Category Archives: Azure Policy & Governance

The importance of Azure Policy in the context of Cloud Technical Governance

The adoption of cloud computing is becoming more widespread, but managing and controlling cloud resources can be a daunting challenge for organizations. In this context, Microsoft's Azure Policies represent a fundamental tool for cloud governance, able to help companies define, apply and enforce security and compliance policies in a consistent and automated manner. This article will explore the importance of Azure Policies in managing cloud services, illustrating the benefits of using this solution and some more common use cases. Furthermore, some useful tips for defining effective policies and for integrating Azure Policies into the overall cloud governance strategy will be presented.

The common need and possible approaches

The common requirement is to standardize, and in some cases impose, how resources are configured in the cloud environment. All this is done to obtain specific environments that meet compliance regulations, monitor security, resource costs and standardize the design of the different architectures.

Getting this result is not easy, especially in complex environments where you can find different Azure subscriptions on which different groups of operators develop and operate.

These goals can be achieved with a traditional approach, which provides for a block of operators in direct access to cloud resources (through the portal, API or cli):

Figure 1 – Traditional approach

However, this type of traditional approach is not very flexible, because it involves a loss of agility in controlling the deployment of resources.

In this regard, it is instead recommended to use a mechanism that is provided natively by the Azure platform, which allows you to pilot governance processes to achieve the desired control, but without impacting the speed, fundamental element in operations in modern IT with resources in the cloud:

Figure 2 – Modern approach with Azure Policy

What can be achieved thanks to Azure Policies

By activating the Azure Policy it is possible:

activate and carry out real-time evaluation of the criteria present in the policies;
evaluate policy compliance periodically or upon request;
activate operations for real-time remediation, also for existing resources.

All this translates into the ability to apply and enforce policy compliance on a large scale and its remediation actions.

How the Azure Policy mechanism works

The working mechanism of the Azure Policy is simple and integrated into the platform. When a request is made for an Azure resource configuration using ARM, this is intercepted by the layer containing the engine that performs the evaluation of policy. This engine makes an assessment based on active Azure policies and establishes the legitimacy of the request.

Figure 3 – Working principle of Azure Policy in creating resources

The same mechanism is then repeated periodically or upon specific request to evaluate the compliance status of existing resources.

Figure 4 – Working principle of Azure Policy in resource control

Azure already has many built-in policies ready to apply, or you can configure them to suit your needs. The definition of the Azure Policy is made in JSON and follows a well defined structure, described inthis Microsoft's document. You also have the possibility of creatingInitiatives, they are a collection of multiple policies.

When you have the desired policy definition, you can assign it to a Management Group, to a subscription and possibly in a more limited way to a specific Resource Group. The same goes for Initiatives. You also have the ability to exclude certain resources from applying the policy if necessary.

Following the assignment, you can evaluate the State of compliance in detail and if it is necessary apply remediation actions.

Use cases for Azure policies

The main areas that can be governed by appropriately adopting the Azure Policies are reported:

financial: resources deployed in Azure for which a consistent metadata strategy needs to be applied to achieve effective cost mapping;
data location: sovereignty requirements that require data to reside in certain geographic locations;
unnecessary expenses: resources that are no longer used or that have not been properly disposed of resulting in unnecessary expenses for the company;
management inefficiencies: an inconsistent resource naming and tagging strategy can make troubleshooting and routine maintenance demands of existing architectures difficult;
business interruption: SLAs are required to ensure that systems are built in accordance with business requirements. Therefore, architectures must be designed according to SLAs and must be investigated if they do not meet them.

Conclusions

In the context of Cloud Technical Governance it is essential to define and apply rules that make it possible to ensure that Azure resources always comply with the defined company standards. Thanks to the use of Azure Policies, also increasing the complexity and quantity of services, you can always ensure advanced control of your Azure environment.

How to maintain technological and economic control of Azure resources and beyond

Solutions related to the public cloud in recent years have registered considerable interest from many companies, attracted by the possibilities offered and the relative benefits. In fact,, among the main characteristics of the public cloud we find dynamism and speed of provisioning, which can be a great vector of innovation for organizations in the IT field. However, if you decide to apply procedures and practices already consolidated in the on-premise world also to cloud environments, you risk making serious mistakes. The cloud is by nature different and, applying the same processes of the on-premise environment, you are likely to have the same results, the same problems, almost similar implementation times and even higher costs. It is therefore essential to implement a process of Cloud Technical Governance through which to ensure effective and efficient use of IT resources in the cloud environment, in order to best achieve their goals. In particular, Governance of the Azure environment is made possible by a series of solutions specially designed to allow management and constant control of the various Azure resources on a large scale. This article will show some of the main Microsoft solutions to consider to better define and manage the governance of services in the Azure environment and beyond.

Public cloud: a double-edged sword

Talking about public clouds today means referring to resources and services that a company can hardly do without, but in some respects it can be a double-edged sword.

What are the main features and potential strengths, they can hide pitfalls if not governed properly:

The Self-service delega, this means the possibility of delegating the creation of resources to several working groups, greatly increases the agility and speed of provisioning, but at the same time it could lead to a total lack of control if this is not done in a correct and controlled way.
In the public cloud, almost everything is pay-per-consumption. If we combine this feature with the adoption of uncontrolled self-service delegations, where everyone creates resources without an appropriate government, the result can lead to very high and unnecessary costs.
When we talk about public cloud we also know that flexibility and scalability they are two great elements of strength and value, but this flexibility, the fact of being able to adopt hundreds of solutions, operating according to self-service logic, combined with hybrid connectivity environments must also focus our attention on new potential security threats.
Although Azure, as well as major public clouds, has a very large number of certifications, it introduces solutions based on new technologies which may be difficult to reconcile with corporate compliance requirements.

Adopt the cloud with proper Technical Governance

In the light of these considerations, the advice is to adopt solutions in the public cloud to remain competitive in this ever-changing digital world, but with the appropriate practices of Cloud Technical Governance that help the company mitigate risk and create guardrails. Governance policies within an organization, if properly managed, they also act as an early warning system to detect potential problems.

When it comes to cloud governance there are several disciplines that emerge. Thecost management it is one of the fundamental subjects that absolutely must be treated and managed. To this are added equally important arguments, as the definition of security and compliance baselines, the identity management, theacceleration of deployment processes and the standardization of created resources.

Therefore, declining the concept of governance for an ICT system in the cloud means defining, implement and continuously verify all those rules that make it:

with predictable costs;
secure according to the guidelines defined by corporate security at any level, not necessarily technical:
supportable by all working groups involved in the implementations;
subject to audit in terms of compliance with current and company regulations.

The main Microsoft tools for Governance

Cloud governance can be associated with a trip, where Microsoft provides several platform tools to make it run smoothly. The following paragraphs show some of the main solutions to be taken into consideration to implement functional governance.

Cloud Adoption Framework di Azure

From a design point of view, Microsoft provides the Cloud Adoption Framework di Azure, a set of documentation and tools that guide in the best practices of implementations of solutions in the Azure environment. Among these best practices, that it is good to adopt commonly and that it is appropriate to decline specifically for the various customers based on their needs, there is also a specific section for governance. This can be seen as a starting point for applying these practices in detail.

Figure 1 – Design and standardization: Cloud Adoption Framework for Azure

Azure Policy

Azure Policy, natively integrated into the platform, are a key element for governance as they allow you to control the environment and obtain consistency with respect to the activated Azure resources.

Azure Policies allow you to manage:

compliance:
- enable native or custom policies for all resource types;
- real-time policy assessment and enforcement:
- periodic and upon request conformity assessment;
large-scale distribution:
- application of policies to Management Group with control over the whole organization;
- applying multiple policies and aggregating policy states through initiatives;
- exclusion scope;
- Policy as Code con Azure DevOps.
remedies and automations:
- correction of existing assets to scale;
- automatic remediation upon implementation;
- activation of alerts when a resource is not compliant.

Defender for Cloud

The Microsoft Defender for Cloud solution provides a set of features that cover two important pillars of security for modern architectures that adopt cloud components: Cloud Security Posture Management (CSPM) e Cloud workload protection (CWP).

Figure 2 – The security pillars covered by Microsoft Defender for Cloud

WithinCloud Security Posture Management (CSPM) Defender for Cloud can provide the following features:

visibility: to assess the current security situation;
guida all’hardening: to be able to improve security efficiently and effectively.

Thanks to a continuous assessment, Defender for Cloud is able to continuously discover new resources that are distributed and evaluate if they are configured according to security best practices. If not,, assets are flagged and you get a priority list of recommendations on what to fix to improve their security. As regards the scopeCloud Workload Protection (CWP), Defender for Cloud delivers security alerts based onMicrosoft Threat Intelligence. Furthermore, includes a wide range of advanced and intelligent protections for workloads, provided through specific Microsoft Defender plans for the different types of resources present in the subscriptions and in hybrid and multi-cloud environments.

Microsoft Cost Management

To face the important challenge of being able to always keep under control and optimize the expenses to be incurred for the resources created in the cloud environment, the main tool is Microsoft Cost Management, that allows you to:

Monitor cloud spending: the solution tracks the use of resources and allows you to manage costs, also on AWS and GCP, with a single, unified vision. This allows access to a series of operational and financial information and to make decisions with the right awareness.
Increase accountability: allows you to increase the responsibility of the various company areas through budgets, using cost allocation and with chargeback policies.
Optimize costs: through the application of industry best practices

Microsoft Sustainability Manager

Today, an efficient and effective use of IT resources must also take into consideration the environmental impact and energy consumption. Microsoft Sustainability Manager is a Microsoft Cloud for Sustainability solution that unifies data to better monitor and manage the environmental impact of resources. Regardless of the stage you are in to achieve the zero emissions goal, this solution makes it possible to document and support the process for reducing emissions. In fact,, the solution allows you to:

gain the visibility needed to promote sustainability;
simplify data collection and emissions calculations;
analyze and report more efficiently the environmental impact and progress of a company in terms of sustainability.

Not just Azure, but a governance for all IT assets

In situations where a hybrid or multi-cloud strategy is being adopted, the question arises: “as you can view, govern and protect IT assets, regardless of where they are running?”

The answer to this question can be: “adopting Azure Arc”.

In fact,, the underlying principle of Azure Arc is to extend Azure management and governance practices to different environments and to adopt typically cloud solutions, even for on-premises environments.

Figure 3 – Azure Arc overview

To achieve this, Microsoft has decided to extend the modelAzure Resource Manager so that we can also support hybrid environments, thus facilitating the implementation of the control features present in Azure on all the infrastructure components.

Conclusions

To ensure effective use of the public cloud, it is important to adopt the right cloud governance practices that help mitigate risks and protect the company from improper use of IT resources. There are many disciplines to consider and the governance of your IT environment needs to extend across all resources, regardless of where they are. Microsoft offers a number of tools and solutions to address the governance challenge, however, a lot of experience is needed to implement established and reliable processes.

Azure Management services: what's new in February 2023

During the month of February some news regarding the Azure management services were announced. This article provides an overview of the month's top news, so that we can stay up to date on these topics and have the necessary references to conduct further insights.

The following diagram shows the different areas related to management, which are covered in this series of articles:

Figure 1 – Management services in Azure overview

Govern

Azure Cost Management

Updates related toMicrosoft Cost Management

Secure

Microsoft Defender for Cloud

New features, bug fixes and deprecated features of Microsoft Defender for Cloud

Microsoft Defender for Cloud development is constantly evolving and improvements are being made on an ongoing basis. To stay up to date on the latest developments, Microsoft updates this page, this provides information about new features, bug fixes and deprecated features. In particular, this month the main news concern:

Protect

Azure Backup

Improved experience for creating and managing private endpoints for Recovery Services vaults

Azure Backup allows you to use private endpoints to perform backups and restores securely, using private IPs of virtual networks. Azure Backup recently introduced several enhancements that provide an easier experience for creating and using private endpoints for Recovery Service vaults. The main improvements made as part of this update are as follows:

Ability to create private endpoints without managed identities
Use fewer private IPs per vault
You no longer need to create separate private endpoints for blob and queue services

Azure Site Recovery

New Update Rollup

For Azure Site Recovery was released theUpdate Rollup 66 that solves several issues and introduces some improvements. The details and the procedure to follow for the installation can be found in the specific KB.

Migrate

Azure Migrate

New Azure Migrate releases and features

Azure Migrate is the service in Azure that includes a large portfolio of tools that you can use, through a guided experience, to address effectively the most common migration scenarios. To stay up-to-date on the latest developments in the solution, please consult this page, that provides information about new releases and features. In particular, this month the main news concerns the discovery and assessment support for SQL Server Always On failover cluster instances and Always On availability groups.

Azure Database Migration

Database migrations with login and TDE

The new feature of the Azure SQL Migration extension makes the post database migration experience smoother. In fact,, you can have instance-level object migration support, such as SQL and Windows logins, the permissions, server roles and updated user mapping of previously migrated databases.

Furthermore, you can now perform TDE-enabled database migrations with a wizard that automates the backup process, copying and reconfiguring database encryption keys for Azure SQL Managed Instance targets.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure Management services: what's new in January 2023

The new year started with several announcements from Microsoft regarding news related to Azure management services. The monthly release of this summary allows you to have an overall overview of the main news of the month, in order to stay up to date on these topics and have the necessary references to conduct further exploration.

The following diagram shows the different areas related to management, which are covered in this series of articles:

Monitor

Azure Monitor

Certificate the IT Service Management Connector (ITSMC) with ServiceNow Tokyo version (preview)

The IT Service Management Connector (ITSMC) is certified on the Tokyo version of ServiceNow. This connector provides a two-way connection between Azure Monitor and ServiceNow, useful to help you track and fix problems faster.

Govern

Azure Cost Management

Management of billing accounts for EA customers

For Enterprise Agreement customers (EA) “indirect” the ability to manage your billing accounts directly from Cost Management and Billing has been introduced. All relevant information regarding department, account and subscription are available directly from the Azure portal. Furthermore, from the same point it is possible to view the properties and manage the policies of the indirect EA enrollments.

Updates related toMicrosoft Cost Management

Azure Arc

Active Directory Connector for Arc-enabled SQL MI

Azure Arc-enabled data services introduced Active Directory support (AD) for the management of Identity and Access Management (IAM). Indeed, the Arc-enabled SQL Managed instance can use an Active Directory domain (AD) existing on-premises for authentication. To facilitate this, Azure Arc-enabled data services introduce a new Custom Resource Definition (CRD) native Kubernetes called Active Directory Connector. This provides Azure Arc-enabled SQL Managed Instances running on the same data controller the ability to perform Active Directory authentication.

View SQL Server databases using Azure Arc (preview)

Today, customers and partners manage a large number of databases. For each of these databases, it is essential to be able to create an accurate mapping of the configurations. This may be for inventory or reporting purposes. Centralizing database inventory in Azure using Azure Arc allows you to create a unified view of all your databases in one place, regardless of the infrastructure in which they are located: in Azure, in the data center, at edge sites or even other clouds.

Secure

Microsoft Defender for Cloud

New features, bug fixes and deprecated features of Microsoft Defender for Cloud

the endpoint protection component (Microsoft Defender for Endpoint) it is now accessible on the Settings and monitors page;
new version of the recommendation to find missing system updates;
cleanup of deleted Azure Arc machines in linked AWS and GCP accounts.

Protect

Azure Backup

Updates and improvements regarding SAP HANA

The following updates and improvements have been made recently to Azure Backup for SAP HANA, the certified solution Backint for protecting SAP HANA databases residing in Azure virtual machines:

Long-term retention for backups “adhoc”: it is now possible to provide customized retention for backups that occur on demand, outside the scheduled policies.
Partial restore-as-files: Azure Backup for HANA allows recovery points to be restored as a file. If you download the entire chain for one recovery point and want to repeat the operation for another adjacent recovery point, you don't need to download the entire chain again. It is also possible to restore only the files you want.
Integration with native clients and with other tools: previously, for certain scenarios, it was necessary to deactivate backint before the request and reactivate it afterwards, thereby increasing the RPO. With the improvements introduced, these additional steps are no longer necessary and it will be sufficient to activate the requests from the native clients or from the other tools used.

Azure Site Recovery

Ability to use Azure Backup Center for ASR monitor

Azure Backup Center is the point of reference for those who use the native backup features of the Azure platform and allows them to govern, to monitor, manage and analyze backup tasks. Microsoft has extended its capabilities by including monitor capabilities for Azure Site Recovery, which:

Viewing the inventory of replicated items, from a single view, for all vaults.
Consultation through a control panel of all the replication jobs.

Azure Backup Center supports ASR replication scenarios involving Azure virtual machines, VMware and physical machines.

Migrate

Azure Migrate

New Azure Migrate releases and features

Possibility to plan savings with the ASP savings option (Azure Savings Plan for compute) with the Azure Migrate business case and assessment.
Support for exporting the business case report to an .xlsx workbook from the portal.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure Management services: what's new in December 2022

In December, several news regarding Azure management were announced by Microsoft services. The release of this summary, which occurs on a monthly basis, want to provide an overview of the main news of the month, in order to stay updated on these topics and have the necessary references to conduct further investigations.

The following diagram shows the different areas related to management, which are covered in this series of articles:

Monitor

Azure Monitor

Azure Monitor Agent: IIS logs and custom logs

The Azure Monitor agent allows you to collect text files and IIS logs and merge them into a Log Analytics workspace. In this regard, a new feature has been introduced to allow the collection of text logs generated in the application environment, exactly as it happens for Internet Information Service logs (IIS).

Azure Monitor Logs: custom log API and ingestion-time transformation

A new set of features is now available in Azure Monitor that allows you to fully customize the shape of the data that flows into your workspace, plus a new API for custom data merging. Thanks to these new features, it is possible to envisage customized transformations to the data at the time of ingestion. These transformations can be used to set up the extraction of fields during ingestion, obfuscate sensitive data, proceed to remove unnecessary fields or to delete complete events (useful for example to contain costs). Furthermore, it is possible to completely customize the data sent to the new API for custom logs. As well as being able to specify a transformation on the data sent to the new API, you can also explicitly define the schema of your custom table (including dynamic data structures) and leverage AAD authentication and ARM RBAC management.

Configure

Azure Automation

Extension for the Hybrid Runbook Worker

The User Hybrid Worker extension was announced in Azure Automation, which is based on the virtual machine extensions framework and offers an integrated installation experience. There is no dependency on the Log Analytics agent and workspace, and authentication is via System-assigned managed identities, eliminating the need to manage certificates. Furthermore, ensures automatic minor version upgrades by default and simplifies small-scale management of Hybrid Workers through the Azure portal, cmdlet PowerShell, Azure CLI, Bicep, ARM templates and the REST API.

Govern

Azure Cost Management

Use tag inheritance for cost management (preview)

Tag inheritance was announced in a public preview, which allows you to automatically apply subscription and resource group tags to child resources. This mechanism simplifies cost management pipelines.

Updates related toMicrosoft Cost Management

Azure Arc

Azure Arc enabled Azure Container Apps (preview)

Azure Container Apps enables developers to quickly build and deploy microservices and containerized applications. Deploying an Arc extension on Azure Arc enabled Kubernetes cluster, IT administrators gain control of the underlying hardware and environment, enabling high productivity of Azure PaaS services within a hybrid environment. The cluster can be on-premise or hosted in a third-party cloud. This approach allows developers to leverage the functionality and productivity of Azure Container Apps anywhere, not only in Azure environment. While, IT administrators can maintain corporate compliance by hosting applications in hybrid environments.

Server Azure Arc enabled in Azure China

Azure Arc-enabled servers are now also operable in two regions of Azure China: Est China 2 and North China 2.

Secure

Microsoft Defender for Cloud

New features, bug fixes and deprecated features of Microsoft Defender for Cloud

Protect

Azure Backup

Recovery of Azure virtual machines Cross Zonal

Azure Backup exploits the potential of Zonal Redundant Storage (ZRS), which stores three replicas of backup data in different Availability Zones, synchronously. This allows recovery points stored in the Recovery Services Vault to be used with ZRS storage even if the backup data in one of the Availability Zones is unavailable, ensuring data availability within a region.

The Cross Zonal Restore option can be considered when:

Zone-wide availability of backup data is critical, and backup data downtime is unacceptable. This allows you to restore Azure virtual machines and disks to any zone of your choice in the same region.
Backup data resilience is needed along with data residency.

Azure Kubernetes Service (AKS) Backup (private preview)

For the Azure Backup service, the private preview of AKS Backup was announced. Using this feature it is possible:

Back up and restore containerized applications, both stateless and stateful, running on AKS clusters
Back up and restore data stored on persistent volumes attached to clusters.
Perform backup orchestration and management from the Backup Center.

Azure Site Recovery

Increased the churn limit (preview)

Azure Site Recovery (ASR) increased the data churn limit by approx 2,5 times, bringing it to 50 MB/s per disk. This way you can configure disaster recovery (DR) for Azure VMs with a data churn of up to 100 MB/s. This allows you to enable DR for IO intensive workloads. This feature is only available for Azure-to-Azure replication scenarios.

New Update Rollup

For Azure Site Recovery was released theUpdate Rollup 65 that solves several issues and introduces some improvements. The details and the procedure to follow for the installation can be found in the specific KB.

Migrate

Azure Migrate

New Azure Migrate releases and features

Azure Migrate is the service in Azure that includes a large portfolio of tools that you can use, through a guided experience, to address effectively the most common migration scenarios. To stay up-to-date on the latest developments in the solution, please consult this page, that provides information about new releases and features. The main news of this month are described in detail in the following paragraphs.

Software inventory and agentless dependency analysis

Azure Migrate agentless software inventory and dependency analysis is now available for Hyper-V VMs, for bare-metal servers and for servers running on other public clouds such as AWS and GCP. It is therefore possible to inventory the applications, the roles and features installed on those systems. Furthermore, you can run dependency analysis on discovered Windows and Linux servers without installing any agents. Thanks to these features it is possible to build migration plans to Azure more effectively, going to group the servers related to each other.

Building a business case with Azure Migrate (preview)

Azure Migrate's business case feature helps you build business propositions to understand how Azure can drive the most value. In fact,, this solution allows you to understand the return on investment regarding the migration of server systems to Azure, of SQL Server deployments and ASP.NET web applications running in the VMware environment . The business case can be created with just a few clicks and can help you understand:

Total cost of ownership on-premises vs Azure and annual cash flow.
Resource utilization-based insights to identify ideal servers and workloads for the cloud and recommendations for right sizing in Azure.
Benefits for migration and modernization, including the end of support for Windows and SQL versions.
Long-term savings by moving from a capital expenditure model to an operating expenditure model, paying only for what you use.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure Management services: what's new in November 2022

In November, Microsoft released some important news regarding Azure management services. Through these articles released on a monthly basis, we want to provide an overall overview of the main news of the month, in order to stay up to date on these arguments and have the necessary references for further information.

The following diagram shows the different areas related to management, which are covered in this series of articles:

Configure

Azure Automation

Support for Availability Zones

Azure Automation has introduced support for Availability Zones so that it can provide greater resiliency and reliability to the service, runbooks and other automation resources. In case a zone is inactive, no user action is required to recover from a zone fault, in fact, the service will be made accessible through the other available areas. In addition to high availability, this feature is useful for implementing a disaster recovery strategy for the Automation Account, often a key component in DR plans in Azure.

Govern

Azure Cost Management

Updates related toMicrosoft Cost Management

Ability to use tag inheritance to group subscriptions and resource groups.
View cost change over previous period, in the cost analysis preview.

Azure Advisor: new cost recommendations for Virtual Machine Scale Sets

Azure Advisor has expanded the recommendations to include cost optimizations for Virtual Machine Scale Sets as well. Recommendations will include recommendations for shutting down resources that are not being used, recommendations for changing the SKU and downscaling for underutilized resources versus provisioning.

Secure

Microsoft Defender for Cloud

New features, bug fixes and deprecated features of Microsoft Defender for Cloud

Protecting containers in a GCP environment with Defender for Containers
Ability to validate Defender for Containers protections via sample alerts
Governance rules at scale (preview)

Protect

Azure Backup

Cross-subscription recovery for VMs in Azure (preview)

The Cross Subscription Restore feature was announced in preview and allows you to restore Azure virtual machines, by creating or restoring new disks, in any subscription, starting from the restore point created by Azure Backup. By default, Azure Backup restores in the same subscription where the recovery points are available. With this new feature, you get the flexibility to perform restores in any subscription of the tenant. Cross Subscription Restore is also supported for restore with Managed System Identities (MSI), while it is not currently supported for Azure encrypted virtual machines and Trusted Launch VMs.

Migrate

Azure Migrate

New Azure Migrate releases and features

Support for using a sudo account to perform agentless dependency analysis on Linux servers running in environments VMware, Hyper-V and for physical systems or in other cloud environments.
Support for selecting VNets and Subnets during test migration (Using PowerShell) for the agentless VMware scenario.
OS disk swap support for agentless VMware scenario.
Support for pausing and resuming replicas using PowerShell for VMware agentless scenario.

Azure Database Migration

Offline Azure SQL Database migrations with the Azure SQL Migration extension

To perform offline migrations of SQL Server databases running on-premises, SQL Server on Azure virtual machines or any virtual machine running in the cloud (private, public) to Azure SQL Database you can use the extension Azure SQL Migration

New Azure SQL Migration extension migration feature provides an end-to-end experience to modernize SQL Servers in Azure SQL Database. The extension allows you to check the readiness of the migration with actions for: remedying possible migration blocks, export assessment results and get appropriate Azure recommendations.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure Management services: what's new in October 2022

In October, Microsoft announced a considerable number of news regarding Azure management services, accomplice also the Microsoft Ignite conference 2022. Through these articles, issued on a monthly basis, I want to provide an overall overview of the main news of the month, so that you can always stay up to date on these topics and have the necessary references to carry out further studies.

The following diagram shows the different areas related to management, which are covered in this series of articles:

Monitor

Azure Monitor

New migration tools for the Azure Monitor agent

The Azure Monitor Agent (AMA) provides a way that is secure , economical and performing to collect telemetry data from Azure virtual machines, scale set, Azure Arc-enabled servers and Windows client devices. Microsoft has announced that it is necessary to migrate from the log analytics agent (MMA or OMS agent) to this agent before August 2024. To address this migration you can use the following migration tools:

AMA migration helper: an Azure Monitor workbook-based solution that helps you find out what to migrate and monitor progress in moving from legacy agents to the new Azure Monitor agent.
DCR config generator: the Azure Monitor agent relies only on data collection rules (data collection rule) for configuration, while the legacy agent extracted all its configuration from the Log Analytics workspaces. Using this script, it is possible to analyze the configuration of the legacy agent from the workspaces and automatically generate the corresponding rules. You will be able to associate these rules with systems running the new agent, using the integrated association criteria.

Support of the Azure Monitor agent also for Windows clients

Azure Monitor agent and data collection rules now support client devices Windows 10 and 11. Client devices running the agent must be connected to AAD or hybrid AAD, since the agent relies on the identity of the AAD device for authentication. For client devices, while deploying the same agent that uses data collection rules to manage the configuration, only association is allowed (or targeting) at the AAD tenant level. Granular device targeting is not yet available. Furthermore, the agent is the same used for virtual machines or servers, that is, it has no specific optimization for client devices (ex. for the battery, the network, etc.).

Azure Service Map retirement announced

Microsoft announced that Azure Service Map will be officially retired on 30 September 2025. To monitor connections between servers, processes and connection latencies need to use Azure MonitorVM insights. The experience provided by VM Insights includes the same features as Service Map, beyond:

Improved scalability and support for more complex maps.
More detailed metrics for connections.
Integrated support for grouping machines.

Azure Monitor predictive autoscale for Azure Virtual Machine Scale Sets

The predictive autoscale uses machine learning to help manage and scale Azure Virtual Machine Scale Sets with cyclical workload models. This feature allows you to predict the overall CPU load for the set of virtual machines based on historical CPU usage patterns. This allows scale-out to be done in time to meet demand.

There are several key features released:

New virtual machine set instances are added when the system expects the CPU percentage to exceed the scale-out limit.
You can configure how far in advance you want to provision new instances.
It is possible to view the CPU usage forecasts without activating the scaling action, using the forecast-only mode.

Azure Monitor Logs: functionality to add value to data and reduce costs

For Azure Monitor Logs, interesting log analysis features have been announced that will help increase the cost effectiveness of logs:

Basic Logs: an economical solution for high-volume verbose logs. It is now possible to configure high-volume verbose log tables as basic logs and reduce the cost of storing data used for debugging, problem solving and auditing.
Long-term archiving of logs for security and compliance. The archiving of the logs allows you to extend the retention period of the Log Analytic table and to archive the logs up to seven years with a significant reduction in prices.
Archived logs can be accessed by using a search job or by temporarily restoring a set of logs.
Search Log: a new tool that asynchronously scans petabytes of data and retrieves all relevant records in a new persistent Log Analytics table.
Restoration: an operation that makes a specific time interval of table data available in the hot cache, to run high performance queries.

Azure Monitor Logs: RBAC creation in granular way for custom tables
Today, data access control can be managed at the workspace level, resource and table, but only for Azure standard tables. Previously, custom tables only supported one authorization method: “all or nothing”. The Log Analytics product team added the functionality to allow workspace administrators to manage more granular access to data, supporting table-level read permission, for both Azure tables and customer tables.

Integration of the Azure Monitor Agent with Connection Monitor (preview)
Connection Monitor is a multi-agent monitoring solution that can monitor connectivity in Azure and hybrid environments and measure packet loss, latency and jitter. Connection Monitor provides useful information for diagnosing and resolving network problems and provides end-to-end path visibility with a unified topology.

Microsoft's goal is to consolidate multiple monitor agents into a single agent. This feature allows you to meet the needs of collection of monitor logs related to connectivity and metrics on Azure and on on-premises Arc-enabled computers, eliminating the costs of managing and enabling multiple monitor agents. Furthermore, the Azure Monitor Agent offers improved security and performance features, real cost savings and easier problem solving. Thanks to this support, the dependence on the Log Analytics agent is eliminated, while increasing the coverage of on-premises computers with the support of Arc-enabled endpoints.

Azure Monitor Managed Service for Prometheus (preview)

Prometheus, the open source project of the Cloud Native Computing Foundation, is considered the de-facto standard when it comes to monitoring containerized workloads. Running self-managed Prometheus is often a great solution for smaller deployments, though scaling to manage workloads can be a major challenge. The new Prometheus-compatible and fully managed Azure Monitor service offers the best of what you like about the open source ecosystem, while automating complex tasks such as scaling, high availability and long-term data retention. This service is available as a standalone Azure Monitor service or as an integrated component of Container Insights and Azure Managed Grafana.

Rules for Azure Kubernetes Service resources and for Log Analytics (preview)

The Azure portal now allows you to easily enable a set of alert rules pertaining to the best practices recommended for Azure Kubernetes Service resources (AKS) and for Log Analytics workspace.

Govern

Azure Cost Management

Updates related toMicrosoft Cost Management

Azure Arc

Automatic extension update for Azure Arc-enabled servers

Microsoft has made the extension automatic update functionality available for Azure Arc-enabled servers.

Azure Automanage for Azure virtual machines and Arc-enabled servers
Azure Automanage is a service that automates the configuration of virtual machines to Azure services, as well as security operations and management of the entire life cycle of VMs in Azure or hybrid environments (enabled through Azure Arc). This saves time, reduce risks and improve workload uptime, automating daily configuration and management tasks. Azure Automanage is now available for Azure virtual machines and Arc-enabled servers.

Microsoft has added new features to further automate the configuration and management of any virtual machine, including:

the application of improved backup settings and different auditing modes for server baselines;
the ability to specify custom Log Analytics workspaces and Azure tags to identify resources;
support for Windows virtual machines 10;
support for enabling Microsoft Antimalware.

New features for Azure Arc-enabled SQL Servers

Azure Arc-enabled SQL Servers have several new features that increasingly allow customers to leverage a cloud-like experience, including:

single sign-on experience that integrates with Azure Active Directory (Azure AD).
improved security thanks to Microsoft Defender which allows customers to
evaluate and secure SQL Server properties in hybrid and multicloud environments.

Secure

Microsoft Defender for Cloud

New features, bug fixes and deprecated features of Microsoft Defender for Cloud

Microsoft Defender for DevOps, a new solution that will provide visibility across multiple DevOps environments. This solution will make it possible to centrally manage security, strengthen cloud resource configurations in code and prioritize critical troubleshooting in code in multi-pipeline and multicloud environments. With this preview, major platforms such as GitHub and Azure DevOps are already supported and other major DevOps platforms will be supported shortly.
Microsoft cloud security benchmark: the complete multicloud security framework is now available with Microsoft Defender for Cloud, as part of the free Cloud Security Posture Management experience. This integrated benchmark is able to map best practices across different clouds and various industry frameworks, enabling security teams to ensure multicloud security compliance.
Microsoft Defender for Servers, as well as an agent-based approach to virtual machines (VM) in Azure e AWS, will support agentless scanning.
Defender for Servers P2 will provide the premium features of Microsoft Defender Vulnerability Management.
Microsoft Defender for Containers will expand multicloud threat protection with agentless scanning in AWS Elastic Container Registry.

Protect

Azure Backup

Smart tiering: automatic move to the vault-archive tier

Azure Backup has introduced the ability to configure policies to automate the use of the vault-archive tier for Azure virtual machines and for SQL Server / SAP HANA on board virtual machines. This ensures that the restore points are suitable and recommended (in the case of Azure virtual machines) are automatically moved to the vault-archive tier. This is done periodically and according to the backup policy settings. Furthermore, you can specify the number of days after which you want the recovery points to be moved to the vault-archive tier.

Support for zone-rendundant storage

In Azure Backup, support for redundant zone type vaults has been introduced. When configuring resource protection using a zone-redundant storage vault (ZRS), backups are synchronously replicated across three Availability Zones within a region. This allows you to perform data restores even in the event of outages in a specific area.

Immutable vaults for Azure Backup

With immutable vaults, Azure Backup offers an option to ensure that the recovery points created cannot be deleted before the expected deadline. Azure Backup does this by preventing any operation that could lead to the loss of backup data. This helps protect backups from threats such as ransomware attacks and malicious actors, preventing operations such as deleting backups or reducing retention in backup policies.

Soft delete functionality enhancements for Azure Backup

It is now possible to ensure better protection of backups against various threats, making soft delete irreversible. Furthermore, the soft delete functionality allows you to provide a customizable retention period for which deleted data must be kept.

Support for HANA System Replication in Azure Backup for HANA (preview)

Azure Backup protects HANA databases on Azure virtual machines with a streaming database backup solution, Backint certified. Previously, if the HANA database had HANA System Replication (HSR) as a disaster recovery solution (DR), after each failover, manual intervention was required to activate the backups. Now, with this new feature in preview, you get instant and continuous protection for your HANA System Replication configuration, without the need for any manual intervention.

Azure Site Recovery

New DR architecture for VMware machines

In ASR it has been made easier, reliable and modern mechanism to protect VMware virtual machines. Among the main improvements it is worth mentioning:

Stateless ASR Replication Appliance: the Configuration Server and its local components have been converted to a stateless ASR replication appliance. This choice simplifies the discovery and failback process, introducing the option to select any appliance, without having to configure any master target server or process server.
Automatic updates for the ASR replication appliance and for the mobility agent. A problem felt with the classic architecture was the need to manually update the various components of the Configuration Server and the mobility agents. To make things easier, automatic updates have been introduced.
More flexible scalability. The replication appliance constitutes a single management unit and all its components have been converted into microservices hosted in an Azure environment. This not only makes it easier to troubleshoot any problems, but managing scalability is also much easier.
High availability for appliances. With modern architecture, it is no longer necessary to perform regular backups of the appliance. In fact,, just start another appliance and switch all machines to the new appliance. The replicated items will be transferred to the new appliance, without having to repeat the full replication.

New Update Rollup

For Azure Site Recovery was released theUpdate Rollup 64 that solves several issues and introduces some improvements. The details and the procedure to follow for the installation can be found in the specific KB.

Migrate

Azure Migrate

Discovery and assessment aimed at migrating SQL Server to Azure

The new SQL discovery and assessment capabilities in Azure Migrate allow you to map the environment and evaluate availability, the costs and any blocks in moving these instances to Azure IaaS and PaaS. Thanks to this tool it is possible to detect the most valid and convenient Azure target for the analyzed SQL instances. Furthermore, this information can be downloaded in a specific report.

New Azure Migrate releases and features

Azure Database Migration

Migration from Oracle to Azure with Database Migration Assessment for Oracle
Database Migration Assessment for Oracle, an Azure Data Studio extension powered by Azure Database Migration Service, now allows you to do an assessment for migration from Oracle Database to Azure Database for PostgreSQL. The assessment includes recommendations for database migration and an assessment of the code complexity of the databases. Through the same tool, customers can get recommendations on targeted sizing for Oracle Database migration to Azure Database for PostgreSQL and Azure SQL, including Azure SQL Database Hyperscale, ideal for large workloads up to 100 TB. With these new features, Migration planning is made easier for Oracle customers who want to modernize their data assets with Azure-managed databases.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure Management services: what's new in September 2022

In September there were several news that Microsoft announced regarding Azure management services. This article lists the main announcements, accompanied by the necessary references to be able to conduct further studies on.

The following diagram shows the different areas related to management, which are covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.

Monitor

Azure Monitor

Monitors for VM and AKS clusters based on Arm

Azure Monitor introduced support for Ampere Altra Arm-based Azure virtual machines and Azure Kubernetes service consisting of Arm nodes.

Update required for MMA using SSL v1

Starting November 1st 2022, Azure will no longer accept connections from previous versions of the Operations Manager agent, also known as the Microsoft Monitoring Agent (MMA), using SSL V1. If the Operations Manager agent is configured to send data to Log Analytics, the agent must be updated to the latest version by that date.

Expected retirement of ITSM connector for ServiceNow

Microsoft announced that the 30 September 2025 the Azure Monitor ITSM connector for creating alerts in ServiceNow will be retired. For those who use this integration, it will be possible to create incidents or events using the appropriate Secure Webhook.

Govern

Azure Policy

Azure Policy built-in per Azure NetApp Files

Microsoft has introduced built-in policies related to Azure NetApp Files to allow administrators to restrict the creation of unprotected NFS volumes and to more easily control existing volumes.

Azure Cost Management

Updates related toMicrosoft Cost Management

Ability to monitor budgets from the Azure app for mobile devices.
Ability to obtain detailed information on possible savings directly from cost analysis (preview).

Secure

Microsoft Defender for Cloud

New features, bug fixes and deprecated features of Microsoft Defender for Cloud

Defender for Servers support for File Integrity Monitoring functionality using the Azure Monitor Agent.
The addition of identity recommendations.

Protect

Azure Backup

Reserved capacity per Azure Backup Storage

To optimize costs, it is possible to purchase the Azure Backup Storage capacity in reserved capacity mode. The reservation will automatically apply to the selected Backup Storage and will be available on an annual basis with a discount until 16% or on a three-year basis with a discount of 24%.

Alert in Azure Monitor

Thanks to this integration between Azure Monitor and Azure Backup it is possible to generate alerts for critical events related to the security of backups and in case of errors in the protection of resources. To monitor these alerts, you can use the Azure Monitor dashboard or the Backup center. Thanks to this integration it is also possible to route these alerts to different notification channels.

Migrate

Azure Migrate

New Azure Migrate releases and features

The introduction of support for suspending and resuming replicas of VMs in progress, without having to perform a full replication again.
Advanced notifications regarding migration completion status and migration testing.
Detection of Java web apps on Apache Tomcat running on Linux servers hosted in VMware environments.
For ASP.NET web apps the possibility of carrying out an advanced data collection, including detection of database connection strings, directories and authentication mechanisms.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure Management services: what's new in August 2022

Microsoft constantly releases news about Azure management services. By publishing this summary, we want to provide an overall overview of the main news released in the last month. This allows you to stay up-to-date on these topics and have the necessary references to conduct further investigations.

Monitor

Azure Monitor

Azure Monitor metric alerts: improvement in learning the thresholds

The “metric alerts” of Azure Monitor with dynamic threshold detection, use machine learning algorithms (ML) advanced tools to learn the historical behavior of metrics and identify patterns and anomalies that indicate possible problems in services. Thanks to the introduction of this new feature, prolonged interruptions are automatically recognized and these interruptions are removed from the trend in order not to distort the results. In this way, much better thresholds are obtained that adapt to the data and can detect problems in services with the same sensitivity before the interruption.

VM insights and the use of the new Azure Monitor agent (preview)

Currently, in order to use Azure Monitor VM insights you need to install, on board each virtual machine or virtual machine scale set to be monitored, the Log Analytics agent and the dependency agent. Thanks to the release of this new feature (preview) VM insights will use the new Azure Monitor agent, instead of the Log Analytics agent.

There are several features that are obtained with this preview:

Easy configuration, using the data collection rule, to collect the performance counters of VMs and specific data types.
Ability to enable and disable processes and dependency data that generate the Map view, thus obtaining a consequent cost optimization.
Improvement of security and performance resulting from the use of the Azure Monitor agent and managed identity.

Managed identity-based authentication to enable Azure Monitor container insights (preview)

Container insights now supports integration through the Azure Monitor agent for AKS clusters (Linux nodes) and for Arc-enabled clusters. This agent collects performance and event data from all cluster nodes and is automatically deployed and registered with the Log Analytics workspace. With the Azure Monitor agent, container insights also supports managed identity authentication for AKS and Arc-enabled clusters. This is a secure and simplified authentication model in which the monitor agent uses the managed identity of the cluster to send data to Azure Monitor. This new authentication mechanism replaces local authentication based on certificates and eliminates the need to add a specific role to the cluster. System-assigned identities and user-assigned identities are supported.

Availability in new regions

Azure Monitor Log Analytics is available in the following new regions:

China North 3
China East 3

To check the availability of the service in all the Azure regions you can consult this document.

Govern

Azure Policy

Policy to block the deployment of potential vulnerable images

To protect Kubernetes clusters and their container-based workloads from potential attack attempts, it is now possible to create restrictions in the deployment of images that contain vulnerabilities in their software components. Thanks to this feature it is possible to use Azure Policy and Azure Defender for Containers to identify vulnerabilities and apply related patches before making deployments.

Azure Cost Management

Updates related toMicrosoft Cost Management

Microsoft is constantly looking for new methodologies to improve Microsoft Cost Management, the solution to provide greater visibility into where costs are accumulating in the cloud, identify and prevent incorrect spending patterns and optimize costs . Inthis article some of the latest improvements and updates regarding this solution are reported. In particular, it should be noted the possibility to consolidate and manage various Azure Active Directory tenants from a single Billing account of the Microsoft Customer Agreement (MCA).

Azure Arc

Azure Arc-enable Servers: availability in new regions

Azure Arc-enable Servers is available in the following new regions:

China East 2 (preview)
China North 2 (preview)
South Africa North

Secure

Microsoft Defender for Cloud

New features, bug fixes and deprecated features of Microsoft Defender for Cloud

Automatic deployment of the Azure Monitor agent (preview)
Deprecated alerts regarding suspicious activity related to a Kubernetes cluster

Protect

Azure Site Recovery

New Update Rollup

For Azure Site Recovery was released theUpdate Rollup 63 that solves several issues and introduces some improvements.

Among the main improvements introduced by this version of the ASR components, we find:

Oracle Linux support 8.6 for Linux OS/Azure to Azure and for VMware/Physical to Azure
The ability to migrate existing replication jobs from classic to modern mode for VMware virtual machines (see next paragraph “Upgrade to adopt VMware's modern VM replication experience”)

The details and the procedure to follow for the installation can be found in the specific KB.

Upgrade to adopt VMware's modern VM replication experience

In ASR the possibility of migrating has been introduced, VMware virtual machines protected by Azure Site Recovery, from the classical experience to the modern one recently introduced. The classic mode involves the replication of VMware VMs using the Configuration Server, while the modern mode involves the adoption of the ASR replication appliance. The migration process, towards the modern mode, which was introduced provides:

A detection mechanism that allows you not to have to repeat the initial replication of protected systems.
The calculation of the necessary migration times, in order to have all the elements necessary for proper planning.
A robust rollback mechanism, to restore the initial situation (classic mode) if any problems arise.

The adoption of the modern replication mechanism is recommended by Microsoft as it improves security, reduce the management effort and simplify the environment.

Migrate

Azure Migrate

New Azure Migrate releases and features

Ability to perform the discovery and assessment of SQL environments in Microsoft Hyper-V and physical / bare-metal systems, as well as on the IaaS services of other public clouds.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure Management services: what's new in July 2022

Microsoft is constantly announcing news regarding Azure management services and as usual this monthly summary is released. The aim is to provide an overview of the main news of the month, in order to stay up to date on these topics and have the necessary references to conduct further exploration.

Monitor

Azure Monitor

Azure Monitor for SAP Solutions (preview)

Azure Monitor has launched a new version, called Azure Monitor for SAP solutions (AMS), for the SAP solutions monitor (preview). This new version allows, for SAP workloads in Azure, to collect SAP information and telemetry. This solution is useful for both SAP BASIS teams and infrastructure teams who can consult the information collected in a single location.

Migration tools for the Azure Monitor Agent (preview)

The Azure Monitor Agent (AMA) offers a secure way, economically convenient, simplified and performing for the collection of telemetry data from Azure virtual machines, from Virtual Machine Scale Set, from Arc-enabled servers and Windows clients. Migration from the Log Analytics agent (MMA or OMS agents) it must take place by August 2024. To make this process easier for you, Microsoft is providing dedicated agent migration tools, that allow you to automate the migration process. For further details you can consult the Microsoft's official documentation.

Azure Monitor Agent: support for User-assigned Managed Identity (preview)

The new Azure Monitor Agent (AMA) now supports User-assigned Managed Identities in preview. Thanks to this support, it is possible to use the policies to distribute the extension of the AMA on virtual machines and on virtual machine scale sets. User-assigned Managed Identities allow for greater scalability and resilience than System Assigned Identities, thus becoming the recommended method for large-scale installations using extensions.

Configure

Update management center (preview)

Update management center is the new solution that helps centrally manage and govern updates of all machines. It works without the need for onboarding, as it is a solution that is natively based on the Azure Compute platform and Azure Arc-enabled servers. This solution will soon take the place of Update Management of Azure Automation, removing any dependency on Azure Automation and Log Analytics. Update management center is, today, able to manage and govern updates on:

Windows and Linux operating systems
Machines residing in Azure, locally and on other cloud platforms, thanks to Azure Arc

Among the main strengths of the new solution we find:

Centralized visibility of updates

Native integration and zero onboarding

Integration with Azure roles and identities

High flexibility in managing updates

Govern

Azure Cost Management

Updates related toMicrosoft Cost Management

Secure

Microsoft Defender for Cloud

New features, bug fixes and deprecated features of Microsoft Defender for Cloud

Cloud-native security agent for Kubernetes runtime protection
Support for language package detection introduced in the VA of Defender for Container (preview)
Vulnerability protection CVE-2022-29149 of Operations Management Suite

Protect

Azure Backup

Smart tiering: automatic move to the vault-archive tier (preview)

Azure Site Recovery

Mitigated Azure Site Recovery vulnerabilities

Microsoft has corrected a number of Azure Site Recovery vulnerabilities (ASR) releasing updates on 12 July, during Microsoft's regular update cycle. These vulnerabilities affect all customers using ASR in a VMware / Physical to Azure replication scenario. These vulnerabilities have been corrected in the latest version of ASR 9.49. For more information you can consult this bulletin.

New Update Rollup

For Azure Site Recovery was released theUpdate Rollup 62 which solves various problems and introduces some new features, among which:

Support for Linux OS / Azure to Azure: RHEL 8.6 and Cent OS 8.6
Support for VMware / Physical to Azure: RHEL 8.6 and Cent OS 8.6
Support for configuring “proxy bypass” for VMware and Hyper-V replicas, using private endpoints.

The related details and the procedure to follow for installation can be found in specific KB.