Install Linksight with Azure Marketplace
The Linksight software can be easily installed in an Azure tenant with the Linksight Azure application. This Linksight marketplace item can be found in the Azure Marketplace.
Solution overview
The solution consists of a virtual machine, which is setup to run the Linksight software using Docker. Accompanying Azure resources like a network interface, a public IP address, a virtual network and a network security group are deployed as well.
Components
The Linksight software consists of two components:
- Data station: The core where the datasets are managed and protocols are run together with other data stations across organizations.
- Analysis Hub: The component (frontend and backend) where users interact with the data station and Linksight platform to run data analyses.
Prerequisites
- A user account in the Azure portal.
- An Azure tenant with a subscription where the solution will be deployed.
- A user account on the Governance Hub (https://linksight.network) with the
IT adminorOrganization adminrole.- No user account? Ask your organization administrator to invite you to the organization, or create a new organization after signing in.
Installation
-
Log into the Azure Portal.
-
Go to the Azure Marketplace.
-
Search for the Azure application
Linksight Data Station & Analysis Hub(link).
-
Click on
Create.
-
Follow the wizard to configure the marketplace item.
- Basics: Select or create a new empty resource group and select the region.
- Virtual machine: Select the VM size, operating system and configure the details for the administrator account.
- Domain name + IP:
- Pick under domain name the Analysis Hub should be accessible. The options are:
- An Azure domain name
*.<region>.cloudapp.azure.com
- Your own domain name
- An Azure domain name
- Choose whether to setup TLS of the Analysis Hub frontend with Let's Encrypt or with your own certificates.
- When choosing to use your own certificates, upload the certificate file and the certificate key file.
- The certificate file should be a PEM encoded
.crtfile. The key file should be an unencrypted PEM encoded.keyfile. Encrypted key files are not supported.
- Pick under domain name the Analysis Hub should be accessible. The options are:
- Basics: Select or create a new empty resource group and select the region.
-
Review the configuration on the last tab of the wizard, and click on
Create.
-
Wait for the deployment to finish.
-
Go to the resource group, and inspect the
Public IP addressresource. -
Depending on which domain name type was picked:
- Azure domain name: The Analysis Hub will be accessible on the domain under
DNS name. - Your own domain name: Copy the IP address, and add a
Arecord to your DNS zone for the configured domain name.
- Azure domain name: The Analysis Hub will be accessible on the domain under
-
Access the Analysis Hub on your domain name. It can take up to 5 minutes for the installation to complete and the Analysis Hub to be ready.
The Linksight software is now up and running! Follow the instructions on the page Register nodes to register the nodes.
Configure network security group
The deployed solution includes a network security group (NSG) with default rules that permit all necessary connections for standard operation. No additional configuration is required for basic functionality. For further details about network connections, refer to the Network connections documentation.
To enhance the security posture of your deployment, consider the following recommendations:
- Data station peer-to-peer communication (Ports
8443and9090):
These ports are open to the internet and secured using mutual TLS (mTLS) authentication. They facilitate peer-to-peer communication between data stations. For additional security, you may implement IP-based restrictions to allow connections only from trusted partner organizations. For more information, see Data Station Peer-to-Peer Communication. - Analysis Hub frontend access (Port
443):
Port443serves the Analysis Hub frontend. As the frontend is intended for internal use by end users, it does not need to be accessible from the public internet. Restrict access to port443by allowing only trusted internal IP ranges. - Let's Encrypt certificate issuance (Port
80):
Port80is used exclusively by Let's Encrypt to issue TLS certificates automatically. If you are not using Let's Encrypt for the Analysis Hub frontend, you can enhance security by removing the rule for port80from the NSG.
Virtual machine automatic updates
By default, the virtual machine is configured to automatically install critical and security updates on a regular maintenance schedule:
- Schedule: Every third Tuesday of the month, between 00:00 and 03:55 UTC.
Modifying the maintenance schedule
You can customize the maintenance schedule in the Azure portal:
- Navigate to your virtual machine resource in the Azure portal.
- In the left sidebar, select Operations > Updates.
- Open the Scheduling tab and choose the
maintenance-schedule. - Adjust the schedule as needed to fit your organization's requirements.
For more information, refer to the Azure documentation on VM maintenance.
Maintenance and troubleshooting
To update the configuration, or investigate issues with the software, access the secure shell of the virtual machine using SSH. Review the Azure page Connect to a Linux VM to find the preferred way to connect to the VM.
Stop the Linksight software
$ cd linksight
$ docker compose down
Start the Linksight software
$ cd linksight
$ docker compose up -d
Show logs of the containers
$ cd linksight
$ docker compose logs -f
Show all running containers
$ docker ps
Update TLS certificates
# Copy TLS files to a temporary directory on the VM, e.g.:
local$ scp new_cert.crt linksight@<vm_ip>:/tmp/tls.crt
local$ scp new_cert.key linksight@<vm_ip>:/tmp/tls.key
# SSH to the VM
local$ ssh linksight@<vm_ip>
# Change the ownership of the TLS files
$ sudo chown 65532:65532 /tmp/tls.crt
$ sudo chown 65532:65532 /tmp/tls.key
# Move the TLS files to the analysis-hub-backend data directory
# The files must be named tls.crt and tls.key in the data directory.
$ sudo mv /tmp/tls.crt /home/linksight/linksight/data/analysis/certs/tls.crt
$ sudo mv /tmp/tls.key /home/linksight/linksight/data/analysis/certs/tls.key
# Restart the nodes
$ cd ~/linksight
$ docker compose down
$ docker compose up -d
Next steps
- Register the nodes. Follow the instructions on the page
Register nodes.