Cloud Maker Enterprise Server (CMES) provides all the power of the Cloud Maker platform but is self-hosted and allows you to deploy it to your Azure tenant.
This guide walks you through the installation process for deploying CMES from the Azure Marketplace.
Architecture Overview - Private Connectivity via vNet Peering
CMES is a powerful, self-hosted version of Cloud Maker that can be deployed in several ways to support your security, availability and governance needs.
This guide focuses on the Private Connectivity via vNet Peering option when deploying Cloud Maker Enterprise Server. Please look at the Cloud Maker Enterprise Server KB article for other deployment options.
The Marketplace CMES installation uses the following underlying Azure infrastructure:
Resource | Qty |
Azure Subscription | 1 |
Azure Resource Group | 1 |
Azure vNet | 1 |
Azure Subnet | 2 |
Azure NSG | 2 |
Azure VM Scale Set | 1 |
Minimum Azure VM Instance | 1 |
Internal Load Balancer | 1 |
NAT Gateway (optional) | 1 |
Public IP Address (optional) | 1 |
PostgreSQL Flexible Server | 1 |
Azure Storage Account | 2 |
Azure Key Vault | 1 |
Private Endpoints | 3 |
Azure App Security Groups | 2 |
Architecture Diagram
Prerequisites
Cloud Maker Enterprise Server requires prerequisites to be set up before the Azure Marketplace Solution Offer can be deployed. These pre-requisites are as follows:
Pre-requisites | Details |
Custom Domain Name
| The custom domain will be used for accessing the CMES appliance through a browser and by Azure DevOps for deployments—for example, |
TLS Certificate | You must use your own TLS certificate with your custom domain, you will require the private key and public certificate in PEM format.
Any intermediate certificates in the certificate chain will also be required in PEM format. The first line of the certificate data in PEM format starts with five dashes ( |
Provisioning User Object ID | The Azure Active Directory User Object ID for the user provisioning the CMES appliance. The provisioning user will be the appliance owner and the only user who can log into the appliance until Azure AD SCIM integration has been configured post-deployment. |
App Registration | An Azure App Registration is required to install CMES, including the Tenant ID, Client ID, and secret. |
Install Steps
Navigate to the Cloud Maker Enterprise Server solution offer in the Azure Marketplace
Click Get It Now and supply the required information.
Choose the plan that you wish to deploy. By default, our CMES Standard plan is selected. If you have a private plan, you can choose this from the Plan drop-down.
Click Create to begin the set-up process.
Basics Tab
Ensure you are on the Basics tab of the deployment wizard.
Select the Subscription you wish to deploy the CMES appliance into.
Enter a name for the Azure Resource Group into which you wish to deploy CMES and associated Azure resources or create a new Resource Group if required.
Select the region you wish to deploy CMES into.
Cloud Maker Configuration Tab
Select the Cloud Maker configuration tab.
Enter the Organisation Name for the Cloud Maker organisation you'd like to create in the CMES appliance (this can be changed once the CMES is deployed).
Enter a Provisioning User Name. This is used for initial provisioning and is then discarded. You can enter any name you like in this field.
Enter the Provisioning User Object ID. Details of this can be found in the pre-requisites table above.
Enter the Application Client ID from the App Registration you created as part of the pre-requisites.
Enter the Application Client secret generated from the App Registration you created as part of the prerequisites.
Confirm the Application Client secret.
Enter the Tenant ID of the Azure Tenant you are deploying into (can be found on the App Registration details you created as part of the prerequisites).
Select the version of CMES you wish to deploy. By default, the latest version number is selected.
Select the number of VM instances you wish to deploy into your CMES VMSS.
Select the Availability Zone option that fits your needs.
Select the Private connectivity via vNet peering from the Cloud Maker Enterprise Server connectivity options drop-down.
Enter your chosen domain in the Cloud Maker FQDN box.
Enter the custom domain TLS Certificate Public Key. This must be in PEM format. Additional details can be found in the pre-requisites table above. Do not base64 encode the PEM formatted certificate data.
NB: Please include the intermediate certificate PEM data if intermediate certificates are required.Enter the custom domain TLS Certificate Private Key. This must be in PEM format. Additional details can be found in the pre-requisites table above. Do not base64 encode the PEM formatted certificate data.
Network Tab
Select the Network tab.
On the Networking option drop-down, select whether to deploy CMES into an existing vNet or create a new vNet. The default option is to create a new vNet as part of the initial deployment.
If creating a new vNet:
Enter the name of the CMES Azure Virtual Network in the Virtual Network Name field.
Enter the Address Prefix for the virtual network. 10.0.0.0/16 is set by default.
Enter a name for the new CMES subnet in the Primary Subnet Name field.
Enter the subnet prefix for the new primary subnet in the Primary Subnet Address Prefix field. The default is 10.0.0.0/24.
Enter the name of the Network Security Group on the Primary Subnet.
Enter the name of the Database Subnet to be created in the new vNet.
Enter the Database Subnet Address Prefix. The default is 10.0.1.0/24.
Enter the name of the Database Subnet Network Security Group.
If using an existing vNet:
Select the existing vNet you want to use for the CMES deployment.
Select the Primary Subnet from the Primary Subnet drop-down menu.
Enter the name of the new Network Security Group that will be assigned to the Primary Subnet.
Select the existing Database Subnet from the dropdown menu.
Enter the name of the new Network Security Group that will be assigned to the Database Subnet.
Enter the name of the VMSS Instances Application Security Group that will be used to protect the VMSS network traffic.
Enter the name of the Private Endpoint Application Security Group that will be used to protect private endpoint network traffic.
If deploying a new vNet or to an existing vNet which contains a subnet called AzureBastionSubnet, optionally select if you would like an instance of Azure Bastion to be deployed by checking the Azure Bastion box.
Enter Azure Bastion Name.
Enter the Azure Bastion Public IP Address Name.
Enter the Load Balancer Name.
If you wish to deploy the vNet peering on the CMES vNet as part of the deployment, check the Deploy peering... checkbox.
Enter the name of the vNet Peering.
Select the Virtual Network you would like to peer with from the drop-down menu.
If you wish to deploy the consumer vNet peering, check the Deploy customer vNet peering checkbox.
Enter the Customer Virtual Network Peering Name.
Select your Internet Connectivity option of either NAT Gateway or Customer NVA.
If you select NAT Gateway, the CMES deployment will provision a NAT Gateway with Public IP Address.
Enter the Nat Gateway Name.
Enter the Public IP Name for NAT Gateway.
If you select Customer NVA the CMES deployment will provision a Route Table to route to your NVA.
Enter the Route Table Name of the route table that will be provisioned in the CMES vNet.
Enter the NVA IP Address.
Compute Tab
Select the Compute tab.
Enter a Virtual Machine Scale Set Name for the CMES appliance VMSS.
Enter the Virtual Machine Scale Set Instance Name Prefix.
Select the size* of the CMES appliance you wish to deploy. We recommend at least a D2V4 VM size.
*Please make sure you check the pricing information for the desired appliance size since CMES appliance pricing is tied to the number of CPU cores.Enter the Admin User Name for the virtual machine.
Choose the Authentication type, either Password or SSH.
Enter the VM password or generate a new SSH Key pair and enter a key pair name.
NB: Please note any SSH Keys, as these are not retrievable later.Enter a name for the Network Interface Card.
Select the VM Storage SKU.
Select whether you wish VM Boot Diagnostics to be Enabled or Disabled.
Key Vault Tab
Select the Key Vault tab.
Enter the Key Vault Name.
Enter the Key Vault Private Endpoint Name.
Storage Tab
Select the Storage Tab.
Enter the App Storage Account Name.
Enter the Name of private endpoint for app Storage Account.
Enter the Storage Account Name for shared web hosting data.
Enter the Name of private endpoint for shared web hosting data Storage Account.
Security Tab
Select the Security tab.
Enter the User Assigned Managed Identity Name. This new User Assigned Managed Identity will be created during the CMES deployment.
Database Tab
Select the Database tab.
Enter the PostgreSQL Server Name you wish to use. PostgreSQL will be deployed as part of the CMES deployment process.
Enter the PostgreSQL Server Admin Username.
Enter the PostgreSQL Server Admin User Password.
Confirm the PostgreSQL Server Admin User Password.
Select the desired PostgreSQL Server Specification from the drop-down menu.
Select the Backup Retention Days you wish to use for PostgreSQL backups.
Select whether you wish to enable geo-replicated backups of your PostgreSQL database.
Select the maximum storage size for your PostgreSQL database from the drop-down.
Review + Create Tab
Select the Review + Create tab and review the configuration.
When you're happy. Click Create to provision the CMES appliance.
Post-Deployment Tasks
Once the CMES appliance is deployed, additional post-deployment tasks must be completed to ensure the CMES appliance operates correctly.
DNS Configuration
You must configure the appropriate DNS settings on your desired DNS service to route traffic to the CMES appliance.
Azure AD SCIM Integration
CMES uses enterprise-grade OIDC authentication and Azure AD SCIM integration for user and group management.
To allow access to users other than the provisioning user, you must configure Azure AD SCIM integration.
Support and Assistance
If you need any help with the installation of CMES, please reach out to [email protected], and one of our team members will be on hand to help you.