Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Azure Resource Manager from A to Z

David Pazdera
September 03, 2022
Technology
0
2

Azure Resource Manager from A to Z

David Pazdera

September 03, 2022
Tweet

More Decks by David Pazdera

See All by David Pazdera
Azure Deployment Environments: A practical guide
pazdedav
0
2
Combining the power of Azure Verified Modules and private modules
pazdedav
0
24
A hitchhiker's guide to technical content creation and community work
pazdedav
0
2
Using AVD for privileged access in highly regulated environments
pazdedav
0
5
A practical guide to Test-Driven Development of infrastructure code
pazdedav
0
100
A practical guide to AVD Landing Zone Accelerator
pazdedav
0
260
Unified Operations and Management of your cross-premises server fleet with Azure Arc
pazdedav
0
57
Production readiness in Azure: A practical guide
pazdedav
1
190
Mortal Compat - Azure Automation vs. Functions
pazdedav
0
2.8k

Other Decks in Technology

See All in Technology
Zabbixチョットデキルとは!?
kujiraitakahiro
0
180
20250408 AI Agent workshop
sakana_ai
PRO
15
3.5k
.mdc駆動ナレッジマネジメント/.mdc-driven knowledge management
yodakeisuke
24
11k
10分でわかるfreeeのQA
freee
1
12k
NLP2025 参加報告会 / NLP2025
sansan_randd
4
510
20250413_湘南kaggler会_音声認識で使うのってメルス・・・なんだっけ?
sugupoko
1
390
Android는 어떻게 화면을 그릴까?
davidkwon7
0
100
Would you THINK such a demonstration interesting ?
shumpei3
1
160
Micro Frontends: Necessity, Implementation, and Challenges
rainerhahnekamp
2
350
Lakeflow Connectのご紹介
databricksjapan
0
100
フロントエンドも盛り上げたい!フロントエンドCBとAmplifyの軌跡
mkdev10
2
240
OSSコントリビュートをphp-srcメンテナの立場から語る / OSS Contribute
sakitakamachi
0
1.3k

Featured

See All Featured
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
Intergalactic Javascript Robots from Outer Space
tanoku
270
27k
Thoughts on Productivity
jonyablonski
69
4.6k
How to Ace a Technical Interview
jacobian
276
23k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
194
16k
Six Lessons from altMBA
skipperchong
27
3.7k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
231
53k
Speed Design
sergeychernyshev
29
880
Building Adaptive Systems
keathley
41
2.5k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
29
9.4k
The Language of Interfaces
destraynor
157
24k
Rails Girls Zürich Keynote
gr2m
94
13k

Transcript

  1. None
  2. None
  3. None
  4. None

  5. Everything is on GitHub github.com/pazdedav/arm-meetup • Slides • Templates •

    Scripts • Etc.

  6. The ASM is dead, long live the ARM?

  7. None

  8. Benefits       Deployments  

       

  9. AZURE RESOURCE MANAGER API

  10. None

  11. Microsoft.Compute, Microsoft.Storage, Microsoft.Web, NewRelic.APM virtualMachines, loadBalancers availability Get-AzureRmResourceProvider az provider

    list

  12.  Microsoft.Compute/virtualMachines /subscriptions/GUID/resourceGroups/myRG/providers/Microsoft.Compute /virtualMachines/vmName

  13. Jason is your best friend JSON is your best friend

    https://en.wikipedia.org/wiki/JSON

  14. SQL - A Website Virtual Machines SQL-A Website [SQL CONFIG]

    VM (2x) DEPENDS ON SQL DEPENDS ON SQL SQL CONFIG

  15. • $schema: Location of the JSON schema file that describes

    the version of the template language. • contentVersion: Version of the template (such as 1.0.0.0). Used for versioning. • parameters: Values that are provided when deployment is executed to customize resource deployment. • variables: Values that are used as JSON fragments in the template to simplify template language expressions. • resources: Types of services deployed. Minimum of 1. • output: Values that are returned after deployment. Note: Yellow sections are mandatory.

  16. • Parameter name and type are required • Allowed JSON

    types: string, secureString, int, bool, object, secureObject, array
  17. None

  18. • Required: • apiVersion • type • name

  19. • Name required • Output types supported are same as

    for parameters

  20. https://jsonlint.com/ https://jsonformatter.org/ here

  21. None
  22. None

  23. Episode 1: Template for Jen Simplifying resource deployment for users…

  24. None

  25. Icon Extension Name Description Azure Account Provides a single Azure

    sign-in and subscription filtering. Makes Azure’s Cloud Shell available in VS Code’s integrated terminal. Azure Resource Manager Tools Provides language support for ARM deployment templates and template language expressions. Azure Tools for Visual Studio Code Convenient features for devs: template repository search, deployment within VS Code, template exports, etc. Azure CLI Tools Tools for developing and running commands of the Azure CLI. Gives IntelliSense and snippets for .azcli scrapbooks. Azure Extension Pack A collection of extensions for working with Azure resources in VS Code, e.g. App Services, Functions, Microservices (docker tools, AKS, ACR), Storage, Databases, VSTS, IoT Azure ARM Template Helper VS-like tree-view for ARM templates including a few helpers (Preview)
  26. None

  27.  Postman ARMClient     Libraries Get-AzureRmResourceGroup az

    group list [--tag]

  28. JSON apiVersion 2016-01-01 Microsoft.Storage/storageAccounts mystorageaccount "location": "westus", "sku": { "name":

    "Standard_LRS" }, "kind": "Storage" HTTP Microsoft.Storage/storageAccounts/mystorageaccount api-version=2016-01-01 "location": "westus", "properties": { } "sku": { "name": "Standard_LRS" }, "kind": "Storage"

  29. Azure Status

  30. Deployment “engines” Template storage Runbook (PSH script) Workflow (ARM connector)

    Your code (Azure client libraries) Build definition (ARM deployment) Azure Resource Manager REST API Desktop

  31.  Tools Azure PowerShell Azure CLI Azure portal Resource Manager

    REST API  Mode default info

  32. https://docs.microsoft.com/en-us/rest/api/

  33. https://aka.ms/quotas/documentation link

  34. None

  35. link

  36. Episode 2: Douglas wants a catalogue Building a simple Service

    Catalogue…
  37. None
  38. None
  39. None
  40. None
  41. None

  42. BUILT-IN ROLE ACTIONS NOT ACTIONS Owner (allow all actions) *

    Contributor (allow all actions except writing or deleting role assignments) * Microsoft.Authorization/*/Write, Microsoft.Authorization/*/Delete Reader (allow all read actions) */Read

  43. Role Definitions • describes the set of permissions (e.g. read

    actions) • can be used in multiple assignments across your subscriptions Role Assignments • associate role definitions with an identity (e.g. user/group) at a scope (e.g. resource group) • always inherited – subscription assignments apply to all resources
  44. None

  45. RBAC - Granular Scopes /subscriptions/{id}/resourceGroups/{name}/providers/…/sites/{site} subscription level – grants permissions

    to all resources in the sub resource group level – grants permissions to all resources in the group resource level – grants permissions to the specific resource
  46. None

  47. "resources": [ { "type": "Microsoft.Compute/virtualMachines", "apiVersion": "2015-06-15", "name": "SimpleWindowsVM", "location":

    "[resourceGroup().location]", "tags": { "costCenter": "Finance" }, ... } ]

  48. policy is a default allow

  49. None

  50. info

  51. info

  52. Episode 3: New CISO arrives Adding some security and compliance

    stuff…
  53. None

  54. Reynholm Ind. – IT Security Policy for Azure • Least

    privilege for all users – limit number of subscription Owners • Secure production resources from accidental deletion and limiting who could remove locks • Apply mandatory tags for better resource and cost management (Environment, CostPool) • Production data stores cannot be deployed outside of EU. Compliance with this policy shall not be enforced first but it must be checked regularly.
  55. None

  56. info

  57. -Verbose

  58. None
  59. None
  60. None

  61. Usage

  62. Complete list available at https://azure.microsoft.com/en-in/documentation/articles/resource-group-template-functions/

  63. ▪ Use parameters for resource names that need to be

    set on the fly ▪ Use variables or hard-coded resource names otherwise ▪ camelCasing is recommended ▪ use “metadata” to add descriptions Consistency is key

  64. • TemplateLink must be visible to Resource Manager: http or

    https uri • Can use variables to create multiple URLs from base name

  65. { "apiVersion": "2015-05-01-preview", "type": "Microsoft.Compute/virtualMachines", "name": "[concat(parameters('vmNamePrefix'), copyindex())]", "location": "[parameters('location')]",

    "copy": { "name": "virtualMachineLoop", "count": "[parameters('numberOfInstances')]" }, "dependsOn": [ "[concat('Microsoft.Network/networkInterfaces/', 'nic', copyindex())]" ], "properties": { "hardwareProfile": { "vmSize": "[parameters('vmSize')]" }, "osProfile": { "computername": "[concat('vm', copyIndex())]", "adminUsername": "[parameters('adminUsername')]", "adminPassword": "[parameters('adminPassword')]" }, "storageProfile": { "osDisk": { "name": "[concat(parameters('vmNamePrefix'),'-osDisk',copyindex())]", "osType": "[parameters('osType')]", "caching": "ReadWrite", "image": { "uri": "[variables('userImageName')]" }, "vhd": { "uri": "[concat(variables('osDiskVhdContainer'),parameters('vmNamePrefix'),copyindex(),'osDisk.vh d')]" } } },

  66. "outputs": { "masterip": { "value": "[reference(concat(variables('nicName'),0)).ipConfigurations[0].properties.privateIPAddre ss]", "type":"string" }} "masterIpAddress":

    { "value": "[reference('master-node').outputs.masterip.value]" } }

  67. Name Value Description region String from a constrained list of

    Azure regions The location where the resources will be deployed. storageAccountNamePrefix String Unique DNS name for the Storage Account where the VM’s disks will be placed domainName String Domain name of the publicly accessible jumpbox VM in the format: {domainName}.{location}.cloudapp.co m For example: mydomainname.westus.cloudapp.azure. com adminUsername String Username for the VMs adminPassword String Password for the VMs tshirtSize String from a constrained list of offered t-shirt sizes The named scale unit size to provision. For example, “Small”, “Medium”, “Large” virtualNetworkName String Name of the virtual network that the consumer wants to use. jumpbox String from a constrained list (enabled/disabled) Parameter that identifies whether to enable a jumpbox for the environment. Values: “enabled”, “disabled”

  68. • No control flow logic built into ARM template language

    • An approach with parameters, variables, and linked templates – Use provides parameter value that provides context, e.g. tshirtSize parameter is passed in as a value of ‘small’ – Using concat and a pre-defined variable, a new variable value is created which points to the specific , e.g. ‘tshirtSize-small.json’ – Template linking is incorporated into the template and uses this new value to identify which template to deploy. – Common examples are “tshirt sizes” and optional features for a deployment, e.g. “enableJumpbox” Control Flow

  69. Best practices - security • Use Azure Key Vault with

    Resource Manager to orchestrate and store VM secrets and certificates • Separate keys from deployments – Template 1: Creation of vaults (which will contain the key material) – Template 2: Deployment of the VMs (with URI references to the keys contained in the vaults) • Use AD service principals for cross-subscription interactions • Use Network Security Groups to control traffic to VMs in a Virtual Network
  70. None

  71. Episode 4: Automated Moss Automating deployments and IT processes…

  72. None
  73. None

  74. MVA MVA Pluralsight Pluralsight azure.com link

  75. PDF

  76. http://azureinteractives.azurewebsites.net/ https://shell.azure.com

  77. None