
Day Two Cloud 139: Azure Bicep Is (Not) ARM

Episode 139


Today’s Day Two Cloud episode is about Infrastructure as Code (IaC). More specifically, we work out with Azure Bicep. According to Microsoft, Bicep is “a domain-specific language (DSL) that uses declarative syntax to deploy Azure resources. In a Bicep file, you define the infrastructure you want to deploy to Azure, and then use that file throughout the development lifecycle to repeatedly deploy your infrastructure.”

In other words, the goal of Bicep is to help folks deploy Azure cloud resources consistently using a human-readable syntax.
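To make the description above concrete, here is an added Bicep example. It is not code from the episode, its guests or Microsoft; it is the kind of reusable building block the conversation later argues for, a single file that deploys one locked-down storage account per application name, with the settings a company-wide module would enforce (no anonymous blob access, no account-key authentication, TLS 1.2 minimum, no public network access). The parameter names, naming convention, tag keys and the choice of API version are assumptions.

```bicep
// Added example, not code from the episode or its guests. Deploys one
// locked-down storage account per entry in appNames. Parameter names,
// naming convention and tag keys are assumed conventions.
targetScope = 'resourceGroup'

@description('Environment name, used in the naming convention and tags (assumed convention).')
@allowed([
  'dev'
  'test'
  'prod'
])
param env string

@description('Short application names; one storage account is deployed per entry.')
@minLength(1)
param appNames array

@description('Region for all resources; defaults to the resource group location.')
param location string = resourceGroup().location

// Storage account names must be 3-24 lowercase alphanumerics and globally unique,
// so a deterministic hash of the resource group id is appended to each name.
var nameSuffix = take(uniqueString(resourceGroup().id), 6)

resource storage 'Microsoft.Storage/storageAccounts@2022-09-01' = [for app in appNames: {
  name: toLower('st${app}${env}${nameSuffix}')
  location: location
  kind: 'StorageV2'
  sku: {
    name: 'Standard_LRS'
  }
  properties: {
    // No anonymous blob access and no account-key auth: callers use Azure AD identities.
    allowBlobPublicAccess: false
    allowSharedKeyAccess: false
    // Encrypted transport only, with a modern TLS floor.
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
    // Not reachable from the Internet; reach it through a private endpoint instead.
    publicNetworkAccess: 'Disabled'
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
    }
  }
  tags: {
    env: env
    app: app
  }
}]

@description('Resource IDs of the deployed storage accounts, in appNames order.')
output storageAccountIds array = [for i in range(0, length(appNames)): storage[i].id]
```

Because the secure settings live in the file rather than in a portal click path, every deployment of it gets them, and a reviewer can diff a pull request to see whether someone tried to relax them. Before applying, preview the changes against what actually exists in the resource group with `az deployment group what-if --resource-group <rg> --template-file main.bicep --parameters env=prod appNames='["payroll","reporting"]'` (or `New-AzResourceGroupDeployment ... -WhatIf` from PowerShell), then rerun the same command without the preview flag to deploy.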

Our guides to Bicep are Ben Weissman of Solisyon and Rob Sewell of Sewells Consulting.

We discuss:

  • Why IaC might take a long time on your first deployment, but then make future deployments faster
  • Details on Azure Bicep
  • How Azure Bicep relates to Azure Resource Manager (ARM)
  • A Bicep workflow
  • Bicep and the DevOps pipeline
  • Security guidelines
  • Bicep vs. Terraform
  • More

Sponsor: StrongDM

StrongDM is secure infrastructure access for the modern stack. StrongDM proxies connections between your infrastructure and Sysadmins, giving your IT team auditable, policy-driven, IaC-configurable access to whatever they need, wherever they are. Find out more at

Tech Bytes: Singtel

We chat with Mark Seabrook, Global Solutions Manager at Singtel, to learn about Singtel WAN offerings that can help make your legacy network cloud-ready.

Show Links:

Azure Bicep – Azure

Deploying Azure Resources Using Bicep – Pluralsight

Rob Sewell’s blogs on Bicep

@sqldbawithbeard – Rob Sewell on Twitter

Rob Sewell on LinkedIn

@bweissman – Ben Weissman on Twitter

Ben Weissman on LinkedIn

Day Two Cloud 126: Azure Arc And Building A Hybrid Cloud – Packet Pushers



[00:00:01.570] – Ethan
StrongDM is secure infrastructure access for the modern stack. StrongDM proxies connections between your infrastructure and sysadmins, giving your IT team auditable, policy-driven, IaC-configurable access to whatever they need, wherever they are. Find out more at PacketPushers.

[00:00:25.350] – Ned
Welcome to Day Two Cloud. Today we’re going to be talking about an Azure thing called Azure Bicep, which is a replacement for ARM templates. You get it? ARM, Bicep. It’s kind of what we’re talking about. But we have brought on two experts in Azure Bicep to guide us through this. We have Ben Weissman, a return guest, and Rob Sewell, a new guest, and they are going to tell us all about this crazy thing called Azure Bicep. Ethan, what jumped out to you in the conversation?

[00:00:55.250] – Ethan
It’s another in the chapter of infrastructure as code. And one of the points that comes up actually earlier in the episode that stuck out to me was, I’ve been getting mired down, Ned, in this whole IaC thing. You’ve got to have a pipeline and all this crazy stuff, and maybe actually you don’t. You can start simpler, and Bicep would be one of the ways to start simpler with infrastructure as code.

[00:01:16.060] – Ned
Yeah, it really does simplify, which, if anybody out there has worked with ARM templates, you know how verbose they are. Bicep makes it easier and easier to get started. So if that’s of interest to you, please listen in to Ben Weissman, a Data Passionist from Solisyon, and Rob Sewell, a Beard Twirler from Sewell’s Consulting. Well, Ben and Rob, welcome to Day Two Cloud. I’m very excited to have both of you here. Ben, you are a returning guest. And for folks who haven’t listened yet to your previous episode, which they should, they absolutely should. But if they haven’t, definitely. Can you tell us a little bit about who you are and what you do?

[00:01:56.970] – Ben
It’s a very philosophical question. Again, I’m not going to answer it again with who are we and why are we here? Because last time that took 3 hours that you all had to edit out. So why do all that? Again, I’m a Data Passionist for Solisyon in Nuremberg, Germany. So now you may be wondering, what does that even mean? Yes, I have no idea, but I think it sounds pretty cool. It means I love all things data. I’ve been working with data for the last 25 eight years. Basically all my professional life has evolved around data in some way. But also I am passionate about data. So I love talking about data at events. I love talking about data in blog posts or videos or whatever. I think data is a pretty cool and pretty powerful thing. I’m mainly from the Microsoft field, to be honest. Whenever there is anything coming out there, even if I don’t see an actual use case for it, or even if I don’t have an actual customer like, hey, he’s been waiting for exactly this, I try to get my hands on that and just see what new, cool things we can do with new data.

[00:02:57.530] – Ned
Yeah, sometimes the marketing materials don’t do an offering justice, or they don’t actually know what it can do. So it’s always good to poke around a little bit. Now, Rob Sewell, you are new to the Day Two Cloud group, and your Twitter handle is sqldbawithbeard. And your title at Sewell’s Consulting is Beard Twirler. For those who are not watching the video, can you tell us, you’re clean shaven, right? Like there’s no beard.

[00:03:24.180] – Rob
There totally. There’s nothing hirsute about me at all.

[00:03:31.230] – Ned
Did you grow the beard for the Covids or is this something that you’ve had for a while?

[00:03:36.690] – Rob
Oh, no. This has been a fixture on my physiology for 20 or 30 years.

[00:03:45.370] – Ned
Okay, so you’re before the trend got popular. Yeah, you’re a trend setter, one might say.

[00:03:52.350] – Rob
Well, in the beard world now.

[00:03:57.010] – Ned
Aside from growing an epic beard, what would you say you do for Sewell’s Consulting?

[00:04:04.170] – Rob
It’s really hard, because what I do is help people deploy stuff, from being an ex-production SQL DBA. So the one that went, no, you can’t have the SA password. No, that’s not what we do. No, your queries may not have NOLOCK. All of these things. That’s what I did. And then gradually, from looking after many tens of thousands of databases and instances in defense and then for private companies, I’ve kind of morphed into somebody who does Azure DevOps and infrastructure deployments, but mainly in the data world. So all the cool stuff that Ben does with his newfangled data, I like to be the one that builds that and makes sure that they’ve got a test environment and a dev environment and production is the same.

[00:05:09.270] – Ned
Got you. Okay, makes sense. Now, I know that the topic for today’s podcast is Azure Bicep, which is infrastructure as code, or a type of it. But maybe we can start with just what your views are on deploying infrastructure in general. And Ben, I’ll hand that off to you first.

[00:05:26.350] – Ben
I mean, deploying stuff, no matter if it’s data related or not, that’s kind of the beauty of the cloud. And it’s also kind of one of the biggest issues in the cloud. You can just easily go ahead, clicky drag-and-dropping, and deploy all kinds of stuff without really thinking it through. So, hey, I just need a VM real quick. Cool. It’s going to take me like five minutes these days. Whereas in previous years or decades it would have taken me days to weeks or two months, because now I don’t have to buy any hardware anymore. Now I don’t have to talk to Rob’s counterparts, like the infrastructure administrators, anymore and be like, no, you’re not going to get that VM. No, you’re not going to get that password. You know why you’re not getting those fun projects, by the way, Rob? Because you’re a non-data fun person. If you don’t give people the SA password, what is the fun in that? I mean, seriously. No, we don’t do NOLOCK. Yes we do. Because this is what makes things interesting.

[00:06:24.670] – Rob
It’ll suddenly make your bank account balance interesting if you use NOLOCK. Money. I’ve got many money. I’ve got no money.

[00:06:33.410] – Ben
You had me at many money. That’s where it got interesting for me. But no, it is super easy to deploy stuff. And in the clicky drag world, it is super hard to deploy repeatable stuff. That is kind of my, so many times before I discovered the beauty of infrastructure as code, I was like, okay, this is not working in this Azure VM. And then I found out how to fix it. And then six months later I had the same issue again in another VM. Well, I’m super smart, so of course I remembered I had that problem before. I’m not that smart, so I didn’t remember how I fixed it the last time. So I basically went through all the same Google searches and stuff over and over again.

[00:07:15.590] – Rob
And find your own blog post.

[00:07:18.260] – Ben
No, because I’m not smart enough to write a blog post about that every single time. Maybe I should. It sounds a little narcissistic, but at the same time, it might actually be the answer to that problem.

[00:07:29.040] – Ned
Yes it is. I have searched for a problem before and found my own blog post from like two years ago. I’m like, oh God, okay, embarrassing.

[00:07:38.330] – Ben
At the same time.

[00:07:41.030] – Rob
I’ve done exactly the same. And I’ve actually sort of thought, I’m sure I’ve read something about this before. I’m sure somebody’s written about this. And I’ve searched through my notes of cool things I’ve read about. Oh no, with a beard. He wrote something about it.

[00:08:00.410] – Ethan
Then as you were talking about clicky clicky versus infrastructure as code. Okay, infrastructure code is repeatable.

[00:08:06.320] – Ben
Clicky clicky is not.

[00:08:07.470] – Ethan
You got to remember what you did. And so if you’re doing the same sort of infrastructure deployments over and over again, you want to move to infrastructure as code. The downside being you have to figure out how to work with infrastructure as a code. So how do you get over that hurdle? Is it just like jump in and start doing it and it’ll come to your kind of thing?

[00:08:28.130] – Ben
Well, deploying something with infrastructure as code will take longer, but it’s a good thing. Well, it will take longer on the first deployment, not on the repeatable ones. The repeatable ones will be much faster. It will take longer on the first because it’s going to ask you for all these settings and all that stuff that you usually don’t think about, because you just go with the defaults. If you could see Rob’s T-shirt right now that says don’t accept the default, that’s basically what, hey, I’m on the Azure portal, like click next, next. Yes, you do end up with the VM, but it may not be the smartest thing, because all of a sudden that thing is accessible from all of the Internets, from all over the world. That wasn’t super smart, but that’s the default. So they probably thought that through. Why would they do it otherwise? So infrastructure as code, besides the huge advantage of me not having to find my non-written blog post six months later, infrastructure as code forces me to think a little bit about what I’m actually trying to do. So in that case, hey, I really just need a VM because I want to try something on a clean machine.

[00:09:31.440] – Ben
It doesn’t need to have to be anything special. I may just go to the portal and hit next, next, because, well, I’m going to delete this machine five minutes later and I don’t care about performance, I don’t care about cost and all that because it’s really that ephemeral. But if it’s something more meaningful, it might make sense to spend a little more time thinking about what you actually need rather than taking that portal advantage and just hit that next button. It also gets you to some kind of result, but most probably not exactly what you were looking for.

[00:10:01.370] – Rob
I was going to say infrastructure as code doesn’t have to be anything more complicated with Azure than using the Azure PowerShell or az CLI, or in AWS using their CLI tooling, to write a few lines of code that will do something.

[00:10:19.140] – Ethan
Yeah, that’s a good point. Because sometimes we get into these infrastructure as code conversations. It’s like, well, you’ve got to have a pipeline and you’ve got to have a bunch of testing and you’ve got to have, and you build this very complex deployment infrastructure to push, to use your infrastructure as code in the right way, like a dev would, with all this stuff.

[00:10:39.220] – Ethan
And it seems so overwhelming.

[00:10:40.550] – Ethan
But I think you just made a great point.

[00:10:42.330] – Ethan
Rob, you can start with something as simple as a basic script, right?

[00:10:47.670] – Ned
And in a way, scripting is infrastructure as code. It’s just not declarative. And there’s definitely some advantages to going the declarative route. Now, Rob, we’re here to talk about Bicep, and if I understand it correctly, I haven’t used it. But if I understand correctly, it is an infrastructure as code tool. Can you give me the 10,000 foot view of where it fits into the infrastructure as code landscape?

[00:11:13.790] – Rob
Azure Bicep is a DSL, or domain-specific language, for deploying Azure resources. So what that means is it’s a way of creating human-readable files that, when they are applied, Azure is going to create resources, for Azure only.

[00:11:35.810] – Ned
Okay, that makes sense. And is it a replacement for ARM templates? Because that’s what I’ve used in the past. That’s what it spits out when you do clicky-clicky next, it’ll say, hey, do you want a template? And you go, sure. And it gives you this ridiculously long JSON thing that is an ARM template. That’s what I’m used to. Does it replace that?

[00:11:56.690] – Rob
I don’t know what the official Microsoft view is on whether it replaces that. I’ll tell you what it does for the beard, and for the beard, it absolutely replaces templates. Since I started doing Bicep, and I was lucky to pick up a client who needed Azure infrastructure deployed as Bicep came into supported preview, and they were like, yes, we will take this. And since that moment in time, the things that I have deployed into Azure have been with Bicep and I have not touched an ARM template, and I am very pleased about that.

[00:12:34.610] – Ben
So Bicep will not take ARM away, because Bicep is an abstraction of ARM. So if you deploy a Bicep template, what it will do in the background, it will make that very beautiful Bicep template into a very nasty ARM template before actually deploying something. You don’t care about any of that because it’s all happening transparently in the background. But that most probably means that ARM will never go away. Never say never. But I wouldn’t see the advantage of that, because I’m with Rob on that. For me, ARM is basically gone. I don’t write any ARM templates. It’s not that I wrote many ARM templates before that, because ARM templates are, how do I put, well, I’m not going to put it, because it would have to be redacted anyway, all the words I could say about ARM templates.

[00:13:20.870] – Ben
Why would I care if Microsoft goes with a way of making my Bicep template an ARM template, as long as it’s happening transparently in the background and I don’t have to do any intermediate and manual steps? And that’s not the case. So, yeah, to your question, I don’t think ARM is going anywhere from an infrastructure and system perspective. You can completely forget about it from a user perspective. And I guess that’s the key part.

[00:13:44.750] – Rob
I think the important thing is both of them are making use of the same Azure Resource Manager APIs in the background to deploy the resources. So it’s just two different ways to get into the same place, right?

[00:14:00.550] – Ned
I’ve been using Azure long enough that I remember the previous thing that was Azure Service Manager.

[00:14:05.930] – Rob
Service Manager, yes.

[00:14:07.730] – Ned
Which did not have a nice infrastructure as code language, really. And it was very difficult to use if you weren’t just scripting or using the portal. So ARM was a great leap forward, but it also meant that it took forever to retire ASM. I don’t think Microsoft wants to go through that pain again. So what you’re saying is Bicep, when you use it, the artifact it produces is not a deployment up in Azure. It’s actually ARM templates that are then used to deploy infrastructure in Azure. Is that correct? I have that right in my mind?

[00:14:44.770] – Ben
Technically, yes and no, because you can deploy a Bicep template. And what will happen is that Bicep code will be transposed to standard Arm template JSON in the background, but it will immediately deploy. So you can use the Azure CLI or the PowerShell template or Azure DevOps pipelines or pick your poison or anything you could deploy an Arm template with. You could do the same thing with Bicep so you will end up with that immediate resource in Azure. There’s just that transparent step in the background that’s happening that will always generate that Arm template for you.

[00:15:19.720] – Ned
I’m going to ask a question. You might not like this. If I’m using an abstraction to deploy stuff on Azure, why wouldn’t I just use Terraform? Oh, you knew it was coming though, right?

[00:15:40.050] – Rob
I knew it was coming. And as you can tell, it’s a question that I hear a lot. And look, I’ve used Terraform to deploy things in Azure. I’ve used Terraform to deploy things in AWS. It is a fantastic tool for deploying infrastructure. The problem that I most frequently have with Terraform when I’m deploying Azure infrastructure is that unless your organization is so mature that you can turn off the ability to make changes through the portal, which I have, I know of a single organization who has done that. If you don’t do that, then what happens is somebody goes, hey Ned, thing is broken. Please can you fix thing? And you go, sure. And you have a look and you see what is wrong with thing and you go, I need to change this. Maybe I need to give it more things or add another storage account or whatever it is. You make a change in the portal to things, and now you’ve broken your Terraform deployments, because Terraform is using state files to understand what it needs to compare against. And I know people are probably shouting that, yeah, there’s this, you can do this and you can import and you can make sure. Yeah, absolutely, you can do all of those things, but they are painful and you will find the edge cases where they don’t work, and that will lead you to a place where you have a set of Terraform to deploy some infrastructure that you cannot deploy onto your infrastructure, because we can’t do the comparison between what actually exists and what happens in the state file.

[00:17:42.470] – Rob
And for me, this is the biggest, most beautiful thing about Bicep, in that Bicep still does the comparison, but the comparison that it does is against what exists. So it’s literally going, hey, resource group, what have you got? You’ve got all of these things, okay. And hey, code, what have you got? You’ve got all of these things, right? I’m going to make what is there the same as what the code says it wants, and it’ll go into it.

[00:18:17.610] – Ned
Hopefully it tells you what it’s going to do before it does that thing.

[00:18:21.570] – Rob
Of course you can use the -WhatIf switch, if you’re using PowerShell to do your deployments, and then you can see. So in the same way as with Terraform, you would do a plan: hey, Terraform, if I run this code, what would you do? Terraform will say, hey, well, I’m going to do this, and that will work. If Ned changed the resource group and added more storage accounts, whatever he’s done, it’s only at the apply that it would fall over.

[00:18:55.750] – Ned
Fair criticism of some of the shortcomings of Terraform. I’ve certainly bumped my head on them once or twice. So I completely understand where you’re coming from, but it’s important to ask the question.

[00:19:06.550] – Ben
And in Terraform’s defense, I mean, Rob already said it, but Bicep is Azure only. So one of the advantages of Terraform, besides the downsides of Terraform, I mean, we could go on, there’s more downsides than just state files. But if you’re running a true multi-cloud operation, you say, hey, I want to do infrastructure as code, but I want to use it with one tool. You could not use Bicep, because Bicep is Azure only. And I don’t think it will ever change, because again, Bicep is an abstraction of ARM and ARM is Azure only. And again, I don’t think we’re going to see changes to that.

[00:19:43.340] – Ned
Okay, Ben, since we’re still talking about Bicep, I understand from a conceptual level, but can you walk me through an actual workflow, like what does it look like to write Bicep code? And then what’s the actual process by which I turn that Bicep code into a deployment?

[00:20:04.270] – Ben
So it kind of depends if you’re really starting something from scratch or if you’re trying to build upon something that you’ve already built before. Because what you can do is you can turn any ARM template or any existing Azure resource into a Bicep file. So in many cases, that might be a good start. Either way, Bicep has a very beautiful, amazing VS Code extension. And that VS Code extension comes with two things. One thing is full IntelliSense, and basically all you need to know is, hey, there’s stuff like parameters, variables and resources.

[00:20:40.070] – Ned
There’s a little more.

[00:20:40.790] – Ben
But if you know these three things, you’re basically good to go. Because then you can just say, okay, I want to write a Bicep file that’s going to deploy a resource. So you type resource and give that resource a name. And the next thing you do is, hey, what kind of resource is that? And then you say, I don’t really know what it’s called, but I know it’s something with SQL Server, and then you just type SQL and it comes up with, hey, there’s a SQL database, there’s a SQL managed instance, there’s a SQL this, there’s a SQL that. Okay, cool. Yeah, I want a managed instance and I want to go with the latest API version, because I’m not doing anything on that, because as with ARM templates, you could go with an older API version if you need to deploy something that is no longer supported or that was just different in the past. And then, oh, that super fancy extension will then go ahead and say, hey, you can just go ahead and really type all the properties that you need from scratch. Or how about that? I give you all of the required properties filled in with blanks, but at least you know what I really need for this to work.

[00:21:40.340] – Ben
So there’s all these tiny little helpers in there. If it gets too complex, what you can do is you can split out your Bicep into multiple files, into multiple modules, which also helps with reusing stuff. Hey, there might be 170,000 instances where I need a network security group. I understand. I have a network security group module and I reuse that in all of my deployments where I’m going to deploy an NSG, no matter if it’s for a managed instance, if it’s for VMs and all of that. And Bicep is more than just a little bit of IntelliSense and all that. But Bicep, it is a true programming language with limitations, but there’s stuff like loops and all that in there. And that extension, it helps you so much authoring that. So compared to what it takes to author traditional ARM, it is really day and night, and it helps you so much to get there, and the error messages that you get are way easier to read, at least for me. So you either take an existing ARM template or existing resource and turn that into a Bicep file, or you restart from scratch, depending on what you’re doing.

[00:22:51.550] – Ben
You could use Notepad or Vim or whatever you want to code. It doesn’t matter, because in the end you need that Bicep file, which looks a bit like JSON, but it’s not. By the way, one of the nice things, an ARM template that’s like this, and since people only hear me, I’m basically stretching my arms as wide as I can, becomes this. Again, you don’t see me, but I was basically showing people how I turned 50 lines into three or something like that, because it’s so much more condensed, so much more stuff that you can leave out. There’s so much stuff that has to be in an ARM template that Bicep does not need by default. So it’s cleaner, it’s easier to author. And then you just deploy it the same way you would deploy an ARM template, using the Azure CLI, using PowerShell, you use the same command. The only difference is instead of saying something-something.json, you say something-something.bicep.

[00:23:41.680] – Ned
Okay, and that’s the marker. So it knows it’s a Bicep file as opposed to a template. Got you. To get back to the modules thing, which I think is a super important part of infrastructure as code, is building out this library of modules. Is there an existing library of modules that I can pick from? Is there like a registry or just a collection on GitHub? You can go and grab a bunch of Bicep building blocks to put together your template.

[00:24:07.030] – Ben
There’s a bunch of samples out there, but there’s not like a proper registry. Then again, I don’t know about you, Rob, but I’ve never felt like I would actually need it, because the IntelliSense is so helpful and these extra hints are so helpful as they are that you basically get that registry almost built in.

[00:24:27.910] – Rob
What I would say is, totally, I agree. The IntelliSense is magical. The Bicep Playground enables you to, in a GUI, do a decompile of an ARM template and compile it into a Bicep template. You can do that at the command line as well, but all of the ARM templates that are available on GitHub as suggestions, you can go and pull those in the Bicep Playground as a drop-down, and then you can pick any of those to give you a good example. But this is normally where I just go, real world is hard and you absolutely need modules. And why would you need modules? You need modules to ensure that when Ben creates a virtual machine, he doesn’t leave an RDP port available to the rest of the world. When he creates a storage account, he makes sure that public access is disabled. And you want to enforce those sort of company-wide policies using modules. So you say, Ben, you’re allowed to create a storage account and you may use this. This is the module that you will use. It doesn’t just make the code easy for you because it’s DRY. It also enables you to enforce your naming conventions, your security guidelines, and all of those things.

[00:25:54.280] – Rob
Because we’re all going to need to build storage accounts, and our company is going to need to ensure that they are all in the correct location because of GDPR or other requirements that we have as an organization. Or they’re going to need to make sure that they are only connectable to these networks, or they must always have a private endpoint. All of these things that we know that get written down in Jira or in OneNote or in other documentation, we can actually put that into the code. And that’s a lovely thing, I think, about infrastructure as code: it’s not just the thing that does the deployment. It is also the thing that records what you have deployed.

[00:26:43.250] – Ned
Okay, expand on that a little bit. What do you mean? It records what you’ve already deployed.

[00:26:48.350] – Rob
So in the way that if I have a set of code that is going to call some modules to build Ned’s resource group with three VMs, four storage accounts, and six Azure SQL databases, all set up with private endpoints according to my company policy, named correctly, I will have a record of calling those modules and the values that I’ve used to call them, if I choose to do it that way. So when I come back and I look in my source control and I see that on January 27, which is when we’re recording this, we deployed this, and it’s all recorded there.

[00:27:27.830] – Ned
Okay. If I already have some infrastructure deployed and I want to use that as I got it all tweaked it’s exactly the way that I want it and I want to sort of make that the golden standard. Can I take that existing deployed infrastructure that’s in a resource group, maybe, and turn that easily into a bicep template?

[00:27:46.610] – Rob
Easily, no.

[00:27:49.620] – Rob
But can you? Yes. As we’ve said, there are ways of decompiling ARM templates into Bicep code. You can do it in a GUI, or you can do it on the command line, so you can export the template of the existing resource and then do a conversion. You still want to go and make it named correctly, because you’ll have those wonderful long names that you get. It’s possible, yes.

[00:28:18.980] – Ned
I have exported Arm templates before from deployed resources, and you got to do a little clean up on that because it fills in a lot of fields that are a default field you don’t normally have to even mention because Arm takes care of it for you.

[00:28:33.830] – Ethan
We pause the podcast for a couple of minutes to introduce sponsor StrongDM’s Secure Infrastructure Access Platform, and if those words are meaningless, StrongDM goes like this.

[00:28:43.570] – Ethan
You know how managing servers.

[00:28:44.950] – Ethan
network gear, cloud VPCs, databases, and so on. It’s this horrifying mix of credentials that you saved in PuTTY and in super secure spreadsheets and SSH keys on thumb drives. And that one doc in SharePoint you can never remember where it is. It sucks, right? StrongDM makes all that nasty mess go away. Install the client on your workstation and authenticate, policy syncs, and you get a list of infrastructure that you can hit when you fire up a session. The client tunnels to the StrongDM gateway and the gateway is the middleman. It’s a proxy architecture. So the client hits the gateway and the gateway hits the stuff you’re trying to manage. But it’s not just a simple proxy, it is a secure gateway. The StrongDM admin configures the gateway to control what resources users can access. The gateway also observes the connections and logs who is doing what, database queries and kubectl commands, et cetera. And that should make all the security folks happy. Life with StrongDM means you can reduce the volume of credentials you’re tracking. If you’re the human managing everyone’s infrastructure access, you get better control over the infrastructure management plane.

[00:29:50.090] – Ethan
You can simplify firewall policy. You can centrally revoke someone’s access to everything they had access to with just a click. StrongDM invites you to 100% doubt this ad and go sign up for a no-BS demo. Do packet pushers, they suggested. We say no BS, and if you review their website, that is kind of their whole attitude. They solve a problem you have and they want you to demo their solution and prove to yourself it will work. packet pushers, and join other companies like Peloton, SoFi, Yext and Chime. packet pushers. And now back to the podcast.

[00:30:34.430] – Ned
Another thing that we’ve covered before on the show when it comes to infrastructure as code is the idea of scanning the code before it gets deployed for potential security or compliance violations. Is there a tool or something along those lines that works with Bicep to scan through and flag things like having RDP open to the world?

[00:30:57.230] – Rob
Not that I am aware of. I know that there have been some attempts to codify some of the interaction with the Bicep API. So there are some PowerShell modules. I’m a PowerShell dude. There’s some PowerShell modules that are involved in that. Personally, I have taken a look at a Bicep file with PowerShell and then scanned it to make sure that things are correct using Pester, which is a unit testing framework for PowerShell, but I love to use it as an infrastructure testing thing, so you can do things like that. But ARM is only, crikey, Bicep’s only been under support for less than twelve months, so these sort of additional things that come around the outside are still in progress, I think, as people start to understand what it is that’s required.

[00:32:03.450] – Ned
Got you.

[00:32:05.110] – Ned
The other thing that was kind of difficult, not difficult, but it was not intuitive with our templates is creating multiples of the same resource. Is that kind of a little bit easier with Bicep Ben?

[00:32:16.570] – Ben
I mean, you’ve got tons of ways of doing that, but you can even do it right in your Bicep templates. If you say, for example, hey, I’m doing a training tomorrow and I have 30 people joining the training and I want them to have the exact same training. So I need 30 resource groups, and all those 30 resource groups will have the same SQL database and the same VM and stuff and all that. You can define all that. And then you either build a loop into your Bicep template, or if you’re like, yeah, but I’m only getting started with Bicep, I want to keep this clean, you will just loop in PowerShell over that deployment command and pass in a parameter through it. A couple of other ways of doing that, but it is super simple, and that is one of the things I love about it, actually, that you can get those repeatable results, not just in a way of, okay, at some point I messed up that VM so much that I’m going to deploy a new one. But also, hey, I need this VM, but I don’t need it once.

[00:33:11.210] – Ben
But I need it 500 times or 30 times or however many times.

[00:33:15.850] – Rob
All of those things that you’re used to doing in your Arm templates where you are doing your counts and your braces and making sure everything works, you can do all of that in Bicep. It’s just much nicer to read and easier to understand.

[00:33:30.070] – Ned
Okay, makes sense. The other thing that I wanted to dig into just a little bit would be, I’ve started using Bicep, let’s say, and now I want to integrate this into a larger thing. I know we talked about, like, there’s this golden idea of the DevOps pipeline and deploying infrastructure as code through that pipeline. Everything. Let’s say I started using Bicep. I’m ready to try that. How easily does this integrate into a DevOps pipeline that I might be trying to develop?

[00:34:00.430] – Ben
I’m going with just as easy as an Arm template, because from a pipeline perspective, that’s what it is. You can use the exact same tooling for deployment, so whatever your pipeline is calling it is doing the exact same thing.

[00:34:16.930] – Rob
My answer is normally pretty much the same when you’re talking about whichever type of deployment tool that you wish to use. If you can do something from the command line. So if you have a Terraform file, if you have a Bicep file, and you can do your deployment, Arm template as well, as soon as you can do that, then putting it into Azure DevOps, into Jenkins, into whatever it is tooling that’s going to do this. It’s just a case of getting the script and putting it in the right place, giving it the right parameters, just the same as you. When you type out the command line, you need to make sure that you’re connected to the right subscription and you’re using the right resource group for your template or whatever. You just need to make sure that in your Azure DevOps pipeline, which I hope you’d be using YAML. And you’re keeping it all in code, because source control is awesome even for infrastructure folk. And then you can make sure that you define what it is that you write and then you put it into your pipeline and then you can deploy it as many times as you wish.

[00:35:22.770] – Ned
All right, now this may sound like a silly question, but there’s no cost to using Bicep. I don’t have to pay for a license or anything like that.

[00:35:30.950] – Rob
Right before Ben answers, I’d say it’s going to cost you an arm and a leg.

[00:35:38.690] – Ned
I walked into that. I’m sorry, what were you going to say, Ben?

[00:35:43.250] – Ben
Well, it’s free as a puppy. I mean, Bicep is free, the tooling is free, but obviously all the stuff that you deploy is not. So I’ve seen people enjoying the ease of deploying those 30 resource groups and not thinking about what it’s going to cost them in the end. So then again, that’s kind of the issue with automation of any kind. I guess if you’re automating crap, you’re getting a lot of crap much faster than if you would do it manually. But it’s still going to be crap. In this case, expensive crap, potentially.

[00:36:15.050] – Ned
Well, guys, this has been a pretty interesting conversation about a major improvement in the world of Azure Arm templates with this Bicep thing. For folks that are interested in knowing more, let’s go through a few key takeaways and then where they can go to learn more about Bicep. Ben, why don’t you start us off with a few key takeaways?

[00:36:35.390] – Ben
Sure, I would say Bicep is everything that Arm is, but it’s also everything that Arm is not. So it’s full feature parity with Arm. Anything that you can do today with Arm, you can do it with Bicep, but in a much nicer way, but also in a way that’s way easier to adopt. So if you want to get started with infrastructure as code in Azure, don’t do Arm, because it’s a pain. It’s a major pain. We’ve been there. It’s no fun. Bicep is fun because it makes these deployments easy. And I think, or I hope, that this is what will take more people to use infrastructure as code, so they don’t become six-months-from-now Ben trying to find his own blog post.

[00:37:15.830] – Ned
Okay, Rob, what do you have?

[00:37:19.070] – Rob
I’d like to point out that once you’ve got a handle on how Bicep works, you can integrate it with Azure DevOps or any other deployment tooling and you can deploy as many things as you want to keep them under source control. And that is a good thing.

[00:37:36.170] – Ned
Okay, you also mentioned Bicep Playground. Is that somewhere people can go? Is that a hosted service you can go and check out Bicep?

[00:37:43.860] – Rob
Absolutely. The easiest way to find it is to just type the word Bicep and playground into your favorite search engine and go and grab them.

[00:37:54.360] – Ben
Did you just tell people on a technical podcast how to Google? I did.

[00:37:59.690] – Rob
Okay, I’m not judging, I’m just asking because it’s easier than them remembering the name of a thing that currently I can’t remember as well.

[00:38:13.250] – Ned
Well, I’m glad you didn’t tell us to Bing it, so that’s at least better.

[00:38:19.610] – Rob
The reason for using Bicep Playground is that it gives you access to the Bicep files for all of the Azure Git templates and it enables you to put your own Arm template in and get a Bicep template or file out.

[00:38:42.470] – Ned
Okay, makes sense. And Ben, I think you have somewhere you could direct people to go if they want to learn more about Bicep.

[00:38:50.810] – Ben
I do. Glad you asked. I do have a Pluralsight course on Bicep where I’m basically taking all the stuff that we’ve talked about today and walking through that in a little more generality. So I’m actually building Bicep hosts. I’m showing the extension, I’m showing how to deploy it and stuff, but it’s like a 30-minute course. So if you’re expecting a course that will show you, for every single resource type that Azure has to offer, how you can deploy it, you’re in the wrong place. If you’re like, hey, how do I do something? I want something, anything, twice, or I want just to work with parameters and stuff. That’s the kind of stuff that I’m doing there. So it’s not the 10,000 meters view, but it’s also not every single thing. I hope it’s useful to those that try to get started with Bicep, no matter if they’ve used Arm before or not.

[00:39:39.120] – Ned
I like the fact that it’s short because that makes sense. Just get you enough to get started and then go build something on your own. If folks want to follow you or hear more from you, where can they find you on the Internet?

[00:39:50.420] – Ben
Best way to find me on the Internet is either on Twitter, where I’m @bweissman, or on LinkedIn, where I’m Weissman, Ben.

[00:39:59.930] – Ned
All right. And Rob, same question to you.

[00:40:03.530] – Rob
Easiest way to find me is @sqldbawithbeard on Twitter. I’m a heavy Twitter person.

[00:40:12.110] – Ned
Alright, sounds good. We will include links for all of that in the show notes. And thank you so much, Ben and Rob, for joining us on Day Two Cloud. Please stay tuned for a Tech Bite from Singtel that’s talking about how you can advance your cloud networking and improve your wide area network.

[00:40:32.330] – Ethan
Welcome to the Tech Bites portion of our episode. We are in a six-part series with Singtel about cloud networking, that is, how to take your existing wide area network and make it communicate with cloud services in an effective way that maybe your legacy WAN isn’t able to. Today, part five of six.

[00:40:49.950] – Ethan
We are chatting once again with Mark Seabrook, Global Solutions Manager at Singtel.

[00:40:53.810] – Ethan
Mark is going to share Singtel SD-WAN offerings that can help make your legacy network cloud ready.

[00:40:59.680] – Ethan
This is the stuff that Singtel can give you that makes your network cloud ready. That’s the big idea.

[00:41:03.860] – Ethan
Here, Mark, one of your key solutions, and we’ve mentioned this in some of the earlier Tech Bites, but we need to review this: SD-WAN.

[00:41:11.290] – Ethan
Why, in your view.

[00:41:12.390] – Ethan
Is SD-WAN a critical network feature for accessing cloud?

[00:41:17.740] – Mark
Hi guys. So I guess SD-WAN just gives that level of intelligence across the whole global network, so it allows you to manage all of the amazing things you can do with overlays and what underlays it’s running on. So before SD-WAN, at a site level and at an orchestrator level, we just didn’t have that control of the access. And that 10,000-foot overview from the customer’s perspective.

[00:41:48.050] – Ethan
I like the way that you put it. Amazing, because without being overly dramatic, that’s sort of how I felt about SD-WAN. If you’re used to, as a network engineer, setting up routing protocols that route things in a particular way, you get into the SD-WAN world with overlays, and now you can begin pushing traffic around the network kind of however you want in accordance with policy.

[00:42:08.040] – Ethan
You get into service chaining.

[00:42:09.500] – Ethan
There is truly what we would have said back in the day you could kind of hack together a little bit with policy-based routing, but I mean, not end to end. It was always a point in time, and managing it was awful. So SD-WAN does feel a bit amazing at times. Okay, Mark, but we do have to have a moment of honesty here.

[00:42:28.590] – Ethan
Because I can buy my own SD-WAN.

[00:42:31.450] – Ethan
I could buy an SD-WAN capability from you folks at Singtel. So why SD-WAN from a service provider like Singtel instead of doing it by myself?

[00:42:41.510] – Mark
A lot of customers start off with SD-WAN, and it’ll run great. They’ll do very well if it stays in one country, if the total number of sites is fairly small. Once you get to global, regional, multiple in the thousands of sites and literally thousands of tunnels and policies, you really need some help. Also, from an orchestrator point of view, you have to host that orchestrator somewhere, so we can give you a managed orchestrator across the world, which is backed up. You have a lot of models with customers where we have the keys, they have the keys. So we can change things. They can change things. If they need help, we can come in and fix stuff for them.

[00:43:37.030] – Ned
Right. And to a certain degree, I think you’re implying that design matters when you start hitting that number of sites. So I imagine that you also assist with the design and architecture components of SD-WAN.

[00:43:47.540] – Mark
Yeah, absolutely. I mean, one of my favorite kind of models is what I call design and construct. So we’ll get a brief from the customer. We know the problem, we know what we’ve got to solve, but we’ll do it in a sort of a step-by-step process. So we’ll keep their existing network up, we’ll build infrastructure underlay for the new network, we’ll roll out sites, we’ll add regions or countries at a time. We’ll do proof of concepts.

[00:44:19.370] – Ethan
Well, Mark, I know we’re going to talk about design and construct services in the final part of our series, but for this one, I want to understand more about the SD-WAN offering. What makes it up? What are the strategic advantages? I know you’ve mentioned along the way in this series that you have alliances with folks like Silver Peak, and you mentioned Cisco ThousandEyes along the way.

[00:44:40.710] – Ethan
So let’s start at the beginning.

[00:44:42.110] – Ethan
If I’m getting SD-WAN from Singtel, what does that offering look like? What am I buying here?

[00:44:49.910] – Mark
We’ve had a lot of success with customers, and we’ve put them on what we call our uCPE model. So our universal CPE. So we typically use a Dell server, and we’ll load a number of images already on that Dell server. So, for example, we’ve already put on Cisco Viptela, VMware VeloCloud, Fortinet, HP Aruba, Silver Peak. We’ll put a ThousandEyes Enterprise Agent and a Cisco switch. So the reason we love doing the uCPE is that it doesn’t lock a customer in with a certain flavor of SD-WAN. And it also disconnects the hardware from the software. So basically, we’re not locking a customer into a flavor of SD-WAN, and we’re not locking a customer into the particular hardware that that SD-WAN manufacturer uses.

[00:45:46.310] – Ethan
So this Dell server, you’re saying universal CPE, customer premise equipment. And it’s preloaded with all of this stuff, like Cisco Viptela, VMware VeloCloud, and depending on what you’re looking at in the Fortinet catalog, something from Fortinet and something from Silver Peak. If we just take those. Those are all SD-WAN products with different models. SD-WAN is not a standard, it’s proprietary. And so you’ve got to plumb all these up, like, if you’re going with Cisco Viptela, you’re plumbing tunnels to other Cisco Viptela gear, et cetera. So your point is you ship the server, and the customer is going to work with Singtel to figure out what should we be lighting up, or is it maybe they’ve got Viptela in house already and you’re going to interoperate with their existing Viptela?

[00:46:34.790] – Mark
Kind of all of the above, really. Most customers that we’re rolling out SD-WAN for, they’ve already settled on a flavor of SD-WAN. So, for example, they might want to go with Silver Peak. So we’ll still put all those images on the uCPE, but we’ll just use the Silver Peak image. One of the other great things with the uCPE is that we can make use of all the redundant power supplies, the data center grade interfaces, especially at the hub level. We’ve got a lot of, like, 10GBASE-LR interfaces.

[00:47:13.070] – Ethan
Now, ThousandEyes is kind of a separate piece of software on there, but you can use that. I’m assuming you’re using that for network monitoring, so you can see what’s going on end to end.

[00:47:23.190] – Mark
Yeah, absolutely. One of the great things about putting the ThousandEyes Enterprise Agent on the uCPE is that you’ve got it everywhere. You’ve got it at every single site, i.e., an Enterprise Agent, and you’ve got it at all of your hub data centers. A lot of people overlook it. You need somewhere to host it. And if the customer has to host it on some spare server or mini PC, it can get a bit messy. I love having it on a uCPE, so that it’s everywhere and we can see it and we can control it.

[00:48:01.350] – Ethan
Okay, so you kind of let into my next question, which was you ship me this uCPE, this Dell box with all the software preloaded, and then what happens? It sounds like Singtel is managing this box for me.

[00:48:13.790] – Mark
We’ll set it up initially. So we’ll work with the customer, we’ll set up each site with various BIOs and rules, et cetera, what they want to do, BIOs, business intent overlays, and we monitor it. So we’ll set up a particular region, we might set up a few test sites and we’ll test it for a few months, and then we’ll make adjustments and then roll it out across the country. And then we might come up with a standard in that country and then roll that out globally.

[00:48:48.200] – Ned
And you said Dell box, but in reality, are you usually shipping, like, two for high availability and failover purposes?

[00:48:55.890] – Ethan
Yeah, absolutely.

[00:48:56.830] – Mark
Most of the sites we’re going to have two SD-WAN boxes running together in a high availability setup. And then at the hub sites, we’re basically going to have, at the hub sites, what we like to do is have a stack of 9K switches, have all the underlays coming into the data centers. We’ll then set up a VXLAN fabric in those 9K switches, feed that off to the uCPE in the data center. Now, in the data centers, we’ll typically have anywhere up to seven or eight stacked, all running together. So we’ve got a lot of failover, a lot of redundancy. And then on the back end of those SD-WAN instances, another set of 9K switches that handles all the failover.

[00:49:50.120] – Ethan
You just said a lot there. You say 9K switches. I assume you mean Cisco Nexus 9K or something else?

[00:49:55.670] – Mark
Nexus 9K. So, yeah, we created a VXLAN fabric. So we’re bringing in all these different underlays that come from all the different providers. A lot of customers will set up in each region or each country, will set up two Equinix data centers. We’ll have those 9Ks, all those stacks of SD-WANs running in two different Equinix. We’ll put a ten gig ring around those two data centers and then feed those two data centers also back to, like, a private data center that the customer might have. So we’ve got, like, a kind of a regional hub within each territory, and then we’ll link them globally via point-to-points, large MPLS, et cetera.

[00:50:45.370] – Ethan
This is a very grown-up setup.

[00:50:47.040] – Ethan
That’s what I’m hearing here.

[00:50:48.070] – Ethan
This is not, well, we had this one line and we lit it up and put some VLANs on it, and it was great. This is like a robust amount of bandwidth and redundancy built in, because you said redundancy. But I mean, capacity is another piece of this.

[00:51:05.140] – Ethan
You can push a lot of packets through this setup.

[00:51:08.130] – Mark
Yeah, absolutely. And I mean, I think that’s a little trap that a lot of people going to SD-WAN fall into initially, where they might move away from an MPLS network, they’ll go to a DIA because it’s cheaper. Sure, they’ll get more bandwidth, but by the time they start multiplying and multiplying tunnels on tunnels and making things more complicated, they suddenly find out that they might be in a worse situation than when they had the MPLS. So, yeah, you’ve really got to underlay. I like to think of underlay as the foundations to a building or a house. If you don’t get that right, everything else is going to look pretty wonky.

[00:51:51.750] – Ethan
How big are the links here? You’re describing a ring connecting the hub sites through the 9K stacks. What kind of capacity are we talking about between the hubs?

[00:52:01.070] – Mark
So typically these days we’re not really seeing anything less than ten gigs. So we’re seeing ten or 100 gigs standard. So that can be either, some customers like a pure wave handoff between points. Some people want a layer 2 Ethernet handoff. We’ve even done connectivity through our SD connect, so that’s our cloud product, but we can tweak it to do DC to DC rather than DC to cloud.

[00:52:28.740] – Ethan
Okay, Mark, so with Singtel.

[00:52:30.470] – Ethan
We’ve built a robust ring topology, ten or 100 gig links in between sites and so on. And it kind of feels like we’ve built our own private network, to really, effectively, that we have. But we’ve got the SD-WAN overlay. Okay. One of the things I can do with SD-WAN overlay is break out to things like Zscaler. I know that’s a pretty common feature. Even though I built this whole internal ring and stuff between my hub sites, can I still break out to Zscaler and use some of those fancy value-add services?

[00:53:03.030] – Mark
Yeah, absolutely. That’s one of the beauties of SD-WAN at the site level. So first packet inspection, depending on what the client’s rules are, we’ll break out that traffic directly to the cloud, to AWS, to Google, and we’ll point it through a Zscaler node for the protection. Other instances, for example, in China, the local Internet, the cloud traffic will be broken out to a local Chinese cloud, target the Internet WAN, that’ll hop on an SD-WAN underlay and maybe go to somewhere like Hong Kong or somewhere else.

[00:53:48.070] – Ethan
Excellent. That’s what I anticipated that you were going to say, Mark, but as the solution gets complex, all of a sudden the brain goes, oh, how do I do this?

[00:53:57.590] – Ethan
Oh, how do I do that?

[00:53:59.710] – Ethan
Long story short is you folks, you’ve thought about that and that’s all fine. And so you have maximum flexibility despite having built a very fast and robust architecture.

[00:54:10.710] – Ethan
Well, Mark, thank you for joining us once again.

[00:54:12.980] – Ethan
And if you’ve made it to the end of the Tech Bite.

[00:54:14.990] – Ethan
Hey, thanks to you for listening. You awesome, human.

[00:54:17.790] – Ethan
This was part five of a six-part series.

[00:54:20.230] – Ethan
So we are going to hear more on building cloud-ready networks with Singtel in an upcoming episode. Part six, our final entry in this Tech Bite series, is going to be in a couple of weeks. And we will be reviewing underlay network architecture for a cloud-ready wide area network, the circuits that you need to have between global regions and the management required to make the most of them.

[00:54:41.650] – Ned
Thank you to our guests for appearing on Day Two Cloud. And thanks to Singtel for the sponsored Tech Bite. And thanks to you, dear listener, for tuning in. If you have suggestions for future shows, we would love to hear them. You can hit either of us up on Twitter at Day Two Cloud show or fill out the form on my fancy website. If you like engineering-oriented shows like this one, visit packetpushers.net/subscribe. All of our podcasts, newsletters, and websites are there. It’s all nerdy content designed for your professional career development. Until then, just remember: cloud is what happens while IT is making other plans.
