Category Archives: Azure Networking

Azure IaaS and Azure Stack: announcements and updates (May 2021 – Weeks: 19 and 20)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Storage

Zone redundant storage (ZRS) option for Azure managed disks (preview)

Zone redundant storage (ZRS) option for Azure managed disks is now available on Premium SSDs and Standard SSDs in public preview in: West Europe, North Europe, West US 2 and France Central regions. Disks with ZRS provide synchronous replication of data across the zones in a region, enabling disks to tolerate zonal failures which may occur due to natural disasters or hardware issues. Disks with ZRS maintain three consistent copies of the data in distinct Availability Zones in a region, making them tolerant to outages. They also allow you to maximize your virtual machine availability without the need for application-level replication of data across zones, which is not supported by many legacy applications such as old versions of SQL or industry-specific proprietary software. This means that, if a virtual machine becomes unavailable in an affected Zone, you can continue to work with the disk by mounting it to a virtual machine in a different zone. You can also use the ZRS option with shared disks to provide improved availability for clustered or distributed applications like SQL FCI, SAP ASCS/SCS or GFS2.

Lower pricing for provisioned throughput on Azure Ultra Disks

Microsoft is announcing a price reduction on provisioned throughput for Azure Ultra Disks by 65%. The new pricing is effective May 1st, 2021, and applies to all the regions where Ultra Disks are available. Azure Ultra Disks offer high throughput, high IOPS, and consistent low latency disk storage for Azure Virtual Machines (VMs).

Azure NetApp Files: Application Consistent Snapshot tool (AzAcSnap)

The Azure Application Consistent Snapshot tool (AzAcSnap) is a command-line tool enables you to simplify data protection for third-party databases (SAP HANA) in Linux environments (for example, SUSE and RHEL). Since the January 2021 preview announcement, AzAcSnap has seen wide adoption among enterprise customers for fast backup of Azure NetApp Files volumes including multi-TB databases and scale-out scenarios for SAP HANA. Now it is available.

Azure File Sync agent v12.1

The v12.0 agent release had two bugs which are fixed in this release:

  • Agent auto-update fails to update the agent to a later version.
  • FileSyncErrorsReport.ps1 script does not provide the list of per-item errors.

If agent version 12.0 is installed on your servers, you will need to update to v12.1 using Microsoft Update or Microsoft Update Catalog (see installation instructions in KB4588751).

More information about this release:

  • This update is available for Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019 installations.
  • The agent version for this release is 12.1.0.0.
  • A restart may be required if files are in use during the installation.
  • Installation instructions are documented in KB4588751.

Networking

Virtual Network peering support for Azure Bastion

Azure Bastion and VNet peering can be used together. When VNet peering is configured, you don’t have to deploy Azure Bastion in each peered VNet. This means if you have an Azure Bastion host configured in one virtual network (VNet), it can be used to connect to VMs deployed in a peered VNet without deploying an additional Bastion host.

Azure VPN Client for macOS (preview)

Azure VPN Client for macOS, with support for native Azure AD, certificate-based, and RADIUS authentication for OpenVPN protocol is in public preview. Native Azure AD authentication support is highly desired by organizations as it enables user-based policies, conditional access, and multi-factor authentication (MFA) for P2S VPN. Native Azure AD authentication requires both Azure VPN gateway integration and the Azure VPN Client to obtain and validate Azure AD tokens. With the Azure VPN Client for macOS, customers can use user-based policies, Conditional Access, as well as Multi-factor Authentication (MFA) for their Mac devices.

Application Gateway Mutual Authentication (preview)

Azure Application Gateway now supports the ability to perform frontend mutual authentication. In addition to the client authenticating Application Gateway in a request, Application Gateway can now also authenticate the client. You can upload multiple client Certificate Authority (CA) certificate chains for Application Gateway to use for client authentication. Additionally, Application Gateway also allows you to configure listener specific SSL policies. You can choose to enable mutual authentication at a per listener level on your gateway, as well as choose to pass client authentication information to the backends through server variables. This feature enables scenarios where Application Gateway needs to authenticate the client in addition to the client authenticating Application Gateway.

Azure ExpressRoute: 5 New Peering Locations Available

New peering locations are now available for ExpressRoute:

  • Bogota
  • Madrid
  • Sao Paulo
  • Rio de Janeiro
  • Toronto2

With this announcement, ExpressRoute is now available across 75 global commercial Azure peering locations.

Secure network architecture design for Azure Kubernetes Service (AKS)

The trend in adopting applications based on microservices requires the use of state-of-the-art solutions capable of managing a large number of containers and the ways in which these interact in application with each other, as Azure Kubernetes Service (AKS). As part of the design of Azure Kubernetes Service architectures (AKS) there are several elements that need to be evaluated to obtain an appropriate network topology that can ensure maximum efficiency and security. This article outlines the main points to consider, accompanied by some proposals, to make informed choices when designing network architectures for AKS.

What is Azure Kubernetes Service (AKS)?

Azure Kubernetes Service (AKS) is the fully managed Azure service that allows the activation of a Kubernetes cluster, ideal for simplifying the deployment and management of microservices-based architectures. Thanks to the features offered by AKS it is possible to scale automatically according to the use, use controls to ensure the integrity of the services, implement load balancing policies and manage secrets. In microservices-based architectures, it is also common to adopt the Azure Container Registry that allows you to create, store and manage container images and artifacts in a private registry. The use of this managed service is integrated with the container development and deployment pipelines.

Figure 1 - Azure Kubernetes Service architecture example (AKS)

The network topology

In the network architecture of type Hub and Spoke, theHub is a virtual network on Azure that serves as the point of connectivity to the on-premises network. This connectivity can be done through VPN Site to site or through ExpressRoute. TheSpoke are virtual networks running the peering with the Hub and can be used to isolate workloads.

Figure 2 - Hub and Spoke network topology

This network topology is also recommended for AKS architectures as it can offer several advantages, including:

  • Environmental segregation to more easily enforce governance policies and gain greater control. This topology also supports the concept of "landing zones" by contemplating the separation of duties.
  • Minimizing the direct exposure of Azure resources to the public network (Internet).
  • Possibility of contemplating workloads attested on different Azure subscriptions, becoming a natural choice in these scenarios.
  • Ability to easily extend the architecture to accommodate new features or new workloads, simply by adding additional spoke virtual networks.
  • Ability to centralize Azure services shared by multiple workloads in a single location (attested on different VNet), such as DNS servers and any virtual network appliances. It also reduces the VPN Gateways to provide connectivity to the on-premises environment, resulting in savings on Azure costs and simplification of the architecture.

Figure 3 - Hub and Spoke network topology for AKS

Hub Virtual Network

In the Hub network it is possible to evaluate the adoption of the following services:

  • VPN or ExpressRoute Gateway: necessary to provide connectivity to the on-premises environment.
  • Firewall Solutions, necessary in case you want to control the traffic from your AKS environment, as pods or cluster nodes, outgoing to external services. In this context, the choice can fall between:
    • Azure Firewall, the firewall-as-a-service solution (FWaaS) which allows to secure the resources present in the Virtual Networks and to govern the related network flows.
    • Network Virtual Appliances (NVA's) provided by third party vendors. Such solutions are numerous and can offer advanced functionality, but typically the configuration of these solutions is more complex and the cost tends to be higher than the solution provided by the Azure platform. A comparison between the new Azure Firewall and third-party virtual appliances can be found in this article.
  • Azure Bastion, the PaaS service that offers secure and reliable RDP and SSH access to virtual machines, directly through the Azure portal.

Spoke Virtual Network

The AKS cluster is placed in the Spoke network together with other resources closely related to its operation. Spoke VNet is split into different subnets to accommodate the following components:

  • The two groups of nodes (node pools) in AKS:
    • AKS System Node pool: the pool of system nodes that host the pods needed to run the core services of the cluster.
    • AKS User Node pool: the pool of user nodes that run the application workloads and the ingress controller.

For multi-tenant application environments or for workloads with advanced needs, it may be necessary to implement isolation mechanisms of node pools that require the presence of different subnets.

  • AKS Internal Load Balancer: the balancer to route and distribute inbound traffic for Kubernetes resources. In this case the component is used Azure Load Balancer, which enables Layer-4 load balancing for all TCP and UDP protocols, ensuring high performance and very low latencies.
  • Azure Application Gateway: it is a service managed by the azure platform, with inherent features of high availability and scalability. The Application Gateway is a application load balancer (OSI layer 7) for web traffic, that allows you to govern HTTP and HTTPS applications traffic (URL path, host based, round robin, session affinity, redirection). The Application Gateway is able to centrally manage certificates for application publishing, using SSL and SSL offload policy when necessary. The Application Gateway may have assigned a private IP address or a public IP address, if the application must be republished in Internet. In particular in the latter case, it is recommended to turn onWeb Application Firewall (WAF), that provides application protection, based on rulesOWASP core rule sets. The WAF protects the application from vulnerabilities and against common attacks, such as X-Site Scripting and SQL Injection attacks.

Thanks to the adoption of Azure Private Link you can bring Azure services to a virtual network and map them with a private endpoint. In this way, all traffic is routed through the private endpoint, keeping it on the Microsoft global network. The data does not pass ever on the Internet, this reduces exposure to threats and helps to meet the compliance standards.

Figure 4 - Overview of Azure Private Link

In AKS environments theAzure Private Link they are usually created in the Spoke virtual network subnets for Azure Container Registry and Azure KeyVault.

Below is a diagram with the incoming and outgoing network flows for an AKS environment, which also includes the presence of Azure Firewall to control outgoing traffic.

Figure 5 - Example of network flows in a typical AKS architecture

Management traffic

In order to allow the management of the environment, such as creating new resources or carrying out activities to scale the cluster environment, it is advisable to provide access to the Kubernetes API. Good practice is apply network filters to authorize this access in a timely manner.

Private AKS cluster

In case you want to implement a totally private AKS environment, where no Internet service is exposed, it is possible to adopt a AKS cluster in "private" mode.

Conclusions

The increasing demand for microservices-based application architectures that useAzure Kubernetes Service (AKS) requires you to locate and build network architectures designed to be secure, flexible and with a high level of integration. All this must take place through a modern approach able to fully exploit the potential offered in the field of networking by Azure.

Azure IaaS and Azure Stack: announcements and updates (May 2021 – Weeks: 17 and 18)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Azure Hybrid Benefit for Linux with RI and VMSS Support

Azure Hybrid Benefit is available for Linux, extending the ability to easily migrate RHEL and SLES servers to Azure beyond existing pay-as-you-go instances to include support for Azure Reserved Instance (RI) and virtual machine scale set (VMSS).

While previous Bring-Your-Own-Subscription cloud migration options available to Red Hat and SUSE customers allowed them to use their pre-existing RHEL and SLES subscriptions in the cloud, Azure Hybrid Benefit for Linux improves upon this with several capabilities unique to Azure making enterprise Linux cloud migration even easier than before:

  • Applies to all Red Hat Enterprise Linux and SUSE Linux Enterprise Server pay-as-you-go images available in the Azure Marketplace or Azure Portal. No need to provide your own image.
  • Save time with seamless post-deployment conversions—production redeployment is unnecessary. Simply convert the pay-as-you-go images used during your proof-of-concept testing to bring-your-own-subscription billing.
  • Lower ongoing operational costs with automatic image maintenance, updates, and patches: Microsoft maintains the converted RHEL and SLES images for you.
  • Enjoy the convenience of unified user interface integration with the Azure CLI, providing the same UI as other Azure virtual machines, as well as scalable batch conversions.
  • Get co-located technical support from Azure, Red Hat, and SUSE with just one ticket.
  • Combine with recently announced Red Hat and SUSE support for Azure shared disks to lift-and-shift failover clusters and parallel file systems, like Global File System.
  • Fully compatible with Azure Arc, providing end-to-end hybrid cloud operations management for Windows, RHEL, and SLES servers in one solution.

New Azure VMs for general purpose and memory intensive workloads (preview)

The new Dv5, Dsv5, Ddv5, Ddsv5, and Ev5, Edv5 series Azure Virtual Machines, now in preview, are based on the 3rd Generation Intel® Xeon® Platinum 8370C (Ice Lake) processor in a hyper-threaded configuration. This custom processor can reach an all-core Turbo clock speed of up to 3.5GHz and features Intel® Turbo Boost Technology 2.0, Intel® Advanced Vector Extensions 512 (Intel® AVX-512) and Intel® Deep Learning Boost. These new offerings deliver a better value proposition for general-purpose, and memory intensive workloads compared to the prior generation (e.g., increased scalability and an upgraded CPU class) including better price to performance.

The Dv5, Dsv5, Ddv5, Ddsv5 VM sizes offer a combination of vCPUs and memory able to meet the requirements associated with most general-purpose workloads and can scale up to 96 vCPUs. The Ddv5 and Ddsv5 VM sizes feature high performance, large local SSD storage (up to 2,400 GiB). The Dv5 and Dsv5 VM series offer a lower price of entry since they do not feature any local temporary storage. If you require temporary storage select the latest Ddv5 or Ddsv5 Azure virtual machines, which are also in Preview.

The Ev5 and Edv5 VM sizes feature up to 672 GiB of RAM and are ideal for memory-intensive enterprise applications. You can attach Standard SSDs and Standard HDDs disk storage to these VMs. If you prefer to use Premium SSD or Ultra Disk storage, please select the Esv5 and Edsv5 VM series, which will be in preview in the near future. The Ev5 and Esv5 VMs offer a lower price of entry since they do not feature any local temporary storage. If you require temporary storage select the latest Edv5 VM series which are also in preview, or the Edsv5 VM series, which will be in preview in the near future.

New NPv1 virtual machines

NPv1 series virtual machines are a new addition to the Azure product offering. These instances are powered by Xilinx Alveo U250 FPGAS. These highly-programmable accelerators benefit a variety of computationally intensive workloads such as genomics, image-processing, security, data analysis and more. The NP series offering is based upon the commercially available U250 from Xilinx and uses a standard shell easing the difficulties of migrating existing FPGA workloads & solutions to the cloud. New Xilinx Alveo U250 FPGA NPv1 VMs are now generally available in West US 2, East US, West Europe, and Southeast Asia.

Microsoft acquires Kinvolk to accelerate container-optimized innovation

Microsoft is excited to bring the expertise of the Kinvolk team to Azure and having them become key contributors to the engineering development of Azure Kubernetes Service (AKS), Azure Arc, and future projects that will expand Azure’s hybrid container platform capabilities and increase Microsoft’s upstream open source contributions in the Kubernetes and container space. Microsoft is also committed to maintaining and building upon Kinvolk’s open source culture. The Kinvolk team will continue to remain active in their existing open source projects and will be essential to driving further collaboration between Azure engineering teams and the larger open source container community.

Storage

Azure Blob storage: NFS 3.0 protocol support public preview now expands to all regions

Azure Blob storage is the only public cloud storage platform that supports NFS 3.0 protocol over object storage natively (no gateway or data copying required), with object storage economics. This new level of support is optimized for high-throughput, read-heavy workloads where data will be ingested once and minimally modified further, such as large-scale analytic data, backup and archive, media processing, genomic sequencing, and line-of-business applications. Azure Blob Storage NFS 3.0 preview supports general purpose v2 (GPV2) storage accounts with standard tier performance in all publicly available regions. Further, Microsoft is enabling a set of Azure blob storage features in premium blockblob accounts with NFS 3.0 feature enabled such as blob service REST API and lifecycle management.

Attribute-based Access Control (ABAC) in preview

Attribute-based access control (ABAC) is an authorization strategy that defines access levels based on attributes associated with security principals, resources, requests, and the environment. Azure ABAC builds on role-based access control (RBAC) by adding conditions to Azure role assignments in the existing identity and access management (IAM) system. This preview includes support for role assignment conditions on Blobs and ADLS Gen2, and enables you to author conditions based on resource and request attributes.

Prevent Shared Key authorization for an Azure Storage account

Every secure request to an Azure Storage account must be authorized. By default, requests can be authorized with either Azure Active Directory (Azure AD) credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Azure AD provides superior security and ease of use over Shared Key and is recommended by Microsoft. To require clients to use Azure AD to authorize requests, you can disallow requests to the storage account that are authorized with Shared Key. Microsoft is announcing the general availability of the ability to disable Shared Key authorization for Azure Storage.

Append blob support in Azure Data Lake Storage

Append blobs provide a simple and effective way of adding new content to the end of a file or blob when the existing content does not need to be modified. This makes append blobs great for applications such as logging that need to add information to existing files efficiently and continuously. Until now, only block blobs were supported in Azure Data Lake Storage accounts. Applications can now also create append blobs in these accounts and write to them using Append Block operations. These append blobs can be read using existing Blob APIs and Azure Data Lake Storage APIs.

Networking

Multiple features for Azure VPN Gateway

The following features for Azure VPN Gateway are general available:

  • Multiple authentication types for point-to-site VPN – You can now enable multiple authentication types on a single gateway for OpenVPN tunnel type. Azure AD, certificate-based and RADIUS can all be enabled on a single gateway.
  • BGP diagnostics – You can now see the Border Gateway Protocol session status, route advertised and routes learnt by the VPN Gateway.
  • VPN packet capture in Azure portal – Support for packet capture on the VPN Gateway is now availbe in the Azure portal.
  • VPN connection management – With new enhancements in VPN connection management capabilities, you can now reset an individual connection instead of resseting the whole gateway. You can also set the Internet Key Exchange (IKE) mode of the gateway to responder-only, initiator-only or both and view the Security Association (SA) of a connection.

Azure IaaS and Azure Stack: announcements and updates (April 2021 – Weeks: 15 and 16)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

New M-series Msv2/Mdsv2 Medium Memory VMs for memory-optimized workloads

Azure Msv2/Mdsv2 Medium Memory Series offering up to 192vCPU and 4TB memory configurations and running on Cascade Lake processor are now generally available. Msv2/Mdsv2 medium memory VM sizes providing a 20% increase in CPU performance, increased flexibility with local disks, and a new intermediate scale up-option. These virtual machines provide unparalleled computational performance to support large in-memory databases and workloads such as SAP HANA and SQL Hekaton.

Azure Virtual Machines DCsv2-series in Azure Government (public preview)

Azure Government customers can build secure, enclave-based applications to protect code and data while it’s in use, in a dedicated cloud that meets stringent government security and compliance requirements. Confidential computing DCsv2-series virtual machines are now in preview for Azure Government customers (federal, state, local governments, and their partners) in US Government Virginia and Arizona regions. These VMs are backed by Intel XEON E-2288G processors with Intel Software Guard Extensions (SGX) technology.

Microsoft announces plans to establish first datacenter region in Malaysia

The new datacenter region is part of the “Bersama Malaysia” initiative to support inclusive economic growth in Malaysia.

Storage

Azure Blob storage supports objects up to 200 TB in size

Workloads that utilize larger file sizes such as backups, media, and seismic analysis can now utilize Azure Blob storage and ADLS Gen2 without breaking these large files into separate blobs. Each blob is made up of up to 50,000 blocks. Each block can now be 4GB in size for a total of 200 TB per blob or ADLS Gen2 file.

Lustre HSM tools to import from or export to Azure Storage

Lustre HSM (Hierarchical Storage Management) provides the capability to associate a Lustre file system with an external storage system and migrate file data between them.

Now available are the File System Hydrator and Copy Tool, which enables integrating a Lustre file system with an Azure storage account:

  • The File System Hydrator is used to import a file system namespace from an Azure storage account into a Lustre file system with the imported files left in the ‘released’/’exist’ state.
  • The Copy Tool is used to hydrate the content of the files in the storage account into the Lustre file system on-demand. The copy tool can also be used to archive content of files back into the storage account, including changed or added files.

Networking

Application Gateway URL Rewrite

Azure Application Gateway now supports the ability to rewrite host name, path and query string of the request URL. In addition to header rewrites, you can now also rewrite URL of all or some of the client requests based on matching one or more conditions as required. You can choose to route the request based on the original URL or the rewritten URL. This feature enables several important scenarios such as allowing path based routing for query string values and support for hosting friendly URLs.

Azure IaaS and Azure Stack: announcements and updates (April 2021 – Weeks: 13 and 14)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Virtual machine (VM) level disk bursting available on all Dsv3 and Esv3 families

Virtual machine level disk bursting allows your virtual machine to burst its disk IO and MiB/s throughput performance for a short time daily. This feature is now enabled on all our Dsv3-series and Esv3-series virtual machines, with more virtual machine types and families support soon to come. There is no additional cost associated with this new capability or adjustments on the VM pricing and it comes enabled by default.

Cloud Services (extended support) is generally available

Cloud Services (extended support), which is a new Azure Resource Manager (ARM)-based deployment model for Azure Cloud Services, is generally available. Cloud Services (extended support) has the primary benefit of providing regional resiliency along with feature parity with Azure Cloud Services deployed using Azure Service Manager (ASM). It also offers some ARM capabilities such as role-based access and control (RBAC), tags, policy, private link support, and use of deployment templates. The ASM-based deployment model for Cloud Services has been renamed Cloud Services (classic). Customers retain the ability to build and rapidly deploy web and cloud applications and services. Customers will be able to scale cloud services infrastructure based on current demand and ensure that the performance of applications can keep up while simultaneously reducing costs. The platform-supported tool for migrating existing cloud services to Cloud Services (extended support) also goes into preview. Migrating to ARM will allow customers to set up a robust infrastructure platform for their applications. 

Storage

Azure File Sync agent v12 

Improvements and issues that are fixed in the v12 release:

  • New portal experience to configure network access policy and private endpoint connections
    • You can now use the portal to disable access to the Storage Sync Service public endpoint and to approve, reject and remove private endpoint connections. To configure the network access policy and private endpoint connections, open the Storage Sync Service portal, go to the Settings section and click Network.
  • Cloud Tiering support for volume cluster sizes larger than 64KiB
  • Measure bandwidth and latency to Azure File Sync service and storage account
    • The Test-StorageSyncNetworkConnectivity cmdlet can now be used to measure latency and bandwidth to the Azure File Sync service and storage account. Latency to the Azure File Sync service and storage account is measured by default when running the cmdlet. Upload and download bandwidth to the storage account is measured when using the “-MeasureBandwidth” parameter. To learn more, see the release notes.
  • Improved error messages in the portal when server endpoint creation fails
    • We heard your feedback and have improved the error messages and guidance when server endpoint creation fails.
  • Miscellaneous performance and reliability improvements
    • Improved change detection performance to detect files that have changed in the Azure file share.
    • Performance improvements for reconciliation sync sessions.
    • Sync improvements to reduce ECS_E_SYNC_METADATA_KNOWLEDGE_SOFT_LIMIT_REACHED and ECS_E_SYNC_METADATA_KNOWLEDGE_LIMIT_REACHED errors.
    • Files may fail to tier on Server 2019 if Data Deduplication is enabled on the volume.
    • AFSDiag fails to compress files if a file is larger than 2GiB.

To obtain and install this update, configure your Azure File Sync agent to automatically update when a new version becomes available or manually download the update from the Microsoft Update Catalog.

More information about this release:

  • This release is available for Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019 installations.
  • A restart is required for servers that have an existing Azure File Sync agent installation.
  • The agent version for this release is 12.0.0.0.
  • Installation instructions are documented in KB4568585.

Encryption scopes in Azure Storage

Encryption scopes introduce the option to provision multiple encryption keys in a storage account for blobs. Previously, customers using a single storage account for multi-tenancy scenarios were limited to using a single account-scoped encryption key for all the data in the account. With encryption scopes, you now can provision multiple encryption keys and choose to apply the encryption scope either at the container level (as the default scope for blobs in that container) or at the blob level. 

Azure Data Explorer external tables

An external table is a schema entity that references data stored outside the Azure Data Explorer database. Azure Data Explorer Web UI can create external tables by taking sample files from a storage container and creating schema based on these samples. You can then analyze and query data in external tables without ingestion into Azure Data Explorer.

Azure Networking: comparison between the new Azure Firewall and third-party virtual appliances

Securing network architectures is an aspect of fundamental importance even when adopting the public cloud and becoming mandatory to adopt a firewall solution to better protect and segregate network flows. The availability of Azure Firewall Premium was recently announced, Microsoft's next generation firewall with interesting features that can be useful in highly security-sensitive environments and that require a high level of regulation. This article reports the characteristics of this new solution and a comparison is made with the Network Virtual Appliances (NVA's) of third-party vendors, to evaluate the choice of an appropriate "Firewall Strategy".

New features in Azure Firewall Premium

Azure Firewall is the firewall-as-a-service solution (FWaaS) present in Microsoft's public cloud, which allows you to secure the resources present in the Azure Virtual Networks and to govern the related network flows.

Figure 1 – Azure Firewall Premium Overview

Azure Firewall Premium uses Firewall Policy, a global resource that is used to centrally manage firewalls by using Azure Firewall Manager. All new features can only be configured through Firewall Policy.

The following chapters describe the new features introduced in Azure Firewall Premium.

TLS inspection

The standard security technology that allows you to establish an encrypted connection between a client and a server is the Transport Layer Security (TLS), formerly known as Secure Sockets Layer (SSL). This standard ensures that all data passing between clients and the server remains private and encrypted. Azure Firewall Premium is able to intercept and inspect TLS connections. To do this, a complete decryption of network communications is performed, the necessary security checks are performed and the traffic to be sent to the destination is re-encrypted.

The Azure Firewall Premium TLS Inspection solution is ideal for the following use cases:

  • Outbound TLS termination.

Figure 2 – Azure Firewall TLS Inspection for Outbound Traffic

  • TLS termination between spoke virtual networks (east-west).
  • Inbound TLS termination with Application Gateway. Azure Firewall communication flows can be deployed behind an Application Gateway. By adopting this configuration, incoming Web traffic passes both through the WAF of the Application Gateway and through the Azure Firewall. WAF provides Web application-level security, while Azure Firewall acts as a central control and logging point to inspect traffic between the Application Gateway and back-end servers. The Azure Firewall can in fact de-encrypt the traffic received from the Application Gateway for further inspection and encrypt it again before forwarding it to the destination Web server. For more details on this use case you can consult this Microsoft's document.

Figure 3 – Implementation of the Application Gateway before Azure Firewall

To enable TLS Inspection in Azure Firewall Premium it is advisable to use a certificate present in an Azure Key Vault. Azure Firewall is accessed to the key vault to retrieve certificates using a managed identity. For more information about using certificates, for this Azure Firewall Premium feature, you can see the Microsoft's official documentation.

These use cases allow customers to adopt a zero trust model and implement end-to-end network segmentation.

IDPS

An Intrusion Detection and Prevention System (IDPS) allows you to monitor network activities to detect malicious activities, record information about these activities, report them and, optionally, try to block them. Azure Firewall Premium provides signature-based IDPS and is able to enable attack detection by searching for specific patterns, as sequences of bytes in network traffic or known malicious instruction sequences used by malware. IDPS signatures are automatically managed and continuously updated.

This capability works for all ports and protocols, but despite some detections they can also run with encrypted traffic, enabling TLS Inspection is important to make the best use of the IDPS.

Figure 4 – IDPS mode

Filtering URL

URL filtering allows you to filter outbound access to specific URLs, and not just for certain FQDNs. In fact, the Azure Firewall FQDN filtering capability is extended to consider an entire URL. For example,, www.microsoft.com/a/b instead of just www.microsoft.com. This feature is also effective for encrypted traffic if TLS Inspection is enabled.

Filtering URL can also be used in conjunction with Web categorization to extend a particular category by explicitly adding multiple URLs, or to allow/deny access to URLs within your organization's intranet.

Figure 5 – URL filtering in application rules

Web categorization

Web categorization in Azure Firewall policies allows you to allow or deny users access to the Internet based on specific categories, for example, social networks, search engines, gambling, etc.

This feature can be used as a target type in the application rules in both Standard and Premium Azure Firewall SKUs. The main difference is that the Premium SKU allows you to achieve a higher level of optimization, classifying traffic by full URL, using the functionality of TLS Inspection, while the standard SKU classifies traffic only by FQDN. This feature allows you to have visibility and control in the use of an organization's Internet traffic and is ideal for controlling Internet browsing for Windows Virtual Desktop clients.

Figure 6 – Web categorization in an access rule

Azure Firewall Premium vs Network Virtual Appliances (NVA's) of third party

The Network Virtual Appliances (NVA's) provided by third-party vendors and available in the Azure marketplace are numerous and can offer advanced features. Typically the configuration of these solutions is more articulated and the cost tends to be higher than the solutions provided by the Azure platform.

The gap between Azure Firewall features, thanks to Premium features, and the third party NVAs is now greatly reduced.

There is a high-level comparison between Azure Firewall Premium and NVAs:

Figure 7 – Azure Firewall Premium vs NVAs Feature Comparison

The Azure Firewall feature set is therefore suitable for most customers and provides some key benefits being a cloud-native managed service, for example:

  • Integration with DevOps templates and other Azure artifacts (ex. Tags, diagnostic settings).
  • High availability is integrated into the service and no specific configurations or additional components are required to make it effective. This is definitely an element that distinguishes it compared to third-party solutions that, for the configuration of Network Virtual Appliance (NVA) in HA, typically require the configuration of additional load balancers.
  • Azure Firewall allows you to scale easily to adapt to any change of network streams.
  • No maintenance activity required.
  • Significant TCO savings for most customers. In fact,, for NVAs it is appropriate to consider:
    • Computational costs (at least two virtual machines for HA)
    • Licensing costs
    • Costs for standard load balancers (interior and exterior)
    • Maintenance costs
    • Support costs

However, it is appropriate to specify that for some customers, third-party solutions are more suitable as they allow for continuity in the user experience compared to solutions already active in the on-premises environment.

Conclusions

With the release of the Premium SKU Azure Firewall becomes a next generation firewall fully integrated into the Azure fabric, that provides very interesting features, to the point of making it the ideal choice for customers with advanced control and security needs of their Azure networking.

How to monitor, diagnose problems and gain insights into networking with Azure tools

Network architectures in the public cloud have peculiarities and introduce concepts that substantially differentiate them from traditional ones in the on-premises environment. However, one aspect that unites them is certainly the need to monitor them, constantly checking performance and health status. To do all this effectively, contemplating the intrinsic particularities of the public cloud and hybrid network architectures, it is advisable to have effective tools. This article reports the characteristics of the platform service Azure Network Watcher, that provides a suite of tools to monitor, diagnose and view network resource metrics and logs.

Network Watcher is designed to monitor and check network infrastructure health, even in hybrid environments, specifically for IaaS components (Infrastructure-as-a-Service) attested on Azure virtual networks. Network Watcher does not provide tools to monitor the PaaS infrastructure (Platform-as-a-Service) or to carry out the analysis of web components.

Network Watcher is a regional service, zone-resilient and fully managed. The enabling of the component now occurs by default for each Azure subscription that contains virtual networks. Network Watcher resources are placed by default in the resource group, hidden and created automatically, called NetworkWatcherRG.

The tools included in Azure Network Watcher can be divided into three categories based on the features offered: Monitoring, Diagnostics and Logging

Monitoring tools

Topology view

In particularly complex network architectures it may be useful to identify which resources are attested on a specific virtual network and how they relate to each other. With this tool, you can view directly in the Azure portal a visual diagram of the components on a specific virtual network and the relationships between the various resources.

Figure 1 – Example of a Topology view

Connection Monitor

Connection Monitor was recently revised and in version 2.0 allows you to monitor end-to-end connections both in Azure environments and in the presence of hybrid network architectures.

Among the main strengths of this new solution we find:

  • Unified and intuitive monitor experience for both fully Azure-based environments and hybrid environments.
  • Connectivity monitor, also cross-region, and verify network latencies to endpoints.
  • High probing frequencies that allow to obtain greater visibility on network performance.
  • More immediate alerts to report abnormal conditions in the presence of hybrid network architectures.
  • Ability to perform connectivity checks based on protocols HTTP , TCP, and ICMP.
  • Support for saving data to Azure Monitor metrics and Log Analytics workspaces.

Figure 2 – Connection Monitor Tool Overview

To make Connection Monitor able to recognize Azure VMs as sources for monitor activities, Network Watcher Agent virtual machine extension must be installed on them.

Network Performance Monitor

Network Performance Monitor is now an integral part of Connection Monitor and therefore included in Azure Network Watcher. The solution requires the presence of the Azure Monitor agent and, thanks to the use of synthetic transactions, provides the ability to monitor network parameters in hybrid network architectures, to get performance information, like packet loss and latency. Furthermore, this solution makes it easy to locate the source of a problem in a specific network segment or by identifying a particular device. The solution, tracking retransmission packets and roundtrip time, is able to return a graph of easy and immediate interpretation. Furthermore, allows you to check the performance between the on-premises and Azure environment, even if you have expressroute connectivity.

Diagnostic Tools

IP Flow Verify

Under certain circumstances, it can happen that a virtual machine is unable to communicate with other resources, because of the security rules present. This feature allows you to specify a source and destination IPv4 address, a port, a protocol (TCP or UDP) and the direction of traffic (inbound or outbound). IP Flow Verify verifies the communication and informs if the connection is successful or not. If the connection fails, is indicated which security rule denied the communication, so you can solve the problem.

Next Hop

This tool helps to verify network traffic routes and allows you to detect any routing problems. The Next Hop functionality allows you to specify a source and destination IPv4 address and to verify their communication.

Connection Troubleshoot

This tool allows you to check connectivity and latency between a virtual machine and another network resource on a one-time basis, which can be another virtual machine, an FQDN, a URI or IPv4 address. The test returns information similar to that returned when using Connection Monitor, but the connection check happens at a certain time, instead of making a monitor over time as is the case with Connection Monitor.

Packet Capture

With this tool, you can versatilely capture network traffic on an Azure virtual machine, applying any advanced filtering options and setting time and size limits. Capture can be stored in Azure Storage, on the VM disk or in both locations. Captured network traffic can then be analyzed with several standard analysis tools, such as Wireshark.

VPN Troubleshoot

This tool performs various diagnostic checks on VPN gateways and their connections, useful for solving problems.

The Packet Capture and Connection Troubleshoot features require the presence of the extension Network Watcher on the VMs, as reported for Connection Monitor.

Logging tools

NSG Flow Logs

In Azure to allow or deny network communication to the resources connected with Azure Virtual Networks (VNet) it uses the Network Security Group (NSG), containing a list of access rules. NSGs are usually applied to subnets (recommended) or directly to the network interfaces connected to the virtual machines. Azure platform uses NSG flow logs to maintain visibility of network traffic in and out of Network Security Groups.

Traffic Analytics

Traffic Analytics is based on the analysis of NSG flow logs and after an appropriate aggregation of data, inserting the necessary intelligence concerning security, topology and geographic map, can provide detailed information about the network traffic of your Azure cloud environment.

Figure 3 – Data flow of Traffic Analytics

Using Traffic Analytics you can do the following:

  • View network activities cross Azure subscriptions and identify hotspots.
  • Intercept potential network security threats, in order to take the right remedial actions. This is made possible thanks to the information provided by the solution: which ports are open, what applications attempt to access to Internet and which virtual machines connect to unauthorized networks.
  • Understand network flows between different Azure regions and Internet, in order to optimize their deployment for network performance and capacity.
  • Identify incorrect network configurations that lead to having incorrect communication attempts.

Figure 4 – Virtual Network in Traffic Analytics

The cost of Network Watcher is detailed in the Microsoft's official page and it depends on the use that is made of the various tools included in the solution.

Conclusions

As the complexity of Azure network architectures increases and in hybrid environments, it is useful to have particularly effective and easy-to-use tools to be able to carry out the monitor. Azure provides several tools integrated into the platform that in addition to the monitor allow you to diagnose problems of different kinds and obtain an overall visibility of your network resources in a simple and intuitive way.

Azure Application delivery: which load balancing service to choose?

The transition to cloud solutions to deliver applications is a trend that is proceeding at a very fast pace and ensuring an access fast, secure and reliable to such applications is a challenging task that must be directed by adopting the right solutions. Microsoft Azure provides a wide range of services to ensure optimal application delivery, but in assessing which load-balancing solution to adopt there are several aspects to consider. This article wants to clarify what you should consider to adopt the most suitable Azure solution in this area.

The need to distribute workloads over multiple computing resources may be due to the need to optimize the use of resources, maximize throughput, minimize response times and avoid overloading every single resource. Furthermore, it can also be aimed at improving application availability by sharing a workload between redundant computing resources.

Azure load balancing services

To provide Azure load-balancing services we find the following components.

Azure Load Balancer and cross-region Azure Load Balancer: these are components that enable Layer-4 load balancing for all TCP and UDP protocols, ensuring high performance and very low latencies. Azure Load Balancer is a component zone-redundant, therefore provides high availability among availability zones.

Figure 1 – Azure Load Balancer and cross-region Azure Load Balancer overview

Azure Application Gateway: it is a service managed by the azure platform, with inherent features of high availability and scalability. The Application Gateway is a application load balancer (OSI layer 7) for web traffic, that allows you to govern HTTP and HTTPS applications traffic (URL path, host based, round robin, session affinity, redirection). The Application Gateway is able to centrally manage certificates for application publishing, using SSL and SSL offload policy when necessary. The Application Gateway may have assigned a private IP address or a public IP address, if the application must be republished in Internet. In particular, in the latter case, it is recommended to turn onWeb Application Firewall (WAF), that provides application protection, based on rulesOWASP core rule sets. The WAF protects the application from vulnerabilities and against common attacks, such as X-Site Scripting and SQL Injection attacks.

Figure 2 – Azure Application Gateway Overview

Front Door: is an application delivery network that provides global load balancing and site accelleration service for web applications. It offers Layer-7 functionality for application publishing such as SSL offload, path-based routing, fast failover, caching, in order to improve the performance and high availability of applications.

Figure 3 – Azure Front Door Overview

Traffic Manager: is a DNS-based load balancer that enables optimal distribution of traffic to services deployed in different Azure regions, while providing high availability and responsiveness. Are available different routing methods to determine which endpoint to direct traffic to. Based on DNS, failover may not be immediate due to common challenges related to DNS caching and systems not meeting DNS TTLs.

Figure 4 – Azure Traffic Manager Overview (performance traffic-routing method)

Things to consider when choosing Azure load balancing services

Each service has its own characteristics and to choose the most appropriate one it is good to make a classification with respect to the following aspects.

Load-balancing services: global vs regional

  • Global load-balancing: are used to distribute traffic to globally distributed backends across multiple regions, which can be deployed in cloud or hybrid environments. Fall into this category Azure Traffic Manager, Azure Front Door and the cross-region Azure Load Balancer.
  • Regional load-balancing: they allow you to distribute traffic to virtual machines connected to a specific virtual network or to endpoints in a specific region. This category includes Azure Load Balancer and the Azure Application Gateway.

Type of traffic: HTTP(S) vs non-HTTP(S)

Another important differentiating factor in the choice of the load-balancing solution to be adopted is the type of traffic that must be managed:

  • HTTP(S): the adoption of Layer-7 load-balancing services that accept only HTTP traffic is recommended(S). They are suitable for this type of traffic Azure Front Door and Azure Application Gateway. Typically they are used for web applications or other endpoints HTTP (S) and include features such as: SSL offload, web application firewall, path-based load balancing, and session affinity.
  • Non-HTTP(S): the use of load-balancing services is required that allow to contemplate the traffic non-HTTP (S), like Azure Traffic Manager, cross-region Azure Load Balancer and Azure Load Balancer.

In the evaluation of the Azure load-balancing service to be adopted, it is also appropriate to include considerations regarding the following aspects:

To facilitate the choice of the load-balancing solution, the following flow chart can be used as a starting point, which directs the choice on a series of key aspects:

Figure 5 – Flowchart for choosing azure load-balancing solution

Note: This flowchart does not cover the cross-region Azure Load Balancer as at the moment (11/2020) are in preview.

This flow chart is a great starting point for your evaluations, but since each application has unique requirements it is good to carry out a specific more detailed analysis.

If the application consists of multiple workloads, it is appropriate to evaluate each of these separately, as it may be necessary to adopt one or more load balancing solutions.

The various load load-balancing services can be used in combination with each other to ensure reliable and secure application access to the services provided in environments IaaS, PaaS or on-premises.

Figure 6 – Possible example of how to combine the various Azure load-balancing services

Conclusions

Thanks to a wide range of global and regional services, Azure is able to guarantee performance, security and high availability in application access. In order to establish the architecture that best meets your needs, there are several elements to evaluate, but the right combination of Azure Application Delivery solutions can deliver significant value to IT organizations, ensuring a distribution that is fast, secure and reliable for applications and user data.

Azure Networking: how to monitor and analyze Azure Firewall logs

In network architectures in Azure where Azure Firewall is present, the firewall-as-a-service solution (FWaaS) which allows to secure the resources present in the Virtual Networks and to govern the related network flows, it becomes strategic to adopt tools to effectively monitor the relevant logs. This article explores how to best interpret logs and how you can do in-depth analysis of Azure Firewall, a component that often plays a fundamental role in network architectures in Azure.

An important aspect to check is that the diagnostic settings are correctly configured in Azure Firewall, to flow log data and metrics to an Azure Monitor Log Analytics workspace.

Figure 1 – Azure Firewall diagnostic settings

To get an overview of the diagnostic logs and metrics available for Azure Firewall, you can consult the specific Microsoft documentation.

One of the most effective ways to view and analyze Azure Firewall logs is to use Workbooks, that allow you to combine text, Log Analytics query, Azure metrics and parameters, thus conseasing interactive and easily searchable reports.

For Azure Firewall there is a specific workbook provided by Microsoft that allows you to obtain detailed information on events, know the applications and network rules activated and view the statistics on firewall activity by URL, ports and addresses.

The import of this workbook can be done via ARM template or Gallery template, following the instructions in this article.

Figure 2 – Azure Firewall Workbook Import

After completing the import process, you can consult the overview an overview of the different events and types of logs present (application, Networks, threat intel, DNS proxy), with the possibility of applying specific filters related to workspaces, time slot and firewalls.

Figure 3 – Azure Firewall Workbook overview

There is a specific section in the workbook for Application rule where are shown sources by IP address, the use of application rules, and FQDNs denied and allowed. Furthermore, you can apply search filters on application rule data.

Figure 4 – Azure Firewall Workbook – Application rule log statistics

Furthermore, in the section Network Rule you can view the information based on the actions of the rules (allow/deny), target ports and DNAT actions.

Figure 5 – Azure Firewall Workbook – Network rule log statistics

If Azure Firewall has been set to work also as DNS Proxy it is possible to view in the tab “Azure Firewall – DNS Proxy” of the Workbook also information regarding the traffic and DNS requests managed.

If it is necessary to carry out further information to obtain more information on the communications of specific resources, you can use the section Investigation going to act on the filters available.

Figure 6 – Azure Firewall Workbook – Investigation

To view and analyze activity logs, you can connect Azure Firewall logs to Azure Sentinel, the service that expands the capabilities of traditional SIEM products (Security Information and Event Management), using the potential of the cloud and artificial intelligence. In this way, through specific workbooks available in Azure Sentinel, you can expand your analytics capabilities and create specific alerts to quickly identify and manage security threats that affect this infrastructure component. To connect Azure Firewall logs to Azure Sentinel you can follow the procedure in this Microsoft's document.

Conclusions

Azure Firewall is a widely used service and is often the centerpiece of your network architecture in Azure, where all network communications transit and are controlled. It therefore becomes important to date yourself with a tool to analyze the metrics and information collected, able to provide valid support in the resolution of any problems and incidents. Thanks to the adoption of these Workbooks you can easily consult the data collected by Azure Firewall, using visually appealing reports, with advanced features that allow you to enrich the analysis experience directly from the Azure portal.

Azure Networking: new features to know to better design network architectures

Cloud solutions evolve very quickly and staying up to date is a key element in innovating and responding effectively to technological changes. With the change of pace imposed by the digital transformation, network infrastructures must also be increasingly efficient, flexible and able to best provide the services required by the company business. To modernize your Azure Networking design and implementation strategy, it is therefore important to evaluate how the various technologies evolve. This article describes the news recently released by Microsoft that may affect Azure networking design, with references to real use cases.

Azure Bastion and VNet peering

Azure Bastion is a PaaS service that provides secure and reliable RDP and SSH access to virtual machines, directly through the Azure portal. Azure Bastion service provisioning is done within an Azure Virtual Network and allows access without having to assign public IP addresses directly to systems.

The news is that Azure Bastion can now work in synergy with Virtual Network (VNet) peering. This means that it is possible to activate Azure Bastion on a specific VNet and the same service can also be used to connect to virtual machines attested on the VNet in peering with this.

Azure Bastion works both in the presence of network peering that connects VNets to the same Azure region, both with VNet peering type Global, that connect VNets located in different Azure regions. From the point of view of network architectures, this possibility opens up new possible scenarios. In the typical and widely used network model, defined hub-and-spoke, you have a virtual network in Azure of Hub which acts as a point of connectivity to the on-premises network and the virtual networks that perform peering with the Hub are definedspoke, useful for isolating workloads. By adopting this model it is possible to activate Azure Bastion on the network of Hub. In this way it will be possible to reach with a single Azure Bastion service also all the virtual machines distributed in the VNets of spoke.

Figure 1 – Azure Bastion in a hub-and-spoke architecture

The following diagram shows the Azure Bastion deployment in a hub-and-spoke network architecture where:

  • The Bastion host is activated in the Hub centralized virtual network.
  • Communications are allowed, per TCP port 3389 and 22, from the Azure Bastion subnet in the Hub virtual network, to the private IPs of the Spoke virtual networks.
  • No public IP is required to access virtual machines.

With this configuration, you can simplify your architecture and reduce Azure costs, as only one Azure Bastion service will be required for the entire hub-and-spoke network topology.

Furthermore, Azure Bastion can also be provisioned in full-mesh network topologies, obtaining the same experience of accessing systems in RDP / SSH for VMs attested on all virtual networks in peering.

Some observations are reported in this regard:

  • It is possible to have several Bastion hosts active simultaneously between virtual networks in peering. This can happen particularly during the transition period, when you want to consolidate several Bastion hosts according to the hub-and-spoke topology described above. In the presence of multiple Bastion hosts, when connecting, you will be offered to choose which Bastion host to use.
  • Azure Bastion currently supports peered virtual network scenarios only if they reside in subscriptions belonging to the same tenant.

Azure Firewall: new DNS settings

Azure Firewall is the firewall-as-a-service solution (FWaaS) present in Microsoft's public cloud, which allows you to secure the resources present in the Azure Virtual Networks and to govern the related network flows. Azure Firewall features have been enhanced by adding support for custom DNS and DNS proxy.

Custom DNS

By default Azure Firewall uses Azure DNS for name resolution. The ability to configure Azure Firewall to use specific DNS servers has now been included.

In the settings, you can configure a single DNS server or multiple DNS servers:

Figure 2 - Setting up custom DNS in Azure Firewall from the Azure portal

Azure Firewall can also perform name resolution by using Azure Private DNS. In this scenario it is required that the VNet within which Azure Firewall resides is connected to the Azure Private Zone.

DNS proxy

Azure Firewall can now be configured to play the role of DNS proxy. By enabling this new feature, you can configure the Azure Firewall private IP address as the DNS of the virtual network. In this way all DNS traffic is directed to Azure Firewall, which acts as an intermediary between the systems that make DNS requests and the DNS servers themselves, in this way avoiding possible inconsistencies in name resolutions if custom DNS are used.

When the Azure firewall acts as a DNS proxy, there are two types of caches:

  • Positive cache: DNS resolution is successful. In this case Azure Firewall uses TTL (time to live) of the package or object.
  • Negative cache: DNS resolution is not successful. In this case, the information is stored in the Azure Firewall cache for one hour.

Figure 3 - Configure Azure Firewall as a DNS proxy from the Azure portal

This feature allows you to evaluate a new usage scenario for Azure Firewall, very useful when you need to manage DNS resolution in the presence of Private link, the mechanism that allows you to establish a private connection to services in Azure.

Each Azure PaaS service that uses Azure Private Link is assigned a mapped FQDN and stored in an Azure Private DNS zone. Requests sent to Azure DNS Private Zones are routed to the platform IP 168.63.129.16, which can only be reached from within the Azure environment. For this reason, if the DNS request originates from on-premises systems (or in any case from outside Azure), it is necessary to activate a DNS proxy within an Azure virtual network connected to the on-premise environment. With this new Azure Firewall DNS proxy feature, you can manage this challenge of name resolution of PaaS servers using Private Link with the following steps:

  • The VNet within which Azure Firewall resides is connected to the Azure Private Zone.
  • Azure Firewall is configured to use the Azure default DNS and enable the DNS Proxy functionality.
  • You configure your local DNS server to conditionally forward requests to Azure Firewall for the requested zone name.

Azure Firewall: using FQDN filtering in network rules

In Azure Firewall Network Rules, you can now use fully qualified domain names (FQDN) based on Azure Firewall DNS resolution. This feature allows you to filter outbound traffic for any protocol TCP / UDP (NTP, SSH, RDP, etc.) and requires the DNS proxy functionality described in the previous paragraph to be active. Azure Firewall, when configured as a DNS proxy, stores all IP addresses resolved by the FQDNs used in the network rules. For this reason it is good practice to use FQDNs in the network rules as a best practice.

Azure Firewall, for both application rules and network rules, converts the FQDN into one or more IP addresses based on the selected DNS server (Azure DNS or custom DNS). When a new DNS resolution occurs, the new IP addresses are added to the firewall rules, IP addresses that are no longer returned by the DNS server have an expiration of 15 minutes. Azure Firewall Network Rules are updated every 15 seconds using DNS resolution. If you need to apply FQDN filters, it is still a good idea to always use the Azure Firewall application rules for HTTP / S or MSSQL protocols, while for all the remaining protocols it is possible to use both the application rules and the network rules.

New features for Azure VPN gateways

Following, are reported the new features that can be adopted in the presence of Azure VPN gateways:

  • High availability of RADIUS servers in point-to-site VPNs: this feature allows you to configure high availability for customers who use RADIUS / AD authentication for point-to-site VPNs.
  • Custom IPsec/IKE policies with DPD timeouts: the IKE DPD timeout setting (Dead Peer Detection) adjusts the IKE session timeout value based on connection latency and traffic conditions. This configuration is useful for minimizing tunnel disconnections, improving the reliability and user experience.
  • APIPA support for BGP speaker: this feature allows you to establish Border Gateway Protocol sessions (BGP), with Azure VPN gateways, using APIPA addresses (169.254.x. x). This feature is especially useful for customers with legacy VPN routers, Amazon Web Service (AWS) VGW, Google Cloud Platform (GCP) VPN that use APIPA addresses (Automatic Private IP Addressing) to announce BGP addresses.
  • FQDN support for site-to-site VPNs: this feature allows you to configure site-to-site VPN in the presence of devices that do not have static public IP addresses to connect to Azure VPN gateways. It is in fact possible to use the fully qualified domain name (FQDN) instead of IP addresses. Azure VPN gateway will be able to do DNS name resolution, automatically updating the destination to establish the VPN's IPsec / IKE connections.
  • Session management and user revocation for point-to-site VPNs: the ability to list and revoke individual user connections to VPN gateways is given, directly from the Azure portal and in real time.

Conclusions

There are several innovations recently released by Microsoft in Azure networking and it is advisable to carefully evaluate them to make an accurate design. In this way it will be possible to realize effective network architectures, optimizing costs and able to exploit all the potential offered by the Azure platform.