Building a secure and efficient self-service application using Azure ACI, Azure Compute Gallery, and the Microsoft Azure SDK
Published 2023-10-12 (updated 2023-11-28) on the Microsoft Inside Track blog: https://www.microsoft.com/insidetrack/blog/building-a-secure-and-efficient-self-service-application-using-azure-aci-azure-compute-gallery-and-the-microsoft-azure-sdk/

Editor’s note: This is the second in an ongoing series on moving our network to the cloud internally at Microsoft.

At Microsoft, the Microsoft Digital Employee Experience (MDEE) team, our company IT organization, is using the Azure SDK, Azure Container Instances, and the Azure Compute Gallery to create a platform for deploying our virtual labs into secure, user-defined hub-and-spoke networks in Microsoft Azure. These labs provide isolated environments where our employees can create their own on-demand, scalable virtual machine and network environments for testing and development purposes.

This collection of technologies enables our employees to create virtual lab environments across multiple Azure tenants at scale, using infrastructure as code (IaC) to quickly deploy lab templates using the Azure Compute Gallery.

[Figure: architecture diagram showing the flow of our Microsoft Azure-based virtual lab platform.]

[Read the first blog in our “Moving our network to the cloud” series.]

ACI for flexibility and scalability

Azure Container Instances (ACI) is a critical component of our provisioning process. ACI is a fully managed service offered by Azure that enables users to deploy and run containerized applications in the cloud without having to manage virtual machines or learn new tools. It offers exceptional flexibility and scalability, making it ideal for managing our virtual labs environment.

ACI enables simplified orchestration of containers, especially when compared to more complex solutions like Kubernetes. ACI offers simple configuration for isolated containers, eliminating the need for deep knowledge of the network stack and the need to create complex YAML-based configurations. This simplicity streamlines the development process, reduces complexity, and ensures that container security measures are always included.

ACI also supports a wide variety of container images, including Docker containers and containers from other sources, such as Azure Container Registry, Docker Hub, or private container registries. In our experience, it scales very well with lightweight .NET Core images.

ACI offers rapid container deployment and orchestration. Our containers are available quickly to coordinate virtual lab deployment and can be shut down promptly when their work is completed. This dynamic allocation ensures that resources are only utilized when necessary. This works well in our stateless workload scenarios and is especially useful for batch processing. It also eliminates the overhead of cluster management tasks and lets us focus on deploying containers immediately.

We configure ACI to ensure graceful region-based failover. ACI offers versatile options for region failover and makes our business continuity and disaster recovery scenarios simple to implement. We use an Azure function to initialize failover groups based on region availability, creating a seamless user experience.

We use ACI for data processing, batch jobs, and event-driven functions where the workload varies and can be executed independently from the API services. We use messaging queues like Azure Service Bus to coordinate between the APIs running in Azure Kubernetes Service (AKS) and the background processing tasks in ACI. This configuration ensures that the API services can trigger or communicate with the background processing components when necessary.

Because ACI scales horizontally and spins up instances without delay, we can continue delivering high performance to our users even during heavy loads on our system. Our platform creates almost 40 thousand ACI instances each month.

The dynamic nature of ACI ensures that the resources are only utilized when necessary, keeping costs at a minimum. Additionally, we initialize containers with the fewest vCPU and memory resources required for their specific tasks to optimize resource allocation and cost tracking.


This fine-grained resource allocation ensures efficient utilization and simplifies cost tracking for each lab deployment, resulting in highly available, high-performing, cost-effective operations.

ACI’s serverless infrastructure allows developers to focus on developing their applications, not managing infrastructure. ACI provides the capacity to deploy containers and apply platform updates promptly to ensure security and compliance.

“Getting started with containers can be intimidating, but ACI makes it very simple to deploy a container,” says Justin Song, a senior software engineering manager on the Azure Container Instances team at Microsoft. “With Hyper-V isolation by default, support for burst workloads, and a wide array of powerful capabilities, we can scale to the highest performance applications.”

[Photo: Anjali Sujatha Nair (left) and Anish Paranjpe are part of the team in Microsoft Digital Employee Experience that’s built a self-service virtual lab deployment application internally at Microsoft. Nair and Paranjpe are software engineers.]

Azure Compute Gallery for rapid VM provisioning

We use the Azure Compute Gallery to bring efficiency and scalability to VM provisioning for our labs.

Azure Compute Gallery enables us to manage lab virtual machine images globally, with replication across multiple Azure regions.

Managed replication helps us ensure that VM images are readily available wherever our users need them. We’re also using custom least recently used (LRU) cache logic on top of the Gallery Image SDK to reduce the costs associated with hosting images across multiple regions. This custom logic ensures that unused replications are cleaned up when they are no longer needed, reducing costs while still maintaining the accessibility and reliability of our virtual labs.
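As an added illustration, not the MDEE team’s code (which sits on the Azure SDK for .NET), here is the LRU bookkeeping such a replication cleanup needs, written in Python with the gallery image version update call left out. The image version id, region names, idle TTL and replica cap are all constructed values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class ReplicationState:
    """Regions an image version is replicated to, with the last lab deployment time per region."""
    source_region: str
    last_used: dict = field(default_factory=dict)  # region -> datetime of last use


class ReplicaLru:
    """Hypothetical LRU cache over Compute Gallery replica regions (illustration only)."""

    def __init__(self, ttl: timedelta, max_replicas: int):
        self.ttl = ttl                    # idle time after which a replica may be dropped
        self.max_replicas = max_replicas  # cap on replica regions per image version
        self.images: dict[str, ReplicationState] = {}

    def add_image(self, version_id: str, source_region: str) -> None:
        self.images[version_id] = ReplicationState(source_region)

    def touch(self, version_id: str, region: str, now: datetime) -> bool:
        """Record a lab deployment in `region`; return True if a new replication is needed."""
        state = self.images[version_id]
        if region == state.source_region:
            return False  # the source region is always present and never evicted
        is_new = region not in state.last_used
        state.last_used[region] = now
        return is_new

    def target_regions(self, version_id: str, now: datetime) -> list[str]:
        """Replica set to keep: drop idle regions, then trim least recently used past the cap.
        The returned list is what would be handed to the gallery image version update
        (SDK call omitted here)."""
        state = self.images[version_id]
        live = {r: t for r, t in state.last_used.items() if now - t <= self.ttl}
        # most recently used first, so slicing keeps the hottest regions
        keep = sorted(live, key=lambda r: live[r], reverse=True)[: self.max_replicas]
        for region in set(state.last_used) - set(keep):
            del state.last_used[region]  # evicted: replication would be removed
        return [state.source_region] + sorted(keep)
```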

We allow our users to deploy pre-configured lab environments called templates. We can create versioned labs using Azure Compute Gallery’s versioning capabilities, effectively capturing unique lab configurations at different development stages. This feature enables our users to save and share meticulously crafted lab setups through templates, fostering global collaboration and knowledge sharing.

Users can effortlessly create snapshots of their labs, simplifying collaboration, promoting consistency, and providing control over their virtual lab experiences. Azure Compute Gallery’s versioning puts lab management in the hands of our users, offering flexible, streamlined collaboration.

Role-based access control provides the core access management functionality for Azure Compute Gallery images. Using RBAC and Azure Active Directory identities, access to images and image versions can be shared or restricted to other users, service principals, and groups.

Azure SDK for efficient resource orchestration at scale

The Azure SDK for .NET provides the foundation for our platform’s scalability and resource management. We’re using the Azure SDK’s comprehensive set of open-source libraries, tools, and resources to simplify and expedite application and service development in Azure. The Azure SDK enables our development teams to ensure uniform features and design patterns for Azure applications and services across different programming languages and platforms.

Azure SDK packages adhere to common design guidelines. The Azure.Core package included in the SDK supplies a broad feature set, including HTTP request handling, authentication, retry policies, logging, diagnostics, and pagination. We’ve used the SDK to develop additional APIs that are easily integrated with other cloud-based services.

With the Azure SDK APIs, our developers have a unified interface to Azure services without needing to learn distinct APIs for each resource type. Development and resource management are streamlined across the entire Azure platform.

With a unified approach, we can use the Azure SDK to manage diverse resources across multiple Azure subscriptions and accounts.


Here are some tips for getting started with the Azure SDK, Azure Container Instances, and the Azure Compute Gallery at your company: