Automating Your Azure Environment

Post on 11-Jan-2017


Michael S. Collier
Cloud Solution Architect, Microsoft

Level: Intermediate

Michael S. Collier
Cloud Solution Architect
Microsoft

michael.collier@microsoft.com
@MichaelCollier
www.MichaelSCollier.com
http://aka.ms/csablog

http://aka.ms/fundamentalsofazure

Today’s Agenda
1. Why Automation in Azure?
2. Azure Management Library
3. Azure PowerShell
   a) Azure Service Management
   b) Azure Resource Manager
4. Azure Automation

Why Automate in Azure?

Why Automation?
• Time to provision full environments
  – Compute, storage, etc.
• Deployment to multiple geographies
  – Change only configuration / parameters

Why Automation?
#1 source of failed projects (IMO)

Humans TERRIBLE at repetitive tasks

A Few Options

REST API
• Service Management
• Resource Manager

Azure Management Library

PowerShell
• Invoke REST
• Service Management
• Resource Manager

XPlat CLI
• ??

Azure Automation

Azure Management Library

Azure Management Library
• Consistent modern libraries over the Azure REST API
  – .NET, Java, Python, Go, & Ruby

Source: http://www.BradyGaster.com


Azure Management Library
• Scenarios
  – Integration Testing
  – Custom provisioning of services (SaaS)
  – Dev/Test
  – Resource Governance
• Almost anything you may want to automate

Azure Management Library
• Microsoft.WindowsAzure.*
  – Older RDFE version
  – Not recommended
• Microsoft.Azure.*
  – Based on new Azure Resource Manager (ARM)
  – Recommended

Azure Management Library
• Get all or just the ones you need

Authentication
• Azure Active Directory
• Create a service principal
  – Password (PowerShell or CLI)
  – Certificate (PowerShell)
• Assign necessary ROLE to the service principal

Create the Service Principal

Switch-AzureMode AzureResourceManager
Select-AzureSubscription -SubscriptionName "My MSDN Azure"

$appName = "VSLiveNYC2015"
$appHomePage = "http://localhost"
$appUri = "http://localhost"
# Demo password from the slide; use a strong generated secret and keep it out of source control
$pwd = "test!123"

# Create a new Azure AD application
$azureAdApp = New-AzureADApplication -DisplayName $appName -HomePage $appHomePage -IdentifierUris $appUri -Password $pwd -Verbose

# Create a service principal
New-AzureADServicePrincipal -ApplicationId $azureAdApp.ApplicationId

# Assign a role to the service principal
New-AzureRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $azureAdApp.ApplicationId

# Get the current subscription (its TenantId is used to sign in below)
$subscription = Get-AzureSubscription | where { $_.IsCurrent }

# Create a new credential object to contain the credentials
$creds = Get-Credential -UserName $azureAdApp.ApplicationId -Message "enter your creds"

# Sign in as the service principal
Add-AzureAccount -Credential $creds -ServicePrincipal -Tenant $subscription.TenantId

Get this at http://aka.ms/uognfb

Get the Authentication Token

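// Requires the ADAL NuGet package (Microsoft.IdentityModel.Clients.ActiveDirectory)
using System;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Class members: place these inside your application class
private const string SubscriptionId = "[YOUR_AZURE_SUBSCRIPTION_ID]";
private const string TenantId = "[YOUR_AZURE_AD_TENANT_ID]";
private const string ApplicationId = "[YOUR_NEWLY_REGISTERED_APP_id]";
// Demo value from the slide; load the real secret from protected configuration, not a constant
private const string ApplicationPwd = "test!123";

public static string GetAToken()
{
    // Authenticate against the Azure AD tenant that owns the service principal
    var authenticationContext = new AuthenticationContext(string.Format("https://login.windows.net/{0}", TenantId));
    var credential = new ClientCredential(clientId: ApplicationId, clientSecret: ApplicationPwd);

    // Request a token for the Azure management endpoint
    var result = authenticationContext.AcquireToken(resource: "https://management.core.windows.net/", clientCredential: credential);

    if (result == null)
    {
        throw new InvalidOperationException("Failed to obtain the JWT token");
    }

    string token = result.AccessToken;
    return token;
}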

Get this at http://aka.ms/uognfb

Demo
Authenticate and Browse

Demo Recap
1. Create a Service Principal in Azure AD
2. Get the JWT authentication token
3. Create a credential object with token and subscription
4. Create a resource client
5. Execute actions against the client

PowerShell Cmdlets
• Get the goods
  – http://azure.microsoft.com/en-us/downloads/
  – https://github.com/Azure/azure-powershell/releases

PowerShell
• Use cmdlets and/or REST APIs
• Ability to script complex environments
  – Template with an XML parameters file
  – PowerShell learning curve
  – Your responsibility to handle errors & ensure consistency
• Consistent Deployments
  – Build server or developer machine

Authentication Options
• Interactive
  – Azure AD

PS C:\> Add-AzureAccount
VERBOSE: Account "michael.collier@live.com" has been added.
VERBOSE: Subscription "MSFT Azure Internal - Collier" is selected as the default subscription.
VERBOSE: To view all the subscriptions, please use Get-AzureSubscription.
VERBOSE: To switch to a different subscription, please use Select-AzureSubscription.


* Tip – Profile data stored in C:\Users\<user>\AppData\Roaming\Windows Azure Powershell

Authentication Options
• Programmatic
  – Management certificate
  – New -Credential option

$userName = "<your work/school account user name>"

$securePassword = ConvertTo-SecureString -String "<your work/school account password>" -AsPlainText -Force

$cred = New-Object System.Management.Automation.PSCredential($userName, $securePassword)

Add-AzureAccount -Credential $cred

http://azure.microsoft.com/en-us/documentation/articles/install-configure-powershell/
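An added example, not part of the original slides: one way to use the -Credential option without typing the password into the script as the snippet above does. It saves the PSCredential with Export-Clixml (on Windows the password is DPAPI-encrypted for the current user on the current machine) and reloads it on later runs. The function name Get-StoredAzureCredential and the file path are hypothetical.

```powershell
# Added example (not from the slides). Function name and default path are hypothetical.
function Get-StoredAzureCredential {
    param(
        [Parameter(Mandatory = $true)][string] $UserName,
        [string] $Path = (Join-Path $env:LOCALAPPDATA 'azure-automation.cred.xml')
    )

    if (Test-Path -LiteralPath $Path) {
        try {
            # Decryption only succeeds for the same user on the same machine that saved the file
            $cred = Import-Clixml -LiteralPath $Path -ErrorAction Stop
            if ($cred -is [System.Management.Automation.PSCredential] -and
                $cred.UserName -eq $UserName) {
                return $cred
            }
            Write-Warning "Stored credential is for a different account; prompting again."
        }
        catch {
            # Typical cause: file copied from another machine or written by another user
            Write-Warning "Could not read stored credential: $($_.Exception.Message)"
        }
    }

    # First run (or unusable file): prompt so the password never appears in the script
    $securePassword = Read-Host -Prompt "Password for $UserName" -AsSecureString
    $cred = New-Object System.Management.Automation.PSCredential($UserName, $securePassword)

    # The password is written encrypted; the user name is stored in clear text
    $cred | Export-Clixml -LiteralPath $Path
    return $cred
}

$cred = Get-StoredAzureCredential -UserName '<your work/school account user name>'
Add-AzureAccount -Credential $cred
```

Run it once interactively under the account that will execute the automation (for example the build agent's service account), since only that account can decrypt the saved file.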

Demo
Create a VM with Custom Script Extension
Deploy a Cloud Service

Demo Recap
1. Authenticate PowerShell with Azure
2. Upload to blob storage a .ps1 script to format drives
3. Provision new Azure VM via PowerShell.
   a) Custom script extension to format data disks
4. Create Cloud Service (web role) project
5. PowerShell script to upload and deploy

Azure Resource Manager
What is Azure Resource Manager?

Resource Group

Unit of Management
• Lifecycle
• Identity
• Grouping

One Resource -> One Resource Group

ARM Benefits

Desired-state deployment

Faster deployment

Role-based access control (RBAC)

Resource-provider model

Orchestration

Resource configuration

[Diagram labels: SQL-A, Website, Virtual Machines (2x), SQL CONFIG, Cache; Website and VMs each DEPEND ON SQL]

Image source - http://channel9.msdn.com/Events/Build/2014/2-607

Consistent Management Layer

[Diagram labels: Tools, REST API, Azure Resource Manager, Provider Contract, Resource Provider (Website, VM, SQL DB, …)]

https://management.azure.com/subscriptions/{{subscriptionId}}/providers?api-version={{apiVersion}}

ARM Functions
ARM templates support a small set of built-in functions
• parameters, variables
• reference, resourceGroup, resourceId
• base64, concat, padLeft, replace, toLower, toUpper
• deployment, provider, subscription
• listKeys

Not supported
• User-defined functions
• Control constructs – if, while, etc.

Loops and Nested Templates
Loops
• Provide basic copy capability
• Useful in cloning resource configuration
• For example, deploying multiple VMs

Nested Templates
• One template can invoke another
• Simplifies creation of sophisticated templates
• Supports parameters
• Supports output variables

ARM Deployment Logs
Logs
• Provider
• Resource group
• Resource

Availability
• Kept for 15 days
• Default is last hour (PowerShell)
• Filter by Status e.g., Failed

PowerShell
• Get-AzureResourceProviderLog
• Get-AzureResourceGroupLog
• Get-AzureResourceLog

Demo
Create a new Azure Web App + SQL DB

Demo Recap
1. Get latest Azure SDK for Visual Studio
2. Create new ‘Azure Resource Group’ project
3. Add Web App + SQL template
4. Provide parameters
5. Deploy via PowerShell

What is Azure Automation?
• IT process automation solution for Azure
  – Creation, monitoring, deployment, & maintenance
  – Runbooks & Assets
  – Leverage existing PowerShell scripts

Runbook Types
• PowerShell Workflow
  – Windows Workflow Foundation
    • Checkpoint, suspend, & resume
  – Parallel or serial execution
  – Compilation (time increases as complexity increases)
• PowerShell (native)
  – No checkpoint, suspend, or resume
  – Serial execution only
  – No compile step! Fast!

Demo
Stop VMs nightly

Demo Recap
1. Create Azure Automation account
   a) Create an AAD user for Azure Automation
   b) Create an Azure Connection Asset
2. Create Runbook to Stop VMs
   1. Connect to Azure subscription
   2. Iterate over all services and VMs
3. Test Runbook
4. Publish Runbook
5. Link Runbook to a Schedule
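An added example, not the runbook from the demo: a native PowerShell runbook covering step 2 of the recap, using the Service Management cmdlets. It assumes the AAD user from step 1a is stored as an Automation credential asset; the parameter names and asset name are hypothetical.

```powershell
# Added example (not from the slides): native PowerShell runbook that stops all classic VMs.
# Assumption: a credential asset named by $CredentialAssetName holds the AAD user from step 1a.
param(
    [Parameter(Mandatory = $true)][string] $CredentialAssetName,
    [Parameter(Mandatory = $true)][string] $SubscriptionName
)

$ErrorActionPreference = 'Stop'

# Step 2.1: connect to the Azure subscription with the stored credential
$cred = Get-AutomationPSCredential -Name $CredentialAssetName
if ($null -eq $cred) {
    throw "Credential asset '$CredentialAssetName' was not found."
}
Add-AzureAccount -Credential $cred | Out-Null
Select-AzureSubscription -SubscriptionName $SubscriptionName

# Step 2.2: iterate over all cloud services and the VMs inside each one
$stopped = 0
$failed  = 0
foreach ($service in Get-AzureService) {
    foreach ($vm in Get-AzureVM -ServiceName $service.ServiceName) {
        if ($vm.Status -eq 'StoppedDeallocated') {
            Write-Output "Skipping $($service.ServiceName)/$($vm.Name): already deallocated"
            continue
        }
        try {
            # -Force suppresses the confirmation shown when the last VM in a service is deallocated
            Stop-AzureVM -ServiceName $service.ServiceName -Name $vm.Name -Force | Out-Null
            Write-Output "Stopped $($service.ServiceName)/$($vm.Name)"
            $stopped++
        }
        catch {
            # Keep going so one failing VM does not leave the rest running overnight
            Write-Warning "Failed to stop $($service.ServiceName)/$($vm.Name): $($_.Exception.Message)"
            $failed++
        }
    }
}

Write-Output "Done: $stopped stopped, $failed failed"
if ($failed -gt 0) {
    # Surface the failure so the scheduled job shows as failed in the Automation job history
    throw "$failed VM(s) could not be stopped."
}
```

Because the runbook ends with a throw when any VM could not be stopped, a partial failure shows up in the job status instead of being buried in the output stream.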

Choices . . . When to Use

MAML
• PCL (WinPhone/WinStore)
• Higher level languages

PowerShell
• DevOps
• Templates
• Build Servers
• Quicker than portal

Azure Automation
• Schedule Tasks
• Integrate with Other Services
• System Center scripts

Azure Resource Manager
• Future for Azure API
• New, well-defined topology
• Unable to export from cloud

Resources
• Azure Resource Manager Preview SDKs
  – https://azure.microsoft.com/en-us/blog/azure-resource-manager-preview-sdks/
• Authenticating a service principal with Azure Resource Manager
  – https://azure.microsoft.com/en-us/documentation/articles/resource-group-authenticate-service-principal/
• Keith Mayer’s blog posts on Azure Automation
  – http://blogs.technet.com/b/keithmayer/archive/2014/04/04/step-by-step-getting-started-with-windows-azure-automation.aspx

Questions?

Thank You!

Michael S. Collier@MichaelCollier | www.michaelscollier.com

michaelscollier@gmail.com | michael.collier@microsoft.com