Category Archives: Microsoft Azure

Azure IaaS and Azure Stack: announcements and updates (January 2020 – Weeks: 01 and 02)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, made official by Microsoft in the last two weeks.

Azure

Azure Lab Services updates

Azure DevTest Labs recently released several updates:

  • Multiple owners can now manage a lab.
  • Virtual machines can be shut down automatically when a user's remote desktop (RDP) session is disconnected (Windows).
  • Integration with Azure Bastion lets you connect to your lab virtual machines through a web browser.
  • The necessary GPU drivers are installed automatically when you create a lab with GPU machines, so you no longer have to figure out which GPU driver to use on your own.

Azure File Sync agent version 5.x will expire on February 12th

To continuously improve Azure File Sync, Microsoft can only support old versions of the agent for a limited time. On February 12, 2020, Azure File Sync agent version 5.x will expire and stop syncing. If you have servers with agent version 5.x, update them to a supported agent version (6.x or later). Servers that are not updated before February 12, 2020 will stop syncing, and syncing resumes only after the agent is updated to a supported version.

Azure IaaS and Azure Stack: announcements and updates (December 2019 – Weeks: 51 and 52)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, made official by Microsoft in the last two weeks.

Azure

Serial console for Azure Virtual Machines available in US Government Cloud

Serial console is available in preview in the Azure US Government Cloud, allowing customers in the government-only clouds to access the serial console of their VMs or virtual machine scale set instances.

Azure Data Box Disk is available in East Asia

Data Box Disk is an SSD-disk-based option for offline data transfer to Azure. It’s ideal for a recurring or one-time data migration of up to 40 TB to Azure and is especially well suited for data migration from multiple remote or branch offices. Azure Data Box Disk is now available in the East Asia (Hong Kong) region. This is in addition to the other Azure regions where Data Box Disk is already available: US, EU, Canada, Australia, Japan, Korea, Singapore, and Azure Government (US).

Azure Bastion generally available in East US 2 and West US 2

Azure Bastion is generally available in two more Azure public cloud regions, East US 2 and West US 2. Azure Bastion is a managed PaaS service that provides secure and seamless RDP/SSH connectivity to your virtual machines directly in the Azure portal over SSL and without any public IPs on your virtual machines.

Azure management services and System Center: What's New in December 2019

In December, Microsoft announced a significant number of updates regarding Azure management services and System Center. Our community releases this monthly summary to give you a comprehensive overview of the main news of the month, so that you can stay up to date and have the necessary references for further study.

Azure Monitor

Improvements in Azure Monitor for containers

The new Azure Monitor agent for containers introduces several improvements in resource utilization and data volume optimization, helping to reduce costs. This update also changes some tables in which data is consolidated, so existing queries may need changes if they use the Name and Image fields in the ContainerLog table.

New features in Azure Monitor Metrics Explorer

For Azure Monitor, the Metrics Explorer component has seen the release of the following new features:

  • More flexibility in chart generation.
  • The resource selector supports the ability to choose multiple resources in scoping.
  • More granular charts such as number of data points.
  • Improved Chart Legends.

For more details you can refer to this article.

Azure Backup

Azure Backup: resource group management for virtual machines

Azure Backup introduces the ability to customize the name of the resource group created by the service, by acting on the backup policy used to protect virtual machines. Azure Backup creates a specific resource group that holds the restore point collections hosting the instant recovery points of the managed VMs. By default this resource group is named AzureBackupRG_Geo_n, but you can now customize the name.

Support for encrypted VMs larger than 4TB

The ability to back up and restore encrypted virtual machines larger than 4 TB has been extended to all Azure regions. In this way, the experience and capabilities provided by Azure Backup to protect these machines is the same, regardless of size.

Microsoft Endpoint Manager

New Update for Microsoft Endpoint Configuration Manager (current branch)

Configuration Manager has officially released update 1910, which formalizes that Configuration Manager is now part of Microsoft Endpoint Manager. The new version also introduces several changes aimed at enriching and improving different features of the solution.

To verify the details about what's new in this update you can see this document.

New release for the Technical Preview Branch

Update 1912 was released in the Technical Preview Branch of Configuration Manager. One of its main innovations allows a device to upload its client logs to the site server, which is done by sending a client notification action from the Configuration Manager console.

To check the details of what's included in these updates, you can see this document.

Please note that releases in the Technical Preview Branch allow you to preview new Configuration Manager features, and it is recommended that you apply these updates only in test environments.

Evaluation of Azure and System Center

To test and evaluate the services provided by Azure for free you can access this page, while to try the various System Center components you must access the Evaluation Center and, after registering, you can start the trial period.

Azure Arc: a new approach to hybrid environments

Hybrid architectures are increasingly common in the enterprise: they let you continue to benefit from investments made in your on-premises environment while using the innovation introduced by the cloud. The adoption of hybrid solutions is successful if it takes into account a shared policy for distribution, component management and security. Without consistency in the management of the different environments, costs and complexity are likely to grow exponentially. Microsoft has responded to this need with Azure Arc, a solution that involves a range of technologies with the aim of developing new hybrid scenarios in which Azure services and management principles are extended to any infrastructure. This article presents the approach adopted by Azure Arc for hybrid environments.

The complexity of IT environments is constantly expanding, to the point where we find applications based on different technologies, running on heterogeneous infrastructures and perhaps using solutions in different public clouds. Customers need a solution that lets them centrally inventory, organize and enforce control policies on their IT resources, wherever they are.

The principle behind Azure Arc is to extend Azure management and governance practices to different environments and to adopt typical cloud solutions, such as DevOps techniques (infrastructure as code), even for on-premises environments.

Figure 1 – Azure Arc overview

To achieve this, Microsoft has extended the Azure Resource Manager model so that it also supports hybrid environments. This makes it easier to apply the security features available in Azure to all infrastructure components.

Figure 2 – Azure Management for all resources

Azure Arc consists of a set of different technologies and components that allows you to:

  • Manage applications in Kubernetes environments: it provides the ability to deploy and configure Kubernetes applications in a consistent manner across all environments, adopting modern DevOps techniques.
  • Allow Azure data services to run on any infrastructure: everything is based on the adoption of Kubernetes, which makes it easier to meet compliance criteria, improves data security and gives considerable flexibility at deployment time. At the moment the services covered are Azure SQL Database and Azure Database for PostgreSQL.
  • Organize, manage and govern all server systems: Azure Arc extends Azure governance and management capabilities to physical machines and virtual systems in different environments. This solution is specifically called Azure Arc for servers.

Figure 3 – Azure Arc Technologies

Azure Arc relies on specific Resource Providers for Azure Resource Manager and requires the installation of Azure Arc agents.

By logging in to the portal, you can see that Azure Arc for Servers is already available in public preview, while you need to register to manage Kubernetes environments and data services in preview.

Figure 4 – Azure Arc in the Azure portal

Because Azure Arc introduces an overall view, hybrid architectures can reach the following objectives, which are difficult to achieve otherwise:

  • Standardization of operations
  • Organization of resources
  • Security
  • Cost Control
  • Business Continuity
  • Regulatory and corporate compliance

Figure 5 – Cloud-native governance with Azure Arc

Conclusions

Azure Arc was recently announced and, although it is still in an embryonic phase, I think it will evolve significantly enough to revolutionize the management and development of hybrid environments. To keep up to date on how this solution develops, you can register at this page.

Data encryption in Azure

Encryption is certainly one of the areas that improve the security posture of a corporate information system: through specific techniques, it makes data readable only to those who hold the means to decrypt it. This article provides an overview of how encryption is used in Azure and provides references for further study.

To protect your data in the cloud, you must first consider the possible states in which the data can be located and evaluate the related controls that can be implemented. Best practices for data security and encryption, particularly in Azure, concern the following states:

  • At rest: includes all information that statically resides on physical storage media, both magnetic and optical.
  • In transit: data is defined as in transit when it is transferred between components, locations or services. For example, transferring data across the network, across a service bus or during input/output processes.

Encryption at Rest

Encryption at Rest is a highly recommended technique and a priority requirement for many organizations that must comply with data governance and compliance policies. Various industry-specific and government-specific regulations require data protection and encryption measures. Encryption at Rest encrypts data when it is persisted; besides meeting compliance and regulatory requirements, it also provides a high level of protection for the data. The Azure platform natively adopts advanced physical security mechanisms, data access control and auditing. However, it is important to add overlapping security measures to deal with potential failures, and Encryption at Rest is a great way to ensure confidentiality, compliance and data sovereignty.

Server-Side Data Encryption Models

Server-side data encryption models refer to encryption performed by Azure services. In this model, the Azure Resource Provider performs encryption and decryption. Azure offers several server-side Encryption at Rest models, which differ in how keys are managed and can be applied to different Azure resources:

  • Server-side encryption using service-managed keys. In this scenario, the encryption keys are managed by Microsoft, which proves to be a good combination of control and convenience.
  • Server-side encryption using customer-managed keys in Azure Key Vault. In this mode, the encryption keys are controlled by the customer through Azure Key Vault, which includes support for bringing your own keys (BYOK).
  • Server-side encryption using customer-managed keys on customer-controlled hardware. This method lets the customer control keys that reside in a customer-controlled repository, outside of Microsoft's control. This feature is called Host Your Own Key (HYOK). However, the configuration is complex and most Azure services do not support this model at this time.

Figure 1 – Server-side encryption model

Client-side data encryption models

The client-side data encryption model refers to encryption performed outside Azure, directly by the calling service or application. When you use this encryption model, the Resource Provider in Azure receives encrypted data without the ability to decrypt it or to access the encryption keys. Key management is performed by the calling service or application and is opaque to the Azure service.

Figure 2 – Client-side encryption model
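The client-side model described above, sketched with envelope encryption (a common way to implement it). This is an added example, not code from the original article or from any Azure SDK; it assumes the third-party `cryptography` package, and every function and class name in it is hypothetical.

```python
"""Client-side envelope encryption: the storage service only ever receives
ciphertext and a wrapped key. Added illustration, not Azure SDK code."""
import os
from dataclasses import dataclass, replace

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.keywrap import (
    InvalidUnwrap, aes_key_unwrap, aes_key_wrap)


@dataclass(frozen=True)
class StoredObject:
    """Everything the service stores; none of it is readable without the KEK."""
    name: str
    nonce: bytes
    ciphertext: bytes    # AES-256-GCM output with the 16-byte tag appended
    wrapped_cek: bytes   # content-encryption key wrapped under the client's KEK


def encrypt_for_upload(kek: bytes, name: str, plaintext: bytes) -> StoredObject:
    """Runs in the calling application, before any data leaves the client."""
    cek = AESGCM.generate_key(bit_length=256)   # fresh content key per object
    nonce = os.urandom(12)                      # never reused with the same CEK
    # The object name is bound as associated data, so a ciphertext moved
    # under another name fails authentication on download.
    ciphertext = AESGCM(cek).encrypt(nonce, plaintext, name.encode())
    return StoredObject(name, nonce, ciphertext, aes_key_wrap(kek, cek))


def decrypt_after_download(kek: bytes, obj: StoredObject) -> bytes:
    cek = aes_key_unwrap(kek, obj.wrapped_cek)  # InvalidUnwrap if the KEK is wrong
    return AESGCM(cek).decrypt(obj.nonce, obj.ciphertext, obj.name.encode())


def rotate_kek(old_kek: bytes, new_kek: bytes, obj: StoredObject) -> StoredObject:
    """Key rotation re-wraps the small CEK; the bulk ciphertext is not touched."""
    cek = aes_key_unwrap(old_kek, obj.wrapped_cek)
    return replace(obj, wrapped_cek=aes_key_wrap(new_kek, cek))


def is_rejected(kek: bytes, obj: StoredObject) -> bool:
    """True when decryption fails closed (wrong key or modified object)."""
    try:
        decrypt_after_download(kek, obj)
    except (InvalidTag, InvalidUnwrap):
        return True
    return False


if __name__ == "__main__":
    kek = os.urandom(32)                        # stays with the client (constructed)
    doc = b"payroll-2020-01.csv contents"       # constructed sample data
    stored = encrypt_for_upload(kek, "payroll.csv", doc)
    print("round trip ok:", decrypt_after_download(kek, stored) == doc)
    print("wrong key rejected:", is_rejected(os.urandom(32), stored))
    print("renamed object rejected:", is_rejected(kek, replace(stored, name="public.csv")))
```

Only the `StoredObject` fields would be uploaded; the key-encryption key never leaves the caller, which is why losing it makes the stored data unrecoverable.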

Encryption at Rest for top Azure services

Azure Storage

Azure Storage automatically encrypts data when it is persisted in the cloud. All Azure Storage services (Blob storage, Queue storage, Table storage, and Azure Files) support server-side encryption of data at rest, and some of them also support client-side encryption of data and customer-managed encryption keys.

  • Server-side: all Azure Storage services have server-side encryption with service-managed keys enabled by default. Azure Blob storage and Azure Files also support customer-managed encryption keys in Azure Key Vault. The technology used is called Azure Storage Service Encryption; it automatically encrypts data before it is stored and decrypts it when it is accessed. This process is completely transparent to the user and uses 256-bit AES encryption, one of the most powerful block ciphers currently available. Azure Storage encryption is similar to BitLocker encryption in a Windows environment. Azure Storage encryption is enabled by default for all new storage accounts and cannot be disabled. Storage accounts are encrypted regardless of performance level (standard or premium) or deployment model (Azure Resource Manager or classic). All redundancy options provided for storage accounts support encryption, and all copies of a storage account are always encrypted. Encryption does not affect the performance of storage accounts and there is no additional cost.
  • Client-side: this encryption is currently supported by Azure Blobs, Tables, and Queues. When it is used, the data is encrypted by the customer, who manages their own keys, and is uploaded as an encrypted blob.

Virtual Machines

All Managed Disks, snapshots and virtual machine images in Azure are encrypted using Storage Service Encryption with service-managed keys. When data is processed on a virtual machine, it can end up in the Windows paging file or the Linux swap file, in a crash dump or in an application log. Therefore, for a more complete Encryption at Rest solution on IaaS virtual machines and virtual disks, one that ensures data is never kept in unencrypted form, you need to use Azure Disk Encryption. This feature helps you protect Windows virtual machines using Windows BitLocker technology, and Linux virtual machines through DM-Crypt. With Azure Disk Encryption you get full protection of operating system disks and data volumes. The encryption keys and secrets are protected within your own Azure Key Vault. Protection of encrypted virtual machines is supported by the Azure Backup service. For more information about Azure Disk Encryption, see Microsoft's official documentation.

Azure SQL Database

Azure SQL Database currently supports encryption at rest in the following ways:

  • Server-side: server-side encryption is provided through a SQL feature named Transparent Data Encryption (TDE), which can be activated at either the database or the server level. Since June 2017 this feature has been on by default for all new databases. TDE protects SQL data and log files using the AES and Triple Data Encryption Standard (3DES) encryption algorithms. Database files are encrypted at the page level: pages are encrypted before being written to disk and decrypted when read into memory.
  • Client-side: client-side encryption of data in Azure SQL Database is supported through the Always Encrypted feature, which uses keys that are generated and stored on the client side. With this technology, data can be encrypted within client applications before it is stored in the Azure SQL database.

As with Azure Storage and Azure SQL Database, encryption of data at rest occurs by default for many other Azure services (Azure Cosmos DB, Azure Data Lake, etc.), while for other services it can be optionally activated.

Encryption in Transit in Azure

Protecting data in transit must be an essential element of your data protection strategy. It is generally recommended to always protect the movement and exchange of data using the SSL/TLS protocols. Under certain circumstances, it may be appropriate to isolate the entire communication channel between the on-premises environment and the cloud using a VPN. Microsoft uses the TLS (Transport Layer Security) protocol to protect data when it travels between cloud services and customers: a TLS connection is negotiated between the Microsoft datacenter and the client systems that connect to Azure services. The TLS protocol provides strong authentication, privacy and message integrity (it allows detection of tampering, interception and message forgery).
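To check which server-side key model each storage account actually uses, and whether unencrypted transport is still accepted, an inventory can be audited offline. This is an added example, not part of the original article: the JSON is constructed, its field names are assumed to match `az storage account list -o json` output, and the `dataClassification` tag and the rule that confidential data needs customer-managed keys are hypothetical policy choices.

```python
"""Classify storage accounts by encryption-at-rest key model and flag weak
in-transit settings. Added illustration; field names are assumptions."""
import json

# Constructed sample, shaped like `az storage account list -o json` output.
# Field names (encryption.keySource, keyVaultProperties.keyVaultUri,
# enableHttpsTrafficOnly) and the "dataClassification" tag are assumptions;
# account names and the vault URI are placeholders.
SAMPLE_ACCOUNTS = json.loads("""
[
  {"name": "stlogsprod", "tags": {"dataClassification": "internal"},
   "enableHttpsTrafficOnly": true,
   "encryption": {"keySource": "Microsoft.Storage", "keyVaultProperties": null}},
  {"name": "sthrrecords", "tags": {"dataClassification": "confidential"},
   "enableHttpsTrafficOnly": true,
   "encryption": {"keySource": "Microsoft.Keyvault",
                  "keyVaultProperties": {"keyVaultUri": "https://kv-example.vault.azure.net"}}},
  {"name": "stfinance", "tags": {"dataClassification": "confidential"},
   "enableHttpsTrafficOnly": false,
   "encryption": {"keySource": "Microsoft.Storage", "keyVaultProperties": null}},
  {"name": "stlegacy", "tags": null, "enableHttpsTrafficOnly": true,
   "encryption": {"keySource": "Microsoft.Keyvault", "keyVaultProperties": null}}
]
""")

SERVICE_MANAGED = "service-managed"
CUSTOMER_MANAGED = "customer-managed"


def key_model(account: dict) -> str:
    """Map the account's key source onto the server-side models in the text."""
    source = ((account.get("encryption") or {}).get("keySource") or "").lower()
    return {"microsoft.storage": SERVICE_MANAGED,
            "microsoft.keyvault": CUSTOMER_MANAGED}.get(source, "unknown")


def audit(accounts: list, cmk_required_for=("confidential",)) -> list:
    """Return (account, issue) pairs; an empty list means nothing to fix."""
    findings = []
    for acct in accounts:
        name = acct.get("name", "<unnamed>")
        enc = acct.get("encryption") or {}
        model = key_model(acct)
        label = (acct.get("tags") or {}).get("dataClassification", "").lower()
        if model == "unknown":
            findings.append((name, "key source missing or unrecognised"))
        # Hypothetical policy: sensitive data must use customer-managed keys.
        if label in cmk_required_for and model != CUSTOMER_MANAGED:
            findings.append((name, f"{label} data without customer-managed key"))
        # A customer-managed setting with no vault reference is inconsistent.
        if model == CUSTOMER_MANAGED and not (enc.get("keyVaultProperties") or {}).get("keyVaultUri"):
            findings.append((name, "customer-managed key selected but no Key Vault URI"))
        # Encryption in transit: anything but an explicit true is a finding.
        if acct.get("enableHttpsTrafficOnly") is not True:
            findings.append((name, "plain HTTP allowed (secure transfer not required)"))
    return findings


if __name__ == "__main__":
    for account_name, issue in audit(SAMPLE_ACCOUNTS):
        print(f"{account_name}: {issue}")
```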

Conclusions

Protecting data stored in Azure through encryption is seen as very important by those who decide to rely on cloud services. Knowing that all Azure services provide encryption at rest options, and that encryption is enabled by default for the basic services, is certainly very comforting. Some services also support customer control of the encryption keys and client-side encryption, providing a greater level of control and flexibility. Microsoft is constantly improving its services to ensure greater control of the encryption at rest options and aims to enable encryption at rest as the default for all customer data.

Azure IaaS and Azure Stack: announcements and updates (December 2019 – Weeks: 49 and 50)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, made official by Microsoft in the last two weeks.

Azure

Azure Dedicated Hosts now generally available

Azure Dedicated Host provides a single-tenant physical server to host your Azure virtual machines for Windows and Linux. The server capacity is not shared with other customers. As a result, you can run general purpose, memory intensive or compute intensive workloads in a hardware-isolated and virtualized server environment dedicated to your organization. With Azure Dedicated Host, you can address specific compliance requirements while increasing visibility and control over your underlying infrastructure.

General Availability of Proximity Placement Groups

Azure proximity placement groups, now in General Availability, enable customers to achieve co-location of Azure Infrastructure as a Service (IaaS) resources with low network latency.

Azure Spot VMs in Preview

Azure Spot VMs let you access unused Azure compute capacity at deep discounts compared to pay-as-you-go VM prices. Spot VMs are ideal for workloads that can be interrupted, providing scalability while reducing costs. You get unique Azure pricing and benefits when running Windows Server workloads on Spot VMs.
You can take advantage of Spot VM pricing for Azure VMs or VM scale sets (VMSS). Select the right deployment model based on your preferences and the characteristics of your application. Like their low-priority VMs predecessors, Spot VMs are engineered to run workloads that don’t need to be completed within a specific timeframe.

New bot protection rule in preview for Web Application Firewall with Azure Front Door service

A new bot protection ruleset is in preview for Azure Web Application Firewall with Azure Front Door service. Adding to this updated ruleset are three bot categories: good, bad, and unknown. There are multiple bot groups within each category. Bot signatures are managed and dynamically updated by Web Application Firewall service. The default action for bad bot groups is set to Block, for the verified search engine crawlers group it’s set to Allow, and for the unknown bot category it’s set to Log. Customers may overwrite the default action with Allow, Block, Log, or Redirect for any type of bot groups. 

Maintenance control for platform updates in preview

The preview of a maintenance control feature for Azure Virtual Machines gives more control to customers with highly sensitive workloads for platform maintenance, running on an Azure Dedicated Host or an Isolated VM, where the underlying physical server runs a single customer’s workload. This feature is not supported for VMs deployed in hosts shared with other customers. Using this feature, customers can control all impactful host updates, including rebootless updates, for up to 35 days.

Azure Private Link support in AKS is in preview

AKS now supports Azure Private Link in public preview. With Azure Private Link in AKS, customers can interact with the Kubernetes API server as a private endpoint in their virtual network, ensuring that all Kubernetes management operations remain completely isolated. Because Private Link provides private connectivity from the customer’s virtual network to the Azure-managed Kubernetes control plane, customers can still get all the benefits of AKS but in an even more secure configuration.

Application Gateway Ingress Controller for Azure Kubernetes Service

A new solution is available to bind Azure Kubernetes Service (AKS) and Application Gateway. It provides an open source Application Gateway Ingress Controller (AGIC) for Kubernetes, which makes it possible for AKS customers to leverage Application Gateway to expose their cloud software to the Internet. Bringing together the benefits of the Azure Kubernetes Service, our managed Kubernetes service, which makes it easy to operate advanced Kubernetes environments, and Azure Application Gateway, our native, scalable, and highly available L7 load balancer, has been highly requested by our customers.

HC-Series VMs are now available in South Central US

HC-Series High Performance Computing VMs are now available in South Central US.

Azure Cost Management updates

New updates to Azure Cost Management help you manage costs for cloud solution provider (CSP) subscriptions, build better dashboards by customizing tile names, save money with Azure reservations for 16 different services, along with additional enhancements.

Azure Migrate: Agentless dependency analysis is now available in preview

Azure Migrate now supports agentless dependency analysis in a limited preview. The dependency data is discovered remotely by the Azure Migrate appliance without the installation of any agent or script on virtual machines. This feature is currently available only for VMware servers.

Microsoft plans to establish new cloud datacenter region in Qatar

Microsoft recently announced plans to establish a new cloud datacenter region in Qatar to deliver its intelligent, trusted cloud services and expand the Microsoft global cloud infrastructure to 55 cloud regions in 20 countries. The new region is anticipated to be available starting with Microsoft Azure in 2021, and Office 365, Dynamics 365 and Power Platform to follow.

Azure File Sync agent v9.1

Improvements and issues that are fixed:

  • Self-service restore support: users can now restore their files by using the previous version feature. Prior to the v9 release, the previous version feature was not supported on volumes that had cloud tiering enabled. This feature must be enabled for each volume separately, on which an endpoint with cloud tiering enabled exists. 
  • Support for larger file share sizes: Azure File Sync now supports up to 64TiB and 100 million files in a single, syncing namespace.
  • Data Deduplication support on Server 2019: Data Deduplication is now supported with cloud tiering enabled on Windows Server 2019. To support Data Deduplication on volumes with cloud tiering, Windows update KB4520062 must be installed.
  • Improved minimum file size for a file to tier: The minimum file size for a file to tier is now based on the file system cluster size (double the file system cluster size). For example, by default, the NTFS file system cluster size is 4KB, the resulting minimum file size for a file to tier is 8KB.
  • Network connectivity test cmdlet: As part of Azure File Sync configuration, multiple service endpoints must be contacted. They each have their own DNS name that needs to be accessible to the server. These URLs are also specific to the region a server is registered to. Once a server is registered, the connectivity test cmdlet (PowerShell and Server Registration Utility) can be used to test communications with all URLs specific to this server. This cmdlet can help troubleshoot when incomplete communication prevents the server from fully working with Azure File Sync and it can be used to fine tune proxy and firewall configurations.
    • To run the network connectivity test, run the following PowerShell commands:
      • Import-Module "<SyncAgentInstallPath>\StorageSync.Management.ServerCmdlets.dll"
      • Test-StorageSyncNetworkConnectivity
  • Remove server endpoint improvement when cloud tiering is enabled: As before, removing a server endpoint does not result in removing files in the Azure file share. However, behavior for reparse points on the local server has changed. Reparse points (pointers to files that are not local on the server) are now deleted when removing a server endpoint. The fully cached files will remain on the server. This improvement was made to prevent orphaned tiered files when removing a server endpoint. If the server endpoint is recreated, the reparse points for the tiered files will be recreated on the server.
  • Performance and reliability improvements
    • Reduced recall failures. Recall size is now automatically adjusted based on network bandwidth.
    • Improved download performance when adding a new server to a sync group.
    • Reduced files not syncing due to constraint conflicts.

Installation instructions are documented in KB4522360.

Azure Stack

Microsoft has validated the Lenovo ThinkSystem SE350 edge server for Azure Stack HCI

Microsoft and Lenovo have teamed up to validate the Lenovo ThinkSystem SE350 for Microsoft’s Azure Stack HCI program. The ThinkSystem SE350 was designed and built with the unique requirements of edge servers in mind. It is versatile enough to stretch the limitations of server locations, providing a variety of connectivity and security options and can be easily managed with Lenovo XClarity Controller. The ThinkSystem SE350 solution has a focus on smart connectivity, business security, and manageability for the harsh environment.

Azure Networking: managing micro-perimeters with Azure Firewall Manager

Microsoft's public cloud introduces the new management service Azure Firewall Manager that allows you to centrally manage security policies and routing rules. With this solution, you can better govern the security perimeters of your cloud environments and help you protect your business ecosystem. This article lists the key features of the new service, highlighting the benefits that can be gained by using it.

The security model that Forrester Research analysts define as Zero Trust, in contrast with conventional models based on perimeter security, directs us to adopt an approach based on micro-segmentation and on the definition of granular perimeters within the network architecture. To facilitate this approach, Microsoft has released this tool which, by providing a single centralized control panel, simplifies the configuration and management of network security policies, which often need to be deployed across multiple Azure Firewall instances.

Azure Firewall Manager at the moment is integrated with Azure Virtual WAN, the service that allows you to implement network architectures that are managed according to the hub and spoke model. Azure Firewall can now be enabled in Virtual WAN Hub networks, and when security and routing policies are associated by Azure Firewall Manager the Hub network is defined as a Secured Virtual Hub.

Figure 1 – Overview of Azure Firewall Manager

By adopting Azure Firewall Manager you can get the following benefits:

  • Centralized configurations and deployments: deploying and configuring multiple instances of Azure Firewall, in Virtual WAN Hub networks, can be done centrally. These Azure Firewall instances can reside in different Azure regions and on different subscriptions. Furthermore, you can organize a hierarchy of DevOps-optimized Azure Firewall policies, where global firewall policies are managed by central IT and local firewall policies are delegated to DevOps to promote better agility in processes.
  • Automated routing: traffic can easily be routed in a centralized manner from the spoke networks to the Secure Virtual Hub, all without having to manipulate the User Defined Routes of spoke networks.
  • Integration with third-party Security as a Service (SECaaS) partners: to further enhance the security features, it can be integrated with SECaaS partners, today Zscaler and iBoss, and soon also CheckPoint.

Figure 2 – Central security and route policy management

In detail the steps to adopt the solution are as follows:

  1. Creating the hub-and-spoke network architecture, using the Azure Virtual WAN service and activating an Azure Firewall instance in the Hub network. This can be done in two separate ways:
    1. Creating a new Secured Virtual Hub with Azure Firewall Manager and adding virtual network connections;
    2. Transforming an existing Virtual WAN Hub by activating the Azure Firewall service on the Hub network.

Figure 3 – Start the process using Azure Firewall Manager

  2. Selecting security providers (optional). This can be done either during the process of creating a Secure Virtual Hub or during the conversion of a Virtual WAN Hub into a Secure Virtual Hub.

Figure 4 – Choosing the Trusted Security Partner

  3. Creating a firewall policy and associating it with the Network Hub. This is only possible for Azure Firewall Policies, while for Security as a Service (SECaaS) policies provided by partners, you need to use their management tools.
  4. Configuring routing settings on the Secured Hub to attract the traffic of the spoke networks and have it filtered according to the defined policies.

At the moment Azure Firewall Manager is supported only for managing Hub and Spoke architectures created through the Azure Virtual WAN service. Support for managing Azure Firewall instances enabled in Virtual Networks is expected in the first half of next year.

Conclusions

Azure Firewall Manager is a very useful tool for managing complex environments composed of different network architectures that adopt the Hub and Spoke model over Azure Virtual WAN. Although this additional management service is still in its early days and is destined to be enriched soon with new features, it is essential for managing the Azure network architecture more easily and effectively. At the moment the service is in Public Preview, so no SLAs (Service-Level Agreements) are guaranteed and it should not be used in production environments.

Azure IaaS and Azure Stack: announcements and updates (December 2019 – Weeks: 47 and 48)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Microsoft cloud in Norway opens with availability of Microsoft Azure

Microsoft announces the availability of Microsoft Azure from the new cloud datacenter regions in Norway, marking a major milestone as the first global cloud provider to deliver enterprise-grade services in country. The new cloud regions in Norway are targeted to expand in 2020 with Office 365, one of the world’s leading cloud-based productivity solutions, and Dynamics 365 and Power Platform, the next generation of intelligent business applications and tools.

Azure Migrate now supports assessment of physical servers

Support to assess physical servers is now available in Azure preview, in addition to existing support for VMware and Hyper-V servers. The appliance for physical servers can be installed on an existing Windows server. This feature can be used to assess virtual machines where there is no access to the hypervisor, as well as virtual machines on any cloud.

Azure Migrate: assessment of imported servers is supported in preview

Azure Migrate now supports the assessment of server inventories imported using a CSV file. Import the servers into Azure Migrate server assessment by adding server details in a CSV file as per the available template; deploying an appliance isn’t required. This is useful if you’re looking for a quick assessment using CMDB inventory or if you’re waiting for approvals to deploy the Azure Migrate appliance. Performance-based assessments can be run as well by specifying utilization values in the CSV.

Azure DevTest Labs: Azure managed identities to deploy lab environments

As a lab owner, you can now use a user assigned managed identity to deploy environments in a lab. This feature is helpful in scenarios where the environment contains or has references to Azure resources such as key vaults, shared image galleries, and networks that are external to the environment’s resource group. It enables creation of sandbox environments that aren’t limited to the resource group of that environment only.

Azure DevTest Labs: New Dashboard with Cost Estimator

Azure Lab Services added a dashboard view enabling instructors to view the summary of the lab. On the dashboard, you will be able to see a cost estimate for the lab based on the size of the virtual machine picked, number of students, quota hours and scheduled hours.

HPC Specialized VMs (GPU) – NVv4-Series in preview

NVv4 offers unprecedented GPU resourcing flexibility, giving customers more choice than ever before. Customers can select from VMs with a whole GPU all the way down to 1/8th of a GPU. This makes entry-level and low-intensity GPU workloads more cost-effective than ever before, while still giving customers the option to scale up to powerful full-GPU processing power. NVv4 Virtual Machines support up to 32 vCPUs, 112GB of RAM, and 16 GB of GPU memory.

Kubernetes cluster health with Azure Monitor for containers

Azure Monitor for containers can now monitor and report health status of Kubernetes cluster infrastructure components and all nodes running on any Kubernetes cluster.

Azure private endpoint support for Azure Cosmos DB in preview

Azure private endpoint for Azure Cosmos DB is a network interface that connects you privately and securely to a service powered by Azure Private Link. Private Endpoint uses a private IP address from your virtual network, effectively bringing the service into your virtual network.

Azure management services and System Center: What's New in November 2019

In November, thanks in part to the Microsoft Ignite 2019 conference, Microsoft unveiled a number of new features regarding Azure management services and System Center. Our community, through these articles that are released on a monthly basis, wants to provide an overview of the main news of the month, in order to stay up to date on these topics and have the necessary references for further information.

Azure Log Analytics

New version of the agent for Linux systems

This month, the new version of the Log Analytics agent for Linux systems introduces improvements regarding the installation process, performance and the resolution of issues in the use of custom logs. For more information about this, you can access the official GitHub page.

Azure Site Recovery

New Update Rollup

Update Rollup 42 was released for Azure Site Recovery; it solves several issues and introduces some improvements. The details and the procedure to follow for the installation can be found in the specific KB.

Improvements in resource clean-up

In Azure Site Recovery, for the scenario of replicating VMs between different Azure regions, improvements were introduced regarding the clean-up of the virtual machines and the related deallocated NICs (failed back) when the primary site is restored as a result of a failback process. This makes the operations needed to re-enable protection easier. Furthermore, if you disable replication after a failback, Site Recovery also cleans up disks in the secondary region, as well as the VMs and their NICs.

Azure Backup

New features to protect SQL Server

In Azure Backup, the following new features regarding SQL Server protection were made available:

  • Native protection of SQL Server 2019 on Windows Server 2019 virtual machines in Azure.
  • Protection of SQL Server 2008 and 2008 R2 for systems migrated to Azure.
  • Ability to perform a “Restore as Files”, which enables you to recover protected data as .bak files. This feature allows you to move files anywhere (different subscriptions, regions and on-premises), introducing more flexibility in performing restore operations.

SAP HANA backup

In Azure Backup, SAP HANA DB protection on virtual machines is available in the UK South region, all in an integrated way and without having to provide a specific backup infrastructure. This solution is officially BackInt certified by SAP.

System Center Updates Publisher

New version

A new version of System Center Updates Publisher (SCUP) has been released and is available at this link.

Microsoft Endpoint Manager

New brand for Configuration Manager

Microsoft Endpoint Manager is the name assigned to the Microsoft solution for the integrated management of all devices. Microsoft has decided to unify Configuration Manager and Intune, without having to deal with complex migrations and simplifying licensing. With this approach, Microsoft helps you take advantage of your investments in Configuration Manager and take advantage of the benefits and capabilities of the Microsoft cloud.

The Microsoft Endpoint Manager brand includes the following Microsoft management solutions:

New version for Configuration Manager Technical Preview Branch

Update 1911 (Technical Preview Branch) was released for Configuration Manager; among its main innovations, it makes official that Configuration Manager is now part of Microsoft Endpoint Manager.

To verify the details about what's new in this update you can see this document.

Please note that the Technical Preview Branch releases help you to evaluate new features of SCCM and it is recommended to apply these updates only in test environments.

Desktop Analytics is now available

The Desktop Analytics solution is publicly available. It is a tool that can provide useful information and the automations necessary to keep Windows machines up to date. The possible integration of Desktop Analytics with System Center Configuration Manager adds the value given by the cloud solution to the local infrastructure.

Evaluation of Azure and System Center

To test for free and evaluate the services provided by Azure you can access this page, while to try the various System Center components you must access the Evaluation Center and, after registering, you can start the trial period.

Azure IaaS and Azure Stack: announcements and updates (November 2019 – Weeks: 45 and 46)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

In this dedicated post you can find the most important announcements and major updates officialized last week during Microsoft Ignite 2019 conference.

Azure

Save more on Azure usage: reservations for six more services

With reserved capacity, you get significant discounts over your on-demand costs by committing to long-term usage of a service. Microsoft is pleased to share reserved capacity offerings for the following additional services:

  • Blob Storage (GPv2) and Azure Data Lake Storage (Gen2).
  • Azure Database for MySQL.
  • Azure Database for PostgreSQL.
  • Azure Database for MariaDB.
  • Azure Data Explorer.
  • Premium SSD Managed Disks.

With the addition of these services, Microsoft supports reservations for 16 services, giving you more options to save and get better cost predictability across more workloads.

Azure Key Vault Virtual Machine extension generally available

The Azure Key Vault Virtual Machine extension makes it easier for apps running on virtual machines to use certificates from a key vault, by abstracting the common tasks as well as best practices.

Azure Disk Encryption

Azure Disk Encryption enables you to encrypt your Azure Virtual Machine disks with your keys safeguarded in Azure Key Vault. Previously this capability was available through PowerShell and CLI; now it is also available in the Azure portal, which makes it very easy to use. Microsoft has also added support for the latest versions of the common Linux distros on Azure, including Red Hat Enterprise Linux 7.6 and 7.7 as well as CentOS Linux 7.6 and 7.7.

HB and HC Virtual Machines in additional regions

The HB-series VMs are optimized for HPC applications driven by memory bandwidth, such as fluid dynamics, explicit finite element analysis, and weather modeling. The HB-Series VM is now available in East US. HC-series VMs are optimized for HPC applications driven by intensive computation, such as implicit finite element analysis, reservoir simulation, and computational chemistry. The HC-Series VM is now available in Japan East.