Skip to main content

Set Up Azure Subscription and Vnet for Private Data

Azure private data processing involves running an Alteryx Analytics Cloud (AAC) data processing cluster inside of your Azure subscription and Vnet. This combination of your infrastructure, together with Alteryx-managed Azure resources and software, is commonly referred to as a private data plane.

This page focuses on how to set up your Azure subscription and Vnet for a private data plane on AACAAC.

Note

The Azure subscription and Vnet setup require access and permissions to the Azure portal. If you don’t have this access, please contact your IT team to complete this step.

Attention

Never delete resources provisioned for Private Data Processing.

Setup Steps

Important

To continue with these steps, you must have Azure Application Developer and Owner RBAC roles assigned to you.

Step 1: Select the Azure Subscription

Select the subscription where you’d like to run your private data plane.

To improve performance and reduce egress costs, your blob storage and private data handling AKS cluster should be in the same region and resource group that you selected for private data storage. This applies to any data sources that you want to connect to the AACAAC.

The VPC created in the Azure subscription should be dedicated to AACAAC. You can set up connectivity to private data sources using VPC peering, transit gateways, PrivateLink, or others.

Step 2: Create Resource Group

Azure cloud resources required by AACAAC deploy in a resource group.

  1. Create a resource group with the name aac_resource_group.

    Note

    aac_resource_group is an example name in this guide. You can choose any name for the resource group.

  2. Tag the resource group with these parameters:

    1. Tag Name: AACResource

    2. Tag Value: aac

  3. Review and create the resource group.

Step 3: Configure IAM

With your Azure subscription in place, now set up the service principal and access keys.

Note

You can use the same app registration to provision the private data plane in a different subscription under the same tenant.

Step 3a: Create an App Registration (Service Account) 

  1. Create a new registration with the name aac_automation_sa.

  2. On Supported account types, select Accounts in this organizational directory only (Any Microsoft Entra ID tenant - Multitenant).

  3. Select Register.

  4. Generate an Access Key:

    1. Select the app registration you just created.

    2. Select Certificates & secrets.

    3. Select Client secrets.

    4. Select New client secret.

    5. Select Add.

Note

You'll need the app registration client id and secret key to provision the cloud resources for private data processing.

Step 3b: Create IAM Custom Role

You need to create a custom IAM role. Name the IAM role AAC_Base_SA_Role and attach the following role document. We recommend that you use the JSON tab instead of the visual editor. AACAAC does requires some * permissions to run. Expect some security warnings when you create the role.

{
    "properties": {
        "roleName": "AAC_Base_SA_Role",
        "description": "Custom role for provisioning AAC private data handling",
        "assignableScopes": [
            "/subscriptions/<subscription ID>"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Authorization/*/read",
                    "Microsoft.Network/applicationGateways/backendAddressPools/join/action",
                    "Microsoft.Network/locations/*",
                    "Microsoft.Network/networkInterfaces/*",
                    "Microsoft.Network/networkSecurityGroups/read",
                    "Microsoft.Network/publicIPAddresses/read",
                    "Microsoft.Network/virtualNetworks/read",
                    "Microsoft.Resources/deployments/*",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Resources/subscriptions/read",
                    "Microsoft.Resources/subscriptions/operationresults/read",
                    "Microsoft.Storage/storageAccounts/*",
                    "Microsoft.KeyVault/*",
                    "Microsoft.Network/virtualNetworks/subnets/read",
                    "Microsoft.Network/routeTables/routes/read",
                    "Microsoft.Network/routeTables/read",
                    "Microsoft.Authorization/roleDefinitions/write",
                    "Microsoft.Authorization/roleAssignments/delete"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

Important

AAC_Base_SA_Role is an example role name. You can choose any name for the role, but the name must start with AAC_Base.

Step 3c: Bind Custom Role to App Registration in the Subscription

  1. Select the subscription created in Step 1.

  2. Select Access control (IAM).

  3. Select Add and then select Add role assignment.

  4. Select the custom role created in Step 3b.

    1. The custom role might be in the Job function roles or Privileged administrator roles tab.

  5. Select Next.

  6. Under Members, select the app registration created in Step 3a.

  7. Select Review and Assign.

Step 4: Create Network Security Group (NSG)

  1. Create a network security group in the resource group aac_resource_group.

  2. Tag the network security group with these parameters:

    1. Tag Name: AACResource

    2. Tage Value: aac

Step 5: Configure Virtual Private Network

Step 5a: Create Virtual Network (Vnet)

  1. Create a virtual network with the name aac_vpc in the resource group aac_resource_group.

    Astuce

    Azure creates a default address space and a default subnet. Delete the default subnet and update the address space.

  2. Add these IPv4 address spaces depending on which modules you want to deploy. You might need to create the Vnet with a single address space and then select Settings > Address space to add the second.

    1. For Designer Cloud and Machine Learning, add /18 and /22 address spaces.

    2. For Cloud Execution for Desktop, add /22 address space

  3. Tag the Vnet with these parameters:

    1. Tage Name: AACResource

    2. Tag Value: aac

Step 5b: Configure Feature Flag

Register the EnableAPIServerVnetIntegrationPreview feature flag on your Azure Subscription.

Note

Connections to private data sources require network paths between the Vnet and the data source. As defined in the shared responsibility matrix, you set up these network paths in accordance with your own network policies and preferences.

Step 6: Trigger Private Data Handling Provisioning

Data plane provisioning triggers from the Admin Console inside AACAAC. You need Workspace Admin privileges within a workspace in order to see it.

  1. From the AACAAC landing page, select the Profile menu and then select Workspace Admin.

  2. From the Admin Console, select Private Data Handling and then select Processing.

Attention

Si vous modifiez ou supprimez l'une des ressources de cloud public provisionnées par AAC une fois que la gestion des données privées est provisionnée, l'état sera défini sur incohérent. Cette incohérence déclenche des erreurs lors de l'exécution de la tâche ou du désapprovisionnement de la configuration de gestion du plan de données privé.

Make sure that Private Data Storage shows Successfully Configured before you proceed. If the status is Not Configured, go to  ADLS as Private Data Storage first, then return to this step.

Under the Processing section, enter the required Environment Details from the Azure subscription and Vnet setup steps you just completed:

  1. Enter the Azure Tenant ID. This is also known as Directory ID.

  2. Enter the Azure Subscription ID.

  3. Enter the Resource Group Name.

  4. Enter the Virtual Network Id.

  5. Select the Region of the Azure subscription you want to use for private data processing.

  6. Enter the Client ID.This is also known as Application ID.

  7. Select Create.

Selecting Create triggers the deployment of the cluster and resources in your Azure subscription. This runs a set of validation checks to verify the correct configuration of the Azure subscription. If there are incorrectly configured permissions, or the creation or tagging of the Vnet resources is incorrect, you’ll receive an error message with a description that should point you in the right direction.

Dans cette section​: