Category Archives: Microsoft Azure

Azure IaaS and Azure Stack: announcements and updates (March 2019 – Weeks: 09 and 10)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Azure South Africa regions are available

Azure services are now available from new cloud regions in Johannesburg (South Africa North) and Cape Town (South Africa West), South Africa. The launch of these regions marks a major milestone for Microsoft as they open their first enterprise-grade datacenters in Africa, becoming the first global provider to deliver cloud services from datacenters on the continent. With 54 regions announced worldwide, the Microsoft global cloud infrastructure will connect the new regions in South Africa with greater business opportunity, help accelerate new global investment, and improve access to cloud and internet services across Africa. The new cloud regions in Africa are connected with Microsoft’s other regions via their global network, which spans more than 100,000 miles (161,000 kilometers) of terrestrial fiber and subsea cable systems to deliver services to customers.

Microsoft Azure Sentinel: intelligent security analytics for the entire enterprise

Security can be a never-ending saga, a chronicle of increasingly sophisticated attacks, volumes of alerts, and long resolution timeframes where today’s Security Information and Event Management (SIEM) products can’t keep pace. Microsoft rethinks the SIEM tool as a new cloud-native solution called Microsoft Azure Sentinel. Azure Sentinel provides intelligent security analytics at cloud scale for your entire enterprise. Azure Sentinel makes it easy to collect security data across your entire hybrid organization from devices, to users, to apps, to servers on any cloud.  It uses the power of artificial intelligence to ensure you are identifying real threats quickly and unleashes you from the burden of traditional SIEMs by eliminating the need to spend time on setting up, maintaining, and scaling infrastructure. Since it is built on Azure, it offers nearly limitless cloud scale and speed to address your security needs. Traditional SIEMs have also proven to be expensive to own and operate, often requiring you to commit upfront and incur high cost for infrastructure maintenance and data ingestion. With Azure Sentinel there are no upfront costs, you pay for what you use.

Virtual network service endpoints for Azure Database for MariaDB are available

virtual network service endpoints for Azure Database for MariaDB are accessible in all available regions. Virtual network service endpoints allow you to isolate connectivity to your logical server from only a given subnet or set of subnets within your virtual network. Traffic to Azure Database for MariaDB from the virtual network service endpoints stays within the Azure network, preferring this direct route over any specific routes that take internet traffic through virtual appliances or on-premises.

M-series virtual machines (VMs) are available in the Korea South region and in the China North 2 region

Azure M-series VMs are now available in the Korea South region and in the China North 2 region. M-series VMs offer configurations with memory from 192 GB to 3.8 TiB (4 TB) RAM and are certified for SAP HANA.

Azure Policy root cause analysis and change tracking features

New functionalities have been added to Azure Policy, including root cause analysis and change tracking features. This means that you’ll be able to see why a resource evaluated as non-complaint and what changes were implemented directly by a policy.

Azure Container Registry firewall rules and Virtual Network

Firewall rules and Virtual Network support in Azure Container Registry are available in preview.  Limit registry access to your resources in Azure, or specific on-premises resources, including Express Route connected devices. Virtual Network access is provided through the Azure Container Registry premium tier. General availability pricing will be announced at a later date. 

Azure Lab Services

Azure Lab Services is generally available. With Azure Lab Services, you can easily set up and provide on-demand access to preconfigured virtual machines (VMs) to teach a class, train professionals, run hackathons or hands-on labs, and more. Simply input what you need in a lab and let the service roll it out to your audience. Your users go to a single place to access all their VMs across multiple labs, and connect from there to learn, explore, and innovate.

Azure Availability Zones in East US

Azure Availability Zones, a high-availability solution for mission-critical applications, is now generally available in East US.

Global VNet Peering in Azure Government regions

Global VNet Peering is generally available in all Azure Government cloud regions. This means you can peer virtual networks across the Azure Government cloud regions. You cannot peer across Azure Government cloud and Azure public cloud regions.

Global VNet Peering supports Standard Load Balancer

Previously, resources in one virtual network could not communicate with the front-end IP address of an internal load balancer over a globally peered connection. The virtual networks needed to be in the same region. This is no longer the case. You can communicate with the internal IP address of a Standard Load Balancer instance across regions from resources deployed in a globally peered virtual network. This support is in all Azure regions, including Azure China and Azure Government regions.

New capabilities in Azure Firewall

Two new key capabilities in Azure Firewall:

  • Threat intelligence based filtering: Azure Firewall can now be configured to alert and deny traffic to and from known malicious IP addresses and domains in near real-time. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Threat intelligence-based filtering is default-enabled in alert mode for all Azure Firewall deployments, providing logging of all matching indicators. Customers can adjust behavior to alert and deny.
  • Service tags filtering: a service tag represents a group of IP address prefixes for specific Microsoft services such as SQL Azure, Azure Key Vault, and Azure Service Bus, to simplify network rule creation. Microsoft today supports service tagging for a rich set of Azure services which includes managing the address prefixes encompassed by the service tag, and automatically updating the service tag as addresses change. Azure Firewall service tags can be used in the network rules destination field.
Azure File Sync in Japan East, Japan West, and Brazil South

Azure File Sync is now supported in Japan East, Japan West, and Brazil South regions.

Azure Premium Blob Storage public preview

Premium Blob Storage is a new performance tier in Azure Blob Storage, complimenting the existing Hot, Cool, and Archive tiers. Premium Blob Storage is ideal for workloads with high transactions rates or requires very fast access times, such as IoT, Telemetry, AI and scenarios with humans in the loop such as interactive video editing, web content, online transactions, and more. Premium Blob Storage has higher data storage cost, but lower transaction cost compared to data stored in the regular Hot tier. This makes it cost effective and can be less expensive for workloads with very high transaction rates.

Update rollup for Azure File Sync Agent: March 2019

An update rollup for the Azure File Sync agent was released today which addresses the following issues:

  • Files may fail to sync with error 0x80c8031d (ECS_E_CONCURRENCY_CHECK_FAILED) if change enumeration is failing on the server
  • If a sync session or file receives an error 0x80072f78 (WININET_E_INVALID_SERVER_RESPONSE), sync will now retry the operation
  • Files may fail to sync with error 0x80c80203 (ECS_E_SYNC_INVALID_STAGED_FILE)
  • High memory usage may occur when recalling files
  • Cloud tiering telemetry improvements

More information about this update rollup:

  • This update is available for Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019 installations that have Azure File Sync agent version 4.0.1.0 or later installed.
  • The agent version of this update rollup is 5.1.0.0.
  • A restart may be required if files are in use during the update rollup installation.
  • Installation instructions are documented in KB4481060.

Azure Stack

Azure App Service on Azure Stack 1.5 (Update 5) Released

This release updates the resource provider and brings the following key capabilities and fixes:

  • Updates to **App Service Tenant, Admin, Functions portals and Kudu tools**. Consistent with Azure Stack Portal SDK version.
  • Updates to **Kudu** tools to resolve issues with styling and functionality for customers operating **disconnected** Azure Stack.
  • Updates to core service to improve reliability and error messaging enabling easier diagnosis of common issues.

All other fixes and updates are detailed in the App Service on Azure Stack Update Five Release Notes.

Azure storage: Disaster Recovery and failover capabilities

Microsoft recently announced a new feature that allows, for geo-redundant Azure storage account, to carry out a piloted failover. This feature increases control on this type of storage accounts, allowing greater flexibility in Disaster Recovery scenarios. This article shows the working principle and the procedure to follow in order to use this new feature.

Types of storage accounts

In Azure there are different types of storage account with distinct replication characteristics, to obtain different levels of redundancy. If you wish to keep the data present on the storage account even in the face of failures of an entire region of Azure it is necessary to adopt the geo-redundant storage account, among them there are two different types:

  • Geo-redundant storage (GRS): the data is replicated asynchronously into two geographical region of Azure, distant hundreds of miles between them.
  • Read-access geo-redundant storage (RA-GRS): it follows the same replication principle as previously described, but with the characteristic that the secondary endpoint can be accessed to read the replicated data.

Using these types of storage account are maintained three copies of the data in the primary region of Azure, selected during the configuration phase, and an additional three asynchronous copies of the data in another region of Azure, following the principle of Azure Paired Regions.

Figure 1 - Normal operation of the storage type GRS/RA-GRS

For more information about the different types of storage account and its redundancy you can consult the Microsoft's official documentation.

Characteristics of storage account failover process

Thanks to this new feature, the administrator has the option to start the account failover process deliberately, when deemed appropriate. The failover process update the public DNS record of the storage account, in this way, the requests are routed to the endpoint of the storage account in the secondary region.

Figure 2 – Failover process for a GRS/RA-GRS storage account

After the failover process, the storage account is configured to be a locally redundant storage (LRS) and it is necessary to proceed with its configuration to make geo-redundant again.

An important aspect to keep in mind, when you decide to take a failover of the storage account, is that this operation can result in a loss of data, because replication between the two regions of Azure is done asynchronously. Because of this aspect, in case of unavailability of the primary region, may not have been replicated to the secondary region all changes. To verify this condition you can refer to the property Last Sync Time that indicates when it is guaranteed that the data was successfully replicated to the secondary region.

Storage account failover procedure from the Azure Portal

Following, shows the steps to fail over to a storage account directly from the Azure Portal.

Figure 3 – Storage failover process account

Figure 4 – Storage account failover process confirmation

The procedure to start the failover of a storage account can be carried out not only by the portal Azure, but also through PowerShell, Azure CLI, or by using the API for the Azure Storage resources.

How to identify the problems on the storage account

Microsoft recommends that applications that use the storage accounts are designed to support possible errors in the writing stage. In this way, the application should expose any failures encountered in writing, in order to be alerted to the possible unavailability in gaining access to storage in a given region. This would allow take corrective actions, such as the failover of the GRSRA-GRS storage account.

Natively the platform , through the service Azure Service Health, provides detailed information if you experience conditions that affect the operation of its services available in Azure, including storage. Thanks to the complete integration of Service Health on Azure Monitor, which holds the alerting engine of Azure, you can configure specific Alerts if there are issues on Azure side, that impact on the operation of the resources present on your own subscription.

Figure 5 - Create Health alert in the Service Health Service

Figure 6 - Notification rule of issues on storage

The notification occurs through Action Groups, following which it is possible to evaluate the real need to take the storage account failover process.

Conclusions

Before the release of this feature, with GRS/RA-GRS storage account type, failover still had to be driven by Microsoft staff against a storage fault of an entire Azure region. This feature provide to the administrator the ability to failover, providing greater control over storage account. At the moment this feature is available for preview and only for storage accounts created in certain Azure regions. As with other Azure functionality in preview it is best to wait for the official release before using it for workloads in a production environment.

Azure management services and System Center: What's New in February 2019

The month of February was full of news and there are different updates that affected the Azure management services and System Center. This article summarizes to have a comprehensive overview of the main news of the month, in order to stay up to date on these topics and have the necessary references to conduct further exploration.

Azure Monitor

Multi-resource support for metric alerts

With this new feature, you can configure a single metric alert rule to monitor:

  • A list of virtual machines in an Azure region.
  • All virtual machines in one or more resource groups in an Azure region.
  • All virtual machines of a subscription, present in a given Azure region.

Azure Automation

The runbook Update Azure Modules is open source

Azure Automation allows you to update the Azure PowerShell modules imported into an automation account with the latest versions available in the PowerShell Gallery. This possibility is provided through the actionUpdate Azure Moduleson the page Modules of the Automation Account, and is implemented through a hidden runbook. In order to improve diagnostics and troubleshooting activity and provide the ability to customize the module, this has been made open source.

Support for the Azure PowerShell module Az

Azure Automation introduces support for the PowerShell module Az, thanks to which you can use the updated Azure modules within runbooks, to manage the various Azure services.

Azure Log Analytics

New version of the agent for Linux

This month the new OMS Agent version for Linux systems solves a specific bug during installation. To obtain the updated OMS agent version you can access at the official GitHub page.

Availability in new region of Azure

It is possible to activate a Log Analytics workspace also in the Azure regions of West US 2, Australia East and Central Australia. In this way the data is kept and processed in this regions.

Azure Site Recovery

New Update Rollup

For Azure Site Recovery was released theUpdate Rollup 33 introducing new versions of the following components:

  • Microsoft Azure Site Recovery Unified Setup (version 9.22.5109.1): used for replication scenarios from VMware to Azure.
  • Microsoft Azure Site Recovery Provider (version 5.1.3900.0): used for replication scenarios from Hyper-V to Azure or to a secondary site.
  • Microsoft Azure Recovery Services Agent (version 2.0.9155.0): used for replication scenarios from Hyper-V to Azure.

The installation of this update rollup is possible on all systems running Microsoft Azure Site Recovery Service providers, by including:

  • Microsoft Azure Site Recovery Provider for System Center Virtual Machine Manager (3.3.x. x).
  • Microsoft Azure Site Recovery Hyper-V Provider (4.6.x. x).
  • Microsoft Azure Site Recovery Provider (5.1.3500.0) and later.

The Update Rollup 33 for Microsoft Azure Site Recovery Unified Setup applies to all systems that have installed the version 9.17.4860.1 or later.

For more information on the issues resolved, on improvements from this Update Rollup and to get the procedure for its installation is possible to consult thespecific KB 4489582.

Protection of Storage Space Direct cluster

In Azure Site Recovery (ASR) is introduced, with the Update Rollup 33, also the support for the protection of Storage Space Direct cluster, used to realize Guest Cluster in Azure environment.

Azure Backup

In Azure Backup has been released the feature of Instant Restorefor the virtual machines in Azure, that allows using the stored snapshots for the VMs recovery. Also it is given the option to configure the time of retention for the snapshots in the backup policy (from one to five days, the default is two days). This increases control over the protection of the resources, adapting it to specific requirements and depending on the criticality of the same.

Figure 1 – Retention period of the snapshot

System Center Configuration Manager

Released versions 1902 and 1902.2 for the Technical Preview Branch

Among the main new features of this release is included the ability to manage more effectively the restart notifications on systems managed by Configuration Manager.

For full details of what's new in this release you can consult this document. Please note that the Technical Preview Branch releases help you to evaluate new features of SCCM and it is recommended to apply these updates only in test environments.

System Center Operations Manager

Management Packs

Following, are reported the news about the SCOM Management Packs:

  • Microsoft System Center 2016 Management Pack for Microsoft Azure version 1.6.0.7
  • Microsoft System Center Management Pack for SQL Server 2017+ Reporting Services version 7.0.12.0
  • Log Analytics Management Pack forSCOM 1801 version7.3.13288.0 and SCOM 2016 version7.2.12074.0
  • System Center Management Pack for Windows DNS Server version 10.0.9.3

Evaluation of Azure and System Center

To test and evaluate free of charge the services offered by Azure you can access this page, while to try the various System Center components you must access theEvaluation Center and, after registering, you can start the trial period.

Azure IaaS and Azure Stack: announcements and updates (February 2019 – Weeks: 07 and 08)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Serial console for Azure Virtual Machines (feature update)

The serial console for Azure Virtual Machines enables you to reboot your VM from within the console experience. This ability will help you if you want to reboot a stuck VM or enter the boot menu of your VM.

Azure File Sync v5 release

Improvements and issues that are fixed:

  • Support for Azure Government cloud
    • Added preview support for the Azure Government cloud. This requires a white-listed subscription and a special agent download from Microsoft.
  • Support for Data Deduplication
    • Data Deduplication is now fully supported with cloud tiering enabled on Windows Server 2016 and Windows Server 2019. Enabling deduplication on a volume with cloud tiering enabled lets you cache more files on-premises without provisioning more storage.
  • Support for offline data transfer (e.g. via Data Box)
    • Easily migrate large amounts of data into Azure File Sync via any means you choose. You can choose Azure Data Box, AzCopy and even third party migration services. No need to use massive amounts of bandwidth to get your data into Azure, in the case of Data Box.
  • Improved sync performance
    • Customers with multiple server endpoints on the same volume may have experienced slow sync performance prior to this release. Azure File Sync creates a temporary VSS snapshot once a day on the server to sync files that have open handles. Sync now supports multiple server endpoints syncing on a volume when a VSS sync session is active. No more waiting for a VSS sync session to complete so sync can resume on other server endpoints on the volume.
  • Improved monitoring in the portal
    • Charts have been added in the Storage Sync Service portal to view:
      • Number of files synced
      • Size of data transferred
      • Number of files not syncing
      • Size of data recalled
      • Agent connectivity status
  • Improved scalability and reliability
    • Maximum number of file system objects (directories and files) in a directory has increased to 1,000,000. Previous limit was 200,000.
    • Sync will try to resume data transfer rather than retransmitting when a transfer is interrupted for large files

Agent installation notes:

  • The Azure File Sync agent is supported on Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019.
  • Azure File Sync agent version 4.0.1.0 or a later version is required to upgrade existing agent installations.
  • A restart may be required if files are in use during the installation.
  • The agent version for the v5 release is 5.0.2.0.

Installation instructions are documented in KB4459989.

Service tags are available in Azure Firewall network rules

A service tag represents a group of IP address prefixes to help minimize complexity for security rule creation. You cannot create your own service tag, nor specify which IP addresses are included within a tag. Microsoft manages the address prefixes encompassed by the service tag, and automatically updates the service tag as addresses change. Azure Firewall service tags can be used in the network rules destination field. You can use them in place of specific IP addresses. Service tags are fully supported in all public regions using PowerShell/REST/CLI by simply including the tag string in a network rule destination field. Portal support is being rolled out and will incrementally be available in all public regions in the near future.

Azure IaaS and Azure Stack: announcements and updates (February 2019 – Weeks: 05 and 06)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Standard Load Balancer and Standard Public IP are available in Azure Government

Azure Standard Load Balancer and Standard Public IP are now generally available in Azure Government cloud regions. Standard Load Balancer offers resiliency and ease of use for all your virtual machine resources inside a virtual network. It supports inbound and outbound scenarios, provides low latency and high throughput, and scales up to millions of flows for all TCP and UDP applications. You can use load-balancing rules with TCP/HTTP/HTTPS health probes, HA port load-balancing rules for network virtual appliances, inbound NAT rules for port forwarding, and outbound rules to scale and tune your outbound connectivity.

Global VNet Peering in Azure China cloud

Global VNet Peering is generally available in all Azure China cloud regions. This means you can peer virtual networks across the China cloud regions. You cannot peer across Azure China and Azure public cloud regions.

General availability of the Lsv2-series Azure Virtual Machines (VMs)

The Lsv2-series is well suited for your high throughput and high IOPS workloads including big data applications, SQL and NoSQL databases, data warehousing, and large transactional databases. The Lsv2-series features high throughput, low latency, and directly mapped local NVMe storage. The Lsv2 VMs run on the AMD EPYCTM 7551 processor with an all core boost of 2.55GHz. The Lsv2-series VMs offer various configurations from 8 to 80 vCPUs with simultaneous multi-threading. Each VM features 8 GiB of memory and one 1.92TB NVMe SSD M.2 device per 8 vCPUs, with up to 19.2TB (10 x 1.92TB) available on the 80vCPU L80s v2.

M-series virtual machines (VMs) are available in Australia Central 2 region

Azure M-series VMs are now available in the Australia Central 2 region. M-series VMs offer configurations with memory from 192 GB to 3.8 TiB (4 TB) RAM and are certified for SAP HANA.

Account failover for Azure Storage (public preview)

The preview for account failover for customers with geo-redundant storage (GRS) enabled storage accounts is available. Customers using GRS or RA-GRS accounts can take advantage of this functionality to control when to failover from the primary region to the secondary region for their storage accounts. If the primary region for your geo-redundant storage account becomes unavailable for an extended period of time, you can force an account failover. When you perform a failover, all data in the storage account is failed over to the secondary region, and the secondary region becomes the new primary region. The DNS records for all storage service endpoints – blob, Azure Data Lake Storage Gen2, file, queue, and table – are updated to point to the new primary region. Once the failover is complete, clients can automatically begin writing data to the storage account using the service endpoints in the new primary region, without any code changes.

Reserved instances applicable to classic VMs, cloud services, and Dev/Test subscriptions

Classic VMs, Cloud Services users, Enterprise Dev/Test and Pay-As-You-Go Dev/Test subscriptions can now benefit from the RI discounts.

Resource group control for Azure DevTest Lab

As a lab owner, you now have the option to configure all your lab virtual machines (VMs) to be created in a single resource group. This helps prevent you from reaching resource group limits on your Microsoft Azure subscription. The feature will also help by enabling you to consolidate all your lab resources within a single resource group. In result this will simplify tracking those resources and applying policies to manage them at the resource group level.

Azure Stack

Azure Stack 1901 update

The update includes improvements, fixes, and new features for Azure Stack. This update package is only for Azure Stack integrated systems. Do not apply this update package to the Azure Stack Development Kit. The Azure Stack 1901 update build number is 1.1901.0.95.

Azure IaaS and Azure Stack: announcements and updates (January 2019 – Weeks: 03 and 04)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Azure Guest OS Family 6 (Windows Server 2019)

Azure Guest OS Family 6, based on Windows Server 2019, is now generally available. Windows Server 2019 is the operating system that bridges on-premises environments with Azure, adding layers of security while helping you modernize your applications and infrastructure.

Azure Availability Zones in East US 2

Azure Availability Zones, a high-availability solution for mission-critical applications, is generally available in East US 2.

Availability Zones are physically separate locations within an Azure region. Each Availability Zone consists of one or more datacenters equipped with independent power, cooling, and networking. With the introduction of Availability Zones, Microsoft offers a service-level agreement (SLA) of 99.99% for uptime of virtual machines.

Update rollup for Azure File Sync Agent: January 2019

An update rollup for the Azure File Sync agent was released and addresses the following issues:

  • Files are not tiered after upgrading the Azure File Sync agent to version 4.x.
  • AfsUpdater.exe is now supported on Windows Server 2019.
  • Miscellaneous reliability improvements for sync.

More information about this update rollup:

  • This update is available for Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019 installations that have Azure File Sync agent version 4.0.1.0 or later installed.
  • The agent version of this update rollup is 4.3.0.0.
  • A restart may be required if files are in use during the update rollup installation.
  • Installation instructions are documented in KB4481059.

Azure Migrate is available in Asia and Europe

Azure Migrate now supports Asia and Europe as migration project locations. This means that you can now store your discovered metadata in Asia (Southeast Asia) and Europe (North Europe/West Europe) regions.

In addition to Asia and Europe, Azure Migrate also supports storing the metadata in United States and Azure Government geographies. Support for other Azure geographies is planned for the future.

Note that the project geography does not restrict you from planning your migration for a different target location. Azure Migrate supports more than 30 regions as assessment target locations. The project geography is only used to store the discovered VM metadata.

M-series virtual machines (VMs) are available in Australia Central region

Azure M-series VMs are  available in the Australia Central region. M-series VMs offer configurations with memory from 192 GB to 3.8 TiB (4 TB) RAM and are certified for SAP HANA.

Azure Governance: introduction to Azure Policy

IT governance is the process through which an organization can ensure an effective and efficient use of IT resources, in order to achieve their goals. Azure Policy is a service available in the Microsoft public cloud that can be used to create, assign and manage policies to control the resources in Azure. Azure Policy, natively integrated into the platform, are a key element for the governance of the cloud environment. In this article, the principles of operation and features of the solution are reported.

In Azure environments you can find different subscriptions on which develop and operate several groups of operators. The common requirement is to standardize, and in some cases impose, how to configure the resources in the cloud. All this is done to obtain specific environments that meet compliance regulations, monitor security, resource costs and standardize the design of different architectures. These goals can be achieved with a traditional approach, that includes a block of operators (Dev/Ops) in the direct access to cloud resources (through the portal, API or cli). This traditional approach is, however, inflexible, because it involves a loss of agility in controlling the deployment of resources. Instead, using the mechanism that comes natively from Azure platform is possible to drive the governance to achieve the desired control, without impacting speed, the basic element in the operations of the modern IT.

Figure 1 – Traditional approach vs cloud-native governance

In Azure Policy you can do the following reported:

  • Enable built-in policy or configure them to meet your needs.
  • Perform real-time evaluation of the criteria set out in the policy and force execution.
  • Assess the compliance of the policy periodically or on request.
  • Enable audit policy on the virtual machine guest environment (Vm In-Guest Policy).
  • Apply policies on Management Groups in order to gain control over the entire organization.
  • Apply multiple criteria and aggregate the various states of the policies.
  • Configure scope over which the exclusions are applied.
  • Enable real-time remediation steps, also for existing resources.

All this translates into the ability to apply and enforce policy compliance on a large scale and its remediation actions.

The working mechanism of the Azure Policy is simple and integrated into the platform. When a request is made for an Azure resource configuration using ARM, this is intercepted by the layer containing the engine that performs the evaluation of policy. This engine makes an assessment based on active Azure policies and establishes the legitimacy of the request.

Figure 2 – Working principle of Azure Policy in creating resources

The same mechanism is then repeated periodically or upon request, to assess the compliance of existing resources.

Figure 3 – Working principle of Azure Policy in resource control

Azure already contains many built-in policies ready to be applied. In addition, in this GitHub repository you can find different definitions of Azure Policies, that can be used directly or modified to suit your needs. The definition of the Azure Policy is made in JSON and follows a well defined structure, described in this Microsoft's document. You also have the possibility of creating Initiatives, they are a collection of multiple policies.

Figure 4 – Example of defining a Azure Policy

When you have the desired policy definition, it is possible to assign it to a subscription and possibly in a more limited way to a specific Resource Group. You also have the option of excluding certain resources from the application of the policy.

Figure 5 – Process of assigning an Azure Policy

Following the assignment, you can evaluate the State of compliance in detail and if it is necessary apply remediation actions.

Figure 6 – State of compliance

Figure 7 -Example of remediation action

 

Conclusions

Through the use of Azure Policy you can totally control your own Azure environment, in a simple and efficient way. Statistics provided by Microsoft cite that considering the 100 top Azure Customers, 92 these use Azure Policy to control their environment. This is because, when you increase the complexity and amount of services on Azure is essential to adopt instruments, as Azure Policy, to have effective governance policies.

Azure IaaS and Azure Stack: announcements and updates (January 2019 – Weeks: 01 and 02)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Azure Migrate is available in Azure Government and Azure Asia

Azure Migrate now supports Azure Government and Azure Asia as a migration project location. This means that you can store your discovered metadata in an Azure Government region (US Gov Virginia) and in Asia region (Southeast Asia).

Note that the project geography does not restrict you from planning your migration for a different target location. Azure Migrate supports more than 30 regions as assessment target locations. The project geography is only used to store the discovered VM metadata.

General availability of Azure Data Box Disk

Azure Data Box Disk, an SSD-based solution for offline data transfer to Azure is now available in the US, EU, Canada, and Australia, with more country/regions to be added over time. Microsoft also is launching the public preview of Azure Data Box Blob Storage. When enabled, this feature will allow you to copy data to Blob Storage on Data Box using blob service REST APIs.

Azure Networking: security services overview

In the modern era of cloud computing, the tendency is to move more frequently workloads in the public cloud and to use hybrid cloud. Security is often perceived as an inhibitor element for the use of cloud environments. Can you extend the datacenter to the cloud while maintaining a high level of network security? How to ensure safe access to services in the cloud and with which tools? One of the main reasons to use Azure, for your own applications and services, is the possibility to take advantage of a rich set of functionality and security tools integrated in the platform. This article will be a overview of network security services in Azure, reporting guidelines and useful tips to best utilize the potential of the platform, in order to structure the network in Azure respecting all security principles.

In field Azure Networking are available different services for enabling connectivity to distinct environments, according to different modes, to activate the protection of the network and to configure the application delivery. All these services are integrated with monitor systems offered by Azure, going to create a complete ecosystem for the provision of network services.

Figure 1 – Azure Networking Services

In order to configure the network protection for Azure we find the following services, available natively in the platform.

Network Security Group (NSG)

The Network Security Groups (NSGs) are the main tool to monitor network traffic in Azure. By the rules of deny and permit you can filter communications between different workloads on an Azure virtual network. In addition, you can apply filters on communications with systems that reside on-premises, connected to the Azure VNet, or for communications to and from Internet. The Network Security Groups (NSGs) They can be applied on a specific subnet of a Azure VNet or directly on the individual network adapters of Azure virtual machines. The advice is to apply them if possible directly on the subnet, to have a comprehensive and more flexible control of ACLs. The NSGs can contain rules with Service Tags, They allow you to group with predefined categories of IP addresses, including those assigned to specific Azure services (examples. AzureMonitor, Appservice, Storage, etc.).

In the rules of Network Security Groups can be referred the Application Security Groups (ASGs). These are groups that contain network adapters of virtual machines on Azure. ASGs allow you to group multiple servers with mnemonic names, useful in particular for dynamic workloads. The Application Security Groups also enable you no longer have to manage in the rules of NSGs IP addresses of Azure virtual machines , as long as these IPs are related to VMs attested on the same VNet.

Figure 2 -Example of a NSG rule that contains a Service Tag and ASG

Figure 3 – Graphical display of network traffic segregation by NSG

Service Endpoints

Through the Virtual Network (VNet) service endpoints, you can increase the level of security for Azure Services, preventing unauthorized access. The vNet Service Endpoints allow you to isolate the Azure services, allowing access to them only by one or more subnets defined in the Virtual Network. This feature also ensures that all traffic generated from the VNet towards the Azure services will always remain within the Azure backbone network. For the supported services and get more details about this you can see the Microsoft documentation.

Figure 4 – Summary of Sevice Endpoints

Azure Firewall

The Azure Firewall is a firewall, fully integrated into the Microsoft public cloud, of type stateful, which makes it possible to centrally control, through policy enforcement, network communication streams, all cross subscriptions and cross virtual networks. Azure Firewall also allows you to filter traffic between the virtual networks of Azure and on-premises networks, interacting with connectivity that is through the Azure VPN Gateway and with Express Route Gateway. For more details about it you can see the article Introduction to Azure Firewall.

Figure 5 – Placement of Azure Firewall

 

Web Application Firewall

The application delivery may be made using the Azure Application Gateway, a service managed by the Azure platform, with inherent features of high availability and scalability. The Application Gateway is a application load balancer (OSI layer 7) for web traffic, that allows you to govern HTTP and HTTPS applications traffic (URL path, host based, round robin, session affinity, redirection). The Application Gateway is able to centrally manage certificates for application publishing, using SSL and SSL offload policy when necessary. The Application Gateway may have assigned a private IP address or a public IP address, if the application must be republished in Internet. In particular, in the latter case, it is recommended to turn on Web Application Firewall (WAF), that provides application protection, based on rules OWASP core rule sets. The WAF protects the application from vulnerabilities and against common attacks, such as X-Site Scripting and SQL Injection attacks.

Figure 6 – Overview of Application Gateway with WAF

DDoS protection

In Azure, DDoS protection is available in two different tiers: Basic or Standard.

The protection Basic is enabled by default in the Azure platform, which constantly monitors the traffic and enforces real-time mitigation of the most common network attacks. This tier provides the same level of protection adopted and tested by Microsoft online services and operates for the public IP addresses of Azure (IPv4 and IPv6). No configuration is required for the Basic tier.

The Azure DDoS Protection Standard provides additional mitigation capabilities compared to Basic tier, which are optimized specifically for the resources in Azure virtual network. Security policies are auto-configured and are optimized by a specific network traffic monitoring and by applying machine learning algorithms, that allow you to profile in the most appropriate and flexible way your application studying the traffic generated. In the moment in which the thresholds set in the policy of DDoS are exceeded, DDoS mitigation process is automatically started, and it is suspended when it falls below the traffic thresholds established. These policies are applied to all public IP of Azure (IPv4) associated with resources present in the virtual network, such as: virtual machines, Azure Load Balancer, Azure Application Gateway, Azure Firewall, VPN Gateway and Azure Service Fabric instances.

For more details about it you can see the article Protection from DDoS attacks in Azure.

Synergies and recommendations for the use of various security services

In order to obtain an effective network security and direct you in the use of the various components, are reported the main recommendations which is recommended to consider:

  • The Network Security Groups (NSGs) and the Azure Firewall are complementary and using them together you get a high degree of defense. The NSGs is recommended to use them to filter traffic between the resources that reside within a VNet, while the Azure Firewall is useful to provide network and application security between different Virtual Networks.
  • To increase the security of Azure PaaS services is advised to use the Service endpoints, which can be used in conjunction with Azure Firewall to consolidate and centralize access logs. To do this, you can enable the service endpoint in the Azure Firewall subnet, disabling the subnet present in the Spoke VNet.
  • Azure Firewall provides network protection Layer 3 for all ports and protocols, it also guarantees a level of application protection (Layer 7) for outbound HTTP/S traffic. For this reason, if you wish to make a secure application publishing (HTTP/S inbound) you should use the Web Application Firewall present in the Application Gateway, then associating it to Azure Firewall.
  • Azure Firewall can also be accompanied by third-party WAF/DDoS solutions.

All these security services, properly configured in a Hub-Spoke network architecture allow network traffic segregation, achieving a high level of control and security.

Figure 7 – Security services in a Hub-and-Spoke architecture

Conclusions

Azure provides a wide range of services that provide high levels of security, acting on different fronts. The security model that you decide to take, you can resize it and adapt flexibly, depending on the type of application workloads to be protected. A winning strategy can be obtained by applying a mix-and-match of different network security services, to get a protection on more layers.

Protection from DDoS attacks in Azure

A cyber attack of type distributed denial-of-service (DDoS attack – Distributed Denial of Service) is intended to exhaust deliberately the resources of a given system that provides a service to clients, such as a website that is hosted on web servers, to the point that it will no longer be able to provide these services to those who require it in a legitimate way. This article will show the security features that you can have in Azure for this type of attacks, in order to best protect the applications on the cloud and ensure their availability against DDoS attacks.

DDoS attacks are becoming more common and sophisticated, to the point where it can reach sizes, in bandwidth, increasingly important, which make it difficult to protect and increase the chances of making a downtime to published services, with a direct impact on company business.

Figure 1 – DDoS Attack Trends

Often this type of attack is also used by hackers to distract the companies and mask other types of cyber attacks (Cyber Smokescreen).

 

Features of the solution

In Azure, DDoS protection is available in two different tiers: Basic or Standard.

Figure 2 - Comparison of the features available in different tiers for DDoS Protection

The protection Basic is enabled by default in the Azure platform, which constantly monitors the traffic and enforces real-time mitigation of the most common network attacks. This tier provides the same level of protection adopted and tested by Microsoft online services and operates for the public IP addresses of Azure (IPv4 and IPv6). No configuration is required for the Basic tier.

The Azure DDoS Protection Standard provides additional mitigation capabilities compared to Basic tier, which are optimized specifically for the resources in Azure virtual network. Security policies are auto-configured and are optimized by a specific network traffic monitoring and by applying machine learning algorithms, that allow you to profile in the most appropriate and flexible way your application studying the traffic generated. In the moment in which the thresholds set in the policy of DDoS are exceeded, DDoS mitigation process is automatically started, and it is suspended when it falls below the traffic thresholds established. These policies are applied to all public IP of Azure (IPv4) associated with resources present in the virtual network, such as: virtual machines, Azure Load Balancer, Azure Application Gateway, Azure Firewall, VPN Gateway and Azure Service Fabric instances. This protection does not apply to App Service Environments.

Figure 3 – Overview of Azure DDoS Protection Standard

The Azure DDoS Protection Standard is able to cope with the following attacks:

  • Volumetric attacks: the goal of these attacks is to flood the network with a considerable amount of seemingly legitimate traffic (UDP floods, amplification floods, and other spoofed-packet floods).
  • Protocol attacks: These attacks are aiming to make inaccessible a specific destination, exploiting a weakness that is found in the layer 3 and in the layer 4 of the stack (for example SYN flood attacks and reflection attacks).
  • Resource (application) layer attacks: These attacks are targeting the Web application packages, in order to stop transmitting data between systems. Attacks of this type include: violations of the HTTP protocol, SQL injection, cross-site scripting and other attacks in level 7. To protect themselves from attacks of this type is not sufficient DDoS protection standard, but you must use it in conjunction with the Web Application Firewall (WAF) available in Azure Application Gateway, or with third-party web application firewall solution, available in the Azure Marketplace.

 

Enabling DDoS protection Standard

The DDoS protection Standard is enabled in the virtual network and is contemplated for all resources that reside in it. The activation of the Azure DDoS Protection Standard requires you to create a DDoS Protection Plan which collects the virtual networks with DDoS Protection Standard active, cross subscription.

Figure 4 – Creating a DDoS Protection Plan

The protection Plan is created in a particular subscription, which will be associated with the cost of the solution.

Figure 5 – Enabling DDoS protection Standard on an existing Virtual Network

The Standard tier provides a real-time telemetry that can be consulted via views in Azure Monitor.

Figure 6 – DDoS Metrics available in Azure Monitor

Any DDoS protection metrics can be used to generate alerts. Using the metric "Under DDoS attack"you can be notified when an attack is detected and DDoS mitigation action is applied.

DDoS Protection Standard applies three auto-tuned mitigation policies (TCP SYN, TCP & UDP) for each public IP address associated with a protected resource, so that resides on a virtual network with active the DDoS standard service.

Figure 7 – Monitor mitigation metrics available in Azure

To report generation, regarding the actions undertaken to mitigate DDoS attacks, you must configure the diagnostics settings.

Figure 8 – Diagnostics Settings in Azure Monitor

Figure 9 - Enable diagnostics of Public IP to collect logs DDoSMitigationReports

In the diagnostic settings it is possible to also collect other logs relating to mitigation activities and notifications. For more information about it you can see Configure DDoS attack analytics in the Microsoft documentation. The metrics for the DDoS protection Standard are maintained in Azure for Moniotr 30 days.

Figure 10 – Attack flow logs in Azure Log Analytics

How to test the effectiveness of the solution

Microsoft has partnered withBreakingPoint Cloud and, thanks to a very intuitive interface, it allows you to generate traffic, towards the public IPs of Azure, to simulate a DDoS attack. In this way you can:

  • Validate the effectiveness of the solution.
  • Simulate and optimize responses against incident related to DDoS attacks.
  • Document the compliance level for attacks of this type.
  • Train the network security team.

Costs of the solution

The Basic tier foresees no cost, while enabling the DDoS Protection Standard requires a fixed monthly price (not negligible) and a charge for data that are processed. The fixed monthly price includes protection for 100 resources, above which there is an additional unit cost for each protected resource. For more details on Azure DDoS Protection Standard costs you can see the Microsoft's official page.

Conclusions

The protection from DDoS attacks in Azure allows us to always have active a basic protection to deal with such attacks. Depending on the application criticality, can be evaluated the Standard protection, which in conjunction with a web application firewall solution, allows you to have full functionality to mitigate distributed denial-of-service attacks.