Category Archives: Cloud

Azure IaaS and Azure Stack: announcements and updates (June 2019 – Weeks: 21 and 22)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Generation 2 virtual machines in Azure in Public Preview

Generation 2 virtual machines use the new UEFI-based boot architecture vs. the BIOS-based architecture used by Generation 1 VMs. The new architecture enables customers to:

Build large virtual machines (up to 12TB)
Provision OS disks sizes that exceed 2TB, and
Leverage advanced security capabilities like SecureBoot and Virtual Trusted Platform Module (vTPM) to secure their Virtual Machines.

If you want to take advantage of these features, you can now create Generation 2 virtual machines in Azure. For a complete list of capabilities, limitations and details associated with the deployment of Generation 2 virtual machines on Azure, please refer to this documentation.

Azure DDoS Protection Standard introduces DDoS Alert integration with Azure Security Center

DDoS Protection Standard customers can view DDoS Alerts in Azure Security Center (ASC) and this capability is generally available for all ASC and DDoS Standard customers. These DDoS alerts will be available for review in the Security Center in near real-time without any setup or manual integrations required and will provide details on DDoS attacks detected and automatically mitigated by the service.

General availability of Azure NetApp Files

Azure NetApp Files, the industry’s first bare-metal cloud file storage and data management service, is general availability (GA). Azure NetApp Files is an Azure first-party service for migrating and running the most demanding enterprise file-workloads in the cloud including databases, SAP, and high-performance computing applications with no code changes. Azure NetApp Files is a fully managed cloud service with full Azure portal integration. It’s sold and supported exclusively by Microsoft. Customers can seamlessly migrate and run applications in the cloud without worrying about procuring or managing storage infrastructure. Additionally, customers can purchase Azure NetApp Files and get support through existing Azure agreements, with no up-front or separate term agreement.

OpenVPN support in Azure VPN gateways

Microsoft announced the General Availability (GA) of OpenVPN protocol in Azure VPN gateways for P2S connectivity. Form more details you can read this article.

Azure Mv2 Virtual Machines are generally available

Azure Mv2-series virtual machines are hyper-threaded and feature Intel® Xeon® Platinum 8180M 2.5GHz (Skylake) processor, offering up to 208 vCPU in 3TB and 6 TB memory configurations. Mv2 virtual machines provide unparalleled computational performance to support large in-memory databases and workloads such as SAP HANA and SQL Hekaton. Mv2-series VMs are certified by SAP for SAP HANA OLTP and OLAP production workloads. Mv2 VMs are available in US East and US East 2 regions. Mv2 VMs in U.S. West 2, Europe West, Europe North and Southeast Asia regions will become available in the coming months.

Azure Stack

Azure App Service on Azure Stack 1.6 (Update 6) Released

This release updates the resource provider and brings the following key capabilities and fixes:

Updates to App Service Tenant, Admin, Functions portals and Kudu tools. Consistent with Azure Stack Portal SDK version.
Updates to Kudu tools to resolve issues with styling and functionality for customers operating disconnected Azure Stack.
Updates to core service to improve reliability and error messaging enabling easier diagnosis of common issues.

All other fixes and updates are detailed in the App Service on Azure Stack Update Six Release Notes. The App Service on Azure Stack Update 6 build number is 82.0.1.50.

Azure Networking: Point-to-Site VPN access and what's new

Among the different possibilities to establish a hybrid connectivity with the Azure cloud exist VPN Point-to-Site (P2S). Through the VPN P2S you can enable connectivity from one location to the Azure environment, easily and securely. It is a useful solution to allow communication from remote locations to the Virtual Network of Azure, mostly used for test and development purposes. Can be activated alternatively to Site-to-Site VPN if you must provide connectivity to Azure for a very limited number of systems. This article describes the features of this connectivity and displays the latest news about.

To establish hybrid connectivity with Azure we can use different methodologies, each of which has different characteristics and may be eligible for specific scenarios, providing different levels of performance and reliability.

Figure 1 – Options to enable hybrid connectivity with Azure

The Point-to-Site VPN definitely provide a more limited set of features compared to other hybrid connectivity options and are appropriate in specific cases, where only a limited number of places should be connected to the Azure environment. The P2S connection is established by starting directly from the remote system and in the solution are not expected native systems to activate it in an automatic way.

Figure 2 – Comparison of hybrid connectivity options

Protocols used by the P2S VPN

The Point-to-site VPNs can be configured to use the following protocols:

OpenVPN®: is a protocol recently added in Azure, but already widely used by different solutions, that enriches this type of connectivity. This is an SSL/TLS based VPN Protocol, that due to its characteristics more easily traverses firewalls. Furthermore, it is compatible with different platforms: Android, IOS (version 11.0 and above), Windows, Linux and Mac devices (OSX version 10.13 and later).
Secure Socket Tunneling Protocol (SSTP): This is a Microsoft proprietary VPN protocol based on SSL and it can easily cross firewalls, but has the limitation that can only be used by Windows systems. In particular, Azure supports all versions of Windows that include SSTP (Windows 7 and newer).
IKEv2: This is an IPsec VPN solution that can be used by different client platforms, but in order to function it requires that in the firewall are permitted specific communications. IKEv2 is supported on Windows 10 and Windows Server 2016, but in order to use it you need to install specific updates and set certain registry keys. Previous versions of the OS are not supported and can only use SSTP, orOpenVPN®.

Figure 3 – OpenVPN Protocols® and IKEv2 compared

The Point-to-Site VPN require the presence of a VPN gateway on the active virtual network of Azure and depending on the SKU vary the maximum number of possible connections. It should also be taken into account that the VPN Gateway Basic does not support IKEv2 and OpenVPN protocols.

Figure 4 – Gateway SKU in comparison for VPNs P2S

Coexistence between the P2S VPN and S2S VPN for the same virtual network is possible only in the presence of VPN gateway RouteBased.

Supported client authentications

Point-to-site VPN access provides the ability to use the following authentication methods:

Azure native authentication using certificates. With this mode, the authentication takes place via a client certificate present on the device that needs to connect. Client certificates are generated by a trusted root certificate and must be installed on each system to connect. The root certificate can be issued by an Enterprise solution, or you can generate a self-signed certificate. The client certificate validation process is performed by the VPN gateway while attempting to connect the P2S VPN. The root certificate must be loaded into the Azure environment and is required for the validation process.
Authentication using Active Directory (AD) Domain Server. Thanks to this type of authentication users can authenticate using domain credentials. This methodology requires a RADIUS server integrated with AD. RADIUS system can be deployed on-premises or in the VNet of Azure. Using this mechanism, during the authentication process, the Azure VPN Gateway communicates with the RADIUS system, therefore it is essential to provide this communication flow. If the RADIUS server is deployed on-premises, must therefore be a connectivity through S2S VPN with on-premises systems. The RADIUS server can use certificates issued by an internal Certification Authority as an alternative to certificates issued by Azure, with the advantage that it is not necessary to manage Azure upload root certificates and certificate revocation. Another important aspect is that the RADIUS server can be integrated with third-party authentication mechanisms, thus opening the possibility of also use multifactor authentication for P2S VPN access. At the moment the OpenVPN® Protocol is not supported with RADIUS authentication.

Conclusions

Point-to-Site VPNs (P2S) can be very useful to provide connectivity to the Azure Virtual Networks in very specific scenarios. Thanks to the introduction of the support to OpenVPN® protocol it is possible to activate more easily and from different devices (Windows, Mac and Linux), without neglecting safety aspects.

Azure IaaS and Azure Stack: announcements and updates (May 2019 – Weeks: 19 and 20)

Azure

Public IP Prefix

A Public IP prefix is a reserved range of static IP addresses that can be assigned to your subscription. You can use a prefix to simplify IP address management in Azure. Knowledge of the range ahead of time eliminates the need to change firewall rules as you assign IP addresses to new resources. This predictability significantly reduces management overhead when scaling in Azure. Public IP Prefix is available in all Azure public regions, Government cloud regions and China cloud regions.

Azure Premium Files preview

Azure Premium Files preview is available. Premium Files is a new performance tier for Azure Files, which is designed for IO intensive workloads with low latency and higher throughput requirements. Premium files storage provides consistent low latency and offers high throughput and IOPS that scales with your storage. Premium tier provides 20x capacity, 100x IOPS and 170x throughput as compared to the existing standard tier. For more details, see the Premium Files redefines limits for Azure Files blog.

Update rollup for Azure File Sync Agent: May 2019

An update rollup for the Azure File Sync agent was released today.

Improvements and issues that are fixed:

Windows Admin Center fails to display the agent version and server endpoint configuration on servers which have Azure File Sync agent version 6.0 installed.

More information about this update rollup:

This update is available for Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019 installations that have Azure File Sync agent version 4.0.1.0 or later installed.
The agent version of this update rollup is 6.1.0.0.
A restart may be required if files are in use during the update rollup installation.
Installation instructions are documented in KB4489737.

Azure File Sync is supported in West US 2 and West Central US

Azure File Sync is now supported in West US 2 and West Central US

Azure Cost Management multi-cloud for AWS is in preview

Azure Cost Management for AWS is now in public preview and you can manage your AWS spend along your Azure spend in Azure Cost Management. Features like cost analysis and budgets are availble as part of this feature as well, helping simplify your cost management practice on multi-cloud scenarios.

Advanced Threat Protection for Azure Storage is generally available

Advanced Threat Protection (ATP) for Azure Storage provides an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit storage accounts. This layer of protection allows you to protect and address concerns about potential threats to your storage accounts as they occur, without needing to be an expert in security. To learn more, see Advanced Threat Protection for Azure Storage or read about the ATP for Storage price in Azure Security Center pricing page.

Ephemeral OS Disk in Public Preview

Ephemeral OS disks work well for stateless workloads, where applications are tolerant of individual VM failures and are more concerned about the time it takes to deploy at scale or to reimage the individual VMs. In addition, Ephemeral OS disk is free i.e., you incur no storage cost for the Ephemeral OS disk.

Azure Serial Console updated

The Azure Serial Console is an invaluable tool in troubleshooting scenarios where you may be unable to connect to your VM. In addition to VMs, you may now use the Serial Console to troubleshoot and diagnose connectivity issues with your Virtual Machine Scale Set (VMSS) instances. To use Serial Console on a VMSS instance, enable boot diagnostics on the VMSS model and ensure that your instances have been upgraded to the latest model. Use Serial Console just as you would with a VM to troubleshoot and diagnose connectivity issues. In addition, improved language support means that you can now troubleshoot your VMs and VMSS instances in a variety of languages.

Adaptive network hardening in public preview

One of the biggest attack surfaces for workloads running in the public cloud are connections to and from the public Internet. Our customers find it hard to know which Network Security Group (NSG) rules should be in place to make sure that Azure workloads are only available to required source ranges. With this feature, Security Center learns the network traffic and connectivity patterns of Azure workloads and provides NSG rule recommendations, for Internet facing virtual machines. This helps our customer better configure their network access policies and limit their exposure to attacks.

Azure ExpressRoute is generally available in additional locations

Azure ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private connection facilitated by a connectivity provider. The ExpressRoute footprint is expanding to eight new locations:

Amsterdam2
Frankfurt
London2
Perth
Silicon Valley2
Taipei
Washington DC2
Zurich

Red Hat Enterprise Linux BYOS images now available

Red Hat Enterprise Linux images are now available as both BYOS and PAYG offers.

Azure Lab Services update: Address range feature available

In Azure Lab Services was added the ability to provide address range of virtual machines for the labs. This is useful for scenarios where licensing servers for an application on the lab virtual machines only accept a specific range of IP addresses.

Azure Virtual Machine PowerOff available with fast shutdown

The Azure Compute Virtual Machines API has now been updated to allow users to forcefully skip the graceful shutdown period when executing a power off command. This may be useful in situations where a VM may need to be quickly powered off and the risk for data loss or corruption can be ignored. To use this feature, ensure the skipShutdown flag is added to your API or SDK calls.

High-Performance Computing Virtual Machines in new regions

HB-series, designed to provide supercomputer-grade performance and scalability with the best price-performance on the public cloud, are Generally Available in South Central US and Western Europe.

Reserved instance pricing in the Dev/Test Offer

Reserved instances discounts are available for VMs and Azure SQL Database instances created in Dev/Test offer subscriptions. Dev/Test offer provides you a cost-effective way to run your development and testing workloads and with the support of Reserved instances, you can enjoy additional savings and have more purchase controls for your development and test workloads.

How to discover and optimize cloud costs with Azure Cost Management

One of the main features of the cloud is the ability to create new resources with ease and speed. At the same time an important and fundamental challenge is to be able to keep under control the expenses to be incurred for the resources created in the cloud. The tool Azure Cost Management makes it easy to find from which services are generated costs, prevent unnecessary costs and optimize resource costs. This article lists the characteristics of the solution and provides guidance in order to best use it for maximize and optimize investments in cloud resources.

Features of the solution

Azure Cost Management is enabled by default and accessible from Azure portal for all Microsoft Enterprise Agreement and Pay-As-You-Go subscriptions. The availability of the solution for CSP subscriptions (Cloud Solution Providers) is scheduled for the second half of the year. Azure Cost Management contemplates the Azure services, including reservations, and cost data by the use of third-party solutions coming from the Azure Marketplace. All costs shown are based on negotiated prices and the data is updated every four hours.

Azure Cost Management allows you to do the following regarding the cost of cloud resources.

Monitor the cloud costs

With this solution you can provide, to the various departments involved in the use of cloud resources, cost visibility of resources for which they are responsible. Furthermore, you have the option to go into detail and view the trend of costs with a very intuitive and interactive experience. From section Cost analysis you can view the costs, with a chance to put filters on time period and eventually group them according to different parameters.

Figure 1 – Cost analysis – costs accumulated in the last month

Setting for the selected period the daily granularity you can have a graph that shows precisely the day-by-day costs.

Figure 2 – Cost analysis – costs incurred daily

Azure Cost Management also offers the possibility to export the data to Excel or CSV, after setting the required view in section Cost analysis.

Figure 3 -Export the data view created in Cost analysis

The downloaded file contains details about the context used for file generation:

Figure 4 – Summary of Excel sheet created

This feature can be useful for detailed analysis that require a consolidation of this information with other data.

In case there is a need for more functionality in terms of integration and customization you can use Power BI connectors for the creation of specific dashboards and Azure Cost Management APIs to process information with other solutions.

Assignment of responsibility to the various project teams

To raise awareness of the various project teams by making adequate use of resources in terms of spending, you can define your budget. So you can get a significant cost optimization, with no impact in terms of agility in creating resources .

Figure 5 – Creating a budget

When creating a budget it is defined a spending for a certain period of time and you can set the alert to warn those directly responsible when it reaches a certain percentage of the preset threshold.

Optimization of costs

Although you may opt to manage the various Azure resource costs to team by giving them a budget, you can not always be assumed to know how to optimize resource efficiency and reduce costs. Azure Cost Management is able to provide specific recommendations to achieve cost savings.

Figure 6 – Advisor recommendations

In the specific case, to optimize Azure resource costs , it is recommended the purchase ofVirtual Machine Reserved Instances (VM RIs), estimating the annual savings that could be obtained by adopting VM RIs.

Azure Cost Management will soon be enriched with a new feature (currently in public preview) involving the management of costs incurred in the AWS, with the same characteristics as shown for Azure. This integration simplifies management of costs in multi-cloud scenarios.

The Cost of the Solution

You can use Azure Cost Management for free, in all its features, for the Azure environment. As for the management of AWS costs is expected, in the final release, a charge equal to 1% of total spend managed for AWS. For more details on the cost of the solution you can consult the pricing of Cost Management.

Conclusions

Azure Cost Management is a great tool that allows you to maintain complete visibility of costs and to drive you to have a better manage of the expenses in the cloud resources. Thanks to the flexibility of this tool, constantly evolving, you can get the most from the investment in the cloud easily and intuitively.

Azure IaaS and Azure Stack: announcements and updates (April 2019 – Weeks: 17 and 18)

Azure

Azure VMware Solutions

Microsoft Corp. and Dell Technologies announced they are expanding their partnership to address a wider range of customer needs and help accelerate digital transformations. Through this collaboration, the companies will deliver a fully native, supported, and certified VMware cloud infrastructure on Microsoft Azure.

Azure VMware Solutions are built on VMware Cloud Foundation, a comprehensive offering of software defined compute, storage, networking and management, deployed in Azure. With these solutions, customers can capitalize on VMware’s broadly deployed and trusted cloud infrastructure while experiencing the power of Microsoft Azure.

Azure VMware Solutions give customers the power to seamlessly migrate, extend and run existing VMware workloads from on-premises environments to Azure without the need to re-architect applications or retool operations. Customers will be able to build, run, manage, and secure new and existing applications across VMware environments and Microsoft Azure while extending a single model for operations based on established tools, skills and processes as part of a hybrid cloud strategy. Some of the more popular customer scenarios Azure VMware Solutions will support are app migration and datacenter expansion, disaster recovery, and business continuity and modern application development.

Azure Firewall – Price Reduction

Azure Firewall pricing includes a fixed hourly cost ($1.25/firewall/hour) and a variable per GB processed cost to support auto scaling. Microsoft are announcing a price reduction, effective 01/05/2019, for the firewall per GB cost to $0.016/GB (-46.6%) to ensure that high throughput customers maintain cost effectiveness. There is no change to the fixed hourly cost.

Azure Application Gateway Standard v2 and WAF v2 SKUs

Application Gateway is Azure’s Application Delivery Controller as-a-service offering which provides customers with layer 7 load balancing, security and WAF functionality.

Azure Application Gateway Standard v2 and WAF v2 SKUs are generally available and fully supported with a 99.95 SLA. The v2 SKUs also offer the following additional capabilities to Application Gateway and WAF:

Faster provisioning and configuration update time.
Static VIPs ensure that the Application Gateway VIP will not change over its lifecycle.
Autoscaling allows elasticity to your application enabling it to scale up or down based on application traffic pattern. This also eliminates the need to run Application Gateway at peak provisioned capacity, thus significantly saving cost.
Improved performance offers better application performance and also helps reduce overall cost.
Zone redundancy enables your Application Gateway to survive zonal failures, thereby offering better resilience to your applications.
Header Rewrite allows you to add, remove, or update HTTP request and response headers allowing applications to enable various scenarios like HSTS support, securing cookies, changing cache controls, etc. without changing application code.

For more information about the capabilities available, please visit the Application Gateway documentation webpage.

Azure File Sync v6

Azure File Sync Agent v6 is available.

Improvements and issues that are fixed

Agent auto-update support
Support for Azure file share ACLs
Parallel upload and download sync sessions for a server endpoint
New Cloud Tiering cmdlets to get volume and tiering status
Support for FIPS mode
Miscellaneous reliability improvements for cloud tiering and sync

For more details, see KB4489736.

Agent installation notes

This update is available for Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019 installations.
Azure File Sync agent version 4.0.1.0 or a later version is required to upgrade existing agent installations.
A restart may be required if files are in use during the update rollup installation.
The agent version for the v6 release is 6.0.0.0.
Installation instructions are documented in KB4489736.

Azure management services and System Center: What's New in April 2019

Microsoft announces constantly news about Azure management services and System Center. Our community releases on a monthly basis this summary that provides a general overview of the main new features of the current month, in order to stay up to date on these news and have the necessary references to conduct further study.

Azure Log Analytics

Agent

This month the new version ofLog Analytics agent for Linux systems fixes important bugs and improves stability. To obtain the updated version of the Log Analytics agent you can access to the GitHub official page.

Figure 1 – News of the new release of Log Analytics agent

Availability in new regions

The availability of Azure Log Analytics has been extended into three new regions: France Central, Korea Central, and North Europe. Furthermore, it can be activated in preview in the following regions: Central US, East US 2, East Asia, West US and South Central US.

Azure Automation

New features in Azure Update Management

Azure Management Update added the option to have as a target of patch deployment groups of virtual machines, generated by queries that rely on native Azure concepts (such as resource group, location, and tags). The virtual machines can be added dynamically to existing patch deployment based on defined criteria.

System Center Configuration Manager

End of support for SCCM 2007 and FEP 2010

Please note that the support for System Center Configuration Manager 2007 and Forefront Endpoint Protection (FEP) 2010 end on 9 July 2019. After this date will be discontinued by Microsoft: updates (security and non), assisted support and for FEP Microsoft will no longer releases antivirus signatures and engine updates. For those who are using these products it is time to consider switching to the latest version of SCCM.

New releases for the Technical Preview Branch

Released version 1903

For Configuration Manager was released the update 1903 and among other changes was the ability to use a new tool for cost estimates for the deployment of cloud management gateway.

Figure 2 – SCCM Clooud Cost Estimator

For full details of what's new in this release you can consult this document.

Released version 1904

For Configuration Manager was also released the update 1904 which includes new dashboards to identify the devices ready to be upgraded to Office 365 ProPlus.

To verify the details about what's new in this update you can see this document.

Please note that the Technical Preview Branch releases help you to evaluate new features of SCCM and it is recommended to apply these updates only in test environments.

System Center Operations Manager

Support for Windows Server 2012 and for SCOM 2019

After the release of SCOM 2019, Microsoft has decided to change the support statement to allow even the monitor of systems Windows Server 2012. To see the full list of System requirements for System Center Operations Manager 2019 you can consult this document.

Evaluation of Azure and System Center

To test and evaluate free of charge the services offered by Azure you can access this page, while to try the various System Center components you must access theEvaluation Center and, after registering, you can start the trial period.

Azure IaaS and Azure Stack: announcements and updates (April 2019 – Weeks: 15 and 16)

Azure

Gateway Transit support for Global VNet Peering

Global VNet Peering seamlessly connects Azure virtual networks across regions. After virtual networks are peered, they appear as one for connectivity purposes. Traffic between resources in the peered virtual networks is completely private and stays on the Microsoft Backbone. Gateway Transit is a VNet Peering property that enables one virtual network to use the VPN gateway in the peered virtual network for cross-premises connectivity. Previously, support for Gateway Transit was limited to peering within the same region. Now, Gateway Transit is supported for Global VNet Peering in all Azure public regions, Azure China regions, and Azure Government regions. Gateway Transit enables you to use a peered virtual network’s gateway instead of creating a new gateway for connectivity. As you increase your workloads in Azure, you need to scale your networks across regions and virtual networks to keep up with the growth. VNet peering’s Gateway Transit can help simplify your network architecture.

Full IPv6 support for Azure Virtual Networks

Dual Stack IPv4/IPv6 connectivity with full IPv6 support for Virtual Networks is now available. This lets you bring your private IPv6 space into Azure and enables connectivity over IPv6 within your Virtual Networks. With this, you’re able to address IPv4 depletion, meet regulatory requirements, and expand into the growing mobile and IoT markets with your Azure-based applications.

Azure Cost Management generally available for Pay-As-You-Go customers

The general availability of Azure Cost Management features for all Pay-As-You-Go and Azure Government customers will greatly enhance the ability to analyze and proactively manage cloud costs. These features will allow you to analyze your cost data, configure budgets to drive accountability for cloud costs, and export pre-configured reports on a schedule to support deeper data analysis within your own systems. This release for Pay-As-You-Go customers also provides invoice reconciliation support in the Azure portal via a usage csv download of all charges applicable to your invoices.

New experience and APIs for purchasing Azure reservations

The new user experience also shows purchase recommendations for VM size that have consistent usage over the last 30 days, to help you select the right VM size. You can now add multiple products to your cart and purchase them together from the Azure portal, or use the reservation APIs to purchase individual products.

Rewrite HTTP headers with Azure Application Gateway

Rewriting HTTP headers in Azure Application Gateway is now supported. You can add, remove, or update HTTP request and response headers while the request and response packets move between the client and backend application. You can also add conditions to ensure that the headers you specify are rewritten only when the conditions are met. Rewriting headers helps you accomplish several important scenarios such as removing port information from X-Forwarded-For headers, adding security-related header fields like HSTS/ X-XSS-Protection, removing response header fields which may reveal sensitive information, etc.

Azure Backup support to move Recovery Services vaults across subscriptions and resource groups

Azure Backup support for move functionality for recovery services vaults where you can migrate a vault between subscriptions and resource groups with a few steps, in minimal downtime and without any data-loss of old backups. You can move the vault across resource groups and subscriptions. This is very helpful in scenarios like expiry of old subscription, moving from EA to CSP type subscription, organizational and departmental changes or separation between QA environment and production environment. Post migration, all the settings, backup policies and configurations in the vault are retained, including all backup and recovery points created in the past inside the vault. You can restore from retained backup history in the vault regardless of whether the VM is moved with the vault or not to the target subscription.

Azure Availability Zones in UK South and in Japan East

Azure Availability Zones, a high-availability solution for mission-critical applications, is generally available in UK South and in Japan East. Availability Zones are physically separate locations within an Azure region. Each Availability Zone consists of one or more datacenters equipped with independent power, cooling, and networking. With the introduction of Availability Zones, Microsoft offers a service-level agreement (SLA) of 99.99% for uptime of virtual machines. Availability Zones are generally available in select regions.

Azure virtual network service endpoint policies expanded

Public preview for virtual network service endpoint policies for Azure Storage was expanded to four new US regions on March 25. Azure virtual network service endpoint policies enable you to prevent unauthorized access to Azure service resources from your virtual network. You can now allow access to only specific Azure service resources (for example, storage accounts) by using endpoint policies over service endpoints. For details about supported capabilities and limitations, and for configuration guidance, see Virtual network service endpoint policies (preview).

Best practices in Azure deployment with Azure Advisor

In Azure is available the Advisor solution that would provide useful recommendations to optimize the deployment in your environment. Azure Advisor analyzes the configuration of the resources present in the Azure subscriptions and its use, and highlights the issues to consider in order to optimize costs, the performance, high availability and security. This article lists the main characteristics and features of the solution.

Azure Advisor is a totally free solution and included in Azure that allows you to easily optimize the resources in your deployments, offering specific recommendations in the following categories:

High availability: it gives directions on how you can increase the availability of your business-critical applications, in order to ensure greater continuity of service.
Security: reports on how to best protect Azure resources from security threats.
Performance: thanks to constant analysis of resources used, the solution is able to return useful information to increase the speed and responsiveness of applications.
Costs: it provides guidance to maximize the economic return on investment in Azure, thanks to the extra touches that can reduce and optimize costs.

All these recommendations are proactive and, to facilitate its implementation, contain proposals for concrete actions to be carried out.

Azure Advisor is accessible from Azure portal and the overview screen includes the recommendations of the four macro-categories mentioned :

Figure 1 – Azure Advisor overview

All information provided by the solution can be downloaded in two different formats (.pdf and .csv), to facilitate the consultation and to keep them documented.

By selecting each category you will be sent to the detail section, where you can check for any recommendation provided, which resources are impacted and the relative level of criticality (high, medium, low).

Figure 2 – High Availability raccomandations

The recommendations in the field of security are integrated with Azure Security Center and you will be sent to the specific section of the Security Center.

Figure 3 – Security raccomandations

The solution is also provided for integration with Azure SQL DB Advisor, to get useful tips even for improving the performance of datatabase.

Figure 4 – Performance raccomandations

Figure 5 – Cost raccomandations

In the specific case, to optimize Azure resource costs , it is recommended the purchase of Virtual Machine Reserved Instances (VM RIs), estimating the savings that could be achieved by adopting VM RIs 3 years.

For ease of reference, you can apply filters to display only the recommendations relating to specific resources on the subscriptions and in certain resource groups, with the ability to select only the desired categories.

Figure 6 – Azure Advisor Resources configuration

It is also possible to modify, at the moment the only rule on the CPU, the threshold of use of virtual machines to be taken into consideration in the relative assessments.

Figure 7 – Azure Advisor Rules configuration

Azure Advisor provides recommendations for virtual machines, availability set, application gateway, Service App, SQL Server and Redis Cache. The solution performs its assessments in the background and automatically intercept new resources created. Since the creation of new resources, can take up to 24 hours to receive its recommendations.

Every single recommendation can be postponed or ignored for a certain period of time.

Figure 8 – Management of the recommendations

Conclusions

This is a very useful support tool to verify that fulfilled the main best practices in the Azure environment and to guide you in taking appropriate corrective actions. Azure Advisor allows you to centralize in a single solution the different recommendations from different Azure services, to have a global vision and improve implementations in the Azure environment.

Security in the cloud with Azure Sentinel solution

Microsoft recently announced a new cloud solution called Azure Sentinel. It is a service that aims to expand the capabilities and potential of the products SIEM (Security Information and Event Management) traditional, going to use the power of the cloud and artificial intelligence to be able to quickly identify and manage security threats affecting your infrastructure. This article lists the main features of the solution.

Azure Sentinel is a solution that allows real-time analysis of security events and information generated within their own hybrid infrastructure, from server, applications, devices and users. It is a cloud-based service, it follows that one can easily scale and have high-speed processing of information, without the need to implement and manage a dedicated infrastructure, to intercept potential security threats.

Azure Sentinel service can be activated directly from the Azure Portal:

Figure 1 - Creation of service Azure Sentinel

Operating principles of Azure Sentinel

Collect data within the infrastructure

Azure Sentinel leans to Azure Monitor that, using the proven and scalable repository of Log Analytics, is able to accommodate a high volume of data, which it is possible to process them effectively thanks to an engine that ensures high performance.

Figure 2 - Adding Azure Sentinel to an existing Log Analytics workspace

With Azure Sentinel you can aggregate different security data from many sources, using the appropriate connectors embedded in the solution. Azure Sentinel is able to connect, in addition to the different platform solutions, even the most widespread and popular network solutions of third-party vendors, including Palo Alto Networks, F5, Symantec, Fortinet and Check Point. Azure Sentinel also has a native integration with logs that meet the standard formats, as common event and syslog.

Figure 3 -Data Connectors

Using this solution, you also have the ability to easily import data from Microsoft Office 365 and combine them with other security data, in order to get a detailed analysis of your environment and have visibility into the entire sequence of an attack.

Figure 4 – Office 365 Connector

Azure Sentinel also integrates with’Microsoft Graph Security API, which allows you to import your own threat intelligence feeds and customize detection rules of potential security incidents and notification.

Analyze and quickly identify the threats by using artificial intelligence

Azure Sentinel uses scalable machine learning algorithms, able to correlate a high amount of security data, to present to the analyst only potential security incidents, all with a high level of reliability. Thanks to this mechanism Azure Sentinel differs from other SIEM solutions, adopting traditional correlation engines, drastically reducing noise and consequently the effort for the analysis required in detecting threats.

Figure 5 – Azure Sentinel Overview

After enabling the Data Collectors required, you will begin to receive data in the workspace of Log Analytics and setting up ofAlert Rules, it can generateCases to report potential security threats. For more details on how to detect threats with Azure Sentinel, see the Microsoft's official documentation.

Investigate suspicious security activities

The data processed by the solution can be found using the dashboards, customizable to suit your needs. Dashboards allow you to conduct investigations by reducing the time needed to understand the scope of an attack and its impact.

Figure 6 – Dashboards available in Azure Sentinel

Figure 7 – Azure Network Watcher dashboard

If security threats are detected, against the Alert Rules set, it is generated a Case, for which you can set the severity, the status and its assignment.

Figure 8 – Cases

Using the console, you can proceed with the investigation of the case:

Figure 9 – Case Investigation

In the same dashboard you can also perform actions. Proactive research activities of suspicious transactions are a fundamental aspect for security analysts, that with Azure Sentinel can be made through two specific features that allow you to automate the analysis: search query (hunting queries) and Azure Notebooks (based on notebook Jupyter), that are constantly updated.

Figure 10 – Hunting queries

Figure 11 -Example of an Azure Notebook

Automate common tasks and response to threats

Azure Sentinel provides the ability to automate and orchestrate the response to common problems, so you don't have to manually perform repetitive tasks. By means of predefined and customizable playbooks you can quickly respond to security threats.

Figure 12 – Alert playbooks

Figure 13 – Logic Apps Designer

Microsoft also announced that more defense and investigation tools will be integrated in the solution increased.

Conclusions

Azure Sentinel is a complete solution that provides native SIEM in the cloud and introduces significant benefits over traditional SIEM solutions, which require to sustain high costs for the maintenance of the infrastructure and for data processing. Azure Sentinel enables customers to simplify the tasks required to maintain high security in the infrastructure and to scale gradually to suit your needs, providing a wide integration with third party solutions.

Azure IaaS and Azure Stack: announcements and updates (April 2019 – Weeks: 13 and 14)

Azure

Azure Front Door Service is generally available

Azure Front Door Service (AFD) is a scalable and secure entry point for fast delivery of your global applications. AFD is a solution for your global website/application and provides:

Application and API acceleration with anycast and using Microsoft’s massive private global network to directly connect to your Azure deployed backends means your app runs with lower latency and higher throughput to your end users.
Global HTTP load balancing enables you to build your application resiliently across regions, fail-over instantly and offer your users an “always-on” web site availability experience either at a domain or microservice (URL path) level.
SSL offload at a massive scale enables you to maintain security and scale to a rapidly growing or expanding user base, all while reducing latency.
WAF @ Edge offering application security against DDoS attacks or malicious users at the edge providing protection at scale without sacrificing on performance.

ExpressRoute Direct is generally available

ExpressRoute Direct provides 100 Gbps connectivity. It is the first service of its scale in public cloud and focuses on core scenarios around large data-ingestion, R&D, media services, graphics and the like.

ExpressRoute Global Reach is generally available

ExpressRoute Global Reach extends the use of ExpressRoute from on-premises or from your corporate datacenter to Azure, to now also provide connectivity between on-premises sites, using the Microsoft Global network.

Azure Premium Block Blob Storage is generally available

Premium Blob Storage is a new performance tier in Azure Blob Storage for block blobs and append blobs, complimenting the existing Hot, Cool, and Archive access tiers. Premium Blob Storage provides lower and more consistent storage latency, providing low and consistent storage response times for both read and write operations across a range of object sizes, and is especially good at handling smaller blob sizes. Premium Blob Storage is ideal for workloads that require very fast response times and/or high transactions rates, such as IoT, Telemetry, AI, and scenarios with humans in the loop such as interactive video editing, web content, online transactions, and more.

New Azure Disks SKU

All existing Azure Managed Disk offerings (Premium SSD, Standard SSD and Standard HDD) will now feature 8, 16 and 32 TiB disk sizes. In addition, are supported disk sizes up to 64 TiB on Ultra Disks in preview. The performance scale targets for Premium SSD are increased to 20,000 IOPS and 900 MB/sec. Also, Standard SSD performance will now reach up to 6,000 IOPS and 750MBps and Standard HDD to 2000 IOPS and 500MBps .

Advanced Threat Protection for Azure Storage
Advanced Threat Protection for Azure Storage is available. It provides an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit storage accounts.

Azure Blob Storage lifecycle management

General availability of Blob Storage lifecycle management so that you can automate blob tiering and retention with custom defined rules. Azure Blob Storage lifecycle management offers a rich, rule-based policy which you can use to transition your data to the best access tier and to expire data at the end of its lifecycle. This feature is available in all Azure public regions.

Azure Firewall in Government Cloud

Azure Firewall Service is now generally available in Government Cloud. Specific regions and limitations can be found here.

New B-series VM size

A new B-series VM size, B1ls, which has the smallest memory and lowest cost among Azure VM instances is available. B1ls has 512 MiB of memory and 1 vCPU. This offering is in response to customers who were looking for entry-level offerings. B1ls is available only on Linux for the best customer experience. Windows is not supported because the minimum recommended memory for the Windows OS is larger than what B1ls offers. B1ls is best for small web servers, small databases, and development and test environments. It offers a cost-effective way to deploy workloads that don’t need the full performance of the CPU continuously and burst in their performance.

New capabilities in Azure Security Center

Microsoft Azure Security Center has released new capabilities:

Advanced Threat Protection for Azure Storage. Layer of protection that helps customers detect and respond to potential threats on their storage account as they occur—without having to be an expert in security.
Regulatory compliance dashboard. Helps Security Center customers streamline their compliance process by providing insight into their compliance posture for a set of supported standards and regulations.
Support for Virtual Machine Scale Sets (VMSS). Easily monitor the security posture of your VMSS with security recommendations.
Dedicated Hardware Security Module (HSM) service, now available in U.K., Canada, and Australia. Provides cryptographic key storage in Azure and meets the most stringent customer security and compliance requirements.
Azure disk encryption support for VMSS. Now Azure disk encryption can be enabled for Windows and Linux VMSS in Azure public regions—enabling customers to help protect and safeguard the VMSS data at rest using industry standard encryption technology.

New Regions for Azure File Sync

Azure File Sync is available in Korea Central and Korea South. To get the latest list of supported regions, see this document.

New Regions for Traffic Analytics

Traffic Analytics is now available in East Asia, Japan West, France Central and Korea Central.

Update rollup for Azure File Sync Agent: April 2019

An update rollup for the Azure File Sync agent was released.

Improvements and issues that are fixed:

Reliability improvements for offline data transfer and data transfer resume features.
Sync telemetry improvements.

More information about this update rollup:

This update is available for Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019 installations that have Azure File Sync agent version 4.0.1.0 or later installed.
The agent version of this update rollup is 5.2.0.0.
A restart may be required if files are in use during the update rollup installation.
Installation instructions are documented in KB4481061.

Azure Stack

Azure Stack HCI

Microsoft announced Azure Stack HCI solutions for customers who want to run virtualized applications on modern hyperconverged infrastructure (HCI) to lower costs and improve performance. Azure Stack HCI solutions feature the same software-defined compute, storage, and networking software as Azure Stack, and can integrate with Azure for hybrid capabilities such as cloud-based backup, site recovery, monitoring, and more.

With Azure Stack, you can run Azure IaaS and PaaS services on-premises to consistently build and run cloud applications anywhere.

Azure Stack HCI is a better solution to run virtualized workloads in a familiar way – but with hyperconverged efficiency – and connect to Azure for hybrid scenarios such as cloud backup, cloud-based monitoring, etc.