This blog post series highlights the key announcements and major updates related to Azure Infrastructure as a Service (IaaS) and Azure Local, as officially released by Microsoft in the past two weeks.
Azure
General
Azure Managed Grafana Now Available in Italy North
Azure Managed Grafana is now available in the Italy North region, bringing the visualization and analytics capabilities of Grafana closer to businesses in this area. This service enables users to monitor and analyze their Azure and hybrid environments through an integrated, fully managed Grafana experience. With this expansion, organizations can use a locally hosted deployment, which lowers latency and helps meet regional compliance requirements.
Compute
New Da/Ea/Fav6 Series AMD-Based Virtual Machines
Microsoft has announced the general availability of the Da/Ea/Fav6 series AMD-based virtual machines (VMs). These VMs include the Dasv6 and Dalsv6 general-purpose series, the Easv6 memory-optimized series, and the compute-optimized Falsv6, Fasv6, and Famsv6 series. They deliver significant performance and price-performance improvements over previous AMD-based VM generations, making them ideal for workloads like data analytics, web and application servers, databases, and caches.
Key advancements in these VMs include the integration of NVMe interfaces for local and remote disks, leading to:
- 80% better remote storage performance,
- 400% faster local storage speeds,
- 20% networking bandwidth improvement,
- 45% higher NVMe SSD capacity per vCPU for local-disk configurations.
These enhancements ensure superior performance and scalability for a wide range of enterprise needs.
Networking
Copilot in Azure: Embedded Experience for Azure Firewall Integration in Security Copilot
The integration of Azure Firewall with Security Copilot has been enhanced, offering a streamlined embedded experience for detailed threat analysis directly in the Azure portal. This feature enables analysts to investigate malicious traffic intercepted by the IDPS (Intrusion Detection and Prevention System) feature of Azure Firewall using natural language queries.
Key capabilities now accessible via the Azure portal include:
- Retrieving the top IDPS signature hits for an Azure Firewall.
- Enriching the threat profile of an IDPS signature beyond log information.
- Searching for specific IDPS signatures across tenants, subscriptions, or resource groups.
- Generating recommendations to secure environments using Azure Firewall’s IDPS feature.
These advancements simplify threat analysis and provide actionable insights to bolster security postures.
Azure Bastion Premium
Azure Bastion Premium is a new SKU designed to meet the needs of customers managing highly sensitive virtual machine workloads. This premium offering enhances security by ensuring private connectivity and enabling monitoring for potential anomalies in virtual machine sessions.
Key features introduced with Azure Bastion Premium include:
- Session Recording: Record all virtual machine sessions connected via Bastion, allowing for graphical session playback for auditing and compliance.
- Private Endpoint Connectivity: Securely connect to Bastion via a private endpoint to further isolate network traffic.
These features provide an elevated level of security and monitoring for critical workloads, ensuring compliance and operational integrity. For more details, refer to the guides on configuring session recording and private endpoint connectivity.
Azure Virtual Network Now Supports Configuration of Private IP Address Blocks on Network Interfaces (preview)
Azure Virtual Network has introduced support for configuring private IP address blocks on network interfaces, increasing the number of usable private IP addresses by up to 16 times. Network interfaces now support the configuration of one primary and multiple secondary IP configurations, with each secondary configuration capable of assigning a /28 CIDR block of private IPv4 addresses. This provides 16 usable IP addresses per configuration. This enhancement is particularly beneficial for scenarios such as deploying a large number of Kubernetes (K8s) containers in a virtual network, enabling seamless routing between virtual machines (VMs) and K8s containers. To learn more about configuring private IP address blocks on network interfaces, refer to the documentation: Assign private IP address prefixes to virtual machines.
Fallback to Internet on Private DNS Zones (preview)
The fallback to internet on Private DNS Zones is a new feature in preview that unlocks the adoption of fully managed solutions for network isolation and simplifies scenarios involving Private Link and Private DNS. This feature enables public recursion to occur when an authoritative NXDOMAIN response is received from Private DNS Zones, removing the need for IaaS-based DNS servers.
With this capability, customers can now implement a fully managed native solution for Private Link and Private DNS adoption. The feature can be enabled at the virtual network link level via the API, CLI, or PowerShell, with portal support expected within two weeks. Users can activate the fallback option by selecting Enable fallback to internet in the virtual network link configuration.
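The resolution behaviour described above, as an added illustration that is not Azure's resolver code: a VNet-linked private zone answers for its namespace, and an authoritative NXDOMAIN from that zone either ends resolution (fallback off) or hands the same name to public recursion (fallback on). The zone contents, the public CNAME/A records, and the 10.x/20.x addresses are all constructed sample data, and the Private Link CNAME chain is modelled only to the extent needed to show the decision.

```python
"""Toy model of how a Private DNS Zone linked to a VNet answers queries, with
and without "fallback to internet" on the link. Added illustration, not Azure's
resolver code; all zone data and addresses below are constructed."""

from typing import Dict, Optional, Tuple

# Constructed private zone linked to the VNet. Only storacct1 has a private
# endpoint, so only its A record exists here.
PRIVATE_ZONES: Dict[str, Dict[str, str]] = {
    "privatelink.blob.core.windows.net": {
        "storacct1.privatelink.blob.core.windows.net": "10.1.0.4",
    },
}

# Constructed stand-in for public recursive DNS: name -> (record type, value).
PUBLIC_DNS: Dict[str, Tuple[str, str]] = {
    "storacct1.blob.core.windows.net": ("CNAME", "storacct1.privatelink.blob.core.windows.net"),
    "storacct2.blob.core.windows.net": ("CNAME", "storacct2.privatelink.blob.core.windows.net"),
    "storacct1.privatelink.blob.core.windows.net": ("A", "20.60.1.1"),
    "storacct2.privatelink.blob.core.windows.net": ("A", "20.60.1.2"),
}


def linked_zone_for(name: str) -> Optional[str]:
    """Return the linked private zone that is authoritative for `name`, if any
    (longest matching zone wins)."""
    n = name.rstrip(".").lower()
    best = None
    for zone in PRIVATE_ZONES:
        if n == zone or n.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def resolve(name: str, fallback_to_internet: bool, depth: int = 0) -> Tuple[Optional[str], str]:
    """Resolve `name` as seen from inside the VNet.
    Returns (address or None, source) where source is
    "private-zone", "public" or "NXDOMAIN"."""
    if depth > 8:
        raise RuntimeError("CNAME chain too long")
    n = name.rstrip(".").lower()
    zone = linked_zone_for(n)
    if zone is not None:
        addr = PRIVATE_ZONES[zone].get(n)
        if addr is not None:
            return addr, "private-zone"
        # The linked zone is authoritative and has no such record: NXDOMAIN.
        if not fallback_to_internet:
            return None, "NXDOMAIN"
        # Fallback enabled on the link: continue with public recursion.
    rr = PUBLIC_DNS.get(n)
    if rr is None:
        return None, "NXDOMAIN"
    rtype, value = rr
    if rtype == "CNAME":
        return resolve(value, fallback_to_internet, depth + 1)
    return value, "public"


if __name__ == "__main__":
    for qname in ("storacct1.blob.core.windows.net", "storacct2.blob.core.windows.net"):
        for fallback in (False, True):
            print(qname, "fallback=%s" % fallback, resolve(qname, fallback))
```

The second account has no private endpoint and therefore no record in the private zone; without fallback the lookup fails, with fallback the public address is returned. That is the behaviour to keep in mind when reviewing the setting: a name that is missing from the private zone (by design or by mistake) resolves publicly instead of failing closed.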
DNS Security Policy (preview)
The DNS security policy is now in public preview, introducing enhanced visibility and control over DNS traffic at the virtual network (VNet) level. This feature allows logs to be sent to a storage account, a Log Analytics workspace, or Event Hubs, and offers DNS filtering capabilities to allow, alert, or block name resolutions based on domain lists. The general availability version will incorporate threat intelligence feeds to block known malicious domains.
Key features of the DNS security policy include:
- DNS Traffic Rules: Rules to allow, block, or alert based on priority and domain lists.
- Virtual Network Links: A single policy can be linked to multiple VNets within the same region.
- DNS Domain Lists: Location-based lists of domains for targeted filtering.
The feature is accessible through API, CLI, and PowerShell, with portal availability expected within two weeks.
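A worked model of the allow/block/alert semantics listed above, added here as an illustration rather than Azure's implementation: traffic rules are evaluated in priority order, each rule references one or more domain lists, and the first match decides the action while Block and Alert decisions produce a log record. Two details are assumptions of the model, not documented Azure behaviour: that a lower priority number is evaluated first, and that a domain-list entry matches the name itself and all of its subdomains. The rules, domain names and VNet name are constructed.

```python
"""Toy evaluator for DNS security policy traffic rules (allow / block / alert
by priority and domain list). Added illustration, not Azure's implementation;
rule data, domain names and queries below are constructed."""

import json
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DomainList:
    name: str
    domains: Tuple[str, ...]


@dataclass(frozen=True)
class TrafficRule:
    name: str
    priority: int                        # assumption: lower number evaluated first
    action: str                          # "Allow", "Block" or "Alert"
    domain_lists: Tuple[DomainList, ...]
    enabled: bool = True


def domain_matches(qname: str, entry: str) -> bool:
    """Assumption: a list entry matches the name itself and every subdomain."""
    q = qname.rstrip(".").lower()
    e = entry.rstrip(".").lower()
    return q == e or q.endswith("." + e)


def evaluate(rules: List[TrafficRule], qname: str) -> Tuple[str, Optional[str]]:
    """First matching enabled rule in priority order wins; no match -> Allow."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule.enabled:
            continue
        for dl in rule.domain_lists:
            if any(domain_matches(qname, d) for d in dl.domains):
                return rule.action, rule.name
    return "Allow", None


def log_line(vnet: str, qname: str, action: str, rule: Optional[str]) -> str:
    """One JSON log record, the kind of line that would land in the configured sink."""
    return json.dumps({"vnet": vnet, "query": qname, "action": action, "rule": rule},
                      sort_keys=True)


def process_queries(rules: List[TrafficRule], vnet: str, qnames: List[str]):
    """Evaluate each query; return (decisions, log lines for Block/Alert only)."""
    decisions, logs = [], []
    for q in qnames:
        action, rule = evaluate(rules, q)
        decisions.append((q, action, rule))
        if action != "Allow":
            logs.append(log_line(vnet, q, action, rule))
    return decisions, logs


# Constructed policy: a narrow allow at high precedence, then corporate allow,
# a block list, and a watch list that only alerts.
RULES = [
    TrafficRule("allow-partner-host", 50, "Allow",
                (DomainList("partner", ("partner.bad-example.test",)),)),
    TrafficRule("allow-corp", 100, "Allow", (DomainList("corp-allow", ("contoso.test",)),)),
    TrafficRule("block-known-bad", 200, "Block", (DomainList("known-bad", ("bad-example.test",)),)),
    TrafficRule("alert-watchlist", 300, "Alert", (DomainList("watch", ("paste-example.test",)),)),
]

SAMPLE_QUERIES = [
    "api.contoso.test",
    "c2.bad-example.test",
    "partner.bad-example.test",   # exact host allowed before the broader block
    "drop.paste-example.test",
    "docs.example.test",          # matches nothing: default Allow, no log
]

if __name__ == "__main__":
    decisions, logs = process_queries(RULES, "vnet-prod", SAMPLE_QUERIES)
    for d in decisions:
        print(d)
    for line in logs:
        print(line)
```

The partner host shows why priority matters: the /28-style precision of an exact-host Allow at priority 50 wins over the suffix Block at priority 200, so ordering mistakes silently widen or narrow the policy.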
Azure DNS Now Supports DNSSEC (preview)
Azure DNS has introduced support for DNSSEC (Domain Name System Security Extensions) in public preview, significantly enhancing the security of the Domain Name System in the Azure public cloud. This feature ensures the integrity and authenticity of DNS data by verifying DNS responses against signatures, protecting against attacks such as cache poisoning and man-in-the-middle attacks.
Key Benefits of DNSSEC:
- Enhanced Security: Prevents DNS response manipulation, ensuring users are directed to legitimate destinations.
- Data Integrity: Verifies that DNS data has not been altered in transit by signing responses.
- Trust and Authenticity: Establishes a chain of trust from the root DNS servers to your domain.
DNSSEC is now available via API, CLI, and PowerShell, with portal support expected in the coming weeks. For further details, refer to the Azure DNSSEC documentation.
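The "chain of trust" bullet above, as an added illustration that is not Azure's code: the parent zone publishes a DS record that is a hash of the child's key-signing DNSKEY, so a validating resolver that already trusts the parent can check whether the DNSKEY it received from the child is the one the parent vouched for. The example builds a DS record from a DNSKEY (RFC 4034 canonical owner name plus DNSKEY RDATA, SHA-256) and then verifies a genuine and a tampered key against it. The key bytes are a constructed placeholder, not a real ECDSA key, and RRSIG signature verification (the other half of validation) is not shown.

```python
"""One link of the DNSSEC chain of trust: a parent's DS record is a digest of
the child's key-signing DNSKEY, so a swapped key fails the DS check. Added
illustration, not Azure's code; the key bytes below are constructed and are
not a real key. RRSIG (signature) checking is out of scope here."""

import hashlib
import hmac
import struct
from typing import Dict


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of a domain name, RFC 4034 section 6.2."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes) | protocol (1) | algorithm (1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def build_ds(owner: str, flags: int, protocol: int, algorithm: int, public_key: bytes) -> Dict:
    """What the parent zone publishes: key tag, algorithm, digest type 2 (SHA-256), digest."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm, "digest_type": 2, "digest": digest}


def ds_matches(owner: str, flags: int, protocol: int, algorithm: int,
               public_key: bytes, ds: Dict) -> bool:
    """Resolver-side check: does the DNSKEY received from the child hash to the
    DS the (already trusted) parent published?"""
    if ds["digest_type"] != 2 or ds["algorithm"] != algorithm:
        return False
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    if key_tag(rdata) != ds["key_tag"]:
        return False
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return hmac.compare_digest(digest, ds["digest"].lower())


# Constructed sample: a key-signing key (flags 257) for example.test.
OWNER = "example.test."
KSK_FLAGS, PROTOCOL, ALG_ECDSAP256SHA256 = 257, 3, 13
GENUINE_KEY = bytes(range(64))                                  # placeholder bytes, not a real key
TAMPERED_KEY = bytes([GENUINE_KEY[0] ^ 0x01]) + GENUINE_KEY[1:]  # one bit flipped

if __name__ == "__main__":
    ds = build_ds(OWNER, KSK_FLAGS, PROTOCOL, ALG_ECDSAP256SHA256, GENUINE_KEY)
    print("DS published by parent:", ds)
    print("genuine key accepted:",
          ds_matches(OWNER, KSK_FLAGS, PROTOCOL, ALG_ECDSAP256SHA256, GENUINE_KEY, ds))
    print("tampered key accepted:",
          ds_matches(OWNER, KSK_FLAGS, PROTOCOL, ALG_ECDSAP256SHA256, TAMPERED_KEY, ds))
```

Because the owner name is part of the digest input, a DS is bound to a specific zone name as well as to the key material; rotating the key-signing key therefore requires publishing a new DS at the parent, which is the operational step that most often breaks validation when it is forgotten.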
Network Security Perimeter (preview)
The Network Security Perimeter feature, now in preview, provides a robust solution to restrict access to resources within a defined perimeter while permitting public traffic through explicitly configured inbound and outbound access rules. This capability enhances security and simplifies the management of PaaS resources.
With Network Security Perimeter, administrators can:
- Create secure boundaries around PaaS resources.
- Prevent data exfiltration by associating PaaS resources with the perimeter.
- Define and manage access rules for traffic outside the secure perimeter.
- Consolidate access rule management for all PaaS resources within a single interface.
- Enable diagnostic settings to generate access logs for auditing and compliance.
- Allow private endpoint traffic without requiring additional access rules.
This feature streamlines the administration of secure environments while maintaining flexibility for specific access needs.
Web Application Firewall (WAF) Running on Application Gateway for Containers (preview)
Azure’s Application Gateway for Containers now supports Web Application Firewall (WAF) in private preview, offering centralized security for Azure Kubernetes Service (AKS) environments. WAF’s Default Ruleset protects against a wide range of attacks and exploits, including:
- Cross-site scripting (XSS),
- SQL injection,
- PHP and Java injection,
- Local and remote file inclusion,
- Remote command execution,
- Protocol attacks, and
- Session fixation vulnerabilities.
Additionally, the WAF includes bot manager rulesets to safeguard against malicious bot activities. This comprehensive protection empowers AKS users to defend their applications and services against evolving threats while leveraging the scalability of containerized architectures.
Storage
Azure NetApp Files Cool Access Feature Support with Large Volumes
Azure NetApp Files now supports the cool access feature for large volumes, marking its general availability. This capability enables the tiering of infrequently accessed data on large volumes (ranging from 50 TiB to 1 PiB, and up to 2 PiB on request) to a lower-cost storage tier while maintaining seamless integration with standard, premium, and ultra storage service levels.
The cool access feature allows organizations in industries like Oil & Gas, Manufacturing, and Healthcare to optimize costs by transitioning inactive data to more affordable storage tiers. This integration is especially valuable for large-scale workloads requiring compliance or ongoing business processes, offering significant cost savings and operational efficiency. This feature is available in Azure NetApp Files regions that support large volumes.
Conclusion
Over the past two weeks, Microsoft has introduced a slew of updates and announcements pertaining to Azure Infrastructure as a Service (IaaS) and Azure Stack. These developments underscore the tech giant’s unwavering commitment to enhancing its cloud offerings and adapting to the ever-evolving needs of businesses and developers. Users of Azure can anticipate improved functionalities, streamlined services, and enriched features as a result of these changes. Stay tuned for more insights as I continue to monitor and report on Azure’s progression in the cloud sphere.