In his October 2019 webinar The easiest, most efficient way to manage Azure subscriptions at scale, solutions architect and Microsoft MVP Stephane Lapointe (@s_lapointe) goes over the basics of Azure Resource Graph and shows you how to leverage it to streamline your subscription management and governance duties.
Watch the recording 🎬
In this on-demand webinar session, Azure pros Jussi Roine and Stephane Lapointe take a practical look at making the most of Azure Policy.
Learn how to use Azure Policy from Microsoft experts!
Managing Azure at scale: the old way
The previous method for querying subscriptions used Azure Resource Manager. With this method, you need to go through each subscription one at a time, so it’s a time-consuming, iterative process. If you have hundreds or thousands of subscriptions, this can quickly become a full-time job.
Say hello to Azure Resource Graph
Azure Resource Graph was designed to to extend Azure Resource Manager capabilities.
Azure Resource Graph enables efficient, high-performance resource exploration by giving you the ability to query at scale across a set of subscriptions. It gives you unprecedented visibility over your resources, regardless of which subscription they belong to. You can also use it extensively in conjunction with Azure Policy.
What is Azure Resource Graph, and what’s it for?
Azure Resource Graph is based on Azure Data Explorer. It gives you better visibility across your cloud resources and enables powerful querying to gain deeper insights on your environment, as well as:
- Rich aggregation and parsing of granular properties
- Tracking changes made to resource properties
- Support for Azure Delegated Resource Management (Azure Lighthouse), which is great for CSPs and others managing multiple tenants
- Assess the impact of policies
Azure Resource Graph query syntax and basics
Nice to know
- Queries are read-only and have a refresh frequency of around 15 seconds
- Not all resource types are supported in Azure Resource Graph queries
- You’ll likely need to implement a paging mechanism if you have more than 1000 subscriptions (the current Resource graph limit) or a very large result set
String operators overview
|Operator||Description||Case-sensitive?||Example (yields |
|RHS occurs as a subsequence of LHS||No|
|LHS contains a match for RHS||Yes|
Filters to the subset of rows that satisfies a predicate. More about the where operator.
Select the new columns to include, rename, or drop, and insert newly computed columns. More about the project operator.
Create calculated columns and append them to the result set. More about the extend operator.
Produces a table aggregating the content of the input table. More about the summarize operator.
Querying over tags
tags['name'] to query tags on resources.
Fresh off the presses: Azure Resource Graph tables
Microsoft released tables for Resource Graph just last week. Read more in the official documentation.
Here are the four main tables you can work with:
- Resources. This is the default table if none defined in the query. Most Resource Manager resource types and properties are here.
- ResourceContainers. Includes subscription and resource group resource types and data.
- AlertsManagementResources. Includes resources related to
- SecurityResources. Includes resources related to
Azure Resource Graph outside the portal
You can use PowerShell and Azure CLI to perform Azure Resource Graph queries.
How to use Azure Resource Graph in PowerShell
- Install Az modules
- Install Az.ResourceGraph module
- Use Search-AzGraph cmdlet
How to use Azure Resource Graph in Azure CLI
- Install Azure CLI
- Install the resource-graph extension
- Use the az graph query
Azure Resource Graph and Azure Policy
One of the best things about Resource Graph is the fact that you can easily turn Azure Resource Graph queries into policy rules. Check out the ConvertToPolicy utility on GitHub to easily convert queries into policy rules.
You can also test the impact of an Azure Policy thanks to Azure Resource Graph (more on that in an upcoming post!).
Azure Resource Graph Q&A with Stephane Lapointe
Save time and money in Azure with ShareGate Overcast
If you still have questions, feel free to leave them in the comments!
Q. Is Resource Graph only useful for a large number of subscriptions? How can it be used on a smaller number of subscriptions?
A. Even if you only have one subscription, Azure Resource Graph can definitely be of use and save you time. If you need to go deep inside your resources’ properties, you’ll need to do it programatically anyway – either with PowerShell, CLI, or the more limited Portal. With Resource Graph, however, one of the great things is that you can export your results as a CSV in a snap without having to script anything.
Q. What are some other applications for Azure Resource Graph? Can you use it to query the price of resources?
A. No, you cannot use Azure Resource Graph to query the price of resources. Some concrete applications off the top of my head include identifying expired certificates and automating a ton of preventative actions. It also helps visualize the impact of an Azure Policy. Any time you need visibility over your resources, Azure Resource Graph is the way to go. You can also query for changes on a resource (i.e. you have a deployment and your website settings change – practical for troubleshooting in production).
A. Is it possible to restrict users or roles for resource creation via Azure Resource Graph?
Q. This is usually controlled by RBAC (role-based access control).
Q. What are the top limitations of Azure Resource Graph?
A. Azure Resource Graph has come a long way in the year and a half I’ve been using it. However, some resources aren’t yet supported: you can’t currently query against containers or SQL server firewall rules, for instance, as they’re sub-resources.
Q. Is there an online repository for code snippets?
A. There are several great scripts on Microsoft’s Script Center (like this one I wrote, which lists outbound IP addresses for App Service web apps), but they aren’t entirely Resource Graph related. Have a look around!
Want to learn how to govern your Azure environment from the experts? At Deploy, ShareGate's online event focused on Azure governance, 9 Azure experts shared their experiences and insights to help you identify best practices to increase efficiency and visibility in the cloud. Watch the sessions on demand now!