Automation Suite Deployment On Azur

The document discusses the requirements and process for deploying an automation suite on Azure. It covers setting up an Azure subscription with necessary permissions and quotas, deploying the infrastructure through ARM templates, optional configurations for custom domains and certificates, and post-deployment considerations.

Uploaded by

siddesh shinde

Automation suite deployment on azure

1. Azure subscription and permissions:


The deployment requires access to an Azure subscription and a Resource Group with
the RBAC role Owner. The Owner role is needed to create a user-assigned Managed
Identity with the Contributor role assigned at the Resource Group scope. The
Managed Identity is needed for managing the VMs (perform scale-in and scale-out
actions, apply instance protection, update the OS).

You can check your role assignment by going through the following:

Resource Group → Access Control (IAM) → Check Access → View My Access

Quotas:
The deployment provisions a number of Standard_D (general purpose), Standard_F
and/or Standard_NC (with GPU) VMs. The Azure subscription has a quota on the number
of cores that can be provisioned for the VM family.
Some of the deployed VMs must be provisioned with Premium SSDs and, depending on
the configuration, Ultra SSDs. Make sure these SSDs are available and are not
blocked by any policy.
We use SQL elastic pools to deploy the databases. Make sure that SQL elastic pools
are not blocked by any policy.
To check the subscription quota, go to Usage + quotas in the Azure portal.

Instance protection:
As part of the installation process, we add instance protection from scale set
operations to all nodes of the Server Scale Set. Since these operations are
performed from Azure, without the server context, this prevents cluster
malfunction. We provide runbooks for cluster management operations. For more
about Scale Set Instance Protection, see the Azure documentation.


We provide instance termination support for Agent Virtual Machine Instances. This
means that when an Agent Virtual Machine Instance is terminated, we cordon, drain,
and delete that node from the Automation Suite cluster.
We run a script on each Agent Virtual Machine Instance that polls the Instance
Metadata Service for termination events. Whenever an event is received, we trigger
a cordon and a drain command on the respective node, and a server also runs a
delete node command for that specific node.
Extended logs are available for this process. You can find the logs for each node
termination operation under the deployment's main storage account, in the logs
container. Each log file contains the name of the node and has the -termination.log
suffix.
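The polling-and-drain flow described above, written out as an added example so the moving parts are visible. This is constructed illustration code, not UiPath's script: the Instance Metadata Service endpoints and the "Metadata: true" header are Azure's, but the assumption that the scale-set resource name in an event equals the compute name IMDS reports (and that the cluster node name is that name lowercased), the kubectl drain flags, and the log-file naming are choices made here.

```python
"""Termination watcher for an agent node, illustrating the polling-and-drain
flow described above. Constructed example; it is not UiPath's script."""
import json
import logging
import subprocess
import time
import urllib.request

# Azure Instance Metadata Service: link-local, unauthenticated, reachable only
# from inside the VM, and it requires the "Metadata: true" header.
IMDS = "http://169.254.169.254/metadata"
SCHEDULED_EVENTS_URL = IMDS + "/scheduledevents?api-version=2020-07-01"
INSTANCE_URL = IMDS + "/instance/compute?api-version=2021-02-01"

# Event types after which the instance no longer exists.
TERMINAL_EVENTS = {"Terminate", "Preempt"}
LOG = logging.getLogger("termination")


def imds_get(url: str) -> dict:
    req = urllib.request.Request(url, headers={"Metadata": "true"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def imds_ack(event_id: str) -> None:
    """Approve the event so the platform proceeds without waiting out NotBefore."""
    body = json.dumps({"StartRequests": [{"EventId": event_id}]}).encode()
    req = urllib.request.Request(SCHEDULED_EVENTS_URL, data=body,
                                 headers={"Metadata": "true"}, method="POST")
    urllib.request.urlopen(req, timeout=5).close()


def events_for_me(payload: dict, my_resource: str) -> list:
    """Pick the terminal events that name this instance in their Resources list.
    Assumption: for a uniform scale set the resource name is "<vmss>_<instance id>",
    which is also what IMDS reports as the compute name."""
    return [e for e in payload.get("Events", [])
            if e.get("EventType") in TERMINAL_EVENTS
            and my_resource in e.get("Resources", [])]


def drain_commands(node: str) -> list:
    """Cordon then drain; the delete-node step is issued from a server node in
    the described flow, so it is deliberately not part of this agent-side list."""
    return [
        ["kubectl", "cordon", node],
        ["kubectl", "drain", node, "--ignore-daemonsets",
         "--delete-emptydir-data", "--force", "--timeout=120s"],
    ]


def run_cmd(cmd: list) -> tuple:
    """Default runner: execute and return (exit code, stderr)."""
    done = subprocess.run(cmd, capture_output=True, text=True)
    return done.returncode, done.stderr.strip()


def handle_termination(event: dict, node: str, runner=run_cmd) -> bool:
    """Run the cordon/drain steps, logging each; False if any step fails."""
    LOG.info("event %s (%s) received for %s", event.get("EventId"),
             event.get("EventType"), node)
    for cmd in drain_commands(node):
        rc, err = runner(cmd)
        LOG.info("%s -> rc=%d %s", " ".join(cmd), rc, err)
        if rc != 0:
            return False
    return True


def main(poll_seconds: int = 10) -> None:
    vm_name = imds_get(INSTANCE_URL)["name"]
    node = vm_name.lower()  # assumption: the cluster node name is the VM name
    # One log file per node, mirroring the "<node>-termination.log" naming above;
    # copying it to the storage account's logs container is outside this script.
    logging.basicConfig(filename=f"{node}-termination.log", level=logging.INFO,
                        format="%(asctime)s %(message)s")
    seen = set()
    while True:
        for ev in events_for_me(imds_get(SCHEDULED_EVENTS_URL), vm_name):
            if ev["EventId"] in seen:
                continue
            seen.add(ev["EventId"])
            if handle_termination(ev, node):
                imds_ack(ev["EventId"])  # release the VM only once it is drained
        time.sleep(poll_seconds)


if __name__ == "__main__":
    main()
```

Two points worth keeping when adapting this: the event is acknowledged only after a successful drain, so a failed drain leaves the platform waiting out its NotBefore window and the failure in the log; and the kubeconfig the script runs with should be limited to cordon/drain on its own node, since IMDS is reachable by anything on the VM and the script needs no broader cluster rights.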

VM family region availability:


Make sure that the VM SKUs are available for the region in which you deploy.
You can check the availability at: Azure Products by Region.

Cluster certificate configuration:

The Azure template allows you to provide certificates for a custom domain you
specify during deployment so that you do not need to do that manually
post-deployment. However, you need to ensure the .crt certificates are
Base64-encoded before providing them.
The following script generates the Base64-encoded strings from a single .pfx
certificate (server certificate). You can then use these strings when filling in
the template parameters. You can run this bash script on a Windows machine using
Windows Subsystem for Linux. It uses openssl to convert the certificates. Keep in
mind that the server certificate (the .pfx) should meet some requirements.

pfxFile=<path of the pfx file>

# Key: extract the passphrase-protected key, then write it out decrypted
openssl pkcs12 -in "$pfxFile" -nocerts -out serverCertKeyEncrypted.key
openssl rsa -in serverCertKeyEncrypted.key -out serverCertKeyDecrypted.key

# Server cert
openssl pkcs12 -in "$pfxFile" -clcerts -nokeys -out serverCert.crt

# CA bundle: keep only the PEM blocks, dropping the bag attribute lines
openssl pkcs12 -in "$pfxFile" -cacerts -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > caBundle.crt

# Converting to base64 and removing newlines
cat serverCertKeyDecrypted.key | base64 | tr -d '\n' > base64CertKey
cat serverCert.crt | base64 | tr -d '\n' > base64Cert
cat caBundle.crt | base64 | tr -d '\n' > base64CABundle

External Orchestrator certificates


To connect AI Center to an external Orchestrator, you must set Connect AiCenter to
an external Orchestrator to true and provide certificates for Orchestrator and
Identity to the parameters listed in Deploying Automation Suite to Azure. For
details on how to obtain the certificates, see Chain certificates.
To encode the certificates in base64 format, run the following commands:

cat orchestrator.cer | base64 | tr -d '\n' > orchestratorCert
cat identity.cer | base64 | tr -d '\n' > identityCert
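A pre-flight check for the Base64 strings produced by the cluster certificate script and by the Orchestrator/Identity commands above, added here as an example; it is not UiPath code. It uses only the standard library, so it verifies PEM structure (single-line Base64, certificate-only blocks, a decrypted private key, a CA bundle that excludes the server certificate) rather than cryptographic validity of the chain. The function names and the sample PEM text in the usage are constructed for this example.

```python
"""Pre-flight check of the Base64 certificate parameters before they go into
the template. Constructed example, not UiPath code; it mirrors the shell
commands above (`base64 | tr -d '\\n'`) and validates their output."""
import base64
import binascii
import re

# One PEM block; the label must match on the BEGIN and END lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n(?P<body>.+?)\r?\n-----END (?P=label)-----",
    re.S)
KEY_LABELS = ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY")


def encode_param(file_text: str) -> str:
    """Python equivalent of `cat file | base64 | tr -d '\\n'`."""
    return base64.b64encode(file_text.encode()).decode()


def decode_param(value: str) -> str:
    """Reject anything that is not one single-line Base64 string of PEM text."""
    if any(ch.isspace() for ch in value):
        raise ValueError("value contains whitespace; newlines were not removed")
    try:
        raw = base64.b64decode(value, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid Base64: {exc}") from None
    try:
        return raw.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("decoded bytes are not PEM text (DER input?)") from None


def pem_blocks(text: str) -> list:
    """Return (label, body) pairs; bag attribute lines written by openssl are ignored."""
    return [(m.group("label"), m.group("body").strip()) for m in PEM_BLOCK.finditer(text)]


def check_certificate(value: str, name: str) -> list:
    """The parameter must decode to one or more CERTIFICATE blocks and nothing else."""
    blocks = pem_blocks(decode_param(value))
    if not blocks:
        raise ValueError(f"{name}: no PEM block found")
    bad = [label for label, _ in blocks if label != "CERTIFICATE"]
    if bad:
        raise ValueError(f"{name}: contains non-certificate blocks {bad}")
    return blocks


def check_private_key(value: str) -> str:
    """The key must be exactly one unencrypted private key block."""
    text = decode_param(value)
    labels = [label for label, _ in pem_blocks(text)]
    if "ENCRYPTED PRIVATE KEY" in labels or "Proc-Type: 4,ENCRYPTED" in text:
        raise ValueError("key is still passphrase-protected; supply the decrypted key")
    if len(labels) != 1 or labels[0] not in KEY_LABELS:
        raise ValueError(f"expected exactly one private key block, got {labels}")
    return labels[0]


def check_bundle(server_b64: str, key_b64: str, ca_b64: str) -> dict:
    """Validate the three template parameters together and summarise them."""
    server = check_certificate(server_b64, "server certificate")
    if len(server) != 1:
        raise ValueError("server certificate must hold exactly one certificate")
    key_type = check_private_key(key_b64)
    ca = check_certificate(ca_b64, "CA bundle")
    if server[0][1] in {body for _, body in ca}:
        raise ValueError("CA bundle must exclude the server certificate itself")
    return {"server_certs": 1, "key_type": key_type, "ca_certs": len(ca)}


if __name__ == "__main__":
    # Constructed sample: PEM-shaped text, not real certificates.
    srv = "Bag Attributes\n    localKeyID: 01\n-----BEGIN CERTIFICATE-----\nMIIBc2VydmVy\n-----END CERTIFICATE-----\n"
    key = "-----BEGIN PRIVATE KEY-----\nMIIEa2V5\n-----END PRIVATE KEY-----\n"
    ca = ("-----BEGIN CERTIFICATE-----\nMIIBaW50ZXI=\n-----END CERTIFICATE-----\n"
          "-----BEGIN CERTIFICATE-----\nMIIBcm9vdA==\n-----END CERTIFICATE-----\n")
    print(check_bundle(encode_param(srv), encode_param(key), encode_param(ca)))
```

Run it against the three files the script writes (base64Cert, base64CertKey, base64CABundle) before pasting their contents into the template; the whitespace check catches the common mistake of base64-encoding without the tr -d '\n' step, and the encrypted-key check catches skipping the openssl rsa step.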

Resilience to zonal failures in a multi-node HA-ready production cluster:

By default, the templates deploy the VMs across as many Azure Availability Zones as
possible to enable resilience to zonal failures in a multi-node HA-ready
production cluster.
NOTE:
Not all Azure Regions support Availability Zones. See Azure Geographies for details.
VM SKUs have additional Availability Zones restrictions that you can check using
the CLI cmdlet. See Get-AzComputeResourceSku for details.
The cluster is considered resilient to zonal failures if the servers are spread
across three Azure Availability Zones. If the Azure region does not support
Availability Zones for the type of VM selected for servers, the deployment will
continue without zone resilience.

DNS:
The template provisions an Azure Load Balancer with a public IP and a DNS label to
access the services.
The DNS label is Microsoft-owned and should have a format similar to:
<dnsName>.<regionName>.cloudapp.azure.com.
We also deploy a private DNS zone, for the cluster VMs to be able to resolve
several subdomains. This is needed for the installation process. To resolve records
in a private DNS zone from the Virtual Network, make sure the DNS server is either
set to Azure-provided or 168.63.129.16.

Deploying into an existing virtual network

The template allows you to deploy the nodes in an existing Virtual Network.
However, the Virtual Network must have a subnet that meets the following
requirements:

- has enough free address space to accommodate all the nodes and the internal
  load balancer;
- has outbound connectivity, preferably configured through a NAT gateway as per
  Microsoft recommendation;
- allows HTTPS traffic on port 443;
- Optional: has a service endpoint configured for Microsoft.Storage. This is
  needed if you enable the backup at deployment time.

When deploying into an existing Virtual Network, you must have the Owner RBAC role
on it to create a Contributor role assignment at its scope. This is needed for the
Instance Refresh operation when scaling out.

Backup
The template allows you to enable the backup at deployment time. This implies
creating a Microsoft Storage Account with a variable storage capacity (depending on
the number of server nodes - # of server nodes x 512GiB) used as an NFS share and
configuring the backup for the cluster. By default, the backup interval is set to
90 minutes, and the retention interval is 72 hours. You can change the backup and
retention intervals post-deployment. For details, see BackupCluster.

2. Deploying Automation Suite to Azure

After setting up the Azure environment, navigate to one of the following links to
install Automation Suite:

For Azure for US Government, use this link.

For Azure Public Cloud, use this link.

The following table provides an overview of the parameters used in the deployment:

Parameter name

Description

Subscription

The Azure subscription.

Resource Group

The Azure Resource Group, under the subscription.

Resource Group Name

The name of the resource group where the cluster is deployed.

Region

The default region of the Resource Group.

Location

A valid Azure Region where the infrastructure is deployed. Make sure that the
region has enough cores for the instance types used.

You can use the [resourceGroup().location] if this is the same as the Resource
Group’s region.
Automation Suite version

The version of Automation Suite.


Example: 21.10.2
Run Automation Suite Install

Choose whether Automation Suite should be installed after the infrastructure is
provisioned.

Accept License Agreement

By setting the parameter as true, you agree to the applicable license agreement.

DNS Load Balancer

The prefix used for the load balancer subdomain.

If you use a custom domain you will only be able to access the cluster through the
custom domain, not directly using the load balancer's domain (eg.
<prefix>.<region>.cloudapp.azure.com).

Virtual Network New Or Existing

Parameter indicating whether the Virtual Network used for the deployment should be
created or if it already exists.

Existing Virtual Network Resource Group

Resource group where the existing Virtual Network you want to use is deployed.

Parameter used only if the Virtual Network New Or Existing parameter is set to
existing.
Existing Virtual Network Name

Name of the existing Virtual Network used for deployment.

Parameter used only if the Virtual Network New Or Existing parameter is set to
existing.
Existing Subnet Name

Name of an existing subnet inside the previously mentioned Virtual Network. The
subnet must satisfy these requirements.

Parameter used only if the Virtual Network New Or Existing parameter is set to
existing.
Deploy Bastion Host

Deploy a Bastion Host on the Virtual Network. Parameter used only if Virtual
Network New Or Existing is set to new.

Enable Custom Domain

Set to true if you want to use your own custom domain. This needs post-install
configuration.
Custom domain

This is the domain you want to use for the cluster. Post-installation, create two
CNAME/A records that will point to the public load balancer. See .

Enable Custom Certificates

Set to true if you want to use your own custom certificates for your own domain.
Make sure to use this together with the Enable Custom Domain parameter set to true.
Custom Server Certificate

This is a base64 encoded string.


Encode the contents of the .crt server certificate to a base64 string. The server
certificate should have the following .
Custom Server Cert Key

This is a base64 encoded string.


Encode the contents of the .key server certificate key, to a base64 string. This is
the private key from the Custom Server Certificate parameter.
Custom Server Cert Authority Bundle

This is a base64 encoded string.


Create a .crt file containing all public certificates (.crt) from all of the CA
certificates in the Server Certificate chain (excluding the server certificate).
Create a base64 string from the contents of this file.
Automation Suite Installer URL

Optional: The link to the Automation Suite installation package.

Changing this parameter will overwrite the Automation Suite version parameter above
and install the version specified in this URL.
Keep set to None if not used.
Automation Suite Advanced Config

This is a valid json string that will be merged in the cluster_config.json file
that is being built by the template. Will overwrite existing settings.
See advanced installation experience for details.

Server Node Count

The number of VMs created to work as the servers for the cluster. Should be an odd
number.

Server Node Instance Type

The instance type for the server nodes.

Example: Standard_D16s_v3
Server Node Hostname

Server node hostname/computer name prefix. For details on the appended sequence,
see Azure documentation.

Enable Ultra Disks

Enable to use ultra disks for etcd (server nodes). Should only be disabled if the
region you are deploying to does not have zones support.
Agent Node Count

The number of VMs created to serve as the agent nodes for the cluster. If 0, an
empty agent scale set is still created.

Agent Node Instance Type

The instance type for the agent nodes.

Example: Standard_D16s_v3
Agent Node Hostname

Agent node hostname/computer name prefix. For details on the appended sequence, see
Azure documentation.

Gpu Node Count

The number of VMs with GPU created to be the agents for the cluster. Designed for
ML workloads. If 0, no GPU scale set is created.

Gpu Node Instance Type

The type of instances with GPU to be provisioned and to be the agents for the
cluster.

Example: Standard_NC12s_v2
Gpu Node Hostname

GPU node hostname/computer name prefix. For details on the appended sequence, see
Azure documentation.

Task Mining Node Type

Optional: Instance type of the task mining node. This will only be used if you
enable the Task Mining service. Example: Standard_B20ms
Task Mining Node Hostname

Task Mining node hostname/computer name.

AS Robots Node Count

The number of dedicated Automation Suite Robots nodes. If 0, the scale set is still
created.

AS Robots Node Instance Type

The instance type for the dedicated Automation Suite Robots nodes.

Example: Standard_D16s_v3
AS Robots Node Hostname

Automation Suite Robots node hostname/computer name prefix. For details on the
appended sequence, see Azure documentation.

SQL new or existing

Parameter indicating whether the SQL Server used for the deployment should be
created or it already exists. For SQL server requirements, see our documentation.

SQL Server FQDN or IP

FQDN or IP associated with the SQL Server. This is only used if the
SQLNewOrExisting parameter is set to existing.
SQL Server Username

SQL Server user login. If the SQL new or existing parameter is set to existing,
this is the user for the existing SQL server. Otherwise, this username will be set
on the SQL server created. For details on the required permissions, see our
documentation for permissions.
SQL Server Password

SQL Server user password. If the SQL new or existing parameter is set to existing,
this is the user password for the existing SQL server. Otherwise, this password is
set on the created SQL server.
SQL Server Port

SQL Server port. If the SQLNewOrExisting parameter is set to existing, this port is
used.
WarehouseSQLServerFqdnOrIP

FQDN or IP associated with the Warehouse SQL Server. This is only used if the
SQLNewOrExisting parameter is set to existing, and you want to install Process
Mining.
WarehouseSQLServerUsername

Warehouse SQL Server user login. This is only used if you want to install Process
Mining. If the SQLNewOrExisting parameter is set to existing, this is the user for
the existing SQL server. Otherwise this username is set on the created SQL Server.
For details on permissions, see Configuring Microsoft SQL server.
WarehouseSQLServerPassword

Warehouse SQL Server user password. This is only used if you want to install
Process Mining. If the SQLNewOrExisting parameter is set to existing, this is the
user password for the existing SQL server. Otherwise this password is set on the
created SQL server.
WarehouseSQLServerPort

Warehouse SQL Server port. This is only used if you want to install Process Mining.
If the SQLNewOrExisting parameter is set to existing, this port is used.
UiPath Admin Username

The admin username to be set on all nodes. This is also used as the host tenant
admin.

UiPath Admin Password

The password for the node admin user. This is also used as the host tenant admin
password.

Vm Admin Username

The admin username to be used in the virtual machine instances.

Vm Admin Password

The admin password to be used in the virtual machine instances.

Enable Cluster Backup

Set to true if you want to deploy the external NFS file share. Also, the backup
will be enabled at cluster level if the Run Automation Suite Install parameter is
set to true.
Services Install flags (multiple)

Choose if the specific service is installed in the cluster.

externalRegistryFQDN

The external registry FQDN.

externalRegistryUsername

The external registry username.

externalRegistryPassword

The external registry password.

AI Center Connect To External Orchestrator Flag

Flag which determines whether AI Center connects to an external Orchestrator. Only
works if AiCenterInstallFlag is set to 'true'. You need to specify how AI Center
connects to the Orchestrator in the following parameters.

OrchestratorUrl

The URL for Orchestrator to which AI Center connects. Fill this in only if you want
to install AI Center and connect it to an external Orchestrator and Identity
Service.

IdentityUrl

The URL for the Identity Service to which AI Center connects. Fill this in only if
you want to install AI Center and connect it to an external Orchestrator and
Identity Service.

OrchestratorCertficate

The Certificate in Base64 for the Orchestrator to which AI Center connects. Fill
this in only if you want to install AI Center and connect it to an external
Orchestrator and Identity Service.

IdentityCertificate

The Certificate in Base64 for the Identity Service to which AI Center connects.
Fill this in only if you want to install AI Center and connect it to an external
Orchestrator and Identity Service.

Tags by resource

Optional: Tags per resource. Can be empty or have the following format:

{ "Microsoft.Web/serverFarms": { "<TagName>": "<TagValue>" },
  "Microsoft.Insights/components": { "<TagName>": "<TagValue>" } }

Enable FIPS

Set to true to enable FIPS 140-2 for the Automation Suite installation.
IMPORTANT:
Insights does not work with FIPS 140-2 enabled. If you want to enable FIPS 140-2,
make sure to disable Insights before starting the installation.
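The parameter table above states a number of cross-parameter rules (odd server node count, custom certificates only with a custom domain, FIPS 140-2 incompatible with Insights, existing-network and existing-SQL parameters that become mandatory, the tags format, and a subnet that must fit all nodes plus the internal load balancer). The following added example collects them into one pre-flight check to run over a parameter set before submitting the deployment. It is constructed here and is not part of the UiPath template; the parameter keys are assumed camelCase forms of the table's display names and may differ from the template's real names, the five reserved addresses per subnet are Azure's, and the one-IP-per-node accounting is an assumption.

```python
"""Consistency checks for a parameter set of the deployment template, run
before submitting it. Constructed example, not part of the UiPath template.
Assumption: keys are camelCase forms of the display names in the table; the
template's real parameter names may differ, so map them before use."""
import ipaddress
import json


def _on(params: dict, key: str) -> bool:
    return bool(params.get(key, False))


def _require(params: dict, keys: tuple, because: str, problems: list) -> None:
    for key in keys:
        if not params.get(key):
            problems.append(f"{key} is required because {because}")


def validate_parameters(params: dict) -> list:
    """Return the list of rule violations found; an empty list means consistent."""
    p = []
    n = params.get("serverNodeCount")
    if not isinstance(n, int) or n < 1 or n % 2 == 0:
        p.append("serverNodeCount must be a positive odd number")
    if _on(params, "enableCustomCertificates"):
        if not _on(params, "enableCustomDomain"):
            p.append("enableCustomCertificates requires enableCustomDomain=true")
        _require(params, ("customServerCertificate", "customServerCertKey",
                          "customServerCertAuthorityBundle"),
                 "enableCustomCertificates=true", p)
    if _on(params, "enableCustomDomain"):
        _require(params, ("customDomain",), "enableCustomDomain=true", p)
    if _on(params, "enableFips") and _on(params, "insightsInstallFlag"):
        p.append("Insights does not work with FIPS 140-2; disable it before installing")
    if _on(params, "aiCenterConnectToExternalOrchestratorFlag"):
        if not _on(params, "aiCenterInstallFlag"):
            p.append("external Orchestrator connection only works with aiCenterInstallFlag=true")
        _require(params, ("orchestratorUrl", "identityUrl",
                          "orchestratorCertificate", "identityCertificate"),
                 "AI Center connects to an external Orchestrator", p)
    if params.get("sqlNewOrExisting") == "existing":
        _require(params, ("sqlServerFqdnOrIp",), "sqlNewOrExisting=existing", p)
        if _on(params, "processMiningInstallFlag"):
            _require(params, ("warehouseSqlServerFqdnOrIp", "warehouseSqlServerUsername",
                              "warehouseSqlServerPassword"),
                     "Process Mining uses the existing warehouse SQL Server", p)
    if params.get("virtualNetworkNewOrExisting") == "existing":
        _require(params, ("existingVirtualNetworkResourceGroup",
                          "existingVirtualNetworkName", "existingSubnetName"),
                 "virtualNetworkNewOrExisting=existing", p)
        if _on(params, "deployBastionHost"):
            p.append("deployBastionHost applies only when virtualNetworkNewOrExisting=new")
    advanced = params.get("automationSuiteAdvancedConfig")
    if advanced:
        try:
            if not isinstance(json.loads(advanced), dict):
                raise ValueError("not an object")
        except ValueError:
            p.append("automationSuiteAdvancedConfig must be a JSON object string")
    tags = params.get("tagsByResource", {})
    well_formed = isinstance(tags, dict) and all(
        isinstance(rtype, str) and isinstance(tagmap, dict)
        and all(isinstance(k, str) and isinstance(v, str) for k, v in tagmap.items())
        for rtype, tagmap in tags.items())
    if not well_formed:
        p.append('tagsByResource must look like {"<resourceType>": {"<tag>": "<value>"}}')
    return p


def subnet_has_room(prefix: str, params: dict) -> bool:
    """Existing-subnet capacity check. Assumptions: one private IP per node plus
    one for the internal load balancer; Azure reserves five addresses per subnet."""
    net = ipaddress.ip_network(prefix, strict=True)
    nodes = sum(params.get(k, 0) for k in ("serverNodeCount", "agentNodeCount",
                                           "gpuNodeCount", "asRobotsNodeCount"))
    if _on(params, "taskMiningInstallFlag"):
        nodes += 1
    return net.num_addresses - 5 >= nodes + 1


# Constructed parameter set used as the sample input; the Base64 values are stubs.
SAMPLE_PARAMS = {
    "serverNodeCount": 3, "agentNodeCount": 2, "gpuNodeCount": 0, "asRobotsNodeCount": 0,
    "enableCustomDomain": True, "customDomain": "automation.example.test",
    "enableCustomCertificates": True, "customServerCertificate": "LS0t...",
    "customServerCertKey": "LS0t...", "customServerCertAuthorityBundle": "LS0t...",
    "enableFips": False, "insightsInstallFlag": True,
    "sqlNewOrExisting": "new", "virtualNetworkNewOrExisting": "existing",
    "existingVirtualNetworkResourceGroup": "rg-net", "existingVirtualNetworkName": "vnet-as",
    "existingSubnetName": "snet-as", "deployBastionHost": False,
    "automationSuiteAdvancedConfig": '{"sample_setting": "value"}',
    "tagsByResource": {"Microsoft.Compute/virtualMachineScaleSets": {"env": "prod"}},
}

if __name__ == "__main__":
    print(validate_parameters(SAMPLE_PARAMS), subnet_has_room("10.0.1.0/27", SAMPLE_PARAMS))
```

The check is deliberately offline: it does not confirm quotas, SKU availability or zone support, which still need the portal or Get-AzComputeResourceSku, but it catches the combinations the table says will not work before a deployment is submitted and partially provisions.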
