How much does it cost to run a server

Running a Jenkins server on Azure

This scenario explains the architecture and considerations to keep in mind when installing and configuring Jenkins.

Download a Visio file that contains this architecture diagram.

This architecture supports disaster recovery with Azure services, but does not cover more complex scenarios with scale-out and multiple primary regions, or high availability (HA) with no downtime. For general guidance on the various Azure components, including a detailed tutorial on creating a CI/CD pipeline in Azure, see Jenkins in Azure.

This document focuses on the core Azure operations required to support Jenkins. These include using Azure Storage to store build artifacts, the security elements required for SSO, other embeddable services, and scalability for the pipeline. The architecture is designed to work with an existing source control repository. For example, a common scenario is starting Jenkins jobs based on GitHub commits.

Architecture

The architecture includes the following components:

  • Resource group: A resource group is used to group Azure resources so that they can be managed based on lifetime, owner, and other criteria. Use resource groups to provision and monitor Azure resources as a group and to track billing costs by resource group. You can also delete resources as a group. This is useful for test deployments.

  • Jenkins server: A virtual machine that acts as the primary Jenkins server is provisioned to run Jenkins as the automation server. The section on installing and configuring Jenkins explains how to install Jenkins on a new virtual machine.

    Note

    Nginx is installed on the VM and acts as a reverse proxy for Jenkins. You can configure Nginx to enable SSL for the Jenkins server.

  • Virtual network: A virtual network links Azure resources and provides logical isolation. In this architecture, the Jenkins server runs on a virtual network.

  • Subnets: The Jenkins server is isolated on a subnet to make it easier to manage and segregate network traffic without impacting performance.

  • Network security groups: Use network security groups to restrict network traffic from the Internet to a subnet of a virtual network.

  • Managed disks: A managed disk is a persistent virtual hard disk (VHD) that is used for application storage, as well as for storing the state of the Jenkins server and providing disaster recovery. Disks are stored in Azure Storage. Premium storage is recommended for high performance.

  • Azure Blob Storage: Azure Blob Storage (Windows Azure Storage) stores the build artifacts that are created and shared with other Jenkins builds.

  • Azure Active Directory (Azure AD): Azure AD supports user authentication so you can set up SSO. Azure AD service principals define the policy and permissions for each role authentication in the workflow using Azure Role-Based Access Control (Azure RBAC). Each service principal is associated with a Jenkins job.

  • Azure Key Vault: This architecture uses Azure Key Vault to manage secrets and cryptographic keys that are used to provision Azure resources when secrets are required.

  • Azure monitoring services: This service monitors the Azure virtual machine that is hosting Jenkins. This deployment monitors the virtual machine status and CPU usage, and sends alerts.

Recommendations

The following recommendations apply to most scenarios. Unless you have special needs that take precedence, you should follow these recommendations.

Scalability Considerations

Jenkins can be dynamically scaled as needed to support workloads. For elastic builds, do not build on the primary Jenkins server. Instead, offload build tasks to Jenkins agents, which can be elastically scaled in and out as needed. Consider two options for scaling agents:

Scaling virtual machines is generally more expensive than scaling containers. However, in order to use containers to scale, your build process must be done with containers.

You can also use Azure Storage to share build artifacts that other build agents might use in the next stage of the pipeline.

Scaling the Jenkins server

When you create a virtual machine and install Jenkins, you can specify the size of the virtual machine. Choosing the correct VM server size depends on the size of the expected workload. The Jenkins community provides a selection guide that can help you determine the configuration that best meets your needs. Azure offers a variety of sizes for Linux VMs to meet a wide variety of needs. For more information on how to scale the primary Jenkins server, see Jenkins Community Best Practices. There you will also find details about scaling Jenkins.

Availability considerations

Availability in the context of a Jenkins server means that you can restore any state information related to your workflow (such as test results, libraries you have created, or other artifacts). Critical workflow states or artifacts must be retained to restore the workflow if the Jenkins server fails. When evaluating availability requirements, consider two general metrics:

  • Recovery Time Objective (RTO) is how long you can operate without Jenkins.

  • Recovery Point Objective (RPO) is the amount of data that can be lost if an interruption in service affects Jenkins.

In practice, RTO and RPO imply redundancy and backup. Availability is not about hardware recovery (which is part of Azure), but rather about preserving the state of the Jenkins server. Microsoft offers a service level agreement (SLA) for individual VM instances. If this SLA does not meet your availability needs, make sure you have a disaster recovery plan or consider a multi-primary Jenkins server deployment (not covered in this document).

Consider using the disaster recovery scripts in step 7 of the deployment to create an Azure Storage account with managed disks to store the Jenkins server state. If Jenkins fails, the system can be restored to the state that is stored in this separate storage account.

Security considerations

Use the following approaches to help lock down a basic Jenkins server, because a Jenkins server is not secure in its basic state.

  • Set up a secure way to log in to the Jenkins server. This architecture uses HTTP and has a public IP address, but HTTP is not secure by default. Consider setting up HTTPS on the Nginx server so that logins are secure.

  • Make sure the Jenkins configuration prevents cross-site request forgery (Manage Jenkins > Configure Global Security). This is the default option for a Microsoft Jenkins server.

  • Configure read-only access to the Jenkins dashboard using the matrix authorization strategy plug-in.

  • Use Azure RBAC to limit service principal access to the minimum required for job execution. This level of security helps limit the damage that can result from an unauthorized job.
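One way to review the Azure RBAC recommendation above, as an added example that is not part of the original architecture guidance: the script reads role assignments in the JSON shape produced by `az role assignment list --all -o json` and reports service principals whose role or scope is wider than a single job normally needs. The sample data, the principal names and the choice of which roles count as broad are assumptions made for illustration.

```python
import json

# Constructed sample in the shape of `az role assignment list --all -o json`.
# Subscription ID, principal names and resource names are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalType": "ServicePrincipal", "principalName": "jenkins-deploy-job",
     "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalType": "ServicePrincipal", "principalName": "jenkins-artifact-job",
     "roleDefinitionName": "Storage Blob Data Contributor",
     "scope": SUB + "/resourceGroups/jenkins-rg/providers"
                    "/Microsoft.Storage/storageAccounts/buildartifacts"},
    {"principalType": "User", "principalName": "admin@example.com",
     "roleDefinitionName": "Owner", "scope": SUB},
])

# Assumption: built-in roles treated as too broad for a per-job service principal.
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}


def scope_level(scope):
    """Classify an Azure RBAC scope string by how much it covers."""
    parts = [p for p in scope.strip("/").split("/") if p]
    lowered = [p.lower() for p in parts]
    if not parts or lowered[0] == "providers":
        return "management-group-or-root"
    if len(parts) == 2:
        return "subscription"
    if len(parts) == 4 and lowered[2] == "resourcegroups":
        return "resource-group"
    return "resource"


def audit_service_principals(assignments_json):
    """Return (principal, reason) pairs for service principals with wide access."""
    findings = []
    for a in json.loads(assignments_json):
        if a.get("principalType") != "ServicePrincipal":
            continue  # human users are reviewed separately
        name = a.get("principalName") or a.get("principalId", "?")
        level = scope_level(a.get("scope", ""))
        if level in ("management-group-or-root", "subscription"):
            findings.append((name, f"scope is {level}"))
        if a.get("roleDefinitionName") in BROAD_ROLES:
            findings.append((name, f"role is {a['roleDefinitionName']}"))
    return findings
```
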

Jenkins jobs often need secrets to access Azure services that require authorization, such as Azure Container Service. Use Key Vault to securely manage these secrets. Store service principal credentials, passwords, tokens, and other secrets using Key Vault.

You can get a central overview of the security status of your Azure resources with Azure Security Center. Security Center monitors potential security issues and gives you a complete picture of the security status of your deployment. Security Center is configured individually for each Azure subscription. Enable the collection of security data as described in the Azure Security Center quick start guide. After data collection is enabled, Security Center automatically scans virtual machines created under that subscription.

The Jenkins server has its own user management system and the Jenkins community provides best practices for securing a Jenkins instance in Azure.
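The Jenkins-side items in the list above (CSRF protection and read-only access through matrix authorization) can be checked directly against the server's `config.xml`. The following is an added example, not part of the original guidance or of Jenkins itself: the sample file is constructed, and treating `anonymous` as the principal that should be read-only is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of $JENKINS_HOME/config.xml (not from a real server).
SAMPLE_CONFIG = """<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>USER:hudson.model.Hudson.Administer:admin</permission>
    <permission>hudson.model.Hudson.Read:anonymous</permission>
    <permission>hudson.model.Item.Build:anonymous</permission>
  </authorizationStrategy>
</hudson>
"""

MATRIX_STRATEGIES = {
    "hudson.security.GlobalMatrixAuthorizationStrategy",
    "hudson.security.ProjectMatrixAuthorizationStrategy",
}


def audit_jenkins_config(xml_text):
    """Return a list of findings for the Jenkins hardening items."""
    # Jenkins writes an XML 1.1 declaration; drop it so the XML 1.0 parser
    # in the standard library accepts the file.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text, count=1)
    root = ET.fromstring(body)
    findings = []
    if (root.findtext("useSecurity") or "").strip() != "true":
        findings.append("security-disabled")
    # CSRF protection is on when a crumb issuer is configured.
    if root.find("crumbIssuer") is None:
        findings.append("csrf-protection-disabled")
    strategy = root.find("authorizationStrategy")
    cls = strategy.get("class", "") if strategy is not None else ""
    if cls not in MATRIX_STRATEGIES:
        findings.append("no-matrix-authorization")
        return findings
    for entry in strategy.iter("permission"):
        parts = (entry.text or "").strip().split(":")
        # Newer entries carry a USER:/GROUP: prefix; older ones do not.
        if parts[0] in ("USER", "GROUP"):
            parts = parts[1:]
        perm, sid = parts[0], ":".join(parts[1:])
        if sid == "anonymous" and not perm.endswith(".Read"):
            findings.append(f"anonymous-can-{perm}")
    return findings
```
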

Manageability Considerations

Use resource groups to organize the Azure resources provisioned. Deploy production and development / test environments in separate resource groups so that you can monitor the resources of each environment and aggregate billing costs by resource group. You can also delete resources as a group. This is useful for test deployments.

There are several features in Azure for monitoring and diagnosing the overall infrastructure. Azure Monitor is provided in this architecture to monitor CPU usage. For example, you can use Azure Monitor to monitor CPU usage and send a notification when the CPU usage exceeds 80 percent. (High CPU usage indicates that you might want to scale up the virtual machine with the Jenkins server.) You can also notify a specified user when the virtual machine is down or unavailable.

Communities

The following online communities can answer questions and help you configure a successful deployment:

For more Jenkins community best practices, see Jenkins best practices.

Install and configure Jenkins

To create a VM and install Jenkins, follow the instructions in the Quickstart article: Configure Jenkins using the Azure CLI.

Next Steps