Azure NetApp Files new regions and cross-region replication
Azure NetApp Files is now available in the following additional regions:
Korea South,
Sweden Central.
Additionally, Azure NetApp Files cross-region replication has been enabled between the following regions:
Korea Central and Korea South,
North Central US and East US 2,
France Central and West Europe.
Networking
ExpressRoute FastPath support for VNet peering and UDRs
FastPath now supports virtual network peering and user defined routing (UDR). FastPath will send traffic directly to any VM deployed in a spoke virtual network peered to the virtual network where the ExpressRoute virtual network gateway is deployed. Additionally, FastPath will now honor UDRs configured on the GatewaySubnet and send traffic directly to an Azure Firewall or third-party Network Virtual Appliance (NVA).
Azure Firewall Basic (preview)
Azure Firewall Basic is a new SKU for Azure Firewall designed for small and medium-sized businesses.
Seamless integration with other Azure security services
Simple setup and easy-to-use:
Setup in just a few minutes
Automate deployment (deploy as code)
Zero maintenance with automatic updates
Central management via Azure Firewall Manager
Cost-effective:
Designed to deliver essential, cost-effective protection of your resources within your virtual network
Policy analytics for Azure Firewall (preview)
Policy analytics for Azure Firewall, now in public preview, provides enhanced visibility into traffic flowing through Azure Firewall, enabling the optimization of your firewall configuration without impacting your application performance.
Azure Basic Load Balancer will be retired
On 30 September 2025, Azure Basic Load Balancer will be retired. You can continue to use your existing Basic Load Balancers until then, but you’ll no longer be able to deploy new ones after 31 March 2025.
To keep your workloads appropriately distributed, you’ll need to upgrade to Standard Load Balancer, which provides significant improvements including:
High performance, ultra-low latency, and superior resilient load-balancing.
Security by default: closed to inbound flows unless allowed by a network security group.
Diagnostics such as multi-dimensional metrics and alerts, resource health, and monitoring.
SLA of 99.99 percent availability.
Basic SKU public IP addresses will be retired
On 30 September 2025, Basic SKU public IP addresses will be retired in Azure. You can continue to use your existing Basic SKU public IP addresses until then; however, you’ll no longer be able to create new ones after 31 March 2025.
Standard SKU public IP addresses offer significant improvements, including:
Access to a variety of other Azure products, including Standard Load Balancer, Azure Firewall, and NAT Gateway.
Security by default—closed to inbound flows unless allowed by a network security group.
Zone-redundant and zonal front ends for inbound and outbound traffic.
In September Microsoft made several announcements regarding Azure management services. This article lists the main ones, along with the references needed for further study.
The following diagram shows the different areas related to management, which are covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.
Monitor
Azure Monitor
Monitoring for Arm-based VMs and AKS clusters
Azure Monitor introduced support for Ampere Altra Arm-based Azure virtual machines and for Azure Kubernetes Service clusters made up of Arm nodes.
Update required for MMA using SSL v1
Starting November 1st 2022, Azure will no longer accept connections from previous versions of the Operations Manager agent, also known as the Microsoft Monitoring Agent (MMA), using SSL V1. If the Operations Manager agent is configured to send data to Log Analytics, the agent must be updated to the latest version by that date.
Expected retirement of ITSM connector for ServiceNow
Microsoft announced that on 30 September 2025 the Azure Monitor ITSM connector for creating alerts in ServiceNow will be retired. Those who use this integration will be able to create incidents or events using the appropriate Secure Webhook.
Govern
Azure Policy
Built-in Azure Policy definitions for Azure NetApp Files
Microsoft has introduced built-in policies related to Azure NetApp Files to allow administrators to restrict the creation of unprotected NFS volumes and to more easily control existing volumes.
Azure Cost Management
Updates related to Microsoft Cost Management
Microsoft is constantly looking for new ways to improve Microsoft Cost Management, the solution that provides greater visibility into where costs are accumulating in the cloud, helps identify and prevent incorrect spending patterns, and optimizes costs. This article reports some of the latest improvements and updates to this solution, including:
Ability to monitor budgets from the Azure app for mobile devices.
Ability to obtain detailed information on possible savings directly from cost analysis (preview).
Secure
Microsoft Defender for Cloud
New features, bug fixes and deprecated features of Microsoft Defender for Cloud
Microsoft Defender for Cloud is constantly evolving and improvements are made on an ongoing basis. To help you stay up to date on the latest developments, Microsoft updates this page, which provides information about new features, bug fixes and deprecated features. In particular, this month the main news concerns:
Defender for Servers support for File Integrity Monitoring functionality using the Azure Monitor Agent.
The addition of identity recommendations.
Protect
Azure Backup
Reserved capacity for Azure Backup Storage
To optimize costs, it is possible to purchase Azure Backup Storage capacity in reserved capacity mode. The reservation will automatically apply to the selected Backup Storage and will be available on an annual basis with a discount of up to 16% or on a three-year basis with a discount of 24%.
Alert in Azure Monitor
Thanks to this integration between Azure Monitor and Azure Backup it is possible to generate alerts for critical events related to the security of backups and in case of errors in the protection of resources. To monitor these alerts, you can use the Azure Monitor dashboard or the Backup center. Thanks to this integration it is also possible to route these alerts to different notification channels.
Migrate
Azure Migrate
New Azure Migrate releases and features
Azure Migrate is the Azure service that includes a large portfolio of tools that you can use, through a guided experience, to effectively address the most common migration scenarios. To stay up to date on the latest developments in the solution, please consult this page, which provides information about new releases and features. In particular, this month the main news concerns:
Support for pausing and resuming in-progress VM replications, without having to perform a full replication again.
Advanced notifications regarding migration completion status and migration testing.
Detection of Java web apps on Apache Tomcat running on Linux servers hosted in VMware environments.
For ASP.NET web apps, the option to carry out advanced data collection, including detection of database connection strings, directories and authentication mechanisms.
Evaluation of Azure
To test for free and evaluate the services provided by Azure you can access this page.
Low disk space mode to prevent running out of disk space when using cloud tiering. Low disk space mode is designed to handle volumes with low free space more effectively. On a server endpoint with cloud tiering enabled, if the free space on the volume reaches below a threshold, Azure File Sync considers the volume to be in Low disk space mode. In this mode, files are tiered to the Azure file share more proactively and tiered files accessed by the user will not be persisted to the disk. To learn more, see the low disk space mode section in the Cloud tiering overview documentation.
Fixed a cloud tiering issue that caused high CPU usage after v15.0 agent is installed.
Miscellaneous reliability and telemetry improvements.
To obtain and install this update, configure your Azure File Sync agent to automatically update when a new version becomes available or manually download the update from the Microsoft Update Catalog.
More information about this release:
This release is available for Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 and Windows Server 2022 installations.
The agent version for this release is 15.1.0.0.
Installation instructions are documented in KB5003883.
Standard network features for Azure NetApp Files
Standard network features for Azure NetApp Files volumes are available. Standard network features provide you with an enhanced and consistent virtual networking experience, along with an improved security posture for Azure NetApp Files.
You are now able to choose between standard or basic network features while creating a new Azure NetApp Files volume:
Basic provides the current functionality, with limited scale and features.
Standard provides the following new features for Azure NetApp Files volumes or delegated subnets:
– Increased IP limits for VNets with Azure NetApp Files volumes. This is on par with VMs, so you can provision Azure NetApp Files volumes in your existing topologies or architectures. This eliminates the need to rearchitect network topologies to use Azure NetApp Files for workloads like VDI, AVD, or AKS.
– Enhanced network security with support for network security groups (NSG) on the Azure NetApp Files delegated subnet.
– Enhanced network control with support for user-defined routes (UDR) to and from Azure NetApp Files delegated subnets. You can now direct traffic to and from Azure NetApp Files via your choice of network virtual appliances for traffic inspection.
– Connectivity over an active/active VPN gateway setup for highly available connectivity to Azure NetApp Files from an on-premises network.
– ExpressRoute FastPath connectivity to Azure NetApp Files. FastPath improves the data path performance between the on-premises network and the Azure Virtual Network.
Immutable storage for Azure Data Lake Storage
Immutable storage for Azure Data Lake Storage is now generally available. Immutable storage provides the capability to store data in a write once, read many (WORM) state. Once data is written, the data becomes non-erasable and non-modifiable and you can set a retention period so that files can’t be deleted until after that period has elapsed. Additionally, legal holds can be placed on data to make that data non-erasable and non-modifiable until the hold is removed.
Improved Append Capability on Immutable Storage for Blob Storage
Immutable storage for Blob Storage on containers (which has been generally available since September 2018) now includes a new append capability. This capability, titled “Allow Protected Appends for Block and Append Blobs”, allows you to set up immutable policies for block and append blobs to keep already written data in a WORM state and continue to add new data. This capability is available for both legal holds and time-based retention policies.
Encrypt managed disks with cross-tenant customer-managed keys
Many service providers building Software as a Service (SaaS) offerings on Azure want to give their customers the option of managing their own encryption keys. Customers of service providers can now use cross-tenant customer-managed keys to manage encryption keys in their own Azure AD tenant and subscription using Azure Key Vault. As a result, they will have complete control of their customer-managed keys and their data.
Azure Dedicated Host support for Ultra Disk Storage
Virtual machines (VMs) running on Azure Dedicated Host support the use of standard and premium disks as data disks, and now also support ultra disks on dedicated hosts.
Azure unmanaged disks will be retired on 30 September 2025
Azure Managed Disks now have full capabilities of unmanaged disks and other advancements. Microsoft will begin deprecating unmanaged disks on September 30, 2022, and this functionality will be completely retired on September 30, 2025.
Encryption scopes on hierarchical namespace enabled storage accounts (preview)
Encryption scopes introduce the option to provision multiple encryption keys in a storage account with hierarchical namespace. Using encryption scopes, you now can provision multiple encryption keys and choose to apply the encryption scope either at the container level (as the default scope for blobs in that container) or at the blob level. The preview is available for REST, HDFS, NFSv3, and SFTP protocols in an Azure Blob / Data Lake Gen2 storage account. The key that protects an encryption scope may be either a Microsoft-managed key or a customer-managed key in Azure Key Vault. You can choose to enable automatic rotation of a customer-managed key that protects an encryption scope. When you generate a new version of the key in your Key Vault, Azure Storage will automatically update the version of the key that is protecting the encryption scope, within a day.
The self-service option to convert storage accounts from non-zonal redundancy (LRS/GRS) to zonal redundancy (ZRS/GZRS) is available. This allows you to initiate the conversion of storage accounts via the Azure portal without the necessity of creating a support ticket.
Networking
Resizing of peered virtual networks
Updating the address space for peered virtual networks is now generally available. This feature allows you to update the address space of, or resize, a peered virtual network without removing the peering.
Improvements to Azure Web Application Firewall (WAF) custom rules
There are two improvements for WAF custom rules: Azure regional Web Application Firewall (WAF) with Application Gateway now supports creating custom rules using the operators “Any” and “GreaterThanOrEqual”. Custom rules allow you to create your own rules to customize how each request is evaluated as it passes through the WAF engine.
Azure global Web Application Firewall (WAF) with Azure Front Door now supports custom geo-match filtering rules using socket addresses. Filtering by socket address allows you to restrict access to your web application by country/region using the source IP that the WAF sees.
For most companies, continuously delivering artificial intelligence solutions and integrating them into their own applications and business workflows is a particularly complex undertaking. In the rapidly evolving artificial intelligence landscape, machine learning (ML) plays a fundamental role together with "data science". Therefore, to increase the chances of success of artificial intelligence projects, organizations must have modern and efficient IT architectures for machine learning. This article describes how these architectures can be built anywhere thanks to the integration between Kubernetes, Azure Arc and Azure Machine Learning.
Azure Machine Learning
Azure Machine Learning (AzureML) is a cloud service that you can use to accelerate and manage the life cycle of machine learning projects, bringing ML models into a secure and reliable production environment.
Kubernetes as a compute target for Azure Machine Learning
Azure Machine Learning recently introduced a new compute target: AzureML Kubernetes compute. It is now possible to use an existing Azure Kubernetes Service (AKS) cluster or an Azure Arc-enabled Kubernetes cluster as a compute target for Azure Machine Learning and use it to validate and deploy ML models.
Figure 1 - Overview on how to take Azure ML anywhere thanks to K8s and Azure Arc
AzureML Kubernetes compute supports two types of Kubernetes clusters:
AKS cluster (in the Azure environment). Using a managed Azure Kubernetes Service (AKS) cluster, you get an environment that is flexible, secure and capable of meeting compliance requirements for ML workloads.
Arc-enabled Kubernetes cluster (in environments other than Azure). Thanks to Azure Arc-enabled Kubernetes it is possible to manage Kubernetes clusters running in environments other than Azure (on-premises or on other clouds) and use them to deploy ML models.
To enable and use a Kubernetes cluster to run AzureML workloads you need to follow the following steps:
Activate and configure an AKS cluster or an Arc-enabled Kubernetes cluster. Note that AKS can also be activated in an Azure Stack HCI environment.
Deploy the AzureML extension on the cluster.
Connect the Kubernetes cluster to the Azure ML workspace.
Use the Kubernetes compute target from CLI v2, SDK v2 and the Studio UI.
Figure 2 - Steps to enable and use a K8s cluster for AzureML workloads
Infrastructure management for ML workloads can be complex and Microsoft recommends that it be done by the IT-operations team, so that the data science team can focus on the efficiency of the ML models. In light of this consideration, the division of roles can be as follows:
The IT-operations team is responsible for the first three steps above. Furthermore, it typically performs the following activities for the data science team:
Make configurations of aspects related to networking and security
Create and manage instance types for different ML workload scenarios in order to achieve efficient use of compute resources.
Troubleshoot workloads on the Kubernetes clusters.
The data science team, once the IT-operations team has completed the activation activities, can find the list of compute targets and instance types available in the AzureML workspace. These compute resources can be used for training or inference workloads. The team chooses the compute target using tools such as AzureML CLI v2, Python SDK v2 or the Studio UI.
Usage scenarios
The ability to use Kubernetes as a compute target for Azure Machine Learning, combined with the potential of Azure Arc, allows you to create, train and deploy ML models in any on-premises infrastructure or on different clouds.
This opens up several new usage scenarios that were previously unthinkable using only the cloud environment. The following table provides a summary of the usage scenarios made possible by Azure ML Kubernetes compute, specifying where the data resides, the motivation that drives each usage model and how it is implemented at the infrastructure and Azure ML level.
Table 1 - New usage scenarios made possible by Azure ML Kubernetes compute
Conclusions
Gartner expects that by 2025, due to the rapid spread of AI initiatives, 70% of organizations will have operationalized IT architectures for artificial intelligence. Microsoft, thanks to the integration between different solutions, offers a range of options for building flexible and cutting-edge architectures for machine learning, an integral part of artificial intelligence.
Azure Virtual Machines with Ampere Altra Arm–based processors
Microsoft is announcing the general availability of the latest Azure Virtual Machines featuring the Ampere Altra Arm–based processor. The new virtual machines will be generally available on September 1, and customers can now launch them in 10 Azure regions and multiple availability zones around the world. In addition, the Arm-based virtual machines can be included in Kubernetes clusters managed using Azure Kubernetes Service (AKS). This ability has been in preview and will be generally available over the coming weeks in all the regions that offer the new virtual machines.
Storage
Prevent a lifecycle management policy from archiving recently rehydrated blobs
Azure Storage lifecycle management offers a rule-based policy that you can use to transition blob data to the appropriate access tiers or to expire data at the end of the data lifecycle. You can configure rules to move a blob to archive tier based on last modified condition. If you rehydrate a blob by changing its tier, this rule may move the blob back to the archive tier. This can happen if the last modified time is beyond the threshold set for the policy. Now you can add a new condition, daysAfterLastTierChangeGreaterThan, in your rules, to skip the archiving action if the blobs are newly rehydrated.
Encrypt storage account with cross-tenant customer-managed keys (preview)
The ability to encrypt storage account with customer-managed keys (CMK) using an Azure Key Vault hosted on a different Azure Active Directory tenant is available in preview. You can use this solution to encrypt your customers’ data using an encryption key managed by your customers.
Ephemeral OS disks support host-based encryption using customer-managed keys
Ephemeral OS disk customers can choose between platform-managed keys and customer-managed keys for host-based encryption. The default is platform-managed keys. This feature enables customers to meet their organization’s compliance needs.
Resource instance rules for access to Azure Storage
Resource instance rules enable secure connectivity to a storage account by restricting access to specific resources of select Azure services. Azure Storage provides a layered security model that enables you to secure and control access to your storage account. You can configure network access rules to limit access to your storage account from select virtual networks or IP address ranges. Some Azure services operate on multi-tenant infrastructure, so resources of these services cannot be isolated to a specific virtual network. With resource instance rules, you can now configure your storage account to only allow access from specific resource instances of such Azure services. For example, Azure Synapse offers analytic capabilities that cannot be deployed into a virtual network. If your Synapse workspace uses such capabilities, you can configure a resource instance rule on a secured storage account to only allow traffic from that Synapse workspace. Resource instances must be in the same tenant as your storage account, but they may belong to any resource group or subscription in the tenant.
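One way to review resource instance rules before deployment, as an added example that is not part of the original article: a Python lint over a storage account's networkAcls block as it appears in an ARM template. The tenant IDs, resource IDs, account names and the approved-instance list are constructed placeholders, and the finding codes are this example's own.

```python
# Constructed identifiers used only for this example.
TENANT = "00000000-0000-0000-0000-00000000aaaa"
OTHER_TENANT = "00000000-0000-0000-0000-00000000bbbb"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
SYNAPSE_ID = (SUB + "/resourceGroups/rg-analytics/providers/"
              "Microsoft.Synapse/workspaces/ws-reporting")
FACTORY_ID = (SUB + "/resourceGroups/rg-misc/providers/"
              "Microsoft.DataFactory/factories/adf-unknown")

APPROVED = {SYNAPSE_ID.lower()}  # instances the owner has signed off on

GOOD_ACCOUNT = {
    "name": "stsecured",
    "properties": {"networkAcls": {
        "defaultAction": "Deny",
        "resourceAccessRules": [{"tenantId": TENANT, "resourceId": SYNAPSE_ID}],
    }},
}

BAD_ACCOUNT = {
    "name": "stopen",
    "properties": {"networkAcls": {
        "defaultAction": "Allow",
        "resourceAccessRules": [{"tenantId": OTHER_TENANT, "resourceId": FACTORY_ID}],
    }},
}


def lint_network_acls(account, account_tenant_id, approved_ids):
    """Return (code, detail) findings for one storage account definition."""
    findings = []
    acls = account.get("properties", {}).get("networkAcls", {})

    # Resource instance rules only restrict anything when the default is Deny;
    # a missing networkAcls block means the account accepts all networks.
    if acls.get("defaultAction", "Allow") != "Deny":
        findings.append(("DEFAULT_ALLOW",
                         "defaultAction is not Deny, so the rules do not limit access"))

    for rule in acls.get("resourceAccessRules", []):
        resource_id = rule.get("resourceId", "")
        # The article notes instances must be in the storage account's tenant.
        if rule.get("tenantId", "").lower() != account_tenant_id.lower():
            findings.append(("TENANT_MISMATCH", resource_id))
        if resource_id.lower() not in approved_ids:
            findings.append(("UNAPPROVED_INSTANCE", resource_id))
    return findings


def finding_codes(account, account_tenant_id=TENANT, approved_ids=APPROVED):
    """Convenience wrapper returning only the finding codes, in order."""
    return [code for code, _ in lint_network_acls(account, account_tenant_id, approved_ids)]


if __name__ == "__main__":
    for acct in (GOOD_ACCOUNT, BAD_ACCOUNT):
        print(acct["name"], lint_network_acls(acct, TENANT, APPROVED))
```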
Networking
ExpressRoute IPv6 Support for Global Reach
IPv6 support for Global Reach unlocks connectivity between on-premises networks, via the Microsoft backbone, for customers with dual-stack workloads. Establish Global Reach connections between ExpressRoute circuits using IPv4 subnets, IPv6 subnets, or both. This configuration can be done using Azure Portal, PowerShell, or CLI.
Azure VMware Solution (AVS) is the service designed, built and supported by Microsoft, and approved by VMware, that allows customers to easily extend VMware workloads residing in an on-premises environment to Azure, or to migrate them fully. Microsoft recently introduced a series of innovations in Azure VMware Solution that pave the way for new adoption scenarios and make it even more complete. This article reports the main aspects that have evolved and the new features recently introduced in Azure VMware Solution.
Azure VMware Solution allows you to deploy a VMware private cloud, in Software-Defined Data Center mode (SDDC), in Microsoft Azure environment.
Figure 1 – Azure VMware Solution overview
Main adoption scenarios
The adoption of Azure VMware Solution is usually contemplated to address the following scenarios:
Need to expand your datacenter
Disaster recovery and business continuity
Application Modernization
Reduction, consolidation or decommissioning of your datacenter
Benefits of the solution
The main benefits of adopting this solution include:
Ability to take advantage of investments already made in the skills and tools for managing on-premises VMware environments.
Modernization of your application workloads by adopting Azure services and without facing interruptions.
Cost-effectiveness for running Windows and SQL Server workloads. Being in effect an Azure service, Azure VMware Solution supports Azure Hybrid Benefits, which allow you to maximize the investments made in Windows Server and SQL Server licenses in an on-premises environment during migration or extension to Azure. Furthermore, customers who adopt this solution are entitled to three years of free extended security updates for Windows Server and SQL Server.
For more details about Azure VMware Solution (AVS) you can refer to this article.
Evolution and news of the solution
To further enrich the capabilities of the AVS solution and to make it even more effective, Microsoft has recently introduced the innovations reported in the following paragraphs.
Availability in 24 Azure regions
Since the launch of AVS about two years ago, Microsoft has worked to extend the availability of this solution globally, and it is now available in 24 different Azure regions, more than any other cloud service provider. To check the geographical availability of AVS you can consult this page.
Figure 2 - Presence of AVS globally
VMware vSphere 7.0
All Azure VMware Solution deployments can adopt VMware vSphere 7.0, the latest version of the suite that offers a full range of enterprise virtualization features.
Availability of Azure NetApp Files datastores
Workloads that require intensive use of storage, even in the AVS environment, can take advantage of integration with Azure NetApp Files. By adopting this solution, you can easily scale to increase storage capacity, thus overcoming the limits of the local storage instances made available by vSAN. For further details please visit Microsoft's official documentation.
JetStream DR with Azure NetApp Files datastore support
Microsoft, in order to give its customers the opportunity to make the most of the investments made in skills and technologies, has worked with some of the main partners offering disaster recovery solutions, one of which is JetStream. The adoption of JetStream to develop DR plans is interesting because Azure Blob Storage is used to keep copies of virtual machines and related data. JetStream DR is now also able to replicate and automate recovery using Azure NetApp Files datastores.
VMware Cloud Director Services
Customers who have adopted the AVS solution under a Microsoft Enterprise Agreement can purchase the VMware Cloud Director service from VMware. This allows them to connect to the AVS private cloud to create and manage private virtual data centers. Furthermore, they can take advantage of the features offered for migrating local VMware workloads to the Azure VMware Solution private cloud. For further details you can consult this documentation.
VMware vRealize Log Insight Cloud
The VMware vRealize Log Insight Cloud service is also available for AVS. This solution provides centralized log management, detailed operational visibility and the ability to carry out in-depth analysis. Thanks to this solution it is possible to increase the operational efficiency of IT departments, reduce costs resulting from unplanned downtime and provide in-depth visibility into security events.
“Public IP to NSX Edge” available in 17 Azure regions
Client applications running on AVS frequently require both outbound and inbound Internet connectivity. Thanks to this new feature, it is possible to adopt three different models to ensure incoming and outgoing Internet access to resources hosted in the Azure VMware Solution private cloud.
VMware Cloud Universal Program
Microsoft has extended its partnership with VMware by adding support for the VMware Cloud Universal program, a flexible purchasing and consumption program for the adoption of hybrid and multi-cloud strategies. This will allow customers to purchase Azure VMware Solution as part of the VMware Cloud Universal program.
Conclusions
Companies are required to adopt flexible and modern IT solutions to achieve greater stability, continuity and resilience of the main application workloads that support their core business. Azure VMware Solution has all the features needed to meet these needs, and the numerous improvements introduced, the result of joint work between Microsoft and VMware, make it more and more modern, solid and reliable.
Microsoft constantly releases news about Azure management services. By publishing this summary, we want to provide an overall overview of the main news released in the last month. This allows you to stay up-to-date on these topics and have the necessary references to conduct further investigations.
Monitor
Azure Monitor
Azure Monitor metric alerts: improvement in learning the thresholds
Azure Monitor “metric alerts” with dynamic threshold detection use advanced machine learning (ML) algorithms to learn the historical behavior of metrics and identify patterns and anomalies that indicate possible problems in services. Thanks to this new feature, prolonged interruptions are automatically recognized and removed from the trend so that they do not distort the results. In this way, much better thresholds are obtained that adapt to the data and can detect problems in services with the same sensitivity as before the interruption.
VM insights and the use of the new Azure Monitor agent (preview)
Currently, in order to use Azure Monitor VM insights you need to install the Log Analytics agent and the dependency agent on each virtual machine or virtual machine scale set to be monitored. Thanks to the release of this new feature (preview), VM insights will use the new Azure Monitor agent instead of the Log Analytics agent.
There are several features that are obtained with this preview:
Easy configuration, using the data collection rule, to collect the performance counters of VMs and specific data types.
Ability to enable and disable processes and dependency data that generate the Map view, thus obtaining a consequent cost optimization.
Improvement of security and performance resulting from the use of the Azure Monitor agent and managed identity.
Managed identity-based authentication to enable Azure Monitor container insights (preview)
Container insights now supports integration through the Azure Monitor agent for AKS clusters (Linux nodes) and for Arc-enabled clusters. This agent collects performance and event data from all cluster nodes and is automatically deployed and registered with the Log Analytics workspace. With the Azure Monitor agent, container insights also supports managed identity authentication for AKS and Arc-enabled clusters. This is a secure and simplified authentication model in which the monitor agent uses the managed identity of the cluster to send data to Azure Monitor. This new authentication mechanism replaces local authentication based on certificates and eliminates the need to add a specific role to the cluster. System-assigned identities and user-assigned identities are supported.
Availability in new regions
Azure Monitor Log Analytics is available in the following new regions:
China North 3
China East 3
To check the availability of the service in all the Azure regions you can consult this document.
Govern
Azure Policy
Policy to block the deployment of potentially vulnerable images
To protect Kubernetes clusters and their container-based workloads from potential attack attempts, it is now possible to restrict the deployment of images that contain vulnerabilities in their software components. Thanks to this feature it is possible to use Azure Policy and Azure Defender for Containers to identify vulnerabilities and apply the related patches before making deployments.
Azure Cost Management
Updates related to Microsoft Cost Management
Microsoft is constantly looking for new ways to improve Microsoft Cost Management, the solution that provides greater visibility into where costs are accumulating in the cloud, helps identify and prevent incorrect spending patterns, and optimizes costs. This article reports some of the latest improvements and updates to this solution. In particular, note the possibility of consolidating and managing various Azure Active Directory tenants from a single billing account of the Microsoft Customer Agreement (MCA).
Azure Arc
Azure Arc-enabled servers: availability in new regions
Azure Arc-enabled servers is available in the following new regions:
China East 2 (preview)
China North 2 (preview)
South Africa North
Secure
Microsoft Defender for Cloud
New features, bug fixes and deprecated features of Microsoft Defender for Cloud
Microsoft Defender for Cloud is constantly evolving, and improvements are made on an ongoing basis. To stay up to date on the latest developments, Microsoft updates this page, which provides information about new features, bug fixes and deprecated features. In particular, this month the main news concerns:
Automatic deployment of the Azure Monitor agent (preview)
Deprecated alerts regarding suspicious activity related to a Kubernetes cluster
Protect
Azure Site Recovery
New Update Rollup
Update Rollup 63 has been released for Azure Site Recovery. It solves several issues and introduces some improvements.
The main improvements introduced by this version of the ASR components are:
Support for Oracle Linux 8.6 (Linux OS) for Azure to Azure and for VMware/Physical to Azure
The ability to migrate existing replication jobs from classic to modern mode for VMware virtual machines (see next paragraph “Upgrade to adopt VMware's modern VM replication experience”)
The details and the procedure to follow for the installation can be found in the specific KB.
Upgrade to adopt VMware's modern VM replication experience
ASR now makes it possible to migrate VMware virtual machines protected by Azure Site Recovery from the classic experience to the recently introduced modern one. The classic mode replicates VMware VMs using the Configuration Server, while the modern mode uses the ASR replication appliance. The migration process to the modern mode provides:
A detection mechanism that allows you not to have to repeat the initial replication of protected systems.
The calculation of the necessary migration times, in order to have all the elements necessary for proper planning.
A robust rollback mechanism, to restore the initial situation (classic mode) if any problems arise.
Microsoft recommends adopting the modern replication mechanism because it improves security, reduces the management effort and simplifies the environment.
Migrate
Azure Migrate
New Azure Migrate releases and features
Azure Migrate is the Azure service that includes a large portfolio of tools that you can use, through a guided experience, to effectively address the most common migration scenarios. To stay up to date on the latest developments in the solution, please consult this page, which provides information about new releases and features. In particular, this month the main news concerns:
Ability to perform the discovery and assessment of SQL environments in Microsoft Hyper-V and physical / bare-metal systems, as well as on the IaaS services of other public clouds.
Evaluation of Azure
To test for free and evaluate the services provided by Azure you can access this page.
Azure VMware Solution empowers you to seamlessly extend or migrate your existing on-premises VMware workloads to Azure without the cost, effort, or risk of re-architecting applications or retooling operations. With this update Azure VMware Solution has now expanded availability to the Sweden Central Azure region.
Azure VMware Solution: public IP capability
Most customer applications running on Azure VMware Solution require internet access. These applications require both outbound and inbound internet connectivity. Azure VMware Solution Public IP is a simplified and scalable solution for running these applications. With this capability, Microsoft enables the following:
Direct inbound and outbound internet access for AVS to the NSX-T Edge.
The ability to receive up to 1000 or more Public IPs.
DDoS Security protection against network traffic in and out of the internet.
Enable support for VMware HCX (migration tool for VMware VMs) over the public internet.
UAE North Availability Zones
Availability Zones in UAE North are made up of three unique physically separated locations or “zones” within a single region to bring higher availability and asynchronous replication across Azure regions for disaster recovery protection.
Networking
Private endpoint network security group support
Private endpoint support for network security groups (NSGs) is now generally available. This feature enhancement provides you with the ability to enable advanced security controls on traffic destined to a private endpoint. In order to leverage this feature, you will need to set a specific subnet level property, called PrivateEndpointNetworkPolicies, to enabled.
Private endpoint user-defined routes support
Private endpoint support for user-defined routes (UDRs) is now generally available. This feature enhancement will remove the need to create a /32 address prefix when defining custom routes. You will now have the ability to use a wider address prefix in the user defined route tables for traffic destined to a private endpoint (PE) by way of a network virtual appliance (NVA). In order to leverage this feature, you will need to set a specific subnet level property, called PrivateEndpointNetworkPolicies, to enabled on the subnet containing private endpoint resources.
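The two private endpoint features above depend on the same subnet property. As an added example (not taken from the original article or from Microsoft's documentation), this Bicep template enables PrivateEndpointNetworkPolicies on a private endpoint subnet, attaches an NSG to it, and routes a client subnet's traffic to it through an NVA using a /24 prefix instead of /32 routes. All resource names, address ranges and the NVA address are assumptions.

```bicep
// Added example; all names, prefixes and the NVA address are constructed placeholders.
param nvaPrivateIp string = '10.0.0.4' // hypothetical NVA (or its ILB front end)
var location = resourceGroup().location
var appPrefix = '10.0.1.0/24' // clients of the private endpoints
var pePrefix = '10.0.2.0/24' // subnet that holds the private endpoints

// HTTPS from the app subnet only; the explicit deny overrides the default AllowVnetInBound rule.
var peRules = [
  { name: 'allow-app-https', priority: 100, access: 'Allow', protocol: 'Tcp', source: appPrefix, port: '443' }
  { name: 'deny-other-vnet', priority: 200, access: 'Deny', protocol: '*', source: 'VirtualNetwork', port: '*' }
]

resource peNsg 'Microsoft.Network/networkSecurityGroups@2022-05-01' = {
  name: 'nsg-private-endpoints'
  location: location
  properties: {
    securityRules: [for r in peRules: {
      name: r.name
      properties: {
        direction: 'Inbound'
        priority: r.priority
        access: r.access
        protocol: r.protocol
        sourceAddressPrefix: r.source
        sourcePortRange: '*'
        destinationAddressPrefix: pePrefix
        destinationPortRange: r.port
      }
    }]
  }
}

// The route table sits on the client subnet and covers the whole private endpoint subnet.
resource appRoutes 'Microsoft.Network/routeTables@2022-05-01' = {
  name: 'rt-app-to-private-endpoints'
  location: location
  properties: {
    routes: [
      { name: 'pe-subnet-via-nva', properties: { addressPrefix: pePrefix, nextHopType: 'VirtualAppliance', nextHopIpAddress: nvaPrivateIp } }
    ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2022-05-01' = {
  name: 'vnet-example'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      { name: 'snet-app', properties: { addressPrefix: appPrefix, routeTable: { id: appRoutes.id } } }
      {
        name: 'snet-private-endpoints'
        properties: {
          addressPrefix: pePrefix
          privateEndpointNetworkPolicies: 'Enabled' // without this, the NSG and the /24 route do not apply to private endpoint traffic
          networkSecurityGroup: { id: peNsg.id }
        }
      }
    ]
  }
}
```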
Azure Stack
Azure Stack HCI
Azure Stack HCI 22H2: Network ATC improvements
Network ATC can simplify the deployment and ongoing management of host networking in Azure Stack HCI. This article describes all the improvements to this component released with the Azure Stack HCI 22H2 update.
Software Defined Networking (SDN) extensions reach General Availability for WAC
SDN Infrastructure, Network Security Groups (NSGs), Logical networks, Virtual Networks, Load Balancers, and Gateways reach General Availability for Windows Admin Center (WAC). SDN Infrastructure’s “Network Controller” tab in WAC now displays information about cluster, server, and node certificates, complete with UI indications that a certificate will expire soon.
Common cybersecurity practices include, among many other measures, the timely application of software updates. This activity is of fundamental importance for eliminating the vulnerabilities that enable specific cyber attacks on company systems. To make it easier to apply operating system patches to the machines in your infrastructure, Microsoft recently announced the availability of a new solution called "Update management center". This article describes the characteristics and peculiarities of this solution, which helps simplify update management and achieve compliance with these security-related aspects.
What does this solution allow you to do?
Update management center is the new solution that helps to centrally manage and govern the updates of all the machines in your infrastructure. With this solution it is possible to:
Check update compliance for your entire fleet of machines.
Instantly distribute critical updates to protect your systems or plan installation within a defined maintenance window.
Take advantage of the different patching options, like Automatic VM guest patching in Azure, hot patching, and maintenance schedules defined by the customer.
To date, Update management center is able to manage and govern updates on:
Windows and Linux operating systems.
Machines residing in Azure, on-premises and on other cloud platforms, thanks to Azure Arc.
The following diagram illustrates how Update management center performs the evaluation and application of updates on all Azure systems and Arc-enabled servers, both Windows and Linux.
Figure 1 - Update management center overview
Update Management Center is based on a new Azure extension designed to provide all the features needed to interact with the operating system for the evaluation and application of updates. This extension is automatically installed at the start of any Update Management Center operation. The extension is supported on Azure virtual machines and on Arc-enabled servers, and is installed and managed using:
The Windows agent or the Linux agent for Azure virtual machines.
The Azure Arc agent for non-Azure physical computers or servers (both Linux and Windows).
The installation and configuration of the extension is managed by the solution and no manual intervention is required, as long as the Azure VM agents or the Azure Arc agents are functional. The Update management center extension runs code locally on the computer to interact with the operating system and allows you to:
Retrieve evaluation information about the status of system updates, specified by the Windows Update agent or by the Linux package manager*.
Start the download and installation of approved updates from the Windows Update client or from the Linux package manager.
Get all the information on the results of installing updates, which the extension reports to Update management center and which are available for analysis via the Azure Resource Graph. The evaluation data can be consulted for the last seven days, and the results of update installations are available for the last thirty days.
* The machines report updates based on the source they are configured to synchronize with. The Windows Update Agent (WUA) on Windows machines can be configured to reference Windows Server Update Services (WSUS) or Microsoft Update. Linux machines can be configured to reference a local or public YUM or APT package repository.
Benefits of the solution
Update management center works without the need for onboarding, as it is a solution that is natively based on the Azure Compute platform and Azure Arc-enabled servers. This solution will soon take the place of Update Management of Azure Automation, removing any dependency on Azure Automation and Log Analytics.
The main strengths of the new solution are summarized in the following paragraphs.
Centralized visibility of updates
Thanks to this solution it is possible to consult centrally, directly from the Azure Portal, the state of compliance with respect to the updates requested and distributed on the various systems.
Native integration and zero onboarding
Being a solution created as a native feature of the Azure platform, there is no dependency on Log Analytics and Azure Automation. Furthermore, the solution supports full integration with Azure Policy.
Integration with Azure roles and identities
The solution allows for granular access control at the resource level. Everything is based on Azure Resource Manager and therefore allows the use of RBAC and ARM-based roles in Azure.
High flexibility in managing updates
The ability to check for missing updates automatically or on demand, as well as the ability to install updates immediately or schedule them for a later date, guarantees high flexibility. Furthermore, the systems can be kept up to date by adopting new techniques, such as automatic VM guest patching in Azure and hotpatching.
Integration with other solutions
In this context it is worth considering that Microsoft offers, in addition to this solution, also other features to manage updates for Azure virtual machines. These features should be considered as an integral part of your overall update management strategy. Among the various features we find:
This new feature, fully integrated into the Azure platform and able to exploit the potential of Azure Arc, allows you to keep all the systems of your infrastructure up to date in a simple, direct way and with very little administrative effort. Furthermore, it guarantees total visibility on update compliance for both Windows and Linux systems, a fundamental element for improving the security posture of your infrastructure.
Azure Dedicated Host gives you more control over the hosts you deployed by giving you the option to restart any host. When undergoing a restart, the host and its associated VMs will restart while staying on the same underlying physical hardware. With this new capability, now in preview, you can take troubleshooting steps at the host level.
Azure Dedicated Host support for Ultra SSD (preview)
Currently, VMs running on Azure Dedicated Host support the use of Standard and Premium Azure disks as data disks. With this preview, Microsoft is introducing support for Azure Ultra Disks on Azure Dedicated Host. Azure Ultra disks are highly performant disks on Azure that offer high throughput (maximum of 4000 MBps per disk) and high IOPS (maximum of 160,00 IOPS per disk) depending on the disk size.
If you are running IaaS workloads that are data intensive and latency sensitive, such as Oracle DB, MySQL DB, other critical databases, and gaming applications, you will benefit from using Ultra disks as data disks on VMs hosted on Azure Dedicated Host.
Microsoft Azure available from new cloud region in Qatar
Microsoft is launching a new datacenter region in Qatar. The new datacenter region includes Azure Availability Zones, which offer you additional resiliency for your applications by designing the region with unique physical datacenter locations with independent power, network, and cooling for additional tolerance to datacenter failures.
Enforcement mode of machine configuration (previously guest configuration)
The enforcement mode of machine configuration (previously guest configuration) is now generally available. This represents the ApplyAndMonitor and ApplyAndAutocorrect auditing modes. The customer experience within Azure has not changed as a result of the renaming. Machine configuration continues to provide a native capability to audit or configure operating system settings as code, both for machines running in Azure and hybrid Azure Arc-enabled servers, directly per-machine or at-scale orchestrated through Azure Automanage, Microsoft Defender for Cloud, or Azure Policy.
You will now be able to:
Apply and monitor configurations: set the required configuration on your machines and remediate on demand.
Apply and autocorrect configurations: set the required configuration at scale and autoremediate in the event of a configuration drift.
Apply configurations to machines at management group level.
Set TLS 1.2 to machines through our newly released built-in policy.
Create, delete, and monitor the compliance of your configurations through the Azure portal.
Storage
Azure StorSimple 8000/1200 series will no longer be supported starting 31st December 2022
Support for the following StorSimple versions will end 31st December 2022:
• StorSimple 8000 series – 8100, 8600, 8010, 8020
• StorSimple 1200 Series
• StorSimple Data Manager
• StorSimple Snapshot Manager
The StorSimple service will reach end of life which means the following will no longer be available:
• All cloud management capability (e.g. viewing or updating settings related to volumes, shares, backups, backup policies or installing updates, etc.)
• Access to live data and backups.
• Access to customer support resources (phone, email, web)
• Hardware replacement parts and repair services for StorSimple 8000 series devices
• Software updates for StorSimple 8000 series and 1200 series devices
Microsoft has been expanding the portfolio of Azure Hybrid storage capabilities with new services for data tiering and cloud ingestion, providing more options to customers for storing data in Azure in native formats.
Networking
Azure Firewall Premium is now ICSA labs certified
Azure Firewall Premium SKU is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It provides advanced threat protection that meets the needs of highly sensitive and regulated environments and includes Intrusion Prevention System (IPS) and TLS inspection capabilities.
The new Intrusion Prevention System (IPS) certification from ICSA Labs is an important IPS certification and is an addition to the existing Firewall certification from ICSA Labs.
ICSA Labs provides credible third-party testing and certification of security and health IT products, as well as network-connected devices. This includes certification of network intrusion prevention systems.
ICSA Labs Network Intrusion Prevention System (IPS) security certification test cycle includes Azure Firewall protection against exploits aimed at approximately 100 high severity vulnerabilities in enterprise software. Because real world attacks do not happen on a quiescent network, ICSA Labs tests with an appropriate level of background traffic using various mixes of enterprise network traffic. The test included evasion techniques, platform security of the product itself, logging, secure administration, and administrative functions.
Azure Firewall is the first cloud firewall service to attain the ICSA Labs Corporate Certification for both Firewall and IPS services.
Next hop IP support for Route Server
With next hop IP support, you can deploy network virtual appliances (NVAs) behind an Azure Internal Load Balancer (ILB) to achieve key active-passive connectivity scenarios and improve connectivity performance.