Dev Ops
FOR USE ONLY AS PART OF MICROSOFT VIRTUAL TRAINING DAYS PROGRAM. THESE MATERIALS ARE NOT AUTHORIZED
FOR DISTRIBUTION, REPRODUCTION OR OTHER USE BY NON-MICROSOFT PARTIES.
Looking to implement
• DevOps methodology
• Better communication tools
• Shared tooling
Learning Objectives
• What is DevOps?
• How do GitHub and Azure DevOps play a role in the DevOps process?
Learning Objective: What is DevOps?
eShopOnWeb all in on DevOps
[Figure: DevOps loop diagram (DEV / OPS); legible labels include Code, Test and Monitor]
DevOps accelerates delivery
[Figure: DevOps cycle between DEV and OPS; labels include Plan & Track, Develop, Build, Release, Operate, Process]
Why is DevOps so Important?
Version Control
• Version Control, usually with a Git-based
Repository, enables teams located anywhere in
the world to communicate effectively during
daily development activities.
Explore the DevOps journey – CI/CD
Continuous Integration
• Continuous Integration drives the ongoing
merging and testing of code, which leads to
finding defects early.
Continuous Delivery
• Continuous Delivery of software solutions to
production and testing environments helps
organizations quickly fix bugs and respond
to ever-changing business requirements.
Explore the DevOps journey
Monitoring and logging
• Monitoring and Logging of running
applications.
Cloud
• Public and Hybrid Clouds have made the
impossible easy.
Explore the DevOps journey – IaC and Microservices
Microservices
• Isolate business use cases into small reusable
services that communicate via interface contracts.
Explore the DevOps journey - Containers
Containers
• Containers are the next evolution in virtualization.
QUALITY
DATE FEATURES
Move? Reduce?
Estimates More accurate Enables parallel
development
Confirms alignment
with delivery date
Never accept an estimate
over 4 hours
Never start from a date
The rules apply to everyone
No one is
above the law
Learning Objective: How do GitHub and Azure
DevOps play a role in the DevOps process?
What is GitHub?
• Repos: Provide cloud-hosted and on-premises git repos for both public and private projects
• Actions: Create automation workflows with environment variables and customized scripts
• Packages: Ease integration with numerous existing packages and open-source repositories
• Security: Review code and identify vulnerabilities early in the development cycle
End-to-end, code-to-cloud DevOps
Automating workflows from code to any cloud
Build Test
- Largest ecosystem
- Community-led automation Monitor Operate
What is Azure DevOps?
• Azure Boards: Agile planning, work item tracking, visualization and reporting tool
• Azure Pipelines: A language, platform and cloud agnostic CI/CD platform with support for containers or Kubernetes
• Azure Artifacts: Provides integrated package management with support for Maven, npm, Python and NuGet package feeds from public or private sources
• Azure Test Plans: Provides an integrated planned and exploratory testing solution
• GitHub Advanced Security for Azure DevOps: Application security testing service that is native to the developer workflow.
Work with Azure Boards
[Figure: DevOps loop diagram (DEV / OPS); legible labels include Code, Test and Monitor]
Learning Objectives
• Effective development tools
• GitHub Copilot
• GitHub Codespaces
• Introduction to Microsoft Dev Box and its role in DevOps
• Branching Strategy
Learning Objective: Effective development tools
What is Source Control and Why do we Need it?
• Every developer clones a copy of a repository and has the full history of the project.
• Common distributed source control systems are Mercurial, Git, and Bazaar.
What is GitHub?
Expertise sharing
Cross-team collaboration
Improved code reuse
Codespaces on GitHub
GitHub Actions (CI/CD)
Increased velocity
GitHub features
Security: Review code and identify vulnerabilities early in the development cycle
Repos: Provide cloud-hosted and on-premises git repos for both public and private projects
Actions: Create automation workflows with environment variables and customized scripts
Packages: Ease integration with numerous existing packages and open-source repositories
Copilot: Use OpenAI to suggest code and functions in real-time from editor
GitHub benefits in the DevOps culture
Features of GitHub:
• Automate from code to cloud
• Securing software, together
• Seamless code review
• Code and documentation in one place
• Coordinate
• Manage teams
Components of a Git Project
• .gitignore – untracked files to ignore
• Commits – track changes to artifacts
GitHub Project files
• README.md file – Document your project
• CODEOWNERS file – Define who is responsible for code
• Pull Requests – Request to merge your changes
• Issues – Track issues/bugs/features
• Releases – Bundle specific iterations of your project
[Figure: repository file tree showing Documents, Source, .gitignore, LICENSE, README.md]
Explore source control integration
• Azure DevOps (Git)
• Can push code from Azure Automation to source control or pull your runbooks from source control to Azure Automation
Collaborate with pull requests
• Pull requests let you tell others about changes.
• Review and merge your code in a single collaborative process.
• Be sure to provide good feedback and protect branches with policies.
Actions
Demo GitHub In Action
Learning Objective: GitHub Copilot
What is GitHub Copilot?
Increase developer productivity
And satisfaction by focusing on real
problems
Accelerate innovation
Prototype & innovate more rapidly
hybrid team
Provision for any workload
Microsoft Dev Box capabilities
Any tool and any workload Own your workstation
• Self-service Dev Box lifecycle management • Dedicated compute to match project demands
• Ready-to-code with task-focused images • Deploy any IDE, SDK tools that run on Windows
• Dev Box hibernation and easy restart • Develop for desktop, mobile, web, and more
• WSL and nested virtualization support
• Accessible on any OS or browser
• Day-to-day development
• Works with the latest Windows versions
• Separate Dev Boxes for different projects
• Secured and centrally managed
• Proof of Concepts
Deploy on any device • Maintaining legacy applications
GitHub Microsoft
Codespaces Dev Box
Operating
Linux system Windows
Complimentary Repos on
SCM
Support Any version
services: GitHub control system
Box IT
Endpoint Microsoft
GitHub.com Mgmt.
Manager Azure
Learning Objective: Extending DevOps with
Visual Studio Code
What is Visual Studio Code?
Thousands of extensions!
Main
Development
Branch
Feature Branch A A A
Feature Branch B B B
Your Users
Trunk based development
Topic
Topic Hotfix
Main
Releases/M129
Releases/M130
How can that work?
Maintaining quality w/pull requests
Tests OK
Looks good to me
Pull request
Main branch
Feature flags
On
Off
Off
New Feature Feature Flag or Toggle
Consumers
Glorified If statement
Consumers: Bob and Sarah, requesting the “Beta Page”

Bob
{
  Key: “[email protected]”,
  name: “Bob Smith”,
  group: “beta”
}

Sarah
{
  Key: “[email protected]”,
  name: “Sarah Jones”,
  group: “normal”
}

Rule: If group is beta return true … if not, return false

Your Code
if ( flag == true ) {
  [ SHOW BETA PAGE ]
}
else if ( flag == false ) {
  [ RUN THIS CODE ]
}

Result: true (Beta) or false
No really… it’s an if statement
if (flag == true) {
// do new behaviour
}
else {
// do old behaviour
}
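A sketch of what sits behind that if statement, added here as an example and not taken from the deck: group targeting as on the slide, plus a percentage rollout and a fail-closed default so that an unknown, disabled or malformed flag never exposes the new code path. The flag names, the FNV-1a bucketing and the user keys are assumptions (the e-mail keys on the slide are not legible).

```javascript
// Added example, not code from the deck. Flag names are hypothetical and the
// user keys are constructed (the slide's e-mail keys are not legible).
const FLAGS = {
  "beta-page": { enabled: true, groups: ["beta"], rolloutPercent: 0 },
  "new-checkout": { enabled: true, groups: [], rolloutPercent: 10 },
  "legacy-export": { enabled: false, groups: ["beta"], rolloutPercent: 100 },
};

// FNV-1a 32-bit over UTF-16 code units: a small non-cryptographic hash,
// used here only to spread users over buckets.
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

// Stable bucket 0..99 per (flag, user): raising the percentage only ever adds
// users, and a user never flips between variants from request to request.
function bucket(flagName, userKey) {
  return fnv1a(flagName + ":" + userKey) % 100;
}

function isEnabled(flagName, user, flags = FLAGS) {
  // Fail closed: unknown flag, inherited property, kill switch or bad user.
  if (!Object.prototype.hasOwnProperty.call(flags, flagName)) return false;
  const flag = flags[flagName];
  if (!flag || flag.enabled !== true) return false;
  if (!user || typeof user.key !== "string" || user.key === "") return false;
  // Targeting by group: the slide's "if group is beta return true" rule.
  if (Array.isArray(flag.groups) && flag.groups.includes(user.group)) return true;
  // Percentage rollout; a malformed percentage is treated as 0.
  const pct = Number(flag.rolloutPercent);
  if (!Number.isFinite(pct) || pct <= 0) return false;
  return bucket(flagName, user.key) < Math.min(pct, 100);
}

const bob = { key: "bob@example.test", name: "Bob Smith", group: "beta" };
const sarah = { key: "sarah@example.test", name: "Sarah Jones", group: "normal" };

// The slide's if statement, now driven by the evaluated flag.
function renderPage(user) {
  return isEnabled("beta-page", user) ? "beta page" : "current page";
}
```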
A/B experiments
23%
11%
Rollout
Feedback
Done
Demo Feature Flags
Let’s Recap
DevSecOps
DevOps Security
It's a union of security, development, and operations teams.
Benefits of DevSecOps
IDE/Pull Request    CI    DEV    TEST
Static Code Analysis Static Code Analysis Passive Pen Test Infrastructure Scan
Application Code Review OSS Vulnerability Scan SSL Scanner
CI/CD Work Item Linking Unit Tests Infrastructure Scan
Code Metrics
Increasing efficiency
Eliminating waste
eShopOnWeb
Needs
Confidence
Security
eShopOnWeb Website
.NET 7
Microservices with
backend APIs and Web
Frontend
Dependency Tree
Security and vulnerability management
Dependency Tree
Where security fits in the development lifecycle
EMBEDDED SECURITY IN THE DEVELOPER WORKFLOW
eShopOnWeb
Needs
Vulnerability Management
• Code scanning
• Secret scanning
• Largest vulnerability database
• Automated security updates
CodeQL
• World’s most advanced code analysis
• Vulnerability hunting tool
• Community of top security experts
Shift security left with GitHub Advanced Security
Security Shifting Left
SDLC Stages: Develop, Build, Test, Deploy, Breach
Remediation Costs:
• Development: $80
• Build: $240
• Test/QA: $960
• Production: $7,600
• Breach: $ Millions
Vastly more cost effective to remediate during development
• Professional Developers: ~ 40M
• Security Researchers: ~ 70K
• 570x more developers than security researchers
GitHub Advanced Security
Feature             Public repository                  Private repository without Advanced Security   Private repository with Advanced Security
Code scanning       Yes                                No                                             Yes
Secret scanning     Yes (limited functionality only)   No                                             Yes
Dependency review   Yes                                No                                             Yes
Security Overview   No                                 No                                             Yes
Push Protection     No                                 No                                             Yes

• Code scanning: Automatically detect common vulnerabilities and coding errors.
• Secret scanning: Receive alerts when secrets or keys are checked in, exclude files from scanning, and define up to 100 custom patterns.
• Dependency review: Show the full impact of changes to dependencies and see details of any vulnerable versions before you merge a pull request.
• Security Overview: Review the security configuration and alerts for an organization and identify the repositories at greatest risk.
• Push Protection: Use secret scanning to prevent supported secrets from being pushed into your organization or repository.
GitHub Advanced Security in the software
development lifecycle
[Figure: Traditional “security as a gate” approach. Lifecycle stages shown: Project Inception, Project Configuration, Code/Test, Commit, PR, Code Review, Merge, CI/Testing, CD, QA & Integration Testing, Security Audit, Ship]
GitHub Advanced Security in the software
development lifecycle
[Figure: Software development lifecycle with GitHub Advanced Security. Lifecycle stages shown: Project Inception, Project Configuration, Code/Test, Commit, PR, Code Review, Merge, CI/Testing, CD, QA & Integration Testing, Ship. Security labels shown: Code scanning, Secret scanning, Dependency review, Security policies, Security Overview]
Vulnerability Management
[Figure: tooling map. Labels shown: GitHub Codespaces, GitHub Repos, Code scanning, Secret scanning, Dependency review, Actions, IaC Scanning, Azure Container Registry, Azure Policy, Microsoft Entra ID, Azure App Config, Azure Key Vault, Azure Monitor, Azure Security Benchmark, Secure Score, Sentinel, WAF / DDoS]
Secret Scanning Push Protection
Proactively protect against leaked secrets in your
repositories. Resolve blocked pushes and, once the
detected secret is removed, push changes to your working
branch from the command line or web UI.
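A minimal sketch of the check that push protection performs, added as an example and not GitHub's implementation: it walks a unified diff, scans only the lines the push adds, honours a path exclusion, and reports redacted matches. The `eshop_` token format and the `docs/` exclusion are hypothetical, and the sample diff is constructed (the AWS key shown is the one AWS uses in its documentation).

```javascript
// Added example, not GitHub's implementation: scan only the lines a push adds.
const PATTERNS = [
  // AWS access key ID format: "AKIA" plus 16 upper-case alphanumerics.
  { id: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/g },
  // Hypothetical custom pattern for an internal eShopOnWeb API token.
  { id: "eshop-api-token", re: /\beshop_[a-f0-9]{32}\b/g },
];
const EXCLUDED = [/^docs\//]; // hypothetical paths excluded from scanning

// Alerts and logs must not repeat the secret, so keep only a short prefix.
const redact = (s) => s.slice(0, 4) + "*".repeat(Math.max(s.length - 4, 0));

function scanDiff(diffText, patterns = PATTERNS, excluded = EXCLUDED) {
  const findings = [];
  let file = null, newLine = 0, oldLeft = 0, newLeft = 0;
  for (const line of diffText.split("\n")) {
    if (oldLeft <= 0 && newLeft <= 0) { // between hunks: headers only
      const h = /^@@ -\d+(?:,(\d+))? \+(\d+)(?:,(\d+))? @@/.exec(line);
      if (h) [oldLeft, newLine, newLeft] = [h[1] ?? 1, h[2], h[3] ?? 1].map(Number);
      else if (line.startsWith("+++ ")) file = line.slice(4).replace(/^b\//, "");
      continue;
    }
    if (line.startsWith("\\")) continue; // "\ No newline at end of file"
    if (line.startsWith("-")) { oldLeft--; continue; } // removals add nothing
    if (!line.startsWith("+")) {
      oldLeft--; // context line: present on both sides
    } else if (file && !excluded.some((re) => re.test(file))) {
      for (const { id, re } of patterns)
        for (const m of line.slice(1).matchAll(re))
          findings.push({ file, line: newLine, pattern: id, match: redact(m[0]) });
    }
    newLeft--; newLine++;
  }
  return findings;
}

// Push protection decision: any finding blocks the push.
const allowPush = (diffText) => scanDiff(diffText).length === 0;

// Constructed sample: one key replaced by another, plus a new custom token.
const SAMPLE_DIFF = [
  "--- a/src/appsettings.json",
  "+++ b/src/appsettings.json",
  "@@ -1,3 +1,4 @@",
  " {",
  '-  "Key": "AKIAAAAAAAAAAAAAAAAA",',
  '+  "Key": "AKIAIOSFODNN7EXAMPLE",',
  '+  "Token": "eshop_0123456789abcdef0123456789abcdef",',
  " }",
].join("\n");
```

Tracking the hunk's line counts keeps an added line whose content begins with `++` from being misread as a file header, and the removed key is ignored because removing a secret does not introduce one.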
Provide security
Monitor security settings
recommendations
Access Stabilize
Recommendations
Detect – Verify a high security alert was raised Configure a security policy
Azure Sentinel
Aggregate your data and monitor your
ecosystem, while detecting and monitoring
threats. Automate and integrate security
intelligence and enrich your detection and
investigation with AI.
Cloud-native application security solution
…
Unify visibility into
DevOps security posture
Empower security teams with unified DevOps security management across multipipeline and multicloud environments
Strengthen cloud resource configurations
Automate with integrated
security intelligence
Unify visibility into
DevOps security posture
Shifting cloud security left,
bridging SecOps and DevOps
Automated discovery
Continuous assessment
Security insights
Demo • Unify visibility into DevOps security posture
Learning Objective: Container Security
Kubernetes architecture
[Figure: Kubernetes architecture. Self-managed main node(s) with Kubernetes API endpoint, Scheduler, Controller Manager and Cloud Controller; App/workload definition; two Agent Pools of Docker nodes]
[Figure: container Image Layers (Read Only) stacked on the base image, From: Alpine:3.8]
Demo • Building Containers
Learning Objective: Quality
Bridge to Kubernetes
[Figure: application architecture. Labels shown: ASP.NET Website, Backend for Frontend, Mobile for iOS & Android (Xamarin Apps), Windows Forms & Windows Presentation Foundation, Coupon App, My coupons, Cart, Products, Popular products, Stock, Logic Apps, Function App, Power Apps, Cosmos DB, Cognitive Services]
GitHub Actions
Automate
Customizable
What did we learn?
Continuous Integration
Trunk Based Development Protect Production
Continuous Delivery
Continuous Deployment Protect Secrets
eShopOnWeb
Learning Objectives
• CI and CD
• GitHub Actions
• Infrastructure as Code
• Protecting Production
• Explore slot deployment for Pre-Production environments
• Handling Keys and Credentials
Learning Objective: CI and CD
Your changes work with everyone else’s changes
Continuous
Integration
Your code still builds
Continuous
Delivery
Including infrastructure and dependencies
Continuous
Deployment
Doesn’t have to be to Production
Continuous Delivery
Automates delivery. New build artifact is available, artifact is deployed.
Continuous Deployment
From when you commit and check in code to production, everything is automated.
Protip:
• Always have Continuous Deployment to somewhere.
• Don’t assume this version will deploy as cleanly as the last.
Explore benefits of continuous integration
• Reducing build times for rapid feedback and early detection of problems (risk reduction)
• Reduces time to mitigate incidents (TTM) and time to remediate incidents (TTR)
• Provides a faster release cadence so that hotfixes can become part of the normal release cycle
Learning Objective: GitHub Actions
What are Actions?
trunk/main
Staging Production
Deployment slots – Staging traffic
Staging Production
100% 0%
Deployment slots – Production traffic
Staging Production
0% 100%
Deployment slots – Canary deployment
Staging Production
10% 90%
Demo • CI/CD with pre-production and UAT environments
Learning Objective: Handling Keys and
Credentials
GitHub Secrets
Create encrypted secrets
• Like environment variable but encrypted
• Created at repository or organization level
• Created/assigned in the GitHub UI
GitHub Secrets settings
Use secrets in a workflow as environment variables
• Avoid passing secrets in command-line arguments

steps:
  - shell: pwsh
    env:
      DB_PASSWORD: ${{ secrets.DBPassword }}
    run: |
      db_test "$env:DB_PASSWORD"
Azure Key Vault
Continuous Integration
Continuous Delivery
Continuous Deployment
Summary
Dashboard Metrics
Virtual Azure SQL Storage
Machine Server account
Integrate Azure Load Testing
in your CI/CD pipeline
during the development
lifecycle. Azure Monitor
Demo • Identify performance regressions with Azure Load Testing and GitHub Actions
DevOps and eShopOnWeb
Recap
• Understanding Application Behavior
• Responsible Incident Response
• Guiding Incident Response with Automation
In a lousy economy,
NOTHING is more important
The value of than automation.