Query your Azure Virtual Network Manager using Azure Resource Graph (ARG)
This article covers the usage of Azure Resource Graph with Azure Virtual Network Manager. Azure Resource Graph (ARG) extends Azure Resource Management allowing you to query a given set of subscriptions for better governance of your environment. With ARG integration, you can query ARG to get insights into their Azure Virtual Network Manager (AVNM) configurations. Insights are provided through customized Kusto queries offering resource level or at the regional level status data.
Using ARG with virtual network manager
The following are some of the scenarios where Azure Resource Graph can be used for insight into Azure Virtual Network Manager:
- Retrieve regional goal state data to understand the configurations that are deployed in each region and their status.
- Discover all the resources that have a particular configuration applied.
- Retrieve effective configurations that are applied to a virtual network and its provisioning state.
- Identify the number of virtual networks that succeeded, failed, or are in progress during a deployment process.
Available resources
The following resources are available for querying security admin configurations in ARG:
- microsoft.network/effectivesecurityadminrules
- microsoft.network/networkmanagers/securityadminconfigurations/rulecollections/snapshots
- microsoft.network/networkmanagers/securityadminconfigurations/rulecollections/rules/snapshots
- microsoft.network/networkmanagers/securityadminconfigurations/snapshots
- microsoft.network/networkmanagers/securityadminregionalgoalstates
Get started
To get started with querying your virtual network manager data in ARG, follow these steps:
Search for Resource Graph Explorer in the Azure portal and select the same to get redirected to the ARG query editor.
Enter your Kusto queries in the query editor and select Run Query.
You can download the output of these queries as CSV from the Resource Graph Explorer. You can also use these queries in custom automation using any automation clients supported by ARG, such as PowerShell, CLI, or SDK. You can also create custom workbooks in the Azure portal using ARG as a data source.
Note
ARG allows you to query the resources for which you have the appropriate RBAC rights.
Sample queries
The following are sample queries you can run on your virtual network manager data. You can use in them in custom dashboards and automations. Listed with each query is the input involved and the output returned.
List all virtual network managers impacting a given virtual network
Input: Enter the vnetId of the virtual network. It uses the following syntax: 00000000-0000-0000-0000-000000000000 Output: List of virtual network manager IDs.
networkresources
| where type == "microsoft.network/effectivesecurityadminrules"
| extend vnetId = "00000000-0000-0000-0000-000000000000"
| where id == strcat(vnetId,"/providers/Microsoft.Network/effectiveSecurityAdminRules/default")
| mv-expand properties.EffectiveSecurityAdminConfigurations
| mv-expand properties.effectiveSecurityAdminConfigurations
| extend configId = tolower(iff(properties_EffectiveSecurityAdminConfigurations.Id == "", properties_effectiveSecurityAdminConfigurations.id, properties_EffectiveSecurityAdminConfigurations.Id))
| extend networkManagerId = substring(configId, 0, indexof(configId, "/securityadminconfigurations/"))
| distinct networkManagerId
List commit details of latest security admin commit for a given network manager
Input: Enter id of the virtual network manager. It uses the following syntax: /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkManagers/myVirtualNetworkManager
Output: List of commit details for security admin configurations including CommitId, CommitTimestamp, location, SecurityAdminConfigurationId, SecurityAdminRuleIds, SecurityAdminRuleCollectionIds, status, and errorMessage.
networkresources
| where type == "microsoft.network/networkmanagers/securityadminregionalgoalstates"
| where id contains tolower("/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkManagers/myVirtualNetworkManager")
| extend adminConfigurationId = tolower(iff(properties.securityAdminConfigurations[0].id == "", properties.SecurityAdminConfigurations[0].Id, properties.securityAdminConfigurations[0].id))
| extend adminRuleCollectionIds = todynamic(iff(properties.securityAdminRuleCollections == "", properties.SecurityAdminRuleCollections, properties.securityAdminRuleCollections))
| extend adminRuleIds = todynamic(iff(properties.securityAdminRules == "", properties.SecurityAdminRules, properties.securityAdminRules))
| extend commitId = iff(properties.commitId == "", properties.CommitId, properties.commitId)
| extend timeStamp = todatetime(iff(properties.commitTimestamp == "", properties.CommitTimestamp, properties.commitTimestamp))
| extend status = iff(properties.status == "", properties.Status, properties.status)
| extend errorMessage = iff(properties.errorMessage == "" and properties.ErrorMessage == "", "", iff(properties.errorMessage == "", properties.ErrorMessage, properties.errorMessage))
| order by timeStamp desc
| project commitId, timeStamp, location, adminConfigurationId, adminRuleCollectionIds, adminRuleIds, status, errorMessage
Count of virtual networks impacted by a given security admin configuration
Input: Enter the adminConfigurationID of the security admin configuration snapshot. It uses the following syntax:
"/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkManagers/myVirtualNetworkManager/securityAdminConfigurations/config_2023-05-15-15-07-27/snapshots/0"
Output: List the virtual networks impacted including Region, successCount, and failedcount.
Note
The adminConfigurationId of the security admin configuration snapshot. You can get this id from the output of List commit details query.
networkresources
| where type == "microsoft.network/effectivesecurityadminrules"
| extend snapshotConfigIdToCheck = tolower("/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkManagers/myVirtualNetworkManager/securityAdminConfigurations/config_2023-05-15-15-07-27/snapshots/0")
| mv-expand properties.effectiveSecurityAdminConfigurations
| mv-expand properties.EffectiveSecurityAdminConfigurations
| extend configurationId = tolower(iff(properties_effectiveSecurityAdminConfigurations.id == "", properties_EffectiveSecurityAdminConfigurations.Id, properties_effectiveSecurityAdminConfigurations.id))
| extend provisioningState = tolower(iff(properties.ProvisioningState == "", properties.provisioningState, properties.ProvisioningState))
| where configurationId == snapshotConfigIdToCheck
| summarize count() by location, provisioningState
Next steps
Create an Azure Virtual Network Manager instance using the Azure portal.