Introduction to Azure Resource Graph for App Service

5 minute read • By Jordan Selig • October 29, 2021

Azure Resource Graph (ARG) is an Azure service that lets you query and explore your Azure resources across a given set of subscriptions so that you can effectively govern your environments, especially if you manage multiple large-scale environments. Azure Resource Graph powers the Azure portal’s search bar, the new browse ‘All resources’ experience, and Azure Policy’s Change history visual diff.

With Azure Resource Graph, you can:

  • Query resources with complex filtering, grouping, and sorting by resource properties
  • Iteratively explore resources based on governance requirements
  • Assess the impact of applying policies in a vast cloud environment
  • Detail changes made to resource properties (preview)

For more details on how to use Azure Resource Graph, see the documentation.

Benefits of Azure Resource Graph

Prior to Azure Resource Graph, you had access to services like Azure Resource Manager (ARM) to query your resources. Resource Manager only supports queries over basic resource fields; for detailed properties, it provides the ability to call individual resource providers one resource at a time. With Azure Resource Graph, you can access the properties the resource providers return without making individual calls to each resource provider. This increases investigation efficiency and simplifies escalation paths for monitoring, incident response, and investigation teams.

Azure Resource Graph and App Service

Limitations

As of publishing this post, the following Microsoft.web resource types are supported by Azure Resource Graph:

  • microsoft.web/apimanagementaccounts
  • microsoft.web/apimanagementaccounts/apis
  • microsoft.web/certificates
  • Microsoft.Web/connectionGateways (On-premises Data Gateways)
  • Microsoft.Web/connections (API Connections)
  • Microsoft.Web/customApis (Logic Apps Custom Connector)
  • Microsoft.Web/HostingEnvironments (App Service Environments)
  • Microsoft.Web/KubeEnvironments (App Service Kubernetes Environments)
  • Microsoft.Web/serverFarms (App Service plans)
  • Microsoft.Web/sites (App Services)
  • microsoft.web/sites/premieraddons
  • Microsoft.Web/sites/slots (App Service (Slots))
  • Microsoft.Web/StaticSites (Static Web Apps)
  • Microsoft.Web/WorkerApps (Container Apps)

For a full list of supported resource types, review the table and resource type reference.

Azure Resource Graph currently receives notifications for all resources tracked by ARM. For resources or resource properties that change outside of ARM (i.e. resources not tracked by ARM), the team is currently working on onboarding them so that users can access them using ARG. This is an ongoing process the ARG team is working through. Refer to the table and resource type reference for updates as additional resources gain support.

Querying resources

There are a number of quickstarts provided by the ARG team to help you get started with running queries. The Portal is a good place to start, as it gives you a GUI-based experience and formatted results that link to the queried resources for easy navigation. The query structure is based on Kusto Query Language (KQL).

To get you started with ARG for App Service, below are basic queries to give you an idea of what you can query as well as what these queries can be used for.

To see all sites across all subscriptions and resource groups:

resources
| where type == "microsoft.web/sites"

Below is a sample of the output. If you have more sites in your account, they will all be listed.

[Image: basic query]

You can select “See details” at the end of the row to view additional information about your resources.

You can query on any of the available fields for the specific resource. For example, if you want to see all your sites that are located in Central US:

resources
| where type == "microsoft.web/sites"
| where location == "centralus"

Or if you want to see all of your running sites, you can drill into the “properties” object:

resources
| where type == "microsoft.web/sites"
| where properties.state == "Running"

Many of the fields, specifically in the “properties” object, currently show as “null.” For example, if you are looking for details about the “siteConfig” object, the resource provider does not expose them at this time, because these properties are not tracked by ARM and have not yet been onboarded to ARG. Review the limitations to understand what properties are currently available.

Additionally, you can use ARG to do analytics and create dashboards to monitor your resources.

To get a sites count by region:

resources
| where type == "microsoft.web/sites"
| summarize count() by location

And to create a visual, you can select “Charts” under the query box and choose from the given visualization options. Below is a map of the distribution of sites in a demo account.

[Image: region query]
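The count-by-region query above, extended so that properties returned as “null” are reported separately from real values. This is an added example, not a query from the original post. It assumes the `properties.httpsOnly` field of Microsoft.Web/sites, which the post does not mention, is populated in your environment.

```kusto
// Added example: App Service inventory per subscription and region.
// A null property means "not exposed by the resource provider or not
// applicable", so it is bucketed as unknown instead of being read as false.
resources
| where type =~ "microsoft.web/sites"
| extend state     = tostring(properties.state),
         httpsOnly = tobool(properties.httpsOnly)   // assumed field, see lead-in
| extend httpsStatus = case(
    isnull(httpsOnly), "unknown (null in ARG)",
    httpsOnly,         "https only",
                       "http allowed")
| summarize sites   = count(),
            running = countif(state == "Running")
    by subscriptionId, location, httpsStatus
| order by subscriptionId asc, location asc, httpsStatus asc
```

Rows in the “unknown” bucket need to be checked against the resource provider directly before being counted in a compliance report.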

Change detection (preview)

Change detection is now in public preview for all resources that support complete mode deletion. For App Service, as of writing this article, the relevant resources that are supported include Microsoft.web/sites, Microsoft.web/sites/slots, Microsoft.Web/serverFarms as well as a couple of additional resources that can be found here.

With change detection, the last 14 days of change history (properties that are added, removed, or altered) for the supported resources are available and can be accessed from the APIs directly or from the Portal, which provides a visual diff for each change. Change history can assist in determining causes of non-compliance and help you determine when a change was made and by whom so further investigation can be conducted.

For example, if you want to see when an app setting was modified, head over to the “Activity log” for your App Service and filter to your resource. Select the relevant “Operation name” and then “Change detection (preview)” in the flyout on the right. Double-clicking the operation in the list will take you to a visual diff so you can see exactly what changed in the JSON config of the resource.

[Image: app setting change]

Or if you want to see when someone modifies access restrictions for an app, you can see all changes to your firewall rules:

[Image: security change]

Change detection should enable you to view changes for any field in the JSON config of the supported resources as long as the field does not have a “null” value. A value of “null” indicates the resource provider is either not exposing this information at this time, or the field does not apply to your resource.

Wrapping up

The Azure Resource Graph team is continuously adding support for App Service to give users access to more information about their resources. Make sure to check the table and resource type reference regularly for updates as additional resource types get supported.