Inside Azure Resource Manager Michael S. Collier Cloud Solution Architect, Microsoft Level: Intermediate


Michael S. Collier
Cloud Solution Architect, Microsoft

[email protected]
@MichaelCollier
www.MichaelSCollier.com
http://aka.ms/csablog
http://aka.ms/fundamentalsofazure

Today’s Agenda
1. Current Challenges
2. Basics of Azure Resource Groups & Azure Resource Manager
3. Role Based Access Control
4. ARM Template Details

Managing Azure Deployments
• Azure Service Manager (ASM)
– Traditional way to deploy and manage applications hosted in Azure
– Production Portal
– PowerShell / CLI (default mode)
– REST API
• Azure Resource Manager (ARM)
– Modern way to deploy and manage applications hosted in Azure
– Preview “Ibiza” Portal
– PowerShell / CLI (ARM mode)
– REST API
– Azure Resource Management Library for .NET

The Challenge
• Deploy/Update logical group of resources
• Visualize related resources:
– Provision/Deprovision
– Costs
– Security/Permissions

Single Resource Point-of-View
• Deployment – complex.
• Coordinated deployment?
• Communication/configuration between resources?
(diagram: resources wired together by hand-maintained dependencies, e.g., connection details in web.config)

AZURE RESOURCE GROUPS

The Foundation

Azure Resource Groups
• Lifecycle of application and resources
• Declarative
• Consistent Management API

Azure Resource Manager
What is Azure Resource Manager?
• Resource Group: unit of management
– Lifecycle
– Identity
– Grouping
• One Resource -> One Resource Group

Resource Groups
One or Many?
(diagram: an application's resources split across several resource groups)

How are the resources managed?
(diagram: tools call the REST API of Azure Resource Manager, the consistent management layer, which hands each request to the matching resource provider (Website, VM, SQL DB, Cache, …) via the provider contract)
Provider contract: https://management.azure.com/subscriptions/{{subscriptionId}}/providers?api-version={{apiVersion}}

Benefits
• Desired-state deployment
• Faster deployment
• Role-based access control (RBAC)
• Resource-provider model
• Orchestration
• Resource configuration
(diagram: a template with SQL-A, a Website and VM (2x); the Website and the VMs depend on SQL, and the SQL config is passed to them)
Image source - http://channel9.msdn.com/Events/Build/2014/2-607

Why
• Internal software development teams
– Quickly deploy technologies
– Rapidly create training environments
– Consistent deployment with enforced constraints
• Corporate IT
– Predefined environments for dev, QA, or production
– Provide LOB solutions
• ISV/CSV
– Hosting a solution for customers
– Inject solution into customer’s subscription
– Sell via Azure Marketplace
• Community / OSS
– Host on GitHub to allow community to share and improve.

DEMO
Browse the Azure Preview Portal

ARM Definitions
• Resource: Atomic unit of deployment
• Resource Group: Collection of resources
• Resource Provider: Manages specific kinds of resources
• Resource Type: Specifies the type of resource

Resource Providers
• Deploy specific types of resources
• Identified by provider namespace, e.g., Microsoft.Compute, Microsoft.Storage, Microsoft.Web (~25 Microsoft or customer namespaces)
• Resource types: each provider namespace manages one or more resource types
– Microsoft.Compute/availabilitySets
– Microsoft.Compute/virtualMachines
– Microsoft.Compute/locations
• Regional availability and apiVersion differ per resource type

Resource Providers - PowerShell
• Get-AzureLocation indicates which resourceTypes are available in each region
• Get-AzureProvider indicates which resource providers and apiVersions are available in each region.

(Get-AzureProvider -ProviderNamespace Microsoft.Storage).ResourceTypes |
    Where { $_.ResourceTypeName -eq 'storageAccounts' } |
    Select -ExpandProperty ApiVersions

(Get-AzureProvider -ProviderNamespace Microsoft.Storage).ResourceTypes |
    Where { $_.ResourceTypeName -eq 'storageAccounts' } |
    Select -ExpandProperty Locations

Resource Group Definition
• Name: unique inside a subscription
• Id: unique across Azure
• Location
• Resources: set of resources in the resource group
• Tags: resource group can be tagged to provide (billing) metadata

Resource Group Definition
PS C:\> New-AzureResourceGroup -Name VSLiveNYC -Location "East US" -Tag @{Name="Event"; Value="VSLIVE"}, @{Name="Admin";Value="mcollier"}
VERBOSE: 9:52:35 PM - Created resource group 'VSLiveNYC' in location 'eastus'

ResourceGroupName : VSLiveNYC
Location          : eastus
ProvisioningState : Succeeded
Tags              :
                    Name      Value
                    ========= ========
                    Event     VSLIVE
                    Admin     mcollier

Permissions       :
                    Actions  NotActions
                    =======  ==========
                    *

ResourceId        : /subscriptions/xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/VSLiveNYC

Resource Group Definition
C:\Users\MCOLLIER>azure
info:    Microsoft Azure: Microsoft's Cloud Platform
info:
info:    Tool version 0.9.9
help:
help:    Display help for a given command
help:      help [options] [command]
help:
help:    Log in to an Azure subscription using Active Directory. Currently, the user can login only via Microsoft organizational account
help:      login [options] [username]
help:
help:    Log out from Azure subscription using Active Directory. Currently, the user can log out only via Microsoft organizational account
help:      logout [options] [username]
help:
help:    Open the portal in a browser
help:      portal [options]
help:
help:    Commands:
help:      account        Commands to manage your account information and publish settings
help:      config         Commands to manage your local settings
help:      hdinsight      Commands to manage HDInsight clusters and jobs
help:      mobile         Commands to manage your Mobile Services
help:      network        Commands to manage your networks
help:      sb             Commands to manage your Service Bus configuration
help:      service        Commands to manage your Cloud Services
help:      site           Commands to manage your Web Sites
help:      sql            Commands to manage your SQL Server accounts
help:      storage        Commands to manage your Storage objects
help:      vm             Commands to manage your Virtual Machines
help:
help:    Options:
help:      -h, --help     output usage information
help:      -v, --version  output the application version
help:
help:    Current Mode: asm (Azure Service Management)

C:\Users\MCOLLIER>azure login [email protected]
info:    Executing command login
Password: ********
info:    Added subscription Visual Studio Ultimate with MSDN (Microsoft FTE)
info:    Setting subscription "Visual Studio Ultimate with MSDN (Microsoft FTE)" as default
info:    login command OK

C:\Users\MCOLLIER>azure config mode arm
info:    New mode is arm

C:\Users\MCOLLIER>azure group create -n "vslivenyc2015-cli" -l "East US" -t event=vslive;admin=mcollier
info:    Executing command group create
+ Getting resource group vslivenyc2015-cli
+ Creating resource group vslivenyc2015-cli
info:    Created resource group vslivenyc2015-cli
data:    Id:                  /subscriptions/0bbbc191-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/vslivenyc2015-cli
data:    Name:                vslivenyc2015-cli
data:    Location:            eastus
data:    Provisioning State:  Succeeded
data:    Tags:                event=vslive;admin=mcollier
data:
info:    group create command OK

C:\Users\MCOLLIER>

Resource Characteristics
• Resource group
– Resource exists in precisely one resource group at any time
– Resource can be moved from one resource group to another
• Location
– Resource can be created in any region where there is an appropriate resource provider
• Locks
– Resource can be locked to prevent deletion
• Tags
– Resource can be tagged to provide (billing) metadata

Resource Group Characteristics
Two types of resource groups
• Lifecycle
– Contains resources with common lifecycle and management
– e.g., virtual machines and storage accounts for an application
• Shared
– Contains resources shared among several resource groups
– e.g., VNETs used to host VMs from many applications

Resource Definition
• Name: unique for resource group and resource type (e.g., Microsoft.Compute/virtualMachines)
• Id: unique across Azure
  /subscriptions/GUID/resourceGroups/myRG/providers/Microsoft.Compute/virtualMachines/vmName
• Location
• ResourceType
• ResourceGroup
• Properties: additional properties specific to the resource provider

{
  "apiVersion": "2015-05-01-preview",
  "type": "Microsoft.Storage/storageAccounts",
  "name": "[parameters('newStorageAccountName')]",
  "location": "[resourceGroup().location]",
  "tags": { "displayName": "StorageAccount" },
  "properties": { "accountType": "[variables('storageAccountType')]" }
}

Resource Tags
• Tag: name/value pair; provides metadata to classify resources and resource groups
• Resources and resource groups: an array of tags can be associated with a resource or a resource group
• Billing: tags are surfaced to Azure bills so they can be used in allocating resource costs

{
  "apiVersion": "2015-05-01-preview",
  "type": "Microsoft.Compute/availabilitySets",
  "name": "[variables('availabilitySetName')]",
  "location": "[resourceGroup().location]",
  "tags": { "displayName": "AvailabilitySet" }
}

> New-AzureResourceGroup -Name VSLiveNYC -Location "East US" -Tag @{Name="Event"; Value="VSLive"}, @{Name="Admin";Value="mcollier"}

Resource Locks
• Prevents deletion of a resource or resource group
• Associate a resource lock with the resource or resource group
• Only the Owner or User Access Administrator roles can create or modify locks

"resources": [
  {
    "type": "Microsoft.Storage/storageAccounts",
    "name": "[parameters('newStorageAccountName')]",
    "apiVersion": "2015-05-01-preview",
    "location": "[parameters('location')]",
    "properties": { "accountType": "[parameters('storageAccountType')]" },
    "resources": [
      {
        "type": "Microsoft.Storage/storageAccounts/providers/locks",
        "name": "[concat(parameters('newStorageAccountName'), '/Microsoft.Authorization/collierLock')]",
        "apiVersion": "2015-01-01",
        "dependsOn": [ "[concat('Microsoft.Storage/storageAccounts/', parameters('newStorageAccountName'))]" ],
        "properties": {
          "level": "CannotDelete",
          "notes": "Mike's important files - do not delete!"
        }
      }
    ]
  }
]

The last segment of the nested resource's name (collierLock) is the name of the lock. Options for "level": CannotDelete and ReadOnly.

# Apply a resource lock to the storage account.
New-AzureResourceLock -LockLevel CanNotDelete `
    -LockNotes 'No deleting!' `
    -LockName 'CollierLock' `
    -ResourceName $storageAccountName `
    -ResourceType 'Microsoft.Storage/storageAccounts' `
    -ResourceGroup $resourceGroup -Verbose

# Apply a resource lock to an entire resource group
New-AzureResourceLock -LockLevel CanNotDelete `
    -LockNotes 'No deleting!' `
    -LockName 'CollierGroupLock' `
    -ResourceGroup 'CollierMedia' -Verbose

More information: https://michaelscollier.com/2015/06/21/lock-down-your-azure-resources/

ROLE BASED ACCESS CONTROL

Azure Resource Groups

Motivation
• ASM
– Admins, co-admins and X.509 certs
– No RBAC
– Pushback from enterprises
• Azure Active Directory
– Cloud-scale directory service
(diagram: ARM and AAD together give RBAC)
• RBAC: assign an AAD identity to a role at some scope
• ARM mode only
• Role
– Specifies a set of Actions and NotActions
– Contains zero or more AAD identities

RBAC Scope
(diagram: assignments at subscription, resource group or resource scope)

Know Your Role
• Core system roles
– Owner
– Contributor
– Reader
– Security Manager
– User Access Administrator
• Resource-based roles
– Virtual Machine Contributor
– SQL Server Contributor
– … (currently 20)
• Custom roles
– Announced at Ignite 2015

Know Your Role
Assign via PowerShell
• New-AzureRoleAssignment
• Remove-AzureRoleAssignment
• Get-AzureRoleAssignment
• Get-AzureRoleDefinition

New-AzureRoleAssignment `
    -UserPrincipalName [email protected] `
    -RoleDefinitionName Reader `
    -Scope /subscriptions/GUID/resourceGroups/SomeResourceGroupName

Know Your Role
Assign via Azure Preview Portal
(portal screenshots)

Role Actions
Switch-AzureMode -Name AzureResourceManager

$roles = Get-AzureRoleDefinition #| where { $_.Name -like "SQL*"}

foreach ($def in $roles) {
    Write-Host 'Role: '$def.Name
    Write-Host 'Actions' (Get-AzureRoleDefinition -Name $def.Name).Actions
    Write-Host 'NotActions' (Get-AzureRoleDefinition -Name $def.Name).NotActions
    Write-Host ([Environment]::NewLine)
}
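An added example, not from the deck, that models how the Actions/NotActions lists printed by the script above are evaluated: an operation is permitted when some assignment for the principal sits at a scope covering the resource's ID, an Action of the role matches the operation, and no NotAction subtracts it. The role definitions are abbreviated, and the subscription ID and principals are constructed placeholders.

```python
import re

# Constructed, abbreviated role definitions in the Actions/NotActions shape
# that Get-AzureRoleDefinition returns; the real built-in roles list more.
ROLES = {
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Contributor": {"Actions": ["*"],
                    "NotActions": ["Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete"]},
}


def action_matches(pattern, operation):
    """'*' in an Actions/NotActions entry matches any run of characters, case-insensitively."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def role_permits(role, operation):
    """A role permits an operation if an Action matches it and no NotAction subtracts it."""
    r = ROLES[role]
    return (any(action_matches(a, operation) for a in r["Actions"])
            and not any(action_matches(n, operation) for n in r["NotActions"]))


def in_scope(scope, resource_id):
    """An assignment made at a scope is inherited by every resource ID beneath it."""
    s, r = scope.lower().rstrip("/"), resource_id.lower()
    return r == s or r.startswith(s + "/")


def is_allowed(assignments, principal, operation, resource_id):
    """Assignments are additive: any one covering the resource and the operation suffices."""
    return any(a["principal"].lower() == principal.lower()
               and in_scope(a["scope"], resource_id)
               and role_permits(a["role"], operation)
               for a in assignments)


# Constructed assignments (placeholder subscription ID, fictitious principals),
# mirroring the New-AzureRoleAssignment call on the earlier slide.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/VSLiveNYC"
ASSIGNMENTS = [
    {"principal": "auditor@contoso.example", "role": "Reader", "scope": SUB},
    {"principal": "dev@contoso.example", "role": "Contributor", "scope": RG},
]
VM = RG + "/providers/Microsoft.Compute/virtualMachines/web01"
OTHER_VM = SUB + "/resourceGroups/Finance/providers/Microsoft.Compute/virtualMachines/db01"
```

The Contributor case shows why NotActions matter: the role can change the VM but cannot write role assignments in its own resource group, so it cannot widen its own access.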

ARM TEMPLATES
Features and Deployment

ARM Deployment Options
ARM Templates
• Desired-state deployment for a single resource group
• Parameterized JSON template
• Resources deployed in parallel
• Resource dependency constraints enforced
• Template language provides some built-in functions

ARM Deployment Options
(diagram: ARM templates reach the Resource Manager stack through Azure PowerShell, the Azure XPlat CLI, the Azure Marketplace, the Azure Preview Portal and the "Deploy To Azure" button)
• Azure PowerShell: > Switch-AzureMode AzureResourceManager *
• Azure XPlat CLI: azure config mode arm
• Azure Marketplace
• Azure Preview Portal
• Deploy To Azure: http://deploy.azure.com
• Quickstart templates: https://github.com/Azure/azure-quickstart-templates
* https://github.com/Azure/azure-powershell/wiki/Deprecation-of-Switch-AzureMode-in-Azure-PowerShell

ARM mode
• Resource-specific cmdlets
• Template-deployment cmdlets

ARM Templates
Template file comprises several sections
• parameters – parameterizes the deployment of a template
• variables – provides variables used in the definition of resources
• resources – specifies a goal state for a set of resources in a resource group
• outputs – provides values to be returned from the template
Parameter file provides actual values for parameters

Goal state
• Parameterized template provides the goal state for a resource group
• Resource group specified at runtime

ARM Functions
ARM Templates support a small set of built-in functions
• parameters, variables
• reference, resourceGroup, resourceId
• base64, concat, padLeft, replace, toLower, toUpper
• deployment, provider, subscription
• listKeys

Not supported
• User-defined functions
• Control constructs – if, while, etc.
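An added offline check, not from the deck, run over a constructed template in the section layout just described and in the shape of the Resource Locks slide: it flags parameters() / variables() references that are never declared, parameters that look like secrets but are not typed securestring, and storage accounts deployed without a CannotDelete or ReadOnly child lock. The second, unlocked account and all names are assumptions.

```python
import json
import re

# Constructed ARM template modelled on the deck's storage-account-plus-lock
# slide; the second, unlocked account is an assumption added for the checks.
TEMPLATE = json.loads("""{
  "parameters": {"newStorageAccountName": {"type": "string"},
                 "adminPassword": {"type": "string"}},
  "variables": {"storageAccountType": "Standard_LRS"},
  "resources": [
    {"type": "Microsoft.Storage/storageAccounts",
     "name": "[parameters('newStorageAccountName')]",
     "apiVersion": "2015-05-01-preview", "location": "[parameters('location')]",
     "properties": {"accountType": "[variables('storageAccountType')]"},
     "resources": [{"type": "Microsoft.Storage/storageAccounts/providers/locks",
        "name": "[concat(parameters('newStorageAccountName'), '/Microsoft.Authorization/collierLock')]",
        "apiVersion": "2015-01-01",
        "dependsOn": ["[concat('Microsoft.Storage/storageAccounts/', parameters('newStorageAccountName'))]"],
        "properties": {"level": "CannotDelete"}}]},
    {"type": "Microsoft.Storage/storageAccounts", "name": "logs2015",
     "apiVersion": "2015-05-01-preview", "location": "[resourceGroup().location]",
     "properties": {"accountType": "[variables('storageAccountType')]"}}]}""")

REF = re.compile(r"(parameters|variables)\('([^']+)'\)")

def undeclared_references(template):
    """(section, name) pairs used in template expressions but never declared."""
    text = json.dumps(template["resources"])
    return sorted({(k, n) for k, n in REF.findall(text) if n not in template.get(k, {})})

def insecure_secrets(template):
    """Parameters that look like secrets but are not declared as securestring."""
    return sorted(n for n, p in template["parameters"].items()
                  if re.search("password|secret|key", n, re.I)
                  and p.get("type", "").lower() != "securestring")

def unlocked(template, types=("Microsoft.Storage/storageAccounts",)):
    """Names of resources of the given types lacking a CannotDelete/ReadOnly child lock."""
    result = []
    for r in template["resources"]:
        if r["type"] not in types:
            continue
        locks = [c for c in r.get("resources", [])
                 if c["type"].endswith("/providers/locks")
                 and c.get("properties", {}).get("level") in ("CannotDelete", "ReadOnly")]
        if not locks:
            result.append(r["name"])
    return result
```

On the constructed template the checks report the undeclared 'location' parameter, the plain-string adminPassword, and the unlocked logs2015 account.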

Loops and Nested Templates
• Loops
– Provide basic copy capability
– Useful in cloning resource configuration
– For example, deploying multiple VMs
• Nested Templates
– One template can invoke another
– Simplifies creation of sophisticated templates
– Supports parameters
– Supports output variables

ARM Deployment Logs
• Logs
– Provider
– Resource group
– Resource
• Availability
– Kept for 15 days
– Default is last hour (PowerShell)
– Filter by Status, e.g., Failed
• PowerShell
– Get-AzureResourceProviderLog
– Get-AzureResourceGroupLog
– Get-AzureResourceLog

DEMO
Explore and Deploy an ARM template

Inside vs. Outside the box
(diagram: the ARM Template on the outside of the box; State Configuration / Extensions on the inside)
• Outside – part of the template
– VM, network topology, tags, RBAC, references to certs/secrets, etc.
• Inside – executed by template only
– Configure server roles, configure software, deploy a website, manage services, manage local users, etc.
– Extensions for PowerShell DSC, Chef, and Puppet.

Free Form . . . Ideal?
• User selects arbitrary configuration
– Number of nodes, VM sizes, disks, storage accounts, etc.
• Maintenance overhead
– Support for an undetermined number of configs
• Subscription management
– Resource limits per subscription
– Density challenge – set aside capacity for potential use
– Subscription creation cannot be automated

Known Configuration
T-Shirt Sizing
• Size: Small, Medium, Large
• Product/Audience: Community, Enterprise
• Feature: Basic, High Availability
• Flexibility within size to select number of resources (to max)
• Known sizing – known resources

Template Decomposition
(diagram elements: Template Metadata; Main Template; Known Configuration Resources Template; Shared Resources Template; Member Resources Template(s); Optional Resource Template(s); Custom Scripts; Widely Reusable Script(s))
Parameters: adminUserName, adminPassword, storageAccountName, region, virtualNetworkName, addressPrefix, subnetName, subnetPrefix, jumpbox, tshirtSize, osFamily
Image: https://azure.microsoft.com/en-us/documentation/articles/best-practices-resource-manager-design-templates/#identifying-what-is-outside-and-inside-of-a-vm

DEMO
Advanced ARM template

Summary
• Application Lifecycle Management
– Provision & deprovision resources for an application as a logical unit
• Declarative
– Rapid, repeatable deployment
– Save application topology
• Consistent Management API
– Uniform REST API
– Portal, Command Line, PowerShell, Visual Studio or other tools
• ARM is the future of resource management in Azure

Resources
• ARM Template Examples
– https://github.com/azure/azure-quickstart-templates
• Best Practices for Designing Azure Resource Manager Templates
– https://azure.microsoft.com/en-us/documentation/articles/best-practices-resource-manager-design-templates/
• Rest API Reference
– http://msdn.microsoft.com/en-us/library/azure/dn790568.aspx
• ARM Template Functions
– https://azure.microsoft.com/en-us/documentation/articles/resource-group-template-functions/
• Azure Resource Explorer
– https://resources.azure.com/
• Microsoft Cloud Solution Architect Blog
– http://aka.ms/csablog/

Questions?

Thank You!

Michael S. Collier
@MichaelCollier | www.michaelscollier.com

[email protected]