
Below is a solution that I created to help monitor Public IPs, or to create an API allowing you to ingest for inventory.
Please note: The PiPs here are deleted as soon as I’ve blogged so don’t attack or scan them thinking they are me.

Firstly, we need our Public IPs:

Once we have that, you need to decide on your method. If local, you can simply use the script I uploaded here: [GitHub].
You will need to edit the Auth method to match your needs.
A simple example being:

The above includes a foreach loop so that you can check each subscription you have access to. Running this locally will give you similar output:

If you wanted to integrate this within a CMDB, or Inventory stack, you could utilize either Azure Function Apps or Automation Accounts. For myself, I tend to lean towards Function Apps due to their free tiers, and simplicity.
If I was to expand, and utilize reporting or schedules, I would move towards Automation accounts. It really depends on how you’re wanting to use it.
If you did want to use a Function App, we can do the following:
Create the Function App and create an Identity.

You will then need to click Azure role assignments and select what RBAC to grant. For this, I’ve granted Read-Only at the Subscription level. If this was production, I would look to grant granular access.
You need to think about the future: if the access is too granular, you may miss future instances. For example, if you've applied the access at the resource group layer and an admin creates a new resource group, your function app won't be able to see it.
The same goes for the Subscription layer. If a new Subscription was created without your knowledge, you wouldn't be able to see it.
Management groups can help with this, so if you are looking to implement this, design accordingly. It's all about governance.

Next, under App Files, we need to make sure this code is present under profile.ps1:

At the same time, check requirements.psd1 and uncomment the AZ line.
This will install the AZ module.

Next, we create the Function, and set it to HTTP Trigger. This will allow our tools to look up on demand via an HTTP request.
Once done, click Integration and select the authorization level:

If you are integrating into multiple systems, or sharing, remember you can create your own keys and distribute how you please.
Next, input my code into the function.

Remember that if you want to cover all subscriptions you will need to include your subscription loop mentioned at the start. If not, copy and paste, changing this value at the end:

You can change line 65 to say $PiPDets, however I set the above to allow me to easily change. I’ve also converted to JSON format as most will accept this format (| ConvertTo-Json).
Hit Save, and give it a test:

As you can see, it returns my Public IPs and resource information that I’ve set. You can obviously expand on this to gather the information you require.
You can now integrate or use however you please:

Hopefully this is useful, and if you want me to cover any topics, or create solutions, do let me know. 🙂
--- Update ---
I’ve now added the Get-AzPublicIPAddress to identify PiPs that may not be associated:

This is due to no attached resource creating the interface. A simple compare at the end compares the output with what we have:
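
A sketch of the inventory described in this post, including the subscription loop and the unassociated-PiP check from the update. This is an added example, not the author's script: it assumes the Az.Accounts and Az.Network modules and an existing login (Connect-AzAccount locally, or the Function App's managed identity), and the output field names are my own.

```powershell
# Added example (not the author's script): list every Public IP the current
# identity can read across all visible subscriptions and flag PiPs that have
# no IP configuration attached. Output field names are illustrative.

$inventory = foreach ($sub in Get-AzSubscription) {
    # Switch context so the following calls run against this subscription
    $null = Set-AzContext -Subscription $sub.Id -Tenant $sub.TenantId

    foreach ($pip in Get-AzPublicIpAddress) {
        # IpConfiguration is empty when the PiP is not bound to a NIC,
        # load balancer frontend, gateway or similar IP configuration
        $attachedTo = if ($pip.IpConfiguration) { $pip.IpConfiguration.Id } else { $null }

        [pscustomobject]@{
            Subscription  = $sub.Name
            ResourceGroup = $pip.ResourceGroupName
            Name          = $pip.Name
            IpAddress     = $pip.IpAddress   # "Not Assigned" for unallocated dynamic IPs
            Allocation    = $pip.PublicIpAllocationMethod
            Location      = $pip.Location
            Associated    = [bool]$attachedTo
            AttachedTo    = $attachedTo
        }
    }
}

# Unassociated PiPs are worth reviewing: they are exposed address space that
# nobody may be tracking. Treat the flag as a lead to check, not a verdict.
$orphans = @($inventory | Where-Object { -not $_.Associated })
if ($orphans.Count -gt 0) {
    Write-Warning ("{0} Public IP(s) with no IP configuration attached" -f $orphans.Count)
}

# JSON is what most CMDB / inventory tools will ingest
$inventory | ConvertTo-Json -Depth 3
```

Subscriptions the identity has no role assignment on never appear in Get-AzSubscription, so the result is only as complete as the RBAC scope discussed above.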
