
More Kusto

You can tell where I’ve been working by the Kusto queries against Azure Resource Graph that I leave behind.

All Azure VNets and subnets, with subnet details:

// get all Azure VNETS and SUBNETS with associated subnets

resources

| join kind=leftouter (ResourceContainers | where type=='microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId

| where type == "microsoft.network/virtualnetworks"

| mv-expand subs=properties.subnets

| extend subnetname = subs.name

| extend subnetprefix= subs.properties.addressPrefix

| extend vnetprefix = substring(tostring(properties.addressSpace.addressPrefixes),2,strlen(tostring(properties.addressSpace.addressPrefixes))-4)

| project SubName, resourceGroup, name, vnetprefix, subnetname, subnetprefix

| sort by SubName, resourceGroup asc, name

This one for pulling back network security groups and metadata (this was originally at Thomas Balkeståhl’s blog) – tidied up:

Resources

| where type =~ "microsoft.network/networksecuritygroups"

| join kind=leftouter (ResourceContainers | where type=='microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId

| mv-expand rules=properties.securityRules

| extend direction = tostring(rules.properties.direction)

| extend priority = toint(rules.properties.priority)

| extend description = rules.properties.description

| extend destprefix = rules.properties.destinationAddressPrefix

| extend destport = rules.properties.destinationPortRange

| extend sourceprefix = rules.properties.sourceAddressPrefix

| extend sourceport = rules.properties.sourcePortRange

| extend subnet_name = split((split(tostring(properties.subnets), '/'))[10], '"')[0]

| project SubName, resourceGroup, subnet_name, name, direction, priority, destprefix, destport, sourceprefix, sourceport, description

| sort by SubName, resourceGroup asc, name, direction asc, priority asc
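The query above reads only the singular rule fields; a rule defined with several prefixes or ports keeps them in the plural arrays instead. The following is an added example, not part of the original post or of Thomas Balkeståhl's query, that narrows the same data to inbound Allow rules open to any source. It assumes the `access`, `protocol`, `sourceAddressPrefixes` and `destinationPortRanges` properties of the NSG rule schema, and the list of source values treated as "any" is an assumption to adjust:

```kusto
// Added example: inbound Allow rules reachable from any source address.
Resources
| where type =~ 'microsoft.network/networksecuritygroups'
| mv-expand rules = properties.securityRules
| extend direction = tostring(rules.properties.direction),
         access = tostring(rules.properties.access),
         priority = toint(rules.properties.priority),
         protocol = tostring(rules.properties.protocol)
| where direction =~ 'Inbound' and access =~ 'Allow'
// A rule stores its values in either the singular field or the plural array, so read both.
| extend src = tostring(rules.properties.sourceAddressPrefix),
         srcList = tostring(rules.properties.sourceAddressPrefixes),
         destport = tostring(rules.properties.destinationPortRange),
         destportList = tostring(rules.properties.destinationPortRanges)
// Source values treated as "any" (assumption; extend to match your policy).
| where src in~ ('*', 'Internet', '0.0.0.0/0') or srcList contains '0.0.0.0/0'
| join kind=leftouter (ResourceContainers | where type == 'microsoft.resources/subscriptions' | project SubName = name, subscriptionId) on subscriptionId
| project SubName, resourceGroup, name, ruleName = tostring(rules.name), priority, protocol, src, srcList, destport, destportList
| sort by SubName asc, resourceGroup asc, name asc, priority asc
```

Like the query above, this covers custom rules in `securityRules` only, not the platform default rules.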

More Kusto – The Everything Script

“The get everything about virtual machines” script.

This brings back pretty much everything – sub-second queries. Far, far easier than the old methods using PowerShell.

Resources

| where type =~ 'microsoft.compute/virtualmachines'

| extend nics=array_length(properties.networkProfile.networkInterfaces)

| mv-expand nic=properties.networkProfile.networkInterfaces

| where nics == 1 or nic.properties.primary =~ 'true' or isempty(nic)

| project subscriptionId, resourceGroup, vmId = id, vmName = name, vmSize=tostring(properties.hardwareProfile.vmSize), nicId = tostring(nic.id), location, tags.itowner, tags.businessowner, tags.application, tags.costcenter, tags.supportgroup, tags.['project'], powerstate=properties.extended.instanceView.powerState.displayStatus, os=properties.storageProfile.osDisk.osType, sku=properties.storageProfile.imageReference.sku

| join kind=leftouter (ResourceContainers | where type=='microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId

| join kind=leftouter (

  Resources

  | where type =~ 'microsoft.network/networkinterfaces'

  | extend ipConfigsCount=array_length(properties.ipConfigurations)

  | mv-expand ipconfig=properties.ipConfigurations

  | where ipConfigsCount == 1 or ipconfig.properties.primary =~ 'true'

  | project nicId = id, privIP = tostring(ipconfig.properties.privateIPAddress)) on nicId

| project-away subscriptionId, subscriptionId1, vmId, nicId, nicId1