Category Archives: Datacenter Management

Cloud Security Posture Management (CSPM) in Defender for Cloud: protect your assets with an advanced security solution

In the context of today's digital landscape, the adoption of cloud computing has opened up new opportunities for organizations, but at the same time new challenges have emerged in terms of security of cloud resources. The adoption of a Cloud Security Posture Management solution (CSPM) is critical to ensuring that cloud resources are configured securely and that security standards are properly implemented. Microsoft Azure offers Defender for Cloud, a complete solution that combines the power of a CSPM platform with advanced security features to help organizations protect their cloud resources effectively. This article dives into the CSPM features offered by Defender for Cloud.

The pillars of security covered by Microsoft Defender for Cloud

The features of Microsoft Defender for Cloud are able to contemplate three major pillars of security for modern architectures that adopt cloud components:

  • DevOps Security Management (DevSecOps): Defender for Cloud helps you incorporate security best practices early in the software development process. In fact,, helps secure code management environments (GitHub and Azure DevOps), the development pipelines and allows to obtain information on the security posture of the development environment. Defender for Cloud currently includes Defender for DevOps.
  • Cloud Security Posture Management (CSPM): it is a set of practices, processes and tools aimed at identifying, monitor and mitigate security risks in cloud resources. CSPM offers broad visibility into the security posture of assets, enabling organizations to identify and correct non-compliant configurations, vulnerabilities and potential threats. This proactive approach reduces the risk of security breaches and helps maintain a secure cloud environment.
  • Cloud Workload Protection Platform (CWPP): Proactive security principles require implementing security practices that protect workloads from threats. Defender for Cloud includes a wide range of advanced and intelligent protections for workloads, provided through specific Microsoft Defender plans for the different types of resources present in the Azure subscriptions and in hybrid and multi-cloud environments.

Figure 1 – The security pillars covered by Microsoft Defender for Cloud

CSPM in Defender for Cloud

Defender for Cloud is the advanced security solution from Microsoft Azure that contemplates the CSPM scope to offer a wide range of security features and controls for cloud resources. With Defender for Cloud, organizations can get complete visibility into their assets, identify and resolve vulnerabilities and constantly monitor the security posture of resources. Some of the key features offered by Defender for Cloud include:

  • Configuration analysis: Defender for Cloud examines cloud resource configurations for non-compliant settings and provides recommendations to fix them. This ensures that resources are configured securely and that security standards are met.
  • Identification of vulnerabilities: the solution continuously scans cloud resources for known vulnerabilities. Recommendations and priorities are provided to address these vulnerabilities and reduce the risk of exploitation by potential threats.
  • Continuous monitoring: Defender for Cloud constantly monitors the security posture of cloud resources and provides real-time alerts in the event of insecure configurations or suspicious activity. This enables organizations to respond promptly to threats and maintain a secure cloud environment.
  • Automation and orchestration: Defender for Cloud automates much of the process of managing the security posture of cloud environments, allowing organizations to save valuable time and resources.

Defender for Cloud offers core CSPM capabilities for free. These features are automatically enabled on any subscription or account that has onboarded Defender for Cloud. If deemed necessary, it is possible to expand the set of features by activating the plan Defender CSPM.

Figure 2 – Comparison between CSPM plans

For a complete comparison you can refer to Microsoft's official documentation.

The optional Defender CSPM plan offers advanced security posture management capabilities, among the main ones we find:

  • Security Governance: security teams are responsible for improving the security posture of their organizations, but they may not have the resources or authority to actually implement the security recommendations. Assigning managers with expiration dates and defining governance rules create accountability and transparency, so you can lead the process of improving your organization's security.
  • Regulatory compliance: with this feature, Microsoft Defender for Cloud simplifies the process of meeting regulatory compliance requirements, providing a specific dashboard. Defender for Cloud continuously assesses the environment to analyze risk factors based on the controls and best practices of the standards applied to the subscriptions. The dashboard reflects your compliance status with these standards. The Microsoft cloud security benchmark (MCSB) instead it is automatically assigned to subscriptions and accounts when you sign in to Defender for Cloud (foundational CSPM). This benchmark builds on the cloud security principles defined by the Azure Security Benchmark and applies them with detailed technical implementation guidance for Azure, for other cloud providers (such as AWS and GCP) and for other Microsoft clouds.
  • Cloud Security Explorer: allows you to proactively identify security risks in your cloud environment by graphically querying the Cloud Security Graph, which is the context definition engine of Defender for Cloud. Requests from the security team can be prioritized, taking into account the context and the specific rules of the organization. With the Cloud Security Explorer it is possible to interrogate the security problems and the context of the environment, such as resource inventory, Internet exposure, the permissions and the “lateral movement” across resources and across multiple clouds (Azure and AWS).
  • Attack path analysis: analyzing attack paths helps address security issues, related to the specific environment, which represent immediate threats with the greatest potential for exploitation. Defender for Cloud analyzes which security issues are part of potential attack paths that attackers could use to breach the specific environment. Furthermore, highlights security recommendations that need to be addressed to mitigate them.
  • Agentless scanning for machines: Microsoft Defender for Cloud maximizes coverage of OS posture issues and goes beyond the coverage provided by specific agent-based assessments. Get instant visibility with agentless scanning for virtual machines, wide and unobstructed regarding potential posture problems. All without having to install agents, meet network connectivity requirements or impact machine performance. Agentless scanning for virtual machines provides vulnerability assessment and software inventory, both through Microsoft Defender Vulnerability Management, in Azure and Amazon AWS environments. Agentless scanning is available in both Defender Cloud Security Posture Management (CSPM) both in Defender for Servers P2.

Conclusions

In the increasingly complex context of IT asset security, especially in the presence of hybrid and multi-cloud environments, the Cloud Security Posture Management (CSPM) has become an essential component of an organizations security strategy. Defender for Cloud in Microsoft Azure offers an advanced CSPM solution, which combines configuration analysis, identification of vulnerabilities, continuous monitoring and automation to ensure that IT assets are adequately protected. Investing in a CSPM solution like Defender for Cloud enables organizations to mitigate security risks and protect IT assets.

Azure IaaS and Azure Stack: announcements and updates (May 2023 – Weeks: 17 and 18)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Microsoft Azure available from new cloud region in Poland

The newest cloud region in Poland is available with Azure Availability Zones and provides customers with the highest standards of security, privacy, and regulatory-compliant data storage in the country.

Ebsv5 and Ebdsv5 NVMe-enabled VM sizes

The Ebsv5 and Ebdsv5 VM series are the first Azure VM series to support NVMe storage protocol. NVMe support enables these series to achieve the highest Disk Storage IOPS and throughput of any Azure VMs to date. NVMe is a high-performance storage interface that is faster and more efficient compared to other traditional storage protocols like SCSI, which is the only other protocol that most Azure VMs use currently. With NVMe interface supported, customers can now use these VMs to achieve even higher VM-to-disk throughput and IOPS performance per core, with up to 8,000 MBps and 260,000 IOPS. This enables customers that process extremely data-intensive workloads to process more data on fewer core compute resources, potentially saving them money on infrastructure and commercial software licensing costs.

DCesv5 and ECesv5-series Confidential VMs with Intel TDX (preview)

There is an expansion of Confidential VM family with the launch of the DCesv5-series and ECesv5-series in preview. Featuring 4th Gen Intel® Xeon® Scalable processors, these VMs are backed by an all-new hardware-based Trusted Execution Environment called Intel® Trust Domain Extensions (TDX). Organizations can use these VMs to seamlessly bring confidential workloads to the cloud without any code changes to their applications.

Networking

Cloud Next-Generation Firewall (NGFW) Palo Alto Networks – an Azure Native ISV Service

Cloud NGFW Palo Alto Networks is the first ISV next-generation firewall service natively integrated in Azure. Developed through a collaboration between Microsoft and Palo Alto Networks, this service delivers the cutting-edge security features of Palo Alto Networks NGFW technology while also offering the simplicity and convenience of cloud-native scaling and management. NGFWs provide superior network security by offering enhanced capabilities compared to traditional firewalls. These include deep packet inspection, advanced visibility and control features, and the use of AI to improve threat detection and response.

Palo Alto Networks SaaS Cloud NGFW Integration with Virtual WAN (preview)

Palo Alto Networks Cloud NGFW is the first security software-as-a-service (SaaS) solution to be integrated in Azure Virtual WAN, allowing you to enjoy the simplicity of a SaaS security offering without the hassles of managing provisioning, scaling, resiliency, software updates, or routing.

Cloud NGFW SaaS integration with Virtual WAN provides you with the following benefits:

  • protect workloads with a highly available NGFW powered by machine learning to
  • detect and stop known, unknown and zero-day threats;
  • fully managed infrastructure and software lifecycle under SaaS model;
    consumption-based pay-as-you-go billing;
  • dedicated and streamlined support channel between Azure and Palo Alto Networks to provide a delightful customer support experience;
  • simple one-click routing to inspect on-premises, Azure VNets and Internet traffic;
  • deep and cohesive integration with Azure that provides a cloud-native experience.

Application Gateway V1 will be retired on 28 April 2026

Because Application Gateway V1 retires on 28 April 2026, please transition to Application Gateway V2 by that date.

Alongside the Application Gateway V1 features you already use, Application Gateway V2 provides:

  • additional features – Autoscaling, zone redundancy, URL rewrite, mutual authentication mTLS , Azure Kubernetes Service Ingress Controller, Keyvault integration;
  • increased performance – 5x Better TLS offload performance compared to V1;
  • enhanced security – Faster update of security rules, WAF custom rules and policy associations, bot protection-

From now through 28 April 2026, you can continue using Application Gateway V1 but begin transitioning to Application Gateway V2.

New customers (customers who doesn’t not have Application Gateway V1 SKU in their subscriptions in the month of June 2023) won’t be able to create V1 gateways from 1st July 2023.

Existing customers with subscriptions containing V1 gateways, will no longer be able to create V1 gateways after 28th August 2024. However, they can manage V1 gateways until the retirement date of 28 April 2026. After 28 April 2026, Application Gateway V1 will not be supported.

Storage

Cross-region service endpoints for Azure Storage

Cross-region service endpoints is now generally available for Azure Blob and Data Lake Storage in all Azure regions. Virtual Network (VNet) service endpoints provide secure and direct connectivity to Azure services over an optimized route over the Azure backbone network. Service endpoints in Azure Storage already allow the ability to connect to a storage account to VNets in the same or paired region. With this release, cross-region service endpoints can be configured to allow access to an Azure Blob or Data Lake storage account from VNets in any region. This is valuable for customer scenarios such as global storage resource and access management.

Azure Blob Storage adds a new online access: Cold Storage (preview)

Azure Blob Storage is optimized for storing massive amounts of unstructured data. With blob access tiers, you can store your blob data in the most cost-effective manner based on how frequently it will be accessed and how long it will be retained. Now Azure Blob Storage adds a new online access tier, cold, in addition to hot, cool and archive.

Cold tier pricing is positioned between cool and archive, with 90-day early deletion policy. See the prices in Azure Blob Storage pricing. You can seamlessly use the cold tier the way you use hot and cool, through REST API, SDK, tools, and lifecycle management policy. Cold public preview is now available in Canada Central, Canada East, France Central and Korea Central.

Azure Management services: what's new in April 2023

Microsoft is constantly announcing news regarding Azure management services. This summary, published monthly, allows you to have an overall overview of the main news of the current month, in order to stay up to date on these news and have the necessary references to conduct further study.

The following diagram shows the different areas related to management, which are covered in this series of articles:

Figure 1 – Management services in Azure overview

Monitor

Azure Monitor

Azure Monitor for Prometheus has updated the AKS add-on to support Windows nodes

Azure Monitor for Prometheus managed service has updated the AKS metrics add-on to support collection of Prometheus metrics from Windows nodes in AKS clusters. Azure Monitor Metrics add-on integration allows Windows pod DaemonSets to start running on node pools. Are supported both Windows Server 2019 also Windows Server 2022.

Azure Monitor Metrics Dataplane API released

The Azure Metrics Dataplane API is a new approach to Azure Monitor that improves the collection of resource information enabling greater query capacity and efficiency. With this API it is possible to retrieve data on metrics, for a maximum of 50 ID of resources in the same subscription and region, in one batch API call. This improves query throughput, reduces the risk of throttling and provides a smoother experience for customers who want to gather information about Azure resources.

Configure

Update management center

Hotpatch availability for Windows Server VMs in Azure with Desktop Experience
Hotpatch is now available for preview images of Windows Server Azure Edition virtual machines with the Desktop Experience installation mode.

Hotpatch is a feature that allows you to patch and install updates to Windows Server Azure Edition virtual machines in an Azure environment, without requiring a restart. It was previously available for Server Core installation mode, but now also Windows Server Azure Edition virtual machines installed with Desktop Experience installation mode can take advantage of this security update installation mode, by providing:

  • less impact on workloads by having to do fewer reboots;
  • faster deployment of updates, as the packages are smaller, they install faster and patch orchestration is easier with Azure Update Manager;
  • better protection, because hotpatch update packages are dedicated to Windows security updates that install faster without reboots.

Govern

Azure Cost Management

Azure Advisor: advice for the right sizing of VM/VMSS with a custom reference time

Customers using Azure Advisor can improve the relevance of recommendations to make them more actionable, resulting in additional cost savings. In fact,, right sizing recommendations help optimize costs, identifying idle or underutilized virtual machines based on their CPU activity, storage and network over the default seven-day reporting period. Now, thanks to the latest update, customers can set the reporting period to get recommendations based on 14, 21, 30, 60 or even 90 days of use. The configuration can be applied at the subscription level. This feature is especially useful when workloads peak biweekly or monthly.

Updates related toMicrosoft Cost Management

Microsoft is constantly looking for new methodologies to improve Microsoft Cost Management, the solution to provide greater visibility into where costs are accumulating in the cloud, identify and prevent incorrect spending patterns and optimize costs . Inthis article some of the latest improvements and updates regarding this solution are reported.

Secure

Microsoft Defender for Cloud

Integration between Azure API Management and Microsoft Defender for API (preview)

It is now possible to obtain a higher level of API security thanks to the integration between Azure API Management and Microsoft Defender for APIs. This integration enables a comprehensive defense strategy for:

  • gain visibility into Azure APIs;
  • understand their security posture;
  • prioritize vulnerability fixes;
  • detect and respond to active threats in runtime, using anomalous and suspicious API usage detections based on machine learning.

New features, bug fixes and deprecated features of Microsoft Defender for Cloud

Microsoft Defender for Cloud development is constantly evolving and improvements are being made on an ongoing basis. To stay up to date on the latest developments, Microsoft updates this page, this provides information about new features, bug fixes and deprecated features.

Protect

Azure Backup

Support for Azure VMs using Premium SSD v2 (preview)

In Azure Backup it is now possible to enable the protection of Azure virtual machines that use Premium SSD v2. Enabling these backups is currently available in select regions, and Microsoft plans to add support in more regions in the coming weeks..

Azure Site Recovery

Large disk support for disaster recovery of Hyper-V virtual machines

In Azure Site Recovery it is now possible to enable disaster recovery of Hyper-V virtual machines with data disks up to 32 TB. This applies to Hyper-V VMs replicating to managed disks in any Azure region.

Migrate

Azure Migrate

New Azure Migrate releases and features

Azure Migrate is the service in Azure that includes a large portfolio of tools that you can use, through a guided experience, to address effectively the most common migration scenarios. To stay up-to-date on the latest developments in the solution, please consult this page, that provides information about new releases and features. In particular, this month the main news concern:

  • possibility to create a business case by importing the list of servers through a .csv file;
  • building a business case using Azure Migrate for:
    • servers and workloads running in Microsoft Hyper-V and physical/bare-metal environments, as well as IaaS services from other public clouds;
    • SQL Server Always On Failover Cluster instances and Always On availability groups.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure IaaS and Azure Stack: announcements and updates (April 2023 – Weeks: 15 and 16)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Hotpatch for Windows Server VMs on Azure with desktop experience

Hotpatch is now available for Windows Server Azure edition VMs running the desktop experience. Hotpatch is a feature that allows you to patch and install updates to Windows Server Azure Edition virtual machines on Azure without requiring a reboot. It was previously available for the server core installation mode, but now, Windows Server Azure edition VMs installed with the desktop experience mode (the Windows Explorer shell, Start Menu, etc.) will no longer reboot every month for security updates, providing:

  • lower workload impact with less reboots;
  • faster deployment of updates as the packages are smaller, install faster, and have easier patch orchestration with Azure Update Manager;
  • better protection, as the hotpatch update packages are scoped to Windows security updates that install faster without rebooting.

Trusted launch on existing Azure Gen2 VMs (preview)

Trusted launch provides a seamless way to improve the security of Azure Generation 2 VMs. It protects against advanced and persistent attack techniques by combining technologies which can be independently enabled like secure boot and virtualized version of trusted platform module (vTPM). The preview is available to support to enable Trusted launch on existing Gen2 VMs by upgrading the security type of the Gen2 VM to Trusted launch. This will help improve the foundational security of existing Gen2 VMs.

Networking

Azure CNI overlay in generally available

Azure CNI overlay addresses performance, scalability and IP exhaustion challenges while using traditional Azure Container Networking Interface (CNI). With Azure CNI overlay AKS clusters can be scaled to very large sizes by assigning pod IP addresses from user defined overlay address space which are logically different from VNet IP address space hosting the cluster nodes. Additionally, user defined private CIDR can be reused in different AKS clusters, truly extending the IP space available for containerized applications in AKS. Pod and node traffic within the cluster use an overlay network via Azure Software Defined Network (SDN) without any additional encapsulation. Network Address Translation (using the node’s IP address) is used to reach resources outside the cluster.

Storage

Azure Storage Mover is now Generally Available

Azure Storage Mover is a new, fully managed migration service that enables you to migrate your files and folders to Azure Storage while minimizing downtime for your workload. You can use Storage Mover for different migration scenarios such as lift-and-shift, and for cloud migrations that you have to repeat occasionally. Azure Storage Mover also helps maintain oversight and manage the migration of all your globally distributed file shares from a single storage mover resource.

Support for Linux clients to use identity-based access to Azure file shares over SMB

Azure Files now supports Linux clients to use identity-based authentication over Server Message Block (SMB). Previously only Windows clients were supported by Azure Files.

In order to leverage identity based authentication and authorization, the clients need to be domain joined to one of the following Domain Services:

  • On-premises Active Directory Domain Services (AD DS)
  • Azure Active Directory Domain Services (Azure AD DS)

Azure Active Directory (Azure AD) Kerberos for hybrid identities is NOT supported yet for Linux clients. This capability will enable customers who are moving a mix of Windows and Linux environments to cloud to have a consistent identity system across both Windows and Linux workstations.

Azure Elastic SAN Public Preview is now available in more regions

Azure Elastic SAN, which is currently in preview, is available with locally redundant storage (LRS) in several regions, including Australia East, Southeast Asia, France Central (including ZRS), North Europe (including ZRS), Sweden Central, UK South, West Europe (including ZRS), East US, East US 2, South Central US, West US 2 (including ZRS), and West US 3. By combining SAN-like capabilities with the advantages of being a cloud-native service, Azure Elastic SAN provides a storage solution that is highly scalable, cost-effective, high-performing, and resilient. It caters to various storage needs, whether you’re migrating your on-premises SAN to the cloud or creating your application directly in the cloud.

How the End of Support of Windows Server 2012 can be a great opportunity for CTOs

The end of support for operating systems Windows Server 2012 and 2012 R2 is fast approaching and, for Chief Technology Officer (CTO) of companies, this aspect must be carefully evaluated as it has significant impacts on the IT infrastructure. At the same time, end of support can be an important opportunity to modernize the IT environment in order to ensure greater security, new features and improved business continuity. This article outlines the strategies you can adopt to deal with this situation, thus avoiding exposing your IT infrastructure to security issues caused by this situation.

When does Windows Server 2012/2012R2 support end and what does it mean?

The 10 October 2023 marks the end of extended support for Windows Server 2012 and Windows Server 2012 R2. Without the support of Microsoft, Windows Server 2012 and Windows Server 2012 R2 will no longer receive security patches, unless you take certain actions below. This means that any vulnerabilities discovered in the operating system will no longer be fixed and this could make systems vulnerable to cyber attacks. Furthermore, this condition would result in a state of non-compliance with specific regulations, such as the General Data Protection Regulation (GDPR).

Furthermore, users will no longer receive bug fixes and other updates needed to keep the operating system in line with the latest technology, which could lead to compatibility issues with newer software and introduce potential performance issues.

On top of all that, Microsoft will no longer provide online technical support and technical content updates for this operating system.

All these aspects have a significant impact on the IT organizations that still use these operating systems.

Possible strategies and opportunities related to the end of support

This situation is certainly not very pleasant for those who find themselves facing it now, given the limited time, but it can also be seen as an important opportunity for renewal and innovation of its infrastructure. The following paragraphs show the possible strategies that can be implemented.

Upgrading on-premises systems

This strategy involves moving to a new version of Windows Server in an on-premises environment. The advice in this case is to approach at least Windows Server 2019, but it is preferable to adopt the latest version, Windows Server 2022, that can provide the latest security innovations, application performance and modernization.

Furthermore, where technically possible it is preferable not to proceed with in place updates of the operating system, but to manage migration in side-by-side.

This method usually requires the involvement of the application provider, to ensure software compatibility with the new version of the operating system. Since the software is not recent, often it require the adoption of updated versions of the same, which may comprise architecture adjustment and an in-depth phase of testing for the new release . By adopting this upgrade process, the time and effort are considerable, but the result you get is critical to complying with the technological renewal.

Maintaining Windows Server 2012/2012 R2, but with security updates for others 3 years

To continue receiving security updates for Windows Server 2012\2012 R2 hosted on on-premises environment, one option is to join the programExtended Security Update (ESU). This paid program guarantees the provisioning of Security Updates classified as "critical" and "important" for an additional three years, in the specific case until 13 October 2026.

The Extended Security Update program (ESU) is an option for customers who need to run some legacy microsoft products beyond the end of support and who are not in a position to undertake other strategies. The updates included in the ESU program do not include new features and non-security related updates.

Azure adoption

Migrating systems to Azure

Migrating Windows Server Systems 2012 and Windows Server 2012 R2 on-premises in Azure environment will continue to receive security updates for another three years, classified as critical and important, without having to join the ESU program. This scenario is not only useful to ensure compliance with its systems, but it opens the way towards hybrid architectures where you can get the cloud advantages. In this regard, Microsoft offers a great solution that can provide a large set of tools needed to best deal with the most common migration scenarios: Azure Migrate, that structure the migration process in different phase (discovery, assessment, and migration).

Also Azure Arc can be very useful for inventory digital assets in heterogeneous and distributed environments.

Adopting this strategy can be faster than upgrading systems and allows you to have more time to deal with software renewal. In this regard, the cloud allows you to have excellent flexibility and agility in testing applications in parallel environments.

Before starting the migration path to Azure, it is also essential to structure the networking of the hybrid environment appropriately and evaluate the iterations with the other infrastructure components, to see whether the application can also work well in the cloud.

Migration to Azure can take place to IaaS virtual machines or, in the presence of a large number of systems to be migrated in a VMware environment, Azure VMware Solution can be a solution to consider to face a massive migration quickly and minimizing the interruption of the services provided.

Extending Azure in your datacenter with Azure Stack HCI

Azure Stack HCI is the Microsoft solution that allows you to create a hyper-converged infrastructure (HCI) for running workloads in an on-premises environment and that provides a strategic connection to various Azure services. Azure Stack HCI was specifically designed by Microsoft to help customers modernize their hybrid datacenter, offering a complete and familiar Azure experience in an on-premises environment. For more information on the Microsoft Azure Stack HCI solution, I invite you to readthis article or to viewthis video.

Azure Stack HCI allows you to get free, just like in Azure, important security patches for Microsoft's legacy products that are past their end of support, through the Extended Security Update program (ESU). For further information you can consult this Microsoft's document. This strategy allows you to have more time to undertake an application modernization process, without neglecting security aspects.

Application modernization

Under certain circumstances, an application modernization process could be undertaken, maybe focused on the public cloud, with the aim of increasing innovation, agility and operational efficiency. Microsoft Azure offers the flexibility to choose from a wide range of options to host your applications, covering the spectrum of Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), Container-as-a-Service (CaaS) and serverless. In a journey to move away from legacy operating systems, customers can use containers even for applications not specifically designed to use microservices-based architectures. In these cases, it is possible to implement a migration strategy for existing applications that only involves minimal changes to the application code or changes to configurations. These are strictly necessary changes to optimize the application in order to be hosted on PaaS and CaaS solutions. To get some ideas about it, I invite you to read on this article.

Steps to a successful transition

For companies intending to undertake one of the strategies listed, there are some important steps that need to be taken to ensure a successful transition.

Regardless of the strategy you decide to adopt, the advice is to make a detailed assessment, so you can categorize each workload by type, criticality, complexity and risk. This way you can prioritize and proceed with a structured migration plan.

Furthermore, it is necessary to carefully evaluate the most suitable transition strategy considering how to minimize any disruption to company activities. This may include scheduling tests and creating adequate backup sets before migration.

Finally, once the migration is complete, It is important to activate a modern monitor system to ensure that the application workload is stable and working as expected.

Conclusions

Windows Server end of support 2012 and Windows Server 2012 R2 presents a challenge for many companies that still use these operating systems. However, it can also be seen as an opportunity for companies to start an infrastructure or application modernization process. In this way you will have more modern resources, also taking advantage of the opportunities they offer in terms of security, scalability and performance.

Azure IaaS and Azure Stack: announcements and updates (April 2023 – Weeks: 13 and 14)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

New General-Purpose VMs: Dlsv5 and Dldsv5

The Dlsv5 and Dldsv5 VM series are ideal for workloads that require less RAM per vCPU than standard general purpose VM sizes. Target workloads include web servers, gaming, video encoding, AI/ML, batch processing and more. These VM series can potentially improve price-performance and reduce the cost of running workloads that do not require more memory per vCPU. The new VMs feature sizes with and without local temporary storage.

Networking

Azure Firewall enhancements for troubleshooting network performance and traffic visibility (preview)

Microsoft Azure Firewall now offers new logging and metric enhancements designed to increase visibility and provide more insights into traffic processed by the firewall. IT security administrators may use (in preview) a combination of the following to root cause application performance issues:

o    Latency Probe metric
o    Flow Trace Log
o    Top Flows Log

Private Application Gateway v2 (preview)

Application Gateway v2 is introducing a collection of new capabilities to further enable you to control network exposure using Application Gateway v2 skus:

  • private IP only frontend configuration (elimination of Public IP);
  • enhanced control over Network Securtiy Groups:
    • eliminate GatewayManager service tag requirement;
    • enable definition of Deny All Outbound rule;
  • enhanced control over Route Table rules:
    • forced Tunelling Support (learning of 0.0.0.0/0 route via BGP);
    • route Table rule of 0.0.0.0/0 next hop Virtual Appliance.

Storage

Azure File Sync agent v16

The Azure File Sync agent v16 release has finished flighting and is now available on both Microsoft Update and the Microsoft Download Center.

Improvements and issues that are fixed:

  • improved Azure File Sync service availability:
    • Azure File Sync is now a zone-redundant service which means an outage in a zone has limited impact while improving the service resiliency to minimize customer impact. To fully leverage this improvement, configure your storage accounts to use zone-redundant storage (ZRS) or Geo-zone redundant storage (GZRS) replication. To learn more about different redundancy options for your storage accounts, see: Azure Storage redundancy
  • immediately run server change enumeration to detect files changes that were missed on the server:
    • Azure File Sync uses the Windows USN journal feature on Windows Server to immediately detect files that were changed and upload them to the Azure file share. If files changed are missed due to journal wrap or other issues, the files will not sync to the Azure file share until the changes are detected. Azure File Sync has a server change enumeration job that runs every 24 hours on the server endpoint path to detect changes that were missed by the USN journal. If you don’t want to wait until the next server change enumeration job runs, you can now use the Invoke-StorageSyncServerChangeDetection PowerShell cmdlet to immediately run server change enumeration on a server endpoint path;
  • bug fix for the PowerShell script FileSyncErrorsReport.ps1;
  • miscellaneous reliability and telemetry improvements for cloud tiering and sync.

More information about this release:

  • this release is available for Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 and Windows Server 2022 installations;
  • the agent version for this release is 16.0.0.0;
  • installation instructions are documented in KB5013877.

Azure Files NFS: nconnect support

Azure Files NFS v4.1 share now support nconnect option. Nconnect is a client-side Linux mount option that increases performance at scale. With nconnect, the NFS mount uses more TCP connections between the client and the Azure Files service for NFSv4.1. Using Nconnect can improve a client’s throughput/IOPS upto 4X and reduce TCO by upto 70%. There is no additional billing cost associated to using this feature. This feature is available to all existing and new shares.

Azure Premium SSD v2 Disk Storage in new regions

Azure Premium SSD v2 Disk Storage is now available in East US 2, North Europe, and West US 2 regions. This next-generation storage solution offers advanced general-purpose block storage with the best price performance, delivering sub-millisecond disk latencies for demanding IO-intensive workloads at a low cost. It is well-suited for a wide range of enterprise production workloads, including SQL Server, Oracle, MariaDB, SAP, Cassandra, MongoDB, big data analytics, gaming on virtual machines, and stateful containers.

Maximize the performance of Azure Stack HCI: discover the best configurations for networking

Hyperconverged infrastructure (HCI) are increasingly popular as they allow you to simplify the management of the IT environment, reduce costs and scale easily when needed. Azure Stack HCI is the Microsoft solution that allows you to create a hyper-converged infrastructure for the execution of workloads in an on-premises environment and which provides a strategic connection to various Azure services to modernize your IT infrastructure. Properly configuring Azure Stack HCI networking is critical to ensuring security, application reliability and performance. In this article, the fundamentals of configuring Azure Stack HCI networking are explored, learning more about available networking options and best practices for networking design and configuration.

There are different network models that you can take as a reference to design, deploy and configure Azure Stack HCI. The following paragraphs show the main aspects to consider in order to direct the possible implementation choices at the network level.

Number of nodes that make up the Azure Stack HCI cluster

A single Azure Stack HCI cluster can consist of a single node and can scale up to 16 nodes.

If the cluster consists of a single server at the physical level it is recommended to provide the following network components, also shown in the image:

  • single TOR switch (L2 or L3) for north-south traffic;
  • two-four teamed network ports to handle management and computational traffic connected to the switch;

Furthermore, optionally it is possible to provide the following components:

  • two RDMA NIC, useful if you plan to add a second server to the cluster to scale your setup;
  • a BMC card for remote management of the environment.

Figure 1 – Network architecture for an Azure Stack HCI cluster consisting of a single server

If your Azure Stack HCI cluster consists of two or more nodes you need to investigate the following parameters.

Need for Top-Of-Rack switches (TOR) and its level of redundancy

For Azure Stack HCI clusters consisting of two or more nodes, in production environment, the presence of two TOR switches is strongly recommended, so that we can tolerate communication disruptions regarding north-south traffic, in case of failure or maintenance of the single physical switch.

If the Azure Stack HCI cluster is made up of two nodes, you can avoid providing a switch connectivity for storage traffic.

Two-node configuration without TOR switch for storage communication

In an Azure Stack HCI cluster that consists of only two nodes, to reduce switch costs, perhaps going to use switches already in possession, storage RDMA NICs can be connected in full-mesh mode.

In certain scenarios, which include for example branch office, or laboratories, the following network model can be adopted which provides for a single TOR switch. By applying this pattern, you get cluster-wide fault tolerance, and is suitable if interruptions in north-south connectivity can be tolerated when the single physical switch fails or requires maintenance.

Figure 2 – Network architecture for an Azure Stack HCI cluster consisting of two servers, without storage switches and with a single TOR switch

Although the SDN services L3 are fully supported for this scheme, routing services such as BGP will need to be configured on the firewall device that sits on top of the TOR switch, if this does not support L3 services.

If you want to obtain greater fault tolerance for all network components, the following architecture can be provided, which provides two redundant TOR switches:

Figure 3 – Network architecture for an Azure Stack HCI cluster consisting of two servers, without storage switches and redundant TOR switches

The SDN services L3 are fully supported by this scheme. Routing services such as BGP can be configured directly on TOR switches if they support L3 services. Features related to network security do not require additional configuration for the firewall device, since they are implemented at the virtual network adapter level.

At the physical level, it is recommended to provide the following network components for each server:

  • two-four teamed network ports, to handle management and computational traffic, connected to the TOR switches;
  • two RDMA NICs in a full-mesh configuration for east-west traffic for storage. Each cluster node must have a redundant connection to the other cluster node;
  • as optional, a BMC card for remote management of the environment.

In both cases the following connectivities are required:

Networks Management and computational Storage BMC
Network speed At least 1 GBps,

10 GBps recommended

 At least 10 GBps Tbd
Type of interface RJ45, SFP+ or SFP28 SFP+ or SFP28 RJ45
Ports and aggregation Twofour ports in teaming Two standalone ports One port

Two or more node configuration using TOR switches also for storage communication

When you expect an Azure Stack HCI cluster composed of more than two nodes or if you don't want to preclude the possibility of being able to easily add more nodes to the cluster, it is also necessary to merge the traffic concerning the storage from the TOR switches. In these scenarios, a configuration can be envisaged where dedicated network cards are maintained for storage traffic (non-converged), as shown in the following picture:

Figure 4 – Network architecture for an Azure Stack HCI cluster consisting of two or more servers, redundant TOR switches also used for storage traffic and non-converged configuration

At the physical level, it is recommended to provide the following network components for each server:

  • two teamed NICs to handle management and computational traffic. Each NIC is connected to a different TOR switch;
  • two RDMA NICs in standalone configuration. Each NIC is connected to a different TOR switch. SMB multi-channel functionality ensures path aggregation and fault tolerance;
  • as optional, a BMC card for remote management of the environment.

These are the connections provided:

Networks Management and computational Storage BMC
Network speed At least 1 GBps,

10 GBps recommended

 At least 10 GBps Tbd
Type of interface RJ45, SFP+ or SFP28 SFP+ or SFP28 RJ45
Ports and aggregation Two ports in teaming Two standalone ports One port

Another possibility to consider is a "fully-converged" configuration of the network cards, as shown in the following image:

Figure 5 – Network architecture for an Azure Stack HCI cluster consisting of two or more servers, redundant TOR switches also used for storage traffic and fully-converged configuration

The latter solution is preferable when:

  • bandwidth requirements for north-south traffic do not require dedicated cards;
  • the physical ports of the switches are a small number;
  • you want to keep the costs of the solution low.

At the physical level, it is recommended to provide the following network components for each server:

  • two teamed RDMA NICs for traffic management, computational and storage. Each NIC is connected to a different TOR switch. SMB multi-channel functionality ensures path aggregation and fault tolerance;
  • as optional, a BMC card for remote management of the environment.

These are the connections provided:

Networks Management, computational and storage BMC
Network speed At least 10 GBps Tbd
Type of interface SFP+ or SFP28 RJ45
Ports and aggregation Two ports in teaming One port

SDN L3 services are fully supported by both of the above models. Routing services such as BGP can be configured directly on TOR switches if they support L3 services. Features related to network security do not require additional configuration for the firewall device, since they are implemented at the virtual network adapter level.

Type of traffic that must pass through the TOR switches

To choose the most suitable TOR switches it is necessary to evaluate the network traffic that will flow from these network devices, which can be divided into:

  • management traffic;
  • computational traffic (generated by the workloads hosted by the cluster), which can be divided into two categories:
    • standard traffic;
    • SDN traffic;
  • storage traffic.

Microsoft has recently changed its approach to this. In fact,, TOR switches are no longer required to meet every network requirement regarding various features, regardless of the type of traffic for which the switch is used. This allows you to have physical switches supported according to the type of traffic they carry and allows you to choose from a greater number of network devices at a lower cost, but always of quality.

In this document lists the required industry standards for specific network switch roles used in Azure Stack HCI implementations. These standards help ensure reliable communication between nodes in Azure Stack HCI clusters. In this section instead, the switch models supported by the various vendors are shown, based on the type of traffic expected.

Conclusions

Properly configuring Azure Stack HCI networking is critical to ensuring that hyper-converged infrastructure runs smoothly, ensuring security, optimum performance and reliability. This article covered the basics of configuring Azure Stack HCI networking, analyzing the available network options. The advice is to always carefully plan the networking aspects of Azure Stack HCI, choosing the most appropriate network option for your business needs and following implementation best practices.

Azure Management services: what's new in March 2023

In March there were several news announced by Microsoft regarding Azure management services. In this series of articles, published on a monthly basis, major announcements are listed, accompanied by the necessary references to be able to conduct further studies on.

The following diagram shows the different areas related to management, which are covered in this series of articles:

Figure 1 – Management services in Azure overview

Monitor

Azure Monitor

Ingestion client libraries

Microsoft announces the initial release of the Azure Monitor Ingestion client libraries for .NET, Java, JavaScript e Python. Libraries allow you to:

  • Upload custom logs to a Log Analytics workspace.
  • Modernize security standards by requiring Azure Active Directory token-based authentication.
  • Complete Azure Monitor Query libraries, used to query logs in a Log Analytics workspace.

Collecting Syslog from AKS nodes using Azure Monitor Container Insights (preview)

Customers can now use Azure Monitor Container Insights to collect Syslog from their Azure Kubernetes Service cluster nodes (AKS). In combination with SIEM systems (Microsoft Sentinel) and monitor tools (Azure Monitor), syslog collection tracks security and health events of IaaS and containerized workloads.

The Azure Monitor for Prometheus managed service now supports querying PromQL

Thanks to Azure Workbooks support for Azure Monitor Prometheus managed service, users are provided with the ability to use Prometheus workbooks to run PromQL queries in the portal. Furthermore, users have the benefit of creating custom reports for Prometheus workbooks.

Azure Monitor supports Availability Zones in new regions

Azure Monitor continues to expand its availability zone support by adding three regions: Canada Central, France Central and Japan East.

Azure Monitor alerts support cloning

When viewing the details of an alert rule in the Azure portal, a new option is now available “duplicate”, which allows you to duplicate the alert rule. When selecting this option for an existing alert rule, the rule creation wizard starts, pre-populated with the original alert rule configuration, while allowing you to make changes.

Configure

Azure Automation

Announced the retirement of the agent-based Hybrid Worker (Windows and Linux) for the 31 August 2024

Azure Automation is deprecating the agent-based Hybrid Runbook Worker (Windows and Linux) and this will definitely happen on 31 August 2024. You must migrate to extension-based Hybrid Workers by that date (Windows and Linux).

The main advantages of the extension-based Hybrid Runbook Worker are:

  • uses system-assigned managed identities, so you don't need to manage certificates for authentication;
  • offers automatic updating of minor versions;
  • simplify hybrid worker management at scale with native integration with Azure Resource Manager and governance with Azure Policy.

Migrating authentication from Run As account to Managed Identity in ASR

It is now possible to migrate the authentication type of accounts, moving to managed identities, using Azure Site Recovery from the Azure portal. Authentication of runbooks via Run As accounts will be deprecated on 30 September 2023. Before that date, runbooks need to be migrated to enable the use of Managed Identities.

Govern

Azure Cost Management

Updates related toMicrosoft Cost Management

Microsoft is constantly looking for new methodologies to improve Microsoft Cost Management, the solution to provide greater visibility into where costs are accumulating in the cloud, identify and prevent incorrect spending patterns and optimize costs . Inthis article the latest improvements and updates concerning this solution are reported.

Azure Arc

Improved Azure Arc integration with Datadog

Microsoft is improving the ability to observe and manage IT infrastructure thanks to the integration of Microsoft Azure Arc with Datadog. Based on the consolidated collaboration, Microsoft is integrating Datadog with Azure Arc natively, to meet Datadog customers, providing rich insights from Azure Arc-enabled resources directly into Datadog dashboards. Customers can monitor real-time data during cloud migrations and performance of applications running in both public cloud and hybrid or multicloud environments.

Secure

Microsoft Defender for Cloud

New features, bug fixes and deprecated features of Microsoft Defender for Cloud

Microsoft Defender for Cloud development is constantly evolving and improvements are being made on an ongoing basis. To stay up to date on the latest developments, Microsoft updates this page, this provides information about new features, bug fixes and deprecated features. In particular, this month the main news concern:

  • availability of a new Defender for Storage plan, which includes near real-time scanning for malware and detection of threats to sensitive data;
  • data-aware security posture (preview);
  • new experience for managing Azure default security policies;
  • Defender per CSPM (Cloud Security Posture Management) is now available (GA);
  • ability to create custom security standards and recommendations in Microsoft Defender for Cloud;
  • Microsoft Cloud Security Benchmark (MCSB) version 1.0 is now available (GA);
  • some regulatory compliance standards are now available in government clouds;
  • new preview recommendation for Azure SQL Servers;
  • new notice in Defender for Key Vault.

Protect

Azure Backup

Immutable vaults for Azure Backup

Immutable vaults are now also available for production environments and offer greater security for backups, ensuring that recovery points created once cannot be deleted before they expire. Azure Backup prevents any operation on immutable vaults which could lead to backup data loss. Furthermore, you can lock immutable vault ownership to make it irreversible. This helps protect your backups from threats such as ransomware attacks and malicious actors, preventing operations such as deleting backups or reducing retention in backup policies.

Backup per Azure Kubernetes Service (preview)

Organizations using Azure Kubernetes Services (AKS) increasingly run stateful applications on their clusters, deploying workloads such as Apache Kafka-based messaging queues and databases such as Postgres and MongoDB. With data storage within the cluster, backup and recovery become a major concern of IT managers. Make sure Kubernetes backup capabilities are scalable, flexible and purpose-built for Kubernetes is central to an overall data protection plan. Azure Backup introduced now Backup for AKS. This solution simplifies the backup and recovery of containerized applications and data and allows customers to configure a scheduled backup for both cluster state and application data. Backup for AKS is aligned with the Container Storage Interface (CSI) to offer Kubernetes-aware backup capabilities. The solution allows customers to unlock different scenarios, such as data backup for application security and regulatory requirements, cloning of development/test environments and rollback management.

Azure Backup allows you to keep backups in vaults for Azure Blob and for Azure File (preview)

Azure Backup now supports transferring Azure Blob and Azure File backups to vaults. A vault is a logical entity that stores backups and recovery points created over time. In this regard, you can define a backup schedule for creating recovery points and specify retention settings that determine how long backups will be stored in the vault. Backups in the vault are isolated from the source data and allow you to tap into the data even if the source data has been compromised, performing resets.

Listed below are some of the main features that can be achieved by placing backups in vaults:

  • Offsite copy of data: allows you to restore mission-critical data from backups, regardless of the state of the source data.
  • Long-term retention of backup data, which helps you meet compliance requirements, particularly in the financial and healthcare sectors, with strict guidelines on the data retention period.
  • Recovery in alternate location: allows you to restore data to an alternate account if the source storage account is compromised or create different copies of your data for testing or development purposes.
  • Centralized management through the backup center: backups in vaults can be monitored and analyzed at scale alongside other protected workloads using Azure Backup.
  • Safe backups. The built-in security features of Azure Backup, such as multi-user authorization (MUA) for critical backup operations, data encryption and role-based access control (RBAC), help protect the backups in the vault and meet your backup security needs.

Azure Site Recovery

Improved the ability to rename network interfaces and disks of protected virtual machines

ASR introduces a new, easier way to name and rename network interfaces (NIC) and the virtual machine disks in the recovery service vaults.

Migrate

Azure Migrate

New Azure Migrate releases and features

Azure Migrate is the service in Azure that includes a large portfolio of tools that you can use, through a guided experience, to address effectively the most common migration scenarios. To stay up-to-date on the latest developments in the solution, please consult this page, that provides information about new releases and features. In particular, This month, the biggest news is support for web app discovery and assessment for Azure app service for Hyper-V and physical servers.

Azure Database Migration

Offline Azure SQL Database migrations with the Azure SQL Migration extension

Offline migrations of SQL Server databases running on-premises, on Azure virtual machines or any virtual machine running in the cloud (private, public) to Azure SQL Database it is possible to do it through the Azure SQL Migration extension. The new migration feature of the Azure SQL Migration extension for Azure Data Studio provides an end-to-end experience to modernize SQL Server on Azure SQL Database. The extension allows you to prepare for the migration with actions to remediate any blockages and allows you to obtain recommendations to adequately size the Azure SQL Database targets, including hardware configuration in the Hyperscale service tier.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure IaaS and Azure Stack: announcements and updates (March 2023 – Weeks: 11 and 12)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Azure VMware Solution: Azure Hybrid Benefit for SQL Server

Azure Hybrid Benefit (AHB) for SQL Server is now available in Azure VMware Solution (AVS). With AHB for SQL Server on Azure VMware Solution, you can take advantage of the unlimited virtualization licensing capability included with the SQL Server Software Assurance. To this end, you can configure and enable VM-Host placement policies via the Azure portal and apply Azure Hybrid Benefit.

Networking

Azure Firewall Basic

Azure Firewall Basic is a new SKU for Azure Firewall designed for small and medium-sized businesses. Azure Firewall Basic can be deployed inside a virtual network or a virtual hub. This gives businesses the flexibility to choose the deployment option that best meets their needs.

The main benefits are:

  • Comprehensive, cloud-native network firewall security
    • Network and application traffic filtering
    • Threat intelligence to alert on malicious traffic
    • Built-in high availability
    • Seamless integration with other Azure security services
  • Simple setup and easy-to-use
    • Setup in just a few minutes
    • Automate deployment (deploy as code)
    • Zero maintenance with automatic updates
    • Central management via Azure Firewall Manager
  • Cost-effective
    • Designed to deliver essential, cost-effective protection of your resources within your virtual network

Pricing and billing for Azure Firewall Basic with secured virtual hub will be effective starting May 1, 2023.

Azure Virtual Network Manager

Azure Virtual Network Manager (AVNM) is now generally available. AVNM is a highly scalable and available network management solution that allows you to simplify network management across subscriptions globally. Using its centralized network management capabilities, you can manage your network resources at scale from a single plane of glass.

Key features of Azure Virtual Network Manager include:

  • global management of virtual network resources across regions, subscriptions, and tenants;
  • automated management and deployment of virtual network topology to create hub and spoke*;
  • high-priority security rule enforcement at scale to protect your network resources*;
  • safe deployment of network configurations across desired regions.

*The mesh topology and security admin rule features remain in public preview and will become generally available soon

Azure Traffic Manager: reserved namespaces for subdomains

Azure Traffic Manager has added functionality for reserving domain labels for traffic manager profiles. Any customer requesting a traffic manger profile of the form label1.trafficmanager.net will have “label1” label reserved for the tenant and another user will not be able to create a new traffic manager profile with this name or subdomains below it. For example if a user creates a profile names label1.trafficmanager.net then “label1” and all labels of form “<labelN>….<lable2>.<label1>.trafficmanager.net” will be reserved for the subscription. With these enhancements, once a namespace is created by a customer under trafficmanager.net domain, it will not be available for any other tenant. This enhancement ensures that customers have full control over the labels tree used in their traffic manager profiles and enables customers better manage their namespace without having to worry about a specific name/label being in use by other tenants.

Illumio for Azure Firewall (preview)

Microsoft partnered with Illumio, the leader in Zero Trust Segmentation, to build Illumio for Azure Firewall, an integrated solution that brings the benefits of Zero Trust Segmentation to Azure Firewall.

Illumio for Azure Firewall uses the Azure platform to protect your resources across your Azure virtual networks and at your Azure perimeter. It enables organizations to understand application traffic and dependencies and apply consistent protection across your environment – limiting exposure, containing breaches, and improving efficiency. Illumio for Azure Firewall also helps simplify Zero Trust Segmentation by enhancing visibility, streamlining policy management, and providing scalable security.

Key benefits:

  • Reduce security risks with a single view of your east-west and north-south traffic based on Azure Firewall flow data within your Azure subscriptions.
  • Gain a holistic view of your application traffic with real-time visibility of interactions and dependencies across your environment.
  • Easily deploy and configure Azure application-based polices within the Illumio platform.
  • Deploy Azure Firewall policies confidently with policies that automatically scale along with your applications.
  • Avoid application downtime by understanding the impact of Azure Firewall policies before they are enforced.
  • Works with all 3 SKUs of Azure Firewall – Basic, Standard, and Premium – to meet the needs of any organization.

Accelerated Connections for Network Virtual Appliances now in Azure Marketplace (preview)

Accelerated Connections is a new product that enhances Accelerated Networking enabled vNICs, enabling customer flexibility in selecting the best option of CPS capabilities suited to match their Azure implementation. This offering will enable you to achieve the first bare-metal-like performance levels for connections per second (CPS) in Azure.

Storage

Ephemeral OS disks supports encryption at host using customer managed keys

Ephemeral OS disks can be encrypted at host using platform managed keys or customer managed keys. The default is platform managed keys. This feature would enable our customers to meet your organization’s compliance needs.

Azure Ultra Disk Storage in Brazil Southeast, South Africa North and UAE North

Azure Ultra Disk Storage is now available in one zone in Brazil Southeast, South Africa North and UAE North region. Azure Ultra Disk Storage offers high throughput, high IOPS and consistent low latency disk storage for Azure Virtual Machines (VMs). Ultra Disk Storage is well suited for data-intensive workloads such as SAP HANA, top-tier databases and transaction-heavy workloads.

Encryption scopes on hierarchical namespace enabled storage accounts

Encryption scopes introduce the option to provision multiple encryption keys in a storage account with hierarchical namespace. Using encryption scopes, you now can provision multiple encryption keys and choose to apply the encryption scope either at the container level (as the default scope for blobs in that container) or at the blob level. The capability is available for REST, HDFS, NFSv3 and SFTP protocols in an Azure Blob / Data Lake Gen2 storage account. The key that protects an encryption scope may be either a Microsoft-managed key or a customer-managed key in Azure Key Vault. You can choose to enable automatic rotation of a customer-managed key that protects an encryption scope. When you generate a new version of the key in your Key Vault, Azure Storage will automatically update the version of the key that is protecting the encryption scope, within a day.

Performance Plus for Azure Disk Storage (preview)

Azure Disk Storage now offers a new feature called Performance Plus, which enhances the IOPS and throughput performance of Standard HDD, Standard SSD, and Standard HDD disks that are sized 1TB or larger. Performance Plus is offered for free and is available to use through deployments on Azure Command-Line Interface (CLI) and PowerShell.

The importance of Azure Policy in the context of Cloud Technical Governance

The adoption of cloud computing is becoming more widespread, but managing and controlling cloud resources can be a daunting challenge for organizations. In this context, Microsoft's Azure Policies represent a fundamental tool for cloud governance, able to help companies define, apply and enforce security and compliance policies in a consistent and automated manner. This article will explore the importance of Azure Policies in managing cloud services, illustrating the benefits of using this solution and some more common use cases. Furthermore, some useful tips for defining effective policies and for integrating Azure Policies into the overall cloud governance strategy will be presented.

The common need and possible approaches

The common requirement is to standardize, and in some cases impose, how resources are configured in the cloud environment. All this is done to obtain specific environments that meet compliance regulations, monitor security, resource costs and standardize the design of the different architectures.

Getting this result is not easy, especially in complex environments where you can find different Azure subscriptions on which different groups of operators develop and operate.

These goals can be achieved with a traditional approach, which provides for a block of operators in direct access to cloud resources (through the portal, API or cli):

Figure 1 – Traditional approach

However, this type of traditional approach is not very flexible, because it involves a loss of agility in controlling the deployment of resources.

In this regard, it is instead recommended to use a mechanism that is provided natively by the Azure platform, which allows you to pilot governance processes to achieve the desired control, but without impacting the speed, fundamental element in operations in modern IT with resources in the cloud:

Figure 2 – Modern approach with Azure Policy

What can be achieved thanks to Azure Policies

By activating the Azure Policy it is possible:

  • activate and carry out real-time evaluation of the criteria present in the policies;
  • evaluate policy compliance periodically or upon request;
  • activate operations for real-time remediation, also for existing resources.

All this translates into the ability to apply and enforce policy compliance on a large scale and its remediation actions.

How the Azure Policy mechanism works

The working mechanism of the Azure Policy is simple and integrated into the platform. When a request is made for an Azure resource configuration using ARM, this is intercepted by the layer containing the engine that performs the evaluation of policy. This engine makes an assessment based on active Azure policies and establishes the legitimacy of the request.

Figure 3 – Working principle of Azure Policy in creating resources

The same mechanism is then repeated periodically or upon specific request to evaluate the compliance status of existing resources.

Figure 4 – Working principle of Azure Policy in resource control

Azure already has many built-in policies ready to apply, or you can configure them to suit your needs. The definition of the Azure Policy is made in JSON and follows a well defined structure, described inthis Microsoft's document. You also have the possibility of creatingInitiatives, they are a collection of multiple policies.

When you have the desired policy definition, you can assign it to a Management Group, to a subscription and possibly in a more limited way to a specific Resource Group. The same goes for Initiatives. You also have the ability to exclude certain resources from applying the policy if necessary.

Following the assignment, you can evaluate the State of compliance in detail and if it is necessary apply remediation actions.

Use cases for Azure policies

The main areas that can be governed by appropriately adopting the Azure Policies are reported:

  • financial: resources deployed in Azure for which a consistent metadata strategy needs to be applied to achieve effective cost mapping;
  • data location: sovereignty requirements that require data to reside in certain geographic locations;
  • unnecessary expenses: resources that are no longer used or that have not been properly disposed of resulting in unnecessary expenses for the company;
  • management inefficiencies: an inconsistent resource naming and tagging strategy can make troubleshooting and routine maintenance demands of existing architectures difficult;
  • business interruption: SLAs are required to ensure that systems are built in accordance with business requirements. Therefore, architectures must be designed according to SLAs and must be investigated if they do not meet them.

Conclusions

In the context of Cloud Technical Governance it is essential to define and apply rules that make it possible to ensure that Azure resources always comply with the defined company standards. Thanks to the use of Azure Policies, also increasing the complexity and quantity of services, you can always ensure advanced control of your Azure environment.