Anapaya EDGE on Microsoft Azure
This section will guide you through the steps to get the Anapaya EDGE Appliance from the Azure Compute Gallery up and running.
Prerequisites
Before you can start, you need an Azure account. If you do not have one yet, you can create one here. You also need SCION access into the Azure cloud. If you do not have it yet, please contact the Anapaya Customer Success team.
Installation
The Anapaya EDGE Appliance is available on the Azure Marketplace.
Start an Anapaya EDGE VM using one of the recommended instance types. We recommend allocating at least two CPUs and 4GB of memory or four CPUs and 8GB of memory for better throughput. You can always change the instance type later on if you want to increase performance. Use anapaya as the username for the Administrator account and set a secure password (do not use SSH public key based authentication at this point).
VNET Configuration
We recommend launching the appliance in a VNET with at least two subnets. One subnet is used for the management interface and can have Internet access. The other subnet is used for the SCION interface towards the SCION network; the IP addressing details of this subnet are provided by your SCION access provider. Ideally, you should also have a third subnet to connect the EDGE appliance to your applications.
Security Group Configuration
If you want to access the appliance from the Internet via SSH, you need to configure the security group to allow incoming SSH connections. The appliance uses port 22 for SSH.
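To review the security group after adding the SSH rule, the following added example (not part of the Anapaya documentation) flags inbound Allow rules that expose port 22 to any source address. It assumes the rules were exported as JSON with `az network nsg rule list -o json`; the sample rules, their names and their addresses are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample shaped like `az network nsg rule list -o json` output
# (rule names and addresses are made up for this example).
SAMPLE_RULES = json.loads("""[
 {"name": "ssh-from-anywhere", "priority": 100, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
 {"name": "ssh-from-admin-net", "priority": 110, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24",
  "destinationPortRange": null, "destinationPortRanges": ["22", "443"]},
 {"name": "wide-range", "priority": 120, "direction": "Inbound", "access": "Allow",
  "protocol": "*", "sourceAddressPrefixes": ["0.0.0.0/0"], "destinationPortRange": "20-25"}
]""")

SSH_PORT = 22  # the port the appliance uses for SSH

def _values(rule, single, plural):
    """A rule carries either one value or a list; merge both into one list."""
    return [v for v in [rule.get(single), *(rule.get(plural) or [])] if v]

def _covers_port(spec, port):
    if spec == "*":  # spec is "22", "20-25" or "*"
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def _is_any_source(prefix):
    """True for "*", the Internet service tag, or a /0 CIDR."""
    if prefix in ("*", "Internet"):
        return True
    try:
        return ipaddress.ip_network(prefix, strict=False).prefixlen == 0
    except ValueError:  # other service tags such as VirtualNetwork
        return False

def ssh_open_to_internet(rules):
    """Names of inbound Allow rules exposing SSH_PORT to any source, in priority
    order. Higher-priority Deny rules are not evaluated; review each hit."""
    hits = []
    for r in sorted(rules, key=lambda r: r["priority"]):
        inbound_allow = (r["direction"].lower(), r["access"].lower()) == ("inbound", "allow")
        if not inbound_allow or r["protocol"].lower() not in ("tcp", "*"):
            continue
        ports = _values(r, "destinationPortRange", "destinationPortRanges")
        sources = _values(r, "sourceAddressPrefix", "sourceAddressPrefixes")
        if any(_covers_port(p, SSH_PORT) for p in ports) and any(map(_is_any_source, sources)):
            hits.append(r["name"])
    return hits
```

A rule limited to a known management prefix, like the constructed `ssh-from-admin-net` rule, is not flagged.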
Connecting to the Appliance
Once the appliance is launched, you can connect to it via SSH or use the Azure Serial console. Use the credentials that you configured on instance creation. As part of the appliance configuration, you can configure the appliance to use your SSH keys for login. See SSH Configuration for more details.
Configuration
After connecting to the appliance, you can configure it using the appliance-cli. Refer to the Initial Configuration section in the general getting started guide for more details.
Note
The appliance is configured to use DHCP on initial launch. When you start changing the appliance configuration, you should first configure the interfaces section with the DHCP values for the management interface that were assigned by Azure. Otherwise, you might lose connectivity to the appliance.
NAT Configuration
In some scenarios you might need to configure NAT on the appliance. Refer to the Network Address Translation (NAT) section in the general configuration guide for more details.
Redundancy
To achieve redundancy, you can deploy two appliances in different availability zones and configure them as a cluster. Refer to the Cluster section in the general configuration guide for more details. For a redundant deployment in Azure, we recommend using the BGP integration of the Anapaya EDGE, which can be configured together with the Azure Route Server.
The diagrams below show different examples of how you can deploy the Anapaya EDGE appliance in the Azure cloud within and across regions. In all cases, the EDGE appliances are run as part of a Virtual Machine Scale Set, but you can also run them as individual VMs in different availability zones. The EDGE appliances are connected to the SCION network via the Express Route provided by the SCION Access Provider (ISP). Inside the Azure VNET (Transit VNET), the appliances are connected to the Azure Route Server to exchange routing information with the Azure network. We recommend using a separate VNET for the applications that use the SCION connectivity and connect it to the Transit VNET via a VNET peering.
Single ISP
A single SCION ISP can provide SCION connectivity to multiple EDGE appliances in an Azure VNET.
Dual ISP
If you require ISP redundancy for your applications, you can connect the EDGE appliances to two different SCION ISPs. One EDGE appliance can be connected to one or more ISPs, depending on the offerings of the SCION ISPs.
Dual ISP in different regions
If you require ISP redundancy across regions, you can connect the EDGE appliances to two different SCION ISPs in different regions.