multicloud
Maximizing the multicloud advantage — Publishing and selling through the Microsoft marketplace
This post is part of a series on replicating apps from AWS to Azure. View all posts in this series.

For AWS-based software companies aiming to broaden their footprint, the marketplace offers a strategic path forward. By publishing your solution, you gain visibility across Microsoft’s digital storefronts—Azure Marketplace and Microsoft AppSource—as well as in-product experiences like the Azure Portal. This presence enables 24/7 global selling and simplifies procurement for enterprise customers, especially those with Azure Consumption Commitments who are motivated to buy Azure-based solutions through the marketplace. Publishing in Azure reduces friction when selling to Azure-centric enterprises, enables consistent branding and offer management across clouds, and allows you to leverage both ecosystems without duplicating engineering investments.

You can also join ISV Success to get access to over $126K USD in cloud credits, AI services, developer tools, and 1:1 technical consults to help you replicate your app and publish to the marketplace. To replicate your app faster, get cloud-ready reference code to replicate AWS apps to Azure.

1. Introduction

Unlock new growth opportunities by tapping into the marketplace and reach enterprise buyers more effectively. Whether you're migrating from AWS or building natively on Azure, the marketplace enables you to expand into new geographies, co-sell with Microsoft’s extensive salesforce, and simplify procurement for customers with pre-committed Azure spend. In this guide, we’ll walk you through the key steps to publishing and selling successfully—from selecting the right offer type to optimizing billing, pricing, and co-sell incentives.

Through the marketplace, your business can:

- Sell to millions of monthly shoppers: sell 24/7 across 141+ geographies, 17 currencies, and 50+ value-added tax IDs.
- Maximize your sales reach: sell directly on marketplace storefronts and in-product experiences used by 95% of Fortune 500 companies.
- Access pre-committed cloud budgets: stand out to the more than 85% of Microsoft customers with pre-committed Azure spend using the marketplace.
- Co-sell with 35,000 Microsoft sellers: sell even more with collaborative sales through the marketplace.
- Expand to new markets with recurring revenue: scale through 500,000 Microsoft partners, who can sell on your behalf or sell jointly to customers.

This article walks you through the essentials of publishing and selling through the marketplace, including offer types, billing and pricing models, tools, incentives, and financial programs that can accelerate your success.

2. Selecting the right marketplace offer type

When publishing to the marketplace, choosing the right offer type is key. Each type supports different ways customers use and deploy your solution.

Common offer types and what they’re best for:

- Software as a Service (SaaS): best for apps deployed on your Azure infrastructure that customers access through subscriptions. For customers who want a turnkey, ready-to-use, hosted solution with minimal set-up.
- Azure Virtual Machine (VM): best for software that runs on a pre-configured virtual machine. Similar to Amazon Machine Image (AMI) offers. For customers who want full control over a virtual machine running your software.
- Azure Container: ideal for containerized apps that customers deploy and run themselves, like Amazon Elastic Container Service (ECS) or Elastic Kubernetes Service (EKS). For customers who want to run your app in their own container environment.
- Azure Application: used to deploy multiple Azure resources like VMs, storage, or networking. This is ideal for customers who want packaged deployments that automate setup in the customer’s environment.

Azure also supports other offer types. See the full list at App Advisor – Offer Types.

3. How marketplace billing and pricing work

A key advantage of publishing through the marketplace is the seamless integration with Azure’s billing system, which simplifies procurement for customers and streamlines revenue collection for software development companies.

Integrated Azure billing

When customers purchase through the marketplace, charges are seamlessly applied to their existing Azure account, eliminating separate invoicing and procurement workflows. Purchases can count toward Azure Consumption Commitment, enhancing appeal for enterprise buyers, while customers benefit from consolidated billing and simplified expense tracking.

Publisher earnings

Microsoft manages billing and collection. After deducting a standard transaction fee, earnings are disbursed on a regular schedule—reducing overhead and ensuring predictable cash flow.

Pricing models

The marketplace supports a variety of pricing models to align with your business model and customer expectations:

- Flat-rate: a fixed monthly or annual fee for access to your solution.
- Per-user pricing: charges based on the number of users accessing the solution.
- Usage-based (metered): charges based on actual usage metrics (e.g., API calls, compute hours).

After choosing your pricing model, you can configure multiple tiered plans (SKUs) for different service levels or feature sets at varying prices. Renewing a private offer with an existing paid customer—whether the original deal was through the marketplace or not—reduces your transaction fee by 50% for the entire renewal term.

How to grow sales with negotiated deals

For many enterprise customers, closing deals means negotiating pricing and terms. Most co-sell deals also happen through negotiated terms. If co-selling with Microsoft sellers is a path you want to pursue, make sure you learn about these options.

- Private offers: depending on the plan you have selected, you can create personalized pricing and terms for specific customers that are only visible to them. Offers can include custom billing schedules, discounts, and contract durations.
- Multiparty private offers: if you sell through channel partners or need to for a specific deal, you can use multiparty private offers (MPO) to offer negotiated terms and pricing. MPO is currently available in the United States, United Kingdom and Canada, with support for more geographies coming soon.
- The Private Offers API allows you to programmatically create and manage custom deals with enterprise customers.

These capabilities allow you to maintain pricing flexibility while benefiting from the streamlined procurement and billing experience of the marketplace. Learn more on your options for negotiated deals through marketplace.

Transactable professional services

In addition to software, you can also list professional services (e.g., onboarding, training, consulting) as transactable items. This allows customers to purchase both your product and value-added services through a single, unified channel—further increasing your Azure Consumption Commitment alignment and revenue potential. These offers are currently not discoverable via storefront search and must be shared via direct link with customers. Transactable services are supported in select markets and must follow specific publishing guidelines. Learn more about selling transactable professional services.

4. Tools to help publish your marketplace offer

Microsoft provides a rich set of tools and resources to help ISVs confidently publish, manage, and grow their offers in the marketplace. These assets can streamline your journey and maximize your impact.

Joining as a partner to create and publish your marketplace offer

To publish and manage your marketplace apps, sign up for the Microsoft AI Cloud Partner Program and set up your Partner Center account. Partner Center is where you configure offers, manage referrals and claim incentives. The best way for software companies to sign up is to join ISV Success, which offers over $126K USD in benefits, including Microsoft products, Azure cloud credits, and technical consultations. See the benefits. You can also enroll as a partner through Partner Center without joining ISV Success.

Once your account is set up, assign roles to your team for tasks like publishing, marketing, and managing referrals. This helps streamline the marketplace process. Learn about the marketplace-specific roles needed to publish and manage apps, payout and tax settings, and access marketplace insights.

Step-by-step guidance through App Advisor

App Advisor provides curated step-by-step guidance—through replicating your app, publishing it to marketplace, and growing your sales—helping you make informed decisions at every stage.

Reference code on transactable webhooks

For SaaS publishers, implementing transactable webhooks is essential for provisioning, metering, and managing customer subscriptions. Microsoft offers reference implementations like the SaaS Accelerator, which simplifies webhook integration and accelerates time to market. The Mastering the Marketplace GitHub repo also provides hands-on code samples and walkthroughs to help you build production-ready integrations. You can review Mastering the SaaS Accelerator - Mastering the Marketplace.

Marketplace documentation and offer creation guides

Microsoft maintains detailed documentation to guide you through the publishing process, ensuring your offer is compliant, discoverable and optimized. The marketplace documentation hub organizes all the marketplace documentation for app publishers. The Publishing Guide by Offer Type provides technical and business requirements for each offer type (SaaS, VM, Container, etc.). The marketplace offer listings best practices help you craft compelling branding and go-to-market strategies.

Engaging with Microsoft to go-to-market

Microsoft offers multiple programs, incentives, and offerings to help you amplify your reach, earn by selling through marketplace, and differentiate in marketplace:

- Marketplace Rewards unlock benefits like listing optimization, up to $400K USD in Azure cloud credits, go-to-market support, and co-sell readiness.
- The Transact & Grow financial incentive can pay you up to $20K USD to sell through marketplace.
- Solutions Partner with certified software designations helps you stand out in the marketplace, differentiates you with Microsoft sellers, and grants you marketing and sales benefits.

Accelerating visibility, credibility, and access

Publishing through Azure gives you access to Microsoft’s extensive sales ecosystem, including:

- Microsoft field sellers, who can co-sell your solution to their accounts.
- Partner Center insights, which help you track performance and optimize your listing.
- Marketplace Rewards tiers, which unlock additional benefits as your offer gains traction.

Tip: enable a free trial period for your paid marketplace plans to get the most customer engagement in marketplace.

Visit this link to learn more about additional benefits: Transacting on the marketplace - Marketplace publisher | Microsoft Learn

5. Qualifying for Azure IP Co-sell to incentivize Microsoft sellers and help customers with commitments

Software companies can leverage Azure IP Co-sell (AZIPCS) to enhance enterprise reach, seller engagement, and deal velocity via the marketplace. Offers that achieve Azure IP co-sell eligibility gain these marketplace benefits:

- Marked as Azure benefit eligible for eligible customers in the marketplace and Azure Portal.
- Sales of your offer through the marketplace contribute toward customers' pre-committed cloud budget, otherwise known as Azure consumption commitment (MACC). This helps software companies align with enterprise procurement strategies and unlock larger opportunities.
- Microsoft sellers are highly interested in marketplace offers that can help customers meet their Azure consumption commitment.
- Co-sell deals are roughly 30% higher than non-co-sell deals.
- Co-sell deals tend to close 2x faster, compared to the average across all Microsoft-managed customers.

Requirements for Azure IP co-sell eligible offers

To qualify:

- Your marketplace offer must be configured to transact through the marketplace and have at least one non-$0 pricing plan.
- You need to create a co-sell solution for your offer.
- You must reach a company-level revenue threshold over the trailing twelve-month (TTM) period of either $100K USD of marketplace billed sales (MBS) OR Azure Consumed Revenue (ACR).

Learn how to make the most of co-sell.

Key resources:

- Microsoft Azure Migration Hub | Microsoft Learn
- Publishing to commercial marketplace documentation
- Get over $126K USD in benefits and technical consultations to help you replicate and publish your app with ISV Success
- Maximize your momentum with step-by-step guidance to publish and grow your app with App Advisor
- Accelerate your development with cloud-ready deployable code through the Quick-start Development Toolkit
- Earn exclusive benefits for your software company business with Marketplace Rewards
- Private offers overview - Marketplace customer documentation | Microsoft Learn
- Marketplace FAQs – Microsoft Tech Community

Unleashing the multicloud advantage: Identity and Access Management (IAM)
This post is part of a series on replicating apps from AWS to Azure. View all posts in this series.

As a software development company, expanding your marketplace presence beyond AWS Marketplace to include Azure Marketplace can open new doors to grow your customer base. Azure’s broad ecosystem and diverse user base offer a dynamic platform to enhance your application’s reach and potential. To ensure a smooth app replication, start by understanding the key differences between AWS IAM and Microsoft Entra ID. A clear grasp of these distinctions will help you transition identity management effectively while optimizing security and performance on Azure. This guide highlights these differences, maps comparable services, and provides actionable steps for a seamless IAM replication.

You can also join ISV Success to get access to over $126K USD in cloud credits, AI services, developer tools, and 1:1 technical consults to help you replicate your app and publish to Azure Marketplace.

This article addresses Identity and Access Management (IAM) and select identity services: Amazon Cognito vs. Microsoft Entra ID.

Identity and Access Management (IAM)

Identity and Access Management (IAM) is essential for securing and managing who can access resources, under what conditions, and with what specific permissions. AWS and Azure both offer robust IAM solutions to manage identities, roles, and policies, but they differ significantly in architecture, integration capabilities, and ease of use, particularly for software companies building SaaS solutions migrating from AWS to Azure.

Users, Groups, and Roles

AWS IAM creates users within an AWS account, grouping them into IAM User Groups, while Azure IAM manages users as directory objects in Microsoft Entra ID, assigning permissions via Azure RBAC. Both support MFA and identity federation through SAML, with Azure additionally enforcing Conditional Access based on location, device state, and user risk.

AWS IAM grants permissions using JSON-based policies, allowing roles to be assumed by users, AWS services, or external identities without permanent credentials. Azure IAM assigns permissions via RBAC to users, groups, and service principals, offering predefined and customizable roles. Azure supports federated identity for hybrid environments and integrates with on-premises Active Directory through Microsoft Entra ID.

Permissions and Policies

AWS IAM employs JSON-based policies for granular permissions across AWS services. Policies can be identity-based, directly attached to users or roles, or resource-based, applied directly to resources such as S3 buckets or DynamoDB tables. AWS supports temporary credentials via roles, which can be assumed by users, AWS services, or external federated identities. Azure RBAC leverages predefined roles (e.g., Global Administrator, Contributor, Reader) or custom roles, offering clear hierarchical permissions management across resource, resource group, subscription, or management group levels.

AWS also allows conditional permissions through advanced policy conditions (e.g., IP address, MFA status, tags). Azure IAM employs Conditional Access Policies, adjusting access based on location, device state, and user risk. AWS IAM grants access only when explicitly allowed, whereas Azure IAM evaluates role assignments and conditions before permitting actions. For multi-account and cross-tenant access, AWS IAM enables secure cross-account roles, while Azure IAM supports External Identities for inter-tenant collaboration. AWS IAM delegates administrative rights using roles and policies, whereas Azure IAM assigns administrative roles within organizations for delegated management.

AWS IAM enables controlled, temporary access to S3 objects using pre-signed URLs, which grant time-limited access to specific resources without modifying IAM policies. These URLs are often used for secure file sharing and API integrations.
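The policy-to-role translation that the Permissions and Policies comparison above describes, as an added Python example that is not code from this post or from Microsoft: it reads an AWS IAM policy, emits an Azure custom role definition, and reports everything the role alone cannot express (Deny statements, policy conditions, resource ARNs, unmapped actions) so it can be handled with Conditional Access, network rules or assignment scope instead. The S3-to-Microsoft.Storage operation table, the sample policy and the subscription scope are assumptions constructed for the example.

```python
"""Translate an AWS IAM identity policy into an Azure RBAC custom role definition.

Added illustration, not Microsoft or AWS tooling. The S3-to-Microsoft.Storage
table is an assumption chosen for the example; verify each entry against the
Azure resource provider operations reference before relying on it.
"""
import json

# Assumed mapping. Blob object operations are data-plane operations in Azure
# RBAC, so they belong in DataActions; listing blobs is covered by blobs/read.
S3_TO_AZURE = {
    "s3:GetObject": ("DataActions",
                     "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"),
    "s3:ListBucket": ("DataActions",
                      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"),
    "s3:PutObject": ("DataActions",
                     "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"),
    "s3:DeleteObject": ("DataActions",
                        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete"),
    "s3:GetBucketLocation": ("Actions", "Microsoft.Storage/storageAccounts/read"),
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _expand(action):
    """Resolve one IAM action (or a wildcard such as s3:Get*) against the table."""
    if action.endswith("*"):
        prefix = action[:-1]
        return [a for a in S3_TO_AZURE if a.startswith(prefix)]
    return [action] if action in S3_TO_AZURE else []


def translate_policy(policy, role_name, assignable_scope):
    """Return (role_definition, findings).

    What RBAC can express lands in the role; what needs another Azure control
    (Deny, Conditions, unknown actions, resource scoping) becomes a finding.
    """
    actions, data_actions, findings = set(), set(), []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            # Azure RBAC is default-deny and a role definition has no Deny
            # effect; the equivalent is simply not granting the permission.
            findings.append(f"statement {i}: Deny not expressible in a role "
                            f"definition; omit {_as_list(stmt.get('Action'))} instead")
            continue
        if "Condition" in stmt:
            # IP / MFA / tag conditions map to Conditional Access or storage
            # network rules, not to the role definition.
            findings.append(f"statement {i}: Condition {sorted(stmt['Condition'])} "
                            "needs Conditional Access or network rules, not RBAC")
        for raw in _as_list(stmt.get("Action")):
            expanded = _expand(raw)
            if not expanded:
                findings.append(f"statement {i}: no mapping for {raw}")
            elif raw.endswith("*"):
                findings.append(f"statement {i}: wildcard {raw} expanded to "
                                f"{len(expanded)} known actions; review for over-grant")
            for act in expanded:
                kind, op = S3_TO_AZURE[act]
                (actions if kind == "Actions" else data_actions).add(op)
        # ARNs become the scope of the role *assignment* (storage account or
        # container), not part of the role definition itself.
        findings.append(f"statement {i}: scope the assignment to the resources "
                        f"matching {_as_list(stmt.get('Resource'))}")
    role = {
        "Name": role_name,
        "IsCustom": True,
        "Description": "Generated from an AWS IAM policy; review findings before use",
        "Actions": sorted(actions),
        "NotActions": [],
        "DataActions": sorted(data_actions),
        "NotDataActions": [],
        "AssignableScopes": [assignable_scope],
    }
    return role, findings


# Constructed sample policy for the example (not from a real account).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Effect": "Allow", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-bucket/uploads/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    role, notes = translate_policy(
        SAMPLE_POLICY, "Replicated Blob Access",
        "/subscriptions/00000000-0000-0000-0000-000000000000")  # placeholder scope
    print(json.dumps(role, indent=2))
    print("\n".join(notes))
```

The emitted JSON is in the shape accepted by `az role definition create`, but the findings list is the real output: each entry is a control that has to be configured outside the role before the replicated app is as restricted as it was on AWS.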
In Azure, a similar concept exists with Shared Access Signature (SAS) keys, which provide scoped and time-limited access to Azure Storage resources like Blob Storage, Table Storage, and Queues. Unlike pre-signed URLs, SAS keys allow granular control over permissions, such as read, write, delete, or list operations, making them more flexible for temporary access.

Integration with External Identities

Both platforms provide Single Sign-On (SSO). AWS IAM uses AWS SSO. Microsoft Entra ID also supports SSO with SAML, OAuth, and OIDC. For federated identities, AWS IAM allows external users to assume roles, while Microsoft Entra ID assigns roles based on its access model. Hybrid environments are supported through on-premises directory integration. AWS IAM connects to Active Directory via AWS Directory Service, while Microsoft Entra ID integrates with on-prem AD using Microsoft Entra ID Connect, enabling hybrid identity management and SSO for cloud and on-prem resources. Both support automated user provisioning: AWS IAM utilizes AWS SSO and federation services, while Microsoft Entra ID supports SCIM 2.0 for third-party applications and syncs on-prem AD via Entra ID Connect.

AWS IAM enables ECS, EKS, and Lambda workloads to pull container images from Amazon Elastic Container Registry (ECR) using IAM roles. These roles grant temporary permissions to fetch container images without requiring long-term credentials. In Azure, Azure Container Registry (ACR) authentication is managed through Service Principals and Managed Identities. Instead of IAM roles, Azure applications authenticate using Entra ID, allowing containers to securely pull images from ACR without embedding credentials.

Access Control Models

AWS IAM uses a policy-based access model, where permissions are defined in JSON policies attached to users, groups, or roles. In contrast, Azure separates identity management via Microsoft Entra ID from access management via Azure RBAC, which assigns roles to users, groups, service principals, or managed identities to control access to Azure resources. Both provide fine-grained access control. AWS IAM sets permissions at the resource level (e.g., EC2, S3), while Azure uses Azure RBAC to assign Microsoft Entra ID identities roles that apply hierarchically at the resource, subscription, or management group levels. Both follow a default "deny" model, granting access only when explicitly allowed.

For multi-account and multi-tenant support, AWS IAM enables cross-account roles. Microsoft Entra organizations can use External ID cross-tenant access settings to manage collaboration with other Microsoft Entra organizations and Microsoft Azure clouds through B2B collaboration and B2B direct connect. Delegation is managed through IAM roles in AWS and RBAC role assignments in Azure. Conditional access is supported on both—AWS uses policy-based conditions (e.g., time-based, IP restrictions), while Microsoft Entra ID relies on Conditional Access Policies (e.g., location, device health, risk level). AWS allows cross-account policy sharing, while Microsoft Entra ID enables role-based delegation at different organizational levels. Both support cross-service permissions: AWS IAM policies can define access across multiple AWS services, while Azure uses Azure RBAC to assign Microsoft Entra ID identities permissions across Azure services such as Blob Storage, SQL Database, and Key Vault.

For workload authentication, AWS IAM roles provide temporary credentials for EC2, Lambda, and ECS, eliminating hardcoded secrets. In Azure, Microsoft Entra ID enables Managed Identities, allowing applications running on Azure services to authenticate securely to other Azure resources without managing credentials. Additionally, Microsoft Entra Workload Identities allow Kubernetes workloads—especially on AKS—to authenticate using Entra ID via OpenID Connect (OIDC), streamlining access to Azure services in containerized and multi-tenant environments.

In AWS, containerized workloads such as ECS, EKS, and Lambda use IAM roles to securely authenticate and pull images from Amazon ECR, avoiding hardcoded credentials. In Azure, containerized applications authenticate to Azure Container Registry (ACR) using Microsoft Entra ID identities—either Managed Identities or Service Principals. Permissions such as AcrPull are granted via Azure RBAC, enabling secure image access. Azure’s model supports cross-tenant authentication, making it particularly useful for ISVs with multi-tenant containerized SaaS deployments.

Cross-account storage access in AWS uses IAM roles and bucket policies for Amazon S3, allowing external AWS accounts to securely share data. In Azure, the equivalent is Microsoft Entra ID B2B collaboration combined with RBAC role assignments. This model avoids the need to share credentials or manage access via SAS tokens, streamlining collaboration in multi-tenant environments.

Audit and Monitoring

AWS IAM and Microsoft Entra ID both provide robust audit logging and monitoring. AWS CloudTrail logs IAM and AWS API calls for 90 days by default, with extended retention via CloudTrail Lake or Amazon S3. Microsoft Entra ID logs sign-ins, including failed attempts, retaining data for 7 days in the free tier and up to 30 to 90 days in Premium tiers. For longer retention, Log Analytics or Sentinel should be used.

For real-time monitoring, AWS CloudWatch tracks IAM activities like logins and policy changes, while Microsoft Entra ID Premium does so via Azure AD Identity Protection. AWS uses CloudWatch Alarms for alerts on permission changes, whereas Microsoft Entra ID alerts on suspicious sign-ins and risky users. AWS GuardDuty detects IAM threats like unusual API calls or credential misuse, while Microsoft Entra ID’s Identity Protection identifies risky sign-ins (Premium P2 required). AWS Security Hub aggregates findings from CloudTrail and GuardDuty, while Microsoft Entra ID integrates with Azure Sentinel for advanced security analytics. For IAM configuration tracking, AWS Config monitors policies and permissions, while Microsoft Entra ID’s Audit Log tracks role, group, and user changes.

AWS Artifact provides downloadable compliance reports. Microsoft Purview Compliance Manager enables customers to assess and manage their compliance across services like Entra ID and Azure using built-in control assessments. AWS CloudTrail logs IAM activity across AWS Organizations, and Microsoft Entra ID Premium supports cross-tenant access monitoring. Azure Lighthouse enables cross-tenant management for service providers, integrating with Microsoft Entra ID for delegated access without guest accounts. It applies RBAC across tenants and manages shared resources like Azure Blob Storage and virtual machines, streamlining ISV operations in marketplace scenarios.

Pricing

AWS IAM and Microsoft Entra ID provide core IAM services for free, with advanced features available in paid tiers. Both platforms support unlimited users for basic IAM functions, with AWS offering free user, role, and policy creation, while Microsoft Entra ID allows up to 500,000 objects (users/groups) at no cost. Additional users can be added for free, though advanced features require a paid plan.

MFA is free on both platforms, but Microsoft Entra ID includes advanced MFA options in Premium tiers. AWS does not have risk-based Conditional Access for free; Microsoft Entra ID includes it in Premium P1/P2 tiers (starting at $6 per user/month). Custom policies for fine-grained access control are free in AWS and Azure. Identity federation is free in AWS IAM, while Microsoft Entra ID requires a Premium P1/P2 plan. Microsoft Entra ID includes Self-Service Password Reset (SSPR) in Premium P1/P2, whereas AWS IAM does not offer it for free. Both platforms support RBAC at no extra cost. Directory synchronization is available via Microsoft Entra ID Premium P1/P2; AWS Directory Service is a paid managed AD service, not part of IAM.

AWS IAM doesn’t have a direct “guest user” concept; instead, you configure federated access or cross-account roles, whereas Microsoft Entra ID requires a Premium tier for Azure AD External Identities. Full API and CLI access for user, policy, and role management is free on both platforms. Advanced security monitoring is available through AWS GuardDuty and Security Hub at an extra cost; Microsoft Entra ID provides advanced security monitoring, such as risk-based conditional access, within Premium P1/P2 tiers. Both platforms offer free support for service principals, enabling secure application access and role assignments.

Amazon Cognito vs. Microsoft Entra ID

Amazon Cognito provides identity and access management for applications in AWS, while Azure offers this through Microsoft Entra ID, centralizing IAM tools for ISVs. The two differ in authentication, integration, and target audiences.

User management: Amazon Cognito uses User Pools for authentication and Identity Pools for federated identities. Microsoft Entra ID serves as a central identity directory for Azure, Microsoft 365, and third-party apps, integrating with on-prem AD.

Authentication methods: both support password-based login, MFA, passwordless authentication, and social sign-in. Amazon Cognito can be extended to support passwordless authentication with magic links, OTPs, and FIDO2 using AWS Lambda. Microsoft Entra ID supports native passwordless options like FIDO2, Windows Hello, and OTPs, plus risk-based conditional authentication.

Identity Federation & SSO: Amazon Cognito supports SAML, OAuth 2.0, and OIDC. Microsoft Entra ID offers enterprise SSO with SAML, OAuth, and WS-Federation, plus cross-tenant federation via Entra ID B2B.

Access Control & Security Policies: AWS relies on AWS IAM and custom logic for built-in RBAC or Attribute-Based Access Control (ABAC). Microsoft Entra ID includes RBAC, ABAC, and Conditional Access Policies for granular security control.

Self-Service & User Management: Amazon Cognito allows self-registration and password resets, with workflow customization via AWS Lambda. Microsoft Entra ID offers SSPR, access reviews, and an enterprise portal for account management.

Security & Compliance: Amazon Cognito provides monitoring via AWS CloudTrail and GuardDuty, compliant with HIPAA, GDPR, and ISO 27001. Microsoft Entra ID integrates with Microsoft Defender for Identity for threat detection, with compliance for HIPAA, GDPR, ISO 27001, and FedRAMP, plus risk-based authentication in premium tiers.

Migration best practices tips

When migrating IAM from AWS to Azure, organizations should:

- Assess existing AWS IAM policies and roles, mapping them carefully to Azure RBAC roles.
- Leverage Microsoft Entra Connect for seamless integration with existing on-premises Active Directory environments.
- Use Azure's Managed Identities and SAS tokens strategically to minimize credential management complexity.
- Implement Conditional Access Policies in Azure to dynamically secure and simplify access management.

Key Resources:

- Microsoft Azure Migration Hub | Microsoft Learn
- Publishing to commercial marketplace documentation
- Pricing Calculator | Microsoft Azure
- Azure IAM best practices
- Configure SAML/WS-Fed identity provider - Microsoft Entra External ID
- Maximize your momentum with step-by-step guidance to publish and grow your app with App Advisor
- Accelerate your development with cloud-ready deployable code through the Quick-start Development Toolkit

Azure Best Practices delivered to machines anywhere with new Azure Arc and Automanage integration.
Tired of manually onboarding and configuring Azure services for your Arc-enabled servers? With Azure Automanage Machine Best Practices, you can point, click, set, and forget to extend Azure security, monitoring, and governance services to servers anywhere.

Harnessing the multicloud advantage: Comparing AWS and Azure network designs
This post is part of a series on replicating apps from AWS to Azure. View all posts in this series. To simplify your app replication, understanding how AWS and Azure approach networking—such as routing, connectivity, private access, and hybrid integration—can help you quickly align infrastructure components across clouds. This ensures consistent performance, security, and connectivity for your customers as you extend your offer to Azure. You can also join ISV Success to get access to over $126K USD in cloud credits, AI services, developer tools, and 1:1 technical consults to help you replicate your app and publish to Azure Marketplace. To replicate your app faster get cloud-ready reference code to replicate AWS apps to Azure. Software development companies looking to migrate or replicate their applications from AWS to Azure need to understand how networking services in both platforms compare. While AWS and Azure offer similar networking capabilities, key differences in architecture and service offerings can impact the overall solution design. This article provides a comparative overview of the networking services in AWS and Azure, focusing on their unique features and distinctions. By understanding these differences, software companies can make more informed decisions when architecting cloud-native solutions on either platform. The article explores networking services at a high level, with a deeper dive into critical areas such as peering, routing, and elastic load balancing, where the platforms diverge most significantly. Networking services overview Virtual networks & subnets AWS uses Virtual Private Cloud (VPC) to create isolated networks, spanning all Availability Zones within a region. VPCs support public and private subnets, with VPC peering routing traffic between VPCs using private IPv4 or IPv6 addresses. Azure uses Virtual Networks (VNets), which provide isolation within a region and can span multiple Availability Zones. 
Azure's VNet peering connects multiple VNets, making them appear as one for connectivity purposes, routing traffic through Microsoft's private network. In AWS, subnets are confined to a specific AZ, while Azure subnets are not tied to a specific Availability Zone. This allows zonal resources to retain their private IPs even when placed in different zones within a region. Peering In AWS and Azure, transitive peering is not natively supported with standard VPC Peering connections. For example, VPC-A and VPC-C cannot communicate directly if they are only peered through VPC-B. To enable transitive routing, AWS offers Transit Gateway, which connects multiple VPCs, allowing traffic between VPC-A and VPC-C. Azure provides Azure Virtual WAN, a centralized hub-and-spoke architecture that simplifies global network connections with built-in transitive routing. VNet Peering uses static routing without BGP, while Azure Virtual WAN supports BGP for branch and ExpressRoute connectivity. Additionally, Azure Virtual WAN now supports BGP for inter-regional hub-to-hub routing, enabling dynamic route propagation across hubs, similar to AWS Transit Gateway peering across regions. See Azure Virtual WAN Pricing for cost considerations. Below is an example of Azure VNet Peering. Traffic management services AWS features Elastic Load Balancing (ELB) with Classic, Application, and Network Load Balancers. Azure has Azure Load Balancer, Azure Application Gateway, and Traffic Manager for load distribution and traffic management. Below is an application of Multi-region load balancing with Traffic Manager, Azure Firewall, and Application Gateway. AWS provides a suite of load balancers including Application Load Balancer (ALB) for Layer 7 traffic, Network Load Balancer (NLB) for high-performance Layer 4 workloads, and Classic Load Balancer (CLB) as a legacy option. 
These services integrate with a broad set of AWS offerings such as EC2, ECS, and Lambda, and are complemented by Global Accelerator for improving global traffic performance.

Azure's approach to traffic management is more modular. Azure Load Balancer handles Layer 4 traffic and comes in Basic and Standard SKUs for varying scale and resiliency. For Layer 7 scenarios, Azure offers Application Gateway with features like SSL termination and an integrated WAF. Azure Front Door adds global Layer 7 load balancing with content acceleration, while Azure Traffic Manager enables DNS-based routing with geo-failover. These services are often used in combination to build resilient architectures, rather than mirroring AWS's load balancer offerings one-to-one.

Content delivery and optimization

Both AWS and Azure provide robust content delivery network (CDN) services to accelerate the global delivery of content, applications, and APIs. AWS offers CloudFront, a globally distributed CDN service that integrates seamlessly with AWS services, enabling the fast delivery of web content, videos, and APIs to end users. On the Azure side, Azure Front Door acts as a modern, high-performance CDN that also includes advanced load balancing, security features, and seamless integration with Azure services. While both services focus on enhancing global content delivery, Azure Front Door goes a step further by offering enhanced scalability and secure user experiences for content-heavy applications and APIs.

Routing & gateways

AWS uses route tables associated with subnets in a VPC to direct traffic within and outside the network—for example, toward Internet Gateways, NAT Gateways, or VPN/Transit Gateways. Azure uses User-Defined Routes (UDRs), which can be applied to subnets in a Virtual Network (VNet) and managed centrally via Azure Network Manager.
The diagram shows a spoke network group of two VNets accessing a DNS service through a firewall, where UDRs created by Network Manager make this routing possible.

AWS relies on explicit route configurations and services like Transit Gateway for transitive routing across VPCs. Azure creates system routes by default and allows UDRs to customize traffic flow to resources like VPN Gateways, NAT Gateways, or Network Virtual Appliances (NVAs). For internet egress, Azure currently allows implicit SNAT via Standard Public IPs or Load Balancers without outbound rules, but this behavior will be retired on September 30, 2025. After that, outbound access will require explicit configuration using a NAT Gateway, a Load Balancer outbound rule, or Azure Firewall.

Both platforms provide VPN solutions for hybrid connectivity. AWS supports Site-to-Site VPN for linking on-premises data centers with VPCs, and Client VPN for individual users. Azure offers Site-to-Site (S2S) and Point-to-Site (P2S) VPNs, as well as VNet-to-VNet connections for secure inter-region communication. These VPN services work with their respective routing infrastructures to support secure hybrid and multi-region deployments.

DNS services

DNS plays a foundational role in service discovery and network communication across both AWS and Azure environments. AWS offers Route 53, a scalable DNS service that supports both public and private hosted zones. It provides features like health checks, weighted routing, and integration with AWS services for domain resolution. Azure delivers similar functionality through Azure DNS for public DNS hosting and Azure Private DNS for internal name resolution within VNets. Azure Private DNS zones can be linked to one or more VNets, enabling seamless name resolution without custom DNS servers. These services are often used alongside load balancers and private endpoints to ensure consistent, secure access to application components.
Private connectivity

Both AWS and Azure offer dedicated, high-performance private connections to enhance security and reduce latency for hybrid and multi-cloud architectures. AWS provides Direct Connect, which establishes a dedicated network connection from an on-premises data center to AWS. This ensures a more consistent network experience, particularly for workloads requiring low latency or high throughput. Similarly, Azure offers ExpressRoute, a private, dedicated connection from on-premises infrastructure to Azure, bypassing the public internet. These private links typically use technologies like MPLS or Ethernet, depending on the provider and partner, offering better performance and reliability than traditional VPNs. ExpressRoute connections are often used for mission-critical workloads, offering greater reliability, faster speeds, and enhanced security.

Security groups and network ACLs

Network-level security

AWS offers Security Groups (stateful) and Network ACLs (stateless) for network-level security. Security Groups are applied at the instance level, while NACLs work at the subnet boundary, adding an extra layer of filtering. Azure uses Network Security Groups (NSGs) and Application Security Groups (ASGs), which are fully stateful and simplify rule management. NSGs can be applied at both the subnet and network interface level. While Azure lacks a direct equivalent to stateless NACLs, NSGs typically offer enough granularity for most use cases. Azure also offers more granular traffic control with User-Defined Routes (UDRs) and the option to disable "Allow forwarded traffic" in virtual network peering settings. This ensures tight control or blocking of traffic even between peered VNets.

Web Application Firewall (WAF)

When it comes to Web Application Firewalls, AWS and Azure differ in design and deployment models. AWS WAF can be deployed as a standalone resource and attached to services like CloudFront, API Gateway, or the Application Load Balancer.
This offers a high degree of flexibility but may require more hands-on setup and configuration. In contrast, Azure WAF is designed to work in close integration with services such as Application Gateway and Azure Front Door. While not standalone, central WAF policies allow consistent policy reuse across deployments. From a performance perspective, AWS WAF is recognized for its robust application-layer controls and ability to handle high traffic loads efficiently. Azure WAF is often noted for its ease of setup and the depth of its reporting and diagnostics.

Private access to PaaS services and Private Endpoints

As cloud-native applications increasingly depend on managed services like storage, databases, and messaging queues, securely connecting to these services without exposing traffic to the public internet becomes a critical design consideration. In AWS, VPC Endpoints—available as Interface or Gateway types—allow private connectivity to supported services from within a VPC. Azure provides a similar capability through Private Link, which uses Private Endpoints to enable private access to Azure services such as Azure Storage, SQL Database, or even custom services behind a Load Balancer. Azure Private Link also supports private access to customer or partner services published via Azure Private Link Service. Both approaches improve security posture by keeping traffic on the cloud provider's internal backbone, reducing exposure to external threats. For software development companies building multi-tiered cloud-native applications, these features offer a straightforward way to lock down service-to-service communication without relying on public endpoints.

Endpoint policy management

In AWS, endpoint management is handled via VPC Endpoint Policies, API Gateway, and AWS PrivateLink. These resource-specific policies are applied to services like S3, DynamoDB, or API Gateway, offering granular control but requiring more configuration.
In contrast, Azure's endpoint management is more centralized. Services like Azure Application Gateway, Front Door, and Private Endpoint are governed through Network Security Groups (NSGs), Azure Firewall, and WAF policies. Azure's centralized policy enforcement, particularly for Private Endpoints, provides simplified access control and reduces the need for per-service configurations. AWS offers granular control at the cost of additional configuration complexity.

Service mesh for microservices

For applications composed of many microservices, managing east-west traffic, enforcing security policies, and gaining observability into service communication can become complex. A service mesh addresses these challenges by abstracting service-to-service communication into a dedicated infrastructure layer. AWS offers App Mesh, which integrates with ECS, EKS, and Fargate, providing features like traffic shifting, retries, circuit breaking, and mTLS encryption. Azure supports service meshes primarily through open-source solutions like Istio and Linkerd, facilitated by managed integrations via the AKS service mesh add-on, simplifying operations on AKS. Additionally, Azure provides Dapr, which complements a service mesh by addressing higher-level application concerns such as state management, pub/sub messaging, and simplified service invocation. For cloud-native software development companies adopting Kubernetes or containerized architectures, a service mesh brings consistency, security, and fine-grained control to internal traffic management.

Monitoring and observability

Azure Network Watcher provides tools for monitoring, diagnosing, and logging network performance across IaaS resources in Azure. Key features include topology visualization, connection monitoring, and various diagnostic tools like IP flow verification, NSG diagnostics, and packet capture. Additionally, Traffic Analytics provides insights into network traffic patterns.
These tools support both hybrid and fully cloud-based network infrastructures, enabling efficient troubleshooting and performance optimization. On the AWS side, VPC Flow Logs and Reachability Analyzer provide comparable visibility and connectivity diagnostics.

Key Resources:
Microsoft Azure Migration Hub | Microsoft Learn
Azure networking documentation
Compare AWS and Azure Networking Options - Azure Architecture Center | Microsoft Learn
SaaS Workloads - Microsoft Azure Well-Architected Framework | Microsoft Learn
Microsoft commercial marketplace documentation
Metered billing for SaaS offers in Partner Center
Create plans for a SaaS offer in Azure Marketplace
Metered billing with Azure Managed Applications
Set plan pricing and availability for an Azure Container offer in Microsoft commercial marketplace - Marketplace publisher
Configure pricing and availability for a virtual machine offer in Partner Center - Marketplace publisher
Get cloud-ready reference code to replicate AWS apps to Azure
Get over $126K USD in benefits and technical consultations to help you replicate and publish your app with ISV Success
Maximize your momentum with step-by-step guidance to publish and grow your app with App Advisor

Securing the multicloud advantage: AWS to Azure security model comparison
This post is part of a series on replicating apps from AWS to Azure. View all posts in this series.

As an Independent Software Vendor (ISV), extending your marketplace presence beyond AWS Marketplace by also offering on Azure Marketplace can unlock new opportunities to expand your customer base. With Azure's extensive network and diverse user base, it provides a vibrant platform to increase your application's visibility and capabilities. To streamline your app replication, understanding how AWS and Azure treat Identity and Access Management, data protection, threat detection and monitoring, compliance and certifications, and network security can help you map and adjust the security components of your app more quickly as you replicate, and ensure that your app and your customers' security are protected. You can also join ISV Success to get access to over $126K USD in cloud credits, AI services, developer tools, and 1:1 technical consults to help you replicate your app and publish to Azure Marketplace.

Overview of cloud security models

When moving your app from AWS Marketplace to Azure Marketplace, it's important to understand the key differences between AWS and Azure security models to ensure a smooth transition. Here are the main points you should keep in mind:

AWS: In AWS's shared responsibility model, AWS handles infrastructure security (like physical security and network controls), while you are responsible for securing your applications, data, and access controls. This includes managing network security, identity and access management (IAM), and data encryption. AWS uses services like Amazon GuardDuty and Amazon Inspector for threat detection and vulnerability monitoring.

Azure: Azure's shared responsibility model focuses on compliance and regulatory requirements. It offers integrated services to secure data, applications, and infrastructure, simplifying compliance.
Azure natively integrates with third-party security tools like Palo Alto Networks, Check Point, CrowdStrike, and McAfee via services like Microsoft Defender for Cloud and Microsoft Sentinel for centralized security and threat detection. Microsoft Entra ID works with third-party identity providers such as Okta and Ping Identity for flexible authentication and access management without being locked into a single vendor. The Azure Marketplace also offers pre-configured security solutions, simplifying deployment and integration of security tools while maintaining flexibility.

Understanding these differences can significantly ease the process and enhance the security of your cloud solutions, setting you up for success on both platforms.

Figure 1: https://learn.microsoft.com/en-us/azure/architecture/guide/security/security-start-here

Identity and Access Management (IAM)

IAM ensures that only authorized users and services can access cloud resources. AWS and Azure differ in how they manage user identities and permissions. Understanding these differences will help you map your AWS app to Azure by leveraging Azure's IAM services.

AWS: AWS uses IAM to centrally manage user identities and access permissions, with roles and policies defined in JSON for granular control. It also offers AWS Cognito for user identity management in custom applications and AWS SSO to simplify authentication across AWS accounts. While AWS IAM provides flexibility, it requires more manual configuration for complex use cases.

Azure: Azure uses Microsoft Entra ID (formerly Azure AD), a cloud-based identity and access management service that provides more integrated security, especially for enterprise environments. It supports Role-Based Access Control (RBAC), which simplifies permission management by assigning predefined roles to users or groups, and integrates seamlessly with Microsoft products like Office 365, Microsoft Entra ID Connect, and third-party applications.
It also offers advanced features like multi-factor authentication (MFA) and conditional access policies for context-based authentication. For ISVs migrating from AWS to Azure, Entra ID offers a more unified, scalable solution, particularly for hybrid environments and organizations with existing Microsoft infrastructure.

Feature | AWS IAM | Microsoft Entra ID
Core Access Model | RBAC | RBAC
Default Access | Implicit deny | Implicit deny
Policy Granularity | Fine-grained IAM policies | Granular access through Azure RBAC
MFA | Included for basic features | Basic MFA included; advanced with Microsoft Entra ID Premium
Conditional Access | Limited support | Advanced with Microsoft Entra ID Premium
Audit Logging | CloudTrail, CloudWatch | Sign-in logs, Azure Monitor
Cross-Account Access | IAM roles between AWS accounts | Microsoft Entra ID B2B across tenants
Federation | Supports external identity providers | Microsoft Entra External ID B2B/B2C
Role Delegation | Delegation within/across accounts | Delegation across subscriptions
Service Role | IAM roles for services | Managed identities for services
Custom Roles | Custom IAM policies | Custom Azure RBAC roles
Access to Resources | Fine-grained resource access | Resource, subscription, and management-group level
Compliance | AWS Artifact | Azure Compliance Manager
Risk Detection | AWS GuardDuty | Microsoft Entra ID Identity Protection through premium licenses
Temporary Credentials | IAM roles provide temporary credentials | Microsoft Entra ID PIM for temporary privileges through premium licenses
Cross-Service Permissions | IAM policies across services | Unified role model across services via Azure RBAC

Data protection

Understanding the differences in data protection between AWS and Azure is crucial for you as an Independent Software Vendor (ISV) navigating the migration process. Recognizing these distinctions will help you make informed decisions and ensure a smoother transition.

AWS: AWS offers key management through KMS, data classification with Macie, and monitoring with CloudTrail.
Key features include S3 Object Locking and robust encryption for data both at rest and in transit.

Azure: Azure uses Key Vault for key management, Purview for data classification, and provides Blob Storage versioning and immutability. It also offers built-in data retention, comprehensive auditing features, and advanced security via Microsoft Sentinel.

Feature | AWS Data Protection | Azure Data Protection
Data Encryption at Rest | Encryption by default on S3, EBS, RDS, etc.; encryption option for other services | Encryption by default on Blob Storage, Azure SQL DB, Azure Managed Disks, etc.; encryption options for other services
Data Encryption in Transit | SSL/TLS encryption | SSL/TLS encryption
Key Management | AWS KMS (encryption key management), CloudHSM (hardware-based key management) | Azure Key Vault (encryption key management), Dedicated HSM (hardware-based key management)
Bring Your Own Key (BYOK) | Supported | Supported
BYOK Key Rotation | Automatic | Automatic
Data Classification | Amazon Macie | Azure Purview
Data Masking | RDS column-level encryption | Azure SQL Database and Azure Synapse Analytics offer Dynamic Data Masking
Backup and Recovery | AWS Backup | Azure Backup
Data Retention Policies | AWS Data Lifecycle Manager | Azure Blob Storage lifecycle management
Compliance and Certifications | Various standards | Various standards
Data Loss Prevention | S3 Versioning | Blob Storage
Data Integrity and Authenticity | S3 Object Locking to enforce WORM protection for data immutability | Immutable Blob Storage features (WORM)
Network Data Protection | VPC with encryption, security groups, and network ACLs to protect data in transit; AWS Shield and WAF provide additional network-level security | VNet with encryption, network security groups (NSGs), and private endpoints to secure data in transit; DDoS Protection and WAF for network security
End-to-End Encryption | KMS or CloudHSM | Azure Key Vault, TLS
Data Deletion and Wiping | S3 Lifecycle Policies | Blob Storage secure deletion policies
File-Level Encryption | EFS encryption, including file-level encryption using KMS | Azure Files encryption using Azure Key Vault
Data Access Auditing | CloudTrail, CloudWatch | Azure Monitor, Security Center, and Microsoft Sentinel for advanced threat detection and alerting

Threat detection and monitoring

Both AWS and Azure offer robust tools for threat detection and monitoring, but Azure provides a more integrated approach, especially in hybrid and multi-cloud environments. Azure's services, such as Azure Security Center and Microsoft Sentinel, work seamlessly with third-party solutions like Palo Alto Networks, CrowdStrike, and McAfee, offering centralized management and easier threat detection.

AWS: AWS provides Amazon GuardDuty for threat detection and AWS Security Hub for centralized security monitoring. Additionally, CloudTrail logs API activity, and AWS Config monitors resource configurations.

Azure: Azure offers Azure Security Center for threat management and Microsoft Sentinel for SIEM and incident response. Microsoft Defender for Cloud protects various workloads across hybrid and multi-cloud environments.
Feature | AWS | Azure
Core Threat Detection | GuardDuty | Security Center
Real-Time Monitoring | Amazon CloudWatch | Azure Monitor
Anomaly Detection | GuardDuty | Security Center & Microsoft Sentinel
Advanced Threat Analytics | GuardDuty | Microsoft Sentinel
Threat Intelligence | GuardDuty | Microsoft Sentinel
Malware Detection | Amazon Macie | Microsoft Defender for Cloud
Log Management | Amazon CloudWatch Logs, AWS CloudTrail | Azure Monitor, Azure Log Analytics
Incident Response | Centralized Security Hub | Security Center & Microsoft Sentinel integrated management
Compliance Monitoring | AWS Config | Security Center
Vulnerability Scanning | AWS Inspector | Microsoft Defender for Cloud for Servers
Network Threat Detection | VPC Flow Logs & AWS Network Firewall | Azure Network Watcher & Azure Firewall
DDoS Protection | AWS Shield | Azure DDoS Protection
Behavioral Analytics | GuardDuty | Microsoft Sentinel
Cloud & Hybrid Environment Support | GuardDuty, AWS Security Hub & CloudWatch | Azure Security Center & Microsoft Sentinel
Automation & Orchestration | AWS Security Hub & Lambda | Microsoft Sentinel & Azure Logic Apps
External Threat Intelligence Integration | GuardDuty | Microsoft Sentinel
Integrated Endpoint Protection | AWS endpoint protection (via Amazon Macie, AWS Security Hub, and other services) | Microsoft Defender for Cloud for Endpoint (integrated with Microsoft Sentinel)

Compliance and certifications

Both AWS and Azure are highly compliant with international standards, offering a range of certifications to meet industry-specific requirements. However, they differ in their approach to compliance management. Azure integrates compliance into the platform via tools like Azure Policy, Microsoft Defender for Cloud, and Compliance Manager, enabling continuous management and policy enforcement. Azure's focus on hybrid and multi-cloud environments makes it a strong choice for complex compliance needs.

AWS: AWS offers a broad range of global compliance certifications, including ISO 27001, SOC 1/2/3, PCI-DSS, HIPAA, GDPR, and FedRAMP.
Compliance is primarily managed via AWS Artifact, which offers access to reports and documentation, with an emphasis on self-service tools for compliance across industries.

Azure: Azure supports a variety of compliance certifications, including ISO 27001, SOC 1/2/3, PCI-DSS, HIPAA, GDPR, and FedRAMP, and places greater emphasis on proactive compliance management. It integrates compliance into the platform via tools like Azure Policy and Compliance Manager. These tools help you manage compliance and enforce policies. Azure's focus on hybrid and multi-cloud environments, as well as industry-specific certifications, makes it a compelling choice for organizations with complex compliance needs.

Network security

Network security is crucial in any cloud environment, and both AWS and Azure provide tools to protect applications and data. While both offer strong security solutions, they differ in how they approach network security and integration. By understanding these differences, you can leverage Azure and its built-in services to build a robust and secure network.

AWS: AWS focuses on network isolation and scalable connectivity through VPC (Virtual Private Cloud), allowing you to create isolated virtual networks in the AWS cloud. This gives you complete control over IP address ranges, subnets, and routing, allowing for granular control. AWS provides AWS Shield for DDoS protection, AWS WAF (Web Application Firewall) to protect web applications, and AWS Transit Gateway to facilitate secure connectivity across VPCs and on-premises environments. While these tools offer extensive customization, they require a higher level of setup and integration to ensure robust security across complex environments.

Azure: Azure's approach to network security is centered around the Azure Virtual Network (VNet), which serves a similar purpose to Amazon VPC by allowing you to create isolated network environments in the Azure cloud.
Azure simplifies network management by providing built-in features for connectivity, including VNet Peering for secure connections between VNets, as well as integration with Azure ExpressRoute for private connections to on-premises infrastructure. Azure also offers Azure DDoS Protection for safeguarding applications from large-scale attacks, Azure Firewall for filtering traffic, and Azure Network Security Groups (NSGs), which provide detailed control over inbound and outbound traffic to resources within a VNet. The integration of these security tools with other Azure management services makes it easier for you to manage and enforce security policies in hybrid cloud and multi-cloud environments.

Aspect | AWS | Azure
Virtual Network Setup | Amazon VPC for isolated networks with subnets, route tables, and private/public IPs | Azure VNet with similar capabilities for isolated networks with segmented subnets and route tables
Firewall Services | AWS Network Firewall and AWS WAF for web app security | Azure Firewall and Azure WAF for web app protection
Private Connectivity | AWS Direct Connect | Azure ExpressRoute
Intrusion Detection | AWS GuardDuty for threat detection and monitoring | Azure Security Center with integrated threat protection and Microsoft Defender for Cloud
VPN Support | AWS VPN for secure site-to-site IPsec connections | Azure VPN Gateway for secure IPsec/IKE site-to-site connections
Network Segmentation | AWS Security Groups at the instance level; NACLs at the subnet level | Azure NSGs for instance traffic filtering and Application Security Groups for segmentation
DDoS Protection | AWS Shield with Standard and Advanced DDoS protection | Azure DDoS Protection with Standard and Basic plans
Load Balancing | AWS ELB for application and network load balancing | Azure Load Balancer and Application Gateway for layer 7 load balancing and WAF
Traffic Inspection | AWS Traffic Mirroring | Azure Network Watcher
Private Link | AWS PrivateLink | Azure Private Link
Bastion Hosts | AWS EC2 Instance Connect for secure SSH/RDP without public IPs; AWS Systems Manager Session Manager for remote instance connection | Azure Bastion for secure RDP/SSH to Azure VMs without public exposure
RDP/SSH Access | AWS Systems Manager Session Manager for secure, auditable EC2 instance access with no bastion host | Azure Bastion for secure, managed RDP/SSH VM access without open ports

Key Resources:
Publishing to commercial marketplace documentation
Pricing Calculator | Microsoft Azure
Get over $126K USD in benefits and technical consultations to help you replicate and publish your app with ISV Success
Maximize your momentum with step-by-step guidance to publish and grow your app with App Advisor
Accelerate your development with cloud-ready deployable code through the ISV quick-start development toolkit

Enable Change Tracking and Inventory for Arc Onboarded Machines (Windows and Linux)
Azure Arc simplifies governance and management by delivering a consistent way to manage your entire environment, projecting your existing multicloud/non-Azure and on-premises resources into Azure Resource Manager. Azure Arc has benefited multiple customers by delivering a consistent multicloud and on-premises management platform: patch management using Azure Update Manager, security using Defender for Cloud, standardized role-based access control (RBAC), Change Tracking, and more, for resource types hosted outside of Azure such as servers, Kubernetes, SQL Server, etc. Today, we will discuss and enable the Change Tracking service for Arc-onboarded devices. To know more about Azure Arc benefits and the onboarding process, refer to the link here.

Let's look at what the Change Tracking service does before we activate it. The Change Tracking and Inventory service tracks changes to files, registry, Windows software, Linux software (software inventory), and services and daemons. It also supports recursion, which allows you to specify wildcards to simplify tracking across directories.

Let's understand how to enable the Change Tracking and Inventory feature for an Arc-onboarded device.

Note: Please make sure that the Arc machines are registered and their status is shown as Connected before you turn on the feature, as seen below.

Go to Azure Policy, then Definitions, and filter the category by Change Tracking and Inventory. You need to enable all the built-in policies present in the Enable Change Tracking and Inventory for Arc-enabled virtual machines initiative for Arc-enabled Windows and Linux devices respectively.

1. Assign the Configure Windows Arc-enabled machines to install AMA for ChangeTracking and Inventory built-in policy (scope it to the subscription of the Arc-onboarded device). Make sure you have unchecked the parameter, verify that Effect is set to DeployIfNotExists, and create a remediation task. This will ensure existing resources can be updated via a remediation task after the policy is assigned. Similarly, assign the Configure Linux Arc-enabled machines to install AMA for ChangeTracking and Inventory built-in policy for Arc-onboarded Linux devices. Once configured using Azure Policy, the Arc machine will have the AMA agent deployed.

2. Assign the Configure Change Tracking Extension for Windows Arc machines built-in policy (scope it to the subscription of the Arc-onboarded device). Follow the same steps as mentioned in point 1. Similarly, assign the Configure Change Tracking Extension for Linux Arc machines built-in policy for Arc-onboarded Linux devices. Once configured using Azure Policy, the Arc machine will have the Change Tracking extension deployed.

3. Create a data collection rule.

a. Download the CtDcrCreation.json file. Go to the Azure portal and, in the search box, enter Deploy a custom template. In the Custom deployment page, under Select a template, select Build your own template in the editor. In Edit template, select Load file to upload the CtDcrCreation.json file, or just copy the JSON and paste it into the template, then select Save.

b. In the Custom deployment > Basics tab, provide the Subscription and Resource group where you want to deploy the Data Collection Rule. The Data Collection Rule Name is optional. Provide the Workspace Resource ID of the Log Analytics workspace (you will get the workspace ID on the overview page of the Log Analytics workspace).

c. Select Review + create > Create to initiate the deployment of CtDcrCreation. After the deployment is complete, select CtDcr-Deployment to see the DCR name. Go to the newly created Data Collection Rule (DCR) named Microsoft Ct-DCR, click JSON view, and copy the Resource ID.

d. Go to Azure Policy and assign the [Preview]: Configure Windows Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory built-in policy (scope it to the subscription of the Arc-onboarded device). Make sure you have enabled the parameter, paste the Resource ID captured above, and create a remediation task. Similarly, assign the Configure Linux Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory built-in policy for Arc-onboarded Linux devices. Once configured using Azure Policy, the Arc machine will have the Change Tracking extension deployed.

After all the policies are configured and deployed, go to the Arc device and you will be able to see that Change Tracking and Inventory is enabled.

June 2023 Release for Azure Arc-enabled SQL Server and Azure Arc-enabled SQL Managed Instance
The June release of Azure Arc-enabled SQL Server and Azure Arc-enabled SQL Managed Instance brings exciting new features and enhancements that simplify management and provide greater flexibility for database administrators.