All Collections
Cloud Maker Enterprise Server
Cloud Maker Enterprise Server Install
Cloud Maker Enterprise Server Install

Install Guide for CMES self-hosted appliance

Nick Smith avatar
Written by Nick Smith
Updated over a week ago

Cloud Maker Enterprise Server (CMES) provides all the power of the Cloud Maker platform but is self-hosted and allows you to deploy it to your own Azure tenant.

This guide walks you through the installation process for deploying CMES from the Azure Marketplace.

Architecture Overview

This guide takes you through the steps for deploying the minimal installation of CMES. However, the beauty of being self-hosted is that you can define any architecture you wish to deliver your security and uptime requirements for your own CMES platform - whether it's single-region HA, cross-region HA or completely private networking.

If you want to discuss advanced deployment options, please reach out to Cloud Maker support at [email protected] or use our instant chat.

The recommended minimum install of CMES will deploy the following underlying Azure infrastructure (except for PostgreSQL which must be deployed prior to running the deployment wizard):



Azure Subscription


Azure Resource Group


Azure VNet


Azure Subnet


Azure NSG


Azure VMSS


Azure VMSS Instance


Public Load Balancer


Azure Database for PostgreSQL


Azure Storage Account


Azure Key Vault



Cloud Maker Enterprise Server requires prerequisites to be set up before the Azure Marketplace Solution Offer can be deployed. These pre-requisites are as follows:



Azure Database for PostgreSQL

Azure Database for PostgreSQL is required to be deployed before deployment of the CMES appliance. It is recommended to use PostgreSQL Flexible Server.

PostgreSQL Database Connection String

The Database connection string is required during the installation of CMES and allows the appliance to connect to the database.

Please change the Ssl Mode=Require setting to Ssl Mode=VerifyFull in the connection string.

Custom Domain Name (Optional)

The custom domain that will be used for accessing the CMES appliance through a browser and by Azure DevOps for deployments. For example,

If you don't want to use a custom domain, a default endpoint of the following format will be generated (using the Region and Public IP DNS Label chosen in Basics tab step 4 and Network tab step 8):

<public-ip-dns-label>.<region> for Azure Commercial

<public-ip-dns-label>.<region> for Azure Government

TLS Certificate (Optional)

CMES can use Let's Encrypt to automatically generate TLS certificates for either your (optional) custom domain or the default endpoint.

However, if using a custom domain, you have the option to supply a TLS certificate that you've provisioned by other means.

In this scenario, the install of CMES will require the private key and public certificate in PEM format.

Any intermediate certificates in the certificate chain will also be required in PEM format.

The first line of the certificate data in PEM format starts with 5 dashes (-----) and the last line end with 5 dashes (-----).

Do not base64 encode the PEM formatted data.

Please see the CMES TLS Certificates KB article for instructions.

Provisioning User Object ID

The Azure Active Directory User Object ID for the user that is provisioning the CMES appliance. The provisioning user will be the appliance owner and the only user that can log into the appliance until Azure AD SCIM integration has been configured post-deployment.

Application Client ID

An Azure App Registration is required to install CMES.

Please see the CMES App Registration KB article for instructions on configuring this.

Azure Tenant ID

The Azure Tenant ID of the tenant CMES is being deployed to.

Install Steps

  1. Navigate to the Cloud Maker Enterprise Server solution offer in the Azure Marketplace

  2. Click Get It Now and supply the required information.

  3. Choose the plan that you wish to deploy. By default our CMES Standard plan is selected. If you have a private plan available to you, you can select this from the Plan drop-down.

  4. Click Create to begin the set up process.

Basics Tab

  1. Ensure you are on the Basics tab of the deployment wizard.

  2. Select the Subscription you wish to deploy the CMES appliance into.

  3. Enter a name for the Azure Resource Group into which you wish to deploy CMES and associated Azure resources or create a new Resource Group.

  4. Select the region you wish to deploy CMES into.

Cloud Maker Configuration Tab

  1. Select the Cloud Maker configuration tab.

  2. Enter the Organisation Name for the Cloud Maker organisation you wish to create in the CMES appliance (this can be changed once the CMES is deployed).

  3. Enter a Provisioning User Name. This is used for initial provisioning and is then discarded. You can enter any name you like in this field.

  4. Enter the Provisioning User Object ID. Details of this can be found in the pre-requisites table above.

  5. Enter the Application Client ID. Details of this can be found in the pre-requisites table above.

  6. Enter the Tenant ID of the Azure Tenant you are deploying into.

  7. Select the version of CMES you wish to deploy. By default Latest is selected.

  8. Select the number of instances you wish to deploy into your CMES VMSS.

  9. Select the Availability Zone option that fits your needs.

  10. Select the FQDN option that fits your needs.

    1. If you would like to use the default endpoint, select Use the FQDN associated with the Public IP, supply an email address to be used with Let's Encrypt certificate request (for expiration warnings) and jump to Network tab.

    2. If you would like to use a custom domain:

      1. Choose Specify a FQDN

      2. Enter your chosen domain in the Cloud Maker FQDN box.

      3. If you'd like to allow CMES to automatically handle TLS certificate generation, select Use Let's Encrypt, supply an email address to be used with Let's Encrypt certificate request (for expiration warnings) and jump to Network tab.

      4. If you'd prefer to supply a TSL certificate provisioned by other means, select Provide certificate data.

      5. Enter the custom domain TLS Certificate Public Key. This must be in PEM format. Additional details can be found in the pre-requisites table above. Do not base64 encode the PEM formatted certificate data.

        NB: Please include the intermediate certificate PEM data if intermediate certificates are required.

      6. Enter the custom domain TLS Certificate Private Key. This must be in PEM format. Additional details can be found in the pre-requisites table above. Do not base64 encode the PEM formatted certificate data.

Network Tab

  1. Select the Network tab.

  2. Enter the name of the CMES Azure Virtual Network in the Virtual Network Name field.

  3. Enter the Address Prefix for the virtual network. is set by default.

  4. Enter the name for the CMES Subnet in the Subnet Name field.

  5. Enter the Subnet Address Prefix.

  6. Enter the Network Security Group Name.

  7. Enter the Public IP Address Name.

  8. Enter the Public DNS Label.

  9. Enter the Public Load Balancer Name.

Compute Tab

  1. Select the Compute tab.

  2. Enter a Virtual Machine Scaleset Name for the CMES appliance VMSS.

  3. Enter the Virtual Machine Scaleset Instance Name Prefix.

  4. Select the size* of CMES appliance you wish to deploy. We recommend at least a D2V4 VM size.

    *Please ensure you check the pricing information for the desired appliance size as CMES appliance pricing is tied to the number of CPU cores.

  5. Enter the Admin User Name for the virtual machine.

  6. Choose the Authentication type, either Password or SSH.

  7. Enter the VM password, or generate a new SSH Key pair and enter a key pair name.

    NB: Please note down any SSH Keys, as these are not retrievable later.

  8. Enter a name for the Network Interface Card.

  9. Select the VM Storage SKU.

Key Vault Tab

  1. Select the Key Vault tab.

  2. Enter the App Settings Key Vault Name.

  3. Enter the Data Protection Vault Name.

  4. Enter the Secret Store Key Vault Name.

  5. Enter the Certificate Store Key Vault Name.

Storage Tab

  1. Select the Storage Tab.

  2. Enter the Data Protection Storage Account Name.

  3. Enter the Secret Store Storage Account Name.

  4. Enter the Storage Account Name for shared web hosting data.

  5. Enter the Name of private endpoint for shared web hosting data Storage Account.

Security Tab

  1. Select the Security tab.

  2. Enter the User Assigned Managed Identity Name.

Database Tab

  1. Select the Database tab.

  2. Enter the ADO.NET connection string for PostgresSQL (see the pre-requisites table above).

    NB: Please ensure you change the Ssl Mode=Require to Ssl Mode=VerifyFull in the connection string; otherwise, the connection to PostgreSQL will fail.

Review + Create Tab

  1. Select the Review + Create tab and review the configuration.

  2. When you're happy. Click Create to provision the CMES appliance.

Post-Deployment Tasks

Once the CMES appliance is deployed, additional post-deployment tasks must be completed to ensure the CMES appliance operates correctly.

PostgreSQL Firewall Configuration

To allow the CMES appliance to connect to the PostgreSQL database, you must add the newly provisioned public IP address to the PostgreSQL firewall.

Once added to the PostgreSQL firewall, please restart the CMES appliance virtual machine.

DNS Configuration (Optional)

If you have used a custom domain, to route traffic to CMES (e.g. ), you need to configure the appropriate DNS settings on your desired DNS service to route traffic to CMES appliance.

The Basic install of CMES outlined in this guide deploys a Public IP for the CMES Appliance. You should configure your DNS to route to the DNS name associated with this public IP address.

If you wish to use an advanced architecture or do not wish to provision a public IP for your CMES appliance, please get in touch with Cloud Maker support at [email protected], who can discuss advanced deployment configurations for the CMES appliance.

Azure AD SCIM Integration

CMES uses enterprise-grade OIDC authentication and Azure AD SCIM integration for user and group management.

In order to allow access to users other than the provisioning user, you will need to configure Azure AD SCIM integration.

Support and Assistance

If you require any support or need assistance with the installation of CMES, please reach out to [email protected], and one of our team are on hand to assist you.

Did this answer your question?