Category Archives: Azure Networking

Azure IaaS and Azure Stack: announcements and updates (May 2022 – Weeks: 17 and 18)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Azure Lab Services April 2022 update (preview)

IT departments, administrators, educators, and students can utilize the following updated features in Azure Lab Services:

  • Enhanced lab creation and improved backend reliability
  • Access performance
  • Extended virtual network support
  • Easier labs administration via new roles
  • Improved cost tracking via Azure Cost Management service
  • Availability of PowerShell module
  • .NET API SDK for advanced automation and customization
  • Integration with Canvas learning management system

Storage

Azure File Sync agent v15

Azure File Sync agent v15 is available and it’s now on Microsoft Update and Microsoft Download Center.

Improvements and issues that are fixed:

  • Reduced transactions when cloud change enumeration job runs
  • View Cloud Tiering status for a server endpoint or volume
  • New diagnostic and troubleshooting tool
  • Immediately run server change enumeration to detect files changes that were missed by USN journal
  • Miscellaneous improvements

More information about this release:

  • This release is available for Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 and Windows Server 2022 installations.
  • A restart is required for servers that have an existing Azure File Sync agent installation if the agent version is less than version 12.0.
  • The agent version for this release is 15.0.0.0.
  • Installation instructions are documented in KB5003882.

Object replication on premium blob storage and rule limit increased

Object replication now supports premium block blobs to replicate your data from your blob container in one storage account to another anywhere in Azure. The destination storage account can be a premium block blob or a general-purpose v2 storage account.

You can also specify up to 1000 replication rules (increased from 10) for each replication policy for both general-purpose v2 and premium block blob storage accounts.

Object replication unblocks a set of common replication scenarios for block blobs:

  • Minimize latency: have your users consume the data locally rather than issuing cross-region read requests.
  • Increase efficiency: have your compute clusters process the same set of objects locally in different regions.
  • Optimize data distribution: have your data consolidated in a single location for processing/analytics and then distribute only resulting dashboards to your offices worldwide.
  • Optimizing costs: after your data has been replicated, you can reduce costs by moving it to the archive tier using life cycle management policies.

Networking

Controls to block domain fronting behavior on customer resources

Effective April 29, 2022,you will be able to stop allowing domain fronting behavior on your Azure Front Door, Azure Front Door (classic), and Azure CDN Standard from Microsoft (classic) resources in alignment with Microsoft’s commitment to secure the approach to domain fronting within Azure.

Virtual Network NAT health checks available via Resource Health

Virtual Network NAT (VNet NAT) is a fully managed and highly resilient network address translation (NAT) service. With Virtual Network NAT, you can simplify your outbound connectivity for virtual networks without worrying about the risk of connectivity failures from port exhaustion or your internet routing configurations.

Support for Resource Health check with Virtual Network NAT helps you monitor the health of your NAT gateway as well as diagnose or troubleshoot outbound connectivity.

With Azure Resource Health, you can:

  • View a personalized dashboard of the health of your NAT gateway

  • Set up customizable resource health alerts to notify you in near real-time of when the health status of your NAT gateway changes

  • See the current and past health history of your NAT gateway to help you mitigate issues

  • Access technical support when you need help with Azure services, such as diagnosing and solving issues

Virtual Network NAT Resource Health is available in all Azure public regions, Government cloud regions, and China Cloud regions.

Enhancements to Azure Web Application Firewall

Microsoft offers two options, global WAF integrated with Azure Front Door and regional WAF integrated with Azure Application Gateway, for deploying Azure WAF for your applications and APIs.

On March 29, Microsoft announced the general availability of managed Default Rule Set 2.0 with anomaly scoring, Bot Manager 1.0, and security reports on global WAF. Additional features on regional WAF are available, that offer you better security, improved scale, easier deployment, and better management of your applications and APIs:

  • Reduced false positives with Core Rule Set 3.2 integrated with Azure Application Gateway. The older CRS 2.2.9 ruleset is being phased out in favor of the newer rulesets.
  • Improved performance and scale with the next generation of WAF engine, released with CRS 3.2
  • Increased size limits on regional WAF for body inspection up to 2MB and file upload up to 4GB
  • Advanced customization with per rule exclusion and attribute by names support on regional WAF
  • Native consistent experience with WAF policy, new deployments of Application Gateway v2 WAF SKU now natively utilizes WAF policies instead of configuration
  • Advanced analytics capabilities with new Azure Monitor metrics on regional WAF

Azure IaaS and Azure Stack: announcements and updates (April 2022 – Weeks: 15 and 16)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Recommended alert rules for virtual machines (preview)

The Azure portal experience now allows you to easily enable a set of recommended and out-of-the-box set of alert rules for your Azure resources. Currently in preview for virtual machines, you can simply enable a set of best practice alert rules on an unmonitored VM with just a few clicks.

Storage

Rehydrate an archived blob to a different storage account

You can now rehydrate an archived blob by copying it to a different storage account, as long as the destination account is in the same region as the source account. Rehydration across storage accounts enables you to segregate your production data from your backup data, by maintaining them in separate accounts. Isolating archived data in a separate account can also help to mitigate costs from unintentional rehydration.

Azure Archive Storage now available in Switzerland North

Azure Archive Storage provides a secure, low-cost means for retaining cold data including backup and archival storage. Now, Azure Archive Storage is available in Switzerland North.

Networking

Service tags support for user-defined routing

Specify a service tag as the address prefix parameter in a user-defined route for your route table. You can choose from tags representing over 70 Microsoft and Azure services to simplify and consolidate route creation and maintenance. With this release, using service tags in routing scenarios for containers is also supported. User-defined routes with service tags will update automatically to include any changes that services make to their list of IPs and endpoints.

DNS reservations to prevent subdomain takeover in Cloud Services deployments

Microsoft Azure is a cloud platform integrated with data services, advanced analytics, and developer tools and services. When you build on, or migrate IT assets to Azure, Microsoft provides a secure, consistent application platform to run your workloads. To strengthen your security posture, Microsoft rolled out DNS reservations to prevent subdomain takeover in Cloud Services deployments. Subdomain takeovers enable malicious actors to redirect traffic intended for an organization’s domain to a site performing malicious activity.

Azure Stack

Azure Stack HCI

Windows Server guest licensing offer

To facilitate guest licensing for Azure Stack HCI customers, take advantage of a new offer that brings simplicity and increased flexibility. This licensing is through an all-in-one place Azure subscription and in some cases may be less expensive than the traditional licensing model. The new Windows Server subscription for Azure Stack HCI is generally available as of April 1, 2022. With this offer, you can purchase unlimited Windows Server guest licenses for your Azure Stack HCI cluster through your Azure subscription. You can sign up and cancel anytime. There is a free 60-day trial after which the offer will be charged at $23.30 per physical core per month.

Azure IaaS and Azure Stack: announcements and updates (April 2022 – Weeks: 13 and 14)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

On-demand capacity reservations

On-demand capacity reservations let you reserve compute capacity for one or more VM size(s) in an Azure region or availability zone for any length of time.

Azure Batch supports Spot Virtual Machines

Azure Batch offers Spot Virtual Machines in user-subscription Batch accounts. The Spot Virtual Machines are available as single-instance virtual machines (VMs) or Virtual Machine Scale Sets. In addition, you get unique Azure pricing and benefits when running Windows Server workloads on Spot Virtual Machine’s.

Azure Virtual Machines increase storage throughput by up to 300%

The new memory optimized Ebs v5 and Ebds v5 Azure Virtual Machines, now generally available, feature the latest 3rd Gen Intel Xeon Platinum 8370C (Ice Lake) processor in a hyper-threaded configuration. These VMs deliver up to 300% increase in VM-to-Disk Storage throughput and IOPS compared to the previous generation D/Ev4 VM series. The new VM series feature sizes from 2 to 64 vCPUs with and without local temporary storage best match your workload requirements. These new VMs offer up to 120,000 IOPS and 4,000 MB/s of remote disk storage throughput. The increased storage throughput is ideal for the most demanding data-intensive workloads, including large relational databases such as SQL Server, high-performance OLTP scenarios, and high-end data analytics applications.

New planned datacenter region in India (India South Central)

Microsoft has announced plans to bring a new datacenter region to India, including availability zones.

Azure Virtual Machines DCsv3 available in Switzerland and West US (preview)

DCsv3-series virtual machines (VMs) are available (in preview) in Switzerland North and West US. The DCsv3 and DCdsv3-series virtual machines help protect the confidentiality and integrity of your code and data while it processes in the public cloud. By leveraging Intel® Software Guard Extensions and Intel® Total Memory Encryption – Multi Key, you can ensure your data is always encrypted and protected in use.

Storage

Cross-region snapshot copy for Azure Disk Storage

Cross-region snapshot copy allows you to copy disk snapshots to any region for disaster recovery.
Incremental snapshots are cost-effective point-in-time backups of Azure Disk Storage. They are billed for the changes to disks since the last snapshot and are always stored on the most cost-effective storage, Standard HDD storage, irrespective of the storage type of the parent disk. Now, you can copy incremental snapshots to any region of your choice for disaster recovery using cross-region snapshot copy. Azure manages the copy process and ensures that only changes since the last snapshot in the target region are copied, reducing the data footprint and recovery point objective (RPO).

Copy data directly to Archive Storage with Data Box

You can now use Data Box to copy data directly to Archive tier by indicating this when ordering and then copying to the corresponding share on the Data Box.

Azure Ultra Disk Storage in Sweden Central

Azure Ultra Disk Storage provides high-performance along with sub-millisecond latency for your most-demanding workloads.

Azure storage table access using Azure Active Directory

Azure Active Directory (Azure AD) support to authorize requests for Azure Table Storage is now generally available. With Azure AD, you can use Azure role-based access control (Azure RBAC) to grant permissions to any security principal, which can include a user, group, application service principal, or managed identity. The security principal is authenticated by Azure AD to return an OAuth 2.0 token. The token can then be used to authorize a request against the Table service. Authorizing requests against Azure Storage Tables with Azure AD provides superior security and ease of use over shared key authorization. Microsoft recommends using Azure AD authorization with your table applications when possible to assure access with minimum required privileges.

Azure File Sync agent v15

Improvements and issues that are fixed:

  • Reduced transactions when cloud change enumeration job runs
  • View Cloud Tiering status for a server endpoint or volume
  • New diagnostic and troubleshooting tool
  • Immediately run server change enumeration to detect files changes that were missed by USN journal
  • Miscellaneous improvements

To obtain and install this update, configure your Azure File Sync agent to automatically update when a new version becomes available or manually download the update from the Microsoft Update Catalog.

More information about this release:

  • This release is available for Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 and Windows Server 2022 installations.
  • A restart is required for servers that have an existing Azure File Sync agent installation if the agent version is less than version 12.0.
  • The agent version for this release is 15.0.0.0.
  • Installation instructions are documented in KB5003882.

Networking

Bring your own public IP ranges to Azure

When planning a potential migration of on-premises infrastructure to Azure, you may want to retain your existing public IP addresses due to your customers’ dependencies (for example, firewalls or other IP hardcoding) or to preserve an established IP reputation. Now you can bring your own IP addresses (BYOIP) to Azure in all public regions. Using the Custom IP Prefix resource, you can now bring your own public IPv4 ranges to Azure and use them like any other Azure-owned public IP ranges. Once onboarded, these IPs can be associated with Azure resources, interact with private IPs and VNETs within Azure’s network, and reach external destinations by egressing from Microsoft’s Wide Area Network.

The new Azure Front Door: a modern cloud CDN service

The new Azure Front Door is a Microsoft native, unified, and modern cloud content delivery network (CDN) catering to dynamic and static content acceleration. This service includes built in turnkey security and a simple pricing model built on Microsoft’s massive scale private global network. There are two Azure Front Door tiers: standard and premium. They combine the capabilities of Azure Front Door (classic) and Azure CDN from Microsoft (classic) and attach with Azure Web Application Firewall (WAF). This provides a unified and secure solution for delivering your applications, APIs, and content on Azure or anywhere at scale.

Several key capabilities have been released:

  • Improved automation and simplified provisioning with DNS TXT based domain validation
  • Auto generated endpoint host name to prevent subdomain takeover
  • Expanded Private Link support in all Azure regions with availability zones to secure backends
  • Web Application Firewall enhancements with DRS 2.0 RuleSet and Bot manager
  • Expanded rules engine with regular expressions and server variables
  • Enhanced analytics and logging capabilities
  • Integration with Azure DNS, Azure Key Vault, Azure Policy and Azure Advisor
  • A simplified and predictable cost model

Azure Bastion native client support

With the new Azure Bastion native client support, available with Standard SKU, you can now:

  • Connect to your target Azure virtual machine via Azure Bastion using Azure CLI and a native client on your local machine
  • Log into Azure Active Directory-joined virtual machines using your Azure Active Directory credentials
  • Access the features available with your chosen native client (ex: file transfer)

Azure Bastion support for Kerberos authentication (preview)

Azure Bastion support for Kerberos authentication, available with both basic and standard SKUs, is now in public preview.

Azure IaaS and Azure Stack: announcements and updates (March 2022 – Weeks: 11 and 12)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Trusted launch support for Virtual Machines using Ephemeral OS disks (preview)

Trusted launch is a seamless way to improve the security of generation 2 VMs. It protects against advanced and persistent attack techniques by combining technologies that can be independently enabled like secure boot and virtualized version of trusted platform module (vTPM). Now, Trusted Launch support for VMs using Ephemeral OS disks is available in preview.

Best practices assessment for SQL Server on Azure Virtual Machines

You can now evaluate if your SQL Server on Azure Virtual Machines is following configuration best practices using the SQL best practices assessment feature. You can start or schedule an assessment on the SQL virtual machine blade in the Azure portal. Once the feature is enabled, your SQL Server instance and databases are scanned to provide recommendations for things like indexes, retired features, enabled or missing trace flags, statistics, and more.

Select Azure Dedicated Host SKUs will be retired on 31 March 2023

On 31 March 2023, Azure Dedicated Hosts Dsv3-Type1, Esv3-Type1, Dsv3-Type2, and Esv3-Type2 will be retired. Before that date, you must migrate to the new Dedicated Host SKUs.

Azure HBv3 virtual machines for HPC now upgraded

All Azure HBv3 virtual machine (VM) deployments from 21 March 2022 will include AMD EPYC 3rd Gen processors with 3D V-Cache, codenamed “Milan-X”. The enhanced HBv3 VMs are available in the Azure East US, South Central US, and West Europe regions. All VM deployments from today onward will occur on machines featuring Milan-X processors. Existing HBv3 VMs deployed prior to today’s launch will continue to see AMD EPYC 3rd Gen processors, codenamed “Milan”, until they are de-allocated and you create a new VM in its place.

New planned datacenter region in Finland (Finland Central)

Microsoft will establish a new datacenter region in the country, offering Finnish organizations local data residency and faster access to the cloud, delivering advanced data security and cloud solutions. The new datacenter region will also include availability zones, providing you with high availability and additional tolerance to datacenter failures.

Networking

Inbound NAT rule now supports port management for backend pools

Standard Load Balancer inbound NAT rule now supports specifying a range of ports for the backend instances. Previously, to enable port forwarding, an inbound NAT rule needed to be created for every instance in Load Balancer’s backend pool. This became complex to manage at scale and resulted in management overhead. The addition of port management for backend pool to inbound NAT rules allows you to specify a range of frontend ports pre-allocated for a specific backend pool to enable port forwarding. Upon scaling, Standard Load Balancer will automatically create port mapping from an available frontend port of the specified range to the specified backend port of the new instance. This capability applies to all types of backend pools composed of Virtual Machines, Virtual Machines Scale Sets, or IP addresses across all Azure regions.

Five Azure classic networking services will be retired on 31 August 2024

Azure Cloud Services (classic) will be retired on 31 August 2024. Because classic Azure Virtual Network, reserved IP addresses, Azure ExpressRoute gateway, Azure Application Gateway, and Azure VPN Gateway are dependent on Azure Cloud Services (classic), they’ll be retired on the same date. Before that date, you’ll need to migrate any resources that use these classic networking services to the Azure Resource Manager deployment model.

Azure Stack

Azure Stack Edge

General Availability of Azure Stack Edge Pro 2

Microsoft has announced the general availability of its Azure Stack Edge Pro 2 solution, a new generation of an AI-enabled edge computing device offered as a service from Microsoft. The Azure Stack Edge Pro 2 offers the following benefits over its precursor, the Azure Stack Edge Pro series:

  • This series offers multiple models that closely align with your compute, storage, and memory needs. Depending on the model you choose, the compute acceleration could be via one or two Graphical Processing Units (GPU) on the device.
  • This series has flexible form factors with multiple mounting options. These devices can be rack mounted, mounted on a wall, or even placed on a shelf in your office.
  • These devices have low acoustic emissions and meet the requirements for noise levels in an office environment.

Azure Stack Hub

Azure Kubernetes Service on Azure Stack Hub (preview)

With Azure Stack Hub’s 2108 update, you can preview Azure Kubernetes Service on Azure Stack Hub. The same service that’s currently found in Azure is available in Azure Stack Hub. Manage Kubernetes clusters in the same way you currently do in Azure and utilize a familiar user experience, CLI, and API.

IoT Hub on Azure Stack Hub public preview will be retired on 30 September 2022

On 30 September 2022, the public preview version of IoT Hub on Azure Stack Hub will be retired. Before that date, we recommend you migrate to Azure IoT Edge gateway. Azure IoT Edge gateway is integrated with Azure IoT Hub running in Azure and provides an end-to-end IoT experience with comprehensive diagnostics capabilities. An Azure IoT Edge gateway can be deployed on an Azure Stack Hub Virtual Machine. Alternatively, you can host a VM on another physical hardware of your choice.

Azure Container Registry on Azure Stack Hub (preview)

With Azure Stack Hub’s 2108 update, you can preview Azure Container Registry on Azure Stack Hub. This service uses private container registries on Azure Stack Hub to store and retrieve OCI-compliant images to support both connected and disconnected scenarios for Azure Kubernetes Service (AKS), AKS engine, and other container orchestrator engines.

Azure IaaS and Azure Stack: announcements and updates (March 2022 – Weeks: 09 and 10)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure Stack

Azure Stack Edge

Azure Stack Edge Pro 2

Azure Stack Edge Pro 2 is a new generation of an AI-enabled edge computing device offered as a service from Microsoft. The Azure Stack Edge Pro 2 offers the following benefits over its precursor, the Azure Stack Edge Pro series:

  • This series offers multiple models that closely align with your compute, storage, and memory needs. Depending on the model you choose, the compute acceleration could be via one or two Graphical Processing Units (GPU) on the device.
  • This series has flexible form factors with multiple mounting options. These devices can be rack mounted, mounted on a wall, or even placed on a shelf in your office.
  • These devices have low acoustic emissions and meet the requirements for noise levels in an office environment.

The Pro 2 series is designed for deployment in edge locations such as retail, telecommunications, manufacturing, or even healthcare. Here are the various scenarios where Azure Stack Edge Pro 2 can be used for rapid Machine Learning (ML) inferencing at the edge and preprocessing data before sending it to Azure:

  • Inference with Azure Machine Learning: you can run ML models to get quick results that can be acted on before the data is sent to the cloud.

  • Preprocess data: transform data before sending it to Azure via compute options such as containerized workloads and Virtual Machines to create a more actionable dataset.

  • Transfer data over network to Azure: use this solution to easily and quickly transfer data to Azure to enable further compute and analytics or for archival purposes.

Azure IaaS and Azure Stack: announcements and updates (February 2022 – Weeks: 07 and 08)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Hotpatch for Windows Server virtual machines

You can patch and install updates to your Windows Server virtual machines on Azure without requiring a reboot using hotpatch. This capability is available exclusively as part of Azure Automanage for Windows Server for Windows Server Azure Edition core virtual machines, and comes with the following benefits:

  • Lower workload impact with less reboots
  • Faster deployment of updates as the packages are smaller, install faster, and have easier patch orchestration with Azure Update Manager
  • Better protection, as the Hotpatch update packages are scoped to Windows security updates that install faster without rebooting

Virtual Machine level disk bursting supports additional VM types

Virtual Machine level disk bursting supports M-series, Msv2-series Medium Memory, and Mdsv2-series Medium Memory VM families allowing your virtual machine to burst its disk IO and throughput performance for a short time, daily. This enables VMs to handle unforeseen spiky disk traffic smoothly and process batched jobs with speed. There is no additional cost associated with this new capability or adjustments on the VM pricing and it comes enabled by default.

Automatically delete a VM and its associated resources simultaneously

Automatically delete disks, NICs and Public IPs associated with a VM at the same time you delete the VM. With this feature, you can specify the associated resources that should be automatically deleted when you delete a VM. This will allow you to save time and simplify the VM management process.

Storage

Azure NetApp Files: new region and cross-region replication

Azure NetApp Files is now available in Australia Central 2. Additionally, cross-region replication has been enabled between Australia Central and Australia Central 2 region pair.

Azure NetApp Files: application consistent snapshot tool v5.1 (preview)

Application consistent snapshot tool (AzAcSnap) v5.1 is a command-line tool enables you to simplify data protection for third-party databases (SAP HANA) in Linux environments (for example, SUSE and RHEL).

The public preview of application consistent snapshot tool v5.1 supports the following new capabilities:

  • Oracle Database support
  • Backint Co-existence
  • RunBefore and RunAfter capability

These new features can be used with Azure NetApp Files, Azure BareMetal, and now, Azure Managed Disk.

Networking

Application Gateway mutual authentication

Azure Application Gateway is announcing general availability for transport layer security (TLS) mutual authentication. Mutual authentication allows for two-way TLS certificate-based authentication, which allows both client and server to verify each other’s identity. This release strengthens your zero trust networking posture and enables many connected devices, IoT, business to business, and API security scenarios.

You can upload multiple client certificate authority (CA) certificate chains on the Application Gateway to use for client authentication. You can also choose to enable frontend mutual authentication at a per-listener level on Application Gateway. Microsoft is also adding enhancements to server variables supported on Application Gateway to enable you to pass additional client certificate information to backend as HTTP headers.

With this release Microsoft is also extending support for listener specific TLS policies which allows you to configure predefined or custom TLS policies at a per listener granularity, instead of global TLS policies.

Azure Networking: security services for a Zero Trust approach

There are more and more companies that, in order to sustain the pace dictated by digital transformation and for other specific reasons, undertake a path of adopting cloud solutions and migrating their workloads to the cloud. To ensure that the resources in the cloud environment are secure, it is necessary to adopt a new security model that adapts more effectively to the complexity of the modern environment, contemplating hybrid environments and protecting applications and data no matter where they reside. This article describes some of the key Azure networking security services that help organizations adopt the Zero Trust model, an integrated and proactive approach to security to be applied on different fronts.

The Zero Trust framework developed by Microsoft is based on the following three principles to protect assets:

  • Verify explicitly. Always authenticate and authorize, taking into consideration different aspects such as: the user identity, location, the status of the device, the service or workload, data classification and anomalies.
  • Use least privileged access. Restrict user access through: “just-in-time” access (JIT) and “just-enough-access” (JEA), risk-based adaptive policies and data protection.
  • Assume breach. Minimize exposure and segment accesses by defining granular perimeters. Use end-to-end encryption and scan for: gain visibility, detect threats and improve defenses.

The Zero Trust approach assumes a violation and accepts the reality that bad guys can be anywhere. For this reason, this model recommends checking all access attempts, restrict user access (JIT and JEA) and strengthen asset protection. However, it is important to associate checks on network communications with all these practices, going to segmenting the network into smaller areas and then checking what traffic can flow between them. An approach where network firewalls are implemented exclusively on the perimeter networks, filtering traffic between trusted and untrusted zones becomes limiting for this model. Instead, it is recommended to filter the traffic also between internal networks, hosts and applications.

There are several networking related security services in Azure, described in the following paragraphs, that allow you to filter and control network communications in a granular way, thus supporting the Zero Trust model.

Network Security Group (NSG)

The Network Security Groups (NSG) are the main tool to monitor network traffic in Azure. Through the rules of deny and permit you can filter communications between different workloads on an Azure virtual network. Furthermore, you can apply filters on communications with systems that reside on-premises, connected to the Azure VNet, or for communications to and from Internet. Network Security Groups (NSG) can be applied on a specific subnet of a Azure VNet or directly on the individual network adapters of Azure virtual machines. NSGs may contain rules with Service Tags, that allow you to group with predefined categories of IP addresses, including those assigned to specific Azure services (ex. AzureMonitor, Appservice, Storage, etc.).

The rules of the Network Security Groups can also be referenced Application Security Groups (ASG). These are groups that contain network adapters of virtual machines on Azure. ASGs allow you to group multiple servers with mnemonic names, useful in particular for dynamic workloads. The Application Security Groups therefore allow you to no longer have to manage the IP addresses of Azure virtual machines in the NSG rules, as long as these IPs are related to VMs attested on the same VNet.

Although there is the option to enable firewall solutions at the guest OS level, Azure NSGs can guarantee protection even if the virtual machine in Azure is compromised. Indeed, an attacker who gains access to the virtual machine and elevates its privileges may be able to disable the firewall on the host. In NSG, being implemented outside the virtual machine, they provide strong guarantees against attacks on the firewalling system on board virtual machines.

Figure 1 - Graphical display of network traffic segregation via NSG

Azure Firewall

Azure Firewall is a network security service, managed and cloud-based, able to protect the resources attested on the Azure Virtual Networks and to centrally govern the related network flows. Furthermore, it has inherent features of high availability and scalability.

Azure Firewall Premium guarantees all the features present in the Azure Firewall Standard tier and in addition adds the following features typical of a next generation firewall.

Figure 2 - Overview of Azure Firewall Premium features

The best practices dictated by the Zero Trust model are to always encrypt data in transit to obtain end-to-end encryption. However, from an operational point of view, often there is a need for greater visibility to apply additional security services to unencrypted data. With the features of Azure Firewall Premium all this is possible. Indeed, the Premium version allows you to obtain an additional level of protection from security threats, through features such as TLS Inspection and IDPS that guarantee greater control of network traffic in order to intercept and block the spread of malware and viruses. For more details regarding the features of Azure Firewall Premium you can consult this article.

DDoS protection

The Zero Trust model aims to authenticate and authorize any component residing on the network. Nevertheless, any system capable of receiving network packets is vulnerable to DDoS attacks, even those that use a Zero Trust architecture. Consequently, It is imperative that any Zero Trust implementation also adopts a DDoS protection solution.

In Azure, DDoS protection is available in two different tiers: Basic oppure Standard.

The protection Basic is enabled by default in the Azure platform, which constantly monitors traffic and applies mitigations to the most common network attacks in real time. This tier provides the same level of protection adopted and tested by Microsoft's online services and is active for Azure Public IP addresses (Pv4 and IPv6). No configuration is required for the Basic tier.

Typology Azure DDoS Protection Standard provides additional mitigation features over the Basic tier, that are specifically optimized for resources located in Azure virtual networks. The protection policies are self-configured and are optimized by carrying out specific monitoring of network traffic and applying machine learning algorithms, that allow you to profile your application in the most appropriate and flexible way by studying the traffic generated. When the thresholds set in the DDoS policy are exceeded, the DDoS mitigation process is automatically started, which is suspended when it falls below the established traffic thresholds. These policies are applied to all Azure public IPs associated with the resources present in the virtual networks, come: virtual machines, Azure Load Balancer, Azure Application Gateway, Azure Firewall, VPN Gateway and Azure Service Fabric instances.

Azure Firewall Manager

The security model Zero Trust directs us to adopt an approach related to micro-segmentation and the definition of granular perimeters in its network architecture. To facilitate this approach, you can use Azure Firewall Manager, a tool that, providing a single centralized control panel, is able to simplify the configuration and management of network security policies, which often need to be deployed across multiple Azure Firewall instances. In addition to the management of Azure Firewall policies, Azure Firewall Manager allows you to associate a DDoS protection plan to virtual networks.

Furthermore, Azure Firewall Manager allows you to use SECaaS offerings (Security as a Service) third parties to protect users' Internet access.

Synergies and recommendations for the use of the various protection services

In order to obtain effective network protection, some recommendations are given that are recommended to be taken into consideration for the use of the various security components related to Azure networking:

  • Network Security Groups (NSG) and the Azure Firewall are complementary and using them together you get a high degree of defense. The NSGs are recommended to use them to filter traffic between resources residing within a VNet, while the Azure Firewall is useful for providing network and application protection between different Virtual Networks.
  • To increase the security of Azure PaaS services, it is recommended to use Private link, which can be used in conjunction with Azure Firewall to consolidate and centralize access logs.
  • In case you want to make a protected application publication (HTTP/S in inbound) it is advisable to use the Web Application Firewall present in Azure Application Delivery solutions, then placing it alongside Azure Firewall. Web Application Firewall (WAF), provides protection from common vulnerabilities and attacks, such as X-Site Scripting and SQL Injection attacks.
  • Azure Firewall can also be supported by third-party WAF / DDoS solutions.
  • In addition to Azure Firewall, it is possible to evaluate the adoption of Network Virtual Appliances (NVA's) provided by third-party vendors and available in the Azure marketplace.

All these protection services, suitably configured in a Hub-Spoke network topology allow you to perform a segregation of network traffic, achieving a high level of control and security.

Figure 3 - Example of a Hub-Spoke architecture with the various security services

Furthermore, providing for integration with Azure security services, such as Microsoft Defender for Cloud, Microsoft Sentinel and Azure Log Analytics, it is possible to further optimize the management of security postures and the protection of workloads.

Conclusions

The security model defined Zero trust by analysts at Forrester Research is now an imperative for the protection of their environments. Azure provides a wide range of services that allow you to achieve high levels of security, acting on different fronts to support this model. To face this process of adopting the Zero Trust model, a winning strategy in Azure networking can be obtained by applying a mix-and-match of the different network security services to have protection on multiple levels.

Azure IaaS and Azure Stack: announcements and updates (February 2022 – Weeks: 05 and 06)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Deployment enhancements for SQL Server on Azure Virtual Machines

A great update to our Azure Marketplace image with SQL is you can now configure the instance during deployment. Most companies have standards for their SQL instances and can now make configuration changes during deployment vs keeping the preconfigured image settings. Items like moving the system database to a data disk, configuring tempdb data and log files, configuring the amount of memory and more. During SQL VM deployment under SQL Server Settings, you have the options to change the defaults by clicking Change Configuration for storage or Change SQL Instance settings for customizing memory limits, collation, and ad hoc workloads.

Networking

New Azure Firewall capabilities

New Azure Firewall capabilities are available:

  • Azure Firewall network rule name logging: previously, the event of a network rule hit would show the source, destination IP/port, and the action, allow or deny. With the new functionality, the event logs for network rules will also contain the policy name, Rule Collection Group, Rule Collection, and the rule name hit.
  • Azure Firewall premium performance boost: this feature increases the maximum throughput of the Azure Firewall Premium by more than 300 percent (to 100Gbps).
  • Performance whitepaper: to provide customers with a better visibility into the expected performance of Azure Firewall, Microsoft is releasing the Azure Firewall Performance documentation.

Azure Bastion now supports file transfer via the native client (preview)

With the new Azure Bastion native client support in public preview and included in Standard SKU, you can now:

  • Use either SSH or RDP to upload files to a VM from your local computer.
  • Use RDP to download files from a VM to your local computer.

Custom virtual network support in Azure Container Apps (preview)

You can now create Azure Container Apps environments into new or existing virtual networks. This enables Container Apps to receive private IP addresses, maintain outbound internet connectivity, and communicate privately with other resources on the same virtual network.

Azure IaaS and Azure Stack: announcements and updates (January 2022 – Weeks: 03 and 04)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Storage

Azure NetApp Files: new features

New features are constantly added to Azure NetApp Files and previously released preview features are moved into general availability. The following capabilities have recently received general availability status and no longer need registration for use:

The following new features have been added in public preview :

Regional coverage continues to expand, and Azure NetApp Files is now generally available in:

  • East Asia
  • Switzerland North
  • Switzerland West
  • West US 3

Feature regional coverage continues to expand as well for cross-region replication, cross region replication region pair additions:

  • West US 3 <-> East US
  • Southeast Asia <-> East Asia
  • Switzerland North <-> Switzerland West
  • UsGov Virginia <-> UsGov Texas
  • UsGov Arizona <-> UsGov Texas
  • UsGov Virginia <-> UsGov Arizona

Azure IaaS and Azure Stack: announcements and updates (January 2022 – Weeks: 01 and 02)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Price reductions for Azure confidential computing

Microsoft is announcing a price reduction on the DCsv2 and DCsv3-series VMs by up to 33%. The price reduction enables the data protection benefits of ACC with no premium compared to general purpose VMs on a per physical core basis. New prices took effect on 1/1/2022. If you are already using DCsv2 and DCsv3-series VMs prior to 1/1/2022, you will see the price reduction in your next bill.

Storage

Azure Ultra Disk Storage is available in West US 3

Azure Ultra Disk Storage is now available in West US 3. Azure Ultra Disks offer high throughput, high IOPS, and consistent low latency disk storage for Azure virtual machines (VMs). Ultra Disks are suited for data-intensive workloads such as SAP HANA, top tier databases, and transaction-heavy workloads.

Networking

Multiple custom BGP APIPA addresses for active VPN gateways

All SKUs of active-active VPN gateways now support multiple custom BGP APIPA addresses for each instance. Automatic Private IP Addressing (APIPA) addresses are commonly used as the BGP IP addresses for VPN connectivity. In addition to many on-premises VPN devices requiring multiple custom APIPA addresses for BGP, this feature enables BGP connections to Amazon Web Services (AWS) and other cloud providers.

Load Balancer SKU upgrade through PowerShell script

You can now upgrade your Azure Load Balancer from Basic SKU to Standard SKU by using a PowerShell script. By upgrading to Standard SKU, the Load Balancer enables the network layer traffic to drive higher performance and stronger resiliency, along with an improved integration experience with other Azure services. The PowerShell script creates the Standard SKU Load Balancer with the same configurations as the Basic Load Balancer. In addition, the script migrates the backend resources to the Standard Load Balancer for you.

Azure Traffic Manager: additional IP addresses for endpoint monitoring service

Traffic Manager uses a probing mechanism to evaluate your application endpoints. To enhance the capacity of our probing plane, Microsoft will be increasing the number of probes deployed within Traffic Manager’s endpoint monitoring service over the next few years to continue to mitigate the large amount of growth. Your applications will see an increase in number of health probes and some of these probes may originate from new IP addresses. These changes will start to go live on 21st January 2022 at 20:00 UTC.

Recommended action: if you use a network access control mechanism (e.g., Azure Firewall or Network Security Groups) and are not using Service Tags (AzureTrafficManager), please continue checking this updated list of IP addresses each Wednesday, until further notice, to ensure you allow incoming traffic from these new IP addresses. Failure to do so may cause some Traffic Manager health probes for the application endpoints to fail and may result in misrouting of traffic. No action is required access control isn’t used or network access control is utilized with AzureTrafficManager service tags.