Archivi categoria: Azure Networking

Azure IaaS and Azure Stack: announcements and updates (May 2022 – Weeks: 17 and 18)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Azure Lab Services April 2022 update (preview)

IT departments, administrators, educators, and students can utilize the following updated features in Azure Lab Services:

  • Enhanced lab creation and improved backend reliability
  • Access performance
  • Extended virtual network support
  • Easier labs administration via new roles
  • Improved cost tracking via Azure Cost Management service
  • Availability of PowerShell module
  • .NET API SDK for advanced automation and customization
  • Integration with Canvas learning management system

Storage

Azure File Sync agent v15 

Azure File Sync agent v15 is available and it’s now on Microsoft Update and Microsoft Download Center.

Improvements and issues that are fixed:

  • Reduced transactions when cloud change enumeration job runs
  • View Cloud Tiering status for a server endpoint or volume
  • New diagnostic and troubleshooting tool
  • Immediately run server change enumeration to detect files changes that were missed by USN journal
  • Miscellaneous improvements

More information about this release:

  • This release is available for Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 and Windows Server 2022 installations.
  • A restart is required for servers that have an existing Azure File Sync agent installation if the agent version is less than version 12.0.
  • The agent version for this release is 15.0.0.0.
  • Installation instructions are documented in KB5003882.

Object replication on premium blob storage and rule limit increased

Object replication now supports premium block blobs to replicate your data from your blob container in one storage account to another anywhere in Azure. The destination storage account can be a premium block blob or a general-purpose v2 storage account.

You can also specify up to 1000 replication rules (increased from 10) for each replication policy for both general-purpose v2 and premium block blob storage accounts.  

Object replication unblocks a set of common replication scenarios for block blobs: 

  • Minimize latency: have your users consume the data locally rather than issuing cross-region read requests.  
  • Increase efficiency: have your compute clusters process the same set of objects locally in different regions. 
  • Optimize data distribution: have your data consolidated in a single location for processing/analytics and then distribute only resulting dashboards to your offices worldwide. 
  • Optimizing costs: after your data has been replicated, you can reduce costs by moving it to the archive tier using life cycle management policies. 

Networking

Controls to block domain fronting behavior on customer resources

Effective April 29, 2022,you will be able to stop allowing domain fronting behavior on your Azure Front Door, Azure Front Door (classic), and Azure CDN Standard from Microsoft (classic) resources in alignment with Microsoft’s commitment to secure the approach to domain fronting within Azure.

Virtual Network NAT health checks available via Resource Health

Virtual Network NAT (VNet NAT) is a fully managed and highly resilient network address translation (NAT) service. With Virtual Network NAT, you can simplify your outbound connectivity for virtual networks without worrying about the risk of connectivity failures from port exhaustion or your internet routing configurations.

Support for Resource Health check with Virtual Network NAT helps you monitor the health of your NAT gateway as well as diagnose or troubleshoot outbound connectivity. 

With Azure Resource Health, you can: 

  • View a personalized dashboard of the health of your NAT gateway 

  • Set up customizable resource health alerts to notify you in near real-time of when the health status of your NAT gateway changes 

  • See the current and past health history of your NAT gateway to help you mitigate issues 

  • Access technical support when you need help with Azure services, such as diagnosing and solving issues 

Virtual Network NAT Resource Health is available in all Azure public regions, Government cloud regions, and China Cloud regions. 

Enhancements to Azure Web Application Firewall

Microsoft offers two options, global WAF integrated with Azure Front Door and regional WAF integrated with Azure Application Gateway, for deploying Azure WAF for your applications and APIs.

On March 29, Microsoft announced the general availability of managed Default Rule Set 2.0 with anomaly scoring, Bot Manager 1.0, and security reports on global WAF. Additional features on regional WAF are available, that offer you better security, improved scale, easier deployment, and better management of your applications and APIs:

  • Reduced false positives with Core Rule Set 3.2 integrated with Azure Application Gateway. The older CRS 2.2.9 ruleset is being phased out in favor of the newer rulesets.
  • Improved performance and scale with the next generation of WAF engine, released with CRS 3.2
  • Increased size limits on regional WAF for body inspection up to 2MB and file upload up to 4GB
  • Advanced customization with per rule exclusion and attribute by names support on regional WAF
  • Native consistent experience with WAF policy, new deployments of Application Gateway v2 WAF SKU now natively utilizes WAF policies instead of configuration
  • Advanced analytics capabilities with new Azure Monitor metrics on regional WAF

Azure IaaS and Azure Stack: announcements and updates (April 2022 – Weeks: 15 and 16)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Recommended alert rules for virtual machines (preview)

The Azure portal experience now allows you to easily enable a set of recommended and out-of-the-box set of alert rules for your Azure resources. Currently in preview for virtual machines, you can simply enable a set of best practice alert rules on an unmonitored VM with just a few clicks.

Storage

Rehydrate an archived blob to a different storage account

You can now rehydrate an archived blob by copying it to a different storage account, as long as the destination account is in the same region as the source account. Rehydration across storage accounts enables you to segregate your production data from your backup data, by maintaining them in separate accounts. Isolating archived data in a separate account can also help to mitigate costs from unintentional rehydration.

Azure Archive Storage now available in Switzerland North

Azure Archive Storage provides a secure, low-cost means for retaining cold data including backup and archival storage. Now, Azure Archive Storage is available in Switzerland North.

Networking

Service tags support for user-defined routing

Specify a service tag as the address prefix parameter in a user-defined route for your route table. You can choose from tags representing over 70 Microsoft and Azure services to simplify and consolidate route creation and maintenance. With this release, using service tags in routing scenarios for containers is also supported. User-defined routes with service tags will update automatically to include any changes that services make to their list of IPs and endpoints.

DNS reservations to prevent subdomain takeover in Cloud Services deployments

Microsoft Azure is a cloud platform integrated with data services, advanced analytics, and developer tools and services. When you build on, or migrate IT assets to Azure, Microsoft provides a secure, consistent application platform to run your workloads. To strengthen your security posture, Microsoft rolled out DNS reservations to prevent subdomain takeover in Cloud Services deployments. Subdomain takeovers enable malicious actors to redirect traffic intended for an organization’s domain to a site performing malicious activity. 

Azure Stack

Azure Stack HCI

Windows Server guest licensing offer

To facilitate guest licensing for Azure Stack HCI customers, take advantage of a new offer that brings simplicity and increased flexibility. This licensing is through an all-in-one place Azure subscription and in some cases may be less expensive than the traditional licensing model. The new Windows Server subscription for Azure Stack HCI is generally available as of April 1, 2022. With this offer, you can purchase unlimited Windows Server guest licenses for your Azure Stack HCI cluster through your Azure subscription. You can sign up and cancel anytime. There is a free 60-day trial after which the offer will be charged at $23.30 per physical core per month.

Azure IaaS and Azure Stack: announcements and updates (April 2022 – Weeks: 13 and 14)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

On-demand capacity reservations

On-demand capacity reservations let you reserve compute capacity for one or more VM size(s) in an Azure region or availability zone for any length of time.

Azure Batch supports Spot Virtual Machines

Azure Batch offers Spot Virtual Machines in user-subscription Batch accounts. The Spot Virtual Machines are available as single-instance virtual machines (VMs) or Virtual Machine Scale Sets. In addition, you get unique Azure pricing and benefits when running Windows Server workloads on Spot Virtual Machine’s.

Azure Virtual Machines increase storage throughput by up to 300%

The new memory optimized Ebs v5 and Ebds v5 Azure Virtual Machines, now generally available, feature the latest 3rd Gen Intel Xeon Platinum 8370C (Ice Lake) processor in a hyper-threaded configuration. These VMs deliver up to 300% increase in VM-to-Disk Storage throughput and IOPS compared to the previous generation D/Ev4 VM series. The new VM series feature sizes from 2 to 64 vCPUs with and without local temporary storage best match your workload requirements. These new VMs offer up to 120,000 IOPS and 4,000 MB/s of remote disk storage throughput. The increased storage throughput is ideal for the most demanding data-intensive workloads, including large relational databases such as SQL Server, high-performance OLTP scenarios, and high-end data analytics applications. 

New planned datacenter region in India (India South Central)

Microsoft has announced plans to bring a new datacenter region to India, including availability zones.

Azure Virtual Machines DCsv3 available in Switzerland and West US (preview)

DCsv3-series virtual machines (VMs) are available (in preview) in Switzerland North and West US. The DCsv3 and DCdsv3-series virtual machines help protect the confidentiality and integrity of your code and data while it processes in the public cloud. By leveraging Intel® Software Guard Extensions and Intel® Total Memory Encryption – Multi Key, you can ensure your data is always encrypted and protected in use. 

Storage

Cross-region snapshot copy for Azure Disk Storage

Cross-region snapshot copy allows you to copy disk snapshots to any region for disaster recovery.
Incremental snapshots are cost-effective point-in-time backups of Azure Disk Storage. They are billed for the changes to disks since the last snapshot and are always stored on the most cost-effective storage, Standard HDD storage, irrespective of the storage type of the parent disk. Now, you can copy incremental snapshots to any region of your choice for disaster recovery using cross-region snapshot copy. Azure manages the copy process and ensures that only changes since the last snapshot in the target region are copied, reducing the data footprint and recovery point objective (RPO).

Copy data directly to Archive Storage with Data Box

You can now use Data Box to copy data directly to Archive tier by indicating this when ordering and then copying to the corresponding share on the Data Box.

Azure Ultra Disk Storage in Sweden Central

Azure Ultra Disk Storage provides high-performance along with sub-millisecond latency for your most-demanding workloads.

Azure storage table access using Azure Active Directory

Azure Active Directory (Azure AD) support to authorize requests for Azure Table Storage is now generally available. With Azure AD, you can use Azure role-based access control (Azure RBAC) to grant permissions to any security principal, which can include a user, group, application service principal, or managed identity. The security principal is authenticated by Azure AD to return an OAuth 2.0 token. The token can then be used to authorize a request against the Table service. Authorizing requests against Azure Storage Tables with Azure AD provides superior security and ease of use over shared key authorization. Microsoft recommends using Azure AD authorization with your table applications when possible to assure access with minimum required privileges.

Azure File Sync agent v15

Improvements and issues that are fixed:

  • Reduced transactions when cloud change enumeration job runs
  • View Cloud Tiering status for a server endpoint or volume
  • New diagnostic and troubleshooting tool
  • Immediately run server change enumeration to detect files changes that were missed by USN journal
  • Miscellaneous improvements

To obtain and install this update, configure your Azure File Sync agent to automatically update when a new version becomes available or manually download the update from the Microsoft Update Catalog.

More information about this release:

  • This release is available for Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 and Windows Server 2022 installations.
  • A restart is required for servers that have an existing Azure File Sync agent installation if the agent version is less than version 12.0.
  • The agent version for this release is 15.0.0.0.
  • Installation instructions are documented in KB5003882.

Networking

Bring your own public IP ranges to Azure

When planning a potential migration of on-premises infrastructure to Azure, you may want to retain your existing public IP addresses due to your customers’ dependencies (for example, firewalls or other IP hardcoding) or to preserve an established IP reputation. Now you can bring your own IP addresses (BYOIP) to Azure in all public regions. Using the Custom IP Prefix resource, you can now bring your own public IPv4 ranges to Azure and use them like any other Azure-owned public IP ranges. Once onboarded, these IPs can be associated with Azure resources, interact with private IPs and VNETs within Azure’s network, and reach external destinations by egressing from Microsoft’s Wide Area Network.

The new Azure Front Door: a modern cloud CDN service

The new Azure Front Door is a Microsoft native, unified, and modern cloud content delivery network (CDN) catering to dynamic and static content acceleration. This service includes built in turnkey security and a simple pricing model built on Microsoft’s massive scale private global network. There are two Azure Front Door tiers: standard and premium. They combine the capabilities of Azure Front Door (classic) and Azure CDN from Microsoft (classic) and attach with Azure Web Application Firewall (WAF). This provides a unified and secure solution for delivering your applications, APIs, and content on Azure or anywhere at scale.

Several key capabilities have been released:

  • Improved automation and simplified provisioning with DNS TXT based domain validation
  • Auto generated endpoint host name to prevent subdomain takeover
  • Expanded Private Link support in all Azure regions with availability zones to secure backends
  • Web Application Firewall enhancements with DRS 2.0 RuleSet and Bot manager
  • Expanded rules engine with regular expressions and server variables
  • Enhanced analytics and logging capabilities
  • Integration with Azure DNS, Azure Key Vault, Azure Policy and Azure Advisor
  • A simplified and predictable cost model

Azure Bastion native client support

With the new Azure Bastion native client support, available with Standard SKU, you can now:

  • Connect to your target Azure virtual machine via Azure Bastion using Azure CLI and a native client on your local machine
  • Log into Azure Active Directory-joined virtual machines using your Azure Active Directory credentials
  • Access the features available with your chosen native client (ex: file transfer)

Azure Bastion support for Kerberos authentication (preview)

Azure Bastion support for Kerberos authentication, available with both basic and standard SKUs, is now in public preview.

Azure IaaS and Azure Stack: announcements and updates (March 2022 – Weeks: 11 and 12)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Trusted launch support for Virtual Machines using Ephemeral OS disks (preview)

Trusted launch is a seamless way to improve the security of generation 2 VMs. It protects against advanced and persistent attack techniques by combining technologies that can be independently enabled like secure boot and virtualized version of trusted platform module (vTPM). Now, Trusted Launch support for VMs using Ephemeral OS disks is available in preview.

Best practices assessment for SQL Server on Azure Virtual Machines

You can now evaluate if your SQL Server on Azure Virtual Machines is following configuration best practices using the SQL best practices assessment feature. You can start or schedule an assessment on the SQL virtual machine blade in the Azure portal. Once the feature is enabled, your SQL Server instance and databases are scanned to provide recommendations for things like indexes, retired features, enabled or missing trace flags, statistics, and more.

Select Azure Dedicated Host SKUs will be retired on 31 March 2023

On 31 March 2023, Azure Dedicated Hosts Dsv3-Type1, Esv3-Type1, Dsv3-Type2, and Esv3-Type2 will be retired. Before that date, you must migrate to the new Dedicated Host SKUs.

Azure HBv3 virtual machines for HPC now upgraded

All Azure HBv3 virtual machine (VM) deployments from 21 March 2022 will include AMD EPYC 3rd Gen processors with 3D V-Cache, codenamed “Milan-X”. The enhanced HBv3 VMs are available in the Azure East US, South Central US, and West Europe regions. All VM deployments from today onward will occur on machines featuring Milan-X processors. Existing HBv3 VMs deployed prior to today’s launch will continue to see AMD EPYC 3rd Gen processors, codenamed “Milan”, until they are de-allocated and you create a new VM in its place.

New planned datacenter region in Finland (Finland Central)

Microsoft will establish a new datacenter region in the country, offering Finnish organizations local data residency and faster access to the cloud, delivering advanced data security and cloud solutions. The new datacenter region will also include availability zones, providing you with high availability and additional tolerance to datacenter failures. 

Networking

Inbound NAT rule now supports port management for backend pools

Standard Load Balancer inbound NAT rule now supports specifying a range of ports for the backend instances. Previously, to enable port forwarding, an inbound NAT rule needed to be created for every instance in Load Balancer’s backend pool. This became complex to manage at scale and resulted in management overhead. The addition of port management for backend pool to inbound NAT rules allows you to specify a range of frontend ports pre-allocated for a specific backend pool to enable port forwarding. Upon scaling, Standard Load Balancer will automatically create port mapping from an available frontend port of the specified range to the specified backend port of the new instance. This capability applies to all types of backend pools composed of Virtual Machines, Virtual Machines Scale Sets, or IP addresses across all Azure regions.

Five Azure classic networking services will be retired on 31 August 2024

Azure Cloud Services (classic) will be retired on 31 August 2024. Because classic Azure Virtual Network, reserved IP addresses, Azure ExpressRoute gateway, Azure Application Gateway, and Azure VPN Gateway are dependent on Azure Cloud Services (classic), they’ll be retired on the same date. Before that date, you’ll need to migrate any resources that use these classic networking services to the Azure Resource Manager deployment model.

Azure Stack

Azure Stack Edge

General Availability of Azure Stack Edge Pro 2

Microsoft has announced the general availability of its Azure Stack Edge Pro 2 solution, a new generation of an AI-enabled edge computing device offered as a service from Microsoft. The Azure Stack Edge Pro 2 offers the following benefits over its precursor, the Azure Stack Edge Pro series:

  • This series offers multiple models that closely align with your compute, storage, and memory needs. Depending on the model you choose, the compute acceleration could be via one or two Graphical Processing Units (GPU) on the device.
  • This series has flexible form factors with multiple mounting options. These devices can be rack mounted, mounted on a wall, or even placed on a shelf in your office.
  • These devices have low acoustic emissions and meet the requirements for noise levels in an office environment.

Azure Stack Hub

Azure Kubernetes Service on Azure Stack Hub (preview)

With Azure Stack Hub’s 2108 update, you can preview Azure Kubernetes Service on Azure Stack Hub. The same service that’s currently found in Azure is available in Azure Stack Hub. Manage Kubernetes clusters in the same way you currently do in Azure and utilize a familiar user experience, CLI, and API.

IoT Hub on Azure Stack Hub public preview will be retired on 30 September 2022

On 30 September 2022, the public preview version of IoT Hub on Azure Stack Hub will be retired. Before that date, we recommend you migrate to Azure IoT Edge gateway. Azure IoT Edge gateway is integrated with Azure IoT Hub running in Azure and provides an end-to-end IoT experience with comprehensive diagnostics capabilities. An Azure IoT Edge gateway can be deployed on an Azure Stack Hub Virtual Machine. Alternatively, you can host a VM on another physical hardware of your choice.

Azure Container Registry on Azure Stack Hub (preview)

With Azure Stack Hub’s 2108 update, you can preview Azure Container Registry on Azure Stack Hub. This service uses private container registries on Azure Stack Hub to store and retrieve OCI-compliant images to support both connected and disconnected scenarios for Azure Kubernetes Service (AKS), AKS engine, and other container orchestrator engines. 

Azure IaaS and Azure Stack: announcements and updates (March 2022 – Weeks: 09 and 10)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure Stack

Azure Stack Edge

Azure Stack Edge Pro 2

Azure Stack Edge Pro 2 is a new generation of an AI-enabled edge computing device offered as a service from Microsoft. The Azure Stack Edge Pro 2 offers the following benefits over its precursor, the Azure Stack Edge Pro series:

  • This series offers multiple models that closely align with your compute, storage, and memory needs. Depending on the model you choose, the compute acceleration could be via one or two Graphical Processing Units (GPU) on the device.
  • This series has flexible form factors with multiple mounting options. These devices can be rack mounted, mounted on a wall, or even placed on a shelf in your office.
  • These devices have low acoustic emissions and meet the requirements for noise levels in an office environment.

The Pro 2 series is designed for deployment in edge locations such as retail, telecommunications, manufacturing, or even healthcare. Here are the various scenarios where Azure Stack Edge Pro 2 can be used for rapid Machine Learning (ML) inferencing at the edge and preprocessing data before sending it to Azure:

  • Inference with Azure Machine Learning: you can run ML models to get quick results that can be acted on before the data is sent to the cloud. 

  • Preprocess data: transform data before sending it to Azure via compute options such as containerized workloads and Virtual Machines to create a more actionable dataset. 

  • Transfer data over network to Azure:  use this solution to easily and quickly transfer data to Azure to enable further compute and analytics or for archival purposes.

Azure IaaS and Azure Stack: announcements and updates (February 2022 – Weeks: 07 and 08)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Hotpatch for Windows Server virtual machines

You can patch and install updates to your Windows Server virtual machines on Azure without requiring a reboot using hotpatch. This capability is available exclusively as part of Azure Automanage for Windows Server for Windows Server Azure Edition core virtual machines, and comes with the following benefits:

  • Lower workload impact with less reboots
  • Faster deployment of updates as the packages are smaller, install faster, and have easier patch orchestration with Azure Update Manager
  • Better protection, as the Hotpatch update packages are scoped to Windows security updates that install faster without rebooting

Virtual Machine level disk bursting supports additional VM types

Virtual Machine level disk bursting supports M-series, Msv2-series Medium Memory, and Mdsv2-series Medium Memory VM families allowing your virtual machine to burst its disk IO and  throughput performance for a short time, daily. This enables VMs to handle unforeseen spiky disk traffic smoothly and process batched jobs with speed. There is no additional cost associated with this new capability or adjustments on the VM pricing and it comes enabled by default.

Automatically delete a VM and its associated resources simultaneously

Automatically delete disks, NICs and Public IPs associated with a VM at the same time you delete the VM. With this feature, you can specify the associated resources that should be automatically deleted when you delete a VM. This will allow you to save time and simplify the VM management process.

Storage

Azure NetApp Files: new region and cross-region replication

Azure NetApp Files is now available in Australia Central 2. Additionally, cross-region replication has been enabled between Australia Central and Australia Central 2 region pair.

Azure NetApp Files: application consistent snapshot tool v5.1 (preview)

Application consistent snapshot tool (AzAcSnap) v5.1 is a command-line tool enables you to simplify data protection for third-party databases (SAP HANA) in Linux environments (for example, SUSE and RHEL).

The public preview of application consistent snapshot tool v5.1 supports the following new capabilities:

  • Oracle Database support
  • Backint Co-existence
  • RunBefore and RunAfter capability

These new features can be used with Azure NetApp Files, Azure BareMetal, and now, Azure Managed Disk. 

Networking

Application Gateway mutual authentication

Azure Application Gateway is announcing general availability for transport layer security (TLS) mutual authentication. Mutual authentication allows for two-way TLS certificate-based authentication, which allows both client and server to verify each other’s identity. This release strengthens your zero trust networking posture and enables many connected devices, IoT, business to business, and API security scenarios.

You can upload multiple client certificate authority (CA) certificate chains on the Application Gateway to use for client authentication. You can also choose to enable frontend mutual authentication at a per-listener level on Application Gateway. Microsoft is also adding enhancements to server variables supported on Application Gateway to enable you to pass additional client certificate information to backend as HTTP headers.

With this release Microsoft is also extending support for listener specific TLS policies which allows you to configure predefined or custom TLS policies at a per listener granularity, instead of global TLS policies.

Azure Networking: i servizi di sicurezza per un approccio Zero Trust

Sono sempre più numerose le realtà aziendali che per sostenere il ritmo dettato dalla trasformazione digitale e per altre ragioni specifiche intraprendono un percorso di adozione di soluzioni cloud e di migrazione dei propri workload verso il cloud. Per garantire che le risorse presenti in ambiente cloud siano al sicuro è necessario adottare un nuovo modello di sicurezza che si adatti in modo più efficace alla complessità dell’ambiente moderno, contemplando ambienti ibridi e proteggendo applicazioni e dati indipendentemente da dove risiedono. In questo articolo vengono descritti alcuni dei principali servizi di sicurezza del networking di Azure che aiutano le organizzazioni a adottare il modello Zero Trust, un approccio alla sicurezza integrato e proattivo da applicare su differenti fronti.

Il framework Zero Trust elaborato da Microsoft si basa sui seguenti tre principi per proteggere le risorse:

  • Verify explicitly. Autenticare e autorizzare sempre, tenendo in considerazione diversi aspetti come: l’identità utente, la location, lo stato del dispositivo, il servizio oppure il workload, la classificazione dei dati e le anomalie.
  • Use least privileged access. Limitare l’accesso degli utenti mediante: accessi “just-in-time” (JIT) e “just-enough-access” (JEA), policy adattive basate sul rischio e protezione dei dati.
  • Assume breach. Ridurre al minimo l’esposizione e segmentare gli accessi andando a definire perimetri granulari. Utilizzare una crittografia end-to-end e fare analisi per: ottenere visibilità, rilevare minacce e migliorare le difese.

L’approccio Zero Trust presuppone una violazione e accetta la realtà che i malintenzionati possano essere ovunque. Per questa ragione tale modello consiglia di verificare tutti i tentativi di accesso, limitare l’accesso degli utenti (JIT e JEA) e rafforzare la protezione delle risorse. A tutte queste pratiche è però importante associare dei controlli sulle comunicazioni di rete, andando a segmentando la rete in zone più piccole per poi controllare quale traffico può fluire tra di esse. Un approccio dove i firewall di rete vengono implementati esclusivamente sulle reti perimetrali, filtrando il traffico tra zone attendibili e non attendibili diventa limitante per questo modello. Invece, è consigliato filtrare il traffico anche tra reti interne, host e applicazioni.

In Azure sono presenti diversi servizi di sicurezza relativi al networking, descritti nei paragrafi seguenti, che consentono di filtrare e controllare le comunicazioni di rete in modo granulare, supportando così il modello Zero Trust.

Network Security Group (NSG)

I Network Security Groups (NSG) sono lo strumento principale per controllare il traffico di rete in Azure. Tramite delle regole di deny e permit è possibile filtrare le comunicazioni tra differenti workload attestati su una virtual network di Azure. Inoltre, è possibile applicare filtri sulle comunicazioni con sistemi che risiedono nell’ambiente on-premises, connesso alla VNet Azure, oppure per le comunicazioni da e verso Internet. I Network Security Groups (NSG) possono essere applicati su una determinata subnet di una VNet Azure oppure direttamente sulle singole schede di rete delle macchine virtuali Azure. I NSG possono contenere regole con dei Service Tags, che consentono di raggruppare con dei nomi predefiniti delle categorie di indirizzi IP, incluse quelle assegnate a determinati servizi Azure (es. AzureMonitor, AppService, Storage, etc.).

Nelle regole dei Network Security Groups possono essere referenziati anche gli Application Security Groups (ASG). Si tratta di gruppi che contengono schede di rete di macchine virtuali presenti su Azure. Gli ASG consentono di raggruppare con nomi mnemonici più server, utili in particolare per workload dinamici. Gli Application Security Groups consentono quindi di non dover più gestire nelle regole degli NSG gli indirizzi IP delle macchine virtuali Azure, purché questi IP siano relativi a VMs attestate sulla stessa VNet.

Sebbene ci sia la possibilità di attivare soluzioni firewall a livello di sistema operativo guest, i NSG di Azure sono in grado di garantire la protezione anche se la macchina virtuale in Azure viene compromessa. Infatti, un utente malintenzionato che ottiene l’accesso alla macchina virtuale e ne eleva i privilegi potrebbe essere in grado di disabilitare il firewall sull’host. I NSG, essendo implementati al di fuori della macchina virtuale, forniscono forti garanzie contro gli attacchi al sistema di firewalling a bordo delle macchine virtuali.

Figura 1 – Visualizzazione grafica della segregazione del traffico di rete tramite NSG

Azure Firewall

Azure Firewall è un servizio di sicurezza di rete, gestito e basato su cloud, in grado di proteggere le risorse attestate sulle Virtual Network di Azure e di governare in modo centralizzato i relativi flussi di rete. Inoltre, ha funzionalità intrinseche di alta disponibilità e di scalabilità.

Azure Firewall Premium garantisce tutte le funzionalità presenti nel tier Standard di Azure Firewall e in più aggiunge le seguenti funzionalità tipiche di un next generation firewall.

Figura 2 – Panoramica delle funzionalità di Azure Firewall Premium

Le best practice dettate dal modello Zero Trust prevedono di crittografare sempre i dati in transito per ottenere una crittografia end-to-end. Tuttavia, dal punto di vista operativo, spesso si ha la necessità di avere una maggiore visibilità per applicare servizi di sicurezza aggiuntivi ai dati non crittografati. Con le funzionalità di Azure Firewall Premium tutto ciò è possibile. Infatti, la versione Premium permette di ottenere un livello di protezione ulteriore dalle minacce di sicurezza, mediante funzionalità come TLS Inspection e IDPS che garantiscono un maggior controllo del traffico di rete al fine di intercettare e bloccare la diffusione di malware e virus. Per ulteriori dettagli riguardanti le funzionalità di Azure Firewall Premium è possibile consultare questo articolo.

DDoS protection

Il modello Zero Trust si pone l’obiettivo di autenticare e autorizzare qualsiasi componente che risiede sulla rete. Nonostante ciò, qualsiasi sistema in grado di ricevere pacchetti di rete è vulnerabile agli attacchi DDoS, anche quelli che utilizzano un’architettura Zero Trust. Di conseguenza, è fondamentale che qualsiasi implementazione Zero Trust adotti anche una soluzione per la protezione dagli attacchi DDoS.

In Azure la protezione da attacchi DDoS è disponibile in due differenti tiers: Basic oppure Standard.

La protezione Basic è abilitata di default nella piattaforma Azure, la quale effettua costantemente il monitor del traffico e applica in tempo reale delle mitigazioni agli attacchi di rete più comuni. Questo tier fornisce lo stesso livello di protezione adottato e collaudato dai servizi online di Microsoft ed è attiva per gli indirizzi IP Pubblici di Azure (Pv4 e IPv6). Non è richiesta alcun tipo di configurazione per il tier Basic.

L’Azure DDoS Protection di tipologia Standard fornisce delle funzionalità di mitigation aggiuntive rispetto al tier Basic, che sono ottimizzate in modo specifico per le risorse dislocate nelle virtual network di Azure. Le policy di protezione sono auto-configurate e vengono ottimizzate effettuando un monitoraggio specifico del traffico di rete e applicando degli algoritmi di machine learning, che consentono di profilare nel modo più opportuno e flessibile il proprio applicativo studiando il traffico generato. Nel momento in cui vengono superate le soglie impostate nella policy di DDoS, viene in automatico avviato il processo di DDoS mitigation, il quale viene sospeso nel momento in cui si scende al di sotto delle soglie di traffico stabilite. Queste policy vengono applicate a tutti gli IP pubblici Azure associati alle risorse presenti nelle virtual network, come: macchine virtuali, Azure Load Balancer, Azure Application Gateway, Azure Firewall, VPN Gateway e istanze Azure Service Fabric.

Azure Firewall Manager

Il modello di sicurezza Zero Trust ci indirizza nell’adozione di un approccio legato alla micro-segmentazione e alla definizione di perimetri granulari nella propria architettura di rete. Per agevolare questo approccio è possibile utilizzare Azure Firewall Manager, uno strumento che, mettendo a disposizione un unico pannello di controllo centralizzato, è in grado di semplificare la configurazione e la gestione delle network security policy, le quali spesso devono essere distribuite su più istanze di Azure Firewall.  Oltre alla gestione delle policy di Azure Firewall, Azure Firewall Manager consente di associare alle reti virtuali un piano di protezione dagli attacchi DDoS.

Inoltre, Azure Firewall Manager consente di utilizzare offerte SECaaS (Security as a Service) di terze parti per proteggere l’accesso a Internet degli utenti.

Sinergie e raccomandazioni per l’utilizzo dei vari servizi di protezione

Al fine di ottenere una protezione di rete efficace si riportano alcune raccomandazioni che è consigliato tenere in considerazione per l’utilizzo dei vari componenti di sicurezza relativi al networking di Azure:

  • I Network Security Groups (NSG) e l’Azure Firewall sono tra di loro complementari e utilizzandoli in modo congiunto si ottiene un grado di difesa elevato. I NSG è consigliato utilizzarli per filtrare il traffico tra le risorse che risiedono all’interno di una VNet, mentre l’Azure Firewall è utile per fornire una protezione di rete e applicativa tra differenti Virtual Network.
  • Per aumentare la sicurezza dei servizi Azure PaaS è consigliato utilizzare i Private Link, i quali possono essere utilizzati in concomitanza ad Azure Firewall per consolidare e centralizzare i log degli accessi.
  • Nel caso si voglia effettuare una pubblicazione applicativa protetta (HTTP/S in inbound) è opportuno utilizzare il Web Application Firewall presente nelle soluzioni di Application Delivery di Azure, affiancandolo quindi ad Azure Firewall. Web Application Firewall (WAF), consente di ottenere una protezione da vulnerabilità e da attacchi comuni, come ad esempio attacchi X-Site Scripting e SQL Injection.
  • Azure Firewall può essere affiancato anche da soluzioni WAF/DDoS di terze parti.
  • Oltre ad Azure Firewall è possibile valutare l’adozione di Network Virtual Appliances (NVAs) fornite da vendor di terze parti e disponibili nel marketplace di Azure.

Tutti questi servizi di protezione, opportunamente configurati in una topologia di rete Hub-Spoke consentono di effettuare una segregazione del traffico di rete, ottenendo un elevato livello di controllo e sicurezza.

Figura 3 – Esempio di una architettura Hub-Spoke con i vari servizi di sicurezza

Inoltre, prevedendo l’integrazione con i servizi di sicurezza di Azure, come Microsoft Defender for Cloud, Microsoft Sentinel ed Azure Log Analytics, è possibile ottimizzare ulteriormente la gestione delle security posture e la protezione dei workload.

Conclusioni

Il modello di sicurezza definito Zero trust dagli analisti di Forrester Research è ormai un imperativo per la protezione dei propri ambienti. Azure mette a disposizione una vasta gamma di servizi che consentono di ottenere elevati livelli di sicurezza, agendo su differenti fronti per sostenere questo modello. Per affrontare questo percorso di adozione del modello Zero Trust, una strategia vincente in ambito Azure networking la si può ottenere applicando un mix-and-match dei differenti servizi di sicurezza di rete per avere una protezione su più livelli.

Azure IaaS and Azure Stack: announcements and updates (February 2022 – Weeks: 05 and 06)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Deployment enhancements for SQL Server on Azure Virtual Machines

A great update to our Azure Marketplace image with SQL is you can now configure the instance during deployment.  Most companies have standards for their SQL instances and can now make configuration changes during deployment vs keeping the preconfigured image settings. Items like moving the system database to a data disk, configuring tempdb data and log files, configuring the amount of memory and more.   During SQL VM deployment under SQL Server Settings, you have the options to change the defaults by clicking Change Configuration for storage or Change SQL Instance settings for customizing memory limits, collation, and ad hoc workloads.

Networking

New Azure Firewall capabilities

New Azure Firewall capabilities are available:

  • Azure Firewall network rule name logging: previously, the event of a network rule hit would show the source, destination IP/port, and the action, allow or deny. With the new functionality, the event logs for network rules will also contain the policy name, Rule Collection Group, Rule Collection, and the rule name hit.
  • Azure Firewall premium performance boost: this feature increases the maximum throughput of the Azure Firewall Premium by more than 300 percent (to 100Gbps).
  • Performance whitepaper: to provide customers with a better visibility into the expected performance of Azure Firewall, Microsoft is releasing the Azure Firewall Performance documentation.

Azure Bastion now supports file transfer via the native client (preview)

With the new Azure Bastion native client support in public preview and included in Standard SKU, you can now:

  • Use either SSH or RDP to upload files to a VM from your local computer.
  • Use RDP to download files from a VM to your local computer. 

Custom virtual network support in Azure Container Apps (preview)

You can now create Azure Container Apps environments into new or existing virtual networks. This enables Container Apps to receive private IP addresses, maintain outbound internet connectivity, and communicate privately with other resources on the same virtual network.  

Azure IaaS and Azure Stack: announcements and updates (January 2022 – Weeks: 03 and 04)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Storage

Azure NetApp Files: new features

New features are constantly added to Azure NetApp Files and previously released preview features are moved into general availability. The following capabilities have recently received general availability status and no longer need registration for use:

The following new features have been added in public preview :

Regional coverage continues to expand, and Azure NetApp Files is now generally available in:

  • East Asia
  • Switzerland North
  • Switzerland West
  • West US 3

Feature regional coverage continues to expand as well for cross-region replication, cross region replication region pair additions:

  • West US 3 <-> East US
  • Southeast Asia <-> East Asia
  • Switzerland North <-> Switzerland West
  • UsGov Virginia <-> UsGov Texas
  • UsGov Arizona <-> UsGov Texas
  • UsGov Virginia <-> UsGov Arizona

Azure IaaS and Azure Stack: announcements and updates (January 2022 – Weeks: 01 and 02)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Price reductions for Azure confidential computing

Microsoft is announcing a price reduction on the DCsv2 and DCsv3-series VMs by up to 33%. The price reduction enables the data protection benefits of ACC with no premium compared to general purpose VMs on a per physical core basis. New prices took effect on 1/1/2022. If you are already using DCsv2 and DCsv3-series VMs prior to 1/1/2022, you will see the price reduction in your next bill. 

Storage

Azure Ultra Disk Storage is available in West US 3

Azure Ultra Disk Storage is now available in West US 3. Azure Ultra Disks offer high throughput, high IOPS, and consistent low latency disk storage for Azure virtual machines (VMs). Ultra Disks are suited for data-intensive workloads such as SAP HANA, top tier databases, and transaction-heavy workloads.

Networking

Multiple custom BGP APIPA addresses for active VPN gateways

All SKUs of active-active VPN gateways now support multiple custom BGP APIPA addresses for each instance. Automatic Private IP Addressing (APIPA) addresses are commonly used as the BGP IP addresses for VPN connectivity. In addition to many on-premises VPN devices requiring multiple custom APIPA addresses for BGP, this feature enables BGP connections to Amazon Web Services (AWS) and other cloud providers.

Load Balancer SKU upgrade through PowerShell script

You can now upgrade your Azure Load Balancer from Basic SKU to Standard SKU by using a PowerShell script. By upgrading to Standard SKU, the Load Balancer enables the network layer traffic to drive higher performance and stronger resiliency, along with an improved integration experience with other Azure services. The PowerShell script creates the Standard SKU Load Balancer with the same configurations as the Basic Load Balancer. In addition, the script migrates the backend resources to the Standard Load Balancer for you. 

Azure Traffic Manager: additional IP addresses for endpoint monitoring service

Traffic Manager uses a probing mechanism to evaluate your application endpoints. To enhance the capacity of our probing plane, Microsoft will be increasing the number of probes deployed within Traffic Manager’s endpoint monitoring service over the next few years to continue to mitigate the large amount of growth. Your applications will see an increase in number of health probes and some of these probes may originate from new IP addresses. These changes will start to go live on 21st January 2022 at 20:00 UTC.

Recommended action: if you use a network access control mechanism (e.g., Azure Firewall or Network Security Groups) and are not using Service Tags (AzureTrafficManager), please continue checking this updated list of IP addresses each Wednesday, until further notice, to ensure you allow incoming traffic from these new IP addresses. Failure to do so may cause some Traffic Manager health probes for the application endpoints to fail and may result in misrouting of traffic. No action is required access control isn’t used or network access control is utilized with AzureTrafficManager service tags.