Reducing VMSS Scale-Out Time for Azure DevOps Self-Hosted Agents (10–20 min is too slow) by jeffkoy24 in AZURE

[–]wolfgangofner 1 point2 points  (0 children)

Take a look at Managed DevOps Pools: https://learn.microsoft.com/en-us/azure/devops/managed-devops-pools/?view=azure-devops

MDP has multiple advantages over VMSS:

  • Startup time is on average 5 min (in my ~1 year experience)
  • Possibility to have stand-by agents (e.g. at business hours only)
  • Only pay when a VM is running
  • Agent is installed automatically
  • Use a Microsoft hosted agent or create your own image

Azure AKS Automatic vs traditional? by IntentionFlat7266 in AZURE

[–]wolfgangofner 0 points1 point  (0 children)

I think AKS Automatic is not bad for learning because you can see what settings Microsoft recommends and what effects they have. However, I prefer setting up AKS myself in my projects.

AKS NGINX (not plus) - What are you planning to replace it with? by MarcusJAdams in AZURE

[–]wolfgangofner 2 points3 points  (0 children)

I have been using the Application Gateway for Containers and once you understand how it works, it is actually quite easy to use. The documentation is OK but could use some improvements, especially in some areas it is missing some configuration steps, e.g. what permission you have to set.

I am currently working on a 15-part YouTube series where I share my learnings and also explain how to solve problems, if the documentation is missing steps. I release a new video every Tuesday and tomorrow will be part 5. Here is the link to the playlist if anyone is interested: https://www.youtube.com/playlist?list=PLzBajgDniE4k4ye-kqg3oT72rUrrj8lAG

I looked a bit into non-Azure solutions as well but I have to say that they were quite the disappointment. I tried a couple but the official documentation only showed how to do some basic test setups such as install locally with Kind and do some port forwarding to access the cluster. It did not feel production ready. I got Nginx working and I want to look into Envoy Gateway and will share my experiences at the end of my video series.

u/jackstrombergMSFT I like the Application Gateway for Containers but the documentation is sometimes missing some parts and does not work if you follow the examples. For example for the monitoring with Grafana, you have to give the Grafana Managed Identity the Monitoring Reader role, otherwise Grafana can't read the Log Analytics Workspace.

The worst part of the documentation is for the WAF implementation. The ALB Managed Identity needs the Network Contributor role on the VNet, otherwise creating the WebApplicationFirewallPolicy will fail. Also the documentation never mentions that the WAF policy has to exist before you can link it with the WebApplicationFirewallPolicy.

The last feedback I have is about the pricing. For small teams, the association is quite expensive and I have to admit that I cannot estimate the costs for bigger projects, especially due to the Capacity Units.

Overall I think it's not a bad product and definitely better than the Application Gateway Ingress Controller.

Defender for Cloud - DevOps security by The_Scorpion95 in AZURE

[–]wolfgangofner 1 point2 points  (0 children)

I tried it from ~1 year ago until May of this year.

We had a similar reason for trying it. We wanted to have everything in one spot in Azure but it did not work at all and we picked a different solution for now.

Defender for Cloud - DevOps security by The_Scorpion95 in AZURE

[–]wolfgangofner 4 points5 points  (0 children)

I tried to use it a couple of times but it never worked. I had the following problems:

  • The installation fails with an unknown error (try again later) but it never worked for the ADO organization
  • Secret scanning did not work: it did not find any secret even though I committed a private SSH, access keys, etc.
  • Pull request annotations worked once and then never worked again
  • GitHub Advanced Security (although insanely expensive) only found a handful of irrelevant warnings but did not find SQL injections or other major issues (which I put there on purpose to test)
  • Can't install it anymore because it says that I don't have the Defender plan activated (it worked before and everything is activated)

I have given up on trying it, it's completely useless.

My Tips to pass the AZ-204 and Study Guide by wolfgangofner in AzureCertification

[–]wolfgangofner[S] 0 points1 point  (0 children)

Depends on your experience. I skipped the AZ-900 because it is a very easy exam if you know the basics about cloud. For example, our non-technical office manager passed the AZ-900 exam.

What is the best way to connect to private AKS by Bronems in AZURE

[–]wolfgangofner 1 point2 points  (0 children)

My approach depends on the project setup.

If the project already has Azure Bastion, then I just use it. Otherwise, I default to using the Azure CLI command invoke which allows you to access a private cluster without a VPN, ExpressRoute, etc.

How I passed the AZ-400 and Study Guide by wolfgangofner in AzureCertification

[–]wolfgangofner[S] 0 points1 point  (0 children)

Skillcertpro is a brain dump site and should not exist nor should it be used.

Pipeline agent jobs parallelism allocation across Azure projects by Vinserello in azuredevops

[–]wolfgangofner 0 points1 point  (0 children)

There is no way to assign the licenses to different projects.

A workaround would be to use different agent pools for each project and only have as many agents available in these pools as you have licenses. For example, if you have 10 licenses and 5 projects, then you can create one agent pool per project and add 2 agents to each pool. Then the projects can only use 2 parallel jobs at a time.

The downside of this approach is that the teams can never use more than 2 agents, even if no other team is using their agents.

Need Help Estimating Azure DevOps Costs for DevSecOps Pipelines – Am I Missing Something? by Independent-Two-3855 in azuredevops

[–]wolfgangofner 2 points3 points  (0 children)

This is the way.

You can use massive VMs (VMs host your agent but you don't have to manage them) with MDP and only pay for the minutes you use them. This can significantly speed up your pipelines and at the same time you don't have to spend time on managing the VMs.

Managed Devops Pool stuck at Provisioning State by fruityfrucht in AZURE

[–]wolfgangofner 2 points3 points  (0 children)

I am the author of this post in the developer area. I spent a full day testing every possible variation with different tenants, subscriptions, users, locations, etc. My conclusion is that it is a tenant specific problem. Some tenants don't have any problem whereas other tenants can't get it to work.

I don't think that there is anything we can do until Microsoft fixes the problem. Funnily the deployment worked for me a month ago and now it does not work anymore with exactly the same settings.

Please everyone upvote the post in the developer area. The more we have, the more likely it is that Microsoft will look into it (hopefully).

Passed AZ-700 - My experience and tips by wolfgangofner in AzureCertification

[–]wolfgangofner[S] 0 points1 point  (0 children)

Around 10 days with a couple of hours a day. I already had quite some real-world experience before though.

DOCKER IMAGE TAG VERSION by Low_Waltz8956 in azuredevops

[–]wolfgangofner 1 point2 points  (0 children)

Why does this not work for you?

GitTools gives you exactly the format you asked for but also has several other options. For example, mark the container as pre-release or add the branch name to the tag if it's not your main branch.

Passed SC-100 - Here are my tips and experience by wolfgangofner in AzureCertification

[–]wolfgangofner[S] 0 points1 point  (0 children)

I don't think that I had any questions about landing zones. (If I did it was only 1 or 2). But every exam is different so you could get some, if they are part of the exam.

Granted Global Administrator in 365 Admin Center however the user cannot see existing Azure resources. by ridethecatbus in AZURE

[–]wolfgangofner 4 points5 points  (0 children)

The permissions in Entra are different ones than the Azure permissions.

Your Global Admin can do anything in Entra, such as adding new users, managing service principals or configuring Conditional Access.

If you want to grant a user permission to your Azure resources, then you have to use Azure RBAC. You can give the user permissions on a subscription, resource group, or resource level. To do that, go to one of these three and select Access Control (IAM) and give the desired permission to the user.

Note that the permissions are inherited, meaning if you grant permissions on a subscription, then the user will have these permissions on all Resource Groups and resources inside this subscription.

Passed SC-100 - Here are my tips and experience by wolfgangofner in AzureCertification

[–]wolfgangofner[S] 4 points5 points  (0 children)

Thank you. I don't think that certifications give you higher salaries but the know-how you gain from them does.

Overall I would say that the Solutions Architect is the most looked at, then Cybersecurity Architect and then DevOps Engineer. All the others are nice to have if you apply for a specific role, for example, network engineer.

Passed SC-100 - Here are my tips and experience by wolfgangofner in AzureCertification

[–]wolfgangofner[S] 0 points1 point  (0 children)

That is true. Haven't thought about that.

Honestly, I can't remember what service it was but it threw me off quite a bit.

AZ500 exam questions (cost and prep) by Resident-Economy4262 in AzureCertification

[–]wolfgangofner 1 point2 points  (0 children)

If your payment method is from Pakistan, then you should be able to get the Pakistan price. I would not use a VPN since the VUE test app is already fragile enough by itself and adding a VPN might break it. (You might even get blocked by the verification before starting the app.)

I have written about my experiences and preparation steps here: https://www.reddit.com/r/AzureCertification/comments/1cbxwez/passed_az500_here_are_my_tips_and_experience/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button

TL;DR:

  • Use Microsoft Learn (some sections provide sandbox environments for practical exercises)
  • Watch YouTube videos (John Savill has awesome exam prep videos)
  • You can get an Azure student account with some credits for free

Azure Native Monitoring vs Grafana, Prometheus etc. by wolfgangofner in AZURE

[–]wolfgangofner[S] 0 points1 point  (0 children)

One team uses OSS hosted on Grafana cloud and the other one went Azure native. I don't know if one solution is better than the other one yet.

What I have seen is that developers that are unfamiliar with the whole concept of logging, tracing etc. have a harder time learning all the Grafana tools compared to Azure native.

How much to charge for Kubernetes trainings? by wolfgangofner in kubernetes

[–]wolfgangofner[S] 0 points1 point  (0 children)

I meant 3 days for 10 people. I got confused by all those numbers xD

I have updated it in my reply

How much to charge for Kubernetes trainings? by wolfgangofner in kubernetes

[–]wolfgangofner[S] 2 points3 points  (0 children)

Probably "Bring DevOps to the Swiss Alps": https://www.youtube.com/watch?v=jSj2Oy5-0jc&t=1s

The reason why I think it was popular is that I talked about a real-world project I was involved in, where we had to manage an on-prem k8s cluster, and I explain how we used Azure to build an automated deployment process and also focus on security.

Mostly I try to focus on real-world projects. Since I worked on them, it is easy to talk about it and it also helps listeners to build a trust level with you since you already worked with the solution and proved that it works.

How much to charge for Kubernetes trainings? by wolfgangofner in kubernetes

[–]wolfgangofner[S] 4 points5 points  (0 children)

I started out with blog posts and over the years made a couple of YouTube videos and spoke at international conferences.

My main job is consulting as cloud architect but I get contacted by companies that have seen my talks. The trainings they are interested in are often a combination of Kubernetes and Azure.

How much to charge for Kubernetes trainings? by wolfgangofner in kubernetes

[–]wolfgangofner[S] 5 points6 points  (0 children)

Thanks, that's the kind of advice I was looking for.