使用 Azure Resource Graph 排查错误Troubleshoot errors using Azure Resource Graph

使用 Azure Resource Graph 查询 Azure 资源时,可能会遇到错误。You may run into errors when querying Azure resources with Azure Resource Graph. 本文描述可能会发生的各种错误及其解决方法。This article describes various errors that may occur and how to resolve them.

查找错误详细信息Finding error details

大多数错误都是关于使用 Azure Resource Graph 运行查询时出现的问题。Most errors are the result of an issue while running a query with Azure Resource Graph. 当查询失败时,SDK 会提供有关失败查询的详细信息。When a query fails, the SDK provides details about the failed query. 此信息会指出存在的问题,以便可以修复问题并确保后续查询成功进行。This information indicates the issue so that it can be fixed and a later query succeeds.

常规错误General errors

场景:限制的请求数Scenario: Throttled requests

问题Issue

进行大量或频繁资源查询的客户受到了请求数限制。Customers making large or frequent resource queries have requests throttled.

原因Cause

Azure Resource Graph 基于时段为每个用户分配配额数量。Azure Resource Graph allocates a quota number for each user based on a time window. 例如,用户可以在每 5 秒的时段内最多发送 15 个查询,而不会受到限制。For example, a user can send at most 15 queries within every 5-second window without being throttled. 配额值取决于多种因素并可能会发生更改。The quota value is determined by many factors and is subject to change. 有关详细信息,请参阅 Azure Resource Graph 中的限制For more information, see Throttling in Azure Resource Graph.

解决方法Resolution

有多种方法可处理请求受限问题:There are several methods of dealing with throttled requests:

场景:订阅过多Scenario: Too many subscriptions

问题Issue

有权访问 1000 个以上订阅的客户无法通过单次调用 Azure Resource Graph 来提取所有订阅中的数据。Customers with access to more than 1000 subscriptions, can't fetch data across all subscriptions in a single call to Azure Resource Graph.

原因Cause

Azure CLI 和 PowerShell 仅将前 1000 个订阅转发到 Azure Resource Graph。Azure CLI and PowerShell forward only the first 1000 subscriptions to Azure Resource Graph. Azure Resource Graph 的 REST API 接受要对其执行查询的最大订阅数。The REST API for Azure Resource Graph accepts a maximum number of subscriptions to perform the query on.

解决方法Resolution

将对包含订阅子集的查询的批处理请求保持在 1000 个订阅的限制以下。Batch requests for the query with a subset of subscriptions to stay under the 1000 subscription limit. 解决方法是在 PowerShell 中使用 Subscription 参数。The solution is using the Subscription parameter in PowerShell.

# Replace this query with your own
$query = 'Resources | project type'

# Fetch the full array of subscription IDs
$subscriptions = Get-AzSubscription
$subscriptionIds = $subscriptions.Id

# Create a counter, set the batch size, and prepare a variable for the results
$counter = [PSCustomObject] @{ Value = 0 }
$batchSize = 1000
$response = @()

# Group the subscriptions into batches
$subscriptionsBatch = $subscriptionIds | Group -Property { [math]::Floor($counter.Value++ / $batchSize) }

# Run the query for each batch
foreach ($batch in $subscriptionsBatch){ $response += Search-AzGraph -Query $query -Subscription $batch.Group }

# View the completed results of the query on all subscriptions
$response

场景:不受支持的 Content-type REST 标头Scenario: Unsupported Content-Type REST header

问题Issue

客户查询 Azure Resource Graph REST API 时,返回 500(内部服务器错误)响应。Customers querying the Azure Resource Graph REST API get a 500 (Internal Server Error) response returned.

原因Cause

Azure Resource Graph REST API 仅支持“application/json”的 Content-TypeThe Azure Resource Graph REST API only supports a Content-Type of application/json. 某些 REST 工具或代理默认为“text/plain”,这不受 REST API 支持。Some REST tools or agents default to text/plain , which is unsupported by the REST API.

解决方法Resolution

验证用于查询 Azure Resource Graph 的工具或代理是否将 REST API 标头 Content-Type 配置为“application/json”。Validate that the tool or agent you're using to query Azure Resource Graph has the REST API header Content-Type configured for application/json.

场景:没有对列表中所有订阅的读取权限Scenario: No read permission to all subscriptions in list

问题Issue

客户使用 Azure Resource Graph 查询显式传递订阅列表时,获得 403(禁止)响应。Customers that explicitly pass a list of subscriptions with an Azure Resource Graph query get a 403 (Forbidden) response.

原因Cause

如果客户没有对提供的所有订阅的读取权限,则该请求将因缺乏相应安全权限而被拒绝。If the customer doesn't have read permission to all the provided subscriptions, the request is denied because of lack of appropriate security rights.

解决方法Resolution

在订阅列表中至少包含一个订阅,运行查询的客户对其至少具有读取访问权限。Include at least one subscription in the subscription list that the customer running the query has at least read access to. 有关详细信息,请参阅 Azure Resource Graph 中的权限For more information, see Permissions in Azure Resource Graph.

后续步骤Next steps

如果你的问题未在本文中列出,或者无法解决问题,请访问以下渠道之一获取更多支持:If you didn't see your problem or are unable to solve your issue, visit one of the following channels for more support:

  • 请通过 Azure 论坛获取 Azure 专家的解答。Get answers from Azure experts through Azure Forums.
  • 如需更多帮助,可以提交 Azure 支持事件。If you need more help, you can file an Azure support incident. 请转到 Azure 支持站点并选择“与我们联系”。Go to the Azure support site and select Contact us.