CMES via Private Endpoint Install Guide

Deploy a privately accessible CMES with private endpoint connectivity

Written by Nick Smith
Updated over a year ago

Cloud Maker Enterprise Server (CMES) provides all the power of the Cloud Maker platform but is self-hosted and allows you to deploy it to your Azure tenant.

This guide walks you through the installation process for deploying CMES from the Azure Marketplace.

Architecture Overview - Private Connectivity via Private Endpoint

CMES is a powerful, self-hosted version of Cloud Maker that can be deployed in several ways to support your security, availability and governance needs.

This guide focuses on the Private Connectivity via Private Endpoint option when deploying Cloud Maker Enterprise Server. Please look at the Cloud Maker Enterprise Server KB article for other deployment options.

The Marketplace CMES installation uses the following underlying Azure infrastructure:

Resource                        Qty
Azure Subscription              1
Azure Resource Group            1
Azure vNet                      1
Azure Subnet                    2
Azure NSG                       2
Azure VM Scale Set              1
Minimum Azure VM Instance       1
Internal Load Balancer          1
NAT Gateway                     1
Public IP Address               1
PostgreSQL Flexible Server      1
Azure Storage Account           2
Azure Key Vault                 1
Private Endpoints               3
Private Link Service            1
Azure App Security Groups       2

Architecture Diagram

CMES Architecture - Private Connectivity via Private Endpoint

Prerequisites

Cloud Maker Enterprise Server requires the following prerequisites to be in place before the Azure Marketplace solution offer can be deployed:

Pre-requisite            Details

Custom Domain Name
  The custom domain is used to access the CMES appliance through a browser and by Azure DevOps for deployments, for example cmes.yourdomain.com.

TLS Certificate
  You must use your own TLS certificate for the custom domain. You will need the private key and the public certificate in PEM format, together with any intermediate certificates in the chain, also in PEM format.
  The first line of PEM data starts with five dashes (-----) and the last line ends with five dashes (-----).
  Do not base64 encode the PEM data; paste it exactly as it appears in the PEM file.
  See the CMES TLS Certificates KB article for instructions.

Provisioning User Object ID
  The Azure Active Directory User Object ID of the user provisioning the CMES appliance. The provisioning user becomes the appliance owner and is the only user who can log into the appliance until Azure AD SCIM integration has been configured post-deployment.

App Registration
  An Azure App Registration is required to install CMES; you will need its Tenant ID, Client ID and a client secret.
  See the CMES App Registration KB article for instructions on configuring this.
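Before pasting certificate material into the wizard, it is worth checking the PEM inputs offline, because the two mistakes the rules above describe (a missing five-dash line, or a PEM file that was base64-encoded a second time) are only reported after the deployment has been submitted. The script below is an added example, not Cloud Maker's own tooling: it enforces the formatting rules from the table, accepts only CERTIFICATE blocks in the certificate input (leaf first, then intermediates) and exactly one unencrypted key block in the private-key input. The sample PEM blocks it builds are constructed from dummy bytes and are not real keys or certificates, and it does not verify signatures or that the key matches the certificate.

```python
"""Pre-flight check of the PEM text CMES asks for (certificate, intermediates, private key).

Added example, not Cloud Maker tooling. Checks the formatting rules from the
prerequisites: five-dash first and last lines, no second base64 encoding, and the
right kind of blocks in each field. It does not validate the chain cryptographically.
"""
import base64
import binascii
import re

# One PEM block; the label in the BEGIN line must be repeated verbatim in the END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.+?)\r?\n-----END \1-----", re.S)

# The wizard has no passphrase field, so an ENCRYPTED PRIVATE KEY block is not accepted.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def _base64_wrapped(text):
    """True when the whole input is base64 of PEM text, the mistake the guide warns about."""
    compact = "".join(text.split())
    if "-----" in compact:          # base64 alphabet has no dashes, so this is raw PEM
        return False
    try:
        return base64.b64decode(compact, validate=True).startswith(b"-----BEGIN")
    except (binascii.Error, ValueError):
        return False


def _problems(text):
    """Structural problems common to both fields; returns (problems, block labels)."""
    stripped = text.strip()
    if not stripped:
        return ["input is empty"], []
    if _base64_wrapped(stripped):
        return ["input is base64-encoded PEM; paste the raw PEM text instead"], []
    problems = []
    lines = stripped.splitlines()
    if not lines[0].startswith("-----"):
        problems.append("first line must start with five dashes (-----)")
    if not lines[-1].endswith("-----"):
        problems.append("last line must end with five dashes (-----)")
    blocks = PEM_BLOCK.findall(stripped)
    if not blocks:
        problems.append("no complete -----BEGIN/-----END block found")
    for label, body in blocks:
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"{label} block body is not valid base64")
    return problems, [label for label, _ in blocks]


def check_certificate_input(text):
    """Problems with the 'TLS Certificate Public Key' field: leaf cert, then intermediates."""
    problems, labels = _problems(text)
    problems += [f"unexpected {l} block in the certificate field" for l in labels if l != "CERTIFICATE"]
    return problems


def check_private_key_input(text):
    """Problems with the 'TLS Certificate Private Key' field: exactly one unencrypted key."""
    problems, labels = _problems(text)
    if len(labels) > 1:
        problems.append("private key field must contain exactly one block")
    problems += [f"unexpected {l} block in the private key field" for l in labels if l not in KEY_LABELS]
    return problems


def _fake_block(label, payload):
    """Constructed PEM block around dummy bytes (NOT real key or certificate material)."""
    body = base64.b64encode(payload).decode()
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN {label}-----\n{wrapped}\n-----END {label}-----"


SAMPLE_LEAF = _fake_block("CERTIFICATE", b"constructed leaf certificate placeholder " * 3)
SAMPLE_INTERMEDIATE = _fake_block("CERTIFICATE", b"constructed intermediate placeholder " * 3)
SAMPLE_CHAIN = SAMPLE_LEAF + "\n" + SAMPLE_INTERMEDIATE          # leaf first, then intermediate
SAMPLE_KEY = _fake_block("PRIVATE KEY", b"constructed private key placeholder " * 3)
WRAPPED_BY_MISTAKE = base64.b64encode(SAMPLE_CHAIN.encode()).decode()  # PEM base64-encoded again
TRUNCATED = SAMPLE_LEAF.rsplit("\n", 1)[0]                        # END line missing

if __name__ == "__main__":
    for name, result in [("chain", check_certificate_input(SAMPLE_CHAIN)),
                         ("key", check_private_key_input(SAMPLE_KEY)),
                         ("wrapped", check_certificate_input(WRAPPED_BY_MISTAKE)),
                         ("truncated", check_certificate_input(TRUNCATED))]:
        print(name, "OK" if not result else result)
```

Run `check_certificate_input` and `check_private_key_input` on the contents of your real PEM files before starting the wizard, and use openssl separately to confirm that the private key matches the certificate and that the intermediates actually chain to it.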

Install Steps

  1. Navigate to the Cloud Maker Enterprise Server solution offer in the Azure Marketplace

  2. Click Get It Now and supply the required information.

  3. Choose the plan that you wish to deploy. By default, our CMES Standard plan is selected. If you have a private plan, you can choose this from the Plan drop-down.

  4. Click Create to begin the set-up process.

Basics Tab

  1. Ensure you are on the Basics tab of the deployment wizard.

  2. Select the Subscription you wish to deploy the CMES appliance into.

  3. Select the Azure Resource Group into which you wish to deploy CMES and its associated Azure resources, or create a new Resource Group if required.

  4. Select the region you wish to deploy CMES into.

Cloud Maker Configuration Tab

  1. Select the Cloud Maker configuration tab.

  2. Enter the Organisation Name for the Cloud Maker organisation you'd like to create in the CMES appliance (this can be changed once the CMES is deployed).

  3. Enter a Provisioning User Name. This is used for initial provisioning and is then discarded. You can enter any name you like in this field.

  4. Enter the Provisioning User Object ID. Details of this can be found in the pre-requisites table above.

  5. Enter the Application Client ID from the App Registration you created as part of the pre-requisites.

  6. Enter the Application Client secret generated from the App Registration you created as part of the prerequisites.

  7. Confirm the Application Client secret.

  8. Enter the Tenant ID of the Azure tenant you are deploying into (it is shown on the overview of the App Registration you created as part of the prerequisites).

  9. Select the version of CMES you wish to deploy. By default, the latest version number is selected.

  10. Select the number of VM instances you wish to deploy into your CMES VMSS.

  11. Select the Availability Zone option that fits your needs.

  12. Select Private connectivity via private endpoint from the Cloud Maker Enterprise Server connectivity options drop-down.

  13. Enter your chosen domain in the Cloud Maker FQDN box.

  14. Enter the custom domain TLS Certificate Public Key (the public certificate for your custom domain). This must be in PEM format; see the prerequisites table above. Do not base64 encode the PEM formatted certificate data.

    NB: If intermediate certificates are required, append their PEM data after your server certificate in this field, leaf certificate first and then the intermediates in chain order, as servers conventionally expect.

  15. Enter the custom domain TLS Certificate Private Key. This must be in PEM format; see the prerequisites table above. Do not base64 encode the PEM formatted key data.

Network Tab

  1. Select the Network tab.

  2. On the Networking option drop-down, select whether to deploy CMES into an existing vNet or to create a new vNet. The default is to create a new vNet as part of the initial deployment.

    1. If creating a new vNet:

      1. Enter the name of the CMES Azure Virtual Network in the Virtual Network Name field.

      2. Enter the Address Prefix for the virtual network. 10.0.0.0/16 is set by default.

      3. Enter a name for the new CMES subnet in the Primary Subnet Name field.

      4. Enter the subnet prefix for the new primary subnet in the Primary Subnet Address Prefix field. The default is 10.0.0.0/24.

      5. Enter the name of the Network Security Group on the Primary Subnet.

      6. Enter the name of the Database Subnet to be created in the new vNet.

      7. Enter the Database Subnet Address Prefix. The default is 10.0.1.0/24.

      8. Enter the name of the Database Subnet Network Security Group.

    2. If using an existing vNet:

      1. Select the existing vNet you want to use for the CMES deployment.

      2. Select the Primary Subnet from the Primary Subnet drop-down menu.

      3. Enter the name of the new Network Security Group that will be assigned to the Primary Subnet.

      4. Select the existing Database Subnet from the dropdown menu.

      5. Enter the name of the new Network Security Group that will be assigned to the Database Subnet.

  3. Enter the name of the VMSS Instances Application Security Group that will be used to protect the VMSS network traffic.

  4. Enter the name of the Private Endpoint Application Security Group that will be used to protect private endpoint network traffic.

  5. If deploying a new vNet, or into an existing vNet that contains a subnet called AzureBastionSubnet, you can optionally deploy an instance of Azure Bastion by checking the Azure Bastion box.

    1. Enter Azure Bastion Name.

    2. Enter the Azure Bastion Public IP Address Name.

  6. Enter the Load Balancer Name.

  7. Enter the NAT Gateway Name.

  8. Enter the Public IP Name for the NAT Gateway.

  9. Enter the Private Link Service name for the private link service that will be used to connect to your private endpoint.

  10. Check the Deploy consumer private endpoint box if you want the deployment to create the consumer-side private endpoint (the one your users and Azure DevOps connect through) in an existing subnet.

    1. If checked, you will be asked to provide details for the vNet and Subnet you wish to connect the private endpoint to.

    2. Select the vNet from the dropdown menu.

    3. Select the Subnet from the dropdown menu.

    4. Optionally, if you wish to deploy the private endpoint to a different Resource Group than the one used for CMES, check the Optionally provide resource group... checkbox and select the Resource Group from the drop-down.

  11. Enter the Private Endpoint Name.
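Most failed deployments from this tab come from address prefixes that are changed from the defaults and end up outside the vNet, overlapping each other, or too small. The script below is an added example, not Cloud Maker tooling: it validates a planned address layout offline with Python's ipaddress module, using the wizard defaults from the steps above (10.0.0.0/16 vNet, 10.0.0.0/24 primary subnet, 10.0.1.0/24 database subnet). It assumes the internal load balancer frontend lands in the primary subnet alongside the VMSS instances; the five reserved addresses per subnet and the /26 minimum for AzureBastionSubnet are Azure platform constraints, not something the wizard documents.

```python
"""Address-plan check for the Network tab (added example, not Cloud Maker tooling).

Rules applied:
  * every subnet must lie inside the vNet and no two subnets may overlap;
  * Azure reserves five addresses in every subnet (network address, the first three
    host addresses and broadcast), so a /n subnet offers 2**(32-n) - 5 assignable hosts;
  * the primary subnet must hold the VMSS instances plus one address for the internal
    load balancer frontend (assumed to be in the same subnet). The private link service
    NAT IP and the private endpoints also consume addresses, so this is a floor;
  * an AzureBastionSubnet, if present, must be /26 or larger.
"""
import ipaddress

AZURE_RESERVED_PER_SUBNET = 5
BASTION_MAX_PREFIXLEN = 26


def usable_addresses(prefix):
    """Hosts Azure lets you assign in a subnet with this prefix."""
    return max(ipaddress.ip_network(prefix).num_addresses - AZURE_RESERVED_PER_SUBNET, 0)


def validate_plan(vnet_prefix, subnets, vmss_instances, primary="primary"):
    """Return a list of problem strings; an empty list means the plan is consistent.

    subnets maps subnet name -> CIDR prefix; the entry named by `primary` is the
    subnet the VMSS instances are deployed into.
    """
    try:
        vnet = ipaddress.ip_network(vnet_prefix, strict=True)
        nets = {name: ipaddress.ip_network(p, strict=True) for name, p in subnets.items()}
    except ValueError as exc:            # e.g. host bits set, such as '10.0.0.5/24'
        return [f"invalid prefix: {exc}"]

    problems = []
    for name, net in nets.items():
        if not net.subnet_of(vnet):
            problems.append(f"{name} {net} is not inside vNet {vnet}")

    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")

    if primary in nets:
        needed = vmss_instances + 1      # +1 for the internal load balancer frontend IP
        have = usable_addresses(str(nets[primary]))
        if have < needed:
            problems.append(f"{primary} {nets[primary]} has {have} usable addresses, need at least {needed}")
    else:
        problems.append(f"no subnet named {primary!r} in the plan")

    bastion = nets.get("AzureBastionSubnet")
    if bastion is not None and bastion.prefixlen > BASTION_MAX_PREFIXLEN:
        problems.append(f"AzureBastionSubnet {bastion} is smaller than /26")
    return problems


if __name__ == "__main__":
    plan = {"primary": "10.0.0.0/24", "database": "10.0.1.0/24"}   # wizard defaults
    print(validate_plan("10.0.0.0/16", plan, vmss_instances=2) or "plan OK")
```

If you deploy the consumer private endpoint into an existing vNet (step 10), that subnet is in a different address space and is not part of this check; what matters there is that the subnet has at least one free address for the endpoint's network interface.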

Compute Tab

  1. Select the Compute tab.

  2. Enter a Virtual Machine Scale Set Name for the CMES appliance VMSS.

  3. Enter the Virtual Machine Scale Set Instance Name Prefix.

  4. Select the size* of the CMES appliance you wish to deploy. We recommend at least a D2V4 VM size.

    *Please make sure you check the pricing information for the desired appliance size since CMES appliance pricing is tied to the number of CPU cores.

  5. Enter the Admin User Name for the virtual machine.

  6. Choose the Authentication type, either Password or SSH. SSH public key authentication is the safer choice for the instances.

  7. Enter the VM password, or generate a new SSH key pair and enter a key pair name.

    NB: Download and store the generated SSH private key when Azure prompts you to; it is not retained and cannot be retrieved later.

  8. Enter a name for the Network Interface Card.

  9. Select the VM Storage SKU.

  10. Select whether you wish VM Boot Diagnostics to be Enabled or Disabled.

Key Vault Tab

  1. Select the Key Vault tab.

  2. Enter the Key Vault Name.

  3. Enter the Key Vault Private Endpoint Name.

Storage Tab

  1. Select the Storage Tab.

  2. Enter the App Storage Account Name.

  3. Enter the name of the private endpoint for the app Storage Account.

  4. Enter the Storage Account Name for shared web hosting data.

  5. Enter the name of the private endpoint for the shared web hosting data Storage Account.

Security Tab

  1. Select the Security tab.

  2. Enter the User Assigned Managed Identity Name. This new User Assigned Managed Identity will be created during the CMES deployment.

Database Tab

  1. Select the Database tab.

  2. Enter the PostgreSQL Server Name you wish to use. PostgreSQL will be deployed as part of the CMES deployment process.

  3. Enter the PostgreSQL Server Admin Username.

  4. Enter the PostgreSQL Server Admin User Password.

  5. Confirm the PostgreSQL Server Admin User Password.

  6. Select the desired PostgreSQL Server Specification from the drop-down menu.

  7. Select the Backup Retention Days you wish to use for PostgreSQL backups.

  8. Select whether you wish to enable geo-replicated backups of your PostgreSQL database.

  9. Select the maximum storage size for your PostgreSQL database from the drop-down.

Review + Create Tab

  1. Select the Review + Create tab and review the configuration.

  2. When you're happy with the configuration, click Create to provision the CMES appliance.

Post-Deployment Tasks

Once the CMES appliance is deployed, additional post-deployment tasks must be completed to ensure the CMES appliance operates correctly.

DNS Configuration

Create a DNS record for the Cloud Maker FQDN you entered on the Cloud Maker Configuration tab that resolves to the private IP address assigned to the consumer private endpoint. With private connectivity the name must resolve to that private address and not to a public one, so create the record in whichever DNS your users and Azure DevOps agents actually query, for example an Azure Private DNS zone linked to the consuming vNet or your own internal DNS.
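Once the record exists, confirm that the name resolves only to an address inside the subnet you chose for the consumer private endpoint. The script below is an added example, not part of the guide: a name that resolves to a public address, to a private address in the wrong subnet, or not at all means browser and Azure DevOps traffic will not reach CMES through the private endpoint. The resolver is injectable so the check runs offline here against constructed records (FAKE_ZONE is not a real zone); the default resolver queries real DNS with socket.gethostbyname_ex.

```python
"""Post-deployment DNS check for the Cloud Maker FQDN (added example, not part of the guide).

ok is True only if every address the name resolves to lies inside the consumer
private endpoint subnet chosen on the Network tab.
"""
import ipaddress
import socket


def resolves_privately(fqdn, consumer_subnet, resolver=None):
    """Return (ok, detail) for the FQDN against the consumer private endpoint subnet."""
    subnet = ipaddress.ip_network(consumer_subnet)
    lookup = resolver or (lambda name: socket.gethostbyname_ex(name)[2])
    try:
        answers = lookup(fqdn)
    except OSError as exc:                       # socket.gaierror is an OSError
        return False, f"{fqdn} does not resolve: {exc}"
    if not answers:
        return False, f"{fqdn} returned no addresses"
    for addr in answers:
        ip = ipaddress.ip_address(addr)
        if ip not in subnet:
            return False, (f"{fqdn} resolves to {ip}, outside the consumer private endpoint "
                           f"subnet {subnet}; traffic would not use the private endpoint")
    return True, f"{fqdn} resolves only inside {subnet}: {', '.join(answers)}"


# Constructed records standing in for your DNS zone (not real hosts or addresses).
FAKE_ZONE = {
    "cmes.example.com": ["10.20.0.5"],             # private endpoint NIC in 10.20.0.0/24
    "cmes-public.example.com": ["203.0.113.10"],   # wrongly pointed at a public-style address
    "cmes-wrong.example.com": ["10.99.0.5"],       # private, but not the endpoint's subnet
}


def fake_resolver(name):
    """Offline stand-in for socket.gethostbyname_ex; raises like a failed lookup."""
    if name not in FAKE_ZONE:
        raise socket.gaierror(f"constructed NXDOMAIN for {name}")
    return FAKE_ZONE[name]


if __name__ == "__main__":
    for name in list(FAKE_ZONE) + ["nope.example.com"]:
        print(resolves_privately(name, "10.20.0.0/24", fake_resolver))
```

Run it from a machine inside the consuming vNet, or wherever your Azure DevOps agents run, with the real FQDN and subnet and no resolver argument, since split-horizon DNS can give a different answer from outside.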

Azure AD SCIM Integration

CMES uses enterprise-grade OIDC authentication and Azure AD SCIM integration for user and group management.

To allow access to users other than the provisioning user, you must configure Azure AD SCIM integration.

Support and Assistance

If you need any help with the installation of CMES, please reach out to [email protected], and one of our team members will be on hand to help you.
