Initial Preparation and Configuration of the Microsoft Azure Image

Table of Contents

1. Configuring your SUSE Manager instance

This section covers initial preparation and configuration of the image on Microsoft Azure.

1. Configuring your SUSE Manager instance

There are two tabs you need to fill out: Basics and Virtual Machine Settings.

1.1. Fill Out the Basics Tab

Project Details
1. As with every resource in Azure, you need to provide a Resource Group (RG). This can be an existing RG or you can create a new RG for this deployment.
Instance Details
1. Region – where the instance should run.
2. Virtual Machine Name – the name of the VM in which SUSE Manager will run.
3. Username – the administrator account for the SUSE Manager VM.
4. SSH Key Source and Key – needed to access the machine.
We do not allow the use of a password here. This is to reduce the risk of brute force attacks.
Managed Application Details
1. Application Name – the name of the Managed Application.
2. Managed Resource Group (MRG) – where the SUSE Manager VM and its resources will be deployed into.

1.2. Switch to the Virtual Machine Settings Tab

Instance Size
1. The default for the instance size is D8as v5, which is a good baseline for a production server. It provides enough resources for more data disks and IOPS throughput for disk and network. https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series
  
  If you only need a test instance, you can go smaller and choose an instance size with 4 vCPUs and 16GB memory or use a B-Series (Burstable) instance with a similar configuration.
Diagnostic Storage Account
1. If you normally create a VM in the Azure portal, boot diagnostics are enabled by default using a managed storage account. You can choose an existing storage account or create a new one (default).
OS Disk Size
1. This is the root disk of the SUSE Manager installation, which holds:
  1. The OS and the SUSE Manager application.
  2. /var/cache – where you need to provide storage space for each product you want to manage.
The proposed default of 100GB should be accepted.
Database Disk Size
1. This holds the Database for SUSE Manager and needs a minimum of 50GB. The proposed value of 80GB is a good default suggestion.
Spacewalk Disk Size
1. This holds the package repositories and should have at least 100GB. Additional requirements include:
  1. 50GB for every SUSE product.
  2. >360GB for every RedHat or other Linux product.
  The proposed default of 500GB is a safe default to start with.
Repository synchronization will fail if this directory runs out of disk space.

Public IP Address for the VM

By default, a Public IP Address is created to access the SUSE Manager VM and Application.

If you use it, please ensure this is secure and access is limited.

Running SUSE Manager on the public cloud means implementing robust security measures. It is essential to limit, filter, monitor, and audit access to the instance. SUSE strongly advises against a globally accessible SUSE Manager instance that lacks adequate perimeter security.

You should carefully consider this, as the SUSE Manager Server will have access to all managed nodes. If someone gains access to SUSE Manager, it would mean access to all managed nodes as well. Threat actors actively scan for accessible machines with open management ports (e.g., SSH or RDP), especially on cloud providers.

A Network Security Group (NSG) is created by default if you choose to create a Public IP. It only allows inbound SSH access via port 22 as a minimal protection for the public IP.

It is recommended to additionally restrict access to a defined list of networks and allow Azure’s virtual network to drop requests originating from other networks.

Furthermore, you can add Just-in-Time access and/or use the Azure Bastion Service, Firewall, VPN, or private network methods to secure public access.

You can choose not to create a Public IP address (which is more secure), but you will need to use other methods to access the created SUSE Manager VM and its Web UI for further configuration. Additionally, you must take care of the DNS and ensure a correct FQDN.

DNS Prefix for the Public IP Address
1. The SUSE Manager server must resolve its FQDN correctly. If the FQDN cannot be resolved, it can cause issues in several SUSE Manager components.
2. To ensure that the SUSE Manager domain name can be resolved by its clients, both server and client machines must be connected to a working DNS server. You also need to ensure that reverse lookups are correctly configured.
  
  If you use the Public IP address, a DNS name is automatically created from Azure. You only need to ensure that a unique name is used. The default suggestion creates one by including a random number to make the domain name unique.
If you do not use the Public IP, you need to make sure that your setup can resolve the FQDN correctly as mentioned above.
Virtual Network / Subnet
1. You will see a default proposal for a virtual network where SUSE Manager will reside. By clicking edit, you can adjust it to your needs.
2. Remember that a Managed Application will be deployed from SUSE to your Azure tenant. Therefore, this network is the network in the Managed Resource Group (MRG) and cannot overlap with existing networks.
  
  At a later stage, you need to peer this network to the network with the nodes you want to manage. Alternatively, you can create the managed nodes within this network.
  
  With all fields filled out, press Next or Create. The Azure portal will perform a final check and provide a summary screen of this deployment.
If everything is correct, press Create to deploy the Managed Application for SUSE Manager.

1.3. After Deployment

After the VM is deployed, you can access it via SSH.

Usage and Costs

Keep in mind that since this is a PAYG image, you will be billed according to your actual usage, including the number of systems you manage and monitor with this instance. It’s essential to regularly track and review your usage to prevent unexpected costs and ensure alignment with your needs.