BYO Azure Account
Bring Your Own Azure Subscription to Frame
Xi Frame provides two options for using Azure infrastructure. You can “Bring Your Own” (BYO) Microsoft Azure subscription that you own and manage yourself, or purchase Nutanix IaaS credits to use a Nutanix-managed Azure subscription. When you bring your own (BYO) Azure subscription, you pay Microsoft directly for infrastructure (your VMs, storage, networking, etc.) and only pay Xi Frame for the platform services.
Common reasons why you would bring your own Azure subscription are:
- You wish to take advantage of existing billing arrangements with Azure for convenience and/or pricing. For example, your organization may already have certain Azure consumption commitments or pre-payments – you can use Frame to consume those resources on your own Azure account.
- You want to have additional administrative control over your Xi Frame workloads for more detailed monitoring and metrics.
- You want to configure other network integrations (VPN gateways, ExpressRoutes), which you can’t do using a Nutanix-managed Azure subscription.
- You must meet industry-specific compliance regimes (e.g., HIPAA) that require you to fully manage and control your cloud resources.
In order to register your Azure account with Frame, you will need:
- A Microsoft Azure account with a valid Azure subscription. If you don’t have one already, you can create one by going to Microsoft’s website.
- Permissions to add and modify role assignments for the Azure subscription ID.
Before proceeding, ensure that the following Resource Providers are registered in your Azure subscription:
Please note that some costs (e.g., storage) may begin to accrue immediately after adding your BYO Azure Cloud Account credentials to Frame Platform.
Create an Azure Application Registration
This section assumes that you already have an active Azure account with a subscription dedicated to Xi Frame. At this point, you should have also set the resource limits for your subscription to levels high enough to accommodate your expected loads. To confirm your subscription, log in to the Azure web portal, navigate to your subscription, and confirm that its status is “active”:
- You will need to create an Azure app registration for Xi Frame. The app registration is the mechanism by which you’ll give Frame access to create and manage virtual machines and storage resources in your Azure subscription. Open the Azure Active Directory option and then the App registration section. From there, select “New registration” to create a new app.
- You’ll see a panel titled “Register an application.” You’ll be asked for the following information:
  - A valid Name: you can choose any name, but we recommend you simply call it “Frame” or “Xi Frame.”
  - Supported account types: select your desired “Supported account types” option to specify who has access to the application.
  - A Redirect URI: you can leave this optional field blank.
- Click “Register” at the bottom of the panel.
- A notification will appear informing you that your application has been created successfully. It should now be available in your “App registrations” list.
- Next, select your new application from the list and copy or write down the “Application (client) ID” and “Directory (tenant) ID.” These IDs are two of the four values you will need for setting up your Frame integration (note that you do NOT need the “Object ID”):
- Once you have written down the Application (client) ID, navigate to the “Branding” page listed in the menu on the left side of your Azure portal.
- Use the application icon shown below. Click “Save.”
- Next, you’ll need to create a “Client Secret” for Xi Frame to use as a password to manage your Azure resources. Click “Certificates and secrets” under your application’s management options. Click the “New client secret” button under “Client secrets”.
- You will be prompted to add a new client secret. Simply add a description and select the “Never” option under “Expires.” Click “Add.”
Please note that the app key is used by Xi Frame to manage your BYO Azure account. If your key expires, Xi Frame will no longer be able to manage your account for you and you will experience an outage. This is why we recommend selecting “Never.”
- On the “Client secrets” page, copy your newly-created client secret. We will need this value later on.
The final step before integrating your BYO Azure cloud account with Xi Frame entails obtaining your Azure Subscription ID and adding owner permissions to your new application.
- At the top of your Azure portal, search for “Subscriptions” and click on the first option that appears.
- Find the subscription that you created for Xi Frame. Copy the Subscription ID and set it aside to be used in the final steps of this guide.
- Now, click on the subscription to open its properties. Click on the “Access Control (IAM)” page, and then click the “Add” button on the top of the Access Control panel. Select “Add role assignment.”
- A new window will appear asking for the following information:
  - Role: Select “Owner” from the drop-down menu.
  - Assign access to: Select the “Azure AD user, group, or service principal” option.
  - Select: Select the name of your application.
- Once you have configured the fields above, click “Save.”
- Before moving on, ensure you have obtained the following values.
  - Azure Application ID
  - Azure Directory ID
  - Azure Subscription ID
  - Azure Client Secret
You’ll use these values for the Xi Frame setup below.
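A periodic check on the app registration created above, as an added example that is not part of the Frame documentation: it flags client secrets that are expired or close to expiry (the outage case noted above) and role assignments that reach beyond the subscription dedicated to Frame. The JSON is constructed sample data in the shape returned by `az ad app credential list` and `az role assignment list`; the subscription ID, names and dates are placeholders.

```python
import json
from datetime import datetime, timedelta, timezone

SUBSCRIPTION_ID = "11111111-2222-3333-4444-555555555555"  # placeholder, not a real ID

# Constructed sample, shaped like `az ad app credential list` output.
CREDENTIALS = json.loads("""[
 {"displayName": "frame", "endDateTime": "2025-06-30T00:00:00Z"},
 {"displayName": "frame-old", "endDateTime": "2024-12-01T08:15:00.1234567Z"},
 {"displayName": "frame-long", "endDateTime": "2299-12-31T00:00:00Z"}
]""")

# Constructed sample, shaped like `az role assignment list` output.
ASSIGNMENTS = json.loads("""[
 {"roleDefinitionName": "Owner",
  "scope": "/subscriptions/11111111-2222-3333-4444-555555555555"},
 {"roleDefinitionName": "Contributor",
  "scope": "/subscriptions/99999999-0000-0000-0000-000000000000"},
 {"roleDefinitionName": "Reader",
  "scope": "/providers/Microsoft.Management/managementGroups/corp"}
]""")

def parse_utc(stamp):
    """Read the leading YYYY-MM-DDTHH:MM:SS of a timestamp; assumes it is UTC."""
    return datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def secrets_needing_rotation(creds, now, warn_days=30):
    """Return (name, 'expired' | 'expiring') for secrets past or near their end date."""
    findings = []
    for cred in creds:
        if not cred.get("endDateTime"):
            continue  # no end date recorded for this secret
        expires = parse_utc(cred["endDateTime"])
        if expires <= now:
            findings.append((cred.get("displayName"), "expired"))
        elif expires - now <= timedelta(days=warn_days):
            findings.append((cred.get("displayName"), "expiring"))
    return findings

def assignments_outside(assignments, subscription_id):
    """Return (role, scope) pairs whose scope is not the given subscription or below it."""
    base = f"/subscriptions/{subscription_id}".lower()
    return [(a["roleDefinitionName"], a["scope"]) for a in assignments
            if a["scope"].lower() != base
            and not a["scope"].lower().startswith(base + "/")]

if __name__ == "__main__":
    now = datetime(2025, 6, 10, tzinfo=timezone.utc)  # fixed date so the sample is stable
    print(secrets_needing_rotation(CREDENTIALS, now))
    print(assignments_outside(ASSIGNMENTS, SUBSCRIPTION_ID))
```

Any entry returned by `assignments_outside` means the application's service principal holds a role somewhere other than the Frame subscription and is worth reviewing.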
Adding your Azure Cloud Account
BYO cloud accounts can be created either at the “customer” or “organization” tiers of Frame’s logical hierarchy. More information about Frame’s hierarchy concepts can be referenced here.
A BYO cloud account created at the “customer” (highest) tier will be accessible to all hierarchical children (“organizations” and their accounts). If you choose to add the BYO cloud account at the “organization” tier, the BYO cloud account will only be available to the chosen organization and any accounts underneath it. Customer Administrators can add a BYO cloud account at the Customer or Organization level while Organization Administrators may only add a BYO cloud account at the Organization tier.
A particular cloud subscription can only be associated with a single entity on the Frame platform. If you associate your cloud subscription to one Organization, it cannot be associated with another Organization or Customer. If your use case requires that multiple Organizations will have access to your Azure subscription, you must associate the cloud account to your Customer entity.
Azure Cloud Account Registration Procedure
Go to the Frame Admin view.
Navigate to the “Organizations” or “Customers” section (depending on where you wish to add the cloud account).
Click on the ellipsis listed next to the organization or customer you wish to add your cloud account to, click “Edit.”
Select the “Cloud Accounts” tab and then select “Add Cloud Account” in the upper right corner:
A new window will appear prompting you for the information you recorded earlier:
- Name: Enter the desired name for your BYO Cloud Account.
- Application ID: Enter the Azure Application ID.
- Directory ID: Enter the Azure Directory ID.
- Secret: Enter the Azure Secret key value.
- Subscription ID: Enter the Azure Subscription ID.
- Verify Azure credentials: Click this button to verify that your credentials are valid before creating the cloud account.
- Select data centers: Select at least one data center you would like to provision your Xi Frame account(s) and resources in.
Click the check box once you have read through the disclaimer, and then click “Create.”
Now that your Azure Cloud Account is created and accessible within Frame, you will be able to create Frame accounts using this BYO cloud account. Be aware that the first Xi Frame account created in an Azure datacenter region may take 30+ minutes as Frame Platform must copy the Nutanix-provided OS images to the Azure datacenter before the Frame account is created.
Resources Created During BYO Azure Cloud Account Creation
Xi Frame provisions a single storage account for every datacenter region selected upon cloud account creation. The Nutanix-provided OS master images are copied to each storage account and will be used when the first Frame account is created in that region.
Azure Service Limits
By default, a newly created Azure account will impose certain service limits on available resources. Depending on the size of the Frame workload required, you will likely need to adjust the default limits imposed on the Azure account. If these limits are set to values that are lower than what is required by the Frame platform, you can expect certain functions to either fail or be substantially delayed. Frame’s requirements for these service limits depend on the desired workload and required resources. The recommended service limit increases include the following:
The following steps may not be necessary for smaller production environments or trial accounts.
| Resource | Recommendation |
|---|---|
| Compute/VM | Frame recommends setting the Azure VMs service limit to 2.2x your expected max number of instances. The additional 20% will accommodate any additional resources such as Sandboxes, Utility servers, etc. |
| Azure Managed Disks | Typically, this resource does not need to be modified. If you have any concerns about capacity, we recommend 64 GiB per instance. |
| Public IPs | By default Azure offers 1,000 public IPs per region. You will need at least 2 public IPs available per workload instance and one public IP per Sandbox/Utility Server VM. |
| VNets | Each Frame account will use one VNet. |
| GPU-backed Instances | We recommend increasing service limits for GPU-backed instances to 2.2x your expected max number of instances. The additional 20% will accommodate any additional resources such as Sandboxes, Utility servers, etc. |
Click the link for more information on Azure service limits. When requesting compute service limit increases, you must calculate and request limits based on the number of CPU cores you will need per region, per instance type. For instance, if you needed two D2_V2 instances, you would need to request 4 cores (2 cores x 2 instances) for the “D Series” SKU Family in your Azure Portal. More information about requesting vCPU limit increases can be found in the official Azure documentation.
When requesting limit/quota increases, the Azure team may ask which deployment model is used. The deployment model used is ARM (not ASM).
Azure Instance Types
Each IaaS provider has a unique naming scheme for their instance types. Azure breaks down their instance types by vCPU cores. More information about Windows virtual machines in Azure can be found in their official Azure documentation.
For the latest Azure instances supported by Xi Frame, refer to the Nutanix Xi Frame Pricing Page. Note that since you are bringing your own Azure account, your pricing may be different from that shown in the table.
Promotional instances provided by Microsoft by default are not currently supported by Frame Platform. If you wish to use an account with an existing promotion, you will need to either exhaust promotional hours first or contact Azure support to remove those instances.
The total cost of your Azure service depends on your service tier with Azure and any custom pricing arrangements you may have. Full details of Azure pricing for these areas are listed in Azure’s pricing information online. If you have an Enterprise Agreement, you can download your specific price list from the EA Portal.
Storage sizing is based on several factors specific to your apps: the base system image of the Windows OS, the size of your applications plus application data and any user data. Additional data is consumed if you are using a Utility Server.
The base system image for the Sandbox can be set to any desired capacity upon account creation. The general formula for estimating the total amount of storage required is the Sandbox image size multiplied by the maximum number of instances multiplied by the monthly hours consumed. Total storage also includes the system image size of all Utility Servers multiplied by the number of hours consumed per month.
Even if instances are powered off, storage is still consumed.
Your networking usage on Azure also depends on your apps and the work patterns of your users. Azure networking limits and data transfer pricing are based on inbound and outbound data sent to or from Azure regions or the internet. Typical data transfer costs for Frame customers are between 1% and 2% of their overall monthly bill. For details about how your account will be charged for data transfers, please refer to Azure documentation.
Your Azure expenses are separate from the cost of the Frame service for our BYO accounts. Azure bills your account according to your usage patterns on Frame, as described in our documentation regarding capacity management.