Is there any way to disable or stop a particular resource group temporarily? I know we can delete the resource group or we can stop certain services under the resource group but I am unable to find a way where I can just shut down the resource group or all of it's resources at once, temporarily.
Please let me know if I can provide few more details about this.
Thanks.
This does not seem to be possible at the moment but a request has been made here, however, no response from Microsoft on what it's status.
In general, if there are features that are not available in e.g. Azure, use the feedback site to suggest and vote on new features.
However, if you only got some specific type of resources in your resource group, like e.g. virtual machines, then you can stop them all in one PowerShell command like this:
Get-AzureRmResourceGroup <group name> | Stop-AzureRmVM -Force
Note: this approach is highly dependent on the type of resource and not a generic solutions like requested
A resource group is just a bounding-box, serving as a grouping mechanism and a security boundary. You cannot "stop" a resource group, as a resource group is never running. Yes, you can delete a resource group (along with everything in it), but that's a one-shot operation. It's not a fine-grained resource-management operation.
As for the services inside a resource group: some can be stopped, some cannot. For instance, you cannot stop a storage account. Others have very different behaviors when stopped: A VM simply sleeps/hibernates until restarted with everything preserved, while an HDInsight cluster, when stopped, deletes everything.
TL;DR there is currently no way to point to a resource group and have it stop all of its services, given the variability of behavior (and the fact there's no such supported API). You'll need to manage your resource starts/stops.
I just had a new "MSDN account" hit its budget limit and that made me realize this SHOULD be achievable!
When this happened Microsoft "disabled" my subscription.
In my case, I'm actually fine with having to "fence the resources" within a subscription if I had to. But at the moment, I haven't found a way to easily stop/start it in this manor. Anyone a guru with the Azure budgets? It looks like they can be applied at a Resource Group level as well.
Can you "enable/disable" resource groups or subscriptions this way?
Simply want to create something. Pay for it, of course. Pay for storage, sure. But 'disable' it, until I need to run it. Then, Enable it. Simple. :)
I've been upvoting and watching this "Feature Request" thread for some time:
https://feedback.azure.com/forums/217313-networking/suggestions/17670613-hibernate-pause-a-resource-group-or-subscription
Related
We manage an Azure subscription operated by several countries. Each of them is quite independant about they can do (create/edit/remove resources). A guide of good practices has been sent to them, but we (security team) would like to ensure a set of NSG is systematically applied for every new subnet/vnet created.
Giving a look to Azure Triggers, I am not sure that subnet creation belongs to the auditable events. I also was told to give a look to Azure policy, but once again I am not sure this will match our expectations which are : For every new vnet/subnet, automatically apply a set of predefined NSG.
Do you have any idea about a solution for our need ?
I have done work like this in the past (not this exact issue) and the way I solved it was with an Azure Function that walked the subscription and looked for these kinds of issues. You could have the code run as a Managed Identity with Reader rights on the subscription to report issues, or as a Contributor to update the setting. Here's some code that shows how you could do this with PowerShell https://github.com/Azure/azure-policy/tree/master/samples/Network/enforce-nsg-on-subnet
You could consider using a Policy that has a DeployIfNotExists Action, to deploy an ARM template that contains all the data for the NSG. https://learn.microsoft.com/en-us/azure/governance/policy/samples/pattern-deploy-resources
You can get the ARM template by creating the NSG and getting the template:
GettingNSGTemplate
Note also that creating a subnet is audited, you can see it in the Activity Log for the VNet. See the screen shot.
AddingASubnet
When I create an AKS cluster using Azure portal I can see that new resource groups are created. It seems that I have no control over how they are named, especially the one with with "MC_" prefix. I also don't see an option to change its name when using ARM template.
In addition, if I create a cluster in customer's subscription, where I only have access to 1 resource group, I don't even see the newly created RG and can't manage it.
Is there a way to force deployment of all AKS components into a single resource group?
No, there is no way to force it at this point in time. As for the access, you should request access to that RG. No real workarounds.
Secondary resource group name can be inferred, I think, its something like:
MC_original-resource-group-name_aks-resource-name_location
it also creates OMS resource group (if you enable OMS) and Network Watcher (this can be disabled, btw, but its a provider setting). you have no control over that as well.
there is a not implemented yet nodeResourceGroup property: https://learn.microsoft.com/en-us/rest/api/aks/managedclusters/createorupdate#examples
EDIT: this is actually working right now, so the nodeResourceGroup property can be used. But it would still be a new resource group, so you would still need to request access to that group and using this property is not possible with the portal (so ARM Templates\pulumi\terraform)
I am attempting to move a resource group (that contains a VM with its dependant resources e.g. network interface etc) to a new subscription and resource group. (the move works fine if done via the GUI)
My Script:
foreach ($resource in $resources) {Move-AzureRmResource
-DestinationResourceGroupName "newresourcegroup" -ResourceId $resource.resourceID -DestinationSubscriptionId 123456}
Its failing with
Move-AzureRmResource :
{"error":{"code":"ResourceMoveProviderValidationFailed","message":"Resource
move validation failed. Please see details. Diagnostic information:
timestamp
etc...
"The move resources request does not contain all the dependent
resources. Please check error details for missing resource
ids.\"}],\"code\":\"MissingMoveDependentResources\",\"message\":\"The
move resources request does not contain all the dependent resources.
Please check error details for missing resource
ids.\"}}"},{"target":"Microsoft.Network/networkInterfaces","message":"{\"error\":{\"code\":\"MissingMoveDependentResources\",\"message\":\"The
move resources request does not contain all the dependent resources.
Please check details for missing resource Ids
Clearly I need to specify the dependant resources somehow, but there doesn't appear to be a parameter for "dependant resources" for the Move-AzureRmResource module.
a. How can I determine what the dependant resources are?
b. How do I specify them in the move cmdlet?
The move resources request does not contain all the dependent resources
According to your scripts, it seems that you just traverse through resources and move them one by one to another resource group in new subscription. But as we know, some resource may have some dependent resources, to move this type of resource (such as virtual machine etc), we should make sure we also move all of the dependent resources, otherwise, the move operation will fail.
Before moving services, we need to know what services that enable move and limitations. Besides, please refer to Use Powershell to move a VM to know how to move resource that requires the dependent resources.
I would add that a move to a new subscription requires that dependent resources be moved at the same time. This requires first organizing resources in the same RG (at this time anyway) before the move operation can succeed. If you are merely moving resources between RGs, then you could do the move without a re-org in your RGs. Remember you may have VM extensions that are hidden objects that can fail, and things like Azure Backup that would need to be addressed before and after the move.
Answer:Here is a REST validation that can be performed to identify dependent resources before attempting the move.
https://learn.microsoft.com/en-us/rest/api/resources/resources/validatemoveresources
You could then get the Resource IDs using: "$Ids = Get-AzureRMResource -ResourceGroupName $sourceRgName.ResourceGroupName | Select-Object ResourceId" then move using "Move-AzureRmResource -DestinationResourceGroupName $targetRg.ResourceGroupName
-DestinationSubscriptionId $AzureTargetSubscription.SubscriptionId
-ResourceId $Ids.ResourceID"
I would like to keep each VM in separate resource group for ease for lifecycle management. I have a cluster containing n VLMs.
So I create one resource group for common things like public IP, load balancer and put availabilitySet declaration into it because is also must be shared between VMs.
Then I create VM in separate resource group and reference to availabilitySet with
"availabilitySet": {
"id": "[resourceId('Microsoft.Compute/availabilitySets',variables('availabilitySetName'))]"
},
Of cause 'availabilitySetName' is defined.
When I deploy my template I get an error saying
{"error":{"code":"BadRequest","message":"Entity resourceGroupName in resource reference id /subscriptions/a719381f-1fa0-4b06-8e29-ad6ea7d3c90b/resourceGroups/TB_PIP_OPSRV_UAT/providers/Microsoft.Compute/availabilitySets/tb_avlbs_opsrv_uat is invalid."}}
I double checked that resource and availability set name are specified correctly.
Does it mean that I can't put a set in separate resource group from VM?
Unfortunately, having a VM use an availabilitySet in a different resource group is not supported :(.
First of all, let me ask you why you want different resource groups? I strongly believe that you're overthinking it with multiple resource groups. A resource group is basically your "Entire System" and within the boundaries of one solution, you should only have one resource group for production, one for beta/staging etc, but never mix.
If you're selling SaaS to your customers it would make sense to have one resource group for each of your customers.
And as you know, a Resource group is simply a way for you to link together and manage all of the assets in your solution; vm's, storage, databases etc under one common name. I am very doubtful as to why one would want to consider multiple resource groups in a single solution, however, I am always willing to learn :)
Availability groups
Now, Availability groups are a different thing. This has to do with "Update Domains" and "Fault Domains" for your VM instances. Because Azure does not keep 3 separate VM's for you, as it does with most of it's PaaS services, you have to manage these yourself to ensure full uptime. Basically, when you're adding two or more VM's in an Availability Set, you're ensured that planned or unplanned events, at least one of the VM's will be available to meet the SLA.
Trying to combine the two in an effort of preventing downtime may sound like a good idea, but it is not solving any problems that I'm aware of. Like the old saying goes: if it aint broke, don't fix it :)
After the new model was implemented, all of my websites now belong to individual Resource Groups called "Default-Web-East" and all of my SQL databases belong to individual Resource Groups called "Default-SQL-East".
This is confusing to say the least.
I would like to rename the groups to have some semantic meaning. I would also like to group the associated SQL database and Web Site in the same Resource Group.
However, I do not see anyway to do either. Is this possible?
1) Rename the Resource Group?
2) Combine an existing SQL DB and Website together into one Resource Group?
Edit: You can't rename an Azure Resource Group.
What you can do is move your resources to a new Resource Group instead. Moving all resources in Resource Group A to Resource Group B is the poor man's rename.
Unfortunately not all resource providers let you move resources between resource groups, and some that do might have strings attached that only let you move resources under certain conditions.
For Azure Web Apps (previously called Azure Websites) you can currently only move all the websites related resources in a single invocation. That "all websites related resources" means all resource under the provider "Microsoft.Web". This includes all websites, app hosting platforms, and certificates that are in the source resource group.
Via the portal
When viewing a group's resources, you can use the "Move" tab
Clicking the "Move" tab will show something this, allowing you to choose or create a new group:
Via Azure Powershell
The easiest way to do this is to use the Move-AzureRmResource powershell cmdlet.
The command would look like this:
Get-AzureRmResource -ResourceGroupName <sourceResourceGroupName> | Move-AzureRmResource -DestinationResourceGroupName <destResourceGroupName>
source: https://azure.microsoft.com/en-us/documentation/articles/resource-group-move-resources/
Via Rest API
The other way to do this is to use the MoveResource Rest API or with the ArmClient.
Here's the API call you'll want to make:
POST https://<endpoint>/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/moveResources?api-version={api-version}
Where {resourceGroupName} is the source resource group.
I'm pretty sure the endpoint should be "https://management.azure.com", but if you use the ArmClient the tool will just take care of the endpoint for you.
Request Body:
{
"targetResourceGroup": "/subscriptions/{subscriptionId}/resourceGroups/{targetResourceGroupNameName}",
"resources":
[
"/subscriptions/{id}/resourceGroups/{source}/providers/{namespace}/{type}/{name}",
"/subscriptions/{id}/resourceGroups/{source}/providers/{namespace}/{type}/{name}"
]
}
In addition to the main answer, Azure Portal has a feature of moving the Resources that is allowed to be moved to a new Resource group.
Go to your Resource Group that has Resources you want to move to an existing or a new created Resource Group.
Select the one, multiple or all (1) Resources you want to move and click on the Move (2) bottom as shown in image. (you can select moving to Resources with in the same subscription or to another subscription) A third option if you need just to change the Region) see the the figure at the end.
It will ask you to chose which Resource Group to move to.
Note: This process might take some time, be patient. When done, you
will see that the resource disappear from the old one and will be
found in the new one. That said some resources might be restricted
from been moved to other resources.
Move (Fixing) only region