This month, Microsoft announced a series of significant updates to the Azure management services. Through this sequence of monthly articles, we aim to provide a detailed overview of the most noteworthy new features. The primary goal is to keep readers up-to-date on these advancements, offering the crucial information needed to delve further into these topics.
The following diagram shows the different areas related to management, which are covered in this series of articles:
Monitor
Azure Monitor
Expansion and improvements to the Azure Monitor for Prometheus service
The managed Azure Monitor for Prometheus service, which facilitates the collection and analysis of metrics through a monitoring solution compatible with the Prometheus project of the Cloud Native Computing Foundation, has announced significant updates:
- The service is now available in 13 additional Azure regions, extending its geographical coverage.
- Introduction of support for TLS (Transport Layer Security) and mTLS (Mutual TLS) based metrics scraping, aimed at Prometheus configurations that use TLS. This feature adds a significant layer of security for authenticated and protected communication between Azure Monitor and Prometheus instances, enhancing data protection in transit.
Billing for “stateful” log search alerts in Azure Monitor (preview)
Starting from May 1, 2024, “stateful” log search alerts in Azure Monitor will be subject to charges. These alerts allow for the execution of a log analysis query on monitored resources at regular intervals, triggering an alert based on the results obtained. The distinctive feature of “stateful” alerts is their ability to automatically resolve when the alert condition is no longer true, thus reducing alert noise and focusing on issues that require attention. This feature is currently in preview and will become publicly available in May. Details on the pricing for log search alert rules can be found on the Azure Monitor pricing page.
Govern
Azure Advisor
Assessment of the Well-Architected Framework on Azure Advisor (preview)
The introduction of the Well-Architected Framework (WAF) assessment on Azure Advisor (in preview) represents a significant step forward in providing users with a deep and holistic understanding of their architectures. This assessment allows for the examination and optimization of architectures across multiple crucial aspects, including resilience, security, cost optimization, operational excellence, and performance efficiency. Implementing and monitoring the recommendations from the WAF assessment through Azure Advisor are valuable tools for improving the effectiveness and efficiency of cloud infrastructures.
Azure Policy
New feature: simple assignment of regulatory compliance policies to the Azure Landing Zone (ALZ)
Microsoft has announced a new feature for the Azure Landing Zone portal accelerator that will make large-scale regulatory compliance more consistent and simpler to implement. Azure Policy initiatives can now be assigned to Management Groups at deployment with just a few clicks.
Azure Cost Management
Support for the AWS connector in Cost Management will end on March 31, 2025
The connector for AWS in Microsoft Cost Management, designed to consolidate cost data from Microsoft Azure and AWS, will be retired. Users are encouraged to consider an alternative solution before the retirement date to complete the transition in a timely manner. After March 31, 2024, it will no longer be possible to add new AWS Connectors in Cost Management for all users, and from March 31, 2025, access to the AWS Connector as well as cost reports that include AWS data will be discontinued. In addition, all AWS cost data present on Microsoft Cost Management will be deleted, except for Cost and Usage Report (CUR) files which will remain available in the user’s S3 bucket on the AWS console.
Cost analysis add-on for AKS (General Availability)
The cost analysis add-on for Azure Kubernetes Service (AKS) is now available. This native Azure experience offers visibility into the underlying infrastructure costs associated with AKS workloads, with a cost breakdown based on Kubernetes constructs like clusters and namespaces, as well as Azure asset categories. Additionally, cost allocation data can be viewed directly in the Azure portal’s cost management section. The add-on helps monitor, allocate, and optimize AKS costs.
Updates related to Microsoft Cost Management
Microsoft is constantly seeking new methodologies to improve Microsoft Cost Management, the solution to provide greater visibility into where costs are accumulating in the cloud, identify and prevent incorrect spending patterns, and optimize costs. This article reports some of the latest improvements and updates regarding this solution.
Secure
Microsoft Defender for Cloud
Azure Defender for Microsoft Azure Database for PostgreSQL – Flexible Server
Microsoft has made Defender for Cloud available for Azure Database for PostgreSQL – Flexible Server, thus enhancing database security with advanced detection capabilities. This sophisticated solution is designed to detect suspicious activities that may indicate unusual and potentially dangerous attempts to access or compromise databases. With its implementation, Defender for Cloud introduces an additional significant layer of protection for Azure Database for PostgreSQL – Flexible Server, complementary to the already integrated security measures, ensuring an even more robust defense against threats.
New features, bug fixes, and deprecated features of Microsoft Defender for Cloud
The development of Microsoft Defender for Cloud is constantly evolving, with continuous improvements being introduced. To stay updated on the latest developments, Microsoft updates this page, which provides information on new features, bug fixes, and deprecated features. Specifically, this month’s main news includes:
- Agentless scanning for VMs encrypted with CMK in Azure: this functionality, already available for AWS and GCP, is now present for Azure. It uses a unique approach to scan VMs encrypted with CMK without Defender for Cloud managing the keys or the decryption process, which is instead handled transparently by Azure Compute. The unencrypted VM disk data is not copied or re-encrypted with another key, and the original key is not replicated. During the public preview, this capability is not enabled automatically, but is available for those using Defender for Servers P2 or Defender CSPM with VM disks encrypted with CMK.
- New recommendations for endpoint detection and response: announced new recommendations that discover and assess the configuration of supported endpoint detection and response solutions. These agentless recommendations are available for those who have activated Defender for Servers Plan 2 or the Defender CSPM plan, but do not support on-premises machines.
- Custom security standards and recommendations based on KQL for Azure in public preview: it is now possible to create custom security standards and recommendations based on KQL for Azure, available in public preview and supported in all clouds.
- Inclusion of DevOps recommendations in the Microsoft Cloud Security Benchmark (MCSB): it is now possible to monitor the security and compliance posture of DevOps in the MCSB, which provides prescriptive details on how to implement its security recommendations agnostic to the cloud.
- General availability (GA) integration with ServiceNow: announced the general availability of the integration with ServiceNow.
- Protection of critical assets in Microsoft Defender for Cloud (preview): Defender for Cloud now includes a feature to identify and protect critical assets through risk prioritization, attack path analysis, and cloud security explorer.
- Enhanced recommendations for AWS and GCP with automatic remediation scripts: improved recommendations for AWS and GCP with automatic remediation scripts that allow for large-scale application of remedies.
- Addition of compliance standards to the compliance dashboard (preview): based on user feedback, new compliance standards have been added in preview to the compliance dashboard for AWS and GCP resources protected by Defender for Cloud.
- Retirement of the container vulnerability assessment by Defender for Cloud powered by Qualys: this assessment has been retired. Customers who were using this assessment should switch to the vulnerability assessments for Azure with Microsoft Defender Vulnerability Management.
Protect
Azure Backup
Azure Backup for VMs: agentless backup of multiple disks with crash consistency (preview)
Azure VM backup introduces support for agentless backup of multiple disks with crash consistency, currently in public preview. This feature allows for the backup of VMs without the need to install additional software, such as the VM agent or the snapshot extension, inside the VM itself. This feature can also be used if the operating system is not supported for backup with application-level consistency.
Migrate
Azure Migrate
New releases and features of Azure Migrate
Azure Migrate is the service in Azure that includes a broad portfolio of tools that can be used, through a guided user experience, to effectively address the most common migration scenarios. To stay updated on the latest developments of the solution, you can consult this page, which provides information on new releases and new features.
Azure Evaluation
For those who wish to explore and personally evaluate the services offered by Azure, a unique opportunity is available: by accessing this page, you can test various features and services for free. This will allow you to better understand how Azure can adapt and improve your IT operations, while ensuring security and innovation.