Azure DevOps provides a suite of tools that your development team needs to plan, create, and ship products. It comes in two flavors:

  • Azure DevOps Services – the SaaS option hosted by Microsoft.
  • Azure DevOps Server – the IaaS option hosted by you.

When comparing the two to decide which option enables your team to deliver the most value in the least amount of time, Azure DevOps Services is the clear winner, but velocity alone is not the only consideration for most government teams. The services you use must also be compliant with standardized government-wide security, authorization, and monitoring requirements.

Azure DevOps Services is hosted by Microsoft in Azure regions. At the time of this writing, you do not yet have the option to host Azure DevOps in an Azure Government region, so you must use one of the available Azure Commercial regions. As a public service, it also has not yet achieved compliance with any FedRAMP or DoD CC SRG audit scopes. This may sound like a non-starter, but as it states on the FedRAMP website, it depends on your context and how you use the product.

Depending on the services being offered, the third-party vendor does not necessarily have to be FedRAMP compliant, but there are security controls you must make sure they adhere to. If there is a connection to the third-party vendor, they should be listed in the System Security Plan in the Interconnection Table.

This is the first of two blog posts that will share solutions to common Azure DevOps Services concerns:

  1. In “Azure DevOps Services for Government: Access Control” (this post), I will cover common access control concerns.
  2. In “Azure DevOps Services for Government: Information Storage”, I will address common concerns with storing information in the commercial data centers that host Azure DevOps Services.

Managing User Access

All Azure DevOps Organizations support cloud authentication through either Microsoft accounts (MSA) or Azure Active Directory (AAD) accounts. If you’re using an MSA-backed Azure DevOps organization, users will create their own accounts and will self-manage security settings, like multi-factor authentication. It is common for government projects to require more centralized oversight of account management and policies.

The solution is to back your Azure DevOps Services Organization with an AAD tenant. An AAD-backed Azure DevOps organization meets the following common authentication and user management requirements:

  • Administrators control the lifecycle of user accounts, not the users themselves. Administrators can centrally create, disable, or delete user accounts.
  • With AAD Conditional Access, administrators can create policies that allow or deny access to Azure DevOps based on conditions such as user IP location.
  • AAD can be configured to federate with an internal identity provider, which could be used to enable CAC authentication.

Controlling Production Deployment Pipelines

The value added by Continuous Delivery (CD) pipelines includes increasing team velocity and reducing the risks associated with introducing a change. To fully realize these benefits, you’ll want to design your pipeline to begin at the source code and end in production so that you can eliminate bottlenecks and ensure a predictable deployment outcome across your test, staging, and production environments.
It is common for teams to grant production access only to a limited set of privileged administrators, so some customers raise valid concerns about a production deployment pipeline when they realize that an action taken by a non-privileged developer could initiate a process that ultimately changes production resources (e.g. a deployment pipeline triggered by a code change).

The solution is to properly configure your Azure DevOps pipeline Environments. Each environment in Azure DevOps represents a target environment of a deployment pipeline. Environment management is separate from pipeline configuration, which creates a separation of duties between two roles:

  • Team members who define what a deployment needs to do to deploy an application.
  • Team members who control the flow of changes into environments.

Example

A developer team member has configured a pipeline that deploys a Human Resources application. The pipeline is called “HR Service”. In the YAML code below, you can see that the developer intends to run the Deploy.ps1 script against the Production pipeline Environment.

[Screenshot: Production environment configuration]

If we review the Production environment configuration, we can see that an approval check has been configured. When the deployment reaches the stage that will attempt to run against the Production environment, a member of the “Privileged Administrators” AAD group will be notified that a deployment is awaiting their approval.

[Screenshot: Approvals and checks on the Production environment]

Only the Privileged Administrators group has been given access to administer the pipeline environment, so the team member awaiting approval would not be able to bypass the approval step by disabling it in the environment configuration or in the pipeline’s YAML definition.

[Screenshot: Production environment security settings]

By layering environment configuration with other strategies, you’ll establish the boundaries needed to protect your environment while also empowering your development team to work autonomously and without unnecessary bottlenecks. Other strategies to layer include:

  • Governance enforced with Azure Policy
  • Deployment gates based on environment monitoring
  • Automated quality and security scans built into your pipeline

It is also important for all team members involved with a release to be aware of what is changing so that you are not just automating a release over the wall of confusion. This is an example of how a product alone, such as Azure DevOps, is not enough to fully adopt DevOps. You must also address the process and people.

Deployment Pipeline Access to Private Infrastructure

How will Azure DevOps, a service on a commercial Azure region, be able to “see” my private infrastructure hosted in Azure Government? That’s usually one of the first questions I hear when discussing production deployment pipelines. Microsoft has a straightforward answer to this scenario: self-hosted pipeline agents. Azure DevOps will have no line of sight to your infrastructure. The high-level process to follow when deploying an agent into your environment looks like this:

  • Deploy a virtual machine or container into your private network.
  • Apply any baseline configuration to the machine, such as those defined in the DISA’s Security Technical Implementation Guides (STIG).
  • Install the pipeline agent software on the machine and register the agent with an agent pool in Azure DevOps.
  • Authorize pipelines to use the agent pool to run deployments.

With this configuration, a pipeline job queued in Azure DevOps will be retrieved by the pipeline agent over an outbound HTTPS connection on port 443, pulled into the private network, and then executed.
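Putting the two pieces together, the pipeline definition below is an added example (not the post’s own “HR Service” YAML, which appeared as a screenshot): it targets the Staging and Production environments from the Example section, so the approval check on Production applies, and runs its deployment jobs on a self-hosted agent pool as described in this section. The pool name GovAgentPool, the environment names, the main branch and the script paths are assumptions.

```yaml
# Added example pipeline for the "HR Service" application (names are assumptions).
trigger: [main]            # a developer's push to main starts the run

stages:
  - stage: Build
    jobs:
      - job: BuildAndPackage
        pool:
          vmImage: 'windows-latest'   # Microsoft-hosted agent; no access to private infrastructure
        steps:
          - task: PowerShell@2
            inputs:
              filePath: 'Build.ps1'   # assumed to place build output in $(Build.ArtifactStagingDirectory)
          - publish: '$(Build.ArtifactStagingDirectory)'
            artifact: drop

  - stage: Staging
    dependsOn: Build
    jobs:
      - deployment: DeployStaging
        environment: Staging          # no approval check configured on this environment
        pool:
          name: GovAgentPool          # self-hosted agents registered from inside the private network
        strategy:
          runOnce:
            deploy:
              steps:
                # deployment jobs download the run's artifacts to $(Pipeline.Workspace) automatically
                - task: PowerShell@2
                  inputs:
                    filePath: '$(Pipeline.Workspace)/drop/Deploy.ps1'
                    arguments: '-Environment Staging'
  - stage: Production
    dependsOn: Staging
    jobs:
      - deployment: DeployProduction
        # The approval check is attached to the Production environment in Azure DevOps, not to this
        # file, and only environment administrators can change it, so editing this YAML cannot skip it.
        environment: Production
        pool:
          name: GovAgentPool
        strategy:
          runOnce:
            deploy:
              steps:
                - task: PowerShell@2
                  inputs:
                    filePath: '$(Pipeline.Workspace)/drop/Deploy.ps1'
                    arguments: '-Environment Production'
```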

[Screenshot: Azure DevOps agent pool configuration]

Conclusion

In this post, I’ve introduced you to several practices you can use to develop applications faster without sacrificing security. Stay tuned for the next post in this series where we will discuss common concerns from Government clients around the storage of data within Azure DevOps.

Welcome to part five of our blog series based on my latest Pluralsight course: Applied Azure. Previously, we’ve discussed Azure Web Sites, Azure Worker Roles, Identity and Access with Azure Active Directory, and Azure Service Bus and MongoDB.

Motivation

Let’s face it, security, privacy and compliance are the key concerns when it comes to adopting any public cloud platform. To alleviate such concerns, the Windows Azure team has set up a Windows Azure Trust Center website to provide the latest updates on these topics. Windows Azure complies with several international, country-specific and industry-specific compliance requirements including ISO 27001, FedRAMP, PCI-DSS and HIPAA. In this blog post we are going to focus on building HIPAA compliant applications on the Windows Azure platform.

If you have found yourself thinking…

“We want the cloud to be a seamless extension of our data center, not a walled garden. We want to use our existing IT setup and tools to manage on-premises and cloud-based applications.”

“We want to seamlessly move virtual machines from on-premises to the cloud and back.”

“We want to move existing applications to the cloud without the need to change the applications in any way.”

…then our upcoming Introduction to Windows Azure IaaS session is for you.

This free half-day session is for anyone who wants to better understand the Windows Azure Infrastructure as a Service (IaaS) offering. After a brief overview of the Azure Platform as a Service (PaaS) model, we will focus on key IaaS concepts. Additionally, we will walk you through a number of scenarios enabled by Azure IaaS and several demonstrations. Learn about the new generally available features including virtual machines (with more size options), virtual networks, new image types (including SQL Server and BizTalk), lower pricing and much more.

It was great fun presenting at Windows AzureConf 2013. I would like to thank the entire AzureConf team (Cory Fowler and Brady Gaster in particular) and my fellow speakers for their valuable feedback.

Click here to watch the video recording of my session on channel 9.

You can find recordings to all other sessions (including Scott Guthrie’s keynote) via this link.

Many of you asked me for a copy of the code I used during my session. You can find all my code snippets and slides here. (Of course this is just sample code so please treat it as such!)

Additionally, Pluralsight has graciously offered to make my newly-released Windows Azure IaaS Course for Developers available for FREE beginning Monday, April 29 at 9:00 a.m. MDT, and keep it freely available for 48 hours (ending 9:00 a.m. MDT on Wednesday, May 1). This is a three-hour course that goes in much more detail on the Windows Azure IaaS topics:

Windows Azure IaaS Course for Developers

Please feel free to send me additional questions via my Twitter account. Thanks!

Yesterday, Microsoft announced the general availability of its offering of Infrastructure as a Service (IaaS). They join an already-crowded market of IaaS providers, but this offering gives all companies the ability to offload workloads that have traditionally run in a company data center to the cloud. Welcome, Microsoft — the water is fine.

This announcement also represents a major chunk of Microsoft’s family of Azure offerings… and in my opinion, a stepping stone many companies simply must take in moving out of the traditional data center and into the cloud. The following diagram shows the stepping stones out of the traditional data center:


We recently deployed a five-node CRM 2011 topology using Windows Azure IaaS with the following objectives:

  • Understand how a multiple node CRM setup can be provisioned using Windows Azure IaaS. Specifically, how the networking capabilities offered by the Windows Azure platform (i.e. stateless load balancing) map to the CRM requirements.
  • Develop an automated way to provision and de-provision a CRM setup. This is not only useful for dev and test scenarios, but also for production scenarios where it is notoriously difficult to conduct capacity planning before acquiring the necessary hardware. For example, it is hard to know upfront what CRM functional building blocks (aka CRM roles) the business stakeholders will want to focus on, such as async processes, sandbox, reports, etc. By dynamically scaling out the “needed” features on demand, we can enhance the business agility of the CRM.
  • Offer our customers an educated choice between CRM Online (no setup costs but less control) and CRM On-Premises (extensive setup costs but complete control).
  • Take advantage of hybrid apps that combine CRM capabilities with Windows Azure services, such as Windows Azure Active Directory, mobile services, etc.


Please be our guest at the next Azure ‘n’ Action Café online session on April 10th from 12 p.m. to 1 p.m. This is a jump-start overview session, including demos and best practices focusing on Windows Azure Virtual Machines: IaaS “On Your Terms.” You will experience how easy it is to bring your own customized virtual machine images — or select from a gallery and retain full control of your images — and maintain them as your business requires. You’ll also be the first to see how to provision a brand-new SharePoint 2013 farm in Azure IaaS.

The Azure ‘n’ Action Café is a series of “lunch and learn” online sessions on a variety of topics related to the Windows Azure Platform. Please register for Windows Azure Virtual Machines: IaaS “On Your Terms” by clicking on the link below and adding the meeting to your calendar from the registration page.

Click here to register to secure your seat at the Café.

In a previous blog post I discussed Windows Azure PaaS / IaaS hybrid scenarios. Together with my colleague Jack O’Connell (Infrastructure Specialist extraordinaire), we set up each of the four scenarios outlined in the previous post including:

  • Using Windows Azure Virtual Network to provision a VPN that connects our on-premises infrastructure with a Windows Azure datacenter.
  • Setting up front-end and back-end subnets.
  • Provisioning a set of Azure IaaS Virtual Machines and Azure Web Roles.
  • Installing the System Center Monitoring Pack for Windows Azure Applications on Azure-based machines.
  • Installing System Center Operations on-premises in order to manage Azure-based resources.

Watch the following video for a quick walkthrough of the scenarios in action:

Thanks to everyone who joined us for AIS and Microsoft’s Introduction to Azure IaaS event last month. As promised (and for anyone who missed it), here’s the full presentation from Vishwas Lele and Jack O’Connell. Click through the slideshow below, and feel free to ask any follow-up questions in the comments or contact us.

If you’re in the Philadelphia area, Vishwas and Jack will be presenting this session again TOMORROW at Microsoft’s Malvern, PA office. All the details on that event can be found here. We hope to see you there, and please keep up with our Events Calendar for other presentations in your area.

In the past, I have written about the benefits of the Platform as a Service (PaaS) style of applications. While I continue to believe that PaaS offers the best ROI for hosting custom applications in the cloud, there are a number of scenarios where inserting elements of Infrastructure as a Service (IaaS) into a PaaS solution can help alleviate some of the limitations that have prevented the adoption of PaaS. In this blog post we will look at a few compelling scenarios that are enabled by combining PaaS with the recently announced IaaS features within a Windows Azure Cloud Service.