AZ 400 Master Cheat Sheet
1. Introduction
Introduction
DevOps
What
Misconceptions
o It fits every organization
o It can be applied to any application lifecycle process
o Believing these leads to failure when it comes to implementing DevOps
As per Wikipedia:
o Set of software development practices
Why
pg. 1
SKILLCERTPRO
Other resources
Whitepapers
Free
Brownfield projects
Brownfield Greenfield
Team Collaboration
💡 Recommended: Microsoft Teams, Slack
Allows you to:
o Create multiple channels for communication
o Be highly accessible, as it's available in the browser
o Collaborate with external suppliers and contractors
o Integrate Slack with Azure DevOps
E.g. by installing the Azure Pipelines app for Slack:
a. Log in through the app
b. Run /azpipelines subscribe [project url] inside a channel
Azure CLI
You can use the Azure CLI with the Azure DevOps extension to work with Azure DevOps
o Lets you automate everything, as you can script anything and hook it into a build pipeline.
Runs on Linux, macOS or Windows
Accessible via the browser using Azure Cloud Shell
It is structured as groups, sub-groups and commands
o az --help: displays all groups, sub-groups and commands
e.g. vm is a sub-group of az, so you can run az vm --help too
o Find a command: az find -q MyCommand
Azure PowerShell
On cloud
Licensing
o Individual services:
e.g. Azure Pipelines & Azure Artifacts
Free tier available
o User licenses
Basic Plan: first 5 users free, then a cheap price per user
Basic + Test Plans: more expensive per user
o Management:
Automated: group-based licensing using AD groups; just add & remove people from the group.
Manual: assign & remove users and assign an access level (Basic etc.)
Service hooks
Trigger tasks in external services from Azure DevOps
o E.g. if code is pushed => create a new card in Trello or just call a webhook
You can integrate with (see updated list in official docs)
o Build and release: AppVeyor, Bamboo, Jenkins, MyGet, Slack,
o Collaborate: FlowDock, HuBot, Office 365
o Customer support: UserVoice, ZenDesk
o Plan and track: Trello
o Integrate: Service Bus, Azure Storage, Grafana, Web Hooks, Zapier
Notifications
You're notified when changes occur to work items, code reviews, pull requests,
source control files, and builds.
You can be notified via email.
Notifications are managed in 4 levels:
o Your own notifications in your organization menu, managed by you
o Team notifications, managed by a team administrator
o Project notifications, managed by a member of the Project Administrators
group
o Organization/collection-level notifications, managed by a member of the
Project Collection Administrators group
Extensions
Install extensions
o Extensions are installed on organization level.
o Allows you to e.g.:
Introduce new tasks in Azure Pipelines
Integrate with e.g. JIRA
Solve pull request conflicts
2.1. Migrations
TFVC to Git
o Using the web portal by clicking "Import repository" (up to 180 days of history & less complex repositories)
o Using the git-tfs command line tool (more than 180 days of history or complex repositories)
git tfs clone https://tfs:8080/tfs/DefaultCollection $/Project1
Git to Git
o Using web portal by clicking import repository
o Using git mirror
Scrum
1. Have a vision / goal
2. User stories: describe what the customer / end user wants
3. Product backlog
o Start deriving tasks from user stories
4. Pick tasks from the product backlog into the sprint backlog
5. Work on them during a sprint
o Sprint = 1-2 weeks
o A sprint results in working functionality
6. Retrospective & review meetings
o Cycle time
How long it takes to complete one production cycle
Calculated as work completion time − work start time
o Lead time
Calculated as work completion time − work request time
o Burndown: shows remaining work within a specific time period.
Burnup is exactly like burndown, except that it plots work completed rather than work remaining.
o Velocity
Indication of how much work a team can complete during a sprint, based on previous sprints.
o Cumulative Flow Diagram
See the count of work items over time of a Kanban board.
Azure Boards
Allows teams to follow an agile project management approach.
Has native support for Scrum & Kanban type projects
Has customizable dashboards
Has integrated reporting
Terminology
Work item
o Track your project features & requirements
📝 Choose a process
Name | When to choose | Hierarchy | Separate items
CMMI Process | Need to follow a more formal project process | Same as Agile, but with "feature" instead of "user story" | change request, issue, review, risk
Flow
Log in to dev.azure.com with your Microsoft account
Create an organization or use the default organization for your user name.
Create a project
You have
o Boards
Boards: create work items
Backlogs: see all items from the backlog
Sprints: you also see the tasks inside work items
Can create new sprints with a start & end date
You assign work items to sprints
Queries
o Repos, Pipelines, Test Plans, Artifacts
You can create work items
o Can be e.g. an issue or a task
In boards you have columns such as To Do, Doing, Done
o They are customizable
o You can move work items between them
You can create tasks inside a work item.
Connecting to GitHub
Enables linking GitHub commits, pull requests, and issues to work items
Steps
i. Add connection
Project settings => Boards => GitHub connections
Add a new connection
To authenticate you can use
Username + Password
Test Tools
Load Testing
o Load Runner
o Apache JMeter
UI Testing
Tool | Language | Native Azure Pipelines support
Cobertura | Java | ✔️
JaCoCo | Java | ✔️
BullseyeCoverage | C++ | ❌
MSTests | .NET | ❌
NCover | .NET | ❌
Coverlet | .NET | ❌
Coverage.py | Python | ❌
Test cases
Each work item in Azure Boards can have multiple test cases.
o Create by clicking on Add test
Each test case consists of multiple steps
Load Tests
See how well your application behaves under certain types of load or stress.
Types
o You can create URL-based load tests
o Import tests from tools such as Visual Studio or Apache JMeter.
o Run HTTP-archive-based tests
Record HTTP sessions.
Tests from Fiddler can be imported this way
You can set:
o Load pattern, which can be:
Constant: same number of users
Step: set an initial number of users x; after a period of y seconds, increment the number of users by z.
o Time duration, maximum number of users, initial user count, warm-up duration, and which browsers to mimic.
o User agents:
Automatically provisioned: you can select the geo-location
Your own provisioned agents
After execution you get a summary, charts (performance, throughput, errors, tests), diagnostics and logs.
5. Continuous Feedback
Continuous Feedback
You can integrate Azure DevOps with Slack & Microsoft Teams
You can then integrate Azure Boards & Pipelines to e.g.:
o Create issues, monitor pipeline results, approve release requests
Continuous Experimentation mindset
o Design practices to measure end-user satisfaction
o Design processes to capture and analyze user feedback
o Design processes to automate application analytics
Analytics
o Developers need to be able to look for patterns in log messages to
identify if there is a problem in the code.
o Operations need to do root cause analysis across multiple log files to
identify the source of the problem in complex application and systems.
PMD, CheckStyle and FindBugs support for Maven and Gradle is currently
available in Azure DevOps Services (official docs)
o PMD
PMD is a source code analyzer.
It finds common programming flaws like unused variables, empty
catch blocks, unnecessary object creation, and so forth
o CheckStyle
Helps programmers write Java code that adheres to a coding standard
o FindBugs
A program which uses static analysis to look for bugs in Java code
- task: Maven@3
  inputs:
    #mavenPomFile: 'pom.xml'
    #publishJUnitResults: true
    #testResultsFiles: '**/surefire-reports/TEST-*.xml' # Required when publishJUnitResults == True
    #codeCoverageToolOption: 'None' # Optional. Options: none, cobertura, jaCoCo. Enabling code coverage inserts the `clean` goal into the Maven goals list when Maven runs.
    #codeCoverageClassFilter: # Optional. Comma-separated list of filters to include or exclude classes from collecting code coverage. For example: +:com.*,+:org.*,-:my.app*.*
    #codeCoverageClassFilesDirectories: # Optional
    #codeCoverageSourceDirectories: # Optional
    #codeCoverageFailIfEmpty: false # Optional
    #...
    #sonarQubeRunAnalysis: false
    #sqMavenPluginVersionChoice: 'latest' # Required when sonarQubeRunAnalysis == True. Options: latest, pom
    #checkStyleRunAnalysis: false # Optional
    #pmdRunAnalysis: false # Optional
    #findBugsRunAnalysis: false # Optional
Azure Monitor
Allows continuous monitoring.
Collect, analyze & act on telemetry data from cloud & on-prem environments
It collects Metrics (e.g. CPU usage) and Logs
Tools:
o Insights
Application Insights
Containers
Virtual Machines
Diagnostics (Microsoft docs)
Service Map
Graphical representation of a service, its dependencies and its settings
Automatically discovers application components on Windows and Linux systems and maps the communication between services
Monitoring Solutions (ready-made monitoring setups)
o Visualizations
Dashboards
Views (from log queries)
Power BI
Workbooks (interactive reports, dashboards on steroids)
o Optimizations
Analyze
Metric Analytics to query metrics
Log Analytics to query logs
Uses ad-hoc query language Kusto
Respond
Alerts
The IT Service Management Connector (ITSMC)
Provides a bi-directional connection between Azure and ITSM tools to help you resolve issues faster.
E.g. ServiceNow, System Center Service Manager, Provance, Cherwell
Allows you to
Create work items in the ITSM tool based on your Azure alerts (metric alerts, Activity Log alerts and Log Analytics alerts).
Sync your incident and change request data from your ITSM tool to an Azure Log Analytics workspace.
Autoscale
Integrate
Logic Apps
Export APIs
Application Insights
Monitor and diagnose availability, usage & performance of web apps
Availability tests: alert if your application isn't responding, or if it responds too slowly.
o URL tests: test a URL for status code or ping.
o Multi-step tests: test a recorded sequence of URLs and interactions
o Performance tests: set user load & duration
o Or run custom tests, e.g. from Azure Functions
o Profiler: captures data & provides performance traces.
Application Map
o Helps you spot performance bottlenecks or failure hotspots
o KPIs such as load, performance and failures, availability test failures
Smart Detection
User Flows shows the events that happened before and after a given event during user sessions
Lines of varying thickness show how many times each path was followed by users
o Impact
Discovers how any dimension of a page view, custom event, or request affects the usage of a different page view or custom event.
e.g. how load times influence conversion rates
6. Package Management
Package management
Manages all aspects of software such as installation, configuration, upgrade, and uninstall.
Benefits:
o Reusability: reuse the same package in multiple solutions
o Download a package into your solution whenever required.
o Leads to faster development
Issues with public package managers
o Maintaining governance and control
E.g. people can use different versions of packages
o Security
Does the package have loopholes or other concerns?
Developers may use any package just to get the application working.
Need for managing dependencies
o Applications can easily end up swamped with dependencies
o There can be no control over the packages being used in the application
o Security can also be a concern when you are working with public packages
Azure Artifacts
Service that allows you to organize and control access to packages
Upstream sources
o The feed stores your produced packages and proxies & caches packages from remote feeds
o Remote feeds can be one of the official public sources or a private source.
Package Graph
o Ensure that any dependencies of your package are also available in your feed
o You can
republish them directly (not recommended)
or consume them from an upstream source.
Permissions
Permission | Contributor | Owner
Push packages | ✓ | ✓
Unlist/deprecate packages | ✓ | ✓
Delete/unpublish packages | | ✓
Feeds
Developers download & use packages from feeds
You can create multiple feeds
Each feed can have its own set of packages
Public feeds (project-scoped)
o If the project is private, the feed is private; if the project is public, the feed is public, i.e. accessible by everyone on the internet.
Private feeds (organization-scoped or project-scoped)
o Can be accessed by the whole organization or by specific selected people in the organization.
o Consumers need a Personal Access Token with read access to packaging to download packages.
Feeds can proxy public sources such as NuGet, npm, Maven and Python.
You need to create a Personal Access Token with write access to packaging to push packages.
Feed views
Default: @local, @prerelease, @release; you can add more & delete them (except @local)
o The default URI of the feed points to @local, which contains:
all packages published directly to the feed, e.g. by npm publish
packages saved from upstream sources
You can promote packages to the other views
They get a URL like ...feed@view/nuget/...
Best practices
Creating packages as part of a build
o Each repository should only reference one feed
o On package creation, automatically publish packages back to the feed.
o Enable retention policies to automatically clean up old package versions
o Promote your package to the correct view (keep good quality in the @release view)
o If external teams are consuming your package, ensure that your @release view and @prerelease view are visible across the organization
Consuming packages from public and internal sources as part of a build
o Each repository should have a unique feed
o Configure upstream sources for public and internal sources
o Sources not in your organization but in the same AAD tenant should be added using the feed locator
o Ensure that the order of the sources matches your desired package resolution order
The feed checks each upstream in order, returning the package from the first source that has it.
o To avoid confusion, place any public upstreams FIRST in your resolution order
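The resolution order described above, as an added example that is not part of the cheat sheet and not Azure Artifacts code: a small model of a feed that answers a package request from its own @local view first, then from each upstream strictly in the configured order, saving the first hit back into @local. Feed, upstream and package names are constructed. The audit() helper lists every source that could serve a given version, so a team can see which one wins under the current order, and public_upstreams_first() checks the ordering rule from the text.

```python
# Added example, not from the cheat sheet or from Azure Artifacts: a model of
# how a feed resolves a package against @local and its ordered upstream sources.
# All feed, upstream and package names below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Versions = Dict[str, List[str]]  # package name -> versions available at that source


@dataclass
class Upstream:
    name: str
    public: bool          # True for a public source such as nuget.org
    packages: Versions


@dataclass
class Feed:
    name: str
    upstreams: List[Upstream]                     # resolution order = list order
    local: Versions = field(default_factory=dict)  # the feed's @local view

    def resolve(self, package: str, version: str) -> Optional[Tuple[str, str]]:
        """Return (source, version) for the first source that has the package, or None."""
        if version in self.local.get(package, []):
            return (f"{self.name}@local", version)
        for up in self.upstreams:
            if version in up.packages.get(package, []):
                # A version served from an upstream is saved into @local, so later
                # requests are answered by the feed itself.
                self.local.setdefault(package, []).append(version)
                return (up.name, version)
        return None

    def audit(self, package: str, version: str) -> List[str]:
        """Every upstream that could serve this version, in resolution order."""
        return [up.name for up in self.upstreams if version in up.packages.get(package, [])]

    def public_upstreams_first(self) -> bool:
        """Ordering rule from the text: all public upstreams precede all internal ones."""
        seen_internal = False
        for up in self.upstreams:
            if up.public and seen_internal:
                return False
            if not up.public:
                seen_internal = True
        return True


# Constructed feed: a public source first, then another team's internal feed.
feed = Feed(
    name="contoso-feed",
    upstreams=[
        Upstream("nuget.org", public=True, packages={"Newtonsoft.Json": ["13.0.1"]}),
        Upstream("platform-team-feed", public=False,
                 packages={"Contoso.Auth": ["1.0.0"], "Newtonsoft.Json": ["13.0.1"]}),
    ],
)

if __name__ == "__main__":
    print(feed.resolve("Newtonsoft.Json", "13.0.1"))   # served by nuget.org, then cached
    print(feed.resolve("Newtonsoft.Json", "13.0.1"))   # now answered from @local
    print(feed.audit("Newtonsoft.Json", "13.0.1"))     # both upstreams offer it; first wins
    print(feed.public_upstreams_first())
```

When audit() returns more than one source for the same package name, the configured order alone decides where the binary comes from, which is exactly why the text asks you to set that order deliberately and keep it consistent across feeds.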
Continuous Delivery
Complements your continuous integration process.
Automates deployment of your changes after the build.
Tracks the quality of your release process
o Visualizations about the quality of all the release pipelines, e.g. adding a dashboard widget which shows the status of every release.
Release notes, functional and technical documentation
o Generate Release Notes Build Task (VSTS)
o WIKI Updater Tasks (VSTS)
o 💡 Treat release documentation & manuals as source code
When the product changes, the documentation needs to change as well
Multi-configuration deployments
Feature Flags
Allows you to separate your functional release from your technical release
Decide at runtime whether a feature is on; enable/disable a feature based on a boolean
Deployment rings
Deployment slots
o Allow you to create a new deployment for the web app.
o ❗ Requires a Standard or higher plan to be able to use deployment slots.
o App content and configuration elements can be swapped between two deployment slots, including the production slot.
o Use-cases:
Create a staging environment easily in Web Apps
Validate in staging before swapping to production
You can apply Blue/Green deployments
Zero-downtime deployment with an auto swap
Allows you to ensure that all instances of the slot are warmed up before being swapped into production
Deployment Patterns
Feature toggles
Feature toggles are booleans in code that activate or deactivate a feature at run-time
You can deploy first, then:
o Measure the soundness of your release from a backwards-compatibility/bug perspective
o Release new functionality gradually to different users, or vice versa (scale down or even roll back functionality and/or binaries).
o Allows for splitting the availability of functionality from the deployment of binaries, and gives much more fine-grained decision making than only "deploy/rollback"
💡 Always using them is a good way to increase your confidence in a new version, since the new version functions exactly like the old until someone flips a feature toggle.
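A feature-toggle service with the behaviours listed above, as an added example that is not from the cheat sheet or any particular toggle library: a master on/off switch, an allow list of users, and a deterministic percentage rollout, so the new code path can be released gradually, scaled back, or switched off without redeploying binaries. Toggle names, user ids and the pricing function are constructed for illustration; how the configuration is loaded (variable group, App Configuration, a file) is left out.

```python
# Added example, not from the cheat sheet: a minimal feature-toggle service.
# Toggle names, user ids and the pricing rule are constructed for illustration.
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Toggle:
    enabled: bool = False                                # master switch; False = old behaviour
    rollout_percent: int = 0                             # share of users that get the feature, 0..100
    allow_users: Set[str] = field(default_factory=set)   # always on for these users (e.g. testers)


class FeatureToggles:
    def __init__(self, config: Dict[str, Toggle]):
        self._toggles = config

    @staticmethod
    def bucket(name: str, user_id: str) -> int:
        """Stable bucket 0..99 for (toggle, user): the same user always lands in the same
        bucket, so a 10% rollout is the same 10% of users on every request."""
        digest = hashlib.sha256(f"{name}:{user_id}".encode()).digest()
        return int.from_bytes(digest[:4], "big") % 100

    def is_on(self, name: str, user_id: Optional[str] = None) -> bool:
        t = self._toggles.get(name)
        if t is None or not t.enabled:        # unknown or disabled toggle: keep the old path
            return False
        if user_id is not None and user_id in t.allow_users:
            return True
        if user_id is None:                   # no user context: only a full rollout counts
            return t.rollout_percent >= 100
        return self.bucket(name, user_id) < t.rollout_percent


# Constructed configuration: one feature at 10% plus a tester, one deployed but switched off.
TOGGLES = FeatureToggles({
    "new-discount-engine": Toggle(enabled=True, rollout_percent=10, allow_users={"qa-tester"}),
    "experimental-checkout": Toggle(enabled=False, rollout_percent=100),
})


def order_total(amount: float, user_id: str, toggles: FeatureToggles = TOGGLES) -> float:
    """Both code paths ship in the same binary; the toggle decides which one runs."""
    if toggles.is_on("new-discount-engine", user_id):
        return round(amount * 0.9, 2)   # new behaviour behind the toggle
    return round(amount, 2)             # old behaviour, identical to the previous release


if __name__ == "__main__":
    for user in ("qa-tester", "alice", "bob"):
        print(user, order_total(100.0, user), "bucket", FeatureToggles.bucket("new-discount-engine", user))
```

Rolling the feature back is a configuration change (set rollout_percent to 0 or enabled to False), not a redeployment, which is the "fine-grained decision making" the text contrasts with plain deploy/rollback.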
Canary Deployments
The essence of canary deployment is deploying incrementally
Deploys in small, incremental steps, and only to a small group of people
The aim is to get an idea of how the new version will perform (integration with other apps, CPU, memory, disk usage, etc.).
Rolling deployment
Slowly replaces currently running instances of the application with newer ones.
Importantly, an old instance is removed only when the new one has passed health checks.
Azure Pipelines
Continuous integration & delivery service
You can group pipeline steps into jobs, and jobs into stages.
o Building, testing, and release can be automated using stages
Previously, Azure DevOps had 2 different types of pipelines:
o Build pipeline that results in an artifact (.yaml file)
o Release pipeline that takes the artifact and pushes it (UI only)
This is now the "old way"; the new way uses the same .yaml pipeline for both
A job is a series of tasks that run sequentially on the same agent
o It has tasks, e.g. install packages & build solution
Manual Intervention task
Pauses an active workflow to do a manual task; can have instructions
Can continue or reject the deployment on time-out
o The build is done on an agent (a VM or a container); you can design your own agents.
o Timeouts before a job is cancelled:
Forever on self-hosted agents
360 minutes (6 hours) on Microsoft-hosted agents with a public project or repository
Variables
Variable
Store values used in the pipeline
Usage
variables:
  configuration: debug
steps:
- task: MSBuild@1 # Use them once
  inputs:
    configuration: $(configuration) # Use the variable
- task: MSBuild@1 # Use them again
  inputs:
    configuration: $(configuration) # Use the variable
Variable Groups
o Usage:
variables:
- group: my-variable-group
steps:
- script: echo $(myhello) # uses macro syntax
- script: echo $[variables.myhello] # uses runtime expression
Triggers
Pipelines are triggered by triggers, e.g. commits to the repository, webhooks etc.
Defined in the .yaml file, but ❗ the YAML continuous integration trigger can be overridden in the pipeline settings.
Batch changes
o When a build is running, the system stacks other changes and builds them all at once.
o In yaml:
trigger:
  batch: false # set to true to enable batching
Filters
o E.g.:
trigger:
  branches:
    include: [ 'master', 'release/*' ]
  paths:
    exclude: [ '/Code/Previous' ]
  tags:
    include: [ '*' ]
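How the branch, path and tag filters above combine to decide whether a push queues a build, as an added example that is not part of the cheat sheet and not Azure Pipelines' own matcher: a small model fed with a constructed trigger of the same shape as the YAML above. Two points are assumptions rather than facts taken from the page: `*` is treated as matching any characters including `/`, and path filters are treated as prefix matches on repo-relative paths with an optional leading `/`.

```python
# Added example, not from the cheat sheet or from Azure Pipelines: a model of
# trigger filter evaluation. Wildcard and path-prefix semantics are assumptions.
from fnmatch import fnmatchcase
from typing import Dict, List

# Constructed trigger mirroring the YAML above.
TRIGGER: Dict[str, Dict[str, List[str]]] = {
    "branches": {"include": ["master", "release/*"], "exclude": []},
    "paths": {"include": [], "exclude": ["/Code/Previous"]},
    "tags": {"include": ["*"], "exclude": []},
}


def _matches(name: str, patterns: List[str]) -> bool:
    return any(fnmatchcase(name, p) for p in patterns)


def _allowed(name: str, section: Dict[str, List[str]]) -> bool:
    """An empty include list means 'everything'; an exclude always wins over an include."""
    include, exclude = section.get("include", []), section.get("exclude", [])
    if _matches(name, exclude):
        return False
    return not include or _matches(name, include)


def _under(path: str, prefix: str) -> bool:
    """Prefix match on whole path segments, so 'Code/Previous' does not cover 'Code/PreviousStuff'."""
    path, prefix = path.strip("/"), prefix.strip("/")
    return path == prefix or path.startswith(prefix + "/")


def _path_allowed(path: str, section: Dict[str, List[str]]) -> bool:
    include, exclude = section.get("include", []), section.get("exclude", [])
    if any(_under(path, p) for p in exclude):
        return False
    return not include or any(_under(path, p) for p in include)


def should_trigger(ref: str, changed_paths: List[str], trigger=TRIGGER) -> bool:
    """ref is a full git ref ('refs/heads/master', 'refs/tags/v1.2.0').
    Tag pushes are checked against the tags filter. Branch pushes must pass the
    branches filter and then have at least one changed file that survives the
    path filter; a push whose changes are all excluded does not queue a build."""
    if ref.startswith("refs/tags/"):
        return _allowed(ref[len("refs/tags/"):], trigger.get("tags", {}))
    if not ref.startswith("refs/heads/"):
        return False
    branch = ref[len("refs/heads/"):]
    if not _allowed(branch, trigger.get("branches", {})):
        return False
    paths = trigger.get("paths", {})
    return any(_path_allowed(p, paths) for p in changed_paths)


if __name__ == "__main__":
    print(should_trigger("refs/heads/release/1.0", ["src/app.cs"]))           # True
    print(should_trigger("refs/heads/master", ["Code/Previous/old.cs"]))     # False
```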
Pipeline as code
Triggers, agent and all tasks are defined in YAML.
o Schema:
o Example:
name: $(Date:yyyyMMdd)$(Rev:.r)
variables:
  var1: value1
jobs:
- job: One
  steps:
  - script: echo First step!
Agents
You can choose Microsoft agents.
Agent pools
Organize agents into agent pools for easier management.
Pools are scoped to & visible in the entire organization
Default agent pools
o Default pool: use it to register self-hosted agents that you've set up.
o Azure Pipelines hosted pool with various Windows, Linux, and macOS images.
Examples 📝:
Ubuntu 16.04: run jobs on a Linux-based VM
macOS: build & release on Mojave macOS
❗ For builds and releases running on Microsoft-provided macOS agents, your data will be transferred to third-party data centers in the US or EU (official docs).
Windows:
Windows 2019 with VS2019
VS2017
Hosted: older versions of Visual Studio installed on Windows Server 2012
Hosted Windows Container
Removed after March 23, 2020
The list here can be outdated; check the latest from the docs
📝 Permissions:
o Organization- or collection-level:
Reader: can view the agent pool & its agents, e.g. to monitor health
Service Accounts: can create an agent pool in a project
Environment
Collection of resources that can be targeted by deployments from a pipeline.
Can include Kubernetes clusters, Azure web apps, virtual machines, databases.
- stage: deploy
  jobs:
  - deployment: DeployWeb
    displayName: deploy Web App
    pool:
      vmImage: 'Ubuntu-latest'
    environment: <your-environment-name> # placeholder: a deployment job must name the environment it targets
    strategy:
      runOnce:
        deploy:
          steps:
          - script: echo deploying to the environment
Approvals
Manually control when a stage should run using approval from user(s)
Can be pre-deployment or post-deployment approvals
Defined at environment level or in the (legacy) release pipeline UI
💡 Commonly used to control deployments to production environments.
You can assign a timeout to the approval for auto-rejection after the time is up.
Parallel Jobs
One parallel job = the capacity to run one job at a time in a pipeline
o Pipeline = collection of jobs
o Each job consumes a parallel job that runs on an agent
When there aren't enough parallel jobs available for your organization
o the jobs are queued up and run one after the other.
Free tier
o Public project:
10 free Microsoft-hosted parallel jobs that can run up to 360 minutes each time
10 free self-hosted parallel jobs (unlimited parallel jobs)
o Private project:
1 free Microsoft-hosted parallel job, can run up to 60 minutes each time
Limit of 30 hours per month
1 free self-hosted parallel job (unlimited parallel jobs)
Service connections
Allow you to connect to external and remote services to execute tasks in a job.
Service connections are created at project scope
Container agents
The agent first fetches and starts the container.
o Then, each step of the job runs inside the container
or you can set the target on the task level
Linux agents
E.g.:
pool:
  vmImage: 'ubuntu-16.04'
container: ubuntu:16.04
steps:
- script: printenv
o Docker is installed
o The agent has permission to access the Docker daemon
Container requirements:
o Bash
o glibc-based
o Can run Node.js (which the agent provides)
o Does not define an ENTRYPOINT
o USER has access to groupadd and other privileged commands without sudo
Windows agents
E.g.
pool:
  vmImage: 'windows-2019'
container: mcr.microsoft.com/windows/servercore:ltsc2019
steps:
- script: set
Service containers
resources:
  containers:   # the service containers referenced below must be declared as resources
  - container: nginx
    image: nginx
  - container: redis
    image: redis
pool:
  vmImage: 'ubuntu-16.04'
container: ubuntu:16.04
services:
  nginx: nginx
  redis: redis
steps:
- script: |
    apt-get update && apt-get install -y curl redis-tools   # -y: no prompt on a non-interactive agent
    curl nginx
    redis-cli -h redis ping
Fetches the latest nginx and redis containers from Docker Hub and then starts the containers
The containers are networked together so that they can reach each other by their service names.
The pipeline then runs the apt-get, curl and redis-cli commands inside the ubuntu:16.04 container.
From inside this job container, the nginx and redis host names resolve to the correct services using Docker networking
All containers on the network automatically expose all ports to each other
Gates
Not yet available for multi-stage pipelines, see GitHub issue
Collect information from external services
o then decide if a stage should run or not.
Use-cases:
o Incident and issues management, e.g.:
Ensure deployment occurs only if no priority-zero bugs exist
Validate that no active incidents are taking place after deployment
o Seek approvals outside Azure Pipelines, e.g.:
Notify legal approval departments, auditors, or IT managers about a deployment by integrating with approval collaboration systems such as Microsoft Teams or Slack
o Quality validation, e.g.:
Allow release only if code coverage >= 90
o Security scan on artifacts, e.g.:
Anti-virus checking, code signing, and policy checking.
o User experience relative to baseline, e.g.:
Ensure the user experience hasn't regressed from the baseline state
o Change management, e.g.:
Wait for change management procedures in ServiceNow before deployment
7.3. Jenkins
Jenkins
Tool for continuous integration & delivery, see jenkins.io
Multi-OS & open-source
Supports many languages with rich set of plugins
You can use webhooks for auto-trigger from GitHub
7.4. SonarQube
SonarQube
Open-source code analysis tool, sonarqube.org
Helps you to see your project's technical debt
Detects bugs, vulnerabilities, code smells, coverage...
8. DevSecOps
DevSecOps (Security)
Philosophy of integrating security practices within the DevOps process.
Makes security a responsibility of everyone on the team
Best Practices
Provide training
Define requirements
o Minimum-security baseline that takes account of both security and compliance
controls
o Ensure these are baked into the DevOps process and pipeline
o Check at least for OWASP Top 10, SANS Top 25
Top 5 from the Top 10
a. Injection
Never trust any user input
b. Broken authentication
Use custom or own authentication system rather than well
known authentication systems
c. Sensitive data exposure
d. XML external entities
e. Broken access control
Roles and permissions poorly implemented or not implemented at all
Define metrics and compliance reporting
Use software composition analysis (SCA) and governance
o Evaluate third party components for security & licensing
Perform threat modeling
o Helps you to
More effectively and less expensively identify security vulnerabilities
Determine risks from those threats
Make security feature selections and establish appropriate mitigations
o At the very least, threat modeling should be used in environments where there is
meaningful security risk.
Use tools and automation
o Integrate Static Application Security Testing (SAST) into your IDE
o Integrate Dynamic Analysis Security Testing (DAST) tools into CI/CD
o Choosing tools:
Tools must be integrated into the CI/CD pipeline.
Tools must not require security expertise.
Tools must avoid a high false-positive rate of reporting issues.
Keep credentials safe
o Do not store credentials in code
Consider using a bring-your-own-key (BYOK) solution that generates keys
using a hardware security module (HSM).
Use continuous learning and monitoring
Threat Modeling
Do it as soon and as often as possible
o Not only when releasing a new feature, because a single line of code can change everything
The Microsoft Threat Modeling Tool is a tool for threat modeling.
Steps:
i. Defining security requirements.
ii. Creating an application diagram.
iii. Identifying threats.
iv. Mitigating threats.
v. Validating that threats have been mitigated.
Security tools
OWASP ZAP
Cloud security and compliance solution using native security capabilities in Azure
Scans Azure subscriptions and resource configurations across multiple subscriptions
Next-level AzSK, similar to AzSK Continuous Assurance (CA) in central-scan mode.
Integrates with Azure / Azure Security Center policies
Requires installation in Azure with a management identity that has reader permissions
Stores results in a Log Analytics workspace, from which they can be sent to Power BI
Secret management
Azure Key Vault
Penetration testing
To find weaknesses in the system
Passive Tests or Passive Scan
o Scan the target site as is, but don't try to manipulate the requests to expose additional vulnerabilities.
o Runs fast and is a good candidate for CI as it completes in minutes
Active Tests or Active Scan
o Also called dynamic or fuzz tests
o Used to simulate many techniques that hackers commonly use to attack websites
o Tries a large number of different combinations to see how the site reacts, to verify that it doesn't reveal any information
o A CI/CD pipeline should run within a few minutes, so you don't want to include any long-running processes.
Nightly tests are a good idea.
OWASP ZAP is a free penetration testing tool for beginners to professionals
o Running the OWASP ZAP weekly docker container within Azure Container Services ensures the image is always updated.
Example pipelines:
o Application CI/CD:
a. Build
b. Static Security Scan
c. Package
d. Deploy
e. Passive Pentest: pull OWASP ZAP weekly => start container => run baseline (1 to 2 min) => report results => high alerts: fail the release; all alerts: create bugs
o Nightly OWASP ZAP Pipeline
Nightly schedule
Application full active scan: pull OWASP ZAP weekly => start container => spider site => run active scan => report results => high alerts: fail the release; all alerts: create bugs
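The "report results" step of the two pipelines above, combined with the "code coverage >= 90" quality gate from the Gates section, as an added example that is not part of the cheat sheet and not OWASP ZAP's or Azure Pipelines' own code: a script of the kind a pipeline step would run after the scan. It reads a report, turns every alert into a bug work item to create, fails the release when any alert is at High risk, and fails it when coverage is below the minimum. The report embedded below is constructed and only mirrors the layout of ZAP's JSON report (a "site" list whose entries carry an "alerts" list with a "riskcode" of 0-3); the alert names, plugin ids, site name and coverage figure are sample values, and creating the work items in Azure Boards is left out.

```python
# Added example, not from the cheat sheet, OWASP ZAP or Azure Pipelines:
# release-gate logic run over a constructed scan report.
import json
from dataclasses import dataclass, field
from typing import Dict, List

RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}
COVERAGE_MINIMUM = 90.0   # the "code coverage >= 90" quality gate from the Gates section


def make_report(alerts: List[Dict[str, str]], site: str = "https://staging.example.invalid") -> str:
    """Build a JSON document in the layout of a ZAP JSON report: a 'site' list whose
    entries carry an 'alerts' list. Used here only to construct sample input."""
    return json.dumps({"@version": "2.x", "site": [{"@name": site, "alerts": alerts}]})


# Constructed sample report; alert names and plugin ids are sample values.
ZAP_REPORT_JSON = make_report([
    {"pluginid": "10021", "name": "X-Content-Type-Options Header Missing", "riskcode": "1"},
    {"pluginid": "10038", "name": "Content Security Policy (CSP) Header Not Set", "riskcode": "2"},
    {"pluginid": "40012", "name": "Cross Site Scripting (Reflected)", "riskcode": "3"},
])


@dataclass
class GateResult:
    passed: bool
    reasons: List[str] = field(default_factory=list)          # why the release is blocked
    bugs: List[Dict[str, str]] = field(default_factory=list)  # work items to create, one per alert


def parse_alerts(report_json: str) -> List[Dict[str, str]]:
    report = json.loads(report_json)
    return [alert for site in report.get("site", []) for alert in site.get("alerts", [])]


def evaluate_gates(report_json: str, coverage_percent: float,
                   fail_at_risk: int = 3, min_coverage: float = COVERAGE_MINIMUM) -> GateResult:
    """Policy from the text: every alert becomes a bug; alerts at or above fail_at_risk
    (3 = High) fail the release; coverage below the minimum fails it as well."""
    result = GateResult(passed=True)
    alerts = parse_alerts(report_json)
    for alert in alerts:
        risk = RISK_NAMES.get(alert.get("riskcode", "0"), "Unknown")
        result.bugs.append({
            "title": f"[ZAP][{risk}] {alert.get('name', 'unnamed alert')}",
            "pluginid": alert.get("pluginid", ""),
            "severity": risk,
        })
    highs = [a for a in alerts if int(a.get("riskcode", "0")) >= fail_at_risk]
    if highs:
        result.passed = False
        threshold = RISK_NAMES.get(str(fail_at_risk), str(fail_at_risk))
        result.reasons.append(f"{len(highs)} alert(s) at risk >= {threshold}")
    if coverage_percent < min_coverage:
        result.passed = False
        result.reasons.append(f"code coverage {coverage_percent:.1f}% < {min_coverage:.0f}%")
    return result


if __name__ == "__main__":
    outcome = evaluate_gates(ZAP_REPORT_JSON, coverage_percent=92.0)
    print("release allowed" if outcome.passed else "release blocked: " + "; ".join(outcome.reasons))
    for bug in outcome.bugs:
        print("create bug:", bug["title"])
```

In a pipeline the script would exit non-zero when `passed` is False so the stage fails, and the `bugs` list would be posted to Azure Boards; the threshold arguments make the same script usable for the nightly active scan with a stricter or looser policy.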
CI/CD steps (diagram; only its labels are recoverable):
o IDE / pull request: static code analysis, code review comments, static code rule warnings, work item linking
o Dev: passive pen test, SSL scanner, infrastructure scan
o Later stages: pen test issues, SSL issues, performance issues, regression bugs, infrastructure scan issues; load and performance testing, automated regression testing
Container Security
Container security best-practices: (whitepaper)
o Scan for vulnerabilities before pushing images to registry.
o Continue scanning in the registry because new vulnerabilities are discovered all
the time.
Continuous Assurance
Tracks configuration drift
o Checks for "drift" from what is considered a secure snapshot of a system
Treat security truly as a 'state' as opposed to a 'point in time' achievement
o Important in today's context, when 'continuous change' has become the norm.
2 types of drift:
o Drift involving 'baseline' configuration
Often pre-defined/statically determined ones
E.g. SQL DB can have TDE encryption turned ON or OFF
o Drift involving 'stateful' configuration
Cannot be constrained within a finite set of well-known states.
E.g. the IP addresses configured to have access to a SQL DB
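The two kinds of drift above, as an added example that is not part of the cheat sheet and not AzSK code: a continuous-assurance style check that compares a current resource snapshot against a secure baseline. Baseline settings (the TDE ON/OFF case from the text) are compared value for value; the stateful case (which IPs may reach a SQL DB) cannot be enumerated in advance, so each firewall rule is checked against approved address ranges instead. The snapshot format, resource name, settings and approved ranges are constructed; how the snapshot is collected from Azure is left out.

```python
# Added example, not from the cheat sheet or from AzSK: drift detection against a
# secure baseline. Snapshot format, names and address ranges are constructed.
import ipaddress
from typing import Any, Dict, List

# Baseline drift: settings with a finite set of known-good values.
SECURE_BASELINE: Dict[str, Any] = {
    "tde_enabled": True,        # the "TDE encryption ON or OFF" example from the text
    "auditing_enabled": True,
    "min_tls_version": "1.2",
}

# Stateful drift: the allowed client IPs cannot be listed up front, so policy is
# expressed as approved ranges (constructed, documentation-reserved addresses).
APPROVED_RANGES = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "203.0.113.0/24")]


def baseline_drift(current: Dict[str, Any], baseline: Dict[str, Any] = SECURE_BASELINE) -> List[str]:
    """Every baseline key must be present with exactly the expected value."""
    findings = []
    for key, expected in baseline.items():
        actual = current.get(key, "<missing>")
        if actual != expected:
            findings.append(f"{key}: expected {expected!r}, found {actual!r}")
    return findings


def stateful_drift(firewall_rules: List[Dict[str, str]], approved=APPROVED_RANGES) -> List[str]:
    """Each rule is a start-end address range. A rule is acceptable only if both ends
    fall inside the same approved network, which implies every address between them
    does too; an 'allow everything' rule therefore always shows up as drift."""
    findings = []
    for rule in firewall_rules:
        start = ipaddress.ip_address(rule["start"])
        end = ipaddress.ip_address(rule["end"])
        if end < start:
            findings.append(f"{rule['name']}: invalid range {start}-{end}")
            continue
        if not any(start in net and end in net for net in approved):
            findings.append(f"{rule['name']}: {start}-{end} is not within an approved range")
    return findings


def scan(snapshot: Dict[str, Any]) -> Dict[str, List[str]]:
    return {
        "baseline": baseline_drift(snapshot.get("settings", {})),
        "stateful": stateful_drift(snapshot.get("firewall_rules", [])),
    }


# Constructed snapshot of one SQL server, as a scanner might collect it.
SAMPLE_SNAPSHOT: Dict[str, Any] = {
    "resource": "sql-contoso-prod",
    "settings": {"tde_enabled": False, "auditing_enabled": True, "min_tls_version": "1.2"},
    "firewall_rules": [
        {"name": "office", "start": "203.0.113.10", "end": "203.0.113.20"},
        {"name": "temp-open", "start": "0.0.0.0", "end": "255.255.255.255"},
        {"name": "contractor-laptop", "start": "198.51.100.7", "end": "198.51.100.7"},
    ],
}

if __name__ == "__main__":
    for kind, findings in scan(SAMPLE_SNAPSHOT).items():
        for line in findings:
            print(f"[{kind} drift] {line}")
```

Run on a schedule, the same check turns "is the system still in the secure state" into a repeatable answer rather than a one-off review, which is the point the text makes about security as a state.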
For more info & scripts, see Secure DevOps Kit for Azure
Access Policies
On vault level
E.g. referencing a Key Vault secret from an ARM template parameter file:
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminLogin": {
      "value": "exampleadmin"
    },
    "adminPassword": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.KeyVault/vaults/<vault-name>"
        },
        "secretName": "ExamplePassword"
      }
    },
    "sqlServerName": {
      "value": "<your-server-name>"
    }
  }
}
Authorize access
Using RBAC
i. Ensure the entity to give access to (user or application) exists:
For an application, create a service principal:
az ad sp create-for-rbac -n "http://mySP"
For users, you can add the following to the RBAC list of the vault:
Add individual users (not recommended)
💡 Add AD groups (recommended)
ii. Then give your principal access to the vault:
az keyvault set-policy -n <your-unique-keyvault-name> --spn <ApplicationID-of-your-service-principal> --secret-permissions get list set delete --key-permissions create decrypt delete encrypt get list unwrapKey wrapKey
Using managed identity
i. In the application => add a system-assigned identity
E.g. for a web app: az webapp identity assign --name myApp --resource-group myResourceGroup
Or the Identity section in the portal.
ii. In the key vault => allow access:
az keyvault set-policy --name myKeyVault --object-id <PrincipalId> --secret-permissions get list
Helps developers create & maintain versions of their source code.
Developers can collaborate on code & track changes
Required for any development project.
git is the most commonly used.
Azure DevOps has Azure Repos, which supports git and Team Foundation Version Control.
Flow
o Each developer has their own copy
o They make changes
o Push their changes into central repository
o Other developers pull changes into their repositories
Conflicts
name | type | license | description | Azure Repos support | Terminology
git | distributed | open-source | most popular, a lot of tooling | ✔️ | pull & push
TFVC | centralized | proprietary | branches = paths, granular permissions down to a file level | ✔️ | check-in & check-out
mercurial | distributed | open-source | used by e.g. Facebook & Mozilla, simpler than git | ❌ | pull & push
svn (apache subversion) | centralized | open-source | branches = paths, granular permissions down to a file level | ❌ | commit & update
Helix Core (Perforce) | centralized | proprietary | branches = paths, granular permissions down to a file level | ❌ | check-in & check-out
ClearCase | centralized | proprietary | file-based architecture (where everything happens e.g. tagging at the file level) | ❌ | -
❗ The mutability and lack of history with TFVC labels can add risk to change control.
o Development isolation
o Feature isolation
    Special derivation of the development isolation
    Branch one or more feature branches from main, as shown, or from your dev branches
o Release isolation
    Introduces one or more release branches from main
    Never forward integrate (FI) from main.
    Patches and hot fixes made to the release can be reverse integrated (RI) back to main.
o Servicing and Release isolation
    Allows e.g. service packs
    The release branch should never be modified
    Never forward integrate from main to servicing, or from servicing to release.
    Although not recommended, you can continue to evolve by introducing e.g. hotfix branches to releases => Servicing, Hotfix, Release isolation
9.1. Git
Using git
You can use git CLI
You can also use other tools such as Visual Studio (through Team Explorer)
o Connect directly to Azure DevOps with your Microsoft account to work with
Azure Repos.
Git CLI
Create a repository
i. Download git
ii. Run git init in the folder where you want to have your repository
    You get a master branch ready
    HEAD points to the current branch; at the start it's master
iii. Create a file called filename.txt
iv. Run git add filename.txt or git add . (for all files in the folder)
v. Commit your changes with a message: git commit -m "first commit"
Useful commands
o git log: shows all commits
    Each commit has a SHA hash you can see here.
    You can revert a commit using git revert commit-sha (or the first 3 chars of the sha)
o git fetch: downloads remote-tracking branches
o git pull: does git fetch followed by git merge FETCH_HEAD to update your files to the latest in the remote.
Branching
Working with multiple developers -> changing the master branch directly is not good.
o Some changes may not be complete or working as they should.
o Making changes to the master branch itself can make other developers get incorrect or non-working code.
Instead create another branch from master and have each developer work on their own branch
o The main master branch remains intact with working code.
o You can create multiple branches
o Branches are lightweight
o Copies of your code are not made.
o E.g. a separate branch for each bug fix / feature.
In git:
o Run git status to see the base you're currently working from
o Create a new branch using git branch <branch-name>
o Switch to the new branch using git checkout <branch-name>
o At any point, when you want to merge your changes, you can run git merge
    First you need to be on master: git checkout master
    Then you run git merge feature-branch
Branching Workflows
Long-Running Branches
o e.g. entirely stable in their master branch
Topic branches
o Short-lived branches for a particular feature / piece of work
o There are usually multiple topic branches
Progressive-stability branching
o Long-running stable master
o Another parallel branch named develop or next to test stability
o It isn't necessarily always stable, but whenever it gets to a stable state, it can be merged into master
o Used to pull in topic branches & test them so they don't introduce bugs.
Centralized Workflow
Gitflow Workflow
Release-flow
Forking Workflow
Cloning
Once the code is in a shared repository, a developer can clone the repository
They can then create a branch out of the current master branch
They then make changes on their branch
Forking
Copy of the entire repository
Commits do not go against the original repository
Use-cases:
o The main repository might have issues, so a clean new repository is forked for making changes
o Building an application for multiple clients where each client has client-specific features
Pull requests
A dev has cloned a repo > created a new branch > made changes > committed to the branch > pushed the branch to the remote repo > wants to merge the branch into the main branch.
The developer initiates a pull request
o If there are conflicts between main & the uploaded branch
o They need to be resolved
o Approval needs to be put into place for the pull request
Merge (no fast-forward)
Trade-off:
o Pros
    It gives the most insight into how a branch evolves
    Illustrates exactly how a developer (or developers) worked on a pull request
o Cons: since it preserves every commit, it may be very verbose.
Squash commit
Creates a single new commit
o Leads to a simple, straight, linear history
Emulates running git merge pr --squash from the master branch.
The resulting commit is not a merge commit; the individual commits that made up the pull request are discarded.
💡 As individual commits are lost, it's best for teams that use "fix up" commits or do not carefully craft individual commits for review before pushing them.
Rebase
Takes each individual commit in the pull request and cherry-picks it onto the master branch.
Emulates running
i. git rebase master on the pull request branch
ii. git merge pr --ff-only on the master branch.
History is straight and linear, like it is with the "squash" option, but each individual commit is retained.
💡 Useful for teams that practice careful commit hygiene, where each individual commit stands on its own.
Semi-linear merge
Also known as "rebase and merge"
o The commits in the pull request are rebased on top of the master branch
o Then the rebased pull request is merged into the master branch
Emulates running
i. git rebase master on the pull request branch
ii. git merge pr --no-ff on the master branch
Azure Repos
Supports git, TFVC
o TFVC = Team Foundation Version Control
    branches = paths
    more granular permissions, down to file level
In Azure DevOps we have Azure Repos
o It comes with a default repository for the project
You can import repositories from GitHub, TFVC..
You can create PRs in either direction: from fork to upstream, or upstream to fork.
o Most common = from fork to upstream
o The destination repository's permissions, policies, builds, and work items will apply to the PR.
Service connections
Help you connect to external and remote services to execute tasks in a job.
o e.g. connect to a Microsoft Azure subscription, or to services you install on remote computers.
Created at project scope
Permissions
o User: Creator, Reader, User, Administrator roles
o Pipeline: which pipelines can access it
o Project permissions: which other projects can access it (only its own project scope by default)
Permissions
Azure Repos supports Git and Team Foundation Version Control
o In Team Foundation Version Control, you can set permissions at the file level.
Groups
Reader: Clone, fetch, explore contents of a repository. Can also create, comment on, vote and contribute to pull requests.
Contributor & Build Admins: Contribute to a repository, create branches, create tags, manage notes.
Project Admins: Create, delete and rename repositories.
You can modify permissions in each group.
Branch policies
10. Containers
Containers
Have everything packaged in them to allow software to run (e.g. which OS, packages)
Lightweight
Code, runtime, system tools, and libraries
Architecture: Infrastructure -> Host Operating System -> Container Service (Docker) -> Container Apps
Docker
Tool to create container-based applications.
Includes code + any other dependencies to run your code.
Makes it easier to run your container on different computing environments
Architecture
o Daemon => REST API => CLI
o Docker daemon
    Only runs on Linux because it depends on a number of Linux kernel features
    There are ways to run it on Windows / macOS
o The Docker daemon itself exposes a REST API
o Command line tool that lets you talk to the Docker daemon
Dockerfile is a text file that defines the environment
o Each line in the file creates a layer
o FROM ubuntu
    The first statement in the Dockerfile. It refers to the parent image that this new image will be based upon
    An image that doesn't have a parent is called a base image and FROM scratch can be used instead.
Commands:
Multi-stage builds
Problem
o It was popular to maintain two Dockerfiles, one for development and one for production (slimmed)
    E.g. production merged different bash commands with && to avoid creating additional layers.
      Because each RUN instruction creates a new layer in the container image
    E.g. using \ to wrap lines:
      RUN powershell.exe -Command \
          $ErrorActionPreference = 'Stop'; \
          Invoke-WebRequest https://www.python.org/ftp/python/3.5.1/python-3.5.1.exe -OutFile c:\python-3.5.1.exe ; \
          Start-Process c:\python-3.5.1.exe -ArgumentList '/quiet InstallAllUsers=1 PrependPath=1' -Wait ; \
          Remove-Item c:\python-3.5.1.exe -Force
o And then a build.sh was used to copy contents from one docker image to another.
Solution
o Use a multi-stage build: a single Dockerfile whose build stage uses the SDK image and whose runtime stage copies only the published output into the smaller runtime image:
    # Build stage (reconstructed here from the --from=build-env reference; the sheet shows only the runtime stage)
    FROM mcr.microsoft.com/dotnet/core/sdk:2.2 AS build-env
    WORKDIR /app
    COPY . ./
    RUN dotnet publish -c Release -o out
    # Build runtime image (for running the application)
    FROM mcr.microsoft.com/dotnet/core/aspnet:2.2
    WORKDIR /app
    COPY --from=build-env /app/out .
    ENTRYPOINT [ "dotnet", "serverappname.dll" ]
    a. Build application
    b. Run the application
Read more at docker.com
Docker compose
Kubernetes
Kubernetes helps to:
o Orchestrate containers
o Deploy containers
o Maintain and monitor containers
o Scale applications
Architecture:
o Master: Deploy the Docker and Kubernetes tools
o Nodes: Hosts the actual containers.
Azure Service Fabric
A solution making it simple to package, deploy, and manage scalable and reliable containers and microservices.
Assists with developing and managing cloud native applications.
Intended for container-based applications running on enterprise-class, cloud-scale environments.
To be able to deploy using Azure Pipelines:
o Add a new Service Fabric connection
    Requires a cluster endpoint
    Authentication options:
      Azure Active Directory
        Add the server certificate thumbprint of the server cert. used to create the cluster.
        Also the cluster credentials in the Username and Password fields.
      Certificate Based
        Requires:
          Server certificate thumbprint of the server cert. used to create the cluster.
          Client certificate or cluster/server certificate
          Password for the certificate
Or you can create the yaml file yourself using the Docker task:
- stage: Build
  displayName: Build and push stage
  jobs:
  - job: Build
    displayName: Build job
    pool:
      vmImage: $(vmImageName)
    steps:
    - task: Docker@2
      displayName: Build and push an image to container registry
      inputs:
        command: buildAndPush
        repository: $(imageRepository)
        dockerfile: $(dockerfilePath)
        containerRegistry: $(dockerRegistryServiceConnection)
        tags: |
          $(tag)
Creating a cluster
Creates all infrastructure: NSG, route table, VNET, VMs, NICs, availability set, storage account..
o See the Microsoft walkthrough for more information
Configurations
o Select a DNS name
o Choose node VM size
o Select the number of initial nodes
o Authorization
    Create / select a service principal
      Service principals are used to ensure that the cluster can work with other Azure services
    RBAC: Use Azure AD to limit access to cluster resources based on a user's identity or group membership.
o Network: Use an existing VNet or create a new one
o Monitoring: Collected from containers to a Log Analytics workspace through Azure Monitor.
Using CLI
Create a resource group: az group create --name test-rg --location eastus
Create the cluster: az aks create --resource-group test-rg --name testcluster --node-count 1 --enable-addons monitoring --generate-ssh-keys
Install the kubectl CLI to manage the cluster: az aks install-cli --install-location=./kubectl
Connect: to configure kubectl to connect to your Kubernetes cluster, use az aks get-credentials --resource-group test-rg --name testcluster
To verify the connection use kubectl get nodes
Deploy a container and expose it with a manifest (kubectl apply -f <file>):
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-apache-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test-app
  template:
    metadata:
      labels:
        app: test-app # must match spec.selector.matchLabels (the sheet had a typo "apsps" here)
    spec:
      containers:
      - name: testappserver
        image: httpd
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service # To expose the container to the outside world
metadata:
  name: test-app
spec:
  type: LoadBalancer
  ports:
  - port: 80
  selector:
    app: test-app
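The manifest above hinges on labels lining up: the Deployment's spec.selector.matchLabels must match its pod template labels (otherwise the API server rejects it), and the Service's selector must match those pods (otherwise the Service gets no endpoints). The following script, an added example rather than code from the cheat sheet, checks both and also flags container images that are not pinned to a tag or digest. The manifests are embedded as Python dicts (constructed, mirroring the test-app example) so it runs without PyYAML; with PyYAML installed you would pass the output of yaml.safe_load_all() to check_manifests() instead. with_label_typo() reproduces the kind of mistake (a mistyped label key) that the check catches.

```python
"""Consistency checks for Kubernetes manifests before `kubectl apply`.

Added example, not from the cheat sheet. Manifests are constructed Python
dicts mirroring the sheet's test-app Deployment and Service.
"""
import copy
from typing import Dict, List

DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "test-apache-app"},
    "spec": {
        "replicas": 1,
        "selector": {"matchLabels": {"app": "test-app"}},
        "template": {
            "metadata": {"labels": {"app": "test-app"}},
            "spec": {
                "containers": [
                    {"name": "testappserver", "image": "httpd",
                     "ports": [{"containerPort": 80}]}
                ]
            },
        },
    },
}

SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {"name": "test-app"},
    "spec": {
        "type": "LoadBalancer",
        "ports": [{"port": 80}],
        "selector": {"app": "test-app"},
    },
}


def selects(selector: Dict[str, str], labels: Dict[str, str]) -> bool:
    """Equality-based selection: every selector key/value must be present in labels."""
    return bool(selector) and all(labels.get(k) == v for k, v in selector.items())


def pod_labels(dep: Dict) -> Dict[str, str]:
    return dep["spec"]["template"]["metadata"].get("labels", {})


def check_deployment(dep: Dict) -> List[str]:
    """The API server rejects a Deployment whose selector does not match its template labels."""
    name = dep["metadata"]["name"]
    findings: List[str] = []
    selector = dep["spec"].get("selector", {}).get("matchLabels", {})
    if not selects(selector, pod_labels(dep)):
        findings.append(f"Deployment {name}: selector {selector} does not match "
                        f"template labels {pod_labels(dep)}")
    for c in dep["spec"]["template"]["spec"].get("containers", []):
        image = c["image"]
        # No tag or digest on the last path segment means :latest, so rollouts are not reproducible.
        if ":" not in image.rsplit("/", 1)[-1] and "@" not in image:
            findings.append(f"Deployment {name}: container {c['name']} image '{image}' "
                            f"is not pinned to a tag or digest")
    return findings


def check_service(svc: Dict, deployments: List[Dict]) -> List[str]:
    """A Service whose selector matches no Deployment's pods has no endpoints."""
    name = svc["metadata"]["name"]
    selector = svc["spec"].get("selector", {})
    backed = [d["metadata"]["name"] for d in deployments if selects(selector, pod_labels(d))]
    if not backed:
        return [f"Service {name}: selector {selector} matches no Deployment pod template"]
    return []


def check_manifests(docs: List[Dict]) -> List[str]:
    deployments = [d for d in docs if d.get("kind") == "Deployment"]
    services = [d for d in docs if d.get("kind") == "Service"]
    findings: List[str] = []
    for d in deployments:
        findings += check_deployment(d)
    for s in services:
        findings += check_service(s, deployments)
    return findings


def with_label_typo(dep: Dict) -> Dict:
    """Reproduce the mismatch caused by a mistyped label key ('apsps' instead of 'app')."""
    broken = copy.deepcopy(dep)
    broken["spec"]["template"]["metadata"]["labels"] = {"apsps": "test-app"}
    return broken


if __name__ == "__main__":
    for f in check_manifests([DEPLOYMENT, SERVICE]) or ["ok"]:
        print(f)
    for f in check_manifests([with_label_typo(DEPLOYMENT), SERVICE]):
        print(f)
```

Run as-is it reports only the unpinned httpd image for the manifest as written; with the mistyped label it additionally reports the selector mismatch and the Service that no longer selects any pods.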
Using ARM
App Center
Automate & manage the lifecycle of iOS, Android, Windows and macOS applications.
o Connect to your repositories & automate your builds
o Test builds on real devices in the cloud
o Distribute apps to beta testers
o Monitor real-world usage with crash and analytics data
o Get feedback from users on new features
📝 It's used to:
o Manage mobile target device sets and distribution groups
o Manage target UI test device sets
o Provision tester devices for deployment
o Create public and private distribution groups
Distribution groups
Control access to releases
A set of users, e.g. QA team, canary users etc., for releases such as Staging.
Release the application to users via distribution groups
Types 📝
o Private: Invited by e-mail to test the application
o Public: Unauthenticated users download the application with a link.
o Shared: Shared across multiple applications in a single organization.
    Created at organization level, not application level.
Device registration - example for an iOS application
o Devices have to be specified in the provisioning profile for the application
o App Center will help register the tester device IDs into the Apple Development account
o You will need the .p12 certificate which was used to sign the application at build time.
Releasing an application
Android
o Ensure you have updated the manifest and have a correctly configured Gradle build.
o In Android Studio, choose Build > Generate Signed Bundle / APK and
follow the steps in the wizard to build the app bundle or APK.
iOS / macOS
o ❗ Register each tester's devices on the Apple Developer portal as test devices.
o In Xcode, go to Product > Archive to archive your app.
o Export the archive using the proper provisioning profile.
Windows: .appx, .appxbundle, .appxupload, .msi, .msix, .msixbundle, .msixupload,
or .zip
Other OS: .zip
Infrastructure as code
DevOps + Agile => Needs faster techniques to provision infrastructure
o E.g. create test environments & terminate quickly
Good for disaster recovery.
There are many tools to automate the underlying infrastructure
ARM template structure:
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "", // (Required) Your own version to ensure the right template is deployed
  "apiProfile": "", // API versions for resource types.
  "parameters": { }, // prompted when deployment is executed.
  "variables": { },
  "functions": [ ],
  "resources": [ ], // (Required) Resource types that are deployed or updated
  "outputs": { } // Values that you want to return after deployment.
}
Nested templates
💡 Recommended way to deploy multiple ARM templates.
Reasons
o A template can grow long and unmanageable
o Difficult to deploy the template for customized environments
    E.g. an environment needs everything in the template except one component.
o Automation becomes difficult to accomplish
Solution
o Modularize your templates to the minimum, e.g. per resource
o You then create a main template, and you can
    nest other templates into the main template by defining them there
    or add URLs to child templates as linked templates
      Pros: Child templates are reusable!
      Cons: All templates must exist in the remote.
To create multiple instances of a resource with a nested template
o you can add a copy element to copy an existing child template.
Managing secrets
E.g. username & password for a VM.
Static ID: Key Vault reference in the parameter file
  "adminPassword": {
    "reference": {
      "keyVault": {
        "id": "/subscriptions/<subscription-id>/resourceGroups/examplegroup/providers/Microsoft.KeyVault/vaults/<vault-name>"
      },
      "secretName": "examplesecret"
    }
  }
Pros
o Existing ARM templates are not changed.
o Only parameter files are changed to include Azure Key Vault references.
Cons
o Within the parameter file, the Azure Key Vault resource ID must be hard-coded.
o The hard-coded resource ID includes the subscription ID, which might be considered sensitive data.
Dynamic ID: Key Vault reference built in a nested template
Use this when you do not want to hard-code the Key Vault ID (e.g. the subscription ID).
Dynamically constructing the ID does not work in an ARM template, nor in a parameters file; nested templates are the key to using a dynamic ID.
Notice templateLink
o It links to another ARM file that will use the secret value as a string
o The template must exist in the remote location
{
  "apiVersion": "2015-01-01",
  "name": "nestedTemplate",
  "type": "Microsoft.Resources/deployments",
  "properties": {
    "mode": "Incremental",
    "templateLink": {
      "uri": "[concat(parameters('templateBaseUri'), 'my-nested-template.json')]",
      "contentVersion": "1.0.0.0"
    },
    "parameters": {
      "resourcegroup": {
        "value": "[parameters('resourcegroup')]"
      },
      "vaultName": {
        "value": "[parameters('vaultName')]"
      },
      "secretToPass": { // here the vault ID & secret name are generated dynamically
        "reference": {
          "keyVault": {
            "id": "[resourceId(subscription().subscriptionId, parameters('resourcegroup'), 'Microsoft.KeyVault/vaults', parameters('vaultName'))]"
          },
          "secretName": "examplesecret"
        }
      }
    }
  }
}
Pros
o No hard-coded value is required.
Cons
o Additional linked templates must be written, increasing maintenance effort.
Alternatively, nest the child template inline with "expressionEvaluationOptions": { "scope": "inner" }, so no remote linked template is needed:
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vaultName": {
      "type": "string",
      "metadata": {
        "description": "The name of the keyvault that contains the secret."
      }
    },
    "secretName": {
      "type": "string",
      "metadata": {
        "description": "The name of the secret."
      }
    },
    "vaultResourceGroupName": {
      "type": "string",
      "metadata": {
        "description": "The name of the resource group that contains the keyvault."
      }
    },
    "vaultSubscription": {
      "type": "string",
      "defaultValue": "[subscription().subscriptionId]",
      "metadata": {
        "description": "The name of the subscription that contains the keyvault."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2018-05-01",
      "name": "dynamicSecret",
      "properties": {
        "mode": "Incremental",
        "expressionEvaluationOptions": {
          "scope": "inner"
        },
        "template": { // nested child template
          "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {
            "adminPassword": { // gets its value from the parent
              "type": "securestring"
            }
          },
          // ... stripped rest of the template
        },
        "parameters": {
          "adminPassword": { // here the vault ID & secret name are generated dynamically
            "reference": {
              "keyVault": {
                "id": "[resourceId(parameters('vaultSubscription'), parameters('vaultResourceGroupName'), 'Microsoft.KeyVault/vaults', parameters('vaultName'))]"
              },
              "secretName": "[parameters('secretName')]"
            }
          }
        }
      }
    }
  ],
  "outputs": {
  }
}
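Both ways of getting a secret into a deployment shown above (a static vault ID in the parameter file, or a resourceId() expression in a nested template) can be checked mechanically before a pipeline runs the deployment. The script below is an added example, not code from the cheat sheet; TEMPLATE, PARAMS_PLAIN, PARAMS_STATIC and NESTED_DYNAMIC are constructed samples and the subscription GUID in them is a dummy value. It reports securestring parameters that a parameter file supplies as literal values, Key Vault references whose id hard-codes a subscription GUID (the static-ID con listed above), and, for templates, vault ids that are not built with resourceId().

```python
"""Check how secrets reach an ARM deployment (static vs. dynamic Key Vault ID).

Added example, not from the cheat sheet. All sample documents below are
constructed; the subscription GUID is a dummy value.
"""
import re
from typing import Any, Dict, Iterator, List, Set, Tuple

# Constructed template: adminPassword is a securestring and must never be a literal.
TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "adminLogin": {"type": "string"},
        "adminPassword": {"type": "securestring"},
    },
    "resources": [],
}

# Constructed parameter file that leaks the password as a literal value.
PARAMS_PLAIN = {"parameters": {"adminLogin": {"value": "exampleadmin"},
                               "adminPassword": {"value": "NotASecretAnymore1!"}}}

# Constructed parameter file in the static-ID style (dummy subscription GUID).
PARAMS_STATIC = {"parameters": {
    "adminLogin": {"value": "exampleadmin"},
    "adminPassword": {"reference": {
        "keyVault": {"id": "/subscriptions/00000000-0000-0000-0000-000000000000"
                           "/resourceGroups/examplegroup/providers/Microsoft.KeyVault/vaults/examplevault"},
        "secretName": "examplesecret"}},
}}

# Constructed nested-deployment parameters in the dynamic-ID style.
NESTED_DYNAMIC = {"parameters": {"adminPassword": {"reference": {
    "keyVault": {"id": "[resourceId(parameters('vaultSubscription'), "
                       "parameters('vaultResourceGroupName'), 'Microsoft.KeyVault/vaults', "
                       "parameters('vaultName'))]"},
    "secretName": "[parameters('secretName')]"}}}}

SUBSCRIPTION_GUID = re.compile(r"/subscriptions/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}/", re.I)


def walk(node: Any, path: str = "") -> Iterator[Tuple[str, Dict]]:
    """Yield (json-path, dict) for every object in the document, depth first."""
    if isinstance(node, dict):
        yield path, node
        for k, v in node.items():
            yield from walk(v, f"{path}/{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk(v, f"{path}[{i}]")


def keyvault_refs(doc: Any) -> List[Tuple[str, str]]:
    """(path, vault id) for each {"reference": {"keyVault": {...}}} block in doc."""
    refs = []
    for path, obj in walk(doc):
        ref = obj.get("reference")
        if isinstance(ref, dict) and isinstance(ref.get("keyVault"), dict):
            refs.append((path, str(ref["keyVault"].get("id", ""))))
    return refs


def secure_parameters(template: Dict) -> Set[str]:
    """Names of parameters declared securestring/secureobject in the template."""
    return {n for n, p in template.get("parameters", {}).items()
            if str(p.get("type", "")).lower() in ("securestring", "secureobject")}


def check_parameter_file(template: Dict, params: Dict) -> List[str]:
    """Plain values for secure parameters, and static (GUID-bearing) vault ids."""
    findings = []
    secure = secure_parameters(template)
    for name, entry in params.get("parameters", {}).items():
        if name in secure and "value" in entry:
            findings.append(f"{name}: securestring supplied as a plain value; use a Key Vault reference")
    for path, vault_id in keyvault_refs(params):
        if SUBSCRIPTION_GUID.search(vault_id):
            findings.append(f"{path}: Key Vault id hard-codes a subscription id (static ID)")
    return findings


def check_dynamic_refs(doc: Dict) -> List[str]:
    """Inside a template, the vault id should be an expression built with resourceId()."""
    return [f"{path}: Key Vault id is not built with resourceId()"
            for path, vault_id in keyvault_refs(doc)
            if not (vault_id.startswith("[") and "resourceId(" in vault_id)]


if __name__ == "__main__":
    for label, result in (("plain", check_parameter_file(TEMPLATE, PARAMS_PLAIN)),
                          ("static", check_parameter_file(TEMPLATE, PARAMS_STATIC)),
                          ("dynamic", check_dynamic_refs(NESTED_DYNAMIC))):
        print(label, result or "ok")
```

The GUID check deliberately ignores placeholders such as <subscription-id>, so the sheet's own snippets would pass it; only a real subscription GUID committed to a parameter file is reported.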
13. Configuration as Code (PowerShell DSC & Azure Automation & Custom Script)
Configuration as Code
PowerShell Desired State Configuration
Management platform in PowerShell
Manage IT infrastructure with configuration as code
PowerShell DSC consists of Configurations.
o Declarative PowerShell scripts
o Used to define the configuration of the underlying resources they are attached to.
Resources
o Contain the code that keeps the target of a configuration in a specified state.
    E.g. if the VM changes, ensure IIS (Web-Server) will be in its configured state:
    configuration IISInstall {
        node "localhost" { # Ensure applied to this node
            WindowsFeature IIS {
                Ensure = "Present"
                Name   = "Web-Server"
            }
        }
    }
Azure Automation
Official walkthrough
📝 Steps
i. Create an automation account (New-AzureRmAutomationAccount)
    Enable the option to create an Azure Run As account
      It's an AD service principal that Azure creates and assigns the Contributor RBAC role to.
      Allows you to authenticate with Azure when managing resources
      Automates the use of global runbooks configured in Azure alerts
ii. Upload the Desired State Configuration (Import-AzureRmAutomationDscConfiguration)
    Create a DSC configuration script & upload it
iii. Compile the configuration (Start-AzureRmAutomationDscCompilationJob)
    A DSC configuration must be compiled into a node configuration before it can be assigned to a node.
    Behind the scenes it compiles the PowerShell script to a .mof (Managed Object Format) file that has C++-like syntax.
iv. Register a VM as a node to the automation account (Register-AzureRmAutomationDscNode)
    Add the VM in DSC → Nodes.
    Configuration settings:
      The Local Configuration Manager (LCM) is the engine of Desired State Configuration (DSC)
      Configuring LCM:
Custom Script Extension
o Runs a script (e.g. start.ps1) on the VM after provisioning, for example to install IIS:
    Import-Module ServerManager
    Install-WindowsFeature Web-Server -IncludeAllSubFeature
o The script is attached to the VM as an extension resource in the ARM template:
    {
      "name": "MyCustomScriptExtension",
      "type": "extensions",
      // ...
      "properties": {
        "publisher": "Microsoft.Compute",
        "type": "CustomScriptExtension",
        // ...
        "settings": {
          "fileUris": [
            "[concat('https://', variables('storageName'), '.blob.core.windows.net/customscripts/start.ps1')]"
          ],
          "commandToExecute": "powershell.exe -ExecutionPolicy Unrestricted -File start.ps1"
        }
      }
    }
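Two things are worth checking in a Custom Script Extension resource like the one above before it reaches a VM: that every fileUris entry is fetched over https, and that nothing secret (a SAS token in a script URL, a storage account key, or a commandToExecute that carries a password) sits in settings rather than protectedSettings, because Azure stores and returns settings in clear text and encrypts only protectedSettings for the VM. The script below is an added example, not code from the cheat sheet. EXTENSION is a constructed copy of the snippet with the concat() expression replaced by a literal URL and a placeholder storage account name (an ARM expression would have to be evaluated before this check applies); move_secrets_to_protected() returns a corrected copy.

```python
"""Pre-deployment review of a CustomScriptExtension resource.

Added example, not from the cheat sheet. EXTENSION is constructed from the
sheet's snippet; the storage account name is a placeholder.
"""
import copy
from typing import Dict, List
from urllib.parse import urlparse

EXTENSION = {
    "name": "MyCustomScriptExtension",
    "type": "extensions",
    "properties": {
        "publisher": "Microsoft.Compute",
        "type": "CustomScriptExtension",
        "settings": {
            "fileUris": ["https://examplestorage.blob.core.windows.net/customscripts/start.ps1"],
            "commandToExecute": "powershell.exe -ExecutionPolicy Unrestricted -File start.ps1",
        },
    },
}

# Substrings that suggest a command line or URL carries a credential.
SECRET_MARKERS = ("sig=", "password", "accountkey", "token")


def check_extension(ext: Dict) -> List[str]:
    """Return review findings for one extension resource (empty list = nothing found)."""
    props = ext.get("properties", {})
    settings = props.get("settings", {}) or {}
    protected = props.get("protectedSettings", {}) or {}
    findings: List[str] = []
    # Scripts must come over https wherever the URI is placed.
    for uri in list(settings.get("fileUris", [])) + list(protected.get("fileUris", [])):
        if urlparse(uri).scheme != "https":
            findings.append(f"fileUris entry '{uri}' is not served over https")
    # Anything secret belongs in protectedSettings, which Azure encrypts.
    for uri in settings.get("fileUris", []):
        if "sig=" in uri.lower():
            findings.append("SAS token in settings.fileUris; move the entry to protectedSettings.fileUris")
    if "storageAccountKey" in settings:
        findings.append("storageAccountKey in settings; it belongs in protectedSettings")
    cmd = str(settings.get("commandToExecute", ""))
    if any(m in cmd.lower() for m in SECRET_MARKERS):
        findings.append("commandToExecute in settings appears to carry a secret; move it to protectedSettings")
    return findings


def move_secrets_to_protected(ext: Dict) -> Dict:
    """Return a copy of ext with secret-bearing items moved into protectedSettings."""
    fixed = copy.deepcopy(ext)
    props = fixed.setdefault("properties", {})
    settings = props.setdefault("settings", {})
    protected = props.setdefault("protectedSettings", {})
    uris = list(settings.get("fileUris", []))
    tokenised = [u for u in uris if "sig=" in u.lower()]
    if tokenised:
        protected["fileUris"] = list(protected.get("fileUris", [])) + tokenised
        settings["fileUris"] = [u for u in uris if "sig=" not in u.lower()]
    for key in ("storageAccountKey", "storageAccountName"):
        if key in settings:
            protected[key] = settings.pop(key)
    cmd = str(settings.get("commandToExecute", ""))
    if any(m in cmd.lower() for m in SECRET_MARKERS):
        protected["commandToExecute"] = settings.pop("commandToExecute")
    return fixed


if __name__ == "__main__":
    print(check_extension(EXTENSION) or "ok")
```

The http finding survives move_secrets_to_protected() on purpose: relocating a URL does not make its transport safe, so that one has to be fixed at the source.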