使用 Azure Arc 啟用的多雲端連接器檢視多雲端清查
多雲端連接器的清查解決方案顯示 Azure 中其他公用雲端的資源最新檢視,讓您可以在單一位置查看所有雲端資源。 目前支援 AWS 公用雲端環境。
啟用清查解決方案之後,來源雲端的資產中繼資料即會納入 Azure 中的資產表示。 您也可以將 Azure 標籤或 Azure 原則套用到這些資源。 此解決方案可讓您透過 Azure Resource Graph 查詢所有雲端資源,例如查詢以尋找具有特定標籤的所有 Azure 和 AWS 資源。
清查解決方案會定期掃描您的來源雲端,以更新 Azure 中呈現的檢視。 您可以指定連線公用雲端並設定清查解決方案時要查詢的間隔。
支援的 AWS 服務
現在,系統會掃描與下列 AWS 服務相關聯的資源並在 Azure 中呈現。 當您建立清查解決方案時,系統預設為選取所有可用的服務,但您可以選擇性地納入任何服務。
下表顯示已掃描的 AWS 服務、與每個服務相關聯的資源類型,以及對應至每個資源類型的 Azure 命名空間。
| AWS 服務 | AWS 資源類型 | Azure 命名空間 |
|---|---|---|
| Access Analyzer | accessAnalyzerAnalyzers |
Microsoft.AwsConnector/accessAnalyzerAnalyzers |
| API 閘道 | apiGatewayRestApis |
Microsoft.AwsConnector/apiGatewayRestApis |
| API 閘道 | apiGatewayStages |
Microsoft.AwsConnector/apiGatewayStages |
| 應用程式同步處理 | appSyncGraphQLApis |
Microsoft.AwsConnector/appSyncGraphQLApis |
| 自動調整 | autoScalingAutoScalingGroups |
Microsoft.AwsConnector/autoScalingAutoScalingGroups |
| Cloud Formation | cloudFormationStacks |
Microsoft.AwsConnector/cloudFormationStacks |
| Cloud Formation | cloudFormationStackSets |
Microsoft.AwsConnector/cloudFormationStackSets |
| Cloud Front | cloudFront |
Microsoft.AwsConnector/cloudFrontDistributions |
| 雲端線索 | cloudTrailTrails |
Microsoft.AwsConnector/cloudTrailTrails |
| Cloud Watch | cloudWatchAlarms |
Microsoft.AwsConnector/cloudWatchAlarms |
| 程式代碼組建 | codeBuildProjects |
Microsoft.AwsConnector/codeBuildProjects |
| 程式代碼組建 | codeBuildSourceCredentialsInfos |
Microsoft.AwsConnector/codeBuildSourceCredentialsInfos |
| Config | configServiceConfigurationRecorders |
Microsoft.AwsConnector/configServiceConfigurationRecorders |
| Config | configServiceConfigurationRecorderStatuses |
Microsoft.AwsConnector/configServiceConfigurationRecorderStatuses |
| Config | configServiceDeliveryChannels |
Microsoft.AwsConnector/configServiceDeliveryChannels |
| DAX | daxClusters |
Microsoft.AwsConnector/daxClusters |
| DMS | databaseMigrationServiceReplicationInstances |
Microsoft.AwsConnector/databaseMigrationServiceReplicationInstances |
| Dynamo DB | dynamoDBContinuousBackupsDescriptions |
Microsoft.AwsConnector/dynamoDBContinuousBackupsDescriptions |
| Dynamo DB | dynamoDBTables |
Microsoft.AwsConnector/dynamoDBTables |
| EC2 | ec2Instances |
Microsoft.HybridCompute/machines/EC2InstanceId, Microsoft.AwsConnector/Ec2Instances |
| EC2 | ec2AccountAttributes |
Microsoft.AwsConnector/ec2AccountAttributes |
| EC2 | ec2Addresses |
Microsoft.AwsConnector/ec2Addresses |
| EC2 | ec2FlowLogs |
Microsoft.AwsConnector/ec2FlowLogs |
| EC2 | ec2Images |
Microsoft.AwsConnector/ec2Images |
| EC2 | ec2Ipams |
Microsoft.AwsConnector/ec2Ipams |
| EC2 | ec2KeyPairs |
Microsoft.AwsConnector/ec2KeyPairs |
| EC2 | ec2Subnets |
Microsoft.AwsConnector/ec2Subnets |
| EC2 | ec2Volumes |
Microsoft.AwsConnector/ec2Volumes |
| EC2 | ec2VPCs |
Microsoft.AwsConnector/ec2VPCs |
| EC2 | ec2NetworkAcls |
Microsoft.AwsConnector/ec2NetworkAcls |
| EC2 | ec2NetworkInterfaces |
Microsoft.AwsConnector/ec2NetworkInterfaces |
| EC2 | ec2RouteTables |
Microsoft.AwsConnector/ec2RouteTables |
| EC2 | ec2VPCEndpoints |
Microsoft.AwsConnector/ec2VPCEndpoints |
| EC2 | ec2VPCPeeringConnections |
Microsoft.AwsConnector/ec2VPCPeeringConnections |
| EC2 | ec2InstanceStatuses |
Microsoft.AwsConnector/ec2InstanceStatuses |
| EC2 | ec2SecurityGroups |
Microsoft.AwsConnector/ec2SecurityGroups |
| EC2 | ec2Snapshots |
Microsoft.AwsConnector/ec2Snapshots |
| ECR | ecrImageDetails |
Microsoft.AwsConnector/ecrImageDetails |
| ECR | ecrRepositories |
Microsoft.AwsConnector/ecrRepositories |
| ECS | ecsClusters |
Microsoft.AwsConnector/ecsClusters |
| ECS | ecsServices |
Microsoft.AwsConnector/ecsServices |
| ECS | ecsTaskDefinitions |
Microsoft.AwsConnector/ecsTaskDefinitions |
| EFS | efsFileSystems |
Microsoft.AwsConnector/efsFileSystems |
| EFS | efsMountTargets |
Microsoft.AwsConnector/efsMountTargets |
| EKS | eksClusters |
Microsoft.AwsConnector/eksClusters |
| EKS | eksNodegroups |
Microsoft.AwsConnector/eksNodegroups |
| Elastic Beanstalk | elasticBeanstalkApplications |
Microsoft.AwsConnector/elasticBeanstalkApplications |
| Elastic Beanstalk | elasticBeanstalkConfigurationTemplates |
Microsoft.AwsConnector/elasticBeanstalkConfigurationTemplates |
| Elastic Beanstalk | elasticBeanstalkEnvironments |
Microsoft.AwsConnector/elasticBeanstalkEnvironments |
| 彈性負載平衡器 V2 | elasticLoadBalancingV2LoadBalancers |
Microsoft.AwsConnector/elasticLoadBalancingV2LoadBalancers |
| 彈性負載平衡器 V2 | elasticLoadBalancingV2Listeners |
Microsoft.AwsConnector/elasticLoadBalancingV2Listeners |
| 彈性負載平衡器 V2 | elasticLoadBalancingV2TargetGroups |
Microsoft.AwsConnector/elasticLoadBalancingV2TargetGroups |
| 彈性負載平衡器 V2 | elasticLoadBalancingV2TargetHealthDescriptions |
Microsoft.AwsConnector/elasticLoadBalancingV2TargetHealthDescriptions |
| EMR | emrClusters |
Microsoft.AwsConnector/emrClusters |
| GuardDuty | guardDutyDetectors |
Microsoft.AwsConnector/guardDutyDetectors |
| IAM | iamAccessKeyLastUseds |
Microsoft.AwsConnector/iamAccessKeyLastUseds |
| IAM | iamAccessKeyMetaData |
Microsoft.AwsConnector/iamAccessKeyMetaData |
| IAM | iamMFADevices |
Microsoft.AwsConnector/iamMFADevices |
| IAM | iamPasswordPolicies |
Microsoft.AwsConnector/iamPasswordPolicies |
| IAM | iamPolicyVersions |
Microsoft.AwsConnector/iamPolicyVersions |
| IAM | iamRoles |
Microsoft.AwsConnector/iamRoles |
| IAM | iamManagedPolicies |
Microsoft.AwsConnector/iamManagedPolicies |
| IAM | iamServerCertificates |
Microsoft.AwsConnector/iamServerCertificates |
| IAM | iamUserPolicies |
Microsoft.AwsConnector/iamUserPolicies |
| IAM | iamVirtualMFADevices |
Microsoft.AwsConnector/iamVirtualMFADevices |
| KMS | kmsKeys |
Microsoft.AwsConnector/kmsKeys |
| Lambda | lambdaFunctions |
Microsoft.AwsConnector/lambdaFunctions |
| Lightsail | lightsailInstances |
Microsoft.AwsConnector/lightsailInstances |
| Lightsail | lightsailBuckets |
Microsoft.AwsConnector/lightsailBuckets |
| 記錄 | logsLogGroups |
Microsoft.AwsConnector/logsLogGroups |
| 記錄 | logsLogStreams |
Microsoft.AwsConnector/logsLogStreams |
| 記錄 | logsMetricFilters |
Microsoft.AwsConnector/logsMetricFilters |
| 記錄 | logsSubscriptionFilters |
Microsoft.AwsConnector/logsSubscriptionFilters |
| Macie | macieAllowLists |
Microsoft.AwsConnector/macieAllowLists |
| Macie2 | macie2JobSummaries |
Microsoft.AwsConnector/macie2JobSummaries |
| 網路防火牆 | networkFirewallFirewalls |
Microsoft.AwsConnector/networkFirewallFirewalls |
| 網路防火牆 | networkFirewallFirewallPolicies |
Microsoft.AwsConnector/networkFirewallFirewallPolicies |
| 網路防火牆 | networkFirewallRuleGroups |
Microsoft.AwsConnector/networkFirewallRuleGroups |
| 開啟搜尋服務 | openSearchDomainStatuses |
Microsoft.AwsConnector/openSearchDomainStatuses |
| 組織 | organizationsAccounts |
Microsoft.AwsConnector/organizationsAccounts |
| 組織 | organizationsOrganizations |
Microsoft.AwsConnector/organizationsOrganizations |
| RDS | rdsDBInstances |
Microsoft.AwsConnector/rdsDBInstances |
| RDS | rdsDBClusters |
Microsoft.AwsConnector/rdsDBClusters |
| RDS | rdsEventSubscriptions |
Microsoft.AwsConnector/rdsEventSubscriptions |
| RDS | rdsDBSnapshots |
Microsoft.AwsConnector/rdsDBSnapshots |
| RDS | rdsDBSnapshotAttributesResults |
Microsoft.AwsConnector/rdsDBSnapshotAttributesResults |
| RDS | rdsEventSubscriptions |
Microsoft.AwsConnector/rdsEventSubscriptions |
| Redshift | redshiftClusters |
Microsoft.AwsConnector/redshiftClusters |
| Redshift | redshiftClusterParameterGroups |
Microsoft.AwsConnector/redshiftClusterParameterGroups |
| Route 53 | route53DomainsDomainSummaries |
Microsoft.AwsConnector/route53DomainsDomainSummaries |
| Route 53 | route53HostedZones |
Microsoft.AwsConnector/route53HostedZones |
| SageMaker | sageMakerApps |
Microsoft.AwsConnector/sageMakerApps |
| SageMaker | sageMakerDevices |
Microsoft.AwsConnector/sageMakerDevices |
| SageMaker | sageMakerImages |
Microsoft.AwsConnector/sageMakerImages |
| SageMaker | sageMakerNotebookInstanceSummaries |
Microsoft.AwsConnector/sageMakerNotebookInstanceSummaries |
| 秘密管理員 | secretsManagerResourcePolicies |
Microsoft.AwsConnector/secretsManagerResourcePolicies |
| 秘密管理員 | secretsManagerSecrets |
Microsoft.AwsConnector/secretsManagerSecrets |
| 秘密管理員 | secretsManagerSecrets |
Microsoft.AwsConnector/secretsManagerSecrets |
| S3 | s3Buckets |
Microsoft.AwsConnector/s3Buckets |
| S3 | s3AccessControlPolicies |
Microsoft.AwsConnector/s3AccessControlPolicies |
| S3 | s3ControlMultiRegionAccessPointPolicyDocuments |
Microsoft.AwsConnector/s3ControlMultiRegionAccessPointPolicyDocuments |
| S3 | s3BucketPolicies |
Microsoft.AwsConnector/s3BucketPolicies |
| S3 | s3AccessPoints |
Microsoft.AwsConnector/s3AccessPoints |
| SNS | snsTopics |
Microsoft.AwsConnector/snsTopics |
| SNS | snsSubscriptions |
Microsoft.AwsConnector/snsSubscriptions |
| SQS | sqsQueues |
Microsoft.AwsConnector/sqsQueues |
| SSM | ssmInstanceInformations |
Microsoft.AwsConnector/ssmInstanceInformations |
| SSM | ssmParameters |
Microsoft.AwsConnector/ssmParameters |
| SSM | ssmResourceComplianceSummaryItems |
Microsoft.AwsConnector/ssmResourceComplianceSummaryItems |
| WAF | wafWebACLSummaries |
Microsoft.AwsConnector/wafWebACLSummaries |
| WAFv2 | wafv2LoggingConfigurations |
Microsoft.AwsConnector/wafv2LoggingConfigurations |
Azure 中的 AWS 資源表示法
連接 AWS 雲端並啟用清查解決方案之後,多雲端連接器會使用命名慣例 aws_yourAwsAccountId 建立新的資源群組。 系統會使用上節所述的 AwsConnector 命名空間,在此資源群組中建立 AWS 資源的 Azure 表示。 您可以將 Azure 標籤和原則套用至這些資源。
使用標準對應配置,將 AWS 中探索到並在 Azure 中投影的資源放置在 Azure 區域中。
注意
如果您有已經 連線到 Azure Arc 的 EC2 實例,則連接器 會在 Arc 機器所在的訂用帳戶中符合必要條件 時,將建立 EC2 清查資源作為 Microsoft.HybridCompute/machines 的子資源。 否則,將不會建立清查資源。
權限選項
全域讀取:提供 AWS 帳戶中所有資源的唯讀存取權。 引進新的服務時,連接器可以掃描這些資源,而不需要更新的 CloudFormation 範本。
最低許可權存取:僅提供所選服務下資源的讀取許可權。 如果您選擇在未來掃描更多資源,則必須上傳新的 CloudFormation 範本。
定期同步處理選項
設定清查解決方案時選取的定期同步時間會決定您的 AWS 帳戶掃描及同步至 Azure 的頻率。 啟用定期同步後,AWS 資源的變更就會反映在 Azure 中。 例如,如果在 AWS 中刪除某資源,則該資源同樣會在 Azure 中遭到刪除。
您可以視需要在設定此解決方案時關閉定期同步處理。 如果您這樣做,則 Azure 表示可能會無法與您的 AWS 資源同步,因為 Azure 無法重新掃描和偵測任何變更。
查詢 Azure Resource Graph 中的資源
Azure Resource Graph 是一項 Azure 服務,旨在藉由提供有效率且高效能的資源探索來擴充 Azure 資源管理。 在一組指定的訂用帳戶中執行大規模查詢,可讓您有效率地控管環境。
您可以在 Azure 入口網站中使用 Resource Graph 總管來執行查詢。 以下是常見案例的一些範例查詢。
查詢所有上線的多雲端資產清查
resources
| where subscriptionId == "<subscription ID>"
| where id contains "microsoft.awsconnector"
| union (awsresources | where type == "microsoft.awsconnector/ec2instances" and subscriptionId =="<subscription ID>")
| extend awsTags= properties.awsTags, azureTags = ['tags']
| project subscriptionId, resourceGroup, type, id, awsTags, azureTags, properties
查詢特定連接器下的所有資源
resources
| extend connectorId = tolower(tostring(properties.publicCloudConnectorsResourceId)), resourcesId=tolower(id)
| join kind=leftouter (
awsresources
| extend pccId = tolower(tostring(properties.publicCloudConnectorsResourceId)), awsresourcesId=tolower(id)
| extend parentId = substring(awsresourcesId, 0, strlen(awsresourcesId) - strlen("/providers/microsoft.awsconnector/ec2instances/default"))
) on $left.resourcesId == $right.parentId
| where connectorId =~ "yourConnectorId" or pccId =~ "yourConnectorId"
| extend resourceType = tostring(split(iif (type =~ "microsoft.hybridcompute/machines", type1, type), "/")[1])
查詢 Azure 和 AWS 中的所有虛擬機器及其執行個體大小
resources
| where (['type'] == "microsoft.compute/virtualmachines")
| union (awsresources | where type == "microsoft.awsconnector/ec2instances")
| extend cloud=iff(type contains "ec2", "AWS", "Azure")
| extend awsTags=iff(type contains "microsoft.awsconnector", properties.awsTags, ""), azureTags=tags
| extend size=iff(type contains "microsoft.compute", properties.hardwareProfile.vmSize, properties.awsProperties.instanceType.value)
| project subscriptionId, cloud, resourceGroup, id, size, azureTags, awsTags, properties
查詢 Azure 和 AWS 中的所有函式
resources
| where (type == 'microsoft.web/sites' and ['kind'] contains 'functionapp') or type == "microsoft.awsconnector/lambdafunctionconfigurations"
| extend cloud=iff(type contains "awsconnector", "AWS", "Azure")
| extend functionName=iff(cloud=="Azure", properties.name,properties.awsProperties.functionName), state=iff(cloud=="Azure", properties.state, properties.awsProperties.state), lastModifiedTime=iff(cloud=="Azure", properties.lastModifiedTimeUtc,properties.awsProperties.lastModified), location=iff(cloud=="Azure", location,properties.awsRegion), tags=iff(cloud=="Azure", tags, properties.awsTags)
| project cloud, functionName, lastModifiedTime, location, tags
查詢具有特定標籤的所有資源
resources
| extend awsTags=iff(type contains "microsoft.awsconnector", properties.awsTags, ""), azureTags=tags
| where awsTags contains "<yourTagValue>" or azureTags contains "<yourTagValue>"
| project subscriptionId, resourceGroup, name, azureTags, awsTags
下一步
- 了解多雲端連接器 Arc 上線解決方案。
- 深入了解 Azure Resource Graph。