Enabling ALM Tooling in the Cloud for PubSec Customers

In this post, Senior App Dev Manager Doug Owens explores cloud-hosted TFS options for government organizations.

In sharing notes with peers within Microsoft, it becomes clear that many of our PubSec customers can benefit from improved Application Lifecycle Management (ALM) and DevOps practices. The world-class features, low barriers to entry, scalability, reliability, and ease of management offered by Microsoft’s Visual Studio Team Services (VSTS) would seem made-to-order for PubSec entities looking for an on-ramp to the modern ALM/DevOps world.

However, many of these customers (e.g., DoD) currently cannot use VSTS because of concerns about classified information and multi-tenancy. Government- and DoD-specific VSTS offerings are planned, but no timeline has been announced.

If you share these concerns, have a pressing need to improve your ALM practices, and are open to managing Team Foundation Server (TFS) yourself, then running TFS on IaaS in Azure Government (MAG) or Azure Government for DoD can be a solution. Both are compliant with certifications and attestations from a number of different entities. Compliance is a vital consideration in determining whether TFS on MAG is acceptable for your scenario.

The upsides of this approach are that you can start your path toward ALM/DevOps improvements sooner and, if new to the cloud, begin building your organization’s Azure skills. Because the environment is hosted in MAG, the infrastructure will be managed for you, but you will be responsible for administering TFS and related applications just as you would be with on-premises TFS. Additionally, your distributed teams and external partners will be able to collaborate more freely over the internet using SSL.

After creating the base infrastructure in Azure, the mechanics of setting up TFS on IaaS will be familiar to anyone who has done so in an on-premises physical or virtualized environment. That said, there will be some areas in which deploying TFS for PubSec may be more challenging (or at least different) than doing so for commercial customers. These areas are:

1) User authentication and Identity Management

At a high level, the main solutions are:

  • Establishing a standalone domain within the Azure IaaS environment
  • Extending the corporate domain into the Azure IaaS environment
  • Setting up a one-way trust from a domain within the Azure IaaS environment to the corporate domain

These approaches have advantages and disadvantages relative to each other, especially when it comes to how external users are managed and how single sign-on works for corporate users.

An additional complicating factor may be the desire or requirement to use smartcard authentication in the environment. This is definitely possible; however, it is helpful to have knowledge of certificates and domain name registration.

2) Certificates

Certificates are extremely likely to be part of your PubSec TFS on IaaS solution. They are necessary for SSL encryption, as well as for smartcard authentication. Depending on your circumstances, you may need to stand up a certificate authority within the Azure IaaS environment to issue certificates, or obtain a certificate from the team in your organization that is responsible for issuing them. For PubSec customers, expect this process to be rigorous.

3) Domain name registration

As with certificates, the main challenge will be working through established processes for PubSec organizations to acquire domain names, such as *.mil or *.gov.

In conclusion, TFS running on IaaS in Azure Government or Azure Government for DoD can be a great starting point for PubSec organizations new to Azure. More importantly, it can enable you to have a greater impact for your customers now through improved ALM/DevOps capabilities.


Comments (2)

  1. Dave Rendón says:

    Thanks for sharing this, is there any updated pdf on MAG compliance + Security Center?
