Category Archives: Azure Governance

Azure Governance: how to control system configurations in hybrid and multicloud environments

Many companies are investing in hybrid and multicloud technologies to gain the flexibility needed to innovate and meet changing business needs. In these scenarios, customers face the challenge of using IT resources efficiently, so as to best achieve their business goals by implementing a structured IT governance process. This is easier to achieve with solutions that let you inventory, organize and enforce control policies on your IT resources in a centralized way, wherever they are. The Azure Arc solution brings together different technologies to support hybrid and multicloud scenarios, extending Azure services and management principles to any infrastructure. In this article we will explore how, by adopting Azure Guest Configuration Policy, it is possible to control the configuration of systems running in Azure, in on-premises datacenters or at other cloud providers.

The principle behind Azure Arc

The principle behind Azure Arc is to extend Azure management and governance practices to different environments and to adopt solutions typical of the cloud, such as DevOps techniques (infrastructure as code), also for on-premises and multicloud environments.

Figure 1 – Azure Arc overview

Enabling systems to Azure Arc

Enabling Azure Arc for servers allows you to manage physical servers and virtual machines residing outside Azure, on the on-premises corporate network or at another cloud provider. This applies to both Windows and Linux systems. The management experience is designed to be consistent with the native management of Azure virtual machines: a machine connected to Azure through Arc is treated in all respects as an Azure resource. Each connected machine has a specific ID, is included in a resource group and benefits from standard Azure constructs such as Azure Policy and tagging.

To offer this experience, the specific Azure Arc agent must be installed on each machine that is to be connected to Azure ("Azure Connected Machine"). The following operating systems are currently supported:

  • Windows Server 2008 R2, Windows Server 2012 R2 or higher (this includes core servers)
  • Ubuntu 16.04 and 18.04 LTS (x64)
  • CentOS Linux 7 (x64)
  • SUSE Linux Enterprise Server (SLES) 15 (x64)
  • Red Hat Enterprise Linux (RHEL) 7 (x64)
  • Amazon Linux 2 (x64)
  • Oracle Linux 7

The Azure Arc Connected Machine agent consists of the following logical components:

  • The Hybrid Instance Metadata service (HIMDS), which manages the connection to Azure and the Azure identity of the connected machine.
  • The Guest Configuration agent, which provides in-guest policy and guest configuration features.
  • The Extension Manager agent, which manages the installation, uninstallation and updating of machine extensions.

Figure 2 – Azure Arc Agent Components

The Connected Machine agent requires secure outbound communication to Azure Arc on TCP port 443.

This agent provides no other features and does not replace the Azure Log Analytics agent, which remains necessary when you want to proactively monitor the operating system and workloads running on the machine.

For more information about installing Azure Arc, see this official Microsoft document.

Azure Arc-enabled servers can benefit from several Azure Resource Manager features such as Tags, Policies and RBAC, as well as some Azure Management features.

Figure 3 – Azure Management for all IT resources

Azure Guest Configuration Policy

Guest Configuration Policies allow you to control settings within a machine, both for virtual machines running in Azure and for "Arc Connected" machines. Validation is performed on the client by the Guest Configuration extension, with regard to:

  • Operating system configuration
  • Configuration or presence of applications
  • Environment settings

At the moment, most Azure Guest Configuration Policies only allow you to check the settings inside the machine; they don't apply configurations. The exception is a built-in policy that configures the operating system time zone on Windows machines.


Before you can check the settings inside a machine, through guest configuration policies, you must:

  • Enable an extension on the Azure VM, required to download the assigned policies and the corresponding configurations. This extension is not required for "Arc Connected" machines, as it is included in the Arc agent.
  • Make sure that the machine has a system-assigned managed identity, used for authentication when reading from and writing to the guest configuration service.


Azure provides built-in Initiatives and a large number of Guest Configuration Policies, but you can also create custom ones for both Windows and Linux environments.

Guest Configuration policy assignment works the same way as standard Azure Policies, so you can group them into initiatives. Specific parameters can also be configured for Guest Configuration Policies, and there is at least one parameter that allows you to include Azure Arc-enabled servers. Once you have the desired policy definition, you can assign it to a subscription or, more narrowly, to a specific Resource Group. You also have the option of excluding certain resources from the application of the policy.

Following the assignment, it is possible to assess the compliance status in detail directly from the Azure portal.

Inside the machine, the Guest Configuration agent uses local tools to audit the configurations.

The Guest Configuration agent checks for new or modified guest policy assignments every 5 minutes and, once an assignment is received, the settings are checked every 15 minutes.
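As an added example (not part of the original article), the following Az PowerShell script assigns a built-in Guest Configuration audit policy to a resource group that holds both Azure VMs and Arc-connected machines, and then reads back the compliance state. The subscription id, resource group, the policy display name and the `IncludeArcMachines` parameter name are assumptions to verify against your tenant and the definition itself; the cmdlet output shapes follow Az.Resources 6.x.

```powershell
# Added example, not from the article: assign a built-in Guest Configuration audit policy to a
# resource group holding Azure VMs and Azure Arc-enabled servers, then read back compliance.
# Assumes the Az.Resources and Az.PolicyInsights modules and an authenticated session (Connect-AzAccount).

$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$resourceGroup  = 'rg-hybrid-servers'                        # placeholder
$scope          = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"

# Built-in Guest Configuration policies carry the metadata category 'Guest Configuration'.
# The display name below is assumed; any audit policy from that category works the same way.
$displayName = 'Audit Linux machines that do not have the passwd file permissions set to 0644'
$definition  = Get-AzPolicyDefinition -Builtin |
    Where-Object { $_.Properties.DisplayName -eq $displayName -and
                   $_.Properties.Metadata.category -eq 'Guest Configuration' }
if (-not $definition) { throw "Built-in policy '$displayName' not found" }

# Guest Configuration policies expose a parameter that extends the check to Arc-connected
# machines; 'IncludeArcMachines' is assumed here, check $definition.Properties.Parameters.
$parameters = @{ IncludeArcMachines = 'true' }

$assignment = New-AzPolicyAssignment -Name 'gc-audit-passwd-perms' `
    -DisplayName 'Audit /etc/passwd permissions (Azure and Arc machines)' `
    -Scope $scope -PolicyDefinition $definition -PolicyParameterObject $parameters

# The agent picks up new assignments within 5 minutes and evaluates every 15 minutes, so results
# appear only after the next cycle; an on-demand scan refreshes the Azure Policy side.
Start-AzPolicyComplianceScan -ResourceGroupName $resourceGroup

# List the machines that failed the in-guest check.
Get-AzPolicyState -ResourceGroupName $resourceGroup -PolicyAssignmentName $assignment.Name `
    -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, ComplianceState, Timestamp
```

Because this is an audit policy, the assignment needs no managed identity; the identity requirement described above applies to the machine itself, which authenticates to the guest configuration service with its system-assigned identity.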

The Cost of the Solution

The cost of Azure Guest Configuration Policies is based on the number of servers registered to the service that have one or more guest configurations assigned. Any other type of Azure Policy that is not based on guest configuration is offered at no additional cost, including the virtual machine extensions that enable services such as Azure Monitor and Azure Security Center, and auto-tagging policies. Billing is pro-rated hourly and also covers the change tracking features available through Azure Automation. For more details on costs, please visit Microsoft's official pricing page.


IT environments are constantly evolving and often have to deliver business-critical applications based on different technologies, running on heterogeneous infrastructures and, in some cases, using solutions provided by different public clouds. Adopting a structured IT governance process is made easier by Guest Configuration Policies and the potential of Azure Arc, which allow you to control and support hybrid and multicloud environments more easily.

Cloud Governance: how to control cloud costs through budgets

In the public cloud, the ease of delegation and the consumption-based cost model expose companies to the risk of losing control over costs. Keeping constant supervision over the expenses incurred for resources created in the cloud environment therefore becomes fundamental to implementing an effective governance process. The Azure Cost Management solution provides a comprehensive set of cloud cost management features, including the ability to set up budgets and expense alerts. This article describes how to best use budgets to proactively control and manage cloud service costs.

Budgets are spending thresholds that can be set in the Azure Cost Management + Billing solution, capable of generating notifications when they are reached. Cost and resource utilization data are generally available within 20 hours, and budgets are evaluated against these costs every 12-14 hours.

The procedure for setting budgets from the Azure portal involves the following steps.

Figure 1 – Add a budget from Cost Management

Figure 2 – Parameters required when creating budgets

During the budget configuration phase, you must first assign the scope. Depending on the type of Azure account, you can select the following scopes:

  • Azure role-based access control (Azure RBAC)
    • Management groups
    • Subscription
  • Enterprise Agreement
    • Billing account
    • Department
    • Enrollment account
  • Individual agreements
    • Billing account
  • Microsoft Customer Agreement
    • Billing account
    • Billing profile
    • Invoice section
    • Customer
  • AWS scopes
    • External account
    • External subscription

For more information about the use of scopes, see this Microsoft document.

To create a budget that aligns with the billing period, select a reset period of billing month, billing quarter or billing year. If, on the other hand, you intend to create a budget aligned with the calendar month, select a monthly, quarterly or yearly reset period.

Next, you can set the expiration date after which the budget becomes invalid and its cost evaluation stops.

Based on the fields you choose when you define your budget, a chart is shown to help you set the spending threshold to use. By default, the suggested budget is based on the highest forecasted cost that could be incurred in future periods, but the budget amount can be changed to suit your needs.

After you set up your budget, you are prompted to configure your alerts. Budgets require at least one cost threshold (% budget) and an email address to use for notifications.

Figure 3 – Configure alerts and e-mail addresses to use for notifications

For a single budget, you can include up to five thresholds and five email addresses. When a budget threshold is reached, email notifications are normally sent within an hour of the evaluation.

When creating or editing a budget, but only if its scope is a subscription or a resource group, you can configure it to invoke an Action Group. The Action Group allows you to customize notifications to suit your needs and can perform various actions when the budget threshold is reached, including:

  • Voice call or text message (in enabled countries)
  • Sending an email
  • Calling a webhook
  • Sending data to an ITSM tool
  • Calling a Logic App
  • Sending a push notification to the Azure mobile app
  • Running an Azure Automation runbook
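The budget described in the paragraphs above (thresholds, e-mail recipients and an Action Group on a subscription scope) can also be created from PowerShell. The script below is an added example, not from the original article: it calls the Microsoft.Consumption budgets REST API through `Invoke-AzRestMethod`, so that several notifications can be defined in one request. The subscription id, Action Group resource id and e-mail addresses are placeholders, and the API version and the `Forecasted` threshold type are assumptions about the API to verify in the REST reference.

```powershell
# Added example, not from the article: create a monthly cost budget on a subscription with three
# alert thresholds, e-mail recipients, subscription Owners and an Action Group as contacts.
# Assumes an authenticated Az session (Connect-AzAccount); api-version 2021-10-01 is assumed.

$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$actionGroupId  = "/subscriptions/$subscriptionId/resourceGroups/rg-ops/providers/microsoft.insights/actionGroups/ag-finops"  # placeholder
$budgetName     = 'budget-prod-monthly'
$scope          = "/subscriptions/$subscriptionId"           # Action Groups work only for subscription / resource group scopes

# Budgets start on the first day of a month; this one runs for two years from the current month.
$start = "$((Get-Date).ToString('yyyy-MM'))-01T00:00:00Z"
$end   = "$((Get-Date).AddYears(2).ToString('yyyy-MM'))-01T00:00:00Z"

$body = @{
    properties = @{
        category   = 'Cost'
        amount     = 5000                      # budget amount in the billing currency
        timeGrain  = 'Monthly'
        timePeriod = @{ startDate = $start; endDate = $end }
        notifications = @{
            # Key names are free-form; a budget can carry up to five notifications.
            Actual_GreaterThan_50_Percent = @{
                enabled = $true; operator = 'GreaterThan'; threshold = 50; thresholdType = 'Actual'
                contactEmails = @('finops@example.com')
            }
            Actual_GreaterThan_80_Percent = @{
                enabled = $true; operator = 'GreaterThan'; threshold = 80; thresholdType = 'Actual'
                contactEmails = @('finops@example.com', 'platform-owner@example.com')
                contactRoles  = @('Owner')            # also notify the subscription Owners
                contactGroups = @($actionGroupId)     # Action Group: webhook, runbook, ITSM, ...
            }
            Forecasted_GreaterThan_100_Percent = @{
                enabled = $true; operator = 'GreaterThan'; threshold = 100; thresholdType = 'Forecasted'
                contactEmails = @('finops@example.com')
                contactGroups = @($actionGroupId)
            }
        }
    }
}

$response = Invoke-AzRestMethod -Method PUT `
    -Path "$scope/providers/Microsoft.Consumption/budgets/$budgetName?api-version=2021-10-01" `
    -Payload ($body | ConvertTo-Json -Depth 10)

if ($response.StatusCode -notin @(200, 201)) {
    throw "Budget creation failed ($($response.StatusCode)): $($response.Content)"
}

# Echo the notifications the service accepted.
($response.Content | ConvertFrom-Json).properties.notifications.PSObject.Properties.Name
```

Keeping the budget in a script (or in source control) makes the thresholds reviewable and repeatable across subscriptions, which the portal procedure above does not give you on its own.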

Figure 4 – Associating an Action Group when a threshold is reached

After you finish creating a budget, you can view it in the respective section.

Figure 5 – Budget created and its percentage of usage

Comparing the budget with the spending trend is generally one of the first steps taken in the cost analysis phase.

Figure 6 – View budget in cost analysis

When a certain threshold is reached in a budget, in addition to the notifications you set, an alert is also generated in the Azure portal.

Figure 7 – Alert generated when a certain threshold is reached

When the budget thresholds that you create are exceeded, notifications are triggered, but none of the cloud resources are changed and as a result consumption is not interrupted.

Through the integration with the Amazon Web Services (AWS) Cost and Usage Report (CUR), you can also monitor and control AWS costs in Azure Cost Management and define budgets for AWS resources.

The Cost of the Solution

You can use Azure Cost Management for free, with all its features, for the Azure environment. For the management of AWS costs, a charge equal to 1% of the total spend managed for AWS is expected in the final release. For more details on the cost of the solution, you can consult the Cost Management pricing page.


Cost control is a key component to maximize the value of your cloud investment. By using budgets, you can easily activate an effective mechanism to proactively control and manage the costs of cloud services located on both Microsoft Azure and Amazon Web Services (AWS).

Azure Governance: how to manage and optimize cloud costs

One of the main features of the cloud is the ability to create and deploy resources in an extremely agile and fast manner. Using solutions that minimize costs, and always keeping the costs of resources created in the cloud environment under control, is a key aspect. This article summarizes the principles and tools you should consider to manage and optimize cloud costs.

Cloud cost optimization is a very popular theme with customers, to the point that, for the fourth year in a row, it turns out to be the main cloud initiative according to the Flexera report:

Figure 1 – Top cloud initiatives for the year 2020

Principles to better manage costs

To achieve a successful position in cloud cost management, consider the principles below.


Only a structured design process, which includes a careful analysis of business requirements, lets you tailor the use of cloud solutions. It is therefore important to determine the infrastructure to implement and how it will be used, through a design process that maximizes the efficiency of the resources located in the Azure environment.


Having tools that provide global visibility of Azure costs and send notifications about them is an important aspect to consider.


It's a good practice to attribute cloud resource costs within your business organization, to ensure that the people responsible are aware of the costs attributable to their working group. This allows you to fully understand the organization's Azure expenses. To do this, you should organize your Azure resources to maximize your understanding of cost allocation.


Periodic review processes should act on Azure resources with the goal of reducing spending where possible. Thanks to the set of information available, it is possible to easily identify underutilized resources, remove waste and maximize cost savings opportunities.


IT staff should be continuously involved in the iterative cost optimization processes of Azure resources, as it is a key principle for a responsible cloud environment governance process.

What solutions to use?

During the design phase it is useful to have an estimate, as precise as possible, of the costs that will be incurred in adopting a solution in Azure. You can use the following tools to make these estimates:

The Azure Cost Management + Billing solution provides a comprehensive set of cloud cost management capabilities and is especially useful to:

  • Monitor and analyze your Azure invoice.
  • Set up budgets and expense alerts.
  • Assign costs to teams and projects.

Figure 2 – Azure Cost Management + Billing: cost analysis

Once you understand current and future cloud expenses, you can work to optimize the costs of your workloads in Azure. In this area, the Microsoft tools that you can use are:

  • Azure Advisor: a completely free solution included in Azure that makes it easy to optimize the resources in your deployments, offering recommendations in several categories, among them Cost. Azure Advisor provides guidance for maximizing the return on your Azure investments. This solution can be useful, for example, to identify unused resources or opportunities to right-size services.

Figure 3 – Azure Advisor: Example of a recommendation

Policies to optimize costs

Regardless of the tools used, to optimize Azure costs you can adopt the following policies:

  • Turn off unused resources, since the cost of many Azure services is calculated on resource usage. For resources that do not need to run continuously and that can be shut down or suspended without losing configuration or data, you can use automation that, based on a predefined schedule, optimizes their use and consequently their cost.
  • Appropriately scale resources by consolidating workloads and acting on underutilized resources.
  • For Azure resources that are used continuously, you can evaluate Azure Reservations. Azure Reservations allow you to achieve cost savings of up to 72% compared to the pay-as-you-go price, simply by committing to pay for one or three years of use of Azure resources. These reservations can be purchased directly from the Azure portal and are available to customers with the following types of subscriptions: Enterprise Agreement, Pay-As-You-Go and Cloud Solution Provider (CSP).
  • To reduce Azure costs it is also possible to adopt the Azure Hybrid Benefit, which saves up to 40% on the cost of Windows Server virtual machines deployed on Azure. The saving comes from the fact that Microsoft lets you pay only for the Azure infrastructure, while the Windows Server licensing is covered by Software Assurance. This benefit applies to both the Standard and Datacenter editions and is available for Windows Server 200 R2 or later.

Figure 4 – Cost structure for a Windows VM

The Azure Hybrid Benefit can also be used for Azure SQL Database and for SQL Server installed on Azure virtual machines. These advantages facilitate the migration to cloud solutions and help to maximize the investments already made in SQL Server licenses. For more information on how to use the Azure Hybrid Benefit for SQL Server, see the FAQ in this document.

The Azure Hybrid Benefit can be used in conjunction with the Azure Reserved VM Instance, allowing overall savings that can reach 80% (in the case of purchase of Azure Reserved Instance for 3 years).

Figure 5 – Percentages of savings by adopting RIs and Azure Hybrid Benefit

  • For test and development environments it is possible to use DevTest subscriptions, which allow you to get considerable discounts on Azure rates. These subscriptions can be activated as part of an Enterprise Agreement.
  • Evaluate the adoption of new serverless technologies and apply improvements to existing architectures.


Using a methodical approach to cost management and adopting the right tools are key to addressing cloud cost challenges. The various elements discussed in this article help you reduce expenses and maximize your investment in the cloud.

Azure Arc: new features to manage systems in hybrid environments

The complexity of IT environments is constantly growing, to the point where organizations run applications based on different technologies, on heterogeneous infrastructures, and perhaps use solutions in different public clouds. Customers strongly feel the need for a solution that, in a centralized way, lets them inventory, organize and enforce control policies on their IT resources wherever they are. Microsoft's response to this need is Azure Arc, a solution that brings together different technologies with the aim of enabling new hybrid scenarios, where Azure services and management principles are extended to any infrastructure. This article lists new features that were recently introduced to extend the management capabilities for hybrid environments.

The servers enabled for the Azure Arc solution can already benefit from various features related to Azure Resource Manager such as Tags, Policies and RBAC, as well as some features related to Azure Management.

Figure 1 – Azure Management for all IT resources

Thanks to the recently announced update, you can use new extensions, called Azure Arc Extensions, to expand functionality and further extend Azure management and governance practices to different environments. This allows you to adopt more and more solutions typical of the cloud, such as DevOps techniques (infrastructure as code), even for on-premises environments.

Azure Arc Extensions

Azure Arc Extensions are applications that allow you to apply configurations and perform post-deployment automation tasks. These extensions can be deployed directly from the Azure command line, PowerShell or the Azure portal.

The following Azure Arc Extensions are currently available and can be deployed on Azure Arc-enabled servers.

Custom Script Extensions for Windows and Linux Systems

With this extension, you can perform post-provisioning tasks of the machine to perform customizations of your environment. By adding this extension, you can download custom scripts, for example from Azure Storage, and run them directly on the machine.

Figure 2 – Custom Script Extensions, for Windows systems enabled for Azure Arc, from the Azure Portal

When deploying the Custom Script Extension, you can add the file that contains the script to run and optionally its parameters. For Linux systems this is a shell script (.sh), while for Windows it is a PowerShell script (.ps1).

Desired State Configuration extension on Windows and Ubuntu systems (DSCForLinux)

Desired State Configuration (DSC) is a management platform that you can use to manage your IT and development infrastructure with a view to "configuration as code".

DSC for Windows provides new Windows PowerShell cmdlets and resources that you can use to declaratively specify how you want to configure your software environment. It also provides a useful tool for maintaining and managing existing configurations. This extension works like the extension for virtual machines in Azure, but it is designed to be deployed on Azure Arc-enabled servers.

Figure 3 – Powershell Desired State Configuration, for Windows systems enabled for Azure Arc, from the Azure Portal

The DSCForLinux extension allows you to install the OMI agent and the DSC agent on Azure Arc-enabled Ubuntu systems. The DSC extension allows you to perform the following actions:

  • Register the VM with an Azure Automation account to extract (Pull) configurations (Register ExtensionAction).
  • Deploy MOF configurations (Push ExtensionAction).
  • Apply the MOF meta configuration to the VM to configure a pull server to extract the node configuration (Pull ExtensionAction).
  • Install custom DSC modules (Install ExtensionAction).
  • Remove custom DSC modules (Remove ExtensionAction).
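As an added example of the "configuration as code" approach described above (this is not code from the article or from the DSC extension), the following Windows PowerShell DSC configuration declares a small hardening baseline, compiles it to a MOF and pushes it to the local machine, which is the same Push action the extension performs. The configuration name, the chosen settings and the output path are assumptions of the example; run it in an elevated session on Windows Server.

```powershell
# Added example, not from the article: a DSC configuration enforcing a small server baseline
# (SMBv1 removed, Windows Firewall service running, RDP requires Network Level Authentication),
# compiled to a MOF and pushed locally. Uses only the built-in PSDesiredStateConfiguration resources.

Configuration ServerBaseline {
    param (
        [string[]] $NodeName = 'localhost'
    )
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $NodeName {
        # Legacy SMBv1 has no place on a managed server.
        WindowsFeature SMB1 {
            Name   = 'FS-SMB1'
            Ensure = 'Absent'
        }
        # Keep the host firewall service running and set to start automatically.
        Service WindowsFirewall {
            Name        = 'MpsSvc'
            StartupType = 'Automatic'
            State       = 'Running'
        }
        # Require Network Level Authentication for Remote Desktop connections.
        Registry RdpRequireNla {
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
            ValueName = 'UserAuthentication'
            ValueType = 'DWord'
            ValueData = '1'
            Ensure    = 'Present'
        }
    }
}

# Compile the configuration: one .mof per node is written to the output path (assumed location).
$mofPath = Join-Path $env:TEMP 'ServerBaseline'
ServerBaseline -NodeName 'localhost' -OutputPath $mofPath

# Push the MOF to the Local Configuration Manager and wait for the result.
Start-DscConfiguration -Path $mofPath -Wait -Verbose -Force

# Report drift: InDesiredState is $false when at least one resource has drifted from the baseline.
Test-DscConfiguration -Detailed | Select-Object InDesiredState, ResourcesNotInDesiredState
```

The same compiled MOF is what the Pull model distributes from an Azure Automation account, and `Test-DscConfiguration` is the check you would run periodically (or alert on) to detect configuration drift rather than just to apply it.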


OMS Agent for Linux – Microsoft Monitoring Agent

Installing this agent allows you to collect monitoring data from the guest operating system and the application workloads of the systems and send them to a Log Analytics workspace. This agent is used by several Azure management solutions, including Azure Monitor, Azure Security Center and Azure Sentinel. Although today it is possible to monitor non-Azure VMs even without Azure Arc, this extension allows you to automatically detect and manage the agents on those VMs. Once integrated, Azure Arc-enabled servers fit seamlessly into the existing Azure portal views, alongside virtual machines in Azure and Azure scale sets.

After you deploy the Azure Arc agent on the systems, you can install the Microsoft Monitoring Agent (MMA) using this extension, simply by adding the Log Analytics workspace ID and its key.
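The following script is an added example (not code from the article or from Microsoft) that deploys two of the extensions described in this post, the Custom Script Extension from the section above and the Log Analytics agent from this paragraph, to Arc-enabled servers with the Az.ConnectedMachine module. The `Add-ArcExtension` helper, the resource group, the script URL and the workspace names are assumptions of the example; the publisher/type pairs are those of the corresponding Azure VM extensions.

```powershell
# Added example, not from the article: deploy extensions to Azure Arc-enabled servers.
# Secrets (storage key, workspace key) go in the protected settings, which are encrypted and
# decrypted only on the machine; public settings are visible in the resource's JSON.
# Assumes Az.ConnectedMachine and Az.OperationalInsights and an authenticated session.

function Add-ArcExtension {
    param (
        [Parameter(Mandatory)] [string] $ResourceGroup,
        [Parameter(Mandatory)] $Machine,                # object from Get-AzConnectedMachine
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Publisher,
        [Parameter(Mandatory)] [string] $Type,
        [hashtable] $Settings = @{},
        [hashtable] $ProtectedSettings = @{}
    )
    New-AzConnectedMachineExtension -Name $Name -ResourceGroupName $ResourceGroup `
        -MachineName $Machine.Name -Location $Machine.Location `
        -Publisher $Publisher -ExtensionType $Type `
        -Settings $Settings -ProtectedSetting $ProtectedSettings |
        Select-Object Name, ProvisioningState
}

$resourceGroup = 'rg-hybrid-servers'                                   # placeholder
$machines      = Get-AzConnectedMachine -ResourceGroupName $resourceGroup

# 1) Custom Script Extension on the Windows machines: run a baseline script kept in Azure Storage.
#    The script runs as LocalSystem, so restrict who may deploy extensions through RBAC.
#    (Linux equivalent: publisher 'Microsoft.Azure.Extensions', type 'CustomScript', 'sh script.sh'.)
$scriptUri = 'https://stgplaceholder.blob.core.windows.net/scripts/Set-Baseline.ps1'   # placeholder
foreach ($m in $machines | Where-Object OSName -eq 'windows') {
    Add-ArcExtension -ResourceGroup $resourceGroup -Machine $m -Name 'CustomScriptExtension' `
        -Publisher 'Microsoft.Compute' -Type 'CustomScriptExtension' `
        -Settings @{
            fileUris         = @($scriptUri)
            commandToExecute = 'powershell.exe -ExecutionPolicy Bypass -File Set-Baseline.ps1'
        } `
        -ProtectedSettings @{ storageAccountName = 'stgplaceholder'; storageAccountKey = '<storage-key>' }  # placeholders
}

# 2) Log Analytics agent on every machine: the workspace id is public, the shared key is a credential
#    and is read at run time instead of being pasted into the script.
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName 'rg-monitoring' -Name 'law-hybrid'           # placeholders
$keys      = Get-AzOperationalInsightsWorkspaceSharedKey -ResourceGroupName 'rg-monitoring' -Name 'law-hybrid'
$agentType = @{ windows = 'MicrosoftMonitoringAgent'; linux = 'OmsAgentForLinux' }
foreach ($m in $machines) {
    if (-not $m.OSName -or -not $agentType.ContainsKey($m.OSName)) {
        Write-Warning "Skipping $($m.Name): unsupported OS '$($m.OSName)'"; continue
    }
    Add-ArcExtension -ResourceGroup $resourceGroup -Machine $m -Name $agentType[$m.OSName] `
        -Publisher 'Microsoft.EnterpriseCloud.Monitoring' -Type $agentType[$m.OSName] `
        -Settings @{ workspaceId = $workspace.CustomerId.ToString() } `
        -ProtectedSettings @{ workspaceKey = $keys.PrimarySharedKey }
}
```

Checking `ProvisioningState` after each call is the minimum verification; for the monitoring agent, the heartbeat table in the workspace confirms that data is actually arriving from the machine.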

Figure 4 – Microsoft Monitoring Agent extension for Azure Arc from the Azure portal

Thanks to the availability of these new extensions, Azure Arc-enabled servers also have features such as Update Management, Inventory, Change Tracking and Monitor.

Update Management

The Update Management solution gives you overall visibility into update compliance for both Windows and Linux systems. The search panel quickly identifies missing updates and lets you schedule deployments to install updates within a specific maintenance window.

Inventory
This feature allows you to retrieve inventory information relating to: installed software, files, Windows Registry keys, Windows Services and Linux Daemons.

Change Tracking

The Change Tracking feature allows you to track system changes to daemons, files, the registry, software and services on Windows. This feature can be very useful for diagnosing specific problems and for raising alerts on unexpected changes.


Thanks to the availability of these new extensions, the governance and management functionality typical of Azure can also be used for hybrid cloud environments. This is an important evolution of the solution which, at the moment still in preview, is soon destined to be further enriched with important new features.

Azure Monitor: how to enable the monitor service for virtual machine through Azure Policy

Azure Monitor now includes a service for monitoring virtual machines, called Azure Monitor for VMs. This service allows you to analyze system performance data and builds a map that identifies all the dependencies of the virtual machines and their processes. The recommended way to enable this solution on many systems is through Azure Policy. This article describes the steps to take to activate it with this method, revisiting various concepts related to Azure governance.

Key Features of Azure Monitor for VMs

Azure Monitor for VMs can be used on Windows and Linux virtual machines, regardless of the environment in which they reside (Azure, on-premises or at other cloud providers), and includes the following areas:

  • Performance: shows summary details of performance, from the guest operating system. The solution has powerful data aggregation and filtering capabilities that enable you to meet the challenge of monitoring performance for a very large number of systems. This allows you to easily monitor the resource usage status of all VMs and easily identify those that have performance issues.
  • Maps: generates a map with the interconnections between the various components that reside on different systems. Maps show how VMs and processes interact with each other and can identify dependencies on third-party services. The solution also allows you to check for connection errors, count connections in real time, network bytes sent and received by processes and latencies encountered at the service level.

Enabling through Azure Policy

Azure Policy lets you apply and enforce compliance criteria and related remediation actions at scale. To enable this feature automatically on the virtual machines in your Azure environment and achieve a high level of compliance, it is recommended that you use Azure Policy. Using Azure Policy, you can:

  • Deploy the Log Analytics agent and the Dependency agent.
  • Get a report on compliance status.
  • Start remediation actions for non-compliant VMs.

One requirement to check before activation is that the VMInsights solution is present in the Azure Monitor Log Analytics workspace that will be used to store monitoring data.

Figure 1 – Configuring the Log Analytics workspace

Selecting the desired workspace triggers the installation of the solution VM Insights which allows you to collect performance counters and metrics for all virtual machines connected to that workspace.

To enable Azure Monitor for VMs through policy, select the relevant onboarding tile on the main screen of the solution.

Figure 2 – Selecting Azure Policy as the enablement method

The following blade will show the coverage status of the service and provide the ability to assign policies for its activation.

Figure 3 – Assigning the Initiative at the Management Group level

Azure Management Groups organize subscriptions into logical containers on which the required governance policies can be defined, applied and verified.

Initiatives, which are sets of multiple Azure Policies, can be assigned at the Resource Group, Subscription or Management Group level. It is also possible to exclude certain resources from the application of the policies.

In this regard, the policies for enabling Azure Monitor for VMs are grouped into a single "initiative", "Enable Azure Monitor for VMs" that includes the following policies:

  • Audit Dependency agent deployment – VM image (OS) unlisted
  • Audit Log Analytics agent deployment – VM image (OS) unlisted
  • Deploy Dependency agent for Linux VMs
  • Deploy Dependency agent for Windows VMs
  • Deploy Log Analytics agent for Linux VMs
  • Deploy Log Analytics agent for Windows VMs

It is recommended to assign this Initiative at the Management Group level.

Figure 4 – Configuring the association

Among the parameters, you are prompted to specify the Log Analytics workspace and, optionally, any remediation tasks.

Following the assignment, you can evaluate the compliance state in detail and, if necessary, apply remediation actions.
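The portal procedure described in the steps above (initiative at Management Group scope, workspace parameter, remediation) can be scripted with Az PowerShell. The script below is an added example, not code from the article: it assigns the built-in "Enable Azure Monitor for VMs" initiative with a system-assigned identity, grants that identity the roles the deploy policies need, and starts one remediation task per deployable member policy. The management group id, workspace resource id, location, the initiative parameter name (`logAnalytics_1`) and the role names are assumptions to check against the built-in definition; cmdlet output shapes follow Az.Resources 6.x.

```powershell
# Added example, not from the article: assign the "Enable Azure Monitor for VMs" initiative at a
# management group, grant its managed identity least-privilege roles at the same scope, and
# remediate existing VMs. Assumes Az.Resources and Az.PolicyInsights and an authenticated session.

$managementGroup = 'mg-corp'                                                           # placeholder
$scope           = "/providers/Microsoft.Management/managementGroups/$managementGroup"
$workspaceId     = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-monitoring/providers/Microsoft.OperationalInsights/workspaces/law-hybrid'  # placeholder
$location        = 'westeurope'   # region in which the assignment's managed identity is created

$initiative = Get-AzPolicySetDefinition -Builtin |
    Where-Object { $_.Properties.DisplayName -eq 'Enable Azure Monitor for VMs' }
if (-not $initiative) { throw 'Initiative "Enable Azure Monitor for VMs" not found' }

# Inspect the parameter names before assigning; the workspace parameter is assumed to be 'logAnalytics_1'.
$initiative.Properties.Parameters.PSObject.Properties.Name

$assignment = New-AzPolicyAssignment -Name 'enable-vminsights' `
    -DisplayName 'Enable Azure Monitor for VMs' -Scope $scope `
    -PolicySetDefinition $initiative `
    -PolicyParameterObject @{ logAnalytics_1 = $workspaceId } `
    -AssignIdentity -Location $location

# deployIfNotExists policies run under the assignment's identity; grant only what the definitions'
# roleDefinitionIds ask for (role names assumed here, verify them in the definitions), at this scope only.
Start-Sleep -Seconds 30   # give the new service principal time to replicate before assigning roles
foreach ($role in 'Virtual Machine Contributor', 'Log Analytics Contributor') {
    New-AzRoleAssignment -ObjectId $assignment.Identity.PrincipalId `
        -RoleDefinitionName $role -Scope $scope
}

# Policy only acts on new or changed resources; existing non-compliant VMs need a remediation
# task per member policy. The two audit members have nothing to remediate and are skipped.
foreach ($member in $initiative.Properties.PolicyDefinitions) {
    $definition = Get-AzPolicyDefinition -Id $member.policyDefinitionId
    if ($definition.Properties.PolicyRule.then.effect -notmatch 'deployIfNotExists') { continue }
    Start-AzPolicyRemediation -Name "remediate-$($member.policyDefinitionReferenceId)" `
        -ManagementGroupName $managementGroup `
        -PolicyAssignmentId $assignment.PolicyAssignmentId `
        -PolicyDefinitionReferenceId $member.policyDefinitionReferenceId
}

# Follow the remediation progress and the resulting compliance state.
Get-AzPolicyRemediation -ManagementGroupName $managementGroup | Select-Object Name, ProvisioningState
Get-AzPolicyState -ManagementGroupName $managementGroup -PolicyAssignmentName $assignment.Name |
    Group-Object ComplianceState | Select-Object Name, Count
```

Scoping the role assignments to the same management group as the policy assignment keeps the identity from being able to touch resources the initiative never evaluates.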

Figure 5 – Verification of Initiative compliance status

Once the enable process is complete, you can analyze the system performance data and the maps created to identify all the dependencies of the virtual machines and their processes.

Figure 6 – Performance collected for systems

Figure 7 – Map with the interconnections between various systems

Figure 8 – Map showing connection details

An effective way to make these data easily accessible and to analyze them is to use Workbooks, interactive documents that help you interpret information and perform in-depth analysis. In this Microsoft document you can consult the list of Workbooks included in Azure Monitor for VMs and learn how to create custom ones.


This article demonstrates how you can enable the Azure Monitor for VMs solution in a simple, fast and effective way by adopting Azure Policy. The solution provides very useful information that typically needs to be collected from different systems in your environment. The growing complexity and number of services on Azure make it essential to adopt tools like Azure Policy to have effective governance policies. Furthermore, with the introduction of Azure Arc it will be possible to extend these Azure management and governance practices to different environments, thus making the features present in Azure available on all infrastructure components.

Azure Governance: Azure Blueprints overview

IT governance is a process through which companies can ensure that they use their IT resources efficiently, with the aim of effectively reaching their goals. Governance in the Azure environment is made possible by a set of services specifically designed to enable large-scale management and control of Azure resources. These tools include Azure Blueprints, which allows the design and creation of new components in Azure in full compliance with company specifications and standards. This article provides an overview of the solution and the elements necessary for its use.

Azure Blueprints allows Cloud Architects and Cloud Engineers, responsible for building architectures in Azure, to define and implement a set of Azure resources in a repeatable way, with the certainty of adhering to the standards, models and requirements defined by the company. Azure Blueprints also allows you to quickly release new environments, adopting integrated components and accelerating development and delivery.

The main strengths of the solution Azure Blueprints can be summarized as follows.

Simplify the creation of Azure environments

  • Centralizes the creation of new Azure environments using templates.
  • Allows you to add resources, policies and roles.
  • Allows you to track project updates through versioning.

Through a declarative model, Azure Blueprints orchestrates the deployment of various resource templates and other Azure artifacts. The Azure Blueprints service is backed by Azure Cosmos DB: blueprint objects are replicated to multiple Azure regions, providing low-latency, highly available and consistent access to them, regardless of the region in which the resources are deployed.

Allows you to enforce compliance

  • Enables developers to create fully governed environments through self-service methodologies.
  • Provides the ability to centrally create multiple Azure environments and subscriptions.
  • Leverages integration with Azure Policy and the DevOps lifecycle.

Allows you to control locks on resources

  • It ensures that the base resources can not be modified.
  • It manages lock centrally.
  • It allows you to update the resources locked by means of changes to the definition of the blueprint model.

How to use Azure Blueprints

The following steps show how to adopt Azure Blueprints.

Figure 1 - How Azure Blueprint works

The first steps include the creation of a blueprint that can be done via Azure portal, PowerShell or REST API.

Figure 2 - Initial screen of Blueprints in the Azure portal

By starting the creation process from the Azure portal it is possible to start from a blank blueprint or use some available examples.

Figure 3 - Creation of the blueprint by the Azure portal

A blueprint consists of artifacts of different kinds: role assignments, policy assignments, Azure Resource Manager templates and resource groups. After creation the blueprint is in the Draft state, so you must publish it, specifying a version. Azure Blueprints is very useful for companies that use the infrastructure-as-code model, since it fits continuous integration and continuous deployment processes.

Only after publishing a blueprint can you assign it to one or more Azure subscriptions, specifying one of the following lock types:

  • Don’t Lock: resources created by the blueprint are not protected.
  • Do Not Delete: resources can be changed, but not removed.
  • Read Only: the assignment is locked, and the resulting resources cannot be modified or removed, even by subscription owners. Note that not all Azure resources support locking, and that applying the lock can take up to 30 minutes to take effect.

Figure 4 – Blueprint Assignment

During the Blueprint assignment, you will also be prompted for the parameters to deploy the resources.

Figure 5 – Blueprint parameter request example
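The steps above, carried through with the Az.Blueprint PowerShell module, as an added example that is not part of the original article: a blueprint definition with one parameter and one resource group, a policy-assignment artifact that binds the blueprint parameter to the built-in "Allowed locations" policy, publication of version 1.0, and an assignment with the Do Not Delete lock. The subscription id, the blueprint and resource group names, the working folder and the chosen regions are placeholders to replace.

```powershell
# Added example (not from the original article): define, publish and assign a
# blueprint with the Az.Blueprint module. Subscription id, names, folder and
# regions are placeholders; the policy definition id is the built-in
# "Allowed locations" policy. Run after Connect-AzAccount.
#Requires -Modules Az.Accounts, Az.Blueprint

$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$blueprintName  = 'corp-baseline'                          # hypothetical name
$workDir        = Join-Path $PWD $blueprintName

# 1. Blueprint definition: subscription scope, one parameter, one resource group.
New-Item -ItemType Directory -Path (Join-Path $workDir 'artifacts') -Force | Out-Null
@'
{
  "properties": {
    "description": "Baseline subscription layout enforced by the governance team",
    "targetScope": "subscription",
    "parameters": {
      "allowedLocations": {
        "type": "array",
        "defaultValue": [ "westeurope" ],
        "metadata": { "displayName": "Allowed locations" }
      }
    },
    "resourceGroups": {
      "sharedRg": {
        "name": "rg-shared-services",
        "location": "westeurope",
        "metadata": { "displayName": "Shared services resource group" }
      }
    }
  }
}
'@ | Set-Content -Path (Join-Path $workDir 'blueprint.json') -Encoding utf8

# 2. Policy-assignment artifact: wires the blueprint parameter to the built-in
#    "Allowed locations" policy, so every assigned subscription is restricted
#    to the approved regions.
@'
{
  "kind": "policyAssignment",
  "properties": {
    "displayName": "Allowed locations",
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c",
    "parameters": {
      "listOfAllowedLocations": { "value": "[parameters('allowedLocations')]" }
    }
  }
}
'@ | Set-Content -Path (Join-Path $workDir 'artifacts\allowed-locations.json') -Encoding utf8

# 3. Import the definition (it lands in the Draft state), then publish a version.
Import-AzBlueprintWithArtifact -Name $blueprintName -SubscriptionId $subscriptionId -InputPath $workDir
$draft = Get-AzBlueprint -SubscriptionId $subscriptionId -Name $blueprintName
Publish-AzBlueprint -Blueprint $draft -Version '1.0' -ChangeNote 'Initial baseline'

# 4. Assign the published version. -Lock maps to the portal's lock modes:
#    None (Don't Lock), AllResourcesDoNotDelete (Do Not Delete),
#    AllResourcesReadOnly (Read Only).
$published = Get-AzBlueprint -SubscriptionId $subscriptionId -Name $blueprintName -LatestPublished
New-AzBlueprintAssignment -Name "assign-$blueprintName" `
    -Blueprint $published `
    -SubscriptionId $subscriptionId `
    -Location 'westeurope' `
    -Lock AllResourcesDoNotDelete `
    -Parameter @{ allowedLocations = @('westeurope', 'northeurope') }

# 5. Check: provisioning state and lock of the assignment. With a Read Only
#    lock, allow up to 30 minutes before expecting the lock to be effective.
Get-AzBlueprintAssignment -Name "assign-$blueprintName" -SubscriptionId $subscriptionId | Format-List
```

The `-Parameter` hashtable answers the same prompt the portal shows at assignment time (Figure 5); values left out fall back to the `defaultValue` in the definition. To later change a locked resource, edit the definition, publish a new version and update the assignment rather than unlocking the resource by hand.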

An interesting aspect of Azure Blueprints is that the blueprints you create keep a relationship with the resources they deploy, so the assignment can be monitored and audited; this is not possible with plain ARM templates and policies.


Azure Blueprints gives those who build Azure architectures the ability to define a set of resources in an easily repeatable way, in compliance with corporate standards and the organization's requirements. By adopting blueprints you can rapidly build and deploy new environments made up of integrated components. This allows not only consistent environments to be delivered, but to deliver them in an agile way, enabling organizations to accelerate the development and delivery of solutions in Azure.

Azure Arc: a new approach to hybrid environments

The use of hybrid architectures in enterprises is increasingly predominant: they let you keep benefiting from the investments made in your on-premises environment while taking advantage of the innovation introduced by the cloud. Adopting hybrid solutions pays off when it is accompanied by a shared policy for deployment, component management and security. Without consistency in the management of the different environments, costs and complexity are likely to grow exponentially. Microsoft has decided to answer this need with Azure Arc, a set of technologies aimed at enabling new hybrid scenarios in which Azure services and management principles are extended to any infrastructure. This article presents the approach Azure Arc takes to hybrid environments.

The complexity of IT environments keeps growing: it is now common to find applications based on different technologies, running on heterogeneous infrastructures and possibly using solutions from different public clouds. What customers need is a solution that centrally lets them inventory, organize and enforce control policies on their IT resources wherever they are.

The principle behind Azure Arc is to extend Azure management and governance practices to different environments and to adopt typically cloud solutions, as DevOps techniques (infrastructure as code), even for on-premises environments.

Figure 1 – Azure Arc overview

To achieve this, Microsoft has decided to extend the Azure Resource Manager model so that it can also support hybrid environments; this makes it easier to apply the security features available in Azure to all infrastructure components.

Figure 2 – Azure Management for all resources

Azure Arc consists of a set of technologies and components that allow you to:

  • Manage applications in Kubernetes environments: it provides the ability to deploy and configure Kubernetes applications consistently across all environments, adopting modern DevOps techniques.
  • Run Azure data services on any infrastructure: this is based on Kubernetes and makes it easier to meet compliance criteria, improve data security and gain considerable flexibility in deployment. At the moment the services covered are Azure SQL Database and Azure Database for PostgreSQL.
  • Organize, manage and govern all server systems: Azure Arc extends Azure governance and management capabilities to physical machines and virtual systems in different environments. This component is called Azure Arc for servers.

Figure 3 – Azure Arc Technologies

Azure Arc relies on specific Resource Providers for Azure Resource Manager and requires the installation of the Azure Arc agents.

Logging in to the portal, you can see that Azure Arc for servers is already available in public preview, while you need to register to manage Kubernetes environments and data services, which are still in preview.

Figure 4 – Azure Arc in the Azure portal

Thanks to the overall view that Azure Arc introduces, you can reach the following objectives for hybrid architectures, which are otherwise difficult to achieve:

  • Standardization of operations
  • Organization of resources
  • Security
  • Cost Control
  • Business Continuity
  • Regulatory and corporate compliance

Figure 5 – Cloud-native governance with Azure Arc


Azure Arc was recently announced and, although still in an embryonic phase, I think that it will evolve significantly enough to revolutionize the management and development of hybrid environments. To keep up to date on how this solution develops you can register at this page.

How to control the execution of applications using Azure Security Center

Azure Security Center provides several mechanisms to prevent security threats and reduce the attack surface of your environment. One of these is Adaptive Application Controls, a feature that controls which applications are allowed to run on your systems. Azure Security Center uses machine learning to analyze the applications running on virtual machines and produces a list of allowed applications. This article lists the benefits of adopting this feature and shows how to configure it.

With this feature, available in the Standard tier of Azure Security Center, you can:

  • Be alerted to attempts to run malicious applications that antimalware solutions might not detect. For Windows systems in Azure, execution can also be blocked.
  • Meet corporate compliance requirements by allowing only licensed software to run.
  • Avoid the use of unwanted or obsolete software in your infrastructure.
  • Control access to sensitive data that takes place through specific applications.

Figure 1 – Azure Security Center Free vs Standard Tier

Adaptive application controls can be used on systems regardless of their geographic location. Currently, for systems not located in Azure and for Linux VMs, only audit mode is supported.

This feature can be activated directly from the portal by accessing the Azure Security Center.

Figure 2 – Adaptive application controls in the "Advanced cloud defense" of Security Center

Security Center uses a proprietary algorithm to automatically create groups of machines with similar characteristics, which makes it easier to apply application control policies.

In the management interface, the groups are divided into three types:

  • Configured: groups containing VMs on which this feature is already configured.
  • Recommended: groups of systems for which enabling application control is recommended. Security Center uses machine learning to identify VMs that consistently run the same set of applications and are therefore good candidates for application control.
  • Unconfigured: groups containing VMs for which there is no specific recommendation about application control, for example VMs that systematically run different applications.

Figure 3 – Types of groups

By clicking on a group of virtual machines you can manage the application control rules, which evaluate the execution of applications.

Figure 4 – Configuring Application control rules

For each rule, you select the machines to which it applies and the applications you want to allow. Details are provided for each application; in particular, the "Exploitable" column indicates whether the application could potentially be used maliciously to bypass the list of allowed applications. Pay close attention before allowing applications of this kind.

For Windows systems, this configuration creates specific AppLocker rules, which govern the execution of applications.

By default, Security Center enables application control in Audit mode, which only monitors activity on the protected virtual machines without blocking any application execution. For each group, after verifying that the configuration you made does not cause malfunctions in the workloads running on the systems, you can switch application control to Enforce mode, provided they are Windows virtual machines in Azure, to block the execution of applications that are not explicitly allowed. The group name can also be changed from the same interface.

Figure 5 – Change the name and protection mode
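Before moving a group from Audit to Enforce it is worth checking, on the Windows VM itself, what the AppLocker rules written by Security Center would actually have blocked. The script below is an added example, not part of the original article or of Security Center: it reads the effective AppLocker policy and summarizes the audit events (id 8003, would have been blocked) and block events (id 8004) from the AppLocker "EXE and DLL" log by executable path, so that legitimate workloads that are not yet allowed show up before enforcement is turned on. The look-back window is a hypothetical default.

```powershell
# Added example (not from the original article): review AppLocker audit results
# on a Windows VM before switching Adaptive Application Controls to Enforce.
# Run locally on the VM as an administrator. Event ids 8003 (audit: would have
# been blocked) and 8004 (blocked) are AppLocker EXE/DLL events; the XML field
# names (FilePath, TargetUser, FileHash) follow the AppLocker event schema.
param(
    [int]$Days = 7    # look-back window, hypothetical default
)

# 1. Effective AppLocker policy: which rule collections are AuditOnly vs Enabled,
#    and how many rules each one carries.
$policy = [xml](Get-AppLockerPolicy -Effective -Xml)
$policy.AppLockerPolicy.RuleCollection |
    Select-Object Type, EnforcementMode, @{n='Rules'; e={ $_.ChildNodes.Count }} |
    Format-Table -AutoSize

# 2. Pull audit/block events from the look-back window and flatten the fields
#    we need for triage.
$filter = @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id        = 8003, 8004
    StartTime = (Get-Date).AddDays(-$Days)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = $x.Event.UserData.RuleAndFileData
    [pscustomobject]@{
        Time     = $_.TimeCreated
        Outcome  = if ($_.Id -eq 8004) { 'Blocked' } else { 'WouldBlock' }
        FilePath = $d.FilePath
        User     = $d.TargetUser
        Hash     = $d.FileHash
    }
}

# 3. What would break if we enforced now: executables with no allowing rule,
#    grouped by path so one noisy binary does not hide the rest.
$events | Where-Object Outcome -eq 'WouldBlock' |
    Group-Object FilePath |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{n='LastSeen'; e={ ($_.Group | Measure-Object Time -Maximum).Maximum }} |
    Format-Table -AutoSize
```

Anything that appears in the last table and belongs to a legitimate workload needs an allow rule in the group's application control rules before the switch to Enforce; paths that are unexpected, or that match applications flagged as "Exploitable" in the portal, are the ones to investigate rather than allow.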

When the configuration is complete, the main Security Center panel shows notifications about applications that were executed in violation of the allowed list.

Figure 6 - Violation notifications for applications in Security Center

Figure 7 – Full list of the violations found

Figure 8 - Sample of violation


Adaptive application controls lets you enable, in a few simple steps, thorough control over the applications that run on your systems. Configuration is simple and intuitive, especially thanks to the feature that groups together systems with similar application execution patterns. It is therefore an important mechanism that helps prevent potential security threats and minimize the attack surface of the environment. Together with its other features, Adaptive application controls helps make Security Center a complete solution for workload protection.

Azure Data Share: the service to share data in a safe manner

Microsoft recently announced the availability of the new managed service Azure Data Share, designed specifically for sharing data between different organizations. Azure Data Share lets you share and combine data easily, enabling effective business collaboration between different organizations while respecting security and governance. This article covers the principles of operation and shows the steps to configure it.

To date, the most commonly used solutions for exchanging and sharing corporate data are based on the File Transfer Protocol (FTP) or on custom Web APIs, which not only require a dedicated infrastructure to be managed but are also unable to adhere to corporate security and governance standards. Moreover, these solutions are not suitable for exchanging large volumes of data. Azure Data Share is a fully managed service whose aim is to make the sharing of data between different organizations simple, secure and controlled. No dedicated infrastructure needs to be configured, and the service can scale rapidly to meet big data sharing needs. Security is critical for a service of this kind, and Azure Data Share leverages the security measures built into Azure for data protection.

Activation of the service

The Azure Data Share service must first be activated by the party that shares the data, as follows.

Figure 1 - Starting the process of creation

Figure 2 - Parameters required by the creation process

The deployment is very fast and after activating the service you can begin the process of sharing data.

Using the solution

Azure Data Share has an intuitive interface that can be used directly from the Azure portal; with a few simple steps you can choose which information to share and with whom.

Figure 3 – Start the process of sharing

Figure 4 – Definition of the name and details of the share

The use of the data can be governed by attaching specific terms of use to each share you create. To receive the data, recipients must accept the specified terms of use.

Figure 5 – Adding the dataset and selecting its type

Today the datasets that can be shared are Azure Blob Storage and Azure Data Lake Storage, but new Azure data sources will be introduced soon.

Figure 6 – Selection of the container that contains the data to be shared

Figure 7 - Adding the email address of the person you are sharing the files with

The service also lets you schedule the sharing of new content or of changes, while keeping full control of every share.

Figure 8 - Scheduling of snapshots

Figure 9 - Review and creation of the share

At the end of the sharing process, the recipient receives an email notification.

Figure 10 - Notification received via email by the person to whom the data is sent

Figure 11 - Data Share invitation in the Azure portal

The recipient of the shared data must have an Azure Data Share service in order to see the shared data.

Figure 12 – Accepting the Data Share invitation

When accepting the invitation you must specify the target, in this case the storage account, into which the received data is copied. You can choose to keep this content synchronized according to the schedule specified by the sender.

Figure 13 - Configuration of the storage account target

Figure 14 - Detail of a received share

For received shares you can also trigger a snapshot (full or incremental) manually.


In a world where the amount, type and variety of data keeps growing, services are needed that let organizations work together by sharing information of any kind and size. Thanks to Azure Data Share you can share data between different companies in a simple and secure way, while respecting governance policies. The addition of new datasets for data sharing, expected in the short term, will make this service even more complete and effective.

Azure Governance: introduction to Azure Resource Graph

Azure governance relies on a series of services specially designed to enable management and constant control of Azure resources on a large scale. Among these services is Resource Graph, a powerful tool that lets you quickly obtain, from the command line, details about the different Azure artifacts. Using Resource Graph you can retrieve information that previously required complex and iterative scripting. This article lists the characteristics of the solution and shows how you can use it to find out the details of Azure resources at scale.

Characteristics of the service

In complex Azure environments with many subscriptions, maintaining overall visibility of all Azure resources can be hard without purpose-built tools. The requirements that typically need to be addressed are:

  • Ability to view resources and their properties in a transversal way among different subscriptions.
  • Be able to efficiently perform queries on resources by setting filters, groupings and by imposing a specific sort order on their properties.
  • Explore iteratively the different resources.
  • Assessing the impact achieved by applying policies on a large number of cloud resources.

Thanks to an efficient and powerful query language, the Azure Resource Graph service allows you to:

  • Query resources by applying filters, complex groupings and sorting.
  • Explore resources iteratively based on governance requirements.
  • Assess the impact of applying a policy across a large cloud estate.
  • Detail the changes made to Azure resource properties. The ability to view the last 14 days of change history for resources was recently introduced, to identify which properties were changed and when. This feature is particularly useful when troubleshooting, to detect change events in a specific time window. It is also useful for understanding which properties changed when a resource changed its compliance state, so you can consider adopting Azure Policy to manage those properties properly. For further details see Microsoft's official documentation.

All these capabilities are important for governing your Azure environment as well as possible.

When an Azure resource is updated, Resource Manager notifies Resource Graph of the relevant changes and Resource Graph updates its database accordingly. Resource Graph also performs a regular full scan of resources to ensure that its information is up to date in case notifications are missed or updates happen outside of Resource Manager.

How to use Resource Graph

Azure Resource Graph queries are based on the Kusto query language, which is also used by Azure Data Explorer, Application Insights and Azure Log Analytics. For more details on the Azure Resource Graph query language, see Microsoft's official documentation, which shows how it is structured and which operators and features are supported.

Resource Graph supports the Azure CLI, Azure PowerShell and the Azure SDK for .NET. Querying Resource Graph requires adding the corresponding extension to the Azure CLI environment, while in Azure PowerShell the Resource Graph module must be installed. Queries are always structured in the same way, regardless of where they are run.

Using Resource Graph requires that the user running the query has at least read permission, through Role-based access control (RBAC), on the resources to be queried. If you do not have at least read permission on specific resources, queries will not return results about them.

The Azure Resource Graph service is also used when searching in the Azure portal search bar, in the new resource list (‘All resources’) and in the change history of Azure Policy.

Figure 1 – Experience of ‘All resources’ using Azure Resource Graph

Sample Query

Below are some example Resource Graph queries and their results.

Figure 2 - Query to count by resources type (Resource Type)

Figure 3 - Query to count the resources by geographic location

Azure Resource Graph queries have the advantage that, besides achieving the desired result in a simple way, they are also very fast:

Figure 4 - Running time of the query to count resources by location

To obtain the same result with the classic PowerShell approach in complex Azure environments, you would have to connect to each Azure subscription in turn, retrieve the necessary information and move on to the next subscription. Until Resource Graph arrived, this approach was the only one possible, but it was more labor intensive and much less powerful.

Figure 5 - List of VMs with the OS disk not Managed
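The three queries from the figures above (count by resource type, count by location, VMs with an unmanaged OS disk), as an added example not taken from the original article, run with Search-AzGraph from the Az.ResourceGraph module. The `Invoke-GraphQuery` helper and its page size of 1000 rows are my own choices, and the column names under `properties` follow the Compute resource provider's VM schema.

```powershell
# Added example (not from the original article): the section's queries run with
# Search-AzGraph (Az.ResourceGraph module). Query text is Kusto; results come
# back as objects. Requires Connect-AzAccount first and at least Reader on the
# subscriptions you want to see, since Resource Graph honours RBAC.
#Requires -Modules Az.Accounts, Az.ResourceGraph

# Run a query across every subscription the signed-in identity can read,
# paging 1000 rows at a time (a single response is capped, so larger
# inventories need paging). Helper name and page size are my own choice.
function Invoke-GraphQuery {
    param([Parameter(Mandatory)][string]$Query)
    $skip = 0
    do {
        $page = Search-AzGraph -Query $Query -First 1000 -Skip $skip
        $page
        $skip += 1000
    } while ($page.Count -eq 1000)
}

# Figure 2: how many resources of each type.
$byType = Invoke-GraphQuery -Query @'
Resources
| summarize count() by type
| order by count_ desc
'@

# Figure 3: how many resources per region.
$byLocation = Invoke-GraphQuery -Query @'
Resources
| summarize count() by location
| order by count_ desc
'@

# Figure 5: VMs whose OS disk is an unmanaged VHD in a storage account.
# An unmanaged OS disk carries a 'vhd' URI and has no 'managedDisk' object.
$unmanagedOsDisk = Invoke-GraphQuery -Query @'
Resources
| where type =~ 'microsoft.compute/virtualmachines'
| where isnull(properties.storageProfile.osDisk.managedDisk)
| project name, resourceGroup, subscriptionId, location,
          vhd = tostring(properties.storageProfile.osDisk.vhd.uri)
'@

# Figure 4: timing the location query, to compare with a per-subscription loop.
$elapsed = Measure-Command {
    Invoke-GraphQuery -Query 'Resources | summarize count() by location' | Out-Null
}
"Location query completed in {0:N0} ms" -f $elapsed.TotalMilliseconds

$byType          | Format-Table -AutoSize
$byLocation      | Format-Table -AutoSize
$unmanagedOsDisk | Format-Table -AutoSize
```

The same query strings work unchanged with `az graph query -q "..."` in the Azure CLI, as the article notes; only the surrounding paging and output handling differ between the two tools.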


Azure Resource Graph lets you quickly and efficiently explore and analyze Azure resources, maintaining full visibility even over particularly complex Azure environments made up of several subscriptions, each with a large number of elements. The feature that lets you see the history of changes to Azure resources is particularly useful. Azure Resource Graph is a tool that makes a significant contribution to the governance of the Azure environment.