Announcing Azure Monitoring Agent support in Azure Landing Zones

Introduction

 

Hello and welcome to another blog post about Azure Landing Zones, the best practice framework for accelerating your cloud adoption journey. In this post, I will share with you some of the latest updates and enhancements that we have made to Azure Landing Zones.
 
One of the main components of Azure Landing Zones is the Azure Monitoring Agent (AMA), which enables you to collect and analyze data from your virtual machines, virtual machine scale sets, and hybrid resources. AMA provides a unified agent experience for Azure Monitor, Azure Security Center, Azure Sentinel, and other services. AMA replaces the legacy Log Analytics agent and Dependency agent, and offers better performance, reliability, and security.
 
We are happy to announce that all the implementation methods, including Terraform and Bicep, have been updated and Azure Landing Zones now exclusively uses AMA for all its monitoring scenarios. This means that you can benefit from the latest features and capabilities of AMA, such as the ability to send custom logs and metrics, use Azure Arc to monitor hybrid resources, and leverage Azure Policy to deploy and manage AMA at scale.
 
 
As the Microsoft Monitoring Agent (MMA, the legacy Log Analytics agent) is retired as of 31 August 2024, please make sure that you are working towards migrating to AMA to avoid falling out of support. See: We're retiring the Log Analytics agent in Azure Monitor on 31 August 2024 | Azure updates | Microsoft Azure

 

Key Updates and Enhancements

 

Since January 2024, the Portal Accelerator has been utilizing AMA and has received a significant update. Let's explore the specifics of the recent updates.
 

Centralization of the User Assigned Managed Identity

 

One of the most noteworthy advancements is the centralized approach to User Assigned Managed Identities (UAMI). Here are the key highlights:
 
  • Centralized UAMI: Azure Landing Zones now uses a single, centralized UAMI for AMA, enhancing manageability and scalability.
  • Reliability: After the UAMI is created, it is replicated globally, and credential requests are served within the VM/VMSS's region instead of the UAMI's region. Therefore, if the VM is in EastUS and the UAMI in WestUS, whenever the VM needs the UAMI credential, the request is fulfilled entirely in EastUS.
  • Scalability: Caching is enabled to support large-scale deployments. Managed identity limits for user assigned identity assignment remain the same regardless of whether you use a single UAMI or several UAMIs, since rate limiting is applied to the VM/VMSS receiving the assignment, not to the UAMI being assigned. This enables the convenience of managing a single identity that is both scalable and reliable.
  • Protection: A new custom policy, "Do not allow deletion of specified resource and resource type", provides a safeguard against accidental removal of the User Assigned Managed Identity used by AMA. Assigned at the Platform management group, it blocks delete calls using the deny action effect.

 

New Policies and Built-in Initiatives

 

To support the seamless integration of AMA, several policy updates have been made:
 
  • Deny Action Delete Policy: A new policy has been introduced that denies the deletion of the UAMI used for AMA, adding an extra layer of security.
  • Policy Initiatives Updates: Built-in policy initiatives for VM Insights, Change Tracking, and Microsoft Defender for Cloud (MDfC) Defender for SQL have been updated to support a single centralized UAMI.
  • Feature Flag: The restriction that enforces a UAMI per subscription is lifted by setting the restrictBringYourOwnUserAssignedIdentityToSubscription feature flag to false, enabling the use of a single centralized UAMI.
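As an added example (not the policy file shipped with Azure Landing Zones), this is the shape of a denyAction policy like the one described in the Protection and Deny Action Delete Policy bullets, defined and assigned at a management group with Az PowerShell; the management group ID, policy and assignment names, and the identity name are assumptions.

```powershell
# Added example: a custom policy definition using the denyAction effect to block
# DELETE calls against one named resource of one resource type.
# Assumptions: the Platform management group ID, the policy/assignment names and
# the UAMI name below are placeholders for your own environment.
$managementGroup = 'alz-platform'   # assumption: your Platform management group ID

# Policy rule: match on type and name, then deny only the "delete" action.
$policyRule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "[parameters('resourceType')]" },
      { "field": "name", "equals": "[parameters('resourceName')]" }
    ]
  },
  "then": {
    "effect": "denyAction",
    "details": { "actionNames": [ "delete" ] }
  }
}
'@

# Parameters so the same definition can protect other resources later.
$parameters = @'
{
  "resourceType": { "type": "String", "metadata": { "displayName": "Resource type to protect" } },
  "resourceName": { "type": "String", "metadata": { "displayName": "Resource name to protect" } }
}
'@

$definition = New-AzPolicyDefinition -Name 'DenyAction-DeleteResource' `
    -DisplayName 'Do not allow deletion of specified resource and resource type' `
    -Mode 'All' -Policy $policyRule -Parameter $parameters `
    -ManagementGroupName $managementGroup

# Assign it at the management group so the AMA identity cannot be deleted.
New-AzPolicyAssignment -Name 'Deny-Delete-AMA-UAMI' `
    -PolicyDefinition $definition `
    -Scope "/providers/Microsoft.Management/managementGroups/$managementGroup" `
    -PolicyParameterObject @{
        resourceType = 'Microsoft.ManagedIdentity/userAssignedIdentities'
        resourceName = 'id-ama-prod'   # assumption: name of the centralized UAMI
    }
```

Because only the "delete" action is listed, updates to the identity and deletions of other resources are unaffected; a delete attempt on the named identity is rejected by Azure Policy before it reaches the resource provider.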

 

For more details on the policy changes, please review What's New.

 

Brownfield Migration Guidance

 

Migrating existing environments to AMA involves several steps, which are comprehensively covered in the new brownfield migration guidance.
 
Here's a breakdown of the process: 

 

  • Assess current state: Conduct a thorough analysis of your existing environment to identify dependencies and custom configurations.
  • Update Azure Landing Zones: Guidance and automation tools help streamline the update process for Azure Landing Zones components.
  • Removing MMA and additional steps: Be aware of other settings in your environment that may call for further considerations and steps when planning the migration. The final phase removes the Microsoft Monitoring Agent and addresses any additional requirements discovered during the initial assessment; references to existing documentation are included to help with those next steps.
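To give the assessment step and the final MMA removal step something concrete to work from, here is an added example (not the Azure Landing Zones migration script) that inventories which VMs still carry the legacy agent, which already run AMA, and which run both; the extension type names are the published ones, while the output path is an assumption.

```powershell
# Added example: classify every VM in the current subscription by monitoring
# agent state so MMA is only removed where AMA is already in place.
# Extension type names are the published Azure extension types; the CSV path
# is an assumption.
$legacyTypes = @('MicrosoftMonitoringAgent', 'OmsAgentForLinux')         # MMA / OMS agent
$amaTypes    = @('AzureMonitorWindowsAgent', 'AzureMonitorLinuxAgent')   # Azure Monitor Agent

$report = foreach ($vm in Get-AzVM) {
    $ext   = Get-AzVMExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name
    $types = @($ext | Select-Object -ExpandProperty ExtensionType)

    $hasLegacy = ($types | Where-Object { $legacyTypes -contains $_ }).Count -gt 0
    $hasAma    = ($types | Where-Object { $amaTypes    -contains $_ }).Count -gt 0

    # DualAgent = both installed (safe to remove MMA once DCRs are confirmed);
    # LegacyOnly = still needs AMA deployed; NoAgent = not monitored at all.
    $state = if ($hasLegacy -and $hasAma) { 'DualAgent' }
             elseif ($hasLegacy)          { 'LegacyOnly' }
             elseif ($hasAma)             { 'Migrated' }
             else                         { 'NoAgent' }

    [pscustomobject]@{
        VM            = $vm.Name
        ResourceGroup = $vm.ResourceGroupName
        Location      = $vm.Location
        State         = $state
        Extensions    = ($types -join ',')
    }
}

$report | Sort-Object State, VM | Format-Table -AutoSize

# Only VMs already reporting through AMA are candidates for MMA removal.
$report | Where-Object State -eq 'DualAgent' |
    Export-Csv -NoTypeInformation -Path .\mma-removal-candidates.csv   # assumption: output path
```

Azure Arc-enabled servers are not returned by Get-AzVM and need a separate pass with the Az.ConnectedMachine cmdlets before the picture is complete.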

 

Automation Tools

 

To facilitate the transition, we have developed a PowerShell script designed to update Azure Landing Zones portal accelerator deployments to support AMA. This script reduces the manual effort required and ensures a smooth migration process. The following tasks are automated:
 
  • Update policies and initiatives.
  • Delete outdated policy assignments.
  • Deploy a User Assigned Managed Identity for the AMA agent.
  • Deploy Data Collection Rules for VM Insights, Change Tracking and MDfC Defender for SQL.
  • Assign new policies and initiatives.
  • Remove legacy solutions.
  • Create remediation tasks for the newly assigned policies and initiatives.
  • Remove obsolete User Assigned Managed Identities (those deployed with releases from 2024-01-31 until 2024-04-24).

 

Conclusion

 

The recent updates to Azure Landing Zones, with a focus on the Azure Monitoring Agent, bring significant improvements in manageability, scalability, and security. The comprehensive brownfield migration guidance and automation tools provide a clear pathway for existing environments to transition seamlessly to AMA. By leveraging these enhancements, organizations can better manage their Azure environments and ensure they remain compliant with the latest best practices.
 
Stay tuned for more updates and detailed guides on implementing and optimizing your Azure Landing Zones.
