Microsoft Azure has achieved these new certifications:
Its first PCI 3-D Secure (PCI 3DS) certification
It has increased the scope of its HITRUST CSF certification to include 172 Azure offerings across 49 Azure regions. Azure’s HITRUST certification letters are available on the Service Trust Portal and include the full list of HITRUST CSF certified Azure offerings and regions.
New planned datacenter region in Georgia (East US 3)
The new datacenter region will have a presence in Douglas and Fulton counties, in response to growing customer demand, supporting the creation of new jobs and local business growth. Availability Zones in the new East US 3 region will provide customers with high availability and additional tolerance to datacenter failures.
Storage
Soft delete for Azure file shares is now on by default for new storage accounts
Soft delete for Azure file shares is now enabled by default and this change will apply to all new storage accounts. Soft delete protects your Azure file shares from accidental deletion. Soft delete acts like a recycle bin for Azure file shares, meaning that deleted shares remain recoverable for their entire retention period (7 days by default for storage accounts created after January 31st). You will be charged for soft deleted data on the snapshot meter. If you have automated the creation of new storage accounts and the creation/deletion of new file shares within them, you must modify your scripts to explicitly disable soft delete after the creation of a new storage account. Soft delete will remain disabled by default for existing storage accounts.
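Because the new default applies to every newly created storage account, provisioning scripts should set the share soft-delete policy explicitly rather than inherit whatever the platform default is at the time. The following PowerShell is an added example (not code from the announcement) using the Az.Storage cmdlets; the resource group, account name and region are placeholders.

```powershell
# Added example: create a storage account, then set the file share soft-delete
# policy explicitly so automation never depends on the platform default.
# Requires the Az.Storage module and an authenticated session (Connect-AzAccount).
$rg      = "rg-fileshares"      # placeholder resource group
$account = "stfilesharesdemo"   # placeholder storage account name
$region  = "westeurope"         # placeholder region

$sa = New-AzStorageAccount -ResourceGroupName $rg -Name $account -Location $region `
        -SkuName Standard_LRS -Kind StorageV2

# Accounts created after the change get soft delete on with 7-day retention.
# Pinning the retention explicitly keeps the protection in place and makes the
# value visible in source control, instead of relying on a default that may change.
Update-AzStorageFileServiceProperty -ResourceGroupName $rg -StorageAccountName $account `
        -EnableShareDeleteRetentionPolicy $true -ShareRetentionDays 14

# Only for the automation case the announcement describes (shares that are created and
# deleted continuously and must not accrue snapshot-meter charges), disable it instead:
# Update-AzStorageFileServiceProperty -ResourceGroupName $rg -StorageAccountName $account `
#         -EnableShareDeleteRetentionPolicy $false

# Verify the effective policy (Enabled and Days) before handing the account over.
(Get-AzStorageFileServiceProperty -ResourceGroupName $rg -StorageAccountName $account).ShareDeleteRetentionPolicy
```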
Azure File Sync agent v11.2
The Azure File Sync agent v11.2 release is being flighted to servers which are configured to automatically update when a new version becomes available.
Improvements and issues that are fixed:
If a sync session is cancelled due to a high number of per-item errors, sync may go through reconciliation when a new session starts if the Azure File Sync service determines a custom sync session is needed to correct the per-item errors.
Registering a server using the Register-AzStorageSyncServer cmdlet may fail with “Unhandled Exception” error.
New PowerShell cmdlet (Add-StorageSyncAllowedServerEndpointPath) to configure allowed server endpoint paths on a server. This cmdlet is useful for scenarios in which the Azure File Sync deployment is managed by a Cloud Solution Provider (CSP) or Service Provider and the customer wants to configure allowed server endpoint paths on a server. When creating a server endpoint, if the path specified is not in the allow list, the server endpoint creation will fail. Note that this is an optional feature: all supported paths are allowed by default when creating a server endpoint. To learn more, see the release notes.
How to obtain and install this update:
To obtain and install this update, configure your Azure File Sync agent to automatically update when a new version becomes available or manually download the update from the Microsoft Update Catalog.
More information about this update rollup:
This update is available for Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019 installations that have Azure File Sync agent version 4.0.1.0 or later installed.
The agent version of this update rollup is 11.2.0.0.
A restart may be required if files are in use during the installation.
Installation instructions are documented in KB4539952.
Append blob support for Azure Data Lake Storage (limited public preview)
Append blobs allow users to append data to the end of a blob or file quickly, without modifying existing content. This makes append blobs well suited to applications such as logging that need to add information to existing files efficiently and continuously. Until now, only block blobs were supported in Azure Data Lake Storage accounts. With this preview, applications can also create append blobs in these accounts and write to them using Append Block operations.
Ingest up to 10 files and blobs with the new Azure Data Explorer intuitive UX
You can now easily ingest blobs or files into Azure Data Explorer with the new intuitive ingestion wizard. The wizard can also create a table automatically based on the structure of the source.
Microsoft recently released the new version of Azure Stack HCI, the solution that allows you to build hyper-converged infrastructures (HCI) to run virtual machines in an on-premises environment and that offers an easy and strategic connection to Azure services. Customers who are now facing a modernization of their data centers may be wondering which product to use. Windows Server 2019 and Azure Stack HCI are intended for different and complementary purposes. This article explains the main differences between the two products and provides guidance on the different usage scenarios.
What is Azure Stack HCI?
With the arrival of Windows Server 2019, Microsoft introduced the Azure Stack HCI solution, which allows the execution of virtual machines or virtual desktops in an on-premises environment with broad connectivity to the various services offered by Azure.
This is a hyper-converged infrastructure (HCI), in which separate hardware components are removed and replaced by software, combining the compute, storage and network layers in one solution. In this way there is a transition from a traditional "three tier" infrastructure, composed of network switches, appliances, physical systems with onboard hypervisors, storage fabric and SAN, toward a hyper-converged infrastructure (HCI).
Figure 1 – "Three Tier" Infrastructure vs Hyper-Converged Infrastructure (HCI)
In December 2020, Microsoft released the new Azure Stack HCI solution, delivered as an Azure hybrid service and named Azure Stack HCI version 20H2, which introduces important changes.
When to use Windows Server 2019?
Windows Server 2019 is a multi-purpose and highly versatile server operating system that allows you to activate dozens of roles and hundreds of features. Windows Server 2019 can be used to:
Host virtual machines or run containers.
Enable one or more server roles included in the operating system, such as Active Directory, file server, DNS, DHCP or Internet Information Services (IIS).
Run a traditional infrastructure on bare-metal systems.
Figure 2 - Usage scenarios of Windows Server 2019
When to use Azure Stack HCI?
Azure Stack HCI builds on the essential components of Windows Server and has been specially designed and optimized to provide a powerful hyper-converged platform. The new version of Azure Stack HCI adopts the well-established technologies of Windows Server, such as Hyper-V, software-defined networking and Storage Spaces Direct, and adds new features specific to running on-premises virtual machines.
Azure Stack HCI is the appropriate choice if:
You want to modernize your infrastructure by adopting a simple hyper-converged architecture based on established technologies. It is suitable both for existing workloads in the main datacenter and for branch office scenarios.
You want to extend the on-premises solution by connecting it to Azure. This guarantees constant innovation, the evolution of cloud services and the possibility of taking advantage of a common set of tools, simplifying the user experience.
Figure 3 – Azure Stack HCI usage scenarios
The Azure Stack HCI solution can also be configured with Windows Server 2019, but the new version of Azure Stack HCI introduces important innovations in the following areas:
Dedicated and solution-specific operating system
Virtual machine disaster recovery and failover capabilities inherent in the solution
Optimization of the Storage Spaces resync process
Updates of the entire stack covered by the solution (full-stack updates)
Native integration with Azure services and Azure Resource Manager (ARM)
Although Azure Stack HCI runs on-premises, it is billed through an Azure subscription, just like any other Azure cloud service. The billing model is simple and provides a fixed daily cost based on the total number of cores present in the physical processors that make up the cluster.
In the new billing model there is no minimum or maximum number of cores to be licensed, nor a minimum activation duration. An important aspect to consider is that Windows guest virtual machines and paid versions of Linux must be licensed separately. The subscription-based cost covers only the software and does not include the Azure Stack HCI hardware.
The Azure Stack HCI software, which includes a 30-day free trial, can be installed on new or already purchased hardware, as long as it is present in the catalog of solutions specifically tested and validated by the various vendors.
Support provided for the solution
Azure Stack HCI, being in effect an Azure solution, is covered by Azure support with the following features:
Support is provided by a team of experts dedicated to the new Azure Stack HCI solution.
You can easily request technical support directly from the Azure portal.
You can choose from different support plans, depending on your needs.
Conclusions
Although the new version of Azure Stack HCI is based on technologies also present in Windows Server 2019, it should be noted that these are now two solutions intended for different and complementary purposes. Even though Windows Server 2019 also allows you to build hyper-converged solutions, if you are making an investment right now to activate such a solution, consider adopting the new Azure Stack HCI. In fact, thanks to the changes introduced, you get a very complete hyper-converged offering that is more integrated and performs better. One aspect to evaluate carefully is cost, as it has a significant impact.
New Azure Cloud Services deployment model (preview)
Both deployment models are now available in Azure Cloud Services:
Azure Cloud Services (extended support), in public preview, is a new Azure Resource Manager–based deployment model for Azure Cloud Services. As an existing user of Azure Cloud Services, with Azure Cloud Services (extended support) you can now increase regional resiliency while gaining access to new capabilities such as role-based access control (RBAC), tags, policy, and support for deployment templates.
The Azure Service Manager–based deployment model is now named Azure Cloud Services (classic). You can keep using the existing Azure Cloud Services (classic) deployment model for your Azure Service Manager–based applications.
Availability Zones in new regions
Availability Zones give users additional options for high availability for their most demanding applications and services, as well as confidence and protection from potential hardware and software failures, by providing three or more unique physical locations within an Azure region. Availability Zones are now generally available in South Central US and in Germany West Central. Availability Zones in these regions are made up of 3 unique, physically separated locations or “zones” within a single region, bringing higher availability together with asynchronous replication across Azure regions for disaster recovery protection.
Since this is a major version upgrade this update will not be automatically applied. You will need to update manually.
Storage
Copy Blob support over private endpoints
Azure Storage now enables you to copy data between storage accounts where one or both of the accounts are protected using private endpoints. This includes support for Copy Blob and utilities such as AzCopy over private endpoints. The feature also enables copying of data between storage accounts where one account uses a private endpoint and the other uses a service endpoint. Azure Storage validates that the client has access to both the source and the destination storage accounts before allowing the data to be copied.
Resource instance rules for access to Azure Storage (preview)
Some Azure resources cannot be isolated through a virtual network or an IP address rule. However, you may still want to secure and restrict access to your storage account to only your application’s Azure resources. You can now configure your storage accounts to allow access only to specific resource instances of select Azure services by creating a resource instance rule. Resource instances must be in the same tenant as your storage account, but they may belong to any resource group or subscription in the tenant. Resource instance rules for access to Azure Storage are now in public preview in all Azure public regions.
Prevent Shared Key authorization on Azure Storage accounts (preview)
Every secure request to an Azure Storage account must be authorized. By default, requests can be authorized with either Azure Active Directory (Azure AD) credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Azure AD provides superior security and ease of use over Shared Key, and is recommended by Microsoft. To require clients to use Azure AD to authorize requests, you can disallow requests to the storage account that are authorized with Shared Key. Microsoft is announcing the public preview of the ability to disable Shared Key authorization for Azure Storage. Before you disable Shared Key authorization on existing storage accounts, Microsoft suggests checking existing access patterns via monitoring.
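Checking existing access patterns first, as the announcement suggests, means finding every client that still authorizes with the account key before the switch is flipped. The PowerShell below is an added example (not code from the announcement) that runs that check against the StorageBlobLogs table and only then disallows Shared Key; it assumes the account's diagnostic settings already send blob logs to a Log Analytics workspace, and the resource names and workspace ID are placeholders.

```powershell
# Added example: list clients still using Shared Key authorization, then disable it.
# Requires Az.Storage and Az.OperationalInsights; names and IDs are placeholders.
$rg          = "rg-storage"
$account     = "stsharedkeydemo"
$workspaceId = "00000000-0000-0000-0000-000000000000"   # placeholder workspace GUID

# 1. Who used the account key against this account in the last 30 days?
#    AuthenticationType is "AccountKey" for Shared Key and "OAuth" for Azure AD.
$kql = @"
StorageBlobLogs
| where TimeGenerated > ago(30d)
| where AccountName =~ "$account"
| where AuthenticationType == "AccountKey"
| summarize Requests = count(), LastSeen = max(TimeGenerated)
    by CallerIpAddress, UserAgentHeader, OperationName
| order by Requests desc
"@
$sharedKeyCallers = @((Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kql).Results)

if ($sharedKeyCallers.Count -gt 0) {
    # Disabling now would break these callers; migrate them to Azure AD (or SAS backed
    # by a user delegation key) first, then re-run this script.
    Write-Warning "Clients still authorizing with Shared Key on $account:"
    $sharedKeyCallers | Format-Table CallerIpAddress, UserAgentHeader, OperationName, Requests, LastSeen -AutoSize
    return
}

# 2. No Shared Key traffic observed: require Azure AD for data-plane requests.
Set-AzStorageAccount -ResourceGroupName $rg -Name $account -AllowSharedKeyAccess $false

# 3. Confirm. $null means the property was never set, i.e. Shared Key is still allowed.
(Get-AzStorageAccount -ResourceGroupName $rg -Name $account).AllowSharedKeyAccess
```

Keep the query running as a scheduled check after the change too: a request rejected for using the account key still shows up in the logs and tells you which client was missed.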
The new year began with several announcements from Microsoft regarding news related to Azure management services. The Cloud Community releases this summary monthly, allowing you to have a general overview of the main new features of the month, in order to stay up to date on these topics and have the necessary references to conduct further exploration.
The following diagram shows the different areas related to management, which are covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.
Figure 1 – Management services in Azure overview
Monitor
Azure Monitor
Cross query between Azure Monitor and Azure Data Explorer (preview)
Cross-querying between Azure Monitor and Azure Data Explorer allows you to query data exported to Azure Data Explorer or Azure blob storage and join it with the data in any Azure Monitor Log Analytics workspace.
Among the various features recently released we find the ability to perform queries:
Between Azure Data Explorer and Azure Monitor services (Log Analytics / Application Insights) and vice versa
On Azure Monitor logs exported from an Azure blob storage account using Azure Data Explorer
In Azure Monitor Log Analytics, the maximum data retention time frame is limited to 2 years. This aspect can be limiting in some areas, to the point that certain compliance criteria are not met. To overcome this limitation, you can export logs to an Azure blob storage. This new feature allows you to cross-query by including data exported to Azure blob storage in an integrated way.
Monitoring Azure Data Explorer Cluster with Azure Monitor (preview)
Azure Monitor expands its capabilities with Azure Monitor for Azure Data Explorer, which allows you to comprehensively monitor Azure Data Explorer clusters, providing a single view of performance, operations and actual usage.
Integration between Azure Monitor workbooks and Application Change Analysis (preview)
The recently released integration between Azure Monitor workbooks and Application Change Analysis allows you to create different types of charts, using as a data source the information about the changes made in the Azure environment. For example, you can create charts to see when important changes have occurred in the last 24 hours, or use the merge capability to see what changed before a memory spike on a VM.
ITSM Connector for ServiceNow ITOM with Secure Export (preview)
Secure Export is the new version (in preview) of the IT Service Management Connector (ITSM) of Azure Monitor, which allows you to automatically create work items in an ITSM tool when an Azure Monitor alert is fired. As part of the preview, a new integration with ServiceNow IT Operations Management (ITOM) using Secure Export was introduced.
Azure Monitor Network Insights
Azure Monitor Network Insights is now available and allows you to monitor your Azure network infrastructure through a centralized console. The main features of Network Insights are as follows:
A single console for network monitoring.
No agent configuration is required.
Centralized access to traffic and connectivity monitoring tools, which allow you to check health state, metrics, alerts and data.
A view of the network topology, with the ability to view functional dependencies. This makes it easier to troubleshoot problems.
Access to resource metrics for debugging when needed, without having to write queries or create specific workbooks.
Availability in new regions
Azure Monitor Log Analytics is now available in the following Azure regions: “Germany West Central”, “UAE North”, and “Switzerland West”. Furthermore, Azure Log Analytics is available in preview in two new regions: “UAE Central” and “Japan West”. To check the availability of the service in all the Azure regions you can consult this document.
Configure
Azure Automation
Availability in new regions
Azure Automation is now available in the “UAE North” and in the region of “Switzerland West”. To check the availability of the service in all the Azure regions you can consult this document.
Govern
Azure Policy
Support for NSG Flow Logs
NSG flow logs in the Azure platform allow you to maintain visibility of the network traffic entering and leaving Network Security Groups. To simplify the deployment experience, integrated support for NSG flow logs has been introduced in Azure Policy, which allows you to check whether they are enabled and to enforce the collection of NSG flow logs where they are disabled, specifically by using the following policies:
Audit policy: flags NSGs without flow logs enabled
DeployIfNotExists policy: enables flow logs on NSGs where they are disabled
Azure Cost Management
Updates related to Azure Cost Management and Billing
Microsoft is constantly looking for new ways to improve Azure Cost Management and Billing, the solution that provides greater visibility into where costs are accumulating in the cloud, identifies and prevents incorrect spending patterns, and optimizes costs. This article reports some of the latest improvements and updates regarding this solution, including:
New cost view for resource groups
Saving the last scope used
What's New in Cost Management Labs
Definition of roles and responsibilities
Cost-saving methodologies by running .NET apps on Azure
New ways to save money
New videos to deepen these issues
Documentation updates
Secure
Azure Security Center
Vulnerability assessment for on-premises and multi-cloud systems
The Azure Security Center solution has recently been enriched with the ability to carry out an integrated vulnerability assessment, not just of virtual machines in Azure, but also of systems located on-premises or in multi-cloud environments, as long as Azure Arc has been enabled on them.
The vulnerability scanning included in Azure Defender for servers is carried out through the Qualys solution, which is recognized as a leading tool for the real-time identification of potential vulnerabilities in systems.
Thanks to this update, it is possible to use Azure Defender for servers to consolidate the vulnerability management program across all the resources in your environment, both in Azure and elsewhere. The main features are:
Monitoring the VA scan (vulnerability assessment) on Azure Arc machines
Provisioning the VA agent on Azure Arc Windows and Linux machines (manually and on a large scale)
Receiving and analyzing vulnerabilities detected by distributed agents (manually and on a large scale)
Unified experience for Azure VMs and Azure Arc machines
What's new in Azure Security Center
Azure Security Center is constantly evolving and improvements are made on an ongoing basis. To stay up to date on the latest developments, Microsoft maintains this page, which provides information about new features, bug fixes and deprecated features. In particular, this month the main news concerns:
Azure Security Benchmark becomes the default initiative
Secure score for management groups (preview)
Secure score API
Dangling DNS protection added to Azure Defender for App Service
Multi-cloud connectors
Exemption, for subscriptions and management groups, for recommendations from the secure score
Users can request tenant-wide visibility
35 preview recommendations added
CSV export of filtered lists of recommendations
Resources “Not applicable” are reported as “Compliant” in Azure Policy assessments
Weekly export of secure score and regulatory compliance data through continuous export (preview)
Azure Defender for SQL updates and enhancements
In Azure Security Center, the following updates and improvements have been made to Azure Defender for SQL:
Azure Backup now offers the ability, currently in limited preview, to protect managed disks. Protection takes place through the periodic creation of snapshots that are retained for the duration established by the backup policy. The solution does not require specific agents and supports backup and recovery of both operating system and data disks (including shared disks), regardless of whether or not they are attached to a virtual machine running in Azure.
Encryption at rest with keys “customer-managed”
Azure Backup introduces support for encryption at rest using customer-managed keys. This feature encrypts backup data in Recovery Services vaults using your own keys stored in Azure Key Vault. Data is protected with an AES-256 data encryption key (DEK), which in turn is protected using the keys stored in the Key Vault. Compared to encryption with keys managed by the Azure platform (the default), this gives you more control over encryption key management, enabling you to better meet your compliance needs.
Azure Site Recovery
New Update Rollup
Update Rollup 53 has been released for Azure Site Recovery; it solves several issues and introduces some improvements. The details and the procedure to follow for the installation can be found in the specific KB.
Evaluation of Azure
To test for free and evaluate the services provided by Azure you can access this page.
To achieve a high level of security in your public cloud environment, you need to protect the individual resources that are activated, but it is also appropriate to monitor the service that deploys and manages those resources. In the Microsoft public cloud, the deployment and management service is Azure Resource Manager, a crucial service connected to all Azure resources and therefore a potential high-value target for attackers. Aware of this, Microsoft recently announced Azure Defender for Resource Manager. This article describes the features of this solution, which performs advanced security analysis in order to detect potential threats and alert you to suspicious activity affecting Azure Resource Manager.
In Azure Defender there are protections designed specifically for individual Azure services, such as Azure SQL DB, Azure Storage and Azure VMs, and protections that cut across all the components that the various Azure resources can use. The latter include Azure Defender for Azure Network and Key Vault, and the availability of Azure Defender for Azure DNS and Azure Resource Manager was also announced recently. These tools give you an additional level of protection and control in your Azure environment.
Figure 1 – Azure Defender Threat Protection for Azure Workloads
Azure Resource Manager provides the management layer that allows you to create, update and delete resources in the Azure environment. It also provides specific features for the governance of the Azure environment, such as access control, locks and tags, that help protect and organize resources after they are distributed.
Azure Defender for Resource Manager automatically monitors the organization's Azure resource management operations, regardless of whether these are done through the Azure portal, Azure REST APIs, the command line interface or with other Azure programming clients.
Figure 2 – Protection of Azure Defender for Resource Manager
To activate this type of protection, simply enable the specific Azure Defender plan in the Azure Security Center settings:
Figure 3 - Activation of Azure Defender for Resource Manager
Azure Defender for Resource Manager raises alerts when the following conditions occur:
Resource management operations classified as suspicious, such as operations from suspicious IP addresses, disabling of the antimalware component and ambiguous scripts running through VM extensions.
Use of exploitation toolkits such as Microburst or PowerZure.
Lateral movement from the Azure management layer to the Azure resource data plane.
A complete list of the alerts that Azure Defender for Resource Manager can generate is available in this Microsoft document.
Security alerts generated by Azure Defender for Resource Manager are based on potential threats that are detected by monitoring Azure Resource Manager operations using the following sources:
Azure Activity Log, the Azure platform log providing information about subscription-level events.
Azure Resource Manager internal logs, which are not accessible to customers but only to Microsoft personnel.
In order to obtain a better and more in-depth investigation experience, it is advisable to send the Azure Activity Log to Azure Sentinel, following the steps in this Microsoft document.
Simulating an attack on the Azure Resource Manager layer using the PowerZure exploitation toolkit, Azure Defender for Resource Manager generates a high-severity alert, as shown in the following image:
Figure 4 – Alert generated by Azure Defender for Resource Manager
For such an alert you can also receive a notification by appropriately setting up an action group in Azure Monitor. Furthermore, if the integration between Azure Security Center and Azure Sentinel has been activated, the same alert would also be present in Azure Sentinel, with the relevant information necessary to start the investigation process and provide a prompt response to a problem of this type.
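Once the Activity Log is flowing into the Sentinel workspace, the same categories of operation the article lists (removal of the antimalware extension, scripts executed through VM extensions, management calls from unexpected addresses) can be hunted directly with a query, which is useful both for triaging a Defender alert and as an independent check. The PowerShell below is an added example and is not Defender for Resource Manager's own detection logic; the workspace ID and the admin IP ranges are placeholders, and it assumes the Activity Log connector is already enabled.

```powershell
# Added example: hunt the AzureActivity table (Activity Log in the Sentinel workspace)
# for the kinds of Resource Manager operations the article describes.
# Requires Az.OperationalInsights; the workspace GUID and IP ranges are placeholders.
$workspaceId   = "00000000-0000-0000-0000-000000000000"     # placeholder workspace GUID
$knownAdminIps = @("203.0.113.0/24", "198.51.100.10/32")    # placeholder admin ranges (RFC 5737 space)

# The admin ranges are injected into the KQL as a JSON array via the here-string.
$kql = @"
let adminRanges = dynamic($(ConvertTo-Json $knownAdminIps -Compress));
AzureActivity
| where TimeGenerated > ago(24h)
| where CategoryValue == "Administrative"
| extend op = tolower(OperationNameValue)
| extend Reason = case(
    op == "microsoft.compute/virtualmachines/extensions/delete" and _ResourceId contains "antimalware", "Antimalware extension removed",
    op == "microsoft.compute/virtualmachines/extensions/write"  and _ResourceId contains "customscript", "Script run through VM extension",
    op == "microsoft.compute/virtualmachines/runcommand/action", "Run Command executed on VM",
    not(ipv4_is_in_any_range(CallerIpAddress, adminRanges)), "Management call from unexpected IP",
    "")
| where isnotempty(Reason)
| project TimeGenerated, Reason, Caller, CallerIpAddress, OperationNameValue, ActivityStatusValue, _ResourceId
| order by TimeGenerated desc
"@

$hits = @((Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kql).Results)
if ($hits.Count -eq 0) {
    "No suspicious Resource Manager operations in the last 24 hours."
} else {
    # Each row is one management-plane call worth a look; Caller is the identity that made it.
    $hits | Format-Table TimeGenerated, Reason, Caller, CallerIpAddress, OperationNameValue, ActivityStatusValue -AutoSize
}
```

Rows for a service principal or a CallerIpAddress that is empty usually come from platform-side or automation calls; correlate them with the Defender alert's resource and time window before escalating.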
Conclusions
Protecting resources effectively in the Azure environment also means adopting the appropriate tools to deal with potential attacks that exploit the deployment and management mechanisms of the resources themselves. Thanks to the new Azure Defender for Resource Manager, it is possible to obtain effective protection fully integrated into the Azure platform, without having to install specific software or enable additional agents.
Microsoft has announced plans for a new datacenter region in Chile, as part of a “Transforma Chile” initiative. A skilling program as well as an Advisory Board are also part of the initiative, targeted at reaching 180,00 Chileans.
NCas_T4_v3-Series VMs are now generally available
NCas_T4_v3 virtual machines feature 4 NVIDIA T4 GPUs with 16 GB of memory each, up to 64 non-multithreaded AMD EPYC 7V12 (Rome) processor cores, and 448 GiB of system memory. These virtual machines are ideal for running ML and AI workloads using CUDA, TensorFlow, PyTorch, Caffe and other frameworks, or graphics workloads using NVIDIA GRID technology. NCas_T4_v3 VMs are now generally available in the West US 2, West Europe and Korea Central regions.
Networking
Public IP SKU upgrade
Azure public IP addresses now support the ability to be upgraded from Basic to Standard SKU. Additionally, any Basic Public Load Balancer can now be upgraded to a Standard Public Load Balancer, while retaining the same public IP address. This is supported via PowerShell, CLI, templates, and API and available across all Azure regions.
To better meet the need for solutions that can extend your environment from the main datacenter to peripheral sites with innovative Azure services, Microsoft makes the Azure Stack portfolio available to its customers. It is a set of hybrid cloud solutions that allow you to deploy and run your application workloads consistently, without restrictions imposed by geographical location. This article provides an overview of the Azure Stack Edge (ASE) platform and its characteristics, examining the use cases and the main features.
Before going into the specifics of Azure Stack Edge it is good to specify that the solutions included in the Azure Stack portfolio are the following:
Azure Stack Edge: the Azure managed appliance that can bring computational power, cloud storage and intelligence in a remote edge of the customer.
Azure Stack HCI: the solution that allows the execution of virtual machines and an easy connection to Azure thanks to a hyper-converged infrastructure (HCI).
Azure Stack Hub: the offering for enterprise companies and public sector customers that need a cloud environment disconnected from the Internet, or that need to meet specific regulatory and compliance requirements.
Figure 1 – Azure Stack Product Family
To get an overview of these solutions I invite you to read this article.
Azure Stack Edge value proposition
The results that can be obtained by adopting the Azure Stack Edge solution are the following:
Possibility of adopting an on-premises Infrastructure as a Service (IaaS) model for workloads at peripheral sites (the edge), where both hardware and software are provided by Microsoft.
Ability to run applications at customer sites, in order to keep them close to the data sources. Furthermore, it allows you to run not only proprietary and third-party applications at the edge, but also to take advantage of various Azure services.
Availability of built-in hardware accelerators that allow you to run machine learning and AI scenarios at the edge, right where the data is, without having to send data to the cloud for further analysis.
Possibility of having an integrated cloud storage gateway that allows easy data transfer from the edge to the cloud environment.
Usage scenarios
The main scenarios for using Azure Stack Edge are the following:
Machine learning at peripheral sites: thanks to the presence of integrated hardware accelerators and the processing capabilities offered by the solution, you have the ability to cope with these scenarios right where the data resides, processing them in real time, without having to send them to Azure.
Computational capacity at edge: customers can run their business applications and IoT solutions at peripheral sites, without necessarily having to rely on constant connectivity to the cloud environment.
Network transfer of data from the edge to the cloud: used in scenarios where you want to periodically transfer data from the edge to the cloud, for further analysis or storage purposes.
Form factors
To support the different usage scenarios described above across industry verticals, Azure Stack Edge is available in three separate form factors:
Azure Stack Edge Pro, a 1U blade server with one or two GPUs.
Azure Stack Edge Pro R, a rugged server with GPU, in a sturdy carrying case, complete with UPS and backup battery.
Azure Stack Edge Mini R, a machine with a reduced form factor, a battery and a low weight (less than 3.5 kg).
Figure 2 – Azure Stack Edge Form Factors
Azure Stack Edge "rugged" versions allow resistance to extreme environmental conditions, and battery-powered versions allow easy transport.
Azure Stack Edge stack software
The customer can order and provision Azure Stack Edge directly from the Azure portal, and then use the classic Azure management tools to monitor it and apply updates. Hardware support is provided directly by Microsoft, which replaces components in case of problems. There is no upfront cost to obtain the appliance; the cost is included monthly in the billing of Azure services. Since, once configured, any application running on Azure Stack Edge can be configured and deployed from the Azure portal, the need for IT staff at the edge location is eliminated.
Azure Stack Edge Computational Capacity
The ability to offer computational capacity at the edge is one of the key features of Azure Stack Edge, and it can be provided in one of the following ways:
IoT Edge: the execution of containerized workloads distributed through the IoT Hub has been supported since the launch of Azure Stack Edge and continues to be so.
Kubernetes: support was recently introduced for the execution of containerized workloads in Kubernetes clusters running on Azure Stack Edge.
Virtual machines: another way to run applications is by activating workloads inside virtual machines.
Kubernetes environment in Azure Stack Edge
Kubernetes is becoming the de facto standard for the execution and orchestration of containerized workloads, but anyone familiar with these environments is aware of the operational challenges that can arise from managing a Kubernetes cluster. In this context, the goal of Azure Stack Edge is to simplify the deployment and management of Kubernetes clusters. With a simple configuration, you can activate a Kubernetes cluster on Azure Stack Edge.
Once the Kubernetes cluster has been configured, additional management steps are required, and these are simplified in ASE with simple add-ons. Among these operations we find:
The ability to easily enable hardware accelerators.
The provisioning of the storage system to create persistent volumes.
Keeping the cluster up to date with Kubernetes releases by applying the latest available updates.
The ability to apply security and governance mechanisms from your own infrastructure.
Once the cluster environment is configured, simple mechanisms are provided for deploying and managing workloads on the Kubernetes cluster, using the following modes:
Azure Arc: ASE comes with native integration with Azure Arc. With just a few steps you can enable Azure Arc, allowing applications to be deployed to the Kubernetes cluster directly from the Azure portal.
IoT Hub: by enabling the IoT Hub add-on, it is possible to use it for the distribution of containers.
Kubectl: finally, the native kubectl approach is supported, typically used in disconnected environments or where an existing infrastructure already integrates with this mode.
Figure 3 – Kubernetes deployment in Azure Stack Edge
Virtual machines in Azure Stack Edge
Another way to offer computational capacity at the edge is the activation of virtual machines. Azure Stack Edge allows you to host both Windows and Linux virtual machines, offering the ability to deploy and manage them directly from Azure or by acting locally.
Figure 4 – Virtual Machines in Azure Stack Edge
One thing to consider is that Azure Stack Edge allows you to set up simpler network topologies than Azure or Azure Stack Hub.
Regarding the hardware acceleration features in Azure Stack Edge, these two variants are supported:
GPU NVIDIA T4, fully integrated with the GPU stack
Intel Movidius Visual Processing Unit (VPU), for AI and ML scenarios
Azure services that can be deployed in Azure Stack Edge
The number of services that can be activated in Azure Stack Edge is large; among those recently introduced we find:
Live Video Analytics: a platform for creating video solutions and applications based on artificial intelligence, to obtain real-time insights from video streams.
Spatial Analysis: a real-time computer vision module to analyze videos and understand people's movements in physical spaces. For example, during the Covid period, many retail stores want to implement social distancing policies and can use the spatial analysis module to understand certain behavior based on videos shot in the store.
Azure Monitor: helps improve application performance and availability by collecting and analyzing container logs.
Figure 5 – Azure Solutions in Azure Stack Edge
Conclusions
In enterprise environments, the adoption of fully cloud-based solutions is not always a viable choice, or the best one; hybrid solutions often have to be adopted, which still include the possibility of using the innovations introduced by the cloud. Azure Stack Edge is a flexible and modern solution that allows you to meet the needs emerging at edge sites, even the most challenging ones, without neglecting the potential offered by the public cloud.
In the last week of the year, there was little news, thanks to the holiday period. This series of blog posts will continue into 2021. I take this opportunity to wish you a Happy New Year!
Azure Application Consistent Snapshot tool (AzAcSnap) is in public preview. It is a command-line tool that simplifies data protection for third-party databases (SAP HANA) in Linux environments (for example, SUSE and RHEL).
In December, Microsoft announced several news items regarding Azure management services. Our community publishes this monthly summary to give you a comprehensive overview of the main news of the month, so that you can stay up to date and have the references needed for further study.
The following diagram shows the different areas related to management, which are covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.
Figure 1 – Management services in Azure overview
Monitor
Azure Monitor
New Azure Monitor agent and new Data Collection Rules features (preview)
Azure Monitor introduces (in preview) a new unified agent (Azure Monitor Agent, AMA) and a new concept to make data collection more efficient (Data Collection Rules, DCR).
Among the key features added in this new agent we find:
Support for Azure Arc servers (Windows and Linux)
Virtual Machine Scale Set (VMSS) support
Installation via ARM template
With regard to data collection, these innovations have been made:
Better control in defining the scope of data collection (e.g. the ability to collect from a subset of VMs for a single workspace)
Single collection with delivery to both Log Analytics and Azure Monitor Metrics
Sending to multiple workspaces (multi-homing for Linux)
Ability to filter Windows events more precisely
Better extension management
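As an added example, not code from the original post or from Microsoft, the following ARM template defines one Data Collection Rule that applies several of the capabilities listed above: it filters Windows events with XPath queries so that only logon events (4624, 4625, 4672) and critical/error entries from the System log are collected, sends that event stream to two Log Analytics workspaces (multi-homing, for instance one for the security team and one for IT operations), sends a small set of performance counters to Azure Monitor Metrics, and finally associates the rule with a virtual machine. The API version 2019-11-01-preview, the rule and association names, the parameter names, and the choice of event IDs are assumptions; the workspace and VM values are placeholders to be supplied at deployment time.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "description": "Illustrative example added to the article; not Microsoft's or the authors' template. Names and API version are assumptions."
  },
  "parameters": {
    "vmName": { "type": "string", "metadata": { "description": "Placeholder: name of the VM (same resource group) that the rule is attached to." } },
    "secOpsWorkspaceId": { "type": "string", "metadata": { "description": "Placeholder: resource ID of the security team's Log Analytics workspace." } },
    "itOpsWorkspaceId": { "type": "string", "metadata": { "description": "Placeholder: resource ID of the IT operations Log Analytics workspace." } },
    "location": { "type": "string", "defaultValue": "[resourceGroup().location]" }
  },
  "resources": [
    {
      "type": "Microsoft.Insights/dataCollectionRules",
      "apiVersion": "2019-11-01-preview",
      "name": "dcr-security-baseline",
      "location": "[parameters('location')]",
      "properties": {
        "dataSources": {
          "windowsEventLogs": [
            {
              "name": "logonAndSystemErrors",
              "streams": [ "Microsoft-Event" ],
              "xPathQueries": [
                "Security!*[System[(EventID=4624 or EventID=4625 or EventID=4672)]]",
                "System!*[System[(Level=1 or Level=2)]]"
              ]
            }
          ],
          "performanceCounters": [
            {
              "name": "cpuAndMemory",
              "streams": [ "Microsoft-InsightsMetrics" ],
              "samplingFrequencyInSeconds": 60,
              "counterSpecifiers": [
                "\\Processor(_Total)\\% Processor Time",
                "\\Memory\\Available Bytes"
              ]
            }
          ]
        },
        "destinations": {
          "logAnalytics": [
            { "name": "secOpsWorkspace", "workspaceResourceId": "[parameters('secOpsWorkspaceId')]" },
            { "name": "itOpsWorkspace", "workspaceResourceId": "[parameters('itOpsWorkspaceId')]" }
          ],
          "azureMonitorMetrics": { "name": "azureMonitorMetrics-default" }
        },
        "dataFlows": [
          { "streams": [ "Microsoft-Event" ], "destinations": [ "secOpsWorkspace", "itOpsWorkspace" ] },
          { "streams": [ "Microsoft-InsightsMetrics" ], "destinations": [ "azureMonitorMetrics-default" ] }
        ]
      }
    },
    {
      "type": "Microsoft.Insights/dataCollectionRuleAssociations",
      "apiVersion": "2019-11-01-preview",
      "scope": "[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]",
      "name": "dcra-security-baseline",
      "dependsOn": [ "[resourceId('Microsoft.Insights/dataCollectionRules', 'dcr-security-baseline')]" ],
      "properties": {
        "dataCollectionRuleId": "[resourceId('Microsoft.Insights/dataCollectionRules', 'dcr-security-baseline')]"
      }
    }
  ]
}
```

The template is deployed as a normal resource-group deployment (for example with az deployment group create or New-AzResourceGroupDeployment), and the Azure Monitor Agent extension must already be installed on the VM. The XPath filter is where the event volume is controlled: collecting only the event IDs a detection actually needs keeps ingestion cost down without losing the logon telemetry that the security workspace relies on.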
Azure Monitor for Windows Virtual Desktop (preview)
Azure Monitor now allows you to perform the following operations related to Windows Virtual Desktop environments:
View a summary of the status and health of host pools
Find and resolve any deployment issues
Evaluate resource usage and make decisions about scalability and cost management
Understand and address user feedback
Azure Monitor for containers: tab reports and deployment logs
In Azure Monitor for containers, a new Reports tab has been made available that gives customers complete access to all the advanced monitoring workbooks for Kubernetes, for example: node disk, node network, workload and persistent volume monitoring.
Furthermore, you can now view real-time logs of Azure Kubernetes Service (AKS) deployments, accessing the live logs of the pods directly. Log Analytics allows you to search by applying filters to view historical pod deployment logs, which is useful for diagnosing issues.
Azure Monitor for containers: support for private cluster live logs (preview)
In Azure Monitor for containers, support for private cluster live logs has been introduced; this allows you to view container logs, pod events and metrics in real time. For more details, please refer to the Microsoft documentation.
Infrastructure Encryption for Azure Monitor data
Starting from 1 November 2020, data that flows into Azure Monitor is encrypted twice: at the service level and now also at the infrastructure level, thanks to the double encryption available for Azure Storage.
Configure
Azure Automation
Support for Azure Private Link available
Microsoft has introduced support for Azure Private Link, which is needed to securely connect virtual networks to Azure Automation through the use of private endpoints. This feature is useful for:
Establishing a private connection with Azure Automation, without opening access from the public network.
Ensuring that Azure Automation data is accessible only through authorized private networks.
Protecting against data exfiltration by allowing granular access to specific resources.
Keeping all traffic within the Microsoft Azure backbone network.
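As an added example, not taken from the original post or from Microsoft's documentation, the ARM template below shows the two settings that together give the benefits listed above: the Automation account is created with public network access turned off (the weak default being an account that still answers on its public endpoint), and a private endpoint in the customer's subnet connects to the account's Webhook sub-resource, with a private DNS zone and zone group so that the account's hostname resolves to the private IP from inside the virtual network. The resource names, the parameters and the API versions are assumptions; the subnet and virtual network values are placeholders to be supplied at deployment time.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "description": "Illustrative example added to the article; not Microsoft's or the authors' template. Names and API versions are assumptions."
  },
  "parameters": {
    "automationAccountName": { "type": "string" },
    "subnetId": { "type": "string", "metadata": { "description": "Placeholder: resource ID of the subnet that hosts the private endpoint." } },
    "vnetId": { "type": "string", "metadata": { "description": "Placeholder: resource ID of the virtual network to link to the private DNS zone." } },
    "location": { "type": "string", "defaultValue": "[resourceGroup().location]" }
  },
  "variables": {
    "privateDnsZoneName": "privatelink.azure-automation.net",
    "privateEndpointName": "pe-automation-webhook",
    "automationAccountId": "[resourceId('Microsoft.Automation/automationAccounts', parameters('automationAccountName'))]"
  },
  "resources": [
    {
      "type": "Microsoft.Automation/automationAccounts",
      "apiVersion": "2020-01-13-preview",
      "name": "[parameters('automationAccountName')]",
      "location": "[parameters('location')]",
      "properties": {
        "sku": { "name": "Basic" },
        "publicNetworkAccess": false
      }
    },
    {
      "type": "Microsoft.Network/privateEndpoints",
      "apiVersion": "2020-06-01",
      "name": "[variables('privateEndpointName')]",
      "location": "[parameters('location')]",
      "dependsOn": [ "[variables('automationAccountId')]" ],
      "properties": {
        "subnet": { "id": "[parameters('subnetId')]" },
        "privateLinkServiceConnections": [
          {
            "name": "automation-webhook",
            "properties": {
              "privateLinkServiceId": "[variables('automationAccountId')]",
              "groupIds": [ "Webhook" ]
            }
          }
        ]
      }
    },
    {
      "type": "Microsoft.Network/privateDnsZones",
      "apiVersion": "2020-06-01",
      "name": "[variables('privateDnsZoneName')]",
      "location": "global",
      "properties": {}
    },
    {
      "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks",
      "apiVersion": "2020-06-01",
      "name": "[concat(variables('privateDnsZoneName'), '/link-to-vnet')]",
      "location": "global",
      "dependsOn": [ "[resourceId('Microsoft.Network/privateDnsZones', variables('privateDnsZoneName'))]" ],
      "properties": {
        "registrationEnabled": false,
        "virtualNetwork": { "id": "[parameters('vnetId')]" }
      }
    },
    {
      "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
      "apiVersion": "2020-06-01",
      "name": "[concat(variables('privateEndpointName'), '/default')]",
      "dependsOn": [
        "[resourceId('Microsoft.Network/privateEndpoints', variables('privateEndpointName'))]",
        "[resourceId('Microsoft.Network/privateDnsZones', variables('privateDnsZoneName'))]"
      ],
      "properties": {
        "privateDnsZoneConfigs": [
          {
            "name": "automation",
            "properties": { "privateDnsZoneId": "[resourceId('Microsoft.Network/privateDnsZones', variables('privateDnsZoneName'))]" }
          }
        ]
      }
    }
  ]
}
```

The Webhook group ID covers webhook calls to the account; if Hybrid Runbook Workers or DSC nodes also need private connectivity, a second private endpoint with the group ID DSCAndHybridWorker is required. A quick check after deployment is to resolve the account's hostname from a VM inside the virtual network and confirm it returns the private endpoint's IP rather than a public address.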
Availability in new regions
Azure Automation is now available in the “Norway East” and “Germany West Central” regions. To check the availability of the service in all Azure regions, you can consult this document.
Support for Python3 runbooks (preview)
In Azure Automation, you can now import, create and run Python 3 runbooks in Azure or on a Hybrid Runbook Worker.
Evaluation of Azure
To test for free and evaluate the services provided by Azure you can access this page.
Azure VMware Solution: now available in UK South and Japan East Azure regions
The new Azure VMware Solution enables customers to seamlessly extend or migrate their existing on-premises VMware applications to Azure without the cost, effort or risk of re-architecting applications or retooling operations. General availability of the new Azure VMware Solution was announced at Microsoft Ignite in September 2020, with initial availability in US East, US West, West Europe and Australia. Microsoft has now expanded availability to two more Azure regions: Japan East and UK South. For updates on upcoming region availability, please visit the product by region page here.
HBv2-series VMs for HPC now available in the UAE North region
HBv2 VMs are now generally available in the Azure UAE North region.
Storage
Azure File Sync agent v11.1
Azure File Sync agent v11.1 is now on Microsoft Update and Microsoft Download Center.
Improvements and issues that are fixed:
New cloud tiering modes to control initial download and proactive recall
Initial download mode: you can now choose how you want your files to be initially downloaded onto your new server endpoint. Want all your files tiered or as many files as possible downloaded onto your server by last modified timestamp? You can do that! Can’t use cloud tiering? You can now opt to avoid tiered files on your system. To learn more, see Create a server endpoint section in the Deploy Azure File Sync documentation.
Proactive recall mode: whenever a file is created or modified, you can proactively recall it to servers that you specify within the same sync group. This makes the file readily available for consumption in each server you specified. Have teams across the globe working on the same data? Enable proactive recalling so that when the team arrives the next morning, all the files updated by a team in a different time zone are downloaded and ready to go! To learn more, see Proactively recall new and changed files from an Azure file share section in the Deploy Azure File Sync documentation.
Exclude applications from cloud tiering last access time tracking
You can now exclude applications from last access time tracking. When an application accesses a file, the last access time for the file is updated in the cloud tiering database. Applications that scan the file system like anti-virus cause all files to have the same last access time which impacts when files are tiered. For more details, see the release notes.
Miscellaneous performance and reliability improvements
Improved change detection performance to detect files that have changed in the Azure file share.
Improved sync upload performance.
Initial upload is now performed from a VSS snapshot which reduces per-item errors and sync session failures.
Sync reliability improvements for certain I/O patterns.
Fixed a bug to prevent the sync database from going back in time on failover clusters when a failover occurs.
Improved recall performance when accessing a tiered file.
More information about this release:
This update is available for Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019 installations that have Azure File Sync agent version 4.0.1.0 or later installed.
The agent version for this release is 11.1.0.0.
A restart may be required if files are in use during the agent installation.
Installation instructions are documented in KB4539951.