
CMES via Public Connectivity Install Guide

Deploy a publicly accessible CMES for access over the internet.

Written by Nick Smith
Updated over 2 years ago

Cloud Maker Enterprise Server (CMES) provides all the power of the Cloud Maker platform but is self-hosted and allows you to deploy it to your Azure tenant.

This guide walks you through the installation process for deploying CMES from the Azure Marketplace.

Architecture Overview - Public Connectivity via the Internet

CMES is a powerful, self-hosted version of Cloud Maker that can be deployed in several ways to support your security, availability and governance needs.

This guide focuses on the Public Connectivity option when deploying Cloud Maker Enterprise Server. Please look at the Cloud Maker Enterprise Server KB article for other deployment options.

The Marketplace CMES installation uses the following underlying Azure infrastructure:

Resource                             | Qty
-------------------------------------|----
Azure Subscription                   | 1
Azure Resource Group                 | 1
Azure vNet                           | 1
Azure Subnet                         | 2
Azure NSG                            | 2
Azure VM Scale Set                   | 1
Minimum Azure VM Instance            | 1
External Load Balancer               | 1
NAT Gateway                          | 1
Public IP Address                    | 2
PostgreSQL Flexible Server           | 1
Azure Storage Account                | 2
Azure Key Vault                      | 1
Private Endpoints                    | 3
Azure Application Security Groups    | 2

Of these, only the public IP address attached to the External Load Balancer is an inbound entry point from the internet; the second public IP address belongs to the NAT Gateway and carries outbound traffic only. The Key Vault and the two Storage Accounts are reached over the three Private Endpoints, and the PostgreSQL Flexible Server sits in its own Database Subnet behind the second NSG, so none of them need to be exposed publicly.

Architecture Diagram

CMES Architecture - Public Connectivity via the Internet

Prerequisites

Cloud Maker Enterprise Server needs the following to be in place before the Azure Marketplace solution offer can be deployed:

Custom Domain Name (Optional)

The custom domain is used to reach the CMES appliance in a browser and by Azure DevOps for deployments, for example cmes.yourdomain.com.

Alternatively, you can use the default endpoint instead of a custom domain.

A default endpoint of the following format will be generated, using the Region chosen in Basics tab step 4 and the Public IP DNS Label chosen in Network tab step 7:

<public-ip-dns-label>.<region>.cloudapp.azure.com for Azure Commercial

<public-ip-dns-label>.<region>.cloudapp.usgovcloudapi.net for Azure Government

TLS Certificate (Optional)

When deploying CMES with public connectivity, Let's Encrypt can automatically generate TLS certificates for your (optional) custom domain or the default endpoint.

If you wish to use your own TLS certificate with your custom domain, you will require the private key and public certificate in PEM format.

Any intermediate certificates in the certificate chain are also required in PEM format, and are supplied in the same field as the server certificate.

PEM text begins with a -----BEGIN ...----- header line and ends with the matching -----END ...----- footer line (five dashes on each side). Paste the PEM text exactly as it is.

Do not base64 encode the PEM formatted data: the body between the header and footer lines is already base64, and encoding it a second time produces data the appliance cannot read.

Please take a look at the CMES TLS Certificates KB article for instructions.

Provisioning User Object ID

The Azure Active Directory Object ID (a GUID) of the user who will provision the CMES appliance. This user becomes the appliance owner and is the only user who can log into the appliance until Azure AD SCIM integration has been configured post-deployment, so use an account you control and will keep access to.

App Registration

An Azure App Registration is required to install CMES. You will need its Tenant ID, Application (client) ID and a client secret. Client secrets expire on the date set when they are created; record that date so the secret can be rotated before it expires.

Please take a look at the CMES App Registration KB article for instructions on configuring this.
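The three identifiers above (Provisioning User Object ID, Application Client ID and Tenant ID) are all GUIDs, and a mis-pasted one is the usual reason a deployment fails validation. The script below is an added example for this guide, not Cloud Maker tooling: it collects the values with the Azure CLI from a session already logged in (az login) to the target tenant and checks their shape before you paste them into the wizard. The App Registration display name, the script name and the environment variable names are placeholders; the endDateTime field for secret expiry is what current, Microsoft Graph based versions of the Azure CLI return.

```shell
#!/usr/bin/env bash
# Added example, not Cloud Maker tooling: gather the identifiers the Cloud Maker
# Configuration tab asks for and check their shape before pasting them.
# Requires an Azure CLI session logged in (az login) to the tenant you deploy into.
set -euo pipefail

# is_guid VALUE : Object ID, Client ID and Tenant ID are all GUIDs. Rejects a UPN or a
# display name pasted by mistake, and values with stray whitespace (the portal does
# not trim the field for you).
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# provisioning_user_object_id [UPN] : the signed-in user by default, or a named user.
# This user becomes the appliance owner and the only login until SCIM is configured.
provisioning_user_object_id() {
  if [ $# -eq 0 ]; then az ad signed-in-user show --query id -o tsv
  else az ad user show --id "$1" --query id -o tsv; fi
}

# tenant_id : the tenant of the current az session; must be the one you deploy into.
tenant_id() { az account show --query tenantId -o tsv; }

# app_client_id DISPLAY_NAME : appId of the App Registration set up per the KB article.
app_client_id() { az ad app list --display-name "$1" --query '[0].appId' -o tsv; }

# secret_expiry CLIENT_ID : expiry of the client secret(s); note it for rotation.
# (endDateTime is the field name returned by Graph-based Azure CLI releases.)
secret_expiry() { az ad app credential list --id "$1" --query '[].endDateTime' -o tsv; }

# check_guid LABEL VALUE : print the value with a verdict; return 1 if malformed.
check_guid() {
  if is_guid "$2"; then printf '%-28s %s\n' "$1" "$2"
  else printf '%-28s %s  <-- not a GUID\n' "$1" "$2" >&2; return 1; fi
}

# Usage (placeholder names):
#   APP_NAME='cmes-app-registration' ./cmes-ids.sh [provisioning-user@yourdomain.com]
if [ -n "${APP_NAME:-}" ]; then
  check_guid 'Provisioning User Object ID' "$(provisioning_user_object_id "$@")"
  check_guid 'Tenant ID'                   "$(tenant_id)"
  client_id=$(app_client_id "$APP_NAME")
  check_guid 'Application Client ID'       "$client_id"
  echo "client secret expiry: $(secret_expiry "$client_id" | tr '\n' ' ')"
fi
```

The client secret value itself is deliberately not fetched here; it is shown once when created and should travel from the App Registration to the wizard's secret field and nowhere else.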

Install Steps

  1. Navigate to the Cloud Maker Enterprise Server solution offer in the Azure Marketplace

  2. Click Get It Now and supply the required information.

  3. Choose the plan that you wish to deploy. By default, our CMES Standard plan is selected. If you have a private plan, you can choose this from the Plan drop-down.

  4. Click Create to begin the set-up process.

Basics Tab

  1. Ensure you are on the Basics tab of the deployment wizard.

  2. Select the Subscription you wish to deploy the CMES appliance into.

  3. Enter a name for the Azure Resource Group into which you wish to deploy CMES and associated Azure resources or create a new Resource Group if required.

  4. Select the region you wish to deploy CMES into.

Cloud Maker Configuration Tab

  1. Select the Cloud Maker configuration tab.

  2. Enter the Organisation Name for the Cloud Maker organisation you'd like to create in the CMES appliance (this can be changed once the CMES is deployed).

  3. Enter a Provisioning User Name. This is used for initial provisioning and is then discarded. You can enter any name you like in this field.

  4. Enter the Provisioning User Object ID. Details of this can be found in the pre-requisites table above.

  5. Enter the Application Client ID from the App Registration you created as part of the pre-requisites.

  6. Enter the Application Client secret generated from the App Registration you created as part of the prerequisites.

  7. Confirm the Application Client secret.

  8. Enter the Tenant ID of the Azure Tenant you are deploying into (can be found on the App Registration details you created as part of the prerequisites).

  9. Select the version of CMES you wish to deploy. By default, the latest version number is selected.

  10. Select the number of VM instances you wish to deploy into your CMES VMSS.

  11. Select the Availability Zone option that fits your needs.

  12. Select the Public connectivity from the Cloud Maker Enterprise Server connectivity options drop-down.

  13. Select the FQDN Option that fits your need:

    1. If you want to use the default endpoint, select Use the FQDN associated with the Public IP, supply an email address for the Let's Encrypt certificate request (for expiration warnings) and jump to the Network tab.

    2. If you would like to use a custom domain:

      1. Choose Specify a FQDN

      2. Enter your chosen domain in the Cloud Maker FQDN box.

      3. If you'd like to allow CMES to automatically handle TLS certificate generation, select Use Let's Encrypt.

      4. Enter an email address to be used with the Let's Encrypt certificate request (for expiration warnings) and jump to the Network tab.

      5. If you would prefer to supply a TLS certificate provisioned by other means, select Provide certificate data.

      6. Enter the custom domain TLS Certificate Public Key. Despite the field name, this is the PEM text of the server certificate itself, not a bare public key. Additional details can be found in the pre-requisites table above. Do not base64 encode the PEM formatted certificate data.

        NB: If your CA issues through intermediate certificates, append their PEM data after the server certificate in this same field, server certificate first.

      7. Enter the custom domain TLS Certificate Private Key. This must be the unencrypted PEM private key that matches the certificate; there is no passphrase field. Additional details can be found in the pre-requisites table above. Do not base64 encode the PEM formatted key data.
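Before pasting certificate data into steps 6 and 7, check the files the way the wizard will read them. The script below is an added example, not part of CMES; the file names, the CMES_FQDN/CERT/KEY variable names and the use of the local system trust store for chain verification are assumptions. It confirms the PEM header and footer lines, catches a file that has been base64-encoded a second time or a passphrase-protected key, counts the certificates in the chain file, and uses OpenSSL to confirm that the key matches the first certificate, that the certificate covers the Cloud Maker FQDN, and that the chain verifies.

```shell
#!/usr/bin/env bash
# Added example, not part of CMES: pre-flight checks for the certificate and private key
# you are about to paste into "Provide certificate data". File names are placeholders.
set -euo pipefail

# pem_structure_ok FILE KIND : KIND is "cert" or "key". The first non-blank line must be
# the -----BEGIN ...----- header and the last non-blank line the matching -----END ...-----
# footer. CRs are stripped so a file saved on Windows still passes the check.
pem_structure_ok() {
  local file=$1 kind=$2 first last
  first=$(grep -m1 . "$file" | tr -d '\r' || true)
  last=$(awk 'NF{l=$0} END{print l}' "$file" | tr -d '\r')
  case $kind in
    cert) [ "$first" = '-----BEGIN CERTIFICATE-----' ] && [ "$last" = '-----END CERTIFICATE-----' ] ;;
    key)  case "$first|$last" in
            '-----BEGIN '*'PRIVATE KEY-----|-----END '*'PRIVATE KEY-----') : ;;
            *) return 1 ;;
          esac ;;
    *)    return 2 ;;
  esac
}

# key_is_encrypted FILE : the wizard has no passphrase field, so an encrypted key is unusable.
key_is_encrypted() {
  grep -Eq -e 'BEGIN ENCRYPTED PRIVATE KEY' -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# looks_double_encoded FILE : the common paste mistake, base64-encoding the PEM text, which
# is already base64 between its header and footer lines.
looks_double_encoded() {
  local decoded
  if grep -q -- '-----BEGIN' "$1"; then return 1; fi
  decoded=$(base64 -d "$1" 2>/dev/null || true)
  case $decoded in -----BEGIN*) return 0 ;; *) return 1 ;; esac
}

# cert_count FILE : certificates in the "Certificate Public Key" field. 1 means no
# intermediates, which is only right when the CA signs leaves directly from a root.
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# key_matches_cert CERT KEY : the public key inside the first certificate in CERT must equal
# the one derived from KEY. This also proves the leaf comes first, ahead of intermediates.
key_matches_cert() {
  local c k
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_matches_host CERT FQDN : the certificate must cover the Cloud Maker FQDN you enter.
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# chain_verifies CERT : path from the leaf through the intermediates in the same file to the
# local system trust store (assumption: the same roots your users' browsers trust).
chain_verifies() { openssl verify -untrusted "$1" "$1" >/dev/null; }

# preflight CERT KEY FQDN : run every check and report; non-zero if anything failed.
preflight() {
  local cert=$1 key=$2 fqdn=$3 rc=0
  pem_structure_ok "$cert" cert      || { echo "cert: not PEM (header/footer)"; rc=1; }
  pem_structure_ok "$key" key        || { echo "key: not PEM (header/footer)"; rc=1; }
  ! looks_double_encoded "$cert"     || { echo "cert: base64-encoded twice"; rc=1; }
  ! key_is_encrypted "$key"          || { echo "key: passphrase-protected; decrypt it first"; rc=1; }
  echo "certificates in file: $(cert_count "$cert")"
  key_matches_cert "$cert" "$key"    || { echo "key does not match the first certificate"; rc=1; }
  cert_matches_host "$cert" "$fqdn"  || { echo "certificate does not cover $fqdn"; rc=1; }
  chain_verifies "$cert"             || { echo "chain does not verify to a trusted root"; rc=1; }
  return $rc
}

# Usage (placeholder names):
#   CERT=chain.pem KEY=key.pem CMES_FQDN=cmes.yourdomain.com ./tls-preflight.sh
if [ -n "${CMES_FQDN:-}" ]; then preflight "${CERT:?}" "${KEY:?}" "$CMES_FQDN"; fi
```

Run it against the exact files you intend to paste; if it reports a problem, fix the file rather than the wizard input, so the corrected material is what you keep on record.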

Network Tab

  1. Select the Network tab.

  2. On the Networking option drop-down, select whether to deploy CMES into an existing vNet or create a new vNet. The default option is to create a new vNet as part of the initial deployment.

    1. If creating a new vNet:

      1. Enter the name of the CMES Azure Virtual Network in the Virtual Network Name field.

      2. Enter the Address Prefix for the virtual network. 10.0.0.0/16 is set by default.

      3. Enter a name for the new CMES subnet in the Primary Subnet Name field.

      4. Enter the subnet prefix for the new primary subnet in the Primary Subnet Address Prefix field. The default is 10.0.0.0/24.

      5. Enter the name of the Network Security Group on the Primary Subnet.

      6. Enter the name of the Database Subnet to be created in the new vNet.

      7. Enter the Database Subnet Address Prefix. The default is 10.0.1.0/24.

      8. Enter the name of the Database Subnet Network Security Group.

    2. If using an existing vNet:

      1. Select the existing vNet you want to use for the CMES deployment.

      2. Select the Primary Subnet from the Primary Subnet drop-down menu.

      3. Enter the name of the new Network Security Group that will be assigned to the Primary Subnet.

      4. Select the existing Database Subnet from the dropdown menu.

      5. Enter the name of the new Network Security Group that will be assigned to the Database Subnet.

  3. Enter the name of the VMSS Instances Application Security Group that will be used to protect the VMSS network traffic.

  4. Enter the name of the Private Endpoint Application Security Group that will be used to protect private endpoint network traffic.

  5. If you are deploying a new vNet, or into an existing vNet that already contains a subnet named AzureBastionSubnet, you can optionally deploy an instance of Azure Bastion by checking the Azure Bastion box. Bastion gives you SSH access to the scale set instances through the Azure portal without exposing them directly to the internet.

    1. Enter the Azure Bastion Name.

    2. Enter the Azure Bastion Public IP Address Name.

  6. Enter the Public IP Address Name.

  7. Enter the Public IP DNS Label.

  8. Enter the Load Balancer Name.

  9. Enter the NAT Gateway Name.

  10. Enter the Public IP Name for NAT Gateway.

Compute Tab

  1. Select the Compute tab.

  2. Enter a Virtual Machine Scale Set Name for the CMES appliance VMSS.

  3. Enter the Virtual Machine Scale Set Instance Name Prefix.

  4. Select the size* of the CMES appliance you wish to deploy. We recommend at least a D2 v4-series VM size.

    *Please make sure you check the pricing information for the desired appliance size since CMES appliance pricing is tied to the number of CPU cores.

  5. Enter the Admin User Name for the virtual machine.

  6. Choose the Authentication type, either Password or SSH. SSH public key authentication is the stronger option and the one to prefer for an internet-facing appliance.

  7. Enter the VM password, or generate a new SSH key pair and enter a key pair name.

    NB: When Azure generates the key pair, download the private key when prompted and store it securely. Azure keeps only the public key, and the private key cannot be retrieved later.

  8. Enter a name for the Network Interface Card.

  9. Select the VM Storage SKU.

  10. Select whether you wish VM Boot Diagnostics to be Enabled or Disabled.

Key Vault Tab

  1. Select the Key Vault tab.

  2. Enter the Key Vault Name.

  3. Enter the Key Vault Private Endpoint Name.

Storage Tab

  1. Select the Storage Tab.

  2. Enter the App Storage Account Name.

  3. Enter the Name of private endpoint for app Storage Account.

  4. Enter the Storage Account Name for shared web hosting data.

  5. Enter the Name of private endpoint for shared web hosting data Storage Account.

Security Tab

  1. Select the Security tab.

  2. Enter the User Assigned Managed Identity Name. This new User Assigned Managed Identity will be created during the CMES deployment.

Database Tab

  1. Select the Database tab.

  2. Enter the PostgreSQL Server Name you wish to use. PostgreSQL will be deployed as part of the CMES deployment process.

  3. Enter the PostgreSQL Server Admin Username.

  4. Enter the PostgreSQL Server Admin User Password.

  5. Confirm the PostgreSQL Server Admin User Password.

  6. Select the desired PostgreSQL Server Specification from the drop-down menu.

  7. Select the Backup Retention Days you wish to use for PostgreSQL backups.

  8. Select whether you wish to enable geo-replicated backups of your PostgreSQL database.

  9. Select the maximum storage size for your PostgreSQL database from the drop-down.

Review + Create Tab

  1. Select the Review + Create tab and review the configuration.

  2. When you are happy with the configuration, click Create to provision the CMES appliance.

Post-Deployment Tasks

Once the CMES appliance is deployed, additional post-deployment tasks must be completed to ensure the CMES appliance operates correctly.

DNS Configuration

You must create DNS records on your DNS service so that the name users will type resolves to the CMES appliance. If you chose a custom FQDN, create either an A record pointing at the load balancer's public IP address or a CNAME pointing at the Azure-assigned name <public-ip-dns-label>.<region>.cloudapp.azure.com (.cloudapp.usgovcloudapi.net for Azure Government). The NAT Gateway's public IP address carries outbound traffic only and must not be published. If you selected Let's Encrypt for a custom FQDN, the certificate cannot be issued until this record resolves to the appliance, because the CA has to reach the appliance at that name to validate it.
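As an added example (not Cloud Maker tooling), the script below publishes a CNAME in an Azure DNS zone for the custom FQDN and then verifies resolution and the served certificate from the outside. Resource group, zone, host and public IP names are placeholders; it assumes the zone is hosted in Azure DNS (the record types are the same on any DNS service) and queries a public resolver so the check reflects what internet clients see rather than any internal split-horizon DNS.

```shell
#!/usr/bin/env bash
# Added example, not Cloud Maker tooling: publish a custom name for the CMES public
# endpoint in Azure DNS and verify what a browser on the internet will see.
set -euo pipefail

# default_endpoint LABEL REGION [CLOUD] : the FQDN Azure attaches to the load balancer's
# public IP, built from the Public IP DNS Label (Network tab step 7) and the deployment
# region (Basics tab step 4). CLOUD is the name `az cloud show --query name` prints.
default_endpoint() {
  local label=$1 region=$2 cloud=${3:-AzureCloud}
  case $cloud in
    AzureCloud)        printf '%s.%s.cloudapp.azure.com\n' "$label" "$region" ;;
    AzureUSGovernment) printf '%s.%s.cloudapp.usgovcloudapi.net\n' "$label" "$region" ;;
    *) echo "no default endpoint format known for cloud '$cloud'" >&2; return 1 ;;
  esac
}

# lb_public_ip RG PIP_NAME : address and Azure-assigned FQDN of the public IP named in
# Network tab step 6. The other public IP belongs to the NAT Gateway and is outbound-only.
lb_public_ip() {
  az network public-ip show -g "$1" -n "$2" --query '[ipAddress, dnsSettings.fqdn]' -o tsv
}

# publish_cname DNS_RG ZONE HOST TARGET : cmes.yourdomain.com -> <label>.<region>.cloudapp...
# A CNAME to the Azure-assigned name avoids hard-coding the address; an A record to the
# address works just as well if you prefer it.
publish_cname() {
  az network dns record-set cname set-record -g "$1" -z "$2" -n "$3" -c "$4" --ttl 300
}

# verify_endpoint FQDN EXPECTED_IP : resolve via a public resolver (what internet clients
# see), then complete a TLS handshake with SNI set to FQDN; fails unless the chain verifies
# against the local trust store and the certificate covers the name.
verify_endpoint() {
  local fqdn=$1 expected=$2 resolved
  resolved=$(dig +short "$fqdn" @1.1.1.1 | tail -n1)   # last line: past the CNAME to the A
  [ "$resolved" = "$expected" ] || { echo "$fqdn -> '${resolved:-}' but expected $expected" >&2; return 1; }
  openssl s_client -connect "$fqdn:443" -servername "$fqdn" -verify_hostname "$fqdn" \
      -verify_return_error </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -enddate
}

# Usage (placeholder names):
#   CMES_RG=rg-cmes PIP_NAME=pip-cmes DNS_RG=rg-dns ZONE=yourdomain.com HOST=cmes ./cmes-dns.sh
if [ -n "${ZONE:-}" ]; then
  read -r ip fqdn < <(lb_public_ip "${CMES_RG:?}" "${PIP_NAME:?}")
  publish_cname "${DNS_RG:?}" "$ZONE" "${HOST:?}" "$fqdn"
  verify_endpoint "$HOST.$ZONE" "$ip"
fi
```

If you are using the default endpoint rather than a custom FQDN, skip publish_cname and run verify_endpoint against the name default_endpoint produces.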

Azure AD SCIM Integration

CMES uses enterprise-grade OIDC authentication and Azure AD SCIM integration for user and group management.

To allow access to users other than the provisioning user, you must configure Azure AD SCIM integration.

Support and Assistance

If you need any help with the installation of CMES, please reach out to [email protected], and one of our team members will be on hand to help you.







