Rolling out things using policy, e.g. new agents

Bombbe 1,616 Reputation points

Let's say that I have 10 servers in my resource group and I want to install something on them using Azure Policy (Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity), e.g. Azure Monitor Agent. If I put the policy at the RG level, it will by default install that agent on all VMs, but what if I don't want all of them to be installed at the same time, in case something breaks (testing first)? So I would basically want to roll out agents a few VMs at a time.

I know that policy allows exclusions at the resource level, but do they 'support' this kinda scenario, where I would drop VMs one by one from the exclusions and, once dropped, they would receive that agent automatically after the policy has finished evaluating (because they are dropped from the exclusions)? Or should I look for something else as an installation method for this kinda scenario?

We really would like to use policy but are just wondering whether it is really suited for this kinda task.

Azure Policy

Accepted answer
  1. Andrew Blumhardt 9,841 Reputation points Microsoft Employee

    I can't speak to the exclusion option, but policy-based extension deployments are very reliable. The monitoring agents are low impact. Rolling back is as easy as removing the extension. Scoping the policy to the RG level would only onboard the VMs in that RG. You can also manually onboard individual VMs for testing. There is also a policy remediation task option if you find that the exclusion updates take longer than expected.
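One way to script the wave-by-wave rollout the question describes, combined with the remediation task the answer mentions (an added example, not part of the original thread and not Microsoft's code). The assignment name, resource group, wave size and remediation name are placeholders; deployIfNotExists policies act on their own only when a resource is created or updated, so the script starts a remediation task for the VMs that were just released from the exclusions.

```shell
# Added example. Arguments are placeholders:
#   release_wave <assignment-name> <resource-group> <wave-size>

# Split the current exclusion list (one resource ID per line on stdin):
# the first N IDs form the wave to release, the rest stay excluded.
wave_to_release()      { head -n "$1"; }
remaining_exclusions() { tail -n +"$(( $1 + 1 ))"; }

# Release the next wave of VMs from the assignment's exclusions, then
# re-evaluate and remediate so the newly in-scope VMs get the extension.
release_wave() {
  local assignment="$1" rg="$2" size="$3" scope current keep
  scope=$(az group show --name "$rg" --query id -o tsv) || return 1
  current=$(az policy assignment show --name "$assignment" --scope "$scope" \
              --query 'notScopes[]' -o tsv) || return 1
  [ -n "$current" ] || { echo "no exclusions left" >&2; return 0; }

  echo "Releasing from exclusions:"
  printf '%s\n' "$current" | wave_to_release "$size"
  keep=$(printf '%s\n' "$current" | remaining_exclusions "$size")
  if [ -z "$keep" ]; then
    # Assumption: emptying the list entirely is left as a manual step,
    # so the last wave is not applied by this script.
    echo "last wave: clear the remaining exclusions on the assignment by hand" >&2
    return 2
  fi
  # Resource IDs contain no whitespace, so word splitting is intended here.
  # shellcheck disable=SC2086
  az policy assignment update --name "$assignment" --scope "$scope" \
     --not-scopes $keep || return 1

  # Existing VMs are only changed by a remediation task; scan first so the
  # compliance state reflects the reduced exclusion list.
  az policy state trigger-scan --resource-group "$rg" || return 1
  az policy remediation create --name "ama-wave-$(date +%Y%m%d%H%M%S)" \
     --policy-assignment "$assignment" --resource-group "$rg"
}
```

Check the released VMs (extension state, heartbeat in the workspace) before running the next wave; rolling a VM back is a matter of removing the extension and putting its ID back into the exclusions.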
