Deploy Azure Monitor at scale using Azure Policy

While some Azure Monitor features are configured once or a limited number of times, others must be repeated for each resource that you want to monitor. This article describes methods for using Azure Policy to implement Azure Monitor at scale, so that monitoring is consistently and accurately configured for all your Azure resources.

For example, you need to create a diagnostic setting for all your existing Azure resources and for each new resource that you create. You also need to have an agent installed and configured each time you create a virtual machine. You could use methods such as PowerShell or the CLI to perform these actions, since these methods are available for all features of Azure Monitor. With Azure Policy, you can instead have logic in place that automatically performs the appropriate configuration each time you create or modify a resource.

Azure Policy

This section provides a brief introduction to Azure Policy, which allows you to assess and enforce organizational standards across your entire Azure subscription or management group with minimal effort. Refer to the Azure Policy documentation for complete details.

With Azure Policy you can specify configuration requirements for any resources that are created and then identify resources that are out of compliance, block the resources from being created, or add the required configuration. It works by intercepting calls to create a new resource or to modify an existing resource. It can respond with effects such as denying the request if it doesn't match the properties expected in a policy definition, flagging the resource as noncompliant, or deploying a related resource. You can remediate existing resources with a deployIfNotExists or modify policy definition.

Azure Policy consists of the objects in the following table. See Azure Policy objects for a more detailed explanation of each.

Item | Description
Policy definition | Describes resource compliance conditions and the effect to take if a condition is met. The condition may match all resources of a particular type or only resources that match certain properties. The effect may be to simply flag the resource for compliance or to deploy a related resource. Policy definitions are written in JSON as described in Azure Policy definition structure. Effects are described in Understand Azure Policy effects.
Policy initiative | A group of policy definitions that should be applied together. For example, you might have one policy definition to send resource logs to a Log Analytics workspace and another to send resource logs to event hubs. Create an initiative that includes both policy definitions, and apply the initiative to resources instead of the individual policy definitions. Initiatives are written in JSON as described in Azure Policy initiative structure.
Assignment | A policy definition or initiative doesn't take effect until it's assigned to a scope. For example, assign a policy to a resource group to apply it to all resources created in that resource group, or assign it to a subscription to apply it to all resources in that subscription. For more details, see Azure Policy assignment structure.

Built-in policy definitions for Azure Monitor

Azure Policy includes several prebuilt definitions related to Azure Monitor. You can assign these policy definitions to your existing subscription or use them as a basis to create your own custom definitions. For a complete list of the built-in policies in the Monitoring category, see Azure Policy built-in policy definitions for Azure Monitor.

To view the built-in policy definitions related to monitoring, perform the following steps:

  1. Go to Azure Policy in the Azure portal.
  2. Select Definitions.
  3. For Type, select Built-in, and for Category, select Monitoring.

Screenshot: the Azure Policy Definitions page in the Azure portal, showing the list of policy definitions for the Monitoring category and Built-in type.

Diagnostic settings

Diagnostic settings collect resource logs and metrics from Azure resources and send them to one or more destinations, typically a Log Analytics workspace, which allows you to analyze the data with log queries and log alerts. Use Policy to automatically create a diagnostic setting each time you create a resource.

Each Azure resource type has a unique set of categories that need to be listed in the diagnostic setting. Because of this, each resource type requires a separate policy definition. Some resource types have built-in policy definitions that you can assign without modification. For other resource types, you need to create a custom definition.

Built-in policy definitions for Azure Monitor

There are two built-in policy definitions for each resource type, one to send data to a Log Analytics workspace and another to send it to an event hub. If you only need one destination, assign that policy for the resource type. If you need both, assign both policy definitions for the resource type.

For example, the following image shows the built-in diagnostic setting policy definitions for Data Lake Analytics.

Screenshot: part of the Azure Policy Definitions page, showing the two built-in diagnostic setting policy definitions for Data Lake Analytics.

Custom policy definitions

For resource types that don't have a built-in policy, you need to create a custom policy definition. You could do this manually in the Azure portal by copying an existing built-in policy and then modifying it for your resource type. It's more efficient, though, to create the policy programmatically using a script from the PowerShell Gallery.

The script Create-AzDiagPolicy creates policy files for a particular resource type that you can install using PowerShell or the CLI. Use the following procedure to create a custom policy definition for diagnostic settings.

  1. Ensure that you have Azure PowerShell installed.

  2. Install the script with the following command:

    Install-Script -Name Create-AzDiagPolicy
    
  3. Run the script, using its parameters to specify where to send the logs. You will be prompted to specify a subscription and resource type. For example, to create policy definitions that send data to a Log Analytics workspace and an event hub, use the following command.

    Create-AzDiagPolicy.ps1 -ExportLA -ExportEH -ExportDir ".\PolicyFiles"  
    
  4. Alternatively, you can specify the subscription and resource type in the command. For example, to create policy definitions that send data to a Log Analytics workspace and an event hub for Azure SQL Server databases, use the following command.

    Create-AzDiagPolicy.ps1 -SubscriptionID xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -ResourceType Microsoft.Sql/servers/databases  -ExportLA -ExportEH -ExportDir ".\PolicyFiles"  
    
  5. The script creates a separate folder for each policy definition, each containing three files named azurepolicy.json, azurepolicy.rules.json, and azurepolicy.parameters.json. If you want to create the policy manually in the Azure portal, you can copy and paste the contents of azurepolicy.json, since it includes the entire policy definition. Use the other two files with PowerShell or the CLI to create the policy definition from a command line.

    The following examples show how to install the policy definition from both PowerShell and the CLI. Each includes metadata that sets the category to Monitoring, which groups the new policy definition with the built-in policy definitions.

    New-AzPolicyDefinition -name "Deploy Diagnostic Settings for SQL Server database to Log Analytics workspace" -policy .\Apply-Diag-Settings-LA-Microsoft.Sql-servers-databases\azurepolicy.rules.json -parameter .\Apply-Diag-Settings-LA-Microsoft.Sql-servers-databases\azurepolicy.parameters.json -mode All -Metadata '{"category":"Monitoring"}'
    
    az policy definition create --name 'deploy-diag-setting-sql-database--workspace' --display-name 'Deploy Diagnostic Settings for SQL Server database to Log Analytics workspace'  --rules 'Apply-Diag-Settings-LA-Microsoft.Sql-servers-databases\azurepolicy.rules.json' --params 'Apply-Diag-Settings-LA-Microsoft.Sql-servers-databases\azurepolicy.parameters.json' --subscription 'AzureMonitor_Docs' --mode All
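The commands above register rule and parameter files that Create-AzDiagPolicy generated. As an added example (not from this page and not the script's own code), the following PowerShell builds the same kind of deployIfNotExists rule in memory, so you can see what the generated azurepolicy.rules.json expresses: a condition on the resource type, an existence check for a diagnostic setting that already streams to the requested workspace, and an ARM deployment that creates the setting when the check fails. The function name New-DiagSettingPolicyRule, the parameter names, and the three SQL log categories in the usage are this example's own choices; confirm the category list against the documentation for your resource type, and the role names are looked up at run time rather than hard-coded.

```powershell
# Added example: build and register a deployIfNotExists policy definition for the
# diagnostic settings of one resource type. Not part of Create-AzDiagPolicy.
#Requires -Modules Az.Resources

function New-DiagSettingPolicyRule {
    param(
        [Parameter(Mandatory)] [string]   $ResourceType,   # e.g. Microsoft.Sql/servers/databases
        [Parameter(Mandatory)] [string[]] $LogCategories,  # categories documented for that type
        [string[]] $RoleDefinitionIds = @()                # roles the remediation identity needs
    )

    # One enabled entry per log category; most types accept the AllMetrics group for metrics.
    $logs = foreach ($c in $LogCategories) { @{ category = $c; enabled = $true } }

    # Diagnostic settings are a child resource of the monitored resource, so the
    # template resource type is "<resource type>/providers/diagnosticSettings".
    $template = @{
        '$schema'      = 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
        contentVersion = '1.0.0.0'
        parameters     = @{
            resourceName = @{ type = 'string' }
            logAnalytics = @{ type = 'string' }
            location     = @{ type = 'string' }
            profileName  = @{ type = 'string' }
        }
        resources = @(@{
            type       = "$ResourceType/providers/diagnosticSettings"
            apiVersion = '2017-05-01-preview'
            name       = "[concat(parameters('resourceName'), '/Microsoft.Insights/', parameters('profileName'))]"
            location   = "[parameters('location')]"
            properties = @{
                workspaceId = "[parameters('logAnalytics')]"
                metrics     = @(@{ category = 'AllMetrics'; enabled = $true })
                logs        = @($logs)
            }
        })
    }

    return @{
        if   = @{ field = 'type'; equals = $ResourceType }
        then = @{
            effect  = "[parameters('effect')]"
            details = @{
                type = 'Microsoft.Insights/diagnosticSettings'
                name = "[parameters('profileName')]"
                # Compliant only if a setting with that name already sends enabled logs to the workspace.
                existenceCondition = @{
                    allOf = @(
                        @{ field = 'Microsoft.Insights/diagnosticSettings/logs.enabled'; equals = 'true' },
                        @{ field = 'Microsoft.Insights/diagnosticSettings/workspaceId'; equals = "[parameters('logAnalytics')]" }
                    )
                }
                roleDefinitionIds = @($RoleDefinitionIds)
                deployment = @{
                    properties = @{
                        mode       = 'incremental'
                        template   = $template
                        parameters = @{
                            resourceName = @{ value = "[field('fullName')]" }
                            location     = @{ value = "[field('location')]" }
                            logAnalytics = @{ value = "[parameters('logAnalytics')]" }
                            profileName  = @{ value = "[parameters('profileName')]" }
                        }
                    }
                }
            }
        }
    }
}

# Parameters exposed by the definition; the workspace is passed in at assignment time.
$parameters = @{
    effect       = @{ type = 'String'; defaultValue = 'DeployIfNotExists'; allowedValues = @('DeployIfNotExists', 'Disabled') }
    profileName  = @{ type = 'String'; defaultValue = 'setByPolicy' }
    logAnalytics = @{ type = 'String'; metadata = @{ displayName = 'Log Analytics workspace'; strongType = 'omsWorkspace' } }
}

# Roles the deployment identity will need; resolved by name so no GUIDs are hard-coded.
$roleIds = 'Monitoring Contributor', 'Log Analytics Contributor' |
    ForEach-Object { "/providers/Microsoft.Authorization/roleDefinitions/$((Get-AzRoleDefinition -Name $_).Id)" }

# Example usage: SQL databases with three sample categories (check the full list for your type).
$rule = New-DiagSettingPolicyRule -ResourceType 'Microsoft.Sql/servers/databases' `
    -LogCategories 'SQLInsights', 'Errors', 'Timeouts' -RoleDefinitionIds $roleIds

New-AzPolicyDefinition -Name 'deploy-diag-sql-database-workspace' `
    -DisplayName 'Deploy Diagnostic Settings for SQL Server database to Log Analytics workspace' `
    -Policy ($rule | ConvertTo-Json -Depth 20) `
    -Parameter ($parameters | ConvertTo-Json -Depth 10) `
    -Mode All -Metadata '{"category":"Monitoring"}'
```

The existenceCondition is what keeps the policy from redeploying on every evaluation: a resource counts as compliant only when a setting with the given profile name already points at the assigned workspace, so changing the workspace parameter later makes existing resources noncompliant again and a remediation task can move them.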
    

Initiative

Rather than creating an assignment for each policy definition, a common strategy is to create an initiative that includes the policy definitions that create diagnostic settings for each Azure service. Create an assignment between the initiative and a management group, subscription, or resource group, depending on how you manage your environment. This strategy offers the following benefits:

  • Create a single assignment for the initiative instead of multiple assignments, one for each resource type. Use the same initiative for multiple management groups, subscriptions, or resource groups.
  • Modify the initiative when you need to add a new resource type or destination. For example, your initial requirement might be to send data only to a Log Analytics workspace, but later you want to add an event hub. Modify the initiative rather than creating new assignments.

See Create and assign an initiative definition for details on creating an initiative. Consider the following recommendations:

  • Set the Category to Monitoring to group it with related built-in and custom policy definitions.
  • Instead of specifying the details of the Log Analytics workspace and the event hub in each policy definition included in the initiative, use a common initiative parameter. This allows you to specify a common value for all policy definitions once and change that value if necessary.

Screenshot: Initiative definition

Assignment

Assign the initiative to an Azure management group, subscription, or resource group, depending on the scope of the resources you want to monitor. A management group is particularly useful for scoping policy, especially if your organization has multiple subscriptions.

Screenshot: the Basics tab settings in the Assign initiative section for Log Analytics workspace diagnostic settings in the Azure portal.

By using initiative parameters, you can specify the workspace or any other details once for all of the policy definitions in the initiative.

Screenshot: Initiative parameters

Remediation

The initiative will apply to each virtual machine as it's created. A remediation task deploys the policy definitions in the initiative to existing resources, so it allows you to create diagnostic settings for any resources that were already created. When you create the assignment using the Azure portal, you have the option of creating a remediation task at the same time. See Remediate non-compliant resources with Azure Policy for details on remediation.
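The Initiative, Assignment and Remediation sections above describe a portal workflow; as an added example (not from this page), the following PowerShell performs the same three steps from the command line: it groups existing diagnostic-setting policy definitions into one initiative that exposes a single logAnalytics parameter, assigns the initiative at subscription scope with a system-assigned managed identity, grants that identity the roles the deployIfNotExists deployments need, and starts one remediation task per member definition. The definition names, reference ids, the subscription and workspace ids, and the assignment location are placeholders to replace with your own; definitions created at subscription scope can only be assigned at or below that subscription, so an assignment at a management group would require definitions created with the ManagementGroupName parameter instead.

```powershell
# Added example: initiative with a shared workspace parameter, assignment with a
# managed identity, role grants, and remediation of existing resources.
#Requires -Modules Az.Resources, Az.PolicyInsights

$subscriptionId = '<subscription-id>'                  # placeholder
$scope          = "/subscriptions/$subscriptionId"
$workspaceId    = "/subscriptions/$subscriptionId/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<workspace>"  # placeholder

# Policy definitions created earlier (for example from Create-AzDiagPolicy output).
# The reference id is how a remediation task later addresses one member of the initiative.
$members = @(
    @{ Name = 'deploy-diag-sql-database-workspace'; ReferenceId = 'sql-db-la' },   # placeholder names
    @{ Name = 'deploy-diag-keyvault-workspace';     ReferenceId = 'keyvault-la' }
)

# Every member receives the initiative-level parameter instead of its own workspace value,
# which is the "common initiative parameter" recommendation above.
$policyDefinitions = foreach ($m in $members) {
    $def = Get-AzPolicyDefinition -Name $m.Name
    @{
        policyDefinitionId          = $def.PolicyDefinitionId
        policyDefinitionReferenceId = $m.ReferenceId
        parameters                  = @{ logAnalytics = @{ value = "[parameters('logAnalytics')]" } }
    }
}
$initiativeParameters = @{
    logAnalytics = @{ type = 'String'; metadata = @{ displayName = 'Log Analytics workspace'; strongType = 'omsWorkspace' } }
}

$initiative = New-AzPolicySetDefinition -Name 'deploy-diag-settings-workspace' `
    -DisplayName 'Deploy diagnostic settings to Log Analytics workspace' `
    -PolicyDefinition (ConvertTo-Json -InputObject @($policyDefinitions) -Depth 10) `
    -Parameter (ConvertTo-Json -InputObject $initiativeParameters -Depth 10) `
    -Metadata '{"category":"Monitoring"}'

# deployIfNotExists runs deployments under a managed identity, so the assignment needs one.
# The workspace id is supplied once here for every member definition.
$assignment = New-AzPolicyAssignment -Name 'diag-settings-workspace' `
    -DisplayName 'Diagnostic settings to Log Analytics workspace' `
    -Scope $scope -PolicySetDefinition $initiative `
    -PolicyParameterObject @{ logAnalytics = $workspaceId } `
    -IdentityType SystemAssigned -Location 'eastus'

# Outside the portal the identity is not granted roles automatically; it must hold the
# roles listed in each definition's roleDefinitionIds or the deployments fail.
# A freshly created identity can take a short time to replicate; retry if the principal is not found.
foreach ($role in 'Monitoring Contributor', 'Log Analytics Contributor') {
    New-AzRoleAssignment -ObjectId $assignment.Identity.PrincipalId -RoleDefinitionName $role -Scope $scope
}

# Remediation of an initiative assignment is started per member definition.
foreach ($m in $members) {
    Start-AzPolicyRemediation -Name "remediate-$($m.ReferenceId)" -Scope $scope `
        -PolicyAssignmentId $assignment.PolicyAssignmentId `
        -PolicyDefinitionReferenceId $m.ReferenceId
}
```

Adding a destination later, as the Initiative section suggests, then means appending another member to the array and re-running New-AzPolicySetDefinition with the same name; the existing assignment picks up the change, and only the new member needs a remediation task.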

Screenshot: Initiative remediation

Next steps