Azure TRE Resource Breakdown
The Azure services deployed within an Azure TRE are described below.
Once an Azure TRE has been provisioned in an Azure Subscription, you will have two Resource Groups:
- Azure TRE Management Resource Group - Pre-requisiste for deploying an Azure TRE instance
- Azure TRE Resource Group - Core Azure TRE instance
Azure TRE Management Resource Group
Name | Azure Service | Description | Additional links |
---|---|---|---|
{MGMT_STORAGE_ACCOUNT_NAME} | Storage Account | Azure TRE Terraform and Porter state | Storage Blobs |
{ACR_NAME} | Container Registry | Azure TRE container images (Porter bundles) | Container Registry |
Azure TRE Resource Group
Name | Azure Service | Description | Additional links |
---|---|---|---|
api-{TRE_ID} | App Service | Azure TRE Python api responsible for all operations on Workspaces and managing Workspace Templates built using the FastAPI framework | FastAPI |
gitea-{TRE_ID} | App Service | Azure TRE Source Mirror - allows mirroring git repositories | Gitea |
nexus-{TRE_ID} | App Service | Azure TRE Package Mirror - allows mirroring packages | Sonatype Nexus |
plan-{TRE_ID} | App Service Plan | Compute resources in which the TRE app services run | App Hosting plans |
agw-{TRE_ID} | Azure Application Gateway | Azure TRE App Gateway provides single public IP address with SSL for accessing core TRE resources | Azure Application Gateway |
appi-{TRE_ID} | Application Insights | Telemetry for all API invocations | Application Insights |
cosmos-{TRE_ID} | Azure Cosmos DB Account | NoSQL state store of TRE resources, templates and operations | Cosmos DB |
mysql-{TRE_ID} | Azure Database for MySQL server | SQL state store for Gitea | Gitea Database |
ampls-{TRE_ID} | Azure Monitor Private Link Scope | Provides secure link between PaaS resources and the TRE vnet using private endpoints | Azure Monitor Private Link Scope |
bas-{TRE_ID} | Azure Bastion | Provides secure access for RDP/SSH to TRE VM (jumpbox) | Azure Bastion |
vm-dsk-{TRE_ID} | Disk | Managed storage disk for TRE VM (jumpbox) | Managed Disks |
fw-dsk-{TRE_ID} | Azure Firewall | Azure TRE Firewall restricts external outbound traffic from all TRE resources | Azure Firewall |
kv-{TRE_ID} | Azure Key Vault | Management of TRE secrets & certificates | Azure Key Vault |
log-{TRE_ID} | Log Analytics Workspace | Azure Monitor Logs store for all TRE resources | Log Analytics |
id-agw-{TRE_ID} | Managed Identity | User-managed identity for TRE Application Gateway | Managed Identities |
id-api-{TRE_ID} | Managed Identity | User-managed identity for TRE API App Service | Managed Identities |
id-gitea-{TRE_ID} | Managed Identity | User-managed identity for TRE Gitea App Service | Managed Identities |
id-vmss-{TRE_ID} | Managed Identity | User-managed identity for TRE Resource Processer (VMSS) | Managed Identities |
sb-{TRE_ID} | Service Bus Namespace | Messaging for TRE API | Service Bus |
stappinsights{TRE_ID} | Storage Account | Storage for TRE Application Insights telemetry logs | Storage Blobs |
stg{TRE_ID} | Storage Account | Files shares for TRE services such as Porter, Gitea, Nexus | Storage Files |
stweb{TRE_ID} | Storage Account | Storage for Azure TRE Let's Encrypt | Storage Blob |
vm-{TRE_ID} | Virtual Machine | Azure TRE VM (jumpbox) | Windows Virtual Machine |
vm-{TRE_ID} | Virtual Machine Scale Set | Azure TRE Resource Processor | Virtual Machine Scale Sets |
vnet-{TRE_ID} | Virtual Network | Azure TRE VNET central hub | Virtual Networks |
rt-{TRE_ID} | Route Table | Azure TRE route table | Route Tables |
Note
Network resources such as Network Interfaces, Network Security Groups, Private Endpoints, Private DNS zones and Public IP addresses are not listed above.
Azure TRE Workspace Resource Group
A TRE Workspace will be provisioned in a separate Resource Group along with its own resources. An example TRE Workspace is shown and described here.
Name | Azure Service | Description | Additional links |
---|---|---|---|
guacamole-{TRE_ID}-ws-XXXX-svc-XXXX | App Service | RDP for accessing workspace VMs | Apache Guacamole |
kv-{TRE_ID}-ws-XXXX | Azure Key Vault | Management of TRE workspace secrets & certificates | Azure Key Vault |
osdisk-windowsvm8f45 | Disk | Azure VM storage disk | Managed Disks |
plan-09d0ba4f-f79f-4047-aa2c-03fc9df7b318 | App Service plan | Compute resources in which the workspace app services (Gitea) run | App Hosting Plans |
stgwsb318 | Storage account | Workspace Storage account | Storage Blobs |
vnet-{TRE_ID}-ws-XXXX | Virtual Network | Azure TRE VNET spoke | Virtual Networks |
windowsvm8f45 | Virtual Machine | Windows VM instance for research | Windows Virtual Machine |
Note
Network resources such as Network Interfaces, Network Security Groups and Private Endpoints are not listed above.