Category Archives: Microsoft Azure

Azure File Sync: solution overview

The Azure File Sync service (AFS) allows you to centralize the network folders of your infrastructure in Azure Files, allowing you to maintain the typical characteristics of a file server on-premises, in terms of performance, compatibility and flexibility and at the same time to benefit from the potential offered by cloud. This article describes the main features of the Azure File Sync service and the procedures to be followed to deploy it.

Figure 1 – Overview of Azure File Sync

Azure File Sync is able to transform Windows Server in a "cache" for quick access to content on a given Azure file share. Local access to data can occur with any protocol available in Windows Server, such as SMB, NFS, and FTPS. You have the possibility to have multiple "cache" servers in different geographic locations.

These are the main features of Azure File Sync:

  • Multi-site sync: you have the option to sync between different sites, allowing write access to the same data between different Windows Servers and Azure Files.
  • Cloud tiering: are maintained locally only recently accessed data.
  • Integration with Azure backup: becomes invalid the need to back up data on premises. You can get content protection through Azure Backup.
  • Disaster recovery: you have the option to immediately restore metadata files and retrieve only the data you need, for faster service reactivation in Disaster Recovery scenarios.
  • Direct access to the cloud: is allowed to directly access content on the File Share from other Azure resources (IaaS and PaaS).

 

Requirements

In order to deploy Azure File Sync, you need the following requirements:

A Azure Storage Account, with a file share configured on Azure Files, in the same region where you want to deploy the AFS service. To create a storage account, you can follow the article Create a storage account, while the file share creation process is shown in this document.

A Windows Server system running Windows Server 2012 R2 or later, who must have:

  • PowerShell 5.1, which is included by default since Windows Server 2016.
  • PowerShell Modules AzureRM.
  • Azure File Sync agent. The setup of the agent can be downloaded at this link. If you intend to use AFS clustered environment, you should install the agent on all nodes in the cluster. In this regard Windows Server Failover Clustering is supported by Azure Sync Files of deployment type “File Server for general use”. The Failover Cluster environment is not supported on “Scale-Out File Server for application data” (SOFS) or on Clustered Shared Volumes (CSVS).
  • You should keep the option "Internet Explorer Enhanced Security Configuration" disabled for Administrators and for Users.

 

Concepts and service configuration

After confirming the presence of these requirements the Azure File Sync activation requires to proceed with the creation of the service Storage Sync:

Figure 2 – Creating Storage Sync service

This is the top-level resource for Azure File Sync, which acts as a container for the synchronization relationships between different storage accounts and multiple Sync Group. The Sync Group defines the synchronization topology for a set of files. The endpoints that are located within the same Sync Group are kept in sync with each other.

Figure 3 – Creating Sync Group

At this point you can proceed with server registration by starting the agent Azure File Sync.

Figure 4 – Initiation of the process of Sign-in

Figure 5 – Selection of server registration parameters

Figure 6 – Confirmation of registration of the agent

After the registration the server will also appear in the "Registered servers" section of the Azure portal:

Figure 7 – Registered servers into Storage Sync service

At the end of the server registration is appropriate to insert a Server Endpoints within the Sync Group, which integrates a volume or a specific folder, with a Registered Server, creating a location for the synchronization.

Figure 8 – Adding a Server Endpoint

Adding a Server Endpoint you can enable Cloud tiering that preserves, locally on the Windows Server cache, most frequently accessed files, while all the remaining files are saved in Azure on the basis of specific policies that can be configured. More information about Cloud Tiering capabilities can be found in the Microsoft's official documentation. In this regard, it is appropriate to specify that there's no support between Azure File Sync with enabled cloud tiering, and data deduplication. If you want to enable Windows Server Data Deduplication, cloud tiering capabilities must be maintained disabled.

After adding one or more Server Endpoint you can check the status of the Sync Group:

Figure 9 – Status of Sync Group

 

To achieve successful Azure File Sync deployment you should also carefully check compatibility with antivirus and backup solutions that are used.

Azure File Sync and DFS Replication (DFS-R) are two data replication solutions and can also operate in side-by-side as long as these conditions are met:

  1. Azure File Sync cloud tiering must be disabled on volumes with DFS-R replicated folders.
  2. The Server endpoints should not be configured on DFS-R read-only folders.

Azure File Sync can be a great substitute for DFS-R and for the migration you can follow the instructions in this document. There are still some specific scenarios that might require the simultaneous use of both replication solutions:

  • Not all on-premises servers that require a copy of the files can be connected to the Internet.
  • When the branch servers consolidate data in a single hub server, on which is then used Azure File Sync.
  • During the migration phase of deployment of DFS-R to Azure File Sync.

Conclusions

Azure File Sync is a solution that extends the classic file servers deployed on-premises with new features for content synchronization, using the potential of Microsoft public cloud in terms of scalability and flexibility.

Azure IaaS and Azure Stack: announcements and updates (November 2018 – Weeks: 44 and 45)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Azure File Sync is now supported in North Central US and South Central US regions

To get the latest list of supported regions, see https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-planning#region-availability

 

M-Series VMs are now available in East Asia regions

Azure M-Series virtual machines (VMs) are now available in the Canada Central, Canada East and East Asia regions. M-Series VMs offer configurations with memory from 192 GB to 3.8TiB (4TB) RAM and are certified for SAP HANA.

 

Approve and audit support access requests to VMs using Customer Lockbox for Azure

Customer Lockbox for Microsoft Azure helps customers control and audit a Microsoft support engineer’s access to compute workloads on Azure that may contain customer data. Microsoft support doesn’t have standing access to service operations. In some rare scenarios, to resolve a support issue, just-in-time access with limited and time bound authorization can be provided to Microsoft support engineers. Customer Lockbox helps ensure that Microsoft support engineers don’t access customers’ content in the Azure portal without the customer’s explicit approval. It also helps improve the existing support ticket workflow by expediting the customer’s approval process. This capability enables customers to have more granular control, better visibility and enhanced audit over the support process.

Azure IaaS and Azure Stack: announcements and updates (October 2018 – Weeks: 42 and 43)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Azure AD DS now supports Azure managed disks

Azure Active Directory Domain Services (AD DS) now supports Azure managed disks. Azure managed disks provide a greater degree of availability and resilience to failures. This enables the domain controllers of your managed domain to be more resilient to storage-related outages. All newly created managed domains now use Azure managed disks by default. Existing managed domains will slowly be migrated to use Azure managed disks over the course of calendar year 2018.

 

Azure DevTest Labs: Configure enforcing auto shutdown schedule for the lab

You can now configure enforcing a shutdown schedule for all the virtual machines in your lab so that you can save costs from wasteful running machines. To learn more about this feature, go to the team blog.

 

Azure Availability Zones expand with new services and to new regions

Availability Zones expand into additional regions, North Europe and West US 2. In addition to the continued expansion of Availability Zones across Azure regions, Microsoft announces an expanded list of zone-redundant services including Azure SQL Database, Service Bus, Event Hubs, Application Gateway, VPN Gateway, and ExpressRoute.

 

Azure Stack

Azure Stack 1809 update

This update package includes improvements, fixes, and known issues for Azure Stack.
The following improvements for Azure Stack are included:

  • Azure Stack syslog client (General Availability). This client allows the forwarding of audits, alerts, and security logs related to the Azure Stack infrastructure to a syslog server or security information and event management (SIEM) software external to Azure Stack. The syslog client now supports specifying the port on which the syslog server is listening.
    With this release, the syslog client is generally available, and it can be used in production environments.
  • You can now move the registration resource on Azure between resource groups without having to re-register. Cloud Solution Providers (CSPs) can also move the registration resource between subscriptions, as long as both the new and old subscriptions are mapped to the same CSP partner ID. This does not impact the existing customer tenant mappings.

Microsoft Azure: guide for the choice of the Region

Microsoft Azure is located in different places around the world and is the first to have datacenters in more geographical areas than any other cloud providers. This aspect provides a wide scalability, necessary to deliver applications in proximity of the geographical location of users, while preserving the residence of data and providing compliance and resiliency options. You can choose, between different Azure regions, where activate your services, undoubtedly has many advantages, but it is worth considering different aspects when you are faced with this choice. In this article we will be carried over the main elements that should be taken into account in the choice of the region of Azure.

A region in Azure consists of multiple datacenters residing in a specific geographical area and that are connected to each other through a low-latency network. To see the complete list of the Azure regions you can access the page Azure locations. Within a region are present physically distinct location denominated Availability Zones. Each Availability Zone is composed of multiple datacenters equipped independently of the others regarding the power, cooling systems and networks. Each region is paired with another region within the same geographical area, in order to preserve the data resiliency and increase compliance levels.

Figure 1 – Pair regions and Availability Zones within the same data residency boundary

Figures 2 – Azure regional pairs

The choice of the Azure region must be done carefully taking into consideration some key aspects, each of which can have a decisive influence.

 

Performance

Definitely one of the predominant factors in choosing the region is given by the performance, that they are bound by the network latencies in reaching the Azure datacenters. Typically, you choose the region closest geographically, but you can't always identify easily. In support of this choice you can use some useful third-party tools that provide objective values:

  • Azure Speed Test 2.0: by accessing this site, you can measure the latency from your web browser to the various Blob Storage Service residing in various Azure regions.

Figures 3 – Result shown from Azure Speed Test

  • Azure Latency Test: shows the network latency from your location to different Azure regions, with the ability to easily apply filters.

Figures 4 – Result shown from Azure Latency Test

 

Availability of services

Not all Azure services are available in all regions, it follows that it is appropriate to check carefully whether the Azure service that you intend to use is offered in the selected region. To see the Azure services available in each region you can access this page, that allows you to quickly apply filters to check the availability of services offered for region.

 

Compliance laws and residence of the data

Many organizations are cautious in the approach to cloud computing because they need their data geographically reside in a certain territory. Maintain the confidentiality of data is essential for all, but for customers who have specific needs in terms of compliance and data-residency, Microsoft offers all the information you need:

  • Date residency: by accessing this web site you can get all the information about where the data resides, distinguishing between the services for which you choose the region they belong and those who do not provide this selection during deployment.
  • Compliance: in this portal are listed useful support information for customers who have to comply with specific regulations regarding the use, transmission and archive of data.

 

Costs

The costs of the various Azure services may vary depending on region. If the others factors are not decisive in choosing, It may be useful to consider to deploy services in the region where they are most economically advantageous. In order to verify the costs of different services you can access the Azure pricing page.

Conclusions

The choice of the Azure region most appropriate for their business needs, must necessarily be made taking into consideration the factors listed. Since this is a strategic choice and not easily editable, the advice is to carefully examine the items listed above, in order to design the best architecture in Microsoft Azure environment.

Azure Virtual WAN: introduction to the solution

Azure Virtual WAN is a new network service that allows you to optimize and automate the branch-to-branch connectivity through Azure. Thanks to this service you can connect and configure network devices in branch to allow communication with Azure (branch-to-Azure). This article examines the components involved in Azure Virtual WAN and shows the procedure to be followed for its configuration.

 

Figure 1 – Azure Virtual WAN overview

The Azure Virtual WAN configuration includes the creation of the following resources.

 

Virtual WAN

The Virtual WAN resource represents a virtual layer of Azure network and collect different components. It is a layering that contains links to all the virtual hubs that you want to have inside the Virtual WAN. Virtual WAN resources are isolated and cannot contain common hubs.

Figure 2 – Start the process of creating Azure Virtual WAN

Figure 3 – Creating Azure Virtual WAN

When creating the Virtual WAN resource you are prompted to specify a location. In reality it is a global resource that does not reside in a particular region, but you are prompted to specify it just to be able to manage and locate more easily.

By enabling the option Network traffic allowed between branches associated with the same hub allows traffic between the various sites (VPN or ExpressRoute) associated with the same hub (branch-to-branch).

Figure 4 – Branch-to-branch connectivity option

 

Site

The site represents the on-prem environment. You will need to create as many sites as are the physical location. For example, if you have a branch office in Milan, one in New York and one in London, you will need to create three separate sites, which contain their endpoints of network devices used to establish communication. If you are using Virtual WAN partner network equipment, provides solutions to natively export this information into the Azure environment.

Figure 5 – Creating a site

In the advanced settings you can enable BGP, which if activated becomes valid for all connections created for the specific site . Among the optional fields you can specify device information, that may be of help to the Azure Team in case of any future enhancements or Azure support.

 

Virtual Hub

A Virtual Hub is a Microsoft-managed virtual network. The hub is the core component of the network in a given region and there can be only one hub for Azure region. The hub contains different service endpoints to allow to establish connectivity with the on-prem environment. Creating a Virtual Hub involves the generation of a new VNet and optionally a new VPN Gateway. The Hub Gateway is not a classic virtual network gateway that is used for ExpressRoute connectivity and VPN and it is used to create a Site-to-site connection between the on-prem environment and the hub.

Figure 6 – Creating a Hub

Figure 7 -Association of the site with a Hub

The Hubs should be associated with sites residing in the same region where there are the VNet.

 

Hub virtual network connection

The resource Hub virtual network connection is used to connect the hub with the virtual network. Currently you can create connections (peering) with virtual networks that reside in the same region of the hub.

Figure 8 – Connection of the VNet to a hub

Configuring the VPN device on-prem

To configure the VPN on-prem device, you can proceed manually, or if you are using Virtual WAN partner solutions, the configuration of the VPN devices can occur automatically. In the latter case the device controller gets the configuration file from Azure and applies the configuration to devices, avoiding the need to proceed with manual configurations. It all feels very comfortable and effective, saving time. Among the various virtual WAN partners we find: Citrix, Riverbed, 128 Technology, Barracuda, Check Point, NetFoundry and Paloalto. This list is intended to expand soon with more partners.

By selecting Download VPN configuration creates a storage account in the resource group 'microsoft-network-[location]’ from which you can download the configuration for the VPN device on-prem. That storage account can be removed after retrieving the configuration file.

Figure 9 - Download the VPN configuration

Figure 10 – Download the configuration file on the storage account

After configuration of the on-prem device, the site will be connected, as shown in the following figure:

Figure 11 - State of the connected site

It also provides the ability to establish ExpressRoute connections with Virtual WAN, by associating the circuit ExpressRoue to the hub. It also provides for the possibility of having Point-to-Site connections (P2S) towards the virtual Hub. These features are now in preview.

The Health section contains useful information to check the connectivity for each Hub.

Figure 12 – Check Hub health

 

Conclusions

Virtual WAN is the new Azure service that enables centralized, simple and fast connection of several branch, with each other and with the Microsoft public cloud. This service allows you to get a great experience of connectivity, taking advantage of the Microsoft global network, which can boast of reaching different region around the world, more than any other public cloud providers.

Azure IaaS and Azure Stack: announcements and updates (October 2018 – Weeks: 40 and 41)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Advanced Threat Protection for Azure Storage (public preview)

Advanced Threat Protection for Azure Storage, available in public preview, detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit storage accounts. This feature helps customers detect and respond to potential threats on their storage account as they occur.

 

Ephemeral OS Disk (limited preview)

Limited preview of Ephemeral OS Disk, a new type of OS disk created directly on the host node, providing local disk performance and faster boot/reset time. Ephemeral OS Disk is supported for all virtual machines (VM) and virtual machine scale sets (VMSS). Ephemeral OS Disk is ideal for stateless workloads that require consistent read/write latency to OS disk, as well as frequent reimage operations to reset the VM(s) to the original state. This includes workloads such as website applications, game server hosting services, VM pools, computation, jobs and more. Ephemeral OS Disk also works well for workloads that are leveraging low-priority VM scale sets.

Azure confidential computing (public preview)

Azure confidential computing protects your data while it’s in use. It is the final piece to enable data protection through its lifecycle whether at rest, in transit, or in use. It is the cornerstone of Microsoft ‘Confidential Cloud’ vision, which aims to make data and code opaque to the cloud provider. DC-series of virtual machines in US East and Europe West are in public preview. While these virtual machines may ‘look and feel’ like standard VM sizes from the control plane, they are backed by hardware-based Trusted Execution Environments (TEEs), specifically the latest generation of Intel Xeon Processors with Intel SGX technology. You can now build, deploy, and run applications that protect data confidentiality and integrity in the cloud. The DC-series of VMs are the first set of Generation 2 virtual machines. As such, Microsoft has specially configured operating images that are required with these virtual machines (Generation 2 support for Ubuntu Server 16.04 and Windows Server 2016 Datacenter). These images are automatically used when deploying through the portal. Custom images are not yet supported. DC-series VMs will not show up in the size selector for arbitrary marketplace images, as not all images have been updated yet.

Azure IaaS and Azure Stack: announcements and updates (September 2018 – Weeks: 38 and 39)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Virtual machine serial console

The Azure virtual machine serial console is now generally available in all public regions. New features include magic SysRq keys, non-maskable interrupts, and subscription-wide enable/disable. More details are available in the documentation for Windows and Linux.

 

Immutable storage for Azure Storage Blobs

Financial services organizations regulated by SEC, CFTC, FINRA, IIROC, FCA, etc., are required to retain business-related communications in a Write-Once-Read-Many (WORM) or immutable state to ensure that they’re non-erasable and non-modifiable for a specific retention interval. The immutable storage requirement is not limited to financial organizations. It also applies to industries such as healthcare, insurance, media, public safety, and legal services.

To address this requirement, immutable storage for Azure Blob storage is now generally available in all Azure public regions. Through configurable policies, users can keep Azure Blob storage data in an immutable state where blobs can be created and read, but not modified or deleted.

For more details on the feature, see the Microsoft Azure blog.

 

Azure Premium Blob Storage (preview)

Azure Blob Storage introduces a new performance tier—Premium Blog Storage, complimenting the existing hot, cool, and archive tiers. Data in Premium Blob Storage is stored on solid-state drives, which are known for lower latency and higher transactional rates compared to traditional hard drives. Premium Blob Storage is ideal for workloads that require very fast access times. This includes most scenarios with a human in the loop, such as interactive video editing, static web content, and online transactions. It also works well for workloads that perform many transactions that are relatively small, such as capturing telemetry data, message passing, and data transformation.

 

Azure Availability Zones in West US 2 and North Europe

Azure Availability Zones, a high-availability solution for mission-critical applications, is now generally available in West US 2 and North Europe.

Availability Zones are physically separate locations within an Azure region. Each Availability Zone consists of one or more datacenters equipped with independent power, cooling, and networking. With the introduction of Availability Zones, we now offer a service-level agreement (SLA) of 99.99% for uptime of virtual machines.

Availability Zones are generally available in select regions.

 

Public IP prefix (preview)

A Public IP prefix is a reserved range of static IP addresses that can be assigned to your subscription. You can use a prefix to simplify IP address management in Azure. Knowledge of the range ahead of time eliminates the need to change firewall rules as you assign IP addresses to new resources. This predictability significantly reduces management overhead when scaling in Azure.

For more information about Public IP prefixes in Azure and how to use them, see Public IP Prefix.

 

Virtual network peering across Azure Active Directory tenants

Virtual network peering enables direct VM-to-VM connectivity across virtual machines deployed in different virtual networks using the Microsoft backbone. Virtual network peering is now available for virtual networks that belong to subscriptions in different Azure Active Directory tenants.

 

Azure Load Balancer: Outbound Rules for Standard Load Balance GA

This new ability allows you to declare which public IP or public IP prefix should be used for outbound connectivity from your virtual network, and how outbound network address translations should be scaled and tuned.

 

Azure Load Balancer TCP resets on idle (preview)

Azure Load Balancer supports sending of bidirectional TCP resets on idle timeout for load balancing rules, inbound NAT rules, and outbound rules. For more information, including pricing details, please visit the Azure Load Balancer TCP reset page.

 

ExpressRoute Direct 100Gbps connectivity

ExpressRoute Direct provides 100G connectivity for customers with extreme bandwidth needs. This is 10x faster than other clouds. With ExpressRoute Direct you can send 100 Gbps of network traffic to Azure services such as Azure Storage and Azure Virtual Networks. All your traffic can be on a single 100G ExpressRoute Circuit or you subdivide 100G among your business units in any combination of 40G, 10G, 5G, 2G, and 1G ExpressRoute circuits.

 

ExpressRoute Global Reach

ExpressRoute Global Reach allows you to connect two ExpressRoute circuits together. Your sites that are already connected to ExpressRoute can now privately exchange data via their ExpressRoute circuits. ExpressRoute Global Reach can be enabled on both ExpressRoute Standard and ExpressRoute Premium circuits. ExpressRoute Global Reach is available in the following locations: Hong Kong, Ireland, Japan, Netherlands, United Kingdom, and United States with Korea and Singapore coming soon. More locations will be available later this year.

 

Zone-Redundant VPN and ExpressRoute Virtual Network Gateways

To improve the resiliency, scalability and availability of gateways, Zone Redundant VPN and ExpressRoute Gateways bring support for Azure Availability Zones. With these new Zone-Redundant/Zonal Gateways, you will be able to deploy Azure VPN and Azure ExpressRoute gateways in Azure Availability Zones, thus making them physically and logically separate within a region to protect your on-premises network connectivity to Azure from zone-level failures.

 

Azure Firewall: General availability and new capabilities

Azure Firewall, now GA, offers fully stateful network and application level traffic filtering for VNet resources, with built-in high availability and cloud scalability delivered as a service. For more information, please refer to Azure Firewall documentation.

 

Shared Image Gallery (public preview)

Shared Image Gallery provides an Azure-based solution to make the custom management of virtual machine (VM) images easier in Azure. Shared Image Gallery provides a simple way to share your applications with others in your organization, within or across regions, enabling you to expedite regional expansion or DevOps processes, simplify your cross-region HA/DR setup and more. Shared Image Gallery also enables you to quickly deploy thousands of VMs concurrently from a custom image.

 

Automatic OS image upgrade in virtual machine scale sets is now generally available.

After you enable this feature for your scale sets, when a new OS image is published with the latest features, security patches, and performance improvements, your scale sets and Azure Service Fabric clusters can receive these updates automatically. The new image will roll out to the VMs in your scale sets in batches based on preconfigured health probes to check for application issues. You can monitor the status of upgrades programmatically or through an out-of-the-box experience in the Azure portal. To learn more about this capability and to start enabling it for your VMs in VM scale sets, see this documentation.

 

Azure Virtual Machine Image Builder available in private preview

Azure Virtual Machine (VM) Image Builder, now available in private preview, allows you to migrate your image building pipeline to Azure. Submit a template describing your VM source image and customizations, indicate where to distribute a bootable image, and then start building your VM images.

 

Ultra SSD, a new Azure Managed Disks offering (preview)

Ultra SSD, a new Azure Managed Disks offering for your most demanding data-intensive workloads, is now available in preview. Ultra SSDs can deliver unprecedented and extremely scalable performance with sub-millisecond latency:

  • Choose a disk size from 4 GiB up to 64 TiB.
  • Achieve the optimal performance you need per disk even at low storage capacities.
  • Scale performance up to 160,000* IOPS and 2 GB/s per disk with zero downtime.

 

Azure Stack

Service Fabric now available on Azure Stack

Azure Service Fabric is now available on Azure Stack. Service Fabric is a distributed systems platform that makes it easy to package, deploy, and manage scalable and reliable microservices and containers.

 

Red Hat OpenShift and Microsoft Azure Stack together for hybrid enterprise solutions

OpenShift and Azure Stack present exciting new options for customers who use Microsoft and Red Hat technologies and offer the greatest possible flexibility and consistency where these solutions are run and managed – whether its in the public cloud or on-premises with Azure Stack. OpenShift and Azure Stack enable a consistent application experience across Azure, Azure Stack, bare-metal, Windows and RHEL bringing together Microsoft’s and Red Hat’s developer frameworks and partner ecosystems.

Azure Networking: characteristics of Global VNet peering

The Virtual Networks in Azure are logically isolated, to allow you to securely connect different Azure resources. The Global VNet peering in Azure provides the possibility of connecting virtual networks residing on different regions of Azure. This article discusses the benefits and current constraints imposed by the Global VNet peering. It will also show the procedure for activating a Global VNet peering.

Figure 1 - Sample connection of two Azure VNet in different regions

When you configure the peering between two virtual networks that reside in different regions of Azure, you expand the logical boundary and virtual machines attested on these VNet can communicate with each other with their own private IP addresses, without having to use gateway and public IP addresses. In addition, you can use the hub-and-spoke network model, to share resources such as firewalls or virtual appliances, even connecting virtual networks in different regions of Azure, through the Global VNet peering.

Benefits of Global VNet peering

The main benefits that can be obtained using the Global VNet peering to connect virtual networks are:

Figure 2 – Microsoft's backbone network

  • You can use a low-latency connectivity and with a high bandwidth.
  • Setup is simple and does not require gateway to establish VPN tunnel between different networks.

 

Current constraints of Global VNet peering

Currently there are some constraints that should be taken into account when making a Global VNet peering:

  • In the presence of a Global peering VNET you can not use the remote gateway (option "use remote gateways") and you can't allow the gateway transit (option "allow gateway transit") on the virtual network. These options are currently usable only when you make a virtual network peering with virtual networks residing within the same region of Azure. It follows then the Global VNet peering are not transitive, then the downstream VNet in a region cannot communicate, using this methodology, with the VNet to another region. For example,, assuming a scenario where between the vNet1 and the vNet2 there is a Global VNet peering and between vNet2 and vNet3 there is another Global VNet peering. In this case there will be no communication between the vNet1 and the vNet3. If needed, you can create an additional Global VNET peering to put them in communication.
  • For a resource that resides on a virtual network, is not allowed to communicate using the IP address of an internal Azure load balancer that resides on the virtual network in peer. This type of communication is allowed only if the source IP and the IP address of the Load Balancer are in the same VNet.
  • The Global VNet peering can be created in all Azure public regions, but not with VNet residing in Azure national clouds.
  • The creation of the Global VNet peering is allowed between VNet residing in different subscriptions, as long as they are associated with the same Active Directory tenant.
  • The virtual networks can inserted into peering if there is no overlapping in its address space. In addition, after the creation of the peering, if you need to modify the address space you must remove the peering.

 

Global VNet peering configuration

Configuring Global VNet peering is extremely simple. In the following images are documented the steps to connect two virtual networks created in different regions, in this case West Europe and Southeast Australia.

Figure 3 - Adding peering from VNet settings

Figure 4 - Configure the peering parameters

Selecting "Allow virtual network access", allows communication between two virtual networks. With this setting the address space of the VNet in peer is added to the tag Virtual_Network.

Figure 5 – Peering added, in state Initiated

The same operations, documented in Figure 3 and figure 4, must be repeat even on the Virtual Network that resides in the other region and with whom you want to configure the Global VNet peering. The communication will be activated when the status of the peering will be "Connected"on both VNet.

Figure 6 – Peering in state Connected

Selecting a virtual machine, attested on a virtual network configured with the global VNET Peering, you will see a specific route for VNet associated, as shown in the following figure:

Figure 7 – Effective route of the VNet in Global Peering

The Global VNet peering involves costs for inbound and outbound network traffic in transit in the peering and the cost varies depending on the areas covered. For more details you can refer to the official page of costs.

 

Conclusions

The Global VNet peering allows a great flexibility in managing in a simple and efficient way as various workloads can be connected, allowing to expand the possible implementation scenarios on Azure, without having to consider the geographical boundaries as a limit. Significant benefits can be obtained in particular in data replication and disaster recovery architectures.

Azure IaaS and Azure Stack: announcements and updates (September 2018 – Weeks: 36 and 37)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Virtual network service endpoints for Azure Key Vault

Virtual network service endpoints are generally available for Azure Key Vault in all public Azure regions.

 

Configure just-in-time virtual machine access from the VM blade

Just-in-time virtual machine access can now be configured from the virtual machine blade (in preview) to make it even easier for you to reduce your exposure to threats.

 

Filter VM sizes by current or previous generation

With a recent update to the virtual machine size picker, the default filter set will show current-generation virtual machine sizes only.

 

Announcing the Public Preview for Azure Active Directory Integration with Azure Files

Azure Files offers fully managed file shares in the cloud that are accessible via the industry standard SMB protocol. Integration with AAD enables SMB access to Azure file shares using AAD credentials from AAD DS domain joined Windows VMs.

 

 

Azure Stack

Managed Disks in Azure Stack

Azure Managed Disks simplifies disk management for Azure VMs by managing the storage accounts associated with the VM disks. You only have to specify the type (Premium or Standard) and the size of disk you need, and Azure creates and manages the disk for you. This work will bring more options and simplicity to Azure Stack users when working with VMs. This update applies primarily to Azure Stack users.

 

Ability to incrementally add capacity to Azure Stack

Azure Stack operators can now add a node to an existing Azure Stack scale unit within the supported scale unit limits. This enables Azure Stack operators to increase the capacity of a single Azure Stack, and specifics should be discussed with hardware partners.

 

Azure Stack support for Azure Backup

Azure Stack operators can now backup and recover guest OS, data disks, and volumes using Azure Backup. This new ability gives operators more options when developing a backup strategy for Azure Stack.

 

Azure Government cloud integration for Azure Stack

Azure Stack is now integrated with the Azure Government cloud, enabling connections to Azure Government identity, subscription, registration, billing, backup/DR, and Azure Marketplace. Azure Stack unlocks a wide range of hybrid cloud use cases for government customers, such as tactical edge and regulatory scenarios.

Azure Security Center: introduction to the solution

Azure Security Center is a cloud solution that helps prevent, detect and respond to security threats that affect the resources and workloads on hybrid environments. This article lists the main characteristics and features, to address the use cases and to understand the potential of the instrument.

Key features and characteristics of Azure Security Center

  • It manages security policies centrally. It ensures compliance with the safety requirements to be imposed on business and regulatory. Everything is handled centrally through security policies that can be applied to different workloads.

Figure 1 – Policy & Compliance Overview

Figure 2 – Policy management

  • It makes Security Assessment. It monitors the situation continuously in terms of security of machines, networks, storage and applications, in order to identify potential security problems.
  • It provides recommendations that you can implement. Are given indications that are recommended to implement to fix the security vulnerabilities that affect your environment, before they can be exploited in potential cyber attacks.

Figure 3 – Recommendations list

  • It assigns priorities to warnings and possible security incidents. Through this prioritization you can focus first on the security threats that may impact more on the infrastructure.

Figure 4 – Assigning severity for each report

Figure 5 – Assigning severity for each potential security incident detected

  • It allows to configure your cloud environment in order to protect it effectively. It is made available a simple method, quickly and securely to allowjust-in-time access to system management ports and applications running on the VM, by applying adaptive controls.

Figure 6 – Enabling Just-in-time VM access

  • It provides a fully integrated security solution. Allows you to collect, investigate and analyze security data from different sources, including the ability to integrate with third-party solution.

Figure 7 – Integration with other security solutions

 

The Cost of the Solution

Security Center is offered in two different tiers:

  • Free tier. In this tier Azure Security Center is completely free and provides visibility into security of resources residing only in Azure. Among the features offered there are: basic security policy, security requirements and integration with third-party security products and services.
  • Standard tier. Compared to tier free adds enhanced threat detection (including threat intelligence), behavioral analysis, anomaly detection and security incidents and reports of conferral of threats. The tier standard extends the visibility on the security of the resources that reside on-premises, and hybrid workloads. Through machine learning techniques and having the ability to create whitelist it allows to block malware and unwanted applications.

Figure 8 – Comparison of features between the available pricing tiers

For the Standard tier, you can try it for free for 60 days after that, if you want to continue using the solution, you have a monthly fee for single node. For more information on costs of the solution you can access to the official page of costs.

Figure 9 – Standard tier upgrade screen

To take advantage of all the Security Center features is necessary to apply the Standard Tier to the subscribtion or to the resource group that contains the virtual machines. Configuring the tier Standard does not automatically enable all features, but some of these require specific configurations, for example VM just in time, adaptive control of applications and network detection for resources in Azure.

 

Basic principles of operation

The collection of security data from systems, regardless of their location, is via the Microsoft Monitoring Agent, that it provides to its sending to a Log Analytics workspace. Security Center requires a workspace on which you enabled the following solution according to tier chosen:

  • Free tier: the Security Center enables the solution SecurityCenterFree.
  • Standard tier: the Security Center enables the solution Security. If in the workspace is already installed the solution Security & Auditit is used and nothing else is installed.

To save the data collected from the Security Center you can use a Log Analytics workspace created by default or select a specific one associated with the relative Azure subscription.

Figure 10 – Configuration of the workspace of Log Analytics where you collect the data

Conclusions

Azure Security Center is an appropriate, mature and structured solution to meet the security requirements for cloud, on-premises, or hybrid environments. Thanks to several features covered provides the knowledge that Microsoft has matured in the management of its services, combining it with powerful new technologies, as machine learning and big data, to treat and manage consciously and effectively the security.