Good day Of us!
This week’s updates all give attention to one thing we hear from IT professionals and platform engineers on a regular basis:
How can we make our environments safer, extra manageable, and simpler to modernize with out including extra complexity?
Whether or not you are working PostgreSQL workloads in Azure, securing Kubernetes storage, or planning your subsequent wave of SQL Server migrations, this week’s bulletins deliver sensible enhancements that may assist cut back operational overhead whereas strengthening your total platform technique.
We’ll take a look at three newly accessible capabilities:
- Replace #1 – Usually Accessible: Microsoft Defender safety assessments for Azure Database for PostgreSQL Versatile Server
- Replace #2 – Usually Accessible: Encryption in Transit for Azure Information NFS Shares in Azure Kubernetes Service (AKS)
- Replace #3 – Usually Accessible: Increasing Azure Arc SQL Migration with SQL Server on Azure Digital Machines
As at all times, I am approaching these updates from an infrastructure and operations perspective. I will cowl why every functionality issues, what to be careful for earlier than manufacturing deployment, and a few sensible steps you may take to start out evaluating them in your personal surroundings.
Let’s dig in.
This launch brings automated safety posture evaluation immediately into managed PostgreSQL environments. For ITPros, this issues as a result of database safety is commonly handled individually from infrastructure safety tooling, creating blind spots and silos.
What modified is that Defender now runs native vulnerability scanning and compliance checks in opposition to PostgreSQL configurations, patches, and the methods a database could possibly be uncovered to safety dangers or assault alternatives. As a substitute of counting on exterior scanners or handbook audits, you get platform-native assessments built-in together with your present Defender workflows.
The operational impression is critical: now you can implement safety baselines on the database layer with the identical consistency you apply to VMs and community sources, lowering the hole between infrastructure and information safety accountability.
Operationally, this improves your safety baseline enforcement and reduces the necessity for separate database safety evaluation instruments. It additionally strengthens how effectively you may show and show that safety controls are in place and dealing for compliance critiques the place regulators count on constant, documented safety controls.
Earlier than manufacturing rollout, validate that Defender price fashions suit your funds, that evaluation frequency aligns together with your change home windows, and that remediation steering maps to your patch and upkeep processes.
Stipulations embrace enabling Microsoft Defender for Cloud, registering the PostgreSQL Versatile Server supplier, and making certain community connectivity so assessments can attain the database endpoint.
- Allow Microsoft Defender for Cloud if not already lively, and guarantee PostgreSQL Versatile Server subscription protection.
- Register the goal PostgreSQL Versatile Server situations and ensure Defender has community visibility to the database endpoints.
- Run a baseline evaluation and evaluate preliminary findings to grasp present safety posture and customary remediation patterns.
- Prioritise findings by severity and enterprise impression, then schedule patches and configuration modifications in upkeep home windows.
- Monitor ongoing assessments and monitor remediation progress by way of Defender dashboards, validating that fixes cut back publicity scores.
This instance validates that Defender is actively assessing your PostgreSQL property. The sequence checks Defender standing, confirms PostgreSQL registration, and retrieves present evaluation scores.
Run these queries in a pilot subscription first to grasp information construction and anticipated output earlier than scaling to manufacturing databases.
az account set --subscription az safety sql-vulnerability-assessment baseline present --resource-group --server-name --database-name
az safety pricing present --subscription --query "[?name=='VirtualMachines' || name=='SqlServers' || name=='StorageAccounts'].[name,pricingTier]" -o desk
az supplier present --namespace Microsoft.DBforPostgreSQL --query "registrationState" -o tsv
Anticipated behaviour: Defender standing exhibits lively, PostgreSQL situations are registered with the supplier, and pricing tier displays your protection stage. If assessments don’t run, examine community guidelines, managed id permissions, and Defender plan activation. If baseline information is lacking, set off a handbook scan and anticipate completion.
- Azure replace: Microsoft Defender safety assessments for Azure Database for PostgreSQL Versatile Server
- Microsoft Defender for Cloud overview
- Azure Database for PostgreSQL safety
- SQL vulnerability assessments in Defender for Cloud
- Allow Defender for Cloud
This launch closes a major hole in information safety for Kubernetes workloads consuming NFS shares from Azure Information. Beforehand, NFS site visitors between AKS nodes and Azure Information was unencrypted, creating compliance and safety dangers for delicate workloads.
What modified is which you can now implement encryption for NFS communication on the Azure Information layer, not simply on the utility layer. That is necessary as a result of conventional NFS lacks built-in encryption, and counting on community isolation alone is more and more inadequate.
For ITPros managing regulated workloads (healthcare, finance, PII-sensitive information), this removes a management hole. Encryption in transit now turns into a platform-native function as an alternative of a workaround, lowering structure complexity and enhancing auditability.
The operational worth is stronger compliance posture and diminished assault floor for information in movement between containers and storage. It additionally simplifies the safety story when auditors ask about information safety controls.
Earlier than enabling in manufacturing, validate that NFS-over-TLS introduces acceptable latency overhead in your workload patterns, check failover and reconnection behaviour below encryption, and ensure that monitoring and logging nonetheless work appropriately.
Stipulations embrace working AKS with Azure CNI or Kubenet networking, having Azure Information with NFS 4.1 enabled, and making certain the NFS consumer libraries on container photographs assist TLS.
- Create an Azure Information NFS share with encryption in transit enabled and ensure TLS model alignment together with your safety requirements.
- Deploy a check AKS workload that mounts the NFS share and validate that pods mount efficiently with encrypted site visitors.
- Run efficiency baselines (throughput, latency, CPU overhead) earlier than and after enabling encryption to doc operational expectations.
- Monitor pod logs and Azure Information metrics throughout the check to verify no silent failures or sudden throttling happens.
- Roll out to manufacturing workloads in phases, with clear rollback standards tied to utility latency and error charges.
This instance validates that your AKS cluster can efficiently mount NFS shares with encryption enabled. The sequence checks cluster networking, confirms NFS connectivity, and checks mount success.
Run these instructions in a non-production cluster first to validate surroundings readiness earlier than touching manufacturing storage.
az aks present --resource-group --name --query "networkProfile.{networkPlugin:networkPlugin,networkPolicy:networkPolicy,podCidr:podCidr}" -o jsonc
az storage account present --resource-group --name --query "{identify:identify,sort:sort,accessTier:accessTier}" -o jsonc
kubectl get pvc -A --all-namespaces -o huge kubectl describe pv | grep -i nfs
Anticipated behaviour: cluster networking is correctly configured, storage account sort helps NFS, and PVC/PV sources present NFS mount factors. If mounts fail, examine community safety group guidelines, storage account firewall allowances, and subnet delegation. If latency will increase, monitor useful resource utilisation and alter workload placement if wanted.
- Azure replace: Encryption in Transit for Azure Information NFS Shares in Azure Kubernetes Service (AKS)
- Azure Information NFS assist
- Mount Azure Information with NFS in AKS
- Azure storage safety
- AKS networking ideas
This functionality brings SQL Server migration into the Azure Arc operational footprint, making a unified migration and stock expertise. For ITPros, this issues as a result of SQL Server modernisation is commonly fragmented throughout a number of instruments and groups.
What modified is which you can now uncover, assess, and execute SQL migrations by way of Arc-native workflows, utilizing the identical permissions and governance mannequin you have already got for infrastructure and hybrid sources.
The operational acquire is consistency: discovery information feeds migration planning, assessments floor blockers early, and rollout will be managed by way of the identical change and approvals processes you employ for different infrastructure migrations.
Operationally, this reduces tooling sprawl and improves coordination between infrastructure and database groups. Arc turns into your single management airplane for monitoring migration progress, managing runbooks, and accumulating audit proof.
Earlier than manufacturing use, validate that your SQL Server stock is full, that migration blockers are understood and addressed, and that your upkeep home windows can accommodate anticipated cutover timings.
Stipulations embrace Azure Arc agent deployment on supply VMs, Azure Database Migration Service readiness, and community connectivity to focus on Azure SQL sources.
- Deploy Azure Arc brokers to SQL Server VMs and ensure all situations report wholesome standing with full stock information.
- Run Arc-integrated SQL Server assessments to establish compatibility points, dependencies, and really helpful migration targets.
- Pilot migration for a non-critical workload to determine runbook patterns, measure cutover time, and validate post-migration validation procedures.
- Execute validation checks: connectivity, login success, database consistency checks, job execution, and utility integration checks.
- Scale migration in waves utilizing documented runbooks, with gates for monitoring information well being and utility efficiency after every cutover.
This instance validates Arc agent well being and SQL Server discovery completeness. The sequence ensures your Arc infrastructure is prepared for migration workflows.
Run these instructions as a part of your pre-migration guidelines to catch configuration gaps earlier than committing to migration timelines.
az account present --output desk az connectedmachine record --resource-group --query "[].{identify:identify,standing:standing,osName:osName}" -o desk
az useful resource record --resource-type Microsoft.AzureArcData/sqlServerInstances --query "[].{identify:identify,resourceGroup:resourceGroup,location:location}" -o desk
az connectedmachine machine extension record --resource-group --machine-name --query "[].{identify:identify,provisioningState:provisioningState}" -o desk
Anticipated behaviour: Arc brokers report wholesome standing, SQL Server situations are totally found with correct stock, and required extensions are provisioned efficiently. If discovery is incomplete, examine Arc agent connectivity, extension deployment, and SQL service working standing on supply VMs. If migration pre-checks fail, confirm SQL Server model compatibility and evaluate Defender logs for blocking points.
- Azure replace: Increasing Azure Arc SQL Migration with SQL Server on Azure Digital Machines
- Azure Arc SQL Server Overview
- Azure Arc-enabled servers
- SQL Server on Azure Digital Machines
- Azure Database Migration Service
For any new functionality this week, in the event that they map to your operational roadmap, run a managed pilot, measure the impression, after which scale with confidence. That’s how you progress the needle on modernisation whereas managing threat.
Cheers!
Pierre Roman
