Category Archives: Datacenter Management

Everything you need to know about Windows Server 2022 – Part 2 of 2

The new operating system Windows Server 2022, built on the solid foundation of its predecessor Windows Server 2019, brings numerous innovations in security, in integration and hybrid management with the Azure environment, and as an application platform. The article is divided into two parts: the first part discussed the available editions, the functionality for hybrid environments and the aspects related to the application platform. This second part covers the main features of the new server operating system in the security and storage areas, and more.

Security

Windows Server 2022 combines different security features in different areas to provide advanced multi-layered protection capable of effectively countering increasingly sophisticated security threats.

Secured-core server

Windows Server 2022 is part of Microsoft's Secured-core program. The program was initially launched with PC hardware partners and has since been extended to servers. Secured-core provides security that spans hardware and firmware and is integrated with operating system features, helping to protect servers from advanced threats.

Using a combination of identity features, virtualization, operating system and hardware defenses, Secured-Core servers offer both hardware and software protection. With Windows Defender System Guard, integrated into Windows Server 2022, Secured-Core servers allow organizations to have guarantees on the integrity of the operating system and checks to help prevent firmware attacks.

Secured-core server is based on three fundamental pillars:

  • Simplified security: when purchasing hardware from an OEM for Secured-core servers, you can be sure that the vendor provides a hardware set with firmware and drivers capable of fulfilling the Secured-core promise. Furthermore, the Windows Server configuration experience is simple, and the Secured-core security features can be enabled directly from Windows Admin Center.
  • Advanced security, covering the following areas:
    • Hardware root of trust (TPM 2.0 as standard)
    • Firmware protection
    • Virtualization-based security (VBS)
  • Preventive defense: enabling the Secured-core functionality helps to proactively defend systems and to close many of the paths that attackers use to compromise a system.

Secure connectivity

To increase the level of security in communications, in Windows Server 2022 the following new features have been introduced:

  • Transport: HTTPS and TLS 1.3 enabled by default
  • Secure DNS: DNS name resolution requests encrypted with DNS-over-HTTPS
  • Server Message Block (SMB): introduced support for AES-256 encryption for the SMB protocol
  • SMB: East-West SMB encryption controls for internal communications of cluster systems. Failover clusters now support granular control of intra-node communication encryption and signing for Cluster Shared Volumes (CSV) and for the storage bus layer (SBL). This means that when using Storage Spaces Direct, you can decide to encrypt or sign east-west communications within the cluster itself for greater security.
  • SMB over QUIC. QUIC is a standard protocol designed to provide a more reliable connection over untrusted networks, such as the Internet. QUIC uses a TLS 1.3 encrypted tunnel over UDP port 443. Inside this tunnel all SMB traffic, including the authentication and authorization exchange, is never exposed on the network, and SMB behaves in a completely normal way, offering its usual capabilities. SMB over QUIC in Windows Server 2022 Datacenter: Azure Edition uses the updated version of the SMB protocol (version 3.1.1). Using SMB over QUIC together with TLS 1.3, users and applications can securely and reliably access data on file servers running in Azure without having to use VPN connections.
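As an added example (not code from the original article), the following PowerShell script audits the SMB encryption posture of a Windows Server 2022 file server and, when run with -Enforce, requires encryption on selected shares and restricts negotiation to the AES-256 ciphers introduced above. It assumes an elevated session on the file server with the built-in SmbShare module; the share names in $SharesToEncrypt are placeholders.

```powershell
# Audit, and optionally enforce, SMB encryption on a Windows Server 2022 file server.
# Added example; share names below are placeholders, not from the original article.
param(
    [switch]$Enforce,                                 # without this switch the script only reports
    [string[]]$SharesToEncrypt = @('Finance', 'HR')   # placeholder share names (assumption)
)

# Cipher list for -EncryptionCiphers (Windows Server 2022 / Windows 11); order is preference.
# Restricting to AES-256 only excludes clients that support just AES-128 (pre-Windows 11 / WS2022).
$Aes256Only = 'AES_256_GCM,AES_256_CCM'

function Get-SmbEncryptionReport {
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        EncryptAllData          = $cfg.EncryptData               # global "encrypt every share" switch
        RejectUnencryptedAccess = $cfg.RejectUnencryptedAccess   # refuse clients that cannot encrypt
        EncryptionCiphers       = $cfg.EncryptionCiphers         # negotiable ciphers, preference order
        Smb1Enabled             = $cfg.EnableSMB1Protocol        # SMB1 cannot use encryption at all
        # Non-special (user-created) shares that do not require encryption
        UnencryptedShares       = @(Get-SmbShare |
                                    Where-Object { -not $_.Special -and -not $_.EncryptData } |
                                    Select-Object -ExpandProperty Name)
    }
}

Write-Host "Current SMB encryption posture:"
Get-SmbEncryptionReport | Format-List

if ($Enforce) {
    # Per-share encryption for the named shares; unknown share names are reported, not created.
    foreach ($name in $SharesToEncrypt) {
        if (Get-SmbShare -Name $name -ErrorAction SilentlyContinue) {
            Set-SmbShare -Name $name -EncryptData $true -Force
        } else {
            Write-Warning "Share '$name' not found; skipping."
        }
    }
    # Refuse unencrypted access from clients that cannot negotiate SMB 3 encryption
    # and limit the cipher set to AES-256 GCM/CCM.
    Set-SmbServerConfiguration -RejectUnencryptedAccess $true -EncryptionCiphers $Aes256Only -Force

    Write-Host "Posture after enforcement:"
    Get-SmbEncryptionReport | Format-List
}
```

Review the UnencryptedShares list and the client population before enforcing: RejectUnencryptedAccess and an AES-256-only cipher list will disconnect clients that cannot meet those requirements.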

Storage innovations

In the storage area Windows Server 2022 brings the following innovations:

  • Storage Migration Service: there are several improvements regarding this service, useful for simplifying storage migrations to both Windows Server and Azure, including:
    • Migration of local users and groups to the new server.
    • Storage migration between failover clusters, and migration between standalone servers and failover clusters.
    • Storage migration from Linux servers using Samba.
    • Easier synchronization of migrated shares with Azure, using Azure File Sync.
    • Easier migration to new environments, such as Azure.
    • Migration of NetApp CIFS servers from NetApp FAS arrays to Windows servers and clusters.
  • Storage Spaces Direct introduces the new User adjustable storage repair speed feature, which gives you greater control over the data resync process by allocating resources either to repairing copies of the data (resilience) or to running active workloads (performance).
  • SMB compression: thanks to SMB improvements in Windows Server 2022 and Windows 11, files can be compressed during network transfer, reducing transfer times.
  • Storage bus cache is also available for standalone servers. This feature can significantly improve read and write performance, maintaining high storage efficiency and low operating costs. As is the case in its implementation for Storage Spaces Direct, this function merges the fastest media (for example, NVMe or SSD) with slower media (for example, HDD) to create different tiers. Some of the faster media is reserved for the cache.

More new features

In addition to the aspects covered in the previous paragraphs, the following features have been announced:

  • Nested Virtualization in Windows Server 2022 is also available on AMD processors, expanding the hardware choices for your environment.
  • Microsoft Edge is included with Windows Server 2022, in place of Internet Explorer. Edge can be used with the Server Core and Server with Desktop Experience installation options.

Conclusions

Windows Server 2022 evolves the mature and consolidated Windows Server platform by introducing a series of innovative updates in different areas. There are therefore various advantages for companies to evaluate the adoption of this new server operating system, in particular, for those who use Windows Server in an Azure environment.

Everything you need to know about Windows Server 2022 – Part 1 of 2

The new operating system Windows Server 2022, built on the solid foundation of its predecessor Windows Server 2019, brings numerous innovations in security, in integration and hybrid management with the Azure environment, and as an application platform. The article is divided into two parts: this first part covers the main features of the new server operating system relating to the available editions, the features designed for hybrid environments and the new aspects related to the application platform.

Editions

Windows Server 2022 is characterized by the following aspects relating to the editions:

  • Windows Server 2022 will have a Standard edition, a Datacenter edition and a new edition called Azure Datacenter.
  • The Azure Datacenter edition of Windows Server 2022 is only supported on Azure (Azure IaaS or Azure Stack HCI 21H2) and offers specific features not available outside these environments (hotpatching, SMB over QUIC and Azure Extended Networking).
  • All editions of Windows Server 2022 offer both Server Core and Desktop Experience installation options.
  • Windows Server 2019 Datacenter edition can be upgraded in place to the new Windows Server 2022 Datacenter Azure edition. Nevertheless, in-place upgrades of server operating systems are a practice to be carefully evaluated and, where possible, avoided.
  • Microsoft recently updated its servicing model for server operating systems. Microsoft has decided to abandon the semi-annual versions of Windows Server and, starting with Windows Server 2022, there is only one main release channel, the Long-Term Servicing Channel. With the Long-Term Servicing Channel, a new major version of Windows Server is released every 2-3 years. Users are entitled to 5 years of mainstream support and 5 years of extended support. This channel provides systems with prolonged maintenance and functional stability. The Long-Term Servicing Channel receives security and non-security updates, but it does not receive new features and functionality. The Semi-Annual Channel, available in previous versions of Windows Server, was suited to containers and microservices; in these areas, innovation will continue with Azure Stack HCI. In this regard, note that the operating system of the Azure Stack HCI solution is a specific, dedicated operating system with a simplified composition, which includes only the roles needed by the solution.

Hybrid Functionality

Using Windows Server 2022 it is possible to increase efficiency and agility by using features designed for hybrid environments and fully integrated into the operating system.

Azure Automanage – Hotpatch

The Hotpatch feature, part of Azure Automanage, is supported in Windows Server 2022 Datacenter: Azure Edition. Support is currently for Core mode installations, but will also be extended to Desktop installations in the future. Hotpatching is a new mechanism, used to install updates on Windows Server Azure Edition virtual machines, which allows you to reduce the number of reboots required to install updates.

Azure Automanage orchestrates the installation of security patches on top of a Cumulative Update, which is released every three months. The Cumulative Update requires a system restart, but the security patches released between Cumulative Updates can modify the code running in memory without rebooting the machine.

For more information about this feature, you can consult the specific Microsoft documentation.

Windows Admin Center

Windows Admin Center (WAC) introduces specific improvements for managing Windows Server 2022, including the ability to check the Secured-core status of a server and, where the hardware supports it, to enable it.

Azure Arc

Windows Server 2022 also allows Azure Arc to be enabled to manage physical servers and virtual machines residing outside Azure (on the on-premises corporate network or at other cloud providers) with the same management methods used for native virtual machines in the Azure environment. A machine connected to Azure through Arc is treated in all respects as an Azure resource: each connected machine has a specific ID, is included in a resource group and benefits from standard Azure constructs.

Application platform

Windows Server 2022 brings several improvements to the application platform, the main ones being:

  • Reduction of the Windows container image size by up to 40%, which leads to startup times up to 30% faster and better performance.
  • Ability to run applications that depend on Azure Active Directory with group Managed Service Accounts (gMSA) without having to domain-join the container host.
  • Windows container support for Microsoft Distributed Transaction Coordinator (MSDTC) and Microsoft Message Queuing (MSMQ).
  • Simplification of the Windows container experience in Kubernetes, including support for host-process containers for node configuration, IPv6 and the implementation of network policies with Calico.
  • In addition to the platform improvements, Windows Admin Center has been updated to simplify the containerization of .NET applications. Once the application is in a container, you can host it in an Azure Container Registry and then deploy it to other Azure services, including Azure Kubernetes Service (AKS).
  • Thanks to support for Intel Ice Lake processors, Windows Server 2022 supports large-scale business-critical applications, such as SQL Server, with up to 48 TB of memory and 2,048 logical cores running on 64 physical sockets. Using the Intel Software Guard Extensions (SGX) confidential computing technology available on Intel Ice Lake, you can improve application security by isolating applications from each other through memory protection.

The second part of the article reports the main features of the new server operating system in the security and storage area, but not only.

Azure IaaS and Azure Stack: announcements and updates (August 2021 – Weeks: 31 and 32)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officially announced by Microsoft in the last two weeks.

Azure

Compute

Automatic Azure VM extension upgrade capabilities

Azure Virtual Machine extensions are small applications that provide post-deployment configuration and automation on Azure VMs. The ability to automatically upgrade VM extensions is now available for Azure Virtual Machines and Virtual Machine Scale Sets. If the automatic extension upgrade feature is enabled for an extension on a VM or a VM scale set, the extension is upgraded automatically whenever the extension publisher releases a new version. Azure manages the upgrade rollout and the upgrades are safely applied following availability-first principles, keeping your environments more secure and up to date.

Storage

Azure File Sync agent v13

Improvements and issues that are fixed in the v13 release:

  • Authoritative upload: authoritative upload is a new mode available when creating the first server endpoint in a sync group. It is useful when the cloud (Azure file share) holds some or most of the data but is outdated and needs to catch up with the more recent data on the new server endpoint. This is the case in offline migration scenarios such as DataBox: while a DataBox is filled and shipped to Azure, users of the local server keep changing, adding and deleting files, so the data in the DataBox, and therefore in the Azure file share, is slightly outdated. With Authoritative Upload you can now tell the server and cloud how to resolve this case and get the cloud seamlessly updated with the latest changes on the server. No matter how the data got to the cloud, this mode can update the Azure file share if the data stems from the matching location on the server. Avoid large directory restructures between the initial copy to the cloud and catching up with Authoritative Upload, so that only updates are transported: changes to directory names cause all files in the renamed directories to be uploaded again. This functionality is comparable to the semantics of RoboCopy /MIR (mirror source to target), including removing files on the target that no longer exist on the source. Authoritative Upload replaces the “Offline Data Transfer” feature for DataBox integration with Azure File Sync via a staging share; a staging share is no longer required to use DataBox. New Offline Data Transfer jobs can no longer be started with the AFS v13 agent, but existing jobs on a server continue even after the upgrade to agent version 13.
  • Portal improvements to view cloud change enumeration and sync progress: when a new sync group is created, a connected server endpoint can only begin syncing once cloud change enumeration is complete. If files already exist in the cloud endpoint (Azure file share) of the sync group, change enumeration of the cloud content can take some time; the more items (files and folders) exist in the namespace, the longer it takes. Admins can now see cloud change enumeration progress in the Azure portal to estimate an ETA for completion and for sync with servers to start.
  • Support for server rename: if a registered server is renamed, Azure File Sync will now show the new server name in the portal. If the server was renamed prior to the v13 release, the server name in the portal will now be updated to show the correct server name.
  • Support for Windows Server 2022 Preview: the Azure File Sync agent is now supported on Windows Server 2022 Preview build 20348 or later. Note: Windows Server 2022 adds support for TLS 1.3 which is not currently supported by Azure File Sync. If the TLS settings are managed via group policy, the server must be configured to support TLS 1.2.
  • Miscellaneous improvements:
    • Reliability improvements for sync, cloud tiering and cloud change enumeration.
    • If a large number of files is changed on the server, sync upload is now performed from a VSS snapshot which reduces per-item errors and sync session failures.
    • The Invoke-StorageSyncFileRecall cmdlet will now recall all tiered files associated with a server endpoint, even if the file has moved outside the server endpoint location.
    • Explorer.exe is now excluded from cloud tiering last access time tracking.
    • New telemetry (Event ID 6664) to monitor the orphaned tiered files cleanup progress after removing a server endpoint with cloud tiering enabled.

More information about this release:

  • This release is available for Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 and Windows Server 2022 Preview installations.
  • A restart is required for servers that have an existing Azure File Sync agent installation if the agent version is less than version 12.0.
  • The agent version for this release is 13.0.0.0.
  • Installation instructions are documented in KB4588753.

Networking

Re-size Azure virtual networks that are peered (preview)

Virtual networks in Azure have had a long-standing constraint where any address space change is only allowed if the virtual network does not have any peerings. Microsoft is announcing that this limitation has been lifted, and customers can freely resize their virtual networks without incurring any downtime. With this feature, existing peerings on the virtual network do not need to be deleted prior to adding or deleting an address prefix on the virtual network.

Azure VPN Client for macOS

Azure VPN Client for macOS is available with support for native Azure AD, certificate-based, and RADIUS authentication for OpenVPN protocol.

Native Azure AD authentication support is highly desired by organizations as it enables user-based policies, conditional access, and multi-factor authentication (MFA) for P2S VPN. Native Azure AD authentication requires both Azure VPN gateway integration and the Azure VPN Client to obtain and validate Azure AD tokens. With the Azure VPN Client for macOS, you can use user-based policies, Conditional Access, as well as Multi-factor Authentication (MFA) for your Mac devices.

Azure ExpressRoute Global Reach: 2 new locations

There are 2 new locations for ExpressRoute Global Reach:

  • South Africa (Johannesburg only)
  • Taiwan

For more information about ExpressRoute Global Reach and available locations, visit ExpressRoute Global Reach webpage.

Azure VMware Solution: Disaster Recovery scenarios using VMware Site Recovery Manager

Corporate business is heavily dependent on IT solutions, and often these are not properly structured to deal with incidents of any kind, even the most remote, that could cause damage, an interruption or loss of data. VMware Site Recovery Manager (SRM) is a disaster recovery solution that minimizes the downtime of workloads in the VMware environment in the event of a disaster. SRM is very popular with customers who use VMware in on-premises datacenters, and the possibility of using the same solution with Azure VMware Solution (AVS) was recently announced. This article describes how SRM for AVS can simplify the management of Disaster Recovery strategies, ensuring rapid and predictable recovery times.

What is VMware Site Recovery Manager (SRM)?

VMware Site Recovery Manager is an automation solution that integrates with an underlying replication technology and offers:

  • Recovery test without service interruptions
  • Workflow able to guarantee the orchestration of DR plans in an automated way
  • Automatic reset of network and security settings (integration with VMware NSX)

The solution makes it possible to protect, restore and move virtual machines between multiple VMware sites in a simple and reliable way, with little or no downtime.

Site Recovery Manager allows you to natively take advantage of VMware vSphere and use the SDDC architecture (Software-Defined Data Center) integrating with other VMware solutions, such as VMware NSX (network virtualization) and VMware vSAN.

Site Recovery Manager requires one of the following underlying replication technologies to orchestrate virtual machine recovery operations:

  • VMware vSphere Replication: replication focused on VMs and based on the hypervisor. It is the solution natively integrated with Site Recovery Manager and included in most versions of vSphere.
  • Third-party solutions: Site Recovery Manager uses Storage Replication Adapter (SRA) plug-ins developed by storage partners for integration with third-party systems.

How to purchase SRM

Site Recovery Manager is available in two versions: Standard and Enterprise. Both versions of Site Recovery Manager are licensed “per protected virtual machine”.

                      SRM STANDARD                        SRM ENTERPRISE
  Licenses            Up to 75 protected VMs per site     No license limit on the number of protected VMs
  Exclusive features  –                                   – Integration with VMware NSX
                                                          – vMotion orchestrated movement between multiple vCenter instances
                                                          – Extended storage support
                                                          – Policy-based storage management

What is Azure VMware Solution (AVS)?

Azure VMware Solution (AVS) is a service that allows the provisioning and execution of a full VMware Cloud Foundation environment in Azure. VMware Cloud Foundation is VMware's hybrid cloud platform for managing virtual machines and orchestrating containers, where the entire stack is based on a hyperconverged infrastructure (HCI). This architecture model ensures consistent infrastructure and operations across any private and public cloud, including Microsoft Azure.

Figure 1 – Azure VMware Solution overview

The AVS solution allows customers to adopt the full set of VMware features, with the guarantee of the "VMware Cloud Verified" validation. At the same time the platform is maintained by Microsoft, with automatic and regular updates guaranteed, which lets you take advantage of the latest feature sets as well as obtaining high security and stability.

Thanks to this solution it is therefore possible to have consistency, performance and interoperability for existing VMware workloads, without sacrificing speed, the scalability and availability of the global Azure infrastructure.

An Azure VMware Solution Private Cloud includes:

  • vCenter server for managing ESXi and vSAN
  • Dedicated bare-metal servers provided with ESXi VMware hypervisor
  • VMware vSAN datastore for vSphere VMs
  • VMware NSX-T software-defined networking for vSphere VMs
  • VMware HCX for workload mobility management

Figure 2 - Azure VMware Solution interconnection with the on-premises and Azure environment

The Azure Private Cloud infrastructure contains vSphere clusters on dedicated bare-metal systems, able to scale from 3 to 16 hosts. It also allows multiple clusters in a single Azure Private Cloud. The hosts are high-end, equipped with two 18-core 2.3 GHz Intel processors and 576 GB of RAM.

VMware Site Recovery Manager (SRM) with Azure VMware Solution (AVS)

Site Recovery Manager (SRM) for Azure VMware Solution (AVS) is able to automate and orchestrate failover and failback processes in the following Disaster Recovery scenarios:

  • On-premises VMware to Azure VMware Solution private cloud disaster recovery
  • Primary Azure VMware Solution to a secondary disaster recovery Azure VMware Solution private cloud

Furthermore, thanks to the ability to perform failover tests without generating disruption to the production environment, it is possible to periodically guarantee the achievement of the recovery time objectives required for the disaster recovery plans.

Figure 3 - Diagram of a DR scenario between two Azure VMware Solution environments

In this scenario too, SRM is licensed and supported directly by VMware. Customers cannot reuse SRM licenses from the on-premises environment in AVS environments; new SRM licenses are required for AVS environments.

Azure VMware Solution also provides a mechanism to simplify the installation and life-cycle management of SRM. From the navigation menu of the AVS private cloud it is possible to install VMware SRM with vSphere Replication as an add-on service. To do this, simply select “VMware Site Recovery Manager (SRM) - vSphere Replication” from the Disaster Recovery Solution menu and follow the relevant instructions.

Figure 4 - Enabling of “VMware Site Recovery Manager (SRM) – vSphere Replication” from Disaster Recovery Solution menu of AVS

Use cases

This integration between Azure VMware Solution and Site Recovery Manager can be activated to implement the following types of recovery scenarios:

  • Planned migration. This is an orderly migration of virtual machines from the protected site to the recovery site where no data loss is expected during the guided migration of workloads.
  • Disaster Recovery. SRM activates the DR plan when the primary site unexpectedly goes offline. Site Recovery Manager orchestrates the recovery process with replication mechanisms, to minimize data loss and environment downtime.
  • Bidirectional protection. Bi-directional protection uses a single set of paired SRM sites to protect virtual machines in both directions. Each site can be a protected site and a recovery site at the same time, but for a different set of virtual machines.

Conclusions

Thanks to the introduction of this feature in AVS, starting from the automation functionality of VMware Site Recovery Manager recovery plans and the hypervisor-based replication capabilities of vSphere Replication, you can take advantage of an end-to-end Disaster Recovery solution, able to accelerate the enabling of the protection, as well as simplifying the operations necessary to implement DR plans. In this way, you can make the most of the agility and convenience of this solution in an Azure environment.

Azure IaaS and Azure Stack: announcements and updates (July 2021 – Weeks: 29 and 30)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officially announced by Microsoft in the last two weeks.

Azure

Storage

Shared disks on Azure Disk Storage are now generally available on all Premium SSD and Standard SSD sizes

Shared disks can now be leveraged on smaller Premium SSDs from 4 GiB to 128 GiB and all Standard SSDs from 4 GiB to 32 TiB. This expands shared disk support to Ultra Disk, Premium SSD, and Standard SSD, enabling you to optimize for different price and performance options based on your workload needs.

Immutable storage with versioning for Blob Storage (preview)

Immutable storage with versioning for Blob Storage is now available in preview. Immutable storage provides the capability to store data in a write once, read many (WORM) state. Once data is written, the data becomes non-erasable and non-modifiable, and you can set a retention period so that files can’t be deleted until after that period has elapsed. Additionally, legal holds can be placed on data to make that data non-erasable and non-modifiable until the hold is removed. Immutable storage with versioning adds the capability to set an immutable policy on the container or object level. It also allows for the immutable protection of all past and current versions of any blob.

Networking

Next-generation firewall capabilities with Azure Firewall Premium

Microsoft Azure Firewall Premium is now available with these key features:

  • TLS inspection: Azure Firewall Premium terminates outbound and east-west transport layer security (TLS) connections. Inbound TLS inspection is supported in conjunction with Azure Application Gateway allowing end-to-end encryption. Azure Firewall performs the required value-added security functions and re-encrypts the traffic which is sent to the original destination.
  • IDPS: Azure Firewall Premium provides signature-based intrusion detection and prevention system (IDPS) to allow rapid detection of attacks by looking for specific patterns, such as byte sequences in network traffic or known malicious instruction sequences used by malware.
  • Web categories: Allows administrators to filter outbound user access to the internet based on categories (for example, social networking, search engines, gambling, and so on), reducing the time spent on managing individual fully qualified domain names (FQDNs) and URLs. This capability is also available for Azure Firewall Standard based on FQDNs only.
  • URL filtering: Allows administrators to filter outbound access to specific URLs, not just FQDNs. This capability works for both plain text and encrypted traffic if TLS inspection is enabled.

Application Gateway: new features for Web Application Firewall (WAF)

  • Bot protection: Web Application Firewall (WAF) bot protection feature on Application Gateway allows users to enable a managed bot protection rule set for their WAF to block or log requests from known malicious IP addresses. The IP addresses are sourced from the Microsoft Threat Intelligence feed. This rule set can be used alongside the OWASP core rule sets (CRS) to provide additional protection.

  • Geomatch custom rules: Web Application Firewall (WAF) geomatch custom rule feature on Application Gateway allows users to restrict access to their web applications by country/region. As with all custom rules, this logic can be compounded with other rules to suit the needs of your application.

Azure ExpressRoute: 3 New Peering Locations Available

Three new peering locations are available for ExpressRoute:

  • Campinas
  • Sao Paulo2
  • Dublin2

With this announcement, ExpressRoute is now available across 79 global commercial Azure peering locations.

New insights in Traffic Analytics

The Azure Network Watcher Traffic Analytics solution is used to monitor network traffic. It now provides WHOIS and geographic data for all public IPs interacting with your deployments and adds the DNS domain, threat type and threat description for malicious IPs. It also now supports inter-zone traffic and VMSS-level traffic insights.

Azure Management services: What's new in July 2021

Microsoft constantly announces news regarding Azure management services and, as usual, this monthly summary collects it. The aim is to provide an overview of the main news of the month, in order to stay up to date on these topics and have the necessary references to explore them further.

The following diagram shows the different areas related to management, which are covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.

Figure 1 – Management services in Azure overview

Monitor

Azure Monitor

New built-in policies for Log Analytics workspaces and linked automation accounts

When designing and deploying Azure Monitor Log Analytics workspaces, it is advisable to adopt specific criteria to deploy them consistently, in line with the compliance requirements of your environment. Thanks to a new built-in policy it is possible to automate and control the deployment of Log Analytics workspaces and the Automation Accounts linked to them in your environments.

Better integration between Azure Monitor and Grafana

Grafana is a very popular open source visualization and analysis software, which allows you to query, view and explore various metrics from multiple data sources in a centralized way. Recently, some updates have been made to the Azure Monitor plug-in for Grafana that allow you to enable additional data sources and easier authentication via managed identity. Among the main improvements we find:

  • Azure Resource Graph in the Azure Monitor Grafana data source. Azure Resource Graph (ARG) is a service in Azure that allows you to perform large-scale queries on a given subscription set, so that you can effectively govern your environment. With Grafana 8.0, Azure Monitor data source supports querying ARG.
  • Managed Identities are supported for the Grafana data source hosted in Azure and for Azure Monitor. Customers hosting Grafana on Azure (e.g. App Service, Azure Virtual Machine) who have enabled managed identity on their virtual machine will be able to use it to configure Azure Monitor in Grafana. This simplifies the configuration of the data source, which is authenticated securely without having to manually configure credentials through app registrations in Azure AD for each data source.
  • Direct links to the Azure portal for Grafana metrics. To allow easy exploration of Azure Monitor metrics directly from Grafana, when a user selects the result of a query, a menu appears with a link to “View in the Azure portal”. Selecting it will redirect you to the corresponding chart in the Azure Metrics Explorer portal.

Direct proxy and Log Analytics gateway support for the new agent

Following the recent announcement on the availability of the new Azure Monitor agent (AMA) and of Data Collection Rules, support for direct proxies and for Log Analytics gateways is introduced for this agent.

Configure

Azure Automation

Support for User Assigned Managed Identities (preview)

Azure Automation has introduced support for User Assigned Managed Identities, which allows you to eliminate the effort of managing RunAs Accounts for runbooks. A User Assigned Managed Identity is an independent Azure resource that can be assigned to the Azure Automation account, which can have multiple associated user-assigned identities. The same identity can be assigned to multiple Azure Automation accounts.
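As an added example (not code from the original article or from Microsoft), this is what a PowerShell runbook looks like once it authenticates with a user-assigned managed identity instead of a RunAs account: there is no certificate or secret to rotate, and the runbook can only do what the RBAC role granted to the identity allows. It assumes the identity has already been attached to the Automation account and given a role on the subscription, and that its client ID is stored in an Automation variable with the hypothetical name `UamiClientId`.

```powershell
# Added example: runbook authenticating with a user-assigned managed identity.
# Assumptions: the identity is assigned to the Automation account and has a role
# (e.g. Reader) on the subscription; its client ID is kept in an Automation
# variable named "UamiClientId" (hypothetical name).

# Prevent the runbook from inheriting any cached Az context.
Disable-AzContextAutosave -Scope Process | Out-Null

# Read the client ID of the user-assigned identity from an Automation variable.
$clientId = Get-AutomationVariable -Name 'UamiClientId'

# Sign in as the user-assigned identity. -AccountId selects which of the
# identities attached to the Automation account is used for this session.
$ctx = (Connect-AzAccount -Identity -AccountId $clientId).Context

Write-Output "Authenticated as $($ctx.Account.Id) on subscription $($ctx.Subscription.Id)"

# Read-only work to show the identity is limited to the role it was granted:
# list the virtual machines that are currently running.
Get-AzVM -Status |
    Where-Object { $_.PowerState -eq 'VM running' } |
    Select-Object ResourceGroupName, Name, Location
```

If the Automation account has a single system-assigned identity instead, `Connect-AzAccount -Identity` without `-AccountId` is enough; `-AccountId` is what disambiguates when several user-assigned identities are attached.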

Govern

Azure Policy

Azure Policy built-in for Network Watcher Traffic Analytics

Traffic Analytics is based on the analysis of NSG flow logs: after aggregating the data and enriching it with security, topology and geographic intelligence, it can provide detailed information about the network traffic of your Azure cloud environment. The following new built-in policies have been introduced to facilitate the deployment of Traffic Analytics:

  • An audit policy: Flag flow logs resource without traffic analytics enabled
  • DeployIfNotExists policies: Enable Traffic Analytics on NSGs in an Azure region of a subscription or resource group
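The following is an added example (not from the original article or from Microsoft) of how to locate those built-in definitions from PowerShell, assign the audit one at subscription scope and then read back the flow logs it flags. It assumes the built-in display names contain the words "traffic analytics"; the assignment name is a placeholder.

```powershell
# Added example: find the Traffic Analytics built-ins and assign the audit policy.
# Assumption: built-in display names contain "traffic analytics" (adjust the
# filter if the portal shows different wording). Requires Az.Resources and
# Az.PolicyInsights.

$subscriptionId = (Get-AzContext).Subscription.Id
$scope = "/subscriptions/$subscriptionId"

# Built-in rules often declare their effect as "[parameters('effect')]";
# resolve that to the parameter's default so we can tell Audit from DeployIfNotExists.
function Get-PolicyEffect($def) {
    $effect = $def.Properties.PolicyRule.then.effect
    if ($effect -match "^\[parameters\('(?<p>[^']+)'\)\]$") {
        return $def.Properties.Parameters.($Matches.p).defaultValue
    }
    return $effect
}

$defs = Get-AzPolicyDefinition -Builtin |
    Where-Object { $_.Properties.DisplayName -like '*traffic analytics*' }

$defs | Select-Object @{n='Effect'; e={ Get-PolicyEffect $_ }},
                      @{n='DisplayName'; e={ $_.Properties.DisplayName }},
                      Name | Format-Table -AutoSize

# Assign the Audit definition: it only flags flow logs without Traffic
# Analytics, it deploys nothing.
$audit = $defs | Where-Object { (Get-PolicyEffect $_) -eq 'Audit' } | Select-Object -First 1
if ($null -eq $audit) { throw 'No built-in Audit policy for Traffic Analytics found.' }

New-AzPolicyAssignment -Name 'audit-flowlogs-ta' `
    -DisplayName 'Flag flow logs without Traffic Analytics' `
    -Scope $scope -PolicyDefinition $audit

# After the next compliance evaluation, list the non-compliant flow log resources.
Get-AzPolicyState -SubscriptionId $subscriptionId `
    -Filter "PolicyAssignmentName eq 'audit-flowlogs-ta' and ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, Timestamp
```

The DeployIfNotExists variants need a managed identity on the assignment (Network Contributor on the scope) and a remediation task to act on existing NSGs; starting with the audit assignment shows the gap without changing anything.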

Azure Cost Management

Updates related to Azure Cost Management and Billing

Microsoft is constantly looking for new methodologies to improve Azure Cost Management and Billing, the solution that provides greater visibility into where costs are accumulating in the cloud, identifies and prevents incorrect spending patterns and optimizes costs. In this article some of the latest improvements and updates regarding this solution are reported, including:

Secure

Azure Security Center

New features, bug fixes and deprecated features of Azure Security Center

Azure Security Center development is constantly evolving and improvements are being made on an ongoing basis. To stay up to date on the latest developments, Microsoft updates this page, which provides information about new features, bug fixes and deprecated features. In particular, this month the main news concern:

Protect

Azure Site Recovery

New Update Rollup

For Azure Site Recovery, Update Rollup 56 was released, which solves several issues and introduces some improvements. In particular, this update introduces the following new features:

  • Microsoft Azure Site Recovery (services): Improvements have been made to enable replication and new protection operations to be 46% faster.
  • Microsoft Azure Site Recovery (portal): Replication between any two Azure regions around the world can now be enabled. You are no longer limited to enabling replication on your continent.

The details and the procedure to follow for the installation can be found in the specific KB.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure IaaS and Azure Stack: announcements and updates (July 2021 – Weeks: 27 and 28)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Free Extended Security Updates only on Azure for Windows Server 2012/R2 and SQL Server 2012

On-premises Windows Server and SQL Server customers looking to migrate and modernize can take advantage of the extension of free Extended Security Updates (ESUs) for Windows Server 2012/R2 and SQL Server 2012, as follows:

  • Windows Server 2012 and 2012 R2 Extended Support (ESU) will end on October 10, 2023. Extended Support for SQL Server 2012 ends July 12, 2022. Customers that cannot meet this deadline can protect their apps and data running on these releases for three additional years when they migrate to Windows Server and SQL Server on Azure and take advantage of free ESUs on Azure. Customers running Windows Server and SQL Server on these releases and on-premises will have the option to purchase ESUs.
  • Windows Server and SQL Server 2008 and 2008 R2 three-year ESUs are coming to an end on January 10, 2023, and July 12, 2022, respectively. Customers who need more time to migrate and modernize Windows Server and SQL Server 2008 and 2008 R2 workloads on Azure will now receive one additional year of extended security updates, only on Azure.

Virtual Machine (VM) bursting is now generally available on more VM types

Virtual machine level disk bursting is now enabled for the Dsv4, Dasv4, Ddsv4, Esv4, Easv4, Edsv4, Fsv2 and B-series VM families, which allows your virtual machine to burst its disk IO and MiB/s throughput performance for a short time daily. This enables your VMs to handle unforeseen spiky disk traffic smoothly and process batched jobs with speed. There is no additional cost associated with this new capability and no adjustment to VM pricing, and it comes enabled by default.

HPC Cache on E-Series VMs Support of Blob NFS 3.0

The Azure Blob team recently announced that Blob NFS 3.0 protocol support is generally available and now, Azure HPC Cache will follow suit with general availability using E-Series VMs.

Storage

Azure File Sync agent v13

The Azure File Sync agent v13 release is being flighted to servers which are configured to automatically update when a new version becomes available.

Improvements and issues that are fixed in the v13 release:

  • Authoritative upload. Authoritative upload is a new mode available when creating the first server endpoint in a sync group. It is useful for the scenario where the cloud (Azure file share) has some/most of the data but is outdated and needs to be caught up with the more recent data on the new server endpoint. This is the case in offline migration scenarios like DataBox, for instance. When a DataBox is filled and sent to Azure, the users of the local server will keep changing / adding / deleting files on the local server. That makes the data in the DataBox and thus the Azure file share, slightly outdated. With Authoritative Upload, you can now tell the server and cloud, how to resolve this case and get the cloud seamlessly updated with the latest changes on the server. No matter how the data got to the cloud, this mode can update the Azure file share if the data stems from the matching location on the server. Be sure to avoid large directory restructures between the initial copy to the cloud and catching up with Authoritative Upload. This will ensure you are only transporting updates. Changes to directory names will cause all files in these renamed directories to be uploaded again. This functionality is comparable to semantics of RoboCopy /MIR = mirror source to target, including removing files on the target that no longer exist on the source. Authoritative Upload replaces the “Offline Data Transfer” feature for DataBox integration with Azure File Sync via a staging share. A staging share is no longer required to use DataBox. New Offline Data Transfer jobs can no longer be started with the AFS V13 agent. Existing jobs on a server will continue even with the upgrade to agent version 13.
  • Portal improvements to view cloud change enumeration and sync progress. When a new sync group is created, any connected server endpoint can only begin sync when cloud change enumeration is complete. In case files already exist in the cloud endpoint (Azure file share) of this sync group, change enumeration of content in the cloud can take some time. The more items (files and folders) exist in the namespace, the longer this process can take. Admins will now be able to obtain cloud change enumeration progress in the Azure portal to estimate an ETA for completion and for sync to start with servers.
  • Support for server rename. If a registered server is renamed, Azure File Sync will now show the new server name in the portal. If the server was renamed prior to the v13 release, the server name in the portal will now be updated to show the correct server name.
  • Support for Windows Server 2022 Preview. The Azure File Sync agent is now supported on Windows Server 2022 Preview build 20348 or later. Note: Windows Server 2022 adds support for TLS 1.3 which is not currently supported by Azure File Sync. If the TLS settings are managed via group policy, the server must be configured to support TLS 1.2.
  • Miscellaneous improvements:
    • Reliability improvements for sync, cloud tiering and cloud change enumeration.
    • If a large number of files is changed on the server, sync upload is now performed from a VSS snapshot which reduces per-item errors and sync session failures.
    • The Invoke-StorageSyncFileRecall cmdlet will now recall all tiered files associated with a server endpoint, even if the file has moved outside the server endpoint location.
    • Explorer.exe is now excluded from cloud tiering last access time tracking.
    • New telemetry (Event ID 6664) to monitor the orphaned tiered files cleanup progress after removing a server endpoint with cloud tiering enabled.
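The Windows Server 2022 note above is the one item in this list that can silently break sync: if group policy disables TLS 1.2 on the client side of Schannel, the agent has nothing to fall back to. As an added example (not from the release notes or from Microsoft), this PowerShell check reads the Schannel protocol keys on a File Sync server and warns if TLS 1.2 is not usable by client connections. It assumes protocols are controlled through the standard Schannel registry keys, which is what a policy that "manages TLS settings" normally writes.

```powershell
# Added example: report the Schannel client-side protocol state on a server
# running the Azure File Sync agent. Assumption: TLS is controlled through the
# standard Schannel registry keys (absent key = OS default, i.e. TLS 1.2 enabled
# on Windows Server 2012 R2 and later).

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelState {
    param([string]$Protocol, [string]$Side)
    $key = Join-Path (Join-Path $base $Protocol) $Side
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Protocol = $Protocol; Side = $Side; State = 'OS default' }
    }
    $v = Get-ItemProperty -Path $key
    # Enabled=0 or DisabledByDefault=1 both take the protocol out of use.
    $enabled           = if ($null -ne $v.Enabled)           { $v.Enabled -ne 0 }           else { $true }
    $disabledByDefault = if ($null -ne $v.DisabledByDefault) { $v.DisabledByDefault -ne 0 } else { $false }
    $state = if ($enabled -and -not $disabledByDefault) { 'Enabled' } else { 'Disabled' }
    [pscustomobject]@{ Protocol = $Protocol; Side = $Side; State = $state }
}

$results = foreach ($p in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3') {
    Get-SchannelState -Protocol $p -Side 'Client'
}
$results | Format-Table -AutoSize

# The agent needs TLS 1.2 on the client side; TLS 1.3 alone is not enough yet.
$tls12 = $results | Where-Object { $_.Protocol -eq 'TLS 1.2' }
if ($tls12.State -eq 'Disabled') {
    Write-Warning 'TLS 1.2 client protocol is disabled: the Azure File Sync agent will fail to connect.'
}
```

Run it after each group policy refresh on servers where the TLS baseline is centrally managed; an "OS default" result for TLS 1.2 is fine, a "Disabled" one means the policy must be amended before the agent is upgraded.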

To obtain and install this update, configure your Azure File Sync agent to automatically update when a new version becomes available or manually download the update from the Microsoft Update Catalog.

More information about this release:

  • This release is available for Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 and Windows Server 2022 Preview installations.
  • A restart is required for servers that have an existing Azure File Sync agent installation if the agent version is less than version 12.0.
  • The agent version for this release is 13.0.0.0.
  • Installation instructions are documented in KB4588753.

Azure Blob storage: container Soft Delete

Administrators can set a retention policy and recover data from a deletion of a blob container without contacting support.
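As an added example (not from the original announcement or from Microsoft), the following PowerShell turns on container soft delete with a retention window, verifies the policy, and later restores containers that were deleted within that window. Resource group and storage account names are placeholders.

```powershell
# Added example: enable container soft delete and recover a deleted container.
# Placeholders: $rg and $account. Requires the Az.Storage module.

$rg      = 'rg-storage-example'   # placeholder resource group
$account = 'stexample001'         # placeholder storage account name

# 1. Enable container soft delete at the account level with a 14-day window.
Enable-AzStorageContainerDeleteRetentionPolicy -ResourceGroupName $rg `
    -StorageAccountName $account -RetentionDays 14

# Confirm the policy before relying on it.
(Get-AzStorageBlobServiceProperty -ResourceGroupName $rg -StorageAccountName $account).ContainerDeleteRetentionPolicy

# 2. After a container was removed (by mistake or by an attacker with delete
#    rights): list the soft-deleted containers still within retention.
$ctx = (Get-AzStorageAccount -ResourceGroupName $rg -Name $account).Context
$deleted = Get-AzStorageContainer -Context $ctx -IncludeDeleted |
    Where-Object { $_.IsDeleted }

$deleted | Select-Object Name, VersionId, LastModified | Format-Table -AutoSize

# 3. Restore each one under its original name, using the version id of the
#    deleted instance (required, since a container name can be reused).
foreach ($c in $deleted) {
    Restore-AzStorageContainer -Context $ctx -Name $c.Name -VersionId $c.VersionId
}
```

Soft delete only covers deletions inside the retention window; pair it with a resource lock or a restrictive RBAC assignment on the account so that the policy itself cannot be turned off by the same principal that deletes containers.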

HPC Cache for NVME-based Storage, Storage Target Management, and HIPAA Compliance

The latest release of HPC Cache adds support for high throughput VMs as well as enhancements to storage target operations.

Disk pool for Azure VMware Solution (preview)

With disk pool, Azure VMware Solution customers can now access Azure Disk Storage for high-performance, durable block storage. Customers can scale their storage independently of compute and handle their growing data needs more cost-effectively.

Networking

Azure Bastion Standard SKU public (preview)

With the new Azure Bastion Standard SKU, you can now perform/configure the following: 

  • Manually scale Bastion host Virtual Machine instances: Azure Bastion supports manual scaling of the Virtual Machine (VM) instances facilitating Bastion connectivity. You can configure 2-50 instances to manage the number of concurrent SSH and RDP sessions Azure Bastion can support. 

  • Azure Bastion admin panel: Azure Bastion supports enabling/disabling features accessed by the Bastion host. 

Azure Web Application Firewall: OWASP ModSecurity Core Rule Set 3.2 (preview)

Open Web Application Security Project (OWASP) ModSecurity Core Rule Set 3.2 (CRS 3.2) for Azure Web Application Firewall (WAF) deployments running on Application Gateway is in preview. This release offers improved security from web vulnerabilities, reduced false positives, and improvements to performance. Microsoft is also announcing an increase in the file upload limit and request body size limit to 4GB and 2MB respectively.
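As an added example (not from the original announcement or from Microsoft), this PowerShell creates a WAF policy that uses CRS 3.2 in Prevention mode with explicit request body and file upload limits, then reads the settings back so a reviewer can confirm them. Resource group, location and policy name are placeholders, and the policy is not attached to an Application Gateway here.

```powershell
# Added example: WAF policy with OWASP CRS 3.2, Prevention mode and body limits.
# Placeholders: $rg, $location and the policy name. Requires Az.Network.

$rg       = 'rg-waf-example'   # placeholder
$location = 'westeurope'       # placeholder

# Managed rule set: OWASP CRS version 3.2 (the release described above).
$crs32       = New-AzApplicationGatewayFirewallPolicyManagedRuleSet -RuleSetType 'OWASP' -RuleSetVersion '3.2'
$managedRule = New-AzApplicationGatewayFirewallPolicyManagedRule -ManagedRuleSet $crs32

# Prevention mode blocks matching requests instead of only logging them
# (Detection mode is the weak setting to avoid in production). The limits are
# set well below the announced maxima of 4 GB and 2 MB.
$settings = New-AzApplicationGatewayFirewallPolicySetting `
    -Mode 'Prevention' -State 'Enabled' `
    -RequestBodyCheck `
    -MaxRequestBodySizeInKb 128 `
    -MaxFileUploadInMb 100

$policy = New-AzApplicationGatewayFirewallPolicy -Name 'wafpolicy-crs32' `
    -ResourceGroupName $rg -Location $location `
    -ManagedRule $managedRule -PolicySetting $settings

# Read back mode, state and rule set version for review.
$policy.PolicySettings
$policy.ManagedRules.ManagedRuleSets | Select-Object RuleSetType, RuleSetVersion
```

Roll a new CRS version out in Detection mode on a staging gateway first and review the firewall log for false positives, then switch the policy to Prevention; the cmdlet sequence is the same, only `-Mode` changes.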

Azure Advisor: the free and personalized guide to Azure best practices

Designing correct architectures in the cloud, with predictable costs, compliant with regulations and security standards is a challenging goal, also given by the nature of the cloud itself which is constantly evolving. The Azure platform provides several tools to make Azure architectures optimized and cost-effective, including Azure Advisor. This article describes the main features and functionalities of the solution.

The Azure Advisor solution is able to provide useful recommendations to optimize the deployments in your Azure environment. By analyzing the configuration of resources and the telemetry data on their use, Azure Advisor is able to propose useful solutions to optimize costs, performance, reliability, efficiency and security. The solution performs its assessments in the background and automatically picks up newly created resources. From the moment a new resource is created it can take a few hours to receive the related recommendations.

Figure 1 - Azure Advisor overview

Azure Advisor is a totally free solution, included in all Azure environments, which allows you to easily optimize the resources present in your deployments, offering specific recommendations for the following areas:

  • Costs: it provides guidance to maximize the economic return on investment in Azure, by highlighting the adjustments that can reduce and optimize costs.
  • Security: reports on how to best protect Azure resources from security threats.
  • Performance: thanks to constant analysis of resources used, the solution is able to report useful information to increase the speed and responsiveness of applications.
  • Reliability (high availability): it gives directions on how you can increase the availability of your business-critical applications, in order to ensure greater continuity of service.
  • Operational excellence: highlights the techniques to be used to increase the efficiency of processes and workflows and to improve the management of resources and deployments.

Azure Advisor therefore allows you to achieve the following objectives:

  • Get personalized advice for your environment, based on Microsoft best practices. The recommendations are proactive and, to facilitate their implementation, contain proposals for concrete actions to be carried out.
  • Improve performance, efficiency, the security and reliability of your Azure resources, also identifying the opportunities to be seized to reduce the overall spending of Azure services.

Azure Advisor is accessible from the Azure portal and, in the overview screen, brings together the recommendations of the five macro-categories mentioned:

Figure 2 - Overview of Advisor in the Azure portal

All information provided by the solution can be downloaded in two different formats (.pdf and .csv), to facilitate the consultation and to keep them documented.

Furthermore, the Advisor Score is now available, a new way of consulting these recommendations which makes it easy to prioritize them, track progress and better assess their impact.

Figure 3 - New Advisor Score

By selecting each category you will be sent to the detail section, where you can check, for each recommendation provided, what are the resources impacted and the relative level of criticality (high, medium, low).

Figure 4 - Cost recommendations

In this specific case, among the recommendations to optimize Azure resource costs, the purchase of Virtual Machine Reserved Instances (VM RIs) prevails, with an estimate of the actual savings that could be obtained by adopting VM RIs over three years.

As for the recommendations related to Security, it should be noted that these are the same ones provided by Azure Security Center (ASC); for a better consultation experience it is convenient to access the ASC interface directly.

Selecting the recommended action for a recommendation will open a simple interface that allows you to implement it or you have the option of being directed to the Microsoft documentation that reports the implementation processes.

If you do not want to take immediate action on a recommendation, you can postpone it for a specified period of time or ignore it completely.

If you do not want to receive recommendations for a particular Azure subscription or a specific resource group, Azure Advisor can be configured to generate recommendations only for certain subscriptions and certain resource groups. You also have the option to edit, currently only for the rule relating to CPU use, the utilization threshold of virtual machines to be taken into consideration in the related assessments.
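The same recommendations, criticality levels and CPU threshold can be handled from PowerShell. As an added example (not from the original article or from Microsoft), the following script pulls every recommendation, ranks it by impact, writes Security findings and the rest to separate CSV files, and sets the low-CPU threshold of the VM right-sizing rule. It assumes the Az.Advisor 1.x cmdlet surface and property names (`Impact`, `Category`, `ShortDescription.Problem`); newer module versions expose the same data under slightly different names.

```powershell
# Added example: export Advisor recommendations ranked by criticality and tune
# the only adjustable rule (low CPU threshold). Assumption: Az.Advisor 1.x
# property names; the CSV paths are placeholders.

$impactOrder = @{ High = 0; Medium = 1; Low = 2 }

$recs = Get-AzAdvisorRecommendation |
    Select-Object Category, Impact, ImpactedField, ImpactedValue,
                  @{n = 'Problem';  e = { $_.ShortDescription.Problem }},
                  @{n = 'Solution'; e = { $_.ShortDescription.Solution }},
                  ResourceId |
    Sort-Object @{ e = { $impactOrder[$_.Impact] } }, Category

# Count per category and impact level, mirroring the portal overview.
$recs | Group-Object Category, Impact | Select-Object Count, Name | Format-Table -AutoSize

# Security findings are the same as Security Center's: keep them in their own file
# so they can be handed to the team that works in ASC.
$recs | Where-Object { $_.Category -eq 'Security' } |
    Export-Csv -Path '.\advisor-security.csv' -NoTypeInformation
$recs | Where-Object { $_.Category -ne 'Security' } |
    Export-Csv -Path '.\advisor-other.csv' -NoTypeInformation

# The low-CPU threshold for the "underutilized VM" cost rule accepts
# 5, 10, 15 or 20 (percent); raising it surfaces more right-sizing candidates.
Set-AzAdvisorConfiguration -LowCpuThreshold 10
```

Scheduling this in an Automation runbook gives a dated CSV trail of High-impact findings, which is easier to audit than the portal's dismissed or postponed state.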

Whenever Azure Advisor detects a new recommendation for one of your resources, an event is generated in the Azure Activity log. For these events you can configure Alerts directly from Azure Advisor, which provides a specific creation experience for recommendations.

To always stay informed about the recommendations generated by the solution, it is also possible to configure the “Recommendation digests”.

Conclusions

Azure Advisor is a very effective tool to verify afterwards that the main implementation best practices in the Azure environment have been respected and to direct the appropriate corrective actions. This tool centralizes in a single solution the different recommendations for different Azure services, present in your environment, useful to have a global view and to improve your implementations in Azure.

Azure Stack HCI: how to monitor the environment in a complete and effective way

Azure Stack HCI is the Microsoft solution that allows you to create hyper-converged infrastructures (HCI) for the execution of workloads in an on-premises environment. Azure Stack HCI, in addition to seamlessly integrating into on-premises datacenters, offers an important added value: the ability to connect with Azure services to obtain a hybrid hyper-converged solution. Among these services we find Azure Monitor and this article reports the benefits and features of the solution to monitor the Azure Stack HCI environment in a complete and effective way.

The Azure Stack HCI Insights solution is able to provide detailed information on the health, performance and usage of Azure Stack HCI clusters. The clusters must be version 21H2, connected to Azure and registered for the related monitoring. Azure Stack HCI Insights stores your data in a Log Analytics workspace, thus providing the possibility to use powerful filters and aggregations to better analyze the data collected over time.

Benefits of the solution

The main benefits of adopting Azure Stack HCI Insights are:

  • Managed by Azure. The solution is accessible directly from the Azure portal, it is constantly updated and no additional infrastructure components or third-party software are required.
  • Scalability. This is a very scalable solution, able to load information from more than 400 clusters, located in multiple subscriptions, without limits of domain or physical location.
  • Advanced customization. The user experience is based on Azure Monitor workbooks. Workbooks allow users to change views and queries, set specific thresholds according to their needs and save these customizations. Furthermore, workbook charts can be added to dashboards in the Azure portal.

Activation requirements

In order to use Azure Stack HCI Insights the following steps must be completed:

  • Azure Stack HCI cluster registration with Azure. This step ensures that every server in the cluster is automatically Azure Arc-enabled. This action allows Azure Monitor to retrieve details not only of the cluster, but also of the single nodes that compose it.
  • Enabling Log Analytics, to connect the cluster to a Log Analytics workspace, in which the necessary logs for the monitor will be saved.
  • Enable monitoring, to allow Azure Monitor to begin collecting the necessary events for the monitor.

Figure 1 - Configuration of the Log Analytics Agent extension and monitoring

Environment monitor

After completing the necessary configurations, you have the possibility to view the monitoring data of a single cluster directly from the Azure Stack HCI resource page, or you can use Azure Monitor to obtain an aggregate view of multiple Azure Stack HCI clusters.

Figure 2 – Aggregated view of multiple Azure Stack HCI clusters

The solution offers the ability to monitor the health of the cluster and the status of individual nodes and virtual machines.

Figure 3 - Overview of the status of the cluster nodes

By accessing the specific tabs it is possible to obtain further detailed information regarding virtual machines and storage (health, usage, and performance).

Information regarding the performance of the Azure Stack HCI environment is also reported. The following performance trends can be consulted through the panels integrated into the solution:

  • CPU usage
  • Average latency of storage volumes
  • IOPS of storage volumes
  • Storage volume capacity

Figure 4 - Consultation of performance trends

Costs of the solution

There are no specific costs for the use of Azure Stack HCI Insights; the cost is calculated based on the amount of data ingested into the Log Analytics workspace and the related retention settings.

Conclusions

Having an effective monitoring system for such environments, one that makes it possible to detect and prevent anomalous conditions and performance problems, is of fundamental importance. This further possibility, offered through the integration of Azure Stack HCI with the Azure Monitor service, makes the solution more and more complete and integrated. This is a further added value compared to other competitors who propose solutions in this area.

Azure IaaS and Azure Stack: announcements and updates (July 2021 – Weeks: 25 and 26)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Azure VM Image Builder service: custom image building process

Azure VM Image Builder service is a managed service to build custom Linux or Windows virtual machine (VM) images with ease and in compliance with your company’s security policy across Azure and Azure Stack. With Azure VM Image Builder, the Microsoft managed service built on HashiCorp Packer, you can describe custom images in a template using new or existing configurations and start building VM images immediately, without setting up and managing your own image building pipeline.

New Azure VMs for confidential workloads (Limited Preview)

Microsoft is announcing the limited preview go-live of the DCsv3-series and DCdsv3-series Azure Virtual Machines, starting in the East US 2 region. Leveraging Intel Software Guard Extensions (SGX), you can allocate private regions of memory, called enclaves, giving you more granular protection against processes or administrators with higher privilege levels. These new VMs enable you to protect the confidentiality and integrity of your code and data while in use.

Storage

Azure Blob storage: NFS 3.0 protocol support

Network File System (NFS) 3.0 protocol support for Azure Blob Storage is generally available. Azure Blob Storage is the only storage platform that supports the NFS 3.0 protocol over object storage natively (no gateway or data copying required), with object storage economics. The data stored in your storage account with NFS support is billed at the same rate as blob storage capacity charges, with no minimum provisioned capacity required.

Azure NetApp Files: regional Capacity Quota

The default capacity quota for each subscription will be changed from no quota to a quota of 25 TiB, per region, across all service levels. This capacity change will not have any impact on your current service but will ensure (new) capacity pool creation or capacity pool size increases will succeed based on available regional capacity. Any regional capacity quota increase does not incur a billing increase, as billing will still be based on the provisioned capacity pools.

Expansion of credit-based disk bursting to Azure Standard SSDs E30 and smaller

Credit-based disk bursting is now available on Azure Standard SSDs E30 and smaller (less than or equal to 1 TiB). With credit-based bursting, your disks can burst IOPS and throughput for a short time (up to 30 minutes) to handle unexpected disk traffic and process batch jobs with speed. Now you can deploy your disks for their average performance needs instead of for peak performance, enabling you to achieve cost savings. All your existing or new Standard SSD disks (less than or equal to 1 TiB) will have credit-based bursting enabled by default, with no user action or additional costs.

Expansion of on-demand disk bursting for Premium SSD to more regions (preview)

Microsoft has now expanded the preview of on-demand disk bursting to all production regions. You can enable on-demand bursting on existing or new disks following instructions here.

Networking

VPN NAT (preview)

Azure VPN NAT (Network Address Translation) supports overlapping address spaces between customers' on-premises branch networks and their Azure Virtual Networks. NAT can also enable business-to-business connectivity where address spaces are managed by different organizations and renumbering networks is not possible. The VPN NAT preview provides support for 1:1 Static NAT.