Azure ARM getting startedHerman Keijzer PTS HMSP

Azure Templates can:• Ensure Idempotency• Simplify Orchestration• Simplify Roll-back• Provide Cross-Resource

Configuration and Update Support

Azure Templates are: • Source file, checked-in• Specifies resources and

dependencies (VMs, WebSites, DBs) and connections (config, LB sets)

• Parametized input/output

Instantiation of repeatable config.Configuration Resource Group

Power of Repeatability

SQL - A Website VirtualMachines

SQL-AWebsite[SQL CONFIG] VM (2x)

DEPENDS ON SQLDEPENDS ON SQL

SQLCONFIG

template-driven declarative idempotent multi-service multi-region extensible

Deploying with Azure Resource Manager

Why IaaS under ARM? Cloudformation Compete

Complex application templates Role based Access Control

Enterprise grade security Tags based billing

Superior cost management on the Cloud Deep Integration with

Azure Services Ex: Websites with Virtual Machines Enhanced Portal experiences

Azure Marketplace Solution templates

Regional ArchitectureIncreased Subscription ScaleIncreased throttling scaleEngineering Agility for features/fixes

Decoupled network modelClean separation of compute and network conceptsNetwork model resembles traditional physical devices

Reduced locking semanticsMassively parallel deployment of virtual machines

Enhanced Compute Capabilities Improved SSH Experience 3 fault domains and 20 update domains

Unified Azure StackOne single model to interact with the Microsoft Cloud

Simplified Manageability of Applications on IaaS

Upgrade

• complexity made simple• master template can be used to rollout

upgrades• imperative APIs, Client tools support to update

the resourcesManageability, Auditing

• operations can be tracked upto 90 days• management Locks to lock down resources from

deletion

Wide range of Quickstart Templates

Github Repo Indexed on Azure.com Community & Microsoft contributed

Integration of IaaS with Azure Services

Getting Started with Azure Templates

https://azure.microsoft.com/en-us/documentation/templates/

Github

https://github.com/Azure/azure-quickstart-templates

Cache

Consistent Management Layer

Azure Resource Manager

Website VM SQL DB

Resource Provider

…..

Provider Contract

https://management.azure.com/subscriptions/{{subscriptionId}}/providers?api-version={{apiVersion}}

Tools

?

REST API

Resource Manager: Building a VMResource Group

Subnet

Storage

VM

VNET

Public IP storageAccount- accountType

publicIPAddress- allocationMethod- domainNameLab

el

virtualNetwork- addressSpace- Subnet

- addressPrefix

networkInterface- privateIPAllocati

onMethod

virtualMachine- hardwareProfile- osProfile- storageProfile- networkProfile

NIC

Templates 101The Basics

Inside vs. Outside the boxARM Template

PowerShell DSCChef

PuppetCustom Script Ext (.ps1, .sh)

Inside vs. Outside the boxOutside – part of the templateVM, network topology, tags, RBAC, references to certs/secrets, etc.

Inside – executed by template onlyConfigure server roles, configure software, deploy a website, manage services, manage local users, etc.Extensions for PowerShell DSC, Chef, Puppet, and custom scripts.

The Basics{"$schema": "","contentVersion": "1.0.0.0","parameters":{},"variables": {},"resources": []}

The Basics - Parameters{"$schema": "","contentVersion": "1.0.0.0","parameters":{ "adminUsername": { "type": "string", "minLength": 1 }, "windowsOSVersion": { "type": "string", "defaultValue": "2012-R2-Datacenter", "allowedValues": [ "2008-R2-SP1", "2012-Datacenter", "2012-R2-Datacenter" ], "metadata": { "description": "The Windows version for the VM." } }},}

The Basics - Variables{"$schema": "","contentVersion": "1.0.0.0","parameters":{…}"variables": { "imagePublisher": "MicrosoftWindowsServer", "subnetName": "Subnet", "virtualNetworkName": "MyVNET", "vhdStorageType": "Standard_LRS", "vhdStorageName": "[concat('vhdstorage', uniqueString(resourceGroup().id))]", "vnetId": "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName'))]", "subnetRef": "[concat(variables('vnetId'), '/subnets/', variables('subnetName'))]",},}

The Basics - Resources{"$schema": "","contentVersion": "1.0.0.0","parameters":{…}"variables": {…}"resources": [ { "type": "Microsoft.Storage/storageAccounts", "name": "[variables('vhdStorageName')]", "apiVersion": "2015-06-15", "location": "[resourceGroup().location]", "tags": { "displayName": "StorageAccount" }, "properties": { "accountType": "[variables('vhdStorageType')]" } }, ]}

DSC Extension{ "name": "DSCExt1", "type": "extensions", "location": "[resourceGroup().location]", "apiVersion": "2015-05-01-preview", "dependsOn": [ "[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]" ], "properties": { "publisher": "Microsoft.Powershell", "type": "DSC", "typeHandlerVersion": "2.8", "settings": { "modulesUrl": "[parameters('modulesUrl')]", "configurationFunction": "ConfigureWebServer.ps1\\Main", "properties": { "MachineName": "[parameters('vmName')]", "WebDeployPackagePath": "[parameters('webdeploypkg')]", "UserName": "[parameters('adminUserName')]", "Password": "[parameters('adminPassword')]", } }, }}

URL to DSC ZIP

URL to WebDeploy ZIP

URLs must be publically accessible (not local files)* SAS Token

Template Language ExpressionsBuilding Blocks

Most Commonparameters('parameterName')variables('variableName')

concat('string', 'to', 'join')

Usage"variables":{"authorizationHeader": "[concat('Basic ', base64(variables('password')))]}

copyIndex()"parameters": { "numberOfInstances": { "type": "int", },"resources":[ { "apiVersion": "[variables('apiVersion')]", "type": "Microsoft.Compute/virtualMachines", "name": "[concat('myvm', copyIndex())]", "location": "[variables('location')]", "copy": { "name": "virtualMachineLoop", "count": "[parameters('numberOfInstances')]" }, "dependsOn": [ "[concat('Microsoft.Network/networkInterfaces/', 'nic', copyindex())]", "[concat('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]" ],……}

Create me N of these

myvm0myvm1….myvmN

Other FunctionsresourceGroup()resourceId(‘provider/resourceType', 'resourceName')

listKeys('storageAccountResourceId', '2015-05-01')]

uniqueString(resourceGroup().id)]toLower('mystring')

Complete list available at:https://azure.microsoft.com/en-us/documentation/articles/resource-group-template-functions/

Your First TemplateLet’s Do This!

orAny text editor!

Adding resources to the template"resources": [ { "name": "myStorageAccount", "type": "Microsoft.Storage/storageAccounts", "apiVersion": "2015-06-15", "location": "East US", "properties": { "accountType": "Standard_LRS" } } ],

Within the resources array we added a new object with an open and closing curly bracket. Within that object the common attributes (name, type, apiVersion, location and properties) are specified. The value of the properties attribute is enclosed in curly brackets, indicating that the value allows for multiple different child attributes. This template deploys a storage account configured with the type set to the Local Redundant Storage option in the East US region.

All resource types require some common attributes like "name" and "type". Azure Resource Manager uses these attributes to ensure that the correct resource provider is handling the request. The following common attributes are required across all resources. • name is used to name the deployed resource. Each

resource of the same resource type within a single resource group must be uniquely named. Depending on the resource type it may also require uniqueness at either subscription, tenant or global scopes.

• type contains the resource provider and the resource type within that resource provider.

• apiVersion is used to identify the API version for the resource type. Multiple API versions can exist for a single resource type. These API versions are used to identify the available properties of a resource type.

• location sets the region for the resource to be deployed into. This can be a region in Microsoft Azure or a region in Microsoft Azure Stack, hosted by a service provider or running in your datacenter

Besides these required common attributes, each different resource can have optional common attributes like tags or comments and will have properties that are resource specific. For example, a storage account requires a replication policy while a virtual network requires a subnet. Resource specific properties are configured in the properties attribute. • properties contain resource specific information

Adding parameters to the template"parameters": { "storageAccountType": { "type": "string", "defaultValue": "Standard_LRS", "allowedValues": [ "Standard_LRS", "Standard_GRS", "Standard_RAGRS" ] } },

The values for these parameters are requested from the tenant when a template is deployed. The values for the parameters can be passed to the template deployment in different ways.

A parameter requires a type, but can optionally contain a default value and allowed values. The type attribute specifies the expected type of input (string, int, bool, array, object, secureString). The type can also be used to render a user interface field when deploying the template from the tenant portal. The default value is used if no value is specified by the tenant at deployment time. If a parameter does not contain a default value, the tenant is required to submit a value when deploying the template

Adding parameters to the template, dynamic"resources": [ { "name": "storageAccount", "type": "Microsoft.Storage/storageAccounts", "apiVersion": "2015-06-15", "location": "East US", "properties": { "accountType": "[parameters('storageAccountType')]" } } ],

While the parameter has been specified, the parameter is not used in the resource yet. The hard-coded value of the storage account type needs to be replaced with the parameter. The value must refer to the correct parameter in the format parameters('parameterName') enclosed by two square brackets. The square brackets allow Azure Resource Manager to identify the content as a function to be evaluated instead of a static string.

Adding variables to the template"variables": { "storageAccountName": "myStorageAccountName" },

"resources": [ { "name": "[variables('storageAccountName')]", "type": "Microsoft.Storage/storageAccounts", "apiVersion": "2015-06-15", "location": "East US", "properties": { "accountType": "[parameters('storageAccountType')]" } } ],

Where parameters are used to request a value from the tenant at deployment time, a variable is a value that can be reused throughout the template without requiring user input

The variable can be referenced using the function: variables('variableName'). The function, just like the parameter function, is enclosed by two square brackets indicating that it should be evaluated by Azure Resource Manager accordingly.

Using functions in the template"variables": { "storageAccountName": "[concat(uniquestring(resourceGroup().id),'storage')]" },

we can concatenate a unique string to the text ‘storage’. This can be achieved by using the concat(), resourceGroup() and uniqueString() template functions.The storage account name is generated by concatenating a unique string that is derived from the id of the resource group that the template is being deployed to and the string 'storage'. Because the storage account resource already references the variable for the storageAccountName, the resource itself does not require a change to reflect the new value of the variable.

Using functions in the template"resources": [ { "name": "[variables('storageAccountName')]", "type": "Microsoft.Storage/storageAccounts", "apiVersion": "2015-06-15", "location": "[resourceGroup().location]", "properties": { "accountType": "[parameters('storageAccountType')]" } } ],

Although we have created a parameter for the storageAccountType, each time the template is deployed the storage account will always be created in "East US". That fixed value is specified in the location attribute of the resource. The obvious solution would be to define parameter for the location and ask the user for the region.. A template function solves this challenge. You can configure each resource to deploy to the same location as the target resource group using the template function resourceGroup().location, the template remains reusable across clouds and requires one less input from the tenant. Using this function each resources location ensures that all resources will be deployed in the same region as the resource group.

Adding output to the template"outputs": { "storageAccountEndpoint": { "type": "string", "value": "[variables('storageAccountName')]" } }

A template can also contain outputs. The outputs and their values are displayed and recorded when the deployment is finished. Outputs can be useful to display properties of a deployed resource (e.g. the FQDN of a web server). Each output requires a type (string, int, bool, array, object, secureString) and can contain template functions, parameters and variables.

Template deployment{ "$schema": "https://schema.management.azure.com/schemas/2015-0101/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "storageAccountType": { "type": "string", "defaultValue": "Standard_LRS", "allowedValues": [ "Standard_LRS", "Standard_GRS", "Standard_RAGRS" ] } }, "variables": { "storageAccountName": "[concat(uniquestring(resourceGroup().id),'storage')]" }, "resources": [ { "name": "[variables('storageAccountName')]", "type": "Microsoft.Storage/storageAccounts", "apiVersion": "2015-06-15", "location": "[resourceGroup().location]", "properties": { "accountType": "[parameters('storageAccountType')]" } } ], "outputs": { "storageAccountEndpoint": { "type": "string", "value": "[variables('storageAccountName')]" } }}

Parameter file{ "$schema": "https://schema.management.azure.com/schemas/2015-0101/deploymentParameters.json#", "contentVersion": "1.0.0.0", "parameters": { "storageAccountType": { "value": " Standard_GRS" } } }If you are frequently deploying your template during the authoring process, the values for the parameters need to be resubmitted each time. A parameter file can automate this process. A parameter file contains values for the parameters in the template, and can be parsed when the template is deployed. Instead of manually typing in the parameters, the values are pulled from the parameter file. You can create multiple parameter files, representing different stages of an environment (Development, Testing, Acceptance and Production – or, DTAP), different regions or different clouds.

Notice that the file has a different schema? This new schema has a contentVersion attribute like the previous schema but it also has a parameter attribute where you specify parameter names and values for your template deployment

Deployment using portal

Cut and past or create directly in the portal

Deployment using powershellLogin-AzureRmAccount$subscrName=“mysubscriptionname"Select-AzureRmSubscription -SubscriptionName $subscrName

$rgname = “demo44”New-AzureRmResourceGroupDeployment -Name testDeployment -ResourceGroupName $rgname -TemplateUri https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/101-vm-simple-windows/azuredeploy.json -Mode Incremental

Sample deploy directly from github using one of the quickstart templates

Deployment using cliAzure loginazure account set “mysubscription"azure config mode arm

azure group create -n examplegroup -l "West US“azure group deployment create -f "c:\MyTemplates\example.json" -e "c:\MyTemplates\example.params.json" -g examplegroup -n exampledeployment

Or

azure group deployment create --resource-group examplegroup --template-uri " https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/101-vm-simple-windows/azuredeploy.json "

Creating hyperlink

Creating hyperlink you can create a hyperlink to open the deployment option in the portal and use an existing template that is available via a publicly accessible URL. For this option, you commonly see template authors use a URL to the latest version of the ARM template hosted in a version control system). You can create a URL with a hyperlink to deploy your template

https://portal.azure.com/#create/Microsoft.Template/uri/<replace with the encoded raw path of your azuredeploy.json>

You can also create a HTML button with a hyperlink to deploy your template with the following HTML code. This button can also use an image hosted at http://azuredeploy.net that reads “Deploy to Azure”.

<a href="https://portal.azure.com/#create/Microsoft.Template/uri/<replace with the encoded raw path of your azuredeploy.json>" target="_blank"> <img src="http://azuredeploy.net/deploybutton.png"/> </a>

Using visual studio

Using visual studio

Debugging

Debugging TemplatesTemplate ValidationTool with JSON validation (e.g. Visual Studio, Atom w/ JSONLint, etc.)

> Test-AzureRmResourceGroupDeployment-ResourceGroupName stirtrek2016 `-TemplateParameterFile .\azuredeploy.parameters.json `-TemplateFile .\azuredeploy.json

> azure group template validate stirtrek2016 --template-file .\azuredeploy.json --parameters-file .\azuredeploy.parameters.json

Deployment Debug Output-DeploymentDebugLogLevel

New-AzureRmResourceGroupDeployment -ResourceGroupName $resourceGroupName ` -TemplateFile "azuredeploy.json" ` -TemplateParameterFile "azuredeploy.parameters.json" ` -DeploymentDebugLogLevel All ` -Verbose `

{ All | None | Request | Response }

> azure group deployment create --debug-setting RequestContent{ All | None | RequestContent | ResponseContent }

Resource Group LoggingPortalPowerShellCLI

Resource Group LoggingPowerShell # Get logs for the resource group in the last 1 hourGet-AzureRmLog -ResourceGroup $resourceGroupName

# Get logs for the resource group since a specific time$startTime = (get-date).AddHours(-2).ToString('yyyy-MM-ddTHH:mm')Get-AzureRmLog -ResourceGroup $resourceGroupName -StartTime $startTime

# Get the logs for a resource provider since a specific time$startTime = (get-date).AddHours(-2).ToString('yyyy-MM-ddTHH:mm')Get-AzureRmLog -ResourceProvider "Microsoft.Compute" -StartTime $startTime ` -Status Failed -DetailedOutput

Resource Group LoggingCLI> azure group log show StirTrek2016 --json> azure group deployment show --resource-group StirTrek2016 --name MyDeployment> azure group deployment operation list --resource-group StirTrek2016 --name MyDeployment --json

Role Based Access Control

Granular Scopes

/subscriptions/{id}/resourceGroups/{name}/providers/…/sites/{site}

subscription level – grants permissions to all resources in the sub

resource group level – grants permissions to all resources in the group

resource level – grants permissions to the specific resource

OOPS

Resource Locks Accidents happen. Resource locks help

prevent them :)

Resource locks allow administrators to create policies which prevent write actions or prevent accidental deletion.

Key Concepts Resource lock

Policy which enforces a "lock level" at a particular scope Lock level

Type of enforcement; current values include CanNotDelete and ReadOnly

Scope: The realm to which the lock level is applied. Expressed as a URI; can

be set at the resource group, or resource scope.

• ARM Quick Start Templates• https://azure.Microsoft.com/en-us/documentation/templates• https://github.com/Azure/azure-quick-start-templates

• ARM Schemas• https://github.com/Azure/azure-resource-manager-schemas/tree/master/schemas

• ARM Best Practices• https://azure.microsoft.com/en-us/documentation/articles/best-practices-resource-manager-

design-templates/• https://docs.microsoft.com/nl-nl/azure/best-practices-resource-manager-state

• ARM Visualizer• http://armviz.io

• VS Code Extensions• https://github.com/Azure/azure-xplat-arm-tooling

• Getting Stated guide• http://download.microsoft.com/download/E/A/4/EA4017B5-F2ED-449A-897E-BD92E42479CE/

Getting_Started_With_Azure_Resource_Manager_white_paper_EN_US.pdf

ARM Resources

Thank you

Let us analyze one off the quickstart templates

https://github.com/Azure/azure-quickstart-templates/tree/master/101-vm-simple-windows

basic

Parameters

Parameters

A parameter requires a type, but can optionally contain a default value and allowed values. The type attribute specifies the expected type of input (string, int, bool, array, object, secureString). The default value is used if no value is specified by the tenant at deployment time. If a parameter does not contain a default value, the tenant is required to submit a value when deploying the template

Variables

Variables

The storageaccountname is concatenated a unique string to the text ‘sawinvm’. This is achieved by using the concat(), resourceGroup() and uniqueString() template functions.The storage account name is generated by concatenating a unique string that is derived from the id of the resource group that the template is being deployed to and the string ‘sawinvm'. Because the storage account resource already references the variable for the storageAccountName, the resource itself does not require a change to reflect the new value of the variable.

Resourceid function Returns the unique identifier of a resourcehttps://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-template-functions

Resources

Resources All resource types require some common attributes like "name" and "type". Azure Resource Manager uses these attributes to ensure that the correct resource provider is handling the request. The following common attributes are required across all resources. • name is used to name the deployed resource. Each resource of the same

resource type within a single resource group must be uniquely named. Depending on the resource type it may also require uniqueness at either subscription, tenant or global scopes.

• type contains the resource provider and the resource type within that resource provider.

• apiVersion is used to identify the API version for the resource type. Multiple API versions can exist for a single resource type. These API versions are used to identify the available properties of a resource type.

• location sets the region for the resource to be deployed into. This can be a region in Microsoft Azure or a region in Microsoft Azure Stack, hosted by a service provider or running in your datacenter

Besides these required common attributes, each different resource can have optional common attributes like tags or comments and will have properties that are resource specific. For example, a storage account requires a replication policy while a virtual network requires a subnet. Resource specific properties are configured in the properties attribute. • properties contain resource specific information

You can configure each resource to deploy to the same location as the target resource group using the template function resourceGroup().location

The variable is referenced using the function: variables('variableName').

the parameter is not used in the resource yet. The hard-coded value of the storage account type needs to be replaced with the parameter. The value must refer to the correct parameter in the format parameters('parameterName')

ResourcesThe variable is referenced using the function: variables('variableName').

You can configure each resource to deploy to the same location as the target resource group using the template function resourceGroup().location

For a given resource, there can be other resources that must exist before the resource is deployed. For example, a SQL server must exist before attempting to deploy a SQL database. You define this relationship by marking one resource as dependent on the other resource. You define a dependency with the dependsOn element, or by using the reference function. https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-define-dependencies

Resourceid function Returns the unique identifier of a resourcehttps://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-template-functions

Resources the parameter is not used in the resource yet. The hard-coded value of the storage account type needs to be replaced with the parameter. The value must refer to the correct parameter in the format parameters('parameterName')

The variable is referenced using the function: variables('variableName').

Resourceid function. Returns the unique identifier of a resourcehttps://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-template-functions

Concat function. Combines multiple string values and returns the concatenated string.https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-template-functions

Reference function Returns an object representing another resource's runtime state.https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-template-functions

Output