Setup Options
You can set up Azure for Porter in two ways:
- Option 1: Automated Setup Script (Recommended) - One-click setup using our script
- Option 2: Manual Setup - Step-by-step manual configuration
Option 1: Automated Setup Script (Recommended)
Download and run our automated setup script that handles all the configuration steps for you:
- Azure CLI installed and authenticated (az login)
- jq command-line JSON processor installed
- Admin permissions on your Azure subscription (for granting API permissions)
- ✅ Enable all required Azure resource providers
- ✅ Create the custom porter-aks-restricted role
- ✅ Create the service principal with proper permissions
- ✅ Add Microsoft Graph API permissions
- ✅ Grant admin consent (if you have permissions)
- ✅ Display the credentials needed for Porter
- Copy the displayed credentials to the Porter dashboard when creating your project
- Request quota increases if needed (see Compute Quotas section below)
- Proceed with cluster provisioning in Porter
If the script fails to grant admin consent automatically, you can grant it manually in the Azure Portal: App registrations > azure-porter-restricted-sp > API permissions > Grant admin consent for Default Directory.
If you prefer to set up manually or want to understand each step, continue with Option 2 below.
Option 2: Manual Setup
Prerequisites
To provision through Porter, you must enable certain Azure resource providers for your subscription.
- In the Azure portal, search for Subscriptions, select the subscription you would like to use to provision, and click the Resource providers tab in the subscription console.
- Enable the following providers by selecting the providers and clicking Register:
- Microsoft.Capacity
- Microsoft.Compute
- Microsoft.ContainerRegistry
- Microsoft.ContainerService
- Microsoft.ManagedIdentity
- Microsoft.Network
- Microsoft.OperationalInsights
- Microsoft.OperationsManagement
- Microsoft.ResourceGraph
- Microsoft.Resources
- Microsoft.Storage
Creating the Service Principal
- Create a new role with the Azure CLI
The following commands can be run in the Azure Cloud Shell (selecting the Bash option) or in your local terminal after installing the Azure CLI and authenticating with az login. Set the PORTER_AZURE_SUBSCRIPTION_ID environment variable to your subscription id:
- Create a new service principal through the Azure CLI that uses the role you just created:
- Grant API permissions to your service principal
- Application.ReadWrite.All
- Directory.ReadWrite.All
- Domain.Read.All
- Group.Create
- Group.ReadWrite.All
- RoleManagement.ReadWrite.Directory
- User.ReadWrite.All
Compute Quotas
By default, Azure limits the types of resources you can provision in your subscription. To provision a Porter cluster, you will need to request a quota increase for the compute resources you plan to use. In your Azure portal, navigate to your subscription and select Usage + quotas. Set the resource filter to Compute and region to your desired region.
Resource Family | Recommended Quota |
---|---|
Total Regional vCPUs | 40 |
Standard Basv2 Family vCPUs | 40 |
Provisioning Your Porter Cluster
Once you create your project and select Azure as your cloud provider, you will be prompted to provide the credentials for the service principal you created earlier.
Rotating Service Principal Credentials
Azure mandates that client secrets for Service Principals (the password field displayed when you create a Service Principal) expire every 365 days. When a client secret expires, Porter loses the ability to manage your infrastructure or push new deployments. Note that in the event of a client secret's expiration, your cluster continues to function normally, and existing workloads are not affected.
To refresh your client secret:
- Visit https://aka.ms/NewClientSecret and select the app ID for the service principal that was used to create your cluster (to check what your app ID is, you can navigate to Integrations on the Porter dashboard and select Azure).
- Generate a fresh client secret, and copy the new value.
- Navigate to Integrations on the Porter dashboard and select Azure.
- Update the value of the Password field with the new value you generated on Azure, and hit Update.
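To catch an expiring client secret before Porter loses access, the following added example (not part of Porter's documentation or tooling) reads the JSON printed by az ad app credential list --id <APP_ID> and flags secrets that have expired or will expire soon. The sample data, the 30-day warning threshold and the function names are assumptions made for illustration.

```python
import json
import re
import sys
from datetime import datetime, timezone

# Constructed sample in the shape printed by `az ad app credential list --id <APP_ID>`.
# The keyId values and dates are made up for illustration.
SAMPLE = json.dumps([
    {"keyId": "00000000-0000-0000-0000-000000000001", "displayName": "initial",
     "startDateTime": "2023-03-01T10:00:00Z", "endDateTime": "2024-02-29T10:00:00Z"},
    {"keyId": "00000000-0000-0000-0000-000000000002", "displayName": "rotated",
     "startDateTime": "2024-02-20T09:30:00Z", "endDateTime": "2025-02-19T09:30:00Z"},
])


def parse_ts(value):
    """Parse an ISO 8601 timestamp, dropping fractional seconds; no zone means UTC."""
    ts = datetime.fromisoformat(re.sub(r"\.\d+", "", value).replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def check_secrets(credentials_json, now, warn_days=30):
    """Return [(keyId, state, whole_days_left)], soonest expiry first.

    warn_days is an assumed threshold, not a value from Porter or Azure.
    """
    rows = []
    for cred in json.loads(credentials_json):
        remaining = parse_ts(cred["endDateTime"]) - now
        if remaining.total_seconds() <= 0:
            state = "expired"
        elif remaining.days < warn_days:
            state = "expiring"
        else:
            state = "ok"
        rows.append((cred["keyId"], state, remaining.days))
    return sorted(rows, key=lambda row: row[2])


if __name__ == "__main__":
    # Pipe the CLI's JSON in on stdin; with a terminal on stdin the sample is used.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    rows = check_secrets(data, datetime.now(timezone.utc))
    for key_id, state, days in rows:
        print(f"{state:9} {days:6d}d  {key_id}")
    # Non-zero exit when no secret exists or any secret needs attention.
    sys.exit(1 if not rows or any(state != "ok" for _, state, _ in rows) else 0)
```

The listing cannot tell which secret is the one stored in Porter, so treat any expiring or expired entry as a prompt to confirm the Password field in Porter holds a secret with time left.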
Deleting Provisioned Resources
Deleting resources on Azure via Porter may result in dangling resources. After clicking delete, please make sure to check your Azure portal to see if all resources have properly been removed. You can remove any dangling resources via either the Azure console or the Azure CLI.
You should see a resource group named <PROJECT_ID>-<AZURE_REGION> containing an Azure container registry with your application build images. By default, Porter will not delete your build images, so you will need to delete this resource group manually.
No other resource groups should be present. If any are, you should delete them manually by clicking on the resource group and selecting Delete resource group.