This design implements DevSecOps using Azure DevOps/GitHub Actions.
Topology: Self-Hosted Agents run in a Spoke VNet. This allows the pipeline to deploy code to private resources (like Private AKS) via the Hub.
+--------------+ +--------------------------+ +--------------+
| Developer | | HUB VNet | | SPOKE VNet |
| (Git Push) | | (Firewall) | | (Agents) |
+------+-------+ +------------+-------------+ +------+-------+
| | |
v | (Peering) |
+------+-------+ v v
| GitHub | +------------+-------------+ +------+-------+
| Actions |---------->| Azure Firewall |<--------->| Agent Pool |
| (Orch) | | (Allow Package Dnld) | | (VMSS) |
+--------------+ +--------------------------+ +------+-------+
|
v
+--------------+
| Target |
| (AKS/SQL) |
+--------------+
PRIMARY REGION (East US)
+-----------------------------------------------------------------------+
| HUB VNet: vnet-hub (10.0.0.0/16) |
| +-----------------------+ |
| | Azure Firewall | |
| +-----------|-----------+ |
| | |
| v (Peering) |
+---------------|-------------------------------------------------------+
|
+---------------|-------------------------------------------------------+
| SPOKE VNet: vnet-devops-spoke (10.1.0.0/16) |
| +-----------------------+ |
| | Subnet: Agents | |
| | [VM Scale Set] | |
| | (Docker Installed) | |
| | -> Connects to GitHub | |
| +-----------------------+ |
+-----------------------------------------------------------------------+
SECONDARY REGION (West US)
+-----------------------------------------------------------------------+
| DR SPOKE VNet |
| +-----------------------+ |
| | Agent Pool (DR) | |
| | (Standby) | |
| +-----------------------+ |
+-----------------------------------------------------------------------+
* Create a pool East-Agents and West-Agents.
* In pipeline YAML: runs-on: [self-hosted, east].
* If East fails, update YAML to west.
trivy (Container Scan) and sonar (Code Scan) before deploying.1. Push: Dev pushes code.
2. Trigger: GitHub Action starts.
3. Queue: Job queued for "Self-Hosted".
4. Pickup: Agent in Spoke picks up job.
5. Build: Agent builds Docker image.
6. Deploy: Agent runs kubectl apply. Since Agent is in VNet, it can reach Private AKS.
1. Search: "Virtual networks" -> + Create.
2. Resource Group: rg-devops-spoke.
3. Name: vnet-devops-spoke.
4. Region: East US.
5. Create.
6. Peer to vnet-hub.
1. Search: "Virtual machine scale sets" -> + Create.
2. Resource Group: rg-devops-spoke.
3. Name: vmss-agents.
4. Region: East US.
5. Orchestration mode: Uniform.
6. Image: Ubuntu 20.04 LTS.
7. Size: Standard_D2s_v3.
8. Networking:
* Virtual network: vnet-devops-spoke.
* Public IP address: None (Private Agents).
* *Note: Ensure you have a NAT Gateway or Firewall for outbound internet access to download packages.*
9. Create.
1. You need to install the GitHub Runner on boot.
2. Go to GitHub Repo -> Settings -> Actions -> Runners -> New self-hosted runner.
3. Copy the Download and Config commands.
4. Create a cloud-init.txt file:
```bash
#!/bin/bash
# Install Docker
apt-get update
apt-get install -y docker.io
# Install Runner
mkdir actions-runner && cd actions-runner
curl -o actions-runner-linux-x64-2.300.2.tar.gz -L https://github.com/actions/runner/releases/download/v2.300.2/actions-runner-linux-x64-2.300.2.tar.gz
tar xzf ./actions-runner-linux-x64-2.300.2.tar.gz
# Configure (Replace TOKEN)
./config.sh --url https://github.com/your-org/your-repo --token AABBCC... --unattended
# Install Service
./svc.sh install
./svc.sh start
```
5. In Azure Portal -> VMSS -> Settings -> Configuration -> Custom Data.
6. Paste the Base64 encoded content of cloud-init.txt.
7. Save and Update Instances.
1. Go to GitHub Repo -> Settings -> Actions -> Runners.
2. You should see vmss-agents listed as Idle.
3. Test: Create a workflow .github/workflows/test.yml:
```yaml
runs-on: self-hosted
steps:
- run: echo "Hello from Azure VNet!"
```
4. Commit and watch it run.