Category Archives: Azure Governance

Azure Governance 2.0: managing Hybrid and Multi-Cloud environments with AI support

Hybrid and multi-cloud IT environments are revolutionizing how companies manage their digital infrastructures, offering the flexibility to combine on-premise resources with cloud services. This approach allows for optimal workload management and unprecedented scalability, but it also brings challenges that organizations must address to maintain control and security over their IT environments. In this article, we will explore the challenges of hybrid and multi-cloud IT environments, examining best practices for effective governance and the growing role of artificial intelligence (AI) in simplifying the management of these complex infrastructures.

Challenges of Hybrid and Multi-Cloud IT Environments

The adoption of hybrid and multi-cloud IT environments offers companies flexibility and scalability, but it introduces a series of challenges that need to be addressed to ensure effective resource management.

High and Unnecessary Service Costs

One of the main difficulties lies in cost management. Companies often face unexpected or excessive expenses due to a poor understanding of cloud provider pricing models or the activation of unnecessary services. To avoid this, it’s crucial to implement cost management strategies, including constant resource monitoring and service optimization based on real business needs.

New Security Threats

The move to the cloud brings new security threats. Organizations must tackle risks such as unauthorized access, data breaches, and misconfigured cloud services. To mitigate these dangers, solid security strategies are essential, including data encryption, multi-factor authentication, and advanced identity management. Training IT personnel on security risks and protection best practices is another critical component.

Delegation of Service Activation and Risk of Losing Control

The ease of activating cloud services can lead to “shadow IT” scenarios, where departments activate services autonomously without centralized IT control. This can result in resource dispersion and overall loss of control over the infrastructure. Clear guidelines and a centralized approval process are needed to ensure each cloud service activation is carefully evaluated and monitored.

Compliance Challenges

Integrating cloud solutions poses complex compliance challenges, especially in highly regulated industries. Companies must understand and comply with the specific regulatory requirements of their sector, working with cloud service providers to ensure compliance. Regular audits and compliance assessments are essential to keep cloud systems aligned with current regulations.

Managing Complex Technologies with Reduced Staff

Managing complex, ever-evolving IT environments requires specific skills and a sufficient number of qualified personnel. However, many organizations face this challenge with small IT teams. In these cases, investing in staff training and adopting automation and AI technologies can help reduce the manual workload, improving operational efficiency and resource management.

Although hybrid and multi-cloud environments offer many benefits, it’s crucial for companies to proactively address these challenges by implementing robust governance strategies, advanced security solutions, and automation tools to ensure effective and efficient IT resource management.

Cloud Governance: Essential for Control

Cloud Governance is a set of processes and tools that maintain technological and financial control over IT environments. This includes cost management, security, and resource standardization. An emerging aspect of governance also involves energy consumption and sustainability. Monitoring tools for emissions and environmental impact data collection help companies to be more conscious and responsible in their cloud strategy. Therefore, it is crucial to adopt Cloud Governance based on solid, time-tested frameworks.

Technologies and Best Practices for Governance with Microsoft Solutions

Effective cloud governance also requires advanced tools and established best practices. Microsoft provides an integrated ecosystem of solutions to manage, optimize, and protect cloud resources, ensuring security, cost control, and compliance.

  • Azure Cloud Adoption Framework The Azure Cloud Adoption Framework (CAF) offers guidelines for planning, building, and managing cloud environments, with a dedicated section for governance. It helps companies structure security and compliance policies and optimize deployment processes, reducing risks.
  • Azure Policy Azure Policy ensures resources comply with company rules by applying automated security and compliance policies at scale. Policies identify and correct non-compliant configurations, ensuring constant control and protection.
  • Resource Lock Resource Locks prevent accidental modifications or deletions of critical resources, ensuring operational stability, particularly in production environments.
  • Resource Tagging Tagging simplifies the organization and management of components, particularly cloud resource costs, allowing clear budget division between projects or departments.
  • Microsoft Defender for Cloud Microsoft Defender for Cloud offers advanced multi-layered security, covering:
    • CSPM to monitor security and fix risky configurations.
    • CWP to protect workloads on Azure and multi-cloud environments.
    • DevSecOps by integrating security into development processes with Azure DevOps and GitHub.
  • Azure Cost Management and Azure Advisor Azure Cost Management provides tools to monitor resource usage and optimize costs, while Azure Advisor offers suggestions related to reliability, security, performance, operational excellence, and cost reduction.
  • Azure Arc Azure Arc extends Azure governance to on-premise and multi-cloud environments, allowing centralized and consistent management of all resources, regardless of their location, improving control and efficiency.

360° IT Governance Strategy

An effective IT governance strategy must go beyond the cloud to include on-premise and edge resources. This holistic approach ensures consistency, efficiency, and security across the entire IT ecosystem, preventing operational silos. In this context, Azure Arc plays a crucial role, extending Azure cloud management services to on-premise and edge environments. Additionally, it allows companies to apply uniform security and compliance policies to all resources, regardless of their location.

The Role of AI in IT Governance

AI is revolutionizing how organizations manage and govern IT environments, especially in hybrid and multi-cloud contexts. AI technologies help address the growing complexity and data volumes generated, offering tools that not only monitor but predict and proactively solve issues. This allows companies to make faster, more accurate decisions, improve security, optimize costs, and ensure regulatory compliance.

The following sections illustrate the main areas where AI has already introduced and will continue to bring significant innovations in Cloud Governance.

Predictive Monitoring and Analysis

AI can monitor IT resources distributed across various environments in real time, detecting anomalies or inefficiencies before they have a significant impact. Predictive analysis, one of AI’s key features, allows for the anticipation of failures or overloads, enabling proactive maintenance and more efficient resource lifecycle management. Through machine learning, these systems learn from historical data, continuously improving the accuracy of predictions and minimizing downtime.

Automating Operational Processes

AI plays a crucial role in automating repetitive and complex tasks that often require manual intervention by IT personnel. This includes automated management of cloud resources, infrastructure scalability, and service provisioning and de-provisioning. Intelligent automation reduces the risk of human errors and frees up resources for strategic tasks, improving the overall efficiency of the IT environment.

Financial Optimization

In terms of cost management, AI provides advanced tools to monitor cloud resource usage and suggest optimizations. For example, solutions like Azure Cost Management use AI algorithms to analyze consumption patterns, identify underutilized or unused resources, and offer recommendations to reduce costs. Additionally, AI helps create detailed spending forecasts and suggest dynamic resource resizing based on actual demand, ensuring efficient IT budget use.

Proactive Security and Incident Response

On the security front, AI offers advanced threat detection and response capabilities. Solutions like Microsoft Defender for Cloud use AI algorithms to analyze vast amounts of data, identify suspicious behaviors, and automatically respond to potential threats. This proactive approach allows companies to block malicious activities in real time, drastically reducing the risks of breaches and attacks. AI also facilitates the adoption of DevSecOps practices, integrating security in the early stages of application development and reducing vulnerabilities throughout the software lifecycle.

AI Integration for Innovation

Finally, AI not only optimizes operations but also acts as a catalyst for innovation. AI empowers companies to experiment with new solutions, test different scenarios, and optimize the performance of cloud applications. In DevOps and DevSecOps contexts, AI can speed up development cycles, improving efficiency and software quality while ensuring security is not compromised.

Conclusion

Hybrid and multi-cloud IT environments offer companies unprecedented opportunities for flexibility, scalability, and resource optimization. However, fully exploiting these advantages requires proactive management of challenges related to costs, security, compliance, and governance. Adopting advanced technologies such as artificial intelligence and specific management tools like Azure Policy and Microsoft Defender for Cloud is crucial to maintaining control over complex and distributed environments.

Additionally, a holistic IT governance approach, encompassing on-premise, edge, and cloud resources, is essential to avoid operational silos and ensure consistency, security, and efficiency. AI, with its capabilities for automation, predictive monitoring, and optimization, not only simplifies operational management but also fosters continuous innovation, enabling companies to improve performance, reduce costs, and strengthen security in an increasingly dynamic and complex IT ecosystem.

Azure Arc Site Manager: the solution for managing and governing on-premises IT resources

Azure Arc Site Manager is an innovative solution for system administrators, designed to offer centralized management of IT resources, associating them with the physical or logical locations of customer infrastructures and facilitating governance of these resources. This tool simplifies connection monitoring, alert management, and resource update statuses, enabling administrators to apply fixes and updates uniformly across all resources. Azure Arc Site Manager allows for the management and monitoring of on-premises environments as Azure Arc sites, providing a tailored experience for on-premises scenarios where infrastructure is often managed within common physical boundaries, such as stores or factories. With a unified view of distributed resources, this tool becomes indispensable for improving operational efficiency and ensuring optimal control of IT resources, supporting effective and targeted governance. This article will outline the main features of this solution.

Customer Challenges

Customers often face numerous challenges in managing on-premises infrastructures, especially when dealing with different types of resources distributed across various locations. In many situations, this requires using different dashboards to monitor the status and security of resources. This fragmented approach not only complicates overall management but can also significantly reduce operational efficiency, increasing the risk of errors and delays in responding to critical issues.

Arc Site Manager Features

Arc Site Manager has been developed to address the challenges of managing IT infrastructures, offering a range of key features:

  • Centralized Resource Management: Provides a unified platform for managing resources associated with the physical or logical locations of customers’ IT infrastructures, allowing an overview of resources distributed across different sites.
  • Connection Monitoring: Simplifies monitoring connections between Azure resources, ensuring they are always operational and connected. Administrators can quickly identify resources that need attention.
  • Alert Management: Integrates Azure Monitor alerts, providing timely notifications regarding security issues, updates, and performance that require intervention.
  • Update Status: Offers an interface to monitor the update status of resources, ensuring they are always up to date with the latest patches.
  • Uniform Application of Fixes: Enables IT administrators to apply fixes and updates uniformly to all resources through the Arc Site Manager portal, simplifying management and reducing the risk of errors.
  • Customized Experiences: Provides personalized experiences using tools like Azure Monitor, Update Manager, and other services to be added in the future, allowing for targeted and specific resource management.
  • Logical Representation of Resources: Allows grouping of resources based on technical and business criteria, creating a logical representation consistent with the company’s needs.

IMPORTANT NOTE: These features do not replace the Azure Arc control plane but enhance it, providing a more user-friendly view of resources, useful for managing complex environments with multiple types of resources distributed across different physical sites.

Figure 1 – Solution Overview

Technical Aspects

When creating a site, it is associated with a resource group or a subscription. The Arc site automatically collects all supported resources within its scope. Arc sites have a 1:1 relationship with resource groups and subscriptions: a site can only be associated with one resource group and one subscription, and vice versa.

Figure 2 – Arc Site Manager Console

Arc Site Manager allows customers managing on-premises infrastructures to view resources based on their site or physical location. However, sites do not necessarily have to be associated with a physical location; they can be used according to customer needs, grouping resources by function or type rather than location.

For more details, I invite you to watch this video with an interesting demo.

Future Developments

Future plans for Arc Site Manager include the ability to define dynamic site scopes, multiple hierarchical levels, more detailed monitoring views, and location-based capabilities. These new features aim to further enhance user experience and IT resource management, providing even more advanced and customized tools to meet the ever-evolving needs of IT administrators.

Conclusions

Azure Arc Site Manager represents a significant step forward in the management and governance of IT resources, offering administrators a centralized solution for monitoring, updating, and maintaining on-premises infrastructure. With advanced features such as centralized resource management, connection and alert monitoring, and the ability to apply updates uniformly, Arc Site Manager significantly simplifies the management of complex and distributed environments. Future expansions of its features promise to further improve operational efficiency and response capability to emerging challenges, making this tool highly valuable for companies looking to maintain optimal control over their IT resources.

Learn about foolproof strategies to optimize costs on Azure

The peculiarities and undeniable advantages of cloud computing can, in certain situations, hide pitfalls if not handled with due attention. Wise cost management is one of the crucial aspects of cloud governance. In this article, will be explored and outlined the principles and techniques that can be used to optimize and minimize expenses relating to the resources implemented in the Azure environment.

The issue of optimizing costs related to the cloud is a topic that is attracting increasingly greater interest among numerous customers. So that, for the seventh year in a row, emerges as the leading initiative in the cloud industry, as reported in Flexera's annual report 2023.

Figure 1 – Initiatives reported in the Flexera report of 2023

Principles to better manage costs

For effective management of costs associated with Azure, It is essential to adopt the principles outlined in the following paragraphs.

Design

A well-structured design process, which includes a meticulous analysis of business needs, it is essential to customize the adoption of cloud solutions. It therefore becomes crucial to outline the infrastructure to be implemented and how it will be used, through a design plan that aims to optimize the efficiency of the resources allocated in the Azure environment.

Visibility

It is vital to equip yourself with tools that offer a global view and allow you to receive notifications regarding Azure costs, thus facilitating constant and proactive monitoring of expenses.

Responsibility

Assigning cloud resource costs to the respective organizational units within the company is a smart practice. This ensures that managers are fully aware of the expenses attributable to their team, promoting an in-depth understanding of Azure spending at an organizational level. For this purpose, It is advisable to structure Azure resources in such a way as to facilitate the identification and attribution of costs.

Optimization

It is advisable to undertake periodic reviews of Azure resources with the intention of minimizing expenses where possible. Making use of available information, you can easily identify underutilized resources, eliminate waste and capitalize on cost saving opportunities.

Iteration

It is essential that IT staff are continuously engaged in the iterative processes of optimizing the costs of Azure resources. This represents a key element for responsible and effective management of the cloud environment.

Techniques to optimize costs

Regardless of the specific tools and solutions used, to refine cost management in Azure, you can adhere to the following strategies:

  • Turn off unused resources, given that the pricing of the various Azure services is based on the actual use of the resources. For those resources that do not require uninterrupted operation and that allow, without any loss of configurations or data, a deactivation or suspension, it is possible to implement an automation system. This system, regulated by a predefined schedule, facilitates the optimization of use and, consequentially, more economical management of the resources themselves.
  • Adequately size resources, consolidating workloads and proactively intervening on underutilized resources, allows us to avoid waste and guarantee a more efficient and targeted use of available capacities.
  • For resources used continuously in the Azure environment, evaluate the option of Reservations can prove to be an advantageous strategy. Azure Reservations offer the opportunity to benefit from a significant cost reduction, which can reach up to 72% compared to pay-as-you-go rates. This benefit can be obtained by committing to pay for the use of Azure resources for a period of one or three years. This payment can be made in advance or on a monthly basis, at no additional cost. The purchase of Reservations can be made directly from the Azure portal and is available to customers with the following subscription types: Enterprise Agreement, Pay-As-You-Go and Cloud Solution Provider (CSP).
  • To further mitigate costs associated with Azure, it is appropriate to consider the implementation of’Azure Hybrid Benefit. This advantage allows you to achieve significant savings, as Microsoft only allows you to bear the costs relating to the Azure infrastructure, while the licenses for Windows Server or SQL Server are covered by a Software Assurance contract or an existing subscription.

The Azure Hybrid Benefit can also be extended to Azure SQL Database, to SQL Servers installed on Azure virtual machines and SQL Managed Instances. These benefits facilitate the transition to cloud solutions, bidding up to 180 days of dual use right, and help leverage pre-existing investments in terms of SQL Server licenses. To learn more about how to use the Azure Hybrid Benefit for SQL Server, please consult the FAQs present in this document. It is important to note that this benefit is also applicable to RedHat and SUSE Linux subscriptions, further expanding the opportunities for savings and cost optimization.

The Azure Hybrid Benefit can be combined with Azure Reserved VM Instances, creating an opportunity for significant savings that can reach 80% of the total, especially when you opt for an Azure Reserved Instance purchase for the duration of 3 years. This synergy not only makes the investment cheaper, but also maximizes operational efficiency.

  • Considering the integration of new technologies and the application of architectural optimizations is crucial. This process involves the selection of the most appropriate Azure service for the specific needs of the application in question, ensuring not only optimal technological alignment, but also more efficient cost management.
  • Allocate and de-allocate resources dynamically is critical to meeting fluctuating performance needs. This approach is known as “autoscaling”, a process that facilitates the flexible allocation of resources to meet specific performance needs at any time. As the workload intensifies, an application may require additional resources to maintain desired performance levels and meet SLAs (Service Level Agreement). On the contrary, when demand reduces and additional resources are no longer essential, these can be de-allocated to minimize costs. Autoscaling capitalizes on the elasticity of cloud environments, allowing not only more effective cost management, but also reducing the administrative burden, as resources can be managed more smoothly and with less manual intervention.
  • For test and development environments, it is advisable to consider the use of Dev/Test subscriptions, which offer the opportunity to access significant discounts on Azure fees. These subscriptions can be activated under an Enterprise Agreement, thus facilitating more advantageous cost management and more agile and economical experimentation during the development and testing phases.

Conclusions

The adoption of a methodological approach in managing cloud costs, together with the use of appropriate strategies, represents a fundamental pillar for successfully navigating the complex challenge of cloud economic management. Drawing from the principles and techniques outlined in this article, users can not only optimize expenses, but also make the most of their investment in the cloud, ensuring a balance between costs and benefits.

Revolutionize cloud cost management with AI: discover the new Microsoft Cost Management co-pilot!

In the digital age, cloud computing has become an essential component for many companies, offering flexibility, scalability and agility. However, with the ever more widespread adoption of the cloud, the management of associated costs has become an increasingly complex challenge and companies are looking for innovative solutions to optimize their expenses in the cloud. In this context, Microsoft introduced “Copilot” in Cost Management, a new feature based on artificial intelligence, designed to help businesses navigate this complex landscape. This article shows the main features of this integration, that promises to revolutionize the way businesses manage and optimize their spending on cloud resources.

A clear view of costs with Microsoft Cost Management

Microsoft Cost Management, available directly from the Azure portal, offers a detailed view of operating costs, allowing businesses to better understand how their funds are being spent. This tool provides detailed information about your expenses, highlighting any anomalies and spending patterns. Furthermore, allows you to set budgets, share costs among different teams and identify opportunities for optimization.

AI at the service of cost management

With the introduction of AI in Microsoft Cost Management, users can now ask questions in natural language to quickly get the information they need. For example,, to understand a recent invoice, it is possible to request a detailed breakdown of expenses. The AI ​​will provide an overview of the different spending categories and their impact on the total.

As well as providing an overview of costs, the AI ​​offers suggestions on how to analyze expenses further. Users can compare monthly bills, examine specific expenses or investigate any anomalies. The AI ​​also provides detailed information on any changes in costs and suggests corrective actions.

The AI ​​integrated into Microsoft Cost Management interprets user intentions and retrieves the necessary data from various sources. This information is then presented to an advanced language model which generates a response. It is important to note that the retrieved data is not used to train the model, but only to provide the context needed to generate a relevant response.

Future perspectives

The capabilities of AI in Microsoft Cost Management are constantly evolving. In the future, users will be able to take advantage of simulations and modeling “what-if” to make informed decisions. For example,, will be able to explore how storage costs will vary as the business grows or evaluate the impact of moving resources from one region to another.

Figure 1 – Example of simulation and modeling “what-if”

Benefits

The introduction of AI in Microsoft Cost Management allows to obtain the following benefits:

  • Greater visibility and cost control: with greater visibility and understanding of cloud resource costs, organizations can make more informed decisions and better manage their budgets.
  • Operational efficiency: using AI to analyze and interpret data reduces the time and effort needed to gain valuable insights. Furthermore, users can ask specific questions in natural language and receive detailed answers, customized to their needs.

Figure 2 – Examples of questions

  • Optimization: with AI-driven tips and recommendations, organizations can identify and implement optimization opportunities to further reduce costs.

Conclusion

The integration of Copilot into Microsoft Cost Management represents a significant step forward in cloud cost management. With the help of artificial intelligence, businesses now have a powerful tool to optimize their spending and ensure they operate at peak efficiency. With the constant evolution of artificial intelligence, further and interesting innovations are expected in the field of cloud cost management and beyond.

The new solution to manage and govern system updates

Common cybersecurity practices provide, among the many tricks, the timely application of software updates. In fact,, this activity is also of fundamental importance to eliminate the vulnerabilities that allow the implementation of specific cyber attacks on company systems. To facilitate the application of patches, related to the operating system, to the machines of your infrastructure, Microsoft recently announced the availability of a new solution called "Update management center". This article reports the characteristics and peculiarities of this solution that helps simplify the management of updates and achieve compliance with regard to these aspects related to security.

What allows you to do this solution?

Update management center is the new solution that helps to centrally manage and govern the updates of all the machines present in your infrastructure. In fact,, by means of this solution it is possible:

  • Check update compliance for your entire fleet of machines.
  • Instantly distribute critical updates to protect your systems or plan installation within a defined maintenance window.
  • Take advantage of the different patching options, like Automatic VM guest patching in Azure, hot patching, and maintenance schedules defined by the customer.

To date, Update management center is able to manage and govern updates on:

  • Windows and Linux operating systems.
  • Machines residing in Azure, locally and on other cloud platforms, thanks to Azure Arc.

The following diagram illustrates how Update management center performs the evaluation and application of updates on all Azure systems and Arc-enabled servers, both Windows and Linux.

Figure 1 - Update management center overview

Update Management Center is based on a new Azure extension designed to provide all the features necessary to interact with the operating system as regards the evaluation and application of updates. This extension is automatically installed at the start of any operation of Update Management Center. The distribution of the extension is supported on Azure virtual machines or on Arc-enabled servers and is installed and managed using:

  • The Windows agent or the Linux agent for Azure virtual machines.
  • The Azure Arc agent for non-Azure physical computers or servers (bot Linux, and Windows).

The installation and configuration of the extension is managed by the solution and no manual intervention is required, as long as the Azure VM Agents or Agents for Azure Arc are functional. The extension ofUpdate management center runs code locally on the computer to interact with the operating system and allows you to:

  • Retrieve evaluation information about the status of system updates, specified by the Windows Update agent or by the Linux package manager*.
  • Start the download and installation of approved updates from the Windows Update client or from the Linux package manager.
  • Get all the information on the results of installing updates, which are reported inUpdate management center from the extension and are available for analysis via the Azure Resource Graph. The visualization of the evaluation data can be consulted for the last seven days and the results regarding the installation of updates are available for the last thirty days.

* The machines deliver notifications on updates based on the origin with which they are configured for synchronization. Windows Update Agent (WUA) on Windows machines it can be configured to reference Windows Server Update Services (WSUS) or to Microsoft Update. Linux machines can be configured to reference a local or public YUM or APT package repository.

Benefits of the solution

Update management center works without the need for onboarding, as it is a solution that is natively based on the Azure Compute platform and Azure Arc-enabled servers. This solution will soon take the place of Update Management of Azure Automation, removing any dependency on Azure Automation and Log Analytics.

The main strengths of the new solution are summarized in the following paragraphs.

Centralized visibility of updates

Thanks to this solution it is possible to consult centrally, direct from the Azure Portal, the state of compliance with respect to the updates requested and distributed on the various systems.

Native integration and zero onboarding

Being a solution created as a native feature of the Azure platform, there is no dependency on Log Analytics and Azure Automation. Furthermore, the solution supports full integration with Azure Policy.

Integration with Azure roles and identities

The solution allows for granular access control at the resource level. Everything is based on Azure Resource Manager and therefore allows the use of RBAC and ARM-based roles in Azure.

High flexibility in managing updates

The ability to automatically check for missing or on-demand updates, as well as the ability to act by installing updates immediately or to schedule them for a later date are elements that guarantee high flexibility. Furthermore, it is allowed to keep the systems updated by adopting new techniques, such as automatic VM guest patching in Azure and hotpatching.

Integration with other solutions

In this context it is worth considering that Microsoft offers, in addition to this solution, also other features to manage updates for Azure virtual machines.  These features should be considered as an integral part of your overall update management strategy. Among the various features we find:

  • Automatic OS image upgrade
  • Automatic VM guest patching
  • Automatic extension upgrade
  • Hotpatch
  • Maintenance control
  • Scheduled events

To learn more about all these solutions, you can consult the Microsoft's official documentation.

Conclusions

This new feature, fully integrated into the Azure platform and able to exploit the potential of Azure Arc, it allows you to keep all the systems of your infrastructure up-to-date in a simple way, direct and with very little administrative effort. Furthermore, guarantees total visibility on update compliance for both Windows and Linux systems, fundamental element to increase the security posture of your infrastructure.

How to deal with the migration of the datacenter to Azure

The adoption of solutions and services in the public cloud is rapidly and steadily increasing and this increase is mainly due to the fact that many organizations have realized that moving existing workloads to Azure can bring significant benefits. These include the ability to rapidly deploy applications allowing you to benefit from an infrastructure present on a global scale, the reduction of maintenance requirements and costs and performance optimization. In this article we will examine the main aspects to consider in order to adopt a strategic approach regarding the migration of your IT infrastructure to Azure and how, thanks to this approach, you can take advantage of all the benefits of Microsoft's public cloud.

Main triggers for migration

Among the main aspects that lead customers to face a migration of their workloads to cloud solutions we find:

  • the deadlines of the data center contracts in use;
  • the need to quickly integrate new acquisitions;
  • the urgent need for skills and resources;
  • the need to keep the software and hardware in use updated;
  • the willingness to respond effectively to potential security threats;
  • compliance needs (e.g.. GDPR);
  • the need to innovate their applications and make them available faster;
  • the end of the software support purpose for certain products and the need to obtain extended security updates free of charge, also for Windows Server 2008/R2, both for Windows Server 2012 / R2, in addition to the corresponding versions of SQL Server.

Figure 1 – Main triggers for migration

Finding yourself in at least one of these triggers that could initiate a migration process is very common. To undertake this migration in the best possible way, it is necessary to take into consideration what is reported in the following paragraphs.

The path of adopting cloud solutions

In the path of adoption of cloud solutions defined in the Microsoft Cloud Adoption Framework for Azure six main actions emerge that should be considered:

  • Strategy definition: definition of the business justification and the expected results.
  • Plan: aligning the cloud adoption plan to business results, through:
    • Inventory of digital assets: cataloging of workloads, applications, data sources, virtual machines and other IT resources and assessments to determine the best way to host them in the cloud.
    • Create a cloud adoption plan by prioritizing workloads based on their business impact and technical complexity.
    • Definition of skills and support needs, to ensure that the company is prepared for change and new technologies.
  • Ready: preparation of the cloud environment.
  • Adopt: implementation of desired changes in IT and business processes. Adoption can take place through:
    • Migration: focuses on moving existing on-premises applications to the cloud based on an incremental process.
    • Innovation: focuses on the modernization of digital assets to drive business and product innovation. Modern approaches to implementation, operations and infrastructure governance make it possible to quickly bridge the gap between development and operations.
  • Govern: evaluation and implementation of best practices in governance.
  • Manage: implementation of operational guidelines and best practices.

Azure Landing Zone

Regardless of the migration strategy that you decide to adopt, it is advisable to prepare the Landing Zone, which represents, in the cloud adoption journey, the destination in the Azure environment. It is a horizontally scalable architecture designed to allow the customer to manage functional cloud environments, while maintaining best practices for security and governance. The architecture of the Landing Zone must be defined on the basis of business requirements and the necessary technical requirements.

Figure 2 – Conceptual example of an Azure landing zone

There are several options to implement the Landing Zone, thanks to which it will be possible to meet the deployment and operational needs of the cloud portfolio.

A structured and methodological approach and migration strategies

There are several paths for adopting solutions in Azure. To best address each of these paths, it is recommended to develop a complete business case and project plan in advance, containing information on benefits and costs (TCO) of moving workloads to the Microsoft Azure cloud, as well as recommendations on how to optimize the use model of Microsoft Azure services.

Figure 3 – Paths of adoption of cloud solutions

Based on the company's cloud strategy and general business objectives, it is advisable to examine the distribution and use of the workloads in use and evaluate their "cloud-ready" status to determine the best options and the most appropriate methods (lift&shift, refactor, rearchitect and rebuild) with a view to consolidation and migration to Microsoft Azure cloud services.

Figure 4 – Possible migration strategies

* These migration strategies are reported by Gartner research. Gartner also defines a fifth strategy called " Replace".

The following paragraphs describe the main migration strategies that can be useful.

Rehost application (i.e., lift & shift)

It involves redistributing an existing application on a cloud platform without modifying its code. The application is migrated “as well as”, which provides basic cloud benefits without facing high risk and without incurring the costs of making changes to the application code.

This migration technique is usually used when:

  • You need to quickly move applications from on-premise to the cloud
  • When application is necessary, but the evolution of its capabilities is not a corporate priority
  • For applications that have already been designed to take advantage of Azure IaaS scalability
  • In the presence of specific application or database requirements, that can only be satisfied using IaaS virtual machines in an Azure environment.
Example

Moving a line of business application on board virtual machines residing in the Azure environment.

Refactor application (i.e., repackaging)

This migration strategy involves minimal changes to the application code or configuration changes, necessary to optimize the application for Azure PaaS and make the most of the cloud.

This migration technique is usually used when:

  • You want to leverage an existing code base
  • Code portability is an important element
  • The application can be easily packaged to run in an Azure environment
  • The application must be more scalable and rapidly deployable
  • We want to promote business agility through continuous innovation (Devops)
Example

An existing application is refactored by adopting services such as App Service or Container Services. Furthermore, SQL Server is refactored to Azure SQL Database.

Rearchitect application

The re-design technique consists of modifying or extending the architecture and code base of the existing application, optimizing it for the cloud platform and thus ensuring better scalability.

This migration technique is usually used when:

  • The application needs major revisions to incorporate new features or to work more effectively on a cloud platform
  • They want to leverage the investments made in existing applications
  • There is a need to minimize the management of VMs in the cloud
  • You intend to meet your scalability requirements in a cost-effective way
  • We want to promote business agility through continuous innovation (Devops)
Example

Breakdown of a monolithic application into microservices in an Azure environment that interact with each other and are easily scalable.

Rebuild application

The rebuild of the application from scratch involves the use of cloud-native technologies on Azure PaaS.

This migration technique is usually used when:

  • Rapid development is needed and the existing application is too limiting in terms of functionality and duration
  • We want to take advantage of the new innovations present in the cloud as serverless, Artificial intelligence (AI) e IoT
  • You have the skills to build new cloud-native applications
  • We want to promote business agility through continuous innovation (Devops)
Example

Creation of green field applications with innovative cloud native technologies, such as Azure Functions, Logic Apps, Cognitive Service, Azure Cosmos DB and more.

Azure Cloud Governance

In the successful adoption of services in the public cloud, as well as requiring a structured and methodological approach, it becomes essential to adopt a precise strategy to migrate not only applications, but also governance and management practices, adapting them appropriately.

For this reason it becomes essential to put in place a process of Cloud Technical Governance through which it is possible to guarantee the Customer an effective and efficient use of IT resources in the Microsoft Azure environment, in order to achieve their goals. To do this, it is necessary to apply controls and measurements to help the client mitigate risks and create boundaries. Governance policies, within the customer's environment, they will also act as an early warning system to detect potential problems.

Conclusions

The digital transformation process that affects companies often involves the migration of workloads hosted in their data centers to the cloud to obtain better results in terms of governance, security and cost efficiency. The innovation given by the migration to the cloud frequently becomes a business priority, for this reason it is advisable to adopt your own structured approach, to address various migration scenarios, which allows to reduce complexity and costs.

Azure Governance: how to control system configurations in hybrid and multicloud environments

There are several companies that are investing in hybrid and multicloud technologies to achieve high flexibility, that enables you to innovate and meet changing business needs. In these scenarios, customers face the challenge of using IT resources efficiently, in order to best achieve your business goals, implementing a structured IT governance process. This can be achieved more easily if you have solutions that, in a centralized way, allow you to inventory, organize and enforce control policies on your IT resources wherever you are. Azure Arc solution involves different technologies with the aim of supporting hybrid and multicloud scenarios, where Azure services and management principles are extended to any infrastructure. In this article we will explore how, thanks to the adoption of the Azure Guest Configuration Policy it is possible to control the configurations of systems running in Azure, in on-premises datacenters or other cloud providers.

The principle behind Azure Arc

The principle behind Azure Arc is to extend Azure management and governance practices to different environments and to adopt typically cloud solutions, as DevOps techniques (infrastructure as code), also for on-premises and multicloud environments.

Figure 1 – Azure Arc overview

Enabling systems to Azure Arc

Enabling Azure Arc servers allows you to manage physical servers and virtual machines residing outside Azure, on the on-premises corporate network or at another cloud provider. This applies to both Windows and Linux systems. This management experience is designed to provide consistency with Azure native virtual machine management methodologies. In fact, connecting a machine to Azure through Arc is considered in all respects as an Azure resource. Each connected machine has a specific ID, is included in a resource group and benefits from standard Azure constructs such as Azure Policies and tagging.

To offer this experience, the installation of the specific Azure Arc agent is required on each machine that is planned to connect to Azure ("Azure Connected Machine"). The following operating systems are currently supported:

  • Windows Server 2008 R2, Windows Server 2012 R2 or higher (this includes core servers)
  • Ubuntu 16.04 and 18.04 LTS (x64)
  • CentOS Linux 7 (x64)
  • SUSE Linux Enterprise Server (SLES) 15 (x64)
  • Red Hat Enterprise Linux (RHEL) 7 (x64)
  • Amazon Linux 2 (x64)
  • Oracle Linux 7

The Azure Arc Connected Machine agent consists of the following logical components:

  • TheHybrid Instance Metadata service (HIMDS) that manages the connection to Azure and the Azure identity of the connected machine.
  • The Guest Configuration agent that provides in-guest policy and guest configuration features.
  • TheExtension Manager agent that manages installation processes, uninstalling and updating machine extensions.

Figure 2 – Azure Arc Agent Components

The Connected Machine agent requires secure outbound communication to Azure Arc on TCP port 443.

This agent provides no other features and does not replace the Azure Log Analytics agent, which remains necessary when you want to proactively monitor the operating system and workloads running on the machine.

For more information about installing Azure Arc, see this official Microsoft document.

Azure Arc-enabled servers can benefit from several Azure Resource Manager-related features such as Tags, Policies and RBAC, as well as some features related to Azure Management.

Figure 3 – Azure Management for all IT resources

Guest Configuration Policy di Azure

Guest Configuration Policies allow you to control settings within a machine, both for virtual machines running in Azure environment and for "Arc Connected" machines. Validation is performed by the client and by the Guest Configuration extension as regards:

  • Operating system configuration
  • Configuration or presence of applications
  • Environment settings

At the moment, most of the Azure Guest Configuration Policies only allow you to make checks on the settings inside the machine, but they don't apply configurations. The exception is a built-in time zone configuration policy operating system for Windows machines.

Requirements

Before you can check the settings inside a machine, through guest configuration policies, you must:

  • Enable a’extension on the Azure VM, required to download assigned policy assignments and corresponding configurations. This extension is not required for "Arc Connected" machines as it is included in the Arc agent.
  • Make sure that the machine has a system-managed identity, used for the authentication process when reading and writing to the guest configuration service.

Operation

Azure provides built-in specification platform Initiatives and a large number of Guest Configuration Policy, but you can also create custom one both in Windows environment, both in Linux environment.

Guest Configuration policy assignment works the same way as standard Azure Policies, so you can group them into initiative. Specific parameters can also be configured for Guest Configuration Policies and there is at least one parameter that allows you to include Azure Arc-enabled servers. When you have the desired policy definition, it is possible to assign it to a subscription and possibly in a more limited way to a specific Resource Group. You also have the option of excluding certain resources from the application of the policy.

Following the assignment, it is possible to assess the compliance status in detail directly from the Azure portal.

Inside the machine, the Guest Configuration agent uses local tools to audit the configurations:

The Guest Configuration agent checks for new or modified guest policy assignments each 5 minutes and once the assignment is received the settings are checked at intervals of 15 minutes.

The Cost of the Solution

The cost of Azure Guest Configuration Policies is based on the number of servers registered to the service and which have one or more guest configurations assigned. Any other type of Azure Policy that is not based on guest configuration is offered at no additional cost, including virtual machine extensions to enable services such as Azure Monitor and Azure Security Center or auto tagging policies. The billing is distributed on an hourly basis and also includes the change tracking features present through Azure Automation. For more details on costs please visit the Microsoft's official page.

Conclusions

IT environments are constantly evolving and often have to deliver business-critical applications based on different technologies, active on heterogeneous infrastructures and which in some cases use solutions provided in different public clouds. The adoption of a structured IT governance process is easier also thanks to the Guest Configuration Policies and the potential of Azure Arc, that allow you to more easily control and support hybrid and multicloud environments.

Cloud Governance: how to control cloud costs through budgets

In the public cloud, the simplicity of delegation and the consumer-related cost model exposes companies to a risk of loss of control over them. Always having a supervision on the expenses to be incurred for the resources created in the cloud environment therefore becomes an aspect of fundamental importance to implement an effective governance process. The solutionAzure Cost Management provides a comprehensive set of cloud cost management features, including the ability to set up budgets and expense alerts. This article describes how to best use budgets to proactively control and manage cloud service costs.

Budgets are spending thresholds that can be set in the solution Azure Cost Management + Billing, capable of generating notifications when they are reached. Cost and resource utilization data are generally available within 20 hours and budgets are evaluated against these costs each 12-14 hours.

The procedure for setting budgets from the Azure portal involves the following steps.

Figure 1 – Add a budget from Cost Management

Figure 2 – Parameters required when creating budgets

During the budget configuration phase, you must first assign the scope. Depending on the type of Azure account, you can select the following scopes:

  • Azure role-based access control (Azure RBAC)
    • Management groups
    • Subscription
  • Enterprise Agreement
    • Billing account
    • Department
    • Enrollment account
  • Individual agreements
    • Billing account
  • Microsoft Customer Agreement
    • Billing account
    • Billing profile
    • Invoice section
    • Customer
  • AWS scopes
    • External account
    • External subscription

For more information about the use of scopes, see this Microsoft's document.

To create a budget that aligns with the billing period, you can select a reset period for the month, quarter or year of billing. If, on the other hand, you intend to create a budget aligned to the calendar month, you must select a reset period monthly, quarterly or yearly.

Later, it is possible to set the expiration date from which the budget becomes invalid and its cost evaluation is interrupted.

Based on the fields you choose when you define your budget, a chart is shown to help you set the spending threshold to be used. By default, the suggested budget is based on the higher expected cost that could be incurred in future periods, but the budget amount can be changed to suit your needs.

After you set up your budget, you are prompted to configure your alerts. Budgets require at least one cost threshold (% budget) and an email address to use for notifications.

Figure 3 – Configure alerts and e-mail addresses to use for notifications

For a single budget, you can include up to five thresholds and five email addresses. When a budget threshold is reached, email notifications are normally sent within an hour of the evaluation.

When creating or editing a budget, but only if the scope defined for the same is a subscription or a resource group, you can configure it to invoke an Action Group. TheAction Group allows you to customize notifications to suit your needs and can perform various actions when the budget threshold is reached, including:

  • Voice call or text message (for enabled countries)
  • Sending an email
  • Calling a webhook
  • Sending data to ITSM
  • Recalling a Logic App
  • Sending a push notification on mobile app of Azure
  • Running a runbook of Azure Automation

Figure 4 – Associating an Action Group when a threshold is reached

After you finish creating a budget, you can view it in the respective section.

Figure 5 – Budget created and its percentage of usage

The visualization of the budget with respect to the expenditure trend is one of the first actions that is generally taken into consideration in the cost analysis phase.

Figure 6 – View budget in cost analysis

When a certain threshold is reached in a budget, in addition to the notifications you set, an alert is also generated in the Azure portal.

Figure 7 – Alert generated when a certain threshold is reached

When the budget thresholds that you create are exceeded, notifications are triggered, but none of the cloud resources are changed and as a result consumption is not interrupted.

Integration with Amazon Web Services (AWS) Cost and Usage report (CUR) you can monitor and control AWS costs in Azure Cost Management and define budgets for AWS resources too.

The Cost of the Solution

You can use Azure Cost Management for free, in all its features, for the Azure environment. As for the management of AWS costs is expected, in the final release, a charge equal to 1% of total spend managed for AWS. For more details on the cost of the solution you can consultthe pricing of Cost Management.

Conclusions

Cost control is a key component to maximize the value of your cloud investment. By using budgets, you can easily activate an effective mechanism to proactively control and manage the costs of cloud services located on both Microsoft Azure and Amazon Web Services (AWS).

Azure Arc: new features to manage systems in hybrid environments

The complexity of IT environments is constantly expanding to the point of having reality with applications based on different technologies, active on heterogeneous infrastructures and perhaps using solutions in different public clouds. The need greatly felt by customers is to be able to adopt a solution that, in a centralized way, invent it, organize and enforce control policies on their IT resources wherever they are. Microsoft's response to this need is Azure Arc, the solution involving different technologies with the aim of developing new hybrid scenarios, where Azure services and management principles are extended to any infrastructure. This article lists new features that were recently introduced to extend the management capacity of hybrid environments.

The servers enabled for the Azure Arc solution can already benefit from various features related to Azure Resource Manager such as Tags, Policies and RBAC, as well as some features related to Azure Management.

Figure 1 – Azure Management for all IT resources

Thanks to the new update that was recently announced you can use new extensions, calls Azure Arc Extensions, to expand functionality and further extend Azure management and governance practices to different environments. This allows to adopt more and more typically cloud solutions, as DevOps techniques (infrastructure as code), even for on-premises environments.

Azure Arc Extensions

The Azure Arc Extensions are applications that allow you to make configurations and perform post-deployment automation tasks. These extensions can be run directly from the Azure command line, PowerShell or Azure portal.

The following Azure Arc Extensions are currently available and can be deployed on Azure Arc-enabled servers.

Custom Script Extensions for Windows and Linux Systems

With this extension, you can perform post-provisioning tasks of the machine to perform customizations of your environment. By adding this extension, you can download custom scripts, for example from Azure Storage, and run them directly on the machine.

Figure 2 – Custom Script Extensions, for Windows systems enabled for Azure Arc, from the Azure Portal

When deploying the Custom Script Extension, you can add the file that contains the script to run and optionally add its parameters. For Linux Systems, this is a shell script (.sh), while for Windows is a Powershell script (.ps1).

Desired State Configuration extension on Windows and Ubuntu systems (DSCForLinux)

Desired State Configuration (DSC) is a management platform that you can use to manage your IT and development infrastructure with a view to "configuration as code".

DSC for Windows provides new Windows PowerShell cmdlets and resources that you can use to declaratively specify how you want to configure your software environment. It also provides a useful tool for maintaining and managing existing configurations. This extension works like the extension for virtual machines in Azure, but it is designed to be deployed on Azure Arc-enabled servers.

Figure 3 – Powershell Desired State Configuration, for Windows systems enabled for Azure Arc, from the Azure Portal

The extension DSCForLinux allows you to install the OMI agent and DSC agent on Azure Arc-enabled Ubuntu systems. The DSC extension allows you to perform the following actions:

  • Register the VM with an Azure Automation account to extract (Pull) configurations (Register ExtensionAction).
  • Deploy MOF configurations (Push ExtensionAction).
  • Apply the MOF meta configuration to the VM to configure a pull server to extract the node configuration (Pull ExtensionAction).
  • Install custom DSC modules (Install ExtensionAction).
  • Remove custom DSC modules (Remove ExtensionAction).

 

OMS Agent for Linux – Microsoft Monitoring Agent

The installation of this agent allows you to collect the monitor data from the guest operating system and the application workloads of the systems and send them to a Log Analytics workspace. This agent is used by several Azure management solutions, including Azure Monitor, Azure Security Center, and Azure Sentinel. Although today it is possible to monitor non-Azure VMs even without Azure Arc, the use of this extension allows you to automatically detect and manage agents in VMs. Once integrated, Azure Arc-enabled servers will fit perfectly into existing Azure portal views along with virtual machines in Azure and Azure scale sets.

After you deploy the Azure Arc agent on the systems, you can install the Microsoft Monitoring Agent (MMA) using this extension, simply by adding the Log Analytics workspace ID and its key.

Figure 4 – Microsoft Monitoring Agent extension for Azure Arc from the Azure portal

Thanks to the availability of these new extensions, Azure Arc-enabled servers also have features such as Update Management, Inventory, Change Tracking and Monitor.

Update Management

The Update Management solution allows you to have an overall visibility into update compliance for both Windows and Linux systems. The search panel can quickly identify missed updates and provide the ability to schedule deployments for update installation within a specific maintenance window.

Inventory

This feature allows you to retrieve inventory information relating to: installed software, files, Windows Registry keys, Windows Services and Linux Daemons.

Change Tracking

Change Tracking feature allows you to track system changes to Daemons, File, Registry, software and services on Windows . This feature can be very useful to diagnose specific problems and to enable alerts against unexpected changes.

Conclusions

Thanks to the availability of these new extensions, you can take advantage of greater functionality, in governance and management typical of Azure, also for hybrid cloud environments. This is an important evolution of this solution, at the moment still in preview, which is soon destined to be further enriched with important new features.

Azure Monitor: how to enable the monitor service for virtual machine through Azure Policy

The service that allows you to monitor virtual machines has been made available in Azure Monitor, called Azure Monitor for VMs. This service allows you to analyze system performance data and makes a map that identifies all dependencies of virtual machines and their processes. The recommended way to enable this solution for different systems is through Azure Policy adoption. This article describes the steps to take to activate it using this method, taking up various concepts related to Azure governance.

Key Features of Azure Monitor for VMs

Azure Monitor for VMscan be used on Windows and Linux virtual machines, regardless of the environment in which they reside (Azure, on-premises or at other cloud providers) and includes the following areas:

  • Performance: shows summary details of performance, from the guest operating system. The solution has powerful data aggregation and filtering capabilities that enable you to meet the challenge of monitoring performance for a very large number of systems. This allows you to easily monitor the resource usage status of all VMs and easily identify those that have performance issues.
  • Maps: generates a map with the interconnections between the various components that reside on different systems. Maps show how VMs and processes interact with each other and can identify dependencies on third-party services. The solution also allows you to check for connection errors, count connections in real time, network bytes sent and received by processes and latencies encountered at the service level.

Enabling through Azure Policy

The Azure Policy allow to apply and force compliance criteria and related remediation actions on a large scale. To enable this feature automatically on virtual machines in your Azure environment and achieve a high level of compliance, it is recommended that you use Azure Policies. Using Azure Policy, you can:

  • Deploy the Log Analytics agent and Dependency agent.
  • Having a report on the status of compliance.
  • Start remediation actions for non-compliant VMs.

One requirement to check before activating is the presence of the solution VMInsights in the Azure Monitor Log Analytics workspace that will be used to store monitor data.

Figure 1 – Configuring the Analytics log workspace

Selecting the desired workspace triggers the installation of the solution VM Insights which allows you to collect performance counters and metrics for all virtual machines connected to that workspace.

To activate Azure Monitor for VMs policy just select the relevant onboarding tile on the main screen of the solution.

Figure 2 – Selecting Azure Policy as a enable method

The following blade will show the coverage status of the service and provide the ability to assign policies for its activation.

Figure 3 – Assigning the Initiative at the Management Group level

The Azure Management Groups, organize different subscriptions into logical containers, on which define, implement and verify government policies needed.

The Initiatives, which are a set of multiple Azure Policy, can be assigned at the Resource Group level, Subscription or Management Group. It is also possible to exclude certain resources from the application of policies.

In this regard, the policies for enabling Azure Monitor for VMs are grouped into a single "initiative", "Enable Azure Monitor for VMs" that includes the following policies:

  • Audit Dependency agent deployment – VM image (OS) unlisted
  • Audit Log Analytics agent deployment – VM image (OS) unlisted
  • Deploy Dependency agent for Linux VMs
  • Deploy Dependency agent for Windows VMs
  • Deploy Log Analytics agent for Linux VMs
  • Deploy Log Analytics agent for Windows VMs

This Initiative is recommended to be assigned at the Management Group level.

Figure 4 – Configuring the association

Among the parameters you are prompted to specify the Log Analytics workspace and optionally you can specify any remediation tasks.

Following the assignment, you can evaluate the State of compliance in detail and if it is necessary apply remediation actions.

Figure 5 – Verification of Initiative compliance status

Once the enable process is complete, you can analyze the system performance data and the maps created to identify all the dependencies of the virtual machines and their processes.

Figure 6 – Performance collected for systems

Figure 7 – Map with the interconnections between various systems

Figure 8 – Map showing connection details

An effective method to make these data easily accessible and to analyze them in a simple way is the use of Workbooks, interactive documents that allow you to better interpret information and do in-depth analysis. In this document of Microsoft you can consult the list of related Workbooks included in Azure Monitor for VMs and how to create your own custom.

Conclusions

This article demonstrates how you can enable the solution Azure Monitor for VMs thanks to the adoption of the Azure Policy in a simple way, fast and effective. The solution provides very useful information that typically needs to be collected on different systems in your environment. Increasing the complexity and amount of services on Azure makes it essential to adopt tools like Azure Policy, to have effective governance policies. Furthermore, with the introduction of Azure Arc it will be possible to extend these Azure management and governance practices to different environments, thus facilitating the implementation of features present in Azure on all infrastructure components.