Announcing Azure Monitoring Agent support in Azure Landing Zones
![Announcing Azure Monitoring Agent support in Azure Landing Zones Announcing Azure Monitoring Agent support in Azure Landing Zones](https://cdn.techcommunity.microsoft.com/assets/Azure/BlogPreview_default-blue.png)
Introduction
- Terraform upgrade guide [User Guide] Upgrade from v5.2.1 to v6.0.0
- Bicep release notes: v0.18.0 Release Notes
Key Updates and Enhancements
Centralization of the User Assigned Managed Identity
- Centralized UAMI: Azure Landing Zones now utilizing a single, centralized UAMI for AMA, enhancing manageability and scalability.
- Reliability: After the UAMI is created, it's replicated globally, and credential requests happen within the VM/VMSS's region instead of the UAMI region. Therefore, if the VM is in EastUS and the UAMI in WestUS, whenever the VM needs the UAMI credential, the request is completely fulfilled in EastUS.
- Scalability: Caching is enabled to support large-scale deployments. Managed identity limits for user assigned identity assignment remain the same regardless if you use single UAMI versus serval UAMI since rate limiting is done based on the VM/VMSS receiving the assignment not on the UAMI being assigned. This enables the convenience of managing a single identity that is both scalable and reliable.
- Protection: Added new custom policy Do not allow deletion of specified resource and resource type that provides a safeguard against accidental removal of the User Assigned Managed Identity used by AMA. Assigned at the Platform Management Group, it blocks delete calls using the deny action effect.
New Policies and Built-in Initiatives
- Deny Action Delete Policy: A new policy has been introduced that denies the deletion of the UAMI used for AMA, adding an extra layer of security.
- Policy Initiatives Updates: Built-in policy initiatives for VM Insights, Change Tracking, and Microsoft Defender for Cloud (MDfC) Defender for SQL have been updated to support a single centralized UAMI.
- Feature Flag: The restriction that enforces a UAMI per subscription is lifted by setting the restrictBringYourOwnUserAssignedIdentityToSubscription feature flag to false, enabling the use of a single centralized UAMI.
For more details on the policy changes please review What's New.
Brownfield Migration Guidance
- Assess current state: Conduct a thorough analysis of your existing environment to identify dependencies and custom configurations.
- Update Azure Landing Zones: guidance and automation tools help streamline the update process for Azure Landing Zones components
- Removing MMA and additional steps: It is crucial to be aware of other settings in your environment that may necessitate further considerations and steps when planning to migrate. While the final phase involves removing the Microsoft Monitoring Agent and addressing, you may need to address additional requirements discovered during the initial assessment, we have included references to already existing documentation to help with the next steps
Automation Tools
- Update Policies and Initiatives.
- Delete outdated Policy Assignments.
- Deploy a User Assigned Managed Identity for the AMA agent.
- Deploys Data Collection Rules for VMInsights, ChangeTracking and MDfC Defender for SQL.
- Assign new Policies and Initiatives.
- Remove Legacy Solutions
- Create remediation tasks for the newly assigned Policies and initiatives.
- Remove obsolete User Assigned Managed Identities (that were deployed with releases starting 2024-01-31 until 2024-04-24)
Conclusion
Published on:
Learn moreRelated posts
{How to} Create Azure Communication Services for Dynamics 365 Customer Service Omnichannel
Hello Everyone,Today I am going to show how to subscribe to Azure Communication Services on Azure Portal.Let's get's started.Let's say you hav...
Upgrade to Azure Synapse runtimes for Apache Spark 3.4 & previous runtimes deprecation
It is important to stay ahead of the curve and keep services up to date. That's why we encourage all Azure Synapse customers with Apache ...
Using Keycloak with Azure AD to integrate AKS Cluster authentication process
Introduction Integrating Azure Kubernetes Service (AKS) with Keycloak through Azure Active Directory (Azure AD) as an intermediary lev...
Dev Proxy v0.19 with simulating LLM APIs and new Azure API Center integrations
We're excited to share the launch of Dev Proxy v0.19 to help you to build robust apps connected to APIs. The post Dev Proxy v0.19 with simulat...
PostgreSQL with Local Small Language Model and In-Database Vectorization | Azure
Improve search capabilities for your PostgreSQL-backed applications using vector search and embeddings generated in under 10 milliseconds with...
Convert speech to text using Azure Speech service in Power Automate Flow
Azure provides Speech Services that let developers add advanced speech features to achieve complex functionality, including Speech-to-Text. Wi...
Azure API Center: Centralizing API Management for Enhanced Discovery and Governance
Have you ever thought about having a single place to manage all your APIs? It could make it easier to find and control your services. ...
Azure SDK Release (June 2024)
The Azure SDKs release every month. This post includes the month's highlights and release notes. The post Azure SDK Release (June 2024) appear...