Category Archives: Microsoft Azure

The new Microsoft solution for hyper-converged scenarios

Very frequently to the strong tendency to move workloads to the public cloud for cost benefits, efficiency and innovation, alongside the need to maintain specific on-premises application environments. The reasons can be different and range from compliance reasons, specific needs in terms of latency or for certain business reasons. Microsoft, aware of these needs, recently announced the release of a new version of Azure Stack HCI, the solution that allows you to build a hyper-converged infrastructure (HCI) to run virtual machines in an on-premises environment and that involves an easy and strategic connection to Azure services. This article lists the main features that will be introduced in the new version of Azure Stack HCI.

What is Azure Stack HCI?

With the arrival of Windows Server 2019, Microsoft introduced the solution Azure Stack HCI, which allows the execution of virtual machines and a wide access to different services offered by Azure.

This is a hyper-converged infrastructure (HCI), where different hardware components are removed, substitutes from the software, able to combine the layer of compute, storage and network in one solution. In this way there is a transition from a traditional "three tier" infrastructure, composed of network switches, appliance, physical systems with onboard hypervisors, storage fabric and SAN, toward hyper-converged infrastructure (HCI).

Figure 1 – "Three Tier" Infrastructure vs Hyper-Converged Infrastructure (HCI)

Azure Stack HCI belongs to the Azure Stack family, which includes a comprehensive and flexible range of solutions to meet the different needs for implementing infrastructure. The Azure Stack portfolio ranges from Azure Stack Hub, which is an Azure extension that can bring the agility and innovation of cloud computing to the on-premises environment, to Azure Stack Edge, a managed Azure appliance that can bring computational power, cloud storage and intelligence in a remote edge of the customer. For more information about the Azure Stack portfolio, see this article.

Figure 2 – Azure Stack portfolio

The new Azure Stack HCI solution, deployed as an Azure hybrid service is named Azure Stack HCI version 20H2 and includes important news.

Figure 3 - Overview of Azure Stack HCI version 20H2 components

Full stack for a Hyper-Converged infrastructure

The operating system of the new Azure Stack HCI solution is based on the core components of Windows Server and has been specially designed and optimized to provide a powerful Hyper-converged platform. The new version of Azure Stack HCI adopts well-established Windows Server technologies such as Hyper-V, software-defined networking and Storages Spaces Direct, and adds new specific features. Following, the innovation areas of this solution are reported.

Dedicated and solution-specific operating system

The operating system of the new solution Azure Stack HCI it is a specific operating system with a simplified composition and newer components than Windows Server 2019.

This operating system does not include roles that are not required for the solution, such as the print server, DNS role, DHCP server, Active Directory Domain Services, services relating to certificates and federated services.

Furthermore, there is the most recent hypervisor also used in the Azure environment, with software-defined networking and storage technologies optimized for virtualization.

The local user interface is minimal and is designed to be managed remotely.

Figure 4 - Azure Stack HCI OS interface

Disaster Recovery Features and virtual machine failover inherent in the solution

In the new version of Azure Stack HCI is included the ability to create stretched clusters to extend a cluster of Azure Stack HCI in two different locations (rooms, buildings or even two cities). This feature provides a replica of storage (synchronous or asynchronous) and contemplates encryption, on-premises site resiliency and automatic failover of virtual machines.

Figure 5 – Stretched cluster in a hyper-converged Azure Stack HCI architecture

In the build phase of creating a new cluster, you can select whether it is an implementation on a single site or stretched on two different sites.

Figure 6 – Options when creating an Azure Stack HCI cluster

If there is a stretched cluster, when creating a volume, you can configure storage replication between the two sites.

Figure 7 – Volume replication options when there is stretched cluster

Optimized the Storage Spaces resync process

In Azure Stack HCI version 20H2 has been completely re-engineered the Storage Spaces Resync, used for storage space repair, to the point where the length of the process is significantly reduced (up to 4-5 times). This improvement makes it possible to speed up the restart of the various systems after the updates are applied.

Figure 8 - Comparison of the times for the monthly application of operating system patches

Updates of the entire stack covered by the solution (full-stack updates)

To reduce the complexity and operational costs of the solution update process, in the new version of Azure Stack HCI a process is contemplated that involves full-stack updating (Firmware / driver along with the operating system) for certain selected partners.

Figure 9 – Solution updates of a Dell EMC-branded Azure Stack HCI solution

Azure Hybrid Service

This new version of Azure Stack HCI is provided as an Azure service, applying a subscription-based licensing model and offering integrated hybrid capabilities.

To expand the capabilities of your solution, you can use Azure solutions to monitor, activate disaster recovery scenarios, manage backup protection, as well as a centralized view of the various implementations of Azure Stack HCI direct from the Azure Portal. Following, details about this Azure hybrid service are reported.

Native integration in Azure

The new Azure Stack HCI natively integrates with Azure services and Azure Resource Manager (ARM). No agent is required for this integration, but Azure Arc is integrated directly into the operating system. This allows you to view, direct from the Azure Portal, the cluster Azure Stack HCI on-premises exactly like an Azure resource.

Figure 10 – Azure Stack HCI integration scheme in Azure

By integrating with Azure Resource Manager, you can take advantage of the following benefits of Azure-based management:

Adopting Standard Azure Resource Manager-Based Constructs (ARM)
Classification of Clusters with Tags
Organizing Clusters in Resource Groups
Viewing all clusters Azure Stack HCI in one centralized view
Managing access using Azure Identity Access Management (IAM)

Billing based on a subscription model

Despite being running on-premises, Azure Stack HCI provides invoicing based on Azure subscription, just like any other Azure cloud service. The model is simple and has a cost of 10$ / core / Month, which depends on the cores of the physical processor. In the new pricing model there is no minimum or maximum on the number of licensed cores, much less in the activation duration.

Figure 11 – New licensing model applied for Azure Stack HCI

Dedicated Azure Support Team

Azure Stack HCI becomes an Azure solution, therefore it will be covered by Azure support with the following features:

You can easily request technical support directly from the Azure portal.
Support will be provided by a new team of experts dedicated to supporting the new solution Azure Stack HCI.
You can choose from different support plans, depending on your needs.

For more information, you can access this page.

Familiarity in management and operation

The Azure Stack HCI solution can be activated on different hardware models of your choice and does not require specific software tools to be administered.

Choosing and customizing your hardware

There are several hardware vendors that offer suitable solutions to run Azure Stack HCI and can be consulted by accessing this link. The choice is wide and falls on more than 200 solutions of more than 20 different partners. Azure Stack HCI requires hardware that is specifically tested and validated by various vendors.

The solutions Azure Stack HCI included in the catalog are composed of:

A server system
An host bus adapter
A family of network adapters

Furthermore, you can customize your hardware solution to suit your needs, going to configure the processor, memory, storage and features of network adapters, always respecting the supplier's compatibility matrices.

Figure 12 – Hardware composition for Azure Stack HCI solutions

Management and integration tools

The administrative management of Azure Stack HCI does not require specific software, but you can use existing management tools such as Admin Center, PowerShell, System Center Virtual Machine Manager and even third-party tools.

Using the Windows Admin Center, you can install and configure new architectures Azure Stack HCI and activate virtual systems. Furthermore, With native Windows Admin Center integration with Azure, you can extend functionality with different Azure services, including:

Azure Site Recovery to implement disaster recovery scenarios.
Azure Monitor to monitor, in a centralized way, what happens at the application level, on the network and in its hyper-converged infrastructure, with advanced analysis using artificial intelligence.
Azure Backup for offsite protection of your infrastructure.
Azure Security Center for monitoring and detecting security threats in virtual machines
Azure Update Management to make an assessment of the missing updates and proceed with its distribution, for both Windows and Linux systems, regardless of their location, Azure or on-premises.
Cloud Witness to use Azure storage account as cluster quorum.

Conclusions

The innovations introduced in Microsoft's new hyper-converged solution are very interesting and concern various areas. Azure Stack HCI integrates seamlessly with the existing on-premises environment and offers an important added value: the ability to connect Azure Stack HCI with Azure services to achieve a hybrid hyper-converged solution. This aspect in particular strongly differentiates it from other competitors who offer solutions in this area. Thanks to the changes introduced by this new version it is possible to obtain a complete and more integrated and performing proposition for hyper-converged scenarios.

Azure IaaS and Azure Stack: announcements and updates (September 2020 – Weeks: 35 and 36)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Azure Dedicated Hosts now support new Azure Virtual Machines series

Azure Dedicated Host provides a single-tenant physical server to host your Azure Virtual Machines for Windows and Linux. The server capacity is not shared with other customers. Address specific organizational compliance requirements or plan your maintenance window by deploying your workloads on Azure Dedicated Hosts. You can now deploy Dsv4, Ddsv4, Esv4, and Edsv4 Azure Virtual Machines on Dedicated Hosts. New Azure Dedicated Host SKUs featuring new hardware types for the Dsv3 and Esv3 Azure VM series are now generally available as well. With this update, we continue to expand the range of general purpose and memory intensive workloads that you can run on Azure Dedicated Hosts while providing greater performance.

New Azure VMs for general purpose and memory intensive workloads

The new D v4 and E v4 series Azure Virtual Machines, now generally available, are based on the Intel Xeon Platinum 8272CL custom processor, which can achieve up to 3.4Ghz all core turbo frequency. These new Azure Virtual Machines do not provide any temporary storage. If you require temporary storage select the latest Dd v4 and Ed v4 Azure virtual machines, which are also generally available.

The D v4 / Ds v4 virtual machine sizes offer a combination of vCPUs and memory able to meet the requirements associated with most general-purpose workloads. You can attach Standard SSDs and Standard HDDs disk storage to the D v4 virtual machines. If you prefer to use Premium SSD or Ultra Disk storage, please select the Ds v4 virtual machines.
The E v4 / Es v4 virtual machines feature up to 504 GiB of RAM and are ideal for various memory-intensive enterprise applications. You can attach Standard SSDs and Standard HDDs disk storage to the E v4 VMs. If you prefer to use Premium SSD or Ultra Disk storage, please select the Es v4 virtual machines.

Automated deployment of Always On availability groups through the Azure portal (Public preview)

A new, automated way to deploy Always On availability groups is now in preview for SQL Server on Azure Virtual Machines (VMs) using the SQL VM resource provider. The VM resource provider simplifies configuring Always On availability groups by handling infrastructure and network configuration details. It offers a reliable deployment method with the correct resource dependency settings and internal re-try policies. Deploying automated Always On availability groups with SQL VM resource provider today will improve availability for SQL Server on Azure Virtual Machines. Learn more about Always On availability group deployments.

Storage

AzCopy: new version available

AzCopy v10.6 has released with support for:

Sync command now includes access control lists (ACLs) between supported resources (e.g. Windows and Azure Files) using persist-smb-permissions flag
Sync also includes SMB properties (Created Time, Last Write Time, and attributes such as Read Only) between supported resources (e.g. Windows and Azure Files) using the persist-smb-info flag
Support for higher block & blob size. Blob block size up to 4,000 MiB supported. This provides block blob sizes up to 190.7 TiB (4,000 MiB x 50,000 blocks)
Support for Blob Versioning using list-of-versions flag for both download and delete operations

Azure Data Lake Storage Gen2: access control list recursive update (public preview)

The ability to recursively propagate access control list (ACL) changes from a parent directory to its existing child items for Azure Data Lake Storage (ADLS) Gen2 is now available in public preview. This public preview is available globally in all Azure regions, through PowerShell, .NET SDK, and Python SDK.

Azure Blob versioning is now general available

Azure storage strives to protect your business critical data from any accident or attack. To support that goal, Microsoft is announcing the general availability of Azure Blob versioning. Azure Blob Versioning automatically maintains previous versions of an object and identifies them with version IDs. You can list both the current blob and previous versions using version ID timestamps. You can also access and restore previous versions as the most recent version of your data if it was erroneously modified or deleted by an application or other users.

Networking

Azure DNS: Introducing automatic child zone delegation

A new update released to general availability in all clouds that makes it easier for you to create Child Zones which are easily attached to Parent Zones. Prior to this release, when a customer was creating a new child zone, they would add their resource records to the newly created zone but often missed the step adding the complicated nameserver records back to the parent zone, causing name resolution failure when the customer would try to test the newly created zone. This update creates an option for you to identify their new zone as a child (please see illustration) of an existing zone in Azure DNS. When this selection has been made, the name server records for the child zone will be automatically populated in the parent, saving you 4 additional steps. For a quick explanation on how to create child zones, please check out our tutorial guide.

Upcoming changes to Standard Public IPs and Standard Load Balancers

With Network API version 2020-08-01, zone behavior for Standard SKU resources (Azure Load Balancer and Public IP addresses) will be updated such that:

when no zone is specified, a non-zonal resource is created
when a single zone is specified, a zonal resource is created
when multiple zones are specified in a region with Availability Zones, a zone-redundant resource is created

A zone-redundant resource can only be created in regions where Availability Zones are supported.

Azure Stack

Azure Stack Hub

Stream Analytics can be run on Azure Stack Hub

Azure Stream Analytics now can be run on Azure Stack Hub as an IoT Edge module. Configurations have been added to the IoT Edge module which allows it to interact with blob storage, Event Hubs, and IoT Hubs running in an Azure Stack Hub subscription. Customers can build truly hybrid architectures for stream processing in your own private, autonomous cloud, which can be connected or disconnected with cloud-native apps using consistent Azure services on-premises.

Azure Management services: what's new in August 2020

Microsoft constantly releases news about Azure management services. Our community publishes this monthly summary to provide an overview of the top news released in the last month. This allows you to stay up-to-date on these topics and have the necessary references to conduct further investigations.

The following diagram shows the different areas related to management, which are covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.

Figure 1 – Management services in Azure overview

Monitor

Azure Monitor

New version of the agent for Linux systems

A new version of the Log Analytics agent has been released this month for Linux systems. In addition to solving several issues, some new features are introduced, among the main ones we find:

Support for Red Hat Enterprise Linux 8
Support for Azure Arc for servers
FIPS compliance
Limiting ingestion to prevent service degradation in the event of extremely high data volume

Azure Monitor for containers: support for viewing Kubernetes environment resources (preview)

With the Kubernetes resource monitor from the Azure portal, you can now use the kubernetes “point and click” to get real-time details of workloads hosted in the AKS environment. The public preview of this feature includes support for different resources (deployments, pods, and replica sets) and supports the following features:

Viewing Workloads Running on the Cluster, including the ability to filter resources by namespaces
Find the node on which an application is running and its IP address of the pod
View pods in set replica, the status of each pod and the images associated with each pod
Drill down for individual deployments to view their real-time status and details
Perform on-the-fly changes on YAML to validate devtest scenarios

Audit Logs for Azure Monitor queries (preview)

The Azure Monitor team has announced in public preview one of the most requested features: the ability to check Azure Monitor query logs. When enabled, through the Azure diagnostic mechanism, you can collect telemetry data about who ran a query, when it was performed, which tool was used to run it, text and performance statistics related to the performance of the same. This telemetry, like any other Azure Diagnostic-based telemetry, can be sent to an Azure storage blob, Event Hub or Azure Monitor.

New dedicated blade for System Center

System Center now has its own dedicated blade in Log Analytics. To display the new System Center panel, you need to access the Log Analytics workspace and select “System Center” from the left navigation bar, in the group “Workspace Data Sources”. The new System Center blade lets you view and manage SCOM instances connected to your Log Analytics workspace.

New limits for data ingestion in Log Analytics

Azure Monitor is a large-scale service designed to serve thousands of customers who send high volumes of data every month at an increasing rate. As with any multi-tenancy platform, Microsoft has realized that limits must be placed to protect customers from sudden spikes in ingestion that can affect customers who share the environment and resources. Until now, there was only one import volume speed limit for Azure resource data from Diagnostic Settings. Now you've added the limit to other Log Analytics data sources, including: Diagnostic Settings, agents and data collection APIs. The limit is applied to compressed data approximated 6 GB / Min, where this limit may vary depending on the types of data and its compression ratio. This limit for import volume speed in Log Analytics can be increased by opening a support request.

Log Analytics REST APIs: released a new version

The new version (2020-08-01) of the Log Analytics REST API for the resource provider OperationalInsights was released. This version supports new features such as customer-managed keys(CMK), Bring Your Own Storage (BYOS) and consolidates the functionality of all previous versions.

Govern

Azure Policy

Azure Policy Compliance Scan Action for Workflows GitHub (preview)

In preview, the following were released Azure Policy Compliance Scan Action for Workflows GitHub. The new GitHub actions will make it easier to activate compliance analysis than the subscription-based Azure Policy, resource groups or other resources and will automate the next steps in the GitHub workflow based on resource compliance status.

Protect

Azure Backup

Selective disk backup for virtual machines in Azure (preview)

Azure Backup introduced the ability to selectively back up virtual machine disks. This feature primarily introduces the following benefits:

Cost Optimization
Faster backup and restore operations

Configuring Azure file shares

Azure Backup has simplified the backup configuration experience for Azure file shares, providing the ability to enable backup directly from the file share management panel.

Configuring Azure file shares backup now consists of only the following two steps:

Creating or choosing the recovery services vault
Create or choose the backup policy

Improvements in virtual machine protection

Azure Backup introduces the following improvements in the protection of VMs:

Introduces the ability to restore unmanaged disks of a VM by turning them into managed disks during the restore phase.
Supports the backup and restore of Virtual Machine Scale Sets in the orchestration mode described in this document.
Allows disk replacement as an option for VMs that have assigned Managed Service Identities (MSI).

Encryption of backups using customer managed keys (preview)

Azure Backup introduces the possibility, when you back up Azure Virtual Machines, to encrypt data using proprietary and managed keys. Azure Backup allows you to use RSA keys stored in Azure Key Vaults to encrypt backups. The data will then be protected using a data encryption key (DEK) AES-based 256, which in turn is protected using keys stored in Key Vaults. This gives you full control over the data protection and keys that are used for encryption.

SAP HANA backup for Red Hat Enterprise Linux VM

Azure Backup has released the ability to protect SAP HANA databases on Red Hat Enterprise Linux virtual machines (RHEL). This feature allows to have in an integrated way and without having to provide a specific backup infrastructure, the protection of SAP HANA databases on RHEL, one of the most commonly used operating systems in these scenarios.

Azure Site Recovery

New Update Rollup

For Azure Site Recovery was released theUpdate Rollup 49 that solves several issues and introduces some improvements. The details and the procedure to follow for the installation can be found in the specific KB.

Migrate

Azure Migrate

Assessment of physical servers and servers in AWS and GCP

Azure Migrate introduces support for assessment of physical servers and systems residing in Amazon Web Services (AWS), Google Cloud Platform (GCP) or at any cloud. Thanks to this evolution in the solution it is possible to evaluate any machine in the cloud or on-premises even when you can not access the hypervisor. The assessment is able to provide the following information:

Analyze suitability in Azure environment
Planning for migration costs
Performance-based scaling
Support for application dependency analysis (agent-based)

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure IaaS and Azure Stack: announcements and updates (August 2020 – Weeks: 33 and 34)

Azure

Compute

New GPU NCas T4 v3 VMs (preview)

The NCas T4 v3 Series virtual machine is a new addition to the Azure GPU family specifically designed for the AI and machine learning workloads. The VMs feature 4 NVIDIA T4 GPUs with 16 GB of memory each, up to 64 non-multithreaded AMD EPYC 7V12(Rome) processor cores, and 448 GiB of system memory. These virtual machines are ideal to run ML and AI workloads utilizing Cuda, TensorFlow, Pytorch, Caffe, and other Frameworks or graphics workloads using NVIDIA GRID technology.

Azure Virtual Machines DCsv2-series in West US 2

Confidential computing DCsv2-series virtual machines (VMs) are now available in two availability zones in West US 2.

Storage

Azure Blob storage: Network File System 3.0 protocol support region expansion (preview)

Azure Blob storage is the only storage platform that supports NFS 3.0 protocol over object storage natively (no gateway or data copying required), with crucial object storage economics. NFS 3.0 support to block blob storage accounts with premium performance public preview regions now include: US East, US Central, US West Central, Australia Southeast, North Europe, UK West, Korea Central, Korea South, and Canada Central.

Azure Blob storage: Soft Delete for Containers (preview)

Soft delete for containers expands upon Azure Blob Storage’s existing capabilities such as soft delete for blobs, account delete locking, and immutable blobs, making our data protection and restore capabilities even better. When container soft delete is enabled for a storage account, any deleted container and their contents are retained in Azure Storage for the period that you specify. During the retention period, you can restore previously deleted containers and any blobs within them. Container soft delete is available in preview in the following regions: France Central, Canada East, and Canada Central. There is no additional charge to enable container soft delete. Data in soft deleted containers is billed at the same rate as active data.

Azure Ultra Disk: generally available in more regions and Availability Zones

Azure Ultra Disks offer high throughput, high IOPS, and consistent low latency disk storage for Azure Virtual Machines (VMs). It is now available in Australia East, East Asia, Brazil South, and Canada Central. Moreover, Azure Ultra Disk support is now expanded to the 3 Availability Zones in US East 2 and Japan East.

Azure Data Box Disk is now available in South Africa and China

Data Box Disk is an SSD-disk-based option for offline data transfer to Azure. It’s ideal for a recurring or one-time data migration of up to 40 TB to Azure and is especially well-suited for data migration from multiple remote or branch offices. Azure Data Box Disk is now Generally Available in South Africa and China. This is in addition to the regions where Data Box Disk is now generally available.

Cloud Governance: how to control cloud costs through budgets

In the public cloud, the simplicity of delegation and the consumer-related cost model exposes companies to a risk of loss of control over them. Always having a supervision on the expenses to be incurred for the resources created in the cloud environment therefore becomes an aspect of fundamental importance to implement an effective governance process. The solutionAzure Cost Management provides a comprehensive set of cloud cost management features, including the ability to set up budgets and expense alerts. This article describes how to best use budgets to proactively control and manage cloud service costs.

Budgets are spending thresholds that can be set in the solution Azure Cost Management + Billing, capable of generating notifications when they are reached. Cost and resource utilization data are generally available within 20 hours and budgets are evaluated against these costs each 12-14 hours.

The procedure for setting budgets from the Azure portal involves the following steps.

Figure 1 – Add a budget from Cost Management

Figure 2 – Parameters required when creating budgets

During the budget configuration phase, you must first assign the scope. Depending on the type of Azure account, you can select the following scopes:

Azure role-based access control (Azure RBAC)
- Management groups
- Subscription
Enterprise Agreement
- Billing account
- Department
- Enrollment account
Individual agreements
- Billing account
Microsoft Customer Agreement
- Billing account
- Billing profile
- Invoice section
- Customer
AWS scopes
- External account
- External subscription

For more information about the use of scopes, see this Microsoft's document.

To create a budget that aligns with the billing period, you can select a reset period for the month, quarter or year of billing. If, on the other hand, you intend to create a budget aligned to the calendar month, you must select a reset period monthly, quarterly or yearly.

Later, it is possible to set the expiration date from which the budget becomes invalid and its cost evaluation is interrupted.

Based on the fields you choose when you define your budget, a chart is shown to help you set the spending threshold to be used. By default, the suggested budget is based on the higher expected cost that could be incurred in future periods, but the budget amount can be changed to suit your needs.

After you set up your budget, you are prompted to configure your alerts. Budgets require at least one cost threshold (% budget) and an email address to use for notifications.

Figure 3 – Configure alerts and e-mail addresses to use for notifications

For a single budget, you can include up to five thresholds and five email addresses. When a budget threshold is reached, email notifications are normally sent within an hour of the evaluation.

When creating or editing a budget, but only if the scope defined for the same is a subscription or a resource group, you can configure it to invoke an Action Group. TheAction Group allows you to customize notifications to suit your needs and can perform various actions when the budget threshold is reached, including:

Voice call or text message (for enabled countries)
Sending an email
Calling a webhook
Sending data to ITSM
Recalling a Logic App
Sending a push notification on mobile app of Azure
Running a runbook of Azure Automation

Figure 4 – Associating an Action Group when a threshold is reached

After you finish creating a budget, you can view it in the respective section.

Figure 5 – Budget created and its percentage of usage

The visualization of the budget with respect to the expenditure trend is one of the first actions that is generally taken into consideration in the cost analysis phase.

Figure 6 – View budget in cost analysis

When a certain threshold is reached in a budget, in addition to the notifications you set, an alert is also generated in the Azure portal.

Figure 7 – Alert generated when a certain threshold is reached

When the budget thresholds that you create are exceeded, notifications are triggered, but none of the cloud resources are changed and as a result consumption is not interrupted.

Integration with Amazon Web Services (AWS) Cost and Usage report (CUR) you can monitor and control AWS costs in Azure Cost Management and define budgets for AWS resources too.

The Cost of the Solution

You can use Azure Cost Management for free, in all its features, for the Azure environment. As for the management of AWS costs is expected, in the final release, a charge equal to 1% of total spend managed for AWS. For more details on the cost of the solution you can consultthe pricing of Cost Management.

Conclusions

Cost control is a key component to maximize the value of your cloud investment. By using budgets, you can easily activate an effective mechanism to proactively control and manage the costs of cloud services located on both Microsoft Azure and Amazon Web Services (AWS).

Azure IaaS and Azure Stack: announcements and updates (August 2020 – Weeks: 31 and 32)

Azure

Compute

SQL Server FCI on Shared Disks for SQL Server on virtual machines

Azure Shared Disks for SQL Server Failover Cluster Instance (SQL FCI) on Azure IaaS is now in general availability. Azure Shared disks for SQL FCI enables lift and shift migrations for the most commonly used high availability configuration on-premises to Azure IaaS.

Storage

New regions for Azure Blob storage object replication (preview)

Object replication is a new capability for block blobs that lets you replicate your data from your blob container in one storage account to another anywhere in Azure. Microsoft has expanded the preview regions to include East US 2 and Central US.

Azure Blob storage: Network File System 3.0 protocol support (preview)

Network File System (NFS) 3.0 protocol support for Azure Blob storage is now in preview. Azure Blob storage is the only storage platform that supports NFS 3.0 protocol over object storage natively (no gateway or data copying required), with crucial object storage economics. This new level of support helps with large scale read-heavy sequential access workloads where data will be ingested once and minimally modified further including large scale analytic data, backup and archive, NFS apps for seismic and subsurface processing, media rendering, genomic sequencing, and line-of-business applications. NFS 3.0 is available to block blob storage accounts with premium performance in the following regions: US East, US Central, and Canada Central. Support for GPV2 accounts with standard tier performance will be announced soon. During the preview, test data stored in your NFS 3.0-enabled storage accounts will be billed at the same capacity rate (per GB per month) as Azure Blob storage. Pricing for transactions is subject to change and will be determined when generally available.

Azure File Sync agent v10.1

Azure File Sync agent v10.1 is available and it’s now on Microsoft Update and Microsoft Download Center.

Improvements and issues that are fixed:

Azure private endpoint support
- Sync traffic to the Storage Sync Service can now be sent to a private endpoint. This enables tunneling over an ExpressRoute or VPN connection. To learn more, see Configuring Azure File Sync network endpoints.
Files Synced metric will now display progress while a large sync is running, rather than at the end.
Miscellaneous reliability improvements for agent installation, cloud tiering, sync and telemetry.

Installation instructions are documented in KB4522411.

Networking

Upcoming billing changes to Azure Bandwidth

On a rolling basis throughout September 2020, Microsoft will move Bandwidth to a source–destination billing model. Additionally, metering will be divided into inter-region meter IDs. As a result, Bandwidth charges for inter-region data transfers will either remain the same or decrease. First 5 GB of outbound data transfers will remain free of charge and the current data volume tiers will be replaced by one flat price.

Azure Management services: What's new in July 2020

Microsoft continuously announces news about Azure management services and as usual our community releases this monthly summary. The aim is to provide an overview of the main news of the month, in order to stay up to date on these topics and have the necessary references to conduct further exploration.

Monitor

Azure Monitor

Azure Monitor Logs connector

The Azure Monitor Logs connector component has been released and allows you to create automated workflows using hundreds of actions for a variety of services with Azure Logic Apps and Power Automate.

Azure Monitor for SAP Solutions (preview)

Azure Monitor for SAP is a new solution that allows you to natively monitor your SAP environment in Azure. This solution allows you to collect and consolidate telemetry from your Azure infrastructure and SAP databases. This data is used to achieve a correlation between the different components that allows for faster troubleshooting. This feature is currently present in public preview in the following regions: US East, US East 2, US West 2, West Europe.

Azure Monitor Community Repository

The Azure Monitor Community GitHub repository has been made available and provides a collaborative space for community members to share and explore Azure Monitor artifacts as queries [KQL], workbooks and alerts. This repository is public and accepts contributions from any user, for the benefit of the entire Azure Monitor community.

Azure Log Analytics saved searches are moving to Query Explorer

Azure Log Analytics Saved Searches are now available in Query Explorer, which allows you to use and manage different queries. To manage them, access to the section Logs in the Azure Monitor Log Analytics workspace or from Application Insights and select Query explorer from the main menu.

Configure

Azure Automation

Introduced support for Azure Private Link (preview)

Microsoft has introduced support for Azure Private Link, necessary to securely connect virtual networks to Azure Automation through the use of private endpoints. This feature is useful for:

Establish a private connection with Azure Automation, without opening access to the public network.
Ensure that Azure Automation data is accessible only through authorized private networks.
Protect yourself from data extraction by allowing granular access to specific resources.
Protect resources from access from the public network.

Govern

Azure Policy

Azure Policy for Azure Kubernetes Service (AKS) pods (preview)

To improve the security of Azure Kubernetes Service clusters (AKS) you can now protect pods by using Azure Policies. This integration allows you to control pod requests and detect requests that violate policies set. At the moment, you can choose from a list of 16 integrated policies and two initiatives (that match the standards set in the Kubernetes pod security policy) .

Azure Cost Management

Azure Cost Management + Billing updates

During the month of July, news was announced regarding the following areas of Azure Cost Management and Billing:

Secure

Azure Security Center

Advanced threat protection for Azure Storage

Advanced threat protection preview for Azure Storage supports Azure Files and Azure Data Lake Storage Gen2 API, helping customers protect data stored in file shares and data stores designed for corporate big data analytics. This protection provides an additional layer of security information by providing alerts when unusual and potentially malicious attempts to access or exploit storage accounts are detected. These security alerts are integrated with the Security Center and are also emailed to subscription administrators, with details about suspicious activity and advice on how to investigate and resolve threats.

Protect

Azure Site Recovery

New Update Rollup

For Azure Site Recovery was released theUpdate Rollup 48 that solves several issues and introduces some improvements. The details and the procedure to follow for the installation can be found in the specific KB.

Support for replication via Private Link

Azure Site Recovery introduced support for private links, These can be used to replicate Azure virtual machines, VMware and Hyper-V systems and physical machines. Using Private Links provides secure connectivity to Azure Site Recovery service URLs. A private endpoint on the network will be required for access to the recovery services vault and a second endpoint for data replication to the cache storage account. This feature will be available in almost all public regions by August 2020.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure Security Center: Azure Storage protection

Azure Security Center, the cloud solution that allows you to prevent, detect and respond to security threats affecting hybrid architectures, it also provides enhanced protection for storage resources in Azure. The solution detects unusual and potentially harmful attempts to access or use Azure Storage. This article describes how to effectively protect storage in Azure with this solution, looking at the news recently announced in this area.

Azure Security Center (ASC) is possible to activate it in two different tiers:

Free tier. In this tier ASC is totally free and performs a continuous assessment, providing recommendations relating to the security of the Azure environment.
Standard tier. Compared to tier free adds enhanced threat detection, using behavioral analysis and machine learning to identify zero-day attacks and exploits. Through machine learning techniques and through the creation of whitelist is possible to control the execution of applications to reduce exposure to network attacks and malware. Furthermore, the standard level adds the ability to perform in an integrated manner a Vulnerability Assessment for virtual machines in Azure. Azure Security Center Standard supports several resources including: VMs, Virtual machine scale sets, App Service, SQL servers, and Storage accounts.

Advanced Threat Protection (ATP) for Azure Storage, it is one of several features in Azure Security Center Standard.

Figure 1 – Comparison of the features of the different tiers of ASC

Enabling the Security Center Standard tier is strongly recommended to improve security postures in your Azure environment.

The Advanced Threat Protection feature (ATP) for Azure Storage was announced last year, allowing you to detect common threats such as malware, access from suspicious sources (including TOR nodes), data exfiltration activities and more, but all limited to blob containers. Support for Azure Files and Azure Data Lake Storage Gen2 has also been included recently. This also helps customers protect data stored in file shares and data stores designed for the analysis of corporate big data.

Enabling this feature from the Azure portal is very simple and can be done at the Security Center-protected subscription level or selectively on individual storage accounts.

To enable this protection on all storage accounts in your subscription, you must go to the "Pricing & Settings” of Security Center and activate the protection of Storage Accounts.

Figure 2 – ATP activation for Azure Storage at the subscription level

If you prefer to enable it only on certain storage accounts, you need to activate it in the respective settings of Advanced security.

Figure 3 – ATP activation on the single storage account

When anomaly occurs on a storage account, security alerts are sent by email to Azure subscription administrators, with details of detected suspicious activity and related recommendations on how to investigate and resolve threats.

Details included in the event notification include::

The nature of the anomaly
The name of the storage account
The time of the event
The type of storage
Potential causes
The recommended steps to investigate what has been found
The actions to be taken to remedy what happened

Figure 4 – Example of a security alert sent in the face of a detection of a threat

In this example, the EICAR test file was used to validate that the solution was working correctly.. This is a file developed by the’European Institute for Computer Anti-Virus Research (EICAR) which is used to securely validate security solutions.

Security alerts can be viewed and managed directly from Azure Security Center, where details and actions to investigate current threats and address future threats are displayed..

Figure 5 – Example of a security alert in the ASC Security alerts tile

To get the full list of possible alerts generated by unusual and potentially malicious attempts to log in or use storage accounts, you can access the Threat protection for data services in Azure Security Center.

This protection is very useful even if you have architecture that uses the service Azure File Sync (AFS), which allows you to centralize the network folders of your infrastructure in Azure Files.

Conclusions

Business companies are increasingly moving their data to the cloud, looking for distributed architecture, high performance and cost optimization. All features offered by the public cloud require you to strengthen cybersecurity, particularly given the increasing complexity and sophistication of cyberattacks. By adopting Advanced Threat Protection (ATP) for Azure Storage, you can increase the level of storage security used in your Azure environment easily and effectively.

Azure IaaS and Azure Stack: announcements and updates (July 2020 – Weeks: 29 and 30)

Azure

Storage

Advanced threat protection for Azure Storage

The preview of extending advanced threat protection for Azure Storage is available to support Azure Files and Azure Data Lake Storage Gen2 API, helping customers to protect their data stored in file shares and data stores designed for enterprise big data analytics. With this release, Azure Files customers can benefit from the following capabilities of advanced threat protection for Azure Storage:

World-class algorithms that learn, profile, and detect unusual or suspicious activity in your file shares
Actionable alerts in a centralized view in Azure Security Center with optional email notifications
Integration with Azure Sentinel for efficient threat investigation
Azure-native support for Azure Files with one click enablement from the Azure portal and with no need to modify your application code

Allow or disallow blob public access on Azure Storage accounts

Azure Storage now supports anonymous public read access for containers and blobs. By default, all requests to a container and its blobs must be authorized by using either Azure Active Directory (Azure AD) or shared key authorization. When you configure a container’s public access level setting to permit anonymous access, clients can read data in that container without authorizing the request. Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data, but may also present a security risk. It’s important to enable anonymous access judiciously and to understand how to evaluate anonymous access to your data. If your scenario does not require it, you can disable it for the storage account.

Azure Blob versioning public preview region expansion

Azure Blob Versioning automatically maintains previous versions of an object and identifies them with version IDs. You can list both the current blob and previous versions using version ID timestamps. You can also access and restore previous versions as the most recent version of your data if it was erroneously modified or deleted by an application or other users. Microsoft has expanded the preview regions to include East US 2, Central US, West Europe, and North Europe. You can start previewing this feature on any existing or new General-purpose (GPv2) storage accounts in those regions.

Azure shared disks general availability

With shared disks, Azure Disk Storage is the only shared block storage in the cloud that supports both Windows and Linux-based clustered or high-availability applications. This unique offering allows a single disk to be simultaneously attached and used from multiple virtual machines (VMs), enabling you to run your most demanding enterprise applications in the cloud, such as clustered databases, parallel file systems, persistent containers, and machine learning applications, without compromising on well-known deployment patterns for fast failover and high availability.

Improved availability guarantees with single VM SLA for Standard SSD and Standard HDD

To strengthen the availability guarantee of VMs, Microsoft is extending the single-instance VM SLA to all disk types including Standard SSD and Standard HDD. Previously, it offered an SLA of 99.9 percent for single-instance VMs using Premium SSD and Ultra Disks. Now it offer an SLA of 99.5 percent for single-instance VMs using Standard SSD and an SLA of 95 percent for single-instance VMs using Standard HDD, improving the availability guarantee to cover all single-instance VMs.

Azure Disk Storage with Azure Private Link integration is in preview

For enhanced security, you can now restrict access to your data by only allowing import and export from your private Azure virtual network by leveraging the integration with Azure Private Link.

Performance tiers for Azure Disk Storage are in limited preview

Azure Disk Storage now enables you to set performance tiers (in limited preview) of your Premium SSD for a specific duration of time without increasing the capacity of the disk. Performance tiers provide the flexibility to achieve higher performance while controlling costs. This helps to sustain high-performance demands. Your provisioned disk is first set to a baseline performance tier based on its size. When your application has higher performance demands, choose a higher performance tier, then return your provisioned disk to the baseline performance tier when the high-demand period is over.

Networking

Azure Virtual WAN: install network virtual appliances directly into an hub

Several new capabilities for Azure Virtual WAN are now in preview, including the option to install network virtual appliances directly into a virtual WAN hub as an option for SD-WAN connectivity. Microsoft is currently partnering with Barracuda, to be followed by other third-party network virtual appliance partners, to provide this service. This allows you to leverage your vendor’s proprietary path selection and policy management capabilities with Azure infrastructure and virtual WAN routing capabilities.

Azure Application Gateway: URL rewrite and wildcard listener in preview

URL rewrite and wildcard host names in listener for Azure Application Gateway are now available in preview.

Use the URL rewrite capability in Application Gateway to:

Rewrite the host name, path, and query string of the request URL.
Choose to rewrite the URLs of all requests on a listener or only those requests thta match one or more of the conditions you set. These conditions are based on the request and response properties.
Choose to route the request (select the backend pool) based on either the original URL or the rewritten URL.

Use wildcard host names in listener to:

Use wildcard characters like asterisk (*) and question mark (?) in the host name, which can accept any incoming request with the host header matching the pattern.
Configure up to five host names per multisite listener using the new hostnames field.

Azure Stack

New Azure Stack HCI Preview

Microsoft just announced the new Azure Stack HCI, delivered as an Azure hybrid service, at Microsoft Inspire 2020. Azure Stack HCI Preview is a hyperconverged infrastructure host from Microsoft, now delivered as an Azure hybrid service. Run Windows and Linux virtual machines on-premises on a host platform that’s IT friendly and managed by you with existing tools, processes, and skillsets. Easily extend your infrastructure with up-to-date Azure hybrid services for monitoring at scale.

Azure IaaS and Azure Stack: announcements and updates (July 2020 – Weeks: 27 and 28)

Azure

Compute

Virtual machine scale sets: Automatic image upgrades for custom images

Automatically deploy new versions of custom images to scale set virtual machines using the new capabilities of virtual machine scale sets. Automatic OS image upgrade monitors your image gallery and automatically begins scale set upgrades when a new image version is deployed, facilitating faster image deployment without additional overhead. Enabling automatic OS image upgrades will safely upgrade the OS disk for all virtual machines in the scale set, helping to ease update management.

Distributed network name for SQL Server on Virtual Machines

Support for distributed network name (DNN) for SQL Server failover cluster instance (SQL FCI) on Azure IaaS with SQL Server 2019 CU2 and higher is now available. Connectivity configuration with DNN increases the availability and robustness of SQL FCI. By using DNN, you don’t need an Azure Load Balancer, and can simply use the same method you’ve been using on-premises for automated failover.

Storage

Azure Data Lake Storage

The following news have been announced for Azure Data Lake Storage:

Immutable storage for Azure Data Lake Storage is available in preview. Immutable storage provides the capability to store data in a write once, read many (WORM) state. Once data is written, the data becomes non-erasable and non-modifiable, and you can set a retention period so that files can’t be deleted until after that period has elapsed. Additionally, legal holds can be placed on data to make that data non-erasable and non-modifiable until the hold is removed.
The archive tier for Azure Data Lake Storage is generally available. The archive tier provides an ultra-low cost tier for long term retention of data while keeping your data available for future analytics needs. Tier your data seamlessly among hot, cool, and archive so all your data stays in one storage account. Lifecycle management policies can be set so files are moved automatically to the archive tier when data access becomes rare. When needed, data in the archive tier can be quickly and easily rehydrated so that the data is available for your analytics workloads.
File snapshots for Azure Data Lake Storage are available in preview. Use file snapshots to take an unlimited number of point-in-time snapshots of your files. These snapshots can be used to revert a file back to that snapshot in the case of accidental or inadvertent updates. Snapshots can also be retained so you can reference the content of a file at that point in time.
Static website for Azure Data Lake Storage is in preview. Use static website to directly host static content from Azure Data Lake Storage, and view that site content from a browser by using the public URL of that website.

Azure Storage 200 TB block blob size in preview

Azure Blob storage provides massively scalable object storage for workloads including application data, HPC, backup, and high-scale workloads. Microsoft has increased the maximum size of a single blob from 5 TB to 200 TB, now available in preview.
The increase in blob size better supports use cases from seismic data processing to genomics that require support for multiple TB object sizes.

Azure Shared Disks for SQL Server failover cluster instance on Azure IaaS (preview)

Preview support is now available for Azure Shared Disks for SQL Server failover cluster instance (SQL FCI) on Azure IaaS with SQL Server 2019 on Windows Server 2019 and higher. Azure Shared Disks for SQL FCI enables lift and shift migrations for the most commonly used HA configuration on-premises to Azure IaaS.

Networking

New Azure Firewall features

The following several new Azure Firewall features have been announced by Microsoft that allow your organization to improve security, have more customization, and manage rules more easily. These new capabilities were added based on customer top feedback:

Custom DNS support now in preview.
DNS Proxy support now in preview.
FQDN filtering in network rules now in preview.
IP Groups now generally available.
AKS FQDN tag now generally available.
Azure Firewall is now HIPAA compliant.

Azure Firewall Manager

Azure Firewall Manager is now generally available and includes Azure Firewall Policy, Azure Firewall in a Virtual WAN Hub (Secure Virtual Hub), and Hub Virtual Network. Microsoft is introducing several new capabilities to Firewall Manager and Firewall Policy to align with the standalone Azure Firewall configuration capabilities:

Threat intelligence-based filtering allow list in Firewall Policy is now generally available.
Multiple public IP addresses support for Azure Firewall in Secure Virtual Hub is now generally available.
Forced tunneling support for Hub Virtual Network is now generally available.
Configuring secure virtual hubs with Azure Firewall for east-west traffic (private) and a third-party security as a service (SECaaS) partner of your choice for north-south traffic (internet bound).
Integration of third-party SECaaS partners are now generally available in all Azure public cloud regions.
Zscaler integration will be generally available on July 3, 2020. Check Point is a supported SECaaS partner and will be in preview on July 3, 2020. iboss integration will be generally available on July 31, 2020.
Support for domain name system (DNS) proxy, custom DNS, and fully-qualified domain name (FQDN) filtering in network rules using Firewall Policy are now in preview.

Private endpoints for Azure File Sync

Starting with Azure File Sync agent 10.1, Azure File Sync supports private endpoints in all public and Azure US Government cloud regions where Azure File Sync is available. Private endpoints enable you to assign your Storage Sync Service private IP addresses from within the address space of your virtual network. This allows you to:

Securely connect to your Azure resources from on-premises networks using a VPN or ExpressRoute connection with private-peering.
Secure your Azure resources by disabling the public endpoints for Azure Files and File Sync.
Increase security for your Azure virtual networks by blocking exfiltration of data from your network boundaries.

Azure Virtual WAN: new capabilities

Several key Azure Virtual WAN capabilities are now generally available:

Hub to Hub connectivity providing fully meshed virtual hubs.
Custom Routing adding advanced routing enhancements: custom route tables and optimization of virtual network routing.
Virtual Network Transit with 50 Gbps transit speeds between Virtual Networks (Vnets) connected with Virtual WAN.
VPN and ExpressRoute Transit for seamless interconnectivity between VPN/SD-WAN and ExpressRoute connected sites and users.
New VPN Capabilities supporting custom BGP IP (also known as APIPA or Automatic Private IP Addressing) for VPN Site connections.
New Virtual WAN Partners VMware SD-WAN by Velocloud and Cisco Meraki now supporting automation of IPsec connectivity between their branch VPN/SD-WAN devices and Azure Virtual WAN VPN service.

Azure Load Balancer support for IP-based backend pool management (preview)

Azure Load Balancer now supports load balancing across IP addresses in the backend pool. Previously, you could only add network interfaces associated virtual machines in the backend of a Load Balancer. With this release, you can load balance to resources in Azure via your private IPv4 or IPv6 addresses using Standard Load Balancer.