Category Archives: Microsoft Azure

Azure IaaS and Azure Stack: announcements and updates (June 2019 – Weeks: 23 and 24)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Web Application Firewall (WAF) for Azure Front Door service is generally available

Customers can use WAF to define security policies that allow, block, forward or rate limit access to their web applications delivered through Azure Front Door.

A WAF security policy may consist of an ordered list of custom rules and Azure managed pre-configured rulesets.
Custom rules are based on a combination of client IP addresses, geolocation, http parameters, request methods and size constraints.
The pre-configured default rule set can be enabled to protect your applications from OWASP top 10 threats.
New or updated WAF configurations are deployed globally within minutes, letting you respond quickly to changing attack patterns.
WAF for Azure Front Door is integrated with Azure Monitor and the logs can be accessed through an Azure storage account, Azure Event Hub or Azure Log Analytics.

DevTest Labs supports the Shared Image Gallery feature

It enables lab users to access images from a shared location while creating lab resources. It also helps you build structure and organization around your custom-managed VM images.

High-Performance Computing Virtual Machines are available in West US 2, East US

HC-series Virtual Machines, designed to provide supercomputer-grade performance and scalability with the best price-performance on the public cloud, are generally available in West US 2 and East US.

Azure File Sync is GA for Azure Government cloud

Azure File Sync is generally available for Azure Government cloud. Azure File Sync in Government Cloud can be used with the same v6 agent that a customer would use in public cloud. It is at feature parity with what’s available publicly.

Azure Shared Image Gallery are generally available

Shared Image Gallery provides a simple way to share your applications with others in your organization, within or across Azure Active Directory (AD) tenants and regions. This enables you to expedite regional expansion or DevOps processes and simplify your cross-region HA/DR setup.

Azure DevTest Labs: PowerShell module to simplify management of labs

You can now make use of Az.DevTestLabs, a PowerShell module to simplify the management of Azure DevTest Labs. It provides composable functions to create, query, update and delete labs, virtual machines, custom images and environments.

Advanced data security for SQL servers on IaaS

Advanced data security is now available for SQL Server on Azure Virtual Machines. Advanced data security for SQL Server on Azure Virtual Machines currently includes functionality for surfacing and mitigating potential database vulnerabilities and detecting anomalous activities that could indicate a threat to your server.

Adaptive Network Hardening in Security Center id generally available

Security Center learns the network traffic and connectivity patterns of Azure workloads and provides NSG rule recommendations, for Internet facing virtual machines. This helps our customer better configure their network access policies and limit their exposure to attacks.

Azure Application Gateway Web Application Firewall custom rules are Generally Available

Custom rules for WAF_v2 allow customers to create their own rules with IP/IP range or String based matching conditions. For example, customers will be able to create rules which block requests from a specific IP range, or those matching a specific regular expression in the request’s header/cookie/URI/queryString/form elements. Users can also join multiple matching conditions into a single custom rule. More details can be found here.

Update rollup for Azure File Sync Agent

Improvements and issues that are fixed

After creating a server endpoint, High CPU usage may occur when background recall is downloading files to the server.
Sync and cloud tiering operations may fail with error ECS_E_SERVER_CREDENTIAL_NEEDED due to token expiration.
Recalling a file may fail if the URL to download the file contains reserved characters.

More information about this update rollup:

This update is available for Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019 installations that have Azure File Sync agent version 4.0.1.0 or later installed.
The agent version of this update rollup is 6.2.0.0.
A restart may be required if files are in use during the update rollup installation.
Installation instructions are documented in KB4489738.

Azure Stack HCI: introduction to the solution

The use of hyper-converged infrastructure in recent years has increased sharply and estimates from authoritative sources report that in the coming 12-18 months investing in solutions of this kind will be among the most significant for the modernization of datacenters, for about the 54% of the organizations. With the arrival of Windows Server 2019, Microsoft introduced the solution Azure Stack HCI, that can run virtual machines and easy connection to Azure with a hyper-converged infrastructure (HCI). This article lists the main features of the solution and its potential.

The trend that is emerging is the transition from a "three tier" traditional infrastructure, composed of network switches, appliance, physical systems with onboard hypervisors, storage fabric and SAN, toward hyper-converged infrastructure (HCI), where different hardware components are removed, substitutes by the "magic" of the software, able to combine the layer of compute, storage and network in one solution.

Figure 1 – "Three Tier" Infrastructure vs Hyper-Converged Infrastructure (HCI)

All this is made possible by the new operating system Windows Server 2019, that lets you use Hyper-V, a solid and reliable hypervisor, along with Software Defined Storage and Software-Defined Networking solutions. To this is added Windows Admin Center, that allows you to fully manage and with a graphical interface the hyper-converged environment. The whole is implemented on hardware specially validated by various vendors.

Figure 2 – Azure Stack HCI Solution overview

The positioning of the solution Azure Stack HCI is as follows, side-by-side with Azure and Azure Stack, but with specific and distinct purposes.

Figure 3 – Azure Family

Azure Stack HCI is an evolution of Windows Server Software-Defined solution (WSSD) available in the past with Windows Server 2016. Azure Stack HCI was inducted into the Azure family as it shares the same software-defined technologies used from Azure Stack.

Azure Stack HCI allows the execution of virtualized applications in the on-premises environment, on hardware tested and validated specifically. In order to get certified hardware is subjected to rigorous validation testing, that guarantee the reliability and stability of the solution. To consult the different solutions for Azure Stack HCI of the various hardware vendors you can access this page.

Figure 4 – Azure Stack HCI solutions hardware partners

Proper hardware sizing is critical to achieving the desired results in terms of performance and stability, Therefore, you should always use hardware solutions validated in a specific way and do not use hardware components assembled at will. This condition is also required to obtain a solution of Azure Stack HCI fully supported.

Through the use and support of the latest innovations in hardware devices, Azure Stack HCI enables you to achieve very high performance, much to achieve an important record of IOPS (-> 13.798.674) for the hyper-converged platforms, doubling the maximum performance that had been reached with Windows Server 2016.

Figure 5 - Hardware Innovations supported by Azure Stack HCI

The hyper-converged solution with Windows Server 2016 saw a big problem due to the fact that the configuration and management of the environment had to be made predominantly from the command line.

Thanks to the introduction of Windows Admin Center you have the ability to manage and control hyper-converged environment totally via web interface. Furthermore, many vendors of hardware solutions provide the Windows Admin Center extensions to enhance the management capabilities.

The following video shows the management of a hyper-converged environment from Windows Admin Center:

In software-defined storage, the Storage Space Direct technology allows you to take advantage of many features, making it a complete solution, reliable and secure.

Figure 6 – Features in software-defined storage scope

In Windows Server 2019 important improvements have been made in the field of data deduplication and compression that allow you to have a higher quantity of usable storage space.

Figure 7 – Possible disk space savings using deduplication and compression

This configuration can be achieved very easily directly from Windows Admin Center.

Figure 8 – Enabling deduplication and compression from Windows Admin Center

Azure Stack HCI can be used for smaller environments with two nodes and can scale up to a maximum of 16 nodes.

Figure 9 -Scalability of the solution

In the presence of clusters composed by exactly two nodes Windows Server 2019 you can use the Nested resiliency, a new feature in Storage Spaces Direct, introduced in Windows Server 2019, that allows you to support more faults at the same time without losing access to storage.

Figure 10 - Hardware Fault supported

Using this feature you will have a lower capacity than a classic two-way mirror, but you get better reliability, essential for hyper-converged infrastructure, exceeding the limit from previous versions of Windows Server in the presence of cluster environments with only two nodes . The nested resiliency brings together two new options in the resiliency, implemented in software and without the need for specific hardware:

Nested two-way mirror: on each server is used locally a two-way mirror, and an additional resiliency is ensured by a two-way mirror between the two servers. Actually it's a four-way mirror, where there are two copies of the data for each server.
Nested mirror-accelerated parity: mixes two-way mirror, described above, with the nested parity.

Figure 11 – Nested two-way mirror + Nested mirror-accelerated parity

Azure Stack HCI connects on-premises resources to public cloud Azure to extend the feature set, a totally different approach from Azure Stack, that allows you to adopt the Azure services on-premises, getting a totally consistent experience to the public cloud, but with resources that are located in your datacenter.

Figure 12 – Hybrid approach: Azure Stack vs Azure Stack HCI

The ability to connect Azure Stack HCI with Azure services to obtain a hybrid hyper-converged solution is an important added value that differs strongly from other competitors. Also in this case the integration can be done directly from Windows Admin Center to enjoy the following services Azure:

Azure Site Recovery to implement disaster recovery scenarios.
Azure Monitor to monitor, in a centralized way, what happens at the application level, on the network and in its hyper-converged infrastructure, with advanced analysis using artificial intelligence.
Cloud Witness to use Azure storage account as cluster quorum.
Azure Backup for offsite protection of your infrastructure.
Azure Update Management to make an assessment of the missing updates and proceed with its distribution, for both Windows and Linux systems, regardless of their location, Azure or on-premises.
Azure Network Adapter to easily connect on-premises resources with the VMs in Azure via a point-to-site VPN.
Azure Security Center for monitoring and detecting security threats in virtual machines.

Figure 13 – Windows Azure hybrid Integration services from Admin Center

Conclusions

Microsoft has made significant investments to develop, improve and make its own proposition for hyper-converged scenarios more reliable and efficient. Azure Stack HCI is now a mature solution, that exceeds the limits of previous Windows Server Software-Defined solution (WSSD) and incorporates everything you need to create a hyper-converged environment into a single product and a single license: Windows Server 2019. The ability to connect remotely Azure Stack HCI to various Azure services also make it an even more complete and functional solution.

Azure management services and System Center: What's New in May 2019

To stay up to date on news about Azure management services and System Center, our community releases this monthly summary, allowing you to have an overview of the main new features of the month. In this article you will find the news, presented in a synthetic way and accompanied with the necessary references to be able to conduct further studies.

Azure Log Analytics

New version Agent for Linux systems

This month the new agent version of Log Analytics for Linux systems introduces improvements concerning the stability and reliability. For more information about this, you can access the GitHub official page.

Availability in new regions

The availability of Azure Log Analytics has been extended for another five new regions: Central US, East US 2, East Asia, West US and South Central US.

Azure Site Recovery

Improvements in the monitor of VMware and physical systems

In the replication scenario of VMware systems and physical machines , the role Process Server acts as replication gateway, then receives replication data, performs an optimization through caching and compression mechanisms, provides encryption and sends them to the storage in the Azure environment. This role is also responsible to make the discovery of virtual machines on VMware systems. There are several factors that may impact on the smooth functioning of this component: high data change rate (churn), network connectivity, bandwidth availability, undersizing of the computing capacity required. In ASR were added different States of health that facilitate troubleshooting for this component. For each alert is also proposed corrective action deemed necessary, in order to better manage this role, essential for the proper functioning of the replication process.

Azure Backup

Network Security Group service tags for Azure Backup

Microsoft announced the ability to use within the Network Security Groups (NSGs) the service tag for Azure Backup. Using the tag AzureBackup it is possible to allow in the NSG outbound access to the Azure Backup service, so you can protect your workloads (SQL Server) on board of the virtual machines, instead of having to manage a whithelist that contains the IP addresses of the service. This is useful, in addition in the presence of the SQL Server workloads to be protected, also to make VM backup via MARS agent.

System Center Configuration Manager

New release for the Technical Preview Branch

For Configuration Manager was released the update 1905 that among the main innovations provides the ability to create application groups to be sent to collection of users or devices into a single deployment. The applications in the group can be installed with a specific order and the group will be displayed in Software Center as a single entity (suite of products).

To verify the details about what's new in this update you can see this document.

Please note that the Technical Preview Branch releases help you to evaluate new features of SCCM and it is recommended to apply these updates only in test environments.

Evaluation of Azure and System Center

To test and evaluate free of charge the services offered by Azure you can access this page, while to try the various System Center components you must access theEvaluation Center and, after registering, you can start the trial period.

Azure IaaS and Azure Stack: announcements and updates (June 2019 – Weeks: 21 and 22)

Azure

Generation 2 virtual machines in Azure in Public Preview

Generation 2 virtual machines use the new UEFI-based boot architecture vs. the BIOS-based architecture used by Generation 1 VMs. The new architecture enables customers to:

Build large virtual machines (up to 12TB)
Provision OS disks sizes that exceed 2TB, and
Leverage advanced security capabilities like SecureBoot and Virtual Trusted Platform Module (vTPM) to secure their Virtual Machines.

If you want to take advantage of these features, you can now create Generation 2 virtual machines in Azure. For a complete list of capabilities, limitations and details associated with the deployment of Generation 2 virtual machines on Azure, please refer to this documentation.

Azure DDoS Protection Standard introduces DDoS Alert integration with Azure Security Center

DDoS Protection Standard customers can view DDoS Alerts in Azure Security Center (ASC) and this capability is generally available for all ASC and DDoS Standard customers. These DDoS alerts will be available for review in the Security Center in near real-time without any setup or manual integrations required and will provide details on DDoS attacks detected and automatically mitigated by the service.

General availability of Azure NetApp Files

Azure NetApp Files, the industry’s first bare-metal cloud file storage and data management service, is general availability (GA). Azure NetApp Files is an Azure first-party service for migrating and running the most demanding enterprise file-workloads in the cloud including databases, SAP, and high-performance computing applications with no code changes. Azure NetApp Files is a fully managed cloud service with full Azure portal integration. It’s sold and supported exclusively by Microsoft. Customers can seamlessly migrate and run applications in the cloud without worrying about procuring or managing storage infrastructure. Additionally, customers can purchase Azure NetApp Files and get support through existing Azure agreements, with no up-front or separate term agreement.

OpenVPN support in Azure VPN gateways

Microsoft announced the General Availability (GA) of OpenVPN protocol in Azure VPN gateways for P2S connectivity. Form more details you can read this article.

Azure Mv2 Virtual Machines are generally available

Azure Mv2-series virtual machines are hyper-threaded and feature Intel® Xeon® Platinum 8180M 2.5GHz (Skylake) processor, offering up to 208 vCPU in 3TB and 6 TB memory configurations. Mv2 virtual machines provide unparalleled computational performance to support large in-memory databases and workloads such as SAP HANA and SQL Hekaton. Mv2-series VMs are certified by SAP for SAP HANA OLTP and OLAP production workloads. Mv2 VMs are available in US East and US East 2 regions. Mv2 VMs in U.S. West 2, Europe West, Europe North and Southeast Asia regions will become available in the coming months.

Azure Stack

Azure App Service on Azure Stack 1.6 (Update 6) Released

This release updates the resource provider and brings the following key capabilities and fixes:

Updates to App Service Tenant, Admin, Functions portals and Kudu tools. Consistent with Azure Stack Portal SDK version.
Updates to Kudu tools to resolve issues with styling and functionality for customers operating disconnected Azure Stack.
Updates to core service to improve reliability and error messaging enabling easier diagnosis of common issues.

All other fixes and updates are detailed in the App Service on Azure Stack Update Six Release Notes. The App Service on Azure Stack Update 6 build number is 82.0.1.50.

Azure Networking: Point-to-Site VPN access and what's new

Among the different possibilities to establish a hybrid connectivity with the Azure cloud exist VPN Point-to-Site (P2S). Through the VPN P2S you can enable connectivity from one location to the Azure environment, easily and securely. It is a useful solution to allow communication from remote locations to the Virtual Network of Azure, mostly used for test and development purposes. Can be activated alternatively to Site-to-Site VPN if you must provide connectivity to Azure for a very limited number of systems. This article describes the features of this connectivity and displays the latest news about.

To establish hybrid connectivity with Azure we can use different methodologies, each of which has different characteristics and may be eligible for specific scenarios, providing different levels of performance and reliability.

Figure 1 – Options to enable hybrid connectivity with Azure

The Point-to-Site VPN definitely provide a more limited set of features compared to other hybrid connectivity options and are appropriate in specific cases, where only a limited number of places should be connected to the Azure environment. The P2S connection is established by starting directly from the remote system and in the solution are not expected native systems to activate it in an automatic way.

Figure 2 – Comparison of hybrid connectivity options

Protocols used by the P2S VPN

The Point-to-site VPNs can be configured to use the following protocols:

OpenVPN®: is a protocol recently added in Azure, but already widely used by different solutions, that enriches this type of connectivity. This is an SSL/TLS based VPN Protocol, that due to its characteristics more easily traverses firewalls. Furthermore, it is compatible with different platforms: Android, IOS (version 11.0 and above), Windows, Linux and Mac devices (OSX version 10.13 and later).
Secure Socket Tunneling Protocol (SSTP): This is a Microsoft proprietary VPN protocol based on SSL and it can easily cross firewalls, but has the limitation that can only be used by Windows systems. In particular, Azure supports all versions of Windows that include SSTP (Windows 7 and newer).
IKEv2: This is an IPsec VPN solution that can be used by different client platforms, but in order to function it requires that in the firewall are permitted specific communications. IKEv2 is supported on Windows 10 and Windows Server 2016, but in order to use it you need to install specific updates and set certain registry keys. Previous versions of the OS are not supported and can only use SSTP, orOpenVPN®.

Figure 3 – OpenVPN Protocols® and IKEv2 compared

The Point-to-Site VPN require the presence of a VPN gateway on the active virtual network of Azure and depending on the SKU vary the maximum number of possible connections. It should also be taken into account that the VPN Gateway Basic does not support IKEv2 and OpenVPN protocols.

Figure 4 – Gateway SKU in comparison for VPNs P2S

Coexistence between the P2S VPN and S2S VPN for the same virtual network is possible only in the presence of VPN gateway RouteBased.

Supported client authentications

Point-to-site VPN access provides the ability to use the following authentication methods:

Azure native authentication using certificates. With this mode, the authentication takes place via a client certificate present on the device that needs to connect. Client certificates are generated by a trusted root certificate and must be installed on each system to connect. The root certificate can be issued by an Enterprise solution, or you can generate a self-signed certificate. The client certificate validation process is performed by the VPN gateway while attempting to connect the P2S VPN. The root certificate must be loaded into the Azure environment and is required for the validation process.
Authentication using Active Directory (AD) Domain Server. Thanks to this type of authentication users can authenticate using domain credentials. This methodology requires a RADIUS server integrated with AD. RADIUS system can be deployed on-premises or in the VNet of Azure. Using this mechanism, during the authentication process, the Azure VPN Gateway communicates with the RADIUS system, therefore it is essential to provide this communication flow. If the RADIUS server is deployed on-premises, must therefore be a connectivity through S2S VPN with on-premises systems. The RADIUS server can use certificates issued by an internal Certification Authority as an alternative to certificates issued by Azure, with the advantage that it is not necessary to manage Azure upload root certificates and certificate revocation. Another important aspect is that the RADIUS server can be integrated with third-party authentication mechanisms, thus opening the possibility of also use multifactor authentication for P2S VPN access. At the moment the OpenVPN® Protocol is not supported with RADIUS authentication.

Conclusions

Point-to-Site VPNs (P2S) can be very useful to provide connectivity to the Azure Virtual Networks in very specific scenarios. Thanks to the introduction of the support to OpenVPN® protocol it is possible to activate more easily and from different devices (Windows, Mac and Linux), without neglecting safety aspects.

Azure IaaS and Azure Stack: announcements and updates (May 2019 – Weeks: 19 and 20)

Azure

Public IP Prefix

A Public IP prefix is a reserved range of static IP addresses that can be assigned to your subscription. You can use a prefix to simplify IP address management in Azure. Knowledge of the range ahead of time eliminates the need to change firewall rules as you assign IP addresses to new resources. This predictability significantly reduces management overhead when scaling in Azure. Public IP Prefix is available in all Azure public regions, Government cloud regions and China cloud regions.

Azure Premium Files preview

Azure Premium Files preview is available. Premium Files is a new performance tier for Azure Files, which is designed for IO intensive workloads with low latency and higher throughput requirements. Premium files storage provides consistent low latency and offers high throughput and IOPS that scales with your storage. Premium tier provides 20x capacity, 100x IOPS and 170x throughput as compared to the existing standard tier. For more details, see the Premium Files redefines limits for Azure Files blog.

Update rollup for Azure File Sync Agent: May 2019

An update rollup for the Azure File Sync agent was released today.

Improvements and issues that are fixed:

Windows Admin Center fails to display the agent version and server endpoint configuration on servers which have Azure File Sync agent version 6.0 installed.

More information about this update rollup:

This update is available for Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019 installations that have Azure File Sync agent version 4.0.1.0 or later installed.
The agent version of this update rollup is 6.1.0.0.
A restart may be required if files are in use during the update rollup installation.
Installation instructions are documented in KB4489737.

Azure File Sync is supported in West US 2 and West Central US

Azure File Sync is now supported in West US 2 and West Central US

Azure Cost Management multi-cloud for AWS is in preview

Azure Cost Management for AWS is now in public preview and you can manage your AWS spend along your Azure spend in Azure Cost Management. Features like cost analysis and budgets are availble as part of this feature as well, helping simplify your cost management practice on multi-cloud scenarios.

Advanced Threat Protection for Azure Storage is generally available

Advanced Threat Protection (ATP) for Azure Storage provides an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit storage accounts. This layer of protection allows you to protect and address concerns about potential threats to your storage accounts as they occur, without needing to be an expert in security. To learn more, see Advanced Threat Protection for Azure Storage or read about the ATP for Storage price in Azure Security Center pricing page.

Ephemeral OS Disk in Public Preview

Ephemeral OS disks work well for stateless workloads, where applications are tolerant of individual VM failures and are more concerned about the time it takes to deploy at scale or to reimage the individual VMs. In addition, Ephemeral OS disk is free i.e., you incur no storage cost for the Ephemeral OS disk.

Azure Serial Console updated

The Azure Serial Console is an invaluable tool in troubleshooting scenarios where you may be unable to connect to your VM. In addition to VMs, you may now use the Serial Console to troubleshoot and diagnose connectivity issues with your Virtual Machine Scale Set (VMSS) instances. To use Serial Console on a VMSS instance, enable boot diagnostics on the VMSS model and ensure that your instances have been upgraded to the latest model. Use Serial Console just as you would with a VM to troubleshoot and diagnose connectivity issues. In addition, improved language support means that you can now troubleshoot your VMs and VMSS instances in a variety of languages.

Adaptive network hardening in public preview

One of the biggest attack surfaces for workloads running in the public cloud are connections to and from the public Internet. Our customers find it hard to know which Network Security Group (NSG) rules should be in place to make sure that Azure workloads are only available to required source ranges. With this feature, Security Center learns the network traffic and connectivity patterns of Azure workloads and provides NSG rule recommendations, for Internet facing virtual machines. This helps our customer better configure their network access policies and limit their exposure to attacks.

Azure ExpressRoute is generally available in additional locations

Azure ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private connection facilitated by a connectivity provider. The ExpressRoute footprint is expanding to eight new locations:

Amsterdam2
Frankfurt
London2
Perth
Silicon Valley2
Taipei
Washington DC2
Zurich

Red Hat Enterprise Linux BYOS images now available

Red Hat Enterprise Linux images are now available as both BYOS and PAYG offers.

Azure Lab Services update: Address range feature available

In Azure Lab Services was added the ability to provide address range of virtual machines for the labs. This is useful for scenarios where licensing servers for an application on the lab virtual machines only accept a specific range of IP addresses.

Azure Virtual Machine PowerOff available with fast shutdown

The Azure Compute Virtual Machines API has now been updated to allow users to forcefully skip the graceful shutdown period when executing a power off command. This may be useful in situations where a VM may need to be quickly powered off and the risk for data loss or corruption can be ignored. To use this feature, ensure the skipShutdown flag is added to your API or SDK calls.

High-Performance Computing Virtual Machines in new regions

HB-series, designed to provide supercomputer-grade performance and scalability with the best price-performance on the public cloud, are Generally Available in South Central US and Western Europe.

Reserved instance pricing in the Dev/Test Offer

Reserved instances discounts are available for VMs and Azure SQL Database instances created in Dev/Test offer subscriptions. Dev/Test offer provides you a cost-effective way to run your development and testing workloads and with the support of Reserved instances, you can enjoy additional savings and have more purchase controls for your development and test workloads.

How to discover and optimize cloud costs with Azure Cost Management

One of the main features of the cloud is the ability to create new resources with ease and speed. At the same time an important and fundamental challenge is to be able to keep under control the expenses to be incurred for the resources created in the cloud. The tool Azure Cost Management makes it easy to find from which services are generated costs, prevent unnecessary costs and optimize resource costs. This article lists the characteristics of the solution and provides guidance in order to best use it for maximize and optimize investments in cloud resources.

Features of the solution

Azure Cost Management is enabled by default and accessible from Azure portal for all Microsoft Enterprise Agreement and Pay-As-You-Go subscriptions. The availability of the solution for CSP subscriptions (Cloud Solution Providers) is scheduled for the second half of the year. Azure Cost Management contemplates the Azure services, including reservations, and cost data by the use of third-party solutions coming from the Azure Marketplace. All costs shown are based on negotiated prices and the data is updated every four hours.

Azure Cost Management allows you to do the following regarding the cost of cloud resources.

Monitor the cloud costs

With this solution you can provide, to the various departments involved in the use of cloud resources, cost visibility of resources for which they are responsible. Furthermore, you have the option to go into detail and view the trend of costs with a very intuitive and interactive experience. From section Cost analysis you can view the costs, with a chance to put filters on time period and eventually group them according to different parameters.

Figure 1 – Cost analysis – costs accumulated in the last month

Setting for the selected period the daily granularity you can have a graph that shows precisely the day-by-day costs.

Figure 2 – Cost analysis – costs incurred daily

Azure Cost Management also offers the possibility to export the data to Excel or CSV, after setting the required view in section Cost analysis.

Figure 3 -Export the data view created in Cost analysis

The downloaded file contains details about the context used for file generation:

Figure 4 – Summary of Excel sheet created

This feature can be useful for detailed analysis that require a consolidation of this information with other data.

In case there is a need for more functionality in terms of integration and customization you can use Power BI connectors for the creation of specific dashboards and Azure Cost Management APIs to process information with other solutions.

Assignment of responsibility to the various project teams

To raise awareness of the various project teams by making adequate use of resources in terms of spending, you can define your budget. So you can get a significant cost optimization, with no impact in terms of agility in creating resources .

Figure 5 – Creating a budget

When creating a budget it is defined a spending for a certain period of time and you can set the alert to warn those directly responsible when it reaches a certain percentage of the preset threshold.

Optimization of costs

Although you may opt to manage the various Azure resource costs to team by giving them a budget, you can not always be assumed to know how to optimize resource efficiency and reduce costs. Azure Cost Management is able to provide specific recommendations to achieve cost savings.

Figure 6 – Advisor recommendations

In the specific case, to optimize Azure resource costs , it is recommended the purchase ofVirtual Machine Reserved Instances (VM RIs), estimating the annual savings that could be obtained by adopting VM RIs.

Azure Cost Management will soon be enriched with a new feature (currently in public preview) involving the management of costs incurred in the AWS, with the same characteristics as shown for Azure. This integration simplifies management of costs in multi-cloud scenarios.

The Cost of the Solution

You can use Azure Cost Management for free, in all its features, for the Azure environment. As for the management of AWS costs is expected, in the final release, a charge equal to 1% of total spend managed for AWS. For more details on the cost of the solution you can consult the pricing of Cost Management.

Conclusions

Azure Cost Management is a great tool that allows you to maintain complete visibility of costs and to drive you to have a better manage of the expenses in the cloud resources. Thanks to the flexibility of this tool, constantly evolving, you can get the most from the investment in the cloud easily and intuitively.

Azure DNS overview

The Microsoft public cloud offers various services including Azure DNS, that allows you to host and manage domains DNS (Domain Name System) public and private in the Azure environment. This article lists the characteristics of the solution, the possible use cases and discusses the advantages of adopting this solution.

Public name resolution

The Azure DNS service can be used to resolve public domain names. Azure does not allow direct purchase of public domains, but assuming that you have a public domain, you can use the Azure DNS to resolve domain names.

To do so you need to proceed with the creation of a Dns Zone, this is the procedure to activate it from the portal Azure:

Figure 1 – Creation of DNS Zone

In the activation process of a DNS zone you are prompted to specify the location of the Resource Group, that determines where the metadata associated with the DNS zone are maintained. The Azure DNS service is indeed global and not associated with a specific Azure location.

The creation process is very quick and, at the end of the service creation, you can identify the name servers that you can use for the zone created.

Figure 2 - Name Servers for DNS zone created

After you create the DNS zones in Azure, you must delegate the name resolution for the domain to name servers in Azure. Every Registar has its own tool for managing names, where you can specify NS records, making them point to the four Name Servers provided by Azure DNS service.

At this point you can add and manage any public DNS records on yours DNS zone hosted in Azure environment.

Figure 3 — Add a DNS record

Private name resolution

In Azure Virtual Networks the DNS is integrated into the platform and it is available by default, which allows the resolution of the system names on them attested (Azure-provided). Alternatively, you can specify custom DNS Servers. The Azure DNS service extends these capabilities by enabling new scenarios, thanks to the possibility to use the Azure DNS service, not only to handle name resolution for public domains, currently in preview, you are given the option to enable a private DNS zone. For private DNS zones the virtual networks that can take advantage of the name resolution service, are called resolution virtual networks. While the registration virtual network are those VNet for which it is expected the maintenance of the hostname when you create a VM, when this changes its IP address, or when it is removed.

The creation of a private DNS zone can be done with PowerShell commands and not by the portal Azure.

Figure 4 – PowerShell commands for creating a private DNS zone

By using the PowerShell command New-AzDnsZone you can specify that it is a private zone with parameter ZoneType valued at Private. If you want to use the private zone just for name resolution, without making any future automatic creation of DNS records, you can specify the parameterResolutionVirtualNetworkId, otherwise, if you want the automatic registration of names you should specify the parameterRegistrationVirtualNetworkId. In this regard, currently the initial pairing as RegistrationResolution Virtual Network is only possible if the VNet has not attested systems on it.

At the end of the execution of the PowerShell commands it will be possible to see the private zone also in the Azure portal. The private zones at the moment are distinguished from the others because it does not have the list of Name Servers. It is still possible to register and manage your DNS records, not only using PowerShell or CLI, but also from the portal.

Figure 5 -Example of private DNS zone in the Azure Portal.

Usage scenarios

The presence of the Private Zone in the Azure DNS service allows to be adopted in different scenarios.

Name resolution for a single Virtual Network

This scenario has a single virtual network that takes advantage of the Azure private DNS to resolve internal names. That resolution is totally private and can be used by all resources attested on that specific VNet.

Figure 6 - Azure Private DNS for a single VNet

Name resolution between different Virtual Networks

This scenario is commonly used when multiple virtual networks have access to the same Azure private DNS service. The adoption of this scenario is typical in the presence of architectures Hub-Spoke, where the Hub network can be associated with the private Azure DNS zone in mode Registration, while the various spoke networks may be associated as Resolution virtual network.

Figure 7 – Azure Private DNS for two VNet

Split-Horizon capabilities

It falls in this scenario when for the same DNS zone there is the need to obtain different resolution of the names depending on where the client is located, Azure environment or in Internet.

Figure 8 – Azure Private DNS in a Split-Horizon scenario

The Cost of the Solution

The Azure DNS cost is given by two elements:

Number of DNS zones hosted in Azure (public or private).
Number of DNS queries received.

To get the details of the Azure DNS costs you can see the official page.

Advantages

The ability to host DNS zones in Azure introduces a number of benefits, including:

The DNS service can be provided using the native tools offered by the Azure platform, without having to use custom DNS solutions, thus saving on time and costs.
The service allows you to use all the most common types of DNS records: In, AAAA, CNAME, MX, PTR, SOA, SRV, and TXT.
It provides automatic management of the DNS records for virtual machines on specific Azure Virtual Networks.
Private DNS name resolution can be shared between different Virtual Networks, unlike as it offers the service of name resolution provided by default on the VNet. This expands possible usage scenarios and simplify the architecture, thanks to the Split-horizon capabilities.
The solution can be fully managed via the Azure tools (PowerShell, Azure Resource Manager templates, and REST API), reducing the learning curve for the actual adoption.

Conclusions

The Azure DNS service allows you to host your own DNS domains in Azure, providing the ability to manage them with the same credentials, the same billing policies and support of the other Azure services. The introduction of Private Azure DNS Zones introduces an important element that, when it is officially released, will be taken into consideration in the design of Azure architectures, in order to simplify them and make them more efficient. Azure DNS also provides reliability, scalability, security and availability, as it is based on the Microsoft global network, hardly obtainable with third-party solutions.

Azure IaaS and Azure Stack: announcements and updates (April 2019 – Weeks: 17 and 18)

Azure

Azure VMware Solutions

Microsoft Corp. and Dell Technologies announced they are expanding their partnership to address a wider range of customer needs and help accelerate digital transformations. Through this collaboration, the companies will deliver a fully native, supported, and certified VMware cloud infrastructure on Microsoft Azure.

Azure VMware Solutions are built on VMware Cloud Foundation, a comprehensive offering of software defined compute, storage, networking and management, deployed in Azure. With these solutions, customers can capitalize on VMware’s broadly deployed and trusted cloud infrastructure while experiencing the power of Microsoft Azure.

Azure VMware Solutions give customers the power to seamlessly migrate, extend and run existing VMware workloads from on-premises environments to Azure without the need to re-architect applications or retool operations. Customers will be able to build, run, manage, and secure new and existing applications across VMware environments and Microsoft Azure while extending a single model for operations based on established tools, skills and processes as part of a hybrid cloud strategy. Some of the more popular customer scenarios Azure VMware Solutions will support are app migration and datacenter expansion, disaster recovery, and business continuity and modern application development.

Azure Firewall – Price Reduction

Azure Firewall pricing includes a fixed hourly cost ($1.25/firewall/hour) and a variable per GB processed cost to support auto scaling. Microsoft are announcing a price reduction, effective 01/05/2019, for the firewall per GB cost to $0.016/GB (-46.6%) to ensure that high throughput customers maintain cost effectiveness. There is no change to the fixed hourly cost.

Azure Application Gateway Standard v2 and WAF v2 SKUs

Application Gateway is Azure’s Application Delivery Controller as-a-service offering which provides customers with layer 7 load balancing, security and WAF functionality.

Azure Application Gateway Standard v2 and WAF v2 SKUs are generally available and fully supported with a 99.95 SLA. The v2 SKUs also offer the following additional capabilities to Application Gateway and WAF:

Faster provisioning and configuration update time.
Static VIPs ensure that the Application Gateway VIP will not change over its lifecycle.
Autoscaling allows elasticity to your application enabling it to scale up or down based on application traffic pattern. This also eliminates the need to run Application Gateway at peak provisioned capacity, thus significantly saving cost.
Improved performance offers better application performance and also helps reduce overall cost.
Zone redundancy enables your Application Gateway to survive zonal failures, thereby offering better resilience to your applications.
Header Rewrite allows you to add, remove, or update HTTP request and response headers allowing applications to enable various scenarios like HSTS support, securing cookies, changing cache controls, etc. without changing application code.

For more information about the capabilities available, please visit the Application Gateway documentation webpage.

Azure File Sync v6

Azure File Sync Agent v6 is available.

Improvements and issues that are fixed

Agent auto-update support
Support for Azure file share ACLs
Parallel upload and download sync sessions for a server endpoint
New Cloud Tiering cmdlets to get volume and tiering status
Support for FIPS mode
Miscellaneous reliability improvements for cloud tiering and sync

For more details, see KB4489736.

Agent installation notes

This update is available for Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019 installations.
Azure File Sync agent version 4.0.1.0 or a later version is required to upgrade existing agent installations.
A restart may be required if files are in use during the update rollup installation.
The agent version for the v6 release is 6.0.0.0.
Installation instructions are documented in KB4489736.

Azure management services and System Center: What's New in April 2019

Microsoft announces constantly news about Azure management services and System Center. Our community releases on a monthly basis this summary that provides a general overview of the main new features of the current month, in order to stay up to date on these news and have the necessary references to conduct further study.

Azure Log Analytics

Agent

This month the new version ofLog Analytics agent for Linux systems fixes important bugs and improves stability. To obtain the updated version of the Log Analytics agent you can access to the GitHub official page.

Figure 1 – News of the new release of Log Analytics agent

Availability in new regions

The availability of Azure Log Analytics has been extended into three new regions: France Central, Korea Central, and North Europe. Furthermore, it can be activated in preview in the following regions: Central US, East US 2, East Asia, West US and South Central US.

Azure Automation

New features in Azure Update Management

Azure Management Update added the option to have as a target of patch deployment groups of virtual machines, generated by queries that rely on native Azure concepts (such as resource group, location, and tags). The virtual machines can be added dynamically to existing patch deployment based on defined criteria.

System Center Configuration Manager

End of support for SCCM 2007 and FEP 2010

Please note that the support for System Center Configuration Manager 2007 and Forefront Endpoint Protection (FEP) 2010 end on 9 July 2019. After this date will be discontinued by Microsoft: updates (security and non), assisted support and for FEP Microsoft will no longer releases antivirus signatures and engine updates. For those who are using these products it is time to consider switching to the latest version of SCCM.

New releases for the Technical Preview Branch

Released version 1903

For Configuration Manager was released the update 1903 and among other changes was the ability to use a new tool for cost estimates for the deployment of cloud management gateway.

Figure 2 – SCCM Clooud Cost Estimator

For full details of what's new in this release you can consult this document.

Released version 1904

For Configuration Manager was also released the update 1904 which includes new dashboards to identify the devices ready to be upgraded to Office 365 ProPlus.

To verify the details about what's new in this update you can see this document.

Please note that the Technical Preview Branch releases help you to evaluate new features of SCCM and it is recommended to apply these updates only in test environments.

System Center Operations Manager

Support for Windows Server 2012 and for SCOM 2019

After the release of SCOM 2019, Microsoft has decided to change the support statement to allow even the monitor of systems Windows Server 2012. To see the full list of System requirements for System Center Operations Manager 2019 you can consult this document.