Category Archives: Microsoft Azure

OMS and System Center: What's New in June 2018

In June have been announced, by Microsoft, a considerable number of news about Operations Management Suite (OMS) and System Center. Our community, through these articles released monthly, want to provide an overview of the main news of the month, in order to stay up to date on these arguments and have the necessary references for further information.

Operations Management Suite (OMS)

Log Analytics

Recently it was officially announced that the OMS portal will be deprecated, in favour of the Azure Portal. In this article are examined the aspects related to this change and what you should know to avoid being caught unprepared.

Figure 1 - Notifications in the OMS portal

Azure Backup

Azure Backup is enriched with an important new feature that allows you to natively protect SQL workload, running in IaaS virtual machines that reside in Azure. In this article are showed the benefits and the characteristics of this new feature.

Figure 2 – Protection of SQL Server on Azure VMs with Azure Backup

Released an updated version of the’Azure Backup agent (MARS), which can be obtained by accessing this link.

Using Azure Backup there is the possibility of generating the reports needed to be able to easily check the status of resource protection, details on the different backup jobs configured, the actual storage utilization and status of its alert. All this is made possible by using Power BI, allowing you to have a high degree of flexibility in the generation and customization of reports. In this video, recently published, there is show how to configure a Power BI workspace for sharing reports of Azure Backup within your organization. To analyze the steps required to configure the reporting of Azure Backup you can refer this article.

Figure 3 – Sharing PowerBI reports of Azure Backup

Azure Backup introduces the ability to protect workloads running on Azure Stack environment. The tenant who use the Azure Stack solution can then have a short term protection directly on the Azure Stack environment and can make use of Azure Recovery Service vault for long term retention and to perform offsite. For more details on this you can consult therelease announcement.

Figure 4 – Azure Stack Tenant backup with Microsoft Azure Backup Server

Azure Site Recovery

In Azure Site Recovery (ASR) was announced in "general availability (GA)" the ability to configure the Disaster Recovery (DR) of Azure Virtual Machines. Configuring the replication of virtual machines in different regions of Azure, you have the ability to make applications resilient to a fault affecting a specific Azure region. This feature is available in all the Azure regions where you can use ASR. Azure is the first public cloud to offer a native solution for Disaster Recovery for applications that run in IaaS.

During the preview, Microsoft has taken into account the different feedback from the customers and added to the solution, the following import capabilities:

We highlight these useful references regarding this solution:

Security and Audit

The solution Azure Network Security Group Analytics will be replaced by Traffic Analytics that was released in General availability (GA). This solution, fully cloud-based, allows you to have an overall visibility on network activities that are undertaken in the cloud environment. For more details about you can see "How to monitor network activities in Azure with Traffic Analytics"

System Center

System Center Data Protectrion Manager

In environments where System Center Data Protection Manager (SCDPM) is connected to Azure Backup service was introduced the ability to view all the items protected, details on the use of storage and information about the recovery points, direct from the Azure Portal, within the Recovery Service vault. This feature is supported for SCDPM 2012 R2, 2016 and for Azure Backup Server v1 and v2, as long as you have the latest version of Azure Backup Agent (MARS).

Figure 5 – Information from DPM outlined in Recovery Service vault

System Center Configuration Manager

It is usually released a technical preview per month in Configuration Manager, but this month, due to the considerable number of new features, they were released two.

The first is the version 1806 for the Technical Preview branch of System Center Configuration Manager. The main innovation introduced by this update is the addition of support for third-party software update catalogs. From the Configuration Manager console, you can easily subscribe to third-party software update catalogs, then publish updates via Software Update Point. These updates will be issued to the client by using the classic method of Configuration Manager to deploy software update.

Figure 6 – Access to third-party software update catalogs from the SCCM console

In addition to this new feature were released updates on:

  • Sync MDM policy from Microsoft Intune for a co-managed device
  • Office 365 workload transition in co-management
  • Configure Windows Defender SmartScreen settings for Microsoft Edge
  • Improvements to the Surface dashboard
  • Office Customization Tool integration with the Office 365 Installer
  • Content from cloud management gateway
  • Simplified client bootstrap command line
  • Software Center infrastructure improvements
  • Removed Network Access Account (NAA) requirement for OSD Boot Media
  • Removed Network Access Account (NAA) requirement for Task Sequences
  • Package Conversion Manager
  • Deploy updates without content
  • Currently logged on user information is shown in the console
  • Provision Windows app packages for all users on a device

The second is the version 1806.2 for the Technical Preview branch of System Center Configuration Manager, that mainly includes the following news related to the Phased deployment:

  • Ability to monitor the status natively, from the Deployments node.
  • Ability to create Phased deployment of applications and not just for task sequences.
  • Ability to carry out a gradual rollout during the deployment phase.

Also this preview contains updates regarding:

  • Management Insights for proactive maintenance
  • Mobile apps for co-managed devices
  • Support for new Windows app package formats
  • New boundary group options for optimized P2P behaviors
  • Third-party software updates support for custom catalogs
  • Compliance 9 – Overall health and compliance (Report)

Please note that the Technical Preview Branch releases help you to evaluate new features of SCCM and it is recommended to apply these updates only in test environments.

System Center Operations Manager

Released an updated version of the Management Pack for OS Windows Server 2016 and 1709 Plus which includes several updates and issues resolutions. For further information you can consult this article.

Released the version 8.2 of the MP Author that includes several improvements. For a list of what's new in this version you can see theofficial announcement of the release.

Evaluation of OMS and System Center

Please remember that in order to test and evaluate for free Operations Management Suite (OMS) you can access this page and select the mode that is most appropriate for your needs.

To test the various components of System Center 2016 you can access theEvaluation Center and after the registration you can start the trial period.

The management of Log Analytics from the Azure portal

For some time, Microsoft has started a process that led to bundle several features and settings of OMS Log Analytics in the Azure portal. Recently it was officially announced that the OMS portal will be deprecated, in favour of the Azure Portal. This article will examine aspects related to this change and what you should know to avoid being caught unprepared.

The choice to leave the OMS portal, in favour of the Azure Portal, was made in order to provide a unique user experience to monitor and manage the systems, regardless of their location (on-premises or on Azure). Thanks to the Azure portal you can browse and manage all Azure services and soon you will also have complete control over OMS Log Analytics. The expectation is that the gap currently present between the two portals is finally filled by the end of summer and short Microsoft will announce the date for the final disposal of the OMS portal.

Figure 1 - Notifications in the OMS portal

Figure 2 – Overview of Log Analytics in the Azure Portal

What does this change?

The disposal of the OMS portal, in addition to a noticeable change in user experience, also entails a change in the use of Log Analytics to aspects reported below.

Management of alerts

Instead of using the Alert management solution of Log Analytics you must use Azure Monitor, in addition to allowing you to monitor all Azure borne resources, also holds the "alerting" engine for the entire cloud platform. The article "The extension of Log Analytics Alerts in Azure Monitor"introduces the new management of the Alerts in Log Analytics and the benefits introduced by this evolution.

Access Permissions for the portal

Access management in the Azure Portal, based on role-based access control (RBAC), is definitely more flexible and powerful than the one in the OMS portal. Azure provides these two default built-in user roles for Log Analytics:

  • Log Analytics Reader
  • Log Analytics Contributor

For details regarding access management of Log Analytics from the Azure portal you can consult this documentation. Starting from 25 June will start the automatic conversion process, during which each user or security group present in the OMS portal will be reported with the appropriate role in the Azure Portal, according to the following association:

Figure 3 - Association between OMS portal permissions and Azure roles

Mobile App

As for the portal OMS, even the OMS mobile app will be deprecated. In its place you can access to the Azure portal directly from the mobile browser, waiting for future extensions of the Azure Mobile App. To receive notifications on mobile devices, when alerts are generated, you can use Azure Action Groups.

Application Insights Connector

TheApplication Insights Connector is used to return the data of Application Insights inside the workspace of Log Analytics. This connector is no longer needed and will be deprecated, from November of this year, given that the same functionality can be achieved using cross-resource queries.

Azure Network Security Group Analytics

The solution Azure Network Security Group Analytics will be replaced by Traffic Analytics, accessible only from the Azure Portal. For more details on this new tool you can refer to the article "How to monitor network activities in Azure with Traffic Analytics"

 

Current gap in the Azure portal

To date it is imposed the use the OMS portal, for who uses the following solutions, as they are not totally usable in the Azure Portal:

Microsoft is working to update this solutions and make them available using the Azure Portal. To stay up to date on changes about this you can refer to the page Azure Updates.

 

Considerations

To manage Log Analytics should be used the Azure portal since today, which enables new tools, to benefit from the better experience offered, and to take advantage of the portal's features, as the dashboards, searches, and tagging for resource management. The OMS portal will be disposed soon, but it can still be required if you need to use the solutions not yet compatible (above reported), waiting for their upcoming update that will make them fully functioning with the Azure Portal.

Azure Backup: the protection of SQL Server in Azure Virtual Machines

Azure Backup is enriched with an important new feature that allows you to natively protect SQL workload, running in IaaS virtual machines that reside in Azure. In this article we will explore the benefits and the characteristics of this new feature.

Figure 1 - Protection with Azure backups of SQL Server in Azure VMs

Azure Backup has always been with an approach cloud-first allowing you to protect your systems quickly, safe and effective. The SQL Server protection in Azure IaaS virtual machines provides the only solution of its kind, characterised by the following elements:

  • Zero-backup infrastructure: you do not need to maintain a classic backup infrastructure, composed from the backup server, by various agents installed on systems and storage that host backups. Furthermore, nor is it required to use backup scripts, often needed in other backup solutions, to protect SQL Server.
  • Monitor backups by Recovery Services Vault: Using the dashboard, you can easily and intuitively monitor various backup jobs for all types of workloads protected: Azure IaaS VMs, Azure Files and SQL server databases. You can also set up email notifications against unsuccessful backup or restore.
  • Centralized management: you have the option to configure common protection policy, usable for databases residing on separate servers, where is defined the scheduling and the retention for short-term and long-term backup.
  • Restore DB to a precise date and time: an intuitive graphical interface allows the operator to restore the most appropriate recovery point for the selected date. Azure Backup will take care of managing the restoration of full backups, differential and log backup chain in order to get the database at the selected time.
  • Recovery Point Objective (RPO) of 15 minutes: You can back up the transaction log every 15 minutes.
  • Pay as you go service (PAYG): billing takes place monthly on the basis of consumption and there are no upfront costs for the service.
  • Native integration with SQL Server APIs: Azure Backup invokes the native APIs of the solution to ensure a high efficiency and reliability of the operations performed. Backup jobs can be viewed using SQL Server Management Studio (SSMS).
  • Support for Always On Availability Group: the solution is able to back up databases that reside within an Availability Group (AG), ensuring the protection in case of failover events, honoring the preference backup set at the AG level.

This new feature supports the following versions of the operating system and SQL Server, independently that are VMs are generated by a marketplace image or less (SQL Server installation done manually).

Supported operating systems

  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016

Linux, at the moment, is not supported.

Supported SQL Server VersionsEditions

  • SQL 2012 Enterprise, Standard, Web, Developer, Express
  • SQL 2014 Enterprise, Standard, Web, Developer, Express
  • SQL 2016 Enterprise, Standard, Web, Developer, Express
  • SQL 2017 Enterprise, Standard, Web, Developer, Express

To take advantage of this feature, the following requirements must be met:

  • Have a Recovery Services vault in the same region where resides the Azure virtual machine hosting SQL databases to be protected.
  • The virtual machine with SQL Server need connectivity to Azure public IPs.
  • On the virtual machine that holds the databases to be protected must be present specific settings. Azure Backup requires the presence of the VM extension AzureBackupWindowsWorkload. This extension is installed in the virtual machine during the process of discovery and enables communication with Azure Backup. The extension installation involves the creation in the VM, by Azure Backup, of the Windows virtual service account named NT Service AzureWLBackupPluginSvc. This virtual service account needs permissions of log in and sysadmin on SQL side, to protect your databases.

To enable the backup of SQL workloads in virtual machine in Azure it is necessary to carry out a process of discovery and later you can configure the protection.

Discovery process

This paragraph shows the procedure to be followed, by accessing the Azure Portal, to enable discovery of databases:

Figure 2 – Initiation of the discovery process

Figure 3 – Discovery in progress

Figure 4 – Discovery of DBs on selected systems

 

Configuring SQL backup

After the discovery phase of the the databases you can proceed with the configuration of SQL Server backup.

Figure 5 - Start the backup configuration, post DBs discovery inside the VMs

Figure 6 – Selection of DBs to be protected

Figure 7 – Creation of the policy that defines the type of SQL backup and data retention

Figure 8 – Enabling backup

 

Backup monitor and restore process

Figure 9 – Dashboard of the Recovery Service vault

Figure 10 - Number of backup items of SQL in Azure VMs

Figure 11 – SQL backup status

By selecting the single DB you can start the restore process.

Figure 12 - Starting the restore process of the DB

Figure 13 – Selecting the destination where to restore the DB

Figure 14 – Selecting the restore point to use

Figure 15 – Restore settings and directories where to place the files

Figure 16 – Starting the restore job

 

The Cost of the Solution

The cost for the protection of SQL Server in Azure Backup is calculated on the number of instances protected (individual Azure VMs or Availability Groups). The cost of a single protected instance depends on the size, which is determined by the overall size of the various protected DBs (without considering the amount of compression and encryption). At this cost it has to be added the cost of Azure storage actually consumed. This is Block Blob Storage including locally redundant storage (LRS) or geo-redundant storage (GRS). For more details on costs please visit the Microsoft's official page.

 

Conclusions

Azure Backup is enhanced with an important feature and confirms to be a great enterprise solution for systems protection, wherever they are. With this feature, Azure differs from any other public cloud, providing a solution for the protection of SQL Server in IaaS virtual machines, totally integrated into the platform. For more information on Azure Backup solution you can consult the official documentation.

Everything you need to know about new Azure Load Balancer

Microsoft recently announced the availability in Azure of Standard Load Balancer. They are load balancers Layer-4, for TCP and UDP protocols that, compared to Basic Load Balancer, introduce improvements and give you more granular control of certain features. This article describes the main features of the Standard Azure Load balancers, in order to have the necessary elements to choose the most suitable type of balancer for your needs.

Any scenario where you can use the SKU Basic of Azure Load balancers, can be satisfied using the Standard SKU, but the two types of load balancers have important differences in terms of scalability, functionality, guaranteed service levels and cost.

Scalability

The Standard Load balancers have higher scalability, compared to Basic Load Balancer, as regards the maximum number of instances (IP Configuration) that can be configured in the backend pool. The SKU Basic allows you to have up to 100 instances, while using the Standard SKU the maximum number of instances is equal to 1000.

Functionality

Backend pool

With regard to the Basic Load Balancer, in the backend pool, can reside exclusively:

  • Virtual machines that are located within an availability set.
  • A single standalone VM.
  • Virtual Machine Scale Set.

Figure 1 – Possible associations in the Basic Load Balancer backend pool

In Standard Load Balancer instead, it is allowed to enter into backend pool any virtual machine attested on a particular virtual network. The integration scope, in this case, is not in fact the availability set, as for the Basic load balancer , but it is the virtual network and all its associated concepts. A requirement to consider, in order to insert into the backend pool of Standard Load Balancer the virtual machines, is that these should not have associated public IP or must have Public IP with Standard SKU.

Figure 2 Standard Load Balancer backend pool association

Availability Zones

Standard Load Balancers provide integration scenarios with Availability Zones, in the regions that include this feature. For more details you can refer this specific Microsoft document, that shows the main concepts and implementation guide lines.

Ports High Availability

The load balancers with Standard SKU, of type "Internal", allow you to balance the TCP and UDP flows on all ports simultaneously. To do that, in the rule of load-balancing, there is the possibility to enable the "HA Ports" option:

Figure 3 - Configuring the load balancing rule with "HA Ports" option enabled

The balancing is done for flow, which is determined by the following elements: source IP address, source port, destination IP address, destination port, and protocol. This is particularly useful in scenarios where are used Network Virtual Appliances (NVA's) requiring scalability. This new feature improves the tasks that are required for NVAs implementations.

Figure 4 - Network architecture which provides the use of LB with "HA Ports" option enabled

Another possible use for this feature is when you need to balance a large number of ports.

For more details on the option "HA Ports" you can see the official documentation.

Diagnostics

Standard Load Balancer introduce the following features in terms of diagnostic capability:

  • Multi-dimensional metrics: You can retrieve various metrics that allow you to see, in real time, usage status of load balancer, internal and public. This information is particularly useful for troubleshooting.

Figure 5 – Load Balancer metrics from the Azure Portal

  • Resource Health: in Azure Monitor you have the opportunity to consult the health status of Standard Load Balancer (currently only available for Standard Load Balancer, type Public).

Figure 6 – Resource health of Load Balancer in Azure Monitor

You can also consult the history of the health state :

Figure 7 – Health history of Load Balancer

All details related to diagnostics, of the Standard Load Balancer, can be found in the official documentation.

Security

The Load Balancer with standard SKU are configured to be secure by default in fact, in order to operate, you must have a Network Security Group (NSG) where the traffic flow is explicitly allowed. As previously reported, the Load Balancer standards are fully integrated into the virtual network, which is characterized by the fact that it is private and therefore closed. The Standard Load Balancer and the public Standard IP are used to allow the access to the virtual network from outside and now by default you must configure a Network Security Group (closed by default) to allow the desired traffic. If there is no a NSG, on the subnet or on the NIC of the virtual machine, you will not be allowed the access by the network stream from the Standard Load Balancer.

The Basic Load Balancers by default are opened and the configuration of a Network Security Group is optional.

Outbound connections

The Load Balancer on Azure support both inbound and outbound connectivity scenarios. The Standard Load Balancer, compared to the Load Balancer Basic, behave differently with regard to outbound connections.

To map the internal and private IP address of the virtual network to the public IP address of the Load Balancer it uses the Source Network Address Translation technique (SNAT). The Load Balancer Standard introduce a new algorithm to have stronger SNAT policies, scalable and accurate, that allow you to have more flexibility and have new features.

Using the Standard Load Balancer you should consider the following aspects with regard to outbound scenarios:

  • Must be explicitly created to allow outgoing connectivity to virtual machines and are defined on the basis of incoming balancing rules.
  • Balancing rules define how occur the SNAT policies.
  • If there are multiple frontend, It uses all the frontend and for each of these multiply the preallocated SNAT ports available.
  • You have the option to choose and control whether a specific frontend you don't want to use for outbound connections.

Basic Load Balancers, in the presence of more public frontend IP, it is selected a single frontend to be used in outgoing flows. This selection can not be configured and occurs randomly.

To designate a specific IP address, you can follow the steps in this section of the Microsoft documentation.

Management operations

Standard Load balancers allow enabling management operations more quickly, much to bring the execution times of these operations under 30 seconds (against the 60-90 seconds to the Load Balancer with Basic SKU). Editing time for the backend pools are also dependent on the size of the same.

Other differences

At the moment, Public Standard Load Balancer cannot be configured with a public IPv6 address:

Figure 8 – Public IPv6 for Public Load Balancer

Service-Level Agreements (SLA)

An important aspect to consider, in choosing the most appropriate SKU for different architectures, is the level of service that you have to ensure (SLA). Using the Standard Load Balancer ensures that a Load Balancer Endpoint, that serve two or more instances of health virtual machines, will be available in time with an SLA of 99.99%.

The Load Balancer Basic does not guarantee this SLA.

For more details you can refer to the specific article SLA for Load Balancer.

 

Cost

As for Basic Load Balancer are not expected cost, for Standard Load Balancer there are usage charge provided on the basis of the following elements:

  • Number of load balancing rules configured.
  • Number of inbound and outbound data processed.

There are no specific costs for NAT rules.

In the Load Balancer cost page can be found the details.

 

Migration between SKUs

For Load Balancer is not expected to move from the Basic SKU to the Standard SKU and vice versa. But it is necessary to provide a side-by-side migration, taking into consideration the previously described functional differences.

Conclusions

The introduction of the Azure Standard Load Balancer allows you to have new features and provide greater scalability. These characteristics may help you avoid having to use, in specific scenarios, balancing solutions offered by third party vendors. Compared to traditional Load balancers (Basic SKU) change operating principles and have distinct characteristics in terms of costs and SLAS, this is good to consider in order to choose the most suitable type of Load Balancer, on the basis of the architecture that you must accomplish.

Azure Backup: as the solution evolves

Microsoft recently announced important news regarding the protection of virtual machines using Azure Backup. Thanks to an update of the backup stack you can get consistent improvements that make the solution more powerful and extend the potential. In this article will be investigated the benefits obtained by the update and will be examined the steps to switch to the new backup stack.

Features introduced by the new backup stack

Instant Recovery points and performance improvements

The Azure Backup job for the protection of virtual machines can be divided into two distinct phases:

  1. Creating a snapshot of the VM.
  2. Snapshot transfer to a Recovery Service vault.

Figure 1 - Steps of the backup job

Updating the backup stack, the recovery point is made available immediately after you create the virtual machine snapshot (Phase 1), and it is usable for restore operations according to the known methods. Unlike before that it was possible to use it only at the end of phase 2. From the Azure portal it is possible to distinguish the type of recovery point, as at the end of phase 1, the recovery point type is defined as "snapshots", while at the end of the snapshot transfer to the backup vault, the recovery point type is marked as "snapshot and vault".

The snapshots created during the backup process are maintained for 7 days. With this change are reduced considerably the execution time of the restore, carried out using the snapshots, which can be used in the same way to the checkpoint created by Hyper-V or VMware.

Support for large disks

The new backup stack also allows you to protect disks of size up to 4TB, both typologies: managed and unmanaged. Previously the limit in the maximum size of protected disks was 1 TB.

Distribution of disks during the recovery of virtual machines

After the upgrade of the backup stack you have the option to choose where to place the disks unmanaged of the virtual machines during the restore process. This reduces the configurations that would be necessary, post restore activities, putting all disks within the same storage account.

The Upgrade process

In order to enjoy the benefits introduced by the new backup stack you must manually upgrade your subscription which owns the Recovery Service Vault in the manner later described.

Consideration Pre-Upgrade

Before dealing with the upgrade of the stack you should consider the following aspects:

  • Since the upgrade is enabled at the Azure subscription level, the method of performing backups is changed for all protected virtual machines, present in the specific subscription. In the future it will be possible to have more granular control of this upgrade process.
  • The snapshots are saved locally to speed up the process of creation of the recovery point and to increase the speed of the restore processes. This means that there will be costs for the storage used by the snapshots preserved for 7 days.
  • The incremental snapshots are saved as page blob. For those who use managed disks there are no additional costs, while those using unmanaged disks must also consider the cost of the saved snapshots (during the 7 days) in the local storage account.
  • In the event of restore of a premium VM, starting from a snapshot recovery point, will be present, when creating the VM performed by the restore process, a temporary storage location.
  • For premium storage account you need to consider an allocation of 10 TB, for snapshots created for the purpose of instant recovery.

How to upgrade

The upgrade can be performed directly from the Azure portal or through PowerShell commands.

By accessing the Recovery Service vault from Azure portal, a notification will appear which indicates the ability to perform the backup stack upgrade.

Figure 2 – Backup stack upgrade notification

Selecting the notification the following message will appear that allows you to start the upgrade process.

Figure 3 - Launch of the backup stack upgrade process

The same operation can be performed using the following Powershell commands:

Figure 4 – Powershell commands to register the subscription to the upgrade process

Upgrade backup stack generally takes several minutes (maximum two hours), but it has no impact on scheduled backups.

Considerations

This major update of the Azure Backup stack shows that the solution is evolving to expand its capabilities and to ensure higher performance levels. To make a contribution with new ideas or vote the features that are considered most important for Azure Backup you can access this page. For more details on Azure Backup you can see the Microsoft's official documentation.

OMS and System Center: What's New in April 2018

Microsoft announces constantly news about Operations Management Suite (OMS) and System Center. Our community releases this summary monthly, allowing you to have a general overview of the main new features of the month, in order to stay up to date on these news and have the necessary references to conduct further study.

Operations Management Suite (OMS)

Log Analytics

Microsoft has decided to extend the Alerts in Log Analytics from OMS to the Azure Portal, centralizing on Azure Monitor. This process will be done automatically starting from 14 May 2018 (the date has been postponed, Initially it was planned for 23 April), will not result in any change to the configuration of Alerts and related queries, and it does not foresee any downtime for its implementation. For further details please consult the specific article “The extension of Log Analytics Alerts in Azure Monitor“.

Figure 1 – Notification of alerts extension in the OMS portal

To avoid situations where, the resources managed in Log Analytics may send in an unexpected way a high volume of data to the OMS Workspace, is introduced the ability to set a Daily Volume cap. This allows you to limit the data ingestion for your workspace. You can configure the Data volume cap in all regions, accessing to the section Usage and estimated costs:

Figure 2 – Setting the Daily volume cap

The portal also shows the trend of the volume of data in the last 31 days and the total volume of data, grouped by solution:

Figure 3 – Data ingestion for solution (latest 31 days and total)

Log Search API usage, used by the old Log Analytics query language, has been deprecated since 30 April 2018. The Log Search API has been replaced with theAzure Log Analytics REST API, which supports the new query language and introduces greater scalability than the results you can return. For more details on this you can consult theofficial announcement.

Agent

This month the new version ofOMS agent for Linux systems resolves a significant number of bugs and introduces new versions of the various components. It also introduced support for Debian 9, AWS 2017 and Open SSL 1.1. To obtain the updated version of the OMS agent you can access to the official GitHub page OMS Agent for Linux Patch v 1.6.0-42.

Figure 4 – Bug fixes and what's new for the OMS agent for Linux

Azure Backup

As for Azure Backup, have been announced the following improvements in service scalability:

  • Ability to create up to 500 recovery services vaults in every subscription for region (previously the limit was 25).
  • The number of virtual machines that can be registered in each vault is increased to 1000 (it was previously 200).

Azure Backup, for the protection of Azure Iaas VM, now supports the storage account secured using storage firewalls and Virtual Networks. More details about this can be found on Microsoft's official blog.

Figure 5 - Protection of Azure Iaas VM in storage protected scenarios

There are different rules to enable the long-term backup for Azure SQL Database . The procedure, to keep the backup of Azure SQL DB up to 10 years, expected saving in an Azure Recovery Vault Service. By introducing this new feature, you have the option to keep the long-term backup directly within an Azure Blob Storage and will terminate the need for a Recovery Vault Service. All this gives you more flexibility and greater control of costs. For more details about it you can see the article SQL Database: Long-term backup retention preview includes major updates.

System Center

System Center Configuration Manager

For System Center Configuration Manager has been released the version 1804 for the Technical Preview branch. In addition to general improvements in the solution this update introduce new features concerning the OSD, the Software Center and the Configuration Manager infrastructure. All the new features included in this update can be found in the article Update 1804 for Configuration Manager Technical Preview Branch. Please note that the Technical Preview Branch releases help you to evaluate new features of SCCM and it is recommended to apply these updates only in test environments.

System Center Operations Manager

Microsoft has released theUpdate Rollup 5 (UR5) for System Center 2016 Long-Term Servicing Channel (LTSC). This update does not introduce new features, but fixes several bugs.

Following, are the references, about this update, for each System Center product:

There are no updates regarding Service Provider Foundation.

System Center Operations Manager 1801 introduces support for Kerberos authentication when the protocol WS-Management is used from the management server for the communication with UNIX and Linux systems. This allows you to have a higher level of security, eliminating the need to enable basic authentication for Windows Remote Management (WinRM).

Also in System Center Operations Manager 1801 introduces the following improvements on the management of the Linux log file monitor:

  • Support for Wild Card characters in the name and path of the log file.
  • Support for new match patterns that allow customized searches of log.
  • Support for pluging Fluentd published by fluentd community.

Below there are the news concerning the Management Pack of SCOM:

  • MP for Windows Server Operating System 2016 and 1709 Plus 10.0.19.0
  • MP for SQL Server 2008-2012 7.0.4.0
  • MP for SQL Server 2014 7.0.4.0
  • MP for SQL Server 2016 7.0.4.0
  • MP for Microsoft SQL Azure Database 7.0.4.0
  • MP for SQL Server Dashboards 7.0.4.0
  • MP for UNIX and Linux 7.6.1085.0

Evaluation of OMS and System Center

Please remember that in order to test and evaluate for free Operations Management Suite (OMS) you can access this page and select the mode that is most appropriate for your needs.

To test the various components of System Center 2016 you can access theEvaluation Center and after the registration you can start the trial period.

Azure Monitor: how to check the health of Azure Services

Azure Monitor, through the service called Azure Service Health, can provide detailed information in case you experience conditions affecting the functioning of your services in the Microsoft cloud. In this article we will examine how Azure Service Health can help to identify the impact of the problems, send notifications and maintain administrators up to date as the issue is resolved. It will also further how this service can help to prepare for planned maintenance and to understand how these might affect the availability of your resources.

To get a visual on the overall state of Azure health, Microsoft offers its status page, that shows in real time the situation of the various products and services, divided into geographical areas. This page shows all the problems, even those who do not have a direct impact on the status of your services.

To obtain a customized view, covering only your own resources, you can use Azure Service Health. In this way is encouraged early detection of information concerning the following aspects:

  • Problems on services: lists the Azure services issues that impact on own resources.
  • Scheduled maintenance: lists the future maintenance affecting the availability of your own services.
  • Health advisories: these are the changes in Azure services that require attention. Possible examples of this can be reports of certain usage quotas are exceeded or when certain features of Azure are deprecated.

Figure 1 – Azure Service Health sections present in the Azure Portal

By accessing the section Azure Service Health – Service issues, in Azure Monitor, you can create custom dashboards. In order to receive notifications only for resources of interest, you are prompted to select the subsbriptions, the regions and the appropriate services. At the end of this selection, you can save the filters by assigning a name.

Figure 2 – Selection of regions

Figure 3 – Selection of Azure services

Figure 4 – Saving and naming

By selecting the button "Pin filtered world map to dashboard" you can see the custom map in the Azure Portal dashboard, so you instantly have a visual impact on the health status of the subscription, of the services and of the selected regions.

Figure 5 – Map, with filters applied, shown in the dashboard

If issues arise that impact your resources on Azure, by accessing the portal, you will receive a notification similar to the following:

Figure 6 - Reporting an ongoing issue that impacts your services

Selecting the custom map you will be sent in the Azure Service Health of Azure Monitor. This dashboard shows the relevant details and the list of your own resources, that potentially could be impacted by the issue, in addition to its status updates.

Figure 7 - Summary of the issue

From this page you can also download the PDF documentation (in some cases also in CSV format) describing the problem, in order to be sent to those who have no direct access to the Azure Portal. There are also useful links to contact Microsoft support if error condition persist after the issue is reported as solved.

Figure 8 – Resources potentially impacted by the issue

The section Health history shows past problems encountered on Azure services and that have had an impact on the health of your own resources.

Figure 9 - List of problems reported in the Health history

Azure Service Health, in the section Resource health, also displays the state of health of the resources by type.

Figure 10 – Resources Health by type

Selecting the individual Azure service you can consult both the current state of health that any problems that occurred in the past on a given resource.

Figure 11 – Current state of health and past events of a specific Virtual Machine

Thanks to the complete integration of Service Health on Azure Monitor, which holds the alerting engine of Azure, you can configure specific Alerts if there are issues on Azure side, that impact on the operation of the resources present on your own subscription. The notification occurs through Action Groups, that currently includes these possible actions:

  • Voice call (currently only in US) or sending SMS (for enabled countries).
  • Sending an email.
  • Calling a webhook.
  • Sending data to ITSM.
  • Recalling a Logic App.
  • Sending a push notification on mobile app of Azure.
  • Running a runbook of Azure Automation.

Figure 12 – Adding a Service Health Alert

Figure 13 -Configuring a Service Health Alert

Conclusions

The recent availability of Azure Service Health, introduced the ability to receive customized and targeted information on the health of your own resources in Azure, without having to search for potential problems of Azure globally by going to its status page. This saves time and easily understand, in the face of problems or scheduled maintenance, what is the impact on your own services.

The extension of Log Analytics Alerts in Azure Monitor

Being able to take advantage of a centralized and effective service for the management of Alerts of your infrastructure is definitely an important and fundamental part of the monitor strategy. For this purpose Microsoft has introduced a new experience in the management of the Alerts through Azure Monitor. This article will present how to evolve the management of Alerts in Log Analytics and what are the benefits introduced by this change.

In Log Analytics there is the ability to generate Alerts when, in the research that is done with scheduled frequency in the OMS repository, you will get the results that match with the criteria established. When an Alert is generated in Log Analytics you can configure the following actions:

  • Email notification.
  • Invocation of a webhook.
  • Running a runbook of Azure Automation.
  • IT Service Management activities (requires the presence of the connector for the ITSM solution).

Figure 1 – Alerts in Log Analytics

Until now, this type of configuration has been managed from the OMS portal.

Azure Monitor is a service that allows you to monitor all Azure borne resources, and it holds the "alerting" engine for the entire cloud platform. By accessing the service from the Azure portal you will have available, in a unique location, all Alerts of your infrastructure, from Azure Monitor, Log Analytics, and Application Insights. You can then take advantage of a unified experience both with regard to the consultation of the Alerts that for its authoring.

At present the Alerts created in Log Analytics are already listed in the Azure Monitor dashboard, but any change involves accessing to the OMS portal. To facilitate this management Microsoft has therefore decided to extend the Alerts in Log Analytics from the OMS portal to the Azure Portal. This process will be done automatically starting from 23 April 2018, will not result in any change to the configuration of Alerts and related queries, and it does not foresee any downtime for its implementation.

It follows that, after this operation, any actions associated with the Alerts will be made through Action Groups, which will be created automatically by the extension process.

The extension of Log Analytics Alerts in the Azure Portal, besides the advantage of being able to manage them from a single portal, allows you to take advantage of the following benefits:

  • There is no longer the limit of 250 Alerts.
  • You have the ability to manage, enumerate and display not only the Alerts of Log Analytics, but also those from other sources.
  • You have greater flexibility in the actions that can be undertaken against a Alerts, thanks to the use of Action Groups, such as the ability to send SMS or voice call.

If you don't want to wait for the automatic process you can force the migration via API or from the portal OMS, according to the steps later documented:

Figure 2 - Starting the "Extend into Azure" process from the OMS portal

Figure 3 – Step 1: view the details of the extension process.

Figure 4 – Step 2: summary of the proposed changes

Figure 5 – Step 3: confirmation of the extension process

Specifying an email address you can be notified at the end of the migration process, that contains the summary report.

Figure 6 - Notification of the planned extension of the Alerts

During the process of extension of Log Analytics Alerts on Azure you will not be able to make changes to existing and creating new Alerts Alerts shall be made from Azure Monitor.

At the end of the extension process the Alerts will be visible even from the OMS portal and you will receive notification via email, to the address specified during the migration wizard:

Figure 7 – Email notification at the end of the extension process

From the Azure portal, in the section “Monitor – Alerts”, you will have a full management of Log Analytics Alerts:

Figure 8 - Example of modifying an Alert Rule from the Azure Monitor

The extension of the Alerts of Log Analytics in Azure Monitor does not involve costs, but you should be aware that, the use of Azure Alerts generated by Log Analytics query, is not subject to billing only if it falls within the limits and under the conditions reported in the page of Azure Monitor costs.

Conclusions

Thanks to this activity of extension of Log Analytics Alerts, Azure Monitor is confirmed that it is the new management engine of all Alerts, by providing to the administrators a simple and intuitive interface and enriching the possible actions of a notification alert.

OMS and System Center: What's New in March 2018

In March there have been several news announced by Microsoft on Operations Management Suite (OMS) and System Center. In this series of articles, which we make with monthly basis, are listed all the main innovations of the current month, accompanied by the necessary references to be able to conduct further studies.

Operations Management Suite (OMS)

Azure Automation

In Azure Automation new features have been officially released that allow you to:

  • Manage the distribution of updates (Update management).
  • Collect inventory information about the applications installed on systems (Inventory).
  • Track changes made on the machines (Change tracking).

The our article, posted in recent months, shows how to configure the Azure Automation Account to take advantage of these new features and reports the key features.

Figure 1 – Related solutions in Log Analytics


Azure Backup

Azure Backup introduces several new features that address the following aspects:

  • Large disk support: ability to protect disks of size up to 4 TB, both typologies: managed and unmanaged. The limit was previously of 1 TB.
  • Backup and Restore performance improvements: to reduce the execution time of the backup and restore will be retained snapshots, performed during the backup process, for 7 days.
  • Instant recovery point: the recovery point is made available instantly at the moment of creation of the snapshot made by the backup job, in a similar way to the checkpoint created by Hyper-V or VMware.
  • Distribute the disks of restored VM: during the restore process you are given the opportunity to choose where to place the disks unmanaged of virtual machines. This reduces the configurations, post restore activities, that would be required putting all disks within the same storage account .

To take advantage of these improvements you need to upgrade your subscription which owns the Recovery Service Vaults. The upgrade can be performed directly from the Azure Portal (there will be an appropriate notification in the dashboard of the Recovery Service vault ) or via PowerShell commands. For further information you can consult theMicrosoft's official announcement.

Figure 2 – Subscription upgrade process at the new stack

Microsoft has also announced that the Azure Backup service is now also available in the regions of Azure France (France Central and France South).

 

System Center

Microsoft has officialized the release of Windows Server 2019 which will be available to the public in the second half of 2018. In the same time will be made available System Center 2019 and it will have full support for Windows Server 2019 from the very first day of release.

System Center Configuration Manager

During the month has been released the version 1802 for the Current Branch (CB) of System Center Configuration Manager that introduces new features and major improvements in the product.

This summarizes the areas impacted by this update:

Modern Management

  • Endpoint Protection workload transition in co-management
  • Management insights
  • Co-management reporting

Figure 3 – Co-management reporting

Microsoft 365 Adoption

  • Phased deployments
  • Windows AutoPilot Device Information report
  • Support for Windows 10 ARM64 devices
  • Surface Device Dashboard
  • Microsoft Edge browser policies
  • Report to show default browser for client machines
  • Windows 10 Servicing for a specific collection report
  • Improvements to Office 365 client management dashboard
  • Improvements for Windows Defender Exploit Guard
  • New settings for Windows Defender Application Guard

Streamlined Infrastructure

  • Configure Windows 10 Delivery Optimization to use Configuration Manager boundary groups
  • Add management points to your boundary group fallback relationships
  • Moving Distribution Points between sites

Improvements in Cloud Management Gateway

  • Cloud management gateway support for Azure Resource Manager
  • Install user-available applications on Azure AD-joined devices
  • Windows 10 in-place upgrade task sequence over the Internet

Improvements in Software Center

  • Approve application requests for users per device
  • Improvements to client settings for Software Center

Improvements in OSD

  • Improvements to Windows 10 in-place upgrade task sequence
  • Deployment Template for Task Sequences

Miscellaneous Improvements

  • Support for hardware inventory strings greater than 255 characters in length
  • Run scripts

Figure 4 – Run Script status

To see the complete list of new features and to get more details about it you can access the Microsoft's official documentation.

The update will be made available globally in recent weeks and will be displayed in the node "Updates and Servicing" in the SCCM console. To force the availability of this update you can use this PowerShell script.

For System Center Configuration Manager has been released the version 1803 for the Technical Preview branch. In addition to general improvements in the solution are introduced useful changes that can improve the Configuration Manager infrastructure. Furthermore, interesting improvements have been made to the Software Center. All the new features included in this update can be found in the article Update 1803 for Configuration Manager Technical Preview Branch.

Please note that the Technical Preview Branch releases help you to evaluate new features of SCCM and it is recommended to apply these updates only in test environments.

System Center Updates Publisher

System Center Updates Publisher (SCUP) is the Microsoft solution that allows you to manage custom third-party update. This month a new version of SCUP has been officially released and can be downloaded at this link. The new release introduces support for Windows 10 and Windows Server 2016. All details about this release can be found in the’official announcement.

System Center Operations Manager

Following, are reported the news about Management Packs of SCOM:

Evaluation of OMS and System Center

Please remember that in order to test and evaluate for free Operations Management Suite (OMS) you can access this page and select the mode that is most appropriate for your needs.

To try System Center products you can access to the’Evaluation Center and after the registration you can start the trial period.

Azure SQL Database: how to manage connectivity with vNet Service Endpoints

To have more control over accesses performed on SQL Azure Database, last month, Microsoft has publicly released the option to enable Virtual Network (vNet) Service Endpoints for SQL Database. This article will explain the working principle, with resulting benefits, and it will show its configuration.

Characteristics and principles of operation

The vNet Service Endpoints for the Azure SQL Database let you isolate the logical Microsoft SQL Servers in the cloud, guaranteeing access only from one or more subnets that are defined in their own Azure Virtual Network. This feature ensures that all traffic generated by own vNet to Azure SQL Database will always remain within the network backbone of Azure. This is a feature available in all regions of Azure and there are no additional costs for using it.

Figure 1 – Summary of architecture

On the firewall of the Azure SQL Database remains the ability to enable communication from the Azure services and to filter access based on a range of Public IP address.

Figure 2 – Azure SQL Server firewall settings

By enabling the setting 'Allow access to Azure services ' you are granted to access to SQL Server from all public IP address of Azure and from all Azure subnets, including those not of your own. Going to apply additional filters based on the public IP is difficult to manage and require the configuration of static public IP addresses on the Azure resources.

With the introduction of Virtual Network (vNet) Service Endpoints for SQL Server you can have more control over potential communications and less effort for resource management. The operating principle of the vNet Service Endpoints does not extend to the on-premises world even when there is connectivity with Azure (VPN or ExpressRoute), but to allow access from on-premises systems you must continue to use firewall rules to limit connectivity only to the public IP of your membership.

The Virtual Network (vNet) Service Endpoints are available, with the same principle of operation, also for Azure Storage and for Azure SQL Data Warehouse (currently in preview).

How to configure

Enabling vNet Service Endpoints require the activation on the subnet of the virtual network of Azure, from which you plan to connect to SQL Server, of the SQL Server Endpoint (Microsoft.SQL).

Figure 3 – Enabling SQL Server Service Endpoint on the subnet

Figure 4 – SQL Server Service Endpoint successfully enabled on the subnet

Next you must add on the SQL Database side the virtual network, with the Service Endpoint enabled , in the section Firewall and virtual networks.

Figure 5 – Added Virtual Network with Service Endpoints of SQL Server enabled

Each Virtual Network Rule is applied to Azure SQL Database server level and not at the individual database level.

This configuration means that by connecting to DB hosted by the Azure SQL Server from a machine attested on a vNet with Service Endpoints enabled, will be used as the source IP an address in the address space of the vNet. This aspect has to be considered, in existing configurations, to avoid that when you enable SQL Server Service Endpoint on the subnet, blocks access to SQL Server. For this purpose it is possible to avoid it allowing temporarily access with the setting "Allow access to Azure services", or by defining the vNet in firewall rule of SQL Server before enabling the Service Endpoint on the subnet. This requires using the flag IgnoreMissingServiceEndpoint or select the following flag present in the Azure portal:

Figure 6 – Added Virtual Network without Service Endpoints of SQL Server enabled

Conclusions

The Virtual Network (vNet) Service Endpoints are able to expand the virtual networks of Azure and its identity to certain Azure services, as Azure SQL Server, through a direct connection. This increases the security level of the services in the Microsoft cloud, optimize routing to access resources from the Azure vNet and lessens the management effort, all with a few easy steps.