Skip to content

Azure Resource Groups

The Cloud Access Manager deployment is seperated into three Azure resource groups within the Azure portal. For a step by step guide to deploying Cloud Access Manager with Azure Cloud Shell, see Azure Cloud Shell Deployment. The resource groups created are:

  • The Root Resource Group
  • The Remote Workstation Resource Group
  • The Connection Service Resource Group

The Root Resource Group

The root resource group, which contains configuration information, storage accounts, data, and secrets for the Cloud Access Manager deployment. The name of this resource group is the one provided by the administrator at the time of deployment. In the case where Cloud Access Manager is deployed as a complete, isolated deployment for testing or other isolated use cases, then the virtual network and the domain controller used by Cloud Access Manager are inside this resource group as well. Please see Cloud Access Manager Configuration Storage for a detailed description of the stored information.

The Remote Workstation Resource Group

The remote workstation resource group, which has the name of the root resource group followed by -RW. This resource group contains the remote workstations which are managed by Cloud Access Manager. Remote workstation virtual machines and network interfaces are in this resource group.

The Connection Service Resource Group

The connection service resource group, which has the name of the root resource group followed by -CS\<number>. The first connection service deployed with Cloud Access Manager has the suffix -CS1. The connection service provides brokering, gateway access, and the management user interface to a Cloud Access Manager deployment. There may be more than one connection service, for example if an upgrade is being tested before switching over. Deploying a connection service has no side-effects on the rest of the system so administrators may create and delete them as needed.

Warning

If all connection services are deleted, then users will not be able to connect to their remote workstations and administrators are unable to manage their Cloud Access Manager deployment, until a new connection service is deployed.

Azure Service Principal

The deployment script will make an Azure service principal for you during deployment, but if your Azure account has insufficient access to create Service Principal accounts in Azure Active Directory you may need to have one made beforehand.

Tagging Azure Resources

It is possible to tag all Azure resources (Cloud Access Connectors, remote workstations, resource groups, gateways, key vaults, storage accounts, VM scale sets, disks and NICs) to enable you to filter resources and help with troubleshooting. In order to add tags, run the following command:

./Deploy-CAM.ps1 -tag @{tagName1=tagValue1;tagName2=tagValue2}