User's Guide - Deploying the ACI Application Using Azure Portal

1.0 Introduction

Welcome to the Fortanix Confidential Computing Manager (CCM) User Guide. This article describes how to deploy a confidential Azure Container Instances (ACI) group using the Azure portal.

2.0 Deploy Confidential ACI Group Using Azure Portal

Perform the following steps:

  1. From the Azure portal, search for and select the Deploy a custom template wizard button.
    Figure 1: Search Box
  2. On the Custom Deployment screen, select the Build your own template in the editor option.
    Figure 2: Build Your Own Template in the Editor
  3. On the next screen, paste the JSON ARM template copied earlier in the User’s Guide: Create an Image.
  4. Click the Save button to save the template.
    Figure 3: Paste JSON ARM Template
  5. On the Project details form, fill in the relevant details:
    • Subscription: Enter a relevant name.
      • Resource Group: Select the required resource group from the drop-down menu or create your own resource.
    • Instance details:
      • Region: Fortanix ACI is supported in East US, North Europe, West Europe, West US 2 regions only.
      • Join Token: Copy it from the CCM UI. Refer to Steps 7 and 8 below.
      • Ports: The ports will be automatically picked from the Image ARM template (can be updated if required).
      • Location: Fortanix ACI is supported in East US 2, West Europe, West US 2 regions only. For all the supported regions, refer to the Confidential SKU (preview) section at https://learn.microsoft.com/en-us/azure/container-instances/container-instances-region-availability.
      • Name: Name of the newly created resource.
      • Request App Cert: Application certificate to request from Fortanix CCM. This should be an approved domain in the App.
      • App Config Id: Leave this field blank for ACI application. For more information, refer to Workflows Applications Using Fortanix ACI.
      • Agent Log Info: Logging level for the Fortanix agent container. You can select the value from the drop-down menu.
      • Startup Timeout Minutes: Determines the duration for which the system will wait for the application certificate before timing out. The time is specified in minutes. An empty value indicates an infinite wait period.
      • Exit Delay Minutes: Determines the waiting period before the system terminates the process in the event of a certificate request failure. The time is specified in minutes. An empty value indicates an infinite wait period.
      • Disable Default Certificate: Disables requesting the default certificate when no application certificate is set up. This parameter has two options: "Enable Default Certificate" and "Deactivate Default Certificate."
        Figure 4: Deployment Details
  6. To generate your Join Token, log in to https://ccm.fortanix.com.
  7. Click the Infrastructure → Compute Nodes menu item and click + ENROLL NODE on the Compute Nodes page.
    Figure 5: Enroll Compute Node
  8. Click COPY to copy the Join Token. This Join Token is used by the compute node to authenticate itself.
    Figure 6: Generate Token
  9. Click the Review + create button to create the custom deployment.
    Figure 7: Validate Node Agent
  10. Wait for the validation to pass.
  11. After successful validation, click the Create button to create the custom deployment. 
    Figure 8: Node Agent Created
  12. Navigate to CCM UI → Infrastructure → AZURE SEV CONTAINERS tab. Check if the node with attestation type AMD_SEV_SNP is created and active.
    Figure 9: Check Status
  13. Check if the application is running successfully by ensuring that the app is active, and the compute node is linked to the image. You can also view and download the certificate to verify the status.
    Figure 10: Verify Status

3.0 Verification Steps

Perform the following steps to validate the ACI deployment:

  1. Navigate to the resource group deployment container instance.
  2. Access the required application on the public IP and port numbers. For example, if the public IP is 20.23.216.154 and the app is running on port 80, then access the application using http://20.23.216.154 or curl http://20.23.216.154:80.
  3. The nginx welcome page will be launched.
    Figure 11: Welcome Screen
  4. Ensure that the node agent and app containers of the deployment are running. Check the logs of the containers to identify errors.
    Figure 12: Check Status

    Figure 13: Check Logs
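
The checks in step 4 can also be run against the JSON that `az container show --output json` returns for the container group. The following is an added example, not part of the original guide or Fortanix tooling; it additionally confirms that the group's SKU is Confidential and that only the expected ports are exposed. The container names and sample values are constructed; the IP and port are the ones used in step 2.

```python
import json

# Constructed sample shaped like `az container show -g <rg> -n <name> -o json` output.
# Group and container names are made up; the IP and port are this guide's example.
SAMPLE = json.loads("""
{
  "name": "aci-demo",
  "provisioningState": "Succeeded",
  "sku": "Confidential",
  "ipAddress": {"ip": "20.23.216.154", "type": "Public",
                "ports": [{"port": 80, "protocol": "TCP"}]},
  "containers": [
    {"name": "app",
     "instanceView": {"restartCount": 0, "currentState": {"state": "Running"}}},
    {"name": "node-agent",
     "instanceView": {"restartCount": 3, "currentState": {"state": "Waiting"}}}
  ]
}
""")


def check_group(group, expected_ports):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if group.get("sku") != "Confidential":
        findings.append(f"sku is {group.get('sku')!r}, not 'Confidential'")
    if group.get("provisioningState") != "Succeeded":
        findings.append(f"provisioningState is {group.get('provisioningState')!r}")
    for c in group.get("containers") or []:
        view = c.get("instanceView") or {}  # absent until the container starts
        state = (view.get("currentState") or {}).get("state")
        if state != "Running":
            findings.append(f"container {c.get('name')}: state {state!r}")
        restarts = view.get("restartCount") or 0
        if restarts > 0:
            findings.append(f"container {c.get('name')}: restarted {restarts}x")
    open_ports = {p["port"] for p in (group.get("ipAddress") or {}).get("ports") or []}
    extra, missing = open_ports - set(expected_ports), set(expected_ports) - open_ports
    if extra:
        findings.append(f"unexpected exposed ports: {sorted(extra)}")
    if missing:
        findings.append(f"expected ports not exposed: {sorted(missing)}")
    return findings


if __name__ == "__main__":
    for finding in check_group(SAMPLE, expected_ports=[80]) or ["all checks passed"]:
        print(finding)
```

A container that is not Running or that keeps restarting is the point at which to open its logs, as described in step 4.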
