Category Archives: Azure Arc

Protection of multi-cloud environments with Azure Security Center

The tendency of companies to adopt a multi-cloud strategy is increasingly widespread, but this operating model makes it particularly challenging to achieve high safety standards for your environment. To meet this need, Microsoft has officially made multi-cloud security support available in the Azure Security Center solution, allowing you to also contemplate amazon web services resources (AWS) and Google Cloud Platform (GCP). this article describes the features of this solution that provides a high degree of security and improves security postures in multi-cloud environments.

Azure Security Center (ASC) was originally developed as the best tool to protect resources in an azure environment. However, the need for customers to protect resources located on multiple public clouds is widespread and for this reason the product team has decided to expand the capacity for action, simplifying security management tools in multi-cloud environments. Azure Security Center can protect not only resources in hybrid environments but also contemplate multi-cloud architectures, including AWS and GCP.

Figure 1 – Multi-cloud and hybrid protection in Azure Security Center

These are the features that are made available to users to cover multi-cloud scenarios:

  • Connecting your AWS or GCP accounts to Azure Security Center provides a unified multi-cloud view of your environment's security postures. In particular, if the solutions AWS Security Hub or GCP Security Command Center detect incorrect configurations, these reports are included in the Secure Score template and in the compliance assessment against specific regulations (Regulatory Compliance), present in Azure Security Center.
  • Thanks to the fact that Azure Defender for Servers take advantage of Azure Arc you can simplify the onboarding process, and enable the protection of virtual machines running in AWS environments, GCP or hybrid cloud. All of which includes several features, including, automatic provisioning of agents, policy management, vulnerabilities and EDR (Endpoint Detection and Response) integrated. In particular, for vulnerability assessment functionality it is possible to perform manual or large-scale scans, and analyze the vulnerabilities detected, on scanned systems, through a unified experience.

These features complement multi-cloud support, also recently announced, of Azure Defender for SQL, this allows you to constantly monitor sql server implementations to detect known threats and vulnerabilities. these features are usable for sql server enabled in an on-premises environment, on virtual machines in Azure and also in multi-cloud deployment, contemplating Amazon Web Services (AWS) and Google Cloud Platform (GCP).

The solutionAzure Arc plays a fundamental role in all this and allows you to extend azure management services and principles to any infrastructure. To achieve this, Microsoft has decided to extend the model Azure Resource Manager to support hybrid and multi-cloud environments, this makes it easier to implement the security features in Azure on all infrastructure components.

Figure 2 – Azure Arc for hybrid and multi-cloud environments

The onboarding process and capabilities offered vary depending on the public cloud you intend to incorporate into Azure Security Center. the following paragraphs provide features for both amazon web services (AWS) that for Google Cloud Platform (GCP).

Amazon Web Services (AWS)

The onboarding process of your AWS account integrates the solution AWS Security Hub with Azure Security Center. In this way it is possible to obtain complete visibility and protection of these cloud environments to provide:

  • Automatic agent provisioning. ASC uses Azure Arc to deploy Log Analytics agent on board AWS instances.
  • Policy management.
  • Vulnerability management.
  • EDR (Endpoint Detection and Response) integrated.
  • Detecting security-impacting configuration errors.
  • A single view that can show ASC recommendations and AWS Security Hub.
  • An ASC score that also includes AWS resources.
  • Regulatory compliance assessments also for AWS resources.

The moment the connection with AWS Security Hub is configured correctly:

  • ASC scans AWS environment for EC2 instances, onboarding is done in Azure Arc, allowing log analytics agent to be installed. This gives you threat protection and gets security advice.
  • The ASC service scans new AWS EC2 instances each 6 hours and integrates them according to the configuration made.
  • The AWS CIS standard is shown in asc's regulatory compliance dashboard.
  • If the AWS Security Hub are enabled, recommendations will appear in the asc portal and regulatory compliance dashboard, after a few minutes after the completion of the onboarding process.

Figure 3 – AWS recommendations displayed in the ASC portal

To view active recommendations for your resources by type, you can use the security center asset inventory page and apply the specific filter for the type of aws resource that interests you:

Figure 4 – Display filters for AWS resources

Google Cloud Platform (GCP)

The onboarding mechanism of your GCP account allows you to integrate GCP Security Command with Azure Security Center and to have complete visibility and protection, in particular by providing:

  • Detecting security-impacting configuration errors.
  • A single view that can show ASC recommendations and GCP Security Command Center.
  • An ASC score that also includes GCP resources.
  • Integration of boards of GCP Security Command Center CIS-based within the Azure Security Center regulatory compliance dashboard.

The moment the connection with GCP Security Command completes:

  • The CIS GCP standard is shown in asc's regulatory compliance dashboard.
  • Security recommendations for resources located in GCP will appear in the Azure Security Center portal and regulatory compliance dashboard within minutes of completing onboarding.

Figure 5 – GCP recommendations displayed in the ASC portal

GCP virtual machine onboarding is currently manual, but you can adopt scripts to do it on a large scale.

On the Azure Security Center recommendations page, you can view all azure resource security recommendations along with AWS and GCP recommendations, thus obtaining a multi-cloud view.

Conclusions

The ability to adopt Azure Security Center as a centralized control solution, where security information from other public clouds also converges, combined with the possibilities given by integration with Azure Arc, to extend the protection of your systems, allows you to achieve a high degree of security and improve security postures in multi-cloud environments. Multi-cloud strategy adoption will become increasingly widespread, and Microsoft will continue to expand Azure Security Center to provide the best solutions to protect Azure, hybrid environments and multi-cloud operating models.

Azure Arc: new features to manage systems in hybrid environments

The complexity of IT environments is constantly expanding to the point of having reality with applications based on different technologies, active on heterogeneous infrastructures and perhaps using solutions in different public clouds. The need greatly felt by customers is to be able to adopt a solution that, in a centralized way, invent it, organize and enforce control policies on their IT resources wherever they are. Microsoft's response to this need is Azure Arc, the solution involving different technologies with the aim of developing new hybrid scenarios, where Azure services and management principles are extended to any infrastructure. This article lists new features that were recently introduced to extend the management capacity of hybrid environments.

The servers enabled for the Azure Arc solution can already benefit from various features related to Azure Resource Manager such as Tags, Policies and RBAC, as well as some features related to Azure Management.

Figure 1 – Azure Management for all IT resources

Thanks to the new update that was recently announced you can use new extensions, calls Azure Arc Extensions, to expand functionality and further extend Azure management and governance practices to different environments. This allows to adopt more and more typically cloud solutions, as DevOps techniques (infrastructure as code), even for on-premises environments.

Azure Arc Extensions

The Azure Arc Extensions are applications that allow you to make configurations and perform post-deployment automation tasks. These extensions can be run directly from the Azure command line, PowerShell or Azure portal.

The following Azure Arc Extensions are currently available and can be deployed on Azure Arc-enabled servers.

Custom Script Extensions for Windows and Linux Systems

With this extension, you can perform post-provisioning tasks of the machine to perform customizations of your environment. By adding this extension, you can download custom scripts, for example from Azure Storage, and run them directly on the machine.

Figure 2 – Custom Script Extensions, for Windows systems enabled for Azure Arc, from the Azure Portal

When deploying the Custom Script Extension, you can add the file that contains the script to run and optionally add its parameters. For Linux Systems, this is a shell script (.sh), while for Windows is a Powershell script (.ps1).

Desired State Configuration extension on Windows and Ubuntu systems (DSCForLinux)

Desired State Configuration (DSC) is a management platform that you can use to manage your IT and development infrastructure with a view to "configuration as code".

DSC for Windows provides new Windows PowerShell cmdlets and resources that you can use to declaratively specify how you want to configure your software environment. It also provides a useful tool for maintaining and managing existing configurations. This extension works like the extension for virtual machines in Azure, but it is designed to be deployed on Azure Arc-enabled servers.

Figure 3 – Powershell Desired State Configuration, for Windows systems enabled for Azure Arc, from the Azure Portal

The extension DSCForLinux allows you to install the OMI agent and DSC agent on Azure Arc-enabled Ubuntu systems. The DSC extension allows you to perform the following actions:

  • Register the VM with an Azure Automation account to extract (Pull) configurations (Register ExtensionAction).
  • Deploy MOF configurations (Push ExtensionAction).
  • Apply the MOF meta configuration to the VM to configure a pull server to extract the node configuration (Pull ExtensionAction).
  • Install custom DSC modules (Install ExtensionAction).
  • Remove custom DSC modules (Remove ExtensionAction).

 

OMS Agent for Linux – Microsoft Monitoring Agent

The installation of this agent allows you to collect the monitor data from the guest operating system and the application workloads of the systems and send them to a Log Analytics workspace. This agent is used by several Azure management solutions, including Azure Monitor, Azure Security Center, and Azure Sentinel. Although today it is possible to monitor non-Azure VMs even without Azure Arc, the use of this extension allows you to automatically detect and manage agents in VMs. Once integrated, Azure Arc-enabled servers will fit perfectly into existing Azure portal views along with virtual machines in Azure and Azure scale sets.

After you deploy the Azure Arc agent on the systems, you can install the Microsoft Monitoring Agent (MMA) using this extension, simply by adding the Log Analytics workspace ID and its key.

Figure 4 – Microsoft Monitoring Agent extension for Azure Arc from the Azure portal

Thanks to the availability of these new extensions, Azure Arc-enabled servers also have features such as Update Management, Inventory, Change Tracking and Monitor.

Update Management

The Update Management solution allows you to have an overall visibility into update compliance for both Windows and Linux systems. The search panel can quickly identify missed updates and provide the ability to schedule deployments for update installation within a specific maintenance window.

Inventory

This feature allows you to retrieve inventory information relating to: installed software, files, Windows Registry keys, Windows Services and Linux Daemons.

Change Tracking

Change Tracking feature allows you to track system changes to Daemons, File, Registry, software and services on Windows . This feature can be very useful to diagnose specific problems and to enable alerts against unexpected changes.

Conclusions

Thanks to the availability of these new extensions, you can take advantage of greater functionality, in governance and management typical of Azure, also for hybrid cloud environments. This is an important evolution of this solution, at the moment still in preview, which is soon destined to be further enriched with important new features.

Azure Hybrid Cloud: overview of the new Azure Stack portfolio

In a corporate reality the adoption of solutions totally based in the cloud is not always be a viable choice or the absolute best, hybrid solutions often have to be adopted, which in any case include the possibility of using the innovations introduced by the cloud. Microsoft, aware of that, has recently announced several innovations in the proposition of its solutions in Hybryd Cloud extending its portfolio to make it more complete and more adaptable to the needs of customers. This article describes how the range of Microsoft solutions in Azure Stack has been expanded and changed.

Currently, the solutions included in the Azure Stack portfolio are as follows::

  • Azure Stack Hub (previously called only "Azure Stack")
  • Azure Stack Edge (previously called "Azure Data Box Edge")
  • Azure Stack HCI

Figure 1 – Azure Stack product family

Azure Stack Hub

Azure Stack Hub and, prior to this product portfolio review, was known by the name Azure Stack continues to be the offering for enterprise customers and for the public sector customers, needing a cloud environment but disconnected from the Internet, or need to meet specific regulatory and compliance requirements. Azure Stack Hub It allows you to deliver the Azure services in the location you want. The solution continues to evolve to cover an increasingly broad range of services, including:

  • Kubernetes with Azure Kubernetes Service integration (AKS) to automate the creation, upgrading and scaling cluster environments.
  • Support for N-Series virtual machines that include GPU support.
  • Event Hubs (expected the preview this year)
  • Azure Stream Analytics (expected the preview this year)
  • Windows Virtual Desktop (WVD) (expected the preview this year)
  • Azure Data Services with Azure Arc (expected the preview this year)

Azure Stack Edge

Azure Stack Edge, previously known as Azure Databox Edge, is an Azure managed appliance that can bring computational power, cloud storage and intelligence in a remote edge of the customer. The customer can place the order and the provisioning of Azure Stack Edge direct from the Azure Portal, and then use the classic Azure management tools to monitor and perform updates. No upfront costs are required to obtain this appliance, but it will be covered monthly in the billing of Azure services. The big news about Azure Stack Edge is that new features will be supported, among the main ones we find:

  • Execution of virtual machines
  • Cluster Kubernetes
  • NVIDIA GPU support
  • High availability support

Azure Stack Edge will also be available in a "rugged" version, to withstand extreme environmental conditions, and in a battery-powered version, to be easily transported.

Azure Stack HCI

With the arrival of Windows Server 2019, Microsoft introduced the solution Azure Stack HCI, which allows the execution of virtual machines and a wide access to different services offered by Azure. This is a hyper-converged infrastructure (HCI), where different hardware components are removed, substitutes from the software, able to combine the layer of compute, storage and network in one solution. This is the evolution of the Windows Server Software-Defined solution (WSSD) available in the past with Windows Server 2016. Azure Stack HCI with Windows Server 2019, allows the use of Hyper-V, a solid and reliable hypervisor, along with Software Defined Storage and Software-Defined Networking solutions. To this is added Windows Admin Center, that allows you to fully manage and with a graphical interface the hyper-converged environment.

Azure Stack HCI shares the same software-defined technologies also used by Azure Stack Hub and requires the adoption of hardware tested and validated specifically for the solution. In order to obtain certification, the hardware is subjected to rigorous validation tests, that guarantee the reliability and stability of the solution. To see the different Azure Stack HCI solutions of the various hardware vendors, you can access this page. Azure Stack HCI can be used for smaller environments with a minimum of two nodes and can scale up to a maximum of 16 nodes. This makes it a suitable solution for different usage scenarios.

Conclusions

To better meet the needs of different clients in this area, Microsoft has revisited its product portfolio. The Azure Stack portfolio combined with Azure Arc, provides an environment where Azure services and management are reflected on validated and integrated infrastructure models, all in a complementary way.

Azure Arc: a new approach to hybrid environments

The use of hybrid architectures in enterprise reality is more and more predominant, they allow you to continue to benefit from investments made in your on-premises environment and, at the same time, use the innovation introduced by the cloud. The adoption of hybrid solutions is a winner if it takes into account a shared policy for distribution, component management and security. Without consistency in the management of different environments, the costs and complexities are likely to grow exponentially. Microsoft has decided to respond to this need with the solution Azure Arc, involving a range of technologies with the aim of developing new hybrid scenarios, where Azure services and management principles are extended to any infrastructure. This article presents the approach adopted by Azure Arc for hybrid environments.

The complexity of IT environments is constantly expanding to the point where we find reality with applications based on different technologies, active on heterogeneous infrastructures and maybe that adopt solutions in different public cloud. The need for customers is to be able to adopt a solution that centrally allows them to inventory, organize and enforce control policies on their IT resources wherever they are.

The principle behind Azure Arc is to extend Azure management and governance practices to different environments and to adopt typically cloud solutions, as DevOps techniques (infrastructure as code), even for on-premises environments.

Figure 1 – Azure Arc overview

To achieve this, Microsoft has decided to extend the model Azure Resource Manager so that we can also support hybrid environments, this makes it easier to implement the security features in Azure on all infrastructure components.

Figure 2 – Azure Management for all resources

Azure Arc consists of a set of different technologies and components that allows you to:

  • Manage applications in Kubernetes environments: it provides the ability to deploy and configure Kubernetes applications in a consistent manner across all environments, adopting modern DevOps techniques.
  • Allow Azure data services to run on any infrastructure: everything is based on the adoption of kubernetes and allows achieving more easily meet compliance criteria, to improve the security of data and to have considerable flexibility in deployment time. At the time the services covered are Azure SQL Database and Azure Database for PostgreSQL.
  • Organize, manage and govern all server systems: Azure Arc extends Azure governance and management capabilities to physical machines and virtual systems in different environments. This solution is specifically called Azure Arc for servers.

Figure 3 – Azure Arc Technologies

Azure Arc involves the use of specific Resource Provider for Azure Resource Manager and the installation of Azure Arc agents is required.

By logging in to the portal, you can see that Azure Arc for Servers is already currently available in public preview, while you need to register to manage Kubernetes environments and data services in preview.

Figure 4 – Azure Arc in the Azure portal

Thanks to the adoption of Azure Arc which introduces an overall view, you can reach, for hybrid architectures, the following objectives, difficult to achieve otherwise:

  • Standardization of operations
  • Organization of resources
  • Security
  • Cost Control
  • Business Continuity
  • Regulatory and corporate compliance

Figure 5 – Cloud-native governance with Azure Arc

Conclusions

Azure Arc was recently announced and although still in an embryonic phase, I think that will evolve significantly enough to revolutionize the management and development of hybrid environments. To keep up to date on how this solution will develop you can register at this page.