What can you do if you want to allow your users to create new resources inside of Azure…within limits? For example, do they really need a VM with 16 cores and 448GB RAM just to run their basic application? Does certain data stored inside of Azure need a higher level of security protection?
Azure Managed Applications stored in a Service Catalog can provide sensible parameters. A Managed Application is an Azure Resource Manager (ARM) template combined with a User Interface Definition file that tells Azure what needs to be created and which parameters to set. Azure Service Catalog provides a location in which to publish these applications, so that only your users can access them.
If you have ever created a resource using the Azure Portal, then you have used a Managed Application (one that Microsoft published). Using Azure Managed Applications, you can now create and publish your own applications with restrictions and business logic. The user interface looks just like it would if you were creating an Azure resource (like a VM) since it uses the same UI elements, including VM size selector and the Virtual Network/Subnet configuration element.
By creating your own templates, you have nearly complete control over what fields need to be filled in (certain fields like Resource Group Name and Location are currently required and will always be shown). Follow these steps to create your own Service Catalog:
1. Create an Azure Blob storage account if you do not already have one.
2. Create the ARM template that creates the Azure resources.
3. Create the UI definition. This file MUST be named “createUiDefinition.json” exactly, as the name is case-sensitive.
4. Zip the files together. The name of the zip file does not matter, so choose one that describes what the package does, e.g. “CreateStorage.zip”. Upload this compressed file to the storage account from step 1. Make sure to get the full URL, including the Shared Access Signature (SAS) token.
5. From inside the Azure Portal, create a “Service Catalog Managed Application Definition” resource.
6. Fill in the fields, making sure to use the URL from step 4 in the “Package File URI” field.
7. Make sure the “Name”, “Display Name”, and “Description” fields are descriptive enough that users understand what this template will accomplish.
8. At the bottom of the screen, select “Add Authorization” to add the users/groups that will manage the application.
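The package from steps 2 to 4, as an added example that is not from the original article: Python that defines a storage-account template whose `allowedValues` limit the SKU, a matching createUiDefinition.json, and a check to run on the zip before uploading it. The SKU list, the step name `storage` and the helper names are assumptions for illustration; `mainTemplate.json` is the file name Azure expects for the ARM template in the package.

```python
import io, json, zipfile
REQUIRED = ("mainTemplate.json", "createUiDefinition.json")  # exact names, at the zip root
ALLOWED_SKUS = ["Standard_LRS", "Standard_GRS"]  # constructed policy for this example
MAIN_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    # allowedValues here is what Resource Manager validates at deployment time.
    "parameters": {"storageAccountType": {"type": "string", "allowedValues": ALLOWED_SKUS}},
    "resources": [{
        "type": "Microsoft.Storage/storageAccounts", "apiVersion": "2022-09-01", "kind": "StorageV2",
        "name": "[concat('st', uniqueString(resourceGroup().id))]",
        "location": "[resourceGroup().location]", "properties": {"supportsHttpsTrafficOnly": True},
        "sku": {"name": "[parameters('storageAccountType')]"},
    }],
}

UI_DEFINITION = {
    "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
    "handler": "Microsoft.Azure.CreateUIDef", "version": "0.1.2-preview",
    "parameters": {
        "basics": [], "outputs": {"storageAccountType": "[steps('storage').storageAccountType]"},
        "steps": [{"name": "storage", "label": "Storage settings", "elements": [{
            "name": "storageAccountType", "type": "Microsoft.Common.DropDown",
            "label": "Storage account type", "defaultValue": "Standard_LRS",
            "constraints": {"allowedValues": [{"label": s, "value": s} for s in ALLOWED_SKUS]},
        }]}],
    },
}

def build_package(files):
    """Zip {file name: JSON document} with every file at the archive root."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, doc in files.items():
            z.writestr(name, json.dumps(doc, indent=2))
    return buf.getvalue()

def check_package(data):
    """List problems that would break the definition or widen what users may pick."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        missing = [n for n in REQUIRED if n not in z.namelist()]
        if missing:
            return [f"missing at zip root (names are case-sensitive): {n}" for n in missing]
        params, ui = (json.loads(z.read(n))["parameters"] for n in REQUIRED)
    problems = [f"UI output '{k}' is not a template parameter" for k in ui["outputs"] if k not in params]
    for el in (e for step in ui["steps"] for e in step["elements"]):
        allowed = params.get(el["name"], {}).get("allowedValues", [])
        offered = [v["value"] for v in el.get("constraints", {}).get("allowedValues", [])]
        problems += [f"UI offers '{v}' outside template allowedValues" for v in offered if allowed and v not in allowed]
    return problems
```

Write the bytes returned by `build_package` to a file such as “CreateStorage.zip” and upload it only when `check_package` returns an empty list.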
Now that you have one or more managed applications created, you can use them to create other Azure resources:
- Create a “Service Catalog Managed Application” resource.
- Select the application from the list provided.
- Fill in any fields that the managed application requires, which may include “Subscription”, “Location”, “Storage account type”, etc.
Managed Applications let users with the proper access publish approved applications, which helps ensure that other users don’t create applications that have not been approved. Because they use pre-defined UI components provided by Microsoft, users can create these applications in almost the same way as they create other Azure resources.