Overview

Before you install CloudPrem on Azure, you must set up a set of supporting infrastructure resources. These components provide the foundational compute, storage, database, and networking services that CloudPrem depends on. This documentation outlines all the resources you must set up in your Azure account before you proceed to the installation steps described in the Azure AKS Installation Guide.

Infrastructure Requirements

Here are the components you must provision:

• Azure Kubernetes Service (AKS): A running AKS cluster sized for your expected CloudPrem workload.
• PostgreSQL Flexible Server: An Azure Database for PostgreSQL instance that CloudPrem will use to store its metadata.
• Blob Storage container: An Azure Storage container to hold CloudPrem logs.
• Client Identity and permissions: An Azure AD application with read/write access to the storage container.
• NGINX Ingress Controller: Installed on the AKS cluster to route external traffic to CloudPrem services.
• Datadog Agent: Deployed on the AKS cluster to collect and send logs to CloudPrem.

Azure Kubernetes Service (AKS)

CloudPrem runs entirely on Kubernetes. You need an AKS cluster with sufficient CPU, memory, and disk space configured for your workload. See the Kubernetes cluster sizing recommendations for guidance.

Deploy the AKS cluster

• Deploy an AKS cluster with the Azure CLI
• Deploy an AKS cluster with Terraform

Verify cluster connectivity and health

To confirm the cluster is reachable and nodes are in the Ready state, run the following command:

kubectl get nodes -o wide

Azure PostgreSQL Flexible Server

CloudPrem stores its metadata and configuration in a PostgreSQL database. Datadog recommends the Azure Database for PostgreSQL Flexible Server. It must be reachable from the AKS cluster, ideally with private networking enabled. See the Postgres sizing recommendations for details.

Create the PostgreSQL database

• Create an Azure Database for PostgreSQL Flexible Server using the Azure CLI
• Create an Azure Database for PostgreSQL Flexible Server using Terraform

Verify database connectivity

Connect to your PostgreSQL database from within the AKS network using the PostgreSQL client, psql. First, start an interactive pod in your Kubernetes cluster using an image that includes psql:

kubectl run psql-client \
  -n <NAMESPACE_NAME> \
  --rm -it \
  --image=bitnami/postgresql:latest \
  --command -- bash

Then, run the following command directly from the shell, replacing the placeholder values with your actual values:

psql "host=<HOST> \
      port=<PORT> \
      dbname=<DATABASE> \
      user=<USERNAME> \
      password=<PASSWORD>"

If successful, you should see a prompt similar to:

psql (15.2)
SSL connection (protocol: TLS...)
Type "help" for help.

<DATABASE>=>

Blob Storage Container

CloudPrem uses Azure Blob Storage to persist logs. Create a dedicated container for this purpose.

Create a Blob Storage container

Use a dedicated container per environment (for example, cloudprem-prod, cloudprem-staging), and assign least-privilege RBAC roles at the container level, rather than at the storage account scope.

• Create a Blob Storage container using the Azure CLI
• Create a Blob Storage container using Terraform

Client Identity and permissions

An Azure AD application must be granted read/write access to the Blob Storage container. Register a dedicated application for CloudPrem and assign the corresponding service principal the Contributor role on the Blob Storage container created above.

Register the application

Register an application in Microsoft Entra ID

Assign Contributor role

Assign an Azure role for access to blob data

NGINX Ingress Controller

Public NGINX Ingress Controller

The public ingress is essential for enabling Datadog’s control plane and query service to manage and query CloudPrem clusters over the public internet. It provides secure access to the CloudPrem gRPC API through the following mechanisms:

• Creates an internet-facing Azure Load Balancer that accepts traffic from Datadog services
• Implements TLS encryption with termination at the ingress controller level
• Uses HTTP/2 (gRPC) for communication between Datadog and CloudPrem clusters
• Requires mutual TLS (mTLS) authentication where Datadog services must present valid client certificates
• Configures the controller in TLS passthrough mode to forward client certificates to CloudPrem pods with the ssl-client-cert header
• Rejects requests that are missing valid client certificates or the certificate header

Use the following nginx-public.yaml Helm values file in order to create the public NGINX Ingress Controller:

controller:
  electionID: public-ingress-controller-leader
  ingressClass: nginx-public
  ingressClassResource:
    name: nginx-public
    enabled: true
    default: false
    controllerValue: k8s.io/public-ingress-nginx
  service:
    type: LoadBalancer
    annotations:
      service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path: /healthz

Then, install the controller with Helm using the following command:

helm upgrade --install nginx-public ingress-nginx \
  --repo https://kubernetes.github.io/ingress-nginx \
  --namespace nginx-ingress-public \
  --create-namespace \
  -f nginx-public.yaml

Verify that the controller pod is running:

kubectl get pods -n nginx-ingress-public -l app.kubernetes.io/component=controller

Verify that the service exposes an external IP:

kubectl get svc -n nginx-ingress-public -l app.kubernetes.io/component=controller

Internal NGINX Ingress Controller

The internal ingress enables log ingestion from Datadog Agents and other log collectors within your environment through HTTP. Use the following nginx-internal.yaml Helm values file in order to create the public NGINX Ingress Controller:

controller:
  electionID: internal-ingress-controller-leader
  ingressClass: nginx-internal
  ingressClassResource:
    name: nginx-internal
    enabled: true
    default: false
    controllerValue: k8s.io/internal-ingress-nginx
  service:
    type: LoadBalancer
    annotations:
      service.beta.kubernetes.io/azure-load-balancer-internal: true
      service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path: /healthz

Then, install the controller with Helm using the following command:

helm upgrade --install nginx-internal ingress-nginx \
  --repo https://kubernetes.github.io/ingress-nginx \
  --namespace nginx-ingress-internal \
  --create-namespace \
  -f nginx-internal.yaml

Verify that the controller pod is running:

kubectl get pods -n nginx-ingress-internal -l app.kubernetes.io/component=controller

Verify that the service exposes an external IP:

kubectl get svc -n nginx-ingress-internal -l app.kubernetes.io/component=controller

DNS

Optionally, you can add a DNS entry pointing to the IP of the public load balancer, so future IP changes won’t require updating the configuration on the Datadog side.

Next steps

After completing the Azure configuration

1. Install CloudPrem on Azure AKS - Follow the Azure AKS Installation Guide to deploy CloudPrem
2. Set up log ingestion - Configure log ingestion to start sending logs to CloudPrem

Further reading

お役に立つドキュメント、リンクや記事:

Install CloudPrem on Azure AKSDOCUMENTATION Configure Log IngestionDOCUMENTATION