
Installation & Setup

Deploy EntiHub into your Azure subscription, point it at your warehouse database, and let the application initialize its own configuration schema on first run. No hand-written DDL is required.

Prerequisites

  • An Azure subscription with permission to deploy marketplace solutions and manage container workloads.
  • A Microsoft Entra ID tenant for user and service-principal authentication.
  • A target database reachable from your deployment: Microsoft Fabric / Azure SQL, PostgreSQL, Oracle, or MySQL.
  • A container runtime suitable for production: Azure Container Apps, AKS, or on-premises Docker / Kubernetes.

Azure Marketplace deployment

  • Locate EntiHub in Azure Marketplace and start the provisioning flow.
  • The container image is deployed with sensible defaults, then you complete host-specific settings such as CPU, memory, scaling, and networking.
  • After the container is running, configure the warehouse connection and identity: either a full connection string or composed endpoint settings plus ServicePrincipal or SqlUser credentials.
  • Ensure outbound connectivity from the container to your database endpoint and, for Entra-authenticated SQL, to Azure AD token endpoints.

Container configuration

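Set configuration through environment variables or app settings under the Mdm configuration section. In environment variable names, the double underscore (__) is the standard .NET separator between a section and its keys.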

Connection & database

  • Mdm__DbConnectionString — full ADO.NET-style connection string.
  • Mdm__DatabaseBackend — SqlServer, PostgreSql, Oracle, or MySql.
  • Mdm__DbAuthMode — ServicePrincipal or SqlUser.
  • Mdm__ConfigSchema — schema for metadata and governance tables.
  • Mdm__EntityDataSchema — schema for physical entity tables.

Application settings

  • Mdm__LakehouseName — logical lakehouse / database name included in webhook payloads.
  • Mdm__PermissionsKey — secret key used to hash user identifiers for role assignments; change it in production.
  • Mdm__AuditRetentionDays — retention window for audit log entries in days.

Rate limiting

  • Mdm__RateLimit__Enabled — enable or disable API rate limiting.
  • Mdm__RateLimit__PermitLimit — maximum requests per client in the time window.
  • Mdm__RateLimit__WindowSeconds — fixed window duration in seconds.

Rate limiting is applied per client on all /api/* endpoints. When exceeded, the API returns HTTP 429 Too Many Requests.

Security defaults

  • Security headers: Content-Security-Policy, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy, and Permissions-Policy.
  • HSTS is enabled in production environments; HTTPS redirection is always on.
  • Rate limiting is enabled by default.
  • Webhook URL policy supports AllowAllExceptLocalhost and Strict modes.
  • Database access uses parameterized SQL and parsed filter DSL.
  • ZIP package deploy validates archive entries against path traversal.
  • Regex validation runs with execution timeout to prevent ReDoS.

Bootstrap (first run)

  • On first startup EntiHub connects to the configured warehouse using the selected backend and authentication mode.
  • If the config schema does not exist, it is created and all required metadata tables are provisioned.
  • The process is idempotent; subsequent starts only add missing objects.
  • No manual SQL scripts are required for baseline installation.

Health check

  • GET /health — lightweight liveness probe.
  • GET /health/ready — verifies the application can reach the database with configured credentials.

If readiness fails, verify connection strings, firewall rules, Entra configuration, and permissions on the configured schemas.

Local development

  • Set Mdm__PromptForDbModeOnStartup=true for interactive local runs.
  • At startup the host prompts you to choose the backend and authentication mode instead of reading them only from configuration.
  • Disable this in shared or production environments.
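
A pre-deployment check over the Mdm settings documented on this page, flagging the values that weaken the security defaults. This is an added example, not EntiHub code: the `preflight` function, the 32-character minimum for Mdm__PermissionsKey, and the exact-match comparison of backend and auth-mode values are assumptions.

```python
import os

# Allowed values as spelled on the page; exact-match comparison is an assumption.
ALLOWED = {
    "Mdm__DatabaseBackend": {"SqlServer", "PostgreSql", "Oracle", "MySql"},
    "Mdm__DbAuthMode": {"ServicePrincipal", "SqlUser"},
}
POSITIVE_INTS = ("Mdm__RateLimit__PermitLimit", "Mdm__RateLimit__WindowSeconds",
                 "Mdm__AuditRetentionDays")
MIN_KEY_LENGTH = 32  # assumption: local policy, not an EntiHub requirement

# Constructed sample: a misconfigured production environment.
SAMPLE = {"Mdm__DatabaseBackend": "Sqlite", "Mdm__PermissionsKey": "short",
          "Mdm__RateLimit__Enabled": "false", "Mdm__RateLimit__WindowSeconds": "0",
          "Mdm__PromptForDbModeOnStartup": "True"}


def _flag(env, name, default):
    """Read a boolean-style setting as lowercase text."""
    return env.get(name, default).strip().lower()


def preflight(env, production=True):
    """Return findings for a mapping of environment variables."""
    findings = []
    for name, allowed in ALLOWED.items():
        if name in env and env[name] not in allowed:
            findings.append(f"{name}: {env[name]!r} not in {sorted(allowed)}")
    for name in POSITIVE_INTS:
        value = env.get(name)
        if value is not None and not (value.isdigit() and int(value) > 0):
            findings.append(f"{name}: expected a positive integer, got {value!r}")
    if production:
        if len(env.get("Mdm__PermissionsKey", "")) < MIN_KEY_LENGTH:
            findings.append("Mdm__PermissionsKey: unset or shorter than "
                            f"{MIN_KEY_LENGTH} characters")
        if _flag(env, "Mdm__RateLimit__Enabled", "true") != "true":
            findings.append("Mdm__RateLimit__Enabled: rate limiting is off")
        if _flag(env, "Mdm__PromptForDbModeOnStartup", "false") == "true":
            findings.append("Mdm__PromptForDbModeOnStartup: interactive prompt "
                            "is on outside local development")
    return findings


if __name__ == "__main__":
    # Check the real environment; fall back to the sample when nothing is set.
    env = {k: v for k, v in os.environ.items() if k.startswith("Mdm__")} or SAMPLE
    for finding in preflight(env):
        print("FAIL", finding)
```

Run it in the release pipeline against the same variables the container will receive, and fail the deployment when the list is not empty.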