Overview

Paragon allows customers the option of self-hosting Paragon on your own infrastructure. All the resources live in your AWS, Azure, or GCP, and data never leaves your cloud. We additionally offer a Managed On-Premise solution that almost 100% of our on-prem customers use at no additional cost. In this model, our enterprise team will take care of deploying, configuring, and managing your installation to offload 100% of developer time while providing the security and transparency of owning the resources and confidence that other resources in your Azure account are inaccessible.

Security

We use the principle of least privileged access to grant the Paragon installer the access it needs to create and manage resources in your account. For Azure customers, we recommend a combination of Azure Tenants, Azure Subscriptions, and RBAC (role-based access control). With this method:
  • a new tenant is created on your Azure account with resources created belonging to that tenant and separate from all other resources
  • a new subscription is created to associate all Paragon resources created within that tenant
  • a role is created to manage resources in the subscription for that tenant and provided to the installer
Using this method, extra redundancies are put in place that ensures Paragon can only interact with the intended resources while providing a means for you to transparently view all resources created, separate billing to manage the resources while being connected to a parent account, and have super user access for all resources created.

Setup

We’ll need 4 values to install Paragon.
  • Tenant Id
  • Subscription Id
  • Client Id
  • Client Secret

Directions

  1. Login to your Azure portal as an admin.
  2. Create a tenant. a. Search Azure Active Directory in the search bar, navigate to your Azure Active Directory, and click the Manage tenants tab. b. Click + Create. c. Select Azure Active Directory as the tenant type in the Basics tab. d. Click the Configuration tab. e. Enter Paragon as the Organization name. f. Enter a domain name with paragon and your organization’s name, i.e. paragongoogle. The domain must be alphanumeric. g. Click the Review + create tab. h. Click the Create button to create the tenant. i. Search Azure Active Directory in the search bar, navigate to your Azure Active Directory. j. ⭐️ Copy the text in the Overview section next to Tenant ID. This is the Tenant Id. ⭐️
  3. Create a subscription under the tenant. a. Switch to your default Azure directory. You can do this by clicking your account in the top right corner and clicking Switch directory. b. Search Subscriptions in the search bar, and navigate to your Subscriptions. c. Click +Add d. In the Basics tab, enter Paragon for the Subscription name. e. Click the Advanced tab and select the new tenant you created for the Subscription directory. f. Click the Review + create tab. g. Confirm the name of the subscription is correct in the Basics section and the correct tenant is selected in the Advanced section. h. Click Create. i. ⭐️ Copy the id of the subscription. This is the Subscription Id. ⭐️
  4. Create credentials for the Paragon installer. a. Switch to the new Paragon directory. You can do this by clicking your account in the top right corner and clicking Switch directory. b. Search Azure Active Directory in the search bar, navigate to your Azure Active Directory, and click the App registrations tab. c. Click + New registration. d. Enter Paragon Installer for the name of the application. e. Select Accounts in this organizational directory only for the access type. f. Leave the Redirect URI (optional) field empty. g. Click Create to create the application. h. ⭐️ Save the text next to Application (client) ID. This is the Client Id. ⭐️ i. Click Add a certificate or secret next to Client credentials. j. Click + New client secret to create a new secret. k. Enter Paragon Installer for the description. l. Select 24 months for Expires. m. Click Add to create the secret. n. ⭐️ Save the text under the Value column. This is the Client Secret. ⭐️
  5. Give the new Paragon Installer application access to manage the newly created subscription. a. Search Subscriptions in the search bar, and navigate to your Subscriptions. b. Click the newly created Paragon subscription. c. Click Access control (IAM) in the left sidebar. d. Click + Add and select Add role assignment. e. Search Contributor and click View on the right side. f. Click Select role at the bottom of the sidebar that opened. g. Click the Members tab and click + Select members. h. Search Paragon Installer and select the application. i. Click the Select button at the bottom of the sidebar. j. Click Review + assign to assign the role.

Next Steps

Once all of this is done, provide us with these four values, and we’ll set up your installation! If you have any questions, email [email protected] for help.