DevTest and DevOps for IaaS solutions

Azure Active Directory
DevTest Labs
Key Vault

Solution ideas

This article is a solution idea. If you'd like us to expand the content with more information, such as potential use cases, alternative services, implementation considerations, or pricing guidance, let us know by providing GitHub feedback.

Infrastructure as a service (IaaS) is a form of cloud computing that provides virtualized computing resources. Development testing (DevTest) is a software development approach that integrates testing early in the development phase. In this solution, configuring DevTest operations for an IaaS application reduces the cost and overhead of development and test environments, while facilitating faster development through automated virtual machine (VM) and VM image integration and deployment.

DevOps is a set of practices that combine software development and IT operations to shorten the development cycle and provide high-quality continuous deployments (CD). Using Azure DevOps with DevTest environments lends power and focus to the IaaS development process.

Potential use cases

Departments that use this solution include:

  • IT operators
  • DevOps teams
  • Systems and database administrators
  • Developers who build and run applications


Diagram showing the configuration of DevTest and DevOps for an IaaS application.

Download a Visio file of this architecture.


  1. Instead of manually configuring development environments, developers can use Azure Virtual Desktop images, pre-configured with the libraries, tools, and runtimes they need for their projects. Adding a developer to an Azure DevTest Subscription makes the appropriate Azure Virtual Desktop image available to them from the DevTest environment.

  2. Source code is available in GitHub repos, which integrate seamlessly with Azure DevOps. The Visual Studio development environment combines GitHub source code editing with features like work-item and pull-request tracking.

  3. Azure Pipelines triggers automated continuous integration (CI) builds from GitHub repos and automatically delivers them to the DevTest environments, reaching quality assurance (QA) testing quickly with low developer overhead. Azure Pipelines uses Azure Key Vault to securely consume secrets like credentials and connection strings required for release and deployment configurations.

  4. Azure Boards connects back to the GitHub repos, letting developers track both code and tasks in one location. Automated testing also generates bugs for any build or release failures, feeding the results back into the development cycle.

  5. Azure Boards work items come from automated testing, manual QA testing, and added features. Developers create feature branches and associate them with work items to track development, creating more iterations of the development loop.

  6. Azure Pipelines deploys builds to the low-cost Azure DevTest Labs subscription environments, where developers and testers can rapidly provision VMs. Azure Policy regulates and limits DevTest VM numbers and costs, and audits VM usage to provide insight and tracking.

    Developers can deploy VMs as quickly as needed within the lab, while staying within resource and cost parameters set by managers and administrators. The flexibility of low-cost labs provides developers with all the environments they need for rapid iterative progress.

    Testers can operate within their own DevTest Labs environment, pulling ready-for-test images into the test team's labs separately from the development team. The ability of developers and testers to work in parallel DevTest Labs contributes to rapid iteration of ready-to-release image versions.

  7. As the developed VM images reach a release state, Azure Pipelines triggers releases that generalize the targeted images for destinations like virtual machine scale sets and promote them out of DevTest and into a Production environment.

    User Acceptance Testing (UAT) validates a staged VM or virtual machine scale set before deployment to Production.

    Approvals are required for releases to higher-cost, client-facing Production destinations. Production remains isolated and protected from inadvertent or unapproved deployments.

This scenario uses a separate Azure Active Directory (Azure AD) for each subscription, one for DevTest and one for Production, to create a distinct separation of concerns. To meet compliance requirements, the Production subscription's Azure AD might need to include a smaller cross section of users than the DevTest Azure AD.

Azure Monitor works across subscriptions to monitor VMs in both the Production and DevTest environments.
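
The following Azure Pipelines definition is an added example, not part of the original article or a Microsoft reference implementation. It shows how steps 3 and 7 and the per-subscription separation fit together: each stage reads only its own Key Vault through its own service connection, and the Production stage targets an environment that carries the approval check. All service connection, vault, environment, resource group, secret, and script names are assumptions.

```yaml
# Added example; every name (connections, vaults, environments, groups, secrets, scripts) is an assumption.
trigger: [main]
pool: { vmImage: ubuntu-latest }
stages:
  - stage: DevTest
    jobs:
      - deployment: DeployToLab
        environment: devtest          # no approval checks, so iteration stays fast
        strategy:
          runOnce:
            deploy:
              steps:
                - checkout: self
                - task: AzureKeyVault@2
                  inputs:
                    azureSubscription: sc-devtest      # connection scoped to the DevTest subscription
                    KeyVaultName: kv-devtest-example
                    SecretsFilter: LabVmAdminPassword  # name the secrets needed instead of '*'
                - task: AzureCLI@2
                  inputs:
                    azureSubscription: sc-devtest
                    scriptType: bash
                    scriptLocation: inlineScript
                    inlineScript: ./scripts/deploy-vm.sh rg-devtest-example
                  env:
                    ADMIN_PASSWORD: $(LabVmAdminPassword)  # secret variables must be mapped explicitly
  - stage: Production
    # Only builds of main may be promoted; pull-request builds stop after DevTest.
    condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/main'))
    jobs:
      - deployment: PromoteImage
        environment: production       # approval check is attached to this environment in Azure DevOps
        strategy:
          runOnce:
            deploy:
              steps:
                - checkout: self
                - task: AzureKeyVault@2
                  inputs:
                    azureSubscription: sc-production   # separate connection, assumed to reach only the Production vault
                    KeyVaultName: kv-prod-example
                    SecretsFilter: ScaleSetAdminPassword
                - task: AzureCLI@2
                  inputs:
                    azureSubscription: sc-production
                    scriptType: bash
                    scriptLocation: inlineScript
                    inlineScript: ./scripts/promote-image.sh rg-prod-example
                  env:
                    ADMIN_PASSWORD: $(ScaleSetAdminPassword)
```

The approval itself is not expressed in YAML: it is a check configured on the `production` environment, so a change to the pipeline file alone cannot remove it.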


  • Azure DevTest Labs provides labs that have all the necessary tools and software to create environments. Developers can efficiently self-manage resources without waiting for approvals. With DevTest Labs, teams can control costs and regulate resources per lab, granting developers permission and flexibility to operate their sandboxes within cost constraints.

  • Azure VM Image Builder service provides baseline VM images that developers can customize. The service facilitates the creation and patching of images and can be called as an Azure Pipelines task.

  • Shared Image Gallery acts as a VM image repository for IaaS solutions. VM Image Builder can build directly into a Shared Image Gallery, facilitating an Azure Pipelines CI/CD process of versioning the VM-based application.

  • GitHub is a code hosting platform for version control and collaboration. A GitHub repository contains all project files and their revision history. Developers can work together to contribute, discuss, and manage code in the repository.

  • Azure Pipelines deploys the VM application images. Pipelines can also deploy the VM resources themselves, through Azure Resource Manager (ARM) templates. This infrastructure-as-code can be source controlled and configured for CI/CD, ensuring that the infrastructure remains up to date.

  • Azure Key Vault securely stores and tightly controls access to secrets like API keys, passwords, and certificates. For more information about Key Vault in DevOps scenarios, see DevSecOps in Azure.

  • Azure Boards is a service for managing work for software projects. Azure Boards brings a rich set of capabilities, including native support for Scrum and Kanban methodologies, customizable dashboards, and integrated reporting.

  • Azure Active Directory (Azure AD) is an enterprise identity platform that provides single sign-on and multifactor authentication to govern user access to resources. In this scenario, a separate Azure AD per subscription creates a distinct separation of concerns between Azure users.

  • Azure Policy governs resources to meet organizational standards and compliance. In a DevTest role, Azure Policy can regulate and limit the number and costs of VMs in the subscription. Auditing can provide insights and track the usage of the DevTest VMs.

  • Azure Monitor can work across subscriptions to monitor VMs in both Production and DevTest environments. Azure Monitor can collect log data from VM operating systems and crash dump files, and aggregate them for viewing in Microsoft Defender for Cloud.


In situations where VM Image Builder and a Shared Image Gallery don't work, you can set up an image factory to build VM images from the CI/CD pipeline and distribute them automatically to any Azure DevTest Labs registered to those images. For more information, see Run an image factory from Azure DevOps.

Next steps