Category Archives: Microsoft Azure

Azure IaaS and Azure Stack: announcements and updates (August 2024 – Weeks: 33 and 34)

This blog post series highlights the key announcements and major updates related to Azure Infrastructure as a Service (IaaS) and Azure Stack, as officially released by Microsoft in the past two weeks.

Azure

General

Enable Multifactor Authentication by 15 October 2024

Starting on 15 October 2024, Azure will require all users to utilize multifactor authentication (MFA) when signing into the Azure portal, Microsoft Entra admin center, and Intune admin center. To ensure continued access for users, it is crucial to enable MFA by the specified date. For those unable to implement MFA by 15 October 2024, there is an option to apply for a postponement of the enforcement date. Failure to enable MFA or apply for a postponement will result in users being required to set up MFA when accessing these services. Azure provides documentation to assist in identifying which users are signing in with or without MFA.

Azure Chaos Studio Supports New Network Isolation Fault for Virtual Machines

Azure Chaos Studio has introduced a new agent-based fault action for both Windows and Linux virtual machines (VMs) and virtual machine scale sets (VMSS). The Network Isolation fault allows customers to isolate an Azure VM from network connections by dropping all packets for a specified duration, subject to certain environment limitations. This feature is designed to help test the resilience of applications running inside VMs against network traffic loss. Users can implement this fault in Chaos Experiments through templates, the REST API, or directly in the Azure portal.

Compute

Attach and Detach of VMs on Virtual Machine Scale Sets for a Single Fault Domain (preview)

In a new public preview, Azure now offers support for attaching and detaching Virtual Machines (VMs) to and from Virtual Machine Scale Sets (VMSS) configured with Flexible Orchestration Mode and a fault domain count of 1. Once a VM is attached to the VMSS, it becomes part of the scale set, gaining access to features such as autoscale, Instance Repair, and Automatic OS Upgrades, all without requiring downtime. Conversely, if troubleshooting outside of the scale set is needed, the VM can be easily detached for further investigation. This functionality is designed to streamline the management of VMs within and across scale sets.

Instance Mix on Virtual Machine Scale Sets (preview)

Azure has introduced the public preview of Instance Mix, a feature designed to enhance the flexibility and cost efficiency of Virtual Machine Scale Set (VMSS) deployments. Instance Mix allows users to specify a variety of VM sizes within a single VMSS, enabling better alignment with workload requirements. The feature also includes an allocation strategy that optimizes either price or capacity. Key benefits include the ability to mix different VM sizes to meet diverse task demands, achieve cost savings by utilizing appropriately sized VMs, and simplify management by overseeing a heterogeneous VM set under one scale set. This new capability helps to maximize performance by ensuring the right resources are allocated to each task.

Networking

Dedicated Log Analytics Tables in Application Gateway

Azure Application Gateway has introduced general availability for storing logs in dedicated log analytics tables. This new feature allows customers to opt for resource-specific tables instead of using the existing Azure Diagnostic table. In resource-specific mode, separate tables are created for each selected category in the diagnostic settings within the chosen workspace. This enhancement offers better log querying capabilities, along with reduced ingestion latencies and faster query times, making it easier to analyze and manage logs efficiently.

Storage

Double Encryption at-Rest for Azure NetApp Files

Azure NetApp Files has introduced a double encryption at-rest feature, adding multiple independent encryption layers to protect data from threats that could compromise a single encryption layer. This feature mitigates risks such as the compromise of a single encryption key, errors in encryption algorithm implementations, and misconfigurations in data encryption. Users can opt for double encryption when creating capacity pools, ensuring that all volumes within these pools are automatically protected without additional steps. Customers requiring their own encryption key management can configure customer-managed keys for this purpose. Importantly, this enhanced security does not significantly impact performance, allowing existing applications to benefit from FIPS-140 certified double encryption without sacrificing efficiency.

Azure NetApp Files Now Supports 50 GiB Minimum Volume Sizes

Azure NetApp Files has introduced support for 50 GiB minimum volume sizes, a significant enhancement from the previous 100 GiB minimum. This new capability allows customers to create storage volumes as small as 50 GiB, optimizing costs for workloads that require less storage. By enabling customers to right-size their volumes, this update offers more efficient storage management and cost savings, particularly for those with smaller-scale storage needs.

Azure NetApp Files Storage with Cool Access for All Service Levels

Azure NetApp Files has reached general availability with its cool access feature, offering a cost-effective storage solution across all service levels, including standard, premium, and ultra. The cool access feature allows data that is infrequently accessed to be transparently moved to Azure storage accounts, optimizing storage costs. This feature includes configurable options for the “coolness period”, determining the duration after which cold data is tiered to a cool storage tier, based on your workload’s access patterns. While this may introduce some latency due to data being tiered, it significantly reduces overall storage expenses. Additionally, in scenarios involving cross-region or cross-zone replication, cool access can be configured for destination volumes, ensuring data protection while optimizing costs.

Customer Managed Planned Failover for Azure Storage (preview)

Azure Storage has introduced a public preview of the planned failover feature, empowering users with enhanced disaster recovery capabilities. Planned failover allows for the seamless failover of a storage account while maintaining geo-redundancy, with no data loss and without the need to reconfigure geo-redundant storage (GRS) after the operation. This feature facilitates the swapping of primary and secondary endpoints, ensuring continuous availability of storage service endpoints. Once the failover is completed, all new data writes are directed to the region that was previously the secondary, now designated as the new primary region. This feature is ideal for scenarios like planned disaster recovery testing, proactive disaster preparedness, or recovery from non-storage related outages.

Azure Stack

Azure Stack HCI

Upgrade and Update from Azure Stack HCI Version 22H2 to 23H2 Now Available

Azure has announced the gradual availability of upgrade and update from Azure Stack HCI version 22H2 to 23H2, the latest iteration of its hyper-converged infrastructure solution. This new version integrates seamlessly with Azure Arc infrastructure, enabling streamlined provisioning and management of workloads such as Arc-enabled virtual machines, Azure Kubernetes Services, and Azure Virtual Desktop. With the 23H2 release, Azure Stack HCI transitions from being solely a cloud-connected operating system to becoming a fully Arc-enabled solution. This evolution layers Azure Arc and the Orchestrator (also known as the Lifecycle Manager) atop the base operating system, packaged together following an Infrastructure as Code (IaC) model for improved deployment and management efficiency.

Upgrading from version 22H2 to 23H2 introduces a host of new capabilities and represents a significant advancement in functionality. The upgrade process involves several key steps: first, updating the existing operating system to the new version using preferred methods such as PowerShell (recommended), Windows Admin Center, or other manual approaches; followed by performing necessary post-upgrade tasks, validating the solution’s readiness, and finally applying the complete solution upgrade.

It’s important to distinguish this upgrade from regular updates, which are periodic changes applied to enhance performance, security, or stability within the same version. Organizations are encouraged to perform this upgrade to leverage the enhanced features and integrations offered by Azure Stack HCI, version 23H2.

Conclusion

Over the past two weeks, Microsoft has introduced a slew of updates and announcements pertaining to Azure Infrastructure as a Service (IaaS) and Azure Stack. These developments underscore the tech giant’s unwavering commitment to enhancing its cloud offerings and adapting to the ever-evolving needs of businesses and developers. Users of Azure can anticipate improved functionalities, streamlined services, and enriched features as a result of these changes. Stay tuned for more insights as I continue to monitor and report on Azure’s progression in the cloud sphere.

Azure IaaS and Azure Stack: announcements and updates (August 2024 – Weeks: 31 and 32)

Azure

General

Azure Carbon Optimization (preview)

Azure Carbon Optimization, now in preview, equips Azure developers and IT professionals with the data and insight to optimize the carbon footprint of their cloud consumption. By providing insights into carbon emissions and offering recommendations to enhance the efficiencies of cloud resources, organizations can make more informed decisions to meet their business and cloud sustainability goals. Key features include granular emissions data at the resource level, optimization recommendations, role-based access control, carbon equivalents for better visualization, and integration with Microsoft Azure emissions insights (preview) for deeper analytics capabilities.

Storage

Azure Blob Storage Lifecycle Management Now Supports Improved Control on Archiving

Lifecycle management now offers users more control over how objects rehydrated from the archive tier are returned to archive after access. The daysAfterLastTierChangeGreaterThan option has been expanded, allowing users to specify a minimum duration that rehydrated objects stay accessible in an online tier. This prevents immediate re-archiving of recently rehydrated objects by applying the daysAfterLastTierChangeGreaterThan property in lifecycle rules based on Creation Time and Last Accessed Time, in addition to the existing Last Modified Time.

Azure NetApp Files zone volume placement enhancement – Populate existing volume
Azure NetApp Files has introduced an enhancement to its availability zone volume placement feature, allowing users to populate previously deployed, existing volumes with logical availability zone information. This update aligns volumes with other Azure services within the same availability zone, without moving them between zones. The enhancement is particularly beneficial for workloads initially deployed regionally, enabling them to align with virtual machines in the same failure domain, which is essential for high-availability architectures across availability zones. Additionally, this feature supports replication across availability zones, facilitating improved data protection.

Azure NetApp Files cross-zone replication
Azure NetApp Files has launched a new cross-zone replication feature, enabling asynchronous replication of volumes across different availability zones within the same Azure region. Leveraging SnapMirror® technology, this feature ensures that only changed blocks are transferred in a compressed format, optimizing network usage and reducing replication times. Cross-zone replication is designed to protect data against unforeseen zone failures without requiring host-based replication. It minimizes data transfer requirements, thereby lowering replication time and achieving a smaller Restore Point Objective (RPO). Additionally, this feature is highly cost-effective as it does not involve any network transfer costs.

Azure NetApp Files Volume Encryption Key Transition (preview)

This new feature in preview allows customers to transition their existing volumes protected with platform-managed keys (PMK) to volumes encrypted using customer-managed keys (CMK) stored in Azure Key Vault. CMK provides enhanced key manageability and security by enabling direct management of key rotation, access, permissions, and auditing tasks. This feature helps organizations comply with regulatory requirements and manage encryption keys securely without impacting performance, as the CMK protects the account encryption key using Azure Key Vault.

Azure Stack

Azure Stack HCI

Optimize Azure Stack HCI with the Well-Architected Framework

Microsoft is announcing the Azure Well-Architected Framework Service Guide for Azure Stack HCI. This guide contains design checklists and detailed configuration recommendations to assist cloud architects in designing and deploying Azure Stack HCI according to the guiding principles of the Well-Architected Framework: Reliability, Security, Cost Optimization, Operational Excellence, and Performance Efficiency. Whether planning a new deployment or enhancing an existing one, the guide provides tailored advice, rationales for recommendations, and links to product documentation for further details.

Conclusion

Azure Management services: what’s new in July 2024

This month, Microsoft introduced a series of significant updates related to Azure management services. Through this series of monthly articles, the aim is to provide an overview of the most relevant new features. The goal is to keep you constantly informed about these developments, providing you with essential information to further explore these topics.

The following diagram shows the different areas related to management, which are covered in this series of articles:

Figures 1 – Overview of Management Services in Azure

Monitor

Azure Monitor

Introduction of Agent and Gateway Extensions in Azure Monitor SCOM MI

Microsoft has announced the general availability (GA) of Agent and Gateway Server extensions in Azure Monitor SCOM MI. This new functionality enables large-scale, programmatic monitoring on Windows machines in Azure and Azure Arc-enabled machines. Now, it is possible to monitor virtual machines both in Azure and outside of Azure.

The Agent and Gateway extensions offer the following advantages:

Monitoring Anywhere: SCOM MI can monitor virtual machines and guest applications hosted both in and outside Azure through the Arc channel. Managed Gateways can monitor isolated virtual machines.
Large-scale Deployment: Users can enable large-scale virtual machine monitoring through the Azure portal or PowerShell scripts, improving operational efficiency.
Agile Transition: With multi-homing support, users can transition monitoring from on-premises SCOM to Azure Monitor SCOM MI at their own pace and needs.
Security and Automatic Updates: SCOM MI agents use managed identities and certificate-based authentication, providing a significant improvement over legacy Kerberos authentication. Agents are automatically updated, eliminating the need for frequent update management.

Thanks to these capabilities, Azure Monitor SCOM MI becomes easier to operate. During the Public Preview, over 20 customers deployed more than 1,200 agents, and their feedback has helped further streamline the experience.

As more SCOM customers are expected to transition to monitoring with SCOM MI, the goal is to make the process as smooth as possible through the following features:

Extended Onboarding Experiences: Onboarding monitoring agents at scale via ARM templates, Azure policies, and Azure Automation.
Scheduled Updates: Providing the flexibility to schedule agent updates according to the organization’s change management process.

New Azure Monitor Auxiliary Logs Plan (Preview)

Azure Monitor Logs introduces a new tiered strategy plan for optimal consumption and cost optimization: Auxiliary Logs. Auxiliary Logs are designed for verbose logs and are economical, while providing a range of functionalities to manage and consume data.

Azure Monitor’s multi-tier strategy now supports three plans – Analytics, Basic, and the new Auxiliary – allowing all logs to be stored in one place and different types of data to be retained for the desired time at a cost-effective price.

With Auxiliary Logs, you can:

Optimize Costs: Funnel low-value or verbose logs into the Auxiliary table.
Long-Term Data Retention: Retain data for up to 12 years at a low cost.
Query Access: Use queries to access the last 30 days of data or search for older data using search jobs.
Summary Rules (Preview): Aggregate data and ingest the results into a table with an Analytics plan for use in dashboards, alerts, or performing complex analysis on aggregated data.

During the initial preview period, billing for Auxiliary Logs (ingestion, long-term retention, query, and search jobs) is not yet enabled. The billing start date will be announced on Azure Updates, and current feature users will be given advance notice before billing begins. The Auxiliary Logs plan is currently in public preview and subject to certain limitations, including regional availability, as indicated in the Microsoft documentation.

New Features Added to Azure Monitor Basic Logs Plan

The Azure Monitor Basic Logs plan has seen widespread adoption by customers and continues to grow rapidly. To meet the increasing demand and customer needs, Microsoft is enhancing Basic Logs with additional features that provide greater benefits. The following improvements are being introduced for this plan:

Extended Interactive Retention Period: The interactive retention period has been increased from 8 to 30 days, with support for interactive queries throughout the period.
Enhanced Query Language Capabilities: Support for queries on Basic Logs has been extended from reduced KQL to full KQL on a single table, with the ability to search for additional data in Analytics tables.

VM insights based on Log Analytics agent: Migration Required by August 31, 2024

Microsoft has announced that by August 31, 2024, VM insights based on the Log Analytics agent will be retired. Users are encouraged to migrate to VM insights based on Azure Monitor agent. This new version offers several improvements, including enhanced security and performance, data collection rules that help reduce costs, and a simplified management experience that includes troubleshooting. It is essential to complete the migration by the specified date to continue using a supported version of VM insights

Govern

Azure Cost Management

Updates related to Microsoft Cost Management

Microsoft is constantly seeking new methodologies to improve Microsoft Cost Management, the solution to provide greater visibility into where costs are accumulating in the cloud, identify and prevent incorrect spending patterns, and optimize costs.This article reports some of the latest improvements and updates regarding this solution.

Azure Arc

Azure Arc-enabled Kubernetes Available in the Italy North Region

Azure Arc-enabled Kubernetes is now available in the Italy North region of Azure. This service allows users to manage and govern Kubernetes clusters distributed anywhere, leveraging the centralized management capabilities of Azure Arc.

Secure

Microsoft Defender for Cloud

New features, bug fixes, and deprecated features of Microsoft Defender for Cloud

The development of Microsoft Defender for Cloud is constantly evolving, with continuous improvements being introduced. To stay updated on the latest developments, Microsoft updates this page, which provides information on new features, bug fixes, and deprecated features. Specifically, this month’s main news includes:

Security Assessments for GitHub Without Additional License: Starting July 22, 2024, GitHub users in Defender for Cloud no longer need a GitHub Advanced Security license to view security assessments. This change covers code vulnerabilities, IaC misconfigurations, and container image vulnerabilities detected during the build phase. Users with a GitHub Advanced Security license will continue to receive additional assessments for exposed credentials, open-source dependency vulnerabilities, and CodeQL results.
End of Support for MMA in Defender for Servers Plan 2: The Log Analytics agent will no longer be supported from August 2024. Server protection will rely on integration with Microsoft Defender for Endpoint (MDE) and agentless capabilities provided by the cloud platform. Some functionalities will continue to be supported until November 2024: File Integrity Monitoring (FIM) and Security Baseline.
Public Preview of Binary Drift for Containers: The public preview of Binary Drift for Defender for Containers is available, identifying and reporting potentially malicious binary processes in containers.
Automatic Remediation Scripts for AWS and GCP: Automatic remediation scripts for AWS and GCP are available in GA, allowing programmatic correction of recommendations on a large scale.
Update GitHub Application Permissions: GitHub users need to update the Microsoft Security DevOps application permissions to include read permissions for GitHub Copilot Business.
New Compliance Standards: Compliance standards added in preview in March, such as CIS Google Kubernetes Engine Benchmark, ISO/IEC 27001 and 27002, and others, are now available in GA.
Inventory Experience Improvements: Starting July 11, 2024, the inventory experience has been improved with updates to the Azure Resource Graph query logic.
Default Running Container Mapping Tool in GitHub: From August 12, 2024, the container mapping tool will run by default as part of the Microsoft Security DevOps action in GitHub.

Protect

Azure Backup

Customer-Managed Key Encryption for Backup Vaults

Azure Backup now supports the use of customer-managed keys (CMK) for encrypting backup data in Backup Vaults. This functionality, already available for Recovery Services Vaults, is now accessible for all Backup Vaults in Azure public regions. Users can create new backup vaults or update the encryption settings of existing ones to use CMK.

Backup and Restore of Virtual Machines with Private Endpoint-Enabled Disks

Backup and restore of Azure virtual machines using disks with private endpoints enabled are now available. This support is available for both standard and enhanced backup policies and can be configured through standard Azure Backup experiences. During the restore, users can specify the network access settings for the restored disks, choosing from using the same network configuration as the source disks, access only from specific networks, or public access from all networks.

Azure Site Recovery

Support for Azure Trusted Launch VMs (Windows OS)

Microsoft announces the availability of support for Azure Site Recovery for Azure Trusted Launch VMs. Azure Trusted Launch VMs offer advanced security for Azure Generation 2 VMs, enabling Secure Boot and vTPM capabilities. This availability is specific to Windows operating systems.

Deletion or Reset of Azure Site Recovery Replication Appliance

Microsoft has announced the option to delete or reset the Azure Site Recovery replication appliance. If all components of the appliance are in a healthy state, it is possible to reset the appliance to factory state. If the appliance is in a critical state and there is no connectivity with the appliance, it can be deleted from the Azure portal.

Azure Evaluation

For those who wish to explore and personally evaluate the services offered by Azure, a unique opportunity is available: by accessing this page, you can test various features and services for free. This will allow you to better understand how Azure can adapt and improve your IT operations, while ensuring security and innovation.

Azure IaaS and Azure Stack: announcements and updates (July 2024 – Weeks: 29 and 30)

Azure

General

Azure Lab Services is being retired on June 28, 2027

Azure Lab Services will be retired on June 28, 2027, due to the availability of other Microsoft VDI services such as Azure Virtual Desktop, Windows 365, Azure DevTest Labs, and Microsoft Dev Box. Existing customers can continue to use the service until the retirement date, but new customers will not be allowed to sign up starting July 15, 2024. Microsoft recommends reviewing the retirement guide for more details about partner options. After June 28, 2027, Azure Lab Services will no longer be supported, and users will lose access to their lab accounts, lab plans, and labs.

Compute

Upgrade existing Azure Gen1/Gen2 VMSS to Gen2-Trusted launch (preview)

Microsoft is excited to announce preview support for enabling Trusted launch on existing Azure Gen1/Gen2 Virtual Machine Scale Sets (VMSS) Uniform by upgrading the VMSS Uniform resource to Gen2-Trusted launch. This upgrade aims to improve the foundational security of existing Azure VMSS resources. Trusted Launch VMs provide enhanced compute security for Azure Generation 2 VMs by enabling Secure Boot and vTPM capabilities, which protect the OS against rootkits and bootkits and enable attestation by measuring the boot chain of the VM.

Public Preview: 6th generation Intel-based VMs – Dv6/Ev6 (preview)

Microsoft is pleased to announce the public preview of the D and E family VMs built on the new 5th Gen Intel® Xeon® Platinum 8537C (Emerald Rapids) processor. These new Intel-based VMs come with three different memory-to-core ratios and offer options with and without local SSD across all the new VMs – the General Purpose Dsv6, Dlsv6, Ddvs6, and Dldsv6 series and the Memory Optimized Esv6 and Edsv6 series. Additionally, constrained core variants for the Esv6 series are ideal for workloads that require high data throughput without a high number of vCPUs.

These VMs, available initially in the US West and US East regions, offer up to 27% higher vCPU performance and 3x larger L3 cache than the previous generation Intel Dv5/Ev5 VMs, with up to 192vCPU and 1.8TB of memory. Azure Boost technology enables up to 400k IOPS and 12 GB/s remote storage throughput and up to 200 Gbps VM network bandwidth. The new Dv6 VMs balance memory to vCPU ratio with scalability up to 128 vCPUs and 512 GiB of RAM, while the Ev6 VMs cater to memory-intensive workloads with up to 192 vCPUs and 1832 GiB of RAM. These VMs also feature enhanced security through Total Memory Encryption (TME) technology and significantly larger local SSD capacity.

Networking

Azure Virtual Network Manager mesh and direct connectivity

As of June 13, 2024, Azure Virtual Network Manager’s mesh connectivity configuration and direct connectivity option in the hub and spoke connectivity configuration are generally available in all public regions. This feature allows a group of virtual networks to directly communicate with each other without an additional hop, reducing latency and management overhead. For instance, in a hub and spoke topology, a subset of spoke virtual networks that require low latency can directly communicate with each other. Traffic between these virtual networks can be filtered using network security groups (NSGs) and Azure Virtual Network Manager’s security admin rules while maintaining direct connectivity.

ExpressRoute FastPath Support for VNet Peering & UDR

Microsoft is announcing support for ExpressRoute FastPath VNet Peering and User Defined Routes (UDR) connectivity. This feature enhances data path performance between on-premises customer networks and Azure Virtual Networks, enabling 100Gbps connectivity to VMs in hub and spoke designs over ExpressRoute. With FastPath enabled, network traffic is sent directly to virtual machines within the virtual network, reducing hops and potential bottlenecks. While a virtual network gateway is still required to exchange routes between the virtual network and on-premises network, FastPath now supports traffic directly to VMs in “spoke” virtual networks and honors any UDRs configured on the Gateway Subnet.

ExpressRoute Traffic Collector support for provider circuits

Azure ExpressRoute customers can now configure ExpressRoute Traffic Collector on their 1G+ provider circuits. This expansion of the existing service, which previously only supported ExpressRoute Direct circuits, allows for improved visibility into circuit traffic. ExpressRoute Traffic Collector is a fully managed traffic monitoring solution that logs IPFIX flow records, which can then be queried for insights into circuit traffic patterns.

Storage

Azure Data Box now supports select cross region transfers (preview)

Azure Data Box has introduced cross-region data transfer capabilities, now in preview, to support seamless ingestion of on-premises data from a source country/region to select Azure destinations in a different country/region. For example, data can now be copied from Singapore or India to the West US Azure destination region. The Azure Data Box device is not shipped across commerce boundaries; instead, it is transported within the originating country or region, and data transfer to the destination Azure region occurs over the Azure network without incurring additional fees.

Azure NetApp Files Large Volume Enhancement – Increased Throughput and Maximum Size Limit of 2 PiB Volume

Azure has announced an exciting update to Azure NetApp Files, significantly enhancing large volumes with increased maximum throughput and size limits. The update brings a size limit increase to 1-PiB, accessible via Azure Feature Exposure Control (AFEC), offering more robust data management solutions for workloads such as HPC, EDA, VDI, and more. Additionally, a public preview of an even larger volume type, ranging from 1-PiB to 2-PiB, is available upon request, subject to regional availability and capacity. Key benefits of this update include performance enhancements up to 12.5-GiB/s per large volume, scalability from 50-TiB to 2-PiB, selection of service levels (Standard, Premium, Ultra), advanced data management features, and cost efficiency through consolidation.

Convert to Azure Premium SSD v2 disks (preview)

Azure has announced the Public Preview of the feature for converting to Premium SSD v2 disks (Pv2). This new feature allows users to confidently move their workloads to Pv2, leveraging its balance of price and performance. The conversion process is designed to be straightforward, enabling the migration of existing Standard SSD, Standard HDD, or Premium SSD v1 disks to PV2 disks with minimal downtime. Notably, this feature avoids disk destruction, eliminates the need to use snapshots as a staging resource, and removes the requirement for waiting for background data copying. This enhancement simplifies the migration process and ensures that users can take full advantage of Pv2 disks efficiently.

Azure Stack

Azure Stack HCI

Introducing the Comprehensive Azure Stack HCI OEM License

The new Azure Stack HCI OEM license is designed to provide a streamlined and efficient licensing solution for Azure Stack HCI hardware, including Azure Stack HCI Premier Solutions, Integrated Systems, and Validated Nodes. This license is valid for the entire lifetime of the hardware and covers up to 16 cores, with additional two-core and four-core license add-ons available for larger systems.

The Azure Stack HCI OEM license includes three essential services for your cloud infrastructure:

Azure Stack HCI – Ensures you have a robust and scalable cloud infrastructure.
Azure Kubernetes Services (AKS) – Provides container orchestration for deploying, managing, and scaling containerized applications.
Windows Server Datacenter 2022 or earlier version supported guest virtual machines (VMs) – Supports your virtual machine needs with the latest Windows Server capabilities.

Key Benefits:

Simplified Licensing and Activation: A single license covers Azure Stack HCI, AKS, and Windows Server 2022 guest VMs, reducing complexity and cost.
No Activation Tools Needed: The Azure Stack HCI operating system is automatically activated without additional tools or keys.
Unified Procurement and Support: Purchase hardware, software, and get full stack support from a single vendor, streamlining your procurement process.

Requirements and Recommendations:

Active Azure Account: Necessary for license activation.
Latest Software Installations: Ensure you install the most recent versions of Azure Stack HCI, AKS, and Windows Server Datacenter 2022 guest VMs.
Continuous Updates: Keep Azure Stack HCI and AKS up to date to receive the latest features and security patches. Upgrade to newer versions when the current version reaches the end of its lifecycle.

For managing Windows Server VMs, you can use Automatic Virtual Machine Activation (AVMA) client keys through Windows Admin Center or PowerShell.

In mixed-node scenarios, where clusters consist of different hardware models, operating system versions, or billing models, the OEM license ensures clarity. If any server in your cluster lacks the OEM license, you will receive a notification in your monthly billing statement. To identify servers without the OEM license, check the OEM license column under Overview > Nodes.

The Azure Stack HCI OEM license not only simplifies the licensing process but also enhances the operational efficiency of your cloud infrastructure by ensuring you have access to the latest technologies and support in a unified manner.

Azure Arc gateway for Azure Stack HCI, version 23H2 (preview)

For enterprises implementing Azure Stack HCI, the new Arc gateway will significantly streamline the deployment and management process. The Arc gateway reduces the number of required endpoints for Azure Stack HCI clusters. Upon creating the Arc gateway, it can be used for both new and existing deployments. This gateway introduces the Arc gateway resource, which serves as a common entry point for Azure traffic through a specific domain or URL, and the Arc proxy, which runs as a service and functions as a forward proxy for Azure Arc agents and extensions. Traffic flows through Arc agentry, gateway router, enterprise proxy, Arc gateway, and finally to the target service, with each Azure Stack HCI cluster node having its own Arc agent.

Local UI to bootstrap Azure Stack HCI (preview)

Microsoft has introduced a new local web-based UI to facilitate the bootstrapping and registration of servers intended to cluster as an Azure Stack HCI system. This local UI simplifies the initial setup and management of Azure Stack HCI clusters, making the process more user-friendly and efficient.

Conclusion

Azure IaaS and Azure Stack: announcements and updates (July 2024 – Weeks: 27 and 28)

Azure

Compute

Retirement: Azure Cloud Services Guest OS Families 2, 3, and 4

In July 2024, Azure announced the upcoming retirement of Guest OS Families 2, 3, and 4 for Cloud Services and Cloud Services Extended Support. The end-of-life dates are as follows: Windows Server 2008 R2 will retire in December 2024, while Windows Server 2012 and Windows Server 2012 R2 will retire in February 2025. Customers utilizing these OS families need to take action to ensure their cloud services remain supported. To identify which cloud services are running the soon-to-be-retired OS Families, Azure provides a PowerShell script. The script will help pinpoint services that need migration, with recommendations to move to Guest OS family 7 (Windows Server 2022) for continued functionality and support.

Networking

Cisco Firepower Threat Defense (FTD) integration with Virtual WAN (preview)

Azure has announced the public preview of integrating Cisco Firepower Threat Defense (FTD) with Virtual WAN. Customers can now deploy Cisco FTD directly into a Virtual WAN hub, jointly managed by Microsoft Azure and Cisco. This integration allows the Cisco FTD in the hub to perform Next-Generation Firewall capabilities, inspecting all North-South, East-West, and Internet-bound traffic.

Storage

Azure File Sync Agent v18.2 Release

Azure has released version 18.2 of the Azure File Sync agent, now available on Microsoft Update and Microsoft Download Center. This release includes a rollup update for previous v18 and v18.1 releases, along with sync reliability improvements. It supports installations on Windows Server 2016, 2019, and 2022. Notably, a server restart is required for existing agent installations. The agent version for this release is 18.2.0.0, with detailed installation instructions provided in KB5023059.

Azure Elastic SAN Feature Updates

Azure has introduced significant updates to the Elastic SAN feature, now generally available. Customers can delete unused space on their SANs and scale down as necessary. This capability is useful for those who realize they do not need as much capacity as initially allocated. Note that scaling down can only occur at the SAN level, not at the volume level. Additionally, Azure has released diagnostic logging capabilities, allowing configuration of Elastic SAN to send Azure platform logs and metrics to various destinations. Two log configurations are available: “All” for every resource log and “Audit” for logs that record customer interactions with data or service settings.

Azure Stack

Azure Stack HCI

CISPE and Microsoft Agree Settlement in Fair Software Licensing Case

On July 11, 2024, Microsoft and CISPE reached an agreement related to CISPE’s competition complaint filed against Microsoft with the European Commission in November 2022. Microsoft committed to changes addressing European CISPE members’ claims, leading CISPE to withdraw its complaint. Amazon Web Services, Google Cloud Platform, and AliCloud are excluded from these terms. A significant part of the agreement is the collaboration to release an enhanced version of Azure Stack HCI for European cloud providers. This will include features such as multi-session virtual desktop infrastructure, free Extended Security Updates, and pay-as-you-go SQL Server licensing. An independent European Cloud Observatory will monitor the agreement’s implementation. Microsoft has nine months to fulfill its commitments, or CISPE may refile its complaint.

Conclusion

Azure IaaS and Azure Stack: announcements and updates (June 2024 – Weeks: 25 and 26)

Azure

Compute

Upgrade Policies for Virtual Machine Scale Sets with Flexible Orchestration (preview)

Azure has introduced public preview support for upgrade policies in Virtual Machine Scale Sets with Flexible Orchestration. Previously available only for Uniform Orchestration, these policies—Automatic, Manual, and Rolling—now extend to Flexible Orchestration. The Rolling upgrade policy also includes the MaxSurge option to create new instances with the updated scale set model, replacing virtual machines using the old model.

ED25519 SSH Key Support for Linux Virtual Machines (preview)

Azure now supports ED25519 SSH key pairs for Linux virtual machines, enhancing security and performance with a smaller key size compared to RSA encryption. Customers can create ED25519 SSH key pairs directly within the Azure Portal and use them via Azure CLI and PowerShell, simplifying key management while improving security and deployment efficiency.

Networking

Azure Cross-Subscription Load Balancer (preview)

Azure announces the public preview of cross-subscription load balancing. This feature allows load balancer components to be located in different subscriptions, enabling the frontend IP address or backend instances to reside in separate subscriptions from the load balancer. Cross-subscription load balancing is available in all Azure public regions, China cloud regions, and Government cloud regions.

ExpressRoute Resiliency Enhancements (preview)

Azure introduces several enhancements to ExpressRoute for improved resiliency. Customers can now create ExpressRoute circuits with three levels of resiliency: maximum, high (ExpressRoute Metro), and standard. Zonal resiliency is also supported, allowing non-zone redundant gateways to migrate to availability zone-enabled gateways. Upcoming features include resiliency validation, insights, and a revised SLA model effective October 1, 2024, with differentiated levels of network availability.

JavaScript (JS) Challenge on Azure WAF Integrated with Azure Application Gateway (preview)

Azure Web Application Firewall (WAF) integrated with Azure Application Gateway now supports JavaScript (JS) challenge. The JavaScript challenge is an invisible web challenge used to distinguish between legitimate users and bots, protecting web applications by causing malicious bots to fail the challenge. This feature, part of the Bot Manager rule set and custom rules, reduces friction for legitimate users as it does not require human intervention.

Azure CDN Standard from Microsoft (Classic) Zero-Downtime Migration to Azure Front Door (preview)

Azure announces the public preview of zero-downtime migration from Azure CDN Standard from Microsoft (classic) to Azure Front Door. Azure Front Door is a modern cloud content delivery network (CDN) and global load balancer service that enhances security, performance, and scalability. The migration capability allows for a seamless transition to Azure Front Door Standard or Premium, offering improved security, flexible routing logic, and enhanced logging and metrics.

Storage

Force Detach Zone Redundant Data Disks During Zone Outage (preview)

Azure announces the public preview support for force detaching ZRS data disks from VMs affected by zone outages. This feature allows customers to detach ZRS data disks and attach them to another VM, reducing the Recovery Time Objective (RTO). Zone-redundant storage (ZRS) synchronously replicates Azure managed disks across three availability zones, providing 99.9999999999% (12 9’s) durability annually, and is supported on Premium SSDs and Standard SSDs.

Conclusion

Azure Management services: what’s new in June 2024

This month, Microsoft introduced a series of updates related to Azure management services. Through this series of monthly articles, we aim to provide an overview of the most relevant updates. Our goal is to keep you constantly informed about these developments, providing you with essential information to explore these topics further.

The following diagram shows the different areas related to management, which are covered in this series of articles:

Figures 1 – Overview of Management Services in Azure

Configure

Update management

Starting from August 31, 2024, Automation Update Management and the associated Log Analytics agent will be deprecated, making migration to Azure Update Manager essential for update management needs. Useful tools for this migration are detailed in the following paragraphs.

Tool for Migration from Update Management v1 to v2

Azure Update Manager introduces the v2 migration tool, now available in General Availability (GA), designed to facilitate the transition from Automation Update Management (Update Management v1). This tool simplifies the migration process by automatically moving machines and schedules to Azure Update Manager, minimizing manual intervention.

Tool for Migration from Automation Update Management to Azure Update Manager

Azure provides comprehensive guidance for migrating machines and schedules from the previous solution to Azure Update Manager. The migration tooling includes automated scripts that simplify the process, ensuring minimal disruption to production workloads.

Govern

Azure Cost Management

Updates related to Microsoft Cost Management

Azure Arc

Connecting to AWS with the Multicloud Connector in Azure Portal (Preview)

Azure Arc introduces the multicloud connector in preview, enabling the integration of AWS resources within Azure environments via the Azure portal. This feature expands Azure Arc’s capabilities, allowing unified management of AWS cloud environments alongside Azure services. To establish this connection, users must deploy a CloudFormation template within their AWS account, which automatically configures the necessary resources for integrated management via Azure Arc.

Secure

Microsoft Defender for Cloud

New features, bug fixes, and deprecated features of Microsoft Defender for Cloud

Copilot for Security in Defender for Cloud (Preview): the integration of Microsoft Copilot for Security in Defender for Cloud has been announced in public preview. The integrated Copilot experience in Defender for Cloud allows users to ask questions and receive answers in natural language. Copilot can help understand the context of a recommendation, evaluate the impact of its implementation, follow the necessary steps to implement it, assist in delegating recommendations, and correct misconfigurations in the code.
New DevOps Security Recommendations: new DevOps security recommendations have been announced to improve the security posture of Azure DevOps and GitHub environments. These recommendations provide the necessary steps for resolution when issues are detected. The new recommendations are available for environments connected to Microsoft Defender for Cloud via Azure DevOps or GitHub. All recommendations are included in the Foundational Cloud Security Posture Management.
IaC Scanning with Checkov in Defender for Cloud: the integration of Checkov for Infrastructure-as-Code (IaC) scanning via MSDO has been announced. As part of this release, Checkov will replace Terrascan as the default IaC analyzer run as part of the MSDO CLI. Terrascan can still be manually configured via MSDO environment variables but will not run by default. Security results from Checkov will be represented as recommendations for Azure DevOps and GitHub repositories.
Price Change for Defender for Containers in Multicloud: as Defender for Containers multicloud is now generally available, it is no longer free.

Migrate

Azure Migrate

New releases and features of Azure Migrate

Azure Migrate is the service in Azure that includes a broad portfolio of tools that can be used, through a guided user experience, to effectively address the most common migration scenarios. To stay updated on the latest developments of the solution, you can consult this page, which provides information on new releases and new features.

Azure Evaluation

Azure IaaS and Azure Stack: announcements and updates (June 2024 – Weeks: 23 and 24)

Azure

Compute

Azure VMware Solution: Microsoft and Broadcom to support license portability for VMware Cloud Foundation

Microsoft and Broadcom are expanding their partnership to support VMware Cloud Foundation subscriptions on Azure VMware Solution. This initiative allows customers who own or purchase VMware Cloud Foundation licenses to use them on Azure VMware Solution and in their own data centers, providing greater flexibility to adapt to changing business needs.

Key Benefits and Features:

License Portability: customers with eligible VMware Cloud Foundation entitlements can purchase subscriptions and use them interchangeably between on-premises environments and Azure VMware Solution. This flexibility supports seamless mobility and transfer of licenses as business requirements evolve.
Continued Purchase Options: customers can still buy Azure VMware Solution with VMware licenses included or use their own existing VMware licenses. This provides a range of purchasing options to suit different preferences and needs.

In addition to the new VMware license portability benefit, VMware Rapid Migration Plan provides an additional and comprehensive set of licensing benefits and programs to reduce the cost and time it takes for organizations to migrate to Azure VMware Solution:

Price Protection: customers can secure pricing for one, three, or five years through reserved instances.
Savings on Windows Server and SQL Server: organizations with Software Assurance for on-premises Windows Server and SQL Server licenses can benefit from the Azure Hybrid Benefit, allowing them to use these licenses on Azure VMware Solution. Additionally, free Extended Security Updates are available for older versions facing end of support.
Migration Support: the Azure Migrate and Modernize program offers resources, expert assistance, and funding from Microsoft and its partners to streamline the migration process.
Azure Credits: customers purchasing a new reserved instance for Azure VMware Solution can receive additional Azure credits, applicable to Azure VMware Solution or other Azure services.

This collaboration enhances the flexibility and cost-effectiveness of deploying VMware environments in the cloud, enabling businesses to optimize their operations and infrastructure with greater ease.

Storage

Azure NetApp Files Launch in Italy North Region

Azure NetApp Files has expanded its availability to the Italy North Azure Region. This expansion allows customers in the region to leverage high-performance file storage solutions, enhancing their ability to manage and scale their data storage needs efficiently.

Azure File Sync Agent v17.3 and v18.1 Security-Only Updates Released

Microsoft has announced the release of the Azure File Sync agent versions v17.3 and v18.1, focusing solely on security updates. The v17.3 update addresses a critical issue that might have allowed unauthorized users to delete files in restricted locations, as outlined in CVE-2024-35253. This update is available for servers running Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, and Windows Server 2022, and is applicable to servers with agent versions v16.x and v17.x installed. The corresponding agent version is 17.3.0.0, with installation instructions detailed in KB5039814.

Similarly, the v18.1 update is targeted at servers with the v18 agent version installed and is compatible with Windows Server 2016, Windows Server 2019, and Windows Server 2022. The agent version for this release is 18.1.0.0, with installation instructions available in KB5023058. Notably, these updates are distributed through Microsoft Update and not the Microsoft Download Center. The next release, version 18.2, expected in the coming weeks, will be available across all prior versions of Azure File Sync agents and through multiple distribution channels, including the Microsoft Download Center, Microsoft Update, and Microsoft Update Catalog.

Azure Stack

Azure Stack HCI

Azure Stack HCI – 2405 Update

The Azure Stack HCI, version 23H2, introduces multiple release trains including 2306 (limited release), 2311, 2402, and now 2405. Each release train encompasses a baseline build and subsequent updates. The baseline build is the initial software version in a release train, and upgrading to the next version within the same train necessitates deploying the baseline build first.

The baseline update 2405 addresses several issues and improvements. Key fixes include:

During cluster deployments with a large Active Directory, a timeout issue when adding users to the local administrator group has been resolved.
New ARM templates for cluster creation are released, simplifying the creation of dependency resources and addressing missing mandatory fields.
The secret rotation PowerShell command Set-AzureStackLCMUserPassword now supports a parameter to skip the confirmation message.
Secret rotation reliability is improved, especially when services do not restart promptly.
Deployment is now enabled when a disjoint namespace is used.
Fixed an issue in deployment related to setting the diagnostic level in Azure and on the device.
A new PowerShell command is released to update the SBE partner property values provided at deployment.
An issue preventing the update service from responding after an SBE-only update run is fixed.
An issue preventing a node from joining Active Directory during an add server operation is resolved.
Improved reliability of Network ATC when configuring host networking with certain network adapter types.
Enhanced reliability in detecting firmware versions for disk drives.
Update notifications for health check results sent from the device to AUM (Azure Update Manager) are improved. Previously, large message sizes caused no results to be shown in AUM.
Fixed a file lock issue causing update failures for the trusted launch VM agent (IGVM).
Resolved an issue preventing the orchestrator agent from restarting during an update run.
Addressed a rare condition causing delays in the update service discovering or starting an update.
Fixed an issue with Cluster-Aware Updating (CAU) interaction with the orchestrator when an update is in progress.
The naming schema for updates is adjusted to differentiate between feature and cumulative updates.
Enhanced reliability in reporting cluster update progress to the orchestrator.
Resolved an issue where the Azure Arc connection was lost when the Hybrid Instance Metadata service (HIMDS) restarted, ensuring the device now automatically reinitiates the Azure Arc connection.

Known issues in this release involve:

When viewing readiness check results for an Azure Stack HCI cluster via the Azure Update Manager, there may be multiple readiness checks with the same name.
During the registration of Azure Stack HCI servers, an error may appear in the debug logs: “Encountered internal server error. One of the mandatory extensions for device deployment may not be installed.”
There is an intermittent issue where the Azure portal incorrectly reports the update status as “Failed to update” even though the update is complete.

Conclusion

Azure IaaS and Azure Stack: announcements and updates (June 2024 – Weeks: 21 and 22)

Azure

General

RISE with SAP is Available on ItalyNorth Azure Region

RISE with SAP, a comprehensive Platform-as-a-Service offering, is now accessible in the ItalyNorth Azure Region. This service bundles SAP software licensing, cloud infrastructure, and managed services under a single SAP contract, applicable to R3, SAP Business Suite, and S/4HANA. This availability in the Italy North region aims to provide localized support and optimized performance for enterprises utilizing SAP solutions.

Update on Inter-Availability Zone Data Transfer Pricing

Azure has announced that it will no longer charge for data transfers across availability zones, regardless of whether private or public IPs are used on Azure resources. Availability zones enable Azure services to enhance greater resiliency for customers’ cloud infrastructure. This change aims to further encourage and support customers’ efforts in building more resilient and efficient applications and solutions on Azure.

Activity Log Alerts Can Now Run in EU Data Boundary

Activity log alert rules can now be saved in one of the following EU Data Boundary regions: North Europe and West Europe. This capability is available when creating a new activity log alert rule. Saving the rule in a European region ensures that the alert rule metadata and its processing remain within the EU Data Boundary. In all other cases, users can select the default Global region. Additionally, action groups can also be saved in EU regions, allowing for an end-to-end experience within Europe, encompassing alert evaluation and actions.

Next-Gen Dashboards Experience in Azure Portal (preview

A new Dashboards experience within the Azure Portal has been introduced. This experience includes a richer editing experience, dashboard as a view, mobile support, and works in parallel with the current experience. Currently, dashboards provide a focused and organized view of cloud resources in the Azure portal, allowing users to monitor resources and quickly launch tasks for day-to-day operations. The new experience is accessible through the Dashboard Hub, the Browse experience, and the Azure Mobile app. Users can create new dashboards or transform existing ones into the new experience. Both the new and current experiences will run in parallel to ensure parity and safely roll out new features.

Compute

VM Hibernation for General Purpose VMs

VM hibernation for general-purpose VMs is now generally available in all public regions. Hibernation is supported on both Linux and Windows operating systems. This feature enables users to hibernate their VMs to save compute costs. When a VM is hibernated, Azure persists the VM’s in-memory state in the OS disk and deallocates the VM, so users do not have to pay for the VM during hibernation, only for associated storage and networking resources. When the VM is restarted, applications and processes resume from their previous state, allowing users to quickly pick up from where they left off. This feature can be used on both existing and new VMs.

Azure Cobalt 100 Arm-based Virtual Machines (preview)

Microsoft is announcing the preview of the new Cobalt 100 Arm-based virtual machines (VMs). These are the first generation of VMs that feature the new Cobalt 100 chipset, custom-built using an Arm-based architecture, and optimized for efficiency and performance when running general-purpose and cloud-native workloads. Users can expect up to 40% improved performance compared to the previous generation of Arm-based Azure VMs. These VMs offer performance consistency and linear performance scaling with workloads like web applications, microservices, and open-source databases.

Azure Compute Fleet (preview)

Azure is pleased to announce the public preview of Azure Compute Fleet, a new service that streamlines the provisioning and management of Azure compute capacity across different virtual machine (VM) types, availability zones, and pricing models to achieve desired scale, performance, and cost. Azure Compute Fleet provides features to deploy and manage diverse groups of VMs at scale, including integration of multiple pricing models within a single fleet request, automated configuration of a fleet of VMs, and adjustable settings to prioritize deployment speed, operational cost, or a balance of both. It can manage and deploy up to 10,000 VMs in a region within a single fleet, providing flexibility and reliability through automated spot VMs, VM mix, and cross-zonal deployment features.

Networking

Azure Firewall: New Regions Availability

To meet new workload demands, Azure Firewall Basic, Standard, Premium, and Azure Firewall Manager are now generally available in four new regions: Israel Central, Italy North, Mexico Central, and Spain Central. With these new regions, Azure Firewall is now available in 64 regions worldwide, utilizing the Microsoft global network backbone.

Azure Firewall Integration in Microsoft Copilot for Security (preview)

The public preview of Azure Firewall integration in Microsoft Copilot for Security is now available. This feature allows users to retrieve the top IDPS signature hits for an Azure Firewall, enriching the threat profile of IDPS signatures with additional details. Users can perform fleet-wide searches for threats across all their Firewalls and generate recommendations to secure their environment using Azure Firewall’s IDPS feature.

Azure Web Application Firewall (WAF) Integration in Microsoft Copilot for Security (preview)

Azure Web Application Firewall (WAF) integrated into the Microsoft Copilot for Security standalone experience is now available in public preview. This integration is available with both Azure Front Door WAF and Azure Application Gateway WAF. It provides top WAF rules triggered analysis, generating summaries of WAF requests blocked due to web application and API attacks. Additionally, it includes an analysis of the top offending IPs, highlighting malicious IPs in customer environments along with related WAF rules triggered. The SQL injection and cross-site scripting WAF detection summaries provide contextual details about WAF blocks, including WAF rules, pattern matches, and related IPs.

Azure Application Gateway v2 Basic SKU (preview)

The Application Gateway Basic SKU is a new offering within the Application Gateway family, designed for small and medium-sized customers. It is ideal for applications with lower traffic and SLA requirements that do not need advanced traffic management features. The Basic SKU includes built-in high availability and supports HTTP2/HTTPS and WebSocket protocols. It offers core application-level load balancing features such as URL-based, host-based, and multi-site routing, along with cookie-based affinity. It supports flexible backends, including AKS, VMSS, App Services, and on-premises deployments. Customers can select the Basic SKU either directly from the Azure Portal or through their preferred scripting languages.

Azure Load Balancer Health Event Logs (preview)

Azure Load Balancer health event logs are now available in public preview. These logs enable users to collect, store, and analyze information to understand the health of their Azure Load Balancer resources. They help troubleshoot specific scenarios and identify availability issues affecting the load balancer. Examples include traffic distribution issues, port exhaustion, and the absence of healthy backends. Health event logs allow monitoring of load balancer health without the need for complex metric-based alerts or custom data ingestion pipelines. The preview is currently rolling out to all public regions.

Azure Front Door Server Variable Enhancement Generally Available

Azure Front Door’s rule set and server variable feature, allowing dynamic modification of request and response at the edge, is now generally available. This feature enables the redirection of clients based on request information, URL rewriting, and HTTP header modifications. It supports security headers to prevent browser-based vulnerabilities, routing requests based on geographic or device data, and applying different caching policies. The new enhancement includes support for URL path segment capture and rewrite, adding more flexibility for users needing to manipulate URL paths dynamically.

Azure Virtual Network Manager’s virtual network verifier (preview)

Virtual network verifier enables users to check if their network policies allow or disallow traffic between their Azure network resources, helping them answer simple diagnostic questions, triage why reachability isn’t working as expected, and prove conformance of their Azure setup to their organization’s security compliance requirements. Within their network manager resource, users can access Virtual Network Verifier’s capabilities by creating a verifier workspace, then defining reachability analysis intents that capture the traffic they want to evaluate. Once they run an analysis on their intent, they can visualize the reachability outcome and parse the reachability analysis results’ JSON. Virtual network verifier’s reachability analysis evaluates several Azure policies and resources within the network manager’s scope. Users can even delegate Virtual Network Verifier resources to non-network manager users for troubleshooting reachability.

Azure Bastion Premium (preview)

Azure Bastion Premium is a new SKU targeting customers handling highly sensitive virtual machine workloads. Its mission is to offer enhanced security features that ensure customer virtual machines are connected securely and to monitor VMs for any anomalies that may arise. The first set of features focuses on ensuring private connectivity and graphical recordings of virtual machines connected through Bastion. With the new Azure Bastion Premium SKU, users can now record all virtual machine sessions that are connected via a session-recording Bastion and view the configured session recording. Additionally, users can connect to Bastion via a private endpoint.

Azure Load Balancer now supports Admin State (preview)

Azure has announced the public preview of Azure Load Balancer Administrative State (Admin State) to simplify and enhance the management of VMs in the backend pool of Azure Load Balancer. With Admin State, users can override the Load Balancer’s health probe behavior for each individual backend pool instance (usually VMs or VMSS instances) without making changes to network security rules or closing ports on their VM. Users can set the Admin State of the backend instance to be up or down, overriding the Load Balancer health probe. This setting changes how the Load Balancer directs new or existing connections to the backend instance. Admin State allows for easy removal of virtual machines from the backend pool for maintenance, patching, or applying fixes without additional overhead of closing ports or updating security rules. Admin State is available in all Azure public regions, Azure China cloud regions, and Azure Government cloud regions.

Storage

Azure NetApp Files Backup

Azure NetApp Files has enhanced its online snapshots with the addition of backup capabilities. This new feature allows users to offload their Azure NetApp Files snapshots to a Backup Vault efficiently and cost-effectively, protecting data from accidental deletion. The backup mechanism extends Azure NetApp Files’ snapshot technology by only copying and storing changed data blocks relative to previously vaulted snapshots. These vaulted snapshots are represented in full and can be restored individually and directly, which eliminates the need for an iterative full-incremental recovery process.

Azure NetApp Files Support for Large Volumes up to 500TiB in Size

Azure NetApp Files now supports the creation of large volumes ranging from 50TiB to 500TiB, significantly expanding beyond the previous 100TiB limit. This enhancement supports various high-performance computing (HPC), AI/ML, and large file content repositories that require a single namespace. Additionally, these large volumes feature cross-zone and cross-region replication, ensuring data resilience and business continuity. HPC workloads, crucial for simulating processes and electronic design automation, benefit from enhanced data protection and availability. AI/ML workloads, involving extensive datasets, gain improved security and recovery options, while large file repositories enjoy optimized cost and scale with robust data protection.

Azure NetApp Files Application Volume Group for Oracle (preview)

The application volume group (AVG) for Oracle is now in public preview, enabling the deployment of all necessary Azure NetApp Files volumes for Oracle databases in a single, optimized workflow. This feature ensures that all volumes are placed in the same availability zone as the VMs, optimizing latency and performance. With technical improvements that streamline the deployment process, this feature supports various Oracle database layouts from small to multi-hundred TiB sizes. It promises reduced deployment times and enhanced application performance and stability across all Azure NetApp Files enabled regions.

Azure NetApp Files support for Active Directory connection per NetApp account (preview)

The Azure NetApp Files support for Active Directory connection per NetApp account feature now allows each NetApp account to connect to its own Active Directory Forest and Domain, providing the ability to manage more than one Active Directory connection within a single region under a subscription. This enhancement enables distinct Active Directory connections for each NetApp account, facilitating operational isolation and specialized hosting scenarios. Active Directory connections can be configured multiple times for multiple NetApp accounts to make use of it. With the creation of SMB volumes in Azure NetApp Files now tied to these Active Directory connections in the NetApp account, the management of Active Directory environments becomes more scalable, streamlined, and efficient. Additionally, the public preview for the “Shared AD support for multiple accounts to one Active Directory per region per subscription” feature is concluding, and new registrations will no longer be accepted. Customers are recommended to transition to this new capability instead.

Conclusion

Azure Management services: what’s new in May 2024

This month, Microsoft introduced a series of significant updates related to Azure management services. Through this series of monthly articles, we aim to provide an overview of the most relevant news. The goal is to keep you constantly informed about these developments, providing you with the essential information to further explore these topics.

The following diagram shows the different areas related to management, which are covered in this series of articles:

Figure 1 – Overview of Management Services in Azure

Monitor

Azure Monitor

Azure Log Analytics improves resilience with workspace replication across regions (preview)

Azure Log Analytics introduces workspace replication, a new feature that enhances resilience against regional incidents. By enabling replication, a copy of the workspace is created in another region. From that moment, new logs in the primary workspace are also replicated to the secondary workspace (existing logs are not copied). The secondary workspace cannot be managed or accessed directly and serves only to create an active-passive configuration: at any time, there is an active instance of the workspace and an inactive one updated in the background. In case of an interruption affecting the primary workspace, failover can be activated to switch to the secondary workspace. This operation redirects all ingestion and query requests to the secondary workspace, allowing continued monitoring of resources and applications. The secondary workspace maintains a copy of all logs from the time replication is enabled, allowing for a smooth transition and continued use of alerts, workbooks, and other services accessing the logs, such as Sentinel. During this period, the secondary workspace also replicates incoming logs to the primary workspace, allowing a return to the primary region when it is operational again and continuing to work normally. Workspace replication is billed per replicated GB, and replication can be applied to a subset of Data Collection Rules (DCRs) to limit the scope of replication and related costs.

Filtering Kubernetes metadata and logs in Azure Monitor Container Insights (preview)

Filtering Kubernetes metadata and logs enriches the ContainerLogsV2 schema with additional Kubernetes metadata such as PodLabels, PodAnnotations, PodUid, Image, ImageID, ImageRepo, and ImageTag. The log filtering feature provides filtering capabilities for both workload and platform logs (e.g., system namespaces) from containers. This feature enhances the Kubernetes metadata experience by leveraging the Grafana dashboard to visualize log levels, volume, rate, records, and more. Users gain a richer context and improved visibility into their workloads.

Monitoring applications with Java metrics in Azure Container Apps (preview)

It is now possible to monitor the performance and health of applications with Java metrics such as garbage collection and memory usage. These metrics are automatically collected and reported in Azure Monitor, where they can be viewed in an integrated dashboard. It is also possible to set alerts and troubleshoot issues based on these metrics.

Data analysis using Log Analytics Simple mode (preview)

Azure Monitor Logs introduces a significant improvement in the log analysis experience: Simple mode. This new feature offers users a powerful set of tools to explore their logs and gain meaningful insights from the data. Until now, Azure Monitor Logs relied on the Kusto Query Language (KQL) to formulate queries, a powerful and easy-to-learn language, but it still requires some knowledge to use effectively. Simple mode was developed to bridge this knowledge gap, allowing the use of the most common KQL operators and actions through a simple and intuitive point-and-click experience that requires no KQL knowledge. For advanced users, KQL mode continues to offer the full potential of the Kusto language to gain deeper insights from the logs. Currently, Simple mode is an optional experience: to try it, just select “Try the new Log Analytics”. It is possible to return to the classic Log Analytics experience at any time.

Govern

Azure Cost Management

Updates related to Microsoft Cost Management

Microsoft is constantly seeking new methodologies to improve Microsoft Cost Management, the solution to provide greater visibility into where costs are accumulating in the cloud, identify and prevent incorrect spending patterns, and optimize costs. This article reports some of the latest improvements and updates regarding this solution.

Secure

Microsoft Defender for Cloud

New features, bug fixes, and deprecated features of Microsoft Defender for Cloud

Remediate security baseline recommendation: Microsoft Defender for Cloud has enhanced the Center for Internet Security (CIS) benchmarks by offering security baselines supported by Microsoft Defender Vulnerability Management (MDVM). The new recommendation “Machine should be configured securely (powered by MDVM)” helps secure servers by providing suggestions to improve security posture.
Configure email notifications for attack paths: It is now possible to configure email notifications for attack paths in Defender for Cloud. This feature allows receiving email notifications when an attack path with a specified risk level is detected. This update helps security teams respond promptly to potential attacks, improving responsiveness and overall protection.
Integration of Defender for Cloud alerts and incidents with Microsoft Defender XDR: This integration allows security teams to access Defender for Cloud alerts and incidents within the Microsoft Defender Portal. Providing richer context for investigations involving cloud resources, devices, and identities, this feature improves response capabilities and the effectiveness of security operations.
Checkov integration for IaC scanning in Defender for Cloud (preview): The public preview of Checkov integration for DevOps security in Defender for Cloud has been announced. This integration improves both the quality and the total number of Infrastructure-as-Code (IaC) checks performed by the MSDO CLI command when scanning IaC templates. During the preview, Checkov must be explicitly invoked via the ‘tools’ input parameter for the MSDO CLI command.
Permissions management in Defender for Cloud: The general availability (GA) of permissions management in Defender for Cloud has been announced. This feature enables advanced permissions management, improving security and access control in cloud resources.
Security posture management for AI in Defender for Cloud: This feature provides security posture management capabilities for AI in Azure and AWS.
Threat protection for AI workloads in Azure (preview): Threat protection for AI workloads in Defender for Cloud provides contextual insights into threat protection, integrating with Responsible AI and Microsoft Threat Intelligence. Security alerts for AI workloads are integrated into Defender XDR in the Defender portal. This plan helps monitor Azure OpenAI-powered applications at runtime for malicious activities, identifying and mitigating security risks.
Updated security policy management: Cross-cloud (Azure, AWS, GCP) security policy management is now generally available (GA). This feature allows security teams to manage their security policies consistently and with new characteristics:

A simplified and uniform cross-cloud interface to create and manage the Microsoft Cloud Security Benchmark (MCSB) and custom recommendations based on KQL queries;
Management of regulatory compliance standards in Defender for Cloud across Azure, AWS, and GCP environments;
New filtering and export capabilities for reporting.

Public preview of Defender for open-source databases on AWS: The public preview of Defender for open-source databases on AWS has been announced, adding support for various Amazon Relational Database Service (RDS) instance types. This integration improves the security and management of open-source databases running on AWS instances.

Protect

Azure Backup

Migration of virtual machine backups to enhanced backup policies (preview)

Azure Backup now supports the migration of virtual machine backups from the standard backup policy to the enhanced backup policy. This migration offers several benefits:

Improved RPO: The recovery point objective (RPO) can be reduced to as little as 4 hours.
Retention of recovery points: Recovery points can be retained as snapshots for up to 30 days.
Multi-disk consistency: The enhanced policy ensures multi-disk crash consistency for protected VMs.
Zone-level resilience: Recovery points created with the enhanced policy are zone-resilient.
Trusted Launch security: Protected virtual machines can be converted to Trusted Launch security.
Use of premium SSDv2 or ultra-disk: Migration to the enhanced policy allows the use of premium SSDv2 or ultra-disk without interrupting existing backups.

These improvements make migrating to the enhanced backup policy an excellent choice for optimizing the protection and management of virtual machines on Azure.

Azure Site Recovery

Built-in Azure Monitor alerts for Site Recovery

Built-in Azure Monitor alerts for Azure Site Recovery (ASR) are now generally available. This innovation enables organizations using ASR to benefit from an advanced set of alerting and notification features offered by the Azure Monitor platform. Users can leverage standard Azure Monitor experiences and interfaces to manage ASR alerts at scale, using a single platform. This represents a significant step towards achieving a homogeneous and consistent set of monitoring and alerting experiences for all Business Continuity and Disaster Recovery (BCDR) scenarios on Azure.

Out of Box Reports for Azure Site Recovery (preview)

Out of Box Reports for Azure Site Recovery are now available in preview. This new reporting feature offers organizations using ASR a clear and detailed view of job and health status for protected items. Integrated into the Azure Business Continuity Center and Recovery Services Vault, this feature allows BCDR administrators to effectively monitor and manage all protected items in large-scale backup and site recovery processes.

Support for Azure Trusted Launch VMs (preview)

Microsoft has announced the Public Preview of Azure Site Recovery support for Azure Trusted Launch VMs. Azure Trusted Launch VMs provide security for second-generation Azure virtual machines, enabling Secure Boot and vTPM features. This public preview is currently available only for the Windows operating system.

Migrate

Azure Migrate

New releases and features of Azure Migrate