Payg azure update jcayouette (#3746)
* update

* update
jcayouette authored Feb 28, 2025
1 parent 4d8a7c8 commit 4861cf5
Showing 10 changed files with 1,051 additions and 74 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
- Updated instructions for deploying PAYG on Azure
- Added instructions for Server installation on SUSE Linux
Enterprise Server 15 SP6 to Installation and Upgrade Guide
- Add section about container image inspection to Image
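Review bot: The entry "Updated instructions for deploying PAYG on Azure" is too general for a commit that touches 10 files with 1,051 additions. Name what changed for the reader, for example that the Azure PAYG guide now describes deployment as a Managed Application and adds guidance on limiting access to the public IP address.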
755 changes: 755 additions & 0 deletions modules/specialized-guides/assets/images/AzureManagedApp.svg
Original file line number Diff line number Diff line change
Expand Up @@ -5,49 +5,147 @@ endif::[]

This section covers initial preparation and configuration of the Managed Application on {azure}.

.Procedure: Configuring your {productname} instance
== Configuring your {productname} instance

. Start by logging into your Azure account at Azure Portal.
There are two tabs you need to fill out: _Basics_ and _Virtual Machine Settings_.

. In the Azure Portal, find the menu:[Virtual Machines] section. This can be done either through the **dashboard** or by using the **search bar**.
=== Fill Out the _Basics_ Tab

. Select menu:[Create a resource] in the top left corner of the portal.
.. Project Details
... As with every resource in Azure, you need to provide a _Resource Group_ (RG). This can be an existing RG or you can create a new RG for this deployment.

. Choose menu:[Compute] and then select menu:[Virtual Machine].
.. Instance Details
... Region – where the instance should run.
... Virtual Machine Name – the name of the VM in which {productname} will run.
... Username – the administrator account for the {productname} VM.
... SSH Key Source and Key – needed to access the machine.

. You will be guided through the **Create a virtual machine** process.
+
[NOTE]
====
We do not allow the use of a password here. This is to reduce the risk of brute force attacks.
====

.. Managed Application Details
... Application Name – the name of the Managed Application.
... Managed Resource Group (MRG) – where the {productname} VM and its resources will be deployed into.

. Fill in the required details such as subscription, resource group, and VM name.
=== Switch to the _Virtual Machine Settings_ Tab

. Choose a region for your VM. Ensure it complies with any geo-fencing policies you might have.
.. Instance Size
... The default for the instance size is _D8as v5_, which is a good baseline for a production server. It provides enough resources for more data disks and IOPS throughput for disk and network.
https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series

. In the **Image** dropdown, select the **{productname} {productnumber} with 24x7 Support ltd** or the **{productname} {productnumber} with 24x7 Support llc** image for your VM. If the image is not listed, select **Browse all public and private images** to find the required image.

. Suggested sizes are selected by default for this VM. Configure optional features such as virtual CPUs, memory as required.
+

. Set up an administrator account for the VM. This can be a username and SSH public key.
[NOTE]
====
If you only need a test instance, you can go smaller and choose an instance size with 4 vCPUs and 16GB memory or use a _B-Series (Burstable)_ instance with a similar configuration.
====

. Ensure the VM is connected to the appropriate virtual network (VNet) and subnet, especially if it needs to communicate with other specific services like {productname}.
For network requirements, see xref:specialized-guides:public-cloud-guide/payg/azure/payg-azure-server-setup.adoc[Azure Server Setup: Network Configuration].
+

. Configure additional settings such as storage, monitoring, or any extensions you may need. The following partitions are created by default when initializing the {azure} image:
.. Diagnostic Storage Account
... If you normally create a VM in the Azure portal, boot diagnostics are enabled by default using a managed storage account. You can choose an existing storage account or create a new one (default).

* **100 GB** for the root partition

* **500 GB** for spacewalk storage

* **80 GB** for the database.
.. OS Disk Size
... This is the root disk of the {productname} installation, which holds:
.... The OS and the {productname} application.
.... [path]``/var/cache`` – where you need to provide storage space for each product you want to manage.

+

. Once all configurations are set, review the settings.
The proposed default of 100GB should be accepted.

. Click "Create" to deploy your VM.
.. Database Disk Size
... This holds the Database for {productname} and needs a minimum of 50GB. The proposed value of 80GB is a good default suggestion.

. After the VM is deployed, you can access it via SSH.
.. Spacewalk Disk Size
... This holds the package repositories and should have at least 100GB. Additional requirements include:
.... 50GB for every SUSE product.
.... >360GB for every RedHat or other Linux product.

+

[NOTE]
.Usage and Costs
The proposed default of 500GB is a safe default to start with.

+

[NOTE]
====
Keep in mind that since this is a {payg} image, you will be billed according to your actual usage, including the number of systems you **manage** and **monitor** with this instance. It's essential to regularly track and review your usage to prevent unexpected costs and ensure alignment with your needs.
Repository synchronization will fail if this directory runs out of disk space.
====
+

.. Public IP Address for the VM
... By default, a Public IP Address is created to access the {productname} VM and Application.
.... *If you use it, please ensure this is secure and access is limited.*

+

[IMPORTANT]
====
Running {productname} on the public cloud means implementing robust security measures. It is essential to limit, filter, monitor, and audit access to the instance. SUSE strongly advises against a globally accessible {productname} instance that lacks adequate perimeter security.
====

+

You should carefully consider this, as the {productname} Server will have access to all managed nodes. If someone gains access to {productname}, it would mean access to all managed nodes as well. Threat actors actively scan for accessible machines with open management ports (e.g., SSH or RDP), especially on cloud providers.

+

A Network Security Group (NSG) is created by default if you choose to create a Public IP. It only allows inbound SSH access via port 22 as a minimal protection for the public IP.

+

It is recommended to additionally restrict access to a defined list of networks and allow Azure's virtual network to drop requests originating from other networks.

+

Furthermore, you can add Just-in-Time access and/or use the Azure Bastion Service, Firewall, VPN, or private network methods to secure public access.

+

You can choose not to create a Public IP address (which is more secure), but you will need to use other methods to access the created {productname} VM and its Web UI for further configuration. Additionally, you must take care of the DNS and ensure a correct FQDN.

.. DNS Prefix for the Public IP Address

... The {productname} server must resolve its FQDN correctly. If the FQDN cannot be resolved, it can cause issues in several {productname} components.

... To ensure that the {productname} domain name can be resolved by its clients, both server and client machines must be connected to a working DNS server. You also need to ensure that *reverse lookups* are correctly configured.

+

If you use the Public IP address, a DNS name is automatically created from Azure. You only need to ensure that a unique name is used. The default suggestion creates one by including a random number to make the domain name unique.

+

If you do not use the Public IP, you need to make sure that your setup can resolve the FQDN correctly as mentioned above.

.. Virtual Network / Subnet

... You will see a default proposal for a virtual network where {productname} will reside. By clicking _edit_, you can adjust it to your needs.

... Remember that a _Managed Application_ will be deployed from SUSE to your Azure tenant. Therefore, this network is the network in the _Managed Resource Group (MRG)_ and cannot overlap with existing networks.

+

At a later stage, you need to peer this network to the network with the nodes you want to manage. Alternatively, you can create the managed nodes within this network.

+

With all fields filled out, press _Next_ or _Create_. The Azure portal will perform a final check and provide a summary screen of this deployment.

+

If everything is correct, press _Create_ to deploy the _Managed Application_ for {productname}.

=== After Deployment

After the VM is deployed, you can access it via SSH.

.Usage and Costs
[NOTE]
====
Keep in mind that since this is a {payg} image, you will be billed according to your actual usage, including the number of systems you **manage** and **monitor** with this instance. It's essential to regularly track and review your usage to prevent unexpected costs and ensure alignment with your needs.
====
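Review bot: In the "Public IP Address for the VM" step, the text says the default NSG "only allows inbound SSH access via port 22" but does not say from which source addresses, and it never explains how the Web UI mentioned a few paragraphs later is reached through that public IP. State the default source scope of the SSH rule, and tell the reader which inbound rule is needed for the Web UI, limited to the "defined list of networks" the section already recommends. The line "*If you use it, please ensure this is secure and access is limited.*" could then point at those concrete measures instead of standing alone. Minor: "RedHat" in the Spacewalk disk list should be "Red Hat".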
Original file line number Diff line number Diff line change
Expand Up @@ -95,4 +95,3 @@ tcp_keepalive_cnt: 3
----

. Restart the [literal]`venv-salt-minion service`.

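Review bot: The whitespace-only change after the restart step is unrelated to the Azure PAYG update and would be easier to review in a separate cleanup commit. If this line is touched anyway, the literal span [literal]`venv-salt-minion service` includes the word "service"; only the service name should be marked literal.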
Original file line number Diff line number Diff line change
Expand Up @@ -4,30 +4,60 @@ ifeval::[{uyuni-content} == true]
endif::[]

Follow these step-by-step instructions to locate the {productname} {productnumber} {payg} image on {azure}.
You can also review the latest available images for the public cloud using Pint (Public Cloud Information Tracker).

See: link:https://pint.suse.com/[pint.suse.com]
. Firstly, log in to your Azure account, via https://portal.azure.com

+
This makes sure that the Azure system is able to identify in which country your account get billed.

+
It is important, as billing for {productname} {payg} is handled via the Azure Marketplace.
As there are restrictions on which countries this listing can be billed, the account you will transact to should be the one you are logged into.

+
There are currently two offers for {productname} {payg} on {azure}:

* **{productname} {productnumber} with 24x7 Support ltd**
* **{productname} {productnumber} with 24x7 Support llc**
* ** {productname} {productnumber} with 24x7 Support (EMEA Orders only)**
* **{productname} {productnumber} with 24x7 Support**
+
Pick the listing that reflects in which country your Azure account gets billed. It depends on the _sold to address_ of the account, see https://learn.microsoft.com/azure/cost-management-billing/manage/change-azure-account-profile.

+
[NOTE]
====
Do *not* go directly to the Azure Marketplace and get the offer. Even if the offers are visible, they should not be selected from here, as the Azure Web page is not able to identify your billing account. *Always log into the portal first*
====

. After you are logged into the Azure Portal, click btn:[Create a resource].

. Enter {productname} {productnumber} into the search field on the top and press kbd:[RETURN]

+
You get a list of offerings and need to select the version of _{productname} {productnumber} with 24x7 Support_ depending on your billing country.

+
For example, for an account billed in Germany, it would be _{productname} {productnumber} with 24x7 Support (EMEA Orders Only)_.

.Procedure: Obtaining the {productname} {payg} Image on {azure}
. Start by logging into your {azure} account at {azure} Portal.
+
. Once logged in, navigate to the **Virtual Machines** section.
This can be found in the dashboard or by using the search bar at the top of the {azure} Portal.
[NOTE]
====
The offer show up as _Azure Application_ and not as a _Virtual Machine_
====

. Click on **Create a Virtual Machine.**
Here, you will be asked to fill in details such as the subscription, resource group, and virtual machine name.
. Click the description text to get the Product description and then on btn:[Plans + Pricing]. If this is shown with a description and plan, you have chosen the right offer. If there is nothing shown you selected the wrong one.

. During the creation of a virtual machine there is an option for **Image.**
Select the correct cloud image for your VM.
. Next, click on the btn:[Create_ button]

. If you do not find the image you need, you can browse the {azure} Marketplace.
Click on **See all images** or go to the **Marketplace** and search for the image you need.
+
. After selecting your image, continue with the configuration of your virtual machine.
Review all settings, and then create your VM.
This will bring you to a form similar you may know from creating other Azure resources.
There are two tabs you need to fill _Basic_ and _Virtual Machine Settings_
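Review bot: At the "Next, click on" step, the macro btn:[Create_ button] is malformed: the stray underscore and the word "button" end up inside the button label, so it should read btn:[Create] followed by the plain word "button". In the offer list, "** {productname} {productnumber} with 24x7 Support (EMEA Orders only)**" has a space after the opening ** and will not render as bold, and its capitalisation differs from "(EMEA Orders Only)" in the Germany example. Smaller wording fixes in the same hunk: "your account get billed" should be "gets billed", "The offer show up" should be "shows up", "a form similar you may know" needs "similar to the one", and the NOTE ending "*Always log into the portal first*" is missing its period.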
Original file line number Diff line number Diff line change
Expand Up @@ -5,14 +5,57 @@ endif::[]

The {productname} {payg} offering in Azure need to communicate with the Azure Billing API, therefore it is not a simple virtual machine (VM) offering.

When setting up a {productname} {payg} instance on {azure}, it s essential to consider system requirements for optimal performance and functionality.
The default requirements outlined below have been tailored for smooth deployment and operation.
Azure has created the Managed Application offering for this use case.
For more information, see https://learn.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/overview.

By default, certain disks are automatically generated when establishing a {productname} {payg} instance on {azure}.
To complete the setup of these disks, use the [literal]``mgr-storage-server tool.
.Architecture Diagram of a managed application
image::AzureManagedApp.svg[architecture of a managed application, 60%]



== Application resource group

This resource group ( in the diagram _ResGroup A_ ) holds the managed application instance, which could be translated as the metadata or definition of the offering. It can only contain a single resource.

A customer has full access to the resource group and uses it to manage the life cycle of the managed application.



== Managed resource group (MRG)

This resource group ( in the diagram _MRG_ ) holds all the resources that are required by the managed application. For example, an application's virtual machines, storage accounts, and virtual networks.

A _managed application_ is similar to a solution template in Azure Marketplace, with a few key differences:

* The resources are deployed into a _managed resource group_ that is normally managed by the application's publisher.

* It is present in the customer's subscription, but an identity in the publisher's tenant can be given access to the managed resource group.

* The publisher's _management access_ and the customers _deny assignment_ are optional.

+

There are different permission scenarios available. SUSE is using here the _Customer managed_ to give our customers of SUSE Manager full control.

Customer managed::

* Customer
** Customer has full access to the solution (in the managed resource group)
** The customer manages the solution
* Publisher
** The publisher has no access to manage the solution.
** The publisher develops the application and publishes on Azure Marketplace but does not manage the application.
** The publisher licenses the application for billing through Azure Marketplace.



== Instance requirements
When setting up a {productname} {payg} instance on {azure}, it's essential to consider system requirements for optimal performance and functionality. The default requirements outlined below have been tailored for smooth deployment and operation.

By default, certain disks are automatically generated when establishing a {productname} {payg} instance on {azure}. To complete the setup of these disks, use the **mgr-storage-server** tool.

.{azure} System Requirements
[cols="1,1"]
[cols="1,1", options="header"]
|===
| Requirement | Details

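Review bot: In the permission scenario paragraph, "SUSE Manager" is hardcoded in "SUSE is using here the _Customer managed_ to give our customers of SUSE Manager full control", while the rest of this file uses {productname}. Use the attribute and reword, for example "SUSE uses the _Customer managed_ scenario, which gives customers full control of {productname}." In the same section, "the customers _deny assignment_" needs the apostrophe ("customer's"), the parentheses in "( in the diagram _ResGroup A_ )" and "( in the diagram _MRG_ )" carry stray inner spaces, and the opening sentence "offering in Azure need to communicate" should read "needs".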
Expand All @@ -34,4 +77,4 @@ To complete the setup of these disks, use the [literal]``mgr-storage-server tool
| Network Configuration
| Typically configured by your organization

|===
|===