Deploying Cube Cloud BYOC on Azure
With Bring Your Own Cloud (BYOC) on Azure, all the components interacting with private data are deployed on the customer infrastructure on Azure and managed by the Cube Cloud Control Plane via the Cube Cloud Operator. This document provides step-by-step instructions for deploying Cube Cloud BYOC on Azure.
Overall Design
Cube Cloud will gain access to your Azure account via the Cube Cloud Provisioner Enterprise App.
It will leverage a dedicated subscription where it will create a new Resource Group and bootstrap all the necessary infrastructure. At the center of the BYOC infrastructure are two AKS clusters that provide compute resources for the Cube Store and all Cube deployments you configure in the Cube Cloud UI. These AKS clusters will have a Cube Cloud operator installed in them that is connected to the Cube Cloud Control Plane. The Cube Cloud Operator receives instructions from the Control Plane and dynamically creates or destroys all the necessary Kubernetes resources required to support your Cube deployments.
Prerequisites
The bulk of provisioning work will be done remotely by Cube Cloud automation. However, to get started, you'll need to provide Cube with the necessary access along with some additional information that includes:
- Azure Tenant ID - the Entra ID of your Azure account
- Azure Subscription ID - The target subscription where Cube Cloud will be granted admin permissions to provision the BYOC infrastructure
- Region - The target Azure region where Cube Cloud BYOC will be installed
Provisioning access
Add Cube tenant to your organization
First you should add the Cube Cloud tenant to your organization. To do this, open the Azure Portal (opens in a new tab) and go to Azure Active Directory → External Identities → Cross-tenant access settings → Organizational Settings → Add Organization.
For Tenant ID, enter 197e5263-87f4-4ce1-96c4-351b0c0c714a
.
Make sure that B2B Collaboration → Inbound Access → Applications is set to Allows access.
Register Cube Cloud service principal at your organization
To register the Cube Cloud service principal for your organization, follow these steps:
- Log in with an account that has permissions to register Enterprise applications.
- Open a browser tab and go to the following URL, replacing
<TENANT_ID>
with your tenant ID:https://login.microsoftonline.com/<TENANT_ID>/oauth2/authorize?client_id=0c5d0d4b-6cee-402e-9a08-e5b79f199481&response_type=code&redirect_uri=https%3A%2F%2Fwww.microsoft.com%2F
- The Cube Cloud service principal has specific credentials. Check that the following details match exactly what you see on the dialog box that pops up:
- Client ID:
d1c59948-4d4a-43dc-8d04-c0df8795ae19
- Name:
cube-cloud-byoc-provisioner
Once you have confirmed that all the information is correct, select Consent on behalf of your organization and click Accept.
Grant admin permissions on your BYOC Azure Subscription to the cube-cloud-byoc-provisioner
On the Azure Portal (opens in a new tab), go to Subscriptions
→ Your BYOC Subscription → IAM→ Role Assignment
and assing Contributor
and Role Based Access Control Administrator
to the cube-cloud-byoc-provisioner
Service Principal.
Deployment
The actual deployment will be done by Cube Cloud automation. All that's left to do is notify your Cube contact point that access has been granted, and pass along your Azure Tenant/Subscription/Region information.