
Tutorial 1-4: Create Azure resources from the service catalog in an Azure Enclave workload

The service catalog enables you to deploy Azure services and streaming applications into Azure Enclave quickly while being compliant with Policy Guardrails and enclave isolation requirements.

In this tutorial, part four of eight, you create Azure resources in workloads using the service catalog. You learn how to:

  • Deploy a service catalog template for an Azure resource into an existing workload from the Portal

Note

The sample deployment is just for demonstration purposes and doesn't represent all the best practices for network, systems, or applications administration.

Before you begin

Screenshot showing the subnet delegation prerequisite step.

Enable enclave maintenance mode

Tip

Skip this step if enclave maintenance mode is still turned on since you completed Tutorial 1-2.

  1. Navigate to the ve-Enclave-WebApp enclave and select Maintenance Mode.

  2. Enter the information needed to enable maintenance mode:

    • Maintenance Mode: Select General
    • Principals: Select Choose Microsoft Entra principal and enter your username
    • Justification: Select Networking
    • Select Save

    Screenshot showing the maintenance mode screen.

  3. Select Confirm and allow a few minutes for the enclave to return to Succeeded state.

    Screenshot showing the popup confirmation box for maintenance mode confirmation.

Create App Service required resources

  1. Navigate to the wl-webapp-frontend workload to create an Azure App Service for your webapp.

  2. Select the Add an Azure service button on the overview page.

  3. Select Private DNS Zones from the service catalog dropdown list and select Next.

    Screenshot showing the service catalog with the private DNS zones template selected.

  4. Create the private DNS zone:

    1. For Resource groups, select wl-webapp-frontend.
    2. For Additional Private DNS Zone Names, enter the private DNS zone name for App Service ["privatelink.azurewebsites.net"]. You might need to use a different value depending on the Azure cloud you're using.
    3. Select Review + Create then Create.

Create Azure web app resources from the service catalog

  1. Navigate to the wl-webapp-frontend workload to create an Azure App Service for your webapp.

  2. Select the Add an Azure service button on the overview page.

  3. Select App Service from the service catalog dropdown list and select Next.

    Screenshot showing the App Service template selected in the workload portal view.

  4. Enter all the required parameters on each tab.

    Screenshot showing the basics input screen for an App Service web app.

  5. Select Next then enter the networking information. Ensure the App Service subnet has a delegation to 'Microsoft.Web/serverfarms' and the private link subnet doesn't.

    • Dedicated App Service Subnet Name: Enter webapp-Subnet for the subnet delegated in the previous step.
    • Private Link Subnet Name: Enter common-subnet for the subnet containing the private endpoints.
    • Private Dns Zone Resource Group Name: Enter rg-webapp-frontend.
    • Private Dns Zone Name: Enter privatelink.azurewebsites.net for App Service.

    Screenshot showing the networking input screen for an App Service web app.

  6. Select Review + Create and then Create.

    Wait for the deployment to complete successfully before you take any actions within your deployed resources.

    Screenshot showing the deployed App Service resources.
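
The subnet delegation requirement in step 5 can be checked before you select Create. The following is an added example, not part of the original tutorial or of Azure tooling: it assumes the subnet list was exported as JSON (for example with `az network vnet subnet list -o json`), and the sample data and function names are constructed for illustration.

```python
import json

# Compared case-insensitively: the tutorial writes 'Microsoft.Web/serverfarms',
# while exported subnet JSON commonly shows 'Microsoft.Web/serverFarms'.
APP_SERVICE_DELEGATION = "microsoft.web/serverfarms"

# Constructed sample, shaped like the JSON subnet list described in the lead-in.
SAMPLE_SUBNETS = json.loads("""
[
  {"name": "webapp-Subnet",
   "delegations": [{"name": "delegation",
                    "serviceName": "Microsoft.Web/serverFarms"}]},
  {"name": "common-subnet", "delegations": []}
]
""")


def delegated_services(subnet):
    """Return the lower-cased service names a subnet is delegated to."""
    entries = subnet.get("delegations") or []  # tolerate a missing or null field
    return {(d.get("serviceName") or "").lower() for d in entries}


def check_subnets(subnets, app_subnet, private_link_subnet):
    """Return a list of problems; an empty list means the prerequisite holds."""
    by_name = {s["name"].lower(): s for s in subnets}
    problems = []

    app = by_name.get(app_subnet.lower())
    if app is None:
        problems.append(f"{app_subnet}: subnet not found")
    elif APP_SERVICE_DELEGATION not in delegated_services(app):
        problems.append(f"{app_subnet}: missing delegation to Microsoft.Web/serverfarms")

    pl = by_name.get(private_link_subnet.lower())
    if pl is None:
        problems.append(f"{private_link_subnet}: subnet not found")
    elif delegated_services(pl):
        found = ", ".join(sorted(delegated_services(pl)))
        problems.append(f"{private_link_subnet}: must not be delegated (found {found})")
    return problems


if __name__ == "__main__":
    result = check_subnets(SAMPLE_SUBNETS, "webapp-Subnet", "common-subnet")
    print("\n".join(result) if result else "Subnet delegation prerequisite holds")
```

Swapping the two subnet names in the call reports both problems, which is the mistake this check is meant to catch before the deployment fails.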

Validate the deployment

Go to the specified resource group to confirm the intended resources were created.

Deploy Web App Quickstart (Optional)

Azure App Service has quickstarts for many languages, such as the Python quickstart, or you can deploy from a zip file.

Clean up resources

If you don't plan on keeping these resources, clean up unnecessary resources to avoid Azure charges. If no other deployments exist in the resource group, the whole resource group can be deleted or all App Service resources can be selected and deleted.

Recommendations

  • Review an architecture example for a basic web application
  • Add tags to service catalog deployments to track important information for that resource such as:
    • Owner: main POC
    • Deployer: yourName
    • Purpose: publish abc app to users
    • Service Catalog Name: Virtual Machine
    • Service Catalog Version: version you deployed
  • Consider adding an Azure Policy to enforce and inherit tags

Next steps

In this tutorial, you created Azure resources with the service catalog using the Azure portal.

In the next tutorial, you'll learn how to create Azure resources in your enclave.