
Azure Cloud Resources

Overview

Before installing the Privacera Manager software, the following Azure Cloud resources need to be created:

Prerequisite: Azure Virtual Machine
Description: A virtual machine to run the Privacera Manager software. Refer here for more details.
  🟢 For self-managed: Required.
  🟢 PrivaceraCloud Data plane: Required.
  🟢 PrivaceraCloud Data plane + Privacera Discovery: Required.

Prerequisite: Azure AKS cluster
Description: AKS cluster to run the Privacera software. Refer here for more details.
  🟢 For self-managed: Required.
  🟢 PrivaceraCloud Data plane: Required.
  🟢 PrivaceraCloud Data plane + Privacera Discovery: Required.

Prerequisite: Azure PostgreSQL
Description: Azure PostgreSQL server for the Privacera database. Refer here for more details.
  🟢 For self-managed: Required.
  🔴 PrivaceraCloud Data plane: Not Required.
  🟢 PrivaceraCloud Data plane + Privacera Discovery: Required.

Prerequisite: Wildcard certificate and Key
Description: A wildcard certificate for the domain name used for the Privacera service endpoints, along with the private key, is required. Refer here for more details.
  🟢 For self-managed: Required.
  🟢 PrivaceraCloud Data plane: Required.
  🟢 PrivaceraCloud Data plane + Privacera Discovery: Required.

Appendix

Azure Virtual Machine for running Privacera Manager

Virtual Machine

Privacera Manager runs on a Virtual Machine that has access to the Kubernetes cluster and can create and manage cloud resources.

Tip

The Privacera Manager installation on this Virtual Machine will contain signed certificates necessary for subsequent upgrades. Therefore, it is recommended that this Virtual Machine is not deleted and is protected from termination. It is also strongly advised to back up the contents of the Privacera Manager folder on a regular basis.

You don't need to run this Virtual Machine 24x7. You can stop the Virtual Machine when it is not in use.

Virtual Machine configuration

The Virtual Machine needs to be provisioned to run the Privacera Manager software. At a minimum, the instance should have the following specifications:

  • Ubuntu 20.04
  • Minimum 1 vCPU
  • Minimum 4 GB RAM
  • Minimum 100 GB disk space
  • SELinux should be disabled

User Configuration

Privacera Manager requires a dedicated user account with sudo privileges to run properly. This user must be configured with NOPASSWD sudo access to ensure automated operations can execute without manual intervention.

To create and configure the user:

  1. Create a dedicated user (e.g., privacera-admin):

    Bash
    sudo useradd -m -s /bin/bash privacera-admin
    

  2. Add the user to the sudo group:

    Bash
    sudo usermod -aG sudo privacera-admin
    

  3. Configure NOPASSWD sudo access by adding the following line to /etc/sudoers using visudo:

    Text Only
    privacera-admin ALL=(ALL) NOPASSWD:ALL
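
The three steps above, combined into one script as an added example (this is not Privacera's own tooling). It writes the NOPASSWD rule as a drop-in under /etc/sudoers.d and runs it through visudo -cf before installing it, because a sudoers file with a syntax error can leave sudo unusable for every account on the VM. The user name privacera-admin and the environment variable names are assumptions; SUDOERS_DIR can be pointed at a scratch directory for a dry run.

```sh
#!/bin/sh
# Added example (not part of the Privacera documentation): create the dedicated
# Privacera Manager account and grant it NOPASSWD sudo through a validated
# /etc/sudoers.d drop-in.
set -eu

PM_USER="${PM_USER:-privacera-admin}"        # assumed name, as in the steps above
SUDOERS_DIR="${SUDOERS_DIR:-/etc/sudoers.d}" # override to a scratch dir for a dry run

# The sudoers rule in the same form the steps above use.
sudoers_rule() {
  printf '%s ALL=(ALL) NOPASSWD:ALL\n' "$1"
}

# Reject names that sudoers would misparse (empty, whitespace, '#', ':', ...).
valid_username() {
  case "$1" in
    '' | *[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# sudo silently ignores drop-in files whose name contains '.' or ends in '~',
# so derive a safe file name from the user name.
sudoers_file_name() {
  printf '%s\n' "$1" | tr '.' '_'
}

# Write the rule to a temp file, syntax-check it, then install it with mode 0440
# (the mode sudo requires for files in sudoers.d).
install_sudoers_rule() {
  user="$1"; dir="$2"
  valid_username "$user" || { echo "invalid user name: $user" >&2; return 1; }
  tmp="$(mktemp)"
  sudoers_rule "$user" > "$tmp"
  if command -v visudo >/dev/null 2>&1; then
    visudo -cf "$tmp" >/dev/null   # parse check only; nothing is installed yet
  fi
  install -m 0440 "$tmp" "$dir/$(sudoers_file_name "$user")"
  rm -f "$tmp"
}

# Create the account if it does not exist yet and add it to the sudo group.
create_user() {
  user="$1"
  if ! id "$user" >/dev/null 2>&1; then
    useradd -m -s /bin/bash "$user"
  fi
  usermod -aG sudo "$user"
}

# The full run needs root, so it only executes when explicitly requested:
#   APPLY_PRIVACERA_USER=1 sudo ./setup-pm-user.sh
if [ "${APPLY_PRIVACERA_USER:-0}" = 1 ]; then
  create_user "$PM_USER"
  install_sudoers_rule "$PM_USER" "$SUDOERS_DIR"
  sudo -l -U "$PM_USER"   # print the effective rule as a final check
fi
```

The rule is written to a separate file instead of /etc/sudoers itself so that a later upgrade of the sudo package, which may replace /etc/sudoers, does not remove it.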
    

The following software should be installed on the virtual machine:

Packages
  • ssh, curl, tar, wget, gcc
    Bash
    sudo apt update
    sudo apt install ssh curl tar wget gcc -y
    
  • Openssl (v1.01, build 16 or later)
    Bash
    sudo apt install openssl -y
    openssl version
    
  • Python3 (with the python3-dev headers)
    Bash
    sudo apt install python3 python3-dev python3-pip python3-passlib -y
    python3 --version
    
  • User account with sudo permissions

docker

Bash
sudo apt update -y
sudo apt install docker.io -y
sudo service docker start
# replace azureuser with the account that will run Privacera Manager
# (for example the privacera-admin user created above)
sudo usermod -a -G docker azureuser

# log out and log back into the virtual machine to activate the new group
docker ps
kubectl

Follow the instructions on this link.

helm

Follow the instructions on this link.

Bash
curl -fsSL -o get_helm.sh \
  https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh

Azure AKS cluster for running Privacera Software

Azure AKS

Azure AKS cluster with the following specifications:

  • Kubernetes version - for the supported version, check Compatibility and Versions.
  • Node type - D4s v3 or similar
  • Auto-scaling node group - min 3 to max 10 nodes
  • Kubernetes Metrics Server - required for monitoring and autoscaling. See the installation instructions below.

Kubernetes Metrics Server

The Kubernetes Metrics Server is required for Privacera to function properly. It provides resource metrics for pods and nodes, which are essential for monitoring and autoscaling.

Check if Metrics Server is already installed:

Bash
kubectl get deployment metrics-server -n kube-system

If the Metrics Server is not installed, follow these steps:

Option 1: Install via YAML (Recommended)

For Azure AKS, you can install Metrics Server with the standard command:

Bash
kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml

If you encounter TLS certificate issues, patch the deployment with additional flags:

Bash
kubectl patch deployment metrics-server -n kube-system --type='json' \
  -p='[{"op": "add", "path": "/spec/template/spec/hostNetwork", "value": true},
       {"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value": "--kubelet-preferred-address-types=InternalIP,Hostname,ExternalIP"}]'

Option 2: Install via Helm

Bash
# Add Helm repository
helm repo add metrics-server https://kubernetes-sigs.github.io/metrics-server/
helm repo update

# Install with AKS-specific configuration
helm install metrics-server metrics-server/metrics-server \
  --namespace kube-system \
  --set hostNetwork.enabled=true \
  --set 'args[0]=--kubelet-preferred-address-types=InternalIP\,Hostname\,ExternalIP'

Troubleshooting TLS Certificate Errors

Azure AKS kubelets use certificates that are signed by the cluster CA and recognized by the Metrics Server automatically. You typically don't need the --kubelet-insecure-tls flag.

However, if you encounter an error like:

Text Only
Unable to fetch metrics: x509: certificate signed by unknown authority

Then re-run the Helm installation with the insecure TLS flag. This flag makes Metrics Server skip verification of the kubelet serving certificate, so treat it as a workaround for this specific error rather than a default setting. Use helm upgrade --install so the command also succeeds when a metrics-server release already exists from the first attempt:

Bash
helm upgrade --install metrics-server metrics-server/metrics-server \
  --namespace kube-system \
  --set hostNetwork.enabled=true \
  --set 'args[0]=--kubelet-insecure-tls' \
  --set 'args[1]=--kubelet-preferred-address-types=InternalIP\,Hostname\,ExternalIP'

Verify Installation:

Bash
# Check if Metrics Server is running
kubectl get deployment metrics-server -n kube-system

# Verify metrics are available (may take 1-2 minutes)
kubectl top nodes
kubectl top pods -A

For more information, refer to the official Kubernetes Metrics Server documentation.
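
The verification and troubleshooting steps above, as an added post-install check script (not from the Privacera documentation or the Metrics Server project). It checks the deployment, then the metrics APIService, and when the API is not available it classifies the most recent Metrics Server log lines and prints the matching remediation from this page. The log patterns, the environment variable names and the sample log line at the bottom are constructed assumptions; the kubectl commands are standard.

```sh
#!/bin/sh
# Added example (not Privacera's or the Metrics Server project's code):
# post-install check for Metrics Server on AKS with log-based diagnosis.
set -eu

NS="${NS:-kube-system}"
DEPLOY="${DEPLOY:-metrics-server}"

# Map a block of Metrics Server log text (read from stdin) to a short diagnosis.
# The patterns are assumed from the error text shown on this page.
classify_metrics_log() {
  log="$(cat)"
  if printf '%s\n' "$log" | grep -q 'x509: certificate signed by unknown authority'; then
    echo tls-unknown-ca
  elif printf '%s\n' "$log" | grep -qE 'x509: .*(IP SANs|certificate is valid for)'; then
    echo tls-san-mismatch
  elif printf '%s\n' "$log" | grep -qE 'no such host|connection refused|i/o timeout'; then
    echo kubelet-unreachable
  else
    echo ok
  fi
}

# Next step for each diagnosis, taken from the install options above.
remediation_for() {
  case "$1" in
    tls-unknown-ca)
      echo "kubelet serving certificate not trusted: redeploy with --kubelet-insecure-tls (workaround only; it disables kubelet certificate verification)" ;;
    tls-san-mismatch|kubelet-unreachable)
      echo "set --kubelet-preferred-address-types=InternalIP,Hostname,ExternalIP and hostNetwork=true (Option 1 patch or the Helm values above)" ;;
    ok)
      echo "no known error pattern in the logs; allow 1-2 minutes and retry 'kubectl top nodes'" ;;
    *)
      echo "unknown diagnosis: $1"; return 1 ;;
  esac
}

# Live check against the current kube context. Returns 0 when metrics flow.
check_metrics_server() {
  kubectl get deployment "$DEPLOY" -n "$NS" >/dev/null || {
    echo "Metrics Server is not installed; see Option 1 or Option 2 above"; return 1; }
  # kubectl top only works once the metrics APIService reports Available=True.
  if ! kubectl get apiservice v1beta1.metrics.k8s.io \
        -o jsonpath='{.status.conditions[?(@.type=="Available")].status}' | grep -q True; then
    diag="$(kubectl logs -n "$NS" "deployment/$DEPLOY" --tail=200 | classify_metrics_log)"
    echo "metrics API not available: $diag"
    remediation_for "$diag"
    return 1
  fi
  kubectl top nodes >/dev/null && echo "Metrics Server is serving node metrics"
}

# Run the live check only when asked (CHECK_LIVE_CLUSTER=1); otherwise show the
# classifier on a constructed sample log line so it can be tried without a cluster.
if [ "${CHECK_LIVE_CLUSTER:-0}" = 1 ]; then
  check_metrics_server
else
  printf '%s\n' 'E0101 12:00:00 scraper.go:140] "Failed to scrape node" err="Get https://10.240.0.4:10250/metrics/resource: x509: certificate signed by unknown authority" node="aks-nodepool1-0"' \
    | classify_metrics_log
fi
```

Run it with CHECK_LIVE_CLUSTER=1 after either install option; a non-zero exit means metrics are not yet being served and the printed line tells you which of the two fixes above applies.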

Azure PostgreSQL Server

Azure PostgreSQL Server

Azure PostgreSQL Server with the following specifications:

  • PostgreSQL Server.
  • Create privacera_db as the database with the following command:
    SQL
    -- PostgreSQL syntax; the encoding and collation are inherited from the
    -- server's template database
    CREATE DATABASE privacera_db;
    

Wildcard certificate and Private Key

Wildcard certificate and Private Key

A wildcard certificate for the domain name used for the Privacera service endpoints, along with the private key. This should be one of these:

  • Wildcard certificate. The certificate requirements are given in TLS Certificate.
  • Certificate with specific host names generated by Privacera Manager
  • Certificate with specific host names generated by you for the service endpoints.
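
An added example (not from Privacera) of the checks worth running on the certificate and private key before handing them to Privacera Manager: the key must belong to the certificate, the certificate must cover the service host names (wildcard matching included), it should not be close to expiry, and the key file should be readable only by its owner. The domain privacera.example.com, the host name portal.privacera.example.com, the file names and the environment variable are assumptions; with MAKE_DEMO_PAIR=1 the script generates a throwaway self-signed wildcard pair so the checks can be tried offline.

```sh
#!/bin/sh
# Added example (not Privacera's code): sanity checks for a wildcard
# certificate and its private key, using only the openssl CLI.
set -eu

# The public key inside the certificate must equal the one derived from the key.
cert_matches_key() {
  cert="$1"; key="$2"
  c="$(openssl x509 -in "$cert" -noout -pubkey)"
  k="$(openssl pkey -in "$key" -pubout)"
  [ "$c" = "$k" ]
}

# Does the certificate's CN/SAN cover this host name? openssl applies the
# wildcard rules, so *.example.com covers a.example.com but not a.b.example.com.
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Whole days until notAfter; negative once the certificate has expired.
cert_days_left() {
  end="$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')"
  end_s="$(date -d "$end" +%s)"
  echo $(( (end_s - $(date +%s)) / 86400 ))
}

# The key file must not be readable by group or others.
key_is_private() {
  mode="$(ls -l "$1" | cut -c5-10)"
  [ "$mode" = "------" ]
}

# Throwaway self-signed wildcard pair, for trying the checks only
# (requires OpenSSL 1.1.1 or later for -addext).
make_test_pair() {
  dir="$1"; domain="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" \
    -subj "/CN=*.$domain" -addext "subjectAltName=DNS:*.$domain" >/dev/null 2>&1
  chmod 600 "$dir/key.pem"
}

# Run every check for one service host name; exit status 0 means all passed.
check_pair() {
  cert="$1"; key="$2"; host="$3"; rc=0
  cert_matches_key "$cert" "$key" && echo "key matches certificate" \
    || { echo "key does NOT match certificate"; rc=1; }
  cert_covers_host "$cert" "$host" && echo "certificate covers $host" \
    || { echo "certificate does NOT cover $host"; rc=1; }
  days="$(cert_days_left "$cert")"
  [ "$days" -gt 30 ] && echo "expires in $days days" \
    || { echo "expires in $days days (renew before installing)"; rc=1; }
  key_is_private "$key" && echo "key file is owner-only" \
    || { echo "key file is readable by group/others; chmod 600 it"; rc=1; }
  return $rc
}

# Usage: ./check-cert.sh <cert.pem> <key.pem> <service host name>
if [ $# -eq 3 ]; then
  check_pair "$1" "$2" "$3"
elif [ "${MAKE_DEMO_PAIR:-0}" = 1 ]; then
  d="$(mktemp -d)"
  make_test_pair "$d" privacera.example.com
  check_pair "$d/cert.pem" "$d/key.pem" portal.privacera.example.com
fi
```

Run the same check once per service endpoint host name; a certificate that covers the wildcard but not a deeper subdomain will fail the host check for that endpoint.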