Documentation: DevOps & CI/CD Best Practices
This document provides further details and context for implementing DevOps practices and CI/CD pipelines for your Azure workloads.
Implement CI/CD pipelines for application deployment
- Why: Manual deployments are error-prone, slow, and inconsistent. Automated CI/CD pipelines ensure that every code change goes through a repeatable process of building, testing, and deploying, reducing human error and accelerating delivery velocity.
- How: Use GitHub Actions or Azure DevOps Pipelines to define workflows that trigger on code changes. Include steps for building your application, running unit and integration tests, performing static analysis, and deploying to your target Azure services (App Service, Container Apps, AKS, Functions, etc.).
Automate infrastructure deployment with IaC pipelines
- Why: Running Bicep or Terraform deployments manually from developer machines introduces drift, inconsistency, and security risks. Infrastructure changes should follow the same rigor as application code—version-controlled, peer-reviewed, and deployed through automated pipelines.
- How: Store your IaC templates (Bicep or Terraform) in source control alongside your application code. Create dedicated pipelines that validate, plan, and apply infrastructure changes. Use pull request workflows to review infrastructure changes before they are deployed. Separate infrastructure pipelines from application deployment pipelines where appropriate.
Use deployment strategies to minimize risk
- Why: Deploying changes to all instances simultaneously creates a large blast radius—if something goes wrong, every user is affected. Progressive deployment strategies allow you to validate changes with a subset of traffic before full rollout, limiting the impact of defects.
- How: Implement blue/green deployments using Azure App Service deployment slots or Azure Container Apps revisions. Use canary deployments to gradually shift traffic to new versions. For AKS workloads, leverage rolling update strategies or tools like Flagger for automated canary analysis. Define rollback procedures for every deployment.
Implement environment promotion workflows
- Why: Promoting code through a series of environments (development → staging → production) with increasing levels of validation ensures that only thoroughly tested changes reach production. This reduces the risk of outages and gives teams confidence in their releases.
- How: Define separate environments (dev, staging, production) in your CI/CD platform. Configure approval gates and manual reviews for promotions to higher environments. Run automated tests at each stage—unit tests in dev, integration and load tests in staging, smoke tests after production deployment. Use environment-specific configurations managed through Azure App Configuration or pipeline variables.
Secure your CI/CD pipelines
- Why: CI/CD pipelines have privileged access to your cloud environments and are a high-value target for attackers. Compromised pipelines can lead to unauthorized deployments, credential exfiltration, or supply chain attacks. Securing the pipeline is as important as securing the application itself.
- How: Use OpenID Connect (OIDC) workload identity federation to authenticate pipelines to Azure—this eliminates the need to store long-lived credentials as secrets. Enable branch protection rules to prevent unauthorized code from being deployed. Use environment protection rules and required reviewers. Scan dependencies for vulnerabilities with GitHub Dependabot or Azure DevOps dependency scanning. Audit pipeline runs and maintain logs for compliance.
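As an added illustration (not part of this document), the following GitHub Actions workflow shows the OIDC workload identity federation pattern described above beside the stored-secret pattern it replaces. The variable names, the `production` environment, and the resource group and app names are assumed placeholders.

```yaml
# Added example: deploy to Azure App Service using OIDC federation instead of a stored secret.
# Assumed placeholders: the AZURE_* repository variables, the "production" environment,
# and the RG / APP values below.
name: deploy-production

on:
  push:
    branches: [main]          # combine with branch protection on main

permissions:
  contents: read              # enough to check out the code
  id-token: write             # lets the job request a short-lived OIDC token from GitHub

jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: production   # environment protection rules and required reviewers apply here
    steps:
      - uses: actions/checkout@v4

      # Weak pattern (avoid): a long-lived service principal secret kept in repository secrets.
      # - uses: azure/login@v2
      #   with:
      #     creds: ${{ secrets.AZURE_CREDENTIALS }}

      # Preferred pattern: federated login with no secret. The App Registration's federated
      # credential should use the subject "repo:<org>/<repo>:environment:production", so a
      # token minted for any other repo, branch, PR or environment is rejected by Entra ID.
      - uses: azure/login@v2
        with:
          client-id: ${{ vars.AZURE_CLIENT_ID }}
          tenant-id: ${{ vars.AZURE_TENANT_ID }}
          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}

      - name: Deploy application package
        env:
          RG: rg-example        # assumed resource group name
          APP: app-example      # assumed App Service name
        run: |
          az webapp deploy --resource-group "$RG" --name "$APP" --src-path ./app.zip
```

Keep the role assignment for the federated identity scoped to the target resource group rather than the subscription, so a compromised workflow run cannot reach beyond the workload it deploys.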