MonitorFQDN is an Azure Automation solution that monitors a list of FQDN's (Fully Qualified Domain Names) for IP address changes. Every time an FQDN resolves to a different IP address than the one resolved in the previous run, one or more runbooks are invoked in order to:
- Send email notifications about the IP address changes;
- Update Azure NSG (Network Security Group) rules that reference the IP address that has changed;
- Update Azure UDR's (User Defined Routes) that reference the IP address that has changed.
MonitorFQDN uses an Azure "RunAs" account to log into your subscription(s) and searches through all the available NSG's and UDR's. MonitorFQDN only manages the rules whose name ends with a configurable suffix (by default, "___MONITORED___").
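
The change detection and suffix filter described above, sketched as an added example (this is not code from the MonitorFQDN runbooks). The function names, sample FQDNs, IP addresses and rule objects are constructed; checking only the destination prefix and treating the suffix as case-sensitive are assumptions of this sketch.

```powershell
# Added example: all names and sample data are constructed, not taken from the MonitorFQDN runbooks.
$suffix = '___MONITORED___'   # default suffix stated in this README

# Constructed state: IPs stored by the previous run vs. IPs resolved in this run.
$previous = @{ 'api.example.com' = '203.0.113.10'; 'db.example.com' = '198.51.100.7' }
$current  = @{ 'api.example.com' = '203.0.113.25'; 'db.example.com' = '198.51.100.7'; 'new.example.com' = '192.0.2.44' }

# Constructed NSG rules (only the properties this sketch needs).
$rules = @(
    [pscustomobject]@{ Nsg = 'nsg-app'; Name = 'Allow-Api___MONITORED___'; DestinationAddressPrefix = '203.0.113.10' }
    [pscustomobject]@{ Nsg = 'nsg-app'; Name = 'Allow-Api-Manual';         DestinationAddressPrefix = '203.0.113.10' }
    [pscustomobject]@{ Nsg = 'nsg-db';  Name = 'Allow-Db___MONITORED___';  DestinationAddressPrefix = '198.51.100.7' }
)

function Get-IpChange {
    param([hashtable]$Previous, [hashtable]$Current)
    foreach ($fqdn in ($Current.Keys | Sort-Object)) {
        $old = $Previous[$fqdn]          # $null when this FQDN has no stored IP yet (first run)
        if ($old -ne $Current[$fqdn]) {
            [pscustomobject]@{ Fqdn = $fqdn; OldIp = $old; NewIp = $Current[$fqdn] }
        }
    }
}

function Get-PlannedRuleUpdate {
    param($Changes, $Rules, [string]$Suffix)
    foreach ($change in $Changes) {
        if (-not $change.OldIp) { continue }   # no previous IP, so no rule can reference it
        foreach ($rule in $Rules) {
            # Literal suffix test: the suffix is configurable, so avoid -like/-match pattern semantics.
            # Case-sensitive comparison is an assumption of this sketch.
            $managed = $rule.Name.EndsWith($Suffix, [System.StringComparison]::Ordinal)
            if ($managed -and $rule.DestinationAddressPrefix -eq $change.OldIp) {
                [pscustomobject]@{ Nsg = $rule.Nsg; Rule = $rule.Name; From = $change.OldIp; To = $change.NewIp }
            }
        }
    }
}

$changes = @(Get-IpChange -Previous $previous -Current $current)
$changes | Format-Table                       # FQDNs whose change would be reported
Get-PlannedRuleUpdate -Changes $changes -Rules $rules -Suffix $suffix | Format-Table
```

The rule named `Allow-Api-Manual` references the same old IP address but lacks the suffix, so it is left out of the planned updates.
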
This repository contains the following files:
- CreateAutomationAccount.ps1: Installation script. It creates the Automation Account and the required runbooks and assets.
- CreateSchedules.ps1: Post-Installation script to create schedules and automate execution.
- README.md: This file.
- RunAsAccount\CreateAzureRunAsAccount.ps1: Helper script that provides functions to create the Azure RunAs Account in your Automation account.
- Runbooks\MonitorFQDN.ps1: Main runbook. It resolves FQDNs and maintains the list of the corresponding IP addresses. When needed, it invokes child runbooks.
- Runbooks\AzureLogin.ps1: Child runbook that logs into your subscription using the RunAs account.
- Runbooks\SendMail.ps1: Child runbook. It sends email notifications using SendGrid.
- Runbooks\UpdateNSG.ps1: Child runbook. It updates NSG's.
- Runbooks\UpdateUDR.ps1: Child runbook. It updates UDR's.
- Clone the repository to your local machine.
- Create a SendGrid account if you do not have one already. Create an API key and save it (you will need it in step 3).
- Launch PowerShell as Administrator (this is required to create the RunAs account).
- Launch .\CreateAutomationAccount.ps1 and provide a value for the mandatory parameters:
  - resGroupName: Name of the resource group to which you want to deploy the Automation Account
  - resGroupLocation: Location of the resource group
  - subscriptionId: your subscriptionId
  - password: strong password that will be used to secure access to the self signed certificate used by the RunAs account
  - automationAccountName: Name of the Automation Account that will be created
  - sendGridApiKey: API Key for your SendGrid Account
- Log into the Azure portal, browse to your newly created Azure account, update the Azure Modules and install the module AzureRM.Network. To do so:
  - Browse to "Modules" and then click "Update Azure Modules";
  - In the same pane, click "Browse Gallery", search AzureRM.Network, and import it.
- In your Azure Automation Account, open the "Variables" pane and update them according to your monitoring needs:
  - monitoredFqdns: Comma-separated list of FQDN that you want to monitor
  - monitoredRuleTag: Name suffix for the rules (NSG rules and UDR's) that you want to be automatically updated in case of IP address changes
  - recipients: Comma-separated list of email addresses you want notifications to be sent to
  - sender: Email account you want email notifications to come from
- Test the solution by running the runbook "MonitorFQDN". Please note that, in the first run, the script will learn and store the current IP address for each monitored FQDN, and will send out notifications for each FQDN, just as if its IP address had changed.
- Run ./CreateSchedules.ps1 to create schedules in your Automation Account, and link them to the "MonitorFQDN" runbook. Parameters:
  - resGroupName: Name of the resource group that will contain the Automation account
  - automationAccountName: Name of the Automation account (shown in the portal)
  - subscriptionId: Subscription Id
  - EnvironmentName: Environment to log in to (allowed values: "AzureCloud", "AzureUSGovernment")
  - pollingInterval: How frequently (minutes) to perform DNS resolution for monitored FQDN's