Category Archives: Microsoft Azure

Azure IaaS and Azure Stack: announcements and updates (February 2019 – Weeks: 07 and 08)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Serial console for Azure Virtual Machines (feature update)

The serial console for Azure Virtual Machines enables you to reboot your VM from within the console experience. This ability will help you if you want to reboot a stuck VM or enter the boot menu of your VM.

Azure File Sync v5 release

Improvements and issues that are fixed:

Support for Azure Government cloud
- Added preview support for the Azure Government cloud. This requires a white-listed subscription and a special agent download from Microsoft.
Support for Data Deduplication
- Data Deduplication is now fully supported with cloud tiering enabled on Windows Server 2016 and Windows Server 2019. Enabling deduplication on a volume with cloud tiering enabled lets you cache more files on-premises without provisioning more storage.
Support for offline data transfer (e.g. via Data Box)
- Easily migrate large amounts of data into Azure File Sync via any means you choose. You can choose Azure Data Box, AzCopy and even third party migration services. No need to use massive amounts of bandwidth to get your data into Azure, in the case of Data Box.
Improved sync performance
- Customers with multiple server endpoints on the same volume may have experienced slow sync performance prior to this release. Azure File Sync creates a temporary VSS snapshot once a day on the server to sync files that have open handles. Sync now supports multiple server endpoints syncing on a volume when a VSS sync session is active. No more waiting for a VSS sync session to complete so sync can resume on other server endpoints on the volume.
Improved monitoring in the portal
- Charts have been added in the Storage Sync Service portal to view:
  - Number of files synced
  - Size of data transferred
  - Number of files not syncing
  - Size of data recalled
  - Agent connectivity status
Improved scalability and reliability
- Maximum number of file system objects (directories and files) in a directory has increased to 1,000,000. Previous limit was 200,000.
- Sync will try to resume data transfer rather than retransmitting when a transfer is interrupted for large files

Agent installation notes:

The Azure File Sync agent is supported on Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019.
Azure File Sync agent version 4.0.1.0 or a later version is required to upgrade existing agent installations.
A restart may be required if files are in use during the installation.
The agent version for the v5 release is 5.0.2.0.

Installation instructions are documented in KB4459989.

Service tags are available in Azure Firewall network rules

A service tag represents a group of IP address prefixes to help minimize complexity for security rule creation. You cannot create your own service tag, nor specify which IP addresses are included within a tag. Microsoft manages the address prefixes encompassed by the service tag, and automatically updates the service tag as addresses change. Azure Firewall service tags can be used in the network rules destination field. You can use them in place of specific IP addresses. Service tags are fully supported in all public regions using PowerShell/REST/CLI by simply including the tag string in a network rule destination field. Portal support is being rolled out and will incrementally be available in all public regions in the near future.

Azure IaaS and Azure Stack: announcements and updates (February 2019 – Weeks: 05 and 06)

Azure

Standard Load Balancer and Standard Public IP are available in Azure Government

Azure Standard Load Balancer and Standard Public IP are now generally available in Azure Government cloud regions. Standard Load Balancer offers resiliency and ease of use for all your virtual machine resources inside a virtual network. It supports inbound and outbound scenarios, provides low latency and high throughput, and scales up to millions of flows for all TCP and UDP applications. You can use load-balancing rules with TCP/HTTP/HTTPS health probes, HA port load-balancing rules for network virtual appliances, inbound NAT rules for port forwarding, and outbound rules to scale and tune your outbound connectivity.

Global VNet Peering in Azure China cloud

Global VNet Peering is generally available in all Azure China cloud regions. This means you can peer virtual networks across the China cloud regions. You cannot peer across Azure China and Azure public cloud regions.

General availability of the Lsv2-series Azure Virtual Machines (VMs)

The Lsv2-series is well suited for your high throughput and high IOPS workloads including big data applications, SQL and NoSQL databases, data warehousing, and large transactional databases. The Lsv2-series features high throughput, low latency, and directly mapped local NVMe storage. The Lsv2 VMs run on the AMD EPYCTM 7551 processor with an all core boost of 2.55GHz. The Lsv2-series VMs offer various configurations from 8 to 80 vCPUs with simultaneous multi-threading. Each VM features 8 GiB of memory and one 1.92TB NVMe SSD M.2 device per 8 vCPUs, with up to 19.2TB (10 x 1.92TB) available on the 80vCPU L80s v2.

M-series virtual machines (VMs) are available in Australia Central 2 region

Azure M-series VMs are now available in the Australia Central 2 region. M-series VMs offer configurations with memory from 192 GB to 3.8 TiB (4 TB) RAM and are certified for SAP HANA.

Account failover for Azure Storage (public preview)

The preview for account failover for customers with geo-redundant storage (GRS) enabled storage accounts is available. Customers using GRS or RA-GRS accounts can take advantage of this functionality to control when to failover from the primary region to the secondary region for their storage accounts. If the primary region for your geo-redundant storage account becomes unavailable for an extended period of time, you can force an account failover. When you perform a failover, all data in the storage account is failed over to the secondary region, and the secondary region becomes the new primary region. The DNS records for all storage service endpoints – blob, Azure Data Lake Storage Gen2, file, queue, and table – are updated to point to the new primary region. Once the failover is complete, clients can automatically begin writing data to the storage account using the service endpoints in the new primary region, without any code changes.

Reserved instances applicable to classic VMs, cloud services, and Dev/Test subscriptions

Classic VMs, Cloud Services users, Enterprise Dev/Test and Pay-As-You-Go Dev/Test subscriptions can now benefit from the RI discounts.

Resource group control for Azure DevTest Lab

As a lab owner, you now have the option to configure all your lab virtual machines (VMs) to be created in a single resource group. This helps prevent you from reaching resource group limits on your Microsoft Azure subscription. The feature will also help by enabling you to consolidate all your lab resources within a single resource group. In result this will simplify tracking those resources and applying policies to manage them at the resource group level.

Azure Stack

Azure Stack 1901 update

The update includes improvements, fixes, and new features for Azure Stack. This update package is only for Azure Stack integrated systems. Do not apply this update package to the Azure Stack Development Kit. The Azure Stack 1901 update build number is 1.1901.0.95.

Azure IaaS and Azure Stack: announcements and updates (January 2019 – Weeks: 03 and 04)

Azure

Azure Guest OS Family 6 (Windows Server 2019)

Azure Guest OS Family 6, based on Windows Server 2019, is now generally available. Windows Server 2019 is the operating system that bridges on-premises environments with Azure, adding layers of security while helping you modernize your applications and infrastructure.

Azure Availability Zones in East US 2

Azure Availability Zones, a high-availability solution for mission-critical applications, is generally available in East US 2.

Availability Zones are physically separate locations within an Azure region. Each Availability Zone consists of one or more datacenters equipped with independent power, cooling, and networking. With the introduction of Availability Zones, Microsoft offers a service-level agreement (SLA) of 99.99% for uptime of virtual machines.

Update rollup for Azure File Sync Agent: January 2019

An update rollup for the Azure File Sync agent was released and addresses the following issues:

Files are not tiered after upgrading the Azure File Sync agent to version 4.x.
AfsUpdater.exe is now supported on Windows Server 2019.
Miscellaneous reliability improvements for sync.

More information about this update rollup:

This update is available for Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019 installations that have Azure File Sync agent version 4.0.1.0 or later installed.
The agent version of this update rollup is 4.3.0.0.
A restart may be required if files are in use during the update rollup installation.
Installation instructions are documented in KB4481059.

Azure Migrate is available in Asia and Europe

Azure Migrate now supports Asia and Europe as migration project locations. This means that you can now store your discovered metadata in Asia (Southeast Asia) and Europe (North Europe/West Europe) regions.

In addition to Asia and Europe, Azure Migrate also supports storing the metadata in United States and Azure Government geographies. Support for other Azure geographies is planned for the future.

Note that the project geography does not restrict you from planning your migration for a different target location. Azure Migrate supports more than 30 regions as assessment target locations. The project geography is only used to store the discovered VM metadata.

M-series virtual machines (VMs) are available in Australia Central region

Azure M-series VMs are available in the Australia Central region. M-series VMs offer configurations with memory from 192 GB to 3.8 TiB (4 TB) RAM and are certified for SAP HANA.

Azure Governance: introduction to Azure Policy

IT governance is the process through which an organization can ensure an effective and efficient use of IT resources, in order to achieve their goals. Azure Policy is a service available in the Microsoft public cloud that can be used to create, assign and manage policies to control the resources in Azure. Azure Policy, natively integrated into the platform, are a key element for the governance of the cloud environment. In this article, the principles of operation and features of the solution are reported.

In Azure environments you can find different subscriptions on which develop and operate several groups of operators. The common requirement is to standardize, and in some cases impose, how to configure the resources in the cloud. All this is done to obtain specific environments that meet compliance regulations, monitor security, resource costs and standardize the design of different architectures. These goals can be achieved with a traditional approach, that includes a block of operators (Dev/Ops) in the direct access to cloud resources (through the portal, API or cli). This traditional approach is, however, inflexible, because it involves a loss of agility in controlling the deployment of resources. Instead, using the mechanism that comes natively from Azure platform is possible to drive the governance to achieve the desired control, without impacting speed, the basic element in the operations of the modern IT.

Figure 1 – Traditional approach vs cloud-native governance

In Azure Policy you can do the following reported:

Enable built-in policy or configure them to meet your needs.
Perform real-time evaluation of the criteria set out in the policy and force execution.
Assess the compliance of the policy periodically or on request.
Enable audit policy on the virtual machine guest environment (Vm In-Guest Policy).
Apply policies on Management Groups in order to gain control over the entire organization.
Apply multiple criteria and aggregate the various states of the policies.
Configure scope over which the exclusions are applied.
Enable real-time remediation steps, also for existing resources.

All this translates into the ability to apply and enforce policy compliance on a large scale and its remediation actions.

The working mechanism of the Azure Policy is simple and integrated into the platform. When a request is made for an Azure resource configuration using ARM, this is intercepted by the layer containing the engine that performs the evaluation of policy. This engine makes an assessment based on active Azure policies and establishes the legitimacy of the request.

Figure 2 – Working principle of Azure Policy in creating resources

The same mechanism is then repeated periodically or upon request, to assess the compliance of existing resources.

Figure 3 – Working principle of Azure Policy in resource control

Azure already contains many built-in policies ready to be applied. Furthermore, in this GitHub repository you can find different definitions of Azure Policies, that can be used directly or modified to suit your needs. The definition of the Azure Policy is made in JSON and follows a well defined structure, described in this Microsoft's document. You also have the possibility of creating Initiatives, they are a collection of multiple policies.

Figure 4 – Example of defining a Azure Policy

When you have the desired policy definition, it is possible to assign it to a subscription and possibly in a more limited way to a specific Resource Group. You also have the option of excluding certain resources from the application of the policy.

Figure 5 – Process of assigning an Azure Policy

Following the assignment, you can evaluate the State of compliance in detail and if it is necessary apply remediation actions.

Figure 6 – State of compliance

Figure 7 -Example of remediation action

Conclusions

Through the use of Azure Policy you can totally control your own Azure environment, in a simple and efficient way. Statistics provided by Microsoft cite that considering the 100 top Azure Customers, 92 these use Azure Policy to control their environment. This is because, when you increase the complexity and amount of services on Azure is essential to adopt instruments, as Azure Policy, to have effective governance policies.

Azure IaaS and Azure Stack: announcements and updates (January 2019 – Weeks: 01 and 02)

Azure

Azure Migrate is available in Azure Government and Azure Asia

Azure Migrate now supports Azure Government and Azure Asia as a migration project location. This means that you can store your discovered metadata in an Azure Government region (US Gov Virginia) and in Asia region (Southeast Asia).

General availability of Azure Data Box Disk

Azure Data Box Disk, an SSD-based solution for offline data transfer to Azure is now available in the US, EU, Canada, and Australia, with more country/regions to be added over time. Microsoft also is launching the public preview of Azure Data Box Blob Storage. When enabled, this feature will allow you to copy data to Blob Storage on Data Box using blob service REST APIs.

Azure Networking: security services overview

In the modern era of cloud computing, the tendency is to move more frequently workloads in the public cloud and to use hybrid cloud. Security is often perceived as an inhibitor element for the use of cloud environments. Can you extend the datacenter to the cloud while maintaining a high level of network security? How to ensure safe access to services in the cloud and with which tools? One of the main reasons to use Azure, for your own applications and services, is the possibility to take advantage of a rich set of functionality and security tools integrated in the platform. This article will be a overview of network security services in Azure, reporting guidelines and useful tips to best utilize the potential of the platform, in order to structure the network in Azure respecting all security principles.

In field Azure Networking are available different services for enabling connectivity to distinct environments, according to different modes, to activate the protection of the network and to configure the application delivery. All these services are integrated with monitor systems offered by Azure, going to create a complete ecosystem for the provision of network services.

Figure 1 – Azure Networking Services

In order to configure the network protection for Azure we find the following services, available natively in the platform.

Network Security Group (NSG)

Network Security Groups (NSGs) are the main tool to control network traffic in Azure. Through the rules of deny and permit you can filter communications between different workloads on an Azure virtual network. Furthermore, you can apply filters on communications with systems that reside on-premises, connected to the Azure VNet, or for communications to and from Internet. Network Security Groups (NSGs) can be applied on a specific subnet of a Azure VNet or directly on the individual network adapters of Azure virtual machines. The advice is to apply them if possible directly on the subnet, to have a comprehensive and more flexible control of ACLs. The NSGs can contain rules with Service Tags, that allow you to group with predefined categories of IP addresses, including those assigned to specific Azure services (ex. AzureMonitor, Appservice, Storage, etc.).

The rules of the Network Security Groups can also be referenced Application Security Groups (ASGs). These are groups that contain network adapters of virtual machines on Azure. ASGs allow you to group multiple servers with mnemonic names, useful in particular for dynamic workloads. The Application Security Groups also enable you no longer have to manage in the rules of NSGs IP addresses of Azure virtual machines , as long as these IPs are related to VMs attested on the same VNet.

Figure 2 -Example of a NSG rule that contains a Service Tag and ASG

Figure 3 - Graphical display of network traffic segregation via NSG

Service Endpoints

Through the Virtual Network (VNet) service endpoints, you can increase the level of security for Azure Services, preventing unauthorized access. The vNet Service Endpoints allow you to isolate the Azure services, allowing access to them only by one or more subnets defined in the Virtual Network. This feature also ensures that all traffic generated from the VNet towards the Azure services will always remain within the Azure backbone network. For the supported services and get more details about this you can see the Microsoft documentation.

Figure 4 – Summary of Sevice Endpoints

Azure Firewall

The Azure Firewall is a firewall, fully integrated into the Microsoft public cloud, of type stateful, which makes it possible to centrally control, through policy enforcement, network communication streams, all cross subscriptions and cross virtual networks. Azure Firewall also allows you to filter traffic between the virtual networks of Azure and on-premises networks, interacting with connectivity that is through the Azure VPN Gateway and with Express Route Gateway. For more details about it you can see the article Introduction to Azure Firewall.

Figure 5 – Placement of Azure Firewall

Web Application Firewall

The application delivery may be made using the Azure Application Gateway, a service managed by the Azure platform, with inherent features of high availability and scalability. The Application Gateway is a application load balancer (OSI layer 7) for web traffic, that allows you to govern HTTP and HTTPS applications traffic (URL path, host based, round robin, session affinity, redirection). The Application Gateway is able to centrally manage certificates for application publishing, using SSL and SSL offload policy when necessary. The Application Gateway may have assigned a private IP address or a public IP address, if the application must be republished in Internet. In particular, in the latter case, it is recommended to turn on Web Application Firewall (WAF), that provides application protection, based on rules OWASP core rule sets. The WAF protects the application from vulnerabilities and against common attacks, such as X-Site Scripting and SQL Injection attacks.

Figure 6 – Overview of Application Gateway with WAF

DDoS protection

In Azure, DDoS protection is available in two different tiers: Basic oppure Standard.

The protection Basic is enabled by default in the Azure platform, which constantly monitors traffic and applies mitigations to the most common network attacks in real time. This tier provides the same level of protection adopted and tested by Microsoft's online services and is active for Azure Public IP addresses (Pv4 and IPv6). No configuration is required for the Basic tier.

Typology Azure DDoS Protection Standard provides additional mitigation features over the Basic tier, that are specifically optimized for resources located in Azure virtual networks. The protection policies are self-configured and are optimized by carrying out specific monitoring of network traffic and applying machine learning algorithms, that allow you to profile your application in the most appropriate and flexible way by studying the traffic generated. When the thresholds set in the DDoS policy are exceeded, the DDoS mitigation process is automatically started, which is suspended when it falls below the established traffic thresholds. These policies are applied to all public IP of Azure (IPv4) associated with resources present in the virtual network, like: virtual machines, Azure Load Balancer, Azure Application Gateway, Azure Firewall, VPN Gateway and Azure Service Fabric instances.

For more details about it you can see the article Protection from DDoS attacks in Azure.

Synergies and recommendations for the use of the various protection services

In order to obtain an effective network security and direct you in the use of the various components, are reported the main recommendations which is recommended to consider:

Network Security Groups (NSGs) and the Azure Firewall are complementary and using them together you get a high degree of defense. The NSGs is recommended to use them to filter traffic between the resources that reside within a VNet, while the Azure Firewall is useful for providing network and application protection between different Virtual Networks.
To increase the security of Azure PaaS services is advised to use the Service endpoints, which can be used in conjunction with Azure Firewall to consolidate and centralize access logs. To do this, you can enable the service endpoint in the Azure Firewall subnet, disabling the subnet present in the Spoke VNet.
Azure Firewall provides network protection Layer 3 for all ports and protocols, it also guarantees a level of application protection (Layer 7) for outbound HTTP/S traffic. For this reason, if you wish to make a secure application publishing (HTTP/S in inbound) you should use the Web Application Firewall present in the Application Gateway, then placing it alongside Azure Firewall.
Azure Firewall can also be supported by third-party WAF / DDoS solutions.

All these protection services, suitably configured in a Hub-Spoke network architecture allow you to perform a segregation of network traffic, achieving a high level of control and security.

Figure 7 – Security services in a Hub-and-Spoke architecture

Conclusions

Azure provides a wide range of services that allow you to achieve high levels of security, acting on different fronts. The security model that you decide to take, you can resize it and adapt flexibly, depending on the type of application workloads to be protected. A winning strategy can be obtained by applying a mix-and-match of different network security services, to get a protection on more layers.

Protection from DDoS attacks in Azure

A cyber attack of type distributed denial-of-service (DDoS attack – Distributed Denial of Service) is intended to exhaust deliberately the resources of a given system that provides a service to clients, such as a website that is hosted on web servers, to the point that it will no longer be able to provide these services to those who require it in a legitimate way. This article will show the security features that you can have in Azure for this type of attacks, in order to best protect the applications on the cloud and ensure their availability against DDoS attacks.

DDoS attacks are becoming more common and sophisticated, to the point where it can reach sizes, in bandwidth, increasingly important, which make it difficult to protect and increase the chances of making a downtime to published services, with a direct impact on company business.

Figure 1 – DDoS Attack Trends

Often this type of attack is also used by hackers to distract the companies and mask other types of cyber attacks (Cyber Smokescreen).

Features of the solution

In Azure, DDoS protection is available in two different tiers: Basic oppure Standard.

Figure 2 - Comparison of the features available in different tiers for DDoS Protection

Figure 3 – Overview of Azure DDoS Protection Standard

The Azure DDoS Protection Standard is able to cope with the following attacks:

Volumetric attacks: the goal of these attacks is to flood the network with a considerable amount of seemingly legitimate traffic (UDP floods, amplification floods, and other spoofed-packet floods).
Protocol attacks: These attacks are aiming to make inaccessible a specific destination, exploiting a weakness that is found in the layer 3 and in the layer 4 of the stack (for example SYN flood attacks and reflection attacks).
Resource (application) layer attacks: These attacks are targeting the Web application packages, in order to stop transmitting data between systems. Attacks of this type include: violations of the HTTP protocol, SQL injection, cross-site scripting and other attacks in level 7. To protect themselves from attacks of this type is not sufficient DDoS protection standard, but you must use it in conjunction with the Web Application Firewall (WAF) available in Azure Application Gateway, or with third-party web application firewall solution, available in the Azure Marketplace.

Enabling DDoS protection Standard

The DDoS protection Standard is enabled in the virtual network and is contemplated for all resources that reside in it. The activation of the Azure DDoS Protection Standard requires you to create a DDoS Protection Plan which collects the virtual networks with DDoS Protection Standard active, cross subscription.

Figure 4 – Creating a DDoS Protection Plan

The protection Plan is created in a particular subscription, which will be associated with the cost of the solution.

Figure 5 – Enabling DDoS protection Standard on an existing Virtual Network

The Standard tier provides a real-time telemetry that can be consulted via views in Azure Monitor.

Figure 6 – DDoS Metrics available in Azure Monitor

Any DDoS protection metrics can be used to generate alerts. Using the metric "Under DDoS attack"you can be notified when an attack is detected and DDoS mitigation action is applied.

DDoS Protection Standard applies three auto-tuned mitigation policies (TCP SYN, TCP & UDP) for each public IP address associated with a protected resource, so that resides on a virtual network with active the DDoS standard service.

Figure 7 – Monitor mitigation metrics available in Azure

To report generation, regarding the actions undertaken to mitigate DDoS attacks, you must configure the diagnostics settings.

Figure 8 – Diagnostics Settings in Azure Monitor

Figure 9 - Enable diagnostics of Public IP to collect logs DDoSMitigationReports

In the diagnostic settings it is possible to also collect other logs relating to mitigation activities and notifications. For more information about it you can see Configure DDoS attack analytics in the Microsoft documentation. The metrics for the DDoS protection Standard are maintained in Azure for Moniotr 30 days.

Figure 10 – Attack flow logs in Azure Log Analytics

How to test the effectiveness of the solution

Microsoft has partnered withBreakingPoint Cloud and, thanks to a very intuitive interface, it allows you to generate traffic, towards the public IPs of Azure, to simulate a DDoS attack. In this way you can:

Validate the effectiveness of the solution.
Simulate and optimize responses against incident related to DDoS attacks.
Document the compliance level for attacks of this type.
Train the network security team.

Costs of the solution

The Basic tier foresees no cost, while enabling the DDoS Protection Standard requires a fixed monthly price (not negligible) and a charge for data that are processed. The fixed monthly price includes protection for 100 resources, above which there is an additional unit cost for each protected resource. For more details on Azure DDoS Protection Standard costs you can see the Microsoft's official page.

Conclusions

The protection from DDoS attacks in Azure allows us to always have active a basic protection to deal with such attacks. Depending on the application criticality, can be evaluated the Standard protection, which in conjunction with a web application firewall solution, allows you to have full functionality to mitigate distributed denial-of-service attacks.

Azure IaaS and Azure Stack: announcements and updates (December 2018 – Weeks: 50 and 51)

Azure

Update rollup for Azure File Sync Agent: December 2018

An update rollup for the Azure File Sync agent was released this month which addresses the following issues:

A Stop error 0x3B or Stop error 0x1E may occur when a VSS snapshot is created.
A memory leak may occur when cloud tiering is enabled

More information about this update rollup:

This update is available for Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019 installations that have Azure File Sync agent version 3.1.0.0 or a later version installed.
The agent version of this update rollup is 4.2.0.0.
A restart may be required if files are in use during the update rollup installation.
Installation instructions are documented in KB4459990.

Automate Always On availability group deployments with SQL Virtual Machine resource provider

A new automated way to configure high availability solutions for SQL Server on Azure Virtual Machines (VMs) is now available using SQL VM resource provider.

Virtual Network Service Endpoints for serverless messaging and big data

Azure Event Hubs, a highly reliable and easily scalable data streaming service, and Azure Service Bus, which provides enterprise messaging, are the new set of serverless offerings joining the growing list of Azure services that have enabled Virtual Network Service Endpoints.

Azure Stack

Azure Stack 1811 update

The 1811 update package includes fixes, improvements, and new features for Azure Stack. This update package is only for Azure Stack integrated systems. Do not apply this update package to the Azure Stack Development Kit.

Azure Monitor: introduction to monitor service for virtual machines

In Azure Monitor was introduced a new service that allows you to monitor virtual machines, called Azure Monitor for VMs. This service analyzes the performance data and the status of virtual machines, makes the monitor of the installed processes and examines its dependencies. This article shows the characteristics of the solution and describes the procedure to be followed to effect the activation.

Features of the solution

The service Azure Monitor for VMs is divided into three different perspectives:

Health: the logical components present on board of the virtual machines are evaluated according to specific pre-configured criteria, generating alerts when certain conditions are met. This feature, at the moment, is present only for systems that reside in Azure.
Performance: shows summary details of performance, from the guest operating system.
Map: generates a map with the interconnections between the various components that reside on different systems.

This solution can be used on Windows and Linux virtual machines, regardless of the environment in which they reside (Azure, on-premises or at other cloud providers).

Azure Monitor for VMs requires the presence of a workspace of Log Analytics. Since this is a feature currently in preview, workspace are supported in these regions: West Central US, East US, West Europe and Southeast Asia. Enabling a Log Analytics workspace can occur according to these modes:

To identify the operating systems that are supported by this solution, please visit the Official Microsoft documentation.

How to enable Azure Monitor for VMs

To enable the solution for a single virtual machine, from the Azure Portal, it is possible to proceed by accessing the section Insights from the virtual machine:

Figure 1 – Enabling Azure Monitor for VMs on a single VM

Enabling the solution on a single virtual machine it is possible to choose which Log Analytics workspace use and possibly create a new one. The advice is to precede before with the creation of workspace, so you can assign a meaningful name. The workspace of Log Analytics must be configured as follows:

You must have installed the solutions ServiceMap and InfrastructureInsights. The installation of this solutions can be done via JSON templates, according to the instructions in this document.

Figure 2 – Presence of solutions ServiceMap and InfrastructureInsights

Must be configured to collect performance counters. This configuration can be done manually as described in this document, or through this Powershell script.

Figure 3 – Collecting the performance counters enabled on Log Analytics workspace

Azure Monitor for VMs requires Log Analytics agent on virtual machines, also the functionality of Map requires the installation of the Microsoft Dependency agent. This is an additional agent which relies on Log Analytics agent for the connection to the workspace.

If you want to enable the solution for systems in Azure, you can activate the Dependency agent using the appropriate extension, that do the installation. For virtual machines that reside on Azure you must install it manually or via a solution that automates the deployment (such as System Center Configuration Manager).

To enable this feature automatically on new virtual machines created in Azure environment and achieve a high level of compliance you can also use the Azure Policy. Through the Azure Policy you can:

Deploy the Log Analytics agent and Dependency agent.
Having a report on the status of compliance
Start remediation actions for non-compliant VMs.

Figure 4 – Adding an Assignment

Figure 5 - Initiative definition to enable Azure Monitor for VMs

Figure 6 - Check of the state of compliance of the Policy

Consulting data collected from the solution

To analyze and identify critical operating system events, detect suboptimal performance and network issues, you can refer to the data provided by this solution directly from VM or using Azure Monitor, in case you want to have an aggregated view of the various virtual machines. All this allows you to detect and identify if problems are related to specific dependencies on other services.

Figure 7 – State of Health of a single virtual machine

Figure 8 – Performance gathered from multiple VMs, accessible by Azure Monitor

Figure 9 – Dependencies Map of various services present on VMs, accessible by Azure Monitor

For more information about using the features of Health you can consult this Microsoft documentation, while the article View Azure Monitor for VMs Map shows how to identify and analyze the dependencies detected from the solution.

Costs of the solution

By activating the solution Azure Monitor for VMs, the data collected by the virtual machines are sent and maintained in Azure Monitor and can depend on several factors, such as the number of logical disks and network adapters. The costs are those related to Azure Monitor, which has costs on the basis of the following elements:

Data ingested and collected.
Number of health monitored criteria.
Alert rule created.
Notifications sent.

Conclusions

The service Azure Monitor for VMs allowing you to have a fully integrated tool in Azure to monitor the virtual machines and to obtain a complete control of systems, regardless of where they reside. This solution is also particularly useful to conduct troubleshooting operations in a simple and immediate way. This service, although it is currently in preview, is already full enough and it will be enriched soon with new features.

Azure IaaS and Azure Stack: announcements and updates (December 2018 – Weeks: 48 and 49)

Azure

Azure Dedicated Hardware Security Module (HSM)

The Microsoft Azure Dedicated Hardware Security Module (HSM) service provides cryptographic key storage in Azure and meets the most stringent customer security and compliance requirements. This service is the ideal solution for customers requiring FIPS 140-2 Level 3 validated devices with complete and exclusive control of the HSM appliance. Azure Dedicated HSM addresses a unique set of customer needs for secure key storage scenarios in Azure.

The Dedicated HSM service is available in eight Azure regions, namely East US, West US, South Central US, East US 2, Southeast Asia, East Asia, West Europe, and North Europe

Improving Azure Virtual Machine resiliency with predictive ML and live migration

Since early 2018, Azure has been using live migration in response to a variety of failure scenarios such as hardware faults, as well as regular fleet operations like rack maintenance and software/BIOS updates. The use of live migration to handle failures gracefully allowed us to reduce the impact of failures on availability by 50 percent. Using the deep fleet telemetry, Microsoft enabled machine learning (ML)-based failure predictions and tied them to automatic live migration for several hardware failure cases, including disk failures, IO latency, and CPU frequency anomalies. Azure team partnered with Microsoft Research (MSR) on building the ML models that predict failures with a high degree of accuracy before they occur. As a result, Microsoft is able to live migrate workloads off “at-risk” machines before they ever show any signs of failing. This means VMs running on Azure can be more reliable than the underlying hardware.

Update rollup for Azure File Sync Agent: December 2018

An update rollup for the Azure File Sync agent was released which addresses the following issues:

A Stop error 0x3B or Stop error 0x1E may occur when a VSS snapshot is created.
The server may become unresponsive because of a cloud-tiering memory leak.
Agent installation fails with the following error: Error 1921. Service ‘Storage Sync Agent’ (FileSyncSvc) could not be stopped. Verify that you have sufficient privileges to stop system services.
The Storage Sync Agent (FileSyncSvc) service may crash when memory usage is high.
Miscellaneous reliability improvements for cloud tiering and sync.

More information about this update rollup:

This update is available for Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019 installations that have Azure File Sync agent version 3.1.0.0 or a later version installed.
The agent version of this update rollup is 4.1.0.0.
A restart may be required if files are in use during the update rollup installation.

Installation instructions are documented in KB4459988.

Virtual network service endpoints for Azure Database for MariaDB (preview)

Virtual network service endpoints for Azure Database for MariaDB are accessible in preview in all available regions. Virtual network service endpoints allow you to isolate connectivity to your logical server from only a given subnet or set of subnets within your virtual network. Traffic to Azure Database for MariaDB from the virtual network service endpoints stays within the Azure network, preferring this direct route over any specific routes that take internet traffic through virtual appliances or on-premises.