Log in|Playground

Setup BYOC with Azure

Note: groundcover BYOC is available only to users subscribed to one of our paid plans.

Intro

inCloud general overview

groundcover BYOC is a managed enterprise solution for installing groundcover’s observability infrastructure in a customer-owned cloud environment.

To set up groundcover BYOC, you need to create an isolated subscription within your Azure organization. groundcover's control plane will automatically manage the project resources, establishing, configuring, and maintaining the infrastructure and workloads within the subscription. These include Azure Managed Groups, VNet, AKS, and LB services.

Security of groundcover Control-Plane

groundcover Control-Plane is a secure reconciliation controller designed to manage enterprise inCloud infrastructure environments. It is compliant with ISO-27001 and SOC-2 standards.

The control plane can securely access the isolated subscription service's principal within the customer organization using a cross-tenant federation chain. It is important to note that the inCloud setup does not require access to customer production data or workloads and is not granted such access.

Setup Guide

Chapter 0 - Create a workspace

If you've previously set up a workspace with groundcover, skip this step

Follow the steps in the link below to signup and create a workspace in groundcover:

Login and Create a Workspace

Chapter 1 - BYOC Backend

Step 1: Create a new Azure subscription under your organization

Create a new Azure subscription called groundcover-incloud (suggested name) for groundcover deployment. Step 2: Install the groundcover-managed application into the Azure tenant containing the subscription\

  1. Select "Tenant Properties" in Azure Portal

  2. Copy the tenant ID (this information will be used later in the guide)

  3. Paste the tenant ID into the following link, replacing <TENANT-ID> with the copied value. https://login.microsoftonline.com/<TENANT_ID>/oauth2/authorize?client_id=81c2dd72-dd18-442e-a2bb-546c00fe63dd&response_type=code&redirect_uri=https%3A%2F%2Fgroundcover.com

  4. Follow the oauth2 link from a privileged browser session.

  5. You will be presented with a permission request screen, choose "Accept for the organisation" box and click "Accept"

Step 3: Grant the application access to groundcover-incloud subscription

  1. From https://portal.azure.com/#home search for "Subscription".

  2. Pick groundcover-incloud subscription and choose "Access Control (IAM)"

  3. Choose "Add > Role Assignment"

  4. On the roles screen select "Privileged administrator roles", pick the Owner role and click "Next"

  5. On the Members screen

    1. Click "Select Members"

    2. Popup modal should appear allowing you to add new members permissions into the subscription.

    3. Search for groundcover-managed

    4. Select the service principal and click "Select"

  6. groundcover-managed now appears in the list of members that are able to gain permissions on the subscription object. Click Next

  7. Click Review and Assign

Step 4: Enable Quotas for Azure Database for PostgreSQL Flexible Server

If your region is not in the below - skip this step

If the region you are setting up BYOC on is one of the following:

  • Canada East

  • East US

  • Germany West Central

  • Qatar Central

You need to enable PostgreSQL flexible server for the region by navigating to Help + Support -> Create a support request.

Enter the following description -> Go

Choose the first option then Next -> Create a support request

In the next page choose Azure service and then the groundcover-incloud subscription created at the beggining, and the Azure Database for PostgreSQL Flexible Server quota type, then click Next.

In Request Details click on Enter Details. Then enter the following details - the Location is based on the location where you BYOC deployment will run.

Click Save and Continue, Enter your contact details -> Next -> Create.

It usually takes up to a day for the request to be approved, once it's approved we can continue to the next steps.

Step 5: Share the integration details with groundcover

After completing the previous steps, share the service the <TENANT_ID> and <SUBSCRIPTION_ID> (created in the previous steps) with your dedicated integration manager at groundcover.

Chapter 2 - Backend Reconciliation

At this stage, our automation kicks in. Please allow approximately 2 hours for the initial reconciliation loop to stabilize.

Chapter 3 - Sensor Deployment

Once stabilized, your integration manager will share with you (using a private channel) the incloud-values.yaml that should be used during sensor deployment on production workload, in the following manner:

groundcover deploy -f incloud-values.yaml

Please see API Key Secret for additional information.

Start using groundcover

You can now log in to app.groundcover.com to use groundcover, with total data control and privacy.

Last updated