Connecting the Dots: Azure Arc and the UK Public Sector

Friday 26th September 2025

 
Nathan Miller
Microsoft Program Manager
Author
 
Georgia Moore
Senior Public Sector Marketing Executive
Editor

Since the Cabinet Office’s Cloud First policy was introduced, most UK public bodies now run a blend of on‑premises systems, multiple public clouds and sensitive workloads that can’t simply “lift and shift.” The UK Government’s Cloud Guide for the Public Sector explicitly recognises that one size doesn’t fit all and endorses cross‑functional, hybrid approaches to achieve the right outcome for security, value, and delivery.

Azure Arc is designed for exactly this reality: it extends Azure governance, security and automation to any infrastructure (on‑prem, multi-cloud, and edge), so departments can modernise without a disruptive migration and monitor everything from a single pane of glass.

 

Govern consistently, everywhere.

Arc projects non‑Azure servers into Azure Resource Manager, so you can apply the same tags, RBAC and Azure Policy you use in Azure to resources running in your data centre or other clouds. That means consistent inventory, at‑scale policy compliance, and automated patching with Azure Update Manager, visible and auditable in the Azure portal. In practice, it reduces operational variance and speeds up assurance activities like internal audits.

 

Strengthen cyber resilience across estates

With Arc‑enabled servers, non‑Azure machines onboard directly into Microsoft Defender for Cloud, bringing posture management, vulnerability assessment and threat detection (via Microsoft Defender for Endpoint) into a single view across Azure and on‑premises.

Pairing this with Microsoft Sentinel allows you to correlate telemetry from all environments and respond faster to incidents, supporting NCSC’s emphasis on layered defence and shared responsibility. This aligns with the NCSC’s 14 Cloud Security Principles, which encourage buyers to evidence controls like data protection in transit, identity and authentication, and supply‑chain security when selecting and operating cloud services.

 

Make Kubernetes repeatable and compliant

Many UK services are now containerised, but estates are split between AKS and on‑prem clusters for latency, data or vendor reasons.

Arc‑enabled Kubernetes standardises operations using GitOps with Flux: platform teams declare the desired state (policy, namespaces, images, sidecars) in Git, and Arc enforces that state across clusters, at scale and with full auditability. You can even use Azure Policy to deploy Flux configurations automatically, ensuring new clusters inherit the same secure baseline by default.

 

Modernise commercials without a rewrite

Budget pressure is real. Arc offers pragmatic levers that move costs from CAPEX to OPEX while improving control:

  • Windows Server 2025 Pay‑as‑you‑Go (via Arc) licenses on‑prem and edge servers by usage through your Azure subscription, and brings included Arc management benefits like Update Manager and Change Tracking. It’s ideal for variable estates and short‑term capacity without upfront licensing.
  • SQL Server enabled by Azure Arc lets you consolidate core‑based licensing on an hourly basis, manage billing centrally and subscribe to Extended Security Updates (ESUs) for legacy versions—all while databases remain on‑prem or in other clouds.
  • Extend your MACC: as these services are billed via Azure and not as a traditional licence, you are able to decrement your MACC agreement and free up any additional spend.

 

Support Cloud First, NCSC guidance, and procurement routes

G‑Cloud and the Digital Marketplace eased procurement of cloud services aligned to UK policy. Microsoft publishes evidence against the NCSC Cloud Security Principles for Azure services in scope, helping buyers evaluate control coverage for OFFICIAL workloads (the vast majority of government data).

Arc builds on that by extending Azure governance and security to where your workloads already run, so you can meet policy aims without forcing workload moves that break risk or cost models.

 

Operate in restricted networks and at the edge

For departments with strict egress controls, or edge sites that are occasionally disconnected, Arc gateway for Azure Local (formerly Azure Stack HCI) reduces the number of endpoints needed to deploy and manage on‑prem infrastructure, simplifying firewall and proxy configuration.

That’s particularly valuable in estates with complex network segregation or where change control for outbound connectivity is slow.

 

An AI‑ready foundation (without cutting corners)

Every credible AI roadmap starts with well‑governed, secure infrastructure. Arc gives you a single control plane to enforce policy, patching and monitoring across legacy estates, so data platforms and app teams can adopt Azure AI services faster, without compromising on the compliance or operational readiness highlighted in the UK Cloud Guide.

 

A 60‑day path to value

  1. Connect a representative slice (e.g., 25–50 Windows/Linux servers spanning on‑prem and another cloud) to Arc using the standard onboarding script or at‑scale methods; verify they appear as Azure resources with the right tags and RBAC.
  2. Enable Defender for Servers and action top recommendations; confirm Defender for Endpoint integration where appropriate to close detection gaps across the estate.
  3. Attach one Kubernetes cluster and roll out a GitOps baseline with Flux plus Azure Policy so new clusters inherit the same secure configuration automatically.
  4. Pilot licensing optimisation: move a small Windows Server footprint to PAYG or switch one SQL instance to Arc PAYG/ESUs to validate commercials and operational flow.
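
Step 1's check that onboarded machines appear with the right tags can be run against an Azure Resource Graph export of the pilot estate. The following is an added example, not code from this article or from Microsoft; the required tag names and the sample rows are assumptions constructed for illustration, and RBAC assignments are not checked.

```python
import json

# Constructed sample rows, shaped like an Azure Resource Graph export.
# Arc-enabled servers have the resource type Microsoft.HybridCompute/machines.
SAMPLE_EXPORT = json.loads("""
[
  {"name": "app-web-01", "type": "microsoft.hybridcompute/machines",
   "tags": {"Owner": "digital", "Environment": "prod", "DataClassification": "OFFICIAL"},
   "properties": {"status": "Connected"}},
  {"name": "db-sql-02", "type": "microsoft.hybridcompute/machines",
   "tags": null, "properties": {"status": "Connected"}},
  {"name": "edge-lnx-03", "type": "microsoft.hybridcompute/machines",
   "tags": {"owner": "estates", "environment": "prod", "dataclassification": "OFFICIAL"},
   "properties": {"status": "Disconnected"}},
  {"name": "az-vm-04", "type": "microsoft.compute/virtualmachines",
   "tags": null, "properties": {}}
]
""")

# Assumption: the tags this organisation treats as mandatory (not from the article).
REQUIRED_TAGS = ("Owner", "Environment", "DataClassification")
ARC_SERVER_TYPE = "microsoft.hybridcompute/machines"


def audit_arc_servers(rows, required_tags=REQUIRED_TAGS):
    """Return {machine name: [findings]} for Arc servers failing the pilot checks."""
    findings = {}
    for row in rows:
        if row.get("type", "").lower() != ARC_SERVER_TYPE:
            continue  # native Azure resources are out of scope for this check
        issues = []
        # Azure tag names are case-insensitive; untagged resources export tags as null.
        tags = {k.lower(): v for k, v in (row.get("tags") or {}).items()}
        for tag in required_tags:
            if not str(tags.get(tag.lower(), "")).strip():
                issues.append(f"missing tag: {tag}")
        status = (row.get("properties") or {}).get("status", "Unknown")
        if status != "Connected":
            issues.append(f"agent status: {status}")
        if issues:
            findings[row["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in sorted(audit_arc_servers(SAMPLE_EXPORT).items()):
        print(f"{name}: {'; '.join(issues)}")
```
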

Azure Arc lets UK public‑sector teams meet Cloud First ambitions practically, by bringing Azure governance, security and automation to your workloads wherever they run, rather than forcing the workloads to move first.

Our next Public Sector Power Hour shows how Azure Arc helps UK organisations cut risk, control costs and accelerate digital transformation, while meeting Cloud First and NCSC guidance.
