Category Archives: Cloud

Azure IaaS and Azure Stack: announcements and updates (May 2020 – Weeks: 17 and 18)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Maintenance control for platform updates

The maintenance control feature for Azure Virtual Machines platform updates is now generally available for Azure Dedicated Hosts and isolated virtual machines (VMs). This feature gives you more control over platform maintenance when dealing with highly sensitive workloads. Use this feature to control all host updates, including rebootless updates, within a 35-day window. The ability to control the maintenance window is particularly useful when you deploy workloads that are extremely sensitive to interruptions running on an Azure Dedicated Host or an isolated VM where the underlying physical server runs a single customer’s workload. This feature is not supported for VMs deployed in hosts shared with other customers.

New DCsv2-series virtual machines are available

You can develop confidential applications that protect data while it’s being processed in the CPU with new DCsv2-series virtual machines (VMs), powered by Intel SGX. Traditionally, applications are protected while at rest and in transit. Now, you can deliver applications that protect data while in use. This enables a new set of scenarios like multiparty sharing, where it’s possible to combine data from multiple companies to run machine learning models without the companies getting access to each other’s data.

Windows Server containers in AKS now generally available

Windows Server containers in Azure Kubernetes Service (AKS) are now generally available. You can take advantage of this new feature to run Linux and Windows workloads side-by-side in a single cluster using the same tools. Create/upgrade/scale Windows node pools in AKS through the standard tools (portal/CLI) and Azure will help manage the health of the cluster.

Azure Migrate now available in Azure Government

Microsoft’s service for datacenter migration, Azure Migrate, is now available in Azure Government, unlocking the whole range of functionality for government customers. Azure Migrate V2 for Azure Government includes a one-stop shop for discovery, assessment, and migration of largescale datacenters.

Storage

Enhanced features in Azure Archive Storage

Three new feature enhancements for Azure Block Blob storage and Azure Archive storage are now generally available, making the service faster, simpler, and more capable.

Priority retrieval from Azure Archive. High rehydrate-priority fulfills the need for emergency data rehydrate from archive, with retrievals for blobs of a few GB typically taking less than one hour.
Upload blob direct to access tier of your choice. The PutBlob or PutBlockList API allows you to upload your blob data directly to any access tier (hot, cool, or archive). This enables customers to write cold data directly to Azure Archive, realizing their cost savings immediately.
CopyBlob enhanced capabilities. The CopyBlob API supports the archive access tier, allowing you to copy data into and out of the archive access tier within the same storage account. It also includes support for the other two new features—priority retrieval and direct to access tier of your choice.

Networking

Azure Firewall: support for Windows Virtual Desktop

You can use Azure Firewall to protect Window Virtual Desktop deployments. In addition there are FQDN tags for Windows Virtual Desktop (WVD).

Azure Private Link for AKS is generally available

Azure Kubernetes Service (AKS) Private Link is generally available. You can use it to isolate your Kubernetes API server within your Azure virtual network, enabling fully private communication with the managed Kubernetes control plane hosted by AKS.

Azure Management services: What's New in April 2020

Starting from this month, the series of articles released by our community about what's new in Azure management services is renewed. They will be articles, published on a monthly basis, dedicated exclusively to these topics to have a greater level of depth.

Management refers to the tasks and processes required to better maintain business applications and the resources that support them. Azure offers many strongly related services and tools to provide a comprehensive management experience. These services are not exclusively for Azure resources, but they can potentially also be used for on-premises environments or other public clouds.

The following diagram shows the different areas related to management, which will be covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.

Figure 1 – Management services in Azure overview

Monitor

Azure Monitor for containers: support for monitoring the use of GPUs on AKS GPU-enabled node pools

Azure Monitor for containers has introduced the ability to monitor the use of GPUs in Azure Kubernetes Service environments (AKS) with nodes that take advantage of GPUs. They are currently supported as NVIDIA and AMD vendors.
This monitoring functionality can be useful for:

Check the availability of GPUs on the nodes, the use of the GPU memory and the status of GPU requests by pods.
View the information collected through the built-in workbook available in the workbook gallery.
Generate alerts on pod status

Export of alerts and recommendations to other solutions

Azure Security introduces an interesting feature that allows you to send security information generated by your environment to other solutions. This is done through a continuous export mechanism of alerts and recommendations to Azure Event Hubs or to Azure Monitor Log Analytics workspaces. This feature opens up new integration scenarios for Azure Security Center. The functionality is called Continuos Export and is described in detail in this article.

Workflow automation functionality

Azure Security Center includes the ability to have workflows to respond to security incidents. Such processes may include notifications, the initiation of a change management process and the application of specific remediation operations. The recommendation is to automate as many procedures as possible as automation can improve safety by ensuring that the process steps are performed quickly, consistent and according to predefined requirements. The Azure Security Center has been made available the functionality workflow automation. It can be used to automatically trigger the Logic Apps trigger based on security alerts and recommendations. Furthermore, manual trigger execution is available for security alerts and for recommendations that have the quick fix option available.

Integration with Windows Admin Center

It is now possible to include Windows Server systems residing on-premises directly from the Windows Admin Center in Azure Security Center.

Azure Monitor Application Insights: monitors Java applications codeless

The Java Application Monitor is now made possible without making changes to the code, thanks to Azure Monitor Application Insights. In fact, the new Java codeless agent is available in preview. Among the libraries and frameworks supported by the new Java agent we find:

gRPC.
Netty/Webflux.
JMS.
Cassandra.
MongoDB.

Retiring the solution for Office 365

For the solution “Azure Monitor Office 365 management (Preview)”, which allows you to send the logs of Office 365 to Azure Monitor Log Analytics is expected to be retired on 30 July 2020. This solution has been replaced by the solution of Office 365 present in Azure Sentinel and the solution “Azure AD reporting and monitoring”. The combination of these two solutions is able to offer a better experience in configuration and in its use.

Azure Monitor for Containers: support for Azure Red Hat OpenShift

Azure Monitor for Containers now also supports in preview the monitor for Kubernetes clusters hosted on Azure Red Hat OpenShift version 4.x & OpenShift versione 4.x.

Azure Monitor Logs: limitations on concurrent queries

To ensure a consistent experience for all users in consulting the Azure Monitor Logs, will be gradually implemented new limits of concurrency. This will help protect yourself from sending too many queries simultaneously, which could potentially overload system resources and compromise responsiveness. These limits are designed to intervene and limit only extreme usage scenarios, but they should not be relevant for the typical use of the solution.

Secure

Azure Security Center

Dynamic compliance packages available

The Azure Security Center regulatory compliance dashboard now includes thedynamic compliance packages to trace further industry and regulatory standards. The dynamic compliance packages can be added at subscription or management group level from the Security Center policy page. After entering a standard or benchmark, this is displayed in the regulatory compliance dashboard with all related data. A summary report will also be available for download for all standards that have been integrated.

Identity recommendations included in Azure Security Center tier free

Security recommendations relating to identity and access have been included in the Azure Security Center tier free. This aspect allows to increase the functionality in the cloud security posture management area for free (CSPM). Before this change, these recommendations were only available in the Azure Security Center Standard tier. Here are some examples of recommendations for identity and access:

“Multifactor authentication should be enabled on accounts with owner permissions on your subscription.”
“A maximum of three owners should be designated for your subscription.”
“Deprecated accounts should be removed from your subscription.”

Protect

Azure Backup

Cross Region Restore (CRR) for Azure virtual machines

Thanks to the introduction of this new feature in Azure Backup, it introduces the ability to start restores at will in a secondary region, making them completely controlled by the customer. To do this, the Recovery Service vault that holds the backups must be set to geographic redundancy; in this way the backup data in the primary region are geographically replicated in the secondary region associated with Azure (paired region).

Figure 1 – New possible scenarios from Cross Region Restore (CRR)

Azure Files share snapshot management

Azure Backup introduces the ability to create Snapshots of Azure Files share, Daily, weekly, Monthly, and keep them until 10 years.

Support for replacing existing disks for VMs with custom images

Azure Backup introduced support, during the recovery phases, to replace existing disks on virtual machines created with custom images.

SAP HANA backup

In Azure Backup, protection of SAP HANA DBs present in virtual machines is available in all major Azure regions. This functionality allows you to have SAP HANA database protection integrated and without having to provide a specific backup infrastructure. This solution is officially certified by SAP.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure IaaS and Azure Stack: announcements and updates (April 2020 – Weeks: 15 and 16)

Azure

Compute

SQL Server 2019 IaaS images with Linux distribution support now available

Azure Marketplace pay-as-you-go images for SQL Server 2019 on RHEL 8.0, Ubuntu 18.04, and SLES 12 SP5 are now generally available.

Virtual machine scale sets: automatic image upgrades for custom images

Virtual machine scale sets now provide the ability to automatically deploy new versions of custom images to scale set virtual machines. Enabling automatic OS image upgrades on your scale set helps ease update management by safely and automatically upgrading the OS disk for all virtual machines in the scale set. This capability is now available in preview for custom images through Shared Image Gallery.

Automatic instance repairs for virtual machine scale sets

Virtual machine scale sets now provide the capability to automatically repair unhealthy instances based on application health status. Configure the scale set instances to emit application health by using either the application health extension or Azure Load Balancer health probes. After the automatic repairs policy is enabled, when an instance is found to be unhealthy, the scale set will automatically delete the unhealthy instance and create a new one to replace it.

Azure Migrate is now available in Azure Government

Azure Migrate provides a hub of Microsoft and partner tools to help customers meet their migration needs. Azure Migrate also offers scenarios for database migration, VDI migration, and web application migration, in addition to at-scale migration of VMware, Hyper-V, and physical servers to Azure. All Azure Migrate features, including agentless discovery and assessment, application inventory, and migration, are now available in Azure Government.

Azure File Sync v10 released

The Azure File Sync agent v10 release is being released to servers which are configured to automatically update when a new version becomes available.

Improvements and issues that are fixed:

Improved sync progress in the portal
Improved cloud tiering portal experience
Support for moving the Storage Sync Service and/or storage account to a different Azure Active Directory (AAD) tenant
Evaluation tool now identifies files or directories that end with a period
Miscellaneous performance and reliability improvements

To obtain and install this update, configure your Azure File Sync agent to automatically update when a new version becomes available or manually download the update from the Microsoft Update Catalog by following the steps documented in KB4522409.

Networking

Azure Virtual Network supports reverse DNS lookup

Azure Virtual Network now supports reverse DNS lookup (PTR DNS queries) for virtual machine IP addresses by default. Use this to quickly look up name of the VM from its IP address. Previously, using DNS queries to look up the fully qualified domain name (FQDN) for a virtual machine from its IP address would result in an NXDOMAIN response. Now, instead of getting an NXDOMAIN, you’ll receive valid FQDN of the virtual machine to which the IP address belongs.

Azure Monitor: consultation of data through Workbooks

Azure Monitor Log Analytics can collect large amounts of data and it is essential to have effective methods to make it easy to access and analyze it in a simple way. Among the various possibilities offered are the Workbooks, interactive documents that allow you to better interpret the data and do in-depth analysis, also designed for collaboration scenarios. This article lists the key features of the Workbooks and the indications to use them at best.

The Workbooks combine text, Log Analytics query, Azure metrics and parameters, this is an interactive report. Interestingly, they can be accessed and editable by anyone who has access to the same Azure resources. This makes them a powerful collaboration tool between members of a team.

Possible usage scenarios

The Workbooks can be used in different scenarios, for example:

Guide tool for troubleshooting and post-mortem incidents. Not only can you highlight the impact of an application or virtual machine outage, but it will also be possible to combine data and provide written explanations. This can become a guide tool to discuss the steps needed to prevent future service outages.
Explore the use of a particular application or virtual machine when you don't know the metrics of interest in advance. In fact,, unlike other analysis tools, The Workbooks combine multiple types of visualizations and analysis, making them a great tool for freeform exploration.
Show your team the performance of a new application feature or the performance of a new virtual machine, giving visibility of key metrics of interest.
Sharing the results of experimentation work on an application with other team members. You have the ability to detail the objectives of text experimentation and to show the Log Analytics metrics and queries used to evaluate the items of interest.

Advantages of Workbooks

Among the main advantages of Workbooks it is possible to quote:

Support for metrics, logs and Azure Resource Graph data.
Parameter support that enables interactive reports, for example, selecting an item in a table will dynamically update the associated charts and visualizations.
Document-like flow.
Ability to have Workbooks personal or shared.
Experience of simple creation and always with a view to collaboration.
Ability to tap into a public template gallery on GitHub that contains several ready-to-use Workbooks.

Workbooks Limits

The Workbooks they also have the following limitations which should be taken into consideration:

There are no automatic refresh mechanisms.
They are not designed to have a denser layout like dashboards and to have a single centralized control panel. In fact, they are designed to gain insights through an interactive path.

Deploy and use Workbooks

The section Workbooks is accessible from the Azure portal from Azure Monitor Log Analytics that from Application Insights and a gallery is available with a series of Workbooks by default.

Figure 1 – Workbooks Gallery from Azure Portal

In this GitHub repository you can view numerous templates of Workbooks. You can of course contribute by adding new ones or by processing existing ones.

The Workbooks can be composed of different sections that show graphs, Tables, text and input controls, all independently editable.

Figure 2 – Adding section to a Workbook

In order to create Workbooks according to your needs it is useful to know which elements are supported, in this regard, references to the official Microsoft documentation are provided:

Figure 3 - Example of Workbook showing the key metrics of the VMs

Figure 4 - Example of Workbook showing the highest CPU usage of VMs by region

To deploy new Workbooks through ARM templates you can refer to Microsoft's official documentation.

Conclusions

Thanks to the adoption of Workbooks it is possible to consult the data collected using visually appealing reports, with advanced features that allow you to greatly enrich the analysis experience from the Azure portal. Interactivity based on user inputs, personalization and sharing are important elements that make very useful to adopt Workbooks in specific scenarios.

Azure Security Center: exports of alerts and recommendations to other solutions

Azure Security introduces an interesting feature that allows you to send security information generated by your environment to other solutions. This is done through a continuous export mechanism of alerts and recommendations to Azure Event Hubs or to Azure Monitor Log Analytics workspaces. This feature opens up new integration scenarios for Azure Security Center. This article describes how to use this feature and delves into its features.

Azure Security Center (ASC) carries out a continuous assessment of the environment and is able to provide the recommendations concerning the security of the environment. As described in this article you can customize the solution to meet your own security requirements and the recommendations that are generated. In the standard tier, these recommendations may not be limited to the Azure environment alone, but it will also be possible to contemplate hybrid environments and on-premises resources.

Standard Security Center also generates alert when potential security threats are detected on resources in your environment. ASC sets priorities, lists the alerts, provides the information you need to quickly investigate issues and provides recommendations on how to resolve attacks.

Azure Event Hubs is a streaming platform for big data and a service for the ingestion of events. Can receive and process millions of events per second. The data sent to a Event Hub can be transformed and stored using any real-time analytics provider or batch or storage adapters.

The new feature that was introduced in the Azure Security Center is called Continuos Export, supports enterprise scenarios and allows you to do the following:

Export to Azure Event Hubs to gain integration with third-party SIEMs and Azure Data Explorer.
Export to a Log Analytics workspace to have an integration with Azure Monitor, useful to better analyze data, use Alert rule, Microsoft Power BI and customized dashboards.
Export in a CSV file, for individual data exports (one shot).

The configuration is simple and can be carried out using the following procedure.

In Azure Security Center, you select the subscription for which you want to configure data export, and in the settings sidebar you select Continuos Export:

Figure 1 – Continuous export in ASC's subscription settings

In this case you chose to configure the export to a Log Analytics workspace. You can select which recommendations to export and their severity level. Also for security alerts you can choose for which level to export. Export creates an object, therefore, you should specify which resource group to place it in.. Finally, you will need to select the Log Analytics target workspace.

Figure 2 - Configuring parameters to make the Continuous Export

The link for integration with Azure Monitor provides the ability to automatically create Alert rule already pre-configured.

Figure 3 - Automatically create alert rules in Azure Monitor

By default these alert rules do not constitute the Action Group, therefore it is advisable to modify them to do a trigger to suit your needs.

These are the two default alert rules created:

Figure 4 – Default Alert rules of Azure Monitor

Alternatively, having gone into the recommendations and the ASC alerts in a workspace, you can configure in the Azure Monitor Alert rule customized based on Log Analytics query.

The security alerts and the ASC recommendations are stored in tables SecurityAlert and SecurityRecommendations of the workspace. The name of the Log Analytics solution that contains these tables is relative to the ASC tier, which can then be Security and Audit (standard tier) or SecurityCenterFree (tier free).

Figure 4 – Tables in Log Analytics

The configuration of Continuos Export towards Event Hubs is similar and it is the best methodology to incorporate the recommendations and the Azure Security Center alerts with third-party SIEM solutions. Following, shows the connectors for the main third-party SIEM solutions:

Splunk: Azure Monitor Add-On for Splunk
IBM QRadar: Use a manually configured source log
ArcSight: SmartConnector

In Azure Sentinel is instead available Data connector , it is native to contemplate the Azure Security Center alerts.

To configure exports to Azure Data Explorer you can use the procedure in this Microsoft documentation.

Conclusions

With this new feature introduced in Azure Security Center, you can consolidate all the alerts and recommendations generated by the solution to other tools, opening up new possible integration scenarios even with third-party solutions. All this is made possible through an easily configurable mechanism, allowing you to be notified immediately and quickly take action. These aspects are crucial when dealing with security information.

Azure IaaS and Azure Stack: announcements and updates (April 2020 – Weeks: 13 and 14)

Azure

Compute

Azure Spot Virtual Machines are now generally available

Spot Virtual Machines provide scalability while reducing costs and they’re ideal for workloads that can be interrupted. Get unique Azure pricing and benefits when running Windows Server workloads on Spot Virtual Machines.

Storage

Direct Upload of Azure Managed Disks

Customers can bring an on-premises VHD to Azure as a managed disk in two ways: copy the VHD into a storage account before converting it into a managed disk, or attach an empty managed disk to a virtual machine and do a copy. Both of these have disadvantages. The first option requires maintaining storage accounts, while the second option has the additional cost of running virtual machines. Direct upload addresses both these issues and provides a simplified workflow by allowing you to copy an on-premises VHD directly into an empty managed disk. You can use it to upload to Standard HDD, Standard SSD, and Premium SSD managed disks of all the supported sizes.

New Azure Disk sizes and bursting support

Azure Disks, block-level storage volumes managed by Azure and used with Azure Virtual Machines, now have new 4-GiB, 8-GiB, and 16-GiB sizes available on both premium and standard SSDs. The new disk sizes introduced on standard SSD disk provide the most cost-efficient SSD offering in the cloud, providing consistent disk performance at the lowest cost per GB. In addition, Microsoft now supports bursting on Azure premium SSD disks in all Azure regions in the public cloud. With bursting, even the smallest premium SSD disks at 4-GiB can now achieve up to 3,500 IOPS and 170 MiB/second, and better accommodate spiky workloads. It can be best used for OS disks to accelerate virtual machine (VM) boot or data disks to accommodate spiky traffic. To learn more about disk bursting, read the premium SSD bursting article.

Azure Ultra Disks: Shared disk capability in preview

Attach an Azure managed disk to multiple virtual machines (VMs) simultaneously using the new shared disks feature of Azure Managed Disks. Deploy new or migrate existing clustered applications to Azure by attaching a managed disk to multiple VMs. Shared disks also support SCSI persistent reservation protocol.

Server-side encryption with customer-managed keys for Azure Managed Disks in GA

Azure customers already benefit from server-side encryption with platform-managed keys for Managed Disks enabled by default. Server-side encryption with customer-managed keys improves on platform-managed keys by giving you control of the encryption keys to meet your compliance need. Today, customers can also use Azure Disk Encryption which leverages the BitLocker feature of Windows and the DM-Crypt feature of Linux to encrypt Managed Disks with customer-managed keys within the guest VM. Server-side encryption with customer-managed keys improves on Azure Disk encryption by enabling you to use any OS types and images, including custom images, for your virtual machines by encrypting data in the Storage service.

General availability of incremental snapshots of Managed Disks

Incremental snapshots are a cost-effective, point-in-time backup of managed disks. Unlike current snapshots, which are billed for the full size, incremental snapshots are billed for the delta changes to disks since the last snapshot and are always stored on the most cost-effective storage, Standard HDD storage irrespective of the storage type of the parent disks. For additional reliability, incremental snapshots are stored on Zone Redundant Storage (ZRS) by default in regions that support ZRS. Incremental snapshots provide differential capability, enabling customers and independent solution vendors (ISVs) to build backup and disaster recovery solutions for Managed Disks. It allows you to get the changes between two snapshots of the same disk, thus copying only changed data between two snapshots across regions, reducing time and cost for backup and disaster recovery. Incremental snapshots are accessible instantaneously; you can read the underlying data of incremental snapshots or restore disks from them as soon as they are created. Azure Managed Disk inherit all the compelling capabilities of current snapshots and have a lifetime independent from their parent managed disks and independent of each other.

New additions to the Azure Archive Storage partner network

Azure Archive Storage is now integrated with new partners including IBM Spectrum Protect Plus, NetApp StorageGRID, Rubrik, and Veritas NetBackup, making the partner network even more comprehensive. Other Azure Archive Storage partners include Archive360, CloudBerry Lab, Cohesity, Commvault, HubStor, Igneous, NetApp, and Tiger Technology.

Networking

IPv6 for Azure Virtual Network is generally available

IPv6 for Azure Virtual Network is now generally available worldwide. IPv6 support within the Azure Virtual Network and to the internet enables you to expand into the growing mobile and IoT markets with Azure-based applications and to address IPv4 depletion in your own corporate networks.

Azure Container Registry support for Private Link now in preview

Azure Container Registry now supports Private Link, a means to limit network traffic of resources within the virtual network.

Azure Edge Zones extends Azure services to the edge

Azure Edge Zones combines the power of Azure, 5G, carriers, and operators around the world to enable new scenarios for developers, customers and partners. These new offerings are coming to preview and will help local telecoms and carrier partners drive new solutions for business and society, including autonomous vehicles, smart cities, virtual reality, and other smart industry use cases.

Azure Stack

Azure Stack Edge

Azure Stack Edge preview

Microsoft also announced the expansion of Azure Stack Edge preview with the NVIDIA T4 Tensor Core GPU. Azure Stack Edge is a cloud managed appliance that provides processing for fast local analysis and insights to the data. With the addition of an NVIDIA GPU, customers are able to build in the cloud then run at the edge.

Azure Stack Hub

Azure Stack Hub preview

Microsoft, in collaboration with NVIDIA, is announcing that Azure Stack Hub with Azure NC-Series Virtual Machine (VM) support is now in preview. GPU support in Azure Stack Hub unlocks a variety of new solution opportunities. With our Azure Stack Hub hardware partners, customers can choose the appropriate GPU for their workloads to enable Artificial Intelligence, training, inference, and visualization scenarios.

Event Hubs on Azure Stack Hub in preview

We are now announcing the availability of the preview version of Event Hubs on Azure Stack Hub. Event Hubs on Azure Stack Hub will allow you to realize cloud and on-premises scenarios that use streaming and event-based architectures.

Azure management services and System Center: What's New in March 2020

In March there have been several news announced by Microsoft on the Azure management services and System Center. In this summary, that we report on a monthly basis, major announcements are listed, accompanied by the necessary references to be able to conduct further studies on.

Azure Monitor

Azure Security Center integration

In Azure Security Center (ASC) integration with Azure Monitor has been introduced. In fact, in ASC it has been made available the ability to export continues toward a Log Analytics workspace. With this feature, you can configure Azure Monitor alert rules against recommendations and alerts exported from the Security Center. As a result, you can enable action groups to achieve automation scenarios supported by Azure Monitor.

Service availability Azure Monitor for VMs

In Azure monitor, the service that monitors virtual machines has been released, calledAzure Monitor for VMs. This service analyzes the performance data and the status of virtual machines, makes the monitor of the installed processes and examines its dependencies.

The serviceAzure Monitor for VMsis divided into three different perspectives:

Health: the logical components present on board of the virtual machines are evaluated according to specific pre-configured criteria, generating alerts when certain conditions are met.
Performance: shows summary details of performance, from the guest operating system.
Map: generates a map with the interconnections between the various components that reside on different systems.

This solution can be used on Windows and Linux virtual machines, regardless of the environment in which they reside (Azure, on-premises or at other cloud providers).

New agent version for Windows and Linux systems

A new version of the Log Analytics agent has been released this month for Window systemss and for Linux systems. In both cases they are introduced several improvements and increased stability.

SHA-2 signing for the Log Analytics agent

The Log Analytics agent for Windows will start enforcing SHA-2 signings from 18 may 2020. This change requires action if you are running the agent on a legacy version of the operating system (Windows 7, Windows Server 2008 R2, or Windows Server 2008) . Customers who are in this condition should apply the latest updates and patches on these operating systems before 18 may 2020, otherwise their agents will stop sending data to Log Analytics workspaces. The following Azure services will be affected by this change: Azure Monitor, Azure Automation, Azure Update Management, Azure Change Tracking, Azure Security Center, Azure Sentinel, Windows Defender ATP.

Azure Site Recovery

New Update Rollup

For Azure Site Recovery was released theUpdate Rollup 45 that solves several issues and introduces some improvements. The details and the procedure to follow for the installation can be found in the specific KB.

Azure Backup

Azure Backup Report

Azure Backup has announced the release of the solution Azure Backup Report. It's a tool available in the Azure portal that provides reports to answer many questions about backup progress, including: “What backup items consume more storage space?”, “Which machines have consistently had abnormal backup behaviors?”, “What are the main causes of the backup job failure?”. Reports provide cross-sectional information across different types of workloads, Vaults, subscriptions, regions and tenants. This tool also provides support for Windows Server 2008, to facilitate the migration steps of the on-premises systems based on Windows Server 2008 to Azure, process by which you can continue to get security patches.

Azure Automation

Availability in new regions

Azure Automation is now available in preview in the regions ” US Gov Arizona”.

Evaluation of Azure and System Center

To test for free and evaluate the services provided by Azure you can access this page, while to try the various System Center components you must access theEvaluation Center and, after registering, you can start the trial period.

Azure IaaS and Azure Stack: announcements and updates (March 2020 – Weeks: 11 and 12)

Azure

Virtual Network NAT generally available

Azure Virtual Network NAT (Network Address Translation) simplifies outbound-only Internet connectivity for virtual networks. NAT can be configured for one or more subnets of a virtual network and provides on-demand connectivity for virtual machines.

Private Endpoints for Azure Storage are Generally Available

Private Endpoints provide secure connectivity to Azure Storage from a Azure virtual network (VNet). On-premises networks can also securely connect to a storage account using a private endpoint when that network is to a VNet using Express Route or VPN. Private Endpoints for Azure Storage are now generally available in all Azure public regions.

Azure Web Application Firewall integration with Azure Content Delivery Network service in preview

Azure Web Application Firewall service protects your web applications from malicious attacks. In addition to Azure Application Gateway and Azure Front Door service, Web Application Firewall is now natively integrated with Azure Content Delivery Network, protecting Content Delivery Network endpoints from common exploits such as SQL injection and cross site scripting (XSS) attacks.

Private Link for different Azure services is available

Azure Private Link is now generally available (GA) for the below services:

Azure Storage
Azure Data Lake Storage Gen 2
Azure SQL Database
Azure Cosmos DB
Azure Synapse Analytics (SQL Data Warehouse)
Azure Key Vault
Azure Database for MySQL
Azure Database for PostgreSQL
Azure Database for MariaDB
Azure Kubernetes Service -> Kubernetes API

In addition, Private Link is now available in preview for the following services:

App Service
Azure Cognitive Search
Event Hub
Service Bus
Azure Relay
Azure Backup
Azure Container Registry
Event Grid -> Topics
Event Grid -> Domains

App Service regional Virtual Network integration

The regional Virtual Network integration feature has now entered general availability (GA) and supports sending all outbound calls into your virtual network. Use features like network NSGs and UDRs against all outbound traffic from your web app.

Azure Shared Disks for clustered applications in preview

Azure Shared Disks is a shared block storage offering, enabling customers to run latency-sensitive workloads without compromising on well-known deployment patterns for fast failover and high availability. Azure Shared Disks are best suited for clustered databases, parallel file systems, persistent containers, and machine learning applications. Azure Shared Disks provide a consistent experience for applications running on Windows or Linux based clusters today.

ACR built-in audit policies for Azure Policy in preview

Azure Container Registry now supports built-in audit policies for Azure Policy.

Preparing for TLS 1.2 in Microsoft Azure

Microsoft Azure recommends all customers complete migration towards solutions that support transport layer security (TLS) 1.2 and to make sure that TLS 1.2 is used by default.

Azure File Sync agent version 6.x will expire on April 21, 2020

On April 21, 2020, Azure File Sync agent version 6.x will be expired and stop syncing. If you have servers with agent version 6.x, update to a supported agent version (7.x or later).

Azure Storage: Append Blob immutability support is generally available

Store business-critical data objects in a non-erasable and non-modifiable state for a user-specified retention interval using immutable storage for Azure Blob storage. Append blobs allow the addition of new data blocks to the end of an object and are optimized for data append operations required by auditing and logging scenarios.

General availability of NVv4 and HBv2-Series virtual machines

General availability of NVv4 virtual machines in South Central US, East US, and West Europe regions. Additional regions are planned in the coming months. With NVv4, Azure is the first public cloud to offer GPU partitioning built on industry-standard SR-IOV technology. HBv2-series VMs for HPC are now available in the Azure West Europe region.

Azure Security: Best Practices to improve Security Posture

The tendency to have more frequently solutions in the cloud and hybrid architectures requires you to adopt high security standards for your environment. But how do you get effective cloud security for Azure and what best practices you should follow? This article summarizes the key practices that you should use in Azure to ensure a high level of security and improve security postures.

MFA activation and restrictions for administrative access

For users with administrative rights, authentication should be enabled using administrative Multi-factor Authentication (MFA). In this regard it is very interesting to evaluate passwordless authentication mechanisms that require that the password be replaced with something that you own more something that you are or that you know.

Microsoft currently offers three distinct passwordless authentication scenarios:

Windows Hello for Business, Ideal for users using dedicated Windows systems.
Access viaFIDO2 Security keys, you can prefer in scenarios where you can access them on shared locations or when you don't have the ability to use a mobile device.
Mobile device access using theMicrosoft Authenticator App.

Azure Active Directory provides the ability to enable MFA mechanisms, including passwordless authentication. MFA mechanisms based on text messages are easier to bypass, so it's good to target different Multi-factor authentication mechanisms or passwordless.

Minimize the number of people and their time, for administrative access to Azure resources, it is a practice to be adopted because it reduces the possibility of an attacker obtaining administrative access or an authorized user inadvertently affecting a specific resource. To enable authorized users to perform administrative actions, you can offer just-in-time privileged access (JIT) Azure and Azure AD resources. To do this, the Azure Active Directory service is adopted (Azure AD) Privileged Identity Management (PIM) which allows you to manage, controlling and monitoring access to company resources is a good practice to take.

Another key aspect to consider is the use of secure and isolated workstations for sensitive roles. In this official Microsoft document you can get to obtain more details about it.

Segmentation and adoption of the Zero Trust model

The security model, definedZero trust and in contrast with the conventional models based on perimeter security, involves adopting an approach to micro-segmentation and the definition of granular perimeters in your network architecture. To contain security risks, it is good to adopt a clear and simple segmentation strategy, allowing stakeholders with a clear understanding, to facilitate and monitor effective management. It will also be useful to assign the necessary permissions and appropriate network controls.

In this regard, we report a reference design regarding the Azure administrative model:

Figure 1 – Reference Design – Azure Administration Model

The following illustration shows the typical Hub-Spoke network model, where theHub is a virtual network in Azure that serves as a point of connectivity to the on-premises network andSpoke are virtual networks running the peering with the Hub and can be used to isolate workloads.

Figure 2 – Reference Enterprise Design – Azure Network Security

Adoption of an appropriate "Firewall Strategy"

Adopting a firewall solution in the Azure environment to better protect and segregate network flows is now mandatory.

The choice may involve the adoption of:

Microsoft solutions fully integrated into the platform, such as Azure Firewall, flanked by Web App Firewall (WAF) of the Application Gateway, an application load balancer (OSI layer 7) for web traffic, that allows you to govern HTTP and HTTPS applications traffic. The Web Application Firewall Module (WAF) for web publications achieves an application protection, based on OWASP Core Rule sets rules. The WAF protects applications from vulnerabilities and common attacks , such as X-Site Scripting and SQL Injection attacks. These solutions are suitable for most of the scenarios and offer intrinsic high availability and scalability functionality as well as a simple configuration and centralized management.

Solutions provided by third-party vendors that are available in the Azure Marketplace. The Network Virtual Appliances (NVA's) are numerous, and can provide advanced features and provide continuity in the user experience compared to solutions already active in the on-premises environment. Typically the configuration of these solutions is more complex and the cost tends to be higher than Microsoft solutions.

Choosing a DDoS Mitigation Solution for critical applications

Very important is the protection of all critical applications from distributed denial-of-service cyberattacks (DDoS – Distributed Denial of Service). These attacks are aimed at deliberately to exhaust the resources of a given system that provides a service to clients, such as a website that is hosted on web servers, to the point that it will no longer be able to provide these services to those who require it in a legitimate way.

In Azure, DDoS protection is available in two different tiers: Basic oppure Standard.

Figure 3 - Comparison of the features available in different tiers for DDoS Protection

The protectionBasic is enabled by default in the Azure platform, which constantly monitors traffic and applies mitigations to the most common network attacks in real time. This tier provides the same level of protection adopted and tested by Microsoft's online services and is active for Azure Public IP addresses (Pv4 and IPv6). No configuration is required for the Basic tier.

Typology Azure DDoS ProtectionStandard provides additional mitigation features over the Basic tier, that are specifically optimized for resources located in Azure virtual networks. The protection policies are self-configured and are optimized by carrying out specific monitoring of network traffic and applying machine learning algorithms, that allow you to profile your application in the most appropriate and flexible way by studying the traffic generated. When the thresholds set in the DDoS policy are exceeded, the DDoS mitigation process is automatically started, which is suspended when it falls below the established traffic thresholds. These policies are applied to all public IP of Azure (IPv4) associated with resources present in the virtual network, like: virtual machines, Azure Load Balancer, Azure Application Gateway, Azure Firewall, VPN Gateway and Azure Service Fabric instances.

Azure Security Center Adoption

Azure Security Center is a cloud solution that helps prevent, detect and respond to security threats that affect the resources and workloads on hybrid environments. To improve the security posture of your Azure environment is essential to assess the adoption of this solution, it is offered in two different tiers:

Free tier. In this tier Azure Security Center is totally free and it will do a continuously assessment, providing recommendations relating to the security of the Azure environment.
Standard tier. Compared to tier free adds enhanced threat detection, using behavioral analysis and machine learning to identify zero-day attacks and exploits. Through machine learning techniques and through the creation of whitelist is possible to control the execution of applications to reduce exposure to network attacks and malware. Furthermore, the standard level adds the ability to perform in an integrated manner a Vulnerability Assessment for virtual machines in Azure. Azure Security Center Standard supports several resources including: VMs, Virtual machine scale sets, App Service, SQL servers, and Storage accounts.

Figure 4 - Comparison between the tiers of Azure Security Center

Azure Security Center assigns a score to your environment, useful for monitoring the risk profile and for try to constantly improve the security postures, applying remediation actions. Good rule is to verify on a regular basis (least monthly) the security score provided by Azure Security Center and program initiatives aimed at improving specific areas. Furthermore, it is recommended to carefully check the alert that Security Center Standard generates when it detects potential security threats on its resources. Security Center sets priorities, lists the alerts, provides the information needed to quickly examine the problems and provides advice on how to resolve any attacks.

Introduce security in development and release stages

The adoption of DevOps models to deploy Azure applications and services enable, as well as providing maximum agility, to obtain benefits in terms of security. In DevOps models can be engaged in development and management stages the teams dedicated to quality control and security throughout the application lifecycle. Using Infrastructure-as-Code processes(IaC) it is possible to define and monitor the compliance on a large scale.

Do not use legacy technologies

In Azure environment it is not recommended the adoption of classical Network Intrusion Detection System (NIDS) and Network Intrusion Prevention Systems (NIPS) since the platform is able to filter out malformed packets natively. The solutions NIDS / NIPS are generally based on outdated signature-based approaches that can be easily removed during attempted attacks and generally produce a high false positive rate.

Conclusions

Achieve a high level of security in Azure environments is a major challenge that needs to be won and it requires constant monitoring, review and updating of security postures. This article have been reported those that are considered the main best practices of security offered by a direct field experience, which it is always good to enrich them by taking further precautions.

Azure IaaS and Azure Stack: announcements and updates (March 2020 – Weeks: 09 and 10)

Azure

New datacenter region in Spain

Microsoft will open a datacenter region in Spain to help accelerate digital transformation of public and private entities of all sizes, helping them to innovate, scale and migrate their businesses to the cloud in a secure way.

Microsoft will retire classic IaaS VMs

Because Azure Resource Manager now has all the infrastructure as a service (IaaS) capabilities of Azure Service Management and new advancements, Microsoft will retire classic IaaS VMs on March 1, 2023. Beginning March 1, 2023, customers who are using classic IaaS VMs will no longer be able to start any classic IaaS VMs using ASM. Any remaining VMs in a running or stopped-allocated state will be moved to a stopped-deallocated state. The following Azure services and functionality will not be impacted by this retirement: Cloud Services, storage accounts not used by classic VMs, and virtual networks (VNets) not used by classic VMs.

Azure Virtual Network service endpoint policies feature

Azure Virtual Network service endpoint policies enable you to prevent unauthorized access to Azure Storage accounts from your virtual network. It enables you to limit access to only specific whitelisted Azure Storage resources by applying endpoint policies over the service endpoint configuration.

Azure Load Balancer TCP resets on idle timeout is available

Azure Load Balancer now supports sending bidirectional TCP resets on idle timeout for load balancing rules, inbound NAT rules, and outbound rules. This is available in all regions. Use this ability to help applications gain visibility into when Standard Load Balancer terminates connections due to idle timeout. When enabled, Standard Load Balancer will generate a TCP reset packet to both the client and server side of a TCP connection on idle timeout. This allows applications to behave more predictably, as well as to detect the termination of a connection, remove expired connections, and initiate new connections. CP resets can be enabled on standard load balancers using the Azure portal, Resource Manager templates, CLI, and PowerShell.

Web Application Firewall with Azure Front Door service supports exclusion lists

Web Application Firewall exclusion lists allow you to omit certain request attributes from a rule evaluation. You can use them to fine tune Web Application Firewall policies for your applications.

Azure StorSimple 8000/1200 series will no longer be supported starting December 31, 2022

Microsoft has been expanding the portfolio of Azure Hybrid storage capabilities with new services for data tiering and cloud ingestion, providing more options to customers for storing data in Azure in native formats. In conjunction with this, support for the following StorSimple versions will end December 31, 2022.

Active Directory for authentication on SMB access to Azure File in preview

Azure Files Active Directory (Azure AD) Authentication is in preview. You can use it to mount your Azure Files using Azure AD credentials with the exact same access control experience as on-premises.

HPC-optimized virtual machines are available

Azure HBv2-series Virtual Machines (VMs) are generally available in the South Central US region. HBv2 VMs will also be available in West Europe, East US, West US 2, North Central US, Japan East soon. HBv2 VMs deliver supercomputer-class performance, message passing interface (MPI) scalability, and cost efficiency for a variety of real-world high performance computing (HPC) workloads, such as CFD, explicit finite element analysis, seismic processing, reservoir modeling, rendering, and weather simulation.

A8 – A11 Azure Virtual Machine sizes will be retired on March 1, 2021

Microsoft is retiring A8 – A11 Azure Virtual Machine sizes on March 1, 2021. Starting today, customers with existing A8 – A11 size virtual machines will be able to deploy more of the same size, but new customers will no longer be able to create A8 – A11 VMs. After March 1, 2021, any remaining A8 – A11 size virtual machines remaining in your subscription will be set to a deallocated state. These virtual machines will be stopped and removed from the host. These virtual machines will no longer be billed in the deallocated state.

NDv2-Series VMs are Generally Available

NDv2 GPU VMs for high-end deep learning training and HPC workloads are going GA in East US, South Central US, and West Europe.

NVv4-Series VMs are Generally Available

Microsoft announced general availability of NVv4 Virtual Machines. NVv4 VMs are designed to provide you unprecedented GPU resourcing flexibility. You can now choose VMs with a whole GPU all the way down to 1/8th of a GPU.

Virtual machine scale sets now simpler to manage

Three new capabilities that simplify the overall management of virtual machine scale sets in Azure are now available. New custom scale-in policies for virtual machine scale sets let you specify the order in which virtual machines (VMs) within a scale set are deleted during a scale-in operation based on a set of criteria (such as the newest VM that was added to a scale set). New instance protection policies enable you to protect one or more individual VMs in a scale set. Two new capabilities are provided:

Protect from scale-in blocks instance deletion during scale-in operations.
Protect from scale set actions blocks all scale set operations including upgrades and reimage.

It’s also now possible to receive notifications about instance deletions and to set up a predefined delay timeout for the deletion operation. Notifications are sent through Azure Metadata Service Scheduled Events. Delay timeouts can range between 5 and 15 minutes.