Skip to content

Latest commit

 

History

History
59 lines (45 loc) · 11.9 KB

ALZ-Deprecated-Services.md

File metadata and controls

59 lines (45 loc) · 11.9 KB

Azure Landing Zones Deprecated Notices

In this section

Overview

As policies and services are further developed by Microsoft, one or more Azure Landing Zone (ALZ) components may be superseded and need to be deprecated. This article provides details as to those items and supporting documentation to help you remain up to date.

Deprecated policies

New Azure Policies are being developed and created by product groups that support their services and are typically of the built-in type. These new policies often replace legacy policies which get deprecated and usually provide guidance on which policy to use instead. Azure Landing Zones (ALZ) policies are not exempt from this, and over time some policies will be updated to leverage new built-in policies instead of ALZ custom policies. Through this process, custom ALZ policies will be deprecated when new built-in policies are available that provide the same capability, which ultimately reduces maintenance overhead for custom policies.

Policies being deprecated:

Deprecated ALZ Policy Superseded by policy
(includes link to AzAdvertizer)
Justification
Deploys NSG flow logs and traffic analytics
ID: Deploy-Nsg-FlowLogs
e920df7f-9a64-4066-9b58-52684c02a091 Custom policy replaced by built-in requires less administration overhead
Deploys NSG flow logs and traffic analytics to Log Analytics
ID: Deploy-Nsg-FlowLogs-to-LA
e920df7f-9a64-4066-9b58-52684c02a091 Custom policy replaced by built-in requires less administration overhead
Deny the creation of public IP
ID: Deny-PublicIP
6c112d4e-5bc7-47ae-a041-ea2d9dccd749 Custom policy replaced by built-in requires less administration overhead
Latest TLS version should be used in your API App
ID: 8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e
f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b Deprecated policy in initiative removed as existing policy supersedes it
SQL servers should use customer-managed keys to encrypt data at rest
ID: 0d134df8-db83-46fb-ad72-fe0c9428c8dd
0a370ff3-6cab-4e85-8995-295fd854c5b8 Deprecated policy in initiative replaced with new policy
RDP access from the Internet should be blocked
ID: Deny-RDP-From-Internet
Deny-MgmtPorts-From-Internet Deprecated policy as it is superseded by a more flexible policy
Deploy SQL Database Transparent Data Encryption
ID: Deploy SQL Database Transparent Data Encryption
86a912f6-9a06-4e26-b447-11b16ba8659f Custom policy replaced by built-in requires less administration overhead
Azure Machine Learning should have disabled public network access
ID: Deny-MachineLearning-PublicNetworkAccess
438c38d2-3772-465a-a9cc-7a6666a275ce Custom policy replaced by built-in requires less administration overhead
Public network access should be disabled for MariaDB
ID: Deny-PublicEndpoint-MariaDB
fdccbe47-f3e3-4213-ad5d-ea459b2fa077 Deprecating policies for MariaDB see ALZ Policy FAQ & Tips.
Diagnostic Settings for MariaDB to Log Analytics Workspace
ID: Deploy-Diagnostics-MariaDB
Deprecating due to service retirement Deprecating policies for MariaDB, see ALZ Policy FAQ & Tips
Deploy SQL Database Vulnerability Assessments
ID: Deploy-Sql-vulnerabilityAssessments
Deploy-Sql-vulnerabilityAssessments_20230706 Custom policy replaced by updated custom policy providing bug fix
Deploy Microsoft Defender for Cloud configuration
ID: Deploy-MDFC-Config
Deploy-MDFC-Config_20240319 Custom initiative replaced by updated custom initiative due to breaking changes
Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit
ID: Enforce-EncryptTransit
Enforce-EncryptTransit_20240509 Custom initiative replaced by updated custom initiative due to breaking changes
Deploy SQL Database built-in SQL security configuration
ID: Deploy-SQL-Security
Deploy-SQL-Security_20240529 Custom initiative replaced by updated custom initiative due to breaking changes
Configure SQL VM and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LAW
ID: Deploy-MDFC-DefenderSQL-AMA
de01d381-bae9-4670-8870-786f89f49e26 Custom policy replaced by built-in requires less administration overhead
Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL
ID: Deploy-MDFC-SQL-DefenderSQL
ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce Custom policy replaced by built-in requires less administration overhead
Configure SQL Virtual Machines to auto install Microsoft Defender for SQL and DCR with a user-defined LAW
ID: Deploy-MDFC-SQL-DefenderSQL-DCR
04754ef9-9ae3-4477-bf17-86ef50026304 Custom policy replaced by built-in requires less administration overhead
Configure SQL Virtual Machines to automatically install Azure Monitor Agent
ID: Deploy-MDFC-SQL-AMA
f91991d1-5383-4c95-8ee5-5ac423dd8bb1 Custom policy replaced by built-in requires less administration overhead
Configure Arc-enabled SQL Servers to auto install Microsoft Defender for SQL and DCR with a user-defined LAW
ID: Deploy-MDFC-Arc-Sql-DefenderSQL-DCR
63d03cbd-47fd-4ee1-8a1c-9ddf07303de0 Custom policy replaced by built-in requires less administration overhead
Configure Arc-enabled SQL Servers with DCR Association to Microsoft Defender for SQL user-defined DCR
ID: Deploy-MDFC-Arc-SQL-DCR-Association
2227e1f1-23dd-4c3a-85a9-7024a401d8b2 Custom policy replaced by built-in requires less administration overhead
Deploy User Assigned Managed Identity for VM Insights
ID: Deploy-UserAssignedManagedIdentity-VMInsights
Deprecating as it's no longer required User-Assigned Management Identity is now centralized and deployed by Azure Landing Zones to the Management Subscription.
Deploy Azure Monitor Baseline Alerts for Landing Zone
ID: Alerting-LandingZone
Alerting-KeyManagement
Alerting-LoadBalancing
Alerting-NetworkChanges
Alerting-RecoveryServices
Alerting-Storage
Alerting-VM
Alerting-Web
To provide more flexibility for future growth we are transitioning from a single Landing Zone policy initiative and instead we are adopting a modular approach by splitting the Landing Zone initiative into distinct components (initiatives)

IMPORTANT: note that we have deprecated ALL ALZ custom Diagnostic Setting features as part of Azure Landing Zones, which includes the initiatives and all 53 policies. These are being deprecated in favor of using (and assigning) the built-in initiative Enable allLogs category group resource logging for supported resources to Log Analytics

More Information

Deprecated services

  • Removed ActivityLog Solution as an option to be deployed into the Log Analytics Workspace, as this has been superseded by the Activity Log Insights Workbook, as documented here.

  • Removed Service Map solution as an option to be deployed, as this has been superseded by VM Insights, as documented here. Guidance on migrating and removing the Service Map solution can be found here.

  • Due to Microsoft Monitor Agent (MMA) planned for deprecation (August 2024) we have started to remove MMA from our reference implementations starting with the ALZ Portal (https://aka.ms/alz/portal) and following this will start to remove MMA from Bicep and Terraform before the planned deprecation date. Please see MMA Deprecation Guidance for more details.