Background
Azure resources can be deploy and configure automatically by using ARM Templates, Azure Policy, PS scripts etc… those automation ways have it’s limit to sets of allows and deny functions, And in particular, it can be configure only on the subscription level, with Azure Blueprint [Preview] you can manage policies and target it on Management group level to assign the same policies on all of your subscriptions.
On this post I will show you, how to use Blueprint service to create Log Analytics workspace in all of your subscriptions, Additionally how to enables Azure Monitor policies on all your VMs in those subscriptions, that will connected to this Log Analytics workspace you just deployed, by using this capabilities you can configure all aspects of monitors in your environment.
Steps:
- Add Management group and link the subscriptions.
- Add Blueprint targeted to Management Group
- Add Artifacts to the blueprint:
- Artifact to add resource group.
- Artifact to add Log Analytics Workspace in resource group that you just created.
- Add Policy artifact with built-In policy to – “Enable Azure Monitor for VMs”.
- Publish the blueprint.
- Assign blueprint to subscriptions in Management Group .
Step by Step
Azure Management Group
When you are managing multiple subscriptions its recommended use Management group, using management groups helps you manage access, policy, and compliance by grouping multiple subscriptions together.
For example, you can create a hierarchy that applies a policy, for example, which limits VM locations to the “West Europe” Region in the group called “Production”. This policy will inherit onto both EA subscriptions under that management group and will apply to all VMs under those subscriptions.
The following diagram shows an example of creating a hierarchy for governance using management groups:
Existing subscription can linked to new Management Group.
As you can see in the screen below My Management group “Monitor Team” contain my subscriptions:
Azure Blueprint [PREVIEW]
Assign policies, deploy ARM templates & Roles on Subscriptions and Management Groups
Blueprints are a declarative way to orchestrate the deployment of various resource templates and other artifacts such as:
- Role Assignments
- Policy Assignments
- Azure Resource Manager templates
- Resource Groups
In first artifacts we will create New Resource group and Log Analytics Workspace
Create Blank blueprint
Artifacts types
Add Resource group
Add new Resource group, the name and location can be specified also when blueprint would be assigned.
Similar to ARM deployment, that mean after you assign to subscription the Resource group will be deployed
Add Azure RM template
“+ Add Artifact” under Resource group, and select Azure resource manager template, the template can contain ARM template, with any resources and parameters, the parameters can be send manually in the parameters tab, or can be part of the deployment.
I found an easier way to build the template, by creating the resource once in Azure Portal, then export the template and copy paste in policy template filed
For example, I created the Workspace and download to zip file.
Open template.json file you just download, and remove the row with provisioning state:
Remove the row from Template file: <“provisioningState”: “Succeeded”,>
Copy the json file to artifact, you can also import the templates and only remove this row, and click Add.
Be aware that Workspace name must be globally unique across all Azure Monitor subscriptions, that way you need assign it separately on each subscription
For example, this is small json template, contain the deployment of Log Analytics Workspace:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaces_loganalyticstemplate_name": {
"defaultValue": "loganalyticstemplate",
"type": "String"
}
},
"variables": {},
"resources": [
{
"type": "microsoft.operationalinsights/workspaces",
"apiVersion": "2015-11-01-preview",
"name": "[parameters('workspaces_loganalyticstemplate_name')]",
"location": "eastus",
"properties": {
"sku": {
"name": "pergb2018"
},
"retentionInDays": 30
}
} ]
}
Add Policy Artifact
The second artifact will be – enabled Az Policy: “Enable Az Monitor on all your VMs”, this artifact should be selected from the top of Resource group artifact, it should be enabled on all of VMs deploy in your subscription.
Select “Add Artifact” then “Policy Assignment” search monitor in Initiative definitions, choose the “Enable Azure Monitor for VMs” policy and click on Add:
Publish blueprint
Only when you publish the blueprint you can assign it, you can assign also previews versions, but you can edit only the last one.
Every time you publish after you made the changes you need to select higher version, start with 1.0 and continue to 1.1 and so forth, every version are saved, so you can assign later the previous version also.
After publishing is completed, on top of this windows you can “assign blueprint” on subscriptions in your Management group.
When you assign the blueprint, you need insert the artifact parameters you selected before, it should be supplied when it will be assigned, in this example showing bellow I wrote the Log Analytics Workspace [Unique Name] the same parameter should be for the LA Workspace and for the Workspace that VMs should be connected to.
TIP - Run the task each time on single subscription to provide the unique Log Analytics Workspace name.
In the Assigned blueprint blade, you can follow the status of deployment you deploy in this assignment, select the assignment currently in deploy state.
To edit the definitions in blueprint, go back to the “blueprint definition” blade, select “Edit blueprint”, change the settings, save the draft and publish in a higher version
You now have two options, or reassign the same task that you created before , choose the new version in the layout, or reassign a new one.
The reason for assigning with a new name is, if you need to select new parameters in the resources you want to publish, for example if the name is not unique and you need to re-enter the parameters with a new name, then assign.
Deployment Status
- In the assignment you can see the status of deployment
- Go to Activity log of subscriptions you deployed the artifact, and detect the success or error events.
- In resource group you crate, go to Deployment tab, and track the status of your deployment.
- Policy can be seen in every resource group on policies tab, or in policy resource.
