Confidential Computing price reduction on DCsv2 virtual machines
DCsv2-series protects the confidentiality and integrity of your data and code while it’s processed in the public cloud. Microsoft is announcing a price reduction on DCsv2-series Azure Virtual Machines by 37%. The new pricing is effective June 1st, 2021, and applies to all the regions where DCsv2-series is available.
Azure Virtual Machines DCsv2-series are available in Australia
Confidential computing DCsv2-series virtual machines (VMs) are now available in Australia East, Austria Southeast will launch in the coming weeks to provide disaster recovery capabilities.
Storage
Azure Blob index tags
Prior to index tags, solutions that required the ability to quickly find specific objects in a blob container would need to keep a secondary catalog. Blob index tags provides a built in capability to add tags and then quickly query for or filter using this information. This provides a simpler solution without requiring a separate query system. This includes the ability to set index tags both upon upload or after upload. You can utilize these indexes as part of lifecycle management that automates deletion and movement between tiers.
Networking
New Azure private MEC solution announced
An evolution of Private Edge Zones, Azure private multi-access edge compute (MEC) expands the scope of possibilities from a single platform and service to a combination of edge compute, multi-access networking stacks, and the application services that run together at the edge. These capabilities help simplify integration complexity and securely manage services from the cloud for high-performance networking and applications.
In addition to the Azure private MEC solution, we are announcing the following Microsoft and partner services and solutions:
New Azure Network Function Manager (public preview) service
Metaswitch Fusion Core third-party services on Azure Stack Edge
Affirmed Private Network Service third-party service on Azure Stage Edge
New Azure Marketplace solutions from our partners’
Default Rule Set 2.0 for Azure Web Application Firewall (preview)
The Default Rule Set 2.0 (DRS 2.0) for Azure Web Application Firewall (WAF) deployments running on Azure Front Door is in preview. This rule set is only available on the Azure Front Door Premium SKU. DRS 2.0 includes the latest changes to our rule set, including the addition of anomaly scoring. With anomaly scoring, incoming requests are assigned an anomaly score when they violate WAF rules and an action is taken only when they breach an anomaly threshold. This helps drastically reduce false positives for customer applications. Also included in DRS2.0 are rules powered by Microsoft Threat Intelligence which offer increased coverage and patches for specific vulnerabilities.
Azure Storage Blob inventory is now available in all public regions (preview)
Azure blob storage inventory provides you the ability to understand the total number of objects, their size, tier, and other information to gain insight into your object storage estate. Inventory can be used with Azure Synapse to calculate summaries by container. Microsoft has expanded preview to all public regions for blob inventory.
Key Rotation and Expiration Policies
Key rotation is one of the best security practices to reduce the risk of secret leakage for enterprise customers. Customers using Azure Storage account access keys can rotate their keys on demand, in the absence of key expiry dates and policies customers find it difficult to enforce and manage this key rotation automatically. The new feature will allow you to not only set key expiration duration but also add policies that can mandate anyone deploying storage endpoints to specify key rotation duration. Furthermore, you would be able to monitor key expiration and set alerts if a key is about to expire. For accounts that are nearing key expiry, you can rotate the keys using APIs, CLI, Powershell, or Azure Portal.
Networking
ExpressRoute Global Reach Pricing Reduction
Microsoft is annoucing a 50% decrease in the data transfer price for ExpressRoute Global Reach. This pricing change will go into effect as of June 1, 2021. For more information about ExpressRoute Global Reach pricing, visit the ExpressRoute Pricing webpage.
Azure Stack
Azure Stack HCI
Azure Kubernetes Service (AKS) on Azure Stack HCI
Azure Kubernetes Services (AKS) on Azure Stack HCI simplifies the Kubernetes cluster deployment on Azure Stack HCI. It offers hybrid capabilities and consistency with Azure Kubernetes Service for ease of app portability and management. You can take advantage of familiar tools and capabilities to modernize both Linux and Windows .NET apps on-premises. Furthermore, its built-in security enables you to deploy your modern applications anywhere: cloud, on-premises, and edge.
Free Trial Now Available
The Azure Stack HCI team has extended the built-in free software trial from 30 days to 60 days giving more time for customers and partners to evaluate their virtual workloads on Azure Stack HCI in planning their purchase decision. There’s nothing you need to do to enable the trial duration, it’s been automatically extended.
Available in China
Azure Stack HCI is now available in the China cloud – making it very easy to get all the benefits of Azure Stack HCI.
New feature called Network ATC
The next update available to Azure Stack HCI subscribers will be 21H2 which is in preview right now. With this update comes a new feature called Network ATC, which simplifies the deployment and management of networking on your HCI hosts.
If you’ve deployed Azure Stack HCI previously, you know that network deployment can pose a significant challenge. You might be asking yourself:
How do I configure or optimize my adapter?
Did I configure the virtual switch, VMMQ, RDMA, etc. correctly?
Are all nodes in the cluster the same?
Are we following the best practice deployment models?
(And if something goes wrong) What changed!?
So, what does Network ATC actually set out to solve? Network ATC can help:
Reduce host networking deployment time, complexity, and errors
Deploy the latest Microsoft validated and supported best practices
Ensure configuration consistency across the cluster
Eliminate configuration drift
Network ATC does this through some new concepts, namely “intent-based” deployment. If you tell Network ATC how you want to use an adapter, it will translate, deploy, and manage the needed configuration across all nodes in the cluster.
To stay constantly updated on news regarding Azure Management services, this summary is released monthly, allowing you to have an overview of the main new features of the month. In this article you will find the news, presented in a synthetic way and accompanied with the necessary references to be able to conduct further studies.
The following diagram shows the different areas related to management, which are covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.
Figure 1 – Management services in Azure overview
Monitor
Azure Monitor
Log Analytics workspace insights
Microsoft has announced the availability of Log Analytics workspace insights which allows you to obtain detailed information on the Log Analytics workspaces, providing a comprehensive overview of the following aspects: usage, performance, integrity, agents, query and change logs.
These are the main questions to which the solution can provide an answer:
What are the main tables, those where most of the data is imported?
Which resource sends the most logs to the workspace?
How long does it take for the logs to reach the workspace?
How many agents are connected to the work area? How many are in a health state?
Query control: how many queries run in the workspace? What are their response codes and duration time? What are the slow and inefficient queries that require workspace overhead?
Who has set a daily limit? When data retention has changed?
Useful for keeping a log of changes in workspace settings.
Export of Azure Monitor logs to multiple destinations (preview)
You now have the option to create up to 10 data export rules in each Log Analytics workspace, having the flexibility to decide which tables to export and to which destination (storage accounts oppure event hubs). This configuration possibility makes it possible to address these aspects:
Event hub rate limit
Single storage account rate limit
Different logs can be exported to different destinations.
Updates related to the user interface(UI)
The following user interface updates have been introduced in Log Analytics(UI):
Consultation of custom logs: it is now possible to control and manage the table and the custom fields from a new dedicated panel, offering a new user interface that improves the experience of consulting custom logs.
Azure Dashboard: the parts of Log Analytics added to Azure dashboards support integration with filters.
Query packs in Azure Monitor(preview)
Query packages have been made available in Azure Monitor , which are essentially ARM objects containing several queries. Among the main features we find:
Being ARM objects, precise control of permissions is provided and can be distributed via code and incorporated into policies.
They work in all contexts and in all environments, with the ability to upload them to multiple subscriptions.
They allow organizations to better organize queries based on their taxonomy, thanks to the presence of new metadata.
The clear experience, harmonized and contextual to the environment is incorporated in Log Analytics.
Availability in new regions
Azure Monitor Log Analytics is now also available in the South India region. To check the availability of the service in all the Azure regions you can consult this document.
Secure
Azure Security Center
Integration con GitHub Actions (in public preview)
The integration of Azure Security Center (ASC) with GitHub Actions, in public preview, allows you to easily incorporate security and compliance early in the software development lifecycle. With this integrated experience, you can gain greater visibility into IT operations and IT security, both in the pipeline CI / CD, both in the security scans of container registry within ASC. Furthermore, end-to-end traceability makes it easier for developers to identify issues, improving resolution times and strengthening your cloud security posture.
Re-scanning of containers
Azure Security Center has introduced a new scan for containers that analyzes images to identify vulnerabilities before the push action occurs within the Azure container registries. In the future, ASC will also provide recommendations if you detect workflows that send Docker images without enabling scan actions CI / CD.
New features, bug fixes and deprecated features of Azure Security Center
Azure Security Center development is constantly evolving and improvements are being made on an ongoing basis. To stay up to date on the latest developments, Microsoft updates this page, this provides information about new features, bug fixes and deprecated features. In particular, this month the main news concern:
Azure Blob Backup is a managed data protection solution, this helps protect block blobs from various data loss scenarios. The data is stored locally within the source storage account and can be restored from a certain time when necessary. This feature provides a simple means, safe and economical to protect blobs.
Azure Site Recovery
Enable Azure Site Recovery (ASR) when creating virtual machines
While creating new virtual machines from the Azure portal, you can now also enable the Azure Site Recovery replication process. This possibility is included in the virtual machine management options along with those already available, such as Monitoring, Identity, and Backup.
Migrate
Azure Migrate
New Azure Migrate releases and features
Azure Migrate is the service in Azure that includes a large portfolio of tools that you can use, through a guided experience, to address effectively the most common migration scenarios. To stay up-to-date on the latest developments in the solution, please consult this page, that provides information about new releases and features. In particular, this month the main news is the migration of virtual machines and physical servers with operating system disks up to 4 TB, which is now supported using the migration method based on the presence of the agent.
Evaluation of Azure
To test for free and evaluate the services provided by Azure you can access this page.
Zone redundant storage (ZRS) option for Azure managed disks (preview)
Zone redundant storage (ZRS) option for Azure managed disks is now available on Premium SSDs and Standard SSDs in public preview in: West Europe, North Europe, West US 2 and France Central regions. Disks with ZRS provide synchronous replication of data across the zones in a region, enabling disks to tolerate zonal failures which may occur due to natural disasters or hardware issues. Disks with ZRS maintain three consistent copies of the data in distinct Availability Zones in a region, making them tolerant to outages. They also allow you to maximize your virtual machine availability without the need for application-level replication of data across zones, which is not supported by many legacy applications such as old versions of SQL or industry-specific proprietary software. This means that, if a virtual machine becomes unavailable in an affected Zone, you can continue to work with the disk by mounting it to a virtual machine in a different zone. You can also use the ZRS option with shared disks to provide improved availability for clustered or distributed applications like SQL FCI, SAP ASCS/SCS or GFS2.
Lower pricing for provisioned throughput on Azure Ultra Disks
Microsoft is announcing a price reduction on provisioned throughput for Azure Ultra Disks by 65%. The new pricing is effective May 1st, 2021, and applies to all the regions where Ultra Disks are available. Azure Ultra Disks offer high throughput, high IOPS, and consistent low latency disk storage for Azure Virtual Machines (VMs).
The Azure Application Consistent Snapshot tool (AzAcSnap) is a command-line tool enables you to simplify data protection for third-party databases (SAP HANA) in Linux environments (for example, SUSE and RHEL). Since the January 2021 preview announcement, AzAcSnap has seen wide adoption among enterprise customers for fast backup of Azure NetApp Files volumes including multi-TB databases and scale-out scenarios for SAP HANA. Now it is available.
Azure File Sync agent v12.1
The v12.0 agent release had two bugs which are fixed in this release:
Agent auto-update fails to update the agent to a later version.
FileSyncErrorsReport.ps1 script does not provide the list of per-item errors.
If agent version 12.0 is installed on your servers, you will need to update to v12.1 using Microsoft Update or Microsoft Update Catalog (see installation instructions in KB4588751).
More information about this release:
This update is available for Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019 installations.
The agent version for this release is 12.1.0.0.
A restart may be required if files are in use during the installation.
Installation instructions are documented in KB4588751.
Networking
Virtual Network peering support for Azure Bastion
Azure Bastion and VNet peering can be used together. When VNet peering is configured, you don’t have to deploy Azure Bastion in each peered VNet. This means if you have an Azure Bastion host configured in one virtual network (VNet), it can be used to connect to VMs deployed in a peered VNet without deploying an additional Bastion host.
Azure VPN Client for macOS (preview)
Azure VPN Client for macOS, with support for native Azure AD, certificate-based, and RADIUS authentication for OpenVPN protocol is in public preview. Native Azure AD authentication support is highly desired by organizations as it enables user-based policies, conditional access, and multi-factor authentication (MFA) for P2S VPN. Native Azure AD authentication requires both Azure VPN gateway integration and the Azure VPN Client to obtain and validate Azure AD tokens. With the Azure VPN Client for macOS, customers can use user-based policies, Conditional Access, as well as Multi-factor Authentication (MFA) for their Mac devices.
Azure Application Gateway now supports the ability to perform frontend mutual authentication. In addition to the client authenticating Application Gateway in a request, Application Gateway can now also authenticate the client. You can upload multiple client Certificate Authority (CA) certificate chains for Application Gateway to use for client authentication. Additionally, Application Gateway also allows you to configure listener specific SSL policies. You can choose to enable mutual authentication at a per listener level on your gateway, as well as choose to pass client authentication information to the backends through server variables. This feature enables scenarios where Application Gateway needs to authenticate the client in addition to the client authenticating Application Gateway.
Azure ExpressRoute: 5 New Peering Locations Available
New peering locations are now available for ExpressRoute:
Bogota
Madrid
Sao Paulo
Rio de Janeiro
Toronto2
With this announcement, ExpressRoute is now available across 75 global commercial Azure peering locations.
Azure Hybrid Benefit for Linux with RI and VMSS Support
Azure Hybrid Benefit is available for Linux, extending the ability to easily migrate RHEL and SLES servers to Azure beyond existing pay-as-you-go instances to include support for Azure Reserved Instance (RI) and virtual machine scale set (VMSS).
While previous Bring-Your-Own-Subscription cloud migration options available to Red Hat and SUSE customers allowed them to use their pre-existing RHEL and SLES subscriptions in the cloud, Azure Hybrid Benefit for Linux improves upon this with several capabilities unique to Azure making enterprise Linux cloud migration even easier than before:
Applies to all Red Hat Enterprise Linux and SUSE Linux Enterprise Server pay-as-you-go images available in the Azure Marketplace or Azure Portal. No need to provide your own image.
Save time with seamless post-deployment conversions—production redeployment is unnecessary. Simply convert the pay-as-you-go images used during your proof-of-concept testing to bring-your-own-subscription billing.
Lower ongoing operational costs with automatic image maintenance, updates, and patches: Microsoft maintains the converted RHEL and SLES images for you.
Enjoy the convenience of unified user interface integration with the Azure CLI, providing the same UI as other Azure virtual machines, as well as scalable batch conversions.
Get co-located technical support from Azure, Red Hat, and SUSE with just one ticket.
Combine with recently announced Red Hat and SUSE support for Azure shared disks to lift-and-shift failover clusters and parallel file systems, like Global File System.
Fully compatible with Azure Arc, providing end-to-end hybrid cloud operations management for Windows, RHEL, and SLES servers in one solution.
New Azure VMs for general purpose and memory intensive workloads (preview)
The new Dv5, Dsv5, Ddv5, Ddsv5, and Ev5, Edv5 series Azure Virtual Machines, now in preview, are based on the 3rd Generation Intel® Xeon® Platinum 8370C (Ice Lake) processor in a hyper-threaded configuration. This custom processor can reach an all-core Turbo clock speed of up to 3.5GHz and features Intel® Turbo Boost Technology 2.0, Intel® Advanced Vector Extensions 512 (Intel® AVX-512) and Intel® Deep Learning Boost. These new offerings deliver a better value proposition for general-purpose, and memory intensive workloads compared to the prior generation (e.g., increased scalability and an upgraded CPU class) including better price to performance.
The Dv5, Dsv5, Ddv5, Ddsv5 VM sizes offer a combination of vCPUs and memory able to meet the requirements associated with most general-purpose workloads and can scale up to 96 vCPUs. The Ddv5 and Ddsv5 VM sizes feature high performance, large local SSD storage (up to 2,400 GiB). The Dv5 and Dsv5 VM series offer a lower price of entry since they do not feature any local temporary storage. If you require temporary storage select the latest Ddv5 or Ddsv5 Azure virtual machines, which are also in Preview.
The Ev5 and Edv5 VM sizes feature up to 672 GiB of RAM and are ideal for memory-intensive enterprise applications. You can attach Standard SSDs and Standard HDDs disk storage to these VMs. If you prefer to use Premium SSD or Ultra Disk storage, please select the Esv5 and Edsv5 VM series, which will be in preview in the near future. The Ev5 and Esv5 VMs offer a lower price of entry since they do not feature any local temporary storage. If you require temporary storage select the latest Edv5 VM series which are also in preview, or the Edsv5 VM series, which will be in preview in the near future.
New NPv1 virtual machines
NPv1 series virtual machines are a new addition to the Azure product offering. These instances are powered by Xilinx Alveo U250 FPGAS. These highly-programmable accelerators benefit a variety of computationally intensive workloads such as genomics, image-processing, security, data analysis and more. The NP series offering is based upon the commercially available U250 from Xilinx and uses a standard shell easing the difficulties of migrating existing FPGA workloads & solutions to the cloud. New Xilinx Alveo U250 FPGA NPv1 VMs are now generally available in West US 2, East US, West Europe, and Southeast Asia.
Microsoft acquires Kinvolk to accelerate container-optimized innovation
Microsoft is excited to bring the expertise of the Kinvolk team to Azure and having them become key contributors to the engineering development of Azure Kubernetes Service (AKS), Azure Arc, and future projects that will expand Azure’s hybrid container platform capabilities and increase Microsoft’s upstream open source contributions in the Kubernetes and container space. Microsoft is also committed to maintaining and building upon Kinvolk’s open source culture. The Kinvolk team will continue to remain active in their existing open source projects and will be essential to driving further collaboration between Azure engineering teams and the larger open source container community.
Storage
Azure Blob storage: NFS 3.0 protocol support public preview now expands to all regions
Azure Blob storage is the only public cloud storage platform that supports NFS 3.0 protocol over object storage natively (no gateway or data copying required), with object storage economics. This new level of support is optimized for high-throughput, read-heavy workloads where data will be ingested once and minimally modified further, such as large-scale analytic data, backup and archive, media processing, genomic sequencing, and line-of-business applications. Azure Blob Storage NFS 3.0 preview supports general purpose v2 (GPV2) storage accounts with standard tier performance in all publicly available regions. Further, Microsoft is enabling a set of Azure blob storage features in premium blockblob accounts with NFS 3.0 feature enabled such as blob service REST API and lifecycle management.
Attribute-based Access Control (ABAC) in preview
Attribute-based access control (ABAC) is an authorization strategy that defines access levels based on attributes associated with security principals, resources, requests, and the environment. Azure ABAC builds on role-based access control (RBAC) by adding conditions to Azure role assignments in the existing identity and access management (IAM) system. This preview includes support for role assignment conditions on Blobs and ADLS Gen2, and enables you to author conditions based on resource and request attributes.
Prevent Shared Key authorization for an Azure Storage account
Every secure request to an Azure Storage account must be authorized. By default, requests can be authorized with either Azure Active Directory (Azure AD) credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Azure AD provides superior security and ease of use over Shared Key and is recommended by Microsoft. To require clients to use Azure AD to authorize requests, you can disallow requests to the storage account that are authorized with Shared Key. Microsoft is announcing the general availability of the ability to disable Shared Key authorization for Azure Storage.
Append blob support in Azure Data Lake Storage
Append blobs provide a simple and effective way of adding new content to the end of a file or blob when the existing content does not need to be modified. This makes append blobs great for applications such as logging that need to add information to existing files efficiently and continuously. Until now, only block blobs were supported in Azure Data Lake Storage accounts. Applications can now also create append blobs in these accounts and write to them using Append Block operations. These append blobs can be read using existing Blob APIs and Azure Data Lake Storage APIs.
Networking
Multiple features for Azure VPN Gateway
The following features for Azure VPN Gateway are general available:
Multiple authentication types for point-to-site VPN – You can now enable multiple authentication types on a single gateway for OpenVPN tunnel type. Azure AD, certificate-based and RADIUS can all be enabled on a single gateway.
BGP diagnostics – You can now see the Border Gateway Protocol session status, route advertised and routes learnt by the VPN Gateway.
VPN connection management – With new enhancements in VPN connection management capabilities, you can now reset an individual connection instead of resseting the whole gateway. You can also set the Internet Key Exchange (IKE) mode of the gateway to responder-only, initiator-only or both and view the Security Association (SA) of a connection.
Microsoft is constantly announcing news regarding Azure management services. This summary, released on a monthly basis, allows you to have an overall overview of the main news of the current month, in order to stay up to date on these news and have the necessary references to conduct further study.
The following diagram shows the different areas related to management, which are covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.
Figure 1 – Management services in Azure overview
Monitor
Azure Monitor
New agent version for Windows Systems
A new version of the Log Analytics agent has been released this month for Window systemss. The new version includes a new tool for troubleshooting and handles changes to certificates in Azure services differently.
The uniqueness of the name of the Log Analytics workspaces is now per resource group
In the past, the uniqueness of the Azure Monitor Log Analytics workspace was globally for all subscriptions. This meant that when a workspace name was used by a customer, it could not be reused by others. Microsoft has changed the way in which the uniqueness of the workspace name is requested and is now managed in the context of the resource group.
New definitions built-inof the Azure Policy for data encryption in Azure Monitor
Azure Monitor provides built-in policies for data encryption governance and control over the key used for encryption at rest. Here are the new built-in policies available for data encryption:
Azure Monitor logs clusters should be encrypted with customer-managed key – Audit if log analytics cluster is defined with customer-managed key.
Azure Monitor logs clusters should be created with infrastructure-encryption enabled (double encryption) – Audit log analytics cluster is created with Infrastructure enabled.
Azure Monitor logs for application insights should be linked to a log analytics workspace – Audit if application insights is linked to store data in log analytics workspace. Workspace can then be linked to a log analytics cluster for customer-managed key settings.
Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption – Audit if workspace has linked storage account, which allows the encryption using customer-managed key.
Log alert queries in Azure Monitor will be saved in customer storage account, if workspace has linked storage account, which allows the encryption using customer-managed key.
Improvements for Log Alerts
Log Alerts are available in Azure Monitor that allow users to use a Log Analytics query to evaluate the resources logs at a set frequency and activate an alert based on the results obtained. Rules can trigger one or more actions using Action Groups. In this context, two new highly requested features have been released (in preview):
Stateful Log Alert: with this feature enabled, activated alerts are automatically resolved once the condition is no longer satisfied. In this way, the same behavior is adopted as in the alerts related to metrics.
Frequency of 1 minute: with this feature enabled, the alert query is evaluated every minute to verify the specified condition, thus reducing the overall time for activating a Log Alert.
Availability in new regions
Azure Monitor Log Analytics is also available in the region South India.
To check the availability of the service in all the Azure regions you can consult this document.
Container insights: support for the monitor of Kubernetes Azure Arc enabled environment (preview)
Containers insights in Azure Monitor has extended its monitor capabilities to Azure Arc Kubernetes clusters as well, providing the same monitoring capabilities present for the Azure Kubernetes service (AKS), which:
Visibility on the performance of the environment, through the memory and processor metrics for the controllers, nodes and containers.
View information collected through workbooks and in the Azure portal.
Alert and possibility of querying historical data for problem solving.
Ability to verify Prometheus metrics.
Configure
Azure Automation
Availability in new regions
Azure Automation is also available in the region South India.
Support for System Assigned Managed Identities for cloud and Hybrid job(public preview)
Azure Automation has introduced support for System Assigned Managed Identities for cloud and Hybrid jobs. Among the advantages of using Managed Identities we find:
The ability to authenticate to any Azure service that supports Azure AD authentication.
Elimination of the management overhead associated with managing Run As accounts in runbook code. This makes it possible to access resources via the Managed Identity of an Automation account from a runbook, without having to worry about creating RunAsCertificate, RunAsConnection, etc.
It is not necessary to renew the certificate used by the Automation Run As account.
Govern
Azure Cost Management
Updates related toAzure Cost Management and Billing
Microsoft is constantly looking for new methodologies to improve Azure Cost Management and Billing, the solution to provide greater visibility into where costs are accumulating in the cloud, identify and prevent incorrect spending patterns and optimize costs . Inthis article some of the latest improvements and updates regarding this solution are reported, including:
New features, bug fixes and deprecated features of Azure Security Center
Azure Security Center development is constantly evolving and improvements are being made on an ongoing basis. To stay up to date on the latest developments, Microsoft updates this page, this provides information about new features, bug fixes and deprecated features. In particular, this month the main news concern:
Azure Backup has introduced support for the backup and recovery of virtual machines residing on Azure Dedicated Host, physical servers dedicated to your organization whose capacity is not shared with other customers. This feature is available in all Azure regions where Azure Dedicated Host can be activated.
Azure VM Scale sets protection with orchestration templates (preview)
Improvements in encryption using customer managed keys (preview)
Azure Backup now allows you to use your own keys to encrypt backup data residing in the Recovery Services vaults. This new feature allows you to increase the control of the encryption of your data. Furthermore, you can use the Azure Policy to control and apply encryption using keys managed directly by the customer.
Azure Site Recovery
Support for Azure Policy (preview)
The ability to use Azure Policy is now provided to enable large-scale use of Azure Site Recovery for virtual machines. After creating a disaster recovery policy for a resource group, all new virtual machines that will be added to this resource group will have Site Recovery enabled automatically. Furthermore, through a Remediation process, Site Recovery can also be enabled for all virtual machines already present in the Resource Group.
Support for cross-continental disaster recovery (for 3 region pairs)
Azure Site Recovery introduced support for cross-continental disaster recovery. Thanks to this feature, a virtual machine can be replicated from an Azure region in one continent to a region in another continent. In the event of a planned or unplanned outage, you will be able to fail over the virtual machine on all continents and, once the interruption has been mitigated, it can be brought back to the continent of origin (fail-back) and protected. This feature is currently available for the following 3 pairs of intercontinental regions:
Southeast Asia and Australia East
Southeast Asia and Australia Southeast
West Europe and South Central US
Support of “proximity placement groups” in hybrid and cloud disaster recovery scenarios
Azure Site Recovery introduced support for “proximity placement groups (PPG)” in hybrid and cloud disaster recovery scenarios. With this support it will be possible to replicate an on-premises physical or virtual machine or an Azure virtual machine within a PPG, in the chosen Azure target area. Upon activation of the failover plan, Site Recovery will activate the failover VM within the target PPG selected by the user. This functionality is available both through the Azure portal and through PowerShell and REST API, across all Azure regions.
Migrate
Azure Migrate
New Azure Migrate releases and features
Azure Migrate is the service in Azure that includes a large portfolio of tools that you can use, through a guided experience, to address effectively the most common migration scenarios. To stay up-to-date on the latest developments in the solution, please consult this page, that provides information about new releases and features. In particular, this new release was released this month:
The tools Azure Migrate: Discovery and Assessment and Azure Migrate: Server Migration can be used by connecting privately and securely to the Azure Migrate service via ExpressRoute or via a site-to-site VPN, using Azure private links. This connectivity method is recommended to use when there is an organizational requirement to access the Azure Migrate service and other Azure resources without crossing public networks or if you want to get better results in terms of bandwidth or latency.
Evaluation of Azure
To test for free and evaluate the services provided by Azure you can access this page.
New M-series Msv2/Mdsv2 Medium Memory VMs for memory-optimized workloads
Azure Msv2/Mdsv2 Medium Memory Series offering up to 192vCPU and 4TB memory configurations and running on Cascade Lake processor are now generally available. Msv2/Mdsv2 medium memory VM sizes providing a 20% increase in CPU performance, increased flexibility with local disks, and a new intermediate scale up-option. These virtual machines provide unparalleled computational performance to support large in-memory databases and workloads such as SAP HANA and SQL Hekaton.
Azure Virtual Machines DCsv2-series in Azure Government (public preview)
Azure Government customers can build secure, enclave-based applications to protect code and data while it’s in use, in a dedicated cloud that meets stringent government security and compliance requirements. Confidential computing DCsv2-series virtual machines are now in preview for Azure Government customers (federal, state, local governments, and their partners) in US Government Virginia and Arizona regions. These VMs are backed by Intel XEON E-2288G processors with Intel Software Guard Extensions (SGX) technology.
Microsoft announces plans to establish first datacenter region in Malaysia
The new datacenter region is part of the “Bersama Malaysia” initiative to support inclusive economic growth in Malaysia.
Storage
Azure Blob storage supports objects up to 200 TB in size
Workloads that utilize larger file sizes such as backups, media, and seismic analysis can now utilize Azure Blob storage and ADLS Gen2 without breaking these large files into separate blobs. Each blob is made up of up to 50,000 blocks. Each block can now be 4GB in size for a total of 200 TB per blob or ADLS Gen2 file.
Lustre HSM tools to import from or export to Azure Storage
LustreHSM (Hierarchical Storage Management) provides the capability to associate a Lustre file system with an external storage system and migrate file data between them.
Now available are the File System Hydrator and Copy Tool, which enables integrating a Lustre file system with an Azure storage account:
The File System Hydrator is used to import a file system namespace from an Azure storage account into a Lustre file system with the imported files left in the ‘released’/’exist’ state.
The Copy Tool is used to hydrate the content of the files in the storage account into the Lustre file system on-demand. The copy tool can also be used to archive content of files back into the storage account, including changed or added files.
Networking
Application Gateway URL Rewrite
Azure Application Gateway now supports the ability to rewrite host name, path and query string of the request URL. In addition to header rewrites, you can now also rewrite URL of all or some of the client requests based on matching one or more conditions as required. You can choose to route the request based on the original URL or the rewritten URL. This feature enables several important scenarios such as allowing path based routing for query string values and support for hosting friendly URLs.
Virtual machine (VM) level disk bursting available on all Dsv3 and Esv3 families
Virtual machine level disk bursting allows your virtual machine to burst its disk IO and MiB/s throughput performance for a short time daily. This feature is now enabled on all our Dsv3-series and Esv3-series virtual machines, with more virtual machine types and families support soon to come. There is no additional cost associated with this new capability or adjustments on the VM pricing and it comes enabled by default.
Cloud Services (extended support) is generally available
Cloud Services (extended support), which is a new Azure Resource Manager (ARM)-based deployment model for Azure Cloud Services, is generally available. Cloud Services (extended support) has the primary benefit of providing regional resiliency along with feature parity with Azure Cloud Services deployed using Azure Service Manager (ASM). It also offers some ARM capabilities such as role-based access and control (RBAC), tags, policy, private link support, and use of deployment templates. The ASM-based deployment model for Cloud Services has been renamed Cloud Services (classic). Customers retain the ability to build and rapidly deploy web and cloud applications and services. Customers will be able to scale cloud services infrastructure based on current demand and ensure that the performance of applications can keep up while simultaneously reducing costs. The platform-supported tool for migrating existing cloud services to Cloud Services (extended support) also goes into preview. Migrating to ARM will allow customers to set up a robust infrastructure platform for their applications.
Storage
Azure File Sync agent v12
Improvements and issues that are fixed in the v12 release:
New portal experience to configure network access policy and private endpoint connections
You can now use the portal to disable access to the Storage Sync Service public endpoint and to approve, reject and remove private endpoint connections. To configure the network access policy and private endpoint connections, open the Storage Sync Service portal, go to the Settings section and click Network.
Cloud Tiering support for volume cluster sizes larger than 64KiB
Measure bandwidth and latency to Azure File Sync service and storage account
The Test-StorageSyncNetworkConnectivity cmdlet can now be used to measure latency and bandwidth to the Azure File Sync service and storage account. Latency to the Azure File Sync service and storage account is measured by default when running the cmdlet. Upload and download bandwidth to the storage account is measured when using the “-MeasureBandwidth” parameter. To learn more, see the release notes.
Improved error messages in the portal when server endpoint creation fails
We heard your feedback and have improved the error messages and guidance when server endpoint creation fails.
Miscellaneous performance and reliability improvements
Improved change detection performance to detect files that have changed in the Azure file share.
Performance improvements for reconciliation sync sessions.
Sync improvements to reduce ECS_E_SYNC_METADATA_KNOWLEDGE_SOFT_LIMIT_REACHED and ECS_E_SYNC_METADATA_KNOWLEDGE_LIMIT_REACHED errors.
Files may fail to tier on Server 2019 if Data Deduplication is enabled on the volume.
AFSDiag fails to compress files if a file is larger than 2GiB.
To obtain and install this update, configure your Azure File Sync agent to automatically update when a new version becomes available or manually download the update from the Microsoft Update Catalog.
More information about this release:
This release is available for Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019 installations.
A restart is required for servers that have an existing Azure File Sync agent installation.
The agent version for this release is 12.0.0.0.
Installation instructions are documented in KB4568585.
Encryption scopes in Azure Storage
Encryption scopes introduce the option to provision multiple encryption keys in a storage account for blobs. Previously, customers using a single storage account for multi-tenancy scenarios were limited to using a single account-scoped encryption key for all the data in the account. With encryption scopes, you now can provision multiple encryption keys and choose to apply the encryption scope either at the container level (as the default scope for blobs in that container) or at the blob level.
Azure Data Explorer external tables
An external table is a schema entity that references data stored outside the Azure Data Explorer database. Azure Data Explorer Web UI can create external tables by taking sample files from a storage container and creating schema based on these samples. You can then analyze and query data in external tables without ingestion into Azure Data Explorer.
In March there were several news announced by Microsoft regarding Azure management services. In this series of articles, reported monthly, major announcements are listed, accompanied by the necessary references to be able to conduct further studies on.
The following diagram shows the different areas related to management, which are covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.
Figure 1 – Management services in Azure overview
Monitor
Azure Monitor
What's new in Azure Monitor for Windows Virtual Desktop
Azure Monitor for Windows Virtual Desktop, that will be made available in the coming weeks, will allow you to have a centralized view, containing all the monitor information to help you troubleshoot and operate on a large scale. Thanks to the latest updates it is possible to:
View a summary of the status and health of the pool host
Find and resolve deployment issues
Understanding and addressing user feedback
Evaluate resource usage and make scalability decisions, thus achieving optimal cost management
ExpressRoute Monitors in Azure Monitor Network Insights
Azure Monitor Network Insights allows now, through a centralized console, to make the ExpressRoute monitor. The solution displays the following information regarding ExpressRoute connectivity:
Topology of all ExpressRoute circuit components (peering, connections and gateways)
Provisioning and health status of the various components
Circuit metrics (Availability, throughput and packet delivery)
Metrics of the ExpressRoute gateway connected to the circuit
Azure Monitor SQL insights for Azure SQL (preview)
Azure Monitor SQL Insights allows you to collect, the analysis and customized display of telemetry data for SQL Database, SQL Managed Instance and SQL Server on board Azure Virtual Machines. The interactive experience introduced by SQL Insights allows you to customize the collection, the frequency of telemetry and to combine data from multiple sources, providing a unified monitoring experience for the SQL environment. SQL Insights is based on the Azure Monitor platform, giving customers access to all the viewing and notification features in the solution.
Azure Monitor Alerts for Azure Backup(preview)
You can now manage backup alerts through the standard Azure Monitor experience. This integration allows users to have a consistent experience in managing alerts across Azure services, including backup.
Azure monitor for containers: live consultation of pods logs & Replica set
Azure monitor for containers introduced support for real-time access to Azure Kubernetes Service Pods and Replica sets logs (AKS). Thanks to this new feature you can search for, filter and view historical pod logs in Log Analytics, you can also troubleshoot and diagnose pods and replica sets.
Container Insights of Azure Monitor introduces two new features:
Monitoring dei Persistent Volume (PV) for AKS clusters.
A new Reports tab that provides full access to all workbooks related to Kubernetes.
Azure SQL auditing in Log Analytics
It is now possible to merge the audit logs of Azure SQL Database and Azure Synapse Analytics to a Log Analytics workspace and to the Event Hub. This way you can centralize SQL audit logs in one location and do large-scale analysis.
New version of the agent for Linux systems
A new version of the Log Analytics agent has been released this month for Linux systems, which introduces several improvements and greater stability.
Availability in new regions
Azure Monitor Log Analytics is available in the following new regions:
Australia Central 2
To check the availability of the service in all the Azure regions you can consult this document.
Configure
Azure Automation
Availability in new regions
Azure Automation is available in the following new regions:
UK West
Azure Automanage
New features for Windows systems and extension to Linux distro
Azure Automanage is a new solution that automates several operations throughout the entire lifecycle of virtual machines located in Azure. It allows you to automatically implement best practices in virtual machine management ensuring compliance regarding security aspects, corporate compliance and business continuity. In this solution, new features have been added to simplify operations on virtual machines (VM) Windows Server, such as installing security patches without restarting. This feature allows security patches to be deployed in seconds, this makes it easier to protect servers from critical threats. Azure Automanage has also been extended to major Linux distributions.
Govern
Azure Policy
Azure Cost Management
Updates related toAzure Cost Management and Billing
Microsoft is constantly looking for new methodologies to improve Azure Cost Management and Billing, the solution to provide greater visibility into where costs are accumulating in the cloud, identify and prevent incorrect spending patterns and optimize costs . Inthis article some of the latest improvements and updates regarding this solution are reported, including:
Ability to monitor spending through alerts on expected costs (forecasted cost alerts)
New view of subscription costs
What's New in Cost Management Labs
Secure
Azure Security Center
New features, bug fixes and deprecated features of Azure Security Center
Azure Security Center development is constantly evolving and improvements are being made on an ongoing basis. To stay up to date on the latest developments, Microsoft updates this page, this provides information about new features, bug fixes and deprecated features. In particular, this month the main news concern:
Integrating Azure Firewall management into Security Center
Inclusion of the “Disable rule” experience in SQL vulnerability assessment (preview)
Azure Monitor Workbooks built into Security Center
Azure Audit reports included in the regulatory compliance dashboard (preview)
Ability to view recommendation data in Azure Resource Graph with “Explore in ARG”
Workflow Automation Deployment Policy Updates
Improvements in the recommendations page
Protect
Azure Backup
Backup Center
The new Backup Center solution is now available and offers a unique experience designed for centralized management of large-scale backups. With Backup Center, you can dynamically explore large backup inventories between vaults, subscriptions, different locations and even tenants using Azure Lighthouse. The Backup Center can also govern any actions related to backups. Thanks to integration with Azure Policies and recent additional features for tag-based Azure Policies, large-scale governance can be implemented and compliance monitoring simplified. Backup Center also provides useful information to detect resources that are not protected from backups.
Backup Center supports the following types of workloads:
Azure Virtual Machines
SQL in Azure Virtual Machines
HANA in Azure VMs
Azure Files
Furthermore, the following workloads are supported in preview:
Azure Disks
Azure Blobs
Azure Database for PostgreSQL Servers
Azure Managed Disk backups
Azure Backup offers the ability to protect managed disks. All this takes place through the periodic creation of snapshots that are kept for a duration established by backup policy. The solution does not require the presence of specific agents and supports backup and recovery of both operating system and data disks (including shared disks), regardless of whether or not they are connected to a virtual machine running in Azure.
SAP HANA Incremental Backup Support
Azure Backup introduces support for creating incremental SAP HANA backups (at the moment in all regions, except Germany Northeast, Germany Central, France South, and US Gov IOWA). Sap HANA's large DB protection is faster and cheaper with this feature.
Support for Archive storage for backup of VMs and SQL on board VMs(preview)
In Azure Backup, you can now move recovery points to save costs and keep your backup data longer. This feature is available for Azure VMs and SQL Servers installed on board Azure VMs. Using Azure PowerShell, you can move these backups from the standard tier to the new archive tier. Restores can be done in an integrated way from the Azure portal, with a simple and intuitive process. In addition to this, Azure Backup will provide, using a specific API, recommendations for moving recovery points to the tier archive.
Backup for Azure Blobs (preview)
Azure Blob backup is an on-premises and managed data protection solution, this helps protect block blobs from various data loss scenarios. Data is stored locally within the source storage account and can be restored from a certain selected time when needed. This feature provides a simple means, safe and economical to protect blobs.
Azure Site Recovery
Expanding DR scenarios to Availability Zonesfrom Azure
Although Availability Zones are traditionally used by customers for high-availability configurations of environments, can now also be leveraged to implement specific disaster recovery scenarios. This feature allows you to define DR plans for scenarios where the maintenance of data residency and local compliance is required, improving the Recovery Point Objective (RPO). This configuration also reduces the complexity of the configurations required to implement a DR strategy in a secondary region.
Migrate
Azure Migrate
New Azure Migrate releases and features
Azure Migrate is the service in Azure that includes a large portfolio of tools that you can use, through a guided experience, to address effectively the most common migration scenarios. To stay up-to-date on the latest developments in the solution, please consult this page, that provides information about new releases and features. In particular, this month the main news concern:
Support to provide multiple server credentials on the Azure Migrate appliance needed to detect installed applications (software inventory), perform agentless dependency analysis and discover SQL Server instances and databases in the VMware environment.
Agentless VMware migration now supports simultaneous replication of 500 VMs for vCenter.
Azure Migrate automatically installs the Azure VM agent during migration (using the agentless migration method).
Azure Migrate Hub now includes an app containerization tool (preview), with support for ASP.NET and Java web applications, which allows you to facilitate the migration of containerized applications running on Azure Kubernetes Service (AKS).
Ability to perform assessment for migration to Azure VMware Solution.
The new Azure Migrate PowerShell module (preview) adds support for Server Migration agentless tools for migrating VMware virtual machines (VM) in Azure. Furthermore, you can configure and manage server replication to Azure and migrate them, using Azure PowerShell cmdlets in an automated and repeatable way.
Azure Database Migration
SQL Server discovery and assessment agentless
With Azure Migrate, you can now discover SQL Server instances and databases running in a VMware environment, analyze their configuration, application performance and dependencies to migrate to Azure SQL databases and Azure SQL Managed Instances. The solution can provide information regarding the possibility of migration, correct sizing and SQL Azure cost projections.
Evaluation of Azure
To test for free and evaluate the services provided by Azure you can access this page.
Availability Zones give users additional options for high availability for their most demanding applications and services as well as confidence and protection from potential hardware and software failures by providing three or more unique physical locations within an Azure region. Availability Zones in Brazil South are made up of three unique physically separated locations or “zones” within a single region to bring higher availability and asynchronous replication across Azure regions for disaster recovery protection.
Azure expands PCI DSS certification
PCI DSS is a global information security standard designed to secure payments and reduce credit card fraud. Microsoft Azure has increased the scope of its Payment Card Industry Data Security Standard (PCI DSS) certification, providing coverage across all live Azure regions.
Make workloads on AMD-backed virtual machines confidential without recompiling code (limited preview)
Microsoft is further broadening the confidential computing options available to Azure customers through the technology partnership with AMD, specifically by being the first major cloud provider to offer confidential virtual machines on the new AMD EPYC™ 7003 series processors. This new approach complements existing Azure confidential computing solutions such as confidential containers for Azure Kubernetes Service and opens the possibility to create new confidential applications without requiring code modifications which in turn substantially simplifies the process of creating confidential applications.
HBv3-Series VMs: now generally available in some regions
Azure HBv3-series virtual machines (VMs) for high-performance computing (HPC) are generally available in the East US, South Central US, and West Europe Azure regions. HBv3 Virtual Machines feature AMD EPYC™ 7003-series (Milan) CPU cores, 448 GB of RAM, 480 MB of L3 cache, and no simultaneous multithreading (SMT). HBv2 Virtual Machines provide up to 340 GB/sec of memory bandwidth. HBv3 VMs can be deployed with a range of CPU core counts to support a diverse set of HPC workload needs.
Publishing VM Images from Shared Image Gallery to Azure Marketplace
You can now publish a VM Image in Shared Image Gallery (SIG) to Azure Marketplace. This capability simplifies your image preparation, testing, and submission process as you no longer have to extract vhds, upload them, and generate SAS URIs. With this capability, you can now manage the full image lifecycle within Azure. You can simply create your image from the VM or a vhd into Shared Image Gallery, then select the SIG Image to publish it in Partner Center.
New VM series supported by Azure Batch
The selection of VMs that can be used by Azure Batch has been expanded, allowing newer Azure VM series to be used. The following additional VM series can now be specified when Batch pools are created:
DCsv2
HBv3
NCasT4_v3
Storage
Azure Storage Explorer v1.18.0
Azure Storage Explorer helps you upload, download, and manage the data you store in Azure Storage. The released version v1.18.0 includes the following new capabilities:
Decrease startup and load time of Storage Explorer.
New connection flow to make it easier to specify the type of resource.
For faster data transfer, Storage Explorer now uses AzCopy v10.8.0.
Log files now have more descriptive names and, easier way to clean up old logs.
Authorizing via shared access signatures (SAS) is now enabled for ADLS Gen2 accounts. You can now attach to an ADLS Gen2 Storage account, container, or folder via SAS using Storage Explorer.
Networking
IPv6 Support for ExpressRoute Private Peering (preview)
IPv6 support for ExpressRoute Private Peering is now available for public preview with ExpressRoute circuits globally and Azure environments in regions with Availability zones. IPv6 support will unlock hybrid connectivity for you as you look to expand into mobile and IoT markets with Azure, or to address IPv4 exhaustion in your on-premise networks.
Here are the new capabilities available with this support:
Establish BGP sessions between the customer and Microsoft edge over ExpressRoute using IPv4 subnets, IPv6 subnets, or both
Connect to dual-stack deployments in Azure using a new or existing ExpressRoute gateway
Use FastPath with an ExpressRoute connection to route IPv6 traffic
Service Tags for User Defined Routing (preview)
You can now specify a Service Tag for the address prefix parameter in a user defined route for your route table. You can choose from tags representing over 60 Microsoft and Azure services to simplify route creation and maintenance.
You no longer need to manually update routes when services change or add to their list of endpoints. Routes with Service Tags will update automatically to include new changes.
This also eliminates the need for regularly updating routes based on the IP data in the weekly JSON file downloads we provide.
This also helps reduce the likelihood of running into the routes per route table limit (400) which is common when configuring routing for multiple Microsoft and Azure services. By using Service Tags, you can avoid this, since the tag condenses all ranges for that service into one group.
For example, we list more than 4,500 prefixes which collectively represent the Azure address space. You can now use one route with the AzureCloud Service Tag which will include all of these.
The feature is available through REST, PowerShell, CLI, and can also be used in ARM templates. This feature is not currently available through the Azure Portal.
Azure Stack
Stream Analytics runs on Azure Stack Hub
Azure Stream Analytics now is supported on Azure Stack Hub as an IoT Edge module. It allows customer to leverage Azure Stack features, to interact with SQL, Event Hubs, and IoT Hubs running in an Azure Stack Hub subscription. Customers can build truly hybrid architectures for stream processing in your own private, autonomous cloud, which can be connected or disconnected with cloud-native apps using consistent Azure services on-premises.