EventStore on Azure and Ubuntu - it's a piece of cake! #4

Finally - the last but not least post about setting up your own EventStore instance using Ubuntu on Azure. We've already done the majority of the work needed here, so it shouldn't be difficult to adjust it just a bit to use DNS instead of hardcoded IPs.

Configuration

Currently our configuration looks like this:

---
RunProjections: None
ClusterSize: 3
GossipSeed: 10.0.3.6:2112,10.0.3.5:2112
DiscoverViaDns: False
ExtIp: 10.0.3.4
IntIp: 10.0.3.4

Clearly the first change is to get rid of the DiscoverViaDns property. We can simply remove it because it's set to true by default. However, it appears that we need two more properties: ClusterDns and ClusterGossipPort. Additionally we'll remove the GossipSeed property, as it won't work here anymore either. Let's get to work!

Network, DNS and Azure

When we created Ubuntu VMs in Azure, we were given a single instance of a virtual network. You can think of it as a logical representation of your network in Azure - you manage IPs, DNS and other settings without installing physical devices. It gives you isolation and security - if you want to, you can forbid both inbound and outbound traffic. What we're interested in right now is its DNS capability. Currently you have two options:

  • use a DNS provided by Azure
  • use your own DNS 

Unfortunately using the former won't work here - we have to add records manually, which is not possible with the Azure-provided DNS. Obtaining and configuring a DNS server is beyond the scope of this post - if you're interested, take a look here. The good thing is that it's still possible within Azure, although additional tools are required. Once you have your DNS, the configuration should look similar to:

---
RunProjections: None
ClusterSize: 3
ExtIp: 10.0.3.4
IntIp: 10.0.3.4
IntTcpPort: 1111
ExtTcpPort: 1112
IntHttpPort: 2113
ExtHttpPort: 2114
ClusterDns: domain.com
ClusterGossipPort: 2113

DNS entries

The tricky thing here is to set the correct entries in your DNS server. What you have to do is add an A record for each node, pointing to its private IP inside the virtual network. Note that there are no concerns in doing this - it's a common practice. The one issue is that it reveals a little about how your internal network looks: resolving the domain from inside the Azure network points to the correct machine, but when somebody resolves it from an external network, they get the same private IP that was used in the entry, which is not reachable from outside.
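To make the mechanism behind ClusterDns and ClusterGossipPort concrete, here is an added example (not EventStore's own code, and not from the original post) that parses the flat config above, resolves the cluster name to A records and pairs every address with the gossip port, excluding the node's own IntIp. The resolver is injectable: the default answers from a constructed zone with the post's hypothetical 10.0.3.x addresses so the example runs offline, and `live_resolver` uses the standard library for a real lookup. The last function illustrates the caveat from the "DNS entries" section: every record points to a private address, so an external client receives the same unreachable answer.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

# Constructed copy of the DNS-based configuration from the post.
CONFIG_TEXT = """---
RunProjections: None
ClusterSize: 3
ExtIp: 10.0.3.4
IntIp: 10.0.3.4
IntTcpPort: 1111
ExtTcpPort: 1112
IntHttpPort: 2113
ExtHttpPort: 2114
ClusterDns: domain.com
ClusterGossipPort: 2113
"""

# Constructed DNS zone: the A records you would add for the three nodes
# (hypothetical addresses on the post's 10.0.3.0/24 virtual network).
FAKE_ZONE: Dict[str, List[str]] = {
    "domain.com": ["10.0.3.4", "10.0.3.5", "10.0.3.6"],
}

Resolver = Callable[[str], List[str]]


def parse_config(text: str) -> Dict[str, str]:
    """Parse the flat 'Key: Value' subset of YAML that the EventStore config uses."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "---" or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep or not key.strip():
            raise ValueError(f"malformed config line: {raw!r}")
        cfg[key.strip()] = value.strip()
    return cfg


def fake_resolver(name: str) -> List[str]:
    """Offline stand-in for live_resolver, answering from the constructed zone."""
    if name not in FAKE_ZONE:
        raise socket.gaierror(f"no A records for {name}")
    return list(FAKE_ZONE[name])


def live_resolver(name: str) -> List[str]:
    """Real lookup via the standard library; returns the A record addresses."""
    return socket.gethostbyname_ex(name)[2]


def gossip_endpoints(cfg: Dict[str, str], resolve: Resolver = fake_resolver) -> List[Tuple[str, int]]:
    """Peers a node would gossip with: every A record of ClusterDns on
    ClusterGossipPort, minus the node's own IntIp. Refuses to run when
    DiscoverViaDns was explicitly disabled, because then GossipSeed applies."""
    if cfg.get("DiscoverViaDns", "True").lower() == "false":
        raise ValueError("DiscoverViaDns is False: the node would use GossipSeed, not ClusterDns")
    port = int(cfg["ClusterGossipPort"])
    self_ip = ipaddress.ip_address(cfg["IntIp"])
    addresses = map(ipaddress.ip_address, resolve(cfg["ClusterDns"]))
    return sorted((str(ip), port) for ip in addresses if ip != self_ip)


def cluster_complete(cfg: Dict[str, str], resolve: Resolver = fake_resolver) -> bool:
    """True when DNS lists enough members (self plus peers) to reach ClusterSize."""
    return len(gossip_endpoints(cfg, resolve)) + 1 >= int(cfg["ClusterSize"])


def leaked_private_addresses(name: str, resolve: Resolver = fake_resolver) -> List[str]:
    """Records resolving to private (RFC 1918) addresses. Anyone who can query
    the zone learns this internal addressing, and from outside the virtual
    network the answers are unreachable."""
    return [a for a in resolve(name) if ipaddress.ip_address(a).is_private]


if __name__ == "__main__":
    config = parse_config(CONFIG_TEXT)
    for host, port in gossip_endpoints(config):
        print(f"gossip peer: {host}:{port}")
    print("cluster complete:", cluster_complete(config))
    print("private records published:", leaked_private_addresses(config["ClusterDns"]))
```

Swap `fake_resolver` for `live_resolver` to run the same check against your real zone; if `cluster_complete` is false, a node will sit waiting for gossip because the A records do not cover the whole ClusterSize.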

Summary

This is it - we've gone through installing, configuring and managing EventStore using Ubuntu and Azure. I strongly encourage you to discover other OSS solutions that could be run using such a configuration and to play with them; it becomes more and more fun.

Policies in Azure Resource Manager for better conventions management

Conventions are a really good idea in general - they prevent you from having to handle the whole mess which appears sooner or later. While this is pretty obvious when working with your codebase (we have plenty of different tools for it), it's still not so popular when you're managing your resources in the cloud. This post is going to encourage you to use them and present possible use cases.

Why not roles?

In Azure you can also find the term RBAC, which stands for role-based access control. While you can find it useful to assign e.g. the admin role only to those few people "who know what they're doing", it's still more user-centric. You can imagine a situation where you have different teams working on different projects. Different people have different opinions and experience, and their choices are dictated by their current point of view.

Now imagine giving them access to the production environment (I'm aware that access is normally restricted - let's pretend we forgot about this rule). You can select who can do anything on production. What you cannot do is restrain him or her from provisioning a G5 VM for 5k Euros per month. This is where policies come into play.

Creating and assigning a policy

You have multiple options when it comes to selecting a tool to manage your policies. In fact, you can choose the REST API, PowerShell or the Azure CLI. For me the easiest way to work with policies was to use the PowerShell cmdlets, but I strongly encourage you to select the tool which suits you best.

To make a policy effective you have to perform 2 steps - create it and assign it to a resource group. This is another great feature - you can have your policies predefined and attach them to different resource groups as you wish. It's also very easy to automate if you want to.

To create and assign a policy you can use the following commands:

$policy = New-AzureRmPolicyDefinition -Name regionPolicyDefinition -Description "Allow only one region" -Policy '{
  "if" : {
    "not" : {
      "field" : "location",
      "in" : ["northeurope"]
    }
  },
  "then" : {
    "effect" : "deny"
  }
}'

New-AzureRmPolicyAssignment -Name regionPolicyAssignment -PolicyDefinition $policy -Scope /subscriptions/{SubscriptionId}/resourceGroups/{ResourceGroup}

I used examples from this page and modified them slightly. What this code does can be shortened to "create a policy in the subscription & assign it to the resource group". Now let's try to create a resource of any kind in this resource group that is not in the North Europe region. It seems it's not so easy now:

When you go to the details of this error, you'll see something similar to the following:

{
  "error": {
    "code": "RequestDisallowedByPolicy",
    "message": "The resource action 'Microsoft.Network/virtualNetworks/write' is disallowed by one or more policies. Policy identifier(s): '[{\"policyDefintionId\":\"/subscriptions/{SubscriptionId}/providers/Microsoft.Authorization/policyDefinitions/regionPolicyDefinition/\",\"policyAssignmentId\":\"/subscriptions/{SubscriptionId}/resourceGroups/FunctionApp//providers/Microsoft.Authorization/policyAssignments/regionPolicyAssignment/\"}]'."
  }
}
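To show how the "if / then" rule above is actually evaluated against a resource, here is an added example that is not Azure's or the post's own code: a simplified, offline evaluator for the policy rule language. It handles the operators used in the post (`field`, `in`, `not`) plus `equals`, `notEquals`, `notIn`, `allOf` and `anyOf`, compares strings case-insensitively as Azure Policy does, and returns the effect (`deny`) when a rule matches or `None` when the request would be allowed. The second, constructed policy (`GUARDRAIL_POLICY`) and the sample resources are my own and not from the post; they show how a region restriction and a resource-type allowlist combine into one rule.

```python
import json
from typing import Any, Dict, List, Optional

# The definition created with New-AzureRmPolicyDefinition in the post.
REGION_POLICY: Dict[str, Any] = json.loads('''{
  "if" : {
    "not" : {
      "field" : "location",
      "in" : ["northeurope"]
    }
  },
  "then" : {
    "effect" : "deny"
  }
}''')

# Constructed example: deny anything outside North Europe OR any resource type
# that is not on a short allowlist (hypothetical, not from the post).
GUARDRAIL_POLICY: Dict[str, Any] = {
    "if": {
        "anyOf": [
            {"not": {"field": "location", "in": ["northeurope"]}},
            {"field": "type", "notIn": ["Microsoft.Network/virtualNetworks",
                                        "Microsoft.Storage/storageAccounts"]},
        ]
    },
    "then": {"effect": "deny"},
}


def _norm(value: Any) -> Any:
    """Azure Policy compares strings case-insensitively; normalise to lower case."""
    return value.lower() if isinstance(value, str) else value


def _field(resource: Dict[str, Any], path: str) -> Any:
    """Look up a field such as 'location' or 'type'; nested paths use dots."""
    node: Any = resource
    for part in path.split("."):
        if not isinstance(node, dict):
            return None
        node = node.get(part)
    return node


def evaluate_condition(cond: Dict[str, Any], resource: Dict[str, Any]) -> bool:
    """Recursively evaluate one condition object from the 'if' block."""
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource)
    if "allOf" in cond:
        return all(evaluate_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource) for c in cond["anyOf"])
    if "field" not in cond:
        raise ValueError(f"unsupported condition: {cond}")
    actual = _norm(_field(resource, cond["field"]))
    if "equals" in cond:
        return actual == _norm(cond["equals"])
    if "notEquals" in cond:
        return actual != _norm(cond["notEquals"])
    if "in" in cond:
        return actual in [_norm(v) for v in cond["in"]]
    if "notIn" in cond:
        return actual not in [_norm(v) for v in cond["notIn"]]
    raise ValueError(f"unsupported operator in condition: {cond}")


def evaluate_policy(policy: Dict[str, Any], resource: Dict[str, Any]) -> Optional[str]:
    """Return the rule's effect ('deny') when it matches, or None when the request passes."""
    if evaluate_condition(policy["if"], resource):
        return str(policy["then"]["effect"]).lower()
    return None


def disallowed_by(policies: List[Dict[str, Any]], resource: Dict[str, Any]) -> List[int]:
    """Indexes of all policies that would deny the resource, like the
    'disallowed by one or more policies' error lists every matching assignment."""
    return [i for i, p in enumerate(policies) if evaluate_policy(p, resource) == "deny"]


if __name__ == "__main__":
    # Constructed resources: the virtual network from the error message, in two regions.
    vnet_west = {"type": "Microsoft.Network/virtualNetworks", "location": "westeurope"}
    vnet_north = {"type": "Microsoft.Network/virtualNetworks", "location": "NorthEurope"}
    print("vnet in westeurope:", evaluate_policy(REGION_POLICY, vnet_west))    # deny
    print("vnet in northeurope:", evaluate_policy(REGION_POLICY, vnet_north))  # None
```

Evaluating a resource description before you submit the deployment is a cheap way to catch a policy conflict early; the real service does the same matching at request time and returns the RequestDisallowedByPolicy error shown above.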

Managing policies

When you take a look at the documentation of policies, you'll see other options available, like viewing already created policies or removing them. I strongly encourage you to read it - there are many different properties which can be constrained, like the size of a VM, the storage SKU or even ensuring that storage blobs are encrypted. It's a really powerful tool, and using it wisely can really ease operations and management.