
Preparing for Deployment

Ken Hoover edited this page Oct 10, 2022 · 1 revision

Before you begin deployment

Identify the subscription that will hold the SRE

This can either be a new subscription or one that already exists. If you are using an existing subscription, ensure that you (or the person who will do the deployment) have the appropriate permissions to deploy the SRE into that subscription.

Multiple SRE environments can coexist in a single subscription as long as the 6-character name prefix is different for each one. This is a good option when multiple SRE environments need to align with the same compliance standard, for example.

Create AD groups for the SRE roles and add the appropriate users to each group

In each SRE deployment there are three roles that are specific to the environment. It is recommended to create three different groups in Azure AD to represent these roles. The group names given are only suggestions; feel free to customize them.

If you have multiple instances of this configuration in your environment then each one should have its own set of groups to ensure that the correct people have access to the correct environments. Naming your groups carefully using an agreed-upon convention will help you keep track of which group is associated with which environment.

  • SRE Data Owner: Adds and removes data sets from the environment by uploading and downloading them from the external-facing storage location.
  • SRE Approver: Reviews data which is ready for export and approves or rejects requests to move data sets out of the environment.
  • SRE Researcher: Accesses the environment to work with the data sets that have been approved for use.

Determine if you need a service principal

One of the optional features of the SRE is automated movement of data into and out of the externally-visible storage account. If you are going to use this feature then you need to provide (or create) an Azure AD service principal which will be granted permission to perform those tasks as part of the deployment process.

To create a service principal, consult with your local IT team or Azure administrator because it is likely you will need their assistance. This link describes how to create one using the Azure Portal; they can also be created using the Azure CLI or PowerShell.

If you do not plan to use the automated-data-movement capability because the SRE will only be used to provide a secure environment for researchers to work in then you can use a user account instead.

Decide which Azure region you will use

When working in Azure, especially with data sets that are sensitive in any way, it is imperative that you align with any requirements in your organization regarding where data can be stored and also with any requirements that are part of any data use agreement for the data set(s) you are using. If you are unsure about this, consult with your IT security or Azure administrator teams.

There are dozens of Azure regions around the globe. The SRE can be deployed into any of them. Your choice of region can affect many aspects of your Azure experience in service availability, connectivity, cost, network latency and performance. You should consider these factors when making your choice.

If you are deploying the SRE into an existing Azure environment, consult with your local Azure team for recommendations about what region to use.

If you are creating a new environment then you should choose a region that is close to where the majority of users are located. This will help to minimize latency and improve performance.

Are there any quota concerns?

Each Azure subscription has a default set of limits on how many CPU cores can be deployed of each type/family per subscription and region.

If you are deploying the SRE into an existing Azure environment then you should consult with your local IT team about the tools you will use to do analysis (individual VMs, compute clusters, GPUs, Azure Synapse instances, etc.) to ensure that you have enough quota of the right CPU/GPU type(s) to do your work.

To see the current quotas for a subscription, you can use the Azure portal, the Azure CLI, PowerShell, or the Azure Resource Manager API.

If additional quota is needed, submitting a quota increase request is quick and easy via the Azure Portal.

Requests for quota increases are typically approved very quickly, but requests that involve specialized hardware such as GPUs and FPGAs can take longer. You can submit a quota increase request before the SRE deployment is complete. If you need GPU quota, you should submit your request as soon as possible.
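
A pre-deployment headroom check over the quota listing described above, as an added example that is not part of the original wiki page or the SRE project. It assumes the JSON shape of `az vm list-usage --location <region> -o json` (`name.value`, `currentValue`, `limit`); the sample data, the planned core counts and the function name are constructed for illustration. It also checks the total regional vCPU limit (`cores`), which applies in addition to the per-family limits.

```python
import json

# Constructed sample in the shape of `az vm list-usage --location <region> -o json`.
# Real output has many more entries; values here are invented for the example.
SAMPLE_USAGE = json.loads("""
[
  {"name": {"value": "cores", "localizedValue": "Total Regional vCPUs"},
   "currentValue": "12", "limit": "20"},
  {"name": {"value": "standardDSv3Family", "localizedValue": "Standard DSv3 Family vCPUs"},
   "currentValue": "4", "limit": "10"},
  {"name": {"value": "standardNCSv3Family", "localizedValue": "Standard NCSv3 Family vCPUs"},
   "currentValue": "0", "limit": "0"}
]
""")


def quota_shortfalls(usage, planned):
    """Return {quota_name: missing_cores} for every quota the plan would exceed.

    usage   -- parsed list from the quota listing
    planned -- {family quota name: vCPUs you intend to deploy in that family}
    """
    by_name = {entry["name"]["value"]: entry for entry in usage}
    # Every planned vCPU also counts against the regional total ("cores").
    needed = dict(planned)
    needed["cores"] = sum(planned.values())

    shortfalls = {}
    for quota_name, cores in needed.items():
        entry = by_name.get(quota_name)
        if entry is None:
            # Family not listed for this region: treat the whole amount as missing.
            shortfalls[quota_name] = cores
            continue
        # int() accepts the values whether they arrive as strings or numbers.
        headroom = int(entry["limit"]) - int(entry["currentValue"])
        if cores > headroom:
            shortfalls[quota_name] = cores - headroom
    return shortfalls


if __name__ == "__main__":
    # Constructed plan: 4 general-purpose vCPUs plus one 6-vCPU GPU VM.
    plan = {"standardDSv3Family": 4, "standardNCSv3Family": 6}
    for name, missing in quota_shortfalls(SAMPLE_USAGE, plan).items():
        print(f"request at least {missing} more vCPUs for quota '{name}'")
```

To run it against a real subscription, replace `SAMPLE_USAGE` with the parsed output of the listing command for the region you chose.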