Category Archives: Datacenter Management

Azure IaaS and Azure Stack: announcements and updates (May 2022 – Weeks: 17 and 18)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, made official by Microsoft in the last two weeks.

Azure

Compute

Azure Lab Services April 2022 update (preview)

IT departments, administrators, educators, and students can utilize the following updated features in Azure Lab Services:

  • Enhanced lab creation and improved backend reliability
  • Access performance
  • Extended virtual network support
  • Easier labs administration via new roles
  • Improved cost tracking via Azure Cost Management service
  • Availability of PowerShell module
  • .NET API SDK for advanced automation and customization
  • Integration with Canvas learning management system

Storage

Azure File Sync agent v15

Azure File Sync agent v15 is available and it’s now on Microsoft Update and Microsoft Download Center.

Improvements and issues that are fixed:

  • Reduced transactions when cloud change enumeration job runs
  • View Cloud Tiering status for a server endpoint or volume
  • New diagnostic and troubleshooting tool
  • Immediately run server change enumeration to detect file changes that were missed by the USN journal
  • Miscellaneous improvements

More information about this release:

  • This release is available for Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 and Windows Server 2022 installations.
  • A restart is required for servers that have an existing Azure File Sync agent installation if the agent version is less than version 12.0.
  • The agent version for this release is 15.0.0.0.
  • Installation instructions are documented in KB5003882.

Object replication on premium blob storage and rule limit increased

Object replication now supports premium block blobs to replicate your data from your blob container in one storage account to another anywhere in Azure. The destination storage account can be a premium block blob or a general-purpose v2 storage account.

You can also specify up to 1000 replication rules (increased from 10) for each replication policy for both general-purpose v2 and premium block blob storage accounts.

Object replication unblocks a set of common replication scenarios for block blobs:

  • Minimize latency: have your users consume the data locally rather than issuing cross-region read requests.
  • Increase efficiency: have your compute clusters process the same set of objects locally in different regions.
  • Optimize data distribution: have your data consolidated in a single location for processing/analytics and then distribute only resulting dashboards to your offices worldwide.
  • Optimize costs: after your data has been replicated, you can reduce costs by moving it to the archive tier using lifecycle management policies.

Networking

Controls to block domain fronting behavior on customer resources

Effective April 29, 2022, you will be able to stop allowing domain fronting behavior on your Azure Front Door, Azure Front Door (classic), and Azure CDN Standard from Microsoft (classic) resources, in alignment with Microsoft’s commitment to securing the approach to domain fronting within Azure.
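Domain fronting is the case where the TLS SNI names one domain and the HTTP Host header names another, so the edge routes the request to a backend that the certificate/SNI did not advertise. As an added illustration (not Microsoft's implementation and not Front Door's log format), the following Python detector flags such requests in constructed edge access-log lines:

```python
import re
from dataclasses import dataclass

# Constructed sample of edge access-log lines (not real Front Door/CDN output):
# each line records the TLS SNI from the handshake and the HTTP Host header.
SAMPLE_LOG = """\
2022-04-29T10:00:01Z sni=www.contoso.example host=www.contoso.example path=/ status=200
2022-04-29T10:00:02Z sni=www.contoso.example host=WWW.CONTOSO.EXAMPLE:443 path=/api status=200
2022-04-29T10:00:03Z sni=cdn.contoso.example host=hidden.fabrikam.example path=/c2 status=200
2022-04-29T10:00:04Z sni=- host=www.contoso.example path=/ status=200
2022-04-29T10:00:05Z sni=static.contoso.example host=static.contoso.example. path=/img status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sni=(?P<sni>\S+) host=(?P<host>\S+) path=(?P<path>\S+) status=(?P<status>\d+)$"
)


@dataclass
class Finding:
    timestamp: str
    sni: str
    host: str
    reason: str


def normalize_hostname(name: str) -> str:
    """Lower-case, drop a trailing dot and an explicit :port so that
    'WWW.Contoso.Example:443' and 'www.contoso.example.' compare equal."""
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    # strip a port suffix, but leave bracketed IPv6 literals alone
    if not name.startswith("[") and name.count(":") == 1:
        name = name.split(":", 1)[0]
    return name


def detect_domain_fronting(log_text: str) -> list[Finding]:
    """Return one Finding per request whose TLS SNI and HTTP Host header
    disagree. A request with no SNI ('-') is reported separately, because
    the edge cannot tie it to the certificate/domain it was negotiated for."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than crash the detector
        sni, host = m["sni"], m["host"]
        if sni == "-":
            findings.append(Finding(m["ts"], sni, host, "no SNI presented"))
            continue
        if normalize_hostname(sni) != normalize_hostname(host):
            findings.append(
                Finding(m["ts"], sni, host, "SNI/Host mismatch (possible domain fronting)")
            )
    return findings


if __name__ == "__main__":
    for f in detect_domain_fronting(SAMPLE_LOG):
        print(f"{f.timestamp} sni={f.sni} host={f.host}: {f.reason}")
```

Only the third and fourth sample lines are reported; the case and port differences on line two and the trailing dot on line five are normalised away.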

Virtual Network NAT health checks available via Resource Health

Virtual Network NAT (VNet NAT) is a fully managed and highly resilient network address translation (NAT) service. With Virtual Network NAT, you can simplify your outbound connectivity for virtual networks without worrying about the risk of connectivity failures from port exhaustion or your internet routing configurations.

Support for Resource Health check with Virtual Network NAT helps you monitor the health of your NAT gateway as well as diagnose or troubleshoot outbound connectivity.

With Azure Resource Health, you can:

  • View a personalized dashboard of the health of your NAT gateway

  • Set up customizable resource health alerts to notify you in near real-time of when the health status of your NAT gateway changes

  • See the current and past health history of your NAT gateway to help you mitigate issues

  • Access technical support when you need help with Azure services, such as diagnosing and solving issues

Virtual Network NAT Resource Health is available in all Azure public regions, Government cloud regions, and China Cloud regions.

Enhancements to Azure Web Application Firewall

Microsoft offers two options, global WAF integrated with Azure Front Door and regional WAF integrated with Azure Application Gateway, for deploying Azure WAF for your applications and APIs.

On March 29, Microsoft announced the general availability of managed Default Rule Set 2.0 with anomaly scoring, Bot Manager 1.0, and security reports on global WAF. Additional features on regional WAF are available that offer you better security, improved scale, easier deployment, and better management of your applications and APIs:

  • Reduced false positives with Core Rule Set 3.2 integrated with Azure Application Gateway. The older CRS 2.2.9 ruleset is being phased out in favor of the newer rulesets.
  • Improved performance and scale with the next generation of WAF engine, released with CRS 3.2
  • Increased size limits on regional WAF for body inspection up to 2MB and file upload up to 4GB
  • Advanced customization with per rule exclusion and attribute by names support on regional WAF
  • Native, consistent experience with WAF policy: new deployments of the Application Gateway v2 WAF SKU now natively use WAF policies instead of WAF configuration
  • Advanced analytics capabilities with new Azure Monitor metrics on regional WAF

Azure Management services: what's new in April 2022

Microsoft is constantly announcing news regarding Azure management services. This summary, published monthly, gives you an overall overview of the main news of the current month, so that you can stay up to date and have the references needed for further study.

The following diagram shows the different areas related to management, which are covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.

Figure 1 – Management services in Azure overview

Monitor

Azure Monitor

Windows client support for the Azure Monitor agent (preview)

Azure Monitor agent and data collection rules now support client devices, Windows 10 and Windows 11, via a new installation setup (MSI). This allows you to extend the use of the same agent for telemetry and for security aspects (using Sentinel).

Support for custom logs and IIS logs for the Azure Monitor agent (preview)

The Azure Monitor Agent (AMA) natively provides the ability to collect log files (custom and IIS logs) into a Log Analytics workspace. This feature is particularly useful for easily consulting the custom logs generated by services or applications, as well as IIS logs, and for carrying out specific analyses.

Integration between Azure Monitor and Azure Managed Grafana (preview)

Microsoft announced Azure Managed Grafana, a service managed by Microsoft that allows customers to run Grafana natively within the Azure platform. Azure Managed Grafana extends the integrations with Azure Monitor, providing the ability to easily view Azure Monitor data in Grafana dashboards.

Configure

Azure Automation

Diagnostic audit log for Automation account

The ability to send audit data to blob storage accounts, Event Hubs and an Azure Monitor Log Analytics workspace has now been enabled for Automation Accounts as well. This allows you to monitor the main activities carried out on the Automation Account for security and compliance purposes. By enabling the audit event collection mechanism, it is possible to collect telemetry data regarding the creation, update and deletion of Automation Account runbooks and assets.

Govern

Azure Cost Management

Updates related to Azure Cost Management and Billing

Microsoft is constantly looking for new ways to improve Azure Cost Management and Billing, the solution that provides greater visibility into where costs are accumulating in the cloud, identifies and prevents incorrect spending patterns and optimizes costs. In this article some of the latest improvements and updates regarding this solution are reported, including:

Secure

Microsoft Defender for Cloud

New features, bug fixes and deprecated features of Microsoft Defender for Cloud

Microsoft Defender for Cloud is constantly evolving and improvements are being made on an ongoing basis. To stay up to date on the latest developments, Microsoft updates this page, which provides information about new features, bug fixes and deprecated features. In particular, this month the main news concern:

Protect

Azure Backup

Support for vault-archive storage for VM backup, even in the presence of SQL and SAP HANA

Azure Backup announced the ability to move recovery points to the Azure Storage vault-archive tier to save costs and keep backup data for longer. This feature is available for Azure VMs, even when SQL Server or SAP HANA is installed on the VMs. When moving backup data from vault-standard to vault-archive, Azure Backup converts incremental data into a full backup. This increases the total GB used, but costs are reduced due to the large difference in cost per GB between the two storage tiers. To simplify this process, Azure Backup indicates the Recovery Points (RPs) for which migration to the vault-archive tier is recommended. Restores can always be done in an integrated way from the Azure portal, through a simple and intuitive process.

Metrics and related alerts for Azure Blob storage (preview)

In recent months Azure Backup has released the ability to consult the health metrics of backups and restores for Azure virtual machines, SQL/HANA databases on Azure virtual machines and Azure Files. Now, Azure Backup also supports these metrics for blob storage.

Migrate

Azure Migrate

New Azure Migrate releases and features

Azure Migrate is the service in Azure that includes a large portfolio of tools that you can use, through a guided experience, to effectively address the most common migration scenarios. To stay up to date on the latest developments in the solution, please consult this page, which provides information about new releases and features.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure IaaS and Azure Stack: announcements and updates (April 2022 – Weeks: 15 and 16)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, made official by Microsoft in the last two weeks.

Azure

Compute

Recommended alert rules for virtual machines (preview)

The Azure portal experience now allows you to easily enable a recommended, out-of-the-box set of alert rules for your Azure resources. Currently in preview for virtual machines, you can enable a set of best-practice alert rules on an unmonitored VM with just a few clicks.

Storage

Rehydrate an archived blob to a different storage account

You can now rehydrate an archived blob by copying it to a different storage account, as long as the destination account is in the same region as the source account. Rehydration across storage accounts enables you to segregate your production data from your backup data, by maintaining them in separate accounts. Isolating archived data in a separate account can also help to mitigate costs from unintentional rehydration.

Azure Archive Storage now available in Switzerland North

Azure Archive Storage provides a secure, low-cost means for retaining cold data including backup and archival storage. Now, Azure Archive Storage is available in Switzerland North.

Networking

Service tags support for user-defined routing

Specify a service tag as the address prefix parameter in a user-defined route for your route table. You can choose from tags representing over 70 Microsoft and Azure services to simplify and consolidate route creation and maintenance. With this release, using service tags in routing scenarios for containers is also supported. User-defined routes with service tags will update automatically to include any changes that services make to their list of IPs and endpoints.

DNS reservations to prevent subdomain takeover in Cloud Services deployments

Microsoft Azure is a cloud platform integrated with data services, advanced analytics, and developer tools and services. When you build on, or migrate IT assets to, Azure, Microsoft provides a secure, consistent application platform to run your workloads. To strengthen your security posture, Microsoft rolled out DNS reservations to prevent subdomain takeover in Cloud Services deployments. A subdomain takeover lets a malicious actor redirect traffic intended for an organization’s domain to a site performing malicious activity.
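A subdomain takeover becomes possible when a CNAME in your zone still points at an Azure-provided hostname (for example a Cloud Services `*.cloudapp.net` name) whose backing resource has been deleted, so the name can be claimed by someone else. DNS reservations close that window on Microsoft's side; on the customer side the complementary check is to audit your own zone for such dangling records. The following Python audit is an added example (not a Microsoft tool); the zone export, the resource inventory and the list of Azure suffixes are constructed for the illustration:

```python
from dataclasses import dataclass

# Azure service suffixes whose hostnames are released when the backing resource
# is deleted (constructed, non-exhaustive list for this illustration).
AZURE_CLAIMABLE_SUFFIXES = (
    ".cloudapp.net",           # Cloud Services (classic)
    ".azurefd.net",            # Azure Front Door endpoints
    ".azurewebsites.net",      # App Service
    ".blob.core.windows.net",  # Storage blob / static website endpoints
    ".trafficmanager.net",     # Traffic Manager profiles
)

# Constructed DNS zone export: (record name, type, target) for contoso.example.
SAMPLE_ZONE = [
    ("www.contoso.example",    "CNAME", "contoso-prod.azurefd.net."),
    ("legacy.contoso.example", "CNAME", "contoso-legacy.cloudapp.net."),
    ("blog.contoso.example",   "CNAME", "contoso-blog.azurewebsites.net."),
    ("mail.contoso.example",   "MX",    "mail.contoso.example."),
    ("ftp.contoso.example",    "CNAME", "files.partner.example."),
]

# Constructed inventory of Azure endpoint hostnames the organisation still owns
# (in practice exported from the subscription, e.g. with Azure Resource Graph).
SAMPLE_INVENTORY = {
    "contoso-prod.azurefd.net",
    "contoso-blog.azurewebsites.net",
}


@dataclass
class DanglingRecord:
    name: str
    target: str
    service_suffix: str


def _canonical(host: str) -> str:
    """Lower-case and strip the trailing dot zone exports usually carry."""
    return host.strip().lower().rstrip(".")


def find_dangling_cnames(zone, inventory) -> list[DanglingRecord]:
    """Report CNAMEs that point into a claimable Azure namespace but whose
    target hostname is no longer among the endpoints we own."""
    owned = {_canonical(h) for h in inventory}
    dangling = []
    for name, rtype, target in zone:
        if rtype.upper() != "CNAME":
            continue  # only CNAMEs delegate the name to a third-party host
        tgt = _canonical(target)
        suffix = next((s for s in AZURE_CLAIMABLE_SUFFIXES if tgt.endswith(s)), None)
        if suffix is None:
            continue  # not an Azure-managed hostname; out of scope for this check
        if tgt not in owned:
            dangling.append(DanglingRecord(_canonical(name), tgt, suffix))
    return dangling


if __name__ == "__main__":
    for rec in find_dangling_cnames(SAMPLE_ZONE, SAMPLE_INVENTORY):
        print(f"DANGLING {rec.name} -> {rec.target} ({rec.service_suffix})")
```

In the sample only `legacy.contoso.example` is flagged: its target is an Azure Cloud Services name that no longer appears in the inventory, so the record should be deleted or re-pointed before the hostname is released.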

Azure Stack

Azure Stack HCI

Windows Server guest licensing offer

To facilitate guest licensing for Azure Stack HCI customers, take advantage of a new offer that brings simplicity and increased flexibility. This licensing is through an all-in-one place Azure subscription and in some cases may be less expensive than the traditional licensing model. The new Windows Server subscription for Azure Stack HCI is generally available as of April 1, 2022. With this offer, you can purchase unlimited Windows Server guest licenses for your Azure Stack HCI cluster through your Azure subscription. You can sign up and cancel anytime. There is a free 60-day trial after which the offer will be charged at $23.30 per physical core per month.

How to strengthen security posture in the public cloud, in hybrid and multi-cloud environments thanks to Defender for Cloud

The adoption of infrastructures and services in cloud environments, which helps businesses accelerate their digital transformation, also requires adapting the solutions, processes and practices used to ensure and maintain a high degree of security for IT resources. This must be done independently of the deployment models used, strengthening the overall security posture of your environment and providing advanced threat protection for all workloads, wherever they reside. This article reports how the Defender for Cloud solution is able to control and improve the security aspects of IT environments whose resources are used in the public cloud, in hybrid and in multi-cloud environments.

The challenges of security in modern infrastructures

Among the main challenges that must be faced in the security field by adopting modern infrastructures that use components in the cloud we find:

  • Rapid and constantly evolving workload. This aspect is certainly a double-edged sword of the cloud in that, on the one hand, end users have the ability to get more from solutions in cloud environments, on the other hand, it becomes complex to ensure that rapidly and constantly evolving services are always up to their standards and that they follow all security best practices.
  • Increasingly sophisticated security attacks. Regardless of where your workloads are running, security attacks adopt sophisticated and advanced techniques that require reliable protections to be implemented to counter their effectiveness.
  • Security resources and expertise that are not always adequate to respond to security alerts and to ensure that environments are properly protected. In fact, IT security is an ever-changing front and staying up to date is a constant and difficult challenge.

The pillars of security covered by Microsoft Defender for Cloud

The capabilities of Microsoft Defender for Cloud cover two great pillars of security for modern architectures that adopt cloud components: Cloud Security Posture Management (CSPM) and Cloud Workload Protection (CWP).

Figure 1 – The pillars of security covered by Microsoft Defender for Cloud

Cloud Security Posture Management (CSPM)

In the field of Cloud Security Posture Management (CSPM) Defender for Cloud can provide the following features:

    • Visibility: to assess the current security situation.
    • Hardening Guide: to be able to improve security efficiently and effectively

Thanks to continuous assessment, Defender for Cloud is able to continuously discover newly deployed resources and evaluate whether they are configured according to security best practices. If not, the resources are flagged and you get a prioritized list of recommendations about what should be corrected to improve their protection. This list of recommendations is derived from and backed by the Azure Security Benchmark, the Azure-specific set of guidelines created by Microsoft, which contains security and compliance best practices based on common frameworks, with a focus on cloud-centric security. This benchmark can cover the controls of the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST), and it can be customized according to the standards that must be respected.

Figure 2 - Examples of recommendations

Defender for Cloud assigns a global score to the environment, called Secure Score, which allows you to evaluate the risk profile (the higher the score, the lower the level of risk identified) and to take remediation actions.

Figure 3 - Secure score example

Cloud workload protection (CWP)

Regarding this area, Defender for Cloud delivers security alerts based on Microsoft Threat Intelligence. Furthermore, it includes a wide range of advanced and intelligent protections for workloads, provided through specific Microsoft Defender plans for the different types of resources present in the subscriptions and in hybrid and multi-cloud environments:

Figure 4 – Workloads protected by Defender for Cloud

Defender for Cloud therefore allows you to meet the following three needs, considered essential when managing the security of resources and workloads residing in the cloud and in on-premises environments:

Figure 5 - Security needs covered by Microsoft Defender for Cloud

Defender for Cloud also includes, as part of the advanced security features, vulnerability assessment solutions for virtual machines, container registries and SQL servers. Some scans are performed using the Qualys solution, which can be used without specific licenses and without dedicated accounts: everything is included and managed through Defender for Cloud.

Which environments can be protected with Defender for Cloud?

Defender for Cloud is an Azure native service, which allows you to protect not only the resources present in Azure, but also hybrid and multi-cloud environments.

Figure 6 - Cross protection on different environments

Azure environment protection

  • Azure IaaS and Azure PaaS services: Defender for Cloud can detect threats targeting virtual machines and services in Azure, including Azure App Service, Azure SQL, Azure Storage Account, and others. Furthermore, it allows you to detect anomalies in Azure activity logs through native integration with Microsoft Defender for Cloud Apps (formerly known as Microsoft Cloud App Security).
  • Azure data services: Defender for Cloud includes features that allow you to automatically classify data in Azure SQL. Furthermore, it is possible to carry out assessments to detect potential vulnerabilities in Azure SQL and Storage services, accompanied by recommendations on how to mitigate them.
  • Network: applying Network Security Groups (NSGs) to filter the traffic to and from the resources attached to Azure virtual networks is essential to guarantee network security. However, there may be cases where the actual traffic passing through the NSGs affects only a subset of the defined NSG rules. In these cases, the Adaptive network hardening functionality allows you to further improve the security posture by tightening the NSG rules. Using a machine learning algorithm that takes into account actual traffic, the configuration, threat intelligence and other indicators of compromise, it is able to provide advice on adjusting the NSG configuration to allow only the strictly necessary traffic.
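As an added illustration of the adaptive network hardening idea (a simplified rule-versus-traffic comparison, not Microsoft's machine-learning algorithm), the following Python script attributes constructed NSG flow-log entries to the first allow rule that matches them, in priority order as an NSG does, then recommends removing rules that saw no traffic and narrowing rules whose source or port scope is wider than what was actually observed. Rules, flows and the /32-to-/24 collapsing threshold are all constructed for the example:

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class NsgRule:
    name: str
    priority: int
    source: str          # '*', 'Internet', 'Any' or a CIDR
    dest_ports: str      # single port '22', range '1000-2000', or '*'
    protocol: str = "Tcp"


@dataclass
class Flow:
    src_ip: str
    dst_port: int
    protocol: str = "Tcp"


# Constructed inbound allow rules of an NSG (sample, not from a real tenant).
SAMPLE_RULES = [
    NsgRule("allow-ssh-any",    100, "*",          "22"),
    NsgRule("allow-web",        110, "*",          "443"),
    NsgRule("allow-rdp-any",    120, "*",          "3389"),
    NsgRule("allow-mgmt-range", 130, "10.0.0.0/8", "5985-5986"),
]

# Constructed flows observed in the analysis window (as NSG flow logs would show).
SAMPLE_FLOWS = [
    Flow("203.0.113.10", 22), Flow("203.0.113.10", 22), Flow("203.0.113.11", 22),
    Flow("198.51.100.7", 443), Flow("198.51.100.8", 443), Flow("203.0.113.5", 443),
    Flow("10.1.2.3", 5985),
]

BROAD_SOURCES = ("*", "Internet", "Any")


def _port_range(spec: str) -> tuple[int, int]:
    if spec == "*":
        return (0, 65535)
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return (int(lo), int(hi))
    return (int(spec), int(spec))


def _source_matches(source: str, ip: str) -> bool:
    if source in BROAD_SOURCES:
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(source, strict=False)


def _matches(rule: NsgRule, flow: Flow) -> bool:
    lo, hi = _port_range(rule.dest_ports)
    return (flow.protocol.lower() == rule.protocol.lower()
            and lo <= flow.dst_port <= hi
            and _source_matches(rule.source, flow.src_ip))


def _suggest_sources(ips, max_hosts: int = 5) -> list[str]:
    """Propose /32 prefixes for a handful of distinct sources; above the
    threshold, collapse them to the /24 networks they fall in."""
    hosts = sorted(set(ips), key=ipaddress.ip_address)
    if len(hosts) <= max_hosts:
        return [f"{h}/32" for h in hosts]
    nets = {str(ipaddress.ip_network(f"{h}/24", strict=False)) for h in hosts}
    return sorted(nets)


def harden(rules, flows, max_hosts: int = 5) -> list[tuple[str, str, str]]:
    """Return (rule name, action, detail) per allow rule: 'remove' for rules
    no flow hit, 'narrow' when the scope exceeds observed traffic, else 'keep'."""
    ordered = sorted(rules, key=lambda r: r.priority)
    hits = {r.name: [] for r in ordered}
    for flow in flows:
        # NSGs evaluate rules in priority order and stop at the first match.
        for rule in ordered:
            if _matches(rule, flow):
                hits[rule.name].append(flow)
                break
    recs = []
    for rule in ordered:
        matched = hits[rule.name]
        if not matched:
            recs.append((rule.name, "remove", "no traffic matched this rule in the window"))
            continue
        lo, hi = _port_range(rule.dest_ports)
        ports = sorted({f.dst_port for f in matched})
        srcs = _suggest_sources([f.src_ip for f in matched], max_hosts)
        broad_source = rule.source in BROAD_SOURCES
        broad_ports = (lo, hi) != (ports[0], ports[-1])
        if broad_source or broad_ports:
            detail = f"source {' '.join(srcs)} dest ports {','.join(map(str, ports))}"
            recs.append((rule.name, "narrow", detail))
        else:
            recs.append((rule.name, "keep", "scope already matches observed traffic"))
    return recs


if __name__ == "__main__":
    for name, action, detail in harden(SAMPLE_RULES, SAMPLE_FLOWS):
        print(f"{name:18} {action:7} {detail}")
```

On the sample data the unused RDP rule is flagged for removal, the two "any source" rules are narrowed to the handful of sources seen, and the management rule is narrowed because only one port of its range was ever used.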

Hybrid Environment Protection

In addition to protecting the Azure environment, Defender for Cloud functionality can also be extended to hybrid environments, in particular to protect servers that do not reside in Azure. Through Azure Arc, Microsoft Defender plans can be extended to non-Azure machines.

Protection of resources running on other public clouds

Microsoft Defender for Cloud can also cover resources present in Amazon Web Services (AWS) and Google Cloud Platform (GCP). To protect resources on other public clouds with this solution, a new native, agentless mechanism allows you to connect AWS and GCP environments. This new method of interfacing takes advantage of the AWS and GCP APIs and has no dependency on other solutions, such as AWS Security Hub.

Real case of protection with Defender for Cloud

Assuming a customer environment with resources located in Azure, on-premises and in AWS, with Defender for Cloud you can extend protection to all resources, independently of where they reside.

In fact, by connecting an Amazon Web Services (AWS) account to an Azure subscription, it is possible to enable the following protections:

  • The CSPM functionalities of Defender for Cloud are also extended to AWS resources, allowing you to evaluate the resources present in the Amazon cloud according to AWS-specific security recommendations. Furthermore, resources are evaluated for compliance with AWS-specific standards such as AWS CIS, AWS PCI DSS and AWS Foundational Security Best Practices. All of this is factored into the overall secure score.
  • Microsoft Defender for Servers offers threat detection and enables advanced defenses for EC2 Windows and Linux instances as well.
  • Microsoft Defender for Kubernetes extends advanced defenses to Amazon EKS Linux clusters and enables the detection of threats on containers present in those infrastructures.

These protections will be added to the features listed above available for Azure environments and for resources residing on-premises.

Conclusions

Defender for Cloud is able to respond effectively to the security challenges posed by the adoption of modern infrastructures. In fact, thanks to Microsoft Defender for Cloud, you have a solution capable of identifying security weaknesses in cloud configurations, strengthening the overall security posture of the environment and protecting workloads in hybrid and multi-cloud environments.

Azure IaaS and Azure Stack: announcements and updates (April 2022 – Weeks: 13 and 14)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, made official by Microsoft in the last two weeks.

Azure

Compute

On-demand capacity reservations

On-demand capacity reservations let you reserve compute capacity for one or more VM size(s) in an Azure region or availability zone for any length of time.

Azure Batch supports Spot Virtual Machines

Azure Batch offers Spot Virtual Machines in user-subscription Batch accounts. The Spot Virtual Machines are available as single-instance virtual machines (VMs) or Virtual Machine Scale Sets. In addition, you get unique Azure pricing and benefits when running Windows Server workloads on Spot Virtual Machines.

Azure Virtual Machines increase storage throughput by up to 300%

The new memory-optimized Ebsv5 and Ebdsv5 Azure Virtual Machines, now generally available, feature the latest 3rd Gen Intel Xeon Platinum 8370C (Ice Lake) processor in a hyper-threaded configuration. These VMs deliver up to a 300% increase in VM-to-disk storage throughput and IOPS compared to the previous-generation D/Ev4 VM series. The new VM series features sizes from 2 to 64 vCPUs, with and without local temporary storage, to best match your workload requirements. These new VMs offer up to 120,000 IOPS and 4,000 MB/s of remote disk storage throughput. The increased storage throughput is ideal for the most demanding data-intensive workloads, including large relational databases such as SQL Server, high-performance OLTP scenarios, and high-end data analytics applications.

New planned datacenter region in India (India South Central)

Microsoft has announced plans to bring a new datacenter region to India, including availability zones.

Azure Virtual Machines DCsv3 available in Switzerland and West US (preview)

DCsv3-series virtual machines (VMs) are available (in preview) in Switzerland North and West US. The DCsv3 and DCdsv3-series virtual machines help protect the confidentiality and integrity of your code and data while it processes in the public cloud. By leveraging Intel® Software Guard Extensions and Intel® Total Memory Encryption – Multi Key, you can ensure your data is always encrypted and protected in use.

Storage

Cross-region snapshot copy for Azure Disk Storage

Cross-region snapshot copy allows you to copy disk snapshots to any region for disaster recovery. Incremental snapshots are cost-effective point-in-time backups of Azure Disk Storage. They are billed for the changes to disks since the last snapshot and are always stored on the most cost-effective storage, Standard HDD storage, irrespective of the storage type of the parent disk. Now, you can copy incremental snapshots to any region of your choice for disaster recovery using cross-region snapshot copy. Azure manages the copy process and ensures that only changes since the last snapshot in the target region are copied, reducing the data footprint and recovery point objective (RPO).

Copy data directly to Archive Storage with Data Box

You can now use Data Box to copy data directly to Archive tier by indicating this when ordering and then copying to the corresponding share on the Data Box.

Azure Ultra Disk Storage in Sweden Central

Azure Ultra Disk Storage provides high-performance along with sub-millisecond latency for your most-demanding workloads.

Azure storage table access using Azure Active Directory

Azure Active Directory (Azure AD) support to authorize requests for Azure Table Storage is now generally available. With Azure AD, you can use Azure role-based access control (Azure RBAC) to grant permissions to any security principal, which can include a user, group, application service principal, or managed identity. The security principal is authenticated by Azure AD to return an OAuth 2.0 token. The token can then be used to authorize a request against the Table service. Authorizing requests against Azure Storage Tables with Azure AD provides superior security and ease of use over shared key authorization. Microsoft recommends using Azure AD authorization with your table applications when possible to assure access with minimum required privileges.
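To make the least-privilege point concrete, the following added Python example (not Microsoft's or the SDK's own sample) picks the narrowest built-in table data role for the operations an application performs, builds the table-scoped role assignment scope, and then opens an Azure AD-authenticated `TableServiceClient`. The role names, the scope format and the `azure-identity`/`azure-data-tables` calls are real; the account, resource group and table names are constructed, and the SDK is imported lazily so the pure-logic helpers run without the packages installed:

```python
import re

# Built-in Azure RBAC roles for table data access, from least to most privileged.
TABLE_DATA_READER = "Storage Table Data Reader"
TABLE_DATA_CONTRIBUTOR = "Storage Table Data Contributor"

READ_OPS = {"query", "get"}
WRITE_OPS = {"insert", "update", "upsert", "delete"}

ACCOUNT_RE = re.compile(r"^[a-z0-9]{3,24}$")           # storage account naming rule
TABLE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]{2,62}$")  # table naming rule


def least_privilege_role(operations) -> str:
    """Return the narrowest built-in role that covers every requested
    operation; unknown operations are rejected rather than silently
    escalated to Contributor."""
    ops = {op.lower() for op in operations}
    unknown = ops - READ_OPS - WRITE_OPS
    if unknown:
        raise ValueError(f"unknown table operations: {sorted(unknown)}")
    return TABLE_DATA_CONTRIBUTOR if ops & WRITE_OPS else TABLE_DATA_READER


def table_scope(subscription_id: str, resource_group: str, account: str, table: str) -> str:
    """Scope string for a role assignment limited to one table, so a principal
    cannot read every table in the account just because it needs one of them."""
    if not ACCOUNT_RE.match(account):
        raise ValueError(f"invalid storage account name: {account!r}")
    if not TABLE_RE.match(table):
        raise ValueError(f"invalid table name: {table!r}")
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Storage/storageAccounts/{account}"
            f"/tableServices/default/tables/{table}")


def open_table_with_azure_ad(account: str, table: str):
    """Open a TableClient using an Azure AD token instead of the shared key.
    DefaultAzureCredential picks up a managed identity, workload identity,
    environment service-principal variables or a developer login."""
    from azure.identity import DefaultAzureCredential
    from azure.data.tables import TableServiceClient

    service = TableServiceClient(
        endpoint=f"https://{account}.table.core.windows.net",
        credential=DefaultAzureCredential(),
    )
    return service.get_table_client(table_name=table)


if __name__ == "__main__":
    # Constructed names for the illustration; no shared key appears anywhere.
    role = least_privilege_role(["query", "get"])
    scope = table_scope("00000000-0000-0000-0000-000000000000", "rg-demo", "stcontosodemo", "Orders")
    print(f"assign '{role}' at {scope}")
    client = open_table_with_azure_ad("stcontosodemo", "Orders")
    for entity in client.query_entities("PartitionKey eq '2022'"):
        print(entity)
```

Assign the printed role at the printed scope (for example with `az role assignment create --role ... --scope ...`) for the principal the application runs as; a read-only workload then gets a token that the Table service accepts for queries but rejects for writes.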

Azure File Sync agent v15

Improvements and issues that are fixed:

  • Reduced transactions when cloud change enumeration job runs
  • View Cloud Tiering status for a server endpoint or volume
  • New diagnostic and troubleshooting tool
  • Immediately run server change enumeration to detect file changes that were missed by the USN journal
  • Miscellaneous improvements

To obtain and install this update, configure your Azure File Sync agent to automatically update when a new version becomes available or manually download the update from the Microsoft Update Catalog.

More information about this release:

  • This release is available for Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 and Windows Server 2022 installations.
  • A restart is required for servers that have an existing Azure File Sync agent installation if the agent version is less than version 12.0.
  • The agent version for this release is 15.0.0.0.
  • Installation instructions are documented in KB5003882.

Networking

Bring your own public IP ranges to Azure

When planning a potential migration of on-premises infrastructure to Azure, you may want to retain your existing public IP addresses due to your customers’ dependencies (for example, firewalls or other IP hardcoding) or to preserve an established IP reputation. Now you can bring your own IP addresses (BYOIP) to Azure in all public regions. Using the Custom IP Prefix resource, you can now bring your own public IPv4 ranges to Azure and use them like any other Azure-owned public IP ranges. Once onboarded, these IPs can be associated with Azure resources, interact with private IPs and VNETs within Azure’s network, and reach external destinations by egressing from Microsoft’s Wide Area Network.

The new Azure Front Door: a modern cloud CDN service

The new Azure Front Door is a Microsoft-native, unified and modern cloud content delivery network (CDN) catering to dynamic and static content acceleration. This service includes built-in turnkey security and a simple pricing model, built on Microsoft’s massive-scale private global network. There are two Azure Front Door tiers: Standard and Premium. They combine the capabilities of Azure Front Door (classic) and Azure CDN from Microsoft (classic) and integrate with Azure Web Application Firewall (WAF). This provides a unified and secure solution for delivering your applications, APIs and content, on Azure or anywhere, at scale.

Several key capabilities have been released:

  • Improved automation and simplified provisioning with DNS TXT based domain validation
  • Auto generated endpoint host name to prevent subdomain takeover
  • Expanded Private Link support in all Azure regions with availability zones to secure backends
  • Web Application Firewall enhancements with DRS 2.0 RuleSet and Bot manager
  • Expanded rules engine with regular expressions and server variables
  • Enhanced analytics and logging capabilities
  • Integration with Azure DNS, Azure Key Vault, Azure Policy and Azure Advisor
  • A simplified and predictable cost model

Azure Bastion native client support

With the new Azure Bastion native client support, available with Standard SKU, you can now:

  • Connect to your target Azure virtual machine via Azure Bastion using Azure CLI and a native client on your local machine
  • Log into Azure Active Directory-joined virtual machines using your Azure Active Directory credentials
  • Access the features available with your chosen native client (ex: file transfer)

Azure Bastion support for Kerberos authentication (preview)

Azure Bastion support for Kerberos authentication, available with both basic and standard SKUs, is now in public preview.

Datacenter Modernization: a real case with Microsoft solutions

The statistics speak for themselves: over 90% of companies already have, or foresee adopting in the short term, a hybrid strategy for their IT infrastructure. This data is confirmed by everyday experience, where several customers include in their investment plans both the maintenance of workloads on on-premises infrastructure and the adoption of solutions in the public cloud. At the same time, a process of application modernization is pursued with the aim of making the most of the potential and innovation offered by these infrastructures. We therefore live in the era of hybrid cloud, and Microsoft offers several interesting solutions to modernize the datacenter and easily manage hybrid infrastructure. This article gives a real example of how a customer embarked on the modernization of their datacenter thanks to Azure Stack HCI and how, via Azure Arc, they were able to extend Azure services and management principles to their on-premises infrastructure as well.

Initial customer request and problems to be solved

The customer in question wanted to activate a new, modern and integrated virtualization infrastructure in their datacenter, allowing application workloads to be configured quickly, dynamically and flexibly. The infrastructure in use by the customer was not adequate and suffered from various problems, including:

  • Non-scalable and inflexible virtualization solution
  • Hardware obsolescence
  • Configurations that did not ensure adequate availability of virtualized systems
  • Performance and stability issues
  • Difficulty in managing the various infrastructure components

Characteristics of the proposed solutions, adopted and benefits obtained

The customer decided to adopt a hyper-converged infrastructure (HCI), in which several hardware components are removed and replaced by software that merges the compute, storage and network layers into one solution. In this way the customer moved from a traditional "three tier" infrastructure, composed of network switches, appliances, physical systems with onboard hypervisors, storage fabric and SAN, to a hyper-converged infrastructure (HCI).

Figure 1 - Transition from a "Three Tier" infrastructure to a Hyper-Converged Infrastructure (HCI)

Azure Stack HCI: the complete stack of the Hyper-Converged infrastructure

All this was done by adopting Microsoft Azure Stack HCI, a solution that runs workloads on the hyper-converged infrastructure (HCI) and connects it easily to Azure. The main characteristics of the solution are described in the following paragraphs.

Choosing and customizing your hardware

The customer was able to customize the hardware solution according to their needs, configuring the processor, memory, storage and network adapter features while respecting the vendor's compatibility matrices.

Figure 2 - Hardware composition of the Azure Stack HCI solution

Several hardware vendors offer solutions suitable for running Azure Stack HCI; they can be consulted by accessing this link. The choice is wide, with more than 200 solutions from more than 20 different partners. Azure Stack HCI requires hardware that has been specifically tested and validated by the various vendors.

Dedicated and specific operating system

The operating system of Azure Stack HCI is a dedicated operating system with a simplified composition and more up-to-date components than Windows Server. Roles that the solution does not require are not included, while it ships the latest hypervisor, the same one used in the Azure environment, together with software-defined networking and storage technologies optimized for virtualization.

The local user interface is minimal and is designed to be managed remotely.

Figure 3 - Azure Stack HCI OS interface

Disaster recovery and failover of virtual machines

The customer also took advantage of the possibility of creating a stretched cluster to extend their Azure Stack HCI cluster, in this specific case across two different buildings. This functionality is based on storage replication (synchronous in this scenario) and provides encryption, local site resilience and automatic failover of virtual machines in the event of a disaster.

Figure 4 – Stretched cluster of the Azure Stack HCI hyper-converged architecture

Updates of the entire solution stack (full-stack updates)

To reduce the complexity and operational costs of the solution update process, the customer can start the full-stack update of Azure Stack HCI (firmware and drivers along with the operating system) directly from Windows Admin Center.

Figure 5 - Solution updates of the Dell EMC branded Azure Stack HCI solution

Azure Hybrid Service: familiarity in management and operation

The customer is able to manage their Azure Stack HCI-based infrastructure in a simple way, without adopting specific software tools, as if it were an extension of the public cloud, thanks to the features described in the following paragraphs.

Native integration in Azure

Azure Stack HCI natively integrates with Azure services and Azure Resource Manager (ARM). No separate agent is required for this integration, because Azure Arc is built directly into the operating system. This allows the on-premises Azure Stack HCI cluster to be viewed directly from the Azure portal, exactly like any Azure resource.

Figure 6 - Azure Stack HCI integration into Azure

By integrating with Azure Resource Manager, the customer can take advantage of the following benefits of Azure-based management:

  • Adopting standard Azure Resource Manager (ARM) constructs
  • Classifying clusters with tags
  • Organizing clusters in resource groups
  • Viewing all Azure Stack HCI clusters in one centralized view
  • Managing access using Azure Identity and Access Management (IAM)

Furthermore, from the Azure Stack HCI resource you can locate, add, modify or remove extensions, through which you can easily access the management features.
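The ARM-based management listed above (registration, tags, resource groups, a centralized view and IAM), as an added Azure PowerShell example; this is not code from the original article or from the customer's deployment. The subscription ID, resource group, cluster and node names and the group object ID are assumed placeholders, and the cmdlets are those of the Az.StackHCI, Az.Resources and Az.Accounts modules.

```powershell
# Added example (not part of the original article): register an Azure Stack HCI cluster
# with Azure, then manage it with ordinary ARM constructs (tags, resource groups, RBAC).
# Names and IDs are placeholders (assumed).
$SubscriptionId = '00000000-0000-0000-0000-000000000000'
$ResourceGroup  = 'rg-hci-prod'
$ClusterName    = 'hci-cluster-01'
$Region         = 'westeurope'
$OperatorsGroup = '11111111-1111-1111-1111-111111111111'   # Azure AD group object ID (assumed)

# Run from a workstation that can reach a cluster node. Registration projects the cluster
# into ARM as a Microsoft.AzureStackHCI/clusters resource; no separate agent is installed.
Install-Module -Name Az.StackHCI -Scope CurrentUser
Connect-AzAccount
Register-AzStackHCI -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroup `
    -ResourceName $ClusterName -Region $Region -ComputerName 'hci-node-01'

# Classify the cluster with tags, exactly like any other Azure resource.
$Cluster = Get-AzResource -ResourceGroupName $ResourceGroup -Name $ClusterName `
    -ResourceType 'Microsoft.AzureStackHCI/clusters'
Set-AzResource -ResourceId $Cluster.ResourceId `
    -Tag @{ environment = 'production'; site = 'building-A' } -Force

# Centralized view: every registered cluster across the subscription, wherever it runs.
Get-AzResource -ResourceType 'Microsoft.AzureStackHCI/clusters' |
    Select-Object Name, ResourceGroupName, Location, Tags

# Least privilege: the operators group gets Reader on the cluster resource only,
# not Contributor on the whole subscription.
New-AzRoleAssignment -ObjectId $OperatorsGroup -RoleDefinitionName 'Reader' `
    -Scope $Cluster.ResourceId
```

Scoping the role assignment to the cluster's resource ID is the point of the last step: the same Azure RBAC model that governs cloud resources now governs who can see or change the on-premises cluster, and the assignment shows up in the Azure activity log like any other.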

Figure 7 - Azure Stack HCI management capabilities

Arc-enabled VM management

In addition to managing the cluster, the customer can also use Azure Arc to provision and manage virtual machines running on Azure Stack HCI, directly from the Azure portal. Virtual machines and their associated resources (images, disks, and network) are projected into ARM as separate resources using a new multi-platform technology called Arc Resource Bridge.

In this way you can:

  • achieve consistent management between cloud resources and Azure Stack HCI resources;
  • automate virtual machine deployments using ARM templates;
  • guarantee self-service access thanks to Azure RBAC support.

Figure 8 - Features provided by Azure Arc integration for Azure Stack HCI VMs

Azure Backup and Azure Site Recovery

Azure Stack HCI supports Azure Backup and Azure Site Recovery. With Microsoft Azure Backup Server (MABS) the customer backs up the hosts and the virtual machines running in Azure Stack HCI. Furthermore, using Azure Site Recovery it is possible to replicate virtual machines from Azure Stack HCI to Azure, to build specific disaster recovery scenarios.

Infrastructure monitor with Azure Monitor Insights for Azure Stack HCI

Thanks to Azure Stack HCI Insights, the customer is able to consult detailed information on the health, performance and usage of the Azure Stack HCI clusters connected to Azure and registered for monitoring. Azure Stack HCI Insights stores its data in a Log Analytics workspace, which makes it possible to use powerful aggregations and filters to better analyze the data collected over time. You can view the monitoring data of a single cluster from the Azure Stack HCI resource page, or use Azure Monitor to obtain an aggregate view of multiple Azure Stack HCI clusters, with an overview of cluster health, the state of nodes and virtual machines (CPU, memory and storage consumption), performance metrics and more. This is the same data provided by Windows Admin Center, but designed to scale up to 500 clusters at the same time.

Figure 9 - Azure Monitor Insights control panel for Azure Stack HCI

Azure benefit for Windows Server

Microsoft offers special benefits when deploying Windows Server in Azure environment, and the same benefits are also available on Azure Stack HCI.

Figure 10 – Azure benefit for Windows Server

Azure Stack HCI allows you to:

  • Deploy virtual machines with the Windows Server 2022 Azure Datacenter edition, which offers specific features not available in the classic Standard and Datacenter editions. To learn more about the features available in this edition, you can consult this article.
  • Get extended security updates for free, just as in Azure. This applies both to Windows Server 2008 / R2 and to Windows Server 2012 / R2, in addition to the corresponding versions of SQL Server.
  • Obtain licenses and activate Windows Server machines as in Azure. In addition to allowing you to use your own Datacenter license to enable automatic activation of virtual machines (Automatic VM Activation, AVMA), Azure Stack HCI provides the option to pay for the Windows Server license of guest systems through your Azure subscription, just as in the Azure environment.

Dedicated Azure Support Team

Azure Stack HCI is in effect an Azure solution, therefore the customer can take advantage of Azure support with the following characteristics:

  • You can easily request technical support directly from the Azure portal.
  • Support will be provided by a new team of experts dedicated to supporting the solution Azure Stack HCI.
  • You can choose from different support plans, depending on your needs.

Infrastructure innovation and new evolved scenarios

In the Azure Stack HCI environment, in addition to running virtual machines, you can activate Azure Kubernetes Service (AKS) and Azure Virtual Desktop.

Azure Kubernetes Service in Azure Stack HCI

This on-premises AKS implementation scenario allows you to automate the large-scale execution of modern microservices-based applications. Thanks to Azure Stack HCI, these container-based application architectures can be hosted directly in your own datacenter, with the same Kubernetes management experience you have with the managed service in the Azure public cloud.

Figure 11 - AKS overview on Azure Stack HCI

For more information, you can consult the article Azure Kubernetes Service in an Azure Stack HCI environment.

Azure Virtual Desktop for Azure Stack HCI

In situations where applications are sensitive to latency, such as video editing, or where users need to reach a legacy system present on-premises that cannot easily be reached from the cloud, Azure Virtual Desktop adds a new hybrid option thanks to Azure Stack HCI. Azure Virtual Desktop for Azure Stack HCI uses the same cloud management plane as regular Azure Virtual Desktop, but it allows you to create session host pools using virtual machines running on Azure Stack HCI. These virtual machines can run Windows 10 and/or Windows 11 Enterprise multi-session. By placing desktops closer to users, it is possible to enable direct access with low latency and without a round trip to the cloud.

Conclusions

Microsoft operates one of the largest datacenter infrastructures in the world and is making large investments to bring the experience gained and the innovation of the cloud to Azure Stack HCI. This customer, by relying on Azure Stack HCI, is taking advantage of a subscription service that receives regular feature updates, with the important goal of exploiting on-premises the technology tested at large scale in the cloud. Furthermore, the customer is able to manage the resources of its environment in a unified way and to benefit from continuous innovation of its hybrid infrastructure.

Azure Management services: what's new in March 2022

In March, Microsoft announced several news items regarding Azure management services. In this series of articles, published monthly, the major announcements are listed, accompanied by the references needed to investigate them further.

The following diagram shows the different areas related to management, which are covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.

Figure 1 – Management services in Azure overview

Monitor

Azure Monitor

New agent: support for Private Links

The new Azure Monitor agent introduced support for network configurations via private link. This configuration allows you to operate in restricted environments that require special network requirements and a high degree of isolation.

Govern

Azure Cost Management

Automated emails on cost views

To let you stay up to date on cost changes, Azure Cost Management and Billing has introduced the possibility of sending automated e-mails. From cost analysis, after selecting a chart view, you can subscribe to daily, weekly or monthly updates and even share those views with people who do not have access to the Azure portal.

Updates related to Azure Cost Management and Billing

Microsoft is constantly looking for new ways to improve Azure Cost Management and Billing, the solution that provides greater visibility into where costs are accumulating in the cloud, identifies and prevents incorrect spending patterns and optimizes costs. In this article some of the latest improvements and updates regarding this solution are reported.

Secure

Microsoft Defender for Cloud

New features, bug fixes and deprecated features of Microsoft Defender for Cloud

Microsoft Defender for Cloud is constantly evolving and improvements are made on an ongoing basis. To stay up to date on the latest developments, Microsoft maintains this page, which provides information about new features, bug fixes and deprecated features. In particular, this month the main news concerns:

Protect

Azure Backup

Azure Files Snapshot Protection

To protect Azure Files snapshots from accidental deletion, Azure Backup has added an extra layer of protection to its snapshot management, integrating with the Azure Files platform's ability to acquire a lease on a snapshot. The lease creates and maintains a lock on the snapshot against delete operations. After taking a snapshot of an Azure file share, Azure Backup acquires the lease, thus protecting the snapshot from accidental deletion. Furthermore, to ensure that the snapshot is not deleted during a restore operation, Azure Backup also checks the lease status at the beginning of the recovery and acquires the lease if necessary.

Support for Azure virtual machines with technologies trusted launch (preview)

Trusted launch is an easy way to improve the security of generation 2 virtual machines: it protects against advanced attack techniques by combining technologies that can be enabled independently, such as secure boot and the virtualized version of the Trusted Platform Module (vTPM). Support for Azure VMs with trusted launch enabled is now available in preview.

Azure Site Recovery

On-demand capacity reservation with Azure Site Recovery to safeguard virtual machine failover

Azure Site Recovery is now integrated with on-demand capacity reservation, which lets you reserve compute capacity in the disaster recovery (DR) region and thus ensure that workloads can run during failover. By assigning a capacity reservation group (CRG) to protected VMs, Azure Site Recovery fails the VMs over into that CRG. Furthermore, an SLA of 2 hours applies to the Recovery Time Objective (RTO).

New Update Rollup

Update Rollup 61 has been released for Azure Site Recovery; it fixes several issues and introduces some improvements. The details and the installation procedure can be found in the specific KB.

Migrate

Azure Migrate

New Azure Migrate releases and features

Azure Migrate is the Azure service that includes a large portfolio of tools which you can use, through a guided experience, to effectively address the most common migration scenarios. To stay up to date on the latest developments in the solution, please consult this page, which provides information about new releases and features.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure IaaS and Azure Stack: announcements and updates (March 2022 – Weeks: 11 and 12)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Trusted launch support for Virtual Machines using Ephemeral OS disks (preview)

Trusted launch is a seamless way to improve the security of generation 2 VMs. It protects against advanced and persistent attack techniques by combining technologies that can be independently enabled like secure boot and virtualized version of trusted platform module (vTPM). Now, Trusted Launch support for VMs using Ephemeral OS disks is available in preview.
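Creating a trusted launch VM on an ephemeral OS disk, and then verifying that the settings actually took effect, as an added Azure PowerShell example that is not code from the original post; the same security profile is what the Azure Backup trusted launch preview in the earlier post relies on. The resource group, VM name and size, image SKU and the pre-existing NIC are assumptions; the cmdlets and parameters are those of the Az.Compute module (`Set-AzVMSecurityProfile`, `Set-AzVMUefi`, `Set-AzVMOSDisk -DiffDiskSetting`).

```powershell
# Added example (not from the original post): build a generation 2 VM with trusted launch
# (secure boot + vTPM) on an ephemeral OS disk, then verify the deployed security profile.
# Resource names, VM size and the NIC are placeholders (assumed).
$ResourceGroup = 'rg-tl-demo'
$Location      = 'westeurope'
$VmName        = 'vm-tl01'
$VmSize        = 'Standard_D4s_v3'   # its cache must be large enough to hold the OS disk
$Cred          = Get-Credential -Message 'Local administrator account for the VM'

$Nic = Get-AzNetworkInterface -ResourceGroupName $ResourceGroup -Name "$VmName-nic"

$Vm = New-AzVMConfig -VMName $VmName -VMSize $VmSize
$Vm = Set-AzVMOperatingSystem -VM $Vm -Windows -ComputerName $VmName -Credential $Cred

# Trusted launch requires a generation 2 image: the '-g2' SKU of the Windows Server offer.
$Vm = Set-AzVMSourceImage -VM $Vm -PublisherName 'MicrosoftWindowsServer' `
    -Offer 'WindowsServer' -Skus '2022-datacenter-g2' -Version 'latest'

# Ephemeral OS disk: lives on the host's local cache, so reimage is fast and the disk costs
# nothing, but nothing written to it survives deallocation; treat the VM as stateless.
$Vm = Set-AzVMOSDisk -VM $Vm -CreateOption FromImage -DiffDiskSetting Local `
    -DiffDiskPlacement CacheDisk -Caching ReadOnly

# Trusted launch: secure boot rejects unsigned boot components and the vTPM provides
# measured boot, so a tampered boot chain is detectable rather than silent.
$Vm = Set-AzVMSecurityProfile -VM $Vm -SecurityType 'TrustedLaunch'
$Vm = Set-AzVMUefi -VM $Vm -EnableVtpm $true -EnableSecureBoot $true

$Vm = Add-AzVMNetworkInterface -VM $Vm -Id $Nic.Id
New-AzVM -ResourceGroupName $ResourceGroup -Location $Location -VM $Vm

# Check: read the profile back from ARM instead of trusting the request that was sent.
$Deployed = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
$Sec = $Deployed.SecurityProfile
if ($Sec.SecurityType -ne 'TrustedLaunch' -or
    -not $Sec.UefiSettings.SecureBootEnabled -or
    -not $Sec.UefiSettings.VTpmEnabled) {
    throw "$VmName is not running with trusted launch fully enabled"
}
if ($Deployed.StorageProfile.OsDisk.DiffDiskSettings.Option -ne 'Local') {
    throw "$VmName is not using an ephemeral OS disk"
}
```

The final check is worth keeping in any provisioning pipeline: secure boot and vTPM are two independent switches, and a VM can end up with `SecurityType` set while one of them is off, which is exactly the state a backup or attestation tool keyed to trusted launch will not handle.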

Best practices assessment for SQL Server on Azure Virtual Machines

You can now evaluate if your SQL Server on Azure Virtual Machines is following configuration best practices using the SQL best practices assessment feature. You can start or schedule an assessment on the SQL virtual machine blade in the Azure portal. Once the feature is enabled, your SQL Server instance and databases are scanned to provide recommendations for things like indexes, retired features, enabled or missing trace flags, statistics, and more.

Select Azure Dedicated Host SKUs will be retired on 31 March 2023

On 31 March 2023, Azure Dedicated Hosts Dsv3-Type1, Esv3-Type1, Dsv3-Type2, and Esv3-Type2 will be retired. Before that date, you must migrate to the new Dedicated Host SKUs.

Azure HBv3 virtual machines for HPC now upgraded

All Azure HBv3 virtual machine (VM) deployments from 21 March 2022 will include AMD EPYC 3rd Gen processors with 3D V-Cache, codenamed “Milan-X”. The enhanced HBv3 VMs are available in the Azure East US, South Central US, and West Europe regions. All VM deployments from today onward will occur on machines featuring Milan-X processors. Existing HBv3 VMs deployed prior to today’s launch will continue to see AMD EPYC 3rd Gen processors, codenamed “Milan”, until they are de-allocated and you create a new VM in its place.

New planned datacenter region in Finland (Finland Central)

Microsoft will establish a new datacenter region in the country, offering Finnish organizations local data residency and faster access to the cloud, delivering advanced data security and cloud solutions. The new datacenter region will also include availability zones, providing you with high availability and additional tolerance to datacenter failures.

Networking

Inbound NAT rule now supports port management for backend pools

Standard Load Balancer inbound NAT rule now supports specifying a range of ports for the backend instances. Previously, to enable port forwarding, an inbound NAT rule needed to be created for every instance in Load Balancer’s backend pool. This became complex to manage at scale and resulted in management overhead. The addition of port management for backend pool to inbound NAT rules allows you to specify a range of frontend ports pre-allocated for a specific backend pool to enable port forwarding. Upon scaling, Standard Load Balancer will automatically create port mapping from an available frontend port of the specified range to the specified backend port of the new instance. This capability applies to all types of backend pools composed of Virtual Machines, Virtual Machines Scale Sets, or IP addresses across all Azure regions.
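The per-instance rule and its port-range replacement side by side, as an added Azure PowerShell example that is not code from the original announcement. The load balancer, frontend and backend pool names and the port numbers are assumed placeholders, and `-FrontendPortRangeStart`, `-FrontendPortRangeEnd` and `-BackendAddressPool` are the parameters the Az.Network module exposes for this feature (they are absent from versions that predate it).

```powershell
# Added example (not from the original post): replace per-instance inbound NAT rules with a
# single rule that maps a frontend port range onto a backend pool.
# Names and ports are placeholders (assumed); the load balancer, frontend and pool already exist.
$ResourceGroup = 'rg-lb-demo'
$LbName        = 'lb-web'

$Lb       = Get-AzLoadBalancer -ResourceGroupName $ResourceGroup -Name $LbName
$Frontend = Get-AzLoadBalancerFrontendIpConfig -LoadBalancer $Lb -Name 'fe-public'
$Pool     = Get-AzLoadBalancerBackendAddressPoolConfig -LoadBalancer $Lb -Name 'pool-web'

# Previous approach: one rule per instance, each bound to a NIC by hand and therefore
# re-created on every scale-out and left dangling on every scale-in.
#   Add-AzLoadBalancerInboundNatRuleConfig -LoadBalancer $Lb -Name 'ssh-vm01' -Protocol Tcp `
#       -FrontendIpConfiguration $Frontend -FrontendPort 50001 -BackendPort 22
#   Add-AzLoadBalancerInboundNatRuleConfig -LoadBalancer $Lb -Name 'ssh-vm02' -Protocol Tcp `
#       -FrontendIpConfiguration $Frontend -FrontendPort 50002 -BackendPort 22
#   ... one more per VM

# New approach: reserve a frontend range for the whole pool. The Standard Load Balancer hands a
# free port from the range to each instance as the pool grows or shrinks. Size the range for the
# maximum instance count you expect (100 ports here for a pool that scales to 100 instances).
$Lb = Add-AzLoadBalancerInboundNatRuleConfig -LoadBalancer $Lb -Name 'ssh-pool-web' `
    -Protocol Tcp -FrontendIpConfiguration $Frontend -BackendAddressPool $Pool `
    -FrontendPortRangeStart 50000 -FrontendPortRangeEnd 50099 -BackendPort 22
Set-AzLoadBalancer -LoadBalancer $Lb

# Check: the rule now references the pool rather than individual IP configurations.
$Rule = Get-AzLoadBalancerInboundNatRuleConfig -LoadBalancer $Lb -Name 'ssh-pool-web'
if ($Rule.FrontendPortRangeStart -ne 50000 -or $Rule.FrontendPortRangeEnd -ne 50099) {
    throw 'Port range was not applied to the inbound NAT rule'
}
```

A range rule does not change what is exposed: every port in 50000-50099 on the public frontend forwards to port 22 of some instance, so the network security group on the subnet or NICs should still limit the source addresses allowed to reach that destination port, and the mapping the load balancer assigns to each instance can be read from the backend pool in the portal when you need to know which frontend port reaches which VM.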

Five Azure classic networking services will be retired on 31 August 2024

Azure Cloud Services (classic) will be retired on 31 August 2024. Because classic Azure Virtual Network, reserved IP addresses, Azure ExpressRoute gateway, Azure Application Gateway, and Azure VPN Gateway are dependent on Azure Cloud Services (classic), they’ll be retired on the same date. Before that date, you’ll need to migrate any resources that use these classic networking services to the Azure Resource Manager deployment model.

Azure Stack

Azure Stack Edge

General Availability of Azure Stack Edge Pro 2

Microsoft has announced the general availability of its Azure Stack Edge Pro 2 solution, a new generation of an AI-enabled edge computing device offered as a service from Microsoft. The Azure Stack Edge Pro 2 offers the following benefits over its precursor, the Azure Stack Edge Pro series:

  • This series offers multiple models that closely align with your compute, storage, and memory needs. Depending on the model you choose, the compute acceleration could be via one or two Graphical Processing Units (GPU) on the device.
  • This series has flexible form factors with multiple mounting options. These devices can be rack mounted, mounted on a wall, or even placed on a shelf in your office.
  • These devices have low acoustic emissions and meet the requirements for noise levels in an office environment.

Azure Stack Hub

Azure Kubernetes Service on Azure Stack Hub (preview)

With Azure Stack Hub’s 2108 update, you can preview Azure Kubernetes Service on Azure Stack Hub. The same service that’s currently found in Azure is available in Azure Stack Hub. Manage Kubernetes clusters in the same way you currently do in Azure and utilize a familiar user experience, CLI, and API.

IoT Hub on Azure Stack Hub public preview will be retired on 30 September 2022

On 30 September 2022, the public preview version of IoT Hub on Azure Stack Hub will be retired. Before that date, we recommend you migrate to Azure IoT Edge gateway. Azure IoT Edge gateway is integrated with Azure IoT Hub running in Azure and provides an end-to-end IoT experience with comprehensive diagnostics capabilities. An Azure IoT Edge gateway can be deployed on an Azure Stack Hub Virtual Machine. Alternatively, you can host a VM on another physical hardware of your choice.

Azure Container Registry on Azure Stack Hub (preview)

With Azure Stack Hub’s 2108 update, you can preview Azure Container Registry on Azure Stack Hub. This service uses private container registries on Azure Stack Hub to store and retrieve OCI-compliant images to support both connected and disconnected scenarios for Azure Kubernetes Service (AKS), AKS engine, and other container orchestrator engines.

How to accelerate the application modernization process with Azure

Many companies undertake a digital transformation process centered on the public cloud with the aim of increasing innovation, agility and operational efficiency. As part of this path, application modernization is fast becoming a milestone that brings important benefits. This article explores how it is possible to undertake and accelerate the application modernization process with the solutions available in Microsoft Azure, and which opportunities can be seized.

Microsoft Azure offers the flexibility to choose from a wide range of options to host your applications, covering the spectrum of Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), Container-as-a-Service (CaaS) and serverless.

The tendency to develop modern applications that require microservices-based architectures makes containers the ideal solution for deploying software efficiently and operating at scale. In addition to consistent, reliable and repeatable deployments in all environments, containers make it possible to use the infrastructure better and to standardize management practices.

Furthermore, customers increasingly use containers even for applications that were not specifically designed for microservices-based architectures. In these cases, it is possible to implement a migration strategy for existing applications that involves only minimal changes to the application code or to its configuration: the changes strictly necessary to optimize the application so that it can be hosted on PaaS and CaaS solutions.

This migration technique is usually used when:

  • You want to leverage an existing code base
  • Code portability is important
  • The application can be easily packaged to run in an Azure environment
  • The application must be more scalable and there must be the ability to be deployed faster
  • We want to promote business agility through continuous innovation by adopting DevOps techniques

Repackage application with Azure Migrate: App Containerization

To facilitate this migration process you can use the Azure Migrate solution, which includes many tools and features, among them the App Containerization tool. This tool offers a "point-and-containerize" approach to "repackage" applications as containers, making minimal changes to the code only where necessary. The tool currently supports containerization of ASP.NET applications and of Java web applications running on Apache Tomcat.

Figure 1 – Application modernization capabilities by adopting Azure Migrate: App Containerization

The App Containerization tool allows you to perform the following activities:

  • Remotely connect to application servers to discover applications and their configurations.
  • Parameterize configurations and application dependencies, such as database connection strings, to enable consistent and repeatable deployments.
  • Outsource any static content and states stored on the file system, moving them to persistent storage.
  • Create and publish container images using Azure Container Registry.
  • Customize and reuse the artifacts generated by the tool, such as Dockerfiles, container images and Kubernetes resource definition files. This allows you to integrate them directly into your continuous integration and continuous delivery (CI/CD) pipeline.

Furthermore, Azure Migrate: App Containerization provides for the use of Azure Key Vault to manage secrets and for automatic integration with Azure Application Insights to monitor Java applications.

Azure App Service vs Azure Kubernetes Service (AKS): which one to choose?

App Containerization allows you to migrate containerized applications using Azure App Service or Azure Kubernetes Service (AKS). The following paragraphs contain some considerations for evaluating which service is best suited to host your applications.

Azure App Service: Azure Web App for Containers

For web-based workloads, containers can be run on Azure App Service, the Azure web hosting platform, using the Azure Web App for Containers service, with the advantage of exploiting the deployment methods, scalability and monitoring built into the solution.

The automation and management of a large number of containers, and of the ways in which they interact with each other, is known as orchestration. When there is a need to orchestrate many containers, it is therefore necessary to adopt more sophisticated solutions such as Azure Kubernetes Service (AKS).

Azure Kubernetes Service (AKS)

Azure Kubernetes Service (AKS) is the fully managed Azure service that allows you to run a Kubernetes cluster.

Kubernetes, also known as "k8s", provides automated orchestration of containers, improving their reliability and reducing the time and resources required for DevOps activities. Kubernetes simplifies deployments by automating rollouts and rollbacks. Furthermore, it improves application management and monitors the state of services to avoid errors during deployment. Among its various functions there are service health checks, with the ability to restart containers that are not running or that are hung, and to advertise to clients only the services that have started correctly. Kubernetes also scales automatically based on usage and, exactly like containers, lets you manage the cluster environment declaratively, allowing version-controlled and easily reproducible configuration.

Figure 2 - Example of microservices architecture based on Azure Kubernetes Service (AKS)

Next step: innovate using modern application solutions

The migration technique described in the previous paragraphs is often also the first step toward a further modernization of the application that involves a redesign. In fact, the next step is to modify or extend the architecture and code base of the existing application, optimizing it for the cloud platform. When integrating modern application platforms into your cloud adoption strategy, innovation is not limited to containers: this integration also brings the adoption of hybrid and multicloud strategies.

Figure 3 – Innovation given by modern application platforms

Conclusions

There is a clear and growing trend toward modernizing applications to obtain greater flexibility, a smaller infrastructure footprint and the benefits of the innovation offered by the cloud. This modernization does not necessarily have to start with rebuilding the application from scratch using cloud-native technologies; it can happen gradually. Thanks to the App Containerization tool of Azure Migrate it is possible to start the modernization path with a simple approach that lets you quickly benefit from the potential offered by cloud solutions. Furthermore, knowing that Azure provides different infrastructure solutions to host modern applications facilitates the application modernization journey.

Azure IaaS and Azure Stack: announcements and updates (March 2022 – Weeks: 09 and 10)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure Stack

Azure Stack Edge

Azure Stack Edge Pro 2

Azure Stack Edge Pro 2 is a new generation of an AI-enabled edge computing device offered as a service from Microsoft. The Azure Stack Edge Pro 2 offers the following benefits over its precursor, the Azure Stack Edge Pro series:

  • This series offers multiple models that closely align with your compute, storage, and memory needs. Depending on the model you choose, the compute acceleration could be via one or two Graphical Processing Units (GPU) on the device.
  • This series has flexible form factors with multiple mounting options. These devices can be rack mounted, mounted on a wall, or even placed on a shelf in your office.
  • These devices have low acoustic emissions and meet the requirements for noise levels in an office environment.

The Pro 2 series is designed for deployment in edge locations such as retail, telecommunications, manufacturing, or even healthcare. Here are the various scenarios where Azure Stack Edge Pro 2 can be used for rapid Machine Learning (ML) inferencing at the edge and preprocessing data before sending it to Azure:

  • Inference with Azure Machine Learning: you can run ML models to get quick results that can be acted on before the data is sent to the cloud.

  • Preprocess data: transform data before sending it to Azure via compute options such as containerized workloads and Virtual Machines to create a more actionable dataset.

  • Transfer data over network to Azure: use this solution to easily and quickly transfer data to Azure to enable further compute and analytics or for archival purposes.