CBS Array Deployment For Fusion | Pure CBS on Azure
To assign a Cloud Block Store (CBS) Array to a Fusion Availability Zone (AZ), complete the following six steps:
1. In Azure, deploy a Storage Endpoint Collection (SEC) resource.
2. In Azure, grant the resulting SEC managed identity a role that allows it to join the load balancer.
3. In Azure, deploy a CBS Array and ensure it can connect to the SEC.
4. In Pure1, install the Fusion Agent onto your CBS Array.
5. In Pure1, create an AZ.
6. In Pure1, assign the CBS Array to the AZ.
Steps 1 and 2 need to be completed only once per AZ. If you already have a functioning AZ with CBS arrays in it and simply want to add a new array to that AZ, skip to step 3.
Steps 1 through 4 are covered in this article; steps 5 and 6 (creating the AZ and assigning the array to it) are covered in a separate article.
Some steps are dependent on the completion of others. If you follow the steps in the order presented above, you will not run into any dependency issues. The technically necessary order of dependencies is illustrated below.
Step 1: Deploy an SEC Resource in Azure
What is an SEC?
The Storage Endpoint Collection (SEC) is an Azure managed application, specific to Fusion on CBS, that load-balances storage endpoints and thereby provides high availability in the cloud. With Fusion on CBS, these storage endpoints are decoupled from the individual array resources and housed within the load balancer resource. The two storage endpoints serve as the iSCSI discovery IP addresses and initial data IP addresses for the entire AZ. Each Fusion AZ requires exactly one SEC.
Deploy an SEC
- Navigate to portal.azure.com/home while signed in to your Azure account. At the top of the page, under Azure services, click “Create a resource”.
- In the search bar above Popular Azure services, search for Pure Fusion Storage Endpoint Collection.
- Click the Pure Fusion Storage Endpoint Collection resource.
- Choose the Pure Fusion Storage Endpoint Collection 1.0.0 plan.
You are taken to a page titled Create Cloud Block Store Storage Endpoint Collection. It consists of four tabs: Basics, Tags, JIT Configuration, and Review + create. The Basics tab is where you supply most of the information needed to create the SEC. The Tags tab is useful if different teams in your organization need to track this endpoint. The JIT Configuration tab controls whether Pure Storage Support can be granted access to your managed resource group. Finally, the Review + create tab summarizes the inputs you have provided and contains the deploy button.
Basics
The fields in the Basics tab are as follows:
Project Details
Subscription - The Azure subscription to deploy the SEC into.
Resource Group - Enter a name for the resource group of which your SEC will be a part.
Instance Details
Region - The Azure region where the SEC is deployed. Select the region where you plan to deploy the CBS Arrays that will share a Fusion AZ with this SEC.
Fusion Storage Endpoint Collection Name - The name of the Cloud Block Store Fusion Availability Zone.
Configure Virtual Networks
Load Balancer Network - Select the virtual network for the SEC. The SEC must be in the same network as the iSCSI interfaces of every array that will be in the same Fusion AZ as this SEC.
Subnet - Select the subnet for the Fusion CBS deployment. Use the same subnet as the iSCSI interfaces of the arrays in this AZ: the SEC contains a load balancer that must reach the arrays' iSCSI IPs, and the CBS Array deployment in Step 3 requires the array's iSCSI subnet to match this subnet exactly.
Managed Application Details
Application Name - Enter a name for your application.
Managed Resource Group - Enter a name for your Managed Resource Group. This resource group holds all the resources that are required by the managed application. In this case, a load balancer and a managed identity.
When you have supplied the information, press Next: Tags >.
Tags
Tags are not necessary for the SEC to function, but they can be helpful for specific users. For more information about tags, see this article.
JIT Configuration
Enabling JIT allows authorized members of the subscription to grant Pure Storage Support temporary access scoped to the SEC managed application. We strongly recommend this option so that Support can assist with problems pertaining to the SEC. Select ‘Yes’ to use JIT access; select ‘No’ to allow standing access instead. Enabling JIT access defaults the approval mode to auto-approval and the maximum JIT access duration to 8 hours. You can customize the approval mode, the maximum JIT access duration, and the JIT approvers through the 'Customize JIT configuration' option below.
Review and Create
Check that the information is correct, select the Agree checkbox, and click the deploy button.
With that, you have deployed your SEC. Next, you must ensure the SEC's managed identity has load balancer access on your network.
Step 2: Grant the SEC Network Load Balancer Access
Why are we doing this?
Azure controls access through managed identities and role-based access control (RBAC): a role grants a set of actions within a scope. Arrays that you deploy must add themselves to the backend pool of the SEC's load balancer, which requires joining that load balancer to your virtual network. As part of the SEC deployment, the SEC's managed identity is given the Owner role over the SEC itself, but that assignment covers only the managed resource group; your virtual network lives in a separate resource group, so you must grant the identity the required load balancer permission there yourself.
Create a Custom Role
Instructions on how to create a custom role in Azure can be found here.
Step 4 of that article shows how to specify permissions for your custom role. Ensure your custom role includes the following permission: Microsoft.Network/virtualNetworks/joinLoadBalancer/action. To minimize the permissions the SEC holds over resources outside its managed resource group, create a new role that has only that permission.
Step 5 of that article describes the assignable scope. The assignable scope must be the resource group that contains the subnet the SEC is deployed in. The role is then granted to the SEC's managed identity.
Grant Load Balancer Access
- Once you have created your custom role and set its permission, navigate to the Managed Resource Group you specified for your SEC and find the Managed Identity.
- Click the Managed Identity, then in the left-hand panel click Azure role assignments.
- Click Add role assignment.
- Set the scope to Resource Group, and set the role to the custom role that has the load balancer permission.
- Click Save.
Note: For tighter scoping, you can assign the role on the vnet resource itself instead of the resource group that contains it. The process is slightly different (it is done through the vnet's IAM blade rather than the identity's Azure role assignments), but the result is equivalent for the SEC's purposes.
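The same Step 2 grant, expressed with the Azure CLI instead of the portal. This is an added example and not part of the original page or of Pure Storage's own tooling. It assumes an authenticated `az` session held by a principal allowed to create role definitions and assignments on the VNet's resource group (Owner or User Access Administrator), and that the SEC's managed resource group contains exactly one user-assigned identity, as the page describes. The subscription ID, resource-group and VNet names are placeholders you pass on the command line; `sec_role_definition`, `sec_assignment_scope`, `sec_role_is_assigned` and `grant_sec_lb_access` are hypothetical helper names used only here.

```shell
#!/usr/bin/env bash
# Added example: Azure CLI equivalent of Step 2 (not from the Pure Storage page).
# Assumed inputs (hypothetical placeholders, substitute your own):
#   SUBSCRIPTION_ID  subscription that holds the VNet and the SEC
#   VNET_RG          resource group containing the VNet/subnet the SEC was deployed into
#   SEC_MANAGED_RG   the Managed Resource Group named when deploying the SEC
#   VNET_NAME        (optional) narrow the assignment scope to this VNet instead of the RG
set -eu

ROLE_NAME="Pure Fusion SEC Load Balancer Join"
LB_JOIN_ACTION="Microsoft.Network/virtualNetworks/joinLoadBalancer/action"

# Custom role carrying only the one permission the SEC identity needs (least privilege),
# assignable only inside the resource group that holds the SEC's subnet.
sec_role_definition() {
  subscription_id="$1"; vnet_rg="$2"
  cat <<EOF
{
  "Name": "${ROLE_NAME}",
  "IsCustom": true,
  "Description": "Lets the Pure Fusion SEC identity join its load balancer to the VNet",
  "Actions": ["${LB_JOIN_ACTION}"],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/${subscription_id}/resourceGroups/${vnet_rg}"]
}
EOF
}

# Assignment scope: the resource group (what the portal walkthrough uses) or, when a
# VNet name is given, the VNet resource itself, the tighter option the note above suggests.
sec_assignment_scope() {
  subscription_id="$1"; vnet_rg="$2"; vnet_name="${3:-}"
  scope="/subscriptions/${subscription_id}/resourceGroups/${vnet_rg}"
  if [ -n "$vnet_name" ]; then
    scope="${scope}/providers/Microsoft.Network/virtualNetworks/${vnet_name}"
  fi
  printf '%s\n' "$scope"
}

# Check the JSON from `az role assignment list` for our role; exit 0 if present, 1 if not.
# Plain grep keeps the check free of a jq dependency.
sec_role_is_assigned() {
  printf '%s' "$1" | grep -q "\"roleDefinitionName\": *\"${ROLE_NAME}\""
}

# Create the role, assign it to the SEC's user-assigned managed identity, verify the
# assignment, and print the identity's resource ID (the value Step 3 asks for).
# Needs a live az session; not run unless invoked with "apply".
grant_sec_lb_access() {
  subscription_id="$1"; vnet_rg="$2"; sec_managed_rg="$3"; vnet_name="${4:-}"
  scope="$(sec_assignment_scope "$subscription_id" "$vnet_rg" "$vnet_name")"

  role_file="$(mktemp)"
  sec_role_definition "$subscription_id" "$vnet_rg" > "$role_file"
  az role definition create --role-definition "@${role_file}" > /dev/null
  rm -f "$role_file"

  # The SEC deployment leaves one user-assigned identity in its managed resource group.
  principal_id="$(az identity list --resource-group "$sec_managed_rg" --query '[0].principalId' -o tsv)"
  identity_id="$(az identity list --resource-group "$sec_managed_rg" --query '[0].id' -o tsv)"

  # Stating the principal type avoids a directory lookup that can fail for a just-created identity.
  az role assignment create --assignee-object-id "$principal_id" \
      --assignee-principal-type ServicePrincipal \
      --role "$ROLE_NAME" --scope "$scope" > /dev/null

  # Confirm the assignment before deploying arrays; Step 3 relies on it.
  sec_role_is_assigned "$(az role assignment list --assignee "$principal_id" --scope "$scope" -o json)"
  printf 'SEC identity resource ID (use in Step 3): %s\n' "$identity_id"
}

# Usage: bash grant-sec-lb-access.sh apply <subscription-id> <vnet-rg> <sec-managed-rg> [vnet-name]
if [ "${1:-}" = "apply" ]; then
  shift
  grant_sec_lb_access "$@"
fi
```

Run it with `apply` and the four placeholders to perform the grant; passing the optional VNet name scopes the assignment to the VNet resource rather than its resource group, matching the note above. The role definition's AssignableScopes is the VNet's resource group in both cases, so the role cannot later be handed out at subscription level by mistake.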
Step 3: Deploy a CBS Array
With the storage endpoint collection configured, you can now deploy a CBS Array. Deployment for a Fusion-enabled CBS Array follows mostly the same process as outlined in this article, but with two key considerations. (These considerations pertain to steps 5-7 of the linked document.)
First, when filling in the Basics tab of the CBS Product Deployment window, check the “This Array will be used with Pure Fusion” checkbox. Additional fields appear. Click the Add button and select your User Assigned Managed Identity from the list of identities that appears on the right side of the page. This must be the managed identity of the SEC that the Fusion Availability Zone will use: the array uses that identity to add itself to the backend pool of the SEC's load balancer, which is why it was granted the load balancer permission in Step 2.
If you have deployed an SEC but it does not appear in the list of User Assigned Managed Identities, you can enter the Storage Endpoint Collection ID path manually. It is found in the identity resource's overview under Properties. For a detailed walkthrough, see the Appendix.
Second, when inputting values into the Network tab of the CBS Product Deployment window, ensure that the iSCSI subnet you provide exactly matches the subnet of the SEC. There will be a blue tooltip emphasizing this point.
Otherwise, deploy your CBS array as normal.
Once your CBS array is deployed, you will be able to interact with it in Pure1. However, you will not be able to use it in Fusion until you install the Fusion Agent onto the Array.
Step 4: Install the Pure Fusion Agent onto your CBS Array
- From Pure1, navigate to Administration > Edge Service > Agents. Find Pure Fusion and click Install this agent.
- Select your CBS array, and click Review Permissions.
- Click Accept and Install.
- Complete the step-up authentication process. The installation will take about three minutes to complete.
Following installation of the agent, your CBS Array will be ready for assignment to an Availability Zone. For instructions on setting up an AZ, and assigning an array to it, see this article.
Appendix - Finding your Storage Endpoint Collection ID path.
Propagation delays in Azure sometimes cause a newly created managed identity not to appear in the list of managed identities. In this case, enter the SEC ID path manually.
- Navigate to the SEC resource group you deployed. You can get there from Home > Resource groups.
- Click on the name of your SEC resource group.
- Click on the identity in the Resources list.
- Click on Settings > Properties on the left-most panel.
- The ID you’re looking for is under Id.