Category Archives: Microsoft Azure

Azure Management services: what's new in February 2021

The month of February was full of news and there are several updates that have affected the Azure management services. This article provides an overview of the month's top news, so that we can stay up to date on these topics and have the necessary references to conduct further insights.

The following diagram shows the different areas related to management, which are covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.

Figure 1 – Management services in Azure overview

Monitor

Azure Monitor

Availability in new regions

Azure Monitor Log Analytics is available in the following new regions:

UAE Central
Japan West
Australia Central 2 (preview)

To check the availability of the service in all the Azure regions you can consult this document.

The new Azure Monitor agent and the new data collection rules features(preview) extend to new regions and distros

Azure Monitor currently has (in preview) a new unified agent (Azure Monitor Agent – AMA) and a new concept to make data collection more efficient (Data Collection Rules – DCR).

Among the various key features of this new agent we find:

Support for Azure Arc server(Windows and Linux)
Virtual Machine Scale Set support (VMSS)
Installation via ARM template

As far as the Data Collection is concerned, it introduces these innovations:

Better control in defining the scope of data collection (e.g.. ability to collect from a subset of VMs for a single workspace)
Single collection and sending to both Log Analytics and Azure Monitor Metrics
Send to multiple workspaces (multi-homing for Linux)
Ability to better filter Windows events
Better extension management

AMA on Linux supports the following new distros for data collection (Data Collection Rules – DCR):

CentOS Linux 8*
Debian 10
Oracle Linux 8*
Red Hat Enterprise Linux Server 8*
SUSE Linux Enterprise Server 15.2*
SUSE Linux Enterprise Server 15.1*
Ubuntu 20

_*_{Known issue with Syslog events. Currently only Performance Counters are supported (CPU, Memory, Disk, Network)}

Furthermore, AMA and DCR are now available in new regions:

UK West (Wuk)
Korea Central (If)
France Central (Frc)
South Africa North (Jnb)
Switzerland North

New disk bursting metrics

Azure Monitor allows you to obtain detailed information on the resources deployed and running in the Azure environment. Through metrics, which are resource performance indicators in Azure, you can get detailed information about what's happening. Azure Monitor releases new metrics to help you better understand disk bursting performance. These new metrics provide the expected performance from Premium SSD disks and indicate the amount of bursting credits that have been used.

Configure

Azure Automation

Availability in new regions

Azure Automation is available in the following new regions:

Japan West
UAE Central

To check the availability of the service in all the Azure regions you can consult this document.

Govern

Azure Cost Management

Availability for Azure Government Pay-As-You-Go subscription

Azure Cost Management features are now also available for Azure Government Pay-As-You-Go subscriptions.

Updates related toAzure Cost Management and Billing

Microsoft is constantly looking for new methodologies to improve Azure Cost Management and Billing, the solution to provide greater visibility into where costs are accumulating in the cloud, identify and prevent incorrect spending patterns and optimize costs . Inthis article some of the latest improvements and updates regarding this solution are reported, including:

Secure

Azure Security Center

What's new in Azure Security Center

Azure Security Center development is constantly evolving and improvements are being made on an ongoing basis. To stay up to date on the latest developments, Microsoft updates this page, this provides information about new features, bug fixes and deprecated features. In particular, this month the main news concern:

Protect

Azure Backup

Cross Region Restore (CRR) for Azure virtual machines

Azure Backup stores the backup data in the Recovery Service vault on which a geographical redundancy is set by default. This results in the backup data in the primary region being geographically replicated to the associated secondary region (paired region). However, replicated data in the secondary region is available for recovery only if Azure declares an emergency in the primary region. By adopting this new functionality in Azure Backup, you will be able to start restores of virtual machines in a secondary region at will, making them completely controlled by the customer. To do this, however, the Recovery Service vault that holds the backups must be set up in geographical redundancy. Recovery between different Azure regions is available, still in preview, also for SQL and SAP HANA.

New features for Azure Backup Center (preview)

Backup Center, currently in preview, now also supports the following workloads: SQL in Azure VM, SAP HANA in Azure VM and Azure Files. With the Backup Center, you can centrally manage and monitor backups of all supported Azure workloads.

Furthermore, new built-in policies for Azure Backup have been included in the Backup Center that allow you to configure the backups of virtual machines in Azure based on the resource groups they belong to and the assigned tags.

Azure Backup for SAP HANA: soft limit increased by 2 TB to 8 TB

Thanks to the new data transfer features, Azure Backup now helps protect larger SAP HANA DB. Azure Backup for SAP HANA now allows you to reach data transfer speeds up to 420 MBps for non-log backups (for example full, differential and incremental) and 100 MBps for log backups. Thanks to this improvement in data transfer capacity it is possible to back up ~ 1,5 TB per hour, which results in 6-8 TB of full backups in 4-6 hours. The Azure Backup Service allows you to provide similar speeds even during restore operations.

Azure Site Recovery

New Update Rollup

For Azure Site Recovery was released theUpdate Rollup 54 that solves several issues and introduces some improvements. The details and the procedure to follow for the installation can be found in the specific KB.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure IaaS and Azure Stack: announcements and updates (February 2021 – Weeks: 05 and 06)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Azure achieves new certifications

Microsoft Azure has achieved this new certifications:

Its first PCI 3-D Secure (PCI 3DS) certification
It has increased the scope of its HITRUST CSF certification to include 172 Azure offerings across 49 Azure regions. Azure’s HITRUST certification letters are available on the Service Trust Portal and include the full list of HITRUST CSF certified Azure offerings and regions.

New planned datacenter region in Georgia (East US 3)

The new datacenter region will have a presence in Douglas and Fulton counties, in response to growing customer demand, supporting the creation of new jobs and local business growth. Availability Zones in the new East US 3 region will provide customers with high availability and additional tolerance to datacenter failures.

Storage

Soft delete for Azure file shares is now on by default for new storage accounts

Soft delete for Azure file shares is now enabled by default and this change will apply to all new storage accounts. Soft delete protects your Azure file shares from accidental deletion. Soft delete acts like a recycle bin for Azure file shares, meaning that deleted shares remain recoverable for their entire retention period (7 days by default for storage accounts created after January 31^st). You will be charged for soft deleted data on the snapshot meter. If you have automated the creation of new storage accounts and the creation/deletion of new file shares within them, you must modify your scripts to explicitly disable soft delete after the creation of a new storage account. Soft delete will remain disabled by default for existing storage accounts.

Azure File Sync agent v11.2

The Azure File Sync agent v11.2 release is being flighted to servers which are configured to automatically update when a new version becomes available.

Improvements and issues that are fixed:

If a sync session is cancelled due to a high number of per-item errors, sync may go through reconciliation when a new session starts if the Azure File Sync service determines a custom sync session is needed to correct the per-item errors.
Registering a server using the Register-AzStorageSyncServer cmdlet may fail with “Unhandled Exception” error.
New PowerShell cmdlet (Add-StorageSyncAllowedServerEndpointPath) to configure allowed server endpoints paths on a server. This cmdlet is useful for scenarios in which the Azure File Sync deployment is managed by a Cloud Solution Provider (CSP) or Service Provider and the customer wants to configure allowed server endpoints paths on a server. When creating a server endpoint, if the path specified is not in the allow list, the server endpoint creation will fail. Note, this is an optional feature and all supported paths are allowed by default when creating a server endpoint. To learn more, see the release notes.

How to obtain and install this update:

To obtain and install this update, configure your Azure File Sync agent to automatically update when a new version becomes available or manually download the update from the Microsoft Update Catalog.

More information about this update rollup:

This update is available for Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019 installations that have Azure File Sync agent version 4.0.1.0 or later installed.
The agent version of this update rollup is 11.2.0.0.
A restart may be required if files are in use during the installation.
Installation instructions are documented in KB4539952.

Append blob support for Azure Data Lake Storage (limited public preview)

Append blobs allow users to append data to the end of a blob or file quickly and existing content does not need to be modified. This makes append blobs great for applications such as logging that need to add information to existing files efficiently and continuously. Until now, only block blobs were supported in Azure Data Lake Storage accounts. With this preview, applications can use create append blobs in these accounts also and write to them using Append Block operations.

Ingest up to 10 files and blobs with the new Azure Data Explorer intuitive UX

You can now easily ingest blobs or files into Azure Data Explorer with the new ingestion intuitive wizard. This ingestion wizard also allows you to create a table automatically based on the source structure.

Windows Server 2019 compared with the new version of Azure Stack HCI

Microsoft recently released the new version ofAzure Stack HCI, the solution that allows you to build hyper-converged infrastructures (HCI) to run virtual machines in an on-premises environment and that involves an easy and strategic connection to Azure services. Customers who are now facing a modernization of their data centers may be wondering which product to use. Windows Server 2019 and Azure Stack HCI are intended for different and complementary purposes. This article explains the main differences between the two products and provides guidance on the different scenarios of use.

What is Azure Stack HCI?

With the arrival of Windows Server 2019, Microsoft introduced the solutionAzure Stack HCI, which allows the execution of virtual machines or virtual desktops in an on-premises environment, being able to have a wide connection to the different services offered by Azure.

This is a hyper-converged infrastructure (HCI), where different hardware components are removed, substitutes from the software, able to combine the layer of compute, storage and network in one solution. In this way there is a transition from a traditional "three tier" infrastructure, composed of network switches, appliance, physical systems with onboard hypervisors, storage fabric and SAN, toward hyper-converged infrastructure (HCI).

Figure 1 – "Three Tier" Infrastructure vs Hyper-Converged Infrastructure (HCI)

In December 2020, Microsoft released the new Azure Stack HCI solution, deployed as an Azure hybrid service, namedAzure Stack HCI version 20H2 that introduces important changes.

When to use Windows Server 2019?

Windows Server 2019 is a multi-purpose and highly versatile server operating system that allows you to activate dozens of roles and hundreds of features. Windows Server 2019 can be used to:

Host virtual machines or run containers.
Enabling one or more server roles included in the operating system, such as Active Directory, file server, DNS, DHCP or Internet Information Services (IIS).
Traditional infrastructure involving bare-metal systems.

Figure 2 - Usage scenarios of Windows Server 2019

When to use Azure Stack HCI?

Azure Stack HCI builds on the essential components of Windows Server and has been specially designed and optimized to provide a powerful Hyper-converged platform. The new version ofAzure Stack HCI adopts the well-established technologies of Windows Server, as Hyper-V, software-defined networking and Storages Spaces Direct, and adds new specific features for running on-premises virtual machines.

The use of Azure Stack HCI is eligible if:

You want to modernize your infrastructure, adopting a simple hyper-converged architecture based on established technologies. Suitable for both existing workloads in the main datacenter and branch office scenarios.
You want to expect an extension of the on-premises solution by connecting to Azure. This aspect guarantees a constant innovation, the evolution of cloud services and the possibility to take advantage of a common set of tools, simplifying the user experience.

Figure 3 – Azure Stack HCI usage scenarios

The solutionAzure Stack HCI can also be configured with Windows Server 2019, but the new version ofAzure Stack HCI introduces important innovations affecting the following areas::

Dedicated and solution-specific operating system
Virtual machine disaster recovery and failover capabilities inherent in the solution
Optimization of the Storage Spaces resync process
Updates of the entire stack covered by the solution (full-stack updates)
Native integration with Azure services and Azure Resource Manager (ARM)

For more information on this subject I invite you to read the article "The new Microsoft solution for hyper-converged scenarios".

Other aspects to consider

Costs of the solution

Despite Azure Stack HCI is running on-premises there is an Azure subscription-based billing, just like any other Azure cloud service. The billing model is simple and provides a fixed daily cost based on the total number of cores present in the physical processors that make up the cluster.

In the new billing model there is no minimum or maximum number of cores to be licensed, much less a minimum activation duration. An important aspect to consider is that for Windows guest virtual machines and paid versions of Linux, these licences should be included separately. The subscription-based cost is only for the software and does not include the hardware of Azure Stack HCI.

For more details on costs please visit the Microsoft's official page.

Enabling Azure Stack HCI

There are two options to activate a solution based on the new version of Azure Stack HCI:

Buy a hardware solution validated by one of the Microsoft partners, with pre-installed Azure Stack HCI software.
Install the Azure Stack HCI software, which includes a free trial version of 30 days, on new hardware or already purchased, as long as it is present in the catalog of solutions specifically tested and validated by the various vendors.

Support provided for the solution

Azure Stack HCI, becoming in effect an Azure solution, is covered by Azure support with the following features:

Support will be provided by a team of experts dedicated to supporting the new solution Azure Stack HCI.
You can easily request technical support directly from the Azure portal.
You can choose from different support plans, depending on your needs.

Conclusions

Despite the new version of Azure Stack HCI is based on technologies also present in Windows Server 2019 it should be specified that these are two solutions that are now intended for different and complementary purposes. Despite also Windows Server 2019 allows you to activate hyper-converged solutions, if you're making an investment right now to activate such a solution, consider adopting the new solution Azure Stack HCI. In fact,, thanks to the changes introduced, you can get a very complete hyper-converged scenario proposition, more integrated and performing. An aspect to be carefully evaluated is that of costs, as they have a significant impact.

Azure IaaS and Azure Stack: announcements and updates (January 2021 – Weeks: 03 and 04)

Azure

Compute

New Azure Cloud Services deployment model (preview)

Both deployment models are now available in Azure Cloud Services:

Azure Cloud Services (extended support), in public preview, is a new Azure Resource Manager–based deployment model for Azure Cloud Services. As an existing user of Azure Cloud Services, with Azure Cloud Services (extended support) you can now increase regional resiliency while gaining access to new capabilities such as role-based access control (RBAC), tags, policy, and support for deployment templates.
The Azure Service Manager–based deployment model is now named Azure Cloud Services (classic). You can keep using the existing Azure Cloud Services (classic) deployment model for your Azure Service Manager–based applications.

Availability Zones in new regions

Availability Zones give users additional options for high availability for their most demanding applications and services as well as confidence and protection from potential hardware and software failures by providing three or more unique physical locations within an Azure region. Availability Zones are now generally available in South Central US and in Germany West Central. Availability Zones in this regions are made up of 3 unique physically separated locations or “zones” within a single region to bring higher availability and asynchronous replication across Azure regions for disaster recovery protection.

Linux Diagnostics Agent 4.0 (preview)

The Linux Diagnostic Extension (LAD) 4.0 is now available in public preview. This release contains,

Azure Monitor Metric Sink enabled by default
Support for Ubuntu 20.04
Removal of OMI for a modified version of Telegraf
Bug and stability improvements
Performance improvements

Since this is a major version upgrade this update will not be automatically applied. You will need to update manually.

Storage

Copy Blob support over private endpoints

Azure Storage now enables you to copy data between storage accounts where one or both the accounts are protected using private endpoints. This includes support for Copy Blob or utilities such as such as AzCopy over Private Endpoints. The feature also enables copying of data between storage accounts, where one account uses a private endpoint and another uses a service endpoint. Azure Storage validates that the client has access to both the source and the destination storage accounts before allowing the data to be copied.

Resource instance rules for access to Azure Storage (preview)

Some Azure resources cannot be isolated through a virtual network or an IP address rule. However, you’d still like to secure and restrict access to your storage account to only your application’s Azure resources. You can now configure your storage accounts to allow access to only specific resource instances of select Azure services by creating a resource instance rule. Resource instances must be in the same tenant as your storage account, but they may belong any resource group or subscription in the tenant. Resource instance rules for access to Azure Storage are now in public preview in all Azure public regions.

Prevent Shared Key authorization on Azure Storage accounts (preview)

Every secure request to an Azure Storage account must be authorized. By default, requests can be authorized with either Azure Active Directory (Azure AD) credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Azure AD provides superior security and ease of use over Shared Key, and is recommended by Microsoft. To require clients to use Azure AD to authorize requests, you can disallow requests to the storage account that are authorized with Shared Key. Microsoft is announcing the public preview of the ability to disable Shared Key authorization for Azure Storage. Before you disable Shared Key authorization on existing storage accounts, Microsoft suggests checking existing access patterns via monitoring.

Azure Management services: what's new in January 2021

The new year began with several announcements from Microsoft regarding news related to Azure management services. The Cloud Community releases this summary monthly, allowing you to have a general overview of the main new features of the month, in order to stay up to date on these topics and have the necessary references to conduct further exploration.

Monitor

Azure Monitor

Cross query between Azure Monitor and Azure Data Explorer (preview)

The ability to query between Azure Monitor and Azure Data Explorer allows you to query data exported to Azure Data Explorer or Azure blob storage and merge them with any Azure Monitor Log Analytics workspace.

Among the various features recently released we find the ability to perform queries:

Between Azure Data Explorer and Azure Monitor services (Log Analytics / Application Insights) and vice versa
On Azure Monitor logs exported from an Azure blob storage account using Azure Data Explorer

In Azure Monitor Log Analytics, the maximum data retention time frame is limited to 2 years. This aspect can be limiting in some areas, to the point that certain compliance criteria are not met. To overcome this limitation, you can export logs to an Azure blob storage. This new feature allows you to cross-query by including data exported to Azure blob storage in an integrated way.

Monitoring Azure Data Explorer Cluster with Azure Monitor (preview)

Azure Monitor expands its capabilities with Azure Monitor for Azure Data Explorer, which allows you to perform a complete monitor of Azure Data Explorer clusters, providing a single view of performance, of operations, and actual use.

Integration between Azure Monitor workbooks and Application Change Analysis (preview)

The recently released integration between Azure Monitor and Application Change workbooks allows you to create different types of charts, using as a data source the information regarding the changes that are made in the Azure environment. For example,, you can create charts to see when important changes have occurred in the last few 24 hours, or use the ability to merge to see what changed before a spike in memory that occurred on a VM.

ITSM Connector for ServiceNow ITOM with Secure Export (preview)

Secure Export is the new version (in preview) of the’IT Service Management Connector (ITSM) of Azure Monitor, which allows you to automatically create work items in an ITSM tool, when an Azure Monitor alert is activated. As part of the preview, a new integration with ServiceNow IT Operations Management was introduced (ITOM) using Secure Export.

Azure Monitor Network Insights

Azure Monitor Network Insights is now available and allows , through a centralized console, to monitor your Azure network infrastructure. The main features of Network Insights are as follows:

Unique console for the network monitor.
Agent configuration is not required.
Centralized access to traffic and connectivity monitor tools, that allow you to check health state, metrics, alerts, and data.
Viewing the network topology, with the ability to view functional dependencies. This will make it easier to solve any problems.
Access resource metrics to debug when needed, without having to write queries or create specific workbooks.

Availability in new regions

Azure Monitor Log Analytics is now available in the following Azure regions: “Germany West Central”, “UAE North”, and “Switzerland West”. Furthermore, Azure Log Analytics is available in preview in two new regions: “UAE Central” and “Japan West”. To check the availability of the service in all the Azure regions you can consult this document.

Configure

Azure Automation

Availability in new regions

Azure Automation is now available in the “UAE North” and in the region of “Switzerland West”. To check the availability of the service in all the Azure regions you can consult this document.

Govern

Azure Policy

Support for NSG Flow Logs

TheNSG flow logs in the Azure platform, they allow you to maintain the visibility of network traffic entering and leaving the Network Security Groups. To simplify the deployment experience, NSG flow logs Integrated support has been introduced in the Azure Policy, which allows you to check the enabled status and to force the collection of NSG flow logs when disabled, specifically by using the following policies:

Audit policy: NSGs flag without Flow logs enabled
DeployIfNotExists policy: Enable Flow logs on NSGs where it is disabled

Azure Cost Management

Updates related to Azure Cost Management and Billing

Microsoft is constantly looking for new ways to improve Azure Cost Management and Billing, the solution to provide greater visibility into where costs are accumulating in the cloud, identify and prevent incorrect spending patterns and optimize costs . In this article some of the latest improvements and updates regarding this solution are reported, including:

New cost view for resource groups
Saving the last scope used
What's New in Cost Management Labs
Definition of roles and responsibilities
Cost-saving methodologies by running .NET apps on Azure
New ways to save money
New videos to deepen these issues
Documentation updates

Secure

Azure Security Center

Vulnerability assessment for on-premises and multi-cloud systems

The Azure Security Center solution has recently been enriched with the ability to carry out an integrated Vulnerability Assessment, not just virtual machines in Azure, but also systems located on-premises or in multi-cloud environments, as long as Azure Arc has been enabled.

The vulnerability scanning included in Azure Defender for servers is done through the solutionQualys, which is recognized as a leading tool for real-time identification of potential vulnerabilities in the systems.

Thanks to this update, it is possible to harness the power of Azure Defender for server to consolidate the vulnerability management program on all resources in your environment (Azure and not). Among the main features we find:

Monitoring the VA scan (vulnerability assessment) on Azure Arc machines
Provisioning the VA agent on Azure Arc Windows and Linux machines (manually and on a large scale)
Receiving and analyzing vulnerabilities detected by distributed agents (manually and on a large scale)
Unified experience for Azure VMs and Azure Arc machines

What's new in Azure Security Center

Azure Security Benchmark becomes the default initiative
Secure score for management groups (preview)
Secure score API
DNS sangling security added to Azure Defender for App Service
Multi-cloud connectors
Exemption, for subscriptions and management groups, for recommendations from the secure score
Users can request visibility “tenant-wide”
35 recommendations in previews added
CSV export of filtered lists of recommendations
Resources “Not applicable” are reported as “Compliant” in Azure Policy assessments
Weekly export of secure score and regulatory compliance data through continuous export (preview)

Azure Defender for SQL updates and enhancements

In Azure Security Center, the following updates and improvements have been made to Azure Defender for SQL:

Protect

Azure Backup

Azure Managed Disk backups (limited preview)

Azure Backup offers the ability, at the moment by accessing a limited preview, to protect managed disks. All this takes place through the periodic creation of snapshots that are kept for a duration established by backup policy. The solution does not require the presence of specific agents and supports backup and recovery of both operating system and data disks (including shared disks), regardless of whether or not they are connected to a virtual machine running in Azure.

Encryption at rest with keys “customer-managed”

Azure Backup introduces encryption at rest support using customer-managed keys. This feature encrypts backup data in recovery services vaults using your keys in the Azure Key Vault. Data is protected using a data encryption key (DEK) AES-based 256, which in turn is protected using the keys stored in the Key Vault. Compared to encryption that uses keys managed by the Azure platform (available by default), this support gives you more control over encryption key management, enabling you to best meet your compliance needs.

Azure Site Recovery

New Update Rollup

For Azure Site Recovery was released theUpdate Rollup 53 that solves several issues and introduces some improvements. The details and the procedure to follow for the installation can be found in the specific KB.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure Security: how to secure the Azure Deployment and Resource Management service

To achieve a high level of security in your public cloud environment, you need to provide protection for the individual resources that are activated, however it is also appropriate to monitor the service that allows the distribution and management of the resources themselves. In the Microsoft public cloud, the deployment and management service is defined as Azure Resource Manager, a crucial service connected to all Azure resources, therefore a potential and ambitious target for attackers. Microsoft, aware of this aspect, recently announced Azure Defender for Resource Manager. This article describes the features of this solution that allows you to carry out an advanced security analysis, in order to detect potential threats and be alerted to suspicious activity affecting Azure Resource Manager.

In Azure Defender, there are protections designed specifically for individual Azure services, such as for Azure SQL DB, Azure Storage, Azure VMs, and protections that transversally affect all those components that can be used by the various Azure resources. These include Azure Defender for Azure Network, Key Vault and the availability of Azure Defender for Azure DNS and Azure Resource Manager was also announced recently. These tools allow you to obtain an additional level of protection and control in your Azure environment.

Figure 1 – Azure Defender Threat Protection for Azure Workloads

Azure Resource Manager provides the management layer that allows you to create, update and delete resources in the Azure environment. It also provides specific features for the governance of the Azure environment, such as access control, locks and tags, that help protect and organize resources after they are distributed.

Azure Defender for Resource Manager automatically monitors the organization's Azure resource management operations, regardless of whether these are done through the Azure portal, Azure REST APIs, the command line interface or with other Azure programming clients.

Figure 2 – Protection of Azure Defender for Resource Manager

To activate this type of protection, simply enable the specific Azure Defender plan in the Azure Security Center settings:

Figure 3 - Activation of Azure Defender for Resource Manager

Azure Defender for Resource Manager can enable protection when the following conditions occur:

Resource management operations classified as suspicious, such as operations from dubious IP addresses, disabling the antimalware component and ambiguous scripts running through the VM extensions.
Use of exploitation toolkits such as Microburst or PowerZure.
Lateral shift from the Azure management layer to the Azure resources data plane.

A complete list of alerts that Azure Defender for Resource Manager is able to generate, is located in this Microsoft's document.

Security alerts generated by Azure Defender for Resource Manager are based on potential threats that are detected by monitoring Azure Resource Manager operations using the following sources:

Azure Activity Log, the Azure platform log providing information about subscription-level events.
Azure Resource Manager Internal Logs, not accessible by customers, but only by Microsoft personnel.

In order to obtain a better and more in-depth investigation experience, it is advisable to merge the Azure Activity Logs into Azure Sentinel, following the steps in this Microsoft's document.

Simulating an attack on the Azure Resource Manager layer using the PowerZure exploitation toolkits, Azure Defender for Resource Manager generates an alert with high severity, as shown in the following image:

Figure 4 – Alert generated by Azure Defender for Resource Manager

For such an alert you can also receive a notification by appropriately setting up an action group in Azure Monitor. Furthermore, if the integration between Azure Security Center and Azure Sentinel has been activated, the same alert would also be present in Azure Sentinel, with the relevant information necessary to start the investigation process and provide a prompt response to a problem of this type.

Conclusions

Protecting resources effectively in the Azure environment also means adopting the appropriate tools to deal with potential attacks that can exploit the distribution and management mechanisms of the resources themselves. Thanks to the new tool Azure Defender for Resource Manager it is possible to take advantage of effective protection in a fully integrated way in the Azure platform, without having to install specific software or enable additional agents.

Azure IaaS and Azure Stack: announcements and updates (January 2021 – Weeks: 01 and 02)

Azure

Compute

New datacenter region in Chile

Microsoft has announced plans for a new datacenter region in Chile, as part of a “Transforma Chile” initiative. A skilling program as well as an Advisory Board are also part of the initiative, targeted at reaching 180,00 Chileans.

NCas_T4_v3-Series VMs are now generally available

NCas_T4_v3Virtual Machines feature 4 NVIDIA T4 GPUs with 16 GB of memory each, up to 64 non-multithreaded AMD EPYC 7V12 (Rome) processor cores, and 448 GiB of system memory. These virtual machines are ideal to run ML and AI workloads utilizing Cuda, TensorFlow, Pytorch, Caffe, and other frameworks or the graphics workloads using NVIDIA GRID technology. NCas_T4_v3 VMs are now generally available in West US2, West Europe, and Korea Central regions.

Networking

Public IP SKU upgrade

Azure public IP addresses now support the ability to be upgraded from Basic to Standard SKU. Additionally, any Basic Public Load Balancer can now be upgraded to a Standard Public Load Balancer, while retaining the same public IP address. This is supported via PowerShell, CLI, templates, and API and available across all Azure regions.

Azure Hybrid Cloud: Azure Stack Edge solution overview

Microsoft to better meet the needs of adopting solutions that can extend your environment, from the main datacenter to the peripheral sites, with innovative Azure services, makes the Azure Stack portfolio available to its customers. It is a set of hybryd cloud solutions, that allow you to deploy and run your application workloads consistently, without restrictions imposed by the geographical location. This article provides an overview of the Azure Stack Edge platform (ASE) and its characteristics, examining the use cases and the main features.

Before going into the specifics of Azure Stack Edge it is good to specify that the solutions included in the Azure Stack portfolio are the following:

Azure Stack Edge: the Azure managed appliance that can bring computational power, cloud storage and intelligence in a remote edge of the customer.
Azure Stack HCI: the solution that allows the execution of virtual machines and an easy connection to Azure thanks to a hyper-converged infrastructure (HCI).
Azure Stack Hub: the offer for enterprise companies and public sector customers, needing a cloud environment but disconnected from the Internet, or need to meet specific regulatory and compliance requirements.

Figure 1 – Azure Stack Product Family

To get an overview of these solutions I invite you to read this article.

Azure Stack Edge value proposition

The results that can be obtained by adopting the Azure Stack Edge solution are the following:

Possibility of adopting an on-premises model Infrastructure as a service (IaaS) for workloads on peripheral sites (edge), where both hardware and software are provided by Microsoft.
Ability to run applications at customer sites, in order to keep them close to the data sources. Furthermore, allows you to run not only proprietary and third-party applications at the edge, but also to take advantage of different Azure services.
Availability of built-in hardware accelerators that allow you to run machine learning and AI scenarios at the edge, right where the data is, without having to send data to the cloud for further analysis.
Possibility of having an integrated cloud storage gateway that allows easy data transfer from the edge to the cloud environment.

Usage scenarios

The main scenarios for using Azure Stack Edge are the following:

Machine learning at peripheral sites: thanks to the presence of integrated hardware accelerators and the processing capabilities offered by the solution, you have the ability to cope with these scenarios right where the data resides, processing them in real time, without having to send them to Azure.
Computational capacity at edge: customers can run their business applications and IoT solutions at peripheral sites, without necessarily having to rely on constant connectivity to the cloud environment.
Network transfer of data from the edge to the cloud: used in scenarios where you want to periodically transfer data from the edge to the cloud, for further analysis or storage purposes.

Form factors

To support the different usage scenarios reported, vertically between industrial sectors, Azure Stack Edge is available in three separate form factors:

Azure Stack Edge Pro, a 1U blade server with one or two GPUs.
Azure Stack Edge Pro R, a rugged server with GPU, in a sturdy carrying case, complete with UPS and backup battery.
Azure Stack Edge Mini R, a machine with a reduced form factor with a battery and a low weight (less than 3,5 Kg).

Figure 2 – Azure Stack Edge Form Factors

Azure Stack Edge "rugged" versions allow resistance to extreme environmental conditions, and battery-powered versions allow easy transport.

Azure Stack Edge stack software

The customer can place the Azure Stack Edge order and provisioning directly from the Azure portal, and then use the classic Azure management tools to monitor and perform updates. Hardware support is provided directly by Microsoft, that will replace the components in case of problems. There is no upfront cost to obtain this appliance, but the cost will be included monthly in the billing of Azure services. Since, once configured, any application running on Azure Stack Edge can be configured and deployed from the Azure portal, eliminates the need for IT staff in the edge location.

Azure Stack Edge Computational Capacity

The ability to offer computational capacity taken from the edges is one of the key features of Azure Stack Edge, which can be provided in one of the following ways:

IoT Edge: the execution of containerized workloads distributed through the IoT hub has always been supported since the launch of Azure Stack Edge and continues to be so.
Kubernetes: recently, support was introduced for the execution of containerized workloads in Kubernetes clusters running on Azure Stack Edge.
Virtual machines: another way to run applications is by activating workloads on board virtual machines.

Kubernetes environment in Azure Stack Edge

Kubernetes is becoming the de facto standard for the execution and orchestration of containerized workloads, but those who know these environments, is aware of some of the operational challenges that can arise from managing a Kubernetes cluster. In this context, the goal of Azure Stack Edge is to simplify the deployment and management of Kubernetes clusters. With a simple configuration, you can activate a Kubernetes cluster on Azure Stack Edge.

Once the Kubernetes cluster has been configured, you must perform additional management steps, that are simplified in ASE with simple add-ons. Among these operations we find:

The ability to easily enable hardware accelerators.
The provisioning of the storage system to create persistent volumes.
Keep it up to date with Kubernetes releases by taking the latest updates available.
The ability to apply security and governance mechanisms from their own infrastructure.

Cluster environment configuration completed, Simple mechanisms are provided for deploying and managing workloads on the Kubernetes cluster, by using the following modes:

Azure Arc: ASE comes with native integration with Azure Arc. With just a few steps you can enable Azure Arc, allowing applications to be distributed in the Kubernetes cluster directly from the Azure portal.
IoT Hub: by enabling the IoT hub add-on it is possible to use it for the distribution of conteiners.
Kubectl: finally supports the native way kubectl, typically used in disconnected environments or if you have an existing infrastructure that already integrates with this mode.

Figure 3 – Kubernetes deployment in Azure Stack Edge

Virtual machines in Azure Stack Edge

Another variant to offer computational capacity at the edges is the activation of virtual machines. Azure Stack Edge allows you to host virtual machines, both Windows and Linux, offering the ability to deploy and manage these virtual machines directly from Azure or by acting locally.

Figure 4 – Virtual Machines in Azure Stack Edge

One thing to consider is that Azure Stack Edge allows you to set up simpler network topologies than Azure or Azure Stack Hub.

Regarding the hardware acceleration features in Azure Stack Edge, these two variants are supported:

GPU NVIDIA T4, fully integrated with the GPU stack
Intel Movidius Visual Processing Unit (VPU), for AI and ML scenarios

Azure services that can be deployed in Azure Stack Edge

The number of services that can be activated in Azure Stack Edge is large, among those recently introduced we find:

Live Video Analytics: a platform for creating video solutions and applications based on artificial intelligence, to carry out real-time insights using video streams.
Spatial Analysis: a real-time computer vision module to analyze videos and understand people's movements in physical spaces. For example,, during the Covid period, many retail stores want to implement social distancing policies and may use a special analytics module to understand certain behavior based on videos shot in the store.
Azure Monitor: this increases application performance and availability by collecting logs from containers and analyzing them.

Figure 5 – Azure Solutions in Azure Stack Edge

Conclusions

In business realities, the adoption of totally cloud-based solutions does not always turn out to be a viable choice or the best of all, hybrid solutions often have to be adopted, which in any case include the possibility of using the innovations introduced by the cloud. Azure Stack Edge is a flexible and modern solution that allows you to meet your needs, even the most challenging ones, emerging for edge sites, without neglecting the potential offered by the public cloud.

Azure IaaS and Azure Stack: announcements and updates (December 2020 – Weeks: 53)

In the last week of the year, there was little news, thanks to the holiday period. This series of blog posts will continue into 2021. I take this opportunity to wish you a Happy New Year!

Azure

Azure NetApp Files: Application Consistent Snapshot tool (preview)

Azure Application Consistent Snapshot tool (AzAcSnap) is in public preview. It is a command-line tool enables you to simplify data protection for third-party databases (SAP HANA) in Linux environments (for example, SUSE and RHEL).

Azure Management services: what's new in December 2020

In December several news regarding Azure management services were announced by Microsoft. Our community releases this monthly summary that gives you a comprehensive overview of the main news of the month, in order to stay up to date on these news and have the necessary references to conduct further study.

Monitor

Azure Monitor

New Azure Monitor agent and new Data Collection Rules features(preview)

Azure Monitor introduces (in preview) a new unified agent (Azure Monitor Agent – AMA) and a new concept to make data collection more efficient (Data Collection Rules – DCR).

Among the various key features added in this new agent we find:

Support for Azure Arc server(Windows and Linux)
Virtual Machine Scale Set support (VMSS)
Installation via ARM template

With regard to the Data Collection, these innovations have been made:

Better control in defining the scope of data collection (e.g.. ability to collect from a subset of VMs for a single workspace)
Single collection and sending to both Log Analytics and Azure Monitor Metrics
Send to multiple workspaces (multi-homing for Linux)
Ability to better filter Windows events
Better extension management

Azure Monitor for Windows Virtual Desktop (preview)

Azure Monitor now allows you to perform the following operations related to Windows Virtual Desktop environments:

View a summary of the status and health of host pools
Find and resolve any deployment issues
Evaluate resource usage and make decisions about scalability and cost management
Understanding and addressing user feedback

Azure Monitor for containers: tab reports and deployment logs

In Azure Monitor for containers a new tab has been made available Reports that gives customers complete access to all advanced monitoring workbooks for Kubernetes, for example: Node-disk, Node-network, workloads and Persistent Volume monitoring.

Furthermore, you can now view real-time logs of Azure Kubernetes Service deployments (AKS), accessing the live logs of the pods directly. Log Analytics will allow you to search by applying filters to view historical pod deployment logs, useful for diagnosing any issues.

Azure Monitor for containers: support for Private Cluster live logs (preview)

In Azure Monitor for containers support for private cluster live logs has been introduced, this allows you to view in real time container logs, pod events and metrics. For more details please visit the Microsoft-specific documentation.

Infrastructure Encryption for Azure Monitor data

Starting from 1 November 2020 data that flows into Azure Monitor is encrypted twice: at the service level and now also at the infrastructure level, thanks to the double encryption available for Azure storage.

Configure

Azure Automation

Support for Azure Private Link available

Microsoft has introduced support forAzure Private Link, necessary to securely connect virtual networks to Azure Automation through the use of private endpoints. This feature is useful for:

Establish a private connection with Azure Automation, without opening access from the public network.
Ensure that Azure Automation data is accessible only through authorized private networks.
Protect yourself from data extraction by allowing granular access to specific resources.
Keep all traffic within the Microsoft Azure backbone network.

Availability in new regions

Azure Automation is now available in the “Norway East” and “Germany West Central”. To check the availability of the service in all the Azure regions you can consult this document.

Support for Python3 runbooks (preview)

In Azure Automation, you can now import, create and run runbooks Python 3 in Azure or in a Hybrid Runbook Worker.