Skip to main content

Azure Container Apps Setup Guide

Overview

If you are hosting in Microsoft Azure, DataGrail recommends using Azure Container Apps to deploy the Request Manager Agent. Deploying in Azure Container Apps will result in most of the details of load balancing, SSL termination, and service uptime being managed in a simple and standard manner. This toolchain provides simple and robust management of your deployment. To get an overview of Azure Container Apps, check out Microsoft's documentation.

Sourcing the Agent Image

The Request Manager Agent Docker image is hosted in DataGrail's private image registry. Once you have obtained credentials from your DataGrail representative, you can pull the image using the following command:

Pulling the image
# Authenticate with the DataGrail registry
docker login contairium.datagrail.io -u $DATAGRAIL_SUBDOMAIN -p $DATAGRAIL_API_KEY

# Pull the latest Request Manager Agent image (or specify a version)
docker pull contairium.datagrail.io/datagrail-rm-agent:latest

Create an Azure Resource Group

  1. Navigate to Resource Groups (type "Resource group" in the search bar and select the service).
  2. Click Create.
  3. Select your preferred Azure subscription.
  4. Under Resource group, enter a name such as datagrail-rm-agent.
  5. Click Create.

Register an Application and Create Application Credentials

Register an Application

  1. Navigate to App Registrations (type "App registrations" in the search bar).
  2. Click New registration.
  3. Under Name, enter a name such as datagrail-rm-agent.
  4. Leave all other values as default and click Register.

Create Application Credentials

  1. Navigate to the Certificates & secrets module in the left-hand menu.
  2. Click New client secret.
  3. Enter a description such as datagrail-rm-agent.
  4. Copy the Value field immediately after creation. This value will disappear after navigating away from the page.

Create a Key Vault, Store Secrets, and Grant Application RBAC to Key Vault

Create a Key Vault

  1. Navigate to Key Vaults (type "Key vault" in the search bar).
  2. Click Create.
  3. Select your preferred subscription and the datagrail-rm-agent resource group.
  4. Name the key vault dg-agent-secrets.
  5. Select your preferred region and click Create.

Store Secrets

  1. Navigate to Secrets in the Key Vault menu.
  2. Click Generate/Import.
  3. Create the following secrets:
    • DataGrail Application Credentials:
      • Name: datagrail-rm-agent-credentials
      • Value (JSON format): {"client_id": "<arbitrary value>", "client_secret": "<secure string>"}
    • DataGrail Callback Token:
      • Name: datagrail-credentials
      • Value (JSON format): {"token": "<token provided by DataGrail>"}
    • Connector Credentials (e.g., Snowflake):
      • Name: snowflake-credentials
      • Value (JSON format): {"user": "<DB username>", "password": "<DB password>", "account": "<Snowflake Account>", "warehouse": "<Snowflake Warehouse>", "database": "<Snowflake DB>"}

Grant Application RBAC to Key Vault

  1. Navigate to Access control (IAM) in the Key Vault.
  2. Click Role assignments > Add > Add role assignment.
  3. Select Key Vault Secrets User and click Next.
  4. Search for the registered application by name and select it.
  5. Click Review and assign.

Create a Container App, Container Apps Environment, Store Secrets, and Modify Ingress

Create a Container App

  1. Navigate to Container Apps (type "Container Apps" in the search bar).
  2. Click Create.
  3. Select your preferred subscription and the datagrail-rm-agent resource group.
  4. Enter a name such as datagrail-rm-agent for the container app.
  5. Select your preferred region.
  6. Under Container Apps Environment, select Create new.

Create a Container Apps Environment

  1. Enter datagrail-rm-agent as the environment name.
  2. Under Monitoring, ensure Azure Log Analytics is selected.
  3. Create a new Logs Analytics workspace.
  4. Under Networking, select the VNet and subnet for deployment.
  5. Click Create.

Create a Container App (Continued)

  1. De-select Use quickstart image.

  2. Select Azure Container Registry and choose the datagrail-rm-agent registry.

  3. Configure the following environment variables:

    • DATAGRAIL_AGENT_CONFIG: Filled-in configuration JSON object.
    • AZURE_TENANT_ID: Your Azure tenant ID.
    • AZURE_CLIENT_ID: Client ID from step 2.
    • AZURE_CLIENT_SECRET: Placeholder value (to be updated later).

  4. Enable Ingress:

    • Set Client certificate mode to Require.
    • Set Target port to 80.

  5. Click Review and create.

Store Secrets

  1. Navigate to Secrets in the Container App menu.
  2. Create a secret:
    • Key: datagrail-rm-agent-client-id
    • Value: Client ID from step 2.
  3. Navigate to Revisions and click Create a new revision.
  4. Update the AZURE_CLIENT_SECRET source to reference the secret created above.
  5. Click Save and then Create.

Modify Ingress

  1. Navigate to Ingress in the Container App menu.
  2. Under IP Restrictions Mode, select Allow traffic from IPs configured below, deny all other traffic.
  3. Add the following IP address: 52.36.177.91/32 (DataGrail’s IP address).

Grant Container App Permission to Write to Azure Blob Storage

  1. Navigate to Storage accounts (type "Storage accounts" in the search bar).
  2. Select the pre-created DataGrail container.
  3. Under Access Control (IAM), click Add > Add role assignment.
  4. Select Storage Blob Data Contributor and click Next.
  5. Select the registered application created in step 2.
  6. Click Review and assign.

 

Need help?
If you have any questions, please reach out to your dedicated Account Manager or contact us at support@datagrail.io.

Disclaimer: The information contained in this message does not constitute as legal advice. We would advise seeking professional counsel before acting on or interpreting any material.