Setup inCloud Managed with Azure

Note: groundcover inCloud is available only to users subscribed to one of our paid plans.

Intro

inCloud general overview

groundcover inCloud is a managed enterprise solution for installing groundcover’s observability infrastructure in a customer-owned cloud environment.

To set up groundcover inCloud, you need to create an isolated subscription within your Azure organization. groundcover's control plane will automatically manage the project resources, establishing, configuring, and maintaining the infrastructure and workloads within the subscription. These include Azure Managed Groups, VNet, AKS, and LB services.

Security of groundcover Control-Plane

groundcover Control-Plane is a secure reconciliation controller designed to manage enterprise inCloud infrastructure environments. It is compliant with ISO-27001 and SOC-2 standards.

The control plane can securely access the isolated subscription service's principal within the customer organization using a cross-tenant federation chain. It is important to note that the inCloud setup does not require access to customer production data or workloads and is not granted such access.

Setup Guide

Chapter 1 - inCloud Backend

Step 1: Create a new Azure subscription under your organization

Create a new Azure subscription called groundcover-incloud (suggested name) for groundcover deployment. Step 2: Install the groundcover-managed application into the Azure tenant containing the subscription

Select "Tenant Properties" in Azure Portal
Copy the tenant ID (this information will be used later in the guide)
Paste the tenant ID into the following link, replacing <TENANT-ID> with the copied value. https://login.microsoftonline.com/<TENANT_ID>/oauth2/authorize?client_id=81c2dd72-dd18-442e-a2bb-546c00fe63dd&response_type=code&redirect_uri=https%3A%2F%2Fgroundcover.com
Follow the oauth2 link from a privileged browser session.
You will be presented with a permission request screen, choose "Accept for the organisation" box and click "Accept"

Step 3: Grant the application access to groundcover-incloud subscription

From https://portal.azure.com/#home search for "Subscription".
Pick groundcover-incloud subscription and choose "Access Control (IAM)"
Choose "Add > Role Assignment"
On the roles screen select "Privileged administrator roles", pick the Owner role and click "Next"
On the Members screen
1. Click "Select Members"
2. Popup modal should appear allowing you to add new members permissions into the subscription.
3. Search for groundcover-managed
4. Select the service principal and click "Select"
groundcover-managed now appears in the list of members that are able to gain permissions on the subscription object. Click Next
Click Review and Assign

After completing the previous steps, share the service the <TENANT_ID> and <SUBSCRIPTION_ID> (created in the previous steps) with your dedicated integration manager at groundcover.

Chapter 2 - Backend Reconciliation

At this stage, our automation kicks in. Please allow approximately 2 hours for the initial reconciliation loop to stabilize.

Chapter 3 - Sensor Deployment

Once stabilized, your integration manager will share with you (using a private channel) the incloud-values.yaml that should be used during sensor deployment on production workload, in the following manner:

groundcover deploy -f incloud-values.yaml

Please see API Key Secret for additional information.

Start using groundcover Managed inCloud

You can now log in to app.groundcover.com to use groundcover Managed inCloud, with total data control and privacy.

Last updated 2 months ago