Category Archives: Azure Arc

The management of Kubernetes environments with Azure Arc

The principle behind Azure Arc is to extend Azure management and governance practices to different environments and to adopt solutions and techniques, which are typically used in a cloud environment, even for on-premises environments. This article discusses how Azure Arc allows you to deploy and configure Kubernetes applications homogeneously across all environments, adopting modern DevOps techniques.

Thanks to Azure Arc-enabled Kubernetes it is possible to connect and configure Kubernetes clusters located inside or outside the Azure environment. By connecting a Kubernetes cluster to Azure Arc, this:

  • It appears in the Azure portal with an Azure Resource Manager ID and a managed identity.
  • It is inserted within an Azure subscription and a resource group.
  • Allows it to be associated with tags like any other Azure resource.

To connect a Kubernetes cluster to Azure, the agents must be installed on the various nodes. Such agents:

  • They run in the Kubernetes namespace "azure-arc".
  • They manage connectivity to Azure.
  • They collect Azure Arc logs and metrics.
  • They check for configuration requests.

Figure 1 - Agent architecture Azure Arc-enabled Kubernetes

Azure Arc-enabled Kubernetes supports SSL to protect data in transit. Furthermore, to ensure the confidentiality of inactive data, these are stored in an encrypted way in an Azure Cosmos DB database.

Azure Arc agents on Kubernetes systems do not require the opening of inbound ports on firewall systems, but you only need to be enabled to access outbounds to specific endpoints.

For more details on this and for the procedure to follow to connect a Kubernetes cluster to Azure Arc you can consult this official Microsoft documentation.

Supported distributions

Azure Arc-enabled Kubernetes can be enabled with any certified Kubernetes cluster Cloud Native Computing Foundation (CNCF)". In fact, the Azure Arc team collaborated with leading industry partners to validate compliance of their Kubernetes distributions with Azure Arc-enabled Kubernetes.

Supported scenarios

Enabling Azure Arc-enabled Kubernetes The following scenarios are supported:

  • Connecting Kubernetes clusters running in environments other than Azure, to perform inventory operations, grouping and tagging.
  • Application distribution and configuration management based on GitOps mechanisms. Related to Kubernetes, GitOps is the practice of declaring the desired state of Kubernetes cluster configurations (deployments, namespaces, etc.) in a repository Git. This declaration is followed by a poll and pull-based deployment of these cluster configurations using an operator. The Git repository can contain:
    • YAML format manifest describing any valid Kubernetes resources, including Namespaces, ConfigMaps, Deployments, DaemonSets, etc.
    • Chart Helm for application distribution.

Flux, a popular open source tool from GitOps, can be deployed on the Kubernetes cluster to facilitate the flow of configurations from a Git repository to a Kubernetes cluster.

For more details on the CI / CD workflow using GitOps for Azure Arc-enabled Kubernetes clusters you can refer to this Microsoft documentation.

  • View and monitor cluster environments using Azure Monitor for containers.
  • Threat Protection using Azure Defender for Kubernetes. The extension components collect the Kubernetes audit logs from all the nodes of the cluster control plane and send them to the back-end ofAzure Defender for Kubernetesin the cloud for further analysis. The extension is registered with a Log Analytics workspace that is used for the data pipeline, but the audit logs are not stored in the Log Analytics workspace. The extension allows you to protect Kubernetes clusters located at other cloud providers, but it does not allow you to contemplate their managed Kubernetes services.
  • Apply settings via Azure Policy for Kubernetes.
  • Creation of custom locations used as targets for the deployment of Azure Arc-enabled Data Services, App Services on Azure Arc (which includes web, function, and logic apps) and Event Grid on Kubernetes.

Azure Arc-enabled Kubernetes also supports Azure Lighthouse, which allows service providers to access their tenant to manage subscriptions and resource groups delegated by customers.

Conclusions

Companies that need to operate in a hybrid environment thanks to this technology will be able to minimize the effort of managing containerized workloads, extending services such as Azure Policy and Azure Monitor to Kubernetes clusters located in on-premises environments. Finally, through the GitOps approach, you will be able to simplify updates to cluster configurations in all environments, minimizing the risks associated with configuration problems.

Azure Arc for the management of server systems: benefits and usage scenarios

Heterogeneous infrastructures, applications based on different technologies and solutions located on different public clouds are increasingly common elements in corporate IT environments. These complexities, combined with a continuous evolution of their datacenters bring out more and more the need to visualize, govern and protect IT assets, regardless of where they are running. In Microsoft, this customer need was addressed by designing a solution that allows you to manage complex realities, also offering the possibility of bringing cloud innovation even using existing infrastructures: this solution is called Azure Arc. In particular, Azure Arc for servers extends the possibilities offered by Azure in governance and management also to physical machines and virtual systems that reside in environments other than Azure. In this article we will explore the main benefits and implementation scenarios that can be contemplated by adopting Azure Arc in the management of server systems.

Enabling Azure Arc servers allows you to manage physical servers and virtual machines residing outside Azure, on the on-premises corporate network or at other cloud providers. This management experience, valid for both Windows and Linux systems, is designed to provide consistency with the management methodologies of native virtual machines residing in the Azure environment. In fact, connecting a machine to Azure through Arc is considered in all respects as an Azure resource. Each connected machine has a specific ID, it is included in a resource group and benefits from standard Azure constructs.

Figure 1 – Azure Arc Management Overview

Main usage scenarios

The projection of server resources in Azure using Arc is a useful step to take advantage of the management and monitoring solutions described below.

Visibility and organization

In hybrid and multicloud environments, it can be particularly challenging to get a centralized view of all available resources. Some of these resources are running on Azure, some in a local environment, at branch offices or other cloud providers. By connecting resources to Azure Resource Manager via Azure Arc, it is possible to organize, centrally inventory and manage a wide range of resources, include Windows and Linux servers, server SQL, Kubernetes clusters and Azure services running in Azure and outside Azure. This visibility can be obtained directly from the Azure portal and specific queries can be performed using Azure Resource Graph.

Figure 2 - Azure Arc and resources in the Azure portal

Access management

With Azure Arc for servers it is possible to provide access to systems through Azure role-based access control (Azure RBAC). Furthermore, in the presence of different environments and tenants, Azure Arc also integrates with Azure Lighthouse. This scenario can be of particular interest to providers that offer managed services to multiple customers.

Monitor

Through VM Insights it is possible to consult the main performance data, from the guest operating system. Thanks to the powerful data aggregation and filtering functions, it is possible to easily monitor the performance for a very large number of systems and easily identify those that have performance problems. Furthermore, it is possible to generate a map with the interconnections present between the various components residing on different systems. Maps show how VMs and processes interact with each other and can identify dependencies on third-party services. The solution also allows you to check for connection errors, count connections in real time, network bytes sent and received by processes and latencies encountered at the service level.

Figure 3 – Monitoring: Performance

Figure 4 – Monitoring: Map

Azure Policy guest configurations

Guest Configuration Policies allow you to control settings within a system, both for virtual machines running in Azure environment and for "Arc Connected" machines. Validation is performed by the client and by the Guest Configuration extension as regards:

  • Operating system configuration
  • Configuration or presence of applications
  • Environment settings

At the moment, most of the Azure Guest Configuration Policies only allow you to make checks on the settings inside the machine, but they don't apply configurations. For more information on this scenario, you can consult the article Azure Governance: how to control system configurations in hybrid and multicloud environments.

Inventory

This feature allows you to retrieve inventory information relating to: installed software, files, Registry keys in a Windows environment, Windows Services and Linux Daemons. All this can easily be accessed directly from the portal Azure.

Change Tracking

The functionality ofChange Tracking monitors changes made to systems relatively to Daemons, File, Registry, software and services on Windows . This feature can be very useful in particular for diagnosing specific problems and for enabling alerts in the face of unexpected changes.

Figure 5 – Change Tracking e Inventory

Update Management

The solution ofUpdate Management allows you to have an overall visibility on the compliance of updates for both Windows and Linux systems. The solution is not only useful for consultation purposes, but it also allows you to schedule deployments for installing updates within specific maintenance windows.

Figure 6 – Update Management

Azure Defender
The projection of server resources in Azure using Arc is a useful step to ensure that all the machines in the infrastructure are protected by Azure Defender for Server. Similar to an Azure VM, it will also be necessary to deploy the Log Analytics agent on the target system. To simplify the onboarding process this agent is deployed using the VM extension, and this is one of the advantages of using Arc.

Once the Log Analytics agent has been installed and connected to a workspace used by ASC, the machine will be ready to use and benefit from the various security features offered in the Azure Defender for Servers plan.

Deployment Tools

Deployments can be simplified thanks to the use of Azure Automation State Configuration and of Azure VM extensions. This allows you to contemplate post-deployment configurations or software installation using the Custom Script Extension.

Conclusions

Maintain control and manage the security of workloads running on-premises, in Azure and on other cloud platforms it can be particularly challenging. Thanks to Azure Arc for Servers it is possible to easily extend the typical Azure management and monitoring services to workloads residing outside the Azure environment. Furthermore, Azure Arc allows you to obtain detailed information and organize various IT resources in a single centralized console, useful for effectively managing and controlling your entire IT environment.

How to extend Azure Security Center protection to all resources through Azure Arc

Azure Security Center (ASC) was originally developed with the intention of becoming the reference tool for protecting resources in the Azure environment. The much felt need of customers to protect the resources located in environments other than Azure has led to an evolution of the solution that, thanks to integration with Azure Arc, allows you to extend the protection and security management tools to any infrastructure. This article explains how Azure Security Center and Azure Arc allow you to protect non-Azure resources located on-premises or on other cloud providers, as virtual machines, Kubernetes services and SQL resources.

The adoption of Azure Defender using the principles of Azure Arc

Azure Arc allows you to manage workloads residing outside Azure, on the on-premises corporate network or at another cloud provider. This management experience is designed to provide consistency with native Azure management methodologies.

Thanks to the fact thatAzure Security Center and Azure Arc can be used jointly, you have the ability to offer advanced protection for three different scenarios:

Figure 1 - Protection scenarios

By enabling the Azure Defender protection of workloads at the subscription level in the Azure Security Center, it is also possible to consider the resources and workloads residing in hybrid and multicloud environments, all in an extremely simple way thanks to Azure Arc.

Azure Defender for Arc-enabled server systems

By connecting a server machine to Azure via Arc, it is considered to all intents and purposes as an Azure resource. Each connected machine has a specific ID, is included in a resource group and benefits from standard Azure constructs such as Azure Policies and tagging. This applies to both Windows and Linux systems.

To offer this experience, the installation of the specific Azure Arc agent is required on each machine that is planned to connect to Azure ("Azure Connected Machine").

The Azure Arc Connected Machine agent consists of the following logical components:

  • TheHybrid Instance Metadata service (HIMDS) that manages the connection to Azure and the Azure identity of the connected machine.
  • TheGuest Configurationagent that provides in-guest policy and guest configuration features.
  • TheExtension Manageragent that manages installation processes, uninstalling and updating machine extensions.

Figure 2 – Azure Arc Agent Components

The Connected Machine agent requires secure outbound communication to Azure Arc on TCP port 443.

This agent provides no other features and does not replace the Azure Log Analytics agent, which remains necessary when you want to proactively monitor the operating system and workloads running on the machine.

For more information about installing Azure Arc, seethis Microsoft Official Document.

Azure Arc-enabled servers can benefit from several Azure Resource Manager-related features such as Tags, Policies and RBAC, as well as some features related to Azure Management.

Activating Azure Defender for Server with Azure Arc

The projection of server resources in Azure using Arc is a useful step to ensure that all the machines in the infrastructure are protected by Azure Defender for Server. Similar to an Azure VM, it will also be necessary to deploy the Log Analytics agent on the target system. To simplify the onboarding process this agent is deployed using the VM extension, and this is one of the advantages of using Arc.

Once the Log Analytics agent has been installed and connected to a workspace used by ASC, the machine will be ready to use and benefit from the various security features offered in the Azure Defender for Servers plan.

For each resource, it is possible to view the status of the agent and its current security recommendations:

Figure 3 – Azure Arc Connected Machine in ASC

In case there is a need to onboard a non-Azure server in Azure Defender with an operating system version not yet supported by the Azure Arc agent, however, it is possible to perform onboarding by installing only the Log Analytics agent on the machine.

The icons in the Azure portal allow you to easily distinguish the different resources:

Figure 4 - Icons of the different resources present in ASC

 

Azure Defender for Arc-enabled Kubernetes resources

Azure Defender for Kubernetes also allows you to protect clusters located on-premises with the same threat detection features offered for Azure Kubernetes Service clusters (AKS).

For all Kubernetes clusters other than AKS, is necessary connect the cluster environment to Azure Arc. Once the cluster environment is connected, Azure Defender for Kubernetes can be activated as cluster extension on Azure Arc-enabled Kubernetes resources.

Figure 5 - Interaction between Azure Defender for Kubernetes and the Kubernetes cluster enabled for Azure Arc

The extension components collect the Kubernetes audit logs from all the nodes of the cluster control plane and send them to the back-end of Azure Defender for Kubernetes in the cloud for further analysis. The extension is registered with a Log Analytics workspace that is used for the data pipeline, but the audit logs are not stored in the Log Analytics workspace.

The extension also allows you to protect Kubernetes clusters located at other cloud providers, but it does not allow you to contemplate their managed Kubernetes services.

Azure Defender for Arc-enabled SQL Server resources

Azure Defender for SQL allows you to constantly monitor SQL Server implementations for known threats and vulnerabilities. These features are also usable not only for virtual machines in Azure, but also for SQL Server activated in an on-premises environment and in multicloud deployment. Azure Arc-enabled SQL Servers are also part of Azure Arc for servers. To enable Azure services, the’SQL Server instance must be registered with Azure Arc using the Azure portal and a special registration script. After registration, the instance will be represented on Azure as a resource SQL Server – Azure Arc. The properties of this resource reflect a subset of the SQL Server configuration settings.

Figure 6 - Diagram illustrating the Azure Arc architecture for SQL Server resources


Conclusions

Manage security and maintain control of workloads running on-premises, in Azure and on other cloud platforms it can be particularly challenging. Thanks to Azure Arc, it is possible to easily extend Azure Defender coverage to workloads residing outside the Azure environment. Furthermore, Azure Security Center allows you to obtain detailed information on the security of your hybrid environment in a single centralized console, useful for effectively controlling the security of your IT infrastructure.

Azure Governance: how to control system configurations in hybrid and multicloud environments

There are several companies that are investing in hybrid and multicloud technologies to achieve high flexibility, that enables you to innovate and meet changing business needs. In these scenarios, customers face the challenge of using IT resources efficiently, in order to best achieve your business goals, implementing a structured IT governance process. This can be achieved more easily if you have solutions that, in a centralized way, allow you to inventory, organize and enforce control policies on your IT resources wherever you are. Azure Arc solution involves different technologies with the aim of supporting hybrid and multicloud scenarios, where Azure services and management principles are extended to any infrastructure. In this article we will explore how, thanks to the adoption of the Azure Guest Configuration Policy it is possible to control the configurations of systems running in Azure, in on-premises datacenters or other cloud providers.

The principle behind Azure Arc

The principle behind Azure Arc is to extend Azure management and governance practices to different environments and to adopt typically cloud solutions, as DevOps techniques (infrastructure as code), also for on-premises and multicloud environments.

Figure 1 – Azure Arc overview

Enabling systems to Azure Arc

Enabling Azure Arc servers allows you to manage physical servers and virtual machines residing outside Azure, on the on-premises corporate network or at another cloud provider. This applies to both Windows and Linux systems. This management experience is designed to provide consistency with Azure native virtual machine management methodologies. In fact, connecting a machine to Azure through Arc is considered in all respects as an Azure resource. Each connected machine has a specific ID, is included in a resource group and benefits from standard Azure constructs such as Azure Policies and tagging.

To offer this experience, the installation of the specific Azure Arc agent is required on each machine that is planned to connect to Azure ("Azure Connected Machine"). The following operating systems are currently supported:

  • Windows Server 2008 R2, Windows Server 2012 R2 or higher (this includes core servers)
  • Ubuntu 16.04 and 18.04 LTS (x64)
  • CentOS Linux 7 (x64)
  • SUSE Linux Enterprise Server (SLES) 15 (x64)
  • Red Hat Enterprise Linux (RHEL) 7 (x64)
  • Amazon Linux 2 (x64)
  • Oracle Linux 7

The Azure Arc Connected Machine agent consists of the following logical components:

  • TheHybrid Instance Metadata service (HIMDS) that manages the connection to Azure and the Azure identity of the connected machine.
  • The Guest Configuration agent that provides in-guest policy and guest configuration features.
  • TheExtension Manager agent that manages installation processes, uninstalling and updating machine extensions.

Figure 2 – Azure Arc Agent Components

The Connected Machine agent requires secure outbound communication to Azure Arc on TCP port 443.

This agent provides no other features and does not replace the Azure Log Analytics agent, which remains necessary when you want to proactively monitor the operating system and workloads running on the machine.

For more information about installing Azure Arc, see this Microsoft Official Document.

Azure Arc-enabled servers can benefit from several Azure Resource Manager-related features such as Tags, Policies and RBAC, as well as some features related to Azure Management.

Figure 3 – Azure Management for all IT resources

Guest Configuration Policy di Azure

Guest Configuration Policies allow you to control settings within a machine, both for virtual machines running in Azure environment and for "Arc Connected" machines. Validation is performed by the client and by the Guest Configuration extension as regards:

  • Operating system configuration
  • Configuration or presence of applications
  • Environment settings

At the moment, most of the Azure Guest Configuration Policies only allow you to make checks on the settings inside the machine, but they don't apply configurations. The exception is a built-in time zone configuration policy operating system for Windows machines.

Requirements

Before you can check the settings inside a machine, through guest configuration policies, you must:

  • Enable a’extension on the Azure VM, required to download assigned policy assignments and corresponding configurations. This extension is not required for "Arc Connected" machines as it is included in the Arc agent.
  • Make sure that the machine has a system-managed identity, used for the authentication process when reading and writing to the guest configuration service.

Operation

Azure provides built-in specification platform Initiatives and a large number of Guest Configuration Policy, but you can also create custom one both in Windows environment, both in Linux environment.

Guest Configuration policy assignment works the same way as standard Azure Policies, so you can group them into initiative. Specific parameters can also be configured for Guest Configuration Policies and there is at least one parameter that allows you to include Azure Arc-enabled servers. When you have the desired policy definition, it is possible to assign it to a subscription and possibly in a more limited way to a specific Resource Group. You also have the option of excluding certain resources from the application of the policy.

Following the assignment, it is possible to assess the compliance status in detail directly from the Azure portal.

Inside the machine, the Guest Configuration agent uses local tools to audit the configurations:

The Guest Configuration agent checks for new or modified guest policy assignments each 5 minutes and once the assignment is received the settings are checked at intervals of 15 minutes.

The Cost of the Solution

The cost of Azure Guest Configuration Policies is based on the number of servers registered to the service and which have one or more guest configurations assigned. Any other type of Azure Policy that is not based on guest configuration is offered at no additional cost, including virtual machine extensions to enable services such as Azure Monitor and Azure Security Center or auto tagging policies. The billing is distributed on an hourly basis and also includes the change tracking features present through Azure Automation. For more details on costs please visit the Microsoft's official page.

Conclusions

IT environments are constantly evolving and often have to deliver business-critical applications based on different technologies, active on heterogeneous infrastructures and which in some cases use solutions provided in different public clouds. The adoption of a structured IT governance process is easier also thanks to the Guest Configuration Policies and the potential of Azure Arc, that allow you to more easily control and support hybrid and multicloud environments.

Protection of multi-cloud environments with Azure Security Center

The tendency of companies to adopt a multi-cloud strategy is increasingly widespread, but this operating model makes it particularly challenging to achieve high safety standards for your environment. To meet this need, Microsoft has officially made multi-cloud security support available in the Azure Security Center solution, allowing you to also contemplate amazon web services resources (AWS) and Google Cloud Platform (GCP). this article describes the features of this solution that provides a high degree of security and improves security postures in multi-cloud environments.

Azure Security Center (ASC) was originally developed as the best tool to protect resources in an azure environment. However, the need for customers to protect resources located on multiple public clouds is widespread and for this reason the product team has decided to expand the capacity for action, simplifying security management tools in multi-cloud environments. Azure Security Center can protect not only resources in hybrid environments but also contemplate multi-cloud architectures, including AWS and GCP.

Figure 1 – Multi-cloud and hybrid protection in Azure Security Center

These are the features that are made available to users to cover multi-cloud scenarios:

  • Connecting your AWS or GCP accounts to Azure Security Center provides a unified multi-cloud view of your environment's security postures. In particular, if the solutions AWS Security Hub or GCP Security Command Center detect incorrect configurations, these reports are included in the Secure Score template and in the compliance assessment against specific regulations (Regulatory Compliance), present in Azure Security Center.
  • Thanks to the fact that Azure Defender for Servers take advantage of Azure Arc you can simplify the onboarding process, and enable the protection of virtual machines running in AWS environments, GCP or hybrid cloud. All of which includes several features, including, automatic provisioning of agents, policy management, vulnerabilities and EDR (Endpoint Detection and Response) integrated. In particular, for vulnerability assessment functionality it is possible to perform manual or large-scale scans, and analyze the vulnerabilities detected, on scanned systems, through a unified experience.

These features complement multi-cloud support, also recently announced, of Azure Defender for SQL, this allows you to constantly monitor sql server implementations to detect known threats and vulnerabilities. these features are usable for sql server enabled in an on-premises environment, on virtual machines in Azure and also in multi-cloud deployment, contemplating Amazon Web Services (AWS) e Google Cloud Platform (GCP).

The solutionAzure Arc plays a fundamental role in all this and allows you to extend azure management services and principles to any infrastructure. To achieve this, Microsoft has decided to extend the model Azure Resource Manager to support hybrid and multi-cloud environments, this makes it easier to implement the security features in Azure on all infrastructure components.

Figure 2 – Azure Arc for hybrid and multi-cloud environments

The onboarding process and capabilities offered vary depending on the public cloud you intend to incorporate into Azure Security Center. the following paragraphs provide features for both amazon web services (AWS) that for Google Cloud Platform (GCP).

Amazon Web Services (AWS)

The onboarding process of your AWS account integrates the solution AWS Security Hub with Azure Security Center. In this way it is possible to obtain complete visibility and protection of these cloud environments to provide:

  • Automatic agent provisioning. ASC uses Azure Arc to deploy Log Analytics agent on board AWS instances.
  • Policy management.
  • Vulnerability management.
  • EDR (Endpoint Detection and Response) integrated.
  • Detecting security-impacting configuration errors.
  • A single view that can show ASC recommendations and AWS Security Hub.
  • An ASC score that also includes AWS resources.
  • Regulatory compliance assessments also for AWS resources.

The moment the connection with AWS Security Hub is configured correctly:

  • ASC scans AWS environment for EC2 instances, onboarding is done in Azure Arc, allowing log analytics agent to be installed. This gives you threat protection and gets security advice.
  • The ASC service scans new AWS EC2 instances each 6 hours and integrates them according to the configuration made.
  • The AWS CIS standard is shown in asc's regulatory compliance dashboard.
  • If the AWS Security Hub are enabled, recommendations will appear in the asc portal and regulatory compliance dashboard, after a few minutes after the completion of the onboarding process.

Figure 3 – AWS recommendations displayed in the ASC portal

To view active recommendations for your resources by type, you can use the security center asset inventory page and apply the specific filter for the type of aws resource that interests you:

Figure 4 – Display filters for AWS resources

Google Cloud Platform (GCP)

The onboarding mechanism of your GCP account allows you to integrate GCP Security Command with Azure Security Center and to have complete visibility and protection, in particular by providing:

  • Detecting security-impacting configuration errors.
  • A single view that can show ASC recommendations and GCP Security Command Center.
  • An ASC score that also includes GCP resources.
  • Integration of boards of GCP Security Command Center CIS-based within the Azure Security Center regulatory compliance dashboard.

The moment the connection with GCP Security Command completes:

  • The CIS GCP standard is shown in asc's regulatory compliance dashboard.
  • Security recommendations for resources located in GCP will appear in the Azure Security Center portal and regulatory compliance dashboard within minutes of completing onboarding.

Figure 5 – GCP recommendations displayed in the ASC portal

GCP virtual machine onboarding is currently manual, but you can adopt scripts to do it on a large scale.

On the Azure Security Center recommendations page, you can view all azure resource security recommendations along with AWS and GCP recommendations, thus obtaining a multi-cloud view.

Conclusions

The ability to adopt Azure Security Center as a centralized control solution, where security information from other public clouds also converges, combined with the possibilities given by integration with Azure Arc, to extend the protection of your systems, allows you to achieve a high degree of security and improve security postures in multi-cloud environments. Multi-cloud strategy adoption will become increasingly widespread, and Microsoft will continue to expand Azure Security Center to provide the best solutions to protect Azure, hybrid environments and multi-cloud operating models.

Azure Arc: new features to manage systems in hybrid environments

The complexity of IT environments is constantly expanding to the point of having reality with applications based on different technologies, active on heterogeneous infrastructures and perhaps using solutions in different public clouds. The need greatly felt by customers is to be able to adopt a solution that, in a centralized way, invent it, organize and enforce control policies on their IT resources wherever they are. Microsoft's response to this need is Azure Arc, the solution involving different technologies with the aim of developing new hybrid scenarios, where Azure services and management principles are extended to any infrastructure. This article lists new features that were recently introduced to extend the management capacity of hybrid environments.

The servers enabled for the Azure Arc solution can already benefit from various features related to Azure Resource Manager such as Tags, Policies and RBAC, as well as some features related to Azure Management.

Figure 1 – Azure Management for all IT resources

Thanks to the new update that was recently announced you can use new extensions, calls Azure Arc Extensions, to expand functionality and further extend Azure management and governance practices to different environments. This allows to adopt more and more typically cloud solutions, as DevOps techniques (infrastructure as code), even for on-premises environments.

Azure Arc Extensions

The Azure Arc Extensions are applications that allow you to make configurations and perform post-deployment automation tasks. These extensions can be run directly from the Azure command line, PowerShell or Azure portal.

The following Azure Arc Extensions are currently available and can be deployed on Azure Arc-enabled servers.

Custom Script Extensions for Windows and Linux Systems

With this extension, you can perform post-provisioning tasks of the machine to perform customizations of your environment. By adding this extension, you can download custom scripts, for example from Azure Storage, and run them directly on the machine.

Figure 2 – Custom Script Extensions, for Windows systems enabled for Azure Arc, from the Azure Portal

When deploying the Custom Script Extension, you can add the file that contains the script to run and optionally add its parameters. For Linux Systems, this is a shell script (.sh), while for Windows is a Powershell script (.ps1).

Desired State Configuration extension on Windows and Ubuntu systems (DSCForLinux)

Desired State Configuration (DSC) is a management platform that you can use to manage your IT and development infrastructure with a view to "configuration as code".

DSC for Windows provides new Windows PowerShell cmdlets and resources that you can use to declaratively specify how you want to configure your software environment. It also provides a useful tool for maintaining and managing existing configurations. This extension works like the extension for virtual machines in Azure, but it is designed to be deployed on Azure Arc-enabled servers.

Figure 3 – Powershell Desired State Configuration, for Windows systems enabled for Azure Arc, from the Azure Portal

The extension DSCForLinux allows you to install the OMI agent and DSC agent on Azure Arc-enabled Ubuntu systems. The DSC extension allows you to perform the following actions:

  • Register the VM with an Azure Automation account to extract (Pull) configurations (Register ExtensionAction).
  • Deploy MOF configurations (Push ExtensionAction).
  • Apply the MOF meta configuration to the VM to configure a pull server to extract the node configuration (Pull ExtensionAction).
  • Install custom DSC modules (Install ExtensionAction).
  • Remove custom DSC modules (Remove ExtensionAction).

 

OMS Agent for Linux – Microsoft Monitoring Agent

The installation of this agent allows you to collect the monitor data from the guest operating system and the application workloads of the systems and send them to a Log Analytics workspace. This agent is used by several Azure management solutions, including Azure Monitor, Azure Security Center, and Azure Sentinel. Although today it is possible to monitor non-Azure VMs even without Azure Arc, the use of this extension allows you to automatically detect and manage agents in VMs. Once integrated, Azure Arc-enabled servers will fit perfectly into existing Azure portal views along with virtual machines in Azure and Azure scale sets.

After you deploy the Azure Arc agent on the systems, you can install the Microsoft Monitoring Agent (MMA) using this extension, simply by adding the Log Analytics workspace ID and its key.

Figure 4 – Microsoft Monitoring Agent extension for Azure Arc from the Azure portal

Thanks to the availability of these new extensions, Azure Arc-enabled servers also have features such as Update Management, Inventory, Change Tracking and Monitor.

Update Management

The Update Management solution allows you to have an overall visibility into update compliance for both Windows and Linux systems. The search panel can quickly identify missed updates and provide the ability to schedule deployments for update installation within a specific maintenance window.

Inventory

This feature allows you to retrieve inventory information relating to: installed software, files, Windows Registry keys, Windows Services and Linux Daemons.

Change Tracking

Change Tracking feature allows you to track system changes to Daemons, File, Registry, software and services on Windows . This feature can be very useful to diagnose specific problems and to enable alerts against unexpected changes.

Conclusions

Thanks to the availability of these new extensions, you can take advantage of greater functionality, in governance and management typical of Azure, also for hybrid cloud environments. This is an important evolution of this solution, at the moment still in preview, which is soon destined to be further enriched with important new features.

Azure Hybrid Cloud: overview of the new Azure Stack portfolio

In a corporate reality the adoption of solutions totally based in the cloud is not always be a viable choice or the absolute best, hybrid solutions often have to be adopted, which in any case include the possibility of using the innovations introduced by the cloud. Microsoft, aware of that, has recently announced several innovations in the proposition of its solutions in Hybryd Cloud extending its portfolio to make it more complete and more adaptable to the needs of customers. This article describes how the range of Microsoft solutions in Azure Stack has been expanded and changed.

Currently, the solutions included in the Azure Stack portfolio are as follows::

  • Azure Stack Hub (previously called only "Azure Stack")
  • Azure Stack Edge (previously called "Azure Data Box Edge")
  • Azure Stack HCI

Figure 1 – Azure Stack product family

Azure Stack Hub

Azure Stack Hub and, prior to this product portfolio review, was known by the name Azure Stack continues to be the offering for enterprise customers and for the public sector customers, needing a cloud environment but disconnected from the Internet, or need to meet specific regulatory and compliance requirements. Azure Stack Hub It allows you to deliver the Azure services in the location you want. The solution continues to evolve to cover an increasingly broad range of services, including:

  • Kubernetes with Azure Kubernetes Service integration (AKS) to automate the creation, upgrading and scaling cluster environments.
  • Support for N-Series virtual machines that include GPU support.
  • Event Hubs (expected the preview this year)
  • Azure Stream Analytics (expected the preview this year)
  • Windows Virtual Desktop (WVD) (expected the preview this year)
  • Azure Data Services with Azure Arc (expected the preview this year)

Azure Stack Edge

Azure Stack Edge, previously known as Azure Databox Edge, is an Azure managed appliance that can bring computational power, cloud storage and intelligence in a remote edge of the customer. The customer can place the order and the provisioning of Azure Stack Edge direct from the Azure Portal, and then use the classic Azure management tools to monitor and perform updates. No upfront costs are required to obtain this appliance, but it will be covered monthly in the billing of Azure services. The big news about Azure Stack Edge is that new features will be supported, among the main ones we find:

  • Execution of virtual machines
  • Cluster Kubernetes
  • NVIDIA GPU support
  • High availability support

Azure Stack Edge will also be available in a "rugged" version, to withstand extreme environmental conditions, and in a battery-powered version, to be easily transported.

Azure Stack HCI

With the arrival of Windows Server 2019, Microsoft introduced the solution Azure Stack HCI, which allows the execution of virtual machines and a wide access to different services offered by Azure. This is a hyper-converged infrastructure (HCI), where different hardware components are removed, substitutes from the software, able to combine the layer of compute, storage and network in one solution. This is the evolution of the Windows Server Software-Defined solution (WSSD) available in the past with Windows Server 2016. Azure Stack HCI with Windows Server 2019, allows the use of Hyper-V, a solid and reliable hypervisor, along with Software Defined Storage and Software-Defined Networking solutions. To this is added Windows Admin Center, that allows you to fully manage and with a graphical interface the hyper-converged environment.

Azure Stack HCI shares the same software-defined technologies also used by Azure Stack Hub and requires the adoption of hardware tested and validated specifically for the solution. In order to obtain certification, the hardware is subjected to rigorous validation tests, that guarantee the reliability and stability of the solution. To see the different Azure Stack HCI solutions of the various hardware vendors, you can access this page. Azure Stack HCI can be used for smaller environments with a minimum of two nodes and can scale up to a maximum of 16 nodes. This makes it a suitable solution for different usage scenarios.

Conclusions

To better meet the needs of different clients in this area, Microsoft has revisited its product portfolio. The Azure Stack portfolio combined with Azure Arc, provides an environment where Azure services and management are reflected on validated and integrated infrastructure models, all in a complementary way.

Azure Arc: a new approach to hybrid environments

The use of hybrid architectures in enterprise reality is more and more predominant, they allow you to continue to benefit from investments made in your on-premises environment and, at the same time, use the innovation introduced by the cloud. The adoption of hybrid solutions is a winner if it takes into account a shared policy for distribution, component management and security. Without consistency in the management of different environments, the costs and complexities are likely to grow exponentially. Microsoft has decided to respond to this need with the solution Azure Arc, involving a range of technologies with the aim of developing new hybrid scenarios, where Azure services and management principles are extended to any infrastructure. This article presents the approach adopted by Azure Arc for hybrid environments.

The complexity of IT environments is constantly expanding to the point where we find reality with applications based on different technologies, active on heterogeneous infrastructures and maybe that adopt solutions in different public cloud. The need for customers is to be able to adopt a solution that centrally allows them to inventory, organize and enforce control policies on their IT resources wherever they are.

The principle behind Azure Arc is to extend Azure management and governance practices to different environments and to adopt typically cloud solutions, as DevOps techniques (infrastructure as code), even for on-premises environments.

Figure 1 – Azure Arc overview

To achieve this, Microsoft has decided to extend the model Azure Resource Manager so that we can also support hybrid environments, this makes it easier to implement the security features in Azure on all infrastructure components.

Figure 2 – Azure Management for all resources

Azure Arc consists of a set of different technologies and components that allows you to:

  • Manage applications in Kubernetes environments: it provides the ability to deploy and configure Kubernetes applications in a consistent manner across all environments, adopting modern DevOps techniques.
  • Allow Azure data services to run on any infrastructure: everything is based on the adoption of kubernetes and allows achieving more easily meet compliance criteria, to improve the security of data and to have considerable flexibility in deployment time. At the time the services covered are Azure SQL Database and Azure Database for PostgreSQL.
  • Organize, manage and govern all server systems: Azure Arc extends Azure governance and management capabilities to physical machines and virtual systems in different environments. This solution is specifically called Azure Arc for servers.

Figure 3 – Azure Arc Technologies

Azure Arc involves the use of specific Resource Provider for Azure Resource Manager and the installation of Azure Arc agents is required.

By logging in to the portal, you can see that Azure Arc for Servers is already currently available in public preview, while you need to register to manage Kubernetes environments and data services in preview.

Figure 4 – Azure Arc in the Azure portal

Thanks to the adoption of Azure Arc which introduces an overall view, you can reach, for hybrid architectures, the following objectives, difficult to achieve otherwise:

  • Standardization of operations
  • Organization of resources
  • Security
  • Cost Control
  • Business Continuity
  • Regulatory and corporate compliance

Figure 5 – Cloud-native governance with Azure Arc

Conclusions

Azure Arc was recently announced and although still in an embryonic phase, I think that will evolve significantly enough to revolutionize the management and development of hybrid environments. To keep up to date on how this solution will develop you can register at this page.