v0.18.0
Summary
This is a major release. It follows the update of Azure Landing Zones with its major policy refresh and the transition from the Microsoft Monitoring Agent (MMA) to the Azure Monitor Agent (AMA); you can read more on the "What's New" wiki page in the Enterprise-Scale repo. This release incorporates the following changes from the upstream Enterprise-Scale repo:
1. Policy Refresh H2 FY24
- Transition to built-in policies for the deployment of diagnostic settings (original assignments will be moved to new definitions).
- Transition to built-in policies for the deployment of Azure Monitor Agent.
Tip
See here for the updated list of all ALZ Default Policy Assignments
Policy Refresh H2 FY24 Cleanup
Existing consumers of ALZ will notice that some "assigned by default" initiative assignments from the ALZ Default Policy Assignment Module have been replaced/renamed to avoid breaking changes to existing assignments.
Therefore, the original assignments listed below will need to be deleted within your Azure environments:
| Initiative | Display Name | Original Assignment Name | New Assignment Name | Scope of Assignment |
| --- | --- | --- | --- | --- |
| Deploy-VM-Monitor | Legacy - Enable Azure Monitor for VMs | Deploy-VM-Monitoring | Deploy-VM-Monitor-24 | Landing Zones Management Group |
| Deploy-VMSS-Monitor | Legacy - Enable Azure Monitor for Virtual Machine Scale Sets | Deploy-VMSS-Monitoring | Deploy-VMSS-Monitor-24 | Landing Zones Management Group |
| Deploy-MDFC-Config | Deploy Microsoft Defender for Cloud configuration | Deploy-MDFC-Config | Deploy-MDFC-Config-H224 | Intermediate Root Management Group |
| Deploy-EncryptTransit | Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit | Enforce-TLS-SSL | Enforce-TLS-SSL-H224 | Landing Zones Management Group |
| Deploy-Diagnostics-LogAnalytics | Deploy Diagnostic Settings to Azure Services | Deploy-Resource-Diag | Deploy-Diag-Logs | Intermediate Root Management Group |
2. AMA Updates
The Microsoft Monitoring Agent (MMA) is deprecated, and all related assignment files have been removed, though the policy definition files remain. We now assign policies that deploy the Azure Monitor Agent (AMA) instead of MMA.
The ALZ team has published guidance you can use to understand the MMA deprecation (AMA migration) steps: aka.ms/alz/ama/blog
New resources
- A user-assigned managed identity (UAMI) for the AMA agent to authenticate with Azure Monitor (this requires no special role assignments; any valid identity will suffice)
- Data collection rule for VM Insights
- Data collection rule for Change Tracking
- Data collection rule for Defender for SQL
Microsoft Monitoring Agent (MMA) Cleanup
Because the MMA resources were deployed by Azure Policy (DeployIfNotExists effect), removing the assignments does not remove the resources; they will not be cleaned up automatically and must be removed manually. Please refer to the product group guidance on how to clean up the MMA resources.
Legacy Policy Cleanup
Existing consumers of ALZ will notice that some "assigned by default" initiative assignments from the ALZ Default Policy Assignment Module have been replaced/renamed to avoid breaking changes to existing assignments.
Therefore, the original assignments listed below will need to be deleted within your Azure environments:
| Assignment Name | Display Name | Scope of Assignment |
| --- | --- | --- |
| Deploy-MDFC-DefenSQL-AMA | Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace | Platform Management Group; Landing Zones Management Group |
| Deploy-UAMI-VMInsights | Deploy User Assigned Managed Identity for VM Insights | Landing Zones Management Group |
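The two cleanup tables above (the Policy Refresh H2 FY24 originals and the legacy AMA assignments) can be worked through with a single script. This is an added example, not part of the release or the ALZ Bicep modules; it assumes a logged-in Azure CLI, and the management group IDs are placeholders that you replace with your own hierarchy. It runs as a dry run by default and only deletes an assignment when it still exists at the stated scope.

```bash
#!/usr/bin/env bash
# Added example: remove the legacy ALZ policy assignments listed in the
# v0.18.0 release notes. Assumes "az" is logged in. Management group IDs
# below are placeholders for your own ALZ hierarchy.
set -euo pipefail

ROOT_MG="${ROOT_MG:-alz}"                     # Intermediate Root Management Group
PLATFORM_MG="${PLATFORM_MG:-alz-platform}"    # Platform Management Group
LZ_MG="${LZ_MG:-alz-landingzones}"            # Landing Zones Management Group

# Legacy assignment name and the management group it was assigned at,
# taken from the two cleanup tables in the release notes.
legacy_assignments() {
  cat <<EOF
Deploy-VM-Monitoring $LZ_MG
Deploy-VMSS-Monitoring $LZ_MG
Deploy-MDFC-Config $ROOT_MG
Enforce-TLS-SSL $LZ_MG
Deploy-Resource-Diag $ROOT_MG
Deploy-MDFC-DefenSQL-AMA $PLATFORM_MG
Deploy-MDFC-DefenSQL-AMA $LZ_MG
Deploy-UAMI-VMInsights $LZ_MG
EOF
}

mg_scope() { printf '/providers/Microsoft.Management/managementGroups/%s' "$1"; }

# Mode "dry-run" prints the delete commands; mode "apply" executes them,
# skipping assignments that no longer exist at that scope.
cleanup_legacy_assignments() {
  mode="${1:-dry-run}"
  legacy_assignments | while read -r name mg; do
    scope="$(mg_scope "$mg")"
    if [ "$mode" = "apply" ]; then
      if az policy assignment show --name "$name" --scope "$scope" >/dev/null 2>&1; then
        az policy assignment delete --name "$name" --scope "$scope"
        echo "deleted $name at $scope"
      else
        echo "not found: $name at $scope (already removed?)"
      fi
    else
      echo "az policy assignment delete --name $name --scope $scope"
    fi
  done
}

cleanup_legacy_assignments "${1:-dry-run}"
```

Run with `apply` as the first argument once the dry-run output matches what you expect to remove.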
Important
Going forward, this ALZ Default Policy Assignments Module and Logging Module will not support MMA and will only support AMA. If you wish to continue using MMA, you will need to manage it outside of these modules.
What's Changed
- Add OpenSSF Scorecard by @jaredfholgate in #789
- Enhancement: Policy Refresh H2 FY24 and Changes for AMA by @oZakari in #785
- bug: Fix invalid allowed value for hubRoutingPreference by @oZakari in #797
Breaking Changes
- With the fix for #780, we changed the allowed value within the param that specifies the hub routing preference from ASN to AsPath.
Full Changelog: v0.17.5...v0.18.0