Configure Azure Deployment Environments

A dev center is the top-level resource for Azure Deployment Environments that contains the collection of development projects. In the dev center, you specify the common configuration for your projects, such as catalogs with application templates, and the types of environments to which development teams can deploy their code.

A platform engineering team typically sets up the dev center, attaches external catalogs to the dev center, creates projects, and provides access to development teams. Development teams then create environments by using environment definitions, connect to individual resources, and deploy applications.

After you complete this quickstart, developers can use the developer portal, the Azure CLI, or the Azure Developer CLI to create environments in the project to deploy their applications.

To learn more about the components of Azure Deployment Environments, see Key concepts for Azure Deployment Environments.

You need to perform the steps in this quickstart and then create a project before you can create a deployment environment. Alternatively to creating these resources manually, you can also follow this quickstart to deploy the dev center and project using an ARM template.

Prerequisites

• An Azure account with an active subscription. Create an account for free.
• Azure role-based access control role with permissions to create and manage resources in the subscription, such as Contributor or Owner.

Create a dev center

First, you create a dev center and attach a catalog to it. The catalog contains the application templates, called environment definitions, that development teams can use to create environments. In this quickstart, you attach the Microsoft quick start catalog, which contains sample environment definitions to help you get started.

To create and configure a dev center in Azure Deployment Environments by using the Azure portal:

1. Sign in to the Azure portal.

2. Search for Azure Deployment Environments, and then select the service in the results.

3. In Dev centers, select Create.

   

4. In Create a dev center, on the Basics tab, select or enter the following information:

   Name	Value
   Subscription	Select the subscription in which you want to create the dev center.
   Resource group	Either use an existing resource group or select Create new and enter a name for the resource group.
   Name	Enter a name for the dev center.
   Location	Select the location or region where you want to create the dev center.
   Attach a quick start catalog	Select the Azure deployment environment definitions checkbox. Clear the Dev box customization tasks checkbox.

5. Select Review + Create.

6. On the Review tab, wait for deployment validation, and then select Create.

7. You can check the progress of the deployment in your Azure portal notifications.

   

8. When the creation of the dev center is complete, select Go to resource. Confirm that you see the dev center overview pane.

   

Configure a managed identity for the dev center

To allow the creation of environments, the dev center requires permissions on the subscription. You can attach an identity to the dev center, and then assign the necessary permissions to that identity. You can attach either a system-assigned managed identity or a user-assigned managed identity. Learn about the two types of identities.

In this quickstart, you configure a system-assigned managed identity for your dev center. You then assign roles to the managed identity to allow the dev center to create environment types in your subscription.

Attach a system-assigned managed identity

To attach a system-assigned managed identity to your dev center:

1. In your dev center, on the left menu under Settings, select Identity.

2. Under System assigned, set Status to On, and then select Save.

   

3. In the Enable system assigned managed identity dialog, select Yes. It might take a few minutes for the rest of the fields to appear.

Assign roles for the dev center managed identity

The managed identity that represents your dev center requires access to the subscription where you configure the project environment types, and to the catalog.

1. In your dev center, on left menu under Settings, select Identity.

2. Under System assigned > Permissions, select Azure role assignments.

   

3. To give Contributor access to the subscription, select Add role assignment (Preview), enter or select the following information, and then select Save:

   Name	Value
   Scope	Subscription
   Subscription	Select the subscription in which to use the managed identity.
   Role	Contributor

4. To give User Access Administrator access to the subscription, select Add role assignment (Preview), enter or select the following information, and then select Save:

   Name	Value
   Scope	Subscription
   Subscription	Select the subscription in which to use the managed identity.
   Role	User Access Administrator

Create an environment type

Use an environment type to help you define the different types of environments your development teams can deploy. You can apply different settings for each environment type.

1. In the Azure portal, go to Azure Deployment Environments.

2. In Dev centers, select your dev center.

3. In the left menu under Environment configuration, select Environment types, and then select Create.

4. In Create environment type, enter the following information, and then select Add.

   Name	Value
   Name	Enter a name for the environment type.
   Tags	Optionally, enter a tag name and a tag value.

   

An environment type that you add to your dev center is available in each project in the dev center, but environment types aren't enabled by default. When you enable an environment type at the project level, the environment type determines the managed identity and subscription that are used to deploy environments.

Create a project

In Azure Deployment Environments, a project represents a team or business function within the organization. For example, you might create a project for the implementation of an e-commerce application, which has a development, staging, and production environment. For another project, you might define a different configuration.

When you associate a project with a dev center, all the settings for the dev center are automatically applied to the project. Each project can be associated with only one dev center.

To create an Azure Deployment Environments project in your dev center:

1. In the Azure portal, go to Azure Deployment Environments.

2. In the left menu under Configure, select Projects.

3. In Projects, select Create.

4. In Create a project, on the Basics tab, enter or select the following information:

   Name	Value
   Subscription	Select the subscription in which you want to create the project.
   Resource group	Either use an existing resource group or select Create new and enter a name for the resource group.
   Dev center	Select a dev center to associate with this project. All settings for the dev center apply to the project.
   Name	Enter a name for the project.
   Description (Optional)	Enter any project-related details.

5. On the Review + Create tab, wait for deployment validation, and then select Create.

6. Confirm that the project was successfully created by checking your Azure portal notifications. Then, select Go to resource. Confirm that you see the project overview pane.

Create a project environment type

In Azure Deployment Environments, project environment types are a subset of the environment types that you configure for the dev center. They help you preconfigure the types of environments that specific development teams can create.

To configure a project, add a project environment type:

1. In the Azure portal, go to your project.

2. In the left menu under Environment configuration, select Environment types, and then select Add.

   

3. In Add environment type to <project-name>, enter or select the following information:

   Name	Value
   Type	Select a dev center level environment type to enable for the specific project.
   Deployment subscription	Select the subscription in which the environment is created.
   Deployment identity	Select either a system-assigned identity or a user-assigned managed identity to perform deployments on behalf of the user.
   Permissions on environment resources > Environment creator role(s)	Select the roles to give access to the creator of the environment resources.
   Permissions on environment resources > Additional access	Select the users or Microsoft Entra groups to assign to specific roles on the environment resources.
   Tags	Enter a tag name and a tag value. These tags are applied on all resources that are created as part of the environment.

 Note

At least one identity (system-assigned or user-assigned) must be enabled for deployment identity. The identity is used to perform the environment deployment on behalf of the developer. Additionally, the identity attached to the dev center should be assigned the Contributor and the User Access Admistrator roles for access to the deployment subscription for each environment type.

Give access to the development team

Before developers can create environments based on the environment types in a project, you must provide access for them through a role assignment at the level of the project. The Deployment Environments User role enables users to create, manage, and delete their own environments. You must have sufficient permissions to a project before you can add users to it.

1. In the Azure portal, go to your project.

2. In the left menu, select Access control (IAM).

3. Select Add > Add role assignment.

4. Assign the following role. For detailed steps, see Assign Azure roles using the Azure portal.

   Setting	Value
   Role	Select Deployment Environments User.
   Assign access to	Select User, group, or service principal.
   Members	Select the users or groups you want to have access to the project.

   

 

Create a chaos experiment that uses an agent-based fault with the Azure portal

You can use these same steps to set up and run an experiment for any agent-based fault. An agent-based fault requires setup and installation of the chaos agent. A service-direct fault runs directly against an Azure resource without any need for instrumentation.

Prerequisites

• An Azure subscription. If you don't have an Azure subscription, create an Azure free account before you begin.
• A Linux VM running an operating system in the version compatibility list. If you don't have a VM, you can create one.
• A network setup that permits you to SSH into your VM.
• A user-assigned managed identity that was assigned to the target VM or virtual machine scale set. If you don't have a user-assigned managed identity, you can create one.

Enable Chaos Studio on your virtual machine

Chaos Studio can't inject faults against a VM unless that VM was added to Chaos Studio first. To add a VM to Chaos Studio, create a target and capabilities on the resource. Then you install the chaos agent.

Virtual machines have two target types. One target type enables service-direct faults (where no agent is required). Another target type enables agent-based faults (which requires the installation of an agent). The chaos agent is an application installed on your VM as a VM extension. You use it to inject faults in the guest operating system.

Enable the chaos target, capabilities, and agent

 Important

Prior to finishing the next steps, you must create a user-assigned managed identity. Then you assign it to the target VM or virtual machine scale set.

1. Open the Azure portal.

2. Search for Chaos Studio in the search bar.

3. Select Targets and move to your VM.

   

4. Select the checkbox next to your VM and select Enable targets. Then select Enable agent-based targets from the dropdown menu.

   

5. Select the Managed Identity to use to authenticate the chaos agent and optionally enable Application Insights to see experiment events and agent logs.

   

6. Select Review + Enable > Enable.

   

7. After a few minutes, a notification appears that indicates that the resources selected were successfully enabled. The Azure portal adds the user-assigned identity to the VM. The portal enables the agent target and capabilities and installs the chaos agent as a VM extension.

   

8. If you're enabling a virtual machine scale set, upgrade instances to the latest model by going to the virtual machine scale set resource pane. Select Instances, and then select all instances. Select Upgrade if you're not on the latest model.

You've now successfully added your Linux VM to Chaos Studio. In the Targets view, you can also manage the capabilities enabled on this resource. Select the Manage actions link next to a resource to display the capabilities enabled for that resource.

Create an experiment

Now you can create your experiment. A chaos experiment defines the actions you want to take against target resources. The actions are organized and run in sequential steps. The chaos experiment also defines the actions you want to take against branches, which run in parallel.

1. Select the Experiments tab in Chaos Studio. In this view, you can see and manage all your chaos experiments. Select Create > New experiment.

   

2. Fill in the Subscription, Resource Group, and Location where you want to deploy the chaos experiment. Give your experiment a name. Select Next: Experiment designer.

   

3. You're now in the Chaos Studio experiment designer. You can build your experiment by adding steps, branches, and faults. Give a friendly name to your Step and Branch. Then select Add action > Add fault.

   

4. Select CPU Pressure from the dropdown list. Fill in Duration with the number of minutes to apply pressure. Fill in pressureLevel with the % of CPU utilization pressure that you want to apply. Leave virtualMachineScaleSetInstances blank. Select Next: Target resources.

   

5. Select your VM and select Next.

   

6. Verify that your experiment looks correct. Then select Review + create > Create.

   

Give the experiment permission to your virtual machine

When you create a chaos experiment, Chaos Studio creates a system-assigned managed identity that executes faults against your target resources. This identity must be given appropriate permissions to the target resource for the experiment to run successfully.

1. Go to your VM and select Access control (IAM).

   

2. Select Add > Add role assignment.

   

3. Search for Reader and select the role. Select Next.

   

4. Choose Select members and search for your experiment name. Select your experiment and choose Select. If there are multiple experiments in the same tenant with the same name, your experiment name is truncated with random characters added.

   

5. Select Review + assign > Review + assign.

Run your experiment

You're now ready to run your experiment. To see the impact, we recommend that you open an Azure Monitor metrics chart with your VM's CPU pressure in a separate browser tab.

1. In the Experiments view, select your experiment. Select Start > OK.

   

2. After the Status changes to Running, under History, select Details for the latest run to see details for the running experiment.