Zure Azure PaaS Zero to Hero - DevOps training day

Confidential
Azure DevOps
Okko Oulasvirta, Azure DevOps dude
@okkooulasvirta

Confidential
DEVOPS IS…
THE UNION OF
PEOPLE, PROCESS,
AND PRODUCTS TO
ENABLE…
CONTINUOUS
DELIVERY OF
VALUE TO OUR END
USERS.

Confidential
1. Live in production
2. Collecting telemetry…
3. …that examines the
hypothesis which motivated
the deployment.
Perfect Definition of Done…

Confidential
We believe {customer segment} wants {product/feature}
because {value proposition}
To prove or disprove the above, the team will conduct the
following experiment(s): …
The above experiment(s) proved or disproved the hypothesis by
impacting the following metric(s): …

Confidential
Azure Boards
Overview of VSTS functionalities
@okkooulasvirta

Confidential
Dashboards and Wiki
• Summary – Wiki homepage, builds,
releases, commits, pull requests
• Dashboards – for different purposes:
Status of work, Bug tracking, Testing,
Deployments etc. A lot of widgets
available
• Wiki – Use to guide your team on
development practices, way-of-work
etc. or enrich your work item data
with detailed functional specifications
(wiki pages can be linked to work
items, copy paste images)

Confidential
Azure Boards
• Work Items – Place to find assigned to, followed, mentioned, my activity,
recently updated, completed or created work items
• Boards – KanBan board. Work items shown here depends on team settings
(iterations and areas). Can be customized and each team has their own view
to data.
• Backlogs – Multiple levels and more can be added if needed. Use to
prioritize and schedule your work (sprint planning)
• Sprints – Has sprint Backlog for sprint planning and Task board for daily
standups.
• Queries – Has shared and private queries to search and list work item data.
Results can be shown also in dashboards.

Confidential
Azure DevOps Backlog management – Excel
integration

Confidential
DEMO
Azure Dashboards, Wiki, Boards
@okkooulasvirta

Confidential
Azure Repos
Private and Public Git repositories
@okkooulasvirta

Confidential
Azure Repos
• Files – Contents and history of
source code files.
• Commits – Who did what, when and
why? Code commenting.
• Branches – Master branch, Release
and Feature branches
• Tags – Official versions that went
production
• Pull Requests – Ensure quality of the
code changes and communicate
changes between team members
• Branch policies – Enforces Pull
Requests and other code quality
practices

Confidential
DEMO
Azure Repos
Pull Requests, Code Reviews, Branches, Branch policies
@okkooulasvirta

Confidential
Azure Pipelines and ARM
Templates
Infrastructure as code
Continuous Integration
Continuous Delivery
@okkooulasvirta

Confidential
RBAC standard roles and scope
Subscription
Resource Groups
Resources
Owner
Can perform all management operations
for a resource and its child resources
including access management and
granting access to others.
Contributor
Can perform all management operations
for a resource including create and delete
resources. A contributor cannot grant
access to other.
Reader
Has read-only access to a resource and its
child resources. A reader cannot read
secrets.

Confidential
Azure Resource Manager Template
A JavaScript Object Notation (JSON)
file that defines:
• one or more resources to deploy
to a resource group
• dependencies between the
deployed resources
The template can be used to deploy
the resources consistently and
repeatedly

Confidential
Azure Resource Management templates
Resource Group
Azure
Repos

Confidential
ARM TEMPLATE
structure
{
"$schema": <uri>,
"contentVersion: "1.0",
"parameters": { },
"variables": { },
"functions": { },
"resources": [ ],
"outputs": { }
}
contentVersion: can be used to make sure that the
right template is being used
parameters: are provided by caller when ARM
deployment is executed
variables: used as JSON fragments in the template
functions: user-defined functions that are available
within the template
resources: Azure service to be deployed…
outputs: values that are returned after deployment
to caller

Confidential
Resources section
structure
"resources": [
{
"apiVersion": "",
"name": "[variables('webSiteName')]",
"type": "Microsoft.Web/sites",
"location": "[resourceGroup().location]",
"properties": { … }
"tags": {
"displayName": “MyApp Consumption Plan"
},
}
],
type: resource-provider/resource-type
name: unique in resource group sometimes also
globally
location: Azure data center region, usually same as
resource group’s
tags: shown in Azure Portal

Confidential
Tooling arm development
Visual Studio with Azure
development workload installed
• Create ARM templates
• Validate ARM templates
• Deploy ARM templates
• VSTS and Git support

Confidential
QA and Production
Azure DevOps blueprint
Development
Azure Active
Directory
Authentication
Resource group
Azure SQL Database
logical server
database database
App Service Plan
App Service app
Azure Active
Directory
Authentication
Resource group
Azure SQL Database
logical server
database database
App Service Plan
App Service app
Azure Active
Directory
Authentication
Resource group
Azure SQL Database
logical server
database database
App Service Plan
App Service app
QA resource group
• Developers have read role
• Deployments only with Azure pipelines
• Infrastructure with ARM template(s)
Production resource group
• Support has contributor role
• Developers may have read role
• Deployments only with Azure pipelines
• Infrastructure with ARM template(s)
DEV and TMP resource groups
• Developers have contributor role
• Deployments with Azure pipelines (or with
Visual Studio to troubleshoot)
• ARM templates stored to Azure repos (Git)
• Minimal permissions with Azure AD app based service principal
• Role based access control (RBAC) applied to specific resource groups
• Deployments via Azure Pipelines ARM Service Connections

Confidential
DEMO
1. Luodaan tmp, dev, qa ja prod resurssit
2. Luodaan service principalit ja luvitetaan ne contributor rooliin
3. Luoaan Azure DevOps ARM service connectionit
Tehdään tämä kaikki skriptaten…
@okkooulasvirta

Confidential
CI/CD - Continuous integration
cspkg
DEV
TFVC
Publish deployment artifacts for release
pipeline only if CI build is passed!

Confidential
CI/CD - Continuous Delivery
cspkg
TFVC
DEV: Deploy as often as possible (every commit)
• Track smoke testing with post deployment approvals
• Automate functional (UI) testing
TEST: Run automated performance and load tests
• Execute and track manual acceptance testing
PROD: Acceptance testing passed
• Use predeployment approvals
• Consider to feature toggling and use of A/B testing
• Use Application monitoring!
UI
80% 20%

Confidential
DEMO
Azure Resource Management templates
Azure Pipelines
@okkooulasvirta

©2018 Zure Oy | Confidential | www.zure.com
Deployment slots… S1+
• Use deployment slots to route traffic
to different url than production
• Slot name is suffix to CNAME part of
the website url:
• app.domain.fi → app-slotname.domain.fi
• production site can be swapped with any
of slots in matter of few seconds
• Traffic manager is used to configure
how much of the traffic goes to which
slot – other than production

DEMO
A/B testing with deployment slots
@okkooulasvirta

Azure Monitoring
Application insights
@okkooulasvirta

Confidential
Azure DevOps a.k.a VSTS
Commit and
push local
branch to
Azure Repos
(Git)
Edit
code Continuous
Integration
Continuous
Deployment
Azure
App
Service
Azure
SQL
App
Service
Azure
SQL
App
Service
Azure
SQL
Application Insights
Create a Pull
Request for
peer review
Merge to
master
Azure Pipelines – Monitoring

Confidential
What is application insights?
Application Performance Management
service for monitoring live applications.
Detects automatically performance
anomalies.
Provides analytics tools to diagnose
issues and understand app usage.
How does it work?
Requires instrumentation package in
monitored application and resource in
Azure.
The instrumentation monitors app and
sends telemetry data to AI.
Tracking calls are non-blocking, batched
and sent in a separate thread.

Track issues with
Azure DevOps
• Connect Application Insights to
Azure DevOps
• User in Azure Portal needs to
have also access to Azure
DevOps – authorized with
OAuth
• Create bugs from exception
details in Application Insights

AppInsights in
Azure DevOps
Free extension by Microsoft
• Dashboard can be set to auto
refresh contents – doesn’t
support live monitoring (yet)
• Provides dashboard AI widgets
with plenty of different options
for metrics.

AppInsights in Azure Pipelines
Free extension by Microsoft
• Provides a new release
task to add annotations on
Application Insights
monitoring data
• Use release annotations
to track point of time
when deployment to
production was released

Appinsights Azure
DevOps
configuration
• AppInsights application ID
and API Access key to
identify which app insights
data you want to access.
• API Access key needs to be
generated – remember to
store the key securely!

Confidential
Azure Security
Azure Key Vaults
@okkooulasvirta

Confidential
Azure Key Vault
Secret Store as a service
- Store and manage SECRETs.
- Isolate cryptographic keys.
Azure Resource Provider
Anchored to Azure AD
- Authentication requires Azure AD token
- Permissions expressed in terms of Azure AD identities
Integrated with other Azure services / SDKs
- Allows automated flows of secrets from source to destination.
Subscription
Resource GroupResource GroupResource Group
Key VaultVMVMVM
Storage accountStorage accountStorage account Key VaultKey Vault...
Secret KeySecretSecret KeyKey
Key VersionSecret VersionSecret VersionSecret Version Key VersionKey Version
SubscriptionSubscription

Confidential
Available worldwide, isolated by geo
You choose the region when creating your key vault.
Secrets and keys in that key vault are stored in that region, and backed up in second region within same geo.
6 total copies ➔ you get very high durability.
Your read/write requests are affinitized to the primary region. But service fails over automatically within
region, or to secondary region ➔ you get high availability.
Geo Regions
US West, East, East 2, Central, North Central, South Central
Europe North, West
Asia East, Southeast
Japan East, West
Australia East, Southeast
Brazil South
USGov Iowa, Virginia
China North, East

Confidential
Best practices
1. Inventory your secrets.
2. Store them in stores designed for
secrets.
3. Tie access to your directory.
4. Minimize permissions, review
permissions periodically.
Storage account keys
Certificates
Encryption keys
Passwords
Secret Custodians
(only a handful)
App developers
App5 - Containers
App2 - Web App
App4 - Cloud Service
App3 - Service Fab
App1 - VMs

Confidential
Best practices
secrets.
Secret Custodians
App developers
Certificates
Encryption keys
Passwords
Certificates
Encryption keys
Passwords
App5 - Containers
App2 - Web App
App3 - Service Fab
App1 - VMs
Certificates
Encryption keys
Passwords
Certificates
Encryption keys
Passwords
Certificates
Encryption keys
Passwords

Confidential
Best practices
Certificates
Encryption keys
Passwords
App developers
Secret Custodians
Security Analysts &
Auditors
secrets.
5. Log access, review logs.
6. Rotate secrets periodically.
App5 - Containers
App2 - Web App
App3 - Service Fab
App1 - VMs

Confidential
Best practices
Certificates
Encryption keys
Passwords
App developers
Secret Custodians
Security Analysts &
Auditors
secrets.
5. Log access, review logs.
6. Rotate secrets periodically.
7. Automate → Azure DevOps App5 - Containers
App2 - Web App
App3 - Service Fab
App1 - VMs

Developer builds application (DEV KV)
AppKey Vault
1. Create Key Vault
2. Authorize app, users
3. Create/import keys/secrets
4. Deploy app, configured with
Key Vault URI of key/secret
5. Use key/secret
dev@aad

App moves into test (QA KV)
AppKey Vault
5. Use key/secret
1. Create Key Vault
4. Deploy app, configured with
URI of key/secret
dev@aadciso@aad

App in production (PROD KV)
AppKey Vault
5. Use key/secret
1. Create Key Vault
6. Manage keys/secrets
7. Monitor logs 4. Deploy app, configured with
URI of key/secret
dev@aadciso@aad
No change in
app code!

©2018 Zure Oy | Confidential | www.zure.com 45
Azure Pipelines
Variable Groups and
Azure Key Vault
Use a variable group to store values
that you want to make available across
multiple build and release pipelines.
• Variable groups are defined and
managed in the Library tab of the
Pipelines hub.
• Link secrets from an Azure key vault
as variables
• Requires Azure service connection
with Get and List management
permissions on the vault for secrets
DevOpsVariables
DevOps KeyVault secrets
zure-shared-we-prod-kv
DevOpsVariables

©2018 Zure Oy | Confidential | www.zure.com 46
Secrets in Azure Pipelines (CI/CD)
• Only the secret names are mapped to the variable group the latest version
of the value of each secret is fetched during the build or release
• Any change in the value of a existing secret is available automatically
available for linked Azure pipelines.
• Azure Key Vault supports storing and managing cryptographic keys and
secrets in Azure. Currently, Azure Pipelines variable group integration
supports mapping only Key Vault secrets from the Azure key vault.
Cryptographic keys and certificates are not yet supported → Azure
pipelines has secure files functionality for this

DEMO
47
Create Key Vault using AZ CLI
Connect .NET Core web app with Key Vault
https://docs.microsoft.com/en-us/azure/key-vault/quick-create-net
See demo of Managed Service Identity usage with KeyVault
https://azure.microsoft.com/en-us/resources/samples/app-service-msi-keyvault-dotnet

Zure Azure PaaS Zero to Hero - DevOps training day

Zure Azure PaaS Zero to Hero - DevOps training day

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à Zure Azure PaaS Zero to Hero - DevOps training day

Similaire à Zure Azure PaaS Zero to Hero - DevOps training day (20)

Plus de Okko Oulasvirta

Plus de Okko Oulasvirta (8)

Dernier

Dernier (20)

Zure Azure PaaS Zero to Hero - DevOps training day