform the following steps:

  1. From the Azure portal, search for and select the Deploy a custom template wizard.

    Figure 1: Search Box

  2. On the Custom Deployment screen, select the Build your own template in the editor option.

    Figure 2: Build Your Own Template in the Editor

  3. On the next screen, paste the JSON ARM template copied earlier in the User’s Guide: Create an Image.

  4. Click the Save button to save the template.

    Figure 3: Paste JSON ARM Template

  5. On the Project details form, fill in the relevant details:

    • Subscription: Enter a relevant name.

    • Resource Group: Select the required resource group from the drop-down menu or create your own resource.

    • Instance details:

      • Region: Fortanix ACI is supported only in the East US, North Europe, West Europe, and West US 2 regions.

      • Join Token: Copy it from the CCM UI. Refer to Steps 7 and 8 below.

      • Ports: The ports will be automatically picked from the Image ARM template (can be updated if required).

      • Location: Fortanix ACI is supported only in the East US 2, West Europe, and West US 2 regions. For all supported regions, refer to the Confidential SKU (preview) section at https://learn.microsoft.com/en-us/azure/container-instances/container-instances-region-availability.

      • Name: Name of the newly created resource.

      • Request App Cert: Application certificate to request from Fortanix CCM. This should be an approved domain in the App.

      • App Config Id: Leave this field blank for an ACI application. For more information, refer to Workflows Applications Using Fortanix ACI.

      • Agent Log Info: Logging level for the Fortanix agent container. You can select the value from the drop-down menu.

      • Startup Timeout Minutes: Determines the duration for which the system will wait for the application certificate before timing out. The time is specified in minutes. An empty value indicates an infinite wait period.

      • Exit Delay Minutes: Determines the waiting period before the system terminates the process in the event of a certificate request failure. The time is specified in minutes. An empty value indicates an infinite wait period.

      • Disable Default Certificate: Disables requesting the default certificate when no application certificate is set up. This parameter has two options: "Enable Default Certificate" and "Deactivate Default Certificate."

        Figure 4: Deployment Details

  6. To generate your Join Token, log in to https://ccm.fortanix.com.

  7. Click the Infrastructure → Compute Nodes menu item and click + ENROLL NODE on the Compute Nodes page.

    Figure 5: Enroll Compute Node

  8. Click COPY to copy the Join Token. This Join Token is used by the compute node to authenticate itself.

    Figure 6: Generate Token

  9. Click the Review + create button to create the custom deployment.

    Figure 7: Validate Node Agent

  10. Wait for the validation to pass.

  11. After successful validation, click the Create button to create the custom deployment. 

    Figure 8: Node Agent Created

  12. Navigate to CCM UI → Infrastructure → AZURE SEV CONTAINERS tab. Check that the node with attestation type AMD_SEV_SNP is created and active.

    Figure 9: Check Status

  13. Check if the application is running successfully by ensuring that the app is active, and the compute node is linked to the image. You can also view and download the certificate to verify the status.

    Figure 10: Verify Status

3.0 Verification Steps

Perform the following steps to validate the ACI deployment:

  1. Navigate to the resource group deployment container instance.

  2. Access the required application on the public IP and port numbers. For example, if the public IP is 20.23.216.154 and the app is running on port 80, then access the application using http://20.23.216.154 or curl http://20.23.216.154:80.

  3. The nginx welcome page will be launched.

    Figure 11: Welcome Screen

  4. Ensure that the node agent and app containers of the deployment are running. Check the logs of the containers to identify errors.

    Figure 12: Check Status

    Figure 13: Check Logs
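
The container check in step 4 can also be run against the JSON printed by az container show --resource-group <resource-group> --name <container-group> -o json. The following Python is an added example, not Fortanix or Microsoft code; the container names node-agent and app and the sample JSON are constructed assumptions, and the field names are assumed to follow the Azure CLI output shape.

```python
import json

# Constructed sample shaped like `az container show -o json` output.
# Group and container names are assumptions, not from a real deployment.
SAMPLE = json.loads("""
{
  "name": "example-aci-group",
  "sku": "Confidential",
  "containers": [
    {"name": "node-agent",
     "instanceView": {"restartCount": 0,
                      "currentState": {"state": "Running"}}},
    {"name": "app",
     "instanceView": {"restartCount": 4,
                      "currentState": {"state": "Waiting",
                                       "detailStatus": "CrashLoopBackOff"}}}
  ]
}
""")


def check_group(group, expected=("node-agent", "app"), max_restarts=0):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    # A confidential deployment should report the Confidential SKU.
    if group.get("sku") != "Confidential":
        findings.append(f"sku is {group.get('sku')!r}, expected 'Confidential'")
    by_name = {c["name"]: c for c in group.get("containers", [])}
    for name in expected:
        if name not in by_name:
            findings.append(f"{name}: container missing from group")
            continue
        # instanceView can be absent before the container has been started.
        view = by_name[name].get("instanceView") or {}
        state = view.get("currentState") or {}
        if state.get("state") != "Running":
            detail = state.get("detailStatus") or "no detail"
            findings.append(f"{name}: state {state.get('state')!r} ({detail})")
        restarts = view.get("restartCount") or 0
        if restarts > max_restarts:
            findings.append(f"{name}: restarted {restarts} times")
    return findings


if __name__ == "__main__":
    for line in check_group(SAMPLE) or ["all checks passed"]:
        print(line)
```

A container that is listed here as not running or as repeatedly restarted is the one whose logs to open first.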