Unlock new and powerful ways to manage your Azure resources.
Keeping track of all the various resources used by a solution is a daunting task. There needs to be an easier way to combine various resources into logical groups. The Azure Resource Manager enables you to group and manage multiple resources as a single logical group. With the ability to create reusable templates, it becomes much easier to consistently deploy solutions. In this session we will explore how the Azure Resource Manager can be used to better manage our Azure solutions. We will dive deep into creating resources and manipulating the Resource Manager templates. In the end, you'll be able to unlock new and powerful ways to manage your Azure resources.
You will learn:
- How to create and manage Resource Groups from PowerShell and the Cross-Platform Command-Line Interface
- How to create custom Azure Resource Manager templates
- How to manage security for resources using Azure Resource Manager and Azure Active Directory
4. Today’s Agenda
1. Current Challenges
2. Basics of Azure Resource Groups & Azure
Resource Manager
3. Role Based Access Control
4. ARM Template Details
5. Managing Azure Deployments
Azure Service Manager (ASM)
Traditional way to deploy and manage applications hosted in Azure
Production Portal
PowerShell / CLI (default mode)
REST API
Azure Resource Manager (ARM)
Modern way to deploy and manage applications hosted in Azure
Preview “Ibiza” Portal
PowerShell / CLI (ARM mode)
REST API
Azure Resource Management Library for .NET
14. Benefits
Desired-state deployment
Faster deployment
Role-based access control (RBAC)
Resource-provider model
Orchestration
Resource configuration
SQL - A Website Virtual
Machines
SQL-A
Website
[SQL CONFIG] VM (2x)
DEPENDS ON SQLDEPENDS ON SQL
SQLCONFIG
Image source - http://channel9.msdn.com/Events/Build/2014/2-607
15. Why
• Internal software development teams
– Quickly deploy technologies
– Rapidly create training environments
– Consistent deployment with enforced constraints
• Corporate IT
– Predefined environments for dev, QA, or production
– Provide LOB solutions
• ISV/CSV
– Hosting a solution for customers
– Inject solution into customer’s subscription
– Sell via Azure Marketplace
• Community / OSS
– Host on GitHub to allow community to share and improve.
?
17. ARM Definitions
Resource: Atomic unit of deployment
Resource Group: Collection of resources
Resource Provider: Manages specific kinds of
resources
Resource Type: Specifies the type of resource
18. Resource Providers
Deploy specific types of resources
Identified by provider namespace
e.g., Microsoft.Compute, Microsoft.Storage, Microsoft.Web (~ 25 Microsoft or customer
namespaces)
Resource types
Each provider namespace manages one or more resource types
Microsoft.Compute/availabiltySets
Microsoft.Compute/virtualMachines
Microsoft.Compute/locations
Different regional availability and apiVersion
19. Resource Providers - PowerShell
Get-AzureLocation indicates which resourceTypes
are available in each region
Get-AzureProvider indicates which resource
providers and apiVersions are available in each region.
22
(Get-AzureProvider -ProviderNamespace Microsoft.Storage).ResourceTypes | Where {
$_.ResourceTypeName -eq 'storageAccounts' } | Select –ExpandProperty ApiVersions
(Get-AzureProvider -ProviderNamespace Microsoft.Storage).ResourceTypes | Where {
$_.ResourceTypeName -eq 'storageAccounts' } | Select -ExpandProperty Locations
20. Resource Group Definition
Name
Unique inside a subscription
Id
Unique across Azure
Location
Resources
Set of resources in the resource group
Tags
Resource group can be tagged to provide (billing) metadata
21. Resource Group Definition
PS C:> New-AzureResourceGroup -Name VSLiveNYC -Location "East US" -Tag @{Name=“Event"; Value=“VSLIVE"},
@{Name="Admin";Value="mcollier"}
VERBOSE: 9:52:35 PM - Created resource group ‘VSLiveNYC' in location 'eastus'
ResourceGroupName : VSLiveNYC
Location : eastus
ProvisioningState : Succeeded
Tags :
Name Value
========= ========
Event VSLIVE
Admin mcollier
Permissions :
Actions NotActions
======= ==========
*
ResourceId : /subscriptions/xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/VSLiveNYC
22. Resource Group Definition
C:UsersMCOLLIER>azure
info: _ _____ _ ___ ___
info: /_ |_ / | | | _ __|
info: _ ___/ _ __/ /| |_| | / _|___ _ _
info: (___ /_/ _/___|___/|_|____| _____)
info: (_______ _ _) _ ______ _)_ _
info: (______________ _ ) (___ _ _)
info:
info: Microsoft Azure: Microsoft's Cloud Platform
info:
info: Tool version 0.9.9
help:
help: Display help for a given command
help: help [options] [command]
help:
help: Log in to an Azure subscription using Active Directory. Currently, the user can login only via Microsoft organizational account
help: login [options] [username]
help:
help: Log out from Azure subscription using Active Directory. Currently, the user can log out only via Microsoft organizational account
help: logout [options] [username]
help:
help: Open the portal in a browser
help: portal [options]
help:
help: Commands:
help: account Commands to manage your account information and publish settings
help: config Commands to manage your local settings
help: hdinsight Commands to manage HDInsight clusters and jobs
help: mobile Commands to manage your Mobile Services
help: network Commands to manage your networks
help: sb Commands to manage your Service Bus configuration
help: service Commands to manage your Cloud Services
help: site Commands to manage your Web Sites
help: sql Commands to manage your SQL Server accounts
help: storage Commands to manage your Storage objects
help: vm Commands to manage your Virtual Machines
help:
help: Options:
help: -h, --help output usage information
help: -v, --version output the application version
help:
help: Current Mode: asm (Azure Service Management)
23. Resource Group Definition
C:UsersMCOLLIER>C:UsersMCOLLIER>azure login admin@mcollier.onmicrosoft.com
info: Executing command login
Password: ********
/info: Added subscription Visual Studio Ultimate with MSDN (Microsoft FTE)
info: Setting subscription "Visual Studio Ultimate with MSDN (Microsoft FTE)" as default
+
info: login command OK
C:UsersMCOLLIER>azure config mode arm
info: New mode is arm
C:C:UsersMCOLLIER>azure group create -n "vslivenyc2015-cli" -l "East US" -t event=vslive;admin=mcollier
info: Executing command group create
+ Getting resource group vslivenyc2015-cli
+ Creating resource group vslivenyc2015-cli
info: Created resource group vslivenyc2015-cli
data: Id: /subscriptions/0bbbc191-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/vslivenyc2015-cli
data: Name: vslivenyc2015-cli
data: Location: eastus
data: Provisioning State: Succeeded
data: Tags: event=vslive;admin=mcollier
data:
info: group create command OK
C:UsersMCOLLIER>
24. Resource Characteristics
Resource group
Resource exists in precisely one resource group at any time
Resource can be moved from one resource group to another
Location
Resource can be created in any region where there is an a
appropriate resource provider
Locks
Resource can be locked to prevent deletion
Tags
Resource can be tagged to provide (billing) metadata
25. Resource Group Characteristics
Two types of resource groups
Lifecycle
Shared
Lifecyle
Contains resources with common lifecycle and management
e.g., virtual machines and storage accounts for an application
Shared
Contains resources shared among several resource groups
e.g., VNETs used to host VMs from many applications
26. Resource Definition
Name
Unique for resource group and resource type (e.g.,
Microsoft.Compute/virtualMachines)
Id
Unique across Azure
/subscriptions/GUID/resourceGroups/myRG/providers/Microsoft.Compute/virtua
lMachines/vmName
Location
ResourceType
ResourceGroup
Properties
Additional properties specific to the resource provider
{
"apiVersion": "2015-05-01-preview",
"type": "Microsoft.Storage/storageAccounts",
"name": "[parameters('newStorageAccountName')]",
"location": "[resourceGroup().location]",
"tags": {
"displayName": "StorageAccount"
},
"properties": {
"accountType": "[variables('storageAccountType')]"
}
}
27. Resource Tags
Tag
Name/value pair
Provides metadata to classify resources and resource
groups
Resources and resource groups
An array of tags can be associated with a resource or a
resource group
Billing
Tags are surfaced to Azure bills so they can be used in
allocating resource costs
{
"apiVersion": "2015-05-01-preview",
"type": "Microsoft.Compute/availabilitySets",
"name": "[variables('availabilitySetName')]",
"location": "[resourceGroup().location]",
"tags": {
"displayName": "AvailabilitySet"
}
}
> New-AzureResourceGroup -Name VSLiveNYC -Location "East
US" -Tag @{Name=“Event"; Value=“VSLive"},
@{Name="Admin";Value="mcollier"}
28. Resource Locks
Prevents deletion of a resource or
resource group
Associate a resource lock with the resource or
resource group
Only the Owner or User Access Administrator
roles can create or modify locks
29. Resource Locks
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"name": "[parameters('newStorageAccountName')]",
"apiVersion": "2015-05-01-preview",
"location": "[parameters('location')]",
"properties": {
"accountType": "[parameters('storageAccountType')]"
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts/providers/locks",
"name": "[concat(parameters('newStorageAccountName'), '/Microsoft.Authorization/collierLock')]",
"apiVersion": "2015-01-01",
"dependsOn": [ "[concat('Microsoft.Storage/storageAccounts/', parameters('newStorageAccountName'))]" ],
"properties": {
"level": "CannotDelete",
"notes": "Mike's important files - do not delete!"
}
} ]
} ]
Options: CannotDelete and ReadOnly*
Name of the lock
30. Resource Locks
# Apply a resource lock to the storage account.
New-AzureResourceLock -LockLevel CanNotDelete `
-LockNotes 'No deleting!' `
-LockName 'CollierLock' `
-ResourceName $storageAccountName `
-ResourceType 'Microsoft.Storage/storageAccounts' `
-ResourceGroup $resourceGroup –Verbose
# Apply a resource lock to an entire resource group
New-AzureResourceLock -LockLevel CanNotDelete `
-LockNotes 'No deleting!' `
-LockName 'CollierGroupLock' `
-ResourceGroup 'CollierMedia' -Verbose
33. Motivation
ASM
Admins, co-admins and X.509 certs
No RBAC
Pushback from enterprises
Azure Active Directory
Cloud-scale directory service
ARM
AAD
RBAC
34. RBAC
Assign an AAD identity to a role at some scope
ARM mode
Role
Specifies a set of Actions and NotActions
Contains zero or more AAD identities
37
36. Know Your Role
Core system roles
Owner
Contributor
Reader
Security Manager
User Access Administrator
Resource-based roles
Virtual Machine Contributor
SQL Server Contributor
… (currently 20)
Custom roles
Announced at Ignite 2015
37. Know Your Role
Assign via PowerShell
New-AzureRoleAssignment
Remove-AzureRoleAssignment
Get-AzureRoleAssignment
Get-AzureRoleDefinition
New-AzureRoleAssignment `
-UserPrincipalName user@somedomain.com `
-RoleDefinitionName Reader `
-Scope
/subscriptions/GUID/resourceGroups/SomeResourceGroupName
44. ARM Deployment Options
ARM Templates
Desired-state deployment for a single resource group
Parameterized JSON template
Resources deployed in parallel
Resource dependency constraints enforced
Template language provides some built-in functions
46. ARM Templates
Template file comprises several sections
parameters – parameterizes the deployment of a template
variables – provides variables used in the definition of resources
resources – specifies a goal state for a set of resources in a resource group
outputs – provides values to be returned from the template
Parameter file provides actual values for parameters
Goal state
Parameterized template provides the goal state for a resource group
Resource group specified at runtime
47. ARM Functions
ARM Templates supports small set of built-in functions
parameters, variables
reference, resourceGroup, resourceId
base64, concat, padLeft, padLeft, replace, toLower, toUpper
deployment, provider, subscription
listKeys
Not supported
User-defined functions
Control constructs – if, while, etc.
48. Loops and Nested Templates
Loops
Provide basic copy capability
Useful in cloning resource configuration
For example, deploying multiple VMs
Nested Templates
One template can invoke another
Simplifies creation of sophisticated templates
Supports parameters
Supports output variables
49. ARM Deployment Logs
Logs
Provider
Resource group
Resource
Availability
Kept for 15 days
Default is last hour (PowerShell)
Filter by Status e.g., Failed
PowerShell
Get-AzureResourceProviderLog
Get-AzureResourceGroupLog
Get-AzureResourceLog
51. Inside vs. Outside the box
ARM Template
State Configuration /
Extensions
52. Inside vs. Outside the box
• Outside – part of the template
– VM, network topology, tags, RBAC, references to
certs/secrets, etc.
• Inside – executed by template only
– Configure server roles, configure software, deploy a
website, manage services, manage local users, etc.
– Extensions for PowerShell DSC, Chef, and Puppet.
53. Free Form . . . Ideal?
User selects arbitrary configuration
Number of nodes, VM sizes, disks, storage accounts, etc.
Maintenance overhead
Support for an undetermined number of configs
Subscription management
Resource limits per subscription
Density challenge – set aside capacity for potential use
Subscription creation cannot be automated
54. Known Configuration
T-Shirt Sizing
Size: Small, Medium, Large
Product/Audience: Community, Enterprise
Feature: Basic, High Availability
Flexibility within size to select number of resources (to
max)
Known sizing – known resources
57. Summary
Application Lifecycle Management
Provision & deprovision resources for an application as a logical unit
Declarative
Rapid, repeatable deployment
Save application topology
Consistent Management API
Uniform REST API
Portal, Command Line, PowerShell, Visual Studio or other tools
ARM is the future of resource management in Azure
58. Resources
ARM Template Examples
– https://github.com/azure/azure-quickstart-templates
Best Practices for Designing Azure Resource Manager Templates
https://azure.microsoft.com/en-us/documentation/articles/best-practices-resource-manager-design-templates/
Rest API Reference
http://msdn.microsoft.com/en-us/library/azure/dn790568.aspx
ARM Template Functions
https://azure.microsoft.com/en-us/documentation/articles/resource-group-template-functions/
Azure Resource Explorer
https://resources.azure.com/
Microsoft Cloud Solution Architect Blog
http://aka.ms/csablog/
60. Thank You!
Michael S. Collier
@MichaelCollier | www.michaelscollier.com
michael.collier@microsoft.com
Notes de l'éditeur
Introduce the two ways to manage Azure services.
ASM has been around since 2009 and is getting long in the tooth.
ARM supports modern deployment practices. It is designed to be extensible to all current and future services.
Let’s talk about the challenge we have when deploying Azure-based solutions . . . The multiple resources needed.
Single resource – not so bad.
Multiple resources – gets to be more of a challenge.
Need to coordinate the deployment so that dependencies are handled (e.g. DB before web so that configuration string can be set).
Lifecycle of application and related resources
Resource - an Azure entity such as a VM, WebSite, Storage Account, SQL Database
Resource Group
Collection of Azure resources
Every Resource must exist in one, and only one, Resource Group
Unit of Management
Lifecyle - deployment, update, delete, obtain status
Grouping - Billing
Open a template in Visual Studio. Show various sections of the template (parameters, variables, resources, etc.).
Deploy via PowerShell
ARM templates are for control things outside the VM – the VM itself and resources related to the deployment.
Inside – installed software and overall desired state. Scripts are executed by the ARM template but aren’t contained within the template itself.
DSC extensions can help to control “drift”.
Walkthrough the template at https://github.com/Azure/azure-quickstart-templates/blob/master/postgresql-on-ubuntu/azuredeploy.json