Getting Started with Azure Blueprints


By:   |   Updated: 2020-07-14   |   Comments   |   Related: More > Azure

Problem

There are many methods of provisioning Azure resources through Infrastructure as Code (IaC) by using Azure Resource Manager Templates (ARM) to define the Infrastructure as Code and then provision them through platforms such as Visual Studio, Terraform and others. Microsoft's recent addition of Azure Blueprints to the Azure portal has introduced a new method of deploying Azure Resources through ARM templates by following IaC best practices. How can one get started with Azure Blueprints?

Solution

The history of blueprints dates back to the mid-1800s as a process to document an Architect's visions and plans on paper which was then blended with chemicals, resulting in a blue page with letters or lines in the original white color of the paper, creating the process of blueprinting. Similarly, Azure Blueprints enables architects and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization's standards, patterns, and requirements. This article will demonstrate how to provision Azure resources by using Azure Blueprints.

Create an Azure Blueprint

To get started with Azure Blueprints, search for blueprints in the Microsoft Azure portal.

BluePrint Search for Blueprint in Azure Portal

Azure Blueprints is a free Azure service that can be used to deploy Azure Resources and easily manage ARM templates through Infrastructure as Code. For more information on Azure Blueprints, click the Blueprints Overview link on the welcome page. There is also an option to create a blueprint with a REST API.

To begin creating an Azure Blueprint, click Create.

BlueprintHome Image of blueprint homepage

Next, there will be the option to either start with a blank template and bring your own template or use a pre-defined sample template that can be found and filtered in the Other Samples section. Azure Blueprint samples can also be found here.

Click Start with blank template to get started with a blank blueprint.

BlankBlueprint Start with blank blueprint

Next, define the basics of the blueprint including the blueprint name, description, and definition location.

CreateBlueprint Description of Create Blueprint

When selecting the definition location, there will be a selection for the Azure Subscription.

Select the desired Subscription and click Select.

DefLocation Image of definition Location

Once Basics section is complete, click Next: Artifacts to begin adding artifacts to the blueprint.

Basics Image of Blueprint basics

Add Blueprint Artifacts

Blueprint artifacts can include:

  • Role Assignments: Assign a role to previously created resource.
  • Policy Assignments: Implement a tagging policy to append tags to a previously created resource.
  • Azure Resource Manager templates: Use pre-defined or custom ARM templates to create and define the resources.
  • Resource Groups: Create a resource group to contain a group of related artifacts

Click Add artifact…to the begin selecting the desired artifacts.

Artifacts Image of Add Artifact

Select Resource Group from the Add Artifact type drop-down menu:

AddArtifact1 Image of artifact types

Give the resource group a name, location, and click Save.

Note that there are check boxes under the parameter entry section, which determine whether the value should be specified when the blueprint is assigned. For the purposes of this demo, I will uncheck theses boxes and define these parameters as static values within the blueprints. When deploying these blueprints using PowerShell for a more automated process, the parameters can be defined through a separate parameter file for each artifact.

RGParameters Image of RG Parameters

Once the resource group is created, click Add artifact under the newly created resource group artifact to add an ARM template for the resources.

Select Azure Resource Manager template to continue.

AddARM Image of add arm template

Add Azure Resource Manager (ARM) Templates

ARM Templates are a way to declare objects, types, names and properties in a JSON file which can be checked into source control and managed as Infrastructure as code files. Azure resources can be provisioned with ARM Templates that contain parameters that define and customize the deployed resources. These parameters can be entered statically, dynamically at runtime or managed through supplemental JSON parameter files when blueprints are deployed through REST APIs.

While Azure Blueprints has a vast collection of sample templates, it lacks the availability of many essential Azure resources in the gallery. For that reason, there have been many template contributions to the open-source Microsoft technical developer community. Many of these Azure quick-start templates can be found on GitHub.

For this demo, the following Azure resources will be provisioned:

  1. Data Factory V2
  2. Data Lake Gen2
  3. Key Vault

After navigating to the Azure quick-start templates on GitHub, navigate to the data factory v2 create template.

ARMQuickstart Image of ARM Templates on GitHub

Select the azuredeploy.json file. Notice that the azuredeploy.parameters.json file also exists for automated deployments of Azure Blueprints programmatically with PowerShell.

DeployJson Image of aszure.deploy.json file

Copy the following code.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "name": {
      "type": "string",
      "defaultValue": "adfdemo001"
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "Location for your data factory"
      }
    }
  },
  "resources": [
    {
      "apiVersion": "2018-06-01",
      "name": "[parameters('name')]",
      "location": "[parameters('location')]",
      "type": "Microsoft.DataFactory/factories",
      "identity": {
        "type": "SystemAssigned"
      },
      "properties": {}
    }
  ]
}

Paste it in the template section. Verify that required fields have been completed.

ADFV2_ARM Image of adfv2 arm template

Navigate to the Parameters tab. Enter the desired parameters and click Save.

ADFParams Image of ADF Parameters

Follow the same step to locate Data Lake Storage in GitHub's list of Azure ARM Templates.

ADLSQuickStart Image of ADLS2 quickstart templates

Copy the following code.

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "configuration": {
      "type": "object",
      "metadata": {
        "description": "Configuration for this resource"
      }
    },
    "storageAccounts_name": {
      "type": "string"
    },
    "location": {
      "type": "string"
    },
    "accountType": {
      "type": "string"
    },
    "kind": {
      "type": "string"
    },
    "accessTier": {
      "type": "string"
    },
    "supportsHttpsTrafficOnly": {
      "type": "bool"
    },
    "isHnsEnabled": {
      "type": "bool"
    }
  },
  "variables": {},
  "functions": [],
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "name": "[parameters('storageAccounts_name')]",
      "apiVersion": "2018-07-01",
      "location": "[resourceGroup().location]",
      "tags": "[parameters('configuration')]",
      "properties": {
        "accessTier": "[parameters('accessTier')]",
        "supportsHttpsTrafficOnly": "[parameters('supportsHttpsTrafficOnly')]",
        "isHnsEnabled": "[parameters('isHnsEnabled')]"
      },
      "dependsOn": [],
      "sku": {
        "name": "[parameters('accountType')]"
      },
      "kind": "[parameters('kind')]"
    }
  ],
  "outputs": {}
}

Paste it in the template section. Verify that required fields have been completed.

ADLS_ARM Image of ADLS2 arm template in blueprints

Navigate to the Parameters tab. Enter the desired parameters and click Save.

{"Department":"IT","Environment":"Dev"}
ADLSParams Image of ADLS Parameters

Azure Key Vault will be the last required resource to complete the list of ARM Templates that need to be added to the blueprint.

Let's add one last ARM template for Key Vault. For this last ARM Template, I will demonstrate a different method of acquiring the desired template. This process includes navigating through the create new resource UI in Azure portal and then downloading the customized ARM Template for the blueprint.

For key vault, start by Creating a Key vault in Azure portal and filling in the required details.

CreateKeyVault Image of create key vault

After passing the review validation, Click Download a template for automation.

KeyVaultValidation Image of review and validate of create key vault

Next, Copy the following code from the template and paste it in the blueprint template for the Key Vault ARM template.

KeyVaultARM Image of downloaded key vault ARM Template
{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "name": {
      "type": "string"
    },
    "location": {
      "type": "string"
    },
    "sku": {
      "type": "string"
    },
    "accessPolicies": {
      "type": "array"
    },
    "tenant": {
      "type": "string"
    },
    "enabledForDeployment": {
      "type": "bool"
    },
    "enabledForTemplateDeployment": {
      "type": "bool"
    },
    "enabledForDiskEncryption": {
      "type": "bool"
    },
    "enableRbacAuthorization": {
      "type": "bool"
    },
    "enableSoftDelete": {
      "type": "bool"
    },
    "softDeleteRetentionInDays": {
      "type": "int"
    },
    "networkAcls": {
      "type": "object"
    }
  },
  "variables": {},
  "resources": [
    {
      "apiVersion": "2018-02-14",
      "name": "[parameters('name')]",
      "location": "[parameters('location')]",
      "type": "Microsoft.KeyVault/vaults",
      "properties": {
        "enabledForDeployment": "[parameters('enabledForDeployment')]",
        "enabledForTemplateDeployment": "[parameters('enabledForTemplateDeployment')]",
        "enabledForDiskEncryption": "[parameters('enabledForDiskEncryption')]",
        "enableRbacAuthorization": "[parameters('enableRbacAuthorization')]",
        "accessPolicies": "[parameters('accessPolicies')]",
        "tenantId": "[parameters('tenant')]",
        "sku": {
          "name": "[parameters('sku')]",
          "family": "A"
        },
        "enableSoftDelete": "[parameters('enableSoftDelete')]",
        "softDeleteRetentionInDays": "[parameters('softDeleteRetentionInDays')]",
        "networkAcls": "[parameters('networkAcls')]"
      },
      "tags": {},
      "dependsOn": []
    }
  ],
  "outputs": {}
}

Additionally, the following Parameters can also be copied and used for the blueprints.

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "name": {
            "value": "demokv002"
        },
        "location": {
            "value": "westus"
        },
        "sku": {
            "value": "Standard"
        },
        "accessPolicies": {
            "value": [
                {
                    "objectId": "enter-objectid",
                    "tenantId": "enter-tenantid",
                    "permissions": {
                        "keys": [
                            "Get",
                            "List",
                            "Update",
                            "Create",
                            "Import",
                            "Delete",
                            "Recover",
                            "Backup",
                            "Restore"
                        ],
                        "secrets": [
                            "Get",
                            "List",
                            "Set",
                            "Delete",
                            "Recover",
                            "Backup",
                            "Restore"
                        ],
                        "certificates": [
                            "Get",
                            "List",
                            "Update",
                            "Create",
                            "Import",
                            "Delete",
                            "Recover",
                            "Backup",
                            "Restore",
                            "ManageContacts",
                            "ManageIssuers",
                            "GetIssuers",
                            "ListIssuers",
                            "SetIssuers",
                            "DeleteIssuers"
                        ]
                    }
                }
            ]
        },
        "tenant": {
            "value": "enter-tenant-id"
        },
        "enabledForDeployment": {
            "value": false
        },
        "enabledForTemplateDeployment": {
            "value": false
        },
        "enabledForDiskEncryption": {
            "value": false
        },
        "enableRbacAuthorization": {
            "value": false
        },
        "enableSoftDelete": {
            "value": true
        },
        "softDeleteRetentionInDays": {
            "value": 90
        },
        "networkAcls": {
            "value": {
                "defaultAction": "allow",
                "bypass": "AzureServices",
                "ipRules": [],
                "virtualNetworkRules": []
            }
        }
    }
}

Once all of the desired artifacts have been created in the blueprint and all parameters have been populated, click Save Draft.

SaveArtifact Image of completed artifact and save as draft blueprint

The DemoBlueprint has been saved as an un-published draft Blueprint definition.

Click on the DemoBlueprint to open and publish it.

BlueprintDefinitions2 Image of Blueprint definition list.

Publish the Blueprint

Publishing makes the blueprint available to be assigned to a subscription.

Click Publish blueprint.

PublishBlueprint Image of publish blueprint icon

Add a version label, detailed notes, and click Publish.

PublishVersionBlueprint Image of publish blueprint details.

The publishing status will be displayed to the upper right section of the portal.

Once the blueprint is successfully published, it will be ready to be assigned.

PublishStatus Image of blueprint publish status.

Assign the Blueprint

Assigning the blueprint to a subscription is the final step required to provision the Azure resources. It is important to note that a blueprint can only be assigned to the subscription that it is assigned to.

Once again, navigate to the DemoBlueprint and Click Assign blueprint.

Assign Blueprint Image of Assign Blueprint Icon

Within the 'Assign Blueprint' details section, give the assignment a name, select the location, along with the Blueprint definition version that was created previously.

AssignBlueprintv1 Image of details for assign blueprint

Lock Assignment

Lock assignments provide a mechanism to maintain the consistency of blueprint environment definitions at scale. There are currently the following three Lock Assignments available that must be configured during assignment and resource deployment. Locking modes cannot be changed outside of Azure Blueprints.

  • Don't Lock: Resources aren't protected by Azure Blueprints.
  • Do Not Delete: Resources can be altered, but can't be deleted.
  • Read Only: Resource can't be altered in any way; no changes and it can't be deleted.
LockAssignment Image for Lock Assignment options

Managed Identity

During the deployment of the Azure Resources, Blueprints are assigned to a subscription through the following managed identity assigned permission options:

  • System assigned: This is the default managed identity. Azure Blueprints creates the identity and grants the managed identity the owner role. If an existing assignment is upgraded, Azure Blueprints uses the previously created managed identity.
  • User assigned: Both the Owner and Blueprint Operator built-in roles must be defined and granted permissions before the blueprint assignment is created and must have the necessary blueprint Assignment/write permission to create an assignment.
ManagedIdentity Image for Managed Identity options

Artifact Parameters

Once the artifacts and parameters are reviewed and verified, click Assign to begin the resource deployment and Blueprint assignment process.

AssignBlueprintArtifacts Image showing review and assign of artifacts to blueprint.

Verify Assigned Blueprints

After the assignment has succeeded, the provisioned resources along with the assignment version, status, lock state will be displayed for additional verification that the process has succeeded.

Note the additional options to Update assignment and Unassign blueprint.

To add more resources to an existing blueprint, create a new version of the assignment and assign it to the existing blueprint.

AssignmentSucceeded Image of Status of resource deployment and details.

Additional details about the assigned blueprint can also be viewed in the Assigned blueprints section of Azure Blueprints.

AssignedBlueprints Image of list of assigned blueprints.

Summary

In this article, I demonstrated how to Get Started with Azure Blueprints to provision a few Azure Data Resources including Data Factory V2, Data Lake Gen2, and Key Vault using Quick Start ARM Templates. As a next step, it would be valuable to explore how to create and manage blueprint deployment and parameter JSON files via PowerShell for a more automated and streamlined process. Additionally, also explore how to integrate a multi-environment (DEV/QA/PROD) Azure Blueprint with Azure DevOps and learn how to create more complex blueprints that contain dependencies.

Next Steps


Last Updated: 2020-07-14


get scripts

next tip button



About the author
MSSQLTips author Ron L'Esteve Ron L'Esteve is a seasoned Data Architect who holds an MBA and MSF. Ron has over 15 years of consulting experience with Microsoft Business Intelligence, data engineering, emerging cloud and big data technologies.

View all my tips
Related Resources





Comments For This Article





download


Recommended Reading

Adding Users to Azure SQL Databases

Connect to On-premises Data in Azure Data Factory with the Self-hosted Integration Runtime - Part 1

Azure Data Factory vs SSIS vs Azure Databricks

Continuous database deployments with Azure DevOps

Azure Data Factory Lookup Activity Example





get free sql tips
agree to terms


Learn more about SQL Server tools