Category Archives: Azure Policy & Governance

Azure Management services: what's new in June 2023

In June, Microsoft announced a considerable number of news regarding Azure management services. Through these articles released monthly we want to provide an overall overview of the main news, in order to stay up to date on these arguments and have the necessary references for further information.

The following diagram shows the different areas related to management, which are covered in this series of articles:

Figure 1 – Management services in Azure overview

Monitor

Azure Monitor

AKS Network Observability add-on (preview)

The new AKS Network Observability add-on provides the ability to monitor the health of the network and connectivity of the AKS cluster. Integrating seamlessly with Azure-managed Prometheus and Azure-managed Grafana, this add-on provides better monitor capabilities in a unified experience.

These are the main features:

access to cluster-level network metrics, such as packet losses, connection statistics and more;
access to pod-level metrics and network debugging features;
support for all Azure CNIs;
support for all AKS node types: Linux and Windows;
ease of deployment using native Azure tools: AKS CLI, ARM models, PowerShell, etc.;
integration with Azure-managed Prometheus and Grafana offerings.

Azure Monitor Alert resources are now visible in the Azure portal

Historically, alert resources (alert rules, alert processing rules and action groups) have always been hidden resources in the Azure portal. This prevented them from appearing when searching or in the resource list and limited their viewing experience. Now Microsoft is making these resources “first-class citizens” in the Azure portal, so that they become visible in all places where the assets can be viewed in the portal, and more precisely the alerting resources:

appear in the search results in the top search bar of the Azure portal;
they appear when listing resources within a subscription or resource group;
they can now be viewed in a standard resource pane and will soon be editable as well (the same way you edit any other Azure resource).

Azure Monitor container insights for AKS cluster with ARM64 nodes

Container insights is a feature designed to monitor the performance of container workloads deployed in the cloud. Provides performance visibility by collecting processor and memory metrics from controllers, nodes and containers available in Kubernetes through the Metrics API. Azure Monitor container insights is now available for AKS clusters with ARM64 nodes.

Managed identity authentication in Azure Monitor Container Insights

Managed Identity is a secure and streamlined authentication model where the Azure Monitor monitoring agent uses the cluster's managed identity to send data to the Azure Monitor backend. This mechanism replaces the current certificate-based local authentication and eliminates the need to add a monitoring metrics publisher role to the cluster. Managed Identity will now be the default authentication mechanism for Container Insights.

Azure Virtual Desktop Insights powered by Azure Monitor agent (preview)

Administrators working with Azure Virtual Desktop Insights can now use the Azure Monitor Agent (AMA) to collect data from session hosts. This preview introduces the ability to use an updated workbook to help orchestrate configuration and management of all required components.

Govern

Azure Cost Management

Updates related toMicrosoft Cost Management

Microsoft is constantly looking for new methodologies to improve Microsoft Cost Management, the solution to provide greater visibility into where costs are accumulating in the cloud, identify and prevent incorrect spending patterns and optimize costs . Inthis article some of the latest improvements and updates regarding this solution are reported.

Secure

Microsoft Defender for Cloud

New features, bug fixes and deprecated features of Microsoft Defender for Cloud

Microsoft Defender for Cloud development is constantly evolving and improvements are being made on an ongoing basis. To stay up to date on the latest developments, Microsoft updates this page, this provides information about new features, bug fixes and deprecated features. In particular, this month the main news concern:

simplified onboarding of multicloud accounts;
support for private endpoints in malware scanning in Defender for Storage;
updates to NIST standards 800-53 in compliance with regulations;
cloud migration planning with an Azure Migrate business case now includes Defender for Cloud;
express configuration for vulnerability assessments in Defender for SQL is available;
added more scopes to Azure DevOps connectors;
replacing agent-based detection with agentless detection for container capabilities in Defender CSPM.

Protect

Azure Backup

Multiple backups per day for Azure virtual machines

Azure Virtual Machine Backup allows you to create advanced policies to take multiple snapshots per day. This allows you to protect virtual machines with an RPO as low as four hours.

Migrate

Azure Migrate

New Azure Migrate releases and features

Azure Migrate is the service in Azure that includes a large portfolio of tools that you can use, through a guided experience, to address effectively the most common migration scenarios. To stay up-to-date on the latest developments in the solution, please consult this page, that provides information about new releases and features. In particular, this month the main news concern:

security cost savings with Microsoft Defender for Cloud (MDC), using the Azure Migrate business case;
troubleshooting issues affecting performance data collection and accuracy of Azure VM and Azure VMware Solution evaluation recommendations.

Azure Database Migration

Online migrations for Azure Database for MySQL instances

Azure Database Migration Service Online Migration for Azure Database for MySQL now allows you to migrate an Azure Database for MySQL instance – Single Server, a MySQL on-premises instance or MySQL servers in other clouds to Azure Database for MySQL – Flexible Server. This new feature helps minimize the downtime of critical applications and limit the impact on the availability of service levels.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure Management services: what's new in May 2023

To stay up to date on news regarding Azure Management services, this summary is released monthly, allowing you to have an overview of the main new features of the month. In this article you will find the announcements, summarized, accompanied by the necessary references to be able to carry out further investigations.

The following diagram shows the different areas related to management, which are covered in this series of articles:

Monitor

Azure Monitor

Azure Monitor for SAP solutions

Azure Monitor for SAP Solutions is now available. It is a solution for customers running SAP applications in a Microsoft Azure environment and allows end-to-end monitoring. With Azure Monitor for SAP, customers can centrally collect end-to-end telemetry data from SAP NetWeaver, database, Linux Pacemaker clusters in high availability and Linux operating systems. The solution Azure Monitor for SAP can be configured with no infrastructure to implement and maintain for customers. Some new features of Azure Monitor for SAP include SAP Landscape Monitor, which provides a single destination to understand the health of the entire SAP landscape, and SAP Insights (preview), which allows you to easily identify the root cause of SAP application availability or performance issues. Furthermore, Azure Monitor for SAP Solutions offers Transport Layer Security and new CPU performance alert templates, memory and disk I/O, plus many other features. With the release of this release, the version of Azure Monitor for SAP solutions (Classic) will be collected by 31 may.

Availability of the Azure Monitor managed service for Prometheus

Prometheus, the open-source project of the Cloud Native Computing Foundation, is considered the de-facto standard when it comes to monitoring containerized workloads. Running Prometheus in self-managed mode is often a great solution for smaller implementations, but scaling it to handle enterprise workloads can be a challenge.

Azure Monitor's fully managed service for Prometheus offers the best of what we like about the open-source ecosystem, while automating complex tasks such as scaling, high availability and long-term data retention. It is available as a standalone feature of Azure Monitor or as an integrated component of Container Insights, Azure Monitor Alerts and Azure Managed Grafana.

Azure Monitor Managed Service for Prometheus for Kubernetes enabled for Azure Arc (preview)

The Azure Monitor managed service for Prometheus extends support for monitoring Kubernetes clusters managed by Azure Arc. The Azure Arc-enabled Azure Monitor for Prometheus on Kubernetes managed service allows customers to monitor their Kubernetes clusters running anywhere and maintains the same functionality as monitoring Azure Kubernetes Service (AKS).

Azure Monitor Agent: support for CIS and SELinux hardening

The AMA has introduced support for hardening standards for CIS and SELinux. For SELinux, AMA works by activating a signed built-in policy. Through CIS, AMA supports select distros, also available on the Azure Marketplace.

Alert support for Azure Data Explorer (preview)

Azure Monitor alerts let you monitor Azure and application telemetry to quickly identify issues affecting various services. More specifically, Azure Monitor log alert rules allow you to set up periodic log telemetry queries to identify potential problems and receive notifications or trigger actions.

Until now, these alert rules supported querying Log Analytics and Application Insights data. Now Microsoft is introducing support for querying Azure Data Explorer tables as well (ADX) and to merge data between these data sources into a single query.

Cost optimization with transformations on Log Analytics for troubleshooting of Cosmos DB

Azure Cosmos DB now supports transformations on Log Analytics workspaces. To help reduce costs when you enable Log Analytics to troubleshoot Cosmos DB resources, transformations have been introduced. These transformations in the Log Analytics workspace allow you to filter columns, reduce the number of results returned and create new columns before the data is sent to the destination.

Configure

Azure Automation

Support for Python runbooks 3.8

Azure Automation has introduced support for Python runbooks 3.8. This feature allows you to create and run Python runbooks 3.8 for orchestrating the management tasks of hybrid and multi-cloud environments.

Govern

Azure Cost Management

Updates related toMicrosoft Cost Management

Alert to optimize reservation purchases

Azure Reservations can provide cost savings by committing to annual or three-year plans. However, sometimes reservations can remain unused or underused, resulting in financial losses. As a user of a billing account or a reservation, it is possible to examine the percentage of use of the reservations purchased in the Azure portal, but important changes may be missed. Enabling alerts on the use of reservations, solves the problem by receiving email notifications whenever any of the reservations have low usage. This allows for timely intervention and optimization of reservation purchases to achieve maximum cost efficiency.

Secure

Microsoft Defender for Cloud

New features, bug fixes and deprecated features of Microsoft Defender for Cloud

new alerts in Defender for the Key Vault;
support encrypted disks in AWS for agentless scanning;
inclusion of new AWS Regions;
changes to identity recommendations;
new recommendations of Defender for DevOps to include Azure DevOps scan results;
release of the Vulnerability Assessment of containers based on Microsoft Defender Vulnerability Management (MDVM) in Defender CSPM.

Protect

Azure Backup

Azure Backup Server V4

The V4 version of Microsoft Azure Backup Server (MABS) has been released and introduces the following improvements:

Workload support: Azure Backup Server V4 supports installation on Windows Server 2022 using SQL Server 2022 come database MABS. Furthermore, adds support for backup of virtual machines running on Azure Stack HCI 22H2 and VMware 8.0, as well as Windows Server backup 2022 and SQL Server 2022.
Performance: Azure Backup Server V4 adds the ability to select and restore individual files/folders from online recovery points for Hyper-V and Azure Stack HCI virtual machines running Windows Server, without having to download the entire restore point. MABS V4 also adds support for parallel restores and features more parallel online backup jobs.
Security: with Azure Backup Server V4 you can use private endpoints to send backups to the Recovery Services vault.

Azure Backup Reports: support for more workloads

Azure Backup Reports now includes support for other workloads: Azure Database for PostgreSQL Servers, Azure Blobs and Azure Disks. Thanks to this update it is now possible to enable the logging of metadata related to the backup (such as job, backup item, policy, usage) for these workloads and retain these records for a customizable period of time depending on compliance and audit requirements. This way you can take advantage of the reporting views, already provided natively by the Backup Reports solution, to view information about protected items corresponding to these workloads.

Soft deletion of recovery points for Azure Backup (preview)

Azure Backup's soft delete feature now supports soft deletion of recovery points. This feature allows you to recover data from recovery points that may have been deleted as a result of backup policy changes. Soft deleting recovery points allows you to keep these recovery points for an additional duration, based on the retention specified for soft delete in the vault settings.

Support for confidential virtual machines using Customer Managed Keys (private preview)

Azure Backup is introducing support for backup of operating system disk encrypted confidential VMs, done using customer managed keys.

Azure Site Recovery

New Update Rollup

For Azure Site Recovery was released theUpdate Rollup 67 that solves several issues and introduces some improvements. The details and the procedure to follow for the installation can be found in the specific KB.

Migrate

Azure Migrate

New Azure Migrate releases and features

Azure Database Migration

Database Migration Service Pack for Oracle (preview)

The Database Migration Service Pack for Oracle is a collection of four extensions that provide a complete solution to modernize Oracle workloads and migrate them to databases in the Azure environment. This extension pack offers several benefits, including in-depth end-to-end assessments, correct sizing of Azure resources, code conversion, remediation planning and near real-time data migration in Azure environment (see next paragraph).

Data Migration for Oracle (preview)

The Data Migration for Oracle extension is a powerful tool that allows you to easily migrate Oracle databases to the Azure platform. This solution offers a seamless migration experience, from the source Oracle database to the target platform (SQL), using Azure Database Migration Service. The extension offers both offline and online data migration for critical databases, ensuring minimal downtime for the migration process.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure Management services: what's new in April 2023

Microsoft is constantly announcing news regarding Azure management services. This summary, published monthly, allows you to have an overall overview of the main news of the current month, in order to stay up to date on these news and have the necessary references to conduct further study.

The following diagram shows the different areas related to management, which are covered in this series of articles:

Monitor

Azure Monitor

Azure Monitor for Prometheus has updated the AKS add-on to support Windows nodes

Azure Monitor for Prometheus managed service has updated the AKS metrics add-on to support collection of Prometheus metrics from Windows nodes in AKS clusters. Azure Monitor Metrics add-on integration allows Windows pod DaemonSets to start running on node pools. Are supported both Windows Server 2019 also Windows Server 2022.

Azure Monitor Metrics Dataplane API released

The Azure Metrics Dataplane API is a new approach to Azure Monitor that improves the collection of resource information enabling greater query capacity and efficiency. With this API it is possible to retrieve data on metrics, for a maximum of 50 ID of resources in the same subscription and region, in one batch API call. This improves query throughput, reduces the risk of throttling and provides a smoother experience for customers who want to gather information about Azure resources.

Configure

Update management center

Hotpatch availability for Windows Server VMs in Azure with Desktop Experience
Hotpatch is now available for preview images of Windows Server Azure Edition virtual machines with the Desktop Experience installation mode.

Hotpatch is a feature that allows you to patch and install updates to Windows Server Azure Edition virtual machines in an Azure environment, without requiring a restart. It was previously available for Server Core installation mode, but now also Windows Server Azure Edition virtual machines installed with Desktop Experience installation mode can take advantage of this security update installation mode, by providing:

less impact on workloads by having to do fewer reboots;
faster deployment of updates, as the packages are smaller, they install faster and patch orchestration is easier with Azure Update Manager;
better protection, because hotpatch update packages are dedicated to Windows security updates that install faster without reboots.

Govern

Azure Cost Management

Azure Advisor: advice for the right sizing of VM/VMSS with a custom reference time

Customers using Azure Advisor can improve the relevance of recommendations to make them more actionable, resulting in additional cost savings. In fact,, right sizing recommendations help optimize costs, identifying idle or underutilized virtual machines based on their CPU activity, storage and network over the default seven-day reporting period. Now, thanks to the latest update, customers can set the reporting period to get recommendations based on 14, 21, 30, 60 or even 90 days of use. The configuration can be applied at the subscription level. This feature is especially useful when workloads peak biweekly or monthly.

Updates related toMicrosoft Cost Management

Secure

Microsoft Defender for Cloud

Integration between Azure API Management and Microsoft Defender for API (preview)

It is now possible to obtain a higher level of API security thanks to the integration between Azure API Management and Microsoft Defender for APIs. This integration enables a comprehensive defense strategy for:

gain visibility into Azure APIs;
understand their security posture;
prioritize vulnerability fixes;
detect and respond to active threats in runtime, using anomalous and suspicious API usage detections based on machine learning.

New features, bug fixes and deprecated features of Microsoft Defender for Cloud

Protect

Azure Backup

Support for Azure VMs using Premium SSD v2 (preview)

In Azure Backup it is now possible to enable the protection of Azure virtual machines that use Premium SSD v2. Enabling these backups is currently available in select regions, and Microsoft plans to add support in more regions in the coming weeks..

Azure Site Recovery

Large disk support for disaster recovery of Hyper-V virtual machines

In Azure Site Recovery it is now possible to enable disaster recovery of Hyper-V virtual machines with data disks up to 32 TB. This applies to Hyper-V VMs replicating to managed disks in any Azure region.

Migrate

Azure Migrate

New Azure Migrate releases and features

possibility to create a business case by importing the list of servers through a .csv file;
building a business case using Azure Migrate for:
- servers and workloads running in Microsoft Hyper-V and physical/bare-metal environments, as well as IaaS services from other public clouds;
- SQL Server Always On Failover Cluster instances and Always On availability groups.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure Management services: what's new in March 2023

In March there were several news announced by Microsoft regarding Azure management services. In this series of articles, published on a monthly basis, major announcements are listed, accompanied by the necessary references to be able to conduct further studies on.

The following diagram shows the different areas related to management, which are covered in this series of articles:

Monitor

Azure Monitor

Ingestion client libraries

Microsoft announces the initial release of the Azure Monitor Ingestion client libraries for .NET, Java, JavaScript e Python. Libraries allow you to:

Upload custom logs to a Log Analytics workspace.
Modernize security standards by requiring Azure Active Directory token-based authentication.
Complete Azure Monitor Query libraries, used to query logs in a Log Analytics workspace.

Collecting Syslog from AKS nodes using Azure Monitor Container Insights (preview)

Customers can now use Azure Monitor Container Insights to collect Syslog from their Azure Kubernetes Service cluster nodes (AKS). In combination with SIEM systems (Microsoft Sentinel) and monitor tools (Azure Monitor), syslog collection tracks security and health events of IaaS and containerized workloads.

The Azure Monitor for Prometheus managed service now supports querying PromQL

Thanks to Azure Workbooks support for Azure Monitor Prometheus managed service, users are provided with the ability to use Prometheus workbooks to run PromQL queries in the portal. Furthermore, users have the benefit of creating custom reports for Prometheus workbooks.

Azure Monitor supports Availability Zones in new regions

Azure Monitor continues to expand its availability zone support by adding three regions: Canada Central, France Central and Japan East.

Azure Monitor alerts support cloning

When viewing the details of an alert rule in the Azure portal, a new option is now available “duplicate”, which allows you to duplicate the alert rule. When selecting this option for an existing alert rule, the rule creation wizard starts, pre-populated with the original alert rule configuration, while allowing you to make changes.

Configure

Azure Automation

Announced the retirement of the agent-based Hybrid Worker (Windows and Linux) for the 31 August 2024

Azure Automation is deprecating the agent-based Hybrid Runbook Worker (Windows and Linux) and this will definitely happen on 31 August 2024. You must migrate to extension-based Hybrid Workers by that date (Windows and Linux).

The main advantages of the extension-based Hybrid Runbook Worker are:

uses system-assigned managed identities, so you don't need to manage certificates for authentication;
offers automatic updating of minor versions;
simplify hybrid worker management at scale with native integration with Azure Resource Manager and governance with Azure Policy.

Migrating authentication from Run As account to Managed Identity in ASR

It is now possible to migrate the authentication type of accounts, moving to managed identities, using Azure Site Recovery from the Azure portal. Authentication of runbooks via Run As accounts will be deprecated on 30 September 2023. Before that date, runbooks need to be migrated to enable the use of Managed Identities.

Govern

Azure Cost Management

Updates related toMicrosoft Cost Management

Microsoft is constantly looking for new methodologies to improve Microsoft Cost Management, the solution to provide greater visibility into where costs are accumulating in the cloud, identify and prevent incorrect spending patterns and optimize costs . Inthis article the latest improvements and updates concerning this solution are reported.

Azure Arc

Improved Azure Arc integration with Datadog

Microsoft is improving the ability to observe and manage IT infrastructure thanks to the integration of Microsoft Azure Arc with Datadog. Based on the consolidated collaboration, Microsoft is integrating Datadog with Azure Arc natively, to meet Datadog customers, providing rich insights from Azure Arc-enabled resources directly into Datadog dashboards. Customers can monitor real-time data during cloud migrations and performance of applications running in both public cloud and hybrid or multicloud environments.

Secure

Microsoft Defender for Cloud

New features, bug fixes and deprecated features of Microsoft Defender for Cloud

availability of a new Defender for Storage plan, which includes near real-time scanning for malware and detection of threats to sensitive data;
data-aware security posture (preview);
new experience for managing Azure default security policies;
Defender per CSPM (Cloud Security Posture Management) is now available (GA);
ability to create custom security standards and recommendations in Microsoft Defender for Cloud;
Microsoft Cloud Security Benchmark (MCSB) version 1.0 is now available (GA);
some regulatory compliance standards are now available in government clouds;
new preview recommendation for Azure SQL Servers;
new notice in Defender for Key Vault.

Protect

Azure Backup

Immutable vaults for Azure Backup

Immutable vaults are now also available for production environments and offer greater security for backups, ensuring that recovery points created once cannot be deleted before they expire. Azure Backup prevents any operation on immutable vaults which could lead to backup data loss. Furthermore, you can lock immutable vault ownership to make it irreversible. This helps protect your backups from threats such as ransomware attacks and malicious actors, preventing operations such as deleting backups or reducing retention in backup policies.

Backup per Azure Kubernetes Service (preview)

Organizations using Azure Kubernetes Services (AKS) increasingly run stateful applications on their clusters, deploying workloads such as Apache Kafka-based messaging queues and databases such as Postgres and MongoDB. With data storage within the cluster, backup and recovery become a major concern of IT managers. Make sure Kubernetes backup capabilities are scalable, flexible and purpose-built for Kubernetes is central to an overall data protection plan. Azure Backup introduced now Backup for AKS. This solution simplifies the backup and recovery of containerized applications and data and allows customers to configure a scheduled backup for both cluster state and application data. Backup for AKS is aligned with the Container Storage Interface (CSI) to offer Kubernetes-aware backup capabilities. The solution allows customers to unlock different scenarios, such as data backup for application security and regulatory requirements, cloning of development/test environments and rollback management.

Azure Backup allows you to keep backups in vaults for Azure Blob and for Azure File (preview)

Azure Backup now supports transferring Azure Blob and Azure File backups to vaults. A vault is a logical entity that stores backups and recovery points created over time. In this regard, you can define a backup schedule for creating recovery points and specify retention settings that determine how long backups will be stored in the vault. Backups in the vault are isolated from the source data and allow you to tap into the data even if the source data has been compromised, performing resets.

Listed below are some of the main features that can be achieved by placing backups in vaults:

Offsite copy of data: allows you to restore mission-critical data from backups, regardless of the state of the source data.

Long-term retention of backup data, which helps you meet compliance requirements, particularly in the financial and healthcare sectors, with strict guidelines on the data retention period.

Recovery in alternate location: allows you to restore data to an alternate account if the source storage account is compromised or create different copies of your data for testing or development purposes.

Centralized management through the backup center: backups in vaults can be monitored and analyzed at scale alongside other protected workloads using Azure Backup.

Safe backups. The built-in security features of Azure Backup, such as multi-user authorization (MUA) for critical backup operations, data encryption and role-based access control (RBAC), help protect the backups in the vault and meet your backup security needs.

Azure Site Recovery

Improved the ability to rename network interfaces and disks of protected virtual machines

ASR introduces a new, easier way to name and rename network interfaces (NIC) and the virtual machine disks in the recovery service vaults.

Migrate

Azure Migrate

New Azure Migrate releases and features

Azure Database Migration

Offline Azure SQL Database migrations with the Azure SQL Migration extension

Offline migrations of SQL Server databases running on-premises, on Azure virtual machines or any virtual machine running in the cloud (private, public) to Azure SQL Database it is possible to do it through the Azure SQL Migration extension. The new migration feature of the Azure SQL Migration extension for Azure Data Studio provides an end-to-end experience to modernize SQL Server on Azure SQL Database. The extension allows you to prepare for the migration with actions to remediate any blockages and allows you to obtain recommendations to adequately size the Azure SQL Database targets, including hardware configuration in the Hyperscale service tier.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

The importance of Azure Policy in the context of Cloud Technical Governance

The adoption of cloud computing is becoming more widespread, but managing and controlling cloud resources can be a daunting challenge for organizations. In this context, Microsoft's Azure Policies represent a fundamental tool for cloud governance, able to help companies define, apply and enforce security and compliance policies in a consistent and automated manner. This article will explore the importance of Azure Policies in managing cloud services, illustrating the benefits of using this solution and some more common use cases. Furthermore, some useful tips for defining effective policies and for integrating Azure Policies into the overall cloud governance strategy will be presented.

The common need and possible approaches

The common requirement is to standardize, and in some cases impose, how resources are configured in the cloud environment. All this is done to obtain specific environments that meet compliance regulations, monitor security, resource costs and standardize the design of the different architectures.

Getting this result is not easy, especially in complex environments where you can find different Azure subscriptions on which different groups of operators develop and operate.

These goals can be achieved with a traditional approach, which provides for a block of operators in direct access to cloud resources (through the portal, API or cli):

Figure 1 – Traditional approach

However, this type of traditional approach is not very flexible, because it involves a loss of agility in controlling the deployment of resources.

In this regard, it is instead recommended to use a mechanism that is provided natively by the Azure platform, which allows you to pilot governance processes to achieve the desired control, but without impacting the speed, fundamental element in operations in modern IT with resources in the cloud:

Figure 2 – Modern approach with Azure Policy

What can be achieved thanks to Azure Policies

By activating the Azure Policy it is possible:

activate and carry out real-time evaluation of the criteria present in the policies;
evaluate policy compliance periodically or upon request;
activate operations for real-time remediation, also for existing resources.

All this translates into the ability to apply and enforce policy compliance on a large scale and its remediation actions.

How the Azure Policy mechanism works

The working mechanism of the Azure Policy is simple and integrated into the platform. When a request is made for an Azure resource configuration using ARM, this is intercepted by the layer containing the engine that performs the evaluation of policy. This engine makes an assessment based on active Azure policies and establishes the legitimacy of the request.

Figure 3 – Working principle of Azure Policy in creating resources

The same mechanism is then repeated periodically or upon specific request to evaluate the compliance status of existing resources.

Figure 4 – Working principle of Azure Policy in resource control

Azure already has many built-in policies ready to apply, or you can configure them to suit your needs. The definition of the Azure Policy is made in JSON and follows a well defined structure, described inthis Microsoft's document. You also have the possibility of creatingInitiatives, they are a collection of multiple policies.

When you have the desired policy definition, you can assign it to a Management Group, to a subscription and possibly in a more limited way to a specific Resource Group. The same goes for Initiatives. You also have the ability to exclude certain resources from applying the policy if necessary.

Following the assignment, you can evaluate the State of compliance in detail and if it is necessary apply remediation actions.

Use cases for Azure policies

The main areas that can be governed by appropriately adopting the Azure Policies are reported:

financial: resources deployed in Azure for which a consistent metadata strategy needs to be applied to achieve effective cost mapping;
data location: sovereignty requirements that require data to reside in certain geographic locations;
unnecessary expenses: resources that are no longer used or that have not been properly disposed of resulting in unnecessary expenses for the company;
management inefficiencies: an inconsistent resource naming and tagging strategy can make troubleshooting and routine maintenance demands of existing architectures difficult;
business interruption: SLAs are required to ensure that systems are built in accordance with business requirements. Therefore, architectures must be designed according to SLAs and must be investigated if they do not meet them.

Conclusions

In the context of Cloud Technical Governance it is essential to define and apply rules that make it possible to ensure that Azure resources always comply with the defined company standards. Thanks to the use of Azure Policies, also increasing the complexity and quantity of services, you can always ensure advanced control of your Azure environment.

How to maintain technological and economic control of Azure resources and beyond

Solutions related to the public cloud in recent years have registered considerable interest from many companies, attracted by the possibilities offered and the relative benefits. In fact,, among the main characteristics of the public cloud we find dynamism and speed of provisioning, which can be a great vector of innovation for organizations in the IT field. However, if you decide to apply procedures and practices already consolidated in the on-premise world also to cloud environments, you risk making serious mistakes. The cloud is by nature different and, applying the same processes of the on-premise environment, you are likely to have the same results, the same problems, almost similar implementation times and even higher costs. It is therefore essential to implement a process of Cloud Technical Governance through which to ensure effective and efficient use of IT resources in the cloud environment, in order to best achieve their goals. In particular, Governance of the Azure environment is made possible by a series of solutions specially designed to allow management and constant control of the various Azure resources on a large scale. This article will show some of the main Microsoft solutions to consider to better define and manage the governance of services in the Azure environment and beyond.

Public cloud: a double-edged sword

Talking about public clouds today means referring to resources and services that a company can hardly do without, but in some respects it can be a double-edged sword.

What are the main features and potential strengths, they can hide pitfalls if not governed properly:

The Self-service delega, this means the possibility of delegating the creation of resources to several working groups, greatly increases the agility and speed of provisioning, but at the same time it could lead to a total lack of control if this is not done in a correct and controlled way.
In the public cloud, almost everything is pay-per-consumption. If we combine this feature with the adoption of uncontrolled self-service delegations, where everyone creates resources without an appropriate government, the result can lead to very high and unnecessary costs.
When we talk about public cloud we also know that flexibility and scalability they are two great elements of strength and value, but this flexibility, the fact of being able to adopt hundreds of solutions, operating according to self-service logic, combined with hybrid connectivity environments must also focus our attention on new potential security threats.
Although Azure, as well as major public clouds, has a very large number of certifications, it introduces solutions based on new technologies which may be difficult to reconcile with corporate compliance requirements.

Adopt the cloud with proper Technical Governance

In the light of these considerations, the advice is to adopt solutions in the public cloud to remain competitive in this ever-changing digital world, but with the appropriate practices of Cloud Technical Governance that help the company mitigate risk and create guardrails. Governance policies within an organization, if properly managed, they also act as an early warning system to detect potential problems.

When it comes to cloud governance there are several disciplines that emerge. Thecost management it is one of the fundamental subjects that absolutely must be treated and managed. To this are added equally important arguments, as the definition of security and compliance baselines, the identity management, theacceleration of deployment processes and the standardization of created resources.

Therefore, declining the concept of governance for an ICT system in the cloud means defining, implement and continuously verify all those rules that make it:

with predictable costs;
secure according to the guidelines defined by corporate security at any level, not necessarily technical:
supportable by all working groups involved in the implementations;
subject to audit in terms of compliance with current and company regulations.

The main Microsoft tools for Governance

Cloud governance can be associated with a trip, where Microsoft provides several platform tools to make it run smoothly. The following paragraphs show some of the main solutions to be taken into consideration to implement functional governance.

Cloud Adoption Framework di Azure

From a design point of view, Microsoft provides the Cloud Adoption Framework di Azure, a set of documentation and tools that guide in the best practices of implementations of solutions in the Azure environment. Among these best practices, that it is good to adopt commonly and that it is appropriate to decline specifically for the various customers based on their needs, there is also a specific section for governance. This can be seen as a starting point for applying these practices in detail.

Figure 1 – Design and standardization: Cloud Adoption Framework for Azure

Azure Policy

Azure Policy, natively integrated into the platform, are a key element for governance as they allow you to control the environment and obtain consistency with respect to the activated Azure resources.

Azure Policies allow you to manage:

compliance:
- enable native or custom policies for all resource types;
- real-time policy assessment and enforcement:
- periodic and upon request conformity assessment;
large-scale distribution:
- application of policies to Management Group with control over the whole organization;
- applying multiple policies and aggregating policy states through initiatives;
- exclusion scope;
- Policy as Code con Azure DevOps.
remedies and automations:
- correction of existing assets to scale;
- automatic remediation upon implementation;
- activation of alerts when a resource is not compliant.

Defender for Cloud

The Microsoft Defender for Cloud solution provides a set of features that cover two important pillars of security for modern architectures that adopt cloud components: Cloud Security Posture Management (CSPM) e Cloud workload protection (CWP).

Figure 2 – The security pillars covered by Microsoft Defender for Cloud

WithinCloud Security Posture Management (CSPM) Defender for Cloud can provide the following features:

visibility: to assess the current security situation;
guida all’hardening: to be able to improve security efficiently and effectively.

Thanks to a continuous assessment, Defender for Cloud is able to continuously discover new resources that are distributed and evaluate if they are configured according to security best practices. If not,, assets are flagged and you get a priority list of recommendations on what to fix to improve their security. As regards the scopeCloud Workload Protection (CWP), Defender for Cloud delivers security alerts based onMicrosoft Threat Intelligence. Furthermore, includes a wide range of advanced and intelligent protections for workloads, provided through specific Microsoft Defender plans for the different types of resources present in the subscriptions and in hybrid and multi-cloud environments.

Microsoft Cost Management

To face the important challenge of being able to always keep under control and optimize the expenses to be incurred for the resources created in the cloud environment, the main tool is Microsoft Cost Management, that allows you to:

Monitor cloud spending: the solution tracks the use of resources and allows you to manage costs, also on AWS and GCP, with a single, unified vision. This allows access to a series of operational and financial information and to make decisions with the right awareness.
Increase accountability: allows you to increase the responsibility of the various company areas through budgets, using cost allocation and with chargeback policies.
Optimize costs: through the application of industry best practices

Microsoft Sustainability Manager

Today, an efficient and effective use of IT resources must also take into consideration the environmental impact and energy consumption. Microsoft Sustainability Manager is a Microsoft Cloud for Sustainability solution that unifies data to better monitor and manage the environmental impact of resources. Regardless of the stage you are in to achieve the zero emissions goal, this solution makes it possible to document and support the process for reducing emissions. In fact,, the solution allows you to:

gain the visibility needed to promote sustainability;
simplify data collection and emissions calculations;
analyze and report more efficiently the environmental impact and progress of a company in terms of sustainability.

Not just Azure, but a governance for all IT assets

In situations where a hybrid or multi-cloud strategy is being adopted, the question arises: “as you can view, govern and protect IT assets, regardless of where they are running?”

The answer to this question can be: “adopting Azure Arc”.

In fact,, the underlying principle of Azure Arc is to extend Azure management and governance practices to different environments and to adopt typically cloud solutions, even for on-premises environments.

Figure 3 – Azure Arc overview

To achieve this, Microsoft has decided to extend the modelAzure Resource Manager so that we can also support hybrid environments, thus facilitating the implementation of the control features present in Azure on all the infrastructure components.

Conclusions

To ensure effective use of the public cloud, it is important to adopt the right cloud governance practices that help mitigate risks and protect the company from improper use of IT resources. There are many disciplines to consider and the governance of your IT environment needs to extend across all resources, regardless of where they are. Microsoft offers a number of tools and solutions to address the governance challenge, however, a lot of experience is needed to implement established and reliable processes.

Azure Management services: what's new in February 2023

During the month of February some news regarding the Azure management services were announced. This article provides an overview of the month's top news, so that we can stay up to date on these topics and have the necessary references to conduct further insights.

The following diagram shows the different areas related to management, which are covered in this series of articles:

Govern

Azure Cost Management

Updates related toMicrosoft Cost Management

Secure

Microsoft Defender for Cloud

New features, bug fixes and deprecated features of Microsoft Defender for Cloud

Protect

Azure Backup

Improved experience for creating and managing private endpoints for Recovery Services vaults

Azure Backup allows you to use private endpoints to perform backups and restores securely, using private IPs of virtual networks. Azure Backup recently introduced several enhancements that provide an easier experience for creating and using private endpoints for Recovery Service vaults. The main improvements made as part of this update are as follows:

Ability to create private endpoints without managed identities
Use fewer private IPs per vault
You no longer need to create separate private endpoints for blob and queue services

Azure Site Recovery

New Update Rollup

For Azure Site Recovery was released theUpdate Rollup 66 that solves several issues and introduces some improvements. The details and the procedure to follow for the installation can be found in the specific KB.

Migrate

Azure Migrate

New Azure Migrate releases and features

Azure Database Migration

Database migrations with login and TDE

The new feature of the Azure SQL Migration extension makes the post database migration experience smoother. In fact,, you can have instance-level object migration support, such as SQL and Windows logins, the permissions, server roles and updated user mapping of previously migrated databases.

Furthermore, you can now perform TDE-enabled database migrations with a wizard that automates the backup process, copying and reconfiguring database encryption keys for Azure SQL Managed Instance targets.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure Management services: what's new in January 2023

The new year started with several announcements from Microsoft regarding news related to Azure management services. The monthly release of this summary allows you to have an overall overview of the main news of the month, in order to stay up to date on these topics and have the necessary references to conduct further exploration.

The following diagram shows the different areas related to management, which are covered in this series of articles:

Monitor

Azure Monitor

Certificate the IT Service Management Connector (ITSMC) with ServiceNow Tokyo version (preview)

The IT Service Management Connector (ITSMC) is certified on the Tokyo version of ServiceNow. This connector provides a two-way connection between Azure Monitor and ServiceNow, useful to help you track and fix problems faster.

Govern

Azure Cost Management

Management of billing accounts for EA customers

For Enterprise Agreement customers (EA) “indirect” the ability to manage your billing accounts directly from Cost Management and Billing has been introduced. All relevant information regarding department, account and subscription are available directly from the Azure portal. Furthermore, from the same point it is possible to view the properties and manage the policies of the indirect EA enrollments.

Updates related toMicrosoft Cost Management

Azure Arc

Active Directory Connector for Arc-enabled SQL MI

Azure Arc-enabled data services introduced Active Directory support (AD) for the management of Identity and Access Management (IAM). Indeed, the Arc-enabled SQL Managed instance can use an Active Directory domain (AD) existing on-premises for authentication. To facilitate this, Azure Arc-enabled data services introduce a new Custom Resource Definition (CRD) native Kubernetes called Active Directory Connector. This provides Azure Arc-enabled SQL Managed Instances running on the same data controller the ability to perform Active Directory authentication.

View SQL Server databases using Azure Arc (preview)

Today, customers and partners manage a large number of databases. For each of these databases, it is essential to be able to create an accurate mapping of the configurations. This may be for inventory or reporting purposes. Centralizing database inventory in Azure using Azure Arc allows you to create a unified view of all your databases in one place, regardless of the infrastructure in which they are located: in Azure, in the data center, at edge sites or even other clouds.

Secure

Microsoft Defender for Cloud

New features, bug fixes and deprecated features of Microsoft Defender for Cloud

the endpoint protection component (Microsoft Defender for Endpoint) it is now accessible on the Settings and monitors page;
new version of the recommendation to find missing system updates;
cleanup of deleted Azure Arc machines in linked AWS and GCP accounts.

Protect

Azure Backup

Updates and improvements regarding SAP HANA

The following updates and improvements have been made recently to Azure Backup for SAP HANA, the certified solution Backint for protecting SAP HANA databases residing in Azure virtual machines:

Long-term retention for backups “adhoc”: it is now possible to provide customized retention for backups that occur on demand, outside the scheduled policies.
Partial restore-as-files: Azure Backup for HANA allows recovery points to be restored as a file. If you download the entire chain for one recovery point and want to repeat the operation for another adjacent recovery point, you don't need to download the entire chain again. It is also possible to restore only the files you want.
Integration with native clients and with other tools: previously, for certain scenarios, it was necessary to deactivate backint before the request and reactivate it afterwards, thereby increasing the RPO. With the improvements introduced, these additional steps are no longer necessary and it will be sufficient to activate the requests from the native clients or from the other tools used.

Azure Site Recovery

Ability to use Azure Backup Center for ASR monitor

Azure Backup Center is the point of reference for those who use the native backup features of the Azure platform and allows them to govern, to monitor, manage and analyze backup tasks. Microsoft has extended its capabilities by including monitor capabilities for Azure Site Recovery, which:

Viewing the inventory of replicated items, from a single view, for all vaults.
Consultation through a control panel of all the replication jobs.

Azure Backup Center supports ASR replication scenarios involving Azure virtual machines, VMware and physical machines.

Migrate

Azure Migrate

New Azure Migrate releases and features

Possibility to plan savings with the ASP savings option (Azure Savings Plan for compute) with the Azure Migrate business case and assessment.
Support for exporting the business case report to an .xlsx workbook from the portal.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure Management services: what's new in December 2022

In December, several news regarding Azure management were announced by Microsoft services. The release of this summary, which occurs on a monthly basis, want to provide an overview of the main news of the month, in order to stay updated on these topics and have the necessary references to conduct further investigations.

The following diagram shows the different areas related to management, which are covered in this series of articles:

Monitor

Azure Monitor

Azure Monitor Agent: IIS logs and custom logs

The Azure Monitor agent allows you to collect text files and IIS logs and merge them into a Log Analytics workspace. In this regard, a new feature has been introduced to allow the collection of text logs generated in the application environment, exactly as it happens for Internet Information Service logs (IIS).

Azure Monitor Logs: custom log API and ingestion-time transformation

A new set of features is now available in Azure Monitor that allows you to fully customize the shape of the data that flows into your workspace, plus a new API for custom data merging. Thanks to these new features, it is possible to envisage customized transformations to the data at the time of ingestion. These transformations can be used to set up the extraction of fields during ingestion, obfuscate sensitive data, proceed to remove unnecessary fields or to delete complete events (useful for example to contain costs). Furthermore, it is possible to completely customize the data sent to the new API for custom logs. As well as being able to specify a transformation on the data sent to the new API, you can also explicitly define the schema of your custom table (including dynamic data structures) and leverage AAD authentication and ARM RBAC management.

Configure

Azure Automation

Extension for the Hybrid Runbook Worker

The User Hybrid Worker extension was announced in Azure Automation, which is based on the virtual machine extensions framework and offers an integrated installation experience. There is no dependency on the Log Analytics agent and workspace, and authentication is via System-assigned managed identities, eliminating the need to manage certificates. Furthermore, ensures automatic minor version upgrades by default and simplifies small-scale management of Hybrid Workers through the Azure portal, cmdlet PowerShell, Azure CLI, Bicep, ARM templates and the REST API.

Govern

Azure Cost Management

Use tag inheritance for cost management (preview)

Tag inheritance was announced in a public preview, which allows you to automatically apply subscription and resource group tags to child resources. This mechanism simplifies cost management pipelines.

Updates related toMicrosoft Cost Management

Microsoft is constantly looking for new methodologies to improve Microsoft Cost Management, the solution to provide greater visibility into where costs are accumulating in the cloud, identify and prevent incorrect spending patterns and optimize costs . Inthis article the main improvements and updates of this solution are reported for the year 2022.

Azure Arc

Azure Arc enabled Azure Container Apps (preview)

Azure Container Apps enables developers to quickly build and deploy microservices and containerized applications. Deploying an Arc extension on Azure Arc enabled Kubernetes cluster, IT administrators gain control of the underlying hardware and environment, enabling high productivity of Azure PaaS services within a hybrid environment. The cluster can be on-premise or hosted in a third-party cloud. This approach allows developers to leverage the functionality and productivity of Azure Container Apps anywhere, not only in Azure environment. While, IT administrators can maintain corporate compliance by hosting applications in hybrid environments.

Server Azure Arc enabled in Azure China

Azure Arc-enabled servers are now also operable in two regions of Azure China: Est China 2 and North China 2.

Secure

Microsoft Defender for Cloud

New features, bug fixes and deprecated features of Microsoft Defender for Cloud

Protect

Azure Backup

Recovery of Azure virtual machines Cross Zonal

Azure Backup exploits the potential of Zonal Redundant Storage (ZRS), which stores three replicas of backup data in different Availability Zones, synchronously. This allows recovery points stored in the Recovery Services Vault to be used with ZRS storage even if the backup data in one of the Availability Zones is unavailable, ensuring data availability within a region.

The Cross Zonal Restore option can be considered when:

Zone-wide availability of backup data is critical, and backup data downtime is unacceptable. This allows you to restore Azure virtual machines and disks to any zone of your choice in the same region.
Backup data resilience is needed along with data residency.

Azure Kubernetes Service (AKS) Backup (private preview)

For the Azure Backup service, the private preview of AKS Backup was announced. Using this feature it is possible:

Back up and restore containerized applications, both stateless and stateful, running on AKS clusters
Back up and restore data stored on persistent volumes attached to clusters.
Perform backup orchestration and management from the Backup Center.

Azure Site Recovery

Increased the churn limit (preview)

Azure Site Recovery (ASR) increased the data churn limit by approx 2,5 times, bringing it to 50 MB/s per disk. This way you can configure disaster recovery (DR) for Azure VMs with a data churn of up to 100 MB/s. This allows you to enable DR for IO intensive workloads. This feature is only available for Azure-to-Azure replication scenarios.

New Update Rollup

For Azure Site Recovery was released theUpdate Rollup 65 that solves several issues and introduces some improvements. The details and the procedure to follow for the installation can be found in the specific KB.

Migrate

Azure Migrate

New Azure Migrate releases and features

Software inventory and agentless dependency analysis

Azure Migrate agentless software inventory and dependency analysis is now available for Hyper-V VMs, for bare-metal servers and for servers running on other public clouds such as AWS and GCP. It is therefore possible to inventory the applications, the roles and features installed on those systems. Furthermore, you can run dependency analysis on discovered Windows and Linux servers without installing any agents. Thanks to these features it is possible to build migration plans to Azure more effectively, going to group the servers related to each other.

Building a business case with Azure Migrate (preview)

Azure Migrate's business case feature helps you build business propositions to understand how Azure can drive the most value. In fact,, this solution allows you to understand the return on investment regarding the migration of server systems to Azure, of SQL Server deployments and ASP.NET web applications running in the VMware environment . The business case can be created with just a few clicks and can help you understand:

Total cost of ownership on-premises vs Azure and annual cash flow.
Resource utilization-based insights to identify ideal servers and workloads for the cloud and recommendations for right sizing in Azure.
Benefits for migration and modernization, including the end of support for Windows and SQL versions.
Long-term savings by moving from a capital expenditure model to an operating expenditure model, paying only for what you use.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure Management services: what's new in November 2022

In November, Microsoft released some important news regarding Azure management services. Through these articles released on a monthly basis, we want to provide an overall overview of the main news of the month, in order to stay up to date on these arguments and have the necessary references for further information.

The following diagram shows the different areas related to management, which are covered in this series of articles:

Configure

Azure Automation

Support for Availability Zones

Azure Automation has introduced support for Availability Zones so that it can provide greater resiliency and reliability to the service, runbooks and other automation resources. In case a zone is inactive, no user action is required to recover from a zone fault, in fact, the service will be made accessible through the other available areas. In addition to high availability, this feature is useful for implementing a disaster recovery strategy for the Automation Account, often a key component in DR plans in Azure.

Govern

Azure Cost Management

Updates related toMicrosoft Cost Management

Ability to use tag inheritance to group subscriptions and resource groups.
View cost change over previous period, in the cost analysis preview.

Azure Advisor: new cost recommendations for Virtual Machine Scale Sets

Azure Advisor has expanded the recommendations to include cost optimizations for Virtual Machine Scale Sets as well. Recommendations will include recommendations for shutting down resources that are not being used, recommendations for changing the SKU and downscaling for underutilized resources versus provisioning.

Secure

Microsoft Defender for Cloud

New features, bug fixes and deprecated features of Microsoft Defender for Cloud

Protecting containers in a GCP environment with Defender for Containers
Ability to validate Defender for Containers protections via sample alerts
Governance rules at scale (preview)

Protect

Azure Backup

Cross-subscription recovery for VMs in Azure (preview)

The Cross Subscription Restore feature was announced in preview and allows you to restore Azure virtual machines, by creating or restoring new disks, in any subscription, starting from the restore point created by Azure Backup. By default, Azure Backup restores in the same subscription where the recovery points are available. With this new feature, you get the flexibility to perform restores in any subscription of the tenant. Cross Subscription Restore is also supported for restore with Managed System Identities (MSI), while it is not currently supported for Azure encrypted virtual machines and Trusted Launch VMs.

Migrate

Azure Migrate

New Azure Migrate releases and features

Support for using a sudo account to perform agentless dependency analysis on Linux servers running in environments VMware, Hyper-V and for physical systems or in other cloud environments.
Support for selecting VNets and Subnets during test migration (Using PowerShell) for the agentless VMware scenario.
OS disk swap support for agentless VMware scenario.
Support for pausing and resuming replicas using PowerShell for VMware agentless scenario.

Azure Database Migration

Offline Azure SQL Database migrations with the Azure SQL Migration extension

To perform offline migrations of SQL Server databases running on-premises, SQL Server on Azure virtual machines or any virtual machine running in the cloud (private, public) to Azure SQL Database you can use the extension Azure SQL Migration

New Azure SQL Migration extension migration feature provides an end-to-end experience to modernize SQL Servers in Azure SQL Database. The extension allows you to check the readiness of the migration with actions for: remedying possible migration blocks, export assessment results and get appropriate Azure recommendations.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.