Cloud Maker Enterprise Server (CMES) provides all the power of the Cloud Maker platform but is self-hosted and allows you to deploy it to your own Azure tenant.
This guide walks you through the installation process for deploying CMES from the Azure Marketplace.
Architecture Overview
This guide takes you through the steps for deploying the minimal installation of CMES. However, the beauty of being self-hosted is that you can define any architecture you wish to deliver your security and uptime requirements for your own CMES platform - whether it's single-region HA, cross-region HA or completely private networking.
If you want to discuss advanced deployment options, please reach out to Cloud Maker support at [email protected] or use our instant chat.
The recommended minimum install of CMES requires the following underlying Azure infrastructure:
Resource | QTY |
Azure Subscription | 1 |
Azure Resource Group | 2 |
Azure VNet | 1 |
Azure Subnet | 1 |
Azure NSG | 1 |
Azure VM (D2v4 recommended) | 1 |
Azure Database for PostgreSQL | 1 |
Azure Storage Account | 2 |
Azure Key Vault | 4 |
Pre-requisites:
Cloud Maker Enterprise Server requires pre-requisites to be set up before the Azure Marketplace Solution Offer can be deployed. These pre-requisites are as follows:
Pre-requisites | Details |
Azure Database for PostgreSQL | Azure Database for PostgreSQL is required to be deployed prior to deployment of the CMES appliance. |
PostgreSQL Database Connection String | The Database connection string is required during the install of CMES and allows the appliance to connect to the database. |
Domain Name | The top-level domain that will be used to create the app. and api. endpoints for accessing the CMES appliance through a browser and Azure DevOps for deployments. |
SSL Certificate for app.yourdomain.com | You will need to provision an SSL certificate for the subdomain app.yourdomain.com. Any intermediate certificates in the certificate chain will also be required in PEM format. |
SSL Certificate for api.yourdomain.com | You will need to provision an SSL certificate for the subdomain api.yourdomain.com. Any intermediate certificates in the certificate chain will also be required in PEM format. Please see the CMES SSL Certificates KB article for instructions. |
Provisioning User Object ID | The Azure Active Directory User Object ID for the user that is provisioning the CMES appliance. The provisioning user will be the appliance owner and the only user that can log into the appliance until Azure AD SCIM integration has been configured post-deployment. |
Application Client ID | An Azure App Registration is required to install CMES. |
Azure Tenant ID | The Azure Tenant ID of the tenant CMES is being deployed to. |
Certificate data | The certificate data must be supplied in PEM format. The first line of the certificate data in PEM format starts with 5 dashes (-----) and the last line ends with 5 dashes (-----). Do not base64 encode the PEM formatted data. |
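The PEM rules in the table above can be checked before the values are pasted into the deployment wizard. The following is an added example, not Cloud Maker code: the function names are hypothetical, and the sample input is constructed DER-looking bytes in PEM armor rather than a real certificate.

```python
import base64
import binascii
import re

# One PEM block: five-dash armor lines, a label, and a base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s+([A-Za-z0-9+/=\s]+?)-----END \1-----")

def sample_pem(label):
    """Constructed sample: DER-looking bytes in PEM armor, not a real certificate."""
    body = base64.encodebytes(b"\x30\x82\x01\x0a" + bytes(range(60))).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"

def chain_length(text):
    """Number of CERTIFICATE blocks, to confirm leaf plus intermediates."""
    return sum(1 for label, _ in PEM_BLOCK.findall(text) if label == "CERTIFICATE")

def check_pem_field(text, expect):
    """Return problems for one field; expect is 'certificate' or 'key'."""
    stripped = text.strip()
    if not stripped.startswith("-----"):
        try:  # Was the whole PEM text base64-encoded a second time?
            decoded = base64.b64decode("".join(stripped.split()), validate=True)
            if decoded.lstrip().startswith(b"-----BEGIN"):
                return ["value is base64-encoded PEM; paste the PEM text itself"]
        except (binascii.Error, ValueError):
            pass
        return ["first line does not start with -----"]
    problems = []
    if not stripped.endswith("-----"):
        problems.append("last line does not end with -----")
    blocks = PEM_BLOCK.findall(stripped)
    if not blocks:
        problems.append("no complete BEGIN/END block found")
    for label, body in blocks:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"{label}: body is not valid base64")
            continue
        if not der.startswith(b"\x30"):  # DER certificates and keys open with SEQUENCE
            problems.append(f"{label}: body does not decode to DER")
    keys = sum(1 for label, _ in blocks if label.endswith("PRIVATE KEY"))
    if expect == "certificate" and keys:
        problems.append("private key pasted into a certificate field")
    if expect == "certificate" and blocks and not chain_length(stripped):
        problems.append("no CERTIFICATE block in a certificate field")
    if expect == "key" and blocks and keys != 1:
        problems.append("expected exactly one private key block")
    return problems
```

The check is structural only: it does not verify signatures, expiry, or that the private key matches the certificate.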
Install Steps
Navigate to the Cloud Maker Enterprise Server solution offer in the Azure Marketplace
Click Get It Now and supply the required information.
Choose the plan that you wish to deploy. By default our CMES Standard plan is selected. If you have a private plan available to you, you can select this from the 'Plan' drop-down.
Click Create to begin the set up process.
Ensure you are on the Basics tab of the deployment wizard.
Select the Subscription you wish to deploy the CMES appliance into.
Enter a name for the Azure Resource Group into which you wish to deploy CMES and associated Azure resources.
Select the region you wish to deploy CMES into.
Select the Cloud Maker configuration tab.
Enter the Organisation Name for the Cloud Maker organisation you wish to create on the CMES appliance (this can be changed once the CMES is deployed).
Enter a Provisioning User Name. This is used for initial provisioning and is then discarded. You can enter any name you like in this field.
Enter the Provisioning User Object ID. Details of this can be found in the pre-requisites table above.
Enter the Application Client ID. Details of this can be found in the pre-requisites table above.
Enter the Tenant ID of the Azure Tenant you are deploying into.
Enter the top-level Domain Name that will be used for the CMES appliance. This will be used to create the app.domainname.com and api.domainname.com endpoints.
Enter the app.domainname.com SSL Certificate Public Key. This must be in PEM format. Additional details can be found in the pre-requisites table above. Do not base64 encode the PEM formatted certificate data.
NB: Please include the intermediate certificate PEM data if intermediate certificates are required.
Enter the app.domainname.com SSL Certificate Private Key. This must be in PEM format. Additional details can be found in the pre-requisites table above. Do not base64 encode the PEM formatted certificate data.
Enter the api.domainname.com SSL Certificate Public Key. This must be in PEM format. Additional details can be found in the pre-requisites table above. Do not base64 encode the PEM formatted certificate data.
NB: Please include the intermediate certificate PEM data if intermediate certificates are required.
Enter the app.domainname.com SSL Certificate Private Key. This must be in PEM format. Additional details can be found in the pre-requisites table above. Do not base64 encode the PEM formatted certificate data.
Select the Network tab.
Enter the name of the CMES Azure Virtual Network in the Virtual networks field.
Enter the name for the CMES Subnet in the Subnet field.
Enter the Subnet Address Prefix.
Enter the Network Security Group Name.
Select the Compute tab.
Enter a Virtual Machine Name for the CMES appliance VM.
Select the size* of CMES appliance you wish to deploy. We recommend at least a D2V4 VM size.
*Please ensure you check the pricing information for the desired appliance size as CMES appliance pricing is tied to the number of CPU cores.
Choose the Authentication type, either Password or SSH.
Enter the VM password, or generate a new SSH Key pair and enter a key pair name.
NB: Please note down any SSH Keys, as these are not retrievable later.
Enter a name for the Network Interface Card.
Enter a name for the CMES Appliance Public IP.
Select the Key Vault tab.
Enter the App Settings Key Vault Name.
Enter the Data Protection Vault Name.
Enter the Secret Store Key Vault Name.
Enter the Certificate Store Key Vault Name.
Select the Storage Tab.
Enter the Data Protection Storage Account Name.
Enter the Data Protection Storage Container Name for the Data Protection Storage Account.
Enter the Secret Store Storage Account Name.
Enter the Data Protection Storage Container Name for the Secret Store Storage Account.
Select the Security tab.
Enter the User Assigned Managed Identity Name.
Select the Database tab.
Enter the ADO.NET connection string for PostgreSQL (please see the pre-requisites table above).
NB: Please ensure you change the Ssl=Require to Ssl=VerifyFull in the connection string; otherwise, the connection to PostgreSQL will fail.
Select the Review + Create tab and review the configuration.
When you're happy, click Create to provision the CMES appliance.
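The Ssl=Require to Ssl=VerifyFull change from the Database tab step can be applied and verified with a small pre-flight script, which also masks the password so the string can be shared safely. This is an added example, not Cloud Maker code: the function names and the sample connection string are constructed, and accepting "SSL Mode" (Npgsql's keyword) alongside the guide's "Ssl" spelling is an assumption about what the portal may emit.

```python
# Constructed sample; host, database, user and password are placeholders.
SAMPLE = ("Server=cmes-db.example.invalid;Database=cmes;Port=5432;"
          "User Id=cmesadmin;Password=example-only;Ssl=Require;")

# "Ssl" is the spelling this guide uses; "SSL Mode" is Npgsql's keyword (assumed alias).
SSL_KEYS = {"ssl", "sslmode"}

def norm(key):
    """Compare keys case-insensitively and ignoring spaces."""
    return key.replace(" ", "").lower()

def parse_conn(conn):
    """Split 'Key=Value;' pairs in order. Assumes no value contains ';'."""
    pairs = []
    for part in conn.split(";"):
        if part.strip():
            key, _, value = part.partition("=")
            pairs.append((key.strip(), value.strip()))
    return pairs

def join_conn(pairs):
    return ";".join(f"{k}={v}" for k, v in pairs) + ";"

def enforce_verify_full(conn):
    """Return (connection_string, status); status is ok, rewritten or missing."""
    out, status = [], "missing"
    for key, value in parse_conn(conn):
        if norm(key) in SSL_KEYS:
            if value.lower() == "verifyfull":
                status = "ok"
            else:
                # VerifyFull validates the server certificate chain and host name.
                value, status = "VerifyFull", "rewritten"
        out.append((key, value))
    # A string with no SSL setting is returned unchanged for the operator to fix.
    return join_conn(out), status

def redact(conn):
    """Mask the password before the string is logged or pasted into a ticket."""
    return join_conn([(k, "***" if norm(k) == "password" else v)
                      for k, v in parse_conn(conn)])
```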
Post-Deployment Tasks
Once the CMES appliance is deployed, additional post-deployment tasks should be completed to ensure the best experience when using CMES.
PostgreSQL Firewall Configuration
In order to allow the CMES appliance to connect to the PostgreSQL database, you will need to add the newly provisioned public IP address to the PostgreSQL firewall.
Once added to the PostgreSQL firewall, please restart the CMES appliance virtual machine.
DNS Configuration
In order to route traffic to the CMES endpoints (app.yourdomain.com and api.yourdomain.com), you need to configure the appropriate DNS settings on your desired DNS service to route traffic to the CMES appliance.
The Basic install of CMES outlined in this guide deploys a Public IP for the CMES Appliance. You should configure your DNS to route to the DNS name associated with this public IP address.
If you wish to use an advanced architecture or do not wish to provision a public IP for your CMES appliance, please contact Cloud Maker support at [email protected], who can discuss advanced deployment configurations for the CMES appliance.
Azure AD SCIM Integration
CMES uses enterprise-grade OIDC authentication and Azure AD SCIM integration for user and group management.
In order to allow access to users other than the provisioning user, you will need to configure Azure AD SCIM integration.
Support and Assistance
If you require any support or need assistance with the installation of CMES, please reach out to [email protected], and one of our team will be on hand to assist you.