Dev Ops

The document outlines the Microsoft Azure Virtual Training Days program focused on accelerating development using Azure DevOps and GitHub, emphasizing the importance of DevOps in enhancing collaboration and continuous delivery. It details the roles of GitHub and Azure DevOps in the DevOps process, covering features like source control, CI/CD, and automation tools. Additionally, the document discusses effective development tools, branching strategies, and the integration of GitHub with Azure DevOps to optimize the developer workflow.


© Copyright Microsoft Corporation. All rights reserved.

FOR USE ONLY AS PART OF MICROSOFT VIRTUAL TRAINING DAYS PROGRAM. THESE MATERIALS ARE NOT AUTHORIZED
FOR DISTRIBUTION, REPRODUCTION OR OTHER USE BY NON-MICROSOFT PARTIES.

Classified as Microsoft Confidential


Microsoft Azure Virtual Training Days: Accelerate Development using Azure DevOps & GitHub
Get started with GitHub and Azure DevOps
Who is eShopOnWeb?
Experiencing rapid growth

Differing goals across teams

Need for better collaboration

Looking to implement
• DevOps methodology
• Better communication tools
• Shared tooling

Learning Objectives
• What is DevOps?
• How do GitHub and Azure DevOps play a role in the DevOps process?
Learning Objective: What is DevOps?
eShopOnWeb all in on DevOps

(Diagram: the DevOps loop. Dev: Code, Build, Test & learn. Ops: Release, Monitor.)
DevOps accelerates delivery

"DevOps is the union of people, process, and products to enable continuous delivery of value to your end users." − Donovan Brown

Learn about What is DevOps

(Diagram: People, Process and Products around the Plan, Develop, Deliver, Operate cycle. Dev: Plan & Track, Develop, Build, Test. Ops: Deploy, Release, Monitor & Operate.)

Learn GitHub + Azure DevOps: the home for your DevOps tools!
Why is DevOps so Important?

• Understand your cycle time
• Observe, Orient, Decide, Act (OODA) loop
• Become data-informed
• Strive for validated learning
• Shorten your cycle time
• Optimize validated learning
Explore the DevOps journey – Plan and Source Control
Agile/lean
• Plan and isolate work into sprints.
• Manage team capacity and help teams quickly adapt to changing business needs.
• A DevOps Definition of Done is working software collecting telemetry against the intended business goals.

Version Control
• Version Control, usually with a Git-based
Repository, enables teams located anywhere in
the world to communicate effectively during
daily development activities.
Explore the DevOps journey – CI/CD
Continuous Integration
• Continuous Integration drives the ongoing
merging and testing of code, which leads to
finding defects early.

Continuous Delivery
• Continuous Delivery of software solutions to
production and testing environments helps
organizations quickly fix bugs and respond
to ever-changing business requirements.
Explore the DevOps journey
Monitoring and logging
• Monitoring and Logging of running
applications.

Cloud
• Public and Hybrid Clouds have made the
impossible easy.
Explore the DevOps journey – IaC and Microservices

Infrastructure as Code (IaC)
• Enables the automation and validation of the creation and teardown of environments to help with delivering secure and stable application hosting platforms.

Microservices
• Isolate business use cases into small reusable services that communicate via interface contracts.
Explore the DevOps journey - Containers
Containers
• Containers are the next evolution in virtualization.

DevOps may hurt at first

General principles
• Product is built incrementally
• Frequent inspection and adaption (course correction)
• Transparency (Product and Sprint backlogs are public)
• Product Owner, Development Team, Scrum Main
• Scrum Teams are self-organizing and cross-functional

Quality is non-negotiable

(Diagram: the QUALITY, DATE and FEATURES triangle. Quality is fixed; the date can move or the features can be reduced.)

Estimates: more accurate; enable parallel development; confirm alignment with the delivery date.
Never accept an estimate over 4 hours.
Never start from a date.

The rules apply to everyone
Even the CEO must obey the rules. No one is above the law.
Learning Objective: How do GitHub and Azure DevOps play a role in the DevOps process?
What is GitHub?

1 Codespaces: Provide cloud-hosted collaborative development environments

2 Repos: Provide cloud-hosted and on-premises git repos for both public and private projects

3 Actions: Create automation workflows with environment variables and customized scripts

4 Packages: Ease integration with numerous existing packages and open-source repositories

5 Security: Review code and identify vulnerabilities early in the development cycle
End-to-end, code-to-cloud DevOps
Automating workflows from code to any cloud

Home for all developers
Home for the world's code
- Elastic, to any scale
- Fully managed
- Always the latest packages
- Supports all OS for CI/CD
- Largest ecosystem
- Community-led automation

Deploy anywhere, including your own data centers
- On-prem
- Azure
- AWS
- Google Cloud Platform

(Diagram: Code → Build → Test → Release → Deploy → Operate → Monitor → Plan cycle.)
What is Azure DevOps?

1 Azure Boards: Agile planning, work item tracking, visualization and reporting tool
2 Azure Pipelines: A language, platform and cloud agnostic CI/CD platform with support for containers or Kubernetes
3 Azure Repos: Provides cloud-hosted private git repos
4 Azure Artifacts: Provides integrated package management with support for Maven, npm, Python and NuGet package feeds from public or private sources
5 Azure Test Plans: Provides an integrated planned and exploratory testing solution
6 GitHub Advanced Security for Azure DevOps: Application security testing service that is native to the developer workflow.
Work with Azure Boards

Agile, Scrum, and Kanban processes by default.

Track work, issues, and code defects associated with your project.
Demo Explore GitHub and Azure DevOps capabilities
Demo Tracking Work using Azure Boards
Integrating GitHub and Azure DevOps

1 Azure Pipelines integrated with GitHub
2 GitHub Code & Azure Repos
3 GitHub Issues & Azure Boards
DevOps and eShopOnWeb
Recap: What is DevOps; GitHub and Azure DevOps; Process and Estimate

eShopOnWeb

Needed Solving:
• Rapidly growing
• Lack of collaboration
• Lack of shared tooling

The Solution:
• Source control via GitHub
• Visual Studio Code for shared tooling
• Solid foundation for a DevOps strategy
Establish and optimize the developer workflow

"DevOps is the union of people, process and products to enable the continuous delivery of value to our end users." − Donovan Brown

eShopOnWeb all in on DevOps

(Diagram: the DevOps loop. Dev: Code, Build, Test & learn. Ops: Release, Monitor.)

Learning Objectives
• Effective development tools
• GitHub Copilot
• GitHub Codespaces
• Introduction to Microsoft Dev Box and its role in DevOps
• Extending DevOps with Visual Studio Code
• Branching Strategy
Learning Objective: Effective development tools
What is Source Control and Why do we Need it?

A form of version control
Uses concept of code repositories
Tracks changes made within repositories
Allows for cross-team collaboration
GitHub as a code hosting platform for version control and collaboration
Understand distributed source control

Distributed

Strengths:
• Cross platform support
• An open-source friendly code review model via pull requests
• Complete offline support
• Portable history
• An enthusiastic growing user base

Best used for:
• Smaller size (in bytes) and modular codebases
• Evolving through open-source
• Highly distributed teams
• Teams working across platforms
• Greenfield codebases

Every developer clones a copy of a repository and has the full history of the project. Common distributed source control systems are Mercurial, Git, and Bazaar.
What is GitHub?

GitHub is the leader in Git repository hosting. Some key features of GitHub:

Expertise sharing
Cross-team collaboration
Improved code reuse
Codespaces on GitHub
GitHub Actions (CI/CD)
Increased velocity
GitHub features
Security: Review code and identify vulnerabilities early in the development cycle

Repos: Provide cloud-hosted and on-premises git repos for both public and private projects

Actions: Create automation workflows with environment variables and customized scripts

Packages: Ease integration with numerous existing packages and open-source repositories

Codespaces: Provide cloud-hosted collaborative development environments

Copilot: Use OpenAI to suggest code and functions in real-time from editor
GitHub benefits in the DevOps culture

Largest open-source community

Features of GitHub:
• Automate from code to cloud
• Securing software, together
• Seamless code review
• Code and documentation in one place
• Coordinate
• Manage teams
Components of a Git Project

Code!
Branches – isolate development work
Tags – point to a specific release
.gitignore – untracked files to ignore
Commits – track changes to artifacts

GitHub Project files
README.md file – Document your project
SECURITY.md file – Define your security policy
LICENSE file – Define the license for your project
CODEOWNERS file – Define who is responsible for code
Pull Requests – Request to merge your changes
Issues – Track issues/bugs/features
Releases – Bundle specific iterations of your project

(Diagram: a repository tree with Deploy, Documents and Source folders and .gitignore, LICENSE and README.md files.)
Explore source control integration

Azure Automation supports source control integration:
• Easier collaboration
• Increased auditing and traceability
• Roll back to earlier versions of your runbooks
• Can push code from Azure Automation to source control or pull your runbooks from source control to Azure Automation

Azure Automation supports the following source control options:
• GitHub
• Azure DevOps (Git)

Collaborate with pull requests
Pull requests let you tell others about changes. Review and merge your code in a single collaborative process. Be sure to provide good feedback and protect branches with policies.

Branch: Develop features on a branch and create a pull request to get changes reviewed.
Discuss: Discuss and approve code changes related to the pull request.
Merge: Merge the branch with the click of a button.

Explore GitHub flow
Create a branch → Make changes → Create a pull request → Address review comments → Merge your pull request → Delete your branch

GitHub Flow is a lightweight, branch-based workflow. The GitHub flow is useful for everyone, not just developers.
What is GitHub Actions?

1 Automations within the GitHub environment

2 Often used to build CI/CD implementations

3 Based on YAML files living within GitHub repositories

4 Executed on GitHub or self-hosted runners

5 Large number of existing actions in the GitHub Marketplace


Explore Actions flow

Events trigger workflows (schedule, code, etc.).
Workflows contain jobs (a workflow may contain multiple jobs).
Jobs use actions (configured within steps).

(Diagram: Events → Trigger → Workflows → Contain → Jobs → Use → Actions.)
Demo GitHub In Action
Learning Objective: GitHub Copilot
What is GitHub Copilot?

Increase developer productivity and satisfaction by focusing on real problems.

Accelerate innovation: prototype & innovate more rapidly.

Bridge skill gaps: GitHub Copilot helps professionals learn and practice new languages faster.

AI Pair Programmer
GitHub Copilot offers code suggestions contextualized to your project:
● Convert comments to code
● Autofill for repetitive code
● Show alternatives
Demo GitHub Copilot
Learning Objective: GitHub Codespaces
What is GitHub Codespaces?

• Codespaces is a cloud-based development environment that GitHub hosts.
• Syntax highlighting.
• Autocomplete.
• Integrated debugging.
• Direct Git integration.
• GitHub Codespaces addresses several issues from which developers regularly suffer.
• You can do all your work in Codespaces within a browser.

Develop online with GitHub Codespaces
• Avoids issues with old hardware/software
• Highly portable
• Protect against proliferation of intellectual property
• Based on Visual Studio Code
• Work from PCs, tablets, Chromebooks
• Connect to Codespaces from Visual Studio Code
Demo GitHub Codespaces
Learning Objective: Introduction to Microsoft Dev Box and its role in DevOps
Self-service development with Microsoft Dev Box

Ready-to-code, secure dev workstations for a hybrid team: ready to code; flexible but controlled; managed and secure. Provision for any workload.

Microsoft Dev Box capabilities

Any tool and any workload:
• Self-service Dev Box lifecycle management
• Ready-to-code with task-focused images
• Dev Box hibernation and easy restart
• WSL and nested virtualization support
• Works with the latest Windows versions
• Secured and centrally managed

Own your workstation:
• Dedicated compute to match project demands
• Deploy any IDE, SDK tools that run on Windows
• Develop for desktop, mobile, web, and more
• Accessible on any OS or browser
• Separate Dev Boxes for different projects

Deploy on any device:
• Day-to-day development
• Proof of Concepts
• Maintaining legacy applications

GitHub Codespaces vs Microsoft Dev Box

Operating system: Linux (Codespaces); Windows (Dev Box)
SCM support: Repos on GitHub (Codespaces); any version control system (Dev Box)
Target workloads: cloud native apps, including web apps, APIs, backends (Codespaces); any workload, including desktop, IoT, mobile, games, & more, Windows or cross-plat (Dev Box)
Complimentary services: GitHub.com (Codespaces); Microsoft Endpoint Manager and Microsoft Azure (Dev Box)

Learning Objective: Extending DevOps with Visual Studio Code
What is Visual Studio Code?

Visual Studio Code is a lightweight and powerful source code editor.

Run anywhere (Mac, Win, Lin)
Git commands built-in
Extensible and customizable
IntelliSense syntax highlights
Easily debug code
Open Source
Free!
Learn about Visual Studio Code

Visual Studio Code Marketplace

Thousands of extensions! Microsoft and third-party:
• Language support
• Tooling support
• Connectivity
• Deployment
• Multi-cloud

Learn about Visual Studio Code Marketplace

Extension example – Live Share extension pack
Share your code and collaborate
Share terminals and servers
Edit
Debug
Audio calls
Chat
Demo Tying it all together with Visual Studio Code
Learning Objective: Branching Strategy
Traditional branching strategy
Feature Branching without flags

(Diagram: Main; a Development Branch; Feature Branch A and Feature Branch B merged back; Your Users at the end of Main.)

Trunk based development
Using trunk-based development to avoid merge debt

(Diagram: Main with short-lived Topic branches and a Hotfix; release branches Releases/M129 and Releases/M130 cut from Main.)

How can that work?
Maintaining quality w/pull requests: a pull request into the main branch must pass "Tests OK" and get a "Looks good to me" review before it is merged.
Feature flags

(Diagram: a New Feature behind a Feature Flag or Toggle; some consumers see it On, others Off.)

Glorified If statement

Bob
{
Key: "[email protected]",
name: "Bob Smith",
group: "beta"
}

Sarah
{
Key: "[email protected]",
name: "Sarah Jones",
group: "normal"
}

"Beta Page" flag: if group is beta return true; if not, return false.

Your Code:
If ( flag == true ) {
[ SHOW BETA PAGE ]
}
Else if ( flag == false ) {
[ RUN THIS CODE ]
}

Result: true → Beta; false → run the existing code.

No really… it's an if statement

if (flag == true) {
// do new behaviour
}
else {
// do old behaviour
}

A/B experiments

50% of visitors see variation A: 23% conversion
50% of visitors see variation B: 11% conversion

Safe deployment

Rollout: New Feature → Soft Launch → Incremental Rollout → Done, with feedback at each step.
Rollback: Set switch to off. Done.
Demo Feature Flags
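As an added example (not code from the training deck or from eShopOnWeb), the "glorified if statement" carried through in Python: the beta-group check from the slide, a deterministic percentage bucket that gives the incremental rollout and the 50/50 A/B split, and the off switch that is the rollback. Users, e-mail addresses and flag names are constructed.

```python
"""Feature flags carried through in Python: a beta-group check, a
deterministic percentage bucket for incremental rollout / A/B splits, and
the kill switch used for rollback. Added example with constructed data."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class User:
    key: str      # constructed identifier, e.g. an e-mail on a placeholder domain
    name: str
    group: str    # "beta" or "normal", as in the slide


@dataclass
class Flag:
    name: str
    enabled: bool = True                       # master switch; False = rolled back
    groups: set = field(default_factory=set)   # groups that always get the feature
    percentage: int = 0                        # 0..100 of everyone else


def bucket(flag_name: str, user_key: str) -> int:
    """Stable bucket 0..99 per (flag, user): the same user keeps the same
    variation, and raising `percentage` only adds users, never flips them."""
    digest = hashlib.sha256(f"{flag_name}:{user_key}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % 100


def is_enabled(flag: Flag, user: User) -> bool:
    """The 'Beta Page' rule: if group is beta return true, otherwise fall back
    to the percentage rollout; the off switch wins over everything."""
    if not flag.enabled:
        return False
    if user.group in flag.groups:
        return True
    return bucket(flag.name, user.key) < flag.percentage


def render_page(flag: Flag, user: User) -> str:
    # No really, it's an if statement.
    if is_enabled(flag, user):
        return "BETA PAGE"      # new behaviour
    return "CURRENT PAGE"       # old behaviour


def ab_split(flag: Flag, users: list) -> dict:
    """Count how many users land in variation A (flag off) vs B (flag on)."""
    counts = {"A": 0, "B": 0}
    for u in users:
        counts["B" if is_enabled(flag, u) else "A"] += 1
    return counts


# Constructed sample data (example.invalid is a reserved placeholder domain).
BOB = User("bob@example.invalid", "Bob Smith", "beta")
SARAH = User("sarah@example.invalid", "Sarah Jones", "normal")
BETA_PAGE = Flag("beta-page", groups={"beta"})          # beta group only
AB_TEST = Flag("checkout-v2", percentage=50)            # 50/50 experiment
ROLLED_BACK = Flag("beta-page", enabled=False, groups={"beta"})
CROWD = [User(f"user{i}@example.invalid", f"User {i}", "normal") for i in range(1000)]

if __name__ == "__main__":
    print(render_page(BETA_PAGE, BOB), "/", render_page(BETA_PAGE, SARAH))
    print(ab_split(AB_TEST, CROWD))
```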
Let's Recap
Development Tools; Source Control; Branching Strategy

eShopOnWeb

Needed Solving:
• Managing Work
• Managing Source Control Changes
• Automation to help with processes

The Solution:
• Scrum and Azure Boards
• Trunk Based Development
• Feature Flags
Shift Security "Left" in your CI/CD Process
Goals for this Session
• Security
• Apply Security to Containers
• Build Quality and Gain Confidence

Learning Objectives
• What is DevSecOps?
• Security and Vulnerability Management
• GitHub Advanced Security for Azure DevOps
• Microsoft Defender for Cloud
• Container Security
• Quality

Learning Objective: What is DevSecOps?
DevSecOps makes delivery secure

It's a union of security, development, and operations teams.

(Diagram: DevOps and Security overlapping to form DevSecOps.)
Benefits of DevSecOps

• Shift security left: security work happens at earlier and more critical points in the development lifecycle, reducing time to remediation.
• It also helps organizations form a seamless workflow by integrating security into existing toolchains.
• More so, this aids organizations in continually identifying new threat vectors.

(Diagram: Dev, Ops and Security overlapping; SDL and OSA.)
DevSecOps key validation points
Continuous security validation should be added at each step from development through production.

IDE / Pull Request: Static Code Analysis; Application Code Review; Work Item Linking; Code Metrics. Feedback: Static Code Rule Warnings; Code Review Comments.
CI: Static Code Analysis; OSS Vulnerability Scan; Unit Tests. Feedback: OSS Library Vulnerabilities; OSS License Violations; Failed Unit Tests; Static Code Rule Warnings.
DEV: Passive Pen Test; SSL Scanner; Infrastructure Scan. Feedback: Pen Test Issues; SSL Issues; Infrastructure Issues.
TEST: Infrastructure Scan; Load and Performance Testing; Active Pen Test; Automated Regression Testing (Nightly Test Runs). Feedback: Pen Test Issues; Performance Issues; Regression Bugs; Infrastructure Issues.
How DevSecOps helps?
• Deliver value
• Increasing efficiency
• Eliminating waste
• Streamline the feedback loop
• Continuously improve
• Deliver faster
• Happier and secure customers

(Diagram: Plan, Develop, Deliver, Operate cycle with Security at the centre.)

Understand Shift-left
The goal for shifting left is to move quality upstream by performing tests early in the pipeline. Combine test and process improvements to reduce the time it takes for tests.
eShopOnWeb Website
.NET 7; Docker container on Azure App Service; Azure SQL Database; Azure Cosmos DB

What eShopOnWeb Needs: Quality, Confidence, Security

eShopOnWeb Website
.NET 7; Microservices with backend APIs and Web Frontend; Azure SQL Database; Azure Cosmos DB

Learning Objective: Security and Vulnerability Management
Security and vulnerability management

Dependency Tree
Where security fits in the development lifecycle
EMBEDDED SECURITY IN THE DEVELOPER WORKFLOW

PRE-COMMIT
• Threat modeling
• IDE security plug-in
• Pre-commit hooks
• Secure coding standards
• Peer review

COMMIT (CI)
• Static code analysis
• Security unit tests
• Dependency management
• Credential scanning

DEPLOY (CD)
• Infra as code (IaC)
• Security scanning
• Cloud configuration
• Security acceptance tests

OPERATE & MONITOR
• Continuous monitoring
• Threat intelligence
• Blameless postmortems
What eShopOnWeb Needs

Dependency Insights
• Real-time inventory
• License compliance
• Vulnerability alerting

Vulnerability Management
• Code scanning
• Secret scanning
• Largest vulnerability database
• Automated security updates

CodeQL
• World's most advanced code analysis
• Vulnerability hunting tool
• Community of top security experts
Shift security left with GitHub Advanced Security
Security Shifting Left

(Diagram: remediation cost by SDLC stage. Development: $80; Build: $240; Test/QA: $960; Production: $7,600; Breach: $ Millions. ~40M professional developers versus ~70K security researchers: 570x more developers than security researchers.)

Vastly more cost effective to remediate during development.
GitHub Advanced Security

Feature availability (Public repository / Private repository without Advanced Security / Private repository with Advanced Security):
Code scanning: Yes / No / Yes
Secret scanning: Yes (limited functionality only) / No / Yes
Dependency review: Yes / No / Yes
Security Overview: No / No / Yes
Push Protection: No / No / Yes

• Code scanning: Automatically detect common vulnerabilities and coding errors.
• Secret scanning: Receive alerts when secrets or keys are checked in, exclude files from scanning, and define up to 100 custom patterns.
• Dependency review: Show the full impact of changes to dependencies and see details of any vulnerable versions before you merge a pull request.
• Security Overview: Review the security configuration and alerts for an organization and identify the repositories at greatest risk.
• Push Protection: Use secret scanning to prevent supported secrets from being pushed into your organization or repository.
GitHub Advanced Security in the software development lifecycle

Traditional "security as a gate" approach: Project Inception → Project Configuration → Code/Test (Commit, PR, Code Review, Merge, CI/Testing) → CD → QA & Integration Testing → Security Audit → Ship.

Software development lifecycle with GitHub Advanced Security: security policies at Project Configuration; code scanning, secret scanning and dependency review at Commit, PR and Code Review; code scanning again at CI/Testing; Security Overview spanning Code/Test → CD → QA & Integration Testing → Ship.
Vulnerability Management

Over 62 million security alerts sent across GitHub.
GitHub security
Code Scanning
Find and fix vulnerabilities before they are
merged into the code base with automated
CodeQL scans
Scan containers
Scan for common vulnerabilities in Docker
images before pushing them to a container
registry or deploying them to a containerized
web app or Kubernetes cluster
Manage secrets using Azure Key Vault
Dynamically pull secrets from an Azure Key Vault
instance for consumption in GitHub Action
workflows
GitHub Advisory Database

The GitHub Advisory Database provides information on the state of your dependencies.
Search the GitHub Advisory Database for vulnerabilities in third-party solutions.
List security vulnerabilities mapped to packages tracked by dependency graphs.

Dependabot
Check for updates → Alerts → Automated pull requests → Review and triage
Demo • Azure Security and GitHub Advanced Security
eShopOnWeb Website
• Vulnerable container images
• Missing Settings
• Passwords
• Database Connection strings
• Secrets
Learning Objective: GitHub Advanced Security for Azure DevOps
Develop apps securely with a unified solution

(Diagram: dev tools (Visual Studio Code, GitHub Codespaces) → repos (Azure Repos, GitHub Repos) → pipelines (Azure Pipelines, GitHub Actions) → GitHub Advanced Security (code scanning, secret scanning, dependency review) → Azure Container Scanning, IaC Scanning, Azure Container Registry.)

Microsoft Defender for Cloud

(Diagram: GitHub & Azure DevOps connectors feed DevOps Security Management with code-to-cloud context; Cloud Security Posture Management, Threat Protection and Policy secure Azure for SecOps. Azure services shown: Microsoft Entra ID, Azure App Config, Azure Key Vault, Azure Monitor, Azure Security Benchmark, Secure Score, WAF / DDoS, Microsoft Sentinel.)
Secret Scanning Push Protection
Proactively protect against leaked secrets in your repositories. Resolve blocked pushes and, once the detected secret is removed, push changes to your working branch from the command line or web UI.

• Secrets blocked in all repositories
• 15k secrets blocked in GHAS repos since our launch in April
• Over 2k secrets from default pattern types push protected in the last month

Secret scanning
FIND AND MANAGE HARD-CODED SECRETS
• Proactively identify secrets as early as possible
• Finds secrets (including Azure secrets) the moment they are pushed to Azure DevOps and immediately notifies developers when they are found.
• Detect more than 200 token types from more than 100 partners
• For every commit made to your repository and its full git history, we'll look for secret formats from our secret scanning partners.
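The pre-commit hooks and credential scanning named earlier in this module are the developer-side complement of the server-side push protection described here. As an added example (not GitHub's secret scanning and not the training deck's code), a pre-commit check that walks a staged unified diff and flags only added lines matching credential-shaped patterns; the patterns, the fixture allowlist and the diff itself are constructed for illustration.

```python
"""Client-side pre-commit credential scan over a staged unified diff.
Added example: the patterns, the allowlist and the diff are constructed for
illustration and are not GitHub's partner patterns or the training deck's code."""
import re
from dataclasses import dataclass

# Constructed, illustrative credential shapes; a real hook would carry many more.
PATTERNS = {
    "private key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password in connection string": re.compile(r"(?i)\bpassword=([^;\"'\s]+)"),
    "hard-coded api key or token": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token)\b\s*[:=]\s*[\"']([A-Za-z0-9_\-]{20,})[\"']"),
}
# Paths whose additions are deliberately fake (test fixtures) and are not flagged.
ALLOWLIST_PREFIXES = ("tests/fixtures/",)

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass
class Finding:
    path: str
    line: int       # line number in the new version of the file
    kind: str
    preview: str    # redacted: the hook must not echo the whole secret into logs


def redact(secret: str) -> str:
    return secret[:4] + "..." if len(secret) > 4 else "****"


def scan_diff(diff: str) -> list:
    """Walk a unified diff (as produced by `git diff --cached`) and check only
    added lines; removed lines and context lines are never matched."""
    findings, path, new_line = [], None, 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")   # target file of the following hunks
        elif raw.startswith("--- "):
            continue
        elif (m := HUNK_RE.match(raw)):
            new_line = int(m.group(1))          # first new-file line of the hunk
        elif raw.startswith("+"):
            if path and not path.startswith(ALLOWLIST_PREFIXES):
                for kind, rx in PATTERNS.items():
                    hit = rx.search(raw[1:])
                    if hit:
                        secret = hit.group(1) if hit.groups() else hit.group(0)
                        findings.append(Finding(path, new_line, kind, redact(secret)))
            new_line += 1
        elif raw.startswith(" "):
            new_line += 1                        # context line consumes a new-file line
    return findings


def precommit_exit_code(diff: str) -> int:
    """Non-zero aborts the commit, the local counterpart of push protection."""
    return 1 if scan_diff(diff) else 0


# Constructed staged diff: one real-looking leak, one allowlisted fixture,
# one harmless placeholder and one hard-coded token.
SAMPLE_DIFF = """\
diff --git a/appsettings.json b/appsettings.json
--- a/appsettings.json
+++ b/appsettings.json
@@ -1,3 +1,4 @@
 {
-  "Db": "Server=tcp:db.example.invalid;Database=eshop;"
+  "Db": "Server=tcp:db.example.invalid;Database=eshop;User Id=sa;Password=Constructed_NotReal_1;",
+  "Logging": "Information"
 }
diff --git a/tests/fixtures/fake.pem b/tests/fixtures/fake.pem
--- /dev/null
+++ b/tests/fixtures/fake.pem
@@ -0,0 +1,2 @@
+-----BEGIN PRIVATE KEY-----
+not-a-real-key
diff --git a/src/Config.cs b/src/Config.cs
--- a/src/Config.cs
+++ b/src/Config.cs
@@ -10,2 +10,3 @@
 // settings
+const string ApiKey = "<your-key>";
+const string Token = "CONSTRUCTEDabcdefghijklmnop12345";
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f.path}:{f.line}: {f.kind} ({f.preview})")
    print("exit code:", precommit_exit_code(SAMPLE_DIFF))
```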
Code scanning
Find and fix vulnerabilities as you code

CodeQL
Turns source code into relational data that can be queried for vulnerabilities.

Find and fix vulnerabilities fast
Find and fix vulnerabilities before they are merged into the code base with automated scans.

Community of top security experts
Your projects are powered by world-class security teams. Use queries created by the security community in your projects.

Integrated with developer workflow
Integrate security results directly into the developer workflow for a frictionless experience and faster development.

Dependency scanning
Provide visibility into vulnerable and out-of-date dependencies

Automated security alerts
Keep your projects secure and up to date by monitoring them for vulnerable and out-of-date components.

Integrated with developer workflow
Dependency Scanning integrates directly into the developer workflow for a frictionless experience and faster fixes.

Rich vulnerability data
GitHub tracks vulnerabilities in packages from supported package managers using data from security researchers, maintainers, and the National Vulnerability Database – all discoverable in the GitHub Advisory Database.
Learning Objective: Microsoft Defender for Cloud
Explore Microsoft Defender for Cloud

• Monitor security settings
• Provide security recommendations
• Analyze and identify potential attacks
• Use Azure Machine Learning
• Supports Windows and Linux operating systems
• Provide just-in-time (JIT) access control

Examine Microsoft Defender for Cloud usage scenarios

Scenario 1: Use Microsoft Defender for Cloud for an incident response
Detect → Assess → Diagnose → Stabilize → Close
Detect – Verify a high security alert was raised
Assess – Obtain information about the alert
Diagnose – Follow the remediation steps

Scenario 2: Use Microsoft Defender for Cloud recommendations to enhance security
Security Policy → Recommendations
Configure a security policy
Implement the recommendations for the security policy

Understand Microsoft Defender for Identity
Identifies, detects, and helps you investigate advanced threats, compromised identities, and malicious insider actions

• Microsoft Defender portal monitors and responds to suspicious activity
• Microsoft Defender sensor monitors domain controller traffic
• Microsoft Defender cloud service connects to Microsoft Intelligent Security Graph
Microsoft Defender for Cloud and Azure Sentinel
Microsoft Defender for
Cloud
Empower security teams with unified DevOps
security management across multi-pipeline
and multi-cloud environments, with unified
visibility into DevOps security posture and
strengthened cloud resource configurations.

Azure Sentinel
Aggregate your data and monitor your
ecosystem, while detecting and monitoring
threats. Automate and integrate security
intelligence and enrich your detection and
investigation with AI.
Cloud-native application security solution

Microsoft Defender for Cloud

Three pillars: DevOps Security Management; Cloud Security Posture Management; Cloud Workload Protection.

Empower security teams with unified DevOps security management across multipipeline and multicloud environments.
Unify visibility into DevOps security posture.
Strengthen cloud resource configurations.
Automate with integrated security intelligence.

Unify visibility into DevOps security posture
Shifting cloud security left, bridging SecOps and DevOps
• Automated discovery
• Continuous assessment
• Security insights
Demo • Unify visibility into DevOps security posture
Learning Objective: Container Security
Kubernetes architecture

(Diagram: self-managed main node(s) with API Server, etcd, Scheduler, Controller Manager and Cloud Controller; the user submits the app/workload definition to the Kubernetes API endpoint; an Agent Pool of nodes runs Docker and Pods.)

(Second diagram: the same architecture with an Azure-managed control plane in place of the self-managed main node(s).)

Refresher on container layers

(Diagram: a read/write Container Layer on top of read-only Image Layers built From: Alpine:3.8; each layer is identified by its layer ID.)
Demo • Building Containers
Learning Objective: Quality
Bridge to Kubernetes

Simplifies microservice development: eliminates the need to manually source, configure, and compile external dependencies.

Streamlines application development: sidestep operational complexities of building and deploying code into the cluster to test and debug.

Work in isolation in a shared development environment: work in a private "sandbox" environment by routing specific traffic locally.
Demo • Gaining DevOps Confidence
Automation to the rescue!
eShopOnWeb is now in a good state

(Diagram: eShopOnWeb architecture. ASP.NET Website (Cart, Profile, Products, Popular products) and a Backend for Frontend on Azure Kubernetes Service; Rewards App with SQL DB; Coupon App ("My coupons") with Logic Apps and a Function App; Windows Forms & Windows Presentation Foundation clients; Microsoft 365 and Cognitive Services; Mobile for iOS & Android (Xamarin) with Frontend Function App, Stock Cosmos DB, Logic Apps, Power Apps and Cognitive Services; tooling: App Center, GitHub, Visual Studio Code, Visual Studio.)

GitHub Actions
Automate. Build, test and deploy with confidence. Customizable.

What did we learn?
• Code Scanning and Dependency Alerts
• Build More Secure Containers
• Gain DevOps Confidence

Deliver changes to the cloud
Goals for this Session
• Continuous Integration
• Continuous Delivery
• Continuous Deployment
• Trunk Based Development
• Protect Production
• Protect Secrets

eShopOnWeb

Learning Objectives
• CI and CD
• GitHub Actions
• Infrastructure as Code
• Protecting Production
• Explore slot deployment for Pre-Production environments
• Handling Keys and Credentials

Learning Objective: CI and CD

Continuous Integration
• Your changes work with everyone else's changes
• Your code still builds
• Your tests still run
• You have a deployable piece of work

Continuous Delivery
• Deploy that piece of work, including infrastructure and dependencies
• Deploy from build to a testing, staging, and/or production environment

Continuous Deployment
• Doesn't have to be to Production
• Trustworthy and reproducible

CI and CD
Continuous Integration: Develop phase. Build, test, and validate code.
Continuous Delivery: Automates delivery. New build artifact is available, artifact is deployed.
Continuous Deployment: From when you commit and check in code to production, everything is automated.

Protip:
• Always have Continuous Deployment to somewhere.
• Don't assume this version will deploy as cleanly as the last.
Explore benefits of continuous integration

1 Improving code quality based on rapid feedback

2 Triggering automated testing for every code change

3 Reducing build times for rapid feedback and early detection of problems (risk reduction)

4 Better management of technical debt and code analysis

5 Reducing long, difficult, and bug-inducing merges


Benefits of continuous deployment

1 Minimizes the time to deploy

2 Makes deploying to production a low-stress activity

3 Provides visibility and feedback cycles

4 Reduces time to mitigate incidents (TTM) and time to remediate incidents (TTR)

5 Provides a faster release cadence so that hotfixes can become part of the normal release cycle
Learning Objective: GitHub Actions
What are Actions?
• Automations within the GitHub environment
• Often used to build CI/CD implementations
• Based on YAML files living within GitHub repositories
• Executed on GitHub-hosted or self-hosted runners
• Large number of existing actions in the GitHub Marketplace (third-party code that runs with your workflow's token; pin it to a full commit SHA rather than a mutable tag)
GitHub Actions
• Automation for any software workflow
• Dozens of events that can trigger workflows
• Continuous Integration and Continuous Delivery
Demo • GitHub Actions – CI/CD
Learning Objective: Infrastructure as Code
What is Bicep?
Azure Bicep is the next revision of ARM templates, designed to solve some of the issues developers were facing when deploying their resources to Azure.

Note: Beware that when converting ARM templates to Bicep, there might be issues since the converter is still a work in progress.

Example Bicep file from the slide (the storage account name now uses the storageName parameter; the slide hard-coded the literal 'name', which left the parameter unused):

    // Parameters with defaults derived from the target resource group
    param storageName string = 'stg${uniqueString(resourceGroup().id)}'
    param location string = resourceGroup().location

    // One resource declaration: symbolic name, 'type@apiVersion', then properties
    resource storageaccount 'Microsoft.Storage/storageAccounts@2021-02-01' = {
      name: storageName
      location: location
      kind: 'StorageV2'
      sku: {
        name: 'Premium_LRS'
      }
      // Not on the slide: a production template should also set
      // properties.minimumTlsVersion and properties.supportsHttpsTrafficOnly.
    }
Understand Bicep file structure and syntax
Azure Bicep comes with its own syntax; however, it's easy to understand and follow:
• Scope, Parameters, Variables, Resources, Modules, Outputs.
• Other features: loops, conditional deployment, multiline strings, referencing an existing cloud resource, and many more.
Demo • Deploy a Bicep file from GitHub workflows
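Deploying a Bicep file from a GitHub workflow, as an added example (not code from the deck or from the eShopOnWeb repository). It assumes the template lives at infra/main.bicep, a resource group named rg-eshop-dev, and a Microsoft Entra app registration with a federated credential for this repository. The three AZURE_* values it reads from secrets are identifiers, not a client secret: with federated (OIDC) login no long-lived credential is stored in GitHub at all.

```yaml
# .github/workflows/infra.yml  (added example; names below are assumptions)
name: Deploy infrastructure

on:
  pull_request:
    branches: [main]
    paths: ['infra/**']      # only infrastructure changes trigger this workflow
  push:
    branches: [main]
    paths: ['infra/**']

permissions:
  id-token: write            # lets the job request the OIDC token that azure/login exchanges
  contents: read

env:
  RESOURCE_GROUP: rg-eshop-dev    # assumed resource group
  LOCATION: westeurope            # assumed region, passed to the template's location parameter

jobs:
  bicep:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Log in to Azure with a federated credential (no client secret involved)
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Compile the template (catches syntax errors before touching Azure)
        run: |
          az bicep install
          az bicep build --file infra/main.bicep --stdout > /dev/null

      - name: Preview changes on pull requests
        if: github.event_name == 'pull_request'
        run: |
          az deployment group what-if \
            --resource-group "$RESOURCE_GROUP" \
            --template-file infra/main.bicep \
            --parameters location="$LOCATION"

      - name: Deploy once the change is merged to main
        if: github.event_name == 'push'
        run: |
          az deployment group create \
            --name "gh-${GITHUB_RUN_ID}" \
            --resource-group "$RESOURCE_GROUP" \
            --template-file infra/main.bicep \
            --parameters location="$LOCATION" \
            --mode Incremental
```

The what-if step gives reviewers the planned resource changes as a PR check; the create step only runs after merge. The identity behind azure/login needs Contributor on the resource group and nothing broader, and because it is a federated credential scoped to this repository and branch, a leaked workflow log exposes nothing reusable.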
Learning Objective: Protecting Production
Pull Request Workflows
• Workflow triggers on PR to main branch
• Build, test, deploy
• Checks before merging
Trunk-based development
(diagram: trunk/main, short-lived feature branches, release branches with no commits)
Trunk-based development – Topic Branches
(diagram: short-lived feature branches taken from trunk/main)
Trunk-based development – Merge, Build and Deploy
(diagram: feature branches merged back into trunk/main, which is built and deployed)
Trunk-based development – Releases
(diagram: release branches cut from trunk/main, with no direct commits)
Demo • Trunk Based Development and PR Workflows
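The pull request workflow described above (trigger on PR to main, build and test, checks before merging), which also serves as the concrete example for the GitHub Actions section earlier: an added workflow, not code from the deck or from the eShopOnWeb repository. It assumes a .NET 8 solution file named eShopOnWeb.sln and a web project at src/Web/Web.csproj.

```yaml
# .github/workflows/pr-ci.yml  (added example; solution and project paths are assumptions)
name: PR checks

on:
  pull_request:
    branches: [main]       # every PR targeting trunk
  push:
    branches: [main]       # and again after the merge, so trunk itself is always verified

# Least privilege for the job's GITHUB_TOKEN: building and testing only reads the repo.
permissions:
  contents: read

# A newer push to the same PR cancels the run still in flight.
concurrency:
  group: pr-ci-${{ github.ref }}
  cancel-in-progress: true

jobs:
  build-and-test:           # this job name is the status check to require in branch protection
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '8.0.x'

      - name: Restore and build
        run: dotnet build eShopOnWeb.sln --configuration Release

      - name: Test
        run: dotnet test eShopOnWeb.sln --configuration Release --no-build --logger trx

      # Only trunk produces a deployable artifact; PR builds never become releases.
      - name: Publish
        if: github.event_name == 'push'
        run: dotnet publish src/Web/Web.csproj --configuration Release --no-build --output publish

      - name: Upload deployable artifact
        if: github.event_name == 'push'
        uses: actions/upload-artifact@v4
        with:
          name: web
          path: publish
```

To make the check actually gate production, configure branch protection on main to require pull requests, require the build-and-test status check to pass, and disallow direct pushes; that turns the trunk-based flow on the previous slides into something the platform enforces. Keep deployment steps out of this workflow: pull_request runs triggered from forks get a read-only token and no repository secrets, which is what you want for untrusted code.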
Learning Objective: Explore slot deployment for Pre-Production environments
Deployment slots: Staging and Production
Deployment slots – Staging traffic: Staging 100%, Production 0%
Deployment slots – Production traffic: Staging 0%, Production 100%
Deployment slots – Canary deployment: Staging 10%, Production 90%
Demo • CI/CD with pre-production and UAT environments
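The staging, canary and swap steps pictured above, expressed as one added GitHub workflow (not code from the deck or from the eShopOnWeb repository). It assumes an App Service named eshop-web in resource group rg-eshop-prod with a slot called staging, a web project at src/Web/Web.csproj, and two GitHub Environments named production and production-swap that each have required reviewers configured.

```yaml
# .github/workflows/release.yml  (added example; names are assumptions)
name: Release with deployment slots

on:
  push:
    branches: [main]

permissions:
  id-token: write
  contents: read

env:
  APP_NAME: eshop-web               # assumed App Service name
  RESOURCE_GROUP: rg-eshop-prod     # assumed resource group
  SLOT: staging                     # assumed slot name

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-dotnet@v4
        with: { dotnet-version: '8.0.x' }
      - run: dotnet publish src/Web/Web.csproj --configuration Release --output publish
      - uses: actions/upload-artifact@v4
        with: { name: web, path: publish }

  deploy-staging:
    needs: build
    runs-on: ubuntu-latest
    environment: staging              # slot gets the build; production traffic is still 0%
    steps:
      - uses: actions/download-artifact@v4
        with: { name: web, path: publish }
      - uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - uses: azure/webapps-deploy@v3
        with:
          app-name: ${{ env.APP_NAME }}
          slot-name: ${{ env.SLOT }}
          package: publish
      - name: Smoke test the slot before any real user reaches it
        run: curl --fail --silent --show-error "https://${APP_NAME}-${SLOT}.azurewebsites.net/"

  canary:
    needs: deploy-staging
    runs-on: ubuntu-latest
    environment: production           # protected environment: reviewers approve before this runs
    steps:
      - uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: Send 10% of production traffic to the staging slot
        run: >
          az webapp traffic-routing set --name "$APP_NAME" --resource-group "$RESOURCE_GROUP"
          --distribution "${SLOT}=10"

  promote:
    needs: canary
    runs-on: ubuntu-latest
    environment: production-swap      # second approval gate, taken after watching canary metrics
    steps:
      - uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: Swap staging into production
        run: >
          az webapp deployment slot swap --name "$APP_NAME" --resource-group "$RESOURCE_GROUP"
          --slot "$SLOT" --target-slot production
      # After the swap the staging slot holds the previous build, so the 10% split
      # must be removed or a tenth of users would silently get the old version back.
      - name: Clear the canary split
        run: az webapp traffic-routing clear --name "$APP_NAME" --resource-group "$RESOURCE_GROUP"
```

If the canary looks bad, rejecting the production-swap approval leaves production untouched; running az webapp traffic-routing clear by hand returns to 0% on the slot immediately. The two protected environments are what "Protect production with GitHub Environments" in the summary refers to: the workflow cannot reach the swap without a human approval recorded on the run.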
Learning Objective: Handling Keys and Credentials
GitHub Secrets
Create encrypted secrets
• Like environment variables, but encrypted
• Created at repository or organization level
• Created/assigned in the GitHub UI (GitHub Secrets settings)
Use secrets in a workflow
• Secrets are not automatically passed to runners
• Can be passed as inputs or as environment variables
• Avoid passing secrets in command-line arguments

Passing a secret as an action input (the action name is the slide's placeholder; the inputs under `with` must be declared by the action you actually call):

    steps:
      - name: Test Database Connectivity
        uses: actions/upload-artifact
        with:
          db_username: ${{ secrets.DBUserName }}
          db_password: ${{ secrets.DBPassword }}

Passing a secret as an environment variable (db_test is the slide's placeholder command; in PowerShell the variable is read as $env:DB_PASSWORD, not $env.DB_PASSWORD):

    steps:
      - shell: pwsh
        env:
          DB_PASSWORD: ${{ secrets.DBPassword }}
        run: |
          # Better still, let db_test read DB_PASSWORD from its own environment:
          # whatever is placed on its command line is visible to other processes on the runner.
          db_test "$env:DB_PASSWORD"
Azure Key Vault
• Keys, Secrets, Certificates
Azure Key Vault actions
Future ideas for eShopOnWeb
• Rotate credentials in Key Vault when an admin asks a Teams Bot
• Automatically build a new dev environment and fork a repository based on a properly-formatted issue
• Pull commit messages since the last production release and build release notes for customers
Demo • Integrating Azure Key Vault with Azure DevOps
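Reading a secret from Azure Key Vault inside a workflow instead of storing it as a GitHub secret, as an added example (not code from the deck or from the eShopOnWeb repository). It assumes a vault named kv-eshop-prod holding a secret CatalogDbConnection, that the federated identity used by azure/login holds the Key Vault Secrets User role on that vault, and EF Core migrations in src/Infrastructure with src/Web as the startup project.

```yaml
# .github/workflows/db-migrate.yml  (added example; vault, secret and project names are assumptions)
name: Apply database migrations

on:
  workflow_dispatch:       # run deliberately, not on every push

permissions:
  id-token: write
  contents: read

env:
  KEY_VAULT: kv-eshop-prod            # assumed vault name
  SECRET_NAME: CatalogDbConnection    # assumed secret name

jobs:
  migrate:
    runs-on: ubuntu-latest
    environment: production           # protected environment: approval required to read prod secrets
    steps:
      - uses: actions/checkout@v4

      - uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Fetch the secret and register it with the log masker before it goes anywhere
        id: kv
        run: |
          value=$(az keyvault secret show --vault-name "$KEY_VAULT" --name "$SECRET_NAME" \
                    --query value --output tsv)
          echo "::add-mask::$value"                 # every later occurrence in the log becomes ***
          echo "conn=$value" >> "$GITHUB_OUTPUT"    # hand it to the next step as a masked output

      - name: Run migrations (the secret arrives through the environment, never on a command line)
        env:
          ConnectionStrings__CatalogConnection: ${{ steps.kv.outputs.conn }}
        run: |
          dotnet tool install --global dotnet-ef
          dotnet ef database update --project src/Infrastructure --startup-project src/Web
```

The value only ever exists in the runner's memory for the duration of the job: nothing is stored in GitHub, rotation happens in the vault alone, and access is audited on the vault side. Keep add-mask immediately after the retrieval, and never enable shell tracing (set -x) in a step that handles the value, since tracing prints expanded commands before the masker sees them.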
What did we learn?
• Continuous Integration
• Continuous Delivery
• Continuous Deployment
Summary
• Add CD to your pipeline!
• Continuously deploy somewhere
• Protect production with GitHub Environments
• Centralize Secrets Storage
Incorporate performance testing in your CI/CD pipeline
Learning Objectives
• Understanding application behavior in production
• Proactive Incident Response
• Guiding incident response with automation
• Azure Load Testing
Learning Objective: Understanding application behavior in production
Agenda
• Understanding Application Behavior: Creating Visibility in Production
• Proactive Incident Response: If no one is on-call, everyone is
• Guiding Incident Response with Automation: Using computers to help people do the right things
The goals for monitoring our production systems
• Improve Time to Detect
• Reduce Time to Mitigate/Remediate
• Enable Validated Learning
Sources of Monitoring Data
• Real User Monitoring
• Synthetic Transactions
• Telemetry
Defining effective monitoring
• What and why?
• Over what time period?
• Who needs to know?
Demo From Instrumentation to Alerting
Learning Objective: Proactive Incident Response
Disaster Strikes!
• API calls are failing!
• Email notifications went out… to everyone
• And time goes by…
Establishing a basic designated responsible individual (DRI) rotation
• Create a shared DRI schedule
• Identify an escalation path
• Define response time targets
The DRI is responsible for
• Responding to alerts/incidents in the defined time window
• Coordinating with partner service DRIs
• Ensuring the proper escalation of severe or long-running issues
Incident Response
Incident notifications are not:
• Broadly distributed
• Informational only
• Heartbeat or logging
Incident notifications are:
• Specifically directed
• Actionable
• In need of human intervention
Learning Objective: Guiding incident response with automation
The value of automation
"Can't see the value of automation?!! At some point it's an IQ test."
– Jeffrey Snover, Technical Fellow and Creator of PowerShell, 2010
Reducing manual intervention
• Move manual, repetitive tasks to automation
• Reduce human interaction to reduce variability in response
• Protect production by ensuring notification and response
Demo Creating a Basic DRI Notification
Learning Objective: Azure Load Testing
Explore Azure Load Testing
Azure Load Testing is a fully managed load-testing service that enables you to generate high-scale load. Integrate Azure Load Testing in your CI/CD pipeline during the development lifecycle.
(diagram: a JMeter script drives one or more Azure Load Testing test engines against the application and its Azure dependencies: App Service, Kubernetes, Virtual Machine, Azure SQL Server, Storage account; Application Insights and Azure Monitor feed the metrics dashboard)
Demo • Identify performance regressions with Azure Load Testing and GitHub Actions
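Running Azure Load Testing from a workflow with pass/fail criteria, so a latency or error-rate regression fails the pipeline instead of being noticed in production: an added example, not code from the deck or from the eShopOnWeb repository. It assumes a JMeter plan at loadtest/eshop-home.jmx, an Azure Load Testing resource named lt-eshop in resource group rg-eshop-prod, and a staging slot reachable at eshop-web-staging.azurewebsites.net. The first YAML document is the test configuration file the action reads; the second is the workflow.

```yaml
# loadtest/config.yaml  (added example; test plan, thresholds and names are assumptions)
version: v0.1
testId: eshop-home
displayName: eShopOnWeb home page
testPlan: eshop-home.jmx          # JMeter script committed next to this file
description: Catch performance regressions before a release
engineInstances: 1
failureCriteria:
  - avg(response_time_ms) > 500   # regression threshold: fails the run, and so the workflow
  - percentage(error) > 5
---
# .github/workflows/loadtest.yml  (added example)
name: Load test

on:
  workflow_dispatch:
  pull_request:
    branches: [main]

permissions:
  id-token: write
  contents: read

jobs:
  loadtest:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      # Target the staging slot, never production: a load test is a self-inflicted DoS.
      - name: Run the load test against the staging slot
        uses: azure/load-testing@v1
        with:
          loadTestConfigFile: loadtest/config.yaml
          loadTestResource: lt-eshop              # assumed Azure Load Testing resource
          resourceGroup: rg-eshop-prod            # assumed resource group
          env: |
            [
              { "name": "webapp", "value": "eshop-web-staging.azurewebsites.net" }
            ]

      - name: Keep the results even when the thresholds fail the job
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: loadTestResults
          path: ${{ github.workspace }}/loadTest
```

The JMeter plan reads the target host from the webapp variable passed through env, so the same plan can be pointed at UAT or staging without editing it. Because the failure criteria live in the committed configuration file, a threshold change goes through the same pull request review as any other change to the pipeline.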
DevOps and eShopOnWeb
Recap
• Understanding Application Behavior
• Responsible Incident Response
• Guiding Incident Response with Automation
The value of automation
"In a lousy economy, NOTHING is more important than automation."
– Jeffrey Snover, Technical Fellow and Creator of PowerShell, 2010
Session Resources
Explore Microsoft Learn Content for the AZ-400 Certification
Get Certified: Designing and Implementing Microsoft DevOps Solutions
http://aka.ms/AZ-400