How to get an event from Event Grid on successfully deploying an Azure template - azure

Say I have an https endpoint that can serve as a webhook URL for Azure Event Grid that I can provide in the Azure template. But that endpoint has not been validated yet. I also have an Azure template that I wish for a tenant/customer to deploy. What is the way for me to receive an event that deployment of the template has finished successfully?

You may leverage Azure Monitor's capability to view activity logs to monitor actions on resources. More specifically, you'll be interested in events from the Deployments resource (Microsoft.Resources/deployments).
From there you may create an alert rule + action group that will push the event to a webhook of your choice. You may also scope your alerting to a single resource group or a whole subscription. See Create an alert rule and Create and manage action groups in the Azure portal.
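The alert rule plus action group route above leaves two things to the receiving webhook: checking that a POST really came from the action group (action-group webhooks cannot sign their payloads, so a secret in the URL is the usual defence) and picking the deployment-succeeded events out of the alert payload. The following is an added example in Python, not code from the original answer; it assumes the legacy activity-log alert webhook schema (schemaId Microsoft.Insights/activityLogs with data.context.activityLog), a ?token= query parameter carrying a shared secret, and constructed names and ids throughout.

```python
import hmac
import json
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed shared secret. Azure Monitor action-group webhooks cannot sign
# their payloads, so the secret travels in the URL the action group posts to
# and the receiver rejects anything that does not carry it.
WEBHOOK_SECRET = "replace-with-a-long-random-token"

# Operation the receiver acts on (assumed legacy alert schema field values).
DEPLOYMENT_WRITE = "microsoft.resources/deployments/write"


def url_has_valid_secret(url: str) -> bool:
    """Compare the ?token= query value with the shared secret in constant time."""
    token = parse_qs(urlparse(url).query).get("token", [""])[0]
    return hmac.compare_digest(token, WEBHOOK_SECRET)


def successful_deployment(payload: dict) -> Optional[dict]:
    """Return a summary of the deployment if the alert reports a successful
    Microsoft.Resources/deployments write, otherwise None."""
    if payload.get("schemaId") != "Microsoft.Insights/activityLogs":
        return None
    data = payload.get("data", {})
    if data.get("status") != "Activated":          # "Deactivated" = alert resolved
        return None
    log = data.get("context", {}).get("activityLog", {})
    if log.get("operationName", "").lower() != DEPLOYMENT_WRITE:
        return None
    if log.get("status") != "Succeeded":           # Started / Failed are skipped
        return None
    resource_id = log.get("resourceId", "")
    return {
        "subscriptionId": log.get("subscriptionId"),
        "resourceGroup": log.get("resourceGroupName"),
        "deployment": resource_id.rsplit("/", 1)[-1],   # last segment of the resource id
        "correlationId": log.get("correlationId"),
        "caller": log.get("caller"),
    }


def handle_webhook(url: str, body: bytes) -> Tuple[int, Optional[dict]]:
    """Minimal request handler: (HTTP status to return, deployment summary or None)."""
    if not url_has_valid_secret(url):
        return 401, None
    try:
        payload = json.loads(body)
    except ValueError:
        return 400, None
    return 200, successful_deployment(payload)


# Constructed sample of what the action group would post (not a captured payload).
SAMPLE_ALERT = {
    "schemaId": "Microsoft.Insights/activityLogs",
    "data": {
        "status": "Activated",
        "context": {
            "activityLog": {
                "caller": "deployer@example.onmicrosoft.com",
                "correlationId": "00000000-0000-0000-0000-000000000001",
                "eventSource": "Administrative",
                "operationName": "Microsoft.Resources/deployments/write",
                "resourceGroupName": "customer-rg",
                "resourceId": "/subscriptions/00000000-0000-0000-0000-00000000aaaa"
                              "/resourceGroups/customer-rg/providers"
                              "/Microsoft.Resources/deployments/myTemplate",
                "status": "Succeeded",
                "subscriptionId": "00000000-0000-0000-0000-00000000aaaa",
            }
        },
    },
}
SAMPLE_BODY = json.dumps(SAMPLE_ALERT).encode()

if __name__ == "__main__":
    good_url = "https://hooks.example.com/deployed?token=" + WEBHOOK_SECRET
    print(handle_webhook(good_url, SAMPLE_BODY))
    print(handle_webhook("https://hooks.example.com/deployed?token=wrong", SAMPLE_BODY))
```

The receiver ignores "Deactivated" notifications and the Started/Failed stages of a deployment, so one alert rule scoped to the customer's subscription or resource group produces exactly one callback per completed deployment. Keep the token out of logs and rotate it by changing both the action group URI and WEBHOOK_SECRET together.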

Related

Azure Storage Account Event subscription: Event not getting delivered to subscription

The requirement is when a file gets uploaded to a storage account container, a logic should be in force to encrypt the file and place it in another container and source file should not get affected. For this I setup an event subscription in storage account, which would publish event to an event grid system topic, in turn triggers an Azure function. Below is the screenshot of event subscription setup.
The issue is the event gets published to event grid system topic but not getting delivered to subscription. I set up diagnostic settings for the event grid system topic. Below is the error that I found in logs. Can anyone tell me what am I doing wrong?
outcome=Forbidden,deliveryResponse=Forbidden, errorCode=Forbidden, HttpRequestMessage: httpVersion=1.1, HttpResponseMessage: HttpVersion=1.1, StatusCode=Forbidden(Forbidden), StatusDescription=Ip Forbidden, ConnectionInfo=defaultConnectionLimit=1024, reusePortSupported=True, reusePort=True,
To the Azure Function app, add an inbound traffic rule under the Networking option to allow traffic from Azure EventGrid.

Send Azure Blob Storage event notifications to Event Hubs on another account

In Azure, I'm trying to send event notifications from a Storage Account in one Active Directory to an Event Hub in another Active Directory.
I'm having trouble figuring out how to share/link the resource.
In AWS, I was able to accomplish this by creating a role in the receiver account, adding the source account by ID, adding the SQS Writer resource permission, and adding the SQS Queue ARN as the bucket notification destination. I'm guessing something similar is possible in Azure.
At the moment, I am looking at Active Directory IAM, which appears to have the EventGrid EventSubscription Contributor property. In the destination account I have added the source account as a contributor, and I received a notification in the source account that I had permissions in the destination account, but when I try to create an event subscription in the source account, the Event Hubs in the destination account don't show as an option.
How can I write event notifications to Event Hubs in one account from a Storage Account in another?
Absolutely yes. I think there are many ways to do that across different subscriptions, such as the two below.
Solution 1: use Azure Functions. You can use an Azure Function with a Blob Trigger to get the event notifications of blob changes, and then call another Azure Function with an HttpTrigger via PUT/POST to transfer the event message of blob information, like the blob URL with a SAS token, for access in other subscriptions.
Solution 2: use Azure Logic Apps. You can use the logic flow below to get the blob change events and send the notification message to an EventHub in other subscriptions, because Azure Logic Apps allows you to configure the connection information manually as below.
Fig 1. The logic flow to get events from Blob Storage and send to EventHub
Fig 2. Click the Manually enter connection information to configure for a service in other subscriptions.
Fig 2-A.
Fig 2-B.
Basically, two ways are supported in the Azure Event Grid Pub/Sub model for delivering events across a multi-tenant environment:
Tightly coupled delivery of the event messages to the subscriber resource based on RBAC. At the subscriber (destination) resource, you can
add a built-in role assignment such as EventGrid EventSubscription Contributor for an Azure AD user, etc.
or add a co-administrator at the Azure subscription level
The following screen snippet shows an example of the case when I am a co-administrator of two Azure subscriptions, such as Stage and Development.
Creating an Event Subscription for an event-driven blob storage topic in the AEG provider in the Stage Azure account and delivering its notification events across the Azure account boundary to the subscriber, such as an Event Hub located in the Development Azure account, is straightforward:
Loosely decoupled delivery of the event messages to the subscribers across the multi-tenant boundary based on the WebHook event handler endpoint. For Pub/Sub integration across the tenant boundary, an EventGridTrigger function with an output binding to the Event Hub resource can be used. The following screen snippet shows this example:
The above solution is very straightforward, with the capability to mediate (pre-process) an event message to the Event Hub resource.
In the case of distributing the events to other subscribers, etc. in a fan-out manner, Azure Event Grids can be cascaded as shown in the following screen snippet:
In the above solution, each tenant has its own Azure Event Grid provider and they are cascaded via the "plumbing" WebHook event handler endpoint and custom topic endpoint.
More details about the AEG cascading implementation can be found here.
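The loosely coupled and cascaded designs above hinge on one piece of "plumbing": a WebHook endpoint that first passes Event Grid's subscription validation handshake and then mediates incoming events before publishing them to the next tenant's custom topic. The following is an added example in Python of that endpoint, not code from the original answer; it assumes a hypothetical downstream custom topic URL and access key, forwards only blob created/deleted events, and returns the outbound publish request instead of sending it so the logic can be exercised offline. The sample bodies are constructed, not captured traffic.

```python
import json
import uuid
from datetime import datetime, timezone
from typing import Optional, Tuple

# Hypothetical downstream custom topic in the other tenant (assumed values).
DOWNSTREAM_TOPIC_URL = "https://tenant-b-topic.westeurope-1.eventgrid.azure.net/api/events"
DOWNSTREAM_TOPIC_KEY = "replace-with-the-custom-topic-access-key"

VALIDATION_EVENT = "Microsoft.EventGrid.SubscriptionValidationEvent"
# Only these upstream event types cross the tenant boundary; everything else is dropped.
FORWARDED_TYPES = {"Microsoft.Storage.BlobCreated", "Microsoft.Storage.BlobDeleted"}
# Data fields allowed through the mediation step; request/trace ids stay in tenant A.
FORWARDED_DATA_FIELDS = ("api", "url", "contentType", "contentLength", "blobType")


def relay_envelope(event: dict) -> dict:
    """Re-wrap an upstream Event Grid event for publishing to the downstream custom topic."""
    data = event.get("data", {})
    return {
        "id": str(uuid.uuid4()),                 # new id: this relay is a new publisher
        "eventType": event["eventType"],
        "subject": event.get("subject", ""),
        "eventTime": datetime.now(timezone.utc).isoformat(),
        "dataVersion": "1.0",
        "data": {
            **{k: data[k] for k in FORWARDED_DATA_FIELDS if k in data},
            "upstreamTopic": event.get("topic", ""),
            "upstreamEventId": event.get("id", ""),
        },
    }


def handle_event_grid_post(headers: dict, body: bytes) -> Tuple[int, Optional[dict], Optional[dict]]:
    """Return (HTTP status, JSON response body, downstream publish request or None).

    The downstream request is returned rather than sent; a real function would POST
    it to DOWNSTREAM_TOPIC_URL with the aeg-sas-key header shown."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    try:
        events = json.loads(body)
    except ValueError:
        return 400, None, None
    if not isinstance(events, list):
        return 400, None, None

    # Step 1: the handshake. Event Grid POSTs a validation event and the
    # endpoint must echo validationCode back as validationResponse.
    if hdrs.get("aeg-event-type") == "SubscriptionValidation":
        for ev in events:
            if ev.get("eventType") == VALIDATION_EVENT:
                return 200, {"validationResponse": ev["data"]["validationCode"]}, None
        return 400, None, None

    # Step 2: ordinary notifications, filtered and re-published downstream.
    forwarded = [relay_envelope(ev) for ev in events if ev.get("eventType") in FORWARDED_TYPES]
    if not forwarded:
        return 200, None, None           # nothing to relay; still acknowledge delivery
    request = {
        "method": "POST",
        "url": DOWNSTREAM_TOPIC_URL,
        "headers": {"aeg-sas-key": DOWNSTREAM_TOPIC_KEY, "Content-Type": "application/json"},
        "body": forwarded,
    }
    return 200, None, request


# Constructed samples (not captured traffic).
VALIDATION_BODY = json.dumps([{
    "id": "2d1781af-3a4c-4d7c-bd0c-e34b19da4e66",
    "topic": "/subscriptions/00000000-0000-0000-0000-00000000aaaa",
    "subject": "",
    "data": {"validationCode": "512d38b6-c7b8-40c8-89fe-f46f9e9622b6"},
    "eventType": VALIDATION_EVENT,
    "eventTime": "2024-01-01T00:00:00Z",
    "metadataVersion": "1",
    "dataVersion": "1",
}]).encode()

BLOB_BODY = json.dumps([
    {"id": "e1", "topic": "/subscriptions/00000000-0000-0000-0000-00000000aaaa/resourceGroups/rg/providers/Microsoft.Storage/storageAccounts/stagesa",
     "subject": "/blobServices/default/containers/incoming/blobs/report.csv",
     "eventType": "Microsoft.Storage.BlobCreated", "eventTime": "2024-01-01T00:00:01Z",
     "data": {"api": "PutBlob", "clientRequestId": "internal-trace-id", "url": "https://stagesa.blob.core.windows.net/incoming/report.csv",
              "contentType": "text/csv", "contentLength": 1024, "blobType": "BlockBlob"},
     "dataVersion": "", "metadataVersion": "1"},
    {"id": "e2", "topic": "/subscriptions/00000000-0000-0000-0000-00000000aaaa", "subject": "/subscriptions/x",
     "eventType": "Microsoft.Resources.ResourceWriteSuccess", "eventTime": "2024-01-01T00:00:02Z",
     "data": {}, "dataVersion": "2", "metadataVersion": "1"},
]).encode()

if __name__ == "__main__":
    print(handle_event_grid_post({"aeg-event-type": "SubscriptionValidation"}, VALIDATION_BODY))
    print(json.dumps(handle_event_grid_post({"aeg-event-type": "Notification"}, BLOB_BODY)[2], indent=2))
```

The allow-list of event types and data fields is the mediation step the answer mentions: tenant B receives the blob URL and metadata it needs, while client request ids and any event types tenant A did not intend to share never leave tenant A. The custom topic key is tenant B's credential and should be held in the function's secret store, not in code, in a real deployment.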

Monitor specific activity logs to trigger Azure Function

Usecase: Trigger Azure Function only for predefined Azure activity logs.
I tried to configure Azure Activity logs and Export to Event Hub, but it won't allow a filter to be set on it. As per the Azure documentation, the filter settings do not have an impact on export settings.
My usecase is to trigger an Azure Function only for a specific set of activity logs (say VM, VNet, NSG Create/Delete/Modify). What other Azure services can I use to accomplish this?
One option, but with some constraints, is to create Alerts at Resource Group level or even for specific resources. Alerts provide some flexibility in filtering specific events for which you would want to trigger an Action, say an Azure Func in your case.
I was thinking Azure Logic Apps would do this as well. However, to my surprise I could not find an option to add Activity Log as a trigger. Probably, it would come in the future. As Azure is updated quite frequently, keep checking every now and then to see if you get any new options to do this.
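Since the Event Hub export cannot be filtered at the source, the filtering has to happen in the consumer. The following is an added example in Python, not code from either answer, of the policy check an Event Hub triggered function would run over each exported batch; it assumes the Activity Log export shape ({"records": [...]} with upper-cased operationName, category and resultType fields) and extends the question's VM/VNet/NSG set to individual NSG security rules, since editing a rule is how an NSG is usually modified. The sample batch is constructed.

```python
import json
import re
from typing import List

# Policy table (constructed): resource types and operations that should trigger
# the function. Patterns are case-insensitive because exported records carry
# operationName in upper case (assumed export schema).
WATCHED_OPERATIONS = [
    re.compile(r"^microsoft\.compute/virtualmachines/(write|delete)$", re.I),
    re.compile(r"^microsoft\.network/virtualnetworks/(write|delete)$", re.I),
    # NSG modifications usually arrive as securityRules writes/deletes, so match those too.
    re.compile(r"^microsoft\.network/networksecuritygroups(/securityrules)?/(write|delete)$", re.I),
]


def is_watched(record: dict) -> bool:
    """True when a record is a completed write/delete on a watched resource type."""
    if record.get("category") != "Administrative":
        return False
    # Each operation is logged as Start, then Success or Failure; act once, on completion.
    if record.get("resultType") != "Success":
        return False
    op = record.get("operationName", "")
    return any(p.match(op) for p in WATCHED_OPERATIONS)


def summarise(record: dict) -> dict:
    """Fields worth handing to the downstream action (assumed export field names)."""
    return {
        "time": record.get("time"),
        "operation": record.get("operationName"),
        "resourceId": record.get("resourceId"),
        "callerIp": record.get("callerIpAddress"),
        "correlationId": record.get("correlationId"),
    }


def filter_batch(event_hub_message: bytes) -> List[dict]:
    """Apply the policy to one Event Hub message and return the records to act on."""
    records = json.loads(event_hub_message).get("records", [])
    return [summarise(r) for r in records if is_watched(r)]


# Constructed sample batch: VM write (Start + Success), a storage write, an NSG rule delete.
SAMPLE_MESSAGE = json.dumps({"records": [
    {"time": "2024-01-01T10:00:00Z", "category": "Administrative", "resultType": "Start",
     "operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE", "callerIpAddress": "198.51.100.7",
     "correlationId": "c-1", "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-00000000AAAA/RESOURCEGROUPS/RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/VM1"},
    {"time": "2024-01-01T10:00:05Z", "category": "Administrative", "resultType": "Success",
     "operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE", "callerIpAddress": "198.51.100.7",
     "correlationId": "c-1", "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-00000000AAAA/RESOURCEGROUPS/RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/VM1"},
    {"time": "2024-01-01T10:01:00Z", "category": "Administrative", "resultType": "Success",
     "operationName": "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE", "callerIpAddress": "198.51.100.7",
     "correlationId": "c-2", "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-00000000AAAA/RESOURCEGROUPS/RG/PROVIDERS/MICROSOFT.STORAGE/STORAGEACCOUNTS/SA1"},
    {"time": "2024-01-01T10:02:00Z", "category": "Administrative", "resultType": "Success",
     "operationName": "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE", "callerIpAddress": "203.0.113.9",
     "correlationId": "c-3", "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-00000000AAAA/RESOURCEGROUPS/RG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG1/SECURITYRULES/ALLOW-SSH"},
]}).encode()

if __name__ == "__main__":
    for hit in filter_batch(SAMPLE_MESSAGE):
        print(hit)
```

Acting only on resultType Success avoids double-firing on the Start record of every operation, and keeping the policy in a table means the function's behaviour can be reviewed and extended without touching the parsing code.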

Is it possible to receive an event when a new resource is created

I would like to run some automation to take some actions whenever a new resource is created in One of my subscriptions in Azure. Is this possible?
You can use Azure Event Grid for this, a solution that is built for exactly this purpose. Taken from https://learn.microsoft.com/en-us/azure/event-grid/overview
Azure Event Grid allows you to easily build applications with event-based architectures. You select the Azure resource you would like to subscribe to, and give the event handler or WebHook endpoint to send the event to. Event Grid has built-in support for events coming from Azure services, like storage blobs and resource groups.
You basically create a subscription to a certain event (such as specific resources being created) that can then be picked up by a webhook, or processed by Azure Automation or Azure Functions.

Azure native way to get notified of resource addition/modification

Actually, I am working on an event-based notification which will call a webhook/send an email in case a new resource gets added to my subscription. I could not find any Azure native service which will send me alerts/notifications in case a new resource gets added to my subscription. Using PowerShell we can keep polling the resource list as a workaround, but if there is any native Azure service or function which can help me out, please let me know.
You can use the Azure Activity Log alerts to create a webhook/SMS/email notification. This allows you to create a direct avenue straight from the Azure tooling. You can also use a variety of other methods to monitor your Azure subscription, including Log Analytics (event-based logging, alerting and analytics) and App Insights (application logging and alerting).