Getting a grip on what is done in Azure



Tim (you know who you are) has kicked me back into life to start writing some stuff up again. The volume of work of late has just been so much that I had no inclination to write; maybe this new year can get me back into the saddle again.

So what am I going to talk about?

Azure Policy - perhaps the least sexy part of what Azure has to offer.... :-)

From a governance and control point of view though it's actually very good - you can read more of the general spiel about it here: https://docs.microsoft.com/en-us/azure/governance/policy/overview

In short it allows you to block/audit/change what is being deployed into Azure - it's much more than RBAC (which is essentially a yes/no permission on a task). Policy enables much more granularity - for example you could have rules that say:

 - you can't deploy a VM into North Europe unless it's called XXXXX
 - you can deploy a PaaS storage account but it must only allow https comms to it.
 - etc. etc.

The possibilities are huge - made even more so by it being extended to actual VM configuration inside the VM, the so-called guest configuration: https://docs.microsoft.com/en-us/azure/governance/policy/concepts/guest-configuration

So that's a bit of background - now on to a concrete example - validating that all virtual machines have backup enabled. How do I do that (and how do I get the data out in a format that's more easily usable than the summary screens)?

I'm not going over how to define/assign the policy (there are other posts covering that sort of thing) - in my case the backup one is an inbuilt one and I just assigned it to all my subscriptions. It takes a while for that to deploy (and the evaluation actually doesn't refresh that often).

What I wanted to show was the results and how annoying the normal format is (though it does look quite nice at first glance).


So here we can see that I'm 69% compliant - or 171 VMs that have no backup in place. The majority of these are VMs that are implicitly deployed from PaaS services (AKS and Databricks primarily for us), so in that case no backups are required.

We can adjust the scope of the assignment to exclude certain subscriptions/resource groups/resources and get to our 100% compliance. Then any new resources that are flagged up as having no backups are genuine problems that we need to do something about.

Extracting that list in a useful format is where I then got very frustrated - there is no export option from the portal for this - you don't even seem to be able to select all and do a basic copy/paste of the data.

Googling round when I first looked at this I couldn't see an easy way to extract this in a different format - the only possibility seemed to be to use the REST interface to Azure Policy and write some code around that - that was just more effort than I was prepared to spend.

The Log Analytics plugin seemed to do what I wanted until I realised that policy compliance is not part of the data that it records - so that's essentially useless. The field you think is compliance is just whether the policy has deployed or not - not whether the resource is compliant!

What has been released more recently though (not sure exactly when) is a PowerShell module for Azure Policy which we can use to extract the data (with a little bit of extra script round it). There is a link to this on GitHub here: https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/governance/policy/assign-policy-powershell.md

It can be installed using the standard PowerShell install/import commands.

Once it is installed you can do something like the basic script below to extract the data:




# Start with a fresh file; ignore the error if it doesn't exist yet
Remove-Item testing.csv -ErrorAction SilentlyContinue
# Use the Az cmdlets throughout (Get-AzPolicyState is in Az.PolicyInsights; mixing AzureRM and Az cmdlets doesn't load cleanly)
$subscriptions = Get-AzSubscription

ForEach ($sub in $subscriptions) {
    # Get-AzPolicyState queries the current context, so switch it for each subscription in turn
    Set-AzContext -SubscriptionId $sub.Id | Out-Null

    # Filter on the definition id of the built-in "backup enabled" policy, then keep the VM name
    # (last segment of the resource id), the subscription name, the full id and the compliance state
    Get-AzPolicyState -Filter "(PolicyDefinitionName eq '013e242c-8828-4970-87b3-ab247555486d')" |
        Select-Object @{Name="vmname";Expression={$_.ResourceId -replace '.*/'}},
                      @{Name="subscription";Expression={$sub.Name}},
                      ResourceId,
                      ComplianceState |
        Export-Csv testing.csv -NoTypeInformation -Append
}


(Apologies for the basic level of PowerShell here - I was battling with '/"/{ and what was actually needed)

This will extract the result data for the specific policy in question - you can find the id needed for this from the definition screen of the policy - see example below.


There doesn't seem to be a way to just extract all the results for all the subscriptions in one go, so I do a small loop to set the context for each subscription in turn and append that data to the csv extract.

The extract fetches the VM name, subscription name, full resource id and the compliance status (those are the 4 things that follow the select in the command above).

The finished csv then looks like this (heavily redacted :-))


You can then work through the results and fix the non-compliant ones, or filter them out if they are not required.
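As an added example (not code from the original post), here is a variant of the extract that pulls the same policy's states per subscription with the Az modules, flags VMs in resource groups you have decided need no backup, and works out the per-subscription figures the portal summary shows. It assumes Az.Accounts and Az.PolicyInsights are installed, you are already logged in with Connect-AzAccount, and the excluded resource group names are constructed placeholders.

```powershell
# Definition id of the built-in VM backup policy (from the post)
$policyDefinitionName = '013e242c-8828-4970-87b3-ab247555486d'
$allFile    = 'backup-compliance.csv'
$badFile    = 'backup-noncompliant.csv'

# Resource groups whose VMs are created implicitly by PaaS services (AKS, Databricks) and need no backup.
# Constructed placeholder names - replace with your own.
$excludedResourceGroups = @('MC_aks-prod-rg_aks-prod_northeurope', 'databricks-rg-prod-placeholder')

$rows = foreach ($sub in Get-AzSubscription) {
    # -SubscriptionId scopes the query without switching the session context.
    # -Top raises the per-call record cap (assumed: the cmdlet caps results by default).
    Get-AzPolicyState -SubscriptionId $sub.Id -PolicyDefinitionName $policyDefinitionName -Top 5000 |
        ForEach-Object {
            [pscustomobject]@{
                Subscription    = $sub.Name
                ResourceGroup   = $_.ResourceGroup
                VmName          = ($_.ResourceId -split '/')[-1]
                ResourceId      = $_.ResourceId
                ComplianceState = $_.ComplianceState
                Excluded        = ($excludedResourceGroups -contains $_.ResourceGroup)
            }
        }
}

# Full extract, one line per VM evaluated by the policy
$rows | Export-Csv $allFile -NoTypeInformation

# Only the genuine problems: non-compliant and not on the exclusion list
$rows | Where-Object { $_.ComplianceState -eq 'NonCompliant' -and -not $_.Excluded } |
    Export-Csv $badFile -NoTypeInformation

# The same numbers as the portal summary (e.g. 69% compliant), but per subscription and after exclusions
$rows | Where-Object { -not $_.Excluded } | Group-Object Subscription | ForEach-Object {
    $total = $_.Count
    $bad   = @($_.Group | Where-Object { $_.ComplianceState -eq 'NonCompliant' }).Count
    [pscustomobject]@{
        Subscription     = $_.Name
        Evaluated        = $total
        NonCompliant     = $bad
        PercentCompliant = [math]::Round(100 * ($total - $bad) / $total, 1)
    }
} | Format-Table -AutoSize
```

Anything with Excluded set to True in the full csv is what you would add to the assignment's exclusion scope so the portal figure matches the summary printed here.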

I've just scratched the surface here - it's capable of much more than this - including auto-fixing of non-compliant resources!

I'm sure the portal team will enhance the screens further to make them more friendly - the other missing thing is a 'deep link' to be able to go straight to policy results. For example I would like to be able to send someone a direct link to review a list of non-compliant resources - I have no way of doing that other than saying click here, type that, then click here etc. to find the results.

Overall though it's a really good feature and one I'm sure to be making more and more use of.
