Deploy a Cloud Service (extended support) using Azure PowerShell
This article shows how to use the Az.CloudService PowerShell module to deploy Cloud Services (extended support) in Azure that has multiple roles (WebRole and WorkerRole).
Pre-requisites
Review the deployment prerequisites for Cloud Services (extended support) and create the associated resources.
Install Az.CloudService PowerShell module.
Install-Module -Name Az.CloudServiceCreate a new resource group. This step is optional if using an existing resource group.
New-AzResourceGroup -ResourceGroupName “ContosOrg” -Location “East US”Create a storage account and container, which will be used to store the Cloud Service package (.cspkg) and Service Configuration (.cscfg) files. A unique name for storage account name is required. This step is optional if using an existing storage account.
$storageAccount = New-AzStorageAccount -ResourceGroupName “ContosOrg” -Name “contosostorageaccount” -Location “East US” -SkuName “Standard_RAGRS” -Kind “StorageV2” $container = New-AzStorageContainer -Name “contosocontainer” -Context $storageAccount.Context -Permission Blob
Deploy a Cloud Services (extended support)
Use any of the following PowerShell cmdlets to deploy Cloud Services (extended support):
Quick Create Cloud Service using a Storage Account
- This parameter set inputs the .cscfg, .cspkg and .csdef files as inputs along with the storage account.
- The cloud service role profile, network profile, and OS profile are created by the cmdlet with minimal input from the user.
- For certificate input, the keyvault name is to be specified. The certificate thumbprints in the keyvault are validated against those specified in the .cscfg file.
Quick Create Cloud Service using a SAS URI
- This parameter set inputs the SAS URI of the .cspkg along with the local paths of .csdef and .cscfg files. There is no storage account input required.
- The cloud service role profile, network profile, and OS profile are created by the cmdlet with minimal input from the user.
- For certificate input, the keyvault name is to be specified. The certificate thumbprints in the keyvault are validated against those specified in the .cscfg file.
Create Cloud Service with role, OS, network and extension profile and SAS URIs
- This parameter set inputs the SAS URIs of the .cscfg and .cspkg files.
- The role, network, OS, and extension profile must be specified by the user and must match the values in the .cscfg and .csdef.
Quick Create Cloud Service using a Storage Account
Create Cloud Service deployment using .cscfg, .csdef and .cspkg files.
$cspkgFilePath = "<Path to cspkg file>"
$cscfgFilePath = "<Path to cscfg file>"
$csdefFilePath = "<Path to csdef file>"
# Create Cloud Service
New-AzCloudService
-Name "ContosoCS" `
-ResourceGroupName "ContosOrg" `
-Location "EastUS" `
-ConfigurationFile $cscfgFilePath `
-DefinitionFile $csdefFilePath `
-PackageFile $cspkgFilePath `
-StorageAccount $storageAccount `
[-KeyVaultName <string>]
Quick Create Cloud Service using a SAS URI
Upload your Cloud Service package (cspkg) to the storage account.
$tokenStartTime = Get-Date $tokenEndTime = $tokenStartTime.AddYears(1) $cspkgBlob = Set-AzStorageBlobContent -File “./ContosoApp/ContosoApp.cspkg” -Container “contosocontainer” -Blob “ContosoApp.cspkg” -Context $storageAccount.Context $cspkgToken = New-AzStorageBlobSASToken -Container “contosocontainer” -Blob $cspkgBlob.Name -Permission rwd -StartTime $tokenStartTime -ExpiryTime $tokenEndTime -Context $storageAccount.Context $cspkgUrl = $cspkgBlob.ICloudBlob.Uri.AbsoluteUri + $cspkgToken $cscfgFilePath = "<Path to cscfg file>" $csdefFilePath = "<Path to csdef file>"Create Cloud Service deployment using .cscfg, .csdef and .cspkg SAS URI.
New-AzCloudService -Name "ContosoCS" ` -ResourceGroupName "ContosOrg" ` -Location "EastUS" ` -ConfigurationFile $cspkgFilePath ` -DefinitionFile $csdefFilePath ` -PackageURL $cspkgUrl ` [-KeyVaultName <string>]
Create Cloud Service using profile objects & SAS URIs
Upload your cloud service configuration (cscfg) to the storage account.
$cscfgBlob = Set-AzStorageBlobContent -File “./ContosoApp/ContosoApp.cscfg” -Container contosocontainer -Blob “ContosoApp.cscfg” -Context $storageAccount.Context $cscfgToken = New-AzStorageBlobSASToken -Container “contosocontainer” -Blob $cscfgBlob.Name -Permission rwd -StartTime $tokenStartTime -ExpiryTime $tokenEndTime -Context $storageAccount.Context $cscfgUrl = $cscfgBlob.ICloudBlob.Uri.AbsoluteUri + $cscfgTokenUpload your Cloud Service package (cspkg) to the storage account.
$tokenStartTime = Get-Date $tokenEndTime = $tokenStartTime.AddYears(1) $cspkgBlob = Set-AzStorageBlobContent -File “./ContosoApp/ContosoApp.cspkg” -Container “contosocontainer” -Blob “ContosoApp.cspkg” -Context $storageAccount.Context $cspkgToken = New-AzStorageBlobSASToken -Container “contosocontainer” -Blob $cspkgBlob.Name -Permission rwd -StartTime $tokenStartTime -ExpiryTime $tokenEndTime -Context $storageAccount.Context $cspkgUrl = $cspkgBlob.ICloudBlob.Uri.AbsoluteUri + $cspkgTokenCreate a virtual network and subnet. This step is optional if using an existing network and subnet. This example uses a single virtual network and subnet for both cloud service roles (WebRole and WorkerRole).
$subnet = New-AzVirtualNetworkSubnetConfig -Name "ContosoWebTier1" -AddressPrefix "10.0.0.0/24" -WarningAction SilentlyContinue $virtualNetwork = New-AzVirtualNetwork -Name “ContosoVNet” -Location “East US” -ResourceGroupName “ContosOrg” -AddressPrefix "10.0.0.0/24" -Subnet $subnetCreate a public IP address and set the DNS label property of the public IP address. Cloud Services (extended support) only supports Basic SKU Public IP addresses. Standard SKU Public IPs do not work with Cloud Services. If you are using a Static IP, you need to reference it as a Reserved IP in Service Configuration (.cscfg) file.
$publicIp = New-AzPublicIpAddress -Name “ContosIp” -ResourceGroupName “ContosOrg” -Location “East US” -AllocationMethod Dynamic -IpAddressVersion IPv4 -DomainNameLabel “contosoappdns” -Sku BasicCreate a Network Profile Object and associate the public IP address to the frontend of the load balancer. The Azure platform automatically creates a 'Classic' SKU load balancer resource in the same subscription as the cloud service resource. The load balancer resource is a read-only resource in Azure Resource Manager. Any updates to the resource are supported only via the cloud service deployment files (.cscfg & .csdef).
$publicIP = Get-AzPublicIpAddress -ResourceGroupName ContosOrg -Name ContosIp $feIpConfig = New-AzCloudServiceLoadBalancerFrontendIPConfigurationObject -Name 'ContosoFe' -PublicIPAddressId $publicIP.Id $loadBalancerConfig = New-AzCloudServiceLoadBalancerConfigurationObject -Name 'ContosoLB' -FrontendIPConfiguration $feIpConfig $networkProfile = @{loadBalancerConfiguration = $loadBalancerConfig}Create a Key Vault. This Key Vault will be used to store certificates that are associated with the Cloud Service (extended support) roles. The Key Vault must be located in the same region and subscription as cloud service and have a unique name. For more information, see use certificates with Azure Cloud Services (extended support).
New-AzKeyVault -Name "ContosKeyVault” -ResourceGroupName “ContosOrg” -Location “East US”Update the Key Vault access policy and grant certificate permissions to your user account.
Set-AzKeyVaultAccessPolicy -VaultName 'ContosKeyVault' -ResourceGroupName 'ContosOrg' -EnabledForDeployment Set-AzKeyVaultAccessPolicy -VaultName 'ContosKeyVault' -ResourceGroupName 'ContosOrg' -UserPrincipalName 'user@domain.com' -PermissionsToCertificates create,get,list,deleteAlternatively, set access policy via ObjectId (which can be obtained by running
Get-AzADUser).Set-AzKeyVaultAccessPolicy -VaultName 'ContosKeyVault' -ResourceGroupName 'ContosOrg' -ObjectId 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' -PermissionsToCertificates create,get,list,deleteIn this example, we will add a self-signed certificate to a Key Vault. The certificate thumbprint needs to be added in Cloud Service Configuration (.cscfg) file for deployment on cloud service roles.
$Policy = New-AzKeyVaultCertificatePolicy -SecretContentType "application/x-pkcs12" -SubjectName "CN=contoso.com" -IssuerName "Self" -ValidityInMonths 6 -ReuseKeyOnRenewal Add-AzKeyVaultCertificate -VaultName "ContosKeyVault" -Name "ContosCert" -CertificatePolicy $PolicyCreate an OS Profile in-memory object. OS Profile specifies the certificates, which are associated to cloud service roles. This will be the same certificate created in the previous step.
$keyVault = Get-AzKeyVault -ResourceGroupName ContosOrg -VaultName ContosKeyVault $certificate = Get-AzKeyVaultCertificate -VaultName ContosKeyVault -Name ContosCert $secretGroup = New-AzCloudServiceVaultSecretGroupObject -Id $keyVault.ResourceId -CertificateUrl $certificate.SecretId $osProfile = @{secret = @($secretGroup)}Create a Role Profile in-memory object. Role profile defines a role sku specific properties such as name, capacity, and tier. In this example, we have defined two roles: frontendRole and backendRole. Role profile information should match the role configuration defined in configuration (cscfg) file and service definition (csdef) file.
$frontendRole = New-AzCloudServiceRoleProfilePropertiesObject -Name 'ContosoFrontend' -SkuName 'Standard_D1_v2' -SkuTier 'Standard' -SkuCapacity 2 $backendRole = New-AzCloudServiceRoleProfilePropertiesObject -Name 'ContosoBackend' -SkuName 'Standard_D1_v2' -SkuTier 'Standard' -SkuCapacity 2 $roleProfile = @{role = @($frontendRole, $backendRole)}(Optional) Create an Extension Profile in-memory object that you want to add to your cloud service. For this example we will add RDP extension.
$credential = Get-Credential $expiration = (Get-Date).AddYears(1) $rdpExtension = New-AzCloudServiceRemoteDesktopExtensionObject -Name 'RDPExtension' -Credential $credential -Expiration $expiration -TypeHandlerVersion '1.2.1' $storageAccountKey = Get-AzStorageAccountKey -ResourceGroupName "ContosOrg" -Name "contosostorageaccount" $configFile = "<WAD public configuration file path>" $wadExtension = New-AzCloudServiceDiagnosticsExtension -Name "WADExtension" -ResourceGroupName "ContosOrg" -CloudServiceName "ContosCS" -StorageAccountName "contosostorageaccount" -StorageAccountKey $storageAccountKey[0].Value -DiagnosticsConfigurationPath $configFile -TypeHandlerVersion "1.5" -AutoUpgradeMinorVersion $true $extensionProfile = @{extension = @($rdpExtension, $wadExtension)}ConfigFile should have only PublicConfig tags and should contain a namespace as following:
<?xml version="1.0" encoding="utf-8"?> <PublicConfig xmlns="http://schemas.microsoft.com/ServiceHosting/2010/10/DiagnosticsConfiguration"> ............... </PublicConfig>(Optional) Define Tags as PowerShell hash table that you want to add to your cloud service.
$tag=@{"Owner" = "Contoso"}Create Cloud Service deployment using profile objects & SAS URLs.
$cloudService = New-AzCloudService ` -Name “ContosoCS” ` -ResourceGroupName “ContosOrg” ` -Location “East US” ` -PackageUrl $cspkgUrl ` -ConfigurationUrl $cscfgUrl ` -UpgradeMode 'Auto' ` -RoleProfile $roleProfile ` -NetworkProfile $networkProfile ` -ExtensionProfile $extensionProfile ` -OSProfile $osProfile ` -Tag $tag
Next steps
- Review frequently asked questions for Cloud Services (extended support).
- Deploy a Cloud Service (extended support) using the Azure portal, PowerShell, Template or Visual Studio.
- Visit the Cloud Services (extended support) samples repository.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for