Anthos clusters on Azure is available for customers with an existing support relationship with Google Cloud. Contact your account representative for access.

Access requirements

This page describes the Azure and Google Cloud requirements to use Anthos clusters on Azure.

Azure

This section describes the Azure permissions and network access required for installing and using Anthos clusters on Azure.

Installation roles and permissions

To set up your Azure account for Anthos clusters on Azure, you need the following Azure built-in roles:

Application roles and permissions

To allow Anthos clusters on Azure to manage resources in your Azure account, you must grant the app registration permissions. The following section describes these permissions.

For examples of how to grant these permissions, see Prerequisites.

Create custom roles

Anthos clusters on Azure needs the following permissions to create custom roles that grant cluster control planes access to resources on the same VNet.

Scope: your VNet resource group

Permissions:

"Microsoft.Authorization/roleDefinitions/read",
"Microsoft.Authorization/roleDefinitions/write",
"Microsoft.Authorization/roleDefinitions/delete",

Join the VNet

Anthos clusters on Azure needs the following permissions to join resources to the virtual network (VNet). It also sets up role assignments to allow control plane virtual machine (VM) instances to use the virtual network.

Scope: VNet resource

Permissions:

"*/read",
"Microsoft.Network/*/join/action",
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete",
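
The following script, added here as an example and not taken from the Anthos documentation, turns the two permission lists above (Create custom roles and Join the VNet) into Azure custom role definitions and assigns each to the app registration at exactly the scope the requirements give: the VNet resource group for the roleDefinitions permissions and the narrower VNet resource for the join permissions. SUBSCRIPTION_ID, VNET_RESOURCE_GROUP, VNET_NAME, APP_ID and the two role names are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the Anthos documentation): define the two custom roles
# listed above and assign each to the app registration at exactly the scope the
# requirements give. Placeholders (hypothetical): SUBSCRIPTION_ID,
# VNET_RESOURCE_GROUP, VNET_NAME, APP_ID; the role names are chosen here.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
VNET_RESOURCE_GROUP="${VNET_RESOURCE_GROUP:-my-vnet-rg}"
VNET_NAME="${VNET_NAME:-my-vnet}"
APP_ID="${APP_ID:-11111111-1111-1111-1111-111111111111}"   # app registration client ID

# Scope for the roleDefinitions permissions: the VNet resource group.
rg_scope() {
  printf '/subscriptions/%s/resourceGroups/%s' "$SUBSCRIPTION_ID" "$VNET_RESOURCE_GROUP"
}

# Scope for the join permissions: the VNet resource itself, narrower than the group.
vnet_scope() {
  printf '%s/providers/Microsoft.Network/virtualNetworks/%s' "$(rg_scope)" "$VNET_NAME"
}

# Emit a custom role definition: $1 = role name, $2 = assignable scope, rest = Actions.
role_definition_json() {
  name="$1"; scope="$2"; shift 2
  actions=""
  for a in "$@"; do actions="${actions:+$actions, }\"$a\""; done
  printf '{"Name": "%s", "IsCustom": true, "Description": "Anthos clusters on Azure", "Actions": [%s], "NotActions": [], "AssignableScopes": ["%s"]}\n' \
    "$name" "$actions" "$scope"
}

# Create the role, then grant it to the app registration at that same scope.
apply_role() {
  name="$1"; scope="$2"; shift 2
  role_definition_json "$name" "$scope" "$@" > "/tmp/$name.json"
  az role definition create --role-definition "@/tmp/$name.json"
  az role assignment create --assignee "$APP_ID" --role "$name" --scope "$scope"
}

if [ "${APPLY_ROLES:-no}" = "yes" ]; then
  apply_role "anthos-role-definitions" "$(rg_scope)" \
    "Microsoft.Authorization/roleDefinitions/read" \
    "Microsoft.Authorization/roleDefinitions/write" \
    "Microsoft.Authorization/roleDefinitions/delete"
  apply_role "anthos-vnet-join" "$(vnet_scope)" \
    "*/read" "Microsoft.Network/*/join/action" \
    "Microsoft.Authorization/roleAssignments/read" \
    "Microsoft.Authorization/roleAssignments/write" \
    "Microsoft.Authorization/roleAssignments/delete"
fi
```

Export your real values and run with APPLY_ROLES=yes after `az login`; without it the script only defines the helpers, so you can inspect the generated JSON first.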

VM identity roles

Anthos clusters on Azure needs the following Azure built-in roles to create resources and manage VM identity role assignments within resource groups. Anthos clusters on Azure also uses Azure Key Vault to distribute secrets.

Scope: your cluster resource group

Roles:

Outbound network access

By default, Anthos clusters on Azure clusters are private to your Virtual Private Cloud (VPC). This means that inbound traffic from the internet is not permitted, and VMs do not have public IP addresses.

Limited outbound internet access is required to create and manage clusters. Outbound internet connectivity should be provided by a NAT gateway.

Outbound connections

This section defines the addresses where Anthos clusters on Azure needs to connect to create and manage clusters.

General connections

Control plane and node pool VMs must be able to resolve DNS and establish outbound TCP connections on port 443.

Outbound host names

Anthos clusters on Azure might connect to the following endpoints:

Endpoint                    Reason
storage.googleapis.com      For fetching binary dependencies from Cloud Storage during installation.
*.gcr.io                    For fetching binary dependencies from Container Registry during installation.
gkeconnect.googleapis.com   For Anthos multi-cluster management.
oauth2.googleapis.com       For cluster authentication.
sts.googleapis.com          For cluster authentication.
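
A check, added here as an example and not part of the Anthos documentation, that a Linux VM in the cluster subnet can reach each endpoint in the table above through the NAT gateway: DNS resolution plus a TCP connection on port 443. It assumes getent and nc are installed and probes a wildcard entry such as *.gcr.io at its apex, which only approximates the subdomains that will actually be used.

```shell
#!/bin/sh
# Added egress check (example, not from the Anthos docs). Run on a Linux VM in
# the cluster subnet: every endpoint must resolve and accept TCP 443 via NAT.
# Assumptions: getent and nc exist; a wildcard (*.gcr.io) is probed at its apex.

# Endpoints from the table above; wildcards are kept literal (no globbing below).
ENDPOINTS="storage.googleapis.com *.gcr.io gkeconnect.googleapis.com oauth2.googleapis.com sts.googleapis.com"

# Turn a wildcard entry such as *.gcr.io into a concrete, probeable name.
normalize_host() {
  case "$1" in
    \*.*) printf '%s' "${1#\*.}" ;;
    *)    printf '%s' "$1" ;;
  esac
}

# Succeed (return 0) only if DNS resolves and a TCP handshake to 443 completes.
probe_endpoint() {
  host=$(normalize_host "$1")
  if ! getent hosts "$host" >/dev/null 2>&1; then
    echo "FAIL dns    $host"; return 1
  fi
  if ! nc -z -w 5 "$host" 443 >/dev/null 2>&1; then
    echo "FAIL tcp443 $host"; return 1
  fi
  echo "OK          $host"
}

# Probe every endpoint; the exit status is the number of failures (0 = ready).
# Runs in a subshell so 'set -f' (no globbing of *.gcr.io) stays local.
check_all() (
  set -f
  failures=0
  for e in $ENDPOINTS; do
    probe_endpoint "$e" || failures=$((failures + 1))
  done
  exit "$failures"
)

if [ "${RUN_EGRESS_CHECK:-no}" = "yes" ]; then
  check_all
fi
```

Run it with RUN_EGRESS_CHECK=yes on a VM in the node subnet; a non-zero exit status is the number of endpoints that failed, which points at a missing NAT route or DNS problem before you create the cluster.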

Google Cloud

This section describes the Google Cloud Identity and Access Management (IAM) roles and permissions that you need to install Anthos clusters on Azure.

Identity and Access Management roles

Install Anthos clusters on Azure

To install Anthos clusters on Azure preview, the user that activates the Anthos clusters on Azure API needs to be part of an allowlist.

Manage user clusters

To manage Anthos clusters on Azure user clusters, you can use predefined IAM roles. For more information, see API permissions.

Google Cloud APIs

Anthos clusters on Azure uses the following APIs on your Google Cloud project:

gkemulticloud.googleapis.com
anthos.googleapis.com
gkeconnect.googleapis.com
cloudresourcemanager.googleapis.com
containerregistry.googleapis.com
gkehub.googleapis.com
logging.googleapis.com
monitoring.googleapis.com
serviceusage.googleapis.com
stackdriver.googleapis.com
storage-api.googleapis.com
storage-component.googleapis.com
securetoken.googleapis.com
iam.googleapis.com
iamcredentials.googleapis.com
sts.googleapis.com

Set up workstation

To install and upgrade your Anthos clusters on Azure installation, you must have access to a workstation running Linux or macOS. This documentation assumes that you are using a bash shell on Linux or macOS. If you do not have access to a bash shell environment, you can use Cloud Shell.

Azure

To install Anthos clusters on Azure, you need the Azure CLI installed. For more information, see Install the Azure CLI.

gcloud command-line tool

You install and manage Anthos clusters on Azure with the gcloud command-line tool from the Cloud SDK version 347.0.0 or later. To confirm that you have the gcloud tool installed, run the following command:

gcloud version

If you do not have the gcloud tool installed, see Installing Cloud SDK.

To use Anthos clusters on Azure with the gcloud tool, you also need to install the gcloud alpha component. To install the gcloud alpha component, run the following command:

gcloud components install alpha && gcloud components update

What's next