In my previous article, I explored how Azure Arc enables organizations to harness the power of the Azure cloud in managing SQL Servers, regardless of where the databases reside: on-premises, at the edge, or in other cloud environments. This extension of the Azure platform allows for centralized governance, enhanced security, and advanced features without requiring a full migration to the cloud.

But once this new management approach is enabled, what services are available, and how is licensing handled? What models are available, and how do they differ from traditional SQL Server licensing?

In this article, we’ll answer these questions by delving into the SQL Server licensing model enabled by Azure Arc and comparing the different approaches to help organizations choose the solution that best fits their needs.

Features Included at No Additional Cost

Azure Arc for SQL Server provides many features at no extra charge, depending on the type of license held. If the organization already has a SQL Server license with Software Assurance (L+SA) or opts for the PAYG (Pay-As-You-Go) model, it can access advanced tools for free, such as:

Best practices assessment
Automated patching
Automated local backups
Point-in-time restore
TDE encryption via Azure Key Vault

For customers with a License-only (L-only) model, even without SA, key governance features are still included—such as resource inventory, failover cluster management, and support for Always-On Availability Groups.

These capabilities allow for a cloud-like management experience, even while keeping databases on local infrastructure.

Figure 1 – SQL Server enabled by Azure Arc pricing model

Value-Added Advanced Services

Naturally, Azure Arc also enables the extension of feature sets through optional paid services, which can be activated selectively based on need:

Microsoft Defender for SQL Server, for advanced protection
Log Analytics and Azure Monitor, for deep monitoring
Azure Policy, for configuration and compliance management
Purview, for data governance
Cluster-aware patching and long-term backups to Azure or Amazon S3, for resilient and modern operations

This modularity allows organizations to scale their management capabilities based on actual needs while maintaining control over costs.

A New Perspective on Licensing Management

Traditionally, SQL Server licensing has been based mainly on Enterprise Agreements and Software Assurance contracts, binding companies to three-year purchases and requiring accurate forecasting of future usage. However, this approach doesn’t align well with modern IT environments, which are marked by workload fluctuations, hybrid adoption, and the need for more dynamic cost optimization.

Limitations of Traditional Licensing

In the face of this new flexibility, it’s worth highlighting the shortcomings of the traditional model. In addition to rigid contracts and lack of flexibility for workloads, organizations often face:

Difficulty tracking actual usage
Risk of under- or over-provisioning
Unexpected and costly true-ups
Complexities in managing across multiple teams and locations

In hybrid and distributed scenarios, these limitations can slow down processes and increase costs.

This is exactly where Azure Arc comes in—not only to extend management functionalities but also to introduce new licensing models that overcome past limitations.

The PAYG Model: Licensing That Fits

To meet these needs, Azure Arc offers a Pay-As-You-Go (PAYG) model for SQL Server, allowing organizations to pay strictly for what they use—hourly or monthly.

The benefits are significant:

No upfront costs: Ideal for temporary environments, testing, or seasonal workloads.
Adaptability: Licensing follows actual usage, reducing waste.
Targeted billing: Costs can be broken down by project, department, or individual server.
Visibility and control: The Azure portal enables continuous monitoring, compliance checks, and role-based access.
Cost-saving opportunities: PAYG licenses can be included in MACC agreements and treated as OpEx, making spending more predictable.

Conclusion

The true value of Azure Arc for SQL Server lies not only in its technical capabilities but in the innovative operating model it enables: greater visibility, centralized control, process automation, and cost optimization.

Whether it’s environments under strict regulatory requirements, intermittent workloads, or gradual modernization journeys, Azure Arc offers a flexible licensing approach that aligns perfectly with real business needs.

Azure Arc truly revolutionizes SQL Server license management, moving beyond a traditional, often rigid and complex model, to embrace a dynamic, transparent model that is natively integrated with Azure cloud tools.

This evolution allows organizations to respond more agilely to the challenges of an increasingly distributed IT landscape, making the most of existing infrastructure and accelerating digital transformation.

This blog post series highlights the key announcements and major updates related to Azure Infrastructure as a Service (IaaS) and Azure Local, as officially released by Microsoft in the past two weeks.

Azure

Compute

Retirement of D, Ds, Dv2, Dsv2, and Ls Series Virtual Machines

Microsoft has announced the retirement of the D, Ds, Dv2, Dsv2, and Ls series virtual machines, effective May 1, 2028. After this date, these VM series will no longer be available for use or purchase. Customers currently utilizing these VM types are advised to begin planning their migration strategies toward newer VM generations to ensure ongoing compatibility and support for their applications. As part of the phased retirement process, three-year reserved instances for these VMs will no longer be available for purchase or renewal starting May 1, 2025. One-year reservations will continue to be offered until 2027. For those with active three-year reservation contracts, the benefits will remain valid until contract expiration. Beyond that point, instances will revert to pay-as-you-go pricing. To avoid billing surprises and ensure continuity, customers should review their reservations and take action to transition affected workloads.

Networking

Azure Firewall Updates – Parallel IP Group Updates

Azure Firewall now supports Parallel IP Group Updates, enabling administrators to update multiple IP Groups simultaneously as part of their firewall or firewall policy changes.

Key Benefits

Faster & Scalable Updates: Update up to 20 IP Groups in parallel, achieving up to 2x faster update times compared to sequential updates.
Improved Visibility: Enhanced error messaging allows administrators to quickly identify and resolve issues. Even if one IP Group fails, other updates continue uninterrupted, preserving overall system integrity.

This update significantly improves management efficiency and scalability for large-scale or dynamic firewall policy environments.

New Regions for Azure Front Door Premium with Private Link-Enabled Origins

Azure Front Door Premium now supports Private Link-enabled origins in West US 2 and Southeast Asia regions. This feature allows content to be delivered through public Front Door endpoints while keeping backend origins inaccessible from the public internet, enhancing security and privacy. With the addition of these new regions, organizations can now deploy Private Link-enabled architectures in more geographies, improving network performance and meeting regional compliance requirements.

Network isolated cluster in AKS

Azure Kubernetes Service (AKS) now offers network isolated clusters, enabling a simplified approach to securing network access to Kubernetes workloads. While customers have traditionally relied on Azure Firewall to control egress traffic and enforce isolation, this approach often introduces added complexity and cost. With network isolated clusters, organizations can reduce the risk of unintentional exposure of public endpoints and strengthen the security posture of their AKS deployments. This built-in feature helps minimize attack surfaces by ensuring tighter control over how clusters connect to external networks, supporting compliance and data protection goals with greater ease.

ExpressRoute Resiliency Enhancements (preview)

Microsoft has introduced new resiliency validation and insight capabilities for ExpressRoute, now available in public preview. These enhancements aim to improve the assessment and monitoring of ExpressRoute-enabled workloads, offering more robust and transparent insights into network reliability. The resiliency validation feature allows customers to simulate site failovers on their Virtual Network Gateways, enabling proactive testing during planned migrations or outage scenarios. This helps verify failover mechanisms and ensures continued connectivity to Azure services. In addition, the new resiliency insights capability introduces a resiliency index — a percentage-based score that evaluates ExpressRoute reliability based on criteria such as route resilience, use of zone-redundant gateways, advisory feedback, and test results from resiliency validation. These metrics allow organizations to identify weak points in their network architecture and make informed improvements to enhance the robustness of their connectivity.

Increased VNet limits for Private Endpoints (preview)

Microsoft has introduced High Scale Private Endpoints, now in public preview, enabling significantly increased limits for deploying Azure Private Endpoints within Virtual Networks (VNets) and across peered VNets. Previously, customers could only create up to 1,000 private endpoints within a single VNet, and exceeding this limit required a support request. Additionally, Microsoft recommended a soft limit of 4,000 private endpoints across peered VNets to avoid connectivity issues. With the introduction of High Scale Private Endpoints, these limits are substantially raised—allowing up to 5,000 private endpoints within a single VNet and 20,000 across peered VNets. This capability is especially beneficial for large-scale, service-rich environments where extensive use of private connectivity is essential. Customers seeking greater scalability for their private networking configurations are encouraged to adopt High Scale Private Endpoints to support growing infrastructure needs without the complexity of manual quota increases.

Storage

Vaulted Backup for Azure Files

Azure Backup has announced the general availability of Vaulted Backup support for Azure Files – Standard tier, providing a robust, enterprise-grade solution to protect data and applications hosted on Azure SMB file shares.

Key Features & Benefits

Integrated Protection Policy: Combine snapshot and vaulted backup in a single policy to protect data in a secure Recovery Services vault.
Regional Recovery: Ensure data resilience with support for cross-region restore.
Advanced Protection Capabilities:
- Ransomware protection and immutability
- Restore capability even if the file share is deleted
Azure File Sync Integration: Seamlessly protect cloud-tiered data from Azure File Sync, enabling long-term retention in a cost-effective way.

With this release, customers can meet compliance, security, and business continuity requirements while simplifying backup management and reducing data protection costs.

Azure File Sync support for managed identities

Azure File Sync now supports managed identities, a feature that has reached general availability. This enhancement replaces the need for shared keys with a more secure and streamlined authentication mechanism through system-assigned managed identities provided by Microsoft Entra ID. By configuring managed identities within an Azure File Sync deployment, these identities will handle authentication in several key scenarios: the Storage Sync Service authenticating to the Azure file share, registered servers authenticating to the Azure file share, and registered servers authenticating to the Storage Sync Service. To further simplify the setup and improve security, managed identities are now enabled by default for all new Storage Sync Services. Configuration can be completed directly through the Azure portal, eliminating the previous dependency on PowerShell. This updated experience is being gradually rolled out across all Azure regions. The feature is available at no additional cost in all Azure Public and Government cloud regions, making it a recommended approach for customers seeking enhanced security and simplified identity management.

Azure NetApp Files Flexible Service Level (Preview)

Azure has introduced a Flexible Service Level for Azure NetApp Files, now in public preview, allowing customers to independently configure storage capacity and throughput for greater cost and performance optimization.

Key Features & Benefits

Customizable Throughput: Scale throughput independently from capacity, up to 640 MiB/s per provisioned TiB, which is up to 5x higher than the Ultra tier.
Manual QoS Pools: Supported with manual QoS capacity pools, offering a baseline throughput of 128 MiB/s at no additional cost.
Right-Sized Performance:
- High throughput for smaller pools – Ideal for SAP HANA, Oracle, and other demanding workloads.
- Cost savings for high-capacity/low-throughput workloads – Reduce cost without compromising storage footprint.
No Volume Moves Required: Avoid service disruptions or reconfigurations when scaling performance or storage.

This new service level offers unprecedented flexibility, allowing customers to fine-tune Azure NetApp Files performance and cost based on exact workload requirements.

Azure Local

Azure Local – 2503 Update Released

The 2503 update for Azure Local has been officially released as of March 31st, introducing a set of baseline enhancements focused on improving registration, deployment, and overall management experience. This update reflects ongoing efforts to simplify operations and bolster security within Azure Local environments.

Key changes include a shift in the extension installation process: extensions are no longer installed during the registration phase but are now deployed during machine validation. Additionally, the local UI used for bootstrapping has been deprecated in favor of the Configurator app, providing a more modern and flexible onboarding experience. The Arc registration flow has also been streamlined—Service Principal Name (SPN) is deprecated, and a simplified Arc installer script now relies solely on the Start-ArcBootstrap command.

The update also supports composed images for OEMs and enables deployment of both current and previous versions of Azure Local. While the Azure portal supports the latest version, prior versions must be deployed using dedicated Azure Resource Manager templates.

Other notable improvements include enhanced security for the Bootstrap service, integrated environment checks for connectivity and validation, improved update applicability logic, and support for downloading platform update packages via URLs. Finally, users can now connect to Azure Local VMs over SSH or RDP from within the host network, removing the requirement for line-of-sight access.

Azure Local Performance Metrics Dashboard

Microsoft has introduced the Azure Local Performance Metrics Dashboard, a powerful new tool designed to provide comprehensive visibility into the health and performance of Azure Local systems. With over 60 metrics collected by default—at no additional cost—this out-of-the-box solution delivers actionable insights across storage, network, and compute resources.

Metrics are automatically gathered by the TelemetryAndDiagnostics agent, which is configured during deployment, enabling seamless access to system telemetry without requiring manual setup. The dashboard offers deep visibility into several critical performance areas:

Storage Performance: Includes disk read/write operations and throughput, volume latency, and insights into VHD and physical disk activity to help optimize storage usage.
Network Performance: Monitors data transmission metrics such as Netadapter Bytes Sent/Received, RDMA traffic, and VM-level network activity for early detection of bottlenecks or connectivity issues.
Compute Metrics: Tracks memory usage (available, assigned, used, pressure) across host and guest environments, along with CPU utilization metrics for both host and virtual machines.

This centralized performance dashboard empowers administrators to proactively manage their Azure Local environments, facilitating data-driven decisions to maintain system efficiency and reliability.

Support for 4-node switchless configuration

Microsoft has introduced official documentation to support 4-node switchless configurations, expanding the deployment options for Azure Stack HCI and other Azure-integrated infrastructure solutions.

This update provides organizations with the flexibility to deploy smaller, cost-effective clusters without the need for dedicated network switches between nodes. The switchless architecture simplifies the physical setup and reduces hardware requirements while maintaining essential performance and connectivity capabilities for supported scenarios.

By adding support for this topology, Microsoft continues to enhance deployment versatility, especially for edge and branch environments where simplicity and space efficiency are crucial.

Conclusion

Over the past two weeks, Microsoft has introduced a slew of updates and announcements pertaining to Azure Infrastructure as a Service (IaaS) and Azure Local. These developments underscore the tech giant’s unwavering commitment to enhancing its cloud offerings and adapting to the ever-evolving needs of businesses and developers. Users of Azure can anticipate improved functionalities, streamlined services, and enriched features as a result of these changes. Stay tuned for more insights as I continue to monitor and report on Azure’s progression in the cloud sphere.