Configuring VNets on Azure with private IPs and CCM

When you configure a Vnet with private IPs and CCM, you have two alternatives: Have CDP set up your private network and security groups or Set up the VNet with you yor private IPs and security groups.

Have CDP set up your private network and security groups

If you choose to have CDP create your private network and security groups when you are testing or sandboxing CCM, when you enable CCM, CDP performs the following:

  • Creates six subnets as Azure does not distinguish between Public and Private subnets. By default they are all Private.
  • When CDP creates the security group, it opens two ports to the CIDR range that you specify, port 22 and port 443. Use these ports only to access these clusters. Outbound is not limited and has access to everything that is ongoing since the Network Load Balancer (NLB) that the SSH tunnel service relates does not have a predictive IP address range.

Set up VNets with your own private IPs and security groups

If you choose to configure your own VNets with private IPs, you will need the following at least three private subnets for hosts that will use CCM.

In your Azure Portal console, configure the following:

  1. Create three private subnets:

    1. You must configure outbound traffic for CDP resources.

    2. The workload clusters containing CCM (Knox, master, or CM for Classic Cluster) must be able to reach the Network Load Balancers (NLBs).

    3. Currently you can use ports 6000-6049 to connect to the NLBs.

  2. Create your security groups.

    Security groups do not need any external facing connections. You can choose what they open. The only requirement is to have outbound connectivity. At this point there is no defined network CIDR range needed. The SSH tunnel service will assign a random IP to the NLB.
In the CDP user interface, configure the following:
  1. After you have created your subnets and security groups, follow the steps for creating an Environment.

    See Register an Azure environment.
  2. Click the button to Enable Cluster Connectivity Manager on the Region, Networking, Security and Storage page.

    This will install CCM on the gateway nodes for the private subnets, establishing the reverse SSH tunnel.