This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.
What’s new in Azure VMware Solution
Recent updates for Azure VMware Solution:
- Stretched Clusters for Azure VMware Solution, now in preview, provides 99.99 percent uptime for mission critical applications that require the highest availability. In times of availability zone failure, your virtual machines (VMs) and applications automatically failover to an unaffected availability zone with no application impact.
- Azure NetApp Files Datastores is now generally available to run your storage intensive workloads on Azure VMware Solution. This integration between Azure VMware Solution and Azure NetApp Files enables you to create datastores via the Azure VMware Solution resource provider with Azure NetApp Files NFS volumes and attach the datastores to your private cloud clusters of choice.
- Customer-managed keys for Azure VMware Solution is now in preview, both supporting higher security for customers’ mission-critical workloads and providing you with control over your encrypted vSAN data on Azure VMware Solution. With this feature, you can use Azure Key Vault to generate customer-managed keys as well as centralize and streamline the key management process.
- New node sizing for Azure VMware Solution. Start leveraging Azure VMware Solution across two new node sizes with the general availability of AV36P and AV52 in AVS. With these new node sizes organizations can optimize their workloads for memory and storage with AV36P and AV52.
Virtual Machine software reservations
The new Virtual Machine software reservations enable savings on your Virtual Machine software costs when you make a one- to three-year commitment for plans offered by third-party publishers such as Canonical, Citrix, and Red Hat.
Arm-based VMs now available in four additional Azure regions
The Dpsv5, Dplsv5, and Epsv5 VMs are available in the following additional four Azure regions: West US, North Central US, UK South, and France Central
Encrypt managed disks with cross-tenant customer-managed keys
Encrypting managed disks with cross-tenant customer-managed keys (CMK) enables you to encrypt managed disks with customer-managed keys using Azure Key Vault hosted in a different Azure Active Directory (AD) tenant.
New capabilities for Azure Firewall
Azure Firewall is a cloud-native firewall as a service offering that enables customers to centrally govern and log all their traffic flows using a DevOps approach.
Several key Azure Firewall capabilities are now generally available:
- New GA regions in Qatar central, China East, and China North: Azure Firewall Standard, Azure Firewall Premium, and Azure Firewall Manager are now generally available in three new regions: Qatar Central, China East, and China North
- IDPS Private IP ranges: in Azure Firewall Premium IDPS, Private IP address ranges are used to identify traffic direction (inbound, outbound, or internal) to allow accurate matches with IDPS signatures. By default, only ranges defined by Internet Assigned Numbers Authority (IANA) RFC 1918 are considered private IP addresses. To modify your private IP addresses, you can now easily edit, remove, or add ranges as needed.
- Single Click Upgrade/Downgrade (preview): With this new capability, customers can easily upgrade their existing Firewall Standard SKU to Premium SKU as well as downgrade from Premium to Standard SKU. The process is fully automated and has zero service downtime.
- Enhanced Threat Intelligence (preview): Threat Intelligence-based filtering can be enabled for your firewall to alert and deny traffic from/to known malicious IP addresses and FQDNs. With the new enhancement, Azure Firewall Threat Intelligence has more granularity for filtering based on malicious URLs. This means that customers may have access to a certain domain through a specific URL in this domain will be denied by Azure Firewall if identified as malicious.
- KeyVault with zero internet exposure (preview): in Azure Firewall Premium TLS inspection, customers are required to deploy their intermediate CA certificate in Azure KeyVault. Now that Azure firewall is listed as a trusted Azure KeyVault service, customers can eliminate any internet exposure of their Azure KeyVault.
Azure Front Door: new features in preview
New features are available for Azure Front Door (preview):
- Azure Front Door zero downtime migration. In March of this year, Microsoft announced the general availability of two new Azure Front Door tiers. Azure Front Door Standard and Premium are native, modern cloud content delivery network (CDN) catering to both dynamic and static content delivery acceleration with built-in turnkey security and a simple and predictable pricing model. The migration capability enables you to perform a zero-downtime migration from Azure Front Door (classic) to Azure Front Door Standard or Premium in just three simple steps or five simple steps if your Azure Front Door (classic) instance has custom domains with your own certificates. The migration will take a few minutes to complete depending on the complexity of your Azure Front Door (classic) instance, such as number of domains, backend pools, routes, and other configurations.
- Upgrade from Azure Front Door Standard to Premium tier: Azure Front Door supports upgrading from Standard to Premium tier without downtime. Azure Front Door Premium supports advanced security capabilities and has increased quota limit, such as managed Web Application Firewall rules and private connectivity to your origin using Private Link.
- Azure Front Door integration with managed identities. Azure Front Door now supports managed identities generated by Azure Active Directory to allow Front Door to easily and securely access other Azure AD-protected resources such as Azure Key Vault. This feature is in addition to the AAD Application access to Key Vault that is currently supported.
Default Rule Set 2.1 for Azure Web Application Firewall
Default Rule Set 2.1 (DRS 2.1) on Azure’s global Web Application Firewall (WAF) running on Azure Front Door is available. This rule set is available on the Azure Front Door Premium tier.
DRS 2.1 is baselined off the Open Web Application Security Project (OWASP) Core Rule Set (CRS) 3.3.2 and includes additional proprietary protections rules developed by Microsoft Threat Intelligence team. As with previous DRS releases, DRS 2.1 rules are also tailored by Microsoft Threat Intelligence Center (MSTIC). The MSTIC team analyzes Common Vulnerabilities and Exposures (CVEs) and adapts the CRS ruleset to address those issues while also reducing false positives to our customers.
Bot Manager Rule Set 1.0 on regional Web Application Firewall
A new bot protection rule set (Microsoft_BotManagerRuleSet_1.0) is now generally available for Azure Web Application Firewall (WAF) with Azure Application Gateway. Added to this updated rule set are three bot categories: good, bad, and unknown. Bot signatures are managed and dynamically updated by Azure WAF. The default action for bad bot groups is set to Block, for the verified search engine crawlers group it’s set to Allow, and for the unknown bot category it’s set to Log. You may overwrite the default action with Allow, Block, or Log for any type of bot rule
Per Rule Actions on regional Web Application Firewall
Azure’s regional Web Application Firewall (WAF) with Application Gateway running the Bot Protection rule set and Core Rule Set (CRS) 3.2 or higher now supports setting actions on a rule-by-rule basis. This gives you greater flexibility when deciding how the WAF handles a request that matches a rule’s conditions.
Azure Stack HCI
Network HUD is a new feature, available with the November update on Azure Stack HCI that detects operational network issues causing stability issues or degrade performance. It distills the various indicators of problems generated by event logs, performance counters, the physical network and more, to proactively identify issues and alert you with contextual messages that you can act on. It also integrates with the existing alerting mechanisms you’re already used to and leverages Network ATC for intent-based analytics and remediation.