Phase 1: Prerequisites for Azure


Overview

This guide covers the Azure prerequisites that customer IT teams must complete before Unique begins deploying the application into a Customer Managed Tenant. It spans identity and access management, networking, compute, and monitoring — with the goal of ensuring a secure, compliant, and reproducible environment from day one.

Audience: IT administrators and cloud architects responsible for the customer's Azure Landing Zone.

Support Limitation — ClickOps Configurations
Unique's deployment support assumes Infrastructure as Code (IaC) or automated configurations. If ClickOps is used instead, Unique's ability to provide effective support or troubleshoot issues will be significantly limited. Customers are strongly encouraged to adopt IaC (e.g., Terraform) to fully leverage Unique's support capabilities.


General Understanding and Preparation

This section covers the foundational knowledge the customer team needs before starting environment setup.

1. Azure Resource Management

2. Networking Proficiency

  • Core networking components: Teams must have working knowledge of public IPs, Application Gateways, Virtual Networks, and Network Security Groups. Azure Networking Docs · Terraform azurerm — Networking

  • Custom network configurations: If the customer uses custom networking solutions, detailed documentation of how these integrate with Unique's standard deployment architecture is required. Azure Networking Architecture

3. Security and Compliance

  • Certificates: Understand how to integrate custom certificates within Azure, including custom Certificate Authority management. TLS Certificate Management

  • Compliance: Be aware of all compliance requirements affecting the deployment (data handling, privacy, external network interactions). Azure Compliance

4. Kubernetes and Container Management

5. Pre-Deployment Checks

  • Infrastructure audit: Conduct a thorough audit of existing infrastructure (VMs, storage, networking) for compatibility with Unique's deployment requirements. Azure Security Audit Best Practices

  • Mobile app preparation: If the Unique mobile recording app is in scope, prepare for custom certificate installation on client devices.

6. Training and Documentation

  • Internal training: Ensure all team members are current with relevant Azure features and deployment processes. Azure Training

  • Documentation: Maintain accessible, up-to-date documentation of all custom configurations and operational procedures.


Identity and Access Management

This section covers the IAM prerequisites that the customer must have in place within their Azure environment.

TODO — Diagram needed: Entity-relationship diagram showing the relationships between RBAC assignments, Certificate Management, Managed Identities, Workload Identities, and Entra ID components (App Registrations, Enterprise Applications, Conditional Access Policies). Should illustrate which identity types access which Azure resources (KeyVault, AKS, LLM endpoints).

1. RBAC Adoption

  • Customer must consistently use RBAC for AKS, KeyVault, and all other Azure resources. Outdated access control methods (e.g., vault access policies) are discouraged as they pose security risks. RBAC Overview
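As an added illustration of the RBAC requirement above (example Terraform, not Unique's own scripts), the vault below is created in the RBAC permission model and a data-plane role is assigned at vault scope; the legacy access-policy block is shown commented out for contrast. Names, region and resource group are placeholders.

```hcl
# Added example (not Unique's Terraform): a Key Vault in RBAC permission mode.
# Names, region and resource group are placeholders.
data "azurerm_client_config" "current" {}

resource "azurerm_user_assigned_identity" "backend" {
  name                = "id-unique-backend"
  location            = "switzerlandnorth"
  resource_group_name = "rg-unique-placeholder"
}

resource "azurerm_key_vault" "unique" {
  name                = "kv-unique-placeholder"
  location            = "switzerlandnorth"
  resource_group_name = "rg-unique-placeholder"
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # RBAC permission model: data-plane access comes only from role assignments.
  # (azurerm 3.x argument name; azurerm 4.x renamed it rbac_authorization_enabled.)
  enable_rbac_authorization = true

  # Hardening that the permission model does not provide by itself.
  purge_protection_enabled   = true
  soft_delete_retention_days = 90

  # Legacy pattern the page discourages, kept only for contrast: once the RBAC
  # model is enabled Azure ignores access policies, so do not declare them.
  # access_policy {
  #   tenant_id          = data.azurerm_client_config.current.tenant_id
  #   object_id          = azurerm_user_assigned_identity.backend.principal_id
  #   secret_permissions = ["Get", "List", "Set", "Delete", "Purge"]
  # }
}

# Least-privilege data-plane role (read secrets only), scoped to this vault
# rather than to the resource group or subscription.
resource "azurerm_role_assignment" "backend_secrets_user" {
  scope                = azurerm_key_vault.unique.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_user_assigned_identity.backend.principal_id
}
```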

2. Certificate Management

  • Customer must have a deep understanding of their custom certificate and CA configurations, if used.

  • Limitation: The Unique mobile recording app does not currently support custom certificates. Enabling this requires a dedicated integration project (~8 weeks).

3. Microsoft Intune and Azure Entra Integration

  • Customer must understand Intune's integration with Azure Entra ID if the Unique mobile recording app is deployed via Intune — including Conditional Access Policies, Enterprise Applications, and App Registrations. Intune + Entra Integration

4. Managed and Workload Identities

  • Customer must configure Managed and Workload Identities to access services within the Azure Landing Zone. Workload Identities assigned to backend microservices must have access permissions to the LLM endpoints. Managed Identities Overview

5. API Access Management

  • Customer must grant Workload Identities appropriate permissions for specific API access — achievable via Unique-provided Terraform or customer-led configuration.
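The Workload Identity requirement in item 4 and the API access requirement in item 5, shown as one added Terraform example (not Unique's own scripts): a Kubernetes service account is federated to a user-assigned identity, and that identity gets an inference-only role on one Azure OpenAI endpoint. Cluster name, namespace, service account, region and resource group are placeholders.

```hcl
# Added example (not Unique's Terraform): federate one Kubernetes service account
# to a user-assigned identity and grant it inference-only access to an LLM endpoint.
resource "azurerm_kubernetes_cluster" "unique" {
  name                = "aks-unique-placeholder"
  location            = "switzerlandnorth"
  resource_group_name = "rg-unique-placeholder"
  dns_prefix          = "unique"
  oidc_issuer_enabled       = true # cluster publishes the issuer Entra ID trusts
  workload_identity_enabled = true # webhook mounts a projected token into pods

  default_node_pool {
    name       = "system"
    node_count = 3
    vm_size    = "Standard_D4s_v5"
  }
  identity { type = "SystemAssigned" }
}

resource "azurerm_user_assigned_identity" "backend" {
  name                = "id-unique-backend"
  location            = "switzerlandnorth"
  resource_group_name = "rg-unique-placeholder"
}

# Trust: only tokens from this cluster for exactly this namespace/service account
# can be exchanged for the identity's own tokens.
resource "azurerm_federated_identity_credential" "backend" {
  name                = "fic-unique-backend"
  resource_group_name = "rg-unique-placeholder"
  parent_id           = azurerm_user_assigned_identity.backend.id
  audience            = ["api://AzureADTokenExchange"]
  issuer              = azurerm_kubernetes_cluster.unique.oidc_issuer_url
  subject             = "system:serviceaccount:unique:backend-sa"
}

resource "azurerm_cognitive_account" "llm" {
  name                = "oai-unique-placeholder"
  location            = "switzerlandnorth"
  resource_group_name = "rg-unique-placeholder"
  kind                = "OpenAI"
  sku_name            = "S0"
  local_auth_enabled  = false # no API keys: identity-based access only
}

# Inference-only data-plane role, scoped to this single endpoint.
resource "azurerm_role_assignment" "backend_llm_user" {
  scope                = azurerm_cognitive_account.llm.id
  role_definition_name = "Cognitive Services OpenAI User"
  principal_id         = azurerm_user_assigned_identity.backend.principal_id
}
```

The block does not create the Kubernetes side: the `unique` namespace needs a ServiceAccount `backend-sa` annotated with `azure.workload.identity/client-id` set to the identity's client ID, and the backend pods need the label `azure.workload.identity/use: "true"`.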

6. Management Group and Subscription Rights

  • Customer must assign adequate rights (Contributor or Owner) on the management group and primary subscription, including necessary Data Actions for any secondary management groups or subscriptions.

7. Single Sign-On (SSO)

  • Customer must complete (or be prepared to complete) Entra ID Application registration for SSO. SSO Configuration

8. Support and Debugging Access

  • If Unique lacks access to the customer's IdP/Entra ID accounts, issue resolution will rely on manual methods (screen sharing, log analysis), which are significantly more resource-intensive.

9. Intune Licensing

  • The Unique mobile app requires an Intune license in the customer's tenant. Custom Intune configurations that deviate from standard setups may cause compatibility issues — associated remediation costs will be billed. Intune Licensing


Network

This section covers the network prerequisites and configuration decisions the customer must address.

TODO — Diagram needed: Network topology diagram showing the traffic flow between: internet → Application Gateway (or custom upstream gateway) → AKS ingress → pods, with NSG boundaries, DNS zone delegation, and the external Power Automate / SharePoint integration path. Should distinguish public vs. private cluster variants and show where certificates are terminated.

1. Egress Traffic — Development Phase

  • During initial/development setup, egress traffic should not be restricted, even if it appears unnecessary for Unique's operations.

2. Network Security Groups (NSGs)

  • Customer must initially deploy NSGs as defined by Unique's Terraform scripts. Customers can tighten security configurations afterward. NSG Overview

3. Custom Gateway Integration

  • If the default Unique Application Gateway is insufficient, customers may prepend an upstream gateway or deploy a private gateway. Customer is responsible for managing these customizations and ensuring the necessary concepts, permissions, and processes are in place. Application Gateway Configuration

4. Certificate Management for Ingress

  • Customer must have certificate practices for ingress traffic established and deployment-ready.

  • If cert-manager cannot be used (it requires a cluster that can reach the internet), alternatives must be prepared.

  • Certificates should be pre-created or ready to deploy per namespace so ingresses can reference them. This includes certificates managed by Unique's Helm charts.

  • Certificate Management Guide

5. Mobile App Certificate Requirements

  • The Unique mobile recording app will not function without the necessary custom certificates or CAs installed on client devices.

6. DNS and Zone Configuration

  • Customer must configure DNS settings and zone delegations per the Terraform setup. This ensures functionality for URLs such as x.customer.com and all associated subdomains. DNS Best Practices

7. Application Gateway URL

  • Customer must prepare the specific URL where the Application Gateway will be hosted, aligned with network and security configurations.

8. Subdomain Structure

  • Unique uses structured subdomains (e.g., id.x.customer.com, gateway.x.customer.com). If structured subdomains are not feasible, alternatives such as x-id.customer.com must be correctly bound to the designated IP addresses.

9. Internal Network Accessibility

  • Configurations involving internal-only URLs (Private Application Gateways, Private DNS Zones) that make the cluster internet-inaccessible must be carefully planned — misconfigurations here often require extensive troubleshooting.

10. SharePoint Integration via Power Automate

  • SharePoint integration operates through Power Automate (Microsoft 365). This integration traverses environments that are external to the secured internal deployment. Stakeholders must understand these data flow boundaries. Power Automate Overview

11. API Gateway for Power Automate

  • Calls from Power Automate to the Unique system must be routed through a general API gateway.

12. Private Cluster Limitations

  • The Unique mobile app is incompatible with private Kubernetes clusters for recording tenant functionality. Factor this into network architecture decisions.

13. Public IP Management

14. Container Image Access

  • Kubernetes nodes must be able to pull images from the internet, or the customer must provision a private image registry with a sync job to update with the latest Unique images after each release.

15. Certificate Management without Cert-Manager

  • Customers may use their own certificates instead of cert-manager. This requires manual injection of certificates and CA details into every deployment.

16. Cert-Manager in Isolated Networks

  • Cert-manager will not function if the cluster is fully internet-isolated. DNS challenges are an alternative but still require some internet exposure for the DNS zone. Fully air-gapped clusters require further investigation.

17. IP Address Allocation in AKS

  • Customer must ensure sufficient IP addresses in subnet ranges to accommodate all pods at startup, per Unique's Terraform recommendations.


Compute

This section covers compute resource prerequisites for the Unique deployment.

The Kubernetes cluster must support running operators and Custom Resource Definitions (CRDs). Components such as Kong rely on CRDs — CRD installation and management is a fundamental requirement.

1. Azure VM Configuration

  • Customer must establish an Azure VM with access to all Unique-provisioned KeyVaults and the Kubernetes Private API. The VM's identity must have KeyVault Reader access. Access may be direct or via Azure Bastion. Azure VM Overview

2. VM Tooling Requirements

  • The VM must have the following installed:

    • Helm and Helmfile — package management and deployment orchestration

    • kubectl — Kubernetes cluster management

    • Azure CLI (az) — Azure service management

    • Optionally: k9s — interactive Kubernetes management

3. Helm Chart Access

  • The VM requires internet access to download public Helm charts from ArtifactHub. Alternatively, all required charts must be manually pulled onto the VM and associated helmfiles customized for the environment.

4. Encrypted Disk Customization

  • If Persistent Volumes or the cluster use encrypted disks, customer must customize Helm charts to reference the correct encryption set.

5. Shared Cluster Considerations

  • Unique deployments in shared clusters are complex due to CRD requirements (e.g., Kong, cert-manager). Customer must either provide a cluster where CRDs can be freely installed, or pre-install the required CRDs.

6. Subnet Sizing

  • If subnet sizes deviate from Unique's Terraform recommendations, scaling may be impacted. Customer is responsible for resolving subnet sizing issues.
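The IP allocation requirement (Network item 17) and the subnet sizing point above, as one added Terraform check (not Unique's own scripts): a precondition that fails `terraform plan` when the node subnet cannot hold every node and pod slot at startup. It assumes Azure CNI without overlay, where each pod consumes a subnet IP; the CIDR and counts are placeholders.

```hcl
# Added example (not Unique's Terraform): refuse to create an AKS node subnet
# that cannot hold every pod at startup. Assumes Azure CNI (non-overlay).
locals {
  node_subnet_cidr = "10.10.0.0/22"
  node_count       = 6  # steady-state nodes across all node pools
  max_pods         = 30 # max_pods configured on the node pools
  max_surge        = 1  # extra nodes that appear during upgrades/scale-out

  # Azure reserves the first four addresses and the broadcast address.
  azure_reserved = 5
  prefix_length  = tonumber(split("/", local.node_subnet_cidr)[1])
  usable_ips     = pow(2, 32 - local.prefix_length) - local.azure_reserved

  # Azure CNI: each node takes one IP for itself plus one per pod slot,
  # and surge nodes need their full allocation too.
  required_ips = (local.node_count + local.max_surge) * (local.max_pods + 1)
}

resource "azurerm_subnet" "aks_nodes" {
  name                 = "snet-aks-nodes"
  resource_group_name  = "rg-unique-placeholder"
  virtual_network_name = "vnet-unique-placeholder"
  address_prefixes     = [local.node_subnet_cidr]

  lifecycle {
    precondition {
      # /22 gives 1019 usable IPs; (6+1) x (30+1) = 217 are required, so this passes.
      condition     = local.usable_ips >= local.required_ips
      error_message = "AKS node subnet is too small for (node_count + max_surge) * (max_pods + 1) addresses; widen the prefix or lower max_pods."
    }
  }
}
```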


Monitoring and Analytics

This section covers the monitoring infrastructure prerequisites.

TODO — Diagram needed: Integration diagram showing the data flow from AKS pods → Log Analytics Workspace and AKS metrics → Managed Prometheus → Managed Grafana. Should show the workspace configuration and data source connections.

1. Log Analytics Workspace

  • Customer must establish an accessible Log Analytics Workspace configured to collect and display logs from all Kubernetes pods. Log Analytics Tutorial

2. Grafana Integration

  • Customer must set up a Managed Grafana instance to monitor and visualize default metrics from the Kubernetes environment. The instance must be accessible and connected to the required data sources. Grafana on Azure Quickstart
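The two monitoring prerequisites above, as one added Terraform example (not Unique's own scripts): pod container logs are sent to a Log Analytics Workspace through the Container Insights agent, and a Managed Grafana instance is given read access to query it. Names and region are placeholders; the Managed Prometheus wiring is not part of this block.

```hcl
# Added example (not Unique's Terraform): pod logs -> Log Analytics, and a
# Managed Grafana identity allowed to read them. Names/region are placeholders.
resource "azurerm_log_analytics_workspace" "unique" {
  name                = "law-unique-placeholder"
  location            = "switzerlandnorth"
  resource_group_name = "rg-unique-placeholder"
  sku                 = "PerGB2018"
  retention_in_days   = 90 # long enough to investigate incidents after the fact
}

resource "azurerm_kubernetes_cluster" "unique" {
  name                = "aks-unique-placeholder"
  location            = "switzerlandnorth"
  resource_group_name = "rg-unique-placeholder"
  dns_prefix          = "unique"

  default_node_pool {
    name       = "system"
    node_count = 3
    vm_size    = "Standard_D4s_v5"
  }
  identity { type = "SystemAssigned" }

  # Container Insights agent: stdout/stderr of every pod -> the workspace above.
  oms_agent {
    log_analytics_workspace_id = azurerm_log_analytics_workspace.unique.id
  }
}

resource "azurerm_dashboard_grafana" "unique" {
  name                  = "grafana-unique-placeholder"
  location              = "switzerlandnorth"
  resource_group_name   = "rg-unique-placeholder"
  grafana_major_version = "10"
  identity { type = "SystemAssigned" }
}

# Grafana queries through its own managed identity; grant read-only monitoring
# access at workspace scope (widen to the resource group only if dashboards
# must browse other resources).
resource "azurerm_role_assignment" "grafana_monitoring_reader" {
  scope                = azurerm_log_analytics_workspace.unique.id
  role_definition_name = "Monitoring Reader"
  principal_id         = azurerm_dashboard_grafana.unique.identity[0].principal_id
}
```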

