This page describes the Azure and Google Cloud requirements to use Anthos clusters on Azure.
This section describes the Azure permissions and network access required for installing and using Anthos clusters on Azure.
Installation roles and permissions
To set up your Azure account for Anthos clusters on Azure, you need the following Azure built-in roles:
Application Administrator for creating an Azure Active Directory Application and uploading certificates.
User Access Administrator for granting access to a resource group and resources.
Contributor for creating resources.
Application roles and permissions
To allow Anthos clusters on Azure to manage resources in your Azure account, you must grant the app registration permissions. The following section describes these permissions.
For examples of how to grant these permissions, see Prerequisites.
Create custom roles
Anthos clusters on Azure needs the following permissions to create custom roles that grant cluster control planes access to resources on the same VNet.
Scope: your VNet resource group
- Microsoft.Authorization/roleDefinitions/read
- Microsoft.Authorization/roleDefinitions/write
- Microsoft.Authorization/roleDefinitions/delete
Join the VNet
Anthos clusters on Azure needs the following permissions to join resources to the virtual network (VNet). It also sets up role assignments to allow control plane virtual machine (VM) instances to use the virtual network.
Scope: VNet resource
- */read
- Microsoft.Network/*/join/action
- Microsoft.Authorization/roleAssignments/read
- Microsoft.Authorization/roleAssignments/write
- Microsoft.Authorization/roleAssignments/delete
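The two permission sets above ("Create custom roles" and "Join the VNet") are easiest to keep least-privilege if each becomes its own custom Azure role definition with a single assignable scope. The script below is an added example, not part of the Anthos documentation or the Azure CLI: it builds both role definition JSON documents in the format `az role definition create --role-definition @file.json` accepts, with the scopes the page states (the VNet resource group for the first, the VNet resource for the second). The subscription ID, resource group name and VNet name are placeholders; the `has_action` helper is a local sanity check on the generated JSON before anything is applied.

```shell
#!/bin/sh
# Added example (not from the Anthos or Azure documentation): build the two
# custom Azure role definitions described on the page, each with a single,
# narrow assignable scope. All three values below are placeholders (assumptions).
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
VNET_RESOURCE_GROUP="${VNET_RESOURCE_GROUP:-my-vnet-rg}"                    # placeholder
VNET_NAME="${VNET_NAME:-my-vnet}"                                           # placeholder

# Scope for "Create custom roles": the VNet resource group.
vnet_rg_scope() {
  echo "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$VNET_RESOURCE_GROUP"
}

# Scope for "Join the VNet": the VNet resource itself, not the whole group.
vnet_scope() {
  echo "$(vnet_rg_scope)/providers/Microsoft.Network/virtualNetworks/$VNET_NAME"
}

# role_definition_json NAME DESCRIPTION SCOPE ACTION... : print a role
# definition in the JSON shape `az role definition create` expects.
role_definition_json() {
  name="$1"; desc="$2"; scope="$3"; shift 3
  actions=""
  for a in "$@"; do
    actions="$actions\"$a\","
  done
  actions="${actions%,}"   # drop the trailing comma
  printf '{\n  "Name": "%s",\n  "IsCustom": true,\n  "Description": "%s",\n  "Actions": [%s],\n  "NotActions": [],\n  "AssignableScopes": ["%s"]\n}\n' \
    "$name" "$desc" "$actions" "$scope"
}

# Role for the "Create custom roles" permissions (role names are assumptions).
custom_role_manager_json() {
  role_definition_json "Anthos VNet Role Definition Manager" \
    "Lets Anthos clusters on Azure create custom roles in the VNet resource group" \
    "$(vnet_rg_scope)" \
    "Microsoft.Authorization/roleDefinitions/read" \
    "Microsoft.Authorization/roleDefinitions/write" \
    "Microsoft.Authorization/roleDefinitions/delete"
}

# Role for the "Join the VNet" permissions.
vnet_joiner_json() {
  role_definition_json "Anthos VNet Joiner" \
    "Lets Anthos clusters on Azure join the VNet and manage control plane role assignments" \
    "$(vnet_scope)" \
    "*/read" \
    "Microsoft.Network/*/join/action" \
    "Microsoft.Authorization/roleAssignments/read" \
    "Microsoft.Authorization/roleAssignments/write" \
    "Microsoft.Authorization/roleAssignments/delete"
}

# has_action JSON ACTION : succeeds when the quoted action string is present.
has_action() {
  printf '%s' "$1" | grep -qF "\"$2\""
}

# Apply both definitions with the Azure CLI. Needs `az login` and the
# User Access Administrator role the page lists; skipped when az is absent.
apply_roles() {
  command -v az >/dev/null 2>&1 || { echo "az CLI not found; nothing applied" >&2; return 1; }
  custom_role_manager_json > ./anthos-role-manager.json
  vnet_joiner_json > ./anthos-vnet-joiner.json
  az role definition create --role-definition @./anthos-role-manager.json
  az role definition create --role-definition @./anthos-vnet-joiner.json
}

# Usage: sh roles.sh print   (show the JSON)   |   sh roles.sh apply
case "${1:-}" in
  print) custom_role_manager_json; vnet_joiner_json ;;
  apply) apply_roles ;;
esac
```

Keeping the two roles separate matters for review: the VNet-scoped role carries `*/read` and `Microsoft.Authorization/roleAssignments/write`, which are the permissions an auditor will want to see confined to the VNet resource rather than granted at the resource-group or subscription level.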
VM identity roles
Anthos clusters on Azure needs the following Azure built-in roles to create resources and manage VM identity role assignments within resource groups. Anthos clusters on Azure also uses Azure Key Vault to distribute secrets.
Scope: your cluster resource group
Outbound network access
By default, Anthos clusters on Azure clusters are private to your Virtual Private Cloud (VPC). This means that inbound traffic from the internet is not permitted, and VMs do not have public IP addresses.
Limited outbound internet access is required to create and manage clusters. Outbound internet connectivity should be provided by a NAT gateway.
This section defines the addresses where Anthos clusters on Azure needs to connect to create and manage clusters.
Control plane and node pool VMs must be able to resolve DNS and establish outbound TCP connections on port 443.
Outbound host names
Anthos clusters on Azure might connect to the following endpoints:
| Host name | Purpose |
|---|---|
| | For fetching binary dependencies from Cloud Storage during installation. |
| | For fetching binary dependencies from Container Registry during installation. |
| | For Anthos multi-cluster management. |
| | For cluster authentication. |
This section describes the Google Cloud Identity and Access Management (IAM) roles and permissions that you need to install Anthos clusters on Azure.
Identity and Access Management roles
Install Anthos clusters on Azure
To install the Anthos clusters on Azure preview, the user who activates the Anthos clusters on Azure API must be on an allowlist.
Manage user clusters
To manage Anthos clusters on Azure user clusters, you can use predefined IAM roles. For more information, see API permissions.
Google Cloud APIs
Anthos clusters on Azure uses the following APIs on your Google Cloud project:
- gkemulticloud.googleapis.com
- anthos.googleapis.com
- gkeconnect.googleapis.com
- cloudresourcemanager.googleapis.com
- containerregistry.googleapis.com
- gkehub.googleapis.com
- logging.googleapis.com
- monitoring.googleapis.com
- serviceusage.googleapis.com
- stackdriver.googleapis.com
- storage-api.googleapis.com
- storage-component.googleapis.com
- securetoken.googleapis.com
- iam.googleapis.com
- iamcredentials.googleapis.com
- sts.googleapis.com
Set up workstation
To install and upgrade your Anthos clusters on Azure installation, you must have access to a workstation running Linux or macOS. This documentation assumes that you are using a bash shell on Linux or macOS. If you do not have access to a bash shell environment, you can use Cloud Shell.
To install Anthos clusters on Azure, you need the Azure CLI installed. For more information, see Install the Azure CLI.
gcloud command-line tool
You install and manage Anthos clusters on Azure with the gcloud command-line tool from the Cloud SDK version 347.0.0 or later. To confirm that you have the gcloud tool installed, run the following command:
If you do not have the gcloud tool installed, see Installing Cloud SDK.
To use Anthos clusters on Azure with the gcloud tool, you also need the gcloud alpha component. To install the gcloud alpha component, run the following command:
gcloud components install alpha && gcloud components update
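The workstation requirements above (gcloud from Cloud SDK 347.0.0 or later, the alpha component, the Azure CLI) and the list of Google Cloud APIs in the previous section are the kind of thing that is worth checking in one pass before starting an install. The preflight script below is an added example, not part of the Anthos documentation or the Cloud SDK: `version_ge` compares dotted versions in pure POSIX shell, `missing_from_list` reports which required APIs are absent from an enabled-services listing, and `preflight` ties them together. `PROJECT_ID` is a placeholder, and the `--format`/`--filter` keys used for `gcloud components list` are an assumption about that command's output fields.

```shell
#!/bin/sh
# Added example (not from the Anthos documentation): preflight check for the
# workstation and project requirements the page lists.
PROJECT_ID="${PROJECT_ID:-my-project-id}"   # placeholder (assumption)
MIN_SDK_VERSION="347.0.0"                    # minimum stated on the page

# The APIs the page says Anthos clusters on Azure uses on the project.
REQUIRED_APIS="gkemulticloud.googleapis.com anthos.googleapis.com gkeconnect.googleapis.com
cloudresourcemanager.googleapis.com containerregistry.googleapis.com gkehub.googleapis.com
logging.googleapis.com monitoring.googleapis.com serviceusage.googleapis.com
stackdriver.googleapis.com storage-api.googleapis.com storage-component.googleapis.com
securetoken.googleapis.com iam.googleapis.com iamcredentials.googleapis.com sts.googleapis.com"

# version_ge A B : succeeds when dotted version A is >= B, compared numerically
# component by component (missing components count as 0).
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah="${a%%.*}"; bh="${b%%.*}"
    [ "$a" = "$ah" ] && a="" || a="${a#*.}"
    [ "$b" = "$bh" ] && b="" || b="${b#*.}"
    ah="${ah:-0}"; bh="${bh:-0}"
    [ "$ah" -gt "$bh" ] && return 0
    [ "$ah" -lt "$bh" ] && return 1
  done
  return 0
}

tool_present() { command -v "$1" >/dev/null 2>&1; }

# `gcloud version` prints a line such as "Google Cloud SDK 347.0.0"; take the number.
installed_sdk_version() {
  gcloud version 2>/dev/null | awk '/^Google Cloud SDK/ {print $4}'
}

# missing_from_list ENABLED API... : print each API (one per line) that does not
# appear as a whole line in ENABLED.
missing_from_list() {
  enabled="$1"; shift
  for api in "$@"; do
    printf '%s\n' "$enabled" | grep -qx "$api" || echo "$api"
  done
}

# Required APIs not yet enabled on the project; needs an authenticated gcloud.
missing_apis() {
  enabled="$(gcloud services list --enabled --project "$PROJECT_ID" \
    --format='value(config.name)' 2>/dev/null)"
  missing_from_list "$enabled" $REQUIRED_APIS
}

# Run every check and report all problems at once; exit status 1 if any failed.
preflight() {
  status=0
  for tool in gcloud az; do
    tool_present "$tool" || { echo "missing tool: $tool" >&2; status=1; }
  done
  if tool_present gcloud; then
    v="$(installed_sdk_version)"
    version_ge "${v:-0}" "$MIN_SDK_VERSION" \
      || { echo "Cloud SDK ${v:-unknown} is older than $MIN_SDK_VERSION" >&2; status=1; }
    # Field names in --filter/--format are an assumption about `components list` output.
    gcloud components list --filter='state.name=Installed' --format='value(id)' 2>/dev/null \
      | grep -qx alpha \
      || { echo "alpha component missing; run: gcloud components install alpha && gcloud components update" >&2; status=1; }
    for api in $(missing_apis); do
      echo "API not enabled on $PROJECT_ID: $api (gcloud services enable $api)" >&2
      status=1
    done
  fi
  return $status
}

# Usage: PROJECT_ID=... sh preflight.sh check
case "${1:-}" in check) preflight ;; esac
```

Running the API check from the workstation rather than discovering a disabled API halfway through cluster creation keeps the set of enabled services explicit and reviewable, which is also the list a project owner will want when scoping what the installer identity can reach.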
- Complete the prerequisites for installation.