I assume that you have a HUB/Spoke design where there is a route table, that has a default route that points all traffic to the Firewall in the hub.
On the Function App you deploy in a spoke, you need to configure outbound network integration.
It is important to enable: “Outbound internet traffic”
The configuration on the Function App needs the setting: “vnetRouteAllEnabled” = 1
using namespace System.Net
# Input bindings are passed in via param block.
param($Request, $TriggerMetadata)
$body = "<html><body>"
# Write to the Azure Functions log stream.
Write-Host "PowerShell HTTP trigger function processed a request."
# Interact with query parameters or the body of the request.
$InputString += $Request.Query.TextString
if ($InputString -eq $null) {$InputString = "Default string"}
$body += $InputString
$body += "<br><p>Version: 11</p>"
$body += "</body></html>"
$statusCode = $Request.Query.StatusCode
if ($statusCode -eq $null) {$statusCode = "OK"}
# Associate values to output bindings by calling 'Push-OutputBinding'.
Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
StatusCode = [HttpStatusCode]::$statusCode
ContentType = "text/html"
Body = $body
})
This will get last month consumption for a subscription including the money spend on marketplace.
$subscriptioname = "CHANGETHIS"
$roundDecimals = 2
$lastMonthBilling = (Get-Date).AddMonths(-1).ToString('yyyyMM')
# Set context to subscription
Set-azcontext -SubscriptionName $subscriptioname
# Get billing period
$BillingPeriod = Get-AzBillingPeriod -Name $lastMonthBilling
$startDate = $BillingPeriod.BillingPeriodStartDate.ToString("dd-MM-yyyy")
$endDate = $BillingPeriod.BillingPeriodEndDate.ToString("dd-MM-yyyy")
# Collect cost data
$currentCost = Get-AzConsumptionUsageDetail -StartDate $startDate -EndDate $endDate
$currentCost += Get-AzConsumptionMarketplace -StartDate $startDate -EndDate $endDate
# Write output to screen
Write-Host "Current Cost of Subscription" (Get-AzContext).Subscription.Name ":" ([math]::Round(($currentCost | Measure-Object -Property PretaxCost -Sum).sum,$roundDecimals))
$topLvlMgmtGrp = "CHANGETHIS" # Name of the top level management group
$subscriptions = @() # Output array
# Collect data from managementgroups
$mgmtGroups = Get-AzManagementGroup -GroupId $topLvlMgmtGrp -Expand -Recurse
$children = $true
while ($children) {
$children = $false
$firstrun = $true
foreach ($entry in $mgmtGroups) {
if ($firstrun) {Clear-Variable mgmtGroups ; $firstrun = $false}
if ($entry.Children.length -gt 0) {
# Add management group to data that is being looped throught
$children = $true
$mgmtGroups += $entry.Children
}
else {
# Add subscription to output object
$subscriptions += New-Object -TypeName psobject -Property ([ordered]@{'DisplayName'=$entry.DisplayName;'SubscriptionID'=$entry.Name})
}
}
}
$subscriptions
Normally you can only cancel/disable a subscription by code if the subscription is empty.
If you add IgnoreResourceCheck=true and thereby still cancel the subscription. This give you the grace time before deletion. Remember to change {subscriptionId} in the URI
Documentation on grace period
$startDate = Get-Date $endDate = $startDate.AddYears(80) $ObjectID = "132645645-d39e-4658-ab92-306cbb637421" $Name = "SecretName" Connect-AzureAD $aadAppsecret01 = New-AzureADApplicationPasswordCredential -ObjectId $ObjectID -CustomKeyIdentifier $Name -StartDate $startDate -EndDate $endDate $aadAppsecret01.value
using namespace System.Net
# Input bindings are passed in via param block.
param($Request, $TriggerMetadata)
$server = $Request.Query.Server
$port = $Request.Query.Port
try { (new-object Net.Sockets.TcpClient).Connect($server,$port) }
catch { $closed = $true }
if ($closed) { Write-host "nogo"; $body = "nogo for " + $server + ":" + $port }
Else { Write-host "yeah" ; $body = "yeah, clear paths to " + $server + ":" + $port }
# Associate values to output bindings by calling 'Push-OutputBinding'.
Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
StatusCode = [HttpStatusCode]::OK
Body = $body
})
Can now be done with either Azure CLI
az policy state trigger-scan --resource-group !!!resource-group-name!!!
Or powershell
Start-AzPolicyComplianceScan -ResourceGroupName !!!resource-group-name!!!
Old school with API rest call
$subscriptionId = "!!!SUBSCRIPTION ID!!!"
$uri = "https://management.azure.com/subscriptions/$subscriptionId/providers/Microsoft.PolicyInsights/policyStates/latest/triggerEvaluation?api-version=2018-07-01-preview"
$azContext = Get-AzContext
$azProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile
$profileClient = New-Object -TypeName Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient -ArgumentList ($azProfile)
$token = $profileClient.AcquireAccessToken($azContext.Tenant.Id)
$authHeader = @{
'Content-Type'='application/json'
'Authorization'='Bearer ' + $token.AccessToken
}
Invoke-RestMethod -Method Post -Uri $uri -UseBasicParsing -Headers $authHeader
{
"policyRule": {
"if": {
"allOf": [{
"field": "type",
"equals": "Microsoft.Network/publicIPAddresses"
},
{
"field": "Microsoft.Network/publicIPAddresses/publicIPAllocationMethod",
"match": "Dynamic"
}
]
},
"then": {
"effect": "deny"
}
}
}