Azure Stack Edge Pro 2 is a new generation of an AI-enabled edge computing device offered as a service from Microsoft. The Azure Stack Edge Pro 2 offers the following benefits over its precursor, the Azure Stack Edge Pro series:
This series offers multiple models that closely align with your compute, storage, and memory needs. Depending on the model you choose, the compute acceleration could be via one or two Graphical Processing Units (GPU) on the device.
This series has flexible form factors with multiple mounting options. These devices can be rack mounted, mounted on a wall, or even placed on a shelf in your office.
These devices have low acoustic emissions and meet the requirements for noise levels in an office environment.
The Pro 2 series is designed for deployment in edge locations such as retail, telecommunications, manufacturing, or even healthcare. Here are the various scenarios where Azure Stack Edge Pro 2 can be used for rapid Machine Learning (ML) inferencing at the edge and preprocessing data before sending it to Azure:
Inference with Azure Machine Learning: you can run ML models to get quick results that can be acted on before the data is sent to the cloud.
Preprocess data: transform data before sending it to Azure via compute options such as containerized workloads and Virtual Machines to create a more actionable dataset.
Transfer data over network to Azure: use this solution to easily and quickly transfer data to Azure to enable further compute and analytics or for archival purposes.
The month of February was full of news, and several updates have affected the Azure management services. This article provides an overview of the month's top news, so that you can stay up to date on these topics and have the necessary references to conduct further exploration.
The following diagram shows the different areas related to management, which are covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.
Figure 1 – Management services in Azure overview
Monitor
Azure Monitor
Azure Monitor Agent: new feature to update the extension automatically
With the new Azure Monitor agent, you can get important updates and security fixes by enabling the automatic extension update function within the agent. Basically, when an update is published, the extension updates and replaces the existing version present in the virtual machine or in the scale set.
The latest version of the Azure Monitor agent is now capable of collecting syslog events from the following vendors, standard device types and formats:
Cisco Meraki, ASA, FTD
Sophos XG
Juniper Networks
Corelight Zeek
CipherTrust
NXLog
McAfee
CEF (Common Event Format)
Azure IoT Edge monitoring
Thanks to a deep integration with Azure Monitor, it is possible to simplify the monitoring of Azure IoT Edge devices through a set of built-in metrics, the IoT Edge Metrics Collector module and a set of “curated visualizations”. Through this integration it is possible to:
Analyze the efficiency of the solution
Choose the hardware to meet the performance demands of the devices
Monitor blocked resources
Proactively identify problems
Resolve problems quickly
Create custom metrics and dashboards
Ability to set an exact time range in queries
In queries on Log Analytics workspaces it is now possible to specify an exact time range, which allows precise and more targeted searches.
The Azure Monitor ‘action rules’ are now ‘alert processing rules’
Microsoft has renamed the Azure Monitor “action rules” to “alert processing rules”; they continue to provide post-processing capabilities for alerts triggered in Azure Monitor.
Log Analytics data export
The new Azure Monitor Log Analytics data export feature allows you to send log data not only to Log Analytics workspaces, but also to a storage account or Event Hub. Furthermore, data can be streamed continuously from Log Analytics tables to a storage account or to Event Hub if Microsoft has enabled streaming support for those types of tables.
Custom retention for tables AzureActivity and Usage
In Azure Monitor, the ability to set a custom retention has been introduced for the AzureActivity and Usage tables present in Log Analytics workspaces. Previously, AzureActivity and Usage had a minimum retention of 90 days and no specific retention could be set for that data. Now the minimum retention for those tables remains 90 days, useful for audit and troubleshooting purposes, but you can customize the retention period beyond it.
Possibility to test the Action Groups (preview)
For Azure Monitor action groups, the ability to test notification settings for alerts has been introduced, in order to:
Check if the notifications work as expected when creating or updating an action group
Self-diagnose the cause of notifications not working as expected
Azure Monitor predictive autoscaling for VM Scale Sets (preview)
Predictive autoscaling, released in preview, uses machine learning algorithms to manage and scale Virtual Machine Scale Sets. This mechanism allows you to predict the overall CPU load on the Virtual Machine Scale Sets, based on historical CPU usage patterns. In this way the scale-out takes place in time to satisfy the demand.
Govern
Azure Cost Management
Anomaly detection
Anomaly detection has been introduced in Azure Cost Management. Thanks to this feature, it is possible to view the cost anomalies detected by the tool in the Azure subscriptions within a specific period.
Enterprise agreement component management in Azure Cost Management and Billing
In Azure Cost Management and Billing you can now create, manage and govern departments, accounts, and subscriptions related to enterprise agreement contracts. In particular, from the Azure portal you can perform the following activities:
Manage the roles of the enterprise agreement contract
Create and manage the hierarchy at the enrollment level (department, account, subscription)
View properties and manage policies
View usage and charges
Download the invoice
View and monitor the Microsoft Azure Consumption Commitment balance (MACC)
Updates related to Azure Cost Management and Billing
Microsoft is constantly looking for new ways to improve Azure Cost Management and Billing, the solution that provides greater visibility into where costs are accumulating in the cloud, identifies and prevents incorrect spending patterns, and optimizes costs. In this article some of the latest improvements and updates regarding this solution are reported.
Secure
Microsoft Defender for Cloud
New features, bug fixes and deprecated features of Microsoft Defender for Cloud
Microsoft Defender for Cloud is constantly evolving and improvements are made on an ongoing basis. To stay up to date on the latest developments, Microsoft updates this page, which provides information about new features, bug fixes and deprecated features. In particular, this month the main news concern:
Ability to perform multiple Azure File backups throughout the day
In Azure Backup it is now possible to perform multiple backups during the day, with a maximum frequency of every four hours, to take multiple snapshots of the file share. This feature allows you to define a backup schedule in line with working hours, useful for Azure Files content that is updated frequently. Furthermore, you can use PowerShell or the Azure command-line interface to create backup policies that generate multiple snapshots during the day according to the defined schedule.
Long term retention for Azure PostgreSQL backup
Azure Backup for PostgreSQL is a scalable solution that does not require the presence of an infrastructure, agents or storage accounts, while providing a simple and consistent experience to centrally manage and monitor backups. Support for long-term backup storage was introduced for this solution.
Automated backup improvements for SQL Server on Azure virtual machines
Automated Backup, a feature provided by the SQL Server IaaS Agent extension, offers an automatic backup service for SQL Server running on Azure virtual machines. The following improvements have been added to this functionality:
Longer backup retention time in storage account, passing from 30 days to 90 days.
Ability to choose for each Azure virtual machine a specific container of the storage account as a destination for backups. Previously, it was only allowed to specify a storage account and all backups flowed into the same container.
Restore point cross region for virtual machines
The restore points of a virtual machine are snapshots that contain the metadata of the virtual machine and are consistent across all the disks associated with it. These recovery points can be used to protect workloads from data loss and corruption. It is now possible to create restore points of a virtual machine in any region, regardless of the region in which the virtual machine is deployed.
Azure Site Recovery
Recovery point extended to 15 days
Azure Site Recovery allows you to adjust the retention history of recovery points through replication policies. It is now possible to keep recovery points for up to 15 days instead of 72 hours. Recovery points are stored every 5 minutes for the first 2 hours; after that, they are pruned and retained at a lower frequency. You can enter any value between 0 and 15 days to configure the retention period in a retention policy. Furthermore, if necessary, it is possible to enable application-consistent recovery points (disabled by default).
New Update Rollup
Update Rollup 60 was released for Azure Site Recovery; it solves several issues and introduces some improvements. The details and the procedure to follow for the installation can be found in the specific KB.
Evaluation of Azure
To test for free and evaluate the services provided by Azure you can access this page.
You can patch and install updates to your Windows Server virtual machines on Azure without requiring a reboot using hotpatch. This capability is available exclusively as part of Azure Automanage for Windows Server for Windows Server Azure Edition core virtual machines, and comes with the following benefits:
Lower workload impact with fewer reboots
Faster deployment of updates as the packages are smaller, install faster, and have easier patch orchestration with Azure Update Manager
Better protection, as the Hotpatch update packages are scoped to Windows security updates that install faster without rebooting
Virtual Machine level disk bursting supports additional VM types
Virtual Machine level disk bursting supports M-series, Msv2-series Medium Memory, and Mdsv2-series Medium Memory VM families allowing your virtual machine to burst its disk IO and throughput performance for a short time, daily. This enables VMs to handle unforeseen spiky disk traffic smoothly and process batched jobs with speed. There is no additional cost associated with this new capability or adjustments on the VM pricing and it comes enabled by default.
Automatically delete a VM and its associated resources simultaneously
Automatically delete disks, NICs and Public IPs associated with a VM at the same time you delete the VM. With this feature, you can specify the associated resources that should be automatically deleted when you delete a VM. This will allow you to save time and simplify the VM management process.
Storage
Azure NetApp Files: new region and cross-region replication
Azure NetApp Files is now available in Australia Central 2. Additionally, cross-region replication has been enabled between Australia Central and Australia Central 2 region pair.
Application consistent snapshot tool (AzAcSnap) v5.1 is a command-line tool that enables you to simplify data protection for third-party databases (SAP HANA) in Linux environments (for example, SUSE and RHEL).
The public preview of application consistent snapshot tool v5.1 supports the following new capabilities:
Oracle Database support
Backint Co-existence
RunBefore and RunAfter capability
These new features can be used with Azure NetApp Files, Azure BareMetal, and now, Azure Managed Disk.
Networking
Application Gateway mutual authentication
Azure Application Gateway is announcing general availability for transport layer security (TLS) mutual authentication. Mutual authentication allows for two-way TLS certificate-based authentication, which allows both client and server to verify each other’s identity. This release strengthens your zero trust networking posture and enables many connected devices, IoT, business to business, and API security scenarios.
You can upload multiple client certificate authority (CA) certificate chains on the Application Gateway to use for client authentication. You can also choose to enable frontend mutual authentication at a per-listener level on Application Gateway. Microsoft is also adding enhancements to server variables supported on Application Gateway to enable you to pass additional client certificate information to backend as HTTP headers.
With this release Microsoft is also extending support for listener specific TLS policies which allows you to configure predefined or custom TLS policies at a per listener granularity, instead of global TLS policies.
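As an added example (not code from the original post or from Microsoft), the following Az.Network PowerShell sequence enables the two capabilities described above on one listener of an existing Application Gateway: a trusted client CA chain with mutual authentication, and a listener-specific predefined TLS policy. The resource group, gateway, listener and file names in the variables are assumptions; the cmdlet names are taken from the Az.Network module.

```powershell
# Added example (not from the original post). Enables frontend mutual TLS on a
# single listener of an existing Application Gateway and gives that listener its
# own TLS policy. All $-variables below are assumed names.
$rgName       = 'rg-appgw-demo'    # assumed resource group
$gwName       = 'appgw-demo'       # assumed existing Application Gateway (v2 SKU)
$listenerName = 'listener-mtls'    # assumed existing HTTPS listener
$caChainFile  = 'C:\certs\client-ca-chain.pem'   # assumed PEM: root + intermediates

$appGw = Get-AzApplicationGateway -ResourceGroupName $rgName -Name $gwName

# 1. Upload the client CA chain. Only client certificates that chain to this CA
#    are accepted on the listener; further chains can be added for other CAs.
$appGw = Add-AzApplicationGatewayTrustedClientCertificate -ApplicationGateway $appGw `
    -Name 'client-ca-chain' -CertificateFile $caChainFile
$trustedCa = Get-AzApplicationGatewayTrustedClientCertificate -ApplicationGateway $appGw `
    -Name 'client-ca-chain'

# 2. Listener-specific TLS policy: a strict predefined policy (TLS 1.2 only,
#    strong cipher suites) instead of the gateway-wide default.
$sslPolicy = New-AzApplicationGatewaySslPolicy -PolicyType Predefined `
    -PolicyName 'AppGwSslPolicy20170401S'

# 3. Client authentication settings: also verify the issuer DN of the
#    presented client certificate against the uploaded chain.
$clientAuth = New-AzApplicationGatewayClientAuthConfiguration -VerifyClientCertIssuerDN

# 4. Bundle policy, client-auth settings and trusted CA into an SSL profile.
$appGw = Add-AzApplicationGatewaySslProfile -ApplicationGateway $appGw -Name 'mtls-profile' `
    -SslPolicy $sslPolicy -ClientAuthConfiguration $clientAuth `
    -TrustedClientCertificates $trustedCa
$sslProfile = Get-AzApplicationGatewaySslProfile -ApplicationGateway $appGw -Name 'mtls-profile'

# 5. Attach the profile to the listener, keeping its existing frontend IP,
#    port and server certificate.
$listener = Get-AzApplicationGatewayHttpListener -ApplicationGateway $appGw -Name $listenerName
$appGw = Set-AzApplicationGatewayHttpListener -ApplicationGateway $appGw -Name $listenerName `
    -Protocol Https `
    -FrontendIPConfigurationId $listener.FrontendIpConfiguration.Id `
    -FrontendPortId $listener.FrontendPort.Id `
    -SslCertificateId $listener.SslCertificate.Id `
    -SslProfileId $sslProfile.Id

# 6. Commit. Connections without a certificate chaining to the uploaded CA are
#    now rejected at the gateway, before any request reaches the backend.
$appGw = Set-AzApplicationGateway -ApplicationGateway $appGw

# Caveat: if you forward client certificate details to the backend as HTTP
# headers via server variables, make the backend accept those headers only from
# the gateway's subnet, so a request that bypasses the gateway cannot supply them.
```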
Businesses should adopt flexible and cutting-edge solutions to achieve greater stability, continuity and resilience of the main application workloads that support their core business. Azure VMware Solution (AVS) is the service designed, built and supported by Microsoft, and approved by VMware, which allows customers to easily extend or completely migrate their VMware applications residing on-premises to Azure. This article lists the key aspects of this solution that benefits from the efficiency of Microsoft's public cloud, while maintaining operational consistency with the VMware environment.
What is Azure VMware Solution (AVS)?
Azure VMware Solution (AVS) is a service that allows you to provision and run a full VMware Cloud Foundation environment on Azure. VMware Cloud Foundation is VMware's hybrid cloud platform for managing virtual machines and orchestrating containers, where the entire stack is based on a hyperconverged infrastructure (HCI). This architecture model ensures consistent infrastructure and operations across any private and public cloud, including Microsoft Azure.
Figure 1 – Azure VMware Solution overview
Azure VMware Solution allows customers to adopt the full set of VMware features, with the guarantee of carrying the "VMware Cloud Verified" validation. This solution helps to achieve consistency, performance and interoperability for existing VMware workloads, without sacrificing the speed, scalability and availability of Azure's global infrastructure.
An Azure VMware Solution Private Cloud includes:
Dedicated bare-metal servers provided with ESXi VMware hypervisor
vCenter server for managing ESXi and vSAN
VMware NSX-T software-defined networking for vSphere VMs
On these infrastructures, it will be possible to create, deploy or migrate VMware virtual machines, but with the advantage of also using the various services offered by Azure.
Main adoption scenarios
The Azure VMware solution can be adopted to address the following scenarios:
Need to expand your datacenter
Disaster recovery and business continuity
Application Modernization
Reduction, consolidation or decommissioning of your datacenter
Thanks to this solution, it is possible to redeploy your VMware-based virtual machines in an automated, scalable and highly available way without changing the underlying vSphere hypervisor. Systems can be migrated by adopting native VMware solutions (VMware HCX) or by using Azure Migrate.
Benefits of the solution
Among the main benefits of adopting this solution it is possible to mention:
Ability to take advantage of investments already made in the skills and tools for managing on-premises VMware environments.
Modernization of your application workloads by adopting Azure services and without facing interruptions.
Convenience, especially for running Windows and SQL Server workloads. In fact, customers who adopt this solution are entitled to three years of free extended security updates for Windows Server and SQL Server. Furthermore, being in effect an Azure service, Azure VMware Solution supports Azure Hybrid Benefit, which allows you to maximize the investments made in local Windows Server and SQL Server licenses during the migration or extension to Azure. Finally, you can get a financial benefit by buying Reserved Instances (for 1 or 3 years) to save on the cost of Azure VMware Solution.
Features of the solution
The Azure Private Cloud infrastructure contains vSphere clusters on dedicated bare-metal systems, able to scale from 3 to 16 hosts. It also provides the ability to have multiple clusters in a single Azure Private Cloud. The hosts are high-end and equipped with two 18-core, 2.3 GHz Intel processors and 576 GB of RAM.
Storage
Azure Private Clouds provide cluster-level storage using the VMware vSAN software-defined storage technology. All local storage of each host in a cluster is used in a vSAN datastore, and at-rest data encryption is enabled by default. The vSAN datastore also enables deduplication and data compression.
All disk groups use a 1.6 TB NVMe cache with a raw capacity of 15.4 TB per host, based on SSD disks. The raw capacity of a cluster is the capacity per host multiplied by the number of nodes.
You can use Azure storage to extend the storage capacity of these private clouds. For more information about storage, see the Microsoft-specific documentation.
Networking
The solution offers a private cloud environment accessible from on-premises and Azure-based resources. Services like Azure ExpressRoute, VPN connections or Azure Virtual WAN are required to ensure connectivity.
In particular, ExpressRoute is used to connect physical components to the Azure backbone. Since Virtual Network Gateways connected to an ExpressRoute circuit cannot pass traffic between two circuits (one circuit will go to the on-premises environment and one will go to the Azure VMware solution) Microsoft uses the feature ExpressRoute Global Reach to directly connect the local circuit to AVS.
Figure 3 – Azure VMware Solution Networking
If ExpressRoute Global Reach cannot be activated, it is possible to evaluate the adoption of a routing solution using third-party network virtual appliances (NVA) or Azure Virtual WAN. In the NVA scenario, Azure Route Server becomes useful, as it simplifies dynamic routing between the network virtual appliance (NVA) and the Azure virtual network. Azure Route Server allows you to exchange routing information directly through the Border Gateway Protocol (BGP) between any NVA that supports this protocol and the Azure virtual network, without the need to configure or maintain routing tables.
When you activate an Azure Private Cloud with Azure VMware Solution, private networks are created for management, provisioning and vMotion functionality.
For further information on networking, see the Microsoft documentation and this document where more details are reported on possible scenarios to ensure connectivity.
Access and security
In order to achieve greater security, Azure VMware Solution private clouds use vSphere role-based access control. vSphere SSO LDAP features can be integrated with Azure Active Directory. For more information on this, see this Microsoft document.
Management of updates and maintenance of the solution
One of the main advantages of this solution is that the platform is maintained by Microsoft and automatic and regular updates are included, providing the latest feature sets and increased security and stability.
The components of the Azure VMware solution that are subject to updates are as follows:
vCenter and ESXi
vSAN
NSX-T
Underlying hardware with bare metal node and network switch drivers and firmware
The following updates are applied to the Azure VMware solution:
Security patches and bug fixes released by VMware.
Major and minor version updates of VMware components.
In addition to performing updates, the Azure VMware solution also provides a backup of the configuration of the following VMware components:
vCenter Server
NSX-T Manager
More details about maintenance and platform updates can be found in this Microsoft article.
Support and Responsibility
Azure VMware Solution is validated, supported and certified by VMware and Microsoft. The support of the solution is provided by Microsoft which is always the first and only point of contact for the customer. If necessary, Microsoft will coordinate with VMware support for specific issues regarding VMware solutions.
Azure VMware Solution uses a shared responsibility model according to the following matrix:
Azure VMware Solution can count on a high degree of security consisting of the following factors:
Figure 5 – Factors that make up the security of Azure VMware Solution
Solution availability
The solution can be adopted in production environments and is currently available on several Azure regions, available at this link.
Solution monitoring
Complete monitoring of the solution can be done via Azure Monitor, which automatically starts collecting its logs once the solution is activated in the Azure subscription. Furthermore, you can install the Azure Monitor agent on the Linux and Windows virtual machines hosted in the private clouds of Azure VMware Solution, and you can also enable the Azure diagnostics extension.
Conclusions
Thanks to the close collaboration between Microsoft and VMware, this solution offers customers who already have an on-premises VMware environment the same possibilities in the Microsoft public cloud, while being able to adopt the wide range of services offered by Azure. Furthermore, this solution allows you to take advantage of a consistent operating model that can increase the agility, deployment speed and resiliency of your business-critical workloads.
Deployment enhancements for SQL Server on Azure Virtual Machines
With this update to the Azure Marketplace SQL Server image, you can now configure the instance during deployment. Most companies have standards for their SQL instances and can now make configuration changes during deployment instead of keeping the preconfigured image settings: items like moving the system databases to a data disk, configuring tempdb data and log files, configuring the amount of memory, and more. During SQL VM deployment, under SQL Server Settings, you have the option to change the defaults by clicking Change Configuration for storage, or Change SQL Instance settings to customize memory limits, collation, and ad hoc workloads.
Networking
New Azure Firewall capabilities
New Azure Firewall capabilities are available:
Azure Firewall network rule name logging: previously, the event of a network rule hit would show the source, destination IP/port, and the action, allow or deny. With the new functionality, the event logs for network rules will also contain the policy name, Rule Collection Group, Rule Collection, and the rule name hit.
Azure Firewall premium performance boost: this feature increases the maximum throughput of the Azure Firewall Premium by more than 300 percent (to 100Gbps).
Performance whitepaper: to provide customers with a better visibility into the expected performance of Azure Firewall, Microsoft is releasing the Azure Firewall Performance documentation.
Azure Bastion now supports file transfer via the native client (preview)
With the new Azure Bastion native client support in public preview and included in Standard SKU, you can now:
Use either SSH or RDP to upload files to a VM from your local computer.
Use RDP to download files from a VM to your local computer.
Custom virtual network support in Azure Container Apps (preview)
You can now create Azure Container Apps environments into new or existing virtual networks. This enables Container Apps to receive private IP addresses, maintain outbound internet connectivity, and communicate privately with other resources on the same virtual network.
New features are constantly added to Azure NetApp Files and previously released preview features are moved into general availability. The following capabilities have recently received general availability status and no longer need registration for use:
The new year started with several announcements from Microsoft regarding news related to Azure management services. The monthly release of this summary gives you an overall overview of the main news of the month, in order to stay up to date on these topics and have the necessary references to conduct further exploration.
The following diagram shows the different areas related to management, which are covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.
Figure 1 – Management services in Azure overview
Monitor
Azure Monitor
News regarding Azure Monitor alerts
The following changes have been introduced in Azure Monitor regarding alerts:
Frequency of 1 minute for log alerts. Log alerts allow users to use a Log Analytics query to evaluate resource logs at a set frequency and fire an alert based on the results obtained. Rules can trigger one or more actions using Action Groups. You now have the ability to evaluate the alert query every minute, thus reducing the overall time to fire a log alert. When adopting this evaluation frequency, it should be taken into account that it also has an impact on Azure Monitor costs.
New way of creating alert rules: the experience of creating an alert rule has been transformed from an articulated process into a simple and intuitive wizard.
New agent: support for Private Links
The new Azure Monitor agent introduced support for network configurations via private link. This configuration allows you to operate in restricted environments that require special network requirements and a high degree of isolation.
New version of the agent for Linux systems
A new version of the Log Analytics agent has been released this month for Linux systems thanks to which several improvements and greater stability are introduced.
Govern
Azure Cost Management
Improvements in Azure Advisor recommendations for virtual machines
Azure has improved the Azure Advisor recommendation named “Shutdown/Resize your virtual machines”. This recommendation offers customers the opportunity to save costs by targeting virtual machines that are not being used efficiently.
The main improvements are:
Resizing across different SKU families: up to this new version, the sizing recommendations provided by Azure Advisor were mostly within the same SKU family. This means that if you were using a D3 v2 inefficiently, a D2 v2 or a D1 v2 was recommended, or a smaller SKU within the same family. Now, to increase savings, the recommendations take into account the ability to move to different families, using SKUs that fit the workload based on the data collected.
Adoption of new versions of SKU families: in general, newer versions of SKU families are more optimized, offer more features and a better performance/cost ratio than previous versions. If the workload is found to be running on an older version and can achieve cost benefits on a newer version without impacting performance, this is reported by Azure Advisor.
Improvements in the quality of recommendations: Microsoft received feedback that some recommendations were not feasible because they did not take certain criteria into account. To improve the quality of the recommendations, they are now generated taking into account even more characteristics, such as accelerated networking support, support for premium storage, availability in a region, inclusion in an availability set, etc. Furthermore, to increase the quality, robustness and applicability of the recommendations, the entire recommendation engine has been completely revamped and is now based on new, cutting-edge machine learning algorithms.
Multitasking in cost analysis (preview)
Azure Cost Management introduces a new cost analysis experience that allows you to perform cost analyses more effectively. The preview includes a new tabbed experience to simplify analysis: starting from an integrated view list, you can open multiple tabs to explore different cost aspects at the same time.
Updates related to Azure Cost Management and Billing
Microsoft is constantly looking for new ways to improve Azure Cost Management and Billing, the solution that provides greater visibility into where costs are accumulating in the cloud, identifies and prevents incorrect spending patterns, and optimizes costs. In this article some of the latest improvements and updates regarding this solution are reported.
Secure
Microsoft Defender for Cloud
New features, bug fixes and deprecated features of Microsoft Defender for Cloud
Microsoft Defender for Cloud is constantly evolving and improvements are made on an ongoing basis. To stay up to date on the latest developments, Microsoft updates this page, which provides information about new features, bug fixes and deprecated features. In particular, this month the main news concern:
Microsoft Defender for Resource Manager has been updated with new alerts, and a greater emphasis has been placed on high-risk operations mapped to the MITRE ATT&CK® Matrix
Introduced recommendations for enabling Microsoft Defender plans on workspaces (preview)
Automatic provisioning of the Log Analytics agent on Azure Arc-enabled machines (preview)
Protect
Azure Backup
Changes in security settings
Azure Backup recently released the following changes regarding security settings for workloads protected by Microsoft Azure Recovery Service Agent, Azure Backup Server, or System Center Data Protection Manager:
Integration with MUA (Multi-user authorization): the “disable security features” operation is now defined as a critical operation that can be protected by a Resource Guard.
To provide protection against accidental or harmful elimination, it is no longer possible to unregister a protected server if the security features are enabled for the vault and there are associated backup items, in active or soft delete state.
Customers will not have to incur any costs for backup data kept in the soft delete state.
The backup policy is not applied to data kept in the soft delete state and therefore no data is deleted for 14 days.
Azure Site Recovery
Support for Azure Policy
Microsoft has introduced the ability to use Azure Policy to enable Azure Site Recovery for virtual machines (VMs) at scale, thus allowing you to adhere to organizational standards more easily and quickly. After creating a disaster recovery policy for a specific subscription or resource group, all new virtual machines added to that subscription or resource group will have Azure Site Recovery enabled automatically. The policy in question is called "Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery". In addition to enabling replication for virtual machines at scale, the policy makes it possible to maintain control over compliance with organizational standards. In fact, policy compliance can be monitored and, if virtual machines are found to be non-compliant, you can create a remediation task to bring the subscription or resource group to 100% compliance.
Support for Managed Disks of Zone Redundant Storage type (ZRS)
Azure Site Recovery (ASR) introduced support for ZRS type managed disks. Therefore, ASR now allows you to protect virtual machines that take advantage of ZRS managed disks, replicating them in a secondary region of your choice. ASR identifies the source disks as ZRS managed disks and creates equivalent ZRS managed disks in the secondary region. If there is an outage in a region and it is necessary to fail over to the secondary region, ASR will activate the virtual machines in the secondary region with ZRS managed disks, ensuring the same level of resilience.
Migrate
Azure Migrate
New Azure Migrate releases and features
Azure Migrate is the Azure service that brings together a large portfolio of tools which, through a guided experience, let you effectively address the most common migration scenarios. To stay up to date on the latest developments in the solution, consult this page, which provides information about new releases and features.
Evaluation of Azure
To test for free and evaluate the services provided by Azure you can access this page.
Microsoft is announcing a price reduction on the DCsv2 and DCsv3-series VMs by up to 33%. The price reduction enables the data protection benefits of ACC with no premium compared to general purpose VMs on a per physical core basis. New prices took effect on 1/1/2022. If you are already using DCsv2 and DCsv3-series VMs prior to 1/1/2022, you will see the price reduction in your next bill.
Storage
Azure Ultra Disk Storage is available in West US 3
Azure Ultra Disk Storage is now available in West US 3. Azure Ultra Disks offer high throughput, high IOPS, and consistent low latency disk storage for Azure virtual machines (VMs). Ultra Disks are suited for data-intensive workloads such as SAP HANA, top tier databases, and transaction-heavy workloads.
Networking
Multiple custom BGP APIPA addresses for active VPN gateways
All SKUs of active-active VPN gateways now support multiple custom BGP APIPA addresses for each instance. Automatic Private IP Addressing (APIPA) addresses are commonly used as the BGP IP addresses for VPN connectivity. In addition to many on-premises VPN devices requiring multiple custom APIPA addresses for BGP, this feature enables BGP connections to Amazon Web Services (AWS) and other cloud providers.
Load Balancer SKU upgrade through PowerShell script
You can now upgrade your Azure Load Balancer from Basic SKU to Standard SKU by using a PowerShell script. By upgrading to Standard SKU, the Load Balancer enables the network layer traffic to drive higher performance and stronger resiliency, along with an improved integration experience with other Azure services. The PowerShell script creates the Standard SKU Load Balancer with the same configurations as the Basic Load Balancer. In addition, the script migrates the backend resources to the Standard Load Balancer for you.
Azure Traffic Manager: additional IP addresses for endpoint monitoring service
Traffic Manager uses a probing mechanism to evaluate your application endpoints. To enhance the capacity of its probing plane, Microsoft will be increasing the number of probes deployed within Traffic Manager’s endpoint monitoring service over the next few years to keep pace with growth. Your applications will see an increase in the number of health probes, and some of these probes may originate from new IP addresses. These changes will start to go live on 21st January 2022 at 20:00 UTC.
Recommended action: if you use a network access control mechanism (e.g., Azure Firewall or Network Security Groups) and are not using the AzureTrafficManager service tag, continue checking this updated list of IP addresses each Wednesday, until further notice, to ensure you allow incoming traffic from the new IP addresses. Failure to do so may cause some Traffic Manager health probes for your application endpoints to fail and may result in traffic being misrouted. No action is required if network access control isn’t used, or if it is used with the AzureTrafficManager service tag.
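The check recommended above, written out as an added example (not code from the original article or from any Microsoft tool): given an NSG's inbound rules and the current list of probe source addresses, it reports which probe addresses would be denied, and short-circuits to "nothing to do" when the AzureTrafficManager service tag is already allowed. The rule set and the probe addresses are constructed placeholders; in practice the probe prefixes come from Microsoft's published list and the rules from your own NSG or firewall export.

```python
"""Check whether Traffic Manager health-probe source IPs are allowed by an NSG.

Added example, not part of the original article or of any Microsoft tool.
The rules and probe IP addresses below are constructed placeholders: real
probe prefixes come from Microsoft's published list (re-checked weekly, as the
article advises) and real rules from your own NSG or firewall export.
"""
import ipaddress

TRAFFIC_MANAGER_TAG = "AzureTrafficManager"

# Constructed inbound NSG rules as (name, priority, access, source).
# `source` is either a CIDR prefix or a service-tag name; lower priority
# numbers are evaluated first, and the first matching rule decides.
SAMPLE_RULES = [
    ("AllowProbesOld", 100, "Allow", "203.0.113.0/24"),
    ("AllowMgmt", 110, "Allow", "198.51.100.10/32"),
    ("DenyAllInbound", 4096, "Deny", "0.0.0.0/0"),
]

# Constructed probe source addresses standing in for the published list.
SAMPLE_PROBE_IPS = ["203.0.113.7", "192.0.2.44", "198.51.100.10"]


def uses_service_tag(rules, tag=TRAFFIC_MANAGER_TAG):
    """True if an Allow rule references the Traffic Manager service tag.

    In that case Microsoft maintains the prefixes behind the tag and, as the
    article says, no manual allow-listing is needed.
    """
    return any(access == "Allow" and source == tag
               for _name, _prio, access, source in rules)


def first_matching_rule(rules, ip):
    """Return the first rule (by ascending priority) whose CIDR covers `ip`.

    Service-tag sources are skipped because their prefixes are not known
    offline; None means no explicit rule matched, which leaves the NSG's
    default DenyAllInBound rule in effect for Internet-sourced probes.
    """
    addr = ipaddress.ip_address(ip)
    for rule in sorted(rules, key=lambda r: r[1]):
        source = rule[3]
        try:
            network = ipaddress.ip_network(source, strict=False)
        except ValueError:
            continue  # service tag or malformed source
        if addr in network:
            return rule
    return None


def blocked_probe_ips(rules, probe_ips):
    """Probe IPs whose traffic would be denied by the given rules.

    Returns an empty list when the AzureTrafficManager tag is allowed,
    because then every published probe address is covered automatically.
    """
    if uses_service_tag(rules):
        return []
    blocked = []
    for ip in probe_ips:
        rule = first_matching_rule(rules, ip)
        if rule is None or rule[2] != "Allow":
            blocked.append(ip)
    return blocked


if __name__ == "__main__":
    for ip in blocked_probe_ips(SAMPLE_RULES, SAMPLE_PROBE_IPS):
        print(f"probe source {ip} would be blocked; health checks may fail")
```

Run against the constructed rules, the script reports `192.0.2.44` as blocked: it is not covered by either Allow rule and falls through to the explicit deny, which is exactly the situation that makes health probes fail and traffic get misrouted. Replacing the per-prefix Allow rules with one rule whose source is the AzureTrafficManager tag makes the weekly check unnecessary.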
When you decide to undertake a strategy based on a hybrid cloud, that combines on-premises IT resources with public cloud resources and services, it is advisable to carefully consider how to connect your local network with the virtual networks present in the public cloud. In Azure one option is to use ExpressRoute, a private and dedicated connection that takes place through a third-party connectivity provider. This article describes possible network architectures with ExpressRoute, together with a series of precautions to be taken into consideration for a successful deployment.
A site-to-site VPN is very often used to establish connectivity between on-premises resources and the resources hosted on virtual networks in the Azure environment. This type of connectivity is ideal for the following use cases:
Development, test and lab environments, but also production workloads where the resources located in Azure do not make intensive or strategic use of the connectivity to the on-premises environment, and vice versa.
When the bandwidth and speed available over the hybrid connection are acceptable.
There are, however, use cases where, according to Microsoft best practices, ExpressRoute should be configured to ensure bidirectional connectivity between the customer's on-premises network and Azure virtual networks (VNets). ExpressRoute is suitable for the following use cases:
When high-speed, low-latency connections with high availability and resilience are required.
In the presence of mission-critical workloads that use hybrid connectivity.
What is ExpressRoute?
ExpressRoute lets you activate a dedicated private connection, provided by a third-party connectivity provider, to extend the on-premises network to Azure. ExpressRoute connections do not go through the public internet, so they can offer a higher level of security, greater reliability, faster speeds and more consistent latencies than typical internet connections.
Figure 1 - ExpressRoute logic diagram
ExpressRoute connections enable access to the following services:
Microsoft Azure services (scenario covered in this article).
Microsoft 365 services. Microsoft 365 has been designed to be accessed securely and reliably over the Internet, so it is recommended that you use ExpressRoute with Microsoft 365 only in certain scenarios, as described in this Microsoft article.
An ExpressRoute connection between the local network and the Microsoft cloud can be created through four different connectivity models:
Figure 2 - ExpressRoute connectivity models
Connectivity providers can offer one or more connectivity models and you can choose the most appropriate model for your connectivity needs.
Reference architectures
The following reference architecture shows how you can connect your on-premises network to virtual networks in Azure, using Azure ExpressRoute.
Figure 3 - Reference architecture to extend a local network with ExpressRoute
The architecture consists of the following components:
On-premises corporate network (“On-premises network” in the diagram). This is the customer's private local network.
Local edge routers. These are the routers that connect the local network to the circuit managed by the provider.
ExpressRoute circuit. A Layer 2 or Layer 3 circuit, provided by the connectivity provider, that joins the local network to Azure through the edge routers. The circuit uses hardware infrastructure managed by the connectivity provider.
Microsoft edge routers. These are routers in an active-active high-availability configuration that allow the connectivity provider to connect its circuits directly to the Microsoft datacenter.
Virtual network gateway (ExpressRoute). The ExpressRoute virtual network gateway enables the Azure virtual network (VNet) to connect to the ExpressRoute circuit used for connectivity with the local network.
Azure virtual networks (VNet). The virtual networks residing in an Azure region.
In the architecture described above, ExpressRoute will be used as the primary connectivity channel to connect the on-premises network to Azure.
Furthermore, it is possible to use a site-to-site VPN connection as a source of backup connectivity to improve connectivity resilience. In this case, the reference architecture will be the following:
Figure 4 - Reference architecture to use both ExpressRoute and a site-to-site VPN connection
In addition to the architectural components described above, this scenario includes the following components:
On-premises VPN appliance. A device or service that provides external connectivity for the local network. The VPN appliance can be a hardware device or a supported software solution for connecting to Azure.
Virtual network gateway (VPN). The VPN virtual network gateway allows the virtual network to connect to the VPN appliance in the local network.
VPN connection. The connection has properties that specify the connection type (IPsec) and the shared key used with the local VPN appliance to encrypt the traffic.
How to monitor ExpressRoute
To monitor network resources in the presence of ExpressRoute connectivity, you can use the Azure Monitor platform, through which you can check the availability, performance, usage and operation of this connectivity.
A screenshot of the solution is shown as an example.
Figure 5 – ExpressRoute circuit monitor via Azure Monitor
This solution provides a detailed topology map of all ExpressRoute components (peerings, connections, gateway) and their relationships. The detailed network information for ExpressRoute includes a dashboard through which you can consult metrics such as actual speed, any network packet drops and gateway metrics.
As an example, a dashboard screen is shown with the total throughput of inbound and outbound traffic for the ExpressRoute circuit (expressed in bits per second). You can also view the throughput of individual connections.
Figure 6 - Metrics relating to the Throughput of ExpressRoute connections
In the security baseline for ExpressRoute, which refers to version 1.0 of the Azure Security Benchmark (the Azure-specific set of guidelines created by Microsoft), Microsoft provides several recommendations that should be followed. Among the main ones to adopt are:
Defining and implementing standard security configurations for Azure ExpressRoute using Azure Policy.
Using tags on Azure ExpressRoute components to provide metadata and a logical, structured organization of resources.
Applying resource locks to prevent accidental deletion or unwanted modification of the Azure components that make up the ExpressRoute configuration.
Using Azure platform tools to monitor the configuration of network resources and detect changes to the network resources of ExpressRoute connections, and creating alerts in Azure Monitor that fire when critical resources are changed.
Configuring centralized collection of Activity Logs for ExpressRoute components.
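The last two recommendations (detecting changes to ExpressRoute resources and collecting Activity Logs centrally) come together in the following added example, which is not code from the original article or from Azure. It parses a batch of Activity Log events and flags completed write or delete operations on the resource types that make up the ExpressRoute architecture described earlier (circuits, peerings, connections, virtual network gateways), which is the kind of rule an Azure Monitor alert or a SIEM query would implement. The events are constructed samples shaped like exported Activity Log records; the subscription id, resource names and callers are placeholders.

```python
"""Flag Activity Log events that change or delete ExpressRoute resources.

Added example, not part of the original article or of any Azure tool. The
events below are constructed samples shaped like exported Azure Activity Log
records (operationName, resourceId, status, caller, eventTimestamp); the
subscription id, resource names and callers are placeholders.
"""
import json

# Resource types behind the ExpressRoute components the article lists:
# circuit, peering, connection and virtual network gateway (lower-cased,
# because operation names are compared case-insensitively).
WATCHED_TYPES = {
    "microsoft.network/expressroutecircuits",
    "microsoft.network/expressroutecircuits/peerings",
    "microsoft.network/connections",
    "microsoft.network/virtualnetworkgateways",
}
ALERT_ACTIONS = {"write", "delete"}

# Constructed sample export: one circuit update, one read, one gateway
# deletion (logged twice, as Started and Succeeded) and an unrelated VM write.
SAMPLE_EVENTS_JSON = """[
 {"operationName": {"value": "Microsoft.Network/expressRouteCircuits/write"},
  "resourceId": "/subscriptions/<sub-id>/resourceGroups/rg-net/providers/Microsoft.Network/expressRouteCircuits/er-circuit-1",
  "status": {"value": "Succeeded"}, "caller": "user1@example.com", "eventTimestamp": "2022-02-10T09:00:00Z"},
 {"operationName": {"value": "Microsoft.Network/expressRouteCircuits/read"},
  "resourceId": "/subscriptions/<sub-id>/resourceGroups/rg-net/providers/Microsoft.Network/expressRouteCircuits/er-circuit-1",
  "status": {"value": "Succeeded"}, "caller": "user2@example.com", "eventTimestamp": "2022-02-10T09:05:00Z"},
 {"operationName": {"value": "Microsoft.Network/virtualNetworkGateways/delete"},
  "resourceId": "/subscriptions/<sub-id>/resourceGroups/rg-net/providers/Microsoft.Network/virtualNetworkGateways/er-gw-1",
  "status": {"value": "Started"}, "caller": "user1@example.com", "eventTimestamp": "2022-02-10T09:10:00Z"},
 {"operationName": {"value": "Microsoft.Network/virtualNetworkGateways/delete"},
  "resourceId": "/subscriptions/<sub-id>/resourceGroups/rg-net/providers/Microsoft.Network/virtualNetworkGateways/er-gw-1",
  "status": {"value": "Succeeded"}, "caller": "user1@example.com", "eventTimestamp": "2022-02-10T09:12:00Z"},
 {"operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
  "resourceId": "/subscriptions/<sub-id>/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-1",
  "status": {"value": "Succeeded"}, "caller": "user3@example.com", "eventTimestamp": "2022-02-10T09:15:00Z"}
]"""


def load_events(json_text):
    """Parse an Activity Log export (a JSON array of event records)."""
    return json.loads(json_text)


def split_operation(operation_name):
    """Split 'Provider/type[/subtype]/action' into (resource_type, action)."""
    parts = operation_name.lower().split("/")
    if len(parts) < 3:
        return None, None
    return "/".join(parts[:-1]), parts[-1]


def is_expressroute_change(event):
    """True for a completed write or delete on a watched resource type."""
    resource_type, action = split_operation(event["operationName"]["value"])
    if resource_type not in WATCHED_TYPES or action not in ALERT_ACTIONS:
        return False
    # The Activity Log records Started and then Succeeded/Failed for one
    # operation; alert once, on success, so each change yields one alert.
    return event.get("status", {}).get("value") == "Succeeded"


def flag_changes(events):
    """Return (timestamp, action, resourceId, caller) for each alert-worthy event."""
    flagged = []
    for event in events:
        if is_expressroute_change(event):
            _type, action = split_operation(event["operationName"]["value"])
            flagged.append((event["eventTimestamp"], action,
                            event["resourceId"], event.get("caller", "unknown")))
    return flagged


if __name__ == "__main__":
    for when, action, resource, caller in flag_changes(load_events(SAMPLE_EVENTS_JSON)):
        print(f"{when} {action.upper():6} {resource} by {caller}")
```

On the constructed sample this yields two alerts, the circuit update and the gateway deletion, while the read and the unrelated VM write are ignored and the gateway's "Started" record does not produce a duplicate. The resource-lock recommendation above is the complementary preventive control: with a CanNotDelete lock in place, the delete would have failed and shown up here with a Failed status instead of Succeeded.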
Conclusions
ExpressRoute offers a fast and reliable connection to Azure with bandwidths of up to 100 Gbps. It is therefore an ideal option for specific scenarios such as periodic data migration, replication for business continuity purposes, disaster recovery, and the implementation of high-availability strategies. Thanks to ExpressRoute's high speed and low latency, Azure feels like a natural extension of your datacenters, letting you take advantage of the scalability and innovation of the public cloud without compromising on network performance.
In the past two weeks, Microsoft hasn’t made any major announcements regarding these topics. However, here are some links to interesting videos made by John Savill, Principal Cloud Solution Architect at Microsoft: