This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.
New Azure Cloud Services deployment model (preview)
Both deployment models are now available in Azure Cloud Services:
- Azure Cloud Services (extended support), in public preview, is a new Azure Resource Manager–based deployment model for Azure Cloud Services. As an existing user of Azure Cloud Services, with Azure Cloud Services (extended support) you can now increase regional resiliency while gaining access to new capabilities such as role-based access control (RBAC), tags, policy, and support for deployment templates.
- The Azure Service Manager–based deployment model is now named Azure Cloud Services (classic). You can keep using the existing Azure Cloud Services (classic) deployment model for your Azure Service Manager–based applications.
Availability Zones in new regions
Availability Zones give users additional options for high availability for their most demanding applications and services as well as confidence and protection from potential hardware and software failures by providing three or more unique physical locations within an Azure region. Availability Zones are now generally available in South Central US and in Germany West Central. Availability Zones in this regions are made up of 3 unique physically separated locations or “zones” within a single region to bring higher availability and asynchronous replication across Azure regions for disaster recovery protection.
Linux Diagnostics Agent 4.0 (preview)
The Linux Diagnostic Extension (LAD) 4.0 is now available in public preview. This release contains,
- Azure Monitor Metric Sink enabled by default
- Support for Ubuntu 20.04
- Removal of OMI for a modified version of Telegraf
- Bug and stability improvements
- Performance improvements
Since this is a major version upgrade this update will not be automatically applied. You will need to update manually.
Copy Blob support over private endpoints
Azure Storage now enables you to copy data between storage accounts where one or both the accounts are protected using private endpoints. This includes support for Copy Blob or utilities such as such as AzCopy over Private Endpoints. The feature also enables copying of data between storage accounts, where one account uses a private endpoint and another uses a service endpoint. Azure Storage validates that the client has access to both the source and the destination storage accounts before allowing the data to be copied.
Resource instance rules for access to Azure Storage (preview)
Some Azure resources cannot be isolated through a virtual network or an IP address rule. However, you’d still like to secure and restrict access to your storage account to only your application’s Azure resources. You can now configure your storage accounts to allow access to only specific resource instances of select Azure services by creating a resource instance rule. Resource instances must be in the same tenant as your storage account, but they may belong any resource group or subscription in the tenant. Resource instance rules for access to Azure Storage are now in public preview in all Azure public regions.
Prevent Shared Key authorization on Azure Storage accounts (preview)
Every secure request to an Azure Storage account must be authorized. By default, requests can be authorized with either Azure Active Directory (Azure AD) credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Azure AD provides superior security and ease of use over Shared Key, and is recommended by Microsoft. To require clients to use Azure AD to authorize requests, you can disallow requests to the storage account that are authorized with Shared Key. Microsoft is announcing the public preview of the ability to disable Shared Key authorization for Azure Storage. Before you disable Shared Key authorization on existing storage accounts, Microsoft suggests checking existing access patterns via monitoring.