Wednesday, December 23, 2020

Moving Resources Across Resource Groups/Subscriptions

In this article, we will talk about moving resources from one resource group to another or from one subscription to another. During the move, both the source and the target resource groups are frozen, meaning we won't be able to add, delete or modify any of the resources within those resource groups. But there won't be any downtime for the underlying resources. For example, if I am moving all resources from the sourcerg resource group to the destrg resource group, I won't be able to add, modify or delete any resources within sourcerg and destrg. But if there is a SQL server resource, the application can still read and write data and there is no downtime for this resource.

Certain resources cannot be moved. Microsoft maintains a list of resource types and whether each can be moved to a different resource group/subscription.

Also, when moving resources to another subscription, we need to make sure that both the source and the destination subscriptions are under the same tenant and that both are active.

The destination subscription may not have been registered for the resource providers required by the resources that are being moved. This would also result in an error. Hence make sure you register all the required resource providers in the destination subscription.

The account moving the resources should have at least the below permissions: move permission on the source resource group and write permission on the destination resource group/subscription.

Before moving the resources, make sure to check the destination subscription quotas. If the move would exceed the limit, we might have to extend it.

One important thing to note: if you are moving resources from one subscription to another, the resource and all its dependent resources should be in the same resource group. For example, if you are moving a VM in rg1 to another subscription, first you need to move the dependent resources such as subnets and virtual networks to rg1.

This follows a three-step process:

Step 1: Move all dependent resources to the same resource group.

Step 2: Move the resources to the new subscription.

Step 3: Redistribute the dependent resources to separate resource groups if needed.
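The checks described above (same tenant, active subscriptions, registered resource providers) can be scripted before the move itself. This is an added example, not part of the original post; the subscription IDs are placeholders, and it assumes destrg already exists in the destination subscription and that everything in sourcerg is to be moved.

```powershell
# Added example. Subscription IDs are placeholders; sourcerg/destrg are the
# names used in the text. destrg must already exist in the destination.
$srcSubId = '<source-subscription-id>'
$dstSubId = '<destination-subscription-id>'
$srcRg    = 'sourcerg'
$dstRg    = 'destrg'

# Both subscriptions must sit in the same tenant and be active.
$src = Get-AzSubscription -SubscriptionId $srcSubId
$dst = Get-AzSubscription -SubscriptionId $dstSubId
if ($src.TenantId -ne $dst.TenantId) { throw 'Source and destination are in different tenants.' }
foreach ($sub in $src, $dst) {
    if ($sub.State -ne 'Enabled') { throw "Subscription $($sub.Id) is $($sub.State), not Enabled." }
}

# Collect what will move and the provider namespaces those resources need.
Set-AzContext -SubscriptionId $srcSubId | Out-Null
$resources = @(Get-AzResource -ResourceGroupName $srcRg)
if ($resources.Count -eq 0) { throw "No resources found in $srcRg." }
$namespaces = $resources.ResourceType | ForEach-Object { ($_ -split '/')[0] } | Sort-Object -Unique

# Register any namespace the destination subscription is missing.
# Registration is asynchronous, so stop and re-run once it has completed.
Set-AzContext -SubscriptionId $dstSubId | Out-Null
$pending = $false
foreach ($ns in $namespaces) {
    $state = (Get-AzResourceProvider -ProviderNamespace $ns | Select-Object -First 1).RegistrationState
    if ($state -ne 'Registered') {
        Write-Host "Registering $ns in the destination subscription (state was '$state')."
        Register-AzResourceProvider -ProviderNamespace $ns | Out-Null
        $pending = $true
    }
}
if ($pending) { throw 'Resource providers are still registering; re-run once they show Registered.' }

# Child resources (for example a database under a SQL server) move with their
# parent, so only top-level resource IDs are passed.
# -WhatIf previews the call; remove it to perform the move.
Set-AzContext -SubscriptionId $srcSubId | Out-Null
$ids = ($resources | Where-Object { -not $_.ParentResource }).ResourceId
Move-AzResource -DestinationSubscriptionId $dstSubId -DestinationResourceGroupName $dstRg -ResourceId $ids -WhatIf
```

Quota checks and the permissions of the signed-in account are not covered by this script and still need to be verified separately.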



PowerShell commands in Azure - Part 1

As I have been working with PowerShell for a while, below are some of the common commands to work with PowerShell in Azure.

In this blog I cover the following topics:

  • How to Install Az Module in PowerShell
  • How to check the versions of Az available in PowerShell
  • How to connect to Azure using PowerShell
  • How to create or remove resource locks using PowerShell
  • How to create a policy definition and assign it to a resource group using PowerShell

1. Install the PowerShell module on the local machine

    Install-Module PowerShellGet -Force -Scope CurrentUser

2. Install the AzureRM/Az packages: the latest recommended version is the Az one

    # older version
    Install-Module -Name AzureRM -AllowClobber -Scope CurrentUser

    Install-Module -Name Az -AllowClobber -Scope CurrentUser

3. Get the list of Az versions installed on the machine

    Get-InstalledModule -Name Az -AllVersions

4. Connect to the Azure account

    Connect-AzAccount

5. Get the list of resource groups within the subscription

    Get-AzResourceGroup

6. Get the list of resources within the resource group

    Get-AzResource -ResourceGroupName "<resource group name>"

Implementing Resource Locks using PowerShell

Locks prevent the resources within a resource group from being modified or deleted. There are two types of locks available: CanNotDelete and ReadOnly.

CanNotDelete locks: This will not allow any user to delete any resources within the resource group. When we try to delete any resource within the group, it will throw an error.

ReadOnly locks: This will prevent users from modifying any of the resources within the resource group.

Locks can be implemented at the resource group level, or we can set them up for individual resources within the resource group.

We can create locks using the portal, PowerShell or the Azure CLI. Below are the commands which will help you get, create and remove locks at the resource group level or on a particular resource within the resource group.

For the commands below, I have created a resource group called myrg180988 which has several resources, including a SQL server database. I am going to create two types of locks: a ReadOnly lock on the SQL server database resource and a CanNotDelete lock at the resource group level. Let's see how this can be accomplished using PowerShell commands.

#Step 1 : connecting to azure account

Connect-AzAccount

#Step 2 :removing the lock

Remove-AzResourceLock -LockName "mylock180988" -ResourceGroupName "myrg180988" -ResourceName "mydb180988/myDB" -ResourceType "Microsoft.Sql/servers/databases"

#Step 3 : adding a new lock at the DB level 

New-AzResourceLock -LockLevel ReadOnly -LockNotes "This will prevent the locks from being modified" -LockName "mylock180988" -ResourceGroupName "myrg180988" -ResourceName "mydb180988/myDB" -ResourceType "Microsoft.Sql/servers/databases"

#Step 4 : List the locks available 

Get-AzResourceLock -ResourceGroupName "myrg180988" 

#Step 5 : Setting a delete lock on the entire resourcegroup

New-AzResourceLock -LockLevel CanNotDelete -LockName "mylckn180988" -ResourceGroupName "myrg180988"

#Step 6 : Listing the resourcelocks available for the resourcegroup

Get-AzResourceLock -ResourceGroupName "myrg180988" |Select-Object -Property ResourceGroupName,ResourceName,LockName,Properties

#Step 7 : Removing the resource level lock 

Remove-AzResourceLock -LockName "mylock180988" -ResourceGroupName "myrg180988" -ResourceName "mydb180988/myDB" -ResourceType "Microsoft.Sql/servers/databases"

#Step 8 : Listing the resource locks again 

Get-AzResourceLock -ResourceGroupName "myrg180988" |Select-Object -Property ResourceGroupName,ResourceName,LockName,Properties

#Step 9 : removing the lock at the resource group level

Remove-AzResourceLock -LockName "mylckn180988" -ResourceGroupName "myrg180988"

#Step 10 : Listing the locks again

Get-AzResourceLock -ResourceGroupName "myrg180988" |Select-Object -Property ResourceGroupName,ResourceName,LockName,Properties
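The same cmdlets can be turned into a quick audit of which resource groups carry a group-level lock and which have none. This is an added example, not part of the original post; it works on whatever subscription the current context points to and changes nothing.

```powershell
# Added example: report group-level locks for every resource group in the
# current subscription so unprotected groups stand out.
$report = foreach ($rg in Get-AzResourceGroup) {
    # -AtScope limits the result to locks set on the group itself and
    # excludes locks placed on individual resources inside it.
    $locks = @(Get-AzResourceLock -ResourceGroupName $rg.ResourceGroupName -AtScope)
    [pscustomobject]@{
        ResourceGroup = $rg.ResourceGroupName
        LockCount     = $locks.Count
        # Properties.level holds CanNotDelete or ReadOnly for each lock.
        Levels        = ($locks.Properties.level | Sort-Object -Unique) -join ','
        LockNames     = $locks.Name -join ','
    }
}

# Full picture, unlocked groups first.
$report | Sort-Object LockCount | Format-Table -AutoSize

# Groups with no group-level lock at all.
$unprotected = $report | Where-Object { $_.LockCount -eq 0 }
Write-Host "$(@($unprotected).Count) resource group(s) have no group-level lock."
```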

Policy Creation/Assignment using PowerShell

To demo this, I am creating a new resource group, then creating a policy definition and assigning this definition to the resource group. For instance, I want a policy which will ensure all my SQL servers have threat detection enabled. If you go to the portal and check the policies related to SQL servers, you can see this policy. We need to assign this policy to our resource group. For that, we need to create a policy definition using the AzPolicyDefinition command, which captures the policy details from Microsoft, and then we will use the AzPolicyAssignment command to assign this policy to the resource group created.





#Step 1 : Creating a resource group called mytestpolicy and assigning it into a Variable 

$myrggrp=New-AzResourceGroup -Name "mytestpolicy" -Location "South India"

echo $myrggrp

#Step 2 : Creating a Policy Definition and assigning it to a variable

$mypolicydef= Get-AzPolicyDefinition |Where-Object{$_.Properties.DisplayName -eq "Deploy Threat Detection on SQL servers"}

echo $mypolicydef

#Step 3 : Assign this policy definition to the new resource groups 

New-AzPolicyAssignment -Name "audit-sql-threat-detection" -DisplayName "This will ensure the SQL servers have threat detection enabled" -Scope $myrggrp.ResourceId -PolicyDefinition $mypolicydef -Location "South India" -AssignIdentity

Note: AssignIdentity is a property which we need to give manually when we assign a policy through scripting; it will manage the identity of the policy. When giving AssignIdentity we need to specify a location as well.

#Step 4 : To check whether the resources are compliant to the policy or not 

Get-AzPolicyState -ResourceGroupName $myrggrp.ResourceGroupName -PolicyAssignmentName "audit-sql-threat-detection" -Filter 'IsCompliant eq false'

This will return the resource groups where the policy is violated.

#Step 5 : delete the policyassignment 

Remove-AzPolicyAssignment -Name "audit-sql-threat-detection" -Scope "/subscriptions/9c350b81-c8d7-40f1-831b-11a0ea6eda3c/resourceGroups/mytestpolicy"

Note: for removing a policy assignment we should give the complete path of the resource group, starting from the subscription.

#Step 6 : delete the policyDefinition

Remove-AzPolicyDefinition -Name $mypolicydef.Name -SubscriptionId "9c350b81-c8d7-40f1-831b-11a0ea6eda3c"
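When a policy is assigned from a script with AssignIdentity, the identity created for the assignment may still need role assignments before the policy can deploy anything. The following is an added example, not part of the original post, meant to be run after Step 3 and before the cleanup in Steps 5 and 6. It reads the roles the definition declares and grants them to the assignment's identity at the resource group scope only. The property paths (`.Properties...`, `.Identity.PrincipalId`) are an assumption that matches the Az version used in the post.

```powershell
# Added example; uses the names from the steps above.
$rg  = Get-AzResourceGroup -Name "mytestpolicy"
$def = Get-AzPolicyDefinition |
    Where-Object { $_.Properties.DisplayName -eq "Deploy Threat Detection on SQL servers" }
$assignment  = Get-AzPolicyAssignment -Name "audit-sql-threat-detection" -Scope $rg.ResourceId
$principalId = $assignment.Identity.PrincipalId
if (-not $principalId) { throw 'The assignment has no managed identity (was -AssignIdentity used?).' }

# Roles the policy's deployment needs, as declared in the definition itself.
# Empty when the policy effect does not deploy or modify anything.
$roleIds = $def.Properties.policyRule.then.details.roleDefinitionIds | Where-Object { $_ }

foreach ($roleId in $roleIds) {
    # Entries look like /providers/Microsoft.Authorization/roleDefinitions/<guid>
    $roleGuid = ($roleId -split '/')[-1]
    $existing = Get-AzRoleAssignment -ObjectId $principalId -Scope $rg.ResourceId -RoleDefinitionId $roleGuid
    if (-not $existing) {
        # Grant at the assignment scope only, not at the subscription.
        New-AzRoleAssignment -ObjectId $principalId -Scope $rg.ResourceId -RoleDefinitionId $roleGuid |
            Out-Null
    }
}

# Review what the policy identity can now do.
Get-AzRoleAssignment -ObjectId $principalId | Select-Object RoleDefinitionName, Scope
```

Removing the policy assignment in Step 5 does not remove these role assignments; clean them up with Remove-AzRoleAssignment if the identity is no longer needed.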