In March, Microsoft announced several news items regarding Azure management services. This series of articles, published monthly, lists the major announcements, accompanied by the references needed for further study.
The following diagram shows the different areas related to management, which are covered in this series of articles:
Ingestion client libraries
- Upload custom logs to a Log Analytics workspace.
- Modernize security standards by requiring Azure Active Directory token-based authentication.
- Complement the Azure Monitor Query libraries, which are used to query logs in a Log Analytics workspace.
Collecting Syslog from AKS nodes using Azure Monitor Container Insights (preview)
Customers can now use Azure Monitor Container Insights to collect Syslog from their Azure Kubernetes Service (AKS) cluster nodes. In combination with SIEM systems (Microsoft Sentinel) and monitoring tools (Azure Monitor), Syslog collection tracks security and health events of IaaS and containerized workloads.
Azure Monitor managed service for Prometheus now supports PromQL queries
Thanks to Azure Workbooks support for Azure Monitor managed service for Prometheus, users can use Prometheus workbooks to run PromQL queries in the portal. Users can also create custom reports for Prometheus workbooks.
Azure Monitor supports Availability Zones in new regions
Azure Monitor continues to expand its availability zone support by adding three regions: Canada Central, France Central and Japan East.
Azure Monitor alerts support cloning
When viewing the details of an alert rule in the Azure portal, a new “Duplicate” option is now available, which allows you to duplicate the alert rule. Selecting this option for an existing alert rule starts the rule creation wizard, pre-populated with the original alert rule configuration, while still allowing you to make changes.
Retirement of the agent-based Hybrid Worker (Windows and Linux) announced for 31 August 2024
Azure Automation is deprecating the agent-based Hybrid Runbook Worker (Windows and Linux), which will be retired on 31 August 2024. You must migrate to extension-based Hybrid Workers (Windows and Linux) by that date.
The main advantages of the extension-based Hybrid Runbook Worker are:
- uses system-assigned managed identities, so you don't need to manage certificates for authentication;
- offers automatic updating of minor versions;
- simplifies hybrid worker management at scale with native integration with Azure Resource Manager and governance with Azure Policy.
Migrating authentication from Run As account to Managed Identity in ASR
It is now possible to migrate the authentication type of accounts, moving to managed identities, using Azure Site Recovery from the Azure portal. Authentication of runbooks via Run As accounts will be deprecated on 30 September 2023. Before that date, runbooks need to be migrated to enable the use of Managed Identities.
Azure Cost Management
Updates related to Microsoft Cost Management
Microsoft is constantly looking for new methodologies to improve Microsoft Cost Management, the solution that provides greater visibility into where costs are accumulating in the cloud, helps identify and prevent incorrect spending patterns, and optimizes costs. In this article the latest improvements and updates concerning this solution are reported.
Improved Azure Arc integration with Datadog
Microsoft is improving the ability to observe and manage IT infrastructure thanks to the integration of Microsoft Azure Arc with Datadog. Building on their established collaboration, Microsoft is integrating Datadog natively with Azure Arc to meet the needs of Datadog customers, providing rich insights from Azure Arc-enabled resources directly in Datadog dashboards. Customers can monitor real-time data during cloud migrations, as well as the performance of applications running in public cloud, hybrid or multicloud environments.
Microsoft Defender for Cloud
New features, bug fixes and deprecated features of Microsoft Defender for Cloud
Microsoft Defender for Cloud development is constantly evolving and improvements are being made on an ongoing basis. To stay up to date on the latest developments, Microsoft updates this page, which provides information about new features, bug fixes and deprecated features. In particular, this month the main news concerns:
- availability of a new Defender for Storage plan, which includes near real-time scanning for malware and detection of threats to sensitive data;
- data-aware security posture (preview);
- new experience for managing Azure default security policies;
- Defender for CSPM (Cloud Security Posture Management) is now available (GA);
- ability to create custom security standards and recommendations in Microsoft Defender for Cloud;
- Microsoft Cloud Security Benchmark (MCSB) version 1.0 is now available (GA);
- some regulatory compliance standards are now available in government clouds;
- new preview recommendation for Azure SQL Servers;
- new alert in Defender for Key Vault.
Immutable vaults for Azure Backup
Immutable vaults are now also available for production environments and offer greater security for backups, ensuring that recovery points, once created, cannot be deleted before they expire. Azure Backup prevents any operation on immutable vaults that could lead to backup data loss. Furthermore, you can lock the immutable vault property to make it irreversible. This helps protect your backups from threats such as ransomware attacks and malicious actors, preventing operations such as deleting backups or reducing retention in backup policies.
Backup for Azure Kubernetes Service (preview)
Organizations using Azure Kubernetes Service (AKS) increasingly run stateful applications on their clusters, deploying workloads such as Apache Kafka-based messaging queues and databases such as Postgres and MongoDB. With data stored within the cluster, backup and recovery become a major concern for IT managers. Making sure that Kubernetes backup capabilities are scalable, flexible and purpose-built for Kubernetes is central to an overall data protection plan. Azure Backup has now introduced Backup for AKS. This solution simplifies the backup and recovery of containerized applications and data and allows customers to configure a scheduled backup for both cluster state and application data. Backup for AKS is aligned with the Container Storage Interface (CSI) to offer Kubernetes-aware backup capabilities. The solution allows customers to unlock different scenarios, such as data backup for application security and regulatory requirements, cloning of development/test environments and rollback management.
Azure Backup allows you to keep backups in vaults for Azure Blob and for Azure File (preview)
Azure Backup now supports transferring Azure Blob and Azure File backups to vaults. A vault is a logical entity that stores backups and recovery points created over time. You can define a backup schedule for creating recovery points and specify retention settings that determine how long backups will be stored in the vault. Backups in the vault are isolated from the source data and allow you to access the data, by performing restores, even if the source data has been compromised.
Listed below are some of the main features that can be achieved by placing backups in vaults:
- Offsite copy of data: allows you to restore mission-critical data from backups, regardless of the state of the source data.
- Long-term retention of backup data, which helps you meet compliance requirements, particularly in the financial and healthcare sectors, with strict guidelines on the data retention period.
- Recovery in alternate location: allows you to restore data to an alternate account if the source storage account is compromised or create different copies of your data for testing or development purposes.
- Centralized management through the backup center: backups in vaults can be monitored and analyzed at scale alongside other protected workloads using Azure Backup.
- Secure backups: the built-in security features of Azure Backup, such as multi-user authorization (MUA) for critical backup operations, data encryption and role-based access control (RBAC), help protect the backups in the vault and meet your backup security needs.
Azure Site Recovery
Improved the ability to rename network interfaces and disks of protected virtual machines
ASR introduces a new, easier way to name and rename the network interfaces (NICs) and disks of virtual machines in Recovery Services vaults.
New Azure Migrate releases and features
Azure Migrate is the service in Azure that includes a large portfolio of tools that you can use, through a guided experience, to effectively address the most common migration scenarios. To stay up to date on the latest developments in the solution, please consult this page, which provides information about new releases and features. In particular, this month the biggest news is support for web app discovery and assessment for Azure App Service for Hyper-V and physical servers.
Azure Database Migration
Offline Azure SQL Database migrations with the Azure SQL Migration extension
Offline migrations of SQL Server databases running on-premises, on Azure virtual machines or on any virtual machine running in the cloud (private, public) to Azure SQL Database can be performed through the Azure SQL Migration extension. The new migration feature of the Azure SQL Migration extension for Azure Data Studio provides an end-to-end experience to modernize SQL Server to Azure SQL Database. The extension allows you to prepare for the migration with actions to remediate any blockers and to obtain recommendations for adequately sizing the Azure SQL Database targets, including hardware configuration in the Hyperscale service tier.
Evaluation of Azure
To test for free and evaluate the services provided by Azure you can access this page.