Setup continuous deployment to Azure Government using Visual Studio Team Services

Azure Government clouds provide private and semi-isolated locations for specific Government or other services, separate from the normal Azure services. Highest levels of privacy have been adopted for these clouds, including restricted data access policies.

Azure Government clouds are completely isolated environments and require unique Azure endpoints to manage the services offered there. They support authentication using management certificate, user credentials or service principal for requests to the service management APIs.

Visual Studio Team Services enables requests to Azure environments with a CD process using service endpoints (Azure classic service endpoint for requests using management certificate or credentials, Azure resource manager service endpoint for requests using service principal authentication).

Visual Studio Team Services is currently not available in Azure Government clouds.

In this article, we’ll look at how you can configure continuous deployment for an Azure web site in Azure Government with a team services account in Azure public. We’ll authenticate using service principal authentication.

Note that this process would the orchestrating builds & deployments, and storing the build artifacts outside the government cloud. In case you require stricter data restrictions for your application, you can configure a private agent in the isolated environment. Refer to this for more details.

Get set up

Begin with a CI build

Before you begin, you’ll need a CI build that publishes your Web Deploy package. To set up CI for your specific type of app, see:

Create the Azure app service

An Azure App Service is where we’ll deploy the Web App. Create a new web app in your subscription from the Azure Government portal.

azure-gov-new-webapp

Generate a service principal

Download & run this Powershell script in an Azure Powershell window to generate required data for Service Principal based Azure service connection. Running this script would prompt you for:

  • The name of your Azure Subscription name
  • A password that you would like to set for the Service Principal that is going to be created
  • You should also provide the Azure Government environment name for your subscription in the environmentName parameter.

Once successful, the script would output the following details for the Azure Service Endpoint.

  • Connection Name
  • Subscription Id
  • Subscription Name
  • Service Principal Client Id
  • Service Principal key
  • Tenant Id

Configure a service endpoint in Team Services

  • From your Team Services Account, navigate to your Team Project and click on gear icon.vsts_admin
  • Click Services tab and click on ‘New Service Endpoint’ in the left pane.vsts_endpoints
  • From the drop-down, select ‘Azure Resource Manager’ option.

vsts_newarm_endpoint_auto

  • In the dialog, click the link at end of the text “If your subscription is not listed or to specify an existing service principal, click here”, which will switch to manual entry mode.

azure-gov-vsts-arm-endpoint

  • Give the endpoint a friendly name, choose the Azure Government environment for your subscription and enter the details obtained from execution of the script while creating a service principal.

Setup release

  1. Open the Releases tab of the Build & Release hub, open the + drop-down in the list of release definitions, and choose Create release definition
  2. Select the Azure App Service Deployment template and choose Next.

createrd

  1. In Source… make sure your CI build definition for the Web deploy package is selected as the artifact source.

createrd2

  1. Select the Continuous deployment check box, and then choose Create.
  2. Select the Deploy Azure App Service task and configure it as follows:
Task step Parameters
Deploy: Azure App Service Deploy
Deploy the app to Azure App Services
Azure Subscription: Select the endpoint configured earlier
App Service Name: the name of the web app (the part of the URL without .azurewebsites.net)
Deploy to Slot: make sure this is cleared (the default)
Virtual Application: leave blank
Web Deploy Package: $(System.DefaultWorkingDirectory)\**\*.zip (the default)
Advanced:
Take App Offline:
If you run into locked .DLL problems when deploying, try selecting this check box.
  1. Edit the name of the release definition, choose Save, and choose OK. Note that the default environment is named Environment1, which you can edit by clicking directly on the name.

You’re now ready to create a release, which means to start the process of running the release definition with the artifacts produced by a specific build.

References