What is Azure Resource Graph?

Azure Resource Graph is a service in Azure that is designed to extend Azure Resource Management by providing efficient and performant resource exploration with the ability to query at scale across a given set of subscriptions so that you can effectively govern your environment. These queries provide the following features:

  • Ability to query resources with complex filtering, grouping, and sorting by resource properties.
  • Ability to iteratively explore resources based on governance requirements.
  • Ability to assess the impact of applying policies in a vast cloud environment.
  • Ability to detail changes made to resource properties (preview).

In this documentation, you'll go over each feature in detail.

How does Resource Graph complement Azure Resource Manager

Resource Manager currently supports queries over basic resource fields, specifically - Resource name, ID, Type, Resource Group, Subscription, and Location. Resource Manager also provides facilities for calling individual resource providers for detailed properties one resource at a time.

With Azure Resource Graph, you can access these properties the resource providers return without needing to make individual calls to each resource provider. For a list of supported resource types, review the table and resource type reference. An alternative way to see supported resource types is through the Azure Resource Graph Explorer Schema browser.

With Azure Resource Graph, you can:

  • Access the properties returned by resource providers without needing to make individual calls to each resource provider.
  • View the last 14 days of change history made to the resource to see what properties changed and when. (preview)

How Resource Graph is kept current

When an Azure resource is updated, Resource Graph is notified by Resource Manager of the change. Resource Graph then updates its database. Resource Graph also does a regular full scan. This scan ensures that Resource Graph data is current if there are missed notifications or when a resource is updated outside of Resource Manager.

Note

Resource Graph uses a GET to the latest non-preview API of each resource provider to gather properties and values. As a result, the property expected may not be available. In some cases, the API version used has been overridden to provide more current or widely used properties in the results. See the Show API version for each resource type sample for a complete list in your environment.

The query language

Now that you have a better understanding of what Azure Resource Graph is, let's dive into how to construct queries.

It's important to understand that Azure Resource Graph's query language is based on the Kusto query language used by Azure Data Explorer.

First, for details on operations and functions that can be used with Azure Resource Graph, see Resource Graph query language. To browse resources, see explore resources.

Permissions in Azure Resource Graph

To use Resource Graph, you must have appropriate rights in Role-based access control (RBAC) with at least read access to the resources you want to query. Without at least read permissions to the Azure object or object group, results won't be returned.

Note

Resource Graph uses the subscriptions available to a principal during login. To see resources of a new subscription added during an active session, the principal must refresh the context. This action happens automatically when logging out and back in.

Azure CLI and Azure PowerShell use subscriptions that the user has access to. When using REST API directly, the subscription list is provided by the user. If the user has access to any of the subscriptions in the list, the query results are returned for the subscriptions the user has access to. This behavior is the same as when calling Resource Groups - List - you get resource groups you've access to without any indication that the result may be partial. If there are no subscriptions in the subscription list that the user has appropriate rights to, the response is a 403 (Forbidden).
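Because a successful response gives no sign that it is partial, an inventory or audit job has to work out the coverage gap itself. The following is an added example, not code from the original documentation: it asks Resource Graph which of the requested subscriptions are visible and compares the answer with the list that was sent. The function names, the object-array row shape and the sample subscription IDs are assumptions made for illustration.

```python
# Added example: detect a silently partial Resource Graph result.
# Assumptions: rows arrive as a list of objects; all IDs below are constructed.

SUBSCRIPTION_QUERY = (
    "resourcecontainers "
    "| where type == 'microsoft.resources/subscriptions' "
    "| project subscriptionId"
)


def build_request(subscriptions):
    """Request body for a REST query scoped to an explicit subscription list."""
    return {"subscriptions": sorted(s.lower() for s in subscriptions),
            "query": SUBSCRIPTION_QUERY}


def coverage(requested, status_code, rows):
    """Compare the subscriptions asked for with the ones actually answered.

    Returns (visible, missing) as sorted lists of lower-cased IDs.
    """
    asked = {s.lower() for s in requested}
    if status_code == 403:
        # No subscription in the list was readable by the caller.
        return [], sorted(asked)
    if status_code != 200:
        raise ValueError(f"unexpected status {status_code}")
    seen = {row["subscriptionId"].lower() for row in rows}
    # A 200 carries no partial-result flag, so the gap must be computed.
    return sorted(asked & seen), sorted(asked - seen)


# Constructed sample: three subscriptions requested, caller can read two.
REQUESTED = [
    "11111111-1111-1111-1111-111111111111",
    "22222222-2222-2222-2222-222222222222",
    "33333333-3333-3333-3333-333333333333",
]
SAMPLE_ROWS = [
    {"subscriptionId": "11111111-1111-1111-1111-111111111111"},
    {"subscriptionId": "33333333-3333-3333-3333-333333333333"},
]

if __name__ == "__main__":
    visible, missing = coverage(REQUESTED, 200, SAMPLE_ROWS)
    print("visible:", visible)
    print("missing (result is partial):", missing)
```

A non-empty `missing` list means any compliance or asset report built from the same principal covers only part of the intended scope.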

Note

In the preview REST API version 2020-04-01-preview, the subscription list may be omitted. When both the subscriptions and managementGroupId properties aren't defined in the request, the scope is set to the tenant. For more information, see Scope of the query.

Throttling

As a free service, queries to Resource Graph are throttled to provide the best experience and response time for all customers. If your organization wants to use the Resource Graph API for large-scale and frequent queries, use portal 'Feedback' from the Resource Graph portal page. Provide your business case and select the 'Microsoft can email you about your feedback' checkbox in order for the team to contact you.

Resource Graph throttles queries at the user level. The service response contains the following HTTP headers:

  • x-ms-user-quota-remaining (int): The remaining resource quota for the user. This value maps to query count.
  • x-ms-user-quota-resets-after (hh:mm:ss): The time duration until a user's quota consumption is reset

For more information, see Guidance for throttled requests.
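A scheduled inventory or monitoring job can pace itself from these two headers instead of running into the limit. The following is an added example, not code from the original documentation: it reads both headers from a response and returns how long to pause before the next query. The function names, the `reserve` parameter and the sample header values are assumptions made for illustration.

```python
# Added example: pace queries using the two throttling headers named above.
import datetime


def _header(headers, name):
    """HTTP header names are case-insensitive; look the name up that way."""
    for key, value in headers.items():
        if key.lower() == name:
            return value.strip()
    return None


def parse_reset(value):
    """Convert an hh:mm:ss duration string into a timedelta."""
    parts = value.split(":")
    if len(parts) != 3:
        raise ValueError(f"expected hh:mm:ss, got {value!r}")
    hours, minutes, seconds = (int(p) for p in parts)
    return datetime.timedelta(hours=hours, minutes=minutes, seconds=seconds)


def seconds_to_wait(headers, reserve=0):
    """Seconds to pause before the next query.

    Returns 0.0 while more than `reserve` queries remain, the reset
    duration once the quota is down to `reserve`, and None when the
    headers are absent so the caller can apply its own default.
    """
    remaining = _header(headers, "x-ms-user-quota-remaining")
    resets = _header(headers, "x-ms-user-quota-resets-after")
    if remaining is None or resets is None:
        return None
    if int(remaining) > reserve:
        return 0.0
    return parse_reset(resets).total_seconds()


# Constructed sample headers (values are illustrative, not real quotas).
PLENTY = {"x-ms-user-quota-remaining": "12",
          "x-ms-user-quota-resets-after": "00:00:05"}
EXHAUSTED = {"X-Ms-User-Quota-Remaining": "0",
             "X-Ms-User-Quota-Resets-After": "00:00:03"}

if __name__ == "__main__":
    for sample in (PLENTY, EXHAUSTED, {}):
        print(seconds_to_wait(sample))
```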

Running your first query

Azure Resource Graph Explorer, part of Azure portal, enables running Resource Graph queries directly in Azure portal. Pin the results as dynamic charts to provide real-time dynamic information to your portal workflow. For more information, see First query with Azure Resource Graph Explorer.

Resource Graph supports Azure CLI, Azure PowerShell, Azure SDK for Python, and more. The query is structured the same for each language. Learn how to enable Resource Graph with:
