Appendix J. Deploying Sentinet in Microsoft Azure platform using Azure ARM templates
You can automate the Sentinet deployment to the Microsoft Azure Platform using the practice of infrastructure as code. Nevatech provides an Azure Resource Manager (ARM) template, which is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your Sentinet deployment, together with Sentinet component configuration files and PowerShell scripts. The template uses declarative syntax to specify the resources to deploy and the properties of those resources. This Appendix describes a sample scenario in which one Repository Database, one Repository Application, one Developer Portal database, one Developer Portal Application and one Node are deployed according to Azure best practices, with virtual network and subnet isolation and the ability to scale behind Azure load balancers.
The sample template creates three virtual machines for each Sentinet Application, where each virtual machine is part of an Azure Scale Set placed behind its own load balancer. The high-level schematic diagram below depicts the resources used for the Sentinet deployment:
Deployment Artifacts
To deploy the Sentinet to Azure you will need the following artifacts:
File name | Description |
---|---|
Install.ps1 | The PowerShell script that automates the Sentinet installation process. |
NodeConfiguration.ps1 | The PowerShell script that automates the Sentinet Node configuration. |
NodeConfiguration.xml | The Sentinet node configuration file. |
PortalConfiguration.ps1 | The PowerShell script that automates the Sentinet Developer Portal configuration. |
PortalConfiguration.xml | The Sentinet Developer Portal configuration file. |
Prerequisites.ps1 | The PowerShell script that installs Windows OS pre-requisites. |
RepositoryConfiguration.ps1 | The PowerShell script that automates the Sentinet Repository configuration. |
RepositoryConfiguration.xml | The Sentinet Repository configuration file. |
Sentinet.msi | The Sentinet installation media. |
SslCertificate.pfx | The wild-card SSL certificate. See “Obtain SSL Certificate” section of this document. |
All artifacts must be stored in an Azure Storage Account accessible by the Azure Resource Manager at the time of deployment.
Sentinet ARM Template
Resources
The Sentinet ARM template file azuredeploy.json defines the following resources:
Resource Type | Description |
---|---|
Network Security Groups | Network security groups filter network traffic to and from Azure resources deployed in the Sentinet Virtual Network. The front-end security group protects the Sentinet Repository, Node and Developer Portal, while the back-end security group protects the Sentinet Azure SQL Server instance. |
Virtual Network | The virtual network enables Sentinet resources to securely communicate with each other and with the internet. The virtual network consists of 4 subnets in which the Sentinet Repository, Node, Developer Portal and Azure SQL Server are deployed. |
Azure SQL Server | The Azure SQL Server instance that will host Sentinet databases. |
Private Endpoint | A network interface that securely connects Sentinet resources to Azure SQL Server instance. |
Public Load Balancers | Layer 4 (OSI transport layer) load balancers that distribute network traffic across the instances of a back-end virtual machine scale set. |
Virtual Machine Scale Sets | Groups of load-balanced VMs that host the Sentinet Repository, Node and Developer Portal applications. |
Autoscale Settings | Autoscale settings help ensure that you have the right amount of resources running to handle the fluctuating load of Sentinet applications. |
Parameters
The Sentinet ARM template has the following parameters:
Parameter name | Type | Description |
---|---|---|
configFilePassword | securestring | The optional repository/node/portal XML configuration file password if encrypted. |
deployPortal | bool | True to deploy the Sentinet Developer Portal resources. The default value is false. |
deploySql | bool | True to deploy the dedicated Sentinet Azure SQL Server, false to connect to an existing instance. The default value is true. |
licenseCompany | securestring | The name of a company to which the Sentinet license is issued. |
licenseKey | securestring | The Sentinet license key. |
licenseUser | securestring | The name of a user to whom the Sentinet license is issued. |
nodeHostName | string | The Sentinet Node public DNS host name, e.g. node.sentinet.contoso.com. |
nodePublicIpAddressName | string | The name of the Azure Public IP address to be assigned to the Sentinet Node load balancer. |
nodeSubnetPrefix | string | The Sentinet Node subnet address space in CIDR notation. The default value is 10.0.2.0/24. |
portalHostName | string | The Sentinet Developer Portal public DNS host name, e.g. portal.sentinet.contoso.com. |
portalPublicIpAddressName | string | The name of the Azure Public IP address to be assigned to the Sentinet Developer Portal load balancer. |
portalSubnetPrefix | string | The Sentinet Portal subnet address space in CIDR notation. The default value is 10.0.3.0/24. |
repositoryHostName | string | The Sentinet Repository public DNS host name, e.g. repository.sentinet.contoso.com. |
repositoryPublicIpAddressName | string | The name of the Azure public IP address to be assigned to the Sentinet Repository load balancer. |
repositorySubnetPrefix | string | The Sentinet Repository subnet address space in CIDR notation. The default value is 10.0.1.0/24. |
sentinetAdminEmail | securestring | The Sentinet administrator email address. |
sentinetAdminPassword | securestring | The Sentinet administrator password. |
sentinetAdminUserName | securestring | The Sentinet administrator user name. The default value is Administrator. |
sqlAdminPassword | securestring | The Azure SQL Server administrator password. |
sqlAdminUserName | securestring | The Azure SQL Server administrator user name. The default value is sqladmin. |
sqlPortalDatabaseName | string | The Sentinet Developer Portal database name. The default value is SentinetPortal. |
sqlPortalRuntimePassword | securestring | The Sentinet Developer Portal runtime SQL password. |
sqlPortalRuntimeUserName | securestring | The Sentinet Developer Portal runtime SQL user name. |
sqlRepoDatabaseName | securestring | The Sentinet Repository database name. The default value is Sentinet. |
sqlRepoRuntimePassword | securestring | The Sentinet Repository runtime SQL password. |
sqlRepoRuntimeUserName | securestring | The Sentinet Repository runtime SQL user name. |
sqlServerName | string | The Azure SQL Server name. |
sqlSubnetPrefix | string | The Sentinet SQL subnet address space in CIDR notation. The default value is 10.0.4.0/24. |
sslCertificatePassword | securestring | The password for SSL certificate pfx file. |
sslCertificateThumbprint | string | The SSL certificate thumbprint. |
storageAccountKey | securestring | The access key of a storage account that hosts Sentinet deployment artifacts. |
storageAccountName | string | The name of a storage account that hosts Sentinet deployment artifacts. |
storageContainerName | string | The name of the storage container that hosts Sentinet deployment artifacts. |
tags | object | The tags to be assigned to all deployed Sentinet resources. |
vmAdminPassword | securestring | The Azure VM administrator password. |
vmAdminUserName | securestring | The Azure VM administrator user name. The default value is vmadmin. |
vnetAddressPrefix | string | The Sentinet VNet address space in CIDR notation. The default value is 10.0.0.0/16. |
You can specify parameter values in the provided azuredeploy.parameters.json file before starting the deployment operation. By providing different parameter files, you can reuse the Sentinet ARM template for different environments.
Sentinet Deployment Step-By-Step
Obtain SSL Certificate
You will need to obtain a valid wild-card SSL certificate from an approved Certificate Authority (CA). The certificate's common name should be something like *.sentinet.contoso.com. For testing purposes you can use the OpenSSL tool to generate a self-signed certificate and package it with its private key as a PFX file:

```shell
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
  -keyout SslCertificate.key -out SslCertificate.crt \
  -subj "/CN=*.sentinet.contoso.com" \
  -addext "subjectAltName=DNS:sentinet.contoso.com,DNS:*.sentinet.contoso.com,IP:127.0.0.1"
openssl pkcs12 -export -out SslCertificate.pfx -inkey SslCertificate.key -in SslCertificate.crt
```
Note
Using a single wild-card certificate in the sample template simplifies certificate management and the deployment process. The sample template can be modified to use individual, non-wild-card certificates for the different Sentinet components.
- In the Azure Portal, create a new resource group where the Sentinet resources will be created. Specify a descriptive group name, e.g. sentinet-rg, and select a subscription and a region (location).
- In the new Sentinet resource group, create three public static IP addresses that will be assigned to the Sentinet Repository, Node and Developer Portal load balancers respectively. In the azuredeploy.parameters.json file, set the nodePublicIpAddressName, portalPublicIpAddressName and repositoryPublicIpAddressName parameters to match the new IP address names.
Note
You can skip portal IP address configuration if you are not deploying the Sentinet Developer Portal.
Create Public DNS Records
Contact your DNS registrar to create a DNS A (address) record for each public IP address created in the previous step. Each DNS A record must match the SSL certificate's common name. For example, if the certificate common name is *.sentinet.contoso.com, then the DNS record for the repository IP address could be repository.sentinet.contoso.com. In the azuredeploy.parameters.json file, set the nodeHostName, portalHostName and repositoryHostName parameter values to match the public DNS A records.
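A pre-deployment check, added here and not part of the Sentinet documentation, that the wild-card PFX actually covers the repositoryHostName, nodeHostName and portalHostName values in azuredeploy.parameters.json (a wild-card matches exactly one label), and that prints the thumbprint to use for sslCertificateThumbprint. The local file paths and the interactive PFX password prompt are assumptions.

```powershell
param(
    [string]$PfxPath        = '.\SslCertificate.pfx',           # assumption: local paths
    [string]$ParametersFile = '.\azuredeploy.parameters.json'
)
# Load the PFX with its password; the private key must be present for the deployment.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    (Resolve-Path $PfxPath).Path, $pfxPassword)
# Subject Alternative Names the certificate is valid for (PowerShell exposes them as DnsNameList).
$sanNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })

function Test-HostCoveredByCertificate {
    param([string]$HostName, [string[]]$Names)
    foreach ($name in $Names) {
        if ($name.StartsWith('*.')) {
            # A wild-card covers exactly one label left of its suffix (RFC 6125):
            # *.sentinet.contoso.com covers node.sentinet.contoso.com, not a.b.sentinet.contoso.com.
            $suffix = $name.Substring(1)
            if ($HostName.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label.Length -gt 0 -and -not $label.Contains('.')) { return $true }
            }
        } elseif ($name -ieq $HostName) {
            return $true
        }
    }
    return $false
}

$parameters = (Get-Content $ParametersFile -Raw | ConvertFrom-Json).parameters
$failures = 0
foreach ($p in 'repositoryHostName', 'nodeHostName', 'portalHostName') {
    $value = $parameters.$p.value
    if (-not $value) { continue }   # portalHostName may be omitted when deployPortal is false
    if (Test-HostCoveredByCertificate -HostName $value -Names $sanNames) {
        Write-Host "OK           $p = $value"
    } else {
        Write-Warning "NOT COVERED  $p = $value (certificate SAN: $($sanNames -join ', '))"
        $failures++
    }
}
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
Write-Host "sslCertificateThumbprint: $($cert.Thumbprint)"
Write-Host "Has private key: $($cert.HasPrivateKey); expires in $daysLeft days"
exit $failures
```

A non-zero exit code means at least one host name would fail TLS validation against this certificate, so fix the DNS names or the certificate before running the deployment.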
Review Configuration Files
Review and update Sentinet configuration files:
- NodeConfiguration.xml: the node key.
- PortalConfiguration.xml: access key length and lifetime.
- RepositoryConfiguration.xml: reporting time zone, time interval and alerts configuration settings.
Prepare Deployment Artifacts
You will need an Azure Storage Account. You can use an existing storage account or create a new one. Within the storage account, create a new private blob container and upload the deployment artifacts to it. In the azuredeploy.parameters.json file, set the storageAccountKey, storageAccountName and storageContainerName parameter values.
Provide Remaining Parameter Values
Provide values for remaining parameters in azuredeploy.parameters.json file.
Review ARM Template Resources
Review and update azuredeploy.json file to ensure deployed resources match your requirements and expected load:
- Network Security Groups: inbound / outbound rules.
- Virtual Network: VNet and subnets address spaces.
- SQL Server: database SKU, edition and licensing.
- Load Balancers: load balancing rules.
- Virtual Machine Scale Sets: SKU, storage profile and image reference.
- Autoscale Settings: scale in / out rules and corresponding metric triggers.
- In the Azure Portal, open Cloud Shell. In the dropdown, switch the environment to PowerShell. Upload the azuredeploy.json and azuredeploy.parameters.json files to the mounted shell storage.
At the command prompt, execute the following command to start the deployment operation (replace the {Resource Group Name} token with the name of the Sentinet resource group):

```powershell
New-AzResourceGroupDeployment `
  -Name SentinetDeployment `
  -ResourceGroupName {Resource Group Name} `
  -TemplateFile "azuredeploy.json" `
  -TemplateParameterFile "azuredeploy.parameters.json"
```

The deployment may take from a few minutes up to an hour to complete. You can monitor the deployment progress by navigating to the resource group's Deployments blade.
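An added example (not from the Sentinet documentation) of the same deployment run from Cloud Shell with validation and a change preview first, and with the securestring parameters read from Azure Key Vault so that passwords, the storage account key and the license key are not stored in plain text in azuredeploy.parameters.json. It assumes PowerShell 7 (as in Cloud Shell), the resource group sentinet-rg, and a vault named sentinet-kv whose secret names equal the template parameter names.

```powershell
$resourceGroup = 'sentinet-rg'   # assumption: the resource group created above
$vaultName     = 'sentinet-kv'   # assumption: Key Vault holding the secret parameter values
$secretParams  = 'sqlAdminPassword', 'sentinetAdminPassword', 'sslCertificatePassword',
                 'sqlRepoRuntimePassword', 'sqlPortalRuntimePassword', 'vmAdminPassword',
                 'storageAccountKey', 'licenseKey'

# Non-secret values come from the parameters file; -AsHashtable keeps the "tags"
# object usable as a hashtable for -TemplateParameterObject.
$file = Get-Content 'azuredeploy.parameters.json' -Raw | ConvertFrom-Json -AsHashtable
$templateParams = @{}
foreach ($entry in $file.parameters.GetEnumerator()) {
    $templateParams[$entry.Key] = $entry.Value['value']
}
foreach ($name in $secretParams) {
    # SecretValue is a SecureString, which is what the securestring parameters expect;
    # it overrides any placeholder left in the parameters file.
    $templateParams[$name] = (Get-AzKeyVaultSecret -VaultName $vaultName -Name $name).SecretValue
}
$deployment = @{
    ResourceGroupName       = $resourceGroup
    TemplateFile            = 'azuredeploy.json'
    TemplateParameterObject = $templateParams
}

# 1. Validate the template and parameter values; any output means validation errors.
$validation = Test-AzResourceGroupDeployment @deployment
if ($validation) { $validation | ForEach-Object { Write-Error $_.Message }; exit 1 }

# 2. Preview which resources would be created or changed before touching anything.
New-AzResourceGroupDeployment -Name SentinetDeployment @deployment -WhatIf

# 3. Deploy; Incremental mode leaves resources that are not in the template untouched.
$result = New-AzResourceGroupDeployment -Name SentinetDeployment -Mode Incremental @deployment
if ($result.ProvisioningState -ne 'Succeeded') {
    # Surface the failing operations instead of digging through the Deployments blade.
    Get-AzResourceGroupDeploymentOperation -ResourceGroupName $resourceGroup -DeploymentName SentinetDeployment |
        Where-Object ProvisioningState -eq 'Failed' |
        Select-Object -ExpandProperty StatusMessage
    exit 1
}
"Deployment succeeded: $($result.DeploymentName)"
```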
Connect to Existing Azure SQL Server
It is possible to configure Sentinet to connect to an existing Azure SQL Server instance. Before deploying Sentinet resources:
- Create the private endpoint connection to Azure SQL Server if it doesn’t yet exist.
- Add SQL Server firewall rules to allow network traffic from the Sentinet Repository and Developer Portal public IP addresses.
- Create Sentinet and SentinetPortal databases.
- In the azuredeploy.parameters.json file set the following parameters:
  - deploySql = false
  - sqlServerName = Azure SQL Server name.
  - sqlAdminUserName = Azure SQL Server administrator name.
  - sqlAdminPassword = Azure SQL Server administrator password.
- Deploy Sentinet resources as described in the previous step.