BYOA - Azure

1. Create an Azure Service Principal

1. Go to your Azure portal.
2. Search Microsoft Entra ID in the search bar.
3. Click the Add button and select APP Registration.
4. Fill the name field with lepton-sa and click Register.

2. Create New Credentials

After the registration, you will be redirected to the application page. Click on Add a certificate or secret and create a new client secret in the creation page.

After creating the secret, you need to copy and save the secret value, as it will not be shown again.

3. Setup Access Control(IAM)

For the service principal to access your Azure resources, you need to assign the service principal to a role.

For now, Lepton only needs these roles:

• Network Contributor
• Virtual Machine Contributor
• Quota Request Operator

1. Navigate to the Subscriptions page.
2. Select the subscription you want to use or create a new one.
3. Click on the Access Control (IAM) tab.
4. Click on the Add button and select Add role assignment.
5. Search and select all the above roles and click Save.
6. Click on the Members and search for lepton-sa.
7. Click Review + assign to assign the role to lepton-sa.

4. Create Resource Group

1. Click on the Resource groups tab in the subscription page.
2. Click on the Create button and fill in the Resource group field with lepton-rg, select your target region.
3. Click Review + create to create the resource group.

5. Create Network Security Group and Virtual Network

1. Click on the resource group lepton-rg that you just created to enter the resource group page.
2. Click on the Create button and search for Network Security Group.
3. Click on the Create button, fill in the Name field with lepton-nsg and select the target region.
4. Click Review + create to create the network security group.
5. After the deployment is complete, navigate to the Network Security Group page to create inbound and outbound security rules.
   • For inbound security rules, Lepton requires port 22 as an SSH port.
   • Optionally, you need to open ports from 40000 to 65535 if you want to use Lepton's dev pods feature.
   • For outbound security rules, Lepton requires all ports to be open.
     
6. Head back to the resource group page and click on the Create button to search for virtual network.
   
7. Fill in the Name field with lepton-vn and select the target region.
   
8. Switch to IP addresses tab to modify the default subnet to 192.168.0.0/20 like the following image.
   
9. Click on the Review and create to create the virtual network.
10. After the deployment is complete, navigate to the virtual network page, open subnets page under the settings tab, and click on the default subnet.
11. Find the Security section in the subnet edit form, click on the Network security group to select the lepton-nsg that you just created. And then click Save.
    

6. Add Azure Account to Your Workspace

Now we've setup everything in Azure, let's add the Azure account to your Lepton workspace.

Head over to node group page in your workspace.

Click on Manage Provider, and then click on Add Provider to select Azure.

As you can see, we need to fill in the following fields:

• Subscription ID: You can find it in the subscription page.
• Resource Group: The resource group name, lepton-rg in this case.
• Application ID: You can find it in the application page.
• Tenant ID: You can find it in the application page, also known as Directory ID.
• Secret: The secret value you saved before.

After filling in all the fields, click Submit to add the Azure account to your workspace. You can see the provider status in the provider list page.

It might take a few minutes to verify the provider status. After the status changes to Ready, you can start using the Azure account in your workspace.

For how to create node groups with the Azure account, please refer to the node group documentation.