Azure ARM API - optimistic concurrency - azure

Through the ARM REST API, I want to read a resource (an NSG) modify it and then write it back. I want the last step (writing it back) to fail if something came along and modified the resource in between my read and my write operation. Is that possible? I see there is an ETAG property when I do a GET, perhaps there is some way to utilize it to make the write fail if the resource is modified?

As far as I know, Azure Table Storage has the ETag in ITableEntity, which is used for optimistic concurrency during updates. The Azure REST API documentation for Network Security Groups says this about etag:
A unique read-only string that changes whenever the resource is updated.
I have tried to leverage Azure Portal and resources.azure.com to simulate concurrent update operations on my NSG, and I found that there is no concurrency control on the update operation; the configurations would be overridden by the later request.
Per my understanding, there is no built-in feature for you to handle optimistic concurrency. For NSG, I assumed that you would not frequently modify it. So, I think you could try to limit the permission to update your NSG to a few people, or you could build your custom REST API for updating the NSG, get the latest NSG info, then compare the etag with your prior etag to determine whether the NSG was modified before you update it. Also, you could add your feedback here.
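The compare-before-write wrapper suggested in the answer could look like the sketch below. This is an added example, not code from the original post: `FakeArm` is a constructed in-memory stand-in for ARM GET/PUT, and `NsgUpdateGateway` is a hypothetical name for the custom update API.

```python
import threading
import uuid


class StaleEtagError(Exception):
    """The resource changed between the caller's read and this write."""


class FakeArm:
    """Constructed in-memory stand-in for ARM GET/PUT on a single NSG."""

    def __init__(self, properties):
        self._doc = {"etag": self._new_etag(), "properties": dict(properties)}

    @staticmethod
    def _new_etag():
        return 'W/"%s"' % uuid.uuid4()

    def get(self):
        return {"etag": self._doc["etag"], "properties": dict(self._doc["properties"])}

    def put(self, properties):
        # Mirrors the behaviour the answer observed: last write wins, etag changes.
        self._doc = {"etag": self._new_etag(), "properties": dict(properties)}
        return self.get()


class NsgUpdateGateway:
    """Hypothetical custom update API; every writer must call update()."""

    def __init__(self, arm):
        self._arm = arm
        self._lock = threading.Lock()  # makes compare + write atomic inside the gateway

    def read(self):
        return self._arm.get()

    def update(self, prior_etag, properties):
        with self._lock:
            current = self._arm.get()
            if current["etag"] != prior_etag:
                raise StaleEtagError("etag changed: %s -> %s" % (prior_etag, current["etag"]))
            return self._arm.put(properties)


def demo():
    gw = NsgUpdateGateway(FakeArm({"securityRules": []}))
    a, b = gw.read(), gw.read()  # two operators read the same version
    gw.update(a["etag"], {"securityRules": ["allow-ssh-from-bastion"]})
    try:
        gw.update(b["etag"], {"securityRules": ["allow-rdp"]})  # stale etag
    except StaleEtagError:
        return gw.read()["properties"]["securityRules"]
    return None
```

The lock only serialises writers that go through the gateway. An edit made directly against ARM between the gateway's GET and PUT is still not detected, which is why the answer pairs this approach with restricting who may update the NSG.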

Related

Is there a way to deploy "nested" or "tiered" resources (i.e. service bus queue) in complete mode or achieve equivalent results?

I have created a template to deploy a service bus (ServiceBus/namespace) and three "nested"/"tiered" resources: topics (ServiceBus/namespace/topics), queues (ServiceBus/namespace/queues), and authorisation rules (ServiceBus/namespace/authorizationrules). And the resources are built correctly.
However, I want the entire service bus and its tiered resources to be fully customisable from the parameter file. For the tiered resources this works when adding new resources and adjusting existing resources in the parameter file; however, I cannot find a way to delete tiered resources that are not deployed by the template.
I have tried complete deployment mode (even though I only want resources in the service bus hierarchy to be deleted); however, the tiered resources are not destroyed in the same way as resources directly beneath the resource group (i.e. the service bus itself). I have tried entirely deleting the service bus and rebuilding it, but this causes all the keys for the authorisation rules (shared access policies) to change.
If anyone knows if, and how, I can get the functionality I desire, it would be greatly appreciated.
If you want to "clean up" child resources that were not defined in the template, that may or may not work depending on how ARM recognizes the resources. TL;DR: if it's not working with complete mode as you tried it, ARM doesn't recognize those resources in a way that would clean up the extra ones.
There is an upcoming feature called deploymentStacks that will help with this scenario but today the capabilities are as you have it.
You could script a more surgical removal of those resources after deployment finishes by leveraging deploymentOperations but there's nothing more "built-in" today.

Forward Azure Metrics for very specific resources to DataDog

This question may sound a little odd, but here it goes: A customer of ours would like to get access to certain metrics of his environment of our product which we host on Azure for the customer. It's a pretty complicated deployment, but in the end it consists of an Application Gateway, some virtual machines and a dedicated Azure SQL database.
The customer now would want to get select metrics from this deployment forwarded to their own DataDog subscription, e.g. VM CPU metrics, database statistics and those things. DataDog obviously supports all this information (which is good), but as a default would slurp in information from all resources within our subscription (which is not OK).
Is there a way to fine-granularly define which data is forwarded to DataDog, e.g. the resources and also which type of metrics to forward for each resource? What are my options here? Is it enough to create a service principal with a limited reading right, or can I configure this somewhere else? I am unfortunately not familiar with DataDog.
The main thing which must be prevented is that the customer due to the metrics forwarding could get access to other metrics in our subscription - we need to control the exact scope of the metrics.
The pretty straightforward solution to this issue is to create a service principal via command line, and then to assign the monitoring role to this service principal only exactly for the resources you need. This even works down to a level of specific databases for example.
Kicker: This is not possible to do in such a granularity from the UI, but the az command line accepts assigning the monitoring reader permission on a deep resource ID level, even if the UI for this is not there. By finding the resource ID from the UI, and then using the resource ID from the command line, it's possible to achieve exactly this behaviour.
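To verify that the service principal ends up with exactly the resource-level assignments described above and nothing broader, its role assignments can be audited. This is an added example, not part of the original answer; it assumes the assignments are exported as JSON with the `scope` and `roleDefinitionName` fields that `az role assignment list` emits, and every ID and name below is constructed.

```python
ALLOWED_ROLE = "Monitoring Reader"


def scope_level(scope):
    """Classify an ARM scope string by how much it covers."""
    parts = [p.lower() for p in scope.strip("/").split("/") if p]
    if parts[:1] == ["subscriptions"] and "providers" in parts:
        return "resource"
    if len(parts) == 4 and parts[2] == "resourcegroups":
        return "resource-group"
    if len(parts) == 2 and parts[0] == "subscriptions":
        return "subscription"
    return "other"  # management group, root "/", and so on


def audit(assignments, allowed_ids):
    """Return (scope, role, reason) for each assignment outside the agreed set."""
    allowed = {s.lower().rstrip("/") for s in allowed_ids}  # ARM IDs are case-insensitive
    findings = []
    for a in assignments:
        scope, role = a["scope"], a["roleDefinitionName"]
        level = scope_level(scope)
        if level != "resource":
            findings.append((scope, role, "scope level is " + level))
        elif scope.lower().rstrip("/") not in allowed:
            findings.append((scope, role, "resource not in agreed list"))
        elif role != ALLOWED_ROLE:
            findings.append((scope, role, "role is not " + ALLOWED_ROLE))
    return findings


# Constructed IDs; substitute the resource IDs copied from the portal.
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/customer-a"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/app-vm-1"
DB = RG + "/providers/Microsoft.Sql/servers/sql-a/databases/appdb"
OTHER_DB = RG + "/providers/Microsoft.Sql/servers/sql-a/databases/internal"

# Constructed sample in the shape of `az role assignment list` output.
SAMPLE = [
    {"scope": VM, "roleDefinitionName": "Monitoring Reader"},
    {"scope": DB.lower(), "roleDefinitionName": "Monitoring Reader"},
    {"scope": RG, "roleDefinitionName": "Monitoring Reader"},
    {"scope": OTHER_DB, "roleDefinitionName": "Monitoring Reader"},
    {"scope": VM, "roleDefinitionName": "Contributor"},
]
```

Calling `audit(SAMPLE, [VM, DB])` flags the resource-group-wide assignment, the database that was never agreed, and the Contributor role on the VM, while the two intended assignments pass.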

Update Azure APIM Operation Name After Creation

Is it possible to change the operation name (a.k.a. operationId) of an Azure APIM operation after it has been created?
In the example below, I would like the auto-generated name of 5dk6e437e1fd991b3df455ff to be get-branding-information:
Changing the name is not currently supported through the Azure portal UI, but perhaps it is possible through another method? Since this URL only relates to the APIM documentation pages and is not the actual API URL, changing the name wouldn't be a breaking API change for our customers.
Developers who created the original operations on my team got a little lazy and just let the Azure portal assign an auto-generated name to multiple operations. As a result, I cannot create relative URL reference to different operations within the APIM documentation as the name value is unique in our development, QA, and production APIM environments.
Your screenshot didn't go quite high enough to show the 'OpenAPI specification View' button. Click this and you can edit the name.

Does Azure Search Provide Etags for managing concurrency for Add, Update or Delete Documents?

How to manage concurrency in Azure Search
Here it is said that Azure Search offers an optimistic concurrency model. There are no locks on a resource. Instead, there is an ETag for every resource that identifies the resource version so that you can craft requests that avoid accidental overwrites.
But Add, Update or Delete Documents (Azure Search Service REST API) has not mentioned anything about etags. Does Azure Search provide Etags for managing concurrency for Add, Update or Delete Documents?
Unfortunately we do not yet support using document version for managing concurrent add/delete/update operations on documents. As of now, as you mentioned, we only provide etags when managing "non-documents" resources (such as index definitions, synonym maps, data sources, etc.)
Please upvote the following user voice suggestion to help us prioritize the work to add support for document versioning:
https://feedback.azure.com/forums/263029-azure-search/suggestions/10413003-document-version-support-for-data-consistency-and

How to check result of Resource Removal Operation for Azure Resource

Using Resource Management API I can remove Azure resource (https://learn.microsoft.com/en-us/rest/api/resources/resources#Resources_DeleteById). This API returns 202 that removal is accepted - the resource is not removed right away though. The response header in my case contains "x-ms-request-id" value. How can I use it to get the status of this operation? Did the operation succeed? In my case I am removing the Log Analytics Solution resource.
Any help is greatly appreciated.
According to your description, I have checked this issue. I assumed that Azure would take some time to handle your request; you could leverage Azure resource Get By Id to check your Azure resource as follows:
For a simple way, you could leverage resources.azure.com, choose your resource and check the details. I removed my Log Analytics, then I could retrieve the following result:
UPDATE
According to your latest comment, I have checked the REST API again and tested the operations on both ASM and ARM; you could refer to them as follows:
For classic Azure Services (ASM)
You could use Get Operation Status with authentication using a management certificate to check the operation status.
For ARM
You could follow this tutorial about tracking asynchronous Azure operations. You could use the header values returned by the asynchronous REST operations, then request the related URL with authentication using Azure Active Directory to determine the status of your operation.
Based on your Azure service, you need to use the ARM approach.
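The ARM approach in the answer amounts to polling the URL returned in the 202 response headers until the operation reaches a final state. The sketch below is an added example, not from the original answer; it uses the `Azure-AsyncOperation`, `Location` and `Retry-After` headers that ARM documents for asynchronous operations, and `send` is a hypothetical caller-supplied function that performs the authenticated GET.

```python
import time

TERMINAL = {"succeeded", "failed", "canceled"}


def track(initial_headers, send, sleep=time.sleep, max_polls=20):
    """Follow an ARM 202 response to its final state.

    initial_headers: headers of the 202 response to the DELETE.
    send(url) -> (status_code, headers, json_body_or_None); the caller adds
    the Azure AD bearer token. Returns the final state or "TimedOut".
    """
    h = {k.lower(): v for k, v in initial_headers.items()}
    async_url = h.get("azure-asyncoperation")
    url = async_url or h.get("location")
    if url is None:
        raise ValueError("202 response carried no polling URL")
    delay = int(h.get("retry-after", 5))
    for _ in range(max_polls):
        sleep(delay)
        status, headers, body = send(url)
        headers = {k.lower(): v for k, v in headers.items()}
        delay = int(headers.get("retry-after", delay))
        if async_url:
            # Azure-AsyncOperation: the state is reported in the JSON body.
            state = (body or {}).get("status", "")
            if state.lower() in TERMINAL:
                return state
        elif status == 202:
            # Location: 202 means still running; the URL may be refreshed.
            url = headers.get("location", url)
        elif status in (200, 204):
            return "Succeeded"
        else:
            return "Failed"
    return "TimedOut"


def demo():
    # Constructed responses: two "still running" polls, then completion.
    op = iter([(200, {}, {"status": "InProgress"}),
               (200, {"Retry-After": "1"}, {"status": "InProgress"}),
               (200, {}, {"status": "Succeeded"})])
    loc = iter([(202, {}, None), (202, {}, None), (204, {}, None)])
    no_sleep = lambda seconds: None
    a = track({"Azure-AsyncOperation": "https://example.invalid/op/1"}, lambda u: next(op), no_sleep)
    b = track({"Location": "https://example.invalid/op/2"}, lambda u: next(loc), no_sleep)
    return a, b
```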

Resources