# Installation Guide
This guide walks you through deploying CertifyClouds in your Azure environment.
## Prerequisites
Before you begin, ensure you have:
- [ ] Azure subscription with Owner or Contributor role
- [ ] Azure CLI installed and logged in (`az login`)
- [ ] A CertifyClouds license key (provided by CertifyClouds)
- [ ] Azure Container Registry (ACR) with the CertifyClouds image imported
- [ ] Two subnets in your VNet (one for the application, one for PostgreSQL)
## Step 1: Import the CertifyClouds Image to Your ACR
Contact CertifyClouds for Docker Hub credentials, then import the image:
```bash
az acr import --name YOUR_ACR \
  --source docker.io/certifyclouds/certifyclouds:latest \
  --image certifyclouds:latest \
  --username certifyclouds \
  --password <PROVIDED_TOKEN>
```
## Step 2: Create Required Subnets
CertifyClouds requires two subnets in your VNet:
### Application Subnet (Container Apps or ACI)
```bash
# For Container Apps (minimum /27)
az network vnet subnet create \
  --resource-group <NETWORKING_RG> \
  --vnet-name <VNET_NAME> \
  --name snet-certifyclouds-cae \
  --address-prefixes 10.0.1.0/27 \
  --delegations Microsoft.App/environments \
  --service-endpoints Microsoft.KeyVault Microsoft.ContainerRegistry

# For Container Instances (minimum /28)
az network vnet subnet create \
  --resource-group <NETWORKING_RG> \
  --vnet-name <VNET_NAME> \
  --name snet-certifyclouds-aci \
  --address-prefixes 10.0.1.0/28 \
  --delegations Microsoft.ContainerInstance/containerGroups \
  --service-endpoints Microsoft.KeyVault Microsoft.ContainerRegistry
```
### PostgreSQL Subnet (minimum /28)
```bash
az network vnet subnet create \
  --resource-group <NETWORKING_RG> \
  --vnet-name <VNET_NAME> \
  --name snet-certifyclouds-psql \
  --address-prefixes 10.0.1.32/28 \
  --delegations Microsoft.DBforPostgreSQL/flexibleServers
```
## Step 3: Deploy CertifyClouds
Choose your deployment method:
### Option A: Azure Container Apps (Recommended)
Fully managed with auto-scaling, health probes, and load balancing. Cost: ~$60-100/month.
```bash
./deploy-certifyclouds-cae.sh \
  --name prd \
  --location uksouth \
  --acr-name YOUR_ACR \
  --container-apps-subnet /subscriptions/YOUR_SUB/resourceGroups/YOUR_RG/providers/Microsoft.Network/virtualNetworks/YOUR_VNET/subnets/snet-certifyclouds-cae \
  --postgres-subnet /subscriptions/YOUR_SUB/resourceGroups/YOUR_RG/providers/Microsoft.Network/virtualNetworks/YOUR_VNET/subnets/snet-certifyclouds-psql
```
### Option B: Azure Container Instances
Simpler and cheaper. Direct private IP, no load balancer. Cost: ~$40-60/month.
```bash
./deploy-certifyclouds-aci.sh \
  --name prd \
  --location uksouth \
  --acr-name YOUR_ACR \
  --aci-subnet /subscriptions/YOUR_SUB/resourceGroups/YOUR_RG/providers/Microsoft.Network/virtualNetworks/YOUR_VNET/subnets/snet-certifyclouds-aci \
  --postgres-subnet /subscriptions/YOUR_SUB/resourceGroups/YOUR_RG/providers/Microsoft.Network/virtualNetworks/YOUR_VNET/subnets/snet-certifyclouds-psql
```
### Deployment Output
On successful deployment, you'll see:
```text
================================================================================
DEPLOYMENT COMPLETE!
================================================================================
Managed Identity Principal ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Use this Principal ID to grant Key Vault access:
  ./setup-certifyclouds-access.sh --principal-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx --apply
```
Save the Principal ID - you'll need it for the next step.
## Step 4: Configure Key Vault Permissions
Run the setup script with the Principal ID from the deployment output:
```bash
# Check current permissions (dry run)
./setup-certifyclouds-access.sh --principal-id $PRINCIPAL_ID

# Apply permissions
./setup-certifyclouds-access.sh --principal-id $PRINCIPAL_ID --apply

# (Optional) Enable Rotation permissions (PRO tier only)
./setup-certifyclouds-access.sh --principal-id $PRINCIPAL_ID --apply --enable-rotation
```
The script will:
- Discover all Key Vaults across your subscriptions
- Auto-detect RBAC vs Access Policy configuration
- Grant appropriate read (or write) permissions
- Add subnet to Key Vault firewall rules if needed
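One way to verify what Step 4 actually granted, as an added example that is not part of the CertifyClouds scripts: it takes the JSON that `az keyvault show` and `az role assignment list --assignee <PRINCIPAL_ID> --all` return and reports, per vault, whether the identity's access is missing, read-only, or broader than the read (or rotation) level the script is meant to grant. The "read" and "rotation" role and permission sets are assumptions, as are the sample vault and role-assignment records embedded below.

```python
# Added example (not part of the CertifyClouds scripts): audits what a managed
# identity can do in each Key Vault, from JSON shaped like `az keyvault show` and
# `az role assignment list --assignee <id> --all`. Role/permission sets are assumptions.
READ_ROLES = {"Key Vault Reader", "Key Vault Secrets User", "Key Vault Certificate User"}
ROTATION_ROLES = {"Key Vault Secrets Officer", "Key Vault Certificates Officer"}
READ_PERMS = {"get", "list"}
ROTATION_PERMS = READ_PERMS | {"set", "update", "create", "import"}

def audit_vault(vault, assignments, principal_id, rotation=False):
    """Return 'missing', 'ok' or 'over-privileged: [...]' for one vault."""
    props = vault["properties"]
    if props.get("enableRbacAuthorization"):
        # RBAC vault: any assignment scoped at the vault, its RG or subscription applies
        vid = vault["id"].lower() + "/"
        roles = {a["roleDefinitionName"] for a in assignments
                 if vid.startswith(a["scope"].lower().rstrip("/") + "/")}
        if not roles:
            return "missing"
        extra = roles - READ_ROLES - (ROTATION_ROLES if rotation else set())
    else:
        # Access-policy vault: only the policy entry for this principal counts
        mine = [p for p in props.get("accessPolicies", [])
                if p["objectId"].lower() == principal_id.lower()]
        if not mine:
            return "missing"
        granted = {perm.lower() for p in mine for kind in ("secrets", "certificates", "keys")
                   for perm in (p["permissions"].get(kind) or [])}
        extra = granted - (ROTATION_PERMS if rotation else READ_PERMS)
    return f"over-privileged: {sorted(extra)}" if extra else "ok"

def audit_all(vaults, assignments, principal_id, rotation=False):
    return {v["name"]: audit_vault(v, assignments, principal_id, rotation) for v in vaults}

# Constructed sample data: one RBAC vault (role inherited from its RG), one policy vault
PRINCIPAL = "11111111-2222-3333-4444-555555555555"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
KV = "providers/Microsoft.KeyVault/vaults"
SAMPLE_VAULTS = [
    {"name": "kv-rbac", "id": f"{SUB}/resourceGroups/rg-a/{KV}/kv-rbac",
     "properties": {"enableRbacAuthorization": True}},
    {"name": "kv-policy", "id": f"{SUB}/resourceGroups/rg-b/{KV}/kv-policy",
     "properties": {"enableRbacAuthorization": False, "accessPolicies": [{
         "objectId": PRINCIPAL, "permissions": {"secrets": ["Get", "List"],
                                                "certificates": ["Get", "List", "Delete"], "keys": []}}]}},
]
SAMPLE_ASSIGNMENTS = [{"roleDefinitionName": "Key Vault Secrets User", "scope": f"{SUB}/resourceGroups/rg-a"}]

if __name__ == "__main__": print(audit_all(SAMPLE_VAULTS, SAMPLE_ASSIGNMENTS, PRINCIPAL))
```

Run it against `az keyvault list` plus `az keyvault show` for each vault after the dry run and again after `--apply`; the policy vault in the sample is flagged because its policy also allows certificate deletion, which a read-only grant should never include.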
## Step 5: Access the Application
CertifyClouds is deployed with internal-only ingress - it has no public IP address.
### Access Methods
| Method | Description |
|---|---|
| VPN | Connect to your VNet via VPN Gateway |
| Azure Bastion | Use a jumpbox VM in the same VNet |
| ExpressRoute | Access from on-premises network |
| Peered VNet | Access from a VM in a peered VNet |
### URLs
- Container Apps: `https://<INTERNAL_FQDN>` (shown in deployment output)
- ACI: `http://<PRIVATE_IP>:8080` (shown in deployment output)
## Step 6: First-Time Setup
- Login: Use the admin credentials displayed at the end of deployment
  - Username: `admin` (or as configured)
  - Password: The generated password from deployment output
- Change Password: Immediately change the admin password after first login
- Settings > Subscriptions: Add your Azure subscription IDs
- Test Connection: Verify CertifyClouds can access Azure
- Discovery: Run your first scan
- Compliance: Review security posture
- Alerts: Configure notification rules
## Configuration Reference
### Environment Variables
The deployment scripts configure these automatically. See Environment Setup for the complete reference.
| Variable | Description |
|---|---|
| `CERTIFYCLOUDS_LICENSE_KEY` | Your license key (`CC-XXXX-XXXX-XXXX`) |
| `INITIAL_ADMIN_USERNAME` | Initial admin username (default: `admin`) |
| `INITIAL_ADMIN_PASSWORD` | Initial admin password (auto-generated if not set) |
| `SECRET_KEY` | Encryption key for Sync credentials (auto-generated if not set) |
### Email Configuration (for Alerts)
Configure email alerts by setting SMTP environment variables:
### Resource Requirements
| Environment | Key Vaults | Secrets | CPU | Memory |
|---|---|---|---|---|
| Small | 1-10 | <500 | 1 vCPU | 2 GB |
| Medium | 10-50 | <2,000 | 2 vCPU | 4 GB |
| Large | 50-200 | <10,000 | 4 vCPU | 8 GB |
## Updating CertifyClouds
When a new version is released:
```bash
# 1. Import new version to ACR
az acr import --name YOUR_ACR \
  --source docker.io/certifyclouds/certifyclouds:v3.1.0 \
  --image certifyclouds:v3.1.0 \
  --username certifyclouds \
  --password <PROVIDED_TOKEN>

# 2a. For Container Apps - update image
az containerapp update \
  --name cc-uks-prd \
  --resource-group rg-cc-uks-prd \
  --image YOUR_ACR.azurecr.io/certifyclouds:v3.1.0

# 2b. For ACI - redeploy with new version
./deploy-certifyclouds-aci.sh \
  --name prd \
  --location uksouth \
  --acr-name YOUR_ACR \
  --aci-subnet /subscriptions/.../subnets/snet-certifyclouds-aci \
  --postgres-subnet /subscriptions/.../subnets/snet-certifyclouds-psql \
  --image-version v3.1.0
```
## Architecture
```text
+------------------------------------------------------------------------+
| Your Azure Subscription                                                |
|                                                                        |
|  +------------------------------------------------------------------+  |
|  | Your Existing VNet                                               |  |
|  |                                                                  |  |
|  |  +------------------------+    +-------------------------------+ |  |
|  |  | Application Subnet     |    | PostgreSQL Subnet             | |  |
|  |  | (snet-certifyclouds)   |    | (snet-certifyclouds-psql)     | |  |
|  |  |                        |    |                               | |  |
|  |  | +--------------------+ |    | +---------------------------+ | |  |
|  |  | | Container App/ACI  | |    | | Azure DB for PostgreSQL   | | |  |
|  |  | | - CertifyClouds    |------| | Flexible Server           | | |  |
|  |  | | - Port 8080        | |    | | - Burstable B1ms          | | |  |
|  |  | | - Managed Identity | |    | | - VNet integrated         | | |  |
|  |  | +--------------------+ |    | +---------------------------+ | |  |
|  |  +------------------------+    +-------------------------------+ |  |
|  +------------------------------------------------------------------+  |
|                                                                        |
|  Key Vaults (various subscriptions)                                    |
|  - Accessed via Managed Identity                                       |
+------------------------------------------------------------------------+
```
## Support
- Documentation: You're reading it!
- Email: support@certifyclouds.com