Azure

Azure Pipelines Multi-stage YAML Patterns: Templates, Approval Gates, Conditional, Matrix, Deployment Strategy

2026-05-24
NicheeLab Editorial Team

A Multi-stage YAML pipeline is a CI/CD pattern that defines multiple stages (Build / Test / Deploy) in a single YAML file, and it is the de facto standard for modern Production CI/CD. Supported by both Azure Pipelines and GitHub Actions, it is a core topic of AZ-400 exam domain 3 (40-45% weight). This article covers the hierarchy, Templates, Approval Gates, Conditionals, Matrix, and Deployment Strategy comprehensively.

Hierarchy (Stage / Job / Step / Task)

LevelRoleExample
PipelineTop level (one entire YAML)azure-pipelines.yml
StageLogical block (Sequential or Parallel)Build, Test, Deploy
JobParallel execution unit (1 Job per Agent)Linux Build, Windows Build
StepSequential execution unit (inside a Job)checkout・install・build・test
TaskStandard actions (Microsoft / 3rd party)NodeTool・AzureWebApp・AzureCLI

In production, a typical stage design is Build (multi-OS build with parallel Jobs) → Test (parallel Jobs) → Deploy (Sequential Dev → Stage → Prod).

Basic Multi-stage YAML Example

trigger:
  branches:
    include:
      - main

stages:
  - stage: Build
    jobs:
      - job: BuildJob
        pool:
          vmImage: ubuntu-latest
        steps:
          - task: NodeTool@0
            inputs:
              versionSpec: '20.x'
          - script: npm install
          - script: npm run build
          - publish: dist
            artifact: webapp

  - stage: DeployDev
    dependsOn: Build
    condition: succeeded()
    jobs:
      - deployment: DeployToDev
        environment: dev
        strategy:
          runOnce:
            deploy:
              steps:
                - download: current
                  artifact: webapp
                - task: AzureWebApp@1
                  inputs:
                    azureSubscription: 'AzureServiceConnection'
                    appName: 'myapp-dev'

  - stage: DeployProd
    dependsOn: DeployDev
    condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/main'))
    jobs:
      - deployment: DeployToProd
        environment: prod  # Approval Gate 設定済み
        strategy:
          runOnce:
            deploy:
              steps:
                - download: current
                  artifact: webapp
                - task: AzureWebApp@1
                  inputs:
                    azureSubscription: 'AzureServiceConnection'
                    appName: 'myapp-prod'

Modularize with Templates

Templates are reusable components of YAML pipelines.

Four Kinds of Templates

Template TypePurpose
Stage TemplateReuse an entire Stage (e.g. standard build stage)
Job TemplateJob-level reuse (e.g. standard test job)
Step TemplateReuse a sequence of Steps (e.g. NuGet install + Build)
Variable TemplateReuse sets of environment variables

Step Template Example

# templates/build-node.yml
parameters:
  - name: nodeVersion
    type: string
    default: '20.x'
  - name: workingDirectory
    type: string

steps:
  - task: NodeTool@0
    inputs:
      versionSpec: ${{ parameters.nodeVersion }}
  - script: npm install
    workingDirectory: ${{ parameters.workingDirectory }}
  - script: npm run build
    workingDirectory: ${{ parameters.workingDirectory }}

Calling a Template

steps:
  - template: templates/build-node.yml
    parameters:
      nodeVersion: '20.x'
      workingDirectory: 'frontend'

In the enterprise, 10-20 standard Templates manage 100+ Pipelines, dramatically reducing maintenance cost.

Approval Gates and Manual Validation

Azure Pipelines Setup

  1. Create an Environment (e.g. 'prod')
  2. Under Environment Approvals and Checks, specify Approvers (1-3 required)
  3. Reference environment: prod from a Pipeline Stage
  4. On Stage execution, Approvers are notified by email and wait in the Azure DevOps UI
  5. Deploy runs after approval

GitHub Actions Setup

  1. Repository Settings → Environments → create 'prod'
  2. Specify Required Reviewers
  3. Reference environment: prod in a Workflow Job

Typical Gate Configurations

  • Production: 2 approvers (CISO + Engineering Lead) + business hours only (Time Window) + Azure Monitor alert quiet for the previous hour
  • DR Site: 1 approver
  • Dev / Stage: auto-deploy (no Approval)

Conditional Execution and Variables

Key Techniques

  1. Conditions: condition clause runs a Stage / Job / Step conditionally
  2. Expressions: $[] for Runtime evaluation, ${{ }} for Compile-time evaluation
  3. Variables (Pipeline-defined): variables: clause declares them
  4. Variable Groups: centrally managed in the Azure DevOps Library (e.g. per-environment connection strings)
  5. Output Variables: passing values between Jobs
  6. Conditional Variables: per-environment variable values
  7. Runtime Parameters: parameters chosen by users at Pipeline runtime

Example: Deploy only on the main branch

condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/main'))

Example: Runtime Parameters

parameters:
  - name: deployTarget
    displayName: Deploy Target
    type: string
    default: 'all'
    values:
      - 'all'
      - 'us-only'
      - 'jp-only'

stages:
  - stage: DeployUS
    condition: in(${{ parameters.deployTarget }}, 'all', 'us-only')
    # ...
  - stage: DeployJP
    condition: in(${{ parameters.deployTarget }}, 'all', 'jp-only')
    # ...

Matrix Strategy

A feature that runs multiple combinations (OS × Runtime version × Configuration) in parallel.

Azure Pipelines Matrix

jobs:
  - job: Build
    strategy:
      matrix:
        Debug_x86:
          configuration: Debug
          platform: x86
        Debug_x64:
          configuration: Debug
          platform: x64
        Release_x86:
          configuration: Release
          platform: x86
        Release_x64:
          configuration: Release
          platform: x64
      maxParallel: 4
    steps:
      - script: msbuild /p:Configuration=$(configuration) /p:Platform=$(platform)

Typical Use Cases

  • Cross-platform OSS testing (a Node.js library tested in parallel across 3 OS × 3 versions = 9; 10 min → 1.5 min)
  • Container multi-arch builds (amd64, arm64, arm/v7 in parallel)
  • Visual Studio C++ multi-config builds
  • AWS / Azure / GCP multi-cloud deploys

Deployment Strategy

StrategyBehaviorWhen to Use
RunOnceCompletes in a single deploySimple production deploys (most common)
RollingUpdates instances sequentiallyVM Scale Sets, staged rollout
CanaryReleases to a small subset firstLimited testing of new features
Blue-GreenSwitches between two environmentsApp Service Deployment Slots, instant rollback

Canary Strategy Example

jobs:
  - deployment: DeployCanary
    environment: prod
    strategy:
      canary:
        increments: [10, 30, 60, 100]  # 段階的トラフィックシフト
        preDeploy:
          steps:
            - script: echo "Pre-deploy check"
        deploy:
          steps:
            - task: KubernetesManifest@1
              inputs:
                action: deploy
                strategy: canary
                percentage: $(strategy.increment)
        postRouteTraffic:
          steps:
            - script: ./scripts/verify-canary.sh
        on:
          failure:
            steps:
              - script: ./scripts/rollback.sh
          success:
            steps:
              - script: echo "Canary success"

Typical Selection

  • Simple web apps RunOnce + Deployment Slot Swap
  • Stateful VM Scale Sets Rolling
  • Microservices risk management Canary (1% 10% 50% 100%)
  • Mission-critical Blue-Green (instant rollback via Slot swap)

Variable Groups and Key Vault Integration

Variable Groups: shared variable sets across multiple Pipelines (managed in the Azure DevOps Library).

Key Vault Integration

  • Enable 'Link secrets from an Azure key vault' on the Variable Group
  • Map Azure Key Vault Secrets directly
  • Secret values bypass Azure DevOps and are pulled dynamically from Key Vault at Pipeline run time
  • Pipeline edits are unnecessary even when Secrets are rotated

Example

variables:
  - group: KeyVaultGroup  # Key Vault Reference 設定済み

jobs:
  - job: Deploy
    steps:
      - script: |
          echo "Connecting to DB..."
        env:
          DB_CONNECTION_STRING: $(DB_CONNECTION_STRING)

Output Variables (Passing Values Between Jobs)

jobs:
  - job: JobA
    steps:
      - script: |
          echo "##vso[task.setvariable variable=buildNumber;isOutput=true]20260524-001"
        name: setBuildNumber

  - job: JobB
    dependsOn: JobA
    variables:
      buildNum: $[ dependencies.JobA.outputs['setBuildNumber.buildNumber'] ]
    steps:
      - script: echo "Build Number from Job A: $(buildNum)"

Operational Best Practices

  1. Build Test Deploy as a standard Stage structure
  2. Centrally manage organization-wide logic with Pipeline Templates
  3. Manage Secrets via Variable Groups + Key Vault integration
  4. Secure production releases with Environment + Approval Gates
  5. Secret-less authentication via Workload Identity Federation
  6. Shorten CI time in parallel with Matrix Strategy
  7. Manage production release risk with Canary or Blue-Green
  8. Per-environment behavior control via Conditional Execution
  9. Deployment flexibility with Runtime Parameters
  10. Version-control Pipeline-as-Code in Git

Related Certifications

Frequently Asked Questions

What is a Multi-stage YAML pipeline?

A Multi-stage YAML pipeline is a CI/CD pattern that defines multiple stages (Build / Test / Deploy) in a single YAML file, configuring inter-stage dependencies, conditional logic, and Approval Gates. It is supported by both Azure Pipelines and GitHub Actions, and is the de facto standard format for modern Production CI/CD. Typical structure: 1) Build Stage (build from source + generate artifacts), 2) Test Stage (Unit Test, Integration Test, Security Scan), 3) Deploy to Dev Stage (automatic dev deployment), 4) Deploy to Stage Stage (Manual Approval + staging deployment), 5) Deploy to Prod Stage (Manual Approval + production deployment). The Environment feature lets you attach Approval Gates, Branch Restrictions, and Gates (Azure Monitor Alert checks, etc.) to each stage. This is a core topic of AZ-400 exam domain 3 (40-45% weight).

What is the Stage / Job / Step / Task hierarchy?

The Multi-stage YAML hierarchy (top → bottom): 1) Pipeline (top level, one YAML file), 2) Stage (logical block, Build / Test / Deploy, stages have dependencies + Approval between them), 3) Job (parallel execution unit, 1 Job per Agent, parallel multi-OS / multi-language builds), 4) Step (sequential execution unit, runs in order inside a Job), 5) Task (standard actions provided by Microsoft / 3rd parties, referenced via Use clause or uses:). Example: 5 Stages × 2 Jobs × 10 Steps = 100 Steps running in one Pipeline. Stages run Sequentially or in Parallel (no dependsOn clause); Jobs are Parallel by default. In production, the typical design is Build (parallel jobs for multi-OS build) → Test (parallel jobs for Unit / Integration / Security in parallel) → Deploy (sequential Dev → Stage → Prod).

How do you modularize with Templates?

Templates are reusable components of YAML pipelines that centralize common logic across multiple Pipelines. Four kinds: 1) Stage Template (reusing an entire Stage, e.g. standard build stage), 2) Job Template (Job-level reuse, e.g. standard test job), 3) Step Template (reusing a sequence of Steps, e.g. NuGet install + Build), 4) Variable Template (reusing sets of environment variables). Template files are kept in separate YAMLs (templates/ directory) and receive values from outside via parameters. Typical patterns: 1) templatizing the organization's standard Build → Test → Scan → Deploy stages, 2) GitHub Actions Reusable Workflows for cross-repository templates (centralized in the org/.github repo), 3) Azure Pipelines Resources to reference Templates from another repository. Enterprises typically manage 100+ Pipelines with just 10-20 standard Templates, dramatically reducing maintenance cost.

How do you configure Approval Gates and Manual Validation?

Approval Gates before production deployment are a critical security feature of Multi-stage Pipelines. Azure Pipelines setup: 1) create an Environment (e.g. 'prod'), 2) specify Approvers (1-3 required reviewers) under the Environment's Approvals and Checks, 3) reference environment: prod from a Pipeline Stage, 4) at Stage execution time, Approvers are notified by email and wait in the Azure DevOps UI, 5) deploy runs after approval. GitHub Actions setup: Repository Settings → Environments → create 'prod' → specify Required Reviewers; the Workflow Job references environment: prod for the same behavior. The Manual Validation Task also lets you send custom messages and questions to approvers. Typical gate configurations: 1) Production: 2 approvers (CISO + Engineering Lead) + business hours only (Time Window) + Azure Monitor alert quiet for the previous hour, 2) DR Site: 1 approver, 3) Dev / Stage: auto-deploy (no Approval). This dramatically improves production release safety.

How do you use Conditional Execution and Variables?

Dynamic control techniques in Multi-stage YAML: 1) Conditions: the condition clause runs a Stage / Job / Step conditionally (e.g. condition: eq(variables['Build.SourceBranch'], 'refs/heads/main') deploys only on main), 2) Expressions: $[] for Runtime evaluation, ${'

#x27;}{{}} for Compile-time evaluation, 3) Variables (Pipeline-defined): declared with variables:, referenceable from any Stage, 4) Variable Groups: centrally managed variable sets in the Azure DevOps Library (e.g. per-environment connection strings), 5) Output Variables: passing values between Jobs (taskOutputName and dependencies.JobA.outputs), 6) Conditional Variables: ${'
#x27;}{{ if eq(parameters.env, 'prod') }} for per-environment variable values, 7) Runtime Parameters: parameters users pick when running the Pipeline (e.g. Deploy Region selection). Concrete example: parameters.deployTarget being 'all' or 'us-only' controls the Region Loop in the Deploy Stage. Combining Conditionals with Variables lets one Pipeline cover multiple environments and scenarios, dramatically reducing maintenance effort.

How do you use Matrix Strategy?

Matrix Strategy runs multiple combinations (OS × Runtime version × Configuration) in parallel. GitHub Actions: define arrays under strategy.matrix (e.g. os: [ubuntu-latest, windows-latest, macos-latest] and node: [18, 20, 22] gives 3 × 3 = 9 parallel jobs). Azure Pipelines: strategy.matrix with multiple configs (configuration: { 'Debug-x86': { cfg: 'Debug', plt: 'x86' }, ... }) runs in parallel. Typical use cases: 1) cross-platform OSS testing (a Node.js library tested in parallel across 3 OS × 3 versions = 9 environments; 10 min → 1.5 min in parallel), 2) container multi-arch builds (amd64, arm64, arm/v7 in parallel), 3) Visual Studio C++ multi-config builds (Debug-x86, Debug-x64, Release-x86, Release-x64 in parallel), 4) AWS / Azure / GCP multi-cloud deploys (same code deployed to 3 environments in parallel). Matrix Builds dramatically shorten CI time and directly improve developer productivity.

What types of Deployment Strategy are available?

Strategies available in Azure Pipelines Deployment Jobs: 1) RunOnce (completes in a single deploy; simple production deploys; the most common), 2) Rolling (updates instances sequentially; VM Scale Sets; staged rollout; parallelism controlled with MaxParallel and HealthOption), 3) Canary (releases to a small subset first; gradual traffic shift across preDeploy / deploy / postRouteTraffic / on: { success / failure } phases; limited testing of new features), 4) Blue-Green (deploys by switching between two environments; App Service Deployment Slots; instant rollback via traffic swap). Typical selection: 1) simple web apps → RunOnce + Deployment Slot Swap, 2) stateful VM Scale Sets → Rolling, 3) microservices risk management → Canary (1% → 10% → 50% → 100% gradual expansion), 4) mission-critical → Blue-Green (instant rollback via slot swap). Production deploy strategies are chosen by business criticality; Canary + Application Insights with automatic rollback is the modern best practice.

What related certifications exist?

AZ-400 (DevOps Engineer Expert) is the flagship cert for this area, with Multi-stage YAML probed deeply in domain 3 (Build and Release Pipelines, 40-45% weight). Pipeline Templates, Variable Groups, Environment + Approval Gates, Deployment Strategy, Matrix Strategy, and Conditional Execution are all tested. AZ-204 (Developer Associate, retiring 2026-07) covers CI/CD from the developer angle; AZ-104 (Administrator) covers fundamentals; AZ-305 (Solutions Architect Expert) covers DevOps strategy from the architect angle. This is core skill territory for Azure DevOps Engineers and essential for anyone owning production Pipeline design.

Related Articles and Technical Deep Dives

Azure Pipelines YAML 完全ガイド|Stages/Jobs/Steps・Templates・Variable Groups・Approval Gate【2026 年版】

Azure Pipelines YAML パイプラインの完全ガイド。基本構造 (Stages/Jobs/Steps)・Pipeline Templates・Variable Groups と Key Vault 統合・Environments と Approval Gate・Service Connections と Workload Identity Federation・関連認定試験 (AZ-400 / AZ-204 / AZ-305) を日本語で網羅。実装パターン集付き。

Azure DevOps エンジニア キャリアロードマップ|AZ-104 → AZ-400 → SC-100 シニア DevOps への道【2026 年版】

Azure DevOps Engineer になるための認定取得ロードマップ完全版。AZ-900 → AZ-104 → AZ-400 の王道ルート、GitHub と Azure DevOps の両方を扱う AZ-400 の構成、Kubernetes 認定 (CKA / CKAD / CKS) との二刀流、IaC (Bicep / Terraform) 戦略、年収レンジまで日本語で網羅。

Azure Bicep チュートリアル|ARM 後継 IaC の基本構文・モジュール化・What-If・CI/CD 統合【2026 年版】

Azure 純正 IaC ツール Bicep の完全チュートリアル。ARM JSON との違い・基本構文 (param/var/resource/module/output)・モジュール化ベストプラクティス・What-If デプロイ・GitHub Actions / Azure Pipelines 統合・ARM からの移行手順・関連認定試験 (AZ-104 / AZ-204 / AZ-400 / AZ-305) を日本語で網羅。

AZ-104 vs AZ-204 完全比較|Microsoft Azure Administrator vs Developer Associate の違いと選び方【2026 年版】

Microsoft Azure の 2 大 Associate 認定 AZ-104 (Administrator) と AZ-204 (Developer) を完全比較。対象ロール・出題範囲・難易度・学習時間・受験料・キャリアパスを表形式で整理。AZ-204 2026 年 7 月リタイア後の判断材料、両方取る価値、次の認定への進路まで日本語で網羅。

Technical information in this article is based on the Azure Pipelines YAML Schema Documentation. This article is not an official Microsoft Corporation product and has no affiliation or sponsorship with Microsoft. Microsoft, Azure, Azure DevOps, and GitHub are trademarks of the Microsoft group of companies. Information is based on publicly available official material as of May 24, 2026. Always check the official pages for the latest information.

Check what you learned with practice questions

Practice with certification-focused question sets

View Azure exam prep page
Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.


Related articles
Azure

AZ-900 Azure Fundamentals: Complete Exam Guide (2026)

Pass AZ-900 — cloud concepts, Azure architecture, management...

Azure

Azure Certification Roadmap: Which Cert to Take Next (2026)

Choose your Azure certification path — Fundamentals, Associa...

Azure

AI-901 Azure AI Fundamentals (Beta): Complete Guide (2026)

Pass AI-901 — Microsoft Foundry, generative AI, responsible ...

Azure

Microsoft Entra ID Fundamentals for Azure Certs (2026)

Entra ID basics every cert candidate needs — tenants, identi...

Azure

DP-900 Azure Data Fundamentals: Complete Guide (2026)

Pass DP-900 — relational, non-relational, analytics, Power B...

Browse all Azure articles (104)
© 2026 NicheeLab All rights reserved.