Initial Preparation and Configuration of the Microsoft Azure Managed Application

This section covers initial preparation and configuration of the Managed Application on Microsoft Azure.

1. Configuring your SUSE Multi-Linux Manager instance

There are two tabs you need to fill out: Basics and Virtual Machine Settings.

1.1. Fill Out the Basics Tab

  1. Project Details

    1. As with every resource in Azure, you need to provide a Resource Group (RG). This can be an existing RG or you can create a new RG for this deployment.

  2. Instance Details

    1. Region – where the instance should run.

    2. Virtual Machine Name – the name of the VM in which SUSE Multi-Linux Manager will run.

    3. Username – the administrator account for the SUSE Multi-Linux Manager VM.

    4. SSH Key Source and Key – needed to access the machine.

    We do not allow the use of a password here. This is to reduce the risk of brute force attacks.

  3. Managed Application Details

    1. Application Name – the name of the Managed Application.

    2. Managed Resource Group (MRG) – where the SUSE Multi-Linux Manager VM and its resources will be deployed into.

1.2. Switch to the Virtual Machine Settings Tab

  1. Instance Size

    1. The default for the instance size is D8as v5, which is a good baseline for a production server. It provides enough resources for more data disks and IOPS throughput for disk and network. https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series

      If you only need a test instance, you can go smaller and choose an instance size with 4 vCPUs and 16GB memory or use a B-Series (Burstable) instance with a similar configuration.

  2. Diagnostic Storage Account

    1. If you normally create a VM in the Azure portal, boot diagnostics are enabled by default using a managed storage account. You can choose an existing storage account or create a new one (default).

  3. OS Disk Size

    1. This is the root disk of the SUSE Multi-Linux Manager installation, which holds:

      1. The OS and the SUSE Multi-Linux Manager application.

      2. /var/cache – where you need to provide storage space for each product you want to manage.

    The proposed default of 100GB should be accepted.

  4. Database Disk Size

    1. This holds the Database for SUSE Multi-Linux Manager and needs a minimum of 50GB. The proposed value of 80GB is a good default suggestion.

  5. Spacewalk Disk Size

    1. This holds the package repositories and should have at least 100GB. Additional requirements include:

      1. 50GB for every SUSE product.

      2. >360GB for every RedHat or other Linux product.

      The proposed default of 500GB is a safe default to start with.

    Repository synchronization will fail if this directory runs out of disk space.

  6. Public IP Address for the VM

    1. By default, a Public IP Address is created to access the SUSE Multi-Linux Manager VM and Application.

      1. If you use it, please ensure this is secure and access is limited.

        Running SUSE Multi-Linux Manager on the public cloud means implementing robust security measures. It is essential to limit, filter, monitor, and audit access to the instance. SUSE strongly advises against a globally accessible SUSE Multi-Linux Manager instance that lacks adequate perimeter security.

        You should carefully consider this, as the SUSE Multi-Linux Manager Server will have access to all managed nodes. If someone gains access to SUSE Multi-Linux Manager, it would mean access to all managed nodes as well. Threat actors actively scan for accessible machines with open management ports (e.g., SSH or RDP), especially on cloud providers.

        A Network Security Group (NSG) is created by default if you choose to create a Public IP. It only allows inbound SSH access via port 22 as a minimal protection for the public IP.

        It is recommended to additionally restrict access to a defined list of networks and allow Azure’s virtual network to drop requests originating from other networks.

      Furthermore, you can add Just-in-Time access and/or use the Azure Bastion Service, Firewall, VPN, or private network methods to secure public access.

    You can choose not to create a Public IP address (which is more secure), but you will need to use other methods to access the created SUSE Multi-Linux Manager VM and its Web UI for further configuration. Additionally, you must take care of the DNS and ensure a correct FQDN.

  7. DNS Prefix for the Public IP Address

    1. The SUSE Multi-Linux Manager server must resolve its FQDN correctly. If the FQDN cannot be resolved, it can cause issues in several SUSE Multi-Linux Manager components.

    2. To ensure that the SUSE Multi-Linux Manager domain name can be resolved by its clients, both server and client machines must be connected to a working DNS server. You also need to ensure that reverse lookups are correctly configured.

      If you use the Public IP address, a DNS name is automatically created from Azure. You only need to ensure that a unique name is used. The default suggestion creates one by including a random number to make the domain name unique.

    If you do not use the Public IP, you need to make sure that your setup can resolve the FQDN correctly as mentioned above.

  8. Virtual Network / Subnet

    1. You will see a default proposal for a virtual network where SUSE Multi-Linux Manager will reside. By clicking edit, you can adjust it to your needs.

    2. Remember that a Managed Application will be deployed from SUSE to your Azure tenant. Therefore, this network is the network in the Managed Resource Group (MRG) and cannot overlap with existing networks.

      At a later stage, you need to peer this network to the network with the nodes you want to manage. Alternatively, you can create the managed nodes within this network.

      With all fields filled out, press Next or Create. The Azure portal will perform a final check and provide a summary screen of this deployment.

    If everything is correct, press Create to deploy the Managed Application for SUSE Multi-Linux Manager.

1.3. After Deployment

After the VM is deployed, you can access it via SSH.

Usage and Costs

Keep in mind that since this is a PAYG image, you will be billed according to your actual usage, including the number of systems you manage and monitor with this instance. It’s essential to regularly track and review your usage to prevent unexpected costs and ensure alignment with your needs.