License Server Access from anDREa

Introduction

This section details the network design that enables outbound access to license servers from VMs running in the anDREa research environment.  
We will assist in setting up license server access, but will not provide licenses or mediate in licensing.

Problem Statement 

Research projects often use licensed software. The most common licensing approach is a centrally distributed and validated volume licensing service, e.g. IBM SPSS. This service is often hosted on-premises and/or at a shared location outside the place of use, in this case the anDREa environment. This calls for direct connectivity between the VMs running licensed software and the license servers, as illustrated below.

With each tenant running anywhere between 20 and 1000+ VMs, this means allowing inbound connections from a huge set of public IPs. This is not an acceptable solution to any firewall administrator.

This problem is exacerbated with multiple tenants running multiple different license servers with varying licensing agreements with their vendors.  

Proposed Solution 

The proposed solution is a combination of a SNAT endpoint using Azure Firewall and dedicated routes, defined per tenant for their subscription, to isolate the traffic going to their own license server endpoints. This is illustrated in the diagram below.
This approach requires only one public IP address to be allowed at each tenant's firewall and simplifies network setup on the consumer side. On the anDREa side it is a little tricky to configure, but it will be automated, thereby reducing the complexity overhead.

If a different solution is preferred or required, this can be submitted as a non-standard change. Please understand that we might reject the non-standard change if it compromises security or impacts scaling and maintenance efforts or user experience.


When not all Workspaces are allowed to access the license servers, e.g. in the case of commercially funded studies:
  1. Create a new Microsoft Azure subscription and associate it with the anDREa AAD.
  2. Do not request access to the license servers for that subscription. This ensures:
    1. Even when a user is personally allowed to use the application via the Tenant License server, the application cannot connect to the license server.
  3. In myDRE everything runs in the context of a Workspace and the role a person has in that Workspace.



What is required from the Tenant 

  1. The tenant is expected to provide the list of license server IP address(es) that the workloads running on their VMs will connect to. These IP addresses will be added to the Route Tables of each of the Tenant's VNETs that host the VMs.
  2. The tenant is expected to allow inbound connections from the anDREa IP that would be provided during Tenant onboarding on the ports/ranges that the license clients and servers are expected to communicate over. 
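
The two tenant inputs above feed the per-tenant routes and firewall rule described under Proposed Solution. The following added example (not anDREa's own automation) validates a tenant-supplied server list and builds both. The function names, the firewall private IP 10.0.0.4, the VNET prefix, port 27000, TCP and the IPv4-only restriction are assumptions; the dictionary keys follow Azure's route and classic firewall network rule properties.

```python
import ipaddress

# Assumption: ranges that cannot be a license server reached over the internet.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]

def validate_servers(server_ips):
    """Return de-duplicated single-host IPv4 addresses; raise ValueError otherwise."""
    hosts = []
    for raw in server_ips:
        addr = ipaddress.IPv4Address(raw.strip())  # rejects prefixes, names, garbage
        if any(addr in net for net in NON_PUBLIC):
            raise ValueError(f"{addr} is not a public address")
        if addr not in hosts:
            hosts.append(addr)
    if not hosts:
        raise ValueError("no license server addresses supplied")
    return hosts

def build_tenant_config(tenant, server_ips, vnet_prefixes, ports, firewall_ip):
    """Build one tenant's routes and the matching firewall allow rule."""
    hosts = validate_servers(server_ips)
    sources = [str(ipaddress.ip_network(p)) for p in vnet_prefixes]
    if not ports or any(not 1 <= int(p) <= 65535 for p in ports):
        raise ValueError("ports must be in 1-65535")
    routes = [{
        "name": f"{tenant}-lic-{str(h).replace('.', '-')}",
        "addressPrefix": f"{h}/32",           # one host per route, never a range
        "nextHopType": "VirtualAppliance",    # send via the firewall so it is SNATed
        "nextHopIpAddress": firewall_ip,
    } for h in hosts]
    rule = {
        "name": f"{tenant}-license-servers",
        "sourceAddresses": sources,           # only this tenant's VNETs
        "destinationAddresses": [str(h) for h in hosts],
        "destinationPorts": [str(p) for p in ports],
        "protocols": ["TCP"],                 # assumption: TCP license traffic
    }
    return {"routes": routes, "firewallRule": rule}

if __name__ == "__main__":
    import json
    # Constructed sample input: documentation addresses, hypothetical tenant name.
    print(json.dumps(build_tenant_config(
        "tenant-a", ["203.0.113.10", "203.0.113.10", "198.51.100.7"],
        ["10.20.0.0/16"], [27000], "10.0.0.4"), indent=2))
```

Because every route is a /32 and the rule's sources are limited to one tenant's VNET prefixes, a typo or an over-broad range in the tenant's list fails validation instead of steering unrelated traffic through the shared SNAT address.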

Activity after license server onboarding:

After implementing the above, please update the information in:
  1. (Core) Support Team: log in as an agent at support.mydre.org
  2. Go to: Help Center > {tenant} > Specifics > Specific Configurations
  3. Update the article: {tenant} - License Servers
