
Launch Opaque from Azure Marketplace

This guide walks you through deploying Opaque using a private Azure Marketplace offering. You’ll configure your environment, complete a Marketplace form, and verify that everything deployed correctly. This process ensures your data and compute remain in your control while Opaque manages the control plane.

Overview

Opaque’s Azure Marketplace offering lets you deploy a managed application using a hybrid architecture: Opaque hosts and maintains the control plane, while your team retains full control over the client and data plane components.

This deployment requires a private plan tied to your subscription, along with pre-provided credentials and configuration values for automation and secure integration.

As part of your setup, you’ll choose how to manage your DNS and certificates:

  • Fully automated DNS and certificates: DNS records are configured through your Cloudflare account, and TLS certificates are provisioned using ZeroSSL. This is the fastest option and requires the least manual setup.
  • Manual DNS and certificates: You manage DNS and certificates manually. Upload your own certificate and private key and point your domains to the deployment’s public IP. Recommended for teams with strict compliance requirements or existing certificate workflows.

Before you begin

Make sure you have all of the following information before launching your Azure-based Opaque deployment:

  • Administrative requirements
    • A signed licensing agreement with Opaque.
    • A customer identifier (provided by Opaque).
  • Azure environment setup (for creating a private Marketplace offer tailored to your environment)
    • Service Principal ID and secret (provided by Opaque): Enables the Managed Application to fetch customer-specific configuration from an Azure Key Vault.
    • User-assigned managed identity configuration (created by you): Required for deployment. This identity must have both contributor and user access admin roles in the subscription where Opaque will be deployed. For setup guidance, see Manage user-assigned managed identities.
  • Deployment parameters (defined by you and used during launch)

    • Terraform VM password: The admin password for the virtual machine that runs deployment automation.
    • Opaque REST API domain (e.g., api.yourdomain.com).
    • Opaque frontend domain (e.g., app.yourdomain.com).

    These domains will host the UI and back-end services.

  • Third-party credentials (required for automating DNS and certificate provisioning): depending on how you choose to manage DNS and certificates, you'll need:

    • Cloudflare API token: Used to automate DNS record creation. Required only if you choose to automate DNS management.
    • ZeroSSL credentials: Includes an HMAC key, key ID, and email for automated TLS certificate provisioning. Required only if you choose to automate certificate management.
    • TLS certificate and private key files: Required only if you choose to manage TLS manually.
  • Azure subscription requirements

    • Compute Quota for at least:

      • 20 vCPUs in the Standard_E2_v5 family
      • 20 vCPUs in the Standard DCASv5 family

      Need more vCPUs in either VM family?

      Request a quota increase in the Azure portal.

    • Resource providers registered:

      • Microsoft.Storage
      • Microsoft.Compute

      See Register resource providers for details.

Step 1. Deploy Opaque

This step guides you through launching Opaque’s private Marketplace application and configuring key infrastructure, DNS, and certificate settings.

To complete the following steps, the user must have contributor and user access admin roles on the target Azure subscription.

  1. Open the private Azure Marketplace listing URL provided by Opaque.
  2. On the Basics tab, fill in the form inputs using the values from your “Before you begin” checklist, including customer identifier, service principal ID and secret, managed identity, and Terraform VM password.

    Figure: The Basics tab of the Azure Marketplace listing, where you provide the credentials that enable secure access to your Azure Key Vault during deployment.

    These values enable the deployment process to authenticate securely and retrieve configuration values from your Azure Key Vault.

  3. On the Application Configuration tab, specify the domain names you want to use for your Opaque deployment. These include:

    • A domain for your REST API (e.g., api.customer.com)
    • A domain for the Opaque frontend (e.g., app.customer.com).

    These domains must be owned by your organization and will serve as the access points for users and services. Whether you’re using automated or manual DNS, these values define the endpoints for your deployment.

    Note

    Be sure to share the REST API domain with your Opaque organization admin. This domain is required to run services and workflows.

    Figure: The Application Configuration tab of the Azure Marketplace listing, where you specify the domain names for your Opaque deployment.

    You can also choose to enable OpenTelemetry (OTLP) by selecting the checkbox under Optional features. This allows Opaque to export metrics to an OTLP-compatible collector.

    Important

    If you plan to use telemetry, you must enable OTLP during deployment—this cannot be turned on later without redeploying. The destination endpoint can be configured afterward.

    Requirements for your OTLP receiver:

    • Must support receiving metrics via a gRPC stream.
    • Must present a valid TLS certificate signed by a trusted certificate authority.
    • Must use Bearer token authentication.

    We may support HTTP-based export in a future release, but gRPC is currently required for efficiency.

  4. On the Infrastructure Configuration tab, customize how your environment handles network exposure and workload integrity. You can choose to:

    • Enable private cluster AKS, which restricts Kubernetes API server access to your private network.
    • Enable public load balancer for Traefik, which exposes the frontend and API endpoints through a public IP address.
    • Use workload-attested data plane, which enforces runtime attestation to ensure only verified workloads can access sensitive data.

    Figure: The Infrastructure Configuration tab of the Azure Marketplace listing.

    These options let you tailor how the Opaque control plane integrates with your security, networking, and runtime environments.

  5. On the Security & Certificates tab, choose how you want to manage DNS records and TLS certificates for your domains. You can automate DNS and certificate management using Cloudflare and ZeroSSL or manage everything manually.

    To automate certificate management, provide your Cloudflare and ZeroSSL credentials to automatically create DNS records and generate TLS certificates during deployment.

    Figure: The Security & Certificates tab of the Azure Marketplace listing, with Cloudflare and ZeroSSL credentials provided to automate certificate management.

    To manage both DNS and certificates yourself, select Use custom TLS certificate and upload your certificate and private key during deployment. Then update your DNS to point to the deployment’s public IP. You'll be asked to upload two files:

    • TLS certificate file (e.g., "codeops.crt")
    • TLS private key file (e.g., "codeops.key")

    Certificate requirement

    Your TLS certificate must:

    • Cover both the frontend and API domains using a wildcard certificate (e.g., *.example.com) to secure both subdomains with a single certificate.
    • Include the full certificate chain, with the server certificate followed by all required intermediate certificates, to ensure client trust validation.

    Figure: The Security & Certificates tab of the Azure Marketplace listing, with a custom certificate and private key uploaded for manual DNS and TLS management.

    Info

    Certificates are securely applied to Opaque-managed endpoints. You retain full control of domain and certificate management. Uploaded certificates are validated for correct format, key match, and resolvable domain fields before deployment continues.
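    The checks below mirror the three requirements above (key match, domain coverage, chain order) so you can run them before uploading. This is an added example, not Opaque's own validator; it assumes openssl is installed, that the bundle is a PEM file with the server certificate first, and that the key is a PEM file.

```shell
#!/bin/sh
# Pre-upload checks for the "Use custom TLS certificate" option. Added example,
# not Opaque's validator; assumes openssl and PEM inputs (leaf first in bundle).

# Does one DNS entry from the SAN list cover a host? "*.example.com" covers
# exactly one extra label: api.example.com yes, example.com no.
san_covers() {
  case $1 in
    \*.*) [ "${2#*.}" = "${1#\*.}" ] && [ "${2%%.*}" != "$2" ] ;;
    *)    [ "$1" = "$2" ] ;;
  esac
}

# DNS SANs of the first certificate in the bundle, one per line.
leaf_sans() {
  openssl x509 -in "$1" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n 1 |
    tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# covers_domains BUNDLE DOMAIN...: fail unless the leaf covers every domain
# (e.g. the api.customer.com and app.customer.com entered on the form).
covers_domains() {
  bundle=$1; shift
  sans=$(leaf_sans "$bundle"); rc=0
  set -f                      # a SAN such as "*.example.com" must not glob
  for host; do
    ok=1
    for san in $sans; do san_covers "$san" "$host" && ok=0; done
    [ "$ok" -eq 0 ] || { echo "leaf does not cover $host" >&2; rc=1; }
  done
  set +f
  return $rc
}

# The public key inside the leaf must equal the one derived from the key file.
key_matches() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# "Server certificate followed by its intermediates": each certificate's
# issuer must be the subject of the next one, checked pairwise.
chain_ordered() {
  dir=$(mktemp -d); n=$(grep -c 'BEGIN CERT' "$1" || :); i=1
  awk -v d="$dir" '/BEGIN CERT/{n++} {print > (d "/" n ".pem")}' "$1"
  while [ "$i" -lt "$n" ]; do
    iss=$(openssl x509 -in "$dir/$i.pem" -noout -issuer | sed 's/^issuer=//')
    sub=$(openssl x509 -in "$dir/$((i+1)).pem" -noout -subject | sed 's/^subject=//')
    [ "$iss" = "$sub" ] || { echo "cert $i is not followed by its issuer" >&2; rm -rf "$dir"; return 1; }
    i=$((i+1))
  done
  rm -rf "$dir"
}
```

    Run `covers_domains bundle.pem api.customer.com app.customer.com && key_matches bundle.pem key.pem && chain_ordered bundle.pem` against the files you intend to upload; a non-zero exit and a message on stderr identify which requirement failed.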

  6. On the Review & Submit tab, verify your entries, then click Create.

    After submission, you’ll be redirected to the Deployment page. Look for the message “Deployment is in progress” on the Managed Application page. Provisioning typically completes within one hour.

Step 2. Verify your deployment

Once you submit the deployment form, Azure begins provisioning your Opaque environment. The steps for verifying deployment differ slightly depending on how you configured certificates.

You can track the progress and verify completion in the Azure portal.

  1. Search for your application name (defined during setup), or go to Managed Applications.

    • If the deployment failed, copy the error message from the portal and send it to [email protected].
    • If deployment succeeded, you'll see “Your deployment is complete.”

    Figure: The “Your deployment is complete” page in the Azure portal.

  2. Click Go to resource to access the Managed Application page, and click the managed resource group link in the upper-right corner of the page.

    Figure: The Managed Application page, with the managed resource group link in the upper-right corner.

  3. Then, on the Resources tab, confirm that the following resources were created (you may need to scroll to view all items):

    • Two AKS clusters
    • Two storage accounts

    This confirms that your environment was provisioned successfully.

    Figure: The deployed resources, showing the two AKS clusters and two storage accounts that confirm a successful provisioning.

Follow these steps after confirming that deployment succeeded:

  1. In the Azure portal, go to the managed resource group associated with your deployment.
  2. On the Resources tab, click the Kubernetes service (e.g., aks-client-xxxx) for your deployment.
  3. In the left-hand navigation, scroll down to Kubernetes resources and select Services and Ingress.
  4. In the table, locate the row for the traefik service. Copy the value in the External IP column.

    Info

    • If you enabled public ingress, look for a resource named *-public-ip (e.g., traefik-public-ip).
    • If you selected private ingress, look for *-private-ip instead (e.g., traefik-private-ip).

    Figure: The traefik row on the Services and Ingress page, with the IP address to copy.

  5. Use this IP to configure the A records for your frontend and API domains in your DNS provider (e.g., api.customer.com and app.customer.com).

    For example:

    api.customer.domain.com    A    <Load_Balancer_IP>
    app.customer.domain.com    A    <Load_Balancer_IP>
    
  6. Wait for the DNS changes to propagate, based on your TTL settings.

Note

If you're planning a staged rollout or expect to make changes, consider lowering your DNS TTL values so updates propagate quickly.

If your organization uses split-horizon DNS, where internal and external DNS resolve the same domain differently, make sure internal DNS takes precedence for internal clients.

Step 3. Post-deployment tasks

After a successful deployment, you’ll need to confirm that your Opaque environment is accessible and securely send key deployment details to Opaque. These final steps ensure secure communication between your data plane, client plane, and the Opaque-hosted control plane.

Access the Opaque frontend

Start by verifying that the Opaque frontend is reachable.

Visit the frontend domain (app.yourdomain.com) you specified on the Application Configuration tab during deployment. You should see the Opaque sign-in page.

Figure: The Opaque sign-in page.

Gather deployment details

Next, gather the following values from your Azure environment. These details are required to establish secure communication between your client and data planes and the Opaque-hosted control plane, configure access to your storage and identity resources, and complete final readiness and integration checks.

  • Redis hostname: In the managed resource group, find the Azure Cache for Redis instance and copy its hostname.
  • Redis password: In the Redis instance, go to Settings > Authentication and retrieve the primary key. Send it as a GPG-encrypted secret (see "Encrypt the Redis password" below for guidance).
  • Storage account name: In the managed resource group, locate the storage account with the prodwestus suffix.
  • Storage account managed identity client ID: In the same resource group, find the managed identity without a client or dataplane suffix.
  • Frontend domain: The domain you specified in the deployment form (e.g., app.domain.com).

Submit deployment details via Yopass

To securely transmit this information to Opaque, use Yopass to create a one-time encrypted message.

Info

Yopass is an open-source, secure web-based secret sharing tool that uses browser-side encryption, so Yopass never sees your data nor is it ever transmitted or stored unencrypted on their servers.

Follow these steps:

  1. Go to https://yopass.se and paste your deployment details into the Secret message box using the following format. Replace each placeholder with your actual values:

    Customer name: <your name, company>
    Redis hostname: <your-redis-hostname>
    Redis password: <your-redis-password>
    Storage account name: <your-storage-account-name>
    Storage account managed identity client ID: <your-managed-identity-client-id>
    Frontend domain: <your-frontend-domain>
    
  2. Select One week as the expiration time to ensure the message remains available in case of delay.

  3. Leave both checkboxes enabled:
    • One-time download
    • Generate decryption key
  4. Click Encrypt message.
  5. On the confirmation screen, copy the One-click link (recommended). This link includes the decryption key and allows us to retrieve the secret in a single access.
  6. Email the link to your Opaque onboarding contact. Use the subject line:

    Opaque Azure Deployment – Deployment Details

    Feel free to include a short message such as:

    Hi Opaque team,
    Here is the secure link with our Azure deployment details.
    
    <paste Yopass link>
    
    <Your name>
    <Your company>
    

Deployment issues?

If you encounter any issues during deployment, reach out to your Opaque onboarding contact or email [email protected].