Tao Yang's System Center Blog
1,325 FOLLOWERS
Welcome to my blog! My name is Tao Yang, I am a system engineer based in Melbourne, Australia. I spend most of my time working on Microsoft technologies. This blog provides a place for me to share my thoughts on various aspect of enterprise system management, especially SCOM, SCCM and PowerShell scripting.
Tao Yang's System Center Blog
1w ago
In the current customer engagement, we wanted to replace the Microsoft Defender for Cloud recommendation A maximum of 3 owners should be designated for subscriptions with an Azure Monitor Alert rule. This is because this defender for cloud assessment cannot be customized (in terms of increase or decrease the threshold of 3). We want to leverage Azure Resource Graph in the alert rule by configuring the alert rule to run a pre-defined Azure Resource Graph query on a schedule ..read more
Tao Yang's System Center Blog
1M ago
Previously, I have published a blog post about Azure Policies for Restricting Service Tag in Network Security Groups. In that post, I shared the policy definitions that can be used to restrict a specific service tag in either inbound or outbound Azure NSG rules. These policies were designed to prevent the use of specific service tags in NSG rules. But when there are too many tags to restrict, this approach may not be practical and introduces a lot of admin overhead ..read more
Tao Yang's System Center Blog
4M ago
Recently Tenable has reported a vulnerability on Azure Network Security Groups (NSG) related to the use of service tags in NSG rules You can read more about this vulnerability from Tenable’s blog post and Microsoft’s response HERE.
The customer that I’m working for right now raised the concern and we were asked if we can use Azure policy to restrict certain service tags from being used in NSG rules.
My colleagues and I spent some time and came up with the policy definitions that can be used to restrict a specific service tag from being used as the value of either sourceAddressPrefix or destina ..read more
Tao Yang's System Center Blog
8M ago
Introduction
I have used the Common Azure Resource Modules Library (CARML) modules for Azure Policies in several projects. I have seen few customers ran into limitations with the policy modules, especially the modules for policy definition and initiatives.
When using the CARML modules for policy definitions and initiatives to deploy custom policy definitions, in your Bicep template, you would call the module for every single definition. As we all know, in Bicep, every time when you call a module, it becomes a nested deployment. This means if you have 100 policy definitions to deploy, you will ..read more
Tao Yang's System Center Blog
9M ago
Introduction
Most of my work over the last couple of years has been focused on Azure Bicep and more specifically, CARML(Common Azure Resource Modules Library). I have presented this topic in various occasions (i.e. on the AzureTar’s YouTube Channel, and at Experts Live Australia 2023). I have also made several contributions to the CARML project.
In the YouTube videos and the Experts Live talk, I have teamed up with Ahmad Abdalla (@ahmadkabdalla) and Jorge Arteiro (@JorgeArteiro) and covered the concept and benefits of developing your own “overlay” Bicep modules based on CARML modules.
The CARM ..read more
Tao Yang's System Center Blog
11M ago
Using Azure policies to manage the configuration of resources has become a very common practice and there are already many articles covering this topic. When it comes to Azure Private Endpoints (PE), Pretty much all my customers using Azure Policy to register the DNS records for Private Endpoints. This process is well documented here: Private Link and DNS integration at scale.
Few weeks ago, I had a requirement to restrict Private Endpoints of certain Azure resources must be created with manual approval. This is because Private Endpoints for certain resources must only be created under very sp ..read more
Tao Yang's System Center Blog
1y ago
Introduction
This is the 3rd time I’m talking about the topic of monitoring Azure Policy compliance states using Azure Monitor. Previously in 2021, I have created a custom solution using an Azure Function app to ingest policy compliance data into Log Analytics. You can find the blog post here Monitoring Azure Policy Compliance States - 2021 Edition.
Over the last few years, I have spoken to the Azure governance product group numerous times on the topic of allowing people to query Azure Resource Graph (ARG) within Azure Monitor. Monitoring policy compliance state is a perfect use case for this ..read more
Tao Yang's System Center Blog
1y ago
Introduction
Being an DevOps consultant for Azure, most of the large enterprise customers I have worked with are using Azure DevOps (either the cloud version or the on-premises ADO servers).
For every project that I’m part of, the Self-Hosted agents have always been a pre-requisites that we request customers to provision before the start of our engagements. The project team would provide customers the requirements for the agents, such as Operating System type and version, list of required software, list of URLs need to be whitelisted on their Firewalls, etc.. Then in the ideal world the custom ..read more
Tao Yang's System Center Blog
1y ago
Over the last few months, I teamed up with my good friend Jorge Arteiro (@JorgeArteiro) and Ahmad Abdalla(@ahmadkabdalla) from Microsoft Australia and recorded a 2-part video series for Microsoft’s open source project Common Azure Resource Modules Library https://aka.ms/carml. CARML is a collection of fully tested and verified Azure Bicep modules that can be used to deploy Azure resources.
In part 1 we have given an introduction for CARML, what does it offer. In Part 2, we have dived deeper and demonstrated how we can use CARML modules to deploy Azure resources or further develop more refined ..read more
Tao Yang's System Center Blog
1y ago
In Azure ARM / Bicep templates, there is a function called guid() which allows you to generate a unique GUID. You can use this function as many times as you want, as long as the input strings are the same, the output GUID will always be the same.
I use the guid() function a lot when working on Bicep code, however, few weeks ago I needed to generate unique GUIDs within a PowerShell script. I couldn’t find any existing code examples, so I came up with my own:
Function GenerateGuid {
[CmdletBinding()]
param (
[parameter(Mandatory = $true)]
[string[]]$inputStrings
)
$enc = [syste ..read more