Set Up Azure Subscription and Vnet for Private Data
Azure private data processing involves running an Alteryx Analytics Cloud (AAC) data processing cluster inside of your Azure subscription and Vnet. This combination of your infrastructure, together with Alteryx-managed Azure resources and software, is commonly referred to as a private data processing.
This page focuses on how to set up your Azure subscription and Vnet for a private data processing on AACAAC.
Note
The Azure subscription and Vnet setup require access and permissions to the Azure portal. If you don’t have this access, please contact your IT team to complete this step.
Attention
Never delete resources provisioned for Private Data Processing.
Setup Steps
Important
To continue with these steps, you must have Azure Application Developer
and Owner
RBAC roles assigned to you.
Step 1: Select the Azure Subscription
Select the subscription where you’d like to run your private data processing.
To improve performance and reduce egress costs, your blob storage and private data handling AKS cluster should be in the same region and resource group that you selected for private data storage. This applies to any data sources that you want to connect to the AACAAC.
The VPC created in the Azure subscription should be dedicated to AACAAC. You can set up connectivity to private data sources using VPC peering, transit gateways, PrivateLink, or others.
Step 2: Create Resource Group
Azure cloud resources required by AACAAC deploy in a resource group.
Create a resource group with the name
aac_resource_group
.Note
aac_resource_group
is an example name in this guide. You can choose any name for the resource group.Tag the resource group with these parameters:
Tag Name:
AACResource
Tag Value:
aac
Review and create the resource group.
Step 3: Configure IAM
With your Azure subscription in place, now set up the service principal and access keys.
Note
You can use the same app registration to provision the private data processing in a different subscription under the same tenant.
Step 3a: Create an App Registration (Service Account)
Create a new registration with the name
aac_automation_sa
.On Supported account types, select Accounts in this organizational directory only (Any Microsoft Entra ID tenant - Multitenant).
Select Register.
Generate an Access Key:
Select the app registration you just created.
Select Certificates & secrets.
Select Client secrets.
Select New client secret.
Select Add.
Note
You'll need the app registration client id
and secret key
to provision the cloud resources for private data processing.
Step 3b: Create IAM Custom Role
You need to create a custom IAM role. Name the IAM role AAC_Base_SA_Role
and attach the following role document. We recommend that you use the JSON tab instead of the visual editor. AACAAC does requires some * permissions to run. Expect some security warnings when you create the role.
{ "properties": { "roleName": "AAC_Base_SA_Role", "description": "Custom role for provisioning AAC private data handling", "assignableScopes": [ "/subscriptions/<subscription ID>" ], "permissions": [ { "actions": [ "Microsoft.Authorization/*/read", "Microsoft.Network/applicationGateways/backendAddressPools/join/action", "Microsoft.Network/locations/*", "Microsoft.Network/networkInterfaces/*", "Microsoft.Network/networkSecurityGroups/read", "Microsoft.Network/publicIPAddresses/read", "Microsoft.Network/virtualNetworks/read", "Microsoft.Resources/deployments/*", "Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.Resources/subscriptions/read", "Microsoft.Resources/subscriptions/operationresults/read", "Microsoft.Storage/storageAccounts/*", "Microsoft.KeyVault/*", "Microsoft.Network/virtualNetworks/subnets/read", "Microsoft.Network/routeTables/routes/read", "Microsoft.Network/routeTables/read", "Microsoft.Authorization/roleDefinitions/write", "Microsoft.Authorization/roleDefinitions/delete", "Microsoft.Authorization/roleAssignments/delete" ], "notActions": [], "dataActions": [], "notDataActions": [] } ] } }
Important
AAC_Base_SA_Role
is an example role name. You can choose any name for the role, but the name must start with AAC_Base
.
Step 3c: Bind Custom Role to App Registration in the Subscription
Select the subscription created in Step 1.
Select Access control (IAM).
Select Add and then select Add role assignment.
Select the custom role created in Step 3b.
The custom role might be in the Job function roles or Privileged administrator roles tab.
Select Next.
Under Members, select the app registration created in Step 3a.
Select Review and Assign.
Step 4: Create Network Security Group (NSG)
Create a network security group in the resource group
aac_resource_group
.Tag the network security group with these parameters:
Tag Name:
AACResource
Tage Value:
aac
Step 5: Configure Virtual Private Network
Step 5a: Create Virtual Network (Vnet)
Create a virtual network in the resource group
aac_resource_group
.Astuce
Azure creates a default address space and a default subnet. Delete the default subnet and update the address space.
Add these IPv4 address spaces depending on which modules you want to deploy. You might need to create the Vnet with a single address space and then select Settings > Address space to add the second.
For Designer Cloud and Machine Learning, add
/18
and/22
address spaces.For Cloud Execution for Desktop, add
/22
address space
Tag the Vnet with these parameters:
Tage Name:
AACResource
Tag Value:
aac
Step 5b: Configure Feature Flag
Register the EnableAPIServerVnetIntegrationPreview
feature flag on your Azure Subscription.
Note
Connections to private data sources require network paths between the Vnet and the data source. As defined in the shared responsibility matrix, you set up these network paths in accordance with your own network policies and preferences.
Step 6: Trigger Private Data Handling Provisioning
Data processing provisioning triggers from the Admin Console inside AACAAC. You need Workspace Admin privileges within a workspace in order to see it.
From the AACAAC landing page, select the Profile menu and then select Workspace Admin.
From the Admin Console, select Private Data Handling and then select Processing.
Attention
Si vous modifiez ou supprimez l'une des ressources de cloud public provisionnées par AAC une fois que la gestion des données privées est provisionnée, l'état sera défini sur incohérent. Cette incohérence déclenche des erreurs lors de l'exécution de la tâche ou du désapprovisionnement de la configuration de gestion du plan de données privé.
Make sure that Private Data Storage shows Successfully Configured
before you proceed. If the status is Not Configured
, go to ADLS as Private Data Storage first, then return to this step.
Under the Processing section, enter the required Environment Details from the Azure subscription and Vnet setup steps you just completed:
Enter the Azure Tenant ID. This is also known as Directory ID.
Enter the Azure Subscription ID.
Enter the Resource Group Name.
Enter the Virtual Network Id.
Select the Region of the Azure subscription you want to use for private data processing.
Enter the Client ID. This is also known as Application ID.
Enter the Client Secret.
Select Create.
Selecting Create triggers the deployment of the cluster and resources in your Azure subscription. This runs a set of validation checks to verify the correct configuration of the Azure subscription. If there are incorrectly configured permissions, or the creation or tagging of the Vnet resources is incorrect, you’ll receive an error message with a description that should point you in the right direction.