Hello Nerdio Community,
We are planning to bring Nerdio Manager Enterprise (NME) into our existing landing zone and have a few clarifications before proceeding. Our decision is to not expose the connection to the internet, so we plan to bring all NME backend applications through private endpoints.
While reviewing the Azure App Service requirements, I noticed that VNet integration requires a separate subnet. Based on the reference architecture - https://nmehelp.getnerdio.com/hc/en-us/articles/26124355756941-Nerdio-Manager-for-Enterprise-reference-architecture , my understanding is that we need two subnets:
- App Service VNet integration subnet
- Private endpoint subnet

Could you please confirm if this draft version of the diagram is correct for bringing all private connections?
Additionally, regarding outbound connectivity requirements, I referred to https://nmehelp.getnerdio.com/hc/en-us/articles/26124375247757-VNet-integration-firewall-requirements. Since we plan to use VNet integration - https://nmehelp.getnerdio.com/hc/en-us/articles/26124375247757-VNet-integration-firewall-requirements , do we need to satisfy both firewall requirements listed in the guide? In addition to the above two, are there any other firewall requirements?
I am a bit confused because our AVD session hosts are not exposed to the internet. My understanding is that the above two firewall requirements apply only to firewalls, not NSGs. Could you please confirm?
Regarding permissions, the guide lists the following:
- Installation and configuration – https://nmehelp.getnerdio.com/hc/en-us/articles/25499388177421-Azure-Permissions-and-Nerdio-Manager
- Data access permissions - https://nmehelp.getnerdio.com/hc/en-us/articles/26124345701645-Does-Nerdio-Manager-Store-Customer-Information#:~:text=Nerdio%20Manager%20does%20not%20collect%20any%20customer%20data.
- RBAC – https://nmehelp.getnerdio.com/hc/en-us/articles/26124313324173-Role-based-access-control-RBAC-in-Nerdio-Manager
Are these the only permissions required by Nerdio, or do we also need to include permissions for the PaaS services being deployed, such as Azure SQL, Key Vault, Storage Account, etc.?
Also, when is the Enterprise app actually created – pre-deployment, during deployment, or after deployment?
Some additional clarifications:
- Are we using Azure SQL DB or Azure SQL Managed Instance, and which is compatible?
- The setup guide mentions that a service account or domain admin account is needed – is this an AD security group or an Entra security group?
Thank you in advance for your guidance!