This blog post series highlights the key announcements and major updates related to Azure Infrastructure as a Service (IaaS) and Azure Stack, as officially released by Microsoft in the past two weeks.

Azure

General

Azure Integration with Canonical’s Snapshot Service (preview)

Microsoft has announced a public preview of Azure’s integration with Canonical’s Snapshot Service, marking a significant step forward in the deployment of secure and resilient Canonical workloads on Azure. This collaboration positions Azure as the first cloud provider to integrate with Canonical’s snapshot service. The integration aims to streamline the update process for Linux operating systems, enhancing security and reliability across Azure services. The Azure Guest Patching Service (AzGPS) and Azure Kubernetes Service (AKS) will utilize this new feature to apply consistent updates across different regions using Safe Deployment Principles (SDP). This initiative underscores Microsoft’s commitment to providing a secure and up-to-date environment for Linux-based applications on Azure.

Compute

Extension of Azure Compute Reservations Exchange Period

Microsoft Azure has announced a significant extension of the exchange period for Azure Compute Reservations, which includes Azure Reserved Virtual Machine Instances, Azure Dedicated Host reservations, and Azure App Services reservations. Initially set to end on January 1, 2024, the exchange period has been extended until at least July 1, 2024. This extension provides an additional grace period, allowing users to exchange their Azure Compute Reservations to better suit their resource needs and planning. Launched in October 2022, the Azure Savings Plan for Compute aims to offer greater flexibility, accommodating changes such as virtual machine series and regions. After the grace period, it will no longer be possible to exchange instance series or regions for the mentioned reservations. Users can choose to convert their Azure Compute Reservations into a savings plan or continue to use and purchase reservations for predictable and stable workloads.

Networking

Default Rule Set 2.1 for Regional WAF with Application Gateway

Microsoft Azure has reached a new milestone with the general availability of Default Rule Set (DRS) 2.1 for the regional Web Application Firewall (WAF) on Azure Application Gateway. This release is based on the Open Web Application Security Project (OWASP) Core Rule Set (CRS) 3.3.2 and is enhanced with additional proprietary protection rules developed by the Microsoft Threat Intelligence team. The team’s analysis of Common Vulnerabilities and Exposures (CVEs) has been instrumental in adapting the CRS to address these vulnerabilities while minimizing false positives. This update reflects Microsoft’s dedication to providing robust security measures for applications deployed on Azure, ensuring that they are safeguarded against a wide array of threats.

Azure Bastion for Developers (Preview)

Azure Bastion now offers a developer-focused preview that enables secure and seamless RDP and SSH access to virtual machines over the Azure platform. This service is designed to provide a more integrated and streamlined experience for developers, with features that cater specifically to their workflows and access requirements. The preview aims to enhance productivity and security for development environments hosted on Azure.

Storage

Azure Blob Storage Cold Tier

Azure Blob Storage has announced the general availability of its Cold Tier support for Blob Batch operations as of August 10th, 2023. This new online access tier is the most cost-effective option within Azure Blob Storage for storing infrequently accessed data that requires long-term retention while still providing instant access. Blob Batch operations have been enhanced to support tiering operations for the cold tier, allowing for the efficient management of large volumes of data. For more information on optimizing performance and cost with the Cold Tier, users can refer to the Azure documentation.

TLS 1.2 to Become the Minimum TLS Version for Azure Storage

In a move to align with evolving technology and regulatory standards, Azure Storage is set to deprecate support for TLS versions 1.0 and 1.1. Starting from November 1, 2024, the minimum supported version will be TLS 1.2. This update is crucial as TLS 1.2 offers enhanced security and speed over its predecessors, which do not support modern cryptographic algorithms and cipher suites. The change will affect both existing and new storage accounts that are currently using the older TLS versions across all Azure clouds.

To prevent any service disruptions, users of Azure Storage are required to transition to TLS 1.2 and eliminate any dependencies on the older versions. Azure Storage already supports and defaults to TLS 1.2, so customers using it will not experience any impact due to this update. However, for those utilizing TLS 1.0 or 1.1, it is imperative to update operating systems, development libraries, frameworks, and any other solutions to the latest versions that support TLS 1.2 before October 31, 2024.

Azure has provided a set of recommendations and resources to facilitate this migration. For further details and guidance, users can navigate to the Azure updates page.

Azure Premium SSD v2 Disk Storage Now Available in More Regions

Azure Premium SSD v2 Disk Storage has expanded its availability, now including Poland Central, China North 3, and US Gov Virginia regions. This next-generation storage solution provides sub-millisecond disk latencies and is designed to support IO-intensive workloads at a cost-effective price point. It is ideal for a variety of enterprise production workloads such as SQL Server, Oracle, MariaDB, SAP, Cassandra, MongoDB, and big data analytics. For more information on Premium SSD v2 Disk Storage and pricing, users can refer to the Azure Managed Disks pricing page.

Azure NetApp Files Standard Storage with Cool Access (preview)

Azure has introduced a new feature in public preview for Azure NetApp Files, standard storage with cool access. This innovative feature allows users to configure a standard capacity pool with cool access, effectively moving cold (infrequently accessed) data transparently to an Azure storage account. This transition aims to reduce the cost of storage while maintaining the same throughput to and from the volume.

However, users should note that there might be a difference in data access latency, as data blocks could be tiered to the Azure storage account. The cool access feature offers options for the “coolness period” to optimize network transfer costs based on specific workload and read/write patterns. This functionality is provided at the volume level.

During the preview phase, this feature is available in several regions, including East US2, East Asia, Central India, Canada Central, Australia East, North Europe, Brazil South, France Central, Australia Southeast, and Canada East. More regions will be added as the preview progresses.

Conclusion

Over the past two weeks, Microsoft has introduced a slew of updates and announcements pertaining to Azure Infrastructure as a Service (IaaS) and Azure Stack. These developments underscore the tech giant’s unwavering commitment to enhancing its cloud offerings and adapting to the ever-evolving needs of businesses and developers. Users of Azure can anticipate improved functionalities, streamlined services, and enriched features as a result of these changes. Stay tuned for more insights as I continue to monitor and report on Azure’s progression in the cloud sphere.

This blog post series highlights the key announcements and major updates related to Azure Infrastructure as a Service (IaaS) and Azure Stack, as officially released by Microsoft in the past two weeks.

Azure

General

Microsoft Azure achieves HITRUST CSF v11.0.1 certification

I am thrilled to announce that Microsoft Azure has achieved HITRUST CSF v11.0.1 certification across 162 Azure services and 115 Azure Government services. This certification covers all GA Azure regions across both Azure and Azure Government clouds. This monumental achievement stands as a testament to Azure’s unwavering commitment to enhancing its security and compliance offerings, especially for valued customers in the healthcare sector.

HITRUST CSF v11.0.1 is the latest iteration of the framework, incorporating new requirements and updates from authoritative sources such as NIST SP 800-53 Rev 5, NIST Cybersecurity Framework v1.1, PCI DSS v3.2.1, FedRAMP High Baseline Rev 5, CSA CCM v3.0.1, GDPR, CCPA, and more. Moreover, HITRUST CSF v11.0.1 introduces innovative features and enhancements, including a maturity scoring model, risk factor analysis, an expanded inheritance program, improved assessment scoping tools, and more. By securing this certification, Azure reinforces its dedication to providing secure and compliant cloud services for customers in the healthcare industry.

Compute

Azure Dedicated Host – Resize

With the introduction of Azure Dedicated Host’s new ‘resize’ feature, users can now effortlessly transition their existing dedicated host to a different Azure Dedicated Host SKU, for instance, moving from Dsv3-Type1 to Dsv3-Type4. This innovative ‘resize’ feature significantly reduces the complexities and efforts associated with reconfiguring VMs when there’s a need to upgrade the foundational dedicated host system. One of the standout features is the ability to automatically create a new host, migrate all pre-existing VMs, and subsequently delete the old host. This eliminates the need for any manual interventions during the upgrade process of the dedicated host. Additionally, this could lead to potential cost savings, as users gain the capability to operate more VMs on the newly introduced dedicated host SKUs.

VMSS Automatic Instance Repairs – Reimage, Restart Repair Actions (preview)

Automatic instance repairs help Virtual Machine Scale Set customers achieve high application availability by automatically detecting and recovering unhealthy VM instances at runtime. Microsoft has announced that customers can now choose between Replace, Reimage (Preview), or Restart (Preview) as the default repair action performed in response to an “Unhealthy” application signal. These new options provide a less-impactful repair process, ensuring higher application availability while preserving VM properties and metadata for customers with sensitive workloads.

Networking

Default Outbound Access for VMs in Azure Will Be Retired

Microsoft has recently announced that starting from 30 September 2025, the default outbound access connectivity for all new virtual machines in Azure will be retired. This decision is in line with Azure’s move towards a secure-by-default model, which means that the default outbound access to the internet will be turned off. Consequently, after the mentioned date, Azure will no longer assign a default implicit IP for VMs to communicate with the internet. However, it’s important to note that existing VMs will not be affected by this retirement. For those who require outbound access post this date, Azure will provide an easy way to enable outbound internet access using explicit outbound methods. Additionally, for VMs currently having default outbound access and wishing to transition to a secure configuration after this date, Azure will offer a mechanism for easy opt-in. Users already utilizing explicit outbound connectivity methods will remain unaffected by this retirement. Azure emphasizes the benefits of explicit outbound connectivity methods, including greater control over internet connections, protection from public IP address changes, and traceable IP address resources beneficial for measurement and troubleshooting. Azure will be sending periodic updates to subscription owners impacted by this change in the coming months.

ExpressRoute Traffic Collector now generally available

Microsoft Azure has announced the general availability of the ExpressRoute Traffic Collector. This feature allows users to capture information about IP flows sent over ExpressRoute direct circuits. The ExpressRoute Traffic Collector supports flow logs capture for both Private and Microsoft peering. The captured flow logs data is sent to a Log Analytics workspace, enabling users to create custom log queries for in-depth analysis.

Some of the primary use cases for flow logs include:

• Network Monitoring: gain near real-time visibility into network throughput and performance, perform network diagnosis, and forecast capacity.
• Network Usage and Cost Optimization: analyze traffic trends by filtering sampled flows by IP, port, or applications. Identify top talkers for a source IP, destination IP, or applications. Optimize network traffic expenses by analyzing traffic patterns.
• Network Forensics Analysis: identify potentially compromised IPs by analyzing all associated network flows. Users can also export flow logs to a SIEM tool of their choice to monitor and correlate events.

It’s important to note that the flow logs collected by the ExpressRoute Traffic Collector do not impact network throughput or latency. Users can enable or stop flow logs collection without any risk of affecting the network performance of an ExpressRoute direct circuit.

Azure Private Link for MySQL – Flexible Server

Azure Private Link allows users to connect to various PaaS services, such as Azure Database for MySQL – Flexible Server, in Azure, via a private endpoint. Private Link brings Azure services inside your private virtual network (VNet). Using the private IP address, the Azure Database for MySQL – Flexible Server becomes accessible just like any other resource within the VNet. This feature is now available for general use.

Storage

Azure Files improved support for Unicode characters

Azure Files has undergone enhancements to now support all valid Unicode characters. This development allows for the creation of SMB File shares with file and directory names that align with the NTFS file system, specifically for valid Unicode characters. This expanded character set support includes:

• Control characters that are supported by NTFS.
• Trailing dot (.) characters at the end of directory and file names.
• Characters that function individually but were previously blocked when used in combination, especially in non-English languages.

Such advancements facilitate tools like AzCopy and Storage mover to migrate all files into Azure Files using the REST protocol. This expanded character support is now accessible in all Azure regions.

Zone Redundant Storage for Azure Disks in More Regions

Microsoft has announced the general availability of Zone Redundant Storage (ZRS) for Azure Disk Storage on Azure Premium SSDs and Standard SSDs in the Norway East and UAE North regions. Disks with ZRS offer synchronous replication of data across three availability zones within a region. This ensures that the disks can withstand zonal failures without disrupting the associated applications. The feature not only enhances the resilience of disks against zonal failures but also eliminates the need for application-level replication of data across zones. Furthermore, ZRS can be combined with shared disks to provide even higher availability for clustered or distributed applications, including SQL FCI, SAP ASCS/SCS, and GFS2.

Conclusion

Over the past two weeks, Microsoft has introduced a slew of updates and announcements pertaining to Azure Infrastructure as a Service (IaaS) and Azure Stack. These developments underscore the tech giant’s unwavering commitment to enhancing its cloud offerings and adapting to the ever-evolving needs of businesses and developers. Users of Azure can anticipate improved functionalities, streamlined services, and enriched features as a result of these changes. Stay tuned for more insights as I continue to monitor and report on Azure’s progression in the cloud sphere.

This blog post series highlights the key announcements and major updates related to Azure Infrastructure as a Service (IaaS) and Azure Stack, as officially released by Microsoft in the past two weeks.

Azure

General

Microsoft Azure Now Available from New Cloud Region in Italy

Microsoft Azure has officially reached General Availability in a new cloud region in Italy. This expansion of Azure’s global presence brings its cloud services closer to businesses and organizations in Italy, enabling them to benefit from Azure’s comprehensive suite of services for their digital transformation initiatives. With this new cloud region, customers in Italy can now take advantage of low-latency, high-performance computing and networking capabilities offered by Azure, while complying with local data residency requirements and ensuring data sovereignty.

Networking

Default outbound access for VMs in Azure will be retired: Transition to a new method of internet access

Azure is retiring the default outbound access for virtual machines (VMs) and recommends transitioning to a new method of internet access. This change is part of Azure’s ongoing commitment to improve the security and performance of its services. Customers are advised to review the documentation and make necessary changes to ensure uninterrupted outbound connectivity for their VMs.

Domain Fronting update on Azure Front Door and Azure CDN

Azure has announced the general availability of the domain fronting update on Azure Front Door and Azure CDN. This update enhances the security and performance of the services. Domain fronting is a technique used to obfuscate the destination of HTTPS traffic. With this update, Azure aims to provide better security and improved performance for its users. The update ensures that the services are more resilient and can handle traffic more efficiently.

Gateway Load Balancer IPv6 support

Azure Gateway Load Balancer now supports IPv6, which allows you to build, deploy, and scale applications that use IPv6 addresses. This enhancement provides a consistent frontend IP for virtual appliances, ensuring that traffic is distributed evenly across multiple instances. With this update, Azure continues to expand its IPv6 capabilities, enabling you to meet the requirements of your IPv6-enabled applications.

Storage

Zone-redundant storage for Azure Disks is now available in more regions

Zone-redundant storage (ZRS) for Azure Disks is now available in more regions. ZRS replicates your data in availability zones, ensuring data resilience and protection against zone failures. This update provides a higher level of resilience for your critical applications and ensures that they remain operational even if one of the availability zones fails.

Customer-Managed Keys for Azure NetApp Files Volume Encryption is Now Available in US Gov Regions (preview)

Azure is excited to announce the availability of Customer-Managed Keys for Azure NetApp Files Volume Encryption in the US Gov Regions, now in public preview. This new feature empowers Azure customers in government sectors to have greater control over their data security and encryption keys when using Azure NetApp Files. With Customer-Managed Keys, customers can manage their own encryption keys using Azure Key Vault, ensuring a higher level of data security and compliance with specific regulatory requirements. This preview provides an opportunity for customers in government regions to evaluate and test this feature before its general availability.

Azure Stack

Azure Stack HCI

Premier Solutions for Azure Stack HCI

The introduction of Premier Solutions for Azure Stack HCI represents a significant leap forward in Azure’s offerings for customers seeking enhanced operational efficiency, rapid deployment, and flexible procurement options. This innovative category of products has been developed in close collaboration with industry leaders like Dell Technologies and Lenovo, resulting in a seamless and comprehensive edge infrastructure solution.

Key Benefits of Premier Solutions for Azure Stack HCI:

• Improved Operational Experience: Premier Solutions are designed to streamline and enhance the operational experience for Azure Stack HCI users. By leveraging the expertise and technology of Azure, customers can expect greater reliability, scalability, and ease of management, ensuring that their infrastructure runs smoothly without interruptions.
• Faster Time to Value: With Premier Solutions, customers can deploy Azure Stack HCI more quickly and efficiently. The integration of hardware, software, and cloud services simplifies the setup process, reducing the time and effort required to get the system up and running. This means organizations can start realizing the benefits of their HCI infrastructure sooner.
• Greater Flexibility with as-a-Service Procurement: Premier Solutions offer flexible procurement options, aligning with the as-a-service model that is becoming increasingly popular in the IT industry. This allows organizations to scale their infrastructure as needed, optimizing costs and resources while ensuring they have access to the latest technologies and features.
• Deep Integration: The collaboration with leading partners, including Dell Technologies and Lenovo, ensures a high level of integration between hardware and software components. This deep integration results in a more cohesive and efficient HCI solution, delivering improved performance and reliability.
• Seamless Connectivity: Premier Solutions enable seamless connectivity between on-premises infrastructure and the Azure cloud. This connectivity ensures that organizations can leverage the full power of Azure services while maintaining control over their data and resources.

Conclusion

Over the past two weeks, Microsoft has introduced a slew of updates and announcements pertaining to Azure Infrastructure as a Service (IaaS) and Azure Stack. These developments underscore the tech giant’s unwavering commitment to enhancing its cloud offerings and adapting to the ever-evolving needs of businesses and developers. Users of Azure can anticipate improved functionalities, streamlined services, and enriched features as a result of these changes. Stay tuned for more insights as I continue to monitor and report on Azure’s progression in the cloud sphere.

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Latest generation burstable VMs – Bsv2, Basv2, and Bpsv2

The Bsv2, Basv2, and Bpsv2 series virtual machines represent the latest generation of Azure burstable general-purpose VMs. These VMs provide a baseline level of CPU utilization and can expand to higher CPU utilization as workload volume increases. They are ideal for various applications, including development and test servers, low-traffic web servers, small databases, microservices, proof-of-concept servers, build servers, and code repositories. Compared to the B series v1, these new B series v2 virtual machines offer up to 15% better price-performance, up to 5X higher network bandwidth with accelerated networking, and 10X higher remote storage throughput.

Networking

Sensitive Data Protection for Application Gateway Web Application Firewall

Azure’s regional Web Application Firewall (WAF) running on Application Gateway has introduced support for sensitive data protection through log scrubbing. When a request aligns with the criteria of a rule and activates a WAF action, the event is documented within the WAF logs. These logs are maintained as plain text for easier debugging. However, this means that any patterns matching sensitive customer data, such as IP addresses, passwords, and other personally identifiable information, could potentially be recorded in the logs as plain text. To enhance the security of this sensitive data, users can now establish log scrubbing rules that substitute the sensitive data with “******”. The sensitive data protection feature using log scrubbing facilitates the creation of rules using various variables, including Request Header Names, Request Cookie Names, Request Arg Names, Request Post Arg Names, Request JSON Arg Names, and Request IP Address.

Azure Front Door Standard and Premium support Bring Your Own Certificates (BYOC) based domain ownership validation (preview)

Azure Front Door Standard and Premium now support Bring Your Own Certificates (BYOC) based domain ownership validation. With this feature, Azure Front Door can automatically approve domain ownership if the Certificate Name (CN) or Subject Alternative Name (SAN) of the provided certificate matches the custom domain. This reduces the steps and efforts required to prove domain ownership, streamlining the Dev-Ops experience. For domains created before this feature’s support and whose validation status is not yet approved, users will need to trigger the auto-approval of domain ownership validation manually.

Storage

Azure Premium SSD v2 Disk Storage now available in multiple regions

Azure Premium SSD v2 Disk Storage is now generally available in the Australia East, France Central, Norway East, and UAE North regions. This expansion offers customers in these regions the opportunity to leverage the benefits of Azure Premium SSD v2 Disk Storage for their workloads. Azure Premium SSD v2 Disk Storage provides high-performance and low-latency disk support for virtual machines running I/O-intensive workloads. By utilizing this storage solution, users can expect consistent performance, enhanced durability, and availability.

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Trusted launch as default for VMs deployed through the Azure portal

Azure has introduced “Trusted launch” as a default feature for virtual machines deployed through the Azure portal. Trusted launch hardens Azure virtual machines with security features, ensuring that administrators deploy VMs with verified and signed bootloaders, OS kernels, and a boot policy. The feature encompasses secure boot, vTPM, and boot integrity monitoring, offering protection against boot kits, rootkits, and kernel-level malware. Secure Boot ensures that only signed OSes and drivers boot, while the Virtual TPM (vTPM) safeguards keys, certificates, and secrets within the virtual machine. Additionally, Boot integrity monitoring, in conjunction with Microsoft Azure Attestation and Azure Security Center, provides integrity alerts, recommendations, and remediation actions if remote attestation fails.

Networking

Azure Firewall Single-Click Upgrade and Downgrade Now in General Availability

Azure has introduced a new capability for its Firewall service, allowing users to seamlessly upgrade from the Standard SKU to the Premium SKU, and vice versa. This enhancement simplifies the upgrade and downgrade process, ensuring that users can make these changes without any service interruptions. With just a single click, Azure customers can now easily transition between the two firewall versions. This feature is especially beneficial for those looking to leverage the advanced functionalities of the Premium SKU or revert to the Standard SKU based on their requirements. The Azure Firewall Single-Click Upgrade and Downgrade feature was officially made available on August 31, 2023.

Azure Container Apps support for UDR, NAT Gateway, and smaller subnets

Azure has announced the general availability of Azure Container Apps support for User Defined Routes (UDR), NAT Gateway, and smaller subnets. This enhancement provides users with more flexibility and control over their networking configurations, allowing for more customized and optimized network setups. Azure Container Apps is a fully managed platform for building and running microservices and APIs. With this update, users can now leverage UDR to define custom routes, utilize NAT Gateway for outbound connectivity, and deploy in smaller subnets for more granular network segmentation.

Azure Firewall: Explicit Proxy (preview)

Microsoft Azure has recently introduced a public preview of the Azure Firewall Explicit Proxy. This new feature is designed to enhance the security and performance of Azure’s firewall services. As it is currently in public preview, users can explore its functionalities and provide feedback to help improve the service before its general release. For more details and to stay updated on further developments, you can visit the official announcement page.

Azure Firewall: Auto-Learn SNAT Routes Feature Now in Public Preview (preview)

Azure has introduced a new feature in public preview, named “Auto-Learn SNAT Routes”, promising to simplify and expedite network configurations. This feature allows the Azure Firewall to automatically learn address ranges and configure them to be excluded from SNAT, thereby reducing the time and complexity spent on manually defining private SNAT ranges. To utilize this feature, the Azure Route Server needs to be deployed in the same virtual network as the Azure Firewall. Released on August 31, 2023, this feature promises to be a valuable tool for network administrators seeking to optimize their processes. For more information, you can visit the official page.

Storage

Azure Premium SSD v2 Disk Storage Now Available in Select Regions

Microsoft has announced the general availability of Azure Premium SSD v2 Disk Storage in several regions, including Australia East, France Central, Norway East, and UAE North. This new offering promises to deliver high-quality storage performance while ensuring security and reliability. Users in these regions can now benefit from the advanced storage features offered by Azure, helping to enhance the efficiency and resilience of their systems. For further details, you can visit the official page.

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Azure Mv3 Medium Memory (MM) Virtual Machines (preview)

Microsoft announced the public preview of the next generation Mv3 Medium Memory (MM) virtual machine series. These virtual machines are designed to offer improved performance and higher reliability compared to their predecessors. Some of the key features of the new Mv3 MM VMs include:

• Powered by the 4th Generation Intel® Xeon® Scalable Processor and DDR5 DRAM technology.
• Capability to scale for SAP workloads ranging from 250GB to 4TB, ensuring faster performance and a lower total cost of ownership (TCO).
• With Azure Boost, the Mv3 MM VMs deliver approximately a 25% improvement in network throughput and up to a 1.5X boost in remote storage throughput compared to the previous M-series families.
• Azure Boost’s isolated architecture enhances security for the Mv3 MM virtual machines by processing storage and networking separately on dedicated hardware, rather than on the host server.
• Enhanced resilience against failures in memory, disks, and networking, leveraging insights from previous generations.
• Availability in both disk and diskless configurations, providing customers with the flexibility to select the option that best suits their workload requirements.

For a more detailed exploration of this release, you can read their blog.

Networking

New Monitoring and Logging Updates in Azure Firewall

New Monitoring and Logging Updates in Azure Firewall are available:

• Structured Logs: new logging format that provides a more detailed view of firewall events. Structured Logs provide the following benefits: they are easier to work with data in log queries and help discover schemas; they improves performance and reduce latency; they allow ability to grant Azure RBAC rights on specific tables.
• Latency Probe: The Latency Probe metric is designed to measure the overall latency of Azure Firewall and provide insight into the health of the service.
• Resource Health (preview): monitor that provides visibility into Azure Firewall health status and allows you to address service problems that may affect your Azure Firewall resource.
• Embedded Firewall Workbooks (preview): Integrated workbooks into the Azure Firewall Portal that provide valuable insights and statistics regarding your firewall activities and events.

Illumio for Microsoft Azure Firewall

Illumio has joined forces with Microsoft to introduce microsegmentation support for Microsoft Azure Firewall, which is now generally available. This collaboration allows Azure customers to enforce Zero Trust Segmentation, going beyond mere network and application filtering. The integration aids firewall operations teams in understanding rules with a richer context of the resources they are safeguarding. With this enriched context, administrators can effortlessly identify which resource is secured by a particular rule, determine its owner, and confidently manage the rule’s lifecycle.

For a more detailed exploration of this integration and its benefits, you can learn more here.

Quick create Azure Front Door endpoints for Azure Storage accounts

You can now create Azure Front Door Standard and Azure Front Door Premium endpoints directly from the Azure portal, similar to any other Azure CDN endpoint. This integration facilitates the management of all Azure Front Door and/or Azure CDN profiles linked to a storage account from a unified interface. Setting up a new Azure Front Door Service and endpoint for a storage account is straightforward. Users can simply browse to their storage account in the Azure portal and navigate to the Front Door and CDN profiles section. From this location, it’s possible to establish new endpoints, swiftly access the endpoint profiles, manage custom domains for the endpoints, and activate security features such as the Web Application Firewall and/or Private Link. For a more detailed understanding, you can read the documentation.

Azure Front Door Standard/Premium in Azure Government

Azure Front Door (AFD) Standard and Premium tier is now generally available in Azure Government, specifically in the regions of Arizona and Texas. With this release, Local Government (US) customers and their partners can leverage the new and enhanced capabilities offered in the standard and premium tiers. Some of these capabilities include improved reporting and diagnostic tools, an expanded rules engine with server variables, an enhanced Web Application Firewall with features like the latest DRS rule set, Bot protection, and more. The integration with Microsoft Sentinel Analytics and other security features such as Private Link connectivity and subdomain takeover prevention further enhance the offering. However, it’s important to note that the managed certificate for enabling HTTPS is currently not supported in Azure Government, and users are advised to utilize their own certificates.

Rate-limit rules for Application Gateway Web Application Firewall (preview)

Azure’s regional Web Application Firewall (WAF) running on Application Gateway has introduced support for rate-limit custom rules. These rules are designed to detect and block unusually high traffic levels aimed at your application. By implementing rate limiting, users can counteract various denial-of-service attacks, safeguard against clients that might have been mistakenly set up to send a large number of requests in a brief period, and manage traffic rates to their site from specific regions.

For more details, you can learn more here.

Storage

Incremental Snapshots for Premium SSD v2 Disk and Ultra Disk Storage

Azure has announced the general availability of incremental snapshots support for Premium SSD v2 and Ultra Disk. This feature comes with an instant restore capability and is available in all regions where Premium SSD v2 and Ultra Disk are supported. With this update, users can instantly restore Premium SSD v2 and Ultra Disks from snapshots and attach them to a running VM without waiting for any background data copy. This new capability allows immediate read and write access to disks after their creation from snapshots. This ensures a quick recovery of data from accidental deletions or disasters.

For more information and a deeper understanding of this feature, you can refer to the documentation.

Custom NFSv4.1 ID domain in Azure NetApp Files (preview)

Azure NetApp Files now supports custom NFSv4.1 ID domains in public preview. This feature allows users to customize the NFSv4.1 ID domain for their volume, ensuring a seamless migration of NFSv4.1 workloads to Azure NetApp Files. This enhancement provides flexibility and aids in the migration of workloads without the need to modify the client configuration.

Azure NetApp Files Cloud Backup for Virtual Machines (preview)

Azure NetApp Files introduces Cloud Backup for Virtual Machines in public preview. This feature provides an integrated, native backup solution for Azure Virtual Machines, ensuring data protection and business continuity. With Cloud Backup for Virtual Machines, you can now create VM consistent snapshot backups of VMs on Azure NetApp Files datastores. The associated virtual appliance installs in the Azure VMware Solution cluster and provides policy based automated and consistent backup of VMs integrated with Azure NetApp Files snapshot technology for fast backups and restores of VMs, groups of VMs (organized in resource groups) or complete datastores lowering RTO, RPO, and improving total cost of ownership.

Azure Elastic SAN Updates: Private Endpoints & Shared Volumes (preview)

As Azure approaches the general availability of Azure Elastic SAN, they have been continuously enhancing the service and introducing new features based on feedback from Azure customers. Recently, they have released support for private endpoints and volume sharing via SCSI (Small Computer System Interface) Persistent Reservation.

With the introduction of private endpoint support, users can now access Elastic SAN volumes either through private endpoints or via public endpoints that are restricted to specific virtual network subnets. This update is crucial for those who need the added layer of security that private endpoints provide. Additionally, the shared volume support allows users to connect and utilize an Elastic SAN volume from multiple compute clients, such as virtual machines. This is done while using SCSI reservation commands to select from various supported access modes to read or write to the volume. Furthermore, persistent reservations are supported, ensuring uninterrupted access to data even across reboots.

For a deeper understanding and more details on these features, you can read the blog and refer to the documentation about Azure Elastic SAN.

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Networking

Cloud Next-Generation Firewall (NGFW) by Palo Alto Networks – an Azure Native ISV Service

Cloud NGFW by Palo Alto Networks is the first ISV next-generation firewall service natively integrated in Azure. Developed through a collaboration between Microsoft and Palo Alto Networks, this service delivers the cutting-edge security features of Palo Alto Network’s NGFW technology while also offering the simplicity and convenience of cloud-native scaling and management.
NGFWs provide superior network security by offering enhanced capabilities compared to traditional firewalls. These include deep packet inspection, advanced visibility and control features, and the use of AI to improve threat detection and response. The service is now more broadly available in the following 12 regions: US (Central, East, East 2, West, West 3), Australia (East, Southeast), UK (South, West), Canada Central, East Asia and West Europe.

Route Server hub routing preference (preview)

Azure Route Server now supports hub routing preference in public preview. When branch-to-branch is enabled and Route Server learns multiple routes across site-to-site (S2S) VPN, ExpressRoute, and SD-WAN NVAs, for the same on-premises destination route prefix, users can now configure connection preferences to influence Route Server route selection.

Support for new custom error pages in Application Gateway (preview)

In addition to the response codes 403 and 502, the Azure Application Gateway now lets you configure company-branded error pages for more response codes: 400, 405, 408, 500, 503, and 504. You can configure these error pages at a global level to apply to all the listeners on your gateway or individually for each listener. The custom error pages you set are displayed to the clients when the Application Gateway generates these response codes. You can host these error page files at any publicly accessible URLs.

Storage

Azure NetApp Files: SMB Continuous Availability (CA) shares

To enhance resiliency during storage service maintenance operations, SMB volumes used by Citrix App Layering, FSLogix user profile containers and Microsoft SQL Server on Microsoft Windows Server can be enabled with Continuous Availability. Continuous Availability enables SMB Transparent Failover to eliminate disruptions as a result of service maintenance events and improves reliability and user experience. This feature is now Generally Available. It can be enabled on new or existing SMB volumes.

Zone Redundant Storage for Azure Disks is now available in East Asia

Zone Redundant Storage (ZRS) for Azure Disk Storage is now generally available on Azure Premium SSDs and Standard SSDs in East Asia region.

Azure Blob Storage Cold Tier

Azure Blob Storage Cold Tier is now generally available. It is a new online access tier that is the most cost-effective Azure Blob offering for storing infrequently accessed data with long-term retention requirements, while providing instant access. Azure Blob Storage is optimized for storing massive amounts of unstructured data. With blob access tiers, you can store your data most cost-effectively based on how frequently it will be accessed and how long it will be retained. The pricing of the cold tier storage option lies between the cool and archive tiers, and it follows a 90-day early deletion policy. You can seamlessly utilize the cold tier in the same way as the hot and cool tiers, through REST API, SDKs, tools, and lifecycle management policies.

Azure Premium SSD v2 Disk Storage is available in more regions

Azure Premium SSD v2 Disk Storage is now available in Brazil South, East Asia and Central India regions. This next-generation storage solution offers advanced general-purpose block storage with the best price performance, delivering sub-millisecond disk latencies for demanding IO-intensive workloads at a low cost. It is well-suited for a wide range of enterprise production workloads, including SQL Server, Oracle, MariaDB, SAP, Cassandra, MongoDB, big data analytics, gaming on virtual machines, and stateful containers.

Azure Storage Mover support for SMB and Azure Files (preview)

Azure Storage Mover can now migrate your SMB shares to Azure file shares. Storage Mover is a fully managed migration service that enables you to migrate on-premises files and folders to Azure Storage while minimizing downtime for your workload. Besides the existing general available capability to migrate from an on-premises NFS share to an Azure blob container, Storage Mover will support many additional source and target combinations in the near future.

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Azure Boost (preview)

Azure Boost is one of Microsoft Azure’s latest infrastructure innovations. Azure Boost is a new system that offloads virtualization processes traditionally performed by the hypervisor and host OS onto purpose-built hardware and software, such as networking, storage, and host management. By separating hypervisor and host OS functions from the host infrastructure, Azure Boost enables greater network and storage performance at scale, improves security by adding another layer of logical isolation, and reduces the maintenance impact for future Azure software and hardware upgrades.
This innovation enables Azure customers participating in the preview to achieve a 200 Gbps networking throughput and a leading remote storage throughput up to 10 GBps and 400K IOPS, enabling the fastest storage workloads available today.
Azure Boost allows preview users to achieve this performance through access to experimental SKUs. This preview will be important for many customers and partners to integrate critical components of Azure Boost into their current VM solutions, ensuring smooth operation on this new system in the future.
Azure Boost has been providing benefits to millions of existing Azure VMs in production today, such as enabling the exceptional remote storage performance of the Ebsv5 VM series and networking throughput and latency improvements for the entire Ev5 and Dv5 VM series. Azure Boost will continue to innovate and provide benefits for Azure infrastructure users going forward.

The Classic VMs retirement deadline is now September 6, 2023

The deadline to migrate your Iaas VMs from Azure Service Manager to Azure Resource Manager is now September 6, 2023. To avoid service disruption, we recommend that you complete your migration as soon as possible. Microsoft will not provides any additional extenstions after September 6, 2023.

Networking

Updated default TLS policy for Azure Application Gateway

Microsoft has updated the default TLS configuration for new deployments of the Application Gateway to Predefined AppGwSslPolicy20220101 policy to improve the default security. This recently introduced, generally available, predefined policy ensures better security with minimum TLS version 1.2 (up to TLS v1.3) and stronger cipher suites.

Always Serve for Azure Traffic Manager

Always Serve for Azure Traffic Manager (ATM) is now generally available. You can disable endpoint health checks from an ATM profile and always serve traffic to that given endpoint. You can also now choose to use 3rd party health check tools to determine endpoint health, and ATM native health checks can be disabled, allowing flexible health check setups.

Azure Application Gateway for Containers (preview)

Azure Application Gateway for Containers is a new SKU to the Application Gateway family. Application Gateway for Containers is the next evolution of Application Gateway + Application Gateway Ingress Controller (AGIC), providing application (layer 7) load balancing and dynamic traffic management capabilities for workloads running in a Kubernetes cluster.

Application Gateway for Containers introduces the following improvements over AGIC:

• Performance: Achieve near-to-real-time convergence times to reflect add/remove of pods, routes, probes, and other load balancing configuration within Kubernetes yaml configuration.
• Scale: push boundaries past current AGIC limits, exceeding 1400 backend pods and 100 listeners with Application Gateway for Containers.
• Deployment: enable a familiar deployment of ARM resources via ARM, PowerShell, CLI, Bicep, and Terraform or define all configuration within Kubernetes and have Application Gateway for Containers manage the rest in Azure.
• Gateway API support: the next evolution in defining Kubernetes service networking through expressive, extensible, and role-oriented interfaces.
• Weighted / Split traffic distribution: enable blue-green deployment strategies and active / active or active / passive routing.

Network observability add-on for AKS (preview)

The new network observability add-on for AKS, now in public preview, provides complete observability into the network health and connectivity of your AKS cluster.

Key benefits:

• Get access to cluster level network metrics like packet drops, connections stats and more.
• (GA) Access to pod-level metrics and network debuggability features.
• Support for all Azure CNIs – AzureCNI and AzureCNI (Powered by Cilium).
• Support for all AKS node types – Linux and Windows.
• Easy deployment using native Azure tools – AKS CLI, ARM templates, PowerShell, etc.
• Seamless integration with the Azure managed Prometheus and Azure-managed Grafana offerings.

Azure Stack

General Availability of Remote Support for Azure Stack systems

Support requests for Azure Stack systems have always been managed through the Azure Portal and covered under your Azure support plan. The next big step is the remote support for all Azure Stack systems.

With remote support, you can temporarily grant Microsoft Support engineers constrained access to your on-premises edge devices to gather logs and fix issues. By default, remote support is off. It’s easy to turn on and off, when needed. After creating an Azure support request, it’s recommended to grant remote support access to enable Microsoft Support to resolve the issue as soon as possible. This takes just a few minutes in only a few steps. Once the support request is closed, you can just as easily turn off remote support access

Remote support for Azure Stack systems provides benefits to both customers and Microsoft Support:

• Improved time to resolution: eliminate the back-and-forth hassle of scheduling a call and gathering logs yourself.
• Safe and secure: you can grant just-in-time (JIT) authenticated access and define the access level and duration for each incident. You can revoke access anytime.
• Audited troubleshooting: Microsoft Support can only run Just Enough Administration (JEA) approved commands and everything they do is recorded for you to audit.
• Free: Remote support is included in your Azure subscription at no additional cost. You can get remote support for both unregistered and registered Azure Stack HCI systems.

Version availability:

• For Azure Stack Hub, remote support is available for version 2108 and later.
• For Azure Stack Edge, remote support is available for version 2110 and later.
• For Azure Stack HCI, remote support is available for version 22H2 and later.

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Latest generation burstable VMs – Bsv2, Basv2, and Bpsv2 (preview)

The Bsv2, Basv2, and Bpsv2 series virtual machines are the latest generation of Azure burstable general purpose VMs, providing a baseline level of CPU utilization and capable of expanding to higher CPU utilization as workload volume increases. This is ideal for many applications such as development and test servers, low traffic web servers, small databases, micro services, servers for proof-of-concepts, build servers, and code repositories. These new B series v2 virtual machines, compared to B series v1, offer up to >15% better price-performance, up to 5X higher network bandwidth with accelerated networking and 10X higher remote storage throughput.

Azure Dedicated Host – Resize (preview)

With Azure Dedicated Host’s new ‘resize’ feature, you can easily move your existing dedicated host to a new Azure Dedicated Host SKU (e.g., from Dsv3-Type1 to Dsv3-Type4). This new ‘resize’ feature minimizes the impact and effort involved in configuring VMs when you want to upgrade your underlying dedicated host system.

Networking

Azure’s cross-region Load Balancer is now generally available

Azure Load Balancer’s Global tier is a cloud-native global network load balancing solution. With cross-region Load Balancer, you can distribute traffic across multiple Azure regions with ultra-low latency and high performance. Azure cross-region Load Balancer provides customers a static globally anycast IP address. Through this global IP address, you can easily add or remove regional deployments without interruption.

ExpressRoute private peering support for BGP communities

ExpressRoute private peering now supports the use of custom Border Gateway Protocol (BGP) communities with virtual networks connected to your ExpressRoute circuits. Once you configure a custom BGP community for your virtual network, you can view the regional and custom community values on outbound traffic sent over ExpressRoute when originating from that virtual network. These values can be used when applying filters or specifying routing preferences for traffic sent to your on-premises from your Azure environment.

Azure Virtual Network encryption

With Virtual Network encryption, customers can enable encryption of traffic between Virtual Machines and Virtual Machines Scale Sets within the same virtual network and between regionally and globally peered virtual networks. This new feature enhances the existing encryption in transit capabilities in Azure.

Sensitive Data Protection for Application Gateway Web Application Firewall logs (preview)

Azure’s regional Web Application Firewall (WAF) running on Application Gateway now supports sensitive data protection through log scrubbing. When a request matches the criteria of a rule, and triggers a WAF action, that event is captured within the WAF logs. WAF logs are stored as plain text for debuggability, and any matching patterns with sensitive customer data like IP address, passwords, and other personally identifiable information could potentially end up in logs as plain text. To help safeguard this sensitive data, you can now create log scrubbing rules that replace the sensitive data with “******”.

Storage

Azure Managed Lustre now generally available

Azure Managed Lustre is a managed file system, designed specifically for HPC and AI workloads on a pay-as-you-go model. It delivers high-performance distributed parallel file system with hundreds of GBps storage bandwidth and solid-state disk latency. The system fully integrates with Azure services such as Azure HPC Compute, Azure Kubernetes Service, and Azure Machine Learning.

Key benefits include:

• a customizable Lustre file system that can be deployed on demand in minutes;
• the high throughput needed for computationally intensive workloads;
• easy integration with other Azure services;
• managed pay-as-you-go model that allows organizations to save costs on maintenance and infrastructure setup.

Azure Premium SSD v2 Disk Storage is now available in more regions

Azure Premium SSD v2 Disk Storage is now available in Switzerland North, Japan East, Korea Central, South Africa North, Sweden Central, Canada Central and Central US regions. This next-generation storage solution offers advanced general-purpose block storage with the best price performance, delivering sub-millisecond disk latencies for demanding IO-intensive workloads at a low cost. It is well-suited for a wide range of enterprise production workloads, including SQL Server, Oracle, MariaDB, SAP, Cassandra, MongoDB, big data analytics, gaming on virtual machines, and stateful containers.

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Azure HBv4 and HX Series VMs for HPC

Azure HBv4 and HX-series Virtual Machines (VMs) are now generally available. With the general availability, Microsoft is offering customers the first VMs featuring the latest 4th Gen AMD EPYC™ processors with AMD 3D V-Cache™ technology (codename ‘Genoa-X’), paired with 400 Gigabit NVIDIA Quantum-2 InfiniBand. Azure HBv4 and HX-series VMs offer leadership levels of performance, scaling efficiency, and cost-effectiveness for a variety of HPC workloads such as computational fluid dynamics (CFD), financial services calculations, finite element analysis (FEA), geoscience simulations, weather simulation, rendering, quantum chemistry, and silicon design.

Networking

Azure Application Gateway: using a common port for public and private listeners (preview)

Azure Application Gateway now supports configuring the same port number for public and private listeners in preview. You no longer need to use non-standard ports or customize the backend application. This provision enables you to use a single Application Gateway deployment and easily configure it to serve traffic for both internet-facing and internal clients.

Default Rule Set 2.1 for Regional WAF with Application Gateway (preview)

Announcing the preview of the Default Rule Set 2.1 (DRS 2.1) for regional WAF on Azure Application Gateway. The default rule set is now available on the Azure Application Gateway WAF V2 SKU. DRS 2.1 is baselined off the Open Web Application Security Project (OWASP) Core Rule Set (CRS) 3.3.2 and extended to include additional proprietary protections rules developed by Microsoft Threat Intelligence team. The Microsoft Threat Intel team analyzes Common Vulnerabilities and Exposures (CVEs) and adapts the CRS ruleset to address CVE and reduce false positives.

Storage

Azure Premium SSD v2 Disk Storage in Southeast Asia, UK South, South Central US and West US 3

Azure Premium SSD v2 Disk Storage is now available in Southeast Asia, UK South, South Central US and West US 3 regions. This next-generation storage solution offers advanced general-purpose block storage with the best price performance, delivering sub-millisecond disk latencies for demanding IO-intensive workloads at a low cost. It is well-suited for a wide range of enterprise production workloads, including SQL Server, Oracle, MariaDB, SAP, Cassandra, MongoDB, big data analytics, gaming on virtual machines, and stateful containers.

Azure NetApp Files double encryption at-rest (preview)

Azure NetApp Files double encryption at-rest feature now provides multiple independent encryption layers, protecting against attacks to any single encryption layer. Threats are diminished to the encrypted data, for example:
– Single encryption key being compromised
– Encryption algorithms with implementation errors
– Data encryption configuration errors

This feature is currently available in West Europe, East US 2, East Asia regions and will roll out to other regions as the preview progresses.

Azure Elastic SAN Public Preview improvements

Azure Elastic SAN is currently in preview and several improvements have been made to the service. These include expanded regional availability, simplified multi-session connectivity for optimized volume performance, and native integration with Azure Container Storage (in preview). Azure Container Storage leverages Azure Elastic SAN as the backing storage resource to optimize price versus performance through dynamic resource sharing. Microsoft has also made it easier to migrate to Azure Elastic SAN and other block storage offerings like Premium SSD V2 and Ultra Disk, by including them in the Storage Migration Program.