
Post on 27-Jun-2020


Kony Fabric

Installation Guide for Kony Fabric on

Microsoft Azure Cloud

Release V8 SP4

Document Relevance and Accuracy

This document is considered relevant to the Release stated on this title page and the document version stated on the Revision History page. Remember to always view and download the latest document version relevant to the software release you are using.

© 2018 by Kony, Inc. All rights reserved 1 of 153


Installation Guide

for Kony Fabric on Azure Cloud Version 1.6

Copyright © 2017 Kony, Inc.

All rights reserved.

January, 2020

This document contains information proprietary to Kony, Inc., is bound by the Kony license agreements, and may not be used except in the context of understanding the use and methods of Kony, Inc., software without prior, express, written permission. Kony, Empowering Everywhere, Kony Fabric, Kony Nitro, and Kony Visualizer are trademarks of Kony, Inc. MobileFabric is a registered trademark of Kony, Inc. Microsoft, the Microsoft logo, Internet Explorer, Windows, and Windows Vista are registered trademarks of Microsoft Corporation. Apple, the Apple logo, iTunes, iPhone, iPad, OS X, Objective-C, Safari, Apple Pay, Apple Watch, and Xcode are trademarks or registered trademarks of Apple, Inc. Google, the Google logo, Android, and the Android logo are registered trademarks of Google, Inc. Chrome is a trademark of Google, Inc. BlackBerry, PlayBook, Research in Motion, and RIM are registered trademarks of BlackBerry. SAP® and SAP® Business Suite® are registered trademarks of SAP SE in Germany and in several other countries. All other terms, trademarks, or service marks mentioned in this document have been capitalized and are to be considered the property of their respective owners.


Revision History

Date         Document Version   Description of Modifications/Release

01/21/2020   1.6                Document Published for V 8.4.3.6 GA. The guide has been updated for the following:

- Prerequisites: Supported and Unsupported regions

- Features:

  - Configure Autoscalability for cluster

  - Enhanced steps to use Kubernetes Dashboard

  - Pod Anti-affinity

  - Whitelist IP Address in Azure CDN

  - Configure Backup and Restore for Azure File Share

- Configurations:

  - Service Principal Object ID

  - Configure geographically redundant backup

  - Azure Redis Cache Support

07/31/2019   1.5                Document for V 8.4.3.1 GA

- New Configuration parameters have been added.

- New FAQs have been added.

05/02/2019   1.4                Document Released for V 8.4.1.1 GA

02/27/2019   1.3                Document Released for V 8.3.1.1 GA

10/16/2018   1.2                Document Released for V 8.3 GA

07/25/2018   1.1                Document Released for V 8.2.1 GA

05/07/2018   1.0                Document Released for V 8.1.1 GA


Table of Contents

1. Overview

2. Kony Fabric on Azure

2.1 Prerequisites

2.2 VM Setup

2.3 Source Code Setup

2.4 Configuration

2.5 Script Execution

2.6 Configuring Visualizer to Connect to Kony Fabric on Azure

2.7 Updating the Azure Kubernetes Service Cluster configuration

2.8 Setting up Azure Content Delivery Network (CDN)

2.9 Configuring ClamAntiVirus for Azure Virtual Machines

2.10 Configuring OSSEC Intrusion Detection

3. Appendices

3.1 Prerequisite Packages

3.2 Network Settings - Accessing Azure SQL Database

3.3 Configuring NAT Gateway

3.4 Hosting your domain with Azure DNS

3.5 Generating a PFX file from PEM

3.6 Extracting Logs from your Application

3.7 Connecting to AKS nodes through Jumpbox

3.8 Log Analytics

3.9 New Relic Monitoring

3.10 Rolling Updates

3.11 Kubernetes Dashboard

3.12 Pod Anti-Affinity

3.13 AKS Autoscaling

3.14 Azure Resource Group Role Based Access Control (RBAC)

3.15 Block IP addresses in the Azure Web Application Firewall

3.16 Block IP addresses in the Azure CDN

3.17 Whitelist IP Address in Azure CDN

3.18 Configure Email Alerts for ClamAV and OSSEC

3.19 VPN Reference Implementation

3.20 Configure Backup and Restore for Azure File Share

3.21 Azure Components Version Tracker

4. Frequently Asked Questions (FAQs)


1. Overview

Kony Fabric Containers on Azure Solution is designed to facilitate Kony Fabric on Azure for Trial and Enterprise needs. This setup occurs with minimal manual intervention and leverages the following technologies:

- Docker - To package different components as portable container images (with all the required binaries and libs)

- Kubernetes - To orchestrate and maintain all these running containers. It will also have features like auto-scaling, secrets, deployment upgrades and rollbacks.

- Azure - For provisioning of the underlying infrastructure.

Salient Features

The Kony Fabric Containers on Azure Solution Trial Version provides developers with tools to build applications and the Enterprise Version provides IT with multi-architecture operations at scale.

The Kony Fabric Containers on Azure Solution has the following features:

- Creates a multi-layer architecture along with the Application Gateway in a Virtual Network making it secure.

- Supports options to configure a custom DNS name, SSL cert support for secure communication, and includes Jumpbox for DevOps activities.


2. Kony Fabric on Azure

2.1 Prerequisites

1. Azure Account - The setup script creates all the resources in this account. In your Azure subscription, your account should have the following permissions:

i. Azure Subscription Permissions:

- Your account must have the role of an Owner.

- If your account has the role of a Contributor, you do not have adequate permissions. Contact your Azure Account Administrator for getting the required permissions.

Steps to check the permissions of your Azure subscription:

a. In the Azure Portal, select your account from the upper right corner, and select My permissions.

b. From the drop-down list, select Subscription. Select Click here to view complete access details for this subscription.

c. View the roles assigned to you. In the following image, the user has the role of the Owner, which means that the user has adequate permissions.

ii. Azure Active Directory Permissions:

To check your Azure AD permissions:

a. Select Azure Active Directory.

b. In Azure Active Directory, select Overview and look at your user information. You should have the role of a Global Administrator to proceed further. If you do not have this role, contact your administrator to assign this role to you.

2. Prerequisite packages - The Kony Fabric Containers on Azure Solution does not need any additional software to be pre-installed, as the prerequisite packages are downloaded as a part of the setup scripts.

The packages that are installed as part of the install scripts are: azure-cli, kubectl, jq, and sponge.

Note: To make sure that the script is able to download all the necessary software, you might need to open outbound connections to the respective sites. For more information, refer to the Appendices section of this document.

3. SSH Public Key – Using the SSH protocol, you can connect and authenticate to remote servers and services. Kony Fabric setup expects an SSH key pair for authentication. The SSH public key is used for creating the Azure Virtual Machine, and for installing the Kony Fabric Setup. You need to specify the SSH Public Key in the .properties file.

On Ubuntu terminal, use the ssh-keygen command to generate SSH public and private key files that are created by default in the ~/.ssh directory. This command can be executed from your local (Ubuntu) machine:

ssh-keygen -t rsa -b 2048

You must create and configure a key pair as you need to provide them in the Configuration settings.

4. Supported and Unsupported regions - In the installation directory, you need to modify the file /conf/azure_supported_regions.txt to update the variables waf_v2_unsupported_regions and storage_account_replication_type_ZRS_supported_regions by adding the regions to the existing list in the text file.

- The waf_v2_unsupported_regions variable has the list of regions where waf_v2 is not supported for Azure Application gateway.

- The storage_account_replication_type_ZRS_supported_regions variable has the list of regions where Storage account replication type supports Zone Redundant Storage.

5. Domain Name (Optional) - You can have a Domain Name for the solution, which you can purchase from any third-party organizations, such as GoDaddy, and a proper DNS which you need to map to the public DNS of the Application Gateway. Refer to the Appendices section, for more details.

6. SSL certs (Optional) - To secure the communication, acquire the SSL certs (Azure Application Gateway requires certificates in .pfx format) and provide them during the Installation process. These SSL certs must be associated with the Domain Name that the user has procured. Refer to the Appendices section on SSL cert pfx format conversion.

Note: To execute the installation scripts, you must use Bash version 4 or later.

2.2 VM Setup

You need an Azure Virtual Machine to download the artifacts, and execute the setup scripts from the

VM to install Kony Fabric on Azure.

Follow these steps to create a VM through Azure Portal:

1. Log in to the Azure Portal with the same account you configured for the role of the Global Administrator. Navigate to the Virtual Machines tab.

Click the +Add button and select the Ubuntu Server image.

2. Select the Ubuntu Server 16.04 LTS image and click Create.

3. Proceed with the remaining steps in the wizard and provide the SSH Public Key where needed.

2.3 Source Code Setup

Steps to Install Kony Fabric on MS Azure:

1. Fetch the Public IP of the Virtual Machine from Azure Portal.

Log in to the VM by executing the following command in the Terminal:

$ ssh azureuser@<public-ip> -i ~/.ssh/id_rsa

2. Switch to the root user, install the unzip package for extracting contents, and download the kony-fabric-containers-azure.zip file:

$ sudo -s

$ apt-get install unzip

$ curl -o kony-fabric-containers-azure.zip -L kony-fabric-containers-azure_8.4.1.1_GA.zip

3. Unzip the downloaded artifacts:

$ unzip kony-fabric-containers-azure.zip -d <directory-name>

The structure of the document will be as shown below:

2.4 Configuration

Edit the input parameters in the following files based on the type of solution you want to create.

- <Installation Directory>/conf/trial.properties for Trial solution.

- <Installation Directory>/conf/enterprise.properties for Enterprise solution.

For more information, refer to the sample.properties file.

You need to provide the following parameters during Installation:

Note: None of the values for parameters in trial or enterprise properties file should contain quotes.

1. Azure Subscription ID, Azure Service Principal ID Name, Azure Service Principal ID Secret, and Service Principal Object ID - Azure Subscription ID is a GUID that uniquely identifies your subscription to use Azure services. The Application needs the Service Principal to access or configure resources through the Azure Resource Manager (ARM) in the Azure Stack.

You must have an Azure account with the permissions of a Global Administrator and the role of a User. Without these privileges, it is not possible to create the AKS clusters (or other resources).

The following section describes fetching Azure Subscription ID, generating Azure Service Principal ID Name, Azure Service Principal ID Secret, and Service Principal Object ID.

i. Steps to get the Subscription ID:

- Navigate to http://portal.azure.com/.

- Navigate to Browse.

- In the search box, begin to type subscription.

- Select Subscriptions from the search results.

Find the appropriate subscription to check your Azure subscription GUID.

ii. Generating Azure Service Principal ID Name and Azure Service Principal ID Secret:

Log in to Azure Portal and click on Cloud Shell as shown:

a. Execute:

$ az group create --name "resource_group_name" --location "eastus"

b. Execute:

$ az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/<subscription_id>/resourceGroups/<resource_group_name>"

After executing the above command, a JSON response will be displayed on the command prompt.

{
  "appId": "APP_ID",
  "displayName": "ServicePrincipalName",
  "name": "http://ServicePrincipalName",
  "password": ...,
  "tenant": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
}

In the properties file of the conf directory:

- SERVICE_PRINCIPAL_CLIENT_ID is the value of the appId.

- SERVICE_PRINCIPAL_CLIENT_SECRET is the value of the password.

Note: The values of the SERVICE_PRINCIPAL_CLIENT_ID and SERVICE_PRINCIPAL_CLIENT_SECRET should not contain any quotation marks. For example:

- SERVICE_PRINCIPAL_CLIENT_ID = a5afa829-525c-436c-ca4f-f442027cfd2e

- SERVICE_PRINCIPAL_CLIENT_SECRET = cx4q44eq-fq7a-450v-zf41-4049183d1eb8

iii. Generating Service Principal Object ID

Log in to Azure Portal and click on PowerShell.

a. Execute:

$(Get-AzureADServicePrincipal -Filter "AppId eq '<Service_principle_client_ID>'").ObjectId

2. Azure Location - Azure location is the location of the Azure Resource group.

Note: Azure AKS is supported in various Azure locations. For more information about Azure locations, refer to Products available by region.

3. SSH Public Key - You need this to configure all the Linux machines with the SSH RSA public key string.

4. VNET_ADDRESS_SPACE: Provide custom address space of virtual network, if required.

5. AKS_SUBNET_ADDRESS_SPACE: If custom address space of virtual network is configured, then set the value of AKS subnet address space.

6. APP_GATEWAY_SUBNET_ADDRESS_SPACE: If custom address space of virtual network is configured, then set the value of azure application gateway subnet address space.

7. JUMPBOX_SUBNET_ADDRESS_SPACE: If custom address space of virtual network is configured, then set the value of jumpbox subnet address space.

8. DNS_SERVICE_IP: If custom address space of virtual network is configured, then set the IP address value of the DNS service.

9. SERVICE_CIDR: If custom address space of virtual network is configured, then set the IP address value of the Kubernetes internal service.

Note: If custom address space of virtual network is configured, then make sure the AKS_SUBNET_ADDRESS_SPACE, APP_GATEWAY_SUBNET_ADDRESS_SPACE, JUMPBOX_SUBNET_ADDRESS_SPACE, DNS_SERVICE_IP, and SERVICE_CIDR IP addresses do not overlap and at the same time exist in the virtual network address space.
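
As an added illustration of the note above (not part of the Kony setup scripts), the following Python check confirms that the three subnets lie inside VNET_ADDRESS_SPACE and that the subnets and SERVICE_CIDR do not overlap one another. The function name, the sample values, and passing the parameters as a dictionary are assumptions; the placement of DNS_SERVICE_IP is not checked here.

```python
import ipaddress
from itertools import combinations

# Parameter names are taken from the Configuration section of this guide.
SUBNET_KEYS = (
    "AKS_SUBNET_ADDRESS_SPACE",
    "APP_GATEWAY_SUBNET_ADDRESS_SPACE",
    "JUMPBOX_SUBNET_ADDRESS_SPACE",
)
NO_OVERLAP_KEYS = SUBNET_KEYS + ("SERVICE_CIDR",)

# Constructed sample values, not taken from any real deployment.
GOOD_LAYOUT = {
    "VNET_ADDRESS_SPACE": "10.0.0.0/16",
    "AKS_SUBNET_ADDRESS_SPACE": "10.0.0.0/20",
    "APP_GATEWAY_SUBNET_ADDRESS_SPACE": "10.0.16.0/24",
    "JUMPBOX_SUBNET_ADDRESS_SPACE": "10.0.17.0/24",
    "SERVICE_CIDR": "10.0.32.0/20",
}
# Jumpbox subnet falls inside the AKS subnet; gateway subnet is outside the VNet.
BAD_LAYOUT = dict(
    GOOD_LAYOUT,
    JUMPBOX_SUBNET_ADDRESS_SPACE="10.0.15.0/24",
    APP_GATEWAY_SUBNET_ADDRESS_SPACE="10.1.0.0/24",
)


def check_address_spaces(props):
    """Return a list of findings; an empty list means the layout passed."""
    findings = []
    nets = {}
    for key in ("VNET_ADDRESS_SPACE",) + NO_OVERLAP_KEYS:
        raw = props.get(key, "").strip()
        if not raw:
            findings.append(f"{key}: missing")
            continue
        try:
            # strict=True rejects values with host bits set, e.g. 10.0.1.5/24
            nets[key] = ipaddress.ip_network(raw, strict=True)
        except ValueError as exc:
            findings.append(f"{key}: invalid CIDR ({exc})")

    # Each subnet must be contained in the virtual network address space.
    vnet = nets.get("VNET_ADDRESS_SPACE")
    if vnet is not None:
        for key in SUBNET_KEYS:
            net = nets.get(key)
            if net is None:
                continue
            inside = net.version == vnet.version and net.subnet_of(vnet)
            if not inside:
                findings.append(f"{key}: {net} is outside VNET_ADDRESS_SPACE {vnet}")

    # No two of the subnets / service range may share addresses.
    for first, second in combinations(NO_OVERLAP_KEYS, 2):
        if first in nets and second in nets and nets[first].overlaps(nets[second]):
            findings.append(
                f"{first} {nets[first]} overlaps {second} {nets[second]}"
            )
    return findings


if __name__ == "__main__":
    for name, layout in (("good", GOOD_LAYOUT), ("bad", BAD_LAYOUT)):
        print(name, check_address_spaces(layout) or "OK")
```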

10. ALERT_NOTIFICATION_ENABLED: Flag to enable or disable alert notifications.

11. AZURE_ACTION_GROUP_NAME: Action group name is the identifier for a set of email IDs to

which notifications are sent.

12. USER_EMAIL_ID: Primary email ID is provided for receiving alert notifications. You can access

the Azure portal to add other email IDs, if required.


13. IS_DB_SSL_ENABLED: Flag for enabling or disabling SSL connection to access MySQL DB.

Note: If IS_DB_SSL_ENABLED is set to true then IS_SSL_ENABLED should also be set to true.

14. ARRAY_TO_WHITELIST_IPS_TO_ACCESS_DB: Enter the IP address to be whitelisted to access any database.

15. IS_SSL_ENABLED – Flag to enable or disable SSL on Kony Fabric setup. This flag is set to true by default. If you do not require SSL, set this parameter to false.

- Place the SSL certificate (in a .pfx file format) in the ssl-cert folder, and then provide the Server Domain Name and AppGateway SSL Cert Password.

- For enabling HTTPS on the back-end of appgateway, perform the following steps:

  1. The SSL certificates with the cert data and key data should be in separate files (both in a .pem file format).

  2. Save the Cert file as ingress.pem.

  3. Save the Key file as ingress_key.pem.

  4. Place both ingress.pem and ingress_key.pem files in the certs folder of the installation directory.

16. Server Domain Name - This is the external server domain that you need to map with the Azure Application Gateway DNS name.

17. AppGateway SSL Cert Password – This is the Password used for getting the pfx key for the SSL offloading.

18. AZURE_LOG_ANALYTICS_ENABLED – Flag to enable Azure Operations Management Suite (OMS) Log analytics solution.

19. AZURE_LOG_ANALYTICS_SERVICE_TIER - Service tier for Azure log analytics. The allowed values are Free, Standalone, and PerNode. The Free Tier is applicable only if you created your Azure account before 02-April-2018. This tier has a 500MB limit on the amount of data collected daily and also has a 7-day limit on data retention. If you created your Azure Account after 02-April-2018, you only have the Standalone or PerNode options. If you use the Free tier, the installation throws an error. For information about the pricing of the Standalone and PerNode options, refer to the Azure pricing for Log Analytics.

20. AZURE_LOG_ANALYTICS_DATA_RETENTION_PERIOD – This is the data retention period for the logs in log analytics solution (minimum data retention period: 7, maximum data retention period: 738). This value is required if log analytics is enabled. For Free tier, data retention period is not allowed for more than 7 days. For Standalone and PerNode tiers, data is retained at no charge for the first 31 days. There is no daily limit for data upload for Standalone or PerNode tiers.

21. DATABASE_TYPE - This is the database type you want to use for hosting Kony Fabric on Azure.

The Kony Fabric Containers on Azure Solution supports the MS SQL and MySQL Server Databases.

22. DATABASE_USER_NAME - The preferred Database Username (other than Admin).

Note: Ensure that the value of the DB_NAME parameter in the properties file is unique. An installation error is thrown when a DB service with the same name already exists.

23. DATABASE_PASSWORD - String containing a minimum of 8 characters and combination of alpha-numeric and non-alpha-numeric characters.

Important: The Database Username and Database Password provided here must also be used to login to the Database using the Azure Portal.

24. DB_SKUTIER: For MySQL DB, the Skutier can be Basic, GeneralPurpose, or MemoryOptimized tier. The default is set to GeneralPurpose.


25. DB_SKUCAPACITY: Specify the vCore capacity. If Skutier is Basic, the possible values include 1, 2. If Skutier is GeneralPurpose the possible values include 2, 4, 8, 16, 32 or 64. If Skutier is MemoryOptimized the possible values include 2, 4, 8, 16, 32.

26. DB_SKUFAMILY: Specify the Compute Generation. If Skutier is Basic the possible values include Gen4, Gen5. If Skutier is GeneralPurpose the possible values include Gen4, Gen5. If Skutier is MemoryOptimized the possible values include Gen5.

27. DB_SKUNAME: Specify the Skutier name in the following format: TierPrefix_family_capacity. For example, B_Gen5_1, GP_Gen5_16, MO_Gen5_32.

28. DB_SKUSIZEMB: Specify the max provisioned storage size required for the server in megabytes. For example, 5120.

29. MYSQL_VERSION: Specify the MySQL version. Currently supported MySQL versions are 5.6, and 5.7.

30. DB_BACKUP_RETENTION_DAYS: Specify the desired backup retention period in days. If PCI is enabled choose the value as 31 days. If PCI is disabled choose the value as 15 days.

31. DB_GEO_REDUNDANT_BACKUP: To configure the Geo-Redundancy backup for DB snapshots, set the value to Enabled. The default value is set as Disabled.

Note: The DB_SKUTIER, DB_SKUCAPACITY, DB_SKUFAMILY, DB_SKUNAME, DB_SKUSIZEMB, MYSQL_VERSION, DB_BACKUP_RETENTION_DAYS, and DB_GEO_REDUNDANT_BACKUP properties are specific to the MySQL Database.

32. DATABASE_PORT: Specify the Database Port. For MySQL it is 3306. For MS SQL it is 1433.
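
The value rules stated for the parameters above (no quotes in values, the IS_DB_SSL_ENABLED dependency, the database user name and password rules, and the MySQL SKU combinations) can be checked before the setup scripts are run. This Python check is an added example, not part of the Kony installer; the KEY = value file layout, the function names, the treatment of an absent IS_DB_SSL_ENABLED as false, and the sample contents are assumptions, and the B/GP/MO prefixes are taken from the DB_SKUNAME examples above.

```python
# DB_SKUTIER -> (DB_SKUNAME prefix, allowed DB_SKUFAMILY, allowed DB_SKUCAPACITY)
SKU_RULES = {
    "Basic": ("B", {"Gen4", "Gen5"}, {"1", "2"}),
    "GeneralPurpose": ("GP", {"Gen4", "Gen5"}, {"2", "4", "8", "16", "32", "64"}),
    "MemoryOptimized": ("MO", {"Gen5"}, {"2", "4", "8", "16", "32"}),
}
MYSQL_VERSIONS = {"5.6", "5.7"}

# Constructed sample file contents (placeholder values only).
GOOD_SAMPLE = """
SERVICE_PRINCIPAL_CLIENT_ID = 00000000-0000-0000-0000-000000000000
IS_SSL_ENABLED = true
IS_DB_SSL_ENABLED = true
DATABASE_USER_NAME = fabricdb
DATABASE_PASSWORD = Constructed#Sample1
DB_SKUTIER = GeneralPurpose
DB_SKUFAMILY = Gen5
DB_SKUCAPACITY = 16
DB_SKUNAME = GP_Gen5_16
MYSQL_VERSION = 5.7
"""
BAD_SAMPLE = """
SERVICE_PRINCIPAL_CLIENT_ID = "00000000-0000-0000-0000-000000000000"
IS_SSL_ENABLED = false
IS_DB_SSL_ENABLED = true
DATABASE_USER_NAME = Admin
DATABASE_PASSWORD = changeme
DB_SKUTIER = MemoryOptimized
DB_SKUFAMILY = Gen4
DB_SKUCAPACITY = 64
DB_SKUNAME = GP_Gen5_16
MYSQL_VERSION = 8.0
"""


def parse_properties(text):
    """Parse KEY = value lines; blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def check_properties(text):
    """Return findings as 'KEY: reason'. Values are never echoed for secrets."""
    props = parse_properties(text)
    findings = []

    # Note in the guide: no value may contain quotes.
    for key, value in props.items():
        if '"' in value or "'" in value:
            findings.append(f"{key}: value contains quotes")

    def enabled(key, default):
        return props.get(key, default).lower() == "true"

    # IS_SSL_ENABLED defaults to true per the guide.
    if enabled("IS_DB_SSL_ENABLED", "false") and not enabled("IS_SSL_ENABLED", "true"):
        findings.append("IS_DB_SSL_ENABLED: requires IS_SSL_ENABLED = true")

    if props.get("DATABASE_USER_NAME", "").lower() == "admin":
        findings.append("DATABASE_USER_NAME: must be a name other than Admin")

    password = props.get("DATABASE_PASSWORD", "")
    has_alnum = any(c.isalnum() for c in password)
    has_other = any(not c.isalnum() for c in password)
    if len(password) < 8 or not (has_alnum and has_other):
        findings.append(
            "DATABASE_PASSWORD: needs 8+ characters mixing alphanumeric "
            "and non-alphanumeric characters"
        )

    # The SKU parameters apply to MySQL only, so check them only when present.
    if any(key.startswith("DB_SKU") for key in props):
        tier = props.get("DB_SKUTIER", "GeneralPurpose")
        if tier not in SKU_RULES:
            findings.append(f"DB_SKUTIER: unknown tier {tier}")
        else:
            prefix, families, capacities = SKU_RULES[tier]
            family = props.get("DB_SKUFAMILY", "")
            capacity = props.get("DB_SKUCAPACITY", "")
            if family not in families:
                findings.append(f"DB_SKUFAMILY: {family} not allowed for {tier}")
            if capacity not in capacities:
                findings.append(f"DB_SKUCAPACITY: {capacity} not allowed for {tier}")
            expected = f"{prefix}_{family}_{capacity}"
            if props.get("DB_SKUNAME") != expected:
                findings.append(f"DB_SKUNAME: expected {expected}")

    version = props.get("MYSQL_VERSION")
    if version is not None and version not in MYSQL_VERSIONS:
        findings.append(f"MYSQL_VERSION: {version} is not a supported version")
    return findings


if __name__ == "__main__":
    for finding in check_properties(BAD_SAMPLE):
        print(finding)
```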

33. AZURE_AUTH_REDIS_CACHE_NAME: Name for the cache. Name can only contain letters, numbers, and hyphens. The first and last characters must each be a letter or a number. Consecutive hyphens are not allowed.

34. AZURE_AUTH_REDIS_SKU_TYPE: The possible values are Basic, Standard, Premium.

35. AZURE_AUTH_REDIS_SKU_FAMILY: The possible values are: 'C', 'P'; where C = Basic/Standard, and P = Premium.

36. AZURE_AUTH_REDIS_SKU_CAPACITY: The possible value for this can only be a numeric value. For the C (Basic/Standard) family: (0, 1, 2, 3, 4, 5, 6). For the P (Premium) family: (1, 2, 3, 4).

37. AZURE_AUTH_REDIS_CACHE_EVICTION_POLICY: The available Eviction policies are volatile-lru, allkeys-lru, volatile-random, allkeys-random, volatile-ttl, and noeviction. The default value is set to volatile-lru.

38. AZURE_SERVER_REDIS_CACHE_NAME: Name for the cache. Name can only contain letters, numbers, and hyphens. The first and last characters must each be a letter or a number. Consecutive hyphens are not allowed. For example: kfrediscacheserver.

39. AZURE_SERVER_REDIS_SKU_TYPE: The possible values are Basic, Standard, Premium.

40. AZURE_SERVER_REDIS_SKU_FAMILY: The possible values are: 'C', 'P'; where C =

Basic/Standard, and P = Premium.

41. AZURE_SERVER_REDIS_SKU_CAPACITY: The possible value for this can only be a

numeric value. For the C (Basic/Standard) family: (0, 1, 2, 3, 4, 5, 6). For the P (Premium)

family: (1, 2, 3, 4).

42. AZURE_SERVER_REDIS_CACHE_EVICTION_POLICY: The available Eviction policies are

volatile-lru, allkeys-lru, volatile-random, allkeys-random, volatile-ttl, and noeviction. The

default value is set to volatile-lru.

43. AZURE_SERVER_REDIS_CONNECTION_MINIMUM_IDLE_SIZE: The value for Minimum

idle Redis connection amount. The default value is set to 5.

44. AZURE_SERVER_REDIS_IDLE_CONNECTION_TIMEOUT_IN_MILLISECONDS: The

value for Redis Idle connection timeout. Default value is set to 10000.

45. AZURE_SERVER_REDIS_CONNECTION_POOL_SIZE: This is the maximum pool size for Redis connection. Default value is set to 64.

46. AZURE_SERVER_REDIS_CONNECTION_TIMEOUT: The value for Redis connection timeout in milliseconds. Default value is set to 10000.

47. JUMPBOX_ENABLED - Flag to create Jumpbox as a part of the Kony Fabric setup. Set this to

false if you do not require Jumpbox. Refer to Appendices for more details on how to connect to

the Azure Kubernetes through Jumpbox.

Important: After completion of installation, you must whitelist the URLs that the DevOps

would use to Log-in.

48. Automatic Registration Details:

PARAMETER                        DESCRIPTION

AUTO_REGISTRATION_USER_ID        The E-mail id used for Kony Fabric Registration.

AUTO_REGISTRATION_PASSWORD       The Password used for Kony Fabric Registration.

AUTO_REGISTRATION_FIRST_NAME     The First Name used for Kony Fabric Registration.

AUTO_REGISTRATION_LAST_NAME      The Last Name used for Kony Fabric Registration.

AUTO_REGISTRATION_ENV_NAME       Name of the environment. You can set this in the .properties file.

Important: The AUTO_REGISTRATION_USER_ID and AUTO_REGISTRATION_PASSWORD provided here will also be used to login to the Kony Fabric Console.

You must provide the following parameters additionally for an Enterprise solution.


• AKS Node Count - This is the number of worker nodes in the cluster.

• AKS Node Size - Type of the worker nodes in the cluster.

• AKS Master Node Count - This is the AKS Master Node Count.

Specify the following parameters in the trial.properties/enterprise.properties file to enable Autoscaling. For more information on Autoscaling, refer to AKS Autoscaling.

49. AKS_MAX_NODE_COUNT: The maximum number of worker nodes that can be provisioned by Autoscaling.

Note: The max pod count for all the components should not exceed the max node count.

For the INTEGRATION Component:

50. NUM_INTEGRATION_PODS: The minimum number of pods. For example, the values can be set to: 1, 2, etc.

51. INTEGRATION_POD_MAX_REPLICAS: The maximum number of pods to be scaled. Provide an integer value.

52. INTEGRATION_POD_CPU_USAGE_THRESHOLD: The scaling of pods will be triggered if CPU utilization value in percentage crosses the user given threshold value. For example, the values can be set to: 80, 90, etc.

53. INTEGRATION_POD_CPU_USAGE_REQUESTS: For pod placement, AKS looks for a node that has enough CPU to handle the pod requests. For example, the values can be set to: 300m, 400m, etc.

54. INTEGRATION_POD_MEMORY_USAGE_THRESHOLD: The memory utilization threshold in percentage that is required to trigger scaling. For example, the values can be set to: 80, 90, etc.

55. INTEGRATION_POD_MEMORY_USAGE_REQUESTS: For pod placement, AKS looks for a node that has enough memory according to the requests configuration. For example, the values can be set to: 1G, 2G, etc.


56. INTEGRATION_POD_MEMORY_USAGE_LIMIT: The maximum amount of memory that can be allocated to a pod in the node. For example, the values can be set to: 3.2G, 3.5G, etc.

For the ENGAGEMENT Component:

57. NUM_ENGAGEMENT_PODS: The minimum number of pods. For example, the values can be set to: 1, 2, etc.

58. ENGAGEMENT_POD_MAX_REPLICAS: The maximum number of pods to be scaled. For example, the values can be set to: 1, 2, etc.

59. ENGAGEMENT_POD_CPU_USAGE_THRESHOLD: The scaling of pods will be triggered if CPU/memory utilization value in percentage crosses the user given threshold value. For example, the values can be set to: 80, 90, etc.

60. ENGAGEMENT_POD_CPU_USAGE_REQUESTS: For pod placement, AKS looks for a node that has a CPU that can handle the pods, according to the requests. For example, the values can be set to: 300m, 400m, etc.

61. ENGAGEMENT_POD_MEMORY_USAGE_THRESHOLD: The memory utilization threshold in percentage that is required to trigger scaling. For example, the values can be set to: 80, 90, etc.

62. ENGAGEMENT_POD_MEMORY_USAGE_REQUESTS: For pod placement, AKS looks for a node that has enough memory according to the requests configuration. For example, the values can be set to: 1G, 2G, etc.

63. ENGAGEMENT_POD_MEMORY_USAGE_LIMIT: The maximum amount of memory that can be allocated to a pod in the node. For example, the values can be set to: 3.2G, 3.5G, etc.

For the IDENTITY component:

64. NUM_IDENTITY_PODS: The minimum number of pods. For example, the values can be set to: 1, 2, etc.

65. IDENTITY_POD_MAX_REPLICAS: The maximum number of pods to be scaled. For example, the values can be set to: 1, 2, etc.


66. IDENTITY_POD_CPU_USAGE_THRESHOLD: The scaling of pods will be triggered if CPU/memory utilization value in percentage crosses the user given threshold value. For example, the values can be set to: 80, 90, etc.

67. IDENTITY_POD_CPU_USAGE_REQUESTS: For pod placement, AKS looks for a node that has a CPU that can handle the pods, according to the requests. For example, the values can be set to: 300m, 400m, etc.

68. IDENTITY_POD_MEMORY_USAGE_THRESHOLD: The memory utilization threshold in percentage that is required to trigger scaling. For example, the values can be set to: 80, 90, etc.

69. IDENTITY_POD_MEMORY_USAGE_REQUESTS: For pod placement, AKS looks for a node that has enough memory according to the requests configuration. For example, the values can be set to: 1G, 2G, etc.

70. IDENTITY_POD_MEMORY_USAGE_LIMIT: The maximum amount of memory that can be allocated to a pod in the node. For example, the values can be set to: 3.2G, 3.5G, etc.

For the CONSOLE component:

71. NUM_CONSOLE_PODS: The minimum number of pods. For example, the values can be set to: 1, 2, etc.

72. CONSOLE_POD_MAX_REPLICAS: The maximum number of pods to be scaled. For example, the values can be set to: 1, 2, etc.

73. CONSOLE_POD_CPU_USAGE_THRESHOLD: The scaling of pods will be triggered if CPU/memory utilization value in percentage crosses the user given threshold value. For example, the values can be set to: 80, 90, etc.

74. CONSOLE_POD_CPU_USAGE_REQUESTS: For pod placement, AKS looks for a node that has a CPU that can handle the pods, according to the requests. For example, the values can be set to: 300m, 400m, etc.

75. CONSOLE_POD_MEMORY_USAGE_THRESHOLD: The memory utilization threshold in percentage that is required to trigger scaling. For example, the values can be set to: 80, 90, etc.


76. CONSOLE_POD_MEMORY_USAGE_REQUESTS: For pod placement, AKS looks for a node that has enough memory according to the requests configuration. For example, the values can be set to: 1G, 2G, etc.

77. CONSOLE_POD_MEMORY_USAGE_LIMIT: The maximum amount of memory that can be allocated to a pod in the node. For example, the values can be set to: 3.2G, 3.5G, etc.

For the APIPORTAL component:

78. NUM_API_PORTAL_PODS: The minimum number of pods. For example, the values can be set to: 1, 2, etc.

79. APIPORTAL_POD_MAX_REPLICAS: The maximum number of pods to be scaled. For example, the values can be set to: 1, 2, etc.

80. APIPORTAL_POD_CPU_USAGE_THRESHOLD: The scaling of pods will be triggered if CPU/memory utilization value in percentage crosses the user given threshold value. For example, the values can be set to: 80, 90, etc.

81. APIPORTAL_POD_CPU_USAGE_REQUESTS: For pod placement, AKS looks for a node that has a CPU that can handle the pods, according to the requests. For example, the values can be set to: 300m, 400m, etc.

82. APIPORTAL_POD_MEMORY_USAGE_THRESHOLD: The memory utilization threshold in percentage that is required to trigger scaling. For example, the values can be set to: 80, 90, etc.

83. APIPORTAL_POD_MEMORY_USAGE_REQUESTS: For pod placement, AKS looks for a node that has enough memory according to the requests configuration. For example, the values can be set to: 1G, 2G, etc.

84. APIPORTAL_POD_MEMORY_USAGE_LIMIT: The maximum amount of memory that can be allocated to a pod in the node. For example, the values can be set to: 3.2G, 3.5G, etc.

85. AZURE_FILE_SHARE_SECRET: The name for the Kubernetes secret used by integration pods to access Azure file share. The default value is azure-file-share-secret.


86. MOUNT_PATH: Enter the mount path of the Integration pods required to store data. The default value is set to /mnt/shared.

87. AZURE_FILE_SHARE_ENABLED: The flag to enable or disable Azure file share on the Kony Fabric setup. This flag is set to true by default.

88. AZURE_FILE_SHARE_STORAGE_ACCOUNT: The Azure storage account name must be between 3 and 24 characters in length and must contain alpha-numeric characters in lowercase. The default value is set to konyfs.

89. AZURE_FILE_SHARE_DIRECTORY_NAME: The Azure file share directory name must be between 1 and 255 characters in length and must not contain the following special characters \/:|<>*?. The default value is set to kony.

90. STORAGE_ACCOUNT_KIND: Enter the value for the kind of Storage account. The possible values include StorageV2 and FileStorage. The default value is set to StorageV2 as FileStorage Storage account does not support Zone Redundant Storage (ZRS).

91. STORAGE_ACCOUNT_REPLICATION_TYPE: If Storage Account kind is StorageV2, possible values include Standard_LRS, Standard_GRS, Standard_RAGRS, Standard_ZRS, Premium_LRS, Premium_ZRS, Standard_GZRS, and Standard_RAGZRS. If Storage Account kind is FileStorage, possible values include Premium_LRS. Default value is set to Standard_ZRS.

Note: Only a few regions support Standard_ZRS. Therefore, you must ensure that the region entered in the AZURE_LOCATION param supports Standard_ZRS.

92. ACCESS_TIER: Only the Standard performance has access tiers. The possible values for access tiers include Hot and Cool. The default value is set to Cool.

93. AZURE_FILE_SHARE_NAME: The file share name must be between 3 and 63 characters in length and can use numbers, lower-case letters, and hyphens only. The default value is konyfileshare.


94. AZURE_FILE_SHARE_QUOTA: The maximum size of the share in Gigabytes. You can edit the value later in Azure portal. If performance is Standard then its value must be greater than 0, and less than or equal to 5120 (5 Terabytes). If performance is Premium then its value must be greater than 0, and less than or equal to 102400 (100 Terabytes). The default value is set to 1024.

95. AZURE_FILE_SHARE_BACK_UP_VAULT: The Recovery Services vault name must be between 2 and 50 characters in length, must start with a letter, and should consist only of letters, numbers, and hyphens. The default value is KonyRecoveryServiceVault.

96. ARRAY_TO_WHITELIST_IPS_TO_ACCESS_FILE_SHARE: Enter the IP address that should be whitelisted to access Azure file share. For example: ("103.140.124.130").

97. AZURE_STORAGE_ACCOUNT_NAME: The Azure storage account name must be between 3 and 24 characters in length and must contain only lowercase alphabets. The default value is kony.

Note: The default values for all the above parameters are given in the properties file.
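
The naming and size constraints given for parameters 88 to 97 can be checked before the setup script is run. The following is an added example, not part of the Kony installer: it assumes the properties file holds plain KEY=value lines and treats a replication type beginning with Premium_ as Premium performance; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check of the file-share parameters (items 88-97).
# Assumption: the properties file holds KEY=value lines.

# prop FILE KEY: print the value of KEY (last assignment wins), quotes stripped.
prop() {
    awk -v k="$2" '
        index($0, k "=") == 1 { v = substr($0, length(k) + 2) }
        END { gsub(/^[ \t"]+|[ \t\r"]+$/, "", v); print v }
    ' "$1"
}

# matches VALUE ERE: succeed only when the whole value matches the pattern.
matches() {
    printf '%s\n' "$1" | LC_ALL=C grep -Eq "^($2)\$"
}

# validate_props FILE: print one line per violated constraint; the exit
# status is 0 only when every check passes.
validate_props() (
    f=$1
    errs=0
    fail() { echo "INVALID $1: $2"; errs=$((errs + 1)); }

    kind=$(prop "$f" STORAGE_ACCOUNT_KIND)
    repl=$(prop "$f" STORAGE_ACCOUNT_REPLICATION_TYPE)
    quota=$(prop "$f" AZURE_FILE_SHARE_QUOTA)
    dir=$(prop "$f" AZURE_FILE_SHARE_DIRECTORY_NAME)

    matches "$(prop "$f" AZURE_FILE_SHARE_STORAGE_ACCOUNT)" '[a-z0-9]{3,24}' ||
        fail AZURE_FILE_SHARE_STORAGE_ACCOUNT "need 3-24 lowercase alphanumerics"
    matches "$(prop "$f" AZURE_STORAGE_ACCOUNT_NAME)" '[a-z]{3,24}' ||
        fail AZURE_STORAGE_ACCOUNT_NAME "need 3-24 lowercase letters"
    matches "$(prop "$f" AZURE_FILE_SHARE_NAME)" '[a-z0-9-]{3,63}' ||
        fail AZURE_FILE_SHARE_NAME "need 3-63 of a-z, 0-9, hyphen"
    matches "$(prop "$f" AZURE_FILE_SHARE_BACK_UP_VAULT)" '[A-Za-z][A-Za-z0-9-]{1,49}' ||
        fail AZURE_FILE_SHARE_BACK_UP_VAULT "need 2-50 chars, letter first"

    # Directory name: 1-255 characters, none of \ / : | < > * ?
    if [ "${#dir}" -lt 1 ] || [ "${#dir}" -gt 255 ] ||
        printf '%s' "$dir" | grep -q '[\\/:|<>*?]'; then
        fail AZURE_FILE_SHARE_DIRECTORY_NAME "bad length or forbidden character"
    fi

    # The allowed replication types depend on the storage account kind.
    case $kind in
        StorageV2)   allowed='Standard_(LRS|GRS|RAGRS|ZRS|GZRS|RAGZRS)|Premium_(LRS|ZRS)' ;;
        FileStorage) allowed='Premium_LRS' ;;
        *)           allowed=; fail STORAGE_ACCOUNT_KIND "need StorageV2 or FileStorage" ;;
    esac
    [ -z "$allowed" ] || matches "$repl" "$allowed" ||
        fail STORAGE_ACCOUNT_REPLICATION_TYPE "'$repl' not valid for $kind"

    # Assumption: a Premium_* replication type means Premium performance.
    # Only Standard performance has access tiers and the 5120 GB ceiling.
    case $repl in
        Premium_*) max_quota=102400 ;;
        *)         max_quota=5120
                   matches "$(prop "$f" ACCESS_TIER)" 'Hot|Cool' ||
                       fail ACCESS_TIER "need Hot or Cool" ;;
    esac
    { matches "$quota" '[0-9]{1,6}' && [ "$quota" -gt 0 ] &&
        [ "$quota" -le "$max_quota" ]; } ||
        fail AZURE_FILE_SHARE_QUOTA "need 1-$max_quota GB"

    [ "$errs" -eq 0 ]
)

# Constructed sample: uppercase letters in the account name, a '?' in the
# directory name, and a quota above the Standard limit of 5120 GB.
demo_props() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
AZURE_FILE_SHARE_STORAGE_ACCOUNT=KonyFS
AZURE_FILE_SHARE_DIRECTORY_NAME=kony?data
STORAGE_ACCOUNT_KIND=StorageV2
STORAGE_ACCOUNT_REPLICATION_TYPE=Standard_ZRS
ACCESS_TIER=Cool
AZURE_FILE_SHARE_NAME=konyfileshare
AZURE_FILE_SHARE_QUOTA=8192
AZURE_FILE_SHARE_BACK_UP_VAULT=KonyRecoveryServiceVault
AZURE_STORAGE_ACCOUNT_NAME=kony
EOF
    validate_props "$tmp" || true
    rm -f "$tmp"
}
demo_props
```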


2.5 Script Execution

1. Switch to the directory that contains the kf_setup.sh file and execute the setup script using:

$ bash kf_setup.sh

2. Select the Installation mode – Trial or Enterprise.

3. Log in to your Azure account using the link printed on the screen, and enter the given code for the script to continue the setup process.

4. The Bash prompt prints the Public DNS of the Application Gateway while executing the script. You must map this DNS to your custom Domain Name, if SSL is to be configured. Once you confirm the mapping on the command line, the script resumes execution and completes the setup.

Note: To execute the installation scripts, you must use Bash version 4 or later.

Upon successful completion of the setup, all the Application URLs will be printed on the screen as shown in the image.


You can start using Kony Fabric using the Kony Fabric Console URL. The credentials to log in to the Console are the same as the Auto-registration details provided in the properties file.

Once the installation is complete, and you take a backup, you can delete the Virtual Machine created for executing the setup script. To do so, go to the Azure Portal and navigate to the Virtual Machines Tab. Select the VM and confirm its deletion.

2.6 Configuring Visualizer to Connect to Kony Fabric on Azure

For details about connecting to Kony Fabric Console through Visualizer, refer to Connecting to Kony

Fabric.

2.7 Updating the Azure Kubernetes Service Cluster configuration

You need to have the current config files if you want to update the AKS cluster configuration. Once the installation is complete, take a backup of the unzipped directory where you installed the kony-fabric-containers-azure.zip to perform further updates to the AKS clusters.

Important: If you do not have a backup of the unzipped directory, updating the AKS cluster is difficult.

2.8 Setting up Azure Content Delivery Network (CDN)

A Content Delivery Network (CDN) is a distributed network of servers that can efficiently deliver web content to users. To minimize latency, CDNs store cached content on edge servers in Point-Of-Presence (POP) locations that are close to end users.


Azure Content Delivery Network (CDN) offers a global solution for developers to rapidly deliver high-bandwidth content to users by caching the content at strategically placed physical nodes across the world.

Note: Azure CDN SKU for AKS cluster is set to Premium Verizon, which supports configuration of cache rules for Kony Fabric Apps.

2.8.1 Enable CDN on Azure AKS cluster

Follow these steps to enable CDN in your AKS cluster.

1. Set the value of AZURE_CDN_ENABLED to true in the properties file (trial.properties /enterprise.properties).

2. Set the CDN Endpoint:

• FOR SSL ENABLED CLOUD (IS_SSL_ENABLED = true), after creating the CDN endpoint, map the CDN endpoint to a custom domain name.

• FOR SSL DISABLED CLOUD (IS_SSL_ENABLED = false), no mapping of server domain name is required.

Once you create the CDN profile and endpoint, follow these steps to manually configure the CDN settings in the Azure portal:


1. Open the Azure portal (portal.azure.com) and log in using your Microsoft account credentials.

2. Select Resource groups from the left navigation pane.

All existing resource groups appear.

Select the resource group in which the AKS Cluster is created.


3. If the cloud is SSL enabled, open CDN Endpoint from the list of resources in the Azure Resource Group.

4. Click Custom Domain. The Custom Domain page appears.


5. Select ON to enable HTTPS for custom domain.

2.8.2 Configuring Caching Rules

1. Go to CDN profile from the list of resources available in the Azure Resource Group (having the created AKS cluster).


2. Click Manage from the top navigation bar.


3. Configure all the rules in the CDN Manage Console.

4. From the HTTP Large list, select cache settings -> query string caching.


5. Select no-cache as the query string caching and click Update.

6. From the HTTP Large list, select Rules Engine.

7. Configure all the required rules.


• Rule 1

• Rule 2

• Rule 3

• Rule 4

• Rule 5

• Rule 6

• Rule 7

• Rule 8

• Rule 9

• Rules Order

2.9 Configuring Clam AntiVirus for Azure Virtual Machines

Clam AntiVirus (ClamAV) is an open-source anti-virus software toolkit. You can choose to install ClamAV on Azure Virtual Machines in the Kubernetes cluster. ClamAV is designed to be an on-demand scanner, and will only run when invoked.

A cron job is configured to run ClamAV on Azure Virtual Machines based on the frequency specified in the properties file. ClamAV scans all the files in the virtual machine and pushes the logs (clamscan.log and freshclam.log) present in the /var/log/clamav directory to the clamavlogs container in the storage account of the Azure Resource Group in which the AKS cluster is created.

Provide the following inputs in the properties file to enable ClamAV.

2.9.1 Generating SSH Keys

Using the SSH protocol, you can connect and authenticate to remote servers and services.

On the Ubuntu terminal, use the cd ~/.ssh command to set ~/.ssh as the current directory to generate the SSH public and private key files.

Use the ssh-keygen -t rsa -b 2048 command to generate the SSH key pair using RSA encryption and a bit length of 2048.

Name the key to be generated as id_rsa.


2.9.2 Install ClamAV on Azure Virtual Machine

Follow these steps to install ClamAV on your Azure Virtual Machine:

1. Set the value of INSTALL_CLAMAV to true in the properties file (trial.properties /enterprise.properties).

2. Place your SSH private key and SSH public key in the sshkeys folder with names id_rsa and id_rsa.pub respectively.

3. Set the frequency of the cron job to start the ClamAV scan and push the generated logs to the storage account.

Note: Use the following format to set the values for the frequencies of clamscan_cron_schedule and clamscanlogpush_cron_schedule in the properties file (trial.properties /enterprise.properties).

* * * * *
| | | | |
| | | | +---- Day of the Week (range: 1-7, 1 standing for Monday)
| | | +------ Month of the Year (range: 1-12)
| | +-------- Day of the Month (range: 1-31)
| +---------- Hour (range: 0-23)
+------------ Minute (range: 0-59)

* = any value

For example, if you configure the crontab timing as 00 16 * * *, this indicates that the crontab runs every day at 16:00:00 (UTC).

• You must maintain a minimum gap of 02:30 hrs. between the clamscan_cron_schedule and clamscanlogpush_cron_schedule.


• All cron job timings follow the UTC timezone.
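
The 02:30 gap rule can be checked mechanically before the schedules are written to the properties file. This is an added example, not taken from the Kony scripts: it assumes both schedules use fixed minute and hour fields and that the log push is meant to follow the scan; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check the 02:30 gap between two cron schedules.
# Assumption: minute and hour are fixed numbers (no '*', lists or ranges).

# cron_minute_of_day SCHEDULE: print hour*60+minute, or fail when the
# schedule does not have five fields with a fixed, in-range minute and hour.
cron_minute_of_day() (
    set -f                          # stop the '*' fields from globbing
    set -- $1
    [ "$#" -eq 5 ] || exit 1
    case $1$2 in *[!0-9]*) exit 1 ;; esac
    [ "$1" -le 59 ] && [ "$2" -le 23 ] || exit 1
    # awk reads "08" as decimal 8; shell arithmetic would treat it as octal
    echo "$1 $2" | awk '{ print $2 * 60 + $1 }'
)

# cron_gap_minutes SCAN PUSH: minutes from the scan start until the next
# log push, wrapping past midnight (both schedules are in UTC).
cron_gap_minutes() {
    scan=$(cron_minute_of_day "$1") || return 2
    push=$(cron_minute_of_day "$2") || return 2
    echo $(( (push - scan + 1440) % 1440 ))
}

# gap_ok SCAN PUSH: succeed when the push starts at least 150 minutes
# (02:30) after the scan; status 2 means a schedule could not be parsed.
gap_ok() {
    gap=$(cron_gap_minutes "$1" "$2") || return 2
    [ "$gap" -ge 150 ]
}

# Constructed schedules: scan at 16:00, push at 18:30 and at 17:00.
gap_ok "00 16 * * *" "30 18 * * *" && echo "16:00 -> 18:30 ok"
gap_ok "00 16 * * *" "00 17 * * *" || echo "16:00 -> 17:00 too close"
```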

2.9.3 Access ClamAV log files in the Virtual Machine

Follow these steps to access the ClamAV logs in the Virtual Machine.

• Log on to Jumpbox using the following SSH command:

$ ssh devops@<Jumpbox_Public_IP_Address>

• Log on to the Virtual Machine from Jumpbox using the following SSH command:

$ ssh -i id_rsa azureuser@<Virtual_Machine_IP_Address>

• Using the following command, go to the /var/log/clamav directory:

$ cd /var/log/clamav

This directory contains the clamscan.log and freshclam.log files that are generated by ClamAV after scanning the Virtual Machine.

Another cron job is configured to push the generated logs into the Azure Storage Account.

2.9.4 Edit the cron job

• Use the following command to view existing cron jobs on the VM:

$ crontab -l

• Use the crontab -e command to open the crontab list in edit mode.

2.9.5 Edit the ClamAV conf file

The freshclam.conf file configures the ClamAV Database Updater.


• Go to the /etc/clamav/ directory.

• Open the freshclam.conf file in any editor to make any required changes to the conf file.

2.9.6 Accessing Logs in the Azure Storage Account

All the logs generated by ClamAV are pushed to the Azure Storage Account.

1. Log on to the Azure portal (portal.azure.com) using your Microsoft account credentials.


2. Select Resource Groups from the left navigation pane.

All existing resource groups appear.

Select the resource group in which the AKS Cluster is created.

3. Select the storage account from the list of resources available in the resource group.


4. Click Blobs to see all the containers available in the storage account.

5. Select the clamavlogs container from the list of containers available in the storage account.

This shows all the log files pushed by ClamAV from the virtual machine.


6. Click Download to view the logs in the file.

7. Unzip the downloaded .zip file and extract the content.

You can now view all the logs that are pushed by ClamAV from the virtual machine.

2.10 Configuring OSSEC Intrusion Detection

OSSEC is an open source Host-based Intrusion Detection System (HIDS). It has a powerful correlation and analysis engine, and can perform log analysis, file integrity checking, Windows registry monitoring, centralized policy enforcement, rootkit detection, real-time alerting, and active response.

OSSEC runs as a daemon process. It notifies through alert logs when intrusion attacks occur. These alert logs are pushed to the osseclogs container in the storage account in the Azure Resource Group in which the AKS cluster is created.

Provide the following inputs in the properties file to enable OSSEC.

2.10.1 Generating SSH Keys

Using the SSH protocol, you can connect and authenticate to remote servers and services.


On the Ubuntu terminal, use the cd ~/.ssh command to set ~/.ssh as the current directory to generate the SSH public and private key files.

Use the ssh-keygen -t rsa -b 2048 command to generate the SSH key pair using RSA encryption and a bit length of 2048.

Name the key to be generated as id_rsa.

2.10.2 OSSEC Installation steps

1. Enable the INSTALL_OSSEC flag in the properties file (trial.properties /enterprise.properties).

2. As OSSEC is a daemon process, it continuously detects intrusion activities and stores alerts in the alerts.log file. A cron job is configured to push the alerts from /var/ossec/logs/alerts/alerts.log to the Azure Storage Account.

Note: Configure the cron job osseclogpush_cron_schedule in the properties file (trial.properties /enterprise.properties) to set the frequency value of the cron job. Configure the crontab timing in the following format:


* * * * *
| | | | |
| | | | +---- Day of the Week (range: 1-7, 1 standing for Monday)
| | | +------ Month of the Year (range: 1-12)
| | +-------- Day of the Month (range: 1-31)
| +---------- Hour (range: 0-23)
+------------ Minute (range: 0-59)

* = any value

For example, if you configure the crontab timing as 00 16 * * *, this indicates that the crontab runs every day at 16:00:00 (UTC).

• You can modify the default values of the cron job, if required.

• All cron job timings follow the UTC timezone.

3. Place your SSH private key in the sshkeys folder with name id_rsa.

2.10.3 Access log files of OSSEC in Virtual Machine

Follow these steps to access OSSEC logs in the Virtual Machine.

1. Use the following SSH command to log on to Jumpbox:

$ ssh devops@<Jumpbox_Public_IP_Address>

2. Use the following SSH command to log on to the Virtual Machine from the Jumpbox:

$ ssh -i id_rsa azureuser@<Virtual_Machine_IP_Address>

3. Execute the following command to log in as a root user.


$ sudo su

4. You can view the syslogs at /var/log/syslog.

$ cd /var/log/

$ cat syslog

5. Logs created by OSSEC daemons are stored in the subdirectories of /var/ossec/logs.

• You can view the OSSEC logs at /var/ossec/logs/ossec.log.

$ cd /var/ossec/logs/

$ cat ossec.log

• You can view the OSSEC alerts at /var/ossec/logs/alerts/alerts.log.

$ cd /var/ossec/logs/alerts/

$ cat alerts.log

2.10.4 Edit cron jobs

l To view the existing cron jobs use the following command on VM.

$ crontab -l

l Use the crontab -e command to open the crontab list in edit mode.

2.10.5 Accessing Logs in Azure Storage Account

All the logs generated by OSSEC are pushed to the Azure Storage Account.


1. Log on to the Azure portal (portal.azure.com) using your Microsoft account credentials.

2. Select Resource groups from the left navigation pane.


All existing resource groups appear.

Select the resource group in which the AKS Cluster is created.

3. Select the storage account from the list of resources available in the resource group.

4. Click Blobs to see all the containers available in the storage account.


5. Select the osseclogs container from the list of containers available in the storage account.

The page displays the log files pushed by OSSEC from the Virtual Machine.

6. Click Download to view the log file.

You can now view all the logs that are pushed by OSSEC from the virtual machine.
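
Once alerts.log has been downloaded or opened on the node, a per-rule summary makes the alerts easier to triage. This is an added example, not part of the Kony or OSSEC tooling: it assumes the default OSSEC alerts.log text layout, the function names are hypothetical, and the sample alerts are constructed.

```shell
#!/bin/sh
# Added example: summarize OSSEC alerts by rule for triage.
# Assumption: default alerts.log layout ("Rule: N (level L) -> '...'").

# ossec_triage FILE MIN_LEVEL: one tab-separated line per rule at or above
# MIN_LEVEL: level, rule id, alert count, distinct source IPs, description.
# Highest level first.
ossec_triage() {
    awk -v min="$2" -v q="'" '
        /^\*\* Alert / { keep = 0; next }           # start of a new alert
        /^Rule: / {
            rule = $2
            level = $4; sub(/\)/, "", level); level += 0
            keep = (level >= min)
            if (keep) {
                desc = $0
                sub("^.*-> " q "?", "", desc); sub(q "$", "", desc)
                count[rule]++; lvl[rule] = level; text[rule] = desc
            }
            next
        }
        keep && /^Src IP: / {                       # count each source once per rule
            if (!seen[rule, $3]++) srcs[rule]++
        }
        END {
            for (r in count)
                printf "%d\t%s\t%d\t%d\t%s\n", lvl[r], r, count[r], srcs[r], text[r]
        }
    ' "$1" | sort -k1,1nr -k2,2n
}

# Constructed sample alerts (documentation IP ranges, made-up host name).
demo_triage() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
** Alert 1578300000.1001: - syslog,sshd,authentication_failed,
2020 Jan 06 08:40:00 aks-node-0->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.7
Jan  6 08:39:59 aks-node-0 sshd[2211]: Failed password for root from 203.0.113.7 port 52144 ssh2

** Alert 1578300004.1320: - syslog,sshd,authentication_failed,
2020 Jan 06 08:40:04 aks-node-0->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.7
Jan  6 08:40:03 aks-node-0 sshd[2214]: Failed password for root from 203.0.113.7 port 52150 ssh2

** Alert 1578300009.1640: - syslog,sshd,authentication_failed,
2020 Jan 06 08:40:09 aks-node-0->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 198.51.100.23
Jan  6 08:40:08 aks-node-0 sshd[2219]: Failed password for admin from 198.51.100.23 port 40022 ssh2

** Alert 1578300012.1960: mail  - syslog,sshd,authentication_failures,
2020 Jan 06 08:40:12 aks-node-0->/var/log/auth.log
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 203.0.113.7
Jan  6 08:40:11 aks-node-0 sshd[2223]: Failed password for root from 203.0.113.7 port 52161 ssh2

** Alert 1578300600.2280: - pam,syslog,authentication_success,
2020 Jan 06 08:50:00 aks-node-0->/var/log/auth.log
Rule: 5501 (level 3) -> 'Login session opened.'
Jan  6 08:49:59 aks-node-0 sshd[2301]: pam_unix(sshd:session): session opened for user azureuser

** Alert 1578301200.2600: mail  - ossec,syscheck,
2020 Jan 06 09:00:00 aks-node-0->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/ssh/sshd_config'
EOF
    ossec_triage "$tmp" 5
    rm -f "$tmp"
}
demo_triage
```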


Note: Follow these steps to edit the preloaded-vars.conf file and give customized inputs (other than the defaults) to install OSSEC.

1. Log in to the specific virtual machine (node) using SSH keys in the terminal.

2. Go to the /home/azureuser/ossec-hids-2.9.0/etc/ directory using the following command.

$ cd /home/azureuser/ossec-hids-2.9.0/etc/

3. Open the preloaded-vars.conf file and edit as required.

Note: Follow these steps to edit the ossec.conf file and change the existing configurations of OSSEC.

1. Log in to the specific virtual machine (node) using SSH keys in the terminal.

2. Go to the /var/ossec/etc directory using the following command.

$ cd /var/ossec/etc

3. Open the ossec.conf file and edit as required.

3. Appendices

3.1 Prerequisite Packages

White-list the https://packages.microsoft.com/repos/azure-cli/ URL to allow the Kony Fabric

Containers on Azure Solution to download Azure CLI.

3.2 Network Settings - Accessing Azure SQL Database

Communication from Kony's License servers will originate from the following Kony IP address, which should be white-listed in an organization's firewall configuration:

• 115.113.211.130

White-listing the Kony IP address enables access to the Azure SQL Database.

3.3 Configuring NAT Gateway

A network address translation (NAT) gateway is used to enable instances in a private subnet to connect to the internet or other AWS services, but prevent the internet from initiating a connection with those instances. For more information about NAT, see NAT.

From V8 SP4 onwards, Kony Fabric on Azure will support the routing of private subnets through a NAT instance.

To enable NAT Gateway:

• Set the AZURE_FIREWALL_ENABLED flag in the properties file to true.

Azure Firewall acts as the NAT Gateway. All the internet traffic from Kubernetes nodes (VMs) is routed through the NAT Gateway. Deployment of Azure Firewall will increase the overall cost. The cost for Firewall in the East US region is $1.25/hour in Azure. On a monthly basis, the Azure Firewall deployment costs around $900. If you do not want to configure the NAT Gateway, disable the firewall deployment by setting the AZURE_FIREWALL_ENABLED flag to false.

3.4 Hosting your domain with Azure DNS

The Domain Name System, or DNS, is responsible for translating (or resolving) a website or service name to its IP address. Azure DNS is a hosting service for DNS domains, providing name resolution using Microsoft Azure infrastructure. By hosting your domains in Azure, you can manage your DNS records using the same credentials, APIs, tools, and billing as your other Azure services.

Follow these steps to create your first DNS zone and record using the Azure Portal:

1. Create a DNS Zone

i. Sign in to the Azure portal.

ii. On the Hub menu, click Create a resource > Networking, and then click DNS zone to open the Create DNS zone page.

iii. On the Create DNS zone page enter the following values, then click Create:

| Setting | Value | Details |
|---|---|---|
| Name | customdomainname.com | The name of the DNS zone |
| Subscription | [Your subscription] | Select a subscription to create the DNS zone in. |
| Resource group | Create new: testresourcegroup | Create a resource group. The resource group name must be unique within the subscription you selected. |
| Location | West US | |

Note: The resource group refers to the location of the resource group, and has no impact on the DNS zone. The DNS zone location is always global, and is not shown.

2. Create a DNS Record

i. Go to DNS Zones in the Azure portal and select customdomainname.com DNS zone in

the list.

ii. At the top of the DNS zone page, select + Record set to open the Add record set

page.

iii. On the Add record set page, enter the following values, and click OK. In this example, you are creating a CNAME record.

| Setting | Value | Details |
|---|---|---|
| Name | www | Name of the record. |
| Type | CNAME | Type of DNS record you want to create. Acceptable values are A, AAAA, CNAME, MX, NS, SRV, TXT, and PTR. For more information about record types, visit Overview of DNS zones and records. |
| TTL | 1 | Time-to-live of the DNS request. |
| TTL unit | Hours | Measurement of time for TTL value. |
| IP Address | Alias value | This value is the Alias that the DNS record resolves. |

3. Update Name Servers

Once you are satisfied that your DNS zone and records have been set up correctly, you need to

configure your domain name to use the Azure DNS name servers. This enables other users on

the Internet to find your DNS records. The name servers for your zone are given in the Azure

portal:

These name servers should be configured with the domain name registrar (where you purchased the domain name). Your registrar offers the option to set up the name servers for the domain. For more information, refer to Delegate your domain to Azure DNS.

Note: Currently, Azure DNS does not support purchasing of domain names. If you want to

purchase domains, you need to use a third-party domain name registrar. The domains can then

be hosted in Azure DNS for management of DNS records.

3.5 Generating a PFX file from PEM

Different platforms and devices require SSL certificates to be converted to different formats. Use the following command to generate the .pfx file from a .pem file:

$ openssl pkcs12 -inkey private.pem -in public.pem -export -out certificate.pfx -passout pass:xxxxxxxx -certfile more.crt

Breaking down the command:

• openssl – The command for executing OpenSSL.

• pkcs12 – The file utility for PKCS#12 files in OpenSSL.

• -export -out certificate.pfx – Exports and saves the PFX file as certificate.pfx.

• -inkey private.pem – Uses the private key file private.pem as the private key to combine with the certificate.

• -in public.pem – The input file name (the certificate).

• -passout arg – The pass phrase source for the output file. Pass it as pass:<password>.

• -certfile more.crt – Optional. Use it if you have any additional certificates you would like to include in the PFX file.
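The same export with the passphrase kept out of the command line, followed by a read-back check; this is an added example, not part of the original guide. With -passout pass:... the passphrase ends up in shell history and in the process list, whereas env: reads it from an environment variable. The function names and the self-signed certificate are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Kony guide): export a PFX with the passphrase read from
# the environment instead of argv, then confirm the file opens and matches the PEM inputs.
# File names follow the guide's command; the self-signed certificate is constructed.

make_demo_pem() {                 # $1 = work dir; throwaway key and certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=customdomainname.com" \
    -keyout "$1/private.pem" -out "$1/public.pem" 2>/dev/null &&
    chmod 600 "$1/private.pem"
}

export_pfx() {                    # $1 = work dir; passphrase comes from $PFX_PASS
  ( umask 077                     # the PFX contains the private key
    openssl pkcs12 -export -inkey "$1/private.pem" -in "$1/public.pem" \
      -out "$1/certificate.pfx" -passout env:PFX_PASS )
}

cert_fingerprint() {              # reads a PEM certificate on stdin
  openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

verify_pfx() {                    # $1 = work dir; 0 only if certificate and key both match
  # 1. The certificate stored in the PFX is the one we put in.
  vp_want=$(cert_fingerprint < "$1/public.pem")
  vp_got=$(openssl pkcs12 -in "$1/certificate.pfx" -passin env:PFX_PASS \
             -nokeys -clcerts 2>/dev/null | cert_fingerprint)
  [ -n "$vp_got" ] && [ "$vp_want" = "$vp_got" ] || return 1
  # 2. The private key stored in the PFX belongs to that certificate.
  vp_certpub=$(openssl x509 -in "$1/public.pem" -noout -pubkey)
  vp_keypub=$(openssl pkcs12 -in "$1/certificate.pfx" -passin env:PFX_PASS \
                -nocerts -nodes 2>/dev/null | openssl pkey -pubout 2>/dev/null)
  [ -n "$vp_keypub" ] && [ "$vp_certpub" = "$vp_keypub" ]
}

# Usage:
#   export PFX_PASS    # set it without echoing, e.g. with a silent prompt
#   export_pfx . && verify_pfx . && unset PFX_PASS
```

A wrong passphrase, a certificate from a different key pair, or a truncated file all make verify_pfx return non-zero before the PFX is uploaded anywhere.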

3.6 Extracting Logs from your Application

If you want to extract logs from a container, execute the following commands from your terminal:

| Command | Description |
|---|---|
| $ kubectl config current-context | Display the current-context |
| $ kubectl config use-context <cluster-name> | Set the default context to the cluster-name if the current context does not point to the Kony Fabric cluster. |
| $ kubectl get pods | Lists all the pods |
| $ kubectl logs -f <pod-name> | To tail logs from a specific pod |
| $ kubectl logs <pod-name> > logs.txt | To extract the logs of a specific pod to local file |

3.7 Connecting to AKS nodes through Jumpbox

1. Get the Public IP of the Jumpbox from the Azure Portal.

2. Use the following SSH command to connect to the Jumpbox:

$ ssh username@publicip

The default username is devops and password is Devops@12345.

3. To log in to an Azure Kubernetes node from the Jumpbox, you need to get the Private IP of the node from the Azure Portal.

4. Use the private key that corresponds to the public key you provided during Kony Fabric installation. Copy the private key to the Jumpbox. Make sure you delete the key from the Jumpbox when you log out.

5. Execute the following command to log in to the AKS node:

$ ssh -i key.pem username@privateIpOfNode

The default username is azureuser.

3.8 Log Analytics

Microsoft Azure provides the OMS (Operation Management Suite) Log Analytics solution to view the application logs. If you enable the flag for installation of the log analytics solution (AZURE_LOG_ANALYTICS_ENABLED) in the properties file, then the Operations Management Workspace is created in the Azure Resource Group.

Follow these steps to view the application specific logs:

1. Navigate to http://portal.azure.com/.

2. On the home page, select the resource group in which the AKS cluster is created. You can find

the resource group (AZURE_RESOURCE_GROUP) in the properties file which was used in

the Kony Fabric installation.

3. Select Containers solution.

4. Select Container Monitoring Solution.

5. Select CONTAINER LOGS.

6. In the Log Search page, you need to execute the following queries to fetch the logs.

• To fetch all the logs:

ContainerLog | where LogEntrySource == "stdout" | sort by TimeGenerated desc

• To fetch all the error logs:

ContainerLog | where LogEntrySource == "stderr" | sort by TimeGenerated desc

3.8.1 Search Logs

• Using Docker Image Name:

If you want to view feature specific (console, identity, integration, engagement, API Portal) logs, select the respective image.

| Feature | Docker image |
|---|---|
| Console | Kony-fabric-console |
| Identity | Kony-fabric-identity |
| Integration | Kony-fabric-integration |
| Engagement | Kony-fabric-engagement |
| API Portal | Kony-fabric-apiportal |

The image name gets appended to the query when you select the image. Execute the new query to get logs specific to the image.

• Using content

When you want to search for a specific keyword in the logs, execute the following query:

ContainerLog | where LogEntrySource == "stdout" | where Image == "<image-name>" | sort by TimeGenerated desc | search "<keyword>"

You can also apply filters to the logs. Filters can be applied to any column.

• Using request ID

To view the logs based on request id, you need to apply a filter on the Log Entry column.

• Using date range

You can select a custom date range to access the logs.

• By pod name

You can fetch the logs specific to a pod in the kubernetes cluster.

| Feature | Pod name prefix |
|---|---|
| Console | K8s_Kony-fabric-console |
| Identity | K8s_Kony-fabric-identity |
| Integration | K8s_Kony-fabric-integration |
| Engagement | K8s_Kony-fabric-engagement |
| Api Portal | K8s_Kony-fabric-apiportal |

3.9 New Relic Monitoring

New Relic is a monitoring system that enables you to understand the performance of the application, its dependencies, and its bottlenecks, and also increases efficiency and accuracy. New Relic enables you to:

• Get a complete overview of the application and the operating environment.

• Manage your application's performance.

• Identify and troubleshoot bottlenecks.

• Analyze data about customers' usage and experience.

• Monitor your technical resources and ecosystem.

Monitoring of Kony Fabric on Azure using New Relic is performed at two levels:

• Infrastructure Monitoring

• Application Performance Monitoring

Infrastructure Monitoring enables you to monitor node-level metrics like CPU, Memory, Disk Usage, Average load, and I/O metrics.

Application Performance Monitoring enables you to view application performance trends like page load times, error rates, slow transactions, and a list of servers running the application in real time. It helps in identifying and troubleshooting the issues and metrics of Transactions, Databases, JVMs, and Error analytics of each pod individually.

3.9.1 Enabling New Relic Monitoring in Microsoft Azure Cloud

You must have a New Relic license key to enable New Relic Monitoring in Microsoft Azure cloud.

For more information, refer to license key.

Follow these steps to enable New Relic Monitoring in Microsoft Azure cloud:

• To enable New Relic Infrastructure Monitoring, change the value of NEW_RELIC_INFRA_MONITORING_ENABLED to true in the trial.properties or enterprise.properties file.

• To enable New Relic Application Performance Monitoring, change the value of NEW_RELIC_APP_PERF_MONITORING_ENABLED to true in the trial.properties or enterprise.properties file.

• Provide the New Relic Authorized license key for the NEW_RELIC_LICENSE_KEY parameter in the trial.properties or enterprise.properties file.

3.9.2 Accessing New Relic Monitoring Data

Follow these steps to view the business insights or application performance results:

1. Create a New Relic account to get the required NEW_RELIC_LICENSE_KEY to enable the

New Relic Monitoring feature.

2. Sign in to the New Relic portal by providing your credentials at

https://rpm.newrelic.com/accounts/2056095/applications.

3. Choose the required monitoring option in the upper left corner of the New Relic portal. Select APM for Application Performance Monitoring and INFRASTRUCTURE for Infrastructure Monitoring.

3.9.2.1 Application Performance Monitoring

In APM, you can view the metrics of Kony Fabric Kubernetes pods deployed on the Microsoft Azure Kubernetes cluster.

Select a specific pod to view the performance metrics of that pod.

You can view various application performance metrics by selecting the options from the left navigation pane.

• Distributed tracing lets you trace the path of a single request in a complex system. You can understand the entire chain of events, discover the latency of that complete request, and know which step in the path is creating a bottleneck.

• Service maps show the connections and dependencies of your app, including databases and external services.

Health indicators and performance metrics show you the current operational status for every part of your architecture.

• The Transactions screen provides an overview of the throughput metrics and the top five time-consuming transactions.

A transaction trace gives a detailed snapshot of a single transaction in your application. It records the available function calls, database calls, and external calls. You can use transaction traces to troubleshoot performance issues and get detailed low-level insight into how your app is working.

• The Databases screen provides a detailed overview of the performance of your database, pointing out critical errors that are slowing down your application. The database overview provides a stack ranking of the most time-consuming database calls along with aggregated metrics around response times, throughput, and slow SQL traces.

• The External services screen captures calls to out-of-process services such as web services, resources in the cloud, and any other network calls. The external services dashboard provides charts with your top five external services by response time and external calls per minute.

• The JVMs screen captures metrics that include thread activity, HTTP session data, connection pool metrics, class load (or) unload counts, and so on.

3.9.2.2 Infrastructure Monitoring

In the Infrastructure portal of New Relic Monitoring, you can view the Infrastructure metrics of Kony Fabric.

You can view various infrastructure level metrics by selecting different options from the top navigation pane.

• The Hosts screen helps you understand the performance metrics such as CPU usage, load average, and memory used.

• The Network screen provides real-time visibility into the health and performance of individual hosts, web servers, or other groups of resources across your network. Charts include bandwidth metrics by packet, bandwidth by bytes, and errors per second.

• The Storage screen allows you to monitor the capacity and efficiency of your resources, overall utilization, disk usage, or I/O operations.

• The Processes screen lets you view information about the processes running on your infrastructure and set alerts on process metrics.

• The Inventory screen provides a real-time view to filter and search the inventories in each host's configuration.

• The Events screen is a live feed of important system and host activity, including inventory change events, configuration changes, and log analytics events. The event feed helps you understand the correlations between the events and the performance of your system. You can search and filter your events to decrease the mean time to detect and repair the infrastructure issues.

The INSIGHTS tab leverages the data from New Relic's other products to allow you to analyze user behavior, business transactions, customer insights, and more. Using the Insights interface, you can quickly and easily build dashboards to identify problems with your apps and hosts in real-time or to track ongoing data trends.

Select a Dashboard from the Kubernetes insights window to view the data about container CPU usage, container memory usage, container restarts, resources used, etc.

3.10 Rolling Updates

Microsoft Azure provides a rolling updates feature to update the deployment with zero downtime by incrementally updating the pod instances with new pods.

Using the rolling updates feature, you can perform the following actions:

• Update kubernetes pod configuration.

  ◦ Update the properties in the deployment section.

  ◦ Update the -d parameters.

• Increase or decrease the pod count.

• Update the docker image of the container present in the pod.

3.10.1 Prerequisites

Following are the prerequisites to perform rolling updates:

• Linux machine with Ubuntu 16.04 installed.

• Unzipped directory of the Kony Fabric installation zip (Use the same unzipped directory of the Kony Fabric installation which was used for the initial Kony Fabric setup).

Note: You can update the following Kony Fabric pods using the rolling update feature:

• kony-fabric-apiportal

• kony-fabric-console

• kony-fabric-engagement

• kony-fabric-identity

• kony-fabric-integration

3.10.2 Execute Rolling Updates in Azure Kubernetes Cluster

To execute the rolling updates in Azure Kubernetes cluster, perform the following steps.

1. Log on to the Linux machine.

2. Perform the following actions in the unzipped directory of the Kony Fabric on Azure setup.

a. Provide the inputs in the properties file.

b. Execute the kf_setup.sh script.

c. Execute kubectl commands to check the latest status of pods.

Note: Upgrade one pod at a time for smooth roll out of upgrade process.

Modify the properties file for the specific pod you want to upgrade, and execute the script.

Once the new pod is created, repeat the process for other pods.

3.10.2.1 Provide Inputs in Properties File

Note: Use the same properties file that was used to create the cluster.

• Make sure that all the values (AZURE_RESOURCE_GROUP, AZURE_SUBSCRIPTION_ID, SERVICE_PRINCIPAL_CLIENT_ID, SERVICE_PRINCIPAL_CLIENT_SECRET, AZURE_LOCATION, SSH_PUBLIC_KEY, SERVER_DOMAIN_NAME, NEW_RELIC_LICENSE_KEY, Azure DB service parameters, Azure Redis cache details) match with the existing cluster.

• For Non-SSL cloud, SERVER_DOMAIN_NAME must be the Domain Name of the Azure Application Gateway. For example, <random_value>.cloudapp.net.

You can find the Domain Name in Azure console using the following path:

Home > resource group > application gateway > Frontend public IP address

• For SSL Cloud, SERVER_DOMAIN_NAME must be the External Domain Name.

• To execute the rolling update for a pod, set the values of the following parameters in the properties file:

• MAX_SURGE - The number of pods that are created in addition to the desired number of pods during rolling update. Once the roll out is complete, the number of pods is reduced to the desired number of pods. MAX_SURGE is set to one in the properties file, by default.

For example, if the number of pods is three, and maxSurge=1, then there are at most four pods during the update process. Once the roll out is complete, the number of pods will be three.

• MAX_UNAVAILABLE - The maximum number of pods that can be unavailable during the update process. MAX_UNAVAILABLE is set to one in the properties file, by default.

For example, if the number of pods is three, and maxUnavailable=1, then there will be at least two pods in service during the update process. Once the roll out is complete, the number of pods will be three.

Note: The values of MAX_SURGE and MAX_UNAVAILABLE must not be zero simultaneously.
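A pre-flight check that can be run on the properties file before kf_setup.sh is started in Update mode, as an added example that is not part of the Kony installer. It rejects the both-zero combination described in the note, prints the pod-count envelope from the two worked examples, and refuses a file that other users can read, since the same file holds SERVICE_PRINCIPAL_CLIENT_SECRET and NEW_RELIC_LICENSE_KEY. Assumptions: the file consists of KEY=value lines, both settings are plain integers, and the desired pod count is passed as an argument because the guide does not name that property.

```shell
#!/bin/sh
# Added example (not part of the Kony installer): pre-flight check of the properties
# file before kf_setup.sh is run in Update mode.
# Assumptions: KEY=value lines, optional spaces around "=", plain integers for both knobs.

prop_get() {                      # $1 = file, $2 = key; prints the last value assigned
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
    tail -n 1 | sed 's/[[:space:]]*$//'
}

is_uint() {                       # true for 0 or a digit string without leading zero
  case "$1" in ''|*[!0-9]*|0?*) return 1 ;; esac
  return 0
}

file_is_private() {               # true when group and others have no permission bits
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# $1 = properties file, $2 = desired pod count of the deployment being updated.
# Returns 0 ok, 2 bad or missing value, 3 both knobs zero, 4 file readable by others.
check_rolling_update() {
  ru_surge=$(prop_get "$1" MAX_SURGE)
  ru_unavail=$(prop_get "$1" MAX_UNAVAILABLE)
  if ! is_uint "$ru_surge" || ! is_uint "$ru_unavail" || ! is_uint "$2"; then
    echo "MAX_SURGE, MAX_UNAVAILABLE and the pod count must be non-negative integers" >&2
    return 2
  fi
  if [ "$ru_surge" -eq 0 ] && [ "$ru_unavail" -eq 0 ]; then
    echo "MAX_SURGE and MAX_UNAVAILABLE are both 0: no pod could be added or removed" >&2
    return 3
  fi
  if ! file_is_private "$1"; then
    echo "$1 holds SERVICE_PRINCIPAL_CLIENT_SECRET; run: chmod 600 $1" >&2
    return 4
  fi
  ru_floor=$(( $2 - ru_unavail ))
  [ "$ru_floor" -ge 0 ] || ru_floor=0
  echo "pods=$2 max_during_update=$(( $2 + ru_surge )) min_in_service=$ru_floor"
}

write_constructed_properties() {  # $1 = path; constructed sample with placeholder secrets
  ( umask 077
    cat > "$1" <<'EOF'
# constructed sample, not a real deployment
SERVICE_PRINCIPAL_CLIENT_SECRET=<placeholder>
NEW_RELIC_LICENSE_KEY = <placeholder>
MAX_SURGE=1
MAX_UNAVAILABLE = 1
EOF
  )
}

# Usage: check_rolling_update trial.properties 3 && bash kf_setup.sh
```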

3.10.2.2 Execute the kf_setup.sh Script

1. Make sure the current directory is /azure.

2. Execute the kf_setup.sh script using the $ bash kf_setup.sh command.

3. Select the installation mode of the cloud that you want to upgrade (If the setup was done in enterprise mode, then select enterprise; otherwise, select trial mode).

4. Select the execution mode. For rolling updates, select Update.

5. If a database upgrade is required, choose to execute flyway migration. Otherwise, skip the flyway migration.

3.10.2.3 Execute kubectl Commands to Check Latest Status of Pods

Execute the following actions to check the latest status of the pods:

• Open a new terminal instance on the Linux machine.

• While the rolling update is in progress, execute the following commands in the terminal to view the current state of the pod:

$ kubectl get pods

$ kubectl get deployments

Wait till the desired and available counts for the specific pod are equal.

If you want to upgrade other pods, repeat the process.
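The wait described above can be scripted instead of re-running kubectl get deployments by hand; the following is an added example, not part of kf_setup.sh. Besides comparing the desired and available counts, it also checks that the deployment controller has observed the new spec, because immediately after an update the old status still shows equal counts. It assumes the Deployment objects carry the pod names listed in section 3.10.1.

```shell
#!/bin/sh
# Added example (not part of kf_setup.sh): block until a rolling update has finished.
# Assumption: the Deployment carries the pod name from section 3.10.1,
# for example kony-fabric-integration.

deployment_counts() {             # prints generation/observed/desired/updated/available
  kubectl get deployment "$1" -o \
    jsonpath='{.metadata.generation}/{.status.observedGeneration}/{.spec.replicas}/{.status.updatedReplicas}/{.status.availableReplicas}'
}

# 0 = rollout complete, 1 = still in progress, 2 = kubectl failed or gave no data
rollout_converged() {
  rc_out=$(deployment_counts "$1") || return 2
  IFS=/ read -r rc_gen rc_seen rc_want rc_updated rc_avail <<EOF
$rc_out
EOF
  [ -n "$rc_gen" ] && [ -n "$rc_want" ] || return 2
  # Status written before the controller saw the new spec still describes the old rollout.
  [ "${rc_seen:-0}" -ge "$rc_gen" ] || return 1
  # A counter that is zero can be absent from the object, so an empty field is read as 0.
  [ "${rc_updated:-0}" -eq "$rc_want" ] && [ "${rc_avail:-0}" -eq "$rc_want" ]
}

# $1 = deployment, $2 = timeout in seconds, $3 = poll interval in seconds (default 5)
wait_for_rollout() {
  wr_step=${3:-5}
  wr_left=$2
  while :; do
    wr_rc=0
    rollout_converged "$1" || wr_rc=$?
    [ "$wr_rc" -eq 1 ] || return "$wr_rc"
    if [ "$wr_left" -le 0 ]; then
      echo "timed out waiting for $1" >&2
      return 1
    fi
    sleep "$wr_step"
    if [ "$wr_step" -gt 0 ]; then
      wr_left=$(( wr_left - wr_step ))
    else
      wr_left=$(( wr_left - 1 ))
    fi
  done
}

# Usage, one deployment at a time as the guide advises:
#   wait_for_rollout kony-fabric-integration 600 ||
#     kubectl describe deployment kony-fabric-integration
```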

3.10.3 Update kubernetes Pod Configuration

3.10.3.1 Modify the Properties in Deployment Section

The kubernetes rolling update allows you to update the values in the deployment object for every

deployment of the Kony Fabric pod.

You can update the following values in the kubernetes cluster:

• Number of Pods

• Docker image

• Readiness init delay

• Liveness probe init delay

Update the values in the properties file based on your requirement. The image displays the options

available to upgrade the Integration pod:

3.10.3.2 Modify -d parameters for the Pod

Perform the following actions to modify other parameter values for the pod:

• Edit the required values in the properties file.
• Increase the value of readiness_init_delay (or) liveness_init_delay of the pod by one second so that the Kubernetes rolling update for the pod is triggered.

Note: The Kubernetes rolling update starts only when the parameter values in the deployment object are modified. To modify the -d parameters in the configmap section, edit the liveness (or) readiness probe delay to perform the rolling update.

Note: Consider a scenario where your Kony Fabric setup does not have New Relic Monitoring enabled, and you obtain the license key later. You can enable New Relic on your Kony Fabric setup by setting the following values to true.

• NEW_RELIC_INFRA_MONITORING_ENABLED = true
• NEW_RELIC_APP_PERF_MONITORING_ENABLED = true

Provide the license key value in the properties file: NEW_RELIC_LICENSE_KEY = <value>

You must increase the value of the readiness (or) liveness probe delay by one second for a pod to trigger the rolling update and enable the New Relic agent in the pod.

Perform the rolling update.

3.10.4 Increase (or) Decrease Pod Count

To increase the pod count, make sure that the Kubernetes worker nodes (Azure VMs) are scaled properly, and the number of pods is equal to the number of worker nodes.

For example, if you want to increase the integration pod count to three, then the number of worker nodes must be three.

3.10.4.1 Increasing kubernetes Worker Nodes in Azure

1. Sign in to the Microsoft Azure Console.

2. Select the resource group in which the AKS Cluster is created.

3. Select the Scale option on the cluster home page, and increase (or) decrease the count of worker nodes based on your requirement. Save the configuration.

3.10.4.2 Increase (or) Decrease the Number of Pods

After increasing (or) decreasing the number of worker nodes (Azure VMs), you can modify the pod count by following the given steps:

1. Modify the node count of the pod in the properties file.

2. Execute the kf_setup.sh file as described in the earlier section.

3.10.5 Update the Docker Image of the Container inside the Pod

• Modify the docker image in the properties file.

• Execute the kf_setup.sh file as described in the earlier section.

3.11 Kubernetes Dashboard

You can access the Kubernetes dashboard in the Azure portal to view the information related to an application deployed in the Azure Kubernetes cluster. Using the Kubernetes dashboard, you can also view pod metrics such as CPU Usage and Memory Consumption, as well as Kubernetes objects like deployments, configmaps, etc.

3.11.1 Prerequisites

Following are the prerequisites to use the Kubernetes dashboard:

• Linux machine with Ubuntu 16.04 installed
• A valid Azure account
• AKS Cluster deployed in Azure

3.11.2 Steps to Initialize Kubernetes Dashboard in Browser

Following are the steps to access Kubernetes dashboard in browser:

1. Sign in to the Azure portal.

2. Select the Resource Group in which the Kubernetes cluster is created.

3. In the list of resources, select the created Kubernetes cluster.

4. Select the View Kubernetes dashboard tab in the lower-right corner of the screen.

The configuration screen appears:

1. Follow these steps to initialize the Kubernetes dashboard:

i. Click the copy button below the Open the Kubernetes dashboard by running the following command step. The following command is copied:

$ az aks browse --resource-group <resource group name> --name <aks cluster name>

ii. From the top right corner on the navigation bar, click the Power Shell icon.

The bash terminal opens at the bottom of the window.

iii. Paste and execute the copied command in the Bash terminal.

iv. Copy the response URL and open it in a browser to display the Kubernetes Dashboard for the requested resource group.

The Kubernetes Dashboard is rendered in the browser.

You can view the summary of Kubernetes objects of a deployed application like daemon sets, jobs, pods, CPU usage, memory usage, and so on.

Select options from the left navigation pane to view the detailed information of various Kubernetes objects.

For example, select Daemon Sets to view the analytics specific to daemon sets.

3.11.3 Viewing an Application

• Select Pods from the left pane to view the information about each pod.

• Click Services from the left pane to get the IP address of the application.

You can also view more information about daemon sets, replica sets, replication controllers, jobs, deployments, pods, and stateful sets.

3.12 Pod Anti-Affinity

Pod anti-affinity controls how pods are placed on the worker nodes of the Azure Kubernetes cluster so that the deployed application is resilient. Rules defined in the pod configuration allow a pod to be deployed on a particular node only when the required conditions are satisfied. No two pods of the same kind are deployed on a single node. Pod anti-affinity helps in distributing the pods across the cluster nodes and helps in creating resilient applications.

3.13 AKS Autoscaling

The AKS autoscaling feature helps to scale the service in case of a spike or a drop in application traffic. In case of a spike in traffic, new pods need to be created, and the cluster should create new worker nodes to deploy additional pods to serve the incoming traffic. Similarly, when there is a drop in traffic, nodes and pods need to scale down. This ability to automatically scale up or down the number of nodes in the AKS cluster helps in running an efficient and cost-effective cluster.

There are two components involved in autoscaling of the AKS cluster:

• Cluster Autoscaler: Scales the nodes in the cluster based on the pending pods which need to be deployed.

• Horizontal Pod Autoscaler: Monitors the resource demand of pods. If a service needs more resources, the number of pods is automatically increased to meet the demand. You must give inputs of memory, CPU limit, and the min and max number of pods that can be scaled.

You can check the runtime usage of memory and CPU by using the following command (hpa is the horizontal pod autoscaler):

$ kubectl get hpa

Whenever the usage of either the memory or the CPU exceeds the limit given for that particular pod, the Horizontal Pod Autoscaler is triggered and it starts scaling up the pod.

As pod anti-affinity is implemented, multiple pods of the same component can't be scheduled on a node, which takes care of the fault tolerance of the deployed application.

When the traffic goes down and the memory and CPU usage falls below the threshold values, newly created pods are terminated. This also results in scaling down of newly created nodes to the minimum number of nodes specified by the user.

For the details about user inputs, refer to the Configuration section.
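
The placement rule from the Pod Anti-Affinity section and the pending pods that drive the Cluster Autoscaler can both be checked from one pod listing. The following is an added example, not part of the Kony guide; it assumes the pods carry an "app" label, and the app and node names used to test it are constructed.

```shell
#!/usr/bin/env bash
# Added example, not part of the Kony guide. Assumes pods carry an "app" label.

# Input: one "app node" pair per line, as printed by
#   kubectl get pods --no-headers \
#     -o custom-columns=APP:.metadata.labels.app,NODE:.spec.nodeName
# Output, sorted:
#   COLOCATED app node count    two or more pods of one app share that node,
#                               so the anti-affinity rule is not in effect
#   UNSCHEDULED app count       pods with no node yet; with anti-affinity in
#                               place they wait until a free node exists
placement_report() {
  awk '
    NF < 2 || $1 == "<none>" { next }        # pods without the label are ignored
    $2 == "<none>" { pending[$1]++; next }   # no node assigned yet
    { placed[$1 " " $2]++ }
    END {
      for (k in placed) if (placed[k] > 1) print "COLOCATED", k, placed[k]
      for (a in pending) print "UNSCHEDULED", a, pending[a]
    }' | LC_ALL=C sort
}
```

An empty report means every labeled pod is on its own node and nothing is waiting for capacity.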

3.14 Azure Resource Group Role Based Access Control (RBAC)

The way to control access to resources using RBAC is to create role assignments.

A role assignment is the process of binding a role definition to a user, group, or service principal at a particular scope for the purpose of granting access. You can create role assignments using the Azure portal, Azure CLI, Azure PowerShell, Azure SDKs, or REST APIs.

The creation of role assignments has the following three elements:

• Security Principal: An object that represents a user, group, or service principal that requests access to Azure resources.

• Role Definition: A collection of permissions such as read, write, and delete. Roles can be generic, like owner, or specific, like virtual machine reader. You can either use the built-in roles or create custom roles for assigning.

• Scope: A boundary that the access applies to. It can be specified at multiple levels such as management group, subscription, resource group, or resource.

To create and remove role assignments, you must have the Microsoft.Authorization/roleAssignments/* permission. The Owner or User Access Administrator roles can grant this permission.

Note: When planning the access control strategy, it is a best practice to grant users the least privilege to get their work done.

3.14.1 Assign a Role at a Resource Group Scope

1. In the navigation list, select Resource groups.

2. Select a resource group.

3. Select Access control (IAM) to see the current list of role assignments at the resource group scope.

4. Select Add to open the Add Permissions pane.

5. The Add option is visible only if you have the permission to assign roles.

6. In the Role drop-down list, select a role such as Virtual Machine Contributor.

7. In the Select list, select a user, group, or application. If you don't see the security principal in the list, you can type in the Select box to search the directory for display names, email addresses, and object identifiers.

8. Click Save to assign the role.

9. After a few moments, the security principal is assigned the role at the resource group scope.

You can use the same process to assign a role at the subscription level or the management group level.

Note: If the built-in roles do not meet the specific needs of your organization, then you can create custom roles. Just like built-in roles, you can assign custom roles to users, groups, and service principals at subscription, resource group, and resource scopes. Custom roles are stored in an Azure Active Directory (Azure AD) directory and can be shared across subscriptions. Each directory can have up to 2000 custom roles. You can create custom roles with Azure PowerShell, Azure CLI, or the REST API.
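
The portal steps above have an Azure CLI form, and the least-privilege note can be checked by listing who holds a role that can create or remove role assignments. The following is an added example, not part of the Kony guide; the principal names, subscription ID and resource group used to test it are constructed.

```shell
#!/usr/bin/env bash
# Added example, not part of the Kony guide.

# CLI form of the portal steps: assign a role at resource group scope.
# usage: assign_role_at_rg <user, group or service principal> <role> <resource group>
assign_role_at_rg() {
  az role assignment create --assignee "$1" --role "$2" --resource-group "$3"
}

# Read tab-separated "principal<TAB>role<TAB>scope" lines on stdin and print
# "principal<TAB>role<TAB>level" for every assignment whose role can create
# or remove role assignments (Owner, User Access Administrator).
# level is where the assignment was made: root, management-group,
# subscription, resource-group or resource.
role_admins() {
  awk '
    BEGIN { FS = "\t"; OFS = "\t" }
    $2 != "Owner" && $2 != "User Access Administrator" { next }
    {
      s = tolower($3)
      level = "resource"
      if (s == "/") level = "root"
      else if (s ~ "^/providers/microsoft[.]management/managementgroups/[^/]+$") level = "management-group"
      else if (s ~ "^/subscriptions/[^/]+$") level = "subscription"
      else if (s ~ "^/subscriptions/[^/]+/resourcegroups/[^/]+$") level = "resource-group"
      print $1, $2, level
    }'
}

# Same input; print only the rows granted above the resource group, that is,
# access the resource group inherits rather than grants itself.
inherited_role_admins() {
  role_admins | awk -F "\t" '$3 == "root" || $3 == "management-group" || $3 == "subscription"'
}

# Live use (requires a logged-in Azure CLI):
#   az role assignment list --resource-group "$RG" --include-inherited \
#     --query "[].[principalName, roleDefinitionName, scope]" --output tsv | role_admins
```

Rows reported by inherited_role_admins cannot be removed at the resource group; they have to be reviewed at the subscription or management group where they were granted.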

3.15 Block IP addresses in the Azure Web Application Firewall

Follow these steps to block IP addresses in the Azure Web Application Firewall:

1. Log on to the Azure portal (portal.azure.com) using your Microsoft account credentials.

2. Select the Resource group in which the WAF is created.

3. Select the Web Application Firewall resource.

4. Select the subnet which has the WAF attached.

5. Create a new Network Security Group (NSG).

Note: By default, NSG is not created for AppGateway.

6. Configure inbound rules in the Network Security Group.

7. Add new rules in the Network Security Group.

8. Associate the AppGateway subnet with the Network Security Group.
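
Steps 6 to 8 can also be prepared from the Azure CLI. The following is an added example, not part of the Kony guide: it validates a block list and prints one inbound Deny rule command for review. The rule name and all resource names are placeholders, and the addresses used to test it come from documentation ranges.

```shell
#!/usr/bin/env bash
# Added example, not part of the Kony guide. Resource group, NSG, VNet and
# subnet names are placeholders chosen here.

# Succeed if $1 is a dotted-quad IPv4 address or an IPv4 CIDR block.
is_ipv4_or_cidr() {
  printf '%s\n' "$1" | awk '
    {
      n = split($0, part, "/")
      if (n < 1 || n > 2) { bad = 1; exit }
      if (n == 2 && (part[2] !~ /^[0-9]+$/ || part[2] + 0 > 32)) { bad = 1; exit }
      if (split(part[1], octet, "[.]") != 4) { bad = 1; exit }
      for (i = 1; i <= 4; i++)
        if (octet[i] !~ /^[0-9]+$/ || octet[i] + 0 > 255) { bad = 1; exit }
    }
    END { exit (bad ? 1 : 0) }'
}

# Read candidate addresses on stdin (one per line, "#" comments allowed) and
# print a single az command that denies all valid ones inbound. Invalid
# entries are reported on stderr and left out, so a typo never becomes a rule.
# usage: deny_rule_command <resource group> <nsg name> <priority 100-4096>
deny_rule_command() {
  rg=$1 nsg=$2 prio=$3 sources=""
  case $prio in
    ''|*[!0-9]*) echo "priority must be a number" >&2; return 2 ;;
  esac
  if [ "$prio" -lt 100 ] || [ "$prio" -gt 4096 ]; then
    echo "priority must be between 100 and 4096" >&2
    return 2
  fi
  while IFS= read -r addr || [ -n "$addr" ]; do
    case $addr in ''|'#'*) continue ;; esac
    if is_ipv4_or_cidr "$addr"; then
      sources="$sources $addr"
    else
      echo "skipping invalid entry: $addr" >&2
    fi
  done
  if [ -z "$sources" ]; then
    echo "no valid addresses supplied" >&2
    return 1
  fi
  printf 'az network nsg rule create --resource-group %s --nsg-name %s' "$rg" "$nsg"
  printf ' --name deny-blocked-sources --priority %s --direction Inbound' "$prio"
  printf ' --access Deny --protocol "*" --source-address-prefixes%s' "$sources"
  printf ' --destination-port-ranges "*"\n'
}

# After reviewing and running the printed command, attach the NSG (step 8):
#   az network vnet subnet update --resource-group <rg> --vnet-name <vnet> \
#     --name <appgateway subnet> --network-security-group <nsg>
```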

3.16 Block IP addresses in the Azure CDN

Follow these steps to block IP addresses in the Azure Content Delivery Network (CDN):

1. Log on to the Azure portal (portal.azure.com) using your Microsoft account credentials.

2. Select the Resource group in which CDN is created.

3. Go to the CDN profile from the list of resources available in the Azure Resource Group.

4. Click Manage from the top navigation bar.

5. From the HTTP Large list, select Rules Engine.

6. Configure the new Rule.

3.17 Whitelist IP Address in Azure CDN

Automation of rules configuration is not supported by az-cli; therefore, we need to access the CDN Manage Portal to configure rules.

Follow these steps to whitelist IP addresses in the Azure Content Delivery Network (CDN):

1. Log on to the Azure portal (portal.azure.com) using your Microsoft account credentials.

2. Select the Resource group in which CDN is created.

3. Go to the CDN profile from the list of resources available in the Azure Resource Group.

4. Click Manage from the top navigation bar to access the CDN Manage Portal.

5. Configure the new Rule.

6. Set Deny Access (403) to Enabled.

This determines whether all requests are rejected with a 403 Forbidden response or not.

You can set Deny Access (403) to the values shown in the following table:

Value      Result
Enabled    Causes all requests that satisfy the matching criteria to be rejected with a 403 Forbidden response.
Disabled   Allows the origin server to determine the type of response that will be returned.

Note: It takes some time for the rule to be propagated to the CDN edge nodes. Check the status of the rule in the CDN Manage Portal.

3.18 Configure Email Alerts for ClamAV and OSSEC

3.18.1 INSTALLING OMS AGENT ON THE VIRTUAL MACHINE

1. Select OMS workspace from the list of resources available in the resource group.

2. Select virtual machines from the left navigation pane.

3. From the list of available virtual machines, select the virtual machine from the required resource group.

4. Click Connect to install OMS agent on the selected virtual machine.

3.18.2 CONFIGURING CUSTOM LOGS IN LOG ANALYTICS

1. Log on to the Azure portal (portal.azure.com) using your Microsoft account credentials.

2. Select Resource Groups from the left navigation pane.

All existing resource groups appear.

Select the resource group in which the Log Analytics workspace is created.

3. Click on Log Analytics Workspace.

4. Select Advance settings from the left navigation pane.

5. Navigate to Data -> Custom Logs and click Add+ to create a new custom log.

6. Upload a sample log file which is of the same format as that of the logs to be collected.

7. Select the delimiter (newline/timestamp) based on which the logs are to be separated.

8. Give the path from where the logs are to be fetched.

9. Give a Name and Description for the custom log created and click OK.

3.18.3 CREATE ALERT RULES FOR THE LOGS

1. Log on to the Azure portal (portal.azure.com) using your Microsoft account credentials.

2. Select Resource Groups from the left navigation pane.

All existing resource groups appear.

Select the resource group in which the Log Analytics workspace is created.

3. Click on Log Analytics Workspace.

4. Click Alerts on Monitoring.

5. Click New Alert Rule.

6. Creation of an Alert rule consists of 3 steps.

• Select the resource for which you want to configure the alert.

• Configure the condition on which the alert should be triggered.

Click Add condition.

• Select the type of log on which the condition must be configured.

Select Custom log search.

• Write the query for which the alert should be triggered.

Set the Alert logic, Condition, Threshold, Period and Frequency values.

Click Done.

7. Set the action group which must trigger or notify about the alert.

Click Create new.

8. Configure all the details.

Select action type as Email/SMS/Push/Voice.

Give the mail ID and other details to create the action group.

Click OK.

9. Set the alert rule details such as Name and Description to be shown in the triggered mail.

Select yes for Enable rule upon creation.

3.19 VPN Reference Implementation

Note: VPN Reference Implementation is documented assuming that the FortiGate Firewall is used on the On-Premise setup. If you are using any other firewall, contact your system administrator for setting up the incoming policies from the Kony Fabric setup on Microsoft Azure Cloud.

A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires an on-premises VPN device that has an externally facing public IP address assigned to it. Follow the steps described here to set up a site-to-site VPN.

3.20 Configure Backup and Restore for Azure File Share

An Azure file share is a convenient place for cloud applications to write their logs, metrics, and crash dumps. Logs can be written by the application instances via the File REST API, and developers can access them by mounting the file share on their local machine. To understand how to create a file share on Azure, refer to Create a file share in Azure Files.

Before you back up an Azure file share, you must ensure that it is present in one of the supported Storage Account types.

3.20.1 Configuring Backup

1. Create a Recovery Services Vault in the same region as your file share.

2. After creating a vault or if you already have a vault, open your vault’s Overview page and click Backup.

3. In the Backup Goal menu, from What do you want to back up?, choose Azure FileShare.

4. Click Backup to configure the backup of Azure FileShare to your Recovery Services vault.

A Select Storage Account window appears. A list of all the supported Storage Accounts in the region where your vault exists is displayed.

5. From the given list of Storage accounts, select an account and click OK.

Azure searches the storage account for file shares that can be backed up. If you have recently added your file shares and do not see them in the list, allow a little time for the file shares to appear.

6. From the list of File Shares that appear, select one or more of the file shares you want to back up and click OK.

7. After choosing your file shares, the Backup menu switches to the Backup policy. From this menu either select an existing backup policy, or create a new one, and then click Enable Backup.

After establishing a backup policy, a snapshot of the file shares will be taken at the scheduled time, and the recovery point is retained for the chosen period.

You can also create an on-demand backup of file shares. For more information on this feature, refer to Create an on-demand backup.

3.20.2 Configuring Restore

If you need to restore an entire file share or individual files or folders from a Restore Point, do the following in the Backup Items menu.

1. Open the Recovery Services Vault that contains the file share recovery points and click Backup Items. The list of Backup Item types appears.

2. From the list, select Azure Storage (Azure Files). The list of Azure file shares appears.

3. From the list of Azure file shares, select the desired file share. The Backup Item details appear.

4. From the Backup Item menu, choose Restore Share to restore an entire file share from a desired Point-in-time.

5. From the list of Restore Points that are displayed, select one. The selected restore point will be used to Overwrite your current file share or Restore it to an alternate file share in the same region.

3.20.3 Create and share a File Share Snapshot

Azure Files provides the capability to take share snapshots of file shares. Share snapshots capture the share state at that point in time.

Snapshots can be of the following types, based on the operating system in which they're being captured.

• Logical Volume Manager (LVM) snapshots for Linux systems
• Apple File System (APFS) snapshots for macOS
• Volume Shadow Copy Service (VSS) for Windows file systems. NTFS and ReFS are examples of VSS.

The az storage share snapshot command must be used to create a snapshot of an existing share under the specified account.

Command

az storage share snapshot --name [--account-key] [--account-name] [--connection-string] [--metadata] [--quota] [--sas-token] [--subscription] [--timeout]

Example

SNAPSHOT=$(az storage share snapshot --account-name "$STORAGEACCT" --account-key "$STORAGEKEY" --name "myshare" --query "snapshot" | tr -d '"')

3.20.4 Restore from a share snapshot

The az storage file copy start command can be used to restore a file. Perform the following steps to restore from a share snapshot:

1. Delete the sample file (for example: SampleUpload.txt) that you have uploaded earlier, so you can restore it from the snapshot.

az storage file delete --account-name "$STORAGEACCT" --account-key "$STORAGEKEY" --share-name "myshare" --path "myDirectory/SampleUpload.txt"

2. Build the source URI for a snapshot restore.

URI=$(az storage account show --resource-group "myResourceGroup" --name "$STORAGEACCT" --query "primaryEndpoints.file" | tr -d '"')

URI="${URI}myshare/myDirectory/SampleUpload.txt?sharesnapshot=${SNAPSHOT}"

3. Restore SampleUpload.txt from the share snapshot.

az storage file copy start --account-name "$STORAGEACCT" --account-key "$STORAGEKEY" --source-uri "$URI" --destination-share "myshare" --destination-path "myDirectory/SampleUpload.txt"

3.20.5 Virtual Private Network (VPN) Reference Implementation:

3.20.6 Site-to-Site tunnel between Microsoft Azure and On-Premise Network with FortiGate Firewall

This document outlines the process required to set up a site-to-site tunnel between an Azure network and an on-premise network with FortiGate Firewall.

Note: VPN Reference Implementation is documented assuming that the FortiGate Firewall is used on the On-Premise setup. If you are using any other firewall, contact your system administrator for setting up the incoming policies from Kony Fabric set up on Microsoft Azure Cloud.

The following steps help you to implement a VPN connection between Microsoft Azure and an On-Premise Network:

1. Create the Azure Virtual Network

2. Create the Gateway Subnet

3. Create the Virtual Network Gateway object

4. Create the Local Network Gateway object

5. Create Site-to-Site VPN

3.20.6.1 Step 1. Create the Azure Virtual Network

From the Azure portal, click New and start typing Virtual network into the search field, then click on Virtual network.

• Name: Provide the name for the Virtual Network object in Azure.

• Address space: Provide a subnet IP Address and ensure that it does not overlap with your on-premises IP address space. Pick an address that is outside the range of your local subnets. For example, 10.100.0.0/16.

• Resource group: Creates an object in Azure called a Resource group (a container with items related to one another).

• Location: Places your network into a specific Microsoft datacenter. You cannot connect a virtual machine from a different datacenter to this virtual network.

• Subnet: Provide a Name and an Address range. You can provide the same details, or a sub-set of the details (saving additional space for later use), that you provided in the Address space. For example, 10.100.0.0/24.

Once you configure all the fields, click Create to complete the setup.

3.20.6.2 Step 2. Create the Gateway Subnet

You need an internal gateway in your network that Azure can use to route traffic back to your on-premises environment.

1. After your virtual network is built, select it from All resources.

2. On the left menu, select Subnets.

3. Click the option to add a Gateway subnet.

Note: Azure picks an address range within the space you previously defined. In the given example, it uses 10.100.1.0/24 as the GatewaySubnet. You cannot pick any other name as this is how Azure knows what the subnet is for.

4. Click OK.

3.20.6.3 Step 3. Create the Virtual Network Gateway object

You need a software VPN service which is the endpoint for your firewall. The VPN is called a Virtual network gateway in Azure.

Follow these steps to create a new Virtual network gateway:

1. Go to New.

2. Search for Virtual network gateway, and select it from the search results.

3. On the next screen, click Create.

Enter the following details:

• Name: Provide a name that matches with the name of your virtual network.

• Gateway type: Select VPN.

• VPN type: Select Route-based VPN.

• SKU: Select Basic, as it fits the requirements of most SMBs (Server Message Blocks).

• Virtual network: Choose the Virtual Network that you created.

• Public IP address: To create a new Public IP Address: Click on Create new, give it a name, and click OK.

It is recommended to append IP to the name that matches the gateway object you create.

Choose your Subscription and your Location (make sure that you match it with your other resources), and click Create.

The creation of the virtual network gateway may take some time to complete.

3.20.6.4 Step 4. Create the Local Network Gateway object

You must create another object to represent your local on-premises network, so that Azure knows your location, and what is behind your firewall. Basically, this defines your on-premises IP address space, as well as an endpoint or gateway (the public IP assigned to your firewall).

Search for Local network gateway and click Add.

Enter the following details:

• Name: Provide a name that is distinct from the Azure Gateway.

• IP address: This is your firewall’s primary public IP address.

• Address space: Add all the internal subnets that exist behind your firewall. The Azure virtual network requires routes to these subnets.

Note: Include only those subnets that require communication with the Azure virtual network.

• Subscription: Select your subscription type.

• Resource group: Choose your resource group.

• Location: Select the same location as you did during the creation of the Azure Virtual Network.

After entering all these details, click Create.
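
The address constraints from Steps 1, 2 and 4 (every subnet inside the virtual network address space, and that space not overlapping the on-premises ranges entered on the Local network gateway) can be checked before anything is created in the portal. The following Python check is an added example, not part of this guide or of Kony's tooling; the function name check_address_plan, the subnet name "default" and the on-premises ranges are assumptions, while 10.100.0.0/16, 10.100.0.0/24 and 10.100.1.0/24 are the guide's own example values.

```python
import ipaddress
from itertools import combinations


def check_address_plan(vnet_space, subnets, on_prem_spaces):
    """Return a list of problems in a site-to-site address plan (empty = OK).

    vnet_space     -- Azure virtual network address space, as CIDR text
    subnets        -- dict: subnet name -> CIDR inside the virtual network
    on_prem_spaces -- CIDRs entered as the Local network gateway address space
    """
    problems = []
    vnet = ipaddress.ip_network(vnet_space)  # ValueError if malformed

    parsed = {}
    for name, cidr in subnets.items():
        try:
            # Strict parsing rejects host bits, e.g. 10.100.1.5/24.
            parsed[name] = ipaddress.ip_network(cidr)
        except ValueError as exc:
            problems.append(f"subnet {name}: {exc}")

    # Every subnet, GatewaySubnet included, must sit inside the VNet space.
    for name, net in parsed.items():
        if net.version != vnet.version or not net.subnet_of(vnet):
            problems.append(f"subnet {name} ({net}) is outside {vnet}")

    # Subnets of one virtual network must not overlap each other.
    for (a, net_a), (b, net_b) in combinations(parsed.items(), 2):
        if net_a.overlaps(net_b):
            problems.append(f"subnets {a} ({net_a}) and {b} ({net_b}) overlap")

    # The VNet space must not overlap anything routed behind the firewall.
    for cidr in on_prem_spaces:
        try:
            local = ipaddress.ip_network(cidr)
        except ValueError as exc:
            problems.append(f"on-premises range {cidr!r}: {exc}")
            continue
        if local.overlaps(vnet):
            problems.append(f"on-premises range {local} overlaps VNet {vnet}")
    return problems


if __name__ == "__main__":
    # Guide's example values plus constructed on-premises ranges.
    plan = {"default": "10.100.0.0/24", "GatewaySubnet": "10.100.1.0/24"}
    for line in check_address_plan("10.100.0.0/16", plan,
                                   ["192.168.10.0/24", "10.100.5.0/24"]):
        print("PROBLEM:", line)
```
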

3.20.6.5 Step 5. Create Site-to-Site VPN

Go to More Services > Virtual network gateways > Connections > Add

• Name: Provide a name related to the Azure Virtual network that you are creating.

• Connection type: From the drop-down, select Site-to-Site (IPSec).

• Local network gateway: Select the Local network gateway that you created.

• Shared key (PSK): Provide a complex string and save it securely. You must provide this key on your on-premises firewall.

After entering these details, click OK.

3.20.6.6 On-Prem FortiGate Firewall configuration

Log in to Fortinet and go to the VPN tab. Configure both the phases based on the following sections:

Phase 1 Configuration

• Click the Auto Key (IKE) Tab and create Phase 1.

• Fill out the IP address with the Azure Virtual GW IP.

• Under P1 Proposal, ensure the following:

• Encryption must be AES256. This is mandatory for the FortiGate Vendor.

• Authentication must be SHA1.

• Key life must be 7200.

• Enable NAT translation.

Phase 2 Configuration

• Click Auto Key (IKE) Tab and create Phase 2.

• Under Phase 2, set Local Address to the local subnet and Remote Address to the VPN tunnel endpoint subnet (present at the Virtual Network Address Spaces in Microsoft Azure).

3.20.6.7 Policies

Follow these steps to create the FortiGate firewall policies:

• Go to Policy & Objects > Policy

• Create a new policy for the site-to-site connection that allows outgoing traffic.

• Set the Source Address and Destination Address using the Firewall objects you just created.

• Create another policy for the same connection to allow incoming traffic and swap the Source Address and Destination Address.

Go to VPN > Monitor > IPsec Monitor to check the status of your VPN tunnel.

3.21 Azure Components Version Tracker

Azure Component              Version

Kubectl                      V1.13.12

Redis Cache                  4.0.14

Azure CLI                    2.0.77

Azure Kubernetes Service     1.13.12

Ubuntu (Virtual Machine)     16.04

Tomcat                       8.5.35

Docker                       18.09.9-ce

ingress-nginx                0.16.0

SQL product                  12.0.2000.8

SQL major version            12

SQL minor version            0

SQL Engine edition           5

SQL Product level            RTM

MySQL                        5.7

4. Frequently Asked Questions (FAQs)

1. What permissions do I need to have to create the Azure AKS resources?

You require the following permissions to create the Azure AKS resources:

The Azure account holder should have the role of a Global Administrator. The default role is User. As a Global Administrator you can create AKS clusters and other resources through the Azure Portal or the Azure CLI. Otherwise, the following error will be shown:

Directory permission is needed for the current user to register the application.

For how to configure the service principal portal, refer to Create service principal portal on Azure.

For more details, refer to Check azure subscription permissions.

2. Is Azure Kubernetes Service (AKS) supported in all the regions?

No. The available regions for the resource type Microsoft.ContainerService/managedClusters are: eastus, westeurope, centralus, canadacentral, canadaeast.

3. Do I need to have an account with the Docker Hub to pull the Kony Fabric Images?

No, you do not need an account with the Docker Hub to access the Kony Fabric images. The images are public and you do not need any authorization to download them.

4. Can I decide the number of nodes in my AKS cluster?

Yes, you can provide this as an input through the K8S_NODE_COUNT parameter in the aks_cluster_config.properties file along with the other parameters.

5. Can I configure a custom address space for AKS cluster instead of the default address space?

Yes, you can provide the custom address space by setting the value for VNET_ADDRESS_SPACE in the aks_cluster_config.properties file.

Note: To provide a custom address space, ensure that the AKS subnet address space, Azure application gateway subnet address space, and the jumpbox subnet address space exist within the same virtual network address space and do not overlap.

6. Can I configure an additional email address for alert notifications?

Yes, you can provide an additional email address for alert notifications. To do so, you need to select the Azure role to configure sending alert notifications in the Azure portal. Perform the following steps:

1. Log in to Azure portal.

2. Select Monitor, click Manage action groups.

3. Edit the action group for which the email IDs need to be added.

4. Select the role from the given list, as illustrated in the following image.

7. What is the frequency of monitoring for alert notification?

By default, for a window size of 60 minutes, polling takes place every 5 minutes to check for threshold violations. A value for window size and polling time can be set on the Azure portal, if required.

Note: Based on the Azure subscription, the user can customize the polling time according to requirement.

8. How can I use a custom domain name to access my Kony Fabric installation?

You can use the Azure DNS Service for installing Kony Fabric.

For detailed documentation, refer to DNS-Getting Started Portal.

9. How can I whitelist custom IP ranges to allow access to my Database service?

You can whitelist the required IP addresses under the Firewall Rules of the Connection Security page for the Database, so that it is accessible by the DB user and the application.

For more details, refer to Firewall Rules.

10. Can I create multiple clusters simultaneously?

Yes, you can. Make sure that you maintain separate folders for each installation.

11. How can I delete my AKS cluster?

Go to the Resource Groups tab in the Azure portal and delete the resource group which was created during the installation.

12. What can be done if the Installation fails underway?

If the error is related to some misconfiguration of the properties file, user permissions, or Azure quota issues, you need to fix those issues. Then you need to delete the resource group and execute the installation script.

13. What can be done if VNet Peering is required with the existing AKS Cluster VNet?

You can have VNet Peering with the existing VNet created during the installation. Make sure that the address range for VNets does not overlap. The CIDR for the existing VNet is 10.0.0.0/8.

14. Can I publish an app in WAR format?

No, you cannot publish an app in WAR format. Kony Fabric on Azure currently supports publishing an app only in Zip folder format. Publishing an app in WAR format results in an error.
