http://aka.

ms/fundamentalsofazure
Today’s Agenda
1. Current Challenges
2. Basics of Azure Resource Groups & Azure
Resource Manager
3. Role Based Access Control
4. ARM Template Details
Managing Azure Deployments
Azure Service Manager (ASM)
Traditional way to deploy and manage applications hosted in Azure
Production Portal
PowerShell / CLI (default mode)
REST API

Azure Resource Manager (ARM)

Modern way to deploy and manage applications hosted in Azure
Preview “Ibiza” Portal
PowerShell / CLI (ARM mode)
REST API
Azure Resource Management Library for .NET
The Challenge
????

Deploy/Update logical group

of resources

Visualize related resources:

Provision/Deprovision
Costs
Security/Permissions
Single Resource Point-of-View
Deployment – complex.

Coordinated deployment?

Communication/configuration between resources?

dency
depen

depen
dency

web.config
Single Resource Point-of-View
The Foundation

AZURE RESOURCE GROUPS

Azure Resource Groups
Lifecycle of application and
resources

Declarative

Consistent Management API

Resource Group
Azure Resource Manager
What is Azure Resource Manager?
Unit of Management
• Lifecycle
• Identity
• Grouping

One Resource -> One Resource Group

Resource Group
Resource Groups
One or Many?

Resource Group

Resource Group Resource Group

How are the resources managed?

 Consistent Management Layer
Tools

Azure Resource Manager

REST API
https://management.azure.com/subscriptions/{{subscriptionId}}/
providers?api-version={{apiVersion}}

Provider Contract

Resource
Provider
?
Website VM SQL DB Cache …..
Benefits
SQL-
Desired-state deployment Websit
A
e
[SQL CONFIG] VM
(2x)

Faster deployment

Role-based access control (RBAC)

DEPENDS ON DEPENDS ON
Resource-provider model SQL SQL

Orchestration
Virtu
SQL - Websit Machin
al
Resource configuration A e es

SQ CONFI
L G

Image source - http://channel9.msdn.com/Events/Build/2014/2-607

Why

?
• Internal software development teams
– Quickly deploy technologies
– Rapidly create training environments
– Consistent deployment with enforced constraints

• Corporate IT
– Predefined environments for dev, QA, or production

?
– Provide LOB solutions

• ISV/CSV
– Hosting a solution for customers
– Inject solution into customer’s subscription
– Sell via Azure Marketplace

?
• Community / OSS
– Host on GitHub to allow community to share and improve.
 Browse the Azure Preview Portal

DEMO
Browse the Azure Preview Portal
ARM Definitions
Resource: Atomic unit of deployment

Resource Group: Collection of resources

Resource Provider: Manages specific kinds of

resources

Resource Type: Specifies the type of resource

Resource Providers
Deploy specific types of resources

Identified by provider namespace

e.g., Microsoft.Compute, Microsoft.Storage, Microsoft.Web (~ 25 Microsoft or customer namespaces)

Resource types
Each provider namespace manages one or more resource types
Microsoft.Compute/availabiltySets
Microsoft.Compute/virtualMachines
Microsoft.Compute/locations
Different regional availability and apiVersion
Resource Providers - PowerShell
Get-AzureLocation indicates which resourceTypes
are available in each region
Get-AzureProvider indicates which resource
providers and apiVersions are available in each region.

(Get-AzureProvider -ProviderNamespace Microsoft.Storage).ResourceTypes | Where

{ $_.ResourceTypeName -eq 'storageAccounts' } | Select –ExpandProperty ApiVersions

(Get-AzureProvider -ProviderNamespace Microsoft.Storage).ResourceTypes | Where

{ $_.ResourceTypeName -eq 'storageAccounts' } | Select -ExpandProperty Locations
20
Resource Group Definition
Name
Unique inside a subscription
Id
Unique across Azure
Location
Resources
Set of resources in the resource group
Tags
Resource group can be tagged to provide (billing) metadata
 Resource Group Definition
PS C:\> New-AzureResourceGroup -Name VSLiveNYC -Location "East US" -Tag @{Name=“Event";
Value=“VSLIVE"}, @{Name="Admin";Value="mcollier"}
VERBOSE: 9:52:35 PM - Created resource group ‘VSLiveNYC' in location 'eastus'

ResourceGroupName : VSLiveNYC
Location : eastus
ProvisioningState : Succeeded
Tags :
Name Value
========= ========
Event VSLIVE
Admin mcollier

Permissions :
Actions NotActions
======= ==========
*

ResourceId : /subscriptions/xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/
VSLiveNYC
 Resource Group Definition
C:\Users\MCOLLIER>azure
info: _ _____ _ ___ ___
info: /_\ |_ / | | | _ \ __|
info: _ ___/ _ \__/ /| |_| | / _|___ _ _
info: (___ /_/ \_\/___|\___/|_|_\___| _____)
info: (_______ _ _) _ ______ _)_ _
info: (______________ _ ) (___ _ _)
info:
info: Microsoft Azure: Microsoft's Cloud Platform
info:
info: Tool version 0.9.9
help:
help: Display help for a given command
help: help [options] [command]
help:
help: Log in to an Azure subscription using Active Directory. Currently, the user can login only via Microsoft organizational account
help: login [options] [username]
help:
help: Log out from Azure subscription using Active Directory. Currently, the user can log out only via Microsoft organizational account
help: logout [options] [username]
help:
help: Open the portal in a browser
help: portal [options]
help:
help: Commands:
help: account Commands to manage your account information and publish settings
help: config Commands to manage your local settings
help: hdinsight Commands to manage HDInsight clusters and jobs
help: mobile Commands to manage your Mobile Services
help: network Commands to manage your networks
help: sb Commands to manage your Service Bus configuration
help: service Commands to manage your Cloud Services
help: site Commands to manage your Web Sites
help: sql Commands to manage your SQL Server accounts
help: storage Commands to manage your Storage objects
help: vm Commands to manage your Virtual Machines
help:
help: Options:
help: -h, --help output usage information
help: -v, --version output the application version
help:
help: Current Mode: asm (Azure Service Management)
 Resource Group Definition
C:\Users\MCOLLIER>C:\Users\MCOLLIER>azure login [email protected]
info: Executing command login
Password: ********
/info: Added subscription Visual Studio Ultimate with MSDN (Microsoft FTE)
info: Setting subscription "Visual Studio Ultimate with MSDN (Microsoft FTE)" as default
+
info: login command OK

C:\Users\MCOLLIER>azure config mode arm

info: New mode is arm
C:\C:\Users\MCOLLIER>azure group create -n "vslivenyc2015-cli" -l "East US" -t event=vslive;admin=mcollier
info: Executing command group create
+ Getting resource group vslivenyc2015-cli
+ Creating resource group vslivenyc2015-cli
info: Created resource group vslivenyc2015-cli
data: Id: /subscriptions/0bbbc191-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/
vslivenyc2015-cli
data: Name: vslivenyc2015-cli
data: Location: eastus
data: Provisioning State: Succeeded
data: Tags: event=vslive;admin=mcollier
data:
info: group create command OK
C:\Users\MCOLLIER>
Resource Characteristics
Resource group
Resource exists in precisely one resource group at any time
Resource can be moved from one resource group to another
Location
Resource can be created in any region where there is an a
appropriate resource provider
Locks
Resource can be locked to prevent deletion
Tags
Resource can be tagged to provide (billing) metadata
Resource Group Characteristics
Two types of resource groups
Lifecycle
Shared
Lifecyle
Contains resources with common lifecycle and management
e.g., virtual machines and storage accounts for an application
Shared
Contains resources shared among several resource groups
e.g., VNETs used to host VMs from many applications
Resource Definition
Name
Unique for resource group and resource type (e.g.,
Microsoft.Compute/virtualMachines)
{
Id "apiVersion": "2015-05-01-preview",
Unique across Azure "type": "Microsoft.Storage/storageAccounts",
"name": "[parameters('newStorageAccountName')]",
/subscriptions/GUID/resourceGroups/myRG/providers/Microsoft.Compute/
"location": "[resourceGroup().location]",
virtualMachines/vmName "tags": {
Location },
"displayName": "StorageAccount"

ResourceType "properties": {
"accountType":
ResourceGroup "[variables('storageAccountType')]"
Properties }
}
Additional properties specific to the resource provider
Resource Tags
Tag {
"apiVersion": "2015-05-01-preview",
Name/value pair "type": "Microsoft.Compute/availabilitySets",
"name": "[variables('availabilitySetName')]",
Provides metadata to classify resources and resource
"location": "[resourceGroup().location]",
groups "tags": {
"displayName": "AvailabilitySet"
Resources and resource
}
groups
}

An array of tags can be associated with a resource or a

resource group
Billing > New-AzureResourceGroup -Name VSLiveNYC -Location
"East US" -Tag @{Name=“Event"; Value=“VSLive"},
Tags are surfaced to Azure bills so they can be used in
@{Name="Admin";Value="mcollier"}
allocating resource costs
Resource Locks
Prevents deletion of a resource or
resource group
Associate a resource lock with the resource or
resource group
Only the Owner or User Access Administrator
roles can create or modify locks
Resource Locks
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"name": "[parameters('newStorageAccountName')]",
"apiVersion": "2015-05-01-preview",
"location": "[parameters('location')]",
"properties": {
"accountType": "[parameters('storageAccountType')]"
},
"resources": [
{ Name of the lock
"type": "Microsoft.Storage/storageAccounts/providers/locks",
"name": "[concat(parameters('newStorageAccountName'),
'/Microsoft.Authorization/collierLock')]",
"apiVersion": "2015-01-01",
"dependsOn": [ "[concat('Microsoft.Storage/storageAccounts/',
parameters('newStorageAccountName'))]" ],
"properties": {
"level": "CannotDelete",
"notes": "Mike's important files - do not delete!"
}
} ]
} ]
Options: CannotDelete and ReadOnly*
Resource Locks
# Apply a resource lock to the storage account.
New-AzureResourceLock -LockLevel CanNotDelete `
-LockNotes 'No deleting!' `
-LockName 'CollierLock' `
-ResourceName $storageAccountName `
-ResourceType 'Microsoft.Storage/storageAccounts' `
-ResourceGroup $resourceGroup –Verbose

# Apply a resource lock to an entire resource group

New-AzureResourceLock -LockLevel CanNotDelete `
-LockNotes 'No deleting!' `
-LockName 'CollierGroupLock' `
-ResourceGroup 'CollierMedia' -Verbose
Resource Locks
More information:
https://michaelscollier.com/2015/06/21/lock-
down-your-azure-resources/
Azure Resource Groups

ROLE BASED ACCESS CONTROL

Motivation
ASM
Admins, co-admins and X.509 certs
No RBAC
Pushback from enterprises

Azure Active Directory

Cloud-scale directory service

ARM
AAD
RBAC
RBAC
Assign an AAD identity to a role at some scope
ARM mode
Role
Specifies a set of Actions and NotActions
Contains zero or more AAD identities

35
RBAC Scope
Know Your Role
Core system roles
Owner
Contributor
Reader
Security Manager
User Access Administrator

Resource-based roles
Virtual Machine Contributor
SQL Server Contributor
… (currently 20)

Custom roles
Announced at Ignite 2015
Know Your Role
Assign via PowerShell
New-AzureRoleAssignment
Remove-AzureRoleAssignment
Get-AzureRoleAssignment
Get-AzureRoleDefinition
New-AzureRoleAssignment `
-UserPrincipalName [email protected] `
-RoleDefinitionName Reader `
-Scope
/subscriptions/GUID/resourceGroups/SomeResourceGroup
Name
Know Your Role
Assign via Azure Preview Portal
Know Your Role
Assign via Azure Preview Portal
Know Your Role
Assign via Azure Preview Portal
Know Your Role
Assign via Azure Preview Portal
Role Actions
Switch-AzureMode -Name AzureResourceManager

$roles = Get-AzureRoleDefinition #| where { $_.Name -like "SQL*"}

foreach ($def in $roles) {

Write-Host 'Role: '$def.Name
Write-Host 'Actions'
(Get-AzureRoleDefinition -Name $def.Name).Actions
Write-Host 'NotActions'
(Get-AzureRoleDefinition -Name $def.Name).NotActions
Write-Host ([Environment]::NewLine)
}
Features and Deployment

ARM TEMPLATES
ARM Deployment Options
ARM Templates
Desired-state deployment for a single resource group
Parameterized JSON template
Resources deployed in parallel
Resource dependency constraints enforced
Template language provides some built-in functions
ARM Deployment Options
Azure PowerShell Azure XPlat CLI Azure Preview Portal Deploy To Azure

> Switch-AzureMode
AzureResourceManager
https://github.com/Azure/azure-quickstart-
Azure Marketplace
azure config mode templates
* https://github.com/Azure/azure- arm
Resource Manager stack
powershell/wiki/Deprecation-of- http://deploy.azure.com
Switch-AzureMode-in-Azure-
PowerShell

ARM mode
Resource-specific cmdlets
Template-deployment cmdlets
ARM Templates
Template file comprises several sections
parameters – parameterizes the deployment of a template
variables – provides variables used in the definition of resources
resources – specifies a goal state for a set of resources in a resource group
outputs – provides values to be returned from the template

Parameter file provides actual values for parameters

Goal state
Parameterized template provides the goal state for a resource group
Resource group specified at runtime
ARM Functions
ARM Templates supports small set of built-in functions
parameters, variables
reference, resourceGroup, resourceId
base64, concat, padLeft, padLeft, replace, toLower, toUpper
deployment, provider, subscription
listKeys

Not supported
User-defined functions
Control constructs – if, while, etc.
Loops and Nested Templates
Loops
Provide basic copy capability
Useful in cloning resource configuration
For example, deploying multiple VMs

Nested Templates
One template can invoke another
Simplifies creation of sophisticated templates
Supports parameters
Supports output variables
ARM Deployment Logs
Logs
Provider
Resource group
Resource

Availability
Kept for 15 days
Default is last hour (PowerShell)
Filter by Status e.g., Failed

PowerShell
Get-AzureResourceProviderLog
Get-AzureResourceGroupLog
Get-AzureResourceLog
Explore and Deploy an ARM template

DEMO
Inside vs. Outside the box
ARM Template

State Configuration /
Extensions
Inside vs. Outside the box
• Outside – part of the template
– VM, network topology, tags, RBAC, references to
certs/secrets, etc.

• Inside – executed by template only

– Configure server roles, configure software, deploy a
website, manage services, manage local users, etc.
– Extensions for PowerShell DSC, Chef, and Puppet.
Free Form . . . Ideal?
User selects arbitrary configuration
Number of nodes, VM sizes, disks, storage accounts, etc.

Maintenance overhead
Support for an undetermined number of configs

Subscription management
Resource limits per subscription
Density challenge – set aside capacity for potential use
Subscription creation cannot be automated
Known Configuration
T-Shirt Sizing
Size: Small, Medium, Large
Product/Audience: Community, Enterprise
Feature: Basic, High Availability
Flexibility within size to select number of resources (to
max)

Known sizing – known resources

 Template Decomposition
Parameters Shared Resources Template

adminUserName
Template Metadata
adminPassword
storageAccountName
region
virtualNetworkName Optional Resource
Main Template Template(s)
addressPrefix
subnetName
subnetPrefix
jumpbox Known Configuration
Resources Template Widely Reusable Script(s)
tshirtSize
osFamily

Member Resources Custom Scripts

Template(s)
57
Image: https://azure.microsoft.com/en-us/documentation/articles/best-practices-resource-manager-design-templates/#identifying-what-is-outside-and-inside-of-a-vm
Advanced ARM template

DEMO
Summary
Application Lifecycle Management
Provision & deprovision resources for an application as a logical unit

Declarative
Rapid, repeatable deployment
Save application topology

Consistent Management API

Uniform REST API
Portal, Command Line, PowerShell, Visual Studio or other tools

ARM is the future of resource management in Azure

Resources
ARM Template Examples
– https://github.com/azure/azure-quickstart-templates

Best Practices for Designing Azure Resource Manager Templates

https://azure.microsoft.com/en-us/documentation/articles/best-practices-resource-manager-design-templates/

Rest API Reference

http://msdn.microsoft.com/en-us/library/azure/dn790568.aspx

ARM Template Functions

https://azure.microsoft.com/en-us/documentation/articles/resource-group-template-functions/

Azure Resource Explorer

https://resources.azure.com/

Microsoft Cloud Solution Architect Blog

http://aka.ms/csablog/
Questions?