Category Archives: Cloud

OMS and System Center: What's New in November 2018

Microsoft announces constantly news about Operations Management Suite (OMS) and System Center. Our community releases this monthly summary that gives you a comprehensive overview of the main news of the month, to stay up to date on these topics and have the necessary references to conduct further investigation.

Operations Management Suite (OMS)

Azure Monitor

SQL Data Warehouse now allows you to send diagnostic information to a workspace of Log Analytics. This setting allows developers to better analyze the behavior of their application workloads to optimize queries, to better manage the use of resources and undertake troubleshooting operations.

Figure 1 – SQL Data Warehouse Diagnostics settings

Log Analytics

Starting from 1 February 2019 changes are foreseen regarding service-level agreements (SLAs) for Log Analytics and Application Insights (which are now part of Azure Monitor). The new SLAs refer to the availability of the query (Query Availability SLA) that for a given resource will be of 99.9 %. Previously, SLAs were referring to data latency (Data latency SLA).

Agent

This month the new version ofOMS agent for Linux systems fixes important bugs and improves stability. To obtain the updated version of the OMS agent you can access to the official GitHub page OMS Agent for Linux Patch v 1.8.1-256.

Figure 2 – Bug fixes and what's new for the OMS agent for Linux

Azure Backup

For Microsoft Azure Backup Server has been released version 3 (MABS V3), which includes important bug fixes, introduces support for Windows Server 2019 and SQL Server 2017, and introduces new features and improvements including:

  • Support for the protection of VMware virtual machines for production environments.
  • Use TLS 1.2 for communications between MABS and protected servers, for certificate-based authentication, and for cloud backups.

The MABS V3 code is based on the System Center Data Protection Manager 1807. To get more information about it, please consult the Knowledge Base Microsoft Azure Backup Server v3.

Azure Site Recovery

In Azure Site Recovery was introduced support for the firewall-enabled storage accounts. Thanks to this support you can replicate to another region, for disaster recovery purposes, virtual machines with unmanaged disks, residing on firewall-enabled storage accounts. The firewall-enabled storage account can also be selected as a storage target for unmanaged disks. You can also restrict access to the cache storage account, so that you can write only by the virtual network that host virtual machines. In these cases it is necessary to enable the exception as described in Microsoft documentation Allow trusted Microsoft services.

 

System Center

System Center Configuration Manager

For the Current Branch (CB) of System Center Configuration Manager has been releasedupdate 1810, that introduces new features and major improvements in the product.

The main novelty of this update reveals the possibility for Central Administration sites and child primary sites to have an additional site server in passive mode, on-prem or on Azure.

Figure 3 – Site server High Availability Architecture

For a complete list of new features introduced in this version of Configuration Manager you can consult the official documentation.

System Center Operations Manager

Following, are reported the news about the SCOM Management Packs:

  • Windows Server Cluster 2016 and 1709 Plus version 10.6.6
  • Windows Print Server 2016 and 1709 more version 10.6.1
  • Windows Server Network Load Balancing 2016 and 1709 plus versione 10.2.1
  • Internet Information Service 2016 and 1709 Plus version 10.9.1
  • Windows Server DNS versione 10.9.2
  • Windows Server DHCP 2016 and 1709 Plus version 10.11.0
  • Active Directory Federation Services version 10.3.0
  • Active Directory Federation Services 2012 R2 version 1.10172.1
  • Skype for Business Server 2019 version 2046.19
  • Windows Server 2012 DHCP version 6.0.7307.0
  • UNIX and Linux Operating Systems versione 7.7.1136.0
  • Microsoft Windows Server File & iSCSI Services 2012 R2 version 7.1.10100.2
  • Microsoft Windows Server File & iSCSI Services 2016 and 1709 More version 10.0.0.0

 

Evaluation of Azure and System Center

To test and evaluate free of charge the services offered by Azure you can access this page, while to try the various System Center components you must access theEvaluation Center and, after registering, you can start the trial period.

How to monitor Office 365 with Azure Log Analytics

In Azure Log Analytics is available a specific solution that consolidates within the Log Analytics workspace different information from the environment Office 365, making the consultation of the data simple and intuitive. This article will look at the characteristics of this solution and It will illustrate the steps to follow for the relative activation.

Features of the solution

The solution allows you to use Log Analytics to perform the following tasks related to Office 365:

  • Monitor the activities carried out by administrators, in order to track changes to configurations and operations that require elevated privileges.
  • Analyze the activities of account in Office 365 in order to identify behavioral trends and monitor resource utilization. For example, you can determine which files are shared outside your organization or check the most used SharePoint sites.
  • Provide support in audits and compliance. It is possible for example to control access to specific files that are considered confidential.
  • Identify any unwanted behaviors that are performed by users, based on specific organizational needs.
  • Play easier troubleshooting tasks that become necessary in your environment Office 365.

To enable this solution you must have an account with the role Global Administrator. For a single Log Analytics workspace you can connect multiple subscriptions Office 365. In case you want to merge in the Log Analytics workspace also the Audit events of Office 365 you must enable auditing on the subscription Office 365, by following the steps in this documentation.

Figure 1 – Enabling Office 365 audit

Solution activation

To enable theOffice 365 Management solution You must follow these steps. The solution collects data directly from Office 365, without the iteration of any agent of Log Analytics.

Figure 2 – Access to Workspace summary from the Azure portal and adding solution

Figure 3 - Selection of the solution of Office 365

Figure 4 – Selection of the workspace to use

The solution requires the presence of an Azure Active Directory application, configured as reported later, which is used to access data in Office 365.

Figure 5 – Adding a new App registration in Azure AD

Figure 6 – Creation of the App registration required for solution

Figure 7 – Enable Multi-tenanted

Figure 8 -Added API Access for Office 365 Management APIs

Figure 9 - Selection of permission for Office 365 Management APIs

Figure 10 – Assignment of permissions

To be able to configure the solution is required a key for the Azure Active Directory application created.

Figure 11 – Generating a key for the application

At this point, you must run the PowerShell script office365_consent.ps1 which enables administrative access. This script is available at this link.

Figure 12 - Command line example for the execution of the script office365_consent.ps1

Figure 13 - Request for administrative approval

The last step needed to complete activation is the script PowerShell office365_subscription.ps1, also available at this link, which subscribes the Azure AD application to the Log Analytics workspace.

Figure 14 - Command line example for the execution of the script office365_subscription.ps1

initial setup may take several minutes to view data from office 365 in Log Analytics. All records created by this solution in Log Analytics have the Type in OfficeActivity. The value contained in the property OfficeWorkload determines which Office Service 365 refers: Exchange, Azure Active Directory, SharePoint, or OneDrive. In the property RecordType instead, is showed the type of operation performed.

The solution adds to the dashboard the following tile:

Figure 15 - Tile Office 365

When selected it will open the specific dashboard, which divides the various services activities collected from Office 365.

Figure 16 – Dashboard of Office 365

Of course you can also perform specific queries to suit your needs:

Figure 17 - Examples of queries to return specific records collected by the solution

Conclusions

The collection in Log Analytics of activities carried out in Office 365 allows granular control of the environment, in order to satisfy at best and with a single instrument to regulations concerning auditing and compliance.

Azure File Sync: solution overview

The Azure File Sync service (AFS) allows you to centralize the network folders of your infrastructure in Azure Files, allowing you to maintain the typical characteristics of a file server on-premises, in terms of performance, compatibility and flexibility and at the same time to benefit from the potential offered by cloud. This article describes the main features of the Azure File Sync service and the procedures to be followed to deploy it.

Figure 1 – Overview of Azure File Sync

Azure File Sync is able to transform Windows Server in a "cache" for quick access to content on a given Azure file share. Local access to data can occur with any protocol available in Windows Server, such as SMB, NFS, and FTPS. You have the possibility to have multiple "cache" servers in different geographic locations.

These are the main features of Azure File Sync:

  • Multi-site sync: you have the option to sync between different sites, allowing write access to the same data between different Windows Servers and Azure Files.
  • Cloud tiering: are maintained locally only recently accessed data.
  • Integration with Azure backup: becomes invalid the need to back up data on premises. You can get content protection through Azure Backup.
  • Disaster recovery: you have the option to immediately restore metadata files and retrieve only the data you need, for faster service reactivation in Disaster Recovery scenarios.
  • Direct access to the cloud: is allowed to directly access content on the File Share from other Azure resources (IaaS and PaaS).

 

Requirements

In order to deploy Azure File Sync, you need the following requirements:

A Azure Storage Account, with a file share configured on Azure Files, in the same region where you want to deploy the AFS service. To create a storage account, you can follow the article Create a storage account, while the file share creation process is shown in this document.

A Windows Server system running Windows Server 2012 R2 or later, who must have:

  • PowerShell 5.1, which is included by default since Windows Server 2016.
  • PowerShell Modules AzureRM.
  • Azure File Sync agent. The setup of the agent can be downloaded at this link. If you intend to use AFS clustered environment, you should install the agent on all nodes in the cluster. In this regard Windows Server Failover Clustering is supported by Azure Sync Files of deployment type “File Server for general use”. The Failover Cluster environment is not supported on “Scale-Out File Server for application data” (SOFS) or on Clustered Shared Volumes (CSVS).
  • You should keep the option "Internet Explorer Enhanced Security Configuration" disabled for Administrators and for Users.

 

Concepts and service configuration

After confirming the presence of these requirements the Azure File Sync activation requires to proceed with the creation of the service Storage Sync:

Figure 2 – Creating Storage Sync service

This is the top-level resource for Azure File Sync, which acts as a container for the synchronization relationships between different storage accounts and multiple Sync Group. The Sync Group defines the synchronization topology for a set of files. The endpoints that are located within the same Sync Group are kept in sync with each other.

Figure 3 – Creating Sync Group

At this point you can proceed with server registration by starting the agent Azure File Sync.

Figure 4 – Initiation of the process of Sign-in

Figure 5 – Selection of server registration parameters

Figure 6 – Confirmation of registration of the agent

After the registration the server will also appear in the "Registered servers" section of the Azure portal:

Figure 7 – Registered servers into Storage Sync service

At the end of the server registration is appropriate to insert a Server Endpoints within the Sync Group, which integrates a volume or a specific folder, with a Registered Server, creating a location for the synchronization.

Figure 8 – Adding a Server Endpoint

Adding a Server Endpoint you can enable Cloud tiering that preserves, locally on the Windows Server cache, most frequently accessed files, while all the remaining files are saved in Azure on the basis of specific policies that can be configured. More information about Cloud Tiering capabilities can be found in the Microsoft's official documentation. In this regard, it is appropriate to specify that there's no support between Azure File Sync with enabled cloud tiering, and data deduplication. If you want to enable Windows Server Data Deduplication, cloud tiering capabilities must be maintained disabled.

After adding one or more Server Endpoint you can check the status of the Sync Group:

Figure 9 – Status of Sync Group

 

To achieve successful Azure File Sync deployment you should also carefully check compatibility with antivirus and backup solutions that are used.

Azure File Sync and DFS Replication (DFS-R) are two data replication solutions and can also operate in side-by-side as long as these conditions are met:

  1. Azure File Sync cloud tiering must be disabled on volumes with DFS-R replicated folders.
  2. The Server endpoints should not be configured on DFS-R read-only folders.

Azure File Sync can be a great substitute for DFS-R and for the migration you can follow the instructions in this document. There are still some specific scenarios that might require the simultaneous use of both replication solutions:

  • Not all on-premises servers that require a copy of the files can be connected to the Internet.
  • When the branch servers consolidate data in a single hub server, on which is then used Azure File Sync.
  • During the migration phase of deployment of DFS-R to Azure File Sync.

Conclusions

Azure File Sync is a solution that extends the classic file servers deployed on-premises with new features for content synchronization, using the potential of Microsoft public cloud in terms of scalability and flexibility.

Microsoft Azure: guide for the choice of the Region

Microsoft Azure is located in different places around the world and is the first to have datacenters in more geographical areas than any other cloud providers. This aspect provides a wide scalability, necessary to deliver applications in proximity of the geographical location of users, while preserving the residence of data and providing compliance and resiliency options. You can choose, between different Azure regions, where activate your services, undoubtedly has many advantages, but it is worth considering different aspects when you are faced with this choice. In this article we will be carried over the main elements that should be taken into account in the choice of the region of Azure.

A region in Azure consists of multiple datacenters residing in a specific geographical area and that are connected to each other through a low-latency network. To see the complete list of the Azure regions you can access the page Azure locations. Within a region are present physically distinct location denominated Availability Zones. Each Availability Zone is composed of multiple datacenters equipped independently of the others regarding the power, cooling systems and networks. Each region is paired with another region within the same geographical area, in order to preserve the data resiliency and increase compliance levels.

Figure 1 – Pair regions and Availability Zones within the same data residency boundary

Figures 2 – Azure regional pairs

The choice of the Azure region must be done carefully taking into consideration some key aspects, each of which can have a decisive influence.

 

Performance

Definitely one of the predominant factors in choosing the region is given by the performance, that they are bound by the network latencies in reaching the Azure datacenters. Typically, you choose the region closest geographically, but you can't always identify easily. In support of this choice you can use some useful third-party tools that provide objective values:

  • Azure Speed Test 2.0: by accessing this site, you can measure the latency from your web browser to the various Blob Storage Service residing in various Azure regions.

Figures 3 – Result shown from Azure Speed Test

  • Azure Latency Test: shows the network latency from your location to different Azure regions, with the ability to easily apply filters.

Figures 4 – Result shown from Azure Latency Test

 

Availability of services

Not all Azure services are available in all regions, it follows that it is appropriate to check carefully whether the Azure service that you intend to use is offered in the selected region. To see the Azure services available in each region you can access this page, that allows you to quickly apply filters to check the availability of services offered for region.

 

Compliance laws and residence of the data

Many organizations are cautious in the approach to cloud computing because they need their data geographically reside in a certain territory. Maintain the confidentiality of data is essential for all, but for customers who have specific needs in terms of compliance and data-residency, Microsoft offers all the information you need:

  • Date residency: by accessing this web site you can get all the information about where the data resides, distinguishing between the services for which you choose the region they belong and those who do not provide this selection during deployment.
  • Compliance: in this portal are listed useful support information for customers who have to comply with specific regulations regarding the use, transmission and archive of data.

 

Costs

The costs of the various Azure services may vary depending on region. If the others factors are not decisive in choosing, It may be useful to consider to deploy services in the region where they are most economically advantageous. In order to verify the costs of different services you can access the Azure pricing page.

Conclusions

The choice of the Azure region most appropriate for their business needs, must necessarily be made taking into consideration the factors listed. Since this is a strategic choice and not easily editable, the advice is to carefully examine the items listed above, in order to design the best architecture in Microsoft Azure environment.

Azure Virtual WAN: introduction to the solution

Azure Virtual WAN is a new network service that allows you to optimize and automate the branch-to-branch connectivity through Azure. Thanks to this service you can connect and configure network devices in branch to allow communication with Azure (branch-to-Azure). This article examines the components involved in Azure Virtual WAN and shows the procedure to be followed for its configuration.

 

Figure 1 – Azure Virtual WAN overview

The Azure Virtual WAN configuration includes the creation of the following resources.

 

Virtual WAN

The Virtual WAN resource represents a virtual layer of Azure network and collect different components. It is a layering that contains links to all the virtual hubs that you want to have inside the Virtual WAN. Virtual WAN resources are isolated and cannot contain common hubs.

Figure 2 – Start the process of creating Azure Virtual WAN

Figure 3 – Creating Azure Virtual WAN

When creating the Virtual WAN resource you are prompted to specify a location. In reality it is a global resource that does not reside in a particular region, but you are prompted to specify it just to be able to manage and locate more easily.

By enabling the option Network traffic allowed between branches associated with the same hub allows traffic between the various sites (VPN or ExpressRoute) associated with the same hub (branch-to-branch).

Figure 4 – Branch-to-branch connectivity option

 

Site

The site represents the on-prem environment. You will need to create as many sites as are the physical location. For example, if you have a branch office in Milan, one in New York and one in London, you will need to create three separate sites, which contain their endpoints of network devices used to establish communication. If you are using Virtual WAN partner network equipment, provides solutions to natively export this information into the Azure environment.

Figure 5 – Creating a site

In the advanced settings you can enable BGP, which if activated becomes valid for all connections created for the specific site . Among the optional fields you can specify device information, that may be of help to the Azure Team in case of any future enhancements or Azure support.

 

Virtual Hub

A Virtual Hub is a Microsoft-managed virtual network. The hub is the core component of the network in a given region and there can be only one hub for Azure region. The hub contains different service endpoints to allow to establish connectivity with the on-prem environment. Creating a Virtual Hub involves the generation of a new VNet and optionally a new VPN Gateway. The Hub Gateway is not a classic virtual network gateway that is used for ExpressRoute connectivity and VPN and it is used to create a Site-to-site connection between the on-prem environment and the hub.

Figure 6 – Creating a Hub

Figure 7 -Association of the site with a Hub

The Hubs should be associated with sites residing in the same region where there are the VNet.

 

Hub virtual network connection

The resource Hub virtual network connection is used to connect the hub with the virtual network. Currently you can create connections (peering) with virtual networks that reside in the same region of the hub.

Figure 8 – Connection of the VNet to a hub

Configuring the VPN device on-prem

To configure the VPN on-prem device, you can proceed manually, or if you are using Virtual WAN partner solutions, the configuration of the VPN devices can occur automatically. In the latter case the device controller gets the configuration file from Azure and applies the configuration to devices, avoiding the need to proceed with manual configurations. It all feels very comfortable and effective, saving time. Among the various virtual WAN partners we find: Citrix, Riverbed, 128 Technology, Barracuda, Check Point, NetFoundry and Paloalto. This list is intended to expand soon with more partners.

By selecting Download VPN configuration creates a storage account in the resource group 'microsoft-network-[location]’ from which you can download the configuration for the VPN device on-prem. That storage account can be removed after retrieving the configuration file.

Figure 9 - Download the VPN configuration

Figure 10 – Download the configuration file on the storage account

After configuration of the on-prem device, the site will be connected, as shown in the following figure:

Figure 11 - State of the connected site

It also provides the ability to establish ExpressRoute connections with Virtual WAN, by associating the circuit ExpressRoue to the hub. It also provides for the possibility of having Point-to-Site connections (P2S) towards the virtual Hub. These features are now in preview.

The Health section contains useful information to check the connectivity for each Hub.

Figure 12 – Check Hub health

 

Conclusions

Virtual WAN is the new Azure service that enables centralized, simple and fast connection of several branch, with each other and with the Microsoft public cloud. This service allows you to get a great experience of connectivity, taking advantage of the Microsoft global network, which can boast of reaching different region around the world, more than any other public cloud providers.

Azure Security Center: introduction to the solution

Azure Security Center is a cloud solution that helps prevent, detect and respond to security threats that affect the resources and workloads on hybrid environments. This article lists the main characteristics and features, to address the use cases and to understand the potential of the instrument.

Key features and characteristics of Azure Security Center

  • It manages security policies centrally. It ensures compliance with the safety requirements to be imposed on business and regulatory. Everything is handled centrally through security policies that can be applied to different workloads.

Figure 1 – Policy & Compliance Overview

Figure 2 – Policy management

  • It makes Security Assessment. It monitors the situation continuously in terms of security of machines, networks, storage and applications, in order to identify potential security problems.
  • It provides recommendations that you can implement. Are given indications that are recommended to implement to fix the security vulnerabilities that affect your environment, before they can be exploited in potential cyber attacks.

Figure 3 – Recommendations list

  • It assigns priorities to warnings and possible security incidents. Through this prioritization you can focus first on the security threats that may impact more on the infrastructure.

Figure 4 – Assigning severity for each report

Figure 5 – Assigning severity for each potential security incident detected

  • It allows to configure your cloud environment in order to protect it effectively. It is made available a simple method, quickly and securely to allowjust-in-time access to system management ports and applications running on the VM, by applying adaptive controls.

Figure 6 – Enabling Just-in-time VM access

  • It provides a fully integrated security solution. Allows you to collect, investigate and analyze security data from different sources, including the ability to integrate with third-party solution.

Figure 7 – Integration with other security solutions

 

The Cost of the Solution

Security Center is offered in two different tiers:

  • Free tier. In this tier Azure Security Center is completely free and provides visibility into security of resources residing only in Azure. Among the features offered there are: basic security policy, security requirements and integration with third-party security products and services.
  • Standard tier. Compared to tier free adds enhanced threat detection (including threat intelligence), behavioral analysis, anomaly detection and security incidents and reports of conferral of threats. The tier standard extends the visibility on the security of the resources that reside on-premises, and hybrid workloads. Through machine learning techniques and having the ability to create whitelist it allows to block malware and unwanted applications.

Figure 8 – Comparison of features between the available pricing tiers

For the Standard tier, you can try it for free for 60 days after that, if you want to continue using the solution, you have a monthly fee for single node. For more information on costs of the solution you can access to the official page of costs.

Figure 9 – Standard tier upgrade screen

To take advantage of all the Security Center features is necessary to apply the Standard Tier to the subscribtion or to the resource group that contains the virtual machines. Configuring the tier Standard does not automatically enable all features, but some of these require specific configurations, for example VM just in time, adaptive control of applications and network detection for resources in Azure.

 

Basic principles of operation

The collection of security data from systems, regardless of their location, is via the Microsoft Monitoring Agent, that it provides to its sending to a Log Analytics workspace. Security Center requires a workspace on which you enabled the following solution according to tier chosen:

  • Free tier: the Security Center enables the solution SecurityCenterFree.
  • Standard tier: the Security Center enables the solution Security. If in the workspace is already installed the solution Security & Auditit is used and nothing else is installed.

To save the data collected from the Security Center you can use a Log Analytics workspace created by default or select a specific one associated with the relative Azure subscription.

Figure 10 – Configuration of the workspace of Log Analytics where you collect the data

Conclusions

Azure Security Center is an appropriate, mature and structured solution to meet the security requirements for cloud, on-premises, or hybrid environments. Thanks to several features covered provides the knowledge that Microsoft has matured in the management of its services, combining it with powerful new technologies, as machine learning and big data, to treat and manage consciously and effectively the security.

OMS and System Center: What's New in August 2018

In August have been announced, by Microsoft, a considerable number of news about Operations Management Suite (OMS) and System Center. Our community releases this monthly summary that gives you a comprehensive overview of the main news of the month, in order to stay up to date on these news and have the necessary references to conduct further study.

Operations Management Suite (OMS)

Azure Log Analytics

As already announced in the article The management of Log Analytics from the Azure portal Microsoft has chosen to abandon the OMS portal, in favour of the Azure Portal. The date announced for the final withdrawal of the OMS portal is the 15 January 2019. As a result of this choice also creation of new workspace of Azure Log Analytics can be performed only from the Azure Portal. Trying to create a new workspace from the old OMS portal you will be redirected to the Azure portal to complete the task. Have not made any changes to REST API and PowerShell to create workspaces.

Even the Advanced Analytics Portal is incorporated into the Azure Portal. At the moment you can access this portal by logging on to Logs (preview) available in the workspace of Log Analytics.

Figure 1 - Advanced Analytics available in the Logs (preview) from the Azure Portal

 

Azure Automation

Managing updates through Azure Automation Update Management sees the addition of a new option for the deployment of the updates. When creating or editing an update deployment is now an option the Reboot, that allows you to control whether and when reboot systems. For more information please visit the official technical documentation.

Figure 2 – Reboot option available in the update deployment

In the functionality of Change Tracking the following changes have been made:

  • To track changes and make the inventory of the files in the Windows environment now you can use: recursion, wildcards, and environment variables. In Linux there is already the support for recursion and wildcards.
  • As for the changes that are processed in files, both Windows and Linux, introduced the ability to display the content of the changes.
  • Introduced the possibility to reduce the frequency with which Windows services are collected (frequency is expressed in seconds and runs from a minimum of 10 seconds to a maximum of 30 minutes).

Agent

This month the new version ofOMS agent for Linux systems fixes some bugs and introduces an updated version for several core components, that increase the stability, the safety and improve the installation process. Among the various news is introduced the support for Ubuntu 18.04. To obtain the updated version of the OMS agent you can access to the official GitHub page OMS Agent for Linux Patch v 1.6.0-163. In the case the OMS agent for Linux systems has been installed using the Azure Extension and if its automatic update is active, this update will be installed independently.

Figure 3 – Bug fixes and what's new for the OMS agent for Linux

 

Azure Site Recovery

For Azure Site Recovery was released theUpdate Rollup 27 introducing new versions of the following components:

  • Microsoft Azure Site Recovery Unified Setup/Mobility agent (version 9.18.4946.1): used for replication scenarios from VMware to Azure.
  • Microsoft Azure Site Recovery Provider (version 5.1.3550.0): used for replication scenarios from Hyper-V to Azure or to a secondary site.
  • Microsoft Azure Recovery Services agent (version 2.0.9125.0): used for replication scenarios from Hyper-V to Azure.

The installation of this update rollup is recommended in deployments where there are components and their respective versions below reported:

  • Unified Setup/Mobility agent version 9.14.0000.0 or later.
  • Site Recovery Provider (with System Center VMM): version 3.3. x. x or later.
  • Site Recovery Provider (for replication without VMM): version 5.1.3100.0 or later.
  • Site Recovery Hyper-V Provider: version 4.6. x. x or later.

For more information on the issues resolved, on improvements from this Update Rollup and to get the procedure for its installation is possible to consult the specific KB 4055712.

 

In Azure Site Recovery was introduced support for enabling disaster recovery scenarios Cross-subscription, for IaaS virtual machines, as long as belonging to the same Azure Active Directory tenant. This feature is very useful because often you have environments that use different Azure subscriptions, created primarily to have greater control of costs. Thanks to this new support you can more easily reach business continuity requirements creating disaster recovery plans without altering the topology of the Azure subscriptions in your environment.

Figure 4 - VM replica configuration to a different subscription target

 

Azure Site Recovery now can integrate with Veritas Backup Exec Instant Cloud Recovery (ICR) with the release of Backup Exec 20.2. Using ICR, Backup Exec users are able to configure replication of VMs on-premises to Azure and easily operate the DR plan if necessary, reducing the Recovery Point Objective (RPO) and the Recovery Time Objective (RTO). Instant Cloud Recovery requires a subscription Azure and supports Hyper-V and VMware virtual machines. For more details and references you can see thespecific announcement.

Azure Backup

In this interesting article there is the procedure to monitor all workloads protected by Azure Backup using Log Analytics.

System Center

System Center Configuration Manager

Released the version 1806 for the Current Branch (CB) of System Center Configuration Manager that introduces new features and major improvements in the product.

Among the main innovations of this update there is a new feature called CMPivot. It is a new utility available in the Configuration Manager console that can provide information in real time about connected devices in your environment. On this information you can apply filters and groupings, then perform certain actions.

Figure 5 – Features and benefits of CMPivot functionality

For a complete list of new features introduced in this version of Configuration Manager, you can consult theofficial announcement.

 

Released the version 1808 for the branch Technical Preview of System Center Configuration Manager. This update introduces the ability to perform a gradual release of software updates automatically. The button that allows you to configure this operation is shown in figure below and can be found in the console nodes All Software Updates, All Windows 10 Updates, and Office 365 Updates.

Figure 6 – Phased Deployment creation button

For more information about configuring Phased Deployments in Configuration Manager, you can refer to the Microsoft technical documentation .

I remind you that the releases in the Technical Preview Branch allows you to evaluate in preview new SCCM functionality and is recommended to apply these updates only in test environments.

 

System Center Operations Manager

Released the updated version of Microsoft System Center 2016 Management Pack for Microsoft Azure (version 1.5.20.18).

There are also the following news:

 

Evaluation of OMS and System Center

Please remember that in order to test and evaluate for free Operations Management Suite (OMS) you can access this page and select the mode that is most appropriate for your needs.

To try out the various components of System Center you must access theEvaluation Center and after the registration you can start the trial period.

Azure Networking: introduction to the Hub-Spoke model

A network topology increasingly adopted by Microsoft Azure customers is the network topology defined Hub-Spoke. This article lists the main features of this network architecture, examines the most common use cases, and shows the main advantages that can are obtained thanks to this architecture.

The Hub-Spoke topology

In a Hub-Spoke network architecture, theHub is a virtual network on Azure that serves as the point of connectivity to the on-premises network. This connectivity can be done through VPN Site to site or through ExpressRoute. The Spoke are virtual networks running the peering with the Hub and can be used to isolate workloads.

The architecture basic scheme:

Figure 1 – Hub-Spoke basic network architecture

This architecture is also designed to position in the Hub network a network virtual appliance (NVA) to control the flow of network traffic in a centralized way.

Figure 2 - Possible architecture of Hub vNet in the presence of NVA

In this regard it should be noted that Microsoft recently announced the availability of the’Azure Firewall, a new managed service and fully integrated into the Microsoft public cloud, that allows you to secure the resources present on the Virtual Networks of Azure. At the moment the service is in preview, but soon it will be possible to assess the adoption of Azure Firewall to control centrally, through policy enforcement, network communication streams, all cross subscriptions and cross virtual networks. This service, in the presence of Hub-Spoke network architectures , lends itself to be placed in the Hub network, in order to obtain complete control of network traffic.

Figure 3 - Positioning Azure Firewall in the Hub Network

For additional details on Azure Firewall you can see Introduction to Azure Firewall.

When you can use the Hub-Spoke topology

The network architecture Hub-Spoke is typically used in scenarios where these characteristics are required in terms of connectivity:

  • In the presence of workloads deployed in different environments (development, testing and production) which require access to the shared services such as DNS, IDS, Active Directory Domain Services (AD DS). Shared services will be placed in the Hub virtual network, while the various environments (development, testing and production) will be deployed in Spoke networks to maintain a high level of insolation.
  • When certain workloads must not communicate with all other workloads, but only with shared services.
  • In the presence of reality that require a high level of control over aspects related to network security and needing to make a segregation of the network traffic.

Figure 4 – Hub-Spoke architecture design with its components

The advantages of the Hub-Spoke topology

The advantages of this Azure network topology can be summarized as:

  • Cost savings, because shared services can be centralized in one place and used by multiple workloads, such as the DNS server and any virtual appliances. It also reduces the VPN Gateways to provide connectivity to the on-premises environment, with a cost savings for Azure.
  • Granular separation of tasks between IT (SecOps, InfraOps) and workloads (Devops).
  • Greater flexibility in terms of management and security for the Azure environment.

Useful references for further reading

The following are the references to the Microsoft technical documentation useful to direct further investigation on this topic:

Conclusions

One of the first aspects to consider when you implement solutions in the cloud is the network architecture to be adopted. Establish from the beginning the most appropriate network topology allows you to have a winning strategy and avoid to be in the position of having to migrate workloads, to adopt different network architectures, with all the complications that ensue.

Each implementation requires a careful analysis in order to take into account all aspects and to make appropriate assessments. It is therefore not possible to assert that the Hub-Spoke network architecture is suitable for all scenarios, but certainly it introduces several benefits that make it effective for obtaining certain characteristics and have a high level of flexibility.

OMS and System Center: What's New in July 2018

Microsoft announces constantly news about Operations Management Suite (OMS) and System Center. As usual our community releases this monthly summary that provides a general overview of the main new features of the month, in order to stay up to date on these topics and have the necessary references to conduct further exploration.

Operations Management Suite (OMS)

Azure Log Analytics

The possible integration of Azure Data Factory (ADF) with Azure Monitor lets you send usage metrics to Operations Management Suite (OMS). The new solution Azure Data Factory Analytics, available in the Azure marketplace, can provide an overview of the State of health of the Data Factory, allowing you to go into detail of the information collected. This can be very useful for troubleshooting. It is also possible to collect metrics from different data factories to the same workspace of OMS Log Analytics. For configuration details required to use this solution, you can see the official documentation.

Figure 1 – Overview of the new Azure Data Factory Analytics solution

In Log Analytics, query execution introduces the ability to easily select the workspace on which to execute the queries.:

Figure 2 - Selection of the workspace on which to perform the Log Analytics query

The same possibility is also introduced in Azure Application Insights Analytics. This feature is useful because in each query tab you can select the specific workspace, avoiding having to open Log Analytics in different browser tabs.

In case they are collected custom logs in Azure Log Analytics, a separate category was created called "Custom Logs", where they are grouped.

Figure 3 – Grouping of custom logs in the specific category

For workspace of Log Analytics present in the region of West Europe, East US, and West Central was announced the availability in public preview of Metric Alerts for logs. The Metric alerts for logs allow you to use data from Log Analytics as metrics of Azure Monitor. The types of supported logs has been extended and the complete list is available at this link. For more information please visit the official documentation.

Azure Backup

In Azure Pricing Calculator, the official Microsoft tool for estimating the cost of Azure services, has been made possible to obtain a more accurate estimate of the costs of Azure Backup, allowing you to specify different retention range for the Recovery Points.

Figure 4 – New parameters to make a more accurate estimate of costs of Azure Backup

 

Azure Site Recovery

For Azure Site Recovery was released theUpdate Rollup 26 introducing new versions of the following components:

  • Microsoft Azure Site Recovery Unified Setup/Mobility agent (version 9.17.4897.1): used for replication scenarios from VMware to Azure.
  • Microsoft Azure Site Recovery Provider (version 5.1.3400.0): used for replication scenarios from Hyper-V to Azure or to a secondary site.
  • Microsoft Azure Recovery Services agent (version 2.0.9122.0): used for replication scenarios from Hyper-V to Azure.

The installation of this update rollup is recommended in deployments where there are components and their respective versions below reported:

  • Unified Setup/Mobility agent version 9.13.000.1 or later.
  • Site Recovery Provider version 5.1.3000 or later.
  • Hyper-V Recovery Manager 3.4.486 or later.
  • Site Recovery Hyper-V Provider 4.6.660 or later.

For more information on the issues resolved, on improvements from this Update Rollup and to get the procedure for its installation is possible to consult the specific KB 4344054.

Azure Automation

Regarding Azure Automation has been introduced the possibility to configure the Hybrid Runbook Workers so that they can execute only runbooks digitally signed (the execution of unsigned runbooks not fail). The procedure to be followed is reported in this section of the Microsoft's article.

System Center

Following the first announcement of the Semi-Annual Channel release of System Center, took place in February with the version 1801, this month has been released the new update release, System Center 1807.

The update release 1807 introduces new features for Virtual Machine Manager and Operations Manager, while for Data Protection Manager, Orchestrator and Service Manager contains fixes for known issues (including bug fixes present in the UR5 for System Center 2016, released in April).

What's new in Virtual Machine Manager 1807
  • Supports selection of CSV for placing a new VHD
  • Display of LLDP information for networking devices
  • Convert SET switch to logical switch
  • VMware host management: VMM 1807 supports VMware ESXi v6.5 servers in VMM fabric
  • Support for S2D cluster update
  • Support for SQL 2017
What's new in Operations Manager 1807
  • Configure APM component during agent install or repair
  • Linux log rotation
  • HTML5 Web console enhancements
  • Support for SQL Server 2017
  • Operations Manager and Service Manager console coexistence

For further details please visit the Microsoft official documentation:

System Center 1807 can be download from System Center Evaluation Center.

For all System Center products (DPM, SCORCH, SM, SCOM and VMM) you can now Update existing deployments going from SQL server 2016 to SQL server 2017.

Please remember that the release belonging to the Semi-Annual Channel have support for 18 months.

System Center Configuration Manager

Released the version 1807 for the branch Technical Preview of System Center Configuration Manager. The main novelty in this release is l & #8217; introduction of the new Community hub, through which you can share scripts, reports, configuration items and more, about Configuration Manager. Through the community hub, accessible from the SCCM console, you can introduce into your environment solutions provided by the community.

Among the new features in this release are also:

  • Improvements to third-party software updates
  • Co-managed device activity sync from Intune
  • Approve application requests via email
  • Repair applications
  • Admin defined offline operating system image servicing drive
  • Improvements to run scripts

Please note that the Technical Preview Branch releases help you to evaluate new features of SCCM and it is recommended to apply these updates only in test environments.

System Center Operations Manager

In order to configure the connection between Operations Management Suite (OMS) and System Center Operations Manager you must import the following new management packs, version-specific:

This change to the MPs was made necessary to allow proper communication with new APIs of OMS Log Analytics, introduced after moving towards the Azure Portal of Log Analytics.

Figure 5 - SCOM Wizard for the OMS onboarding

It is reported the new wave of System Center Operations Manager management packs released for SQL Server, now lined up to version 7.0.7.0:

In July were also released the following Management Packs for the Open Source software, version 7.7.1129.0, which include the following news:

Apache HTTP Server

  • Supports Apache HTTP Server version 2.2 and 2.4
  • Provides monitoring of busy and idle workers
  • Provides monitoring of resource usage – memory and CPU
  • Provides statistics for virtual hosts such as “Requests per Minute” and “Errors per Minute”
  • Provides alerting for SSL Certificate expiration

MySQL Server

  • Supports MySQL Server version 5.0, 5.1, 5.5, 5.6, and 5.7
  • Supports MariaDB Server version 5.5, and 10.0
  • Provides monitoring of databases
  • Provides monitoring of disk space usage for server and databases
  • Provides statistics for Key Cache, Query Cache, and Table Cache
  • Provides alerting for slow queries, failed connections, and full table scans

The following new MPs have also been released by Microsoft:

  • MP for Active Directory Federation Services version 0.2.0
  • MP for Active Directory Federation Services 2012 R2 version 1.10172.1
  • MP for Microsoft Azure version 5.20.18

Please also note the new community version (1807) of the Azure Management Pack, issued by Daniele Grandini.

Evaluation of OMS and System Center

Please remember that in order to test and evaluate for free Operations Management Suite (OMS) you can access this page and select the mode that is most appropriate for your needs.

To try out the various components of System Center, you can access theEvaluation Center and after the registration you can start the trial period.

Introduction to Azure Firewall

Microsoft recently announced the availability of a long-awaited service required by the users of systems in the Azure environment , it is the’Azure Firewall. The Azure Firewall is a new managed service and fully integrated into the Microsoft public cloud, that allows you to secure the resources present on the Virtual Networks of Azure. This article will look at the main features of this new service, currently in preview, and it will indicate the procedure to be followed for its activation and configuration.

Figure 1 – Positioning of Azure Firewall in network architecture

The Azure Firewall is a type of firewall stateful, which makes it possible to centrally control, through policy enforcement, network communication streams, all cross subscriptions and cross virtual networks. This service, in the presence of type of network architectures hub-and-spoke, lends itself to be placed in the Hub network, in order to obtain a complete control of the traffic.

The Azure Firewall features, currently available in this phase of public preview, are the following:

  • High availability (HA) Built-in: high availability is integrated into the service and are not required specific configurations or add-ons to make it effective. This is definitely an element that distinguishes it compared to third-party solutions that, for the configuration of Network Virtual Appliance (NVA) in HA, typically require the configuration of additional load balancers.
  • Unrestricted cloud scalability: Azure Firewall allows you to scale easily to adapt to any change of network streams.
  • FQDN filtering: you have the option to restrict outbound HTTP/S traffic towards a specific list of fully qualified domain names (FQDN), with the ability to use wild card characters in the creation of rules.
  • Network traffic filtering rules: You can create rules to allow or of deny to filter the network traffic based on the following elements: source IP address, destination IP address, ports and protocols.
  • Outbound SNAT support: to the Azure Firewall is assigned a public static IP address, which will be used by outbound traffic (Source Network Address Translation), generated by the resources of the Azure virtual network, allowing easy identification from remote Internet destinations.
  • Azure Monitor logging: all events of Azure Firewall can be integrated into Azure Monitor. In the settings of the diagnostic logs you are allowed to enable archiving of logs in a storage account, stream to an Event Hub, or set the sending to a workspace of OMS Log Analytics.

Azure Firewall is currently in a managed public preview, which means that to implement it is necessary to explicitly perform the enable via the PowerShell command Register-AzureRmProviderFeature.

Figure 02 – PowerShell commands for enabling the public preview of Azure Firewall

Feature registration can take up to 30 minutes and you can monitor the status of registration with the following PowerShell commands:

Figure 03 – PowerShell commands to verify the status of enabling Azure Firewall

After registration, you must run the following PowerShell command:

Figure 04 – Registration command of Network Provider

To deploy the Azure Firewall on a specific Virtual Network requires the presence of a subnet called AzureFirewallSubnet, that must be configured with a sunbnet mask at least /25.

Figure 05 – Creation of the subnet AzureFirewallSubnet

To deploy Azure Firewall from the Azure portal, you must select Create a resource, Networking and later See all:

Figure 06 - Search Azure Firewall in Azure resources

Filtering for Firewall will also appear the new resource Azure Firewall:

Figure 07 – Microsoft Firewall resource selection

By starting the creation process you will see the following screen that prompts you to enter the necessary parameters for the deployment:

Figure 08 – Parameters required for the deployment of the Firewall

Figure 09 – Review of selected parameters and confirmation of creation

In order to bring outbound traffic of a given subnet to the firewall you must create a route table that contains a route with the following characteristics:

Figure 10 - Creation of the Rule of traffic forwarding to the Firewall Service

Although Azure Firewall is a managed service, you must specify Virtual appliance as next hop. The address of the next hop will be the private IP of Azure Firewall.

The route table must be associated with the virtual network that you want to control with Azure Firewall.

Figure 11 - Association of the route table to the subnet

At this point, for systems on the subnet that forwards the traffic to the Firewall, is not allowed outgoing traffic, as long as it is not explicitly enabled:

Figure 12 – Try to access blocked website from Azure Firewall

Azure Firewall provides the following types of rules to control outbound traffic.

Figure 13 – The available rule Types

  • Application rules: to configure access to specific fully qualified domain names (FQDNs) from a given subnet.

Figure 14 - Creating Application rule to allow access to a specific website

  • Network rules: enable the configuration of rules that contain the source address, the protocol, the address and port of destination.

Figure 15 – Creating Network rule to allow traffic on port 53 (DNS) towards a specific DNS Server

Conclusions

The availability of a fully integrated firewall in the Azure fabric is certainly an important advantage that helps to enrich the capabilities provided natively by Azure. At the time are configurable basic operations, but the feature set is definitely destined to get rich quickly. Please note that this service is currently in preview, and no service level agreement is guaranteed and is not recommended to use it in production environments.