Category Archives: Azure Networking

Azure IaaS and Azure Stack: announcements and updates (January 2023 – Weeks: 01 and 02)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Storage

Azure Ultra Disk Storage in Switzerland North and Korea South

Azure Ultra Disk Storage is now available in one zone in Switzerland North and with Regional VMs in Korea South. Azure Ultra Disk Storage offers high throughput, high IOPS, and consistent low latency disk storage for Azure Virtual Machines (VMs). Ultra Disk Storage is well-suited for data-intensive workloads such as SAP HANA, top-tier databases, and transaction-heavy workloads.

Azure Active Directory authentication for exporting and importing Managed Disks

Azure already supports disk import and export locking only from a trusted Azure Virtual Network (VNET) using Azure Private Link. For greater security, the integration with Azure Active Directory (AD) to export and import data to Azure Managed Disks is available. This feature enables the system to validate the identity of the requesting user in Azure AD and verify that the user has the required permissions to export and import that disk.

Azure IaaS and Azure Stack: announcements and updates (December 2022 – Weeks: 51 and 52)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

During these two weeks of holidays, there were no notable news related to these areas.

We look forward to 2023 for lots of news!

I wish everyone a happy 2023!

Azure IaaS and Azure Stack: announcements and updates (December 2022 – Weeks: 49 and 50)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Azure Dedicated Host: Restart

Azure Dedicated Host gives you more control over the hosts you deployed by giving you the option to restart any host. When undergoing a restart, the host and its associated VMs will restart while staying on the same underlying physical hardware. With this new capability, now generally available, you can take troubleshooting steps at the host level.

New Memory Optimized VM sizes (preview)

The new E96bsv5 and E112ibsv5 VM sizes part of the Azure Ebsv5 VM series offer the highest remote storage performances of any Azure VMs to date. The new VMs can now achieve even higher VM-to-disk throughput and IOPS performance with up to 8,000 MBps and 260,000 IOPS. This enables you to run data intensive workloads more efficiently and process more data on fewer vCPUs, potentially optimizing infrastructure and licensing costs.

Networking

Feature enhancements to Azure Web Application Firewall (WAF)

Azure’s global Web Application Firewall (WAF) running on Azure Front Door, and Azure’s regional WAF running on Application Gateway, now support additional features that help organizations improve their security posture and make it easier to manage logging across resources:

  • SQL injection (SQLi) and cross site scripting (XSS) detection queries: new Azure WAF analytics SQLi and XSS detection rule templates simplify the process of setting up automated detection and response with Microsoft’s security incident & event management (SIEM) service: Microsoft Sentinel.
  • Azure policies for WAF logging: the regional WAF on Application Gateway and the global WAF running on Azure Front Door now have built-in Azure policies requiring resource logs and metrics. This allows organizations to enforce standards for WAF deployments to collect logs and metrics for further analysis and insights related to security events.

In addition, Azure regional WAF on Application Gateway now has:

  • Increased exclusion limit: CRS 3.2 or greater ruleset now supports exclusions limit up to 200, a 5x increase from older versions; allowing for greater customization on how the WAF handles managed rulesets.
  • Bot Manager ruleset exclusion rules: exclusions are extended to Bot Manager Rule Set 1.0. Learn more: WAF exclusions.
  • Uppercase transform on custom rules: you can now handle case sensitivity when creating custom WAF rules using uppercase transform in addition to the lowercase transform.

Storage

Azure NetApp Files cross-zone replication (preview)

The cross-zone replication feature allows you to replicate your Azure NetApp Files volumes asynchronously from one Azure availability zone (AZ) to another in the same region. It uses a combination of the SnapMirror® technology used with cross-region replication and the new availability zone volume placement feature, to replicate data in-region; only changed blocks are sent over the network in a compressed, efficient format. It helps you protect your data from unforeseeable zone failures, without the need for host-based data replication. This feature minimizes the amount of data required to replicate across the zones, therefore limiting data transfers required and also shortens the replication time, so you can achieve a smaller restore point objective (RPO). Cross-zone replication doesn’t involve any network transfer costs, and hence it is highly cost-effective.

Azure IaaS and Azure Stack: announcements and updates (December 2022 – Weeks: 47 and 48)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Azure HX series and HBv4 series virtual machines (preview)

The Azure HX series and HBv4 series virtual machines (VMs) are now in preview in the East US region. These VMs, powered by AMD 4th gen EPYCTM “Genoa” CPUs, improve the performance and cost-effectiveness of a variety of memory performance bound, compute bound, and massively parallel workloads. These new VMs deliver more performance, value-adding innovation, and cost-effectiveness to every Azure HPC customer.

Networking

Azure Bastion now support shareable links (preview)

With the new Azure Bastion shareable links feature in public preview and included in Standard SKU, you can now connect to a target resource (virtual machine or virtual machine scale set) using Azure Bastion without accessing the Azure portal.

This feature will solve two key pain points:

  • Administrators will no longer have to provide full access to their Azure accounts to one-time VM users, helping to maintain their privacy and security.
  • Users without Azure subscriptions can seamlessly connect to VMs without exposing RDP/SSH ports to the public internet.

Storage

Azure File Sync agent v15.2

Azure File Sync agent v15.2 is now on Microsoft Update and Microsoft Download Center.

Improvements and issues that are fixed:

  • Fixed a cloud tiering issue in the v15.1 agent that caused the following symptoms:
    • Memory usage is higher after upgrading to v15.1
    • Storage Sync Agent (FileSyncSvc) service intermittently crashes
    • Files are failing to recall with error ERROR_INVALID_HANDLE (0x00000006)
  • Fixed a health reporting issue with servers configured to use a non-Gregorian calendar

More information about this release:

  • This release is available for Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 and Windows Server 2022 installations
  • The agent version for this release is 15.2.0.0
  • Installation instructions are documented in KB5013875

Azure IaaS and Azure Stack: announcements and updates (November 2022 – Weeks: 45 and 46)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

What’s new in Azure VMware Solution

Recent updates for Azure VMware Solution:

  • Stretched Clusters for Azure VMware Solution, now in preview, provides 99.99 percent uptime for mission critical applications that require the highest availability. In times of availability zone failure, your virtual machines (VMs) and applications automatically failover to an unaffected availability zone with no application impact.
  • Azure NetApp Files Datastores is now generally available to run your storage intensive workloads on Azure VMware Solution. This integration between Azure VMware Solution and Azure NetApp Files enables you to create datastores via the Azure VMware Solution resource provider with Azure NetApp Files NFS volumes and attach the datastores to your private cloud clusters of choice.
  • Customer-managed keys for Azure VMware Solution is now in preview, both supporting higher security for customers’ mission-critical workloads and providing you with control over your encrypted vSAN data on Azure VMware Solution. With this feature, you can use Azure Key Vault to generate customer-managed keys as well as centralize and streamline the key management process.
  • New node sizing for Azure VMware Solution. Start leveraging Azure VMware Solution across two new node sizes with the general availability of AV36P and AV52 in AVS. With these new node sizes organizations can optimize their workloads for memory and storage with AV36P and AV52.

Virtual Machine software reservations

The new Virtual Machine software reservations enable savings on your Virtual Machine software costs when you make a one- to three-year commitment for plans offered by third-party publishers such as Canonical, Citrix, and Red Hat.

Arm-based VMs now available in four additional Azure regions

The Dpsv5, Dplsv5, and Epsv5 VMs are available in the following additional four Azure regions: West US, North Central US, UK South, and France Central

Storage

Encrypt managed disks with cross-tenant customer-managed keys

Encrypting managed disks with cross-tenant customer-managed keys (CMK) enables you to encrypt managed disks with customer-managed keys using Azure Key Vault hosted in a different Azure Active Directory (AD) tenant.

Networking

New capabilities for Azure Firewall

Azure Firewall is a cloud-native firewall as a service offering that enables customers to centrally govern and log all their traffic flows using a DevOps approach.

Several key Azure Firewall capabilities are now generally available:

  • New GA regions in Qatar central, China East, and China North: Azure Firewall Standard, Azure Firewall Premium, and Azure Firewall Manager are now generally available in three new regions: Qatar Central, China East, and China North
  • IDPS Private IP ranges: in Azure Firewall Premium IDPS, Private IP address ranges are used to identify traffic direction (inbound, outbound, or internal) to allow accurate matches with IDPS signatures. By default, only ranges defined by Internet Assigned Numbers Authority (IANA) RFC 1918 are considered private IP addresses. To modify your private IP addresses, you can now easily edit, remove, or add ranges as needed.
  • Single Click Upgrade/Downgrade (preview): With this new capability, customers can easily upgrade their existing Firewall Standard SKU to Premium SKU as well as downgrade from Premium to Standard SKU. The process is fully automated and has zero service downtime.
  • Enhanced Threat Intelligence (preview): Threat Intelligence-based filtering can be enabled for your firewall to alert and deny traffic from/to known malicious IP addresses and FQDNs. With the new enhancement, Azure Firewall Threat Intelligence has more granularity for filtering based on malicious URLs. This means that customers may have access to a certain domain through a specific URL in this domain will be denied by Azure Firewall if identified as malicious.
  • KeyVault with zero internet exposure (preview): in Azure Firewall Premium TLS inspection, customers are required to deploy their intermediate CA certificate in Azure KeyVault. Now that Azure firewall is listed as a trusted Azure KeyVault service, customers can eliminate any internet exposure of their Azure KeyVault.

Azure Front Door: new features in preview

New features are available for Azure Front Door (preview):

  • Azure Front Door zero downtime migration. In March of this year, Microsoft announced the general availability of two new Azure Front Door tiers. Azure Front Door Standard and Premium are native, modern cloud content delivery network (CDN) catering to both dynamic and static content delivery acceleration with built-in turnkey security and a simple and predictable pricing model. The migration capability enables you to perform a zero-downtime migration from Azure Front Door (classic) to Azure Front Door Standard or Premium in just three simple steps or five simple steps if your Azure Front Door (classic) instance has custom domains with your own certificates. The migration will take a few minutes to complete depending on the complexity of your Azure Front Door (classic) instance, such as number of domains, backend pools, routes, and other configurations.
  • Upgrade from Azure Front Door Standard to Premium tier: Azure Front Door supports upgrading from Standard to Premium tier without downtime. Azure Front Door Premium supports advanced security capabilities and has increased quota limit, such as managed Web Application Firewall rules and private connectivity to your origin using Private Link.
  • Azure Front Door integration with managed identities. Azure Front Door now supports managed identities generated by Azure Active Directory to allow Front Door to easily and securely access other Azure AD-protected resources such as Azure Key Vault. This feature is in addition to the AAD Application access to Key Vault that is currently supported.

Default Rule Set 2.1 for Azure Web Application Firewall

Default Rule Set 2.1 (DRS 2.1) on Azure’s global Web Application Firewall (WAF) running on Azure Front Door is available. This rule set is available on the Azure Front Door Premium tier.
DRS 2.1 is baselined off the Open Web Application Security Project (OWASP) Core Rule Set (CRS) 3.3.2 and includes additional proprietary protections rules developed by Microsoft Threat Intelligence team. As with previous DRS releases, DRS 2.1 rules are also tailored by Microsoft Threat Intelligence Center (MSTIC). The MSTIC team analyzes Common Vulnerabilities and Exposures (CVEs) and adapts the CRS ruleset to address those issues while also reducing false positives to our customers.

Bot Manager Rule Set 1.0 on regional Web Application Firewall

A new bot protection rule set (Microsoft_BotManagerRuleSet_1.0) is now generally available for Azure Web Application Firewall (WAF) with Azure Application Gateway. Added to this updated rule set are three bot categories: good, bad, and unknown. Bot signatures are managed and dynamically updated by Azure WAF. The default action for bad bot groups is set to Block, for the verified search engine crawlers group it’s set to Allow, and for the unknown bot category it’s set to Log. You may overwrite the default action with Allow, Block, or Log for any type of bot rule

Per Rule Actions on regional Web Application Firewall

Azure’s regional Web Application Firewall (WAF) with Application Gateway running the Bot Protection rule set and Core Rule Set (CRS) 3.2 or higher now supports setting actions on a rule-by-rule basis. This gives you greater flexibility when deciding how the WAF handles a request that matches a rule’s conditions.

Azure Stack

Azure Stack HCI

Network HUD

Network HUD is a new feature, available with the November update on Azure Stack HCI that detects operational network issues causing stability issues or degrade performance. It distills the various indicators of problems generated by event logs, performance counters, the physical network and more, to proactively identify issues and alert you with contextual messages that you can act on. It also integrates with the existing alerting mechanisms you’re already used to and leverages Network ATC for intent-based analytics and remediation.

Azure IaaS and Azure Stack: announcements and updates (November 2022 – Weeks: 43 and 44)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Storage

Attribute-based access control for standard storage accounts

Attribute-based access control (ABAC) is an authorization strategy that defines access levels based on attributes associated with security principals, resources, and requests. Azure ABAC builds on role-based access control (RBAC) by adding conditions to Azure role assignments in the existing identity and access management (IAM) system. This release makes generally available role assignment conditions using request and resource attributes on Blobs, ADLS Gen2 and storage queues for standard storage accounts.

Premium SSD v2 disks available on Azure Disk CSI driver

Premium SSD v2 is the next-generation Azure Disk Storage optimized for performance-sensitive and general-purpose workloads that need consistent low average read and write latency combined with high IOPS and throughput. Premium SSD v2 is now available with the Azure Disk CSI driver to deploy stateful workloads in Kubernetes on Azure.

Ephemeral OS disk support for confidential virtual machines

The support to create confidential VMs using Ephemeral OS disks is available. This enables customers using stateless workloads to benefit from the trusted execution environments (TEEs). Trusted execution environments protect data being processed from access outside the trusted execution environments.

Encrypt storage account with cross-tenant customer-managed keys

The ability to encrypt storage account with customer-managed keys (CMK) using an Azure Key Vault hosted on a different Azure Active Directory tenant is available. You can use this solution to encrypt your customers’ data using an encryption key managed by your customers.

Availability zone volume placement for Azure NetApp Files (preview)

Azure NetApp Files availability zone volume placement feature lets you deploy new volumes in the logical availability zone of your choice to support enterprise, mission-critical high availability (HA) deployments across multiple availability zones.

Networking

Azure Virtual WAN announcements

Multiple areas of Azure Virtual WAN (vWAN) have key announcements:

  • Remote user connectivity (also known as point-to-site VPN)
    • Multipool user group support preview

  • Routing
    • Secure hub routing intent preview

    • Hub routing preference (HRP) is generally available

    • Bypass next hop IP for workloads within a spoke VNet connected to the virtual WAN hub generally available

    • Border Gateway Protocol (BGP) Peering with a virtual hub is generally available

  • Branch connectivity (also known as site-to-site VPN)
    • BGP dashboard is now generally available

    • Virtual Network Gateway VPN over ExpressRoute private peering (AZ and non-AZ regions) is generally available

    • Custom traffic selectors (portal)

    • High availability for Azure VPN client using secondary profile is generally available

  • Private connectivity (also known as ExpressRoute)

    • ExpressRoute circuit with visibility of Virtual WAN connection

  • Third-Party Network Virtual Appliance Integrations
    • Fortinet SDWAN is generally available

    • Aruba EdgeConnect Enterprise SDWAN preview

    • Checkpoint NG Firewall preview

Custom IP Prefixes (BYOIP) available in US Government regions

The ability to bring your own public IP ranges is now available in all US Government regions.

Azure IaaS and Azure Stack: announcements and updates (October 2022 – Weeks: 41 and 42)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

In this dedicated post you can find the most important announcements and major updates officialized last week during Microsoft Ignite (October 2022) conference.

Azure

Compute

Azure savings plan for compute

Azure savings plan for compute is an easy and flexible way to save significantly on compute services, compared to pay-as-you-go prices. The savings plan unlocks lower prices on select compute services when customers commit to spend a fixed hourly amount for one or three years. Choose whether to pay all upfront or monthly at no extra cost. As you use select compute services across the world, your usage is covered by the plan at reduced prices, helping you get more value from your cloud budget. During the times when your usage is above your hourly commitment, you’ll be billed at your regular pay-as-you-go prices. With savings automatically applying across compute usage globally, you’ll continue saving even as your usage needs change over time.

Storage

SFTP support for Azure Blob Storage

SSH File Transfer Protocol (SFTP) support for Azure Blob Storage is now generally available. Azure Blob Storage now supports SFTP, enabling you to leverage object storage economics and features for your SFTP workloads. With just one click, you can provision a fully managed, highly scalable SFTP endpoint for your storage account. This expands Blob Storage’s multi-protocol access capabilities and eliminates data silos, meaning you can run different applications, requiring different protocols, on a single storage platform with no code changes.

Azure IaaS and Azure Stack: announcements and updates (October 2022 – Weeks: 39 and 40)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Storage

Azure NetApp Files new regions and cross-region replication

Azure NetApp Files is now available in the following additional regions:

  • Korea South,
  • Sweden Central.

Additionally, Azure NetApp Files cross-region replication has been enabled between following regions:

  • Korea Central and Korea South,
  • North Central US and East US 2,
  • France Central and West Europe.

Networking

ExpressRoute FastPath support for Vnet peering and UDRs

FastPath now supports virtual network peering and user defined routing (UDR). FastPath will send traffic directly to any VM deployed in a spoke virtual network peered to the virtual network where the ExpressRoute virtual network gateway is deployed. Additionally, FastPath will now honor UDRs configured on the GatewaySubnet and send traffic directly to an Azure Firewall or third-party Network Virtual Appliance (NVA).

Azure Firewall Basic (preview)

Azure Firewall Basic is a new SKU for Azure Firewall designed for small and medium-sized businesses.

Comprehensive, cloud-native network firewall security:

  • Network and application traffic filtering
  • Threat intelligence to alert on malicious traffic
  • Built-in high availability
  • Seamless integration with other Azure security services

Simple setup and easy-to-use:

  • Setup in just a few minutes
  • Automate deployment (deploy as code)
  • Zero maintenance with automatic updates
  • Central management via Azure Firewall Manager

Cost-effective:

  • Designed to deliver essential, cost-effective protection of your resources within your virtual network

Policy analytics for Azure Firewall (preview)

Policy analytics for Azure Firewall, now in public preview, provides enhanced visibility into traffic flowing through Azure Firewall, enabling the optimization of your firewall configuration without impacting your application performance.

Azure Basic Load Balancer will be retired

On 30 September 2025, Azure Basic Load Balancer will be retired. You can continue to use your existing Basic Load Balancers until then, but you’ll no longer be able to deploy new ones after 31 March 2025.

To keep your workloads appropriately distributed, you’ll need to upgrade to Standard Load Balancer, which provides significant improvements including:

  • High performance, ultra-low latency, and superior resilient load-balancing.
  • Security by default: closed to inbound flows unless allowed by a network security group.
  • Diagnostics such as multi-dimensional metrics and alerts, resource health, and monitoring.
  • SLA of 99.99 percent availability.

Basic SKU public IP addresses will be retired

On 30 September 2025, Basic SKU public IP addresses will be retired in Azure. You can continue to use your existing Basic SKU public IP addresses until then, however, you’ll no longer be able to create new ones after 31 March 2025.

Standard SKU public IP addresses offer significant improvements, including:

  • Access to a variety of other Azure products, including Standard Load Balancer, Azure Firewall, and NAT Gateway.
  • Security by default—closed to inbound flows unless allowed by a network security group.
  • Zone-redundant and zonal front ends for inbound and outbound traffic.

Azure IaaS and Azure Stack: announcements and updates (September 2022 – Weeks: 37 and 38)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Storage

Azure File Sync agent v15.1

Improvements and issues that are fixed:

  • Low disk space mode to prevent running out of disk space when using cloud tiering. Low disk space mode is designed to handle volumes with low free space more effectively. On a server endpoint with cloud tiering enabled, if the free space on the volume reaches below a threshold, Azure File Sync considers the volume to be in Low disk space mode. In this mode, files are tiered to the Azure file share more proactively and tiered files accessed by the user will not be persisted to the disk. To learn more, see the low disk space mode section in the Cloud tiering overview documentation.
  • Fixed a cloud tiering issue that caused high CPU usage after v15.0 agent is installed.
  • Miscellaneous reliability and telemetry improvements.

To obtain and install this update, configure your Azure File Sync agent to automatically update when a new version becomes available or manually download the update from the Microsoft Update Catalog.

More information about this release:

  • This release is available for Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 and Windows Server 2022 installations.
  • The agent version for this release is 15.1.0.0.
  • Installation instructions are documented in KB5003883.

Standard network features for Azure NetApp Files

Standard network features for Azure NetApp Files volumes are available. Standard network features provide you with an enhanced, and consistent virtual networking experience along with security posture for Azure NetApp Files.

You are now able to choose between standard or basic network features while creating a new Azure NetApp Files volume:

  • Basic provide the current functionality, limited scale, and features.
  • Standard provides the following new features for Azure NetApp Files volumes or delegated subnets:
    – Increased IP limits for Vnets with Azure NetApp Files volumes. This is at par with VMs to enable you to provision Azure NetApp File volumes in your existing topologies or architectures. This eliminates the need to rearchitect network topologies to use Azure NetApp Files for workloads like VDI, AVD, or AKS.
    – Enhanced network security with support for network security groups (NSG) on the Azure NetApp Files delegated subnet.
    – Enhanced network control with support for user-defined routes (UDR) to and from Azure NetApp Files delegated subnets. You can now direct traffic to and from Azure NetApp Files via your choice of network virtual appliances for traffic inspection.
    – Connectivity over active or active VPN gateway setup for highly available connectivity to Azure NetApp Files from on-premises network.
    – ExpressRoute FastPath connectivity to Azure NetApp Files. FastPath improves the data path performance between on-premises network and Azure Virtual Network.

Immutable storage for Azure Data Lake Storage

Immutable storage for Azure Data Lake Storage is now generally available. Immutable storage provides the capability to store data in a write once, read many (WORM) state. Once data is written, the data becomes non-erasable and non-modifiable and you can set a retention period so that files can’t be deleted until after that period has elapsed. Additionally, legal holds can be placed on data to make that data non-erasable and non-modifiable until the hold is removed.

Improved Append Capability on Immutable Storage for Blob Storage

Immutable storage for Blob Storage on containers (which has been generally available since September 2018) now includes a new append capability. This capability, titled “Allow Protected Appends for Block and Append Blobs”, allows you to set up immutable policies for block and append blobs to keep already written data in a WORM state and continue to add new data. This capability is available for both legal holds and time-based retention policies.

Encrypt managed disks with cross-tenant customer-managed keys

Many service providers building Software as a Service (SaaS) offerings on Azure want to give their customers the option of managing their own encryption keys. Customers of service providers can now use cross-tenant customer-managed keys to manage encryption keys in their own Azure AD tenant and subscription using Azure Key Vault. As a result, they will have complete control of their customer-managed keys and their data.

Azure Dedicated Host support for Ultra Disk Storage

Virtual machines (VMs) running on Azure Dedicated Host support the use of standard and premium disks as data disks, and now there is also the support for ultra disks on dedicated host.

Azure unmanaged disks will be retired on 30 September 2025

Azure Managed Disks now have full capabilities of unmanaged disks and other advancements. Microsoft will begin deprecating unmanaged disks on September 30, 2022, and this functionality will be completely retired on September 30, 2025.

Encryption scopes on hierarchical namespace enabled storage accounts (preview)

Encryption scopes introduce the option to provision multiple encryption keys in a storage account with hierarchical namespace. Using encryption scopes, you now can provision multiple encryption keys and choose to apply the encryption scope either at the container level (as the default scope for blobs in that container) or at the blob level. The preview is available for REST, HDFS, NFSv3, and SFTP protocols in an Azure Blob / Data Lake Gen2 storage account. The key that protects an encryption scope may be either a Microsoft-managed key or a customer-managed key in Azure Key Vault. You can choose to enable automatic rotation of a customer-managed key that protects an encryption scope. When you generate a new version of the key in your Key Vault, Azure Storage will automatically update the version of the key that is protecting the encryption scope, within a day.

Customer initiated storage account conversion (preview)

The self-service option to convert storage accounts from non-zonal redundancy (LRS/GRS) to zonal redundancy (ZRS/GZRS) is available. This allows you to initiate the conversion of storage accounts via the Azure portal without the necessity of creating a support ticket.

Networking

Resizing of peered virtual networks

Updating the address space for peered virtual networks now is now generally available. This feature allows you to update the address space or resize for a peered virtual network without removing the peering.

Improvements to Azure Web Application Firewall (WAF) custom rules

  • There are two improvements for WAF custom rules:
    Azure regional Web Application Firewall (WAF) with Application Gateway now supports creating custom rules using the operators “Any” and “GreaterThanOrEqual”. Custom rules allow you to create your own rules to customize how each request is evaluatedas it passes through the WAF engine.
  • Azure global Web Application Firewall (WAF) with Azure Front Door now supports custom geo-match filtering rules using socket addresses. Filtering by socket address allows you to restrict access to your web application by country/region using the source IP that the WAF sees.

Azure IaaS and Azure Stack: announcements and updates (September 2022 – Weeks: 35 and 36)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Azure Virtual Machines with Ampere Altra Arm–based processors

Microsoft is announcing the general availability of the latest Azure Virtual Machines featuring the Ampere Altra Arm–based processor. The new virtual machines will be generally available on September 1, and customers can now launch them in 10 Azure regions and multiple availability zones around the world. In addition, the Arm-based virtual machines can be included in Kubernetes clusters managed using Azure Kubernetes Service (AKS). This ability has been in preview and will be generally available over the coming weeks in all the regions that offer the new virtual machines.

Storage

Prevent a lifecycle management policy from archiving recently rehydrated blobs

Azure Storage lifecycle management offers a rule-based policy that you can use to transition blob data to the appropriate access tiers or to expire data at the end of the data lifecycle. You can configure rules to move a blob to archive tier based on last modified condition. If you rehydrate a blob by changing its tier, this rule may move the blob back to the archive tier. This can happen if the last modified time is beyond the threshold set for the policy. Now you can add a new condition, daysAfterLastTierChangeGreaterThan, in your rules, to skip the archiving action if the blobs are newly rehydrated.

Encrypt storage account with cross-tenant customer-managed keys (preview)

The ability to encrypt storage account with customer-managed keys (CMK) using an Azure Key Vault hosted on a different Azure Active Directory tenant is available in preview. You can use this solution to encrypt your customers’ data using an encryption key managed by your customers.

Ephemeral OS disks supports host-based encryption using customer managed key

Ephemeral OS disk customers can choose encryption type between platform managed keys or customer managed keys for host-based encryption. The default is platform managed keys. This feature would enable our customers to meet organization’s compliance needs.

Resource instance rules for access to Azure Storage

Resource instance rules enable secure connectivity to a storage account by restricting access to specific resources of select Azure services.
Azure Storage provides a layered security model that enables you to secure and control access to your storage account. You can configure network access rules to limit access to your storage account from select virtual networks or IP address ranges. Some Azure services operate on multi-tenant infrastructure, so resources of these services cannot be isolated to a specific virtual network.
With resource instance rules, you can now configure your storage account to only allow access from specific resource instances of such Azure services. For example, Azure Synapse offers analytic capabilities that cannot be deployed into a virtual network. If your Synapse workspace uses such capabilities, you can configure a resource instance rule on a secured storage account to only allow traffic from that Synapse workspace.
Resource instances must be in the same tenant as your storage account, but they may belong to any resource group or subscription in the tenant.

Networking

ExpressRoute IPv6 Support for Global Reach

IPv6 support for Global Reach unlocks connectivity between on-premise networks, via the Microsoft backbone, for customers with dual-stack workloads. Establish Global Reach connections between ExpressRoute circuits using IPv4 subnets, IPv6 subnets, or both. This configuration can be done using Azure Portal, PowerShell, or CLI.