Inside Azure Management Book v4 Is Being Released for Preview

A few years ago, a few of us started a book authoring project for the then-called Microsoft Operations Management Suite (OMS). Since the technology is constantly evolving, we renamed the book to Inside Azure Management in version 3 last year. We started working on version 4 of the Inside Azure Management book a couple of months ago. This time, we have sourced a few additional talented authors to help out. Given the challenging time we are all facing right now, we are a little bit behind the original schedule. However, we are expecting to have the book released no later than 15th of May

Continue reading

Managing Azure Resource Tags using Azure Policy Modify Effect

The new Modify effect for Azure Policy was introduced a few months ago. I was really excited about this new addition, but unfortunately I haven’t had time to write this post until today. The Modify effect is designed SPECIFICALLY for managing resource tags. You can use it to add / update / remove tags during resource creation or update (basically for both new and existing resources). Problem we had… Before the Modify effect was introduced, we were managing the tags using the “Deny” and “Append” effects: Deny: “Require tag and its value” policy “Require tag and its value on resource groups”

Continue reading

Puppet Facts Detecting Cloud Providers for Windows VMs

I’m currently working on a Puppet Module for Windows Server. This module needs to detect which public cloud platform the Windows server is running on. More specifically, Azure, or GCP or AWS. To do so, I can either write a custom Puppet fact in Ruby, or an external fact (i.e. in PowerShell). So I’ve written both. The custom fact (cloud.rb) is placed in the lib/facter folder in the module. The external fact (cloud.ps1) is placed in the facts.d folder in the module. Custom Fact: View the code on Gist. External Fact: View the code on Gist. To test, you can

Continue reading

Updated Azure Policy Definitions for Azure Diagnostics Settings Again

I first published a set of policy definitions for configuring Azure resource diagnostics settings last year. You can find the original post here: https://blog.tyang.org/2018/11/19/configuring-azure-resources-diagnostic-log-settings-using-azure-policy/. I have been keeping them up-to-date since then. I’ve updated the Policy Definitions for the resource Diagnostic Settings again today with the following updates: New Policies added: Azure Bastion Hosts, Azure AD Domain Services. Existing Policy Updated: Azure App Service – with the support for the additional logs announced at Ignite 2019. Also the name of the policy file has changed. Removed (since they were incorrectly written in the first place and never worked): VM, VMSS

Continue reading

100 Days of Infrastructure as Code in Azure

I have been asked to contribute to the 100 Days of IaC in Azure project started by Ryan Irujo (@reirujo) and Pete Zerger (@pzerger). I accepted the invitation and have already contributed 4 articles for this project. Right now we are not even halfway through the 100 articles yet; I’m planning to continue contributing in the coming weeks. Both Pete and Ryan are extremely talented in this field, and I am very pleased to be part of this awesome project. If you are focusing on Azure, Infrastructure as Code or DevOps, I strongly recommend you check this out: https://bit.ly/100DaysOfIaC.

Continue reading

Configuring Azure Management Group Hierarchy Using Azure DevOps

Previously, I published a 3-part blog series on deploying Azure Policy Definitions via Azure DevOps (Part 1, Part 2, Part 3). It covered one aspect of implementing Azure Governance using code and pipelines. There are at least 2 additional areas I haven’t covered: Configuring Management Group hierarchy, and Policy & Initiative assignments. In this post, I’ll cover how I managed to implement the management group hierarchy using Azure DevOps. I will cover policy & initiative assignment in a future blog post. Problem Statement Before I dive into the technical details, I’d like to first explain why this is required. In

Continue reading

Cross-Blog: How to Create Azure Monitor Alerts for Non-Compliant Azure Policies

Recently, I have been asked to contribute to Microsoft’s ITOps Talk blog. My first article “How to Create Azure Monitor Alerts for Non-Compliant Azure Policies” has just been published. You can read it here: https://techcommunity.microsoft.com/t5/ITOps-Talk-Blog/How-to-Create-Azure-Monitor-Alerts-for-Non-Compliant-Azure/ba-p/713466

Continue reading

Deploying Management Group Level Custom RBAC Role Using ARM Templates

Although custom RBAC roles can be deployed using subscription-level ARM templates, they are actually tenant-level resources. When you deploy a custom RBAC role using a subscription-level template for the first time, it will work, but if you deploy the same custom role again to another subscription within the same tenant, the deployment will fail because the role already exists. To make the role available in additional subscriptions, you must modify the assignment scope of the role definition, making it available to other subscriptions. Recently, Microsoft has made custom RBAC roles available at the Management Group level. This greatly simplified the

Continue reading

Azure Automation Runbook to Export Data From Multiple Log Analytics Workspaces

I wrote a runbook a while back to export data from Azure Log Analytics workspaces using its search API (https://dev.loganalytics.io/documentation/Using-the-API) because a customer had a requirement to ingest the logs and metrics from Azure Log Analytics into other 3rd party systems. Recently, I updated this runbook to support searching all workspaces from all subscriptions in one or more management groups. For example, you can use this runbook to extract data from all Log Analytics workspaces in your AAD tenant if you pass in the root management group name to the runbook. You can find the runbook source code here: https://gist.github.com/tyconsulting/81cd2b80d8b151e38d5b52b80b4c6ee3

Continue reading

A Simple Dynamic DNS Solution Based on Azure PaaS Services

Background Many of us have used some kind of dynamic DNS service in the past. It is particularly useful for home networks since it is very rare that ISPs provide static IP addresses free of charge nowadays. Most home broadband modems and routers support some kind of dynamic DNS service. I used a popular dynamic DNS provider many years ago. Back then, it was free. Then they started charging people for using their service. I think having to pay $50+ per year is too much for such a simple service. Luckily my home broadband plan came with a static

Continue reading