introduction to azure resource manager, global azure bootcamp 2016.04
TRANSCRIPT
INTRODUCTION TO AZURE RESOURCE MANAGER
Łukasz Kałużny
Senior Cloud Architect @ MVP: Microsoft Azure
You can find me at: blog.kaluzny.pro, @kaluzaaa
AZURE RESOURCE MANAGER API
Areas of Focus: Deploy, Organize, Control
Resource Group
▷ container for multiple resources
▷ resources exist in one* resource group
▷ resource groups can span regions
▷ resource groups can span services
*and only one
Deployment
▷ tracks template execution
▷ created within a resource group
▷ allows nested deployments
Deploying with Azure Resource Manager
▷ template-driven
▷ declarative
▷ multi-service
▷ multi-region
▷ extensible
@ a glance - template language expressions*
base64encode('stringtoencode')
concat('string','to','encode')
copyIndex(offset)
listKeys(storageAccountResourceId, apiVersion)
padLeft(stringToPad,targetLength,paddingCharacter)
parameters('parameterName')
providers(namespace, resourceType)
reference(resourceId,apiVersion)
resourceGroup()
resourceId('namespace/resourceType', 'resourceName')
subscription()
variables('variables')
Advanced Template Scenarios
▷ Resource Extensions
   VM + DSC/Chef/Puppet/CustomScript/etc.
   AppService + WebDeploy
   SQL DB + BACPAC
▷ Copies
▷ Nested Templates
▷ NewOrExisting Patterns
TOOLS
▷ Visual Studio 2015 with Azure SDK
▷ https://resources.azure.com/
▷ Azure CLI
▷ Azure PowerShell (module)
DEMO 1
▷ New resource group gabc
▷ Deployment demo1.json from portal.azure.com
▷ WebApp
https://github.com/kaluzaaa/arm-WebAppForArmDemo/blob/master/demo1.json
DEMO 2
▷ Deployment demo2.json using Azure CLI
▷ Deployment app from GitHub
Commands
azure login
azure account set 1a961a9b-cc6a-4523-b095-58cea3bd2731
azure config mode arm
azure group deployment create -f "C:\Users\lukasz.kaluzny\Documents\GitHub\arm-WebAppForArmDemo\demo2.json" -g gabc -n azure -vv
https://github.com/kaluzaaa/arm-WebAppForArmDemo/blob/master/demo2.json
DEMO 3
▷ Deployment demo5.json using Azure PowerShell
▷ Deployment of app.setting, Storage Account, SQL Database & connectionstrings, app.setting
Commands
Login-AzureRmAccount
Select-AzureRmSubscription -SubscriptionId 1a961a9b-cc6a-4523-b095-58cea3bd2731
$tFile = "C:\Users\lukasz.kaluzny\Documents\GitHub\arm-WebAppForArmDemo\demo5.json"
New-AzureRmResourceGroupDeployment -ResourceGroupName gabc -TemplateFile $tFile -Mode Incremental -Name demo -Verbose
https://github.com/kaluzaaa/arm-WebAppForArmDemo/blob/master/demo5.json
DEMO 4 Export Resource Group as template
Organize
Organizing with Azure Resource Manager
▷ resource groups
▷ linked resources
▷ tags
App-centric Resource Groups and Templates
[Diagram labels: Resource Group; SQL DB, AppService, VirtualMachine; My 3 Tier Template; reference()]
App-centric Resource Groups and Tier-centric Templates
[Diagram labels: Resource Group; SQL DB, AppService, VirtualMachine; MyDB Tier Template, MyWeb Tier Template, MyVM Tier Template; reference()]
App-centric Resource Groups and Nested Templates
[Diagram labels: Resource Group; SQL DB, AppService, VirtualMachine; My Nested DB Tier Template, My Nested Web Tier Template, My Nested VM Tier Template; Parent Template; reference()]
Tier-centric Resource Groups and Templates
[Diagram labels: Resource Group; SQL DB, AppService, VirtualMachine; MyDB Tier Template, MyWeb Tier Template, MyVM Tier Template]
Linked Resource
[Diagram labels: Resource Group, Resource Group]
Resource Tags
▷ Name-value pairs assigned to resources or resource groups
▷ Subscription-wide taxonomy
▷ Each resource can have up to 15 tags
Tagging Tips
▷ Tag by environment, e.g. dev/test/prod
▷ Tag by role, e.g. web/cache/db
▷ Tag by department, e.g. finance/retail/legal
▷ Tag by responsible party, e.g. Bob
Control
Control with Azure Resource Manager
▷ role based access control
▷ audit logs
▷ resource locks
▷ Azure Resource Policy
Role Based Access Control
▷ Allows secure access with granular permissions
▷ Assignable to users, groups, or service principals
▷ Built-in roles make it easy to get started
Two Key Concepts
Role Definitions
• describes the set of permissions (e.g. read actions)
• can be used in multiple assignments
Role Assignments
• associate role definitions with an identity (e.g. user/group) at a scope (e.g. resource group)
• always inherited – subscription assignments apply to all resources
Role Based Access Control
/subscriptions/{id}/resourceGroups/{name}/providers/…/sites/{site}
Granular Scopes
▷ subscription level – grants permissions to all resources in the sub
▷ resource group level – grants permissions to all resources in the group
▷ resource level – grants permissions to the specific resource
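The scope inheritance described above, modelled as an added example (not code from the original slides or from Azure). The role definitions are simplified stand-ins, the identities and site names are constructed, the subscription id is a placeholder, and NotActions and deny assignments are left out.

```python
from fnmatch import fnmatchcase

# Simplified role definitions (assumption): role name -> permitted action patterns.
ROLE_DEFINITIONS = {
    "Reader": ["*/read"],
    "Website Contributor": ["Microsoft.Web/sites/*"],
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id
RG = SUB + "/resourceGroups/gabc"
SITE = RG + "/providers/Microsoft.Web/sites/demo-site"  # constructed resource

# Constructed role assignments: (identity, role definition, scope).
ROLE_ASSIGNMENTS = [
    ("alice", "Reader", SUB),               # subscription level
    ("bob", "Website Contributor", RG),     # resource group level
    ("carol", "Website Contributor", SITE), # resource level
]


def scope_covers(scope, resource_id):
    """True when resource_id is the scope itself or lies beneath it."""
    scope = scope.rstrip("/").lower()
    rid = resource_id.rstrip("/").lower()
    # Compare on a path-segment boundary so ".../gabc" does not cover ".../gabc2".
    return rid == scope or rid.startswith(scope + "/")


def is_allowed(identity, action, resource_id):
    """Check every assignment whose scope covers the resource (inheritance)."""
    for who, role, scope in ROLE_ASSIGNMENTS:
        if who != identity or not scope_covers(scope, resource_id):
            continue
        for pattern in ROLE_DEFINITIONS[role]:
            if fnmatchcase(action.lower(), pattern.lower()):
                return True
    return False


if __name__ == "__main__":
    for who in ("alice", "bob", "carol"):
        for action in ("Microsoft.Web/sites/read", "Microsoft.Web/sites/write"):
            print(who, action, is_allowed(who, action, SITE))
```

Running it shows the subscription-level Reader inheriting read access down to the site, while the resource-level assignment does not reach sibling resources.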
Audit Logs
▷ journals all write/delete/actions
▷ central location
▷ common format
Key Concepts
▷ Resource lock: Policy which enforces a "lock level" at a particular scope
▷ Lock level: Type of enforcement; current values include CanNotDelete and ReadOnly
▷ Scope: The realm to which the lock level is applied. Expressed as a URI; can be set at the resource group, or resource scope.
Azure Resource Policy
JSON - http://schema.management.azure.com/schemas/2015-10-01-preview/policyDefinition.json
{
  "if" : { <condition> | <logical operator> },
  "then" : { "effect" : "deny | audit | append" }
}
Usage examples:
▷ Chargeback: Require departmental tags
▷ Geo Compliance: Ensure resource locations
▷ Use Approved SKUs
▷ Naming Convention
▷ Tag requirement
DEMO
$policy = New-AzureRmPolicyDefinition -Name namingPolicy -Policy '{ "if" : { "not" : { "field" : "name", "like" : "test-*" } }, "then" : { "effect" : "deny" }}'
$subscription = Get-AzureRmSubscription -SubscriptionId 1a961a9b-cc6a-4523-b095-58cea3bd2731
$resourceGroup = Get-AzureRmResourceGroup -Name gabc
$scope = "/subscriptions/" + $subscription.SubscriptionId + "/resourceGroups/" + $resourceGroup.ResourceGroupName
New-AzureRmPolicyAssignment -Name serverNaming -PolicyDefinition $policy -Scope $scope
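A small offline evaluator for the if/then rule used in the demo, as an added example that is not part of the original slides or of Azure's policy engine. It handles only not/allOf/anyOf with equals, like and in, and assumes comparisons are case-insensitive; the location rule and the sample resources are constructed.

```python
import json
import re

# Rule from the demo above, verbatim.
NAMING_POLICY = json.loads(
    '{ "if" : { "not" : { "field" : "name", "like" : "test-*" } },'
    ' "then" : { "effect" : "deny" }}'
)
# Constructed rule for the "Geo Compliance" usage example (regions are samples).
LOCATION_POLICY = {
    "if": {"not": {"field": "location", "in": ["northeurope", "westeurope"]}},
    "then": {"effect": "deny"},
}
# Constructed sample resources.
SAMPLES = [
    {"name": "test-web01", "location": "westeurope"},
    {"name": "prod-web01", "location": "westeurope"},
    {"name": "test-db01", "location": "eastus"},
]

def _like(value, pattern):
    """'like' comparison: '*' is the wildcard (case-insensitivity is assumed)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def condition_holds(cond, resource):
    """Evaluate an "if" block against a dict of resource fields."""
    if "not" in cond:
        return not condition_holds(cond["not"], resource)
    if "allOf" in cond:
        return all(condition_holds(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_holds(c, resource) for c in cond["anyOf"])
    value = resource.get(cond["field"])
    if value is None:  # a missing field satisfies no comparison
        return False
    value = str(value)
    if "equals" in cond:
        return value.lower() == str(cond["equals"]).lower()
    if "like" in cond:
        return _like(value, cond["like"])
    if "in" in cond:
        return value.lower() in [str(v).lower() for v in cond["in"]]
    raise ValueError("unsupported condition: %r" % (cond,))

def evaluate(policy, resource):
    """Return the policy effect when the rule matches, otherwise None."""
    return policy["then"]["effect"] if condition_holds(policy["if"], resource) else None

if __name__ == "__main__":
    for r in SAMPLES:
        print(r["name"], evaluate(NAMING_POLICY, r), evaluate(LOCATION_POLICY, r))
```

Checking a rule this way before assigning it shows which existing names or locations a deny effect would start rejecting.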
Thanks! Any questions?
You can find me at: @[email protected]