Configure Layered Network Management (preview) to use Azure IoT Operations in an isolated network
This walkthrough is an example of deploying Azure IoT Operations to a special environment that's different from the default Azure IoT Operations scenario. By default, Azure IoT Operations is deployed to an Arc-enabled cluster that has direct internet access. In this scenario, you deploy Azure IoT Operations to an isolated network environment. The hardware and cluster must meet the prerequisites of Azure IoT Operations, and there are extra configuration steps for the network, host OS, and cluster. As a result, the Azure IoT Operations components run in the isolated network and connect to Arc through the Azure IoT Layered Network Management (preview) service.
Important
This is an advanced scenario for Azure IoT Operations. You should complete the following steps to get familiar with the basic concepts before you start this advanced scenario.
- Deploy Azure IoT Layered Network Management to an AKS cluster
- Deployment overview - Azure IoT Operations
- Prepare your Kubernetes cluster - Azure IoT Operations
- Deploy Azure IoT Operations to an Arc-enabled Kubernetes cluster - Azure IoT Operations
- You can reuse the cloud dependencies you create for this trial, such as the key vault, managed identity, and storage account, to reduce the complexity of setting up Azure IoT Operations in a Purdue Network environment.
You can't migrate a previously deployed Azure IoT Operations from its original network to an isolated network. For this scenario, follow the steps starting with creating new clusters.
In this example, you Arc-enable AKS Edge Essentials or K3S clusters in the isolated layer of an ISA-95 network environment using the Layered Network Management service running one level above. The network and cluster architecture are described as follows:
- A level 4 single-node cluster running on a host machine with direct access to the internet.
- A custom DNS in the local network. See Configure custom DNS for the options. To set up the environment quickly, use the CoreDNS approach instead of a DNS server.
- A level 3 cluster that is blocked from accessing the internet. It connects to the Layered Network Management service as a proxy for all Azure Arc-related traffic.
For more information, see Example of logical segmentation with minimum hardware.
Configure level 4 Kubernetes cluster and Layered Network Management
After you configure the network, you need to configure the level 4 Kubernetes cluster. Complete the steps in Configure IoT Layered Network Management level 4 cluster. In the article, you:
- Set up a Windows 11 machine and configure AKS Edge Essentials or set up K3S Kubernetes on an Ubuntu machine.
- Deploy and configure the Layered Network Management service to run on the cluster.
You need to identify the local IP of the host machine. In later steps, you direct traffic from level 3 to this IP address with a custom DNS.
After you complete this section, the Layered Network Management service is ready for forwarding network traffic from level 3 to Azure.
Configure the custom DNS
In the local network, you need to set up the mechanism to redirect all the network traffic to the Layered Network Management service. Use the steps in Configure custom DNS. In the article:
- If you choose the CoreDNS approach (only applicable to a K3s cluster in level 3), you can skip to Configure and Arc enable level 3 cluster and configure CoreDNS before you Arc-enable the level 3 cluster.
- If you choose to use a DNS server, follow the steps to set up the DNS server before you move to the next section in this article.
Configure and Arc enable level 3 cluster
The next step is to set up an Arc-enabled cluster in level 3 that's compatible with deploying Azure IoT Operations. You can choose either AKS Edge Essentials or K3S as the Kubernetes platform.
Follow Prepare your Azure Arc-enabled Kubernetes cluster to set up and Arc-enable your K3s cluster.
- Prepare your K3s cluster with internet access.
- Install the kubectl client with these steps to ensure that it's installed properly for Arc enablement.
- Proceed to Arc-enable the cluster.
- Before you disable internet access for your cluster, you also need to complete the Prerequisites for deploying Azure IoT Operations.
- After installing the required software components and setting up the K3s cluster, restrict internet access for this cluster and configure CoreDNS to redirect network traffic to your Layered Network Management service at level 4.
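After the last step, the level 3 host should resolve every Azure Arc endpoint to the level 4 Layered Network Management IP and have no direct path to the internet. The following checks, added here as an example and not part of the walkthrough or the Azure IoT Operations tooling, verify both conditions; the endpoint list, the LNM IP (10.0.4.10), and the probe address (1.1.1.1) are assumptions, and a resolver backed by a constructed table is included for dry runs.

```python
"""Post-isolation checks for a level 3 host: every Azure Arc endpoint must
resolve to the level 4 LNM IP, and a direct internet connection must fail."""
import socket
from typing import Callable, Dict, List, Optional

# Illustrative subset only (assumption): take the complete endpoint list from
# the Azure Arc-enabled Kubernetes network requirements for your deployment.
ARC_ENDPOINTS = ["management.azure.com", "login.microsoftonline.com",
                 "mcr.microsoft.com"]


def table_resolver(table: Dict[str, str]) -> Callable[[str], str]:
    """Resolver backed by a constructed name->IP table (dry runs and tests);
    missing names raise socket.gaierror, as socket.gethostbyname does."""
    def resolve(host: str) -> str:
        if host not in table:
            raise socket.gaierror(f"{host}: NXDOMAIN (constructed)")
        return table[host]
    return resolve


def check_dns_redirect(endpoints: List[str], lnm_ip: str,
                       resolve: Callable[[str], str] = socket.gethostbyname
                       ) -> Dict[str, str]:
    """Return {endpoint: problem} for each endpoint that does not resolve to
    the LNM IP; an empty dict means the custom DNS redirects all Arc traffic
    through level 4, with no endpoint bypassing LNM."""
    problems: Dict[str, str] = {}
    for host in endpoints:
        try:
            ip = resolve(host)
        except OSError as exc:  # socket.gaierror is an OSError subclass
            problems[host] = f"unresolvable: {exc}"
            continue
        if ip != lnm_ip:
            problems[host] = f"resolves to {ip}, expected LNM {lnm_ip}"
    return problems


def direct_internet_blocked(connect: Optional[Callable[[], None]] = None) -> bool:
    """True when a direct (non-LNM) outbound connection fails, i.e. level 3 is
    isolated. Default probe: TCP 443 to 1.1.1.1 (sample public address)."""
    def default_connect() -> None:
        socket.create_connection(("1.1.1.1", 443), timeout=3).close()
    try:
        (connect or default_connect)()
    except OSError:
        return True
    return False
```

On the level 3 host, run `check_dns_redirect(ARC_ENDPOINTS, "<LNM IP>")` with the default resolver and `direct_internet_blocked()`; any entry in the returned dict is an endpoint that would bypass LNM and should be fixed in CoreDNS before deploying Azure IoT Operations.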
Verification
Once the Azure Arc enablement of the level 3 cluster is complete, go to your resource group in the Azure portal. You should see a Kubernetes - Azure Arc resource with the name you specified.
- Open the resource overview page.
- Verify that the status of the cluster is Online.
For more information, see Access Kubernetes resources from Azure portal.
Deploy Azure IoT Operations
Once your level 3 cluster is Arc-enabled, you can deploy IoT Operations to the cluster. All IoT Operations components are deployed to the level 3 cluster and connect to Arc through the Layered Network Management service. The data pipeline also routes through the Layered Network Management service.
You can now follow the steps in Deploy Azure IoT Operations to an Arc-enabled Kubernetes cluster to deploy IoT Operations to the level 3 cluster.
Next steps
Once IoT Operations is deployed, you can try the following tutorials. Azure IoT Operations in your level 3 cluster works as described in the tutorials.