Category Archives: Cloud

Azure management services and System Center: What's New in March 2020

In March Microsoft announced several updates to the Azure management services and System Center. This monthly summary lists the major announcements, with the references needed to explore them further.

Azure Monitor

Azure Security Center integration

Azure Security Center (ASC) is now integrated with Azure Monitor: ASC can continuously export its alerts and recommendations to a Log Analytics workspace. With this feature you can configure Azure Monitor alert rules on the recommendations and alerts exported from Security Center and attach action groups to them, enabling the automation scenarios supported by Azure Monitor.

Service availability Azure Monitor for VMs

Azure Monitor for VMs, the Azure Monitor service that monitors virtual machines, has been released. It analyzes the performance data and health of virtual machines, monitors the installed processes and maps their dependencies.

The Azure Monitor for VMs service is divided into three perspectives:

  • Health: the logical components running on the virtual machines are evaluated against pre-configured criteria, generating alerts when certain conditions are met.
  • Performance: shows a summary of the performance data collected from the guest operating system.
  • Map: generates a map of the interconnections between components that reside on different systems.

This solution can be used on Windows and Linux virtual machines, regardless of the environment in which they reside (Azure, on-premises or at other cloud providers).

New agent version for Windows and Linux systems

This month a new version of the Log Analytics agent was released for both Windows and Linux systems. Both versions introduce several improvements and increased stability.

SHA-2 signing for the Log Analytics agent

The Log Analytics agent for Windows will enforce SHA-2 code signing starting 18 May 2020. This change requires action if you run the agent on a legacy version of the operating system (Windows 7, Windows Server 2008 R2 or Windows Server 2008): apply the latest updates and patches to these systems before 18 May 2020, otherwise their agents will stop sending data to Log Analytics workspaces. The following Azure services are affected by this change: Azure Monitor, Azure Automation, Azure Update Management, Azure Change Tracking, Azure Security Center, Azure Sentinel and Windows Defender ATP.

Azure Site Recovery

New Update Rollup

Update Rollup 45 was released for Azure Site Recovery; it fixes several issues and introduces some improvements. The details and the installation procedure can be found in the specific KB.

Azure Backup

Azure Backup Report

Azure Backup has announced the release of Azure Backup Report. It is a tool available in the Azure portal that provides reports answering many questions about backups, including: “Which backup items consume the most storage space?”, “Which machines have consistently shown abnormal backup behaviour?”, “What are the main causes of backup job failures?”. Reports provide cross-sectional information across workload types, vaults, subscriptions, regions and tenants. Azure Backup also adds support for Windows Server 2008, facilitating the migration of on-premises Windows Server 2008 systems to Azure, where they continue to receive security patches.

Azure Automation

Availability in new regions

Azure Automation is now available in preview in the US Gov Arizona region.

Evaluation of Azure and System Center

To evaluate the services provided by Azure for free you can access this page, while to try the various System Center components you must access the Evaluation Center and, after registering, start the trial period.

Azure IaaS and Azure Stack: announcements and updates (March 2020 – Weeks: 11 and 12)

This series of blog posts covers the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack made official by Microsoft in the last two weeks.

Azure

Virtual Network NAT generally available

Azure Virtual Network NAT (Network Address Translation) simplifies outbound-only Internet connectivity for virtual networks. NAT can be configured for one or more subnets of a virtual network and provides on-demand connectivity for virtual machines.

Private Endpoints for Azure Storage are Generally Available

Private Endpoints provide secure connectivity to Azure Storage from an Azure virtual network (VNet). On-premises networks can also connect securely to a storage account through a private endpoint when they are connected to a VNet using ExpressRoute or VPN. Private Endpoints for Azure Storage are now generally available in all Azure public regions.
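A private endpoint only protects traffic if clients actually resolve the storage account's FQDN to the endpoint's private IP; when the privatelink DNS zone is missing or the client uses a different resolver, the name resolves to the public address and traffic takes the public path. The following check, an example added here and not code from the original post or from Microsoft, resolves the FQDN and verifies that every returned address falls inside the VNet ranges you pass in. The account name and address range in the usage are assumptions, and the resolver is injectable so the check can be exercised offline.

```python
import ipaddress
import socket


def resolve_ipv4(hostname):
    """Default resolver: the IPv4 addresses the local DNS configuration returns for hostname."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def check_private_endpoint(hostname, vnet_cidrs, resolver=resolve_ipv4):
    """Verify that hostname resolves only to addresses inside the given VNet ranges.

    Returns (ok, private_addresses, public_addresses). Any address outside the
    ranges means the client would reach the service over its public endpoint and
    bypass the private endpoint (typically a missing privatelink DNS zone or a
    client that does not use the VNet's DNS). No addresses at all is also a failure.
    """
    networks = [ipaddress.ip_network(cidr) for cidr in vnet_cidrs]
    private, public = [], []
    for addr in resolver(hostname):
        ip = ipaddress.ip_address(addr)
        (private if any(ip in net for net in networks) else public).append(addr)
    return (len(public) == 0 and len(private) > 0, private, public)


if __name__ == "__main__":
    # Assumed storage account name and VNet address range; replace with your own.
    ok, private, public = check_private_endpoint("contoso.blob.core.windows.net", ["10.10.0.0/16"])
    print("private endpoint in use" if ok else f"public path in use: {public}")
```

Run it from a VM inside the VNet (and from an on-premises host over the VPN or ExpressRoute path) after creating the endpoint; a public address in the result is the signal to fix DNS before relying on the storage account's firewall to block public access.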

Azure Web Application Firewall integration with Azure Content Delivery Network service in preview

Azure Web Application Firewall protects your web applications from malicious attacks. In addition to Azure Application Gateway and Azure Front Door, Web Application Firewall is now natively integrated with Azure Content Delivery Network, protecting CDN endpoints from common exploits such as SQL injection and cross-site scripting (XSS).

Private Link for different Azure services is available

Azure Private Link is now generally available (GA) for the below services:

  • Azure Storage
  • Azure Data Lake Storage Gen 2
  • Azure SQL Database
  • Azure Cosmos DB
  • Azure Synapse Analytics (SQL Data Warehouse)
  • Azure Key Vault
  • Azure Database for MySQL
  • Azure Database for PostgreSQL
  • Azure Database for MariaDB
  • Azure Kubernetes Service -> Kubernetes API

In addition, Private Link is now available in preview for the following services:

  • App Service
  • Azure Cognitive Search
  • Event Hub
  • Service Bus
  • Azure Relay
  • Azure Backup
  • Azure Container Registry
  • Event Grid -> Topics
  • Event Grid -> Domains

App Service regional Virtual Network integration

The regional Virtual Network integration feature is now generally available (GA) and supports sending all outbound calls into your virtual network, so you can apply network security groups (NSGs) and user-defined routes (UDRs) to all outbound traffic from your web app.

Azure Shared Disks for clustered applications in preview

Azure Shared Disks is a shared block storage offering, enabling customers to run latency-sensitive workloads without compromising on well-known deployment patterns for fast failover and high availability. Azure Shared Disks are best suited for clustered databases, parallel file systems, persistent containers, and machine learning applications. Azure Shared Disks provide a consistent experience for applications running on Windows or Linux based clusters today.

ACR built-in audit policies for Azure Policy in preview

Azure Container Registry now supports built-in audit policies for Azure Policy.

Preparing for TLS 1.2 in Microsoft Azure

Microsoft Azure recommends all customers complete migration towards solutions that support transport layer security (TLS) 1.2 and to make sure that TLS 1.2 is used by default.

Azure File Sync agent version 6.x will expire on April 21, 2020

On April 21, 2020, Azure File Sync agent version 6.x will be expired and stop syncing. If you have servers with agent version 6.x, update to a supported agent version (7.x or later).

Azure Storage: Append Blob immutability support is generally available

Store business-critical data objects in a non-erasable and non-modifiable state for a user-specified retention interval using immutable storage for Azure Blob storage. Append blobs allow the addition of new data blocks to the end of an object and are optimized for data append operations required by auditing and logging scenarios.

General availability of NVv4 and HBv2-Series virtual machines

General availability of NVv4 virtual machines in South Central US, East US, and West Europe regions. Additional regions are planned in the coming months. With NVv4, Azure is the first public cloud to offer GPU partitioning built on industry-standard SR-IOV technology. HBv2-series VMs for HPC are now available in the Azure West Europe region.

Azure Security: Best Practices to improve Security Posture

The increasing prevalence of cloud solutions and hybrid architectures requires adopting high security standards for your environment. But how do you achieve effective cloud security on Azure, and which best practices should you follow? This article summarizes the key practices to adopt in Azure to ensure a high level of security and improve your security posture.

MFA activation and restrictions for administrative access

For users with administrative rights, Multi-factor Authentication (MFA) should be enforced. In this regard it is worth evaluating passwordless authentication mechanisms, which replace the password with something you have combined with something you are or something you know.

Microsoft currently offers three distinct passwordless authentication scenarios:

Azure Active Directory lets you enable MFA mechanisms, including passwordless authentication. MFA based on text messages is easier to bypass, so it is better to use other MFA mechanisms or passwordless authentication.

Minimizing the number of people with administrative access to Azure resources, and the time for which they hold it, is a practice worth adopting because it reduces the chance of an attacker obtaining administrative access or of an authorized user inadvertently affecting a resource. To let authorized users perform administrative actions, you can grant just-in-time (JIT) privileged access to Azure and Azure AD resources with Azure Active Directory (Azure AD) Privileged Identity Management (PIM), which lets you manage, control and monitor access to company resources.

Another key aspect is the use of secure, isolated workstations for sensitive roles. This official Microsoft document provides more details.

Segmentation and adoption of the Zero Trust model

The Zero Trust security model, in contrast with conventional perimeter-based models, involves micro-segmentation and the definition of granular perimeters in your network architecture. To contain security risks, adopt a clear and simple segmentation strategy that stakeholders can understand, so that it can be managed and monitored effectively, and assign each segment the necessary permissions and appropriate network controls.

In this regard, here is a reference design for the Azure administrative model:

Figure 1 – Reference Design – Azure Administration Model

The following illustration shows the typical Hub-Spoke network model, where the Hub is a virtual network in Azure that serves as the point of connectivity to the on-premises network and the Spokes are virtual networks peered with the Hub that can be used to isolate workloads.

Figure 2 – Reference Enterprise Design – Azure Network Security

Adoption of an appropriate "Firewall Strategy"

Adopting a firewall solution in the Azure environment to protect and segregate network flows is now a must.

The choice may involve the adoption of:

  • Microsoft solutions fully integrated into the platform, such as Azure Firewall, flanked by the Web Application Firewall (WAF) of Application Gateway, an application load balancer (OSI layer 7) for web traffic that lets you govern HTTP and HTTPS application traffic. The WAF module protects published web applications based on the OWASP Core Rule Set, shielding them from common vulnerabilities and attacks such as cross-site scripting and SQL injection. These solutions suit most scenarios and offer built-in high availability and scalability, simple configuration and centralized management.
  • Third-party solutions available in the Azure Marketplace. There are many Network Virtual Appliances (NVAs); they can provide advanced features and continuity with solutions already in use on-premises. Typically their configuration is more complex and their cost tends to be higher than the Microsoft solutions.

Choosing a DDoS Mitigation Solution for critical applications

Protecting all critical applications from distributed denial-of-service (DDoS) attacks is very important. These attacks deliberately exhaust the resources of a system that provides a service to clients, such as a website hosted on web servers, until it can no longer serve legitimate requests.

In Azure, DDoS protection is available in two different tiers: Basic or Standard.

Figure 3 - Comparison of the features available in different tiers for DDoS Protection

The Basic tier is enabled by default on the Azure platform: it constantly monitors traffic and applies real-time mitigation of the most common network attacks. This tier provides the same level of protection adopted and tested by Microsoft online services and covers Azure public IP addresses (IPv4 and IPv6). No configuration is required for the Basic tier.

Azure DDoS Protection Standard provides additional mitigation capabilities compared to the Basic tier, optimized specifically for resources in an Azure virtual network. Security policies are configured automatically and tuned by dedicated network traffic monitoring and machine learning algorithms, which profile your application by studying the traffic it generates. When the thresholds set in the DDoS policy are exceeded, mitigation starts automatically and is suspended when traffic falls back below the thresholds. These policies apply to all Azure public IP addresses (IPv4) associated with resources in the virtual network, such as virtual machines, Azure Load Balancer, Azure Application Gateway, Azure Firewall, VPN Gateway and Azure Service Fabric instances.

Azure Security Center Adoption

Azure Security Center is a cloud solution that helps prevent, detect and respond to security threats affecting resources and workloads in hybrid environments. To improve the security posture of your Azure environment it is essential to evaluate the adoption of this solution, which is offered in two tiers:

  • Free tier. In this tier Azure Security Center is completely free and continuously assesses your environment, providing recommendations on Azure security.
  • Standard tier. Compared to the Free tier it adds enhanced threat detection, using behavioural analysis and machine learning to identify zero-day attacks and exploits. Through machine learning and the creation of allow lists (adaptive application controls) you can control which applications may execute, reducing exposure to malware and network attacks. In addition, the Standard tier adds an integrated Vulnerability Assessment for virtual machines in Azure. Azure Security Center Standard supports several resource types, including VMs, virtual machine scale sets, App Service, SQL servers and Storage accounts.

Figure 4 - Comparison between the tiers of Azure Security Center

Azure Security Center assigns a Secure Score to your environment, useful for monitoring its risk profile and for constantly improving your security posture by applying remediation actions. A good rule is to check the score on a regular basis (at least monthly) and plan initiatives aimed at improving specific areas. In addition, carefully review the alerts that Security Center Standard generates when it detects potential threats to your resources: Security Center prioritizes and lists the alerts, provides the information needed to investigate quickly and gives advice on how to remediate the attack.

Introduce security in development and release stages

Adopting DevOps models to deploy Azure applications and services provides, besides maximum agility, benefits in terms of security. In DevOps models the teams dedicated to quality control and security can be involved in the development and management stages throughout the application lifecycle, and with Infrastructure as Code (IaC) processes compliance can be defined and monitored at scale.

Do not use legacy technologies

In Azure it is not recommended to adopt classic Network Intrusion Detection Systems (NIDS) and Network Intrusion Prevention Systems (NIPS), since the platform natively filters out malformed packets. NIDS/NIPS solutions are generally based on outdated signature-based approaches that are easily evaded during an attack and generally produce a high rate of false positives.

Conclusions

Achieving a high level of security in Azure environments is a major challenge, and it requires constant monitoring, review and updating of your security posture. This article reported the main security best practices drawn from direct field experience; it is always good to enrich them with further precautions.

Azure IaaS and Azure Stack: announcements and updates (March 2020 – Weeks: 09 and 10)

This series of blog posts covers the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack made official by Microsoft in the last two weeks.

Azure

New datacenter region in Spain

Microsoft will open a datacenter region in Spain to help accelerate digital transformation of public and private entities of all sizes, helping them to innovate, scale and migrate their businesses to the cloud in a secure way.

Microsoft will retire classic IaaS VMs

Because Azure Resource Manager now has all the infrastructure as a service (IaaS) capabilities of Azure Service Management (ASM) plus new advancements, Microsoft will retire classic IaaS VMs on March 1, 2023. Beginning March 1, 2023, customers using classic IaaS VMs will no longer be able to start them through ASM, and any remaining VMs in a running or stopped-allocated state will be moved to the stopped-deallocated state. The following Azure services and functionality are not impacted by this retirement: Cloud Services, storage accounts not used by classic VMs, and virtual networks (VNets) not used by classic VMs.

Azure Virtual Network service endpoint policies feature

Azure Virtual Network service endpoint policies let you prevent unauthorized access to Azure Storage accounts from your virtual network: by applying endpoint policies to the service endpoint configuration, access over the service endpoint is limited to specific, explicitly allowed Azure Storage resources, which blocks data exfiltration from the VNet to storage accounts outside that list.

Azure Load Balancer TCP resets on idle timeout is available

Azure Load Balancer now supports sending bidirectional TCP resets on idle timeout for load balancing rules, inbound NAT rules and outbound rules, in all regions. Use this capability to give applications visibility into when Standard Load Balancer terminates connections due to idle timeout. When enabled, Standard Load Balancer generates a TCP reset packet to both the client and the server side of the TCP connection on idle timeout, so applications behave more predictably: they can detect the termination, drop expired connections and open new ones. TCP resets can be enabled on standard load balancers using the Azure portal, Resource Manager templates, CLI and PowerShell.
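To see why a reset on idle timeout matters to an application, the following added example (not from the original post or from Microsoft) simulates on localhost the three ways an idle connection can end: a reset (what Standard Load Balancer sends with the option enabled), an orderly close with FIN (what an application server does), and a silent drop (the load balancer's default, where the client learns nothing until its own timeout fires). The idle period is shortened to a fraction of a second; the 4-minute default idle timeout mentioned in the note is the Azure Load Balancer default, everything else is a constructed demo.

```python
import socket
import struct
import threading
import time


def _serve_then_end(mode, idle_seconds, hold_seconds, info):
    """Accept one connection, let it sit idle, then end it the way `mode` says."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # ephemeral port, reported back through `info`
    srv.listen(1)
    info["port"] = srv.getsockname()[1]
    info["ready"].set()
    conn, _ = srv.accept()
    srv.close()
    time.sleep(idle_seconds)
    if mode == "reset":
        # SO_LINGER with a zero timeout makes close() send RST instead of FIN:
        # this is what the client sees from Standard Load Balancer with TCP reset enabled.
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        conn.close()
    elif mode == "fin":
        conn.close()                     # orderly close, the peer reads EOF
    else:
        # Silent drop: keep the socket open and say nothing, like the default idle timeout.
        time.sleep(hold_seconds)
        conn.close()


def observe_idle_timeout(mode, idle_seconds=0.2, client_timeout=1.0):
    """Open a connection that stays idle and report how the client learns it ended.

    Returns "reset" (RST received: immediate ConnectionResetError), "eof" (FIN received)
    or "timeout" (nothing received: the client only notices through its own timeout).
    """
    info = {"ready": threading.Event()}
    worker = threading.Thread(target=_serve_then_end,
                              args=(mode, idle_seconds, client_timeout + 1.0, info), daemon=True)
    worker.start()
    info["ready"].wait()
    client = socket.create_connection(("127.0.0.1", info["port"]))
    client.settimeout(client_timeout)
    try:
        return "eof" if client.recv(1) == b"" else "data"
    except ConnectionResetError:
        return "reset"
    except socket.timeout:
        return "timeout"
    finally:
        client.close()


if __name__ == "__main__":
    for mode in ("reset", "fin", "drop"):
        print(f"{mode:>5}: client observed {observe_idle_timeout(mode)}")
```

The client-side counterpart is the mirror of this experiment: either enable TCP keepalives with an interval shorter than the load balancer's idle timeout (4 minutes by default), or treat both the reset and your own read timeout as "reconnect" rather than as an application error.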

Web Application Firewall with Azure Front Door service supports exclusion lists

Web Application Firewall exclusion lists allow you to omit certain request attributes from a rule evaluation. You can use them to fine tune Web Application Firewall policies for your applications.

Azure StorSimple 8000/1200 series will no longer be supported starting December 31, 2022

Microsoft has been expanding its portfolio of Azure hybrid storage capabilities with new services for data tiering and cloud ingestion, giving customers more options to store data in Azure in native formats. In conjunction with this, support for the StorSimple 8000 and 1200 series will end on December 31, 2022.

Active Directory for authentication on SMB access to Azure File in preview

Azure Files Active Directory (AD) authentication is in preview. You can use it to mount Azure file shares with AD credentials and get the same access control experience as on-premises.

HPC-optimized virtual machines are available

Azure HBv2-series Virtual Machines (VMs) are generally available in the South Central US region. HBv2 VMs will also be available in West Europe, East US, West US 2, North Central US, Japan East soon. HBv2 VMs deliver supercomputer-class performance, message passing interface (MPI) scalability, and cost efficiency for a variety of real-world high performance computing (HPC) workloads, such as CFD, explicit finite element analysis, seismic processing, reservoir modeling, rendering, and weather simulation.

A8 – A11 Azure Virtual Machine sizes will be retired on March 1, 2021

Microsoft is retiring A8 – A11 Azure Virtual Machine sizes on March 1, 2021. Starting today, customers with existing A8 – A11 size virtual machines will be able to deploy more of the same size, but new customers will no longer be able to create A8 – A11 VMs. After March 1, 2021, any remaining A8 – A11 size virtual machines remaining in your subscription will be set to a deallocated state. These virtual machines will be stopped and removed from the host. These virtual machines will no longer be billed in the deallocated state.

NDv2-Series VMs are Generally Available

NDv2 GPU VMs for high-end deep learning training and HPC workloads are going GA in East US, South Central US, and West Europe.

NVv4-Series VMs are Generally Available

Microsoft announced general availability of NVv4 Virtual Machines. NVv4 VMs are designed to provide you unprecedented GPU resourcing flexibility. You can now choose VMs with a whole GPU all the way down to 1/8th of a GPU.

Virtual machine scale sets now simpler to manage

Three new capabilities that simplify the overall management of virtual machine scale sets in Azure are now available. Custom scale-in policies let you specify the order in which virtual machines (VMs) in a scale set are deleted during a scale-in operation, based on a set of criteria (for example the newest VM added to the scale set). Instance protection policies let you protect one or more individual VMs in a scale set, in two ways:

  • Protect from scale-in blocks instance deletion during scale-in operations.
  • Protect from scale set actions blocks all scale set operations including upgrades and reimage.

It is also now possible to receive notifications about instance deletions and to set a predefined delay before the deletion operation. Notifications are delivered through Azure Metadata Service Scheduled Events, and the delay can range between 5 and 15 minutes.
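The deletion notification reaches the instance through the Scheduled Events endpoint of the Azure Instance Metadata Service (IMDS). The following handler is an example added here, not code from the original post or from Microsoft: it parses the scheduled-events document, picks out the Terminate events that name this instance, runs your drain logic, and then acknowledges the event so the platform proceeds immediately instead of waiting out the configured delay. The endpoint URL and the Metadata header are the real IMDS ones (reachable only from inside a VM); the sample document, event ids and instance names are constructed, and `drain` is a placeholder for your own shutdown steps.

```python
import json
import urllib.request

# Real IMDS endpoint and required header; only reachable from inside an Azure VM.
IMDS_URL = "http://169.254.169.254/metadata/scheduledevents?api-version=2019-08-01"
IMDS_HEADERS = {"Metadata": "true"}

# Constructed sample in the shape IMDS returns (not captured from a real VM).
# The event ids, instance names and times are made up.
SAMPLE_DOCUMENT = json.dumps({
    "DocumentIncarnation": 7,
    "Events": [
        {"EventId": "1f7b2c4e-0f3a-4d5e-9b8c-7a6d5e4f3c2b", "EventStatus": "Scheduled",
         "EventType": "Terminate", "ResourceType": "VirtualMachine",
         "Resources": ["web_vmss_3"], "NotBefore": "Mon, 16 Mar 2020 10:15:00 GMT",
         "Description": ""},
        {"EventId": "9c8b7a6d-5e4f-4c3b-8a29-1f0e2d3c4b5a", "EventStatus": "Scheduled",
         "EventType": "Freeze", "ResourceType": "VirtualMachine",
         "Resources": ["web_vmss_1"], "NotBefore": "Mon, 16 Mar 2020 10:20:00 GMT",
         "Description": ""},
    ],
})


def parse_document(text):
    """Decode the JSON document returned by the scheduled-events endpoint."""
    return json.loads(text)


def fetch_document(opener=urllib.request.urlopen):
    """GET the current scheduled-events document from IMDS (the Metadata header is mandatory)."""
    req = urllib.request.Request(IMDS_URL, headers=IMDS_HEADERS)
    with opener(req, timeout=5) as resp:
        return parse_document(resp.read().decode("utf-8"))


def pending_events(document, instance_name, event_types=("Terminate",)):
    """Events of the given types that name this instance (IMDS lists events for the whole scale set)."""
    return [event for event in document.get("Events", [])
            if event["EventType"] in event_types and instance_name in event["Resources"]]


def acknowledge_event(event_id, opener=urllib.request.urlopen):
    """POST a StartRequest: tells the platform it may proceed now rather than after the full delay."""
    body = json.dumps({"StartRequests": [{"EventId": event_id}]}).encode("utf-8")
    req = urllib.request.Request(IMDS_URL, data=body, method="POST",
                                 headers={**IMDS_HEADERS, "Content-Type": "application/json"})
    with opener(req, timeout=5) as resp:
        return resp.status


def handle_document(document, instance_name, drain, acknowledge):
    """Drain this instance for each pending Terminate event, then approve it. Returns approved ids."""
    approved = []
    for event in pending_events(document, instance_name):
        drain(event)                     # your shutdown logic: stop taking traffic, flush, deregister
        acknowledge(event["EventId"])
        approved.append(event["EventId"])
    return approved


if __name__ == "__main__":
    # Offline run against the constructed document; on a VM poll fetch_document() in a loop
    # and pass acknowledge_event as the acknowledger.
    doc = parse_document(SAMPLE_DOCUMENT)
    print(handle_document(doc, "web_vmss_3",
                          drain=lambda e: print("draining before", e["NotBefore"]),
                          acknowledge=lambda eid: print("approved", eid)))
```

Terminate events are only generated for a scale set that has terminate notifications enabled, as the paragraph above describes; the same handler can be pointed at the other event types (Freeze, Reboot, Redeploy, Preempt) by changing `event_types`.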

Azure management services and System Center: What's New in February 2020

February was full of news, with several updates affecting the Azure management services and System Center. This article gives a comprehensive overview of the main news of the month, to keep you up to date on these topics and provide the references needed for further exploration.

Azure Monitor

Changes to the Log Analytics schema

Important changes have been made to the Azure Monitor Log Analytics schema to help you browse your content faster and more easily.

Updates in the log view

Azure Monitor Log Analytics has greatly improved the appearance of the log view. New charts have been introduced that quickly and easily display the collected data and make it possible to get more information from it effectively.

Azure Site Recovery

Retirement of some protection scenarios

Starting from 1 March 2023 you will no longer be able to use Azure Site Recovery for the following protection scenarios:

  • Between customer-owned sites managed by System Center Virtual Machine Manager (SCVMM)
  • Between sites managed by SCVMM to Azure

Therefore, by that date, you must modify the configuration to use the protection scenarios between Hyper-V sites and between Hyper-V and Azure, both without SCVMM. Data for the protection scenarios that are no longer supported will be removed from that date.

Retirement of Azure Site Recovery data encryption functionality

Starting from 30 April 2022 the Azure Site Recovery data encryption functionality will be retired and replaced with more advanced encryption mechanisms such as Encryption at Rest with Azure Site Recovery, using Storage Service Encryption (SSE). With SSE, data is encrypted before being written to storage and decrypted when it is read back.

Azure Backup

Azure Offline Backup with Azure Data Box

Customers using Azure Backup can now take advantage of Azure Data Box to move large backups through an offline migration mechanism. Both Azure Data Box (an appliance of 100 TB) and Azure Data Box disks (up to 8 TB each) can be used, through the Azure Recovery Services Agent, to seed large initial backups (up to 80 TB per server) offline into an Azure Recovery Services vault. Subsequent backups are then made over the network.

Figure 1 – Azure Offline Backup with Azure Data Box

Windows Server 2008 support

Azure Backup has announced support for Windows Server 2008 systems. This facilitates the migration of on-premises Windows Server 2008 systems to Azure, where they can continue to receive security patches.

Selective exclusion of disks to be protected

Azure Backup now lets you selectively exclude disks of a virtual machine from protection. This saves costs when there are disks you do not want to protect with Azure Backup.

Backup Explorer

Azure Backup now offers a new solution, currently in preview, called Backup Explorer: an integrated Azure Monitor Workbook that provides centralized, real-time control over the progress of your backups.

Figure 2 – Overview of Backup Explorer

System Center

Update Rollup 1 for System Center 2019

The first update rollup for System Center 2019 has been released. This update introduces new features, fixes errors and affects the following products:

Microsoft Endpoint Manager

New releases for the Technical Preview Branch

For Configuration Manager, update 2001.2, update 2002 and update 2002.2 were released in the Technical Preview Branch. Among the main innovations are improvements to Desktop Analytics and task sequences, and the introduction of Orchestration Groups, an evolution of Server Groups.

To check the details of what is included in these updates, see these documents:

Please note that Releases in the Technical Preview Branch allow you to preview new Configuration Manager features, and it is recommended that you apply these updates only in test environments.


Azure IaaS and Azure Stack: announcements and updates (February 2020 – Weeks: 07 and 08)

This series of blog posts covers the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack made official by Microsoft in the last two weeks.

Azure

Azure Firewall Manager now supports virtual networks

Azure Firewall Manager Preview now supports Azure Firewall deployments in virtual networks (also known as hub virtual networks) in addition to its support for Azure Firewall deployments in virtual WAN hubs (also known as secured virtual hubs).

New Azure Firewall certification and features

New Azure Firewall capabilities are available:

  • ICSA Labs Corporate Firewall Certification.
  • Forced tunneling support now in preview.
  • IP Groups now in preview.
  • Customer configured SNAT private IP address ranges now generally available.
  • High ports restriction relaxation now generally available.

For more details you can read this document.

Azure Virtual Network: Network address translation in preview

Azure Virtual Network now offers network address translation (NAT) (in preview) to simplify outbound-only internet connectivity for virtual networks. All outbound connectivity uses the public IP address and/or public IP prefix resources connected to the virtual network NAT. Outbound connectivity is possible without a load balancer or public IP addresses directly attached to virtual machines. Virtual Network NAT Preview is fully managed, highly resilient, and is currently available in the following regions:

  • West Europe
  • Japan East
  • East US 2
  • West US
  • West US 2
  • West Central US

Preview of Azure Shared Disks for clustered applications

The limited preview of Azure Shared Disks, the industry’s first shared cloud block storage, is available. Azure Shared Disks enables the next wave of block storage workloads migrating to the cloud including the most demanding enterprise applications, currently running on-premises on Storage Area Networks (SANs). These include clustered databases, parallel file systems, persistent containers, and machine learning applications. This unique capability enables customers to run latency-sensitive workloads, without compromising on well-known deployment patterns for fast failover and high availability. This includes applications built for Windows or Linux-based clustered filesystems like Global File System 2 (GFS2). With Azure Shared Disks, customers now have the flexibility to migrate clustered environments running on Windows Server, including Windows Server 2008 (which has reached End-of-Support), to Azure. This capability is designed to support SQL Server Failover Cluster Instances (FCI), Scale-out File Servers (SoFS), Remote Desktop Servers (RDS), and SAP ASCS/SCS running on Windows Server.

Azure Private Link is generally available

Azure Private Link is now generally available. It is a secure and scalable way to consume services (Azure PaaS, partner services, or your own services) privately from within your virtual network. Private Link also lets you create and expose your own services on Azure. It enables a truly private connectivity experience between services and virtual networks.

Azure Resource Manager template support for NSG flow logs

Azure Resource Manager, the native way to manage your infrastructure as code, now supports deploying network security group (NSG) flow logs through templates. NSG flow logs are now an Azure Resource Manager resource, so you can deploy flow logs programmatically and set up Azure Policy to verify that flow logs are enabled.
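Once flow logs are enabled, the JSON they write to the storage account is the raw material for detection. The following parser and two summaries are an example added here, not code from the original post or from Microsoft: the record layout follows the documented NSG flow log format (version 2 tuples carry the 8 version-1 fields plus flow state and byte/packet counters), the sample log is constructed with documentation address ranges, and the port-scan heuristic (one source denied on three or more distinct inbound ports) is the editor's, not an Azure feature; Traffic Analytics does this kind of aggregation at scale, but seeing it on a handful of tuples shows what the log actually contains.

```python
import json
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    timestamp: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str   # "T" TCP, "U" UDP
    direction: str  # "I" inbound, "O" outbound
    decision: str   # "A" allowed, "D" denied
    rule: str       # NSG rule that made the decision
    nsg: str        # NSG name taken from the record's resourceId


def parse_flow_tuple(tuple_str, rule, nsg):
    """Parse one flowTuples entry (version 1: 8 fields; version 2 adds state and counters)."""
    fields = tuple_str.split(",")
    if len(fields) < 8:
        raise ValueError(f"malformed flow tuple: {tuple_str!r}")
    ts, src, dst, sport, dport, proto, direction, decision = fields[:8]
    return Flow(int(ts), src, dst, int(sport), int(dport), proto, direction, decision, rule, nsg)


def iter_flows(log_text):
    """Yield Flow objects from a flow log JSON document (one file written to the storage account)."""
    for record in json.loads(log_text)["records"]:
        nsg = record["resourceId"].rsplit("/", 1)[-1]
        for rule_block in record["properties"]["flows"]:
            for nic_flows in rule_block["flows"]:
                for tuple_str in nic_flows["flowTuples"]:
                    yield parse_flow_tuple(tuple_str, rule_block["rule"], nsg)


def decisions_by_rule(flows):
    """How many flows each rule allowed or denied, keyed by (rule, decision)."""
    return Counter((f.rule, f.decision) for f in flows)


def denied_inbound_ports_by_source(flows):
    """For every source that had inbound flows denied, the distinct destination ports it tried."""
    ports = defaultdict(set)
    for f in flows:
        if f.direction == "I" and f.decision == "D":
            ports[f.src_ip].add(f.dst_port)
    return {ip: sorted(p) for ip, p in ports.items()}


def find_port_scanners(flows, min_ports=3):
    """Sources whose denied inbound flows touched at least min_ports distinct ports."""
    return sorted(ip for ip, ports in denied_inbound_ports_by_source(flows).items()
                  if len(ports) >= min_ports)


# Constructed sample in the NSG flow log version 2 layout (not a real capture).
SAMPLE_LOG = json.dumps({"records": [{
    "time": "2020-03-16T10:00:35.389Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG-WEB"
                  "/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-WEB",
    "operationName": "NetworkSecurityGroupFlowEvents",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1584352800,198.51.100.23,10.5.16.4,51234,22,T,I,D,B,,,,",
            "1584352801,198.51.100.23,10.5.16.4,51235,3389,T,I,D,B,,,,",
            "1584352802,198.51.100.23,10.5.16.4,51236,445,T,I,D,B,,,,",
            "1584352810,203.0.113.7,10.5.16.4,40001,8080,T,I,D,B,,,,"]}]},
        {"rule": "UserRule_Allow-HTTPS", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1584352820,203.0.113.7,10.5.16.4,40002,443,T,I,A,B,,,,",
            "1584352830,203.0.113.7,10.5.16.4,40002,443,T,I,A,E,12,2400,10,8400"]}]},
        {"rule": "DefaultRule_AllowInternetOutBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1584352840,10.5.16.4,192.0.2.10,44931,443,T,O,A,B,,,,"]}]},
    ]}}]})


if __name__ == "__main__":
    flows = list(iter_flows(SAMPLE_LOG))
    for (rule, decision), count in sorted(decisions_by_rule(flows).items()):
        print(f"{rule:40} {decision} {count}")
    print("probable scanners:", find_port_scanners(flows))
```

The summaries take a list rather than the generator so that both can be run over the same flows; in practice you would point `iter_flows` at each hourly blob under the `insights-logs-networksecuritygroupflowevent` container and feed the `Flow` records into your SIEM.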

Azure Network Watcher is generally available in four new regions

Azure Network Watcher is now generally available in UAE North, Switzerland North, Norway West, and Germany West Central regions.

Native Azure Active Directory authentication support and Azure VPN Client 

Native Azure Active Directory (Azure AD) authentication support for OpenVPN protocol, and Azure VPN Client for Windows are generally available for Azure point-to-site (P2S) VPN. Native Azure AD authentication support enables user-based policies, conditional access, and multi-factor authentication (MFA) for P2S VPN. Native Azure AD authentication requires both Azure VPN Gateway integration and a new Azure VPN client to obtain and validate an Azure AD token.

Unified network monitoring with connection monitor in preview

Azure Network Watcher now has a new and improved connection monitor feature. Connection monitor provides unified end-to-end connection monitoring capabilities for hybrid and Azure deployments. Some of the new capabilities include:

  • A single console for configuring and monitoring connectivity and network quality from Azure and on-premises VMs/hosts. 
  • The ability to monitor endpoints within and across Azure regions, on-premises sites, and global service locations. 
  • Higher and configurable probing frequencies and support for more protocols.
  • Faster time to detect and diagnose issues in Azure and hybrid networks.
  • Access to historical monitoring data retained in Log Analytics. 

Azure Bastion is available in 20 new regions

Azure Bastion, the managed PaaS service that provides secure and seamless RDP/SSH connectivity to your virtual machines directly in the Azure portal over SSL and without any public IP on your virtual machines, is now generally available in 20 new regions.

Active Directory authentication support on Azure Files (preview)

You can now mount your Azure Files using AD credentials with the exact same access control experience as on-premises. You may leverage an Active Directory domain service either hosted on-premises or on Azure for authenticating user access to Azure Files for both premium and standard tiers. Managing file permissions is also simple. As long as your Active Directory identities are synced to Azure AD, you can continue to manage the share level permission through standard role-based access control (RBAC). For directory and file level permission, you simply configure Windows ACLs (NTFS DACLs) using Windows File Explorer just like any regular file share. 

Azure Stack

Kubernetes on Azure Stack 

Microsoft now supports Kubernetes cluster deployment on Azure Stack, a certified Kubernetes Cloud Provider. Install Kubernetes using Azure Resource Manager templates generated by ACS-Engine on Azure Stack.

Azure IaaS and Azure Stack: announcements and updates (January 2020 – Weeks: 05 and 06)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

New solution for Azure Monitor for virtual machines

The new solution for Azure Monitor for VMs will soon be available in all regions. This update will provide richer monitoring functionality and map data sets for Service Map customers. Once it’s available in your region, it’ll be necessary to upgrade to the new solution in order to continue using Azure Monitor for VMs. Disruption to your workflow should be minimal since Azure Monitor for VMs is still in preview, compared to upgrading after general availability.

Azure Cost Management and billing updates

Here are a few of the latest improvements and updates related to Azure Cost Management in January 2020:

Large file shares (100 TiB) on standard is available world-wide

Large file shares (100 TiB) on standard is available in all regions world-wide, including national clouds (Gov, China, Germany).

Azure DNS private zones is now available in Azure Government and Azure China

Azure DNS private zones is now generally available in Azure Government and Azure China regions. Use Azure DNS private zones for DNS resolution across one or more virtual networks in Azure Government and Azure China clouds. Azure DNS private zones provides a reliable and secure DNS service to manage and resolve domain names in an Azure virtual network without the need to add a custom DNS solution.

Managed identities on lab virtual machines in Azure DevTest Labs

Lab owners can now enable user-assigned managed identities on lab virtual machines in Azure DevTest Labs. Managed identities is a feature of Azure Active Directory that can authenticate any Azure service, including Azure Key Vault, without any credentials in your code. With this feature, lab users can now share Azure resources such as Azure SQL Database in the context of the lab. Once configured, every existing or newly created lab virtual machine will be enabled with this managed identity, and the lab user will be able to access resources once logged in to their machine.

New AMD-based Dav4 and Eav4 Azure VMs are available in additional regions

New Azure Dav4-series and Eav4-series virtual machines based on the latest AMD EPYC™ processor are now available in East US, East US2, West US2, Southeast Asia, North Europe, and West Europe regions. The Dav4-series and Das v4-series Azure VMs are suited for general-purpose workloads. The Eav4-series and Eas v4-series are ideal for memory-intensive workloads.

HBv2-Series VMs are Generally Available

HBv2 VMs are Generally Available in the US South Central region. HBv2 Virtual Machines feature 120 AMD EPYC™ 7002-series CPU cores, 480 GB of RAM, 480 MB of L3 cache, and no simultaneous multithreading (SMT). HBv2 Virtual Machines provide up to 350 GB/sec of memory bandwidth.

Azure management services and System Center: What's New in January 2020

The new year began with several announcements from Microsoft about what's new in Azure management services and System Center. The Cloud Community releases this summary monthly, allowing you to have a general overview of the main new features of the month, in order to stay up to date on these topics and have the necessary references to conduct further exploration.

Azure Monitor

New version of Log Analytics Gateway

For Azure Monitor, a new version of the Log Analytics Gateway was released, introducing greater stability and reliability. To get the new version, you can sign in to the Azure portal and browse to the Log Analytics blade, or download it directly from the Microsoft Download Center.

Availability in new regions for Service Map

Service Map functionality in Azure Log Analytics is now also available in the US Gov Virginia region.

Azure Site Recovery

New Update Rollup

For Azure Site Recovery, Update Rollup 43 was released; it solves several issues and introduces some improvements. The details and the procedure to follow for the installation can be found in the specific KB.

Support for customer-managed keys

Azure Site Recovery has introduced support for the following scenarios:

Azure Backup

Long term retention for backup of file shares configurable by the Azure portal

Azure Backup allows you to keep on-demand backups of file shares for up to 10 years. This configuration, initially possible only by using PowerShell, can now also be done from the Azure portal.

Restore cross region of virtual machines

Azure Backup has announced the ability to perform cross region restore of virtual machines to the Azure Paired Region. This feature is currently available in limited preview in West Central United States (WCUS), from which the restore can take place towards the WUS2 region. For further information you can consult this technical documentation.

Protection of SAP HANA in new regions

The Azure Backup solution now allows you to enable the protection of SAP HANA DBs running on Azure virtual machines in European and Asian regions. These are the regions where this feature is active:

  • West Europe (WE), North Europe (NE), France Central, France South, UK West (UKW), Germany North, Germany West Central, Germany Central, Germany North East, Switzerland North, and Switzerland West.
  • Australia Central, Australia Central 2, Australia East (AE), Australia Southeast (ASE), Japan East (JPE), Japan West (JPW), Korea Central (KRC), and Korea South (KRS).

Soft Delete for SQL Server and SAP HANA in Azure VMs

Azure Backup has introduced soft delete also for the protection of SQL Server and SAP HANA running on Azure virtual machines. Soft delete is a security feature that protects your backups even after they are deleted. Thanks to soft delete, if a backup is removed accidentally or by a malicious action, the backup data is still retained for 14 days from the deletion date. This feature, which has no additional cost, lets you recover any deleted backup within the retention period.

Microsoft Endpoint Manager

New release for the Technical Preview Branch

For Configuration Manager, update 2001 was released in the Technical Preview Branch; among its main changes, it introduces several dashboards to monitor the utilization of the new Microsoft Edge and other browsers.

To check the details of what's included in these updates, you can see this document.

Please note that Releases in the Technical Preview Branch allow you to preview new Configuration Manager features, and it is recommended that you apply these updates only in test environments.

Evaluation of Azure and System Center

To test for free and evaluate the services provided by Azure you can access this page, while to try the various System Center components you must access the Evaluation Center and, after registering, you can start the trial period.

Azure IaaS and Azure Stack: announcements and updates (January 2020 – Weeks: 03 and 04)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Microsoft to launch new cloud datacenter region in Israel

Microsoft announced plans to establish the company’s first cloud region in Israel to deliver its intelligent, trusted cloud services through a local datacenter region. This investment expands the Microsoft global cloud infrastructure to 56 cloud regions in 21 countries, with the new Israel region anticipated to be available starting with Microsoft Azure in 2021, with Office 365 to follow. The new Israel region will adhere to Microsoft’s trusted cloud principles and become part of one of the largest cloud infrastructures in the world, already serving more than a billion customers and 20 million businesses.

Azure is now certified for the ISO/IEC 27701 privacy standard

Azure is the first major US cloud provider to achieve certification as a data processor for the new international standard ISO/IEC 27701 Privacy Information Management System (PIMS). The PIMS certification demonstrates that Azure provides a comprehensive set of management and operational controls that can help your organization demonstrate compliance with privacy laws and regulations. Microsoft’s successful audit can also help enable Azure customers to build upon our certification and seek their own certification to more easily comply with an ever-increasing number of global privacy requirements.

New support for Network Security Group flow logs

Network Security Group (NSG) flow logs, a feature of Azure Network Watcher, allows you to view information about ingress and egress IP traffic. This feature now supports two new Azure Storage configurations:

  • Firewalled Storage accounts. Configuring Storage firewalls provides greater access control and security of your data. NSG flow logs can now be sent to storage accounts with a firewall enabled.
  • Service endpoints for Storage. Azure Virtual Network service endpoints allow you to control how your network interacts with Azure, ensuring that traffic from your virtual network to Azure services remains on the Azure backbone network. NSG Flow Logs can now be sent to Storage accounts accessible through virtual network service endpoints.

Microsoft Sustainability Calculator provides insights into IT carbon emissions

The Microsoft Sustainability Calculator is a Power BI application for Azure enterprise customers that provides new insight into carbon emissions data associated with their Azure services. For the first time, those responsible for reporting on and driving sustainability within their organizations will have the ability to quantify the carbon impact of each Azure subscription over a period of time and datacenter region, and to see estimated carbon savings from running those workloads in Azure versus on-premises datacenters. This data is crucial for reporting existing emissions and will help drive additional decarbonization efforts.

Red Hat Enterprise Linux gold images now available on Azure

Red Hat Enterprise Linux (RHEL) bring-your-own-subscription images, also referred to as RHEL gold images, are now available in Azure with a simple, automated sign-up process.

Azure Stack

Azure App Service on Azure Stack Hub Update 8 Released

This release updates the resource provider and brings the following key capabilities and fixes:

  • Updates to App Service Tenant, Admin, Functions portals and Kudu tools. Consistent with Azure Stack Portal SDK version.
  • Managed disk support for all new deployments: all new deployments of Azure App Service on Azure Stack Hub will make use of managed disks for all Virtual Machines and Virtual Machine Scale Sets.  All existing deployments will continue to use unmanaged disks.
  • Updates to core service to improve reliability and error messaging enabling easier diagnosis of common issues.
  • TLS 1.2 enforced by front-end load balancers.

All other fixes and updates are detailed in the App Service on Azure Stack Update Eight Release Notes.

Azure IaaS and Azure Stack: announcements and updates (January 2020 – Weeks: 01 and 02)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Azure Lab Services updates

Azure DevTest Labs recently released different updates:

  • Enables multiple owners to manage a lab.
  • Added the ability to automatically shut down virtual machines when a user’s remote desktop (RDP) session is disconnected (Windows).
  • Integration with Azure Bastion, enabling you to connect to your lab virtual machines through a web browser.
  • It automatically installs the necessary GPU drivers for you when you create a lab with GPU machines. You no longer have to figure out which GPU driver to use on your own.

Azure File Sync agent version 5.x will expire on February 12th

To continuously improve Azure File Sync, Microsoft can only support old versions of the agent for a limited time. On February 12, 2020, Azure File Sync agent version 5.x will be expired and stop syncing. If you have servers with agent version 5.x, update to a supported agent version (6.x or later). If you don’t update your servers before February 12, 2020, they will stop syncing. To resume syncing, the agent must be updated to a supported version.