Skip to content

Latest commit

 

History

History
273 lines (184 loc) · 9.74 KB

prod-deployment.md

File metadata and controls

273 lines (184 loc) · 9.74 KB
Raw

Steps to deploy the production deployment

This section describes the deployment steps for the reference implementation of a reliable web application pattern with .NET on Microsoft Azure. These steps guide you through using the jump box that is deployed when performing a network isolated deployment because access to resources will be restricted from public network access and must be performed from a machine connected to the vnet.

Diagram showing the network focused architecture of the reference implementation.

Prerequisites

We recommend that you use a Dev Container to deploy this application. The requirements are as follows:

If you do not wish to use a Dev Container, please refer to the prerequisites for detailed information on how to set up your development system to build, run, and deploy the application.

Note

These steps are used to connect to a Linux jump box where you can deploy the code. The jump box is not designed to be a build server. You should use a devOps pipeline to manage build agents and deploy code into the environment. Also note that for this content the jump box is a Linux VM. This can be swapped with a Windows VM based on your organization's requirements.

Steps to deploy the reference implementation

The following detailed deployment steps assume you are using a Dev Container inside Visual Studio Code.

1. Log in to Azure

  1. Start a powershell session in the dev container terminal:

    pwsh

  2. Import the Azure cmdlets:

    Import-Module Az.Resources

  3. Log in to Azure:

    Connect-AzAccount

  4. Set the subscription to the one you want to use (you can use Get-AzSubscription to list available subscriptions):

    $AZURE_SUBSCRIPTION_ID="<your-subscription-id>"
    Set-AzContext -SubscriptionId $AZURE_SUBSCRIPTION_ID

  5. Azure Developer CLI (azd) has its own authentication context. Run the following command to authenticate to Azure:

    azd auth login

2. Provision the app

  1. Create a new AZD environment to store your deployment configuration values:

    azd env new <pick_a_name>

  2. Set the default subscription for the azd context:

    azd env set AZURE_SUBSCRIPTION_ID $AZURE_SUBSCRIPTION_ID

  3. To create the prod deployment:

    azd env set ENVIRONMENT prod

  4. Production is a multi-region deployment. Choose an Azure region for the primary deployment (Run (Get-AzLocation).Location to see a list of locations):

    azd env set AZURE_LOCATION <pick_a_region>

    You want to make sure the region has availability zones. Azure App Service is configured with Availability zone support.

  5. Choose an Azure region for the secondary deployment:

    azd env set AZURE_SECONDARY_LOCATION <pick_a_region>

    We encourage readers to choose paired regions for multi-regional web apps. Paired regions typically offer low network latency, data residency in the same geography, and sequential updating. Read Azure paired regions to learn more about these regions.

  6. Run the following command to create the Azure resources (about 45-minutes to provision):

    azd provision

3. Upload the code to the jump box

WARNING

When the prod deployment is performed the Key Vault resource will be deployed with public network access enabled. This allows the reader to access the Key Vault to retrieve the username and password for the jump box. This also allows you to save data created by the create-app-registration script directly to the Key Vault. We recommend reviewing this approach with your security team as you may want to change this approach. One option to consider is adding the jump box to the domain, disabling public network access for Key Vault, and running the create-app-registration script from the jump box.

To retrieve the generated password:

  1. Retrieve the username and password for your jump box:

    • Locate the Hub resource group in the Azure Portal.
    • Open the Azure Key Vault from the list of resources.
    • Select Secrets from the menu sidebar.
    • Select Jumpbox--AdministratorPassword.
    • Select the currently enabled version.
    • Press Show Secret Value.
    • Note the secret value for later use.
    • Repeat the proecess for the Jumpbox--AdministratorUsername secret.

  2. Start a new PowerShell session in the terminal (In VS Code use Ctrl+Shift+~). Run the following command from the dev container terminal to start a new PowerShell session:

    pwsh

  3. We use the Azure CLI to create a bastion tunnel that allows us to connect to the jump box:

    az login
    $AZURE_SUBSCRIPTION_ID = ((azd env get-values --output json | ConvertFrom-Json).AZURE_SUBSCRIPTION_ID)
    az account set --subscription $AZURE_SUBSCRIPTION_ID

  4. Run the following to set the environment variables for the bastion tunnel:

    $bastionName = ((azd env get-values --output json | ConvertFrom-Json).BASTION_NAME)
$resourceGroupName = ((azd env get-values --output json | ConvertFrom-Json).BASTION_RESOURCE_GROUP)
$targetResourceId = ((azd env get-values --output json | ConvertFrom-Json).JUMPBOX_RESOURCE_ID)

  5. Run the following command to create a bastion tunnel to the jump box:

    az network bastion tunnel --name $bastionName --resource-group $resourceGroupName --target-resource-id $targetResourceId --resource-port 22 --port 50022

    NOTE

    Now that the tunnel is open, change back to use the original PowerShell session to deploy the code.

  6. Run the following command to restore packages and compile code.

    azd package

  7. From PowerShell use the following SCP command to upload the code to the jump box (use the password you retrieved from Key Vault to authenticate the SCP command):

    scp -r -P 50022 * [email protected]:/home/azureadmin/web-app-pattern

    If you were unable to connect due to Remote host identification has changed

  8. From PowerShell use the SCP command to upload the AZD environment to the jump box:

    scp -r -P 50022 ./.azure [email protected]:/home/azureadmin/web-app-pattern

  9. Run the following command to start a shell session on the jump box:

    ssh [email protected] -p 50022

4. Deploy code from the jump box

  1. Change to the directory where you uploaded the code:

    cd web-app-pattern

  2. Change the exeuatable permissions on the scripts:

    chmod +x ./infra/scripts/**/*.sh

  3. Start a PowerShell session:

    pwsh

  4. Sign in to Azure PowerShell interactively:

    Connect-AzAccount -UseDeviceAuthentication
    Set-AzContext -SubscriptionId ((azd env get-values --output json | ConvertFrom-Json).AZURE_SUBSCRIPTION_ID)

  5. Sign in to azd:

    azd auth login --use-device-code

  6. Deploy the application to the primary region using:

    azd deploy

    It takes approximately 5 minutes to deploy the code.

    WARNING

    In some scenarios, the DNS entries for resources secured with Private Endpoint may have been cached incorrectly. It can take up to 10-minutes for the DNS cache to expire.

  7. Deploy the application to the secondary region using:

    azd env set AZURE_RESOURCE_GROUP ((azd env get-values --output json | ConvertFrom-Json).SECONDARY_RESOURCE_GROUP)
    azd deploy

  8. Use the URL displayed in the console output to launch the Relecloud application that you have deployed:

    screenshot of Relecloud app home page

5. Teardown

  1. Close the PowerShell session on the jump box:

    exit

  2. Close your SSH session:

    exit

  3. Close your background shell that opened the bastion tunnel with the interrupt command Ctrl+C.

  4. To tear down the deployment, run the following command from your dev container to remove all resources from Azure:

    azd down --purge --force