Chapter 2. Installing Red Hat Ansible Automation Platform on Microsoft Azure

2.1. Prerequisites

Azure requirements

  • A subscription for Microsoft Azure.
  • Contributor or Administrator access to that Azure subscription.
  • Access to the Azure CLI.

Ansible Automation Platform requirements

  • An account on the Red Hat Red Hat Customer Portal (access.redhat.com).
  • A specific subscription entitlement for Red Hat Ansible Automation Platform.

2.1.1. Azure resource quotas and infrastructure limits

Microsoft imposes resource limits within each Azure region. The CPU limit is the most likely to impact Red Hat Ansible Automation Platform on Microsoft Azure.

Before you install Ansible Automation Platform on Microsoft Azure, ensure that you have capacity to deploy the managed application into your desired region. Refer to Azure infrastructure usage for infrastructure requirements.

2.1.1.1. Regional vCPU limits

The Azure resources used during the deployment of the managed application temporarily exceed the resource requirements in Azure infrastructure usage. The Total Regional vCPUs quota is temporarily consumed when deploying the managed application.

Every Azure region has a separate Total Regional vCPUs quota. To prevent installation failure, ensure that you have at least 80 DS2_V3 vCPUs available in the Azure region where you want to deploy the managed application.

The following steps describe how to view the resource quotas for your subscription the Azure console:

  1. In the Azure console, search for Quotas and open the My Quotas page.
  2. Select the region where you wish to deploy the managed application to view your allocation and usage metrics for that region. Ensure that you have selected a single region. Viewing all regions at once will not show the limitations of a single Azure region.

2.1.1.2. Regional StandardCore limits

The StandardCore limit is a compute metric for the resources that are temporarily consumed when deploying the managed application.

It is possible that the Ansible Automation Platform on Microsoft Azure can deploy without hitting the StandardCore limit. When a deployment fails because the consumed resources hit the StandardCore limit, the error message includes container group quota 'StandardCores' exceeded:

code: DeploymentFailed
message:
  At least one resource deployment operation failed. Please list deployment operations for details.
  Please see https://aka.ms/DeployOperations for usage details.
details:
  - code: DeploymentScriptContainerGroupInvalidSettings
    message:
      Resource type 'Microsoft.ContainerInstance/containerGroups'
      container group quota 'StandardCores' exceeded in region 'eastus'.
      Limit: '10', Usage: '10' Requested: '1'.

Requesting StandardCore limit increase

The StandardCore metric is not displayed in the My Quotas page in the Azure console. To request the value of your regional limit, contact Microsoft directly.

If your deployments fail because the consumed resources reach this limit, you must submit a resource increase request for StandardCore to Microsoft. Only submit a quota increase request if you encounter a deployment failure due to this issue.

Use the following information to respond to questions from Microsoft support:

Will the container groups be run in Linux or Windows?
Linux
What will the core and memory be in your Container Group instance?
Red Hat recommends 20 cores, 16 GB
When will you create all the Container Group Instances?
During managed application deployment of Red Hat Ansible Automation Platform on Microsoft Azure
How frequent will you create/delete the container groups?
Only during managed application deployment of Red Hat Ansible Automation Platform on Microsoft Azure

2.2. Creating a service principal

To enable the Ansible Automation Platform application to access and manage Azure resources, you must provide authorization credentials after deployment. The Microsoft Azure collection supports service principal authentication.

To create a service principal, you must have administrator privileges with tenancy-wide permissions on your Azure tenant. Your Ansible Automation Platform on Microsoft Azure deployment will be provisioned in the same Subscription ID as the service principal created in this step.

  1. Navigate to the Azure portal and click the Cloud Shell icon to open a bash Cloud Shell in your browser.
  2. Set the Azure CLI to use the subscription that you intend to use for automating Azure services. Run the following command from the shell:

    az account set --subscription <your_subscription_id>
  3. Run the following command using the Azure CLI to create a privileged service principal in Azure AD:

    az ad sp create-for-rbac --name ansible --role Contributor

    The output displays the appID and tenant keys for the service principal:

    {
      "appId": "xxxxxxx-xxx-xxxx",
      "displayName": "ansible",
      "name": "xxxxxxx-xxx-xxxx",
      "password": "xxxxxxx-xxx-xxxx",
      "tenant": "xxxxxxx-xxx-xxxx"
    }
  4. Store the service principal details securely, as they are displayed only when you create the secret. You will need them when you deploy Automation controller.

2.2.1. Maintaining your service principals

Service principal credentials have a limited lifetime that is set in your Azure AD configuration. Track the lifespan of the service principal if you intend to automate against Azure for an extended period of time. You can create a new one when needed.

To view records of updated or deleted service principles, run the following Azure CLI command:

az ad sp list -o table | grep ansible

This command does not display the secrets for your service principals. Delete the service principal and create a new one if the secret is lost.

When you create a new service principal to replace an expired or deleted one, you must update the credential that uses the service principal that you are replacing. If the credential is not updated, automations that use that credential will fail.

2.3. Deploying Ansible Automation Platform from Azure Marketplace

2.3.1. Locating Ansible Automation Platform in Azure Marketplace

  1. In a browser, navigate to the Azure Marketplace.
  2. Click Private Products from the menu on the left of the screen.
  3. Search for Red Hat Ansible Automation Platform.
  4. Click the card that is returned in the search. Be sure to select the official offering from Red Hat.
  5. Click Get it Now.
  6. Click Continue.
  7. The Overview tab contains important information about activating your subscription for Ansible Automation Platform.

    1. Read the entire Before you begin section.
    2. Follow the Click here link to enable your subscription. You cannot use Ansible Automation Platform without a valid subscription.
  8. Return to the Overview tab and click Create to initiate the deployment process.

2.3.2. Provisioning Red Hat Ansible Automation Platform on Microsoft Azure

When you initiate the deployment of the Red Hat Ansible Automation Platform managed app from Azure marketplace, a form is displayed in the Create Red Hat Ansible Automation Platform on Microsoft Azure window.

Before you fill in the form, decide whether you want to create a public or private deployment of Ansible Automation Platform on Microsoft Azure:

  • Public deployments allow ingress to the Ansible Automation Platform on Microsoft Azure user interfaces over the public internet. No configuration is required to access the application URLs.
  • Private deployments are created in an isolated Azure VNet that blocks access from the public internet. To access Ansible Automation Platform on Microsoft Azure user interfaces, you must configure network peering and routing.

You create the network configuration for the Ansible Automation Platform on Microsoft Azure VNet when you initiate the deployment. Refer to your network configuration plan before deploying the managed application. For information about planning your network configuration, see Network.

Complete the form to provision Red Hat Ansible Automation Platform infrastructure and resources into your Azure tenant.

  1. Click the Basics tab and enter values for your deployment in the following fields in the form:

    • Subscription: Select Ansible on Clouds.
    • Resource Group: Create or select a resource group where you want to deploy the managed application.
    • Region: The Azure region where the application will be deployed.
    • Application Name: A unique name for the managed application.
    • Administrator Password: Create an adminstrator password for your deployment.

      The Administrator Password must contain at least 8 characters, and must include uppercase letters, lowercase letters, and numbers.

    • Confirm Administrator Password: Confirm the Administrator Password.
    • Access: Choose whether your deployment will be public or private.
    • Managed Resource Group: A resource group for the managed application infrastructure.

      Keep this resource group isolated from other resource groups, including the Resource Group where you will deploy the managed application.

  2. Store the information that you entered in the form in a secure place. You will need to provide the Administrator password to access automation controller and private automation hub.
  3. Click Next
  4. Follow the steps in Red Hat Ansible Automation Platform on Microsoft Azure VNet Preparation to configure your network configuration.
  5. Click Next.
  6. Click the Business continuity tab.
  7. From the Disaster Recovery list, select an option to enable or disable disaster recovery.
  8. Select the Deployment tab.
  9. Note the following requirements in the description:

    • You must have a Red Hat account.
    • To use Ansible Automation Platform, you must have a valid subscription linked to your Red Hat account.
    • You must use the Deployment Driver during deployment.
  10. Select the checkboxes to indicate that you understand these requirements.
  11. Click Review + Create.
  12. If the information you entered in the form is valid, the window displays Validation Passed.
  13. Select I agree to accept the Co-Admin Access Permissions terms and conditions.
  14. Click Create to begin the provisioning process for the application.

The application will begin provisioning.

You can use the deployment engine to view the progress of your deployment a few minutes after the Azure console displays "Your deployment is complete". See Monitoring deployments on the Ansible Automation Platform Deployment Engine for more information.

It may take 30 minutes or longer for the infrastructure and software to fully provision.

Once provisioning is complete, you can access and login to your new Ansible Automation Platform instance and launch automation controller and automation hub.

2.3.3. Monitoring deployments on the Ansible Automation Platform Deployment Engine

The deployment engine displays information about your Ansible Automation Platform on Microsoft Azure deployment. You can monitor the progress of the deployment, restart failed deployment steps, and cancel the deployment.

When you begin deploying Ansible Automation Platform on Microsoft Azure, the Azure interface displays the Overview page for the deployment. The Overview page displays the deployment status.

  1. When the status in the Overview page shows "Your deployment is complete", navigate to the deployed managed application.
  2. Click Parameters and Outputs in the Settings menu for the deployed managed application.

    Approximately 10 minutes into the deployment process, the Outputs section of the Parameters and Outputs page displays a link to the deploymentEngineUrl.

  3. Copy the link and paste it in another browser tab to open the login page for the deployment engine.
  4. Login to the deployment using the following credentials:

    • Username: admin
    • Password: Use the Administrator Password that you chose when configuring your deployment.
Ansible Automation Platform Deployment Engine interface

The Ansible Automation Platform Deployment Engine displays a list of the steps in the deployment process. A progress bar shows how far along the deployment is. Icons indicate the steps that have been completed, the steps that are in progress, and steps that have failed.

To view extended information about a step that failed, click on the failed icon for that step.

To restart a failed step, click Restart Step.

2.3.4. Canceling Red Hat Ansible Automation Platform on Microsoft Azure deployments

You can gracefully cancel a Red Hat Ansible Automation Platform on Microsoft Azure deployment.

Procedure

  1. Login to the deployment engine to display the progress of the deployment steps in the Ansible Automation Platform Deployment Engine page. Refer to Monitoring deployments on the Ansible Automation Platform Deployment Engine for information on accessing and logging into the Ansible Automation Platform Deployment Engine page.
  2. To cancel the deployment, click Cancel Deployment and confirm.

    This action cancels all the remaining steps in the deployment, including the currently running step. It also cancels pending steps in the deployment.

    The status for the steps that have not been executed updates to Canceled. To view the deployment processes on Azure, navigate to the Overview page for the managed resource group in which you deployed Ansible Automation Platform and select Deployments.

    Important

    Canceling the deployment does not delete the managed application from your Azure subscription. To avoid incurring costs for the managed application and other resources that are still running, you must delete them.

  3. To delete Azure resources, navigate to the resource group for your deployment in the Azure portal. Select the resources you want to delete and click Delete. For more information about deleting resources, refer to Manage Azure resources by using the Azure portal in the Microsoft Azure documentation.

2.4. Accessing Red Hat Ansible Automation Platform on Microsoft Azure

When you initiate the deployment of the Red Hat Ansible Automation Platform managed app from Azure marketplace, a form is displayed in the Create Red Hat Ansible Automation Platform on Microsoft Azure window. Complete the form to provision Ansible Automation Platform infrastructure and resources into your Azure tenant.

  1. In a web browser, navigate to Managed Applications in the Azure console.
  2. Select the instance of Red Hat Ansible Automation Platform on Microsoft Azure that you deployed.
  3. Select Parameters and Outputs in the Settings section in the left navigation menu.

    • The Parameters and Outputs page contains a link to the Ansible Automation Platform Landing page. The Ansible Automation Platform Landing page is available after deployment completes. From the Ansible Automation Platform Landing page, you can access your automation controller and automation hub instance and view announcements and notifications. You do not have to login to view the Ansible Automation Platform Landing page.
    • The Parameters and Outputs page also displays direct links to the automation controller and automation hub.
  4. Save the URL links for the Ansible Automation Platform Landing page, automation controller, and automation hub. The names for the links are automationControllerUrl, automationHubUrl, and landingPageUrl.
  5. Open the Ansible Automation Platform Landing page.

2.4.1. Ansible Automation Platform Landing page

The Ansible Automation Platform Landing page is a convenient page for deployments of Ansible Automation Platform on Microsoft Azure. You can open the following views from the navigation pane:

Overview

Links to automation controller, automation hub, and Automation Analytics.

Ansible Automation Platform Landing page overview
Announcements

You can view notifications about your subscription and global notifications about maintenance, upgrades, and resource downtime, for both public and private deployments of Ansible Automation Platform on Microsoft Azure.

To view announcements, click the Bell bell icon.

Automation Controller

Displays links to the automation controller documentation.

To open the automation controller from this view, click Launch Automation Controller.

Automation Hub

Displays links to the automation hub documentation.

To open the automation hub from this view, click Launch Automation Hub.

Automation Analytics
Links to Automation Analytics documentation
Documentation
Links to Red Hat Ansible Automation Platform on Microsoft Azure documentation.

2.4.2. Logging in to automation controller

  • In a browser, navigate to the automation controller URL, and then log in using the following credentials:
  • Username: admin
  • Password: Use the Administrator password you provided when you deployed the Ansible Automation Platform application.

The first time you login to Ansible Automation Platform on Microsoft Azure, you must configure a subscription and agree to the terms and conditions.

2.4.3. License association

Red Hat provided a specific subscription entitlement manifest when you subscribed to Red Hat Ansible Automation Platform on Microsoft Azure.

When asked to submit information about your license, select your license manifest file that you obtained from access.redhat.com.

2.4.4. Azure Active Directory (Azure AD) SSO configuration

Follow the procedures below to configure SSO with Azure Active Directory (Azure AD). If your organization does not use Azure AD for application authorization, you can create users in the user management system in Ansible Automation Platform.

Configuring the base URL for the Ansible Automation Platform deployment

  1. In a browser, navigate to the Automation controller URL and log in using the following credentials:

    • Username: admin
    • Password: Use the Administrator password you provided when you deployed the Ansible Automation Platform application.
  2. In the Automation controller console, click Settings in the menu options.
  3. Click Miscellaneous System settings under the System settings.
  4. Click Edit. Enter the Automation controller URL in the Base URl of the service field.
  5. Click Save.

Configuring authentication for Ansible Automation Platform

To set up enterprise authentication for Microsoft Azure Active Directory (Azure AD), you must obtain an OAuth2 key and secret by registering your Ansible Automation Platform deployment in Azure.

To register the automation controller instance in Azure, you must supply the Azure AD OAuth2 Callback URL from the automation controller settings.

Fetching the Azure AD OAuth2 Callback URL

  1. In a web browser, open the automation controller console.
  2. Click Settings in the menu to open the main settings page.
  3. Click Azure AD settings in the Authentication category to open the Details page.
  4. Copy the value for Azure AD OAuth2 Callback URL. You will need this value when you register your deployed application in Azure AD.

Creating a registered application in Azure AD

  1. In a web browser, open the Azure portal.
  2. Ensure that you are using the tenant where you deployed Ansible Automation Platform.
  3. Type Azure Active Directory in the search bar.
  4. Select Azure Active Directory from the search results.
  5. Under Manage in the menu options, click App registrations.
  6. In the App registrations page, click + New registration.
  7. Configure the new registration as follows:

    • In the Name field, enter the same name that you used for the deployed application.
    • Select the default value for Supported account types.
    • Select Web for Redirect URI (optional).
    • In the Redirect URI (optional) field, enter the Azure AD OAuth2 Callback URL value that you fetched from automation controller.
  8. Click Register to create the registration.

When registration is complete, the registration page for the Automation Controller application is displayed.

Generating secrets for communication

  1. In the Automation controller application registration page on Azure, copy and save the value of Application (client) ID.

    You will use this value for the Azure AD OAuth2 Key in the Ansible Automation Platform settings.

  2. Under Manage, click Certificates & secrets.
  3. Click Client secrets and then + New client secret.
  4. Provide a description for the new secret.

    It is not possible to automatically renew a certificate or identify when it is about to expire.

    It is useful to include the date in the description, for example: AAP Client Secret <Today’s Date in YYYY-MM-DD format>.

  5. Provide an expiration date for the new secret.

    The maximum lifetime for the certificate is 2 years. Unless you have specific security needs that prevent the creation of a long term certificate, select an expiration date of 24 months.

  6. Save the secret Value to a location on your local machine. Once you navigate away from this page it will be hidden and no longer retrievable.

Adding secrets to Ansible Automation Platform settings

Add the key (Application (client) ID) and value (Value) of the secret that you generated in Azure to your Ansible Automation Platform instance.

  1. Open the automation controller console in a web browser.
  2. Click SettingsAzure AD settings.
  3. Click Edit.
  4. Enter the information for the secret that you generated in Azure AD:
  5. In Azure AD OAuth2 Key, paste the Application (client) ID.
  6. In Azure AD OAuth2 Secret, paste the secret Value.
  7. Click Save.

Adding Azure Credentials to Automation controller

  1. Open the automation controller in a web browser.
  2. Under Resources, click Credentials.
  3. Click Add to open the Create New Credentials page.
  4. Enter a name for the new credential and select Azure Resource Manager for the credential type.
  5. Use the Service Principal details to fill out the values of the form:

    • Name: Choose a descriptive name for the credential, for example *Azure Infrastructure*.
    • Subscription ID: Enter the subscription id where your resources created in Azure should be associated. This is unique to your tenant. Your organization may have multiple subscription ids; consult your Azure administrator regarding the subscription id that you should use.
    • Client ID: Enter the appId value from the Service Principal creation.
    • Client Secret: Enter the password from the Service Principal creation.
    • Tenant ID: Enter the tenant from the Service Principal creation.
  6. Click Save to save the credential.