Author Archives: Francesco Molfese

About Francesco Molfese

Francesco is a consultant, trainer, technical writer and Microsoft MVP focusing on public cloud, hybrid cloud, virtualization and datacenter management. Francesco has over 10 years of experience in architecting, implementing and managing IT solutions and he is currently employed as a Senior Consultant at Progel Spa an IT consulting company and Microsoft Certified Partner. Francesco is the Community Lead of the Italian User Group of System Center and Operations Management Suite (ugisystemcenter.org) and he is a frequent speaker at leading IT Pro conferences in Italy.

Azure Networking: characteristics of Global VNet peering

The Virtual Networks in Azure are logically isolated, to allow you to securely connect different Azure resources. The Global VNet peering in Azure provides the possibility of connecting virtual networks residing on different regions of Azure. This article discusses the benefits and current constraints imposed by the Global VNet peering. It will also show the procedure for activating a Global VNet peering.

Figure 1 - Sample connection of two Azure VNet in different regions

When you configure the peering between two virtual networks that reside in different regions of Azure, you expand the logical boundary and virtual machines attested on these VNet can communicate with each other with their own private IP addresses, without having to use gateway and public IP addresses. In addition, you can use the hub-and-spoke network model, to share resources such as firewalls or virtual appliances, even connecting virtual networks in different regions of Azure, through the Global VNet peering.

Benefits of Global VNet peering

The main benefits that can be obtained using the Global VNet peering to connect virtual networks are:

Figure 2 – Microsoft's backbone network

  • You can use a low-latency connectivity and with a high bandwidth.
  • Setup is simple and does not require gateway to establish VPN tunnel between different networks.

 

Current constraints of Global VNet peering

Currently there are some constraints that should be taken into account when making a Global VNet peering:

  • In the presence of a Global peering VNET you can not use the remote gateway (option "use remote gateways") and you can't allow the gateway transit (option "allow gateway transit") on the virtual network. These options are currently usable only when you make a virtual network peering with virtual networks residing within the same region of Azure. It follows then the Global VNet peering are not transitive, then the downstream VNet in a region cannot communicate, using this methodology, with the VNet to another region. For example,, assuming a scenario where between the vNet1 and the vNet2 there is a Global VNet peering and between vNet2 and vNet3 there is another Global VNet peering. In this case there will be no communication between the vNet1 and the vNet3. If needed, you can create an additional Global VNET peering to put them in communication.
  • For a resource that resides on a virtual network, is not allowed to communicate using the IP address of an internal Azure load balancer that resides on the virtual network in peer. This type of communication is allowed only if the source IP and the IP address of the Load Balancer are in the same VNet.
  • The Global VNet peering can be created in all Azure public regions, but not with VNet residing in Azure national clouds.
  • The creation of the Global VNet peering is allowed between VNet residing in different subscriptions, as long as they are associated with the same Active Directory tenant.
  • The virtual networks can inserted into peering if there is no overlapping in its address space. In addition, after the creation of the peering, if you need to modify the address space you must remove the peering.

 

Global VNet peering configuration

Configuring Global VNet peering is extremely simple. In the following images are documented the steps to connect two virtual networks created in different regions, in this case West Europe and Southeast Australia.

Figure 3 - Adding peering from VNet settings

Figure 4 - Configure the peering parameters

Selecting "Allow virtual network access", allows communication between two virtual networks. With this setting the address space of the VNet in peer is added to the tag Virtual_Network.

Figure 5 – Peering added, in state Initiated

The same operations, documented in Figure 3 and figure 4, must be repeat even on the Virtual Network that resides in the other region and with whom you want to configure the Global VNet peering. The communication will be activated when the status of the peering will be "Connected"on both VNet.

Figure 6 – Peering in state Connected

Selecting a virtual machine, attested on a virtual network configured with the global VNET Peering, you will see a specific route for VNet associated, as shown in the following figure:

Figure 7 – Effective route of the VNet in Global Peering

The Global VNet peering involves costs for inbound and outbound network traffic in transit in the peering and the cost varies depending on the areas covered. For more details you can refer to the official page of costs.

 

Conclusions

The Global VNet peering allows a great flexibility in managing in a simple and efficient way as various workloads can be connected, allowing to expand the possible implementation scenarios on Azure, without having to consider the geographical boundaries as a limit. Significant benefits can be obtained in particular in data replication and disaster recovery architectures.

Azure IaaS and Azure Stack: announcements and updates (September 2018 – Weeks: 36 and 37)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Virtual network service endpoints for Azure Key Vault

Virtual network service endpoints are generally available for Azure Key Vault in all public Azure regions.

 

Configure just-in-time virtual machine access from the VM blade

Just-in-time virtual machine access can now be configured from the virtual machine blade (in preview) to make it even easier for you to reduce your exposure to threats.

 

Filter VM sizes by current or previous generation

With a recent update to the virtual machine size picker, the default filter set will show current-generation virtual machine sizes only.

 

Announcing the Public Preview for Azure Active Directory Integration with Azure Files

Azure Files offers fully managed file shares in the cloud that are accessible via the industry standard SMB protocol. Integration with AAD enables SMB access to Azure file shares using AAD credentials from AAD DS domain joined Windows VMs.

 

 

Azure Stack

Managed Disks in Azure Stack

Azure Managed Disks simplifies disk management for Azure VMs by managing the storage accounts associated with the VM disks. You only have to specify the type (Premium or Standard) and the size of disk you need, and Azure creates and manages the disk for you. This work will bring more options and simplicity to Azure Stack users when working with VMs. This update applies primarily to Azure Stack users.

 

Ability to incrementally add capacity to Azure Stack

Azure Stack operators can now add a node to an existing Azure Stack scale unit within the supported scale unit limits. This enables Azure Stack operators to increase the capacity of a single Azure Stack, and specifics should be discussed with hardware partners.

 

Azure Stack support for Azure Backup

Azure Stack operators can now backup and recover guest OS, data disks, and volumes using Azure Backup. This new ability gives operators more options when developing a backup strategy for Azure Stack.

 

Azure Government cloud integration for Azure Stack

Azure Stack is now integrated with the Azure Government cloud, enabling connections to Azure Government identity, subscription, registration, billing, backup/DR, and Azure Marketplace. Azure Stack unlocks a wide range of hybrid cloud use cases for government customers, such as tactical edge and regulatory scenarios.

Azure Security Center: introduction to the solution

Azure Security Center is a cloud solution that helps prevent, detect and respond to security threats that affect the resources and workloads on hybrid environments. This article lists the main characteristics and features, to address the use cases and to understand the potential of the instrument.

Key features and characteristics of Azure Security Center

  • It manages security policies centrally. It ensures compliance with the safety requirements to be imposed on business and regulatory. Everything is handled centrally through security policies that can be applied to different workloads.

Figure 1 – Policy & Compliance Overview

Figure 2 – Policy management

  • It makes Security Assessment. It monitors the situation continuously in terms of security of machines, networks, storage and applications, in order to identify potential security problems.
  • It provides recommendations that you can implement. Are given indications that are recommended to implement to fix the security vulnerabilities that affect your environment, before they can be exploited in potential cyber attacks.

Figure 3 – Recommendations list

  • It assigns priorities to warnings and possible security incidents. Through this prioritization you can focus first on the security threats that may impact more on the infrastructure.

Figure 4 – Assigning severity for each report

Figure 5 – Assigning severity for each potential security incident detected

  • It allows to configure your cloud environment in order to protect it effectively. It is made available a simple method, quickly and securely to allowjust-in-time access to system management ports and applications running on the VM, by applying adaptive controls.

Figure 6 – Enabling Just-in-time VM access

  • It provides a fully integrated security solution. Allows you to collect, investigate and analyze security data from different sources, including the ability to integrate with third-party solution.

Figure 7 – Integration with other security solutions

 

The Cost of the Solution

Security Center is offered in two different tiers:

  • Free tier. In this tier Azure Security Center is completely free and provides visibility into security of resources residing only in Azure. Among the features offered there are: basic security policy, security requirements and integration with third-party security products and services.
  • Standard tier. Compared to tier free adds enhanced threat detection (including threat intelligence), behavioral analysis, anomaly detection and security incidents and reports of conferral of threats. The tier standard extends the visibility on the security of the resources that reside on-premises, and hybrid workloads. Through machine learning techniques and having the ability to create whitelist it allows to block malware and unwanted applications.

Figure 8 – Comparison of features between the available pricing tiers

For the Standard tier, you can try it for free for 60 days after that, if you want to continue using the solution, you have a monthly fee for single node. For more information on costs of the solution you can access to the official page of costs.

Figure 9 – Standard tier upgrade screen

To take advantage of all the Security Center features is necessary to apply the Standard Tier to the subscribtion or to the resource group that contains the virtual machines. Configuring the tier Standard does not automatically enable all features, but some of these require specific configurations, for example VM just in time, adaptive control of applications and network detection for resources in Azure.

 

Basic principles of operation

The collection of security data from systems, regardless of their location, is via the Microsoft Monitoring Agent, that it provides to its sending to a Log Analytics workspace. Security Center requires a workspace on which you enabled the following solution according to tier chosen:

  • Free tier: the Security Center enables the solution SecurityCenterFree.
  • Standard tier: the Security Center enables the solution Security. If in the workspace is already installed the solution Security & Auditit is used and nothing else is installed.

To save the data collected from the Security Center you can use a Log Analytics workspace created by default or select a specific one associated with the relative Azure subscription.

Figure 10 – Configuration of the workspace of Log Analytics where you collect the data

Conclusions

Azure Security Center is an appropriate, mature and structured solution to meet the security requirements for cloud, on-premises, or hybrid environments. Thanks to several features covered provides the knowledge that Microsoft has matured in the management of its services, combining it with powerful new technologies, as machine learning and big data, to treat and manage consciously and effectively the security.

Azure Site Recovery: the protection of Hyper-V virtual machines using Windows Admin Center

Among the various features that can be managed through Windows Admin Center, there is the possibility to simply drive the protection of virtual machines, present in a Hyper-V environment, with Azure Site Recovery (ASR). This article lists the necessary steps to follow and the possibilities offered by the Admin Center in this area.

Windows Admin Center, formerly known as Project Honolulu, allows through a web console, to manage the infrastructure in a centralized way. Thanks to this tool Microsoft has initiated a process of centralization in a single portal for all administrative console, allowing you to manage and configure your infrastructure with a user experience: modern, simple, integrated and secure.

Windows Admin Center requires no dependency with the cloud in order to function and can be deployed locally to gain control of different aspects of your local server infrastructure. In addition to the component Web Server, that allows access via browser to the tool, the Windows Admin Center consists of a component gateway, through which you can manage your server via Remote PowerShell and WMI over WinRM.

Figure 1 - Basic diagram of the architecture of Windows Admin Center

 

Connecting your Windows Admin Center gateway to Azure

Windows Admin Center also offers the opportunity to integrate with different Azure services, including Azure Site Recovery. In order to allow the Windows Admin Center gateway to communicate with Azure it is necessary to proceed with its registration process, by following the steps later documented. The wizard, available in the preview version of Windows Admin Center , making the creation of an Azure AD app in its own directory, which allows the Windows Admin Center communication with Azure.

Figure 2 - Start of the registration process from the Admin Center settings

Figure 3 - Generation of the code needed to log in

Figure 4 - Enter the code in the Device Login page

Figure 5 - Start the Azure authentication process

Figure 6 – Sign-in confirmation

Figure 7 – Selection of the Tenant where register the Azure AD app

Figure 8 - Guidance for providing permissions to the Azure AD app

Figure 9 – Assignment of permissions, from the Azure Portal, to the registered app

Figure 10 - Azure integration configuration completed

 

ASR environment configuration for protecting Hyper-V VMs

After configuring the connection of Windows Admin Center with Azure you can, selecting the Hyper-V system that holds the virtual machines to be replicated to Azure, proceed with the entire configuration of the Recovery Services vault, directly from the web console of Windows Admin Center. The steps below illustrate the simplicity of the activation.

Figure 11 – Start the configuration necessary for protecting VMs

From the Admin Center you are asked to provide basic information for the ASR environment configuration and it provides the ability to create a new Recovery Service vault or select an existing one.

Figure 12 – Configuration of the Hyper-V host in Azure Site Recovery

In the form proposed by the Windows Admin Center are offered only some values, therefore I advise you to proceed before to the creation of the Recovery Service vault and, on the previous screen, select an existing one, created with all configuration parameters at will and to suit your needs.

This step performs the following actions:

  • Install the ASR agent on the Hyper-V host or on all nodes in a cluster environment.
  • If you select to create a new vault it proceeds to the creation in the selected region and places it into a new Resource Group (assigning a default name).
  • It registers the Hyper-V system with ASR and configures a default replication policy.

Figure 13 - Site Recovery Jobs generated by the configuration

 

Virtual machine protection configuration

After the configuration of the previously reported activity is possible to activate the protection of virtual machines.

Figure 14 - Activation of the VM protection process

Figure 15 - Selection of the storage account and start of protection

At the end of the process of replication, you can validate the replication process by activating the test failover procedure from the Azure Portal.

 

Conclusions

Being able to interact with certain Azure services directly from Windows Admin Center can facilitate and speed up the administration of an hybrid datacenter. At the moment the possibility of integration with Azure Site Recovery are minimal and not suitable for complex scenarios. However, Windows Admin Center is constantly evolving and will be more and more enriched with new features to better interact with Azure services.

OMS and System Center: What's New in August 2018

In August have been announced, by Microsoft, a considerable number of news about Operations Management Suite (OMS) and System Center. Our community releases this monthly summary that gives you a comprehensive overview of the main news of the month, in order to stay up to date on these arguments and have the necessary references to conduct any insights.

Operations Management Suite (OMS)

Azure Log Analytics

As already announced in the article The management of Log Analytics from the Azure portal Microsoft has chosen to abandon the OMS portal, in favour of the Azure Portal. The date announced for the final withdrawal of the OMS portal is the 15 January 2019. As a result of this choice also creation of new workspace of Azure Log Analytics can be performed only from the Azure Portal. Trying to create a new workspace from the old OMS portal you will be redirected to the Azure portal to complete the task. Have not made any changes to REST API and PowerShell to create workspaces.

Even the Advanced Analytics Portal is incorporated into the Azure Portal. At the moment you can access this portal by logging on to Logs (preview) available in the workspace of Log Analytics.

Figure 1 - Advanced Analytics available in the Logs (preview) from the Azure Portal

 

Azure Automation

Managing updates through Azure Automation Update Management sees the addition of a new option for the deployment of the updates. When creating or editing an update deployment is now an option the Reboot, that allows you to control whether and when reboot systems. For more information please visit the official technical documentation.

Figure 2 – Reboot option available in the update deployment

In the functionality of Change Tracking the following changes have been made:

  • To track changes and make the inventory of the files in the Windows environment now you can use: recursion, wildcards, and environment variables. In Linux there is already the support for recursion and wildcards.
  • As for the changes that are processed in files, both Windows and Linux, introduced the ability to display the content of the changes.
  • Introduced the possibility to reduce the frequency with which Windows services are collected (frequency is expressed in seconds and runs from a minimum of 10 seconds to a maximum of 30 minutes).

Agent

This month the new version ofOMS agent for Linux systems fixes some bugs and introduces an updated version for several core components, that increase the stability, the safety and improve the installation process. Among the various news is introduced the support for Ubuntu 18.04. To obtain the updated version of the OMS agent you can access to the official GitHub page OMS Agent for Linux Patch v 1.6.0-163. In the case the OMS agent for Linux systems has been installed using the Azure Extension and if its automatic update is active, this update will be installed independently.

Figure 3 – Bug fixes and what's new for the OMS agent for Linux

 

Azure Site Recovery

For Azure Site Recovery was released theUpdate Rollup 27 introducing new versions for the following components:

  • Microsoft Azure Site Recovery Unified Setup/Mobility agent (version 9.18.4946.1): used for replication scenarios from VMware to Azure.
  • Microsoft Azure Site Recovery Provider (version 5.1.3550.0): used for replication scenarios from Hyper-V to Azure or to a secondary site.
  • Microsoft Azure Recovery Services agent (version 2.0.9125.0): used for replication scenarios from Hyper-V to Azure.

The installation of this update rollup is recommended in deployments where there are components and their respective versions below reported:

  • Unified Setup/Mobility agent version 9.14.0000.0 or later.
  • Site Recovery Provider (with System Center VMM): version 3.3. x. x or later.
  • Site Recovery Provider (for replication without VMM): version 5.1.3100.0 or later.
  • Site Recovery Hyper-V Provider: version 4.6. x. x or later.

For more information on the issues resolved, on improvements from this Update Rollup and to get the procedure for its installation is possible to consult the specific KB 4055712.

 

In Azure Site Recovery was introduced support for enabling disaster recovery scenarios Cross-subscription, for IaaS virtual machines, as long as belonging to the same Azure Active Directory tenant. This feature is very useful because often you have environments that use different Azure subscriptions, created primarily to have greater control of costs. Thanks to this new support you can more easily reach business continuity requirements creating disaster recovery plans without altering the topology of the Azure subscriptions in your environment.

Figure 4 - VM replica configuration to a different subscription target

 

Azure Site Recovery now can integrate with Veritas Backup Exec Instant Cloud Recovery (ICR) with the release of Backup Exec 20.2. Using ICR, Backup Exec users are able to configure replication of VMs on-premises to Azure and easily operate the DR plan if necessary, reducing the Recovery Point Objective (RPO) and the Recovery Time Objective (RTO). Instant Cloud Recovery requires a subscription Azure and supports Hyper-V and VMware virtual machines. For more details and references you can see thespecific announcement.

Azure Backup

In this interesting article there is the procedure to monitor all workloads protected by Azure Backup using Log Analytics.

System Center

System Center Configuration Manager

Released the version 1806 for the Current Branch (CB) of System Center Configuration Manager that introduces new features and major improvements in the product.

Among the main innovations of this update there is a new feature called CMPivot. It is a new utility available in the Configuration Manager console that can provide information in real time about connected devices in your environment. On this information you can apply filters and groupings, then perform certain actions.

Figure 5 – Features and benefits of CMPivot functionality

For a complete list of new features introduced in this version of Configuration Manager, you can consult theofficial announcement.

 

Released the version 1808 for the branch Technical Preview of System Center Configuration Manager. This update introduces the ability to perform a gradual release of software updates automatically. The button that allows you to configure this operation is shown in figure below and can be found in the console nodes All Software Updates, All Windows 10 Updates, and Office 365 Updates.

Figure 6 – Phased Deployment creation button

For more information about configuring Phased Deployments in Configuration Manager, you can refer to the Microsoft technical documentation .

I remind you that the releases in the Technical Preview Branch allows you to evaluate in preview new SCCM functionality and is recommended to apply these updates only in test environments.

 

System Center Operations Manager

Released the updated version of Microsoft System Center 2016 Management Pack for Microsoft Azure (version 1.5.20.18).

There are also the following news:

 

Evaluation of OMS and System Center

Please remember that in order to test and evaluate for free Operations Management Suite (OMS) you can access this page and select the mode that is most appropriate for your needs.

To try out the various components of System Center you must access theEvaluation Center and after the registration you can start the trial period.

System Center: guide to release options and roadmap

For System Center products you have the option of choosing two different release: Long-Term Servicing Channel (LTSC) or Semi-Annual Channel. In this article will be reported the features of each release model and what aspects should be taken into consideration to make the most correct choice. You will also see planned roadmap for releases of System Center products.

Characteristics of Semi-Annual Channel

The release channel defined Semi-Annual Channel is characterized by these elements:

  • Are released approximately two product releases every year. This releases include new features, improvements and resolution of issues.
  • The versions are identified by a four-digit number, two for the year and two for the month. To date, two versions have already been released, the 1801 (January 2018) and the 1807 (July 2018).
  • Given the rapid release cycles, there are not expected Update Releases (UR) for products belonging to this release channel.
  • The Semi-Annual Channel releases have a support of 18 months from the date of publication.
  • The use of products released in the Semi-Annual Channel is only open to Microsoft customers with a Software Assurance contract.

Considering the constant releases and the support period not particularly long, it follows that this channel is suitable for customers with the aim to innovate in a constant and fast way, to keep up with the rapid evolution of the cloud.

Characteristics of Long Term Servicing Channel (LTSC)

The release model defined Long-Term Servicing Channel (LTSC) has the following features:

  • A new major version of System Center is released approximately every two or three years. The latest version is now System Center 2016 and in the future will be released System Center 2019.
  • In the LTSC products receive updates, inclusive of security updates, through Update Releases (UR). The Update Releases (UR) do not contain the new features included in the releases belonging to the Semi-Annual Channel, which will be incorporated into the next release in the Long-Term Servicing Channel.
  • The products belonging to the LTSC have 5 years of mainstream support and more 5 years of extended support.
  • Products belonging to the Long-Term Servicing Channel (LTSC) may be adopted by our customers regardless of the licensing model that adhere (Software Assurance is not needed).

The use of the products in the Long-Term Servicing Channel (LTSC) is appropriate in case you want to have a longer period of service of products and greater stability of the services functionality.

Additional considerations

In terms of compatibility, unless several communications, the minimum requirements to use System Center products belonging to the Semi-Annual Channel are the same as the latest version of the System Center product released in Long-Term Servicing Channel.

Customers with Software Assurance can do theupgrade of products of System Center 2016 or 2012 R2 to System Center products released in the Semi-Annual Channel model. Upgrading from release of the Semi-Annual Channel towards release belonging to the LTSC is not supported.

System Center roadmap

For System Center products was announced by Microsoft the following roadmap:

Figure 1 – System Center Roadmap

The figure below lists the currently available versions of the System Center products, with a summary of the main features introduced.

Figure 2 – Current versions of System Center and main features

In addition to the upcoming release of the Update Release 6 of System Center 2016, in the coming year will be released System Center 2019 and the new release belonging to the Semi-Annual Channel. These releases introduce new functionality to provide integration and full support of Windows Server 2019. Following, there are the next planned releases for System Center:

Figure 3 – Future releases of System Center and main features

Other useful references

Conclusions

With this release model of new versions of System Center products, you should make a careful choice by establishing the most suitable for your needs and your business model. To do it in the best way you should be aware of the characteristics of each model and all that it follows from this choice.

Azure Networking: introduction to the Hub-Spoke model

A network topology increasingly adopted by Microsoft Azure customers is the network topology defined Hub-Spoke. This article lists the main features of this network architecture, examines the most common use cases, and shows the main advantages that can are obtained thanks to this architecture.

The Hub-Spoke topology

In a Hub-Spoke network architecture, theHub is a virtual network on Azure that serves as the point of connectivity to the on-premises network. This connectivity can be done through VPN Site to site or through ExpressRoute. The Spoke are virtual networks running the peering with the Hub and can be used to isolate workloads.

The architecture basic scheme:

Figure 1 – Hub-Spoke basic network architecture

This architecture is also designed to position in the Hub network a network virtual appliance (NVA) to control the flow of network traffic in a centralized way.

Figure 2 - Possible architecture of Hub vNet in the presence of NVA

In this regard it should be noted that Microsoft recently announced the availability of the’Azure Firewall, a new managed service and fully integrated into the Microsoft public cloud, that allows you to secure the resources present on the Virtual Networks of Azure. At the moment the service is in preview, but soon it will be possible to assess the adoption of Azure Firewall to control centrally, through policy enforcement, network communication streams, all cross subscriptions and cross virtual networks. This service, in the presence of Hub-Spoke network architectures , lends itself to be placed in the Hub network, in order to obtain complete control of network traffic.

Figure 3 - Positioning Azure Firewall in the Hub Network

For additional details on Azure Firewall you can see Introduction to Azure Firewall.

When you can use the Hub-Spoke topology

The network architecture Hub-Spoke is typically used in scenarios where these characteristics are required in terms of connectivity:

  • In the presence of workloads deployed in different environments (development, testing and production) which require access to the shared services such as DNS, IDS, Active Directory Domain Services (AD DS). Shared services will be placed in the Hub virtual network, while the various environments (development, testing and production) will be deployed in Spoke networks to maintain a high level of insolation.
  • When certain workloads must not communicate with all other workloads, but only with shared services.
  • In the presence of reality that require a high level of control over aspects related to network security and needing to make a segregation of the network traffic.

Figure 4 – Hub-Spoke architecture design with its components

The advantages of the Hub-Spoke topology

The advantages of this Azure network topology can be summarized as:

  • Cost savings, because shared services can be centralized in one place and used by multiple workloads, such as the DNS server and any virtual appliances. It also reduces the VPN Gateways to provide connectivity to the on-premises environment, with a cost savings for Azure.
  • Granular separation of tasks between IT (SecOps, InfraOps) and workloads (Devops).
  • Greater flexibility in terms of management and security for the Azure environment.

Useful references for further reading

The following are the references to the Microsoft technical documentation useful to direct further investigation on this topic:

Conclusions

One of the first aspects to consider when you implement solutions in the cloud is the network architecture to be adopted. Establish from the beginning the most appropriate network topology allows you to have a winning strategy and avoid to be in the position of having to migrate workloads, to adopt different network architectures, with all the complications that ensue.

Each implementation requires a careful analysis in order to take into account all aspects and to make appropriate assessments. It is therefore not possible to assert that the Hub-Spoke network architecture is suitable for all scenarios, but certainly it introduces several benefits that make it effective for obtaining certain characteristics and have a high level of flexibility.

What's new in Virtual Machine Manager 1807

Following the first announcement of the Semi-Annual Channel release of System Center, took place in February with the version 1801, in June has been released the new update release: System Center 1807. This article will explore the new features introduced in System Center Virtual Machine Manager (SCVMM) the update release 1807.

Networking

Information related to the physical network

SCVMM 1807 introduced an important improvement in the field of network. In fact, using the Link Layer Discovery Protocol (LLDP), SCVMM can provide information regarding connectivity to the physical network of Hyper-V hosts. These are the details that SCVMM 1807 can retrieve:

  • Chassis ID: Switch chassis ID
  • Port ID: The Switch port to which the NIC is connected
  • Port Description: Details on the port, such as the Type
  • System Name Manufacturer: Manufacturer and Software version details
  • System Description
  • Available Capabilities: Available features of the system (such as switching, Routing)
  • Enabled Capabilities: Features that are enabled on the system (such as switching, Routing)
  • VLAN ID: Virtual LAN identifier
  • Management Address: management IP address

The consultation of this information can be via Powershell or by accessing the SCVMM console: View > Host > Properties > Hardware Configuration > Network adapter.

Figure 1 – Information provided by SCVMM 1807 regarding the physical connectivity of Hyper-V hosts

These details are very useful for having visibility on the physical network and to facilitate troubleshooting steps. This information will be made available for Hyper-V hosts that meet the following requirements:

  • Windows Server Operating System 2016 or later.
  • Features DataCenterBridging and DataCenterBridging-LLDP-Tools enabled.

Conversion SET in Logical Switch

SCVMM 1807 can convert a Hyper-V Virtual Switch, created in Switch Embedded Teaming mode (SET), in a logical switch, using directly the SCVMM console. In previous versions of SCVMM this operation was feasible only through PowerShell commands. This conversion can be useful to generate a Logical Switch, that can be used as a template on different Hyper-V hosts that are managed by SCVMM. For more information on Switch Embedded Teaming (SET) I invite you to consult the article Windows Server 2016: the new Virtual Switch in Hyper-V

Support for host VMware ESXi v6.5

SCVMM 1807 introduced support for VMware ESXi host v 6.5 within its fabric. For what is my experience, even in environments that consist of multiple hypervisors, hardly you use SCVMM to manage VMware host. This support is important because it introduces the ability to convert VMs hosted on VMWare ESXi host 6.5 in Hyper-v VMs.

 

Storage

Support for selecting the CSV to use when adding a new disk

SCVMM 1807 allows you to specify, during the addition of a new virtual disk to an existing VM, in which cluster shared volumes (CSV) place it. In previous releases of VMM this possibility was not provided and by default the new virtual disks were placed on the same CSV where the disks that have been associated with the virtual machine were present. In some circumstances, such as in the presence of CSV with little free space available, this behavior could be inadequate and inflexible.

Figure 2 – Adding a new disk to a virtual machine by selecting which CSV place it

Support for the update of cluster Storage Spaces Direct (S2D)

In Virtual Machine Manager 2016 there is support for making the deployment of Storage Spaces Direct cluster (S2D). With SCVMM 1807 has also introduced the possibility of patching and update of Storage Spaces Direct cluster nodes, orchestrating the entire update process, which will use the baseline configured in Windows Server Update Services (WSUS). This feature allows you to more effectively manage the Storage Spaces Direct environment, cornerstone of the Software Defined Storage of Microsoft, that leads to the achievement of the Software Defined Data Center.

 

Statement of support

Support for SQL Server 2017

In SCVMM 1807 was introduced the support for SQL Server 2017 to host its database. This allows you to upgrade from SQL Server 2016 to SQL Server 2017.

 

Conclusions

The update release 1807 introduces several innovations in Virtual Machine Manager that greatly enrich it in terms of functionality. In addition, This update also addresses a number of issues listed in Microsoft's official documentation. It is therefore recommended to evaluate an update of the Virtual Machine Manager deployments, for greater stability and to take advantage of the new features introduced. Remember that the release belonging to the Semi-Annual Channel have a support period of 18 months.

To try out System Center Virtual Machine Manager, you must access to theEvaluation Center and after the registration you can start the trial period.

OMS and System Center: What's New in July 2018

Microsoft announces constantly news about Operations Management Suite (OMS) and System Center. As usual our community releases this monthly summary that provides a general overview of the main new features of the month, in order to stay up to date on these topics and have the necessary references to conduct further exploration.

Operations Management Suite (OMS)

Azure Log Analytics

The possible integration of Azure Data Factory (ADF) with Azure Monitor lets you send usage metrics to Operations Management Suite (OMS). The new solution Azure Data Factory Analytics, available in the Azure marketplace, can provide an overview of the State of health of the Data Factory, allowing you to go into detail of the information collected. This can be very useful for troubleshooting. It is also possible to collect metrics from different data factories to the same workspace of OMS Log Analytics. For configuration details required to use this solution, you can see the official documentation.

Figure 1 – Overview of the new Azure Data Factory Analytics solution

In Log Analytics, query execution introduces the ability to easily select the workspace on which to execute the queries.:

Figure 2 - Selection of the workspace on which to perform the Log Analytics query

The same possibility is also introduced in Azure Application Insights Analytics. This feature is useful because in each query tab you can select the specific workspace, avoiding having to open Log Analytics in different browser tabs.

In case they are collected custom logs in Azure Log Analytics, a separate category was created called "Custom Logs", where they are grouped.

Figure 3 – Grouping of custom logs in the specific category

For workspace of Log Analytics present in the region of West Europe, East US, and West Central was announced the availability in public preview of Metric Alerts for logs. The Metric alerts for logs allow you to use data from Log Analytics as metrics of Azure Monitor. The types of supported logs has been extended and the complete list is available at this link. For more information please visit the official documentation.

Azure Backup

In Azure Pricing Calculator, the official Microsoft tool for estimating the cost of Azure services, has been made possible to obtain a more accurate estimate of the costs of Azure Backup, allowing you to specify different retention range for the Recovery Points.

Figure 4 – New parameters to make a more accurate estimate of costs of Azure Backup

 

Azure Site Recovery

For Azure Site Recovery was released theUpdate Rollup 26 introducing new versions for the following components:

  • Microsoft Azure Site Recovery Unified Setup/Mobility agent (version 9.17.4897.1): used for replication scenarios from VMware to Azure.
  • Microsoft Azure Site Recovery Provider (version 5.1.3400.0): used for replication scenarios from Hyper-V to Azure or to a secondary site.
  • Microsoft Azure Recovery Services agent (version 2.0.9122.0): used for replication scenarios from Hyper-V to Azure.

The installation of this update rollup is recommended in deployments where there are components and their respective versions below reported:

  • Unified Setup/Mobility agent version 9.13.000.1 or later.
  • Site Recovery Provider version 5.1.3000 or later.
  • Hyper-V Recovery Manager 3.4.486 or later.
  • Site Recovery Hyper-V Provider 4.6.660 or later.

For more information on the issues resolved, on improvements from this Update Rollup and to get the procedure for its installation is possible to consult the specific KB 4344054.

Azure Automation

Regarding Azure Automation has been introduced the possibility to configure the Hybrid Runbook Workers so that they can execute only runbooks digitally signed (the execution of unsigned runbooks not fail). The procedure to be followed is reported in this section of the Microsoft's article.

System Center

Following the first announcement of the Semi-Annual Channel release of System Center, took place in February with the version 1801, this month has been released the new update release, System Center 1807.

The update release 1807 introduces new features for Virtual Machine Manager and Operations Manager, while for Data Protection Manager, Orchestrator and Service Manager contains fixes for known issues (including bug fixes present in the UR5 for System Center 2016, released in April).

What's new in Virtual Machine Manager 1807
  • Supports selection of CSV for placing a new VHD
  • Display of LLDP information for networking devices
  • Convert SET switch to logical switch
  • VMware host management: VMM 1807 supports VMware ESXi v6.5 servers in VMM fabric
  • Support for S2D cluster update
  • Support for SQL 2017
What's new in Operations Manager 1807
  • Configure APM component during agent install or repair
  • Linux log rotation
  • HTML5 Web console enhancements
  • Support for SQL Server 2017
  • Operations Manager and Service Manager console coexistence

For further details please visit the Microsoft official documentation:

System Center 1807 can be download from System Center Evaluation Center.

For all System Center products (DPM, SCORCH, SM, SCOM and VMM) you can now Update existing deployments going from SQL server 2016 to SQL server 2017.

Please remember that the release belonging to the Semi-Annual Channel have support for 18 months.

System Center Configuration Manager

Released the version 1807 for the branch Technical Preview of System Center Configuration Manager. The main novelty in this release is l & #8217; introduction of the new Community hub, through which you can share scripts, reports, configuration items and more, about Configuration Manager. Through the community hub, accessible from the SCCM console, you can introduce into your environment solutions provided by the community.

Among the new features in this release are also:

  • Improvements to third-party software updates
  • Co-managed device activity sync from Intune
  • Approve application requests via email
  • Repair applications
  • Admin defined offline operating system image servicing drive
  • Improvements to run scripts

Please note that the releases in the Technical Preview Branch help you evaluate the new features of SCCM and it is recommended to apply these updates only in test environments.

System Center Operations Manager

In order to configure the connection between Operations Management Suite (OMS) and System Center Operations Manager you must import the following new management packs, version-specific:

This change to the MPs was made necessary to allow proper communication with new APIs of OMS Log Analytics, introduced after moving towards the Azure Portal of Log Analytics.

Figure 5 - SCOM Wizard for the OMS onboarding

It is reported the new wave of System Center Operations Manager management packs released for SQL Server, now lined up to version 7.0.7.0:

In July were also released the following Management Packs for the Open Source software, version 7.7.1129.0, which include the following news:

Apache HTTP Server

  • Supports Apache HTTP Server version 2.2 and 2.4
  • Provides monitoring of busy and idle workers
  • Provides monitoring of resource usage – memory and CPU
  • Provides statistics for virtual hosts such as “Requests per Minute” and “Errors per Minute”
  • Provides alerting for SSL Certificate expiration

MySQL Server

  • Supports MySQL Server version 5.0, 5.1, 5.5, 5.6, and 5.7
  • Supports MariaDB Server version 5.5, and 10.0
  • Provides monitoring of databases
  • Provides monitoring of disk space usage for server and databases
  • Provides statistics for Key Cache, Query Cache, and Table Cache
  • Provides alerting for slow queries, failed connections, and full table scans

The following new MPs have also been released by Microsoft:

  • MP for Active Directory Federation Services version 0.2.0
  • MP for Active Directory Federation Services 2012 R2 version 1.10172.1
  • MP for Microsoft Azure version 5.20.18

Please also note the new community version (1807) of the Azure Management Pack, issued by Daniele Grandini.

Evaluation of OMS and System Center

Please remember that in order to test and evaluate for free Operations Management Suite (OMS) you can access this page and select the mode that is most appropriate for your needs.

To try out the various components of System Center, you can access theEvaluation Center and after the registration you can start the trial period.

Introduction to Azure Firewall

Microsoft recently announced the availability of a long-awaited service required by the users of systems in the Azure environment , it is the’Azure Firewall. The Azure Firewall is a new managed service and fully integrated into the Microsoft public cloud, that allows you to secure the resources present on the Virtual Networks of Azure. This article will look at the main features of this new service, currently in preview, and it will indicate the procedure to be followed for its activation and configuration.

Figure 1 – Positioning of Azure Firewall in network architecture

The Azure Firewall is a type of firewall stateful, which makes it possible to centrally control, through policy enforcement, network communication streams, all cross subscriptions and cross virtual networks. This service, in the presence of type of network architectures hub-and-spoke, lends itself to be placed in the Hub network, in order to obtain a complete control of the traffic.

The Azure Firewall features, currently available in this phase of public preview, are the following:

  • High availability (HA) Built-in: high availability is integrated into the service and are not required specific configurations or add-ons to make it effective. This is definitely an element that distinguishes it compared to third-party solutions that, for the configuration of Network Virtual Appliance (NVA) in HA, typically require the configuration of additional load balancers.
  • Unrestricted cloud scalability: Azure Firewall allows you to scale easily to adapt to any change of network streams.
  • FQDN filtering: you have the option to restrict outbound HTTP/S traffic towards a specific list of fully qualified domain names (FQDN), with the ability to use wild card characters in the creation of rules.
  • Network traffic filtering rules: You can create rules to allow or of deny to filter the network traffic based on the following elements: source IP address, destination IP address, ports and protocols.
  • Outbound SNAT support: to the Azure Firewall is assigned a public static IP address, which will be used by outbound traffic (Source Network Address Translation), generated by the resources of the Azure virtual network, allowing easy identification from remote Internet destinations.
  • Azure Monitor logging: all events of Azure Firewall can be integrated into Azure Monitor. In the settings of the diagnostic logs you are allowed to enable archiving of logs in a storage account, stream to an Event Hub, or set the sending to a workspace of OMS Log Analytics.

Azure Firewall is currently in a managed public preview, which means that to implement it is necessary to explicitly perform the enable via the PowerShell command Register-AzureRmProviderFeature.

Figure 02 – PowerShell commands for enabling the public preview of Azure Firewall

Feature registration can take up to 30 minutes and you can monitor the status of registration with the following PowerShell commands:

Figure 03 – PowerShell commands to verify the status of enabling Azure Firewall

After registration, you must run the following PowerShell command:

Figure 04 – Registration command of Network Provider

To deploy the Azure Firewall on a specific Virtual Network requires the presence of a subnet called AzureFirewallSubnet, that must be configured with a sunbnet mask at least /25.

Figure 05 – Creation of the subnet AzureFirewallSubnet

To deploy Azure Firewall from the Azure portal, you must select Create a resource, Networking and later See all:

Figure 06 - Search Azure Firewall in Azure resources

Filtering for Firewall will also appear the new resource Azure Firewall:

Figure 07 – Microsoft Firewall resource selection

By starting the creation process you will see the following screen that prompts you to enter the necessary parameters for the deployment:

Figure 08 – Parameters required for the deployment of the Firewall

Figure 09 – Review of selected parameters and confirmation of creation

In order to bring outbound traffic of a given subnet to the firewall you must create a route table that contains a route with the following characteristics:

Figure 10 - Creation of the Rule of traffic forwarding to the Firewall Service

Although Azure Firewall is a managed service, you must specify Virtual appliance as next hop. The address of the next hop will be the private IP of Azure Firewall.

The route table must be associated with the virtual network that you want to control with Azure Firewall.

Figure 11 - Association of the route table to the subnet

At this point, for systems on the subnet that forwards the traffic to the Firewall, is not allowed outgoing traffic, as long as it is not explicitly enabled:

Figure 12 – Try to access blocked website from Azure Firewall

Azure Firewall provides the following types of rules to control outbound traffic.

Figure 13 – The available rule Types

  • Application rules: to configure access to specific fully qualified domain names (FQDNs) from a given subnet.

Figure 14 - Creating Application rule to allow access to a specific website

  • Network rules: enable the configuration of rules that contain the source address, the protocol, the address and port of destination.

Figure 15 – Creating Network rule to allow traffic on port 53 (DNS) towards a specific DNS Server

Conclusions

The availability of a fully integrated firewall in the Azure fabric is certainly an important advantage that helps to enrich the capabilities provided natively by Azure. At the time are configurable basic operations, but the feature set is definitely destined to get rich quickly. Please note that this service is currently in preview, and no service level agreement is guaranteed and is not recommended to use it in production environments.