Az Replace – Week 2 of the return editions


Hi there People!

This week’s updates all give attention to one thing we hear from IT professionals and platform engineers on a regular basis:

How can we make our environments safer, extra manageable, and simpler to modernize with out including extra complexity?

Whether or not you are operating PostgreSQL workloads in Azure, securing Kubernetes storage, or planning your subsequent wave of SQL Server migrations, this week’s bulletins carry sensible enhancements that may assist cut back operational overhead whereas strengthening your total platform technique.

We’ll take a look at three newly out there capabilities:

  1. Replace #1 – Usually Accessible: Microsoft Defender safety assessments for Azure Database for PostgreSQL Versatile Server
  2. Replace #2 – Usually Accessible: Encryption in Transit for Azure Recordsdata NFS Shares in Azure Kubernetes Service (AKS)
  3. Replace #3 – Usually Accessible: Increasing Azure Arc SQL Migration with SQL Server on Azure Digital Machines

As all the time, I am approaching these updates from an infrastructure and operations perspective. I will cowl why every functionality issues, what to be careful for earlier than manufacturing deployment, and a few sensible steps you’ll be able to take to begin evaluating them in your individual atmosphere.

Let’s dig in.

This launch brings automated safety posture evaluation straight into managed PostgreSQL environments. For ITPros, this issues as a result of database safety is usually handled individually from infrastructure safety tooling, creating blind spots and silos.

What modified is that Defender now runs native vulnerability scanning and compliance checks in opposition to PostgreSQL configurations, patches, and the methods a database may very well be uncovered to safety dangers or assault alternatives. As an alternative of counting on exterior scanners or handbook audits, you get platform-native assessments built-in along with your current Defender workflows.

The operational impression is critical: now you can implement safety baselines on the database layer with the identical consistency you apply to VMs and community assets, lowering the hole between infrastructure and knowledge safety accountability.

Operationally, this improves your safety baseline enforcement and reduces the necessity for separate database safety evaluation instruments. It additionally strengthens how effectively you’ll be able to display and show that safety controls are in place and dealing for compliance opinions the place regulators count on constant, documented safety controls.

Earlier than manufacturing rollout, validate that Defender value fashions suit your price range, that evaluation frequency aligns along with your change home windows, and that remediation steerage maps to your patch and upkeep processes.

Conditions embrace enabling Microsoft Defender for Cloud, registering the PostgreSQL Versatile Server supplier, and making certain community connectivity so assessments can attain the database endpoint.

  1. Allow Microsoft Defender for Cloud if not already energetic, and guarantee PostgreSQL Versatile Server subscription protection.
  2. Register the goal PostgreSQL Versatile Server cases and make sure Defender has community visibility to the database endpoints.
  3. Run a baseline evaluation and overview preliminary findings to know present safety posture and customary remediation patterns.
  4. Prioritise findings by severity and enterprise impression, then schedule patches and configuration adjustments in upkeep home windows.
  5. Monitor ongoing assessments and monitor remediation progress by way of Defender dashboards, validating that fixes cut back publicity scores.

This instance validates that Defender is actively assessing your PostgreSQL property. The sequence checks Defender standing, confirms PostgreSQL registration, and retrieves present evaluation scores.

Run these queries in a pilot subscription first to know knowledge construction and anticipated output earlier than scaling to manufacturing databases.

az account set --subscription  az safety sql-vulnerability-assessment baseline present --resource-group  --server-name  --database-name 

az safety pricing present --subscription  --query "[?name=='VirtualMachines' || name=='SqlServers' || name=='StorageAccounts'].[name,pricingTier]" -o desk

az supplier present --namespace Microsoft.DBforPostgreSQL --query "registrationState" -o tsv

Anticipated behaviour: Defender standing exhibits energetic, PostgreSQL cases are registered with the supplier, and pricing tier displays your protection degree. If assessments don’t run, verify community guidelines, managed id permissions, and Defender plan activation. If baseline knowledge is lacking, set off a handbook scan and watch for completion.

  1. Azure replace: Microsoft Defender safety assessments for Azure Database for PostgreSQL Versatile Server
  2. Microsoft Defender for Cloud overview
  3. Azure Database for PostgreSQL safety
  4. SQL vulnerability assessments in Defender for Cloud
  5. Allow Defender for Cloud

This launch closes a major hole in knowledge safety for Kubernetes workloads consuming NFS shares from Azure Recordsdata. Beforehand, NFS site visitors between AKS nodes and Azure Recordsdata was unencrypted, creating compliance and safety dangers for delicate workloads.

What modified is which you could now implement encryption for NFS communication on the Azure Recordsdata layer, not simply on the software layer. That is necessary as a result of conventional NFS lacks built-in encryption, and counting on community isolation alone is more and more inadequate.

For ITPros managing regulated workloads (healthcare, finance, PII-sensitive knowledge), this removes a management hole. Encryption in transit now turns into a platform-native characteristic as a substitute of a workaround, lowering structure complexity and bettering auditability.

The operational worth is stronger compliance posture and decreased assault floor for knowledge in movement between containers and storage. It additionally simplifies the safety story when auditors ask about knowledge safety controls.

Earlier than enabling in manufacturing, validate that NFS-over-TLS introduces acceptable latency overhead to your workload patterns, check failover and reconnection behaviour underneath encryption, and make sure that monitoring and logging nonetheless work appropriately.

Conditions embrace operating AKS with Azure CNI or Kubenet networking, having Azure Recordsdata with NFS 4.1 enabled, and making certain the NFS consumer libraries on container photographs assist TLS.

  1. Create an Azure Recordsdata NFS share with encryption in transit enabled and make sure TLS model alignment along with your safety requirements.
  2. Deploy a check AKS workload that mounts the NFS share and validate that pods mount efficiently with encrypted site visitors.
  3. Run efficiency baselines (throughput, latency, CPU overhead) earlier than and after enabling encryption to doc operational expectations.
  4. Monitor pod logs and Azure Recordsdata metrics throughout the check to verify no silent failures or sudden throttling happens.
  5. Roll out to manufacturing workloads in phases, with clear rollback standards tied to software latency and error charges.

This instance validates that your AKS cluster can efficiently mount NFS shares with encryption enabled. The sequence checks cluster networking, confirms NFS connectivity, and checks mount success.

Run these instructions in a non-production cluster first to validate atmosphere readiness earlier than touching manufacturing storage.

az aks present --resource-group  --name  --query "networkProfile.{networkPlugin:networkPlugin,networkPolicy:networkPolicy,podCidr:podCidr}" -o jsonc

az storage account present --resource-group  --name  --query "{identify:identify,sort:sort,accessTier:accessTier}" -o jsonc

kubectl get pvc -A --all-namespaces -o huge kubectl describe pv  | grep -i nfs

Anticipated behaviour: cluster networking is correctly configured, storage account sort helps NFS, and PVC/PV assets present NFS mount factors. If mounts fail, verify community safety group guidelines, storage account firewall allowances, and subnet delegation. If latency will increase, monitor useful resource utilisation and modify workload placement if wanted.

  1. Azure replace: Encryption in Transit for Azure Recordsdata NFS Shares in Azure Kubernetes Service (AKS)
  2. Azure Recordsdata NFS assist
  3. Mount Azure Recordsdata with NFS in AKS
  4. Azure storage safety
  5. AKS networking ideas

This functionality brings SQL Server migration into the Azure Arc operational footprint, making a unified migration and stock expertise. For ITPros, this issues as a result of SQL Server modernisation is usually fragmented throughout a number of instruments and groups.

What modified is which you could now uncover, assess, and execute SQL migrations by way of Arc-native workflows, utilizing the identical permissions and governance mannequin you have already got for infrastructure and hybrid assets.

The operational acquire is consistency: discovery knowledge feeds migration planning, assessments floor blockers early, and rollout may be managed by way of the identical change and approvals processes you utilize for different infrastructure migrations.

Operationally, this reduces tooling sprawl and improves coordination between infrastructure and database groups. Arc turns into your single management airplane for monitoring migration progress, managing runbooks, and amassing audit proof.

Earlier than manufacturing use, validate that your SQL Server stock is full, that migration blockers are understood and addressed, and that your upkeep home windows can accommodate anticipated cutover timings.

Conditions embrace Azure Arc agent deployment on supply VMs, Azure Database Migration Service readiness, and community connectivity to focus on Azure SQL assets.

  1. Deploy Azure Arc brokers to SQL Server VMs and make sure all cases report wholesome standing with full stock knowledge.
  2. Run Arc-integrated SQL Server assessments to determine compatibility points, dependencies, and advisable migration targets.
  3. Pilot migration for a non-critical workload to ascertain runbook patterns, measure cutover time, and validate post-migration validation procedures.
  4. Execute validation checks: connectivity, login success, database consistency checks, job execution, and software integration checks.
  5. Scale migration in waves utilizing documented runbooks, with gates for monitoring knowledge well being and software efficiency after every cutover.

This instance validates Arc agent well being and SQL Server discovery completeness. The sequence ensures your Arc infrastructure is prepared for migration workflows.

Run these instructions as a part of your pre-migration guidelines to catch configuration gaps earlier than committing to migration timelines.

az account present --output desk az connectedmachine listing --resource-group  --query "[].{identify:identify,standing:standing,osName:osName}" -o desk

az useful resource listing --resource-type Microsoft.AzureArcData/sqlServerInstances --query "[].{identify:identify,resourceGroup:resourceGroup,location:location}" -o desk

az connectedmachine machine extension listing --resource-group  --machine-name  --query "[].{identify:identify,provisioningState:provisioningState}" -o desk

Anticipated behaviour: Arc brokers report wholesome standing, SQL Server cases are totally found with correct stock, and required extensions are provisioned efficiently. If discovery is incomplete, verify Arc agent connectivity, extension deployment, and SQL service operating standing on supply VMs. If migration pre-checks fail, confirm SQL Server model compatibility and overview Defender logs for blocking points.

  1. Azure replace: Increasing Azure Arc SQL Migration with SQL Server on Azure Digital Machines
  2. Azure Arc SQL Server Overview
  3. Azure Arc-enabled servers
  4. SQL Server on Azure Digital Machines
  5. Azure Database Migration Service

For any new functionality this week, in the event that they map to your operational roadmap, run a managed pilot, measure the impression, after which scale with confidence. That’s how you progress the needle on modernisation whereas managing danger.

Cheers!

Pierre Roman

Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest Articles