Azure Pipelines - CI/CD That Actually Handles Windows

Azure Pipelines is like GitHub Actions except it doesn't make you want to punch a hole in the wall when you need Windows builds. You write YAML files, Microsoft runs them. No more Jenkins dying at 2am or wondering why your self-hosted agent decided to take a vacation.

The Agent Situation - Microsoft-Hosted vs Self-Hosted

Microsoft-hosted agents work fine until you need something weird installed. You get Ubuntu, Windows Server, and macOS VMs that wipe clean after each job. My Selenium tests kept timing out around 6 hours because testing every browser combination takes forever.

What pisses me off:

• Windows agents take 3-5 minutes to boot while Linux is ready in 30 seconds
• Can't SSH in when everything breaks - you get logs and that's it
• Limited to whatever Microsoft decided to install (fuck you and your niche Python library)
• 6-hour timeout is per job, not pipeline - learned this when our integration tests hit 4 hours

Self-hosted agents let you install whatever you want and keep state between builds. But then you're back to patching VMs and cleaning up disk space like it's 2015.

YAML Pipelines - Where The Real Power Lives

The visual designer is fine for basic stuff, but YAML is where you actually get work done. Pipeline files live in your repo as .azure-pipelines.yml and version with your code.

What will ruin your week:

• YAML spacing errors - spent 3 hours debugging because one fucking invisible character was wrong
• Template inheritance that works in dev then shits the bed in production
• Variable scoping is broken by design - stage variables don't cross job boundaries, discovered this at 2am
• Parallel job costs - our bill jumped from $40 to $200 when someone added Windows and Mac builds

## This actually works, unlike most documentation examples
trigger:
- main

pool:
  vmImage: 'ubuntu-latest'

steps:
- script: |
    npm install
    npm run build
    npm test
  displayName: 'Build and test'

Platform Support - The Good and The Ugly

Azure Pipelines handles most dev stacks, but some are way smoother than others:

What doesn't make you cry:

• .NET apps - Microsoft's own stuff, they can't completely break this
• Node.js - npm/yarn support is decent, caching works most of the time
• Docker - integrates okay with Azure Container Registry when it's not having a bad day
• Python - works fine, pip caching actually saves time

What makes you question your life choices:

• Ruby - works but you can tell Microsoft doesn't give a shit
• iOS builds - macOS agents cost more than your car payment and boot slower than Windows Vista
• Anything niche - hope you're good at bash scripting

The Azure Container Registry thing is decent - push to ACR, deploy to AKS, and it usually works. Multi-stage builds are fine once you decode Microsoft's YAML syntax.

Enterprise Features That Don't Suck

RBAC is decent once you decipher Microsoft's permission matrix. You can control who approves deployments, edits pipelines, or touches environments.

Deployment gates and approvals pause deployments for manual checks or tests. Good for compliance, terrible for velocity if you overdo it.

Audit logging captures everything - and I mean everything. Every click gets logged, which compliance loves but creates mountains of useless data.

Azure Pipelines pricing will fuck you if you're not watching. The free tier looks generous until you realize you're burning through it in two weeks.

Free Tier - Sounds Great Until Reality Hits

The free tier gives you:

• 1 Microsoft-hosted job with 1,800 minutes per month
• 1 self-hosted job with unlimited minutes
• Full feature access - no gimped functionality

1,800 minutes sounds like a lot until you do the math. Your builds take 15 minutes, your team pushes 20 commits a day, and suddenly you're hitting the limit by week two. Add cross-platform testing and you're fucked.

Open source projects get 10 free parallel jobs with unlimited minutes, which is honestly pretty good compared to other platforms.

Where The Money Goes - Parallel Jobs

Past the free tier, it's $40/month per parallel job. The math gets ugly fast:

• 2 parallel jobs = $40/month
• 5 parallel jobs = $160/month
• 10 parallel jobs = $320/month

That adds up fast for any real team. Each job runs on fresh agents that Microsoft keeps updated.

Self-hosted jobs are $15/month each - you provide the servers, Microsoft orchestrates. Sounds cheaper until you remember:

• Server costs (AWS/Azure VM fees)
• Maintenance time (OS updates, security patches)
• Storage costs (build artifacts, caches)
• Networking (bandwidth for pulling dependencies)

What Actually Cuts Costs

Cache everything - seriously, cut our Node builds from 8 minutes to 3 after I finally figured out the cache key syntax

Actually measure usage - we were paying for 8 jobs but never used more than 3, even during crunch time

Self-hosted for the big shit - moved our 45-minute integration tests to a $20/month VM instead of burning $40/month on hosted agents

Stop building everything - added path filters so README changes don't trigger builds (this one change saved us $80/month)

Hidden Costs That Will Bite You

Artifact storage: Azure Artifacts bills after 2GB. Docker images eat this fast - our bill jumped $15/month when we started storing container images.

Double-paying for repos: Azure DevOps includes repos, but if you're already paying GitHub you're basically paying twice for version control.

Extensions that cost extra: Some marketplace tasks have their own licensing fees on top of what you're already paying Microsoft.

Data transfer between regions: Found this out when moving artifacts from US East to West Coast added $8/month to our bill.

Enterprise Options - Azure DevOps Server

Azure DevOps Server is the on-prem option starting around $6k+ for 5 users. Good if you need data to stay local or want total control.

Learned the hard way that Windows agents cost the same as Linux but take 3x longer to boot. Self-hosting saves money at scale, but then you're back to babysitting servers and cleaning up disk space like it's 2015.

Getting Azure Pipelines working means connecting your repo, writing YAML that doesn't explode, and not getting fired when the bill arrives. Here's what I learned the hard way.

Setup That Won't Make You Hate Life

Go to dev.azure.com, make an org, connect your repos. GitHub OAuth setup is painless, enterprise Git servers will make you want to drink.

Visual designer is a trap: Looks pretty but you'll hit limits fast. Use it to learn, then switch to YAML because that's where actual functionality lives.

Agent choice: Start with Microsoft-hosted agents - let them deal with the infrastructure headaches. Ubuntu boots in 30 seconds, Windows takes 3-5 minutes because it's Windows. Self-hosted agents when you need weird software or speed.

Pipeline Templates - Don't Reinvent The Wheel

Templates save you from copy-paste madness. Make templates for the shit you repeat:

• Build steps - npm install, dotnet build, docker build
• Testing - unit tests, integration tests, security scans
• Deployment - blue/green, canary, whatever your team uses

Template inheritance sounds awesome until you're debugging why variables don't resolve. Start simple and add complexity slowly:

## templates/build-node.yml
parameters:
  nodeVersion: '18'

steps:
- task: NodeTool@0
  inputs:
    versionSpec: ${{ parameters.nodeVersion }}
- script: npm ci
- script: npm run build

Service connections: Better than hardcoding API keys like an amateur. Set them up for Azure, AWS, whatever you deploy to. The UI is garbage but still better than secrets in YAML.

Caching That Doesn't Suck

Most teams waste money on more parallel jobs when caching would cut build times more:

Node.js caching:

- task: Cache@2
  inputs:
    key: 'npm | \"$(Agent.OS)\" | package-lock.json'
    restoreKeys: 'npm | \"$(Agent.OS)\"'
    path: '$(npm_config_cache)'

Docker layer caching: Use buildkit and multi-stage builds. Microsoft-hosted agents don't keep layers between builds, so optimize your Dockerfile:

## Put dependency installation first - changes less frequently
COPY package*.json ./
RUN npm ci --production
## App code goes last - changes most frequently  
COPY . .

Parallel jobs: Only worth it if you have independent work. Paying for 5 parallel jobs to run 5 sequential stages is just wasting money.

Security Without The Theater

Branch protection that actually matters:

• Require PR reviews
• Build validation must pass before merge
• No direct pushes to main/master

Secret management: Use Azure Key Vault or pipeline secret variables. Don't put API keys in YAML - they'll end up in version control.

Container scanning: Microsoft Defender for Containers works if you're in Azure already. Otherwise, ADO Security Scanner from the open source community is decent.

Deployment approvals: Good for compliance, terrible for speed. Only use on production, not dev/test. Environment approvals let you require manual signoff before prod deployments.

What Actually Goes Wrong

Template debugging is a nightmare when variables don't resolve. Add debug output:

- script: echo \"Build.SourceBranch = $(Build.SourceBranch)\"
- script: echo \"my parameter = ${{ parameters.myParam }}\"

Agent pool contention: If you're hitting agent limits regularly, you're over-parallelizing or your builds are slow. Fix the builds first, buy more agents second.

Artifact retention costs money: Default is 30 days but you probably only need 7. Configure retention policies to avoid surprise bills.

Most failures are config issues, not platform bugs. When stuck, Stack Overflow has better answers than Microsoft's docs.