Category Archives: Cloud

Azure management services and System Center: What's New in September 2019

Also in September, Microsoft announced news regarding the Azure management services and System Center. Our community publishes this summary monthly to provide an overview of these new features, so that you can stay up to date on these topics and have the references needed for further investigation.

Azure Site Recovery

New Update Rollup

Update Rollup 40 for Azure Site Recovery was released; it fixes several issues and introduces some improvements. Details and the installation procedure can be found in the specific KB.

Azure Backup

Support for disks up to 30 TB

For Azure Backup, support in public preview for large managed disks, up to 30 TB, has been announced. For further information you can consult this article.

System Center

New Update Rollup for System Center 2016

Microsoft has released Update Rollup 8 (UR8) for System Center 2016. This is the second update rollup of the year and includes updates, mainly aimed at solving problems, for the following products:

System Center Configuration Manager

New releases for the Technical Preview Branch

Update 1909 for Configuration Manager was released. One of its main innovations is the creation of orchestration groups, to better control the deployment of software updates. Orchestration groups are designed to give you more flexibility when updating devices, including the ability to run PowerShell scripts before and after the update deployment phase.

To check the details of what's included in these updates, you can see this document.

Please note that the Technical Preview Branch releases help you to evaluate new features of SCCM and it is recommended to apply these updates only in test environments.

Evaluation of Azure and System Center

To test and evaluate the services offered by Azure free of charge you can access this page, while to try out the various components of System Center you must access the Evaluation Center and, after registering, start the trial period.

Azure Migrate: introduction to the solution

The migration of workloads hosted in an on-premises datacenter to Azure is a challenging process that is increasingly required in order to exploit the benefits of the cloud. To best address the migration path and achieve the desired results, it is appropriate to carry out a careful preliminary analysis and to use appropriate tools. Azure Migrate is the Azure service that includes a large portfolio of tools that you can use, through a guided experience, to effectively address the most common migration scenarios. This article describes the main features of Azure Migrate and the changes that have recently affected this solution.

Azure Migrate structures the migration process in different phases: discovery, assessment, and migration. This approach provides an integrated experience that ensures continuity and gives an overall view of the migration process.

The solution is currently able to cover the following scenarios of migrating to Azure:

  • Virtual machines in VMware or Hyper-V environments, in other public clouds (AWS, Google), and physical machines.
  • SQL Server databases to Azure SQL Database or Azure SQL Database Managed Instance.
  • Web apps using .NET or PHP to Azure App Service, the Azure Platform-as-a-Service.
    • In this case you are sent directly to the App Service Migration page which, given the public URL, scans the site and provides a detailed report of the technologies in use, to determine whether they can be hosted by App Service. If so, you can start the migration process by using the Migration Assistant installed locally.
  • Large amounts of data via the offline Data Box service.
    • Directly from the portal you can order an Azure Data Box, monitor its shipping status and the process of copying its data to Azure.

By accessing Azure Migrate from the Azure portal you are immediately directed, according to the migration scenario that you want to perform, to the most appropriate tools to use.

Figure 1 – Overview of Azure Migrate

To proceed with the use of the tool you need to create a new project. This project is used to save metadata from discovery activities, assessment and migration in the on-premises environment. Metadata is retained in an Azure datacenter in the selected region. However, you can use a project in any region to perform migrations to any Azure region.

Figure 2 – Creating the migration project

Each of these steps is carried out through solutions provided directly by Microsoft or through tools provided by third-party vendors. At the moment the following third-party tools are integrated in Azure Migrate: Carbonite, Cloudamize, Corent, Device42, Turbonomic, and UnifyCloud.

Figure 4 - Migration Tools Available

The Microsoft tool that allows the assessment of the servers, called "Azure Migrate: Server Assessment", has been enhanced with the following features:

  • It can discover and assess VMware environments that host up to 35000 virtual machines. The limit in the previous version was 1500 VMs.
  • You have the option to profile Hyper-V environments that host up to 10000 VMs.
  • The inventory data from VMware and Hyper-V environments can flow within the same Azure Migrate project.
  • It provides guidance on sizing systems, performs analysis to identify application dependencies and provides a cost estimate.

The whole discovery and assessment process with the Server Assessment tool takes place without installing any agent. The tool is completely free for all Azure customers and will soon be enhanced to also support physical systems.

For the migration process as well, Microsoft provides its own tool, called "Azure Migrate: Server Migration", that allows you to migrate virtual systems in VMware, Hyper-V, Amazon Web Services (AWS) and Google Cloud Platform (GCP) environments, as well as physical servers. This tool has recently been enhanced with the following features:

  • Ability to migrate VMs in VMware environments in agentless mode. With agentless migration you can use the same appliance for discovery, assessment and migration. This gives operating-system-independent support, allowing you to migrate any client or server OS that is supported on Azure.
  • Ability to migrate virtual machines in Hyper-V environments without an agent.
  • Agent-based migration of VMs and physical servers running on Amazon Web Services or Google Cloud Platform.
  • A new simplified user experience, making the process similar to creating a virtual machine in Azure.
  • Ability to perform a test migration without any impact, allowing you to better plan the migration. Furthermore, the migration process allows zero data loss when moving applications to Azure.

"Azure Migrate: Server Migration" is also a tool that all Azure customers can use free of charge. Obviously the costs of the compute and storage resources used in the Azure subscription after a successful migration still apply. In this regard it is also possible to estimate in advance the cost savings that can be achieved by migrating workloads to Azure. The Total Cost of Ownership (TCO) Calculator allows you to define the characteristics of the workloads that you want to migrate and, after adjusting several parameters specific to each environment, gives you an estimate of the potential savings over 5 years.

Figure 5 – Chart of the estimated savings from migrating to Azure, produced with the TCO Calculator

Conclusions

Azure Migrate, thanks to the recently released features, is an excellent solution that provides a broad set of tools to better address the most common migration scenarios. Azure Migrate is now a real reference point for moving workloads to Azure, through integrated and centralized management and a cross-cutting approach able to deal with different migration paths.

Azure IaaS and Azure Stack: announcements and updates (September 2019 – Weeks: 37 and 38)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

New cloud regions in Germany

Microsoft Azure is available from new cloud datacenter regions in Germany, Germany West Central (located in Frankfurt) and Germany North (located in Berlin), to provide greater flexibility, the latest intelligent cloud services, full connectivity to the global cloud network, and data residency within Germany. The new regions offer German-specific compliance, including Cloud Computing Compliance Controls Catalogue (C5) attestation, and will remove barriers so that in-country companies can benefit from the latest solutions such as containers, IoT, and AI.

Azure Firewall is ISO compliant

Azure Firewall is Payment Card Industry (PCI), Service Organization Controls (SOC), and International Organization for Standardization (ISO) compliant. It currently supports SOC 1 Type 2, SOC 2 Type 2, SOC 3, PCI DSS, and ISO 27001, 27018, 20000-1, 22301, 9001, 27017. For more information, see the Microsoft Compliance Guide.

New Azure ExpressRoute sites

The following new ExpressRoute meet-me sites are now live:

  • Copenhagen
  • Stockholm
  • Munich

Azure Private Link in preview

Private Link simplifies the network architecture and secures the connection between endpoints in Azure by keeping data on the Azure network, thus eliminating exposure to the internet. Private Link also enables you to create and render your own services on Azure. During public preview, Private Link supports Azure Storage, Azure Data Lake Storage Gen 2, Azure SQL Database, Azure SQL Data Warehouse, and customer-owned services.

Monitor bandwidth for all peered Azure virtual networks with ExpressRoute

Azure network monitoring solutions including Network Performance Monitor and Network Watcher help monitor your networks in the cloud and in hybrid environments. ExpressRoute Monitoring enables you to monitor network performance over ExpressRoute circuits that are configured to use private peering or Microsoft peering.

Azure Monitor for Azure Virtual Machines is available in additional regions

Azure Monitor for Virtual Machines monitors and analyzes the performance and health of your Windows and Linux virtual machines hosted in Azure, on-premises, or with another cloud provider. Azure Monitor for Azure Virtual Machines is now available in Japan East, North Europe, and East US 2.

Service Map feature of Azure Monitor is available in additional regions

Service Map automatically discovers application components on Windows and Linux systems and maps communication between services. The feature enables you to view your servers, processes, inbound and outbound connection latency, and ports as interconnected systems. The Service Map feature of Azure Monitor is available in Japan East, North Europe, and East US2.

Zone Redundant Storage (ZRS) for Azure Files premium tier

Zone Redundant Storage (ZRS) is available for Azure Files premium tier. The ZRS replication provides customers a choice of performant Azure Files services with higher availability. With the release of ZRS support, Azure Files premium tier now offers two durability options:

  • Zone redundant storage (ZRS) for data protection against the outage of an entire zone.
  • Locally redundant storage (LRS), a lower-cost option for data protection against hardware failure.

Currently, the ZRS option is available in West Europe and Microsoft plans to gradually expand the regional coverage.

Azure Lab Services supports new GPU Virtual Machine sizes

Azure Lab Services supports two new 6-core GPU Virtual Machine sizes:

  • Small GPU (Compute): 6 cores, 56 GB RAM, 139 Lab units.
    • Available in US, North Europe, and West Europe regions
    • Best-suited for compute-intensive and network-intensive applications such as Artificial Intelligence and Deep Learning
  • Small GPU (Visualization): 6 cores, 56 GB RAM, 160 Lab units.
    • Available in US, North Europe, West Europe, and Australia regions
    • Best-suited for remote visualization, streaming, gaming, and encoding using frameworks such as OpenGL and DirectX.

M-series virtual machines (VMs) are available in new regions

Azure M-series VMs are now available in: Germany West, Germany North, Switzerland West and Switzerland North. M-series VMs offer configurations with memory from 192 GB to 3.8 TiB (4 TB) RAM and are certified for SAP HANA.

Azure Networking: what's new in Azure Firewall

Azure Firewall is the firewall-as-a-service solution of the Microsoft public cloud, which allows you to secure the resources present in Azure Virtual Networks and to govern the related network flows. The service has been generally available for several months and, as is often the case with cloud services, it evolves rapidly to improve the service and increase the feature set. This article lists the top news that recently affected Azure Firewall.

Public IP addresses associated with Azure Firewall

While initially, only one public IP address could be associated with Azure Firewall, now you can associate up to 100 public IP addresses. This opens up new configuration and operation scenarios:

  • In DNAT configurations you have the option to use the same port on different public IP addresses.
  • For SNAT outbound connections a larger number of ports is available, reducing the risk of port exhaustion.

Currently the source public IP address that Azure Firewall uses for outbound connections is chosen randomly among those associated. This must be taken into account when remote services grant specific permissions to traffic coming from Azure Firewall: every public IP address of the firewall has to be allowed. Microsoft has on its roadmap the ability to configure SNAT by specifying which public IP address to use. The steps to deploy Azure Firewall with multiple public IP addresses using PowerShell commands can be consulted in this document.
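As an added example, not taken from the original post, the following PowerShell (Az.Network module) attaches a second public IP address to an existing Azure Firewall and then creates two DNAT rules that reuse port 443 on the two different public IPs, which is the first scenario listed above. The resource group, firewall, public IP and internal host addresses are assumptions.

```powershell
# Added example (not from the original post). Names and addresses are assumptions.
$rgName   = "Network-RG"          # assumed resource group
$fwName   = "AzureFirewallName"   # assumed firewall name
$location = "westeurope"          # assumed region of the firewall

$azFw = Get-AzFirewall -Name $fwName -ResourceGroupName $rgName

# Azure Firewall requires Standard SKU, static public IPs.
# Assumes the original public IP was named "<firewall>-pip1".
$pip1 = Get-AzPublicIpAddress -Name "$fwName-pip1" -ResourceGroupName $rgName
$pip2 = New-AzPublicIpAddress -Name "$fwName-pip2" -ResourceGroupName $rgName `
    -Location $location -AllocationMethod Static -Sku Standard

# Attach the new public IP to the firewall and persist the change.
$azFw.AddPublicIpAddress($pip2)
$azFw | Set-AzFirewall

# Two DNAT rules on the same destination port (443), each bound to a different
# public IP and forwarding to a different internal host (assumed addresses).
# Source is restricted to an assumed partner range rather than "*".
$natRule1 = New-AzFirewallNatRule -Name "web1-https" -Protocol "TCP" `
    -SourceAddress "203.0.113.0/24" -DestinationAddress $pip1.IpAddress -DestinationPort "443" `
    -TranslatedAddress "10.0.1.10" -TranslatedPort "443"
$natRule2 = New-AzFirewallNatRule -Name "web2-https" -Protocol "TCP" `
    -SourceAddress "203.0.113.0/24" -DestinationAddress $pip2.IpAddress -DestinationPort "443" `
    -TranslatedAddress "10.0.1.11" -TranslatedPort "443"

$natCollection = New-AzFirewallNatRuleCollection -Name "inbound-dnat" -Priority 100 `
    -Rule $natRule1, $natRule2
$azFw.AddNatRuleCollection($natCollection)
$azFw | Set-AzFirewall

# Outbound SNAT picks any of the attached public IPs: list them all so they can
# be allow-listed on remote services.
($azFw.IpConfigurations | ForEach-Object { (Get-AzResource -ResourceId $_.PublicIpAddress.Id).Properties.ipAddress })
```

The last line matters for the SNAT caveat above: once a second address is attached, any remote allow-list that only contains the first public IP will intermittently drop the firewall's outbound traffic.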

Figure 1 – Assign multiple public IPs to Azure Firewall from the Azure portal

Availability Zones

In order to increase the availability of Azure Firewall you can, during the creation phase, plan to use Availability Zones. Selecting two or more Availability Zones gives an uptime of 99.99%. Full details about the Service Level Agreement (SLA) of Azure Firewall are contained in this document. Adopting this deployment method does not involve additional costs for the service itself, but you need to account for the increased cost of inbound and outbound data transfer across Availability Zones, described in this document. Compared to the cost of Azure Firewall, these costs do not have a particularly significant impact. I personally think that if you adopt a networking architecture where Azure Firewall is the core security component of the environment, it becomes very useful to use Availability Zones to ensure a high level of availability for the mission-critical applications protected by this service.

Figure 2 - Configuration of Availability Zones in the process of creating Azure Firewall

An Azure Firewall created without Availability Zones cannot be converted to use them afterwards. The only method currently available is to create a new Azure Firewall, migrating the existing configuration. A backup of the Azure Firewall configuration in JSON format can be made using the following PowerShell commands:

[cc lang="powershell"]
# Resolve the resource id of the firewall to back up
$AzureFirewallId = (Get-AzFirewall -Name "AzureFirewallName" -ResourceGroupName "Network-RG").Id
# Local file that will receive the exported ARM template
$BackupFileName = ".\AzureFirewallBackup.json"
# Export only the firewall resource, keeping its values as literals instead of template parameters
Export-AzResourceGroup -ResourceGroupName "Network-RG" -Resource $AzureFirewallId -SkipAllParameterization -Path $BackupFileName
[/cc]

Once the JSON file is available, you need to edit it to add the Availability Zones to the firewall resource:

[cc lang="json"]
{
  "apiVersion": "2019-04-01",
  "type": "Microsoft.Network/azureFirewalls",
  "name": "[variables('FirewallName')]",
  "location": "[variables('RegionName')]",
  "zones": [
    "1",
    "2",
    "3"
  ],
  "properties": {
    "ipConfigurations": [
      {
[/cc]

After the change is complete, you can deploy the new Azure Firewall from the modified JSON file using the following command:

[cc lang="powershell"]
New-AzResourceGroupDeployment -Name "RestoreFirewallAvZones" -ResourceGroupName "Network-RG" -TemplateFile ".\AzureFirewallBackup.json"
[/cc]
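The three steps above (export, edit, redeploy) as one script, added here as an example and not part of the original post. It exports the firewall as an ARM template, patches the "zones" property of every Azure Firewall resource in the template programmatically instead of by hand, validates the result and deploys it. The export half is also what a scheduled backup (the Azure Automation scenario described further down in this article) would run. Resource, file and deployment names are assumptions.

```powershell
# Added example (not from the original post). Names are assumptions.
$rgName     = "Network-RG"
$fwName     = "AzureFirewallName"
$backupFile = ".\AzureFirewallBackup.json"
$zonedFile  = ".\AzureFirewallBackup-zones.json"

# 1. Export the firewall resource as an ARM template (literal values, no parameters).
$fwId = (Get-AzFirewall -Name $fwName -ResourceGroupName $rgName).Id
Export-AzResourceGroup -ResourceGroupName $rgName -Resource $fwId `
    -SkipAllParameterization -Path $backupFile -Force

# 2. Load the template and add the three zones to every Azure Firewall resource.
$template = Get-Content -Path $backupFile -Raw | ConvertFrom-Json
$patched = 0
foreach ($res in $template.resources) {
    if ($res.type -eq "Microsoft.Network/azureFirewalls") {
        # -Force overwrites an existing "zones" property, if any
        $res | Add-Member -NotePropertyName "zones" -NotePropertyValue @("1", "2", "3") -Force
        $patched++
    }
}
if ($patched -eq 0) { throw "No Microsoft.Network/azureFirewalls resource found in $backupFile" }

# ConvertTo-Json truncates nested objects at depth 2 by default; rule collections go deeper.
$template | ConvertTo-Json -Depth 50 | Set-Content -Path $zonedFile -Encoding UTF8

# 3. Validate the template before touching anything.
$validation = Test-AzResourceGroupDeployment -ResourceGroupName $rgName -TemplateFile $zonedFile
if ($validation) { $validation | Format-List; throw "Template validation failed" }

# Only one firewall can occupy the AzureFirewallSubnet, so the original must be
# removed before the zoned copy is deployed. The export above is the safety net
# for that step; run it deliberately, not as part of an unattended script:
# Remove-AzFirewall -Name $fwName -ResourceGroupName $rgName -Force

New-AzResourceGroupDeployment -Name "RestoreFirewallAvZones" -ResourceGroupName $rgName -TemplateFile $zonedFile
```

Keep the exported file under version control or in a storage account with soft delete: it contains the complete rule set and is the only artifact you can rebuild the firewall from.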

Centralized management with third party solutions

Azure Firewall exposes public REST APIs that third-party vendors can use to provide solutions for the centralized management of Azure Firewall, Network Security Groups (NSGs), and network virtual appliances (NVAs). At the moment these vendors offer such solutions: Barracuda with Cloud Security Guardian, AlgoSec with CloudFlow and Tufin with Orca.

Just-in-time (JIT) VM access for Azure Firewall

When a user requests access to a VM with a Just-in-time (JIT) policy, Security Center first checks whether the user actually has the Role-Based Access Control (RBAC) permissions required to make the access request. If so, the request is approved and Security Center automatically configures not only the NSG but also the rules needed on the Azure Firewall side to allow the incoming traffic.

Application rules with SQL FQDN

The ability to specify a SQL FQDN in Azure Firewall application rules has been introduced. This makes it possible to control access from the virtual network to specific SQL Server instances. Through SQL FQDNs you can filter traffic:

  • From a Virtual Network to an Azure SQL Database or an Azure SQL Data Warehouse.
  • From the on-premises environment to an Azure SQL Managed Instance or SQL on IaaS running in a Virtual Network.
  • From spoke to spoke to an Azure SQL Managed Instance or SQL on IaaS running in a Virtual Network.
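The first scenario in the list, as an added PowerShell example that is not part of the original article: an application rule that allows only one application subnet to reach one named Azure SQL logical server over the mssql protocol on port 1433. Resource names, the subnet range and the SQL server FQDN are assumptions.

```powershell
# Added example (not from the original post). Names and addresses are assumptions.
$rgName = "Network-RG"
$fwName = "AzureFirewallName"
$azFw   = Get-AzFirewall -Name $fwName -ResourceGroupName $rgName

# Application rule keyed on the SQL FQDN: the "mssql" protocol is what enables
# FQDN-based filtering of TDS traffic on port 1433.
$sqlRule = New-AzFirewallApplicationRule -Name "allow-sql-prod" `
    -SourceAddress "10.0.2.0/24" `                         # assumed application subnet
    -TargetFqdn "sqlsrv-prod.database.windows.net" `       # assumed SQL logical server
    -Protocol "mssql:1433"

# Allow collection with an explicit priority; everything not matched by an
# application or network rule is denied by the firewall's default behaviour.
$collection = New-AzFirewallApplicationRuleCollection -Name "sql-access" -Priority 200 `
    -Rule $sqlRule -ActionType "Allow"

$azFw.AddApplicationRuleCollection($collection)
$azFw | Set-AzFirewall
```

One check before relying on this rule: SQL FQDN filtering in Azure Firewall works with the SQL Database connection policy set to Proxy, so a server left on the default Redirect policy will not be matched by the rule as expected.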

Figure 3 - Creating Application Rule with SQL FQDN

FQDN Tag for Azure HDInsight (HDI)

Azure HDInsight clusters deployed in a Virtual Network have several dependencies on other Azure services (for example Azure Storage) that require outbound network traffic in order to operate correctly. With the introduction of the FQDN tag for HDInsight you can configure Azure Firewall to restrict outbound access for HDI clusters. For more details please refer to Microsoft's official documentation.

Automation to handle the backup

Having a strategy to restore the configuration of the service in a short time is critical, because this service is the control center of your Azure networking environment and contains the rules that govern all network traffic. The service currently has no integrated feature for periodic full backups. In this article you can find a mechanism designed to perform scheduled backups of the configuration of this component using the Azure Automation service.

Conclusions

Azure Firewall is increasingly being used in Azure network architectures, thanks to its advantages over third-party firewall solutions and to the constant enrichment of the features offered. All these new features make Azure Firewall a more comprehensive solution, fully integrated in the platform, that allows you to secure the resources in Azure Virtual Networks with great flexibility.

Azure IaaS and Azure Stack: announcements and updates (September 2019 – Weeks: 35 and 36)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Microsoft Azure available from new cloud regions in Switzerland

Microsoft announced the availability of new Azure Regions in Switzerland. With the Azure Region Switzerland West and Switzerland North, Microsoft addresses the need of customers to have cloud regions and datacenters available in Switzerland. Remember that not all services are available in all Azure regions. You can find more information about the products and services available in the Swiss Azure regions on the Azure website.

31 new Azure edge sites

Microsoft announced the addition of 31 new edge sites, bringing the total to over 150 across more than 50 countries. Microsoft is also adding 14 new meet-me sites to Azure ExpressRoute to further enable and expand access to dedicated private connections between customers’ on-premises environments and Azure.

Azure Firewall in China

Azure Firewall is also available in China.

Azure DevTest Labs now integrates with Azure Bastion

Azure DevTest Labs now integrates with Azure Bastion, enabling you to connect to your virtual machines through a web browser. Azure Bastion provides secure and seamless RDP/SSH connectivity to your virtual machines directly in the Azure portal over SSL. As a lab owner, it’s possible to enable your lab virtual machines to have browser-based access provided they’re created in a virtual network that has Azure Bastion configured on it.

Azure Stack

Azure App Service on Azure Stack Update 7 (1.7)

This release updates the resource provider and brings the following key capabilities and fixes:

  • Updates to App Service Tenant, Admin, Functions portals and Kudu tools, consistent with the Azure Stack Portal SDK version.
  • Updates to core service to improve reliability and error messaging enabling easier diagnosis of common issues.
  • Access Restrictions now enabled in User Portal

All other fixes and updates are detailed in the App Service on Azure Stack Update Seven Release Notes.

Diagnostic log collection is generally available for Azure Stack

The Azure Stack diagnostic log collection service provides a simplified way for Azure Stack operators to collect and share diagnostic logs with Microsoft Customer Support Services (CSS). A new user experience in the Azure Stack administrator portal is available for operators to set up the automatic upload of diagnostic logs to a storage blob when certain critical alerts are raised, or to perform the same operation on demand.

Azure management services and System Center: What's New in August 2019

Microsoft constantly releases news regarding the Azure management services and System Center. Our community publishes this monthly summary to provide an overview of the top news released in the last month. This allows you to stay up-to-date on these topics and have the necessary references to conduct further investigations.

Azure Site Recovery

New Update Rollup

Update Rollup 39 for Azure Site Recovery was released; it fixes several issues and introduces some improvements. Details and the installation procedure can be found in the specific KB.

Availability in new regions

Azure Site Recovery is now available in these new regions: West India, UAE Central, UAE North, South Africa North, and South Africa West.

Disaster recovery of Azure Disk Encryption-enabled virtual machines

Azure Site Recovery introduced support for virtual machines with disks that use Azure Disk Encryption without an Azure Active Directory app. This feature is currently supported only for Windows virtual machines that use managed disks. Support for Linux virtual machines using managed disks will be introduced soon.

Monitor in Log Analytics

The ability to send diagnostic logs from the Site Recovery vault to a Log Analytics workspace has been introduced. These logs are generated not only for virtual machines in Azure, but also for VMware virtual machines and physical systems protected by Azure Site Recovery.

Azure Backup

Availability in new regions

Azure Backup can now also be used in these new regions: West India, UAE Central, UAE North, South Africa North, and South Africa West.

Support for disks up to 30 TB

For Azure Backup, support for large managed disks, up to 30 TB, has been announced, currently in limited public preview. For further information you can consult this article.

Soft Delete for protected virtual machines

In order to increase the protection of backups made by Azure Backup, soft delete for IaaS virtual machines was introduced. This gives a higher level of protection against accidental or malicious deletion of IaaS VM backups.

System Center Configuration Manager

New releases for the Technical Preview Branch

Update 1908 for Configuration Manager was released. Among its main innovations is the ability to activate the High Performance power plan during task sequence execution, for performance benefits.

Furthermore, update 1908.02 was released, which includes integration with Teams messaging in the Configuration Manager console.

To check the details of what's included in these updates, you can see this document for update 1908 and this document for update 1908.02.

Please note that the Technical Preview Branch releases help you to evaluate new features of SCCM and it is recommended to apply these updates only in test environments.

Evaluation of Azure and System Center

To test and evaluate the services offered by Azure free of charge you can access this page, while to try out the various components of System Center you must access the Evaluation Center and, after registering, start the trial period.

Azure Dedicated Host: the creation of virtual machines on a dedicated system

The availability of the new Azure Dedicated Host service was recently announced. It gives you a physical server in Azure, totally dedicated to your organization, on which to run Windows or Linux virtual machines. This article describes the main features of the service, its benefits and the procedure to follow to activate it.

Normally, without this new service, Azure physical hosts run the virtual machines of several tenants, and isolation is provided by the multi-tenant hypervisor. With Azure Dedicated Host, a physical server runs only the workloads of a single tenant. In this way you get wider visibility and more control over the hardware on which your virtual machines run, with the certainty that the host is not shared with other Azure customers.

Usage scenarios

The service Azure Dedicated Host can be very useful to meet the following usage scenarios:

  • Need for isolation at the host level for compliance reasons, in terms of physical security, data integrity and monitoring.
  • Need for visibility and control over the Azure server infrastructure hosting your virtual machines. You can in fact define the host hardware type, the processor characteristics and the number of cores, and the type and size of the VMs that you plan to deploy, with the ability to choose different sizes for the virtual machines as long as they belong to the series selected for the specific host.
  • Need to govern all host-level maintenance activities performed by the Azure platform, such as physical host operating system updates. With Azure Dedicated Host you can choose the most appropriate time for maintenance, within a maintenance window of 35 days.

If you need to cope with one of the above scenarios, Azure Dedicated Host is definitely a great option, but if you don't have specific needs you should use the classic method of deploying virtual machines in Azure, as it offers greater flexibility.

Activation of the service

The deployment of a new Azure Dedicated Host requires a host group. Multiple hosts can be added to this group, and they will host the new virtual machines in Azure. An Azure Dedicated Host can be deployed through ARM templates, CLI, PowerShell, and directly from the Azure Portal. This article shows the steps for creating the service directly from the Azure Portal.

Figure 1 - Starting the procedure of creation of a Host Group

During the Host Group creation process you are asked for specific settings such as Availability Zones (optional) and the number of fault domains.

Figure 2 – Parameters required when creating a Host Group

When the Host Group has been created you can start setting up the Azure Dedicated Host, which will be associated with a specific Host Group.

Figure 3 – Start the process of creating a Dedicated Host

The parameters required when creating a Dedicated Host include the family of VMs that the host will run, the host group membership, the fault domain number and whether to automatically replace the host in case of problems. Furthermore, it asks for the information needed to obtain the licensing benefits described in the following paragraph.

Figure 4 – Parameters required when creating a Dedicated Host

Once the Azure Dedicated Host has been set up, you can place a virtual machine on a specific host during its creation. An important consideration is that the VM's region must be the same as the host's, and the VM size must belong to the VM host family configured when the host was created.

During the virtual machine creation process, the Host section of the Advanced tab lets you select the host group and the Dedicated Host.
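The same procedure (host group, dedicated host, VM placed on it) done with PowerShell instead of the portal, as an added example that is not part of the original article. It uses the Az.Compute cmdlets New-AzHostGroup, New-AzHost and New-AzVM with -HostId; resource names, region, SKU and VM size are assumptions, and the parameter names should be checked against Get-Help for the Az.Compute version in use.

```powershell
# Added example (not from the original post). Names, region and sizes are assumptions.
$rgName   = "DedicatedHost-RG"
$location = "westeurope"

# 1. Host group: two fault domains, pinned to availability zone 1 (zone is optional).
$hostGroup = New-AzHostGroup -ResourceGroupName $rgName -Name "dh-group-01" `
    -Location $location -PlatformFaultDomainCount 2 -Zone "1"

# 2. Dedicated host in that group. The SKU fixes the VM family (here Dsv3) that
#    can run on it; AutoReplaceOnFailure and LicenseType correspond to the
#    portal options described above.
$dhost = New-AzHost -ResourceGroupName $rgName -HostGroupName $hostGroup.Name `
    -Name "dh-host-01" -Location $location -Sku "DSv3-Type1" `
    -PlatformFaultDomain 0 -AutoReplaceOnFailure $true -LicenseType "WindowsServerHybrid"

# 3. VM placed on the host: same region, size from the host's family.
$cred = Get-Credential -Message "Local administrator credentials for the VM"
$vmName = "vm-on-dh-01"
New-AzVM -ResourceGroupName $rgName -Name $vmName -Location $location `
    -Size "Standard_D4s_v3" -Image "Win2019Datacenter" -Credential $cred `
    -HostId $dhost.Id

# 4. Verify the placement actually happened (the Host property is an assumption
#    about the VM object shape; inspect Get-AzVM output if it differs).
$vm = Get-AzVM -ResourceGroupName $rgName -Name $vmName
if ($vm.Host.Id -ne $dhost.Id) { throw "VM $vmName is not running on dedicated host $($dhost.Name)" }
```

A VM size outside the host's family, or a region different from the host's, is rejected at deployment time, which is why both are derived from the host in the script rather than typed independently.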

Figure 5 — Select the Host Group and the Host when creating the VM

Aspects related to licensing

Azure Dedicated Host offers some advantages in terms of licensing, with the ability to take advantage of Azure Hybrid Benefit. You can use your Windows Server and SQL Server licenses covered by Software Assurance in this scenario as well. Furthermore, customers with Windows Server Datacenter licenses and Software Assurance may run an unlimited number of Windows Server virtual machines on Azure Dedicated Host. Similarly, customers with SQL Server Enterprise Edition licenses and Software Assurance may use unlimited virtualization rights for SQL Server on their dedicated host in Azure. For other vendors, such as SUSE or Red Hat Linux, you are allowed to use your existing licenses with Azure Dedicated Host; in this case it is advisable to check the specific licensing conditions with the vendors.

With the introduction of this new service, Microsoft is updating accordingly the terms of use of licences in order to clarify the distinction between the on-premises/traditional outsourcing services and cloud services. To get more information about it you can see the Microsoft's official documentation.

Another important aspect to consider is that using the Azure Dedicated Host you can use the service of Extended Security Updates for Windows Server 2008/R2 and SQL Server 2008/R2.

Cost of service

The cost of Azure Dedicated Host is calculated at the host level and not on the basis of the number of virtual machines running on the host. Software licensing costs are calculated separately, based on the usage of the individual VMs. For licensing savings, consider what is reported in the previous paragraph. Billing is pay-as-you-go, with no activation or termination fee. For more details please visit the official pricing page.

Conclusions

The Azure Dedicated Host service opens up new usage scenarios for the Azure platform and addresses the needs of customers who require host isolation to meet compliance and governance requirements. The possibility of achieving licensing savings through Azure Hybrid Benefit is also very interesting. The advice is to consider this service only if it is really necessary for your needs; otherwise, use the classic method of deploying virtual machines.

Azure IaaS and Azure Stack: announcements and updates (August 2019 – Weeks: 33 and 34)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Geo Zone Redundant Storage in Azure in preview

Geo Zone Redundant Storage provides a great balance of high performance, high availability, and disaster recovery and is beneficial when building highly available applications or services in Azure. Geo Zone Redundant Storage helps achieve higher data resiliency by doing the following:

  • Synchronously writing three replicas of your data across multiple Azure Availability Zones, as zone-redundant storage does today, protecting from cluster, datacenter, or entire zone failure.

  • Asynchronously replicating the data to another region within the same geo, into a single zone (as locally redundant storage does), protecting from a regional outage.

Ultra Disks generally available

Microsoft Azure Ultra Disks is the new managed disks offering, now generally available, for running data-intensive, business-critical workloads in the cloud that require high I/O performance and low latency. With the introduction of Ultra Disk Storage, Azure includes four types of persistent disk: Ultra Disk Storage, Premium SSD, Standard SSD, and Standard HDD. This portfolio gives you price and performance options tailored to meet the requirements of every workload.

Azure File Sync agent v7.2

Azure File Sync agent v7.2 update rollup is on Microsoft Update and Microsoft Download Center.

Improvements and issues that are fixed:

  • Storage Sync Agent (FileSyncSvc) crashes if the proxy configuration is null.
  • Server endpoint will start BCDR (error 0x80c80257 – ECS_E_BCDR_IN_PROGRESS) if multiple endpoints on the server have the same name.
  • Cloud tiering reliability improvements.

More information about this update rollup:

  • This update is available for Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019 installations that have Azure File Sync agent version 4.0.1.0 or later installed.
  • The agent version of this update rollup is 7.2.0.0.
  • A restart may be required if files are in use during the update rollup installation.
  • Installation instructions are documented in KB4490497.

Azure Files Azure Active Directory Domain Services (Azure AD DS) Authentication

General Availability of Azure Active Directory Domain Services (Azure AD DS) authentication for Azure Files. By enabling integration with Azure AD DS, you can mount your Azure file share over SMB using Azure AD credentials from Azure AD DS domain joined Windows VMs with NTFS ACLs enforced.

Just-in-time (JIT) VM access for Azure Firewall is generally available

Use it to secure your Azure Firewall protected environments in addition to your NSG protected environments.

Azure Firewall: automation to manage your backups

Azure Firewall is the firewall-as-a-service solution available in the Microsoft public cloud, which allows you to secure the resources present in Azure Virtual Networks and to govern the related network flows. This article provides a mechanism, built with Azure Automation, to take scheduled backups of this component's configuration.

Azure Firewall is a solution that is increasingly being used in Azure architectures, thanks to its advantages over third-party firewall solutions and to the constant enrichment of the features offered. From the moment it is adopted, this service becomes the governance center of your Azure networking environment and will contain the different rules that comprehensively manage the network traffic. It is therefore essential to have a strategy that allows you to restore the configuration of the service quickly. The service currently does not have an integrated feature to take a full backup periodically. For this reason I made a runbook in Azure Automation that backs up the Azure Firewall configuration to an Azure blob storage account.

The following paragraphs describe the procedure for enabling periodic configuration backup using this method.

Prerequisites

If you do not have an Azure Automation Account, it is necessary to create one:

Figure 1 – Creating Azure Automation Account

It is also necessary to have a blob storage account on which the Azure Firewall backups will be saved.

Figure 2 — Create blob storage account

In the firewall settings of the storage account, the exception "Allow trusted Microsoft services to access this storage account" must be enabled.

On the storage account you can also consider creating policies that prevent the deletion of backups.

Configuring modules on Azure Automation

Azure Automation supports the use of the Azure PowerShell Az module in runbooks. The Az module is currently not automatically imported into Automation Accounts. For this reason it is necessary to proceed with its configuration as described in this Microsoft document, in particular by following the procedure given below.

Figure 3 – Start process of adding modules


Figure 4 - Selection of the necessary modules and starting the import process

These are the modules required for this automation:

Figure 5 – Required modules

Import and publish of runbook

The next step is to create the Runbook in Azure Automation:

Figure 6 – Creation of Runbook

You can find the code of the runbook on this GitHub page. Once you have created the runbook, you should proceed with its publication.

Figure 7 - Publication of the Runbook.

Runbook schedule

As the last step, you should schedule the periodic execution of the runbook.

Figure 8 - Creation of schedule


Figure 9 - Adding the scheduling to the runbook


Figure 10 - Configuration of parameters required by the runbook

Backups of the Azure Firewall configuration, in JSON format, are automatically saved in the indicated storage account and are retained for the number of days expressed in the "RetentionDays" parameter.

Figure 11 - Azure Firewall Backups inside the container

Restoring your configuration

If you need to restore the Azure Firewall configuration, it is sufficient to deploy the JSON file in the specific resource group, using the following command:

New-AzResourceGroupDeployment -Name "RestoreAzureFirewall" -ResourceGroupName "AFW-RGNamexxx" -TemplateFile ".\xxx-afwxxxxx.json"


Conclusions

Thanks to the adoption of this automation, it is possible to back up the Azure Firewall configuration to an Azure blob storage account. This is particularly useful and strategic in case of wrong modifications of the rules, or in the event of partial or total deletion of the Azure Firewall configuration, whether accidental or carried out by unauthorized persons.

Azure IaaS and Azure Stack: announcements and updates (August 2019 – Weeks: 31 and 32)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, made official by Microsoft in the last two weeks.

Azure

Azure Dedicated Host

Azure Dedicated Host is a new Azure service that enables you to run your organization’s Linux and Windows virtual machines on single-tenant physical servers. Azure Dedicated Hosts provide you with visibility and control to help address corporate compliance and regulatory requirements. Azure Dedicated Host is in preview in most Azure regions.

Azure marketplace charges are available in Azure Cost Management for Pay-As-You-Go customers

Azure marketplace charges are now available within the Cost Analysis tool for Pay-As-You-Go customers. As part of this preview, you can analyze marketplace charges alongside Azure service charges within Cost Analysis and reconcile the Azure marketplace invoice using both Cost Analysis and a new usage CSV download API.

Network security group improvements

New improvements have been added to network security group (NSG), which filters network traffic to and from various Azure resources:

  • Specify ICMP as the protocol in your NSG rules, in addition to TCP, UDP, or Any.
  • Override the default Azure platform considerations by creating an NSG rule with the following service tags. Please exercise caution when using these tags.
    • AzurePlatformDNS for DNS
    • AzurePlatformIMDS for IMDS
    • AzurePlatformLKM for Windows licensing (Key Management Service)

Azure File Sync agent v7.1 update rollup

Azure File Sync agent v7.1 update rollup is on Microsoft Update and Microsoft Download Center. Improvements and issues that are fixed:

  • Accessing or browsing a server endpoint location over SMB is slow on Windows Server 2012 R2.
  • Increased CPU utilization after installing the Azure File Sync v6 agent.
  • Cloud tiering telemetry improvements.
  • Miscellaneous reliability improvements for cloud tiering and sync.

More information about this update rollup:

  • This update is available for Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019 installations that have Azure File Sync agent version 4.0.1.0 or later installed.
  • The agent version of this update rollup is 7.1.0.0.
  • A restart may be required if files are in use during the update rollup installation.
  • Installation instructions are documented in KB4490496.

Most cost-effective storage offering

Microsoft has dropped Azure Archive Storage prices by up to 50 percent in some regions. The new pricing is effective immediately.

New AMD-based Azure VMs for general purpose and memory intensive workloads

New Azure virtual machines part of the Dv3 and Ev3-series, optimized for general purpose and memory intensive workloads, are in Preview. The new general purpose Da_v3 and Das_v3 Azure VM-series provide up to 64 vCPUs, 256 GiBs of RAM and 1,600 GiBs of SSD-based temporary storage. Das_v3 Azure VM-series supports Premium SSD disk storage. The new memory optimized Ea_v3 and Eas_v3 Azure VM-series provide up to 64 vCPUs, 432 GiBs of RAM and 1,600 GiBs of SSD-based temporary storage. Eas_v3 Azure VM-series supports Premium SSD disk storage.

M-series virtual machines (VMs) are generally available in the Brazil South Region

Azure M-series VMs are available in the Brazil South region. M-series VMs offer configurations with memory from 192 GB to 3.8 TiB (4 TB) RAM and are certified for SAP HANA.

Azure Geo and Zone Redundant Storage in public preview

Azure Geo and Zone Redundant Storage (GZRS) helps customers achieve higher data resiliency by synchronously writing three replicas of your data across multiple Availability Zones and asynchronously replicating the data to another region within the same geo, into a single zone (like LRS today), protecting from a regional outage.

Azure Files Active Directory (Azure AD) authentication with Azure AD domain services is generally available

Azure Files offers fully managed file shares in the cloud that are accessible via the industry standard SMB protocol. Integration with Azure AD enables SMB access to Azure file shares using Azure AD credentials from Azure AD domain services domain joined Windows VMs.

Azure Firewall feature updates for July 2019

Here are the Azure Firewall feature updates for July 2019:

  • Multiple public IPs is generally available in all Azure public regions.
  • Availability Zones is now generally available.
  • SQL FQDN filtering is now in preview in all Azure regions.
  • Azure HDInsight FQDN tag is now in preview in all Azure public regions.
  • Central management using partner solutions