Link Search Menu Expand Document

Azure Environment

Azure Environment

The user account provisioned through the Katacoda environment will have access to an isolated resource group per user, defined under O’Reilly’s global subscription. Note that the temporary user account is active for 60-minutes then deactivated. Please see the beta Azure scenario example (through direct link only) on learning.oreilly.com and an example source.

Scenario Set-up

  1. Base imageID to configure in index.json: 
     "imageid": "orm-azure"
  2. index.json should be configured to auto-execute the set-env.sh script. 
     "intro": {
     "text": "intro.md",
     "courseData": "background.sh",
     "code": "set-env.sh",
     },
  3. The set-env.sh script should include: 
     chmod +x /opt/get-azure
 for i in {1..20}; 
 do 
     /opt/get-azure && . ~/.azureenv && break || sleep 1; 
 done

    The environment includes Azure credentials in the file ~/.azure-resp, and there is a helper script /opt/get-azure that configures the following environment variables:

  • Username: Active Directory user’s principal name. Follows the pattern user-*<random_characters>@oreilly-katacoda-cloudtraining.com.
  • Password: Active Directory user’s password.
  • Resource: Each user has one resource group associated under a common subscription (Azure subscription 1). The resource group has the same name as the active directory user. For example, if the user is user-zzzpzxkshdzs@oreilly-katacoda-cloudtraining.com, the resource group is user-zzzpzxkshdzs. This resource group name can also be referenced using the $resource variable.

The user is assigned the role CloudLabsOwner, for their associated resource group. This role is a custom role based on the built-in Owner role but with notActions:

    "notActions": [
               "Microsoft.Authorization/policyAssignments/write",
               "Microsoft.Authorization/policyAssignments/delete",
               "Microsoft.Authorization/policyAssignments/exempt/action",
               "Microsoft.Authorization/policyExemptions/read",
               "Microsoft.Authorization/policyExemptions/write",
               "Microsoft.Authorization/policyExemptions/delete",
               "Microsoft.Authorization/roleAssignments/read",
               "Microsoft.Authorization/roleAssignments/write",
               "Microsoft.Authorization/roleAssignments/delete",
               "Microsoft.Authorization/roleDefinitions/read",
               "Microsoft.Authorization/roleDefinitions/write",
               "Microsoft.Authorization/roleDefinitions/delete"
           ], These actions are disabled to prevent the users from manipulating internal policies and to restrict resource providers and manage costs.

Note: The resource group region is limited to the Eastern United States.

Resource Providers

Listed below are the resource providers currently allowed/disallowed for scenarios. If one is missing, please submit a support ticket for our evaluation. We are actively expanding our capacities.

Supported

If the resource provider is not explicitly stated in this list, it is not currently supported.

- Microsoft.ContainerRegistry
- Microsoft.ContainerService
- Microsoft.ContainerInstance
- Microsoft.Sql
- Microsoft.Storage
- Microsoft.Compute
- Microsoft.DocumentDB
- Microsoft.Web
- Microsoft.KeyVault
- Microsoft.EventHub
- Microsoft.ServiceBus
- Microsoft.Network
- Microsoft.Cdn
- Microsoft.Synapse
- Microsoft.Authorization/policyDefinitions/write
- Microsoft.Authorization/policyDefinitions/read
- Microsoft.DevTestLab
- Microsoft.OperationalInsights
- Microsoft.PolicyInsights
- Microsoft.OperationsManagement
- Microsoft.HDInsight
- Microsoft.CognitiveServices
- Microsoft.Databricks
- Microsoft.ManagedIdentity

Unavailable 

- Microsoft.Blueprint
- Microsoft.CostManagement/exports
- Microsoft.AzureActiveDirectory
- Subscription Management

Blocked Actions 

- Microsoft.ContainerService/managedClusters/users/impersonate/action
- Microsoft.ContainerService/unregister/action
- Microsoft.Sql/unregister/action
- Microsoft.Compute/unregister/action
- Microsoft.web/unregister/action
- Microsoft.KeyVault/unregister/action
- Microsoft.EventHub/unregister/action
- Microsoft.ServiceBus/unregister/action
- Microsoft.Network/unregister/action
- Microsoft.Cdn/unregister/action
- Microsoft.operationalinsights/unregister/action
- Microsoft.PolicyInsights/unregister/action

App Service Plan

Allowed Free and shared, basic, and standard service plans. Docs

  • SKU names F1, D1, B1, B2, B3, S1, S2, S3

Virtual Machines

Allowed General purpose VMs with vCpu <= 8 and memoryGB <=32. Docs

  • Sizes: B, Dsv3, Dv3, Dasv4, Dav4, DSv2, Dv2, Av2, DC, DCv2, Dv4, Dsv4, Ddv4, Ddsv4, Dv5, Dsv5, Ddv5, Ddsv5, Dasv5, Dadsv5.

Cognitive Services 

- Allowed SKUs: F0, S0, S1, S2.

Databricks 

- Allowed standard workspaces.

Elasticpools 

- Allowed Basic, Standard tiers.

Microsoft.SQL 

- Allowed SKUs (requestedServiceObjectiveName): Free, Basic, S0, S1, S2, S3, S4, S6, S7, S9, S12, DW100c, DW200c.

Synapse Big Data Pools 

- Allowed nodesizes: small and medium.

Virtual Machine Scale Sets

Allowed General purpose VMs with vCpu <= 8 and memoryGB <=32. Docs

  • Sizes: B, Dsv3, Dv3, Dasv4, Dav4, DSv2, Dv2, Av2, DC, DCv2, Dv4, Dsv4, Ddv4, Ddsv4, Dv5, Dsv5, Ddv5, Ddsv5, Dasv5, Dadsv5.

Guidelines

Resource Groups and Providers

Don’t create/delete new resource groups. Use the provided resource group instead of the one available in the $resource environment variable.

Don’t

az group create --name lesson38rg --location eastus
az group delete --name lesson38rg --no-wait --yes

Do

az vm create --name 'MyVM' \
--image UbuntuLTS \
--location eastus \
--resource-group $resource \
--admin-username azureuser \
--public-ip-sku Basic
az monitor activity-log list --resource-group $resource
az monitor autoscale list --resource-group $resource

Don’t register the resource provider. The resource provider should be already registered, and if it is not, let us know. If it falls within the current development scope, we can register the provider.

Azure Kubernetes Service

Don’t include the enable-addons monitoring option when creating a new cluster

Don’t

az aks create \
--resource-group lesson08rg \
--name lesson08AksCluster \
--node-count 3 \
--enable-addons monitoring \.
--generate-ssh-keys

Do

az aks create \
--resource-group lesson08rg \
--name lesson08AksCluster \
--node-count 3 \
--generate-ssh-keys

KeyVault

Don’t use keyvault commands that require access to resources created at subscription level. For example:

az keyvault list-deleted
az keyvault recover --location eastus --name $keyVaultName --resource-group $resource
az keyvault purge --name $keyVaultName