Forum Discussion

Copper Contributor

Jun 21, 2021

Solved

KQL query for vnet peering count and storage public Access

Hi Team, I am looking to get the count of Vnet peering from specific subscriptions and storage container public access through KQL, Can someone please help me. Regards Dev

azure monitor

pazdedav
Jun 29, 2021
deb0093

Are you trying to get peering names or IDs of VNets the virtual networks you have access to are peered with? Or both?

Try this query, it should give you both properties and only list VNets that have some peering relationship:

resources
| where type =~ 'microsoft.network/virtualNetworks'
| mv-expand peering=properties.virtualNetworkPeerings
| where notempty(peering)
| project vnetId = id, vnetName = name, peeringName=tostring(peering.name), peeredVnetId=tostring(peering.properties.remoteVirtualNetwork.id)

pazdedav

MVP

Jun 22, 2021

Hi deb0093 ,

For network peering you could try something like:

resources

| where type =~ 'microsoft.network/virtualNetworks'

| mv-expand peering=properties.virtualNetworkPeerings

| where peering.properties.remoteVirtualNetwork.id contains "/subscriptions/xxx-xxx-xxxx-xxxx"

For blobs with public access:

Resources

| where type =~ 'microsoft.storage/storageaccounts'

| where properties.allowBlobPublicAccess == true

deb0093

Copper Contributor

Jun 24, 2021

pazdedav ,

resources

| where type =~ 'microsoft.network/virtualNetworks'

| mv-expand peering=properties.virtualNetworkPeerings

| where peering.properties.remoteVirtualNetwork.id contains "/subscriptions/xxx-xxx-xxxx-xxxx", Hope the "xxx-xxx-xxxx-xxxx" meant here as tenant id?

If I set my powershell to query
$subscription = Get-AzSubscription -TenantId "Teanant-id" | where-object{$_.Name -like '*-required subscriptionname-*'}
$subscription | Set-AzContext

And after that If I run the Search-AzGraph queries from powershell, will that work for specific subscriptions as a set above?

pazdedav
MVP
Jun 24, 2021
Hi deb0093,

Actually, the xxx-xxx-xxx-xxx string is a placeholder for a subscription ID (not a tenant ID). You said you wanted to query all VNET peerings coming from a particular subscription. You simply provide a subscription ID directly in the KQL query (if it's static).

The easiest way to test it is by using Azure Resource Graph Explorer directly in the Portal, where you select 1-n subscriptions from the drop-down as a scope for your query (i.e. subscriptions, where you want to look for peerings) and run the query (after you replace xxx-xxx... string with an actual subID you are interested in).

When you see it's working, you can switch to PowerShell or CLI to get the data programmatically.

I hope this answers your question.
- deb0093
  Copper Contributor
  Jun 24, 2021
  I have tried to get run the query as single subscription selected :
  
  resources
  | where type =~ 'microsoft.network/virtualNetworks'
  | mv-expand peering=properties.virtualNetworkPeerings
  | where peering.properties.remoteVirtualNetwork.id contains "/subscriptions/subscription -id"
  
  but it gives no result after running the query from Resource Group Explorer but when I see on portal peering do exist for that particular subscription id.
  - pazdedav
    MVP
    Jun 24, 2021
    deb0093
    
    Just to be clear on the scenario:
    let's say you have VNETA and VNETB in subscriptionA
    both VNETs are peered to VNETC that resides in subscriptionB
    If you want the query to return two entries - VNETA and VNETB, you need to:
    select subscriptionA in the Resource Graph Explorer as a scope for your query
    write subscriptionB ID to the query itself as a replacement for xxx-xxx-xxx-xxx string
    The query works in my environment. Perhaps if you send me a screenshot with the Graph Explorer, the query you tried and the result, I could look into it.