http://aka.
ms/fundamentalsofazure
Today’s Agenda
1. Current Challenges
2. Basics of Azure Resource Groups & Azure
Resource Manager
3. Role Based Access Control
4. ARM Template Details
Managing Azure Deployments
Azure Service Manager (ASM)
Traditional way to deploy and manage applications hosted in Azure
Production Portal
PowerShell / CLI (default mode)
REST API
Azure Resource Manager (ARM)
Modern way to deploy and manage applications hosted in Azure
Preview “Ibiza” Portal
PowerShell / CLI (ARM mode)
REST API
Azure Resource Management Library for .NET
The Challenge
????
Deploy/Update logical group
of resources
Visualize related resources:
Provision/Deprovision
Costs
Security/Permissions
Single Resource Point-of-View
Deployment – complex.
Coordinated deployment?
Communication/configuration between resources?
dency
depen
depen
dency
web.config
Single Resource Point-of-View
The Foundation
AZURE RESOURCE GROUPS
Azure Resource Groups
Lifecycle of application and
resources
Declarative
Consistent Management API
Resource Group
Azure Resource Manager
What is Azure Resource Manager?
Unit of Management
• Lifecycle
• Identity
• Grouping
One Resource -> One Resource Group
Resource Group
Resource Groups
One or Many?
Resource Group
Resource Group Resource Group
How are the resources managed?
Consistent Management Layer
Tools
Azure Resource Manager
REST API
https://management.azure.com/subscriptions/{{subscriptionId}}/
providers?api-version={{apiVersion}}
Provider Contract
Resource
Provider
?
Website VM SQL DB Cache …..
Benefits
SQL-
Desired-state deployment Websit
A
e
[SQL CONFIG] VM
(2x)
Faster deployment
Role-based access control (RBAC)
DEPENDS ON DEPENDS ON
Resource-provider model SQL SQL
Orchestration
Virtu
SQL - Websit Machin
al
Resource configuration A e es
SQ CONFI
L G
Image source - http://channel9.msdn.com/Events/Build/2014/2-607
Why
?
• Internal software development teams
– Quickly deploy technologies
– Rapidly create training environments
– Consistent deployment with enforced constraints
• Corporate IT
– Predefined environments for dev, QA, or production
?
– Provide LOB solutions
• ISV/CSV
– Hosting a solution for customers
– Inject solution into customer’s subscription
– Sell via Azure Marketplace
?
• Community / OSS
– Host on GitHub to allow community to share and improve.
Browse the Azure Preview Portal
DEMO
Browse the Azure Preview Portal
ARM Definitions
Resource: Atomic unit of deployment
Resource Group: Collection of resources
Resource Provider: Manages specific kinds of
resources
Resource Type: Specifies the type of resource
Resource Providers
Deploy specific types of resources
Identified by provider namespace
e.g., Microsoft.Compute, Microsoft.Storage, Microsoft.Web (~ 25 Microsoft or customer namespaces)
Resource types
Each provider namespace manages one or more resource types
Microsoft.Compute/availabiltySets
Microsoft.Compute/virtualMachines
Microsoft.Compute/locations
Different regional availability and apiVersion
Resource Providers - PowerShell
Get-AzureLocation indicates which resourceTypes
are available in each region
Get-AzureProvider indicates which resource
providers and apiVersions are available in each region.
(Get-AzureProvider -ProviderNamespace Microsoft.Storage).ResourceTypes | Where
{ $_.ResourceTypeName -eq 'storageAccounts' } | Select –ExpandProperty ApiVersions
(Get-AzureProvider -ProviderNamespace Microsoft.Storage).ResourceTypes | Where
{ $_.ResourceTypeName -eq 'storageAccounts' } | Select -ExpandProperty Locations
20
Resource Group Definition
Name
Unique inside a subscription
Id
Unique across Azure
Location
Resources
Set of resources in the resource group
Tags
Resource group can be tagged to provide (billing) metadata
Resource Group Definition
PS C:\> New-AzureResourceGroup -Name VSLiveNYC -Location "East US" -Tag @{Name=“Event";
Value=“VSLIVE"}, @{Name="Admin";Value="mcollier"}
VERBOSE: 9:52:35 PM - Created resource group ‘VSLiveNYC' in location 'eastus'
ResourceGroupName : VSLiveNYC
Location : eastus
ProvisioningState : Succeeded
Tags :
Name Value
========= ========
Event VSLIVE
Admin mcollier
Permissions :
Actions NotActions
======= ==========
*
ResourceId : /subscriptions/xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/
VSLiveNYC
Resource Group Definition
C:\Users\MCOLLIER>azure
info: _ _____ _ ___ ___
info: /_\ |_ / | | | _ \ __|
info: _ ___/ _ \__/ /| |_| | / _|___ _ _
info: (___ /_/ \_\/___|\___/|_|_\___| _____)
info: (_______ _ _) _ ______ _)_ _
info: (______________ _ ) (___ _ _)
info:
info: Microsoft Azure: Microsoft's Cloud Platform
info:
info: Tool version 0.9.9
help:
help: Display help for a given command
help: help [options] [command]
help:
help: Log in to an Azure subscription using Active Directory. Currently, the user can login only via Microsoft organizational account
help: login [options] [username]
help:
help: Log out from Azure subscription using Active Directory. Currently, the user can log out only via Microsoft organizational account
help: logout [options] [username]
help:
help: Open the portal in a browser
help: portal [options]
help:
help: Commands:
help: account Commands to manage your account information and publish settings
help: config Commands to manage your local settings
help: hdinsight Commands to manage HDInsight clusters and jobs
help: mobile Commands to manage your Mobile Services
help: network Commands to manage your networks
help: sb Commands to manage your Service Bus configuration
help: service Commands to manage your Cloud Services
help: site Commands to manage your Web Sites
help: sql Commands to manage your SQL Server accounts
help: storage Commands to manage your Storage objects
help: vm Commands to manage your Virtual Machines
help:
help: Options:
help: -h, --help output usage information
help: -v, --version output the application version
help:
help: Current Mode: asm (Azure Service Management)
Resource Group Definition
C:\Users\MCOLLIER>C:\Users\MCOLLIER>azure login [email protected]
info: Executing command login
Password: ********
/info: Added subscription Visual Studio Ultimate with MSDN (Microsoft FTE)
info: Setting subscription "Visual Studio Ultimate with MSDN (Microsoft FTE)" as default
+
info: login command OK
C:\Users\MCOLLIER>azure config mode arm
info: New mode is arm
C:\C:\Users\MCOLLIER>azure group create -n "vslivenyc2015-cli" -l "East US" -t event=vslive;admin=mcollier
info: Executing command group create
+ Getting resource group vslivenyc2015-cli
+ Creating resource group vslivenyc2015-cli
info: Created resource group vslivenyc2015-cli
data: Id: /subscriptions/0bbbc191-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/
vslivenyc2015-cli
data: Name: vslivenyc2015-cli
data: Location: eastus
data: Provisioning State: Succeeded
data: Tags: event=vslive;admin=mcollier
data:
info: group create command OK
C:\Users\MCOLLIER>
Resource Characteristics
Resource group
Resource exists in precisely one resource group at any time
Resource can be moved from one resource group to another
Location
Resource can be created in any region where there is an a
appropriate resource provider
Locks
Resource can be locked to prevent deletion
Tags
Resource can be tagged to provide (billing) metadata
Resource Group Characteristics
Two types of resource groups
Lifecycle
Shared
Lifecyle
Contains resources with common lifecycle and management
e.g., virtual machines and storage accounts for an application
Shared
Contains resources shared among several resource groups
e.g., VNETs used to host VMs from many applications
Resource Definition
Name
Unique for resource group and resource type (e.g.,
Microsoft.Compute/virtualMachines)
{
Id "apiVersion": "2015-05-01-preview",
Unique across Azure "type": "Microsoft.Storage/storageAccounts",
"name": "[parameters('newStorageAccountName')]",
/subscriptions/GUID/resourceGroups/myRG/providers/Microsoft.Compute/
"location": "[resourceGroup().location]",
virtualMachines/vmName "tags": {
Location },
"displayName": "StorageAccount"
ResourceType "properties": {
"accountType":
ResourceGroup "[variables('storageAccountType')]"
Properties }
}
Additional properties specific to the resource provider
Resource Tags
Tag {
"apiVersion": "2015-05-01-preview",
Name/value pair "type": "Microsoft.Compute/availabilitySets",
"name": "[variables('availabilitySetName')]",
Provides metadata to classify resources and resource
"location": "[resourceGroup().location]",
groups "tags": {
"displayName": "AvailabilitySet"
Resources and resource
}
groups
}
An array of tags can be associated with a resource or a
resource group
Billing > New-AzureResourceGroup -Name VSLiveNYC -Location
"East US" -Tag @{Name=“Event"; Value=“VSLive"},
Tags are surfaced to Azure bills so they can be used in
@{Name="Admin";Value="mcollier"}
allocating resource costs
Resource Locks
Prevents deletion of a resource or
resource group
Associate a resource lock with the resource or
resource group
Only the Owner or User Access Administrator
roles can create or modify locks
Resource Locks
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"name": "[parameters('newStorageAccountName')]",
"apiVersion": "2015-05-01-preview",
"location": "[parameters('location')]",
"properties": {
"accountType": "[parameters('storageAccountType')]"
},
"resources": [
{ Name of the lock
"type": "Microsoft.Storage/storageAccounts/providers/locks",
"name": "[concat(parameters('newStorageAccountName'),
'/Microsoft.Authorization/collierLock')]",
"apiVersion": "2015-01-01",
"dependsOn": [ "[concat('Microsoft.Storage/storageAccounts/',
parameters('newStorageAccountName'))]" ],
"properties": {
"level": "CannotDelete",
"notes": "Mike's important files - do not delete!"
}
} ]
} ]
Options: CannotDelete and ReadOnly*
Resource Locks
# Apply a resource lock to the storage account.
New-AzureResourceLock -LockLevel CanNotDelete `
-LockNotes 'No deleting!' `
-LockName 'CollierLock' `
-ResourceName $storageAccountName `
-ResourceType 'Microsoft.Storage/storageAccounts' `
-ResourceGroup $resourceGroup –Verbose
# Apply a resource lock to an entire resource group
New-AzureResourceLock -LockLevel CanNotDelete `
-LockNotes 'No deleting!' `
-LockName 'CollierGroupLock' `
-ResourceGroup 'CollierMedia' -Verbose
Resource Locks
More information:
https://michaelscollier.com/2015/06/21/lock-
down-your-azure-resources/
Azure Resource Groups
ROLE BASED ACCESS CONTROL
Motivation
ASM
Admins, co-admins and X.509 certs
No RBAC
Pushback from enterprises
Azure Active Directory
Cloud-scale directory service
ARM
AAD
RBAC
RBAC
Assign an AAD identity to a role at some scope
ARM mode
Role
Specifies a set of Actions and NotActions
Contains zero or more AAD identities
35
RBAC Scope
Know Your Role
Core system roles
Owner
Contributor
Reader
Security Manager
User Access Administrator
Resource-based roles
Virtual Machine Contributor
SQL Server Contributor
… (currently 20)
Custom roles
Announced at Ignite 2015
Know Your Role
Assign via PowerShell
New-AzureRoleAssignment
Remove-AzureRoleAssignment
Get-AzureRoleAssignment
Get-AzureRoleDefinition
New-AzureRoleAssignment `
-UserPrincipalName [email protected] `
-RoleDefinitionName Reader `
-Scope
/subscriptions/GUID/resourceGroups/SomeResourceGroup
Name
Know Your Role
Assign via Azure Preview Portal
Know Your Role
Assign via Azure Preview Portal
Know Your Role
Assign via Azure Preview Portal
Know Your Role
Assign via Azure Preview Portal
Role Actions
Switch-AzureMode -Name AzureResourceManager
$roles = Get-AzureRoleDefinition #| where { $_.Name -like "SQL*"}
foreach ($def in $roles) {
Write-Host 'Role: '$def.Name
Write-Host 'Actions'
(Get-AzureRoleDefinition -Name $def.Name).Actions
Write-Host 'NotActions'
(Get-AzureRoleDefinition -Name $def.Name).NotActions
Write-Host ([Environment]::NewLine)
}
Features and Deployment
ARM TEMPLATES
ARM Deployment Options
ARM Templates
Desired-state deployment for a single resource group
Parameterized JSON template
Resources deployed in parallel
Resource dependency constraints enforced
Template language provides some built-in functions
ARM Deployment Options
Azure PowerShell Azure XPlat CLI Azure Preview Portal Deploy To Azure
> Switch-AzureMode
AzureResourceManager
https://github.com/Azure/azure-quickstart-
Azure Marketplace
azure config mode templates
* https://github.com/Azure/azure- arm
Resource Manager stack
powershell/wiki/Deprecation-of- http://deploy.azure.com
Switch-AzureMode-in-Azure-
PowerShell
ARM mode
Resource-specific cmdlets
Template-deployment cmdlets
ARM Templates
Template file comprises several sections
parameters – parameterizes the deployment of a template
variables – provides variables used in the definition of resources
resources – specifies a goal state for a set of resources in a resource group
outputs – provides values to be returned from the template
Parameter file provides actual values for parameters
Goal state
Parameterized template provides the goal state for a resource group
Resource group specified at runtime
ARM Functions
ARM Templates supports small set of built-in functions
parameters, variables
reference, resourceGroup, resourceId
base64, concat, padLeft, padLeft, replace, toLower, toUpper
deployment, provider, subscription
listKeys
Not supported
User-defined functions
Control constructs – if, while, etc.
Loops and Nested Templates
Loops
Provide basic copy capability
Useful in cloning resource configuration
For example, deploying multiple VMs
Nested Templates
One template can invoke another
Simplifies creation of sophisticated templates
Supports parameters
Supports output variables
ARM Deployment Logs
Logs
Provider
Resource group
Resource
Availability
Kept for 15 days
Default is last hour (PowerShell)
Filter by Status e.g., Failed
PowerShell
Get-AzureResourceProviderLog
Get-AzureResourceGroupLog
Get-AzureResourceLog
Explore and Deploy an ARM template
DEMO
Inside vs. Outside the box
ARM Template
State Configuration /
Extensions
Inside vs. Outside the box
• Outside – part of the template
– VM, network topology, tags, RBAC, references to
certs/secrets, etc.
• Inside – executed by template only
– Configure server roles, configure software, deploy a
website, manage services, manage local users, etc.
– Extensions for PowerShell DSC, Chef, and Puppet.
Free Form . . . Ideal?
User selects arbitrary configuration
Number of nodes, VM sizes, disks, storage accounts, etc.
Maintenance overhead
Support for an undetermined number of configs
Subscription management
Resource limits per subscription
Density challenge – set aside capacity for potential use
Subscription creation cannot be automated
Known Configuration
T-Shirt Sizing
Size: Small, Medium, Large
Product/Audience: Community, Enterprise
Feature: Basic, High Availability
Flexibility within size to select number of resources (to
max)
Known sizing – known resources
Template Decomposition
Parameters Shared Resources Template
adminUserName
Template Metadata
adminPassword
storageAccountName
region
virtualNetworkName Optional Resource
Main Template Template(s)
addressPrefix
subnetName
subnetPrefix
jumpbox Known Configuration
Resources Template Widely Reusable Script(s)
tshirtSize
osFamily
Member Resources Custom Scripts
Template(s)
57
Image: https://azure.microsoft.com/en-us/documentation/articles/best-practices-resource-manager-design-templates/#identifying-what-is-outside-and-inside-of-a-vm
Advanced ARM template
DEMO
Summary
Application Lifecycle Management
Provision & deprovision resources for an application as a logical unit
Declarative
Rapid, repeatable deployment
Save application topology
Consistent Management API
Uniform REST API
Portal, Command Line, PowerShell, Visual Studio or other tools
ARM is the future of resource management in Azure
Resources
ARM Template Examples
– https://github.com/azure/azure-quickstart-templates
Best Practices for Designing Azure Resource Manager Templates
https://azure.microsoft.com/en-us/documentation/articles/best-practices-resource-manager-design-templates/
Rest API Reference
http://msdn.microsoft.com/en-us/library/azure/dn790568.aspx
ARM Template Functions
https://azure.microsoft.com/en-us/documentation/articles/resource-group-template-functions/
Azure Resource Explorer
https://resources.azure.com/
Microsoft Cloud Solution Architect Blog
http://aka.ms/csablog/
Questions?