Mastering Azure Managed Applications
Hands on workshop
Julio Colon, Senior Software Engineer
David Starr, Principal Software Engineer
Microsoft Code of Conduct
Microsoft’s mission is to empower every person and every organization on the planet to achieve more. This includes all
Microsoft events and gatherings, including on digital platforms, where we seek to create a respectful, friendly, fun and
inclusive experience for all participants.
We expect all digital event participants to uphold the principles of this Code of Conduct, which covers the main digital
event and all related activities. We do not tolerate disruptive or disrespectful behavior, messages, images, or
interactions by any party participant, in any form, at any aspect of the program including business and social activities,
regardless of location.
Microsoft will not tolerate harassment or discrimination based on age, ancestry, color, gender identity or expression,
national origin, physical or mental disability, religion, sexual orientation, or any other characteristic protected by
applicable local laws, regulations, and ordinances.
We encourage everyone to assist in creating a welcoming and safe environment. Please report any concerns, harassing
behavior, suspicious, or disruptive activity to Business Conduct Hotline (1-877-320-MSFT or [email protected]).
Microsoft reserves the right to refuse admittance to or remove any person from Microsoft Build at any time at its sole
discretion.
Topics
• Azure Managed Applications
• Artifacts
• Partner Center
• Integrating VM Offers
• Metered Billing
• Custom UX
• Managing Customer Deployments
• Advanced Deployment Scenarios
• Test your knowledge
• Managed Identities
• And more…
Engagement
Put questions into chat at any time
Speakers will monitor chat as we go
Links on slides will be posted to chat
Please hold verbal questions until breaks or labs
Azure Applications
• A type of offer in the Azure Marketplace
• Deployed via ARM templates into the customer subscription
• Custom installation UX for customer
Types of Azure Applications
Azure Solution Application
• Deploys into customer tenant
• Customer owns and maintains it
• The publisher has no maintenance to do on the application
• Not transactable in the Azure Managed Application
Azure Managed Application
• Deploys to customer subscription
• Publisher owns and maintains it
• The publisher controls the rights the customer has to the solution services
• Transactable in the Azure Managed Application
Service Catalog Deployment (diagram): Service catalog → Managed App definition → Package file in Storage account → Azure Managed Application
Azure Managed Applications
What is a Managed Application?
A type of Azure Application
Maintenance of deployed resources is the publisher’s responsibility
Resources are deployed to a resource group managed by the publisher
2 Types – Internal and external
Internal vs. External
Internal: used for enterprise deployments; deployed via the Service Catalog
External: used for public offers; deployed via the Azure Marketplace
Why use a Managed Application?
• Protect IP
• Control environment updates
• Manage customer permissions on resources created in their subscription
• Enable different deployments based on different plans
Managed Application components
• Managed Resource Group (MRG)
• Application Resource Group
• Security Group (SG)
• Service Principal (SP)
Purchasing a Managed App
https://azuremarketplace.microsoft.com/ https://portal.azure.com/
Purchasing a Managed App – Buyers’ View
Demo: Purchasing an Azure Managed Application
Publish – Publishers’ View
1. Create Offer
2. Create Plan
3. Select Technical Configuration
4. Open Package Details
5. Add Package.zip
6. Review & Publish
Demo: Creating an Azure Managed Application offer in Partner Center
Azure Marketplace – Managed Application overview (diagram): an Offer with Platinum, Gold and Silver Plans provisions into the Customer’s Subscription. The Managed Application Resource Group holds the Managed Application; the Managed Resource Group is where the publisher holds Contributor and the Customer holds */read. Tenancy and isolation.
10 Minute Break
Help us make this valuable for you!
Start of class survey
https://forms.office.com/r/FT1wVjS38H
Azure Managed Application artifacts
Managed Application deployment package (application.zip package file):
• mainTemplate.json – ARM file that creates Azure resources
• createUiDefinition.json – Customizes the installation screens for users; feeds its output to the ARM file
• viewDefinition.json – Customizes the Managed Application UX
ARM Templates
Infrastructure as code
Deploy Azure resources from declarative JSON files
May be checked into version control
mainTemplate.json – The ARM Template
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/...#",
  "contentVersion": "1.0.0.0",
  "parameters": { … },
  "variables": { … },
  "resources": [ … ],
  "outputs": { … }
}
createUiDefinition.json
Defines the installation experience for the customer
Creates an install “wizard” for the customer for installing the Managed Application
createUiDefinition.json sandbox: https://portal.azure.com/#blade/Microsoft_Azure_CreateUIDef/SandboxBlade
Demo: Creating the application package
Hands On Lab 1
aka.ms/AMAWorkshopLabs
When you finish the lab, please raise your hand in Teams.
Using Partner Center to publish your offer
The Partner Center portal
• Publish offers on the Azure Marketplace and AppSource
• Works with many different offer types
• View Marketplace Subscriptions
• Bill and get paid
Partner Center Summary Reports
Summary reports: Orders, Customers, Usage
Marketplace insights: Views across countries
Billing Options
Microsoft Commercial Marketplace billing types (matrix of offer type × billing type × storefront)
Offer types: Virtual Machine; Azure Apps (Multi-VM); Container Image; Consulting & Managed Services; SaaS App; Office 365; Dynamics 365; PowerApps
Billing types: List (Contact); List (Trial); Free; BYOL; Transact
Storefront: AppSource; Azure Marketplace; Both
PaaS Monetization
|               | Virtual Machine               | Azure Apps (Multi-VM)                                        | SaaS App                                                  |
| Billing Cycle | Monthly *                     | Monthly *                                                    | Monthly or Annual *                                       |
| Pricing Model | Consumption per core/per hour | Managed Apps: optional flat rate; Both: leverage VM pricing  | Flat-rate; Per-user; Consumption-based (metered event)    |
| Trial Options | 1-month or 3-months           | Leverages VM pricing                                         | 1-month                                                   |
Changing Plan Pricing
A plan’s price is immutable
To “upgrade” one must purchase a different plan
A plan may deploy its resources incrementally
What are Azure Marketplace Meters?
• Consumable
• Meter ID
• Unit of Measure
• Quantity
• Report: 1 per hour, or 1 per day (batch)
Example meters:
• m_parking: $1/hour; 2 hours → 2 units → $2
• m_charger: 100W included + $1/W extra; 200W → 100 units → $100
AMA offer Pricing Options: Metered
| Pricing Option | Description | Example Plans for an Offer |
| Variable | Consumption based on variable usage. | Plan A – Number of Transactions $0.12/transaction |
| Fix + Variable | Consumption based on a fixed amount, plus variable usage. | Plan B – Basic $25/Month (2000 transactions included) + $0.10/transaction |
| Multi-Dimension | Consumption based on multiple dimensions. Up to 10 dimensions allowed. | Plan C – Basic (Picture Send/Picture Received/Bandwidth(Mb)): D1 – Picture Send $0.10/unit; D2 – Picture Received $0.12/unit; D3 – Per Megabit Send $0.25/unit |
| Multi-Dimension Fix + Variable | Combination of a fixed price and multi-dimension based consumption. | Plan D – Basic $10/Month (1000 Pictures Send, 1000 Received and 100 Megabits) + Picture Send/Picture Received/Bandwidth(Mb): D1 – Picture Send $0.10/unit; D2 – Picture Received $0.12/unit; D3 – Per Megabit Send $0.25/unit |
Metered: Basic / Metered: Multi-Dimension Fix + Variable (architecture diagram): the Azure App consists of the ARM Template (mainTemplate.json), the Azure Portal UI Definition (createUiDefinition.json), the Azure Portal View Definition (viewDefinition.json, * optional), VM Offer(s) and Azure Services. A Meter Service inside the deployment sends metering to the Marketplace Billing API (once certified).
Getting Publisher Support
Azure Marketplace Offers and Assets (Publisher Guide)
Common to all offer types:
• Marketing Assets: Offer Images/Icons; Offer Description; Offer Category/SEO; Offer Documentation (Videos and Docs.)
• Lead Management: define how you want to manage the offer leads: Table Storage; Dynamics CRM Online; HTTPS endpoint; Marketo; Salesforce
• Legal Documents: Privacy Policy; Terms of Use
• Support Information: Engineering Contacts; Customer Support; Support URLs
Per offer type:
| Offer Type | Publishing TaT | Technical Assets | Technical Requirements |
| Virtual Machines | 24 Hours | Virtual Hard Disk (VHD) | Virtual Machine VHD |
| Azure Apps (Solution Template) | 7 Days | ARM Template; UI Definition File; Resources (libraries, scripts, runtimes, etc…) | ARM Template; UI Definition File |
| Azure Apps (Managed Apps) | 7 Days | ARM Template; UI Definition File | Security Principal to Manage the Offer |
| Azure Apps (HDInsight) | 7 Days | ARM Template; UI Definition File | |
| SaaS Apps | 12 Hours | Free/Trial: None; Transact: Billing API | Integration with Azure Active Directory |
| Containers | 48 Hours | Container | Container Image; Azure Container Registry (ACR) Credentials |
| IoT Edge Modules | 48 Hours | Container | Container Image; Azure Container Registry (ACR) Credentials |
TaT – Turn Around Time
Getting Publisher Support: http://aka.ms/MarketplacePublisherSupport
Hands On Lab 2
aka.ms/AMAWorkshopLabs
When you finish the lab, please raise your hand in Teams.
Integrated VM Offers
Integrated VM Model (diagram): the Azure Managed Application is made up of the ARM Template (mainTemplate.json), the UI Definition (createUiDefinition.json), the View Definition (viewDefinition.json, * optional), Azure Services and one or more VM Offers. Each VM Offer (hidden) is a VM Template (.vhd) built from a Base VM (Azure or Customer .vhd) plus the App Code (binaries). A Meter Service sends usage to the Marketplace Billing API (once certified).
Creating the VM Technical Assets
Building the VM Image: build the VM Image that will be used as a base for the Offer. You can use an MS Stock image or build your own custom image.
Open Ports: define the Open Ports you want to have in the Offer.
(Optional) Data Disk Images: for each VM, you can attach up to fifteen (15) Data disks.
Referencing a VM Offer
30 Minute Lunch Break
Start back up at 01:05 PST
Deployment Workflow
Azure Marketplace – Data Sharing Pilot Architecture (diagram). Publisher Subscription: Offer 1 (Plan 1, Plan 2) and Offer 2 (Plan 1); Shares 1, 2 and 3 built from Data Sets in a Raw Data Resource Group; a Webhook and an Azure Function; a Data Share Resource Group with the Data Share service. Consumer Subscription: a Consumer Managed Resource Group, with a Provider Managed Resource Group per share holding the Data Share service, the Share Subscription and the Share Snapshot.
Security (webhook sequence diagram): Customer provisions AMA → AMA and managed resources deploy → Webhook is called with status → Webhook returns 200; the status call and 200 reply repeat for each lifecycle event.
Deployment Status Notifications (Webhook)
• Called by the Azure Managed Application deployment process
• Communicates application status to an endpoint
• Stops when it reads a 200 response from the endpoint
Succeeded notification:
POST https://{your_endpoint_URI}/resource?{optional_parameter}={optional_parameter_value}&sig=Guid HTTP/1.1
{
  "eventType": "PUT",
  "applicationId": "/subscriptions/<subId>/resourceGroups/<rgName>/providers/Microsoft.Solutions/applications/<applicationName>",
  "eventTime": "2019-08-14T19:20:08.1707163Z",
  "provisioningState": "Succeeded",
  "billingDetails": { "resourceUsageId": "<resourceUsageId>" },
  "plan": { "publisher": "publisherId", "product": "offer", "name": "skuName", "version": "1.0.1" }
}
https://docs.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/publish-notifications
Failed notification:
POST https://{your_endpoint_URI}/resource?{optional_parameter}={optional_parameter_value} HTTP/1.1
{
  "eventType": "PUT",
  "applicationId": "/subscriptions/<subId>/resourceGroups/<rgName>/providers/Microsoft.Solutions/applications/<applicationName>",
  "eventTime": "2019-08-14T19:20:08.1707163Z",
  "provisioningState": "Failed",
  "billingDetails": { "resourceUsageId": "<resourceUsageId>" },
  "plan": { "publisher": "publisherId", "product": "offer", "name": "skuName", "version": "1.0.1" },
  "error": {
    "code": "ErrorCode",
    "message": "error message",
    "details": [ { "code": "DetailedErrorCode", "message": "error message" } ]
  }
}
Webhook: Events in the Azure Managed Application lifecycle
| EventType | ProvisioningState | Trigger for notification |
| PUT | Accepted | Managed resource group has been created and projected successfully after application PUT (before the deployment inside the managed resource group is kicked off). |
| PUT | Succeeded | Full provisioning of the managed application succeeded after a PUT. |
| PUT | Failed | Failure of PUT of application instance provisioning at any point. |
| PATCH | Succeeded | After a successful PATCH on the managed application instance to update tags, JIT access policy, or managed identity. |
| DELETE | Deleting | As soon as the user initiates a DELETE of a managed app instance. |
| DELETE | Deleted | After the full and successful deletion of the managed application. |
| DELETE | Failed | After any error during the deprovisioning process that blocks the deletion. |
Upgrading plans
Upgrade my plan: I purchased the “Silver” plan previously; I want to upgrade to the “Gold” plan
Complete or incremental deployments
Complete:
• Deploys all resources defined in ARM
• If selected resource group exists, destroys it and re-installs
• Replaces all resources
Incremental:
• If selected resource group exists, deploys only new resources
• Will not overwrite existing resources
• Deploys to the same RG as the original solution
Managing Customer Deployments
Allowing Just In Time (JIT) Access
• Currently in preview
• Give consumers greater control over access to managed resources
• Publisher sends a request for access to troubleshoot or update the managed resources
• JIT is configured per plan
Azure Lighthouse: Manage your customer Managed Applications
Metered Billing
Metered: Multi-Dimension Fix + Variable
Metering Usage
POST https://marketplaceapi.microsoft.com/api/usageEvent?api-version={{ApiVersion}}
Content-Type: application/json
Authorization: Bearer {{access_token}}
{
  "resourceId": "Identifier of the resource against which usage is emitted",
  "quantity": 5.0,
  "dimension": "Dimension identifier",
  "effectiveStartTime": "Time in UTC when the usage event occurred",
  "planId": "Plan associated with the purchased offer"
}
200 Response
{
  "usageEventId": "Unique identifier associated with the usage event",
  "status": "Accepted",
  "messageTime": "Time this message was created in UTC",
  "resourceId": "Identifier of the resource against which usage is emitted",
  "quantity": 5.0,
  "dimension": "Dimension identifier",
  "effectiveStartTime": "Time in UTC when the usage event occurred",
  "planId": "Plan associated with the purchased offer"
}
Metering Batch Usage
POST https://marketplaceapi.microsoft.com/api/batchUsageEvent?api-version={{ApiVersion}}
Content-Type: application/json
Authorization: Bearer {{access_token}}
200 Response
{
  "count": 2,
  "result": [
    {
      "usageEventId": "Unique identifier associated with the usage event",
      "status": "Accepted|Expired|Duplicate|Error|ResourceNotFound|ResourceNotAuthorized|InvalidDimension|BadArgument",
      "messageTime": "Time this message was created in UTC",
      "resourceId": "Identifier of the resource against which usage is emitted",
      "quantity": 5.0,
      "dimension": "Dimension identifier",
      "effectiveStartTime": "Time in UTC when the usage event occurred",
      "planId": "Plan associated with the purchased offer",
      "error": "Error object (optional)"
    },
    …
  ]
}
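Added example (not from the workshop or from Microsoft's metering samples): a small client for the usage APIs above. It validates each event against the plan's dimensions before sending, keeps the bearer token out of everything but the Authorization header, and sorts the per-event statuses of a batchUsageEvent response into what to do next (done, fix the payload, check authorization, or retry). The HTTP call is injected, so the canned transport, application ID, plan and dimension names are constructed values; the batch body shape {"request": [...]} is taken from the public API docs rather than this page.

```python
import json
from datetime import datetime, timezone
from typing import Callable, Dict, List, Tuple

API_VERSION = "2018-08-31"  # same api-version as the PowerShell sample on this page
BATCH_URL = f"https://marketplaceapi.microsoft.com/api/batchUsageEvent?api-version={API_VERSION}"
# Result statuses from the batchUsageEvent response above, grouped by what the publisher does next.
STATUS_GROUP = {
    "Accepted": "done", "Duplicate": "done",          # Duplicate: already recorded, never re-send
    "Expired": "fix", "InvalidDimension": "fix", "BadArgument": "fix",  # payload problem on our side
    "ResourceNotFound": "unauthorized", "ResourceNotAuthorized": "unauthorized",  # wrong app or token
    "Error": "retry",                                  # service-side failure: re-send unchanged
}
# transport(url, headers, body) -> (http_status, parsed_json); injected so this runs offline
Transport = Callable[[str, Dict[str, str], bytes], Tuple[int, dict]]


def usage_event(resource_id: str, dimension: str, quantity: float, effective_start: datetime,
                plan_id: str, plan_dimensions: List[str]) -> dict:
    """Build one usage event with the fields shown above, rejecting bad input before it is sent."""
    if quantity <= 0:
        raise ValueError("quantity must be positive")
    if dimension not in plan_dimensions:
        raise ValueError(f"dimension {dimension!r} is not defined for plan {plan_id!r}")
    if effective_start.tzinfo is None:
        raise ValueError("effectiveStartTime must be timezone-aware so it can be sent as UTC")
    return {"resourceId": resource_id, "quantity": float(quantity), "dimension": dimension,
            "effectiveStartTime": effective_start.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "planId": plan_id}


def post_batch(events: List[dict], access_token: str, transport: Transport) -> Dict[str, List[dict]]:
    """POST a batchUsageEvent and sort each result into done / fix / unauthorized / retry.

    The bearer token is placed only in the Authorization header and is never logged or returned.
    Assumption (public API docs, not this page): the batch body wraps the list as {"request": [...]}.
    """
    headers = {"Content-Type": "application/json", "Authorization": f"Bearer {access_token}"}
    status, payload = transport(BATCH_URL, headers, json.dumps({"request": events}).encode())
    if status != 200:
        raise RuntimeError(f"batchUsageEvent returned HTTP {status}")
    groups: Dict[str, List[dict]] = {"done": [], "fix": [], "unauthorized": [], "retry": []}
    for result in payload.get("result", []):
        group = STATUS_GROUP.get(result.get("status"), "retry")  # unknown status: retry, never drop
        groups[group].append({k: result.get(k) for k in ("dimension", "quantity", "status", "error")})
    return groups


# Constructed sample (hypothetical IDs): two events for a plan with Plan C's three dimensions
APP_ID = "/subscriptions/<subId>/resourceGroups/<rgName>/providers/Microsoft.Solutions/applications/<app>"
PLAN_C = ["PictureSend", "PictureReceived", "Bandwidth"]
SAMPLE_TIME = datetime(2019, 8, 14, 19, 0, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [usage_event(APP_ID, "PictureSend", 5.0, SAMPLE_TIME, "planC", PLAN_C),
                 usage_event(APP_ID, "Bandwidth", 12.5, SAMPLE_TIME, "planC", PLAN_C)]


def canned_transport(url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, dict]:
    """Stand-in for the HTTPS call: echoes the page's response shape, rejecting the second event."""
    assert headers["Authorization"].startswith("Bearer ")
    sent = json.loads(body)["request"]
    return 200, {"count": len(sent), "result": [
        {**sent[0], "usageEventId": "evt-1", "status": "Accepted"},
        {**sent[1], "usageEventId": "evt-2", "status": "Expired", "error": {"code": "Expired"}}]}
```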
Emitting a meter using the REST APIs
https://github.com/microsoft/commercial-marketplace-managed-application-metering-samples
# Get an ARM token for the VM's managed identity from the Instance Metadata Service (IMDS)
$managementTokenUrl = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F"
$Token = Invoke-RestMethod -Headers @{"Metadata" = "true"} -Uri $managementTokenUrl

# Get the Subscription ID and resource group of this VM from IMDS
$metadataUrl = "http://169.254.169.254/metadata/instance?api-version=2019-06-01"
$metadata = Invoke-RestMethod -Headers @{'Metadata' = 'true'} -Uri $metadataUrl

# Get AMA details: the managed resource group's managedBy property is the managed application ID
$Headers = @{}
$Headers.Add("Authorization", "$($Token.token_type) $($Token.access_token)")
$managementUrl = "https://management.azure.com/subscriptions/" + $metadata.compute.subscriptionId + "/resourceGroups/" + $metadata.compute.resourceGroupName + "?api-version=2019-10-01"
$resourceGroupInfo = Invoke-RestMethod -Headers $Headers -Uri $managementUrl
$managedappId = $resourceGroupInfo.managedBy

# Get a Marketplace token for the same identity (the resource is the Marketplace Metering API application ID)
$marketplaceTokenUrl = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=20e940b3-4c77-4b0b-9a53-9e16a1b010a7"
$marketplaceToken = Invoke-RestMethod -Headers @{"Metadata" = "true"} -Uri $marketplaceTokenUrl

# Build the usage event; effectiveStartTime is 65 minutes ago, expressed in UTC to match the trailing "Z"
$lastHourMinusFiveMinutes = (Get-Date).ToUniversalTime().AddMinutes(-65).ToString("yyyy-MM-ddTHH:mm:ssZ")
$body = @{ 'resourceUri' = $managedappId; 'quantity' = 15; 'dimension' = 'dim1'; 'effectiveStartTime' = $lastHourMinusFiveMinutes; 'planId' = 'userassigned' } | ConvertTo-Json

# Post the meter
$Headers = @{}
$Headers.Add("Authorization", "$($marketplaceToken.token_type) $($marketplaceToken.access_token)")
$response = Invoke-RestMethod 'https://marketplaceapi.microsoft.com/api/usageEvent?api-version=2018-08-31' -Method 'POST' -ContentType "application/json" -Headers $Headers -Body $body -Verbose
Calling Metering Operations in C#
Response<BatchUsageEventOkResponse> PostBatchUsageEvent( ... );
Task<Response<BatchUsageEventOkResponse>> PostBatchUsageEventAsync( ... );
Response<UsageEventOkResponse> PostUsageEvent( ... );
Task<Response<UsageEventOkResponse>> PostUsageEventAsync( ... );
Customizing the Managed Application UI and Behavior
viewDefinition.json
Customize the Managed Application itself
Add functionality to the Azure Managed Application
Customized Managed Application
{
  "$schema": "https://raw.githubusercontent.com/Azure/azure-resource-manager-schemas/master/schemas/viewdefinition/0.0.1-preview/ViewDefinition.json",
  "views": [
    { "kind": "Overview", ... },
    { "kind": "Metrics", ... },
    { "kind": "CustomResources", ... }
  ]
}
Demo: Customizing Managed App functionality with viewDefinition.json
Hands On Lab 3
aka.ms/AMAWorkshopLabs
When you finish the lab, please raise your hand in Teams.
Advanced Deployment Scenarios
Storage Provider (diagram): Compute Devices on the Data Plane transfer data (1. Data Transfer) to the Managed Application; on the Control Plane, a Util/Billing Service reports usage (2. Report Usage) to a Metrics Repo and sends Marketplace Meters hourly (3. Send Marketplace Meters (hourly)).
IoT (diagram): IoT Devices talk to the Managed Application through an Authorization Service; the Util/Billing Service records usage in the Metrics Repo and sends Marketplace Meters hourly (3. Send Marketplace Meters (hourly)).
Delegated Managed Identities
{
  "type": "Microsoft.Authorization/roleAssignments",
  "apiVersion": "2014-10-01-preview",
  "name": "[guid(resourceGroup().id)]",
  "dependsOn": [
    "[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('vm_name'))]"
  ],
  "properties": {
    "roleDefinitionId": "[variables(parameters('roleType'))]",
    "delegatedManagedIdentityResourceId": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('vm_name'))]",
    "principalId": "[reference(concat('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('msi_name'))).principalId]",
    "scope": "[variables('scope')]"
  }
}
Containers (diagram): the Managed Application contains a Util/Billing Service, an Authorization Service, a Metrics Repo and a Private Container Registry; containers run on a Virtual Machine with a Container Runtime. 1. Register the Customer Private Container Registry; 2. Pull CIS Container Images; 3. Run the Images; metered usage is per hour / per day; 6. Send Marketplace Meters (hourly).
Custom Resources and Resource Providers
The feature is in preview
Only available in select regions
Works via Service Catalog today
Possible in AMAs today, but requires Swagger integration with Azure APIs
https://docs.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/tutorial-create-managed-app-with-custom-provider?tabs=azurecli-interactive
Azure Resource Providers (diagram): PowerShell | Azure CLI | Azure Portal → Azure Resource Manager (ARM) → Azure Resource Providers over REST, addressed by Subscription and Resource Group, for example:
/Microsoft.Storage/storageAccounts/{accountName}?api-version=2018-02-01
Custom Azure Resource Providers (diagram): PowerShell | Azure CLI | Azure Portal → Azure Resource Manager (ARM) → Custom Resource Providers over REST, addressed by Subscription, Managed Resource Group and Custom Resource, for example:
/Microsoft.CustomProviders/resourceProviders/{resourceProviderName}?api-version=2018-09-01-preview
Service Catalog Deployment (diagram): Service catalog → Managed App definition → Package file in Storage account → Azure Managed Application
Demo: Custom Resource Providers
Help us improve the workshop!
End of class survey: https://forms.office.com/r/zNKRp40ULA
Hands On Lab 4
aka.ms/AMAWorkshopLabs
When you finish the lab, please raise your hand in Teams.
Managed Identities
Managed Identities – Why?
• Security
• Eliminate managing credentials
• Credentials are not accessible
• Advantages
• AAD required
• No cost
Managed Identities
• System Assigned Identity
• User Assigned Identity
https://docs.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/publish-managed-identity
• Application Settings
• Managed Application Settings
Managed Identities – CustomUIDefinition.json
{
  "name": "appIdentity",
  "type": "Microsoft.ManagedIdentity.IdentitySelector",
  "label": "Managed Identity Configuration",
  "toolTip": {
    "systemAssignedIdentity": "Grant the managed application access to additional existing resources.",
    "userAssignedIdentity": "Grant the managed application access to additional existing resources."
  },
  "defaultValue": {
    "systemAssignedIdentity": "Off"
  },
  "options": {
    "hideSystemAssignedIdentity": false,
    "hideUserAssignedIdentity": false,
    "readOnlySystemAssignedIdentity": false
  },
  "visible": true
}
Resources & Closing
Solution Templates Resources and Documentation
| Topic | Description | Links |
| Azure Templates Quick Starts | Bootstrap samples | https://github.com/Azure/azure-quickstart-templates |
| Best Practices | ARM Template Guide | https://github.com/Azure/azure-quickstart-templates/blob/master/1-CONTRIBUTION-GUIDE/best-practices.md |
| Template Validation Tool | Pre-certification tool | https://github.com/Azure/azure-quickstart-templates/tree/master/test/template-validation-tests |
| Template Deployment Scripts | Resource Groups Deployment Scripts Samples | https://github.com/Azure/azure-quickstart-templates/blob/master/Deploy-AzureResourceGroup.ps1 ; https://github.com/Azure/azure-quickstart-templates/blob/master/az-group-deploy.sh |
| UI Testing | SideLoad Scripts: Testing UI without publishing | https://github.com/Azure/azure-quickstart-templates/blob/master/SideLoad-CreateUIDefinition.ps1 ; https://github.com/Azure/azure-quickstart-templates/blob/master/sideload-createuidef.sh |
| Template Reference Docs | Reference Guide | https://docs.microsoft.com/en-us/azure/templates/ |
| CreateUIDefinition Docs | Azure Portal | https://docs.microsoft.com/en-us/azure/managed-applications/create-uidefinition-functions |
| Template Language Expressions | ARM Functions Guide | https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-template-functions |
| Azure PowerShell | Azure PowerShell Module | https://docs.microsoft.com/en-us/powershell/azure/install-azurerm-ps?view=azurermps-5.7.0 |
| Azure CLI | Azure Command Line | https://docs.microsoft.com/en-us/cli/azure/?view=azure-cli-latest |
| Visual Studio Code Extension | ARM Template Formatter | https://marketplace.visualstudio.com/items?itemName=msazurermtools.azurerm-vscode-tools |
Marketplace Sample Code and Examples: https://aka.ms/marketplacesamples