New centralized management experience for Azure Hybrid Benefit for SQL Server (preview)
Azure Hybrid Benefit for SQL Server helps reduce costs by allowing existing on-premises licenses with active Software Assurance to be assigned to Azure. Now there’s an easier way to manage the benefit, optimize cost savings, and sustain compliance for the entire organization. Instead of assigning the benefit to each individual Azure resource (e.g. virtual machine), billing admins can now assign and manage SQL Server licenses at an Azure subscription or entire Azure account level.
Cross region replication for Azure NetApp Files
With this disaster recovery capability, you can replicate your Azure NetApp Files volumes between select Azure standard and non-standard region pairs continuously in a fast and cost-effective way, protecting your data from unforeseeable regional failures. Azure NetApp Files cross region replication leverages NetApp SnapMirror technology so only changed blocks are sent over the network in a compressed, efficient format. This technology reduces the amount of data required to replicate across the regions with up to 50% or more, therefore saving Azure NetApp Files customers data transfer cost. It also shortens the replication time so you can achieve a smaller Restore Point Objective.
Networking
Azure Firewall Premium now generally available in five new Azure regions
Azure Firewall Premium provides next generation firewall capabilities that are required for highly sensitive and regulated environments, and it is now generally available in the following new Azure Cloud regions: USGov Texas, USGov Arizona, USGov Virginia, China North 2 and China East 2.
Azure Stack
Azure Stack HCI
New feature update
Feature updates for Azure Stack HCI are released periodically to enhance the customer experience. This month’s feature update for Clusters running Azure Stack HCI, version 21H2 are:
Dynamic CPU compatibility mode: Processor compatibility mode has been updated to take advantage of new processor capabilities in a clustered environment.
Storage thin provisioning: Improve storage efficiency and simplify management with thin provisioning.
Network ATC: Simplify host networking and network configuration management.
Adjustable storage repair speed: Gain more control over the data resync process by allocating resources to either resiliency or performance to service your clusters more flexibly and efficiently.
The principle behind Azure Arc is to extend Azure management and governance practices to different environments and to adopt solutions and techniques, which are typically used in a cloud environment, even for on-premises environments. This article discusses how Azure Arc allows you to deploy and configure Kubernetes applications homogeneously across all environments, adopting modern DevOps techniques.
Thanks to Azure Arc-enabled Kubernetes it is possible to connect and configure Kubernetes clusters located inside or outside the Azure environment. By connecting a Kubernetes cluster to Azure Arc, this:
It appears in the Azure portal with an Azure Resource Manager ID and a managed identity.
It is inserted within an Azure subscription and a resource group.
Allows it to be associated with tags like any other Azure resource.
To connect a Kubernetes cluster to Azure, the agents must be installed on the various nodes. Such agents:
Azure Arc-enabled Kubernetes supports SSL to protect data in transit. Furthermore, to ensure the confidentiality of inactive data, these are stored in an encrypted way in an Azure Cosmos DB database.
Azure Arc agents on Kubernetes systems do not require the opening of inbound ports on firewall systems, but you only need to be enabled to access outbounds to specific endpoints.
For more details on this and for the procedure to follow to connect a Kubernetes cluster to Azure Arc you can consult this official Microsoft documentation.
Supported distributions
Azure Arc-enabled Kubernetes can be enabled with any certified Kubernetes cluster Cloud Native Computing Foundation (CNCF)". In fact,, the Azure Arc team collaborated with leading industry partners to validate compliance of their Kubernetes distributions with Azure Arc-enabled Kubernetes.
Supported scenarios
Enabling Azure Arc-enabled Kubernetes The following scenarios are supported:
Connecting Kubernetes clusters running in environments other than Azure, to perform inventory operations, grouping and tagging.
Application distribution and configuration management based on GitOps mechanisms. Related to Kubernetes, GitOps is the practice of declaring the desired state of Kubernetes cluster configurations (deployments, namespaces, etc.) in a repository Git. This declaration is followed by a poll and pull-based deployment of these cluster configurations using an operator. The Git repository can contain:
YAML format manifest describing any valid Kubernetes resources, including Namespaces, ConfigMaps, Deployments, DaemonSets, etc.
Chart Helm for application distribution.
Flux, a popular open source tool from GitOps, can be deployed on the Kubernetes cluster to facilitate the flow of configurations from a Git repository to a Kubernetes cluster.
For more details on the CI / CD workflow using GitOps for Azure Arc-enabled Kubernetes clusters you can refer to this Microsoft documentation.
View and monitor cluster environments using Azure Monitor for containers.
Threat Protection using Azure Defender for Kubernetes. The extension components collect the Kubernetes audit logs from all the nodes of the cluster control plane and send them to the back-end ofAzure Defender for Kubernetesin the cloud for further analysis. The extension is registered with a Log Analytics workspace that is used for the data pipeline, but the audit logs are not stored in the Log Analytics workspace. The extension allows you to protect Kubernetes clusters located at other cloud providers, but it does not allow you to contemplate their managed Kubernetes services.
Apply settings via Azure Policy for Kubernetes.
Creation of custom locations used as targets for the deployment of Azure Arc-enabled Data Services, App Services on Azure Arc (which includes web, function, and logic apps) and Event Grid on Kubernetes.
Azure Arc-enabled Kubernetes also supports Azure Lighthouse, which allows service providers to access their tenant to manage subscriptions and resource groups delegated by customers.
Conclusions
Companies that need to operate in a hybrid environment thanks to this technology will be able to minimize the effort of managing containerized workloads, extending services such as Azure Policy and Azure Monitor to Kubernetes clusters located in on-premises environments. Finally, through the GitOps approach, you will be able to simplify updates to cluster configurations in all environments, minimizing the risks associated with configuration problems.
Azure VMware Landing Zone is now publically available. It is Microsoft’s prescriptive, opinionated and best-practices backed guidance for deploying and managing workloads running on Azure VMware solution.
It’s soon possible to use Azure NetApp Filesas NFS datastore for Azure VMware Solution. It’s a great option for using the same NetApp VSAN datastores as used in on-premise environments in Azure now.
It is possible now to do HCX migration over VPN and SD-SWAN. Customers can get an additional option besides Azure ExpressRoute for driving migrations.
Azure VMware Solution is now included as part of Azure Workload Acquisition & Nurture incentive Partners can take advantage of multiple benefits available under the program to drive Azure VMware Solution projects.
New enhancements, global expansion, partner integration are now available as documented here.
Availability Zones now generally available in new regions
Azure Availability Zones are now generally available in the South Africa North, Norway East and Korea Central region. These new zones provide customers with options for additional resiliency and tolerance to infrastructure impact.
Storage
Azure NetApp Files waitlist removal
Azure NetApp Files, one of the fastest growing bare-metal Azure services is now available to Azure customers directly from the Azure portal, CLI, API or with SDK, without having to go through waitlist approval process.
Standard network features for Azure NetApp Files (preview)
Standard network features for Azure NetApp Files volumes is now in public preview in select regions. This includes support for increased IP limits, Network Security Groups, User-defined routes, and additional connectivity patterns like connectivity over Active/Active VPN gateway and ExpressRoute FastPath.
Azure NetApp Files Backup capability (preview)
Azure NetApp Files backup expands the data protection capabilities of Azure NetApp Files by providing fully managed backup solution for long-term recovery, archive, and compliance. Azure NetApp Files online snapshots are now enhanced with backup of snapshots. With this new backup capability, you can offload your Azure NetApp Files snapshots to Azure blob storage in a fast and cost-effective way, further protecting your data from accidental deletion.
Enable hierarchical namespace for existing Azure Storage accounts
Accelerating value through data analytics by enabling the Azure Data Lake Storage (ADLS) hierarchical namespace for existing Azure Storage accounts is now generally available. The benefits of the ADLS hierarchical namespace in providing enhanced performance and features that are dedicated to maximizing the value of data analytics is well established. You can now get this benefit for existing accounts and data by enabling the hierarchical namespace in place.
Object replication for Premium Block Blob Storage (preview)
Object replication allows you to replicate your premium block blob data at the blob level from one storage account to another anywhere in the Azure. Object replication unblocks a new set of common replication scenarios for premium block blobs:
Minimize latency: have your users consume the data locally rather than issuing cross-region read requests.
Increase efficiency: have your compute clusters process the same set of objects locally in different regions.
Optimize data distribution: have your data consolidated in a single location for processing/analytics and then distribute only resulting dashboards to your offices worldwide.
For European and US companies with part of their business in China, the adoption of cloud solutions is becoming increasingly attractive. Microsoft offers the possibility of adopting Azure solutions also in China and a large number of important companies of the caliber of Coca Cola, BMW and Heineken have already landed on the Azure platform in China. However, there are important aspects and some peculiarities, covered in this article, which is good to take into consideration to make an informed choice when you intend to proceed with the deployment of line of business applications in the areas from China to Azure.
What is Azure China?
To offer cloud services in China and ensure consistent quality of service globally, you have the option to adopt Azure China, which has the following characteristics:
It is independently managed and sold by 21Vianet in mainland China. Shanghai Blue Cloud Technology Co., Ltd. (“21Vianet”) is a wholly owned subsidiary of Beijing 21Vianet Broadband Data Center Co., Ltd.
This is a physically separate instance of cloud services located in China.
Compared to Microsoft-managed Azure Public Areas, Azure subscriptions from Chinese regions can only be created by a Chinese entity. This means that to activate Azure services in these geographic areas it is necessary to collaborate with a local organization in mainland China. In fact,, during the registration process, you are asked to specify a telephone number and an address in China. After creating the account, subscription management is the same as for any other Azure region, using a dedicated Azure portal.
To allow customers and partners to examine all important aspects, before activating workloads in Azure China, Microsoft has published this list of activities.
Datacenter
Azure China datacenters are located in eastern and northern China and are geographically separated by more 1.000 kilometres. Also for these datacenters there is support for geographic replication and business continuity, allowing to obtain high data reliability for Azure services. The following regions are currently available on the Chinese territory: China North, China North 2, China East e China East 2.
New Azure region coming to China in 2022
To meet the growing public cloud service needs of the Chinese market, Microsoft announced that in the 2022 a new Azure region will be available in North China, always managed by its local operating partner 21Vianet. This expansion is expected to double the capacity of Microsoft's cloud portfolio in China in the coming years, which in addition to Azure includes Microsoft Office 365, Dynamics 365 and Power Platform. All of this will help fuel further innovation and digital transformation for developers, partner, and customers in China and around the world.
Availability of services
There is a gap between the services that can be activated in Azure China and the global services of Azure. Taking this into account, you can check the services available in the regions of China in this page. Furthermore, releases of new services, Azure versions and new features have their own history in China.
Connectivity and access to resources
First of all, It is good to specify that the workloads distributed in Azure China are potentially accessible anywhere globally.
However, please note that Azure Global Regions and Azure Chinese Regions are physically disconnected. Therefore, to privately connect the resources located in the subscriptions in Azure China with those in the global areas of Azure, it is necessary to provide the activation of VPN site-to- site or ExpressRoute.
The adoption of a hybrid architecture allows you to extend applications and workloads located in Azure China and provide connectivity and interoperability globally.
The following connections are supported:
VPN or Azure ExpressRoute to create a direct network connection between Azure China and the on-premises environment located in China.
Site-to-site VPN to connect an Azure site in China to the on-premises environment outside China. ExpressRoute is not supported for direct network connectivity to an external site outside of China (Azure global is also considered external).
Figure 1 – Cross-border connectivity
In this regard, it is necessary to consider that the purchase of the connectivity service must be done by contacting qualified telecommunications operators who have a license issued by the Ministry of Industry and Information Technology (MIIT).
Free ExpressRoute circuit for China
Azure China ExpressRoute offers a free circuit among the following paired regions: China North (N1) – China North 2 (N2) e China East (E1) – China East 2 (E2). This allows for minimal network latency, similar to being within the same region. The ExpressRoute crossover N1-E2, E1-N2 requires ExpressRoute Premium and is subject to a cross-data transfer charge.
Network latency
Between China and the rest of the world, high network latencies, low bandwidth, unstable connections and high costs are situations that occur in most cases.
All of this happens because of the intermediary technologies that regulate internet traffic that crosses the border. Among these the “Great Firewall of China” which protects Chinese Internet access and filters traffic to China. In fact,, almost all traffic going from the Republic of China outside of China, with the exception of special administration areas such as Hong Kong and Macao, go through the Great Firewall. Traffic passing through Hong Kong and Macao does not fully hit the Great Firewall, but it is managed by a subset of the Great Firewall.
Figure 2 - Interconnections with China
To improve interconnections with China, it is also possible to use the Azure Virtual WAN service, as detailed in this Microsoft documentation.
Figure 3 - Example of architecture with Azure Virtual WAN
Furthermore, to improve the performance and responsiveness of websites with streaming media and other rich media content, it is possible to evaluate the adoption of an Azure CDN (Azure Content Delivery Network). According to Chinese law, the use of the CDN service in China could also subject an offshore website to the ICP registration. It is not recommended to use a global CDN service that does not have a point of presence (PoP) within mainland China.
Purchase options, costs and support
For information regarding the purchasing process and end-to-end onboarding for both Chinese and foreign users who are considering the adoption of Microsoft Azure services managed by 21Vianet in China (“Azure Services in China”) you can consult this guide, made following the customer's perspective.
The details on the costs of the various Azure China services can be found in this dedicated portal.
To get a complete view of the support plans in Azure China you can consult this page.
Conclusions
To ensure an effective distribution of your workloads in Azure China there are several aspects to consider such as which legal entity will manage your Azure China account, the level of compatibility of your applications with Azure services running in China, the Great Firewall and the migration and replication strategy to use. However, there are several companies that have long relied on Azure China and it is possible to consult the many success stories in this page.
In September there were several news announced by Microsoft regarding Azure management services. In this summary, which I report on a monthly basis, major announcements are listed, accompanied by the necessary references to be able to conduct further studies on.
The following diagram shows the different areas related to management, which are covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.
Figure 1 – Management services in Azure overview
Monitor
Azure Monitor
Support for Availability Zones is available
Azure Monitor has introduced support for Availability Zones that help protect applications and data from datacenter failures and can provide resilience for Azure Monitor features such as Application Insights and any other functionality that relies on a Log Analytics workspace. When a workspace is linked to an availability zone, Azure Monitor remains active and operational even if a specific datacenter is not functional or completely inactive. Azure Monitor currently supports Availability Zones for the following regions: East US 2 and West US 2.
Cross query between Azure Monitor and Azure Data Explorer
The ability to query between Azure Monitor and Azure Data Explorer allows you to query data exported to Azure Data Explorer or Azure blob storage and merge them with any Azure Monitor Log Analytics workspace.
Among the various features recently released we find the ability to perform queries:
Between Azure Data Explorer and Azure Monitor services (Log Analytics / Application Insights) and vice versa
On Azure Monitor logs exported from an Azure blob storage account using Azure Data Explorer
In Azure Monitor Log Analytics, the maximum data retention time frame is limited to 2 years. This aspect can be limiting in some areas, to the point that certain compliance criteria are not met. To overcome this limitation, you can export logs to an Azure blob storage. This new feature allows you to cross-query by including data exported to Azure blob storage in an integrated way.
Support for Windows Server 2022 for the Azure Monitor Agent
The Azure Monitor Agent is now also supported for Windows Server 2022 such as virtual machines, virtual machine scale sets and Arc enabled servers (in on-premise environments and / or non-Azure servers).
New version of the agent for Linux systems
A new version of the Log Analytics agent has been released this month for Linux systems where several improvements and greater stability are introduced. Furthermore, the OMI component has been updated to version 1.6.8 and introduced support for AWS 2 / Centos 8.4 Linux.
Configure
Azure Automation
Support for the Az module
Azure Automation introduces support for the module “Az”, available by default for all new Automation Accounts. Furthermore, the option is present in the Azure portal “Update Az Modules” which allows you to update the modules to “Az” for existing Automation Accounts.
Govern
Azure Policy
Support for AKS custom policy (preview)
Microsoft has announced in preview support for custom policies for Azure Kubernetes Service clusters (AKS). With this feature, it is possible to create and assign custom policy definitions and constraint templates to AKS clusters, see advanced information about any errors, use the embedded constraint template embedded within the policy definition and more.
Azure Cost Management
Updates related toAzure Cost Management and Billing
Microsoft is constantly looking for new methodologies to improve Azure Cost Management and Billing, the solution to provide greater visibility into where costs are accumulating in the cloud, identify and prevent incorrect spending patterns and optimize costs . Inthis article some of the latest improvements and updates regarding this solution are reported, including:
New features, bug fixes and deprecated features of Azure Security Center
Azure Security Center development is constantly evolving and improvements are being made on an ongoing basis. To stay up to date on the latest developments, Microsoft updates this page, this provides information about new features, bug fixes and deprecated features.
Protect
Azure Backup
New alerts and management in the Backup center (preview)
Azure Backup has released a new Azure Monitor based alerting solution, which allows you to take advantage of the notification capabilities offered by Azure to monitor and effectively act on critical backup incidents. These alerts can also be managed directly by Azure Backup center.
Oracle snapshot with Azure Backup
Azure Backup now allows you to run pre-post scripts to deactivate and reactivate Oracle databases. This allows you to have consistent backups and take advantage of all the advantages of Azure VM backup also for Oracle systems. Database-consistent snapshots can be used for restores from Oracle, they are verifiable by Oracle database clients such as RMAN and have economic advantages as the backup of Azure VMs is intrinsically incremental. The ability to take consistent snapshots at the Oracle database level also means there is no need to stream the full daily data to a storage target, therefore it is possible to significantly reduce the I / O demand on the machine and on the network, as well as reducing the need for large storage spaces. Furthermore, the use of these snapshots guarantees the ability to quickly create clones of Oracle production VMs and it is not necessary to perform intensive I / O operations such as a datapump.
Offline backup with Azure Data Box
Microsoft has made the Azure Offline Backup functionality available using Azure Data Box, which allows you to use Azure Data Box to seed large initial backups offline in an Azure Recovery Service vault.
Azure Site Recovery
New features to simplify the DR scenarios of VMs in a VMware environment (preview)
The following changes have been released in preview in ASR to help improve the activation of Disaster Recovery scenarios for VMware environments:
Automatic updates for the ASR replication appliance and for the Mobility agent. A limitation of the current ASR architecture is the need to manually update the various components of the configuration server and the Mobility service. To make things easier, Microsoft has introduced the ability to update automatically: when an update is made available, both the appliance (configuration server) and the Mobility service can be updated automatically. Furthermore, to perform automatic updates, the machine's root / admin credentials are no longer required.
Scalability improvements. The appliance becomes a single management unit where all its components have been converted into microservices hosted in an Azure environment. Not only will this make troubleshooting a lot easier, but managing the scalability of the solution will also be easier.
High availability for the appliance. Appliance resilience is a required feature and, thanks to this review, it is no longer necessary to perform regular backups of the appliance, but just start a new appliance and transfer all protected machines to the new appliance, without having to repeat a full replication.
Upgrade al TLS 1.2 or later
As part of the Microsoft initiative that provides for Azure to use TLS 1.2 by default and removing dependencies from previous versions, Azure Site Recovery is moving away from legacy protocols to ensure greater security for replication data. Therefore, TLS 1.0 e TLS 1.1 they will no longer be supported. These changes will take effect on 15 November 2021. To continue using Azure Site Recovery without interruption, you should make sure that all the resources that use the Microsoft Azure Recovery Services agent (MARS) are enabled for the use of TLS 1.2 or later.
Migrate
Azure Migrate
New Azure Migrate releases and features
Azure Migrate is the service in Azure that includes a large portfolio of tools that you can use, through a guided experience, to address effectively the most common migration scenarios. To stay up-to-date on the latest developments in the solution, please consult this page, that provides information about new releases and features.
Evaluation of Azure
To test for free and evaluate the services provided by Azure you can access this page.
Azure VMware Solution achieves FedRAMP High Authorization
With this certification, U.S. government and public sector customers can now use Azure VMware Solution as a compliant FedRAMP cloud computing environment, ensuring it meets the demanding standards for security and information protection.
JetStream Disaster Recovery for Azure VMware Solution (preview)
JetStream Disaster Recovery is now available on Azure VMware Solution in public preview, enabling DR protection needed for business and mission-critical applications. JetStream Disaster Recovery on Azure VMware Solution is also cost-effective, as it uses minimal resources at the DR site by leveraging cloud storage, such as Azure Blob Storage.
Azure AD-joined VMs support
With this latest update, you can now:
Join your Azure Virtual Desktop virtual machines directly to Azure Active Directory (Azure AD.)
Connect to the virtual machine from any device with basic credentials.
Automatically enroll the virtual machines with Microsoft Endpoint Manager.
Management Group Scope for Azure Reservations (preview)
You can scope a reservation to a management group. When you set the scope to a management group, the reservation discount is applied to matching resources in the list of subscriptions that are a part of the management group and the billing context.
Storage
Azure Archive Storage now available in three new regions
Azure Archive Storage provides a secure, low-cost means for retaining cold data including backup and archival storage. Now, Azure Archive Storage is available in three new regions: Norway East, UAE North, and Germany West Central.
The hyper-converged Azure Stack HCI solution allows you to activate the Azure Kubernetes Service orchestrator in an on-premises environment (AKS) for running containerized applications at scale. This article explores how Azure Kubernetes in Azure Stack HCI environment offers the possibility of hosting Linux and Windows containers in your datacenter, going to explore the main benefits of this solution.
Before going into the specifics of AKS in the Azure Stack environment, a summary of the solutions involved is reported.
What is Kubernetes?
Kubernetes, also known as "k8s", provides automated orchestration of containers, improving its reliability and reducing the time and resources required in the DevOps field, through:
Generally simpler deployments that allow automatic implementations and rollbacks.
Better application management with the ability to monitor the status of services to avoid implementation errors. In fact,, the various features include service integrity checks, with the ability to restart containers that are not running or that are blocked, allowing to advertise to clients only the services that have started correctly.
Ability to scale automatically based on usage and, exactly the same as for containers, manage the cluster environment in a declarative manner, allowing version-controlled and easily replicable configuration.
Figure 1 – Kubernetes cluster with related architecture components
What is Azure Kubernetes Service (AKS)?
Azure Kubernetes Service (AKS) is the fully managed Azure service that allows the activation of a Kubernetes cluster, ideal for simplifying the deployment and management of microservices-based architectures. Thanks to the features offered by AKS it is possible to scale automatically according to the use, use controls to ensure the integrity of the services, implement load balancing policies and manage secrets. The use of this managed service is integrated with the container development and deployment pipelines.
Figure 2 - Azure Kubernetes Service architecture example (AKS)
What is Azure Stack HCI?
Azure Stack HCI is the solution that allows you to create a hyper-converged infrastructure (HCI) for the execution of workloads in an on-premises environment and which provides for a strategic connection to Azure services. This is a hyper-converged infrastructure (HCI), where different hardware components are removed, substitutes from the software, able to combine the layer of compute, storage and network in one solution. In this way there is a transition from a traditional "three tier" infrastructure, composed of network switches, appliance, physical systems with onboard hypervisors, storage fabric and SAN, toward hyper-converged infrastructure (HCI).
Figure 3 – "Three Tier" Infrastructure vs Hyper-Converged Infrastructure (HCI)
What is AKS in Azure Stack HCI?
AKS in the Azure Stack HCI environment is a Microsoft implementation of AKS, which automates the deployment and management of containerized applications.
Microsoft, after introducing AKS as a service in Azure, has extended its availability also to on-premises environments. However, there are some important differences:
In Azure, Microsoft manages the control plane of each AKS cluster. Furthermore, the cluster nodes (management node and worker node) run on Azure virtual machines or on Azure virtual machine scale sets.
In an on-premises environment , the customer manages the entire environment, where the AKS cluster nodes are running on virtual machines hosted on the hyper-converged infrastructure.
AKS architecture on Azure Stack HCI
The implementation of AKS in Azure Stack HCI consists of two types of clusters:
A management cluster of AKS. This cluster acts as a dedicated control plane for managing Kubernetes clusters running on the hyper-converged platform. This cluster consists of Linux virtual machines, that host Kubernetes system components such as API servers and load balancers.
One or more Kubernetes clusters. These clusters consist of control nodes and worker nodes. Control nodes are implemented as Linux virtual machines, with API server and load balancers that satisfy the requests of Azure Stack HCI users. Workloads are distributed on Linux or Windows OS-based worker nodes.
Figure 4 - AKS architecture on Azure Stack HCI
Each Kubernetes cluster runs on its own dedicated set of virtual machines, protected by hypervisor-based isolation, allowing you to securely share the same physical infrastructure even in scenarios that require workload isolation.
AKS on Azure Stack HCI supports both Linux-based and Windows-based containers. When you create a Kubernetes cluster you simply need to specify the type of container you intend to run and on the hyper-converged platform the installation procedure of the required operating system is automatically started on the nodes of the Kubernetes cluster .
Benefits of AKS on Azure Stack HCI
AKS simplifies the deployment of Kubernetes clusters by providing a layer of abstraction that can mask some of the more challenging implementation details.
Among the main benefits of AKS in the Azure Stack HCI environment we find:
Simplified deployments of containerized apps in a cluster environment. Using the Windows Admin Center you have a guided installation process of the AKS management cluster. Windows Admin Center also facilitates the installation of individual Kubernetes clusters that contain worker nodes, through an automatic installation process of all relevant software components, including management tools such as kubectl.
Ability to scale horizontally to manage computational resources, adding or removing Kubernetes cluster nodes.
Simplified management of cluster resource storage and network configurations.
Automatic updates of cluster nodes to the latest version of Kubernetes available. Microsoft manages the Windows Server and Linux images for the cluster nodes and updates them monthly.
Strategic connection, using Azure Arc, to Azure services such as: Microsoft Azure Monitor, Azure Policy, and Azure Role-Based Access Control (RBAC).
Centralized management of Kubernetes clusters and related workloads through the Azure portal, thanks to the adoption of Azure Arc for Kubernetes. Azure portal-based management also integrates traditional Kubernetes administration tools and interfaces, like the command line utility kubectl and the Kubernetes dashboard.
Managing the automatic failover of virtual machines acting as Kubernetes cluster nodes if there is a localized failure of the underlying physical components. This complements the high availability inherent in Kubernetes, able to automatically restart containers in failed state.
Conclusions
Thanks to Azure Stack HCI, the adoption of container-based application architectures can be hosted directly in your own datacenter, adopting the same Kubernetes management experience that you have with the managed service present in the Azure public cloud. The deployment process is also very simplified and intuitive. Furthermore, Azure Stack HCI allows you to further improve the agility and resilience of Kubernetes deployments in an on-premises environment.
On-demand capacity reservations for Azure Virtual Machines (preview)
On-demand capacity reservations for Azure Virtual Machines, now in public preview, enable IT organization to reserve compute capacity for a VM size. The reservation can be for any length of time in any public Azure region or Availability Zone and supports most VM series. You can create and cancel an on-demand capacity reservation at any time, no commitment is required. The ability for you to access compute capacity, with SLA guarantees when on-demand capacity reservations become generally available, ahead of actual VM deployments is particularly important to ensure the availability of business-critical applications running on Azure. On-demand capacity reservations can be combined with Azure Reserved VM Instances (RIs) to significantly reduce costs.
Run Commands for Azure VMware Solution (preview)
Run commands are a collection of PowerShell packages available in the Azure VMware Solution portal that simplify the execution of certain operations on vCenter. With this announcement your cloud administrator can now more easily run management tasks that require elevated privileges.
Microsoft has enabled elastic virtual machine profile and automatic scaling for Azure Virtual Machine Scale Sets with flexible orchestration elastic profile and automatic scaling. The features are now in public preview, and provide:
Up to 1000 instances in a scale set (general purpose virtual machine sizes only)
Ability to manually add VM instances to the scale set
The option to spread instances across fault domains automatically, or specify a fault domain
Place on demand and Spot VMs in the same scale set
(New) Define a VM profile and specify instance count
(New) Automatically scale out and scale in based on metrics, schedule, or AI prediction (private preview)
(New) In guest patching that respects high availability / FD constraints
(New) Automatic extension updates
(New) Automatic instance repair/replacement of unhealthy instances
(New) Terminate notification for on demand and Spot VMs
(New) Secure by default networking – customers must explicitly define outbound connectivity
(New) Improved scale out and scale in reliability, latency, and elasticity
Server Message Block (SMB) 3.1.1 is the most recent version of the SMB protocol, released with Windows 10, containing important security and performance updates. Azure Files SMB 3.1.1 ships with two additional encryption modes, AES-128-GCM and AES-256-GCM, in addition to AES-128-CCM which was already supported. In addition to SMB 3.1.1, Azure Files exposes security settings that change the behavior of the SMB protocol. With this release, you may configure allowed SMB protocol versions, SMB channel encryption options, authentication methods, and Kerberos ticket encryption options. By default, Azure Files enables the most compatible options, however these options may be toggled at any time.
Server Message Block (SMB) Multichannel enables you to improve the IO performance of your SMB client 2-4x, increasing performance and decreasing total cost of ownership.
Storage capacity reservations for Azure Files enable you to significantly reduce the total cost of ownership of storage by pre-committing to storage utilization. To achieve the lowest costs in Azure, you should consider reserving capacity for all production workloads.
Zone redundant storage (ZRS) for Azure Disk Storage
Zone redundant storage (ZRS) for Azure Disk Storage is now generally available on Azure Premium SSDs and Standard SSDs in West Europe, North Europe, West US 2 and France Central regions. Disks with ZRS provide synchronous replication of data across the zones in a region, enabling disks to tolerate zonal failures which may occur due to natural disasters or hardware issues. They also enable you to maximize your virtual machine availability without the need for application-level replication of data across zones, which is not supported by many legacy applications such as old versions of SQL or industry-specific proprietary software. This means that, if a virtual machine becomes unavailable in an affected zone, you can continue to work with the disk by mounting it to a virtual machine in a different zone. You can also use the ZRS option with shared disks to provide improved availability for clustered or distributed applications like SQL FCI, SAP ASCS/SCS, or GFS2.
Automatic key rotation of customer-managed keys for encrypting Azure disks
Azure Disk Storage now enables you to automatically rotate keys for encryption of your data.
Change performance tiers for Azure Premium SSDs with no downtime
On Azure Premium SSDs, you can now change the performance tiers without any downtime to your application (generally available). You can change the performance tier of a disk even when it is attached to running virtual machines. For planned events like a seasonal sales promotion or running a training environment, you need to achieve sustained higher performance for a few hours or days and then return to the normal performance levels. With performance tiers on Premium SSDs, you have the flexibility to scale the disk performance without increasing the disk size by selecting a higher performance tier. You can also change tiers to bring it back to your baseline performance tier, enabling you to achieve higher performance and cost savings.
Networking
New updates to Azure Firewall
New Azure Firewall capabilities:
Azure Firewall supports US West 3, Jio India West, and Brazil Southeast.
Auto-generated self-signed certificates for Azure Firewall Premium SKU.
Secure Hub now supports Availability Zones.
Deploy Azure Firewall without public IP in Forced Tunnel mode.
Configure pre-existing Azure Firewalls in Force Tunnel mode using stop or start commands.
Azure Route Server
Azure Route Server simplifies dynamic routing between your network virtual appliance (NVA) and your virtual network. When you establish a Border Gateway Protocol (BGP) peering between your NVA and Azure Router Server, you can advertise IP addresses from your NVA to your virtual network. Your NVA will also learn what IP addresses your virtual network has. Azure Route Server is a fully managed service and is configured with high availability.
Several key Azure Route Server benefits include:
Simplify network appliance operations
Deploy it in your existing setup
Support any network appliance
Enable new network topology
Private Link Network Security Group Support (preview)
Private Endpoint support for Network Security Groups (NSGs) is now in public preview. This feature enhancement will provide you with the ability to enable advanced security controls on traffic destined to a private endpoint. In order to leverage this feature, you will need to set a specific subnet level property, called PrivateEndpointNetworkPolicies, to Enabled. In addition to toggling this property, you will need to also register for the Microsoft.Network/AllowPrivateEndpointNSG feature.
Private Link UDR Support (preview)
Private Endpoint support for User Defined Routes (UDRs) is now in public preview. This feature enhancement will provide you with the ability to apply custom routes to traffic destined to a private endpoint with a wider subnet range. In order to leverage this feature, you will need to set a specific subnet level property, called PrivateEndpointNetworkPolicies, to Enabled. In addition to toggling this property, you will need to also register for the Microsoft.Network/AllowPrivateEndpointNSG feature.
Address changes on an Azure virtual network that has active peerings (preview)
You can now update your virtual network address space without needing to remove the peering links on their virtual networking and incurring any downtime.
Azure ExpressRoute: new ExpressRoute Direct and Peering locations
New locations are available for ExpressRoute Direct:
Denver
Newport (Wales)
Pune
The new locations support dual 10Gbps or 100Gbps connectivity into Microsoft’s global network.
New peering locations are available for ExpressRoute:
Microsoft constantly releases news about Azure management services. By publishing this summary, we want to provide an overall overview of the main news released in the last month. This allows you to stay up-to-date on these topics and have the necessary references to conduct further investigations.
The following diagram shows the different areas related to management, which are covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.
Figure 1 – Management services in Azure overview
Monitor
Azure Monitor
The IT Service Management Connector is certified with the Quebec version of ServiceNow
The IT Service Management Connector (ITSM) of Azure Monitor is now certified for the Quebec version of ServiceNow. This connector allows you to establish a two-way connection between Azure and ITSM tools, useful for managing incidents and solving problems faster. Furthermore, it is possible to create work items in the ITSM tool, based on Azure alerts(Metric Alerts, Activity Log Alerts, e Log Analytics alert).
Lower levels for reservations for Azure Monitor dedicated clusters
Microsoft has reduced the capacity reservation (capacity reservation) minimum required for Azure Monitor dedicated clusters, bringing it from 1.000 GB to 500 GB per day. This allows you to take advantage of advanced features such as customer-managed keys, lockbox, and infrastructure encryption, even to customers with lower data entry volume.
The retirement of the Log Analytics agent has been announced
Microsoft announced that the 31 August 2024 the Log Analytics agent used in Azure Monitor will be retired. Therefore, before that date, you should use the new Azure Monitor agent (AMA) and data collection rules (DCR) of Azure Monitor to monitor virtual machines and servers.
Configure
Azure Automation
New features coming soon to be released
Microsoft has announced that the following new features will soon be released for Azure Automation:
Azure AD support: ability to use Azure AD-based authentication for public automation endpoints
Support for Powershell 7: ability to run Azure Automation runbooks, in production scenarios, using PowerShell 7.1
Azure Automation Hybrid Worker Extension for Azure and for Azure Arc machines: possibility of onboarding hybrid workers using the hybrid extension for Azure and Azure Arc machines.
Support for Availability Zones, useful for increasing the levels of reliability and resilience.
Native support of the Powershell Az module.
Govern
Azure Policy
Azure Guest Configuration Policy: possibility of applying settings within the systems as well(preview)
Guest Configuration Policies allow you to control settings within a machine, both for virtual machines running in Azure environment and for "Arc Connected" machines. At the moment, most of the Azure Guest Configuration Policies only allow you to make checks on the settings inside the machine, but they do not apply configurations. However, Microsoft has announced in preview the possibility to apply configurations provided by Microsoft or to create your own configuration packages using PowerShell DSC version 3.
Azure Cost Management
Updates related toAzure Cost Management and Billing
Microsoft is constantly looking for new methodologies to improve Azure Cost Management and Billing, the solution to provide greater visibility into where costs are accumulating in the cloud, identify and prevent incorrect spending patterns and optimize costs . Inthis article some of the latest improvements and updates regarding this solution are reported.
Secure
Azure Security Center
Azure Defender for SQL available from Azure SQL Virtual Machine blade
This new Azure Defender information browsing experience for SQL VMs, allows you to view, directly from the SQL virtual machine panel, information about security best practices for related SQL Server databases.
New features, bug fixes and deprecated features of Azure Security Center
Azure Security Center development is constantly evolving and improvements are being made on an ongoing basis. To stay up to date on the latest developments, Microsoft updates this page, this provides information about new features, bug fixes and deprecated features. In particular, this month the main news concern:
Support for Archive storage for backup of VMs and SQL on board VMs
In Azure Backup, you can now move recovery points to save costs and keep your backup data longer. This feature is available for Azure VMs and SQL Servers installed on board Azure VMs. Using Azure PowerShell, it is possible to move these backups from the standard tier to the new archive tier.
When moving backup data from vault-standard to vault-archive, Azure Backup converts incremental data into full backup. This procedure involves an increase in the total GB used, but costs are reduced due to the huge difference in cost per GB between the two storage tiers. To simplify this process, Azure Backup provides advice on Recovery Points (RPs) for which migration to the vault-archive is recommended. Restores can be done in an integrated way from the Azure portal, with a simple and intuitive process.
Azure Site Recovery
ASR support for global disaster recovery
Azure Site Recovery (ASR) introduced support for cross-continental disaster recovery. Thanks to this feature, a virtual machine can be replicated from an Azure region in one continent to a region in another continent. In the event of a planned or unplanned outage, you will be able to fail over the virtual machine on all continents and, once the interruption has been mitigated, it can be brought back to the continent of origin (fail-back) and protected.
Extended the date of withdrawal of Hard coded IP address
Microsoft has extended the retirement date for hard coded IP addresses to connect with Azure Site Recovery services to 31 August 2024. This allows you to have more time to adjust the configurations of the environments to use the Azure service tags.
Migrate
Azure Migrate
Software inventory and agentless dependency analysis
In Azure Migrate it is now possible to inventory applications, roles and features installed and perform dependency analysis, on Windows and Linux servers, without installing any agent. Agentless dependency analysis allows you to identify and understand dependencies between servers, supporting data collection for up to 1000 servers at the same time.
Discovery and assessment of ASP.NET Web Apps with Azure Migrate(preview)
Azure Migrate now allows you to identify and assess ASP.NET Web Apps running on the on-premises IIS Web server and manage their migration. Until now, it was necessary to use tools such as App Service Migration Assistant to evaluate the Web Apps. Thanks to the introduction of this feature in Azure Migrate, it is possible to discover the .NET Web Apps running in your VMware environment and create assessments to manage the migration to Azure IaaS or Azure App Service.
Containerization of apps and migration to AKS or Azure App Service
The Azure Migrate app containerization tool allows you to modernize existing ASP.NET and Java web applications, using a containerization approach that requires little or no application changes. The tool groups existing applications running on servers in a container image and allows them to be deployed in containers running in Azure Kubernetes Service(AKS) or in Azure App Service. As part of the migration process, the tool allows you to parameterize the application configurations, outsource file system dependencies using persistent volumes and configure the containerized application monitor using Application Insights.
New Azure Migrate releases and features
Azure Migrate is the service in Azure that includes a large portfolio of tools that you can use, through a guided experience, to address effectively the most common migration scenarios. To stay up-to-date on the latest developments in the solution, please consult this page, that provides information about new releases and features.
Evaluation of Azure
To test for free and evaluate the services provided by Azure you can access this page.
Placement polices for Azure VMware Solution (preview)
Placement policies are used to define constraints for running virtual machines in the Azure VMware Solution software-defined data center (SDDC). These constraints allow you to decide where and how the virtual machines should run within the SDDC clusters. Placement polices are used to support performance optimization of virtual Machines (VMs) through policy, and help mitigate the impact of maintenance operations to policies within the SDDC cluster. When you create a placement policy, it creates a vSphere Distributed Resource Scheduler (DRS) rule in the specified vSphere cluster. It also includes additional logic for interoperability with Azure VMware Solution operations.
New VM series supported by Azure Batch
The selection of VMs that can be used by Azure Batch has been expanded, allowing newer Azure VM series to be used. The following additional VM series can now be specified when Batch pools are created:
H-series Azure Virtual Machine sizes (H8, H8m, H16, H16r, H16m, H16mr, H8 Promo, H8m Promo, H16 Promo, H16r Promo, H16m Promo, and H16mr Promo) on 31 August 2022.
ND-series virtual machine sizes on 31 August 2022.
Basic and Standard A-series VMs on 31 August 2024.
Azure Government Top Secret now generally available for US national security missions
Azure Government Top Secret is available for US and this is a significant milestone in Microsoft commitment to bringing unmatched commercial innovation to US government customers across all data classifications. This announcement, together with new services and functionality in Azure Government Secret, provides further evidence of Microsoft’s relentless commitment to the mission of national security, enabling customers and partners to realize the vision of a multi-cloud strategy and achieve greater agility, interoperability, cost savings, and speed to innovation.
Storage
Azure Blob storage inventory
Inventory provides an easy way to gain insights into the containers and all block, append, and page blobs stored within an account. Blob Inventory can be selected to provide a full listing of all blobs and containers on a daily or weekly basis. Prior to Inventory, either a separate catalog system or, listing of all blobs and analyzing added complexity and cost to solutions that used blob storage. With inventory, all blobs and containers that match an optional filter will be listed on a daily or weekly basis to a CSV or Parquet file that can then be processed for insights.
Azure Archive Storage events for easy rehydration of archived blobs
The Azure Archive Storage provides a secure, low-cost means for retaining cold data including backups and archival storage. When your data is stored in Archive Storage, the data is offline and not available for read until it is moved to the hot or cool tier. Previously, the only way to determine when blob rehydration was complete and available to be read was to repeatedly poll the status of the rehydration operation, increasing complexity and cost. Azure Event Grid now supports events that fire when a blob is rehydrated from the archive tier. The Microsoft.Storage.BlobCreated event fires when a blob is copied from the archive tier to a new destination blob in the hot or cool tier. The Microsoft.Storage.BlobTierChanged event fires when the archived blob’s tier is changed to hot or cool. Your application can handle these events in order to respond to blob rehydration.
Azure Blob storage: last access time tracking
Last access time tracking integrates with lifecycle management to allow the automatic tiering and deletion of data based on when individual blobs are last accessed. This allows greater cost control as well as an automatic workflow including deletion of data after it is no longer used. Last access time can also be used without lifecycle management by any solution that needs to understand when individual blobs are last read and then take action. Lifecycle management with last access time tracking is available in all public regions for accounts with flat namespace used. Azure Data Lake Storage Gen2 will be supported later this year.
Networking
Network Insights: enhanced troubleshooting experiences for additional resources
You now have access to rich insights and enhanced troubleshooting experiences for four additional networking resources in Network Insights: Private Link, NAT Gateway, Public IP, and NIC.
With the onboarding of these resources, customers can access:
A resource topology showing resource health and connected resources
A pre-built workbook showing all key metrics along multiple
Direct links to documentation and troubleshooting help
