Skip to main content

Cloud Execution for Desktop in Azure

Follow this guide to deploy the Cloud Execution for Desktop (CEfD) module for Azure private data processing.

Prerequisite

Before you deploy the CEfD module, you must complete these steps on the Set Up Azure Subscription and Vnet for Private Data page...

  1. Configured a resource group dedicated to Alteryx Analytics Cloud (AAC) as mentioned in the Create Resource Group section.

  2. Configured a Vnet dedicated to AACAAC as mentioned in the Configure Virtual Private Network section.

  3. App registration and base IAM policy attached to the service account as mentioned in the Configure IAM section.

  4. Successfully triggered private data processing provisioning as mentioned in the Trigger Private Data Handling Provisioning section.

Subscription Setup

Step 1: Configure IAM

Step 1a: Create IAM Custom Role

You need to create a custom IAM role. Name it AAC_CEFD_SA_Role and use the following role document. We recommend using the JSON tab instead of the visual editor. AACAAC requires some * permissions to run. Expect some security warnings when you create the role.

注記

AAC_CEFD_SA_Role is an example role name. You can choose any name for the role, but the name must start with AAC_CEFD.

重要

You must update the "assignableScopes" scope of this custom role. Replace <subscription ID> with your subscription ID.

{
    "properties": {
        "roleName": "AAC_CEFD_SA_Role",
        "description": "Custom role for provisioning AAC private data handling",
        "assignableScopes": [
            "/subscriptions/<subscription ID>"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Authorization/*/read",
                    "Microsoft.Compute/availabilitySets/*",
                    "Microsoft.Compute/locations/*",
                    "Microsoft.Compute/virtualMachines/*",
                    "Microsoft.Compute/virtualMachineScaleSets/*",
                    "Microsoft.Compute/cloudServices/*",
                    "Microsoft.Compute/disks/write",
                    "Microsoft.Compute/disks/read",
                    "Microsoft.Compute/disks/delete",
                    "Microsoft.Network/applicationGateways/backendAddressPools/join/action",
                    "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
                    "Microsoft.Network/loadBalancers/inboundNatPools/join/action",
                    "Microsoft.Network/loadBalancers/inboundNatRules/join/action",
                    "Microsoft.Network/loadBalancers/probes/join/action",
                    "Microsoft.Network/loadBalancers/read",
                    "Microsoft.Network/locations/*",
                    "Microsoft.Network/networkInterfaces/*",
                    "Microsoft.Network/networkSecurityGroups/join/action",
                    "Microsoft.Network/networkSecurityGroups/read",
                    "Microsoft.Network/networkSecurityGroups/write", 
                    "Microsoft.Network/networkSecurityGroups/delete",
                    "Microsoft.Network/publicIPAddresses/join/action",
                    "Microsoft.Network/publicIPAddresses/read",
                    "Microsoft.Network/virtualNetworks/read",
                    "Microsoft.Network/virtualNetworks/subnets/join/action",
                    "Microsoft.RecoveryServices/locations/*",
                    "Microsoft.ResourceHealth/availabilityStatuses/read",
                    "Microsoft.Resources/deployments/*",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Resources/subscriptions/read",
                    "Microsoft.Resources/subscriptions/operationresults/read",
                    "Microsoft.KeyVault/*",
                    "Microsoft.Network/virtualNetworks/subnets/read",
                    "Microsoft.ManagedIdentity/userAssignedIdentities/read",
                    "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
                    "Microsoft.Network/routeTables/routes/write",
                    "Microsoft.Network/routeTables/routes/read",
                    "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/read",
                    "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write",
                    "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/delete",
                    "Microsoft.ManagedIdentity/userAssignedIdentities/delete",
                    "Microsoft.ManagedIdentity/userAssignedIdentities/write",
                    "Microsoft.Network/routeTables/read",
                    "Microsoft.Network/routeTables/write",
                    "Microsoft.Authorization/roleAssignments/write",
                    "Microsoft.Authorization/roleAssignments/delete",
                    "Microsoft.Insights/autoScaleSettings/write",
                    "Microsoft.Insights/autoScaleSettings/read",
                    "Microsoft.Insights/autoScaleSettings/delete"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

Step 1b: Bind Custom Role to App Registration in the Subscription

Add the AAC_CEFD_SA_Role IAM custom role to the aac_automation_sa service account created on the Set Up Azure Subscription and Vnet for Private Data page.

Step 1c: Create Custom Role for CEFD Auto-Scaling

Azure Function manages the CEFD VM auto-scaling. Create a custom IAM role with the name AAC_CEFD_FunctionAccessRole and attach this policy document:

重要

You must update the "assignableScopes" scope of this custom role. Replace <subscription ID> with your subscription ID.

{
    "properties": {
        "roleName": "AAC_CEFD_FunctionAccessRole",
        "description": "Custom role to grant Azure Functions access to storage accounts, vault secrets, and VMSS",
        "assignableScopes": [
            "/subscriptions/<subscription ID>"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Storage/storageAccounts/read",
                    "Microsoft.Storage/storageAccounts/listKeys/action",
                    "Microsoft.Storage/storageAccounts/blobServices/containers/*",
                    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*",
                    "Microsoft.KeyVault/vaults/read",
                    "Microsoft.KeyVault/vaults/secrets/read",
                    "Microsoft.Compute/virtualMachineScaleSets/read",
                    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
                    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write",
                    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/extensions/write",
                    "Microsoft.Compute/virtualMachineScaleSets/extensions/write"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

Step 2: Route Table

Create the route table for your subnets.

重要

You must configure the Vnet with a network connection to the internet in your subscription.

注記

This route table is an example.

Address Prefix

Next Hop Type

/22 CIDR Block

v-net

0.0.0.0/0

<gateway_ID>

注記

Your <gateway id> can be either a NAT gateway created per AZ or a transit gateway, depending on your network architecture.

Step 3: Configure Subnet

CEfD in the private data processing requires 1 subnet.

  • aac_option: Use this group if you enable Cloud Execution for Desktop within your private data processing. If you enable this option, an AMI swarm runs in this subnet to handle Designer Desktop processing jobs that run in the cloud.

Step 3a: Create Subnet in the Vnet

Configure subnets in the aac_vpc VPC.

Follow this example to create subnets with subnet name, subnet size, and other configurations (modify values, as needed, to meet your network architecture). Attach the Network security group created on the Set Up Azure Subscription and Vnet for Private Data page to the subnets.

Address Space

Subnet Name

Subnet

Service Endpoints

Route Table

Notes

10.10.0.0/22

aac_option

10.10.0.0/23

Microsoft.Storage

Microsoft.KeyVault

Attach to the route table created in Step 2.

重要

10.10.0.0/22 is an example. The subnet name must match with the name as shown in the table.

Step 4: Quota Adjustment

Adjust quotas per these parameters:

CPU Limits

  • Quota Name: Total Regional vCPUs

    • Scope: Regional

    • Azure default quota value: 10

    • Applied quota value: 2500

  • Quota Name: Standard Basv2 Family vCPUs

    • Scope: Regional

    • Azure default quota value: 10

    • Applied quota value: 2500

Private Data Processing

注意

プライベートデータ処理がプロビジョニングされた後で、 AACプロビジョニングされたパブリッククラウドリソースのいずれかの変更または削除をすると、一貫性のない状態になります。この一貫性のない状態は、ジョブの実行中またはプライベートデータプレーン処理設定のプロビジョニング解除中に、エラーを発生させます。

Step 1: Trigger CEfD Deployment

CEfD provisioning triggers from the Admin Console inside AACAAC. You need Workspace Admin privileges within a workspace in order to see it.

  1. From the AACAAC landing page, select the Profile menu and then select Workspace Admin.

  2. From the Admin Console, select Private Data Handling and then select Processing.

  3. Select the Cloud Execution for Desktop checkbox and then select Update.

Selecting Update triggers the deployment of the cluster and resources in the Azure subscription. This runs a set of validation checks to verify the correct configuration of the Azure subscription.

注記

The provisioning process takes approximately 35–40 minutes to complete.

After the provisioning completes, you can view the created resources (for example, VM instances and node pools) through the Azure portal. It is very important that you don't modify them on your own. Manual changes might cause issues with the function of the private data processing.