Azure Service Governance using Event Grid and Logic Apps

Posted: September 3, 2017  |  Categories: Integration Logic Apps Microsoft Azure

Azure Event Grid is a new platform service in Azure for managing events in a uniform, centralized manner. In previous posts I have discussed some of the capabilities of this service, including routing custom events, handling specific Azure Storage events, and events in general. In this post I would like to continue with another Event Grid use case: the service will play a role in simplifying policy enforcement in Ops Automation, in particular providing governance in a resource group.

Governance in an Azure Resource Group using Event Grid

Suppose you have several resource groups, and each has to reside in one region only because of data restrictions, i.e. you do not want data sitting in a data center outside of the designated region. Any Azure service in the resource group therefore has to be in the same region. If it is not, the service will be deleted by a workflow application, i.e. a Logic App.

In the following scenario, a Service Bus namespace (service) provisioned in a region other than West Central US will be detected by a Logic App that subscribes to events whose subject starts with /subscriptions/0bf166ac-9aa8-4597-bb2a-a845afe01415/resourcegroups/RG_MyResourceGroup/deployments/.

If a service is deployed outside West Central US, that service, in our scenario the Service Bus namespace, will be deleted. See the diagram below.

Logic App reacting to a deployment in the Resource Group

A Logic App will enforce the policy that no resource, i.e. service, lives outside the designated region. Once Event Grid captures the deployment event, the Logic App is triggered by it, as depicted below.

The Event Grid trigger is configured with a subject prefix filter, so the Logic App only fires for events whose subject starts with the prefix above. The subsequent action then verifies that the operation is a deployment:

@equals(triggerBody()?['data']['operationName'], 'Microsoft.Resources/deployments/write')

Next, a list of resources is requested, followed by a loop that checks whether any of them is deployed in a different region. We will use the Azure Resource Manager action "List resources by resource group (preview)". In our scenario, one of the resources is not in westcentralus!

This leads to a flag being raised, i.e. a variable set to 1. Subsequently, a condition checks whether the variable is 1 and, if so, runs the actions that delete the resource using the Azure Resource Manager action "Delete a resource". Note that both Azure Resource Manager actions are still in preview in Logic Apps.

Once a Service Bus namespace is created in a different region, the Logic App reacts as soon as provisioning is done. The result is an email (notification) and deletion of the resource.

The deletion of the resource succeeds; however, the Logic App's delete action reports a failure, i.e. 404 resource not found. This does make sense if the resource is actually gone.
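As an added example (not code from this post, nor a Logic Apps artefact), the decision the workflow makes, rewritten in plain Python over constructed data: the subject prefix filter and the operationName condition from above, the loop that flags resources outside westcentralus, and the delete outcome, where a 404 after the resource is already gone is treated as settled rather than as a failure to retry. The subscription id and subject prefix are the ones quoted in the post; the event payload, the resource ids and the normalize_region helper are my assumptions.

```python
# Added example: the governance decision of the Logic App as plain Python.
# Subject prefix and subscription id are the ones quoted in the post; the
# event, resource ids and region normalization are constructed/assumed.

SUBJECT_PREFIX = (
    "/subscriptions/0bf166ac-9aa8-4597-bb2a-a845afe01415"
    "/resourcegroups/RG_MyResourceGroup/deployments/"
)
DEPLOYMENT_WRITE = "Microsoft.Resources/deployments/write"
ALLOWED_REGION = "westcentralus"

# Constructed event, shaped like a Resource Manager event delivered by Event Grid.
SAMPLE_EVENT = {
    "subject": SUBJECT_PREFIX + "Microsoft.ServiceBus-constructed-deployment",
    "eventType": "Microsoft.Resources.ResourceWriteSuccess",
    "data": {"operationName": DEPLOYMENT_WRITE, "status": "Succeeded"},
}

RG_PREFIX = (
    "/subscriptions/0bf166ac-9aa8-4597-bb2a-a845afe01415"
    "/resourceGroups/RG_MyResourceGroup/providers/"
)

# Constructed resources, shaped like entries of the list-resources response.
SAMPLE_RESOURCES = [
    {"id": RG_PREFIX + "Microsoft.ServiceBus/namespaces/sb-constructed-ok",
     "type": "Microsoft.ServiceBus/namespaces", "location": "westcentralus"},
    {"id": RG_PREFIX + "Microsoft.ServiceBus/namespaces/sb-constructed-east",
     "type": "Microsoft.ServiceBus/namespaces", "location": "eastus"},
    # Display-name spelling of the allowed region: compliant once normalized.
    {"id": RG_PREFIX + "Microsoft.Storage/storageAccounts/stconstructed",
     "type": "Microsoft.Storage/storageAccounts", "location": "West Central US"},
]


def normalize_region(location):
    """ARM reports regions as 'westcentralus', while the portal and some tools
    show 'West Central US'; compare the normalized form so neither slips past."""
    return location.replace(" ", "").lower()


def matches_trigger(event, subject_prefix=SUBJECT_PREFIX):
    """Subject prefix filter plus the operationName condition from the post."""
    subject_ok = event.get("subject", "").startswith(subject_prefix)
    op_ok = event.get("data", {}).get("operationName") == DEPLOYMENT_WRITE
    return subject_ok and op_ok


def non_compliant_resources(resources, allowed_region=ALLOWED_REGION):
    """Ids of resources outside the allowed region (the loop that raises the flag)."""
    allowed = normalize_region(allowed_region)
    return [r["id"] for r in resources
            if normalize_region(r.get("location", "")) != allowed]


def delete_is_settled(status_code):
    """A delete is settled on 2xx and also on 404: the post observes the delete
    action reporting 404 once the resource is already gone, so treat that as
    done rather than as an error to retry."""
    return 200 <= status_code < 300 or status_code == 404


def enforce(event, resources):
    """Ids the workflow would delete for this event; [] if the trigger
    conditions are not met."""
    if not matches_trigger(event):
        return []
    return non_compliant_resources(resources)


if __name__ == "__main__":
    for rid in enforce(SAMPLE_EVENT, SAMPLE_RESOURCES):
        print("would delete:", rid)
```

Running it lists only the constructed eastus namespace; the storage account spelled "West Central US" stays, which is the reason for normalizing region names before comparing rather than matching the literal string westcentralus.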

Summary

Event Grid has a lot to offer, and it is still in preview. Wait until it has fully matured and supports a wide set of event publishers and subscribers. Moreover, this service fills the gaps with regard to event management in the serverless spectrum of Microsoft Azure. Stay tuned for more Event Grid content in the near future!

Author: Steef-Jan Wiggers

Steef-Jan Wiggers is all in on Microsoft Azure, Integration, and Data Science. He has over 15 years' experience in a wide variety of scenarios such as custom .NET solution development, overseeing large enterprise integrations, building web services, managing projects, designing web services, experimenting with data, SQL Server database administration, and consulting. Steef-Jan loves challenges in the Microsoft playing field, combining them with his domain knowledge in energy, utility, banking, insurance, health care, agriculture, (local) government, bio-sciences, retail, travel and logistics. He is very active in the community as a blogger, TechNet Wiki author, book author, and global public speaker. For these efforts, Microsoft has recognized him as a Microsoft MVP for the past 7 years.

  • Maik van der Gaag

    Looks great, but for this scenario I would use an Azure Resource Policy. The policy will make sure nothing is created in that specific region.
