[CODE] Azure Resource Graph – Query! Fast!

You may or may not have seen how slow the Azure Portal can be (in the past). Especially when you are working in large environments with hundreds and thousands of resources it could take a while to get a view of, for example, you servers in Azure. This is where Azure Resource Graph comes into action.

But there is a lot more that Resource Graph can do for you…

What is Azure Resource Graph?!

Azure Resource Graph is a service built in to Azure, that is providing the option to do large scale queries across resources in different subscriptions (and for Managed Service Providers even in different tenants – #Lighthouse). So it is actually built with the idea of large scale deplyoments.

It is part of the Governance Toolset of Microsoft, as it can be used to:

• filter, group and search for defined resources
• explore resource in governance needs
• assess impact of policies you are developing
• follow up changes that are made to resources (preview)

The Azure Resource Graph can be used directly in the portal or via PowerShell, CLI, or REST.

In the Azure Portal you can find the Resource Graph Explorer. That is a good starting point for our first trials and errors … because you can just use without any preparation of environments, etc.

But how does this actually work …

How does Resource Graph work?!

You may now ask: „What is so special about this?“ Searching for resources was always possible via PowerShell and the Azure Resource Manager …

Yes … BUT

One of the main issues we had with the Azure Resource Manager was, that it by default just provided basic information about a resource, like ID, Name, Type. If you wanted to go deeper you had to query the resource provider.

If you think about an easy setup:

• 10 VMs
• 10 Managed Disks
• 1 VNET
• 1 Azure Firewall
• 1 Log Analytics Workspace

and you now try to get the following information:

• show me every VM where the disk is larger than 100 GB and the VM-Size is D2
• search for the system that uses the IP Adress 10.10.10.4
• …

Normally you would query different resource providers, or try to get a lot of detail… in a large environment this takes a while, as all resources are asked for detail … now with Azure Resource Graph it is a simple query and it is super fast:

What actually happens with Resource Graph is, that Microsoft pulls an Index of all details of your resources. This index is kept for 14 days, so you can even query for changes that happened over time.

Every time you change a resource in Azure, the Resource Graph is triggered to update its database with the new configuration. Besides this there is a regular „full scan“ which is checking on the current status and makes sure that no change was missed.

What is a query and what is KQL?!

A query in Azure Resource Graph is actually the information request that you have to put in in a specific way. If you ever used Log Analytics you may have seen the notation already. Everything is based on the Kusto Query Language (KQL)

When doing a query like:

resources
 | where type == "microsoft.network/networkinterfaces"
 | where properties.ipConfigurations[0].properties.privateIPAddress == "X"

you are actually following a trail into a table.

There are four tables currently available:

• Resources
• Resource Containers
• AlertsManagementResources
• SecurityResources

In those tables all details of the resources are kept … and this is what you can query for:

All queries are done with the RBAC rights of the user executing them. So take care that you at least have a read right to query for the information. If you do not have read permissions you will not get an answer from Resource Graph.

Where to start?!

If you want to start your first own queries … there are some prepared queries from Microsoft:

• Starter Resource Graph query samples
• Explore your Azure resources with Resource Graph

So enjoy graphing … or querying 🙂