Azure Environment
The user account provisioned through the Katacoda environment has access to an isolated resource group per user, defined under O’Reilly’s global subscription. Note that the temporary user account is active for 60 minutes and is then deactivated. Please see the beta Azure scenario example (through direct link only) on learning.oreilly.com and an example source.
Scenario Set-up
- Base imageID to configure in index.json:
"imageid": "orm-azure"
- index.json should be configured to auto-execute the set-env.sh script.
"intro": { "text": "intro.md", "courseData": "background.sh", "code": "set-env.sh" },
- The set-env.sh script should include:
chmod +x /opt/get-azure
for i in {1..20}; do /opt/get-azure && . ~/.azureenv && break || sleep 1; done
The environment includes Azure credentials in the file ~/.azure-resp, and there is a helper script /opt/get-azure that, together with ~/.azureenv (sourced by set-env.sh), configures the following environment variables:
- Username: the Azure Active Directory user’s principal name. Follows the pattern user-<random_characters>@oreilly-katacoda-cloudtraining.com.
- Password: the Azure Active Directory user’s password.
- Resource: each user has one resource group under a common subscription (Azure subscription 1). The resource group has the same name as the Active Directory user. For example, if the user is user-zzzpzxkshdzs@oreilly-katacoda-cloudtraining.com, the resource group is user-zzzpzxkshdzs. The resource group name is also available in the $resource environment variable.
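The retry loop in set-env.sh above silently falls through after its last attempt: if /opt/get-azure never succeeds, the scenario continues with no credentials and the first az command fails with a confusing error. The wrapper below is an added example, not the page’s own set-env.sh, that bounds the retries, checks that sourcing ~/.azureenv actually defined $resource, and fails loudly otherwise. The helper path, the env file and the variable name resource come from this page; the function name, its parameters and its exit codes are this example’s own choices, and it assumes the helper exits non-zero until credentials are ready.

```bash
#!/usr/bin/env bash
# Added example, not the page's own set-env.sh: a bounded retry around the
# credential helper that fails loudly when the environment never becomes
# usable. A bare "/opt/get-azure && . ~/.azureenv && break || sleep 1" loop
# simply falls through after its last attempt and the scenario continues
# with no Azure credentials set.
#
# Taken from this page: the helper /opt/get-azure, the env file ~/.azureenv
# and the variable "resource". Assumptions of this example: the helper exits
# non-zero until credentials are ready, and the env file is a sourceable
# "name=value" file that defines resource.

# fetch_azure_env [helper] [envfile] [max_tries] [delay_seconds]
#   Runs helper until it exits 0 and sourcing envfile defines a non-empty
#   $resource, then leaves those variables set in the caller's shell.
#   Returns 0 on success, 1 if max_tries attempts were exhausted.
fetch_azure_env() {
  local helper=${1:-/opt/get-azure}
  local envfile=${2:-$HOME/.azureenv}
  local max_tries=${3:-20}
  local delay=${4:-1}
  local i=0
  while [ "$i" -lt "$max_tries" ]; do
    i=$((i + 1))
    if "$helper" && [ -r "$envfile" ]; then
      # shellcheck disable=SC1090
      . "$envfile"
      if [ -n "${resource:-}" ]; then
        return 0
      fi
      echo "fetch_azure_env: $envfile sourced but \$resource is unset (attempt $i)" >&2
    fi
    if [ "$i" -lt "$max_tries" ]; then
      sleep "$delay"
    fi
  done
  echo "fetch_azure_env: no usable credentials after $max_tries attempts" >&2
  return 1
}

# Equivalent of the page's set-env.sh snippet, with failure made explicit.
# Guarded so this file can also be sourced on a machine without the helper.
if [ -f /opt/get-azure ]; then
  chmod +x /opt/get-azure
  fetch_azure_env /opt/get-azure "$HOME/.azureenv" 20 1 || exit 1
fi
```

Because the env file is sourced inside the function without `local` declarations, the variables it defines (including resource) remain visible to the rest of set-env.sh and to the shell that sources it, exactly as with the original one-liner.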
The user is assigned the custom role CloudLabsOwner on their resource group. The role is based on the built-in Owner role, with the following notActions:
"notActions": [
"Microsoft.Authorization/policyAssignments/write",
"Microsoft.Authorization/policyAssignments/delete",
"Microsoft.Authorization/policyAssignments/exempt/action",
"Microsoft.Authorization/policyExemptions/read",
"Microsoft.Authorization/policyExemptions/write",
"Microsoft.Authorization/policyExemptions/delete",
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete",
"Microsoft.Authorization/roleDefinitions/read",
"Microsoft.Authorization/roleDefinitions/write",
"Microsoft.Authorization/roleDefinitions/delete"
]
These actions are excluded to prevent users from manipulating internal policies, to restrict resource providers, and to manage costs. Note that notActions only subtract from what this role grants; they are not deny assignments. The user therefore keeps everything else Owner permits within the resource group (for example Microsoft.Authorization/policyDefinitions/write, listed under Supported below), but cannot read or change role assignments or role definitions, and so cannot grant additional access to themselves or to others.
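To see how the notActions above combine with Owner’s wildcard grant, the following is an added example (not part of the O’Reilly/Katacoda documentation) that evaluates an ARM control-plane action against a role definition the way Azure RBAC does for a single role assignment: the effective permission set is Actions minus NotActions, `*` matches any run of characters including `/`, and matching is case-insensitive. The role is reconstructed from this page’s description of CloudLabsOwner (Owner’s `*` plus the notActions listed above) and is a constructed sample, not an export of the real role definition. DataActions and deny assignments are not modelled, and the unregister and impersonate actions listed under Blocked Actions further down are enforced by a mechanism the page does not name, so they are not modelled either.

```bash
#!/usr/bin/env bash
# Added example (not part of the O'Reilly/Katacoda environment docs): evaluate
# an ARM control-plane action against a custom role definition the way Azure
# RBAC does for a single role assignment: the effective permission set is
# Actions minus NotActions, '*' matches any run of characters (including '/'),
# and matching is case-insensitive. Only control-plane Actions/NotActions are
# modelled; DataActions and deny assignments are out of scope.
#
# The role below is a sample reconstructed from this page's description of
# CloudLabsOwner (the built-in Owner's "*" plus the listed notActions). It is
# not an export of the real role definition.

ROLE_ACTIONS=("*")
ROLE_NOT_ACTIONS=(
  "Microsoft.Authorization/policyAssignments/write"
  "Microsoft.Authorization/policyAssignments/delete"
  "Microsoft.Authorization/policyAssignments/exempt/action"
  "Microsoft.Authorization/policyExemptions/read"
  "Microsoft.Authorization/policyExemptions/write"
  "Microsoft.Authorization/policyExemptions/delete"
  "Microsoft.Authorization/roleAssignments/read"
  "Microsoft.Authorization/roleAssignments/write"
  "Microsoft.Authorization/roleAssignments/delete"
  "Microsoft.Authorization/roleDefinitions/read"
  "Microsoft.Authorization/roleDefinitions/write"
  "Microsoft.Authorization/roleDefinitions/delete"
)

# action_matches PATTERN ACTION
#   Returns 0 when ACTION matches the RBAC PATTERN. Both are lower-cased so
#   that "Microsoft.web/..." and "Microsoft.Web/..." compare equal, and the
#   pattern is used unquoted in `case` so its '*' acts as a glob.
action_matches() {
  local pat action
  pat=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  action=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$action" in
    $pat) return 0 ;;
  esac
  return 1
}

# rbac_effective ACTION
#   Prints "allowed" if some entry in ROLE_ACTIONS matches ACTION and no entry
#   in ROLE_NOT_ACTIONS does; otherwise prints "denied". Always returns 0 so
#   it can be used inside $(...) under `set -e`.
rbac_effective() {
  local action=$1 p
  for p in "${ROLE_NOT_ACTIONS[@]}"; do
    if action_matches "$p" "$action"; then
      echo denied
      return 0
    fi
  done
  for p in "${ROLE_ACTIONS[@]}"; do
    if action_matches "$p" "$action"; then
      echo allowed
      return 0
    fi
  done
  echo denied
}

# Demo: operations a lab user is likely to try in their resource group.
for a in \
  "Microsoft.Compute/virtualMachines/write" \
  "Microsoft.Authorization/policyDefinitions/write" \
  "Microsoft.Authorization/policyAssignments/write" \
  "Microsoft.Authorization/roleAssignments/write" \
  "Microsoft.Authorization/roleAssignments/read"
do
  printf '%-55s %s\n' "$a" "$(rbac_effective "$a")"
done
```

Running the demo shows the split the role is designed for: policy definitions can still be written, but assigning a policy, or reading or writing a role assignment, is denied. Because the check is per role, a second role assignment granting the same action at the resource group or a higher scope would re-enable it; only a deny assignment would block it regardless.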
Note: The resource group region is limited to East US (eastus).
Resource Providers
Listed below are the resource providers currently allowed and disallowed for scenarios. If one you need is missing, please submit a support ticket for evaluation; we are actively expanding the list.
Supported
If the resource provider is not explicitly stated in this list, it is not currently supported.
- Microsoft.ContainerRegistry
- Microsoft.ContainerService
- Microsoft.ContainerInstance
- Microsoft.Sql
- Microsoft.Storage
- Microsoft.Compute
- Microsoft.DocumentDB
- Microsoft.Web
- Microsoft.KeyVault
- Microsoft.EventHub
- Microsoft.ServiceBus
- Microsoft.Network
- Microsoft.Cdn
- Microsoft.Synapse
- Microsoft.Authorization/policyDefinitions/write
- Microsoft.Authorization/policyDefinitions/read
- Microsoft.DevTestLab
- Microsoft.OperationalInsights
- Microsoft.PolicyInsights
- Microsoft.OperationsManagement
- Microsoft.HDInsight
- Microsoft.CognitiveServices
- Microsoft.Databricks
- Microsoft.ManagedIdentity
Unavailable
- Microsoft.Blueprint
- Microsoft.CostManagement/exports
- Microsoft.AzureActiveDirectory
- Subscription Management
Blocked Actions
- Microsoft.ContainerService/managedClusters/users/impersonate/action
- Microsoft.ContainerService/unregister/action
- Microsoft.Sql/unregister/action
- Microsoft.Compute/unregister/action
- Microsoft.Web/unregister/action
- Microsoft.KeyVault/unregister/action
- Microsoft.EventHub/unregister/action
- Microsoft.ServiceBus/unregister/action
- Microsoft.Network/unregister/action
- Microsoft.Cdn/unregister/action
- Microsoft.OperationalInsights/unregister/action
- Microsoft.PolicyInsights/unregister/action
App Service Plan
Allowed: Free, Shared, Basic, and Standard service plans.
- SKU names F1, D1, B1, B2, B3, S1, S2, S3
Virtual Machines
Allowed: general-purpose VMs with at most 8 vCPUs and 32 GB of memory.
- Sizes: B, Dsv3, Dv3, Dasv4, Dav4, DSv2, Dv2, Av2, DC, DCv2, Dv4, Dsv4, Ddv4, Ddsv4, Dv5, Dsv5, Ddv5, Ddsv5, Dasv5, Dadsv5.
Cognitive Services
- Allowed SKUs: F0, S0, S1, S2.
Databricks
- Allowed standard workspaces.
Elastic Pools
- Allowed Basic, Standard tiers.
Microsoft.SQL
- Allowed SKUs (requestedServiceObjectiveName): Free, Basic, S0, S1, S2, S3, S4, S6, S7, S9, S12, DW100c, DW200c.
Synapse Big Data Pools
- Allowed node sizes: Small and Medium.
Virtual Machine Scale Sets
Allowed: general-purpose VMs with at most 8 vCPUs and 32 GB of memory.
- Sizes: B, Dsv3, Dv3, Dasv4, Dav4, DSv2, Dv2, Av2, DC, DCv2, Dv4, Dsv4, Ddv4, Ddsv4, Dv5, Dsv5, Ddv5, Ddsv5, Dasv5, Dadsv5.
Guidelines
Resource Groups and Providers
Don’t create or delete resource groups. Use the provided resource group, whose name is available in the $resource environment variable.
Don’t
az group create --name lesson38rg --location eastus
az group delete --name lesson38rg --no-wait --yes
Do
az vm create --name 'MyVM' \
--image UbuntuLTS \
--location eastus \
--resource-group $resource \
--admin-username azureuser \
--public-ip-sku Basic
az monitor activity-log list --resource-group $resource
az monitor autoscale list --resource-group $resource
Don’t register the resource provider. The resource provider should be already registered, and if it is not, let us know. If it falls within the current development scope, we can register the provider.
Azure Kubernetes Service
Don’t include the enable-addons monitoring option when creating a new cluster.
Don’t
az aks create \
--resource-group $resource \
--name lesson08AksCluster \
--node-count 3 \
--enable-addons monitoring \
--generate-ssh-keys
Do
az aks create \
--resource-group $resource \
--name lesson08AksCluster \
--node-count 3 \
--generate-ssh-keys
KeyVault
Don’t use Key Vault commands that operate on subscription-scoped resources, such as the soft-deleted vault records that list-deleted, recover and purge act on. For example:
az keyvault list-deleted
az keyvault recover --location eastus --name $keyVaultName --resource-group $resource
az keyvault purge --name $keyVaultName