azure arm getting started
TRANSCRIPT
Azure ARM getting startedHerman Keijzer PTS HMSP
Azure Templates can:• Ensure Idempotency• Simplify Orchestration• Simplify Roll-back• Provide Cross-Resource
Configuration and Update Support
Azure Templates are: • Source file, checked-in• Specifies resources and
dependencies (VMs, WebSites, DBs) and connections (config, LB sets)
• Parametized input/output
Instantiation of repeatable config.Configuration Resource Group
Power of Repeatability
SQL - A Website VirtualMachines
SQL-AWebsite[SQL CONFIG] VM (2x)
DEPENDS ON SQLDEPENDS ON SQL
SQLCONFIG
template-driven declarative idempotent multi-service multi-region extensible
Deploying with Azure Resource Manager
Why IaaS under ARM? Cloudformation Compete
Complex application templates Role based Access Control
Enterprise grade security Tags based billing
Superior cost management on the Cloud Deep Integration with
Azure Services Ex: Websites with Virtual Machines Enhanced Portal experiences
Azure Marketplace Solution templates
Regional ArchitectureIncreased Subscription ScaleIncreased throttling scaleEngineering Agility for features/fixes
Decoupled network modelClean separation of compute and network conceptsNetwork model resembles traditional physical devices
Reduced locking semanticsMassively parallel deployment of virtual machines
Enhanced Compute Capabilities Improved SSH Experience 3 fault domains and 20 update domains
Unified Azure StackOne single model to interact with the Microsoft Cloud
Simplified Manageability of Applications on IaaS
Upgrade
• complexity made simple• master template can be used to rollout
upgrades• imperative APIs, Client tools support to update
the resourcesManageability, Auditing
• operations can be tracked upto 90 days• management Locks to lock down resources from
deletion
Wide range of Quickstart Templates
Github Repo Indexed on Azure.com Community & Microsoft contributed
Integration of IaaS with Azure Services
Getting Started with Azure Templates
https://azure.microsoft.com/en-us/documentation/templates/
Github
https://github.com/Azure/azure-quickstart-templates
Cache
Consistent Management Layer
Azure Resource Manager
Website VM SQL DB
Resource Provider
…..
Provider Contract
https://management.azure.com/subscriptions/{{subscriptionId}}/providers?api-version={{apiVersion}}
Tools
?
REST API
Resource Manager: Building a VMResource Group
Subnet
Storage
VM
VNET
Public IP storageAccount- accountType
publicIPAddress- allocationMethod- domainNameLab
el
virtualNetwork- addressSpace- Subnet
- addressPrefix
networkInterface- privateIPAllocati
onMethod
virtualMachine- hardwareProfile- osProfile- storageProfile- networkProfile
NIC
Templates 101The Basics
Inside vs. Outside the boxARM Template
PowerShell DSCChef
PuppetCustom Script Ext (.ps1, .sh)
Inside vs. Outside the boxOutside – part of the templateVM, network topology, tags, RBAC, references to certs/secrets, etc.
Inside – executed by template onlyConfigure server roles, configure software, deploy a website, manage services, manage local users, etc.Extensions for PowerShell DSC, Chef, Puppet, and custom scripts.
The Basics{"$schema": "","contentVersion": "1.0.0.0","parameters":{},"variables": {},"resources": []}
The Basics - Parameters{"$schema": "","contentVersion": "1.0.0.0","parameters":{ "adminUsername": { "type": "string", "minLength": 1 }, "windowsOSVersion": { "type": "string", "defaultValue": "2012-R2-Datacenter", "allowedValues": [ "2008-R2-SP1", "2012-Datacenter", "2012-R2-Datacenter" ], "metadata": { "description": "The Windows version for the VM." } }},}
The Basics - Variables{"$schema": "","contentVersion": "1.0.0.0","parameters":{…}"variables": { "imagePublisher": "MicrosoftWindowsServer", "subnetName": "Subnet", "virtualNetworkName": "MyVNET", "vhdStorageType": "Standard_LRS", "vhdStorageName": "[concat('vhdstorage', uniqueString(resourceGroup().id))]", "vnetId": "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName'))]", "subnetRef": "[concat(variables('vnetId'), '/subnets/', variables('subnetName'))]",},}
The Basics - Resources{"$schema": "","contentVersion": "1.0.0.0","parameters":{…}"variables": {…}"resources": [ { "type": "Microsoft.Storage/storageAccounts", "name": "[variables('vhdStorageName')]", "apiVersion": "2015-06-15", "location": "[resourceGroup().location]", "tags": { "displayName": "StorageAccount" }, "properties": { "accountType": "[variables('vhdStorageType')]" } }, ]}
DSC Extension{ "name": "DSCExt1", "type": "extensions", "location": "[resourceGroup().location]", "apiVersion": "2015-05-01-preview", "dependsOn": [ "[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]" ], "properties": { "publisher": "Microsoft.Powershell", "type": "DSC", "typeHandlerVersion": "2.8", "settings": { "modulesUrl": "[parameters('modulesUrl')]", "configurationFunction": "ConfigureWebServer.ps1\\Main", "properties": { "MachineName": "[parameters('vmName')]", "WebDeployPackagePath": "[parameters('webdeploypkg')]", "UserName": "[parameters('adminUserName')]", "Password": "[parameters('adminPassword')]", } }, }}
URL to DSC ZIP
URL to WebDeploy ZIP
URLs must be publically accessible (not local files)* SAS Token
Template Language ExpressionsBuilding Blocks
Most Commonparameters('parameterName')variables('variableName')
concat('string', 'to', 'join')
Usage"variables":{"authorizationHeader": "[concat('Basic ', base64(variables('password')))]}
copyIndex()"parameters": { "numberOfInstances": { "type": "int", },"resources":[ { "apiVersion": "[variables('apiVersion')]", "type": "Microsoft.Compute/virtualMachines", "name": "[concat('myvm', copyIndex())]", "location": "[variables('location')]", "copy": { "name": "virtualMachineLoop", "count": "[parameters('numberOfInstances')]" }, "dependsOn": [ "[concat('Microsoft.Network/networkInterfaces/', 'nic', copyindex())]", "[concat('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]" ],……}
Create me N of these
myvm0myvm1….myvmN
Other FunctionsresourceGroup()resourceId(‘provider/resourceType', 'resourceName')
listKeys('storageAccountResourceId', '2015-05-01')]
uniqueString(resourceGroup().id)]toLower('mystring')
Complete list available at:https://azure.microsoft.com/en-us/documentation/articles/resource-group-template-functions/
Your First TemplateLet’s Do This!
orAny text editor!
Adding resources to the template"resources": [ { "name": "myStorageAccount", "type": "Microsoft.Storage/storageAccounts", "apiVersion": "2015-06-15", "location": "East US", "properties": { "accountType": "Standard_LRS" } } ],
Within the resources array we added a new object with an open and closing curly bracket. Within that object the common attributes (name, type, apiVersion, location and properties) are specified. The value of the properties attribute is enclosed in curly brackets, indicating that the value allows for multiple different child attributes. This template deploys a storage account configured with the type set to the Local Redundant Storage option in the East US region.
All resource types require some common attributes like "name" and "type". Azure Resource Manager uses these attributes to ensure that the correct resource provider is handling the request. The following common attributes are required across all resources. • name is used to name the deployed resource. Each
resource of the same resource type within a single resource group must be uniquely named. Depending on the resource type it may also require uniqueness at either subscription, tenant or global scopes.
• type contains the resource provider and the resource type within that resource provider.
• apiVersion is used to identify the API version for the resource type. Multiple API versions can exist for a single resource type. These API versions are used to identify the available properties of a resource type.
• location sets the region for the resource to be deployed into. This can be a region in Microsoft Azure or a region in Microsoft Azure Stack, hosted by a service provider or running in your datacenter
Besides these required common attributes, each different resource can have optional common attributes like tags or comments and will have properties that are resource specific. For example, a storage account requires a replication policy while a virtual network requires a subnet. Resource specific properties are configured in the properties attribute. • properties contain resource specific information
Adding parameters to the template"parameters": { "storageAccountType": { "type": "string", "defaultValue": "Standard_LRS", "allowedValues": [ "Standard_LRS", "Standard_GRS", "Standard_RAGRS" ] } },
The values for these parameters are requested from the tenant when a template is deployed. The values for the parameters can be passed to the template deployment in different ways.
A parameter requires a type, but can optionally contain a default value and allowed values. The type attribute specifies the expected type of input (string, int, bool, array, object, secureString). The type can also be used to render a user interface field when deploying the template from the tenant portal. The default value is used if no value is specified by the tenant at deployment time. If a parameter does not contain a default value, the tenant is required to submit a value when deploying the template
Adding parameters to the template, dynamic"resources": [ { "name": "storageAccount", "type": "Microsoft.Storage/storageAccounts", "apiVersion": "2015-06-15", "location": "East US", "properties": { "accountType": "[parameters('storageAccountType')]" } } ],
While the parameter has been specified, the parameter is not used in the resource yet. The hard-coded value of the storage account type needs to be replaced with the parameter. The value must refer to the correct parameter in the format parameters('parameterName') enclosed by two square brackets. The square brackets allow Azure Resource Manager to identify the content as a function to be evaluated instead of a static string.
Adding variables to the template"variables": { "storageAccountName": "myStorageAccountName" },
"resources": [ { "name": "[variables('storageAccountName')]", "type": "Microsoft.Storage/storageAccounts", "apiVersion": "2015-06-15", "location": "East US", "properties": { "accountType": "[parameters('storageAccountType')]" } } ],
Where parameters are used to request a value from the tenant at deployment time, a variable is a value that can be reused throughout the template without requiring user input
The variable can be referenced using the function: variables('variableName'). The function, just like the parameter function, is enclosed by two square brackets indicating that it should be evaluated by Azure Resource Manager accordingly.
Using functions in the template"variables": { "storageAccountName": "[concat(uniquestring(resourceGroup().id),'storage')]" },
we can concatenate a unique string to the text ‘storage’. This can be achieved by using the concat(), resourceGroup() and uniqueString() template functions.The storage account name is generated by concatenating a unique string that is derived from the id of the resource group that the template is being deployed to and the string 'storage'. Because the storage account resource already references the variable for the storageAccountName, the resource itself does not require a change to reflect the new value of the variable.
Using functions in the template"resources": [ { "name": "[variables('storageAccountName')]", "type": "Microsoft.Storage/storageAccounts", "apiVersion": "2015-06-15", "location": "[resourceGroup().location]", "properties": { "accountType": "[parameters('storageAccountType')]" } } ],
Although we have created a parameter for the storageAccountType, each time the template is deployed the storage account will always be created in "East US". That fixed value is specified in the location attribute of the resource. The obvious solution would be to define parameter for the location and ask the user for the region.. A template function solves this challenge. You can configure each resource to deploy to the same location as the target resource group using the template function resourceGroup().location, the template remains reusable across clouds and requires one less input from the tenant. Using this function each resources location ensures that all resources will be deployed in the same region as the resource group.
Adding output to the template"outputs": { "storageAccountEndpoint": { "type": "string", "value": "[variables('storageAccountName')]" } }
A template can also contain outputs. The outputs and their values are displayed and recorded when the deployment is finished. Outputs can be useful to display properties of a deployed resource (e.g. the FQDN of a web server). Each output requires a type (string, int, bool, array, object, secureString) and can contain template functions, parameters and variables.
Template deployment{ "$schema": "https://schema.management.azure.com/schemas/2015-0101/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "storageAccountType": { "type": "string", "defaultValue": "Standard_LRS", "allowedValues": [ "Standard_LRS", "Standard_GRS", "Standard_RAGRS" ] } }, "variables": { "storageAccountName": "[concat(uniquestring(resourceGroup().id),'storage')]" }, "resources": [ { "name": "[variables('storageAccountName')]", "type": "Microsoft.Storage/storageAccounts", "apiVersion": "2015-06-15", "location": "[resourceGroup().location]", "properties": { "accountType": "[parameters('storageAccountType')]" } } ], "outputs": { "storageAccountEndpoint": { "type": "string", "value": "[variables('storageAccountName')]" } }}
Parameter file{ "$schema": "https://schema.management.azure.com/schemas/2015-0101/deploymentParameters.json#", "contentVersion": "1.0.0.0", "parameters": { "storageAccountType": { "value": " Standard_GRS" } } }If you are frequently deploying your template during the authoring process, the values for the parameters need to be resubmitted each time. A parameter file can automate this process. A parameter file contains values for the parameters in the template, and can be parsed when the template is deployed. Instead of manually typing in the parameters, the values are pulled from the parameter file. You can create multiple parameter files, representing different stages of an environment (Development, Testing, Acceptance and Production – or, DTAP), different regions or different clouds.
Notice that the file has a different schema? This new schema has a contentVersion attribute like the previous schema but it also has a parameter attribute where you specify parameter names and values for your template deployment
Deployment using portal
Cut and past or create directly in the portal
Deployment using powershellLogin-AzureRmAccount$subscrName=“mysubscriptionname"Select-AzureRmSubscription -SubscriptionName $subscrName
$rgname = “demo44”New-AzureRmResourceGroupDeployment -Name testDeployment -ResourceGroupName $rgname -TemplateUri https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/101-vm-simple-windows/azuredeploy.json -Mode Incremental
Sample deploy directly from github using one of the quickstart templates
Deployment using cliAzure loginazure account set “mysubscription"azure config mode arm
azure group create -n examplegroup -l "West US“azure group deployment create -f "c:\MyTemplates\example.json" -e "c:\MyTemplates\example.params.json" -g examplegroup -n exampledeployment
Or
azure group deployment create --resource-group examplegroup --template-uri " https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/101-vm-simple-windows/azuredeploy.json "
Creating hyperlink
Creating hyperlink you can create a hyperlink to open the deployment option in the portal and use an existing template that is available via a publicly accessible URL. For this option, you commonly see template authors use a URL to the latest version of the ARM template hosted in a version control system). You can create a URL with a hyperlink to deploy your template
https://portal.azure.com/#create/Microsoft.Template/uri/<replace with the encoded raw path of your azuredeploy.json>
You can also create a HTML button with a hyperlink to deploy your template with the following HTML code. This button can also use an image hosted at http://azuredeploy.net that reads “Deploy to Azure”.
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/<replace with the encoded raw path of your azuredeploy.json>" target="_blank"> <img src="http://azuredeploy.net/deploybutton.png"/> </a>
Using visual studio
Using visual studio
Debugging
Debugging TemplatesTemplate ValidationTool with JSON validation (e.g. Visual Studio, Atom w/ JSONLint, etc.)
> Test-AzureRmResourceGroupDeployment-ResourceGroupName stirtrek2016 `-TemplateParameterFile .\azuredeploy.parameters.json `-TemplateFile .\azuredeploy.json
> azure group template validate stirtrek2016 --template-file .\azuredeploy.json --parameters-file .\azuredeploy.parameters.json
Deployment Debug Output-DeploymentDebugLogLevel
New-AzureRmResourceGroupDeployment -ResourceGroupName $resourceGroupName ` -TemplateFile "azuredeploy.json" ` -TemplateParameterFile "azuredeploy.parameters.json" ` -DeploymentDebugLogLevel All ` -Verbose `
{ All | None | Request | Response }
> azure group deployment create --debug-setting RequestContent{ All | None | RequestContent | ResponseContent }
Resource Group LoggingPortalPowerShellCLI
Resource Group LoggingPowerShell # Get logs for the resource group in the last 1 hourGet-AzureRmLog -ResourceGroup $resourceGroupName
# Get logs for the resource group since a specific time$startTime = (get-date).AddHours(-2).ToString('yyyy-MM-ddTHH:mm')Get-AzureRmLog -ResourceGroup $resourceGroupName -StartTime $startTime
# Get the logs for a resource provider since a specific time$startTime = (get-date).AddHours(-2).ToString('yyyy-MM-ddTHH:mm')Get-AzureRmLog -ResourceProvider "Microsoft.Compute" -StartTime $startTime ` -Status Failed -DetailedOutput
Resource Group LoggingCLI> azure group log show StirTrek2016 --json> azure group deployment show --resource-group StirTrek2016 --name MyDeployment> azure group deployment operation list --resource-group StirTrek2016 --name MyDeployment --json
Role Based Access Control
Granular Scopes
/subscriptions/{id}/resourceGroups/{name}/providers/…/sites/{site}
subscription level – grants permissions to all resources in the sub
resource group level – grants permissions to all resources in the group
resource level – grants permissions to the specific resource
OOPS
Resource Locks Accidents happen. Resource locks help
prevent them :)
Resource locks allow administrators to create policies which prevent write actions or prevent accidental deletion.
Key Concepts Resource lock
Policy which enforces a "lock level" at a particular scope Lock level
Type of enforcement; current values include CanNotDelete and ReadOnly
Scope: The realm to which the lock level is applied. Expressed as a URI; can
be set at the resource group, or resource scope.
• ARM Quick Start Templates• https://azure.Microsoft.com/en-us/documentation/templates• https://github.com/Azure/azure-quick-start-templates
• ARM Schemas• https://github.com/Azure/azure-resource-manager-schemas/tree/master/schemas
• ARM Best Practices• https://azure.microsoft.com/en-us/documentation/articles/best-practices-resource-manager-
design-templates/• https://docs.microsoft.com/nl-nl/azure/best-practices-resource-manager-state
• ARM Visualizer• http://armviz.io
• VS Code Extensions• https://github.com/Azure/azure-xplat-arm-tooling
• Getting Stated guide• http://download.microsoft.com/download/E/A/4/EA4017B5-F2ED-449A-897E-BD92E42479CE/
Getting_Started_With_Azure_Resource_Manager_white_paper_EN_US.pdf
ARM Resources
Thank you
Let us analyze one off the quickstart templates
https://github.com/Azure/azure-quickstart-templates/tree/master/101-vm-simple-windows
basic
Parameters
Parameters
A parameter requires a type, but can optionally contain a default value and allowed values. The type attribute specifies the expected type of input (string, int, bool, array, object, secureString). The default value is used if no value is specified by the tenant at deployment time. If a parameter does not contain a default value, the tenant is required to submit a value when deploying the template
Variables
Variables
The storageaccountname is concatenated a unique string to the text ‘sawinvm’. This is achieved by using the concat(), resourceGroup() and uniqueString() template functions.The storage account name is generated by concatenating a unique string that is derived from the id of the resource group that the template is being deployed to and the string ‘sawinvm'. Because the storage account resource already references the variable for the storageAccountName, the resource itself does not require a change to reflect the new value of the variable.
Resourceid function Returns the unique identifier of a resourcehttps://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-template-functions
Resources
Resources All resource types require some common attributes like "name" and "type". Azure Resource Manager uses these attributes to ensure that the correct resource provider is handling the request. The following common attributes are required across all resources. • name is used to name the deployed resource. Each resource of the same
resource type within a single resource group must be uniquely named. Depending on the resource type it may also require uniqueness at either subscription, tenant or global scopes.
• type contains the resource provider and the resource type within that resource provider.
• apiVersion is used to identify the API version for the resource type. Multiple API versions can exist for a single resource type. These API versions are used to identify the available properties of a resource type.
• location sets the region for the resource to be deployed into. This can be a region in Microsoft Azure or a region in Microsoft Azure Stack, hosted by a service provider or running in your datacenter
Besides these required common attributes, each different resource can have optional common attributes like tags or comments and will have properties that are resource specific. For example, a storage account requires a replication policy while a virtual network requires a subnet. Resource specific properties are configured in the properties attribute. • properties contain resource specific information
You can configure each resource to deploy to the same location as the target resource group using the template function resourceGroup().location
The variable is referenced using the function: variables('variableName').
the parameter is not used in the resource yet. The hard-coded value of the storage account type needs to be replaced with the parameter. The value must refer to the correct parameter in the format parameters('parameterName')
ResourcesThe variable is referenced using the function: variables('variableName').
You can configure each resource to deploy to the same location as the target resource group using the template function resourceGroup().location
For a given resource, there can be other resources that must exist before the resource is deployed. For example, a SQL server must exist before attempting to deploy a SQL database. You define this relationship by marking one resource as dependent on the other resource. You define a dependency with the dependsOn element, or by using the reference function. https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-define-dependencies
Resourceid function Returns the unique identifier of a resourcehttps://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-template-functions
Resources the parameter is not used in the resource yet. The hard-coded value of the storage account type needs to be replaced with the parameter. The value must refer to the correct parameter in the format parameters('parameterName')
The variable is referenced using the function: variables('variableName').
Resourceid function. Returns the unique identifier of a resourcehttps://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-template-functions
Concat function. Combines multiple string values and returns the concatenated string.https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-template-functions
Reference function Returns an object representing another resource's runtime state.https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-template-functions
Output