Shulou(Shulou.com)06/02 Report--

Today, let's share a wave of experience in Azure management. friends who are familiar with Azure all know that Azure can be divided into managed disks and unmanaged disks. Early VM was all unmanaged disks, which required manual maintenance and planning of disk usage, as well as 20000 IOPS restrictions. In order to solve this problem, Microsoft introduced the concept of managed disks, which have many advantages over unmanaged disks. The main points are as follows:

Simple and scalable VM deployment

Managed disks process storage behind the scenes. Previously, you had to create a storage account to store Azure VM's disks (VHD files). "when extending, you must ensure that additional storage accounts are created so that no disk exceeds the IOPS limit for storage." When using managed disks to process storage, it is no longer subject to storage account restrictions (for example, 20000 IOPS per account). In addition, you no longer need to copy custom images (VHD files) to multiple storage accounts. You can manage custom images (one storage account per Azure area) in a central location and use them to create hundreds of VM in a subscription.

Managed disks support the creation of up to 50000 VM disks of the same type in one subscription per region, which makes it possible to create tens of thousands of VM in a single subscription

Higher reliability of availability sets

Managed disks provide better reliability for availability sets by ensuring that the disks of the VM in the availability set are completely isolated from each other to avoid a single point of failure. The disk is automatically placed in a different storage scaling unit (module). If a module fails due to a hardware or software failure, only VM instances with its disks on that module will fail. For example, suppose an application is running on five VM and the VM is in one availability set. These VM disks are not stored in the same module, so if one module fails, other instances of the application can continue to run.

Highly durable and available

Azure disks have 99.999% availability. There are three copies of the data, and high persistence gives users peace of mind. If there is a problem with one or two of the copies, the remaining copies can ensure the persistence of the data and high tolerance to failures. This architecture helps Azure to continuously provide enterprise-class persistence for IaaS disks, with an annualized failure rate of 0%, reaching an industry-leading level.

Granular access control

You can use Azure role-based access control (RBAC) to assign specific permissions to managed disks to one or more users. Managed disks expose a variety of operations, including read, write (create / update), delete, and retrieve the disk's shared access signature (SAS) URI. You can grant access to only the actions that a person needs to perform his or her work. For example, if you do not want someone to copy a managed disk to a storage account, you can choose not to grant access to the export operation on that managed disk. Similarly, if you do not want someone to copy a managed disk using SAS URI, you can choose not to grant that permission to that managed disk.

So now Microsoft is also vigorously promoting the use of managed disks. Well, in practical applications, enterprise IT administrators certainly hope that users can use managed disks more often, but how to implement this? just talking about it may not work well in many cases. It is best to have some technical means to restrict the creation of unmanaged disk VM.

Azure Policy is a good solution.

Azure Policy is a service in Azure that can be used to create, assign, and manage policies. These policies will enforce different rules and effects across resources so that these resources comply with corporate standards and service-level agreements. Azure Policy meets this requirement by evaluating whether the resource conforms to the specified policy. For example, you can set a policy to allow only virtual machines of a specific SKU size in the environment. When this strategy is implemented, the compliance of new and existing resources is evaluated. By using the correct policy type, you can ensure the compliance of existing resources. You can also explicitly prohibit some actions that administrators do not want to occur through Policy.

Let's take a look at how to implement policy. Policy is also defined in the form of JSON files, so we only need to write some JSON files of policy.

The JSON files that restrict the unmanaged disk VM are as follows:

{"if": {"allOf": [{"field": "type", "equals": "Microsoft.Compute/virtualMachines"}, {"field": "Microsoft.Compute/virtualMachines/osDisk.uri" "exists": true}]}, "then": {"effect": "deny"}}

How do you translate this definition into Policy? You can use PowerShell

Run the following PowerShell command

Step 1: create a policydefinition

Step 2: create a role assignment

Later, you can see these contents in the policy of Azure Portal.

Let's give it a try. Create a Linux VM of an unmanaged disk in Portal

It can be found that in the final verification, it will be prompted to be dropped by policy deny!

Azure Policy is a very good thing, later have the opportunity to continue to share with you!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.