Tag: Azure Policy

Azure Friday - Manage and govern your hybrid servers using Azure Arc

Azure Friday: Manage hybrid servers using Azure Arc

Last Friday, I had the chance to join Donovan Brown on Azure Friday to talk about how you can manage and govern your hybrid servers using Azure Arc. I showed how you can manage and govern your Windows and Linux machines hosted outside of Azure on your corporate network or other cloud providers, similar to how you manage native Azure virtual machines. When a hybrid machine is connected to Azure, it becomes a connected machine and is treated as a resource in Azure. You can watch the full episode here on Microsoft Channel 9.


If you want to know more about Azure Arc and the Azure Hybrid services, check out the following blog post and Microsoft Docs articles:

In my other Azure Friday episode, I joined Scott Hanselman to talk about how you can connect Windows Server to Azure Hybrid Cloud services using Windows Admin Center, and how you can use other Azure Hybrid services to improve your on-premises environment. Check out my blog here.

I hope you liked this Azure Friday episode about how you can manage and govern your Windows and Linux machines hosted outside of Azure on your corporate network or other cloud providers, using Azure Arc for servers. If you have any questions, feel free to leave a comment. And yes, this is a Surface Pro X.



Azure Policy

Keep control of your Azure environment with Azure Policy

Keeping control of your Azure environment and your Azure tenant can be challenging. Azure Policy is a fundamental part of Azure Governance for maintaining that control. With Azure Policy, you enforce rules and effects over your resources so that they stay compliant with your corporate standards and service level agreements. For example, you can restrict deployments to specific virtual machine types and sizes, or block certain Azure regions from being used. Developers and IT Pros keep access to the Azure environment and subscriptions, but you stay in control of what they can deploy.

  • Real-time policy enforcement and evaluation
  • Cloud policy management and security at scale
  • Automated remediation of existing resources
  • Comprehensive compliance view of all your resources across your Azure subscriptions

You can also use Azure Policy purely to audit your environment rather than to enforce rules. With the Audit effect, non-compliant resources are flagged in the compliance view instead of the deployment being blocked, which is the safe way to evaluate a new policy before switching it to Deny.

Have a look at my other blog posts about:

Cloud-Native Governance

Why not just use RBAC?

Azure Policy is complementary to role-based access control (RBAC); both are part of the overall Azure Governance toolset.

There are a few key differences between Azure Policy and role-based access control (RBAC). RBAC focuses on user actions at different scopes: you might be added to the Contributor role for a resource group, allowing you to make changes to that resource group. Azure Policy focuses on resource properties, both during deployment and for already existing resources, and controls properties such as the types or locations of resources. Unlike RBAC, Azure Policy is a default-allow and explicit-deny system: anything a policy rule does not match is permitted, and a Deny effect is evaluated on every request regardless of the caller's role, so it applies even to a subscription Owner.
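As an added example (not code from the original post), the following PowerShell implements the "limit VM sizes and regions" rule from the Azure Policy section and walks through the audit-first, then deny workflow described above; it also shows the default-allow, explicit-deny behaviour from the RBAC comparison, since only VMs matching the rule are ever affected. It uses the Az.Resources and Az.PolicyInsights modules; the subscription id, resource group name, allowed locations and SKUs are placeholders to replace with your own.

```powershell
# Added example: custom Azure Policy that restricts VM location and SKU,
# assigned in Audit mode first and then switched to Deny.
# Requires Az.Resources and Az.PolicyInsights. All ids/names below are placeholders.
Connect-AzAccount

$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$rgName         = 'rg-dev-sandbox'                         # placeholder
Set-AzContext -SubscriptionId $subscriptionId
$scope = "/subscriptions/$subscriptionId/resourceGroups/$rgName"

# Policy rule: a VM is non-compliant when its location OR its SKU is not on the allow-list.
# Resources that do not match the "if" block are implicitly allowed (default allow, explicit deny).
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
      { "anyOf": [
        { "field": "location", "notIn": "[parameters('allowedLocations')]" },
        { "field": "Microsoft.Compute/virtualMachines/sku.name", "notIn": "[parameters('allowedVmSkus')]" }
      ]}
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@

# Parameters let one definition be assigned with different values and effects per scope.
$parameters = @'
{
  "allowedLocations": { "type": "Array",  "metadata": { "displayName": "Allowed locations", "strongType": "location" } },
  "allowedVmSkus":    { "type": "Array",  "metadata": { "displayName": "Allowed VM SKUs",   "strongType": "VMSKUs" } },
  "effect":           { "type": "String", "allowedValues": [ "Audit", "Deny" ], "defaultValue": "Audit" }
}
'@

$definition = New-AzPolicyDefinition -Name 'restrict-vm-location-and-sku' `
    -DisplayName 'Restrict VM location and SKU' -Mode 'All' `
    -Policy $rule -Parameter $parameters

# 1) Assign with effect = Audit: nothing is blocked, non-compliant VMs show up in the compliance view.
$assignmentParams = @{
    allowedLocations = @('westeurope', 'northeurope')          # placeholder allow-list
    allowedVmSkus    = @('Standard_B2s', 'Standard_D2s_v3')    # placeholder allow-list
    effect           = 'Audit'
}
New-AzPolicyAssignment -Name 'restrict-vm' -DisplayName 'Restrict VM location/SKU' `
    -Scope $scope -PolicyDefinition $definition -PolicyParameterObject $assignmentParams

# Policy state is evaluated periodically and on resource writes; trigger an
# on-demand scan so the audit results are available right away, then list findings.
Start-AzPolicyComplianceScan -ResourceGroupName $rgName
Get-AzPolicyState -ResourceGroupName $rgName -PolicyAssignmentName 'restrict-vm' `
    -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, ResourceLocation, Timestamp

# 2) Once the audit findings are understood, flip the same assignment to Deny:
#    from now on ARM rejects new or updated VMs that match the rule, whatever RBAC role the caller holds.
$assignmentParams.effect = 'Deny'
Set-AzPolicyAssignment -Name 'restrict-vm' -Scope $scope -PolicyParameterObject $assignmentParams
```

Existing VMs that were already non-compliant are not touched by the switch to Deny; they stay visible as non-compliant in the compliance view until they are changed or remediated. If you want to test a Deny rule without any risk of blocking a deployment, `New-AzPolicyAssignment -EnforcementMode DoNotEnforce` evaluates compliance without enforcing the effect.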



Azure Hybrid

Azure Arc – Cloud-native Management for Hybrid Cloud

Azure Hybrid is not just Azure Stack; it also includes a number of other Azure Hybrid services like Azure Update Management, Azure File Sync and many more. Today, Microsoft extended its hybrid cloud solutions and announced Azure Arc, which is designed to extend Azure management to any infrastructure. In a world where organizations run servers, containers and applications across multi-cloud environments, on-premises locations and the edge, managing these hybrid resources becomes challenging. Azure Arc enables cloud-native Azure management across any infrastructure and lets you deploy Azure data services anywhere. It includes hybrid server management, Kubernetes and Azure data services.

Azure Arc Overview

As you can see, Azure Arc consists of a set of different technologies and components:

  • Organize and govern all your servers – Azure Arc extends Azure management to physical and virtual servers anywhere. Govern and manage servers from a single scalable management pane. You can learn more about Azure Arc for servers here.
  • Manage Kubernetes apps at scale – Deploy and configure Kubernetes applications consistently across all your environments with modern DevOps techniques.
  • Run data services anywhere – Deploy Azure data services in moments, anywhere you need them. Get simpler compliance, faster response times, and better security for your data. You can learn more here.
  • Adopt cloud technologies on-premises – Bringing cloud-native management to your hybrid environment.

In this blog post, we will have a closer look at hybrid server management. If you want to know more about Azure Arc, check out the announcement blog post by Jeremy Winter, Director of Program Management, Microsoft Azure.

Cloud-native Azure management for hybrid environments with Azure Arc

By extending Azure Resource Manager to hybrid cloud environments, Azure Arc makes it easier to implement cloud security consistently across environments, with centralized role-based access control and security policies. Azure Management now gives you a single control plane for Azure native and Azure Arc resources.

Azure Management Overview

Hybrid Server Management

Today, Azure Arc allows you to onboard physical and virtual servers in your hybrid environment (on-premises, edge and multi-cloud). By joining servers to Azure Arc, you get the benefits you are used to from native Azure resources, like tags, RBAC and many more. In the preview, you can use Azure Management services like Azure Log Analytics and Azure Policy to make sure your servers are compliant across your hybrid environment.

Hybrid Server Management

I had the chance to have a very early chat with Jian Yan from the Azure Management team, a couple of weeks ago, about hybrid server management. Check out the video here:

Join the Preview

Azure Arc for servers is currently in public preview, while the previews for managing Kubernetes and data services require a sign-up. To enable hybrid server management, you must register the required resource providers in the subscription:

  • Microsoft.HybridCompute
  • Microsoft.GuestConfiguration

You can register the resource providers with the following Azure PowerShell commands:

```powershell
Connect-AzAccount                                   # Login-AzAccount is an alias of this cmdlet
Set-AzContext -SubscriptionId '<subscription you want to onboard>'
Register-AzResourceProvider -ProviderNamespace Microsoft.HybridCompute
Register-AzResourceProvider -ProviderNamespace Microsoft.GuestConfiguration
# Registration is asynchronous; wait until both report "Registered" before onboarding servers
Get-AzResourceProvider -ProviderNamespace Microsoft.HybridCompute, Microsoft.GuestConfiguration |
    Select-Object -Unique ProviderNamespace, RegistrationState
```

or with Azure CLI:

```bash
az account set --subscription "{Your Subscription Name}"
az provider register --namespace 'Microsoft.HybridCompute'
az provider register --namespace 'Microsoft.GuestConfiguration'
# registration is asynchronous; re-run until both print "Registered"
az provider show --namespace 'Microsoft.HybridCompute' --query registrationState -o tsv
az provider show --namespace 'Microsoft.GuestConfiguration' --query registrationState -o tsv
```

You can also run them from Azure Cloud Shell. If you want to know more, check out the following Microsoft Docs article.

Onboarding Servers to Azure Arc

As mentioned, we will have a closer look here at how you can onboard Linux and Windows servers to Azure Arc. The server can run Linux or Windows, be physical or virtual, and live on-premises or at another service provider. To onboard it, open Azure Arc in the Azure Portal and select Manage servers.

Azure Arc Portal

Here you will see your existing servers which you have on-boarded.

Azure Arc Server in Portal

You can click on Add, to add another server. You will be able to add a single server or get instructions to onboard servers at scale.

Add server to Azure Arc

A wizard then generates a script, which you can copy or download and run on your server. You select the subscription and resource group, as well as the region in which the connected machine resource is created.

You can also configure a proxy server if your server sits behind one. Because the connected machine is an Azure Resource Manager resource, you can assign tags to it as well. After you finish the wizard, you download or copy the command and run it on your server.

Generate Script

After you have run that command on your on-premises server, your server will show up as an Azure resource in a couple of minutes.
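The portal-generated script downloads the Azure Connected Machine agent, installs it and runs `azcmagent connect`. As an added example (not the portal's script and not code from the original post), here is an at-scale variant of that procedure for a Windows server, with the checks a hardened rollout should include: the installer's Authenticode signature is verified before installation, the service principal secret comes from an environment variable instead of being embedded in the script, and the agent's exit codes are checked. The tenant, subscription, resource group, service principal id, tags and proxy URL are placeholders.

```powershell
# Added example: non-interactive Azure Arc onboarding of a Windows server with a
# service principal. All ids, names, tags and the proxy URL are placeholders.
$tenantId       = '00000000-0000-0000-0000-000000000000'
$subscriptionId = '11111111-1111-1111-1111-111111111111'
$resourceGroup  = 'rg-arc-servers'
$location       = 'westeurope'
$spAppId        = '22222222-2222-2222-2222-222222222222'

# Never embed the service principal secret in a script that is copied to many
# servers: read it from an environment variable set for this run only.
$spSecret = $env:ARC_SP_SECRET
if (-not $spSecret) { throw 'ARC_SP_SECRET is not set' }

# Optional proxy: the agent only needs outbound HTTPS. Set it for this session
# and machine-wide so the agent service picks it up too.
$proxyUrl = $null                          # e.g. 'http://proxy.corp.example:8080'
if ($proxyUrl) {
    $env:https_proxy = $proxyUrl
    [System.Environment]::SetEnvironmentVariable('https_proxy', $proxyUrl, 'Machine')
}

# Download the agent and verify Microsoft's Authenticode signature before installing.
$ProgressPreference = 'SilentlyContinue'
$msi = Join-Path $env:TEMP 'AzureConnectedMachineAgent.msi'
$download = @{ Uri = 'https://aka.ms/AzureConnectedMachineAgent'; OutFile = $msi }
if ($proxyUrl) { $download.Proxy = $proxyUrl }
Invoke-WebRequest @download

$sig = Get-AuthenticodeSignature -FilePath $msi
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*Microsoft Corporation*') {
    throw "Refusing to install: signature status $($sig.Status), signer '$($sig.SignerCertificate.Subject)'"
}

$install = Start-Process msiexec.exe -Wait -PassThru `
    -ArgumentList "/i `"$msi`" /qn /l*v `"$env:TEMP\arc-agent-install.log`""
if ($install.ExitCode -ne 0) { throw "msiexec failed with exit code $($install.ExitCode)" }

# Connect: the server becomes a Microsoft.HybridCompute/machines resource in the
# target resource group, and the tags land on that ARM resource like on a native VM.
$azcmagent = Join-Path $env:ProgramFiles 'AzureConnectedMachineAgent\azcmagent.exe'
& $azcmagent connect `
    --service-principal-id $spAppId `
    --service-principal-secret $spSecret `
    --tenant-id $tenantId `
    --subscription-id $subscriptionId `
    --resource-group $resourceGroup `
    --location $location `
    --tags 'Datacenter=HQ,Owner=platform-team'
if ($LASTEXITCODE -ne 0) { throw "azcmagent connect failed with exit code $LASTEXITCODE" }

# Verify: the agent prints the resource id it registered and its connection state.
& $azcmagent show
```

Give the service principal only the built-in "Azure Connected Machine Onboarding" role, scoped to the target resource group (for example with `New-AzRoleAssignment -ApplicationId $spAppId -RoleDefinitionName 'Azure Connected Machine Onboarding' -Scope "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"` from an admin workstation), so a leaked secret can register machines but cannot read or change anything else in the subscription, and rotate that secret once the rollout is done.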

Use Windows Admin Center to onboard a server to Azure Arc

Windows Admin Center and Azure Stack HCI

If you are using Windows Admin Center on Windows Server or with Azure Stack HCI, you can also onboard servers directly from there. Go to the settings of the server and click on Azure Arc. Now you can sign in and select the specific subscription and resource group.

More

If you want to know more about the Azure Hybrid announcements at Microsoft Ignite 2019, check out the blog post of Julia White. If you want to know more about Azure Arc, check out the blog post from Jeremy Winter. If you have any questions about it feel free to leave a comment, or if you are at Microsoft Ignite, feel free to talk to me and the Azure team.

I will also host a Microsoft Ignite Live interview with Jian Yan, which you can watch live in Orlando or online.

Microsoft Ignite Live

Azure is built from the ground up to manage at-scale, cross-geography environments with multiple operational models and DevOps patterns. The vision is to keep Azure at the center of the enterprise as the control plane for governance, management, and modern development and bring the Azure management capabilities and services to any customer environment. In this session, we demo one of the extension services to enable you to bring servers from anywhere to Azure, and use Azure to get a compliance view for all your server assets.



Azure Stack Development Kit PowerShell Install

Developing Azure Stack compatible services in Azure using Azure Policies

As mentioned, Azure Stack brings a true hybrid cloud experience by providing a consistent platform from the public cloud to the private cloud. There is a catch, though: Azure Stack only offers a subset of the Azure public cloud services, since some of them need a specific scale or specialized hardware, and the services it does offer often lag behind in features and API versions, because Azure is updated daily while Azure Stack has a slower update cycle.

But what if you develop services on Azure that should also work on Azure Stack; how can you make sure they do? The answer is the Azure Stack Policy Module. It lets you constrain an Azure subscription to the same API versions and service availability as Azure Stack by using Azure Policy: Get-AzsPolicy from the module returns a policy rule that limits the resource types, services and API versions available in the scope, and you turn it into a policy definition and assignment with the New-AzureRmPolicyDefinition and New-AzureRmPolicyAssignment cmdlets. You can then use your Azure subscription to develop apps targeted at Azure Stack.

You can find the Azure Stack Policy Module in Azure Stack tools on GitHub.

Install the Azure Stack Policy Module

  1. Install the required version of the AzureRM PowerShell module, as described in Step 1 of Install PowerShell for Azure Stack.
  2. Download the Azure Stack tools from GitHub
  3. Configure PowerShell for use with Azure Stack
  4. Import the AzureStack.Policy.psm1 module:
    Import-Module .\Policy\AzureStack.Policy.psm1

Apply policy to subscription

The following command can be used to apply a default Azure Stack policy against your Azure subscription.

```powershell
Login-AzureRmAccount
$s = Select-AzureRmSubscription -SubscriptionName "<Azure Subscription Name>"
# Get-AzsPolicy (from AzureStack.Policy.psm1) returns the policy rule that limits services and API versions to what Azure Stack offers
$policy = New-AzureRmPolicyDefinition -Name AzureStackPolicyDefinition -Policy (Get-AzsPolicy)
$subscriptionID = $s.Subscription.SubscriptionId
New-AzureRmPolicyAssignment -Name AzureStack -PolicyDefinition $policy -Scope /subscriptions/$subscriptionID
```

Apply policy to a resource group

You may want to apply the policy more granularly, for example because other resources run in the same subscription. You can scope the assignment to a specific resource group, which lets you test your apps for Azure Stack using Azure resources in that group while leaving the rest of the subscription unrestricted.

```powershell
Login-AzureRmAccount
$rgName = 'myRG01'
$s = Select-AzureRmSubscription -SubscriptionName "<Azure Subscription Name>"
$subscriptionID = $s.Subscription.SubscriptionId   # needed for the scope below; missing in the original snippet
$policy = New-AzureRmPolicyDefinition -Name AzureStackPolicyDefinition -Policy (Get-AzsPolicy)
New-AzureRmPolicyAssignment -Name AzureStack -PolicyDefinition $policy -Scope /subscriptions/$subscriptionID/resourceGroups/$rgName
```

You can find more information about this on the official documentation page: https://docs.microsoft.com/en-us/azure/azure-stack/user/azure-stack-policy-module