This section describes the deployment steps for the reference implementation of a reliable web application pattern with .NET on Microsoft Azure. These steps guide you through using the jump box that is deployed when performing a network isolated deployment because access to resources will be restricted from public network access and must be performed from a machine connected to the vnet.
We recommend that you use a Dev Container to deploy this application. The requirements are as follows:
- Azure Subscription.
- Visual Studio Code.
- Docker Desktop.
- Permissions to register an application in Microsoft Entra ID.
- Visual Studio Code Dev Containers extension.
If you do not wish to use a Dev Container, please refer to the prerequisites for detailed information on how to set up your development system to build, run, and deploy the application.
Note
These steps are used to connect to a Linux jump box where you can deploy the code. The jump box is not designed to be a build server. You should use a devOps pipeline to manage build agents and deploy code into the environment. Also note that for this content the jump box is a Linux VM. This can be swapped with a Windows VM based on your organization's requirements.
The following detailed deployment steps assume you are using a Dev Container inside Visual Studio Code.
-
Start a powershell session in the dev container terminal:
pwsh
-
Import the Azure cmdlets:
Import-Module Az.Resources
-
Log in to Azure:
Connect-AzAccount
-
Set the subscription to the one you want to use (you can use Get-AzSubscription to list available subscriptions):
$AZURE_SUBSCRIPTION_ID="<your-subscription-id>"
Set-AzContext -SubscriptionId $AZURE_SUBSCRIPTION_ID
-
Azure Developer CLI (azd) has its own authentication context. Run the following command to authenticate to Azure:
azd auth login
-
Create a new AZD environment to store your deployment configuration values:
azd env new <pick_a_name>
-
Set the default subscription for the azd context:
azd env set AZURE_SUBSCRIPTION_ID $AZURE_SUBSCRIPTION_ID
-
To create the prod deployment:
azd env set ENVIRONMENT prod
-
Production is a multi-region deployment. Choose an Azure region for the primary deployment (Run
(Get-AzLocation).Location
to see a list of locations):azd env set AZURE_LOCATION <pick_a_region>
You want to make sure the region has availability zones. Azure App Service is configured with Availability zone support.
-
Choose an Azure region for the secondary deployment:
azd env set AZURE_SECONDARY_LOCATION <pick_a_region>
We encourage readers to choose paired regions for multi-regional web apps. Paired regions typically offer low network latency, data residency in the same geography, and sequential updating. Read Azure paired regions to learn more about these regions.
-
Run the following command to create the Azure resources (about 45-minutes to provision):
azd provision
WARNING
When the prod deployment is performed the Key Vault resource will be deployed with public network access enabled. This allows the reader to access the Key Vault to retrieve the username and password for the jump box. This also allows you to save data created by the
create-app-registration
script directly to the Key Vault. We recommend reviewing this approach with your security team as you may want to change this approach. One option to consider is adding the jump box to the domain, disabling public network access for Key Vault, and running thecreate-app-registration
script from the jump box.
To retrieve the generated password:
-
Retrieve the username and password for your jump box:
- Locate the Hub resource group in the Azure Portal.
- Open the Azure Key Vault from the list of resources.
- Select Secrets from the menu sidebar.
- Select Jumpbox--AdministratorPassword.
- Select the currently enabled version.
- Press Show Secret Value.
- Note the secret value for later use.
- Repeat the proecess for the Jumpbox--AdministratorUsername secret.
-
Start a new PowerShell session in the terminal (In VS Code use
Ctrl+Shift+~
). Run the following command from the dev container terminal to start a new PowerShell session:pwsh
-
We use the Azure CLI to create a bastion tunnel that allows us to connect to the jump box:
az login
$AZURE_SUBSCRIPTION_ID = ((azd env get-values --output json | ConvertFrom-Json).AZURE_SUBSCRIPTION_ID)
az account set --subscription $AZURE_SUBSCRIPTION_ID
-
Run the following to set the environment variables for the bastion tunnel:
$bastionName = ((azd env get-values --output json | ConvertFrom-Json).BASTION_NAME) $resourceGroupName = ((azd env get-values --output json | ConvertFrom-Json).BASTION_RESOURCE_GROUP) $targetResourceId = ((azd env get-values --output json | ConvertFrom-Json).JUMPBOX_RESOURCE_ID)
-
Run the following command to create a bastion tunnel to the jump box:
az network bastion tunnel --name $bastionName --resource-group $resourceGroupName --target-resource-id $targetResourceId --resource-port 22 --port 50022
NOTE
Now that the tunnel is open, change back to use the original PowerShell session to deploy the code.
-
Run the following command to restore packages and compile code.
azd package
-
From PowerShell use the following SCP command to upload the code to the jump box (use the password you retrieved from Key Vault to authenticate the SCP command):
scp -r -P 50022 * [email protected]:/home/azureadmin/web-app-pattern
If you were unable to connect due to Remote host identification has changed
-
From PowerShell use the SCP command to upload the AZD environment to the jump box:
scp -r -P 50022 ./.azure [email protected]:/home/azureadmin/web-app-pattern
-
Run the following command to start a shell session on the jump box:
ssh [email protected] -p 50022
-
Change to the directory where you uploaded the code:
cd web-app-pattern
-
Change the exeuatable permissions on the scripts:
chmod +x ./infra/scripts/**/*.sh
-
Start a PowerShell session:
pwsh
-
Sign in to Azure PowerShell interactively:
Connect-AzAccount -UseDeviceAuthentication
Set-AzContext -SubscriptionId ((azd env get-values --output json | ConvertFrom-Json).AZURE_SUBSCRIPTION_ID)
-
azd auth login --use-device-code
-
Deploy the application to the primary region using:
azd deploy
It takes approximately 5 minutes to deploy the code.
WARNING
In some scenarios, the DNS entries for resources secured with Private Endpoint may have been cached incorrectly. It can take up to 10-minutes for the DNS cache to expire.
-
Deploy the application to the secondary region using:
azd env set AZURE_RESOURCE_GROUP ((azd env get-values --output json | ConvertFrom-Json).SECONDARY_RESOURCE_GROUP)
azd deploy
-
Use the URL displayed in the console output to launch the Relecloud application that you have deployed:
-
Close the PowerShell session on the jump box:
exit
-
Close your SSH session:
exit
-
Close your background shell that opened the bastion tunnel with the interrupt command Ctrl+C.
-
To tear down the deployment, run the following command from your dev container to remove all resources from Azure:
azd down --purge --force