What's New in Azure for Developers


Shifting Things to the Left

  • Shift left = do things earlier in the dev process
    • Testing
    • Security
    • Deployment

As developers, we have to learn more about security

Azure Virtual Networks

  • Similar to a traditional network, but in Azure
    • Address space, subnets
    • VNets can be connected through VNet Peering
    • Network Security Rules (NSGs) filter traffic to/from VNets
    • Can be connected to an on-premises network using VPN Gateway
  • Private Endpoints bring Azure PaaS offerings into your VNet
    • Optionally, make your own services available through PEs
  • Private DNS for managed DNS services inside VNet

Limit network accessibility of services to a minimum

Challenges

  • Limited knowledge about networking in dev teams

    • Traditionally, devs did not care so much about firewalls, proxies, routers, DNS, address ranges, etc.

  • Troubleshooting challenges

    • How to access resources not accessible via Internet?

    • VPN hard to get right especially in larger enterprises

    • Azure Bastion might be a possible solution. Challenge: VMs

  • It is always DNS! 😅

Azure DNS Private Resolver

  • Query Azure DNS private zones from an on-premises environment and vice versa

    • Important for scenarios with Azure VNets, Private Endpoints, and Enterprise VPN Gateways

    • Previously: Manage your own DNS solution based on VMs

  • New solution is fully managed, no VMs needed

  • Currently in public preview

Demo
Time!

ssh rainer@20.101.140.92

dig rsmanagedstorage.blob.core.windows.net
    # Returns public IP of storage
dig @10.0.200.4 rsmanagedstorage.blob.core.windows.net
    # 10.0.200.4 is inbound interface of Private DNS Resolver
    # Returns private IP of storage

sudo vim /etc/netplan/50-cloud-init.yaml
    # add nameservers: addresses: [10.0.200.4]
sudo netplan apply
dig rsmanagedstorage.blob.core.windows.net
    # Returns private IP of storage

Azure Front Door

  • Integrated Routing, CDN, and security solution
    • Caching
    • Web Application Firewall
    • Reverse Proxy
  • "Front door" to static and dynamic assets
  • Premium tier supports Private Endpoints
  • Greatly simplified pricing
    • Now affordable even in smaller projects

Demo
Time!

https://pingpong-fga4hxg0dfbghmdj.z01.azurefd.net/api/PingPong?name=Rainer
https://pingpong-fga4hxg0dfbghmdj.z01.azurefd.net/images/itv.gif

Workload identity federation 🔒🔑

Token Exchange

  • Goal: Turn external JWT into AAD token
  • Use AAD token to access AAD-protected Azure resources
  • Examples: GitHub, Google Cloud, K8s

Demo
Time!

GitHub Actions -> Azure
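
The token exchange for the GitHub Actions case, as an added example that is not part of the original slides: it checks an external JWT's `iss`, `sub` and `aud` claims against a federated credential and builds the request that presents the JWT to AAD in place of a client secret. The repository name, tenant and client IDs, and both tokens are constructed placeholders, and the exact-match comparison is a simplified model of the check AAD performs after verifying the signature.

```python
import base64
import json
from urllib.parse import urlencode

# Federated credential on the AAD app registration (constructed sample values).
FEDERATED_CREDENTIAL = {
    "issuer": "https://token.actions.githubusercontent.com",
    "subject": "repo:example-org/example-repo:ref:refs/heads/main",
    "audience": "api://AzureADTokenExchange",
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_jwt(sub: str) -> str:
    """Build a constructed token with a dummy signature, for offline use only."""
    claims = {"iss": FEDERATED_CREDENTIAL["issuer"], "sub": sub,
              "aud": FEDERATED_CREDENTIAL["audience"]}
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return ".".join([header, _b64url(json.dumps(claims).encode()), _b64url(b"dummy")])

# Constructed tokens: a push to main, and a pull request run of the same repo.
MAIN_TOKEN = make_sample_jwt("repo:example-org/example-repo:ref:refs/heads/main")
PR_TOKEN = make_sample_jwt("repo:example-org/example-repo:pull_request")

def jwt_claims(token: str) -> dict:
    """Decode the payload for inspection; this does NOT verify the signature."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def mismatched_claims(claims: dict, cred: dict) -> list:
    """Names of claims that differ from the federated credential (exact match)."""
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    checks = {"iss": claims.get("iss") == cred["issuer"],
              "sub": claims.get("sub") == cred["subject"],
              "aud": cred["audience"] in audiences}
    return [name for name, ok in checks.items() if not ok]

def token_request(tenant_id: str, client_id: str, external_jwt: str, scope: str):
    """URL and form body of the exchange; the external JWT replaces a client secret."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "scope": scope,
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": external_jwt,
    })
    return url, body
```

A credential scoped to one branch rejects the pull request token on `sub` alone, which is why the subject should be as narrow as the workflow allows.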

Azure Container Apps

What is ACA?

  • Run container-based workload without maintaining a K8s cluster
  • Scaling similar to Azure Functions
    • Scaling done with KEDA
    • Can scale down to zero -> attractive pricing for some apps
  • Unopinionated about runtime or programming model

Yet another container option?

  • App Service
    • Optimized for web sites and APIs
    • Serverless, event-driven with Functions,
      but Functions-specific programming model
  • Container Instances
    • Single pod, Hyper-V isolated containers on demand
    • No scaling, load balancing, etc.
    • Building block for other services (e.g. AKS virtual nodes)
  • Kubernetes Service, Red Hat OpenShift
    • Managed clusters
    • Configured by customers
  • Container Apps
    • More general than App Service
    • Less configuration/maintenance work than AKS

Feature Highlights

  • VNet support
  • Optional support for Dapr
  • Any Linux-based x86-64 container works
    • No Windows support yet
  • Multiple containers per Container App (=Pod)
  • Support for revisions
    • Support for traffic shaping
  • Well suited for Microservices
    • Service discovery
    • Dapr integration
    • Independent scaling, versioning per app
  • Authentication support
    • Similar to App Service Easy Auth

Demo
Time!

Demo Azure Container Apps

What else?

Azure Dev Box

Private Preview

Codespaces anybody?

Azure Load Testing

Public Preview

Copilot

Technical Preview

Azure 🤘

What's new in Azure for Developers

By Rainer Stropek
