To prevent unnecessary high bills because I forgot to turn off services, I want to pause everything in my Azure 'playground' subscription. However I want to give my co-workers more control to decide which machines and services they don't want to pause each night. Your current solution works with a centralized exception list that needs to be maintained by someone. Is there an alternative solution?
Pause everything v2 |
Solution
You should of course make some agreements about being careful with pricey services, but you can support that with a 'simple' technical solution: run a PowerShell script in Azure Automation Runbook that pauses all often used services each night. In this version of the script, exceptions are handled with tags that people can add to their own server or service. Here is how you can add a tag to for example Azure Analysis Services.
Add tags to your service or server |
For this example we will pause the following Azure parts:
- Azure Virtual Machines (not classics)
- Azure SQL Data Warehouses
- Azure Analysis Services
1) Automation Account
First we need an Azure Automation Account to run the Runbook with PowerShell code. If you don't have one or want to create a new one, then search for Automation under Monitoring + Management and give it a suitable name like 'maintenance', then select your subscription, resource group and location. For this example I will choose West Europe since I'm from the Netherlands. Keep 'Create Azure Run As account' on Yes. We need it in the code. See step 3 for more details.
Azure Automation Account |
2) Credentials
Next step is to create Credentials to run this runbook with. This works very similar to the Credentials in SQL Server Management Studio. Go to the Azure Automation Account and click on Credentials in the menu. Then click on Add New Credentials. You could just use your own Azure credentials, but the best options is to use a service account with a non-expiring password. Otherwise you need to change this regularly.
Create new credentials |
3) Connections
This step is for your information only and to understand the code. Under Connections you will find a default connection named 'AzureRunAsConnection' that contains information about the Azure environment, like the tendant id and the subscription id. To prevent hardcoded connection details we will retrieve these fields in the PowerShell code.
Azure Connections |
4) Modules
The Azure Analysis Services methods (cmdlets) are in a separate PowerShell module which is not included by default. If you do not add this module you will get errors telling you that the method is not recognized. See below for more details.
The term 'Get-AzureRmAnalysisServicesServer' is not recognized as the name of a cmdlet, function, script file, or operable program. |
Go to the Modules page and check whether you see AzureRM.AnalysisServices in the list. If not then use the 'Browse gallery' button to add it, but first add AzureRM.Profile because the Analysis module will ask for it. Adding the modules could take a few minutes!
Add modules |
5) Runbooks
Now it is time to add a new Azure Runbook for the PowerShell code. Click on Runbooks and then add a new runbook (There are also several example runbooks of which AzureAutomationTutorialScript could be useful as an example). Give your new Runbook a suitable name like 'PauseEverything' and choose PowerShell as type.
Add Azure Runbook |
6) Edit Script
After clicking Create in the previous step the editor will be opened. When editing an existing Runbook you need to click on the Edit button to edit the code. You can copy and paste the code below to your editor. Study the green comments to understand the code. Notice that this version doesn't use Runbook variables.
Edit the PowerShell code |
# PowerShell code # Connect to a connection to get TenantId and SubscriptionId $Connection = Get-AutomationConnection -Name "AzureRunAsConnection" $TenantId = $Connection.TenantId $SubscriptionId = $Connection.SubscriptionId # Get the service principal credentials connected to the automation account. $null = $SPCredential = Get-AutomationPSCredential -Name "Administrator" # Login to Azure ($null is to prevent output, since Out-Null doesn't work in Azure) Write-Output "Login to Azure using automation account 'Administrator'." $null = Login-AzureRmAccount -TenantId $TenantId -SubscriptionId $SubscriptionId -Credential $SPCredential # Select the correct subscription Write-Output "Selecting subscription '$($SubscriptionId)'." $null = Select-AzureRmSubscription -SubscriptionID $SubscriptionId ################################ # Pause AnalysisServicesServers ################################ Write-Output "Checking Analysis Services Servers" # Get list of all AnalysisServicesServers that are turned on (ProvisioningState = Succeeded) # but skip AnalysisServicesServers that have an Environment tag with the value Production $AnalysisServicesServers = Get-AzureRmAnalysisServicesServer | Where-Object {$_.ProvisioningState -eq "Succeeded" -and $_.Tag['Environment'] -ne "Production"} # Loop through all AnalysisServicesServers to pause them foreach ($AnalysisServicesServer in $AnalysisServicesServers) { Write-Output "- Pausing Analysis Services Server $($AnalysisServicesServer.Name)" $null = Suspend-AzureRmAnalysisServicesServer -Name $AnalysisServicesServer.Name } ################################ # Pause Virtual Machines ################################ Write-Output "Checking Virtual Machines" # Get list of all Azure Virtual Machines that are not deallocated (PowerState <> VM deallocated) # Filtering on tags is not supported for Azure Virtual Machines $VirtualMachines = Get-AzureRmVM -Status | Where-Object {$_.PowerState -ne "VM deallocated"} #-and $_.Tag['Environment'] -ne "Production"} # Loop through all Virtual Machines to pause them foreach ($VirtualMachine in $VirtualMachines) { # Get-AzureRmVM does not show tags therefor # filtering in Where-Object does not work. # Workaround: if statement within loop if ($VirtualMachine.Tags['Environment'] -ne "Production") { Write-Output "- Deallocating Virtual Machine $($VirtualMachine.Name) " $null = Stop-AzureRmVM -ResourceGroupName $VirtualMachine.ResourceGroupName -Name $VirtualMachine.Name -Force } } # Note: Classic Virtual machines are excluded with this script because they don't support Tags. ################################ # Pause SQL Data Warehouses ################################ Write-Output "Checking SQL Data Warehouses" # Get list of all Azure SQL Servers $SqlServers = Get-AzureRmSqlServer # Loop through all SQL Servers to check if they host a DWH foreach ($SqlServer in $SqlServers) { # Get list of all SQL Data Warehouses (Edition=DataWarehouse) that are turned on (Status = Online) # but skip SQL Data Warehouses that have an Environment tag with the value Production $SqlDatabases = Get-AzureRmSqlDatabase -ServerName $SqlServer.ServerName -ResourceGroupName $SqlServer.ResourceGroupName | Where-Object {$_.Edition -eq 'DataWarehouse' -and $_.Status -eq 'Online' -and $_.Tag['Environment'] -ne "Production"} # Loop through all SQL Data Warehouses to pause them foreach ($SqlDatabase in $SqlDatabases) { Write-Output "- Pausing SQL Data Warehouse $($SqlDatabase.DatabaseName)" $null = Suspend-AzureRmSqlDatabase -DatabaseName $SqlDatabase.DatabaseName -ServerName $SqlServer.ServerName -ResourceGroupName $SqlDatabase.ResourceGroupName } } Write-Output "Done"
Note 1: This is a very basic script. No error handling has been added. Check the AzureAutomationTutorialScript for an example. Finetune it for you own needs.
Note 2: There are often two versions of an method like Get-AzureRmSqlDatabase and Get-AzureSqlDatabase. Always use the one with "Rm" in it (Resource Managed), because that one is for the new Azure portal. Without Rm is for the old/classic Azure portal.
Note 3: Because Azure Automation doesn't support Out-Null I used an other trick with the $null =. However the Write-Outputs are for testing purposes only. Nobody sees them when they are scheduled.
Note 4: The code for Data Warehouses first loops through the SQL Servers and then through all databases on that server filtering on edition 'DataWarehouse'.
Note 5: The method to get Virtual Machines (Get-AzureRmVM) doesn't show tags. Therefor we cannot use the Where-Object filter to filter out certain tags. Workaround: if-statement within foreach loop.
7) Testing
You can use the Test Pane menu option in the editor to test your PowerShell scripts. When clicking on Run it will first Queue the script before Starting it. If nothing needs to be paused the script runs in about a minute, but pausing or deallocating items takes several minutes.
Testing the script in the Test Pane |
8) Publish
When your script is ready, it is time to publish it. Above the editor click on the Publish button. Confirm overriding any previously published versions.
Publish the Runbook |
9) Schedule
And now that we have a working and published Azure Runbook, we need to schedule it. Click on Schedule to create a new schedule for your runbook. For this pause everything script I created a schedule that runs every day on 2:00AM (02:00). This gives late working colleagues more than enough time to play with all the Azure stuff before there service will be paused.
Add Schedule |
Summary
In this post you saw how you can pause all expensive services in an Azure playground environment. If a co-worker don't wants to pause his/her service then he/she can skip that by adding a tag to the specific server or service. As mentioned before: this is not a complete list. Feel free to suggest more services, that can be paused, in the comments.