Category Archives: Microsoft Azure

Azure Management services: what's new in September 2023

In September, Microsoft made several announcements regarding Azure management services. This article lists the main ones, accompanied by the references needed for further study.

The following diagram shows the different areas related to management, which are covered in this series of articles:

Figure 1 – Management services in Azure overview

Monitor

Azure Monitor

Azure Monitor VM Insights now available with Azure Monitor Agent

Azure has announced the availability of “Azure Monitor VM Insights” through the use of the Azure Monitor Agent. This service offers a quick and easy way to monitor customer workloads on Azure virtual machines and scale sets, as well as on Azure Arc-enabled servers operating in an on-premises and/or multi-cloud environment.

The new version of the agent offers various benefits, including cost savings, simplified management and improved security and performance. If you were previously using VM Insights with the Log Analytics Agent (now deprecated), Microsoft suggests consulting its migration guide to switch to the Azure Monitor Agent.

Historical view for Azure Monitor alerts (preview)

Monitoring resources and alerts in Azure is now easier and more intuitive with the new historical view of Azure Monitor alerts, available in preview. This view offers a clear overview of triggered alerts, allowing users to quickly identify problems

OpenTelemetry-based distribution for Node.js and Python

Azure Monitor now offers an OpenTelemetry-based distribution for Node.js and Python, allowing developers to easily integrate with Azure Monitor and collect telemetry data. This new feature ensures that developers can effectively monitor their applications, obtaining information on performance, errors and other key metrics.

Configure

Update management

Azure Update Manager: updated and enhanced update management

Azure Update Manager offers a SaaS solution to manage and govern software updates on Windows and Linux machines in Azure, on-premises and multi-cloud environments. This is an evolution of the Azure Automation update management solution with new features. Azure Update Manager has been redesigned to provide new capabilities without relying on the Log Analytics agent or Azure Monitor agent. It relies on the Microsoft Azure VM agent to manage update flows on Azure VMs and on the Azure Connected Machine agent to manage Azure Arc-enabled servers.

Govern

Azure Cost Management

Export Cost Management data to firewall-protected storage accounts

You can now export Cost Management data to firewall-protected Azure storage accounts. Users can use the Exports API or the Azure portal to create recurring tasks that automatically export cost data in CSV format. The export can be scheduled on a daily, weekly or monthly basis, and the exported data can be used for creating dashboards or integrating with financial systems.

Updates related to Microsoft Cost Management

Microsoft is constantly looking for new methodologies to improve Microsoft Cost Management, the solution that provides greater visibility into where costs are accumulating in the cloud, helps identify and prevent incorrect spending patterns, and optimizes costs. In this article some of the latest improvements and updates regarding this solution are reported.

Secure

Microsoft Defender for Cloud

Malware scanning in Defender for Storage

Defender for Storage introduces malware scanning functionality, overcoming traditional malware protection challenges and providing an ideal solution for highly regulated industries. This function, available as an add-on, represents a significant enhancement of Microsoft Defender for Storage security solutions. With malware scanning you get the following benefits:

  • Agentless protection in near real time: ability to intercept advanced malware, such as polymorphic and metamorphic malware.
  • Cost optimization: thanks to flexible pricing, you can control costs based on the amount of data examined and with resource-level granularity.
  • Enablement at scale: without the need for maintenance, it supports automated responses at scale and offers several options for activation via tools and platforms such as Azure Policy, Bicep, ARM, Terraform, REST API and the Azure portal.
  • Application versatility: based on feedback from beta users over the last two years, malware scanning has proven useful in a variety of scenarios, such as web applications, content protection, compliance, integrations with third parties, collaborative platforms, data streams and datasets for machine learning (ML).

GitHub Advanced Security for Azure DevOps

It is now possible to view GitHub Advanced Security for Azure DevOps (GHAzDO) alerts related to CodeQL, secrets and dependencies directly in Defender for Cloud. The results will appear in the DevOps section and in Recommendations. To see these results, you need to integrate your GHAzDO-enabled repositories into Defender for Cloud.

New features, bug fixes and deprecated features of Microsoft Defender for Cloud

Microsoft Defender for Cloud development is constantly evolving and improvements are being made on an ongoing basis. To stay up to date on the latest developments, Microsoft updates this page, which provides information about new features, bug fixes and deprecated features. To find out about the main innovations that characterized Defender for Cloud in summer 2023, and how these innovations can represent added value for companies, you can consult this article.

Protect

Azure Backup

Cross Region Restore (CRR) for Recovery Services Agent (MARS) 

Following the General Availability of Cross Region Recovery for VM backups, SQL and SAP HANA and to strengthen the resilience pillar, Microsoft has announced Cross Region Recovery support for the Recovery Services Agent (MARS) using Azure Backup.

Azure customers leverage the Recovery Services Agent to back up their files/folders and system state to an Azure Recovery Services vault. Backup data in the primary region can also be geo-replicated to an Azure paired secondary region to ensure durability. Previously, data replicated in the secondary region was available for recovery in the secondary region only if Azure declared a disaster in the primary region. With the introduction of this new support, customers can enable recovery of Recovery Services Agent backups in the secondary region at any time.

This capability can be leveraged in the following scenarios:

  • when the primary region is available, to test restores from backup data in the secondary region for audit/compliance purposes;
  • when the primary region is not available: customers can trigger recovery of data backed up in the secondary region without any waiting time, whether the primary Azure region is partially or completely unavailable.

Saving the Azure Backup Recovery Services Agent (MARS) passphrase in Azure Key Vault (preview)

Data security is a priority for Microsoft, and with the new preview feature that allows you to save the Recovery Services Agent encryption passphrase directly in Azure Key Vault, users can now enjoy an even greater level of security. This integration makes the Recovery Services Agent installation smoother and more secure, eliminating the need for custom scripts.

Azure Files Backup in China regions

Azure Files Backup is now generally available in China regions. This feature allows users to back up their files to Azure securely and reliably.

Migrate

Azure Migrate

New Azure Migrate releases and features

Azure Migrate is the Azure service that includes a large portfolio of tools that you can use, through a guided experience, to effectively address the most common migration scenarios. To stay up to date on the latest developments in the solution, please consult this page, which provides information about new releases and features.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure IaaS and Azure Stack: announcements and updates (September 2023 – Weeks: 37 and 38)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, made official by Microsoft in the last two weeks.

Azure

Compute

Latest generation burstable VMs – Bsv2, Basv2, and Bpsv2

The Bsv2, Basv2, and Bpsv2 series virtual machines represent the latest generation of Azure burstable general-purpose VMs. These VMs provide a baseline level of CPU utilization and can expand to higher CPU utilization as workload volume increases. They are ideal for various applications, including development and test servers, low-traffic web servers, small databases, microservices, proof-of-concept servers, build servers, and code repositories. Compared to the B series v1, these new B series v2 virtual machines offer up to 15% better price-performance, up to 5X higher network bandwidth with accelerated networking, and 10X higher remote storage throughput.

Networking

Sensitive Data Protection for Application Gateway Web Application Firewall

Azure’s regional Web Application Firewall (WAF) running on Application Gateway has introduced support for sensitive data protection through log scrubbing. When a request aligns with the criteria of a rule and activates a WAF action, the event is documented within the WAF logs. These logs are maintained as plain text for easier debugging. However, this means that any patterns matching sensitive customer data, such as IP addresses, passwords, and other personally identifiable information, could potentially be recorded in the logs as plain text. To enhance the security of this sensitive data, users can now establish log scrubbing rules that substitute the sensitive data with “******”. The sensitive data protection feature using log scrubbing facilitates the creation of rules using various variables, including Request Header Names, Request Cookie Names, Request Arg Names, Request Post Arg Names, Request JSON Arg Names, and Request IP Address.

Azure Front Door Standard and Premium support Bring Your Own Certificates (BYOC) based domain ownership validation (preview)

Azure Front Door Standard and Premium now support Bring Your Own Certificates (BYOC) based domain ownership validation. With this feature, Azure Front Door can automatically approve domain ownership if the Certificate Name (CN) or Subject Alternative Name (SAN) of the provided certificate matches the custom domain. This reduces the steps and effort required to prove domain ownership, streamlining the DevOps experience. For domains created before this feature was supported and whose validation status is not yet approved, users will need to trigger the auto-approval of domain ownership validation manually.

Storage

Azure Premium SSD v2 Disk Storage now available in multiple regions

Azure Premium SSD v2 Disk Storage is now generally available in the Australia East, France Central, Norway East, and UAE North regions. This expansion offers customers in these regions the opportunity to leverage the benefits of Azure Premium SSD v2 Disk Storage for their workloads. Azure Premium SSD v2 Disk Storage provides high-performance and low-latency disk support for virtual machines running I/O-intensive workloads. By utilizing this storage solution, users can expect consistent performance, enhanced durability, and availability.

Azure IaaS and Azure Stack: announcements and updates (September 2023 – Weeks: 35 and 36)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, made official by Microsoft in the last two weeks.

Azure

Compute

Trusted launch as default for VMs deployed through the Azure portal

Azure has introduced “Trusted launch” as a default feature for virtual machines deployed through the Azure portal. Trusted launch hardens Azure virtual machines with security features, ensuring that administrators deploy VMs with verified and signed bootloaders, OS kernels, and a boot policy. The feature encompasses secure boot, vTPM, and boot integrity monitoring, offering protection against boot kits, rootkits, and kernel-level malware. Secure Boot ensures that only signed OSes and drivers boot, while the Virtual TPM (vTPM) safeguards keys, certificates, and secrets within the virtual machine. Additionally, Boot integrity monitoring, in conjunction with Microsoft Azure Attestation and Azure Security Center, provides integrity alerts, recommendations, and remediation actions if remote attestation fails.

Networking

Azure Firewall Single-Click Upgrade and Downgrade Now in General Availability

Azure has introduced a new capability for its Firewall service, allowing users to seamlessly upgrade from the Standard SKU to the Premium SKU, and vice versa. This enhancement simplifies the upgrade and downgrade process, ensuring that users can make these changes without any service interruptions. With just a single click, Azure customers can now easily transition between the two firewall versions. This feature is especially beneficial for those looking to leverage the advanced functionalities of the Premium SKU or revert to the Standard SKU based on their requirements. The Azure Firewall Single-Click Upgrade and Downgrade feature was officially made available on August 31, 2023.

Azure Container Apps support for UDR, NAT Gateway, and smaller subnets

Azure has announced the general availability of Azure Container Apps support for User Defined Routes (UDR), NAT Gateway, and smaller subnets. This enhancement provides users with more flexibility and control over their networking configurations, allowing for more customized and optimized network setups. Azure Container Apps is a fully managed platform for building and running microservices and APIs. With this update, users can now leverage UDR to define custom routes, utilize NAT Gateway for outbound connectivity, and deploy in smaller subnets for more granular network segmentation.

Azure Firewall: Explicit Proxy (preview)

Microsoft Azure has recently introduced a public preview of the Azure Firewall Explicit Proxy. This new feature is designed to enhance the security and performance of Azure’s firewall services. As it is currently in public preview, users can explore its functionalities and provide feedback to help improve the service before its general release. For more details and to stay updated on further developments, you can visit the official announcement page.

Azure Firewall: Auto-Learn SNAT Routes Feature Now in Public Preview (preview)

Azure has introduced a new feature in public preview, named “Auto-Learn SNAT Routes”, promising to simplify and expedite network configurations. This feature allows the Azure Firewall to automatically learn address ranges and configure them to be excluded from SNAT, thereby reducing the time and complexity spent on manually defining private SNAT ranges. To utilize this feature, the Azure Route Server needs to be deployed in the same virtual network as the Azure Firewall. Released on August 31, 2023, this feature promises to be a valuable tool for network administrators seeking to optimize their processes. For more information, you can visit the official page.

Storage

Azure Premium SSD v2 Disk Storage Now Available in Select Regions

Microsoft has announced the general availability of Azure Premium SSD v2 Disk Storage in several regions, including Australia East, France Central, Norway East, and UAE North. This new offering promises to deliver high-quality storage performance while ensuring security and reliability. Users in these regions can now benefit from the advanced storage features offered by Azure, helping to enhance the efficiency and resilience of their systems. For further details, you can visit the official page.

Azure Management services: what's new in August 2023

Microsoft constantly releases news about Azure management services. This summary aims to give an overview of the most significant innovations introduced in the last month. This allows you to stay up to date on these topics and have the necessary references to conduct further investigations.

The following diagram shows the different areas related to management, which are covered in this series of articles:

Figure 1 – Management services in Azure overview

Monitor

Azure Monitor

Azure Monitor container insights offers new cost optimization settings

Container insights expands the public preview of cost optimization settings, now enabling a third dimension for adjusting container insights data collection settings, with one configuration per table. Customers can now individually select which data tables to include in their Log Analytics workspace.
Per-table configurations can be enabled through ARM, CLI and Azure Portal.

Configure

Azure Advisor

Improve VM resiliency with Availability Zone recommendations

One of the recommended practices to achieve high resilience, according to the guidelines of the Well-Architected Framework (WAF), is the distribution of workloads across different zones. By adopting this recommendation, now available in Azure Advisor, you can design your solutions to use “zonal” VMs, thus ensuring the isolation of virtual machines from potential failures in other zones.

Govern

Azure Cost Management

New cost optimization opportunities using the new workbook template in Azure Advisor

The Azure Cost Optimization Workbook serves as a centralized hub for some of the most used tools that can help customers achieve their utilization and efficiency goals. It offers a number of recommendations, including Azure Advisor cost recommendations, the identification of idle resources and the management of virtual machines that are not deallocated correctly. Furthermore, it provides insights into using the Azure Hybrid Benefit options for Windows, Linux and SQL databases.

Exporting data to a firewall-protected storage account

Azure Cost Management now supports exporting data to a firewall-protected storage account, ensuring a high level of security. The export can be scheduled on a daily, weekly or monthly basis, and the exported data can be used for dashboard creation or for integration with financial systems.

Secure

Microsoft Defender for Cloud

New features, bug fixes and deprecated features of Microsoft Defender for Cloud

Microsoft Defender for Cloud development is constantly evolving and improvements are being made on an ongoing basis. To stay up to date on the latest developments, Microsoft updates this page, which provides information about new features, bug fixes and deprecated features. In particular, this month the main news concerns:

  • Defender for Containers: agentless discovery for Kubernetes;
  • Preview release of GCP support in Defender CSPM;
  • new security alerts in Defender for Servers Plan 2: detection of potential attacks that abuse Azure VM extensions;
  • business model and pricing updates for Defender for Cloud plans.

Protect

Azure Backup

Cross Subscription Restore for Azure Virtual Machines

Microsoft introduced the ability to restore Azure VMs to another subscription within the same tenant as the subscription where the source VM exists, provided you have the necessary permissions. By default, the recovery occurs in the same subscription where the source virtual machine exists. This feature is only allowed if you have Cross Subscription Restore enabled for the Recovery Services vault. Cross Subscription Restore allows you to restore by creating a VM or restoring disks. You can use Cross Zonal Restore and/or Cross Region Restore in conjunction with this restore option.

Azure Backup introduces Cross Region Recovery for PostgreSQL (preview)

Azure Backup has launched a new preview feature: Cross Region restore for PostgreSQL backups. This feature takes advantage of Geo-Redundant storage with Read access, allowing you to keep data in two different regions. The innovation lies in the fact that now not only can backups be accessed when a problem occurs in an Azure region, but you can do it at any time, ensuring greater flexibility and security. This option is particularly useful for those who want to test the readiness of their backups or for those looking for greater data resilience. Currently, this feature is available for PostgreSQL in select regions, enriching the offer of Azure Backup in terms of data accessibility.

Azure Site Recovery

DR for shared disks (preview)

Microsoft released a private preview of Azure Shared Disk DR for workloads running Windows Server Failover Clusters (WSFC) on Azure virtual machines. It is therefore possible to protect, monitor and recover WSFC clusters as a single unit throughout their lifecycle, while generating cluster-consistent recovery points.

Salient features:

  • the private preview will support the protection of Windows Server failover clusters. Some applications using this architecture are SQL FCI, SAP ASCS, Scale-out File Servers, etc.
    • OS supported: Windows Server 2016 and later;
    • number of nodes: up to 4 nodes per cluster;
    • shared disks: any number of shared disks can be attached to the cluster;
  • the failover operation supports failover of the entire cluster at the same time;
  • once a failover has been performed, you will need to re-enable replication for reverse direction protection.

New Update Rollup

Update Rollup 68 was released for Azure Site Recovery; it resolves several issues and introduces some improvements. The details and the procedure to follow for the installation can be found in the specific KB.

Support for a higher level of data “churn”

Azure Site Recovery now supports scenarios with higher data churn. This enhancement gives customers the ability to handle scenarios with a high volume of data changes, ensuring greater resiliency and reliability for their critical applications.

Migrate

Azure Migrate

New Azure Migrate releases and features

Azure Migrate is the Azure service that includes a large portfolio of tools that you can use, through a guided experience, to effectively address the most common migration scenarios. To stay up to date on the latest developments in the solution, please consult this page, which provides information about new releases and features.

Azure Database Migration

Azure portal experience for Azure Database Migration Service (preview)

You can now use DMS to perform migrations from both the Azure portal and the ADS extension. The Azure portal experience allows you to perform tasks such as creating a new database migration service from within the Azure portal, initiating the migration from SQL Server on-premises to various Azure targets and accessing an integration runtime configuration page. The Azure portal experience also offers a list of prerequisites, documentation and links to tutorials, customized according to the selected target.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure IaaS and Azure Stack: announcements and updates (August 2023 – Weeks: 33 and 34)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, made official by Microsoft in the last two weeks.

Azure

Compute

Azure Mv3 Medium Memory (MM) Virtual Machines (preview)

Microsoft announced the public preview of the next generation Mv3 Medium Memory (MM) virtual machine series. These virtual machines are designed to offer improved performance and higher reliability compared to their predecessors. Some of the key features of the new Mv3 MM VMs include:

  • Powered by the 4th Generation Intel® Xeon® Scalable Processor and DDR5 DRAM technology.
  • Capability to scale for SAP workloads ranging from 250GB to 4TB, ensuring faster performance and a lower total cost of ownership (TCO).
  • With Azure Boost, the Mv3 MM VMs deliver approximately a 25% improvement in network throughput and up to a 1.5X boost in remote storage throughput compared to the previous M-series families.
  • Azure Boost’s isolated architecture enhances security for the Mv3 MM virtual machines by processing storage and networking separately on dedicated hardware, rather than on the host server.
  • Enhanced resilience against failures in memory, disks, and networking, leveraging insights from previous generations.
  • Availability in both disk and diskless configurations, providing customers with the flexibility to select the option that best suits their workload requirements.

For a more detailed exploration of this release, you can read their blog.

Networking

New Monitoring and Logging Updates in Azure Firewall

New Monitoring and Logging Updates in Azure Firewall are available:

  • Structured Logs: new logging format that provides a more detailed view of firewall events. Structured Logs provide the following benefits: they make data easier to work with in log queries and help discover schemas; they improve performance and reduce latency; they allow you to grant Azure RBAC rights on specific tables.
  • Latency Probe: The Latency Probe metric is designed to measure the overall latency of Azure Firewall and provide insight into the health of the service.
  • Resource Health (preview): monitor that provides visibility into Azure Firewall health status and allows you to address service problems that may affect your Azure Firewall resource.
  • Embedded Firewall Workbooks (preview): Integrated workbooks into the Azure Firewall Portal that provide valuable insights and statistics regarding your firewall activities and events.

Illumio for Microsoft Azure Firewall

Illumio has joined forces with Microsoft to introduce microsegmentation support for Microsoft Azure Firewall, which is now generally available. This collaboration allows Azure customers to enforce Zero Trust Segmentation, going beyond mere network and application filtering. The integration aids firewall operations teams in understanding rules with a richer context of the resources they are safeguarding. With this enriched context, administrators can effortlessly identify which resource is secured by a particular rule, determine its owner, and confidently manage the rule’s lifecycle.

For a more detailed exploration of this integration and its benefits, you can learn more here.

Quick create Azure Front Door endpoints for Azure Storage accounts

You can now create Azure Front Door Standard and Azure Front Door Premium endpoints directly from the Azure portal, similar to any other Azure CDN endpoint. This integration facilitates the management of all Azure Front Door and/or Azure CDN profiles linked to a storage account from a unified interface. Setting up a new Azure Front Door Service and endpoint for a storage account is straightforward. Users can simply browse to their storage account in the Azure portal and navigate to the Front Door and CDN profiles section. From this location, it’s possible to establish new endpoints, swiftly access the endpoint profiles, manage custom domains for the endpoints, and activate security features such as the Web Application Firewall and/or Private Link. For a more detailed understanding, you can read the documentation.

Azure Front Door Standard/Premium in Azure Government

Azure Front Door (AFD) Standard and Premium tier is now generally available in Azure Government, specifically in the regions of Arizona and Texas. With this release, Local Government (US) customers and their partners can leverage the new and enhanced capabilities offered in the standard and premium tiers. Some of these capabilities include improved reporting and diagnostic tools, an expanded rules engine with server variables, an enhanced Web Application Firewall with features like the latest DRS rule set, Bot protection, and more. The integration with Microsoft Sentinel Analytics and other security features such as Private Link connectivity and subdomain takeover prevention further enhance the offering. However, it’s important to note that the managed certificate for enabling HTTPS is currently not supported in Azure Government, and users are advised to utilize their own certificates.

Rate-limit rules for Application Gateway Web Application Firewall (preview)

Azure’s regional Web Application Firewall (WAF) running on Application Gateway has introduced support for rate-limit custom rules. These rules are designed to detect and block unusually high traffic levels aimed at your application. By implementing rate limiting, users can counteract various denial-of-service attacks, safeguard against clients that might have been mistakenly set up to send a large number of requests in a brief period, and manage traffic rates to their site from specific regions.

For more details, you can learn more here.

Storage

Incremental Snapshots for Premium SSD v2 Disk and Ultra Disk Storage

Azure has announced the general availability of incremental snapshots support for Premium SSD v2 and Ultra Disk. This feature comes with an instant restore capability and is available in all regions where Premium SSD v2 and Ultra Disk are supported. With this update, users can instantly restore Premium SSD v2 and Ultra Disks from snapshots and attach them to a running VM without waiting for any background data copy. This new capability allows immediate read and write access to disks after their creation from snapshots. This ensures a quick recovery of data from accidental deletions or disasters.

For more information and a deeper understanding of this feature, you can refer to the documentation.

Custom NFSv4.1 ID domain in Azure NetApp Files (preview)

Azure NetApp Files now supports custom NFSv4.1 ID domains in public preview. This feature allows users to customize the NFSv4.1 ID domain for their volume, ensuring a seamless migration of NFSv4.1 workloads to Azure NetApp Files. This enhancement provides flexibility and aids in the migration of workloads without the need to modify the client configuration.

Azure NetApp Files Cloud Backup for Virtual Machines (preview)

Azure NetApp Files introduces Cloud Backup for Virtual Machines in public preview. This feature provides an integrated, native backup solution for Azure Virtual Machines, ensuring data protection and business continuity. With Cloud Backup for Virtual Machines, you can now create VM consistent snapshot backups of VMs on Azure NetApp Files datastores. The associated virtual appliance installs in the Azure VMware Solution cluster and provides policy based automated and consistent backup of VMs integrated with Azure NetApp Files snapshot technology for fast backups and restores of VMs, groups of VMs (organized in resource groups) or complete datastores lowering RTO, RPO, and improving total cost of ownership.

Azure Elastic SAN Updates: Private Endpoints & Shared Volumes (preview)

As Azure approaches the general availability of Azure Elastic SAN, they have been continuously enhancing the service and introducing new features based on feedback from Azure customers. Recently, they have released support for private endpoints and volume sharing via SCSI (Small Computer System Interface) Persistent Reservation.

With the introduction of private endpoint support, users can now access Elastic SAN volumes either through private endpoints or via public endpoints that are restricted to specific virtual network subnets. This update is crucial for those who need the added layer of security that private endpoints provide. Additionally, the shared volume support allows users to connect and utilize an Elastic SAN volume from multiple compute clients, such as virtual machines. This is done while using SCSI reservation commands to select from various supported access modes to read or write to the volume. Furthermore, persistent reservations are supported, ensuring uninterrupted access to data even across reboots.

For a deeper understanding and more details on these features, you can read the blog and refer to the documentation about Azure Elastic SAN.

Hotpatching in Windows Server: a revolution in virtual machine management

In the digital age, ensuring business continuity is essential, no longer just an added value. For many companies, frequent interruptions, even of short duration, are unacceptable for their critical workloads. However, ensuring that continuity can be difficult, because managing virtual machines (VMs) running the Windows Server operating system is in some respects complex, especially when it comes to applying security patches and updates. With the advent of the hotpatching feature from Microsoft, a new chapter in VM management has opened: a more efficient approach that minimizes disruption, guaranteeing servers that are always up-to-date and protected. This article looks at the features and benefits of this innovative solution.

What is Hotpatching?

Hotpatching, introduced by Microsoft, is an advanced technique that allows you to update Windows Server operating systems without the need to restart. Imagine being able to "change the tires" of your moving car without having to stop it. This is the "magic" of hotpatching.

Where you can use Hotpatching

Hotpatch functionality is supported on "Windows Server 2022 Datacenter: Azure Edition", which you can use for VMs running in Azure and in Azure Stack HCI environments.

The Azure images available for this feature are:

  • Windows Server 2022 Datacenter: Azure Edition Hotpatch (Desktop Experience)
  • Windows Server 2022 Datacenter: Azure Edition Core

Note that Hotpatch is enabled by default on Server Core images and that Microsoft recently extended hotpatching support to include Windows Server with Desktop Experience, further expanding the scope of this feature.

Updates supported

Hotpatch covers Windows security updates and maintains an alignment with the content of security updates issued in the regular Windows update channel (non hotpatch).

There are some important considerations for running a Windows Server Azure Edition VM with hotpatch enabled:

  • reboots are still required to install updates that are not included in the hotpatch program;
  • reboots are also required periodically after a new baseline has been installed;
  • reboots keep the VM in sync with non-security patches included in the latest cumulative update.

Patches not currently included in the hotpatch program include non-security updates released for Windows, .NET updates and non-Windows updates (such as drivers, firmware updates, etc.). These types of patches may require a reboot during the Hotpatch months.

Benefits of Hotpatching

The benefits of this technology are many:

  • Better security: with hotpatching, security patches are applied quickly and efficiently. This reduces the window of vulnerability between the release of a patch and its application, offering fast protection against threats.
  • Minimization of downtime: one of the main benefits of hotpatching is the ability to apply updates without the need to restart the server. This means fewer outages and higher availability for applications and services.
  • More flexible management: system administrators have the freedom to decide when to apply patches, without the worry of having to do careful planning to ensure that running processes are not interrupted while applying updates.

How hotpatching works

During a hotpatching process, the security patch is injected into the operating system's running code in memory, updating the system while it is still running.

Hotpatch works by first establishing a baseline with the current Cumulative Update for Windows Server. Periodically (on a quarterly basis), the baseline is updated with the latest Cumulative Update, after which hotpatches are released for the next two months. For example, if a Cumulative Update is released in January, February and March would see the release of hotpatches. For the hotpatch release schedule, you can consult the Release Notes for Hotpatch in Azure Automanage for Windows Server 2022.

Hotpatches contain updates that do not require a restart. Because Hotpatch fixes the in-memory code of running processes without the need to restart the process, applications hosted on the operating system are not affected by the patching process. This action is separate from any performance and functionality implications of the patch itself.

The following image shows an example of an annual update release schedule (including examples of unplanned baselines due to zero-day corrections).

Figure 1 – Outline of a sample yearly schedule for releasing Hotpatch updates

There are two types of baselines:

  • Planned Baselines: these are released on a regular basis, with hotpatch releases in between. Planned Baselines include all updates in a newer Cumulative Update and require a restart.
  • Unplanned Baselines: these are released when a major update is released (like a zero-day correction) and that particular update cannot be released as a hotpatch. When an unplanned baseline is released, it replaces the hotpatch release for that month. Unplanned Baselines also include all updates in a newer Cumulative Update and require a restart.

The schedule shown in the example image illustrates:

  • four baseline releases planned in a calendar year (five total in the diagram) and eight hotpatch releases;
  • two unplanned baselines that would replace the hotpatch releases for those months.
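The release cadence and the reboot rules described above can be modelled to plan maintenance windows. The following is an added example, not code from Microsoft or from the original article; it assumes planned baselines in January, April, July and October, and the function and type names are hypothetical.

```python
from dataclasses import dataclass

# Assumption: planned baselines fall in January, April, July and October,
# matching the article's "Cumulative Update released in January" example.
PLANNED_BASELINE_MONTHS = frozenset({1, 4, 7, 10})

# Update types the article lists as not included in the hotpatch program.
OUTSIDE_HOTPATCH = frozenset({"non-security", "dotnet", "driver", "firmware"})


@dataclass(frozen=True)
class MonthPlan:
    month: int            # 1..12
    release: str          # "planned-baseline", "unplanned-baseline" or "hotpatch"
    reserve_reboot: bool  # True if a reboot window should be reserved
    reasons: tuple        # why a reboot window is reserved


def plan_year(unplanned_baselines=(), other_updates=None):
    """Build a 12-month plan.

    unplanned_baselines: months in which the hotpatch release is replaced by
        an unplanned baseline (for example a zero-day correction).
    other_updates: {month: iterable of update types} that will also be
        installed that month, e.g. {2: ["dotnet"]}.
    """
    unplanned = set(unplanned_baselines)
    other_updates = other_updates or {}
    bad = [m for m in unplanned | set(other_updates) if m not in range(1, 13)]
    if bad:
        raise ValueError(f"month out of range: {sorted(bad)}")
    clash = unplanned & PLANNED_BASELINE_MONTHS
    if clash:
        raise ValueError(f"already a planned baseline month: {sorted(clash)}")

    plans = []
    for month in range(1, 13):
        reasons = []
        if month in PLANNED_BASELINE_MONTHS:
            release = "planned-baseline"
            reasons.append("planned baseline requires a restart")
        elif month in unplanned:
            release = "unplanned-baseline"
            reasons.append("unplanned baseline replaces the hotpatch and requires a restart")
        else:
            release = "hotpatch"
        for kind in sorted(set(other_updates.get(month, ()))):
            if kind in OUTSIDE_HOTPATCH:
                # The article says these "may require a reboot": plan for one.
                reasons.append(f"{kind} update is outside the hotpatch program")
            elif kind != "security":
                raise ValueError(f"unknown update type: {kind!r}")
        plans.append(MonthPlan(month, release, bool(reasons), tuple(reasons)))
    return plans


def summarize(plans):
    """Count release types and list the months that need a reboot window."""
    counts = {"planned-baseline": 0, "unplanned-baseline": 0, "hotpatch": 0}
    for p in plans:
        counts[p.release] += 1
    return {
        "counts": counts,
        "reboot_months": [p.month for p in plans if p.reserve_reboot],
        "rebootless_months": [p.month for p in plans if not p.reserve_reboot],
    }


if __name__ == "__main__":
    # Constructed scenario: unplanned baselines in March and August, a .NET
    # update in February and a driver update in November.
    year = plan_year(unplanned_baselines=[3, 8],
                     other_updates={2: ["dotnet", "security"], 11: ["driver"]})
    for p in year:
        print(f"{p.month:2d} {p.release:18s} reboot={p.reserve_reboot} {'; '.join(p.reasons)}")
    print(summarize(year))
```
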

Patch orchestration process

Hotpatch should be considered an extension of Windows Update, and the patch orchestration tools vary depending on the platform in use.

Hotpatch orchestration on Azure

Virtual machines created in Azure are enabled by default for automatic patching when using a supported image of "Windows Server Datacenter: Azure Edition":

  • patches classified as Critical or Security are automatically downloaded and applied to the VM;
  • patches are applied during off-peak hours considering the time zone of the VM;
  • Azure handles patch orchestration and patches are applied following the availability principles;
  • the health status of the virtual machine, determined through Azure platform health signals, is monitored for patching failures.

Hotpatch orchestration on Azure Stack HCI

Hotpatch updates for active VMs in Azure Stack HCI environment can be orchestrated using:

  • Group Policy to configure Windows Update client settings;
  • Windows Update client settings or SCONFIG for Server Core;
  • a third-party patch management solution.

Considerations and Limitations

However, like any technology, hotpatching has its nuances. Not all patches are suitable for hotpatching; some may still require a traditional restart. Furthermore, before applying any patches, it remains crucial to test them in a controlled environment to avoid potential problems.

Installing Hotpatch updates does not support automatic rollback. If a VM experiences a problem during or after an update, you need to uninstall the update and install the latest known good baseline update. After the rollback you will need to restart the VM.

Conclusion

The introduction of hotpatching by Microsoft represents a significant step forward in the management of VMs running the Windows Server operating system. With the ability to apply security patches and updates non-disruptively, administrators can ensure that their servers are protected and updated in a faster and more effective way. In a world where security is paramount and where every second counts, hotpatching is positioned as a valuable solution for any company that uses Windows Server in an Azure environment or in an Azure Stack HCI environment.

Azure IaaS and Azure Stack: announcements and updates (August 2023 – Weeks: 31 and 32)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Networking

Cloud Next-Generation Firewall (NGFW) by Palo Alto Networks – an Azure Native ISV Service

Cloud NGFW by Palo Alto Networks is the first ISV next-generation firewall service natively integrated in Azure. Developed through a collaboration between Microsoft and Palo Alto Networks, this service delivers the cutting-edge security features of Palo Alto Networks' NGFW technology while also offering the simplicity and convenience of cloud-native scaling and management.
NGFWs provide superior network security by offering enhanced capabilities compared to traditional firewalls. These include deep packet inspection, advanced visibility and control features, and the use of AI to improve threat detection and response. The service is now more broadly available in the following 12 regions: US (Central, East, East 2, West, West 3), Australia (East, Southeast), UK (South, West), Canada Central, East Asia and West Europe.

Route Server hub routing preference (preview)

Azure Route Server now supports hub routing preference in public preview. When branch-to-branch is enabled and Route Server learns multiple routes across site-to-site (S2S) VPN, ExpressRoute, and SD-WAN NVAs, for the same on-premises destination route prefix, users can now configure connection preferences to influence Route Server route selection.

Support for new custom error pages in Application Gateway (preview)

In addition to the response codes 403 and 502, the Azure Application Gateway now lets you configure company-branded error pages for more response codes: 400, 405, 408, 500, 503, and 504. You can configure these error pages at a global level to apply to all the listeners on your gateway or individually for each listener. The custom error pages you set are displayed to the clients when the Application Gateway generates these response codes. You can host these error page files at any publicly accessible URLs.

Storage

Azure NetApp Files: SMB Continuous Availability (CA) shares

To enhance resiliency during storage service maintenance operations, SMB volumes used by Citrix App Layering, FSLogix user profile containers and Microsoft SQL Server on Microsoft Windows Server can be enabled with Continuous Availability. Continuous Availability enables SMB Transparent Failover to eliminate disruptions as a result of service maintenance events and improves reliability and user experience. This feature is now Generally Available. It can be enabled on new or existing SMB volumes.

Zone Redundant Storage for Azure Disks is now available in East Asia

Zone Redundant Storage (ZRS) for Azure Disk Storage is now generally available on Azure Premium SSDs and Standard SSDs in East Asia region.

Azure Blob Storage Cold Tier

Azure Blob Storage Cold Tier is now generally available. It is a new online access tier that is the most cost-effective Azure Blob offering for storing infrequently accessed data with long-term retention requirements, while providing instant access. Azure Blob Storage is optimized for storing massive amounts of unstructured data. With blob access tiers, you can store your data most cost-effectively based on how frequently it will be accessed and how long it will be retained. The pricing of the cold tier storage option lies between the cool and archive tiers, and it follows a 90-day early deletion policy. You can seamlessly utilize the cold tier in the same way as the hot and cool tiers, through REST API, SDKs, tools, and lifecycle management policies.

Azure Premium SSD v2 Disk Storage is available in more regions

Azure Premium SSD v2 Disk Storage is now available in Brazil South, East Asia and Central India regions. This next-generation storage solution offers advanced general-purpose block storage with the best price performance, delivering sub-millisecond disk latencies for demanding IO-intensive workloads at a low cost. It is well-suited for a wide range of enterprise production workloads, including SQL Server, Oracle, MariaDB, SAP, Cassandra, MongoDB, big data analytics, gaming on virtual machines, and stateful containers.

Azure Storage Mover support for SMB and Azure Files (preview)

Azure Storage Mover can now migrate your SMB shares to Azure file shares. Storage Mover is a fully managed migration service that enables you to migrate on-premises files and folders to Azure Storage while minimizing downtime for your workload. Besides the existing general available capability to migrate from an on-premises NFS share to an Azure blob container, Storage Mover will support many additional source and target combinations in the near future.

Azure Management services: what's new in July 2023

Microsoft is constantly announcing news regarding Azure management services and as usual this monthly summary is released. The aim is to provide an overview of the main news of the month, in order to stay up to date on these topics and have the necessary references to conduct further exploration.

The following diagram shows the different areas related to management, which are covered in this series of articles:

Figure 1 – Management services in Azure overview

Monitor

Azure Monitor

Azure Monitor Agent Health experience (preview)

The Azure Monitor Agent (AMA) is responsible for collecting monitoring data from the guest operating system of virtual machines, both in Azure and in hybrid environments, and transmitting it to Azure Monitor. Thanks to the Azure Monitor Agent Health experience, it is now possible to easily monitor the health of agents at scale, whether on Azure, on-premises or on other cloud infrastructures.

Improved table-level RBAC checking in Azure Monitor Logs

Azure Monitor Logs offers advanced role-based access control (RBAC) capabilities to enable secure management of sensitive logs in complex environments. Table-level access lets you grant only a specific group of people permission to read the data, limiting access to a selected set of tables. This new method works by assigning permissions to the sub-resource of the table, enabling granular RBAC even for custom log tables and ensuring the use of well-known standard Azure RBAC tools.

Events from Azure Event Hubs to Azure Monitor Logs

Azure Event Hubs provides a simple and powerful way to bring data into your Azure Monitor environment. Thanks to a new feature, you can now send events directly from an Event Hub into the Log Analytics workspace. Azure Event Hubs is a big data streaming platform that allows you to collect events from different sources, ready to be processed by various Azure services and other external platforms. This ability to ingest data is particularly beneficial for those who already use queue messaging mechanisms and have an interest in moving the data into a Log Analytics workspace, into Sentinel, or in routing it to multiple destinations.

Support for Pod Sandboxing in Azure Monitor Container insights

Container Insights now supports monitoring of "Pod Sandboxing" containers. Pod Sandboxing is an effective strategy to protect against "Container Breakout" situations, where a user, whether malicious or legitimate, manages to break through container isolation to access the filesystem, processes, network interfaces and other resources on the host machine. In the past, isolation could be achieved through the use of node pools, but this approach generated significant operational overhead and required additional resources, increasing overall costs. With Pod Sandboxing, this issue is addressed through kernel-level workload isolation, providing a more efficient and secure solution.

The Azure Monitor agent supports VM Insights in the Government Cloud (preview)

As part of the public preview, Azure Monitor Agent now supports VM Insights within Azure Government Cloud.

Configure

Update management

Hotpatch available on Windows Server VMs on Azure with Desktop Experience install mode

Hotpatch is now available for Windows Server Azure Edition VMs with Desktop Experience install mode, using the newly released image. Hotpatch is a feature that allows you to patch and install operating system security updates on Windows Server Azure Edition virtual machines on Azure without the need to reboot.
It was previously available for Server Core install mode. Now Windows Server Azure Edition VMs installed with Desktop Experience installation mode no longer need to reboot every month for security updates, which provides:

  • less impact on workload with fewer reboots;
  • faster deployment of updates as packages are smaller, they install faster and have easier patch orchestration with Azure Update Manager;
  • greater protection, since Hotpatch update packages are limited to Windows security updates that install faster without reboots.

Govern

Azure Cost Management

Updates related to Microsoft Cost Management

Microsoft is constantly looking for new methodologies to improve Microsoft Cost Management, the solution to provide greater visibility into where costs are accumulating in the cloud, identify and prevent incorrect spending patterns and optimize costs. In this article some of the latest improvements and updates regarding this solution are reported.

Azure Arc

Deployment of ESU-derived updates on Azure Arc-enabled servers

On the occasion of Inspire, Microsoft announced Extended Security Updates (ESU) enabled by Azure Arc. With Azure Arc, organizations will be able to purchase and distribute Extended Security Updates (ESU) seamlessly in on-premises or multicloud environments, directly from the Azure Portal. As well as providing centralized management of security patches, Azure Arc-enabled ESUs offer greater flexibility with a pay-as-you-go subscription model, compared to the classic ESUs offered through the Volume Licensing Center, which are purchased annually. For more information, please refer to the dedicated article.

Secure

Microsoft Defender for Cloud

New features, bug fixes and deprecated features of Microsoft Defender for Cloud

Microsoft Defender for Cloud development is constantly evolving and improvements are being made on an ongoing basis. To stay up to date on the latest developments, Microsoft updates this page, which provides information about new features, bug fixes and deprecated features. In particular, this month the main news concerns:

  • managing automatic updates of Defender for Endpoint for Linux;
  • agentless scanning of virtual machine secrets in Defender for Servers P2 and DCSPM;
  • new security warning in Defender for Servers plan 2: detection of potential attacks that leverage Azure VM GPU driver extensions;
  • support for disabling detections of specific vulnerabilities;
  • availability of Data Aware Security Posture.

Protect

Azure Backup

Crash-consistent restore points for virtual machines (preview)

Microsoft has announced support, in public preview, for crash-consistent mode (across multiple disks) for VM restore points. This is an agentless solution to store the virtual machine configuration and write-order-consistent snapshots, taken at a specific point in time, for all managed disks attached to the virtual machine.

Migrate

Azure Migrate

Updating Windows servers in end of support phase (EOS)

Azure Migrate provides a preview of the feature that allows you to upgrade legacy Windows Server systems without disruption. During the Azure migration process, the ability to upgrade legacy servers is introduced, minimizing efforts, downtime and associated risks. This is accomplished by creating a copy of the server in the Azure environment and later upgrading it there. Thanks to this approach, the impact on the original server is minimized, ensuring a safe and efficient transition. For more details and in-depth information, I invite you to refer to the dedicated article.

New Azure Migrate releases and features

Azure Migrate is the service in Azure that includes a large portfolio of tools that you can use, through a guided experience, to effectively address the most common migration scenarios. To stay up-to-date on the latest developments in the solution, please consult this page, which provides information about new releases and features.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure IaaS and Azure Stack: announcements and updates (July 2023 – Weeks: 29 and 30)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Azure Boost (preview)

Azure Boost is one of Microsoft Azure’s latest infrastructure innovations. Azure Boost is a new system that offloads virtualization processes traditionally performed by the hypervisor and host OS onto purpose-built hardware and software, such as networking, storage, and host management. By separating hypervisor and host OS functions from the host infrastructure, Azure Boost enables greater network and storage performance at scale, improves security by adding another layer of logical isolation, and reduces the maintenance impact for future Azure software and hardware upgrades.
This innovation enables Azure customers participating in the preview to achieve a 200 Gbps networking throughput and a leading remote storage throughput up to 10 GBps and 400K IOPS, enabling the fastest storage workloads available today.
Azure Boost allows preview users to achieve this performance through access to experimental SKUs. This preview will be important for many customers and partners to integrate critical components of Azure Boost into their current VM solutions, ensuring smooth operation on this new system in the future.
Azure Boost has been providing benefits to millions of existing Azure VMs in production today, such as enabling the exceptional remote storage performance of the Ebsv5 VM series and networking throughput and latency improvements for the entire Ev5 and Dv5 VM series. Azure Boost will continue to innovate and provide benefits for Azure infrastructure users going forward.

The Classic VMs retirement deadline is now September 6, 2023

The deadline to migrate your IaaS VMs from Azure Service Manager to Azure Resource Manager is now September 6, 2023. To avoid service disruption, we recommend that you complete your migration as soon as possible. Microsoft will not provide any additional extensions after September 6, 2023.

Networking

Updated default TLS policy for Azure Application Gateway

Microsoft has updated the default TLS configuration for new deployments of the Application Gateway to the predefined AppGwSslPolicy20220101 policy to improve the default security. This recently introduced, generally available, predefined policy ensures better security with minimum TLS version 1.2 (up to TLS v1.3) and stronger cipher suites.
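Because the new default is described for new deployments, existing gateways are worth checking against the same minimum. The following is an added example, not code from Microsoft or from the original article: it audits the `sslPolicy` of gateways as exported with `az network application-gateway list`. The sample JSON is constructed, the function names are hypothetical, and the minimum versions of the predefined policies other than AppGwSslPolicy20220101 are taken from the Azure documentation rather than from this page.

```python
import json

PAGE_DEFAULT_POLICY = "AppGwSslPolicy20220101"  # policy named in the article

# Minimum protocol version of each predefined policy (Azure documentation).
PREDEFINED_MIN_TLS = {
    "AppGwSslPolicy20150501": "TLSv1_0",
    "AppGwSslPolicy20170401": "TLSv1_1",
    "AppGwSslPolicy20170401S": "TLSv1_2",
    "AppGwSslPolicy20220101": "TLSv1_2",
    "AppGwSslPolicy20220101S": "TLSv1_2",
}
TLS_RANK = {"TLSv1_0": 0, "TLSv1_1": 1, "TLSv1_2": 2, "TLSv1_3": 3}

# Constructed sample in the shape returned by
# `az network application-gateway list -o json` (only relevant fields kept).
SAMPLE_GATEWAYS_JSON = """
[
  {"name": "agw-new", "resourceGroup": "rg-web",
   "sslPolicy": {"policyType": "Predefined", "policyName": "AppGwSslPolicy20220101"}},
  {"name": "agw-legacy", "resourceGroup": "rg-web",
   "sslPolicy": {"policyType": "Predefined", "policyName": "AppGwSslPolicy20150501"}},
  {"name": "agw-custom", "resourceGroup": "rg-api",
   "sslPolicy": {"policyType": "Custom", "minProtocolVersion": "TLSv1_1",
                 "cipherSuites": ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]}},
  {"name": "agw-customv2", "resourceGroup": "rg-api",
   "sslPolicy": {"policyType": "CustomV2", "minProtocolVersion": "TLSv1_3"}},
  {"name": "agw-unset", "resourceGroup": "rg-old", "sslPolicy": null}
]
"""


def min_tls_of(ssl_policy):
    """Return the minimum TLS version a policy allows, or None when it cannot
    be determined from the resource alone (no policy, unknown policy name)."""
    if not ssl_policy:
        return None
    if ssl_policy.get("policyType") == "Predefined":
        return PREDEFINED_MIN_TLS.get(ssl_policy.get("policyName"))
    # Custom and CustomV2 policies carry their own minProtocolVersion.
    return ssl_policy.get("minProtocolVersion")


def audit(gateways, required="TLSv1_2"):
    """Classify each gateway as ok, weak (below `required`) or review."""
    findings = []
    for gw in gateways:
        policy = gw.get("sslPolicy") or {}
        min_tls = min_tls_of(policy)
        if min_tls not in TLS_RANK:
            # No explicit policy, or a value this script does not know:
            # the effective setting has to be confirmed by hand.
            status = "review"
        elif TLS_RANK[min_tls] < TLS_RANK[required]:
            status = "weak"
        else:
            status = "ok"
        findings.append({
            "gateway": f'{gw.get("resourceGroup")}/{gw.get("name")}',
            "policy": policy.get("policyName") or policy.get("policyType") or "none",
            "min_tls": min_tls,
            "status": status,
            "is_page_default": policy.get("policyName") == PAGE_DEFAULT_POLICY,
        })
    return findings


def audit_sample():
    """Run the audit over the constructed sample above."""
    return audit(json.loads(SAMPLE_GATEWAYS_JSON))


if __name__ == "__main__":
    for f in audit_sample():
        print(f'{f["status"]:6s} {f["gateway"]:22s} {f["policy"]:24s} min={f["min_tls"]}')
```

Gateways reported as `weak` or `review` are the ones to compare against the AppGwSslPolicy20220101 minimum before changing their policy.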

Always Serve for Azure Traffic Manager

Always Serve for Azure Traffic Manager (ATM) is now generally available. You can disable endpoint health checks from an ATM profile and always serve traffic to that given endpoint. You can also now choose to use 3rd party health check tools to determine endpoint health, and ATM native health checks can be disabled, allowing flexible health check setups.

Azure Application Gateway for Containers (preview)

Azure Application Gateway for Containers is a new SKU to the Application Gateway family. Application Gateway for Containers is the next evolution of Application Gateway + Application Gateway Ingress Controller (AGIC), providing application (layer 7) load balancing and dynamic traffic management capabilities for workloads running in a Kubernetes cluster.

Application Gateway for Containers introduces the following improvements over AGIC:

  • Performance: Achieve near-to-real-time convergence times to reflect add/remove of pods, routes, probes, and other load balancing configuration within Kubernetes yaml configuration.
  • Scale: push boundaries past current AGIC limits, exceeding 1400 backend pods and 100 listeners with Application Gateway for Containers.
  • Deployment: enable a familiar deployment of ARM resources via ARM, PowerShell, CLI, Bicep, and Terraform or define all configuration within Kubernetes and have Application Gateway for Containers manage the rest in Azure.
  • Gateway API support: the next evolution in defining Kubernetes service networking through expressive, extensible, and role-oriented interfaces.
  • Weighted / Split traffic distribution: enable blue-green deployment strategies and active / active or active / passive routing.

Network observability add-on for AKS (preview)

The new network observability add-on for AKS, now in public preview, provides complete observability into the network health and connectivity of your AKS cluster.

Key benefits:

  • Get access to cluster level network metrics like packet drops, connections stats and more.
  • (GA) Access to pod-level metrics and network debuggability features.
  • Support for all Azure CNIs – AzureCNI and AzureCNI (Powered by Cilium).
  • Support for all AKS node types – Linux and Windows.
  • Easy deployment using native Azure tools – AKS CLI, ARM templates, PowerShell, etc.
  • Seamless integration with the Azure managed Prometheus and Azure-managed Grafana offerings.

Azure Stack

General Availability of Remote Support for Azure Stack systems

Support requests for Azure Stack systems have always been managed through the Azure Portal and covered under your Azure support plan. The next big step is the remote support for all Azure Stack systems.

With remote support, you can temporarily grant Microsoft Support engineers constrained access to your on-premises edge devices to gather logs and fix issues. By default, remote support is off. It’s easy to turn on and off, when needed. After creating an Azure support request, it’s recommended to grant remote support access to enable Microsoft Support to resolve the issue as soon as possible. This takes just a few minutes in only a few steps. Once the support request is closed, you can just as easily turn off remote support access.

Remote support for Azure Stack systems provides benefits to both customers and Microsoft Support:

  • Improved time to resolution: eliminate the back-and-forth hassle of scheduling a call and gathering logs yourself.
  • Safe and secure: you can grant just-in-time (JIT) authenticated access and define the access level and duration for each incident. You can revoke access anytime.
  • Audited troubleshooting: Microsoft Support can only run Just Enough Administration (JEA) approved commands and everything they do is recorded for you to audit.
  • Free: Remote support is included in your Azure subscription at no additional cost. You can get remote support for both unregistered and registered Azure Stack HCI systems.

Version availability:

  • For Azure Stack Hub, remote support is available for version 2108 and later.
  • For Azure Stack Edge, remote support is available for version 2110 and later.
  • For Azure Stack HCI, remote support is available for version 22H2 and later.

Azure by your side: new solutions for Windows Server 2012/R2 end of support

In the era of Artificial Intelligence and native services for the cloud, organizations continue to rely on Windows Server as a secure and reliable platform for their mission-critical workloads. However, it is important to note that support for Windows Server 2012/R2 will end on 10 October 2023. After that date, Windows Server 2012/R2 systems will become vulnerable if action is not taken, as they will no longer receive regular security updates. Recently, Microsoft has announced that Azure offers new solutions to better manage the end of support of Windows Server 2012/R2. These solutions will be examined in detail in this article, after a brief summary to set the context.

The impact of end of support for Windows Server 2012 R2: what does it mean for companies?

Microsoft has announced the end of support for Windows Server 2012 and 2012 R2, set for 10 October 2023. This event represents a turning point for many organizations that rely on these servers to access applications and data. But what exactly does end of support (EOL) mean and what are the implications for companies?

Understanding end of support

Microsoft has a lifecycle policy that provides support for its products, including Windows Server 2012 and 2012 R2. End of support refers to when a product is no longer supported by Microsoft, which means no more security updates, patches or technical support will be provided.

Why companies should care

Without regular updates and patches, companies using Windows Server 2012 and 2012 R2 are exposed to security vulnerabilities, such as ransomware attacks and data breaches. Furthermore, using an unsupported product such as Windows Server 2012 or 2012 R2 can lead to non-compliance issues. Finally, outdated software can cause compatibility issues with newer applications and hardware, hampering efficiency and productivity.

An opportunity to review IT strategy

Companies should use the EOL event as an opportunity to review their IT strategy and determine the desired business goals for their technology. In this way, they can align the technology with their long-term goals, leveraging the latest cloud solutions and improving operational efficiency.

The strategies that can be adopted to deal with this situation, thus avoiding exposing your IT infrastructure to security issues, have already been addressed in the article: How the End of Support of Windows Server 2012 can be a great opportunity for CTOs.

In this regard, Microsoft has introduced two new options, provided through Azure, to help manage this situation:

  • updating servers with Azure Migrate;
  • distribution on Azure Arc-enabled servers of updates deriving from the ESU (Extended Security Updates).

The following paragraphs describe the characteristics of these new options.

Updating Windows servers in end of support phase (EOS) with Azure Migrate

Azure Migrate is a service offered by Microsoft Azure that allows you to assess and migrate on-premises resources, such as virtual machines, applications and databases, to the Azure cloud infrastructure. Recently, Azure Migrate has introduced support for in-place upgrades for Windows Server 2012 and later, when moving to Azure. This allows organizations to move their legacy applications and databases to a fully supported, compatible and compliant operating system such as Windows Server 2016, 2019 or 2022.

Key benefits of Azure Migrate's OS update feature

Risk mitigation: Azure Migrate creates a replica of the original server in Azure, allowing the OS to be updated on the replica while the source server remains intact. In case of problems, customers can easily go back to the original operating system.

Compatibility Test: Azure Migrate provides the ability to perform a test migration in an isolated environment in Azure. This is especially useful for OS updates, allowing customers to evaluate the compatibility of their operating system and updated applications without impacting production. This way you can identify and fix any problems in advance.

Reduced effort and downtime: by integrating OS updates with cloud migration, customers can save significant time and effort. With only one additional piece of data, the version of the target operating system, Azure Migrate takes care of the rest, simplifying the process. This integration further reduces downtime of the server and the applications hosted on it, increasing efficiency.

No separate Windows licenses: with the Azure Migrate OS update, you do not need to purchase an operating system license separately to upgrade. Whether the customer uses Azure Hybrid Benefit (AHB) or PAYG, the license is covered when migrating to an Azure VM using Azure Migrate.

Large-scale server upgrade: Azure Migrate supports large-scale server OS upgrades, allowing customers to upgrade up to 500 servers in parallel when migrating to Azure. Using the Azure portal, you will be able to select up to 10 VMs at a time to set up replicas. To replicate multiple VMs you can use the portal and add VMs to be replicated in multiple batches of 10 VMs, or use the Azure Migrate PowerShell interface to configure replication.

Supported OS versions

Azure Migrate can handle:

  • Windows Server 2012: supports upgrading to Windows Server 2016;
  • Windows Server 2012 R2: supports upgrading to Windows Server 2016, Windows Server 2019;
  • Windows Server 2016: supports upgrading to Windows Server 2019, Windows Server 2022;
  • Windows Server 2019: supports upgrading to Windows Server 2022.
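The upgrade paths listed above and the batch limits from the large-scale upgrade paragraph can be checked against a server inventory before any replication is configured. The following planner is an added example, not code from the article or from Microsoft; it calls no Azure API, and the server names, the inventory format and the `plan_upgrades` function are assumptions made for illustration.

```python
from dataclasses import dataclass

# Supported in-place upgrade targets, exactly as listed in the article.
SUPPORTED = {
    "2012": ["2016"],
    "2012 R2": ["2016", "2019"],
    "2016": ["2019", "2022"],
    "2019": ["2022"],
}
PORTAL_BATCH = 10    # VMs selectable at a time in the portal (per the article)
MAX_PARALLEL = 500   # servers upgradable in parallel (per the article)


@dataclass
class Plan:
    waves: list      # each wave is a list of batches of (server, target) pairs
    rejected: dict   # server -> reason the request cannot be planned as-is


def plan_upgrades(inventory, batch_size=PORTAL_BATCH, wave_size=MAX_PARALLEL):
    """inventory: iterable of (server_name, current_os, requested_target)."""
    accepted, rejected = [], {}
    for name, current, target in inventory:
        targets = SUPPORTED.get(current)
        if targets is None:
            rejected[name] = f"source OS {current} has no listed upgrade path"
        elif target not in targets:
            rejected[name] = (f"{current} -> {target} is not listed; "
                              f"highest listed target is {targets[-1]}")
        else:
            accepted.append((name, target))
    waves = []
    for w in range(0, len(accepted), wave_size):
        wave = accepted[w:w + wave_size]
        waves.append([wave[b:b + batch_size] for b in range(0, len(wave), batch_size)])
    return Plan(waves, rejected)


# Constructed sample inventory (hypothetical server names).
SAMPLE = [(f"app{i:02d}", "2012 R2", "2019") for i in range(23)] + [
    ("db01", "2012", "2022"),         # target not listed for this source
    ("legacy01", "2008 R2", "2016"),  # source OS not in the list
    ("web01", "2019", "2022"),
]

if __name__ == "__main__":
    plan = plan_upgrades(SAMPLE)
    print([[len(b) for b in wave] for wave in plan.waves], plan.rejected)
```

Rejected servers are the ones that would otherwise stay on an unsupported operating system after the migration, so they need a separate decision before the cut-over.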

Deployment of ESU-derived updates on Azure Arc-enabled servers

Azure Arc is a set of Microsoft solutions that help businesses manage, govern and protect assets in various environments, including on-premises, edge and multi-cloud, extending the management capabilities of Azure to any infrastructure.

For organizations unable to modernize or migrate before the Windows Server 2012/R2 end of support date, Microsoft has announced Extended Security Updates (ESU) enabled by Azure Arc. With Azure Arc, organizations will be able to purchase and distribute Extended Security Updates (ESU) seamlessly in on-premises or multicloud environments, directly from the Azure portal.

To get Extended Security Updates (ESU) for Windows Server 2012/R2 and SQL Server 2012 enabled by Azure Arc, you need to follow the steps below:

  • Preparing the Azure Arc environment: first of all, you need an Azure environment and a working Azure Arc infrastructure. Azure Arc can be installed on any server running Windows Server 2012/R2 or SQL Server 2012, provided that the connectivity requirements are met.
  • Server registration in Azure Arc: once the Azure Arc environment is set up, you need to register your Windows servers or SQL Server systems in Azure Arc. This process allows systems to become managed resources in Azure, making them eligible for ESUs.
  • Purchase of ESUs: once the servers are registered in Azure Arc, ESUs can be purchased, for each server you want to protect, through Azure.
  • ESU activation: after the purchase of the ESUs, you need to activate them on the servers. This process involves installing a license key and downloading security updates from Windows Update or your local update distribution infrastructure.
  • Installing updates: finally, once the ESUs are activated, you can install security updates on servers. This process can be managed manually or by automating it through update management tools.

Note: ESUs only provide critical and important security updates; they do not include new features or performance improvements. Furthermore, ESUs are only available for a limited time after Microsoft's end of support. Therefore, we recommend that you consider migrating to newer versions of servers to have access to all features, in addition to security updates.

Conclusions

This year, Microsoft celebrates the 30th anniversary of Windows Server, a goal achieved thanks to relentless innovation and customer support. However, customers must commit to keeping their Windows Server systems up to date as the end of support approaches. In particular, the end of support for Windows Server 2012 and 2012 R2 poses a significant risk to companies, but it also presents an opportunity to review and improve their IT strategy. By identifying desired business goals, engaging in strategic planning and, if necessary, using these new solutions offered by Azure, companies can ensure a smooth and successful transition, optimizing their IT infrastructure to achieve their long-term goals.