Category Archives: Datacenter Management

Azure Management services: what's new in January 2022

The new year started with several announcements from Microsoft regarding news related to Azure management services. The monthly release of this summary allows you to have an overall overview of the main news of the month, in order to stay up to date on these topics and have the necessary references to conduct further exploration.

The following diagram shows the different areas related to management, which are covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.

Figure 1 – Management services in Azure overview

Monitor

Azure Monitor

News regarding Azure Monitor alerts

The following changes have been introduced in Azure Monitor regarding alerts:

Frequency of 1 minute for alert logs. Alert logs allow users to use a Log Analytics query to evaluate, with a set frequency, resource logs and activate an alert based on the results obtained. Rules can trigger one or more actions using Action Groups. Now you have the ability to evaluate the alert query every minute, thus reducing the overall time for activating an alert log. By adopting this frequency of evaluation it should be taken into account that it also has an impact on the costs of Azure Monitor.
New way of creating alert rules: the experience of creating an alert rule has been transformed from an articulated process into a simple and intuitive wizard.

New agent: support for Private Links

The new Azure Monitor agent introduced support for network configurations via private link. This configuration allows you to operate in restricted environments that require special network requirements and a high degree of isolation.

New version of the agent for Linux systems

A new version of the Log Analytics agent has been released this month for Linux systems thanks to which several improvements and greater stability are introduced.

Govern

Azure Cost Management

Improvements in Azure Advisor recommendations for virtual machines

Azure has improved the Azure Advisor recommendation named “Shutdown/Resize your virtual machines”. This recommendation offers customers the opportunity to save costs by targeting virtual machines that are not being used efficiently.

Among the main improvements we have made are:

Resizing of series between different SKUs: up to this new version, the sizing recommendations provided by Azure Advisor were mostly within the same SKU family. This means if you were using a D3 v2 inefficiently, a D2 v2 or a D1 v2 was recommended, or a smaller SKU but within the same family. Now the recommendations take into account, to increase savings, the ability to move to different families by using SKUs that adapt perfectly to the workload based on the data collected.
Adoption of new versions of SKU families: in general, newer versions of SKU families are more optimized, offer more features and a better performance / cost ratio than previous versions. If the workload is found to be running on an older version and can achieve cost benefits without impacting performance on a newer version, is reported by Azure Advisor.
Improvements on the quality of reports: Microsoft received feedback that some recommendations were not feasible as they did not take certain criteria into account. In order to improve the quality of the recommendations, they are now generated taking into account even more characteristics, such as accelerated network support, support for premium storage, availability in a region, inclusion in an availability set, etc. . Furthermore, to increase the quality, the robustness and applicability of the recommendations the entire recommendation engine has been completely revamped to base it on new automatic and cutting-edge machine learning algorithms.

Multitasking in cost analysis (preview)

Azure Cost Management introduces a new cost analysis experience that allows you to do them more effectively. The preview includes a new tabbed experience to simplify analysis. Starting with an integrated view list, you can open multiple tabs to explore different cost aspects at the same time.

Updates related toAzure Cost Management and Billing

Microsoft is constantly looking for new methodologies to improve Azure Cost Management and Billing, the solution to provide greater visibility into where costs are accumulating in the cloud, identify and prevent incorrect spending patterns and optimize costs . Inthis article some of the latest improvements and updates regarding this solution are reported.

Secure

Microsoft Defender for Cloud

New features, bug fixes and deprecated features of Microsoft Defender for Cloud

Microsoft Defender for Cloud development is constantly evolving and improvements are being made on an ongoing basis. To stay up to date on the latest developments, Microsoft updates this page, this provides information about new features, bug fixes and deprecated features. In particular, this month the main news concern:

Microsoft Defender for Resource Manager has been updated with new alerts and a greater emphasis has been introduced on high-risk operations mapped to MITER ATT&CK® Matrix
Introduced recommendations for enabling Microsoft Defender plans on workspaces (preview)
Automatic provisioning of the Log Analytics agent on Azure Arc-enabled machines (preview)

Protect

Azure Backup

Changes in security settings

Azure Backup recently released the following changes regarding security settings for workloads protected by Microsoft Azure Recovery Service Agent, Azure Backup Server, or System Center Data Protection Manager:

Integration with MUA (Multi-user authorization): the operation of “disabling safety functions” is now defined as a critical operation that can be protected by a Resource Guard.
To provide protection against accidental or harmful elimination, it is no longer possible to unregister a protected server if the security features are enabled for the vault and there are associated backup items, in active or soft delete state.
Customers will not have to incur any costs for backup data kept in the soft delete state.
The backup policy is not applied to data kept in the soft delete state and therefore no data is deleted for 14 days.

Azure Site Recovery

Support for Azure Policy

Microsoft has introduced the ability to use Azure Policies to enable Azure Site Recovery for virtual machines (VM) on a large scale, thus allowing you to more easily and quickly adhere to organizational standards. After creating a Disaster Recovery policy for a specific subscription or for a specific resource group, all new virtual machines added to that subscription or to the resource group will have Azure Site Recovery enabled automatically. The policy in question is called "Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery“. In addition to enabling replication for large-scale virtual machines, the Policies make it possible to maintain control over the achievement of organizational standards. In fact,, compliance with policies can be monitored and, if virtual machines are found to be non-compliant, you can create a remediation activity to make the subscription or resource group compliant with the 100%.

Support for Managed Disk of Zone Redundant Storage type (ZRS)

Azure Site Recovery (ASR) introduced support for ZRS type managed disks. Therefore, ASR now allows you to protect virtual machines that take advantage of ZRS managed disks, replicating them in a secondary region of your choice. ASR identifies the source disks as ZRS managed disks and creates equivalent ZRS managed disks in the secondary region. If there is an outage in a region and it is necessary to fail over to the secondary region, ASR will activate the virtual machines in the secondary region with ZRS managed disks, ensuring the same level of resilience.

Migrate

Azure Migrate

New Azure Migrate releases and features

Azure Migrate is the service in Azure that includes a large portfolio of tools that you can use, through a guided experience, to address effectively the most common migration scenarios. To stay up-to-date on the latest developments in the solution, please consult this page, that provides information about new releases and features.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure IaaS and Azure Stack: announcements and updates (January 2022 – Weeks: 01 and 02)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Price reductions for Azure confidential computing

Microsoft is announcing a price reduction on the DCsv2 and DCsv3-series VMs by up to 33%. The price reduction enables the data protection benefits of ACC with no premium compared to general purpose VMs on a per physical core basis. New prices took effect on 1/1/2022. If you are already using DCsv2 and DCsv3-series VMs prior to 1/1/2022, you will see the price reduction in your next bill.

Storage

Azure Ultra Disk Storage is available in West US 3

Azure Ultra Disk Storage is now available in West US 3. Azure Ultra Disks offer high throughput, high IOPS, and consistent low latency disk storage for Azure virtual machines (VMs). Ultra Disks are suited for data-intensive workloads such as SAP HANA, top tier databases, and transaction-heavy workloads.

Networking

Multiple custom BGP APIPA addresses for active VPN gateways

All SKUs of active-active VPN gateways now support multiple custom BGP APIPA addresses for each instance. Automatic Private IP Addressing (APIPA) addresses are commonly used as the BGP IP addresses for VPN connectivity. In addition to many on-premises VPN devices requiring multiple custom APIPA addresses for BGP, this feature enables BGP connections to Amazon Web Services (AWS) and other cloud providers.

Load Balancer SKU upgrade through PowerShell script

You can now upgrade your Azure Load Balancer from Basic SKU to Standard SKU by using a PowerShell script. By upgrading to Standard SKU, the Load Balancer enables the network layer traffic to drive higher performance and stronger resiliency, along with an improved integration experience with other Azure services. The PowerShell script creates the Standard SKU Load Balancer with the same configurations as the Basic Load Balancer. In addition, the script migrates the backend resources to the Standard Load Balancer for you.

Azure Traffic Manager: additional IP addresses for endpoint monitoring service

Traffic Manager uses a probing mechanism to evaluate your application endpoints. To enhance the capacity of our probing plane, Microsoft will be increasing the number of probes deployed within Traffic Manager’s endpoint monitoring service over the next few years to continue to mitigate the large amount of growth. Your applications will see an increase in number of health probes and some of these probes may originate from new IP addresses. These changes will start to go live on 21st January 2022 at 20:00 UTC.

Recommended action: if you use a network access control mechanism (e.g., Azure Firewall or Network Security Groups) and are not using Service Tags (AzureTrafficManager), please continue checking this updated list of IP addresses each Wednesday, until further notice, to ensure you allow incoming traffic from these new IP addresses. Failure to do so may cause some Traffic Manager health probes for the application endpoints to fail and may result in misrouting of traffic. No action is required access control isn’t used or network access control is utilized with AzureTrafficManager service tags.

Azure Networking: how to extend an on-premises network to Azure with private connectivity

When you decide to undertake a strategy based on a hybrid cloud, that combines on-premises IT resources with public cloud resources and services, it is advisable to carefully consider how to connect your local network with the virtual networks present in the public cloud. In Azure one option is to use ExpressRoute, a private and dedicated connection that takes place through a third-party connectivity provider. This article describes possible network architectures with ExpressRoute, together with a series of precautions to be taken into consideration for a successful deployment.

Very often a Site-to-site VPN is used to establish connectivity between the on-premise resources and the resources in Azure environment attested on the Virtual Networks. This type of connectivity is ideal for the following use cases:

Development environments, test, laboratories, but also production workloads where the resources located in the Azure environment do not use the connectivity to the on-premises environment intensively and strategically and vice versa.
When you have an acceptable tolerance for bandwidth and speed in the hybrid connection.

There are some use cases, however, where ExpressRoute should be configured, according to Microsoft best practices, to ensure bidirectional connectivity between the on-premise network and virtual networks (vNet) of Azure of the customer. In fact,, ExpressRoute is suitable for the following use cases:

If high speed requirements are to be met, connection with low latency and high availability / resilience.
In the presence of mission-critical workloads that use hybrid connectivity.

What is ExpressRoute?

Thanks to ExpressRoute it is possible to activate a dedicated private connection, provided by a third party connectivity provider, to extend the on-premises network to Azure. ExpressRoute connections do not go through the public internet. In this way they can offer a higher level of security, greater reliability, faster speeds and consistent latencies than traditional internet connections.

Figure 1 - ExpressRoute logic diagram

ExpressRoute connections enable access to the following services:

Microsoft Azure services (scenario covered in this article).
Services of Microsoft 365. Microsoft 365 it has been designed to be accessed securely and reliably over the Internet. For this reason it is recommended that you use ExpressRoute with Microsoft 365 only in certain scenarios, as described in this Microsoft article.

It is possible to create an ExpressRoute connection between the local network and the Microsoft cloud via four different modes:

Figure 2 - ExpressRoute connectivity models

Connectivity providers can offer one or more connectivity models and you can choose the most appropriate model for your connectivity needs.

Reference architectures

The following reference architecture shows how you can connect your on-premises network to virtual networks in Azure, using Azure ExpressRoute.

Figure 3 - Reference architecture to extend a local network with ExpressRoute

The architecture will consist of the following components.

On-premises corporate network (“On-premises network” in the schema). This is the Customer's private local network.
Local Edge Routers. These are the routers that connect the local network to the circuit managed by the provider.
ExpressRoute Circuit. It is a circuit layer 2 or layer 3, provided by the connectivity provider, which joins the local network to Azure via edge router. The circuit uses the hardware infrastructure managed by the connectivity provider.
Edge router Microsoft. These are routers in an active-active high availability configuration. These routers allow the connectivity provider to connect their circuits directly to the data center.
Virtual network gateway (ExpressRoute). The ExpressRoute virtual network gateway enables the virtual network (VNet) Azure to connect to the ExpressRoute circuit used for connectivity with the local network.
Azure virtual networks (VNet). Virtual networks residing in an Azure region.

In the architecture described above, ExpressRoute will be used as the primary connectivity channel to connect the on-premises network to Azure.

Furthermore, it is possible to use a site-to-site VPN connection as a source of backup connectivity to improve connectivity resilience. In this case, the reference architecture will be the following:

Figure 4 - Reference architecture to use both ExpressRoute and a site-to-site VPN connection

In this scenario they are expected, in addition to the architectural components described above, the following components:

Appliance VPN on-premises. A device or service that provides external connectivity to the local network. The VPN appliance can be a hardware device or a supported software solution for connecting to Azure.
Virtual network gateway (VPN). The VPN virtual network gateway allows the virtual network to connect to the VPN appliance present in the local network.
VPN connection. The connection has properties that specify the type of connection (IPSec) and the key shared with the local VPN appliance to encrypt the traffic.

How to monitor ExpressRoute

To allow you to monitor network resources in the presence of ExpressRoute connectivity, you can use the Azure Monitor platform tool, through which you can check availability, performance, the use and operation of this connectivity.

A screenshot of the solution is shown as an example.

Figure 5 – ExpressRoute circuit monitor via Azure Monitor

This solution will provide a detailed topology mapping of all ExpressRoute components (peering, connections, gateway) in relation to each other. The detailed network information for ExpressRoute will include a dashboard through which the metrics can be consulted, the actual speed, any drop of network packets and gateway metrics.

As an example, a dashboard screen showing the total throughput of inbound and outbound traffic for the ExpressRoute circuit is shown (expressed in bits / second). Furthermore, you can view the throughput for individual connections.

Figure 6 - Metrics relating to the Throughput of ExpressRoute connections

For more details you can refer to the Microsoft official documentation on how to make the ExpressRoute monitor.

Security Considerations

Microsoft in the security baselines for ExpressRoute, refer to the Azure Security Benchmark version 1.0, the Azure-specific set of guidelines created by Microsoft, provides several indications that are recommended to be followed. Among the main ones that should be adopted we find:

Definition and implementation of standard security configurations for Azure ExpressRoute using Azure Policy.
Use of tags for Azure ExpressRoute components in order to provide metadata and a logical and structured organization of resources.
Locking to prevent accidental deletion or unwanted modification of Azure components related to ExpressRoute configuration.
Using Azure Platform Tools to Monitor Network Resource Configurations and Detect Network Resource Changes of ExpressRoute Connections. Creating Alerts in Azure Monitor to be generated when changes are made to critical resources.
Configure centralized collection of Activity Logs for ExpressRoute components.

Conclusions

ExpressRoute offers a fast and reliable connection to Azure with bandwidths that can reach up to 100 Gbps. It is therefore an ideal option for specific scenarios such as periodic data migration, replication for business continuity purposes, the disaster recovery, and the activation of high availability strategies. Thanks to ExpressRoute's fast speed and low latency times, Azure will feel like a natural extension of your data centers. In this way, it is possible to take advantage of the scalability and innovation of the public cloud without compromising in terms of network performance.

Azure IaaS and Azure Stack: announcements and updates (December 2021 – Weeks: 51 and 52)

In the past two weeks, Microsoft hasn’t made any major announcements regarding these topics. However, here are some links to interesting videos made by John Savill, Principal Cloud Solution Architect at Microsoft:

I take this opportunity to wish you happy holidays and happy New Year!

Azure Management services: what's new in December 2021

In December, Microsoft announced news regarding Azure management services. Thanks to the release of this summary, which occurs on a monthly basis, we want to provide an overall overview of the main news of the month, in order to stay up to date on these topics and have the necessary references to conduct further exploration.

Monitor

Azure Monitor

Audit Logs for Azure Monitor queries

Azure Monitor allows you to collect data from the entire ecosystem, including telemetry data at the application and operating system level, security log, network log, diagnostic logs from Azure resources and custom logs. All these data can be queried with the powerful KQL language, useful for obtaining detailed information and making correlations. Microsoft has included the ability to control Azure Monitor queries. In fact,, by enabling this functionality through the Azure diagnostic mechanism, you can collect telemetry data about who ran a query, when it was performed, which tool was used to run the query, the text of the query and performance statistics relating to the execution of the query. This telemetry, like any other Azure Diagnostic-based telemetry, can be sent to an Azure Storage Blob, to an Azure Event Hub, or in the Azure Monitor logs.

Govern

Azure Cost Management

Updates related toAzure Cost Management and Billing

Secure

Microsoft Defender for Cloud

Microsoft Defender for Containers adds new features for Kubernetes (preview)

Microsoft Defender for Containers, is a new offering that combines the functionality of Azure Defender for Kubernetes and Azure Defender for Container registries, adding several new features related to Kubernetes on Azure:

AKS Profile: onboarding and maintenance as an AKS profile, so as to no longer have a dependency on the Log Analytics agent.
Multi cloud support: multi cloud support for AKS, Amazon EKS, Kubernetes on-prem / IaaS (GCP will be added in the future).
Visibility of vulnerabilities: a new recommendation monitors Kubernetes clusters and shows a list of running images with any vulnerabilities, based on evaluation scans provided by Qualys. This allows you to focus on the most critical vulnerabilities that expose runtime environments to security threats and attacks.
Advanced Threat Protection: Kubernetes compatible AI analysis and anomaly detection.
Improved ACR vulnerability assessment: the Azure Container Registry Vulnerability Assessment Recommendation (ACR) has been improved by adding runtime information to image scan results. This allows for the assignment of priorities and to apply filters based on the distribution status of the image.
Continuous scanning of images: in addition to periodic scanning of Azure Container Registry images (ACR) over the past 30 days, continuous image scanning periodically scans ACR images running on Kubernetes clusters.

New features, bug fixes and deprecated features of Microsoft Defender for Cloud

Migrate

Azure Migrate

New Azure Migrate releases and features

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

The security of AWS environments with Microsoft Defender for Cloud

Microsoft Defender for Cloud, previously known as Azure Security Center and Azure Defender, is a solution of Cloud Security Posture Management (CSPM) and for the protection of workloads, able to identify security weaknesses in cloud configurations, strengthen the overall security posture of the environment and protect workloads in hybrid and multi-cloud environments. For those who are adopting a multi-cloud strategy and who need high security standards for their environment, it is important to know that Microsoft Defender for Cloud can also include resources present in Amazon Web Services (AWS) and Google Cloud Platform (GCP). This article describes how to secure AWS environments using Microsoft Defender for Cloud.

The pillars of security covered by Microsoft Defender for Cloud

The capabilities of Microsoft Defender for Cloud are capable of contemplating two great pillars of cloud security:

Cloud Security Posture Management (CSPM) capable of providing the following features:
- Visibility: to assess the current security situation.
- Hardening Guide: to be able to improve security efficiently and effectively

Thanks to a continuous assessment, Defender for Cloud is able to continuously discover new resources that are distributed and evaluate if they are configured according to security best practices. If not,, assets are flagged and you get a priority list of recommendations on what to fix to improve their security. This list of recommendations is taken and supported by Azure Security Benchmark, the Azure-specific set of guidelines created by Microsoft, this contains security and compliance best practices based on common frameworks, with a focus on cloud-centric security. This benchmark may cover the controls of theCenter for Internet Security (CIS) and theNational Institute of Standards and Technology (NIST).

Defender for Cloud assigns a global score to the ambient environment, defined Secure Score, which allows you to evaluate the risk profile (the higher the score, the lower the level of risk identified) and to take action to take remediation actions.

Cloud workload protection (CWP): Defender for Cloud delivers security alerts based on Microsoft Threat Intelligence. Furthermore, includes a wide range of advanced and intelligent protections for workloads, provided through specific Microsoft Defender plans for the different types of resources present in the subscriptions and in hybrid and multi-cloud environments.

Defender for Cloud therefore allows you to meet the following three needs, considered essential when managing the security of resources and workloads residing in the cloud and locally:

Figure 1 - Security needs covered by Microsoft Defender for Cloud

AWS resource protection

To protect resources on other public clouds with this solution, there has been a mechanism for some time now that involves the use of interfacing connectors with AWS and GCP accounts. The onboarding process of your AWS account was based on the integration of the solution AWS Security Hub, as detailed in this article.

Now a new native mechanism and, through an approach agentless, allows you to connect to AWS environments. This new method of interfacing take advantage of the AWS API and it has no dependence on other solutions, like AWS Security Hub. The onboarding experience is designed to work easily on a large scale, simply by connecting your AWS master account, which allows you to automatically onboard existing and future accounts.

Figure 2 - Connect AWS to Microsoft Defender for Cloud

This mechanism easily extends Defender for Cloud's advanced security capabilities to your AWS resources and includes the following areas.

Figure 3 - Protection plans available

Cloud Security Posture Management (CSPM) for AWS

Defender for Cloud CSPM capabilities are extended to your AWS resources. This agentless plan evaluates AWS resources against AWS specific security recommendations and these are included in the calculation of the global security score. To provide an overall view on the security status of your multi-cloud environments, AWS security recommendations are also integrated into the Defender for Cloud portal, along with Azure recommendations. Have been implemented by Microsoft beyond 160 ready-to-use recommendations for IaaS and PaaS services and three regulatory standards including AWS CIS, AWS PCI DSS e AWS Foundational Security Best Practices. All this allows you to strengthen your security posture while also contemplating AWS resources in the best possible way. Furthermore, you can customize existing models or create new ones that contain your own recommendations and standards to verify compliance with internal requirements.

Figure 4 - Recommendations for AWS integrated in Defender for Cloud

Cloud workload protection (CWP) for AWS

AWS currently provides enhanced security for the following workloads:

Server protection: Microsoft Defender for server offers advanced threat detection and defense for EC2 instances as well, for both Windows and Linux systems. This plan includes the integrated license for Microsoft Defender for Endpoint and several features, including: Security baselines and assessment at the OS level, Vulnerability assessment, Adaptive Application Controls (AAC) and File Integrity Monitoring (FIM).
Container protection: Microsoft Defender for Containers extends container threat detection and advanced defenses of Defender for Kubernetes to Amazon EKS Clusters (Elastic Kubernetes Service). For Defender for Kubernetes to be able to protect AWS EKS clusters, Azure Arc-enabled Kubernetes and Defender extension are required.

Figure 5 – Alerts and recommendations for EKS clusters

Note: For those who have already set up an AWS connector using classic cloud connectors, it is recommended to connect the account again using the new mechanism.

The Cost of the Solution

If you decide to activate this integration, the following information on costs applies:

The CSPM plan is free. To provide recommendations, the CSPM plan queries the AWS resource APIs multiple times a day. These read-only API calls incur no charge, but they are logged in CloudTrail in case you have enabled the trail for reading events. As noted in the AWS documentation, this does not involve additional costs for maintenance. However, it is necessary to be careful and possibly filter these events if data exports are expected (for example to make them flow into an external SIEM).
The Defender for Containers plan will be billed at the same price as the plan Defend for Kubernetes for Azure resources.
For each AWS machine connected to Azure through Azure Arc, the Defender per server plan is billed at the same price as the Microsoft Defender for server plan for Azure machines.

Conclusions

Microsoft Defender for Cloud, originally developed with the claim of being the best tool to protect resources in an Azure environment, extend and refine its capabilities to cover other public clouds as well. In particular, Thanks to the new integration mechanism with AWS, you can natively adopt a CSPM solution and enable threat protection for your computing workloads in Amazon Web Services (AWS). This allows to obtain a high degree of security, to improve security postures in multi-cloud environments and to simplify the management of tools useful for governing security.

Azure IaaS and Azure Stack: announcements and updates (December 2021 – Weeks: 49 and 50)

Azure

Compute

Virtual Machine restore points (preview)

Public preview of VM restore point is available, a new resource that stores VM configuration and a point-in-time snapshot of one or more managed disks attached to a VM. VM restore points supports multi-disk application consistent snapshots and can be leveraged to easily capture backups of your VM and disks. You can easily restore the VM using VM restore points in cases of data loss, corruption, or disasters. Microsoft is also introducing a new Azure Resource Manager (ARM) resource called Restore Point Collection, which will act as a container for all the restore points of a specific VM.

Placement polices for Azure VMware Solution

Placement policies are used to define constraints for running virtual machines in the Azure VMware Solution Software-Defined Data Center (SDDC). These constraints allow the you to decide where and how the virtual machines should run within the SDDC clusters. Placement polices are used to support performance optimization of virtual machines (VMs) through policy, and help mitigate the impact of maintenance operations to policies within the SDDC cluster.

Storage

Secure access to storage account from a virtual network/subnet in any region (preview)

You can secure access to your storage account by enabling a service endpoint for Storage in the subnet and configuring a virtual network rule for that subnet through the Azure storage firewall. You can now configure your storage account to allow access from virtual networks and subnets in any Azure region. By default, service endpoints enable connectivity from a virtual network to a storage account in the same Azure region as the virtual network or it’s paired Azure region. This preview enables you to register your subnet to allow service endpoint connectivity to storage accounts in any Azure region across the globe.

Attribute-based Access Control (ABAC) conditions with principal attributes (preview)

Attribute-based access control (ABAC) is an authorization strategy that defines access levels based on attributes associated with security principals, resources, requests, and the environment. Azure ABAC builds on role-based access control (RBAC) by adding conditions to Azure role assignments expressed as a predicate using these attributes. This update to the preview enables the use of Azure AD custom security attributes for principals in role assignment conditions. You can now use combine principal attributes with resource and request attributes in your condition expressions.

Soft delete for blobs capability for Azure Data Lake Storage

Soft delete for blobs capability for Azure Data Lake Storage is now generally available. This feature protects files and directories from accidental deletes by retaining the deleted data in the system for a specified period of time. During the retention period, you can restore a soft-deleted object, i.e. file or directory, to its state at the time it was deleted. After the retention period has expired, the object is permanently deleted. All soft deleted files and directories are billed at the same rate as active ones until the retention period has expired.

Azure Stack

Azure Stack HCI

Windows Server guest licensing offer for Azure Stack HCI (preview)

To facilitate guest licensing for Azure Stack HCI customers, we are pleased to announce a new offer that brings simplicity and more flexibility for licensing. The new Windows Server subscription for Azure Stack HCI is available in public preview as of December 14, 2021. This offer will allow you to purchase unlimited Windows Server guest licenses for your Azure Stack HCI cluster through your Azure subscription. You can sign up and cancel anytime and preview pricing is $0 until general availability (GA). At GA, the offer will be charged at $23.60 per physical core per month. This offer simplifies billing through an all-in-one place Azure subscription and in some cases will be less expensive for customers than the traditional licensing model.

How to extend Azure management principles to VMware infrastructures with Azure Arc

The trend that is frequently found in different business contexts is to resort to hybrid and multi-cloud strategies for their IT environments. All this allows you to embark on a path of digital innovation with great flexibility and agility. To do this in the best possible way, it is appropriate to adopt technologies that make it possible to create new opportunities and at the same time to manage the challenges inherent in these new paradigms.. Microsoft has designed a specific solution and is called Azure Arc. One of the crucial benefits of Azure Arc is to extend Azure management and governance practices also to different environments and to adopt solutions and techniques that are typically used in the cloud environment also for on-premises environments. This article explores how Microsoft has recently improved the integration process of VMware vSphere infrastructures in Azure Arc and what opportunities can be seized from this innovation.

Why adopt a hybrid strategy?

Among the main reasons that lead customers to adopt a hybrid strategy we find:

Workloads that cannot be moved to the public cloud due to regulatory and data sovereignty requirements. This is usually common in highly regulated industries such as financial services, healthcare and government environments.
Some workloads, especially those residing in the edges, require low latencies.
Many companies have made significant investments in the on-premises environment that they want to maximize, therefore the choice falls on modernizing the traditional applications that reside on-premises and the solutions adopted.
Ensure greater resilience.

What questions to ask to better leverage and manage hybrid and multi-cloud environments?

In situations where a hybrid or multi-cloud strategy is being adopted, the key questions you should ask yourself to reap the greatest benefits are:

How can I view, govern and protect IT assets, regardless of where they are running?
There is the possibility of bringing cloud innovation to existing infrastructure as well?
How you can modernize local datacenters by adopting new cloud solutions?
How to extend processing and artificial intelligence to the edge to unlock new business scenarios?

The answer to all these questions can be… “by adopting Azure Arc!".

Figure 1 – Azure Arc overview

There are many customers who have VMware-based infrastructure and are using Azure services at the same time. Azure Arc extends the possibilities offered in governance and management by Azure also to virtual machines in VMware environments. To further improve this experience of control and management of these resources, a deep integration between Azure Arc and VMware vSphere has been introduced.

Azure Arc-enabled VMware vSphere: how does it work?

Azure Arc-enabled VMware vSphere is a new Azure Arc feature designed for customers with on-premises VMware vSphere environments or those who adopt Azure VMware Solution.

This direct integration of Azure Arc with VMware vSphere requires you to activate a virtual appliance called "Arc bridge". This resource allows you to establish the connection between the VMware vCenter server and the Azure Arc environment.

Thanks to this integration it is possible to onboard in Azure some or all of the vSphere resources managed by your vCenter server such as: resource pool, cluster, host, datastore, network, existing templates and virtual machines.

Figure 2 - VMware vCenter from the Azure portal

Once the onboarding phase is over, new usage scenarios open up that allow you to take advantage of the benefits reported in the following paragraph.

Benefits of Azure Arc-enabled VMware vSphere

Thanks to this new integration it is possible to obtain the following benefits:

Run the provisioning of new virtual machines in VMware environments from Azure. The distribution of virtual machines on VMware vSphere can be done from the portal or using ARM templates. The possibility of being able to describe the infrastructure, through Infrastructure as Code processes, consistently across Azure and on-premises environments is very important. In fact,, adopting ARM template, DevOps teams can use CI / CD pipelines to provision systems or to update VMware virtual machines in context with other application updates.

Figure 3 - Provisioning of a VMware VM from the Azure portal

Make ordinary maintenance operations on virtual machines directly from the Azure portal such as: stop, start, reboot, resizing, adding or updating disks and managing network cards.
Guarantee a self-service access to vSphere resources via Azure Arc. For administrators managing vSphere environments, this means they can easily delegate self-service access to VMware resources, governing and ensuring compliance through advanced controls of Azure governance and Azure RBAC. In fact,, it is possible to assign granular authorizations on computational resources, storage, network and templates.
Provide a inventory of virtual machines in distributed vSphere environments.
Run and manage on a large scale the’onboarding of vSphere environments in Azure management services such as Azure Monitor Log Analytics and Azure Policy Guest Configuration. This enabling allows you to orchestrate the installation of the specific Azure Arc agent (Connected Machine agent) directly from Azure.
Keep changes made directly through vCenter synchronized in Azure, thanks to automatic detection features.

Conclusions

Thanks to this new advanced integration, customers can have the flexibility to innovate, even using their existing VMware environment. Furthermore, through this approach it is possible to have an effective control mechanism to manage and govern all IT resources in a coherent way.

Azure IaaS and Azure Stack: announcements and updates (December 2021 – Weeks: 47 and 48)

Azure

Compute

West Central US: Microsoft expands cloud services with two new datacenters in Wyoming

Microsoft is announcing the launch of two new Microsoft datacenters in Cheyenne – Wyoming, one in Cheyenne Business Parkway and another in Bison Business Park, enabling to expand and support the growth and demand for digital services in West Central US datacenter region. Cheyenne has been home to Microsoft’s cloud infrastructure services since 2012 and this expansion will enable us to continue providing services to current and new customers.

New Azure Virtual Machines DCasv5 and ECasv5-series (preview)

Azure DCasv5/ECasv5 confidential virtual machines (VMs) powered by 3rd Gen AMD EPYC™ processors with SEV-SNP are available in preview.

SQL Server IaaS Agent extension for Linux SQL VMs

Microsoft is making the capabilities of SQL Server IaaS Agent extension available to Linux platforms, starting with Ubuntu with plans for other distributions in time.

If you are already running SQL Server on Azure using an Ubuntu Linux Virtual Machine, the SQL Server IaaS Agent extension now enables you to leverage integration with the Azure portal and unlocks the following benefits for SQL Server on Linux Azure VMs:

Compliance: The extension offers a simplified method to fulfill the requirement of notifying Microsoft that the Azure Hybrid Benefit has been enabled as is specified in the product terms. This process negates needing to manage licensing registration forms for each resource.
Simplified license management: The extension simplifies SQL Server license management, and allows you to quickly identify SQL Server VMs with the Azure Hybrid Benefit enabled using the Azure portal, Azure PowerShell, or the Azure CLI.

IaaS Agent extension full mode no restart for SQL VMs

You can now enable the full mode of SQL Server IaaS Agent extension with no restart, giving you access to more manageability features for SQL Server on Azure Virtual Machines without interruption to your workloads. Previously, you had to restart the SQL Server services to enable these features. The full mode of SQL Server IaaS Agent extension unlocks many benefits such as Automated Backup, Automated Patching, Storage Optimization, and more, along with license management that comes with lightweight mode.

Storage

Azure File Sync: new agent released

The Azure File Sync agent v14.1 is available. Issue that is fixed in the v14.1 release:

Tiered files deleted on Windows Server 2022 are not detected by cloud tiering filter driver. This issue can also impact Windows 2016 and Windows Server 2019 if a tiered file is deleted using the FILE_DISPOSITION_INFORMATION_EX class.

To obtain and install this update, configure your Azure File Sync agent to automatically update when a new version becomes available or manually download the update from the Microsoft Update Catalog.

More information about this release:

This release is available for Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 and Windows Server 2022 installations.
A restart is required for servers that have an existing Azure File Sync agent installation if the agent version is less than version 12.0.
The agent version for this release is 14.1.0.0.
Installation instructions are documented in KB5001873.

Azure NetApp Files application volume group for SAP HANA (preview)

Application volume group (AVG) for SAP HANA enables you to deploy all volumes required to install and operate an SAP HANA database according to best practices in a single one-step and optimized workflow. The application volume group feature includes the use of proximity placement group (PPG) with VMs to achieve automated, low-latency deployments. Application volume group for SAP HANA has implemented many technical improvements that simplify and standardize the entire process to help you streamline volume deployments for SAP HANA. Instead of creating the SAP HANA volumes (data, log, shared, log-backup, file-backup) individually, the new application volume group for SAP HANA creates these volumes in a single ‘atomic’ operation (GUI, RP, API).

Networking

VPN Gateway NAT

Azure VPN NAT (Network Address Translation) supports overlapping address spaces between your on-premises branch networks and your Azure Virtual Networks. NAT can also enable business-to-business connectivity where address spaces are managed by different organizations and re-numbering networks is not possible. VPN NAT provides support for 1:1 Static NAT and 1-to-many dynamic NAT.

Wildcard listener on Application Gateways

Azure Application Gateway now supports the use of wildcard characters such as asterisk (*) and question mark (?) for hostnames on a multi-site HTTP(S) listener. You can now route requests from multiple host-names such as shop.contoso.com, accounts.contoso.com, pay.contoso.com to the same backend pool through a single listener configured with a wildcard hostname such as *.contoso.com.

Azure Management services: what's new in November 2021

In November, Microsoft unveiled several news regarding Azure management services, accomplice also the Microsoft Ignite conference 2021. Through these articles released on a monthly basis, we want to provide an overall overview of the main news of the month, in order to stay up to date on these arguments and have the necessary references for further information.

Monitor

Azure Monitor

Log Analytics Workspace Insights in Azure Monitor

Microsoft has announced the availability ofLog Analytics workspace insights which allows you to obtain detailed information on the Log Analytics workspaces, providing a comprehensive overview of the following aspects: usage, performance, integrity, agents, query and change logs.

These are the main questions to which the solution can provide an answer:

What are the main tables, those where most of the data is imported?
Which resource sends the most logs to the workspace?
How long does it take for the logs to reach the workspace?
How many agents are connected to the work area? How many are in a health state?
Query control: how many queries run in the workspace? What are their response codes and duration time? What are the slow and inefficient queries that require workspace overhead?
Who has set a daily limit? When data retention has changed?
- Useful for keeping a log of changes in workspace settings.

New troubleshooting experiences in Network Insights for VPN Gateway & Azure Firewall

It is now possible to access detailed information and have a new problem solving experience in Azure Monitor Network Insights for VPN Gateway and Azure Firewall.

In fact,, you have the option of:

Access the resource topology that shows the integrity of the same and the related connections
A workbook showing all the key metrics
Direct links to documentation and troubleshooting guide

Azure Monitor container insights for Azure Arc enabled Kubernetes

In Azure Monitor, you can get detailed information about the containers running in Azure Arc-enabled Kubernetes environments. This allows you to centralize the visualization of infrastructure metrics, of container logs and related recommendations. The main features are:

Simple onboarding directly from the Azure portal
Receipt of automatic updates from the monitoring agent
Performance visibility, collecting memory and processor metrics from controllers, nodes and containers
Views via workbook and in the Azure portal
Alerts and queries on historical data for troubleshooting
Ability to examine Prometheus metrics

Manage Log Analytics data export rules in the Azure portal (preview)

The export of Log Analytics data can now be configured in the Azure portal. This allows you to easily manage data export rules by giving you a clear view of existing rules in the workspace, regardless of whether they are in the enabled or disabled state. It is also possible to modify existing rules and create new rules with a few simple steps.

Azure Monitor for SAP: new telemetry and root cause analysis (RCA)

Azure Monitor for SAP Solutions (AMS) introduced support for new telemetry data of SAP HANA (preview) and SAP NetWeaver

For SAP HANA we find:

License status: provides licensing details for all tenants running with SAP HANA MDC.
Multi-Version Concurrency Control (MVCC): report on the consistency of transactional data, isolating the transactions that access the same data at the same time
Details on save point operation
Details on delta merge
Statistics on HANA Alert

Customers who are using the solution will have available, without carrying out any further activities, the above telemetry data. For new customers who want to activate this solution, you can follow this guide to AMS onboarding and configure at least one SAP HANA provider.

Furthermore, customers using SAP in an Azure environment can view the “root cause analysis (RCA)” when a SAP system becomes unavailable due to an outage of the virtual machine or host. In fact,, AMS allows you to view information about the restart, the analysis of the triggering cause, details on the affected system and recommended steps.

AMS is currently available in the following Azure regions: US East, US East 2, US West 2, Europe West, and Europe North. AMS does not incur any additional licensing fees, but only the consumption costs of Azure Monitor are covered.

Configure

Azure Automation

PowerShell runbook support 7.1 (preview)

Azure Automation support for PowerShell runbooks 7.1 has been made available in preview on Azure, Azure Gov and Azure China. This allows for the development and execution of runbooks using PowerShell 7.1, both for cloud processes and for hybrid processes on Azure and non-Azure systems.

Support for Managed Identities

Support for Managed Identities has been introduced in Azure Automation. System Assigned Managed Identities are supported for cloud and hybrid processes, while User Assigned Managed Identities are only supported for cloud processes. This support allows you to reduce the effort of managing Run As Accounts for runbooks. A User Assigned Managed Identities is an independent Azure resource that can be assigned to the Azure Automation account, which can have multiple associated user-assigned identities. The same identity can be assigned to multiple Azure Automation accounts.

Govern

Update Management

Automatic VM guest patching

The new feature called "Automatic VM guest patching" is now available and helps simplify update management and achieve security compliance. Enabling the feature “Automatic VM guest patching” patches classified as critical and security are automatically downloaded and applied to the system. This feature is available for both Windows and Linux systems.

Azure Cost Management

Azure Advisor: tips to save on Azure Cosmos DB resource costs

Specific recommendations have been included in Azure Advisor to help you achieve possible cost savings for Azure Cosmos DB, obtained based on the historical use of resources.

Updates related toAzure Cost Management and Billing

Secure

Microsoft Defender for Cloud

Change to the names of Azure solutions in the security field

In November, durante Ignite 2021, changes have been announced to the names of Microsoft Azure solutions in the security field, as below:

Figure 2 - New names for Azure security solutions

New features, bug fixes and deprecated features of Microsoft Defender for Cloud

Azure Security Center and Azure Defender have been unified and are called “Microsoft Defender for Cloud”
Native CSPM for AWS and Threat Protection for Amazon EKS and AWS EC2
Prioritizing sensitive data in cloud workloads, using Azure Purview
Improvements to integration with Microsoft Sentinel
Azure Security Benchmark v3 released

Protect

Azure Backup

Multi-user authorization for backups (preview)

Multi-user authorization for Azure Backup provides advanced protection for Recovery Services vaults against unauthorized critical operations. Azure Backup uses a Resource Guard to ensure that critical operations are performed only with the appropriate authorization. With this mechanism, Azure Backup helps provide better protection against operations that could lead to the loss of backup data, including:

Disabling soft delete and hybrid security settings
Disabling MUA protection
Changes to backup policies
Security changes
Stop protection
Changing the MARS security PIN

The backup administrator, which typically accesses the Recovery Services vault, must acquire the role of Contributor on Resource Guard to be able to perform the above protected operations (Critical). To do this, it must also request the action of the Resource Guard owner, who must approve and grant the requested access. It is also possible to use Azure AD Privileged Identity Management to manage just-in-time access on Resource Guard. Furthermore, it is possible to create the Resource Guard resource in a subscription or in a tenant other than that of the Recovery Services vault, for maximum isolation.

Metrics and related alerts for Azure Backup (preview)

Azure Backup now provides built-in metrics to allow you to monitor the integrity of backups and write custom alert rules based on these metrics.

Azure Site Recovery

Support for failover of multiple IP configurations

Azure Site Recovery has been introduced, for virtual machines on Azure, support for failover of secondary IP configurations. This allows you to configure failover and test failover settings for each secondary IP configuration, currently only in the Azure to Azure scenario (A2A).

New Update Rollup

For Azure Site Recovery was released theUpdate Rollup 59 which solves several problems and introduces some improvements. Among the most important innovations we find support for Windows Server 2022 for the mobility Service. The details and the procedure to follow for the installation can be found in the specific KB.

Migrate

Azure Migrate

New Azure Migrate releases and features

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.