Deploying Azure Policy Definitions via Azure DevOps (Part 3)

This is the 3rd and final installment of the 3-part blog series. You can find the other parts here: Part 1: Custom deployment scripts for policy and initiative definitions Part 2: Pester-test policy and initiative definitions in the build pipeline Part 3: Configuring build (CI) and release (CD) pipelines in Azure DevOps In this part, I will walk through how I configured the build and release pipelines for deploying policy and initiative definitions at scale. Pre-requisites The following pre-requisistes are required before start creating the pipelines: 1. Creating Azure AD Service Principals We need to create service principals in each

Continue reading

Deploying Azure Policy Definitions via Azure DevOps (Part 2)

This is the 2nd installment of the 3-part blog series. You can find the other parts here: Part 1: Custom deployment scripts for policy and initiative definitions Part 2: Pester-test policy and initiative definitions in the build pipeline Part 3: Configuring build (CI) and release (CD) pipelines in Azure DevOps In this part, I will walk through the PowerShell module I have developed to pester-test policy and initiative definitions. My intention is to uses these tests to perform syntax validation in the build pipeline, ensure all the definition files are valid before being deployed in the release pipelines. You can

Continue reading

Deploying Azure Policy Definitions via Azure DevOps (Part 1)

Introduction Recently I needed to deploy a large number of Azure policy and initiative definitions at customer’s environments using Azure DevOps. These definitions needed to be deployed to different environments (different Management Group hierarchies in different Azure AD Tenants). I faced some difficulties when working on this solution, due to the following limitations: 1. Currently templates do not support Management Groups So I can’t use ARM templates in this case. But, I still needed to develop a solution no matter where should the definitions being deployed (either to a management group or a subscription). 2. Limitations in Azure PowerShell cmdlet

Continue reading

Sharing My Azure Resource Graph Resources

I have created a public GitHub repo to store and share resources I created around Azure Resource Graph: https://github.com/tyconsulting/AzureResourceGraph I have add queries, scripts I have developed over the last few months, as well as few how-to articles. I will continue updating this repo whenever I have developed new contents to add. Feel free to clone it, fork it, and submit issues, PRs if you’ve spotted any errors.

Continue reading

New Book Release: Inside Azure Management

I have been pretty busy over the last few months, largely because I was working on the new book titled Inside Azure Management with few MVP friends. We have finally got to a stage to publish the preview version few days ago. The Inside Azure Management book is the successor of our popular book Inside Microsoft Operations Management Suite. It contains 16 chapters and covered the following areas: Implementing Governance in Azure Migrating Workloads in Azure Configuring Data Sources for Azure Log Analytics Monitoring Applications Monitoring Infrastructure Alerting and Notification Monitoring Databases in Azure Monitoring Containers in Azure Implementing Process

Continue reading

Extracting High Resolution Icons from the Azure Portal

I found myself and friends are constantly looking for high resolution icons for various Azure products when working on design documents, presentation slide decks, or designing stickers to put on our laptops. Although Microsoft provides free download for the Azure icon set, unfortunately, the icon set does not get updated often. at the time of writing this blog, the latest version of the icon set is over 1 year old (https://www.microsoft.com/en-us/download/details.aspx?id=41937). There are few posts out there showing you how to extract icons from the Azure portal, but they all require 3rd party tools. I had requirements for some icons

Continue reading

Configuring Azure Resources Diagnostic Log Settings Using Azure Policy

In an Azure Policy definition, the “effect” section defines the behaviour of the policy if defined conditions are met. For example, the “Deny” effect will block the resource from being deployed in the first place, “Append” will add a set of properties to the resource you are deploying before being deployed by the ARM engine, and “DeployIfNotExists” deploys a resource if it does not already exist. In the old days, the biggest limitation I have faced was the use of “DeployIfNotExists” effect was only limited to built-in policies. In another word, If Microsoft hasn’t already created a policy for you,

Continue reading

Sneak Peak of Azure Blueprints

Azure Blueprints have been announced and made available for public preview last month at Microsoft Ignite 2018. I have been on the private preview for few months now, and I’m really excited that it’s finally gone public and we can start talking about it. If you haven’t heard of Blueprints, according to the Blueprints PM Alex Frankel, Blueprints is designed for: deploy and update cloud environments in a repeatable manner using composable artifacts. I have heard an analogy before – An Azure subscription is just like an empty canvas, and your developers are like painters. But we all know that

Continue reading

Azure Policy to Restrict Storage Account Firewall Rules

Back in the Jan 2018, I posted a custom Azure Policy definition that restricts the creation of public-facing storage account – in another word, if the storage account you are creating is not attached to a virtual network Service Endpoint, the policy engine will block the creation of this storage account. You can find the original post here: https://blog.tyang.org/2018/01/08/restricting-public-facing-azure-storage-accounts-using-azure-resource-policy/. When a storage account is connected to a Service Endpoint, you can also white-list one or more IP address ranges to allow them accessing the storage account from the outside of your Azure virtual network (i.e. the Internet). Therefore, in order

Continue reading

My Views on the Native Source Control Option in Azure Automation

Few weeks ago, I saw a two separate discussions in different closed community channels regarding to the Source Control option in Azure Automation accounts, more specifically – when will the support for VSTS become available. In the Azure Portal, it has been showing “coming soon”. According to Wikipedia, “Visual Studio Online” has been renamed to Visual Studio Team Services (VSTS) in November 2015: On 13 November 2013, Microsoft announced the release of a software as a service offering of Visual Studio on Microsoft Azure platform; at the time, Microsoft called it Visual Studio Online. Previously announced as Team Foundation Services,

Continue reading
%d bloggers like this: