Category Archives: Microsoft Azure

Azure Management services: what's new in September 2021

In September there were several news announced by Microsoft regarding Azure management services. In this summary, which I report on a monthly basis, major announcements are listed, accompanied by the necessary references to be able to conduct further studies on.

The following diagram shows the different areas related to management, which are covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.

Figure 1 – Management services in Azure overview

Monitor

Azure Monitor

Support for Availability Zones is available

Azure Monitor has introduced support for Availability Zones that help protect applications and data from datacenter failures and can provide resilience for Azure Monitor features such as Application Insights and any other functionality that relies on a Log Analytics workspace. When a workspace is linked to an availability zone, Azure Monitor remains active and operational even if a specific datacenter is not functional or completely inactive. Azure Monitor currently supports Availability Zones for the following regions: East US 2 and West US 2.

Cross query between Azure Monitor and Azure Data Explorer

The ability to query between Azure Monitor and Azure Data Explorer allows you to query data exported to Azure Data Explorer or Azure blob storage and merge them with any Azure Monitor Log Analytics workspace.

Among the various features recently released we find the ability to perform queries:

  • Between Azure Data Explorer and Azure Monitor services (Log Analytics / Application Insights) and vice versa
  • On Azure Monitor logs exported from an Azure blob storage account using Azure Data Explorer

In Azure Monitor Log Analytics, the maximum data retention time frame is limited to 2 years. This aspect can be limiting in some areas, to the point that certain compliance criteria are not met. To overcome this limitation, you can export logs to an Azure blob storage. This new feature allows you to cross-query by including data exported to Azure blob storage in an integrated way.

Support for Windows Server 2022 for the Azure Monitor Agent

The Azure Monitor Agent is now also supported for Windows Server 2022 such as virtual machines, virtual machine scale sets and Arc enabled servers (in on-premise environments and / or non-Azure servers).

New version of the agent for Linux systems

A new version of the Log Analytics agent has been released this month for Linux systems where several improvements and greater stability are introduced. Furthermore, the OMI component has been updated to version 1.6.8 and introduced support for AWS 2 / Centos 8.4 Linux.

Configure

Azure Automation

Support for the Az module

Azure Automation introduces support for the module “Az”, available by default for all new Automation Accounts. Furthermore, the option is present in the Azure portal “Update Az Modules” which allows you to update the modules to “Az” for existing Automation Accounts.

Govern

Azure Policy

Support for AKS custom policy (preview)

Microsoft has announced in preview support for custom policies for Azure Kubernetes Service clusters (AKS). With this feature, it is possible to create and assign custom policy definitions and constraint templates to AKS clusters, see advanced information about any errors, use the embedded constraint template embedded within the policy definition and more.

Azure Cost Management

Updates related toAzure Cost Management and Billing

Microsoft is constantly looking for new methodologies to improve Azure Cost Management and Billing, the solution to provide greater visibility into where costs are accumulating in the cloud, identify and prevent incorrect spending patterns and optimize costs . Inthis article some of the latest improvements and updates regarding this solution are reported, including:

Secure

Azure Security Center

New features, bug fixes and deprecated features of Azure Security Center

Azure Security Center development is constantly evolving and improvements are being made on an ongoing basis. To stay up to date on the latest developments, Microsoft updates this page, this provides information about new features, bug fixes and deprecated features.

Protect

Azure Backup

New alerts and management in the Backup center (preview)

Azure Backup has released a new Azure Monitor based alerting solution, which allows you to take advantage of the notification capabilities offered by Azure to monitor and effectively act on critical backup incidents. These alerts can also be managed directly by Azure Backup center.

Oracle snapshot with Azure Backup

Azure Backup now allows you to run pre-post scripts to deactivate and reactivate Oracle databases. This allows you to have consistent backups and take advantage of all the advantages of Azure VM backup also for Oracle systems. Database-consistent snapshots can be used for restores from Oracle, they are verifiable by Oracle database clients such as RMAN and have economic advantages as the backup of Azure VMs is intrinsically incremental. The ability to take consistent snapshots at the Oracle database level also means there is no need to stream the full daily data to a storage target, therefore it is possible to significantly reduce the I / O demand on the machine and on the network, as well as reducing the need for large storage spaces. Furthermore, the use of these snapshots guarantees the ability to quickly create clones of Oracle production VMs and it is not necessary to perform intensive I / O operations such as a datapump.

Offline backup with Azure Data Box

Microsoft has made the Azure Offline Backup functionality available using Azure Data Box, which allows you to use Azure Data Box to seed large initial backups offline in an Azure Recovery Service vault.

Azure Site Recovery

New features to simplify the DR scenarios of VMs in a VMware environment (preview)

The following changes have been released in preview in ASR to help improve the activation of Disaster Recovery scenarios for VMware environments:

  • Automatic updates for the ASR replication appliance and for the Mobility agent. A limitation of the current ASR architecture is the need to manually update the various components of the configuration server and the Mobility service. To make things easier, Microsoft has introduced the ability to update automatically: when an update is made available, both the appliance (configuration server) and the Mobility service can be updated automatically. Furthermore, to perform automatic updates, the machine's root / admin credentials are no longer required.
  • Scalability improvements. The appliance becomes a single management unit where all its components have been converted into microservices hosted in an Azure environment. Not only will this make troubleshooting a lot easier, but managing the scalability of the solution will also be easier.
  • High availability for the appliance. Appliance resilience is a required feature and, thanks to this review, it is no longer necessary to perform regular backups of the appliance, but just start a new appliance and transfer all protected machines to the new appliance, without having to repeat a full replication.

Upgrade al TLS 1.2 or later

As part of the Microsoft initiative that provides for Azure to use TLS 1.2 by default and removing dependencies from previous versions, Azure Site Recovery is moving away from legacy protocols to ensure greater security for replication data. Therefore, TLS 1.0 e TLS 1.1 they will no longer be supported. These changes will take effect on 15 November 2021. To continue using Azure Site Recovery without interruption, you should make sure that all the resources that use the Microsoft Azure Recovery Services agent (MARS) are enabled for the use of TLS 1.2 or later.

Migrate

Azure Migrate

New Azure Migrate releases and features

Azure Migrate is the service in Azure that includes a large portfolio of tools that you can use, through a guided experience, to address effectively the most common migration scenarios. To stay up-to-date on the latest developments in the solution, please consult this page, that provides information about new releases and features.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure IaaS and Azure Stack: announcements and updates (September 2021 – Weeks: 37 and 38)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Azure VMware Solution achieves FedRAMP High Authorization

With this certification, U.S. government and public sector customers can now use Azure VMware Solution as a compliant FedRAMP cloud computing environment, ensuring it meets the demanding standards for security and information protection.

JetStream Disaster Recovery for Azure VMware Solution (preview)

JetStream Disaster Recovery is now available on Azure VMware Solution in public preview, enabling DR protection needed for business and mission-critical applications. JetStream Disaster Recovery on Azure VMware Solution is also cost-effective, as it uses minimal resources at the DR site by leveraging cloud storage, such as Azure Blob Storage.

Azure AD-joined VMs support

With this latest update, you can now:

  • Join your Azure Virtual Desktop virtual machines directly to Azure Active Directory (Azure AD.)
  • Connect to the virtual machine from any device with basic credentials.
  • Automatically enroll the virtual machines with Microsoft Endpoint Manager.

Management Group Scope for Azure Reservations (preview)

You can scope a reservation to a management group. When you set the scope to a management group, the reservation discount is applied to matching resources in the list of subscriptions that are a part of the management group and the billing context.

Storage

Azure Archive Storage now available in three new regions

Azure Archive Storage provides a secure, low-cost means for retaining cold data including backup and archival storage. Now, Azure Archive Storage is available in three new regions: Norway East, UAE North, and Germany West Central.

Azure IaaS and Azure Stack: announcements and updates (September 2021 – Weeks: 35 and 36)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

On-demand capacity reservations for Azure Virtual Machines (preview)

On-demand capacity reservations for Azure Virtual Machines, now in public preview, enable IT organization to reserve compute capacity for a VM size. The reservation can be for any length of time in any public Azure region or Availability Zone and supports most VM series. You can create and cancel an on-demand capacity reservation at any time, no commitment is required. The ability for you to access compute capacity, with SLA guarantees when on-demand capacity reservations become generally available, ahead of actual VM deployments is particularly important to ensure the availability of business-critical applications running on Azure. On-demand capacity reservations can be combined with Azure Reserved VM Instances (RIs) to significantly reduce costs.

Run Commands for Azure VMware Solution (preview)

Run commands are a collection of PowerShell packages available in the Azure VMware Solution portal that simplify the execution of certain operations on vCenter. With this announcement your cloud administrator can now more easily run management tasks that require elevated privileges.

Automatic scaling with Azure Virtual Machine Scale Sets flexible orchestration mode (preview)

Microsoft has enabled elastic virtual machine profile and automatic scaling for Azure Virtual Machine Scale Sets with flexible orchestration elastic profile and automatic scaling. The features are now in public preview, and provide:

  • Up to 1000 instances in a scale set (general purpose virtual machine sizes only)
  • Ability to manually add VM instances to the scale set
  • The option to spread instances across fault domains automatically, or specify a fault domain
  • Place on demand and Spot VMs in the same scale set
  • (New) Define a VM profile and specify instance count
  • (New) Automatically scale out and scale in based on metrics, schedule, or AI prediction (private preview)
  • (New) In guest patching that respects high availability / FD constraints
  • (New) Automatic extension updates
  • (New) Automatic instance repair/replacement of unhealthy instances
  • (New) Terminate notification for on demand and Spot VMs
  • (New) Secure by default networking – customers must explicitly define outbound connectivity
  • (New) Improved scale out and scale in reliability, latency, and elasticity

Storage

Azure Files: SMB 3.1.1 support, SMB Multichannel and storage capacity reservation

Server Message Block (SMB) 3.1.1 is the most recent version of the SMB protocol, released with Windows 10, containing important security and performance updates. Azure Files SMB 3.1.1 ships with two additional encryption modes, AES-128-GCM and AES-256-GCM, in addition to AES-128-CCM which was already supported. In addition to SMB 3.1.1, Azure Files exposes security settings that change the behavior of the SMB protocol. With this release, you may configure allowed SMB protocol versions, SMB channel encryption options, authentication methods, and Kerberos ticket encryption options. By default, Azure Files enables the most compatible options, however these options may be toggled at any time.

Server Message Block (SMB) Multichannel enables you to improve the IO performance of your SMB client 2-4x, increasing performance and decreasing total cost of ownership.

Storage capacity reservations for Azure Files enable you to significantly reduce the total cost of ownership of storage by pre-committing to storage utilization. To achieve the lowest costs in Azure, you should consider reserving capacity for all production workloads.

Zone redundant storage (ZRS) for Azure Disk Storage

Zone redundant storage (ZRS) for Azure Disk Storage is now generally available on Azure Premium SSDs and Standard SSDs in West Europe, North Europe, West US 2 and France Central regions. Disks with ZRS provide synchronous replication of data across the zones in a region, enabling disks to tolerate zonal failures which may occur due to natural disasters or hardware issues. They also enable you to maximize your virtual machine availability without the need for application-level replication of data across zones, which is not supported by many legacy applications such as old versions of SQL or industry-specific proprietary software. This means that, if a virtual machine becomes unavailable in an affected zone, you can continue to work with the disk by mounting it to a virtual machine in a different zone. You can also use the ZRS option with shared disks to provide improved availability for clustered or distributed applications like SQL FCI, SAP ASCS/SCS, or GFS2.

Automatic key rotation of customer-managed keys for encrypting Azure disks

Azure Disk Storage now enables you to automatically rotate keys for encryption of your data.

Change performance tiers for Azure Premium SSDs with no downtime

On Azure Premium SSDs, you can now change the performance tiers without any downtime to your application (generally available). You can change the performance tier of a disk even when it is attached to running virtual machines. For planned events like a seasonal sales promotion or running a training environment, you need to achieve sustained higher performance for a few hours or days and then return to the normal performance levels. With performance tiers on Premium SSDs, you have the flexibility to scale the disk performance without increasing the disk size by selecting a higher performance tier. You can also change tiers to bring it back to your baseline performance tier, enabling you to achieve higher performance and cost savings.

Networking

New updates to Azure Firewall

New Azure Firewall capabilities:

  • Azure Firewall supports US West 3, Jio India West, and Brazil Southeast.
  • Auto-generated self-signed certificates for Azure Firewall Premium SKU.
  • Secure Hub now supports Availability Zones.
  • Deploy Azure Firewall without public IP in Forced Tunnel mode.
  • Configure pre-existing Azure Firewalls in Force Tunnel mode using stop or start commands.

Azure Route Server

Azure Route Server simplifies dynamic routing between your network virtual appliance (NVA) and your virtual network. When you establish a Border Gateway Protocol (BGP) peering between your NVA and Azure Router Server, you can advertise IP addresses from your NVA to your virtual network. Your NVA will also learn what IP addresses your virtual network has. Azure Route Server is a fully managed service and is configured with high availability.

Several key Azure Route Server benefits include:

  • Simplify network appliance operations
  • Deploy it in your existing setup
  • Support any network appliance
  • Enable new network topology

Private Link Network Security Group Support (preview)

Private Endpoint support for Network Security Groups (NSGs) is now in public preview. This feature enhancement will provide you with the ability to enable advanced security controls on traffic destined to a private endpoint. In order to leverage this feature, you will need to set a specific subnet level property, called PrivateEndpointNetworkPolicies, to Enabled. In addition to toggling this property, you will need to also register for the Microsoft.Network/AllowPrivateEndpointNSG feature.

Private Link UDR Support (preview)

Private Endpoint support for User Defined Routes (UDRs) is now in public preview. This feature enhancement will provide you with the ability to apply custom routes to traffic destined to a private endpoint with a wider subnet range. In order to leverage this feature, you will need to set a specific subnet level property, called PrivateEndpointNetworkPolicies, to Enabled. In addition to toggling this property, you will need to also register for the Microsoft.Network/AllowPrivateEndpointNSG feature.

Address changes on an Azure virtual network that has active peerings (preview)

You can now update your virtual network address space without needing to remove the peering links on their virtual networking and incurring any downtime.

Azure ExpressRoute: new ExpressRoute Direct and Peering locations

New locations are available for ExpressRoute Direct:

  • Denver
  • Newport (Wales)
  • Pune

The new locations support dual 10Gbps or 100Gbps connectivity into Microsoft’s global network.

New peering locations are available for ExpressRoute:

  • Chicago2
  • Pune
  • Seoul2

Azure Management services: what's new in August 2021

Microsoft constantly releases news about Azure management services. By publishing this summary, we want to provide an overall overview of the main news released in the last month. This allows you to stay up-to-date on these topics and have the necessary references to conduct further investigations.

The following diagram shows the different areas related to management, which are covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.

Figure 1 – Management services in Azure overview

Monitor

Azure Monitor

The IT Service Management Connector is certified with the Quebec version of ServiceNow

The IT Service Management Connector (ITSM) of Azure Monitor is now certified for the Quebec version of ServiceNow. This connector allows you to establish a two-way connection between Azure and ITSM tools, useful for managing incidents and solving problems faster. Furthermore, it is possible to create work items in the ITSM tool, based on Azure alerts(Metric Alerts, Activity Log Alerts, e Log Analytics alert).

Lower levels for reservations for Azure Monitor dedicated clusters

Microsoft has reduced the capacity reservation (capacity reservation) minimum required for Azure Monitor dedicated clusters, bringing it from 1.000 GB to 500 GB per day. This allows you to take advantage of advanced features such as customer-managed keys, lockbox, and infrastructure encryption, even to customers with lower data entry volume.

The retirement of the Log Analytics agent has been announced

Microsoft announced that the 31 August 2024 the Log Analytics agent used in Azure Monitor will be retired. Therefore, before that date, you should use the new Azure Monitor agent (AMA) and data collection rules (DCR) of Azure Monitor to monitor virtual machines and servers.

Configure

Azure Automation

New features coming soon to be released

Microsoft has announced that the following new features will soon be released for Azure Automation:

  • Azure AD support: ability to use Azure AD-based authentication for public automation endpoints
  • Support for Powershell 7: ability to run Azure Automation runbooks, in production scenarios, using PowerShell 7.1
  • Azure Automation Hybrid Worker Extension for Azure and for Azure Arc machines: possibility of onboarding hybrid workers using the hybrid extension for Azure and Azure Arc machines.
  • Support for Availability Zones, useful for increasing the levels of reliability and resilience.
  • Native support of the Powershell Az module.

Govern

Azure Policy

Azure Guest Configuration Policy: possibility of applying settings within the systems as well (preview)

Guest Configuration Policies allow you to control settings within a machine, both for virtual machines running in Azure environment and for "Arc Connected" machines. At the moment, most of the Azure Guest Configuration Policies only allow you to make checks on the settings inside the machine, but they do not apply configurations. However, Microsoft has announced in preview the possibility to apply configurations provided by Microsoft or to create your own configuration packages using PowerShell DSC version 3.

Azure Cost Management

Updates related toAzure Cost Management and Billing

Microsoft is constantly looking for new methodologies to improve Azure Cost Management and Billing, the solution to provide greater visibility into where costs are accumulating in the cloud, identify and prevent incorrect spending patterns and optimize costs . Inthis article some of the latest improvements and updates regarding this solution are reported.

Secure

Azure Security Center

Azure Defender for SQL available from Azure SQL Virtual Machine blade

This new Azure Defender information browsing experience for SQL VMs, allows you to view, directly from the SQL virtual machine panel, information about security best practices for related SQL Server databases.

New features, bug fixes and deprecated features of Azure Security Center

Azure Security Center development is constantly evolving and improvements are being made on an ongoing basis. To stay up to date on the latest developments, Microsoft updates this page, this provides information about new features, bug fixes and deprecated features. In particular, this month the main news concern:

Protect

Azure Backup

Support for Archive storage for backup of VMs and SQL on board VMs

In Azure Backup, you can now move recovery points to save costs and keep your backup data longer. This feature is available for Azure VMs and SQL Servers installed on board Azure VMs. Using Azure PowerShell, it is possible to move these backups from the standard tier to the new archive tier.

When moving backup data from vault-standard to vault-archive, Azure Backup converts incremental data into full backup. This procedure involves an increase in the total GB used, but costs are reduced due to the huge difference in cost per GB between the two storage tiers. To simplify this process, Azure Backup provides advice on Recovery Points (RPs) for which migration to the vault-archive is recommended. Restores can be done in an integrated way from the Azure portal, with a simple and intuitive process.

Azure Site Recovery

ASR support for global disaster recovery

Azure Site Recovery (ASR) introduced support for cross-continental disaster recovery. Thanks to this feature, a virtual machine can be replicated from an Azure region in one continent to a region in another continent. In the event of a planned or unplanned outage, you will be able to fail over the virtual machine on all continents and, once the interruption has been mitigated, it can be brought back to the continent of origin (fail-back) and protected.

Extended the date of withdrawal of Hard coded IP address

Microsoft has extended the retirement date for hard coded IP addresses to connect with Azure Site Recovery services to 31 August 2024. This allows you to have more time to adjust the configurations of the environments to use the Azure service tags.

Migrate

Azure Migrate

Software inventory and agentless dependency analysis

In Azure Migrate it is now possible to inventory applications, roles and features installed and perform dependency analysis, on Windows and Linux servers, without installing any agent. Agentless dependency analysis allows you to identify and understand dependencies between servers, supporting data collection for up to 1000 servers at the same time.

Discovery and assessment of ASP.NET Web Apps with Azure Migrate (preview)

Azure Migrate now allows you to identify and assess ASP.NET Web Apps running on the on-premises IIS Web server and manage their migration. Until now, it was necessary to use tools such as App Service Migration Assistant to evaluate the Web Apps. Thanks to the introduction of this feature in Azure Migrate, it is possible to discover the .NET Web Apps running in your VMware environment and create assessments to manage the migration to Azure IaaS or Azure App Service.

Containerization of apps and migration to AKS or Azure App Service

The Azure Migrate app containerization tool allows you to modernize existing ASP.NET and Java web applications, using a containerization approach that requires little or no application changes. The tool groups existing applications running on servers in a container image and allows them to be deployed in containers running in Azure Kubernetes Service(AKS) or in Azure App Service. As part of the migration process, the tool allows you to parameterize the application configurations, outsource file system dependencies using persistent volumes and configure the containerized application monitor using Application Insights.

New Azure Migrate releases and features

Azure Migrate is the service in Azure that includes a large portfolio of tools that you can use, through a guided experience, to address effectively the most common migration scenarios. To stay up-to-date on the latest developments in the solution, please consult this page, that provides information about new releases and features.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure IaaS and Azure Stack: announcements and updates (August 2021 – Weeks: 33 and 34)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Placement polices for Azure VMware Solution (preview)

Placement policies are used to define constraints for running virtual machines in the Azure VMware Solution software-defined data center (SDDC). These constraints allow you to decide where and how the virtual machines should run within the SDDC clusters. Placement polices are used to support performance optimization of virtual Machines (VMs) through policy, and help mitigate the impact of maintenance operations to policies within the SDDC cluster. When you create a placement policy, it creates a vSphere Distributed Resource Scheduler (DRS) rule in the specified vSphere cluster. It also includes additional logic for interoperability with Azure VMware Solution operations.

New VM series supported by Azure Batch

The selection of VMs that can be used by Azure Batch has been expanded, allowing newer Azure VM series to be used. The following additional VM series can now be specified when Batch pools are created:

Azure Virtual Machines: retired series

Microsoft is retiring:

  • H-series Azure Virtual Machine sizes (H8, H8m, H16, H16r, H16m, H16mr, H8 Promo, H8m Promo, H16 Promo, H16r Promo, H16m Promo, and H16mr Promo) on 31 August 2022.
  • ND-series virtual machine sizes on 31 August 2022.
  • Basic and Standard A-series VMs on 31 August 2024.

Azure Government Top Secret now generally available for US national security missions

Azure Government Top Secret is available for US and this is a significant milestone in Microsoft commitment to bringing unmatched commercial innovation to US government customers across all data classifications. This announcement, together with new services and functionality in Azure Government Secret, provides further evidence of Microsoft’s relentless commitment to the mission of national security, enabling customers and partners to realize the vision of a multi-cloud strategy and achieve greater agility, interoperability, cost savings, and speed to innovation.

Storage

Azure Blob storage inventory

Inventory provides an easy way to gain insights into the containers and all block, append, and page blobs stored within an account. Blob Inventory can be selected to provide a full listing of all blobs and containers on a daily or weekly basis. Prior to Inventory, either a separate catalog system or, listing of all blobs and analyzing added complexity and cost to solutions that used blob storage. With inventory, all blobs and containers that match an optional filter will be listed on a daily or weekly basis to a CSV or Parquet file that can then be processed for insights.

Azure Archive Storage events for easy rehydration of archived blobs

The Azure Archive Storage provides a secure, low-cost means for retaining cold data including backups and archival storage. When your data is stored in Archive Storage, the data is offline and not available for read until it is moved to the hot or cool tier. Previously, the only way to determine when blob rehydration was complete and available to be read was to repeatedly poll the status of the rehydration operation, increasing complexity and cost. Azure Event Grid now supports events that fire when a blob is rehydrated from the archive tier. The Microsoft.Storage.BlobCreated event fires when a blob is copied from the archive tier to a new destination blob in the hot or cool tier. The Microsoft.Storage.BlobTierChanged event fires when the archived blob’s tier is changed to hot or cool. Your application can handle these events in order to respond to blob rehydration.

Azure Blob storage: last access time tracking

Last access time tracking integrates with lifecycle management to allow the automatic tiering and deletion of data based on when individual blobs are last accessed. This allows greater cost control as well as an automatic workflow including deletion of data after it is no longer used. Last access time can also be used without lifecycle management by any solution that needs to understand when individual blobs are last read and then take action. Lifecycle management with last access time tracking is available in all public regions for accounts with flat namespace used. Azure Data Lake Storage Gen2 will be supported later this year.

Networking

Network Insights: enhanced troubleshooting experiences for additional resources

You now have access to rich insights and enhanced troubleshooting experiences for four additional networking resources in Network Insights: Private Link, NAT Gateway, Public IP, and NIC.

With the onboarding of these resources, customers can access:

  • A resource topology showing resource health and connected resources
  • A pre-built workbook showing all key metrics along multiple
  • Direct links to documentation and troubleshooting help

Azure IaaS and Azure Stack: announcements and updates (August 2021 – Weeks: 31 and 32)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Automatic Azure VM extension upgrade capabilities

Azure Virtual Machine extensions are small applications that provide post-deployment configuration and automation on Azure VMs. The ability to automatically upgrade VM extensions is now available for Azure Virtual Machines and Virtual Machine Scale Sets. If the automatic extension upgrade feature is enabled for an extension on a VM or a VM scale set, the extension is upgraded automatically whenever the extension publisher releases a new version. Azure manages the upgrade rollout and the upgrades are safely applied following availability-first principles, keeping your environments more secure and up to date.

Storage

Azure File Sync agent v13

Improvements and issues that are fixed in the v13 release:

  • Authoritative upload: authoritative upload is a new mode available when creating the first server endpoint in a sync group. It is useful for the scenario where the cloud (Azure file share) has some/most of the data but is outdated and needs to be caught up with the more recent data on the new server endpoint. This is the case in offline migration scenarios like DataBox, for instance. When a DataBox is filled and sent to Azure, the users of the local server will keep changing / adding / deleting files on the local server. That makes the data in the DataBox and thus the Azure file share, slightly outdated. With Authoritative Upload, you can now tell the server and cloud, how to resolve this case and get the cloud seamlessly updated with the latest changes on the server. No matter how the data got to the cloud, this mode can update the Azure file share if the data stems from the matching location on the server. Be sure to avoid large directory restructures between the initial copy to the cloud and catching up with Authoritative Upload. This will ensure you are only transporting updates. Changes to directory names will cause all files in these renamed directories to be uploaded again. This functionality is comparable to semantics of RoboCopy /MIR = mirror source to target, including removing files on the target that no longer exist on the source. Authoritative Upload replaces the “Offline Data Transfer” feature for DataBox integration with Azure File Sync via a staging share. A staging share is no longer required to use DataBox. New Offline Data Transfer jobs can no longer be started with the AFS V13 agent. Existing jobs on a server will continue even with the upgrade to agent version 13.
  • Portal improvements to view cloud change enumeration and sync progress: when a new sync group is created, any connected server endpoint can only begin sync, when cloud change enumeration is complete. In case files already exist in the cloud endpoint (Azure file share) of this sync group, change enumeration of content in the cloud can take some time. The more items (files and folders) exist in the namespace, the longer this process can take. Admins will now be able to obtain cloud change enumeration progress in the Azure portal to estimate an eta for completion / sync to start with servers.
  • Support for server rename: if a registered server is renamed, Azure File Sync will now show the new server name in the portal. If the server was renamed prior to the v13 release, the server name in the portal will now be updated to show the correct server name.
  • Support for Windows Server 2022 Preview: the Azure File Sync agent is now supported on Windows Server 2022 Preview build 20348 or later. Note: Windows Server 2022 adds support for TLS 1.3 which is not currently supported by Azure File Sync. If the TLS settings are managed via group policy, the server must be configured to support TLS 1.2.
  • Miscellaneous improvements:
    • Reliability improvements for sync, cloud tiering and cloud change enumeration.
    • If a large number of files is changed on the server, sync upload is now performed from a VSS snapshot which reduces per-item errors and sync session failures.
    • The Invoke-StorageSyncFileRecall cmdlet will now recall all tiered files associated with a server endpoint, even if the file has moved outside the server endpoint location.
    • Explorer.exe is now excluded from cloud tiering last access time tracking.
    • New telemetry (Event ID 6664) to monitor the orphaned tiered files cleanup progress after removing a server endpoint with cloud tiering enabled.

More information about this release:

  • This release is available for Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 and Windows Server 2022 Preview installations.
  • A restart is required for servers that have an existing Azure File Sync agent installation if the agent version is less than version 12.0.
  • The agent version for this release is 13.0.0.0.
  • Installation instructions are documented in KB4588753.

Networking

Re-size Azure virtual networks that are peered (preview)

Virtual networks in Azure have had a long-standing constraint where any address space change is only allowed if the virtual network does not have any peerings. Microsoft is announcing that this limitation has been lifted, and customers can freely resize their virtual networks without incurring any downtime. With this feature, existing peerings on the virtual network do not need to be deleted prior to adding or deleting an address prefix on the virtual network.

Azure VPN Client for macOS

Azure VPN Client for macOS is available with support for native Azure AD, certificate-based, and RADIUS authentication for OpenVPN protocol.

Native Azure AD authentication support is highly desired by organizations as it enables user-based policies, conditional access, and multi-factor authentication (MFA) for P2S VPN. Native Azure AD authentication requires both Azure VPN gateway integration and the Azure VPN Client to obtain and validate Azure AD tokens. With the Azure VPN Client for macOS, you can use user-based policies, Conditional Access, as well as Multi-factor Authentication (MFA) for your Mac devices.

Azure ExpressRoute Global Reach: 2 new locations

There are 2 new locations for ExpressRoute Global Reach:

  • South Africa (Johannesburg only)
  • Taiwan

For more information about ExpressRoute Global Reach and available locations, visit ExpressRoute Global Reach webpage.

Azure IaaS and Azure Stack: announcements and updates (July 2021 – Weeks: 29 and 30)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Storage

Shared disks on Azure Disk Storage are now generally available on all Premium SSD and Standard SSD sizes

Shared disks can now be leveraged on smaller Premium SSDs from 4GiB to 128 GiB and all Standard SSDs from 4 GiB to 32 TiB. This expands shared disk support to Ultra Disk, Premium SSD, and Standard SSD enabling you to optimize for different price and performance options based on your workload needs.

Immutable storage with versioning for Blob Storage (preview)

Immutable storage with versioning for Blob Storage is now available in preview. Immutable storage provides the capability to store data in a write once, read many (WORM) state. Once data is written, the data becomes non-erasable and non-modifiable, and you can set a retention period so that files can’t be deleted until after that period has elapsed. Additionally, legal holds can be placed on data to make that data non-erasable and non-modifiable until the hold is removed. Immutable storage with versioning adds the capability to set an immutable policy on the container or object level. It also allows for the immutable protection of all past and current versions of any blob.

Networking

Next-generation firewall capabilities with Azure Firewall Premium

Microsoft Azure Firewall Premium is now available with this key features:

  • TLS inspection: Azure Firewall Premium terminates outbound and east-west transport layer security (TLS) connections. Inbound TLS inspection is supported in conjunction with Azure Application Gateway allowing end-to-end encryption. Azure Firewall performs the required value-added security functions and re-encrypts the traffic which is sent to the original destination.
  • IDPS: Azure Firewall Premium provides signature-based intrusion detection and prevention system (IDPS) to allow rapid detection of attacks by looking for specific patterns, such as byte sequences in network traffic or known malicious instruction sequences used by malware.
  • Web categories: Allows administrators to filter outbound user access to the internet based on categories (for example, social networking, search engines, gambling, and so on), reducing the time spent on managing individual fully qualified domain names (FQDNs) and URLs. This capability is also available for Azure Firewall Standard based on FQDNs only.
  • URL filtering: Allow administrators to filter outbound access to specific URLs, not just FQDNs. This capability works for both plain text and encrypted traffic if TLS inspection is enabled.

Application Gateway: new features for Web Application Firewall (WAF)

  • Bot protection: Web Application Firewall (WAF) bot protection feature on Application Gateway allows users to enable a managed bot protection rule set for their WAF to block or log requests from known malicious IP addresses. The IP addresses are sourced from the Microsoft Threat Intelligence feed. This rule set can be used alongside the OWASP core rule sets (CRS) to provide additional protection.

  • Geomatch custom rules: Web Application Firewall (WAF) geomatch custom rule feature on Application Gateway allows users to restrict access to their web applications by country/region. As with all custom rules, this logic can be compounded with other rules to suit the needs of your application.

Azure ExpressRoute: 3 New Peering Locations Available

Three new peering locations are available for ExpressRoute:

  • Campinas
  • Sao Paulo2
  • Dublin2

With this announcement, ExpressRoute is now available across 79 global commercial Azure peering locations.

New insights in Traffic Analytics

Azure Network Watcher Traffic Analytics solutions is used to monitor network traffic. It now provides WHOIS and Geographic data for all Public IPs interacting with your deployments and further adds DNS domain, threat type & threat description for Malicious IPs. Now, it also supports inter-zone traffic and VMSS level traffic insights.

Azure Management services: What's new in July 2021

Microsoft constantly announces news regarding Azure management services and as usual this monthly summary. The aim is to provide an overview of the main news of the month, in order to stay up to date on these topics and have the necessary references to conduct further exploration.

The following diagram shows the different areas related to management, which are covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.

Figure 1 – Management services in Azure overview

Monitor

Azure Monitor

New built-in policies for Log Analytics workspaces and linked automation accounts

When designing and deploying Azure Monitor Log Analytics workspaces, it is advisable to adopt specific criteria to distribute them consistently, in compliance with the compliance of their environment. Thanks to a new built-in policy it is possible to automate and control the distribution of Log Analytics workspaces and the Automation Accounts connected to them in your own environments.

Better integration between Azure Monitor and Grafana

Grafana is a very popular open source visualization and analysis software, which allows you to query, view and explore various metrics from multiple data sources in a centralized way. Recently, some updates have been made to the Azure Monitor plug-in for Grafana that allow you to enable additional data sources and easier authentication via managed identity. Among the main improvements we find:

  • Azure Resource Graph in the Azure Monitor Grafana data source. Azure Resource Graph (ARG) is a service in Azure that allows you to perform large-scale queries on a given subscription set, so that you can effectively govern your environment. With Grafana 8.0, Azure Monitor data source supports querying ARG.
  • Managed Identities are supported for the Grafana data source hosted in Azure and for Azure Monitor. Customers hosting Grafana on Azure (e.g.. App Service, Azure Virtual Machine) and have enabled managed identity on their virtual machine, they will be able to use it to configure Azure Monitor in Grafana. This aspect simplifies the configuration of the data source, requiring it to be securely authenticated without having to manually configure credentials through app registrations in Azure AD for each data source.
  • Direct links to the Azure portal for Grafana metrics. To allow easy exploration of Azure Monitor metrics directly from Grafana, when a user selects the result of a query, a menu appears with a link to “View in the Azure portal”. Selecting it will redirect you to the corresponding chart in the Azure Metrics Explorer portal.

Direct proxy and Log Analytics gateway support for the new agent

Following the recent announcement on the availability of the new Azure Monitor agent (AMA) and data collection rules (Data Collection Rules), support for direct proxies and support for Log Analytics gateways is introduced for this agent.

Configure

Azure Automation

Support for User Assigned Managed Identities (preview)

Azure Automation has introduced support for User Assigned Managed Identities, which allows you to eliminate the effort of managing RunAs Accounts for runbooks. A User Assigned Managed Identities is an independent Azure resource that can be assigned to the Azure Automation account, which can have multiple associated user-assigned identities. The same identity can be assigned to multiple Azure Automation accounts.

Govern

Azure Policy

Azure Policy built-in for Network Watcher Traffic Analytics

Traffic Analytics is based on the analysis of NSG flow logs and after an appropriate aggregation of data, inserting the necessary intelligence concerning security, topology and geographic map, can provide detailed information about the network traffic of your Azure cloud environment. The following new built-in policies have been introduced to facilitate the deployment of Traffic Analytics:

  • An audit policy: Flag flow logs resource without traffic analytics enabled
  • DeployIfNotExists policies: Enable Traffic Analytics on NSGs in an Azure region of a subscription or resource group

Azure Cost Management

Updates related toAzure Cost Management and Billing

Microsoft is constantly looking for new methodologies to improve Azure Cost Management and Billing, the solution to provide greater visibility into where costs are accumulating in the cloud, identify and prevent incorrect spending patterns and optimize costs . Inthis article some of the latest improvements and updates regarding this solution are reported, including:

Secure

Azure Security Center

New features, bug fixes and deprecated features of Azure Security Center

Azure Security Center development is constantly evolving and improvements are being made on an ongoing basis. To stay up to date on the latest developments, Microsoft updates this page, this provides information about new features, bug fixes and deprecated features. In particular, this month the main news concern:

Protect

Azure Site Recovery

New Update Rollup

For Azure Site Recovery was released theUpdate Rollup 56 that solves several issues and introduces some improvements. In particular, this update introduces the following new features:

  • Microsoft Azure Site Recovery (services): Improvements have been made to enable replication and new protection operations to be faster than 46%.
  • Microsoft Azure Site Recovery (portal): Replication between any two Azure regions around the world can now be enabled. You are no longer limited to enabling replication on your continent.

The details and the procedure to follow for the installation can be found in the specific KB.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure IaaS and Azure Stack: announcements and updates (July 2021 – Weeks: 27 and 28)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Free Extended Security Updates only on Azure for Windows Server 2012/R2and SQL Server 2012

On-premises Windows Server and SQL Server customers looking to migrate and modernize can take advantage of the extension of free Extended Security Updates (ESUs) for Windows Server 2012/R2 and SQL Server 2012, as follows:

  • Windows Server 2012 and 2012 R2 Extended Support (ESU) will end on October 10, 2023. Extended Support for SQL Server 2012 ends July 12, 2022. Customers that cannot meet this deadline can protect their apps and data running on these releases for three additional years when they migrate to Windows Server and SQL Server on Azure and take advantage of free ESUs on Azure. Customers running Windows Server and SQL Server on these releases and on-premises will have the option to purchase ESUs.
  • Windows Server and SQL Server 2008 and 2008 R2 three-year ESUs are coming to an end on January 10, 2023, and July 12, 2022, respectively. Customers who need more time to migrate and modernize will be able to take advantage of a Windows Server and SQL Server 2008 and 2008 R2 on Azure, we will now provide one addiitonal year of extended security updates only on Azure.

Virtual Machine (VM) bursting is now generally available on more VM types

Virtual machine level disk bursting is a now enabled for our Dsv4, Dasv4, Ddsv4, Esv4, Easv4, Edsv4, Fsv2 and B-series VM families, which allows your virtual machine to burst its disk IO and MiB/s throughput performance for a short time daily. This enables your VMs to handle unforeseen spikey disk traffic smoothly and process batched jobs with speed. There is no additional cost associated with this new capability or adjustments on the VM pricing and it comes enabled by default.

HPC Cache on E-Series VMs Support of Blob NFS 3.0

The Azure Blob team recently announced that Blob NFS 3.0 protocol support is generally available and now, Azure HPC Cache will follow suit with general availability using E-Series VMs.

Storage

Azure File Sync agent v13

The Azure File Sync agent v13 release is being flighted to servers which are configured to automatically update when a new version becomes available.

Improvements and issues that are fixed in the v13 release:

  • Authoritative upload. Authoritative upload is a new mode available when creating the first server endpoint in a sync group. It is useful for the scenario where the cloud (Azure file share) has some/most of the data but is outdated and needs to be caught up with the more recent data on the new server endpoint. This is the case in offline migration scenarios like DataBox, for instance. When a DataBox is filled and sent to Azure, the users of the local server will keep changing / adding / deleting files on the local server. That makes the data in the DataBox and thus the Azure file share, slightly outdated. With Authoritative Upload, you can now tell the server and cloud, how to resolve this case and get the cloud seamlessly updated with the latest changes on the server. No matter how the data got to the cloud, this mode can update the Azure file share if the data stems from the matching location on the server. Be sure to avoid large directory restructures between the initial copy to the cloud and catching up with Authoritative Upload. This will ensure you are only transporting updates. Changes to directory names will cause all files in these renamed directories to be uploaded again. This functionality is comparable to semantics of RoboCopy /MIR = mirror source to target, including removing files on the target that no longer exist on the source. Authoritative Upload replaces the “Offline Data Transfer” feature for DataBox integration with Azure File Sync via a staging share. A staging share is no longer required to use DataBox. New Offline Data Transfer jobs can no longer be started with the AFS V13 agent. Existing jobs on a server will continue even with the upgrade to agent version 13.
  • Portal improvements to view cloud change enumeration and sync progress. When a new sync group is created, any connected server endpoint can only begin sync, when cloud change enumeration is complete. In case files already exist in the cloud endpoint (Azure file share) of this sync group, change enumeration of content in the cloud can take some time. The more items (files and folders) exist in the namespace, the longer this process can take. Admins will now be able to obtain cloud change enumeration progress in the Azure portal to estimate an eta for completion / sync to start with servers.
  • Support for server rename. If a registered server is renamed, Azure File Sync will now show the new server name in the portal. If the server was renamed prior to the v13 release, the server name in the portal will now be updated to show the correct server name.
  • Support for Windows Server 2022 Preview. The Azure File Sync agent is now supported on Windows Server 2022 Preview build 20348 or later. Note: Windows Server 2022 adds support for TLS 1.3 which is not currently supported by Azure File Sync. If the TLS settings are managed via group policy, the server must be configured to support TLS 1.2.
  • Miscellaneous improvements:
    • Reliability improvements for sync, cloud tiering and cloud change enumeration.
    • If a large number of files is changed on the server, sync upload is now performed from a VSS snapshot which reduces per-item errors and sync session failures.
    • The Invoke-StorageSyncFileRecall cmdlet will now recall all tiered files associated with a server endpoint, even if the file has moved outside the server endpoint location.
    • Explorer.exe is now excluded from cloud tiering last access time tracking.
    • New telemetry (Event ID 6664) to monitor the orphaned tiered files cleanup progress after removing a server endpoint with cloud tiering enabled.

To obtain and install this update, configure your Azure File Sync agent to automatically update when a new version becomes available or manually download the update from the Microsoft Update Catalog.

More information about this release:

  • This release is available for Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 and Windows Server 2022 Preview installations.
  • A restart is required for servers that have an existing Azure File Sync agent installation if the agent version is less than version 12.0.
  • The agent version for this release is 13.0.0.0.
  • Installation instructions are documented in KB4588753.

Azure Blob storage: container Soft Delete

Administrators can set a retention policy and recover data from a deletion of a blob container without contacting support.

HPC Cache for NVME-based Storage, Storage Target Management, and HIPAA Compliance

The latest release of HPC Cache adds support for high throughput VMs as well as enhancements to storage target operations.

Disk pool for Azure VMware Solution (preview)

With disk pool, Azure VMware Solution customers can now access Azure Disk Storage for high-performance, durable block storage. Customer can scale their storage independent of compute and handle their growing data needs more cost-effectively.

Networking

Azure Bastion Standard SKU public (preview)

With the new Azure Bastion Standard SKU, you can now perform/configure the following: 

  • Manually scale Bastion host Virtual Machine instances: Azure Bastion supports manual scaling of the Virtual Machine (VM) instances facilitating Bastion connectivity. You can configure 2-50 instances to manage the number of concurrent SSH and RDP sessions Azure Bastion can support. 

  • Azure Bastion admin panel: Azure Bastion supports enabling/disabling features accessed by the Bastion host. 

Azure Web Application Firewall: OWASP ModSecurity Core Rule Set 3.2 (preview)

Open Web Application Security Project (OWASP) ModSecurity Core Rule Set 3.2 (CRS 3.2) for Azure Web Application Firewall (WAF) deployments running on Application Gateway is in preview. This release offers improved security from web vulnerabilities, reduced false positives, and improvements to performance. Microsoft is also announcing an increase in the file upload limit and request body size limit to 4GB and 2MB respectively.

Azure IaaS and Azure Stack: announcements and updates (July 2021 – Weeks: 25 and 26)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Azure VM Image Builder service: custom image building process

Azure VM Image Builder service is a managed service to build custom Linux or Windows virtual machine (VM) images with ease, and be compliant with your company’s security policy across Azure and Azure Stack. With Azure VM Image Builder, the Microsoft managed service built on HashiCorp Packer, you can describe custom images in a template using new or existing configurations and enables VM image building immediately without setting up and managing your own image building pipeline.

New Azure VMs for confidential workloads (Limited Preview)

Microsoft is announcing the limited preview go-live of the DCsv3-series and DCdsv3-series Azure Virtual Machines, starting in the East US 2 region. Leveraging Intel Software Guard Extensions (SGX), you can allocate private regions of memory, called enclaves, giving you more granular protection against processes or administrators with higher privilege levels. These new VMs enable you to protect the confidentiality and integrity your code and data while in use.

Storage

Azure Blob storage: NFS 3.0 protocol support

Network File System (NFS) 3.0 protocol support for Azure Blob Storage is generally available. Azure Blob Storage is the only storage platform that supports NFS 3.0 protocol over object storage natively (no gateway or data copying required), with object storage economics. The data stored in your storage account with NFS support is billed at the same rate as blob storage capacity charges with no minimal provisioned capacity required.

Azure NetApp Files: regional Capacity Quota

The default capacity quota for each subscription will be changed from no quota to a quota of 25 TiB, per region, across all service levels. This capacity change will not have any impact on your current service but will ensure (new) capacity pool creation or capacity pool size increases will succeed based on available regional capacity. Any regional capacity quota increase does not incur a billing increase, as billing will still be based on the provisioned capacity pools.

Expansion of credit-based disk bursting to Azure Standard SSDs E30 and smaller

Credit-based disk bursting is now available on Azure Standard SSDs E30 and smaller (less than or equal to 1TiB). With credit-based bursting, your disks can burst IOPS and throughput for a short-time (up to 30 minutes) to handle unexpected disk traffic and process batch jobs with speed. Now you can deploy your disks for their average performance needs instead of for peak performance, enabling you to achieve cost savings. All your existing or new Standard SSD disks (less than or equal to 1TiB) will have credit-based bursting enabled by default with no user action or addition costs.

Expansion of on-demand disk bursting for Premium SSD to more regions (preview)

Microsoft has now expanded the preview of on-demand disk bursting to all production regions. You can enable on-demand bursting on existing or new disks following instructions here.

Networking

VPN NAT (preview)

Azure VPN NAT (Network Address Translation) supports overlapping address spaces between customers on-premises branch networks and their Azure Virtual Networks. NAT can also enable business-to-business connectivity where address spaces are managed by different organizations and re-numbering networks is not possible. VPN NAT preview provides support for 1:1 Static NAT.