Azure VMware Solution achieves FedRAMP High Authorization
With this certification, U.S. government and public sector customers can now use Azure VMware Solution as a compliant FedRAMP cloud computing environment, ensuring it meets the demanding standards for security and information protection.
JetStream Disaster Recovery for Azure VMware Solution (preview)
JetStream Disaster Recovery is now available on Azure VMware Solution in public preview, enabling DR protection needed for business and mission-critical applications. JetStream Disaster Recovery on Azure VMware Solution is also cost-effective, as it uses minimal resources at the DR site by leveraging cloud storage, such as Azure Blob Storage.
Azure AD-joined VMs support
With this latest update, you can now:
Join your Azure Virtual Desktop virtual machines directly to Azure Active Directory (Azure AD).
Connect to the virtual machines from any device with basic credentials.
Automatically enroll the virtual machines in Microsoft Endpoint Manager.
Management Group Scope for Azure Reservations (preview)
You can scope a reservation to a management group. When you set the scope to a management group, the reservation discount is applied to matching resources in the list of subscriptions that are a part of the management group and the billing context.
Storage
Azure Archive Storage now available in three new regions
Azure Archive Storage provides a secure, low-cost means for retaining cold data including backup and archival storage. Now, Azure Archive Storage is available in three new regions: Norway East, UAE North, and Germany West Central.
The hyper-converged Azure Stack HCI solution lets you run the Azure Kubernetes Service (AKS) orchestrator in an on-premises environment to operate containerized applications at scale. This article explores how AKS on Azure Stack HCI makes it possible to host Linux and Windows containers in your own datacenter, and looks at the main benefits of the solution.
Before going into the specifics of AKS on Azure Stack HCI, here is a summary of the solutions involved.
What is Kubernetes?
Kubernetes, also known as "k8s", provides automated orchestration of containers, improving their reliability and reducing the time and resources required for DevOps work, through:
Generally simpler deployments, with automated rollouts and rollbacks.
Better application management, with the ability to monitor the status of services so that deployment errors are caught. Its features include service health checks that restart containers that are not running or are stuck, and that advertise to clients only the services that have started correctly.
The ability to scale automatically based on usage and, exactly as for containers, to manage the cluster environment declaratively, so that the configuration is version-controlled and easily reproducible.
Figure 1 – Kubernetes cluster with related architecture components
What is Azure Kubernetes Service (AKS)?
Azure Kubernetes Service (AKS) is the fully managed Azure service for running a Kubernetes cluster, ideal for simplifying the deployment and management of microservices-based architectures. With the features offered by AKS you can scale automatically according to usage, use health checks to ensure the integrity of services, implement load balancing policies and manage secrets. The managed service integrates with container development and deployment pipelines.
Figure 2 - Azure Kubernetes Service architecture example (AKS)
What is Azure Stack HCI?
Azure Stack HCI is the solution for building a hyper-converged infrastructure (HCI) that runs workloads in an on-premises environment and provides a strategic connection to Azure services. In a hyper-converged infrastructure, dedicated hardware components are removed and replaced by software, combining the compute, storage and network layers in a single solution. This is a transition from a traditional "three tier" infrastructure, composed of network switches, appliances, physical systems with onboard hypervisors, storage fabric and SAN, towards hyper-converged infrastructure (HCI).
Figure 3 – "Three Tier" Infrastructure vs Hyper-Converged Infrastructure (HCI)
What is AKS in Azure Stack HCI?
AKS on Azure Stack HCI is Microsoft's implementation of AKS for on-premises environments, automating the deployment and management of containerized applications.
After introducing AKS as a service in Azure, Microsoft extended its availability to on-premises environments. There are, however, some important differences:
In Azure, Microsoft manages the control plane of each AKS cluster. Furthermore, the cluster nodes (control plane nodes and worker nodes) run on Azure virtual machines or Azure virtual machine scale sets.
In an on-premises environment, the customer manages the entire environment, and the AKS cluster nodes run on virtual machines hosted on the hyper-converged infrastructure.
AKS architecture on Azure Stack HCI
The implementation of AKS in Azure Stack HCI consists of two types of clusters:
An AKS management cluster. This cluster acts as a dedicated control plane for managing the Kubernetes clusters running on the hyper-converged platform. It consists of Linux virtual machines that host Kubernetes system components such as API servers and load balancers.
One or more Kubernetes (workload) clusters. These clusters consist of control plane nodes and worker nodes. Control plane nodes are implemented as Linux virtual machines, with API servers and load balancers that serve the requests of Azure Stack HCI users. Workloads run on Linux or Windows worker nodes.
Figure 4 - AKS architecture on Azure Stack HCI
Each Kubernetes cluster runs on its own dedicated set of virtual machines, protected by hypervisor-based isolation, so that the same physical infrastructure can be shared securely even in scenarios that require workload isolation.
AKS on Azure Stack HCI supports both Linux-based and Windows-based containers. When you create a Kubernetes cluster you only need to specify the type of container you intend to run; the hyper-converged platform then automatically installs the required operating system on the nodes of the Kubernetes cluster.
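The following PowerShell is an added example, not code from the original article or from Microsoft's documentation. It creates one workload cluster with a Linux and a Windows node pool, checks from kubectl that each OS type is backed by its own node, pins a Windows pod to the Windows pool, and connects the cluster to Azure Arc. It assumes the AksHci module is installed on an Azure Stack HCI node, that Install-AksHci has already built the management cluster and Set-AksHciRegistration has registered it with Azure; cluster, pool and image names are placeholders, and parameter names follow the AksHci module at the time of writing (check Get-Help New-AksHciCluster on your version).

```powershell
# Added example (not from the original article). Assumes the AksHci module,
# an existing management cluster, and Azure registration; names are placeholders.
$clusterName = 'apps-prod'

# Each workload cluster gets its own dedicated VMs on the HCI platform, which is
# the isolation boundary described above: two clusters never share a node VM.
New-AksHciCluster -name $clusterName `
    -controlPlaneNodeCount 1 `
    -nodePoolName 'linux-pool' -nodeCount 2 -osType Linux

# Windows containers need a Windows node pool; the platform provisions the
# Windows Server node image automatically.
New-AksHciNodePool -clusterName $clusterName -name 'windows-pool' -count 1 -osType Windows

# Write the kubeconfig for the new cluster (default path ~\.kube\config).
Get-AksHciCredential -name $clusterName

# Confirm both OS types are present.
kubectl get nodes -o custom-columns='NAME:.metadata.name,OS:.status.nodeInfo.operatingSystem,VERSION:.status.nodeInfo.kubeletVersion'

# Pin a Windows workload to the Windows pool. Without the nodeSelector the
# scheduler may place the pod on a Linux node, where the image cannot run.
@'
apiVersion: v1
kind: Pod
metadata:
  name: iis-test
spec:
  nodeSelector:
    kubernetes.io/os: windows
  containers:
  - name: iis
    image: mcr.microsoft.com/windows/servercore/iis:windowsservercore-ltsc2019
'@ | kubectl apply -f -

# Connect the workload cluster to Azure Arc so Azure Policy, Azure RBAC and
# Azure Monitor can be applied to it from the Azure portal.
Enable-AksHciArcConnection -name $clusterName
```

Once the Arc connection is established, the cluster appears under Kubernetes - Azure Arc in the portal and the same kubectl context keeps working from the HCI node.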
Benefits of AKS on Azure Stack HCI
AKS simplifies the deployment of Kubernetes clusters by providing a layer of abstraction that can mask some of the more challenging implementation details.
Among the main benefits of AKS in the Azure Stack HCI environment we find:
Simplified deployments of containerized apps in a cluster environment. Using the Windows Admin Center you have a guided installation process of the AKS management cluster. Windows Admin Center also facilitates the installation of individual Kubernetes clusters that contain worker nodes, through an automatic installation process of all relevant software components, including management tools such as kubectl.
Ability to scale horizontally to manage computational resources, adding or removing Kubernetes cluster nodes.
Simplified management of cluster resource storage and network configurations.
Automatic updates of cluster nodes to the latest version of Kubernetes available. Microsoft manages the Windows Server and Linux images for the cluster nodes and updates them monthly.
Strategic connection, using Azure Arc, to Azure services such as: Microsoft Azure Monitor, Azure Policy, and Azure Role-Based Access Control (RBAC).
Centralized management of Kubernetes clusters and related workloads through the Azure portal, thanks to the adoption of Azure Arc for Kubernetes. Azure portal-based management also integrates traditional Kubernetes administration tools and interfaces, like the command line utility kubectl and the Kubernetes dashboard.
Automatic failover of the virtual machines acting as Kubernetes cluster nodes if there is a localized failure of the underlying physical components. This complements the high availability inherent in Kubernetes, which automatically restarts containers in a failed state.
Conclusions
Thanks to Azure Stack HCI, container-based application architectures can be hosted directly in your own datacenter, with the same Kubernetes management experience as the managed service in the Azure public cloud. The deployment process is also very simple and intuitive. Furthermore, Azure Stack HCI further improves the agility and resilience of Kubernetes deployments in an on-premises environment.
On-demand capacity reservations for Azure Virtual Machines (preview)
On-demand capacity reservations for Azure Virtual Machines, now in public preview, enable IT organizations to reserve compute capacity for a VM size. The reservation can be for any length of time in any public Azure region or Availability Zone and supports most VM series. You can create and cancel an on-demand capacity reservation at any time; no commitment is required. The ability to secure compute capacity ahead of actual VM deployments, with SLA guarantees once on-demand capacity reservations become generally available, is particularly important for ensuring the availability of business-critical applications running on Azure. On-demand capacity reservations can be combined with Azure Reserved VM Instances (RIs) to significantly reduce costs.
Run Commands for Azure VMware Solution (preview)
Run commands are a collection of PowerShell packages available in the Azure VMware Solution portal that simplify the execution of certain operations on vCenter. With this announcement your cloud administrator can now more easily run management tasks that require elevated privileges.
Microsoft has enabled an elastic virtual machine profile and automatic scaling for Azure Virtual Machine Scale Sets with flexible orchestration. The features are now in public preview, and provide:
Up to 1000 instances in a scale set (general purpose virtual machine sizes only)
Ability to manually add VM instances to the scale set
The option to spread instances across fault domains automatically, or specify a fault domain
Place on demand and Spot VMs in the same scale set
(New) Define a VM profile and specify instance count
(New) Automatically scale out and scale in based on metrics, schedule, or AI prediction (private preview)
(New) In-guest patching that respects high availability / FD constraints
(New) Automatic extension updates
(New) Automatic instance repair/replacement of unhealthy instances
(New) Terminate notification for on demand and Spot VMs
(New) Secure by default networking – customers must explicitly define outbound connectivity
(New) Improved scale out and scale in reliability, latency, and elasticity
Server Message Block (SMB) 3.1.1 is the most recent version of the SMB protocol, released with Windows 10, and contains important security and performance updates. Azure Files SMB 3.1.1 ships with two additional encryption modes, AES-128-GCM and AES-256-GCM, in addition to the AES-128-CCM that was already supported. Beyond SMB 3.1.1, Azure Files exposes security settings that change the behavior of the SMB protocol. With this release you can configure the allowed SMB protocol versions, SMB channel encryption options, authentication methods, and Kerberos ticket encryption options. By default, Azure Files enables the most compatible options, which are therefore also the least restrictive; these options can be changed at any time.
Server Message Block (SMB) Multichannel enables you to improve the IO performance of your SMB client 2-4x, increasing performance and decreasing total cost of ownership.
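The block below is an added example, not part of the original announcement, showing how the SMB security settings and Multichannel described above are inspected and tightened with the Az.Storage module. Resource group and storage account names are placeholders; the parameter names are those of Update-AzStorageFileServiceProperty.

```powershell
# Added example (not from the original announcement). Resource names are placeholders.
$rg = 'rg-files'
$sa = 'stfilesprod01'

# Show the current settings. A fresh account reports the most compatible
# (least restrictive) set: SMB 2.1/3.0/3.1.1, NTLMv2 + Kerberos, RC4-HMAC + AES-256
# tickets, AES-128-CCM + AES-128-GCM + AES-256-GCM channel encryption.
$current = Get-AzStorageFileServiceProperty -ResourceGroupName $rg -StorageAccountName $sa
$current.ProtocolSettings.Smb

# Restrict the account to SMB 3.1.1, AES-256-GCM channel encryption, Kerberos
# only (no NTLMv2), AES-256 Kerberos tickets, and enable SMB Multichannel.
# Any client that cannot meet these requirements (an SMB 3.0-only client, a
# user authenticating with NTLMv2, an RC4-HMAC ticket) is refused after this
# change, so test against every client platform before rolling it out.
Update-AzStorageFileServiceProperty -ResourceGroupName $rg -StorageAccountName $sa `
    -SmbProtocolVersion 'SMB3.1.1' `
    -SmbChannelEncryption 'AES-256-GCM' `
    -SmbAuthenticationMethod 'Kerberos' `
    -SmbKerberosTicketEncryption 'AES-256' `
    -EnableSmbMultichannel $true

# Re-read to confirm the change was applied.
(Get-AzStorageFileServiceProperty -ResourceGroupName $rg -StorageAccountName $sa).ProtocolSettings.Smb

# From a Windows client that has the share mounted, verify the negotiated dialect
# and that the session is encrypted; Dialect should be 3.1.1 and Encrypted True.
Get-SmbConnection | Where-Object ServerName -like "$sa.file.core.windows.net" |
    Select-Object ServerName, ShareName, Dialect, Encrypted, Signed
```

SMB Multichannel applies to premium file shares (FileStorage accounts) and takes effect only after the client reconnects; the protocol restrictions are account-wide and apply to every share in the account.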
Storage capacity reservations for Azure Files enable you to significantly reduce the total cost of ownership of storage by pre-committing to storage utilization. To achieve the lowest costs in Azure, you should consider reserving capacity for all production workloads.
Zone redundant storage (ZRS) for Azure Disk Storage
Zone redundant storage (ZRS) for Azure Disk Storage is now generally available on Azure Premium SSDs and Standard SSDs in West Europe, North Europe, West US 2 and France Central regions. Disks with ZRS provide synchronous replication of data across the zones in a region, enabling disks to tolerate zonal failures which may occur due to natural disasters or hardware issues. They also enable you to maximize your virtual machine availability without the need for application-level replication of data across zones, which is not supported by many legacy applications such as old versions of SQL or industry-specific proprietary software. This means that, if a virtual machine becomes unavailable in an affected zone, you can continue to work with the disk by mounting it to a virtual machine in a different zone. You can also use the ZRS option with shared disks to provide improved availability for clustered or distributed applications like SQL FCI, SAP ASCS/SCS, or GFS2.
Automatic key rotation of customer-managed keys for encrypting Azure disks
Azure Disk Storage now enables you to automatically rotate keys for encryption of your data.
Change performance tiers for Azure Premium SSDs with no downtime
On Azure Premium SSDs, you can now change the performance tiers without any downtime to your application (generally available). You can change the performance tier of a disk even when it is attached to running virtual machines. For planned events like a seasonal sales promotion or running a training environment, you need to achieve sustained higher performance for a few hours or days and then return to the normal performance levels. With performance tiers on Premium SSDs, you have the flexibility to scale the disk performance without increasing the disk size by selecting a higher performance tier. You can also change tiers to bring it back to your baseline performance tier, enabling you to achieve higher performance and cost savings.
Networking
New updates to Azure Firewall
New Azure Firewall capabilities:
Azure Firewall supports US West 3, Jio India West, and Brazil Southeast.
Auto-generated self-signed certificates for Azure Firewall Premium SKU.
Secure Hub now supports Availability Zones.
Deploy Azure Firewall without public IP in Forced Tunnel mode.
Configure pre-existing Azure Firewalls in Force Tunnel mode using stop or start commands.
Azure Route Server
Azure Route Server simplifies dynamic routing between your network virtual appliance (NVA) and your virtual network. When you establish a Border Gateway Protocol (BGP) peering between your NVA and Azure Route Server, you can advertise IP addresses from your NVA to your virtual network. Your NVA will also learn what IP addresses your virtual network has. Azure Route Server is a fully managed service and is configured with high availability.
Several key Azure Route Server benefits include:
Simplify network appliance operations
Deploy it in your existing setup
Support any network appliance
Enable new network topology
Private Link Network Security Group Support (preview)
Private Endpoint support for Network Security Groups (NSGs) is now in public preview. This feature enhancement will provide you with the ability to enable advanced security controls on traffic destined to a private endpoint. In order to leverage this feature, you will need to set a specific subnet level property, called PrivateEndpointNetworkPolicies, to Enabled. In addition to toggling this property, you will need to also register for the Microsoft.Network/AllowPrivateEndpointNSG feature.
Private Link UDR Support (preview)
Private Endpoint support for User Defined Routes (UDRs) is now in public preview. This feature enhancement will provide you with the ability to apply custom routes to traffic destined to a private endpoint with a wider subnet range. In order to leverage this feature, you will need to set a specific subnet level property, called PrivateEndpointNetworkPolicies, to Enabled. In addition to toggling this property, you will need to also register for the Microsoft.Network/AllowPrivateEndpointNSG feature.
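The following PowerShell is an added example for both preview features above; it is not code from the original announcements. It registers the feature named in the text, enables the subnet property, and then attaches an NSG and a route table that are only honoured for private endpoint traffic once the property is Enabled. The topology is assumed: a hub VNet with an app subnet (10.10.1.0/24), a private endpoint subnet (10.10.5.0/24) holding a SQL private endpoint at 10.10.5.4, and a firewall NVA at 10.10.0.4; all names and addresses are placeholders.

```powershell
# Added example (not from the original announcement). Names, prefixes and the
# private endpoint address are placeholders for an assumed hub topology.

# 1. Opt the subscription into the preview feature and wait for registration.
Register-AzProviderFeature -FeatureName AllowPrivateEndpointNSG -ProviderNamespace Microsoft.Network | Out-Null
do {
    Start-Sleep -Seconds 15
    $state = (Get-AzProviderFeature -FeatureName AllowPrivateEndpointNSG `
                -ProviderNamespace Microsoft.Network).RegistrationState
} while ($state -ne 'Registered')
Register-AzResourceProvider -ProviderNamespace Microsoft.Network | Out-Null   # propagate the flag

$vnet = Get-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName 'rg-net'

# 2. NSG for the private endpoint subnet: only the app tier may reach the SQL
#    private endpoint on 1433; everything else to that subnet is denied.
$allowApp = New-AzNetworkSecurityRuleConfig -Name 'allow-app-to-sql-pe' -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix '10.10.1.0/24' -SourcePortRange '*' `
    -DestinationAddressPrefix '10.10.5.4' -DestinationPortRange 1433
$denyRest = New-AzNetworkSecurityRuleConfig -Name 'deny-other-to-pe-subnet' -Priority 200 `
    -Direction Inbound -Access Deny -Protocol '*' `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix '10.10.5.0/24' -DestinationPortRange '*'
$nsg = New-AzNetworkSecurityGroup -Name 'nsg-privatelink' -ResourceGroupName 'rg-net' `
    -Location $vnet.Location -SecurityRules $allowApp, $denyRest

# 3. Route table for the app subnet: send traffic for the whole private endpoint
#    subnet (a prefix wider than the per-endpoint /32) through the firewall NVA.
$route = New-AzRouteConfig -Name 'pe-subnet-via-firewall' -AddressPrefix '10.10.5.0/24' `
    -NextHopType VirtualAppliance -NextHopIpAddress '10.10.0.4'
$rt = New-AzRouteTable -Name 'rt-app' -ResourceGroupName 'rg-net' -Location $vnet.Location -Route $route

# 4. Attach them. The subnet-level flag is what makes the NSG and the UDR apply
#    to private endpoint traffic; while it is Disabled both are bypassed.
$peSubnet  = $vnet.Subnets | Where-Object Name -eq 'snet-privatelink'
$appSubnet = $vnet.Subnets | Where-Object Name -eq 'snet-app'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $peSubnet.Name `
    -AddressPrefix $peSubnet.AddressPrefix -NetworkSecurityGroup $nsg `
    -PrivateEndpointNetworkPoliciesFlag 'Enabled' | Out-Null
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $appSubnet.Name `
    -AddressPrefix $appSubnet.AddressPrefix -RouteTable $rt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Verify the flag and the attachments.
(Get-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName 'rg-net').Subnets |
    Select-Object Name, PrivateEndpointNetworkPolicies,
        @{n='NSG';e={$_.NetworkSecurityGroup.Id}}, @{n='RouteTable';e={$_.RouteTable.Id}}
```

Until the feature is registered and the flag is Enabled, the deny rule above has no effect on traffic to 10.10.5.4, which is easy to mistake for a working control; verify with a connection test from a host outside 10.10.1.0/24 after the change.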
Address changes on an Azure virtual network that has active peerings (preview)
You can now update your virtual network address space without removing the peering links on your virtual networks and without incurring any downtime.
Azure ExpressRoute: new ExpressRoute Direct and Peering locations
New locations are available for ExpressRoute Direct:
Denver
Newport (Wales)
Pune
The new locations support dual 10Gbps or 100Gbps connectivity into Microsoft’s global network.
New peering locations are available for ExpressRoute:
Microsoft constantly releases news about Azure management services. By publishing this summary, we want to provide an overall overview of the main news released in the last month. This allows you to stay up-to-date on these topics and have the necessary references to conduct further investigations.
The following diagram shows the different areas related to management, which are covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.
Monitor
Azure Monitor
The IT Service Management Connector is certified with the Quebec version of ServiceNow
The IT Service Management Connector (ITSM) of Azure Monitor is now certified for the Quebec version of ServiceNow. This connector establishes a two-way connection between Azure and ITSM tools, useful for managing incidents and solving problems faster. It is also possible to create work items in the ITSM tool based on Azure alerts (Metric Alerts, Activity Log Alerts and Log Analytics alerts).
Lower levels for reservations for Azure Monitor dedicated clusters
Microsoft has reduced the minimum capacity reservation required for Azure Monitor dedicated clusters from 1,000 GB to 500 GB per day. This lets customers with lower ingestion volumes take advantage of advanced features such as customer-managed keys, Lockbox and infrastructure encryption.
The retirement of the Log Analytics agent has been announced
Microsoft announced that on 31 August 2024 the Log Analytics agent used in Azure Monitor will be retired. Before that date you should move to the new Azure Monitor agent (AMA) and Azure Monitor data collection rules (DCR) to monitor virtual machines and servers.
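The following PowerShell is an added example of the migration the announcement calls for; it is not code from the original post. It gives a VM a managed identity (AMA authenticates with it, so no workspace key is stored on the machine), installs the Azure Monitor agent extension, creates a data collection rule that ships selected Security and System event log entries to a Log Analytics workspace, associates the rule with the VM, and finally removes the legacy agent. Resource names, the workspace and the XPath filters are placeholders; the cmdlet syntax is that of Az.Monitor 2.x and Az.Compute.

```powershell
# Added example (not from the original news item). Names are placeholders.
$rg = 'rg-monitor'
$vm = Get-AzVM -ResourceGroupName $rg -Name 'vm-web01'
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name 'law-prod'

# 1. AMA uses the VM's managed identity to reach the workspace; no shared key.
Update-AzVM -ResourceGroupName $rg -VM $vm -IdentityType SystemAssigned | Out-Null

# 2. Install the agent extension with automatic minor-version upgrades.
Set-AzVMExtension -ResourceGroupName $rg -VMName $vm.Name -Location $vm.Location `
    -Name 'AzureMonitorWindowsAgent' -Publisher 'Microsoft.Azure.Monitor' `
    -ExtensionType 'AzureMonitorWindowsAgent' -TypeHandlerVersion '1.0' `
    -EnableAutomaticUpgrade $true | Out-Null

# 3. The DCR decides what leaves the machine. Only the XPath queries listed here
#    are collected (logon success/failure, process creation, account creation,
#    and critical/error System events), so the rule is also the allow-list.
$dcrJson = @"
{
  "location": "$($vm.Location)",
  "properties": {
    "dataSources": {
      "windowsEventLogs": [{
        "name": "secEvents",
        "streams": ["Microsoft-Event"],
        "xPathQueries": [
          "Security!*[System[(EventID=4624 or EventID=4625 or EventID=4688 or EventID=4720)]]",
          "System!*[System[(Level=1 or Level=2)]]"
        ]
      }]
    },
    "destinations": {
      "logAnalytics": [{ "name": "lawDest", "workspaceResourceId": "$($ws.ResourceId)" }]
    },
    "dataFlows": [{ "streams": ["Microsoft-Event"], "destinations": ["lawDest"] }]
  }
}
"@
$dcrJson | Set-Content -Path '.\dcr-security.json' -Encoding utf8
$dcr = New-AzDataCollectionRule -Location $vm.Location -ResourceGroupName $rg `
    -RuleName 'dcr-security' -RuleFile '.\dcr-security.json'

# 4. One rule can be associated with many machines; the association is per VM.
New-AzDataCollectionRuleAssociation -TargetResourceId $vm.Id `
    -AssociationName 'dcr-security-assoc' -RuleId $dcr.Id | Out-Null

# 5. Only after events are visible in the workspace via AMA, remove the legacy agent
#    so there is no collection gap.
Remove-AzVMExtension -ResourceGroupName $rg -VMName $vm.Name -Name 'MicrosoftMonitoringAgent' -Force
```

Run the two agents side by side long enough to compare the Event table for the machine before executing step 5; the legacy agent collects everything a workspace-level setting asks for, whereas AMA collects only what the DCR lists, so an event type missing from the XPath queries simply stops arriving.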
Configure
Azure Automation
New features coming soon to be released
Microsoft has announced that the following new features will soon be released for Azure Automation:
Azure AD support: ability to use Azure AD-based authentication for public automation endpoints
Support for PowerShell 7: ability to run Azure Automation runbooks in production scenarios using PowerShell 7.1.
Azure Automation Hybrid Worker extension for Azure and Azure Arc machines: ability to onboard hybrid workers using the hybrid worker extension on Azure and Azure Arc machines.
Support for Availability Zones, useful for increasing reliability and resilience.
Native support for the PowerShell Az module.
Govern
Azure Policy
Azure Guest Configuration Policy: ability to apply settings within systems as well (preview)
Guest Configuration policies let you control settings inside a machine, both for virtual machines running in Azure and for Arc-connected machines. At the moment most Azure Guest Configuration policies only audit the settings inside the machine; they do not apply configurations. Microsoft has now announced, in preview, the ability to apply configurations provided by Microsoft, or to create your own configuration packages using PowerShell DSC version 3.
Azure Cost Management
Updates related to Azure Cost Management and Billing
Microsoft is constantly looking for new ways to improve Azure Cost Management and Billing, the solution that provides greater visibility into where costs are accumulating in the cloud, identifies and prevents incorrect spending patterns, and optimizes costs. This article reports some of the latest improvements and updates to the solution.
Secure
Azure Security Center
Azure Defender for SQL available from Azure SQL Virtual Machine blade
This new Azure Defender browsing experience for SQL VMs lets you view, directly from the SQL virtual machine blade, information about security best practices for the related SQL Server databases.
New features, bug fixes and deprecated features of Azure Security Center
Azure Security Center is constantly evolving and improvements are made on an ongoing basis. To stay up to date on the latest developments, Microsoft updates this page, which provides information about new features, bug fixes and deprecated features. In particular, this month the main news concerns:
Support for Archive storage for backups of VMs and SQL Server on Azure VMs
In Azure Backup you can now move recovery points to an archive tier to save costs and keep your backup data longer. This feature is available for Azure VMs and for SQL Server installed on Azure VMs. Using Azure PowerShell, you can move these backups from the standard tier to the new archive tier.
When moving backup data from vault-standard to vault-archive, Azure Backup converts incremental data into a full backup. This increases the total GB used, but costs are reduced thanks to the large difference in cost per GB between the two storage tiers. To simplify the process, Azure Backup recommends the recovery points (RPs) for which migration to vault-archive is advisable. Restores can be performed from the Azure portal in an integrated, simple and intuitive process.
Azure Site Recovery
ASR support for global disaster recovery
Azure Site Recovery (ASR) introduced support for cross-continental disaster recovery. With this feature, a virtual machine can be replicated from an Azure region on one continent to a region on another continent. In the event of a planned or unplanned outage, you can fail the virtual machine over to the other continent and, once the outage has been mitigated, fail it back to the continent of origin and protect it again.
Retirement date for hard-coded IP addresses extended
Microsoft has extended to 31 August 2024 the retirement date for the hard-coded IP addresses used to connect to Azure Site Recovery services. This gives you more time to adjust the configuration of your environments to use Azure service tags instead.
Migrate
Azure Migrate
Software inventory and agentless dependency analysis
In Azure Migrate it is now possible to inventory applications, roles and features installed and perform dependency analysis, on Windows and Linux servers, without installing any agent. Agentless dependency analysis allows you to identify and understand dependencies between servers, supporting data collection for up to 1000 servers at the same time.
Discovery and assessment of ASP.NET Web Apps with Azure Migrate(preview)
Azure Migrate now allows you to identify and assess ASP.NET Web Apps running on the on-premises IIS Web server and manage their migration. Until now, it was necessary to use tools such as App Service Migration Assistant to evaluate the Web Apps. Thanks to the introduction of this feature in Azure Migrate, it is possible to discover the .NET Web Apps running in your VMware environment and create assessments to manage the migration to Azure IaaS or Azure App Service.
Containerization of apps and migration to AKS or Azure App Service
The Azure Migrate app containerization tool allows you to modernize existing ASP.NET and Java web applications using a containerization approach that requires little or no application changes. The tool packages the existing applications running on servers into a container image and lets you deploy them as containers in Azure Kubernetes Service (AKS) or in Azure App Service. As part of the migration process, the tool lets you parameterize the application configuration, externalize file system dependencies using persistent volumes, and configure monitoring of the containerized application with Application Insights.
New Azure Migrate releases and features
Azure Migrate is the service in Azure that includes a large portfolio of tools that you can use, through a guided experience, to address effectively the most common migration scenarios. To stay up-to-date on the latest developments in the solution, please consult this page, that provides information about new releases and features.
Evaluation of Azure
To test for free and evaluate the services provided by Azure you can access this page.
Placement policies for Azure VMware Solution (preview)
Placement policies are used to define constraints for running virtual machines in the Azure VMware Solution software-defined data center (SDDC). These constraints let you decide where and how the virtual machines should run within the SDDC clusters. Placement policies support performance optimization of virtual machines (VMs) through policy, and help mitigate the impact of maintenance operations on the policies within the SDDC cluster. When you create a placement policy, a vSphere Distributed Resource Scheduler (DRS) rule is created in the specified vSphere cluster, together with additional logic for interoperability with Azure VMware Solution operations.
New VM series supported by Azure Batch
The selection of VMs that can be used by Azure Batch has been expanded, allowing newer Azure VM series to be used. The following additional VM series can now be specified when Batch pools are created:
H-series Azure Virtual Machine sizes (H8, H8m, H16, H16r, H16m, H16mr, H8 Promo, H8m Promo, H16 Promo, H16r Promo, H16m Promo, and H16mr Promo) on 31 August 2022.
ND-series virtual machine sizes on 31 August 2022.
Basic and Standard A-series VMs on 31 August 2024.
Azure Government Top Secret now generally available for US national security missions
Azure Government Top Secret is now available for US national security missions, a significant milestone in Microsoft's commitment to bringing commercial innovation to US government customers across all data classifications. This announcement, together with new services and functionality in Azure Government Secret, enables customers and partners to realize a multi-cloud strategy and achieve greater agility, interoperability, cost savings and speed to innovation.
Storage
Azure Blob storage inventory
Inventory provides an easy way to gain insight into the containers and all block, append and page blobs stored within an account. Blob Inventory can be configured to produce a full listing of all blobs and containers on a daily or weekly basis. Before Inventory, you needed either a separate catalog system or a listing of all blobs followed by analysis, which added complexity and cost to solutions built on blob storage. With Inventory, all blobs and containers that match an optional filter are listed daily or weekly to a CSV or Parquet file that can then be processed for insights.
Azure Archive Storage events for easy rehydration of archived blobs
Azure Archive Storage provides a secure, low-cost means of retaining cold data, including backups and archival storage. While your data is in the archive tier it is offline and cannot be read until it is moved to the hot or cool tier. Previously, the only way to determine when a blob rehydration was complete and the blob was readable was to repeatedly poll the status of the rehydration operation, adding complexity and cost. Azure Event Grid now supports events that fire when a blob is rehydrated from the archive tier. The Microsoft.Storage.BlobCreated event fires when an archived blob is copied to a new destination blob in the hot or cool tier. The Microsoft.Storage.BlobTierChanged event fires when an archived blob's tier is changed to hot or cool. Your application can handle these events in order to respond to blob rehydration.
Azure Blob storage: last access time tracking
Last access time tracking integrates with lifecycle management to allow automatic tiering and deletion of data based on when individual blobs were last accessed. This gives greater cost control as well as an automatic workflow that includes deleting data once it is no longer used. Last access time can also be used without lifecycle management by any solution that needs to know when individual blobs were last read and act on it. Lifecycle management with last access time tracking is available in all public regions for accounts with a flat namespace. Azure Data Lake Storage Gen2 will be supported later this year.
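The following PowerShell is an added example covering the three storage items above (inventory, rehydration events, last access time tiering); it is not code from the original announcements. It configures one storage account with a daily inventory rule, an Event Grid subscription for the two rehydration events, and a lifecycle rule that tiers on read activity rather than modification time. Account, container, prefix and endpoint names are placeholders, and the event handler URL is assumed to exist.

```powershell
# Added example (not from the original announcements). Names are placeholders.
$rg = 'rg-data'
$sa = 'stdatalake01'
$account = Get-AzStorageAccount -ResourceGroupName $rg -Name $sa

# 1. Daily CSV inventory of block blobs under "raw/", written to the "inventory"
#    container. The report replaces a full List Blobs walk of the account.
$invRule = New-AzStorageBlobInventoryPolicyRule -Name 'daily-raw' -Destination 'inventory' `
    -Format Csv -Schedule Daily -BlobType blockBlob -PrefixMatch 'raw/' `
    -BlobSchemaField Name, Creation-Time, Last-Modified, Content-Length, BlobType, AccessTier
Set-AzStorageBlobInventoryPolicy -ResourceGroupName $rg -StorageAccountName $sa -Rule $invRule | Out-Null

# 2. Replace rehydration polling with events. BlobCreated covers copy-based
#    rehydration (archive -> new hot/cool blob); BlobTierChanged covers in-place
#    tier changes. The subject filter limits delivery to the "archive" container.
New-AzEventGridSubscription -ResourceId $account.Id -EventSubscriptionName 'rehydration-events' `
    -Endpoint 'https://functions.example.invalid/api/OnRehydrated' `
    -IncludedEventType 'Microsoft.Storage.BlobCreated', 'Microsoft.Storage.BlobTierChanged' `
    -SubjectBeginsWith '/blobServices/default/containers/archive/' | Out-Null

# 3. Tier on last read, not last write: a blob that is still read regularly stays
#    hot even if it was written long ago, and is moved back to hot on access.
Enable-AzStorageBlobLastAccessTimeTracking -ResourceGroupName $rg -StorageAccountName $sa -PassThru | Out-Null
$action = Add-AzStorageAccountManagementPolicyAction -BaseBlobAction TierToCool `
    -DaysAfterLastAccessTimeGreaterThan 30 -EnableAutoTierToHotFromCool
$action = Add-AzStorageAccountManagementPolicyAction -InputObject $action `
    -BaseBlobAction TierToArchive -DaysAfterModificationGreaterThan 180
$action = Add-AzStorageAccountManagementPolicyAction -InputObject $action `
    -BaseBlobAction Delete -DaysAfterModificationGreaterThan 730
$filter = New-AzStorageAccountManagementPolicyFilter -PrefixMatch 'raw/' -BlobType blockBlob
$rule   = New-AzStorageAccountManagementPolicyRule -Name 'raw-lifecycle' -Action $action -Filter $filter
Set-AzStorageAccountManagementPolicy -ResourceGroupName $rg -StorageAccountName $sa -Rule $rule | Out-Null

# Review what is now in force.
Get-AzStorageBlobInventoryPolicy -ResourceGroupName $rg -StorageAccountName $sa
Get-AzStorageAccountManagementPolicy -ResourceGroupName $rg -StorageAccountName $sa
```

The inventory output lands in the destination container as ordinary blobs, so apply the same access controls to that container as to the data it describes; a full listing of object names is itself sensitive.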
Networking
Network Insights: enhanced troubleshooting experiences for additional resources
You now have access to rich insights and enhanced troubleshooting experiences for four additional networking resources in Network Insights: Private Link, NAT Gateway, Public IP, and NIC.
With the onboarding of these resources, customers can access:
A resource topology showing resource health and connected resources
A pre-built workbook showing all key metrics along multiple
Direct links to documentation and troubleshooting help
The new Windows Server 2022 operating system, built on the solid foundation of its predecessor Windows Server 2019, brings numerous innovations in security, in integration and hybrid management with Azure, and as an application platform. The article is divided into two parts: the first part discussed the available editions, the functionality for hybrid environments and the application platform. This second part presents the main features of the new server operating system in the areas of security and storage, and more.
Security
Windows Server 2022 combines different security features in different areas to provide advanced multi-layered protection capable of effectively countering increasingly sophisticated security threats.
Secured-core server
Windows Server 2022 is part of Microsoft's Secured-core program. The program was initially launched with PC hardware partners and was then extended to servers. Secured-core provides security across hardware and firmware, integrated with operating system capabilities, that helps protect servers from advanced threats.
Using a combination of identity, virtualization, operating system and hardware defenses, Secured-core servers offer both hardware and software protection. With Windows Defender System Guard, integrated into Windows Server 2022, Secured-core servers give organizations assurance of the integrity of the operating system and checks that help prevent firmware attacks.
Secured-core server is based on three fundamental pillars:
Simplified security: when purchasing Secured-core server hardware from an OEM, you can be sure that the vendor provides hardware with firmware and drivers that fulfil the Secured-core promise. Furthermore, the Windows Server configuration experience is simple, and the Secured-core security features can be enabled directly from Windows Admin Center.
Advanced security, covering the following areas:
Hardware root of trust (TPM 2.0 as standard)
Firmware protection
Virtualization-based security (VBS)
Preventive defense: enabling the Secured-core functionality helps to defend proactively and to cut off many of the paths that attackers use to compromise a system.
Secure connectivity
To increase the level of security in communications, in Windows Server 2022 the following new features have been introduced:
Transport: HTTPS and TLS 1.3 enabled by default
Secure DNS: DNS name resolution requests encrypted with DNS-over-HTTPS
Server Message Block (SMB): introduced support for AES-256 encryption for the SMB protocol
SMB: East-West SMB encryption controls for internal communications of cluster systems. Failover clusters now support granular control of intra-node communication encryption and signing for Cluster Shared Volumes (CSV) and for the storage bus layer (SBL). This means that when using Storage Spaces Direct, you can decide to encrypt or sign east-west communications within the cluster itself for greater security.
SMB over QUIC. QUIC is a standard protocol designed to provide a more reliable connection over untrusted networks, such as the Internet. QUIC uses a TLS 1.3 encrypted tunnel on UDP port 443. All SMB traffic, including the authentication and authorization process, travels inside this tunnel and is never exposed on the network, while SMB behaves in a completely normal way and offers its usual capabilities. SMB over QUIC in Windows Server 2022 Datacenter: Azure Edition uses the updated version of the SMB protocol (version 3.1.1). Using SMB over QUIC together with TLS 1.3, users and applications can securely and reliably access data on file servers running in Azure without having to use VPN connections.
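The following PowerShell is an added example of applying the transport hardening listed above; it is not code from the article or from Microsoft. It assumes a file server named fs01.contoso.com (a placeholder) that already holds a TLS server certificate in its machine store, a DoH-capable resolver at 1.1.1.1 with its public template (swap in your own), a network interface alias of "Ethernet", and a client running Windows 11 or Windows Server 2022 Azure Edition for the last step.

```powershell
# Added example: enable AES-256 SMB encryption, DNS-over-HTTPS and SMB over QUIC
# on a Windows Server 2022 file server. Run elevated on the server; the final
# section runs on a client. All host names and addresses are placeholders.
$ErrorActionPreference = 'Stop'

# --- SMB encryption: require encrypted sessions and allow only the AES-256 ciphers.
# Restricting the cipher list locks out SMB clients that lack AES-256 (anything older
# than Windows 11 / Windows Server 2022), so check the client inventory first.
Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true -Confirm:$false
Set-SmbServerConfiguration -EncryptionCiphers 'AES_256_GCM,AES_256_CCM' -Confirm:$false
Get-SmbServerConfiguration | Select-Object EncryptData, RejectUnencryptedAccess, EncryptionCiphers

# --- Secure DNS: register the DoH template for the resolver and forbid plaintext
# fallback, then make that resolver the interface's DNS server so it is actually used.
Add-DnsClientDohServerAddress -ServerAddress '1.1.1.1' -DohTemplate 'https://cloudflare-dns.com/dns-query' `
    -AllowFallbackToUdp $false -AutoUpgrade $true
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '1.1.1.1'
Get-DnsClientDohServerAddress

# --- SMB over QUIC (Datacenter: Azure Edition): bind the server certificate to the
# name clients will connect to, and open UDP 443 (QUIC never touches TCP 445).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=fs01.contoso.com' } |
    Select-Object -First 1
if (-not $cert) { throw 'No server certificate for fs01.contoso.com in the machine store.' }
New-SmbServerCertificateMapping -Name 'fs01.contoso.com' -Thumbprint $cert.Thumbprint -StoreName 'My'
New-NetFirewallRule -DisplayName 'SMB over QUIC (UDP 443)' -Direction Inbound -Protocol UDP -LocalPort 443 -Action Allow
Get-SmbServerCertificateMapping

# --- Client side: force the QUIC transport so the mapping fails closed instead of
# silently falling back to TCP 445, then confirm the session is encrypted.
New-SmbMapping -LocalPath 'Z:' -RemotePath '\\fs01.contoso.com\data' -TransportType QUIC
Get-SmbConnection | Select-Object ServerName, ShareName, Dialect, Encrypted
```

Setting EncryptData without RejectUnencryptedAccess would still let a downlevel client negotiate an unencrypted session, which is why both switches are set together; the cipher restriction is the part most likely to break existing clients and is best rolled out share by share.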
Storage innovations
In the storage field, Windows Server 2022 introduces the following new features:
Storage Migration Service: there are several improvements regarding this service, useful for simplifying storage migrations to both Windows Server and Azure, including:
Migration of local users and groups to the new server.
Storage migration between failover clusters, and migration between standalone servers and failover clusters.
Storage migration from Linux servers using Samba.
Easier synchronization of migrated shares with Azure, using Azure File Sync.
Easier migration to new environments, such as Azure.
Migration of NetApp CIFS servers from NetApp FAS arrays to Windows servers and clusters.
Storage Spaces Direct introduces a new feature, user-adjustable storage repair speed, which gives you greater control over the data resync process by allocating resources either to repairing copies of the data (resilience) or to running active workloads (performance).
SMB compression: thanks to improvements on the SMB side in Windows Server 2022 and Windows 11, files can be compressed during network transfer, reducing transfer times.
Storage bus cache is also available for standalone servers. This feature can significantly improve read and write performance, maintaining high storage efficiency and low operating costs. As is the case in its implementation for Storage Spaces Direct, this function merges the fastest media (for example, NVMe or SSD) with slower media (for example, HDD) to create different tiers. Some of the faster media is reserved for the cache.
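As an added example (not code from the article or from Microsoft), the following PowerShell exercises two of the storage features just listed: the adjustable repair speed on a Storage Spaces Direct cluster, and SMB compression requested per mapping and per copy job. It assumes an S2D cluster whose storage subsystem friendly name starts with "Cluster", a share \\fs01.contoso.com\backups and a local folder D:\exports (all placeholders).

```powershell
# Added example: tune storage repair speed and use SMB compression on Windows Server 2022.
# Run elevated; the first section on an S2D cluster node, the second on the copying client.
$ErrorActionPreference = 'Stop'

# 1) Adjustable storage repair speed (Storage Spaces Direct). Values run from VeryLow to
#    VeryHigh and trade running-workload performance against how fast lost data copies
#    are rebuilt. Raise it for a planned resync window and lower it again afterwards.
$s2d = Get-StorageSubSystem -FriendlyName 'Cluster*'
$s2d | Set-StorageSubSystem -VirtualDiskRepairSpeed High
# Watch the repair jobs the new speed applies to.
Get-StorageJob | Where-Object JobState -ne 'Completed' | Select-Object Name, JobState, PercentComplete

# 2) SMB compression: request it per mapping so only the bulk-transfer share pays the
#    CPU cost, and pair it with /COMPRESS on robocopy, which negotiates compression itself.
New-SmbMapping -LocalPath 'Z:' -RemotePath '\\fs01.contoso.com\backups' -CompressNetworkTraffic $true
robocopy 'D:\exports' 'Z:\exports' /E /COMPRESS /R:1 /W:1
if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit code $LASTEXITCODE)" }

# The server can refuse compression outright (for example for shares that only hold
# already-compressed media); confirm it is not disabled before blaming the client.
Get-SmbServerConfiguration | Select-Object DisableCompression
```

Robocopy exit codes below 8 mean success with or without skipped files, so the check above only fails the run on real copy errors; compression cannot be observed from the exit code, but the transfer time on compressible data (VHDX files, logs, text exports) is the visible effect the article refers to.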
More new features
In addition to the aspects covered in the previous paragraphs, the following features have been announced:
Nested virtualization in Windows Server 2022 is also available on AMD processors, expanding the choice of hardware for your environment.
Microsoft Edge is included with Windows Server 2022, in place of Internet Explorer. Edge can be used with the Server Core and Server with Desktop Experience installation options.
Conclusions
Windows Server 2022 evolves the mature and consolidated Windows Server platform by introducing a series of innovative updates in different areas. There are therefore various advantages for companies to evaluate the adoption of this new server operating system, in particular, for those who use Windows Server in an Azure environment.
The new Windows Server 2022 operating system, built on the solid foundation of its predecessor Windows Server 2019, brings numerous innovations in security, in integration and hybrid management with the Azure environment, and as an application platform. The article is divided into two parts: this first part shows the main features of the new server operating system relating to the available editions, the features designed for hybrid environments and the new aspects related to the application platform.
Editions
Windows Server 2022 is characterized by the following aspects relating to the editions:
Windows Server 2022 will have a Standard edition, a Datacenter edition and a new version called Azure Datacenter.
The Azure Datacenter edition of Windows Server 2022 is only supported on Azure (Azure IaaS or Azure Stack HCI 21H2) and offers specific features not available outside these environments (hotpatching, SMB over QUIC and Azure Extended Networking).
For all Windows Server 2022 editions there are both Core and Desktop installation options.
It will be possible to upgrade Windows Server 2019 Datacenter edition in place to the new Windows Server 2022 Datacenter: Azure Edition. Nevertheless, in-place upgrades of server operating systems are a practice to be carefully evaluated and, if possible, avoided.
Microsoft recently updated its servicing model for server operating systems. Microsoft has decided to abandon the semi-annual versions of Windows Server: starting with Windows Server 2022, there is only one main release channel, the Long-Term Servicing Channel. With the Long-Term Servicing Channel, a new major version of Windows Server is released every 2-3 years. Users are entitled to 5 years of mainstream support and 5 years of extended support. This channel provides systems with prolonged maintenance and functional stability: the Long-Term Servicing Channel receives security and non-security updates, but it does not receive new features and functionalities. The Semi-Annual Channel, available in previous versions of Windows Server, was suited to containers and microservices; in these areas, innovation will continue with Azure Stack HCI. In this regard, note that the operating system of the Azure Stack HCI solution is a specific, dedicated operating system with a simplified composition, which includes only the roles needed by the solution.
Hybrid Functionality
Using Windows Server 2022 it is possible to increase efficiency and agility by using features designed for hybrid environments and fully integrated into the operating system.
Azure Automanage – Hotpatch
The Hotpatch feature, part of Azure Automanage, is supported in Windows Server 2022 Datacenter: Azure Edition. Support is currently for Core mode installations, but will also be extended to Desktop installations in the future. Hotpatching is a new mechanism, used to install updates on Windows Server Azure Edition virtual machines, which allows you to reduce the number of reboots required to install updates.
Azure Automanage orchestrates the installation of security patches on top of a Cumulative Update, which is released every three months. The Cumulative Update requires a system restart, but the security patches released between Cumulative Updates can modify the code running in memory without rebooting the machine.
Windows Admin Center (WAC) introduces specific improvements for managing Windows Server 2022; among these, WAC lets you check the status of Secured-core and, where applicable, enable it.
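Hotpatching has to be selected when the VM is created, because it depends on both the Azure Edition image and the AutomaticByPlatform patch mode. The following Az PowerShell is an added example, not code from the article or from Microsoft: it builds a Windows Server 2022 Datacenter: Azure Edition (Core) VM with Hotpatch enabled and reads the patch settings back. The resource group, region, VM name, VM size and the existing virtual network and subnet names are placeholders; the administrator credential is prompted for at run time.

```powershell
# Added example: deploy a Windows Server 2022 Azure Edition Core VM with Hotpatch enabled.
# Requires the Az.Compute and Az.Network modules and an authenticated session (Connect-AzAccount).
$ErrorActionPreference = 'Stop'
$rg       = 'rg-ws2022'          # placeholder
$location = 'westeurope'         # placeholder
$vmName   = 'ws2022-core-01'     # placeholder
$cred     = Get-Credential -Message 'Local administrator account for the new VM'

# Network interface in an existing subnet (placeholder names).
$vnet   = Get-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'snet-servers' -VirtualNetwork $vnet
$nic    = New-AzNetworkInterface -Name "$vmName-nic" -ResourceGroupName $rg -Location $location -SubnetId $subnet.Id

$vm = New-AzVMConfig -VMName $vmName -VMSize 'Standard_D2s_v3'

# Hotpatch needs (a) the Azure Edition image and (b) PatchMode AutomaticByPlatform with
# hotpatching switched on; the VM agent must be provisioned for the platform to drive it.
$vm = Set-AzVMOperatingSystem -VM $vm -Windows -ComputerName $vmName -Credential $cred `
    -ProvisionVMAgent -EnableAutoUpdate -PatchMode 'AutomaticByPlatform' -EnableHotpatching
$vm = Set-AzVMSourceImage -VM $vm -PublisherName 'MicrosoftWindowsServer' -Offer 'WindowsServer' `
    -Skus '2022-datacenter-azure-edition-core' -Version 'latest'
$vm = Add-AzVMNetworkInterface -VM $vm -Id $nic.Id
$vm = Set-AzVMBootDiagnostic -VM $vm -Disable

New-AzVM -ResourceGroupName $rg -Location $location -VM $vm

# Verify what the platform recorded: PatchMode should be AutomaticByPlatform and
# EnableHotpatching true; anything else means the VM will keep needing reboots.
(Get-AzVM -ResourceGroupName $rg -Name $vmName).OSProfile.WindowsConfiguration.PatchSettings
```

The image SKU is the Core variant because, as noted above, Hotpatch support currently covers Core installations; choosing the Desktop Experience SKU with the same flags would deploy but not hotpatch.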
Azure Arc
Windows Server 2022 also allows Azure Arc to be enabled, to manage physical servers and virtual machines residing outside Azure (on the on-premises corporate network or at other cloud providers) with the same management methods used for native virtual machines residing in Azure. In fact, a machine connected to Azure through Arc is treated in all respects as an Azure resource: each connected machine has a specific ID, is included in a resource group and benefits from standard Azure constructs.
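The onboarding that turns a server into that Azure resource is done with the Connected Machine agent. The PowerShell below is an added example, not code from the article or from Microsoft: it downloads the agent from Microsoft's public link, installs it and runs azcmagent connect. The subscription, tenant, resource group, region and tags are placeholders; interactive sign-in is assumed, as for a handful of servers (fleets would use a service principal holding the "Azure Connected Machine Onboarding" role instead).

```powershell
# Added example: onboard a Windows Server 2022 machine to Azure Arc. Run elevated on the server.
$ErrorActionPreference = 'Stop'
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$tenantId       = '00000000-0000-0000-0000-000000000000'   # placeholder
$resourceGroup  = 'rg-arc-servers'                         # placeholder
$location       = 'westeurope'                             # placeholder

# 1) Download and install the agent; msiexec returns non-zero on failure, so check it.
$msi = Join-Path $env:TEMP 'AzureConnectedMachineAgent.msi'
Invoke-WebRequest -Uri 'https://aka.ms/AzureConnectedMachineAgent' -OutFile $msi -UseBasicParsing
$install = Start-Process -FilePath 'msiexec.exe' -Wait -PassThru `
    -ArgumentList "/i `"$msi`" /l*v `"$env:TEMP\arc-install.log`" /qn"
if ($install.ExitCode -ne 0) { throw "Agent install failed with exit code $($install.ExitCode)" }

# 2) Connect. With no --service-principal-* switches the agent prompts for an interactive
#    sign-in. The resource group and location become the Azure resource's identity.
$azcmagent = Join-Path $env:ProgramFiles 'AzureConnectedMachineAgent\azcmagent.exe'
& $azcmagent connect `
    --resource-group $resourceGroup --tenant-id $tenantId --location $location `
    --subscription-id $subscriptionId --cloud 'AzureCloud' --tags 'os=ws2022,env=prod'
if ($LASTEXITCODE -ne 0) { throw "azcmagent connect failed (exit code $LASTEXITCODE)" }

# 3) Show the Azure resource ID and agent status that the article refers to.
& $azcmagent show
```

After connect succeeds, the machine appears in the resource group like any other Azure resource and can be targeted by Azure Policy, extensions and RBAC assignments exactly as a native VM would.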
Application platform
Windows Server 2022 brings several improvements to the application field; the main ones are:
Reduction of the Windows container image size by up to 40%, which leads to a boot time up to 30% faster and better performance.
Ability to run applications that depend on Azure Active Directory with group Managed Service Accounts (gMSA) without having to domain-join the container host.
Windows container support for Microsoft Distributed Transaction Coordinator (MSDTC) and Microsoft Message Queuing (MSMQ).
Simplification of the Windows container experience in Kubernetes, including support for host-process containers for node configuration, IPv6, and network policy implementation with Calico.
In addition to the platform improvements, Windows Admin Center has been updated to simplify containerization of .NET applications. Once the application is in a container, you can host it in an Azure Container Registry and then deploy it to other Azure services, even Azure Kubernetes Service (AKS).
Thanks to support for Intel Ice Lake processors, Windows Server 2022 supports large-scale business-critical applications, such as SQL Server, with up to 48 TB of memory and 2,048 logical cores running on 64 physical sockets. Using the Intel Software Guard Extensions (SGX) confidential computing technology available on Intel Ice Lake, application security can be improved by isolating applications from each other through memory protection.
The second part of the article reports the main features of the new server operating system in the security and storage area, but not only.
Azure Virtual Machine extensions are small applications that provide post-deployment configuration and automation on Azure VMs. The ability to automatically upgrade VM extensions is now available for Azure Virtual Machines and Virtual Machine Scale Sets. If the automatic extension upgrade feature is enabled for an extension on a VM or a VM scale set, the extension is upgraded automatically whenever the extension publisher releases a new version. Azure manages the upgrade rollout and the upgrades are safely applied following availability-first principles, keeping your environments more secure and up to date.
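The following Az PowerShell is an added example, not code from the announcement or from Microsoft: it turns on automatic upgrade for an existing extension and lists the extensions on a VM that still lack it, which is the audit an operator wants after such a feature becomes available. The resource group, VM name and the choice of the Azure Monitor agent extension are placeholders; the extension must be one whose publisher supports automatic upgrade.

```powershell
# Added example: enable automatic upgrade for a VM extension and audit the rest.
# Requires Az.Compute and an authenticated session.
$ErrorActionPreference = 'Stop'
$rg     = 'rg-ws2022'        # placeholder
$vmName = 'ws2022-core-01'   # placeholder

# Lists every extension on the VM whose EnableAutomaticUpgrade flag is not set.
function Get-ExtensionsWithoutAutoUpgrade {
    param([string]$ResourceGroupName, [string]$VMName)
    Get-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName |
        Where-Object { -not $_.EnableAutomaticUpgrade } |
        Select-Object Name, Publisher, ExtensionType, TypeHandlerVersion
}

# Re-apply one extension with the flag on; publisher/type/version are read from the
# existing resource so nothing else about the extension changes.
$ext = Get-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Name 'AzureMonitorWindowsAgent'
Set-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Name $ext.Name -Location $ext.Location `
    -Publisher $ext.Publisher -ExtensionType $ext.ExtensionType -TypeHandlerVersion $ext.TypeHandlerVersion `
    -EnableAutomaticUpgrade $true

# What still needs attention (an empty result means every extension auto-upgrades).
Get-ExtensionsWithoutAutoUpgrade -ResourceGroupName $rg -VMName $vmName
```

Because the platform rolls upgrades out availability-first, enabling the flag does not trigger an immediate update; it simply opts the extension into the publisher's next release wave.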
Storage
Azure File Sync agent v13
Improvements and issues that are fixed in the v13 release:
Authoritative upload: authoritative upload is a new mode available when creating the first server endpoint in a sync group. It is useful when the cloud (Azure file share) already has some or most of the data but is outdated and needs to be caught up with the more recent data on the new server endpoint. This is the case in offline migration scenarios such as Data Box: when a Data Box is filled and sent to Azure, users of the local server keep changing, adding and deleting files on it, which makes the data in the Data Box, and thus in the Azure file share, slightly outdated. With authoritative upload you can now tell the server and the cloud how to resolve this case and get the cloud seamlessly updated with the latest changes on the server. No matter how the data got to the cloud, this mode can update the Azure file share if the data stems from the matching location on the server. Avoid large directory restructures between the initial copy to the cloud and catching up with authoritative upload, so that only updates are transported: changes to directory names cause all files in the renamed directories to be uploaded again. This functionality is comparable to the semantics of RoboCopy /MIR (mirror source to target), including removing files on the target that no longer exist on the source. Authoritative upload replaces the "Offline Data Transfer" feature for Data Box integration with Azure File Sync via a staging share; a staging share is no longer required to use Data Box. New Offline Data Transfer jobs can no longer be started with the AFS v13 agent; existing jobs on a server continue even after upgrading to agent version 13.
Portal improvements to view cloud change enumeration and sync progress: when a new sync group is created, any connected server endpoint can only begin syncing when cloud change enumeration is complete. If files already exist in the cloud endpoint (Azure file share) of the sync group, enumerating the changes in the cloud can take some time: the more items (files and folders) exist in the namespace, the longer the process takes. Admins can now see cloud change enumeration progress in the Azure portal and estimate an ETA for completion, that is, for sync with servers to start.
Support for server rename: if a registered server is renamed, Azure File Sync will now show the new server name in the portal. If the server was renamed prior to the v13 release, the server name in the portal will now be updated to show the correct server name.
Support for Windows Server 2022 Preview: the Azure File Sync agent is now supported on Windows Server 2022 Preview build 20348 or later. Note: Windows Server 2022 adds support for TLS 1.3 which is not currently supported by Azure File Sync. If the TLS settings are managed via group policy, the server must be configured to support TLS 1.2.
Miscellaneous improvements:
Reliability improvements for sync, cloud tiering and cloud change enumeration.
If a large number of files is changed on the server, sync upload is now performed from a VSS snapshot which reduces per-item errors and sync session failures.
The Invoke-StorageSyncFileRecall cmdlet will now recall all tiered files associated with a server endpoint, even if the file has moved outside the server endpoint location.
Explorer.exe is now excluded from cloud tiering last access time tracking.
New telemetry (Event ID 6664) to monitor the orphaned tiered files cleanup progress after removing a server endpoint with cloud tiering enabled.
More information about this release:
This release is available for Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 and Windows Server 2022 Preview installations.
A restart is required for servers that have an existing Azure File Sync agent installation if the agent version is less than version 12.0.
The agent version for this release is 13.0.0.0.
Installation instructions are documented in KB4588753.
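Two of the notes above (the TLS 1.2 requirement and the new event 6664) are things an administrator checks from the server itself. The PowerShell below is an added example, not code from the release notes or from Microsoft. It assumes TLS is managed through the SCHANNEL registry policy the notes mention, that the agent's telemetry log is named 'Microsoft-FileSync-Agent/Telemetry' (the name of the Applications and Services log under Microsoft/FileSync/Agent, taken as an assumption here), that the agent module is at its default installation path, and that D:\data is a placeholder server endpoint path.

```powershell
# Added example: TLS 1.2 policy check and event 6664 query for an Azure File Sync server.
# Run elevated on the server endpoint.

function Test-Tls12ClientEnabled {
    # The agent is a TLS *client* towards Azure, so the Client subkey is the one that matters.
    # A missing key means the OS default applies, which is "enabled" on 2012 R2 and later.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    if (-not (Test-Path $key)) { return $true }
    $p = Get-ItemProperty -Path $key
    $enabled  = ($null -eq $p.Enabled) -or ($p.Enabled -ne 0)
    $disabled = ($null -ne $p.DisabledByDefault) -and ($p.DisabledByDefault -ne 0)
    return ($enabled -and -not $disabled)
}

function Get-OrphanedTieredFileCleanupEvents {
    # Event 6664 (new in v13) reports progress of the orphaned tiered file cleanup that
    # runs after a server endpoint with cloud tiering enabled is removed.
    param([int]$MaxEvents = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-FileSync-Agent/Telemetry'; Id = 6664 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

if (-not (Test-Tls12ClientEnabled)) {
    Write-Warning 'TLS 1.2 is disabled by policy; the Azure File Sync agent cannot reach Azure until it is re-enabled.'
}

# Before removing an endpoint, recall its tiered files so no stub files are left behind;
# from v13 this also recalls tiered files that were moved outside the endpoint path.
Import-Module (Join-Path $env:ProgramFiles 'Azure\StorageSyncAgent\StorageSync.PowerShell.dll')
Invoke-StorageSyncFileRecall -Path 'D:\data'

Get-OrphanedTieredFileCleanupEvents -MaxEvents 10
```

The TLS check deliberately treats an absent key as "enabled" rather than failing, because the notes only warn about servers where group policy has written explicit protocol settings; a server with no SCHANNEL overrides negotiates TLS 1.2 by default.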
Networking
Re-size Azure virtual networks that are peered (preview)
Virtual networks in Azure have had a long-standing constraint where any address space change is only allowed if the virtual network does not have any peerings. Microsoft is announcing that this limitation has been lifted, and customers can freely resize their virtual networks without incurring any downtime. With this feature, existing peerings on the virtual network do not need to be deleted prior to adding or deleting an address prefix on the virtual network.
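The following Az PowerShell is an added example, not code from the announcement or from Microsoft: it adds an address prefix to a virtual network that has peerings, after first refusing any prefix that would overlap a peer's address space (peering still requires non-overlapping spaces, so the resize would otherwise leave the peering in a disconnected state). The resource group, virtual network name and new prefix are placeholders; Sync-AzVirtualNetworkPeering is assumed here to be the Az.Network cmdlet that refreshes a peering after a resize, so confirm it with Get-Command on your module version before relying on it.

```powershell
# Added example: resize a peered virtual network safely. Requires Az.Network and an
# authenticated session. IPv4 only.
$ErrorActionPreference = 'Stop'

# Convert dotted-quad IPv4 to an integer (kept as int64 so -shr is well defined).
function ConvertTo-IPv4Int ([string]$Address) {
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)
    return [int64][BitConverter]::ToUInt32($bytes, 0)
}

# True when two CIDR blocks share any address: compare the network bits of the shorter prefix.
function Test-CidrOverlap ([string]$CidrA, [string]$CidrB) {
    $ipA, $lenA = $CidrA -split '/'
    $ipB, $lenB = $CidrB -split '/'
    $shift = 32 - [Math]::Min([int]$lenA, [int]$lenB)
    return (((ConvertTo-IPv4Int $ipA) -shr $shift) -eq ((ConvertTo-IPv4Int $ipB) -shr $shift))
}

$rg        = 'rg-network'     # placeholder
$newPrefix = '10.10.0.0/16'   # placeholder
$vnet = Get-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg

# Refuse the change if the new prefix collides with any peered network's address space.
foreach ($peering in $vnet.VirtualNetworkPeerings) {
    foreach ($remote in $peering.RemoteVirtualNetworkAddressSpace.AddressPrefixes) {
        if (Test-CidrOverlap $newPrefix $remote) {
            throw "Prefix $newPrefix overlaps $remote advertised by peering '$($peering.Name)'"
        }
    }
}

# The resize itself: no peering is deleted, the prefix is simply appended and saved.
$vnet.AddressSpace.AddressPrefixes.Add($newPrefix)
$vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet

# Each peering (and its counterpart on the remote side) is synced so the peer learns the new prefix.
foreach ($peering in $vnet.VirtualNetworkPeerings) {
    Sync-AzVirtualNetworkPeering -Name $peering.Name -VirtualNetworkName $vnet.Name -ResourceGroupName $rg
}
```

The overlap test is the general case of what the peering API enforces: it works for any pair of prefix lengths because a /0 shifts both addresses to zero and therefore overlaps everything, while two /32 hosts only overlap when equal.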
Azure VPN Client for macOS
Azure VPN Client for macOS is available with support for native Azure AD, certificate-based, and RADIUS authentication for OpenVPN protocol.
Native Azure AD authentication support is highly desired by organizations as it enables user-based policies, conditional access, and multi-factor authentication (MFA) for P2S VPN. Native Azure AD authentication requires both Azure VPN gateway integration and the Azure VPN Client to obtain and validate Azure AD tokens. With the Azure VPN Client for macOS, you can use user-based policies, Conditional Access, as well as Multi-factor Authentication (MFA) for your Mac devices.
Azure ExpressRoute Global Reach: 2 new locations
There are 2 new locations for ExpressRoute Global Reach:
South Africa (Johannesburg only)
Taiwan
For more information about ExpressRoute Global Reach and available locations, visit ExpressRoute Global Reach webpage.
Corporate business is heavily dependent on IT solutions, and often these are not properly structured to deal with incidents of any kind, even the most remote, that could cause damage, an interruption or loss of data. VMware Site Recovery Manager (SRM) is a disaster recovery solution that minimizes the downtime of workloads in the VMware environment in the event of a disaster. SRM is very popular with customers who use VMware in on-premises datacenters, and the possibility of using the same solution with Azure VMware Solution (AVS) was recently announced. This article describes how SRM for AVS can simplify the management of disaster recovery strategies, ensuring rapid and predictable recovery times.
What is VMware Site Recovery Manager (SRM)?
VMware Site Recovery Manager is an automation solution, which integrates with underlying replication technology, able to offer:
Recovery test without service interruptions
Workflow able to guarantee the orchestration of DR plans in an automated way
Automatic reset of network and security settings (integration with VMware NSX)
The solution makes it possible to protect, restore and move virtual machines between multiple VMware sites in a simple and reliable way, with little or no downtime.
Site Recovery Manager allows you to natively take advantage of VMware vSphere and use the SDDC architecture (Software-Defined Data Center) integrating with other VMware solutions, such as VMware NSX (network virtualization) and VMware vSAN.
Site Recovery Manager requires one of the following underlying replication technologies to orchestrate virtual machine recovery operations:
VMware vSphere Replication: replication focused on VMs and based on the hypervisor. It is the solution natively integrated with Site Recovery Manager and included in most versions of vSphere.
Third-party solutions: Site Recovery Manager uses Storage Replication Adapter (SRA) plug-ins developed by storage partners for integration with third-party systems.
How to purchase SRM
Site Recovery Manager is available in two versions: Standard and Enterprise. Both versions of Site Recovery Manager are licensed "per protected virtual machine".
SRM Standard vs SRM Enterprise
Licenses: SRM Standard allows up to 75 protected VMs per site; SRM Enterprise has no license limit on the number of protected VMs.
Exclusive features (SRM Enterprise only):
– Integration with VMware NSX
– vMotion orchestrated movement between multiple vCenter instances
– Extended storage support
– Policy-based storage management
What is Azure VMware Solution (AVS)?
Azure VMware Solution (AVS) is a service that allows the provisioning and execution of a full VMware Cloud Foundation environment in Azure. VMware Cloud Foundation is VMware's hybrid cloud platform for managing virtual machines and orchestrating containers, where the entire stack is based on a hyperconverged infrastructure (HCI). This architecture model ensures consistent infrastructure and operations across any private and public cloud, including Microsoft Azure.
Figure 1 – Azure VMware Solution overview
The AVS solution allows customers to adopt the full set of VMware features, with the guarantee of the "VMware Cloud Verified" validation. At the same time, the platform is maintained by Microsoft, and automatic, regular updates are guaranteed, which let you take advantage of the latest feature sets while obtaining high security and stability.
Thanks to this solution it is therefore possible to have consistency, performance and interoperability for existing VMware workloads, without sacrificing speed, the scalability and availability of the global Azure infrastructure.
An Azure VMware Solution Private Cloud includes:
vCenter server for managing ESXi and vSAN
Dedicated bare-metal servers provided with ESXi VMware hypervisor
VMware vSAN datastore for vSphere VMs
VMware NSX-T software-defined networking for vSphere VMs
VMware HCX for workload mobility management
Figure 2 - Azure VMware Solution interconnection with the on-premises and Azure environment
The Azure Private Cloud infrastructure contains vSphere clusters on dedicated bare-metal systems, able to scale from 3 to 16 hosts. It also provides the ability to have multiple clusters in a single Azure Private Cloud. The hosts are high-end and equipped with two 18-core 2.3 GHz Intel processors and 576 GB of RAM.
VMware Site Recovery Manager (SRM) with Azure VMware Solution (AVS)
Site Recovery Manager (SRM) for Azure VMware Solution (AVS) is able to automate and orchestrate failover and failback processes in the following Disaster Recovery scenarios:
On-premises VMware to Azure VMware Solution private cloud disaster recovery
Primary Azure VMware Solution to a secondary disaster recovery Azure VMware Solution private cloud
Furthermore, thanks to the ability to perform failover tests without generating disruption to the production environment, it is possible to periodically guarantee the achievement of the recovery time objectives required for the disaster recovery plans.
Figure 3 - Diagram of a DR scenario between two Azure VMware Solution environments
Also in this scenario, SRM is licensed and supported directly by VMware. Customers cannot reuse their on-premises SRM licenses in AVS environments; new SRM licenses must be obtained for AVS.
Azure VMware Solution also provides a mechanism to simplify the installation and life-cycle management of SRM. From the navigation menu of the AVS private cloud it is possible to install VMware SRM with vSphere Replication as an add-on service: simply select "VMware Site Recovery Manager (SRM) - vSphere Replication" from the Disaster Recovery Solution menu and follow the relevant instructions.
Figure 4 - Enabling of “VMware Site Recovery Manager (SRM) – vSphere Replication” from Disaster Recovery Solution menu of AVS
Use cases
This integration between Azure VMware Solution and Site Recovery Manager can be activated to implement the following types of recovery scenarios:
Planned migration. This is an orderly migration of virtual machines from the protected site to the recovery site where no data loss is expected during the guided migration of workloads.
Disaster Recovery. SRM activates the DR plan when the primary site unexpectedly goes offline. Site Recovery Manager orchestrates the recovery process with replication mechanisms, to minimize data loss and environment downtime.
Bidirectional protection. Bi-directional protection uses a single set of paired SRM sites to protect virtual machines in both directions. Each site can be a protected site and a recovery site at the same time, but for a different set of virtual machines.
Conclusions
Thanks to the introduction of this feature in AVS, starting from the automation functionality of VMware Site Recovery Manager recovery plans and the hypervisor-based replication capabilities of vSphere Replication, you can take advantage of an end-to-end Disaster Recovery solution, able to accelerate the enabling of the protection, as well as simplifying the operations necessary to implement DR plans. In this way, you can make the most of the agility and convenience of this solution in an Azure environment.
Shared disks on Azure Disk Storage are now generally available on all Premium SSD and Standard SSD sizes
Shared disks can now be used on smaller Premium SSDs from 4 GiB to 128 GiB and on all Standard SSDs from 4 GiB to 32 TiB. This expands shared disk support to Ultra Disk, Premium SSD and Standard SSD, letting you optimize for different price and performance options based on your workload needs.
Immutable storage with versioning for Blob Storage (preview)
Immutable storage with versioning for Blob Storage is now available in preview. Immutable storage provides the capability to store data in a write once, read many (WORM) state. Once data is written, the data becomes non-erasable and non-modifiable, and you can set a retention period so that files can’t be deleted until after that period has elapsed. Additionally, legal holds can be placed on data to make that data non-erasable and non-modifiable until the hold is removed. Immutable storage with versioning adds the capability to set an immutable policy on the container or object level. It also allows for the immutable protection of all past and current versions of any blob.
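The Az PowerShell below is an added example, not code from the announcement or from Microsoft: it applies a container-level time-based retention policy, a blob-level policy and a legal hold, then proves the protection by attempting a delete. The resource group, storage account, container and blob names are placeholders. The container-level cmdlets (Set/Get/Lock-AzRmStorageContainerImmutabilityPolicy) are long-standing; the -EnableImmutableStorageWithVersioning switch and the blob-level cmdlets (Set-AzStorageBlobImmutabilityPolicy, Set-AzStorageBlobLegalHold) are assumed here to be the ones shipped with the versioning preview, so check your Az.Storage version.

```powershell
# Added example: WORM protection for a Blob container and a single blob version.
# Requires Az.Storage and an authenticated session. All names are placeholders.
$ErrorActionPreference = 'Stop'
$rg = 'rg-storage'; $sa = 'stworm01'; $container = 'audit-logs'; $blob = '2021/07/incident.log'
$ctx = (Get-AzStorageAccount -ResourceGroupName $rg -Name $sa).Context

# Versioning must be on for version-level immutability to protect past versions as well.
Update-AzStorageBlobServiceProperty -ResourceGroupName $rg -StorageAccountName $sa -IsVersioningEnabled $true
New-AzRmStorageContainer -ResourceGroupName $rg -StorageAccountName $sa -Name $container -EnableImmutableStorageWithVersioning

# Container-scope time-based retention. It starts unlocked so the period can be tested;
# locking is irreversible and afterwards the period can only be extended, never shortened.
Set-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg -StorageAccountName $sa -ContainerName $container -ImmutabilityPeriod 365
$policy = Get-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg -StorageAccountName $sa -ContainerName $container
Lock-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg -StorageAccountName $sa -ContainerName $container -Etag $policy.Etag -Force

# Object-scope policy plus a legal hold on one blob; the hold is independent of the
# retention clock and must be cleared explicitly before the blob can ever be deleted.
Set-AzStorageBlobImmutabilityPolicy -Container $container -Blob $blob -Context $ctx `
    -ExpiresOn (Get-Date).AddDays(30) -PolicyMode 'Unlocked'
Set-AzStorageBlobLegalHold -Container $container -Blob $blob -Context $ctx -EnableLegalHold

# Verify: while a hold or retention is in force the service must reject the delete.
try {
    Remove-AzStorageBlob -Container $container -Blob $blob -Context $ctx -Force -ErrorAction Stop
    Write-Warning 'Delete succeeded: immutability is NOT in force on this blob'
} catch {
    Write-Host "Delete rejected as expected: $($_.Exception.Message)"
}
```

The delete attempt is the part worth keeping in a runbook: a WORM policy that has been configured but not actually applied (wrong container, unlocked policy on an account without versioning) looks identical in the portal until something tries to remove data.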
Networking
Next-generation firewall capabilities with Azure Firewall Premium
Microsoft Azure Firewall Premium is now available with these key features:
TLS inspection: Azure Firewall Premium terminates outbound and east-west transport layer security (TLS) connections. Inbound TLS inspection is supported in conjunction with Azure Application Gateway allowing end-to-end encryption. Azure Firewall performs the required value-added security functions and re-encrypts the traffic which is sent to the original destination.
IDPS: Azure Firewall Premium provides signature-based intrusion detection and prevention system (IDPS) to allow rapid detection of attacks by looking for specific patterns, such as byte sequences in network traffic or known malicious instruction sequences used by malware.
Web categories: Allows administrators to filter outbound user access to the internet based on categories (for example, social networking, search engines, gambling, and so on), reducing the time spent on managing individual fully qualified domain names (FQDNs) and URLs. This capability is also available for Azure Firewall Standard based on FQDNs only.
URL filtering: allows administrators to filter outbound access to specific URLs, not just FQDNs. This capability works for both plain-text and encrypted traffic if TLS inspection is enabled.
Application Gateway: new features for Web Application Firewall (WAF)
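The following Az.Network PowerShell is an added example, not code from the announcement or from Microsoft: it builds one Premium policy that exercises all four features above, so the dependencies between them (URL filtering of HTTPS only works with TLS inspection, which in turn needs a CA certificate the firewall can read) are visible in one place. The resource group, region, Key Vault secret holding the intermediate CA and the user-assigned identity are placeholders, and the rule contents are illustrative rather than a recommended baseline; the TransportSecurity parameters of New-AzFirewallPolicy are assumed to be the ones that wire up TLS inspection, so verify them against your Az.Network version.

```powershell
# Added example: Azure Firewall Premium policy with IDPS, TLS inspection, web categories
# and URL filtering. Requires Az.Network and an authenticated session.
$ErrorActionPreference = 'Stop'
$rg  = 'rg-fw'          # placeholder
$loc = 'westeurope'     # placeholder
$caSecretId = 'https://kv-fw.vault.azure.net/secrets/fw-intermediate-ca'   # placeholder
$identityId = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-fw/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-fw'   # placeholder

# IDPS starts in Alert mode; switch to Deny only after reviewing what the signatures hit.
$idps = New-AzFirewallPolicyIntrusionDetection -Mode 'Alert'

# Premium tier policy with IDPS and the CA used to re-sign inspected TLS sessions.
$policy = New-AzFirewallPolicy -Name 'fwpol-premium' -ResourceGroupName $rg -Location $loc `
    -SkuTier 'Premium' -IntrusionDetection $idps `
    -TransportSecurityName 'tls-inspection' -TransportSecurityKeyVaultSecretId $caSecretId `
    -UserAssignedIdentityId $identityId

# Web categories: deny a whole category for all internal clients without listing FQDNs.
$categoryRule = New-AzFirewallPolicyApplicationRule -Name 'deny-gambling' -SourceAddress '10.0.0.0/8' `
    -Protocol 'http:80', 'https:443' -WebCategory 'Gambling'

# URL filtering: allow one path only. For HTTPS this works because -TerminateTLS lets the
# firewall see the full URL instead of just the SNI / FQDN.
$urlRule = New-AzFirewallPolicyApplicationRule -Name 'allow-docs-path' -SourceAddress '10.0.0.0/8' `
    -Protocol 'https:443' -TargetUrl 'learn.microsoft.com/azure/firewall/*' -TerminateTLS

# Deny collection evaluated before the allow collection (lower priority value wins).
$denyCollection  = New-AzFirewallPolicyFilterRuleCollection -Name 'deny-categories' -Priority 100 -Rule $categoryRule -ActionType 'Deny'
$allowCollection = New-AzFirewallPolicyFilterRuleCollection -Name 'allow-urls' -Priority 200 -Rule $urlRule -ActionType 'Allow'
New-AzFirewallPolicyRuleCollectionGroup -Name 'app-rules' -Priority 300 `
    -RuleCollection $denyCollection, $allowCollection -FirewallPolicyObject $policy

# Read back the effective tier and security settings.
Get-AzFirewallPolicy -Name 'fwpol-premium' -ResourceGroupName $rg |
    Select-Object Name, Sku, IntrusionDetection, TransportSecurity
```

Clients behind the firewall must trust the intermediate CA's issuing root, otherwise every inspected HTTPS session fails certificate validation; that distribution step sits outside the policy but is the usual cause of "TLS inspection broke the internet" tickets.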
Bot protection: Web Application Firewall (WAF) bot protection feature on Application Gateway allows users to enable a managed bot protection rule set for their WAF to block or log requests from known malicious IP addresses. The IP addresses are sourced from the Microsoft Threat Intelligence feed. This rule set can be used alongside the OWASP core rule sets (CRS) to provide additional protection.
Geomatch custom rules: Web Application Firewall (WAF) geomatch custom rule feature on Application Gateway allows users to restrict access to their web applications by country/region. As with all custom rules, this logic can be compounded with other rules to suit the needs of your application.
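The following Az.Network PowerShell is an added example, not code from the announcement or from Microsoft: it creates a WAF policy for Application Gateway that enables the managed bot protection rule set alongside the OWASP core rule set and adds a geomatch custom rule. The resource group, region, policy name, country list and rule names are placeholders; the rule set type and version strings are those used for the bot manager rule set at the time of this announcement.

```powershell
# Added example: Application Gateway WAF policy with bot protection and a geomatch custom rule.
# Requires Az.Network and an authenticated session.
$ErrorActionPreference = 'Stop'
$rg  = 'rg-waf'          # placeholder
$loc = 'westeurope'      # placeholder

# Managed rule sets: OWASP CRS 3.2 plus the Microsoft bot manager rule set, which blocks or
# logs requests from IPs in the Microsoft Threat Intelligence feed.
$crs = New-AzApplicationGatewayFirewallPolicyManagedRuleSet -RuleSetType 'OWASP' -RuleSetVersion '3.2'
$bot = New-AzApplicationGatewayFirewallPolicyManagedRuleSet -RuleSetType 'Microsoft_BotManagerRuleSet' -RuleSetVersion '0.1'
$managed = New-AzApplicationGatewayFirewallPolicyManagedRule -ManagedRuleSet $crs, $bot

# Geomatch custom rule: block any request whose client address is NOT from the listed
# countries (NegationCondition turns the match into "everything else").
$remoteAddr = New-AzApplicationGatewayFirewallMatchVariable -VariableName 'RemoteAddr'
$notAllowedCountry = New-AzApplicationGatewayFirewallCondition -MatchVariable $remoteAddr `
    -Operator 'GeoMatch' -MatchValue 'IT', 'DE' -NegationCondition $true
$geoRule = New-AzApplicationGatewayFirewallCustomRule -Name 'allow-only-it-de' -Priority 10 `
    -RuleType 'MatchRule' -MatchCondition $notAllowedCountry -Action 'Block'

# Prevention enforces the rules; use 'Detection' first to only log and review the hits.
$settings = New-AzApplicationGatewayFirewallPolicySetting -Mode 'Prevention' -State 'Enabled'

$policy = New-AzApplicationGatewayFirewallPolicy -Name 'wafpol-prod' -ResourceGroupName $rg -Location $loc `
    -ManagedRule $managed -CustomRule $geoRule -PolicySetting $settings

# Read back what was created: one custom rule and two managed rule sets.
$policy | Select-Object Name, @{n='CustomRules';e={$_.CustomRules.Name}}, @{n='RuleSets';e={$_.ManagedRules.ManagedRuleSets.RuleSetType}}
```

Custom rules are evaluated before the managed rule sets and in ascending priority order, so the geomatch block above runs before either the bot manager or the CRS signatures see the request.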
Azure ExpressRoute: 3 New Peering Locations Available
Three new peering locations are available for ExpressRoute:
Campinas
Sao Paulo2
Dublin2
With this announcement, ExpressRoute is now available across 79 global commercial Azure peering locations.
New insights in Traffic Analytics
The Azure Network Watcher Traffic Analytics solution is used to monitor network traffic. It now provides WHOIS and geographic data for all public IPs interacting with your deployments, and adds the DNS domain, threat type and threat description for malicious IPs. It also now supports inter-zone traffic and VMSS-level traffic insights.
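The malicious-IP enrichment above lands in the Log Analytics workspace Traffic Analytics writes to, so it can be queried from a script. The PowerShell below is an added example, not code from the announcement or from Microsoft: it runs a KQL query over the AzureNetworkAnalytics_CL table and surfaces the malicious flows that were allowed rather than denied, which are the ones that merit an NSG or firewall rule change. The workspace ID is a placeholder, and the column names used (SubType_s, FlowType_s, FlowDirection_s, FlowStatus_s, SrcPublicIPs_s, DestPublicIPs_s, VM_s) are those of the Traffic Analytics flow-log schema as I know it; verify them in your workspace before alerting on this query.

```powershell
# Added example: summarize allowed malicious flows from Traffic Analytics.
# Requires Az.OperationalInsights and an authenticated session.
$ErrorActionPreference = 'Stop'
$workspaceId = '00000000-0000-0000-0000-000000000000'   # placeholder

# FlowType "MaliciousFlow" is the row Traffic Analytics tags from its threat-intel feed;
# FlowStatus "A" means the NSG allowed the flow, "D" that it was denied.
$kql = @'
AzureNetworkAnalytics_CL
| where TimeGenerated > ago(24h)
| where SubType_s == "FlowLog" and FlowType_s == "MaliciousFlow"
| extend MaliciousIP = iff(FlowDirection_s == "I", SrcPublicIPs_s, DestPublicIPs_s)
| summarize Flows = count(), Allowed = countif(FlowStatus_s == "A") by MaliciousIP, VM_s
| order by Flows desc
'@

function Get-MaliciousFlowSummary {
    param([string]$WorkspaceId, [string]$Query)
    $result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $Query
    return $result.Results   # objects with MaliciousIP, VM_s, Flows, Allowed
}

# Denied flows are noise the NSG already handled; allowed ones are the actionable set.
Get-MaliciousFlowSummary -WorkspaceId $workspaceId -Query $kql |
    Where-Object { [int]$_.Allowed -gt 0 } |
    Format-Table MaliciousIP, VM_s, Flows, Allowed
```

Splitting the count into total and allowed is the key design choice: a public IP that hits a VM a thousand times but is denied every time is an NSG working as intended, whereas a single allowed flow to or from a tagged address is a gap.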