# Azure Subscription onboarding

This document guides you through the process of setting up your Azure subscription as the data plane. Following these steps ensures that resources are provisioned and managed securely in an isolated environment, leading to a smooth and efficient onboarding experience.

***

### Prerequisites

Before starting the onboarding process, ensure the following requirements are met:

* **Azure Application Admin Role:** Required for the initial subscription onboarding within your Azure tenant.
* **Resource Group Owner Role:** You must have the **Owner** role on the Azure Resource Group for setup.
* Complete your **Landing Zone** design documentation.

  Landing Zone is the foundation that defines the security, naming, and routing standards for your subscription. Landing Zone design documentation is required to ensure the networking components integrate seamlessly with your corporate network, adhere to your tagging policies, and utilize pre-authorized IP address spaces.
* **Azure Resource Provider Registration:** Ensure the necessary features are enabled in your Azure tenant, including **Azure BYOA Resource Provider Registration**. For more information, see [Azure BYOA Resource Provider Registration](https://docs.tessell.com/tessell/governance/subscriptions/azure-byoa-resource-provider-registration).

***

### **Accessing the Azure Subscription Creation Flow**

1. In the left navigation pane, hover over the **Governance** App icon.\
   A pop-up menu with a list of apps opens.
2. From the pop-up menu, select **Subscriptions**.

   <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2FTyt1iMUGLi31mtEiSsRC%2Funknown.png?alt=media&#x26;token=02ffd8f6-5083-4673-84dd-d31bfe9f0179" alt=""><figcaption></figcaption></figure>
3. Click **Add a New Subscription** button in the top-right corner.
4. Select the **Microsoft Azure** option.

   <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2FTuSThAE9kyFBwxdhYznD%2Funknown.jpeg?alt=media&#x26;token=29ff8da8-aef4-4ac9-8164-8d3f5975b655" alt=""><figcaption></figcaption></figure>

***

#### STEP 1 OF 6: <a href="#step-1-of-6" id="step-1-of-6"></a>

### **Configure Subscription**

Configure your Tessell subscription by providing the following details:

1. Specify a name for your subscription in the **Subscription Name** field (minimum 4 characters).\
   Use a **descriptive name** for easy identification.
2. Optionally, add a brief summary or purpose for your subscription in the **Description** field.\
   This helps with organization, especially if managing multiple subscriptions.
3. From the **Region** dropdown list, select the primary region for your subscription’s resources.\
   Additional regions can be added later if needed.

   <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2F54wBmN2uFCILUXtxWY6k%2Funknown.png?alt=media&#x26;token=a1d3a5d8-4456-49f7-bf5e-d345ec4ea81e" alt=""><figcaption></figcaption></figure>
4. After the above details are filled in, do one of the following:
   1. **Skip to last step:** Use this option if the ARM template generated in Step 6 has already been executed.
   2. If the ARM template has not been generated yet, click **Next** to proceed to the Authorization section.

***

#### STEP 2 OF 6:

### **Authorization**

When deploying databases in Azure, a Resource Group must be configured to effectively organize and manage resources. Follow the steps below to set up your Azure Resource Group and grant authorization.

#### **Azure Resource Group Configuration**

Provide the following details:

* **Azure Subscription ID** – Specify the **Azure Subscription ID** associated with the Resource Group used for database deployment. See [Appendix - How to find Subscription ID?](#how-to-find-subscription-id).
* **Resource Group Name** – Specify the **Resource Group Name** where databases are hosted. To locate an existing Resource Group, see [Appendix - How to find Resource Group Name?](#how-to-find-resource-group-name).

  <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2F66MGwF6j4HXCYn4Vlw6l%2Funknown.png?alt=media&#x26;token=c592242c-d26e-48d8-a31b-56de6f4bf206" alt=""><figcaption></figcaption></figure>

#### **Authorization Setup**

Tessell accesses the customer’s Resource Group using a service principal created for the Tessell Azure App in the customer's tenant. Follow these steps:

**Azure Tenant ID**

* Specify the customer’s **Azure Tenant ID**. See [Appendix - How to find Azure Tenant ID?](#how-to-find-azure-tenant-id).

**Authorize Tessell App**

1. Click **Authorize Tessell App** to open a new tab for authorizing the Tessell Azure App and creating a service principal in the customer’s Azure Tenant.
2. Alternatively, select **Copy URL** to generate a direct authorization link.\
   **Note:** A user with the Application Administrator role in the Microsoft Entra ID tenant identified by the Tenant ID above is required for this step.

   <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2FZcoxm4Mb40DVYmGkximY%2Funknown.png?alt=media&#x26;token=0762cafb-0003-49f1-90e1-a71c90f81ca3" alt=""><figcaption></figcaption></figure>

**Enable Authorization Confirmation**

* After authorizing the Tessell App, select the option **I have authorized the Tessell App**.

**Object ID**

* Retrieve the Object ID of the Tessell Azure App from the **Enterprise Applications List** in the customer’s Azure Tenant and specify it in the **Object ID** field.\
  See [Appendix - How to find the object ID of the Tessell App?](#how-to-find-the-object-id-of-the-tessell-app).

3. After the authorization is complete, click **Next** to proceed to the Network section.

   <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2FbCRl2sJZpnlQsMTCkIzp%2Funknown.png?alt=media&#x26;token=01874f27-e561-4b35-97e3-564c818bfae8" alt=""><figcaption></figcaption></figure>

***

#### STEP 3 OF 6: <a href="#step-3-of-6" id="step-3-of-6"></a>

### **Network Configuration**

Tessell offers two options for setting up a network:

* **Add New:**\
  Creates a new Virtual Network (VNet) in the database resource group.
* **Register**:\
  Registers an existing VNet for database hosting with the option to create/register necessary resources.

***

### **Private CP-DP communication flag enabled**

This flag should be enabled for private communication between Tessell Control Plane (CP) and Azure Data Plane (DP).

**Note**: Private connectivity is established using the Azure Private Link feature.

<figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2FeSK21ffmwe5ywWg6wRqM%2Funknown.png?alt=media&#x26;token=233e8b9f-c6d5-4e1b-8aa2-c1132dfd3569" alt=""><figcaption></figcaption></figure>

#### **Add New Network**

**Virtual Network Details**: Provide the following information.

* **Virtual Network Name**: Specify the name of the new VNet.
* **Virtual Network CIDR**: Specify the IP address range (CIDR) for the new VNet.
* **Private Subnet Name**: Specify the name of the new private subnet.
* **Private Subnet CIDR**: Specify the IP address range (CIDR) for the private subnet.

See [Appendix - Address Block Requirement for the Vnet/Subnet for private CP-DP](#address-block-requirement-for-private-cp-dp).

**Endpoint Configuration**

* **Private Endpoint ID for Tessell Control Plane**: Specify the name of the Azure private endpoint from the Data Plane VNet for connecting to Private Link Service present in Tessell Control Plane for communication.\
  See [Appendix - Tessell Control Plane Endpoint Configuration](#tessell-control-plane-endpoint-configuration).

  <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2F1xcFsBWbv4B1TdhVH2de%2Funknown.png?alt=media&#x26;token=3a6b1d56-141e-4d94-a5f0-634758b81d62" alt=""><figcaption></figcaption></figure>

#### **Register Existing Network**

**Virtual Network Details**: Provide the following information.

* **Virtual Network ID**: Specify the Resource ID of the existing VNet.
* **Virtual Network Name**: Specify the name of the VNet in Tessell for reference.
* **Private Subnet ID**: Specify the Resource ID of the subnet.

**Endpoint Configuration**

* **Tessell Control Plane**:
  * **Add**: Specify the name of the Azure Private Endpoint to be created in the Data Plane VNet connecting to Private Link Service in the Tessell Control Plane.
  * **Register**:
    * Specify the Resource ID of the private endpoint present in Data Plane VNet and attached to the Control Plane Private Link Service.
    * Endpoint IP: Specify the private endpoint IP.

If private endpoints are registered in a resource group other than the one hosting the network or the database \[NOT RECOMMENDED], see [APPENDIX - Private endpoints registered in other resource group](#private-endpoints-in-another-resource-group-not-recommended).

<figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2FQ4ctsAofGISxTekEKu9p%2Funknown.png?alt=media&#x26;token=f3e237a2-c125-4c9e-9d50-17847d790261" alt=""><figcaption></figcaption></figure>

As part of the subscription onboarding, the following permissions are assigned to the Tessell Service Principal on the resource group hosting the VNet provided above:

```json
{
    "permissions": [
        {
            "actions": [
                "Microsoft.Network/virtualNetworks/read",
                "Microsoft.Network/virtualNetworks/subnets/read",
                "Microsoft.Network/virtualNetworks/subnets/join/action",
                "Microsoft.Network/privateEndpoints/read",
                "Microsoft.Network/networkInterfaces/read",
                "Microsoft.Insights/PrivateLinkScopes/ScopedResources/Read",
                "Microsoft.Insights/PrivateLinkScopes/ScopedResources/Write"
            ],
            "notActions": [],
            "dataActions": [],
            "notDataActions": []
        }
    ]
}
```

#### **Network Security Group (NSG) Configuration**

**Tessell Control Plane Endpoint:**

* Port **8352-8370** outbound connectivity is required from the database VM to the endpoint.
* If endpoints are in a different subnet from the database subnet:
  * **Inbound** must be open on the private endpoint subnet NSG for port **8352-8370**.
  * **Outbound** must be open on the database subnet NSG for port **8352-8370**.

***

### **Private CP-DP Communication Disabled**

<figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2FflY355tbPGBS6XS7WXhX%2Funknown.png?alt=media&#x26;token=a031b28a-93d5-41dd-9c3d-4d1449794c38" alt=""><figcaption></figcaption></figure>

#### **Add New Network**

A new VNet is created as part of subscription onboarding based on the configuration provided in this section.

**Virtual Network Details**: Provide the following information.

* **Virtual Network Name**: Specify the name of the new VNet.
* **Virtual Network CIDR**: Specify the IP address range for the new VNet.
* **Private Subnet Name**: Specify the name of the subnet.
* **Private Subnet CIDR**: Specify the IP address range for the subnet.

See [Appendix - Address Block Requirement for the Vnet/Subnet for non-private CP-DP](#address-block-requirement-for-non-private-cp-dp).

**Note**: A NAT Gateway with a public IP is created with the VNet for outbound internet access.

**Enable Public Subnet**

Toggle this option to create a DB Service with public access in the VNet.\
Additionally, provide the following details for the subnet:

* **Public Subnet Name**: Specify the name of the public subnet.
* **Public Subnet CIDR**: Specify the IP address block (CIDR) for the public subnet.

<figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2FfSrZREObfDcq4CpMg0s6%2Funknown.png?alt=media&#x26;token=164796c1-0e51-43e9-a717-114259f6db08" alt=""><figcaption></figcaption></figure>
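Before the onboarding creates the VNet, the CIDRs entered in the Virtual Network Details above can be checked offline. The following Python is an added example, not code from the Tessell documentation or product: it verifies that each subnet lies inside the VNet address block, that the private and public subnets do not overlap, and that no subnet is smaller than /29 (Azure reserves five addresses in every subnet). The requirement that the VNet sit inside RFC 1918 space reflects the Landing Zone's pre-authorized address spaces and is an assumption; the sample CIDRs are constructed.

```python
import ipaddress

# RFC 1918 private ranges; requiring the VNet to sit inside one of them is an
# assumption based on the Landing Zone's pre-authorized address spaces.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Azure reserves five addresses in every subnet, so /29 is the smallest deployable subnet.
AZURE_MAX_PREFIXLEN = 29


def validate_network_plan(vnet_cidr, subnets):
    """Check a VNet/subnet plan and return a list of problems (empty list means OK).

    vnet_cidr: the Virtual Network CIDR, e.g. "10.20.0.0/16"
    subnets:   mapping of subnet name -> CIDR, e.g. {"private": "10.20.1.0/24"}
    """
    problems = []
    try:
        # strict=True rejects values with host bits set, e.g. "10.20.1.5/24"
        vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    except ValueError as exc:
        return [f"VNet CIDR {vnet_cidr!r} is invalid: {exc}"]

    if not any(vnet.subnet_of(block) for block in RFC1918):
        problems.append(f"VNet {vnet} is not inside an RFC 1918 private range")

    parsed = {}
    for name, cidr in subnets.items():
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: CIDR {cidr!r} is invalid: {exc}")
            continue
        if net.version != vnet.version or not net.subnet_of(vnet):
            problems.append(f"{name}: {net} is outside VNet {vnet}")
        if net.prefixlen > AZURE_MAX_PREFIXLEN:
            problems.append(f"{name}: {net} is smaller than /29, which Azure does not allow")
        parsed[name] = net

    # Subnets inside one VNet must not overlap each other.
    names = sorted(parsed)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].overlaps(parsed[b]):
                problems.append(f"{a} ({parsed[a]}) overlaps {b} ({parsed[b]})")
    return problems


if __name__ == "__main__":
    # Constructed sample plan: one private and one public subnet in a /16 VNet.
    plan = {"private": "10.20.1.0/24", "public": "10.20.2.0/24"}
    for problem in validate_network_plan("10.20.0.0/16", plan) or ["plan is valid"]:
        print(problem)
```

Run it with the values you intend to enter in the form; an empty result means the plan passes every check, and each returned string names the subnet and the rule it violates.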

#### **Register Existing Network**

An existing VNet and Subnet can be used for hosting databases by registering the network details:

* **Virtual Network Details**: Provide the following information.
  * **Virtual Network ID**: Specify the Resource ID of the existing VNet.
  * **Virtual Network Name**: Specify the name of the VNet in Tessell for reference.
  * **Private Subnet ID**: Specify the Resource ID of the subnet.
* **Enable Public Subnet**

  Toggle this option to create a DB Service with public access in the VNet.

  Additionally, provide the following details for the subnet:

  * **Public Subnet ID:** Specify the Resource ID of the public subnet.
* After the network details are specified, click **Next** to proceed to the Resources section.

<figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2FgUkMKG75BMk2bW4GaBhe%2Funknown.png?alt=media&#x26;token=26655d33-bd99-4866-9317-32674ac8fdb8" alt=""><figcaption></figcaption></figure>

**Permissions Assigned to Tessell Service Principal**

As part of the subscription onboarding, the following permissions are assigned to Tessell Service Principal on the resource group hosting the VNet provided above:

```json
{
    "permissions": [
        {
            "actions": [
                "Microsoft.Network/virtualNetworks/read",
                "Microsoft.Network/virtualNetworks/subnets/read",
                "Microsoft.Network/virtualNetworks/subnets/join/action",
                "Microsoft.Network/privateEndpoints/read",
                "Microsoft.Network/networkInterfaces/read",
                "Microsoft.Insights/PrivateLinkScopes/ScopedResources/Read",
                "Microsoft.Insights/PrivateLinkScopes/ScopedResources/Write"
            ],
            "notActions": [],
            "dataActions": [],
            "notDataActions": []
        }
    ]
}
```

#### **Network Security Group (NSG) Configuration**

**Tessell Control Plane Outbound**

* **For Subnet NSG**: Open outbound for port **8352-8370** to the Control Plane IP.
* **For Firewall**: Open outbound for port **8352-8370** to the Control Plane DNS name and IP.

**Azure Services Outbound**

* **For Subnet NSG**: Open outbound for port **443** for the following Azure Services:
  * Azure Storage
  * Azure Key Vault
  * Azure Active Directory
  * Azure Resource Manager
  * Azure Monitor
* **For Firewall**: Open outbound for port **443**.

***

#### STEP 4 OF 6: <a href="#step-4-of-6" id="step-4-of-6"></a>

### **Setup Resources**

#### **Storage Account**

A Storage Account is created/registered with the following properties:

* Part of the Azure resource group hosting the database
* Located in the primary region of the Tessell Subscription

**Use Case**

Storage Accounts store log backups from database instances, ensuring changes and transactions are recorded for recovery and auditing.

#### **Configuration Options**

1. **Add New**

   Creates a new storage account during subscription onboarding.

   * **Storage Account Name**: Specify the storage account name.

   <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2FOSgCZV4JbH458ml1oVg5%2Funknown.png?alt=media&#x26;token=d46bc2ae-9ce0-49c2-883e-9894bf26a8be" alt=""><figcaption></figcaption></figure>
2. **Register**

   Registers an existing Storage Account. See [Appendix - Existing Storage Account Configuration](#existing-storage-account-configuration).

   * **Cloud Resource ID**: Provide the Azure Resource ID of the existing account. See [Appendix - How to get a Storage Account Resource ID?](#how-to-get-a-storage-account-resource-id).

   <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2F9cBiDHfZgjNPIhx8oPWA%2Funknown.png?alt=media&#x26;token=d40d9ba0-4dcf-42f4-a6e5-b0153fd42649" alt=""><figcaption></figcaption></figure>

***

#### **Network Configuration (Database VM VNet → Storage Account)**

**Option 1: Public Access**

* Add an NSG outbound rule to allow traffic to `Microsoft.Storage`.

| Destination          | Destination Port | Purpose                             |
| -------------------- | ---------------- | ----------------------------------- |
| Service Tag: Storage | 443              | Allow access to the storage account |

* Allow outbound TCP traffic on port 443 if using an external firewall.
* Storage Account Firewall: Fully open public access.

**Option 2: Service Endpoint**

* Add Service Endpoint (**Microsoft.StorageGlobal**) on the subnet hosting the database.
* Storage Account Firewall: If public access is restricted, whitelist all database subnets in the firewall.

**Option 3: Private Endpoint**

* Create a private endpoint to the storage account from the VNet.
  * It should have Private DNS enabled.
  * If a custom DNS server is used for the database VNet, ensure it is linked to the Azure Private DNS Zone for the storage account so that the storage account DNS name resolves to the private IP.
* If the endpoint is created in a subnet different from the database subnet, add the following NSG rules:
  * In the database subnet NSG: Outbound 443 to the subnet with the private endpoint.
  * In the NSG of the subnet with the private endpoint: Inbound 443 from the database subnet.
* Another endpoint is required for the Control Plane AQS Storage Account. This is used for sending Tessell Operation Logs to the Control Plane.

**Control Plane Connectivity**

* If public access is restricted:
  * For the control plane region: whitelist the control plane VNet.

    ```bash
    az storage account network-rule add \
      --resource-group <storage_account_rg_name> \
      --account-name <storage_account_name> \
      --subnet <control_plane_subnet> \
      --action Allow \
      --tenant-id <control_plane_tenant_id>
    ```
  * For other regions: whitelist the Control Plane Public NAT IP.

***

#### **Secrets**

A Key Vault is created/registered with:

* Part of the Azure resource group hosting the database
* Located in the primary region of the Tessell Subscription

**Use Case**

Key Vaults securely store database secrets and disk encryption keys, ensuring sensitive information is protected and accessible only to authorized entities.

**Configuration Options**

**1. Add New**

Creates a new Key Vault during subscription onboarding.

* **Key Vault**: Specify the vault name.

<figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2FlMw2rpyNdesoHnLKLgz3%2Funknown.png?alt=media&#x26;token=9ce98ee9-2c96-4131-86ee-244bb14dfc85" alt=""><figcaption></figcaption></figure>

**2. Register**

Registers an existing Key Vault. See [Appendix - Existing Key Vault Configuration](#existing-key-vault-configuration).

* **Cloud Resource ID**: Provide the Azure Resource ID. See [Appendix - How to get Key Vault Resource ID](#how-to-get-key-vault-resource-id).

<figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2FnFM9Af1qMrwnxoyziXTO%2Funknown.png?alt=media&#x26;token=14e0944f-6a5a-4b39-9678-e1a24c5b0df6" alt=""><figcaption></figcaption></figure>

***

#### **Encryption Key**

A Disk Encryption Key is created/registered with:

* Part of the Azure resource group hosting the database
* Located in the primary region of the Tessell Subscription

**Configuration Options**

**1. Add New**

Creates a new Disk Encryption Key Set during subscription onboarding.

* **Disk Encryption Set**: Specify the disk encryption set name.
* **Key Name**: Name of the key stored in the key vault used for creating the disk encryption set.

<figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2F3eYO1P8Sg84SVni7zbdO%2Funknown.png?alt=media&#x26;token=5e8dfed6-b9b2-44e0-b7c3-6a0bbc5022bd" alt=""><figcaption></figcaption></figure>

**2. Register**

Registers an existing Disk Encryption Key Set. See [Appendix - Existing Disk Encryption Key Set Configuration](#existing-disk-encryption-key-set-configuration).

* **Cloud Resource ID**: Provide the disk encryption set Azure Resource ID. See [Appendix - How to get Disk Encryption Key Set Resource ID](#how-to-get-disk-encryption-key-set-resource-id).
* **Key Name**: Specify the key name that is used by Tessell internally to refer to the disk encryption set.

<figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2FAjVI4g8rvUysPcMGHFOI%2Funknown.png?alt=media&#x26;token=5ece19b4-f102-4430-bbd3-112fb46e10b5" alt=""><figcaption></figcaption></figure>

**3. Set Up Later**

* Allows configuration at a later stage.

<figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2F47v19G1P2r3ymtGmPl0u%2Funknown.png?alt=media&#x26;token=7df32705-84ff-48ed-9827-e3ca2eb7e11c" alt=""><figcaption></figcaption></figure>

***

#### **Network Configuration for connectivity from Database VM Vnet to Key Vault**

**Option 1: Public Access**

* Add the following rule to the subnet’s NSG for outbound traffic to the Service Tag AzureKeyVault.

| Destination                | Destination Port | Purpose                      |
| -------------------------- | ---------------- | ---------------------------- |
| Service Tag: AzureKeyVault | 443              | Allow access to the KeyVault |

* Allow outbound TCP traffic on port 443 if any external firewall exists.
* Key Vault Firewall: Public access should be fully open.

**Option 2: Service Endpoint**

* Add Service Endpoint (**Microsoft.KeyVault**) on the subnet hosting the database.
* Key Vault Firewall: If public access is restricted, whitelist all database subnets in the firewall.

**Option 3: Private Endpoint**

* Create a Private Endpoint to the Key Vault from the VNet.
  * It should have Private DNS enabled.
  * If a custom DNS server is used for the database VNet, ensure it is linked to the Azure Private DNS Zone for Key Vault so that the Key Vault DNS name resolves to the private IP.
* If the endpoint is created in a subnet different from the database subnet, add the following NSG rules:
  * In the database subnet NSG: Outbound 443 to the subnet with the private endpoint.
  * In the NSG of the subnet with the private endpoint: Inbound 443 from the database subnet.

***

#### **Control Plane connectivity to Key Vault**

* **Key Vault Firewall:** If public access is restricted, whitelist the Control Plane Public NAT IP.

**Key Vault Access Policy**

Tessell Service Principal

```json
{
    "permissions": {
        "keys": [
            "get",
            "list",
            "encrypt",
            "decrypt",
            "sign",
            "getrotationpolicy"
        ],
        "secrets": [
            "all"
        ]
    }
}
```

Only if key management access is given in Step 5, the following key permissions are added to the `keys` list:

```json
[
    "create",
    "update",
    "import",
    "delete",
    "recover",
    "backup",
    "restore"
]
```

Tessell Managed Identity

```json
{
    "permissions": {
        "secrets": [
            "get",
            "list"
        ]
    }
}
```

Tessell Disk Encryption Key Set

```json
{
    "permissions": {
        "keys": [
            "get",
            "wrapKey",
            "unwrapKey",
            "encrypt",
            "decrypt",
            "sign"
        ]
    }
}
```
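The permission listings on this page double as a least-privilege baseline: the custom role actions assigned to the Tessell Service Principal on the network resource group (Step 3) and the three Key Vault access policies above. The following Python is an added example, not code from the Tessell documentation or product, that compares what a role definition or access-policy entry actually grants against those baselines and reports wildcards, extra or missing permissions, and scopes broader than a resource group. The expected sets are copied from the page; the sample role definition and policies are constructed, the scope string uses a placeholder subscription ID, and the key-management toggle from Step 5 is modelled as a boolean.

```python
# Permission sets as listed on this page.
NETWORK_ROLE_ACTIONS = {
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Network/virtualNetworks/subnets/join/action",
    "Microsoft.Network/privateEndpoints/read",
    "Microsoft.Network/networkInterfaces/read",
    "Microsoft.Insights/PrivateLinkScopes/ScopedResources/Read",
    "Microsoft.Insights/PrivateLinkScopes/ScopedResources/Write",
}
KV_SP_KEYS = {"get", "list", "encrypt", "decrypt", "sign", "getrotationpolicy"}
KV_SP_KEY_MANAGEMENT = {"create", "update", "import", "delete", "recover", "backup", "restore"}
KV_MANAGED_IDENTITY = {"secrets": {"get", "list"}}
KV_DISK_ENCRYPTION_SET = {"keys": {"get", "wrapKey", "unwrapKey", "encrypt", "decrypt", "sign"}}


def service_principal_policy(key_management_enabled):
    """Expected Key Vault policy for the Tessell Service Principal (Step 5 toggle as a flag)."""
    keys = KV_SP_KEYS | (KV_SP_KEY_MANAGEMENT if key_management_enabled else set())
    return {"keys": keys, "secrets": {"all"}}


def check_role_definition(role, expected_actions):
    """Findings for a custom role definition; an empty list means it matches the page."""
    findings = []
    for perm in role.get("permissions", []):
        actions = set(perm.get("actions", []))
        wildcards = sorted(a for a in actions if "*" in a)
        if wildcards:
            findings.append(f"wildcard actions present: {wildcards}")
        extra, missing = actions - expected_actions, expected_actions - actions
        if extra:
            findings.append(f"unexpected actions: {sorted(extra)}")
        if missing:
            findings.append(f"missing actions: {sorted(missing)}")
        for key in ("notActions", "dataActions", "notDataActions"):
            if perm.get(key):
                findings.append(f"{key} should be empty, got {perm[key]}")
    for scope in role.get("assignableScopes", []):
        # The page assigns the role on the resource group, never subscription-wide.
        if "/resourceGroups/" not in scope:
            findings.append(f"assignable scope is broader than a resource group: {scope}")
    return findings


def check_access_policy(policy, expected):
    """Findings for one Key Vault access-policy entry against an expected {kind: set} mapping."""
    findings = []
    granted = policy.get("permissions", {})
    for kind in sorted(set(granted) | set(expected)):
        have = {p.lower() for p in granted.get(kind, [])}
        want = {p.lower() for p in expected.get(kind, set())}
        if "all" in want:
            if "all" not in have:
                findings.append(f"{kind}: expected 'all', got {sorted(have)}")
            continue
        if "all" in have:
            findings.append(f"{kind}: 'all' granted but only {sorted(want)} expected")
            continue
        if have - want:
            findings.append(f"{kind}: unexpected permissions {sorted(have - want)}")
        if want - have:
            findings.append(f"{kind}: missing permissions {sorted(want - have)}")
    return findings


if __name__ == "__main__":
    # Constructed sample role definition; the subscription ID is a placeholder.
    role = {
        "permissions": [{"actions": sorted(NETWORK_ROLE_ACTIONS), "notActions": [],
                         "dataActions": [], "notDataActions": []}],
        "assignableScopes": ["/subscriptions/<subscription_id>/resourceGroups/rg-tessell-db"],
    }
    print(check_role_definition(role, NETWORK_ROLE_ACTIONS))
    # Constructed policy that still carries key-management rights after the toggle was turned off.
    sp_policy = {"permissions": {"keys": sorted(KV_SP_KEYS | KV_SP_KEY_MANAGEMENT), "secrets": ["all"]}}
    print(check_access_policy(sp_policy, service_principal_policy(key_management_enabled=False)))
```

The input shapes mirror the `permissions` objects shown on this page, so the output of an `az role definition list` or `az keyvault show` call can be fed in after selecting the relevant entry; permission names are compared case-insensitively because Key Vault accepts either casing.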

***

#### **Global Resources**

Global resources are created/registered once for all regions of the Tessell Subscription. They are part of the Azure resource group hosting the databases.

Following are the global resources:

**Log Analytics Workspace**

Log Analytics Workspaces collect and analyze database alert logs. These workspaces provide powerful tools for monitoring, diagnosing, and alerting on database issues. By aggregating and analyzing alert logs, we can proactively address potential problems and ensure the smooth operation of our DBaaS environment.

**User Managed Identity**

A User-Managed Identity (UMI) is attached to the VM for secure access to:

* **Azure Key Vault**: Enables the VM to retrieve secrets, keys, and certificates without storing credentials.
* **Snapshot Operations**: Allows the VM to create and manage disk snapshots for backup and restore.

Using UMI ensures secure, credential-free authentication while adhering to Azure security best practices.

Global resources can be configured with one of two options:

**Add**

* **Log Analytics Workspace**
  * Creates a new log analytics workspace during subscription onboarding.
  * Specify log analytics workspace name.
* **User Managed Identity**

  * Creates a new user managed identity during subscription onboarding.
  * Specify user managed identity name.

  <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2FSSTQn9R3cNGdzvgEotUJ%2Funknown.png?alt=media&#x26;token=0e3d4a8a-dbf7-4b4e-a2a6-620eeae9594b" alt=""><figcaption></figcaption></figure>

**Register**

* **Log Analytics Workspace**
  * Registers an existing log analytics workspace.
  * **Cloud Resource ID**: Provide the Azure Resource ID.
* **User Managed Identity**

  * Registers an existing user managed identity.
  * **Cloud Resource ID**: Provide the Azure Resource ID.

  <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2FLg9giTldqsEhX88ETF1i%2Funknown.png?alt=media&#x26;token=312d6da4-0935-4b27-b47e-f6e68edb53eb" alt=""><figcaption></figcaption></figure>

**Endpoint Configuration**

* **Azure Monitor Private Link (Optional):**\
  When registering an existing VNet, leave the field empty to skip creating the resource. All endpoints are created in the subnet hosting the database.

  **Private Link Scope Configuration**:

  * **Add**: Specify the name of the Azure Monitor Private Link Scope for Log Analytics Workspace.\
    **Note**: Created in the resource group hosting the database.
  * **Register**: Resource ID of the Azure Monitor Private Link Scope. See [Appendix - How to find Azure Monitor Private Link Scope Resource ID?](#how-to-find-azure-monitor-private-link-scope-resource-id).
  * Log Analytics Workspace created/registered is configured in the private link scope as part of subscription onboarding ARM Template.

* **Azure Log Monitor Endpoint (Optional):**

  * **Add**: Name of the Azure Private Endpoint for Azure Monitor Private Link Scope.
  * **Register**: Resource ID of the Azure Private Endpoint for Azure Monitor Private Link Scope. See [Appendix - How to find Azure Monitor Private Endpoint Resource ID?](#how-to-find-azure-monitor-private-endpoint-resource-id).
  * Private DNS is disabled for Azure Log Monitor Endpoint.

  <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2FO1bwdNgK0ge3rUNkGUqm%2Funknown.png?alt=media&#x26;token=80a07a14-fe51-4f5b-8f6a-5d9910dc7995" alt=""><figcaption></figcaption></figure>

* After the resource details are specified, click **Next** to proceed to the Advanced Settings section.

#### **Network Security Group (NSG) Configuration**

**Azure Monitor**

* **Private Endpoint**:
  * Port **443** outbound connectivity is required from the database VM to the endpoint.
  * If endpoints are in a different subnet from the database subnet:
    * **Inbound** must be open on the private endpoint subnet NSG for port **443**.
    * **Outbound** must be open on the database subnet NSG for port **443**.
* **Public Access**:
  * Port **443** outbound connectivity is required from the database VM to Azure Monitor Service.
  * To achieve this, add an outbound rule in the database subnet NSG for port 443 for the Azure Monitor Service tag.
  * If a firewall is used, enable outbound for port **443**.

**Azure Active Directory and Azure Resource Manager**

These are required for:

* **SQL Server**
* **High-Performance Shapes**

**Public Access \[Recommended]:**

* Port **443** outbound connectivity is required from the database VM to:
  * **Azure Active Directory Service**
  * **Azure Resource Manager Service**
  * **Service Endpoint**
* **Add outbound rule** in the database subnet NSG for port **443** for the Azure Active Directory & Azure Resource Manager Service tag.
* If a firewall is used, enable outbound for port **443**.

**Private Link + Private Endpoint**

* Port **443** outbound connectivity is required from the database VM to the private endpoint.
* **Inbound** must be open on the private endpoint subnet NSG for port **443**.
* **Outbound** must be open on the database subnet NSG for port **443**.
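The outbound NSG requirements for the database subnet are spread across this page: ports 8352-8370 to the Tessell Control Plane endpoint (Step 3), port 443 to the Storage and AzureKeyVault service tags (Storage Account and Key Vault sections of Step 4), and port 443 to Azure Monitor, Azure Active Directory and Azure Resource Manager above. The following Python is an added example, not code from the Tessell documentation or product: it evaluates a list of outbound NSG rules the way Azure does (lowest priority number wins, the default rules apply last) and reports which required flows a locked-down rule set would block. The sample rule set, the control plane endpoint IP 10.20.1.10, and the simplified matching of the Internet and VirtualNetwork tags are constructed assumptions; it covers outbound rules from the database subnet only, not the inbound rules on a separate private endpoint subnet.

```python
import ipaddress

# Azure's default outbound rules, evaluated after any custom rules.
DEFAULT_OUTBOUND_RULES = [
    {"name": "AllowVnetOutBound", "priority": 65000, "access": "Allow",
     "protocol": "*", "destination": "VirtualNetwork", "ports": "*"},
    {"name": "AllowInternetOutBound", "priority": 65001, "access": "Allow",
     "protocol": "*", "destination": "Internet", "ports": "*"},
    {"name": "DenyAllOutBound", "priority": 65500, "access": "Deny",
     "protocol": "*", "destination": "*", "ports": "*"},
]

# Service tags this page requires port 443 to (public Azure services).
AZURE_SERVICE_TAGS = ["Storage", "AzureKeyVault", "AzureActiveDirectory",
                      "AzureResourceManager", "AzureMonitor"]


def port_matches(port, spec):
    """spec may be "*", a single port, a range like "8352-8370", or a comma-separated list."""
    for part in str(spec).split(","):
        part = part.strip()
        if part == "*":
            return True
        if "-" in part:
            low, high = (int(x) for x in part.split("-"))
            if low <= port <= high:
                return True
        elif int(part) == port:
            return True
    return False


def destination_matches(rule_dest, flow_dest):
    """Simplified tag/CIDR matching: a flow destination is a service tag or an IP address."""
    if rule_dest in ("*", flow_dest):
        return True
    try:
        ip = ipaddress.ip_address(flow_dest)
    except ValueError:
        # flow_dest is a service tag; only the Internet tag also covers public Azure services
        return rule_dest == "Internet" and flow_dest in AZURE_SERVICE_TAGS
    if rule_dest == "Internet":
        return not ip.is_private
    if rule_dest == "VirtualNetwork":
        return ip.is_private  # assumption: private space stands in for the VNet address space
    try:
        return ip in ipaddress.ip_network(rule_dest, strict=False)
    except ValueError:
        return False  # some other service tag never matches an IP destination


def evaluate_outbound(rules, protocol, destination, port):
    """Return (allowed, rule_name): the first rule by priority that matches decides."""
    for rule in sorted(rules + DEFAULT_OUTBOUND_RULES, key=lambda r: r["priority"]):
        if rule["protocol"] not in ("*", protocol):
            continue
        if not destination_matches(rule["destination"], destination):
            continue
        if not port_matches(port, rule["ports"]):
            continue
        return rule["access"] == "Allow", rule["name"]
    return False, "no-match"


def blocked_required_flows(rules, control_plane_endpoint_ip):
    """List the flows required by this page that the rule set would block."""
    flows = [("Tessell control plane endpoint", control_plane_endpoint_ip, p) for p in (8352, 8370)]
    flows += [(f"Azure service tag {tag}", tag, 443) for tag in AZURE_SERVICE_TAGS]
    blocked = []
    for label, dest, port in flows:
        allowed, by_rule = evaluate_outbound(rules, "Tcp", dest, port)
        if not allowed:
            blocked.append(f"{label} ({dest}:{port}) blocked by {by_rule}")
    return blocked


def allow(name, priority, destination, ports):
    return {"name": name, "priority": priority, "access": "Allow",
            "protocol": "Tcp", "destination": destination, "ports": ports}


# Constructed locked-down rule set: explicit allows, then deny everything else outbound.
LOCKED_DOWN_RULES = [
    allow("AllowTessellControlPlane", 100, "10.20.1.10", "8352-8370"),
    allow("AllowStorage", 110, "Storage", "443"),
    allow("AllowKeyVault", 120, "AzureKeyVault", "443"),
    allow("AllowAzureAD", 130, "AzureActiveDirectory", "443"),
    allow("AllowARM", 140, "AzureResourceManager", "443"),
    allow("AllowMonitor", 150, "AzureMonitor", "443"),
    {"name": "DenyAllOtherOutbound", "priority": 4000, "access": "Deny",
     "protocol": "*", "destination": "*", "ports": "*"},
]

if __name__ == "__main__":
    print(blocked_required_flows(LOCKED_DOWN_RULES, "10.20.1.10") or ["all required flows allowed"])
    without_monitor = [r for r in LOCKED_DOWN_RULES if r["name"] != "AllowMonitor"]
    print(blocked_required_flows(without_monitor, "10.20.1.10"))
```

With only the Azure default rules the checker reports nothing blocked, because `AllowInternetOutBound` covers the public service tags; the value of the check appears once a deny-all rule is in place, where dropping any one of the allows above shows up as a blocked flow with the name of the rule that blocks it.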

***

#### STEP 5 OF 6:

### **Setup Permissions**

This section lists Tessell’s permissions across the various Azure resources. When the toggle switch is disabled, the permissions are shown with a green tick or a red cross: a green tick indicates full permission and a red cross indicates read-only permission.

<figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2F1ljQM10h3H8bsinFwfiV%2Funknown.png?alt=media&#x26;token=fb08850d-5850-4d8e-8ec3-55446551768c" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2FYZJdacRnM5UWiHMw8Q2v%2Funknown.png?alt=media&#x26;token=8c886b14-6146-4113-ac8e-9a1236124d70" alt=""><figcaption></figcaption></figure>

1. Toggle the switch to enable Tessell to manage networks and keys within the resource group.\
   This option is only available for non-private CP-DP.

   <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2Fbr9GMQ64qY5OKkkUOu8V%2Funknown.png?alt=media&#x26;token=9b48e503-f7dd-40c5-8193-f004b12d2375" alt=""><figcaption></figcaption></figure>

   <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2Fw9sDXONJNTBV4MOJH1xJ%2Funknown.png?alt=media&#x26;token=c4c71aac-b62b-4d3d-bae7-0fd3f1bc4fac" alt=""><figcaption></figcaption></figure>

2. Click **Next** to Launch and Deploy resources.

See [Azure Permission Mapping](https://docs.tessell.com/tessell/governance/subscriptions/azure-permission-mapping).

***

#### STEP 6 OF 6: <a href="#step-6-of-6" id="step-6-of-6"></a>

### **Launch and Deploy**

1. After all the details are filled, click **Launch ARM Template** to get the JSON output.

   <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2FBexAApT62RLhL27bc4Oe%2Funknown.png?alt=media&#x26;token=8902d62e-7d54-4a8a-847a-d0e0a71d5431" alt=""><figcaption></figcaption></figure>
2. Alternatively, select **Copy URL** to generate a direct link to the ARM template, for example to hand to the administrator who holds the Owner role on the resource group.
3. In the Azure portal, click **Edit template** if you want to edit resources in the ARM template. Review the role assignments and their scopes before deploying: this template is what grants Tessell its permissions in the subscription.

   <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2FeeVgWDMbG3wwgQPIOQJ6%2Funknown.png?alt=media&#x26;token=a214b23d-c1ed-4f0f-a904-a08e488ef786" alt=""><figcaption></figcaption></figure>
4. Select your Subscription, Resource group, and Region from the respective dropdown lists.
5. Click **Review + create** to review the template and create the resources in Azure.
6. Azure validates the template before creating anything; correct any validation errors and retry.
7. After the deployment completes, open its **Outputs** and copy the JSON output.
8. In the Tessell portal, select the check box **I have generated the ARM deployment output (JSON)** and paste the JSON output into the box.

   <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2FoLynzJELSkOBK310ETm7%2Funknown.png?alt=media&#x26;token=b44cd850-3e5e-4b39-92bb-6f90be280f2d" alt=""><figcaption></figcaption></figure>
9. Click **Review** to review the resources.
10. Click **Edit subscription** if you want to edit previously entered details.\
    Selecting this option returns you to the previous section, allowing navigation and editing of the resources as needed.
11. Click **Create**.

Alternatively, deploy the resources using code.

1. Use the **Code** button at the top-right corner to view the deployment code in different languages such as Shell, Python, Go, Java, JavaScript, and PowerShell.
2. Copy or download the code using the buttons in the top-right corner.
3. Use the **Close** button at the bottom-left corner to return to the main window.

***

### **Managing subscriptions in the dashboard**

The Subscriptions dashboard displays all the available subscriptions across various cloud providers.

<figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2FkQymcSXKPWYwZSPMqCG2%2Funknown.jpeg?alt=media&#x26;token=7e60546c-98f1-422c-ac8a-0c4998c8201d" alt=""><figcaption></figcaption></figure>

1. Enter a subscription name in the Search bar to find and display the details of a specific Azure subscription.
2. Click the ellipsis icon (︙) at the top-right corner of a subscription. The following options are displayed:

* **Add Region**

  Using this workflow, you can add a new region to your subscription apart from the primary region. You can then configure networks and resources, and deploy them in the new region.

  Follow these steps to add a region:

  * Choose Region - Refer to [STEP 1](#step-1-of-6).
  * Add/register network - Refer to [STEP 3](#step-3-of-6).
  * Add/register resources - Refer to [STEP 4](#step-4-of-6).
  * Launch and deploy - Refer to [STEP 6](#step-6-of-6).

* **Remove Regions**

  This option removes a region from the subscription.

  To remove a region, choose the desired region from the dropdown list, confirm your choice, and then click **Remove**.

* **Users**

  This option shows the users and their assigned roles within this subscription. You can also add new users and assign them either the **member** or **co-owner** role.

  **Note**: The Account Owner can view all subscriptions without them being shared.

* **Edit Name**

  Select this option to edit the name of the subscription.

* **Disable**

  Select this option to disable the subscription. Upon confirmation, the subscription is disabled.

  While a subscription is disabled, members cannot create new services in it.

* **Delete Subscription**

  Select this option to delete a subscription. Deleting the subscription affects all associated resources and the permissions granted during its creation. Tessell performs the necessary checks before deleting.

  Certain prerequisites must be met before a subscription can be deleted. For example:

  * Delete any associated Availability Machines.

    If an Availability Machine is retained for a service, its snapshots and backups are retained.
  * Terminate the database services running in this subscription. Resources such as NICs, security groups, snapshots, and backups are deleted along with the database service.
  * Delete the associated servers in the subscription.

***

## **Appendix**

#### How to find Subscription ID

1. **Log in to the Azure Portal:**
   1. Open [Azure Portal](https://portal.azure.com/) and log in with your credentials.
2. **Navigate to Subscriptions:**
   1. In the left-hand navigation pane, click on **Subscriptions**.
   2. If you do not see it, use the search bar at the top to search for "Subscriptions."
3. **Go to the Desired Subscriptions:**
   1. Click on the Subscriptions you want to use.
4. **Copy the Subscription ID:**

   1. In the **Overview** tab of the subscription, locate and copy the **Subscription ID**.

   <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2FhfDjIvkpYtbud1DVCQoc%2Funknown.png?alt=media&#x26;token=8a87be63-dc29-4eaf-9dd2-c42cd0083e30" alt=""><figcaption></figcaption></figure>

***

#### How to find Resource Group Name

1. **Navigate to Resource Groups:**
   1. In the left-hand navigation pane, click on **Resource Groups**.
   2. If you do not see it, use the search bar at the top to search for "Resource Groups."
2. **Go to the Desired Resource Group:**
   1. Click on the resource group you want to use.
3. **Locate the Resource Group Name:**

   1. The name of the resource group is displayed at the top of the **Overview** tab.

   <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2F3CSx4l7Dz0gS4EO7rGC4%2Funknown.png?alt=media&#x26;token=d4e9519f-452f-417f-a70a-923624563929" alt=""><figcaption></figcaption></figure>

***

#### How to find Azure Tenant ID

1. **Navigate to Microsoft Entra ID:**
   1. In the left-hand navigation pane, click on **Microsoft Entra ID**.
   2. If you do not see it, use the search bar at the top to search for "Microsoft Entra ID."
2. **Copy the Tenant ID:**

   1. In the **Overview** page of Microsoft Entra ID (formerly Azure Active Directory), locate and copy the **Tenant ID**.

   <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2F5AUUurI0idRCQw0KzSG9%2Funknown.png?alt=media&#x26;token=602e563f-71c5-4c34-b025-275fb971e347" alt=""><figcaption></figcaption></figure>

***

#### How to find the object ID of the Tessell App

1. **Navigate to Enterprise Applications:**
   1. In the left-hand navigation pane, click on **Enterprise Applications**.
   2. If you do not see it, use the search bar at the top to search for "Enterprise Applications".
2. **Search for the Tessell Application**:

   1. In the search bar, enter the application name **Tessell**.
   2. Click on the application after it appears in the results.

   <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2F3arg2W6HIqzmIBRNHAjo%2Funknown.png?alt=media&#x26;token=522a19fb-2f93-41a5-90c4-efd33e290dae" alt=""><figcaption></figcaption></figure>
3. **Find the Object ID**:

   1. Inside the application details, go to the **Overview** section.
   2. The **Object ID** is listed there. This is the object ID of the service principal (the Enterprise Application); it differs from both the **Application ID** shown next to it and the object ID of the corresponding App registration, so use the Enterprise Application value. Because display names are not unique within a tenant, also confirm that the Application ID shown belongs to the Tessell application.

   <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2FTgGfbKn5bn7JrkMARKCR%2Funknown.png?alt=media&#x26;token=e53cc1c4-bc8e-4c40-ac2f-e5a6af59e8cc" alt=""><figcaption></figcaption></figure>

***

#### Tessell Control Plane Endpoint Configuration

1. **Navigate to Private Link Center:**
   1. In the left-hand navigation pane, click on **Private Link Center**.
   2. If you do not see it, use the search bar at the top to search for "Private Link Center".
2. **Create a Private Endpoint**

   1. Click on **Private Endpoints** > **+ Create**.

   <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2FvsWMyPhbspd7KAJYjalo%2Funknown.png?alt=media&#x26;token=4741997f-73ad-47b6-be8f-ce9db00860df" alt=""><figcaption></figcaption></figure>
3. **Configure Basics**

   1. **Subscription**: Select your Azure subscription.
   2. **Resource Group**: Choose an existing or create a new one.
   3. **Name**: Specify a name for your Private Endpoint.
   4. **Region**: Select the Azure region.

   <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2F623XWd4mrux8rCCG0YFu%2Funknown.png?alt=media&#x26;token=35d31bf7-bb97-4754-aea2-943b2a57be58" alt=""><figcaption></figcaption></figure>
4. **Configure Resource Connection:**
   1. Tessell Control Plane Endpoint

      1. Select the connection method **Connect to an Azure resource by resource ID or alias**.
      2. Enter the Tessell Control Plane Private Link Service ID in the **Resource ID or alias** field.

      <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2Fb62DfrfbUmpfIs0uAOp8%2Funknown.png?alt=media&#x26;token=f112bed2-f9a7-4295-8d4c-630ddb4b1da8" alt=""><figcaption></figcaption></figure>
5. **Configure Virtual Network and Subnet**

   1. Select the database **VNet** and **Subnet** in which the Private Endpoint is created.
   2. Ensure that no Network Security Group (NSG) on that subnet blocks TCP traffic to the Private Link endpoint on ports 8350-8370.

   <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2F15IFvhgEqkpjzjmFNtat%2Funknown.png?alt=media&#x26;token=e925e389-1c71-46f3-9f25-dbfc924b6011" alt=""><figcaption></figcaption></figure>
6. **Private DNS Integration:** disabled by default; keep the default.

   <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2FdYWSJZOKU0FkzwdcBEIF%2Funknown.png?alt=media&#x26;token=a9fd3590-bacf-439e-8273-4b5fb8282a62" alt=""><figcaption></figcaption></figure>
7. **Provide Tags, and Review and Create.**

   1. Provide Tags as required.
   2. Click **Review + Create.**
   3. Once validation passes, click **Create.**

   <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2FZjMWo2IfCMqqk2nhV8AI%2Funknown.png?alt=media&#x26;token=0995d929-46c7-4a07-b4b7-209155bcf4ea" alt=""><figcaption></figcaption></figure>
8. The endpoint is created with connection state **Pending**. Tessell approves it when subscription onboarding completes; until then no traffic flows through it.

<figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2FBm1JvjA3ESWB4CohdWcj%2Funknown.png?alt=media&#x26;token=cccf5a24-779f-4bf1-ac78-7cc50a6226fe" alt=""><figcaption></figcaption></figure>
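Step 5 above asks you to confirm that no NSG rule blocks ports 8350-8370 towards the endpoint. The following is an added example, not Tessell's code or part of the onboarding template: it evaluates NSG rules the way Azure does (lowest priority number wins, the default rules last) and reports which of those ports would be denied. The rules and the endpoint address are constructed samples in the shape of `az network nsg rule list -o json` with only the fields used here.

```python
# Added example, not part of Tessell's documentation or code: evaluate the NSG
# attached to the database subnet the way Azure does (lowest priority number
# wins, default rules last) and report which of the Private Link ports
# 8350-8370 would be denied towards the control-plane private endpoint.
# The rules and the endpoint IP below are constructed samples in the shape of
# `az network nsg rule list -o json`; only the fields used here are present.
import ipaddress

PRIVATE_LINK_PORTS = range(8350, 8371)  # TCP 8350-8370 inclusive

# Azure's default outbound rules; they sit below every custom rule.
DEFAULT_OUTBOUND = [
    {"name": "AllowVnetOutBound", "priority": 65000, "direction": "Outbound",
     "access": "Allow", "protocol": "*", "destinationPortRange": "*",
     "destinationAddressPrefix": "VirtualNetwork"},
    {"name": "AllowInternetOutBound", "priority": 65001, "direction": "Outbound",
     "access": "Allow", "protocol": "*", "destinationPortRange": "*",
     "destinationAddressPrefix": "Internet"},
    {"name": "DenyAllOutBound", "priority": 65500, "direction": "Outbound",
     "access": "Deny", "protocol": "*", "destinationPortRange": "*",
     "destinationAddressPrefix": "*"},
]


def _port_ranges(rule):
    """Expand destinationPortRange / destinationPortRanges into (low, high) tuples."""
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    out = []
    for r in ranges:
        if r == "*":
            out.append((0, 65535))
        elif "-" in r:
            low, high = r.split("-")
            out.append((int(low), int(high)))
        else:
            out.append((int(r), int(r)))
    return out


def _matches_destination(rule, endpoint_ip):
    """True if the rule's destination covers the private endpoint address (always inside the VNet)."""
    prefixes = rule.get("destinationAddressPrefixes") or [rule.get("destinationAddressPrefix", "*")]
    for prefix in prefixes:
        if prefix in ("*", "VirtualNetwork"):
            return True
        try:
            if endpoint_ip in ipaddress.ip_network(prefix, strict=False):
                return True
        except ValueError:
            continue  # other service tags (Internet, Storage, ...) never cover a private endpoint IP
    return False


def decision_for_port(rules, endpoint_ip, port):
    """Return (access, rule name) of the first matching outbound rule in priority order."""
    for rule in sorted(list(rules) + DEFAULT_OUTBOUND, key=lambda r: r["priority"]):
        if rule["direction"] != "Outbound" or rule["protocol"] not in ("*", "Tcp"):
            continue
        if not any(low <= port <= high for low, high in _port_ranges(rule)):
            continue
        if _matches_destination(rule, endpoint_ip):
            return rule["access"], rule["name"]
    return "Deny", "DenyAllOutBound"  # not reached: the default rules match every packet


def blocked_private_link_ports(rules, endpoint_ip):
    """List (port, blocking rule) for every port in 8350-8370 the NSG would deny."""
    ip = ipaddress.ip_address(endpoint_ip)
    blocked = []
    for port in PRIVATE_LINK_PORTS:
        access, name = decision_for_port(rules, ip, port)
        if access == "Deny":
            blocked.append((port, name))
    return blocked


# Constructed sample: a custom allow rule that covers only part of the range,
# followed by a broad deny, which is a common way to end up with a partial block.
ENDPOINT_IP = "10.20.1.5"  # constructed private endpoint address
SAMPLE_RULES = [
    {"name": "Allow-Tessell-CP", "priority": 100, "direction": "Outbound", "access": "Allow",
     "protocol": "Tcp", "destinationPortRange": "8350-8360",
     "destinationAddressPrefix": "VirtualNetwork"},
    {"name": "Deny-HighPorts", "priority": 200, "direction": "Outbound", "access": "Deny",
     "protocol": "Tcp", "destinationPortRange": "8000-9000", "destinationAddressPrefix": "*"},
]
# The fix: widen the allow rule to the full range, pinned to the endpoint's own address.
FIXED_RULES = [dict(SAMPLE_RULES[0], destinationPortRange="8350-8370",
                    destinationAddressPrefix=f"{ENDPOINT_IP}/32"), SAMPLE_RULES[1]]

if __name__ == "__main__":
    for port, rule in blocked_private_link_ports(SAMPLE_RULES, ENDPOINT_IP):
        print(f"port {port} is blocked by rule {rule}")
    print("after fix:", blocked_private_link_ports(FIXED_RULES, ENDPOINT_IP))
```

With the sample rules, ports 8361-8370 are denied by `Deny-HighPorts` because the allow rule stops at 8360; widening the allow rule to the full range, pinned to the endpoint's /32, clears the finding. To check a real subnet, export its rules with `az network nsg rule list --nsg-name <nsg> --resource-group <rg> --include-default -o json` and pass them in place of the sample; if private endpoint network policies are enabled on the subnet, run the same evaluation over the inbound rules as well, since they then apply to the endpoint's NIC.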

***

#### How to get resource ID for a private endpoint

1. Navigate to **Private Link Center**, from the left-hand menu select **Private endpoints**.
2. Choose your private endpoint from the list displayed on the right-hand side.

   <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2FxrDyVw0nC68p1kL0hoHQ%2Funknown.png?alt=media&#x26;token=81d9aa68-fab5-4e40-b565-e462f4c81cdb" alt=""><figcaption></figcaption></figure>
3. On the left-hand side, select **Properties** to view the **Resource ID** field.

   <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2FEE3ACkRwBHyjZp6zWiu7%2Funknown.png?alt=media&#x26;token=acf9e26d-d17f-4df2-a283-e7a3d5efe4cf" alt=""><figcaption></figcaption></figure>

***

#### Existing Storage Account Configuration

The existing storage account should have the following configuration:

* Storage Account in **Azure Portal** > **Settings** > **Configuration**

  * Allow storage account key access: Enabled
  * Blob access tier (default): Hot

  <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2FlSLUvlSLvsJv6MhsIEEN%2Funknown.png?alt=media&#x26;token=ea3d78e7-85ae-4179-a1f0-c8998515687a" alt=""><figcaption></figcaption></figure>
* Storage Account in **Azure Portal** > **Security + networking** > **Networking** > **Firewalls and virtual networks**: either of the following options should be enabled. Prefer the second, which limits the account to the Tessell control plane and your own networks rather than exposing it to all networks.

  * Enabled from all networks

  <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2F1uERSJoNeBPlE2eZNmck%2Funknown.png?alt=media&#x26;token=1d2eb25e-95fa-4516-a14a-81e21fc9132b" alt=""><figcaption></figcaption></figure>

  * Enabled from selected virtual networks and IP addresses

    * If the data plane and control plane regions differ: add the Tessell Control Plane public IP to the firewall address range.

    <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2Fzqd6kFuosJBWF17yMWR5%2Funknown.png?alt=media&#x26;token=ed0ee720-bd53-4144-ae8c-34028a2db438" alt=""><figcaption></figcaption></figure>

    * If the data plane and control plane regions are the same: register the Tessell Control Plane VNet in the storage account firewall.
* Required tag: `ALLOW_IMPORT_TO_TESSELL` = `true`
* A customer-managed (custom) encryption key on the storage account has no impact.

***

#### How to get a Storage Account resource ID

1. Navigate to **Azure Portal** > **Storage Accounts**.

   <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2FQ9ufUnENCS6h2EeFTgqU%2Funknown.png?alt=media&#x26;token=db729824-8c76-4ad9-a4a6-a6c1a827c8a8" alt=""><figcaption></figcaption></figure>
2. Select a storage account, under essentials, click **JSON View** on the top-right corner to view the Resource ID.

   <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2Fr9o6M6wRMWHqSdx3Verg%2Funknown.png?alt=media&#x26;token=7c6bd34a-bad8-48a9-837d-2fcfc31a944e" alt=""><figcaption></figcaption></figure>

***

#### Existing Key Vault Configuration

The existing key vault should have the following configuration:

* Key Vault in **Azure Portal** > **Settings** > **Access configuration**
  * Permission model: **Vault access policy**
  * Resource access: the following should be enabled:
    * Azure Disk Encryption for volume encryption
    * Azure Resource Manager for template deployment

<figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2F9HmWEPJT97JAmOjoEEF9%2Funknown.png?alt=media&#x26;token=a2c0adbf-375f-4d1a-bf02-272cf0d2ad0b" alt=""><figcaption></figcaption></figure>

<p align="center"><strong>OR</strong></p>

<figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2F8elzudxCPwriK9wmuXcn%2Funknown.png?alt=media&#x26;token=e73de13a-7904-45f7-b650-c5a7063ff8d7" alt=""><figcaption></figcaption></figure>

* Key Vault in **Azure Portal** > **Settings** > **Networking** > **Firewalls and virtual networks**: either of the following options should be enabled.

  * Enabled from all networks

  <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2FXKuRo0Dkw90N4z5Okk8i%2Funknown.png?alt=media&#x26;token=6674b5ea-7795-4b43-b290-d458af703101" alt=""><figcaption></figcaption></figure>
  * Enabled from selected virtual networks and IP addresses

    * Add the Tessell Control Plane public IP to the firewall address range.

  <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2FO37nCoymgD3zG9XUZLpT%2Funknown.png?alt=media&#x26;token=bca39a16-fa3b-4422-8175-b4a726ad7359" alt=""><figcaption></figcaption></figure>
* Key Vault in **Azure Portal** > **Objects** > **Keys**
  * Configuration of the key to be used by the Disk Encryption Set

    * Key type: RSA
    * RSA key size: 2048
    * Permitted operations: all should be enabled

    <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2FL7xACePtRlYuQjuCetgO%2Funknown.png?alt=media&#x26;token=b55dbcff-48a2-4f3b-bd79-e825c363458f" alt=""><figcaption></figcaption></figure>

***

#### Existing Disk Encryption Key Set Configuration

* Disk Encryption Set configuration
  * Disk Encryption Sets in **Azure Portal** > **Settings** > **Key**

    * Current key: the key in the Key Vault shared with Tessell
    * Auto key rotation: disabled
    * User-assigned identity: not set
    * Multi-tenant application: not set

    <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2FiPTVAJqtCrG6wdOknmIm%2Funknown.png?alt=media&#x26;token=915147d6-aefb-4f2f-b114-bb1c234f5741" alt=""><figcaption></figcaption></figure>

The Tessell Subscription Onboarding ARM Template configures the required Key Vault access policy for you.
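The requirements in the three sections above (storage account, key vault and key, disk encryption set) can be checked against the JSON that `az storage account show`, `az keyvault show`, `az keyvault key show` and `az disk-encryption-set show` print instead of clicking through the portal. The following is an added example, not Tessell's code or part of the onboarding template; it assumes those CLI output shapes (in particular that the key's `n` field is the base64url JWK modulus) and runs on constructed sample resources with placeholder IDs and a placeholder modulus.

```python
# Added example, not Tessell's code: check an existing storage account, key
# vault, key and disk encryption set against the configuration described in
# the sections above. Each function takes a dict shaped like the JSON printed
# by `az storage account show`, `az keyvault show`, `az keyvault key show` and
# `az disk-encryption-set show`; the samples at the bottom are constructed and
# the modulus is a placeholder, not a real key.
import base64

REQUIRED_KEY_OPS = {"encrypt", "decrypt", "sign", "verify", "wrapKey", "unwrapKey"}


def check_storage_account(sa, control_plane_ip, control_plane_vnet_id=None):
    findings = []
    if sa.get("allowSharedKeyAccess") is False:          # null means the default, Enabled
        findings.append("storage: 'Allow storage account key access' must be Enabled")
    if sa.get("accessTier") != "Hot":
        findings.append("storage: default blob access tier must be Hot")
    rules = sa.get("networkRuleSet") or {}
    if rules.get("defaultAction") == "Deny":             # 'selected virtual networks and IP addresses'
        ips = {r["ipAddressOrRange"] for r in rules.get("ipRules") or []}
        vnets = {r["virtualNetworkResourceId"].lower() for r in rules.get("virtualNetworkRules") or []}
        if control_plane_ip not in ips and (control_plane_vnet_id or "").lower() not in vnets:
            findings.append("storage: firewall must allow the Tessell control plane IP or VNet")
    if str((sa.get("tags") or {}).get("ALLOW_IMPORT_TO_TESSELL", "")).lower() != "true":
        findings.append("storage: tag ALLOW_IMPORT_TO_TESSELL=true is missing")
    return findings


def check_key_vault(kv, key, control_plane_ip):
    findings = []
    props = kv["properties"]
    if props.get("enableRbacAuthorization"):
        findings.append("keyvault: permission model must be 'Vault access policy', not RBAC")
    if not props.get("enabledForDiskEncryption"):
        findings.append("keyvault: 'Azure Disk Encryption for volume encryption' must be enabled")
    if not props.get("enabledForTemplateDeployment"):
        findings.append("keyvault: 'Azure Resource Manager for template deployment' must be enabled")
    acls = props.get("networkAcls") or {}
    if acls.get("defaultAction") == "Deny":
        ips = {r["value"].split("/")[0] for r in acls.get("ipRules") or []}
        if control_plane_ip not in ips:
            findings.append("keyvault: firewall must allow the Tessell control plane IP")
    jwk = key["key"]
    if jwk.get("kty") != "RSA":
        findings.append("key: key type must be RSA")
    else:
        # 'n' is the base64url modulus (JWK form); its bit length is the key size.
        modulus = base64.urlsafe_b64decode(jwk["n"] + "=" * (-len(jwk["n"]) % 4))
        if int.from_bytes(modulus, "big").bit_length() != 2048:
            findings.append("key: RSA key size must be 2048")
    missing = REQUIRED_KEY_OPS - set(jwk.get("keyOps") or [])
    if missing:
        findings.append(f"key: permitted operations missing {sorted(missing)}")
    return findings


def check_disk_encryption_set(des, key_vault_id, key_id):
    findings = []
    active = des.get("activeKey") or {}
    if (active.get("sourceVault", {}).get("id", "").lower() != key_vault_id.lower()
            or active.get("keyUrl", "").lower() != key_id.lower()):
        findings.append("des: current key must be the key in the key vault shared with Tessell")
    if des.get("rotationToLatestKeyVersionEnabled"):
        findings.append("des: auto key rotation must be disabled")
    if (des.get("identity") or {}).get("type") != "SystemAssigned":
        findings.append("des: a user-assigned identity must not be set")
    if des.get("federatedClientId"):
        findings.append("des: multi-tenant application (federatedClientId) must not be set")
    return findings


def check_all(sa, kv, key, des, control_plane_ip, control_plane_vnet_id=None):
    return (check_storage_account(sa, control_plane_ip, control_plane_vnet_id)
            + check_key_vault(kv, key, control_plane_ip)
            + check_disk_encryption_set(des, kv["id"], key["key"]["kid"]))


# Constructed samples (placeholder IDs; a TEST-NET address stands in for the control plane IP).
KV_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
         "tessell-rg/providers/Microsoft.KeyVault/vaults/tessell-kv")
KEY_ID = "https://tessell-kv.vault.azure.net/keys/tessell-des-key/0123456789abcdef0123456789abcdef"
CP_IP = "203.0.113.10"
FAKE_MODULUS = base64.urlsafe_b64encode(b"\x80" + b"\x00" * 255).rstrip(b"=").decode()  # 2048-bit placeholder
STORAGE = {"allowSharedKeyAccess": None, "accessTier": "Hot",
           "networkRuleSet": {"defaultAction": "Deny", "ipRules": [{"ipAddressOrRange": CP_IP}],
                              "virtualNetworkRules": []},
           "tags": {"ALLOW_IMPORT_TO_TESSELL": "true"}}
KEY_VAULT = {"id": KV_ID, "properties": {"enableRbacAuthorization": False, "enabledForDiskEncryption": True,
             "enabledForTemplateDeployment": True, "networkAcls": {"defaultAction": "Allow", "ipRules": []}}}
KEY = {"key": {"kty": "RSA", "kid": KEY_ID, "n": FAKE_MODULUS, "keyOps": sorted(REQUIRED_KEY_OPS)}}
DES = {"activeKey": {"keyUrl": KEY_ID, "sourceVault": {"id": KV_ID}},
       "rotationToLatestKeyVersionEnabled": False, "identity": {"type": "SystemAssigned"},
       "federatedClientId": None}

if __name__ == "__main__":
    print(check_all(STORAGE, KEY_VAULT, KEY, DES, CP_IP) or "all checks passed")
```

To check real resources, load the output of `az storage account show --ids <resource-id> -o json` and the matching `az keyvault show`, `az keyvault key show` and `az disk-encryption-set show --ids <resource-id> -o json` calls in place of the samples; treat any non-empty findings list as something to fix before launching the onboarding template.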

***

#### How to get Key Vault resource ID

1. Navigate to **Azure Portal** > **Key Vaults**.

   <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2F2Rnc4qfVGpFEhESOCCVl%2Funknown.png?alt=media&#x26;token=2f8bba1e-06ef-48a4-ab2b-43ab0af5e6c7" alt=""><figcaption></figcaption></figure>
2. Select a key vault from the list, go to **Settings** > **Properties** to view the Resource ID.

<figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2FLtv3ooGE3FBUMYqQdmoH%2Funknown.png?alt=media&#x26;token=f6c3c228-b281-4770-a86c-10d462e9d3c1" alt=""><figcaption></figcaption></figure>

***

#### How to get Disk Encryption Key Set resource ID

1. Navigate to the **Azure Portal** > **Disk Encryption Sets**.

   <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2FP2HvUa9Y3jby8ruYr0It%2Funknown.png?alt=media&#x26;token=b26fc182-3edd-4b64-ac22-f68a60decb3e" alt=""><figcaption></figcaption></figure>
2. Select a disk encryption set from the list, go to **Settings** > **Properties** to view the Resource ID.

   <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2FXua5ukinZdaEUwPK8x7b%2Funknown.png?alt=media&#x26;token=f0c7fc8f-b8b7-48c0-a3e5-1b01a75c7953" alt=""><figcaption></figcaption></figure>

***

#### Address block requirement for private CP-DP

Number of IPs required in the subnet:

* 1 IP for the Tessell Control Plane Private Endpoint
* 14 IPs for the Azure Monitor Private Endpoint (optional)
* 2 IPs for the Storage Account Endpoint (optional)
* 1 IP for the Key Vault Endpoint
* 1 IP for every DB VM, including observer nodes

Azure additionally reserves five addresses (the first four and the last) in every subnet.

If all endpoints are created in the database subnet, use an address block of /27 or larger.\
If the endpoints are created in another subnet, the database subnet address block can be as small as /29.

***

#### Address block requirement for non-private CP-DP

Number of IPs required in the subnet:

* 1 IP for the NAT Gateway
* 1 IP for every DB VM, including observer nodes
* If a public subnet is enabled, 1 additional IP is required for every DB VM in the public subnet

An address block of /28 or larger is sufficient.\
Use /29 only if a single-instance database is all that will ever be provisioned in the subnet.
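The two sizing rules above follow from the per-item counts once Azure's five reserved addresses per subnet are included. The following is an added example, not Tessell's code: it turns those counts into the smallest prefix length for both connectivity modes and checks whether a block assigned by your Landing Zone is large enough. The CIDRs used are placeholders.

```python
# Added example, not Tessell's code: turn the IP counts listed in the two
# sections above into a subnet size, accounting for the five addresses Azure
# reserves in every subnet (the first four and the last) and Azure's /29 minimum.
import ipaddress
import math

AZURE_RESERVED_PER_SUBNET = 5
AZURE_SMALLEST_SUBNET = 29


def ips_private_cp_dp(db_vms, endpoints_in_db_subnet=True, azure_monitor=False, storage_endpoint=False):
    """IPs needed in the database subnet for private CP-DP connectivity."""
    ips = db_vms                      # one per DB VM, observer nodes included
    if endpoints_in_db_subnet:
        ips += 1                      # Tessell Control Plane private endpoint
        ips += 1                      # Key Vault endpoint
        ips += 14 if azure_monitor else 0
        ips += 2 if storage_endpoint else 0
    return ips


def ips_non_private_cp_dp(db_vms, public_subnet=False):
    """IPs needed for non-private CP-DP, as (database subnet, public subnet)."""
    return 1 + db_vms, (db_vms if public_subnet else 0)   # NAT gateway + one per VM


def smallest_prefix(required_ips):
    """Prefix length of the smallest subnet that leaves required_ips usable addresses."""
    total = required_ips + AZURE_RESERVED_PER_SUBNET
    prefix = 32 - math.ceil(math.log2(total))
    return min(prefix, AZURE_SMALLEST_SUBNET)


def usable_addresses(cidr):
    """Usable addresses in a Landing Zone block such as '10.20.1.0/27' (placeholder)."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses - AZURE_RESERVED_PER_SUBNET


def fits(cidr, required_ips):
    return usable_addresses(cidr) >= required_ips


if __name__ == "__main__":
    # Private CP-DP with every endpoint in the database subnet and nine DB VMs: 27 IPs, needs a /27.
    need = ips_private_cp_dp(9, azure_monitor=True, storage_endpoint=True)
    print(need, "/%d" % smallest_prefix(need), fits("10.20.1.0/27", need))
    # Non-private CP-DP, single-instance database: 2 IPs, a /29 is enough.
    db_ips, _ = ips_non_private_cp_dp(1)
    print(db_ips, "/%d" % smallest_prefix(db_ips))
```

Nine DB VMs with all four endpoints in the subnet come to 27 IPs, which with the reserved addresses fills a /27 exactly; a tenth VM pushes the requirement to a /26. The function returns the arithmetic minimum, so keep the page's recommendation of /28 for anything beyond a single-instance database to leave room for growth.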

***

#### How to find Azure Monitor Private Link Scope resource ID

1. Navigate to **Azure Portal** > **Azure Monitor Private Link Scopes**, and select a private link scope.

   <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2FkJUchpZj4N0EQuGH19Bo%2Funknown.png?alt=media&#x26;token=3a253eca-6108-419f-aa55-2d964a9c2d6c" alt=""><figcaption></figcaption></figure>
2. Go to **Configure** > **Properties** to view the Resource ID.

   <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2FhH6ASqOb39eIkRqXFrpv%2Funknown.png?alt=media&#x26;token=e220ae8b-c028-472f-8f0f-e292b27f3a2f" alt=""><figcaption></figcaption></figure>

***

#### How to find Azure Monitor Private Endpoint resource ID

1. Navigate to **Azure Portal** > **Azure Monitor Private Link Scopes**, and select a private link scope.

   <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2Fv28mayX1ehndy78Nor0W%2Funknown.png?alt=media&#x26;token=ca40b544-b978-4f91-8d96-ca787fa05848" alt=""><figcaption></figcaption></figure>
2. Go to **Configure** > **Private Endpoint Connections**, select a private endpoint from the list.

   <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2FT8fAKvT4hChZZZLbZWk0%2Funknown.png?alt=media&#x26;token=d1efd544-59fd-4063-a9e7-1f0ba5b86a11" alt=""><figcaption></figcaption></figure>
3. Go to **Settings** > **Properties** to view the Resource ID.

   <figure><img src="https://3421475909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXNKiIctERJykfezXfUU2%2Fuploads%2Fewl6F0kaJpxkESrf6mee%2Funknown.png?alt=media&#x26;token=fad30999-cacf-4878-8aab-a7a7b2cdc26a" alt=""><figcaption></figcaption></figure>

***

#### Private endpoints in another resource group (not recommended)

Grant the following permissions on that resource group to the Tessell service principal, as a custom role whose assignable scope is that resource group only:

* For the Tessell Control Plane Endpoint, this is **mandatory**.

```json
{
    "permissions": [
        {
            "actions": [
                "Microsoft.Network/privateEndpoints/read",
                "Microsoft.Network/networkInterfaces/read"
            ],
            "notActions": [],
            "dataActions": [],
            "notDataActions": []
        }
    ]
}
```

* For the Azure Monitor Private Endpoint:

```json
{
    "permissions": [
        {
            "actions": [
                "Microsoft.Network/privateEndpoints/read",
                "Microsoft.Network/networkInterfaces/read",
                "Microsoft.Insights/PrivateLinkScopes/ScopedResources/Read",
                "Microsoft.Insights/PrivateLinkScopes/ScopedResources/Write"
            ],
            "notActions": [],
            "dataActions": [],
            "notDataActions": []
        }
    ]
}
```

**Microsoft.Insights/PrivateLinkScopes/ScopedResources/Write**\
This permission lets Tessell add data collection endpoints to the Azure Monitor Private Link Scope. Data collection endpoints are created for every region.

If this permission is not granted, it is the customer's responsibility to add these endpoints to the Private Link Scope after every region enablement and subscription onboarding.
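The two permission fragments above are only the `permissions` part of a role; Azure needs a complete role definition with a name and assignable scopes before it can be assigned. The following is an added example, not Tessell's code: it wraps those fragments in the flat JSON format that `az role definition create --role-definition @role.json` accepts, refuses to emit a role with wildcard actions or a scope wider than the private-endpoint resource group, and builds the matching `az role assignment create` invocation for the Tessell service principal. Subscription ID, resource group name, role name and object ID are placeholders.

```python
# Added example, not Tessell's code: wrap the permission fragments above in a
# complete custom role definition in the format `az role definition create
# --role-definition @file.json` accepts, scoped to the resource group that
# holds the private endpoints, and reject anything broader. The subscription,
# resource group and service-principal object ID are placeholders.
import json

CONTROL_PLANE_ENDPOINT_ACTIONS = [
    "Microsoft.Network/privateEndpoints/read",
    "Microsoft.Network/networkInterfaces/read",
]
AZURE_MONITOR_ENDPOINT_ACTIONS = CONTROL_PLANE_ENDPOINT_ACTIONS + [
    "Microsoft.Insights/PrivateLinkScopes/ScopedResources/Read",
    "Microsoft.Insights/PrivateLinkScopes/ScopedResources/Write",
]


def resource_group_scope(subscription_id, resource_group):
    return f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"


def least_privilege_violations(role):
    """Reasons the role is wider than this page needs; an empty list means acceptable."""
    problems = []
    for action in role["Actions"]:
        if "*" in action:
            problems.append(f"wildcard action {action!r}")
    for scope in role["AssignableScopes"]:
        if "/resourceGroups/" not in scope:
            problems.append(f"scope {scope!r} is wider than a resource group")
    if role["DataActions"]:
        problems.append("data-plane actions are not needed for private endpoints")
    return problems


def build_role(name, actions, scopes, description=""):
    role = {
        "Name": name,
        "IsCustom": True,
        "Description": description,
        "Actions": list(actions),
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": list(scopes),
    }
    problems = least_privilege_violations(role)
    if problems:
        raise ValueError("; ".join(problems))
    return role


def role_definition_json(role):
    return json.dumps(role, indent=2)


def assignment_command(role, principal_object_id, scope):
    """argv for `az role assignment create`, bound to the service principal and the resource group."""
    return ["az", "role", "assignment", "create",
            "--assignee-object-id", principal_object_id,
            "--assignee-principal-type", "ServicePrincipal",
            "--role", role["Name"], "--scope", scope]


# Placeholders, not real identifiers.
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"
ENDPOINT_RG = "private-endpoints-rg"
TESSELL_SP_OBJECT_ID = "11111111-1111-1111-1111-111111111111"  # Enterprise Application Object ID

if __name__ == "__main__":
    scope = resource_group_scope(SUBSCRIPTION_ID, ENDPOINT_RG)
    role = build_role("Tessell Private Endpoint Reader", CONTROL_PLANE_ENDPOINT_ACTIONS, [scope],
                      "Read private endpoints and their NICs for Tessell")
    print(role_definition_json(role))
    print(" ".join(assignment_command(role, TESSELL_SP_OBJECT_ID, scope)))
```

Save the printed JSON to a file, create the role with `az role definition create --role-definition @role.json`, and run the printed assignment command with the Object ID found under "How to find the object ID of the Tessell App". Keeping `AssignableScopes` on the private-endpoint resource group, rather than the subscription, is what confines this extra grant to the one resource group the endpoints live in.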
