UiPath Orchestrator new features and deployment in Azure App Service
I recently deployed UiPath Orchestrator 2019.10.17 to Azure App Service, and here are a few thoughts about the deployment.
UiPath has come a long way since the first Orchestrator releases, which did not really support the features the cloud can offer. Don’t get me wrong, there is long experience of running Orchestrator in Azure environments, but there has been a need to run Orchestrator with full PaaS capabilities. Now it is more mature than ever before.
A few key Orchestrator features with nice Azure integration:
- Azure KeyVault integration for storing Robot credentials and secrets
- Azure Storage for storing packages
- Tenant level encryption with Azure KeyVault
- Webhooks for integrations
- Azure AD authentication
- Media recording

Azure App Service has also developed in a more customer-friendly direction:
- Limit connections to machines running in an Azure VNET subnet, instead of allowing traffic from all Azure cloud IPs.
- VNET integration (preview), which enables private connections to SQL Database and Azure Storage without having to allow all other Azure IPs to connect (as it was before).

Orchestrator features
The first thing I want to mention is Azure AD Authentication. It has been around for a couple of years already. With the latest version of Orchestrator, UiPath has put a lot of effort into features around Windows Authentication, which of course gives huge benefits for scenarios like Attended robots, where Orchestrator can create Robots automatically for a user and also populate users based on AD group membership. But when it comes to Azure AD Authentication, it has not changed much in the last year. Authentication still works basically by mapping the Azure AD UPN (User Principal Name) to the Orchestrator user email address; if those match, Orchestrator trusts Azure to have done a successful authentication. We are waiting for more development in this area, where Tenant users and roles could be managed using Azure AD groups and application roles.
Azure KeyVault integration for storing Robot credentials and secrets
This was one of the most anticipated features from UiPath. Until now, it has been possible to use CyberArk or the native SQL Database credential store to store credentials. Now you are able to integrate Azure KeyVault(s) to store Robot credentials (which the robot uses to log in to Windows) and credential Assets (which the Robot uses to log in to target applications).
In short, since you will need to register a new application to enable Azure AD Authentication, you can use this same application as the service principal to access KeyVault by creating a dedicated secret for KeyVault access.
Orchestrator will create a randomized string as the key that references the KeyVault secret from the Orchestrator Asset. Behind the secret, you can find the Username and Password stored as JSON.
When you update the credentials in Orchestrator, it will automatically create a new version of the KeyVault Secret. Basically, this allows you or the customer to update the secret directly in KeyVault, and the Robot will be able to use the new password in automations.
Azure Storage for storing packages enables highly scalable storage when packages are stored in blobs. Orchestrator will automatically create containers for each Tenant and for Libraries. Orchestrator keeps an index of all changes in the SQL Database. Storage is also used by the new feature called Media recording, which allows you to record / automatically take screenshots of what the Robot sees just before the job fails. These screenshots are then downloadable through Orchestrator.
Tenant level encryption is a new feature which allows Orchestrator to encrypt each Tenant’s data with its own key. Surprisingly, this depends fully on Azure KeyVault, so unless you have an Azure subscription you cannot use this feature at this time.
Last but not least, Orchestrator Webhooks are one of my favorite features. They allow us to create outgoing web requests to external APIs. For example, I have created an Azure Functions API which receives the Orchestrator Webhook when a Robot, Job, Transaction or Schedule fails and creates a Work Item in Azure DevOps for the team to investigate.
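As an added example (not the author’s Azure Function), here is a minimal Python receiver for the failure webhook described above, which checks the request before it creates anything. It assumes Orchestrator signs the raw request body with HMAC-SHA256 using the webhook’s secret and sends the base64 digest in an X-UiPath-Signature header; the event names and payload fields are constructed for the example, and the Azure DevOps call itself is left out, so the handler only returns the work item fields.

```python
import base64
import hashlib
import hmac
import json

# Assumed (not from the post): the body is HMAC-SHA256 signed with the webhook secret, base64 in this header.
SIGNATURE_HEADER = "X-UiPath-Signature"
# Failure events worth a work item; the names are assumed, everything else is ignored.
FAILURE_EVENTS = {"job.faulted", "queueItem.transactionFailed", "schedule.failed"}
# Constructed sample event and secret, not a real Orchestrator payload.
SAMPLE_SECRET = "example-webhook-secret"
SAMPLE_EVENT = json.dumps({"Type": "job.faulted", "TenantId": 1,
                           "Job": {"Key": "job-0001", "Info": "Exception in Main.xaml"}}).encode()

def sign(body: bytes, secret: str) -> str:
    """Base64 HMAC-SHA256 over the raw body, as the sender is assumed to compute it."""
    digest = hmac.new(secret.encode(), body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()

def verify_signature(body: bytes, headers: dict, secret: str) -> bool:
    """Constant-time comparison so a forged header cannot be probed byte by byte."""
    provided = str(headers.get(SIGNATURE_HEADER, ""))
    return hmac.compare_digest(provided.encode(), sign(body, secret).encode())

def to_work_item(event: dict):
    """Map a failure event to the fields of an Azure DevOps work item, or None."""
    kind = event.get("Type")
    if kind not in FAILURE_EVENTS:
        return None
    job = event.get("Job", {})
    return {
        "title": f"[Orchestrator] {kind}: {job.get('Key', 'unknown job')}",
        "description": job.get("Info") or "no details supplied",
        "tenant": event.get("TenantId"),
    }

def handle_webhook(body: bytes, headers: dict, secret: str) -> dict:
    """What the Function calls: reject bad signatures before parsing any JSON."""
    if not verify_signature(body, headers, secret):
        return {"status": 401, "work_item": None}
    try:
        event = json.loads(body)
    except ValueError:
        return {"status": 400, "work_item": None}
    item = to_work_item(event)
    return {"status": 201 if item else 204, "work_item": item}
```

Keep the webhook secret in KeyVault (the same store the post uses for Robot credentials) rather than in the Function’s code, and the unsigned-request path stays cheap because nothing is parsed before the signature check.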
Findings
When deploying Orchestrator to Azure App Service with the installation script, the first finding was that UiPath had updated the script to require a registered application id in Azure and a secret to make the deployment. The previous release required only the App Service publishing settings. The next thing was the NLog specific deployment parameters, which I could not get to work at all. Documentation regarding these is really poor. You can see them used in this example, but when executing the script I got an error that the -nlog parameter is not recognized. But eventually, when I was able to solve this, the deployment went through without issues. The only thing left was to edit the NLog configuration in the web.config file. Earlier, we needed to take an FTP connection to the site and edit the file (or edit it in the zip before the update), but I found an awesome new feature in Azure which allowed me to edit the file in the browser. Microsoft has provided a new App Service Editor (in preview) which allowed me to edit the NLog configuration in web.config. (More about NLog configuration for App Service can be found here.)
I deployed the App Service with the new VNET Integration to a dedicated subnet. From this subnet, I allowed connections to SQL Database, Azure Storage and Azure KeyVault, and everything works fast and stable.
Those were my short notes about the new features and the App Service deployment. I will keep writing posts as we see how the steady state progresses. Thanks.