Disabling user/app credential deployment in App Service Plan - azure

Is it possible to disable user-level credential deployment in a particular App Service Plan?
In a development environment deploying directly to the AppService is fine, however a production environment should require more gates e.g. via a release pipeline.
User-level credentials are shared across an entire azure account, is it possible to disable them for production?
The portal indicates the ability to disable ftp, but it doesn't suggest this covers deployments in general.
Is it possible to disable app-level credentials as well? I'm wary of its auditability not being tied to an individual user.
EDIT:
The release pipeline is currently using the MSDeploy extension within an ARM template. For this app we're currently not using deployment slots, but that's a good point; we would use them for other applications.

Unfortunately, no, not at this moment. As long as the user is a contributor to the site, he/she will be able to browse to the relevant SCM site (meaning making changes/deployment). Similarly for app-level cred. Could you clarify what type of cred is being used to do the release pipeline? Does it mean deploy to slot and swap is the only means of deployment?
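As an added example (not part of the answer above, which describes the platform at the time it was written): App Service later gained per-app `basicPublishingCredentialsPolicies` child resources named `ftp` and `scm`. Setting `allow=false` on both turns off the user-level and app-level (publish profile) credentials for that app, so the only remaining way to deploy is an Azure RBAC identity such as a pipeline service connection, which is what ties each production deployment back to a principal in the activity log. The resource group, app and slot names are assumed, and `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Disables basic-auth publishing (FTP and Kudu/SCM
# deployment credentials) on an App Service and its slots, then reads the setting back.
# Assumed names: resource group "rg-prod", app "contoso-prod", slot "staging".
set -eu

# Indirection so the script can be dry-run: DRY_RUN=1 prints each command instead of running it.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# allow=false on "scm" blocks Kudu basic auth (zipdeploy, msdeploy, local git, publish profile);
# allow=false on "ftp" blocks FTP/FTPS logins with the deployment credentials.
disable_basic_publishing() {
  rg=$1; app=$2
  for policy in ftp scm; do
    run az resource update --resource-group "$rg" \
      --namespace Microsoft.Web --resource-type basicPublishingCredentialsPolicies \
      --parent "sites/$app" --name "$policy" --set properties.allow=false
  done
  # Belt and braces for production: turn the FTP endpoint off entirely as well.
  run az webapp config set --resource-group "$rg" --name "$app" --ftps-state Disabled
}

# Slots carry their own policies; a staging slot left open is still a way to push code into
# the same plan, so apply the same setting to every slot.
disable_basic_publishing_on_slot() {
  rg=$1; app=$2; slot=$3
  for policy in ftp scm; do
    run az resource update --resource-group "$rg" \
      --namespace Microsoft.Web --resource-type basicPublishingCredentialsPolicies \
      --parent "sites/$app/slots/$slot" --name "$policy" --set properties.allow=false
  done
}

# Read back the effective value for one policy ("false" once disabled).
show_basic_publishing() {
  rg=$1; app=$2; policy=$3
  run az resource show --resource-group "$rg" \
    --namespace Microsoft.Web --resource-type basicPublishingCredentialsPolicies \
    --parent "sites/$app" --name "$policy" --query properties.allow -o tsv
}

main() {
  disable_basic_publishing "$1" "$2"
  for policy in ftp scm; do
    [ "$(show_basic_publishing "$1" "$2" "$policy")" = "false" ] \
      || { echo "$policy basic auth is still allowed" >&2; exit 1; }
  done
}

# Runs only when invoked as: ./disable-basic-publishing.sh <resource-group> <app>
# Sourcing the file just makes the functions available.
if [ "$#" -ge 2 ]; then main "$@"; fi
```

After this, a publish profile downloaded from the portal still contains a `userPWD`, but Kudu rejects it; the release pipeline has to authenticate with its service connection instead, which is the gate the question asks for.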

Related

Azure Deployment Slots with Post Implementation Testing

Our company website will soon be hosted in an App Service in Azure. The website communicates with an API layer that is also hosted in Azure and links to our internal systems and databases. The architecture at this level cannot be changed at this time and has quite a bit of background history, etc.
We are looking at implementing always on deployments using Deployment Slots in the App Service in Azure. The API layer will have non-breaking changes for each deployment and deploying the APIs will be the first part of any release, with the website following.
We have a clear separation between our environments, and the release will be tested in Dev, Test and Pre-Prod environments before the production deployment begins. Overall the whole process is fairly simple until it comes to post-implementation (PI) testing, which is currently mandatory in our company.
We need to be able to test the production deployment prior to the customers using the site. Currently we feature toggle the site into maintenance mode unless it's being accessed from a select IP address list. We now need to perform the PI testing on the new version of the site whilst the customer continues to use the older version of the site. I wasn't sure of the best way of achieving this.
One idea I did have is having a subdomain that links directly to the website's _staging deployment slot, bypassing the deployment slot settings. In turn some logic in here could go direct to the API _staging deployment slot. This would give the option to post-implement the change just prior to clicking the 'Swap' button to swap over the deployment slots.
I know the overall process isn't ideal, but at the moment this can't be changed. Does anyone have any thoughts or other suggestions on the above please?
Azure makes it easy to create deployment slots for App Services. It’s available in the Standard or Premium App Service plan mode. Deployment slots are actually live apps with their own hostnames. App content and configuration elements can be swapped between two deployment slots, including the production slot.
Azure customers can easily perform the following steps
- Deploy the web application to an online deployment slot.
- Run the tests on a deployment slot, within the live environment that potential testers are going to use. The testing environment and production environment exist side by side and provide a similar environment.
- Perform an internal swapping of the IP addresses of both slots (via load balancing and traffic management for both nodes, i.e. slots)
- Update applications with zero downtime
- Swap back to a previous version of your app instantly, with zero downtime for users.
References
https://learn.microsoft.com/en-us/azure/app-service/deploy-staging-slots
The overall reason to have deployment slots enabled is that it helps your team to run live testing on the production environment, and in case there are some problems on the production slot, it lets you roll back the swap without having to take your application down for maintenance.
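The slot-based procedure in the answer above, scripted as an added example (not code from the question or answer). It covers the two things the question actually needs on top of a plain swap: restricting the staging slot's own hostname to the PI testers' addresses, and using swap-with-preview so the staging slot is tested under the production slot's settings before traffic moves. Access restrictions are slot-specific and are not swapped, so the tester-only rule stays on the staging slot while the production slot keeps its own rules. Resource group, app, slot, health path and tester CIDR are assumed; `DRY_RUN=1` prints commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Deploy to a tester-only staging slot, preview-swap,
# smoke test, then complete or reset the swap. Assumed names: resource group "rg-prod",
# app "contoso-web", slot "staging", testers on 203.0.113.0/24, health endpoint /healthz.
set -eu

run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Slot hostname convention: <app>-<slot>.azurewebsites.net
slot_hostname() { printf '%s-%s.azurewebsites.net\n' "$1" "$2"; }

# One-time setup: create the slot from the production configuration and lock it down.
# The first Allow rule brings an implicit deny-all with it, so only the tester range reaches
# the staging hostname. Restrictions are per slot and survive swaps.
prepare_staging_slot() {
  rg=$1; app=$2; slot=$3; tester_cidr=$4
  run az webapp deployment slot create --resource-group "$rg" --name "$app" \
    --slot "$slot" --configuration-source "$app"
  run az webapp config access-restriction add --resource-group "$rg" --name "$app" \
    --slot "$slot" --rule-name pi-testers --action Allow \
    --ip-address "$tester_cidr" --priority 100
}

deploy_to_slot() {
  rg=$1; app=$2; slot=$3; package=$4
  run az webapp deploy --resource-group "$rg" --name "$app" --slot "$slot" \
    --src-path "$package" --type zip
}

# Smoke test against the slot's own hostname; fails unless run from an allowed address.
smoke_test_slot() {
  app=$1; slot=$2
  host=$(slot_hostname "$app" "$slot")
  run curl --fail --silent --show-error --output /dev/null "https://$host/healthz"
}

# Phase 1 of swap-with-preview: the production slot's slot-specific settings are applied to
# the staging slot (which restarts), so PI testing hits the exact configuration that goes live.
swap_preview() {
  run az webapp deployment slot swap --resource-group "$1" --name "$2" \
    --slot "$3" --target-slot production --action preview
}
# Phase 2 completes the swap ...
swap_complete() {
  run az webapp deployment slot swap --resource-group "$1" --name "$2" \
    --slot "$3" --target-slot production --action swap
}
# ... or reset abandons it and restores the staging slot's own settings.
swap_reset() {
  run az webapp deployment slot swap --resource-group "$1" --name "$2" \
    --slot "$3" --target-slot production --action reset
}

main() {
  rg=$1; app=$2; package=$3; slot=staging
  deploy_to_slot "$rg" "$app" "$slot" "$package"
  swap_preview "$rg" "$app" "$slot"
  if smoke_test_slot "$app" "$slot"; then
    swap_complete "$rg" "$app" "$slot"
  else
    swap_reset "$rg" "$app" "$slot"
    exit 1
  fi
}

# Usage: ./release.sh <resource-group> <app> <package.zip>  (run prepare_staging_slot once first)
if [ "$#" -ge 3 ]; then main "$@"; fi
```

The API layer gets the same treatment with its own slot; the web slot's app setting pointing at the API can be marked as a slot setting so the staging web slot talks to the staging API slot, as the question suggests, without any request-time logic in the site itself.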

Azure Devops Releases Agent job's Agent configuration show 'Default (No agents)'

I'm using Azure DevOps pipelines and for 'builds' I can define the 'Hosted Ubuntu' agent (in my pipelines.yml file). But for 'releases' there's no way to edit YAML, just the UI. The agent pool drop-down list shows 'Default (no agents)'. I assume my problem is probably related to project permissions but haven't figured out what controls the visibility. On another account I see all the hosted agent options available.
For the possible security permissions issue
Check that you are part of the group(s) assigned as User to the security of the app pool in question.
If this security operates like other Allow, Deny, NotSet permissions, then your occupation in a group that has less than User permission will revoke that permission, but I haven't seen any documentation about this.
For the use of YAML in release pipelines
YAML usage in the formal release pipeline hub is not supported. If you want to use YAML for your CD release, you're going to need to enable the new multi-stage pipelines experience.
This allows you to create stages in your .yml file that relate to deployment functions in addition to the classic build functions.
I believe this removes your release tracking from the release hub and integrates it directly into the build hub.
This is still a new concept for Azure DevOps, as is the documentation and writing about it. I found this article to be helpful.
Because this new feature seems to be centered around AKS (or other Kubernetes services) and Docker, I'm not sure if this will help you by allowing you to specify the host in yaml, but you mentioned "release" and "yaml" in the same sentence, so I thought I would address that.

Should I stop an Azure App Service during an update?

I am updating my Azure App Service from Azure DevOps. Currently, my release is like this:
Stop the App Service,
Update the App Service, and
Start the App Service.
My question is whether it is reasonable to stop the App Service during the update. When I select a release template from Azure DevOps for Azure App Service, there aren't any stop/start steps, only the update step. So I am wondering if the stop/start is even needed?
What we have done mostly is:
Stop staging slot
Deploy to slot
Start slot
Swap staging to production
Stop staging slot
Martin's suggestion on Take app offline is also a good one!
We prefer to deploy to slots and then swap so we incur minimal impact to production and can also rollback easily.
Stopping/taking app offline can prevent file locking issues.
It probably depends on your app. If you don't have any issues when you just update your app (such as the "file is in use" issue) you can consider using the Take App Offline flag, which will place an app_offline.htm file in the root directory of the App Service during the update (then it will be removed). This way users will recognize that something is happening with the app.
However, I often ended up doing the same as you: Stop, Update, Start 😉
There are (5) options for safe-deployment (atomic updates) to Azure Web Apps. Here is my preferred order ranked by priority and feature richness:
Run-from-Package + ZipDeploy (makes site read-only)
ZipDeploy (using kudu REST api - automatically takes site offline)
Azure CLI (az webapp)
msdeploy (-enableRule:AppOffline, or stop/start site to enforce atomicity)
FTP (using publish profile, make sure to upload appoffline.htm)
There are numerous other deployment options like cloud sync, github continuous, local git, etc - but they are all built upon Kudu APIs (as is Azure CLI).
Note: If you're using Azure DevOps, it supports nearly all these options; leverage the Azure App Service Deploy task.
Agree with both Martin and juunas. If you want to deploy without impacting users then you need to use the slot swap approach. juunas brings up the great point of easily rolling back too. Our approach includes another slot we call "hotfix". This adds a few benefits:
Having an environment with production configs so that you can optionally do additional testing before actually doing the swap.
Roll back in prod even when devs have already deployed into a staging environment.
Allows you to test bugs in the current and previous versions of the code. Helpful when someone says "well it worked before this deployment"...
This is what it looks like.
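The top two options from the ranked list above (Run-from-Package with ZipDeploy), scripted as an added example that is not code from any of the answers. It shows the app setting that makes the deployment atomic, the zip push both through the CLI and straight at the Kudu REST endpoint it wraps, how to read Kudu's deployment record afterwards, and a stop/update/start wrapper for the older in-place methods (msdeploy, FTP) that can hit locked files. Names are assumed; the Kudu variant expects the publish-profile user and password in `KUDU_USER` / `KUDU_PASS` rather than in the script, and `DRY_RUN=1` prints commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Atomic update of an App Service with run-from-package.
# Assumed names: resource group "rg-prod", app "contoso-api".
set -eu

run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# WEBSITE_RUN_FROM_PACKAGE=1 mounts the uploaded zip read-only as wwwroot. The switch from the
# old package to the new one is atomic and nothing is written in place, so there is no
# "file in use" window and no stop/start is needed. (Setting it also makes the site read-only
# from Kudu's console, which is a useful property for production on its own.)
enable_run_from_package() {
  rg=$1; app=$2
  run az webapp config appsettings set --resource-group "$rg" --name "$app" \
    --settings WEBSITE_RUN_FROM_PACKAGE=1
}

# Push the package through the CLI (which calls Kudu's zipdeploy API under the hood).
zip_deploy() {
  rg=$1; app=$2; package=$3
  run az webapp deploy --resource-group "$rg" --name "$app" --src-path "$package" --type zip
}

# The same push directly against Kudu, as used by tools that do not go through az.
# Requires basic-auth publishing to still be enabled for the app.
kudu_zip_deploy() {
  app=$1; package=$2
  run curl --fail --silent --show-error -X POST \
    -u "${KUDU_USER:?set KUDU_USER}:${KUDU_PASS:?set KUDU_PASS}" \
    --data-binary "@$package" \
    "https://$app.scm.azurewebsites.net/api/zipdeploy?isAsync=true"
}

# Kudu keeps a record per deployment. In the JSON, "status" 4 means success and 3 means failed;
# "complete" is false while an async deployment is still running.
latest_deployment() {
  app=$1
  run curl --fail --silent --show-error \
    -u "${KUDU_USER:?set KUDU_USER}:${KUDU_PASS:?set KUDU_PASS}" \
    "https://$app.scm.azurewebsites.net/api/deployments/latest"
}

# Fallback for in-place methods (msdeploy without -enableRule:AppOffline, FTP): stop the site,
# run the given deploy command, start it again, so no worker holds a file open mid-copy.
# Usage: stop_update_start <rg> <app> <command...>
stop_update_start() {
  rg=$1; app=$2; shift 2
  run az webapp stop --resource-group "$rg" --name "$app"
  run "$@"
  run az webapp start --resource-group "$rg" --name "$app"
}

main() {
  rg=$1; app=$2; package=$3
  enable_run_from_package "$rg" "$app"
  zip_deploy "$rg" "$app" "$package"
}

# Usage: ./deploy.sh <resource-group> <app> <package.zip>
if [ "$#" -ge 3 ]; then main "$@"; fi
```

Rollback with run-from-package is a matter of deploying the previous zip again, which is why it sits above the slot-less stop/update/start variant in the list; slots add the instant swap-back on top.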

Options or setting up a test environment in Azure

I have an app service running on Azure with an associated SQL server DB.
I would like to create a test environment for the project.
I looked at a few Azure Dev/Test tutorials but they are for setting up VMs and I couldn't see anything indicating it can be used for an app service.
Is my only option to duplicate the appservice, db, ssl certs, custom domains and effectively double my azure bill?
Bruno gave good advice, but here's a few more things to consider.
If you use deployment slots, you are sharing your Web App CPU and memory between all slots. If something goes horribly wrong with a test build that's deployed to a slot on your production machine, your production environment can end up resource starved. I personally don't recommend using slots for testing for this reason. Slots are more for smoke testing/warming up a build that you're about to swap into your production slot.
If you want to save money yet still have the benefit of separate environments, consider looking into ARM templates. ARM templates let you script the provisioning of Azure resources. You can create ARM templates based on your production environment, including scripting the App Settings section of your Web App to hold test configuration settings. You can then deploy your ARM template that spins up a test environment right from a Visual Studio project. If you put all of your test resources into the same resource group, tearing down your test environment is a few mouse clicks to delete the test resource group.
For the App Service, you have something called Slots. This allows you to have multiple environments on the same App Service. You can also have multiple Web Apps under the same App Service Plan as well instead of using Slots, so in this case, you only pay for 1 backend. App Service has a Free Tier, but with limitations such as not supporting custom domains.
Set up staging environments in Azure App Service
For SQL Databases you have to pay for each DB or use Elastic Pools (1 backend for multiple DBs), but that's only worthwhile when you're using at least 100 DTU DBs. The minimum database you can have is the Basic one, but that's $6/month.

How to pass Azure credentials to a Release Management deployment script in a secure manner?

What I want to accomplish:
I want to deploy an Azure Cloud Service via Release Management. I managed to get this working by following the steps outlined in this post. In the post the Azure publishsettings file is added to the project and used in Release Management to deploy the Azure package to a Cloud Service. So far so good.
What is the issue:
The Azure publishsettings file will also contain information about the production environment. I don't want that information to be available to all the developers and therefor I would like to have a more secure alternative.
What did I try:
I created a custom action which takes 3 arguments: subscription id, subscription name and certificate key. This way the Azure information stays in Release Management and can be passed to a script. This didn't work because the action is not shown in the Release Template Toolbox.
What is my question:
What is the best way to pass Azure credentials to a deployment script via Release Management in a secure manner?
We have a solution for Build today that will work for RM in the future.
The publish settings file is an important one, with which anybody can get access to certain activities. And however you pass on the publish settings file, it can be misused (if tried).
So along with the publish settings file, you need to add a bit of process to the deployment like -
Deactivate or remove the management certificate, which will in turn invalidate the given publish settings, and anyone should request a new set of publish settings file before they actually start any release procedures.
Even though it adds a rough edge to your smooth flow of the deployment process, as it is a live or production system, it is always better to tighten the process and make it idiot proof.
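An added helper (not code from either thread) for the two kinds of publish file that come up on this page: the classic subscription `.publishsettings` discussed in this question, whose `ManagementCertificate` attribute is a base64 PFX holding a private key that can act on the whole subscription, and the per-app publish profile from the first question, whose `userPWD` attributes are the app-level deployment credentials. It counts the secret-bearing attributes, redacts them so the non-secret structure (subscription id, publish URL, user name) can be shared or committed, and lists what the file discloses without echoing the values. The sample files it writes are constructed for the example, with placeholder credentials.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Audit and redact Azure publish files.
set -eu

# Count attributes that carry a credential. ManagementCertificate = subscription-wide private
# key (classic .publishsettings); userPWD = Kudu/FTP password for one app (publish profile).
# Already-redacted values are not counted, so the function doubles as a post-redaction check.
count_publish_secrets() {
  grep -o -E '(ManagementCertificate|userPWD)="[^"]*"' "$1" \
    | grep -v '="REDACTED"' | wc -l | tr -d ' '
}

# Emit a copy with the secret values replaced. Structure and identifiers are kept.
redact_publish_file() {
  sed -E 's/(ManagementCertificate|userPWD)="[^"]*"/\1="REDACTED"/g' "$1"
}

# What the file reveals besides the credentials: names, ids, endpoints, user names.
describe_publish_file() {
  grep -o -E '(Name|profileName|publishMethod|publishUrl|userName|Id)="[^"]*"' "$1" || true
}

# Constructed sample files (placeholder credentials) so the helpers can be tried offline.
write_sample_files() {
  dir=$1
  cat > "$dir/subscription.publishsettings" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<PublishData>
  <PublishProfile SchemaVersion="2.0" PublishMethod="AzureServiceManagementAPI">
    <Subscription ServiceManagementUrl="https://management.core.windows.net" Id="11111111-1111-1111-1111-111111111111" Name="Contoso Production" ManagementCertificate="BASE64PFXPLACEHOLDER" />
  </PublishProfile>
</PublishData>
EOF
  cat > "$dir/contoso-prod.PublishSettings" <<'EOF'
<publishData>
  <publishProfile profileName="contoso-prod - Web Deploy" publishMethod="MSDeploy" publishUrl="contoso-prod.scm.azurewebsites.net:443" msdeploySite="contoso-prod" userName="$contoso-prod" userPWD="PLACEHOLDER-MSDEPLOY-PASSWORD" destinationAppUrl="https://contoso-prod.azurewebsites.net" />
  <publishProfile profileName="contoso-prod - FTP" publishMethod="FTP" publishUrl="ftps://waws-prod-example.ftp.azurewebsites.windows.net/site/wwwroot" ftpPassiveMode="True" userName="contoso-prod\$contoso-prod" userPWD="PLACEHOLDER-FTP-PASSWORD" destinationAppUrl="https://contoso-prod.azurewebsites.net" />
</publishData>
EOF
}

main() {
  f=$1
  printf 'credential attributes present: %s\n' "$(count_publish_secrets "$f")"
  describe_publish_file "$f"
  echo '--- redacted copy ---'
  redact_publish_file "$f"
}

# Usage: ./audit-publish-file.sh <file.publishsettings>
if [ "$#" -ge 1 ]; then main "$@"; fi
```

The redacted copy is what belongs in a repository or a ticket; the original file, or just its credential values, belongs in the release tool's secret store and is handed to the deployment step at run time, which is the separation the question is after.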
