The inventory solution of the multicloud connector shows an up-to-date view of resources from other public clouds in Azure, providing a single place to view all of your cloud resources.
Currently, the multicloud connector supports connecting resources from these public clouds:
- Amazon Web Services (AWS)
- Google Cloud Platform (GCP) (preview)
Once the inventory solution is enabled, metadata from assets in the source cloud is included in the asset's representation in Azure. You can also apply Azure tags or Azure Policy to these resources. This solution lets you query all of your cloud resources through Azure Resource Graph, for example to find all Azure, AWS, and GCP resources that carry a specific tag.
The inventory solution scans the source cloud periodically to update the view represented in Azure. You can specify the query interval when connecting the public cloud and configuring the inventory solution.
Supported services
Today, resources associated with the following AWS and GCP services are scanned and represented in Azure. When you create the inventory solution, all available services are selected by default, but you can choose which services to include.
The following table shows the scanned AWS services, the resource types associated with each service, and the Azure namespace corresponding to each resource type.
| AWS service | AWS resource type | Azure namespace |
|---|---|---|
| Access Analyzer | accessAnalyzerAnalyzers | Microsoft.AwsConnector/accessAnalyzerAnalyzers |
| API Gateway | apiGatewayRestApis | Microsoft.AwsConnector/apiGatewayRestApis |
| API Gateway | apiGatewayStages | Microsoft.AwsConnector/apiGatewayStages |
| AppSync | appSyncGraphQLApis | Microsoft.AwsConnector/appSyncGraphQLApis |
| Auto Scaling | autoScalingAutoScalingGroups | Microsoft.AwsConnector/autoScalingAutoScalingGroups |
| CloudFormation | cloudFormationStacks | Microsoft.AwsConnector/cloudFormationStacks |
| CloudFormation | cloudFormationStackSets | Microsoft.AwsConnector/cloudFormationStackSets |
| CloudFront | cloudFront | Microsoft.AwsConnector/cloudFrontDistributions |
| CloudTrail | cloudTrailTrails | Microsoft.AwsConnector/cloudTrailTrails |
| CloudWatch | cloudWatchAlarms | Microsoft.AwsConnector/cloudWatchAlarms |
| CodeBuild | codeBuildProjects | Microsoft.AwsConnector/codeBuildProjects |
| CodeBuild | codeBuildSourceCredentialsInfos | Microsoft.AwsConnector/codeBuildSourceCredentialsInfos |
| Config | configServiceConfigurationRecorders | Microsoft.AwsConnector/configServiceConfigurationRecorders |
| Config | configServiceConfigurationRecorderStatuses | Microsoft.AwsConnector/configServiceConfigurationRecorderStatuses |
| Config | configServiceDeliveryChannels | Microsoft.AwsConnector/configServiceDeliveryChannels |
| DAX | daxClusters | Microsoft.AwsConnector/daxClusters |
| DMS | databaseMigrationServiceReplicationInstances | Microsoft.AwsConnector/databaseMigrationServiceReplicationInstances |
| DynamoDB | dynamoDBContinuousBackupsDescriptions | Microsoft.AwsConnector/dynamoDBContinuousBackupsDescriptions |
| DynamoDB | dynamoDBTables | Microsoft.AwsConnector/dynamoDBTables |
| EC2 | ec2Instances | Microsoft.HybridCompute/machines/EC2InstanceId/providers/Microsoft.AwsConnector/Ec2Instances |
| EC2 | ec2AccountAttributes | Microsoft.AwsConnector/ec2AccountAttributes |
| EC2 | ec2Addresses | Microsoft.AwsConnector/ec2Addresses |
| EC2 | ec2FlowLogs | Microsoft.AwsConnector/ec2FlowLogs |
| EC2 | ec2Images | Microsoft.AwsConnector/ec2Images |
| EC2 | ec2Ipams | Microsoft.AwsConnector/ec2Ipams |
| EC2 | ec2KeyPairs | Microsoft.AwsConnector/ec2KeyPairs |
| EC2 | ec2Subnets | Microsoft.AwsConnector/ec2Subnets |
| EC2 | ec2Volumes | Microsoft.AwsConnector/ec2Volumes |
| EC2 | ec2VPCs | Microsoft.AwsConnector/ec2VPCs |
| EC2 | ec2NetworkAcls | Microsoft.AwsConnector/ec2NetworkAcls |
| EC2 | ec2NetworkInterfaces | Microsoft.AwsConnector/ec2NetworkInterfaces |
| EC2 | ec2RouteTables | Microsoft.AwsConnector/ec2RouteTables |
| EC2 | ec2VPCEndpoints | Microsoft.AwsConnector/ec2VPCEndpoints |
| EC2 | ec2VPCPeeringConnections | Microsoft.AwsConnector/ec2VPCPeeringConnections |
| EC2 | ec2InstanceStatuses | Microsoft.AwsConnector/ec2InstanceStatuses |
| EC2 | ec2SecurityGroups | Microsoft.AwsConnector/ec2SecurityGroups |
| EC2 | ec2Snapshots | Microsoft.AwsConnector/ec2Snapshots |
| ECR | ecrImageDetails | Microsoft.AwsConnector/ecrImageDetails |
| ECR | ecrRepositories | Microsoft.AwsConnector/ecrRepositories |
| ECS | ecsClusters | Microsoft.AwsConnector/ecsClusters |
| ECS | ecsServices | Microsoft.AwsConnector/ecsServices |
| ECS | ecsTaskDefinitions | Microsoft.AwsConnector/ecsTaskDefinitions |
| EFS | efsFileSystems | Microsoft.AwsConnector/efsFileSystems |
| EFS | efsMountTargets | Microsoft.AwsConnector/efsMountTargets |
| EKS | eksClusters | Microsoft.Kubernetes/connectedclusters/clusterName_region/providers/Microsoft.AwsConnector/eksClusters |
| EKS | eksNodegroups | Microsoft.AwsConnector/eksNodegroups |
| Elastic Beanstalk | elasticBeanstalkApplications | Microsoft.AwsConnector/elasticBeanstalkApplications |
| Elastic Beanstalk | elasticBeanstalkConfigurationTemplates | Microsoft.AwsConnector/elasticBeanstalkConfigurationTemplates |
| Elastic Beanstalk | elasticBeanstalkEnvironments | Microsoft.AwsConnector/elasticBeanstalkEnvironments |
| Elastic Load Balancer V2 | elasticLoadBalancingV2LoadBalancers | Microsoft.AwsConnector/elasticLoadBalancingV2LoadBalancers |
| Elastic Load Balancer V2 | elasticLoadBalancingV2Listeners | Microsoft.AwsConnector/elasticLoadBalancingV2Listeners |
| Elastic Load Balancer V2 | elasticLoadBalancingV2TargetGroups | Microsoft.AwsConnector/elasticLoadBalancingV2TargetGroups |
| Elastic Load Balancer V2 | elasticLoadBalancingV2TargetHealthDescriptions | Microsoft.AwsConnector/elasticLoadBalancingV2TargetHealthDescriptions |
| EMR | emrClusters | Microsoft.AwsConnector/emrClusters |
| GuardDuty | guardDutyDetectors | Microsoft.AwsConnector/guardDutyDetectors |
| Identity and Access Management | iamAccessKeyLastUseds | Microsoft.AwsConnector/iamAccessKeyLastUseds |
| Identity and Access Management | iamAccessKeyMetaData | Microsoft.AwsConnector/iamAccessKeyMetaData |
| Identity and Access Management | iamMFADevices | Microsoft.AwsConnector/iamMFADevices |
| Identity and Access Management | iamPasswordPolicies | Microsoft.AwsConnector/iamPasswordPolicies |
| Identity and Access Management | iamPolicyVersions | Microsoft.AwsConnector/iamPolicyVersions |
| Identity and Access Management | iamRoles | Microsoft.AwsConnector/iamRoles |
| Identity and Access Management | iamManagedPolicies | Microsoft.AwsConnector/iamManagedPolicies |
| Identity and Access Management | iamServerCertificates | Microsoft.AwsConnector/iamServerCertificates |
| Identity and Access Management | iamUserPolicies | Microsoft.AwsConnector/iamUserPolicies |
| Identity and Access Management | iamVirtualMFADevices | Microsoft.AwsConnector/iamVirtualMFADevices |
| KMS | kmsKeys | Microsoft.AwsConnector/kmsKeys |
| Lambda | lambdaFunctions | Microsoft.AwsConnector/lambdaFunctions |
| Lightsail | lightsailInstances | Microsoft.AwsConnector/lightsailInstances |
| Lightsail | lightsailBuckets | Microsoft.AwsConnector/lightsailBuckets |
| Logs | logsLogGroups | Microsoft.AwsConnector/logsLogGroups |
| Logs | logsLogStreams | Microsoft.AwsConnector/logsLogStreams |
| Logs | logsMetricFilters | Microsoft.AwsConnector/logsMetricFilters |
| Logs | logsSubscriptionFilters | Microsoft.AwsConnector/logsSubscriptionFilters |
| Macie | macieAllowLists | Microsoft.AwsConnector/macieAllowLists |
| Macie2 | macie2JobSummaries | Microsoft.AwsConnector/macie2JobSummaries |
| Network Firewall | networkFirewallFirewalls | Microsoft.AwsConnector/networkFirewallFirewalls |
| Network Firewall | networkFirewallFirewallPolicies | Microsoft.AwsConnector/networkFirewallFirewallPolicies |
| Network Firewall | networkFirewallRuleGroups | Microsoft.AwsConnector/networkFirewallRuleGroups |
| OpenSearch Service | openSearchDomainStatuses | Microsoft.AwsConnector/openSearchDomainStatuses |
| Organizations | organizationsAccounts | Microsoft.AwsConnector/organizationsAccounts |
| Organizations | organizationsOrganizations | Microsoft.AwsConnector/organizationsOrganizations |
| RDS | rdsDBInstances | Microsoft.AwsConnector/rdsDBInstances |
| RDS | rdsDBClusters | Microsoft.AwsConnector/rdsDBClusters |
| RDS | rdsEventSubscriptions | Microsoft.AwsConnector/rdsEventSubscriptions |
| RDS | rdsDBSnapshots | Microsoft.AwsConnector/rdsDBSnapshots |
| RDS | rdsDBSnapshotAttributesResults | Microsoft.AwsConnector/rdsDBSnapshotAttributesResults |
| Redshift | redshiftClusters | Microsoft.AwsConnector/redshiftClusters |
| Redshift | redshiftClusterParameterGroups | Microsoft.AwsConnector/redshiftClusterParameterGroups |
| Route 53 | route53DomainsDomainSummaries | Microsoft.AwsConnector/route53DomainsDomainSummaries |
| Route 53 | route53HostedZones | Microsoft.AwsConnector/route53HostedZones |
| SageMaker | sageMakerApps | Microsoft.AwsConnector/sageMakerApps |
| SageMaker | sageMakerDevices | Microsoft.AwsConnector/sageMakerDevices |
| SageMaker | sageMakerImages | Microsoft.AwsConnector/sageMakerImages |
| SageMaker | sageMakerNotebookInstanceSummaries | Microsoft.AwsConnector/sageMakerNotebookInstanceSummaries |
| Secrets Manager | secretsManagerResourcePolicies | Microsoft.AwsConnector/secretsManagerResourcePolicies |
| Secrets Manager | secretsManagerSecrets | Microsoft.AwsConnector/secretsManagerSecrets |
| S3 | s3Buckets | Microsoft.AwsConnector/s3Buckets |
| S3 | s3AccessControlPolicies | Microsoft.AwsConnector/s3AccessControlPolicies |
| S3 | s3ControlMultiRegionAccessPointPolicyDocuments | Microsoft.AwsConnector/s3ControlMultiRegionAccessPointPolicyDocuments |
| S3 | s3BucketPolicies | Microsoft.AwsConnector/s3BucketPolicies |
| S3 | s3AccessPoints | Microsoft.AwsConnector/s3AccessPoints |
| SNS | snsTopics | Microsoft.AwsConnector/snsTopics |
| SNS | snsSubscriptions | Microsoft.AwsConnector/snsSubscriptions |
| SQS | sqsQueues | Microsoft.AwsConnector/sqsQueues |
| SSM | ssmInstanceInformations | Microsoft.AwsConnector/ssmInstanceInformations |
| SSM | ssmParameters | Microsoft.AwsConnector/ssmParameters |
| SSM | ssmResourceComplianceSummaryItems | Microsoft.AwsConnector/ssmResourceComplianceSummaryItems |
| WAF | wafWebACLSummaries | Microsoft.AwsConnector/wafWebACLSummaries |
| WAFv2 | wafv2LoggingConfigurations | Microsoft.AwsConnector/wafv2LoggingConfigurations |
Resource representation in Azure
After you connect a cloud and enable the inventory solution, the multicloud connector creates a new resource group using the naming convention `<PublicCloud>_<AccountID>`. Azure representations of your resources are created in this resource group, using the AwsConnector or GcpConnector namespace values described in the previous section. You can apply Azure tags and policies to these resources.
Resources discovered and projected into Azure are placed in Azure regions using a standard mapping scheme.
Note
If an EC2 instance or GCP VM was previously connected to Azure Arc, the connector creates the related inventory resource as a child resource of Microsoft.HybridCompute/machines, provided the prerequisites are met in the subscription where the Arc machine resides. Otherwise, the inventory resource is not created.
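When you work with projected resource ids outside the portal, it helps to be able to tell, from the id alone, which source account a resource came from and whether it is one of the nested Arc-machine children described in the note above. The following parser is an added example, not code from the page or from the connector; it assumes only the conventions stated here (a `<PublicCloud>_<AccountID>` resource group, the AwsConnector/GcpConnector namespaces, and nesting under Microsoft.HybridCompute/machines), and the sample ids are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample ids that follow the conventions on this page. The "GCP_" prefix
# for GCP resource groups is an assumption based on the <PublicCloud>_<AccountID> pattern.
SAMPLE_IDS = [
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/AWS_123456789012"
    "/providers/Microsoft.AwsConnector/s3Buckets/my-bucket",
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/AWS_123456789012"
    "/providers/Microsoft.HybridCompute/machines/i-0abc123"
    "/providers/Microsoft.AwsConnector/ec2Instances/default",
]


@dataclass
class ProjectedResource:
    cloud: str                 # "AWS" or "GCP", taken from the resource group prefix
    account_id: str            # source account/project id, taken from the resource group suffix
    resource_type: str         # connector resource type, lower-cased (e.g. "s3buckets")
    parent_id: Optional[str]   # Arc machine id when the resource is nested, else None


_RG = re.compile(r"/resourcegroups/(aws|gcp)_([^/]+)/", re.IGNORECASE)
_NS = re.compile(r"/providers/microsoft\.(aws|gcp)connector/([^/]+)/[^/]+$", re.IGNORECASE)


def parse_projected_id(resource_id: str) -> Optional[ProjectedResource]:
    """Return structured info for a multicloud-connector resource id, or None when the
    id is not in the AwsConnector/GcpConnector namespaces (e.g. a native Azure VM)."""
    ns = _NS.search(resource_id)
    rg = _RG.search(resource_id)
    if not ns or not rg:
        return None
    # Everything before the connector's own /providers/... segment is the parent scope.
    # For a nested EC2 instance that is the Microsoft.HybridCompute/machines id, which is
    # the same substring logic the join query on this page uses to match parents.
    prefix = resource_id[: ns.start()]
    nested = "/providers/microsoft.hybridcompute/machines/" in prefix.lower()
    return ProjectedResource(
        cloud=rg.group(1).upper(),
        account_id=rg.group(2),
        resource_type=ns.group(2).lower(),
        parent_id=prefix if nested else None,
    )
```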
Permission options
Global read: provides read-only access to all resources in the AWS account or GCP organization/project. When new services are introduced, the connector can scan those resources without requiring an update to the CloudFormation template for AWS or the Terraform template for GCP.
Least privilege access: provides read access only to resources under the selected services. If you choose to scan more resources in the future, you must upload a new template.
Periodic sync options
The periodic sync time you select when configuring the inventory solution determines how often the source cloud (AWS or GCP) is scanned and synchronized to Azure. With periodic sync enabled, changes to source cloud resources are reflected in Azure. For example, if a resource is deleted in the source cloud, it is also deleted in Azure.
If you prefer, you can turn off periodic sync when configuring this solution. If you do, the Azure representation may drift out of sync with the source cloud resources, because Azure is unable to rescan and detect any changes.
Query resources in Azure Resource Graph
Azure Resource Graph is an Azure service designed to extend Azure Resource Management by providing efficient, high-performance resource exploration. Running queries at scale across a given set of subscriptions helps you govern your environment effectively.
You can run queries using Resource Graph Explorer in the Azure portal. Some sample queries for common scenarios are shown here.
Query all onboarded multicloud asset inventory
```kusto
resources
| where subscriptionId == "<subscription ID>"
| where id contains "microsoft.awsconnector"
// EC2 instances live in the awsresources table, so union them in
| union (awsresources | where type == "microsoft.awsconnector/ec2instances" and subscriptionId == "<subscription ID>")
| extend awsTags = properties.awsTags, azureTags = ['tags']
| project subscriptionId, resourceGroup, type, id, awsTags, azureTags, properties
```
Query all resources under a specific connector
```kusto
resources
| extend connectorId = tolower(tostring(properties.publicCloudConnectorsResourceId)), resourcesId = tolower(id)
| join kind=leftouter (
    awsresources
    | extend pccId = tolower(tostring(properties.publicCloudConnectorsResourceId)), awsresourcesId = tolower(id)
    // strip the child suffix to recover the parent Arc machine id for nested EC2 instances
    | extend parentId = substring(awsresourcesId, 0, strlen(awsresourcesId) - strlen("/providers/microsoft.awsconnector/ec2instances/default"))
) on $left.resourcesId == $right.parentId
| where connectorId =~ "yourConnectorId" or pccId =~ "yourConnectorId"
// type1 is the right-hand (awsresources) type column produced by the join
| extend resourceType = tostring(split(iif(type =~ "microsoft.hybridcompute/machines", type1, type), "/")[1])
```
Query all virtual machines in Azure and AWS with their instance sizes
```kusto
resources
| where (['type'] == "microsoft.compute/virtualmachines")
| union (awsresources | where type == "microsoft.awsconnector/ec2instances")
| extend cloud = iff(type contains "ec2", "AWS", "Azure")
| extend awsTags = iff(type contains "microsoft.awsconnector", properties.awsTags, ""), azureTags = tags
| extend size = iff(type contains "microsoft.compute", properties.hardwareProfile.vmSize, properties.awsProperties.instanceType.value)
| project subscriptionId, cloud, resourceGroup, id, size, azureTags, awsTags, properties
```
Query all functions across Azure and AWS
```kusto
resources
| where (type == 'microsoft.web/sites' and ['kind'] contains 'functionapp') or type == "microsoft.awsconnector/lambdafunctionconfigurations"
| extend cloud = iff(type contains "awsconnector", "AWS", "Azure")
| extend functionName = iff(cloud == "Azure", properties.name, properties.awsProperties.functionName),
         state = iff(cloud == "Azure", properties.state, properties.awsProperties.state),
         lastModifiedTime = iff(cloud == "Azure", properties.lastModifiedTimeUtc, properties.awsProperties.lastModified),
         location = iff(cloud == "Azure", location, properties.awsRegion),
         tags = iff(cloud == "Azure", tags, properties.awsTags)
| project cloud, functionName, lastModifiedTime, location, tags
```
Query all resources with a specific tag
```kusto
resources
| extend awsTags = iff(type contains "microsoft.awsconnector", properties.awsTags, ""), azureTags = tags
| where awsTags contains "<yourTagValue>" or azureTags contains "<yourTagValue>"
| project subscriptionId, resourceGroup, name, azureTags, awsTags
```
Next steps
- Learn about the multicloud connector "Arc onboarding" solution.
- Learn more about Azure Resource Graph.