Skip to main content
Version: 2.7

AKS cluster prerequisites

This topic provides the list of permissions and actions required for managing Azure clusters. These permissions and actions are essential for managing Azure clusters effectively. Ensuring that the necessary permissions are granted helps to maintain a secure and well-functioning cluster environment. The following section outlines the:

  • Portworx Backup prerequisites

  • Permissions required to install Portworx Backup on an AKS cluster

  • Permissions required to add an AKS cluster as application cluster in Portworx Backup

    note

    Regardless of the security principal (user, group, service principal or managed identity) you have created in Azure Portal, the permissions to create role definition specified in the below sections remain the same.

Portworx Backup prerequisites

  1. Before adding your AKS cluster to Portworx Backup, make sure that:

  2. From Azure Cloud Shell create the following:

    • Azure Storage account in Azure

      az storage account list --resource-group <ResourceGroupName> --query "[].{Name:name}" --output table
    • Azure storage account key

      az storage account keys list --resource-group <ResourceGroupName> --account-name <StorageAccountName> --query "[0].value"

      Output:

      az storage account keys list --resource-group "resource_group_name"--account-name "storage_account_name"
      [
      {
      "creationTime": null,
      "keyName": "key1",
      "permissions": "FULL",
      "value": "azure-storage-account-key1"
      },
      {
      "creationTime": null,
      "keyName": "key2",
      "permissions": "FULL",
      "value":"azure-storage-account-key2"
      }
      ]
      note

      You can pick any one of the key values as the storage account key from this output. Alternatively, you can also get the account key details from the Azure cloud portal.

  3. Before adding an Azure cloud account in Portworx Backup, fetch the following mandatory (optional as well, if your environment requires) parameters:

    • Mandatory parameters

      • Cloud account name
      • Storage account name
      • Storage account key
    • Optional parameters

      • Subscription ID
      • Client ID
      • Client Secret
      • Tenant ID

    You can add the above optional parameters at a later point in time in the Portworx Backup user interface. Hence, you can fetch them later.

    note

    These optional parameters are mandatory to:

    • Add an Azure immutable container as backup location.
    • To restore/delete cloud-native backups taken prior to Portworx Backup 2.7.0.

Permissions to install Portworx Backup

You need the following permissions/actions to bring up Portworx Backup on any cluster:

PermissionsPurpose
Microsoft.Compute/disks/deleteAllows the deletion of managed disks. This is essential for managing storage and cleaning up unused resources.
Microsoft.Compute/disks/writeGrants permission to create or update managed disks. This is crucial for provisioning storage for virtual machines.
Microsoft.Compute/disks/readEnables reading the properties and metadata of managed disks. Necessary for monitoring and managing disk resources.
Microsoft.Compute/virtualMachines/writePermits creating or updating virtual machines. This is essential for provisioning and configuring VMs.
Microsoft.Compute/virtualMachines/readAllows reading the properties and metadata of virtual machines. This is necessary for monitoring and managing VMs.
Microsoft.Network/loadBalancers/readEnables reading the properties and metadata of load balancers. This is important for managing and monitoring network traffic distribution.
Microsoft.Network/loadBalancers/writePermits creating or updating load balancers. This is essential for configuring and managing network traffic distribution.
Microsoft.Network/loadBalancers/deleteAllows for the deletion of load balancers. This is crucial for cleaning up and managing network resources.
Microsoft.Network/publicIPAddresses/readEnables reading the properties and metadata of public IP addresses. This is necessary for managing public-facing network resources.
Microsoft.Network/publicIPAddresses/writePermits creating or updating public IP addresses. This is essential for provisioning public-facing network resources.
Microsoft.Network/publicIPAddresses/deleteAllows for the deletion of public IP addresses. This is important for managing and cleaning up network resources.
Microsoft.Network/publicIPAddresses/join/actionGrants permission to join public IP addresses to resources. This is crucial for associating public IP addresses with network resources.
Microsoft.Network/loadBalancers/loadBalancingRules/readAllows reading the properties and metadata of load balancing rules. This is necessary for monitoring and managing load balancer rules.
Microsoft.Network/loadBalancers/probes/readEnables reading the properties and metadata of load balancer probes. This is important for managing and monitoring load balancer health checks.
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/
networkInterfaces/read
Grants permission to read the properties and metadata of network interfaces attached to VM scale set instances. This is necessary for monitoring and managing network configurations of scale set VMs.
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/
networkInterfaces/ipconfigurations/publicipaddresses/read
Allows reading the properties and metadata of public IP addresses attached to network interfaces of VM scale set instances. This is crucial for managing and monitoring public-facing network configurations.
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/writeGrants permission to create or update virtual machines within a scale set, important for scaling and managing VM instances.
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/readAllows reading the properties and metadata of virtual machines within a scale set, necessary for monitoring and managing VM instances.
Microsoft.Compute/virtualMachineScaleSets/readEnables reading the properties and metadata of VM scale sets, important for monitoring and managing scale sets.
Microsoft.Network/networkSecurityGroups/readEnables reading the properties and metadata of network security groups. This is necessary for monitoring and managing network security configurations.
Microsoft.Network/networkSecurityGroups/writeGrants permission to create or update network security groups. This is essential for configuring and managing network security settings.
note

Sometimes creation of an Azure custom role takes at least 20 minutes for the role (with the specified permissions) to reflect in your Azure cluster environment.

Permissions to add application cluster

You need the following list of permissions/actions required to add a cluster as an application cluster:

PermissionsPurpose
Microsoft.Compute/disks/beginGetAccess/actionGrants temporary access to a disk, typically used for scenarios where a disk snapshot needs to be accessed or copied.
Microsoft.Compute/snapshots/deleteAllows for the deletion of snapshots, crucial for managing storage and ensuring outdated snapshots are removed.
Microsoft.Compute/snapshots/writePermits creating or updating snapshots of virtual machine disks, essential for backup and restore operations.
Microsoft.Compute/snapshots/readEnables reading snapshot properties and metadata, necessary for monitoring and managing snapshots.
Microsoft.Compute/disks/writeGrants permission to create or update managed disks. This is crucial for provisioning storage for virtual machines.
Microsoft.Compute/disks/readEnables reading the properties and metadata of managed disks. Necessary for monitoring and managing disk resources.
Microsoft.Compute/disks/deleteAllows the deletion of managed disks. This is essential for managing storage and cleaning up unused resources.
Microsoft.Storage/storageAccounts/readEnables reading the properties and metadata of storage accounts, necessary for accessing and managing storage resources.
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/writeGrants permission to create or update virtual machines within a scale set, important for scaling and managing VM instances.
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/readAllows reading the properties and metadata of virtual machines within a scale set, necessary for monitoring and managing VM instances.
Microsoft.Compute/virtualMachineScaleSets/readEnables reading the properties and metadata of VM scale sets, important for monitoring and managing scale sets.

You can now add an Azure cloud account in Portworx Backup with the inputs obtained from the above steps.

Restore prerequisites

If you have to restore a backup of Azure volumes created in an Azure cluster or you have to restore a backup to a cluster in a different resource group, follow the below steps.

note

Following steps are not required if you have backed up some applications and want to restore to a cluster in the same resource group or if both the clusters are created with the same managed identity/service principal, or if you want to restore Portworx volumes then these steps are not required.

  1. Create a custom role with the following JSON content and command:

    a. JSON content

    {

    "Name": "<custom_role_name>",
    "Description": "",
    "AssignableScopes": [
    "/subscriptions/<subscription_ID>"
    ],
    "Permissions": [
    {
    "Actions": [
    "Microsoft.Compute/disks/beginGetAccess/action"
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": []
    }
    ]
    }

    b. Command:

    az role definition create --role-definition roles.json
  2. Fetch your AKS Infrastructure Resource Group Name with the following command:

    az aks show -n <aks_cluster_name> -g <source_backup_resource_group_name> | jq -r '.nodeResourceGroup'
  3. Get the Principal ID associated with your Kubernetes source cluster

    az aks show --resource-group <destination_cluster_resource_group_name> --name <kubernetes_cluster_name> --query identity
  4. Add Assignee with the following command:

    az role assignment create --assignee <"Principal_Id"> --role <"Role_name"> --scope "/subscriptions/<Subscription_Id>/resourceGroups/<AKS_Infrastructure_Resource_Name>"

Network prerequisites

Make sure that the following ports are open or enabled in Portworx Backup cluster:

PortPurpose
10001For REST API communication
10002For gRPC server communication

Related topics:

Was this page helpful?