As part of my deployment I would like to call some endpoint in my application to smoke test it.
But we are using Access Restrictions and calls from Azure Devops Release Pipeline are rejected.
Is there a way around this?
Right after asking question I noticed there is new option in Preview in Access Restrictions page in Azure portal.
With this rule Azure Devops will be able to reach application endpoints.
Or using Powershell
Add-AzWebAppAccessRestrictionRule
-ResourceGroupName "resourcegroup"
-WebAppName "webapi"
-Priority 65000
-ServiceTag Azurecloud
-Action Allow
In future you should be able to use AzureDevOps service tag, but looks like it's not supported in Preview - Set a service tag-based rule (preview)
Related
I have a web application in azure and I want to make sure that only my build server (or any other VM on the same subnet) are the only ones which are able to access the SCM site. I thought the most obvious thing would be to create an access restriction rule and in fact that works, I am able to create it from the portal with no issue whatsoever.
The problem, however, happens when I try to automate this using powershell. My build server subnet is located on a subscription different from the one where my web application is.
I am executing the following powershell script:
$subnetId = "/subscriptions/$VNETSubscriptionId/resourceGroups/$VNETResourceGroup/providers/Microsoft.Network/virtualNetworks/$buildServerVNET/subnets/$buildServerSubNet"
Add-AzWebAppAccessRestrictionRule -ResourceGroup $webAppRg -WebAppName $webAppname -Name VNETAccess -Priority 1000 -Action Allow -SubnetId $subnetId
And I get the following error:
Add-AzWebAppAccessRestrictionRule : The client '{{my user credential}}' with object id '81fa4eb1-5553-4daa-af44-3c717b19eda2' does not have authorization to perform action 'Microsoft.Network/virtualNetworks/subnets/read' over scope '/subscriptions/{{websiteSubscriptionId}}/resour
ceGroups/{{VNETResourceGroup}}/providers/Microsoft.Network/virtualNetworks/{{buildServerVNET}}/subnets/{{buildServerSubNet}}' or
the scope is invalid. If access was recently granted, please refresh your credentials.
The error seems to indicate that the cmdlet is searching for the subnet on the same subscription id than the website instead of the subscription where the subnet is located, since the resourceId string that is being returned on the error messsage has the wrong subscription Id. It is using the one where the website is instead of using the one where the build server is.
What else needs to be done in order to create this rule through powershell?
The error message is confused.
In fact, after my validation, you need to add the -IgnoreMissingServiceEndpoint parameter when adding a subnet from a different subscription. Read this GitHub case WebApp:Add-AzWebAppAccessRestrictionRule.md - incorrect use of subscription context over SubnetId param
When using a subnet from a different subscription, we cannot validate
the subnet to see if the correct service endpoint (Microsoft.Web) has
been set. If you use -IgnoreMissingServiceEndpoint the rule can be
added.
I am creating an ARM template for the Azure Log Analytics workspace.it has some queries which use azure VM's VMUUID. Is there is any way to fetch the azure VM's VMUUID inside the ARM template or any other way to fetch azure VMUUID?
ARM Template I just need to get the values of VMUUID of all VM's in that subscription.
You can also get this information programmatically from the Azure Instance Metadata Service (IMDS). It provides information about currently running virtual machine instances. You can use IMDS to manage and configure your virtual machines. This information includes the SKU, storage, network configurations, and upcoming maintenance events. For a complete list of the data available, see the Endpoint Categories Summary.
IMDS is a REST API that's available at a well-known, non-routable IP address 169.254.169.254. You can only access it from within the VM. Communication between the VM and IMDS never leaves the host.
https://learn.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service
Try Azure Resource Explorer
You could easily find it in the Azure Resource Explorer.
//One more extra reference: What is Azure Resource Explorer?
Just navigate to the Microsoft.Compute => virtualMachines view:
There is one more way to find it, but for me seems more complicated as you need to connect to the VM:
https://azure.microsoft.com/en-us/blog/accessing-and-using-azure-vm-unique-id/
Update: Try PowerShell
The simple PowerShell script below returns a list of all VMUUIDs in the specified subscription:
Get-AzSubscription
Select-AzSubscription -SubscriptionId "Olga's Subscription"
$GetVM = Get-AzVM
Foreach ($vm in $GetVM)
{
$vmId =""
$vmId = $vm.vmid
$vmIdList +=$vmId + "`r`n"
}
Write-Output $vmIdList
Please let me know if above answers your question.
Scenario: You want to clone an app to another region, while configuring an Azure Resource Manager traffic manager profile that includes both apps.
Below are the commands I tried
$srcapp = Get-AzWebApp -ResourceGroupName SourceAzureResourceGroup -Name
source-webapp
$destapp = New-AzWebApp -ResourceGroupName DestinationAzureResourceGroup -Name dest-webapp -Location "South Central US" -AppServicePlan DestinationAppServicePlan -SourceWebApp $srcapp -TrafficManagerProfileName newTrafficManagerProfile
the above commands fail with ""Creating app with backup from 'subscriptiondetailshere' failed: Detail: Hostname \'abc.xyz.companydomain.com\' conflicts with an already existing hostname. ExtendedCode: 04005"
FYI : the apps are hosted in standard app service plan. I did read documentation saying only the premium apps can be cloned but I was able to clone this particular app in standard plan through Azure Portal UI.
I want to be able to automate this using the ps. Any pointers are appreciated
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-app-cloning
Update:
copied web app:
Traffic manager:
First, azure web app clone does support standard app service plan. Here is a screenshot from the doc:
Second, the code you're using is correct, I did a test at my side, it's working fine(The web app is copied from central us to west us, after copied, everything is working fine):
For the conflicting error, you should check in your destination resource group if there is a existing web app with that host name(you mentioned that you can copy from azure portal, maybe you didn't delete it when you were using code to copy it).
I have an ARM Template stored in Azure Templates.
Is there a way to reference this template from script (either in Azure Cloud Shell or PowerShell/CLI on local machine)? Right now it seems the only way to deploy the template is through the Azure portal UI.
Update
I wanted to clarify what I am asking. I am asking specifically about Azure Templates (Preview) service. It seems that once you store a template in Templates service the only way to access it is through the Azure portal.
For example, let's say I am creating a VM in Azure portal. I can save the ARM template to Templates service as shown in the images below.
You can click on Download Template and parameters link, on next page click on Add to library to save the template to Templates service (Templates service can be found in Azure portal through All Service > filter for "Templates").
I was doing the course on edX.org: Automating Azure Workloads and it was talking about this service, that's why I became interested in this service.
You can deploy a template with every possible mean you mention. Not only the portal UI.
There is documentation here - section Deploy a template from external reosurce (also explains how to deploy from a private resource using SAS:
New-AzureRmResourceGroupDeployment -Name ExampleDeployment -ResourceGroupName ExampleResourceGroup `
-TemplateUri https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/101-storage-account-create/azuredeploy.json `
-storageAccountType Standard_GRS
The referenced documentation also provides sample for use with Cloud Shell.
Is it possible to move an Azure Website to a different (or new) App Service Plan?
I have already tried both the old and new portals but cannot find the options for this.
The original accepted answer is more than a year old. In Azure world, that's an eternity. The "Change App Plan" button in the Azure Portal is no longer present it appears (as of 2016-06-17), so I'm throwing in the Powershell command I needed to use in order to move a Webapp to another App Service Plan.
Set-AzureRmWebApp -Name <webapp name> -ResourceGroupName <resource group name> -AppServicePlan <new app service plan>
Set-AzureRmWebAppSlot -Name <webapp name> -Slot <slot name> -ResourceGroupName <resource group name> -AppServicePlan <new app service plan>
The option "Change App Service plan" has been moved to the APP SERVICE PLAN menu.
Yes, you can do this from the Web app blade in the Azure portal. You have to expand the toolbar though to see the option. See below.
I needed to move things between different subscriptions, which is quite possible according to documentation. Much is shamelessly copied from the azure website. This solution is taking advantage of the Azure Powershell 1.0.
First off, if you need to move a Web app and it's connected webfarm there are some limitations:
You can move Azure Web App resources using the ARM Move Resources Api.
Azure Web Apps currently supports the following move scenarios:
Moving the entire contents of a resource group (web apps, app service plans, and certificates) to another resource group.
Note: The destination resource group can not contain any Microsoft.Web resources in this scenario
Moving individual web apps to a different resource group, while still hosting them in their current app service plan (the app service
plan stays in the old resource group)
Basically you need to get the resource id from the resources you want to move and use the Move-AzureRmResource command. You'll naturally need an Azure login which is able to read and write to the subscriptions involved.
$webapp = Get-AzureRmResource -ResourceGroupName OldGroup -ResourceName WebApp -ResourceType Microsoft.Web/sites
$plan = Get-AzureRmResource -ResourceGroupName OldGroup -ResourceName Plan -ResourceType Microsoft.Web/serverFarms
Move-AzureRmResource -DestinationResourceGroupName NewGroup -ResourceId ($webapp.ResourceId, $plan.ResourceId) -DestinationSubscriptionId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
I'd point out that if you're moving the resources to another subscription, there are some caveats. First, that subscription must have rights to provision the website in that region, the API's for that are beyond this scope, but simply creating a website and removing it will give the subscription those rights. In my case i had a second error which is still unresolved, but i suspect that other resources that are connected to the resources being moved are the culprits. Will update with further information if i resolve the issue.
As a final note, there is also the possibility to use the REST API.