Category Archives: Datacenter Management

Azure IaaS and Azure Stack: announcements and updates (September 2022 – Weeks: 37 and 38)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Storage

Azure File Sync agent v15.1

Improvements and issues that are fixed:

  • Low disk space mode to prevent running out of disk space when using cloud tiering. Low disk space mode is designed to handle volumes with low free space more effectively. On a server endpoint with cloud tiering enabled, if the free space on the volume reaches below a threshold, Azure File Sync considers the volume to be in Low disk space mode. In this mode, files are tiered to the Azure file share more proactively and tiered files accessed by the user will not be persisted to the disk. To learn more, see the low disk space mode section in the Cloud tiering overview documentation.
  • Fixed a cloud tiering issue that caused high CPU usage after v15.0 agent is installed.
  • Miscellaneous reliability and telemetry improvements.

To obtain and install this update, configure your Azure File Sync agent to automatically update when a new version becomes available or manually download the update from the Microsoft Update Catalog.

More information about this release:

  • This release is available for Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 and Windows Server 2022 installations.
  • The agent version for this release is 15.1.0.0.
  • Installation instructions are documented in KB5003883.

Standard network features for Azure NetApp Files

Standard network features for Azure NetApp Files volumes are available. Standard network features provide you with an enhanced, and consistent virtual networking experience along with security posture for Azure NetApp Files.

You are now able to choose between standard or basic network features while creating a new Azure NetApp Files volume:

  • Basic provide the current functionality, limited scale, and features.
  • Standard provides the following new features for Azure NetApp Files volumes or delegated subnets:
    – Increased IP limits for Vnets with Azure NetApp Files volumes. This is at par with VMs to enable you to provision Azure NetApp File volumes in your existing topologies or architectures. This eliminates the need to rearchitect network topologies to use Azure NetApp Files for workloads like VDI, AVD, or AKS.
    – Enhanced network security with support for network security groups (NSG) on the Azure NetApp Files delegated subnet.
    – Enhanced network control with support for user-defined routes (UDR) to and from Azure NetApp Files delegated subnets. You can now direct traffic to and from Azure NetApp Files via your choice of network virtual appliances for traffic inspection.
    – Connectivity over active or active VPN gateway setup for highly available connectivity to Azure NetApp Files from on-premises network.
    – ExpressRoute FastPath connectivity to Azure NetApp Files. FastPath improves the data path performance between on-premises network and Azure Virtual Network.

Immutable storage for Azure Data Lake Storage

Immutable storage for Azure Data Lake Storage is now generally available. Immutable storage provides the capability to store data in a write once, read many (WORM) state. Once data is written, the data becomes non-erasable and non-modifiable and you can set a retention period so that files can’t be deleted until after that period has elapsed. Additionally, legal holds can be placed on data to make that data non-erasable and non-modifiable until the hold is removed.

Improved Append Capability on Immutable Storage for Blob Storage

Immutable storage for Blob Storage on containers (which has been generally available since September 2018) now includes a new append capability. This capability, titled “Allow Protected Appends for Block and Append Blobs”, allows you to set up immutable policies for block and append blobs to keep already written data in a WORM state and continue to add new data. This capability is available for both legal holds and time-based retention policies.

Encrypt managed disks with cross-tenant customer-managed keys

Many service providers building Software as a Service (SaaS) offerings on Azure want to give their customers the option of managing their own encryption keys. Customers of service providers can now use cross-tenant customer-managed keys to manage encryption keys in their own Azure AD tenant and subscription using Azure Key Vault. As a result, they will have complete control of their customer-managed keys and their data.

Azure Dedicated Host support for Ultra Disk Storage

Virtual machines (VMs) running on Azure Dedicated Host support the use of standard and premium disks as data disks, and now there is also the support for ultra disks on dedicated host.

Azure unmanaged disks will be retired on 30 September 2025

Azure Managed Disks now have full capabilities of unmanaged disks and other advancements. Microsoft will begin deprecating unmanaged disks on September 30, 2022, and this functionality will be completely retired on September 30, 2025.

Encryption scopes on hierarchical namespace enabled storage accounts (preview)

Encryption scopes introduce the option to provision multiple encryption keys in a storage account with hierarchical namespace. Using encryption scopes, you now can provision multiple encryption keys and choose to apply the encryption scope either at the container level (as the default scope for blobs in that container) or at the blob level. The preview is available for REST, HDFS, NFSv3, and SFTP protocols in an Azure Blob / Data Lake Gen2 storage account. The key that protects an encryption scope may be either a Microsoft-managed key or a customer-managed key in Azure Key Vault. You can choose to enable automatic rotation of a customer-managed key that protects an encryption scope. When you generate a new version of the key in your Key Vault, Azure Storage will automatically update the version of the key that is protecting the encryption scope, within a day.

Customer initiated storage account conversion (preview)

The self-service option to convert storage accounts from non-zonal redundancy (LRS/GRS) to zonal redundancy (ZRS/GZRS) is available. This allows you to initiate the conversion of storage accounts via the Azure portal without the necessity of creating a support ticket.

Networking

Resizing of peered virtual networks

Updating the address space for peered virtual networks now is now generally available. This feature allows you to update the address space or resize for a peered virtual network without removing the peering.

Improvements to Azure Web Application Firewall (WAF) custom rules

  • There are two improvements for WAF custom rules:
    Azure regional Web Application Firewall (WAF) with Application Gateway now supports creating custom rules using the operators “Any” and “GreaterThanOrEqual”. Custom rules allow you to create your own rules to customize how each request is evaluatedas it passes through the WAF engine.
  • Azure global Web Application Firewall (WAF) with Azure Front Door now supports custom geo-match filtering rules using socket addresses. Filtering by socket address allows you to restrict access to your web application by country/region using the source IP that the WAF sees.

Building modern IT architectures for Machine Learning

For most companies, the ability to continuously provide and integrate artificial intelligence solutions within their own applications and business workflows, is considered a particularly complex evolution. In the rapidly evolving artificial intelligence landscape, machine learning (ML) plays a fundamental role together with "data science". Therefore, to increase the successes of certain artificial intelligence projects, organizations must have modern and efficient IT architectures for machine learning. This article describes how these architectures can be built anywhere thanks to the integration between Kubernetes, Azure Arc ed Azure Machine Learning.

Azure Machine Learning

Azure Machine Learning (AzureML) is a cloud service that you can use to accelerate and manage the life cycle of machine learning projects, bringing ML models into a secure and reliable production environment.

Kubernetes as a compute target for Azure Machine Learning

Azure Machine Learning recently introduced the ability to activate a new target for computing: AzureML Kubernetes compute. Indeed, it is possible to use an Azure Kubernetes Service cluster (AKS) existing or an Azure Arc-enabled Kubernetes cluster as a compute target for Azure Machine Learning and use it to validate and deploy ML models.

Figure 1 - Overview on how to take Azure ML anywhere thanks to K8s and Azure Arc

AzureML Kubernetes compute supports two types of Kubernetes clusters:

  • Cluster AKS (in Azure environment). Using an Azure Kubernetes Service managed cluster (AKS), you can get a flexible environment, secure and capable of meeting compliance requirements for ML workloads.
  • Arc-enabled Kubernetes Cluster (in environments other than Azure). Thanks to Azure Arc-enabled Kubernetes it is possible to manage Kubernetes running in different environments from Azure clusters (on-premises or on other clouds) and use them to deploy ML models.

To enable and use a Kubernetes cluster to run AzureML workloads you need to follow the following steps:

  1. Activate and configure an AKS cluster or an Arc-enabled Kubernetes cluster. In this regard it is also recalled the possibility of activate AKS in Azure Stack HCI environment.
  2. Distribute the extension AzureML on the cluster.
  3. Connect the Kubernetes cluster to the Azure ML workspace.
  4. Use the Kubernetes compute target from CLI v2, SDK v2 and the Studio UI.

Figure 2 - Step to enable and use a K8s cluster for AzureML workloads

Infrastructure management for ML workloads can be complex and Microsoft recommends that it be done by the IT-operations team, so that the data science team can focus on the efficiency of the ML models. In light of this consideration, the division of roles can be as follows:

  • The IT-operation Team is responsible for the former 3 steps above. Furthermore, typically performs the following activities for the data science team:
    • Make configurations of aspects related to networking and security
    • Create and manage instance types for different ML workload scenarios in order to achieve efficient use of compute resources.
    • It deals with troubleshooting the workload of Kubernetes clusters.
  • The Data science Team, completed the activation activities in charge of IT-operation Team , can locate a list of compute targets and instance types available in the AzureML workspace. These compute resources can be used for training or inference workloads. The compute target is chosen by the team using specific tools such as AzureML CLI v2, Python SDK v2 or Studio UI.

Usage scenarios

The ability to use Kubernetes as a compute target for Azure Machine Learning, combined with the potential of Azure Arc, allows you to create, train and deploy ML models in any on-premises infrastructure or on different clouds.

This possibility activates different new usage scenarios, previously unthinkable using only the cloud environment. The following table provides a summary of the use scenarios made possible by Azure ML Kubernetes compute, specifying where the data resides, the motivation that drives each usage model and how it is implemented at the infrastructure and Azure ML level.

Table 1 - New usage scenarios made possible by Azure ML Kubernetes compute

Conclusions

Gartner expects that by 2025, due to the rapid spread of AI initiatives, the 70% of organizations will have operationalized IT architectures for artificial intelligence. Microsoft, thanks to the integration between different solutions, offers a series of possibilities to activate flexible and cutting-edge architectures for Machine Learning, an integral part of artificial intelligence.

Azure IaaS and Azure Stack: announcements and updates (September 2022 – Weeks: 35 and 36)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Azure Virtual Machines with Ampere Altra Arm–based processors

Microsoft is announcing the general availability of the latest Azure Virtual Machines featuring the Ampere Altra Arm–based processor. The new virtual machines will be generally available on September 1, and customers can now launch them in 10 Azure regions and multiple availability zones around the world. In addition, the Arm-based virtual machines can be included in Kubernetes clusters managed using Azure Kubernetes Service (AKS). This ability has been in preview and will be generally available over the coming weeks in all the regions that offer the new virtual machines.

Storage

Prevent a lifecycle management policy from archiving recently rehydrated blobs

Azure Storage lifecycle management offers a rule-based policy that you can use to transition blob data to the appropriate access tiers or to expire data at the end of the data lifecycle. You can configure rules to move a blob to archive tier based on last modified condition. If you rehydrate a blob by changing its tier, this rule may move the blob back to the archive tier. This can happen if the last modified time is beyond the threshold set for the policy. Now you can add a new condition, daysAfterLastTierChangeGreaterThan, in your rules, to skip the archiving action if the blobs are newly rehydrated.

Encrypt storage account with cross-tenant customer-managed keys (preview)

The ability to encrypt storage account with customer-managed keys (CMK) using an Azure Key Vault hosted on a different Azure Active Directory tenant is available in preview. You can use this solution to encrypt your customers’ data using an encryption key managed by your customers.

Ephemeral OS disks supports host-based encryption using customer managed key

Ephemeral OS disk customers can choose encryption type between platform managed keys or customer managed keys for host-based encryption. The default is platform managed keys. This feature would enable our customers to meet organization’s compliance needs.

Resource instance rules for access to Azure Storage

Resource instance rules enable secure connectivity to a storage account by restricting access to specific resources of select Azure services.
Azure Storage provides a layered security model that enables you to secure and control access to your storage account. You can configure network access rules to limit access to your storage account from select virtual networks or IP address ranges. Some Azure services operate on multi-tenant infrastructure, so resources of these services cannot be isolated to a specific virtual network.
With resource instance rules, you can now configure your storage account to only allow access from specific resource instances of such Azure services. For example, Azure Synapse offers analytic capabilities that cannot be deployed into a virtual network. If your Synapse workspace uses such capabilities, you can configure a resource instance rule on a secured storage account to only allow traffic from that Synapse workspace.
Resource instances must be in the same tenant as your storage account, but they may belong to any resource group or subscription in the tenant.

Networking

ExpressRoute IPv6 Support for Global Reach

IPv6 support for Global Reach unlocks connectivity between on-premise networks, via the Microsoft backbone, for customers with dual-stack workloads. Establish Global Reach connections between ExpressRoute circuits using IPv4 subnets, IPv6 subnets, or both. This configuration can be done using Azure Portal, PowerShell, or CLI.

The Azure VMware Solution's evolution for running VMware workloads on Azure

Azure VMware Solution (AVS) is the service designed, built and supported by Microsoft, and approved by VMware, that allows customers to easily extend or migrate fully to Azure VMware workloads residing in an on-premises environment. Microsoft recently introduced a series of interesting innovations regarding Azure VMware Solution that pave the way for new adoption scenarios and make it even more complete. This article reports the main aspects that have undergone an evolution and the new features recently introduced in Azure VMware Solution.

Azure VMware Solution allows you to deploy a VMware private cloud, in Software-Defined Data Center mode (SDDC), in Microsoft Azure environment.

Figure 1 – Azure VMware Solution overview

Main adoption scenarios

The adoption of Azure VMware Solution is usually contemplated to address the following scenarios:

  • Need to expand your datacenter
  • Disaster recovery and business continuity
  • Application Modernization
  • Reduction, consolidation or decommissioning of your datacenter

Benefits of the solution

Among the main benefits of adopting this solution it is possible to mention:

  • Ability to take advantage of investments already made in the skills and tools for managing on-premises VMware environments.
  • Modernization of your application workloads by adopting Azure services and without facing interruptions.
  • Economic convenience for running Windows and SQL Server workloads. Indeed, being in effect an Azure service, Azure VMware Solution supports Azure Hybrid Benefits, that allow you to maximize the investments made in Windows Server and SQL Server licenses in an on-premises environment, during migration or extension to Azure. Furthermore, customers who adopt this solution are entitled to three years of free extended security updates for Windows Server and SQL Server.

For more details about Azure VMware Solution (AVS) you can refer to this article.

Evolution and news of the solution

To further enrich the capabilities of the AVS solution and to make it even more effective, Microsoft has recently introduced the innovations reported in the following paragraphs.

Presence in 24 region of Azure

Since the launch of AVS, happened about two years ago, Microsoft has worked to extend the availability of this solution globally and it is now available in 24 different regions of Azure, more than any other cloud service provider. To consult the geographical availability of AVS it is possible to consult this page.

Figure 2 - Presence of AVS globally

VMware vSphere 7.0

All Azure VMware solution deployments can adopt VMware vSphere 7.0, the latest version of the suite that offers a full range of enterprise virtualization features.

Availability of Azure NetApp Files datastores

Workloads that require intensive use of storage, even in the AVS environment, can take advantage of integration with Azure NetApp Files. By adopting this solution, you can easily scale to increase storage capacities, thus overcoming the limits of local storage instances made available by vSAN. For further details please visit the Microsoft's official documentation.

Jetstream DR with Azure NetApp Files datastore support

Microsoft, in order to guarantee its customers the opportunity to make the most of the investments made in skills and technologies, has worked with some of the main partners offering disaster recovery solutions, one of them is Jetstream. The adoption of JetStream to develop DR plans is interesting as Azure Blob Storage is used to keep copies of virtual machines and related data. JetStream DR is now also able to replicate and automate recovery using Azure NetApp Files datastores.

VMware Cloud Director Services

Customers who have adopted the AVS solution, using the Microsoft Enterprise agreement, can purchase the service VMware Cloud Director from VMware. This allows us to connect to the AVS private cloud to create and manage private virtual data centers. Furthermore, you can take advantage of the features offered for migrating local VMware workloads to the Azure VMware Solution private cloud. For further details you can consult this documentation.

VMware vRealize Log Insight Cloud

The service VMware vRealize Log Insight Cloud it is also available for AVS. This solution provides centralized log management, detailed operational visibility and the ability to carry out in-depth analyzes. Thanks to this solution it is possible to increase the operational efficiency of IT departments, reduce costs resulting from unplanned downtime and provide in-depth visibility into security events.

“Public IP to NSX Edge” available in 17 region of Azure

Client applications running on AVS frequently require both outbound and inbound Internet connectivity. Thanks to this new feature, it is possible to adopt three different models to ensure incoming and outgoing Internet access to resources hosted in the Azure VMware Solution private cloud.

VMware Cloud Universal Program

Microsoft has extended the partnership with VMware by adding support to the program VMware Cloud Universal, a flexible purchasing and consumption program for the adoption of hybrid and multi-cloud strategies. This will allow customers to purchase Azure VMware Solution as part of the VMware Cloud Universal program.

Conclusions

Companies are required to adopt flexible and modern solutions in the IT field to achieve greater stability, continuity and resilience of the main application workloads that support their core business. Azure VMware solution has all the features to respond in the best way to these needs and the numerous improvements introduced, result of the joint work between Microsoft and VMware, make it more and more modern, solid and reliable.

Azure Management services: what's new in August 2022

Microsoft constantly releases news about Azure management services. By publishing this summary, we want to provide an overall overview of the main news released in the last month. This allows you to stay up-to-date on these topics and have the necessary references to conduct further investigations.

The following diagram shows the different areas related to management, which are covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.

Figure 1 – Management services in Azure overview

Monitor

Azure Monitor

Azure Monitor metric alerts: improvement in learning the thresholds

The “metric alerts” of Azure Monitor with dynamic threshold detection, use machine learning algorithms (ML) advanced tools to learn the historical behavior of metrics and identify patterns and anomalies that indicate possible problems in services. Thanks to the introduction of this new feature, prolonged interruptions are automatically recognized and these interruptions are removed from the trend in order not to distort the results. In this way, much better thresholds are obtained that adapt to the data and can detect problems in services with the same sensitivity before the interruption.

VM insights and the use of the new Azure Monitor agent (preview)

Currently, in order to use Azure Monitor VM insights you need to install, on board each virtual machine or virtual machine scale set to be monitored, the Log Analytics agent and the dependency agent. Thanks to the release of this new feature (preview) VM insights will use the new Azure Monitor agent, instead of the Log Analytics agent.

There are several features that are obtained with this preview:

  • Easy configuration, using the data collection rule, to collect the performance counters of VMs and specific data types.
  • Ability to enable and disable processes and dependency data that generate the Map view, thus obtaining a consequent cost optimization.
  • Improvement of security and performance resulting from the use of the Azure Monitor agent and managed identity.

Managed identity-based authentication to enable Azure Monitor container insights (preview)

Container insights now supports integration through the Azure Monitor agent for AKS clusters (Linux nodes) and for Arc-enabled clusters. This agent collects performance and event data from all cluster nodes and is automatically deployed and registered with the Log Analytics workspace. With the Azure Monitor agent, container insights also supports managed identity authentication for AKS and Arc-enabled clusters. This is a secure and simplified authentication model in which the monitor agent uses the managed identity of the cluster to send data to Azure Monitor. This new authentication mechanism replaces local authentication based on certificates and eliminates the need to add a specific role to the cluster. System-assigned identities and user-assigned identities are supported.

Availability in new regions

Azure Monitor Log Analytics is available in the following new regions:

  • China North 3
  • China East 3

To check the availability of the service in all the Azure regions you can consult this document.

Govern

Azure Policy

Policy to block the deployment of potential vulnerable images

To protect Kubernetes clusters and their container-based workloads from potential attack attempts, it is now possible to create restrictions in the deployment of images that contain vulnerabilities in their software components. Thanks to this feature it is possible to use Azure Policy and Azure Defender for Containers to identify vulnerabilities and apply related patches before making deployments.

Azure Cost Management

Updates related toMicrosoft Cost Management

Microsoft is constantly looking for new methodologies to improve Microsoft Cost Management, the solution to provide greater visibility into where costs are accumulating in the cloud, identify and prevent erroneous spending patterns and optimize costs . Inthis article some of the latest improvements and updates regarding this solution are reported. In particular, it should be noted the possibility to consolidate and manage various Azure Active Directory tenants from a single Billing account of the Microsoft Customer Agreement (MCA).

Azure Arc

Azure Arc-enable Servers: availability in new regions

Azure Arc-enable Servers is available in the following new regions:

  • China East 2 (preview)
  • China North 2 (preview)
  • South Africa North

Secure

Microsoft Defender for Cloud

New features, bug fixes and deprecated features of Microsoft Defender for Cloud

Microsoft Defender for Cloud development is constantly evolving and improvements are being made on an ongoing basis. To stay up to date on the latest developments, Microsoft updates this page, this provides information about new features, bug fixes and deprecated features. In particular, this month the main news concern:

  • Automatic deployment of the Azure Monitor agent (preview)
  • Deprecated alerts regarding suspicious activity related to a Kubernetes cluster

Protect

Azure Site Recovery

New Update Rollup

For Azure Site Recovery was released theUpdate Rollup 63 that solves several issues and introduces some improvements.

Among the main improvements introduced by this version of the ASR components, we find:

  • Oracle Linux support 8.6 for Linux OS/Azure to Azure and for VMware/Physical to Azure
  • The ability to migrate existing replication jobs from classic to modern mode for VMware virtual machines (see next paragraph “Upgrade to adopt VMware's modern VM replication experience”)

The details and the procedure to follow for the installation can be found in the specific KB.

Upgrade to adopt VMware's modern VM replication experience

In ASR the possibility of migrating has been introduced, VMware virtual machines protected by Azure Site Recovery, from the classical experience to the modern one recently introduced. The classic mode involves the replication of VMware VMs using the Configuration Server, while the modern mode involves the adoption of the ASR replication appliance. The migration process, towards the modern mode, which was introduced provides:

  • A detection mechanism that allows you not to have to repeat the initial replication of protected systems.
  • The calculation of the necessary migration times, in order to have all the elements necessary for proper planning.
  • A robust rollback mechanism, to restore the initial situation (classic mode) if any problems arise.

The adoption of the modern replication mechanism is recommended by Microsoft as it improves security, reduce the management effort and simplify the environment.

Migrate

Azure Migrate

New Azure Migrate releases and features

Azure Migrate is the service in Azure that includes a large portfolio of tools that you can use, through a guided experience, to address effectively the most common migration scenarios. To stay up-to-date on the latest developments in the solution, please consult this page, that provides information about new releases and features. In particular, this month the main news concern:

  • Ability to perform the discovery and assessment of SQL environments in Microsoft Hyper-V and physical / bare-metal systems, as well as on the IaaS services of other public clouds.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure IaaS and Azure Stack: announcements and updates (August 2022 – Weeks: 33 and 34)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Azure VMware Solution now in Sweden Central

Azure VMware Solution empowers you to seamlessly extend or migrate your existing on-premises VMware workloads to Azure without the cost, effort, or risk of re-architecting applications or retooling operations. With this update Azure VMware Solution has now expanded availability to the Sweden Central Azure region.

Azure VMware Solution: public IP capability

Most customer applications running on Azure VMware Solution require internet access. These applications require both outbound and inbound internet connectivity. Azure VMware Solution Public IP is a simplified and scalable solution for running these applications. With this capability, Microsoft enables the following:

  • Direct inbound and outbound internet access for AVS to the NSX-T Edge.
  • The ability to receive up to 1000 or more Public IPs.
  • DDoS Security protection against network traffic in and out of the internet.
  • Enable support for VMware HCX (migration tool for VMwre VMs) over the public internet.

UAE North Availability Zones

Availability Zones in UAE North are made up of three unique physically separated locations or “zones” within a single region to bring higher availability and asynchronous replication across Azure regions for disaster recovery protection.

Networking

Private endpoint network security group support

Private endpoint support for network security groups (NSGs) is now generally available. This feature enhancement provides you with the ability to enable advanced security controls on traffic destined to a private endpoint. In order to leverage this feature, you will need to set a specific subnet level property, called PrivateEndpointNetworkPolicies, to enabled.

Private endpoint user-defined routes support

Private endpoint support for user-defined routes (UDRs) is now generally available. This feature enhancement will remove the need to create a /32 address prefix when defining custom routes. You will now have the ability to use a wider address prefix in the user defined route tables for traffic destined to a private endpoint (PE) by way of a network virtual appliance (NVA). In order to leverage this feature, you will need to set a specific subnet level property, called PrivateEndpointNetworkPolicies, to enabled on the subnet containing private endpoint resources.

Azure Stack

Azure Stack HCI

Azure Stack HCI 22H2: Network ATC improvements

Network ATC can simplify the deployment and on-going management of host networking in Azure Stack HCI. In this article are described all improvements to this component, released with Azure Stack HCI 22H2 update.

Software Defined Networking (SDN) extensions reach General Availability for WAC

SDN Infrastructure, Network Security Groups (NSGs), Logical networks, Virtual Networks, Load Balancers, and Gateways reach General Availability for Windows Admin Center (WAC). SDN Infrastructure’s “Network Controller” tab in WAC now displays information about cluster, server, and node certificates, complete with UI indications that certificate will expire soon.

The new solution to manage and govern system updates

Common cybersecurity practices provide, among the many tricks, the timely application of software updates. Indeed, this activity is also of fundamental importance to eliminate the vulnerabilities that allow the implementation of specific cyber attacks on company systems. To facilitate the application of patches, related to the operating system, to the machines of your infrastructure, Microsoft recently announced the availability of a new solution called "Update management center". This article reports the characteristics and peculiarities of this solution that helps simplify the management of updates and achieve compliance with regard to these aspects related to security.

What allows you to do this solution?

Update management center is the new solution that helps to centrally manage and govern the updates of all the machines present in your infrastructure. Indeed, by means of this solution it is possible:

  • Check update compliance for your entire fleet of machines.
  • Instantly distribute critical updates to protect your systems or plan installation within a defined maintenance window.
  • Take advantage of the different patching options, like Automatic VM guest patching in Azure, hot patching, and maintenance schedules defined by the customer.

To date, Update management center is able to manage and govern updates on:

  • Windows and Linux operating systems.
  • Machines residing in Azure, locally and on other cloud platforms, thanks to Azure Arc.

The following diagram illustrates how Update management center performs the evaluation and application of updates on all Azure systems and Arc-enabled servers, both Windows and Linux.

Figure 1 - Update management center overview

Update Management Center is based on a new Azure extension designed to provide all the features necessary to interact with the operating system as regards the evaluation and application of updates. This extension is automatically installed at the start of any operation of Update Management Center. The distribution of the extension is supported on Azure virtual machines or on Arc-enabled servers and is installed and managed using:

  • The Windows agent or the Linux agent for Azure virtual machines.
  • The Azure Arc agent for non-Azure physical computers or servers (bot Linux, and Windows).

The installation and configuration of the extension is managed by the solution and no manual intervention is required, as long as the Azure VM Agents or Agents for Azure Arc are functional. The extension ofUpdate management center runs code locally on the computer to interact with the operating system and allows you to:

  • Retrieve evaluation information about the status of system updates, specified by the Windows Update agent or by the Linux package manager*.
  • Start the download and installation of approved updates from the Windows Update client or from the Linux package manager.
  • Get all the information on the results of installing updates, which are reported inUpdate management center from the extension and are available for analysis via the Azure Resource Graph. The visualization of the evaluation data can be consulted for the last seven days and the results regarding the installation of updates are available for the last thirty days.

* The machines deliver notifications on updates based on the origin with which they are configured for synchronization. Windows Update Agent (WUA) on Windows machines it can be configured to reference Windows Server Update Services (WSUS) or to Microsoft Update. Linux machines can be configured to reference a local or public YUM or APT package repository.

Benefits of the solution

Update management center works without the need for onboarding, as it is a solution that is natively based on the Azure Compute platform and Azure Arc-enabled servers. This solution will soon take the place of Update Management of Azure Automation, removing any dependency on Azure Automation and Log Analytics.

The main strengths of the new solution are summarized in the following paragraphs.

Centralized visibility of updates

Thanks to this solution it is possible to consult centrally, direct from the Azure Portal, the state of compliance with respect to the updates requested and distributed on the various systems.

Native integration and zero onboarding

Being a solution created as a native feature of the Azure platform, there is no dependency on Log Analytics and Azure Automation. Furthermore, the solution supports full integration with Azure Policy.

Integration with Azure roles and identities

The solution allows for granular access control at the resource level. Everything is based on Azure Resource Manager and therefore allows the use of RBAC and ARM-based roles in Azure.

High flexibility in managing updates

The ability to automatically check for missing or on-demand updates, as well as the ability to act by installing updates immediately or to schedule them for a later date are elements that guarantee high flexibility. Furthermore, it is allowed to keep the systems updated by adopting new techniques, such as automatic VM guest patching in Azure and hotpatching.

Integration with other solutions

In this context it is worth considering that Microsoft offers, in addition to this solution, also other features to manage updates for Azure virtual machines.  These features should be considered as an integral part of your overall update management strategy. Among the various features we find:

  • Automatic OS image upgrade
  • Automatic VM guest patching
  • Automatic extension upgrade
  • Hotpatch
  • Maintenance control
  • Scheduled events

To learn more about all these solutions, you can consult the Microsoft's official documentation.

Conclusions

This new feature, fully integrated into the Azure platform and able to exploit the potential of Azure Arc, it allows you to keep all the systems of your infrastructure up-to-date in a simple way, direct and with very little administrative effort. Furthermore, guarantees total visibility on update compliance for both Windows and Linux systems, fundamental element to increase the security posture of your infrastructure.

Azure IaaS and Azure Stack: announcements and updates (August 2022 – Weeks: 31 and 32)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Azure Dedicated Host restart (preview)

Azure Dedicated Host gives you more control over the hosts you deployed by giving you the option to restart any host. When undergoing a restart, the host and its associated VMs will restart while staying on the same underlying physical hardware. With this new capability, now in preview, you can take troubleshooting steps at the host level.

Azure Dedicated Host support for Ultra SSD (preview)

Currently, VMs running on Azure Dedicated Host support the use of Standard and Premium Azure disks as data disks. With this preview, Microsoft is introducing support for Azure Ultra Disks on Azure Dedicated Host. Azure Ultra disks are highly performant disks on Azure that offer high throughput (maximum of 4000 MBps per disk) and high IOPS (maximum of 160,00 IOPS per disk) depending on the disk size.
If you are running IaaS workloads that are data intensive and latency sensitive, such as Oracle DB, MySQL DB, other critical databases, and gaming applications, you will benefit from using Ultra disks as data disks on VMs hosted on Azure Dedicated Host.

Microsoft Azure available from new cloud region in Qatar

Microsoft is launching a new datacenter region in Qatar. The new datacenter region includes Azure Availability Zones, which offer you additional resiliency for your applications by designing the region with unique physical datacenter locations with independent power, network, and cooling for additional tolerance to datacenter failures.

Enforcement mode of machine configuration (previously guest configuration)

The enforcement mode of machine configuration (previously guest configuration) is now generally available. This represents the ApplyAndMonitor and ApplyAndAutocorrect auditing modes. The customer experience within Azure has not changed as a result of the renaming. Machine configuration continues to provide a native capability to audit or configure operating system settings as code, both for machines running in Azure and hybrid Azure Arc-enabled servers, directly per-machine or at-scale orchestrated through Azure Automanage, Microsoft Defender for Cloud, or Azure Policy.
You will now be able to:

  • Apply and monitor configurations: set the required configuration on your machines and remediate on demand.
  • Apply and autocorrect configurations: set the required configuration at scale and autoremediate in the event of a configuration drift.
  • Apply configurations to machines at management group level.
  • Set TLS 1.2 to machines through our newly released built-in policy.
  • Create, delete, and monitor the compliance of your configurations through the Azure portal.

Storage

Azure StorSimple 8000/1200 series will no longer be supported starting 31st December 2022

Support for the following StorSimple versions will end 31st December 2022:
• StorSimple 8000 series – 8100, 8600, 8010, 8020
• StorSimple 1200 Series
• StorSimple Data Manager
• StorSimple Snapshot Manager

The StorSimple service will reach end of life which means the following will no longer be available:
• All cloud management capability (e.g. viewing or updating settings related to volumes, shares, backups, backup policies or installing updates, etc.)
• Access to live data and backups.
• Access to customer support resources (phone, email, web)
• Hardware replacement parts and repair services for StorSimple 8000 series devices
• Software updates for StorSimple 8000 series and 1200 series devices

Microsoft has been expanding the portfolio of Azure Hybrid storage capabilities with new services for data tiering and cloud ingestion, providing more options to customers for storing data in Azure in native formats.

Networking

Azure Firewall Premium is now ICSA labs certified

Azure Firewall Premium SKU is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It provides advanced threat protection that meets the needs of highly sensitive and regulated environments and includes Intrusion Prevention System (IPS) and TLS inspection capabilities.
The new Intrusion Prevention System (IPS) certification from ICSA Labs is an important IPS certification, is an addition to existing Firewall certification, from ICSA Labs.
ICSA Labs provides credible third-party testing and certification of security and health IT products, as well as network-connected devices. This includes certification of network intrusion prevention systems.
ICSA Labs Network Intrusion Prevention System (IPS) security certification test cycle includes Azure Firewall protection against exploits aimed at approximately 100 high severity vulnerabilities in enterprise software. Because real world attacks do not happen on a quiescent network, ICSA Labs tests with an appropriate level of background traffic using various mixes of enterprise network traffic. The test included evasion techniques, platform security of the product itself, logging, secure administration, and administrative functions.
Azure Firewall is the first cloud firewall service to attain the ICSA Labs Corporate Certification for both Firewall and IPS services.

Next hop IP support for Route Server

With next hop IP support, you can deploy network virtual appliances (NVAs) behind an Azure Internal Load Balancer (ILB) to acheive key active-passive connectivity scenarios and improve connectivity performance.

Azure Management services: what's new in July 2022

Microsoft is constantly announcing news regarding Azure management services and as usual this monthly summary is released. The aim is to provide an overview of the main news of the month, in order to stay up to date on these topics and have the necessary references to conduct further exploration.

The following diagram shows the different areas related to management, which are covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.

Figure 1 – Management services in Azure overview

Monitor

Azure Monitor

Azure Monitor for SAP Solutions (preview)

Azure Monitor has launched a new version, called Azure Monitor for SAP solutions (AMS), for the SAP solutions monitor (preview). This new version allows, for SAP workloads in Azure, to collect SAP information and telemetry. This solution is useful for both SAP BASIS teams and infrastructure teams who can consult the information collected in a single location.

Migration tools for the Azure Monitor Agent (preview)

The Azure Monitor Agent (AMA) offers a secure way, economically convenient, simplified and performing for the collection of telemetry data from Azure virtual machines, from Virtual Machine Scale Set, from Arc-enabled servers and Windows clients. Migration from the Log Analytics agent (MMA or OMS agents) it must take place by August 2024. To make this process easier for you, Microsoft is providing dedicated agent migration tools, that allow you to automate the migration process. For further details you can consult the Microsoft's official documentation.

Azure Monitor Agent: support for User-assigned Managed Identity (preview)

The new Azure Monitor Agent (AMA) now supports User-assigned Managed Identities in preview. Thanks to this support, it is possible to use the policies to distribute the extension of the AMA on virtual machines and on virtual machine scale sets. User-assigned Managed Identities allow for greater scalability and resilience than System Assigned Identities, thus becoming the recommended method for large-scale installations using extensions.

Configure

Update management center (preview)

Update management center is the new solution that helps centrally manage and govern updates of all machines. It works without the need for onboarding, as it is a solution that is natively based on the Azure Compute platform and Azure Arc-enabled servers. This solution will soon take the place of Update Management of Azure Automation, removing any dependency on Azure Automation and Log Analytics. Update management center is, today, able to manage and govern updates on:

  • Windows and Linux operating systems
  • Machines residing in Azure, locally and on other cloud platforms, thanks to Azure Arc

Among the main strengths of the new solution we find:

  • Centralized visibility of updates
  • Native integration and zero onboarding
  • Integration with Azure roles and identities
  • High flexibility in managing updates

Govern

Azure Cost Management

Updates related toMicrosoft Cost Management

Microsoft is constantly looking for new methodologies to improve Microsoft Cost Management, the solution to provide greater visibility into where costs are accumulating in the cloud, identify and prevent erroneous spending patterns and optimize costs . Inthis article some of the latest improvements and updates regarding this solution are reported.

Secure

Microsoft Defender for Cloud

New features, bug fixes and deprecated features of Microsoft Defender for Cloud

Microsoft Defender for Cloud development is constantly evolving and improvements are being made on an ongoing basis. To stay up to date on the latest developments, Microsoft updates this page, this provides information about new features, bug fixes and deprecated features. In particular, this month the main news concern:

Protect

Azure Backup

Smart tiering: automatic move to the vault-archive tier (preview)

Azure Backup has introduced the ability to configure policies to automate the use of the vault-archive tier for Azure virtual machines and for SQL Server / SAP HANA on board virtual machines. This ensures that the restore points are suitable and recommended (in the case of Azure virtual machines) are automatically moved to the vault-archive tier. This is done periodically and according to the backup policy settings. Furthermore, you can specify the number of days after which you want the recovery points to be moved to the vault-archive tier.

Azure Site Recovery

Mitigated Azure Site Recovery vulnerabilities

Microsoft has corrected a number of Azure Site Recovery vulnerabilities (ASR) releasing updates on 12 July, during Microsoft's regular update cycle. These vulnerabilities affect all customers using ASR in a VMware / Physical to Azure replication scenario. These vulnerabilities have been corrected in the latest version of ASR 9.49. For more information you can consult this bulletin.

New Update Rollup

For Azure Site Recovery was released theUpdate Rollup 62 which solves various problems and introduces some new features, among which:

  • Support for Linux OS / Azure to Azure: RHEL 8.6 and Cent OS 8.6
  • Support for VMware / Physical to Azure: RHEL 8.6 and Cent OS 8.6
  • Support for configuring “proxy bypass” for VMware and Hyper-V replicas, using private endpoints.

The related details and the procedure to follow for installation can be found in specific KB.

Migrate

Azure Migrate

New Azure Migrate releases and features

Azure Migrate is the service in Azure that includes a large portfolio of tools that you can use, through a guided experience, to address effectively the most common migration scenarios. To stay up-to-date on the latest developments in the solution, please consult this page.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure IaaS and Azure Stack: announcements and updates (July 2022 – Weeks: 29 and 30)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Virtual machine restore points

VM restore points provides you with a point in time snapshot of all the managed disks attached to your Virtual Machine. Customers and Azure partners who are looking to build business continuity and disaster recovery solutions can use VM restore points to capture app consistent and crash consistent backups natively on the Azure platform. This can then be used to restore disks and VMs during scenarios such as data loss, data corruption, or disaster recovery.

NVads A10 v5 Virtual Machines

NVads A10 v5 virtual machines (VMs) are now generally available in West Europe, South Central US, and West US3 regions. The NVads A10 v5 VM series enables a wide variety of graphics, video, and AI workloads, including virtual production and visual effects, engineering design and simulation, game development and streaming, virtual desktops/workstations and more. They feature NVIDIA A10 Tensor Core GPUs, up to 72 AMD EPYC™ 74F3-series vCPUs, and are designed to offer the right choice for any workload with optimum configurations for both single user and multi-session environments.

Azure confidential VMs (DCasv5/ECasv5-series VMs)

Azure confidential VMs are designed to offer a new, hardware-based TEE leveraging SEV-SNP, which hardens guest protections to deny the hypervisor and other host management code access to VM memory and state, protecting against operator access. Azure DCasv5/ECasv5 confidential VMs, utilizing 3rd Gen AMD EPYC processors with Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) security features, are available.

Trusted Launch support for DCsv3 and DCdsv3 series Virtual Machines

Trusted Launch support for DCsv3 and DCdsv3 virtual machines is available. DCsv3 and DCdsv3 series virtual machines provides support for Intel® SGX. With all new hardware-based security paradigm is now just a few clicks away in Azure to deploy DCsv3 virtual machines with trusted launch feature.

Storage

Live resize for Premium SSD and Standard SSD Disk Storage

Resizing a disk on Azure can provide increased storage capacity and better performance for your applications. As part of our commitment to continuously add new capabilities to our Azure Disk Storage portfolio, live resize for Premium SSD and Standard SSD Disk Storage is now generally available. With live resize, you can dynamically increase the storage capacity of your Premium SSD and Standard SSD disks without causing any disruption to your applications. To reduce costs, you can start with smaller disks and gradually increase their storage capacity without experiencing any downtime.

Azure Premium SSD v2 Disk Storage (preview)

The next generation of Microsoft Azure Premium SSD Disk Storage is available in preview. This new disk offering provides the most advanced block storage solution designed for a broad range of input/output (IO)-intensive enterprise production workloads that require sub-millisecond disk latencies as well as high input/output operations per second (IOPS) and throughput at a low cost. With Premium SSD v2, you can now provision up to 64TiBs of storage capacity, 80,000 IOPS, and 1,200 MBPS throughput on a single disk. With best-in-class IOPS and bandwidth, Premium SSD v2 provides the most flexible and scalable general-purpose block storage in the cloud, enabling you to meet the ever-growing demands of your production workloads such as SQL Server, Oracle, MariaDB, SAP, Cassandra, Mongo DB, big data, analytics, gaming, on virtual machines, or stateful containers. Moreover, with Premium SSD v2, you can provision granular disk sizes, IOPS, and throughput independently based on your workload needs, providing you more flexibility in managing performance and costs.

Networking

TLS 1.3 support on Application Gateway (preview)

The new Predefined and CustomV2 policies on Application Gateway come with TLS v1.3 support. They provide improved security and performance benefits, fulfilling the needs of your enterprise security policies. You may use out-of-the-box predefined policies or configure a preferred cipher-suite list by using the CustomV2 policy.

Azure Stack

Azure Stack HCI

Azure Marketplace for Arc-enabled Azure Stack HCI (preview)

Azure Marketplace for Arc-enabled Azure Stack HCI makes it easy and convenient to download the latest fully patched image to your cluster with just a few clicks in the Azure Portal. This preview focuses on Windows 11 Enterprise multi-session, the image used by Azure Virtual Desktop, and Windows Server 2022 Datacenter Azure Edition, which enables hot-patching (reboot-less patching) for on-premises VMs. More images will follow in the coming months. This preview is available for all in-market Azure Stack HCI.

Remote support for Arc-enabled Azure Stack HCI (preview)

When opening a case, you can now grant Microsoft support engineers remote access to your cluster to gather logs of perform remediation steps themselves. This reduces the back-and-forth that’s typical with on-premises support. New PowerShell cmdlets and Windows Admin Center tools let you precisely control and audit the access that support engineers get, including time limits, allow-listing cmdlets, and comprehensive auditing that’s always on.

Arc-enabled guest VMs with extensions for Azure Stack HCI (preview)

When you deploy a new virtual machine through Azure Arc onto Azure Stack HCI, the guest operating system is now automatically enrolled as an Arc-enabled server instance. This means you can use popular VM extensions like Custom Script to perform configuration inside the VM (like installing an application) as part of VM deployment. To illustrate the usefulness of this capability, Microsoft is providing a sample custom script extension that enrolls a VM into an Azure Virtual Desktop session host pool, eliminating manual configuration of the guest agent as its own step. This preview is available for all in-market Arc-enabled Azure Stack HCI.

Azure Stack HCI version 22H2 (preview)

The operating system at the heart of Azure Stack HCI gets a major update with new features and enhancements every year. Next month, the first significant preview of version 22H2 will become available to clusters enrolled in the public Preview channel. Like version 21H2, the new version 22H2 will be available as a free, non-disruptive, over-the-air update for all subscribers when it reaches general availability later this year. Content-wise, the update is focused on fundamental improvements to the core hypervisor, storage, and networking.

Storage replication in stretch clusters is faster, and you can convert existing volumes from fixed provisioning to thin provisioning.

Network ATC has gained new abilities, including automatic IP addressing for storage networks, support for stretch clusters, and better network proxy support.

Hyper-V live migration is faster and more reliable for switchless 2-node and 3-node clusters.

And for new installations, version 22H2 starts with a stronger default security posture, including a stronger set of protocols and cipher suites, Secured-Core Server, Windows Defender application control, and other well-known security features enabled by default right from the start.

Azure Stack Hub

Azure Well-Architected Framework Assessments (preview)

Two pillars of the Well-Architected Framework are available in Preview for Azure Stack Hub on the Microsoft Assessment Platform: Reliability and Operational Excellence. If you are using Azure Stack Hub to deploy and operate workloads for key business systems, it is now possible to answers questions for these pillars within the assessments platform. After completing the assessments, you will be provided with a maturity or risk score, together with prescriptive guidance and knowledge links that suggest possible improvements you could make to your architecture design and score.