Azure Infrastructure Requirements for POP Deployment
To deploy CWPP POP services in Azure, the POP deployment uses the Azure infrastructure listed below. The following Azure resources are required, or are provisioned as part of the deployment process:
- Resource Group. A container that holds all the related resources for CWPP.
- VNet (Virtual Network). A virtual network dedicated to the account.
- Subnet. A subnet within the Virtual Network in which the POP infrastructure is configured.
- NAT (Network Address Translation) Gateway. Azure service that provides outbound internet connectivity for the subnet in the virtual network.
- Network Security Group. Filters network traffic to and from Azure resources in an Azure virtual network.
- Availability Zone. An availability zone is a logical data center in a region available for use.
- Network Interface. Enables an Azure Virtual Machine to communicate with the internet, Azure, and on-premises resources.
- Virtual Machine. Virtual server to run the application with the given virtual machine size, username and authentication type.
- Virtual Machine Scale Set. Provides and manages the load-balanced secondary virtual machines.
- Bastion Host. Provides secure and seamless RDP and SSH access to the virtual machine (i.e., the POP) directly through the Azure Portal.
- Load balancers. Routes incoming traffic across multiple targets.
- Private Endpoints. Enable a private connection between the Virtual Network and an endpoint service powered by Azure Private Link.
- Private Link Service. To provide private connectivity between the virtual network and CWPP application hosted in Azure.
- Storage Account. File storage account that stores the logs of the POP services running in the virtual machine and Virtual Machine Scale Sets, within and across multiple Availability Zones, and that provides object storage for the deployment artifacts (PoPDeployment.tar, RunAzureDeployment.sh).
- Role-Based Access Control. Set of permissions to manage the Azure resources.
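As an added example (not part of this page or of the CWPP deployment tooling), the Python audit below reads a Network Security Group's rules and reports whether SSH or RDP is admitted from the Internet, which the Bastion Host listed above is meant to make unnecessary. The rule JSON shape is an assumption, matching the flattened output of `az network nsg show -o json`, and the sample NSG is constructed.

```python
"""Audit an Azure NSG for SSH/RDP admitted from the Internet (first match wins, by priority).
Assumed rule shape: the flattened JSON that `az network nsg show -o json` emits."""
MGMT_PORTS = {22: "SSH", 3389: "RDP"}
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0"}

def _port_ranges(rule):
    """Yield (low, high) for the rule's destination port spec(s)."""
    for spec in rule.get("destinationPortRanges") or [rule.get("destinationPortRange") or "*"]:
        if spec == "*":
            yield 0, 65535
        else:
            low, _, high = spec.partition("-")
            yield int(low), int(high or low)

def _matches(rule, port):
    """True if inbound TCP from the Internet to `port` would hit this rule."""
    sources = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix") or "*"]
    return (rule.get("direction") == "Inbound"
            and (rule.get("protocol") or "*").lower() in ("*", "tcp")
            and any(s.lower() in INTERNET_SOURCES for s in sources)
            and any(low <= port <= high for low, high in _port_ranges(rule)))

def exposed_mgmt_ports(nsg):
    """Return {port: rule_name} for each management port whose first matching rule is an Allow."""
    rules = sorted(nsg.get("securityRules", []) + nsg.get("defaultSecurityRules", []),
                   key=lambda r: r["priority"])
    findings = {}
    for port in MGMT_PORTS:
        for rule in rules:
            if _matches(rule, port):
                if rule["access"] == "Allow":
                    findings[port] = rule["name"]
                break  # first match decides; lower-priority rules are never reached
    return findings

# Constructed sample: SSH opened to the world at priority 100, RDP explicitly
# denied at 110, plus Azure's built-in DenyAllInBound at 65500.
SAMPLE_NSG = {
    "securityRules": [
        {"name": "allow-ssh-anywhere", "priority": 100, "direction": "Inbound", "access": "Allow",
         "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
        {"name": "deny-rdp-internet", "priority": 110, "direction": "Inbound", "access": "Deny",
         "protocol": "*", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
    ],
    "defaultSecurityRules": [
        {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
         "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
    ],
}
```

Running `exposed_mgmt_ports(SAMPLE_NSG)` reports only SSH, because the explicit deny at priority 110 is matched before the default rules for RDP.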