Azure kubernetes installation - azure

I can't install AKS in Azure, because it doesn't allow me to choose a region. I have selected every possible region, but it is not possible to use it. I am using a student account in Europe. Can you please let me know which region to use?
KR

Policy enforcement value does not meet requirements on resource Microsoft.ContainerService/manageCluster The field location with with
the value US(westus3) is denied
Policy enforcement: in Azure you can apply configuration settings and resource creation rules at the subscription level, and at the resource group and resource level as well.
Azure Policy is an Azure service for creating, assigning, and managing policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service-level agreements.
So, based on the above, there might be policy enforcement from your administrator, or a default policy might be set from the Azure side for student accounts that prevents creating AKS.
As for the Azure student account, this benefit provides you access to a free tier of the following services:
• Azure App Service
• Azure Functions
• Azure Notification Hubs
• Azure Database for MySQL
• Application Insights
• Azure DevOps Services (formerly Visual Studio Team Services)
For more information, you can refer to this document.
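How a location-restricting policy produces the denial quoted in the question, as an added example that is not part of the original answer: a small evaluator for the `if`/`then` rule format, run against a constructed policy modelled on Azure's built-in "Allowed locations" definition. The allowed-region values and the helper names are assumptions; the real assignment on the asker's subscription is not shown on the page.

```python
import re

# Constructed policy modelled on Azure's built-in "Allowed locations" definition.
# Assumption: parameter values are invented and hold assigned values directly.
POLICY = {
    "parameters": {"listOfAllowedLocations": ["westeurope", "northeurope"]},
    "policyRule": {
        "if": {"allOf": [
            {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
            {"field": "location", "notEquals": "global"},
        ]},
        "then": {"effect": "deny"},
    },
}

def _resolve(value, params):
    """Expand "[parameters('name')]" references; return other values unchanged."""
    m = re.fullmatch(r"\[parameters\('([^']+)'\)\]", value) if isinstance(value, str) else None
    return params[m.group(1)] if m else value

def _norm(v):  # policy string comparisons are case-insensitive
    return v.lower() if isinstance(v, str) else v

def _matches(cond, resource, params):
    """Evaluate one node of the rule's "if" block against a resource."""
    if "allOf" in cond:
        return all(_matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not _matches(cond["not"], resource, params)
    actual = _norm(resource.get(cond["field"]))
    op, raw = next((k, v) for k, v in cond.items() if k != "field")
    expected = _resolve(raw, params)
    if op in ("equals", "notEquals"):
        return (actual == _norm(expected)) == (op == "equals")
    if op in ("in", "notIn"):
        return (actual in [_norm(e) for e in expected]) == (op == "in")
    raise ValueError(f"unsupported operator: {op}")

def evaluate(policy, resource):
    """Return the effect (e.g. "deny") if the rule matches, else None."""
    rule = policy["policyRule"]
    hit = _matches(rule["if"], resource, policy["parameters"])
    return rule["then"]["effect"] if hit else None

def permitted(policy, rtype, candidates):
    """Locations from `candidates` where creating `rtype` is not denied."""
    return [c for c in candidates if evaluate(policy, {"type": rtype, "location": c}) is None]
```

Against the real subscription, the same question is answered by reading the policy assignment's parameter values rather than by trying regions one at a time.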

Related

Azure Landing Zone: What are all the BuiltInRoles to be assigned? Especially for Management Groups, Subscriptions, Vnets, Gateways, VMs, SA, SQL

Currently, I am working on establishing enterprise-scale landing zones for Cloud Adoption Framework in Azure.
Azure has a list of BuiltInRoles defined as mentioned in this article - https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles.
It is unclear to me which role should be assigned to which resource, especially for the resources below:
• Management Groups
• Subscriptions
• Vnets
• Gateways
• VMs
• Storage Accounts
• SQL databases
Can you suggest which roles should be assigned while provisioning any of the above listed resources?
The Cloud Adoption framework is not about putting some roles on some arbitrary resources. You have to look at the framework in terms of hierarchical levels. Each hierarchical level has its own purpose and therefore uses its own set of permissions to deploy the resources needed for that particular step. I referenced some role mapping templates from aztfmod (Terraform + CAF) so that you get an idea about the role/permission structure.
• Level 0: Core platform automation
    • Billing subscription role delegation (source)
    • Credential role mappings (source)
    • Launchpad role mappings (source)
• Level 1: Core platform governance
• Level 2: Core platform connectivity
    • ASVM role mappings (source)
• Level 3: Application landing zones vending machine
• Level 4: Applications landing zone
If you understand the levels correctly, you are able to infer what permissions are needed at what stage of the deployment of the CAF framework. For example:
• Level 0 is initiated by a user who is a tenant administrator and an Enterprise Agreement (EA) user; in addition, this user needs to be the owner of the initial "launchpad" subscription.
• From there this user will create service principals for each of the other stages of the deployment, and delegate permissions according to the principle of least privilege.
• Key vaults and key vault policies are used to exchange sensitive information like credentials in between steps.
• Each platform step (automation, governance, connectivity) is then run by its own service principal with its own specific set of permissions set on a specific scope (management group, subscription, resource group).
• When all the platform components are in place you'll be able to provision custom landing zones, where you'll again create service principals that are scoped to a single subscription. These service principals are able to deploy resources only within that landing zone.
• Etc.
I would not recommend setting up CAF or the permissions by hand, because it will become a pain in the ass to maintain. You could, for example, use aztfmod, a Terraform implementation of CAF. If you follow the steps as described here, you'll create Terraform configuration to deploy a CAF setup.
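One way to check that landing-zone service principals stay inside the scope described above, as an added example that is not part of the original answer or of aztfmod. The assignment records are constructed and shaped like `az role assignment list` output; the principal names, subscription ID, boundary mapping and the list of delegating roles are assumptions.

```python
# Roles that can grant access to others (an assumption of this example).
CAN_DELEGATE = {"Owner", "User Access Administrator"}

# Constructed data: invented principal names and subscription ID.
SUB_A = "/subscriptions/00000000-0000-0000-0000-00000000000a"
ASSIGNMENTS = [
    {"principalName": "sp-lz-app1", "roleDefinitionName": "Contributor",
     "scope": SUB_A + "/resourceGroups/rg-app1"},
    {"principalName": "sp-lz-app1", "roleDefinitionName": "Contributor",
     "scope": SUB_A + "/resourceGroups/rg-app10"},
    {"principalName": "sp-lz-app2", "roleDefinitionName": "Owner",
     "scope": "/providers/Microsoft.Management/managementGroups/mg-root"},
    {"principalName": "sp-lz-app2", "roleDefinitionName": "User Access Administrator",
     "scope": SUB_A.upper()},
]
# Expected boundary per landing-zone service principal (hypothetical mapping).
BOUNDARIES = {"sp-lz-app1": SUB_A + "/resourceGroups/rg-app1", "sp-lz-app2": SUB_A}

def within(scope, boundary):
    """True if ARM `scope` equals `boundary` or is nested under it.

    Compares case-insensitively and on a path-segment boundary, so
    ".../rg-app10" is not treated as a child of ".../rg-app1".
    """
    s, b = scope.rstrip("/").lower(), boundary.rstrip("/").lower()
    return s == b or s.startswith(b + "/")

def audit(assignments, boundaries):
    """Return (principal, issue, scope) for each assignment that breaks least privilege."""
    findings = []
    for a in assignments:
        boundary = boundaries.get(a["principalName"])
        if boundary is None:
            continue  # no expected boundary recorded for this principal
        if not within(a["scope"], boundary):
            findings.append((a["principalName"], "out-of-scope", a["scope"]))
        elif a["roleDefinitionName"] in CAN_DELEGATE:
            # In scope, but the role lets the principal hand out access itself.
            findings.append((a["principalName"], "can-delegate", a["scope"]))
    return findings
```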

Not able to see the Azure Microsoft.classiccompute provider to register

Team,
I am using the CSP subscription. I need to create a cloud service within the Azure portal. But it gave me a red line saying that the "subscription not allowed to register Microsoft.classiccompute".
Is this because it's using the CSP subscription? Is there any workaround?
I tried to find the "provider to register" for my subscription, but it cannot be found in the list to register it.
How do we possibly include the provider in my subscription, or is it that a CSP subscription is not allowed to register?
Do I have to use a non-CSP subscription? Please help.
Azure CSP supports only the Azure Resource Manager model. The cloud service Microsoft.classiccompute is in the classic deployment model, so you need to use another subscription; refer to this link.
For example, because Azure CSP supports only the Azure Resource Manager model, non-Azure Resource Manager services are not available in the program.

Connecting to an Azure Subscription in Azure China using an application created in Azure General region gives "AADSTS70001" error

I have created a native application in an Azure AD in Azure General region. The application has been granted appropriate permissions (Sign in on user's behalf, execute Service Management API requests etc.). Using this application, I am able to connect to any Azure Subscription in Azure General region using this application.
However when I try to connect to an Azure Subscription in Azure China, after successful login, I am getting the following error:
AADSTS70001: Application with identifier '01234567-890a-bcde-ffff-fcc63fc150ea' was not
found in the directory 'xxx.yyy.onmschina.cn'.
So my questions are:
Is it possible to connect to an Azure Subscription in Azure China (or for that matter to any Azure Subscription in Azure Sovereign Cloud like Germany etc.) using an application created in Azure General region?
Or do I need to create a separate application for each Azure Sovereign region in an Azure AD in that region?
If I indeed need to create a separate application (i.e. answer is yes to above question), is it possible to create an Azure AD tenant in these Sovereign regions without having an Azure Subscription there?
I believe the answer to the last question is yes considering Azure AD and Azure Subscription are two different things, yet I would very much like to get a confirmation on the same.
No, it is NOT possible to connect Azure "General" with any sovereign clouds - these are Azure US Government, Azure China, Azure Germany. All these clouds are completely separate deployments with their own Azure AD. You cannot use B2B inter clouds, you cannot use your multi-tenant applications across clouds.
For that case you have to have a subscription in every cloud you would like to support, a separate application registration, and separate instructions for your users. Check, for example, how Azure CLI is handling this. You are always only connected to one cloud with that cloud's specific account.
In Azure Germany you can create an Azure AD tenant - just create a free trial subscription and you will also get a tenant. For China and US Gov it will be hard - they both have very strict requirements on who can create subscriptions there.

Managing Azure Cloud Services as part of a Resource Group

I have several App Services, and storage accounts set up in Azure. We have a Resource Group, which is a handy way to bundle together all the services and storage - for example, for tracking billing (other teams use the same subscription).
Now, I want to add a new Cloud Service, and have it included in the Resource Group. But then I see the Cloud Service listed at the same level as Resource Groups, which makes no sense.
Is it possible to include Cloud Services inside a Resource Group, along with our App Services - and if not, what's the rationale?
Currently Azure cloud services (web roles and worker roles) are not part of the Azure Resource Manager feature. Hence you cannot add a cloud service to a resource group. This is a requested feature in the Azure feedback portal. You can go add your comments and cast your vote.
https://feedback.azure.com/forums/169386-cloud-services-web-and-worker-role/suggestions/7899432-add-cloud-services-as-an-available-resource-when-w

manage.windowsazure.com vs. portal.azure.com

What is the difference between these two portals and why? And when should I use which of them?
For example:
When I want to configure if/which Java version I want to use in a WebApp, in the "manage"-portal I only can choose between off and v1.7.0_51. In the "portal"-portal I can choose between off, v7 and v8.
Or, if I want to create a new Ubuntu-VM, in the "manage"-portal I can choose between v12.04, v14.04 and v15.04. In the "portal"-portal there is only v14.04.
As commented by Mike, manage.windowsazure.com is the current production Azure Portal while portal.azure.com is the preview portal which will eventually replace the production portal.
From an underlying technology perspective, there's one big difference between the production and preview portal. Production portal makes use of Azure Service Management API while the Preview portal makes use of Azure Resource Manager (ARM). Along with ARM API, you get Role-based access control (RBAC) that enables you to grant granular permissions on your Azure resources to your team members. In the production portal, there's only a concept of Subscription Administrator and Subscription Co-Administrator.
Not all services in Azure have been ported to make use of ARM API as of today and that's why you see only few services in the preview portal. Services that make use of ARM API (all the new services) will only show up in the preview portal.
As to when to use what portal, just see the Azure services you need to manage. Based on how they can be managed, you will choose between production and preview portal. Also please note that functionality for a service may differ between portals even though it is present in both portals. That may be another criterion for choosing the portal.
More information can be found on the Microsoft site:
Azure Resource Manager vs. classic deployment: Understand deployment models and the state of your resources
