Þessi vafri er ekki lengur studdur.
Uppfærðu í Microsoft Edge til að nýta þér nýjustu eiginleika, öryggisuppfærslur og tæknilega aðstoð.
This quickstart provides an introduction to bring your own storage (BYOS) for an Azure Managed Application. You create and publish a managed application definition in your service catalog for members of your organization. When you use your own storage account, your managed application definition can exceed the service catalog's 120-MB limit.
To publish a managed application definition to your service catalog, do the following tasks:
If your managed application definition is less than 120 MB and you don't want to use your own storage account, go to Quickstart: Create and publish an Azure Managed Application definition.
You can use Bicep to develop a managed application definition but it must be converted to ARM template JSON before you can publish the definition in Azure. For more information, go to Quickstart: Use Bicep to create and publish an Azure Managed Application definition.
You can also use Bicep deploy a managed application definition from your service catalog. For more information, go to Quickstart: Use Bicep to deploy an Azure Managed Application definition.
To complete this quickstart, you need the following items:
Every managed application definition includes a file named mainTemplate.json. The template defines the Azure resources to deploy and is no different than a regular ARM template.
Open Visual Studio Code, create a file with the case-sensitive name mainTemplate.json and save it.
Add the following JSON and save the file. It defines the managed application's resources to deploy an App Service, App Service plan, and a storage account.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]"
},
"appServicePlanName": {
"type": "string",
"maxLength": 40,
"metadata": {
"description": "App Service plan name."
}
},
"appServiceNamePrefix": {
"type": "string",
"maxLength": 47,
"metadata": {
"description": "App Service name prefix."
}
}
},
"variables": {
"appServicePlanSku": "B1",
"appServicePlanCapacity": 1,
"appServiceName": "[format('{0}{1}', parameters('appServiceNamePrefix'), uniqueString(resourceGroup().id))]",
"linuxFxVersion": "DOTNETCORE|8.0"
},
"resources": [
{
"type": "Microsoft.Web/serverfarms",
"apiVersion": "2023-01-01",
"name": "[parameters('appServicePlanName')]",
"location": "[parameters('location')]",
"sku": {
"name": "[variables('appServicePlanSku')]",
"capacity": "[variables('appServicePlanCapacity')]"
},
"kind": "linux",
"properties": {
"zoneRedundant": false,
"reserved": true
}
},
{
"type": "Microsoft.Web/sites",
"apiVersion": "2023-01-01",
"name": "[variables('appServiceName')]",
"location": "[parameters('location')]",
"properties": {
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]",
"httpsOnly": true,
"redundancyMode": "None",
"siteConfig": {
"linuxFxVersion": "[variables('linuxFxVersion')]",
"minTlsVersion": "1.2",
"ftpsState": "Disabled"
}
},
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]"
]
}
],
"outputs": {
"appServicePlan": {
"type": "string",
"value": "[parameters('appServicePlanName')]"
},
"appServiceApp": {
"type": "string",
"value": "[reference(resourceId('Microsoft.Web/sites', variables('appServiceName')), '2023-01-01').defaultHostName]"
}
}
}
As a publisher, you define the portal experience to create the managed application. The createUiDefinition.json file generates the portal's user interface. You define how users provide input for each parameter using control elements like drop-downs and text boxes.
In this example, the user interface prompts you to input the App Service name prefix and App Service plan's name. During deployment of mainTemplate.json the appServiceName variables uses the uniqueString function to append a 13-character string to the name prefix so the name is globally unique across Azure.
Open Visual Studio Code, create a file with the case-sensitive name createUiDefinition.json and save it.
Add the following JSON code to the file and save it.
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"basics": [
{}
],
"steps": [
{
"name": "webAppSettings",
"label": "Web App settings",
"subLabel": {
"preValidation": "Configure the web app settings",
"postValidation": "Completed"
},
"elements": [
{
"name": "appServicePlanName",
"type": "Microsoft.Common.TextBox",
"label": "App Service plan name",
"placeholder": "App Service plan name",
"defaultValue": "",
"toolTip": "Use alphanumeric characters or hyphens with a maximum of 40 characters.",
"constraints": {
"required": true,
"regex": "^[a-z0-9A-Z-]{1,40}$",
"validationMessage": "Only alphanumeric characters or hyphens are allowed, with a maximum of 40 characters."
},
"visible": true
},
{
"name": "appServiceName",
"type": "Microsoft.Common.TextBox",
"label": "App Service name prefix",
"placeholder": "App Service name prefix",
"defaultValue": "",
"toolTip": "Use alphanumeric characters or hyphens with minimum of 2 characters and maximum of 47 characters.",
"constraints": {
"required": true,
"regex": "^[a-z0-9A-Z-]{2,47}$",
"validationMessage": "Only alphanumeric characters or hyphens are allowed, with a minimum of 2 characters and maximum of 47 characters."
},
"visible": true
}
]
}
],
"outputs": {
"location": "[location()]",
"appServicePlanName": "[steps('webAppSettings').appServicePlanName]",
"appServiceNamePrefix": "[steps('webAppSettings').appServiceName]"
}
}
}
To learn more, go to Get started with CreateUiDefinition.
Add the two files to a package file named app.zip. The two files must be at the root level of the .zip file. If the files are in a folder, when you create the managed application definition, you receive an error that states the required files aren't present.
Upload app.zip to an Azure storage account so you can use it when you deploy the managed application's definition. The storage account name must be globally unique across Azure and the length must be 3-24 characters with only lowercase letters and numbers. In the command, replace the placeholder <pkgstorageaccountname> including the angle brackets (<>), with your unique storage account name.
New-AzResourceGroup -Name packageStorageGroup -Location westus
$pkgstorageparms = @{
ResourceGroupName = "packageStorageGroup"
Name = "<pkgstorageaccountname>"
Location = "westus"
SkuName = "Standard_LRS"
Kind = "StorageV2"
MinimumTlsVersion = "TLS1_2"
AllowBlobPublicAccess = $true
AllowSharedKeyAccess = $false
}
$pkgstorageaccount = New-AzStorageAccount @pkgstorageparms
The $pkgstorageparms variable uses PowerShell splatting to improve readability for the parameter values used in the command to create the new storage account. Splatting is used in other PowerShell commands that use multiple parameter values.
After you create the storage account, add the role assignment Storage Blob Data Contributor to the storage account scope. Assign access to your Microsoft Entra user account. Depending on your access level in Azure, you might need other permissions assigned by your administrator. For more information, see Assign an Azure role for access to blob data and Assign Azure roles using the Azure portal.
After you add the role to the storage account, it takes a few minutes to become active in Azure. You can then create the context needed to create the container and upload the file.
$pkgstoragecontext = New-AzStorageContext -StorageAccountName $pkgstorageaccount.StorageAccountName -UseConnectedAccount
New-AzStorageContainer -Name appcontainer -Context $pkgstoragecontext -Permission blob
$blobparms = @{
File = "app.zip"
Container = "appcontainer"
Blob = "app.zip"
Context = $pkgstoragecontext
}
Set-AzStorageBlobContent @blobparms
Use the following command to store the package file's URI in a variable named packageuri. You use the variable's value when you deploy the managed application definition.
$packageuri=(Get-AzStorageBlob -Container appcontainer -Blob app.zip -Context $pkgstoragecontext).ICloudBlob.StorageUri.PrimaryUri.AbsoluteUri
You store your managed application definition in your own storage account so that its location and access can be managed by you for your organization's regulatory needs. Using your own storage account allows you to have an application that exceeds the 120-MB limit for a service catalog's managed application definition.
Athugasemd
Bring your own storage is only supported with ARM template or REST API deployments of the managed application definition.
Create the storage account for your managed application definition. The storage account name must be globally unique across Azure and the length must be 3-24 characters with only lowercase letters and numbers.
This example creates a new resource group named byosDefinitionStorageGroup. In the command, replace the placeholder <byosaccountname> including the angle brackets (<>), with your unique storage account name.
New-AzResourceGroup -Name byosDefinitionStorageGroup -Location westus
$byostorageparms = @{
ResourceGroupName = "byosDefinitionStorageGroup"
Name = "<byosaccountname>"
Location = "westus"
SkuName = "Standard_LRS"
Kind = "StorageV2"
MinimumTlsVersion = "TLS1_2"
AllowBlobPublicAccess = $true
AllowSharedKeyAccess = $true
}
$byosstorageaccount = New-AzStorageAccount @byostorageparms
After you create the storage account, add the role assignment Storage Blob Data Contributor to the storage account scope. Assign access to your Microsoft Entra user account. You need access for a step later in the process.
After you add the role to the storage account, it takes a few minutes to become active in Azure. You can then create the context needed to create the container and upload the file.
$byosstoragecontext = New-AzStorageContext -StorageAccountName $byosstorageaccount.StorageAccountName -UseConnectedAccount
Use the following command to store the storage account's resource ID in a variable named byosstorageid. You use the variable's value when you deploy the managed application definition.
$byosstorageid = (Get-AzStorageAccount -ResourceGroupName $byosstorageaccount.ResourceGroupName -Name $byosstorageaccount.StorageAccountName).Id
Before you deploy your managed application definition to your storage account, assign the Contributor role to the Appliance Resource Provider user at the storage account scope. This assignment lets the identity write definition files to your storage account's container.
You can use variables to set up the role assignment. This example uses the $byosstorageid variable you created in the previous step and creates the $arpid variable.
$arpid = (Get-AzADServicePrincipal -SearchString "Appliance Resource Provider").Id
New-AzRoleAssignment -ObjectId $arpid -RoleDefinitionName Contributor -Scope $byosstorageid
The Appliance Resource Provider is a service principal in your Microsoft Entra tenant. From the Azure portal, you can verify if it's registered by going to Microsoft Entra ID > Enterprise applications and change the search filter to Microsoft Applications. Search for Appliance Resource Provider. If it isn't found, register the Microsoft.Solutions resource provider.
The next step is to select a user, security group, or application for managing the resources for the customer. This identity has permissions on the managed resource group according to the assigned role. The role can be any Azure built-in role like Owner or Contributor.
This example uses a security group, and your Microsoft Entra account should be a member of the group. To get the group's object ID, replace the placeholder <managedAppDemo> including the angle brackets (<>), with your group's name. You use the variable's value when you deploy the managed application definition.
To create a new Microsoft Entra group, go to Manage Microsoft Entra groups and group membership.
$principalid=(Get-AzADGroup -DisplayName <managedAppDemo>).Id
Next, get the role definition ID of the Azure built-in role you want to grant access to the user, group, or application. You use the variable's value when you deploy the managed application definition.
$roleid=(Get-AzRoleDefinition -Name Owner).Id
Use a Bicep file to deploy the managed application definition in your service catalog. After the deployment, the definition files are stored in your own storage account.
Open Visual Studio Code, create a file with the name deployDefinition.bicep and save it.
Add the following Bicep code and save the file.
param location string = resourceGroup().location
@description('Name of the managed application definition.')
param managedApplicationDefinitionName string
@description('Resource ID for the bring your own storage account where the definition is stored.')
param definitionStorageResourceID string
@description('The URI of the .zip package file.')
param packageFileUri string
@description('Publishers Principal ID that needs permissions to manage resources in the managed resource group.')
param principalId string
@description('Role ID for permissions to the managed resource group.')
param roleId string
var definitionLockLevel = 'ReadOnly'
var definitionDisplayName = 'Sample BYOS managed application'
var definitionDescription = 'Sample BYOS managed application that deploys web resources'
resource managedApplicationDefinition 'Microsoft.Solutions/applicationDefinitions@2021-07-01' = {
name: managedApplicationDefinitionName
location: location
properties: {
lockLevel: definitionLockLevel
description: definitionDescription
displayName: definitionDisplayName
packageFileUri: packageFileUri
storageAccountId: definitionStorageResourceID
authorizations: [
{
principalId: principalId
roleDefinitionId: roleId
}
]
}
}
For more information about the template's properties, go to Microsoft.Solutions/applicationDefinitions.
The lockLevel on the managed resource group prevents the customer from performing undesirable operations on this resource group. Currently, ReadOnly is the only supported lock level. ReadOnly specifies that the customer can only read the resources present in the managed resource group. The publisher identities that are granted access to the managed resource group are exempt from the lock level.
The managed application definition's deployment template needs input for several parameters. The deployment command prompts you for the values or you can create a parameter file for the values. In this example, we use a parameter file to pass the parameter values to the deployment command.
In Visual Studio Code, create a new file named deployDefinition-parameters.bicepparam and save it.
Add the following to your parameter file and save it. Then, replace the <placeholder values> including the angle brackets (<>), with your values.
using './deployDefinition.bicep'
param managedApplicationDefinitionName = 'sampleByosManagedApplication'
param definitionStorageResourceID = '<placeholder for you BYOS storage account ID>'
param packageFileUri = '<placeholder for the packageFileUri>'
param principalId = '<placeholder for principalid value>'
param roleId = '<placeholder for roleid value>'
The following table describes the parameter values for the managed application definition.
| Parameter | Value |
|---|---|
managedApplicationDefinitionName |
Name of the managed application definition. For this example, use sampleByosManagedApplication. |
definitionStorageResourceID |
Resource ID for the storage account where the definition is stored. Use your byosstorageid variable's value. |
packageFileUri |
Enter the URI for your .zip package file. Use your packageuri variable's value. |
principalId |
The publishers Principal ID that needs permissions to manage resources in the managed resource group. Use your principalid variable's value. |
roleId |
Role ID for permissions to the managed resource group. For example Owner, Contributor, Reader. Use your roleid variable's value. |
To get your variable values:
$variableName to display a variable's value.echo $variableName to display a variable's value.When you deploy the managed application's definition, it becomes available in your service catalog. This process doesn't deploy the managed application's resources.
Create a resource group named byosAppDefinitionGroup and deploy the managed application definition to your storage account.
New-AzResourceGroup -Name byosAppDefinitionGroup -Location westus
$deployparms = @{
ResourceGroupName = "byosAppDefinitionGroup"
TemplateFile = "deployDefinition.bicep"
TemplateParameterFile = "deployDefinition-parameters.bicepparam"
Name = "deployDefinition"
}
New-AzResourceGroupDeployment @deployparms
During deployment, the template's storageAccountId property uses your storage account's resource ID and creates a new container with the case-sensitive name applicationdefinitions. The files from the .zip package you specified during the deployment are stored in the new container.
You can use the following commands to verify that the managed application definition files are saved in your storage account's container.
Get-AzStorageContainer -Name applicationdefinitions -Context $byosstoragecontext |
Get-AzStorageBlob | Select-Object -Property Name | Format-List
Athugasemd
For added security, you can create a managed applications definition and store it in an Azure storage account blob where encryption is enabled. The definition contents are encrypted through the storage account's encryption options. Only users with permissions to the file can access the definition in your service catalog.
After a successful deployment, to improve the storage account's security, disable the shared access key property. When the storage account was created, you added a role assignment for Storage Blob Data Contributor that gives you to access the container and blobs without using storage keys.
To review and update the storage account's shared access key settings, use the following commands:
(Get-AzStorageAccount -ResourceGroupName $byosstorageaccount.ResourceGroupName -Name $byosstorageaccount.StorageAccountName).AllowSharedKeyAccess
Set-AzStorageAccount -ResourceGroupName $byosstorageaccount.ResourceGroupName -Name $byosstorageaccount.StorageAccountName -AllowSharedKeyAccess $false
You have access to the managed application definition, but you want to make sure other users in your organization can access it. Grant them at least the Reader role on the definition. They might have inherited this level of access from the subscription or resource group. To check who has access to the definition and add users or groups, go to Assign Azure roles using the Azure portal.
If you're going to deploy the definition, continue with the Next steps section that links to the article to deploy the definition.
If you're finished with the managed application definition, you can delete the resource groups you created named packageStorageGroup, byosDefinitionStorageGroup, and byosAppDefinitionGroup.
The command prompts you to confirm that you want to remove the resource group.
Remove-AzResourceGroup -Name packageStorageGroup
Remove-AzResourceGroup -Name byosDefinitionStorageGroup
Remove-AzResourceGroup -Name byosAppDefinitionGroup
You published the managed application definition. Now, learn how to deploy an instance of that definition.
Þjálfun
Eining
Build your first deployment stack - Training
Learn how to build and deploy deployment stacks.
Vottorð
Microsoft Certified: Azure Developer Associate - Certifications
Build end-to-end solutions in Microsoft Azure to create Azure Functions, implement and manage web apps, develop solutions utilizing Azure storage, and more.
Skjöl
Deploy a service catalog managed application - Azure Managed Applications
Describes how to deploy a service catalog's managed application for an Azure Managed Application using Azure PowerShell, Azure CLI, or Azure portal.
Tutorial - custom actions & resources - Azure Managed Applications
This tutorial describes how to create an Azure Managed Application with an Azure Custom Provider.
Overview of Azure Managed Applications - Azure Managed Applications
Describes the concepts for Azure Managed Applications that provide cloud solutions that are easy for customers to deploy and operate.