Skip to main content

Deploy EDGE on Azure

This section guides you through the steps to get the Anapaya EDGE Appliance from the Azure Compute Gallery up and running.

Prerequisites

Before you can start, you need to have an Azure account. If you do not have one yet, create one on Azure. You also need to have a SCION access into the Azure cloud. If you do not have one yet, contact the Anapaya customer success team.

Installation

The Anapaya EDGE appliance is available on the Azure marketplace.

Start an Anapaya EDGE VM using one of the recommended instance types. It is recommended to allocate at least two CPUs and 4GB of memory or four CPUs and 8GB of memory for better throughput. You can always change the instance type later on if you want to improve performance. Use anapaya as the username for the Administrator account and use SSH public key based authentication.

Cloud-Init

You can use cloud-init to further customize the appliance during the launch process, for example to set SSH keys for the anapaya user.

#cloud-config
users:
    - name: anapaya
      ssh_authorized_keys:
          - ...

Refer to the cloud-init documentation for more examples and details.

warning

The Anapaya EDGE appliance will overwrite the SSH keys of the anapaya user as soon as the first configuration is applied. This means that the SSH keys you set in the cloud-init configuration will be removed. If you want to keep the SSH keys, you need to configure them in the appliance configuration during initial configuration.

VNET configuration

It is recommended to launch the appliance in a VNET with at least two subnets. One subnet is used for the management interface and can have Internet access. The other subnet is used for the SCION interface towards the SCION network; the IP addressing details of this subnet are provided by your SCION access provider. Ideally, you should also have a third subnet to connect the EDGE appliance to your applications.

Security group configuration

If you want to access the appliance from the Internet via SSH, you need to configure the security group to allow incoming SSH connections. The appliance uses port 22 for SSH.

Connecting to the appliance

Once the appliance is launched, you can connect to it via SSH or use the Azure Serial console. Use the credentials that you configured on instance creation. As part of the appliance configuration, you can configure the appliance to use your SSH keys for login. See Management for more details.

Password disabled

Password authentication for SSH is disabled.

Configuration

After connecting to the appliance, you can configure it using the appliance-cli. Refer to the Setup section in the general getting started guide for more details.

Configure interfaces on first configuration

The appliance is configured to use DHCP on initial launch. When you start changing the appliance configuration, you should first configure the interfaces section with the DHCP values for the management interface that were assigned by Azure. Otherwise, you might lose connectivity to the appliance.

NAT configuration

In some scenarios you might need to configure NAT on the appliance. Refer to NAT for more details.

Redundancy

To achieve redundancy, you can deploy two appliances in different availability zones and configure them as a cluster. Refer to Cluster for more details. For a redundant deployment in Azure, it is recommended to use the BGP integration of the Anapaya EDGE which can be configured together with the Azure Route Server.

Enable Azure Route Server

When configuring a BGP session between the EDGE and the Azure Route Server, you must enable ebgp_multihop. Without it, the prefixes received from the Azure Route Server will not be installed in the EDGE's routing table nor advertised to SGRP. For more information please visit the Azure Route Server FAQ .

note

Refer to the Azure Route Server Documentation for more details

The diagrams below show different examples of how you can deploy the Anapaya EDGE appliance in Azure within and across regions. In all cases, the EDGE appliances are run as part of a Virtual Machine Scale Set, but you can also run them as individual VMs in different availability zones. The EDGE appliances are connected to the SCION network via the Express Route provided by the SCION Access Provider (ISP). Inside the Azure VNET (Transit VNET), the appliances are connected to the Azure Route Server to exchange routing information with the Azure network. It is recommended to use a separate VNET for the applications that use the SCION connectivity and connect it to the Transit VNET via a VNET peering.

A single SCION ISP can provide SCION connectivity to multiple EDGE appliances in an Azure VNET.

Single ISP