Category Archives: Microsoft Azure

Azure IaaS and Azure Stack: announcements and updates (January 2019 – Weeks: 01 and 02)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Azure Migrate is available in Azure Government and Azure Asia

Azure Migrate now supports Azure Government and Azure Asia as a migration project location. This means that you can store your discovered metadata in an Azure Government region (US Gov Virginia) and in Asia region (Southeast Asia).

Note that the project geography does not restrict you from planning your migration for a different target location. Azure Migrate supports more than 30 regions as assessment target locations. The project geography is only used to store the discovered VM metadata.

General availability of Azure Data Box Disk

Azure Data Box Disk, an SSD-based solution for offline data transfer to Azure is now available in the US, EU, Canada, and Australia, with more country/regions to be added over time. Microsoft also is launching the public preview of Azure Data Box Blob Storage. When enabled, this feature will allow you to copy data to Blob Storage on Data Box using blob service REST APIs.

Azure Networking: security services overview

In the modern era of cloud computing, the tendency is to move more frequently workloads in the public cloud and to use hybrid cloud. Security is often perceived as an inhibitor element for the use of cloud environments. Can you extend the datacenter to the cloud while maintaining a high level of network security? How to ensure safe access to services in the cloud and with which tools? One of the main reasons to use Azure, for your own applications and services, is the possibility to take advantage of a rich set of functionality and security tools integrated in the platform. This article will be a overview of network security services in Azure, reporting guidelines and useful tips to best utilize the potential of the platform, in order to structure the network in Azure respecting all security principles.

In field Azure Networking are available different services for enabling connectivity to distinct environments, according to different modes, to activate the protection of the network and to configure the application delivery. All these services are integrated with monitor systems offered by Azure, going to create a complete ecosystem for the provision of network services.

Figure 1 – Azure Networking Services

In order to configure the network protection for Azure we find the following services, available natively in the platform.

Network Security Group (NSG)

The Network Security Groups (NSGs) are the main tool to monitor network traffic in Azure. By the rules of deny and permit you can filter communications between different workloads on an Azure virtual network. In addition, you can apply filters on communications with systems that reside on-premises, connected to the Azure VNet, or for communications to and from Internet. The Network Security Groups (NSGs) They can be applied on a specific subnet of a Azure VNet or directly on the individual network adapters of Azure virtual machines. The advice is to apply them if possible directly on the subnet, to have a comprehensive and more flexible control of ACLs. The NSGs can contain rules with Service Tags, They allow you to group with predefined categories of IP addresses, including those assigned to specific Azure services (examples. AzureMonitor, Appservice, Storage, etc.).

In the rules of Network Security Groups can be referred the Application Security Groups (ASGs). These are groups that contain network adapters of virtual machines on Azure. ASGs allow you to group multiple servers with mnemonic names, useful in particular for dynamic workloads. The Application Security Groups also enable you no longer have to manage in the rules of NSGs IP addresses of Azure virtual machines , as long as these IPs are related to VMs attested on the same VNet.

Figure 2 -Example of a NSG rule that contains a Service Tag and ASG

Figure 3 – Graphical display of network traffic segregation by NSG

Service Endpoints

Through the Virtual Network (VNet) service endpoints, you can increase the level of security for Azure Services, preventing unauthorized access. The vNet Service Endpoints allow you to isolate the Azure services, allowing access to them only by one or more subnets defined in the Virtual Network. This feature also ensures that all traffic generated from the VNet towards the Azure services will always remain within the Azure backbone network. For the supported services and get more details about this you can see the Microsoft documentation.

Figure 4 – Summary of Sevice Endpoints

Azure Firewall

The Azure Firewall is a firewall, fully integrated into the Microsoft public cloud, of type stateful, which makes it possible to centrally control, through policy enforcement, network communication streams, all cross subscriptions and cross virtual networks. Azure Firewall also allows you to filter traffic between the virtual networks of Azure and on-premises networks, interacting with connectivity that is through the Azure VPN Gateway and with Express Route Gateway. For more details about it you can see the article Introduction to Azure Firewall.

Figure 5 – Placement of Azure Firewall

 

Web Application Firewall

The application delivery may be made using the Azure Application Gateway, a service managed by the Azure platform, with inherent features of high availability and scalability. The Application Gateway is a application load balancer (OSI layer 7) for web traffic, that allows you to govern HTTP and HTTPS applications traffic (URL path, host based, round robin, session affinity, redirection). The Application Gateway is able to centrally manage certificates for application publishing, using SSL and SSL offload policy when necessary. The Application Gateway may have assigned a private IP address or a public IP address, if the application must be republished in Internet. In particular, in the latter case, it is recommended to turn on Web Application Firewall (WAF), that provides application protection, based on rules OWASP core rule sets. The WAF protects the application from vulnerabilities and against common attacks, such as X-Site Scripting and SQL Injection attacks.

Figure 6 – Overview of Application Gateway with WAF

DDoS protection

In Azure, DDoS protection is available in two different tiers: Basic or Standard.

The protection Basic is enabled by default in the Azure platform, which constantly monitors the traffic and enforces real-time mitigation of the most common network attacks. This tier provides the same level of protection adopted and tested by Microsoft online services and operates for the public IP addresses of Azure (IPv4 and IPv6). No configuration is required for the Basic tier.

The Azure DDoS Protection Standard provides additional mitigation capabilities compared to Basic tier, which are optimized specifically for the resources in Azure virtual network. Security policies are auto-configured and are optimized by a specific network traffic monitoring and by applying machine learning algorithms, that allow you to profile in the most appropriate and flexible way your application studying the traffic generated. In the moment in which the thresholds set in the policy of DDoS are exceeded, DDoS mitigation process is automatically started, and it is suspended when it falls below the traffic thresholds established. These policies are applied to all public IP of Azure (IPv4) associated with resources present in the virtual network, such as: virtual machines, Azure Load Balancer, Azure Application Gateway, Azure Firewall, VPN Gateway and Azure Service Fabric instances.

For more details about it you can see the article Protection from DDoS attacks in Azure.

Synergies and recommendations for the use of various security services

In order to obtain an effective network security and direct you in the use of the various components, are reported the main recommendations which is recommended to consider:

  • The Network Security Groups (NSGs) and the Azure Firewall are complementary and using them together you get a high degree of defense. The NSGs is recommended to use them to filter traffic between the resources that reside within a VNet, while the Azure Firewall is useful to provide network and application security between different Virtual Networks.
  • To increase the security of Azure PaaS services is advised to use the Service endpoints, which can be used in conjunction with Azure Firewall to consolidate and centralize access logs. To do this, you can enable the service endpoint in the Azure Firewall subnet, disabling the subnet present in the Spoke VNet.
  • Azure Firewall provides network protection Layer 3 for all ports and protocols, it also guarantees a level of application protection (Layer 7) for outbound HTTP/S traffic. For this reason, if you wish to make a secure application publishing (HTTP/S inbound) you should use the Web Application Firewall present in the Application Gateway, then associating it to Azure Firewall.
  • Azure Firewall can also be accompanied by third-party WAF/DDoS solutions.

All these security services, properly configured in a Hub-Spoke network architecture allow network traffic segregation, achieving a high level of control and security.

Figure 7 – Security services in a Hub-and-Spoke architecture

Conclusions

Azure provides a wide range of services that provide high levels of security, acting on different fronts. The security model that you decide to take, you can resize it and adapt flexibly, depending on the type of application workloads to be protected. A winning strategy can be obtained by applying a mix-and-match of different network security services, to get a protection on more layers.

Protection from DDoS attacks in Azure

A cyber attack of type distributed denial-of-service (DDoS attack – Distributed Denial of Service) is intended to exhaust deliberately the resources of a given system that provides a service to clients, such as a website that is hosted on web servers, to the point that it will no longer be able to provide these services to those who require it in a legitimate way. This article will show the security features that you can have in Azure for this type of attacks, in order to best protect the applications on the cloud and ensure their availability against DDoS attacks.

DDoS attacks are becoming more common and sophisticated, to the point where it can reach sizes, in bandwidth, increasingly important, which make it difficult to protect and increase the chances of making a downtime to published services, with a direct impact on company business.

Figure 1 – DDoS Attack Trends

Often this type of attack is also used by hackers to distract the companies and mask other types of cyber attacks (Cyber Smokescreen).

 

Features of the solution

In Azure, DDoS protection is available in two different tiers: Basic or Standard.

Figure 2 - Comparison of the features available in different tiers for DDoS Protection

The protection Basic is enabled by default in the Azure platform, which constantly monitors the traffic and enforces real-time mitigation of the most common network attacks. This tier provides the same level of protection adopted and tested by Microsoft online services and operates for the public IP addresses of Azure (IPv4 and IPv6). No configuration is required for the Basic tier.

The Azure DDoS Protection Standard provides additional mitigation capabilities compared to Basic tier, which are optimized specifically for the resources in Azure virtual network. Security policies are auto-configured and are optimized by a specific network traffic monitoring and by applying machine learning algorithms, that allow you to profile in the most appropriate and flexible way your application studying the traffic generated. In the moment in which the thresholds set in the policy of DDoS are exceeded, DDoS mitigation process is automatically started, and it is suspended when it falls below the traffic thresholds established. These policies are applied to all public IP of Azure (IPv4) associated with resources present in the virtual network, such as: virtual machines, Azure Load Balancer, Azure Application Gateway, Azure Firewall, VPN Gateway and Azure Service Fabric instances. This protection does not apply to App Service Environments.

Figure 3 – Overview of Azure DDoS Protection Standard

The Azure DDoS Protection Standard is able to cope with the following attacks:

  • Volumetric attacks: the goal of these attacks is to flood the network with a considerable amount of seemingly legitimate traffic (UDP floods, amplification floods, and other spoofed-packet floods).
  • Protocol attacks: These attacks are aiming to make inaccessible a specific destination, exploiting a weakness that is found in the layer 3 and in the layer 4 of the stack (for example SYN flood attacks and reflection attacks).
  • Resource (application) layer attacks: These attacks are targeting the Web application packages, in order to stop transmitting data between systems. Attacks of this type include: violations of the HTTP protocol, SQL injection, cross-site scripting and other attacks in level 7. To protect themselves from attacks of this type is not sufficient DDoS protection standard, but you must use it in conjunction with the Web Application Firewall (WAF) available in Azure Application Gateway, or with third-party web application firewall solution, available in the Azure Marketplace.

 

Enabling DDoS protection Standard

The DDoS protection Standard is enabled in the virtual network and is contemplated for all resources that reside in it. The activation of the Azure DDoS Protection Standard requires you to create a DDoS Protection Plan which collects the virtual networks with DDoS Protection Standard active, cross subscription.

Figure 4 – Creating a DDoS Protection Plan

The protection Plan is created in a particular subscription, which will be associated with the cost of the solution.

Figure 5 – Enabling DDoS protection Standard on an existing Virtual Network

The Standard tier provides a real-time telemetry that can be consulted via views in Azure Monitor.

Figure 6 – DDoS Metrics available in Azure Monitor

Any DDoS protection metrics can be used to generate alerts. Using the metric "Under DDoS attack"you can be notified when an attack is detected and DDoS mitigation action is applied.

DDoS Protection Standard applies three auto-tuned mitigation policies (TCP SYN, TCP & UDP) for each public IP address associated with a protected resource, so that resides on a virtual network with active the DDoS standard service.

Figure 7 – Monitor mitigation metrics available in Azure

To report generation, regarding the actions undertaken to mitigate DDoS attacks, you must configure the diagnostics settings.

Figure 8 – Diagnostics Settings in Azure Monitor

Figure 9 - Enable diagnostics of Public IP to collect logs DDoSMitigationReports

In the diagnostic settings it is possible to also collect other logs relating to mitigation activities and notifications. For more information about it you can see Configure DDoS attack analytics in the Microsoft documentation. The metrics for the DDoS protection Standard are maintained in Azure for Moniotr 30 days.

Figure 10 – Attack flow logs in Azure Log Analytics

How to test the effectiveness of the solution

Microsoft has partnered withBreakingPoint Cloud and, thanks to a very intuitive interface, it allows you to generate traffic, towards the public IPs of Azure, to simulate a DDoS attack. In this way you can:

  • Validate the effectiveness of the solution.
  • Simulate and optimize responses against incident related to DDoS attacks.
  • Document the compliance level for attacks of this type.
  • Train the network security team.

Costs of the solution

The Basic tier foresees no cost, while enabling the DDoS Protection Standard requires a fixed monthly price (not negligible) and a charge for data that are processed. The fixed monthly price includes protection for 100 resources, above which there is an additional unit cost for each protected resource. For more details on Azure DDoS Protection Standard costs you can see the Microsoft's official page.

Conclusions

The protection from DDoS attacks in Azure allows us to always have active a basic protection to deal with such attacks. Depending on the application criticality, can be evaluated the Standard protection, which in conjunction with a web application firewall solution, allows you to have full functionality to mitigate distributed denial-of-service attacks.

Azure IaaS and Azure Stack: announcements and updates (December 2018 – Weeks: 50 and 51)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Update rollup for Azure File Sync Agent: December 2018

An update rollup for the Azure File Sync agent was released this month which addresses the following issues:

  • A Stop error 0x3B or Stop error 0x1E may occur when a VSS snapshot is created.
  • A memory leak may occur when cloud tiering is enabled

More information about this update rollup:

  • This update is available for Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019 installations that have Azure File Sync agent version 3.1.0.0 or a later version installed.
  • The agent version of this update rollup is 4.2.0.0.
  • A restart may be required if files are in use during the update rollup installation.
  • Installation instructions are documented in KB4459990.

Automate Always On availability group deployments with SQL Virtual Machine resource provider

A new automated way to configure high availability solutions for SQL Server on Azure Virtual Machines (VMs) is now available using SQL VM resource provider.

Virtual Network Service Endpoints for serverless messaging and big data

Azure Event Hubs, a highly reliable and easily scalable data streaming service, and Azure Service Bus, which provides enterprise messaging, are the new set of serverless offerings joining the growing list of Azure services that have enabled Virtual Network Service Endpoints.

Azure Stack

Azure Stack 1811 update

The 1811 update package includes fixes, improvements, and new features for Azure Stack. This update package is only for Azure Stack integrated systems. Do not apply this update package to the Azure Stack Development Kit.

Azure Monitor: introduction to monitor service for virtual machines

In Azure Monitor was introduced a new service that allows you to monitor virtual machines, called Azure Monitor for VMs. This service analyzes the performance data and the status of virtual machines, makes the monitor of the installed processes and examines its dependencies. This article shows the characteristics of the solution and describes the procedure to be followed to effect the activation.

Features of the solution

The service Azure Monitor for VMs is divided into three different perspectives:

  • Health: the logical components present on board of the virtual machines are evaluated according to specific pre-configured criteria, generating alerts when certain conditions are met. This feature, at the moment, is present only for systems that reside in Azure.
  • Performance: shows summary details of performance, from the guest operating system.
  • Map: generates a map with the interconnections between the various components that reside on different systems.

This solution can be used on Windows and Linux virtual machines, regardless of the environment in which they reside (Azure, on-premises or at other cloud providers).

Azure Monitor for VMs requires the presence of a workspace of Log Analytics. Since this is a feature currently in preview, workspace are supported in these regions: West Central US, East US, West Europe and Southeast Asia. Enabling a Log Analytics workspace can occur according to these modes:

To identify the operating systems that are supported by this solution, please visit the Official Microsoft documentation.

 

How to enable Azure Monitor for VMs

To enable the solution for a single virtual machine, from the Azure Portal, it is possible to proceed by accessing the section Insights from the virtual machine:

Figure 1 – Enabling Azure Monitor for VMs on a single VM

Enabling the solution on a single virtual machine it is possible to choose which Log Analytics workspace use and possibly create a new one. The advice is to precede before with the creation of workspace, so you can assign a meaningful name. The workspace of Log Analytics must be configured as follows:

  • You must have installed the solutions ServiceMap and InfrastructureInsights. The installation of this solutions can be done via JSON templates, according to the instructions in this document.

Figure 2 – Presence of solutions ServiceMap and InfrastructureInsights

Figure 3 – Collecting the performance counters enabled on Log Analytics workspace

Azure Monitor for VMs requires Log Analytics agent on virtual machines, also the functionality of Map requires the installation of the Microsoft Dependency agent. This is an additional agent which relies on Log Analytics agent for the connection to the workspace.

If you want to enable the solution for systems in Azure, you can activate the Dependency agent using the appropriate extension, that do the installation. For virtual machines that reside on Azure you must install it manually or via a solution that automates the deployment (such as System Center Configuration Manager).

To enable this feature automatically on new virtual machines created in Azure environment and achieve a high level of compliance you can also use the Azure Policy. Through the Azure Policy you can:

  • Deploy the Log Analytics and Dependency agent.
  • Having a report on the status of compliance
  • Start remediation actions for non-compliant VMs.

Figure 4 – Adding an Assignment

Figure 5 - Initiative definition to enable Azure Monitor for VMs

Figure 6 - Check of the state of compliance of the Policy

 

Consulting data collected from the solution

To analyze and identify critical operating system events, detect suboptimal performance and network issues, you can refer to the data provided by this solution directly from VM or using Azure Monitor, in case you want to have an aggregated view of the various virtual machines. All this allows you to detect and identify if problems are related to specific dependencies on other services.

Figure 7 – State of Health of a single virtual machine

Figure 8 – Performance gathered from multiple VMs, accessible by Azure Monitor

Figure 9 – Dependencies Map of various services present on VMs, accessible by Azure Monitor

For more information about using the features of Health you can consult this Microsoft documentation, while the article View Azure Monitor for VMs Map shows how to identify and analyze the dependencies detected from the solution.

Costs of the solution

By activating the solution Azure Monitor for VMs, the data collected by the virtual machines are sent and maintained in Azure Monitor and can depend on several factors, such as the number of logical disks and network adapters. The costs are those related to Azure Monitor, which has costs on the basis of the following elements:

  • Data ingested and collected.
  • Number of health monitored criteria.
  • Alert rule created.
  • Notifications sent.

 

Conclusions

The service Azure Monitor for VMs allowing you to have a fully integrated tool in Azure to monitor the virtual machines and to obtain a complete control of systems, regardless of where they reside. This solution is also particularly useful to conduct troubleshooting operations in a simple and immediate way. This service, although it is currently in preview, is already full enough and it will be enriched soon with new features.

Azure IaaS and Azure Stack: announcements and updates (December 2018 – Weeks: 48 and 49)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Azure Dedicated Hardware Security Module (HSM)

The Microsoft Azure Dedicated Hardware Security Module (HSM) service provides cryptographic key storage in Azure and meets the most stringent customer security and compliance requirements. This service is the ideal solution for customers requiring FIPS 140-2 Level 3 validated devices with complete and exclusive control of the HSM appliance. Azure Dedicated HSM addresses a unique set of customer needs for secure key storage scenarios in Azure.

The Dedicated HSM service is available in eight Azure regions, namely East US, West US, South Central US, East US 2, Southeast Asia, East Asia, West Europe, and North Europe

Improving Azure Virtual Machine resiliency with predictive ML and live migration

Since early 2018, Azure has been using live migration in response to a variety of failure scenarios such as hardware faults, as well as regular fleet operations like rack maintenance and software/BIOS updates. The use of live migration to handle failures gracefully allowed us to reduce the impact of failures on availability by 50 percent. Using the deep fleet telemetry, Microsoft enabled machine learning (ML)-based failure predictions and tied them to automatic live migration for several hardware failure cases, including disk failures, IO latency, and CPU frequency anomalies. Azure team partnered with Microsoft Research (MSR) on building the ML models that predict failures with a high degree of accuracy before they occur. As a result, Microsoft is able to live migrate workloads off “at-risk” machines before they ever show any signs of failing. This means VMs running on Azure can be more reliable than the underlying hardware.

Update rollup for Azure File Sync Agent: December 2018

An update rollup for the Azure File Sync agent was released which addresses the following issues:

  • A Stop error 0x3B or Stop error 0x1E may occur when a VSS snapshot is created.
  • The server may become unresponsive because of a cloud-tiering memory leak.
  • Agent installation fails with the following error: Error 1921. Service ‘Storage Sync Agent’ (FileSyncSvc) could not be stopped. Verify that you have sufficient privileges to stop system services.
  • The Storage Sync Agent (FileSyncSvc) service may crash when memory usage is high.
  • Miscellaneous reliability improvements for cloud tiering and sync.

More information about this update rollup:

  • This update is available for Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019 installations that have Azure File Sync agent version 3.1.0.0 or a later version installed.
  • The agent version of this update rollup is 4.1.0.0.
  • A restart may be required if files are in use during the update rollup installation.

Installation instructions are documented in KB4459988.

Virtual network service endpoints for Azure Database for MariaDB (preview)

Virtual network service endpoints for Azure Database for MariaDB are accessible in preview in all available regions. Virtual network service endpoints allow you to isolate connectivity to your logical server from only a given subnet or set of subnets within your virtual network. Traffic to Azure Database for MariaDB from the virtual network service endpoints stays within the Azure network, preferring this direct route over any specific routes that take internet traffic through virtual appliances or on-premises.

How to reduce the cost of the cloud with Microsoft Azure

The evolution of the data center allows us to have solutions completely in the public cloud or hybrid scenarios where, the decision to use resources in the cloud, in addition to functional factors, must necessarily be made taking into consideration the fundamental aspect of costs. This article lists the directions that you can follow to achieve cost savings, maintaining their own application workloads on Azure.

Azure Reservations

The cost of various Azure services is calculated on the basis of resource usage and you can make an estimate of the cost by using the Azure pricing calculator.

If, of Azure resources in the environment, is done a continuous use is possible to evaluate the activation of Azure Reservations.

The Azure Reservation allow you to achieve cost savings up to 72% compared to the pay-as-you-go price , simply prepay in advance for one or three years the use of Azure resources. Currently, Azure resources that allow to obtain these discounts are: virtual machines, Azure SQL Database, Azure Cosmos DB and SUSE Linux. The purchase of this reservation can be made directly from the portal Azure and is feasible for customers who have the following types of subscription:

  • Enterprise agreement: in this area are not contemplated resources residing in Dev/Test subscription. It is possible to draw upon the Azure Monetary Commitment to purchase the Azure Reservation.
  • Pay-As-You-Go.
  • Cloud Solution Provider (CSP): in this case the purchase is feasible even from the Partner Center.

Among the Azure reservation there are:

  • Reserved Virtual Machine Instance: the reservation covers only the virtual machine's computational costs, and it does not cover the additional costs from software installed aboard the VM, from networking, or from storage utilization.
  • SQL Database reserved vCore: also in this case includes only computational costs, while the licenses are billed separately.
  • Azure Cosmos DB reserved capacity: the reservation covers the actual throughput of the resource, but does not cover the expected costs of storage and networking.
  • Suse Linux: saves on SUSE Linux Enterprise license costs.

How to buy the Azure Reservations from the Azure Portal

To purchase Reservations from Azure portal it is possible to follow the procedure given below.

Figure 1 – Adding Azure Reservation from portal and type selection

Figure 2 – Configuration of the parameters required for the Reserved Virtual Machine Instances

Figure 3 – Summary of Azure Reservations purchased

For more details about how the Reservation affect the calculation of Azure costs, you can consult the following Microsoft documents:

Hybrid Benefit

Another option to consider for reducing Azure costs is the use ofAzure Hybrid Benefit, that saves up to 40% on the cost of Windows Server virtual machines that are deployed on Azure. The savings is given from the fact that Microsoft allows you to pay only the cost of Azure infrastructure, while the licensing for Windows Server is covered by Software Assurance. This benefit is applicable both to the Standard and Datacenter version and is available for Windows Server 200 R2 or later.

Figure 4 – Cost structure for a Windows VM

The Azure Hybrid Benefit can be used in conjunction with the Azure Reserved VM Instance, allowing overall savings that can reach 80% (in the case of purchase of Azure Reserved Instance for 3 years).

Figure 5 – Percentages of savings by adopting RIs and Azure Hybrid Benefit

If you are not in the condition to use Azure Hybrid Benefit, the cost of Windows Server licensing is calculated based on usage time of the virtual machine and according to the number of cores.

The Azure Hybrid Benefit can also be used for Azure SQL Database and SQL Server installed on Azure virtual machines. These advantages facilitate the migration to cloud solutions and help to maximize the investments already made in terms of SQL Server licenses. For more information on how you can use the Azure Hybrid Benefit for SQL Server you can view FAQ in this document.

The cost savings, guaranteed by the use of Azure Hybrid Benefits, can be estimated using the tool Azure Hybrid Benefit Savings Calculator.

Recently Microsoft has conducted studies on the costs to be incurred to enable Windows Server and SQL Server in the cloud that highlight how, thanks to the use of Azure Reservations and Azure Hybrid Benefit, AWS is up to 5 times more expensive than Azure. The comparative between Azure and AWS costs is easily possible to evaluate with the instrument Azure vs.. AWS Cost Comparison.

Conclusions

Azure is definitely the most cost-effective choice to host in particular Microsoft workloads, being able to have lower cost thanks to the advantages provided by the Azure Reservation and the Azure Hybrid Benefit. In addition, thanks to the tool Azure cost management, made available for free to all Azure customers, you have the ability to monitor and optimize the costs of various Azure services.

Azure IaaS and Azure Stack: announcements and updates (November 2018 – Weeks: 46 and 47)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Azure Network Watcher enabled by default for subscriptions that contain virtual networks

Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network.

Network Watcher is now enabled by default for subscriptions that contain a virtual network. There is no impact to your resources or associated charge for automatically enabling Network Watcher. This will simplify and improve your network troubleshooting experience.

To learn more about Network Watcher features, or for information about how to opt out, see the product documentation. You can also get information about pricing.

 

Azure Availability Zones in Southeast Asia

Azure Availability Zones, a high-availability solution for mission-critical applications, is now generally available in Southeast Asia.

Availability Zones are physically separate locations within an Azure region. Each Availability Zone consists of one or more datacenters equipped with independent power, cooling, and networking. With the introduction of Availability Zones, we now offer a service-level agreement (SLA) of 99.99% for uptime of virtual machines.

Availability Zones are generally available in select regions.

 

Microsoft Azure is now certified to host sensitive health data in France

Microsoft Azure, Microsoft Office 365, and Microsoft Dynamics have been granted a Health Data Hosting (HDS) certification. This makes Microsoft the first major cloud provider capable of meeting the strict standards of storing and processing health data for data centers located in France, and under the new certification process that began in June 2018. This validates the very high level of safety and protection that Microsoft can offer to French healthcare entities, who will be able to rely on the Microsoft cloud to deploy the applications and health services of tomorrow. These applications and health services will also be in compliance with the current regulations on data protection and privacy.

 

Announced the Azure File Sync v4 release

Improvements and issues that are fixed:

  • Adds support for Windows Server 2019.
  • Adds a new date-based cloud tiering policy setting. This policy setting is used to specify files that should be cached if accessed in a specified number of days. To learn more, see Cloud Tiering Overview.
  • Fixes an issue in which cloud tiering can take up to 24 hours to tier files.
  • Improvement when adding a new server to an existing sync group. Files are now downloaded based on the recently Created\Modified date from other servers in the sync group.
  • Improves interop with antivirus and other solutions so that tiered files can now use the FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS attribute.
  • Fixes an issue in which servers are unable to communicate with the Storage Sync Service when app-specific proxy settings are used.
  • Fixes an issue in which deleting a server endpoint will no longer cause tiered files to become unusable as long as the cloud endpoint was not deleted and the server endpoint is recreated within 30 days.
  • Improves unattended agent installations by enabling including an answer file.
  • Adds support for a volume-level restore option on servers which have cloud tiering disabled.
  • Improves sync so that it now supports bidirectional control characters.
  • Adds miscellaneous performance and reliability improvements for sync and cloud tiering.

 

New H-series Azure VMs for HPC workloads

Two new H-series (HB and HC) Azure Virtual Machines for high-performance computing (HPC) workloads are now available in preview. These are optimized for HPC applications driven by intensive computation, such as implicit finite element analysis, reservoir simulation, and computational chemistry. More information in this blog.

Azure Stack

Azure App Service on Azure Stack 1.4 (Update 4)

Released the fourth update to Azure App Service on Azure Stack. These release notes describe the improvements and fixes in Azure App Service on Azure Stack Update 4 and any known issues.

Extension Host is coming with the next update 1811

Extension Host will be enabled by the next Azure Stack update, 1811. This capability further enhances security and simplifies network integration for Azure Stack.

How to monitor Office 365 with Azure Log Analytics

In Azure Log Analytics is available a specific solution that consolidates within the Log Analytics workspace different information from the environment Office 365, making the consultation of the data simple and intuitive. This article will look at the characteristics of this solution and It will illustrate the steps to follow for the relative activation.

Features of the solution

The solution allows you to use Log Analytics to perform the following tasks related to Office 365:

  • Monitor the activities carried out by administrators, in order to track changes to configurations and operations that require elevated privileges.
  • Analyze the activities of account in Office 365 in order to identify behavioral trends and monitor resource utilization. For example, you can determine which files are shared outside your organization or check the most used SharePoint sites.
  • Provide support in audits and compliance. It is possible for example to control access to specific files that are considered confidential.
  • Identify any unwanted behaviors that are performed by users, based on specific organizational needs.
  • Play easier troubleshooting tasks that become necessary in your environment Office 365.

To enable this solution you must have an account with the role Global Administrator. For a single Log Analytics workspace you can connect multiple subscriptions Office 365. In case you want to merge in the Log Analytics workspace also the Audit events of Office 365 you must enable auditing on the subscription Office 365, by following the steps in this documentation.

Figure 1 – Enabling Office 365 audit

Solution activation

To enable theOffice 365 Management solution You must follow these steps. The solution collects data directly from Office 365, without the iteration of any agent of Log Analytics.

Figure 2 – Access to Workspace summary from the Azure portal and adding solution

Figure 3 - Selection of the solution of Office 365

Figure 4 – Selection of the workspace to use

The solution requires the presence of an Azure Active Directory application, configured as reported later, which is used to access data in Office 365.

Figure 5 – Adding a new App registration in Azure AD

Figure 6 – Creation of the App registration required for solution

Figure 7 – Enable Multi-tenanted

Figure 8 -Added API Access for Office 365 Management APIs

Figure 9 - Selection of permission for Office 365 Management APIs

Figure 10 – Assignment of permissions

To be able to configure the solution is required a key for the Azure Active Directory application created.

Figure 11 – Generating a key for the application

At this point, you must run the PowerShell script office365_consent.ps1 which enables administrative access. This script is available at this link.

Figure 12 - Command line example for the execution of the script office365_consent.ps1

Figure 13 - Request for administrative approval

The last step needed to complete activation is the script PowerShell office365_subscription.ps1, also available at this link, which subscribes the Azure AD application to the Log Analytics workspace.

Figure 14 - Command line example for the execution of the script office365_subscription.ps1

After the initial configuration may take several minutes to display the data from Office 365 in Log Analytics. All records created by this solution in Log Analytics have the Type in OfficeActivity. The value contained in the property OfficeWorkload determines which Office Service 365 refers: Exchange, Azure Active Directory, SharePoint, or OneDrive. In the property RecordType instead, is showed the type of operation performed.

The solution adds to the dashboard the following tile:

Figure 15 - Tile Office 365

When selected it will open the specific dashboard, which divides the various services activities collected from Office 365.

Figure 16 – Dashboard of Office 365

Of course you can also perform specific queries to suit your needs:

Figure 17 - Examples of queries to return specific records collected by the solution

 

Conclusions

The collection in Log Analytics of activities carried out in Office 365 allows granular control of the environment, in order to satisfy at best and with a single instrument to regulations concerning auditing and compliance.

Azure File Sync: solution overview

The Azure File Sync service (AFS) allows you to centralize the network folders of your infrastructure in Azure Files, allowing you to maintain the typical characteristics of a file server on-premises, in terms of performance, compatibility and flexibility and at the same time to benefit from the potential offered by cloud. This article describes the main features of the Azure File Sync service and the procedures to be followed to deploy it.

Figure 1 – Overview of Azure File Sync

Azure File Sync is able to transform Windows Server in a "cache" for quick access to content on a given Azure file share. Local access to data can occur with any protocol available in Windows Server, such as SMB, NFS, and FTPS. You have the possibility to have multiple "cache" servers in different geographic locations.

These are the main features of Azure File Sync:

  • Multi-site sync: you have the option to sync between different sites, allowing write access to the same data between different Windows Servers and Azure Files.
  • Cloud tiering: are maintained locally only recently accessed data.
  • Integration with Azure backup: becomes invalid the need to back up data on premises. You can get content protection through Azure Backup.
  • Disaster recovery: you have the option to immediately restore metadata files and retrieve only the data you need, for faster service reactivation in Disaster Recovery scenarios.
  • Direct access to the cloud: is allowed to directly access content on the File Share from other Azure resources (IaaS and PaaS).

 

Requirements

In order to deploy Azure File Sync, you need the following requirements:

A Azure Storage Account, with a file share configured on Azure Files, in the same region where you want to deploy the AFS service. To create a storage account, you can follow the article Create a storage account, while the file share creation process is shown in this document.

A Windows Server system running Windows Server 2012 R2 or later, who must have:

  • PowerShell 5.1, which is included by default since Windows Server 2016.
  • PowerShell Modules AzureRM.
  • Azure File Sync agent. The setup of the agent can be downloaded at this link. If you intend to use AFS clustered environment, you should install the agent on all nodes in the cluster. In this regard Windows Server Failover Clustering is supported by Azure Sync Files of deployment type “File Server for general use”. The Failover Cluster environment is not supported on “Scale-Out File Server for application data” (SOFS) or on Clustered Shared Volumes (CSVS).
  • You should keep the option "Internet Explorer Enhanced Security Configuration" disabled for Administrators and for Users.

 

Concepts and service configuration

After confirming the presence of these requirements the Azure File Sync activation requires to proceed with the creation of the service Storage Sync:

Figure 2 – Creating Storage Sync service

This is the top-level resource for Azure File Sync, which acts as a container for the synchronization relationships between different storage accounts and multiple Sync Group. The Sync Group defines the synchronization topology for a set of files. The endpoints that are located within the same Sync Group are kept in sync with each other.

Figure 3 – Creating Sync Group

At this point you can proceed with server registration by starting the agent Azure File Sync.

Figure 4 – Initiation of the process of Sign-in

Figure 5 – Selection of server registration parameters

Figure 6 – Confirmation of registration of the agent

After the registration the server will also appear in the "Registered servers" section of the Azure portal:

Figure 7 – Registered servers into Storage Sync service

At the end of the server registration is appropriate to insert a Server Endpoints within the Sync Group, which integrates a volume or a specific folder, with a Registered Server, creating a location for the synchronization.

Figure 8 – Adding a Server Endpoint

Adding a Server Endpoint you can enable Cloud tiering that preserves, locally on the Windows Server cache, most frequently accessed files, while all the remaining files are saved in Azure on the basis of specific policies that can be configured. More information about Cloud Tiering capabilities can be found in the Microsoft's official documentation. In this regard, it is appropriate to specify that there's no support between Azure File Sync with enabled cloud tiering, and data deduplication. If you want to enable Windows Server Data Deduplication, cloud tiering capabilities must be maintained disabled.

After adding one or more Server Endpoint you can check the status of the Sync Group:

Figure 9 – Status of Sync Group

 

To achieve successful Azure File Sync deployment you should also carefully check compatibility with antivirus and backup solutions that are used.

Azure File Sync and DFS Replication (DFS-R) are two data replication solutions and can also operate in side-by-side as long as these conditions are met:

  1. Azure File Sync cloud tiering must be disabled on volumes with DFS-R replicated folders.
  2. The Server endpoints should not be configured on DFS-R read-only folders.

Azure File Sync can be a great substitute for DFS-R and for the migration you can follow the instructions in this document. There are still some specific scenarios that might require the simultaneous use of both replication solutions:

  • Not all on-premises servers that require a copy of the files can be connected to the Internet.
  • When the branch servers consolidate data in a single hub server, on which is then used Azure File Sync.
  • During the migration phase of deployment of DFS-R to Azure File Sync.

Conclusions

Azure File Sync is a solution that extends the classic file servers deployed on-premises with new features for content synchronization, using the potential of Microsoft public cloud in terms of scalability and flexibility.