User's Guide - Deploying the ACI Application Using Azure Portal

1.0 Introduction

Welcome to the Fortanix Confidential Computing Manager (CCM) User Guide. This document describes how to deploy confidential Azure Container Instances (ACI) group using Azure portal.

2.0 Deploy Confidential ACI Group Using Azure Portal

1. From the Azure portal, search and select the Deploy a custom template wizard button.
   
   Figure 1: Search Box
2. On the Custom Deployment screen, select the Build your own template in the editor option.
   Figure 2: Build You Own Template in the Editor
3. In the next screen, paste the JSON ARM template copied earlier in the User’s Guide: Create an Image
4. Click the Save button to save the template.
   
   Figure 3: Paste JSON ARM Template
5. On the Project details form, fill in the relevant details:
   • Subscription: Enter a relevant name.
     • Resource Group: Select the required resource group from the drop down menu or create your own resource.
   • Instance details:
     • Region: Fortanix ACI is supported in East US, North Europe, West Europe, West US 2 countries only.
     • Join Token: Copy it from the CCM UI. Refer to Steps 7 and 8 below.
     • Ports: The ports will be automatically picked from the Image ARM template (can be updated if required).
     • Location: Fortanix ACI is supported in East US 2, West Europe, West US 2 countries only. For more information, refer to Section Confidential SKU (preview) to know all the supported regions at https://learn.microsoft.com/en-us/azure/container-instances/container-instances-region-availability.
     • Request App Cert: Application certificate to request from Fortanix CCM. This should be an approved domain in the App.
     • App Config Id: Leave this field blank for ACI application. For more information, refer to Workflows Applications Using Fortanix ACI.
     • Agent Log Info: Logging level for the Fortanix agent container. You can select the value from the drop down menu.
     • Name: Name of the newly created resource.
       
       Figure 4: Deployment Details
6. To generate your Join Token, log in to https://ccm.fortanix.com and in the Infrastructure tab, select Compute Nodes and click + ENROLL NODE in the Compute Nodes page.
   
   Figure 5: Enroll Compute Node
7. Click COPY to copy the Join Token. This Join Token is used by the compute node to authenticate itself.
   
   Figure 6: Generate Token
8. Click the Review + create button to create the custom deployment.
   
   Figure 7: Validate Node Agent
9. Wait for the validation to pass.
10. After the validation is successful, click the Create button to create the custom deployment. 
    
    Figure 8: Node Agent Created
11. Navigate to CCM UI > Infrastructure > AZURE SEV CONTAINERS tab. Check if the node with attestation type AMD_SEV_SNP is created and active.
    Figure 9: Check Status
12. Check if the application is running successfully by ensuring that the app is active, and the compute node is linked to the image. You can also view and download the certificate to verify the status.
    
    Figure10: Verify Status

3.0 Verification Steps

Perform the following steps to validate the ACI deployment:

1. Navigate to resource group deployment container instance.
2. Access the required application on the public IP and port numbers. For example, if the public IP is 20.23.216.154 and the app is running on port 80, then access the application using http://20.23.216.154 or curl http://20.23.216.154:80.
3. The nginx welcome page will be launched.
   
   Figure 11: Welcome Screen

4. Ensure that the node agent and app containers of the deployment are running. Check the logs to the containers to identify errors.
   
   Figure 12: Check Status

   
   Figure 13: Check Logs