Okay, so my name is Peter Hoffman. I'm a software developer at Blue Yonder. We develop machine learning algorithms for retail: for example, we calculate optimized price decisions for online retailers, or we calculate future demand for retailers and implement replenishment on top of it, so that the retailers' stores neither go out of stock nor have too much waste. We do this with machine learning, and most of our stack is Python. You can contact me via Twitter, or at the conference or the social event, if you have any questions. The slides will be available on GitHub under our company account; I'll show the link to the slides again at the end of the presentation, so you can take your notes then.

Maybe before we start: who thinks Microsoft is a really cool company that knows about open source, embraces Python, and is really fun to work with? Okay, nobody — one hand. That's what I thought, too. I've been an open source guy all my life, and we had been self-hosting our infrastructure at Blue Yonder the whole time — a three-digit number of servers. At some point our CTO came to us and said, okay, we want to move to the cloud, and we started evaluating AWS. Everything went fine and we thought, okay, let's go to AWS; it's the cool cloud provider, every cool company is going to AWS. Then some months later he came again and said: okay, now we are going to the cloud, but it will be Microsoft Azure. At first I thought, oh no — now I have to administer a Windows server, I have to learn PowerShell, and I lose all my open source knowledge and all that stuff. But it turned out to be quite different. I've learned a lot in the last half year. We have started to migrate all of our infrastructure to Azure, following a lift-and-shift approach.
So in the first phase we are just using the basic resources of Microsoft Azure — storage, networking, and computation as virtual machines. Once we are done with the initial migration, we'll move up the stack and use much more sophisticated services: managed database services, HDFS services, or even the managed Hadoop stack. I've learned quite a lot about Microsoft in the last half year, and I think they've changed a lot. They are probably still not the coolest open source company, but they really embrace Python: they treat Python as a first-class citizen in their stack. In the next 20 or 30 minutes I'll show you a little bit of how we deploy to Azure and what we've learned from our deployments.

So what is Microsoft Azure? Microsoft Azure is a cloud infrastructure provider from Microsoft, and it's basically infrastructure as a service: you give them money and you get infrastructure. It's a little bit the same as with our ops guys — we gave them money and they built us the infrastructure. But the turnaround cycle with our ops team was about, I don't know, two to three months: you have to buy the servers, put them in the rack, put the cables in, and get all the software on them. Those are really long cycles if you just want to try something out or want to scale up. With infrastructure as a service you have an API and you can get servers with one click — lots of them — and once you are done with trying things out, you can throw them away. So you are much faster, and it really helps you to grow as a company. Here you see the Azure dashboard; that's the UI for working with Azure, where you can click together virtual machines and all that stuff. But that only carries you through the initial phase of trying things out.
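Whether you click in the portal or script it, every operation ends up as a call against the Azure Resource Manager REST API. A rough sketch of how the management URL for a single resource is composed — the path layout follows the ARM conventions, while the subscription ID, resource names, and API version below are purely illustrative:

```python
# Rough sketch: how a resource URL against the Azure Resource Manager
# REST API is composed. Path layout follows the ARM conventions; all
# concrete names and the API version are illustrative.

ARM_ENDPOINT = "https://management.azure.com"

def resource_url(subscription_id, resource_group, provider,
                 resource_type, name, api_version):
    """Build the management-plane URL for a single resource."""
    return (
        f"{ARM_ENDPOINT}/subscriptions/{subscription_id}"
        f"/resourceGroups/{resource_group}"
        f"/providers/{provider}/{resource_type}/{name}"
        f"?api-version={api_version}"
    )

url = resource_url("1111-2222", "devpi-rg", "Microsoft.Storage",
                   "storageAccounts", "devpistore", "2016-01-01")
print(url)
```

Every tool mentioned in this talk — portal, CLI, client libraries — talks to URLs of this shape.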
You don't want to deploy your infrastructure via the UI; you want to use tools, ideally with a declarative description of your infrastructure, so that you can always deploy it again — and can deploy the same version of your infrastructure in a testing environment. You want to automate all this stuff. So now I'm going to show you how we automate it and what we learned about the tools that Microsoft provides.

Before we start, a little bit about the architecture of Microsoft Azure. The basic concepts in Azure are resources and resource providers. Virtual machines, for example, are resources, and a resource provider takes care that you can call an API and get the resources that you request. For each kind of resource you have a different resource provider — for virtual machines, computation, storage, or higher-level services — and they all fulfill the resource provider contract, a standard API for interacting with Azure. On top of the resource manager you have different tools: the portal, a CLI command, a Python client library, or even plain REST calls to provision your infrastructure in Azure.

We have mostly used three different deployment options; the one that we don't use is Microsoft PowerShell. The first is ARM templates — that's the declarative deployment option. Then, on top of the REST API, Microsoft ships Python client libraries, and you can talk to Azure via the Python API, via the `az` command-line client, or via Ansible. A really nice thing is that they use Swagger for all their API definitions, and JSON schemas for the payloads of their APIs. Besides Python they support Java, C#, and I think PHP, and all the client libraries are generated from the same Swagger source definitions. So you will always have the same version of the client libraries in the different programming languages. That's really nice, because with this
approach the Python library is always up to date and on par with the PowerShell library.

Another basic concept of Microsoft Azure is the resource group. You can group your resources into resource groups, and you should. You could of course put your whole infrastructure into one resource group, but it's better to split your resources into different resource groups based on their deployment lifecycle, because normally you will always deploy a whole resource group in complete mode. If you just want to update your storage accounts, for example, you don't want to update the whole infrastructure — just the resource groups that you're interested in. On the left side you see a sample definition of a devpi server, a PyPI-compatible internal repository we use. We have an availability set and a load balancer, then some network interfaces, a storage account, and virtual machines. That defines the whole service internally, and you can use this resource group — the definition of the resources in this group — to deploy this service in production, in development, and in testing.

What's important, and a really complex topic in Azure, is role-based access control. For each operation you can do via the command line or the portal, you have role-based access control. When you first create your Azure account, you are a kind of superuser, and as soon as you have this account you should really start adding other accounts and dropping your privileges, giving the deployment accounts just the privileges they need to deploy their resource groups. You could even say some users are only allowed to view the resource groups, to see what's inside your infrastructure, while others are able to deploy. You should really take care of this, because it helps to prevent errors. That's, for example, what happened to me: in the beginning of our migration project I wanted to deploy a resource group, and I missed
that there was still a storage account in it. So I deleted it, and all the data was gone. In principle I shouldn't have been able to do this, because this storage account was not my business — it was not my service — but we weren't that far with role-based access management, so I could delete it even though I shouldn't have been able to.

So what we are using as the primary deployment option is ARM templates. ARM templates are a declarative, JSON-based description of the desired deployment state. It's a JSON document; you submit it to the Azure Resource Manager, and the resource manager takes care of the parallel provisioning of the resources, the rollback, and the deployment. At the bottom I've shown you a simple command-line call for deploying a resource group: you always have to tell Azure which resource group you want to deploy — the name — and the template where you define all the JSON stuff. You can deploy a template to different regions and different services, and you can define multiple resources in one template, but each unique resource can only live in one template.

You have two different deployment options: it's always either complete or incremental. If you do an incremental deployment, the Azure Resource Manager will only add new resources that are in the new template, but will not delete stuff. That's okay for trying things out, but normally you want to do the complete deployment, where the Azure Resource Manager also takes care of deleting resources that are not defined in your template — because you always want the declarative state in your template to be the one that is deployed on Azure.

So what does a minimal template look like?
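A minimal skeleton, sketched as JSON — the schema URL shown is the one commonly used at the time; treat the exact values as illustrative:

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {},
  "variables": {},
  "resources": [],
  "outputs": {}
}
```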
You always have a link to a JSON schema for your template, you have to give the content version, and then you can specify resources, parameters, variables, and outputs. Microsoft has open sourced all the JSON schema definitions for the different templates; you can go to GitHub and see which values are allowed in your template for which resources.

So let's define a sample storage account — a single resource. Again, you have to tell the resource manager which type you want to deploy; in this case it's Microsoft.Storage/storageAccounts. You have to give it the API version you want to talk to — for one resource type there are always different API versions you can use, with different parameters. You have to say in which region (West Europe, US, Asia) you want to deploy your resource, and then some specifics about the resource — in this case just the type of storage account you want to deploy: locally redundant.

One thing we learned pretty soon and use very extensively is tagging of resources. For each resource you can apply a number of tags — I think up to 250 — and you can later use the tags for grouping, for example in billing or in monitoring. Once you have a larger infrastructure, with a three-digit number of servers, it really helps to see which service is responsible for which costs, or, in monitoring, which service fails. So my advice: from the beginning, think about a tagging scheme and really apply tags to all your resources.

An ARM template is not simply a static JSON file: in the value parts within the JSON file you can use the ARM template functions.
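To make that concrete — and since most of our stack is Python anyway — here is an illustrative sketch, not our production tooling, that assembles such a tagged storage-account resource as a plain dict and dumps it as template JSON. The resource type string is the real Microsoft.Storage one; the API version, tag names, and account type are example values:

```python
import json

# Illustrative sketch: a single tagged storage-account resource as a
# Python dict, dumped as ARM-template JSON. The apiVersion, tags, and
# account type are example values.
storage_account = {
    "type": "Microsoft.Storage/storageAccounts",
    "apiVersion": "2015-06-15",
    # Bracket notation is an ARM template function call, evaluated at
    # deployment time; uniqueString() yields a globally unique name.
    "name": "[uniqueString(resourceGroup().id)]",
    "location": "[resourceGroup().location]",
    "tags": {"service": "devpi", "stage": "testing"},
    "properties": {"accountType": "Standard_LRS"},
}

template = {
    "$schema": "https://schema.management.azure.com/schemas/"
               "2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [storage_account],
}

print(json.dumps(template, indent=2))
```

Whether you generate the JSON or write it by hand, the document you submit to the resource manager is the same.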
Each time you use the bracket notation you basically call a function, and during deployment the result of this function is substituted into the template for the rollout. For example, storage accounts in Azure share one big namespace across all customers. So if you pick the name "test" for your storage account, you probably can't deploy it, because it's already used by some other guy. Here you can use the uniqueString() function together with the resource group ID, and it will generate a unique string that only you use — and with this you have a unique name in the global namespace. Another one: you already specify on the command line which region you want to deploy to, and with resourceGroup().location you can get this value and don't have to type it again and again. Now you can also use this template to deploy to different regions without changing the value of the location. You have lots of different functions at hand: array functions, where you can take the first or the last value of an array, get an element by index, or get the length of an array; numeric functions for basic calculations; and some string functions that you can use in the templates.

Another pattern you can use in your templates is variables. As soon as you need to use one value more than once in a template, you can define a variable — say, for the storage account — and then use it throughout your template. In this case we are defining a storage account name as a variable, and we can then use the variable in the compute resource to attach the storage account to a server. And the third thing you can use in templates is outputs. For each value you generate inside the template you can define an output, so that once you run your template on Azure you can see what the actual value is after evaluation.

To use a resource template in different stages — in our
example, we always have the test area, then a staging area, and then the production area — you want to inject external values into your template, and you can do this with parameters. You define the parameters you want to use in your template, use them in your resources, and when you want to deploy, you specify an additional parameters file where you provide the actual values. So you have one template and different parameters files, and with this you can deploy to different regions or different staging areas of your infrastructure.

What we've also learned pretty fast: don't put sensitive data in the templates. Microsoft Azure provides ways to inject sensitive data into your templates without having it in your Git repository in plain text. There are secureString and secureObject parameter types, there are template functions for retrieving these secure-typed objects, and you can also reference Key Vault secrets: you can create a Key Vault with secrets in Azure and then use them in your templates. And in production, always turn off debugging and logging, because it could also dump out your secrets.

For rather simple deployments the Azure resource templates are pretty okay, but for complex ones it gets out of hand really fast, because it's not just a JSON file where you define your resources: you have content versioning for the different resources, you have parameters and variables, you have an inline template expression language, and you can also link templates together. So it pretty quickly gets pretty hard to edit all these templates by hand.
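As a concrete illustration of the parameters and secrets just mentioned, a parameters file for, say, the staging area might look roughly like this — the vault path, names, and values are made up, and the actual secret never appears in the Git repository:

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "stage": { "value": "staging" },
    "adminPassword": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/1111-2222/resourceGroups/secrets-rg/providers/Microsoft.KeyVault/vaults/our-vault"
        },
        "secretName": "devpi-admin-password"
      }
    }
  }
}
```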
So we pretty soon came to Visual Studio, which supports the Azure resource template syntax: you have IntelliSense and highlighting, and it makes it much easier to really edit these templates. We have also tried to put some Python libraries around the templates and generate the stuff, but that didn't work out that well. So at the moment we still edit the templates by hand, but with a powerful tool like Visual Studio.

So how do you actually talk to the REST API of Microsoft Azure? Microsoft provides a command line interface. Version one of the command line interface was built in Node.js, but as the Microsoft guys told us, that didn't work that well: with the command line client they wanted to target Linux admins and users from the open source community, and the Node.js client just didn't behave like the tools this Linux server community expects. So they developed the CLI version 2, and they developed it in Python. It's a really nice command line interface with auto-completion, nice documentation, and different output formats; it has support for querying via JMESPath, and it's also fully generated from the Swagger definitions of the REST API. So it's always up to date, and it really helps you to work with the REST API. For example, you can tell the `az` command line client to list all the storage accounts inside a resource group, and you get back a JSON document with all the information. That's fine if you want to post-process it in Python or some language that understands JSON, or even pipe it into jq and select just some values. But you can also use different output formats.
For example, you can dump it as a table — the command line interface uses the tabulate library, a common Python library for printing tabular formats — or you can dump it as tab-separated values and then call your awk script to get the data out of it. So it really fits well into the command line chain on Linux. As I said earlier, you can also use the JMESPath query language. For example, here I just want to list all storage accounts whose name starts with a certain prefix, and I just want the name and the blob endpoint. So it's really nice for interacting with the REST API.

We use Ansible extensively in configuration management to provision and deploy our servers and services, and we thought it would be a good way to provision our stuff on Azure as well, because with this approach we don't have duplicated configuration — for example network ranges or host names, which you have to define in the Azure template and which we also had defined in our Ansible scripts. So there's an azure_rm module for Ansible, and we are using this to interact with Azure through Ansible. There are three ways we use it: we use it to deploy the ARM templates with Ansible, there is the possibility to create resources directly via the REST API, and we use it as a dynamic inventory script to bridge the servers and services into our other Ansible scripts.

A simple Azure deployment is pretty easy, and not that different from the command line client. At the bottom you define your resource template; you can also define some parameters that you want to use in the resource template; you tell Azure which resource group you want to deploy into and in which location; and you have the same deployment modes I mentioned earlier, complete and incremental. So that's pretty much the same as the command line client — but what really helps us is using the parameters from within Ansible.
We can use the same parameters that we use elsewhere. Instead of providing a template file, you could also use the azure_rm modules for Ansible to specify the resources inline in Ansible. This works quite okay for simple resources like computation, storage, and networking, but for the more sophisticated ones there's still no support in the Ansible Azure modules — as I said, there's only support for the basic services — so we still stick to the resource templates.

This is a slightly more complex example: we are using the resource manager with Ansible to deploy a virtual machine. Again, you have some parameters where you tell it which size of machine you want to deploy, which storage account to use, the initial SSH key setup, and in which network to deploy the machine. Microsoft offers quite a range of Linux distributions you can use; in this case we just say, okay, give us the latest Debian 8, and you'll always get an up-to-date version. If you deploy lots of machines, it helps a lot if you tag them right; then you can use the Ansible dynamic inventory feature to pull the actual information from your deployed infrastructure, feed it into your Ansible scripts, and reuse the groups that are defined there for all the other actions you want to do later in the provisioning stage.

So why don't we use Ansible with Azure in production more? There are some points where we are not that happy with it. It does not work with the latest client libraries, so it's always a little bit behind. Microsoft did the initial implementation of the Azure Ansible module, but there's no real open source community around it, so I'm not sure yet — let's see how it evolves further. Defining resources within Ansible is okay for simple tasks; for complex tasks it's better to switch back to the resource templates and just call the template via Ansible.
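Sketched as an Ansible task — module and option names are from the azure_rm_deployment module of that Ansible 2.x era; the file name, resource group, and the stage variable are illustrative:

```yaml
# Illustrative: deploy a resource group from an ARM template in
# complete mode, injecting one parameter from an Ansible variable.
- name: Deploy devpi resource group from ARM template
  azure_rm_deployment:
    resource_group_name: devpi-rg
    location: westeurope
    deployment_mode: complete
    template: "{{ lookup('file', 'templates/devpi.json') | from_json }}"
    parameters:
      stage:
        value: "{{ stage }}"
```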
The dynamic inventory was really helpful for us; we use it a lot and it works. So now we have a kind of hybrid approach where we use the JSON templates to define all our infrastructure and inject the parameters via Ansible.

So that's a rough overview of how we deploy to Microsoft Azure. As I said earlier, if you have any questions you can ask them now, or just meet me at the conference. Thanks.

Q: You said you were planning to shift to Azure and then start shifting up into the higher-level services. I wonder if you've got an idea yet of which higher-level services you're thinking of shifting to.

A: For example, until now we use only the simple blob storage, but we want to migrate to the HDFS services that Azure provides. At the moment we are deploying all Postgres databases on our own; Microsoft Azure has an on-demand service for Postgres, where you get automatic backup, automatic upgrades, and all that stuff. So those are two examples where we want to go up in the stack. And they even have a fully managed Hadoop service, where we wouldn't have to care about deploying the stuff — that's also an option.

Q: Thanks for your talk. I was wondering, how do you authenticate your tools, like Ansible or any other script you have, against the Azure API?

A: Basically we have a GitHub repository with all our deployments in there. We have a requirements.txt file, and that's what everybody uses. Once we want to migrate to a new version, we do a branch, update the versions, deploy it to the test and development environment, see if everything works, and then roll it out to the other stages.

Q: But you mentioned role-based access control, and I was wondering, how do you, for example, give one developer fewer privileges than another developer? Do you use individual accounts, or do they use specific access keys?
A: We have a sync tool. We have an internal Active Directory — or rather, it's an OpenLDAP server — and we've written a sync tool which syncs the permissions in the internal groups, and the developers, to Azure; and then we have some labels attached to each group or developer. That's the way we manage the role-based access.

Q: Is that via ADFS, as you showed on a slide?

A: No, that's a separate tool. We just use the API to sync our users.

Q: Okay, then thank you.