Azure DevOps Server in Azure Government

>>Hi, this is Steve Michelotti of the Azure Government Engineering team. I’m joined here today by Jason Ingram, Cloud Solution Architect focused on federal customers. Welcome, Jason.
>>Thank you very much.
>>So we are here today to talk about Azure DevOps Server on Azure Government. So why don’t we start off, give us a little bit about
what Azure DevOps Server is. How is that different
than what we think of as regular Azure DevOps so we
understand that distinction there.
>>So Azure DevOps Server used to be called TFS. So we had TFS Server 2018, and then whenever we re-branded Visual Studio services to Azure DevOps Services, we re-branded TFS, the server deployment, to Azure DevOps Server. Azure DevOps Server is the same software that runs in our Cloud environment, but you can deploy it onto a VM inside your own environment, a customer-owned environment. DevOps Server enables the DevOps philosophy for software development. So CI/CD, pipelines, repositories, commits, the entire workflow for like an Agile
deployment methodology. That’s what DevOps
Server does for us.
>>Okay. So we get our own private instance of Azure DevOps Server in whatever environment we want. Our environment as a customer.
>>That’s right. You can
put it wherever you want. For today’s demo, we’re
actually deploying it as a VM in Azure Government. Azure Government is different
from Azure Commercial. A completely physically and logically
separated instance of Azure dedicated to the US regulated
industry space, Federal customers.
>>I can therefore, since I’m putting it in my own environment, I can set up the network topology however I want?
>>That’s exactly right. I’m
so glad you brought that up because most of the session we’ll be focused on secure deployment of
Azure DevOps Server, and at the end we’re
going to bring in like an actual rate repo and introduce it. So you could look at this
as how to get started? How to deploy it? How to get
started with your very first repo.
>>Great. All right. So why don’t you give us a high level on what you’re going to demo here today.
>>All right. This is going to be awesome. You guys are going to love this. So before we get started, this is a whiteboard app and
I’m going to draw on this. Yes. I don’t actually have
very much PowerPoint. The PowerPoint slide you
saw was the one and only. So we’re going to deploy Azure
DevOps Server with Azure SQL. That’s the whole point. We want to use PaaS services where we can. So we have Azure DevOps Server down here. This is our DevOps Server box. It has MSI on it. As part of the deployment pattern...
>>So MSI?
>>So Managed Service Identities.
>>Okay.
>>So you have an identity. You log in with a
username and password. The virtual machine
has an identity too. That’s what an MSI is. It’s a Managed Service Identity.
>>Great.
>>Right. As part of this deployment, it’s a secure deployment. So this is really important. So you have the internet out here. For Federal customers,
the internet, generally, is not permitted
whenever you’re talking about server deployments
for internal resources. So we’re going to demonstrate a
template that deploys an image.
>>So when we say template, you’re talking about like an ARM template we can use to deploy resources on it?
>>That’s right. An ARM template is Infrastructure as Code. It is the template that tells the Azure Resource Manager, that’s the API that manages Azure, what to do.
>>Okay. Great.
>>So when you have a template, you get guaranteed consistency.
That’s the bottom line. You can deploy it the same
way over and over again. Infrastructure as Code. If you’ve ever heard that term,
that’s what a template is. It’s the real-world implementation. So you have an image, you have a storage account, you have Azure SQL, which is the PaaS service. You don’t actually
manage it but you do deploy a server behind the scenes. You also have Key Vault. This entire session is
aimed at Federal customers. So what we’re going to do
here is we’re going to deploy Azure DevOps Server
except going to die. I loved necessarily
fun as part of my day. We’re going to X out the internet
altogether. No internet.
>>So we’re doing this from an environment that is cut off from the Internet?
>>That’s it.
>>The other takeaway I am getting here from your diagram is even though more slowly on the VM, we can still take advantage of these PaaS services like Azure SQL. I don’t have to install SQL on a VM.
>>That’s exactly right. We’re using something called VNet service endpoints that provide private IP connectivity to PaaS services. So we have two systems,
we’re primarily. One, so would willingly
then go to the workflow so you can see how this
works. So you have an image. This image is what the
DevOps service based offer. You deploy the image and
DevOps is pre-installed but not configured at run-time when you first
execute the template. The image when it starts up
logs into Key Vault using the managed service
identity and pulls down the credentials necessary
to configure Azure SQL.
>>Nice.
>>Then the configuration is actually a PowerShell script.
>>Okay. Cool.
>>So it pulls the stress, the PowerShell script
and any other artifacts, MSI, it execute, install files, whatever you want out
of a storage account. All private. No internet
connectivity required. Then it configures Azure SQL, and the system boots up, and now you’re bootstrapped
you’re ready to rock and roll. So that’s what the template does. This is a very rough
diagram of how it works. The biggest takeaway
there is no internet, is a specifically into
Federal customers. I work with Federal
customers all day long. So this is near and dear to my heart.
>>All right. So with that, does it make sense at this point to flip over to a demo?
>>Yes. Let’s do it. So we are going to
flip over to the demo, and just so you can kind
of see how this works. Like if you wanted to actually
execute and do this. Very simple. I put all the code
out on the Internet, which I know we just
said no Internet. But I’m trying to make it easy on
people wanted to be accessible. So you’d go to
US Regulated Industries. USRI. The only thing out there right now is deployed DevOps Server Azure SQL.
>>Nice. Okay. It’s very easy to get started.
>>Very easy to get started.
>>Use our URL.
>>Because it’s Infrastructure as Code, and it’s all documented on here. You can come out here and look at
everything we just talked about, additional resources notes, everything, IContribution,
and everything. But we don’t have time to
talk about all of that today. But to get started quickly, all you do is you hit “Deploy
to Azure Gov”. Piece of cake.
>>So all those things you mentioned in your diagram, the pre-installed image, it’s all contained in that template.
>>That’s right.
>>It’s just a one-click here.
>>The template has references to everything. It deploys exactly what I told it to deploy. Right. I can tell it what
resource groups that have led. A resource group is just a
container for resources. I can tell it what location I want to deploy in. Here’s a list of them. If you’ve never seen Azure
Government, here you go, right here. All the regions that
we can deploy to. Then you see the actual information. SQL Server, name, and password. You actually define
credentials that are passed securely as part of
the template deployment. Now, one of the things that’s
interesting here is you don’t actually see an Azure
Active Directory, Admin, username, you don’t see
the password request, you only see the username. The reason is because I’m pulling the password from Key Vault
as part of the deployment. So I’m protecting
very sensitive data. It’s very secure deployment and
the Key Vault is HSM backed.
>>What we’re deploying here is, we can go into any VNet we want to, and the template out of the box is that VNet that’s cut off from the Internet. Is that correct? Or do you configure that?
>>So I should’ve said this earlier. Thank you for bringing that up. So this assumes you’re deploying into a pre-existing environment.
>>Okay.
>>It’s incredibly rare to deploy into a greenfield environment.
>>Yeah.
>>So but inside the template, in the README file, I actually have a section that teaches you how to deploy
the actual infrastructure. If you don’t have an infrastructure, you want to deploy
infrastructure really fast. It will deploy the
Active Directory Domain, the Virtual Network all
of it for you right away. But my template only
deploys DevOps Server.
>>Which is more common for customers.
>>That’s way more common. They already have everything else. They’re deploying into an existing environment. So I wrote this with that in mind.
>>Awesome. All right. Cool.
>>You see virtual network
name, resource group, subnet name, these are
not creation resources. This is purely reference that
those things already exist.
>>Awesome.
>>Okay. One last thing I want to call out, because sharp-eyed people might notice that file. This is the PowerShell script that configures SQL on the DevOps server that I referenced earlier. You’ll notice there’s no shared access signature on the end. The reason is because I actually use the virtual network firewall in conjunction with VNet service endpoints to only enable access from the subnet where DevOps is deployed. So this subnet, adSubnet1, is the only subnet that can access this storage account, right?
>>Makes sense.
>>So it keeps it very simple. You don’t have to worry about storage access signature generation, and also you could totally do that if you want to, but you don’t need to.
>>Okay.
>>Still completely secure. So I’m not actually going to hit “Purchase” on here because it takes too long.
>>Okay.
>>When I say takes too
long, it takes five minutes, 20 seconds which is
still too long for us.
>>All right. So we’ll go into our Martha Stewart quick-bake oven here.
>>That’s exactly right.
>>All right.
>>So what we’re looking at right here is the actual resource group
that I already deployed to. You could see all the things that
I drew on the screen earlier, you could see them all listed here. This is a complete deployment. You could see if I open
this up a little bit, databases were deployed,
virtual machines are deployed. I configured SQL
administrators so we had Azure Active Directory
integration storage accounts. Everything that you need is deployed and ready to
rock and roll right here. Virtual network rules, that
was the rule I talked about. What a storage account. You can come in here and look at all of it. All 100 percent legit, totally locked and
loaded, good to go. So I’m just showing that you can see what it looks like in action from a
deployment standpoint. Now, let’s actually go
into one of the systems. So I deployed two systems. One system is installed but not configured, and one is fully configured. So we’re going to step through the UI real quick.
>>So we can see what that experience looks like.
>>Exactly right.
>>Cool.
>>So this is my DevOps server number one.
>>Okay. So this is installed, but not configured?
>>Installed but not configured.
>>Got it. Okay.
>>Very easy to tell the difference because whenever you actually launch DevOps, it’ll just tell you, “Hey, you’ve got work to do.”
>>Yeah.
>>You can see it, configure installed features. Totally mind-numbingly easy. You’ve already done all the hard work. I can promise you that much.
>>No, you did the hard work for us by doing the template.
>>It was fun. I’m a geek about that sort of stuff. I love it. Okay. So we’re going
to start the wizard, and we’re going to try to
step through this process. I’m not going to actually
let it go and configure it. I have one already fully baked and done, and
we’ll step over to that.>>Okay.>>But this is a new server
deployment, licensing. I’m going to go ahead and just
go with the trial for now. Interestingly enough,
because I’m using MSI, the New Deployment – Azure shows up. This feature is grayed out, unless you had MSI installed
and running on that VM.>>MSI being the managed
service identity.>>Yeah, the managed
service identity. Put the template deploys MSI. But if you actually
just deployed a VM out of the marketplace and
then tried to do this, you wouldn’t be able to because
it would be grayed out. You must assign a
managed identity first.>>Well, cool.>>You can also see the
advanced operation is done, because it’s assuming
you’re going to do Azure. So and we are in fact,
going to do Azure. So next, English. Another interesting thing here is the DevOps server actually references the Azure commercial endpoints as a default SQL Server instance name. So I’m going to show you the actual real server for our environment, right?
>>Right, because we’re in Azure Government.
>>That’s exactly right, we’re in Azure Government. Let me see here if I had it up already. I do, and you can see right here. All I’m looking at is the SQL Server that was deployed as part of my script.
>>Right.
>>So I do, and you can see the server name. That’s what you want. Just grab that guy.
>>So the...
>>That’s right, that’s where we want to deploy. So you just come in here. Again, you don’t actually have to provide any credentials. The reason is because the system is providing them itself.
>>Through managed identity.
>>Through managed identity. That’s right. Let’s talk about that for one brief second.
>>Okay.
>>So for Azure Active Directory integration to work, you must have an Azure
Active Directory user assigned as an admin
to Azure SQL, right?
>>Okay.
>>That’s the only way the SQL scripts that configure Azure SQL will function correctly. So if you go look at my template, you’ll see information all about it in there.
>>In the README file.
>>It’s all in there. So just keep that as a gotcha. It will get you if you’re not careful about it. So now back to this. So I put the SQL Server instance name in, and it uses MSI naturally. So it recognizes MSI as a sign of system, it grabs the credentials associated with MSI, logs into Azure SQL, and tests connectivity. Boom.
>>Even more secure because we’re not...
>>That’s right.
>>...the passwords around everywhere.
>>Nobody knows the password. Nobody’s even seen it. We don’t have a clue, right? It’s just done. We are going to accept defaults. But in a more enterprise environment, you probably would consider using domain user accounts and that stuff. But we’re doing a very
simple deployment as a part of our
getting started today. Again, we’re going to accept defaults. If you wanted to, if you had SSL, obviously you probably wouldn’t access this over this port in our production environment. You’re going to install your own certificate and handle the binding. For Azure Search, this is if you have work items, you need to actually be able to search. We’re going to enable basic authentication, since the search service actually resides on the system. So this is going to work out pretty well for us.
>>But overall, this is just a pretty simple wizard-based, next, next, next experience.
>>That’s exactly right. There’s nothing to it. The hard work has already been done.
>>Yeah.
>>Now, one thing you’re going to see right here. It’s going to do verification checks. When it does, the verification checks are going to come out and say, “Hey, Jason, you forgot something”, and I did in fact forget something. When I built my base image, I forgot to include the
Java Runtime Environment.
>>Okay.
>>So it’s actually going to tell me about that. So in reality, what I would do is I would either, you could see it right here. It just came up: Java 8 required. When in reality, what I would do is I would take the MSI for that Java installer and put it in my storage account. Go through whatever process I need to from an organization standpoint.
>>When you said MSI, you meant the installer?
>>The installer. Oh, my God. I’m so confusing, right? Yes, I meant the installer.
>>Yeah.
>>You take the installer, you put it in the storage account, and then you just pull it down just like you would your chop PowerShell script, and either install it or you put it into your base image.
>>Okay.
>>The DevOps Server offline
installer is about a gig, and so I baked it
into the image versus trying to pull it down
during deployment time because it’s a big file, right?
>>Yeah.
>>But it works just the same. If I click “Accept” here, it will go ahead and attempt to install and configure Java, and it’ll be successful. It’ll work. It’ll do a good job.
>>Okay.
>>But before it can configure, we’re going to flip over to the actually already completed environment.
>>Great.
>>So I’m going to minimize this guy, and we’re going to step right over here to our already deployed environment. If I fire up DevOps over here, you’ll actually be able to see that it already is fully configured.
>>Right. So it’s not giving the message that we saw last time, which is you have some work to do, you need to configure now.
>>It is.
>>We can see it’s ready to go.
>>That’s right. It is completely done, ready to rock and roll. You can see Azure
DevOps 2019 Update 1. This is our very latest data
tier database.usgovcloud.
>>Okay.
>>Right. Now the interesting thing about this is, you don’t deploy DevOps just for fun, you deploy it to actually utilize it, you actually want to do something with it. So that’s where it actually gets to be fun. So now we have it deployed, it’s actually up and running. I’m a software developer, I want to do some work. So I have a project, and just because we’re working on DevOps today, we’re going to call our project deployDevOps.
>>Okay, great name.
>>Creative name for it.
>>Like a software engineer, we don’t have to name stuff.
>>That is so right. We have options here. Version control: almost
everybody’s going to use Git. Work item process, if your deployment methodology or developing methodology
is Agile, use Agile. If it’s Scrum, use Scrum. I’m going to stick with Basic. It just has to do with how we measure work items and sprints, and those things. So we’re going to create a project, and it’s going to go out and
actually create this project for us. Now that we have a project, the project is our actual solution, something we want to deploy, or create, or iterate on. So the first thing you need for
any project is source files, something you could actually work on.
>>What’s interesting here is, just based on what we see on your browser here, we’re in the experience that we would expect if we’re using Azure DevOps, the SaaS offering. But now here we are using it in our own environment, that is cut off from the Internet.
>>That is exactly right. Exactly right.
>>We’re seeing the same nice user experience.
>>So if you were in Azure DevOps, our service, it would
look exactly the same. It would be very hard
to tell the difference. It’s super close, so you can
think of it like a stair-step. We make improvements in the Cloud, it gets released as
an update on-prem.
>>Right.
>>So as long as you have a refresh cycle for deploying updates, you will generally stay within shouting distance of our actual Cloud.
>>Yeah. Just to be super precise, even though you use the term on-prem, you’re basically meaning it in the context of our controlled install on Azure DevOps.
>>Yes, that’s right.
>>Yeah.
>>It’s still in the Cloud.
>>Yeah.
>>I mean when I say on-prem, I really wouldn’t radically.
>>Theoretically, you could put it on-prem.
>>Totally doable. When I say on-prem, what I mean is Infrastructure as a Service, like virtual machines is what I’m thinking about in my head. So now that we have this, first thing we’re going to do is we’re actually going to import a registry. Well, what registry should we import? Well, we actually have one out here already. It’s already here.
>>This is getting very meta here. We’re importing the
repository that created us.
>>I know, right. But this is totally for every software developer in the world, who will get this. No matter how good you do it, there’s always room for improvement. There is room for improvement in my template, and there is someone out there right now who can make those improvements. So as an organization, if you’re like, that’s a decent start, but there are things that would be more relevant to our organization, our security controls, our CSOs, we need to make some improvements on it. Well, guess what? That’s what DevOps is for. Take the Infrastructure as Code. I’m going to click on Import and it’s going to pull that entire environment into our Azure DevOps server. So now we have source files, our internal developers can make code commits against this to improve it, to make it better and willingly. Go ahead.
>>That’s your question. So in order to do the import you just did, this machine was able to reach out to the Internet.
>>That’s correct. So I did do it that way, but typically for a commit to an on-prem server, what you would do as a developer would be to follow the same lifecycle as like
the OpenJDK installation. They would pull it down to a
local laptop or develop it on their local laptop
and then do a push.
>>Then do a push. So we took the liberty for demo purposes, but you could absolutely cut this off.
>>Totally. The whole point is that the architecture I utilize is based on no Internet access. The architecture works if the DevOps server does not have any access to the Internet. Good to go. Typically, I would use a laptop and do a push to the system from inside, but I don’t have those laptops available, so I’m just doing it this way. But you could see here, configSQL. This is the SQL script downloaded from the storage account that actually does all the work. You could see in here, this Invoke-WebRequest. This is me calling out to get the managed service identity. This is me talking to my Azure Key Vault, and this is me down here, actually configuring SQL according to our user documentation for Azure DevOps server deployments. You can come here and look at all of the master, but here are the actual SQL queries I’m running against all of it to make it all work.
>>Basically, all the steps that we saw at the beginning of the demo.
>>Everything. You nailed it.
>>Okay. Cool.
>>Of course, the Infrastructure
as Code that’s hosted here. From here, what you would
normally do if you were building a CICD pipeline is you’d
go to Azure Pipelines. From here, you do Azure build pipelines and Azure release
pipeline built to do testing, to make sure everything’s legit, and then released to actually
put it out there to work with.
>>Yeah. So at this point, everything is up and running, we can configure it however we want, like you said, CI/CD pipelines, builds, kanban boards, whatever the case may be.
>>Exactly right. Work item tracking, all of it. Altogether we call it epics and stories. You define an epic, you attach work items, and then you have sprints to fulfill those visions, whatever those features are for your software.
>>Okay, cool. So just to close, I guess the question is how does someone get started with this? I have a feeling what your answer is going to be, because you showed us that GitHub repo. Just give us a couple of words about that to close out here.
>>So to get started, if you want to just kick the tires, here’s what I recommend. One of my coworkers wrote this Azure AD hybrid deployment template. This will deploy the necessary infrastructure,
Azure Active Directory. We knows deploy Active
Directory domains. It’ll deploy an active
directory domain controller, it’ll create a virtual network, deploy that in your
inner test environment. Then you can use this template to deploy DevOps server
into that environment. Of course, you can use this
template to deploy into a test environment or into
a production environment, whatever works best for you. But that’s the easiest
way to get started. One thing I’ll call out, just so you’re aware of it. When you do the deployment, if you actually try to tackle it, be sure that you don’t forget to enable VNet service endpoints on your actual virtual networks. If you don’t, then the connectivity won’t work when you do the deployment.
>>Just a pro-tip. So anyone can access this, they can fork it, they can submit PRs, whatever the case may be.
>>That’s exactly right. They can do whatever they want. I own this repository. So if someone wants to make an improvement, I would love it so much if someone would make an improvement and then submit a pull request and get it merged back in so we can make it better for everyone.
>>Awesome. Great.
>>All right.
>>All right. Well, thanks for talking to us today about Azure DevOps Server. This has been Steve Michelotti with Jason Ingram talking about Azure DevOps Server on Azure Government. Thanks for watching.