Category Archives: Microsoft Azure

Windows Server 2019 compared with the new version of Azure Stack HCI

Microsoft recently released the new version of Azure Stack HCI, the solution that allows you to build hyper-converged infrastructures (HCI) to run virtual machines in an on-premises environment, with an easy and strategic connection to Azure services. Customers who are now modernizing their data centers may be wondering which product to use. Windows Server 2019 and Azure Stack HCI are intended for different and complementary purposes. This article explains the main differences between the two products and provides guidance on their different usage scenarios.

What is Azure Stack HCI?

With the arrival of Windows Server 2019, Microsoft introduced the Azure Stack HCI solution, which allows the execution of virtual machines or virtual desktops in an on-premises environment, with broad connectivity to the different services offered by Azure.

This is a hyper-converged infrastructure (HCI), where separate hardware components are removed and replaced by software that combines the compute, storage and network layers in a single solution. In this way there is a transition from a traditional "three tier" infrastructure, composed of network switches, appliances, physical systems with onboard hypervisors, storage fabric and SAN, toward a hyper-converged infrastructure (HCI).

Figure 1 – "Three Tier" Infrastructure vs Hyper-Converged Infrastructure (HCI)

In December 2020, Microsoft released the new Azure Stack HCI solution, delivered as an Azure hybrid service and named Azure Stack HCI version 20H2, which introduces important changes.

When to use Windows Server 2019?

Windows Server 2019 is a multi-purpose and highly versatile server operating system that allows you to activate dozens of roles and hundreds of features. Windows Server 2019 can be used to:

  • Host virtual machines or run containers.
  • Enable one or more server roles included in the operating system, such as Active Directory, file server, DNS, DHCP or Internet Information Services (IIS).
  • Run a traditional infrastructure based on bare-metal systems.

Figure 2 - Usage scenarios of Windows Server 2019

When to use Azure Stack HCI?

Azure Stack HCI builds on the essential components of Windows Server and has been specifically designed and optimized to provide a powerful hyper-converged platform. The new version of Azure Stack HCI adopts the well-established technologies of Windows Server, such as Hyper-V, software-defined networking and Storage Spaces Direct, and adds new features specific to running on-premises virtual machines.

The use of Azure Stack HCI is appropriate if:

  • You want to modernize your infrastructure by adopting a simple hyper-converged architecture based on established technologies. This is suitable both for existing workloads in the main datacenter and for branch office scenarios.
  • You want to extend the on-premises solution by connecting it to Azure. This guarantees constant innovation, the evolution of cloud services and the possibility to take advantage of a common set of tools, simplifying the user experience.

Figure 3 – Azure Stack HCI usage scenarios

The Azure Stack HCI solution can also be configured with Windows Server 2019, but the new version of Azure Stack HCI introduces important innovations affecting the following areas:

  • Dedicated and solution-specific operating system
  • Virtual machine disaster recovery and failover capabilities inherent in the solution
  • Optimization of the Storage Spaces resync process
  • Updates of the entire stack covered by the solution (full-stack updates)
  • Native integration with Azure services and Azure Resource Manager (ARM)

For more information on this subject I invite you to read the article "The new Microsoft solution for hyper-converged scenarios".

Other aspects to consider

Costs of the solution

Although Azure Stack HCI runs on-premises, it is billed through an Azure subscription, just like any other Azure cloud service. The billing model is simple and provides a fixed daily cost based on the total number of cores in the physical processors that make up the cluster.

In the new billing model there is no minimum or maximum number of cores to be licensed, nor a minimum activation period. An important aspect to consider is that licenses for Windows guest virtual machines and for paid versions of Linux must be purchased separately. The subscription-based cost covers only the software and does not include the Azure Stack HCI hardware.

For more details on costs please visit Microsoft's official page.

Enabling Azure Stack HCI

There are two options to activate a solution based on the new version of Azure Stack HCI:

  • Buy a hardware solution validated by one of the Microsoft partners, with the Azure Stack HCI software pre-installed.
  • Install the Azure Stack HCI software, which includes a free 30-day trial, on new or already purchased hardware, as long as it is present in the catalog of solutions specifically tested and validated by the various vendors.

Support provided for the solution

Azure Stack HCI, being in effect an Azure solution, is covered by Azure support with the following features:

  • Support is provided by a team of experts dedicated to the new Azure Stack HCI solution.
  • You can easily request technical support directly from the Azure portal.
  • You can choose from different support plans, depending on your needs.

Conclusions

Although the new version of Azure Stack HCI is based on technologies also present in Windows Server 2019, it should be specified that these are two solutions that are now intended for different and complementary purposes. Although Windows Server 2019 also allows you to activate hyper-converged solutions, if you are making an investment right now to activate such a solution, consider adopting the new Azure Stack HCI solution. In fact, thanks to the changes introduced, you get a very complete, more integrated and better performing hyper-converged proposition. An aspect to be carefully evaluated is that of costs, as they have a significant impact.

Azure IaaS and Azure Stack: announcements and updates (January 2021 – Weeks: 03 and 04)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officially announced by Microsoft in the last two weeks.

Azure

Compute

New Azure Cloud Services deployment model (preview)

Both deployment models are now available in Azure Cloud Services:

  • Azure Cloud Services (extended support), in public preview, is a new Azure Resource Manager–based deployment model for Azure Cloud Services. As an existing user of Azure Cloud Services, with Azure Cloud Services (extended support) you can now increase regional resiliency while gaining access to new capabilities such as role-based access control (RBAC), tags, policy, and support for deployment templates.
  • The Azure Service Manager–based deployment model is now named Azure Cloud Services (classic). You can keep using the existing Azure Cloud Services (classic) deployment model for your Azure Service Manager–based applications.

Availability Zones in new regions

Availability Zones give users additional options for high availability for their most demanding applications and services, as well as confidence and protection from potential hardware and software failures, by providing three or more unique physical locations within an Azure region. Availability Zones are now generally available in South Central US and in Germany West Central. Availability Zones in these regions are made up of 3 unique, physically separated locations or “zones” within a single region, bringing higher availability, together with asynchronous replication across Azure regions for disaster recovery protection.

Linux Diagnostics Agent 4.0 (preview)

The Linux Diagnostic Extension (LAD) 4.0 is now available in public preview. This release contains:

  • Azure Monitor Metric Sink enabled by default
  • Support for Ubuntu 20.04
  • Removal of OMI in favor of a modified version of Telegraf
  • Bug and stability improvements
  • Performance improvements

Since this is a major version upgrade this update will not be automatically applied. You will need to update manually.

Storage

Copy Blob support over private endpoints

Azure Storage now enables you to copy data between storage accounts where one or both of the accounts are protected using private endpoints. This includes support for Copy Blob and for utilities such as AzCopy over private endpoints. The feature also enables copying of data between storage accounts where one account uses a private endpoint and the other uses a service endpoint. Azure Storage validates that the client has access to both the source and the destination storage accounts before allowing the data to be copied.

Resource instance rules for access to Azure Storage (preview)

Some Azure resources cannot be isolated through a virtual network or an IP address rule. However, you may still want to secure and restrict access to your storage account to only your application's Azure resources. You can now configure your storage accounts to allow access to only specific resource instances of select Azure services by creating a resource instance rule. Resource instances must be in the same tenant as your storage account, but they may belong to any resource group or subscription in the tenant. Resource instance rules for access to Azure Storage are now in public preview in all Azure public regions.

Prevent Shared Key authorization on Azure Storage accounts (preview)

Every secure request to an Azure Storage account must be authorized. By default, requests can be authorized with either Azure Active Directory (Azure AD) credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Azure AD provides superior security and ease of use over Shared Key, and is recommended by Microsoft. To require clients to use Azure AD to authorize requests, you can disallow requests to the storage account that are authorized with Shared Key. Microsoft is announcing the public preview of the ability to disable Shared Key authorization for Azure Storage. Before you disable Shared Key authorization on existing storage accounts, Microsoft suggests checking existing access patterns via monitoring.
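The pre-check mentioned above, as an added example that is not part of the original post: before disallowing Shared Key on an account, summarize its resource logs by authentication type and find which callers still depend on the account key. The field names (AccountName, AuthenticationType, OperationName, CallerIpAddress) are assumed to match the StorageBlobLogs schema, and the log rows are constructed sample data.

```python
"""Pre-check before disallowing Shared Key authorization on storage accounts.

Summarizes storage resource-log rows by account and authentication type so
you can see which accounts still receive key-based requests. Field names
(AccountName, AuthenticationType, OperationName, CallerIpAddress) follow the
StorageBlobLogs schema as assumed here; all rows below are constructed.
"""
import json
from collections import Counter, defaultdict

# Constructed sample rows, one JSON object per line (not real telemetry).
SAMPLE_LOG_LINES = [
    '{"AccountName":"stapplogs01","AuthenticationType":"OAuth","OperationName":"GetBlob","CallerIpAddress":"10.1.2.3"}',
    '{"AccountName":"stapplogs01","AuthenticationType":"OAuth","OperationName":"PutBlob","CallerIpAddress":"10.1.2.4"}',
    '{"AccountName":"stlegacy02","AuthenticationType":"AccountKey","OperationName":"ListBlobs","CallerIpAddress":"203.0.113.10"}',
    '{"AccountName":"stlegacy02","AuthenticationType":"AccountKey","OperationName":"GetBlob","CallerIpAddress":"203.0.113.10"}',
    '{"AccountName":"stlegacy02","AuthenticationType":"SAS","OperationName":"GetBlob","CallerIpAddress":"198.51.100.7"}',
    '{"AccountName":"stlegacy02","AuthenticationType":"OAuth","OperationName":"GetBlob","CallerIpAddress":"10.1.2.3"}',
    'not json at all',  # malformed row, must be skipped rather than abort the run
]

# Authentication types that stop working once Shared Key is disallowed.
# Assumption: account and service SAS are signed with the account key and are
# logged as "SAS"; confirm how user-delegation SAS appears in your own logs.
KEY_DEPENDENT_AUTH = {"AccountKey", "SAS"}


def parse_records(lines):
    """Parse JSON lines, skipping rows that are malformed or lack key fields."""
    records = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and "AccountName" in rec and "AuthenticationType" in rec:
            records.append(rec)
    return records


def summarize_auth(records):
    """Return {account: Counter({auth_type: request_count})}."""
    summary = defaultdict(Counter)
    for rec in records:
        summary[rec["AccountName"]][rec["AuthenticationType"]] += 1
    return summary


def key_based_callers(records):
    """Return {account: sorted caller IPs} for requests that still rely on the key."""
    callers = defaultdict(set)
    for rec in records:
        if rec["AuthenticationType"] in KEY_DEPENDENT_AUTH:
            callers[rec["AccountName"]].add(rec.get("CallerIpAddress", "unknown"))
    return {acct: sorted(ips) for acct, ips in callers.items()}


def classify_accounts(records, inventory):
    """Split an account inventory into three buckets for the change window.

    safe:        traffic observed, none of it key-based -> Shared Key can be disallowed
    still_using: key-based requests seen -> migrate those callers to Azure AD first
    unobserved:  no log rows at all -> no evidence either way, do not assume safe
    """
    summary = summarize_auth(records)
    buckets = {"safe": [], "still_using": [], "unobserved": []}
    for acct in inventory:
        if acct not in summary:
            buckets["unobserved"].append(acct)
        elif any(summary[acct][t] for t in KEY_DEPENDENT_AUTH):
            buckets["still_using"].append(acct)
        else:
            buckets["safe"].append(acct)
    return buckets


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG_LINES)
    print(classify_accounts(recs, ["stapplogs01", "stlegacy02", "stnewacct03"]))
    print(key_based_callers(recs))
```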

Azure Management services: what's new in January 2021

The new year began with several announcements from Microsoft regarding news related to Azure management services. The Cloud Community releases this summary monthly, allowing you to have a general overview of the main new features of the month, in order to stay up to date on these topics and have the necessary references to conduct further exploration.

The following diagram shows the different areas related to management, which are covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.

Figure 1 – Management services in Azure overview

Monitor

Azure Monitor

Cross query between Azure Monitor and Azure Data Explorer (preview)

The ability to query between Azure Monitor and Azure Data Explorer allows you to query data exported to Azure Data Explorer or Azure blob storage and merge them with any Azure Monitor Log Analytics workspace.

Among the various features recently released we find the ability to perform queries:

  • Between Azure Data Explorer and Azure Monitor services (Log Analytics / Application Insights) and vice versa
  • On Azure Monitor logs exported from an Azure blob storage account using Azure Data Explorer

In Azure Monitor Log Analytics, the maximum data retention time frame is limited to 2 years. This aspect can be limiting in some areas, to the point that certain compliance criteria are not met. To overcome this limitation, you can export logs to an Azure blob storage. This new feature allows you to cross-query by including data exported to Azure blob storage in an integrated way.

Monitoring Azure Data Explorer Cluster with Azure Monitor (preview)

Azure Monitor expands its capabilities with Azure Monitor for Azure Data Explorer, which allows complete monitoring of Azure Data Explorer clusters, providing a single view of performance, operations and actual usage.

Integration between Azure Monitor workbooks and Application Change Analysis (preview)

The recently released integration between Azure Monitor workbooks and Application Change Analysis allows you to create different types of charts, using as a data source the information about the changes made in the Azure environment. For example, you can create charts to see when important changes have occurred in the last 24 hours, or use the merge capability to see what changed before a memory spike on a VM.

ITSM Connector for ServiceNow ITOM with Secure Export (preview)

Secure Export is the new version (in preview) of the IT Service Management Connector (ITSM) of Azure Monitor, which allows you to automatically create work items in an ITSM tool when an Azure Monitor alert is triggered. As part of the preview, a new integration with ServiceNow IT Operations Management (ITOM) using Secure Export was introduced.

Azure Monitor Network Insights

Azure Monitor Network Insights is now available and allows you to monitor your Azure network infrastructure through a centralized console. The main features of Network Insights are as follows:

  • A single console for network monitoring.
  • No agent configuration is required.
  • Centralized access to traffic and connectivity monitoring tools, which allow you to check health state, metrics, alerts and data.
  • Viewing of the network topology, with the ability to view functional dependencies, which makes it easier to solve any problems.
  • Access to resource metrics for debugging when needed, without having to write queries or create specific workbooks.

Availability in new regions

Azure Monitor Log Analytics is now available in the following Azure regions: “Germany West Central”, “UAE North”, and “Switzerland West”. Furthermore, Azure Log Analytics is available in preview in two new regions: “UAE Central” and “Japan West”. To check the availability of the service in all the Azure regions you can consult this document.

Configure

Azure Automation

Availability in new regions

Azure Automation is now available in the “UAE North” and “Switzerland West” regions. To check the availability of the service in all the Azure regions you can consult this document.

Govern

Azure Policy

Support for NSG Flow Logs

NSG flow logs in the Azure platform allow you to maintain visibility of the network traffic entering and leaving Network Security Groups. To simplify the deployment experience, integrated support for NSG flow logs has been introduced in Azure Policy, which allows you to check whether they are enabled and to force the collection of NSG flow logs where disabled, specifically by using the following policies:

  • Audit policy: flags NSGs without flow logs enabled
  • DeployIfNotExists policy: enables flow logs on NSGs where they are disabled

Azure Cost Management

Updates related to Azure Cost Management and Billing

Microsoft is constantly looking for new ways to improve Azure Cost Management and Billing, the solution that provides greater visibility into where costs are accumulating in the cloud, identifies and prevents incorrect spending patterns and optimizes costs. This article reports some of the latest improvements and updates regarding this solution, including:

  • New cost view for resource groups
  • Saving the last scope used
  • What's New in Cost Management Labs
  • Definition of roles and responsibilities
  • Cost-saving methodologies by running .NET apps on Azure
  • New ways to save money
  • New videos to deepen these issues
  • Documentation updates

Secure

Azure Security Center

Vulnerability assessment for on-premises and multi-cloud systems

The Azure Security Center solution has recently been enriched with the ability to carry out an integrated vulnerability assessment not just of virtual machines in Azure, but also of systems located on-premises or in multi-cloud environments, as long as Azure Arc has been enabled.

The vulnerability scanning included in Azure Defender for servers is done through the Qualys solution, which is recognized as a leading tool for real-time identification of potential vulnerabilities in systems.

Thanks to this update, it is possible to harness the power of Azure Defender for servers to consolidate the vulnerability management program across all resources in your environment (Azure and non-Azure). Among the main features we find:

  • Monitoring the VA scan (vulnerability assessment) on Azure Arc machines
  • Provisioning the VA agent on Azure Arc Windows and Linux machines (manually and on a large scale)
  • Receiving and analyzing vulnerabilities detected by distributed agents (manually and on a large scale)
  • Unified experience for Azure VMs and Azure Arc machines

What's new in Azure Security Center

Azure Security Center development is constantly evolving and improvements are made on an ongoing basis. To stay up to date on the latest developments, Microsoft updates this page, which provides information about new features, bug fixes and deprecated features. In particular, this month the main news concerns:

  • Azure Security Benchmark becomes the default initiative
  • Secure score for management groups (preview)
  • Secure score API
  • Dangling DNS protection added to Azure Defender for App Service
  • Multi-cloud connectors
  • Exemption, for subscriptions and management groups, for recommendations from the secure score
  • Users can request visibility “tenant-wide”
  • 35 preview recommendations added
  • CSV export of filtered lists of recommendations
  • Resources “Not applicable” are reported as “Compliant” in Azure Policy assessments
  • Weekly export of secure score and regulatory compliance data through continuous export (preview)

Azure Defender for SQL updates and enhancements

In Azure Security Center, the following updates and improvements have been made to Azure Defender for SQL:

Protect

Azure Backup

Azure Managed Disk backups (limited preview)

Azure Backup offers the ability, currently through a limited preview, to protect managed disks. This takes place through the periodic creation of snapshots, which are retained for the duration established by the backup policy. The solution does not require specific agents and supports backup and recovery of both operating system and data disks (including shared disks), regardless of whether or not they are attached to a virtual machine running in Azure.

Encryption at rest with keys “customer-managed”

Azure Backup introduces support for encryption at rest using customer-managed keys. This feature encrypts backup data in Recovery Services vaults using your own keys stored in Azure Key Vault. Data is protected using a 256-bit AES data encryption key (DEK), which in turn is protected using the keys stored in the Key Vault. Compared to encryption with keys managed by the Azure platform (available by default), this support gives you more control over encryption key management, enabling you to better meet your compliance needs.

Azure Site Recovery

New Update Rollup

Update Rollup 53 has been released for Azure Site Recovery; it solves several issues and introduces some improvements. The details and the procedure to follow for the installation can be found in the specific KB.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure Security: how to secure the Azure Deployment and Resource Management service

To achieve a high level of security in your public cloud environment, you need to protect the individual resources that are activated, but it is also appropriate to monitor the service that allows the deployment and management of the resources themselves. In the Microsoft public cloud, the deployment and management service is Azure Resource Manager, a crucial service connected to all Azure resources and therefore a potential high-value target for attackers. Microsoft, aware of this aspect, recently announced Azure Defender for Resource Manager. This article describes the features of this solution, which allows you to carry out advanced security analysis in order to detect potential threats and be alerted to suspicious activity affecting Azure Resource Manager.

In Azure Defender there are protections designed specifically for individual Azure services, such as Azure SQL DB, Azure Storage and Azure VMs, and protections that transversally cover components used by all the various Azure resources. The latter include Azure Defender for Azure Network and for Key Vault, and the availability of Azure Defender for Azure DNS and for Azure Resource Manager was also announced recently. These tools give you an additional level of protection and control in your Azure environment.

Figure 1 – Azure Defender Threat Protection for Azure Workloads

Azure Resource Manager provides the management layer that allows you to create, update and delete resources in the Azure environment. It also provides specific features for the governance of the Azure environment, such as access control, locks and tags, that help protect and organize resources after they are distributed.

Azure Defender for Resource Manager automatically monitors the organization's Azure resource management operations, regardless of whether these are done through the Azure portal, Azure REST APIs, the command line interface or with other Azure programming clients.

Figure 2 – Protection of Azure Defender for Resource Manager

To activate this type of protection, simply enable the specific Azure Defender plan in the Azure Security Center settings:

Figure 3 - Activation of Azure Defender for Resource Manager

Azure Defender for Resource Manager provides protection by detecting the following conditions:

  • Resource management operations classified as suspicious, such as operations from suspicious IP addresses, disabling of the antimalware component and ambiguous scripts run through VM extensions.
  • Use of exploitation toolkits such as Microburst or PowerZure.
  • Lateral movement from the Azure management layer to the data plane of Azure resources.

A complete list of the alerts that Azure Defender for Resource Manager is able to generate can be found in this Microsoft document.

Security alerts generated by Azure Defender for Resource Manager are based on potential threats that are detected by monitoring Azure Resource Manager operations using the following sources:

  • Azure Activity Log, the Azure platform log providing information about subscription-level events.
  • Azure Resource Manager Internal Logs, not accessible by customers, but only by Microsoft personnel.
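The Activity Log is the one source a customer can inspect directly. As an added example (not code from the original post or from Microsoft), the triage below runs over constructed Activity Log events and flags the patterns listed above: operations from IP addresses outside a trusted list, removal of the antimalware VM extension, script execution through VM extensions, and a management-plane call (listKeys) that hands out data-plane credentials. The event field names, the trusted networks and the extension names are assumptions.

```python
"""Triage of Azure Activity Log events for the patterns listed above.

Flags management operations from IP addresses outside a trusted list,
removal of the antimalware VM extension, script execution through VM
extensions, and management-plane calls that hand out data-plane secrets
(listKeys). Field names (operationName, callerIpAddress, caller, resourceId,
status) follow the Activity Log event schema as assumed here; every event
below is constructed, not real telemetry.
"""
import ipaddress
import json

# Assumed trusted management egress ranges for a hypothetical tenant.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("198.51.100.0/24")]

# Assumption: extensions are named by type, as the portal and CLI do by default.
ANTIMALWARE_EXTENSIONS = {"iaasantimalware"}
SCRIPT_EXTENSIONS = {"customscriptextension", "customscript"}

# Placeholder resource IDs (subscription id is an all-zero placeholder).
VM_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
         "/providers/Microsoft.Compute/virtualMachines/vm-web01")
STORAGE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
              "/providers/Microsoft.Storage/storageAccounts/stprod01")

# Constructed sample events, one JSON object per line.
SAMPLE_EVENTS = [
    json.dumps({"time": "2021-01-20T08:01:00Z", "caller": "ops@contoso.example",
                "callerIpAddress": "10.4.5.6", "status": "Succeeded",
                "operationName": "Microsoft.Compute/virtualMachines/write", "resourceId": VM_ID}),
    json.dumps({"time": "2021-01-20T08:07:00Z", "caller": "ops@contoso.example",
                "callerIpAddress": "203.0.113.45", "status": "Succeeded",
                "operationName": "Microsoft.Compute/virtualMachines/extensions/delete",
                "resourceId": VM_ID + "/extensions/IaaSAntimalware"}),
    json.dumps({"time": "2021-01-20T08:09:00Z", "caller": "ops@contoso.example",
                "callerIpAddress": "10.4.5.6", "status": "Succeeded",
                "operationName": "Microsoft.Compute/virtualMachines/extensions/write",
                "resourceId": VM_ID + "/extensions/CustomScriptExtension"}),
    json.dumps({"time": "2021-01-20T08:12:00Z", "caller": "ops@contoso.example",
                "callerIpAddress": "203.0.113.45", "status": "Succeeded",
                "operationName": "Microsoft.Storage/storageAccounts/listKeys/action",
                "resourceId": STORAGE_ID}),
    "{broken json",  # malformed line, skipped
]


def ip_is_trusted(ip):
    """True when the caller IP falls inside one of the trusted ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # missing or unparsable address is treated as untrusted
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def extension_name(resource_id):
    """Lower-cased VM extension name from a resource id, or None if not an extension."""
    parts = resource_id.lower().split("/")
    if "extensions" in parts:
        i = parts.index("extensions")
        if i + 1 < len(parts):
            return parts[i + 1]
    return None


def triage_event(ev):
    """Return the list of findings for a single Activity Log event (may be empty)."""
    findings = []
    op = ev.get("operationName", "").lower()
    ext = extension_name(ev.get("resourceId", ""))
    if not ip_is_trusted(ev.get("callerIpAddress", "")):
        findings.append("untrusted-source-ip")
    if op.endswith("/extensions/delete") and ext in ANTIMALWARE_EXTENSIONS:
        findings.append("antimalware-extension-removed")
    if op.endswith("/extensions/write") and ext in SCRIPT_EXTENSIONS:
        findings.append("script-via-vm-extension")
    if op.endswith("/listkeys/action"):
        findings.append("management-plane-to-data-plane")
    return findings


def triage(lines):
    """Parse JSON lines and keep only events that produced at least one finding."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        findings = triage_event(ev)
        if findings:
            hits.append({"time": ev.get("time"), "caller": ev.get("caller"),
                         "ip": ev.get("callerIpAddress"), "status": ev.get("status"),
                         "operation": ev.get("operationName"), "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```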

In order to obtain a better and more in-depth investigation experience, it is advisable to connect the Azure Activity Log to Azure Sentinel, following the steps in this Microsoft document.

When an attack on the Azure Resource Manager layer is simulated using the PowerZure exploitation toolkit, Azure Defender for Resource Manager generates a high-severity alert, as shown in the following image:

Figure 4 – Alert generated by Azure Defender for Resource Manager

For such an alert you can also receive a notification by appropriately setting up an action group in Azure Monitor. Furthermore, if the integration between Azure Security Center and Azure Sentinel has been activated, the same alert would also be present in Azure Sentinel, with the relevant information necessary to start the investigation process and provide a prompt response to a problem of this type.

Conclusions

Protecting resources effectively in the Azure environment also means adopting the appropriate tools to deal with potential attacks that can exploit the distribution and management mechanisms of the resources themselves. Thanks to the new tool Azure Defender for Resource Manager it is possible to take advantage of effective protection in a fully integrated way in the Azure platform, without having to install specific software or enable additional agents.

Azure IaaS and Azure Stack: announcements and updates (January 2021 – Weeks: 01 and 02)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officially announced by Microsoft in the last two weeks.

Azure

Compute

New datacenter region in Chile

Microsoft has announced plans for a new datacenter region in Chile, as part of the “Transforma Chile” initiative. A skilling program and an Advisory Board are also part of the initiative, which is targeted at reaching 180,00 Chileans.

NCas_T4_v3-Series VMs are now generally available

NCas_T4_v3 virtual machines feature 4 NVIDIA T4 GPUs with 16 GB of memory each, up to 64 non-multithreaded AMD EPYC 7V12 (Rome) processor cores, and 448 GiB of system memory. These virtual machines are ideal for running ML and AI workloads using CUDA, TensorFlow, PyTorch, Caffe and other frameworks, or graphics workloads using NVIDIA GRID technology. NCas_T4_v3 VMs are now generally available in the West US 2, West Europe and Korea Central regions.

Networking

Public IP SKU upgrade

Azure public IP addresses now support the ability to be upgraded from Basic to Standard SKU. Additionally, any Basic Public Load Balancer can now be upgraded to a Standard Public Load Balancer, while retaining the same public IP address. This is supported via PowerShell, CLI, templates, and API and available across all Azure regions.

Azure Hybrid Cloud: Azure Stack Edge solution overview

To better meet the need for solutions that can extend your environment from the main datacenter to peripheral sites with innovative Azure services, Microsoft makes the Azure Stack portfolio available to its customers. It is a set of hybrid cloud solutions that allow you to deploy and run your application workloads consistently, without restrictions imposed by geographical location. This article provides an overview of the Azure Stack Edge (ASE) platform and its characteristics, examining the use cases and the main features.

Before going into the specifics of Azure Stack Edge, it should be noted that the solutions included in the Azure Stack portfolio are the following:

  • Azure Stack Edge: the Azure-managed appliance that brings computational power, cloud storage and intelligence to the customer's remote edge locations.
  • Azure Stack HCI: the solution that allows the execution of virtual machines and an easy connection to Azure thanks to a hyper-converged infrastructure (HCI).
  • Azure Stack Hub: the offering for enterprise and public sector customers who need a cloud environment disconnected from the Internet, or who need to meet specific regulatory and compliance requirements.

Figure 1 – Azure Stack Product Family

To get an overview of these solutions I invite you to read this article.

Azure Stack Edge value proposition

The results that can be obtained by adopting the Azure Stack Edge solution are the following:

  • Possibility of adopting an on-premises model Infrastructure as a service (IaaS) for workloads on peripheral sites (edge), where both hardware and software are provided by Microsoft.
  • Ability to run applications at customer sites, in order to keep them close to the data sources. Furthermore, it allows you not only to run proprietary and third-party applications at the edge, but also to take advantage of different Azure services.
  • Availability of built-in hardware accelerators that allow you to run machine learning and AI scenarios at the edge, right where the data is, without having to send data to the cloud for further analysis.
  • Possibility of having an integrated cloud storage gateway that allows easy data transfer from the edge to the cloud environment.

Usage scenarios

The main scenarios for using Azure Stack Edge are the following:

  • Machine learning at peripheral sites: thanks to the presence of integrated hardware accelerators and the processing capabilities offered by the solution, you have the ability to cope with these scenarios right where the data resides, processing them in real time, without having to send them to Azure.
  • Computational capacity at the edge: customers can run their business applications and IoT solutions at peripheral sites, without necessarily having to rely on constant connectivity to the cloud environment.
  • Network transfer of data from the edge to the cloud: used in scenarios where you want to periodically transfer data from the edge to the cloud, for further analysis or storage purposes.

Form factors

To support the different usage scenarios reported, across industry verticals, Azure Stack Edge is available in three separate form factors:

  • Azure Stack Edge Pro, a 1U blade server with one or two GPUs.
  • Azure Stack Edge Pro R, a rugged server with GPU, in a sturdy carrying case, complete with UPS and backup battery.
  • Azure Stack Edge Mini R, a machine with a reduced form factor, a battery and a low weight (less than 3.5 kg).

Figure 2 – Azure Stack Edge Form Factors

The "rugged" versions of Azure Stack Edge are built to withstand extreme environmental conditions, and the battery-powered versions are easy to transport.

Azure Stack Edge stack software

The customer can place the Azure Stack Edge order and perform provisioning directly from the Azure portal, and then use the classic Azure management tools to monitor it and apply updates. Hardware support is provided directly by Microsoft, which will replace the components in case of problems. There is no upfront cost to obtain this appliance; its cost is included monthly in the billing of Azure services. Since, once configured, any application running on Azure Stack Edge can be configured and deployed from the Azure portal, the need for IT staff in the edge location is eliminated.

Azure Stack Edge Computational Capacity

The ability to offer computational capacity at the edge is one of the key features of Azure Stack Edge, and it can be provided in one of the following ways:

  • IoT Edge: the execution of containerized workloads distributed through the IoT hub has always been supported since the launch of Azure Stack Edge and continues to be so.
  • Kubernetes: recently, support was introduced for the execution of containerized workloads in Kubernetes clusters running on Azure Stack Edge.
  • Virtual machines: another way to run applications is by activating workloads on board virtual machines.

Kubernetes environment in Azure Stack Edge

Kubernetes is becoming the de facto standard for the execution and orchestration of containerized workloads, but anyone who knows these environments is aware of the operational challenges that can arise from managing a Kubernetes cluster. In this context, the goal of Azure Stack Edge is to simplify the deployment and management of Kubernetes clusters. With a simple configuration, you can activate a Kubernetes cluster on Azure Stack Edge.

Once the Kubernetes cluster has been configured, additional management steps must be performed, which are simplified in ASE through add-ons. Among these operations we find:

  • The ability to easily enable hardware accelerators.
  • The provisioning of the storage system to create persistent volumes.
  • Keeping the cluster up to date with Kubernetes releases by taking the latest available updates.
  • The ability to apply the security and governance mechanisms of your own infrastructure.

Once the cluster environment is configured, simple mechanisms are provided for deploying and managing workloads on the Kubernetes cluster, using the following modes:

  • Azure Arc: ASE comes with native integration with Azure Arc. With just a few steps you can enable Azure Arc, allowing applications to be distributed in the Kubernetes cluster directly from the Azure portal.
  • IoT Hub: by enabling the IoT hub add-on it is possible to use it for the distribution of conteiners.
  • Kubectl: finally supports the native way kubectl, typically used in disconnected environments or if you have an existing infrastructure that already integrates with this mode.

Figure 3 – Kubernetes deployment in Azure Stack Edge

Virtual machines in Azure Stack Edge

Another variant to offer computational capacity at the edges is the activation of virtual machines. Azure Stack Edge allows you to host virtual machines, both Windows and Linux, offering the ability to deploy and manage these virtual machines directly from Azure or by acting locally.

Figure 4 – Virtual Machines in Azure Stack Edge

One thing to consider is that Azure Stack Edge supports simpler network topologies than Azure or Azure Stack Hub.

Regarding the hardware acceleration features in Azure Stack Edge, these two variants are supported:

  • GPU NVIDIA T4, fully integrated with the GPU stack
  • Intel Movidius Visual Processing Unit (VPU), for AI and ML scenarios

Azure services that can be deployed in Azure Stack Edge

The number of services that can be activated in Azure Stack Edge is large, among those recently introduced we find:

  • Live Video Analytics: a platform for creating video solutions and applications based on artificial intelligence, to carry out real-time insights using video streams.
  • Spatial Analysis: a real-time computer vision module to analyze videos and understand people's movements in physical spaces. For example, during the Covid period many retail stores want to implement social distancing policies and may use a spatial analysis module to understand certain behaviors based on videos shot in the store.
  • Azure Monitor: this helps improve application performance and availability by collecting logs from containers and analyzing them.

Figure 5 – Azure Solutions in Azure Stack Edge

Conclusions

In business realities, the adoption of totally cloud-based solutions is not always a viable choice, or the best one; hybrid solutions often have to be adopted, which in any case include the possibility of using the innovations introduced by the cloud. Azure Stack Edge is a flexible and modern solution that allows you to meet the needs emerging for edge sites, even the most challenging ones, without neglecting the potential offered by the public cloud.

Azure IaaS and Azure Stack: announcements and updates (December 2020 – Weeks: 53)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, made official by Microsoft in the last two weeks.

In the last week of the year there was little news, due to the holiday period. This series of blog posts will continue into 2021. I take this opportunity to wish you a Happy New Year!

Azure

Azure NetApp Files: Application Consistent Snapshot tool (preview)

The Azure Application Consistent Snapshot tool (AzAcSnap) is in public preview. It is a command-line tool that simplifies data protection for third-party databases (SAP HANA) in Linux environments (for example, SUSE and RHEL).

Azure Management services: what's new in December 2020

In December, Microsoft announced several pieces of news regarding Azure management services. Our community releases this monthly summary to give you a comprehensive overview of the main news of the month, so that you can stay up to date and have the necessary references for further study.

The following diagram shows the different areas related to management, which are covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.

Figure 1 – Management services in Azure overview

Monitor

Azure Monitor

New Azure Monitor agent and new Data Collection Rules features (preview)

Azure Monitor introduces (in preview) a new unified agent (Azure Monitor Agent – AMA) and a new concept to make data collection more efficient (Data Collection Rules – DCR).

Among the various key features added in this new agent we find:

  • Support for Azure Arc servers (Windows and Linux)
  • Virtual Machine Scale Set support (VMSS)
  • Installation via ARM template

With regard to the Data Collection, these innovations have been made:

  • Better control in defining the scope of data collection (e.g. the ability to collect from a subset of VMs for a single workspace)
  • Single collection and sending to both Log Analytics and Azure Monitor Metrics
  • Send to multiple workspaces (multi-homing for Linux)
  • Ability to better filter Windows events
  • Better extension management
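As an added example (not taken from the article or from Microsoft's documentation), this ARM template declares a Data Collection Rule that applies an XPath filter so that only selected Security-log events reach the workspace, and collects performance counters once while sending them to both Log Analytics and Azure Monitor Metrics. The rule name, data source names and the `workspaceResourceId` parameter are assumptions; comments are allowed in ARM templates deployed through Azure.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    // Assumed: full resource ID of the Log Analytics workspace receiving the data.
    "workspaceResourceId": { "type": "string" }
  },
  "resources": [
    {
      "type": "Microsoft.Insights/dataCollectionRules",
      "apiVersion": "2019-11-01-preview",
      "name": "dcr-security-baseline",
      "location": "[resourceGroup().location]",
      "properties": {
        "dataSources": {
          "windowsEventLogs": [
            {
              "name": "securityLogonEvents",
              "streams": [ "Microsoft-Event" ],
              // XPath filter evaluated on the agent: only logon success (4624),
              // logon failure (4625) and special-privilege logon (4672) events
              // are collected, instead of the whole Security channel.
              "xPathQueries": [
                "Security!*[System[(EventID=4624 or EventID=4625 or EventID=4672)]]"
              ]
            }
          ],
          "performanceCounters": [
            {
              "name": "cpuAndMemory",
              // One collection feeding two streams: Microsoft-Perf for Log
              // Analytics, Microsoft-InsightsMetrics for Azure Monitor Metrics.
              "streams": [ "Microsoft-Perf", "Microsoft-InsightsMetrics" ],
              "samplingFrequencyInSeconds": 60,
              "counterSpecifiers": [
                "\\Processor(_Total)\\% Processor Time",
                "\\Memory\\Available Bytes"
              ]
            }
          ]
        },
        "destinations": {
          "logAnalytics": [
            {
              "workspaceResourceId": "[parameters('workspaceResourceId')]",
              "name": "centralWorkspace"
            }
          ],
          "azureMonitorMetrics": { "name": "azureMonitorMetrics-default" }
        },
        // Data flows route each stream to a named destination.
        "dataFlows": [
          { "streams": [ "Microsoft-Event", "Microsoft-Perf" ], "destinations": [ "centralWorkspace" ] },
          { "streams": [ "Microsoft-InsightsMetrics" ], "destinations": [ "azureMonitorMetrics-default" ] }
        ]
      }
    }
  ]
}
```

The rule only takes effect once it is associated with machines through a data collection rule association, which is what lets the same rule scope collection to a subset of VMs.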

Azure Monitor for Windows Virtual Desktop (preview)

Azure Monitor now allows you to perform the following operations related to Windows Virtual Desktop environments:

  • View a summary of the status and health of host pools
  • Find and resolve any deployment issues
  • Evaluate resource usage and make decisions about scalability and cost management
  • Understanding and addressing user feedback

Azure Monitor for containers: tab reports and deployment logs

In Azure Monitor for containers, a new Reports tab has been made available that gives customers complete access to all the advanced monitoring workbooks for Kubernetes, for example: node disk, node network, workloads and persistent volume monitoring.

Furthermore, you can now view real-time logs of Azure Kubernetes Service (AKS) deployments, accessing the live logs of the pods directly. Log Analytics allows you to search by applying filters to view historical pod deployment logs, which is useful for diagnosing any issues.

Azure Monitor for containers: support for Private Cluster live logs (preview)

Azure Monitor for containers has introduced support for private cluster live logs, which allows you to view container logs, pod events and metrics in real time. For more details, please see the Microsoft documentation.

Infrastructure Encryption for Azure Monitor data 

Starting from 1 November 2020 data that flows into Azure Monitor is encrypted twice: at the service level and now also at the infrastructure level, thanks to the double encryption available for Azure storage.

Configure

Azure Automation

Support for Azure Private Link available

Microsoft has introduced support for Azure Private Link, which is needed to securely connect virtual networks to Azure Automation through private endpoints. This feature allows you to:

  • Establish a private connection with Azure Automation, without opening access from the public network.
  • Ensure that Azure Automation data is accessible only through authorized private networks.
  • Protect against data exfiltration by allowing granular access to specific resources.
  • Keep all traffic within the Microsoft Azure backbone network.

Availability in new regions

Azure Automation is now available in the “Norway East” and “Germany West Central” regions. To check the availability of the service in all Azure regions you can consult this document.

Support for Python3 runbooks (preview)

In Azure Automation, you can now import, create and run Python 3 runbooks, either in Azure or on a Hybrid Runbook Worker.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure IaaS and Azure Stack: announcements and updates (December 2020 – Weeks: 51 and 52)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, made official by Microsoft in the last two weeks.

Azure

Compute

Azure VMware Solution: now available in UK South and Japan East Azure regions

The new Azure VMware Solution empowers customers to seamlessly extend or migrate their existing on-premises VMware applications to Azure without the cost, effort or risk of re-architecting applications or retooling operations. General Availability of the new Azure VMware Solution was announced at Microsoft Ignite in September 2020, with initial availability in US East, US West, West Europe and Australia. Microsoft has now expanded availability to two more Azure regions: Japan East and UK South. For updates on upcoming region availability, please visit the product-by-region page.

HBv2-series VMs for HPC now available in the UAE North region

HBv2 VMs are now Generally Available in the Azure UAE North region.

Storage

Azure File Sync agent v11.1

Azure File Sync agent v11.1 is now on Microsoft Update and Microsoft Download Center.

Improvements and issues that are fixed:

  • New cloud tiering modes to control initial download and proactive recall
    • Initial download mode: you can now choose how you want your files to be initially downloaded onto your new server endpoint. Want all your files tiered or as many files as possible downloaded onto your server by last modified timestamp? You can do that! Can’t use cloud tiering? You can now opt to avoid tiered files on your system. To learn more, see Create a server endpoint section in the Deploy Azure File Sync documentation.
    • Proactive recall mode: whenever a file is created or modified, you can proactively recall it to servers that you specify within the same sync group. This makes the file readily available for consumption in each server you specified. Have teams across the globe working on the same data? Enable proactive recalling so that when the team arrives the next morning, all the files updated by a team in a different time zone are downloaded and ready to go! To learn more, see Proactively recall new and changed files from an Azure file share section in the Deploy Azure File Sync documentation.
  • Exclude applications from cloud tiering last access time tracking
    • You can now exclude applications from last access time tracking. When an application accesses a file, the last access time for the file is updated in the cloud tiering database. Applications that scan the file system like anti-virus cause all files to have the same last access time which impacts when files are tiered. For more details, see the release notes.
  • Miscellaneous performance and reliability improvements
    • Improved change detection performance to detect files that have changed in the Azure file share.
    • Improved sync upload performance.
    • Initial upload is now performed from a VSS snapshot which reduces per-item errors and sync session failures.
    • Sync reliability improvements for certain I/O patterns.
    • Fixed a bug to prevent the sync database from going back-in-time on failover clusters when a failover occurs.
    • Improved recall performance when accessing a tiered file.

More information about this release:

  • This update is available for Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019 installations that have Azure File Sync agent version 4.0.1.0 or later installed.
  • The agent version for this release is 11.1.0.0.
  • A restart may be required if files are in use during the agent installation.
  • Installation instructions are documented in KB4539951.

The possibilities offered by Azure for container execution

The strong trend in application development toward microservice-based architectures makes containers perfect for efficiently deploying software and operating at scale. Containers can run on Windows, Linux and macOS, on virtual machines or bare metal, in on-premises data centers and, obviously, in the public cloud. Microsoft is certainly a leading provider that enables enterprise-level container execution in the public cloud. This article provides an overview of the main solutions that can be adopted to run containers in a Microsoft Azure environment.

Virtual machines

IaaS virtual machines in Azure provide maximum flexibility to run Docker containers. In fact, the Docker runtime can be installed on Windows and Linux virtual machines and, thanks to the availability of different combinations of CPU and RAM, you can have the resources needed to run one or more containers. This approach is typically recommended for Dev/Test environments, as the cost of configuring and maintaining the virtual machine is not negligible.

Serverless approaches

Azure Container Instances (ACI)

Azure Container Instances (ACI) is the easiest and fastest way in Azure to run on-demand containers in a managed serverless environment, without having to activate specific virtual machines and with almost negligible maintenance. Azure Container Instances is suitable for scenarios that require isolated containers, without the need to adopt a complex orchestration system. ACI in fact provides only some of the basic scheduling features offered by orchestration platforms and, although it does not cover the valuable services such platforms provide, it can be seen as a complementary solution.

The top-level resource in Azure Container Instances is the container group, a collection of containers that are scheduled on the same host machine. Containers within a container group share their lifecycle, resources, local network and storage volumes. The container group concept is similar to the pod concept in Kubernetes.

Figure 1 – Container group sample in Azure Container Instances
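As an added example (not part of the original article), this ARM template declares a two-container group of the kind described above: a web container and a sidecar that reaches it over the group's shared localhost network and writes into an emptyDir volume mounted by both, while only port 80 is exposed on the group's IP. The two images are the ones used in Microsoft's ACI multi-container tutorial; the group name, the sidecar command (assumed to have `/bin/sh` and `curl` available in the image) and the resource sizes are assumptions.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.ContainerInstance/containerGroups",
      "apiVersion": "2019-12-01",
      "name": "web-with-sidecar", // assumed group name
      "location": "[resourceGroup().location]",
      "properties": {
        "osType": "Linux",
        "restartPolicy": "Always", // applies to the whole group: shared lifecycle
        "containers": [
          {
            "name": "web",
            "properties": {
              "image": "mcr.microsoft.com/azuredocs/aci-helloworld",
              "ports": [ { "port": 80 } ],
              "resources": { "requests": { "cpu": 1, "memoryInGB": 1 } },
              "volumeMounts": [ { "name": "shared", "mountPath": "/mnt/shared" } ]
            }
          },
          {
            "name": "sidecar",
            "properties": {
              "image": "mcr.microsoft.com/azuredocs/aci-tutorial-sidecar",
              // Assumed: the image provides /bin/sh and curl. Containers in a group
              // share one network namespace, so the web container is reachable on
              // localhost; the response is written to the volume both containers mount.
              "command": [
                "/bin/sh", "-c",
                "while true; do curl -s http://localhost:80 -o /mnt/shared/last.html; sleep 30; done"
              ],
              "resources": { "requests": { "cpu": 0.5, "memoryInGB": 0.5 } },
              "volumeMounts": [ { "name": "shared", "mountPath": "/mnt/shared" } ]
            }
          }
        ],
        // Only port 80 is exposed on the group's public IP; the sidecar exposes nothing.
        "ipAddress": { "type": "Public", "ports": [ { "protocol": "TCP", "port": 80 } ] },
        // emptyDir volume: lives as long as the group and is shared by all its containers.
        "volumes": [ { "name": "shared", "emptyDir": {} } ]
      }
    }
  ]
}
```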

The Azure Container Instances service is billed based on the number of vCPUs and GB of memory allocated per second. For more details on costs, please visit the official Microsoft page.

Azure Web App for Containers

For web-based workloads, containers can be run from Azure App Service, the Azure web hosting platform, using the Azure Web App for Containers service, with the advantage of exploiting the deployment methodologies, scalability and monitoring built into the solution.

Azure Batch and Containers

If workloads require you to scale with multiple batch jobs, you can put them in containers and manage scaling through Azure Batch. In this scenario, the combination of Azure Batch and containers turns out to be a winner. Azure Batch allows a large number of batch processing jobs to be run and resized in Azure, while containers provide an easy way to run Batch tasks without having to manage the environment and the dependencies required to run the applications. In these scenarios, low-priority VMs can be adopted with Azure Batch to reduce costs.

Containers orchestration

The automation and management of a large number of containers, and of the ways in which they interact with each other, is known as orchestration. Therefore, when several containers need to be orchestrated, more sophisticated solutions such as Azure Kubernetes Service (AKS) or Azure Service Fabric must be adopted.

Azure Kubernetes Service (AKS)

Azure Kubernetes Service (AKS) is the fully managed Azure service that allows the activation of a Kubernetes cluster.

Kubernetes, also known as “k8s”, provides automated orchestration of containers, improving their reliability and reducing the time and resources required for DevOps work. Kubernetes tends to simplify deployments, allowing you to perform rollouts and rollbacks automatically. Furthermore, it improves application management and monitors the status of services to avoid errors during deployment. Among its various functions are service health checks, with the ability to restart containers that are not running or that are stuck, advertising to clients only the services that have started correctly. Kubernetes also allows you to scale automatically based on usage and, exactly like containers, allows you to manage the cluster environment declaratively, with version-controlled and easily replicable configuration.

Figure 2 - Example of microservices architecture based on Azure Kubernetes Service (AKS)

Azure Service Fabric

Another possibility for orchestrating containers is the adoption of the reliable and flexible Azure Service Fabric platform. This is Microsoft's container orchestrator, which allows the deployment and management of microservices in high-density cluster environments with very fast deployment times. With this solution, the same application can combine services running in processes and services running inside containers. The unique and scalable architecture of Service Fabric allows near real-time data analysis, in-memory computation, parallel transactions and event processing in applications. Service Fabric provides a sophisticated and lightweight runtime that supports stateless and stateful microservices. A key differentiator of Service Fabric is its robust support for building stateful services, either with the built-in Service Fabric programming models or as stateful containerized services. For more information on the application scenarios that can take advantage of Service Fabric stateful services, you can consult this document.

Figure 3 - Azure Service Fabric overview

Azure Service Fabric can boast of hosting many Microsoft services, including Azure SQL Database, Azure Cosmos DB, Cortana, Microsoft Power BI, Microsoft Intune, Azure Event Hubs, Azure IoT Hub, Dynamics 365, Skype for Business, and many core Azure services.

Conclusions

Microsoft offers a range of options for running containers in its public cloud. Choosing the solution that best suits your needs among all those offered requires careful evaluation, but provides great flexibility. From serverless approaches, to managed cluster environments for orchestration, up to building your own infrastructure based on virtual machines, you can find the ideal solution to run containers in the Microsoft Azure environment.