Category Archives: Microsoft Azure

Azure IaaS and Azure Stack: announcements and updates (November 2019 – Weeks: 45 and 46)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

In this dedicated post you can find the most important announcements and major updates officialized last week during Microsoft Ignite 2019 conference.

Azure

Save more on Azure usage: reservations for six more services

With reserved capacity, you get significant discounts over your on-demand costs by committing to long-term usage of a service. Microsoft is pleased to share reserved capacity offerings for the following additional services:

  • Blob Storage (GPv2) and Azure Data Lake Storage (Gen2).
  • Azure Database for MySQL.
  • Azure Database for PostgreSQL.
  • Azure Database for MariaDB.
  • Azure Data Explorer.
  • Premium SSD Managed Disks.

With the addition of these services, Microsoft supports reservations for 16 services, giving you more options to save and get better cost predictability across more workloads.

Azure Key Vault Virtual Machine extension generally available

The Azure Key Vault Virtual Machine extension makes it easier for apps running on virtual machines to use certificates from a key vault, by abstracting the common tasks as well as best practices.

Azure Disk Encryption

Azure Disk Encryption enables you to encrypt your Azure Virtual Machine disks with your keys safeguarded in Azure Key Vault. Previously this capability was available through PowerShell and CLI, now this capability is also available in the Azure portal, which makes it very easy to use. Microsoft has also added support for the latest versions of the common Linux distros on Azure, including Red Hat Enterprise Linux 7.6 and 7.7 as well as CentOS Linux 7.6 and 7.7.

HB and HC Virtual Machines in additional regions

The HB-series VMs are optimized for HPC applications driven by memory bandwidth, such as fluid dynamics, explicit finite element analysis, and weather modeling. The HB-Series VM is now available in East US. HC-series VMs are optimized for HPC applications driven by intensive computation, such as implicit finite element analysis, reservoir simulation, and computational chemistry. The HC-Series VM is now available in Japan East. 

Azure Monitor: the news about network monitoring in Azure

Monitor Azure is a cloud-based solution that can collect different types of telemetry data, analyze them and take certain actions. Among the various features provides the ability to monitor the health of the networking, connectivity to applications and is able to provide detailed information on network performance. All this not only for cloud environments, but even in the presence of hybrid architectures. This article shows important changes that were recently announced by Microsoft to make the solution even more comprehensive.

Before focusing on the new features that have been introduced it is good to specify that Azure Monitor includes different specific solutions to monitor the Azure networking, including Network Performance Monitor (NPM), The suite includes the following features:

In addition to the tools included in the Network Performance Monitor (NPM) you can use Traffic Analytics, allowing you to have an overall visibility on network activities that are undertaken in the cloud environment. How this solution works is based on the principle that in Azure, to allow or deny network communication to Azure Virtual Networks-connected resources (vNet), it uses the Network Security Group (NSG), containing a list of access rules. The NSGs are applied to network interfaces connected to the virtual machines, or directly to the subnet (recommended). The platform uses NSG flow logs to maintain the visibility of inbound and outbound network traffic from the Network Security Group. Traffic Analytics is based on the analysis ofNSG flow logs and after an appropriate aggregation of data, inserting the necessary intelligence concerning security, topology and geographic map, can provide detailed information about the network traffic of your Azure cloud environment. The news that interests Traffic Analytics is that you can now process this data more frequently, at time intervals each time 10 minutes, against the 60 minutes previously possible.

Figure 1 – Traffic Analytics Processing Frequency

Azure Monitor for Networks

For greater visibility into network activities in the cloud Microsoft released Azure Monitor for Networks that introduces a useful visual view on the health of all network resources in your environment, enriched by their metrics. Everything is available without the need to make any specific configuration.

Figure 2 – Overview of Azure Monitor for Networks

In the top pane, you can set up search parameters to quickly identify the resources of interest, while on the right there is a panel showing any critical alerts.

Selecting individual components gives you more detail.

Figure 3 – VPN connection status details

In particular, currently only for Application Gateways, a very useful view of the Dependency, which helps you pinpoint component configuration and track error conditions more quickly. This representation shows the relationships between the front-end IPs, the listeners, the rules and the backend pool of Application Gateway. Colors make it easy to identify problematic health states on resources.

The view also lists key metrics for Application Gateways.

Figure 4 – List of Application Gateways

Figure 5 - Dependency view of a specific Application Gateway

The graph also allows easy access to the various component configurations. In order to identify connectivity issues and start troubleshooting operations, you have the option, right-clicking on the single virtual machine, of access directly to VM Insight and to Connection troubleshoot.

Figure 6 – Access resources to do machine troubleshooting

Conclusions

The new solution Network Insights present in Azure Monitor allows you to have a comprehensive view of network resources in a simple and intuitive way. The solution is particularly useful in the presence of complex environments and the console of Dependency view is a help also to document the implementations of the Application Gateway. It is currently a feature in preview and as such will surely be enriched in the short term with further news, allowing you to have a more complete and intuitive monitor of the network architecture in Azure.

Azure IaaS and Azure Stack: announcements and updates (Microsoft Ignite 2019 – Special Edition)

This special edition includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft this week during Microsoft Ignite 2019 conference. Microsoft announced several important additions to its Azure infrastructure as a service (IaaS) portfolio and the Microsoft infrastructure services continue to evolve to optimize the experience of running business-critical workloads.

Azure

Azure Arc: Extended Azure management and security to any infrastructure

Azure Arc enables Azure services anywhere and extends Azure management to any infrastructure for unified management, governance and control across clouds, datacenters and edge. They look and feel just like Azure resources, and they provide unified auditing, compliance, and role based access control across multiple environments and at scale.
As a result, customers can modernize any infrastructure with cloud management and security protection. With cloud practices that work anywhere, Microsoft is delivering these resources, from cloud to datacenter to edge, and enabling cloud security anywhere.
With Azure Arc, customers can now take advantage of Azure’s robust cloud management experience for their own servers (Linux and Windows Server) and Kubernetes clusters by extending Azure management across environments.
Customers can seamlessly inventory, organize, and govern their own resources at scale through a consistent and unified experience through the Azure Portal.

Virtual Machines

Azure generation 2 virtual machines generally available

Generation 2 virtual machines are now generally available on Azure. Generation 2 VMs provide support for Intel Software Guard Extensions (Intel SGX), UEFI boot architecture, and the ability to provision large VMs (up to 12TB) and OS Disks sizes that exceed 2TB. 

Proximity placement groups generally available

A proximity placement group is a logical grouping capability for Azure Virtual Machines that you can use to decrease the network latency between a set of virtual machines. When you assign your virtual machines to a proximity placement group, their placement is optimized to deliver lower latency for your latency-sensitive workloads. Now this feature is generally available in most Azure regions.

Azure VMware Solutions available in West Europe

Azure VMware Solutions are available in the West Europe Azure region. Azure VMware Solutions delivers the ability to run your VMware environment natively on Azure. This gives you the option to leverage your existing VMware skills and investments while taking full advantage of the scale and automation Azure offers. Azure VMware Solutions is now supported in East US, West US, and West Europe regions.

Azure Spot VMs

Azure Spot Virtual Machines, give you access to unused Azure compute capacity at deep discounts, will be available soon (we expect to preview this by early 2020). Spot Virtual Machines will be ideal for workloads that can be interrupted, providing scalability while reducing costs. You will be able to take advantage of Spot Virtual Machine pricing for Azure Virtual Machines or Virtual Machine Scale Sets (VMSS) to deploy opportunistic workloads of all sizes.

New virtual machine scale sets capabilities in preview

New virtual machine scale sets features simplify the management of virtual machines while improving their runtime and performance capabilities.

Vulnerability assessment in Azure Security Center

Applications that are installed in virtual machines could often have vulnerabilities that could lead to a breach of the virtual machine. Microsoft announced that the Security Center Standard tier includes built-in vulnerability assessment for virtual machines for no additional fee.

Advanced data security for SQL servers on Azure Virtual Machines

Azure Security Center’s support for threat protection and vulnerability assessment for SQL DBs running on IaaS virtual machines (VMs) is in preview.

New Azure Dav4-series and Eav4-series virtual machines

New Azure Dav4-series and Eav4-series virtual machines (VMs) based on AMD EPYC™ are available. They are ideal for general purpose (Dav4-series) and memory intensive workloads (Eav4-series).

New NVv4 series Azure Virtual Machines in preview

NVv4 (currently in preview) offers, for Windows Virtual Desktops and high-performance computing (HPC) workloads, enhanced GPU resourcing flexibility, giving customers more choice by offering partitioned GPUs built using industry-standard SR-IOV technology. Customers can select the right size of GPU Virtual Machines with as little as 2GB of dedicated GPU frame buffer for an entry-level desktop in the cloud, and up to the whole GPU with 16GB of frame buffer to provide powerful engineering workstations.

Updated NDv2 Azure Virtual Machines preview

The NDv2-series Virtual Machines, currently in preview, are the latest, fastest, and most powerful addition to the GPU family, specifically designed for the cutting edge demands of distributed HPC, AI, and machine learning workloads.

HBv2 Azure Virtual Machines for HPC workloads coming soon

HBv2 VMs are designed to deliver supercomputer-class performance, message passing interface (MPI) scalability, and cost efficiency for a variety of real-world HPC workloads. HBv2 Virtual Machines support up to 80,000 cores for single MPI jobs to deliver performance that rivals some of the world’s largest and most powerful bare metal supercomputers.

Networking

Azure Bastion is generally available

Microsoft announced the general availability (GA) of Azure Bastion, a fully managed platform as a service (PaaS) service that provides more secure and seamless RDP and SSH access to virtual machines directly through the Azure portal.

Azure Firewall Manager is now in preview

Azure Firewall Manager Preview is a security management service that provides central security policy and route management for cloud-based security perimeters. It works with Azure Virtual WAN Hub, a Microsoft-managed resource that lets you easily create hub and spoke architectures. When security and routing policies are associated with such a hub, it is referred to as a Secured Virtual Hub.

Native Azure Active Directory authentication support in point-to-site VPN

Native Azure Active Directory (Azure AD) authentication support for OpenVPN protocol, and Azure VPN Client for Windows are now available. Native Azure AD authentication support was widely requested by enterprise customers because Azure AD integration enables user-based policies, conditional access, and multi-factor authentication (MFA) for P2S VPN. Native Azure AD authentication requires both Azure VPN gateway integration and a new Azure VPN Client to obtain and validate an Azure AD token.

Azure Private Link is now available in all regions

Azure Private Link, which provides private connectivity to Azure services, is now available in all regions.

Azure Peering Service in managed preview

Azure Peering Service is a partnership with service providers to provide highly reliable and optimized internet connectivity to Microsoft services. It also provides internet latency telemetry and route monitoring with alerting against hijacks, leaks, and any other BGP mal configurations.  Azure Peering Service is targeting customers with an internet-first network strategy for accessing Azure and SaaS services such as Office 365. Through partnering with internet service providers, customers are able to take advantage of optimized routing of their internet traffic to the Microsoft cloud.

Enhancements to Azure Virtual WAN

Significant enhancements include the preview of hub-to-hub and any-to-any connectivity. Virtual WAN users can connect multiple hubs for full mesh connectivity to further simplify their network architecture. Additionally, ExpressRoute and Point to Site are now Generally Available with Virtual WAN.

IPv6 for Azure Virtual Network is generally available

IPv6 support within the virtual network and to the internet enables you to expand into the growing mobile and IoT markets with Azure-based applications and to address IPv4 depletion in your own corporate networks.

Azure ExpressRoute for satellites is available

ExpressRoute, with one of the largest networking ecosystems in the public cloud, now includes satellite connectivity partners, bringing new options and coverage.

Storage

Azure Data Share is available

Azure Data Share enables organizations to easily and securely share data with other organizations to expand analytics datasets for enhanced insights.

Azure Stack

Azure Stack, the extension of Azure that brings the innovation of cloud computing to build and deploy hybrid applications anywhere, is being renamed “Azure Stack Hub“. Also, Azure Data Box Edge, the Microsoft data-transfer devices, is being renamed as “Azure Stack Edge“.

So, Azure Stack will expand to include a portfolio of products consisting of:

  • Azure Stack HCI
  • Azure Stack Hub (previously Azure Stack)
  • Azure Stack Edge (previously Azure Data Box Edge):
    • It is an Azure managed appliance that brings the compute, storage, and intelligence of Azure to the edge.
    • It is a first party Microsoft appliance, delivered to customers’ sites to run Azure services with no upfront costs (you pay monthly in your Azure bill).
    • Customers can use the Azure portal to order and provision Azure Stack Edge; Azure management tools are used for monitoring and running updates.

Azure Stack Hub

Microsoft is sharing some new updates for Azure Stack Hub roadmap, including N-Series virtual machines enabled by NVIDIA V100 GPUs. It’s also announcing the general availability of Kubernetes on Azure Stack Hub. You can now easily provision Kubernetes clusters on Azure Stack Hub using Azure Kubernetes Service (AKS) engine to automate the creation, update, and scaling of Kubernetes clusters. In the first half of 2020, Event Hubs and Azure Stream Analytics will also be available for public preview.

Azure Stack Edge

Azure Stack Edge will soon support new compute and AI capabilities including virtual machines, Kubernetes clusters, NVIDIA GPU support and high-availability support. With these capabilities, Azure Stack Edge is quickly evolving to the forefront of edge computing in the market. Microsoft is also enabling private cellular networks as a service by adding the tech preview of multi-access edge compute (MEC) on Azure Stack Edge.

Azure Stack portfolio and Azure Arc

Azure Arc and Azure Stack portfolio are complementary, so you can combine the benefits of Azure Arc with Azure Stack portfolio, where Azure Arc can manage virtual machines, containers, and run Azure Data Services on Azure Stack portfolio of validated and integrated systems while leveraging the compute and cloud capabilities of Azure Stack.

Conclusions

The most important announcement from Microsoft Ignite 2019 for me is Azure Arc, the Microsoft’s new approach to hybrid. Enterprises rely on a hybrid technology approach to take advantage of their on-premises investment and, at the same time, utilize cloud innovation. As more business operations and applications expand to include edge devices and multiple clouds, hybrid capabilities must enable apps to run seamlessly across on-premises, multi-cloud, and edge devices, while providing consistent management and security across all distributed locations. Hybrid cloud capabilities in Microsoft is evolving to enable innovation anywhere, while providing a seamless development, deployment and ongoing management experience.

Azure IaaS and Azure Stack: announcements and updates (November 2019 – Weeks: 43 and 44)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

New Cost Management features

Here are the Cost Management features that are generally available as of October 2019.

Azure Mv2-series VMs with 12TB memory now GA in new regions

Azure Mv2-series Virtual Machines with 12TB memory are generally available for the US West 2, US East, US East 2, Southeast Asia, EU West and EU North regions. Azure Mv2-series virtual machines are hyper-threaded and feature Intel® Xeon® Platinum 8180M 2.5GHz (Skylake) processors, offering up to 416 vCPU in 3TB, 6 TB and 12 TB memory configurations. This is by far the largest-memory virtual machine offered on Azure. Mv2-series virtual machines provide unparalleled computational performance to support large in-memory databases and workloads such as SAP HANA and SQL Hekaton.

Azure Monitor’s Service Map is available in new regions

The Service Map feature of Azure Monitor is now available in South Central US, West US, Central US, North Central US, East Asia, and Central India.  Around the world is it available in eighteen public regions. Service map automatically discovers application components on Windows and Linux systems and maps the communication between services. With service map, you can view your servers in the way that you think of them—as interconnected systems that deliver critical services. Service map shows connections between servers, processes, inbound and outbound connection latency, and ports across any TCP-connected architecture, with no configuration required other than the installation of an agent.

Server-side encryption with customer-managed keys for Azure Managed Disks (preview)

The preview for server-side encryption (SSE) with customer-managed keys (CMK) for Azure Managed Disks is available. Azure customers already benefit from server-side encryption with platform managed keys (PMK) for Azure Managed Disks enabled by default. Customers also benefit from Azure disk encryption (ADE) that leverages the BitLocker feature of Windows and the DM-Crypt feature of Linux to encrypt Managed Disks with customer managed keys within the guest virtual machine. Server-side encryption with customer-managed keys improves on platform managed keys by giving you control of the encryption keys to meet your compliance needs. It improves on Azure disk encryption by enabling you to use any OS types and images for your virtual machines by encrypting data in the storage service. Server-side encryption with customer-managed keys is integrated with Azure Key Vault (AKV) that provides highly available and scalable, secure storage for RSA cryptographic keys backed by hardware security modules (HSMs). You can either import your RSA keys to Azure Key Vault or generate new RSA keys in Azure Key Vault.

Azure File Sync is available in new regions

Azure File Sync is available in South Africa and UAE regions. To get the latest list of supported regions, see this document.

Azure File Sync agent v8 release

Azure File Sync is now on Microsoft Update and Microsoft Download Center. Improvements and issues that are fixed:

  • Restore performance improvements
    • Faster recovery times for recovery done through Azure Backup.Restored files will sync back down to Azure File Sync servers much faster.
  • Improved cloud tiering portal experience
    • If you have tiered files that are failing to recall, you can now view the recall errors in the server endpoint properties. Also, the server endpoint health will now show an error and mitigation steps if the cloud tiering filter driver is not loaded on the server.
  • Simpler agent installation
    • The Az\AzureRM PowerShell module is no longer required to register the server making installation simpler and fast.
  • Miscellaneous performance and reliability improvements

More information about this release:

  • This update is available for Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019 installations that have Azure File Sync agent version 4.0.1.0 or later installed.
  • The agent version of this update rollup is 8.0.0.0.
  • A restart may be required if files are in use during the update rollup installation.
  • Installation instructions are documented in KB4511224.

Azure management services and System Center: What's New in October 2019

In October were announced, by Microsoft, a considerable number of news regarding the Azure management services and System Center. Our community, through these articles that are released on a monthly basis, want to provide an overview of the main news of the month, in order to stay up to date on these arguments and have the necessary references for further information.

Azure Log Analytics

Availability in new regions

Azure Log Analytics is now available in the new regions “Switzerland North”, to allow you to collect log and perform related trend analysis on the use of resources.

New option for the pricing model

For Azure Monitor Log Analytics is available from November 1 2019 a new pricing model, allowing you to pay a fixed fee for data ingestion, based on the capacity of the selected tier. The tier start at 100 GB per day and allow you to get a saving of up to 25%, compared to the Pay-As-You-Go cost.

New version of the agent for Linux systems

This month the new agent version of Log Analytics introduces enhancements for Linux systems in particular concerning the installation process and performance. For more information about this, you can access theGitHub official page.

Retention configurable by data type

Azure Monitor Log Analytics introduces the ability to configure data retention, that is, the retention period of the data, for each type of data, instead of having a single retention setting for the entire workspace. The configuration at the time must be made through ARM commands. This new possibility allows for greater flexibility and savings in retention costs from the collated data from October (release date of this functionality). For more details please visit the Microsoft's official documentation.

Changing the saving of data in Service Map in Log Analytics

Data for Service Map, until now saved in custom log tables ServiceMapComputer_CL and ServiceMapProcess_CL will be moved to specific Log Analytics data types. These new tables will be called VMComputer and VMProcess, Inl.

Azure Site Recovery

New Update Rollup

For Azure Site Recovery was released theUpdate Rollup 41 that solves several issues and introduces some improvements. The details and the procedure to follow for the installation can be found in the specific KB.

Update for Windows servicing stack and SHA-2

For the Azure Site Recovery Mobility agent was issued a specific update required to enable Windows servicing stack and SHA-2 support.

Availability in new regions

Azure Site Recovery is now available in “Norway East” and “Norway West, North Dakota”. To check the availability of the service in all the Azure regions you can consult this document.

Azure Backup

Support for disks up to 32 TB

Support for large Managed disks has been announced for Azure Backup, up to 32 TB. For further information you can consultthis article.

System Center Configuration Manager

New releases for the Technical Preview Branch

For Configuration Manager was released the update 1910 that one of the main innovations is the ability to deploy and manage Microsoft Edge. With this integration, you can also easily manage the deployment of new versions of Microsoft Edge from the beta channel (updated every 6 weeks) and the Dev channel (updated weekly).

To check the details of what's included in these updates, you can see this document.

Please note that the Technical Preview Branch releases help you to evaluate new features of SCCM and it is recommended to apply these updates only in test environments.

Evaluation of Azure and System Center

To test and evaluate free of charge the service offered by Azure you can access this page, while to try out the various components of System Center you must Access to theEvaluation Center and, after registering, you can start the trial period.

How to control the execution of applications using Azure Security Center

Azure Security Center provides several mechanisms to prevent security threats and reduce the attack surfaces of your environment. One of these mechanisms is theAdaptive Application Controls, a solution that can control which applications are running on the systems. Azure Security Center uses the machine learning engine to analyze applications running on virtual machines and leverages artificial intelligence to provide a list of allowed applications. This article lists the benefits that can be achieved by adopting this solution and how to perform the configuration.

Adopting this solution, available using the tier Standard of Azure Security Center, you can do the following:

  • Be alerted to attempts to run malicious applications, that may potentially not be detected by antimalware solutions. For Windows systems on Azure, you can also apply execution locks.
  • Respect corporate compliance, allowing the execution of only licensed software.
  • Avoid using unwanted or obsolete software in your infrastructure.
  • Control access to sensitive data that takes place using specific applications.

Figure 1 – Azure Security Center Free vs Standard Tier

Adaptive application controls can be used on systems regardless of their geographic location. Currently for systems not located in Azure and Linux VMs, only audit mode is supported.

This feature can be activated directly from the portal by accessing the Azure Security Center.

Figure 2 – Adaptive application controls in the "Advanced cloud defense" of Security Center

Security Center uses a proprietary algorithm to automatically create groups of machines with similar characteristics, to help enforce Application Control policies.

From the management interface, the groups are divided into three types:

  • Configured: list groups containing VMs where this feature is configured.
  • Recommended: there are groups of systems where enabling application control is recommended. Security Center uses machine learning mechanisms to identify VMs on which the same applications are always regularly running, and therefore are good candidates to enable application control.
  • Unconfigured: list of groups that contain the VMs for which there are no specific recommendations regarding the application control. For example, VMs that systematically run different applications.

Figure 3 – Types of groups

By clicking on the groups of virtual machines, you will be able to manage the Application control rules, that will allow you to create rules that evaluate the execution of applications.

Figure 4 – Configuring Application control rules

For each individual rule, you select the machines on which to apply it and the applications that you want to allow. For each application, the detail information is provided, in particular, the "Expoitable" column indicates whether it is an application that can potentially be used maliciously to bypass the list of allowed applications. For this type of application, you should pay close attention before allowing.

This configuration, for Windows systems, involves creating specific rules inApplocker, and it govern the execution of applications.

By default, Security Center enables application control in modeAudit, only to control activity on protected virtual machines without applying any locks on application execution. For each individual group, after verifying that the configuration you have made does not result in any malfunctions on the workloads on the systems, you can bring application control to application mode Enforce, as long as they are Windows virtual machines in the Azure environment, to block the execution of applications that are not expressly allowed. You can always change the name of the group from the same interface.

Figure 5 – Change the name and protection mode

At the end of this configuration, you will see, in the main Security Center panel, notifications concerning potential violations in the execution of applications than allowed.

Figure 6 - Violation notifications of applications Securiy Center

Figure 7 – Full list of the violations found

Figure 8 - Sample of violation

Conclusions

The functionality of Adaptive application controls allows with few easy steps to quickly enable a thorough check on the applications that run on systems. The configuration is simple and intuitive, especially thanks to functionality that allows to group the systems that have similar characteristics with regard to the execution of the application. It is therefore an important mechanism that helps prevent potential security threats and to minimize the attack surfaces of the environment. Added to the additional features, Adaptive application controls helps make Security Center a complete solution for the protection of workloads.

Azure IaaS and Azure Stack: announcements and updates (October 2019 – Weeks: 41 and 42)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Azure DNS private zones is now generally available

Azure DNS private zones is now production ready and backed by Azure DNS SLA. Azure DNS private zones provide reliable, secure DNS service to host, resolve and manage domain names from a virtual network without the need to add a custom DNS solution.  Azure DNS private zones enables you to effortlessly tailor your DNS namespace design to best suit your organization’s needs without having to worry about scalability, security and performance issues that arise from operating a custom DNS solution. Unlike public DNS zone, private DNS zones are not accessible over internet. DNS queries made against a private DNS zones can be resolved only from the virtual networks linked to the zone.

Customer Provided Keys with Azure Storage Service Encryption

Microsoft presents enhancement to storage service encryption to support granular encryption settings on storage account with keys hosted in any key store. Customer provided keys (CPK) enables you to store and manage keys in on-premises or key stores other than Azure Key Vault to meet corporate, contractual, and regulatory compliance requirements for data security.

New Azure Active Directory roles to reduce the number of Global administrators

Microsoft introduces 16 new roles in Azure AD designed to help you reduce the number of Global administrators by delegating administration tasks and assigning lower-privileged roles.

New Azure Resource Graph functionality

An update to Azure Resource Graph API now allows you to see further details about the changes to your Azure resources. For each change record, an overall changeType is returned indicating if the overall change to the resource was a Create, Update, or Delete action. When you set the fetchPropertyChanges flag to true in your request, the response body will contain a new section called propertyChanges that contains the list of property changes made, including the property name, the before value, the after value, and the change type for that property change (Insert, Update, or Remove).

Large file shares (100 TiB) for Azure Files standard tier

Microsoft announces the general availability of larger, more powerful files shares (100TiB) for Azure Files on standard tier. Large file shares on standard shares significantly improves customers’ experience on standard shares by increasing not only the capacity limits to 100 TiB (20x increase), but also the performance limits up to 10,000 IOPS (10x increase) and 300 MiB/s (5x increase). Large file shares for standard tier is now live in 13 Azure regions with support to enable large file shares on existing accounts.

SR-IOV availability schedule on NCv3 Virtual Machines SKU

As part of Azure’s ongoing commitment to providing industry-leading performance, Microsoft is enabling support for all MPI types and versions, and RDMA verbs for InfiniBand-equipped virtual machines, beginning with NCv3 coming in early November 2019.

Azure Monitor updates

  • Azure Monitor for VMs is available in South Central US, West US, Central US, North Central US, East Asia, and Central India. It’s available around the world in eighteen public regions.
  • In April 2019 Microsoft added support for Azure Kubernetes Services (AKS) in China regions. As part of this support, multi-cluster view is now available in the table of contents so you can monitor multiple clusters at once. Also, AKS-Engine is now supported for China regions. 
  • Azure Monitor for containers has updated the agent to support pod annotation settings. This supports Prometheus metrics scrapping per namespace configurations via config map. Also supports descriptive error outputs to troubleshoot scrape settings.
  • Grafana dashboard template is now available for out-of-the-box metrics collected by Azure Monitor for containers.

How to address the end of lifecycle for Windows Server 2008\2008 R2

The end of Microsoft support for Windows Server 2008 and Windows Server 2008 R2 is imminent and planned for 14 January 2020. As of this date, Microsoft will no longer release free security updates for these platforms in an on-premises environment. Unfortunately, there are still many systems in production that adopt these operating system versions. This article discusses the approaches you can take to address this situation, avoiding exposing your infrastructure to security issues caused by the unavailability of the necessary updates.

The end of the extended support for these platforms implies that Microsoft, unless certain actions are taken, will no longer release its security updates. Under these conditions the exposure to security attacks is considerable and would result in the state of non-compliance with respect to specific regulations, such as the General Data Protection Regulation (GDPR). This condition, certainly not very pleasant for those who find themselves to face it now, given the limited time, it can also be seen as an important opportunity for renewal and innovation of the infrastructure.

To continue receiving security updates for Windows Server 20082008 R2 hosted on on-premises environment, the only possibility is to join to the program Extended Security Update (ESU). The fee program is only available for customers in Software Assurance and ensures the provision of Security Update classified as "critical" and "important" for a further three years, from 14 January 2020.

If the ESU program is not appropriate to their needs you can be assessed two totally different upgrade paths.

Upgrade on-premises

This path provides for the transition to a new version of Windows Server environment on-premises. The advice in this case is to approach at least Windows Server 2016 and not to proceed, whenever possible, with upgrade in place of the operating system, but to manage migration in side-by-side. This method usually requires the involvement of the application provider, to ensure software compatibility with the new version of the operating system. Since the software is not recent, often it require the adoption of updated versions of the same, which may comprise architecture adjustment and an in-depth phase of testing for the new release . By adopting this upgrade process, the time and effort are considerable, but the result you get is critical to complying with the technological renewal.

Migrating to Azure

Migrating Windows Server Systems 2008 and Windows Server 2008 R2 on-premises in Azure environment will continue to receive security updates for another three years, classified as critical and important, without having to join the ESU program. This scenario is not only useful to ensure compliance with its systems, but it opens the way towards hybrid architectures where you can get the cloud advantages. In this regard, Microsoft offers a great solution that can provide a large set of tools needed to best deal with the most common migration scenarios: Azure Migrate,  that structure the migration process in different phase (discovery, assessment, and migration). This approach may be more immediate than upgrading systems and gives you more time to deal with software renewal. In this regard, the cloud allows you to have excellent flexibility and agility in testing applications in parallel environments. Before starting the migration path towards Azure is fundamental to structure the hybrid networking environment in a timely manner and evaluate the iterations with the other infrastructure components, to see whether the application can also work well in the cloud.

Regardless of the upgrade path you decide to take the advice is to make a detailed assessment, so you can categorize workloads by type, criticality, complexity and risk. In this way it is possible to prioritize, and proceed with a structured migration plan.

Conclusions

For all those who, inside their own datacenter have Windows Server 2008 or Windows Server 2008 R2 is appropriate to manage the condition that Microsoft will not release more security updates, free of charge, exposing systems to potential security issues. At the same time there are various possibilities offered by Microsoft to address this situation in the best possible ways. The migration path to Azure is definitely a very interesting option to start the journey to expand your datacenter into the Microsoft public cloud.

Azure Networking: the new way to privately access services in Azure

The need to be able to access data and services in Azure in a totally private and secure way, in particular from on-premises environment, it's definitely very much felt and more and more widespread. For this reason, Microsoft has announced the availability of Azure Private Link, this simplifies the network architecture by establishing a private connection to services in Azure, without the need for exposure to Internet. This article describes the characteristics of this type of connectivity and how you can enable it.

Thanks to Azure Private Link you can bring Azure services to a virtual network and map them with a private endpoint. In this way, all traffic is routed through the private endpoint, keeping it on the Microsoft global network. The data does not pass ever on the Internet, this reduces exposure to threats and helps to meet the compliance standards.

Figure 1 - Overview of Azure Private Link

The concept that underlies Azure Private Link is already partly known under the Azure networking and invokes the Virtual Network Service Endpoints. Before the introduction of Azure Private Link the only available way to increase the level of security when accessing Azure services, such as Azure Storage and SQL Azure Database, was given by the VNet Service Endpoints. The difference is substantial, as using VNet Service Endpoints traffic remains in the Microsoft backbone network, allowing access to PaaS resources only from its own VNet, but the PaaS endpoint is still accessed via the public IP of the service. Consequently, the operating principle of the VNet Service Endpoints does not extend to on-premises world even in the presence of connectivity with Azure (VPN or ExpressRoute). In fact,, to provide access from on-premises systems you must continue to use the firewall rules to limit the connectivity only to your public IP.

Thanks to Azure Private Link you can instead access the PaaS resources via a private IP address of your VNet, which it is potentially also accessible from:

  • On-premises systems via Azure ExpressRoute private peering andor Azure VPN gateways.
  • Systems on VNet in peering.

All traffic resides within the Microsoft network and you do not need to configure access through public IPs of the PaaS Service.

Figure 2 – Access from on-premises and peered networks

Azure Private Link greatly simplifies the way you can access Azure services (Azure PaaS, Azure, Microsoft partners and private services) as they support cross configurations for Azure Active Directory (Azure AD) tenants.

Figure 3 – Private Link cross Azure Active Directory (Azure AD) tenants

Activating Azure Private link it's simple and requires a limited number of Azure networking-side configurations. Connectivity occurs based on a call approval flow and when a PaaS resource is mapped to a private endpoint, route table and Network Security Groups configuration is not required (NSG).

Since Private link center you can create new services and manage the configuration or configure existing services to take advantage of Private link.

Figure 4 - Starting Configuration from Private link center

Figure 5 - Creating an Azure Storage Account to make it privately accessible

Figure 6 - Classical parameters for the creation of an storage account

Figure 7 - Private endpoint configuration

Figure 8 - Private endpoint connection present in the created storage accounts

At this point the storage account will be available in totally private way. To test the connectivity access a virtual machine was created and verified through "Connection troubleshoot":

Figure 9 – Test performed by "Connection troubleshoot" that demonstrates private connectivity

To connect with each other more Azure Virtual Network are typically used VNet peering, that require there are no overlaps in VNets address spaces. If this condition occurs it is possible to adopt the Azure Private Link as an alternative way to privately connect applications that reside in different VNets with an overlapping address space.

Figure 10 – Azure Private Link in the presence of overlapping address space

Azure Private Link features allow you to have specific access only to explicitly mapped resources. In the event of a security incident within your VNet, this mechanism eliminates the threat of extracting data from other resources using the same endpoint.

Figure 11 - Targeted access only to explicitly mapped resources

The Azure Private Link also opens new scenarios for exposure of service in Azure provided by the service provider. In order to allow access to the services provided to its customers, one of these methods was typically carried out in one of these ways.:

  • They made themselves directly accessible via Public IPs.
  • To make them private, VNet peerings were created, but with scalability issues and potential IP conflicts.

Figure 12 - How Azure Private Links changing scenarios "Consumer Service" - "Service Provider".

The new possibilities that are offered in these scenarios, requiring a totally private access to the service provided, is the following:

  • Service Provider: set up an Azure Standard Load Balancer, creates a Azure Private Link and allows access to the Service Consumer coming from a different VNet, subscription, or Azure Active Directory tenant (AD).
  • Service consumer: create a Private Endpoint in the specific VNet and request access to the service.

Figure 13 – Azure Private Link workflow in “Service Consumer”-“Service Provider” scenario

For more details please visit the Microsoft's official documentation.

Conclusions

This new method allows you to privately consume Azure-delivered solutions within your network infrastructure. This is an important change that you should definitely consider when designing network architectures in Azure, particularly for hybrid scenarios. At the moment the service is in preview, therefore not yet usable for production environments and available for a limited set of Azure services. In the coming months, however, Microsoft has announced that it will also make this feature available to other Azure services and partners, allowing you to have a private connectivity experience, key to having more adoption and dissemination of these services.

Azure IaaS and Azure Stack: announcements and updates (October 2019 – Weeks: 39 and 40)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Large file shares (100 TiB) Azure FIles standard preview available in new regions

Azure Files standard large file shares (LFS) preview in available in two more regions: North Europe and East Asia. Please see the full region list at this page.

New version of Azure Storage Explorer

This month Microsoft released a new version of Azure Storage Explorer, 1.10.0. This latest version of Storage Explorer introduces several new features and delivers significant updates to existing functionality. These features and changes are all designed to make users more efficient and productive when working with Azure Storage, CosmosDB, ADLS Gen2, and, starting with 1.10.0, managed disks. You can download Storage Explorer 1.10.0 to take advantage of all of these new features.

Increment snapshots of Azure managed disks in preview

The preview of incremental snapshots of Azure managed disks is now available. Incremental snapshots are a cost-effective point-in-time backup of managed disks. Unlike current snapshots, which are billed for the full size, incremental snapshots are billed for the delta changes to disks since the last snapshot. They are always stored on the most cost-effective storage i.e., standard HDD irrespective of the storage type of the parent disks. Additionally, for increased reliability, they are stored on Zone redundant storage (ZRS) by default in regions that support ZRS. They cannot be stored on premium storage. 

Windows Virtual Desktop is generally available

Windows Virtual Desktop is generally available worldwide. It is the only service that delivers simplified management, a multi-session Windows 10 experience, optimizations for Office 365 ProPlus, and support for Windows Server Remote Desktop Services (RDS) desktops and apps. With Windows Virtual Desktop, you can deploy and scale your Windows desktops and apps on Azure in minutes. It is available in all geographies, customers will be able to deploy scalable Azure-based virtualization solutions with a number of operating systems, including Windows 10 multi-session, Windows Server, and Windows 7 desktops with free Extended Security Updates for up to three years for customers still completing their move to Windows 10.

Azure Lab Service Updates

Azure Lab Services added this new features:

  • Adjust quota per user, enabling instructors to give additional hours to students as needed.
  • An option to install GPU drivers automatically if a GPU size is picked. 
  • An updated and improved UI experience.

Private Link for Azure SQL Database and Data Warehouse is in preview

Private Link enables you to connect to Azure SQL Database and Data Warehouse via a private endpoint. Use it to establish cross-premises access to the private endpoint using ExpressRoute, private peering, or VPN tunneling, or you can choose to disable all access via public endpoint.

Preview of direct-upload to Azure managed disks

You can directly upload your VHD do Azure Managed disks without converting them. The direct-upload is in preview.

Azure File Sync agent version 4.x will expire

On November 5, 2019, Azure File Sync agent version 4.x will be expired and stop syncing. If you have servers with agent version 4.x, update to a supported agent version (5.x or later). If you don’t update your servers before November 5, 2019, they will stop syncing. To resume syncing, the agent must be updated to a support version.