Skip to content

Azure

This page describes the infrastructure and other prerequisites for deploying Tower on Microsoft Azure.

Tower container images#

Seqera Labs publishes the Tower Enterprise containers to a private Azure Container Registry instance.

  1. Acquire credentials from Seqera Labs

    Customers who chose to retrieve their Tower Enterprise containers from Seqera's Azure Container Registry will be supplied with a user id and authentication token during the onboarding process.

  2. Retrieve a local copy of the container

    Clients using the docker-compose deployment method must retrieve container copies for local use.

    1. Authenticate Docker against the Seqera Azure Container Registry.

      1
      2
      # Replace USER and TOKEN with the credentials supplied by Seqera Labs
      docker login -u USER -p TOKEN seqera.azurecr.io
      

    2. Pull the containers to your local instance

      1
      2
      3
      4
      5
      export REPOSITORY_URL="seqera.azurecr.io/nf-tower-enterprise"
      export TAG="v22.2.4"
      
      docker pull ${REPOSITORY_URL}/backend:${TAG}
      docker pull ${REPOSITORY_URL}/frontend:${TAG}
      

Mandatory prerequisites#

Resource group and storage account#

A resource group and a storage account are required to use Azure. Refer to the Detailed Instructions section for instructions on how to provision these resources.

SMTP server#

If you do not have an email server, you can use Microsoft 365 or a third party service such as SendGrid as recommended by Microsoft for sending emails from Azure VMs.

MySQL database#

An external database (i.e. external to your Docker Compose or Kubernetes deployment) is highly recommended for production deployments. If you don't have your own database service, you can use Azure Database for MySQL.

If you decide to use an external database, you must create a MySQL user and database manually. Refer to the Configuration section for more details.

Note

When creating a MySQL user, remember to use the format USER@HOSTNAME for the TOWER_DB_USER environment variable.

Note

For Azure managed MySQL, it is recommended to pass an explicit serverTimezone to the TOWER_DB_URL environment variable, which depending on your configuration could be UTC and therefore the connection string should look like jdbc:mysql://MYSQL_INSTANCE_NAME.mysql.database.azure.com/TOWER_DATABASE?serverTimezone=UTC.

VM instance (Docker Compose)#

A Linux VM instance is required to deploy Tower via Docker Compose. Refer to the Detailed Instructions section for instructions on how to provision a VM instance for this purpose.

AKS cluster (Kubernetes)#

An Azure Kubernetes Service (AKS) cluster is required to deploy Tower via Kubernetes. Refer to the AKS documentation for instructions on how to provision your own cluster.

HTTPS redirects

If you'd like to customize your cluster's Ingress Controller to support HTTPS redirects and TLS certificates, please refer to the instructions.

Optional prerequisites#

SSL certificate#

Required to allow your Tower instance to handle HTTPS traffic.

Warning

Starting in Tower 22.1.1, HTTP-only implementations must set the following environment variable in their Tower hosting infrastructure in order for users to be able to successfully log in: TOWER_ENABLE_UNSAFE_MODE=true.

While there are many ways to implement DNS and TLS-termination, Seqera recommends using the specialized native services offered by your cloud provider. In the case of Azure:

  • Use Application Gateway for TLS-termination and load-balancing.
  • Use App Service Domains for domain acquisition.
  • Use Azure DNS for domain record management.
  • Use Azure Vault for PKI certificate storage.

These decisions should be made now because they impact how Tower configuration files are updated.

Detailed Instructions#

This section provides step-by-step instructions for some commonly used GCP services for Tower deployment. Please consult the Azure documentation for the most up-to-date instructions, and please contact Azure support if you have any issues with provisioning Azure resources.

Azure Resource Group#

  1. Sign in to the Azure portal.

  2. Select Resource groups.

  3. Select Add.

  4. Enter the following values:

    • Subscription: Select your Azure subscription.

    • Resource group: Enter a new resource group name (e.g. nftowerrg).

    • Region: Select the Region where your assets will exist (e.g. East US).

  5. Select Review and Create.

  6. Select Create.

Azure Storage Account#

  1. Sign in to the Azure portal.

  2. Select Storage accounts.

  3. Select Create.

  4. Enter the following values:

    • Subscription: Select your Azure subscription.

    • Resource group: Enter your resource group name.

    • Storage account name: Enter a new storage account name (e.g. nftowerstorage).

    • Region: Select the same Region as where your Resource Group exists (e.g. East US).

    • Performance: Select Standard.

    • Redundancy: Select Geo-redundant storage (GRS)

  5. Select Review + create. Please note that the default values are used in the other tabs. See the Azure documentation for further details on each setting.

  6. Select Create.

Azure Linux VM#

We recommend the following VM settings:

  1. Use default values unless otherwise specified.
  2. Provision at least 2 CPUS and 8GB RAM.
  3. Use the Ubuntu Server 20.04 LTS - Gen2 image.
  4. Ensure your VM is accessible by SSH.
  5. Do not implement DNS or Load Balancing directly against the VM (do so via Azure Application Gateway instead).

To create a VM:

  1. Configure the Basics tab:

    • Ensure your Region is the same as your Resource group.
    • Do not set the VM as an Azure Spot instance.
    • Ensure your Security Group allows ingress on Port 8000.
  2. Configure the Disks tab:

    • Ensure your OS disk type is Standard SSD.
  3. Configure the Network tab:

    • Ensure that a Public IP is assigned to the VM.
    • Do not place the VM in the backend pool of an existing load balancing solution.
  4. Select Review + create.

  5. Select Create.

To make the VM's IP address static:

  1. Enter Public IP addresses in the search.

  2. Under Services, select Public IP addresses.

  3. In the Public IP addresses page, select the entry containing your VM name. A page opens with that IP's details.

  4. Select Configuration from the left-hand navigation panel.

  5. Ensure that your IP address assignment is Static.

  6. Do not add a custom DNS name label to the VM.

To allow ingress on port 8000:

  1. Enter Virtual Machines in the search.

  2. Under Services, select Virtual machines.

  3. In the Virtual machines page, select your VM name to navigate to the VM details.

  4. Select Networking from the left-hand navigation panel.

  5. Add inbound port rule for port 8000

Back to top