Trustgrid Azure Gateway Deployment

Operating System: Ubuntu 18.04

Resources: 2 vCPU / 4 GB RAM

Interfaces: One WAN interface with a public IP and one LAN interface on a private subnet. The gateways will need to be able to route to all required hosts/applications that need to communicate across the Trustgrid virtual network.

Network Access: Outbound internet access and the ability to resolve public DNS names. The only inbound access required is the TCP port on which the Trustgrid gateway service listens. Edge nodes connect to the gateway's public IP on that port. The default port is 8443, but any preferred TCP port can be used.

Azure Permissions Required for Cluster Route Failover:

1. A system-assigned managed identity must be enabled on each gateway VM (Azure's "Managed System Identity"; see the link below).

https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm

2. Below are the minimum permissions required for the Trustgrid gateways to manage the Azure route table. This should be the route table associated with the gateways' LAN interfaces. It is required for high availability: when a failover event happens, the route table is modified so that the virtual route points to the secondary gateway.

```json
{
  "properties": {
    "roleName": "tg-route-table",
    "description": "manage azure route table",
    "assignableScopes": [
      "/subscriptions/a2kdkdkd-621b-415a-9420-e17657b93b6d/resourceGroups/Sales",
      "/subscriptions/a2kdkdkd-621b-415a-9420-e17657b93b6d/resourceGroups/Sales/providers/Microsoft.Network/virtualNetworks/Sales"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Network/networkWatchers/nextHop/action",
          "Microsoft.Network/networkInterfaces/effectiveRouteTable/action",
          "Microsoft.Network/routeTables/routes/delete",
          "Microsoft.Network/routeTables/routes/write",
          "Microsoft.Network/routeTables/routes/read",
          "Microsoft.Network/routeTables/join/action",
          "Microsoft.Network/routeTables/delete",
          "Microsoft.Network/routeTables/write",
          "Microsoft.Network/routeTables/read",
          "Microsoft.Network/networkInterfaces/read",
          "Microsoft.Network/virtualNetworks/read",
          "Microsoft.Compute/virtualMachines/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
```

The assignableScopes section must be modified to reflect the subscription, resource group and virtual network of the target Azure account.
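As an added example (not Trustgrid's own tooling), the following script applies the two steps above with the Azure CLI: it creates the custom role, enables the gateway VM's system-assigned identity and grants the role to that identity at resource-group scope. It assumes `az` is installed and logged in; the subscription, resource group, VNet and VM names are placeholders passed as arguments. Note that `az role definition create` takes the flat role format rather than the portal's `properties`/`roleName` wrapper shown above.

```shell
#!/bin/sh
# Added example, not Trustgrid's own tooling: apply the custom role from the page with
# the Azure CLI. Assumes `az` is installed and logged in; the subscription, resource
# group, VNet and gateway VM names are placeholders passed as arguments.
set -eu
# ARM id of a resource group: the scope the role is assigned at, so the identity can
# also read the NICs, VNet and VM that sit beside the route table.
rg_scope() {
    printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"
}
# Emit the role from the page in the flat form `az role definition create` expects
# (the portal JSON above wraps it in "properties" and uses "roleName"), with
# AssignableScopes rewritten for the target subscription, resource group and VNet.
render_role_definition() {
    scope=$(rg_scope "$1" "$2")
    cat <<EOF
{ "Name": "tg-route-table",
  "Description": "manage azure route table",
  "AssignableScopes": [ "$scope", "$scope/providers/Microsoft.Network/virtualNetworks/$3" ],
  "Actions": [
    "Microsoft.Network/networkWatchers/nextHop/action",
    "Microsoft.Network/networkInterfaces/effectiveRouteTable/action",
    "Microsoft.Network/routeTables/routes/delete",
    "Microsoft.Network/routeTables/routes/write",
    "Microsoft.Network/routeTables/routes/read",
    "Microsoft.Network/routeTables/join/action",
    "Microsoft.Network/routeTables/delete",
    "Microsoft.Network/routeTables/write",
    "Microsoft.Network/routeTables/read",
    "Microsoft.Network/networkInterfaces/read",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Compute/virtualMachines/read" ],
  "NotActions": [], "DataActions": [], "NotDataActions": [] }
EOF
}
# Create the role, enable the gateway VM's system-assigned identity, grant the role to
# that identity at resource-group scope, then list what is assigned there as a check.
main() {
    sub=$1; rg=$2; vnet=$3; vm=$4; scope=$(rg_scope "$sub" "$rg")
    render_role_definition "$sub" "$rg" "$vnet" > tg-route-table.json
    az role definition create --role-definition @tg-route-table.json >/dev/null
    az vm identity assign --resource-group "$rg" --name "$vm" >/dev/null
    pid=$(az vm show --resource-group "$rg" --name "$vm" --query identity.principalId -o tsv)
    az role assignment create --assignee-object-id "$pid" --assignee-principal-type ServicePrincipal \
        --role tg-route-table --scope "$scope" >/dev/null
    az role assignment list --assignee "$pid" --scope "$scope" --query "[].roleDefinitionName" -o tsv
}
# Run only when given all four arguments; sourcing the file just defines the helpers.
if [ "$#" -eq 4 ]; then main "$@"; fi
```

Run it once per gateway VM, e.g. `sh tg-role.sh <subscription-id> Sales Sales gw-1`; the final listing should show only `tg-route-table` for that identity at the resource-group scope.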