- Overview
- Create the Resource Reader and Operator Custom Role
- Deploy BudgetDeallocator Logic App
- Deploy BudgetDeallocatorOrchestrator Logic App
- Create an Azure Cost Management Budget & Alert
Budget Deallocator's intent is to protect budgets from crossing a specified threshold. It does this by deallocating Azure resources when triggered by an Azure Cost Management Budget Alert.
Generally, a resource which is in the deallocated, paused, shutdown, or similar state in Azure no longer incurs compute charges. However, it is important to understand that not all resources in Azure are eligible to be deallocated, and that other charges for deallocated resources, such as storage, will continue to accrue.
Today, the following resource types can be deallocated by Budget Deallocator:
- Azure Virtual Machines
- Azure Synapse Analytics Dedicated Pools
- Azure Kubernetes Service Clusters
Budget Deallocator has been split into two separate Logic Apps so that an ITSM, workflow manager, or similar may be placed in between to handle additional logic such as an approval workflow.
The first Logic App, BudgetDeallocatorOrchestrator, is triggered by the Azure Cost Management Budget alert. Its logic is as follows:
The second Logic App, BudgetDeallocator, is triggered by BudgetDeallocatorOrchestrator and does the actual work of identifying active resources that are candidates to be deallocated and changing their state so they no longer incur compute charges. Its logic is as follows:
You will need to create a custom Azure Role Based Access Control Role so that the BudgetDeallocator Logic App's System Assigned Managed Identity is able to take action on Azure resources on your behalf. This custom role will clone the Reader role so that it may enumerate all resources. You will then extend the role to allow it to take the following actions:
- Microsoft.Compute/virtualMachines/start/action
- Microsoft.Compute/virtualMachines/restart/action
- Microsoft.Compute/virtualMachines/deallocate/action
- Microsoft.Synapse/workspaces/sqlPools/pause/action
- Microsoft.Synapse/workspaces/sqlPools/resume/action
- Microsoft.ContainerService/managedClusters/stop/action
- Microsoft.ContainerService/managedClusters/start/action
From your Azure subscription, click Access Control (IAM), then click Roles. Locate the Reader role, click on the ellipsis (…) on the far right and select Clone.
In the Basics tab, enter Resource Reader and Operator for the Custom role name.
Feel free to add a description.
Leave everything else as default.
In the JSON tab, click Edit, add the following at the end of the "*/read" line, and then click Save.
Note: Please ensure you add the comma after "*/read".

```json
,
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Compute/virtualMachines/deallocate/action",
"Microsoft.Synapse/workspaces/sqlPools/pause/action",
"Microsoft.Synapse/workspaces/sqlPools/resume/action",
"Microsoft.ContainerService/managedClusters/stop/action",
"Microsoft.ContainerService/managedClusters/start/action"
```
Click Review + Create, followed by Create.
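Because this role is granted to a managed identity at subscription scope, it is worth confirming that the saved role contains `*/read` plus the seven actions above and nothing else. The following is an added example, not part of the original solution: `audit_role` is a hypothetical helper, the sample role is constructed, and the `properties.permissions[].actions` layout of the exported JSON is an assumption.

```python
import json

READ_WILDCARD = "*/read"  # the only action in the built-in Reader role
# The seven operator actions this page adds to the cloned role.
EXPECTED_ACTIONS = {
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.Synapse/workspaces/sqlPools/pause/action",
    "Microsoft.Synapse/workspaces/sqlPools/resume/action",
    "Microsoft.ContainerService/managedClusters/stop/action",
    "Microsoft.ContainerService/managedClusters/start/action",
}

# Constructed sample: a drifted copy of the role. The JSON layout
# (properties.permissions[].actions) is an assumption, not from the page.
SAMPLE_ROLE = json.dumps({"properties": {
    "roleName": "Resource Reader and Operator",
    "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
    "permissions": [{
        "actions": sorted(EXPECTED_ACTIONS - {
            "Microsoft.ContainerService/managedClusters/start/action"})
        + [READ_WILDCARD, "Microsoft.Compute/virtualMachines/delete",
           "Microsoft.Synapse/*"],
        "notActions": [], "dataActions": [], "notDataActions": [],
    }],
}})


def audit_role(role_json):
    """Return how a role's granted actions differ from the expected set."""
    granted, data_actions = set(), set()
    for perm in json.loads(role_json)["properties"].get("permissions", []):
        granted.update(perm.get("actions", []))
        data_actions.update(perm.get("dataActions", []))
    required = EXPECTED_ACTIONS | {READ_WILDCARD}
    missing, unexpected = required - granted, granted - required
    return {
        "missing": sorted(missing),        # deallocation would fail for these
        "unexpected": sorted(unexpected),  # privilege beyond what the page grants
        "wildcards": sorted(a for a in unexpected if "*" in a),
        "data_actions": sorted(data_actions),  # the Reader clone should have none
        "ok": not (missing or unexpected or data_actions),
    }


if __name__ == "__main__":
    for key, value in audit_role(SAMPLE_ROLE).items():
        print(f"{key}: {value}")
```

The comparison is an exact string match, so any action not listed on this page is reported as unexpected rather than silently accepted.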
From the Azure Portal, click on the + Create a resource icon on the top of the far-left navigation blade, search for Logic App and select Logic App from the results.
Fill out the Basics form with the appropriate information following the guidance below:
| Field Name | Recommended Value |
| --- | --- |
| Subscription | A centrally managed or "hub" Azure Subscription. |
| Resource Group | budgetDeallocator-RG (Click Create new and follow your organization's naming convention.) |
| Type | Consumption |
| Logic App Name | budgetDeallocator (Follow your organization's naming convention.) |
Leave all other fields as default, click Review + Create and upon validation, click the Create button.
From your new Logic App's resource page, click Identity, then toggle the System Assigned Managed Identity to On and click Save. Click Yes to confirm.
Click Azure Role Assignments.
Next, click + Add role assignment, select Subscription as Scope and the appropriate subscription as Subscription. Select the custom role created earlier, Resource Reader and Operator as Role. Then click Save.
This will allow the Logic App to enumerate and deallocate resources in your environment.
You might find the custom role at the bottom of the list.
Click Logic App Code View from the left-hand navigation blade. Next, select and delete all default code on the right-hand side. Once deleted, paste in the JSON contents of the budgetDeallocator Logic App found here and click Save.
Finally, click Properties on the left-hand navigation blade and copy the Access Endpoint URL to your clipboard.
Preserve the URL for use in the BudgetDeallocatorOrchestrator Logic App.
From the Azure Portal, click on the + Create a resource icon on the top of the far-left navigation blade, search for Logic App and select Logic App from the results.
Fill out the Basics form with the appropriate information following the guidance below:
| Field Name | Recommended Value |
| --- | --- |
| Subscription | Same as above. |
| Resource Group | Same as above. |
| Type | Consumption |
| Logic App Name | budgetDeallocatorOrchestrator |
Leave all other fields as default, click Review + Create and upon validation, click Create.
From your new Logic App's resource page, click Identity, then toggle the System Assigned Managed Identity to On and click Save. Click Yes to confirm.
Click Azure Role Assignments.
Next, click + Add role assignment, select Subscription as Scope, the appropriate subscription as Subscription, and Reader as Role. Then click Save.
This will allow the Logic App to enumerate resources in your environment.
Click Logic App Code View from the left-hand navigation blade. Next, select and delete all default code on the right-hand side. Once deleted, paste in the JSON contents of the budgetDeallocatorOrchestrator Logic App found here and click Designer.
Expand the Define budgetDeallocatorURI by clicking on its title and replace the Value with the URI for your Budget Deallocator Logic App and click Save.
Optionally, you can instead replace the value with another API endpoint such as an ITSM solution or other Logic App to extend functionality.
In Azure Cost Management + Billing, you define Azure Budgets at specific scopes, such as an Enrollment, Management Group, Subscription, and Resource Group. Within these budgets, you can also set thresholds (e.g., 75% of budget) for alerting. Within each threshold, you can send notifications and trigger Azure Action Groups. Azure Action Groups can trigger an ITSM solution or REST API; however, you will focus on triggering the budgetDeallocatorOrchestrator Logic App.
From the Azure Portal, click Cost Management + Billing on the far-left navigation pane. Next, click Cost Management, followed by Budgets.
Set your scope to the appropriate scope you would like to protect against budget overruns. This can be set to an Enrollment, Management Group, Subscription, or Resource Group.
The scope you select here must match or be a child of the scope where you assigned the Reader and Resource Reader and Operator roles to the system assigned managed identities.
Click + Add.
From the Create budget page, give your budget an appropriate Name, Reset period, and Amount. If appropriate, set the Creation date to today's date, then click Next.
Use the following table as guidance for the Alert conditions section.
| Field Name | Recommended Value | Note |
| --- | --- | --- |
| Type | Actual | Triggers when actual consumption (versus forecast) reaches this threshold. |
| % of budget | 90 | Triggers when actual consumption reaches 90% of the budget amount. |
Under Alert recipients (email), enter the email address(es) that should receive a notification. Next, click Manage action group.
From the Action Groups page, click + Create. Fill out the appropriate details in the Basics tab and then go to the Actions tab.
Create the action group in the subscription where the budget is being created.
From the Actions tab, choose Logic App for Action type, then select your budgetDeallocatorOrchestrator Logic App and click OK.
DO NOT enable the Common Alert Schema.
Next, give your action an appropriate name and click Review + Create, followed by Create.
Close the Manage action group window, which will take you back to the Create budget page. You will now be able to choose your new action group from the Action Group drop-down, then click Create.
You now have a Budget Alert trigger that triggers the budgetDeallocatorOrchestrator Logic App that subsequently triggers the budgetDeallocator Logic App to deallocate compute resources in Azure!
For a detailed overview of the solution, please go to the Overview at the top of the page.