Unlock new and powerful ways to manage your Azure resources. Keeping track of all the various resources used by a solution is a daunting task. There needs to be an easier way to combine various resources into logical groups. The Azure Resource Manager enables you to group and manage multiple resources as a single logical group. With the ability to create reusable templates, it becomes much easier to consistently deploy solutions. In this session we will explore how the Azure Resource Manager can be used to better manage our Azure solutions. We will dive deep into creating resources and manipulating the Resource Manager templates. In the end, you'll be able to unlock new and powerful ways to manage your Azure resources. You will learn: - How to create and manage Resource Groups from PowerShell and the Cross-Platform Command-Line Interface - How to create custom Azure Resource Manager templates - How to manage security for resources using Azure Resource Manager and Azure Active Directory

1. Inside Azure Resource Manager
Michael S. Collier
Cloud Solution Architect,
Microsoft
Level: Intermediate

2. Michael S. Collier
Cloud Solution Architect
Microsoft
michael.collier@microsoft.com
@MichaelCollier
www.MichaelSCollier.com
http://aka.ms/csablog

3. http://aka.ms/fundamentalsofazure

4. Today’s Agenda
1. Current Challenges
2. Basics of Azure Resource Groups & Azure
Resource Manager
3. Role Based Access Control
4. ARM Template Details

5. Managing Azure Deployments
Azure Service Manager (ASM)
Traditional way to deploy and manage applications hosted in Azure
Production Portal
PowerShell / CLI (default mode)
REST API
Azure Resource Manager (ARM)
Modern way to deploy and manage applications hosted in Azure
Preview “Ibiza” Portal
PowerShell / CLI (ARM mode)
REST API
Azure Resource Management Library for .NET

6. The Challenge
Deploy/Update logical group
of resources
Visualize related resources:
Provision/Deprovision
Costs
Security/Permissions
????

7. Single Resource Point-of-View
Deployment – complex.
Coordinated deployment?
Communication/configuration between resources?

8. Single Resource Point-of-View

9. AZURE RESOURCE GROUPS
The Foundation

10. Azure Resource Groups
Lifecycle of application and
resources
Declarative
Consistent Management API

11. Azure Resource Manager
What is Azure Resource Manager?
Unit of Management
• Lifecycle
• Identity
• Grouping
One Resource -> One Resource Group

12. Resource Groups
One or Many?
How are the resources managed?

13. Consistent Management Layer
Resource
Provider
https://management.azure.com/subscriptions/{{subscriptionId}}/provide
rs?api-version={{apiVersion}}
?
REST API

14. Benefits
Desired-state deployment
Faster deployment
Role-based access control (RBAC)
Resource-provider model
Orchestration
Resource configuration
SQL - A Website Virtual
Machines
SQL-A
Website
[SQL CONFIG] VM (2x)
DEPENDS ON SQLDEPENDS ON SQL
SQLCONFIG
Image source - http://channel9.msdn.com/Events/Build/2014/2-607

15. Why
• Internal software development teams
– Quickly deploy technologies
– Rapidly create training environments
– Consistent deployment with enforced constraints
• Corporate IT
– Predefined environments for dev, QA, or production
– Provide LOB solutions
• ISV/CSV
– Hosting a solution for customers
– Inject solution into customer’s subscription
– Sell via Azure Marketplace
• Community / OSS
– Host on GitHub to allow community to share and improve.
?

16. DEMO
Browse the Azure Preview Portal
Browse the Azure Preview Portal

17. ARM Definitions
Resource: Atomic unit of deployment
Resource Group: Collection of resources
Resource Provider: Manages specific kinds of
resources
Resource Type: Specifies the type of resource

18. Resource Providers
Deploy specific types of resources
Identified by provider namespace
e.g., Microsoft.Compute, Microsoft.Storage, Microsoft.Web (~ 25 Microsoft or customer
namespaces)
Resource types
Each provider namespace manages one or more resource types
Microsoft.Compute/availabiltySets
Microsoft.Compute/virtualMachines
Microsoft.Compute/locations
Different regional availability and apiVersion

19. Resource Providers - PowerShell
Get-AzureLocation indicates which resourceTypes
are available in each region
Get-AzureProvider indicates which resource
providers and apiVersions are available in each region.
22
(Get-AzureProvider -ProviderNamespace Microsoft.Storage).ResourceTypes | Where {
$_.ResourceTypeName -eq 'storageAccounts' } | Select –ExpandProperty ApiVersions
(Get-AzureProvider -ProviderNamespace Microsoft.Storage).ResourceTypes | Where {
$_.ResourceTypeName -eq 'storageAccounts' } | Select -ExpandProperty Locations

20. Resource Group Definition
Name
Unique inside a subscription
Id
Unique across Azure
Location
Resources
Set of resources in the resource group
Tags
Resource group can be tagged to provide (billing) metadata

21. Resource Group Definition
PS C:> New-AzureResourceGroup -Name VSLiveNYC -Location "East US" -Tag @{Name=“Event"; Value=“VSLIVE"},
@{Name="Admin";Value="mcollier"}
VERBOSE: 9:52:35 PM - Created resource group ‘VSLiveNYC' in location 'eastus'
ResourceGroupName : VSLiveNYC
Location : eastus
ProvisioningState : Succeeded
Tags :
Name Value
========= ========
Event VSLIVE
Admin mcollier
Permissions :
Actions NotActions
======= ==========
*
ResourceId : /subscriptions/xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/VSLiveNYC

22. Resource Group Definition
C:UsersMCOLLIER>azure
info: _ _____ _ ___ ___
info: /_ |_ / | | | _ __|
info: _ ___/ _ __/ /| |_| | / _|___ _ _
info: (___ /_/ _/___|___/|_|____| _____)
info: (_______ _ _) _ ______ _)_ _
info: (______________ _ ) (___ _ _)
info:
info: Microsoft Azure: Microsoft's Cloud Platform
info:
info: Tool version 0.9.9
help:
help: Display help for a given command
help: help [options] [command]
help:
help: Log in to an Azure subscription using Active Directory. Currently, the user can login only via Microsoft organizational account
help: login [options] [username]
help:
help: Log out from Azure subscription using Active Directory. Currently, the user can log out only via Microsoft organizational account
help: logout [options] [username]
help:
help: Open the portal in a browser
help: portal [options]
help:
help: Commands:
help: account Commands to manage your account information and publish settings
help: config Commands to manage your local settings
help: hdinsight Commands to manage HDInsight clusters and jobs
help: mobile Commands to manage your Mobile Services
help: network Commands to manage your networks
help: sb Commands to manage your Service Bus configuration
help: service Commands to manage your Cloud Services
help: site Commands to manage your Web Sites
help: sql Commands to manage your SQL Server accounts
help: storage Commands to manage your Storage objects
help: vm Commands to manage your Virtual Machines
help:
help: Options:
help: -h, --help output usage information
help: -v, --version output the application version
help:
help: Current Mode: asm (Azure Service Management)

23. Resource Group Definition
C:UsersMCOLLIER>C:UsersMCOLLIER>azure login admin@mcollier.onmicrosoft.com
info: Executing command login
Password: ********
/info: Added subscription Visual Studio Ultimate with MSDN (Microsoft FTE)
info: Setting subscription "Visual Studio Ultimate with MSDN (Microsoft FTE)" as default
+
info: login command OK
C:UsersMCOLLIER>azure config mode arm
info: New mode is arm
C:C:UsersMCOLLIER>azure group create -n "vslivenyc2015-cli" -l "East US" -t event=vslive;admin=mcollier
info: Executing command group create
+ Getting resource group vslivenyc2015-cli
+ Creating resource group vslivenyc2015-cli
info: Created resource group vslivenyc2015-cli
data: Id: /subscriptions/0bbbc191-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/vslivenyc2015-cli
data: Name: vslivenyc2015-cli
data: Location: eastus
data: Provisioning State: Succeeded
data: Tags: event=vslive;admin=mcollier
data:
info: group create command OK
C:UsersMCOLLIER>

24. Resource Characteristics
Resource group
Resource exists in precisely one resource group at any time
Resource can be moved from one resource group to another
Location
Resource can be created in any region where there is an a
appropriate resource provider
Locks
Resource can be locked to prevent deletion
Tags
Resource can be tagged to provide (billing) metadata

25. Resource Group Characteristics
Two types of resource groups
Lifecycle
Shared
Lifecyle
Contains resources with common lifecycle and management
e.g., virtual machines and storage accounts for an application
Shared
Contains resources shared among several resource groups
e.g., VNETs used to host VMs from many applications

26. Resource Definition
Name
Unique for resource group and resource type (e.g.,
Microsoft.Compute/virtualMachines)
Id
Unique across Azure
/subscriptions/GUID/resourceGroups/myRG/providers/Microsoft.Compute/virtua
lMachines/vmName
Location
ResourceType
ResourceGroup
Properties
Additional properties specific to the resource provider
{
"apiVersion": "2015-05-01-preview",
"type": "Microsoft.Storage/storageAccounts",
"name": "[parameters('newStorageAccountName')]",
"location": "[resourceGroup().location]",
"tags": {
"displayName": "StorageAccount"
},
"properties": {
"accountType": "[variables('storageAccountType')]"
}
}

27. Resource Tags
Tag
Name/value pair
Provides metadata to classify resources and resource
groups
Resources and resource groups
An array of tags can be associated with a resource or a
resource group
Billing
Tags are surfaced to Azure bills so they can be used in
allocating resource costs
{
"apiVersion": "2015-05-01-preview",
"type": "Microsoft.Compute/availabilitySets",
"name": "[variables('availabilitySetName')]",
"location": "[resourceGroup().location]",
"tags": {
"displayName": "AvailabilitySet"
}
}
> New-AzureResourceGroup -Name VSLiveNYC -Location "East
US" -Tag @{Name=“Event"; Value=“VSLive"},
@{Name="Admin";Value="mcollier"}

28. Resource Locks
Prevents deletion of a resource or
resource group
Associate a resource lock with the resource or
resource group
Only the Owner or User Access Administrator
roles can create or modify locks

29. Resource Locks
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"name": "[parameters('newStorageAccountName')]",
"apiVersion": "2015-05-01-preview",
"location": "[parameters('location')]",
"properties": {
"accountType": "[parameters('storageAccountType')]"
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts/providers/locks",
"name": "[concat(parameters('newStorageAccountName'), '/Microsoft.Authorization/collierLock')]",
"apiVersion": "2015-01-01",
"dependsOn": [ "[concat('Microsoft.Storage/storageAccounts/', parameters('newStorageAccountName'))]" ],
"properties": {
"level": "CannotDelete",
"notes": "Mike's important files - do not delete!"
}
} ]
} ]
Options: CannotDelete and ReadOnly*
Name of the lock

30. Resource Locks
# Apply a resource lock to the storage account.
New-AzureResourceLock -LockLevel CanNotDelete `
-LockNotes 'No deleting!' `
-LockName 'CollierLock' `
-ResourceName $storageAccountName `
-ResourceType 'Microsoft.Storage/storageAccounts' `
-ResourceGroup $resourceGroup –Verbose
# Apply a resource lock to an entire resource group
New-AzureResourceLock -LockLevel CanNotDelete `
-LockNotes 'No deleting!' `
-LockName 'CollierGroupLock' `
-ResourceGroup 'CollierMedia' -Verbose

31. Resource Locks
More information:
https://michaelscollier.com/2015/06/21/lock-
down-your-azure-resources/

32. ROLE BASED ACCESS CONTROL
Azure Resource Groups

33. Motivation
ASM
Admins, co-admins and X.509 certs
No RBAC
Pushback from enterprises
Azure Active Directory
Cloud-scale directory service
ARM
AAD
RBAC

34. RBAC
Assign an AAD identity to a role at some scope
ARM mode
Role
Specifies a set of Actions and NotActions
Contains zero or more AAD identities
37

35. RBAC Scope

36. Know Your Role
Core system roles
Owner
Contributor
Reader
Security Manager
User Access Administrator
Resource-based roles
Virtual Machine Contributor
SQL Server Contributor
… (currently 20)
Custom roles
Announced at Ignite 2015

37. Know Your Role
Assign via PowerShell
New-AzureRoleAssignment
Remove-AzureRoleAssignment
Get-AzureRoleAssignment
Get-AzureRoleDefinition
New-AzureRoleAssignment `
-UserPrincipalName user@somedomain.com `
-RoleDefinitionName Reader `
-Scope
/subscriptions/GUID/resourceGroups/SomeResourceGroupName

38. Know Your Role
Assign via Azure Preview Portal

39. Know Your Role
Assign via Azure Preview Portal

40. Know Your Role
Assign via Azure Preview Portal

41. Know Your Role
Assign via Azure Preview Portal

42. Role Actions
Switch-AzureMode -Name AzureResourceManager
$roles = Get-AzureRoleDefinition #| where { $_.Name -like "SQL*"}
foreach ($def in $roles) {
Write-Host 'Role: '$def.Name
Write-Host 'Actions'
(Get-AzureRoleDefinition -Name $def.Name).Actions
Write-Host 'NotActions'
(Get-AzureRoleDefinition -Name $def.Name).NotActions
Write-Host ([Environment]::NewLine)
}

43. ARM TEMPLATES
Features and Deployment

44. ARM Deployment Options
ARM Templates
Desired-state deployment for a single resource group
Parameterized JSON template
Resources deployed in parallel
Resource dependency constraints enforced
Template language provides some built-in functions

45. ARM Deployment Options
> Switch-AzureMode
AzureResourceManager
* https://github.com/Azure/azure-
powershell/wiki/Deprecation-of-
Switch-AzureMode-in-Azure-
PowerShell
Azure PowerShell
azure config mode arm
Azure XPlat CLI
Azure Marketplace
Resource Manager stack
Azure Preview Portal
https://github.com/Azure/azure-quickstart-
templates
http://deploy.azure.com
Deploy To Azure
ARM mode
Resource-specific cmdlets
Template-deployment cmdlets

46. ARM Templates
Template file comprises several sections
parameters – parameterizes the deployment of a template
variables – provides variables used in the definition of resources
resources – specifies a goal state for a set of resources in a resource group
outputs – provides values to be returned from the template
Parameter file provides actual values for parameters
Goal state
Parameterized template provides the goal state for a resource group
Resource group specified at runtime

47. ARM Functions
ARM Templates supports small set of built-in functions
parameters, variables
reference, resourceGroup, resourceId
base64, concat, padLeft, padLeft, replace, toLower, toUpper
deployment, provider, subscription
listKeys
Not supported
User-defined functions
Control constructs – if, while, etc.

48. Loops and Nested Templates
Loops
Provide basic copy capability
Useful in cloning resource configuration
For example, deploying multiple VMs
Nested Templates
One template can invoke another
Simplifies creation of sophisticated templates
Supports parameters
Supports output variables

49. ARM Deployment Logs
Logs
Provider
Resource group
Resource
Availability
Kept for 15 days
Default is last hour (PowerShell)
Filter by Status e.g., Failed
PowerShell
Get-AzureResourceProviderLog
Get-AzureResourceGroupLog
Get-AzureResourceLog

50. DEMO
Explore and Deploy an ARM template

51. Inside vs. Outside the box
ARM Template
State Configuration /
Extensions

52. Inside vs. Outside the box
• Outside – part of the template
– VM, network topology, tags, RBAC, references to
certs/secrets, etc.
• Inside – executed by template only
– Configure server roles, configure software, deploy a
website, manage services, manage local users, etc.
– Extensions for PowerShell DSC, Chef, and Puppet.

53. Free Form . . . Ideal?
User selects arbitrary configuration
Number of nodes, VM sizes, disks, storage accounts, etc.
Maintenance overhead
Support for an undetermined number of configs
Subscription management
Resource limits per subscription
Density challenge – set aside capacity for potential use
Subscription creation cannot be automated

54. Known Configuration
T-Shirt Sizing
Size: Small, Medium, Large
Product/Audience: Community, Enterprise
Feature: Basic, High Availability
Flexibility within size to select number of resources (to
max)
Known sizing – known resources

55. Template Decomposition
59
Parameters
adminUserName
adminPassword
storageAccountName
region
virtualNetworkName
addressPrefix
subnetName
subnetPrefix
jumpbox
tshirtSize
osFamily
Template Metadata
Main Template
Known Configuration
Resources Template
Shared Resources Template
Widely Reusable Script(s)
Custom ScriptsMember Resources
Template(s)
Optional Resource
Template(s)
Image: https://azure.microsoft.com/en-us/documentation/articles/best-practices-resource-manager-design-templates/#identifying-what-is-outside-and-inside-of-a-vm

56. DEMO
Advanced ARM template

57. Summary
Application Lifecycle Management
Provision & deprovision resources for an application as a logical unit
Declarative
Rapid, repeatable deployment
Save application topology
Consistent Management API
Uniform REST API
Portal, Command Line, PowerShell, Visual Studio or other tools
ARM is the future of resource management in Azure

58. Resources
ARM Template Examples
– https://github.com/azure/azure-quickstart-templates
Best Practices for Designing Azure Resource Manager Templates
https://azure.microsoft.com/en-us/documentation/articles/best-practices-resource-manager-design-templates/
Rest API Reference
http://msdn.microsoft.com/en-us/library/azure/dn790568.aspx
ARM Template Functions
https://azure.microsoft.com/en-us/documentation/articles/resource-group-template-functions/
Azure Resource Explorer
https://resources.azure.com/
Microsoft Cloud Solution Architect Blog
http://aka.ms/csablog/

59. Questions?

60. Thank You!
Michael S. Collier
@MichaelCollier | www.michaelscollier.com
michael.collier@microsoft.com