prod-deployment.md

Steps to deploy the production deployment

This section describes the deployment steps for the reference implementation of a reliable web application pattern with Java on Microsoft Azure. These steps guide you through using the jump box that is deployed when performing a network isolated deployment because access to resources will be restricted from public network access and must be performed from a machine connected to the vnet.

Prerequisites

We recommend that you use a Dev Container to deploy this application. The requirements are as follows:

• Azure Subscription.
• Visual Studio Code.
• Docker Desktop.
• Permissions to register an application in Microsoft Entra ID.
• Visual Studio Code Dev Containers extension.

If you do not wish to use a Dev Container, please refer to the prerequisites for detailed information on how to set up your development system to build, run, and deploy the application.

Note

These steps are used to connect to a Linux jump box where you can deploy the code. The jump box is not designed to be a build server. You should use a devOps pipeline to manage build agents and deploy code into the environment. Also note that for this content the jump box is a Linux VM. This can be swapped with a Windows VM based on your organization's requirements.

Steps to deploy the reference implementation

The following detailed deployment steps assume you are using a Dev Container inside Visual Studio Code.

1. Log in to Azure

1. Start a terminal in the dev container and authenticated to Azure and have the appropriate subscription selected. Run the following command to authenticate:

   az login

   If you have multiple tenants, you can use the following command to log into the tenant:

   az login --tenant <tenant-id>

2. Set the subscription to the one you want to use (you can use az account list to list available subscriptions):

   export AZURE_SUBSCRIPTION_ID="<your-subscription-id>"

   az account set --subscription $AZURE_SUBSCRIPTION_ID

3. Azure Developer CLI (azd) has its own authentication context. Run the following command to authenticate to Azure:

   azd auth login

   If you have multiple tenants, you can use the following command to log into the tenant:

   azd auth login --tenant-id <tenant-id>

2. Provision the app

1. Create a new AZD environment to store your deployment configuration values:

   azd env new <pick_a_name>

2. Set the default subscription for the azd context:

   azd env set AZURE_SUBSCRIPTION_ID $AZURE_SUBSCRIPTION_ID

3. To create the prod deployment:

   azd env set ENVIRONMENT prod

4. Production is a multi-region deployment. Choose an Azure region for the primary deployment (Run az account list-locations --query '[].{Location: name}' to see a list of locations):

   azd env set AZURE_LOCATION <pick_a_region>

   You want to make sure the region has availability zones. Azure Database for PostgreSQL - Flexible Server zone-redundant high availability requires availability zones.

5. Choose an Azure region for the secondary deployment:

   azd env set AZURE_SECONDARY_LOCATION <pick_a_region>

   We encourage readers to choose paired regions for multi-regional web apps. Paired regions typically offer low network latency, data residency in the same geography, and sequential updating. Read Azure paired regions to learn more about these regions.

6. Optional: Set the App Registration Service Management Reference:

   azd env set AZURE_SERVICE_MANAGEMENT_REFERENCE <service_management_reference>

7. Run the following command to create the Azure resources (about 45-minutes to provision):

   azd provision

   When successful the output of the deployment will be displayed in the terminal.

     Outputs:
     
     bastion_host_name = "vnet-bast-nickcontosocams-prod"
     frontdoor_url = "https://fd-nickcontosocams-prod-facscqd0a2gqf2eh.z02.azurefd.net"
     hub_resource_group = "rg-nickcontosocams-hub-prod"
     jumpbox_resource_id = "/subscriptions/1234/resourceGroups/rg-nickcontosocams-hub-prod/providers/Microsoft.Compute/virtualMachines/vm-jumpbox"
     primary_app_service_name = "app-nickcontosocams-eastus-prod"
     primary_spoke_resource_group = "rg-nickcontosocams-spoke-prod"
     secondary_app_service_name = "app-nickcontosocams-centralus-prod"
     secondary_spoke_resource_group = "rg-nickcontosocams-spoke2-prod"

   Record the output. The values are required in order to run the next steps of the deployment.

3. Upload the code to the jump box

1. Run the following command to build the Contoso Fiber application:

   ./mvnw clean package

   This will create the jar file cams.jar in the src/contoso-fiber/target/ directory. This file will be used to deploy the application to Azure App Service.

2. Start a new terminal in the dev container

3. Run the following to set the environment variables for the bastion tunnel:

   bastion_host_name=$(azd env get-values --output json | jq -r .bastion_host_name)
   hub_resource_group=$(azd env get-values --output json | jq -r .hub_resource_group)
   jumpbox_resource_id=$(azd env get-values --output json | jq -r .jumpbox_resource_id)

   We use the Azure CLI to create a bastion tunnel that allows us to connect to the jump box:

4. Run the following command to create a bastion tunnel to the jump box:

   az network bastion tunnel --name $bastion_host_name --resource-group $hub_resource_group --target-resource-id $jumpbox_resource_id --resource-port 22 --port 50022

   NOTE

   Now that the tunnel is open, change back to use the original terminal session to deploy the code.

5. Install the SSH extension for Azure CLI:

   az extension add --name ssh

6. Obtain an SSH key from entra:

   az ssh config --ip 127.0.0.1 -f ./ssh-config

7. From the first terminal, use the following command to upload the code to the jump box.

   rsync -av -e "ssh -F ./ssh-config -p 50022" src/contoso-fiber/target/cams.jar 127.0.0.1:~/cams.jar

8. Run the following command to start a shell session on the jump box:

   az ssh vm --ip 127.0.0.1 --port 50022

4. Log in to Azure from the jump box

1. Run the following command to log in to Azure from the 1. Login into Azure using:

   az login --use-device-code

   If you have multiple tenants, you can use the following command to log into the tenant:

   az login --tenant <tenant-id> --use-device-code

2. Set the subscription id:

   az account set --subscription <subscription_id>

5. Configure Microsoft Entra authentication with Azure Database for PostgreSQL - Flexible Server

We will now configure the Contoso Fiber application to use Microsoft Entra authentication with Azure Database for PostgreSQL - Flexible Server. For more information, see Tutorial: Create a passwordless connection to a database service via Service Connector

Run the following command to install the serviceconnector-passwordless extension:

az extension add --name serviceconnector-passwordless --upgrade

Run the following commands to configure the application:

az webapp connection create postgres-flexible \
    --source-id <primary_app_service_id> \
    --target-id <primary_database_id> \
    --client-type springBoot \
    --system-identity

6. Deploy code from the jump box

1. Deploy the application to the primary region using:

   az webapp deploy --resource-group <primary_spoke_resource_group> --name <primary_app_service_name> --src-path cams.jar --type jar

2. Deploy the application to the secondary region using:

   az webapp deploy --resource-group <secondary_spoke_resource_group> --name <secondary_app_service_name> --src-path cams.jar --type jar

   WARNING

   In some scenarios, the DNS entries for resources secured with Private Endpoint may have been cached incorrectly. It can take up to 10-minutes for the DNS cache to expire.

3. Navigate to the Front Door URL in a browser to view the Contoso Fiber CAMS application.

   

   You can learn more about the web app by reading the Pattern Simulations documentation.

7. Teardown

1. Exit the jumpbox using:

   exit

2. Close the tunnel in the SEPARATE terminal using:

   CTRL+C

3. When you are done you can cleanup all the resources using:

   azd down --force --purge