Azure Managed Applications offer a convenient way to deploy and manage applications on Azure. This approach streamlines the process, reducing administrative overhead.
Azure Managed Applications provide a consistent and predictable deployment experience, leveraging Azure Resource Manager (ARM) templates to define infrastructure and application resources.
By using Azure Managed Applications, you can simplify your application deployment and management, reducing the complexity associated with managing multiple resources.
A key benefit of Azure Managed Applications is the ability to manage applications at scale, using a centralized management model that simplifies operations and reduces costs.
Getting Started
To get started with Azure managed applications, create a public HTTPS endpoint that logs incoming POST requests and returns 200 OK. This will serve as the foundation for receiving managed application notifications.
You'll need to add this endpoint to the service catalog application definition or Azure Marketplace offer, which is explained in the article.
The recommended steps to get started quickly are outlined below:
- Create a public HTTPS endpoint that logs the incoming POST requests and returns 200 OK.
- Add the endpoint to the service catalog application definition or Azure Marketplace offer.
- Create a managed application instance that references the application definition or Azure Marketplace offer.
- Validate that the notifications are being received.
- Enable authorization as explained in the Endpoint authentication section.
- Follow the instructions in the Notification schema section to parse the notification requests and implement your business logic.
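The receiving side of the steps above, as an added example that is not part of the original article or Microsoft's code: a handler that checks a shared secret in a sig query parameter, then validates and summarizes the notification body. The sig parameter, the /resource path and the JSON field names are assumptions taken from the publish-notifications article listed under Sources; the secret and sample body are constructed.

```python
import hmac
import json
from urllib.parse import parse_qs, urlsplit

# Constructed secret: the value put in the "sig" query parameter of the
# endpoint URI registered with the application definition or offer.
EXPECTED_SIG = "0f8fad5b-d9cb-469f-a165-70867728950e"
REQUIRED_FIELDS = ("eventType", "applicationId", "eventTime", "provisioningState")

# Constructed sample body; field names are assumed from the notification schema.
SAMPLE_BODY = json.dumps({
    "eventType": "PUT",
    "applicationId": "/subscriptions/00000000-0000-0000-0000-000000000000"
                     "/resourceGroups/example-rg/providers/Microsoft.Solutions"
                     "/applications/example-app",
    "eventTime": "2024-01-01T00:00:00.0000000Z",
    "provisioningState": "Succeeded",
    "applicationDefinitionId": "/subscriptions/00000000-0000-0000-0000-000000000000"
                               "/resourceGroups/example-rg/providers/Microsoft.Solutions"
                               "/applicationDefinitions/example-def",
}).encode()


def handle_notification(method, target, body, expected_sig=EXPECTED_SIG):
    """Return (http_status, summary_or_None) for one incoming request."""
    if method != "POST":
        return 405, None
    sig = parse_qs(urlsplit(target).query).get("sig", [""])[0]
    # Constant-time comparison so response timing does not leak the secret.
    if not hmac.compare_digest(sig.encode(), expected_sig.encode()):
        return 401, None
    try:
        event = json.loads(body)
    except ValueError:  # also covers bodies that are not valid UTF-8
        return 400, None
    if not isinstance(event, dict) or any(
            not isinstance(event.get(f), str) for f in REQUIRED_FIELDS):
        return 400, None
    return 200, {
        # Assumed: Marketplace notifications carry "plan", service catalog
        # notifications carry "applicationDefinitionId" instead.
        "source": "marketplace" if "plan" in event else "service-catalog",
        "application_id": event["applicationId"],
        "event_type": event["eventType"],
        "state": event["provisioningState"],
        "needs_attention": event["provisioningState"] == "Failed",
    }


if __name__ == "__main__":
    print(handle_notification("POST", "/resource?sig=" + EXPECTED_SIG, SAMPLE_BODY))
```

When logging requests, record the parsed summary rather than the full request URI so the secret does not end up in log files.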
Prerequisites
To get started with deploying a Voyage Azure managed application, you'll need to meet some basic prerequisites. Ensure you have an existing Azure subscription.
You'll also need to have an existing virtual network into which you'll deploy the application. If you don't have one, you can create a new one by following the instructions in the article's "Create a Virtual Network" section.
To deploy the application, you'll need to have a quota of 24 Standard NCADS_A100_v4 Family vCPUs in your Azure subscription and region. This quota is specific to your subscription and region, so be sure to check your current quota and request an increase if necessary.
Here's a quick rundown of the prerequisites you'll need to meet:
- Azure Subscription: Ensure you have an existing Azure subscription.
- Virtual Network: You must have an existing virtual network into which you'll deploy a Voyage Azure managed application.
- Quota: You must have 24 Standard NCADS_A100_v4 Family vCPUs quota for each Voyage Azure managed application you want to deploy.
Getting Started
To begin receiving managed application notifications, create a public HTTPS endpoint. This will be the foundation of your notification system.
First, create a public HTTPS endpoint that logs incoming POST requests and returns 200 OK. This will allow you to track and verify the notifications you receive.
Next, add the endpoint to the service catalog application definition or Azure Marketplace offer as explained later in this article. This is a crucial step in setting up the notification system.
Create a managed application instance that references the application definition or Azure Marketplace offer. This will enable the notifications to be sent to your endpoint.
Once you've set up the endpoint and application instance, validate that the notifications are being received. This will ensure that your system is working correctly.
To complete the setup, enable authorization as explained in the Endpoint authentication section of this article. This will secure your notification system and prevent unauthorized access.
Finally, follow the instructions in the Notification schema section of this article to parse the notification requests and implement your business logic based on the notification.
Azure Managed Applications Overview
Azure Managed Applications are a great way to simplify the deployment and management of applications in Azure. They're essentially a package deal that includes everything needed to deploy and run an application, making it easy for customers to get started.
To offer managed applications, you need to meet certain requirements, including billing and metering. This means that resources are provided in the customer's Azure subscription, and they're billed via their subscription, unless they're using bring-your-own-license VMs, in which case you'll need to transact software licensing fees directly with the customer.
Customer usage attribution is also an important consideration. This allows customers to see how their usage is attributed to their Azure subscription, and you can enable it for more information.
A deployment package is necessary for managed applications to be deployable through Azure Marketplace. This package will let customers deploy your plan, and if you have multiple plans that require the same technical configuration, you can use the same package.
Azure Government services have specific requirements for data that's subject to government regulations, such as FedRAMP, NIST 800.171 (DIB), ITAR, IRS 1075, DoD L4, and CJIS. To bring awareness to your certifications for these programs, you can provide up to 100 links that describe them.
Here are some examples of the types of links you can provide:
- Links to your listing on the program directly
- Links to descriptions of your compliance with them on your own websites
These links will be visible to Azure Government customers only.
Configuration and Customization
In an Azure managed application, you can customize allowed customer actions by specifying which actions customers can perform on the managed resources in addition to the default */read actions.
This allows you to tailor the experience to your specific needs. You can define the portal experience to create the managed application, including how users provide input for each parameter using control elements like drop-downs and text boxes.
The createUiDefinition.json file generates the portal's user interface, and you can use the uniqueString function to append a 13-character string to the name prefix so the name is globally unique across Azure.
Define Pricing
When defining pricing for your Managed Application, keep in mind that it must only account for the management fee, not IP/software costs, Azure infrastructure, or add-ons.
You'll need to provide a per-month price for each plan, which is in addition to any Azure infrastructure or pay-as-you-go software costs incurred by the resources deployed by your solution.
Pricing is set in USD and is converted into local currency using current exchange rates. This means prices are published in local currency and aren't updated as exchange rates fluctuate.
You can set the per-month price to zero and charge exclusively using metered billing, which is useful for non-standard units.
To specify customer prices for each market, you'll need to export the prices, update the respective market and currency, save, and import the file.
Customize Allowed Customer Actions
You can optionally specify which actions customers can perform on the managed resources in addition to the */read actions that are available by default.
This is an optional feature, but it can be really useful if you want to give customers more control over their managed resources.
To customize allowed customer actions, you can specify additional actions that customers can perform on the managed resources.
For example, you can allow customers to create, update, or delete resources in addition to reading them.
Here are some examples of actions you can allow customers to perform:
- Create
- Update
- Delete
Keep in mind that you should only allow customers to perform actions that are necessary for them to use the managed resources effectively.
It's also a good idea to document the allowed actions in your plan so customers know what they can and can't do.
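A way to review an allowed-actions list before publishing, as an added example that is not part of the original article: it expands wildcard patterns to show which concrete operations a customer would end up with beyond the default */read. The semicolon-separated input format, the wildcard matching rule and the Microsoft.Web operation names are assumptions based on Azure RBAC operation strings; the sample list is constructed.

```python
import re

DEFAULT_ALLOWED = ["*/read"]  # available to customers by default, per the text above

# Constructed sample: one narrow action and one wildcard pattern.
SAMPLE_SPEC = "Microsoft.Web/sites/restart/action; Microsoft.Web/sites/*"
# Operations the publisher does not intend customers to perform (constructed).
SENSITIVE_OPS = ["Microsoft.Web/sites/delete", "Microsoft.Web/serverfarms/delete"]


def _to_regex(pattern):
    # Assumed RBAC-style wildcard: "*" matches any run of characters,
    # including "/"; operation names compare case-insensitively.
    body = re.escape(pattern).replace(r"\*", ".*")
    return re.compile("^" + body + "$", re.IGNORECASE)


def parse_allowed(spec):
    """Split a semicolon-separated action list, dropping empty entries."""
    return [a.strip() for a in spec.split(";") if a.strip()]


def is_permitted(operation, allowed):
    """True if the operation matches a default or explicitly allowed pattern."""
    return any(_to_regex(p).match(operation) for p in DEFAULT_ALLOWED + allowed)


def broad_patterns(allowed, sensitive_ops):
    """Map each allowed pattern to the sensitive operations it also permits."""
    findings = {}
    for pattern in allowed:
        hits = [op for op in sensitive_ops if _to_regex(pattern).match(op)]
        if hits:
            findings[pattern] = hits
    return findings


if __name__ == "__main__":
    allowed = parse_allowed(SAMPLE_SPEC)
    for pattern, ops in broad_patterns(allowed, SENSITIVE_OPS).items():
        print(f"{pattern} also permits: {', '.join(ops)}")
```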
Managed Requirements
Managed applications must be deployable through Azure Marketplace. This means you'll need to ensure your application meets the requirements for deployment in the marketplace.
Billing and metering is a key requirement for managed applications. Resources are provided in the customer's Azure subscription, and VMs that use the pay-as-you-go payment model are transacted with the customer via Microsoft and billed via their Azure subscription.
Customer usage attribution is also important. For more information on how to enable it, see Azure partner customer usage attribution.
A deployment package is necessary for customers to deploy your plan. You can use the same package for multiple plans that require the same technical configuration. For details, see the next section.
If you're dealing with sensitive data that's subject to government regulations, such as FedRAMP or ITAR, you'll need to provide links to your certifications. These links can be to your listing on the program directly or to descriptions of your compliance on your own website.
Here are the requirements for a deployment package:
If customer communication is a concern, reach out to interested customers after you've enabled lead sharing.
Associations
Associations are a powerful way to link existing resources to your managed application. You can define multiple views of this type.
You can extend existing Azure resources based on the targetResourceType. This allows you to create an onboarding request to the public custom provider, which can apply a side effect to the resource.
The target resource type is a required property, and it's displayed for resource onboarding. This means you need to specify the type of resource you want to target.
Here are the properties you need to define for an Associations view:
You can also define the create UI definition schema for the create association resource command. This is optional, but it can be useful if you want to customize the UI for creating associations.
ARM Template Creation
To create an ARM template, you'll need to open Visual Studio Code and create a file named mainTemplate.json. This template defines the Azure resources to deploy and is no different than a regular ARM template.
You'll define the resources to deploy an App Service and App Service plan, using the App Service Basic plan (B1) that has pay-as-you-go costs. This plan can be found in Azure App Service on Linux pricing.
The template will use the App Service name prefix and App Service plan's name, which are input by the user through a user interface. This interface prompts the user to input the App Service name prefix and App Service plan's name.
You'll need to add the following JSON code to the file and save it. This code defines the resources to deploy an App Service and App Service plan.
In Visual Studio Code, open a new Bash terminal session and sign in to your Azure subscription. This is where you'll create a storage account in a new resource group.
Deployment and Management
Enabling management access gives the publisher access to the managed resource group that hosts your application in the customer tenant.
To manage your Azure managed application, you'll need to specify the Azure tenant and Principal ID that will manage the application. This is a crucial step, as it determines who has access to your application's resources.
Publisher management access can't be modified after the plan is published live in the marketplace, so it's essential to get it right upfront.
Check Quota
To ensure a smooth deployment of your Azure managed application, you need to check your quota first.
You can do this by going to the Azure portal and selecting the subscription you want to use. Make sure you have sufficient quota for the number of Voyage Azure managed applications you want to deploy.
Each Voyage Azure managed application requires 24 Standard NCADS_A100_v4 Family vCPUs. If you don't have enough quota, you'll need to request a quota increase.
To check your quota, follow these steps:
- Go to Subscriptions in your Azure portal.
- Select the subscription you want to use for the Azure managed application.
- Within your subscription page, select Usage + quotas under Settings.
- Enter "Standard NCADS_A100_v4 Family vCPUs" in the search bar.
- Filter the Region for your desired region.
This will give you an idea of your current quota and whether you need to request more.
Deployment Mode
When configuring a managed application plan, you can choose between Complete and Incremental deployment modes. The choice between these modes can significantly impact how your application is redeployed.
In Complete mode, a redeployment of the application by the customer results in the removal of resources in the managed resource group if they're not defined in the mainTemplate.json. This means you'll need to carefully manage your resources to avoid losing existing ones.
In Incremental mode, a redeployment of the application leaves existing resources unchanged, which can be beneficial for applications with complex resource configurations.
Deployment Package
A deployment package is a zip file that contains all the template files needed for your Azure application, as well as any additional resources. It's a crucial part of making your application deployable through Azure Marketplace.
The deployment package must include two specific files in the root folder: a Resource Manager template file named mainTemplate.json, and a user interface definition for the Azure application creation experience named createUiDefinition.json. For examples of Resource Manager templates, you can check out the Azure Quickstart Templates gallery or the corresponding GitHub repository.
The mainTemplate.json file defines the resources to deploy into the customer's Azure subscription, while the createUiDefinition.json file enables consumers to provide parameter values through the user interface. Make sure to include these two files in your deployment package.
Here are the two required files that must be included in the deployment package:
- mainTemplate.json: Resource Manager template file
- createUiDefinition.json: User interface definition for Azure application creation experience
Your deployment package should not include binaries such as Virtual Machine images. Instead, all images deployed by the Azure Application must be images referenced from the marketplace.
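A pre-publish check for the package rules described above, as an added example that is not part of the original article: it verifies that both required files sit in the zip root and parse as JSON, and flags binaries. The list of binary extensions and the in-memory sample packages are constructed assumptions.

```python
import io
import json
import zipfile

REQUIRED_ROOT_FILES = ("mainTemplate.json", "createUiDefinition.json")
# Assumption: extensions treated here as VM disk images or other binaries.
BINARY_EXTENSIONS = (".vhd", ".vhdx", ".vmdk", ".iso", ".exe", ".dll")


def check_package(zip_bytes):
    """Return a sorted list of problems found in a deployment package zip."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as pkg:
        names = pkg.namelist()
        for required in REQUIRED_ROOT_FILES:
            if required not in names:
                nested = [n for n in names if n.endswith("/" + required)]
                hint = f" (found at {nested[0]}, must be in the root)" if nested else ""
                problems.append(f"missing {required}{hint}")
                continue
            try:
                json.loads(pkg.read(required))  # strict JSON, no comments
            except ValueError:
                problems.append(f"{required} is not valid JSON")
        for name in names:
            if name.lower().endswith(BINARY_EXTENSIONS):
                problems.append(f"binary not allowed in package: {name}")
    return sorted(problems)


def build_zip(files):
    """Build an in-memory zip from {name: bytes} for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed samples: one well-formed package and one with three defects.
GOOD_ZIP = build_zip({"mainTemplate.json": b'{"resources": []}',
                      "createUiDefinition.json": b"{}"})
BAD_ZIP = build_zip({"app/mainTemplate.json": b'{"resources": []}',
                     "createUiDefinition.json": b"{oops",
                     "images/disk.vhd": b"\x00"})

if __name__ == "__main__":
    for problem in check_package(BAD_ZIP):
        print(problem)
```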
Plan Visibility
Plan visibility is a key aspect of deployment and management. You can configure each plan to be visible to everyone or only to a specific audience.
You can create up to 100 plans, with up to 45 of them being private. Private plans are useful for offering different pricing options or technical configurations to specific customers.
To grant access to a private plan, you use Azure subscription IDs, which must be in lowercase. You can add up to 10 subscription IDs manually or up to 10,000 using a CSV file.
Azure subscription IDs are represented as GUIDs, and you can include a description for each ID. Keep in mind that private plans aren't supported with Azure subscriptions established through a reseller of the Cloud Solution Provider program.
If you publish a private plan, you can later change its visibility to public. However, once you publish a public plan, you can't switch it back to private.
Security and Access
Just-in-time (JIT) access enables you to request elevated access to a managed application's resources for troubleshooting or maintenance. You always have read-only access to the resources, but for a specific time period you can have greater access.
To support JIT access, be sure to update your createUiDefinition.json file.
Enabling customer access gives customers full access to the managed resource group deployed to their Azure tenant. Restricting Access with deny assignments disables customer access to the managed resource group in their Azure tenant.
Customer Access can't be modified after the offer is live in the marketplace.
You can customize allowed customer actions by specifying which actions customers can perform on the managed resources in addition to the */read actions that are available by default.
To manage a managed application, you must indicate who can manage it in each of the selected clouds: Public Azure and Azure Government Cloud. You'll need to collect the Microsoft Entra tenant ID and the Microsoft Entra object ID of each user, group, or application that you want to grant permission to.
Customer Access
Customer access is a crucial aspect of security and access. Enabling customer access gives customers full access to the managed resource group deployed to their Azure tenant.
The alternative is to restrict access with deny assignments, which disables customer access to the managed resource group in their Azure tenant. Disabling customer access with deny assignments removes customer access, but allows publishers to customize allowed customer actions.
Customer Access can't be modified after the offer is live in the marketplace. This means you'll need to get it right the first time.
Here's a quick rundown of what you need to know about customer access:
Remember, customer access is a critical aspect of security and access, and getting it right is essential.
Just in Time (JIT) Access
Just in Time (JIT) Access allows you to request elevated access to a managed application's resources for troubleshooting or maintenance.
You always have read-only access to the resources, but for a specific time period, you can have greater access.
This feature is enabled by updating your createUiDefinition.json file to support it.
For more information, see Enable and request just-in-time access for Azure Managed Applications.
Sources
- https://learn.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/concepts-view-definition
- https://learn.microsoft.com/en-us/partner-center/marketplace-offers/plan-azure-app-managed-app
- https://learn.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/publish-notifications
- https://learn.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/publish-service-catalog-app
- https://docs.voyageai.com/docs/azure-marketplace-managed-application