Category Archives: Cloud

Azure management services and System Center: What's New in March 2019

In March there have been several news announced by Microsoft on the Azure management services and System Center. In this summary, that we report on a monthly basis, there are listed all the main news, accompanied by the necessary references to be able to conduct further studies.

Azure Monitor

Availability in Central Canada and UK South

The new service that allows you to monitor the virtual machines, called Azure Monitor for VMsis also available in Central Canada and UK South.

Azure Log Analytics

Availability in new regions

Azure Log Analytics is now available in the regions of Azure China, Australia East and Central Australia. It is also available in Public Preview in the following regions: France Central, Korea Central and North Europe.

Azure Site Recovery

Support for storage accounts protected with firewall rules

In Azure Site Recovery was introduced support for storage accounts that are configured with firewall rules for the Virtual Networks, in replication scenarios from VMware or physical systems to Azure.

Support for managed disks in replication scenarios with VMWare and physical systems

Azure Site Recovery now supports disaster recovery of VMware virtual machines and physical systems, replicating directly towards the managed disks. This avoids creating and managing different storage accounts target for the replica of these systems. The on-premises data are sended to a cache storage account in the target region and written in managed disk by Site Recovery.

New Update Rollup

For Azure Site Recovery was released theUpdate Rollup 35 which it addresses several issues and introduces some improvements. The details and the procedure to follow for the installation can be found in the specific KB 4494485.

Azure Backup

In Azure Backup was officially released the functionality to back up the SQL Server installed in Azure IaaS virtual machines.

Figure 1 – Azure Backup Features for SQL Server in Azure VMs

Among the benefits of this solution there are:

  • Recovery Point Objective (RPO) of 15 minutes
  • Point-in-time restores: to make easy and rapid the recovery operations of the DBs.
  • Long-term retention: ability to keep backups for years.
  • Protection of encrypted databases: chance to make the backup of encrypted SQL databases and safely keep via an encryption at rest integrated into the solution. All backup and restore operations are managed by role-based access control mechanism.
  • Auto-protection: is handled automatically the detection and the protection of new databases.
  • Management and monitoring: allows to carry out a centralized management and monitoring the protection status of the systems.
  • Cost savings: are not required infrastructure costs and allows to easily scale to meet your needs.

System Center

Released System Center 2019

The main novelty regarding System Center is the release in general availability of the major release of System Center 2019. This is the release belonging to the long term servicing channel (LTSC) that will be supported for 10 years and that introduces full support for Windows Server 2019.

Starting from this release, Microsoft has decided to change the System Center product release policies. There will be no more releases in the Semi-Annual Channel (SAC) and new features, before the next release Long-Term Servicing Channel (LTSC), can be obtained via Update Rollup.

System Center 2019 supports upgrade from the two recent Semi-Annual Channel releases (SAC), System Center 1801 and System Center 1807 as well as System Center 2016.

Customers who have a valid license of System Center 2019 can download it from the Volume Licensing Service Center (VLSC).

Among the main features of System Center 2019 we find:

Virtual Machine Manager

  • Integration in VMM with Azure Update Management simplifies patching of virtual machines
  • Dynamic Storage Optimization in VMM enables higher availability of workloads
  • VMM now provides health and operational status of storage disks in Hyper Converged as well as disaggregated deployment
  • New RBAC role in VMM ensures that IT admins can be provided access commensurate with their role and no more
  • Support for latest versions of VMware in VMM (to enable migration to Hyper-V)

Operations Manager

  • SCOM supports integration with Azure services – Dependency Map (Service Map) provides comprehensive visibility of dependencies across servers along with health.
  • Azure Management Pack integrates alerts and performance metrics for Azure resources in SCOM
  • Along with modernized and extensible SCOM web console, subscriptions and notifications are now modernized with support for HTML based email
  • Maintenance schedules in SCOM with SQL server AlwaysOn
  • Update and recommendations for Linux workloads enables discovery of up-to-date MPs for Linux environments
  • Linux monitoring is now resilient to SCOM management server failover
  • All Windows Server Management Packs now support Windows Server 2019

Data Protection Manager

  • Faster backups with DPM with a 75% increase in speed and a monitoring experience for key backup parameters via Log Analytics.
  • DPM further supports backup of VMWare VMs including to tape

More news

  • Orchestrator supports PowerShellv4 +
  • Service Manager has an enhanced AD connector
  • Support for service logon across the System Center suite aligning with security best practices

More information about it can be consulted in the article System Center 2019 is now in general availability.

System Center Configuration Manager

Released version 1902 for the Current Branch

There are many new features in this release designed to enrich and improve different features of the solution. To get the complete list of new features introduced with this build, you can consult this official document. The transition to version 1902 can be done by following the installation checklist, at the end of which it is appropriate to continue with the Checklist post-update.

System Center Operations Manager

Management Packs

Following, are reported the news about the SCOM Management Packs:

  • System Center Management Pack for Message Queuing version 7.1.10242.0
  • System Center Management Pack for Microsoft Azure Stack version 1.0.3.11
  • System Center Management Pack for SharePoint Server 2019 version 16.0.11426.3000

Evaluation of Azure and System Center

To test and evaluate free of charge the services offered by Azure you can access this page, while to try the various System Center components you must access theEvaluation Center and, after registering, you can start the trial period.

Azure Lab Services: how to create lab environments in the cloud

In Azure there is a service called Azure Lab Services to enable lab environments in the cloud, built from a collection of preconfigured virtual machines, in a simple and rapid way. Thanks to this service you can provide a custom lab environment for training or to work in isolated test and development environments. This article shows how to enable and configure the service and explores the main features of the solution.

Features of the solution

The main features of the solution Azure Lab Services are the following:

  • Users who receive the invitation have immediate access to virtual lab machines. All this is possible without having to provide access permissions on the Azure subscription. Access to the lab is done using a simple user experience, through a dedicated web portal.
  • You have the ability to create customized templates for VMs, from which generates virtual machines for different lab.
  • In order to achieve efficient use of resources, is given the option to schedule the automatic startup shutdown of the VMs and the option to limit the hours of use, using quotas. The end result is an optimization of operating costs.
  • Provides the ability to quickly and easily do the provisioning of systems and to scale in a flexibly way, without having to worry about the infrastructure required.

Possible usage scenarios

The use of theAzure Lab Service is recommended for the following scenarios:

  • Professional training or school classes: to configure the lab VMs in a custom way, according to the requirements of the course, to provide an environment where each participant connect and make practical activities and exercises.
  • Hackathons and hands-on labs: to provide an interactive experience during conferences and events, with the ability to easily scale based on the number of participants.
  • Environments for trial and personalized demo: to provide access at the invitation in a private lab where you can make the demo, before the official release of a software solution.
  • Machines for development and test environments: to provide an environment where you have preconfigured systems, used for purposes of development and application tests.

Configuring the environment

The first configuration needed is the creation of a Lab Account, that it is possible to carry out according to what reported:

Figure 1 – Creating a Lab Account

To create a lab you must have one user who belongs to role Lab Creator of the Lab Account. The user used to create the Lab Account has by default this capability as it belongs to the role Owner, but you can add additional users to the role Lab Creator, as below:

Figure 2 — Add a user to the role Lab Creator

In the Lab Account configuration you can specify whether the resources created in the lab are connected to a specific virtual network, having thus access to resources accessible from it:

Figure 3 – Configuration of access to VNet

As owner of the lab account you can specify which of the Azure Marketplace images you can make available to the Lab Creator for the creation of the lab:

Figure 4 – Selection of usable images from Marketplace

These are images that provide the creation of a single virtual machine, using the deployment Azure Resource Manager (ARM) and do not require additional software licenses.

Completed these configurations you can access the portal dedicated to Azure Lab Services to proceed with the configuration of the lab environment.

Figure 5 – Portal dedicated to Azure Lab Services

Doing with an enabled account (Role Owner, Lab Creator, or Contributor) you can create a new lab, setting its name and the maximum number of VMs:

Figure 6 – Creation of the Lab

Then you are prompted to set the specifications (size, region and image) to create the template, from which the environment of the lab will be generated:

Figure 7 – Specifications for creating the template

In the next step you need to specify the credentials to access the virtual machines:

Figure 8 - Configuring credentials

By selecting the button Create starts the template creation process, based on the selected image and attributes, which can take up to 20 minutes. During the creation process you may see the following screen:

Figure 9 – Template being created

At the end of this creation process you can make changes to the virtual machine template, by directly connecting via Remote Desktop, such as the installation and configuration of additional software.

Figure 10 -Customization of the template

When you feel ready, you can proceed with the template publication:

Figure 11 – Publication of the template

Management and use of the environment

When publishing is complete, by accessing the dashboard, you can manage various aspects of the laboratory:

  • Virtual machines: view the list of virtual machines and their allocation status. For each virtual machine you can manage the start, the shutdown, the cancellation, access via RDP and display how many hours the user has used it.
  • Scheduling: set up a mechanism that allows you to turn on and off automatically the VMs in the lab according to a specific or recurrent scheduling. For full details about schedule management consult this document.
  • Users: manage lab enabled users and obtain its registration link. At the moment Azure Lab Services supports organizational account and Microsoft account. Furthermore, you have the option to set a quota on the maximum working hours of the laboratory by the individual user. For further details please visit the Microsoft documentation.
  • Template: make changes to the template to make a new publication.

Figure 12 – Laboratory Management Dashboard

After completing the registration process, the user can access to the Azure Lab Services site and use the lab environment virtual machine assigned to him.

Figure 13 – Access to the lab virtual machines assigned

Who manages the lab environment can check the status of assignment of individual VMs and govern the entire lab environment.

Figure 14 – Allocation status of virtual machines

Conclusions

Thanks to this service you can turn on cloud systems quickly and easily, for lab environments for specific scenarios. All this happens by using the power of the cloud with obvious benefits in terms of flexibility, dynamism and without neglecting the aspects of governance of their environment. The service is certainly destined to get rich quickly with new features to further expand the possible scenarios of use and also to meet the needs of more articulated lab environments.

Azure IaaS and Azure Stack: announcements and updates (March 2019 – Weeks: 11 and 12)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

AzCopy support in Azure Storage Explorer

Azure Storage Explorer provides the UI interface for various storage tasks, and now it supports using AzCopy as a transfer engine to provide the highest throughput for transferring your files for Azure Storage.

Service Map is available in Central Canada and UK South

The Service Map feature of Azure Monitor is now available in Central Canada and UK South. Across the world, it’s available in six public regions. Service Map automatically discovers application components on Windows and Linux systems and maps the communication between services. With Service Map, you can view your servers in the way that you think of them: as interconnected systems that deliver critical services. Service Map shows connections between servers, processes, inbound and outbound connection latency, and ports across any TCP-connected architecture, with no configuration required other than the installation of an agent.

Azure premium blob storage is generally available

Azure premium blob storage is generally available. Premium block blob is a new performance tier in Blob storage, complementing the existing hot, cool, and archive tiers. Premium blob storage is ideal for workloads with high transaction rates or that require very fast access times, such as IoT, telemetry, AI, and scenarios with humans in the loop such as interactive video editing, web content, and online transactions. 

Support for virtual network peering in Azure Security Center

The network map in Azure Security Center now supports virtual network peering. Directly from the network map, you can view allowed traffic flows between peered virtual networks and deep dive into the connections and entities.

Adaptive network hardening in Azure Security Center (Public preview)

Azure Security Center can now learn the network traffic and connectivity patterns of your Azure workload and provide you with network security group (NSG) rule recommendations for your internet-facing virtual machines. This is called adaptive network hardening, and it’s in public preview. It helps you secure connections to and from the public internet (made by workloads running in the public cloud), which are one of the most common attack surfaces.

Windows Virtual Desktop in public preview on Azure

Now available in public preview, Windows Virtual Desktop is the service that delivers simplified management, a multi-session Windows 10 experience, optimizations for Office 365 ProPlus, and support for Windows Server Remote Desktop Services (RDS) desktops and apps. With Windows Virtual Desktop, you can deploy and scale your Windows desktops and apps on Azure in minutes and enjoy built-in security.

Azure IaaS and Azure Stack: announcements and updates (March 2019 – Weeks: 09 and 10)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Azure South Africa regions are available

Azure services are now available from new cloud regions in Johannesburg (South Africa North) and Cape Town (South Africa West), South Africa. The launch of these regions marks a major milestone for Microsoft as they open their first enterprise-grade datacenters in Africa, becoming the first global provider to deliver cloud services from datacenters on the continent. With 54 regions announced worldwide, the Microsoft global cloud infrastructure will connect the new regions in South Africa with greater business opportunity, help accelerate new global investment, and improve access to cloud and internet services across Africa. The new cloud regions in Africa are connected with Microsoft’s other regions via their global network, which spans more than 100,000 miles (161,000 kilometers) of terrestrial fiber and subsea cable systems to deliver services to customers.

Microsoft Azure Sentinel: intelligent security analytics for the entire enterprise

Security can be a never-ending saga, a chronicle of increasingly sophisticated attacks, volumes of alerts, and long resolution timeframes where today’s Security Information and Event Management (SIEM) products can’t keep pace. Microsoft rethinks the SIEM tool as a new cloud-native solution called Microsoft Azure Sentinel. Azure Sentinel provides intelligent security analytics at cloud scale for your entire enterprise. Azure Sentinel makes it easy to collect security data across your entire hybrid organization from devices, to users, to apps, to servers on any cloud.  It uses the power of artificial intelligence to ensure you are identifying real threats quickly and unleashes you from the burden of traditional SIEMs by eliminating the need to spend time on setting up, maintaining, and scaling infrastructure. Since it is built on Azure, it offers nearly limitless cloud scale and speed to address your security needs. Traditional SIEMs have also proven to be expensive to own and operate, often requiring you to commit upfront and incur high cost for infrastructure maintenance and data ingestion. With Azure Sentinel there are no upfront costs, you pay for what you use.

Virtual network service endpoints for Azure Database for MariaDB are available

virtual network service endpoints for Azure Database for MariaDB are accessible in all available regions. Virtual network service endpoints allow you to isolate connectivity to your logical server from only a given subnet or set of subnets within your virtual network. Traffic to Azure Database for MariaDB from the virtual network service endpoints stays within the Azure network, preferring this direct route over any specific routes that take internet traffic through virtual appliances or on-premises.

M-series virtual machines (VMs) are available in the Korea South region and in the China North 2 region

Azure M-series VMs are now available in the Korea South region and in the China North 2 region. M-series VMs offer configurations with memory from 192 GB to 3.8 TiB (4 TB) RAM and are certified for SAP HANA.

Azure Policy root cause analysis and change tracking features

New functionalities have been added to Azure Policy, including root cause analysis and change tracking features. This means that you’ll be able to see why a resource evaluated as non-complaint and what changes were implemented directly by a policy.

Azure Container Registry firewall rules and Virtual Network

Firewall rules and Virtual Network support in Azure Container Registry are available in preview.  Limit registry access to your resources in Azure, or specific on-premises resources, including Express Route connected devices. Virtual Network access is provided through the Azure Container Registry premium tier. General availability pricing will be announced at a later date. 

Azure Lab Services

Azure Lab Services is generally available. With Azure Lab Services, you can easily set up and provide on-demand access to preconfigured virtual machines (VMs) to teach a class, train professionals, run hackathons or hands-on labs, and more. Simply input what you need in a lab and let the service roll it out to your audience. Your users go to a single place to access all their VMs across multiple labs, and connect from there to learn, explore, and innovate.

Azure Availability Zones in East US

Azure Availability Zones, a high-availability solution for mission-critical applications, is now generally available in East US.

Global VNet Peering in Azure Government regions

Global VNet Peering is generally available in all Azure Government cloud regions. This means you can peer virtual networks across the Azure Government cloud regions. You cannot peer across Azure Government cloud and Azure public cloud regions.

Global VNet Peering supports Standard Load Balancer

Previously, resources in one virtual network could not communicate with the front-end IP address of an internal load balancer over a globally peered connection. The virtual networks needed to be in the same region. This is no longer the case. You can communicate with the internal IP address of a Standard Load Balancer instance across regions from resources deployed in a globally peered virtual network. This support is in all Azure regions, including Azure China and Azure Government regions.

New capabilities in Azure Firewall

Two new key capabilities in Azure Firewall:

  • Threat intelligence based filtering: Azure Firewall can now be configured to alert and deny traffic to and from known malicious IP addresses and domains in near real-time. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Threat intelligence-based filtering is default-enabled in alert mode for all Azure Firewall deployments, providing logging of all matching indicators. Customers can adjust behavior to alert and deny.
  • Service tags filtering: a service tag represents a group of IP address prefixes for specific Microsoft services such as SQL Azure, Azure Key Vault, and Azure Service Bus, to simplify network rule creation. Microsoft today supports service tagging for a rich set of Azure services which includes managing the address prefixes encompassed by the service tag, and automatically updating the service tag as addresses change. Azure Firewall service tags can be used in the network rules destination field.
Azure File Sync in Japan East, Japan West, and Brazil South

Azure File Sync is now supported in Japan East, Japan West, and Brazil South regions.

Azure Premium Blob Storage public preview

Premium Blob Storage is a new performance tier in Azure Blob Storage, complimenting the existing Hot, Cool, and Archive tiers. Premium Blob Storage is ideal for workloads with high transactions rates or requires very fast access times, such as IoT, Telemetry, AI and scenarios with humans in the loop such as interactive video editing, web content, online transactions, and more. Premium Blob Storage has higher data storage cost, but lower transaction cost compared to data stored in the regular Hot tier. This makes it cost effective and can be less expensive for workloads with very high transaction rates.

Update rollup for Azure File Sync Agent: March 2019

An update rollup for the Azure File Sync agent was released today which addresses the following issues:

  • Files may fail to sync with error 0x80c8031d (ECS_E_CONCURRENCY_CHECK_FAILED) if change enumeration is failing on the server
  • If a sync session or file receives an error 0x80072f78 (WININET_E_INVALID_SERVER_RESPONSE), sync will now retry the operation
  • Files may fail to sync with error 0x80c80203 (ECS_E_SYNC_INVALID_STAGED_FILE)
  • High memory usage may occur when recalling files
  • Cloud tiering telemetry improvements

More information about this update rollup:

  • This update is available for Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019 installations that have Azure File Sync agent version 4.0.1.0 or later installed.
  • The agent version of this update rollup is 5.1.0.0.
  • A restart may be required if files are in use during the update rollup installation.
  • Installation instructions are documented in KB4481060.
 

Azure Stack

Azure App Service on Azure Stack 1.5 (Update 5) Released

This release updates the resource provider and brings the following key capabilities and fixes:

  • Updates to **App Service Tenant, Admin, Functions portals and Kudu tools**. Consistent with Azure Stack Portal SDK version.
  • Updates to **Kudu** tools to resolve issues with styling and functionality for customers operating **disconnected** Azure Stack.
  • Updates to core service to improve reliability and error messaging enabling easier diagnosis of common issues.

All other fixes and updates are detailed in the App Service on Azure Stack Update Five Release Notes.

Azure storage: Disaster Recovery and failover capabilities

Microsoft recently announced a new feature that allows, for geo-redundant Azure storage account, to carry out a piloted failover. This feature increases control on this type of storage accounts, allowing greater flexibility in Disaster Recovery scenarios. This article shows the working principle and the procedure to follow in order to use this new feature.

Types of storage accounts

In Azure there are different types of storage account with distinct replication characteristics, to obtain different levels of redundancy. If you wish to keep the data present on the storage account even in the face of failures of an entire region of Azure it is necessary to adopt the geo-redundant storage account, among them there are two different types:

  • Geo-redundant storage (GRS): the data is replicated asynchronously into two geographical region of Azure, distant hundreds of miles between them.
  • Read-access geo-redundant storage (RA-GRS): it follows the same replication principle as previously described, but with the characteristic that the secondary endpoint can be accessed to read the replicated data.

Using these types of storage account are maintained three copies of the data in the primary region of Azure, selected during the configuration phase, and an additional three asynchronous copies of the data in another region of Azure, following the principle of Azure Paired Regions.

Figure 1 - Normal operation of the storage type GRS/RA-GRS

For more information about the different types of storage account and its redundancy you can consult the Microsoft's official documentation.

Characteristics of storage account failover process

Thanks to this new feature, the administrator has the option to start the account failover process deliberately, when deemed appropriate. The failover process update the public DNS record of the storage account, in this way, the requests are routed to the endpoint of the storage account in the secondary region.

Figure 2 – Failover process for a GRS/RA-GRS storage account

After the failover process, the storage account is configured to be a locally redundant storage (LRS) and it is necessary to proceed with its configuration to make geo-redundant again.

An important aspect to keep in mind, when you decide to take a failover of the storage account, is that this operation can result in a loss of data, because replication between the two regions of Azure is done asynchronously. Because of this aspect, in case of unavailability of the primary region, may not have been replicated to the secondary region all changes. To verify this condition you can refer to the property Last Sync Time that indicates when it is guaranteed that the data was successfully replicated to the secondary region.

Storage account failover procedure from the Azure Portal

Following, shows the steps to fail over to a storage account directly from the Azure Portal.

Figure 3 – Storage failover process account

Figure 4 – Storage account failover process confirmation

The procedure to start the failover of a storage account can be carried out not only by the portal Azure, but also through PowerShell, Azure CLI, or by using the API for the Azure Storage resources.

How to identify the problems on the storage account

Microsoft recommends that applications that use the storage accounts are designed to support possible errors in the writing stage. In this way, the application should expose any failures encountered in writing, in order to be alerted to the possible unavailability in gaining access to storage in a given region. This would allow take corrective actions, such as the failover of the GRSRA-GRS storage account.

Natively the platform , through the service Azure Service Health, provides detailed information if you experience conditions that affect the operation of its services available in Azure, including storage. Thanks to the complete integration of Service Health on Azure Monitor, which holds the alerting engine of Azure, you can configure specific Alerts if there are issues on Azure side, that impact on the operation of the resources present on your own subscription.

Figure 5 - Create Health alert in the Service Health Service

Figure 6 - Notification rule of issues on storage

The notification occurs through Action Groups, following which it is possible to evaluate the real need to take the storage account failover process.

Conclusions

Before the release of this feature, with GRS/RA-GRS storage account type, failover still had to be driven by Microsoft staff against a storage fault of an entire Azure region. This feature provide to the administrator the ability to failover, providing greater control over storage account. At the moment this feature is available for preview and only for storage accounts created in certain Azure regions. As with other Azure functionality in preview it is best to wait for the official release before using it for workloads in a production environment.

Azure management services and System Center: What's New in February 2019

The month of February was full of news and there are different updates that affected the Azure management services and System Center. This article summarizes to have a comprehensive overview of the main news of the month, in order to stay up to date on these topics and have the necessary references to conduct further exploration.

Azure Monitor

Multi-resource support for metric alerts

With this new feature, you can configure a single metric alert rule to monitor:

  • A list of virtual machines in an Azure region.
  • All virtual machines in one or more resource groups in an Azure region.
  • All virtual machines of a subscription, present in a given Azure region.

Azure Automation

The runbook Update Azure Modules is open source

Azure Automation allows you to update the Azure PowerShell modules imported into an automation account with the latest versions available in the PowerShell Gallery. This possibility is provided through the actionUpdate Azure Moduleson the page Modules of the Automation Account, and is implemented through a hidden runbook. In order to improve diagnostics and troubleshooting activity and provide the ability to customize the module, this has been made open source.

Support for the Azure PowerShell module Az

Azure Automation introduces support for the PowerShell module Az, thanks to which you can use the updated Azure modules within runbooks, to manage the various Azure services.

Azure Log Analytics

New version of the agent for Linux

This month the new OMS Agent version for Linux systems solves a specific bug during installation. To obtain the updated OMS agent version you can access at the GitHub official page.

Availability in new region of Azure

It is possible to activate a Log Analytics workspace also in the Azure regions of West US 2, Australia East and Central Australia. In this way the data is kept and processed in this regions.

Azure Site Recovery

New Update Rollup

For Azure Site Recovery was released theUpdate Rollup 33 introducing new versions of the following components:

  • Microsoft Azure Site Recovery Unified Setup (version 9.22.5109.1): used for replication scenarios from VMware to Azure.
  • Microsoft Azure Site Recovery Provider (version 5.1.3900.0): used for replication scenarios from Hyper-V to Azure or to a secondary site.
  • Microsoft Azure Recovery Services Agent (version 2.0.9155.0): used for replication scenarios from Hyper-V to Azure.

The installation of this update rollup is possible on all systems running Microsoft Azure Site Recovery Service providers, by including:

  • Microsoft Azure Site Recovery Provider for System Center Virtual Machine Manager (3.3.x. x).
  • Microsoft Azure Site Recovery Hyper-V Provider (4.6.x. x).
  • Microsoft Azure Site Recovery Provider (5.1.3500.0) and later.

The Update Rollup 33 for Microsoft Azure Site Recovery Unified Setup applies to all systems that have installed the version 9.17.4860.1 or later.

For more information on the issues resolved, on improvements from this Update Rollup and to get the procedure for its installation is possible to consult thespecific KB 4489582.

Protection of Storage Space Direct cluster

In Azure Site Recovery (ASR) is introduced, with the Update Rollup 33, also the support for the protection of Storage Space Direct cluster, used to realize Guest Cluster in Azure environment.

Azure Backup

In Azure Backup has been released the feature of Instant Restorefor the virtual machines in Azure, that allows using the stored snapshots for the VMs recovery. Also it is given the option to configure the time of retention for the snapshots in the backup policy (from one to five days, the default is two days). This increases control over the protection of the resources, adapting it to specific requirements and depending on the criticality of the same.

Figure 1 – Retention period of the snapshot

System Center Configuration Manager

Released versions 1902 and 1902.2 for the Technical Preview Branch

Among the main new features of this release is included the ability to manage more effectively the restart notifications on systems managed by Configuration Manager.

For full details of what's new in this release you can consult this document. Please note that the Technical Preview Branch releases help you to evaluate new features of SCCM and it is recommended to apply these updates only in test environments.

System Center Operations Manager

Management Packs

Following, are reported the news about the SCOM Management Packs:

  • Microsoft System Center 2016 Management Pack for Microsoft Azure version 1.6.0.7
  • Microsoft System Center Management Pack for SQL Server 2017+ Reporting Services version 7.0.12.0
  • Log Analytics Management Pack forSCOM 1801 version7.3.13288.0 and SCOM 2016 version7.2.12074.0
  • System Center Management Pack for Windows DNS Server version 10.0.9.3

Evaluation of Azure and System Center

To test and evaluate free of charge the services offered by Azure you can access this page, while to try the various System Center components you must access theEvaluation Center and, after registering, you can start the trial period.

Azure IaaS and Azure Stack: announcements and updates (February 2019 – Weeks: 07 and 08)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Serial console for Azure Virtual Machines (feature update)

The serial console for Azure Virtual Machines enables you to reboot your VM from within the console experience. This ability will help you if you want to reboot a stuck VM or enter the boot menu of your VM.

Azure File Sync v5 release

Improvements and issues that are fixed:

  • Support for Azure Government cloud
    • Added preview support for the Azure Government cloud. This requires a white-listed subscription and a special agent download from Microsoft.
  • Support for Data Deduplication
    • Data Deduplication is now fully supported with cloud tiering enabled on Windows Server 2016 and Windows Server 2019. Enabling deduplication on a volume with cloud tiering enabled lets you cache more files on-premises without provisioning more storage.
  • Support for offline data transfer (e.g. via Data Box)
    • Easily migrate large amounts of data into Azure File Sync via any means you choose. You can choose Azure Data Box, AzCopy and even third party migration services. No need to use massive amounts of bandwidth to get your data into Azure, in the case of Data Box.
  • Improved sync performance
    • Customers with multiple server endpoints on the same volume may have experienced slow sync performance prior to this release. Azure File Sync creates a temporary VSS snapshot once a day on the server to sync files that have open handles. Sync now supports multiple server endpoints syncing on a volume when a VSS sync session is active. No more waiting for a VSS sync session to complete so sync can resume on other server endpoints on the volume.
  • Improved monitoring in the portal
    • Charts have been added in the Storage Sync Service portal to view:
      • Number of files synced
      • Size of data transferred
      • Number of files not syncing
      • Size of data recalled
      • Agent connectivity status
  • Improved scalability and reliability
    • Maximum number of file system objects (directories and files) in a directory has increased to 1,000,000. Previous limit was 200,000.
    • Sync will try to resume data transfer rather than retransmitting when a transfer is interrupted for large files

Agent installation notes:

  • The Azure File Sync agent is supported on Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019.
  • Azure File Sync agent version 4.0.1.0 or a later version is required to upgrade existing agent installations.
  • A restart may be required if files are in use during the installation.
  • The agent version for the v5 release is 5.0.2.0.

Installation instructions are documented in KB4459989.

Service tags are available in Azure Firewall network rules

A service tag represents a group of IP address prefixes to help minimize complexity for security rule creation. You cannot create your own service tag, nor specify which IP addresses are included within a tag. Microsoft manages the address prefixes encompassed by the service tag, and automatically updates the service tag as addresses change. Azure Firewall service tags can be used in the network rules destination field. You can use them in place of specific IP addresses. Service tags are fully supported in all public regions using PowerShell/REST/CLI by simply including the tag string in a network rule destination field. Portal support is being rolled out and will incrementally be available in all public regions in the near future.

Azure Governance: introduction to Azure Policy

IT governance is the process through which an organization can ensure an effective and efficient use of IT resources, in order to achieve their goals. Azure Policy is a service available in the Microsoft public cloud that can be used to create, assign and manage policies to control the resources in Azure. Azure Policy, natively integrated into the platform, are a key element for the governance of the cloud environment. In this article, the principles of operation and features of the solution are reported.

In Azure environments you can find different subscriptions on which develop and operate several groups of operators. The common requirement is to standardize, and in some cases impose, how to configure the resources in the cloud. All this is done to obtain specific environments that meet compliance regulations, monitor security, resource costs and standardize the design of different architectures. These goals can be achieved with a traditional approach, that includes a block of operators (Dev/Ops) in the direct access to cloud resources (through the portal, API or cli). This traditional approach is, however, inflexible, because it involves a loss of agility in controlling the deployment of resources. Instead, using the mechanism that comes natively from Azure platform is possible to drive the governance to achieve the desired control, without impacting speed, the basic element in the operations of the modern IT.

Figure 1 – Traditional approach vs cloud-native governance

In Azure Policy you can do the following reported:

  • Enable built-in policy or configure them to meet your needs.
  • Perform real-time evaluation of the criteria set out in the policy and force execution.
  • Assess the compliance of the policy periodically or on request.
  • Enable audit policy on the virtual machine guest environment (Vm In-Guest Policy).
  • Apply policies on Management Groups in order to gain control over the entire organization.
  • Apply multiple criteria and aggregate the various states of the policies.
  • Configure scope over which the exclusions are applied.
  • Enable real-time remediation steps, also for existing resources.

All this translates into the ability to apply and enforce policy compliance on a large scale and its remediation actions.

The working mechanism of the Azure Policy is simple and integrated into the platform. When a request is made for an Azure resource configuration using ARM, this is intercepted by the layer containing the engine that performs the evaluation of policy. This engine makes an assessment based on active Azure policies and establishes the legitimacy of the request.

Figure 2 – Working principle of Azure Policy in creating resources

The same mechanism is then repeated periodically or upon request, to assess the compliance of existing resources.

Figure 3 – Working principle of Azure Policy in resource control

Azure already contains many built-in policies ready to be applied. Furthermore, in this GitHub repository you can find different definitions of Azure Policies, that can be used directly or modified to suit your needs. The definition of the Azure Policy is made in JSON and follows a well defined structure, described in this Microsoft's document. You also have the possibility of creating Initiatives, they are a collection of multiple policies.

Figure 4 – Example of defining a Azure Policy

When you have the desired policy definition, it is possible to assign it to a subscription and possibly in a more limited way to a specific Resource Group. You also have the option of excluding certain resources from the application of the policy.

Figure 5 – Process of assigning an Azure Policy

Following the assignment, you can evaluate the State of compliance in detail and if it is necessary apply remediation actions.

Figure 6 – State of compliance

Figure 7 -Example of remediation action

 

Conclusions

Through the use of Azure Policy you can totally control your own Azure environment, in a simple and efficient way. Statistics provided by Microsoft cite that considering the 100 top Azure Customers, 92 these use Azure Policy to control their environment. This is because, when you increase the complexity and amount of services on Azure is essential to adopt instruments, as Azure Policy, to have effective governance policies.

Azure Monitor: introduction to monitor service for virtual machines

In Azure Monitor was introduced a new service that allows you to monitor virtual machines, called Azure Monitor for VMs. This service analyzes the performance data and the status of virtual machines, makes the monitor of the installed processes and examines its dependencies. This article shows the characteristics of the solution and describes the procedure to be followed to effect the activation.

Features of the solution

The service Azure Monitor for VMs is divided into three different perspectives:

  • Health: the logical components present on board of the virtual machines are evaluated according to specific pre-configured criteria, generating alerts when certain conditions are met. This feature, at the moment, is present only for systems that reside in Azure.
  • Performance: shows summary details of performance, from the guest operating system.
  • Map: generates a map with the interconnections between the various components that reside on different systems.

This solution can be used on Windows and Linux virtual machines, regardless of the environment in which they reside (Azure, on-premises or at other cloud providers).

Azure Monitor for VMs requires the presence of a workspace of Log Analytics. Since this is a feature currently in preview, workspace are supported in these regions: West Central US, East US, West Europe and Southeast Asia. Enabling a Log Analytics workspace can occur according to these modes:

To identify the operating systems that are supported by this solution, please visit the Official Microsoft documentation.

 

How to enable Azure Monitor for VMs

To enable the solution for a single virtual machine, from the Azure Portal, it is possible to proceed by accessing the section Insights from the virtual machine:

Figure 1 – Enabling Azure Monitor for VMs on a single VM

Enabling the solution on a single virtual machine it is possible to choose which Log Analytics workspace use and possibly create a new one. The advice is to precede before with the creation of workspace, so you can assign a meaningful name. The workspace of Log Analytics must be configured as follows:

  • You must have installed the solutions ServiceMap and InfrastructureInsights. The installation of this solutions can be done via JSON templates, according to the instructions in this document.

Figure 2 – Presence of solutions ServiceMap and InfrastructureInsights

Figure 3 – Collecting the performance counters enabled on Log Analytics workspace

Azure Monitor for VMs requires Log Analytics agent on virtual machines, also the functionality of Map requires the installation of the Microsoft Dependency agent. This is an additional agent which relies on Log Analytics agent for the connection to the workspace.

If you want to enable the solution for systems in Azure, you can activate the Dependency agent using the appropriate extension, that do the installation. For virtual machines that reside on Azure you must install it manually or via a solution that automates the deployment (such as System Center Configuration Manager).

To enable this feature automatically on new virtual machines created in Azure environment and achieve a high level of compliance you can also use the Azure Policy. Through the Azure Policy you can:

  • Deploy the Log Analytics agent and Dependency agent.
  • Having a report on the status of compliance
  • Start remediation actions for non-compliant VMs.

Figure 4 – Adding an Assignment

Figure 5 - Initiative definition to enable Azure Monitor for VMs

Figure 6 - Check of the state of compliance of the Policy

 

Consulting data collected from the solution

To analyze and identify critical operating system events, detect suboptimal performance and network issues, you can refer to the data provided by this solution directly from VM or using Azure Monitor, in case you want to have an aggregated view of the various virtual machines. All this allows you to detect and identify if problems are related to specific dependencies on other services.

Figure 7 – State of Health of a single virtual machine

Figure 8 – Performance gathered from multiple VMs, accessible by Azure Monitor

Figure 9 – Dependencies Map of various services present on VMs, accessible by Azure Monitor

For more information about using the features of Health you can consult this Microsoft documentation, while the article View Azure Monitor for VMs Map shows how to identify and analyze the dependencies detected from the solution.

Costs of the solution

By activating the solution Azure Monitor for VMs, the data collected by the virtual machines are sent and maintained in Azure Monitor and can depend on several factors, such as the number of logical disks and network adapters. The costs are those related to Azure Monitor, which has costs on the basis of the following elements:

  • Data ingested and collected.
  • Number of health monitored criteria.
  • Alert rule created.
  • Notifications sent.

 

Conclusions

The service Azure Monitor for VMs allowing you to have a fully integrated tool in Azure to monitor the virtual machines and to obtain a complete control of systems, regardless of where they reside. This solution is also particularly useful to conduct troubleshooting operations in a simple and immediate way. This service, although it is currently in preview, is already full enough and it will be enriched soon with new features.

How to reduce the cost of the cloud with Microsoft Azure

The evolution of the data center allows us to have solutions completely in the public cloud or hybrid scenarios where, the decision to use resources in the cloud, in addition to functional factors, must necessarily be made taking into consideration the fundamental aspect of costs. This article lists the directions that you can follow to achieve cost savings, maintaining their own application workloads on Azure.

Azure Reservations

The cost of various Azure services is calculated on the basis of resource usage and you can make an estimate of the cost by using the Azure pricing calculator.

If, of Azure resources in the environment, is done a continuous use is possible to evaluate the activation of Azure Reservations.

The Azure Reservation allow you to achieve cost savings up to 72% compared to the pay-as-you-go price , simply prepay in advance for one or three years the use of Azure resources. Currently, Azure resources that allow to obtain these discounts are: virtual machines, Azure SQL Database, Azure Cosmos DB and SUSE Linux. The purchase of this reservation can be made directly from the portal Azure and is feasible for customers who have the following types of subscription:

  • Enterprise agreement: in this area are not contemplated resources residing in Dev/Test subscription. It is possible to draw upon the Azure Monetary Commitment to purchase the Azure Reservation.
  • Pay-As-You-Go.
  • Cloud Solution Provider (CSP): in this case the purchase is feasible even from the Partner Center.

Among the Azure reservation there are:

  • Reserved Virtual Machine Instance: the reservation covers only the virtual machine's computational costs, and it does not cover the additional costs from software installed aboard the VM, from networking, or from storage utilization.
  • SQL Database reserved vCore: also in this case includes only computational costs, while the licenses are billed separately.
  • Azure Cosmos DB reserved capacity: the reservation covers the actual throughput of the resource, but does not cover the expected costs of storage and networking.
  • Suse Linux: saves on SUSE Linux Enterprise license costs.

How to buy the Azure Reservations from the Azure Portal

To purchase Reservations from Azure portal it is possible to follow the procedure given below.

Figure 1 – Adding Azure Reservation from portal and type selection

Figure 2 – Configuration of the parameters required for the Reserved Virtual Machine Instances

Figure 3 – Summary of Azure Reservations purchased

For more details about how the Reservation affect the calculation of Azure costs, you can consult the following Microsoft documents:

Hybrid Benefit

Another option to consider for reducing Azure costs is the use ofAzure Hybrid Benefit, that saves up to 40% on the cost of Windows Server virtual machines that are deployed on Azure. The savings is given from the fact that Microsoft allows you to pay only the cost of Azure infrastructure, while the licensing for Windows Server is covered by Software Assurance. This benefit is applicable both to the Standard and Datacenter version and is available for Windows Server 200 R2 or later.

Figure 4 – Cost structure for a Windows VM

The Azure Hybrid Benefit can be used in conjunction with the Azure Reserved VM Instance, allowing overall savings that can reach 80% (in the case of purchase of Azure Reserved Instance for 3 years).

Figure 5 – Percentages of savings by adopting RIs and Azure Hybrid Benefit

If you are not in the condition to use Azure Hybrid Benefit, the cost of Windows Server licensing is calculated based on usage time of the virtual machine and according to the number of cores.

The Azure Hybrid Benefit can also be used for Azure SQL Database and SQL Server installed on Azure virtual machines. These advantages facilitate the migration to cloud solutions and help to maximize the investments already made in terms of SQL Server licenses. For more information on how you can use the Azure Hybrid Benefit for SQL Server you can view FAQ in this document.

The cost savings, guaranteed by the use of Azure Hybrid Benefits, can be estimated using the tool Azure Hybrid Benefit Savings Calculator.

Recently Microsoft has conducted studies on the costs to be incurred to enable Windows Server and SQL Server in the cloud that highlight how, thanks to the use of Azure Reservations and Azure Hybrid Benefit, AWS is up to 5 times more expensive than Azure. The comparative between Azure and AWS costs is easily possible to evaluate with the instrument Azure vs.. AWS Cost Comparison.

Conclusions

Azure is definitely the most cost-effective choice to host in particular Microsoft workloads, being able to have lower cost thanks to the advantages provided by the Azure Reservation and the Azure Hybrid Benefit. Furthermore, thanks to the tool Azure cost management, made available for free to all Azure customers, you have the ability to monitor and optimize the costs of various Azure services.