Resource Group: databasin-rg

Overview

The databasin-rg resource group hosts a set of Azure Container Apps together with the pieces they depend on: the managed environment that runs them inside a virtual network, the user-assigned identities they authenticate with, the Key Vaults that hold their credentials, and the Log Analytics integration that collects their logs. The apps connect to data sources outside the resource group (a PostgreSQL server on the private network) using secrets read from those vaults.

Resources

1. Managed Environment

  • Type: Microsoft.App/managedEnvironments
  • Name: databasin-env
  • Location: Central US
  • Properties:
    • App Logs Configuration: Integrates with Log Analytics for centralized logging.
    • VNet Configuration:
      • Infrastructure Subnet ID: The environment's infrastructure subnet is ACASubnet in the wusm-prod-vnet-main VNet, so the container apps' infrastructure sits on the private network and can reach other private resources such as the PostgreSQL server.
  • Relationships: The three container apps run in this environment and inherit its VNet placement and log configuration.

2. Key Vaults

  • Type: Microsoft.KeyVault/vaults
  • Names:
    • databasin-api-kv
    • databasin-data-kv
    • databasin-hrch-kv
    • databasin-kv
  • Locations: Central US
  • Properties:
    • Access Policies: The vaults use the access-policy permission model, in which a principal is granted a set of permissions (for example get and list on secrets) that applies across the whole vault; the principals and permissions granted are not listed in this document.
    • Enable Soft Delete: Deleted secrets and vaults are retained and recoverable for the retention period, which protects against accidental deletion. Soft delete alone does not stop a sufficiently privileged caller from purging a deleted item permanently; that requires purge protection, which is not recorded here.
    • Public Network Access: Enabled, meaning the vault endpoints are reachable from public networks unless the vault firewall (network ACLs) or a private endpoint restricts them. The separate "allow trusted Azure services" firewall bypass is what lets Azure platform services through a default-deny firewall; neither the firewall rules nor private endpoints are recorded in this document.
  • Relationships: These vaults store sensitive information, including credentials used by the container apps for databases and other services.

3. User Assigned Identities

  • Type: Microsoft.ManagedIdentity/userAssignedIdentities
  • Names:
    • databasin-api-uami
    • databasin-hrchy-api-uami
    • databasin-ui-uami
  • Properties: Each identity is a Microsoft Entra ID principal that a container app can use to authenticate to Azure resources; tokens are issued to the app by the platform at runtime, so no client secret or certificate needs to be stored in the app configuration.
  • Relationships: The identities are attached to the container apps and granted access to the Key Vaults (and other Azure resources) so that the apps can fetch their secrets without a stored credential.

4. Container Applications

  • Type: Microsoft.App/containerapps
  • Names:
    • databasin-api
    • databasin-hrchy-api
    • databasin-ui
  • Location: Central US. Each app serves a different role (API services, administrative interfaces, and so on).
  • Properties:
    • Secrets Management: Each app's configuration pulls its secrets from Key Vault: the app definition holds a reference to the secret's vault URL together with the managed identity used to fetch it, rather than the secret value itself.
    • Ingress Configuration: Defines whether each app is reachable from the internet (external ingress) or only from inside the environment, the target port, and how traffic is split between revisions.
    • Resource Allocation: CPU and memory limits are defined per container.
  • Relationships:
    • Each application is connected to the managed environment (databasin-env), leveraging the defined network and security settings.
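
As an added illustration of the secrets and ingress properties above (example code written for this page, not code from the databasin project), the following Python check takes a Container App definition in the ARM resource shape, the one `az containerapp create --yaml` or a Bicep template submits and `az containerapp show -o json` prints back, and flags the patterns a reviewer would question: a secret stored inline in the app definition instead of as a Key Vault reference, a Key Vault reference whose identity is not assigned to the app, an environment variable that looks like a credential but carries a literal value, and ingress that is external or allows plain HTTP. The sample app, its subscription ID, image name and secret values are constructed placeholders.

```python
"""Audit a Container App definition for the secret and ingress settings above.

Added example, not code from the databasin project. Input is the app in the
ARM resource shape (what `az containerapp create --yaml` or a Bicep template
submits, and what `az containerapp show -o json` prints back). All sample
values below are constructed placeholders.
"""
import re

# Environment variable names that usually carry a credential.
CREDENTIAL_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|CONN(ECTION)?_?STR", re.IGNORECASE)


def assigned_identities(app: dict) -> set[str]:
    """Identities the app may use to resolve Key Vault references (lower-cased resource IDs)."""
    identity = app.get("identity") or {}
    assigned = {rid.lower() for rid in (identity.get("userAssignedIdentities") or {})}
    if "SystemAssigned" in (identity.get("type") or ""):
        assigned.add("system")  # a Key Vault reference may name the system identity as "system"
    return assigned


def audit_container_app(app: dict) -> list[str]:
    """Return findings a reviewer should look at (empty list means none)."""
    findings = []
    props = app.get("properties", {})
    config = props.get("configuration", {})
    assigned = assigned_identities(app)

    # 1. Secrets: each should be a Key Vault reference resolved with an assigned identity.
    secret_names = set()
    for secret in config.get("secrets") or []:
        name = secret.get("name")
        secret_names.add(name)
        if "keyVaultUrl" not in secret:
            findings.append(f"secret '{name}' is stored inline in the app definition, not in Key Vault")
            continue
        identity = (secret.get("identity") or "").lower()
        if not identity:
            findings.append(f"secret '{name}' references Key Vault but names no identity to fetch it with")
        elif identity not in assigned:
            findings.append(f"secret '{name}' uses an identity not assigned to this app: {secret['identity']}")

    # 2. Environment variables: credentials should arrive via secretRef, never as a literal value.
    for container in props.get("template", {}).get("containers") or []:
        for env in container.get("env") or []:
            ref = env.get("secretRef")
            if ref is not None and ref not in secret_names:
                findings.append(f"container '{container.get('name')}' env {env['name']} references undefined secret '{ref}'")
            elif ref is None and CREDENTIAL_NAME.search(env.get("name", "")):
                findings.append(f"container '{container.get('name')}' env {env['name']} looks like a credential but is a plaintext value")

    # 3. Ingress: external ingress is internet-reachable and enforces no authentication by itself.
    ingress = config.get("ingress") or {}
    if ingress.get("external"):
        findings.append("ingress is external: confirm the app enforces authentication")
    if ingress.get("allowInsecure"):
        findings.append("ingress allows plain HTTP (allowInsecure=true)")
    return findings


# Constructed sample app; the subscription ID, image and secret value are placeholders.
UAMI_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/databasin-rg"
           "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/databasin-api-uami")

SAMPLE_APP = {
    "name": "databasin-api",
    "identity": {"type": "UserAssigned", "userAssignedIdentities": {UAMI_ID: {}}},
    "properties": {
        "configuration": {
            "ingress": {"external": True, "targetPort": 8080, "allowInsecure": False},
            "secrets": [
                {"name": "db-password",
                 "keyVaultUrl": "https://databasin-api-kv.vault.azure.net/secrets/db-password",
                 "identity": UAMI_ID},
                {"name": "legacy-api-key", "value": "placeholder-not-a-real-key"},
            ],
        },
        "template": {
            "containers": [{
                "name": "api",
                "image": "example.azurecr.io/databasin-api:placeholder",
                "env": [
                    {"name": "DB_HOST", "value": "10.25.46.196"},
                    {"name": "DB_PASSWORD", "secretRef": "db-password"},
                    {"name": "SMTP_PASSWORD", "value": "placeholder"},
                    {"name": "API_KEY", "secretRef": "legacy-api-key"},
                ],
            }],
            "scale": {"minReplicas": 1, "maxReplicas": 10},
        },
    },
}

if __name__ == "__main__":
    for finding in audit_container_app(SAMPLE_APP):
        print("-", finding)
```

Run it against the YAML or template you are about to deploy. The external-ingress finding is informational and expected for the API and UI apps; it is there precisely because the ingress itself does not authenticate callers, so that check has to happen elsewhere.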

Data Storage

The Key Vaults do not hold application data; they hold the connection details and credentials the container apps use to reach data stores that sit outside this resource group. Databases connected include:

  • PostgreSQL Server: Most workloads rely on a PostgreSQL server at the private address 10.25.46.196 (port 5432), reached over the VNet, which serves the container apps' queries and data operations.
  • Stored Secrets: The Key Vaults hold the database URI, usernames, passwords, and the other secrets the container applications consume.

Networking

The network configuration leverages a virtual network (VNet) named wusm-prod-vnet-main. Key details include:

  • VNet Integration: The managed environment's infrastructure subnet is ACASubnet in this VNet, which keeps traffic between the container apps and private resources such as the PostgreSQL server off the public internet.
    • Environment IP Address: The environment uses the internal address 10.237.3.15 within the VNet for communication between components.

Security Overview

Security considerations include:

  • Use of Key Vaults: Secrets live in dedicated vaults rather than in app configuration. Least privilege holds only if each vault's access policies grant an identity just what it needs, normally get and list on secrets and nothing on keys or certificates. An access policy applies to the whole vault, so keeping each app's secrets in its own vault is what stops one app's identity from reading another app's credentials; granting one identity access to several vaults undoes that separation.
  • Identity Management: The user-assigned identities let the apps obtain tokens from the platform at runtime, so no client secret, certificate, or connection string with embedded credentials needs to be hard-coded or stored in the app definition.
  • Network Security Groups: Confirm that NSGs on ACASubnet and on the subnet hosting the PostgreSQL server restrict traffic, for example allowing TCP 5432 only from the container app environment's subnet rather than from the whole VNet.
  • Public Access: The API and UI apps are exposed through external ingress, which by itself performs no authentication; each must enforce it, either through Container Apps built-in authentication with an identity provider or in the application code.
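
The Key Vault properties listed under Resources and the least-privilege and public-access points above can be checked mechanically. The following is an added example written for this page, not a script from the databasin project: it reads the JSON that `az keyvault show -n <vault> -g databasin-rg -o json` prints and flags a public endpoint with no firewall default-deny, the trusted-services bypass, soft delete without purge protection, and any access policy that grants more than get and list on secrets or anything on keys and certificates. The sample vault is constructed; its object IDs and policy contents are placeholders, not the real databasin-kv settings.

```python
"""Audit a Key Vault definition for the network, deletion and permission settings above.

Added example, not code from the databasin project. Input is the JSON that
`az keyvault show -n <vault> -g databasin-rg -o json` prints. The sample
vault below is constructed; its object IDs and policies are placeholders,
not the real databasin-kv configuration.
"""
import json

# What a workload identity normally needs in order to read configuration secrets.
READ_ONLY_SECRET_PERMS = {"get", "list"}


def audit_vault(vault: dict) -> list[str]:
    """Return findings a reviewer should look at (empty list means none)."""
    props = vault.get("properties", {})
    findings = []

    # 1. Network exposure. publicNetworkAccess=Enabled only says the public endpoint
    #    exists; whether anyone can reach it is decided by networkAcls.
    acls = props.get("networkAcls") or {}
    if props.get("publicNetworkAccess", "Enabled") == "Enabled":
        if acls.get("defaultAction", "Allow") == "Allow":
            findings.append("public endpoint reachable from any network (networkAcls.defaultAction=Allow)")
        if acls.get("bypass", "AzureServices") == "AzureServices":
            findings.append("trusted Azure services bypass the vault firewall (networkAcls.bypass=AzureServices)")

    # 2. Deletion protection. Soft delete alone still lets a privileged caller purge.
    if not props.get("enableSoftDelete", False):
        findings.append("soft delete disabled")
    elif not props.get("enablePurgeProtection", False):
        findings.append("purge protection disabled: soft-deleted secrets can still be purged")

    # 3. Permissions. An access policy applies to the whole vault, so a principal
    #    with more than get/list on secrets can alter every secret in it.
    if props.get("enableRbacAuthorization", False):
        findings.append("note: RBAC permission model in use, access policies are ignored")
    for policy in props.get("accessPolicies") or []:
        who = policy.get("objectId")
        perms = policy.get("permissions") or {}
        extra = {p.lower() for p in perms.get("secrets") or []} - READ_ONLY_SECRET_PERMS
        if extra:
            findings.append(f"principal {who} has secret permissions beyond get/list: {sorted(extra)}")
        for kind in ("keys", "certificates"):
            if perms.get(kind):
                findings.append(f"principal {who} also holds {kind} permissions: {sorted(p.lower() for p in perms[kind])}")
    return findings


# Constructed sample in the shape of `az keyvault show` output; the object IDs
# are placeholders, not real principals from the databasin subscription.
SAMPLE_VAULT = json.loads("""
{
  "name": "databasin-kv",
  "location": "centralus",
  "properties": {
    "enableSoftDelete": true,
    "enablePurgeProtection": false,
    "enableRbacAuthorization": false,
    "publicNetworkAccess": "Enabled",
    "networkAcls": {"bypass": "AzureServices", "defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []},
    "accessPolicies": [
      {"objectId": "00000000-0000-0000-0000-000000000001",
       "permissions": {"secrets": ["Get", "List"], "keys": [], "certificates": []}},
      {"objectId": "00000000-0000-0000-0000-000000000002",
       "permissions": {"secrets": ["Get", "List", "Set", "Delete", "Purge"], "keys": ["Get"], "certificates": []}}
    ]
  }
}
""")

if __name__ == "__main__":
    for finding in audit_vault(SAMPLE_VAULT):
        print("-", finding)
```

Run it once per vault (databasin-api-kv, databasin-data-kv, databasin-hrch-kv, databasin-kv) and compare the principals it flags against the three user-assigned identities; any other principal, or an identity that appears in more than one vault's policies, deserves a second look.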

Other Information

  • Scalability: The design allows for container applications to scale both vertically and horizontally (up to 10 replicas), enabling responsiveness to varying load conditions.
  • Cost Management: The consumption-based billing model, combined with monitoring, keeps costs in line with load by adding replicas only when demand requires them.
  • Operational Monitoring: Integration with Azure Monitor and Log Analytics supports observability over application health and performance, ensuring issues are detected and addressed promptly.

Taken together, the resource group provides a container-app deployment for distributed data processing with centralised secret storage, identity-based access, private database connectivity, and monitoring, and it can be scaled and administered as one unit.

Note: This document was generated using the Azure Assistants script and an LLM


Updated on October 29, 2024