Revolutionizing our ARM template deployment at Microsoft with shift from JSON to BICEP

Jan 17, 2024

With a new solution for Microsoft Azure Resource Manager (ARM) templates, engineers on our Microsoft Cloud Engineering Services team have reduced the engineering hours spent on developing ARM templates by 50 percent. At the same time, they have improved security compliance and implemented an infrastructure as code (IaC) solution that enables continuous integration/continuous delivery (CI/CD).

For years before this new solution, Microsoft Azure customers had relied on JSON-based virtual machine (VM) ARM templates to deploy resources to Azure. Initially, VM ARM templates were an excellent solution, simplifying VM creation and easing the transition to the cloud.

However, these templates haven’t always aligned with the security requirements of both internal and external stakeholders.

Additionally, from a developmental perspective, JSON-based ARM templates couldn’t be shared seamlessly across an organization. Updates had to be done manually by Microsoft engineers, and often, external customers needed their engineers to spend time customizing fixes for security controls.

There was also an absence of role-based access control (RBAC) that hindered collaboration and led to security concerns.


To create a better solution, our Cloud Engineering Services team in Microsoft Digital (MSD), the company’s IT organization, embarked on a transformative journey, shifting from using JSON-based ARM templates to implementing BICEP and IaC.

BICEP is a domain-specific language (DSL) designed for IaC that uses a declarative syntax to deploy Azure resources.

“With BICEP, we’ve been able to transform Azure resource creation and deployment,” says Angus Lin, a senior software engineer on the Cloud Engineering Services team. “It’s a seamless IaC solution that not only retains the strengths of JSON-based ARM templates but surpasses them. BICEP isn’t just a tool, it’s a catalyst for efficiency, security, and innovation in Azure development.”

Benefits of switching to BICEP-based ARM templates

Our engineers found that BICEP retained all the benefits of JSON-based ARM templates while addressing their shortcomings.


Transitioning to BICEP has provided the following advantages:

  • All provisioned template resources are secure by default, aligning with internal Microsoft security standards.
  • Engineering hours spent on developing templates have been reduced by around 50 percent.
  • Customer engineering hours spent on remediating failed security controls have been eliminated (a 100 percent reduction).
  • Access to the latest template versions is streamlined for over 1,100 users, ensuring seamless adoption of updates.
  • Implementation of modern CI/CD solutions via Azure DevOps enhances code quality and diminishes maintenance overhead.
  • Over 1,100 users are granted access through a security group via RBAC, using a granular Azure role that grants read access to template specs, so no write access is needed to deploy new resources.

A flowchart depicts how a BICEP file is fed through the CI/CD pipeline and is ultimately pushed into an Azure environment.

Modern Microsoft Azure resource provisioning prioritizes efficiency, security, and innovation at each step.

The secure-by-default design for ARM templates has been a particular highlight for external customers.

“The templates being created in a secure by default fashion means that customers have much less to worry about,” says John Dellenbaugh, a senior software engineering manager in MSD. “When we build these templates, we design configurations that align with security requirements. Customers no longer need to customize their own configurations for templates.”
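The secure-by-default pattern described above, as an added Bicep example (this is not one of the Cloud Engineering Services team's templates). The article's templates provision VMs; a storage account is used here because it shows the same idea in fewer lines. The resource and parameter names, the API version and the allowed SKU list are choices made for this illustration. The security-relevant decision is which settings are exposed as parameters at all: every hardening property below is a literal, so a consumer of the template cannot weaken it by passing a different value.

```bicep
// Added example: a secure-by-default storage account module.
// Hardened settings are fixed in the template, not parameters, so they
// cannot be overridden at deployment time.
targetScope = 'resourceGroup'

@description('Base name; a unique suffix is appended to satisfy global uniqueness.')
@minLength(3)
@maxLength(11)
param namePrefix string

@description('Deployment region; defaults to the resource group location.')
param location string = resourceGroup().location

@description('Redundancy SKU. Only zone- or geo-redundant SKUs are allowed (assumed policy).')
@allowed([
  'Standard_ZRS'
  'Standard_GZRS'
])
param skuName string = 'Standard_ZRS'

// Storage account names must be 3-24 lowercase alphanumerics; 11 + 13 = 24 at most.
var storageName = toLower('${namePrefix}${uniqueString(resourceGroup().id)}')

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageName
  location: location
  kind: 'StorageV2'
  sku: {
    name: skuName
  }
  properties: {
    supportsHttpsTrafficOnly: true    // reject plaintext HTTP
    minimumTlsVersion: 'TLS1_2'       // no TLS 1.0/1.1 clients
    allowBlobPublicAccess: false      // no anonymous container or blob access
    allowSharedKeyAccess: false       // Entra ID authorization only; account keys and SAS are unusable
    publicNetworkAccess: 'Disabled'   // reachable through private endpoints only
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
    }
  }
}

output storageAccountId string = storage.id
output storageAccountName string = storage.name
```

Because shared-key access is disabled, data-plane access has to be granted with Azure RBAC (for example a built-in blob data role assigned to a security group) rather than by handing out keys; that pairs with the RBAC model the article describes for the templates themselves.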

Before fully adopting BICEP and realizing positive outcomes for internal and external customers, the Cloud Engineering Services team first refined the procedures surrounding ARM resource deployment to enhance efficiency and security compliance.

Reconfiguring ARM resource deployment with BICEP

Photos of Lin, Apple, Dellenbaugh, and Forte joined together in a composite image.
Angus Lin, Pete Apple, John Dellenbaugh, and Mark Forte are on the Cloud Engineering Services team in Microsoft Digital that moved our ARM resource deployment from JSON to BICEP.

To implement BICEP and transition from using JSON ARM templates, our team designed a new system.

Key components of the new system included secure storage and management of ARM templates within Azure, using Azure RBAC for defining controls, and introducing “template specs” for versioning purposes. A CI/CD pipeline process was also put into place to deploy template specs, enabling automated integration of the latest iterations and configurations into the Azure environment.

ARM templates are now stored securely within Azure, ensuring that only authorized personnel, after joining a designated security group, can gain access.

Authorized personnel are determined through RBAC, which is employed to define and manage access to resources within Azure. This ensures that only authorized individuals have the necessary permissions for template deployment, reducing the risk of security breaches.
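One way to express that RBAC grant in Bicep, as an added example that is not the team's own code: it gives a security group read-only access to every template spec in the resource group that holds them, which is enough to deploy from a published version and nothing more. The group object ID and the role definition ID are supplied as parameters because the page does not give their values; the comment shows how to look the role ID up.

```bicep
// Added example: grant a security group read access to the template specs
// in this resource group. Deployed against the resource group that stores the specs.
targetScope = 'resourceGroup'

@description('Object ID of the Entra ID security group whose members may deploy from the specs.')
param deployersGroupObjectId string

@description('Role definition ID (GUID) of the built-in Template Spec Reader role. Look it up with: az role definition list --name "Template Spec Reader" --query "[].name" -o tsv')
param templateSpecReaderRoleId string

// No explicit scope, so the assignment applies to this resource group only:
// it covers the specs the group contains and nothing else in the subscription.
resource templateSpecReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  // A deterministic name makes the assignment idempotent across repeated pipeline runs.
  name: guid(resourceGroup().id, deployersGroupObjectId, templateSpecReaderRoleId)
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', templateSpecReaderRoleId)
    principalId: deployersGroupObjectId
    principalType: 'Group'
  }
}

output roleAssignmentId string = templateSpecReader.id
```

Members of the group still need permission to create resources in their own target resource group; what they do not get is write access to the specs, so the published templates cannot be modified from the consumer side.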


Another game-changer in the new system is template specs. Template specs are a first-party Azure resource type for storing ARM templates securely, with access controlled through RBAC.

Template specs also allow versioning within the same resource, ensuring that users always have access to the latest iterations of ARM templates across an organization. This eliminates the challenges associated with inconsistent versioning, promoting collaboration, and reducing the risk of deploying outdated or non-compliant templates.

“The introduction of template specs for versioning has been a breakthrough,” says Mark Forte, a software engineer on the Cloud Engineering Services team. “Now, organizations can maintain a consistent and secure repository of ARM templates, ensuring that deployment processes are always aligned with the latest security and compliance requirements.”
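Consuming a versioned template spec from Bicep, as an added example that is not the team's code. The subscription ID, resource group, spec name and version in the module path are placeholders, and the example assumes the spec was published from a template that exposes a `namePrefix` parameter and a `storageAccountId` output; substitute your own.

```bicep
// Added example: deploy from a published template spec version.
// Bicep resolves the "ts:" reference when the file is built, so the identity
// running the build needs read access to the spec (the Template Spec Reader grant).
targetScope = 'resourceGroup'

@description('Base name passed through to the published template.')
param namePrefix string

// Module path format: ts:<subscription-id>/<resource-group>/<spec-name>:<version>
// The version is pinned deliberately. A floating "latest" would let an unreviewed
// change land in every consumer's next deployment; bump the version on purpose instead.
module secureStorage 'ts:00000000-0000-0000-0000-000000000000/rg-template-specs/secure-storage:1.2.0' = {
  name: 'secureStorage'
  params: {
    namePrefix: namePrefix
  }
}

output storageAccountId string = secureStorage.outputs.storageAccountId
```

Publishing a new version from a pipeline is a single command, for example `az ts create --resource-group rg-template-specs --name secure-storage --version 1.2.0 --template-file secure-storage.bicep`; consumers then move to the new version by changing the pinned suffix, which gives a reviewable diff for every template upgrade.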


Also critical for the new BICEP ARM template system is IaC, a methodology that uses code to automate the deployment of resources to the cloud. IaC proves highly beneficial in ensuring uniformity throughout the deployment process, and functions particularly well when internal developers have access to an extensive internal library.

“The idea is to employ infrastructure as code alongside an enterprise library, empowering internal application owners and users to deploy and manage resources consistently in alignment with the organization’s standards,” says Pete Apple, a principal technical program manager architect in MSD. “Automating these practices sets businesses up for success and helps customers excel in the cloud, saving time and securing sensitive data.”

Looking forward

The transition from JSON-based ARM templates to the implementation of BICEP and IaC marks a transformative journey for our Cloud Engineering Services team at Microsoft. This shift not only addressed the shortcomings of the previous system but ushered in a new era of efficiency, security, and innovation in Azure development.

The Cloud Engineering Services team continues to refine and optimize the new ARM template deployment system, committed to providing secure, efficient, and collaborative solutions that will benefit Azure users and organizations embracing cloud technologies.

Key Takeaways

These are some of the top things we learned shifting from JSON to BICEP:

  • Implementing BICEP retains the benefits of JSON-based ARM templates but has significantly improved security compliance, ensuring that all provisioned template resources are secure by default.
  • As part of the transition to BICEP, we designed a new system surrounding ARM resource deployment that enhances security and efficiency.
  • The implementation of modern CI/CD solutions via Azure DevOps has not only enhanced code quality but has also significantly reduced maintenance overhead, ensuring a smoother development lifecycle.
  • IaC, as an automation process, should be used alongside an internal enterprise library for best results.
