The announcement of Azure Arc by Satya Nadella at Ignite 2019 was something I believed was targeted at managing virtual machines and the proliferation of containers used by developers. It was only during Ignite 2020 that I started seeing an overlooked benefit of Arc: its potential for a simpler, centrally managed security posture which helps solve the challenge of hybrid cloud management and governance. Together, our MOQdigital Security, Infrastructure and Application architects have been working through this technology offering for our clients' benefit, as we look to help them adopt new hybrid scenarios and to offer improvements to how the business operates as a whole.
The Azure Backstory
Before we dive into Azure Arc and the security benefits it offers, let's quickly review the three levels of operations within Azure.
The Azure Fabric Controller is responsible for managing and controlling the lifecycle of resources, whether they are virtual machines, databases or Kubernetes clusters.
Azure Resource Manager (ARM) provides automation of resources through an ARM template, which defines the desired state of a resource. Azure also offers resource providers for services running within Azure such as VMs, SQL and Azure Kubernetes Service.
Resources within Azure report their state to the Fabric Controller; for a VM instance this is done by an agent running on the VM.
Azure Arc – the high-level view
With Azure Arc, Microsoft has expanded ARM support to resources running outside of Azure, including physical servers running in a data centre, VMware vSphere, Amazon EC2 and Google Compute Engine (all of which are GA in Azure), and allows the Azure Fabric Controller to see these resources. Kubernetes clusters, including Amazon EKS, Google Kubernetes Engine and IBM Kubernetes Service, can also be registered with Azure Arc, and Arc can even manage database services in hybrid and multi-cloud environments. Kubernetes integration, data services and SQL Server are still in preview at the time of publishing.
So what does this mean for my organisation?
Any resource deployed within Azure or outside of Azure can be managed through the same control plane, regardless of the underlying hardware. Those ARM templates are now applicable to all resources across hybrid and multi-cloud environments, providing true overarching management and governance from one location.
Now for the security bit
By connecting multiple resources to Azure through Arc, you can now start managing those third-party resources the way you would manage your Azure resources. Even better, Azure Arc treats resources consistently, so a database running on a VM in a data centre can use the same template as virtual machines in Azure. In a similar vein, non-Azure Linux (including Ubuntu, CentOS, SUSE and Red Hat) and Windows systems in AWS, GCP and on-premises data centres could all have the same policy applied for reporting events to Azure Sentinel, or the same security policy defined within Azure Security Centre, ensuring that visibility and control of security events is consistent and evenly applied.
Azure Security Centre can use this visibility and reporting functionality to detect whether a security policy is correctly applied or a potential vulnerability exists, and Azure Arc can invoke a remediation task to automate the steps required on those resources to achieve compliance and mitigate the risk. This could take multiple forms, including:
- The deployment of logging agents
- Rectification of security misconfigurations
- Patching of application or operating system vulnerabilities
- Endpoint Detection and Response functionality
- Updated or additional policy being applied
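As an added illustration of the first item above (not code from the original post or from Microsoft), the ARM template below deploys the Log Analytics agent as an extension onto an Arc-enabled Linux server, so that the machine reports to the same workspace used by Azure Sentinel and Azure Security Centre. It uses the Microsoft.HybridCompute/machines/extensions resource type that Arc registers for connected servers; the parameter names (machineName, workspaceId, workspaceKey) and the workspace values are placeholders you supply at deployment time, and the workspace key is passed as a securestring so it never appears in plain text in the template.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "machineName": {
      "type": "string",
      "metadata": { "description": "Name of the Arc-enabled server (placeholder, supplied at deploy time)" }
    },
    "location": {
      "type": "string",
      "metadata": { "description": "Azure region the Arc resource was registered in" }
    },
    "workspaceId": {
      "type": "string",
      "metadata": { "description": "Log Analytics workspace ID used by Sentinel / Security Centre (placeholder)" }
    },
    "workspaceKey": {
      "type": "securestring",
      "metadata": { "description": "Workspace primary key; securestring keeps it out of deployment logs" }
    }
  },
  "resources": [
    {
      "type": "Microsoft.HybridCompute/machines/extensions",
      "apiVersion": "2020-08-02",
      "name": "[concat(parameters('machineName'), '/OMSAgentForLinux')]",
      "location": "[parameters('location')]",
      "properties": {
        "publisher": "Microsoft.EnterpriseCloud.Monitoring",
        "type": "OmsAgentForLinux",
        "autoUpgradeMinorVersion": true,
        "settings": {
          "workspaceId": "[parameters('workspaceId')]"
        },
        "protectedSettings": {
          "workspaceKey": "[parameters('workspaceKey')]"
        }
      }
    }
  ]
}
```

Because the same resource type is used for every Arc-enabled server regardless of where it runs, this one template can be assigned as a remediation through Azure Policy (a deployIfNotExists effect) rather than deployed by hand, which is what makes the "consistent and evenly applied" posture described above achievable across AWS, GCP and on-premises machines alike. For Windows servers the extension type is MicrosoftMonitoringAgent from the same publisher.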
Together, Azure Arc and Azure Security Centre provide a solution for the previously difficult task associated with visibility, management and governance of hybrid and multi-cloud environments, and ensure that the security posture within your organisation is consistently applied and that you have visibility into the operations of all IT assets.
For more information on Azure Arc and how it can help your organisation, please contact us below.