Category Archives: Microsoft Azure

The new way to keep Windows virtual machines up to date in Azure

Common corporate cybersecurity practice calls for the timely application of software updates, which removes vulnerabilities that could otherwise be used in attacks on business systems. To facilitate the patching of virtual machines located in Azure, Microsoft recently announced the availability of a new feature called "Automatic VM guest patching". This article describes the characteristics and particularities of this solution, which helps simplify update management and achieve security compliance.

The main features of Automatic VM guest patching are the following:

  • Patches classified as Critical or Security are automatically downloaded and applied to virtual machines in Azure.
  • Patches are applied during non-peak hours considering the time zone set on the virtual machine.
  • Patch orchestration is managed by the Azure platform and patches are applied taking into account the native Azure availability principles.
  • The health of the virtual machine, determined through Azure platform health signals, is monitored to detect any errors in the application of patches.
  • Works for all Windows virtual machines, regardless of the configured size.

How to Install Updates on Windows Virtual Machines

Azure Windows Virtual Machines, thanks to the introduction of this new feature, support three different ways to install updates:

  • Automatic managed by the operating system (Automatic Updates). This is the default method set for Windows virtual machines.
  • Automatic managed by the Azure platform. This is the recently introduced mode described in this article. This mode disables Automatic Updates inside the virtual machine. Enabling it installs the extension CPlat.Core.WindowsPatchExtension on the virtual machine, fully managed by the Azure platform.
  • Manual. This mode, configured when a different system patching solution is adopted, disables Automatic Updates.

Figure 1 – Choices for installing patches when creating a new VM

Requirements

Enabling Automatic VM guest patching requires that the virtual machine meet the following requirements:

  • The Azure VM Agent must be installed.
  • The Windows Update service must be running.
  • Windows Update or Windows Server Update Services (WSUS) server endpoints must be reachable.
  • Compute APIs must be version 2020-06-01 or higher.
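The three patch modes and the requirements above can be checked across a fleet from inventory data. The following is an added example, not code from the original article or from Microsoft: it audits a constructed JSON sample shaped like `az vm list` output, using the ARM `patchMode` values `AutomaticByOS`, `AutomaticByPlatform` and `Manual` for the three modes; the inference applied when `patchMode` is absent is an assumption.

```python
import json

MIN_COMPUTE_API = "2020-06-01"  # minimum Compute API version named in the article

# Constructed sample in the shape of `az vm list` output (trimmed; not real resources).
SAMPLE_INVENTORY = json.loads("""
[
  {"name": "web-01", "osProfile": {"windowsConfiguration": {
      "provisionVMAgent": true, "enableAutomaticUpdates": true,
      "patchSettings": {"patchMode": "AutomaticByPlatform"}}}},
  {"name": "web-02", "osProfile": {"windowsConfiguration": {
      "provisionVMAgent": false, "enableAutomaticUpdates": true,
      "patchSettings": {"patchMode": "AutomaticByPlatform"}}}},
  {"name": "sql-01", "osProfile": {"windowsConfiguration": {
      "provisionVMAgent": true, "enableAutomaticUpdates": false,
      "patchSettings": {"patchMode": "Manual"}}}},
  {"name": "legacy-01", "osProfile": {"windowsConfiguration": {
      "provisionVMAgent": true, "enableAutomaticUpdates": true}}},
  {"name": "lnx-01", "osProfile": {"linuxConfiguration": {}}}
]
""")


def api_at_least(version, minimum=MIN_COMPUTE_API):
    """Compare the YYYY-MM-DD prefix of an API version (a '-preview' suffix is ignored)."""
    return version[:10] >= minimum


def effective_patch_mode(win):
    """Return patchMode if set; otherwise infer it from enableAutomaticUpdates.

    The inference is an assumption of this example: with no patchSettings,
    the VM is treated as OS-managed unless automatic updates are switched off.
    """
    mode = (win.get("patchSettings") or {}).get("patchMode")
    if mode:
        return mode
    return "Manual" if win.get("enableAutomaticUpdates") is False else "AutomaticByOS"


def audit_vm(vm, api_version):
    """Classify one VM by patch mode and list what a reviewer should follow up on."""
    win = (vm.get("osProfile") or {}).get("windowsConfiguration")
    if win is None:
        return {"mode": None, "findings": ["not a Windows VM, out of scope"]}

    mode = effective_patch_mode(win)
    findings = []
    if mode == "AutomaticByPlatform":
        if win.get("provisionVMAgent") is not True:
            findings.append("Azure VM Agent not provisioned; platform patching cannot run")
        # The ARM property must be true even though the platform then turns off
        # in-guest Automatic Updates to avoid double patching.
        if win.get("enableAutomaticUpdates") is not True:
            findings.append("enableAutomaticUpdates must be true for AutomaticByPlatform")
        if not api_at_least(api_version):
            findings.append("Compute API %s is older than %s" % (api_version, MIN_COMPUTE_API))
    elif mode == "Manual":
        if win.get("enableAutomaticUpdates", True):
            findings.append("Manual mode expects enableAutomaticUpdates=false")
        findings.append("no automatic patching; confirm another patching solution covers this VM")
    elif mode == "AutomaticByOS":
        findings.append("patched by in-guest Automatic Updates; no platform orchestration")
    else:
        findings.append("unknown patchMode %r" % mode)
    return {"mode": mode, "findings": findings}


def audit_inventory(vms, api_version):
    """Audit every VM in an inventory list; returns {vm_name: result}."""
    return {vm["name"]: audit_vm(vm, api_version) for vm in vms}


if __name__ == "__main__":
    for name, result in audit_inventory(SAMPLE_INVENTORY, "2020-06-01").items():
        print(name, result["mode"])
        for finding in result["findings"]:
            print("   -", finding)
```

The reachability of Windows Update or WSUS endpoints and the state of the Windows Update service are in-guest conditions and cannot be read from this inventory data; they need a separate check on the machine itself.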

How does the auto-update mechanism work?

With Automatic VM guest patching enabled, only patches classified as Critical or Security are automatically downloaded and applied to the system. This periodic update process starts automatically every month when new patches are released through Windows Update. The scanning mechanism ensures that all missing patches on the system are discovered as soon as possible; updates can be installed on any day during off-peak hours, within 30 days of Microsoft's monthly release of updates. This means that you do not have complete control over when updates are installed. The update process also restarts the virtual machine if patching requires it.

The patch installation process is orchestrated globally by Azure for all virtual machines on which Automatic VM guest patching is enabled, and it follows the availability principles provided by Azure.

For a group of virtual machines involved in the update process, the Azure platform orchestrates updates according to the following principles.

Distribution of updates across regions:

  • To avoid global failures in the distribution of updates, they are released gradually across the different regions.
  • An update phase can affect one or more regions, and the rollout moves on to the next phase only if the updates in the current phase complete successfully.
  • Geo-paired regions are never updated in the same phase, to avoid the simultaneous installation of updates.

Deploying updates within a region:

  • VMs residing in different Availability Zones are not updated at the same time.
  • VMs that are not part of an Availability Zone are grouped together to prevent updates from being distributed simultaneously on all VMs belonging to a specific subscription.

Deploying updates within an Availability Zone:

  • VMs belonging to the same Availability Zone are not updated at the same time and updates will be installed in accordance with the Update Domain principle.

Conclusions

This new method provided by the Azure platform allows you to keep Windows systems updated in a simple, direct way and with very little administrative effort. However, there is often a need for much greater control over the distribution of updates, and in the Azure environment it is possible to adopt the alternative, more complete solution called Update Management. Compared to Automatic VM guest patching, this solution gives you total visibility into update compliance for both Windows and Linux systems and lets you schedule update deployments by defining specific maintenance windows.

Azure IaaS and Azure Stack: announcements and updates (September 2020 – Weeks: 37 and 38)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, made official by Microsoft in the last two weeks.

Azure

Compute

Azure Virtual Machines DCsv2-series are available in Southeast Asia

Confidential computing DCsv2-series virtual machines (VMs) are available in Southeast Asia in multiple availability zones.

Storage

Azure Blob storage object replication

Object replication is a new capability for block blobs that lets you replicate your data from your blob container in one storage account to another anywhere in Azure.

Object replication unblocks a new set of common replication scenarios:

  • Minimize latency: users consume the data locally rather than issuing cross-region read requests.
  • Increase efficiency: compute clusters process the same set of objects locally in different regions.
  • Optimize data distribution: data consolidated in a single location for processing/analytics and then distribute only resulting dashboards to your offices worldwide.
  • Minimize cost: tier down your data to Archive upon replication completion using lifecycle management policies to minimize the cost.

Change feed support is generally available for Azure Blob Storage

Change feed provides a guaranteed, ordered, durable, read-only log of all the creation, modification, and deletion change events that occur to the blobs in your storage account. Change feed is the ideal solution for bulk handling of large volumes of blob changes in your storage account, as opposed to periodically listing and manually comparing for changes. It enables cost-efficient recording and processing by providing programmatic access such that event-driven applications can simply consume the change feed log and process change events from the last checkpoint.

Azure Blob storage lifecycle management now supports append blobs

Azure Blob storage lifecycle management offers a rich, rule-based policy for Azure storage accounts. You can use the policy to transition your data to the appropriate access tiers or expire at the end of the data’s lifecycle. Azure Blob storage lifecycle management now supports expiration of append blobs.

Azure Blob access time tracking and access time-based lifecycle management (preview)

Once access time tracking is enabled, each blob has a new property called last access time which is updated when the blob is read. Azure Blob lifecycle management supports using last access time as a filter to transition data between access tiers and manage data retention. You can minimize your storage cost automatically by setting up a policy based on last access time to:

  • Transition your data from a hotter access tier to a cooler access tier (hot to cool, cool to archive, or hot to archive) if there is no access for a period.
  • Transition your data from the cool tier to the hot tier immediately if there is an access on the data.
  • Delete your data if there is no access for an extended period.

NFS 4.1 support for Azure Files (preview)

The NFS file system is a very popular choice for Linux applications and end users for their shared storage needs. Having a fully managed NFS file system in Azure will enable customers to easily lift-and-shift their enterprise workloads and leverage the elasticity, scale and cost savings of the cloud. Azure Files is built on the Azure Storage platform, which by nature is highly durable, highly available and highly secure. It is backed by the same Azure Storage SLA. NFS on Azure Files is being offered first on the highly performant SSD-backed Premium Files tier, enabling customers to run their most demanding enterprise applications. The NFS file system can grow and shrink to meet your scale and performance requirements, from 100 GiB to 100 TiB per volume. Azure Files NFS can be accessed from a variety of clients, such as Linux distributions on Azure VMs (Ubuntu, RHEL, SUSE, etc.), Azure Kubernetes Service (AKS), Azure Container Instances (ACI), Azure VMWare Service (AVS), VMSS, etc. NFS has a broad range of use cases.

Azure NetApp Files: cross region replication (preview)

With this new disaster recovery capability, you can replicate your Azure NetApp Files volumes from one Azure region to another in a fast and cost-effective way, protecting your data from unforeseeable regional failures.

The new Microsoft solution for hyper-converged scenarios

Very frequently, the strong tendency to move workloads to the public cloud for cost benefits, efficiency and innovation goes alongside the need to maintain specific on-premises application environments. The reasons vary and range from compliance to specific latency requirements or particular business needs. Microsoft, aware of these needs, recently announced the release of a new version of Azure Stack HCI, the solution that allows you to build a hyper-converged infrastructure (HCI) to run virtual machines in an on-premises environment, with an easy and strategic connection to Azure services. This article lists the main features that will be introduced in the new version of Azure Stack HCI.

What is Azure Stack HCI?

With the arrival of Windows Server 2019, Microsoft introduced the Azure Stack HCI solution, which allows the execution of virtual machines and broad access to different services offered by Azure.

This is a hyper-converged infrastructure (HCI), in which various hardware components are removed and replaced by software that combines the compute, storage and network layers in one solution. This marks a transition from a traditional "three tier" infrastructure, composed of network switches, appliances, physical systems with onboard hypervisors, storage fabric and SAN, toward hyper-converged infrastructure (HCI).

Figure 1 – "Three Tier" Infrastructure vs Hyper-Converged Infrastructure (HCI)

Azure Stack HCI belongs to the Azure Stack family, which includes a comprehensive and flexible range of solutions to meet the different needs for implementing infrastructure. The Azure Stack portfolio ranges from Azure Stack Hub, which is an Azure extension that can bring the agility and innovation of cloud computing to the on-premises environment, to Azure Stack Edge, a managed Azure appliance that can bring computational power, cloud storage and intelligence in a remote edge of the customer. For more information about the Azure Stack portfolio, see this article.

Figure 2 – Azure Stack portfolio

The new Azure Stack HCI solution, deployed as an Azure hybrid service, is named Azure Stack HCI version 20H2 and includes important new features.

Figure 3 - Overview of Azure Stack HCI version 20H2 components

Full stack for a Hyper-Converged infrastructure

The operating system of the new Azure Stack HCI solution is based on the core components of Windows Server and has been specially designed and optimized to provide a powerful hyper-converged platform. The new version of Azure Stack HCI adopts well-established Windows Server technologies such as Hyper-V, software-defined networking and Storage Spaces Direct, and adds new specific features. The areas of innovation in this solution are described below.

Dedicated and solution-specific operating system

The operating system of the new Azure Stack HCI solution is a specific operating system with a simplified composition and newer components than Windows Server 2019.

This operating system does not include roles that are not required for the solution, such as the print server, DNS role, DHCP server, Active Directory Domain Services, certificate services and federation services.

Furthermore, it includes the most recent hypervisor, also used in the Azure environment, with software-defined networking and storage technologies optimized for virtualization.

The local user interface is minimal and is designed to be managed remotely.

Figure 4 - Azure Stack HCI OS interface

Disaster recovery features and virtual machine failover built into the solution

The new version of Azure Stack HCI includes the ability to create stretched clusters, extending an Azure Stack HCI cluster across two different locations (rooms, buildings or even two cities). This feature provides storage replication (synchronous or asynchronous) and includes encryption, on-premises site resiliency and automatic failover of virtual machines.

Figure 5 – Stretched cluster in a hyper-converged Azure Stack HCI architecture

When creating a new cluster, you can select whether it is deployed on a single site or stretched across two different sites.

Figure 6 – Options when creating an Azure Stack HCI cluster

In a stretched cluster, when creating a volume, you can configure storage replication between the two sites.

Figure 7 – Volume replication options when there is a stretched cluster

Optimized Storage Spaces resync process

In Azure Stack HCI version 20H2, the Storage Spaces resync, used for storage space repair, has been completely re-engineered, to the point where the length of the process is significantly reduced (up to 4-5 times). This improvement makes it possible to speed up the restart of the various systems after updates are applied.

Figure 8 - Comparison of the times for the monthly application of operating system patches

Updates of the entire stack covered by the solution (full-stack updates)

To reduce the complexity and operational costs of updating the solution, the new version of Azure Stack HCI provides a full-stack update process (firmware and drivers along with the operating system) for certain selected partners.

Figure 9 – Solution updates of a Dell EMC-branded Azure Stack HCI solution

Azure Hybrid Service

This new version of Azure Stack HCI is provided as an Azure service, applying a subscription-based licensing model and offering integrated hybrid capabilities.

To expand the capabilities of your solution, you can use Azure services to monitor it, enable disaster recovery scenarios and manage backup protection, and you get a centralized view of the various Azure Stack HCI deployments directly from the Azure Portal. Details about this Azure hybrid service are given below.

Native integration in Azure

The new Azure Stack HCI natively integrates with Azure services and Azure Resource Manager (ARM). No agent is required for this integration; Azure Arc is integrated directly into the operating system. This allows you to view the on-premises Azure Stack HCI cluster directly from the Azure Portal, exactly like an Azure resource.

Figure 10 – Azure Stack HCI integration scheme in Azure

By integrating with Azure Resource Manager, you can take advantage of the following benefits of Azure-based management:

  • Adopting Standard Azure Resource Manager-Based Constructs (ARM)
  • Classification of Clusters with Tags
  • Organizing Clusters in Resource Groups
  • Viewing all Azure Stack HCI clusters in one centralized view
  • Managing access using Azure Identity Access Management (IAM)

Billing based on a subscription model

Despite running on-premises, Azure Stack HCI is billed through an Azure subscription, just like any other Azure cloud service. The model is simple and has a cost of $10 / core / month, which depends on the cores of the physical processor. In the new pricing model there is no minimum or maximum on the number of licensed cores, nor on the activation duration.

Figure 11 – New licensing model applied for Azure Stack HCI

Dedicated Azure Support Team

Azure Stack HCI becomes an Azure solution and is therefore covered by Azure support, with the following features:

  • You can easily request technical support directly from the Azure portal.
  • Support will be provided by a new team of experts dedicated to the new Azure Stack HCI solution.
  • You can choose from different support plans, depending on your needs.

For more information, you can access this page.

Familiarity in management and operation

The Azure Stack HCI solution can be activated on different hardware models of your choice and does not require specific software tools to be administered.

Choosing and customizing your hardware

There are several hardware vendors that offer suitable solutions to run Azure Stack HCI, which can be consulted by accessing this link. The choice is wide and covers more than 200 solutions from more than 20 different partners. Azure Stack HCI requires hardware that is specifically tested and validated by the various vendors.

The Azure Stack HCI solutions included in the catalog are composed of:

  • A server system
  • A host bus adapter
  • A family of network adapters

Furthermore, you can customize your hardware solution to suit your needs by configuring the processor, memory, storage and network adapter features, always respecting the supplier's compatibility matrices.

Figure 12 – Hardware composition for Azure Stack HCI solutions

Management and integration tools

The administrative management of Azure Stack HCI does not require specific software, but you can use existing management tools such as Admin Center, PowerShell, System Center Virtual Machine Manager and even third-party tools.

Using Windows Admin Center, you can install and configure new Azure Stack HCI architectures and activate virtual systems. Furthermore, with the native integration of Windows Admin Center with Azure, you can extend functionality with different Azure services, including:

  • Azure Site Recovery to implement disaster recovery scenarios.
  • Azure Monitor to monitor, in a centralized way, what happens at the application level, on the network and in its hyper-converged infrastructure, with advanced analysis using artificial intelligence.
  • Azure Backup for offsite protection of your infrastructure.
  • Azure Security Center for monitoring and detecting security threats in virtual machines.
  • Azure Update Management to assess missing updates and proceed with their distribution, for both Windows and Linux systems, regardless of their location, Azure or on-premises.
  • Cloud Witness to use Azure storage account as cluster quorum.

Conclusions

The innovations introduced in Microsoft's new hyper-converged solution are very interesting and concern various areas. Azure Stack HCI integrates seamlessly with the existing on-premises environment and offers an important added value: the ability to connect Azure Stack HCI with Azure services to achieve a hybrid hyper-converged solution. This aspect in particular strongly differentiates it from competitors who offer solutions in this area. Thanks to the changes introduced by this new version, it is possible to obtain a more complete, integrated and performant offering for hyper-converged scenarios.

Azure IaaS and Azure Stack: announcements and updates (September 2020 – Weeks: 35 and 36)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, made official by Microsoft in the last two weeks.

Azure

Compute

Azure Dedicated Hosts now support new Azure Virtual Machines series

Azure Dedicated Host provides a single-tenant physical server to host your Azure Virtual Machines for Windows and Linux. The server capacity is not shared with other customers. Address specific organizational compliance requirements or plan your maintenance window by deploying your workloads on Azure Dedicated Hosts. You can now deploy Dsv4, Ddsv4, Esv4, and Edsv4 Azure Virtual Machines on Dedicated Hosts. New Azure Dedicated Host SKUs featuring new hardware types for the Dsv3 and Esv3 Azure VM series are now generally available as well. With this update, we continue to expand the range of general purpose and memory intensive workloads that you can run on Azure Dedicated Hosts while providing greater performance.

New Azure VMs for general purpose and memory intensive workloads

The new D v4 and E v4 series Azure Virtual Machines, now generally available, are based on the Intel Xeon Platinum 8272CL custom processor, which can achieve up to 3.4Ghz all core turbo frequency. These new Azure Virtual Machines do not provide any temporary storage. If you require temporary storage select the latest Dd v4 and Ed v4 Azure virtual machines, which are also generally available.

  • The D v4 / Ds v4 virtual machine sizes offer a combination of vCPUs and memory able to meet the requirements associated with most general-purpose workloads. You can attach Standard SSDs and Standard HDDs disk storage to the D v4 virtual machines. If you prefer to use Premium SSD or Ultra Disk storage, please select the Ds v4 virtual machines.
  • The E v4 / Es v4 virtual machines feature up to 504 GiB of RAM and are ideal for various memory-intensive enterprise applications. You can attach Standard SSDs and Standard HDDs disk storage to the E v4 VMs. If you prefer to use Premium SSD or Ultra Disk storage, please select the Es v4 virtual machines.

Automated deployment of Always On availability groups through the Azure portal (Public preview)

A new, automated way to deploy Always On availability groups is now in preview for SQL Server on Azure Virtual Machines (VMs) using the SQL VM resource provider. The VM resource provider simplifies configuring Always On availability groups by handling infrastructure and network configuration details. It offers a reliable deployment method with the correct resource dependency settings and internal re-try policies. Deploying automated Always On availability groups with SQL VM resource provider today will improve availability for SQL Server on Azure Virtual Machines. Learn more about Always On availability group deployments.

Storage

AzCopy: new version available

AzCopy v10.6 has been released with support for:

  • Sync command now includes access control lists (ACLs) between supported resources (e.g. Windows and Azure Files) using persist-smb-permissions flag
  • Sync also includes SMB properties (Created Time, Last Write Time, and attributes such as Read Only) between supported resources (e.g. Windows and Azure Files) using the persist-smb-info flag
  • Support for higher block & blob size.  Blob block size up to 4,000 MiB supported.  This provides block blob sizes up to 190.7 TiB (4,000 MiB x 50,000 blocks)
  • Support for Blob Versioning using list-of-versions flag for both download and delete operations

Azure Data Lake Storage Gen2: access control list recursive update (public preview)

The ability to recursively propagate access control list (ACL) changes from a parent directory to its existing child items for Azure Data Lake Storage (ADLS) Gen2 is now available in public preview. This public preview is available globally in all Azure regions, through PowerShell, .NET SDK, and Python SDK.

Azure Blob versioning is now generally available

Azure storage strives to protect your business critical data from any accident or attack. To support that goal, Microsoft is announcing the general availability of Azure Blob versioning. Azure Blob Versioning automatically maintains previous versions of an object and identifies them with version IDs. You can list both the current blob and previous versions using version ID timestamps. You can also access and restore previous versions as the most recent version of your data if it was erroneously modified or deleted by an application or other users.

Networking

Azure DNS: Introducing automatic child zone delegation

A new update has been released to general availability in all clouds that makes it easier for you to create Child Zones which are easily attached to Parent Zones. Prior to this release, when a customer was creating a new child zone, they would add their resource records to the newly created zone but often missed the step of adding the complicated nameserver records back to the parent zone, causing name resolution failure when the customer tried to test the newly created zone. This update creates an option for you to identify your new zone as a child (please see illustration) of an existing zone in Azure DNS. When this selection has been made, the name server records for the child zone will be automatically populated in the parent, saving you 4 additional steps. For a quick explanation on how to create child zones, please check out our tutorial guide.

Upcoming changes to Standard Public IPs and Standard Load Balancers

With Network API version 2020-08-01, zone behavior for Standard SKU resources (Azure Load Balancer and Public IP addresses) will be updated such that:

  • when no zone is specified, a non-zonal resource is created
  • when a single zone is specified, a zonal resource is created 
  • when multiple zones are specified in a region with Availability Zones, a zone-redundant resource is created

A zone-redundant resource can only be created in regions where Availability Zones are supported.

Azure Stack

Azure Stack Hub

Stream Analytics can be run on Azure Stack Hub

Azure Stream Analytics now can be run on Azure Stack Hub as an IoT Edge module. Configurations have been added to the IoT Edge module which allows it to interact with blob storage, Event Hubs, and IoT Hubs running in an Azure Stack Hub subscription. Customers can build truly hybrid architectures for stream processing in your own private, autonomous cloud, which can be connected or disconnected with cloud-native apps using consistent Azure services on-premises.

Azure Management services: what's new in August 2020

Microsoft constantly releases news about Azure management services. Our community publishes this monthly summary to provide an overview of the top news released in the last month. This allows you to stay up-to-date on these topics and have the necessary references to conduct further investigations.

The following diagram shows the different areas related to management, which are covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.

Figure 1 – Management services in Azure overview

Monitor

Azure Monitor

New version of the agent for Linux systems

A new version of the Log Analytics agent has been released this month for Linux systems. In addition to solving several issues, it introduces some new features, the main ones being:

  • Support for Red Hat Enterprise Linux 8
  • Support for Azure Arc for servers
  • FIPS compliance
  • Limiting ingestion to prevent service degradation in the event of extremely high data volume

Azure Monitor for containers: support for viewing Kubernetes environment resources (preview)

With the Kubernetes resource monitor in the Azure portal, you can now use a “point and click” experience to get real-time details of workloads hosted in the AKS environment. The public preview of this feature includes support for different resources (deployments, pods, and replica sets) and supports the following features:

  • Viewing workloads running on the cluster, including the ability to filter resources by namespaces
  • Find the node on which an application is running and the IP address of its pod
  • View the pods in a replica set, the status of each pod and the images associated with each pod
  • Drill down for individual deployments to view their real-time status and details
  • Perform on-the-fly changes on YAML to validate devtest scenarios

Audit Logs for Azure Monitor queries (preview)

The Azure Monitor team has announced in public preview one of the most requested features: the ability to audit Azure Monitor queries. When enabled through the Azure diagnostic mechanism, it lets you collect telemetry data about who ran a query, when it was run, which tool was used to run it, the query text and performance statistics for its execution. This telemetry, like any other Azure Diagnostic-based telemetry, can be sent to an Azure storage blob, Event Hub or Azure Monitor.

New dedicated blade for System Center

System Center now has its own dedicated blade in Log Analytics. To display the new System Center panel, you need to access the Log Analytics workspace and select “System Center” from the left navigation bar, in the group “Workspace Data Sources”. The new System Center blade lets you view and manage SCOM instances connected to your Log Analytics workspace.

New limits for data ingestion in Log Analytics

Azure Monitor is a large-scale service designed to serve thousands of customers who send high volumes of data every month at an increasing rate. As with any multi-tenant platform, Microsoft has realized that limits must be placed to protect customers from sudden spikes in ingestion that can affect customers who share the environment and resources. Until now, there was only one ingestion volume rate limit, for Azure resource data from Diagnostic Settings. Now the limit has been extended to other Log Analytics data sources, including: Diagnostic Settings, agents and data collection APIs. The limit is applied to compressed data and is approximately 6 GB / min; it may vary depending on the types of data and their compression ratio. This ingestion volume rate limit in Log Analytics can be increased by opening a support request.

Log Analytics REST APIs: released a new version

The new version (2020-08-01) of the Log Analytics REST API for the resource provider OperationalInsights was released. This version supports new features such as customer-managed keys (CMK) and Bring Your Own Storage (BYOS), and consolidates the functionality of all previous versions.

Govern

Azure Policy

Azure Policy Compliance Scan Action for GitHub Workflows (preview)

The Azure Policy Compliance Scan Action for GitHub Workflows has been released in preview. The new GitHub action makes it easier to trigger an Azure Policy compliance scan on subscriptions, resource groups or other resources, and to automate the next steps in the GitHub workflow based on the compliance status of the resources.

Protect

Azure Backup

Selective disk backup for virtual machines in Azure (preview)

Azure Backup introduced the ability to selectively back up virtual machine disks. This feature primarily introduces the following benefits:

  • Cost Optimization
  • Faster backup and restore operations

Configuring Azure file shares

Azure Backup has simplified the backup configuration experience for Azure file shares, providing the ability to enable backup directly from the file share management panel.

Configuring Azure file shares backup now consists of only the following two steps:

  • Create or choose the Recovery Services vault
  • Create or choose the backup policy

Improvements in virtual machine protection

Azure Backup introduces the following improvements in the protection of VMs:

  • Introduces the ability to restore unmanaged disks of a VM by turning them into managed disks during the restore phase.
  • Supports the backup and restore of Virtual Machine Scale Sets in the orchestration mode described in this document.
  • Allows disk replacement as an option for VMs that have assigned Managed Service Identities (MSI).

Encryption of backups using customer managed keys (preview)

Azure Backup introduces the possibility, when you back up Azure Virtual Machines, to encrypt data using customer-managed keys. Azure Backup allows you to use RSA keys stored in Azure Key Vault to encrypt backups. The data is protected with an AES 256-based data encryption key (DEK), which in turn is protected using the keys stored in Key Vault. This gives you full control over the data protection and the keys that are used for encryption.
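The key hierarchy described above (an AES-256 DEK encrypting the data, an RSA key protecting the DEK) can be illustrated locally. This is an added example, not Azure Backup's own code: the in-memory RSA key pair stands in for the key held in Key Vault, and the function names, AES-GCM mode and OAEP-SHA256 padding are assumptions chosen for the illustration.

```powershell
#Requires -Version 7.0
# AesGcm is not available in Windows PowerShell 5.1.
# Assumption: the local RSA key pair below stands in for the Key Vault key.

function New-RandomBytes([int]$Count) {
    $buffer = [byte[]]::new($Count)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($buffer) } finally { $rng.Dispose() }
    , $buffer   # the comma keeps the array from being unrolled on output
}

function Protect-WithEnvelope {
    param([byte[]]$Plaintext, [System.Security.Cryptography.RSA]$Kek)
    $dek        = New-RandomBytes 32     # AES-256 data encryption key (DEK)
    $nonce      = New-RandomBytes 12     # must be unique per DEK
    $tag        = [byte[]]::new(16)
    $ciphertext = [byte[]]::new($Plaintext.Length)
    $aes = [System.Security.Cryptography.AesGcm]::new($dek)
    try { $aes.Encrypt($nonce, $Plaintext, $ciphertext, $tag) } finally { $aes.Dispose() }
    # Only the wrapped DEK is stored next to the data; the plain DEK is wiped.
    $wrapped = $Kek.Encrypt($dek, [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256)
    [Array]::Clear($dek, 0, $dek.Length)
    [pscustomobject]@{ WrappedDek = $wrapped; Nonce = $nonce; Tag = $tag; Ciphertext = $ciphertext }
}

function Unprotect-WithEnvelope {
    param($Envelope, [System.Security.Cryptography.RSA]$Kek)
    # Without the RSA private key the DEK cannot be recovered, so the data stays unreadable.
    $dek = $Kek.Decrypt($Envelope.WrappedDek, [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256)
    $plaintext = [byte[]]::new($Envelope.Ciphertext.Length)
    $aes = [System.Security.Cryptography.AesGcm]::new($dek)
    try { $aes.Decrypt($Envelope.Nonce, $Envelope.Ciphertext, $Envelope.Tag, $plaintext) }
    finally { $aes.Dispose(); [Array]::Clear($dek, 0, $dek.Length) }
    , $plaintext
}

# Constructed sample data
$kek      = [System.Security.Cryptography.RSA]::Create(2048)
$data     = [System.Text.Encoding]::UTF8.GetBytes('constructed sample: VM disk block')
$envelope = Protect-WithEnvelope -Plaintext $data -Kek $kek
[System.Text.Encoding]::UTF8.GetString((Unprotect-WithEnvelope -Envelope $envelope -Kek $kek))

# A different (or revoked) key cannot unwrap the DEK.
$otherKek = [System.Security.Cryptography.RSA]::Create(2048)
try {
    Unprotect-WithEnvelope -Envelope $envelope -Kek $otherKek | Out-Null
    'unexpected: unwrap succeeded'
}
catch { 'unwrap failed without the original key' }
```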

SAP HANA backup for Red Hat Enterprise Linux VM

Azure Backup has released the ability to protect SAP HANA databases on Red Hat Enterprise Linux (RHEL) virtual machines. This feature provides integrated protection of SAP HANA databases on RHEL, one of the most commonly used operating systems in these scenarios, without having to provision a dedicated backup infrastructure.

Azure Site Recovery

New Update Rollup

Update Rollup 49 has been released for Azure Site Recovery; it solves several issues and introduces some improvements. The details and the procedure to follow for the installation can be found in the specific KB.

Migrate

Azure Migrate

Assessment of physical servers and servers in AWS and GCP

Azure Migrate introduces support for the assessment of physical servers and of systems residing in Amazon Web Services (AWS), Google Cloud Platform (GCP) or any other cloud. Thanks to this evolution of the solution, it is possible to assess any machine in the cloud or on-premises even when you cannot access the hypervisor. The assessment is able to provide the following information:

  • Suitability analysis for the Azure environment
  • Migration cost planning
  • Performance-based scaling
  • Support for application dependency analysis (agent-based)

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure IaaS and Azure Stack: announcements and updates (August 2020 – Weeks: 33 and 34)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, made official by Microsoft in the last two weeks.

Azure

Compute

New GPU NCas T4 v3 VMs (preview)

The NCas T4 v3 Series virtual machine is a new addition to the Azure GPU family specifically designed for AI and machine learning workloads. The VMs feature 4 NVIDIA T4 GPUs with 16 GB of memory each, up to 64 non-multithreaded AMD EPYC 7V12 (Rome) processor cores, and 448 GiB of system memory. These virtual machines are ideal to run ML and AI workloads utilizing CUDA, TensorFlow, PyTorch, Caffe, and other frameworks, or graphics workloads using NVIDIA GRID technology.

Azure Virtual Machines DCsv2-series in West US 2

Confidential computing DCsv2-series virtual machines (VMs) are now available in two availability zones in West US 2.

Storage

Azure Blob storage: Network File System 3.0 protocol support region expansion (preview)

Azure Blob storage is the only storage platform that supports NFS 3.0 protocol over object storage natively (no gateway or data copying required), with crucial object storage economics. The public preview regions for NFS 3.0 support on block blob storage accounts with premium performance now include: US East, US Central, US West Central, Australia Southeast, North Europe, UK West, Korea Central, Korea South, and Canada Central.

Azure Blob storage: Soft Delete for Containers (preview)

Soft delete for containers expands upon Azure Blob Storage’s existing capabilities such as soft delete for blobs, account delete locking, and immutable blobs, making our data protection and restore capabilities even better. When container soft delete is enabled for a storage account, any deleted container and its contents are retained in Azure Storage for the period that you specify. During the retention period, you can restore previously deleted containers and any blobs within them. Container soft delete is available in preview in the following regions: France Central, Canada East, and Canada Central. There is no additional charge to enable container soft delete. Data in soft deleted containers is billed at the same rate as active data.

Azure Ultra Disk: generally available in more regions and Availability Zones

Azure Ultra Disks offer high throughput, high IOPS, and consistent low latency disk storage for Azure Virtual Machines (VMs). It is now available in Australia East, East Asia, Brazil South, and Canada Central. Moreover, Azure Ultra Disk support is now expanded to the 3 Availability Zones in US East 2 and Japan East.

Azure Data Box Disk is now available in South Africa and China

Data Box Disk is an SSD-disk-based option for offline data transfer to Azure. It’s ideal for a recurring or one-time data migration of up to 40 TB to Azure and is especially well-suited for data migration from multiple remote or branch offices. Azure Data Box Disk is now Generally Available in South Africa and China. This is in addition to the regions where Data Box Disk is now generally available.

Cloud Governance: how to control cloud costs through budgets

In the public cloud, the ease of delegation and the consumption-based cost model expose companies to the risk of losing control over costs. Keeping the expenses incurred for resources created in the cloud environment under constant supervision is therefore of fundamental importance for an effective governance process. Azure Cost Management provides a comprehensive set of cloud cost management features, including the ability to set up budgets and expense alerts. This article describes how to best use budgets to proactively control and manage cloud service costs.

Budgets are spending thresholds that can be set in Azure Cost Management + Billing and that generate notifications when they are reached. Cost and resource utilization data are generally available within 20 hours, and budgets are evaluated against these costs every 12-14 hours.

The procedure for setting budgets from the Azure portal involves the following steps.

Figure 1 – Add a budget from Cost Management

Figure 2 – Parameters required when creating budgets

During the budget configuration phase, you must first assign the scope. Depending on the type of Azure account, you can select the following scopes:

  • Azure role-based access control (Azure RBAC)
    • Management groups
    • Subscription
  • Enterprise Agreement
    • Billing account
    • Department
    • Enrollment account
  • Individual agreements
    • Billing account
  • Microsoft Customer Agreement
    • Billing account
    • Billing profile
    • Invoice section
    • Customer
  • AWS scopes
    • External account
    • External subscription

For more information about the use of scopes, see this Microsoft document.

To create a budget that aligns with the billing period, you can select a reset period of billing month, billing quarter or billing year. If, on the other hand, you intend to create a budget aligned to the calendar month, you must select a monthly, quarterly or yearly reset period.

You can then set the expiration date, after which the budget is no longer valid and its cost evaluation stops.

Based on the fields you choose when you define your budget, a chart is shown to help you set the spending threshold to be used. By default, the suggested budget is based on the highest expected cost that could be incurred in future periods, but the budget amount can be changed to suit your needs.

After you set up your budget, you are prompted to configure your alerts. Budgets require at least one cost threshold (% budget) and an email address to use for notifications.

Figure 3 – Configure alerts and e-mail addresses to use for notifications

For a single budget, you can include up to five thresholds and five email addresses. When a budget threshold is reached, email notifications are normally sent within an hour of the evaluation.

When creating or editing a budget, you can configure it to invoke an Action Group, but only if the budget's scope is a subscription or a resource group. The Action Group allows you to customize notifications to suit your needs and can perform various actions when the budget threshold is reached, including:

  • Voice call or text message (for enabled countries)
  • Sending an email
  • Calling a webhook
  • Sending data to ITSM
  • Invoking a Logic App
  • Sending a push notification to the Azure mobile app
  • Running an Azure Automation runbook

Figure 4 – Associating an Action Group when a threshold is reached

After you finish creating a budget, you can view it in the respective section.

Figure 5 – Budget created and its percentage of usage

Viewing the budget against the spending trend is generally one of the first actions taken in the cost analysis phase.

Figure 6 – View budget in cost analysis

When a certain threshold is reached in a budget, in addition to the notifications you set, an alert is also generated in the Azure portal.

Figure 7 – Alert generated when a certain threshold is reached

When the budget thresholds that you create are exceeded, notifications are triggered, but none of the cloud resources are changed and as a result consumption is not interrupted.

Through integration with the Amazon Web Services (AWS) Cost and Usage report (CUR), you can monitor and control AWS costs in Azure Cost Management and define budgets for AWS resources too.
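The budget configured through the portal steps above can also be defined as code and reviewed before deployment. This is an added example, not part of the original article: the function name New-CostBudget, the sample values and the `2019-10-01` API version of the Microsoft.Consumption budgets resource are assumptions, and the checks encode the limits stated above (one to five thresholds, one to five email addresses, Action Groups only on subscription or resource group scopes).

```powershell
#Requires -Modules Az.Accounts

function New-CostBudget {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]   $Scope,             # e.g. /subscriptions/<subscription-id>
        [Parameter(Mandatory)][string]   $Name,
        [Parameter(Mandatory)][decimal]  $Amount,
        [Parameter(Mandatory)][int[]]    $ThresholdPercent,  # cost thresholds as % of the budget
        [Parameter(Mandatory)][string[]] $ContactEmail,
        [string[]] $ActionGroupId = @(),
        [Parameter(Mandatory)][datetime] $StartDate,         # first day of a month for a monthly budget
        [Parameter(Mandatory)][datetime] $EndDate,           # expiration date of the budget
        [switch] $Deploy
    )

    # Limits described in the article.
    if ($ThresholdPercent.Count -gt 5) { throw 'A budget accepts at most five thresholds.' }
    if ($ContactEmail.Count -gt 5)     { throw 'A budget accepts at most five email addresses.' }
    $isSubscriptionOrRg = $Scope -match '^/subscriptions/[^/]+(/resourceGroups/[^/]+)?/?$'
    if ($ActionGroupId.Count -gt 0 -and -not $isSubscriptionOrRg) {
        throw 'Action Groups can only be used when the scope is a subscription or a resource group.'
    }

    # One notification entry per threshold.
    $notifications = [ordered]@{}
    foreach ($pct in ($ThresholdPercent | Sort-Object -Unique)) {
        $notifications["Actual_GreaterThan_${pct}_Percent"] = @{
            enabled       = $true
            operator      = 'GreaterThan'
            threshold     = $pct
            contactEmails = $ContactEmail
            contactGroups = $ActionGroupId
        }
    }

    $invariant = [cultureinfo]::InvariantCulture
    $payload = @{
        properties = @{
            category      = 'Cost'
            amount        = $Amount
            timeGrain     = 'Monthly'
            timePeriod    = @{
                startDate = $StartDate.ToString('yyyy-MM-dd', $invariant) + 'T00:00:00Z'
                endDate   = $EndDate.ToString('yyyy-MM-dd', $invariant) + 'T00:00:00Z'
            }
            notifications = $notifications
        }
    } | ConvertTo-Json -Depth 6

    if (-not $Deploy) { return $payload }   # dry run: return the JSON for review

    $path = '{0}/providers/Microsoft.Consumption/budgets/{1}?api-version=2019-10-01' -f $Scope.TrimEnd('/'), $Name
    $response = Invoke-AzRestMethod -Method PUT -Path $path -Payload $payload
    if ($response.StatusCode -notin 200, 201) {
        throw "Budget creation failed ($($response.StatusCode)): $($response.Content)"
    }
    $response.Content
}

# Constructed sample values; without -Deploy only the JSON definition is printed.
New-CostBudget -Scope '/subscriptions/00000000-0000-0000-0000-000000000000' -Name 'monthly-cap' `
    -Amount 1000 -ThresholdPercent 50, 80, 100 -ContactEmail 'cloud-costs@contoso.example' `
    -StartDate '2020-09-01' -EndDate '2021-08-31'
```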

The Cost of the Solution

You can use Azure Cost Management for free, in all its features, for the Azure environment. For the management of AWS costs, a charge equal to 1% of the total managed AWS spend is expected in the final release. For more details on the cost of the solution, you can consult the pricing of Cost Management.

Conclusions

Cost control is a key component to maximize the value of your cloud investment. By using budgets, you can easily activate an effective mechanism to proactively control and manage the costs of cloud services located on both Microsoft Azure and Amazon Web Services (AWS).

Azure IaaS and Azure Stack: announcements and updates (August 2020 – Weeks: 31 and 32)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, made official by Microsoft in the last two weeks.

Azure

Compute

SQL Server FCI on Shared Disks for SQL Server on virtual machines

Azure Shared Disks for SQL Server Failover Cluster Instance (SQL FCI) on Azure IaaS is now in general availability. Azure Shared disks for SQL FCI enables lift and shift migrations for the most commonly used high availability configuration on-premises to Azure IaaS.

Storage

New regions for Azure Blob storage object replication (preview)

Object replication is a new capability for block blobs that lets you replicate your data from your blob container in one storage account to another anywhere in Azure. Microsoft has expanded the preview regions to include East US 2 and Central US.

Azure Blob storage: Network File System 3.0 protocol support (preview)

Network File System (NFS) 3.0 protocol support for Azure Blob storage is now in preview. Azure Blob storage is the only storage platform that supports NFS 3.0 protocol over object storage natively (no gateway or data copying required), with crucial object storage economics. This new level of support helps with large scale read-heavy sequential access workloads where data will be ingested once and minimally modified further including large scale analytic data, backup and archive, NFS apps for seismic and subsurface processing, media rendering, genomic sequencing, and line-of-business applications. NFS 3.0 is available to block blob storage accounts with premium performance in the following regions: US East, US Central, and Canada Central. Support for GPV2 accounts with standard tier performance will be announced soon. During the preview, test data stored in your NFS 3.0-enabled storage accounts will be billed at the same capacity rate (per GB per month) as Azure Blob storage. Pricing for transactions is subject to change and will be determined when generally available.

Azure File Sync agent v10.1

Azure File Sync agent v10.1 is available and it’s now on Microsoft Update and Microsoft Download Center.

Improvements and issues that are fixed:

  • Azure private endpoint support
  • Files Synced metric will now display progress while a large sync is running, rather than at the end.
  • Miscellaneous reliability improvements for agent installation, cloud tiering, sync and telemetry.

Installation instructions are documented in KB4522411.

Networking

Upcoming billing changes to Azure Bandwidth

On a rolling basis throughout September 2020, Microsoft will move Bandwidth to a source–destination billing model. Additionally, metering will be divided into inter-region meter IDs. As a result, Bandwidth charges for inter-region data transfers will either remain the same or decrease. First 5 GB of outbound data transfers will remain free of charge and the current data volume tiers will be replaced by one flat price.

Azure Management services: What's new in July 2020

Microsoft continuously announces news about Azure management services and as usual our community releases this monthly summary. The aim is to provide an overview of the main news of the month, in order to stay up to date on these topics and have the necessary references to conduct further exploration.

The following diagram shows the different areas related to management, which are covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.

Figure 1 – Management services in Azure overview

Monitor

Azure Monitor

Azure Monitor Logs connector

The Azure Monitor Logs connector component has been released and allows you to create automated workflows using hundreds of actions for a variety of services with Azure Logic Apps and Power Automate.

Azure Monitor for SAP Solutions (preview)

Azure Monitor for SAP is a new solution that allows you to natively monitor your SAP environment in Azure. This solution allows you to collect and consolidate telemetry from your Azure infrastructure and SAP databases. This data is used to correlate the different components, which allows for faster troubleshooting. This feature is currently in public preview in the following regions: US East, US East 2, US West 2, West Europe.

Azure Monitor Community Repository

The Azure Monitor Community GitHub repository has been made available and provides a collaborative space for community members to share and explore Azure Monitor artifacts such as queries (KQL), workbooks and alerts. This repository is public and accepts contributions from any user, for the benefit of the entire Azure Monitor community.

Azure Log Analytics saved searches are moving to Query Explorer

Azure Log Analytics Saved Searches are now available in Query Explorer, which allows you to use and manage different queries. To manage them, open the Logs section in the Azure Monitor Log Analytics workspace or in Application Insights and select Query explorer from the main menu.

Configure

Azure Automation

Introduced support for Azure Private Link (preview)

Microsoft has introduced support for Azure Private Link, which is needed to securely connect virtual networks to Azure Automation through private endpoints. This feature is useful for:

  • Establishing a private connection with Azure Automation, without opening access to the public network.
  • Ensuring that Azure Automation data is accessible only through authorized private networks.
  • Protecting against data exfiltration by allowing granular access to specific resources.
  • Protecting resources from access from the public network.

Govern

Azure Policy

Azure Policy for Azure Kubernetes Service (AKS) pods (preview)

To improve the security of Azure Kubernetes Service (AKS) clusters, you can now protect pods by using Azure Policy. This integration allows you to control pod requests and detect requests that violate the defined policies. At the moment, you can choose from a list of 16 built-in policies and two initiatives (that match the standards set in the Kubernetes pod security policy).

Azure Cost Management

Azure Cost Management + Billing updates

During the month of July, news was announced regarding the following areas of Azure Cost Management and Billing:

Secure

Azure Security Center

Advanced threat protection for Azure Storage

Advanced threat protection preview for Azure Storage supports Azure Files and Azure Data Lake Storage Gen2 API, helping customers protect data stored in file shares and data stores designed for corporate big data analytics. This protection provides an additional layer of security information by providing alerts when unusual and potentially malicious attempts to access or exploit storage accounts are detected. These security alerts are integrated with the Security Center and are also emailed to subscription administrators, with details about suspicious activity and advice on how to investigate and resolve threats.

Protect

Azure Site Recovery

New Update Rollup

Update Rollup 48 has been released for Azure Site Recovery; it solves several issues and introduces some improvements. The details and the procedure to follow for the installation can be found in the specific KB.

Support for replication via Private Link

Azure Site Recovery introduced support for private links. These can be used to replicate Azure virtual machines, VMware and Hyper-V systems and physical machines. Using Private Links provides secure connectivity to Azure Site Recovery service URLs. A private endpoint on the network will be required for access to the recovery services vault and a second endpoint for data replication to the cache storage account. This feature will be available in almost all public regions by August 2020.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure Security Center: Azure Storage protection

Azure Security Center, the cloud solution that allows you to prevent, detect and respond to security threats affecting hybrid architectures, also provides enhanced protection for storage resources in Azure. The solution detects unusual and potentially harmful attempts to access or use Azure Storage. This article describes how to effectively protect storage in Azure with this solution, looking at the news recently announced in this area.

Azure Security Center (ASC) can be activated in two different tiers:

  • Free tier. In this tier ASC is totally free and performs a continuous assessment, providing recommendations relating to the security of the Azure environment.
  • Standard tier. Compared to the Free tier, it adds enhanced threat detection, using behavioral analysis and machine learning to identify zero-day attacks and exploits. Through machine learning techniques and the creation of whitelists, it is possible to control the execution of applications to reduce exposure to network attacks and malware. Furthermore, the Standard tier adds the ability to perform an integrated Vulnerability Assessment for virtual machines in Azure. Azure Security Center Standard supports several resources including: VMs, Virtual machine scale sets, App Service, SQL servers, and Storage accounts.

Advanced Threat Protection (ATP) for Azure Storage is one of several features in Azure Security Center Standard.

Figure 1 – Comparison of the features of the different tiers of ASC

Enabling the Security Center Standard tier is strongly recommended to improve the security posture of your Azure environment.

The Advanced Threat Protection (ATP) feature for Azure Storage was announced last year. It allows you to detect common threats such as malware, access from suspicious sources (including TOR nodes), data exfiltration activities and more, but it was limited to blob containers. Support for Azure Files and Azure Data Lake Storage Gen2 has recently been added, which also helps customers protect data stored in file shares and in data stores designed for the analysis of corporate big data.

Enabling this feature from the Azure portal is very simple and can be done at the Security Center-protected subscription level or selectively on individual storage accounts.

To enable this protection on all storage accounts in your subscription, go to the "Pricing & Settings" section of Security Center and activate the protection of Storage Accounts.

Figure 2 – ATP activation for Azure Storage at the subscription level

If you prefer to enable it only on certain storage accounts, you need to activate it in the respective settings of Advanced security.

Figure 3 – ATP activation on the single storage account
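The two activation options above can also be checked from PowerShell. The following is an added example, not part of the original article: it reports, for each storage account in the current subscription, whether the subscription-level Storage Accounts plan or the per-account setting covers it, and can optionally enable the per-account setting. The function name Get-StorageAtpCoverage is hypothetical; the cmdlets come from the Az.Security and Az.Storage modules.

```powershell
#Requires -Modules Az.Accounts, Az.Storage, Az.Security

function Get-StorageAtpCoverage {
    [CmdletBinding()]
    param(
        # Enable ATP on accounts that are covered neither by the subscription plan
        # nor by their own setting.
        [switch] $Remediate
    )

    # Subscription-level setting ("Pricing & Settings" > Storage Accounts in the portal).
    # To turn it on for every account at once:
    #   Set-AzSecurityPricing -Name 'StorageAccounts' -PricingTier 'Standard'
    $plan = Get-AzSecurityPricing -Name 'StorageAccounts'
    $subscriptionWide = $plan.PricingTier -eq 'Standard'

    foreach ($account in Get-AzStorageAccount) {
        # Per-account setting ("Advanced security" on the single storage account).
        $atp = Get-AzSecurityAdvancedThreatProtection -ResourceId $account.Id
        $accountEnabled = [bool]$atp.IsEnabled

        if ($Remediate -and -not $subscriptionWide -and -not $accountEnabled) {
            Enable-AzSecurityAdvancedThreatProtection -ResourceId $account.Id | Out-Null
            $accountEnabled = [bool](Get-AzSecurityAdvancedThreatProtection -ResourceId $account.Id).IsEnabled
        }

        [pscustomobject]@{
            StorageAccount    = $account.StorageAccountName
            ResourceGroup     = $account.ResourceGroupName
            SubscriptionPlan  = $plan.PricingTier
            AccountAtpEnabled = $accountEnabled
            Protected         = $subscriptionWide -or $accountEnabled
        }
    }
}

# Report only: list the storage accounts that no setting currently protects.
Get-StorageAtpCoverage | Where-Object { -not $_.Protected } | Format-Table -AutoSize
```

Run it after `Connect-AzAccount` in the subscription you want to review; add `-Remediate` only once the report matches what you expect to change.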

When an anomaly occurs on a storage account, security alerts are sent by email to Azure subscription administrators, with details of the detected suspicious activity and related recommendations on how to investigate and resolve threats.

The event notification includes the following details:

  • The nature of the anomaly
  • The name of the storage account
  • The time of the event
  • The type of storage
  • Potential causes
  • The recommended steps to investigate what has been found
  • The actions to be taken to remedy what happened

Figure 4 – Example of a security alert sent when a threat is detected

In this example, the EICAR test file was used to validate that the solution was working correctly. This is a file developed by the European Institute for Computer Anti-Virus Research (EICAR), which is used to safely validate security solutions.

Security alerts can be viewed and managed directly from Azure Security Center, where details and actions to investigate current threats and address future threats are displayed.

Figure 5 – Example of a security alert in the ASC Security alerts tile

To get the full list of possible alerts generated by unusual and potentially malicious attempts to access or use storage accounts, you can refer to Threat protection for data services in Azure Security Center.

This protection is also very useful if your architecture uses Azure File Sync (AFS), which allows you to centralize the network folders of your infrastructure in Azure Files.

Conclusions

Companies are increasingly moving their data to the cloud, looking for distributed architectures, high performance and cost optimization. All the features offered by the public cloud require you to strengthen cybersecurity, particularly given the increasing complexity and sophistication of cyberattacks. By adopting Advanced Threat Protection (ATP) for Azure Storage, you can easily and effectively increase the security of the storage used in your Azure environment.