Azure Management Stores - Page 7 of 7 - Francesco Molfese // Blog

To stay constantly updated on news regarding Azure management services, our community releases this monthly summary, allowing you to have an overview of the main new features of the month. In this article you will find the news, presented in a synthetic way and accompanied with the necessary references to be able to conduct further studies.

The following diagram shows the different areas related to management, which are covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.

Figure 1 – Management services in Azure overview

Monitor

Azure Monitor

New version of the agent for Linux systems

A new version of the Log Analytics agent has been released this month for Linux systems. The main innovations introduced are:

Stability and reliability improvements.
Improved support for Azure Arc for Server.
FIPS Compliance.
RHEL support 8.

SHA-2 signing for the Log Analytics agent

The Log Analytics agent for Windows will start enforcing SHA-2 signings from 17 August 2020, postponing the date previously set to 18 may 2020. This change requires action if you are running the agent on a legacy version of the operating system (Windows 7, Windows Server 2008 R2, or Windows Server 2008) . Customers who are in this condition should apply the latest updates and patches on these operating systems before 17 August 2020, otherwise their agents will stop sending data to Log Analytics workspaces. The following Azure services will be affected by this change: Azure Monitor, Azure Automation, Azure Update Management, Azure Change Tracking, Azure Security Center, Azure Sentinel, Windows Defender ATP.

Feature extensions of Azure Monitor

The following enhancements have been made in Azure Monitor that expand its functionality and make it an increasingly complete solution:

Azure Monitor availability for Azure Storage and Azure Monitor for Azure Cosmos DB.
Azure Monitor preview for Azure Key Vault and Azure Monitor for Redis Cache.
Preview of Azure Monitor Application Insights in Azure Monitor Logs workspaces.
Capacity reservation and CMK encryption with Azure Monitor Logs clusters dedicated to large-scale deployments.

Azure Private Link Availability for Azure Monitor
The Azure Private Link feature is now also available for Azure Monitor and allows you to have the following features:

Private connectivity to Azure Monitor Logs workspaces and to Azure Application Insights.
Exfiltration data protection with granular access to specific resources.
Protecting resources from access from the public network.

At the moment you need to make a request explicitly to access these features.

Improve the experience when deleting and restoring Azure Monitor Logs workspaces

Microsoft has added soft-delete workspace functionality to make it easier to recover if necessary. In fact, in the event of a cancellation, the workspace will go into a soft-delete state to allow it to be restored if necessary, including data and connected agents, within 14 days. This behavior can be circumvented and permanently deleted the workspace. To avoid the incorrect elimination of the workspaces from the Azure portal, a specific section has been added where you can consult how many solutions are installed and the relative daily data volume received in the last 7 days by data type.
Restoring the workspace, can now take place directly from the Azure portal.

Azure Advisor recommendation digests

Azure Advisor introduces the ability to receive a periodic summary of the available best practice recommendations developed by the solution. Advisor Digest Recommendations keep you up-to-date on Azure optimization opportunities outside the Azure portal. Notifications are customizable and handled through Azure Monitor Action Group.

Azure Service Health also includes emerging issues

Azure Service Health now also reports emerging issues in the Azure portal. An emerging problem is a situation in which Azure is aware of a widespread outage but may not yet be fully aware of the extent and amplitude. Previously, emerging problems were only available in the Azure Status page.

Configure

Azure Automation

TLS 1.2 Enforcement

Starting from September 1st 2020, Azure Automation will impose the presence of Transport Layer Security (TLS) version 1.2 or later, for all external HTTPS endpoints.

Secure

Azure Security Center

Changes to the just-in-time service (JIT) virtual machine (VM) Access

In the just-in-time service (JIT) virtual machine (VM) access have been made the following changes:

The recommendation advising to enable JIT on a VM has been renamed by “Just-in-time network access control should be applied on virtual machines” in “Management ports of virtual machines should be protected with just-in-time network access control”.
The recommendation is now activated only if open management ports are detected.

Custom recommendations placed in a separate panel

All the custom recommendations created for your subscriptions are now positioned in the dedicated section “Custom recommendations”.

Account security recommendations moved to the section “Security best practices”

The following recommendations have been included in the section “Security best practices” and therefore do not impact on the secure score:

MFA should be enabled on accounts with read permissions on your subscription (originally in the “Enable MFA” control)
External accounts with read permissions should be removed from your subscription (originally in the “Manage access and permissions” control)
A maximum of 3 owners should be designated for your subscription (originally in the “Manage access and permissions” control)

Microsoft has decided to apply this change as it has determined that the risk of these three recommendations is lower than initially thought.

Protect

Azure Backup

SAP HANA backup for Red Hat Enterprise Linux VM

Azure Backup includes protecting SAP HANA databases on Red Hat Enterprise Linux virtual machines (RHEL). This feature allows to have in an integrated way and without having to provide a specific backup infrastructure, the protection of SAP HANA databases on RHEL, one of the most commonly used operating systems in these scenarios.

Protect against accidental deletion of Azure file shares

To provide greater protection against cyberattacks and accidental deletion, Azure Backup has added an extra layer of security to the Azure file shares snapshot management solution. If you delete File Shares, content and its recovery points (Snapshots) are retained for a configurable period of time, enabling full recovery without data loss. When you configure protection for a file share, Azure Backup enables soft-delete functionality at the account storage level with a retention period of 14 days, which is configurable according to your needs. This setting determines the time window in which you can restore the contents and snapshots of your file shares after any accidental deletion operations. Once the share file is restored, backups resume working without the need for additional configurations.

Azure Site Recovery

Zone-to-zone disaster recovery available in new regions

Zone-to-Zone DR is now also available in the Southeast Asia and UK South regions. With this Azure Site Recovery feature, called zone-to-zone DR, there's an opportunity to create disaster recovery plans (DR) for virtual machines (VM), replicating them between different Azure Availability Zones. If a single Azure Availability Zone is compromised, you will be able to fail over virtual machines to a different zone within the same region and access them from the Secondary Availability Zone.

Introduced support for proximity groups

Azure Site Recovery has introduced support for proximity placement groups (PPGs). Thanks to this feature, any virtual machine (VM) hosted within a PPG can be secured using Azure Site Recovery. By enabling replication of that VM, you can provide a PPG in the secondary region as an additional parameter. When a failover process is activated, Site Recovery will place the VM in the user-supplied target PPG.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Starting from this month, the series of articles released by our community about what's new in Azure management services is renewed. They will be articles, published on a monthly basis, dedicated exclusively to these topics to have a greater level of depth.

Management refers to the tasks and processes required to better maintain business applications and the resources that support them. Azure offers many strongly related services and tools to provide a comprehensive management experience. These services are not exclusively for Azure resources, but they can potentially also be used for on-premises environments or other public clouds.

The following diagram shows the different areas related to management, which will be covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.

Monitor

Azure Monitor for containers: support for monitoring the use of GPUs on AKS GPU-enabled node pools

Azure Monitor for containers has introduced the ability to monitor the use of GPUs in Azure Kubernetes Service environments (AKS) with nodes that take advantage of GPUs. They are currently supported as NVIDIA and AMD vendors.
This monitoring functionality can be useful for:

Check the availability of GPUs on the nodes, the use of the GPU memory and the status of GPU requests by pods.
View the information collected through the built-in workbook available in the workbook gallery.
Generate alerts on pod status

Export of alerts and recommendations to other solutions

Azure Security introduces an interesting feature that allows you to send security information generated by your environment to other solutions. This is done through a continuous export mechanism of alerts and recommendations to Azure Event Hubs or to Azure Monitor Log Analytics workspaces. This feature opens up new integration scenarios for Azure Security Center. The functionality is called Continuos Export and is described in detail in this article.

Workflow automation functionality

Azure Security Center includes the ability to have workflows to respond to security incidents. Such processes may include notifications, the initiation of a change management process and the application of specific remediation operations. The recommendation is to automate as many procedures as possible as automation can improve safety by ensuring that the process steps are performed quickly, consistent and according to predefined requirements. The Azure Security Center has been made available the functionality workflow automation. It can be used to automatically trigger the Logic Apps trigger based on security alerts and recommendations. Furthermore, manual trigger execution is available for security alerts and for recommendations that have the quick fix option available.

Integration with Windows Admin Center

It is now possible to include Windows Server systems residing on-premises directly from the Windows Admin Center in Azure Security Center.

Azure Monitor Application Insights: monitors Java applications codeless

The Java Application Monitor is now made possible without making changes to the code, thanks to Azure Monitor Application Insights. In fact, the new Java codeless agent is available in preview. Among the libraries and frameworks supported by the new Java agent we find:

gRPC.
Netty/Webflux.
JMS.
Cassandra.
MongoDB.

Retiring the solution for Office 365

For the solution “Azure Monitor Office 365 management (Preview)”, which allows you to send the logs of Office 365 to Azure Monitor Log Analytics is expected to be retired on 30 July 2020. This solution has been replaced by the solution of Office 365 present in Azure Sentinel and the solution “Azure AD reporting and monitoring”. The combination of these two solutions is able to offer a better experience in configuration and in its use.

Azure Monitor for Containers: support for Azure Red Hat OpenShift

Azure Monitor for Containers now also supports in preview the monitor for Kubernetes clusters hosted on Azure Red Hat OpenShift version 4.x & OpenShift versione 4.x.

Azure Monitor Logs: limitations on concurrent queries

To ensure a consistent experience for all users in consulting the Azure Monitor Logs, will be gradually implemented new limits of concurrency. This will help protect yourself from sending too many queries simultaneously, which could potentially overload system resources and compromise responsiveness. These limits are designed to intervene and limit only extreme usage scenarios, but they should not be relevant for the typical use of the solution.

Secure

Azure Security Center

Dynamic compliance packages available

The Azure Security Center regulatory compliance dashboard now includes thedynamic compliance packages to trace further industry and regulatory standards. The dynamic compliance packages can be added at subscription or management group level from the Security Center policy page. After entering a standard or benchmark, this is displayed in the regulatory compliance dashboard with all related data. A summary report will also be available for download for all standards that have been integrated.

Identity recommendations included in Azure Security Center tier free

Security recommendations relating to identity and access have been included in the Azure Security Center tier free. This aspect allows to increase the functionality in the cloud security posture management area for free (CSPM). Before this change, these recommendations were only available in the Azure Security Center Standard tier. Here are some examples of recommendations for identity and access:

“Multifactor authentication should be enabled on accounts with owner permissions on your subscription.”
“A maximum of three owners should be designated for your subscription.”
“Deprecated accounts should be removed from your subscription.”

Protect

Azure Backup

Cross Region Restore (CRR) for Azure virtual machines

Thanks to the introduction of this new feature in Azure Backup, it introduces the ability to start restores at will in a secondary region, making them completely controlled by the customer. To do this, the Recovery Service vault that holds the backups must be set to geographic redundancy; in this way the backup data in the primary region are geographically replicated in the secondary region associated with Azure (paired region).

Figure 1 – New possible scenarios from Cross Region Restore (CRR)

Azure Files share snapshot management

Azure Backup introduces the ability to create Snapshots of Azure Files share, Daily, weekly, Monthly, and keep them until 10 years.

Support for replacing existing disks for VMs with custom images

Azure Backup introduced support, during the recovery phases, to replace existing disks on virtual machines created with custom images.

SAP HANA backup

In Azure Backup, protection of SAP HANA DBs present in virtual machines is available in all major Azure regions. This functionality allows you to have SAP HANA database protection integrated and without having to provide a specific backup infrastructure. This solution is officially certified by SAP.