Follow this guide to deploy the Cloud Execution for Desktop (CEfD) module for Azure private data processing.
Before you deploy the CEfD module, you must complete these steps on the Set Up Azure Subscription and Vnet for Private Data page:
Configure a resource group dedicated to Alteryx Analytics Cloud (AAC), as described in the Create Resource Group section.
Configure a Vnet dedicated to AAC, as described in the Configure Virtual Private Network section.
Create the app registration and attach the base IAM policy to the service account, as described in the Configure IAM section.
Successfully trigger private data processing provisioning, as described in the Trigger Private Data Handling Provisioning section.
Note: AAC_CEFD_SA_Role is an example role name. You can choose any name for the role, but the name must start with AAC_CEFD.
You need to create a custom IAM role. Name it AAC_CEFD_SA_Role and use the following role document. We recommend using the JSON tab instead of the visual editor. AAC requires some wildcard (*) permissions to run, so expect security warnings when you create the role. Note also that the role includes Microsoft.Authorization/roleAssignments/write and Microsoft.Authorization/roleDefinitions/write: within its assignable scope, the service principal that holds this role can create role assignments and role definitions, so protect its credentials and keep assignableScopes limited to the one subscription.
Important: Update the assignableScopes of this custom role. The scope must be your subscription ID, in the form /subscriptions/<subscription ID>.
{
  "properties": {
    "roleName": "AAC_CEFD_SA_Role",
    "description": "Custom role for provisioning AAC private data handling",
    "assignableScopes": [
      "/subscriptions/<subscription ID>"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Authorization/*/read",
          "Microsoft.Compute/availabilitySets/*",
          "Microsoft.Compute/locations/*",
          "Microsoft.Compute/virtualMachines/*",
          "Microsoft.Compute/virtualMachineScaleSets/*",
          "Microsoft.Compute/cloudServices/*",
          "Microsoft.Compute/disks/write",
          "Microsoft.Compute/disks/read",
          "Microsoft.Compute/disks/delete",
          "Microsoft.Network/applicationGateways/backendAddressPools/join/action",
          "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
          "Microsoft.Network/loadBalancers/inboundNatPools/join/action",
          "Microsoft.Network/loadBalancers/inboundNatRules/join/action",
          "Microsoft.Network/loadBalancers/probes/join/action",
          "Microsoft.Network/loadBalancers/read",
          "Microsoft.Network/locations/*",
          "Microsoft.Network/networkInterfaces/*",
          "Microsoft.Network/networkSecurityGroups/join/action",
          "Microsoft.Network/networkSecurityGroups/read",
          "Microsoft.Network/networkSecurityGroups/write",
          "Microsoft.Network/networkSecurityGroups/delete",
          "Microsoft.Network/publicIPAddresses/join/action",
          "Microsoft.Network/publicIPAddresses/read",
          "Microsoft.Network/virtualNetworks/read",
          "Microsoft.Network/virtualNetworks/subnets/join/action",
          "Microsoft.RecoveryServices/locations/*",
          "Microsoft.ResourceHealth/availabilityStatuses/read",
          "Microsoft.Resources/deployments/*",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Resources/subscriptions/read",
          "Microsoft.Resources/subscriptions/operationresults/read",
          "Microsoft.KeyVault/*",
          "Microsoft.Network/virtualNetworks/subnets/read",
          "Microsoft.ManagedIdentity/userAssignedIdentities/read",
          "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
          "Microsoft.Network/routeTables/routes/write",
          "Microsoft.Network/routeTables/routes/read",
          "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/read",
          "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write",
          "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/delete",
          "Microsoft.ManagedIdentity/userAssignedIdentities/delete",
          "Microsoft.ManagedIdentity/userAssignedIdentities/write",
          "Microsoft.Network/routeTables/read",
          "Microsoft.Network/routeTables/write",
          "Microsoft.Authorization/roleAssignments/write",
          "Microsoft.Authorization/roleAssignments/delete",
          "Microsoft.Insights/autoScaleSettings/write",
          "Microsoft.Insights/autoScaleSettings/read",
          "Microsoft.Insights/autoScaleSettings/delete",
          "Microsoft.Web/serverFarms/read",
          "Microsoft.Web/serverFarms/write",
          "Microsoft.Web/serverFarms/delete",
          "Microsoft.OperationalInsights/workspaces/read",
          "Microsoft.OperationalInsights/workspaces/write",
          "Microsoft.OperationalInsights/workspaces/delete",
          "Microsoft.Insights/components/*",
          "Microsoft.Web/sites/*",
          "Microsoft.Authorization/roleDefinitions/write",
          "Microsoft.Authorization/roleDefinitions/delete"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
Assign the AAC_CEFD_SA_Role custom IAM role to the aac_automation_sa service account created on the Set Up Azure Subscription and Vnet for Private Data page.
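Before you paste the role document into the portal or hand it to the CLI, it is worth linting it offline. The following is an added example (not Alteryx code) that checks the constraints stated above: the roleName prefix, an assignableScopes entry that is a real subscription scope rather than the <subscription ID> placeholder, well-formed action strings, and a list of the wildcard and authorization-changing actions a reviewer should consciously accept. The embedded SAMPLE_ROLE_JSON is a constructed, trimmed copy of the page's document (same shape, a subset of the actions, placeholder left in on purpose); the subscription ID used in the usage is a dummy value.

```python
"""Offline lint for an Azure custom role definition before `az role definition create`.

Added example, not part of the Alteryx documentation. The checks encode what the page
requires (name prefix, subscription-scoped assignableScopes) plus the review points a
security engineer wants surfaced (wildcards, actions that can change authorization).
"""
import copy
import json
import re

REQUIRED_PREFIX = "AAC_CEFD"
# /subscriptions/<GUID>; management groups or resource groups are not allowed by the page.
SUBSCRIPTION_SCOPE = re.compile(
    r"^/subscriptions/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE
)
# Provider.Namespace/segment/segment...; catches typos that ARM would reject at create time.
ACTION_SHAPE = re.compile(r"^[A-Za-z]+\.[A-Za-z]+(/[A-Za-z*]+)+$")

# Actions that let the holder alter authorization or identity bindings. A role carrying
# these can grant further rights inside its assignableScopes, so list them explicitly.
PRIVILEGE_GRANTING = {
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
    "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write",
}

# Constructed, trimmed copy of the page's role document (placeholder scope left in).
SAMPLE_ROLE_JSON = """
{
  "properties": {
    "roleName": "AAC_CEFD_SA_Role",
    "description": "Custom role for provisioning AAC private data handling",
    "assignableScopes": ["/subscriptions/<subscription ID>"],
    "permissions": [{
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Compute/virtualMachineScaleSets/*",
        "Microsoft.KeyVault/*",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleDefinitions/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }]
  }
}
"""


def load_role(text: str) -> dict:
    """Parse the role document; a missing comma between two actions is the usual failure."""
    try:
        return json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"role document is not valid JSON (line {exc.lineno}): {exc.msg}") from exc


def set_subscription_scope(doc: dict, subscription_id: str) -> dict:
    """Return a copy of the document with assignableScopes pinned to one subscription."""
    out = copy.deepcopy(doc)
    out["properties"]["assignableScopes"] = [f"/subscriptions/{subscription_id}"]
    return out


def lint_role(doc: dict) -> dict:
    """Return {'errors': [...], 'warnings': [...], 'action_count': n}."""
    props = doc.get("properties", doc)  # accept both the portal shape and a bare body
    errors, warnings = [], []

    name = props.get("roleName", "")
    if not name.startswith(REQUIRED_PREFIX):
        errors.append(f"roleName {name!r} must start with {REQUIRED_PREFIX}")

    scopes = props.get("assignableScopes") or []
    if not scopes:
        errors.append("assignableScopes is empty")
    for scope in scopes:
        if "<" in scope:
            errors.append(f"assignableScopes still contains the placeholder {scope!r}")
        elif not SUBSCRIPTION_SCOPE.match(scope):
            errors.append(f"assignableScopes entry {scope!r} is not a subscription scope")

    permissions = props.get("permissions", [])
    actions = [a for p in permissions for a in p.get("actions", [])]
    for action in actions:
        if not ACTION_SHAPE.match(action):
            errors.append(f"malformed action string {action!r}")
    if any(p.get("dataActions") for p in permissions):
        warnings.append("dataActions is non-empty; the page's role needs none")

    wildcards = sorted(a for a in actions if "*" in a)
    if wildcards:
        warnings.append("wildcard actions (expect a portal warning): " + ", ".join(wildcards))
    escalation = sorted(PRIVILEGE_GRANTING & set(actions))
    if escalation:
        warnings.append("actions that can change authorization: " + ", ".join(escalation))
    return {"errors": errors, "warnings": warnings, "action_count": len(actions)}


if __name__ == "__main__":
    doc = set_subscription_scope(load_role(SAMPLE_ROLE_JSON), "00000000-0000-0000-0000-000000000000")
    report = lint_role(doc)
    for level in ("errors", "warnings"):
        for finding in report[level]:
            print(f"{level[:-1].upper()}: {finding}")
```

When the linter reports no errors, create the role with `az role definition create --role-definition @AAC_CEFD_SA_Role.json` and assign it with `az role assignment create --assignee <app ID> --role AAC_CEFD_SA_Role --scope /subscriptions/<subscription ID>`; the warnings are the items to record in your change review.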
Create the route table for your subnets.
Important: You must configure the Vnet with a network connection to the internet in your subscription.
Note: This route table is an example.
Address Prefix | Next Hop Type
---|---
/22 CIDR Block | Vnet
0.0.0.0/0 | <gateway_ID>
Note: Your <gateway_ID> can be either a NAT gateway created per availability zone or a transit gateway, depending on your network architecture.
Private data processing with CEfD uses the following subnets:
aac_public (required): This subnet doesn't run any services, but is used for egress out of the cluster. Delegate this subnet to Microsoft.ContainerService/managedClusters, which grants the AKS service permission to inject the API server pods and internal load balancer into that subnet.
aac_private (required): This subnet runs services private to the PDP.
aac_option: Use this subnet if you enable Cloud Execution for Desktop within your private data processing. If you enable this option, a swarm of VM instances runs in this subnet to handle Designer Desktop processing jobs that run in the cloud.
aac_function: This subnet is used by the Azure Function that auto-scales the CEfD VMs.
Configure subnets in the aac_vpc Vnet.
Create the subnets according to the example below. You can adjust the Address Space and Subnet values to match your network architecture. Attach the network security group created on the Set Up Azure Subscription and Vnet for Private Data page to the subnets.
The address spaces are designed to accommodate a fully scaled-out data processing environment. You can choose a smaller address space if required, but you could run into scaling issues under heavy processing loads.
Important: The Subnet Name is not a flexible field; it must match the table below exactly.
Address Space | Subnet Name | Subnet | Service Endpoints | Route Table | Notes
---|---|---|---|---|---
10.10.0.0/22 | aac_option | 10.10.0.0/23 | Microsoft.Storage, Microsoft.KeyVault | Attach to the route table created in Step 2. | 
10.10.0.0/22 | aac_function | 10.10.2.0/29 | None | | Delegation: Microsoft.Web/serverFarms
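The route table and subnet table above are easy to get subtly wrong (a subnet outside the address space, a renamed subnet, a missing service endpoint, a default route whose next hop was never filled in). The following is an added example, not Alteryx code, that encodes the two tables as data and validates a plan against the page's constraints before anything is created in Azure. Assumptions made here: the route table name aac_cefd_rt and the VnetLocal next hop label (the Azure CLI's name for a virtual-network next hop) are this example's choices; the Microsoft.Web/serverFarms entry on the aac_function row is treated as the subnet delegation that Azure Functions VNet integration requires; and the usable-address figures subtract the five addresses Azure reserves in every subnet.

```python
"""Offline validation of the CEfD subnet and route table plan.

Added example, not part of the Alteryx documentation. Encodes the page's two tables as
data and checks containment, overlap, fixed names, service endpoints, delegation,
route-table attachment and the presence of a default route.
"""
import ipaddress

AZURE_RESERVED_PER_SUBNET = 5  # Azure reserves the first four and the last address of each subnet

# Constructed encoding of the page's example tables. <gateway_ID> is the page's own placeholder.
PLAN = {
    "address_space": "10.10.0.0/22",
    "subnets": [
        {"name": "aac_option", "cidr": "10.10.0.0/23",
         "service_endpoints": ["Microsoft.Storage", "Microsoft.KeyVault"],
         "route_table": "aac_cefd_rt", "delegation": None},
        {"name": "aac_function", "cidr": "10.10.2.0/29",
         "service_endpoints": [], "route_table": None,
         "delegation": "Microsoft.Web/serverFarms"},
    ],
    "route_tables": {
        "aac_cefd_rt": [
            {"prefix": "10.10.0.0/22", "next_hop": "VnetLocal"},
            {"prefix": "0.0.0.0/0", "next_hop": "<gateway_ID>"},
        ]
    },
}

# What the page requires of the two CEfD subnets (delegation reading is this example's).
REQUIREMENTS = {
    "aac_option": {"endpoints": {"Microsoft.Storage", "Microsoft.KeyVault"},
                   "needs_route_table": True, "delegation": None},
    "aac_function": {"endpoints": set(), "needs_route_table": False,
                     "delegation": "Microsoft.Web/serverFarms"},
}
# Base PDP subnets from the setup page are also legitimate names in the same Vnet.
KNOWN_NAMES = set(REQUIREMENTS) | {"aac_public", "aac_private"}


def validate_plan(plan: dict) -> list:
    """Return a list of human-readable problems; an empty list means the plan is consistent."""
    problems = []
    space = ipaddress.ip_network(plan["address_space"])
    nets = {}
    for s in plan["subnets"]:
        net = ipaddress.ip_network(s["cidr"])
        nets[s["name"]] = net
        if not net.subnet_of(space):
            problems.append(f"{s['name']} {net} lies outside address space {space}")
        if s["name"] not in KNOWN_NAMES:
            problems.append(f"{s['name']} is not one of the fixed subnet names")
        if s["route_table"] and s["route_table"] not in plan["route_tables"]:
            problems.append(f"{s['name']} references unknown route table {s['route_table']}")

    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} overlap")

    by_name = {s["name"]: s for s in plan["subnets"]}
    for name, req in REQUIREMENTS.items():
        s = by_name.get(name)
        if s is None:
            problems.append(f"required subnet {name} is missing")
            continue
        missing = req["endpoints"] - set(s["service_endpoints"])
        if missing:
            problems.append(f"{name} lacks service endpoints {sorted(missing)}")
        if req["needs_route_table"] and not s["route_table"]:
            problems.append(f"{name} has no route table attached")
        if req["delegation"] and s["delegation"] != req["delegation"]:
            problems.append(f"{name} must be delegated to {req['delegation']}")

    for rt_name, routes in plan["route_tables"].items():
        if not any(ipaddress.ip_network(r["prefix"]).prefixlen == 0 for r in routes):
            problems.append(f"route table {rt_name} has no default route 0.0.0.0/0")
        for r in routes:
            if r["next_hop"].startswith("<"):
                problems.append(f"route table {rt_name}: next hop {r['next_hop']!r} is still a placeholder")
    return problems


def capacity(plan: dict) -> dict:
    """Usable hosts per subnet and addresses left unallocated in the address space."""
    space = ipaddress.ip_network(plan["address_space"])
    sizes = {s["name"]: ipaddress.ip_network(s["cidr"]).num_addresses for s in plan["subnets"]}
    return {
        "usable_hosts": {n: size - AZURE_RESERVED_PER_SUBNET for n, size in sizes.items()},
        "spare_addresses": space.num_addresses - sum(sizes.values()),
    }


if __name__ == "__main__":
    for problem in validate_plan(PLAN):
        print("PROBLEM:", problem)
    print(capacity(PLAN))
```

Run against the page's example the only finding is the unfilled <gateway_ID> next hop, and the capacity report shows why the /29 is enough for the function subnet (3 usable addresses) while the /23 leaves 504 addresses of the /22 unallocated for growth.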
Caution: Modifying or removing any public cloud resource provisioned by the AAC system after private data handling has been configured can cause inconsistencies. Those inconsistencies can cause errors during job execution or during deprovisioning of the private data handling configuration.
CEfD provisioning is triggered from the Admin Console inside AAC. You need Workspace Admin privileges within a workspace in order to see it.
From the AAC landing page, select the Profile menu and then select Workspace Admin.
From the Admin Console, select Private Data Handling and then select Processing.
Select the Cloud Execution for Desktop checkbox and then select Update.
Selecting Update triggers the deployment of the cluster and resources in the Azure subscription. This runs a set of validation checks to verify the correct configuration of the Azure subscription.
Note: The provisioning process takes approximately 35–40 minutes to complete.
After the provisioning completes, you can view the created resources (for example, VM instances and node pools) in the Azure portal. Do not modify them manually: manual changes might break private data processing.