Category: Azure

Azure Policy Export

Hi!

Azure Policy definitions, initiatives, and assignments can each be exported as JSON with Azure CLI.

Here is an example of exporting an Azure Policy. In the first step we list all Azure Policy definitions whose display name contains « virtual machine ». In the second step we export the selected policy definition as JSON.

maxime@Azure:~$ az policy definition list --query "[?contains(displayName, 'virtual machine')]" -o table
Name                                  PolicyType    Mode     DisplayName                                                                                                                       Description
------------------------------------  ------------  -------  ----------------
0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56  BuiltIn       All      Audit virtual machines without disaster recovery configured                                                                       Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc.
04c4380f-3fae-46e8-96c9-30193528f602  BuiltIn       Indexed  [Preview]: Network traffic data collection agent should be installed on Linux virtual machines                                    Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.


maxime@Azure:~$ az policy definition show -n 0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56 -o jsonc
{
  "description": "Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc.",
  "displayName": "Audit virtual machines without disaster recovery configured",
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56",
  "metadata": {
    "category": "Compute",
    "version": "1.0.0"
  },
  "mode": "All",
  "name": "0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56",
  "parameters": {},
  "policyRule": {
    "if": {
      "field": "type",
      "in": [
        "Microsoft.Compute/virtualMachines",
        "Microsoft.ClassicCompute/virtualMachines"
      ]
    },
    "then": {
      "details": {
        "existenceCondition": {
          "field": "name",
          "like": "ASR-Protect-*"
        },
        "type": "Microsoft.Resources/links"
      },
      "effect": "auditIfNotExists"
    }
  },
  "policyType": "BuiltIn",
  "systemData": null,
  "type": "Microsoft.Authorization/policyDefinitions"
}

Maxime.

AKS | Pricing Tiers

Hi!

Azure Kubernetes Service (AKS) is now offering two pricing tiers for cluster management: the Free tier and the Standard tier.

Free tier
  When to use:
  • You want to experiment with AKS at no extra cost
  • You’re new to AKS and Kubernetes
  Supported cluster types:
  • Development clusters or small scale testing environments
  • Clusters with fewer than 10 nodes
  Pricing:
  • Free cluster management
  • Pay-as-you-go for resources you consume
  Feature comparison:
  • Recommended for clusters with fewer than 10 nodes, but can support up to 1,000 nodes
  • Includes all current AKS features

Standard tier
  When to use:
  • You’re running production or mission-critical workloads and need high availability and reliability
  • You need a financially backed SLA
  Supported cluster types:
  • Enterprise-grade or production workloads
  • Clusters with up to 5,000 nodes
  Pricing:
  • Pay-as-you-go for resources you consume
  Feature comparison:
  • Uptime SLA is enabled by default
  • Greater cluster reliability and resources
  • Can support up to 5,000 nodes in a cluster
  • Includes all current AKS features

# Create a new AKS cluster in the Free tier 
az aks create --resource-group myResourceGroup --name myAKSCluster --no-uptime-sla 

# Create a new AKS cluster in the Standard tier 
az aks create --resource-group myResourceGroup --name myAKSCluster --uptime-sla

# Update an existing cluster to the Free tier
az aks update --resource-group myResourceGroup --name myAKSCluster --no-uptime-sla

# Update an existing cluster to the Standard tier
az aks update --resource-group myResourceGroup --name myAKSCluster --uptime-sla

Documentation: https://learn.microsoft.com/en-us/azure/aks/free-standard-pricing-tiers

Maxime.

Azure Policy | Deny Action

Hi,

In this new article, I will share with you a new Azure Policy effect: « DenyAction ». DenyAction blocks requests that attempt a specific action on the resources matched by the policy. The only action supported today is DELETE, so this effect helps prevent accidental deletion of critical resources.

This new effect could let you replace the « Delete » locks you currently have in place at the resource group level.

Please find below an example:

{
   "if": {
      "allOf": [
         {
            "field": "type",
            "equals": "Microsoft.DocumentDb/accounts"
         },
         {
            "field": "tags.environment",
            "equals": "prod"
         }
      ]
   },
   "then": {
      "effect": "DenyAction",
      "details": {
         "actionNames": [ "delete" ],
         "cascadeBehaviors": { "resourceGroup": "deny" }
      }
   }
}
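As an added example (my own code, not from the post or from Azure Policy itself), here is a small Python evaluator for the subset of the policy rule language used by the exported definition in the first post and by the DenyAction rule above, run against constructed resource objects. It evaluates the "if" conditions (field/equals, field/in, field/like, allOf) and, for DenyAction, whether the requested action is listed in actionNames; the auditIfNotExists existence check against the related link resource is out of scope.

```python
import fnmatch
import json

# Rule of the exported built-in definition above (its existenceCondition is not evaluated here).
DR_AUDIT_RULE = json.loads("""{
  "if": {"field": "type", "in": ["Microsoft.Compute/virtualMachines",
                                 "Microsoft.ClassicCompute/virtualMachines"]},
  "then": {"effect": "auditIfNotExists"}
}""")

# The DenyAction rule from the post (blocks DELETE on prod Cosmos DB accounts).
DENY_DELETE_RULE = json.loads("""{
  "if": {"allOf": [
      {"field": "type", "equals": "Microsoft.DocumentDb/accounts"},
      {"field": "tags.environment", "equals": "prod"}]},
  "then": {"effect": "DenyAction", "details": {"actionNames": ["delete"]}}
}""")


def _field(resource, path):
    """Resolve dotted field paths such as 'tags.environment'; missing -> ''."""
    value = resource
    for part in path.split("."):
        if not isinstance(value, dict):
            return ""
        value = value.get(part)
    return "" if value is None else value


def matches(condition, resource):
    """True when the policy 'if' condition matches the (constructed) resource."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    value = str(_field(resource, condition["field"])).lower()  # case-insensitive
    if "equals" in condition:
        return value == str(condition["equals"]).lower()
    if "in" in condition:
        return value in [str(v).lower() for v in condition["in"]]
    if "like" in condition:
        return fnmatch.fnmatchcase(value, condition["like"].lower())
    raise ValueError(f"unsupported condition: {condition}")


def evaluate(rule, resource, action="write"):
    """Effect applied to the request, or None; DenyAction fires only for actionNames."""
    if not matches(rule["if"], resource):
        return None
    then = rule["then"]
    if then["effect"].lower() == "denyaction":
        names = [a.lower() for a in then["details"]["actionNames"]]
        return "DenyAction" if action.lower() in names else None
    return then["effect"]
```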

Maxime.