Protegrity Anonymization on Azure

Installation of Protegrity Anonymization requires working with the following Microsoft Azure services: Container Registries, Kubernetes Services, Disks. You’ll need an administrator to be able to grant permissions for these services to interact with each other. Proficiency with helm and kubectl is strongly recommended.

Note: For ease of configuration and installation, we recommend that you work within your target Subscription, with the same Resource group, Virtual network, Subnet, and Zone.

Create a base machine

We recommend creation of a Virtual machine on Microsoft Azure, from which you’ll interact with all the necessary services to standup Protegrity Anonymization. The following installation instructions have been tested with a Linux machine (Ubuntu 24.04). The following steps assume creation of such a Virtual machine.

1. Install and initialize the Azure CLI on your virtual machine.

   For more information about the installation steps, refer to How to install the Azure CLI.

2. From your virtual machine, login to your account by running:

   az login
   

   Follow the steps presented by the wizard to complete authentication.

3. Install Kubectl version 1.32.3. Kubectl enables you to run commands from the virtual machine so that you can communicate with the Kubernetes cluster.

Note: For more information about installing kubectl, refer to Install Tools.

4. Install the Helm client version 3.17.2 for working with Kubernetes clusters.

Note: For more information about installing the Helm client, refer to Installing Helm.

5. Install Docker engine 28.0.4.

Note: For more information about installing the Docker engine 28.0.4, refer to Install Docker Engine. Make sure to run the post-installation steps as well.

Create a Container Registry

To create a container registry leverage the Container registries service on Azure and configure it according to your environment requirements and constraints.

Note: For more information about creating the Azure Container Registry, refer to Create an Azure container registry using the Azure portal.

Create a Kubernetes cluster

This section describes how to create a Kubernetes Cluster on Azure.

Note: The steps listed in this procedure for creating a Kubernetes cluster are for reference use. Be advised of potential differences between the screen captures here presented and what you’ll encounter on the user interface on the Azure user interface.

To create a Kubernetes cluster via the user interface:

1. Log in to the Azure Cloud and access Kubernetes services.

2. CLick on Create and the following options will appear:

   

3. Click Kubernetes cluster and the Create Kubernetes cluster screen appears.

4. We’ll detail the basic and mandatory configurations to launch a cluster (of type private) for the Anonymization. In Basics tab, Subscription field select the desired subscription where you intend to deploy Protegrity Anonymization. In the Resource group field, select the required resource group. On Cluster preset configuration choose the preset that best suits your needs. In the Kubernetes cluster name field, specify a name for your Kubernetes cluster. Select 1.32.3 as the Kubernetes version. Retain the default values for the remaining settings.

5. In the Node pools tab:

• Under Node pools by default an agentpool is created with System Mode. System node pools are preferred for system pods.
• Click Add node pool, select a name for your Node pool name, select User Mode user node pools are preferred for your application pods, Ubuntu Linux OS SKU, Availability zones according to your regions and zones, Node size of at least 4 vCPUs and 16 RAM(GiB), Minimum node count of at least 2, and Maximum node count of 5 strikes a good balance. Everything else can be left with default values.

1. In the Networking tab:

• Under Private access, select Enable private cluster.
• Under Container networking, select Azure CNI Node Subnet. Enable Bring your own Azure virtual network. On Virtual network select your virtual network and subnet for the Cluster subnet.

1. In the Integrations tab, choose the name of your Container Registry, previously created.

2. Click Review + create to validate the configuration.

3. Click Create to create the Kubernetes cluster.

   The Kubernetes cluster is created.

Note: Protegrity Anonymization leverages volume mounts on Kubernetes. Be advised that this will require interaction between Kubernetes and Disks. Once the cluster has been created you must ensure the cluster managed identity has the necessary permissions to mount storage. You can find more information here. You may create your own customized set of permissions or use a default Azure role of Virtual Machine Contributor and add the Kubernetes cluster managed identity directly to the respective resource group.

Deploy Protegrity Anonymization on AKS

Note: Because the installation script changes parameter values of configuration files, if you make a mistake during installation you might end up with inconsistent values for the same parameters. In that case, to attempt installation again, we recommend that you run step 3 again.

1. Make sure to read the optional section for additional configuration options Anonymization on AWS or Azure.

2. Obtain and copy Protegrity Anonymization’s installation artifact ANON-API_RHUBI-ALL-64_x86-64_Generic.K8S_1.3.0.tgz into a directory on your base machine.

3. From that directory, run tar -xvzf ANON-API_RHUBI-ALL-64_x86-64_Generic.K8S_1.3.0.tgz.

4. Edit the install.properties file and follow additional instructions on that file. You’ll encounter global configurations and Cloud specific sections.

5. You’ll find a Azure_install.sh file. Make sure to read the script before you run it, since it contains delete operations, namely deleting Kubernetes namespaces and auxiliary files.

6. Run Azure_install.sh. This will generally take less than 30 minutes to deploy Protegrity Anonymization. At the end of the script, you’ll be shown an IP address of Ingress which you’ll need to edit your hosts file, like so XX.XX.XX.XX anon.protegrity.com. To get additional information about the deployment, you may leverage the following commands (these are the default namespaces defined in install.properties):

   kubectl get pods -n anon-ns
   kubectl get svc -n anon-ns
   kubectl get pods -n nginx
   kubectl get svc -n nginx
   

7. You may now use Protegrity Anonymization. Use the URLs provided here for viewing the Protegrity Anonymization service and pod details after you have successfully deployed the Protegrity Anonymization. For more information about updating the hosts file, refer to step 2 of the section Enabling custom certificates from SDK.

   1. Open a web browser. Use the following URL to view basic information about Protegrity Anonymization: https://anon.protegrity.com/.
   2. Use the following URL to view the Swagger UI. The various Protegrity Anonymization APIs are visible on this page: https://anon.protegrity.com/anonymization/api/v1/ui.
   3. Go to https://anon.protegrity.com/lab, where you’ll have a Jupyter Lab environment available to quickly experiment with Protegrity Anonymization. Inside the folder Anonymization-engine, you’ll find a Jupyter Notebook with several examples.
   4. Use the following URL to view the contractual information for Protegrity Anonymization: https://anon.protegrity.com/about.
   5. Visit https://anon.protegrity.com/sdkapi and you’ll find a link to download the python SDK. Install it and use it with python 3.12 in your environment to interact with Protegrity Anonymization.
   6. Refer to the Sample Requests for Protegrity Anonymization section for code snippets.

Note: Do not stop or delete the running Dask scheduler or the Protegrity Anonymization API container service, which might lead to loss of respective data and logs.

Uninstall

From the same Virtual machine from where you installed the product, run the following commands in accordance with what you specified in the install.properties file

1. List deployments with:

   helm list -n anon-ns
   helm list -n nginx
   

2. Uninstall via:

   helm uninstall <name of anon deployment> -n anon-ns
   #eg: helm uninstall anon -n anon-ns
   helm uninstall <name of nginx deployment> -n nginx
   #eg: helm uninstall ingress-nginx -n nginx
   

3. You may monitor the status of the uninstall with:

   kubectl get pods -n anon-ns
   kubectl get pods -n nginx
   kubectl get pv -n anon-ns
   kubectl get pvc -n anon-ns
   

4. Wait for the deletion of the pods.
5. If you face an issue with pv and or pvc at this stage, run:

   # ----- anon-db-pvc -----
   kubectl patch pvc anon-db-pvc -n anon-ns -p '{"metadata":{"finalizers":null}}'
   kubectl patch pv anon-db-pv -n anon-ns -p '{"metadata":{"finalizers":null}}'
   
   kubectl delete pvc anon-db-pvc -n anon-ns --ignore-not-found
   kubectl delete pv anon-db-pv --grace-period=0 --force --ignore-not-found
   
   # ----- anon-nb-pvc -----
   kubectl patch pv anon-nb-pv -n anon-ns -p '{"metadata":{"finalizers":null}}'
   kubectl patch pvc anon-nb-pvc -n anon-ns -p '{"metadata":{"finalizers":null}}'
   
   kubectl delete pv anon-nb-pv --grace-period=0 --force --ignore-not-found
   kubectl delete pvc anon-nb-pvc -n anon-ns --ignore-not-found
   
   # ----- anon-storage-pvc -----
   kubectl patch pvc anon-storage-pvc -n anon-ns -p '{"metadata":{"finalizers":null}}'
   kubectl patch pv anon-storage-pv -n anon-ns -p '{"metadata":{"finalizers":null}}'
   
   kubectl delete pvc anon-storage-pvc -n anon-ns --ignore-not-found
   kubectl delete pv anon-storage-pv --grace-period=0 --force --ignore-not-found
   

6. Delete the AKS cluster.
7. The product installation will create 3 Disks, which you’ll need to delete (e.g., from the Azure console). By default, given the properties in install.properties, those volumes are called: deployment_anon_storage; deployment__anon_db; deployment_anon_workstation.