I had great fun yesterday presenting at the Sydney Serverless Meetup on the currently in-preview support for Java on Azure Functions. Rather than throw the slides up somewhere online I thought I’d write a blog that covers the content with the added bonus of giving you the option to dig into items in more detail.
First some background
I started with a bit of an overview of Azure Functions and why it is we have two runtime versions (because two is better than one, right?!) Actually, there are two versions because the new v2 runtime is designed from the ground up to be cross-platform as a runtime and developer experience, along with providing much better language (.Net, Java, Node, etc) and Binding extensibility.
Azure Functions offers great productivity benefits, but you need to understand a bit about the basics to get going. Key items covered included:
Open Source – you can find everything the Functions team does on GitHub. Have a bug or feature request? File an issue (or even better… submit a PR ๐)
Triggers – control how Functions are invoked (on a schedule, on a HTTP request, on a new queue message).
Bindings – remove integration complexity by using Bindings to declaratively connect to input and output data sources.
Proxies – build clean REST APIs over Functions or other APIs without the need to setup and run a separate API gateway service.
Local Developer Experience – Functions development work (v2 runtime) can be done on Linux, Mac and Windows using whatever IDE you are used to. Java developers can build Java-based Functions locally using Eclipse, IntelliJ or Visual Studio Code
Monitoring – Application Insights is your go-to default experience but you have other options for your business logic use, particularly in v2 with the flexibility of the Logger design in .Net Core.
The Java story for Functions
At the time of the presentation (and this blog) the Functions team was actively working towards the General Availability (GA) of Java support for Functions. This work consists of two items: (1) the Java Worker that does the heavy lifting with the Functions Host of running the actual Java Functions you write; (2) the Maven Plugin that enable developers to quickly create, package, debug and deploy Java-based Functions.
You can see from the Worker repository how the team is working at the very core of Java to enable the language as a first class citizen on the Function runtime. This is not simply invoking java.exe ๐.
I demonstrated how you can create Functions using a Maven Archetype and then develop and test your business logic locally in IntelliJ with Maven. The main Docs site has the full details on how you can do this, so I won’t reproduce it here – go and try it out for yourself. If you need to import libraries as part of your solution you can add them to the pom.xml like you would in any standard modern Java project.
We talked about scenarios where Java Functions might make sense in your world. Scenarios discussed included:
Modernise cron / batch / background jobs โ you may have handed these to the ops folks in the past to write or run – now you can bring them into your development team’s SDLC.
Move @Scheduled Spring Boot or ExecutorService workloads out of other code into a stand-alone execution context.
Simplified event-based programming โ remove the need to have polling logic in your code.
Develop “Microservices”.
But that’s not all…
If you order now you get a free set of steak knives! No… wait… wrong context!
But… actually… *almost*.
Microsoft has been working with Azul Systems to provide support for Java on Azure using Azul’s Enterprise builds of the OpenJDK. The benefit of this, as announced recently, is that Java workloads on Azure using Azul will benefit from free LTS support after January 2019.
Developing your own Bindings
I rounded out the evening by talking about how you can extend Functions capabilities by leveraging the new extensibility model for Bindings. Unsurprisingly this is very well documented on GitHub by the team, along with examples. We covered that these extensions are developed using .Netย but can be consumed by any language bolted into the Functions runtime (which is awesome as a Binding provider – write once!)
I even threw together a very simple example of writing a text file to a cloud storage container that used an output binding to upload a blob where the Binding did the heavy lifting of connecting to the provider and writing the file! No more plumbing code mixed in with my business logic ๐!
Useful links
Here are the raw set of useful links from my slides:
If you are getting started working with Azure you might come across a few key terms that it’s important to have a good understanding of. In this post I’m going to cover what I think are four of the key ones.
Tenant
A Tenant, as it relates to Azure, refers to a single instance of Azure Active Directory, or, as it is often called “Azure AD”. Azure AD is a key piece of Microsoft’s cloud platform as it provides a single place to manage users, groups and the permissions they hold in relation to applications published in Azure AD.
Key Microsoft applications that Azure AD provides access to include Office 365, Dynamics 365 and Azure. Yes, you read that right, Azure is treated as an ‘application’. You can also use Azure AD to control access to many other third-party applications such as Salesforce and even the AWS admin console. As an application developer you can register your own applications in Azure AD for the purpose of allowing users access.
Azure AD Tenants are globally unique and are scoped using a domain that ends with ‘onmicrosoft.com’ (i.e. myazuread.onmicrosoft.com) and each has a ‘Tenant ID’ in the form of an UUID/GUID. Some customers choose to connect their internal Active Directory environment to Azure AD to allow single or same sign-on for their staff and will also use a custom domain instead of the default ‘onmicrosoft.com’.
When you access the Azure Portal, or leverage one of the command-line tools to manage Azure resources in a Subscription, you will always be authenticated at some point via the Azure AD Tenant associated with the Subscription you want to access. The actions you can take will depend on the Role you have been assigned in the target Subscription.
Finally, Azure AD Tenants can be associated with multiple Subscriptions (typically in larger organisations), but a Subscription can only ever be associated with a single Azure AD Tenant at any time.
Dev Tip: if you want to develop an application that uses Azure AD but don’t have permissions to register applications in your company’s Azure AD Tenant (or you want a ‘developer’ Azure AD Tenant) you can choose to create a new Azure AD Tenant in the Azure Portal. Make sure in your application that you can easily change Azure AD Tenant details to allow you to redeploy as required. Azure AD has a free tier that should be suitable for most development purposes.
IT Pro Tip: you can change the display name for your Tenant – something I strongly recommend, particularly as Azure AD B2B will mean others will see your Directory name if they are invited and may be confused if the display name is something unclear. Note that you are *not* able to change the default onmicrosoft.com domain.
Subscription
A Subscription in Azure is a logical container into which any number of resources (Virtual Machines, Web Apps, Storage Accounts, etc) can be deployed. It can also be used for coarse-grained access control to these resources, though the correct approach these days is to leverage Role Based Access Control (RBAC) or Management Groups. All incurred costs of the resources contained in the Subscription will also roll-up at this level (see a sample below).
As noted above, a Subscription is only ever associated with a single Azure AD Tenant at any time, though it is possible to grant users outside of this Tenant access. You can also choose to change the Azure AD Tenant for a Subscription. This feature is useful if you wish to transfer, say, a Pay-As-You-Go (PAYG) Subscription into an existing Enterprise Enrolment. Subscriptions have both a display name (which you can change) and a Subscription ID (UUID/GUID) which you can’t change.
Subscriptions are not tied to an Azure Region and as a result can contain resources from any number of Regions. This doesn’t mean that you will have access to all Regions, as some Geographies and Regions are restricted from use – we’ll talk more about this next.
Resources contained in a Subscription, but deployed to different Regions will still incur cross-Region costs (where applicable) for the resource.
People sometimes use the word ‘Tenant’ instead of ‘Subscription’ or vice-versa. Hopefully you can now see what the difference is between the two.
Regions and Geographies
Azure differs from the other major cloud providers in its approach to providing services close to the customer. As a result, and at time of writing (August 2018), Azure offers 42 operational Regions with 12 more announced or under development.
A Region is a grouping of data centres that together form a deployment location for workloads. Apart from geo-deployed services like Azure AD or Azure Traffic Manager you will always be asked what Region you wish to deploy a workload to.
Regions are named based on a general geography rather than after exactly where the data centres are. So, for example, in Australia we have four Regions – Australia East, Australia Southeast, Australia Central 1 and Australia Central 2.
A Geography, as it relates to Azure, can be used to describe a specific market – typically a country (Australia), though sometimes a geographic region (Asia, Europe). Normally within a Geography you will find two Regions which will be paired to provide customers with high availability options. Can anyone spot the one Region that doesn’t have its pair in the same Geography?
There are a few special Regions that aren’t open to everyone – US Government Regions, the entire German Geography and China. In Australia, in order to access Australia Central 1 and 2 you must undergo a white listing process to gain access.
When you replicate data or services between Regions you will pay an increased charge for either data transfer between Regions and / or duplicated hosting costs in the secondary Region. Some services such as Azure Storage and Azure SQL Database provide geo-redundant options where you pay an incremental cost to have your data replicated to the secondary Region. In other cases you will need to design your own replication approach based on your application and its hosting infrastructure.
Once you have deployed a service to a Region you are unable to move it – you have to re-provision it if you need the primary location to be somewhere else.
As a final note, while there is a Regional availability model (replication of services between Regions), Microsoft has also introduced the concept of Availability Zones. Availability Zones are still being rolled out globally, and are more than just a logical overlay over Regions. Interesting times!
So there we have it, a quick overview of some of the key terms you should be familiar with when getting started with Azure. As always, if anything’s unclear or you have any questions feel free to drop a comment below.
Microsoft has always been a company by, of, and for developers, and the renewed Microsoft commitment to meet the Australian developer community wherever they are continued this past weekend when we were at DDD Sydney.
DDD Sydney, like Perth before it, didn’t disappoint in its slick organisation and community-selected content. The unique spice to the Sydney event though was the dedicated junior developer track – a concept to be loudly applauded and, I hope, replicated elsewhere over time.
As this was my home city event I asked my oldest son if he’d like to be a paid attendee for the day – something he quickly said ‘yes’ to. As he’s only just started high school I didn’t expect him to understand all the content, but I thought it would be a good experience for him and hopefully he’d pick on some tips along the way. Well… I think he did pretty well out of the day based on the below Twitter post…
How many kids are lucky enough to have a private class with @damovisa?
… and now I’ve had to install Python on his computer and order a Raspberry Pi for him! (A big thanks to Damian Brady from the Microsoft CDA team for spending the time with my son!)
Carrying on though…
At the Microsoft stand we had a great time discussing the Azure platform with developers and getting to understand how we can help them do more with it. Some of the discussions I had covered:
– What’s the difference between an Azure Tenant, Subscription and Region. This is a good question, and I’ll post a follow-up blog post to cover this as understanding these three items are fundamental to working with Azure, particularly if you are working with many customers who each own a Subscription.
– How about extending Visual Studio Team Services (VSTS) to do Domain Drive Design (DDD)? Good idea! VSTS has an extensibility model you can tap into if you want to add to the platform’s capabilities or customise it to suit your requirements.
– We had a bunch of people sign-up and play our Azure Cognitive Services-based game “Where’s Bit?”. We’ll eventually open this up for everyone to have access to how we built the game, but for now keep an eye out for it at the upcoming events we’ll be at.
Two lucky winners of “Where’s Bit?” will receive invites to an upcoming Xbox triple A title launch event in Sydney in September (I can’t tell you what it is.. but it’s pretty damn cool.. wish I was going!)
Overall I was really happy with how the day went, and really pleased that we were able to support the organisers in their first sell-out year! Sydney developers care deeply about their personal development and being engaged with others in their community and the buzz on the day was hard to come down from once the day was over!
I’m always happy to take feedback or questions around Azure for developers – feel free to leave a comment below or to hit me up on Twitter if you have any.
We’ll be back in Sydney for NDC in September and YOW! in November – hope to see you there then!
๐
Keynote with Damian Brady on AI and ML.
Closing session – excess food was donated to OzHarvest.
This past weekend I was in Perth to attend DDD Perth as part of Microsoft’s sponsorship and thought I’d write up my experience.
For those of you unfamiliar with DDD (Developer! Developer! Developer!), it is a community-organised event that started in the United Kingdom in 2005 and has run in various cities in Australia over the last few years.
If you take a look through the published agenda for Perth for 2018 you will see a fantastic variety of content and speakers – ranging from deep tech through to personal well being – all voted for by the community. This is a clear guide that developers are looking far beyond what could be considered traditional interest areas and making the most of personal growth opportunities available at events like DDD.
I didn’t get a chance to take any photographs, but I’m sure the DDD Perth blog will post a bunch when the committee has recovered from running the event for 400+ people! What I can talk a bit about here though is the types of discussions I had at the Microsoft booth.
Are Azure Functions production-ready? Yes, they are. The confusion here stemmed from the ‘v1’ (production-ready) and the ‘v2’ (in-preview) versions of the runtime. This is a reminder to me that people not close to a platform often don’t get the subtleties and simply hear “not production ready” as the message.
How do I migrate between Azure Regions? Well… I could write an entire (never ending) series on the number of ways to achieve this! I will leave it at “it depends”….
What do I need to do to get a t-shirt, book or sticker? (Hint: play one of our games, give us feedback, join our OSS4Good project)
There were a lot of other discussions on the day with the team on the booth and we had our two games up and running (I’ll keep those under wraps for now as a surprise for others) as well as launching our Open Source for Good project which you can head over to Github to learn more about (if you’d like to get involved feel free to leave a comment below and we’ll invite you).
I tweeted how amazing this day was, and the organisers need to be proud to have built such an amazing and accessible event! If you didn’t get a ticket for this year, then I’d certainly keep an eye out for next year’s event.
If you live in the following cities then you’re in luck because your 2018 DDD is yet to happen. Sydney is up next on 18 August, so make sure to get your tickets soon!
I’ll be at these events so please drop by and say hello!
Sydney – Saturday 18 August – four tracks including a dedicated design and data track and a junior developer track.
The first IT job Iย had was training mature age students at college how to use PCs. While I was doing this I also wrote and delivered a course on how to build sites for the (new at the time) World Wide Web.
My work on the WWW course got me noticed by a business in London that was building websites for their customers. After joining them, one of the largest projects I worked on was the first website for Marks & Spencer which we developed using Active Server Pages (ASP) and hosted on Windows NT 4. We even ran a celebrity text chat session for M&S using Exchange 5.5’s chat service!
Clearly there have been a few years (my son: “yeah, like 10 billion years”) between the above and today, and I’ve done a lot of things in the interim: development, operations, delivery management and community organisation. But at my core I’ve always been a developer.
If you’ve read this far I am sure you’ve figured out that today I’m not solving a technical problem for you. ๐
So why am I reminiscing about times past? Well, really, I’m just calling back to where I started my career: helping people do more with technology, and particularly with new or unfamiliar technology.
Which leads me to the reason for this blog post.
I’m super excited to let everyone know that from August 2018 I’ll be joining Microsoft here in Australia as the Azure Pro Developer Lead, giving me the opportunity to return to my roots. I will be supporting developers in building their solutions on Azure using the platform’s wide range of innovative features, helping them move beyond Virtual Machines!
Azure enables rapid realisation of ideas you have and I want Australian developers to be empowered to deliver their ideas using Azure as their accelerator. I’m looking forward to starting and will see you at an event, at your office or over a coffee.
Happy Days ๐
Azure and Bit artwork from the talented Ashley McNamara. Thanks Ashley!
I also recently saw the below tweet which resonated with me around why I think Microsoft Azure is the best place for developers.
Given the recent announcement of the GA of Azure Kubernetes Service I thought I would take it for a spin in one of the new Regions it is now available in. I have previously deploy AKS in East US using the Azure Cloud Shell so didn’t expect to run into any issues. However, I hit a minor snag, which I’m documenting here in case you come across it too.
az group create --name rg-aks-01 --location westus2
az aks create –resource-group rg-aks-01 –name testaks01 –node-count 1 –generate-ssh-keys
The subscription is not registered for the resource type ‘managedClusters’ in the location ‘westus2’. Please re-register for this provider in order to have access to this location.
And this is the fix.
az provider register --namespace Microsoft.ContainerService
Registering is still on-going. You can monitor using ‘az provider show -n Microsoft.ContainerService’
Then a short while later I ran the ‘show’ command and can now see this service is available in all the new Regions for GA (snippet shown below).
If you run in an environment where you need to track changes to Tags on Resource Groups in Azure then you may find this PowerShell snippet useful as code to drop into a Runbook.
The snippet will enumerate all Resource Groups in a Subscription (we assume you are already logged into the Subscription you want to use) and then extract all Tags from each Resource Group and write the details to Azure Table Storage.
Once you run this snippet you will be able to use the data for reporting purposes, where each Resource Group’s Resource ID will be used as the Partition Key, with the Tag Name (Key) and the current Date / Time used as a Row Key. You now have a reporting source you can use in the likes of Power BI.
Over the years that I’ve been talking with public groups on cloud services, and Azure in particular, I will typically have at least one person in every group make a statement like this:
“Azure’s good, but the free tier isn’t as good as AWS.”
I’ve discussed this statement with groups enough times that I thought it would be good to capture my perspective on where Azure stands, provide some useful resources, and pose a question to those whose starting point is free services.
You want The Free? You can’t handle The Free!
When people talk about how a free tier isn’t that useful, typically what they are saying translates into is one of two scenarios:
The timeframe the free tier is offered for is not long enough for the person to achieve an acceptable learning outcome based on their time investment;
More commonly, the service limits are too low meaning the person cannot achieve an acceptable learning outcome before their credit runs outs (regardless of time).
The reality is, beyond basic scenarios (run a Virtual Machine, create a database), and where someone doesn’t have sufficient continuous time to allocate to their cloud environment, the more likely it is they will receive minimal value from free tier services.
Effective use of free tiers
So how to minimise these outcomes?
Be clear about what you want to achieve before you start a free tier subscription. If you don’t know *what* you want to do in advance you are likely to fritter away that free credit before you get to your eventual end goal. Additionally, if you know what you want to achieve then review the required cloud services you will use and determine if a free tier is going to provide you with sufficient resources to reach your goal.
Start with pre-built environments or quickstarts – find labs or similar that give you access to existing environments. Attend events that include credits as part of attendance and use those to achieve a goal. Look at tutorials and samples to find automation scripts / templates that can get you up and running quickly (but remember the previous tip – if you try to provision a ten node Kubernetes cluster will that actually succeed in a free tier? Would a one node cluster suffice to allow you to learn?)
All the cloud platforms will provide you with time-limited free tiers, with some services being offered as “always free” at certain low usage levels.
Azure has had free services trials or tiers in one way or another for some time. Traditionally, however it hasn’t offered a 12 month period, though fairly recently that’s changed and there is now an extended 12 month Free tier offering for Azure.
One Azure cloud… many ways to get ongoing credits
Where Azure does differ substantially from AWS in particular is in the number of offerings Azure has that get you access to Azure credits on ongoing basis, lifting you out of having to use just free tier services:
Microsoft Developer Network (MSDN) Azure Benefits – available as an add-on to existing MSDN subscribers (note: your organisation might not have access to this benefit depending on your licensing). This is an ongoing benefit while you pay for an MSDN subscription.
BizSpark Benefits – available to those who are leveraging the BizSpark programme for their business. Ongoing benefit while you are in the BizSpark program.
Azure for non-profits – go through the process to prove your status and gain access to Azure Credits.
Microsoft Azure Passes – typically when Microsoft runs training courses for Azure attendees will typically be provided with Azure credits in the form of an Azure Pass. We gave these away at the Global Azure Bootcamp this year. Time-limited offers (one to three months).
Investing in yourself or your idea
The reality of free tier services is they will only get you so far, whether the use you make of the cloud is to learn new concepts or to try an idea you have.
My take is this: if you aren’t prepared to invest your own money (i.e. I just want more free stuff) then you don’t put much value on your own education or idea.
If we had the cloud computing services we have now when the dotcom boom was happening we may well have seen a massively different outcome.
Startups wouldn’t have spent massive amounts of their funding on infrastructure and wasted months waiting for services to be provisioned before they even got to serving the first request.
Imagine if you had on-demand services when you were at school (maybe you still are) – the quality of your education would be improved by access to these sorts of services.
We are at a pivotal moment where we now have access to on-demand resources that a generation ago would have been unimaginable. If you are serious about an idea or personal development put your money where your brain is.
But I’m not an accountant!
Congratulations. Now you are! Didn’t hurt a bit either, did it?
It’s unavoidable for many of us that at some point it will come down to cost. I know there will be more than a few of you sitting there having previously paid a larger than expected cloud hosting bill. I bet you now manage those resources like a hawk. While this is a painful way to learn, you will have identified a key factor in how you design and run cloud native services.
Also, welcome to how businesses work – specifically how to control costs so they can remain viable. This is why your last request to the ops team for 10 servers was rejected, or why you had to finesse your design to fit into existing infrastructure constraints. ๐
So, where to next?
I highly recommend spending time familiarising yourself with services in the cloud too – avoid anti-patterns that will likely be where you will unexpectedly spend more money than you thought.
So, did I solve your problem? Make more of the Free? Unlikely I suspect.
Ultimately you need to consider that free tiers and services are designed as a taster, to get you thinking about how your could use those services for other things. While there are “always free” services, the reality is you will be unlikely to build the next Atlassian with it, but I’m pretty sure you can use them to pass exams or to get educated on cloud technology.
In this post I’m going to walk through how you can debug JWT-protected APIs where those JWTs are being issued by AAD B2C. Note that a lot of what I write here will probably be applicable in any scenario where you are working with JWTs as AAD B2C is standards compliant so any advice here can be applied elsewhere.
We aren’t going to get into the Identity Experience Framework (IEF) here because he’s a whole universe of detail beyond the basic policy engine we’ll cover here ๐
Your toolikit
Here’s the tools to get started with debugging.
Required tools:
A test AAD B2C tenant – a very strong recommendation *not* to use your production one!
Create a B2C Profile Edit Policy even if you never roll it out to customers. This policy can be invoked via the Azure Portal to allow you to initialise new profile attributes.
Use standard OAuth libraries in your clients
Microsoft has great first-party support for B2C with the Microsoft Authentication Library (MSAL) across multiple platforms, but as B2C is designed to be an OAuth2 compliant service so any library that supports the specification should work with B2C. Microsoft provides samples that show how libraries like AppAuth can be used.
Rolling out custom attributes
There is currently a limitation with B2C around rolling out new custom attributes. Until an attribute is referenced in at least once policy in your tenant the attribute isn’t available to applications that utilise Graph API. This is why I always create a profile edit policy even that I can add new custom attributes to and then invoke the policy via the Azure Portal to initialise the attribute.
Testing APIs
Create test users
This is where a service like Mailinator comes in handy – you can create multiple test users and easily access the email notifications sent by B2C to perform actions like initial account validation or password reset.
Note: free services like Mailinator may be good for simple testing, but you may have security or compliance requirements that mean it can’t be used. In that case consider moving to a paid tier or other services that provide secured mailboxes (a service like outlook.com).
Request Tokens – Test Client Application
Once you have one or more test users you can then use one of the following approaches to obtain test tokens to use when calling APIs.
If you aren’t using Postman to retrieve tokens to supply in API calls then you can use the test client application above (assuming you are developing on Windows – or at some future point when we get WPF ported to .Net Core :)) to request tokens for users in your test tenant.
Once you have the tokens you can copy them out and use them in Postman to make requests against your API by setting Authorization in Postman to use Bearer Tokens and then copying the value from the test tool into the ‘Token’ field.
If you’ve having issues with tokens being accepted by your API then you can leverage jwt.ms to review the contents of the token and see why it might be being rejected. A sample is shown below.
If you have access to the target API source code make sure to debug that at the same time to see if you can identify why the token is being rejected.
As a guide the common failure reasons will include: token expired (or not yet valid); scopes are incorrect (if used); incorrect issuer (misconfiguration of client or API where they are not from the same B2C tenant); invalid client or audience ID.
So there we are! I hope you found this post useful in debugging B2C APIs – I certainly wish that I’d had something to reference when I started developing with B2C! Now I do! ๐
This post covers an approach you can use to deploy compiled C# Functions using the tooling available in Visual Studio 2017 and various Build and Release Management Tasks contained in Visual Studio Team Services (VSTS).
I was lucky enough to speak with Damian Brady on the DevOps Labs show on Channel 9 and cover the first part of this blog. If you’ve watched that, or you’ve come here via the Github repository for the solution we used, then we’ll go down to the next level and really look at how you can recreate this setup in your environment.
1. Pre-requisites
There are a few moving pieces we need to get into place first in order to complete the configuration. Let’s take a look at those.
a. Connecting environments
Note that in order to complete these steps you may require elevated privileges in one or more of the mentioned services. If you do not have access to an admin-level account in any of the services you will likely need to ask someone to configure these for you.
> Github to VSTS
In our demonstration we’re using a Github repository as our source repository and allowing VSTS’ Build capability to perform Continuous Integration Builds when a commit occurs on the master branch. Microsoft has documented how to configure Github to connect with VSTS already, so go and take a read and head back here when you’re done setting up the integration.
> VSTS to Azure
We use the Azure Resource Manager Service Endpoint option in VSTS to configure our connection into Azure from VSTS. There is documentation from Microsoft around how you setup the connection, including steps to create a custom Service Principal (or use a pre-existing one your Azure admin has created for you). Once again, go have a read and once you have a working Service Endpoint in VSTS head back over here.
b. Configure SendGrid
If you’d like to run the Functions once deployed you will need to configure SendGrid so you can use the binding in the Functions being deployed. You can follow the official Azure documentation on setting up a (free) SendGrid account and then make sure to set the API key value for the AzureWebJobsSendGridApiKey App Setting for your deployed Functions.
c. Create target Azure Resources
Go ahead and also create a Function App in the Subscription you want to deploy to (ensure that the Service Principal you setup previously has Contributor-level access to, at minimum, the Resource Group that will contain the Function).
You can use the process we document here to deploy to either a Service Plan or Consumption Plan, though there is a minor difference we will see later in the post.
The Azure resources to deploy should include:
Application Insights
Cosmos DB Account – Add Database “quotedemo” with Collections “quotes” and “leases”
Function App (can be Consumption or Service Plan)
Storage Account (can be created at same time as Function App)
Before we move on, make sure to capture the following:
Application Insights Telemetry Key (shown on the ‘Essentials’ part of the Application Insights instance)
FUNCTIONS_EXTENSION_VERSION (most likely set to “~1”).
d. Configure Application Insights for Release Annotations
In this scenario we will need to enable the Application Insights API or order to support Release Annotations which make it possible to see new release markers on timelines.
Once again, Microsoft has this well documented, including the Task you need to add in VSTS to allow you to create Annotations.
OK! Now we are ready to configure the Build and Release Management steps in VSTS.
2. Configure the Build
In a Team Project in VSTS you wish to use host the Build and Release Management Definitions go ahead and create a new Build.
Remember to select Github as your source repository.
When you are prompted for a template, select the ASP.Net Core (.Net Framework) build.
If you want a Continuous Integration (CI) build then ensure you set the Trigger as required.
At this point we have a build that produces a packaged web application that can be pushed to the Azure App Service hosting the Function App. We could add more Tasks to the Build to do this, but we want to support multiple environments so this is where Release Management comes into play.
I recommend you run the Build to ensure it’s functional and to produce an artefact we can use in our next step.
3. Configure Release Management
Now we have a build that produces a build artefact we can now use VSTS Release Management (RM) to deploy and configure this artefact to any environment we can reach.
Let’s go ahead and choose to create a new Release Management Definition. When you have the option, select the “Azure App Service Deployment” template.
The resulting Definition will be very vanilla and contain a single Task. We need to make some changes to deploy our service exactly as we’d like.
a. Add the Build Artefact
First we need to tell Release Management what we want to deploy, so let’s go ahead and add our existing Build by clicking on the Artefacts box and selecting our Build as shown below.
If you wish to enable Continuous Deployment (CD) into Environments you can click on the lightning bolt on the Artefact and enable the CD trigger. Note that you can still stop automated deployments by putting in approvals or making deployments manual – by creating a Release you always have a build artefact to deploy.
b. Configure RM Tasks
This is where your previously completed configuration with the Azure Service Endpoint and in setting up the resources in Azure will come into play.
Click on the Tasks tab and the RM Definition will open.
Once open click on the Environment at the top of the Task list. As we are going to deploy all assets into a single Subscription we can set up a few items that will apply to all Tasks in the RM Definition.
The first thing we will do is to select the Service Endpoint we previously setup (below it is named “Service Principal for Demo”, but you can name it anything meaningful).
Once you select the method of connection to the Azure Subscription change the “App type” field to be “Function App” and then from the final picker, select the Function App instance you setup earlier. If you don’t see it, it could be that you placed it another subscription or that the Service Endpoint does not have sufficient rights to list the Function Apps in the Subscription.
Your setting should look something like the below.
We could deploy the sample code now, but it would fail to run because it is missing configuration.
c. Deploying configuration
You will notice that up until now we’ve not dealt with any of the runtime configuration settings for the Function. When you develop locally the Functions Tools in VSTS will generate a “local.settings.json” file, but it will be blocked from commit via the gitignore included in the project type. It’s recommended you don’t change this, and even if you it won’t help you on deployment anyway (so… y’know, why bother to change the ignore file?)
For this Task we are going to need to pull in a free Marketplace Task – the Azure WebApp Configuration from Pascal Naber (Xpirit). This Task is a wrapper around some Azure Cmdlets, but it does a great job of removing your overhead in managing that ๐
You will need to be a VSTS admin in order to install Marketplace Tasks (if you aren’t you can still request an admin to install them).
Once installed you can now add the Task to your Release Management Definition after the App Service Deployment (as shown below).
The Task expects any App Settings you need to deploy to be added as Variables to the Definition. So, for example, if we want to control the value we set for the ‘APPINSIGHTS_INSTRUMENTATIONKEY’ App Setting in our target Function we would create a Variable in our Release called ‘appsetting.APPINSIGHTS_INSTRUMENTATIONKEY’ and set the value to be the Telemetry Key we captured earlier in the post.
The beauty of this approach is that you can one-way save secrets and they won’t show up (or be recoverable) via the Variables tab again. There is also an option to write them to Azure Key Vault if you want.
Below is a sample of the Variables once setup.
The eagle-eyed amongst you might spot that I am also setting default Function values (FUNCTIONS_EXTENSION_VERSION, AzureWebJobsStorage, AzureWebJobsDashboard for a Service Plan).
This is because I force the Application Settings Task to overwrite all existing values in the App Service. This is on purpose – it ensures no manual fixes are ever safe in Azure and our Release Management Definition is the source of truth for both the Artefact and the Configuration.
Note: For Consumption Plans make sure you set WEBSITE_CONTENTAZUREFILECONNECTIONSTRING, WEBSITE_CONTENTSHARE in addition to the above values. If you don’t your deployment will fail after the first deployment (this is the source of the error in the video).
The full set of Variables for our sample is listed below.
Common Variables
AppInsightsApiKey – API key you configured earlier for Application Insights (*not* Telemetry Key).
AppInsightsApp – Application ID configured earlier for Application Insights (also not Telemetry Key).
appsetting.APPINSIGHTS_INSTRUMENTATIONKEY – use telemetry key from Application Insights.
appsetting.AzureWebJobsDashboard – use exiting value from Function (before first deployment).
appsetting.AzureWebJobsSendGridApiKey – use SendGrid API key you setup earlier (should start ‘SG.’).
appsetting.AzureWebJobsStorage – use exiting value from Function (before first deployment).
appsetting.CosmosConnection – use Connection String from Cosmos Account you setup earlier.
appsetting.FUNCTIONS_EXTENSION_VERSION – use exiting value from Function (before first deployment).
appsetting.NotificationsSender – use an email address you control (to be used as From: in emails).
Service Plan deployment
None: above list is all you need
Consumption Plan deployment
appsetting.WEBSITE_CONTENTAZUREFILECONNECTIONSTRING – use exiting value from Function (before first deployment).
appsetting.WEBSITE_CONTENTSHARE – use exiting value from Function (before first deployment).
Once you’ve configured the Variables you should now be able to save the Release Management definition and create a Release to test out your deployment.
I’ve recorded a quick video (see below) that shows this end-to-end and also has an additional bonus step of hitting an HTTP Triggered endpoint on the Function as a post-deployment confirmation step (you will need to copy a Host key from the Function App and save it as ‘VersionApiKey’ in the Variable to use to call the API, then add the Smoke Web Test Task from the Marketplace).
So what should the demo Function do? It should trigger an email to a recipient when a record is added to Cosmos DB. The recipient is listed in the record that is inserted, samples of which are included in the Github project. If you can’t get it running make sure to leave a comment and I’ll help you out!
