Category Archives: Microsoft Azure

Azure IaaS and Azure Stack: announcements and updates (June 2020 – Weeks: 23 and 24)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officially announced by Microsoft in the last two weeks.

Azure

Compute

New Azure Virtual Machines with high-performance local SSD are generally available

The new Ddv4-series and Edv4-series Azure Virtual Machines provide up to 64 vCPUs and are based on the Intel® Xeon® Platinum 8272CL processor. This custom processor runs at a base speed of 2.5 GHz and can achieve an all-core turbo frequency of up to 3.4 GHz. The Ddv4-series and Ddsv4-series virtual machine (VM) sizes are well suited for applications that benefit from low-latency, high-speed local storage (up to 2,400 GiB). The Edv4-series and Edsv4-series VM sizes are ideal for memory-intensive enterprise applications and feature up to 504 GiB of RAM, in addition to high-performance local SSD storage (up to 2,400 GiB).

Azure Dedicated Hosts now support additional Azure Virtual Machines

Deploy M-series, NVv3-series and NVv4-series Azure Virtual Machines on Azure Dedicated Hosts. This expands the range of workloads you can run on Dedicated Hosts to include memory-intensive and graphics-intensive applications.

Storage

Azure File Sync agent v10.1

The Azure File Sync agent v10.1 update is being flighted to servers which are configured to automatically update when a new version becomes available.

Improvements and issues that are fixed:

  • Azure private endpoint support
  • Files Synced metric will now display progress while a large sync is running, rather than at the end.
  • Miscellaneous reliability improvements for agent installation, cloud tiering, sync and telemetry.

To obtain and install this update, configure your Azure File Sync agent to automatically update when a new version becomes available or manually download the update from the Microsoft Update Catalog.

More information about this update rollup:

  • This update is available for Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019 installations that have Azure File Sync agent version 4.0.1.0 or later installed.
  • The agent version of this update rollup is 10.1.0.0.
  • A restart may be required if files are in use during the update rollup installation.
  • Installation instructions are documented in KB4522411.

Networking

Azure App Service regional virtual network integration for Linux apps is available

The regional virtual network integration feature of Azure App Service, which enables access to resources in your virtual network across service endpoints or ExpressRoute connections, is now available in public regions.

Azure IaaS and Azure Stack: announcements and updates (May 2020 – Weeks: 21 and 22)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officially announced by Microsoft in the last two weeks.

Azure

Compute

Azure DevTest Labs updates

New updates are available in Azure DevTest Labs:

  • Azure DevTest Labs is now available in the Switzerland North and Switzerland West regions. The support includes full Azure DevTest Labs capabilities.
  • Azure DevTest Labs environments are now available in Azure Government.

Storage

Object replication public preview for Azure Blob storage

Object replication is a new capability for block blobs that lets you replicate your data from your blob container in one storage account to another anywhere in Azure. Object replication unblocks a new set of common replication scenarios:

  • Minimize latency – have your users consume the data locally rather than issuing cross-region read requests.
  • Increase efficiency – have your compute clusters process the same set of objects locally in different regions.
  • Optimize data distribution – have your data consolidated in a single location for processing/analytics and then distribute only resulting dashboards to your offices worldwide.
  • Minimize cost – tier down your data to Archive upon replication completion using lifecycle management policies to minimize the cost.

Azure File Sync: new version

Improvements and issues that are fixed:

  • Storage Sync Agent (FileSyncSvc) crashes frequently after installing the Azure File Sync v10 agent.

More information about this release:

  • This update is available for Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019 installations that have Azure File Sync agent version 4.0.1.0 or later installed.
  • The agent version of this update rollup is 10.0.2.0.
  • A restart is required for servers that have an existing Azure File Sync agent installation.
  • Installation instructions are documented in KB4522412.

Azure Ultra Disk Storage available in more regions

Azure Ultra Disk Storage offers high throughput, high IOPS, and consistent low-latency disk storage for Azure Virtual Machines (VMs). Azure Ultra Disk Storage is now available in Central US, West US, South Central US, US Gov Virginia, France Central, and Japan East.

Azure server-side encryption with customer-managed keys available for Azure Ultra Disks

Azure Ultra Disk customers already benefit from server-side encryption (SSE) with platform-managed keys, which is enabled by default for Azure Managed Disks. SSE with customer-managed keys (CMK) improves on platform-managed keys by giving you control of the encryption keys to meet your compliance needs. SSE with CMK is integrated with Azure Key Vault, which provides highly available and scalable secure storage for your keys backed by hardware security modules (HSMs). You can either bring your own keys (BYOK) to your key vault or generate new keys in the Key Vault.

Networking

Azure Firewall updates

New key features are now available in Azure Firewall:

  • Forced tunneling: configure a default route (0.0.0.0/0) on the AzureFirewallSubnet, or publish a default route to the firewall over BGP, to send all traffic to an on-premises network or a nearby NVA.
  • SQL FQDN filtering: filter outbound SQL traffic using application rules. Support is for SQL proxy mode only. Redirect mode support is tentatively planned for later in 2020.
  • The limit on public IP addresses has been raised from 100 to 250 for both DNAT and SNAT.

These features are included in the Azure Firewall standard SKU, so there is no change in the price.
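As an added example (not code from the original post), the user-defined-route variant of forced tunneling described above, written with the Az PowerShell module. Resource names and the next-hop address (10.200.0.4) are hypothetical, and it assumes the firewall was already deployed with forced tunneling enabled, that is, with its own AzureFirewallManagementSubnet, since otherwise a 0.0.0.0/0 route on the AzureFirewallSubnet also blackholes the firewall's management traffic.

```powershell
# Added example, not from the original post. Hypothetical names/addresses:
# resource group "rg-hub", VNet "vnet-hub", on-premises next hop 10.200.0.4.
$rg       = "rg-hub"
$vnetName = "vnet-hub"
$nextHop  = "10.200.0.4"

$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName

# Route table whose only job is to send the firewall's egress (0.0.0.0/0)
# to the on-premises hop instead of straight to the internet.
$rt = New-AzRouteTable -Name "rt-azfw-forced-tunnel" -ResourceGroupName $rg -Location $vnet.Location
Add-AzRouteConfig -RouteTable $rt -Name "default-to-onprem" -AddressPrefix "0.0.0.0/0" `
    -NextHopType VirtualAppliance -NextHopIpAddress $nextHop | Out-Null
$rt = Set-AzRouteTable -RouteTable $rt

# Attach it to the AzureFirewallSubnet (this subnet name is fixed by Azure).
$fwSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "AzureFirewallSubnet"
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "AzureFirewallSubnet" `
    -AddressPrefix $fwSubnet.AddressPrefix -RouteTable $rt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Check: the route table should carry exactly the 0.0.0.0/0 -> VirtualAppliance entry.
(Get-AzRouteTable -ResourceGroupName $rg -Name "rt-azfw-forced-tunnel").Routes |
    Select-Object Name, AddressPrefix, NextHopType, NextHopIpAddress
```

After the change, confirm from a spoke VM that outbound traffic still reaches the firewall and that the on-premises edge logs the forwarded flows; if the firewall's provisioning state is not Succeeded, the management subnet requirement above is the first thing to verify.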

Network service tiers with new Routing Preference option in preview

Using the new “Routing Preference” option in Azure, customers can choose how their traffic is routed between Azure and the internet. Prior to making “routing preferences” customer selectable, Azure exclusively kept and optimized customer traffic over Azure’s global network. The introduction of this new competitive egress tier adds a secondary option for solutions that do not require the premium predictability and performance of Microsoft’s global network. Instead it allows customers to further architect their traffic to their needs and allows routing to the public internet as quickly as possible. Customers will have the option to select routing preference while creating a public IP address for an IaaS resource such as a Virtual Machine, Virtual Machine Scale Set or internet-facing Load Balancer, and for their Azure storage account.

Azure Peering Service is generally available

Peering Service is a networking capability that enhances customer connectivity to Microsoft cloud services such as Office 365, Dynamics 365, software as a service (SaaS) services, Azure, or any Microsoft services accessible via the public internet. Microsoft has partnered with internet service providers (ISPs), internet exchange partners (IXPs), and software-defined cloud interconnect (SDCI) providers worldwide to provide reliable and high-performing public connectivity with optimal routing from the customer to the Microsoft network.

Enterprises looking for internet-first access to the cloud, or considering SD-WAN architecture, or with high usage of Microsoft SaaS services need robust and high-performing internet connectivity. Customers can work with their Telco/carrier to take advantage of Peering Service, which is now generally available.

Key customer features include:

  • Best public routing (optimum route hops/AS hops) over the internet to Microsoft cloud services for optimal performance and reliability.
  • Ability to select the preferred service provider to connect to the Microsoft cloud.
  • Traffic insights such as latency reporting and prefix monitoring.
  • Route analytics and statistics: Events for (BGP) route anomalies (leak or hijack detection) and suboptimal routing.

Azure Stack

Azure Stack expands solutions and partner ecosystem

A host of new Azure Stack portfolio partners are accelerating time to value for hybrid customers today:

  • The Aware Group, which builds IoT Edge modules that use AI to detect anomalies and perform noise classification, is now delivering modules and solutions tailored to the industry.
  • Avanade is offering customers a fully managed Azure Stack Hub leveraging HPE’s Edgeline EL8000, a small form factor that does not require external cooling, making it ideal for locations like retail or manufacturing, where a datacenter may not be available on site.
  • CloudAssert is providing an enterprise cloud-based solution streamlining the management and operations of multiple Azure Stack Hub deployments, including resources located on-premises and public clouds, with a single pane of glass.
  • Microsoft is also launching the open-source Fast Healthcare Interoperability Resources (FHIR) server available now for Azure Stack Hub and Azure Stack Edge. Customers can now quickly connect existing data sources such as electronic health record systems or research databases at the edge while addressing compliance and regulatory requirements.
  • Finally, now available on GitHub, manufacturing customers can get started with an AI solution at the edge that combines the power of Azure Stack Hub and Azure Stack Edge with computer vision to modernize a factory floor.

Azure Stack Hub

Azure Stack Hub updates will simplify fleet and resource management and enable graphic-heavy scenarios

New Azure Stack Hub updates will simplify fleet and resource management, and enable accelerated machine learning scenarios, virtual desktop infrastructure and other graphics-heavy scenarios with GPUs:

  • Azure Stack Hub Fleet Management (private preview): Azure Stack Hub fleet management gives customers a single view and management method from Azure for all their Azure Stack Hub deployments.
  • ManageIQ (CloudForms) (public preview): ManageIQ, formerly known as CloudForms, now allows cloud operators to manage their resources on Azure Stack Hub and use Red Hat technical tooling to manage the Azure Stack Hub. ManageIQ is a supported platform from IBM and Red Hat.
  • AKS Resource Provider on Azure Stack (private preview): The Azure Kubernetes Service (AKS) Resource Provider (RP) on Azure Stack Hub is a fully managed service for easily managing containerized applications, letting customers automatically create and manage Kubernetes clusters on Azure Stack Hub.
  • GPU Partitioning using AMD GPUs (private preview): Graphics processing unit (GPU) partitioning for visualization using AMD GPUs on Azure Stack Hub is now available, enabling virtual desktop infrastructure (VDI) and other graphics-heavy scenarios on Azure Stack Hub.

Support for Windows containers Azure Container Networking Interface on Azure Stack Hub coming soon

Windows containers and Azure Container Networking Interface in Azure Kubernetes Service (AKS) engine deployed Kubernetes clusters will soon be in private preview.

The Azure Container Networking Interface plug-in lets you deploy and manage your own Kubernetes clusters with native Azure networking capability by default. This release, which will come as an update to the Azure Kubernetes Service engine, expands the capabilities of Kubernetes clusters on Azure Stack Hub.

Azure Stack Hub supports cross-platform compatibility on PowerShell

Azure Stack Hub now supports cross-platform compatibility on PowerShell and ensures hybrid consistency with Azure. Azure Stack Hub will utilize Az modules with new resource providers from Azure IoT Hub, Azure Stack Edge, and Event Hubs. This enables full cross-compatibility between Azure and Azure Stack Hub using PowerShell and PowerShell Core, so you can install PowerShell and connect to Azure Stack Hub on macOS. This is available through the Az PowerShell installer.

Azure Management services: What's new in May 2020

To stay constantly updated on news regarding Azure management services, our community releases this monthly summary, giving you an overview of the main new features of the month. In this article you will find the news, presented in summary form and accompanied by the references needed to explore each topic further.

The following diagram shows the different areas related to management, which are covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.

Figure 1 – Management services in Azure overview

Monitor

Azure Monitor

New version of the agent for Linux systems

A new version of the Log Analytics agent has been released this month for Linux systems. The main innovations introduced are:

  • Stability and reliability improvements.
  • Improved support for Azure Arc for Server.
  • FIPS Compliance.
  • RHEL 8 support.

SHA-2 signing for the Log Analytics agent

The Log Analytics agent for Windows will start enforcing SHA-2 signing from 17 August 2020, postponing the date previously set to 18 May 2020. This change requires action if you are running the agent on a legacy version of the operating system (Windows 7, Windows Server 2008 R2, or Windows Server 2008). Customers in this condition should apply the latest updates and patches on these operating systems before 17 August 2020, otherwise their agents will stop sending data to Log Analytics workspaces. The following Azure services will be affected by this change: Azure Monitor, Azure Automation, Azure Update Management, Azure Change Tracking, Azure Security Center, Azure Sentinel, Windows Defender ATP.

Feature extensions of Azure Monitor

The following enhancements have been made in Azure Monitor that expand its functionality and make it an increasingly complete solution:

  • Azure Monitor availability for Azure Storage and Azure Monitor for Azure Cosmos DB.
  • Azure Monitor preview for Azure Key Vault and Azure Monitor for Redis Cache.
  • Preview of Azure Monitor Application Insights in Azure Monitor Logs workspaces.
  • Capacity reservation and CMK encryption with Azure Monitor Logs clusters dedicated to large-scale deployments.

Azure Private Link Availability for Azure Monitor

The Azure Private Link feature is now also available for Azure Monitor and provides the following capabilities:

  • Private connectivity to Azure Monitor Logs workspaces and to Azure Application Insights.
  • Data exfiltration protection with granular access to specific resources.
  • Protecting resources from access from the public network.

At the moment you must explicitly request access to these features.

Improve the experience when deleting and restoring Azure Monitor Logs workspaces

Microsoft has added soft-delete workspace functionality to make it easier to recover if necessary. When a workspace is deleted, it goes into a soft-delete state for 14 days, during which it can be restored, including its data and connected agents. This behavior can be overridden to delete the workspace permanently. To avoid deleting workspaces by mistake from the Azure portal, a specific section has been added where you can see how many solutions are installed and the daily data volume received in the last 7 days by data type.
Restoring the workspace can now be done directly from the Azure portal.

Azure Advisor recommendation digests

Azure Advisor introduces the ability to receive a periodic summary of the available best practice recommendations developed by the solution. Advisor Digest Recommendations keep you up-to-date on Azure optimization opportunities outside the Azure portal. Notifications are customizable and handled through Azure Monitor Action Group.

Azure Service Health also includes emerging issues

Azure Service Health now also reports emerging issues in the Azure portal. An emerging issue is a situation in which Azure is aware of a widespread outage but may not yet be fully aware of its extent and impact. Previously, emerging issues were only available on the Azure Status page.

Configure

Azure Automation

TLS 1.2 Enforcement

Starting from September 1st 2020, Azure Automation will require Transport Layer Security (TLS) version 1.2 or later for all external HTTPS endpoints.

Secure

Azure Security Center

Changes to the just-in-time service (JIT) virtual machine (VM) Access

The following changes have been made to just-in-time (JIT) virtual machine (VM) access:

  • The recommendation advising to enable JIT on a VM has been renamed from “Just-in-time network access control should be applied on virtual machines” to “Management ports of virtual machines should be protected with just-in-time network access control”.
  • The recommendation is now triggered only if open management ports are detected.

Custom recommendations placed in a separate panel

All the custom recommendations created for your subscriptions are now positioned in the dedicated section “Custom recommendations”.

Account security recommendations moved to the section “Security best practices”

The following recommendations have been moved to the section “Security best practices” and therefore no longer affect the secure score:

  • MFA should be enabled on accounts with read permissions on your subscription (originally in the “Enable MFA” control)
  • External accounts with read permissions should be removed from your subscription (originally in the “Manage access and permissions” control)
  • A maximum of 3 owners should be designated for your subscription (originally in the “Manage access and permissions” control)

Microsoft has decided to apply this change as it has determined that the risk of these three recommendations is lower than initially thought.

Protect

Azure Backup

SAP HANA backup for Red Hat Enterprise Linux VM

Azure Backup now supports protecting SAP HANA databases on Red Hat Enterprise Linux (RHEL) virtual machines. This feature provides integrated protection of SAP HANA databases on RHEL, one of the most commonly used operating systems in these scenarios, without having to provision a dedicated backup infrastructure.

Protect against accidental deletion of Azure file shares

To provide greater protection against cyberattacks and accidental deletion, Azure Backup has added an extra layer of security to the Azure file shares snapshot management solution. If you delete a file share, its content and its recovery points (snapshots) are retained for a configurable period of time, enabling full recovery without data loss. When you configure protection for a file share, Azure Backup enables soft-delete functionality at the storage account level with a retention period of 14 days, which is configurable according to your needs. This setting determines the time window in which you can restore the contents and snapshots of your file shares after an accidental deletion. Once the file share is restored, backups resume working without any additional configuration.
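As an added example (not code from the original post), the check a practitioner would run to confirm that the storage account's share soft-delete window is actually in place, tighten it if not, and restore a share that is still inside the window. The resource group, account and share names are hypothetical, and it assumes the Az.Storage cmdlets for file share soft delete are available.

```powershell
# Added example, not from the original post. Hypothetical names:
# resource group "rg-files", storage account "stfiles01", share "finance".
$rg   = "rg-files"
$acct = "stfiles01"

# 1) Inspect the share-level soft-delete policy on the storage account.
$props  = Get-AzStorageFileServiceProperty -ResourceGroupName $rg -StorageAccountName $acct
$policy = $props.ShareDeleteRetentionPolicy
"Soft delete enabled: $($policy.Enabled); retention days: $($policy.Days)"

# 2) Enforce at least the 14-day window Azure Backup applies by default;
#    raise $desiredDays if your recovery objectives need a longer window.
$desiredDays = 14
if (-not $policy.Enabled -or $policy.Days -lt $desiredDays) {
    Update-AzStorageFileServiceProperty -ResourceGroupName $rg -StorageAccountName $acct `
        -EnableShareDeleteRetentionPolicy $true -ShareRetentionDays $desiredDays | Out-Null
    "Soft delete retention set to $desiredDays days"
}

# 3) List soft-deleted shares that are still inside the retention window.
$deleted = Get-AzRmStorageShare -ResourceGroupName $rg -StorageAccountName $acct -IncludeDeleted |
    Where-Object { $_.Deleted }
$deleted | Select-Object Name, DeletedTime, Version, RemainingRetentionDays

# 4) Restore the most recently deleted version of the "finance" share, if present.
$target = $deleted | Where-Object { $_.Name -eq "finance" } |
    Sort-Object DeletedTime -Descending | Select-Object -First 1
if ($target) {
    Restore-AzRmStorageShare -ResourceGroupName $rg -StorageAccountName $acct `
        -Name $target.Name -DeletedShareVersion $target.Version
}
```

Step 3 is the useful routine check: a share listed with a low RemainingRetentionDays value is about to become unrecoverable and should be restored or consciously left to expire.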

Azure Site Recovery

Zone-to-zone disaster recovery available in new regions

Zone-to-Zone DR is now also available in the Southeast Asia and UK South regions. With this Azure Site Recovery feature, called zone-to-zone DR, you can create disaster recovery (DR) plans for virtual machines (VMs), replicating them between different Azure Availability Zones. If a single Azure Availability Zone is compromised, you will be able to fail over virtual machines to a different zone within the same region and access them from the secondary Availability Zone.

Introduced support for proximity groups

Azure Site Recovery has introduced support for proximity placement groups (PPGs). Thanks to this feature, any virtual machine (VM) hosted within a PPG can be protected using Azure Site Recovery. When enabling replication of that VM, you can specify a PPG in the secondary region as an additional parameter. When a failover is triggered, Site Recovery will place the VM in the user-supplied target PPG.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure IaaS and Azure Stack: announcements and updates (May 2020 – Weeks: 19 and 20)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officially announced by Microsoft in the last two weeks.

Azure

Compute

New Azure VMware Solution in preview

Azure VMware Solution empowers customers to seamlessly extend or migrate their existing on-premises VMware applications to Azure without the cost, effort or risk of re-architecting applications or retooling operations. Preview of the new solution is initially available in US East and West Europe Azure regions. The new Azure VMware Solution is expected to be generally available in the second half of 2020 and at that time, availability will be extended across more regions.

The new Azure VMware Solution is:

  • First Party Microsoft Azure service, endorsed by VMware. The new release of Azure VMware Solution is built on Microsoft Azure without the use of a third-party technology. The solution is also cloud verified by VMware and leverages components of the VMware Cloud Foundation framework including vSphere, vCenter, NSX-T, vSAN and HCX.
  • Seamlessly integrated Azure experience. In the new solution Microsoft has rearchitected the Software Defined Datacenter (SDDC) layer that underpins the Private Cloud, ensuring a truly seamless Azure experience for customers.
  • VMware HCX Enterprise now available. The new Azure VMware Solution includes HCX Enterprise edition as an option. With additional features from HCX Enterprise, customers can further simplify their migration efforts to Azure including support for bulk live migrations.
  • Leverage pricing benefits for Microsoft workloads. Azure VMware Solution supports the Azure Hybrid Benefit, and Azure VMware Solution customers are also eligible for three years of free Extended Security Updates on 2008 versions of Windows Server and SQL Server.

New cloud regions in Italy, New Zealand and Poland

Microsoft announced plans for new cloud datacenter regions in three countries: Italy, New Zealand and Poland. In Italy, Microsoft is building a new datacenter region in Milan, which will provide access to Azure, Microsoft 365/Office 365 and Dynamics 365 and the Power Platform set of tools.

Virtual machine (VM)-level disk bursting

Virtual machine-level disk bursting is a new feature that allows your virtual machine to burst its disk IO and MiB/s throughput performance for a short time daily, to handle unforeseen spiky disk traffic smoothly and process batched jobs with speed. The feature is now enabled on all Azure Lsv2-series virtual machines, with support for more virtual machine types and families to come soon. This feature doesn’t cost anything extra and comes enabled by default.

General availability of Azure Spot Virtual Machines

Azure Spot VMs provide access to unused Azure compute capacity at deep discounts. Spot pricing is available on single VMs in addition to VM scale sets (VMSS). This enables you to deploy a broader variety of workloads on Azure while enjoying access to discounted pricing compared to pay-as-you-go rates. Spot VMs offer the same characteristics as a pay-as-you-go virtual machine, the differences being pricing and evictions. Spot VMs can be evicted at any time if Azure needs capacity.

Storage

Azure Blob versioning public preview

Applications and users create, update, and delete data in Azure Blob storage continuously. A common requirement is the ability to manage and access both current and historical versions of the data. As the next step to enhance data management and protection, the Blob storage versioning preview is available. Azure Blob Versioning automatically maintains previous versions of an object and identifies them with version IDs. You can list both the current blob and previous versions using version ID timestamps. You can also access and restore previous versions as the most recent version of your data if it was erroneously modified or deleted by an application or other users.

Blob Index for Azure Storage in preview

Blob Index is a managed secondary index that allows you to store multi-dimensional object attributes describing your data objects in Azure Blob storage. It is now available in preview. Built on top of blob storage, Blob Index offers consistent reliability, availability, and performance for all your workloads. Blob Index provides native object management and filtering capabilities, which allow you to categorize and find data based on attribute tags set on the data.

General availability of geo-zone-redundant storage (GZRS)

GZRS helps achieve higher data resiliency by:

  • Synchronously writing three replicas of your data across multiple availability zones (like ZRS today) protecting from cluster, datacenter or entire zone failure.
  • Asynchronously replicating the data to another region within the same geo into a single zone (like LRS today) protecting from a regional outage.

When using GZRS, you can continue to read and write the data even if one of the availability zones in the primary region is unavailable. In the event of a regional failure you can also use read-access geo-zone-redundant storage (RA-GZRS) to continue having read access to your data or execute account failover to also restore write accessibility. GZRS provides a great balance of high performance, high availability and disaster recovery and is beneficial when building highly available applications/services in Azure.

Azure File Sync is removing support for TLS 1.0 and 1.1

Azure File Sync service will remove support for TLS 1.0 and 1.1 in August 2020.

Networking

Azure Virtual Network NAT in Azure Government and Azure China

Azure Virtual Network NAT (network address translation) is now generally available in the Azure Government and Azure China regions. NAT simplifies outbound-only internet connectivity for virtual networks and can be configured for one or more subnets of a virtual network.

Azure Firewall Updates

Two new key features in Azure Firewall are generally available:

Additionally, Microsoft is increasing the limit for multiple public IP addresses from 100 to 250 for both DNAT and SNAT.

Rules Engine for Azure Front Door Service is now in preview

Rules Engine on Azure Front Door Service brings your specific routing needs to the forefront of its application delivery experience, giving you more control over how you define and enforce what content gets served from where. Rules Engine empowers you to modify request and response headers, or dynamically override your existing route behavior based on incoming requests.

Private Link is now available on Event Grid

Azure Event Grid now has Private Link integration for custom topics and event domains, generally available in all Azure regions, allowing resources inside your virtual network to communicate directly with your Event Grid topics without traversing the public internet. This enables enterprise workloads to adopt event-driven architectures securely for mission-critical workloads that require network isolation.

Azure Stack

Azure Stack Hub

Azure App Service and Azure Functions on Azure Stack Hub update available

A major update to Azure App Service on Azure Stack Hub is now available. The update build number is 87.0.2.10. All fixes and updates are detailed in the release notes.

This release updates the resource provider and brings new key capabilities and fixes:

  • Updates to App Service Tenant, Admin, Azure Functions portals, and Kudu tools.
  • Updates Azure Functions runtime to v1.0.13021.
  • Updates to core service to improve reliability and error messaging will enable easier diagnosis of common issues.
  • Updates to the application frameworks and tools including .NET Framework, ASP.NET Core, PHP, NodeJS, and NPM.
  • Windows Server updates to underlying operating system of all roles.
  • Cumulative updates for Windows Server are now applied to controller roles as part of deployment and upgrade.
  • Updated default virtual machine and scale set SKUs for new deployments.

Azure IaaS and Azure Stack: announcements and updates (May 2020 – Weeks: 17 and 18)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officially announced by Microsoft in the last two weeks.

Azure

Compute

Maintenance control for platform updates

The maintenance control feature for Azure Virtual Machines platform updates is now generally available for Azure Dedicated Hosts and isolated virtual machines (VMs). This feature gives you more control over platform maintenance when dealing with highly sensitive workloads. Use this feature to control all host updates, including rebootless updates, within a 35-day window. The ability to control the maintenance window is particularly useful when you deploy workloads that are extremely sensitive to interruptions running on an Azure Dedicated Host or an isolated VM where the underlying physical server runs a single customer’s workload. This feature is not supported for VMs deployed in hosts shared with other customers.

New DCsv2-series virtual machines are available

You can develop confidential applications that protect data while it’s being processed in the CPU with new DCsv2-series virtual machines (VMs), powered by Intel SGX. Traditionally, applications are protected while at rest and in transit. Now, you can deliver applications that protect data while in use. This enables a new set of scenarios like multiparty sharing, where it’s possible to combine data from multiple companies to run machine learning models without the companies getting access to each other’s data.

Windows Server containers in AKS now generally available

Windows Server containers in Azure Kubernetes Service (AKS) are now generally available. You can take advantage of this new feature to run Linux and Windows workloads side-by-side in a single cluster using the same tools. Create/upgrade/scale Windows node pools in AKS through the standard tools (portal/CLI) and Azure will help manage the health of the cluster.

Azure Migrate now available in Azure Government

Microsoft’s service for datacenter migration, Azure Migrate, is now available in Azure Government, unlocking the whole range of functionality for government customers. Azure Migrate V2 for Azure Government includes a one-stop shop for discovery, assessment, and migration of large-scale datacenters.

Storage

Enhanced features in Azure Archive Storage

Three new feature enhancements for Azure Block Blob storage and Azure Archive storage are now generally available, making the service faster, simpler, and more capable.

  • Priority retrieval from Azure Archive. High rehydrate-priority fulfills the need for emergency data rehydrate from archive, with retrievals for blobs of a few GB typically taking less than one hour.
  • Upload blob direct to access tier of your choice. The PutBlob or PutBlockList API allows you to upload your blob data directly to any access tier (hot, cool, or archive). This enables customers to write cold data directly to Azure Archive, realizing their cost savings immediately.
  • CopyBlob enhanced capabilities. The CopyBlob API supports the archive access tier, allowing you to copy data into and out of the archive access tier within the same storage account. It also includes support for the other two new features—priority retrieval and direct to access tier of your choice.
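The three features above, put together in one Az PowerShell session. This is an added example and not code from the original post; the resource group "rg-logs", storage account "stlogsarchive", containers "auditlogs" and "investigation" and the file names are assumed names. The scenario is the one a SOC cares about: compressed firewall logs written straight to Archive at ingestion time, and a fast High-priority rehydration when an investigation needs a month of logs back.

```powershell
# Added example (not from the original post). Assumed names: resource group "rg-logs",
# storage account "stlogsarchive", containers "auditlogs" and "investigation".
$ctx = (Get-AzStorageAccount -ResourceGroupName 'rg-logs' -Name 'stlogsarchive').Context
$container = 'auditlogs'

# 1. PutBlob with an access tier: the blob lands in Archive immediately, with no
#    intermediate Hot/Cool copy and no separate tier-change operation to pay for.
Set-AzStorageBlobContent -File '.\fw-2020-04.log.gz' -Container $container `
    -Blob 'fw-2020-04.log.gz' -StandardBlobTier Archive -Context $ctx

# 2. Emergency retrieval: rehydrate in place with High priority. Standard priority may take
#    up to 15 hours; High priority is intended to finish in under an hour for blobs of a few GB.
$blob = Get-AzStorageBlob -Container $container -Blob 'fw-2020-04.log.gz' -Context $ctx
$blob.ICloudBlob.SetStandardBlobTier('Hot', 'High')

# 3. Alternative that leaves the archived original untouched (useful when the archive copy
#    is your evidence): CopyBlob into a new Hot blob in the same account, again with High
#    rehydrate priority.
Start-AzStorageBlobCopy -SrcContainer $container -SrcBlob 'fw-2020-03.log.gz' `
    -DestContainer 'investigation' -DestBlob 'fw-2020-03.log.gz' `
    -StandardBlobTier Hot -RehydratePriority High -Context $ctx

# 4. Rehydration is asynchronous. The blob stays readable-as-Archive (i.e. not readable)
#    until RehydrationStatus clears, so poll before handing the data to analysts.
do {
    Start-Sleep -Seconds 300
    $blob = Get-AzStorageBlob -Container $container -Blob 'fw-2020-04.log.gz' -Context $ctx
    $status = $blob.ICloudBlob.Properties.RehydrationStatus
} while ($null -ne $status)
```

Two caveats worth keeping in mind: a blob in Archive cannot be read or its SAS used until rehydration completes, so incident-response runbooks should budget for that delay even with High priority; and rehydration and early deletion from Archive are billed, so a retention policy that writes everything to Archive and then reads it back often is not the cost saving it looks like.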

Networking

Azure Firewall: support for Windows Virtual Desktop

You can use Azure Firewall to protect Windows Virtual Desktop deployments. In addition, FQDN tags for Windows Virtual Desktop (WVD) are now available, so the service endpoints can be allowed in application rules without maintaining the FQDN list yourself.
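What that looks like in practice, as an added example that is not part of the original post: an application rule collection using the WindowsVirtualDesktop and WindowsUpdate FQDN tags, plus the route that actually sends session-host traffic through the firewall. The firewall "fw-hub" in resource group "rg-hub", the route table "rt-wvd-hosts" and the session-host subnet 10.1.2.0/24 are assumed names.

```powershell
# Added example (not from the original post). Assumed names: firewall "fw-hub" in
# "rg-hub", route table "rt-wvd-hosts", WVD session-host subnet 10.1.2.0/24.
$fw = Get-AzFirewall -Name 'fw-hub' -ResourceGroupName 'rg-hub'
$hostSubnet = '10.1.2.0/24'

# FQDN tags are only valid in *application* rules (HTTP/HTTPS). Azure resolves the tag to
# the current list of service FQDNs, so the rule does not need editing when that list changes.
$wvdRule = New-AzFirewallApplicationRule -Name 'allow-wvd-service' `
    -SourceAddress $hostSubnet -FqdnTag 'WindowsVirtualDesktop'
$wuRule  = New-AzFirewallApplicationRule -Name 'allow-windows-update' `
    -SourceAddress $hostSubnet -FqdnTag 'WindowsUpdate'

# Scope the collection to the session-host subnet only: a tag-based Allow with a
# SourceAddress of * would let every spoke reach these services through the hub.
$coll = New-AzFirewallApplicationRuleCollection -Name 'wvd-session-hosts' -Priority 200 `
    -Rule $wvdRule, $wuRule -ActionType 'Allow'
$fw.AddApplicationRuleCollection($coll)
Set-AzFirewall -AzureFirewall $fw

# Without a default route to the firewall the rule is never consulted; force-tunnel the
# session-host subnet through the firewall's private IP.
$fwIp = $fw.IpConfigurations[0].PrivateIPAddress
$route = New-AzRouteConfig -Name 'default-to-firewall' -AddressPrefix '0.0.0.0/0' `
    -NextHopType 'VirtualAppliance' -NextHopIpAddress $fwIp
New-AzRouteTable -Name 'rt-wvd-hosts' -ResourceGroupName 'rg-hub' `
    -Location $fw.Location -Route $route
# Associate rt-wvd-hosts with the session-host subnet afterwards (Set-AzVirtualNetworkSubnetConfig).
```

Because FQDN tags only cover application rules, anything the session hosts need that is not HTTP/HTTPS (for example KMS activation on TCP 1688, or DNS if you do not use Azure DNS) still needs explicit network rules; check the current Microsoft list of required URLs rather than opening the subnet to the internet to "make it work".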

Azure Private Link for AKS is generally available

Azure Kubernetes Service (AKS) Private Link is generally available. You can use it to isolate your Kubernetes API server within your Azure virtual network, enabling fully private communication with the managed Kubernetes control plane hosted by AKS.

Azure Management services: What's New in April 2020

Starting this month, the series of articles from our community about what's new in Azure management services is relaunched. They will be monthly articles dedicated exclusively to these topics, in order to cover them in greater depth.

Management refers to the tasks and processes required to maintain business applications and the resources that support them. Azure offers many closely related services and tools that together provide a comprehensive management experience. These services are not limited to Azure resources: they can also be used for on-premises environments or other public clouds.

The following diagram shows the different areas related to management, which will be covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.

Figure 1 – Management services in Azure overview

Monitor

Azure Monitor for containers: support for monitoring the use of GPUs on AKS GPU-enabled node pools

Azure Monitor for containers has introduced the ability to monitor GPU usage in Azure Kubernetes Service (AKS) environments whose nodes are equipped with GPUs. NVIDIA and AMD GPUs are currently supported. This monitoring functionality is useful for:

  • Checking the availability of GPUs on the nodes, GPU memory usage and the status of GPU requests by pods.
  • Viewing the collected information through the built-in workbook available in the workbook gallery.
  • Generating alerts on pod status.

Export of alerts and recommendations to other solutions

Azure Security Center introduces an interesting feature that allows you to send the security information generated for your environment to other solutions. This is done through a continuous export mechanism that streams alerts and recommendations to Azure Event Hubs or to Azure Monitor Log Analytics workspaces, which opens up new integration scenarios for Azure Security Center. The functionality is called Continuous Export and is described in detail in this article.

Workflow automation functionality

Azure Security Center now includes workflow automation, i.e. the ability to define workflows that respond to security incidents. Such workflows may include notifications, the start of a change management process or the application of specific remediation steps. The recommendation is to automate as many procedures as possible, since automation improves security by ensuring that the steps are performed quickly, consistently and according to predefined requirements. Workflow automation triggers Logic Apps based on security alerts and recommendations; in addition, manual triggering is available for security alerts and for recommendations that have the quick fix option.

Integration with Windows Admin Center

It is now possible to onboard on-premises Windows Server systems into Azure Security Center directly from Windows Admin Center.

Azure Monitor Application Insights: monitors Java applications codeless

Java applications can now be monitored without code changes, thanks to Azure Monitor Application Insights: the new codeless Java agent is available in preview. Among the libraries and frameworks supported by the new Java agent are:

  • gRPC.
  • Netty/Webflux.
  • JMS.
  • Cassandra.
  • MongoDB.

Retiring the solution for Office 365

The solution “Azure Monitor Office 365 management (Preview)”, which sends Office 365 logs to Azure Monitor Log Analytics, is expected to be retired on 30 July 2020. It has been replaced by the Office 365 solution in Azure Sentinel and by the “Azure AD reporting and monitoring” solution. Together these two solutions offer a better experience both in configuration and in use.

Azure Monitor for Containers: support for Azure Red Hat OpenShift

Azure Monitor for Containers now also supports, in preview, monitoring of Kubernetes clusters hosted on Azure Red Hat OpenShift version 4.x and OpenShift version 4.x.

Azure Monitor Logs: limitations on concurrent queries

To ensure a consistent experience for all users querying Azure Monitor Logs, new concurrency limits will be rolled out gradually. This protects the service from clients that send too many queries simultaneously, which could overload system resources and compromise responsiveness. The limits are designed to kick in only in extreme usage scenarios and should not affect typical use of the solution.

Secure

Azure Security Center

Dynamic compliance packages available

The Azure Security Center regulatory compliance dashboard now includes dynamic compliance packages to track additional industry and regulatory standards. Dynamic compliance packages can be added at subscription or management group level from the Security Center policy page. After a standard or benchmark is added, it is displayed in the regulatory compliance dashboard with all related data. A summary report is also available for download for every standard that has been added.

Identity recommendations included in Azure Security Center tier free

Security recommendations relating to identity and access are now included in the Azure Security Center Free tier. This extends the cloud security posture management (CSPM) capabilities available free of charge. Before this change, these recommendations were only available in the Azure Security Center Standard tier. Here are some examples of identity and access recommendations:

  • “Multifactor authentication should be enabled on accounts with owner permissions on your subscription.”
  • “A maximum of three owners should be designated for your subscription.”
  • “Deprecated accounts should be removed from your subscription.”
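The owner-count and deprecated-account checks above are easy to reproduce outside Security Center, which is useful for subscriptions that are not onboarded yet or for a pipeline gate. The following is an added example, not code from the original post; it assumes you are signed in with Connect-AzAccount and hold at least Reader on the subscriptions being checked. The MFA recommendation is deliberately left out, since it needs Azure AD sign-in data rather than ARM role assignments.

```powershell
# Added example (not from the original post). Assumes an existing Az session with
# Reader on every subscription returned by Get-AzSubscription.
function Get-SubscriptionOwnerReport {
    param([int]$MaxOwners = 3)   # the Security Center recommendation uses three

    foreach ($sub in Get-AzSubscription) {
        Set-AzContext -SubscriptionId $sub.Id | Out-Null
        $scope = "/subscriptions/$($sub.Id)"

        # Get-AzRoleAssignment returns inherited assignments too (management group,
        # root). Only assignments made directly at the subscription scope are counted
        # as "owners of the subscription"; the inherited ones are reported separately.
        $all    = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName 'Owner'
        $direct = $all | Where-Object { $_.Scope -eq $scope }
        $inherited = $all | Where-Object { $_.Scope -ne $scope }

        # An assignment whose principal no longer exists shows ObjectType 'Unknown':
        # that is the "deprecated account" finding, an assignment that outlived its identity.
        $orphaned = $direct | Where-Object { $_.ObjectType -eq 'Unknown' }
        $principals = $direct | Select-Object -ExpandProperty ObjectId -Unique

        [pscustomobject]@{
            Subscription    = $sub.Name
            DirectOwners    = $principals.Count
            TooManyOwners   = $principals.Count -gt $MaxOwners
            InheritedOwners = $inherited.Count
            OrphanedOwners  = ($orphaned | ForEach-Object { $_.RoleAssignmentId }) -join ','
            OwnerGroups     = ($direct | Where-Object { $_.ObjectType -eq 'Group' } |
                               ForEach-Object { $_.DisplayName }) -join ','
        }
    }
}

Get-SubscriptionOwnerReport | Format-Table -AutoSize
```

The OwnerGroups column is there because a single Owner assignment to a group counts as one principal but may hide dozens of effective owners; review group membership before concluding that a subscription is within the limit.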

Protect

Azure Backup

Cross Region Restore (CRR) for Azure virtual machines

With this new Azure Backup feature, restores can be started on demand in the secondary region, fully under the customer's control. For this to work, the Recovery Services vault that holds the backups must be configured for geo-redundant storage, so that the backup data in the primary region is replicated to the Azure paired region.
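The same procedure end to end, as an added example that is not part of the original post: set the vault to geo-redundant storage, opt in to Cross Region Restore, then run a restore of a VM's disks from the secondary region. The vault "rsv-prod" in "rg-backup", the VM "vm-app01", the staging storage account "stcrrstaging" and the target resource group are assumed names.

```powershell
# Added example (not from the original post). Assumed names: vault "rsv-prod" in
# "rg-backup", protected VM "vm-app01", staging account "stcrrstaging" in the secondary
# region, target resource group "rg-restored-secondary".
$vault = Get-AzRecoveryServicesVault -ResourceGroupName 'rg-backup' -Name 'rsv-prod'

# Prerequisite: geo-redundant vault storage. Storage redundancy can only be changed while
# the vault has no protected items, so this must be decided before the first backup.
Set-AzRecoveryServicesBackupProperty -Vault $vault -BackupStorageRedundancy GeoRedundant
# Opt in to Cross Region Restore for this vault.
Set-AzRecoveryServicesBackupProperty -Vault $vault -EnableCrossRegionRestore

# Every query against the secondary copy carries -UseSecondaryRegion. Replication to the
# paired region is asynchronous, so the newest recovery point may not be visible there yet:
# check the recovery point list before promising an RPO to anyone.
$container = Get-AzRecoveryServicesBackupContainer -ContainerType AzureVM -Status Registered `
    -FriendlyName 'vm-app01' -VaultId $vault.ID -UseSecondaryRegion
$item = Get-AzRecoveryServicesBackupItem -Container $container -WorkloadType AzureVM `
    -VaultId $vault.ID -UseSecondaryRegion
$rps = Get-AzRecoveryServicesBackupRecoveryPoint -Item $item `
    -StartDate (Get-Date).AddDays(-7).ToUniversalTime() `
    -EndDate   (Get-Date).ToUniversalTime() `
    -VaultId $vault.ID -UseSecondaryRegion

# Restore the disks into the secondary region; the VM is then built from the restored
# disks. The staging storage account must live in the secondary region.
$job = Restore-AzRecoveryServicesBackupItem -RecoveryPoint $rps[0] `
    -StorageAccountName 'stcrrstaging' -StorageAccountResourceGroupName 'rg-backup' `
    -TargetResourceGroupName 'rg-restored-secondary' `
    -VaultId $vault.ID -RestoreToSecondaryRegion

# Restore jobs run in the secondary region and are listed there, not in the primary.
Get-AzRecoveryServicesBackupJob -VaultId $vault.ID -UseSecondaryRegion |
    Where-Object { $_.JobId -eq $job.JobId }
```

Treat a successful cross-region restore drill as part of the DR evidence: the feature only proves its value if someone has actually exercised it, including the IAM side (the identity running the restore needs rights on the target resource group in the secondary region, which is often forgotten in region-scoped role assignments).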

Azure Files share snapshot management

Azure Backup introduces the ability to create daily, weekly and monthly snapshots of Azure file shares and to retain them for up to 10 years.

Figure 2 – Azure Files share snapshot management

Support for replacing existing disks for VMs with custom images

Azure Backup now supports replacing the existing disks during restore for virtual machines created from custom images.

SAP HANA backup

In Azure Backup, protection of SAP HANA databases running in virtual machines is available in all major Azure regions. This provides integrated SAP HANA database protection without having to deploy a dedicated backup infrastructure. The solution is officially certified by SAP.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure IaaS and Azure Stack: announcements and updates (April 2020 – Weeks: 15 and 16)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

SQL Server 2019 IaaS images with Linux distribution support now available

Azure Marketplace pay-as-you-go images for SQL Server 2019 on RHEL 8.0, Ubuntu 18.04, and SLES 12 SP5 are now generally available.

Virtual machine scale sets: automatic image upgrades for custom images

Virtual machine scale sets now provide the ability to automatically deploy new versions of custom images to scale set virtual machines. Enabling automatic OS image upgrades on your scale set helps ease update management by safely and automatically upgrading the OS disk for all virtual machines in the scale set. This capability is now available in preview for custom images through Shared Image Gallery.

Automatic instance repairs for virtual machine scale sets

Virtual machine scale sets now provide the capability to automatically repair unhealthy instances based on application health status. Configure the scale set instances to emit application health by using either the application health extension or Azure Load Balancer health probes. After the automatic repairs policy is enabled, when an instance is found to be unhealthy, the scale set will automatically delete the unhealthy instance and create a new one to replace it.
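The configuration described above, as an added example that is not part of the original post: install the Application Health extension so instances report their own state, then enable the automatic repairs policy, and finally read back the per-instance health. The scale set "vmss-web" in "rg-web", the Windows OS and the "/healthz" endpoint on port 80 are assumptions; Linux scale sets use the ApplicationHealthLinux extension type instead.

```powershell
# Added example (not from the original post). Assumed names: scale set "vmss-web" in
# "rg-web", Windows instances exposing an HTTP health endpoint at /healthz on port 80.
$rg = 'rg-web'; $name = 'vmss-web'
$vmss = Get-AzVmss -ResourceGroupName $rg -VMScaleSetName $name

# 1. Application Health extension: the agent inside the VM probes the local endpoint and
#    reports Healthy/Unhealthy to the platform. The endpoint must test the application
#    (dependencies, listeners), not just return 200; otherwise repairs never trigger.
$healthConfig = @{
    protocol    = 'http'
    port        = 80
    requestPath = '/healthz'
}
Add-AzVmssExtension -VirtualMachineScaleSet $vmss -Name 'ApplicationHealth' `
    -Publisher 'Microsoft.ManagedServices' -Type 'ApplicationHealthWindows' `
    -TypeHandlerVersion '1.0' -AutoUpgradeMinorVersion $true -Setting $healthConfig

# 2. Automatic repairs. The grace period (PT10M to PT90M) starts when an instance is
#    created or changes state and suppresses repairs while it boots and warms up; set it
#    longer than your slowest cold start, or the platform will churn instances that were
#    simply still starting.
Update-AzVmss -ResourceGroupName $rg -VMScaleSetName $name -VirtualMachineScaleSet $vmss `
    -EnableAutomaticRepair $true -AutomaticRepairGracePeriod 'PT30M'

# 3. Read the health state the platform sees for each instance (requires the instance view).
function Get-VmssHealth {
    param([string]$ResourceGroupName, [string]$VMScaleSetName)
    Get-AzVmssVM -ResourceGroupName $ResourceGroupName -VMScaleSetName $VMScaleSetName |
        ForEach-Object {
            $view = Get-AzVmssVM -ResourceGroupName $ResourceGroupName `
                -VMScaleSetName $VMScaleSetName -InstanceId $_.InstanceId -InstanceView
            [pscustomobject]@{
                InstanceId = $_.InstanceId
                Health     = $view.VmHealth.Status.Code
            }
        }
}
Get-VmssHealth -ResourceGroupName $rg -VMScaleSetName $name | Format-Table -AutoSize
```

Two things to watch from a security angle. The repair decision trusts the health signal, so anything that can make the application fail its own check (a dependency outage, or an attacker who can trigger the failure path) now also causes instance deletion; a sensible grace period and alerting on repair operations keep that from turning into self-inflicted denial of service. And a repaired instance is a fresh VM from the image, which is good for evicting a compromised host but also destroys its disk: if you rely on forensic access to unhealthy instances, capture what you need before enabling repairs or use the Azure Load Balancer probe variant with a manual workflow instead.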

Azure Migrate is now available in Azure Government

Azure Migrate provides a hub of Microsoft and partner tools to help customers meet their migration needs. Azure Migrate also offers scenarios for database migration, VDI migration, and web application migration, in addition to at-scale migration of VMware, Hyper-V, and physical servers to Azure. All Azure Migrate features, including agentless discovery and assessment, application inventory, and migration, are now available in Azure Government.

Azure File Sync v10 released

The Azure File Sync agent v10 release is being released to servers which are configured to automatically update when a new version becomes available.

Improvements and issues that are fixed:

  • Improved sync progress in the portal
  • Improved cloud tiering portal experience
  • Support for moving the Storage Sync Service and/or storage account to a different Azure Active Directory (AAD) tenant
  • Evaluation tool now identifies files or directories that end with a period
  • Miscellaneous performance and reliability improvements

To obtain and install this update, configure your Azure File Sync agent to automatically update when a new version becomes available or manually download the update from the Microsoft Update Catalog by following the steps documented in KB4522409.

Networking

Azure Virtual Network supports reverse DNS lookup

Azure Virtual Network now supports reverse DNS lookup (PTR DNS queries) for virtual machine IP addresses by default. Use this to quickly look up the name of a VM from its IP address. Previously, a DNS query for the fully qualified domain name (FQDN) of a virtual machine from its IP address would result in an NXDOMAIN response. Now, instead of NXDOMAIN, you receive the valid FQDN of the virtual machine to which the IP address belongs.

Azure Monitor: exploring data through Workbooks

Azure Monitor Log Analytics can collect large amounts of data, so it is essential to have effective ways to access and analyze it easily. Among the options available are Workbooks: interactive documents that help interpret the data and carry out in-depth analysis, and that are also designed for collaboration scenarios. This article lists the key features of Workbooks and gives guidance on how to use them best.

Workbooks combine text, Log Analytics queries, Azure metrics and parameters into an interactive report. Notably, they can be viewed and edited by anyone who has access to the same Azure resources, which makes them a powerful collaboration tool for members of a team.

Possible usage scenarios

The Workbooks can be used in different scenarios, for example:

  • Guide for troubleshooting and incident post-mortems. Not only can you highlight the impact of an application or virtual machine outage, but you can also combine data with written explanations. This becomes a guide for discussing the steps needed to prevent future service outages.
  • Exploring the usage of a particular application or virtual machine when you do not know in advance which metrics are of interest. Unlike other analysis tools, Workbooks combine multiple types of visualizations and analysis, making them a great tool for freeform exploration.
  • Showing your team the performance of a new application feature or of a new virtual machine, giving visibility of the key metrics of interest.
  • Sharing the results of experimentation work on an application with other team members. You can describe the objectives of the experiment in text and show the Log Analytics metrics and queries used to evaluate the items of interest.

Advantages of Workbooks

The main advantages of Workbooks are:

  • Support for metrics, logs and Azure Resource Graph data.
  • Parameter support that enables interactive reports, for example, selecting an item in a table will dynamically update the associated charts and visualizations.
  • Document-like flow.
  • Ability to have Workbooks personal or shared.
  • Simple authoring experience, designed with collaboration in mind.
  • Ability to tap into a public template gallery on GitHub that contains several ready-to-use Workbooks.

Workbooks Limits

Workbooks also have the following limitations, which should be taken into consideration:

  • There are no automatic refresh mechanisms.
  • They are not designed to have a denser layout like dashboards and to have a single centralized control panel. In fact, they are designed to gain insights through an interactive path.

Deploy and use Workbooks

The Workbooks section is accessible in the Azure portal both from Azure Monitor Log Analytics and from Application Insights, and a gallery with a set of default Workbooks is available.

Figure 1 – Workbooks Gallery from Azure Portal

In this GitHub repository you can browse numerous Workbook templates. You can of course contribute by adding new ones or by improving existing ones.

Workbooks can be composed of different sections showing charts, tables, text and input controls, each independently editable.

Figure 2 – Adding section to a Workbook

In order to create Workbooks that fit your needs it is useful to know which elements are supported; the official Microsoft documentation lists them.

Figure 3 - Example of Workbook showing the key metrics of the VMs

Figure 4 - Example of Workbook showing the highest CPU usage of VMs by region

To deploy new Workbooks through ARM templates you can refer to Microsoft's official documentation.

Conclusions

By adopting Workbooks it is possible to explore the collected data through visually appealing reports, with advanced features that greatly enrich the analysis experience in the Azure portal. Interactivity driven by user input, customization and sharing are the elements that make Workbooks very useful in specific scenarios.

Azure Security Center: exports of alerts and recommendations to other solutions

Azure Security Center introduces an interesting feature that allows you to send the security information generated for your environment to other solutions. This is done through a continuous export mechanism that streams alerts and recommendations to Azure Event Hubs or to Azure Monitor Log Analytics workspaces, which opens up new integration scenarios for Azure Security Center. This article describes how to use the feature and looks at its capabilities in detail.

Azure Security Center (ASC) continuously assesses the environment and provides recommendations concerning its security. As described in this article, you can customize the solution to match your own security requirements and the recommendations that are generated. In the Standard tier, these recommendations are not limited to the Azure environment alone: hybrid environments and on-premises resources can be covered as well.

Security Center Standard also generates alerts when potential security threats are detected on resources in your environment. ASC prioritizes and lists the alerts, provides the information you need to quickly investigate an issue, and recommends how to resolve the attack.

Azure Event Hubs is a big-data streaming platform and event ingestion service. It can receive and process millions of events per second. The data sent to an Event Hub can be transformed and stored using any real-time analytics provider, or batching and storage adapters.

The new feature introduced in Azure Security Center is called Continuous Export; it supports enterprise scenarios and allows you to do the following:

  • Export to Azure Event Hubs to gain integration with third-party SIEMs and Azure Data Explorer.
  • Export to a Log Analytics workspace to have an integration with Azure Monitor, useful to better analyze data, use Alert rule, Microsoft Power BI and customized dashboards.
  • Export to a CSV file, for one-off data exports.

The configuration is simple and can be carried out using the following procedure.

In Azure Security Center, select the subscription for which you want to configure data export, and in the settings sidebar select Continuous Export:

Figure 1 – Continuous export in ASC's subscription settings

In this example the export is configured towards a Log Analytics workspace. You can select which recommendations to export and their severity level; likewise, for security alerts, you can choose from which severity level to export. The export is created as an Azure resource, so you must specify the resource group to place it in. Finally, you select the target Log Analytics workspace.

Figure 2 - Configuring parameters to make the Continuous Export

The link for integration with Azure Monitor lets you automatically create pre-configured alert rules.

Figure 3 - Automatically create alert rules in Azure Monitor

By default these alert rules have no Action Group attached, so they fire without notifying anyone; edit them and add the Action Group that triggers the notification or response you need.

These are the two default alert rules created:

Figure 4 – Default Alert rules of Azure Monitor

Alternatively, once the ASC recommendations and alerts are flowing into a workspace, you can configure custom Azure Monitor alert rules based on Log Analytics queries.

The ASC security alerts and recommendations are stored in the SecurityAlert and SecurityRecommendation tables of the workspace. The name of the Log Analytics solution that contains these tables depends on the ASC tier: Security and Audit (Standard tier) or SecurityCenterFree (Free tier).
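A custom rule of that kind, built with the Az.Monitor scheduled query rule cmdlets, as an added example that is not part of the original post. It fires on any High-severity ASC alert that the export writes into the SecurityAlert table and, unlike the auto-created rules, attaches an Action Group. The workspace "law-sec" and Action Group "ag-soc" in resource group "rg-monitoring" are assumed names.

```powershell
# Added example (not from the original post). Assumed names: Log Analytics workspace
# "law-sec" and Action Group "ag-soc", both in resource group "rg-monitoring".
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName 'rg-monitoring' -Name 'law-sec'
$ag = Get-AzActionGroup -ResourceGroupName 'rg-monitoring' -Name 'ag-soc'

# KQL over the exported SecurityAlert table. Continuous export can write the same alert
# more than once as its state changes, so collapse on SystemAlertId and keep the newest
# row; otherwise one incident produces several pages.
$query = @'
SecurityAlert
| where TimeGenerated > ago(5m)
| where AlertSeverity == "High"
| summarize arg_max(TimeGenerated, *) by SystemAlertId
| project TimeGenerated, AlertName, CompromisedEntity, ResourceId, Description
'@

# Evaluate every 5 minutes over a 5-minute window; fire when the query returns any row.
$source   = New-AzScheduledQueryRuleSource -Query $query -DataSourceId $ws.ResourceId `
    -QueryType 'ResultCount'
$schedule = New-AzScheduledQueryRuleSchedule -FrequencyInMinutes 5 -TimeWindowInMinutes 5
$trigger  = New-AzScheduledQueryRuleTriggerCondition -ThresholdOperator 'GreaterThan' -Threshold 0

# The Action Group is what makes the rule useful: email/SMS/webhook to the on-call
# rotation, or a Logic App that opens a ticket.
$action   = New-AzScheduledQueryRuleAznsActionGroup -ActionGroup $ag.Id `
    -EmailSubject 'ASC high-severity alert'
$alerting = New-AzScheduledQueryRuleAlertingAction -AznsAction $action -Severity '1' -Trigger $trigger

New-AzScheduledQueryRule -ResourceGroupName 'rg-monitoring' -Location $ws.Location `
    -Name 'asc-high-severity-alert' `
    -Description 'Fires on any High-severity Security Center alert exported to the workspace' `
    -Enabled $true -Source $source -Schedule $schedule -Action $alerting
```

Keep the schedule and the time window equal so that an alert written between two evaluations is not missed; and remember that the rule sees only what the export filter lets through, so an export configured for "High" alerts only will never feed a rule looking for Medium ones.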

Figure 4 – Tables in Log Analytics

The configuration of Continuous Export towards Event Hubs is similar, and it is the preferred way to feed Azure Security Center recommendations and alerts into third-party SIEM solutions. The connectors for the main third-party SIEM solutions are shown below:

Azure Sentinel, on the other hand, has a native data connector that ingests Azure Security Center alerts directly.

To configure exports to Azure Data Explorer you can use the procedure in this Microsoft documentation.

Conclusions

With this new Azure Security Center feature, you can forward all the alerts and recommendations generated by the solution to other tools, opening up new integration scenarios, including with third-party solutions. All this is made possible by an easily configurable mechanism that lets you be notified immediately and act quickly, which is crucial when dealing with security information.

Azure IaaS and Azure Stack: announcements and updates (April 2020 – Weeks: 13 and 14)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Azure Spot Virtual Machines are now generally available

Spot Virtual Machines provide scalability while reducing costs and they’re ideal for workloads that can be interrupted. Get unique Azure pricing and benefits when running Windows Server workloads on Spot Virtual Machines.

Storage

Direct Upload of Azure Managed Disks

Customers can bring an on-premises VHD to Azure as a managed disk in two ways: copy the VHD into a storage account before converting it into a managed disk, or attach an empty managed disk to a virtual machine and do a copy. Both of these have disadvantages. The first option requires maintaining storage accounts, while the second option has the additional cost of running virtual machines. Direct upload addresses both these issues and provides a simplified workflow by allowing you to copy an on-premises VHD directly into an empty managed disk. You can use it to upload to Standard HDD, Standard SSD, and Premium SSD managed disks of all the supported sizes.
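The direct-upload workflow in Az PowerShell, as an added example that is not part of the original post: create the empty disk sized to the VHD, grant a short-lived write SAS, copy with AzCopy, revoke the SAS. The resource group "rg-images", disk "disk-imported", region and VHD path are assumed names, and azcopy v10 is assumed to be on the PATH.

```powershell
# Added example (not from the original post). Assumed names: resource group "rg-images",
# disk "disk-imported", region westeurope, fixed-size VHD at C:\vhd\server.vhd, azcopy v10.
$vhd = Get-Item 'C:\vhd\server.vhd'

# The disk must be created with CreateOption Upload and an upload size equal to the VHD
# size in bytes including its 512-byte footer; a fixed-size VHD on disk already includes
# the footer, so the file length is the right value. A dynamic VHD will not work here.
$diskConfig = New-AzDiskConfig -SkuName 'Standard_LRS' -Location 'westeurope' `
    -OsType 'Windows' -CreateOption 'Upload' -UploadSizeInBytes $vhd.Length
$disk = New-AzDisk -ResourceGroupName 'rg-images' -DiskName 'disk-imported' -Disk $diskConfig

# Grant a write SAS on the disk. This is a bearer credential: anyone holding it can
# overwrite the disk contents, so keep the lifetime as short as the transfer needs.
$sas = Grant-AzDiskAccess -ResourceGroupName 'rg-images' -DiskName 'disk-imported' `
    -Access 'Write' -DurationInSecond 3600

# AzCopy streams the VHD straight into the disk as a page blob.
azcopy copy $vhd.FullName $sas.AccessSAS --blob-type PageBlob

# Revoke the SAS explicitly: the disk stays in the 'ActiveUpload' state and cannot be
# attached to a VM while an access grant is outstanding, and the token should not outlive
# the copy anyway.
Revoke-AzDiskAccess -ResourceGroupName 'rg-images' -DiskName 'disk-imported'
```

Note that the SAS URL is passed on the command line, so it will show up in shell history and process listings on the machine running the upload; run this from a build agent or jump host rather than a shared workstation, and treat the Revoke step as mandatory even if the copy fails.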

New Azure Disk sizes and bursting support 

Azure Disks, block-level storage volumes managed by Azure and used with Azure Virtual Machines, now have new 4-GiB, 8-GiB, and 16-GiB sizes available on both premium and standard SSDs. The new disk sizes introduced on standard SSD disk provide the most cost-efficient SSD offering in the cloud, providing consistent disk performance at the lowest cost per GB. In addition, Microsoft now supports bursting on Azure premium SSD disks in all Azure regions in the public cloud. With bursting, even the smallest premium SSD disks at 4-GiB can now achieve up to 3,500 IOPS and 170 MiB/second, and better accommodate spiky workloads. It can be best used for OS disks to accelerate virtual machine (VM) boot or data disks to accommodate spiky traffic. To learn more about disk bursting, read the premium SSD bursting article.

Azure Ultra Disks: Shared disk capability in preview

Attach an Azure managed disk to multiple virtual machines (VMs) simultaneously using the new shared disks feature of Azure Managed Disks. Deploy new or migrate existing clustered applications to Azure by attaching a managed disk to multiple VMs. Shared disks also support SCSI persistent reservation protocol.

Server-side encryption with customer-managed keys for Azure Managed Disks in GA 

Azure customers already benefit from server-side encryption with platform-managed keys, enabled by default for Managed Disks. Server-side encryption with customer-managed keys improves on platform-managed keys by giving you control of the encryption keys to meet your compliance needs. Today, customers can also use Azure Disk Encryption, which leverages BitLocker on Windows and DM-Crypt on Linux to encrypt Managed Disks with customer-managed keys inside the guest VM. Server-side encryption with customer-managed keys improves on Azure Disk Encryption by encrypting data in the Storage service, which lets you use any OS type and image, including custom images, for your virtual machines.
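Setting this up involves three resources and one access policy, and the order matters. Below is an added example, not code from the original post: a Key Vault with the protections the disk key needs, a Disk Encryption Set whose managed identity is allowed to use (but not manage) the key, and a disk bound to that set. The resource group "rg-crypto", vault "kv-disk-cmk", key "disk-key", set "des-prod", disk name and region are assumed names.

```powershell
# Added example (not from the original post). Assumed names: resource group "rg-crypto",
# Key Vault "kv-disk-cmk", key "disk-key", Disk Encryption Set "des-prod", disk
# "disk-data-cmk", region westeurope. The DES and the disks must be in the same region.
$rg  = 'rg-crypto'
$loc = 'westeurope'

# 1. Key Vault with soft delete and purge protection. Losing the key means losing every
#    disk encrypted with it, so deletion (accidental or malicious) must be recoverable.
$kv = New-AzKeyVault -Name 'kv-disk-cmk' -ResourceGroupName $rg -Location $loc `
    -EnableSoftDelete -EnablePurgeProtection
$key = Add-AzKeyVaultKey -VaultName $kv.VaultName -Name 'disk-key' -Destination 'Software'

# 2. Disk Encryption Set with a system-assigned identity that references the key.
$desConfig = New-AzDiskEncryptionSetConfig -Location $loc -SourceVaultId $kv.ResourceId `
    -KeyUrl $key.Key.Kid -IdentityType 'SystemAssigned'
$des = New-AzDiskEncryptionSet -ResourceGroupName $rg -Name 'des-prod' -InputObject $desConfig

# 3. Least privilege on the key: the DES identity only needs wrap/unwrap/get. Do not hand it
#    create/delete/purge; key lifecycle stays with the humans or pipeline that own the vault.
Set-AzKeyVaultAccessPolicy -VaultName $kv.VaultName -ObjectId $des.Identity.PrincipalId `
    -PermissionsToKeys 'wrapkey', 'unwrapkey', 'get'

# 4. A disk encrypted server-side with the customer-managed key.
$diskConfig = New-AzDiskConfig -Location $loc -SkuName 'Premium_LRS' -DiskSizeGB 128 `
    -CreateOption 'Empty' -DiskEncryptionSetId $des.Id
New-AzDisk -ResourceGroupName $rg -DiskName 'disk-data-cmk' -Disk $diskConfig

# 5. Verify which key protects the disk (Encryption.Type and the DES reference).
(Get-AzDisk -ResourceGroupName $rg -DiskName 'disk-data-cmk').Encryption
```

Encryption.Type on the disk should read EncryptionAtRestWithCustomerKey rather than EncryptionAtRestWithPlatformKey. Operationally, the thing to monitor is the key itself: if the key is disabled, expired or its access policy is removed, VMs using disks bound to the set can no longer start, so key rotation and vault access changes belong in the change process for the workloads that depend on them.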

General availability of incremental snapshots of Managed Disks

Incremental snapshots are a cost-effective, point-in-time backup of managed disks. Unlike current snapshots, which are billed for the full size, incremental snapshots are billed only for the changes to the disk since the last snapshot and are always stored on the most cost-effective storage, Standard HDD, irrespective of the storage type of the parent disk. For additional reliability, incremental snapshots are stored on Zone Redundant Storage (ZRS) by default in regions that support ZRS. Incremental snapshots provide differential capability, enabling customers and independent solution vendors (ISVs) to build backup and disaster recovery solutions for Managed Disks: you can obtain the changes between two snapshots of the same disk and copy only the changed data across regions, reducing the time and cost of backup and disaster recovery. Incremental snapshots are accessible instantaneously; you can read their underlying data or restore disks from them as soon as they are created. They inherit all the capabilities of current snapshots and have a lifetime independent of their parent managed disk and of each other.

New additions to the Azure Archive Storage partner network

Azure Archive Storage is now integrated with new partners including IBM Spectrum Protect Plus, NetApp StorageGRID, Rubrik, and Veritas NetBackup, making the partner network even more comprehensive. Other Azure Archive Storage partners include Archive360, CloudBerry Lab, Cohesity, Commvault, HubStor, Igneous, NetApp, and Tiger Technology. 

Networking

IPv6 for Azure Virtual Network is generally available

IPv6 for Azure Virtual Network is now generally available worldwide. IPv6 support within the Azure Virtual Network and to the internet enables you to expand into the growing mobile and IoT markets with Azure-based applications and to address IPv4 depletion in your own corporate networks.

Azure Container Registry support for Private Link now in preview

Azure Container Registry now supports Private Link, a means to limit network traffic of resources within the virtual network.

Azure Edge Zones extends Azure services to the edge

Azure Edge Zones combines the power of Azure, 5G, carriers, and operators around the world to enable new scenarios for developers, customers and partners. These new offerings are coming to preview and will help local telecoms and carrier partners drive new solutions for business and society, including autonomous vehicles, smart cities, virtual reality, and other smart industry use cases. 

Azure Stack

Azure Stack Edge

Azure Stack Edge preview

Microsoft also announced the expansion of Azure Stack Edge preview with the NVIDIA T4 Tensor Core GPU. Azure Stack Edge is a cloud managed appliance that provides processing for fast local analysis and insights to the data. With the addition of an NVIDIA GPU, customers are able to build in the cloud then run at the edge.

Azure Stack Hub

Azure Stack Hub preview

Microsoft, in collaboration with NVIDIA, is announcing that Azure Stack Hub with Azure NC-Series Virtual Machine (VM) support is now in preview. GPU support in Azure Stack Hub unlocks a variety of new solution opportunities. With our Azure Stack Hub hardware partners, customers can choose the appropriate GPU for their workloads to enable Artificial Intelligence, training, inference, and visualization scenarios.

Event Hubs on Azure Stack Hub in preview

We are now announcing the availability of the preview version of Event Hubs on Azure Stack Hub. Event Hubs on Azure Stack Hub will allow you to realize cloud and on-premises scenarios that use streaming and event-based architectures.