Microsoft constantly announces news regarding Azure management services. This summary, published monthly, gives an overall overview of the main news of the current month, so that you can stay up to date and have the references needed for further study.
The following diagram shows the different management areas covered in this series of articles, to help you stay up to date on these topics and to better deploy and maintain applications and resources.
Azure Monitor
New agent version for Windows systems
A new version of the Log Analytics agent for Windows systems has been released this month. The new version includes a new troubleshooting tool and handles changes to certificates in Azure services differently.
The uniqueness of Log Analytics workspace names is now per resource group
In the past, the name of an Azure Monitor Log Analytics workspace had to be globally unique across all subscriptions: once a workspace name was used by one customer, it could not be reused by others. Microsoft has changed the way workspace name uniqueness is enforced, and it is now managed within the scope of the resource group.
New built-in Azure Policy definitions for data encryption in Azure Monitor
Azure Monitor provides built-in policies for data encryption governance and for control over the key used for encryption at rest. These are the new built-in policies available for data encryption:
- Azure Monitor logs clusters should be encrypted with customer-managed key: audits whether a Log Analytics cluster is defined with a customer-managed key.
- Azure Monitor logs clusters should be created with infrastructure-encryption enabled (double encryption): audits whether a Log Analytics cluster is created with infrastructure encryption enabled.
- Azure Monitor logs for Application Insights should be linked to a Log Analytics workspace: audits whether Application Insights is linked to a Log Analytics workspace for data storage. The workspace can then be linked to a Log Analytics cluster for customer-managed key settings.
- Saved queries in Azure Monitor should be saved in a customer storage account for logs encryption: audits whether the workspace has a linked storage account, which allows encryption with a customer-managed key.
- Log alert queries in Azure Monitor will be saved in the customer storage account if the workspace has a linked storage account, which allows encryption with a customer-managed key.
Improvements for Log Alerts
Log Alerts in Azure Monitor allow users to run a Log Analytics query against resource logs at a set frequency and fire an alert based on the results. Rules can trigger one or more actions through Action Groups. In this context, two highly requested features have been released (in preview):
- Stateful Log Alerts: with this feature enabled, fired alerts are automatically resolved once the condition is no longer met, matching the behavior of metric alerts.
- 1-minute frequency: with this feature enabled, the alert query is evaluated every minute to check the specified condition, reducing the overall time needed to fire a Log Alert.
Availability in new regions
Azure Monitor Log Analytics is now also available in the South India region.
To check the availability of the service in all Azure regions, you can consult this document.
Container insights: support for monitoring Azure Arc enabled Kubernetes environments (preview)
Container insights in Azure Monitor has extended its monitoring capabilities to Azure Arc enabled Kubernetes clusters, providing the same monitoring capabilities available for Azure Kubernetes Service (AKS), which include:
- Visibility into the performance of the environment, through memory and processor metrics for controllers, nodes and containers.
- Viewing the collected information through workbooks and in the Azure portal.
- Alerting and the ability to query historical data for troubleshooting.
- The ability to inspect Prometheus metrics.
Azure Automation
Availability in new regions
Azure Automation is now also available in the South India region.
Support for System Assigned Managed Identities for cloud and Hybrid jobs (public preview)
Azure Automation has introduced support for System Assigned Managed Identities for cloud and Hybrid jobs. The advantages of using Managed Identities include:
- The ability to authenticate to any Azure service that supports Azure AD authentication.
- Elimination of the overhead of managing Run As accounts in runbook code. A runbook can access resources through the Managed Identity of the Automation account, without having to create a RunAsCertificate, a RunAsConnection, and so on.
- No need to renew the certificate used by the Automation Run As account.
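As an added illustration (not code from the page or from Microsoft), the following runbook shows the Run As sign-in pattern that a System Assigned Managed Identity replaces, beside the new pattern; the resource group name rg-demo and the VM name vm-demo are placeholders.

```powershell
# Added example, not from the original page. Contrasts the Run As account
# pattern with sign-in through the Automation account's System Assigned
# Managed Identity. 'rg-demo' and 'vm-demo' are placeholder names.

# --- Before: Run As account (certificate-based service principal) ---
# The runbook depended on a connection asset and a certificate that had
# to be renewed periodically.
# $conn = Get-AutomationConnection -Name 'AzureRunAsConnection'
# Connect-AzAccount -ServicePrincipal `
#     -Tenant $conn.TenantId `
#     -ApplicationId $conn.ApplicationId `
#     -CertificateThumbprint $conn.CertificateThumbprint | Out-Null

# --- After: System Assigned Managed Identity ---
# No secret or certificate lives in the runbook or in Automation assets;
# Azure AD issues the token to the Automation account's identity at run time.
Disable-AzContextAutosave -Scope Process | Out-Null
try {
    $ctx = (Connect-AzAccount -Identity).Context
} catch {
    throw "Managed identity sign-in failed; check that the System Assigned identity is enabled on the Automation account. $_"
}
Set-AzContext -SubscriptionId $ctx.Subscription.Id | Out-Null

# The identity still needs an RBAC role on the target scope (for example
# 'Virtual Machine Contributor' on rg-demo); grant only what the runbook needs.
$vm    = Get-AzVM -ResourceGroupName 'rg-demo' -Name 'vm-demo' -Status
$power = ($vm.Statuses | Where-Object Code -like 'PowerState/*').DisplayStatus
Write-Output "vm-demo power state: $power"
```

The same sign-in works for a job running on a Hybrid Runbook Worker, so the runbook code no longer changes between cloud and hybrid execution.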
Azure Cost Management
Updates related to Azure Cost Management and Billing
Microsoft is constantly looking for new ways to improve Azure Cost Management and Billing, the solution that provides greater visibility into where cloud costs are accumulating, identifies and prevents erroneous spending patterns, and optimizes costs. This article reports some of the latest improvements and updates to this solution, including:
- Detail costs expressed in currencies other than the dollar
- New date selector in cost analysis (preview)
- News regarding Cost Management Labs
- New ways to achieve Azure cost savings
Azure Security Center
New features, bug fixes and deprecated features of Azure Security Center
Azure Security Center is constantly evolving and improvements are made on an ongoing basis. To stay up to date on the latest developments, Microsoft maintains this page, which provides information about new features, bug fixes and deprecated features. In particular, this month's main updates are:
- Refreshed resource health page (preview)
- Container registry images that have been recently pulled are now rescanned weekly
- Azure Defender for Kubernetes to protect hybrid and multi-cloud Kubernetes deployments (preview)
- Microsoft Defender for Endpoint integration with Azure Defender now supports Windows Server 2019 and Windows 10 Virtual Desktop (WVD)
- Recommendations to enable Azure Defender for DNS and Resource Manager (preview)
- Three regulatory compliance standards added: Azure CIS 1.3.0, CMMC Level 3, and New Zealand ISM Restricted
- Four new recommendations related to guest configuration (preview)
- CMK recommendations moved to best practices security control
- 11 Azure Defender alerts deprecated
- Two recommendations from “Apply system updates” security control were deprecated
- Azure Defender for SQL on machine tile removed from Azure Defender dashboard
- 21 recommendations moved between security controls
Azure Backup
Azure Dedicated Host protection support
Azure Backup has introduced support for backing up and restoring virtual machines residing on Azure Dedicated Host, physical servers dedicated to your organization whose capacity is not shared with other customers. This feature is available in all Azure regions where Azure Dedicated Host can be activated.
Azure VM Scale Sets protection with orchestration mode (preview)
Azure Backup now allows you to back up and restore Azure VM Scale Sets that use orchestration mode, which provides a logical grouping of virtual machines managed by the platform.
Improvements in encryption using customer-managed keys (preview)
Azure Backup now allows you to use your own keys to encrypt backup data residing in Recovery Services vaults. This new feature gives you greater control over the encryption of your data. Furthermore, you can use Azure Policy to audit and enforce encryption with keys managed directly by the customer.
Azure Site Recovery
Support for Azure Policy (preview)
Azure Policy can now be used to enable Azure Site Recovery for virtual machines at scale. After creating a disaster recovery policy for a resource group, every new virtual machine added to that resource group will have Site Recovery enabled automatically. Furthermore, through a remediation task, Site Recovery can also be enabled for all virtual machines already present in the resource group.
Support for cross-continental disaster recovery (for 3 region pairs)
Azure Site Recovery has introduced support for cross-continental disaster recovery. With this feature, a virtual machine can be replicated from an Azure region on one continent to a region on another continent. In the event of a planned or unplanned outage, you can fail over the virtual machine across continents and, once the interruption has been mitigated, bring it back to the continent of origin (fail back) and protect it again. This feature is currently available for the following 3 pairs of intercontinental regions:
- Southeast Asia and Australia East
- Southeast Asia and Australia Southeast
- West Europe and South Central US
Support for proximity placement groups in hybrid and cloud disaster recovery scenarios
Azure Site Recovery has introduced support for proximity placement groups (PPG) in hybrid and cloud disaster recovery scenarios. With this support, an on-premises physical or virtual machine, or an Azure virtual machine, can be replicated into a PPG in the chosen Azure target region. When the failover plan is activated, Site Recovery brings up the failover VM inside the target PPG selected by the user. This functionality is available through the Azure portal, PowerShell and the REST API, in all Azure regions.
Azure Migrate
New Azure Migrate releases and features
Azure Migrate is the Azure service that brings together a large portfolio of tools that you can use, through a guided experience, to address the most common migration scenarios effectively. To stay up to date on the latest developments in the solution, please consult this page, which provides information about new releases and features. In particular, this month's release includes:
- The Azure Migrate: Discovery and Assessment and Azure Migrate: Server Migration tools can now connect privately and securely to the Azure Migrate service over ExpressRoute or a site-to-site VPN, using Azure Private Link. This connectivity method is recommended when there is an organizational requirement to reach the Azure Migrate service and other Azure resources without crossing public networks, or when you want better bandwidth or latency.
Evaluation of Azure
To try Azure for free and evaluate the services it provides, you can access this page.