Before using DuploCloud, ensure the following prerequisites are met.

Read the Access Control section to ensure at least one person has administrator access.

For Kubernetes prerequisites, see the DuploCloud Kubernetes User Guide.

Before you use DuploCloud for Azure, a subdomain-hosted zone must be created to program DNS entries so DuploCloud services can access your specific domain names. Public and private DNS zones are supported. In addition, keys must be added to the DuploCloud configuration that map to the needed DNS entries. Reach out to DuploCloud support staff to accomplish these tasks.

Once the DNS entries are configured, you can use your existing domain names with DuploCloud.

DuploCloud integrates natively with OpenVPN by provisioning VPN users that you add to the Duplocloud Portal. OpenVPN setup is a two-step process.

Accept OpenVPN

Accept OpenVPN in the Azure marketplace and follow the instructions in the Quick Start Guide.

Provision the VPN

1. In the DuploCloud Portal, navigate to Administrator -> System Settings.

2. Click the VPN tab.

3. Click Provision VPN.

After the OpenVPN is provisioned, it is ready to use. Behind the scenes, DuploCloud launches a cloud formation script to provision the OpenVPN.

Provision the VPN and create a user

Provision a VPN while creating a user:

1. In the DuploCloud Portal, navigate to Administrator -> Users.

2. Click Add. The Create User pane displays.

3. Enter a valid email address in the Username field.

4. In the Roles field, select the appropriate role for the User.

5. Select Provision VPN.

6. Click Submit.

Deleting VPN access for a user

For information about removing VPN access for a user, see Deleting a VPN user. To delete VPN access, you must have administrator privileges.

Open a VPN port

By default, users connected to a VPN can SSH or RDP into virtual machines (VMs). Users can also connect to internal load balancers and endpoints of the applications. However, to connect to other services, such as databases and elastic cache, you must open the port to the VPN:

1. In the DuploCloud Portal, navigate to Administrator -> Tenant.

2. Select the Tenant in the Name column.

3. Click the Security tab.

4. Click Add. The Add Tenant Security pane displays.

5. In the Source Type field, select Ip Address.

6. In the IP CIDR field, enter the name of your VPN.

7. Click Add.

Establish secure access to the DuploCloud portal by importing SSL certificates, and creating and configuring the certificates in DuploCloud.

Prerequisites

• Contact the DuploCloud support staff via email or by using your private Slack channel to request the following for SSL certificate setup and configuration:

  • Security Certificate (.crt) file

  • Certificate Private Key

  • Certificate Bundle (.crt) containing the Intermediate and Root Certificates. You can download the Certificate Bundle from https://support.globalsign.com/ca-certificates/intermediate-certificates/alphassl-intermediate-certificates.

Generating the PFX file

Because Azure supports only PFX files for SSL certificates, you must convert the CRT file that DuploCloud provides you to PFX format.

To do this, enter the following using the command line:

openssl pkcs12 -export -out certificate.pfx -inkey <CERTIFICATE_PRIVATE_KEY>.key -in <SECURITY_CERTIFICATE_FILE>.crt -certfile <CERTIFICATE_BUNDLE>.crt

Importing SSL certificates to Azure

After you generate the PFX file, sign in to the Azure Portal and access Azure Key Vault.

1. Select the respective Azure Key Vault for your environment (for example, production versus test) to import the PFX file as shown below.
2. In Azure Key Vault, navigate to Objects -> Certificates and click Generate/Import.
3. When you click Generate/Import, the Create a Certificate form displays. In the Method of Certificate Creation field, select Import.

4. Name the Certificate, using the Certificate Name field.

5. Browse for a file to upload, using the Upload Certificate File field.

6. In the Password field, enter the password you set when you generated the PFX file.
7. Click Create. Even though the certificate is created, notice that the certificate is not yet successfully imported into the vault, as indicated by the No certificates available message, as shown below. To import the certificate, you must obtain the Secret Identifier ARN of this certificate and then configure it in DuploCloud.
8. On the Certificates page, select the certificate from the list, and open the CURRENT VERSION of the certificate, as shown below, to obtain the Secret Identifier.

Configuring the SSL Certificate in DuploCloud

With the Secret Identifier in your Clipboard, you are now ready to configure the certificate in the DuploCloud Portal and

1. In the DuploCloud Portal, navigate to Administrator -> Plans.

2. Select the Plan to which you want to add the certificate from the Name column. The Plans page displays.
3. Click the Certificates tab.
4. Click Add. The Add a Certificate pane displays.
5. Enter a Name for the certificate.

6. Paste the Secret Identifier that you obtained from the Azure Portal (it should be in your Clipboard) into the Certificate ARN field.

7. Click Create.

Using the SSL Certificate for Ingress in DuploCloud

If you use Kubernetes Ingress, you can attach the certificate to the appropriate DuploCloud service in the DuploCloud portal by using the Kubernetes -> Ingress option.

1. In the DuploCloud Portal, navigate to Kubernetes -> Ingress.

2. On the Ingress page, select the Ingress instance for the azure- application-gateway.

3. Click the Ingress Rules tab.

4. From the Actions menu, select Edit.
5. On the Edit Kubernetes Ingress page, select the certificate that you want to attach from the Certificate ARN list box.
6. Click Update.

The certificate is attached to the Ingress application gateway and is available to the service.

DuploCloud integrates natively with OpenVPN by provisioning VPN users added to the Duplocloud portal. As a DuploCloud user, you can access resources in the private network by connecting to the VPN with the OpenVPN client.

Obtain VPN Credentials

User VPN credentials are accessible on the user profile page. It can be accessed through the menu on the upper right of the page or through the Administrator -> Users menu option on the left.

Set up the OpenVPN User Profile and Client App

1. Click the VPN URL link in the VPN Details section of your user profile. Browsers will call the link unsafe since it is using a self-signed certificate. Proceed to it.

5. Open the .ovpn file and click OK in the Import .ovpn profile dialog.

This document provides a step-by-step guide to configure a Managed Identity (MI) in Azure for DuploCloud. DuploCloud requires the VM where it is installed to have owner access to the Azure subscription to launch and manage Azure resources effectively.

Follow these steps post the installation of DuploCloud portal in Azure VM:

Step 1: Create a Managed Identity in Azure

1. Log in to the Azure Portal.

2. Navigate to Managed Identities.

3. Click on + Add to create a new managed identity.

4. Provide the following details:

   • Name: Enter a meaningful name for the managed identity (e.g., duplo-master-managed-identity).

   • Subscription: Select the subscription where the identity will be created.

   • Resource Group: Choose an existing resource group or create a new one.

   • Region: Select the appropriate region for the managed identity.

5. Click Create and wait for the deployment to complete.

Step 2: Assign this Managed Identity to Duplo-Master VM

1. Go to Virtual Machines in the Azure portal and select the VM where DuploCloud is installed.

2. Under the Security section, select Identity.

3. Switch to the User assigned tab and click + Add.

4. Select the managed identity created in Step 1 and click Add.

Step 3: Assign "owner" role to the Managed Identity

1. Go to Subscriptions in the Azure portal and select the subscription where resources will be launched by DuploCloud.

2. Under Access Control (IAM), click + Add -> Add role assignment.

3. Switch to Privileged administrator roles tab

4. Select Owner.

5. In the Assign access to field, choose Managed identity.

6. Search for and select the managed identity created in Step 1.

7. Click Save to complete the role assignment.

Step 4: Assign "owner" role to DuploCloud VM

1. In the same subscription as above, navigate again to Access Control (IAM).

2. Click + Add -> Add role assignment.

3. Switch to Privileged administrator roles tab

4. Select Owner in the Role dropdown.

5. In the Assign access to field, choose Managed Identity.

6. Search for and select the DuploCloud VM.

7. Click Save to apply the changes.

Additional Notes

• Ensure that both the managed identity and the VM are in the same subscription where resources will be launched.

• Verify the assignments under Access Control (IAM) for both the managed identity and the VM to ensure correct configurations.

DuploCloud contains many features that leverage Kubernetes in your cloud environment. In order to create Kubernetes clusters with DuploCloud Azure, you must set the default version of your AKS cluster in DuploCloud's configuration.

Setting the default AKS cluster version for DuploCloud

To set the default AKS cluster version and enable Kubernetes cluster creation:

1. In the DuploCloud Portal, navigate to Administrator -> System Settings.

2. Click the System Config tab.

3. In the System Configs section, click Add. The Add Config pane displays.

4. Select Other from the Config Type list box.

5. Select AppConfig from the Other Config Type list box.

6. In the Key list box, type AKS_DEFAULT_CLUSTER_VERSION.

7. In the Value field, enter the default AKS cluster version number (for example, 1.23.12). When you upgrade your AKS cluster, you will need to update the value of AKS_DEFAULT_CLUSTER_VERSION.
8. Click Submit. The key and value are displayed in the System Config tab.