Microsoft Azure Arc Servers On-Premises and Azure Cloud Services
Earlier I wrote a blogpost about Microsoft Azure Arc services installation to manage on-premises Servers with Azure Cloud Services, like Azure Monitor and Azure Security Centre from the Cloud.
Here in this post you will see the Newest Microsoft Azure Cloud Services to Manage and Monitor your Servers on-premises with security and compliance included.
Azure Arc Extensions settings of the Server.
Here you can see we have installed the Microsoft Monitoring Agent for Azure Monitor and log analytics, second we have installed the dependency Agent for Windows for
insights, Performance and Service maps. Here you find more information about Virtual machine extension management with Azure Arc for servers (preview)
After initial deployment of the Azure Arc for servers (preview) Connected Machine agent for Windows or Linux, you may need to reconfigure the agent, upgrade it, or remove it from the computer if it has reached the retirement stage in its lifecycle. You can easily manage these routine maintenance tasks manually or through automation, which reduces both operational error and expenses.
The Azure Arc Insights Performance monitor is there by default and installed with the following dashboards :
CPU Utilization
Available Memory
Logical disk IOPS
Logical disk MB/s
Logical disk Latency
Max logical disk used %
Bytes Sent Rate
Bytes Received Rate
Azure Arc Logs Analytics
Of course you can make your own custom Dashboards in the Azure Portal with your own triggers, so in this way you get the same Azure Monitor Innovative Tools for your On-Premises Servers. 😉
Within Microsoft Azure Arc Insights, you can also see a Service Map of the Server
Here is were the dependency agent comes in, you get a service map of the Server and see the communication lines with other resources. In this picture you see Server Yoda01 a Domain Controller of my MVPLAB.
You can see that there are three Clients are logged on the domain controller.
Microsoft Azure Security Center for Azure Arc Servers
One of the most powerful and important features of Microsoft Azure Cloud platform is Security! Microsoft Azure Security Center (ASC) is a unified infrastructure security management system that strengthens the security posture of your data centers, and provides advanced threat protection across your hybrid workloads in the cloud – whether they’re in Azure or not – as well as on premises.
Here you see my Azure Arc Servers (On-Premises) in Azure Security Center.
Azure Arc Server in Azure Security Center recommendations Summary
Five security assessments passed the test, but Azure Security assessment has two recommendations one is Medium Risk and one low.
Here you see the Security advise and the Remediation to take action on your Server.
Microsoft Azure Security Center Overview with the Overall Secure Score.
Security controls – Each control is a logical group of related security recommendations, and reflects your vulnerable attack surfaces. A control is a set of security recommendations, with instructions that help you implement those recommendations. Your score only improves when you remediate all of the recommendations for a single resource within a control.
To immediately see how well your organization is securing each individual attack surface, review the scores for each security control.
To get your Azure Arc Servers (On-premises) complaint for the business and security, you can use Microsoft Azure Arc Policies
Azure Arc Policies to meet your Compliance state.
Conclusion
Microsoft is bringing Azure Cloud Power tools everywhere with Azure Arc Services to give you modern tools like Azure Monitor and Azure Security Center to keep you in control, Secure and Compliant for your business. Keep following Microsoft for Hybrid IT Management, because more awesome features are added every day in Microsoft Azure Cloud Services. Let’s start to get your Azure Security Score UP and UP 😉
Azure Private Link provides the following benefits:
Privately access services on the Azure platform: Connect your virtual network to services in Azure without a public IP address at the source or destination. Service providers can render their services in their own virtual network and consumers can access those services in their local virtual network. The Private Link platform will handle the connectivity between the consumer and services over the Azure backbone network.
On-premises and peered networks: Access services running in Azure from on-premises over ExpressRoute private peering, VPN tunnels, and peered virtual networks using private endpoints. There’s no need to set up public peering or traverse the internet to reach the service. Private Link provides a secure way to migrate workloads to Azure.
Protection against data leakage: A private endpoint is mapped to an instance of a PaaS resource instead of the entire service. Consumers can only connect to the specific resource. Access to any other resource in the service is blocked. This mechanism provides protection against data leakage risks.
Global reach: Connect privately to services running in other regions. The consumer’s virtual network could be in region A and it can connect to services behind Private Link in region B.
Extend to your own services: Enable the same experience and functionality to render your service privately to consumers in Azure. By placing your service behind a standard Azure Load Balancer, you can enable it for Private Link. The consumer can then connect directly to your service using a private endpoint in their own virtual network. You can manage the connection requests using an approval call flow. Azure Private Link works for consumers and services belonging to different Azure Active Directory tenants.
Learn how to secure your Azure PaaS resources with Azure Private Link today at The Azure Academy :
Microsoft Windows Admin Center for Hybrid IT Management
I really like to work with Microsoft Windows Admin Center for managing my Hybrid workloads Windows Servers in Azure Cloud Services but also our On-premises Servers on Hyper-V and VMware platform. Even our physical Windows Servers can be managed from Windows Admin Center.
You can extend on-premises deployments of Windows Server to the cloud by using Azure hybrid services. These cloud services provide an array of useful functions, including the following:
Protect virtual machines and use cloud-based backup and disaster recovery (HA/DR) with Azure Site Recovery.
Track what’s happening across your applications, network and infrastructure with the help of advanced analytics and machine learning in Azure Monitor.
Simplify network connectivity to Azure with Azure Network Adapter.
Keep virtual machines up to date with Azure Update Management.
Azure hybrid services work with Windows Servers in the following configurations:
Stand-alone physical servers and virtual machines (VMs)
I’m working with Windows Admin Center since day one, and you see the hybrid management tool evolving with great new features to make your life as an Administrator more easier. For example you get notifications when there are updates in extensions.
Notification details about update Extensions
When you click on the link “Go to Extensions” you will see the Extensions installed and the Updates which you can install from there.
Here you see an Azure Security Center Extension update.
There are not only Microsoft extensions, but also third party solution extensions and you could build your own extension for your solution. Here you find all the information about Windows Admin Center Extensions
Third Party Windows Admin Center Extensions
Installing a New extension is easy to do, the Azure Cloud Shell (Preview) was the last extension I installed in my Azure MVP Lab to work with. Azure Cloud Shell is an interactive, authenticated, browser-accessible shell for managing Azure resources. It provides the flexibility of choosing the shell experience that best suits the way you work, either Bash or PowerShell. Cloud Shell enables access to a browser-based command-line experience built with Azure management tasks in mind. So how does this look in Windows Admin Center?
Install the Azure Cloud Shell (Preview) Extension
You find the Installed Azure Cloud Shell in the pulldown menu of WAC
For Management of your Windows Servers you need some tools and consoles. Windows Admin Center is supporting you to get the Management consoles in one place to do your administration and updates.
The next tree Features are in Windows Admin Center to manage your Windows Server.
Powershell inside WAC of my Domain Controller
Windows PowerShell is a task-based command-line shell and scripting language designed especially for system administration. Built on the .NET Framework, Windows PowerShell helps IT professionals and power users control and automate the administration of the Windows operating system and applications that run on Windows.
Here you find more information about Windows Commands
Windows Update in Windows Admin Center.
Of course you need to update your Windows Servers, and what I like in WAC is that you get the information if an update needs a reboot before you click on Install Updates. This option is good for my Azure MVP Lab but when you need to update more then 100 Servers, you would do that centrally managed like with Update Management solution in Azure
Windows Remote Desktop in WAC
Remote Desktop is one of the Features of Windows Admin Center, to take over the desktop for installations of Applications for example.
Windows Admin Center got a lot more Features and Tools to Manage your Windows Servers in a Hybrid world.
Like these :
Storage
Security
System Insights
Scheduled Tasks
Installing Roles and Features of Windows Server
Registry
Processes running on your Windows Server
Managing and deploying Clusters
and much More………
You can install the following Resources to Manage with WAC
Windows Admin Center Overview
Conclusion:
Microsoft Windows Admin Center is the New Management tool for your Hybrid IT Management to Controle your Servers for your Business. It got all the Management consoles covered of Windows Servers to manage from one tool.
It’s easy to use and It keeps you Up-to-date of what is happening on your Windows Server but also what is New and updated. With Microsoft Windows Admin Center your are learning on the job and that’s what I Like 😉
Hope you will use Microsoft Windows Admin Center too for your Business, download it here for Free!
The world of data is moving and changing a lot with new IT technologies coming up like leaves on a tree.
Data is everywhere, on Servers, workstations, BYOD Devices in the Cloud but how do you keep your data save and protected for your business today and in the future? There are a lot of reasons why you should Backup your data :
One of your employees accidentally deleted important files for example.
Your data got compromised by a virus.
Your Server crashed
You have to save your data for a period of time by Law
And there will be more reasons why you should do backup…………….
A lot of Enterprise organizations are moving to the Cloud with workloads for the Business, but how is your Backup and Disaster Recovery managed today? A lot of data transitions are made but what if your Backup and Disaster Recovery solution is out dated or reaching end of Life? You can have a lot of Questions like :
What data should I backup?
Should I just upgrade the Backup Solution?
How can I make my Data Management Backup -DR Solution Cheaper and ready for the future?
How can I make my new Backup-DR Solution independent? ( Vendor Lockin)
And there will be more questions when you are in this scenario where you have to renew your Backup – DR Solution.
Here we have the following Great Backup Solution from 2014 :
Offsite Microsoft DPM Backup Solution since 2014
Here we have 3 System Center Data Protection Manager Backup Pods with a Tape library and One DPM pod connected with a Microsoft Azure Backup Vault in the Cloud. You do the Security updates and the Rollups for Windows Server 2012 R2 and System Center Data Protection Manager 2012 to keep the Solution save and running.
Long Time Protection to Tape
DPM 2012 Server with direct attached Storage for Short time protection
The four DPM Backup Pods have the same Storage configuration for short time protection with a retention time of 15 days. After that Longtime protection is needed with Backup to tape and Backup to Microsoft Azure Backup Vault.
Since 2014 the Backup data is depending on these solution configurations.
Tape Management cost a lot of time and money
The fourth DPM Backup pod got a Azure Backup Vault in the Cloud to save Tape Management time.
DPM Backup to Microsoft Azure Cloud Backup Vault.
So this is the Start of the Journey to a New Data Management Backup – DR Solution transformation. The next Couple of weeks I will search for the different scenarios and solutions on the Internet and talk with the Community looking for Best Practices. I will do Polls on Social Media and a Serie of blogposts for the Data Management Backup – DR Solution to keep the business continuity.
Will it be a Cloud Backup – DR Solution?
Will it be a Hybrid Cloud Backup – DR Solution?
Everything in One Management Console?
Or More then One Backup -DR Solution for the right Job?
We will see what the journey will bring us based on Best Practices 😉
Microsoft Azure Cloud Services is evolving really fast with New solutions and features every day for your business. In the following step-by-step guide we will see all the options and features when you create a virtual machine in the Azure Cloud. For this you need a Microsoft Azure subscription to start. When you are in the Azure Portal you begin with + Create a Resource and from there you see all the create items. Click on Computeand you will see the picture above what you can create. I’m going to create a Windows Server 2019 datacenter edition Virtual Machine in the Microsoft Azure Cloud. In the Azure Portal is a step by step wizard to help you with your choices.
Basic tab
We start by selecting the right Azure subscription ( if you have Multiple) like a Hub-Spoke model design
you can choose for your deployment. Then select a Resource Group or Create New. I made a new Resource Group called RSG-Winserv.
When you go further down, you must give your Virtual Machine a name and select the Microsoft Azure region where your VM will run. I Choose West Europe because I life in the Netherlands. For availability options of the Virtual Machine you can choose out of three options :
No infrastructure redundancy required
Availability zone
Availability set
Availability Zones is a high-availability offering that protects your applications and data from datacenter failures. Availability Zones are unique physical locations within an Azure region. Each zone is made up of one or more datacenters equipped with independent power, cooling, and networking
An Availability Set is a logical grouping capability that you can use in Azure to ensure that the VM resources you place within it are isolated from each other when they are deployed within an Azure datacenter. Azure ensures that the VMs you place within an Availability Set run across multiple physical servers, compute racks, storage units, and network switches
Microsoft Azure got a lot of software operating images, I installed Windows Server 2019 Datacenter but have a look at Browse all Public and Private images :
Small Disk Images
More images like Kali and Red Hat
The next step is the VM Size, the “hardware” requirements of the Virtual Machine. When you choose your VM size you have to know the possibilities and feature set of the Virtual Machine. This articledescribes the available sizes and options for the Azure virtual machines you can use to run your Windows apps and workloads. It also provides deployment considerations to be aware of when you’re planning to use these resources.
Here is Microsoft Azure showing 250 different VM sizes
In this window you see the following items of the Virtual Machine specs :
VM Size
Offering
Family
vCPUs
Memory RAM
Data Disks
Max IOPS
Temporary Storage
Premium Disks (Yes or No)
Cost / Month Estimated
So pick the right VM Size for your solution to do the job.
Allow Public Internet Inbound Port Rules
If you need this for example a website, then you can set it right away, but you can set it on None and change the Network Security Group (NSG) or Azure App Gateway or Azure Firewall later and keep it Closed for now. I will show this in the NSG later to get RDP access.
Hybrid Benefit
You can enable great savings in Azure with Windows Server Software Assurance by using Azure Hybrid Benefit for Windows Server. Azure Hybrid Benefit for Windows Server allows you to use your on-premises Windows Server licenses and run Windows virtual machines in Microsoft Azure at a reduced cost (i.e. at Linux rates). You can use your licenses for Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. The Azure Hybrid Benefit for Windows Server is applicable to Windows Server Standard and Datacenter editions as well as other versions obtained via custom images. With Azure Hybrid Benefit for Windows Server, you can save 40 percent or more1 on Windows Server virtual machines by paying only the base compute2 rates—adding value to your Software Assurance investments. The benefit is available across all Azure regions. Read more here
Disks tab
Disk storage is important for performance, that’s why you can choose for Standard HDD, Standard SSD or
Premium SSD for your OS Disk. When your server need a Data disk, you can add it here or later on.
Here you can read more on Managed disks What disk types are available in Azure?
Networking tab
Here you create your Virtual Network / subnet with a public IP. You can see here when you choose for a specific Virtual machine, you can not use accelerated networking because It’s not supported by the VM size selection.
Here you can choose for a Load Balancer or a Application Gateway
Azure Application Gatewayis a web traffic load balancer that enables you to manage traffic to your web applications. Traditional load balancers operate at the transport layer (OSI layer 4 – TCP and UDP) and route traffic based on source IP address and port, to a destination IP address and port.
Azure Application Gateway
With Azure Load Balancer, you can scale your applications and create high availability for your services. Load Balancer supports inbound and outbound scenarios, provides low latency and high throughput, and scales up to millions of flows for all TCP and UDP applications.
Load Balancer distributes new inbound flows that arrive on the Load Balancer’s frontend to backend pool instances, according to rules and health probes.
Additionally, a public Load Balancer can provide outbound connections for virtual machines (VMs) inside your virtual network by translating their private IP addresses to public IP addresses.
Azure Load Balancer is available in two SKUs: Basic and Standard. There are differences in scale, features, and pricing. Any scenario that’s possible with Basic Load Balancer can also be created with Standard Load Balancer, although the approaches might differ slightly. As you learn about Load Balancer, it is important to familiarize yourself with the fundamentals and SKU-specific differences.
Management tab
When you have deployed your virtual machine, you want to manage it like monitoring and backup for example.
You can do these options also after the Virtual Machine deployment.
Backup of the Virtual Machine can be added when you deploy the VM.
I have a existing Backup Vault called WACvault1
From here you can create your own backup recovery Vault with your Own backup policy and retention times.
The feature provides Azure services with an automatically managed identity in Azure AD. You can use the identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code. What is managed identities for Azure resources?
Advanced tab
In the advanced tab you can select extensions for your Virtual Machine. These are add-ons and will installed during the deployment. You can now also select Gen 2 VM in Preview. Microsoft Azure has a lot of extensions for your Virtual machine :
List of extensions for your VM
Click on Create for adding Microsoft Antimalware on your VM
Select the options and exclusions
Tags tab
Here you can Tag your deployment
After you apply tags, you can retrieve all the resources in your subscription with that tag name and value. Tags enable you to retrieve related resources from different resource groups. This approach is helpful when you need to organize resources for billing or management. Read more on Tags here
At this moment the validation has passed for deployment with all your settings, but don’t forget to have a look at “Download a template for Automation” before you hit Create.
Here you can download or save the JSON ARM Template
When you you go Back and click on Create the Virtual Machine, this will deploy the VM in Minutes.
The following Azure items are deployed in RSG-Winserv
Now your Virtual Machine is deployed in Microsoft Azure Cloud and is running, you can have a look at all the features of the Virtual Machine in the Portal.
To connect to the Virtual Machine you have to Manage access for your RDP session via the NSG in my case:
Double click on the NSG
I added a new rule to give my IP-address access to the VM
From here you can access the Windows Server 2019 Datacenter Virtual Machine in Microsoft Azure Cloud.
Management of your Virtual Machine
When your Azure Virtual Machine with Windows Server 2019 is running, you want to monitor the VM and see what is happening inside the Virtual Machine. Azure Monitor Insights can help you with this.
Health State of the VM
Connections
When Microsoft Azure Monitoring is on and running you want have important alerts on your Mobile by sms or
via E-mail notification to take action.
Alerts on Winserv2019 VM
High CPU Alert
Here we make an Alert about the CPU which is going higher then 80% average.
Making an Action group for email notification of the Alert
Action Group made
Alert made for the VM
Alert details
Alert rule is set and running for this Virtual Machine.
Conclusion
You can create every virtual machine you want for your business, Windows Server or Linux..
You can mange your own performance for the VM on demand by selecting the right VM Size.
You can set Networking and High Availability
You can set Disk Performance for your IOPS
You can configure your management settings and dashboard for Monitoring.
Security can be set on different levels.
Backup of the Virtual Machine can be set with the right policy before deployment.
and more…….
And keep watching your Azure Advisor for better changes :
New Advise will come !
and of course there are more features and options on this Virtual Machine, Have a look :
Advisor is a personalized cloud consultant that helps you follow best practices to optimize your Azure deployments. It analyzes your resource configuration and usage telemetry and then recommends solutions that can help you improve the cost effectiveness, performance, high availability, and security of your Azure resources.
With Advisor, you can:
Get proactive, actionable, and personalized best practices recommendations.
Improve the performance, security, and high availability of your resources, as you identify opportunities to reduce your overall Azure spend.
Get recommendations with proposed actions inline.
You can access Advisor through the Azure portal. Sign in to the portal, locate Advisor in the navigation menu, or search for it in the All services menu.
The Advisor dashboard displays personalized recommendations for all your subscriptions. You can apply filters to display recommendations for specific subscriptions and resource types. The recommendations are divided into four categories:
High Availability: To ensure and improve the continuity of your business-critical applications. For more information, see Advisor High Availability recommendations.
Security: To detect threats and vulnerabilities that might lead to security breaches. For more information, see Advisor Security recommendations.
The Microsoft Azure Cloud is always on the move with better features, Security, and Cost efficiency.
Azure Advisor will help you with all the changes and great features to keep you secure and up-to-date and lower your Cloud solution cost if possible.
Have a look at Azure Advisor and get your new Advise in your Microsoft Azure Subscription!
Building on the full range of existing Azure services, Azure Sentinel natively incorporates proven foundations, like Log Analytics, and Logic Apps. Azure Sentinel enriches your investigation and detection with AI, and provides Microsoft’s threat intelligence stream and enables you to bring your own threat intelligence.
Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response. Read more about Azure Sentinel Preview here
Watch live as technology leaders from across industries share the latest breakthroughs and trends, and explore innovative ways to create solutions. After the keynotes, select Microsoft Build sessions will stream live—dive deep into what’s new and what’s next for developer tools and tech.
Discover and experience new ways to build, modernize, and migrate your applications. Get hands-on experiences with tools like Azure Kubernetes Service (AKS) that can help you dynamically scale your application infrastructure.
Quickly and easily build, train, and deploy your machine learning models using Azure Machine Learning, Azure Databricks, and ONNX. Uncover insights from all your content—documents, images, and media—with Azure Search and Cognitive Services.
Join Microsoft for hands-on learning to discover how tools like Visual Studio live share can help you collaborate with your peers instantly.
Come learn how to build an end-to-end continuous delivery pipeline that is fast and secure with Azure DevOps technologies. Spend less time maintaining your toolset and more time focusing on customer value.
Understand how frameworks like Xamarin and .NET can help you reach customers on all platforms. Learn how to use the same languages, APIs, and data structures across all mobile development platforms.
Learn how mixed reality helps you bring your work and data to life when you need it, and where you need it. Start building secure, collaborative mixed reality solutions today using intelligent services, best-in-class hardware, and cross-platform tools.
Learn to connect your devices to the cloud using flexible IoT solutions that integrate with your existing infrastructure. Collect untapped data and form valuable insights that help you create better customer experiences and generate new streams of revenue.
