
0 Votes
PeterWu-5164 asked NaveenBegurnagaraj-6327 answered

Boot diagnostics policy: enable by default and remediate by enabling if not enabled

How can I enable boot diagnostics (for troubleshooting virtual machines) through policy, and remediate by enabling it where it is not enabled?
I know there is documentation on enabling boot diagnostics: https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/boot-diagnostics
but how can we enforce this feature by default?

azure-virtual-machines

1 Vote
bryanhaslip answered

This is done through Azure Policy. Please leverage this built-in policy and target Microsoft.Compute/virtualMachines. You will create a deployIfNotExists as part of the policy definition. If not, the default will audit and enforce for new resources.

https://github.com/krnese/azure-policy-samples/tree/master/samples/Monitoring/audit-diagnostic-setting

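The policy route described in the answer above, as an added example (not code from the answer or from the linked sample): it creates a definition that evaluates the VM property Azure Policy exposes as the alias Microsoft.Compute/virtualMachines/diagnosticsProfile.bootDiagnostics.enabled, and assigns it at subscription scope. The definition name, display name, assignment name and the Audit/Deny parameterisation are assumptions made for the example.

```powershell
# Added example, not part of the original answer. Requires the Az.Resources and
# Az.PolicyInsights modules and a signed-in context (Connect-AzAccount).

# Policy rule: flag every VM whose bootDiagnostics.enabled is anything other than true.
# A VM created without a diagnosticsProfile at all also fails "equals true", so new
# resources that simply omit the block are caught as well.
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
      { "field": "Microsoft.Compute/virtualMachines/diagnosticsProfile.bootDiagnostics.enabled", "notEquals": "true" }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@

# Effect is a parameter so the same definition can run as Audit first and be
# switched to Deny for new deployments once the estate is clean.
$parameters = @'
{
  "effect": {
    "type": "String",
    "allowedValues": [ "Audit", "Deny", "Disabled" ],
    "defaultValue": "Audit",
    "metadata": { "displayName": "Effect" }
  }
}
'@

# Names below are assumed for the example.
$definition = New-AzPolicyDefinition -Name 'require-vm-boot-diagnostics' `
    -DisplayName 'Boot diagnostics must be enabled on virtual machines' `
    -Policy $rule -Parameter $parameters -Mode Indexed

$scope = "/subscriptions/$((Get-AzContext).Subscription.Id)"
New-AzPolicyAssignment -Name 'require-vm-boot-diagnostics' -PolicyDefinition $definition `
    -Scope $scope -PolicyParameterObject @{ effect = 'Audit' }

# After the next evaluation cycle, list the VMs the assignment reports as non-compliant.
Get-AzPolicyState -PolicyAssignmentName 'require-vm-boot-diagnostics' `
    -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, ComplianceState
```

Audit only reports and Deny only blocks new or updated VMs; neither changes an existing VM. Bringing the current fleet into compliance needs either a definition with a remediation effect (deployIfNotExists or modify) plus a remediation task, or an imperative script that updates each non-compliant VM.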

0 Votes
EDDYGARCIAGALDAMES-4602 answered

@bryanhaslip I don't see how Microsoft.Insights/diagnosticSettings is the same as Microsoft.Compute/virtualMachines/diagnosticsProfile.bootDiagnostics.

What this policy enables is Monitoring Insights, providing platform logs, whereas Boot Diagnostics provides screenshots of the splash screen and serial console information. I understand this can be deployed via the portal or via PowerShell. https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/boot-diagnostics#enable-boot-diagnostics-on-existing-virtual-machine

However, I would also like to deploy this via a policy. I stumbled across what seemed like a gem. https://github.com/Azure/azure-policy/issues/154

Alas, I'm unable to fully understand whether what is required is simply the storage account name or the storage account URI, especially when wanting to use a storage account in a different subscription.

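On the name-versus-URI question raised above, an added example (not code from the post or from the linked GitHub issue): the VM property diagnosticsProfile.bootDiagnostics.storageUri is the storage account's blob endpoint URI, not its name, and because ARM only stores that URI the account can sit in another subscription. The script enables boot diagnostics on every VM in the current subscription that is not already pointed at the chosen account. The account name is an assumption; the behaviour that Set-AzVMBootDiagnostic -Enable without an account name enables managed boot diagnostics applies to recent Az.Compute versions.

```powershell
# Added example, not part of the original post. Requires the Az.Compute module and a
# signed-in context whose current subscription holds the VMs to remediate.

$storageAccountName = 'mybootdiagsa'   # assumed name; the account may be in another subscription
# This is the form the storageUri property expects: the account's blob endpoint, with trailing slash.
$storageUri = "https://$storageAccountName.blob.core.windows.net/"

foreach ($vm in Get-AzVM) {
    $boot = $vm.DiagnosticsProfile.BootDiagnostics
    if ($boot -and $boot.Enabled -eq $true -and $boot.StorageUri -eq $storageUri) {
        continue   # already enabled and already writing to the chosen account
    }

    # -StorageAccountName on Set-AzVMBootDiagnostic looks the account up in the current
    # subscription only. Enable first (managed boot diagnostics on recent Az.Compute),
    # then overwrite StorageUri directly so a cross-subscription account is accepted.
    Set-AzVMBootDiagnostic -VM $vm -Enable | Out-Null
    $vm.DiagnosticsProfile.BootDiagnostics.StorageUri = $storageUri

    Write-Host "Enabling boot diagnostics on $($vm.Name) -> $storageUri"
    # Update-AzVM is what actually writes the changed diagnosticsProfile back to ARM.
    Update-AzVM -ResourceGroupName $vm.ResourceGroupName -VM $vm | Out-Null
}
```

Run it once with Write-Host only (comment out Update-AzVM) to see which VMs would change. The storage account's own network rules still have to allow the platform to write screenshots and serial output to it, whichever subscription it lives in.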

0 Votes
NaveenBegurnagaraj-6327 answered

I tried the policy, but it did not work as expected.
