Deploy to Azure

5 minute read

Azure Requirements

An Azure subscription. If you don’t have one, create a free account
An Azure resource group to deploy the resources into
An Azure Virtual Network (vNet) with at least two subnets:
- An “outside” subnet for the appliance to connect to the Trustgrid control plane and data plane gateways, and accept incoming connections if the Azure Trustgrid appliance will be acting as a data plane gateway
- An “inside” subnet for communicating with other virtual machines and services within the Azure vNet
- (For Clustered Appliances) An Azure routing table associated with the “inside” subnet.

VM Requirements

Requirement	Description
Disk Size	At least 30 GB
Interfaces	1 Public with a Public IP address 1 Private
CPU & RAM	See Instance Type below for recommendations

Instance Size

Trustgrid has validated using the B-series burstable - Azure Virtual Machines instance type.

VPN throughput is tied to CPU the recommended size depends on roles, expected throughput.

For Gateway nodes expecting up to ~200Mbps throughput, Trustgrid recommends the Standard_B4ms or larger
For Edge nodes expecting less than 100Mbps throughput, Trustgrid recommends the Standard_B2s or Standard_B2ms or larger

Interfaces

One WAN interface with a public IP and one LAN interface on a private subnet. The nodes will need to be able to route to all required hosts/applications that need to communicate across the Trustgrid virtual network.

The LAN interface needs to have IP Forwarding Enabled in order to forward the traffic across the tunnel.

IP Forwarding

See Azure virtual network traffic routing.

Supported Regions

The Trustgrid official community image, trustgrid-node-2204-prod, in the public gallery trustgrid-45680719-9aa7-43b9-a376-dc03bcfdb0ac is currently published in the following region. If you need to deploy in another region please contact Trustgrid support. If you are not a direct customer of Trustgrid, please check with your vendor that is utilizing Trustgrid to have them contact support.

Region Display Name	Region Name
East US	eastus
Central US	centralus
North Central US	northcentralus
South Central US	southcentralus
West US	westus

Network Access

For gateways:

Outbound internet access to the Trustgrid control plane networks and ability to resolve public DNS names.
Inbound access required is the TCP port defined for the Trustgrid gateway service to listen on. Edge nodes will connect to the gateways public IP and port defined. The default port used is 8443.

For edge nodes:

Outbound internet access to the Trustgrid control plane networks, outbound access to the IP and ports of the Trustgrid gateways, and ability to resolve public DNS names.
No inbound access is required on the public interface.

For all clustered nodes:

The cluster heartbeat runs on the LAN/inside interface on TCP Port 9000. This port will need to be open between both Trustgrid Gateways for failover to work correctly.

Other VM Requirements

System-assigned Managed Identity needs to be enabled for both VMs in the cluster.
Boot Diagnostics needs to be enabled to allow access via the Serial Console

Deployment Process

One of more Virtual Machines will need to be deployed into the target Azure subscription to act as the Trustgrid nodes using the official community image. Then the remote registration process can be used to activate the nodes in the Trustgrid portal.

Participants

Site Tech - User(s) with permissions and skills to deploy new instances in Azure, create the required Managed System Identity shown above, and make changes in Azure to allow the required network connectivity
Trustgrid User - User with permissions to Activate nodes in the Trustgrid portal (or API)

If the Site Tech is not part of the organization that is a Trustgrid’s direct customer, Trustgrid’s professional service team will need documented approval from that customer before proceeding with assisting in the deployment.

High-Level Process

The Site Tech should be able to complete the following steps independently:
1. Build out prerequisite resources including Resource Groups, vNets, subnets and routing tables in Azure
- For single node deployments:
  1. Create VM Instances based of the official Trustgrid community image
- For clustered deployments:
  1. Create a routing table for the in LAN interface subnet if it does not already exist
  2. Create two VM Instances based of the official Trustgrid community image
  3. Create the Azure IAM role as defined above
1. Use the Azure VM Serial Console to start the registration process, this code then needs to be communicated securely to the Trustgrid User.
Trustgrid Tech -
1. Activate the device with the target organization
2. Confirm healthy functionality and connectivity to the required gateways
3. Configure the nodes as needed (e.g. clustering, VPN, L4proxy)

Deployment Methods

Deploy via Azure command line tool

Documentation Coming Soon for…

Deploy via the Azure Portal
Deploy via Azure Bicep modules

High Availability

Trustgrid supports two methods for supporting high availability networking connectivity via clustered Trustgrid nodes in Azure. These methods can be used together or independently.

Method	Description	Common Use Cases
Route failover	Publishes routes to the Azure route table associated an interface or specified route tables. Automatically adjusts the `Next hop IP address` to point to the active node.	Environments with only a few route tables that need to be adjusted
IP failover	Assigns a floating IP address to the interface of the active Trustgrid node.	Environments with many route tables.¹ Environments using Azure Virtual WAN. Using connectors on the Azure cluster.

¹ Route based failover requires the nodes to have correct Azure permission to modify each route table. Environments with many route tables would have to grant permission to the containers (resource groups, subscriptions) for each table which makes maintaining least-privilege access difficult.

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.