Category Archives: Datacenter Management

Azure IaaS and Azure Stack: announcements and updates (June2021 – Weeks: 23 and 24)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Confidential Computing price reduction on DCsv2 virtual machines

DCsv2-series protects the confidentiality and integrity of your data and code while it’s processed in the public cloud. Microsoft is announcing a price reduction on DCsv2-series Azure Virtual Machines by 37%. The new pricing is effective June 1st, 2021, and applies to all the regions where DCsv2-series is available.

New datacenter region in Arizona

Microsoft is launching a new sustainable datacenter region in Arizona, known as “West US 3.” For more details you can read “Expanding cloud services: Microsoft launches its sustainable datacenter region in Arizona“.

Azure Virtual Machines DCsv2-series are available in Australia

Confidential computing DCsv2-series virtual machines (VMs) are now available in Australia East, Austria Southeast will launch in the coming weeks to provide disaster recovery capabilities.

Storage

Azure Blob index tags

Prior to index tags, solutions that required the ability to quickly find specific objects in a blob container would need to keep a secondary catalog. Blob index tags provides a built in capability to add tags and then quickly query for or filter using this information. This provides a simpler solution without requiring a separate query system. This includes the ability to set index tags both upon upload or after upload. You can utilize these indexes as part of lifecycle management that automates deletion and movement between tiers.

Networking

New Azure private MEC solution announced

An evolution of Private Edge Zones, Azure private multi-access edge compute (MEC) expands the scope of possibilities from a single platform and service to a combination of edge compute, multi-access networking stacks, and the application services that run together at the edge. These capabilities help simplify integration complexity and securely manage services from the cloud for high-performance networking and applications.

In addition to the Azure private MEC solution, we are announcing the following Microsoft and partner services and solutions:

  • New Azure Network Function Manager (public preview) service
  • Metaswitch Fusion Core third-party services on Azure Stack Edge
  • Affirmed Private Network Service third-party service on Azure Stage Edge
  • New Azure Marketplace solutions from our partners’

Default Rule Set 2.0 for Azure Web Application Firewall (preview)

The Default Rule Set 2.0 (DRS 2.0) for Azure Web Application Firewall (WAF) deployments running on Azure Front Door is in preview. This rule set is only available on the Azure Front Door Premium SKU. DRS 2.0 includes the latest changes to our rule set, including the addition of anomaly scoring. With anomaly scoring, incoming requests are assigned an anomaly score when they violate WAF rules and an action is taken only when they breach an anomaly threshold. This helps drastically reduce false positives for customer applications. Also included in DRS2.0 are rules powered by Microsoft Threat Intelligence which offer increased coverage and patches for specific vulnerabilities.

Azure Stack HCI: the constantly evolving hyper-converged solution

Azure Stack HCI is the solution that allows you to create a hyper-converged infrastructure (HCI) for the execution of workloads in an on-premises environment and which provides for a strategic connection to Azure services. Recently Microsoft has brought a series of new features that open up new scenarios in the adoption of this solution and that allow you to better manage your hybrid infrastructure based on Azure Stack HCI. This article reports the main aspects that have undergone an evolution and the new features recently introduced in Azure Stack HCI.

Azure Kubernetes Service in Azure Stack HCI

One of the main new features is the ability to activate Azure Kubernetes Service (AKS) in Azure Stack HCI. This new on-premises AKS implementation scenario allows you to automate the large-scale execution of modern applications based on micro-services. Thanks to Azure Stack HCI, the adoption of these container-based application architectures can be hosted directly in your own datacenter, adopting the same Kubernetes management experience that you have with the managed service present in the Azure public cloud.

Figure 1 - AKS overview on Azure Stack HCI

Azure Monitor Insights for Azure Stack HCI (preview)

The solution Azure Stack HCI Insights is able to provide detailed information on integrity, on the performance and usage of Azure Stack HCI clusters, version 21H2 connected to Azure and registered for related monitoring. Azure Stack HCI Insights stores its data in a Log Analytics workspace, thus having the possibility to use powerful aggregations and filters to better analyze the data collected over time. There are no specific costs for using Azure Stack HCI Insights, but the cost is calculated based on the amount of data entered in the Log Analytics workspace and the related data retention settings.

You have the option of viewing the monitor data of a single cluster from the Azure Stack HCI resource page or you can use Azure Monitor to obtain an aggregate view of multiple Azure Stack HCI clusters with an overview of the health of the cluster, the state of nodes and virtual machines (CPU, memory and storage consumption), performance metrics and more. This is the same data also provided by Windows Admin Center, but designed to scale up to 500 cluster at the same time.

Figure 2 - Azure Monitor Insights control panel for Azure Stack HCI

Simplification of networking with Network ATC (preview)

Azure Stack HCI networking deployments and operations can be complex and error-prone. Due to the flexibility that is provided in the configuration of the network stack of the hosts that make up the Azure Stack HCI cluster, there are several parts that can be configured not in the best way. Staying up to date with the latest best practices is also a challenge as improvements are continually made to underlying technologies. Furthermore, consistency of the configuration between the nodes of the HCI cluster is an important aspect as it allows for a stable and more reliable environment.

Network ATC makes it easy to create and manage network configuration for Azure Stack HCI nodes, helping to:

  • Reduce the time, the complexity and failures of cluster host networking implementation
  • Deploy the latest best practices validated and supported by Microsoft
  • Ensure configuration consistency across the cluster environment

Automatic activation of Windows virtual machines

Starting with the cumulative update of June 2021, Azure Stack HCI will support the popular automatic virtual machine activation feature (Automatic VM Activation – AVMA) of Hyper-V for Windows Server. Customers who have an activation key of Windows Server 2019 Datacenter Edition can insert them directly into the Azure Stack HCI host using Windows Admin Center or PowerShell. In this way. virtual machines hosted in a clustered environment running Windows Server will automatically inherit activation from the host, without having to manage it for each virtual machine.

Figure 3 – Automatic VM Activation (AVMA) from Windows Admin Center

Trial Period Extension a 60 days

Azure Stack HCI offers a free trial period that allows you to thoroughly evaluate the solution. The duration of this test is extended by 30 days to 60 days and will start from when the registration of the cluster environment is completed. These changes have been applied to all tests since 3 may 2021.

Preview channel

Starting with the cumulative update of June 2021, you have the option of joining the Preview channel with non-production cluster environments, similar to the Windows Insider program but for Azure Stack HCI. It is a program that allows customers to install the next version of the operating system before the official release (build pre-release). This allows you to evaluate the new Azure Stack HCI features and is for evaluation and testing purposes only. Joining this program does not include any cost for Azure Stack HCI and the cluster environment will not have any type of support. The Preview channel will allow you to share feedback on the experience of participating in the channel, useful for enriching and improving the adoption of Azure Stack HCI.

Figure 4 - Join the Preview channel from Windows Admin Center

Availability in China

The Azure Stack HCI team is working to make its service available in other regions and now it is possible to activate it also in Azure China. In fact, you can download Azure Stack HCI from azure.cn, register your cluster in the region China East 2 and take advantage of the advantages of the solution. Integrated systems for Azure Stack HCI are available in China for different vendors, from Lenovo and Dell, as well as from regional partners, ensuring a strong local presence able to provide the best technical advice and the necessary support.

Conclusions

This set of new features introduced demonstrates a major investment by Microsoft in the Azure Stack HCI solution. Thanks to constant improvement, the continuous introduction of new features and the inclusion of new usage scenarios, the proposition for hyper-converged scenarios is increasingly complete, integrated and performing. Azure Stack HCI integrates perfectly with the existing on-premises environment and offers an important added value: the ability to connect Azure Stack HCI with Azure services to obtain a hybrid hyper-converged solution. This aspect in particular strongly differentiates it from other competitors who offer solutions in this area.

Azure IaaS and Azure Stack: announcements and updates (June 2021 – Weeks: 21 and 22)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Storage

Azure Storage Blob inventory is now available in all public regions (preview)

Azure blob storage inventory provides you the ability to understand the total number of objects, their size, tier, and other information to gain insight into your object storage estate. Inventory can be used with Azure Synapse to calculate summaries by container. Microsoft has expanded preview to all public regions for blob inventory.

Key Rotation and Expiration Policies

Key rotation is one of the best security practices to reduce the risk of secret leakage for enterprise customers. Customers using Azure Storage account access keys can rotate their keys on demand, in the absence of key expiry dates and policies customers find it difficult to enforce and manage this key rotation automatically. The new feature will allow you to not only set key expiration duration but also add policies that can mandate anyone deploying storage endpoints to specify key rotation duration. Furthermore, you would be able to monitor key expiration and set alerts if a key is about to expire. For accounts that are nearing key expiry, you can rotate the keys using APIs, CLI, Powershell, or Azure Portal.

Networking

ExpressRoute Global Reach Pricing Reduction

Microsoft is annoucing a 50% decrease in the data transfer price for ExpressRoute Global Reach. This pricing change will go into effect as of June 1, 2021. For more information about ExpressRoute Global Reach pricing, visit the ExpressRoute Pricing webpage.

Azure Stack

Azure Stack HCI

Azure Kubernetes Service (AKS) on Azure Stack HCI

Azure Kubernetes Services (AKS) on Azure Stack HCI simplifies the Kubernetes cluster deployment on Azure Stack HCI. It offers hybrid capabilities and consistency with Azure Kubernetes Service for ease of app portability and management. You can take advantage of familiar tools and capabilities to modernize both Linux and Windows .NET apps on-premises. Furthermore, its built-in security enables you to deploy your modern applications anywhere: cloud, on-premises, and edge.

Free Trial Now Available

The Azure Stack HCI team has extended the built-in free software trial from 30 days to 60 days giving more time for customers and partners to evaluate their virtual workloads on Azure Stack HCI in planning their purchase decision. There’s nothing you need to do to enable the trial duration, it’s been automatically extended.

Available in China

Azure Stack HCI is now available in the China cloud – making it very easy to get all the benefits of Azure Stack HCI.

New feature called Network ATC

The next update available to Azure Stack HCI subscribers will be 21H2 which is in preview right now. With this update comes a new feature called Network ATC, which simplifies the deployment and management of networking on your HCI hosts.

If you’ve deployed Azure Stack HCI previously, you know that network deployment can pose a significant challenge. You might be asking yourself:

  • How do I configure or optimize my adapter?
  • Did I configure the virtual switch, VMMQ, RDMA, etc. correctly?
  • Are all nodes in the cluster the same?
  • Are we following the best practice deployment models?
  • (And if something goes wrong) What changed!?

So, what does Network ATC actually set out to solve? Network ATC can help:

  • Reduce host networking deployment time, complexity, and errors
  • Deploy the latest Microsoft validated and supported best practices
  • Ensure configuration consistency across the cluster
  • Eliminate configuration drift

Network ATC does this through some new concepts, namely “intent-based” deployment. If you tell Network ATC how you want to use an adapter, it will translate, deploy, and manage the needed configuration across all nodes in the cluster.

Azure Management services: What's new in May 2021

To stay constantly updated on news regarding Azure Management services, this summary is released monthly, allowing you to have an overview of the main new features of the month. In this article you will find the news, presented in a synthetic way and accompanied with the necessary references to be able to conduct further studies.

The following diagram shows the different areas related to management, which are covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.

Figure 1 – Management services in Azure overview

Monitor

Azure Monitor

Log Analytics workspace insights

Microsoft has announced the availability of Log Analytics workspace insights which allows you to obtain detailed information on the Log Analytics workspaces, providing a comprehensive overview of the following aspects: use, performance, integrity, agents, query e change logs.

These are the main questions to which the solution can provide an answer:

  • What are the main tables, those where most of the data is imported?
  • Which resource sends the most logs to the workspace?
  • How long does it take for the logs to reach the workspace?
  • How many agents are connected to the work area? How many are in a health state?
  • Query control: how many queries run in the workspace? What are their response codes and duration time? What are the slow and inefficient queries that require workspace overhead?
  • Who has set a daily limit? When data retention has changed?
    • Useful for keeping a log of changes in workspace settings.

Export of Azure Monitor logs to multiple destinations (preview)

You now have the option to create up to 10 data export rules in each Log Analytics workspace, having the flexibility to decide which tables to export and to which destination (storage accounts oppure event hubs). This configuration possibility makes it possible to address these aspects:

  • Event hub rate limit
  • Single storage account rate limit
  • Different logs can be exported to different destinations.

Updates related to the user interface(UI)

The following user interface updates have been introduced in Log Analytics(UI):

  • Consultation of custom logs: it is now possible to control and manage the table and the custom fields from a new dedicated panel, offering a new user interface that improves the experience of consulting custom logs.
  • Azure Dashboard: the parts of Log Analytics added to Azure dashboards support integration with filters.

Query packs in Azure Monitor (preview)

Query packages have been made available in Azure Monitor , which are essentially ARM objects containing several queries. Among the main features we find:

  • Being ARM objects, precise control of permissions is provided and can be distributed via code and incorporated into policies.
  • They work in all contexts and in all environments, with the ability to upload them to multiple subscriptions.
  • They allow organizations to better organize queries based on their taxonomy, thanks to the presence of new metadata.
  • The clear experience, harmonized and contextual to the environment is incorporated in Log Analytics.

Availability in new regions

Azure Monitor Log Analytics is now also available in the South India region. To check the availability of the service in all the Azure regions you can consult this document.

Secure

Azure Security Center

Integration con GitHub Actions (in public preview)

The integration of Azure Security Center (ASC) with GitHub Actions, in public preview, allows you to easily incorporate security and compliance early in the software development lifecycle. With this integrated experience, you can gain greater visibility into IT operations and IT security, both in the pipeline CI / CD, both in the security scans of container registry within ASC. Furthermore, end-to-end traceability makes it easier for developers to identify issues, improving resolution times and strengthening your cloud security posture.

Re-scanning of containers

Azure Security Center has introduced a new scan for containers that analyzes images to identify vulnerabilities before the push action occurs within the Azure container registries. In the future, ASC will also provide recommendations if you detect workflows that send Docker images without enabling scan actions CI / CD.

New features, bug fixes and deprecated features of Azure Security Center

Azure Security Center development is constantly evolving and improvements are being made on an ongoing basis. To stay up to date on the latest developments, Microsoft updates this page, this provides information about new features, bug fixes and deprecated features. In particular, this month the main news concern:

Protect

Azure Backup

Backup for Azure Blobs

Azure Blob Backup is a managed data protection solution, this helps protect block blobs from various data loss scenarios. The data is stored locally within the source storage account and can be restored from a certain time when necessary. This feature provides a simple means, safe and economical to protect blobs.

Azure Site Recovery

Enable Azure Site Recovery (ASR) when creating virtual machines

While creating new virtual machines from the Azure portal, you can now also enable the Azure Site Recovery replication process. This possibility is included in the virtual machine management options along with those already available, such as Monitoring, Identity, and Backup.

Migrate

Azure Migrate

New Azure Migrate releases and features

Azure Migrate is the service in Azure that includes a large portfolio of tools that you can use, through a guided experience, to address effectively the most common migration scenarios. To stay up-to-date on the latest developments in the solution, please consult the this page, that provides information about new releases and features. In particular, this month the main news is the migration of virtual machines and physical servers with operating system disks up to 4 TB, which is now supported using the migration method based on the presence of the agent.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure IaaS and Azure Stack: announcements and updates (May 2021 – Weeks: 19 and 20)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Storage

Zone redundant storage (ZRS) option for Azure managed disks (preview)

Zone redundant storage (ZRS) option for Azure managed disks is now available on Premium SSDs and Standard SSDs in public preview in: West Europe, North Europe, West US 2 and France Central regions. Disks with ZRS provide synchronous replication of data across the zones in a region, enabling disks to tolerate zonal failures which may occur due to natural disasters or hardware issues. Disks with ZRS maintain three consistent copies of the data in distinct Availability Zones in a region, making them tolerant to outages. They also allow you to maximize your virtual machine availability without the need for application-level replication of data across zones, which is not supported by many legacy applications such as old versions of SQL or industry-specific proprietary software. This means that, if a virtual machine becomes unavailable in an affected Zone, you can continue to work with the disk by mounting it to a virtual machine in a different zone. You can also use the ZRS option with shared disks to provide improved availability for clustered or distributed applications like SQL FCI, SAP ASCS/SCS or GFS2.

Lower pricing for provisioned throughput on Azure Ultra Disks

Microsoft is announcing a price reduction on provisioned throughput for Azure Ultra Disks by 65%. The new pricing is effective May 1st, 2021, and applies to all the regions where Ultra Disks are available. Azure Ultra Disks offer high throughput, high IOPS, and consistent low latency disk storage for Azure Virtual Machines (VMs).

Azure NetApp Files: Application Consistent Snapshot tool (AzAcSnap)

The Azure Application Consistent Snapshot tool (AzAcSnap) is a command-line tool enables you to simplify data protection for third-party databases (SAP HANA) in Linux environments (for example, SUSE and RHEL). Since the January 2021 preview announcement, AzAcSnap has seen wide adoption among enterprise customers for fast backup of Azure NetApp Files volumes including multi-TB databases and scale-out scenarios for SAP HANA. Now it is available.

Azure File Sync agent v12.1

The v12.0 agent release had two bugs which are fixed in this release:

  • Agent auto-update fails to update the agent to a later version.
  • FileSyncErrorsReport.ps1 script does not provide the list of per-item errors.

If agent version 12.0 is installed on your servers, you will need to update to v12.1 using Microsoft Update or Microsoft Update Catalog (see installation instructions in KB4588751).

More information about this release:

  • This update is available for Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019 installations.
  • The agent version for this release is 12.1.0.0.
  • A restart may be required if files are in use during the installation.
  • Installation instructions are documented in KB4588751.

Networking

Virtual Network peering support for Azure Bastion

Azure Bastion and VNet peering can be used together. When VNet peering is configured, you don’t have to deploy Azure Bastion in each peered VNet. This means if you have an Azure Bastion host configured in one virtual network (VNet), it can be used to connect to VMs deployed in a peered VNet without deploying an additional Bastion host.

Azure VPN Client for macOS (preview)

Azure VPN Client for macOS, with support for native Azure AD, certificate-based, and RADIUS authentication for OpenVPN protocol is in public preview. Native Azure AD authentication support is highly desired by organizations as it enables user-based policies, conditional access, and multi-factor authentication (MFA) for P2S VPN. Native Azure AD authentication requires both Azure VPN gateway integration and the Azure VPN Client to obtain and validate Azure AD tokens. With the Azure VPN Client for macOS, customers can use user-based policies, Conditional Access, as well as Multi-factor Authentication (MFA) for their Mac devices.

Application Gateway Mutual Authentication (preview)

Azure Application Gateway now supports the ability to perform frontend mutual authentication. In addition to the client authenticating Application Gateway in a request, Application Gateway can now also authenticate the client. You can upload multiple client Certificate Authority (CA) certificate chains for Application Gateway to use for client authentication. Additionally, Application Gateway also allows you to configure listener specific SSL policies. You can choose to enable mutual authentication at a per listener level on your gateway, as well as choose to pass client authentication information to the backends through server variables. This feature enables scenarios where Application Gateway needs to authenticate the client in addition to the client authenticating Application Gateway.

Azure ExpressRoute: 5 New Peering Locations Available

New peering locations are now available for ExpressRoute:

  • Bogota
  • Madrid
  • Sao Paulo
  • Rio de Janeiro
  • Toronto2

With this announcement, ExpressRoute is now available across 75 global commercial Azure peering locations.

Azure IaaS and Azure Stack: announcements and updates (May 2021 – Weeks: 17 and 18)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Azure Hybrid Benefit for Linux with RI and VMSS Support

Azure Hybrid Benefit is available for Linux, extending the ability to easily migrate RHEL and SLES servers to Azure beyond existing pay-as-you-go instances to include support for Azure Reserved Instance (RI) and virtual machine scale set (VMSS).

While previous Bring-Your-Own-Subscription cloud migration options available to Red Hat and SUSE customers allowed them to use their pre-existing RHEL and SLES subscriptions in the cloud, Azure Hybrid Benefit for Linux improves upon this with several capabilities unique to Azure making enterprise Linux cloud migration even easier than before:

  • Applies to all Red Hat Enterprise Linux and SUSE Linux Enterprise Server pay-as-you-go images available in the Azure Marketplace or Azure Portal. No need to provide your own image.
  • Save time with seamless post-deployment conversions—production redeployment is unnecessary. Simply convert the pay-as-you-go images used during your proof-of-concept testing to bring-your-own-subscription billing.
  • Lower ongoing operational costs with automatic image maintenance, updates, and patches: Microsoft maintains the converted RHEL and SLES images for you.
  • Enjoy the convenience of unified user interface integration with the Azure CLI, providing the same UI as other Azure virtual machines, as well as scalable batch conversions.
  • Get co-located technical support from Azure, Red Hat, and SUSE with just one ticket.
  • Combine with recently announced Red Hat and SUSE support for Azure shared disks to lift-and-shift failover clusters and parallel file systems, like Global File System.
  • Fully compatible with Azure Arc, providing end-to-end hybrid cloud operations management for Windows, RHEL, and SLES servers in one solution.

New Azure VMs for general purpose and memory intensive workloads (preview)

The new Dv5, Dsv5, Ddv5, Ddsv5, and Ev5, Edv5 series Azure Virtual Machines, now in preview, are based on the 3rd Generation Intel® Xeon® Platinum 8370C (Ice Lake) processor in a hyper-threaded configuration. This custom processor can reach an all-core Turbo clock speed of up to 3.5GHz and features Intel® Turbo Boost Technology 2.0, Intel® Advanced Vector Extensions 512 (Intel® AVX-512) and Intel® Deep Learning Boost. These new offerings deliver a better value proposition for general-purpose, and memory intensive workloads compared to the prior generation (e.g., increased scalability and an upgraded CPU class) including better price to performance.

The Dv5, Dsv5, Ddv5, Ddsv5 VM sizes offer a combination of vCPUs and memory able to meet the requirements associated with most general-purpose workloads and can scale up to 96 vCPUs. The Ddv5 and Ddsv5 VM sizes feature high performance, large local SSD storage (up to 2,400 GiB). The Dv5 and Dsv5 VM series offer a lower price of entry since they do not feature any local temporary storage. If you require temporary storage select the latest Ddv5 or Ddsv5 Azure virtual machines, which are also in Preview.

The Ev5 and Edv5 VM sizes feature up to 672 GiB of RAM and are ideal for memory-intensive enterprise applications. You can attach Standard SSDs and Standard HDDs disk storage to these VMs. If you prefer to use Premium SSD or Ultra Disk storage, please select the Esv5 and Edsv5 VM series, which will be in preview in the near future. The Ev5 and Esv5 VMs offer a lower price of entry since they do not feature any local temporary storage. If you require temporary storage select the latest Edv5 VM series which are also in preview, or the Edsv5 VM series, which will be in preview in the near future.

New NPv1 virtual machines

NPv1 series virtual machines are a new addition to the Azure product offering. These instances are powered by Xilinx Alveo U250 FPGAS. These highly-programmable accelerators benefit a variety of computationally intensive workloads such as genomics, image-processing, security, data analysis and more. The NP series offering is based upon the commercially available U250 from Xilinx and uses a standard shell easing the difficulties of migrating existing FPGA workloads & solutions to the cloud. New Xilinx Alveo U250 FPGA NPv1 VMs are now generally available in West US 2, East US, West Europe, and Southeast Asia.

Microsoft acquires Kinvolk to accelerate container-optimized innovation

Microsoft is excited to bring the expertise of the Kinvolk team to Azure and having them become key contributors to the engineering development of Azure Kubernetes Service (AKS), Azure Arc, and future projects that will expand Azure’s hybrid container platform capabilities and increase Microsoft’s upstream open source contributions in the Kubernetes and container space. Microsoft is also committed to maintaining and building upon Kinvolk’s open source culture. The Kinvolk team will continue to remain active in their existing open source projects and will be essential to driving further collaboration between Azure engineering teams and the larger open source container community.

Storage

Azure Blob storage: NFS 3.0 protocol support public preview now expands to all regions

Azure Blob storage is the only public cloud storage platform that supports NFS 3.0 protocol over object storage natively (no gateway or data copying required), with object storage economics. This new level of support is optimized for high-throughput, read-heavy workloads where data will be ingested once and minimally modified further, such as large-scale analytic data, backup and archive, media processing, genomic sequencing, and line-of-business applications. Azure Blob Storage NFS 3.0 preview supports general purpose v2 (GPV2) storage accounts with standard tier performance in all publicly available regions. Further, Microsoft is enabling a set of Azure blob storage features in premium blockblob accounts with NFS 3.0 feature enabled such as blob service REST API and lifecycle management.

Attribute-based Access Control (ABAC) in preview

Attribute-based access control (ABAC) is an authorization strategy that defines access levels based on attributes associated with security principals, resources, requests, and the environment. Azure ABAC builds on role-based access control (RBAC) by adding conditions to Azure role assignments in the existing identity and access management (IAM) system. This preview includes support for role assignment conditions on Blobs and ADLS Gen2, and enables you to author conditions based on resource and request attributes.

Prevent Shared Key authorization for an Azure Storage account

Every secure request to an Azure Storage account must be authorized. By default, requests can be authorized with either Azure Active Directory (Azure AD) credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Azure AD provides superior security and ease of use over Shared Key and is recommended by Microsoft. To require clients to use Azure AD to authorize requests, you can disallow requests to the storage account that are authorized with Shared Key. Microsoft is announcing the general availability of the ability to disable Shared Key authorization for Azure Storage.

Append blob support in Azure Data Lake Storage

Append blobs provide a simple and effective way of adding new content to the end of a file or blob when the existing content does not need to be modified. This makes append blobs great for applications such as logging that need to add information to existing files efficiently and continuously. Until now, only block blobs were supported in Azure Data Lake Storage accounts. Applications can now also create append blobs in these accounts and write to them using Append Block operations. These append blobs can be read using existing Blob APIs and Azure Data Lake Storage APIs.

Networking

Multiple features for Azure VPN Gateway

The following features for Azure VPN Gateway are general available:

  • Multiple authentication types for point-to-site VPN – You can now enable multiple authentication types on a single gateway for OpenVPN tunnel type. Azure AD, certificate-based and RADIUS can all be enabled on a single gateway.
  • BGP diagnostics – You can now see the Border Gateway Protocol session status, route advertised and routes learnt by the VPN Gateway.
  • VPN packet capture in Azure portal – Support for packet capture on the VPN Gateway is now availbe in the Azure portal.
  • VPN connection management – With new enhancements in VPN connection management capabilities, you can now reset an individual connection instead of resseting the whole gateway. You can also set the Internet Key Exchange (IKE) mode of the gateway to responder-only, initiator-only or both and view the Security Association (SA) of a connection.

Azure Management services: What's New in April 2021

Microsoft is constantly announcing news regarding Azure management services. This summary, released on a monthly basis, allows you to have an overall overview of the main news of the current month, in order to stay up to date on these news and have the necessary references to conduct further study.

The following diagram shows the different areas related to management, which are covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.

Figure 1 – Management services in Azure overview

Monitor

Azure Monitor

New agent version for Windows Systems

A new version of the Log Analytics agent has been released this month for Window systemss. The new version includes a new tool for troubleshooting and handles changes to certificates in Azure services differently.

The uniqueness of the name of the Log Analytics workspaces is now per resource group

In the past, the uniqueness of the Azure Monitor Log Analytics workspace was globally for all subscriptions. This meant that when a workspace name was used by a customer, it could not be reused by others. Microsoft has changed the way in which the uniqueness of the workspace name is requested and is now managed in the context of the resource group.

New definitions built-in of the Azure Policy for data encryption in Azure Monitor

Azure Monitor provides built-in policies for data encryption governance and control over the key used for encryption at rest. Here are the new built-in policies available for data encryption:

  • Azure Monitor logs clusters should be encrypted with customer-managed key – Audit if log analytics cluster is defined with customer-managed key.
  • Azure Monitor logs clusters should be created with infrastructure-encryption enabled (double encryption) – Audit log analytics cluster is created with Infrastructure enabled.
  • Azure Monitor logs for application insights should be linked to a log analytics workspace – Audit if application insights is linked to store data in log analytics workspace. Workspace can then be linked to a log analytics cluster for customer-managed key settings.
  • Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption – Audit if workspace has linked storage account, which allows the encryption using customer-managed key.
  • Log alert queries in Azure Monitor will be saved in customer storage account, if workspace has linked storage account, which allows the encryption using customer-managed key.

Improvements for Log Alerts

Log Alerts are available in Azure Monitor that allow users to use a Log Analytics query to evaluate the resources logs at a set frequency and activate an alert based on the results obtained. Rules can trigger one or more actions using Action Groups. In this context, two new highly requested features have been released (in preview):

  • Stateful Log Alert: with this feature enabled, activated alerts are automatically resolved once the condition is no longer satisfied. In this way, the same behavior is adopted as in the alerts related to metrics.
  • Frequency of 1 minute: with this feature enabled, the alert query is evaluated every minute to verify the specified condition, thus reducing the overall time for activating a Log Alert.

Availability in new regions

Azure Monitor Log Analytics is also available in the region South India.

To check the availability of the service in all the Azure regions you can consult this document.

Container insights: support for the monitor of Kubernetes Azure Arc enabled environment (preview)

Containers insights in Azure Monitor has extended its monitor capabilities to Azure Arc Kubernetes clusters as well, providing the same monitoring capabilities present for the Azure Kubernetes service (AKS), which:

  • Visibility on the performance of the environment, through the memory and processor metrics for the controllers, nodes and containers.
  • View information collected through workbooks and in the Azure portal.
  • Alert and possibility of querying historical data for problem solving.
  • Ability to verify Prometheus metrics.

Configure

Azure Automation

Availability in new regions

Azure Automation is also available in the region South India.

Support for System Assigned Managed Identities for cloud and Hybrid job (public preview)

Azure Automation has introduced support for System Assigned Managed Identities for cloud and Hybrid jobs. Among the advantages of using Managed Identities we find:

  • The ability to authenticate to any Azure service that supports Azure AD authentication.
  • Elimination of the management overhead associated with managing Run As accounts in runbook code. This makes it possible to access resources via the Managed Identity of an Automation account from a runbook, without having to worry about creating RunAsCertificate, RunAsConnection, etc.
  • It is not necessary to renew the certificate used by the Automation Run As account.

Govern

Azure Cost Management

Updates related toAzure Cost Management and Billing

Microsoft is constantly looking for new methodologies to improve Azure Cost Management and Billing, the solution to provide greater visibility into where costs are accumulating in the cloud, identify and prevent erroneous spending patterns and optimize costs . Inthis article some of the latest improvements and updates regarding this solution are reported, including:

Secure

Azure Security Center

New features, bug fixes and deprecated features of Azure Security Center

Azure Security Center development is constantly evolving and improvements are being made on an ongoing basis. To stay up to date on the latest developments, Microsoft updates this page, this provides information about new features, bug fixes and deprecated features. In particular, this month the main news concern:

Protect

Azure Backup

Azure Dedicated Host protection support

Azure Backup has introduced support for the backup and recovery of virtual machines residing on Azure Dedicated Host, physical servers dedicated to your organization whose capacity is not shared with other customers. This feature is available in all Azure regions where Azure Dedicated Host can be activated.

Azure VM Scale sets protection with orchestration templates (preview)

Azure Backup now allows you to backup and restore Azure VM Scale sets with orchestration models, which provide a logical grouping of virtual machines managed by the platform.

Improvements in encryption using customer managed keys (preview)

Azure Backup now allows you to use your own keys to encrypt backup data residing in the Recovery Services vaults. This new feature allows you to increase the control of the encryption of your data. Furthermore, you can use the Azure Policy to control and apply encryption using keys managed directly by the customer.

Azure Site Recovery

Support for Azure Policy (preview)

The ability to use Azure Policy is now provided to enable large-scale use of Azure Site Recovery for virtual machines. After creating a disaster recovery policy for a resource group, all new virtual machines that will be added to this resource group will have Site Recovery enabled automatically. Furthermore, through a Remediation process, Site Recovery can also be enabled for all virtual machines already present in the Resource Group.

Support for cross-continental disaster recovery (for 3 region pairs)

Azure Site Recovery introduced support for cross-continental disaster recovery. Thanks to this feature, a virtual machine can be replicated from an Azure region in one continent to a region in another continent. In the event of a planned or unplanned outage, you will be able to fail over the virtual machine on all continents and, once the interruption has been mitigated, it can be brought back to the continent of origin (fail-back) and protected. This feature is currently available for the following 3 pairs of intercontinental regions:

  • Southeast Asia and Australia East
  • Southeast Asia and Australia Southeast
  • West Europe and South Central US

Support of “proximity placement groups” in hybrid and cloud disaster recovery scenarios

Azure Site Recovery introduced support for “proximity placement groups (PPG)” in hybrid and cloud disaster recovery scenarios. With this support it will be possible to replicate an on-premises physical or virtual machine or an Azure virtual machine within a PPG, in the chosen Azure target area. Upon activation of the failover plan, Site Recovery will activate the failover VM within the target PPG selected by the user. This functionality is available both through the Azure portal and through PowerShell and REST API, across all Azure regions.

Migrate

Azure Migrate

New Azure Migrate releases and features

Azure Migrate is the service in Azure that includes a large portfolio of tools that you can use, through a guided experience, to address effectively the most common migration scenarios. To stay up-to-date on the latest developments in the solution, please consult the this page, that provides information about new releases and features. In particular, this new release was released this month:

  • The tools Azure Migrate: Discovery and Assessment and Azure Migrate: Server Migration can be used by connecting privately and securely to the Azure Migrate service via ExpressRoute or via a site-to-site VPN, using Azure private links. This connectivity method is recommended to use when there is an organizational requirement to access the Azure Migrate service and other Azure resources without crossing public networks or if you want to get better results in terms of bandwidth or latency.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure IaaS and Azure Stack: announcements and updates (April 2021 – Weeks: 15 and 16)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

New M-series Msv2/Mdsv2 Medium Memory VMs for memory-optimized workloads

Azure Msv2/Mdsv2 Medium Memory Series offering up to 192vCPU and 4TB memory configurations and running on Cascade Lake processor are now generally available. Msv2/Mdsv2 medium memory VM sizes providing a 20% increase in CPU performance, increased flexibility with local disks, and a new intermediate scale up-option. These virtual machines provide unparalleled computational performance to support large in-memory databases and workloads such as SAP HANA and SQL Hekaton.

Azure Virtual Machines DCsv2-series in Azure Government (public preview)

Azure Government customers can build secure, enclave-based applications to protect code and data while it’s in use, in a dedicated cloud that meets stringent government security and compliance requirements. Confidential computing DCsv2-series virtual machines are now in preview for Azure Government customers (federal, state, local governments, and their partners) in US Government Virginia and Arizona regions. These VMs are backed by Intel XEON E-2288G processors with Intel Software Guard Extensions (SGX) technology.

Microsoft announces plans to establish first datacenter region in Malaysia

The new datacenter region is part of the “Bersama Malaysia” initiative to support inclusive economic growth in Malaysia.

Storage

Azure Blob storage supports objects up to 200 TB in size

Workloads that utilize larger file sizes such as backups, media, and seismic analysis can now utilize Azure Blob storage and ADLS Gen2 without breaking these large files into separate blobs. Each blob is made up of up to 50,000 blocks. Each block can now be 4GB in size for a total of 200 TB per blob or ADLS Gen2 file.

Lustre HSM tools to import from or export to Azure Storage

Lustre HSM (Hierarchical Storage Management) provides the capability to associate a Lustre file system with an external storage system and migrate file data between them.

Now available are the File System Hydrator and Copy Tool, which enables integrating a Lustre file system with an Azure storage account:

  • The File System Hydrator is used to import a file system namespace from an Azure storage account into a Lustre file system with the imported files left in the ‘released’/’exist’ state.
  • The Copy Tool is used to hydrate the content of the files in the storage account into the Lustre file system on-demand. The copy tool can also be used to archive content of files back into the storage account, including changed or added files.

Networking

Application Gateway URL Rewrite

Azure Application Gateway now supports the ability to rewrite host name, path and query string of the request URL. In addition to header rewrites, you can now also rewrite URL of all or some of the client requests based on matching one or more conditions as required. You can choose to route the request based on the original URL or the rewritten URL. This feature enables several important scenarios such as allowing path based routing for query string values and support for hosting friendly URLs.

Azure IaaS and Azure Stack: announcements and updates (April 2021 – Weeks: 13 and 14)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Virtual machine (VM) level disk bursting available on all Dsv3 and Esv3 families

Virtual machine level disk bursting allows your virtual machine to burst its disk IO and MiB/s throughput performance for a short time daily. This feature is now enabled on all our Dsv3-series and Esv3-series virtual machines, with more virtual machine types and families support soon to come. There is no additional cost associated with this new capability or adjustments on the VM pricing and it comes enabled by default.

Cloud Services (extended support) is generally available

Cloud Services (extended support), which is a new Azure Resource Manager (ARM)-based deployment model for Azure Cloud Services, is generally available. Cloud Services (extended support) has the primary benefit of providing regional resiliency along with feature parity with Azure Cloud Services deployed using Azure Service Manager (ASM). It also offers some ARM capabilities such as role-based access and control (RBAC), tags, policy, private link support, and use of deployment templates. The ASM-based deployment model for Cloud Services has been renamed Cloud Services (classic). Customers retain the ability to build and rapidly deploy web and cloud applications and services. Customers will be able to scale cloud services infrastructure based on current demand and ensure that the performance of applications can keep up while simultaneously reducing costs. The platform-supported tool for migrating existing cloud services to Cloud Services (extended support) also goes into preview. Migrating to ARM will allow customers to set up a robust infrastructure platform for their applications. 

Storage

Azure File Sync agent v12 

Improvements and issues that are fixed in the v12 release:

  • New portal experience to configure network access policy and private endpoint connections
    • You can now use the portal to disable access to the Storage Sync Service public endpoint and to approve, reject and remove private endpoint connections. To configure the network access policy and private endpoint connections, open the Storage Sync Service portal, go to the Settings section and click Network.
  • Cloud Tiering support for volume cluster sizes larger than 64KiB
  • Measure bandwidth and latency to Azure File Sync service and storage account
    • The Test-StorageSyncNetworkConnectivity cmdlet can now be used to measure latency and bandwidth to the Azure File Sync service and storage account. Latency to the Azure File Sync service and storage account is measured by default when running the cmdlet. Upload and download bandwidth to the storage account is measured when using the “-MeasureBandwidth” parameter. To learn more, see the release notes.
  • Improved error messages in the portal when server endpoint creation fails
    • We heard your feedback and have improved the error messages and guidance when server endpoint creation fails.
  • Miscellaneous performance and reliability improvements
    • Improved change detection performance to detect files that have changed in the Azure file share.
    • Performance improvements for reconciliation sync sessions.
    • Sync improvements to reduce ECS_E_SYNC_METADATA_KNOWLEDGE_SOFT_LIMIT_REACHED and ECS_E_SYNC_METADATA_KNOWLEDGE_LIMIT_REACHED errors.
    • Files may fail to tier on Server 2019 if Data Deduplication is enabled on the volume.
    • AFSDiag fails to compress files if a file is larger than 2GiB.

To obtain and install this update, configure your Azure File Sync agent to automatically update when a new version becomes available or manually download the update from the Microsoft Update Catalog.

More information about this release:

  • This release is available for Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019 installations.
  • A restart is required for servers that have an existing Azure File Sync agent installation.
  • The agent version for this release is 12.0.0.0.
  • Installation instructions are documented in KB4568585.

Encryption scopes in Azure Storage

Encryption scopes introduce the option to provision multiple encryption keys in a storage account for blobs. Previously, customers using a single storage account for multi-tenancy scenarios were limited to using a single account-scoped encryption key for all the data in the account. With encryption scopes, you now can provision multiple encryption keys and choose to apply the encryption scope either at the container level (as the default scope for blobs in that container) or at the blob level. 

Azure Data Explorer external tables

An external table is a schema entity that references data stored outside the Azure Data Explorer database. Azure Data Explorer Web UI can create external tables by taking sample files from a storage container and creating schema based on these samples. You can then analyze and query data in external tables without ingestion into Azure Data Explorer.

Azure Governance: how to control system configurations in hybrid and multicloud environments

There are several companies that are investing in hybrid and multicloud technologies to achieve high flexibility, that enables you to innovate and meet changing business needs. In these scenarios, customers face the challenge of using IT resources efficiently, in order to best achieve your business goals, implementing a structured IT governance process. This can be achieved more easily if you have solutions that, in a centralized way, allow you to inventory, organize and enforce control policies on your IT resources wherever you are. Azure Arc solution involves different technologies with the aim of supporting hybrid and multicloud scenarios, where Azure services and management principles are extended to any infrastructure. In this article we will explore how, thanks to the adoption of the Azure Guest Configuration Policy it is possible to control the configurations of systems running in Azure, in on-premises datacenters or other cloud providers.

The principle behind Azure Arc

The principle behind Azure Arc is to extend Azure management and governance practices to different environments and to adopt typically cloud solutions, as DevOps techniques (infrastructure as code), also for on-premises and multicloud environments.

Figure 1 – Azure Arc overview

Enabling systems to Azure Arc

Enabling Azure Arc servers allows you to manage physical servers and virtual machines residing outside Azure, on the on-premises corporate network or at another cloud provider. This applies to both Windows and Linux systems. This management experience is designed to provide consistency with Azure native virtual machine management methodologies. In fact, connecting a machine to Azure through Arc is considered in all respects as an Azure resource. Each connected machine has a specific ID, is included in a resource group and benefits from standard Azure constructs such as Azure Policies and tagging.

To offer this experience, the installation of the specific Azure Arc agent is required on each machine that is planned to connect to Azure ("Azure Connected Machine"). The following operating systems are currently supported:

  • Windows Server 2008 R2, Windows Server 2012 R2 or higher (this includes core servers)
  • Ubuntu 16.04 and 18.04 LTS (x64)
  • CentOS Linux 7 (x64)
  • SUSE Linux Enterprise Server (SLES) 15 (x64)
  • Red Hat Enterprise Linux (RHEL) 7 (x64)
  • Amazon Linux 2 (x64)
  • Oracle Linux 7

The Azure Arc Connected Machine agent consists of the following logical components:

  • TheHybrid Instance Metadata service (HIMDS) that manages the connection to Azure and the Azure identity of the connected machine.
  • The Guest Configuration agent that provides in-guest policy and guest configuration features.
  • TheExtension Manager agent that manages installation processes, uninstalling and updating machine extensions.

Figure 2 – Azure Arc Agent Components

The Connected Machine agent requires secure outbound communication to Azure Arc on TCP port 443.

This agent provides no other features and does not replace the Azure Log Analytics agent, which remains necessary when you want to proactively monitor the operating system and workloads running on the machine.

For more information about installing Azure Arc, see this Microsoft Official Document.

Azure Arc-enabled servers can benefit from several Azure Resource Manager-related features such as Tags, Policies and RBAC, as well as some features related to Azure Management.

Figure 3 – Azure Management for all IT resources

Guest Configuration Policy di Azure

Guest Configuration Policies allow you to control settings within a machine, both for virtual machines running in Azure environment and for "Arc Connected" machines. Validation is performed by the client and by the Guest Configuration extension as regards:

  • Operating system configuration
  • Configuration or presence of applications
  • Environment settings

At the moment, most of the Azure Guest Configuration Policies only allow you to make checks on the settings inside the machine, but they don't apply configurations. The exception is a built-in time zone configuration policy operating system for Windows machines.

Requirements

Before you can check the settings inside a machine, through guest configuration policies, you must:

  • Enable a’extension on the Azure VM, required to download assigned policy assignments and corresponding configurations. This extension is not required for "Arc Connected" machines as it is included in the Arc agent.
  • Make sure that the machine has a system-managed identity, used for the authentication process when reading and writing to the guest configuration service.

Operation

Azure provides built-in specification platform Initiatives and a large number of Guest Configuration Policy, but you can also create custom one both in Windows environment, both in Linux environment.

Guest Configuration policy assignment works the same way as standard Azure Policies, so you can group them into initiative. Specific parameters can also be configured for Guest Configuration Policies and there is at least one parameter that allows you to include Azure Arc-enabled servers. When you have the desired policy definition, it is possible to assign it to a subscription and possibly in a more limited way to a specific Resource Group. You also have the option of excluding certain resources from the application of the policy.

Following the assignment, it is possible to assess the compliance status in detail directly from the Azure portal.

Inside the machine, the Guest Configuration agent uses local tools to audit the configurations:

The Guest Configuration agent checks for new or modified guest policy assignments each 5 minutes and once the assignment is received the settings are checked at intervals of 15 minutes.

The Cost of the Solution

The cost of Azure Guest Configuration Policies is based on the number of servers registered to the service and which have one or more guest configurations assigned. Any other type of Azure Policy that is not based on guest configuration is offered at no additional cost, including virtual machine extensions to enable services such as Azure Monitor and Azure Security Center or auto tagging policies. The billing is distributed on an hourly basis and also includes the change tracking features present through Azure Automation. For more details on costs please visit the Microsoft's official page.

Conclusions

IT environments are constantly evolving and often have to deliver business-critical applications based on different technologies, active on heterogeneous infrastructures and which in some cases use solutions provided in different public clouds. The adoption of a structured IT governance process is easier also thanks to the Guest Configuration Policies and the potential of Azure Arc, that allow you to more easily control and support hybrid and multicloud environments.