Category Archives: Microsoft Azure

Microsoft Azure: guide for the choice of the Region

Microsoft Azure is located in different places around the world and is the first to have datacenters in more geographical areas than any other cloud providers. This aspect provides a wide scalability, necessary to deliver applications in proximity of the geographical location of users, while preserving the residence of data and providing compliance and resiliency options. You can choose, between different Azure regions, where activate your services, undoubtedly has many advantages, but it is worth considering different aspects when you are faced with this choice. In this article we will be carried over the main elements that should be taken into account in the choice of the region of Azure.

A region in Azure consists of multiple datacenters residing in a specific geographical area and that are connected to each other through a low-latency network. To see the complete list of the Azure regions you can access the page Azure locations. Within a region are present physically distinct location denominated Availability Zones. Each Availability Zone is composed of multiple datacenters equipped independently of the others regarding the power, cooling systems and networks. Each region is paired with another region within the same geographical area, in order to preserve the data resiliency and increase compliance levels.

Figure 1 – Pair regions and Availability Zones within the same data residency boundary

Figures 2 – Azure regional pairs

The choice of the Azure region must be done carefully taking into consideration some key aspects, each of which can have a decisive influence.

Performance

Definitely one of the predominant factors in choosing the region is given by the performance, that they are bound by the network latencies in reaching the Azure datacenters. Typically, you choose the region closest geographically, but you can't always identify easily. In support of this choice you can use some useful third-party tools that provide objective values:

Azure Speed Test 2.0: by accessing this site, you can measure the latency from your web browser to the various Blob Storage Service residing in various Azure regions.

Figures 3 – Result shown from Azure Speed Test

Azure Latency Test: shows the network latency from your location to different Azure regions, with the ability to easily apply filters.

Figures 4 – Result shown from Azure Latency Test

Availability of services

Not all Azure services are available in all regions, it follows that it is appropriate to check carefully whether the Azure service that you intend to use is offered in the selected region. To see the Azure services available in each region you can access this page, that allows you to quickly apply filters to check the availability of services offered for region.

Compliance laws and residence of the data

Many organizations are cautious in the approach to cloud computing because they need their data geographically reside in a certain territory. Maintain the confidentiality of data is essential for all, but for customers who have specific needs in terms of compliance and data-residency, Microsoft offers all the information you need:

Date residency: by accessing this web site you can get all the information about where the data resides, distinguishing between the services for which you choose the region they belong and those who do not provide this selection during deployment.
Compliance: in this portal are listed useful support information for customers who have to comply with specific regulations regarding the use, transmission and archive of data.

Costs

The costs of the various Azure services may vary depending on region. If the others factors are not decisive in choosing, It may be useful to consider to deploy services in the region where they are most economically advantageous. In order to verify the costs of different services you can access the Azure pricing page.

Conclusions

The choice of the Azure region most appropriate for their business needs, must necessarily be made taking into consideration the factors listed. Since this is a strategic choice and not easily editable, the advice is to carefully examine the items listed above, in order to design the best architecture in Microsoft Azure environment.

Azure Virtual WAN: introduction to the solution

Azure Virtual WAN is a new network service that allows you to optimize and automate the branch-to-branch connectivity through Azure. Thanks to this service you can connect and configure network devices in branch to allow communication with Azure (branch-to-Azure). This article examines the components involved in Azure Virtual WAN and shows the procedure to be followed for its configuration.

Figure 1 – Azure Virtual WAN overview

The Azure Virtual WAN configuration includes the creation of the following resources.

Virtual WAN

The Virtual WAN resource represents a virtual layer of Azure network and collect different components. It is a layering that contains links to all the virtual hubs that you want to have inside the Virtual WAN. Virtual WAN resources are isolated and cannot contain common hubs.

Figure 2 – Start the process of creating Azure Virtual WAN

Figure 3 – Creating Azure Virtual WAN

When creating the Virtual WAN resource you are prompted to specify a location. In reality it is a global resource that does not reside in a particular region, but you are prompted to specify it just to be able to manage and locate more easily.

By enabling the option Network traffic allowed between branches associated with the same hub allows traffic between the various sites (VPN or ExpressRoute) associated with the same hub (branch-to-branch).

Figure 4 – Branch-to-branch connectivity option

Site

The site represents the on-prem environment. You will need to create as many sites as are the physical location. For example, if you have a branch office in Milan, one in New York and one in London, you will need to create three separate sites, which contain their endpoints of network devices used to establish communication. If you are using Virtual WAN partner network equipment, provides solutions to natively export this information into the Azure environment.

Figure 5 – Creating a site

In the advanced settings you can enable BGP, which if activated becomes valid for all connections created for the specific site . Among the optional fields you can specify device information, that may be of help to the Azure Team in case of any future enhancements or Azure support.

Virtual Hub

A Virtual Hub is a Microsoft-managed virtual network. The hub is the core component of the network in a given region and there can be only one hub for Azure region. The hub contains different service endpoints to allow to establish connectivity with the on-prem environment. Creating a Virtual Hub involves the generation of a new VNet and optionally a new VPN Gateway. The Hub Gateway is not a classic virtual network gateway that is used for ExpressRoute connectivity and VPN and it is used to create a Site-to-site connection between the on-prem environment and the hub.

Figure 6 – Creating a Hub

Figure 7 -Association of the site with a Hub

The Hubs should be associated with sites residing in the same region where there are the VNet.

Hub virtual network connection

The resource Hub virtual network connection is used to connect the hub with the virtual network. Currently you can create connections (peering) with virtual networks that reside in the same region of the hub.

Figure 8 – Connection of the VNet to a hub

Configuring the VPN device on-prem

To configure the VPN on-prem device, you can proceed manually, or if you are using Virtual WAN partner solutions, the configuration of the VPN devices can occur automatically. In the latter case the device controller gets the configuration file from Azure and applies the configuration to devices, avoiding the need to proceed with manual configurations. It all feels very comfortable and effective, saving time. Among the various virtual WAN partners we find: Citrix, Riverbed, 128 Technology, Barracuda, Check Point, NetFoundry and Paloalto. This list is intended to expand soon with more partners.

By selecting Download VPN configuration creates a storage account in the resource group 'microsoft-network-[location]’ from which you can download the configuration for the VPN device on-prem. That storage account can be removed after retrieving the configuration file.

Figure 9 - Download the VPN configuration

Figure 10 – Download the configuration file on the storage account

After configuration of the on-prem device, the site will be connected, as shown in the following figure:

Figure 11 - State of the connected site

It also provides the ability to establish ExpressRoute connections with Virtual WAN, by associating the circuit ExpressRoue to the hub. It also provides for the possibility of having Point-to-Site connections (P2S) towards the virtual Hub. These features are now in preview.

The Health section contains useful information to check the connectivity for each Hub.

Figure 12 – Check Hub health

Conclusions

Virtual WAN is the new Azure service that enables centralized, simple and fast connection of several branch, with each other and with the Microsoft public cloud. This service allows you to get a great experience of connectivity, taking advantage of the Microsoft global network, which can boast of reaching different region around the world, more than any other public cloud providers.

Azure IaaS and Azure Stack: announcements and updates (October 2018 – Weeks: 40 and 41)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Advanced Threat Protection for Azure Storage (public preview)

Advanced Threat Protection for Azure Storage, available in public preview, detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit storage accounts. This feature helps customers detect and respond to potential threats on their storage account as they occur.

Ephemeral OS Disk (limited preview)

Limited preview of Ephemeral OS Disk, a new type of OS disk created directly on the host node, providing local disk performance and faster boot/reset time. Ephemeral OS Disk is supported for all virtual machines (VM) and virtual machine scale sets (VMSS). Ephemeral OS Disk is ideal for stateless workloads that require consistent read/write latency to OS disk, as well as frequent reimage operations to reset the VM(s) to the original state. This includes workloads such as website applications, game server hosting services, VM pools, computation, jobs and more. Ephemeral OS Disk also works well for workloads that are leveraging low-priority VM scale sets.

Azure confidential computing (public preview)

Azure confidential computing protects your data while it’s in use. It is the final piece to enable data protection through its lifecycle whether at rest, in transit, or in use. It is the cornerstone of Microsoft ‘Confidential Cloud’ vision, which aims to make data and code opaque to the cloud provider. DC-series of virtual machines in US East and Europe West are in public preview. While these virtual machines may ‘look and feel’ like standard VM sizes from the control plane, they are backed by hardware-based Trusted Execution Environments (TEEs), specifically the latest generation of Intel Xeon Processors with Intel SGX technology. You can now build, deploy, and run applications that protect data confidentiality and integrity in the cloud. The DC-series of VMs are the first set of Generation 2 virtual machines. As such, Microsoft has specially configured operating images that are required with these virtual machines (Generation 2 support for Ubuntu Server 16.04 and Windows Server 2016 Datacenter). These images are automatically used when deploying through the portal. Custom images are not yet supported. DC-series VMs will not show up in the size selector for arbitrary marketplace images, as not all images have been updated yet.

Azure IaaS and Azure Stack: announcements and updates (September 2018 – Weeks: 38 and 39)

Azure

Virtual machine serial console

The Azure virtual machine serial console is now generally available in all public regions. New features include magic SysRq keys, non-maskable interrupts, and subscription-wide enable/disable. More details are available in the documentation for Windows and Linux.

Immutable storage for Azure Storage Blobs

Financial services organizations regulated by SEC, CFTC, FINRA, IIROC, FCA, etc., are required to retain business-related communications in a Write-Once-Read-Many (WORM) or immutable state to ensure that they’re non-erasable and non-modifiable for a specific retention interval. The immutable storage requirement is not limited to financial organizations. It also applies to industries such as healthcare, insurance, media, public safety, and legal services.

To address this requirement, immutable storage for Azure Blob storage is now generally available in all Azure public regions. Through configurable policies, users can keep Azure Blob storage data in an immutable state where blobs can be created and read, but not modified or deleted.

For more details on the feature, see the Microsoft Azure blog.

Azure Premium Blob Storage (preview)

Azure Blob Storage introduces a new performance tier—Premium Blog Storage, complimenting the existing hot, cool, and archive tiers. Data in Premium Blob Storage is stored on solid-state drives, which are known for lower latency and higher transactional rates compared to traditional hard drives. Premium Blob Storage is ideal for workloads that require very fast access times. This includes most scenarios with a human in the loop, such as interactive video editing, static web content, and online transactions. It also works well for workloads that perform many transactions that are relatively small, such as capturing telemetry data, message passing, and data transformation.

Azure Availability Zones in West US 2 and North Europe

Azure Availability Zones, a high-availability solution for mission-critical applications, is now generally available in West US 2 and North Europe.

Availability Zones are physically separate locations within an Azure region. Each Availability Zone consists of one or more datacenters equipped with independent power, cooling, and networking. With the introduction of Availability Zones, we now offer a service-level agreement (SLA) of 99.99% for uptime of virtual machines.

Availability Zones are generally available in select regions.

Public IP prefix (preview)

A Public IP prefix is a reserved range of static IP addresses that can be assigned to your subscription. You can use a prefix to simplify IP address management in Azure. Knowledge of the range ahead of time eliminates the need to change firewall rules as you assign IP addresses to new resources. This predictability significantly reduces management overhead when scaling in Azure.

For more information about Public IP prefixes in Azure and how to use them, see Public IP Prefix.

Virtual network peering across Azure Active Directory tenants

Virtual network peering enables direct VM-to-VM connectivity across virtual machines deployed in different virtual networks using the Microsoft backbone. Virtual network peering is now available for virtual networks that belong to subscriptions in different Azure Active Directory tenants.

Azure Load Balancer: Outbound Rules for Standard Load Balance GA

This new ability allows you to declare which public IP or public IP prefix should be used for outbound connectivity from your virtual network, and how outbound network address translations should be scaled and tuned.

Azure Load Balancer TCP resets on idle (preview)

Azure Load Balancer supports sending of bidirectional TCP resets on idle timeout for load balancing rules, inbound NAT rules, and outbound rules. For more information, including pricing details, please visit the Azure Load Balancer TCP reset page.

ExpressRoute Direct 100Gbps connectivity

ExpressRoute Direct provides 100G connectivity for customers with extreme bandwidth needs. This is 10x faster than other clouds. With ExpressRoute Direct you can send 100 Gbps of network traffic to Azure services such as Azure Storage and Azure Virtual Networks. All your traffic can be on a single 100G ExpressRoute Circuit or you subdivide 100G among your business units in any combination of 40G, 10G, 5G, 2G, and 1G ExpressRoute circuits.

ExpressRoute Global Reach

ExpressRoute Global Reach allows you to connect two ExpressRoute circuits together. Your sites that are already connected to ExpressRoute can now privately exchange data via their ExpressRoute circuits. ExpressRoute Global Reach can be enabled on both ExpressRoute Standard and ExpressRoute Premium circuits. ExpressRoute Global Reach is available in the following locations: Hong Kong, Ireland, Japan, Netherlands, United Kingdom, and United States with Korea and Singapore coming soon. More locations will be available later this year.

Zone-Redundant VPN and ExpressRoute Virtual Network Gateways

To improve the resiliency, scalability and availability of gateways, Zone Redundant VPN and ExpressRoute Gateways bring support for Azure Availability Zones. With these new Zone-Redundant/Zonal Gateways, you will be able to deploy Azure VPN and Azure ExpressRoute gateways in Azure Availability Zones, thus making them physically and logically separate within a region to protect your on-premises network connectivity to Azure from zone-level failures.

Azure Firewall: General availability and new capabilities

Azure Firewall, now GA, offers fully stateful network and application level traffic filtering for VNet resources, with built-in high availability and cloud scalability delivered as a service. For more information, please refer to Azure Firewall documentation.

Shared Image Gallery (public preview)

Shared Image Gallery provides an Azure-based solution to make the custom management of virtual machine (VM) images easier in Azure. Shared Image Gallery provides a simple way to share your applications with others in your organization, within or across regions, enabling you to expedite regional expansion or DevOps processes, simplify your cross-region HA/DR setup and more. Shared Image Gallery also enables you to quickly deploy thousands of VMs concurrently from a custom image.

Automatic OS image upgrade in virtual machine scale sets is now generally available.

After you enable this feature for your scale sets, when a new OS image is published with the latest features, security patches, and performance improvements, your scale sets and Azure Service Fabric clusters can receive these updates automatically. The new image will roll out to the VMs in your scale sets in batches based on preconfigured health probes to check for application issues. You can monitor the status of upgrades programmatically or through an out-of-the-box experience in the Azure portal. To learn more about this capability and to start enabling it for your VMs in VM scale sets, see this documentation.

Azure Virtual Machine Image Builder available in private preview

Azure Virtual Machine (VM) Image Builder, now available in private preview, allows you to migrate your image building pipeline to Azure. Submit a template describing your VM source image and customizations, indicate where to distribute a bootable image, and then start building your VM images.

Ultra SSD, a new Azure Managed Disks offering (preview)

Ultra SSD, a new Azure Managed Disks offering for your most demanding data-intensive workloads, is now available in preview. Ultra SSDs can deliver unprecedented and extremely scalable performance with sub-millisecond latency:

Choose a disk size from 4 GiB up to 64 TiB.
Achieve the optimal performance you need per disk even at low storage capacities.
Scale performance up to 160,000* IOPS and 2 GB/s per disk with zero downtime.

Azure Stack

Service Fabric now available on Azure Stack

Azure Service Fabric is now available on Azure Stack. Service Fabric is a distributed systems platform that makes it easy to package, deploy, and manage scalable and reliable microservices and containers.

Red Hat OpenShift and Microsoft Azure Stack together for hybrid enterprise solutions

OpenShift and Azure Stack present exciting new options for customers who use Microsoft and Red Hat technologies and offer the greatest possible flexibility and consistency where these solutions are run and managed – whether its in the public cloud or on-premises with Azure Stack. OpenShift and Azure Stack enable a consistent application experience across Azure, Azure Stack, bare-metal, Windows and RHEL bringing together Microsoft’s and Red Hat’s developer frameworks and partner ecosystems.

Azure Networking: characteristics of Global VNet peering

The Virtual Networks in Azure are logically isolated, to allow you to securely connect different Azure resources. The Global VNet peering in Azure provides the possibility of connecting virtual networks residing on different regions of Azure. This article discusses the benefits and current constraints imposed by the Global VNet peering. It will also show the procedure for activating a Global VNet peering.

Figure 1 - Sample connection of two Azure VNet in different regions

When you configure the peering between two virtual networks that reside in different regions of Azure, you expand the logical boundary and virtual machines attested on these VNet can communicate with each other with their own private IP addresses, without having to use gateway and public IP addresses. Furthermore, you can use the hub-and-spoke network model, to share resources such as firewalls or virtual appliances, even connecting virtual networks in different regions of Azure, through the Global VNet peering.

Benefits of Global VNet peering

The main benefits that can be obtained using the Global VNet peering to connect virtual networks are:

Traffic between the virtual network remains within the Microsoft's backbone network and is therefore totally private.

Figure 2 – Microsoft's backbone network

You can use a low-latency connectivity and with a high bandwidth.
Setup is simple and does not require gateway to establish VPN tunnel between different networks.

Current constraints of Global VNet peering

Currently there are some constraints that should be taken into account when making a Global VNet peering:

In the presence of a Global peering VNET you can not use the remote gateway (option "use remote gateways") and you can't allow the gateway transit (option "allow gateway transit") on the virtual network. These options are currently usable only when you make a virtual network peering with virtual networks residing within the same region of Azure. It follows then the Global VNet peering are not transitive, then the downstream VNet in a region cannot communicate, using this methodology, with the VNet to another region. For example,, assuming a scenario where between the vNet1 and the vNet2 there is a Global VNet peering and between vNet2 and vNet3 there is another Global VNet peering. In this case there will be no communication between the vNet1 and the vNet3. If needed, you can create an additional Global VNET peering to put them in communication.
For a resource that resides on a virtual network, is not allowed to communicate using the IP address of an internal Azure load balancer that resides on the virtual network in peer. This type of communication is allowed only if the source IP and the IP address of the Load Balancer are in the same VNet.
The Global VNet peering can be created in all Azure public regions, but not with VNet residing in Azure national clouds.
The creation of the Global VNet peering is allowed between VNet residing in different subscriptions, as long as they are associated with the same Active Directory tenant.
The virtual networks can inserted into peering if there is no overlapping in its address space. Furthermore, after the creation of the peering, if you need to modify the address space you must remove the peering.

Global VNet peering configuration

Configuring Global VNet peering is extremely simple. In the following images are documented the steps to connect two virtual networks created in different regions, in this case West Europe and Southeast Australia.

Figure 3 - Adding peering from VNet settings

Figure 4 - Configure the peering parameters

Selecting "Allow virtual network access", allows communication between two virtual networks. With this setting the address space of the VNet in peer is added to the tag Virtual_Network.

Figure 5 – Peering added, in state Initiated

The same operations, documented in Figure 3 and figure 4, must be repeat even on the Virtual Network that resides in the other region and with whom you want to configure the Global VNet peering. The communication will be activated when the status of the peering will be "Connected"on both VNet.

Figure 6 – Peering in state Connected

Selecting a virtual machine, attested on a virtual network configured with the global VNET Peering, you will see a specific route for VNet associated, as shown in the following figure:

Figure 7 – Effective route of the VNet in Global Peering

The Global VNet peering involves costs for inbound and outbound network traffic in transit in the peering and the cost varies depending on the areas covered. For more details you can refer to the official page of costs.

Conclusions

The Global VNet peering allows a great flexibility in managing in a simple and efficient way as various workloads can be connected, allowing to expand the possible implementation scenarios on Azure, without having to consider the geographical boundaries as a limit. Significant benefits can be obtained in particular in data replication and disaster recovery architectures.

Azure IaaS and Azure Stack: announcements and updates (September 2018 – Weeks: 36 and 37)

Azure

Virtual network service endpoints for Azure Key Vault

Virtual network service endpoints are generally available for Azure Key Vault in all public Azure regions.

Configure just-in-time virtual machine access from the VM blade

Just-in-time virtual machine access can now be configured from the virtual machine blade (in preview) to make it even easier for you to reduce your exposure to threats.

Filter VM sizes by current or previous generation

With a recent update to the virtual machine size picker, the default filter set will show current-generation virtual machine sizes only.

Announcing the Public Preview for Azure Active Directory Integration with Azure Files

Azure Files offers fully managed file shares in the cloud that are accessible via the industry standard SMB protocol. Integration with AAD enables SMB access to Azure file shares using AAD credentials from AAD DS domain joined Windows VMs.

Azure Stack

Managed Disks in Azure Stack

Azure Managed Disks simplifies disk management for Azure VMs by managing the storage accounts associated with the VM disks. You only have to specify the type (Premium or Standard) and the size of disk you need, and Azure creates and manages the disk for you. This work will bring more options and simplicity to Azure Stack users when working with VMs. This update applies primarily to Azure Stack users.

Ability to incrementally add capacity to Azure Stack

Azure Stack operators can now add a node to an existing Azure Stack scale unit within the supported scale unit limits. This enables Azure Stack operators to increase the capacity of a single Azure Stack, and specifics should be discussed with hardware partners.

Azure Stack support for Azure Backup

Azure Stack operators can now backup and recover guest OS, data disks, and volumes using Azure Backup. This new ability gives operators more options when developing a backup strategy for Azure Stack.

Azure Government cloud integration for Azure Stack

Azure Stack is now integrated with the Azure Government cloud, enabling connections to Azure Government identity, subscription, registration, billing, backup/DR, and Azure Marketplace. Azure Stack unlocks a wide range of hybrid cloud use cases for government customers, such as tactical edge and regulatory scenarios.

Azure Security Center: introduction to the solution

Azure Security Center is a cloud solution that helps prevent, detect and respond to security threats that affect the resources and workloads on hybrid environments. This article lists the main characteristics and features, to address the use cases and to understand the potential of the instrument.

Key features and characteristics of Azure Security Center

It manages security policies centrally. It ensures compliance with the safety requirements to be imposed on business and regulatory. Everything is handled centrally through security policies that can be applied to different workloads.

Figure 1 – Policy & Compliance Overview

Figure 2 – Policy management

It makes Security Assessment. It monitors the situation continuously in terms of security of machines, networks, storage and applications, in order to identify potential security problems.
It provides recommendations that you can implement. Are given indications that are recommended to implement to fix the security vulnerabilities that affect your environment, before they can be exploited in potential cyber attacks.

Figure 3 – Recommendations list

It assigns priorities to warnings and possible security incidents. Through this prioritization you can focus first on the security threats that may impact more on the infrastructure.

Figure 4 – Assigning severity for each report

Figure 5 – Assigning severity for each potential security incident detected

It allows to configure your cloud environment in order to protect it effectively. It is made available a simple method, quickly and securely to allowjust-in-time access to system management ports and applications running on the VM, by applying adaptive controls.

Figure 6 – Enabling Just-in-time VM access

It provides a fully integrated security solution. Allows you to collect, investigate and analyze security data from different sources, including the ability to integrate with third-party solution.

Figure 7 – Integration with other security solutions

The Cost of the Solution

Security Center is offered in two different tiers:

Free tier. In this tier Azure Security Center is completely free and provides visibility into security of resources residing only in Azure. Among the features offered there are: basic security policy, security requirements and integration with third-party security products and services.
Standard tier. Compared to tier free adds enhanced threat detection (including threat intelligence), behavioral analysis, anomaly detection and security incidents and reports of conferral of threats. The tier standard extends the visibility on the security of the resources that reside on-premises, and hybrid workloads. Through machine learning techniques and having the ability to create whitelist it allows to block malware and unwanted applications.

Figure 8 – Comparison of features between the available pricing tiers

For the Standard tier, you can try it for free for 60 days after that, if you want to continue using the solution, you have a monthly fee for single node. For more information on costs of the solution you can access to the official page of costs.

Figure 9 – Standard tier upgrade screen

To take advantage of all the Security Center features is necessary to apply the Standard Tier to the subscribtion or to the resource group that contains the virtual machines. Configuring the tier Standard does not automatically enable all features, but some of these require specific configurations, for example VM just in time, adaptive control of applications and network detection for resources in Azure.

Basic principles of operation

The collection of security data from systems, regardless of their location, is via the Microsoft Monitoring Agent, that it provides to its sending to a Log Analytics workspace. Security Center requires a workspace on which you enabled the following solution according to tier chosen:

Free tier: the Security Center enables the solution SecurityCenterFree.
Standard tier: the Security Center enables the solution Security. If in the workspace is already installed the solution Security & Auditit is used and nothing else is installed.

To save the data collected from the Security Center you can use a Log Analytics workspace created by default or select a specific one associated with the relative Azure subscription.

Figure 10 – Configuration of the workspace of Log Analytics where you collect the data

Conclusions

Azure Security Center is an appropriate, mature and structured solution to meet the security requirements for cloud, on-premises, or hybrid environments. Thanks to several features covered provides the knowledge that Microsoft has matured in the management of its services, combining it with powerful new technologies, as machine learning and big data, to treat and manage consciously and effectively the security.

Azure Site Recovery: the protection of Hyper-V virtual machines using Windows Admin Center

Among the various features that can be managed through Windows Admin Center, there is the possibility to simply drive the protection of virtual machines, present in a Hyper-V environment, with Azure Site Recovery (ASR). This article lists the necessary steps to follow and the possibilities offered by the Admin Center in this area.

Windows Admin Center, formerly known as Project Honolulu, allows through a web console, to manage the infrastructure in a centralized way. Thanks to this tool Microsoft has initiated a process of centralization in a single portal for all administrative console, allowing you to manage and configure your infrastructure with a user experience: modern, simple, integrated and secure.

Windows Admin Center requires no dependency with the cloud in order to function and can be deployed locally to gain control of different aspects of your local server infrastructure. In addition to the component Web Server, that allows access via browser to the tool, the Windows Admin Center consists of a component gateway, through which you can manage your server via Remote PowerShell and WMI over WinRM.

Figure 1 - Basic diagram of the architecture of Windows Admin Center

Connecting your Windows Admin Center gateway to Azure

Windows Admin Center also offers the opportunity to integrate with different Azure services, including Azure Site Recovery. In order to allow the Windows Admin Center gateway to communicate with Azure it is necessary to proceed with its registration process, by following the steps later documented. The wizard, available in the preview version of Windows Admin Center , making the creation of an Azure AD app in its own directory, which allows the Windows Admin Center communication with Azure.

Figure 2 - Start of the registration process from the Admin Center settings

Figure 3 - Generation of the code needed to log in

Figure 4 - Enter the code in the Device Login page

Figure 5 - Start the Azure authentication process

Figure 6 – Sign-in confirmation

Figure 7 – Selection of the Tenant where register the Azure AD app

Figure 8 - Guidance for providing permissions to the Azure AD app

Figure 9 – Assignment of permissions, from the Azure Portal, to the registered app

Figure 10 - Azure integration configuration completed

ASR environment configuration for protecting Hyper-V VMs

After configuring the connection of Windows Admin Center with Azure you can, selecting the Hyper-V system that holds the virtual machines to be replicated to Azure, proceed with the entire configuration of the Recovery Services vault, directly from the web console of Windows Admin Center. The steps below illustrate the simplicity of the activation.

Figure 11 – Start the configuration necessary for protecting VMs

From the Admin Center you are asked to provide basic information for the ASR environment configuration and it provides the ability to create a new Recovery Service vault or select an existing one.

Figure 12 – Configuration of the Hyper-V host in Azure Site Recovery

In the form proposed by the Windows Admin Center are offered only some values, therefore I advise you to proceed before to the creation of the Recovery Service vault and, on the previous screen, select an existing one, created with all configuration parameters at will and to suit your needs.

This step performs the following actions:

Install the ASR agent on the Hyper-V host or on all nodes in a cluster environment.
If you select to create a new vault it proceeds to the creation in the selected region and places it into a new Resource Group (assigning a default name).
It registers the Hyper-V system with ASR and configures a default replication policy.

Figure 13 - Site Recovery Jobs generated by the configuration

Virtual machine protection configuration

After the configuration of the previously reported activity is possible to activate the protection of virtual machines.

Figure 14 - Activation of the VM protection process

Figure 15 - Selection of the storage account and start of protection

At the end of the process of replication, you can validate the replication process by activating the test failover procedure from the Azure Portal.

Conclusions

Being able to interact with certain Azure services directly from Windows Admin Center can facilitate and speed up the administration of an hybrid datacenter. At the moment the possibility of integration with Azure Site Recovery are minimal and not suitable for complex scenarios. However, Windows Admin Center is constantly evolving and will be more and more enriched with new features to better interact with Azure services.

OMS and System Center: What's New in August 2018

In August have been announced, by Microsoft, a considerable number of news about Operations Management Suite (OMS) and System Center. Our community releases this monthly summary that gives you a comprehensive overview of the main news of the month, in order to stay up to date on these news and have the necessary references to conduct further study.

Operations Management Suite (OMS)

Azure Log Analytics

As already announced in the article The management of Log Analytics from the Azure portal Microsoft has chosen to abandon the OMS portal, in favour of the Azure Portal. The date announced for the final withdrawal of the OMS portal is the 15 January 2019. As a result of this choice also creation of new workspace of Azure Log Analytics can be performed only from the Azure Portal. Trying to create a new workspace from the old OMS portal you will be redirected to the Azure portal to complete the task. Have not made any changes to REST API and PowerShell to create workspaces.

Even the Advanced Analytics Portal is incorporated into the Azure Portal. At the moment you can access this portal by logging on to Logs (preview) available in the workspace of Log Analytics.

Figure 1 - Advanced Analytics available in the Logs (preview) from the Azure Portal

Azure Automation

Managing updates through Azure Automation Update Management sees the addition of a new option for the deployment of the updates. When creating or editing an update deployment is now an option the Reboot, that allows you to control whether and when reboot systems. For more information please visit the official technical documentation.

Figure 2 – Reboot option available in the update deployment

In the functionality of Change Tracking the following changes have been made:

To track changes and make the inventory of the files in the Windows environment now you can use: recursion, wildcards, and environment variables. In Linux there is already the support for recursion and wildcards.
As for the changes that are processed in files, both Windows and Linux, introduced the ability to display the content of the changes.
Introduced the possibility to reduce the frequency with which Windows services are collected (frequency is expressed in seconds and runs from a minimum of 10 seconds to a maximum of 30 minutes).

Agent

This month the new version ofOMS agent for Linux systems fixes some bugs and introduces an updated version for several core components, that increase the stability, the safety and improve the installation process. Among the various news is introduced the support for Ubuntu 18.04. To obtain the updated version of the OMS agent you can access to the official GitHub page OMS Agent for Linux Patch v 1.6.0-163. In the case the OMS agent for Linux systems has been installed using the Azure Extension and if its automatic update is active, this update will be installed independently.

Figure 3 – Bug fixes and what's new for the OMS agent for Linux

Azure Site Recovery

For Azure Site Recovery was released theUpdate Rollup 27 introducing new versions of the following components:

Microsoft Azure Site Recovery Unified Setup/Mobility agent (version 9.18.4946.1): used for replication scenarios from VMware to Azure.
Microsoft Azure Site Recovery Provider (version 5.1.3550.0): used for replication scenarios from Hyper-V to Azure or to a secondary site.
Microsoft Azure Recovery Services agent (version 2.0.9125.0): used for replication scenarios from Hyper-V to Azure.

The installation of this update rollup is recommended in deployments where there are components and their respective versions below reported:

Unified Setup/Mobility agent version 9.14.0000.0 or later.
Site Recovery Provider (with System Center VMM): version 3.3. x. x or later.
Site Recovery Provider (for replication without VMM): version 5.1.3100.0 or later.
Site Recovery Hyper-V Provider: version 4.6. x. x or later.

For more information on the issues resolved, on improvements from this Update Rollup and to get the procedure for its installation is possible to consult the specific KB 4055712.

In Azure Site Recovery was introduced support for enabling disaster recovery scenarios Cross-subscription, for IaaS virtual machines, as long as belonging to the same Azure Active Directory tenant. This feature is very useful because often you have environments that use different Azure subscriptions, created primarily to have greater control of costs. Thanks to this new support you can more easily reach business continuity requirements creating disaster recovery plans without altering the topology of the Azure subscriptions in your environment.

Figure 4 - VM replica configuration to a different subscription target

Azure Site Recovery now can integrate with Veritas Backup Exec Instant Cloud Recovery (ICR) with the release of Backup Exec 20.2. Using ICR, Backup Exec users are able to configure replication of VMs on-premises to Azure and easily operate the DR plan if necessary, reducing the Recovery Point Objective (RPO) and the Recovery Time Objective (RTO). Instant Cloud Recovery requires a subscription Azure and supports Hyper-V and VMware virtual machines. For more details and references you can see thespecific announcement.

Azure Backup

In this interesting article there is the procedure to monitor all workloads protected by Azure Backup using Log Analytics.

System Center

System Center Configuration Manager

Released the version 1806 for the Current Branch (CB) of System Center Configuration Manager that introduces new features and major improvements in the product.

Among the main innovations of this update there is a new feature called CMPivot. It is a new utility available in the Configuration Manager console that can provide information in real time about connected devices in your environment. On this information you can apply filters and groupings, then perform certain actions.

Figure 5 – Features and benefits of CMPivot functionality

For a complete list of new features introduced in this version of Configuration Manager, you can consult theofficial announcement.

Released the version 1808 for the branch Technical Preview of System Center Configuration Manager. This update introduces the ability to perform a gradual release of software updates automatically. The button that allows you to configure this operation is shown in figure below and can be found in the console nodes All Software Updates, All Windows 10 Updates, and Office 365 Updates.

Figure 6 – Phased Deployment creation button

For more information about configuring Phased Deployments in Configuration Manager, you can refer to the Microsoft technical documentation .

I remind you that the releases in the Technical Preview Branch allows you to evaluate in preview new SCCM functionality and is recommended to apply these updates only in test environments.

System Center Operations Manager

Released the updated version of Microsoft System Center 2016 Management Pack for Microsoft Azure (version 1.5.20.18).

There are also the following news:

New community version of the Azure Management Pack, issued by Daniele Grandini.
Released SCOM Dashboard Report Template in PowerBI.

Evaluation of OMS and System Center

Please remember that in order to test and evaluate for free Operations Management Suite (OMS) you can access this page and select the mode that is most appropriate for your needs.

To try out the various components of System Center you must access theEvaluation Center and after the registration you can start the trial period.

Azure Networking: introduction to the Hub-Spoke model

A network topology increasingly adopted by Microsoft Azure customers is the network topology defined Hub-Spoke. This article lists the main features of this network architecture, examines the most common use cases, and shows the main advantages that can are obtained thanks to this architecture.

The Hub-Spoke topology

In a Hub-Spoke network architecture, theHub is a virtual network on Azure that serves as the point of connectivity to the on-premises network. This connectivity can be done through VPN Site to site or through ExpressRoute. The Spoke are virtual networks running the peering with the Hub and can be used to isolate workloads.

The architecture basic scheme:

Figure 1 – Hub-Spoke basic network architecture

This architecture is also designed to position in the Hub network a network virtual appliance (NVA) to control the flow of network traffic in a centralized way.

Figure 2 - Possible architecture of Hub vNet in the presence of NVA

In this regard it should be noted that Microsoft recently announced the availability of the’Azure Firewall, a new managed service and fully integrated into the Microsoft public cloud, that allows you to secure the resources present on the Virtual Networks of Azure. At the moment the service is in preview, but soon it will be possible to assess the adoption of Azure Firewall to control centrally, through policy enforcement, network communication streams, all cross subscriptions and cross virtual networks. This service, in the presence of Hub-Spoke network architectures , lends itself to be placed in the Hub network, in order to obtain complete control of network traffic.

Figure 3 - Positioning Azure Firewall in the Hub Network

For additional details on Azure Firewall you can see Introduction to Azure Firewall.

When you can use the Hub-Spoke topology

The network architecture Hub-Spoke is typically used in scenarios where these characteristics are required in terms of connectivity:

In the presence of workloads deployed in different environments (development, testing and production) which require access to the shared services such as DNS, IDS, Active Directory Domain Services (AD DS). Shared services will be placed in the Hub virtual network, while the various environments (development, testing and production) will be deployed in Spoke networks to maintain a high level of insolation.
When certain workloads must not communicate with all other workloads, but only with shared services.
In the presence of reality that require a high level of control over aspects related to network security and needing to make a segregation of the network traffic.

Figure 4 – Hub-Spoke architecture design with its components

The advantages of the Hub-Spoke topology

The advantages of this Azure network topology can be summarized as:

Cost savings, because shared services can be centralized in one place and used by multiple workloads, such as the DNS server and any virtual appliances. It also reduces the VPN Gateways to provide connectivity to the on-premises environment, with a cost savings for Azure.
Granular separation of tasks between IT (SecOps, InfraOps) and workloads (Devops).
Greater flexibility in terms of management and security for the Azure environment.

Useful references for further reading

The following are the references to the Microsoft technical documentation useful to direct further investigation on this topic:

Conclusions

One of the first aspects to consider when you implement solutions in the cloud is the network architecture to be adopted. Establish from the beginning the most appropriate network topology allows you to have a winning strategy and avoid to be in the position of having to migrate workloads, to adopt different network architectures, with all the complications that ensue.

Each implementation requires a careful analysis in order to take into account all aspects and to make appropriate assessments. It is therefore not possible to assert that the Hub-Spoke network architecture is suitable for all scenarios, but certainly it introduces several benefits that make it effective for obtaining certain characteristics and have a high level of flexibility.