Deployment enhancements for SQL Server on Azure Virtual Machines
A great update to our Azure Marketplace image with SQL is you can now configure the instance during deployment. Most companies have standards for their SQL instances and can now make configuration changes during deployment vs keeping the preconfigured image settings. Items like moving the system database to a data disk, configuring tempdb data and log files, configuring the amount of memory and more. During SQL VM deployment under SQL Server Settings, you have the options to change the defaults by clicking Change Configuration for storage or Change SQL Instance settings for customizing memory limits, collation, and ad hoc workloads.
Networking
New Azure Firewall capabilities
New Azure Firewall capabilities are available:
Azure Firewall network rule name logging: previously, the event of a network rule hit would show the source, destination IP/port, and the action, allow or deny. With the new functionality, the event logs for network rules will also contain the policy name, Rule Collection Group, Rule Collection, and the rule name hit.
Azure Firewall premium performance boost: this feature increases the maximum throughput of the Azure Firewall Premium by more than 300 percent (to 100Gbps).
Performance whitepaper: to provide customers with a better visibility into the expected performance of Azure Firewall, Microsoft is releasing the Azure Firewall Performance documentation.
Azure Bastion now supports file transfer via the native client (preview)
With the new Azure Bastion native client support in public preview and included in Standard SKU, you can now:
Use either SSH or RDP to upload files to a VM from your local computer.
Use RDP to download files from a VM to your local computer.
Custom virtual network support in Azure Container Apps (preview)
You can now create Azure Container Apps environments into new or existing virtual networks. This enables Container Apps to receive private IP addresses, maintain outbound internet connectivity, and communicate privately with other resources on the same virtual network.
New features are constantly added to Azure NetApp Files and previously released preview features are moved into general availability. The following capabilities have recently received general availability status and no longer need registration for use:
The new year started with several announcements from Microsoft regarding news related to Azure managementservices. The monthly release of this summary allows you to have an overall overview of the main news of the month, in order to stay up to date on these topics and have the necessary references to conduct further exploration.
The following diagram shows the different areas related to management, which are covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.
Figure 1 – Management services in Azure overview
Monitor
Azure Monitor
News regarding Azure Monitor alerts
The following changes have been introduced in Azure Monitor regarding alerts:
Frequency of 1 minute for alert logs. Alert logs allow users to use a Log Analytics query to evaluate, with a set frequency, resource logs and activate an alert based on the results obtained. Rules can trigger one or more actions using Action Groups. Now you have the ability to evaluate the alert query every minute, thus reducing the overall time for activating an alert log. By adopting this frequency of evaluation it should be taken into account that it also has an impact on the costs of Azure Monitor.
New way of creating alert rules: the experience of creating an alert rule has been transformed from an articulated process into a simple and intuitive wizard.
New agent: support for Private Links
The new Azure Monitor agent introduced support for network configurations via private link. This configuration allows you to operate in restricted environments that require special network requirements and a high degree of isolation.
New version of the agent for Linux systems
A new version of the Log Analytics agent has been released this month for Linux systems thanks to which several improvements and greater stability are introduced.
Govern
Azure Cost Management
Improvements in Azure Advisor recommendations for virtual machines
Azure has improved the Azure Advisor recommendation named “Shutdown/Resize your virtual machines”. This recommendation offers customers the opportunity to save costs by targeting virtual machines that are not being used efficiently.
Among the main improvements we have made are:
Resizing of series between different SKUs: up to this new version, the sizing recommendations provided by Azure Advisor were mostly within the same SKU family. This means if you were using a D3 v2 inefficiently, a D2 v2 or a D1 v2 was recommended, or a smaller SKU but within the same family. Now the recommendations take into account, to increase savings, the ability to move to different families by using SKUs that adapt perfectly to the workload based on the data collected.
Adoption of new versions of SKU families: in general, newer versions of SKU families are more optimized, offer more features and a better performance / cost ratio than previous versions. If the workload is found to be running on an older version and can achieve cost benefits without impacting performance on a newer version, is reported by Azure Advisor.
Improvements on the quality of reports: Microsoft received feedback that some recommendations were not feasible as they did not take certain criteria into account. In order to improve the quality of the recommendations, they are now generated taking into account even more characteristics, such as accelerated network support, support for premium storage, availability in a region, inclusion in an availability set, etc. . Furthermore, to increase the quality, the robustness and applicability of the recommendations the entire recommendation engine has been completely revamped to base it on new automatic and cutting-edge machine learning algorithms.
Multitasking in cost analysis (preview)
Azure Cost Management introduces a new cost analysis experience that allows you to do them more effectively. The preview includes a new tabbed experience to simplify analysis. Starting with an integrated view list, you can open multiple tabs to explore different cost aspects at the same time.
Updates related toAzure Cost Management and Billing
Microsoft is constantly looking for new methodologies to improve Azure Cost Management and Billing, the solution to provide greater visibility into where costs are accumulating in the cloud, identify and prevent incorrect spending patterns and optimize costs . Inthis article some of the latest improvements and updates regarding this solution are reported.
Secure
Microsoft Defender for Cloud
New features, bug fixes and deprecated features of Microsoft Defender for Cloud
Microsoft Defender for Cloud development is constantly evolving and improvements are being made on an ongoing basis. To stay up to date on the latest developments, Microsoft updates this page, this provides information about new features, bug fixes and deprecated features. In particular, this month the main news concern:
Microsoft Defender for Resource Manager has been updated with new alerts and a greater emphasis has been introduced on high-risk operations mapped to MITER ATT&CK® Matrix
Introduced recommendations for enabling Microsoft Defender plans on workspaces (preview)
Automatic provisioning of the Log Analytics agent on Azure Arc-enabled machines (preview)
Protect
Azure Backup
Changes in security settings
Azure Backup recently released the following changes regarding security settings for workloads protected by Microsoft Azure Recovery Service Agent, Azure Backup Server, or System Center Data Protection Manager:
Integration with MUA (Multi-user authorization): the operation of “disabling safety functions” is now defined as a critical operation that can be protected by a Resource Guard.
To provide protection against accidental or harmful elimination, it is no longer possible to unregister a protected server if the security features are enabled for the vault and there are associated backup items, in active or soft delete state.
Customers will not have to incur any costs for backup data kept in the soft delete state.
The backup policy is not applied to data kept in the soft delete state and therefore no data is deleted for 14 days.
Azure Site Recovery
Support for Azure Policy
Microsoft has introduced the ability to use Azure Policies to enable Azure Site Recovery for virtual machines (VM) on a large scale, thus allowing you to more easily and quickly adhere to organizational standards. After creating a Disaster Recovery policy for a specific subscription or for a specific resource group, all new virtual machines added to that subscription or to the resource group will have Azure Site Recovery enabled automatically. The policy in question is called "Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery“. In addition to enabling replication for large-scale virtual machines, the Policies make it possible to maintain control over the achievement of organizational standards. In fact,, compliance with policies can be monitored and, if virtual machines are found to be non-compliant, you can create a remediation activity to make the subscription or resource group compliant with the 100%.
Support for Managed Diskof Zone Redundant Storage type (ZRS)
Azure Site Recovery (ASR) introduced support for ZRS type managed disks. Therefore, ASR now allows you to protect virtual machines that take advantage of ZRS managed disks, replicating them in a secondary region of your choice. ASR identifies the source disks as ZRS managed disks and creates equivalent ZRS managed disks in the secondary region. If there is an outage in a region and it is necessary to fail over to the secondary region, ASR will activate the virtual machines in the secondary region with ZRS managed disks, ensuring the same level of resilience.
Migrate
Azure Migrate
New Azure Migrate releases and features
Azure Migrate is the service in Azure that includes a large portfolio of tools that you can use, through a guided experience, to address effectively the most common migration scenarios. To stay up-to-date on the latest developments in the solution, please consult this page, that provides information about new releases and features.
Evaluation of Azure
To test for free and evaluate the services provided by Azure you can access this page.
Microsoft is announcing a price reduction on the DCsv2 and DCsv3-series VMs by up to 33%. The price reduction enables the data protection benefits of ACC with no premium compared to general purpose VMs on a per physical core basis. New prices took effect on 1/1/2022. If you are already using DCsv2 and DCsv3-series VMs prior to 1/1/2022, you will see the price reduction in your next bill.
Storage
Azure Ultra Disk Storage is available in West US 3
Azure Ultra Disk Storage is now available in West US 3. Azure Ultra Disks offer high throughput, high IOPS, and consistent low latency disk storage for Azure virtual machines (VMs). Ultra Disks are suited for data-intensive workloads such as SAP HANA, top tier databases, and transaction-heavy workloads.
Networking
Multiple custom BGP APIPA addresses for active VPN gateways
All SKUs of active-active VPN gateways now support multiple custom BGP APIPA addresses for each instance. Automatic Private IP Addressing (APIPA) addresses are commonly used as the BGP IP addresses for VPN connectivity. In addition to many on-premises VPN devices requiring multiple custom APIPA addresses for BGP, this feature enables BGP connections to Amazon Web Services (AWS) and other cloud providers.
Load Balancer SKU upgrade through PowerShell script
You can now upgrade your Azure Load Balancer from Basic SKU to Standard SKU by using a PowerShell script. By upgrading to Standard SKU, the Load Balancer enables the network layer traffic to drive higher performance and stronger resiliency, along with an improved integration experience with other Azure services. The PowerShell script creates the Standard SKU Load Balancer with the same configurations as the Basic Load Balancer. In addition, the script migrates the backend resources to the Standard Load Balancer for you.
Azure Traffic Manager: additional IP addresses for endpoint monitoring service
Traffic Manager uses a probing mechanism to evaluate your application endpoints. To enhance the capacity of our probing plane, Microsoft will be increasing the number of probes deployed within Traffic Manager’s endpoint monitoring service over the next few years to continue to mitigate the large amount of growth. Your applications will see an increase in number of health probes and some of these probes may originate from new IP addresses. These changes will start to go live on 21st January 2022 at 20:00 UTC.
Recommended action: if you use a network access control mechanism (e.g., Azure Firewall or Network Security Groups) and are not using Service Tags (AzureTrafficManager), please continue checking this updated list of IP addresses each Wednesday, until further notice, to ensure you allow incoming traffic from these new IP addresses. Failure to do so may cause some Traffic Manager health probes for the application endpoints to fail and may result in misrouting of traffic. No action is required access control isn’t used or network access control is utilized with AzureTrafficManager service tags.
In the past two weeks, Microsoft hasn’t made any major announcements regarding these topics. However, here are some links to interesting videos made by John Savill, Principal Cloud Solution Architect at Microsoft:
In December, Microsoft announced news regarding Azure managementservices. Thanks to the release of this summary, which occurs on a monthly basis, we want to provide an overall overview of the main news of the month, in order to stay up to date on these topics and have the necessary references to conduct further exploration.
The following diagram shows the different areas related to management, which are covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.
Figure 1 – Management services in Azure overview
Monitor
Azure Monitor
Audit Logs for Azure Monitor queries
Azure Monitor allows you to collect data from the entire ecosystem, including telemetry data at the application and operating system level, security log, network log, diagnostic logs from Azure resources and custom logs. All these data can be queried with the powerful KQL language, useful for obtaining detailed information and making correlations. Microsoft has included the ability to control Azure Monitor queries. In fact,, by enabling this functionality through the Azure diagnostic mechanism, you can collect telemetry data about who ran a query, when it was performed, which tool was used to run the query, the text of the query and performance statistics relating to the execution of the query. This telemetry, like any other Azure Diagnostic-based telemetry, can be sent to an Azure Storage Blob, to an Azure Event Hub, or in the Azure Monitor logs.
Govern
Azure Cost Management
Updates related toAzure Cost Management and Billing
Microsoft is constantly looking for new methodologies to improve Azure Cost Management and Billing, the solution to provide greater visibility into where costs are accumulating in the cloud, identify and prevent incorrect spending patterns and optimize costs . Inthis article some of the latest improvements and updates regarding this solution are reported.
Secure
Microsoft Defender for Cloud
Microsoft Defender for Containers adds new features for Kubernetes(preview)
Microsoft Defender for Containers, is a new offering that combines the functionality of Azure Defender for Kubernetes and Azure Defender for Container registries, adding several new features related to Kubernetes on Azure:
AKS Profile: onboarding and maintenance as an AKS profile, so as to no longer have a dependency on the Log Analytics agent.
Multi cloud support: multi cloud support for AKS, Amazon EKS, Kubernetes on-prem / IaaS (GCP will be added in the future).
Visibility of vulnerabilities: a new recommendation monitors Kubernetes clusters and shows a list of running images with any vulnerabilities, based on evaluation scans provided by Qualys. This allows you to focus on the most critical vulnerabilities that expose runtime environments to security threats and attacks.
Advanced Threat Protection: Kubernetes compatible AI analysis and anomaly detection.
Improved ACR vulnerability assessment: the Azure Container Registry Vulnerability Assessment Recommendation (ACR) has been improved by adding runtime information to image scan results. This allows for the assignment of priorities and to apply filters based on the distribution status of the image.
Continuous scanning of images: in addition to periodic scanning of Azure Container Registry images (ACR) over the past 30 days, continuous image scanning periodically scans ACR images running on Kubernetes clusters.
New features, bug fixes and deprecated features of Microsoft Defender for Cloud
Microsoft Defender for Cloud development is constantly evolving and improvements are being made on an ongoing basis. To stay up to date on the latest developments, Microsoft updates this page, this provides information about new features, bug fixes and deprecated features. In particular, this month the main news concern:
Azure Migrate is the service in Azure that includes a large portfolio of tools that you can use, through a guided experience, to address effectively the most common migration scenarios. To stay up-to-date on the latest developments in the solution, please consult this page, that provides information about new releases and features.
Evaluation of Azure
To test for free and evaluate the services provided by Azure you can access this page.
Public preview of VM restore point is available, a new resource that stores VM configuration and a point-in-time snapshot of one or more managed disks attached to a VM. VM restore points supports multi-disk application consistent snapshots and can be leveraged to easily capture backups of your VM and disks. You can easily restore the VM using VM restore points in cases of data loss, corruption, or disasters. Microsoft is also introducing a new Azure Resource Manager (ARM) resource called Restore Point Collection, which will act as a container for all the restore points of a specific VM.
Placement polices for Azure VMware Solution
Placement policies are used to define constraints for running virtual machines in the Azure VMware Solution Software-Defined Data Center (SDDC). These constraints allow the you to decide where and how the virtual machines should run within the SDDC clusters. Placement polices are used to support performance optimization of virtual machines (VMs) through policy, and help mitigate the impact of maintenance operations to policies within the SDDC cluster.
Storage
Secure access to storage account from a virtual network/subnet in any region (preview)
You can secure access to your storage account by enabling a service endpoint for Storage in the subnet and configuring a virtual network rule for that subnet through the Azure storage firewall. You can now configure your storage account to allow access from virtual networks and subnets in any Azure region. By default, service endpoints enable connectivity from a virtual network to a storage account in the same Azure region as the virtual network or it’s paired Azure region. This preview enables you to register your subnet to allow service endpoint connectivity to storage accounts in any Azure region across the globe.
Attribute-based Access Control (ABAC) conditions with principal attributes (preview)
Attribute-based access control (ABAC) is an authorization strategy that defines access levels based on attributes associated with security principals, resources, requests, and the environment. Azure ABAC builds on role-based access control (RBAC) by adding conditions to Azure role assignments expressed as a predicate using these attributes. This update to the preview enables the use of Azure AD custom security attributes for principals in role assignment conditions. You can now use combine principal attributes with resource and request attributes in your condition expressions.
Soft delete for blobs capability for Azure Data Lake Storage
Soft delete for blobs capability for Azure Data Lake Storage is now generally available. This feature protects files and directories from accidental deletes by retaining the deleted data in the system for a specified period of time. During the retention period, you can restore a soft-deleted object, i.e. file or directory, to its state at the time it was deleted. After the retention period has expired, the object is permanently deleted. All soft deleted files and directories are billed at the same rate as active ones until the retention period has expired.
Azure Stack
Azure Stack HCI
Windows Server guest licensing offer for Azure Stack HCI (preview)
To facilitate guest licensing for Azure Stack HCI customers, we are pleased to announce a new offer that brings simplicity and more flexibility for licensing. The new Windows Server subscription for Azure Stack HCI is available in public preview as of December 14, 2021. This offer will allow you to purchase unlimited Windows Server guest licenses for your Azure Stack HCI cluster through your Azure subscription. You can sign up and cancel anytime and preview pricing is $0 until general availability (GA). At GA, the offer will be charged at $23.60 per physical core per month. This offer simplifies billing through an all-in-one place Azure subscription and in some cases will be less expensive for customers than the traditional licensing model.
West Central US: Microsoft expands cloud services with two new datacenters in Wyoming
Microsoft is announcing the launch of two new Microsoft datacenters in Cheyenne – Wyoming, one in Cheyenne Business Parkway and another in Bison Business Park, enabling to expand and support the growth and demand for digital services in West Central US datacenter region. Cheyenne has been home to Microsoft’s cloud infrastructure services since 2012 and this expansion will enable us to continue providing services to current and new customers.
New Azure Virtual Machines DCasv5 and ECasv5-series (preview)
Azure DCasv5/ECasv5 confidential virtual machines (VMs) powered by 3rd Gen AMD EPYC™ processors with SEV-SNP are available in preview.
SQL Server IaaS Agent extension for Linux SQL VMs
Microsoft is making the capabilities of SQL Server IaaS Agent extension available to Linux platforms, starting with Ubuntu with plans for other distributions in time.
If you are already running SQL Server on Azure using an Ubuntu Linux Virtual Machine, the SQL Server IaaS Agent extension now enables you to leverage integration with the Azure portal and unlocks the following benefits for SQL Server on Linux Azure VMs:
Compliance: The extension offers a simplified method to fulfill the requirement of notifying Microsoft that the Azure Hybrid Benefit has been enabled as is specified in the product terms. This process negates needing to manage licensing registration forms for each resource.
Simplified license management: The extension simplifies SQL Server license management, and allows you to quickly identify SQL Server VMs with the Azure Hybrid Benefit enabled using the Azure portal, Azure PowerShell, or the Azure CLI.
IaaS Agent extension full mode no restart for SQL VMs
You can now enable the full mode of SQL Server IaaS Agent extension with no restart, giving you access to more manageability features for SQL Server on Azure Virtual Machines without interruption to your workloads. Previously, you had to restart the SQL Server services to enable these features. The full mode of SQL Server IaaS Agent extension unlocks many benefits such as Automated Backup, Automated Patching, Storage Optimization, and more, along with license management that comes with lightweight mode.
Storage
Azure File Sync: new agent released
The Azure File Sync agent v14.1 is available. Issue that is fixed in the v14.1 release:
Tiered files deleted on Windows Server 2022 are not detected by cloud tiering filter driver. This issue can also impact Windows 2016 and Windows Server 2019 if a tiered file is deleted using the FILE_DISPOSITION_INFORMATION_EX class.
To obtain and install this update, configure your Azure File Sync agent to automatically update when a new version becomes available or manually download the update from the Microsoft Update Catalog.
More information about this release:
This release is available for Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 and Windows Server 2022 installations.
A restart is required for servers that have an existing Azure File Sync agent installation if the agent version is less than version 12.0.
The agent version for this release is 14.1.0.0.
Installation instructions are documented in KB5001873.
Azure NetApp Files application volume group for SAP HANA (preview)
Application volume group (AVG) for SAP HANA enables you to deploy all volumes required to install and operate an SAP HANA database according to best practices in a single one-step and optimized workflow. The application volume group feature includes the use of proximity placement group (PPG) with VMs to achieve automated, low-latency deployments. Application volume group for SAP HANA has implemented many technical improvements that simplify and standardize the entire process to help you streamline volume deployments for SAP HANA. Instead of creating the SAP HANA volumes (data, log, shared, log-backup, file-backup) individually, the new application volume group for SAP HANA creates these volumes in a single ‘atomic’ operation (GUI, RP, API).
Networking
VPN Gateway NAT
Azure VPN NAT (Network Address Translation) supports overlapping address spaces between your on-premises branch networks and your Azure Virtual Networks. NAT can also enable business-to-business connectivity where address spaces are managed by different organizations and re-numbering networks is not possible. VPN NAT provides support for 1:1 Static NAT and 1-to-many dynamic NAT.
Wildcard listener on Application Gateways
Azure Application Gateway now supports the use of wildcard characters such as asterisk (*) and question mark (?) for hostnames on a multi-site HTTP(S) listener. You can now route requests from multiple host-names such as shop.contoso.com, accounts.contoso.com, pay.contoso.com to the same backend pool through a single listener configured with a wildcard hostname such as *.contoso.com.
In November, Microsoft unveiled several news regarding Azure management services, accomplice also the Microsoft Ignite conference 2021. Through these articles released on a monthly basis, we want to provide an overall overview of the main news of the month, in order to stay up to date on these arguments and have the necessary references for further information.
The following diagram shows the different areas related to management, which are covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.
Figure 1 – Management services in Azure overview
Monitor
Azure Monitor
Log Analytics Workspace Insights in Azure Monitor
Microsoft has announced the availability ofLog Analytics workspace insights which allows you to obtain detailed information on the Log Analytics workspaces, providing a comprehensive overview of the following aspects: usage, performance, integrity, agents, query and change logs.
These are the main questions to which the solution can provide an answer:
What are the main tables, those where most of the data is imported?
Which resource sends the most logs to the workspace?
How long does it take for the logs to reach the workspace?
How many agents are connected to the work area? How many are in a health state?
Query control: how many queries run in the workspace? What are their response codes and duration time? What are the slow and inefficient queries that require workspace overhead?
Who has set a daily limit? When data retention has changed?
Useful for keeping a log of changes in workspace settings.
New troubleshooting experiences in Network Insights for VPN Gateway & Azure Firewall
It is now possible to access detailed information and have a new problem solving experience in Azure Monitor Network Insights for VPN Gateway and Azure Firewall.
In fact,, you have the option of:
Access the resource topology that shows the integrity of the same and the related connections
A workbook showing all the key metrics
Direct links to documentation and troubleshooting guide
Azure Monitor container insights for Azure Arc enabled Kubernetes
In Azure Monitor, you can get detailed information about the containers running in Azure Arc-enabled Kubernetes environments. This allows you to centralize the visualization of infrastructure metrics, of container logs and related recommendations. The main features are:
Simple onboarding directly from the Azure portal
Receipt of automatic updates from the monitoring agent
Performance visibility, collecting memory and processor metrics from controllers, nodes and containers
Views via workbook and in the Azure portal
Alerts and queries on historical data for troubleshooting
Ability to examine Prometheus metrics
Manage Log Analytics data export rules in the Azure portal (preview)
The export of Log Analytics data can now be configured in the Azure portal. This allows you to easily manage data export rules by giving you a clear view of existing rules in the workspace, regardless of whether they are in the enabled or disabled state. It is also possible to modify existing rules and create new rules with a few simple steps.
Azure Monitor for SAP: new telemetryand root cause analysis (RCA)
Azure Monitor for SAP Solutions (AMS) introduced support for new telemetry data of SAP HANA (preview) and SAP NetWeaver
For SAP HANA we find:
License status: provides licensing details for all tenants running with SAP HANA MDC.
Multi-Version Concurrency Control (MVCC): report on the consistency of transactional data, isolating the transactions that access the same data at the same time
Details on save point operation
Details on delta merge
Statistics on HANA Alert
Customers who are using the solution will have available, without carrying out any further activities, the above telemetry data. For new customers who want to activate this solution, you can follow this guide to AMS onboarding and configure at least one SAP HANA provider.
Furthermore, customers using SAP in an Azure environment can view the “root cause analysis (RCA)” when a SAP system becomes unavailable due to an outage of the virtual machine or host. In fact,, AMS allows you to view information about the restart, the analysis of the triggering cause, details on the affected system and recommended steps.
AMS is currently available in the following Azure regions: US East, US East 2, US West 2, Europe West, and Europe North. AMS does not incur any additional licensing fees, but only the consumption costs of Azure Monitor are covered.
Configure
Azure Automation
PowerShell runbook support 7.1 (preview)
Azure Automation support for PowerShell runbooks 7.1 has been made available in preview on Azure, Azure Gov and Azure China. This allows for the development and execution of runbooks using PowerShell 7.1, both for cloud processes and for hybrid processes on Azure and non-Azure systems.
Support for Managed Identities
Support for Managed Identities has been introduced in Azure Automation. System Assigned Managed Identities are supported for cloud and hybrid processes, while User Assigned Managed Identities are only supported for cloud processes. This support allows you to reduce the effort of managing Run As Accounts for runbooks. A User Assigned Managed Identities is an independent Azure resource that can be assigned to the Azure Automation account, which can have multiple associated user-assigned identities. The same identity can be assigned to multiple Azure Automation accounts.
Govern
Update Management
Automatic VM guest patching
The new feature called "Automatic VM guest patching" is now available and helps simplify update management and achieve security compliance. Enabling the feature “Automatic VM guest patching” patches classified as critical and security are automatically downloaded and applied to the system. This feature is available for both Windows and Linux systems.
Azure Cost Management
Azure Advisor: tips to save on Azure Cosmos DB resource costs
Specific recommendations have been included in Azure Advisor to help you achieve possible cost savings for Azure Cosmos DB, obtained based on the historical use of resources.
Updates related toAzure Cost Management and Billing
Microsoft is constantly looking for new methodologies to improve Azure Cost Management and Billing, the solution to provide greater visibility into where costs are accumulating in the cloud, identify and prevent incorrect spending patterns and optimize costs . Inthis article some of the latest improvements and updates regarding this solution are reported.
Secure
Microsoft Defender for Cloud
Change to the names of Azure solutions in the security field
In November, durante Ignite 2021, changes have been announced to the names of Microsoft Azure solutions in the security field, as below:
Figure 2 - New names for Azure security solutions
New features, bug fixes and deprecated features of Microsoft Defender for Cloud
Microsoft Defender for Cloud development is constantly evolving and improvements are being made on an ongoing basis. To stay up to date on the latest developments, Microsoft updates this page, this provides information about new features, bug fixes and deprecated features. In particular, this month the main news concern:
Azure Security Center and Azure Defender have been unified and are called “Microsoft Defender for Cloud”
Native CSPM for AWS and Threat Protection for Amazon EKS and AWS EC2
Prioritizing sensitive data in cloud workloads, using Azure Purview
Improvements to integration with Microsoft Sentinel
Azure Security Benchmark v3 released
Protect
Azure Backup
Multi-user authorization for backups (preview)
Multi-user authorization for Azure Backup provides advanced protection for Recovery Services vaults against unauthorized critical operations. Azure Backup uses a Resource Guard to ensure that critical operations are performed only with the appropriate authorization. With this mechanism, Azure Backup helps provide better protection against operations that could lead to the loss of backup data, including:
Disabling soft delete and hybrid security settings
Disabling MUA protection
Changes to backup policies
Security changes
Stop protection
Changing the MARS security PIN
The backup administrator, which typically accesses the Recovery Services vault, must acquire the role of Contributor on Resource Guard to be able to perform the above protected operations (Critical). To do this, it must also request the action of the Resource Guard owner, who must approve and grant the requested access. It is also possible to use Azure AD Privileged Identity Management to manage just-in-time access on Resource Guard. Furthermore, it is possible to create the Resource Guard resource in a subscription or in a tenant other than that of the Recovery Services vault, for maximum isolation.
Metrics and related alerts for Azure Backup (preview)
Azure Backup now provides built-in metrics to allow you to monitor the integrity of backups and write custom alert rules based on these metrics.
Azure Site Recovery
Support for failover of multiple IP configurations
Azure Site Recovery has been introduced, for virtual machines on Azure, support for failover of secondary IP configurations. This allows you to configure failover and test failover settings for each secondary IP configuration, currently only in the Azure to Azure scenario (A2A).
New Update Rollup
For Azure Site Recovery was released theUpdate Rollup 59 which solves several problems and introduces someimprovements. Among the most important innovations we find support for Windows Server 2022 for the mobility Service. The details and the procedure to follow for the installation can be found in the specific KB.
Migrate
Azure Migrate
New Azure Migrate releases and features
Azure Migrate is the service in Azure that includes a large portfolio of tools that you can use, through a guided experience, to address effectively the most common migration scenarios. To stay up-to-date on the latest developments in the solution, please consult this page, that provides information about new releases and features.
Evaluation of Azure
To test for free and evaluate the services provided by Azure you can access this page.
Microsoft want to simplify the process required for you to identify the right VM based on your needs and budget. To that end, virtual machines selector is a web-based tool localized in 26 languages and available worldwide. Using the virtual machines selector you can specify your requirements, such as the category of workload you plan to run in Azure, and the technical specifications of your VM (e.g., OS disks storage options, data disks storage performance, Operating System, deployment region, etc.). After a few simple steps, the tool identifies the best VM and disk storage combination based on the information you enter. You will then be able to view the details of the recommended VMs and their prices. You can then add the selected VMs to the pricing calculator to perform a more comprehensive cost analysis.
New cloud region in Sweden
The new sustainable datacenter region in Sweden, with presence in Gävle, Sandviken and Staffanstorp is available. It includes Azure Availability Zones, which offer you additional resiliency for your applications by designing the region with unique physical datacenter locations with independent power, network, and cooling for additional tolerance to datacenter failures.
Azure VMware Solution now generally available in the France Central Azure Region and in Japan West Azure Region
Azure VMware Solution has expanded availability to Japan West and to France Central. With this release Japan West is now the second region within the Japan sovereign area to become available (joining Japan East).
SQL Server on Azure Virtual Machines: Multi subnet high availability
You can now simplify your SQL Server on Azure Virtual Machines high availability and disaster recovery configuration by deploying virtual machines in multiple subnets, eliminating the need for an Azure Load Balancer. Multi subnet configuration natively helps you match on-premises experience for connecting to your availability group listener or SQL Server failover cluster instance. Additionally, this feature doesn’t have any limitations on unique port or feature interoperability considerations like distributed network name (DNN) for availability group and failover cluster instance. Multi subnet configuration is natively supported by all versions of SQL Server and Windows Server Failover Cluster to simplify deployment, maintenance and improve failover time.
Azure Virtual Machines DCv3-series now available in Europe West and North (preview)
Announcing public preview expansion of the DCv3-series VMs to Europe West and North.
Storage
SFTP support for Azure Blob Storage (preview)
Starting today, SSH File Transfer Protocol (SFTP) support for Azure Blob Storage is available for public preview in select regions. Azure Blob Storage is the only storage platform that supports SFTP over object storage natively in a serverless fashion, enabling you to leverage object storage economics and features. With multi-protocol support, you can run your applications on a single storage platform with no application rewrites necessary, therefore eliminating data silos.
NFSv4.1 support on Azure Files
Azure Files support for NFS v4.1 on premium tier for both locally-redundant storage and zone-redundant storage is available. Now you can deploy these fully POSIX compliant, distributed NFS file shares in your production environments for a wide variety of Linux and container based workloads. Some example workloads include: highly available SAP application layer, enterprise messaging, user home directories, custom line-of-business applications, database backups, database replication, and devops pipelines. NFS 4.1 is available in all regions where the premium tier of Azure Files exists.
Azure Archive rehydration priority update
Azure Archive Storage provides a secure, low-cost means for retaining cold data, including backups and archival storage. Data stored in Archive Storage is offline and unavailable for read access until it is rehydrated to the hot or cool tier. You can choose to rehydrate data with standard or high priority, depending on the urgency of the retrieval request. Previously, it was not possible to change the retrieval priority after initiating a rehydration operation; priority had to be determined in advance, and there was no flexibility to update the priority if the retrieval urgency subsequently changed.
Archive Storage now supports updating the retrieval priority from standard to high while a rehydration operation is pending. You can simplify rehydration management and improve cost efficiency by initiating the rehydration operation with standard priority for a set of blobs, then updating the priority to high for any blobs that require faster retrieval.
Networking
VPN Gateways: increased connection limit
The max number of Site-to-Site/VNet-to-VNet connections on a VPN Gateway has been increased from 30 to 100 tunnels for SKUs VpnGw4, VpnGw5, VpnGw4AZ, and VpnGw5AZ. This change does not affect legacy gateways with the High Performance SKU.
Azure Bastion: new features available with Standard SKU (preview)
With the new Azure Bastion native client support you can:
Connect to your target Azure virtual machine via Azure Bastion using Azure CLI and a native client on your local Windows machine
Log into Azure Active Directory-joined virtual machines using your Azure Active Directory credentials
Also, with the new Azure Bastion IP based connection capability you can now connect to any target resource reachable from your Bastion using its private IP address. This includes any reachable resources hosted on-premises or in other clouds, allowing you to achieve more secure global remote connectivity with Azure Bastion.
ExpressRoute now supports Azure Virtual Desktop Shortpath RDP over Private Peering
ExpressRoute Private Peering now supports Azure Virtual Desktop RDP Shortpath. After establishing the reverse connect transport, the client and session host starts the RDP connection. With RDP Shortpath configured, the client will require a direct connectivity with the session host to establish a secure TLS connection. You can leverage ExpressRoute Private peering to setup the direct connection to support RDP Shortpath.
