This article discusses Azure Blueprints in detail: their lifecycle and deployment stages, and how to create, publish, and finally assign them.
The topics covered in this blog are:
- What are Azure Blueprints?
- Why Azure Blueprints?
- Azure Blueprint Lifecycle
- Azure Blueprint Deployment Stages
- How to Create Azure Blueprints
- How to Publish Azure Blueprint
- How to Assign Azure Blueprint
What are Azure Blueprints?
An Azure blueprint is a packaged set of standards and requirements for implementing Azure services, expressed as specific, reusable sets of rules, conventions, and designs. In other words, a Microsoft Azure blueprint is a package that defines the Azure services, security settings, and design an environment should have.
Why Azure Blueprints?
Azure Blueprints takes an organization’s best practices and maps them onto the current technology stack. It then produces a plan made up of resources suited to the organization’s needs that ensures compliance with its standards, which in turn helps the organization adopt modern development practices.
A blueprint is a way to describe exactly what an environment should contain before you start building it. It involves defining:
- Policy Assignments
- Role Assignments
- Resource Groups
- Azure Resource Manager Templates (ARM Templates)
Azure Blueprint Lifecycle
Like many other resources within Azure, a blueprint has a natural lifecycle: it is created, enabled or deployed, and eventually deleted when it is no longer used or has served its purpose.
Azure Blueprints supports the actions that happen during this lifecycle, such as deploying infrastructure as code, and goes a step further by tracking a more detailed status for each blueprint than you may be used to with other resource types in your organization. The lifecycle involves the following steps:
1. Creating and Editing a Blueprint
When creating a blueprint, add artifacts to it, save it to an Azure management group and/or subscription, and give it a unique name and version. The blueprint is now in Draft mode, and while in this mode it can still be edited until the desired definition is complete.
2. Publishing a Blueprint
Every blueprint begins as a draft, which can be saved and reopened later. Once published, a blueprint shows a different icon and is identified by the version number you supplied in the Latest Version column.
3. Creating and Editing a new version of the Blueprint
A blueprint is like a document that goes through multiple rounds of edits. Publishing a new blueprint publishes its initial version, but you can go back at any point, change the definition, and publish the updated content as a new version.
4. Publishing a new version of the Blueprint
Depending on whether the blueprint has unpublished changes, the corresponding buttons are shown on the Edit Blueprint page. If the buttons are not visible, the blueprint has no unpublished changes and has already been published. To publish a blueprint that has unpublished changes, follow the same steps as for publishing a new blueprint.
5. Deleting a specific version of the Blueprint
Each version of a blueprint is distinct and is published individually. A single version can also be deleted, and deleting one version does not affect the other versions of the same blueprint. The steps are:
a) Select All services in the left pane. Scroll down until you find Blueprints, then select it.
b) Select Blueprint definitions from the page on the left and use the filter options to locate the blueprint whose version you want to delete. Select it to open the edit page. Once there, select the Delete Version button at the top of the screen and confirm the deletion in the pop-up that appears.
c) Select the Published versions tab, select the version to be deleted, and click Delete selected version.
d) Right-click the version to delete and select Delete this version.
6. Deleting the Blueprint
When a blueprint is deleted, both the draft and all published versions are removed, along with any rules and items associated with them. Deleting a blueprint version does not, however, affect the items, rules, or restrictions that existing assignments created from that version have put in place.
Azure Blueprint Deployment Stages
When an Azure blueprint is deployed, several steps take place, which are detailed below.
1. Azure Blueprints Granted Owner Rights
When a system-assigned managed identity is used, the Azure Blueprints service principal is granted Owner rights on the tenant. That role allows Azure Blueprints to create, and later revoke, the system-assigned managed identity. If a user-assigned managed identity is used instead, Azure Blueprints does not need these rights on the tenant.
When the rights are assigned programmatically through Azure Resource Manager, consent must be granted explicitly; the application’s Service Principal Name (SPN) alone is not enough. If the assignment is done through the portal, the rights are granted automatically, but if it is done through an API call, a separate API call is needed to grant them.
The Azure Blueprints application ID is f71766dc-90d9-4b7d-bd9d-4499c4331c3f, but the corresponding service principal differs per tenant. Use the Azure Active Directory Graph API’s servicePrincipals REST endpoint to look up the service principal, then grant it Owner rights through the portal, Azure CLI, or PowerShell. Note that the Azure Blueprints service itself does not deploy the resources for you.
2. The Blueprint Assignment Object is Created
When a blueprint is assigned to a subscription, the association is stored in a separate assignment object; the entity that performed the assignment is not part of that relationship. This means there is no link between the service principal or user who assigned the blueprint and the resources (for example IaaS VMs) created from it.
When a blueprint assignment is created, two types of managed identity can be used: system-assigned and user-assigned. A system-assigned managed identity is created by the system, while a user-assigned managed identity is one you create yourself and whose permissions you therefore define. For example, if you created a blueprint for “Alice and her projects”, Alice would need permission to create the assignment using that user-assigned identity, because she will be using it within your team.
The Owner and Blueprint Operator built-in roles have the permission necessary to create assignments that use a user-assigned managed identity.
3. Optional: Azure Blueprints Creates System-Assigned Managed Identity
When a system-assigned managed identity is selected during the assignment, Azure Blueprints creates the identity and grants it the Owner role. If an existing assignment is upgraded, the existing managed identity is reused.
Blueprint assignments are used to deploy or redeploy the resources defined in the blueprint you create. An assignment is also useful when you want some control over the security of a resource being deployed: for example, if you wanted to make sure that only authorized users could access a particular virtual machine instance, this is an approach you could use.
4. The Managed Identity Deploys Blueprint Artifacts
The managed identity is then used to deploy the blueprint’s artifacts in sequence, with dependencies deployed before the components that rely on them.
If a deployment fails, the most likely cause is that the managed identity lacks the access needed for the task it was given. Azure Blueprints does not manage a user-assigned managed identity, so you must manage the access and rights of that identity yourself.
5. Blueprint Service and System-Assigned Managed Identity Rights are Revoked
Once the deployments have completed, Azure Blueprints revokes the rights of its system-assigned managed identity from the subscription, and the Azure Blueprints service also revokes its own rights from the subscription. Removing these rights prevents Azure Blueprints from remaining a permanent owner of the subscription.
How to Create Azure Blueprints
1. Log in to the Azure Portal. If you do not have a Microsoft Azure account, see the blog post on how to create a free Microsoft Azure account.
2. In the Azure Portal, click All services, then choose Management + Governance -> Blueprints.
3. On the next page click on the Create Button.
4. On the next page (Create blueprint page), click on the Start with a blank blueprint button.
5. Under the Basics tab, enter the name of the new blueprint. Next, click the ellipsis button to the right of the Definition location box to open the scope selector. In the Definition location pane, select the subscription and click Select. After choosing the subscription, click the Next: Artifacts button.
6. Under the Artifacts tab, the list of artifacts is empty because none have been added yet, so click Add artifact under the Subscription row. On the next page, open the Artifact type dropdown, select Resource group, and click Add.
7. Next, click on the Add artifact button under the Resource group branch and then choose Contributor role under the Role dropdown.
8. Finally, to create the blueprint, click on Save Draft and after that, you will see a draft blueprint on the list of blueprint definitions.
How to Publish Azure Blueprint
1. On the list of blueprint definitions, click the draft blueprint that you have previously saved while creating the blueprint.
2. Next, click Publish blueprint to start the publishing steps.
3. On the next page, enter the version, fill in a description in the Change notes box, and click Publish.
4. After the blueprint has been published successfully, the newly published version is shown.
How to Assign Azure Blueprint
To assign the Azure blueprint, follow these steps.
1. On the blueprint page, click on the tab Assign blueprint.
2. On the next page, fill in all the required details.
- Subscription(s) – In this option, you will see the subscription name where you created the blueprint.
- Assignment Name – Enter the name for this blueprint assignment.
- Blueprint definition version – Select the blueprint version.
- Lock Assignment – Choose the resource locking mode according to your requirement.
- Managed Identity – Choose System assigned if you want Azure Blueprints to create a temporary owner identity; otherwise choose User assigned to use an existing user-assigned identity.
3. On the next page, fill out the Artifact parameters that you previously left blank when you created the blueprint and then click on the Assign button.
- Resource Group: Name – Choose the name for the new resource group.
- Resource Group: Location – Select the location where you want to create the new resource group.
- [User group or application name]: Contributor – Choose the user, group, or application as a Contributor to the resource group.
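The Create, Publish, and Assign procedures above, plus a check for the Owner grant and revocation described under the deployment stages, as an added Azure CLI example that is not code from the original post. The subscription id, blueprint name, principal object id and resource group names are placeholders, and the run helper and blueprint_version_id function are mine.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): Create, Publish and Assign as Azure CLI
# calls, then a check that the Azure Blueprints service principal no longer holds
# Owner on the subscription once the assignment has completed (deployment stage 5).
# Needs the "blueprint" CLI extension (az extension add --name blueprint).
# DRY_RUN=1 (the default) only prints each command; DRY_RUN=0 executes it.
set -eu
DRY_RUN="${DRY_RUN:-1}"
SUB="00000000-0000-0000-0000-000000000000"         # placeholder subscription id
BP="demo-blueprint"                                # placeholder blueprint definition name
PRINCIPAL="11111111-1111-1111-1111-111111111111"   # placeholder object id of the user or group
CONTRIBUTOR="b24988ac-6180-42a0-ab88-20f7382dd24c" # built-in Contributor role definition id
BLUEPRINTS_APP="f71766dc-90d9-4b7d-bd9d-4499c4331c3f" # Azure Blueprints app id quoted in the article

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Resource id of a published blueprint version; this is what an assignment references.
blueprint_version_id() {
  printf '/subscriptions/%s/providers/Microsoft.Blueprint/blueprints/%s/versions/%s' "$1" "$2" "$3"
}

# Create: a draft definition with a resource group artifact and a Contributor
# role artifact scoped to that resource group (portal steps 5 to 8).
run az blueprint create --name "$BP" --subscription "$SUB" --target-scope subscription \
  --description "Resource group plus Contributor assignment"
run az blueprint resource-group add --blueprint-name "$BP" --subscription "$SUB" \
  --artifact-name appRG   # name and location left blank, so they become assignment parameters
run az blueprint artifact role create --blueprint-name "$BP" --subscription "$SUB" \
  --artifact-name appRGContributor --resource-group-art appRG \
  --role-definition-id "/providers/Microsoft.Authorization/roleDefinitions/$CONTRIBUTOR" \
  --principal-ids "$PRINCIPAL"

# Publish: version v1 with change notes.
run az blueprint publish --blueprint-name "$BP" --subscription "$SUB" --version v1 \
  --change-notes "Initial version"

# Assign: system-assigned identity (temporary Owner) and a do-not-delete lock,
# supplying the resource group parameters that were left blank in the definition.
run az blueprint assignment create --name "${BP}-assignment" --subscription "$SUB" \
  --location eastus --identity-type SystemAssigned --locks-mode AllResourcesDoNotDelete \
  --blueprint-version "$(blueprint_version_id "$SUB" "$BP" v1)" \
  --resource-group-value artifact_name=appRG name=rg-demo-app location=eastus
run az blueprint assignment show --name "${BP}-assignment" --subscription "$SUB" \
  --query provisioningState -o tsv   # repeat until it reports Succeeded

# Check: after completion no Owner role assignment for the Blueprints service
# principal should remain on the subscription, so this count should be 0.
run az role assignment list --assignee "$BLUEPRINTS_APP" --role Owner \
  --scope "/subscriptions/$SUB" --query "length(@)" -o tsv
```

If the final count is not 0, or if a user-assigned identity was used, the remaining role assignments are yours to review and remove, since Azure Blueprints only cleans up the rights it granted itself.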
Azure Blueprints is a service that allows cloud architects to design a repeatable set of Azure resources that adhere to the organization’s rules and needs. Azure Blueprints make it possible to quickly build and deploy new environments with a set of built-in components.