This document provides an overview of Azure DevOps and related Azure services for continuous integration, delivery, and monitoring. It discusses DevOps practices including source control with Azure Repos, work tracking with Azure Boards, continuous integration and deployment pipelines with Azure Pipelines, infrastructure as code with ARM templates, and application monitoring with Application Insights. It also covers security practices like role-based access control and use of Azure Key Vault for secrets management. Live demos are provided for many of the Azure DevOps features and services discussed.
3. Confidential
Perfect Definition of Done…
1. Live in production
2. Collecting telemetry…
3. …that examines the hypothesis which motivated the deployment.
We believe {customer segment} wants {product/feature} because {value proposition}.
To prove or disprove the above, the team will conduct the following experiment(s): …
The above experiment(s) proved or disproved the hypothesis by impacting the following metric(s): …
Dashboards and Wiki
• Summary – Wiki homepage, builds, releases, commits, pull requests
• Dashboards – for different purposes: status of work, bug tracking, testing, deployments etc. A lot of widgets available
• Wiki – Use to guide your team on development practices, way-of-work etc., or enrich your work item data with detailed functional specifications (wiki pages can be linked to work items, copy-paste images)
Azure Boards
• Work Items – Place to find work items assigned to you, followed, mentioned, my activity, recently updated, completed or created
• Boards – Kanban board. Work items shown here depend on team settings (iterations and areas). Can be customized, and each team has its own view of the data.
• Backlogs – Multiple levels, and more can be added if needed. Use to prioritize and schedule your work (sprint planning)
• Sprints – Has a sprint backlog for sprint planning and a task board for daily standups.
• Queries – Has shared and private queries to search and list work item data. Results can also be shown in dashboards.
Azure Repos
• Files – Contents and history of source code files.
• Commits – Who did what, when and why? Code commenting.
• Branches – Master branch, release and feature branches
• Tags – Official versions that went to production
• Pull Requests – Ensure quality of the code changes and communicate changes between team members
• Branch policies – Enforce pull requests and other code quality practices
Azure Pipelines and ARM Templates
Infrastructure as code
Continuous Integration
Continuous Delivery
Okko Oulasvirta, Azure DevOps dude
@okkooulasvirta
RBAC standard roles and scope
Scopes: Subscription → Resource Groups → Resources
Owner – Can perform all management operations for a resource and its child resources, including access management and granting access to others.
Contributor – Can perform all management operations for a resource, including creating and deleting resources. A contributor cannot grant access to others.
Reader – Has read-only access to a resource and its child resources. A reader cannot read secrets.
Azure Resource Manager Template
A JavaScript Object Notation (JSON) file that defines:
• one or more resources to deploy to a resource group
• dependencies between the deployed resources
The template can be used to deploy the resources consistently and repeatedly.
ARM template structure
{
  "$schema": "<uri>",
  "contentVersion": "1.0",
  "parameters": { },
  "variables": { },
  "functions": { },
  "resources": [ ],
  "outputs": { }
}
contentVersion: can be used to make sure that the right template is being used
parameters: are provided by the caller when the ARM deployment is executed
variables: used as JSON fragments in the template
functions: user-defined functions that are available within the template
resources: Azure services to be deployed…
outputs: values that are returned to the caller after deployment
Resources section structure
"resources": [
  {
    "apiVersion": "",
    "name": "[variables('webSiteName')]",
    "type": "Microsoft.Web/sites",
    "location": "[resourceGroup().location]",
    "properties": { … },
    "tags": {
      "displayName": "MyApp Consumption Plan"
    }
  }
],
type: resource-provider/resource-type
name: unique in the resource group, sometimes also globally
location: Azure data center region, usually the same as the resource group’s
tags: shown in the Azure Portal
Tooling for ARM development
Visual Studio with the Azure development workload installed
• Create ARM templates
• Validate ARM templates
• Deploy ARM templates
• VSTS and Git support
Azure DevOps blueprint
Diagram: three environments (Development, QA and Production), each in its own resource group containing Azure Active Directory authentication, an Azure SQL Database logical server with its databases, an App Service Plan and an App Service app.
QA resource group
• Developers have read role
• Deployments only with Azure Pipelines
• Infrastructure with ARM template(s)
Production resource group
• Support has contributor role
• Developers may have read role
• Deployments only with Azure Pipelines
• Infrastructure with ARM template(s)
DEV and TMP resource groups
• Developers have contributor role
• Deployments with Azure Pipelines (or with Visual Studio to troubleshoot)
• ARM templates stored to Azure Repos (Git)
• Minimal permissions with Azure AD app based service principal
• Role based access control (RBAC) applied to specific resource groups
• Deployments via Azure Pipelines ARM Service Connections
DEMO
1. Create the tmp, dev, qa and prod resources
2. Create the service principals and grant them the Contributor role
3. Create the Azure DevOps ARM service connections
Do all of this by scripting…
Okko Oulasvirta, Azure DevOps dude
@okkooulasvirta
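One way to script the three demo steps, added here as an example and not the deck's own demo script: one resource group per environment, one service principal per environment whose Contributor assignment is scoped to that resource group only, and the matching Azure DevOps ARM service connection. It assumes the Azure CLI with the azure-devops extension and jq; the subscription id, names and the DRY_RUN switch are placeholders of this example.

```shell
# Added example, not the deck's own demo script: per-environment resource
# groups, one service principal per environment scoped to its own resource
# group only, and the matching Azure DevOps ARM service connection.
# Assumes Azure CLI with the azure-devops extension and jq; subscription id
# and names are placeholders. DRY_RUN=1 (default) only prints the commands.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
SUBSCRIPTION_NAME="${SUBSCRIPTION_NAME:-my-subscription}"
LOCATION="${LOCATION:-westeurope}"
APP_NAME="${APP_NAME:-myapp}"
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Naming convention <app>-<env>-rg, one group per environment (tmp, dev, qa, prod).
rg_name() { printf '%s-%s-rg' "$APP_NAME" "$1"; }

# The least-privilege point of the blueprint: the role assignment is scoped
# to the environment's resource group, never to the whole subscription, so
# the dev pipeline identity has no rights in qa or prod.
rg_scope() { printf '/subscriptions/%s/resourceGroups/%s' "$SUBSCRIPTION_ID" "$(rg_name "$1")"; }

bootstrap_env() {
  envname="$1"; rg="$(rg_name "$envname")"; scope="$(rg_scope "$envname")"
  run az group create --name "$rg" --location "$LOCATION" --output none
  if [ "$DRY_RUN" = 1 ]; then
    echo "+ az ad sp create-for-rbac --name sp-$APP_NAME-$envname --role Contributor --scopes $scope"
    echo "+ az devops service-endpoint azurerm create --name $APP_NAME-$envname (using that principal)"
    return 0
  fi
  # Contributor, not Owner: the pipeline can deploy but cannot grant access.
  # The client secret is returned exactly once; it stays in a shell variable.
  sp="$(az ad sp create-for-rbac --name "sp-$APP_NAME-$envname" --role Contributor \
        --scopes "$scope" --output json)"
  app_id="$(printf '%s' "$sp" | jq -r .appId)"
  tenant="$(printf '%s' "$sp" | jq -r .tenant)"
  # The azure-devops extension reads the secret from this variable, so it
  # never appears on the command line or in shell history.
  AZURE_DEVOPS_EXT_AZURE_RM_SERVICE_PRINCIPAL_KEY="$(printf '%s' "$sp" | jq -r .password)" \
    az devops service-endpoint azurerm create --name "$APP_NAME-$envname" \
      --azure-rm-service-principal-id "$app_id" --azure-rm-tenant-id "$tenant" \
      --azure-rm-subscription-id "$SUBSCRIPTION_ID" \
      --azure-rm-subscription-name "$SUBSCRIPTION_NAME" --output none
}

for e in tmp dev qa prod; do bootstrap_env "$e"; done
```

Run with DRY_RUN=0 after `az login` and `az devops configure --defaults organization=... project=...` to execute against a real subscription.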
CI/CD - Continuous integration
Diagram labels: TFVC (source), cspkg (build artifact), DEV (environment).
Publish deployment artifacts for the release pipeline only if the CI build has passed!
CI/CD - Continuous Delivery
Diagram labels: TFVC (source), cspkg (artifact), UI, 80% / 20%.
DEV: Deploy as often as possible (every commit)
• Track smoke testing with post-deployment approvals
• Automate functional (UI) testing
TEST: Run automated performance and load tests
• Execute and track manual acceptance testing
PROD: Acceptance testing passed
• Use pre-deployment approvals
• Consider feature toggling and the use of A/B testing
• Use application monitoring!
Azure DevOps a.k.a. VSTS
Azure Pipelines – Monitoring
Flow: Edit code → Commit and push local branch to Azure Repos (Git) → Create a Pull Request for peer review → Merge to master → Continuous Integration → Continuous Deployment → Azure App Service and Azure SQL (one pair per environment) → Application Insights
What is Application Insights?
Application Performance Management service for monitoring live applications. It automatically detects performance anomalies and provides analytics tools to diagnose issues and understand app usage.
How does it work?
Requires an instrumentation package in the monitored application and a resource in Azure. The instrumentation monitors the app and sends telemetry data to Application Insights. Tracking calls are non-blocking, batched and sent in a separate thread.
Azure Key Vault
Secret Store as a service
- Store and manage SECRETs.
- Isolate cryptographic keys.
Azure Resource Provider
Anchored to Azure AD
- Authentication requires an Azure AD token
- Permissions expressed in terms of Azure AD identities
Integrated with other Azure services / SDKs
- Allows automated flows of secrets from source to destination.
Diagram: Subscription → Resource Groups → resources (VMs, Storage accounts, Key Vaults …) → Keys and Secrets → Key Versions and Secret Versions.
Available worldwide, isolated by geo
You choose the region when creating your key vault. Secrets and keys in that key vault are stored in that region, and backed up in a second region within the same geo. 6 total copies ➔ you get very high durability.
Your read/write requests are affinitized to the primary region, but the service fails over automatically within the region, or to the secondary region ➔ you get high availability.
Geo Regions
US: West, East, East 2, Central, North Central, South Central
Europe: North, West
Asia: East, Southeast
Japan: East, West
Australia: East, Southeast
Brazil: South
USGov: Iowa, Virginia
China: North, East
Best practices
Diagram: secret types (storage account keys, certificates, encryption keys, passwords); roles (secret custodians – only a handful, app developers, security analysts & auditors); consuming applications (App1 - VMs, App2 - Web App, App3 - Service Fab, App4 - Cloud Service, App5 - Containers).
1. Inventory your secrets.
2. Store them in stores designed for secrets.
3. Tie access to your directory.
4. Minimize permissions, review permissions periodically.
5. Log access, review logs.
6. Rotate secrets periodically.
7. Automate → Azure DevOps
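The practice list applied to a single vault with the Azure CLI, as an added example that is not part of the deck: a vault with purge protection (practice 2), access policies granted to Azure AD object ids with the narrowest secret permission set per role from the slides (practices 3 and 4), AuditEvent logging to Log Analytics (practice 5) and an expiry on every secret (practice 6). Vault, resource group, workspace and object ids and the rotation deadline are placeholders of this example.

```shell
# Added example, not from the deck: the best-practice list applied to one
# vault with the Azure CLI. Vault, resource group, workspace and object ids
# are placeholders, as is the rotation deadline; DRY_RUN=1 (default) prints.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
RG="${RG:-myapp-prod-rg}"
VAULT="${VAULT:-myapp-prod-kv}"
WORKSPACE_ID="${WORKSPACE_ID:-<log-analytics-workspace-resource-id>}"
ROTATE_BY="${ROTATE_BY:-2030-01-01T00:00:00Z}"   # placeholder expiry
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

vault_id() { printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s' "$SUBSCRIPTION_ID" "$RG" "$VAULT"; }

# Practice 4, minimize permissions: narrowest secret permission set per role on
# the slides. An app only reads; custodians manage; auditors see names, not values.
secret_permissions() {
  case "$1" in
    app)       echo "get list" ;;
    custodian) echo "get list set delete backup restore" ;;
    auditor)   echo "list" ;;
    *)         echo "unknown role: $1" >&2; return 1 ;;
  esac
}

# Practice 3, tie access to the directory: policies name Azure AD object ids,
# never shared keys. $(...) is unquoted on purpose so the list is passed as words.
grant() {  # grant <role> <aad-object-id>
  run az keyvault set-policy --name "$VAULT" --object-id "$2" \
      --secret-permissions $(secret_permissions "$1") --output none
}

harden_vault() {
  # Practice 2: a store designed for secrets; purge protection stops a deleted
  # vault or secret from being permanently purged during the retention period.
  run az keyvault create --name "$VAULT" --resource-group "$RG" --enable-purge-protection true --output none
  # Practice 5: ship AuditEvent logs to Log Analytics so access can be reviewed.
  run az monitor diagnostic-settings create --name kv-audit --resource "$(vault_id)" \
      --workspace "$WORKSPACE_ID" --logs '[{"category":"AuditEvent","enabled":true}]' --output none
  # Practice 6: every secret carries an expiry, so rotation is enforced rather than hoped for.
  run az keyvault secret set --vault-name "$VAULT" --name SqlConnectionString \
      --value '<placeholder-value>' --expires "$ROTATE_BY" --output none
}

harden_vault
grant app       00000000-0000-0000-0000-000000000001   # placeholder: the app's identity
grant custodian 00000000-0000-0000-0000-000000000002   # placeholder: custodians group
grant auditor   00000000-0000-0000-0000-000000000003   # placeholder: auditors group
```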