Azure Arc on AIS Cloud X
3. Agenda
• Introduction to Azure Arc
• Azure Arc-enabled data services
• Azure Arc-enabled security
• Hybrid and Multicloud concept
• Azure Arc on AIS Cloud X
• Benefit for local enterprise
5. Azure Arc
Azure Arc is a bridge that extends the Azure platform to help you
build applications and services with the flexibility to run across
datacenters, at the edge, and in multicloud environments.
7. Run Azure services anywhere
Azure Arc: extend Azure's services and benefits anywhere
• Gain central visibility, operations, and compliance
• Build cloud native apps anywhere, at scale
Diagram: multi-cloud, datacenter and hosted environments connected to Azure.
8. Single control plane with Azure Arc
• Azure Arc-enabled infrastructure: connect and operate hybrid resources as native Azure resources
• Azure Arc-enabled services: deploy and run Azure services outside of Azure while still operating them from Azure
Diagram: multi-cloud, datacenter, edge.
13. Enhance practices with Azure Arc
• Migration: use Azure Arc to get full visibility for assessment and attach Azure services to move from a one-time to a continuous engagement.
• Cloud and infrastructure management: develop consistent and transferable skills across environments and reduce custom development through Azure services.
• App modernization and innovation: leverage continuous Azure investment in K8s and developer tools. Simplify hard-to-find talent acquisition with a platform built for diverse skillsets.
• Data modernization and sovereignty: expand your data practices to Azure managed PaaS data services running in the datacenter, at the edge or even in other clouds.
• Governance, compliance, and security: offer consistent at-scale Azure governance and security fully integrated with the management and identity services.
15. Azure Arc-enabled data services
Azure Arc-enabled SQL Server (IaaS, generally available)
• Organize, inventory
• Enhanced security with Microsoft Defender for Cloud
• Free SQL assessment service
Azure Arc-enabled PostgreSQL (PaaS, public preview)
• Azure Database for PostgreSQL on any infrastructure
• Fully automated, single server
• Scale up/down/out/in
Azure Arc-enabled SQL Managed Instance (PaaS, generally available)
• Azure SQL Managed Instance on any infrastructure
• Fully automated, evergreen SQL
• Cloud billing model for on-premises
16. Making the decision based on needs
Decision tree (slide diagram), starting from operational data workloads: can data go to Azure?
• Yes (full migration): Azure SQL / OSS databases. Access to the latest cutting-edge technology; standardize data management with agility and consistency; reduce cost with full automation; retire data centers; limitless scale, E2E security; IaaS, PaaS, single DB, pools; fully managed with SLAs; app modernization.
• No (hybrid): outside of Azure, on any Windows/Linux servers or any Kubernetes cluster. Maintain server-based legacy applications; reuse existing data center and SQL Server; manage all SQL Server from one place; existing apps.
17. Azure Arc-enabled SQL Server architecture
1. Onboard Arc-enabled server
2. Onboard Arc-enabled SQL Server
3A. Enroll Microsoft Defender and secure SQL Server
3B. Enroll SQL Best Practice assessment
Diagram components: a virtual server or physical machine with SQL instances (discovery) behind the customer firewall, reaching Azure over port 443 to download binaries; on the machine, the Arc guest configuration agent, the Azure extension for SQL Server and the monitoring agent (event log, perf counters); at-scale onboarding via Policy; Microsoft Defender (3A) and Best Practice assessment (3B) in Azure.
18. Single view of all SQL Servers from Azure Portal
Questions the inventory answers (slide diagram): database properties? Policy at scale to detect and resolve vulnerabilities; inventory of end-of-support (EOS) servers; which servers are not on the latest CU? Servers of a given OS type?
Asset management
• Receive Extended Security Updates (ESU) at a reduced price through Arc-enabled SQL Servers.
• Govern, protect and configure your hybrid and multi-cloud servers with Azure Policy, Defender and Azure Automation, centrally, securely and at scale.
Inventory management
• Single consistent view of all your SQL Servers deployed on-prem, at the edge and multi-cloud.
• Inventory and tag management using Resource Graph, increasing the visibility of the entire data estate.
• License management using the Azure portal to review license position and compare with the procurement state.
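The three inventory questions above (not on the latest CU, end-of-support versions, servers per OS type) can be answered offline over an exported inventory. This is an added example, not the deck's or Microsoft's code: the records, "latest CU" builds and end-of-support dates are constructed placeholders, and the field names are assumptions rather than Resource Graph's real schema.

```python
"""Triage a constructed Azure Arc-enabled SQL Server inventory.

Records, latest-CU builds and end-of-support dates below are constructed
placeholders (not real Microsoft values); field names are assumptions.
"""
from datetime import date

# Constructed inventory: one row per SQL Server instance reported by Arc.
INVENTORY = [
    {"name": "sql-fin-01", "os": "Windows", "version": "2019", "build": "15.0.4312.2"},
    {"name": "sql-hr-02", "os": "Windows", "version": "2019", "build": "15.0.4236.7"},
    {"name": "sql-web-03", "os": "Linux", "version": "2022", "build": "16.0.4085.2"},
    {"name": "sql-legacy-04", "os": "Windows", "version": "2012", "build": "11.0.7507.2"},
]

# Constructed "latest CU" build per major version (placeholder values).
LATEST_CU = {"2019": "15.0.4312.2", "2022": "16.0.4095.4", "2012": "11.0.7507.2"}

# Constructed end-of-support dates per major version (placeholder values).
END_OF_SUPPORT = {"2012": date(2022, 7, 12), "2019": date(2030, 1, 8), "2022": date(2033, 1, 11)}


def build_tuple(build: str) -> tuple:
    """Turn '15.0.4312.2' into (15, 0, 4312, 2) so builds compare numerically, not as strings."""
    return tuple(int(part) for part in build.split("."))


def not_on_latest_cu(inventory=INVENTORY, latest=LATEST_CU) -> list:
    """Names of instances whose build is older than the latest known CU build for their version."""
    return [r["name"] for r in inventory
            if r["version"] in latest
            and build_tuple(r["build"]) < build_tuple(latest[r["version"]])]


def end_of_support(inventory=INVENTORY, eos=END_OF_SUPPORT, today=date(2024, 1, 1)) -> list:
    """Names of instances whose major version passed end of support before `today`."""
    return [r["name"] for r in inventory
            if r["version"] in eos and eos[r["version"]] < today]


def servers_by_os(inventory=INVENTORY) -> dict:
    """Count of instances per OS type, answering the 'servers of OS type?' question."""
    counts = {}
    for r in inventory:
        counts[r["os"]] = counts.get(r["os"], 0) + 1
    return counts
```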
19. Fully automated technical assessment for SQL Server
Evaluate your configuration of SQL Server:
• Security and compliance
• Availability and business continuity
• Performance and scalability
• Operations
• Change and configuration management
Scanned in intervals for the most up-to-date results. Empowers DBAs to proactively address any risks. Increases operational stability while reducing routine workloads for DBAs.
20. Azure Arc-enabled data services
Cloud experience for data workloads anywhere: as-a-service, elastic scale, unified management, always current. Any hardware, any Kubernetes; supports all connectivity modes.
• Azure Arc-enabled SQL Managed Instance (generally available)
• Azure Arc-enabled PostgreSQL (public preview)
Capabilities: scale up, scale out; Hyperscale Postgres; automated updates; evergreen SQL; single pane of glass; consistent workflows; built-in HA/DR; automation at scale.
21. Azure Arc-enabled SQL MI architecture
1. Deploy Kubernetes on the infrastructure of your choice
2. Deploy the Azure Arc data controller/control plane
3. Deploy an Azure Arc-enabled data service using the Azure portal or CLI
4. Use direct connected mode with Azure Arc agents or indirect connected mode with az CLI, kubectl etc.
5. Connect to a data service using an application or tools
Diagram components: Kubernetes nodes and the Kubernetes API on the chosen infrastructure; the Azure Arc data controller; SQL Managed Instance and PostgreSQL; Microsoft Container Registry or a customer private registry; Azure Arc resource providers; kubectl, az CLI and the Azure Portal for deployments and configuration; Azure Arc agents (direct mode) carrying inventory, logs/metrics and billing with Azure RBAC, or indirect mode; applications and database tools such as Azure Data Studio connecting to the data service.
22. Azure Arc-enabled SQL Managed Instance: General Purpose high availability
Diagram: one K8s worker node running a data controller pod and a single SQL MI pod; a load balancer service fronts the web app, with a read-only web app connection.
• Single replica
• Single point of failure
• If the pod crashes, Kubernetes will spin up a new pod and bring it online
• Applications will need to reconnect to this new pod
• Potential for downtime
23. Azure Arc-enabled SQL Managed Instance: Business Critical high availability
Diagram: three K8s worker nodes, each running a SQL MI pod with an AG agent (one primary, two secondaries) in an availability group, plus the data controller; the load balancer service fronts the primary endpoint and the read-only web app uses the secondary endpoint.
• Built-in setup, no other cluster technologies
• Default configuration with 3 sync replicas
• Primary and readable secondary endpoints
• Automated failover
• Near zero downtime
24. Azure Arc-enabled data services: Security
Diagram: any Kubernetes cluster running the Azure Arc data controller, reached over HTTPS from a browser (metrics & logs dashboards), and from Azure CLI, Azure Data Studio and Kubernetes tools via the Kubernetes API; the Azure control plane and Azure Active Directory sit outside the cluster.
Secure by default configuration
• Non-root containers
• Least privilege deployment configuration
• Security enabled via HTTPS/TLS/SSL for external endpoints
• System managed certificates
Directly connected mode
• Azure Role Based Access Control (RBAC) integration
• AD authentication for management operations
Comprehensive encryption
• Always Encrypted
• User provided or system managed certificates
• Certificate rotation
• User managed encryption of PVs
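To verify the "non-root containers" and "least privilege deployment configuration" properties listed above on a cluster you operate, the pod specs can be audited before or after deployment. This is an added example, not Microsoft's or the deck's code: the two pod specs are constructed samples (not Arc data services manifests), and the check uses the standard Kubernetes pod securityContext fields.

```python
"""Audit pod specs for the 'non-root containers' and 'least privilege
deployment configuration' properties listed above.

Added example, not Microsoft's code: the two pod specs are constructed
samples already parsed from YAML into dicts, not Arc data services manifests.
"""

# Constructed: a pod that meets the baseline.
HARDENED_POD = {
    "metadata": {"name": "sql-mi-0"},
    "spec": {"hostNetwork": False, "containers": [{
        "name": "arc-sqlmi",
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "privileged": False, "allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"]}}}]},
}

# Constructed: a pod that violates most of the baseline.
WEAK_POD = {
    "metadata": {"name": "legacy-db-0"},
    "spec": {"hostNetwork": True,
             "containers": [{"name": "db", "securityContext": {"privileged": True}}]},
}


def audit_pod(pod: dict) -> list:
    """Return one finding string per deviation from the secure-by-default baseline."""
    findings = []
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    # Host namespaces break container isolation; none should be enabled.
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            findings.append(f"{name}: {key} is enabled")
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        cname = f"{name}/{c['name']}"
        # Non-root containers: runAsNonRoot must be explicitly true.
        if not sc.get("runAsNonRoot"):
            findings.append(f"{cname}: runAsNonRoot not set")
        # Least privilege: no privileged mode, no escalation, all capabilities dropped.
        if sc.get("privileged"):
            findings.append(f"{cname}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{cname}: allowPrivilegeEscalation not disabled")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{cname}: capabilities not dropped")
    return findings
```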
26. Azure Arc-enabled security
Consistent security and governance for your hybrid and multi-cloud compute.
Diagram: Azure security across your infrastructure, with Azure Monitor, Azure Policy, Microsoft Defender and Microsoft Sentinel applied to Azure, on-premises and other environments.
27. Strengthen your cloud security posture
Microsoft Defender for Cloud: assess, secure, and defend your hybrid environment.
• Streamline security management: secure score, policies and compliance, automation
• Protect your multicloud and hybrid workloads, leveraging Azure Arc: servers, cloud native workloads, databases and storage, Azure service layers, IoT devices
28. Microsoft Defender for Cloud
Assess, secure, and defend your hybrid and multicloud workloads.
Coverage (slide diagram): SQL/storage, VMs, containers, network, industrial IoT and apps, across multi-cloud, datacenter and edge.
✓ Continuously assess. Understand your current security posture, identify and track vulnerabilities. Get a bird's-eye view of your security posture with Secure Score.
✓ Secure. Harden connected resources and services by following customized and prioritized recommendations with Azure Security Benchmark.
✓ Defend. Detect and resolve threats to those resources and services. With prioritized security alerts, focus on what matters the most and surface it to the right audience.
29. Deploy Defender anywhere
Leverage VM and cluster extensions to deploy to servers and containers.
• Microsoft Defender for Servers: on-premises and/or multicloud, via Azure Arc-enabled servers
• Microsoft Defender for Containers: on-premises and/or multicloud, via Azure Arc-enabled Kubernetes clusters
30. Defender for Servers: Azure Arc-enabled servers
✓ Adaptive application control. Use intelligent and automated allow lists of known-safe applications to protect against malware and comply with organizational policies.
✓ File integrity monitoring. Examine OS files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack.
✓ Vulnerability assessment. Automated deployment of the Qualys vulnerability scanner, continuous visibility for Linux & Windows VMs.
31. Defender for SQL: Azure Arc-enabled SQL Servers
✓ Protect SQL workloads anywhere. Centralize security across all data assets with one-click enablement of built-in Azure native security.
✓ Rich detection suite. Alerts specifically designed for threats targeted at databases: SQL injection attacks, brute force attacks, unusual data exfiltration, suspicious access or queries.
✓ Respond at scale. Reduce friction by preventing and responding to top threats first.
32. Defender for Containers: Azure Arc-enabled K8s
✓ Control & data plane recommendations. Harden and audit according to Azure Security Benchmarks. Follow the Docker CIS benchmark on container nodes. Audit security best practices on K8s workloads.
✓ Deployment and monitoring. Frictionless deployment provisioning at scale with easy onboarding and support for standard Kubernetes monitoring tools.
✓ Ship, runtime, build vulnerabilities. Automatic discovery and onboarding, scans triggered on image push, pull, and import, continuous scanning of running images.
35. IT environments are evolving
• 100s to 1,000s of apps: VMs, containers, databases, serverless
• Diverse infrastructure: IoT devices, edge, datacenters, branch offices, hosters, OEM hardware, multi-cloud
36. Reasons for a hybrid and multicloud strategy
• Regulatory and data sovereignty
• Low latency and edge workloads
• Application and datacenter modernization
• Business continuity and resilience
• Freedom to use more than one public cloud
37. Innovation anywhere with Azure: hybrid and multicloud
• Single control plane with Azure Arc
• Bring Azure services to any infrastructure
• Modernize datacenters with Azure Stack
• Extend to the edge with Azure IoT
38. Innovation anywhere with Azure: hybrid and multicloud
0. Migrate to Azure
1. Unified operations and management with Azure Arc (single control plane with Azure Arc)
2. Build cloud native apps and run Azure services anywhere (bring Azure services to any infrastructure)
3. Modernize your data estate with Azure data services
4. Modernize datacenter (modernize datacenters with Azure Stack)
47. Single control plane with Azure Arc
Innovation anywhere with Azure:
• Bring Azure services to the edge
• Bring Azure services to AIS Cloud infrastructure
• Bring Azure services to your datacenters