Category Archives: Microsoft Azure

How to discover and optimize cloud costs with Azure Cost Management

One of the main features of the cloud is the ability to create new resources with ease and speed. At the same time an important and fundamental challenge is to be able to keep under control the expenses to be incurred for the resources created in the cloud. The tool Azure Cost Management makes it easy to find from which services are generated costs, prevent unnecessary costs and optimize resource costs. This article lists the characteristics of the solution and provides guidance in order to best use it for maximize and optimize investments in cloud resources.

Features of the solution

Azure Cost Management is enabled by default and accessible from Azure portal for all Microsoft Enterprise Agreement and Pay-As-You-Go subscriptions. The availability of the solution for CSP subscriptions (Cloud Solution Providers) is scheduled for the second half of the year. Azure Cost Management contemplates the Azure services, including reservations, and cost data by the use of third-party solutions coming from the Azure Marketplace. All costs shown are based on negotiated prices and the data is updated every four hours.

Azure Cost Management allows you to do the following regarding the cost of cloud resources.

Monitor the cloud costs

With this solution you can provide, to the various departments involved in the use of cloud resources, cost visibility of resources for which they are responsible. Furthermore, you have the option to go into detail and view the trend of costs with a very intuitive and interactive experience. From section Cost analysis you can view the costs, with a chance to put filters on time period and eventually group them according to different parameters.

Figure 1 – Cost analysis – costs accumulated in the last month

Setting for the selected period the daily granularity you can have a graph that shows precisely the day-by-day costs.

Figure 2 – Cost analysis – costs incurred daily

Azure Cost Management also offers the possibility to export the data to Excel or CSV, after setting the required view in section Cost analysis.

Figure 3 -Export the data view created in Cost analysis

The downloaded file contains details about the context used for file generation:

Figure 4 – Summary of Excel sheet created

This feature can be useful for detailed analysis that require a consolidation of this information with other data.

In case there is a need for more functionality in terms of integration and customization you can use Power BI connectors for the creation of specific dashboards and Azure Cost Management APIs to process information with other solutions.

Assignment of responsibility to the various project teams

To raise awareness of the various project teams by making adequate use of resources in terms of spending, you can define your budget. So you can get a significant cost optimization, with no impact in terms of agility in creating resources .

Figure 5 – Creating a budget

When creating a budget it is defined a spending for a certain period of time and you can set the alert to warn those directly responsible when it reaches a certain percentage of the preset threshold.

Optimization of costs

Although you may opt to manage the various Azure resource costs to team by giving them a budget, you can not always be assumed to know how to optimize resource efficiency and reduce costs. Azure Cost Management is able to provide specific recommendations to achieve cost savings.

Figure 6 – Advisor recommendations

In the specific case, to optimize Azure resource costs , it is recommended the purchase ofVirtual Machine Reserved Instances (VM RIs), estimating the annual savings that could be obtained by adopting VM RIs.

Azure Cost Management will soon be enriched with a new feature (currently in public preview) involving the management of costs incurred in the AWS, with the same characteristics as shown for Azure. This integration simplifies management of costs in multi-cloud scenarios.

The Cost of the Solution

You can use Azure Cost Management for free, in all its features, for the Azure environment. As for the management of AWS costs is expected, in the final release, a charge equal to 1% of total spend managed for AWS. For more details on the cost of the solution you can consult the pricing of Cost Management.

Conclusions

Azure Cost Management is a great tool that allows you to maintain complete visibility of costs and to drive you to have a better manage of the expenses in the cloud resources. Thanks to the flexibility of this tool, constantly evolving, you can get the most from the investment in the cloud easily and intuitively.

Azure DNS overview

The Microsoft public cloud offers various services including Azure DNS, that allows you to host and manage domains DNS (Domain Name System) public and private in the Azure environment. This article lists the characteristics of the solution, the possible use cases and discusses the advantages of adopting this solution.

Public name resolution

The Azure DNS service can be used to resolve public domain names. Azure does not allow direct purchase of public domains, but assuming that you have a public domain, you can use the Azure DNS to resolve domain names.

To do so you need to proceed with the creation of a Dns Zone, this is the procedure to activate it from the portal Azure:

Figure 1 – Creation of DNS Zone

In the activation process of a DNS zone you are prompted to specify the location of the Resource Group, that determines where the metadata associated with the DNS zone are maintained. The Azure DNS service is indeed global and not associated with a specific Azure location.

The creation process is very quick and, at the end of the service creation, you can identify the name servers that you can use for the zone created.

Figure 2 - Name Servers for DNS zone created

After you create the DNS zones in Azure, you must delegate the name resolution for the domain to name servers in Azure. Every Registar has its own tool for managing names, where you can specify NS records, making them point to the four Name Servers provided by Azure DNS service.

At this point you can add and manage any public DNS records on yours DNS zone hosted in Azure environment.

Figure 3 — Add a DNS record

Private name resolution

In Azure Virtual Networks the DNS is integrated into the platform and it is available by default, which allows the resolution of the system names on them attested (Azure-provided). Alternatively, you can specify custom DNS Servers. The Azure DNS service extends these capabilities by enabling new scenarios, thanks to the possibility to use the Azure DNS service, not only to handle name resolution for public domains, currently in preview, you are given the option to enable a private DNS zone. For private DNS zones the virtual networks that can take advantage of the name resolution service, are called resolution virtual networks. While the registration virtual network are those VNet for which it is expected the maintenance of the hostname when you create a VM, when this changes its IP address, or when it is removed.

The creation of a private DNS zone can be done with PowerShell commands and not by the portal Azure.

Figure 4 – PowerShell commands for creating a private DNS zone

By using the PowerShell command New-AzDnsZone you can specify that it is a private zone with parameter ZoneType valued at Private. If you want to use the private zone just for name resolution, without making any future automatic creation of DNS records, you can specify the parameterResolutionVirtualNetworkId, otherwise, if you want the automatic registration of names you should specify the parameterRegistrationVirtualNetworkId. In this regard, currently the initial pairing as RegistrationResolution Virtual Network is only possible if the VNet has not attested systems on it.

At the end of the execution of the PowerShell commands it will be possible to see the private zone also in the Azure portal. The private zones at the moment are distinguished from the others because it does not have the list of Name Servers. It is still possible to register and manage your DNS records, not only using PowerShell or CLI, but also from the portal.

Figure 5 -Example of private DNS zone in the Azure Portal.

Usage scenarios

The presence of the Private Zone in the Azure DNS service allows to be adopted in different scenarios.

Name resolution for a single Virtual Network

This scenario has a single virtual network that takes advantage of the Azure private DNS to resolve internal names. That resolution is totally private and can be used by all resources attested on that specific VNet.

Figure 6 - Azure Private DNS for a single VNet

Name resolution between different Virtual Networks

This scenario is commonly used when multiple virtual networks have access to the same Azure private DNS service. The adoption of this scenario is typical in the presence of architectures Hub-Spoke, where the Hub network can be associated with the private Azure DNS zone in mode Registration, while the various spoke networks may be associated as Resolution virtual network.

Figure 7 – Azure Private DNS for two VNet

Split-Horizon capabilities

It falls in this scenario when for the same DNS zone there is the need to obtain different resolution of the names depending on where the client is located, Azure environment or in Internet.

Figure 8 – Azure Private DNS in a Split-Horizon scenario

The Cost of the Solution

The Azure DNS cost is given by two elements:

  • Number of DNS zones hosted in Azure (public or private).
  • Number of DNS queries received.

To get the details of the Azure DNS costs you can see the official page.

Advantages

The ability to host DNS zones in Azure introduces a number of benefits, including:

  • The DNS service can be provided using the native tools offered by the Azure platform, without having to use custom DNS solutions, thus saving on time and costs.
  • The service allows you to use all the most common types of DNS records: In, AAAA, CNAME, MX, PTR, SOA, SRV, and TXT.
  • It provides automatic management of the DNS records for virtual machines on specific Azure Virtual Networks.
  • Private DNS name resolution can be shared between different Virtual Networks, unlike as it offers the service of name resolution provided by default on the VNet. This expands possible usage scenarios and simplify the architecture, thanks to the Split-horizon capabilities.
  • The solution can be fully managed via the Azure tools (PowerShell, Azure Resource Manager templates, and REST API), reducing the learning curve for the actual adoption.

Conclusions

The Azure DNS service allows you to host your own DNS domains in Azure, providing the ability to manage them with the same credentials, the same billing policies and support of the other Azure services. The introduction of Private Azure DNS Zones introduces an important element that, when it is officially released, will be taken into consideration in the design of Azure architectures, in order to simplify them and make them more efficient. Azure DNS also provides reliability, scalability, security and availability, as it is based on the Microsoft global network, hardly obtainable with third-party solutions.

Azure IaaS and Azure Stack: announcements and updates (April 2019 – Weeks: 17 and 18)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Azure VMware Solutions

Microsoft Corp. and Dell Technologies announced they are expanding their partnership to address a wider range of customer needs and help accelerate digital transformations. Through this collaboration, the companies will deliver a fully native, supported, and certified VMware cloud infrastructure on Microsoft Azure.

Azure VMware Solutions are built on VMware Cloud Foundation, a comprehensive offering of software defined compute, storage, networking and management, deployed in Azure. With these solutions, customers can capitalize on VMware’s broadly deployed and trusted cloud infrastructure while experiencing the power of Microsoft Azure.

Azure VMware Solutions give customers the power to seamlessly migrate, extend and run existing VMware workloads from on-premises environments to Azure without the need to re-architect applications or retool operations. Customers will be able to build, run, manage, and secure new and existing applications across VMware environments and Microsoft Azure while extending a single model for operations based on established tools, skills and processes as part of a hybrid cloud strategy. Some of the more popular customer scenarios Azure VMware Solutions will support are app migration and datacenter expansion, disaster recovery, and business continuity and modern application development.

Azure Firewall – Price Reduction

Azure Firewall pricing includes a fixed hourly cost ($1.25/firewall/hour) and a variable per GB processed cost to support auto scaling. Microsoft are announcing a price reduction, effective 01/05/2019, for the firewall per GB cost to $0.016/GB (-46.6%) to ensure that high throughput customers maintain cost effectiveness. There is no change to the fixed hourly cost.

Azure Application Gateway Standard v2 and WAF v2 SKUs

Application Gateway is Azure’s Application Delivery Controller as-a-service offering which provides customers with layer 7 load balancing, security and WAF functionality.

Azure Application Gateway Standard v2 and WAF v2 SKUs are generally available and fully supported with a 99.95 SLA. The v2 SKUs also offer the following additional capabilities to Application Gateway and WAF:

  • Faster provisioning and configuration update time.
  • Static VIPs ensure that the Application Gateway VIP will not change over its lifecycle.
  • Autoscaling allows elasticity to your application enabling it to scale up or down based on application traffic pattern. This also eliminates the need to run Application Gateway at peak provisioned capacity, thus significantly saving cost.
  • Improved performance offers better application performance and also helps reduce overall cost.
  • Zone redundancy enables your Application Gateway to survive zonal failures, thereby offering better resilience to your applications.
  • Header Rewrite allows you to add, remove, or update HTTP request and response headers allowing applications to enable various scenarios like HSTS support, securing cookies, changing cache controls, etc. without changing application code.

For more information about the capabilities available, please visit the Application Gateway documentation webpage.

Azure File Sync v6

Azure File Sync Agent v6 is available.

Improvements and issues that are fixed

  • Agent auto-update support
  • Support for Azure file share ACLs
  • Parallel upload and download sync sessions for a server endpoint
  • New Cloud Tiering cmdlets to get volume and tiering status
  • Support for FIPS mode
  • Miscellaneous reliability improvements for cloud tiering and sync

For more details, see KB4489736.

Agent installation notes

  • This update is available for Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019 installations.
  • Azure File Sync agent version 4.0.1.0 or a later version is required to upgrade existing agent installations.
  • A restart may be required if files are in use during the update rollup installation.
  • The agent version for the v6 release is 6.0.0.0.
  • Installation instructions are documented in KB4489736.

Azure management services and System Center: What's New in April 2019

Microsoft announces constantly news about Azure management services and System Center. Our community releases on a monthly basis this summary that provides a general overview of the main new features of the current month, in order to stay up to date on these news and have the necessary references to conduct further study.

Azure Log Analytics

Agent

This month the new version ofLog Analytics agent for Linux systems fixes important bugs and improves stability. To obtain the updated version of the Log Analytics agent you can access to the GitHub official page.

Figure 1 – News of the new release of Log Analytics agent

Availability in new regions

The availability of Azure Log Analytics has been extended into three new regions: France Central, Korea Central, and North Europe. Furthermore, it can be activated in preview in the following regions: Central US, East US 2, East Asia, West US and South Central US.

Azure Automation

New features in Azure Update Management

Azure Management Update added the option to have as a target of patch deployment groups of virtual machines, generated by queries that rely on native Azure concepts (such as resource group, location, and tags). The virtual machines can be added dynamically to existing patch deployment based on defined criteria.

System Center Configuration Manager

End of support for SCCM 2007 and FEP 2010

Please note that the support for System Center Configuration Manager 2007 and Forefront Endpoint Protection (FEP) 2010 end on 9 July 2019. After this date will be discontinued by Microsoft: updates (security and non), assisted support and for FEP Microsoft will no longer releases antivirus signatures and engine updates. For those who are using these products it is time to consider switching to the latest version of SCCM.

New releases for the Technical Preview Branch

Released version 1903

For Configuration Manager was released the update 1903 and among other changes was the ability to use a new tool for cost estimates for the deployment of cloud management gateway.

Figure 2 – SCCM Clooud Cost Estimator

For full details of what's new in this release you can consult this document.

Released version 1904

For Configuration Manager was also released the update 1904 which includes new dashboards to identify the devices ready to be upgraded to Office 365 ProPlus.

To verify the details about what's new in this update you can see this document.

Please note that the Technical Preview Branch releases help you to evaluate new features of SCCM and it is recommended to apply these updates only in test environments.

System Center Operations Manager

Support for Windows Server 2012 and for SCOM 2019

After the release of SCOM 2019, Microsoft has decided to change the support statement to allow even the monitor of systems Windows Server 2012. To see the full list of System requirements for System Center Operations Manager 2019 you can consult this document.

Evaluation of Azure and System Center

To test and evaluate free of charge the services offered by Azure you can access this page, while to try the various System Center components you must access theEvaluation Center and, after registering, you can start the trial period.

Azure IaaS and Azure Stack: announcements and updates (April 2019 – Weeks: 15 and 16)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Gateway Transit support for Global VNet Peering

Global VNet Peering seamlessly connects Azure virtual networks across regions. After virtual networks are peered, they appear as one for connectivity purposes. Traffic between resources in the peered virtual networks is completely private and stays on the Microsoft Backbone. Gateway Transit is a VNet Peering property that enables one virtual network to use the VPN gateway in the peered virtual network for cross-premises connectivity. Previously, support for Gateway Transit was limited to peering within the same region. Now, Gateway Transit is supported for Global VNet Peering in all Azure public regions, Azure China regions, and Azure Government regions. Gateway Transit enables you to use a peered virtual network’s gateway instead of creating a new gateway for connectivity. As you increase your workloads in Azure, you need to scale your networks across regions and virtual networks to keep up with the growth. VNet peering’s Gateway Transit can help simplify your network architecture.

Full IPv6 support for Azure Virtual Networks

Dual Stack IPv4/IPv6 connectivity with full IPv6 support for Virtual Networks is now available. This lets you bring your private IPv6 space into Azure and enables connectivity over IPv6 within your Virtual Networks. With this, you’re able to address IPv4 depletion, meet regulatory requirements, and expand into the growing mobile and IoT markets with your Azure-based applications.

Azure Cost Management generally available for Pay-As-You-Go customers

The general availability of Azure Cost Management features for all Pay-As-You-Go and Azure Government customers will greatly enhance the ability to analyze and proactively manage cloud costs. These features will allow you to analyze your cost data, configure budgets to drive accountability for cloud costs, and export pre-configured reports on a schedule to support deeper data analysis within your own systems. This release for Pay-As-You-Go customers also provides invoice reconciliation support in the Azure portal via a usage csv download of all charges applicable to your invoices.

New experience and APIs for purchasing Azure reservations

The new user experience also shows purchase recommendations for VM size that have consistent usage over the last 30 days, to help you select the right VM size. You can now add multiple products to your cart and purchase them together from the Azure portal, or use the reservation APIs to purchase individual products.

Rewrite HTTP headers with Azure Application Gateway

Rewriting HTTP headers in Azure Application Gateway is now supported. You can add, remove, or update HTTP request and response headers while the request and response packets move between the client and backend application. You can also add conditions to ensure that the headers you specify are rewritten only when the conditions are met. Rewriting headers helps you accomplish several important scenarios such as removing port information from X-Forwarded-For headers, adding security-related header fields like HSTS/ X-XSS-Protection, removing response header fields which may reveal sensitive information, etc.

Azure Backup support to move Recovery Services vaults across subscriptions and resource groups

Azure Backup support for move functionality for recovery services vaults where you can migrate a vault between subscriptions and resource groups with a few steps, in minimal downtime and without any data-loss of old backups. You can move the vault across resource groups and subscriptions. This is very helpful in scenarios like expiry of old subscription, moving from EA to CSP type subscription, organizational and departmental changes or separation between QA environment and production environment. Post migration, all the settings, backup policies and configurations in the vault are retained, including all backup and recovery points created in the past inside the vault. You can restore from retained backup history in the vault regardless of whether the VM is moved with the vault or not to the target subscription.

Azure Availability Zones in UK South and in Japan East

Azure Availability Zones, a high-availability solution for mission-critical applications, is generally available in UK South and in Japan East. Availability Zones are physically separate locations within an Azure region. Each Availability Zone consists of one or more datacenters equipped with independent power, cooling, and networking. With the introduction of Availability Zones, Microsoft offers a service-level agreement (SLA) of 99.99% for uptime of virtual machines. Availability Zones are generally available in select regions.

Azure virtual network service endpoint policies expanded

Public preview for virtual network service endpoint policies for Azure Storage was expanded to four new US regions on March 25. Azure virtual network service endpoint policies enable you to prevent unauthorized access to Azure service resources from your virtual network. You can now allow access to only specific Azure service resources (for example, storage accounts) by using endpoint policies over service endpoints. For details about supported capabilities and limitations, and for configuration guidance, see Virtual network service endpoint policies (preview).

Best practices in Azure deployment with Azure Advisor

In Azure is available the Advisor solution that would provide useful recommendations to optimize the deployment in your environment. Azure Advisor analyzes the configuration of the resources present in the Azure subscriptions and its use, and highlights the issues to consider in order to optimize costs, the performance, high availability and security. This article lists the main characteristics and features of the solution.

Azure Advisor is a totally free solution and included in Azure that allows you to easily optimize the resources in your deployments, offering specific recommendations in the following categories:

  • High availability: it gives directions on how you can increase the availability of your business-critical applications, in order to ensure greater continuity of service.
  • Security: reports on how to best protect Azure resources from security threats.
  • Performance: thanks to constant analysis of resources used, the solution is able to return useful information to increase the speed and responsiveness of applications.
  • Costs: it provides guidance to maximize the economic return on investment in Azure, thanks to the extra touches that can reduce and optimize costs.

All these recommendations are proactive and, to facilitate its implementation, contain proposals for concrete actions to be carried out.

Azure Advisor is accessible from Azure portal and the overview screen includes the recommendations of the four macro-categories mentioned :

Figure 1 – Azure Advisor overview

All information provided by the solution can be downloaded in two different formats (.pdf and .csv), to facilitate the consultation and to keep them documented.

By selecting each category you will be sent to the detail section, where you can check for any recommendation provided, which resources are impacted and the relative level of criticality (high, medium, low).

Figure 2 – High Availability raccomandations

The recommendations in the field of security are integrated with Azure Security Center and you will be sent to the specific section of the Security Center.

Figure 3 – Security raccomandations

The solution is also provided for integration with Azure SQL DB Advisor, to get useful tips even for improving the performance of datatabase.

Figure 4 – Performance raccomandations

Figure 5 – Cost raccomandations

In the specific case, to optimize Azure resource costs , it is recommended the purchase of Virtual Machine Reserved Instances (VM RIs), estimating the savings that could be achieved by adopting VM RIs 3 years.

For ease of reference, you can apply filters to display only the recommendations relating to specific resources on the subscriptions and in certain resource groups, with the ability to select only the desired categories.

Figure 6 – Azure Advisor Resources configuration

It is also possible to modify, at the moment the only rule on the CPU, the threshold of use of virtual machines to be taken into consideration in the relative assessments.

Figure 7 – Azure Advisor Rules configuration

Azure Advisor provides recommendations for virtual machines, availability set, application gateway, Service App, SQL Server and Redis Cache. The solution performs its assessments in the background and automatically intercept new resources created. Since the creation of new resources, can take up to 24 hours to receive its recommendations.

Every single recommendation can be postponed or ignored for a certain period of time.

Figure 8 – Management of the recommendations

Conclusions

This is a very useful support tool to verify that fulfilled the main best practices in the Azure environment and to guide you in taking appropriate corrective actions. Azure Advisor allows you to centralize in a single solution the different recommendations from different Azure services, to have a global vision and improve implementations in the Azure environment.

Security in the cloud with Azure Sentinel solution

Microsoft recently announced a new cloud solution called Azure Sentinel. It is a service that aims to expand the capabilities and potential of the products SIEM (Security Information and Event Management) traditional, going to use the power of the cloud and artificial intelligence to be able to quickly identify and manage security threats affecting your infrastructure. This article lists the main features of the solution.

Azure Sentinel is a solution that allows real-time analysis of security events and information generated within their own hybrid infrastructure, from server, applications, devices and users. It is a cloud-based service, it follows that one can easily scale and have high-speed processing of information, without the need to implement and manage a dedicated infrastructure, to intercept potential security threats.

Azure Sentinel service can be activated directly from the Azure Portal:

Figure 1 - Creation of service Azure Sentinel

Operating principles of Azure Sentinel

Collect data within the infrastructure

Azure Sentinel leans to Azure Monitor that, using the proven and scalable repository of Log Analytics, is able to accommodate a high volume of data, which it is possible to process them effectively thanks to an engine that ensures high performance.

Figure 2 - Adding Azure Sentinel to an existing Log Analytics workspace

With Azure Sentinel you can aggregate different security data from many sources, using the appropriate connectors embedded in the solution. Azure Sentinel is able to connect, in addition to the different platform solutions, even the most widespread and popular network solutions of third-party vendors, including Palo Alto Networks, F5, Symantec, Fortinet and Check Point. Azure Sentinel also has a native integration with logs that meet the standard formats, as common event and syslog.

Figure 3 -Data Connectors

Using this solution, you also have the ability to easily import data from Microsoft Office 365 and combine them with other security data, in order to get a detailed analysis of your environment and have visibility into the entire sequence of an attack.

Figure 4 – Office 365 Connector

Azure Sentinel also integrates with’Microsoft Graph Security API, which allows you to import your own threat intelligence feeds and customize detection rules of potential security incidents and notification.

Analyze and quickly identify the threats by using artificial intelligence

Azure Sentinel uses scalable machine learning algorithms, able to correlate a high amount of security data, to present to the analyst only potential security incidents, all with a high level of reliability. Thanks to this mechanism Azure Sentinel differs from other SIEM solutions, adopting traditional correlation engines, drastically reducing noise and consequently the effort for the analysis required in detecting threats.

Figure 5 – Azure Sentinel Overview

After enabling the Data Collectors required, you will begin to receive data in the workspace of Log Analytics and setting up ofAlert Rules, it can generateCases to report potential security threats. For more details on how to detect threats with Azure Sentinel, see the Microsoft's official documentation.

Investigate suspicious security activities

The data processed by the solution can be found using the dashboards, customizable to suit your needs. Dashboards allow you to conduct investigations by reducing the time needed to understand the scope of an attack and its impact.

Figure 6 – Dashboards available in Azure Sentinel

Figure 7 – Azure Network Watcher dashboard

If security threats are detected, against the Alert Rules set, it is generated a Case, for which you can set the severity, the status and its assignment.

Figure 8 – Cases

Using the console, you can proceed with the investigation of the case:

Figure 9 – Case Investigation

In the same dashboard you can also perform actions. Proactive research activities of suspicious transactions are a fundamental aspect for security analysts, that with Azure Sentinel can be made through two specific features that allow you to automate the analysis: search query (hunting queries) and Azure Notebooks (based on notebook Jupyter), that are constantly updated.

Figure 10 – Hunting queries

Figure 11 -Example of an Azure Notebook

Automate common tasks and response to threats

Azure Sentinel provides the ability to automate and orchestrate the response to common problems, so you don't have to manually perform repetitive tasks. By means of predefined and customizable playbooks you can quickly respond to security threats.

Figure 12 – Alert playbooks

Figure 13 – Logic Apps Designer

Microsoft also announced that more defense and investigation tools will be integrated in the solution increased.

Conclusions

Azure Sentinel is a complete solution that provides native SIEM in the cloud and introduces significant benefits over traditional SIEM solutions, which require to sustain high costs for the maintenance of the infrastructure and for data processing. Azure Sentinel enables customers to simplify the tasks required to maintain high security in the infrastructure and to scale gradually to suit your needs, providing a wide integration with third party solutions.

Azure IaaS and Azure Stack: announcements and updates (April 2019 – Weeks: 13 and 14)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Azure Front Door Service is generally available

Azure Front Door Service (AFD) is a scalable and secure entry point for fast delivery of your global applications. AFD is a solution for your global website/application and provides:

  • Application and API acceleration with anycast and using Microsoft’s massive private global network to directly connect to your Azure deployed backends means your app runs with lower latency and higher throughput to your end users.
  • Global HTTP load balancing enables you to build your application resiliently across regions, fail-over instantly and offer your users an “always-on” web site availability experience either at a domain or microservice (URL path) level. 
  • SSL offload at a massive scale enables you to maintain security and scale to a rapidly growing or expanding user base, all while reducing latency.
  • WAF @ Edge offering application security against DDoS attacks or malicious users at the edge providing protection at scale without sacrificing on performance.

ExpressRoute Direct is generally available 

ExpressRoute Direct provides 100 Gbps connectivity. It is the first service of its scale in public cloud and focuses on core scenarios around large data-ingestion, R&D, media services, graphics and the like.

ExpressRoute Global Reach is generally available

ExpressRoute Global Reach extends the use of ExpressRoute from on-premises or from your corporate datacenter to Azure, to now also provide connectivity between on-premises sites, using the Microsoft Global network.

Azure Premium Block Blob Storage is generally available

Premium Blob Storage is a new performance tier in Azure Blob Storage for block blobs and append blobs, complimenting the existing Hot, Cool, and Archive access tiers. Premium Blob Storage provides lower and more consistent storage latency, providing low and consistent storage response times for both read and write operations across a range of object sizes, and is especially good at handling smaller blob sizes. Premium Blob Storage is ideal for workloads that require very fast response times and/or high transactions rates, such as IoT, Telemetry, AI, and scenarios with humans in the loop such as interactive video editing, web content, online transactions, and more.

New Azure Disks SKU

All existing Azure Managed Disk offerings (Premium SSD, Standard SSD and Standard HDD) will now feature 8, 16 and 32 TiB disk sizes. In addition, are supported disk sizes up to 64 TiB on Ultra Disks in preview. The performance scale targets for Premium SSD are increased to 20,000 IOPS and 900 MB/sec. Also, Standard SSD performance will now reach up to 6,000 IOPS and 750MBps and Standard HDD to 2000 IOPS and 500MBps .

Advanced Threat Protection for Azure Storage
Advanced Threat Protection for Azure Storage is available. It provides an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit storage accounts.

Azure Blob Storage lifecycle management

General availability of Blob Storage lifecycle management so that you can automate blob tiering and retention with custom defined rules. Azure Blob Storage lifecycle management offers a rich, rule-based policy which you can use to transition your data to the best access tier and to expire data at the end of its lifecycle. This feature is available in all Azure public regions.

Azure Firewall in Government Cloud

Azure Firewall Service is now generally available in Government Cloud. Specific regions and limitations can be found here.

New B-series VM size

A new B-series VM size, B1ls, which has the smallest memory and lowest cost among Azure VM instances is available. B1ls has 512 MiB of memory and 1 vCPU.  This offering is in response to customers who were looking for entry-level offerings. B1ls is available only on Linux for the best customer experience. Windows is not supported because the minimum recommended memory for the Windows OS is larger than what B1ls offers. B1ls is best for small web servers, small databases, and development and test environments. It offers a cost-effective way to deploy workloads that don’t need the full performance of the CPU continuously and burst in their performance.

New capabilities in Azure Security Center

Microsoft Azure Security Center has released new capabilities:

  • Advanced Threat Protection for Azure Storage. Layer of protection that helps customers detect and respond to potential threats on their storage account as they occur—without having to be an expert in security.
  • Regulatory compliance dashboard. Helps Security Center customers streamline their compliance process by providing insight into their compliance posture for a set of supported standards and regulations.
  • Support for Virtual Machine Scale Sets (VMSS). Easily monitor the security posture of your VMSS with security recommendations.
  • Dedicated Hardware Security Module (HSM) service, now available in U.K., Canada, and Australia. Provides cryptographic key storage in Azure and meets the most stringent customer security and compliance requirements.
  • Azure disk encryption support for VMSS. Now Azure disk encryption can be enabled for Windows and Linux VMSS in Azure public regions—enabling customers to help protect and safeguard the VMSS data at rest using industry standard encryption technology.

New Regions for Azure File Sync

Azure File Sync is available in Korea Central and Korea South. To get the latest list of supported regions, see this document.

New Regions for Traffic Analytics

Traffic Analytics is now available in East Asia, Japan West, France Central and Korea Central.

Update rollup for Azure File Sync Agent: April 2019

An update rollup for the Azure File Sync agent was released.

Improvements and issues that are fixed:

  • Reliability improvements for offline data transfer and data transfer resume features.
  • Sync telemetry improvements.

More information about this update rollup:

  • This update is available for Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019 installations that have Azure File Sync agent version 4.0.1.0 or later installed.
  • The agent version of this update rollup is 5.2.0.0.
  • A restart may be required if files are in use during the update rollup installation.
  • Installation instructions are documented in KB4481061.

 

Azure Stack

Azure Stack HCI

Microsoft announced Azure Stack HCI solutions for customers who want to run virtualized applications on modern hyperconverged infrastructure (HCI) to lower costs and improve performance. Azure Stack HCI solutions feature the same software-defined compute, storage, and networking software as Azure Stack, and can integrate with Azure for hybrid capabilities such as cloud-based backup, site recovery, monitoring, and more.

With Azure Stack, you can run Azure IaaS and PaaS services on-premises to consistently build and run cloud applications anywhere.

Azure Stack HCI is a better solution to run virtualized workloads in a familiar way – but with hyperconverged efficiency – and connect to Azure for hybrid scenarios such as cloud backup, cloud-based monitoring, etc.

Azure management services and System Center: What's New in March 2019

In March there have been several news announced by Microsoft on the Azure management services and System Center. In this summary, that we report on a monthly basis, there are listed all the main news, accompanied by the necessary references to be able to conduct further studies.

Azure Monitor

Availability in Central Canada and UK South

The new service that allows you to monitor the virtual machines, called Azure Monitor for VMsis also available in Central Canada and UK South.

Azure Log Analytics

Availability in new regions

Azure Log Analytics is now available in the regions of Azure China, Australia East and Central Australia. It is also available in Public Preview in the following regions: France Central, Korea Central and North Europe.

Azure Site Recovery

Support for storage accounts protected with firewall rules

In Azure Site Recovery was introduced support for storage accounts that are configured with firewall rules for the Virtual Networks, in replication scenarios from VMware or physical systems to Azure.

Support for managed disks in replication scenarios with VMWare and physical systems

Azure Site Recovery now supports disaster recovery of VMware virtual machines and physical systems, replicating directly towards the managed disks. This avoids creating and managing different storage accounts target for the replica of these systems. The on-premises data are sended to a cache storage account in the target region and written in managed disk by Site Recovery.

New Update Rollup

For Azure Site Recovery was released theUpdate Rollup 35 which it addresses several issues and introduces some improvements. The details and the procedure to follow for the installation can be found in the specific KB 4494485.

Azure Backup

In Azure Backup was officially released the functionality to back up the SQL Server installed in Azure IaaS virtual machines.

Figure 1 – Azure Backup Features for SQL Server in Azure VMs

Among the benefits of this solution there are:

  • Recovery Point Objective (RPO) of 15 minutes
  • Point-in-time restores: to make easy and rapid the recovery operations of the DBs.
  • Long-term retention: ability to keep backups for years.
  • Protection of encrypted databases: chance to make the backup of encrypted SQL databases and safely keep via an encryption at rest integrated into the solution. All backup and restore operations are managed by role-based access control mechanism.
  • Auto-protection: is handled automatically the detection and the protection of new databases.
  • Management and monitoring: allows to carry out a centralized management and monitoring the protection status of the systems.
  • Cost savings: are not required infrastructure costs and allows to easily scale to meet your needs.

System Center

Released System Center 2019

The main novelty regarding System Center is the release in general availability of the major release of System Center 2019. This is the release belonging to the long term servicing channel (LTSC) that will be supported for 10 years and that introduces full support for Windows Server 2019.

Starting from this release, Microsoft has decided to change the System Center product release policies. There will be no more releases in the Semi-Annual Channel (SAC) and new features, before the next release Long-Term Servicing Channel (LTSC), can be obtained via Update Rollup.

System Center 2019 supports upgrade from the two recent Semi-Annual Channel releases (SAC), System Center 1801 and System Center 1807 as well as System Center 2016.

Customers who have a valid license of System Center 2019 can download it from the Volume Licensing Service Center (VLSC).

Among the main features of System Center 2019 we find:

Virtual Machine Manager

  • Integration in VMM with Azure Update Management simplifies patching of virtual machines
  • Dynamic Storage Optimization in VMM enables higher availability of workloads
  • VMM now provides health and operational status of storage disks in Hyper Converged as well as disaggregated deployment
  • New RBAC role in VMM ensures that IT admins can be provided access commensurate with their role and no more
  • Support for latest versions of VMware in VMM (to enable migration to Hyper-V)

Operations Manager

  • SCOM supports integration with Azure services – Dependency Map (Service Map) provides comprehensive visibility of dependencies across servers along with health.
  • Azure Management Pack integrates alerts and performance metrics for Azure resources in SCOM
  • Along with modernized and extensible SCOM web console, subscriptions and notifications are now modernized with support for HTML based email
  • Maintenance schedules in SCOM with SQL server AlwaysOn
  • Update and recommendations for Linux workloads enables discovery of up-to-date MPs for Linux environments
  • Linux monitoring is now resilient to SCOM management server failover
  • All Windows Server Management Packs now support Windows Server 2019

Data Protection Manager

  • Faster backups with DPM with a 75% increase in speed and a monitoring experience for key backup parameters via Log Analytics.
  • DPM further supports backup of VMWare VMs including to tape

More news

  • Orchestrator supports PowerShellv4 +
  • Service Manager has an enhanced AD connector
  • Support for service logon across the System Center suite aligning with security best practices

More information about it can be consulted in the article System Center 2019 is now in general availability.

System Center Configuration Manager

Released version 1902 for the Current Branch

There are many new features in this release designed to enrich and improve different features of the solution. To get the complete list of new features introduced with this build, you can consult this official document. The transition to version 1902 can be done by following the installation checklist, at the end of which it is appropriate to continue with the Checklist post-update.

System Center Operations Manager

Management Packs

Following, are reported the news about the SCOM Management Packs:

  • System Center Management Pack for Message Queuing version 7.1.10242.0
  • System Center Management Pack for Microsoft Azure Stack version 1.0.3.11
  • System Center Management Pack for SharePoint Server 2019 version 16.0.11426.3000

Evaluation of Azure and System Center

To test and evaluate free of charge the services offered by Azure you can access this page, while to try the various System Center components you must access theEvaluation Center and, after registering, you can start the trial period.

Azure Lab Services: how to create lab environments in the cloud

In Azure there is a service called Azure Lab Services to enable lab environments in the cloud, built from a collection of preconfigured virtual machines, in a simple and rapid way. Thanks to this service you can provide a custom lab environment for training or to work in isolated test and development environments. This article shows how to enable and configure the service and explores the main features of the solution.

Features of the solution

The main features of the solution Azure Lab Services are the following:

  • Users who receive the invitation have immediate access to virtual lab machines. All this is possible without having to provide access permissions on the Azure subscription. Access to the lab is done using a simple user experience, through a dedicated web portal.
  • You have the ability to create customized templates for VMs, from which generates virtual machines for different lab.
  • In order to achieve efficient use of resources, is given the option to schedule the automatic startup shutdown of the VMs and the option to limit the hours of use, using quotas. The end result is an optimization of operating costs.
  • Provides the ability to quickly and easily do the provisioning of systems and to scale in a flexibly way, without having to worry about the infrastructure required.

Possible usage scenarios

The use of theAzure Lab Service is recommended for the following scenarios:

  • Professional training or school classes: to configure the lab VMs in a custom way, according to the requirements of the course, to provide an environment where each participant connect and make practical activities and exercises.
  • Hackathons and hands-on labs: to provide an interactive experience during conferences and events, with the ability to easily scale based on the number of participants.
  • Environments for trial and personalized demo: to provide access at the invitation in a private lab where you can make the demo, before the official release of a software solution.
  • Machines for development and test environments: to provide an environment where you have preconfigured systems, used for purposes of development and application tests.

Configuring the environment

The first configuration needed is the creation of a Lab Account, that it is possible to carry out according to what reported:

Figure 1 – Creating a Lab Account

To create a lab you must have one user who belongs to role Lab Creator of the Lab Account. The user used to create the Lab Account has by default this capability as it belongs to the role Owner, but you can add additional users to the role Lab Creator, as below:

Figure 2 — Add a user to the role Lab Creator

In the Lab Account configuration you can specify whether the resources created in the lab are connected to a specific virtual network, having thus access to resources accessible from it:

Figure 3 – Configuration of access to VNet

As owner of the lab account you can specify which of the Azure Marketplace images you can make available to the Lab Creator for the creation of the lab:

Figure 4 – Selection of usable images from Marketplace

These are images that provide the creation of a single virtual machine, using the deployment Azure Resource Manager (ARM) and do not require additional software licenses.

Completed these configurations you can access the portal dedicated to Azure Lab Services to proceed with the configuration of the lab environment.

Figure 5 – Portal dedicated to Azure Lab Services

Doing with an enabled account (Role Owner, Lab Creator, or Contributor) you can create a new lab, setting its name and the maximum number of VMs:

Figure 6 – Creation of the Lab

Then you are prompted to set the specifications (size, region and image) to create the template, from which the environment of the lab will be generated:

Figure 7 – Specifications for creating the template

In the next step you need to specify the credentials to access the virtual machines:

Figure 8 - Configuring credentials

By selecting the button Create starts the template creation process, based on the selected image and attributes, which can take up to 20 minutes. During the creation process you may see the following screen:

Figure 9 – Template being created

At the end of this creation process you can make changes to the virtual machine template, by directly connecting via Remote Desktop, such as the installation and configuration of additional software.

Figure 10 -Customization of the template

When you feel ready, you can proceed with the template publication:

Figure 11 – Publication of the template

Management and use of the environment

When publishing is complete, by accessing the dashboard, you can manage various aspects of the laboratory:

  • Virtual machines: view the list of virtual machines and their allocation status. For each virtual machine you can manage the start, the shutdown, the cancellation, access via RDP and display how many hours the user has used it.
  • Scheduling: set up a mechanism that allows you to turn on and off automatically the VMs in the lab according to a specific or recurrent scheduling. For full details about schedule management consult this document.
  • Users: manage lab enabled users and obtain its registration link. At the moment Azure Lab Services supports organizational account and Microsoft account. Furthermore, you have the option to set a quota on the maximum working hours of the laboratory by the individual user. For further details please visit the Microsoft documentation.
  • Template: make changes to the template to make a new publication.

Figure 12 – Laboratory Management Dashboard

After completing the registration process, the user can access to the Azure Lab Services site and use the lab environment virtual machine assigned to him.

Figure 13 – Access to the lab virtual machines assigned

Who manages the lab environment can check the status of assignment of individual VMs and govern the entire lab environment.

Figure 14 – Allocation status of virtual machines

Conclusions

Thanks to this service you can turn on cloud systems quickly and easily, for lab environments for specific scenarios. All this happens by using the power of the cloud with obvious benefits in terms of flexibility, dynamism and without neglecting the aspects of governance of their environment. The service is certainly destined to get rich quickly with new features to further expand the possible scenarios of use and also to meet the needs of more articulated lab environments.