{"id":41767,"date":"2024-02-24T00:00:45","date_gmt":"2024-02-24T07:00:45","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/premier-developer\/?p=41767"},"modified":"2024-02-21T13:59:28","modified_gmt":"2024-02-21T20:59:28","slug":"azure-devops-pipelines-discovering-the-ideal-service-connection-strategy","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/premier-developer\/azure-devops-pipelines-discovering-the-ideal-service-connection-strategy\/","title":{"rendered":"Azure DevOps Pipelines: Discovering the Ideal Service Connection Strategy"},"content":{"rendered":"<p><a href=\"https:\/\/www.linkedin.com\/in\/john-folberth\/\" target=\"_blank\" rel=\"noopener\">John Folberth<\/a> explores various configurations, decisions, and pros\/cons that should be evaluated when deciding how your DevOps environment will deploy code into Azure.<\/p>\n<hr \/>\n<h2 id=\"toc-hId--589025992\">About<\/h2>\n<p>This post is part of an overall series on\u00a0<a href=\"https:\/\/techcommunity.microsoft.com\/t5\/healthcare-and-life-sciences\/bg-p\/HealthcareAndLifeSciencesBlog\/label-name\/YAML%20Pipeline%20Series\" target=\"_self\" rel=\"noopener\">Azure DevOps YAML Pipelines<\/a>. The series will cover any and all topics that fall into the scope of Azure DevOps Pipelines. I encourage you to check it out if you are new to this space.<\/p>\n<h2 id=\"toc-hId-1898486841\">Introduction<\/h2>\n<p>When an organization is trying to configure their Azure DevOps (ADO) environment to deploy into Azure, they are immediately met with the dilemma of how their DevOps instance will execute the deployment against their Azure Environment. This article will go over the various configurations, decisions, and pros and cons that should be evaluated when deciding how your DevOps environment will deploy code into Azure.<\/p>\n<p>This article will not talk about the nitty-gritty details of how to configure the connection. 
This is covered in\u00a0<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/devops\/pipelines\/library\/service-endpoints?view=azure-devops&amp;tabs=yaml\" target=\"_self\" rel=\"noopener noreferrer\">MS documentation<\/a>. Nor will we discuss which type of authentication should be created. There are additional resources that will cover this. This article will instead focus on questions such as &#8220;How many Service Connections should I have?&#8221;, &#8220;What access should my Service Connection have?&#8221;, &#8220;Which pipelines can access my Service Connection?&#8221;, etc&#8230;<\/p>\n<h2 id=\"toc-hId-91032378\">Deployment Scope<\/h2>\n<p>The question of how to architect our\u00a0<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/devops\/pipelines\/library\/service-endpoints?view=azure-devops&amp;tabs=yaml\" target=\"_self\" rel=\"noopener noreferrer\">Service Connections<\/a>, the means by which Azure DevOps communicates with Azure, will be the main focal point of this piece. Deployment Scope, for the purposes of this article, will refer to what Azure Environment and resources our Azure DevOps Service Connection can interact with.<\/p>\n<p>The answer will vary depending on your organization&#8217;s security posture, scale, and maturity. The most secure option is the smallest deployment scope, which also entails the most overhead; on the flip side, the least secure option is the largest deployment scope, with the least overhead associated with it. 
We will cover three scenarios and the associated pros and cons: One Service Connection to Rule Them All, a Service Connection per Resource Group, and a Service Connection per Environment.<\/p>\n<p data-unlink=\"true\">As for what access the identity from ADO should have in Azure, I typically recommend starting with\u00a0<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/role-based-access-control\/built-in-roles#contributor\" target=\"_self\" rel=\"noopener noreferrer\">Contributor<\/a>, as this will provide the ability to create Azure resources and interact with the Azure Management Plane. If your organization is leveraging\u00a0<a href=\"https:\/\/learn.microsoft.com\/en-us\/devops\/deliver\/what-is-infrastructure-as-code\" target=\"_self\" rel=\"noopener noreferrer\">Infrastructure as Code (IaC)<\/a>, I would also recommend adding\u00a0<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/role-based-access-control\/built-in-roles#user-access-administrator\" target=\"_self\" rel=\"noopener noreferrer\">User Access Administrator<\/a>, to provision\u00a0<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/role-based-access-control\/overview\" target=\"_self\" rel=\"noopener noreferrer\">Role Based Access Controls<\/a>\u00a0and allow Azure-to-Azure resource communication leveraging\u00a0<a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/managed-identities-azure-resources\/overview\" target=\"_self\" rel=\"noopener noreferrer\">Managed Identities<\/a>. 
This is effectively the same permission combo as Owner; however, if you are familiar with Azure recommended practices, Owner permission assignment is not recommended in the majority of cases.<\/p>\n<p data-unlink=\"true\">Check out\u00a0<a href=\"https:\/\/techcommunity.microsoft.com\/t5\/healthcare-and-life-sciences\/azure-devops-pipelines-discovering-the-ideal-service-connection\/ba-p\/4013027\" target=\"_blank\" rel=\"noopener\">the series in the Healthcare and Life Sciences Tech Community here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>John Folberth explores various configurations, decisions, and pros\/cons that should be evaluated when deciding how your DevOps environment will deploy code into Azure. About This post is part of an overall series on\u00a0Azure DevOps YAML Pipelines. The series will cover any and all topics that fall into the scope of Azure DevOps Pipelines. I encourage [&hellip;]<\/p>\n","protected":false},"author":582,"featured_media":41465,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[25,22],"tags":[24,2571],"class_list":["post-41767","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure","category-devops","tag-azure","tag-azure-devops"],"acf":[],"blog_post_summary":"<p>John Folberth explores various configurations, decisions, and pros\/cons that should be evaluated when deciding how your DevOps environment will deploy code into Azure. About This post is part of an overall series on\u00a0Azure DevOps YAML Pipelines. The series will cover any and all topics that fall into the scope of Azure DevOps Pipelines. 
I encourage [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/posts\/41767","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/users\/582"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/comments?post=41767"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/posts\/41767\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/media\/41465"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/media?parent=41767"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/categories?post=41767"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/tags?post=41767"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}