Cloud adaptatif : unifiez l’hybride, le multicloud et la périphérie (edge) avec Azure Arc

Thiago Moreira CSA Microsoft Jérome Sporbert CSA Microsoft Michel Hubert Architecte Solution Avanade Jean Rémi Pontvianne CSA Microsoft

Wifi : CF-GeorgeV mdp GEORGEV2017

Advancing cloud to cloud Hybrid IoT Multicloud Edge Distributed Thrive in dynamic environments by unifying teams, sites, and systems across hybrid, multicloud, edge, and IoT.

Fuel your modernization and migration journey Establish a central inventory for all servers 1 Install Azure Arc in your hybrid and multicloud environments Cloud to edge management 2 Streamline configuration management and resiliency Modernize and migrate workloads to be AI-ready 3 Deliver business value faster with intelligent apps on Azure Azure Arc Windows Server management capabilities Azure IaaS, Application, Data, and AI Services

Replace current third-party management solutions for Azure services included in WS SA Redirect investment on security foundation with Defender for Server P1 Extend investment to improve continuous operational security with CSPM and Defender for Server P2 Ongoing Operational Security Management & Govern with Azure Manage all Windows Servers (and their licenses) deployed on-premises, in Azure or third-party clouds with Azure Inventory and Change Tracking Administrate Windows Servers remotely (including RDP) using Windows Admin Center from the Azure Portal Integrate full lifecycle VM management operations for VMware and SCVMM Manage access and permissions across environments using Azure EntraID authentication and Azure RBAC Proactive and actionable insights using Windows Server Assessment Schedule and automate Windows Server updates using Azure Update Manager Security Foundation for Windows Server NextGen antivirus protection and EDR with Defender for Server (from P1) Secure and protect server, detecting vulnerabilities and threats and protecting against malicious attacks with Defender for Server (from P1) Enhance security using Extended Security Updates* as a service for WS2012 Audit and reinforce server settings and desired states configurations with Azure Machine Configuration and Azure Policy Key insights and observability across all Windows Servers (logs, metrics, network, health) with Azure Monitor Enhance operational efficiency through configurable Disaster Recovery with Azure Site Recovery Actionable security insights with hardening assessment using Defender for Server P2 Regulatory compliance and industry benchmarks, risk prioritization, and governance management with Defender CSPM (or Defender for Server P2) Automate many common manageability tasks with Microsoft Copilot for Azure (preview) Delivering Azure management & security to Servers How Azure benefits from Windows Server SA leverages security opportunity * Defender for Server (compatible from WS2012R2+)

Operate with AI-enhanced central management Rapidly develop and scale applications across boundaries Cultivate data and insights across physical operations Enabled by Azure Arc Adaptive Cloud Azure Monitor Microsoft Defender for Cloud Microsoft Copilot for Azure Visual Studio Azure Kubernetes Service Machine Learning Microsoft Fabric IoT Operations GitHub

Customer challenges when hybrid Complexity “I need to have health visibility in a single pane of glass to all my existing and future infrastructure and applications.” Compliance “I need to manage security and incident management across my public cloud and datacenter assets.” Inconsistency “I want my on-prem skills to work in the cloud, and my cloud skills to work on-prem.” Regulation “Our DB layer must remain on-premises due to sensitive patient data and data availability needs.” Latency “We can’t take a dependency on the internet. If we lose connectivity, we still want to be able to access the data.” Legacy “Our older systems take too much maintenance. We want evergreen technology and to pay for it like a utility.” Multi-cloud Datacenter Edge

Customer environments and application requirements are evolving Single control plane with Azure Arc How to govern and operate across disparate environments? How to ensure security across the entire organization? How to best enable innovation and developer agility? How to meet regulatory requirements and overcome technical hurdles? 100’s–1,000’s of apps Diverse infrastructure Hybrid & Multi-Cloud

Leader in the 2024 Gartner Magic Quadrant for Distributed Hybrid Infrastructure Microsoft recognized once again as a Leader for its Ability to execute and Completeness of vision in 2024 Gartner® Magic Quadrant for Distributed Hybrid Infrastructure | Microsoft Azure Blog

Extend Azure management & security to any infrastructure Microsoft Copilot for Azure Microsoft Defender for Cloud Azure Monitor Microsoft Sentinel Azure Policy Azure Update Manager Configuration Management Inventory Management Azure Services across your infrastructure Datacenter, multicloud, and edge

Microsoft Azure Single control plane with Azure Arc Infrastructure Connect and operate hybrid resources as native Azure resources Azure Arc-enabled infrastructure Services Deploy and run Azure services outside of Azure while still operating it from Azure Azure Arc-enabled services Arc Server K8s Windows SQL Server Linux Multi-cloud Datacenter Edge Microsoft Defender Microsoft Sentinel Azure Monitor Update Manager & ESU Azure Policy AVS

Effectively manage your WS, SQL & Linux estate at scale with new Azure services from a single pane of glass. Compliance Networking capabilities Security Disaster Recovery Copilot integration Access Management Easy to onboard Manage Govern Secure Updates + hotpatching

 Generate onboarding script from Azure Portal and run it non- interactively using Configuration Manager, Group Policy, Ansible with a Azure service principal  Autodiscover servers and deploy Arc agent in AWS using Azure Arc multicloud connector*  Automatically onboard agent during VM creation on VMWare vSphere and SCVMM using Azure Arc Resource Bridge Requirements: • A local account that is a member of a local administrator group • The following resource providers must be registered in the targeted subscription: Microsoft.HybridCompute, Microsoft.GuestConfiguration, Microsoft.HybridConnectivity, Microsoft.Compute and Microsoft.AzureArcData • Subscription(s) and resource group(s) where servers will be represented. • Service Principal with Azure Connected Machine Onboarding role on the targeted subscription(s) or resource group(s) • Whitelist Azure Arc URLs on proxy or firewall • If private traffic must be reinforced, setup private link scope and private connectivity between Azure and targeted environment * GCP coming soon Onboarding with Azure Arc

Onboarding with Azure Arc Customers with WS Software Assurance or enrolled in Windows Server Pay as you Go can access the following capabilities at no additional cost: • Azure Update Manager • Azure Machine Configuration [Policy] • Azure Change Tracking and Inventory* • Best Practices Assessment* • Remote Support • Network HUD • Azure Site Recovery configuration* • Windows Admin Center in Azure for Arc *May incur additional storage, log data ingestion, and compute costs

Azure VNET Azure Arc enabled Server Azure Arc Service Endpoint Public Endpoint Private Endpoint Service tag Private Link Azure Express Route & Site-to-Site VPN Internet Proxy 1. Direct connection (Internet) 2. Connection via Proxy (Internet) 3. Service tag (S2S VPN/ER) 4. Private Link (S2S VPN/ER) Connectivity options – Azure Arc-enabled servers

Azure Change Tracking and Inventory • Discover what's installed on your machines and their changes • Software • Services/Daemons • Files • Registries • View how many machines have a specific software or version • Updated when a change is detected • View changes when troubleshooting • Alerting on critical changes • Differences in inventory snapshots Requires AMA (Azure Monitor Agent) with Log Analytics workspace

Azure Update Manager • Assess the update status of servers across your Azure, on-premises, and multi-cloud estates from one place • Easily deploy updates to your machines • Schedule one-off or recurring updates • Schedule recurring updates for machine groups • Target systems by name, imported groups, or custom query • Verify update compliance across your environment • Track update deployments across your environment • Audit past deployments

Azure Machine Configuration • Configuration as code defining machine properties: • Operating System settings • App configuration or presence • Environment settings • Advanced reporting through Azure Resource Graph • Ability to create custom packages • Built in configurations for operational and security best practices • OS settings, expiring certificates, networking capabilities • TLS Versions, local user accounts, security baselines • Native to Azure Arc’s Connected Machine Agent

Windows Admin Center in Azure for Arc Securely manage your servers from anywhere without a VPN, public IP address, or other inbound connectivity Management, configuration, troubleshooting, and maintenance functionality in a single pane of glass • Virtual machines tool • Event viewer • Remote Desktop • File explorer • ….and much more!

Remote Support Get professional support by permitting access to your machine remotely Grant consent while controlling access level and duration of access (JIT) on an incident-by- incident basis View detailed transcripts of all executed operations at any time Revoke consent at anytime Access is auto disabled once the consent duration expires

Azure Monitor Detect & diagnose issues across apps and dependencies with application insights Correlate issues at infra level with insights for VMs, containers, SQL, network, etc. Operationalize at scale with smart alerts and automated actions Drill down with log analytics for troubleshooting & deeper diagnostics Create visualizations with Azure dashboards & workbooks

Best Practices Assessment (*) Collects and analyze server data to generate list of issues and remediation guidance Provide customers with best practices to improve performance of their server infrastructure and features such as deploying applications, software updates, etc… Assesses in the following areas: • Server Baselines • Server Security • Hyper-V • Failover Cluster • IIS (*) : Available in preview

Azure Site Recovery configuration Installs the Azure Site Recovery agent on your machine and associates the replication policy, vault, and Hyper-V site with the agent Ensure business continuity Keeps business apps and workloads running during outages Provides replication and data resilience

Defender for Servers Easily deploy as extensions in Azure without re- installing agents Vulnerability assessment built-in with flexibility to use tools like Qualys offering integrated vulnerability scanning for your connected machines Use Just-in-Time VM access to control access to commonly attacked management ports Block malware with adaptive application controls Set guardrails with Azure Policy integration, server owners can view and remediate to meet their compliance Two plans available P1 (5$ per server) & P2 (15$ per server) Microsoft Defender for Cloud On-premises and/or multicloud Azure Arc Azure Arc-enabled servers

Azure Sentinel (SIEM) Collect data at cloud scale —across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds Detect previously uncovered threats and minimize false positives using analytics and threat intelligence from Microsoft Investigate threats with AI and hunt suspicious activities at scale, tapping into decades of cybersecurity work at Microsoft Respond to incidents rapidly with built-in orchestration and automation of common tasks

Copilot for Azure • Design: Create and configure services while aligning with organizational policies. • Operate: Answer questions, author complex commands, and manage resources. • Troubleshoot: Orchestrate across Azure services to summarize issues, identify causes, and suggest solutions. • Optimize: Improve costs, scalability, and reliability through recommendations tailored to your environment

SQL Server

Bring cloud manageability to SQL Server anywhere Manage all SQL estate with better observability Single view of all SQL Servers deployed on-premises, in Azure and other clouds Capture key performance metrics with out-of-box monitoring Gain proactive and actionable insights with automated best practices assessment Utilize migration assessment and best- fit recommendation on SQL IaaS/PaaS Enhance business continuity Manage Availability Groups inventory and track real-time health status View Always-on Failover Cluster Instances and protect with Defender Enhance operational efficiency through configurable Automated backups Minimize downtime and operational disruption with Point-in-time restore Govern and protect all SQL estate using Azure Protect your on-premises and multicloud data using Microsoft Defender for Cloud Enhance security using Extended Security Updates as a service and auto patching Central insights and governance across all SQL Servers with Microsoft Purview Unified sign-on experience with Microsoft Entra ID authentication Azure Pay-As-You-Go enabled by Azure Arc for SQL Server anywhere, with simplified onboarding Manage, govern, and protect your SQL Server from Azure

Management capabilities comparison Not supported Supported Future support Customer Infrastructure or 3P Clouds Azure Built-in capabilities SQL Server Arc Enabled SQL Server SQL Server Azure VM Pay-as-you-go billing Azure AD auth Best practices assessment Inventory management Auto patching Auto backup Monitoring Defender for SQL Server TDE with Azure Key Vault HA/DR inventory management License compliance management Cluster aware patching and upgrades Purview premium Point-in-time restore Backup long-term retention to Azure

Detailed inventory of your SQL Server estate  Single view for your entire SQL Server estate  Detailed inventory information for your SQL Server  Combine to see Azure SQL and hybrid SQL together

Provide proactive and actionable insights at scale to optimize entire SQL Server estate across on-premises and multicloud environments Use Cases  Identify opportunities for performance optimization, improvement on security posture and compliance  Perform proactive planning on disaster recovery and high availability  Perform more accurate capacity planning on SQL Server resources Key Capabilities  450+ rules to evaluate the configuration of SQL Server estate at scale  Provide a prioritized list of the risks detected and step-by-step mitigation guidance  Scan in intervals for most up to date results Benefits  Improve uptime and performance by mitigating the risks detected  Enhance security and compliance posture  Increase efficiency of DBA’s routine operation by at-scale assessment Best Practices Assessment for SQL Server enabled by Azure Arc

Présentation du Lab Azure Arc for IT Pros

Azure Arc https://github.com/AzureInnovationDay/AzureArc

Clavier QWERTY

Preview… Azure Local, Arc Gateway, …

Arc Gateway : How it Works ? The Arc Gateway introduces two new components: • Arc gateway – A common front end for Arc traffic. This Gateway is served on a specific domain, that customers must allow access to. • Arc Proxy – A component that routes all Arc Agentry traffic to its destination in Azure via the Gateway. This Proxy is part of Arc core agentry and runs within the context of an Arc enabled resource.

Azure Arc gateway – Arc-enabled servers solution architecture (Public Preview) On-premises infrastructure Arc proxy forwards traffic via on-premises enterprise proxy On-premises single server Arc agentry & extensions use the Azure Arc Proxy as their forward proxy On-premises servers [unique-guid].gw.arc.azure.com Azure endpoint targets gbl.his.arc.azure.com Microsoft Entra ID login.microsoftonline.com Azure Resource Manager (ARM) management.azure.com Microsoft Entra ID traffic routes directly ARM traffic routes directly Target services endpoints reached via Arc gateway using HTTP tunnels over HTTP2 Arc gateway is reached using TLS connection Hybrid Identity Service traffic routes directly Azure Update Manager Arc gateway proxies traffic only to Azure services endpoints

Introducing Cloud infrastructure for distributed locations, enabled by Azure Arc Operate and scale with the power of the cloud Ready for all your apps: VMs and containers alike Flexibility to meet your requirements and budget Extend cloud security to your distributed locations

Azure Local replaces Azure Stack HCI Consistent software platform, Portal, and APIs Low-spec, low-cost edge servers Simpler, smaller hardware for light computing requirements. NEW PREVIEW Disconnected operations Meet strict data residency regulations with a permanently disconnected option. NEW PREVIEW Connected servers (formerly Azure Stack HCI) Choose from over 100 hyperconverged server platforms from major OEMs. GA Existing customers of Azure Stack HCI will transition seamlessly to Azure Local with the next software update.

Introducing Azure Local Cloud infrastructure for distributed locations, enabled by Azure Arc Low-cost and rugged Connected servers Disconnected operations Ready for all your apps: VMs and containers alike Flexibility to meet your requirements and budgets Extend cloud security to your distributed locations Operate and scale with the power of the cloud

Bring Azure app, data, and AI services anywhere Portal Copilot Identity Monitor Graph Defender Policy Billing Updates Support Management services Foundational services Kubernetes services Virtual machines Storage paths Logical networks App Service Functions Logic Apps Arc-enabled SQL Server Managed instance PostgreSQL Windows and Linux Azure IoT Operations Azure Virtual Desktop Local AI search (preview) Machine Learning Video Indexer NEW Cloud region Distributed location Enabled by Azure Arc

options for edge use cases Azure Stack HCI Requirements at launch Azure Local 1 Requirements at launch Windows Server certified Windows Server certified Min. 2+ machines 1+ machine Min. 4+ disks per machine 1+ SSD per machine 2 Min. 10 Gbps w/ RDMA 1 Gbps/2.5 Gbps Ethernet 3 Active Directory required Doesn’t require AD 4 NEW SuperMicro SYS-E302 Fan-less server Dell MC-4000r/z + MC-4510c Rugged two-sled chassis HPE MicroServer Gen11 Micro tower server Lenovo ThinkEdge SE350v2 Half-width, half-depth 1U Example possible solutions, pending validation 1 : Reduced requirements allowed up to maximum of 3-node cluster 2 : Excludes OS boot disk 3 : Must support Hyper-V virtualization 4 : In preview now, coming 2025

Introducing disconnected operations (preview) Satisfy regulatory requirements by operating permanently disconnected from the cloud Host backend Azure resource manager, portal, and services in local appliance VM Subset of services available: Portal ARM Registries Key Vaults Policy 2 Local Machines Kubernetes Copilot AVD Defender Others Infrastructure Infrastructure Control plane Workloads Control plane 1 (appliance VM) Workloads Cloud region Distributed location Azure Local (connected) Azure Local 1 : Available only to customers who prequalify based on industry, use case, and other considerations 2 : Partial functionality NEW

Thank you