
Low-side Azure prerequisites for Milestone 1

Use this checklist before running the Azure Commercial low-side deployment.

Required prerequisites

  • SSH key exists at the path referenced by SSH_KEY_PATH (e.g., ~/.ssh/<your-low-side-key>)
  • az login is complete
  • the target subscription is selected
  • keyVaultAccessObjectIds contains the operator AAD object ID
  • repoClientAddressPrefix contains the operator CIDR
  • install local Python dependencies inline because automation/requirements.txt is not present:
    python3 -m pip install 'PyYAML>=6.0,<7.0' 'requests>=2.31,<3.0'
    

For the two-command operator flow, continue to ../../DEPLOYMENT.md.

Azure Government (usgovernment) prerequisites

The same infra/low-side/main.bicep template targets Azure Government when cloudEnvironment=usgovernment is passed (either via parameter file or --parameters override). No fork is required — the privatelink DNS zones, PostgreSQL FQDN suffix, ACR login server, and Key Vault DNS automatically switch to the .usgovcloudapi.net / .azurecr.us family.

Government cloud adds the following prerequisites on top of the list above:

  • Operator workstation must use the gov cloud profile before any az command:
    az cloud set --name AzureUSGovernment
    az login   # authenticates against login.microsoftonline.us
    az account set --subscription <gov-subscription-id>
    
  • Pick a gov region for location: usgovvirginia, usgovarizona, or usgovtexas (availability of ACA, PostgreSQL Flex, and Redis varies; verify in the target region).
  • Use the gov-specific bicepparam file:
      • infra/low-side/main.usgovernment.example.bicepparam is the committed template.
      • Copy to main.usgovernment.local.bicepparam (gitignored) and fill placeholders.
  • When running the bootstrap wrapper, pass --cloud usgovernment:
    ./automation/bootstrap/run_e2e.sh --resource-group <gov-rg> --cloud usgovernment
    
    This causes run_e2e.sh and prepare_container_apps.py to call az cloud set --name AzureUSGovernment before any other az operation, so subsequent CLI calls hit management.usgovcloudapi.net instead of management.azure.com.
  • Confirm your AAD object ID with the gov-cloud profile active (az ad signed-in-user show --query id -o tsv); commercial-tenant object IDs do not carry over to the gov tenant.
  • Repo client CIDR must be reachable from the gov environment's allowed egress (typical pattern: ExpressRoute or peered VNet, not direct internet).
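
The checks from both prerequisite lists above can be scripted as a preflight that fails before any deployment command runs. This is an added example, not a script from the repository: the function names, the cloud label argument and the parameter-file argument are assumptions, and the key-permission test goes one step beyond the checklist's "key exists" item.

```shell
#!/bin/sh
# Added example: preflight for the checklist above (not part of the repository).

# Map the cloud label to the az CLI profile name. "usgovernment" is the value
# used on this page; any other label is treated as commercial (AzureCloud).
expected_profile() {
  case "$1" in
    usgovernment) echo AzureUSGovernment ;;
    *)            echo AzureCloud ;;
  esac
}

# The key must exist and carry no group/other permission bits.
check_ssh_key() {
  [ -f "$1" ] || { echo "FAIL: no SSH key at $1" >&2; return 1; }
  perms=$(ls -ldL "$1" | cut -c5-10)
  [ "$perms" = "------" ] || { echo "FAIL: $1 is group/other accessible" >&2; return 1; }
}

# The active az profile must match the cloud being deployed to.
check_cloud() {
  want=$(expected_profile "$1")
  have=$(az cloud show --query name -o tsv 2>/dev/null) || have=""
  [ "$have" = "$want" ] || { echo "FAIL: az cloud is '$have', expected '$want'" >&2; return 1; }
}

# az login is complete and a subscription is selected.
check_subscription() {
  sub=$(az account show --query id -o tsv 2>/dev/null) || sub=""
  [ -n "$sub" ] || { echo "FAIL: no subscription selected (run az login)" >&2; return 1; }
}

# The object ID resolved under the active profile must appear in the parameter
# file; an ID copied from the commercial tenant fails here under the gov profile.
check_object_id() {
  oid=$(az ad signed-in-user show --query id -o tsv 2>/dev/null) || oid=""
  [ -n "$oid" ] || { echo "FAIL: cannot read signed-in object ID" >&2; return 1; }
  grep -qiF -- "$oid" "$1" || { echo "FAIL: object ID $oid not found in $1" >&2; return 1; }
}

# usage: preflight usgovernment main.usgovernment.local.bicepparam
preflight() {
  rc=0
  check_ssh_key "$SSH_KEY_PATH" || rc=1
  check_cloud "$1"              || rc=1
  check_subscription            || rc=1
  check_object_id "$2"          || rc=1
  return "$rc"
}
```
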

Deploy to Azure portal button

For first-time evaluators, two one-click portal buttons are available in the README. They deploy the compiled infra/low-side/main.json template via the Azure Custom Deployment wizard — no CLI required to start:

Cloud                  Button
Azure Commercial       Deploy to Azure
Azure US Government    Deploy to Azure US Government

The button deploys the same template as scripts/quickstart.sh. For repeatable, validated deployments with secret bootstrapping use scripts/quickstart.sh; use the portal button only when you want an interactive first look at the resource parameters.