Chapter 2. Installing Red Hat Ansible Automation Platform on Microsoft Azure
2.1. Prerequisites
Azure requirements
- A subscription for Microsoft Azure.
- Contributor or Administrator access to that Azure subscription.
- Access to the Azure CLI.
Ansible Automation Platform requirements
- An account on the Red Hat Red Hat Customer Portal (access.redhat.com).
- A specific subscription entitlement for Red Hat Ansible Automation Platform.
2.1.1. Azure resource quotas and infrastructure limits
Microsoft imposes resource limits within each Azure region. The CPU limit is the most likely to impact Red Hat Ansible Automation Platform on Microsoft Azure.
Before you install Ansible Automation Platform on Microsoft Azure, ensure that you have capacity to deploy the managed application into your desired region. Refer to Azure infrastructure usage for infrastructure requirements.
2.1.1.1. Regional vCPU limits
The Azure resources used during the deployment of the managed application temporarily exceed the resource requirements in Azure infrastructure usage. The Total Regional vCPUs quota is temporarily consumed when deploying the managed application.
Every Azure region has a separate Total Regional vCPUs quota. To prevent installation failure, ensure that you have at least 80 DS2_V3 vCPUs available in the Azure region where you want to deploy the managed application.
The following steps describe how to view the resource quotas for your subscription the Azure console:
- In the Azure console, search for Quotas and open the My Quotas page.
- Select the region where you wish to deploy the managed application to view your allocation and usage metrics for that region. Ensure that you have selected a single region. Viewing all regions at once will not show the limitations of a single Azure region.
2.1.1.2. Regional StandardCore limits
The StandardCore limit is a compute metric for the resources that are temporarily consumed when deploying the managed application.
It is possible that the Ansible Automation Platform on Microsoft Azure can deploy without hitting the StandardCore limit. When a deployment fails because the consumed resources hit the StandardCore limit, the error message includes container group quota 'StandardCores' exceeded:
code: DeploymentFailed
message:
At least one resource deployment operation failed. Please list deployment operations for details.
Please see https://aka.ms/DeployOperations for usage details.
details:
- code: DeploymentScriptContainerGroupInvalidSettings
message:
Resource type 'Microsoft.ContainerInstance/containerGroups'
container group quota 'StandardCores' exceeded in region 'eastus'.
Limit: '10', Usage: '10' Requested: '1'.Requesting StandardCore limit increase
The StandardCore metric is not displayed in the My Quotas page in the Azure console. To request the value of your regional limit, contact Microsoft directly.
If your deployments fail because the consumed resources reach this limit, you must submit a resource increase request for StandardCore to Microsoft. Only submit a quota increase request if you encounter a deployment failure due to this issue.
Use the following information to respond to questions from Microsoft support:
- Will the container groups be run in Linux or Windows?
- Linux
- What will the core and memory be in your Container Group instance?
- Red Hat recommends 20 cores, 16 GB
- When will you create all the Container Group Instances?
- During managed application deployment of Red Hat Ansible Automation Platform on Microsoft Azure
- How frequent will you create/delete the container groups?
- Only during managed application deployment of Red Hat Ansible Automation Platform on Microsoft Azure
2.2. Creating a service principal
To enable the Ansible Automation Platform application to access and manage Azure resources, you must provide authorization credentials after deployment. The Microsoft Azure collection supports service principal authentication.
To create a service principal, you must have administrator privileges with tenancy-wide permissions on your Azure tenant. Your Ansible Automation Platform on Microsoft Azure deployment will be provisioned in the same Subscription ID as the service principal created in this step.
- Navigate to the Azure portal and click the Cloud Shell icon to open a bash Cloud Shell in your browser.
Set the Azure CLI to use the subscription that you intend to use for automating Azure services. Run the following command from the shell:
az account set --subscription <your_subscription_id>
Run the following command using the Azure CLI to create a privileged service principal in Azure AD:
az ad sp create-for-rbac --name ansible --role Contributor
The output displays the appID and tenant keys for the service principal:
{ "appId": "xxxxxxx-xxx-xxxx", "displayName": "ansible", "name": "xxxxxxx-xxx-xxxx", "password": "xxxxxxx-xxx-xxxx", "tenant": "xxxxxxx-xxx-xxxx" }- Store the service principal details securely, as they are displayed only when you create the secret. You will need them when you deploy Automation controller.
2.2.1. Maintaining your service principals
Service principal credentials have a limited lifetime that is set in your Azure AD configuration. Track the lifespan of the service principal if you intend to automate against Azure for an extended period of time. You can create a new one when needed.
To view records of updated or deleted service principles, run the following Azure CLI command:
az ad sp list -o table | grep ansible
This command does not display the secrets for your service principals. Delete the service principal and create a new one if the secret is lost.
When you create a new service principal to replace an expired or deleted one, you must update the credential that uses the service principal that you are replacing. If the credential is not updated, automations that use that credential will fail.
2.3. Deploying Ansible Automation Platform from Azure Marketplace
2.3.1. Locating Ansible Automation Platform in Azure Marketplace
- In a browser, navigate to the Azure Marketplace.
- From the navigation panel, select Private Products from the menu on the left of the screen.
- Search for Red Hat Ansible Automation Platform.
- Click the card that is returned in the search. Be sure to select the official offering from Red Hat.
- Click Get it Now, Continue, and then Create to initiate the deployment process.
2.3.2. Provisioning Red Hat Ansible Automation Platform on Microsoft Azure
When you initiate the deployment of the Red Hat Ansible Automation Platform managed app from Azure marketplace, a form is displayed in the Create Red Hat Ansible Automation Platform on Microsoft Azure window.
Before you fill in the form, decide whether you want to create a public or private deployment of Ansible Automation Platform on Microsoft Azure:
- Public deployments allow ingress to the Ansible Automation Platform on Microsoft Azure user interfaces over the public internet. No configuration is required to access the application URLs.
- Private deployments are created in an isolated Azure VNet that blocks access from the public internet. To access Ansible Automation Platform on Microsoft Azure user interfaces, you must configure network peering and routing.
You create the network configuration for the Ansible Automation Platform on Microsoft Azure VNet when you initiate the deployment. Refer to your network configuration plan before deploying the managed application. For information about planning your network configuration, see Networking configuration.
Complete the form to provision Red Hat Ansible Automation Platform infrastructure and resources into your Azure tenant.
Enter values for your deployment in the following fields in the form:
- Subscription: Select Ansible on Clouds.
- Resource Group: Create or select a resource group where you want to deploy the managed application.
- Region: The Azure region where the application will be deployed.
- Application Name: A unique name for the managed application.
Administrator Password: Create an adminstrator password for your deployment.
The Administrator Password must contain at least 8 characters, and must include uppercase letters, lowercase letters, and numbers.
- Confirm Administrator Password: Confirm the Administrator Password.
- Access: Choose whether your deployment will be public or private.
Managed Resource Group: A resource group for the managed application infrastructure.
Keep this resource group isolated from other resource groups, including the Resource Group where you will deploy the managed application.
- Store the information that you entered in the form in a secure place. You will need to provide the Administrator password to access automation controller and private automation hub.
- Click Next
- Follow the steps in Red Hat Ansible Automation Platform on Microsoft Azure VNet Preparation to configure your network configuration.
- Click Review + Create.
- If the information you entered in the form is valid, the window displays Validation Passed.
- Select I agree to accept the Co-Admin Access Permissions terms and conditions.
- Click Create to begin the provisioning process for the application.
The application will begin provisioning.
It may take 30 minutes or longer for the infrastructure and software to fully provision.
Once provisioning is complete, you can access and login to your new Ansible Automation Platform instance and launch automation controller and automation hub.
2.4. Accessing Red Hat Ansible Automation Platform on Microsoft Azure
When you initiate the deployment of the Red Hat Ansible Automation Platform managed app from Azure marketplace, a form is displayed in the Create Red Hat Ansible Automation Platform on Microsoft Azure window. Complete the form to provision Ansible Automation Platform infrastructure and resources into your Azure tenant.
- In a web browser, navigate to Managed Applications in the Azure console.
- Select the instance of Red Hat Ansible Automation Platform on Microsoft Azure that you deployed.
- Select Parameters and Outputs in the Settings section in the left navigation menu.
- Copy the URL links for automation controller and automation hub, and then save them. The names for the links are automationControllerUrl and automationHubUrl.
In a browser, navigate to the automation controller URL, and then log in using the following credentials:
-
Username:
admin - Password: Use the Administrator password you provided when you deployed the Ansible Automation Platform application.
-
Username:
The first time you login to Ansible Automation Platform on Microsoft Azure, you must configure a subscription and agree to the terms and conditions.
2.4.1. License association
Red Hat provided a specific subscription entitlement manifest when you subscribed to Red Hat Ansible Automation Platform on Microsoft Azure.
When asked to submit information about your license, select your license manifest file that you obtained from access.redhat.com.
2.4.2. Azure Active Directory (Azure AD) SSO configuration
Follow the procedures below to configure SSO with Azure Active Directory (Azure AD). If your organization does not use Azure AD for application authorization, you can create users in the user management system in Ansible Automation Platform.
Configuring the base URL for the Ansible Automation Platform deployment
In a browser, navigate to the Automation controller URL and log in using the following credentials:
-
Username:
admin - Password: Use the Administrator password you provided when you deployed the Ansible Automation Platform application.
-
Username:
- In the Automation controller console, click Settings.
- Click Miscellaneous System settings under the System settings.
- Click Edit. Enter the Automation controller URL in the Base URl of the service field.
- Click Save.
Configuring authentication for Ansible Automation Platform
To set up enterprise authentication for Microsoft Azure Active Directory (Azure AD), you must obtain an OAuth2 key and secret by registering your Ansible Automation Platform deployment in Azure.
To register the automation controller instance in Azure, you must supply the Azure AD OAuth2 Callback URL from the automation controller settings.
Fetching the Azure AD OAuth2 Callback URL
- In a web browser, open the automation controller console.
- Click Settings in the menu to open the main settings page.
- Click Azure AD settings in the Authentication category to open the Details page.
- Copy the value for Azure AD OAuth2 Callback URL. You will need this value when you register your deployed application in Azure AD.
Creating a registered application in Azure AD
- In a web browser, open the Azure portal.
- Ensure that you are using the tenant where you deployed Ansible Automation Platform.
-
Type
Azure Active Directoryin the search bar. - Select Azure Active Directory from the search results.
- From the menu options, select Manage → App registrations.
- In the App registrations page, click + New registration.
Configure the new registration as follows:
- In the Name field, enter the same name that you used for the deployed application.
- Select the default value for Supported account types.
- Select Web for Redirect URI (optional).
- In the Redirect URI (optional) field, enter the Azure AD OAuth2 Callback URL value that you fetched from automation controller.
- Click Register to create the registration.
When registration is complete, the registration page for the Automation Controller application is displayed.
Generating secrets for communication
In the Automation controller application registration page on Azure, copy and save the value of Application (client) ID.
You will use this value for the Azure AD OAuth2 Key in the Ansible Automation Platform settings.
- Select Manage → Certificates & secrets.
- Click Client secrets and then New client secret.
Provide a description for the new secret.
It is not possible to automatically renew a certificate or identify when it is about to expire.
It is useful to include the date in the description, for example: AAP Client Secret <Today’s Date in YYYY-MM-DD format>.
Provide an expiration date for the new secret.
The maximum lifetime for the certificate is 2 years. Unless you have specific security needs that prevent the creation of a long term certificate, select an expiration date of 24 months.
- Save the secret Value to a location on your local machine. Once you navigate away from this page it will be hidden and no longer retrievable.
Adding secrets to Ansible Automation Platform settings
Add the key (Application (client) ID) and value (Value) of the secret that you generated in Azure to your Ansible Automation Platform instance.
- Open the automation controller console in a web browser.
- Click Settings → Azure AD settings.
- Click Edit.
- Enter the information for the secret that you generated in Azure AD:
- In Azure AD OAuth2 Key, paste the Application (client) ID.
- In Azure AD OAuth2 Secret, paste the secret Value.
- Click Save.
Adding Azure Credentials to Automation controller
- Open the automation controller in a web browser.
- Select Resources → Credentials and click Add to open the Create New Credentials page.
- Enter a name for the new credential and select Azure Resource Manager for the credential type.
Use the Service Principal details to fill out the values of the form:
- Name: Choose a descriptive name for the credential, for example *Azure Infrastructure*.
- Subscription ID: Enter the subscription id where your resources created in Azure should be associated. This is unique to your tenant. Your organization may have multiple subscription ids; consult your Azure administrator regarding the subscription id that you should use.
- Client ID: Enter the appId value from the Service Principal creation.
- Client Secret: Enter the password from the Service Principal creation.
- Tenant ID: Enter the tenant from the Service Principal creation.
- Click Save to save the credential.
