docs/datacenter/install/azure.md

title	description	keywords
Deploy Docker Enterprise Edition for Azure (Standard/Advanced)	Learn how to deploy Docker EE for Azure (Standard/Advanced) quickly, by using the Azure portal.	docker, enterprise edition, azure, docker ee, docker datacenter, install, orchestration, manage, container, deploy, provision, azure resource manager, arm template

Deploy Docker Enterprise Edition for Azure (Standard/Advanced) quickly to the Azure cloud by using the Azure portal. The deployment workflow creates multiple nodes with Docker EE, and it installs highly available versions of Universal Control Plane (UCP) and Docker Trusted Registry (DTR). For more info, see Docker Enterprise Edition.

Note: You may see references to the earlier brand name, "Docker Datacenter" and "DDC". These names are equivalent with Docker Enterprise Edition for Azure.

Prerequisites for deploying Docker EE for Azure

• A Docker Enterprise Edition license. You can get a 30-day free trial subscription from the Docker Store. For questions on licenses, contact sales@docker.com.
• An Azure account with sufficient privileges for creating resource groups, like the Visual Studio Ultimate with MSDN subscription.
• Service Principal access credentials, which you can generate by following the steps in Docker for Azure Setup and Prerequisites.
• An SSH public/private key pair, which you can generate by following the steps in How to create and use an SSH public and private key pair for Linux VMs in Azure]. Save the public and private keys in a convenient location, like in the same directory as the Docker license, and be sure to remember the password for the key pair.

Provision the Docker EE cluster on Azure

1. In a web browser, go to the Azure portal.

2. Click +New. The Marketplace blade opens.

3. In the search box, type "Docker EE", and press Enter.

4. In the search results, click Docker EE for Azure (Standard/Advanced). The product description blade opens.

5. At the bottom of the blade, click Create. The Create Docker EE for Azure blade opens.

6. In the Basics pane, fill in the required fields.

   • Copy the Service Principal values from the shell that you used to run create-sp-azure.
   • Copy the SSH public key value from the key file that you saved when you ran ssh-keygen or similar tool.
   • For this example, the Swarm Name is "ddcevalswarm" and the Resource group name is "ddcevalrg", but you're free to choose your own values.

   When you're done, the form will be similar to this:

   

7. Click OK. The Docker EE Settings blade opens.

8. In the Settings blade, fill in the required fields. When you're done, the form will be similar to this:

   

   The DDC Username and DDC Password fields are for logging in to the UCP and DTR user interfaces. They're not used for SSH access.

   Be sure to select the size of the virtual machines for the manager nodes and worker nodes. For example, click Worker VM Size to open the Choose a Size blade, and click View all to browse all of the compute offerings. Azure has a wide range of computing power options, and the pricing calculator estimates the monthly cost for each option.

   

   Note: It's possible to select more compute than your Azure subscription permits. If you exceed your limit, the Summary blade in the next step will notify you, and you can return to the Settings blade to select different VM sizes, or you can add more capacity to your subscription. For more info, see Resource Manager core quota increase requests.

9. Click OK. The Summary blade opens, and Azure validates the settings that you've entered. If some of your settings don't pass validation, you can go back to earlier steps and fix them.

   Tip: At the bottom of the blade, click Download template and parameters to save the generated Azure Resource Manager (ARM) template to your local machine. For more info, see Create your first Azure Resource Manager template.

10. Click OK. The Purchase blade opens and displays the terms of use. If you agree, click Purchase. The Azure Dashboard opens, and a tile shows Deploying Docker EE for Azure. When your resources are deployed, after a few minutes, a blade opens for the deployed resource group.

    

What's in the new resource group?

Everything you need to run Docker EE is deployed, and the resource group collects it all in one place. The ARM template defines the architecture as shown in the following diagram.

Here are some of the resources that are included in the resource group.

• Public IP addresses: You connect to UCP and DTR by pointing your browser at the corresponding load balancers. Also, you can SSH to manager nodes.

  

• Node scale sets: Virtual machine scale sets for the manager and worker nodes. For more info, see What are virtual machine scale sets in Azure?

• Virtual network: Click the virtual network resource, which has a name similar to ddcevalswarm-vnet, to examine its architecture. In the left pane, click Diagram to see the network diagram.

• Storage: The Docker EE deployment sets up Azure storage for your images. The storage account has a name similar to f4ybe46tzepm4dtr. The DTR user interface enables viewing details, on the Settings > Storage page.

View the UCP and DTR interfaces

Manage Docker EE by connecting your web browser to the UCP and the DTR load balancers.

1. In the left pane of the resource group blade, click Deployments. The Deployments blade opens, showing your Docker EE for Azure deployment. Click the deployment with a name similar to docker.dockerdatacenterdocker-datacenter-20170413151533 to open the Deployment Details blade.

   

2. In the Output section, copy the URL in UCPLOGINURL and paste it into a web browser. The UCP login page opens. To login, use the DDC username and password you entered in the Settings blade.

3. Copy the URL in DTRLOGINURL and paste it into a new tab in the web browser. The DTR interface page opens.

Connect to a manager node with SSH

In addition to managing Docker EE with the user interface, you can connect to a manager node by using SSH. You need the private key that corresponds with the public key that you provided when you created the Docker EE deployment. When you ssh to a manager node, login with the username "docker", not the username you entered in the Settings blade, which is for UI.

$ ssh docker@ucplb-feykn7mj53x5q.westus.cloudapp.azure.com -p 50000 -i private-key.rsa
Enter passphrase for key 'private-key.rsa':
Welcome to Docker!
swarm-manager000000:~$

Note: In Azure, the first Docker EE manager node maps the default SSH port 22 to port 50000. Subsequent manager nodes map to port 50001, 50002, and so on.

In the manager node, you can run docker commands, like pulling an image and starting a containerized application.

Set up the DTR certificate authority

To pull and push images to Docker Trusted Registry from a local machine, you need to establish trust between the local Docker daemon and DTR on Azure. Establish a trust relationship by registering the DTR certificate on the local machine. Follow the steps in Configure your Docker Engine.

Get the certificate from https://<dtr-url>/ca, which is available through the URL of the DTR load balancer. The certificate's URL looks like https://dtrlb-feykn7mj53x5q.westus.cloudapp.azure.com/ca.

Note: Be sure to restart the Docker daemon on the local machine after you've installed the certificate, or you'll get X.509 errors when you try docker login.

Create an image repository in DTR for Azure

When the certificate authority on your local machine is set up, you can push an image into the registry on Azure. Images live in a repository, so you need to create a repository in DTR to register images.

1. In a web browser, navigate to the DTR Repositories page, which has a URL similar to https://dtrlb-feykn7mj53x5q.westus.cloudapp.azure.com/repositories.
2. Click New repository and enter a repository name.
3. Click Scan on push to enable security scanning on pushed images.
4. Click Save to create the repository.

Push an image to DTR for Azure

The DTR repository is ready to receive images, and you can push images to it, in the same way that you push images to Docker Store.

1. On the local machine, login to the DTR repository by using a docker login command similar to this:

   $ docker login dtrlb-feykn7mj53x5q.westus.cloudapp.azure.com
   

   When you're prompted for the username and password, you can use the values that you entered in the Settings blade, or you can create new users in the DTR user interface, and sign in with those credentials.

2. Pull an image, like golang:1.7.

   $ docker pull golang:1.7
   

3. Tag the image for the remote repository. The command is similar to this:

   $ docker tag golang:1.7 dtrlb-feykn7mj53x5q.westus.cloudapp.azure.com/ddcadmin/azuretest:golang1.7
   

4. Push the tag to the remote repository.

   $ docker push dtrlb-feykn7mj53x5q.westus.cloudapp.azure.com/ddcadmin/azuretest:golang1.7
   

5. In the DTR user interface, navigate to the Repositories page and click on your repository. The Details page opens.

6. Click Images. Your image appears in the list, and if you selected Scan on push when you created the repository, the scan is in progress.

Docker EE component versions

Docker Enterprise Edition for Azure is based on the following stack:

• Linux kernel 4.9.11-moby
• Docker UCP 2.1.1
• Docker Trusted Registry 2.2.3
• Docker Engine 17.03.0-ee-1

Next steps

For more info on deploying Docker Enterprise Edition for Azure, see:

• Docker Enterprise Edition Trial at Docker Store
• Docker EE for Azure (Standard/Advanced) in Azure Marketplace
• Deploying Docker EE on Azure and solving common issues
• Video: Hands-On - Provisioning Docker Enterprise Edition on Azure