Category Archives: What’s New in Azure Management services

Azure Management services: what's new in October 2020

In October, Microsoft announced a considerable number of news regarding Azure management services. Our community, through these articles that are released on a monthly basis, want to provide an overview of the main news of the month, in order to stay up to date on these arguments and have the necessary references for further information.

The following diagram shows the different areas related to management, which are covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.

Figure 1 – Management services in Azure overview

Monitor

Azure Monitor

New version of the agent for Linux systems

This month, a new version of the Log Analytics agent was released for Linux systems, which includes several improvements and ensures greater stability. Among the main changes is support for Red Hat Enterprise Linux 8, CentOS 8, Ubuntu 20.04 and SLES 15 SP1+, as well as an extension of the features for Azure Arc VMs. Also included is support for Python 3 and a new troubleshooting tool.

Monitor Azure Arc-enabled Kubernetes environments

Azure Monitor for Containers now extends support by contemplating alerts related to metrics of azure arc-enabled kubernetes environments. These metric alerts enable an effective monitor of system resources. To see the list of alerts available for Azure Arc-enabled Kubernetes clusters, please consult this document.

Azure Monitor for containers: Network Policy Manager support (Preview)
It is now possible to monitor the networking of AKS clusters using Network Policy Manager (NPM). In this way Azure monitor for containers will collect the metrics and report any anomalies in the configuration or in the performance of the network.

Azure Monitor for containers: persistent volume monitoring support (PV)

Azure Monitor for containers is now able to monitor the capacity of the persistent volume (PV) connected to the AKS cluster, collecting capacity metrics for all PVs, except for kubesystemnamespace.

Azure Monitor Log Analytics data export (preview)

This feature allows you to continuously export data that resides in certain tables in a Log Analytics workspace to an Azure storage account (every hour) or to Azure Event Hub (almost in real time). When exporting to a storage account, each table is stored in a separate container. Similarly, when you export to event hub, each table is exported to a new event hub instance. There is currently no method for filtering data and limiting the export of only certain events. By adopting this feature you can take advantage of the following benefits:

  • Low cost data retention
  • Easier compliance when data retention is required for an extended period of time
  • Integration with third-party solutions such as Azure Data Lake and Splunk
  • Low-latency export to Event Hub, enabling near real-time monitoring and alerts

Availability in new regions (preview)

Azure Log Analytics is now available in preview in the region of “Brazil Southeast” and “Norway East”. To check the availability of the service in all the Azure regions you can consult this document.

Configure

Azure Automation

Availability in a new region

Azure Automation is now available in the “Switzerland North”. To check the availability of the service in all the Azure regions you can consult this document.

Govern

Azure Policy

Added support for keys, secrets, and certificates in Azure Policy for Key Vault

Azure Policies for Key Vault allow you to control secrets, keys, and certificates stored in the key vault to ensure that set compliance requirements are met. Any secrets, keys, or certificates that do not meet the requirements will appear as non-compliant in the policy compliance dashboard. Furthermore, you can set deny policies to prevent users from creating or importing objects into the key vault that do not comply with the policies that you set. Compliance results can also be published in Azure Security Center.

Azure Cost Management

Azure Cost Management + Billing updates

During this month, news was announced regarding the following areas of Azure Cost Management and Billing:

Azure Advisor

New recommendations

The following recommendations have been added in Azure Adivisor to improve resource performance:

  • Use the Accelerated Writes feature in your HBase cluster
  • Review Azure Data Explorer table cache-period (policy)
  • Optimize MySQL temporary-table sizing
  • Distribute data in server group to distribute workload among nodes

For further information you can consult this article.

Furthermore, to improve the operation of the Azure environment, the following recommendations have been included:

  • Ensure that at least one host pool is Validation Environment enabled
  • Make sure not too many host pools have Validation Environment enabled
  • Use Traffic Analytics to view insights into traffic patterns across Azure resources

More details are available in this article.

Protect

Azure Site Recovery

New Update Rollup

For Azure Site Recovery was released theUpdate Rollup 51 which solves several issues and introduces support for the following Linux distributions: SUSE 15 SP2, RHEL 7.9 e Cent OS 7.9. The related details and the procedure to follow for installation can be found in specific KB.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure Management services: what's new in September 2020

Also in September, Microsoft announced news regarding Azure management services. Our community publishes this summary monthly to provide an overview of these new features. In this way you can stay up-to-date on these topics and have the necessary references to conduct further investigations.

The following diagram shows the different areas related to management, which are covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.

Figure 1 – Management services in Azure overview

Monitor

Azure Monitor

New agent version for Windows Systems

A new version of the Log Analytics agent has been released this month for Windows systems, which introduces several improvements and greater stability.

New unified Agent and data collection rules (preview)

Azure Monitor is introducing a new concept for configuring data collection and a new unified agent for Azure Monitor in public preview. The new agent and data collection rules improve some key areas of data collection from virtual machines in Azure Monitor, including:

  • Send data to both Log Analytics and Azure Monitor metrics.
  • Data collection scoping for a subset of virtual machines for a single workspace.
  • Sending data to multiple workspaces for Linux VMs (multi-homing).
  • Improvements in Windows event filters.

New agent for containers

The new version of the Azure Monitor agent for containers introduces these changes:

  • Allows you to monitor the status of your deployments and Horizontal Pod Autoscaler (HPA) via workbook.
  • Accessing the tab Health (limited preview)
  • Bug fixes such as displaying node status “not ready”.

Azure Resource Health

Azure Cloud Services support

In Azure Resource Health real-time health status and status history are now reported for Azure Cloud Services, in particular:

  • Help diagnose and get support for Azure Cloud Service.
  • Reports the current and past status of resources at the level of Deployment, Role & Role Instance.
  • Provides detailed reasons for health status changes.
  • Sets alerts when health status changes.

Govern

Azure Cost Management

Cost Management for Amazon Web Services (AWS)

Adopting a multi-cloud strategy usually results in high complexity in cost control, often given by the different management of different cost models and different billing cycles. Keeping the costs of workloads residing on different cloud providers under control can be difficult to understand as they require the use of different dashboards and views.

Azure Cost Management introduced the ability to centrally manage AWS costs in addition to Azure. This feature allows you to avoid budget surpluses, to maintain control and better manage cloud cost responsibility.

Secure

Azure Security Center

Introduction to Azure Defender

Threat protection services in the Azure Security Center have been renamed to Azure Defender. Furthermore, thanks to the new dashboards, a better experience is offered for detecting security threats and their responses.

Securing SQL databases and virtual machines at any location

With Azure Arc support, Azure Defender can now protect SQL servers located on-premises and in multicloud environments, as well as virtual machines hosted in other public clouds.

Advanced protection for containers

The growing popularity of the adoption of containers and Kubernetes has led to an evolution in Azure Defender for Kubernetes. In fact,, to ensure adequate workload protection in the Kubernetes environment, Azure Defender has included Kubernetes policy management, hardening and application of admission controls.

Furthermore, thanks to the introduction of a mechanism that allows continuous scanning of container images, the possibility of maliciously exploiting the running containers is reduced to a minimum.

IoT protection

Azure Defender for IoT, thanks to the recent acquisition of CyberX, can provide security for IoT devices in agentless mode. The solution provides continuous detection of IoT assets / OT, vulnerability management and threat monitoring for both greenfield and brownfield devices.

Protect

Azure Backup

Backup Center

The new Backup Center solution, currently available in public preview, provides a unique experience designed for centralized backup management at scale. With Backup Center, you can dynamically explore large backup inventories between vaults, subscriptions, locations and even different tenants. The Backup Center can also govern any actions related to backups.

Backup Center supports the following types of workloads:

  • Azure Virtual Machines
  • SQL in Azure Virtual Machines
  • Azure Database for PostgreSQL servers
  • Azure Files

Cross Region Restore

Recovery between different Azure regions, available for virtual machines, has also been extended to support SQL and SAP HANA. Cross Region Restore allows customers to restore their data to secondary regions at any time, essential in the event of the unavailability of the primary region.

Long-term protection of Azure Database for PostgreSQL

Azure Backup and Azure Database Services have merged to provide an enterprise-class backup solution for Azure Database for PostgreSQL (preview). Through managed backup policies you can enable backup retention for up to ten years.

Azure Site Recovery

New Update Rollup

For Azure Site Recovery was released theUpdate Rollup 50 that solves several issues and introduces some improvements. The details and the procedure to follow for the installation can be found in the specific KB.

Migrate

Azure Migrate

Introduced support for Availability Zones

In the tool Azure Migrate: Server Migration the support for Availability Zones was introduced when migrating server systems to Azure. The Azure Availability Zones are a mechanism for achieving high availability, protecting applications and data from failure that might occur in Azure datacenters. With this new opportunity, you can achieve better resiliency for application workloads that migrate to your Azure environment.

Support for Windows Virtual Desktop and ASP.NET web applications included

Azure Migrate has recently expanded support to include in migration scenarios:

  • Windows Virtual Desktop. This migration process helped companies provide a secure and reliable remote desktop experience, simplifying the path to the adoption of cloud solutions.
  • ASP.NET Web Applications. By migrating on-premises .NET-based web applications to managed services provided by the Azure platform, such as App Service and Azure SQL, customers are able to reduce costs and simplify application management.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure Management services: what's new in August 2020

Microsoft constantly releases news about Azure management services. Our community publishes this monthly summary to provide an overview of the top news released in the last month. This allows you to stay up-to-date on these topics and have the necessary references to conduct further investigations.

The following diagram shows the different areas related to management, which are covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.

Figure 1 – Management services in Azure overview

Monitor

Azure Monitor

New version of the agent for Linux systems

A new version of the Log Analytics agent has been released this month for Linux systems. In addition to solving several issues, some new features are introduced, among the main ones we find:

  • Support for Red Hat Enterprise Linux 8
  • Support for Azure Arc for servers
  • FIPS compliance
  • Limiting ingestion to prevent service degradation in the event of extremely high data volume

Azure Monitor for containers: support for viewing Kubernetes environment resources (preview)

With the Kubernetes resource monitor from the Azure portal, you can now use the kubernetes “point and click” to get real-time details of workloads hosted in the AKS environment. The public preview of this feature includes support for different resources (deployments, pods, and replica sets) and supports the following features:

  • Viewing Workloads Running on the Cluster, including the ability to filter resources by namespaces
  • Find the node on which an application is running and its IP address of the pod
  • View pods in set replica, the status of each pod and the images associated with each pod
  • Drill down for individual deployments to view their real-time status and details
  • Perform on-the-fly changes on YAML to validate devtest scenarios

Audit Logs for Azure Monitor queries (preview)

The Azure Monitor team has announced in public preview one of the most requested features: the ability to check Azure Monitor query logs. When enabled, through the Azure diagnostic mechanism, you can collect telemetry data about who ran a query, when it was performed, which tool was used to run it, text and performance statistics related to the performance of the same. This telemetry, like any other Azure Diagnostic-based telemetry, can be sent to an Azure storage blob, Event Hub or Azure Monitor.

New dedicated blade for System Center

System Center now has its own dedicated blade in Log Analytics. To display the new System Center panel, you need to access the Log Analytics workspace and select “System Center” from the left navigation bar, in the group “Workspace Data Sources”. The new System Center blade lets you view and manage SCOM instances connected to your Log Analytics workspace.

New limits for data ingestion in Log Analytics

Azure Monitor is a large-scale service designed to serve thousands of customers who send high volumes of data every month at an increasing rate. As with any multi-tenancy platform, Microsoft has realized that limits must be placed to protect customers from sudden spikes in ingestion that can affect customers who share the environment and resources. Until now, there was only one import volume speed limit for Azure resource data from Diagnostic Settings. Now you've added the limit to other Log Analytics data sources, including: Diagnostic Settings, agents and data collection APIs. The limit is applied to compressed data approximated 6 GB / Min, where this limit may vary depending on the types of data and its compression ratio. This limit for import volume speed in Log Analytics can be increased by opening a support request.

Log Analytics REST APIs: released a new version

The new version (2020-08-01) of the Log Analytics REST API for the resource provider OperationalInsights was released. This version supports new features such as customer-managed keys(CMK), Bring Your Own Storage (BYOS) and consolidates the functionality of all previous versions.

Govern

Azure Policy

Azure Policy Compliance Scan Action for Workflows GitHub (preview)

In preview, the following were released Azure Policy Compliance Scan Action for Workflows GitHub. The new GitHub actions will make it easier to activate compliance analysis than the subscription-based Azure Policy, resource groups or other resources and will automate the next steps in the GitHub workflow based on resource compliance status.

Protect

Azure Backup

Selective disk backup for virtual machines in Azure (preview)

Azure Backup introduced the ability to selectively back up virtual machine disks. This feature primarily introduces the following benefits:

  • Cost Optimization
  • Faster backup and restore operations

Configuring Azure file shares

Azure Backup has simplified the backup configuration experience for Azure file shares, providing the ability to enable backup directly from the file share management panel.

Configuring Azure file shares backup now consists of only the following two steps:

  • Creating or choosing the recovery services vault
  • Create or choose the backup policy

Improvements in virtual machine protection

Azure Backup introduces the following improvements in the protection of VMs:

  • Introduces the ability to restore unmanaged disks of a VM by turning them into managed disks during the restore phase.
  • Supports the backup and restore of Virtual Machine Scale Sets in the orchestration mode described in this document.
  • Allows disk replacement as an option for VMs that have assigned Managed Service Identities (MSI).

Encryption of backups using customer managed keys (preview)

Azure Backup introduces the possibility, when you back up Azure Virtual Machines, to encrypt data using proprietary and managed keys. Azure Backup allows you to use RSA keys stored in Azure Key Vaults to encrypt backups. The data will then be protected using a data encryption key (DEK) AES-based 256, which in turn is protected using keys stored in Key Vaults. This gives you full control over the data protection and keys that are used for encryption.

SAP HANA backup for Red Hat Enterprise Linux VM

Azure Backup has released the ability to protect SAP HANA databases on Red Hat Enterprise Linux virtual machines (RHEL). This feature allows to have in an integrated way and without having to provide a specific backup infrastructure, the protection of SAP HANA databases on RHEL, one of the most commonly used operating systems in these scenarios.

Azure Site Recovery

New Update Rollup

For Azure Site Recovery was released theUpdate Rollup 49 that solves several issues and introduces some improvements. The details and the procedure to follow for the installation can be found in the specific KB.

Migrate

Azure Migrate

Assessment of physical servers and servers in AWS and GCP

Azure Migrate introduces support for assessment of physical servers and systems residing in Amazon Web Services (AWS), Google Cloud Platform (GCP) or at any cloud. Thanks to this evolution in the solution it is possible to evaluate any machine in the cloud or on-premises even when you can not access the hypervisor. The assessment is able to provide the following information:

  • Analyze suitability in Azure environment
  • Planning for migration costs
  • Performance-based scaling
  • Support for application dependency analysis (agent-based)

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure Management services: What's new in July 2020

Microsoft continuously announces news about Azure management services and as usual our community releases this monthly summary. The aim is to provide an overview of the main news of the month, in order to stay up to date on these topics and have the necessary references to conduct further exploration.

The following diagram shows the different areas related to management, which are covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.

Figure 1 – Management services in Azure overview

Monitor

Azure Monitor

Azure Monitor Logs connector

The Azure Monitor Logs connector component has been released and allows you to create automated workflows using hundreds of actions for a variety of services with Azure Logic Apps and Power Automate.

Azure Monitor for SAP Solutions (preview)

Azure Monitor for SAP is a new solution that allows you to natively monitor your SAP environment in Azure. This solution allows you to collect and consolidate telemetry from your Azure infrastructure and SAP databases. This data is used to achieve a correlation between the different components that allows for faster troubleshooting. This feature is currently present in public preview in the following regions: US East, US East 2, US West 2, West Europe.

Azure Monitor Community Repository

The Azure Monitor Community GitHub repository has been made available and provides a collaborative space for community members to share and explore Azure Monitor artifacts as queries [KQL], workbooks and alerts. This repository is public and accepts contributions from any user, for the benefit of the entire Azure Monitor community.

Azure Log Analytics saved searches are moving to Query Explorer

Azure Log Analytics Saved Searches are now available in Query Explorer, which allows you to use and manage different queries. To manage them, access to the section Logs in the Azure Monitor Log Analytics workspace or from Application Insights and select Query explorer from the main menu.

Configure

Azure Automation

Introduced support for Azure Private Link (preview)

Microsoft has introduced support for Azure Private Link, necessary to securely connect virtual networks to Azure Automation through the use of private endpoints. This feature is useful for:

  • Establish a private connection with Azure Automation, without opening access to the public network.
  • Ensure that Azure Automation data is accessible only through authorized private networks.
  • Protect yourself from data extraction by allowing granular access to specific resources.
  • Protect resources from access from the public network.

Govern

Azure Policy

Azure Policy for Azure Kubernetes Service (AKS) pods (preview)

To improve the security of Azure Kubernetes Service clusters (AKS) you can now protect pods by using Azure Policies. This integration allows you to control pod requests and detect requests that violate policies set. At the moment, you can choose from a list of 16 integrated policies and two initiatives (that match the standards set in the Kubernetes pod security policy) .

Azure Cost Management

Azure Cost Management + Billing updates

During the month of July, news was announced regarding the following areas of Azure Cost Management and Billing:

Secure

Azure Security Center

Advanced threat protection for Azure Storage

Advanced threat protection preview for Azure Storage supports Azure Files and Azure Data Lake Storage Gen2 API, helping customers protect data stored in file shares and data stores designed for corporate big data analytics. This protection provides an additional layer of security information by providing alerts when unusual and potentially malicious attempts to access or exploit storage accounts are detected. These security alerts are integrated with the Security Center and are also emailed to subscription administrators, with details about suspicious activity and advice on how to investigate and resolve threats.

Protect

Azure Site Recovery

New Update Rollup

For Azure Site Recovery was released theUpdate Rollup 48 that solves several issues and introduces some improvements. The details and the procedure to follow for the installation can be found in the specific KB.

Support for replication via Private Link

Azure Site Recovery introduced support for private links, These can be used to replicate Azure virtual machines, VMware and Hyper-V systems and physical machines. Using Private Links provides secure connectivity to Azure Site Recovery service URLs. A private endpoint on the network will be required for access to the recovery services vault and a second endpoint for data replication to the cache storage account. This feature will be available in almost all public regions by August 2020.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure Management services: What's new in June 2020

In June have been announced, by Microsoft, a considerable number of news regarding Azure management services. Our community, through these articles released monthly, want to provide an overview of the main news of the month, in order to stay up to date on these arguments and have the necessary references for further information.

The following diagram shows the different areas related to management, which are covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.

Figure 1 – Management services in Azure overview

Monitor

Azure Monitor

New version of the agent for Linux systems

This month was released a new version of the agent of Log Analytics for Linux systems. In addition to fixing a number of bugs, the following new features have been introduced:

  • Support for Red Hat Enterprise Linux 8 (Note: specific requirements regarding python)
  • Azure Arc support for servers
  • FIPS compliance
  • Extension package signed protected
  • Ingestion rate limiting to avoid service degradation in the event of extremely high data volume by an agent
  • Deprecating 32-bit support (1.12.15-0 is the latest release that supports 32-bit)
  • New component versions auoms and OMI

Azure Monitor for VMs on Arc Enabled servers (preview)

Azure Monitor for VM enables you to have a monitor system that can provide a global view of your systems, providing information about virtual machine performance and various dependencies. This service is available for VMs in Azure, Azure scale sets and on-premises VMs. Azure Monitor can now leverage Azure Arc to reach on-premises workloads. Although today it is possible to monitor non-Azure VMs even without Azure Arc, using this integration automatically detects and manages agents on VMs. Once integrated, Azure Arc-enabled servers will fit perfectly into existing Azure portal views along with virtual machines in Azure and Azure scale sets.

Azure Monitor for Containers for Azure Arc (preview)

Azure Monitor for Containers extended monitor support for Kubernetes clusters hosted on Azure Arc (currently in preview), offering functionality similar to the AKS service monitor (Azure Kubernetes).

Key Vault Monitor Support (preview)

Azure Monitor introduces the ability to monitor Azure Key Vault and have a unified view with performance, requests, errors and latency of this component.

Azure Load Balancer Monitor using Azure Monitor for Networks

Azure Monitor for Networks now allows you to monitor health and perform an analysis of Azure Load Balancer configuration. Inside the solution there are topological maps for all Load Balancer configurations and integrity dashboards for standard Load Balancers, suitably configured for the collection of metrics.
This new feature will extend the capabilities of Azure networking monitors. The solution therefore becomes more complete and allows for rapid troubleshooting.

Configure

Azure Automation

Updated DNS records for Azure Automation

To support new Azure Automation features, such as Azure private links, the related URLs have been updated. Instead of region-specific URLs, now the URLs are account-specific. Old Azure Automation URLs still remain functional to provide time for migration. For more information about this, please refer to this document.

Protect

Azure Backup

Update Rollup Released 1 for Microsoft Azure Backup Server (MABS) v3

For Azure Backup Server v3 has been released the’Update Rollup 3, which introduces the following major news:

  • Offline Backup using Azure Data Box (in private preview): thanks to the integration with Microsoft Azure Data Box, customers using MABS are able to face the challenge of moving tera bytes of backup data from on-premises storage to Azure. The user experience for this feature is consistent with DPM 2019 and the MARS agent.
  • Protection for Azure VMware Solution. Microsoft recently announced the Azure VMware solution (AVS) which allows customers to fully extend or migrate on-premises VMware systems to Azure. With this update, you can use MABS to protect virtual machines deployed with Azure's VMware solution.
  • Faster backups with tiered storage using SSD. MABS v3 UR1 introduces improvements to the backup process, adopting tiered storage, allows you to make faster backups until 50-70%. Using a small percentage (4% overall storage) SSD storage as a tiered volume in combination with HDD disks,you get much better performance.
  • Improved performance in backing up VMware systems. MABS helps protect VMware virtual machines. With this upgrade, all VMWare virtual machine backup jobs, within a single protection group, are now being run in parallel, leading to faster VMs backup up to 25%. Furthermore, this update also offers the ability to exclude a specific VMware VM disk from backups.
  • Support for ReFS Volume Protection. With this update, you can use MABS to protect ReFS volumes (with deduplication enabled) workloads (Windows Server, SQL Server, Exchange and SharePoint) distributed over ReFS volumes.
  • Support for an additional level of authentication in deleting online backups. MABS v3 UR1 prompts you to enter a security PIN when performing protection stop operations with data deletion.
  • Deprecated the protection agent 32 bit. With the release of UR1 for MABS v3, support for protecting workloads to 32 bit is deprecated. After you install UR1, you will not be able to protect any data source to 32 bit. If there is a protection agent to 32 bit, after installing UR1, this is disabled and any scheduled backups will fail.

Azure Site Recovery

New Update Rollup

For Azure Site Recovery was released theUpdate Rollup 46 that solves several issues and introduces some improvements. The details and the procedure to follow for the installation can be found in the specific KB.

Migrate

Azure Migrate

Evaluate imported servers in Azure Migrate

Azure Migrate introduces the ability to assess imported servers using a CSV file, without the need to deploy an appliance. This system is useful if you want to do a quick pre-evaluation or if you are waiting to deploy the Azure Migrate appliance. You can also perform a performance-based assessment by specifying the system usage values in the CSV file.

Azure Migrate server assessment tool: support for migrating to Azure VMware Solution (Preview)

Azure Migrate has introduced support to manage migration to Azure VMware Solution (Preview), providing an additional option to plan your migration to Azure. Using Azure Migrate server assessment tool, it is possible to analyze on-premises workloads to migrate to Azure's VMware solution, assessing its suitability, planning costs, calculating scaling based on performance and considering application dependencies.

Multiple credential support for physical server discovery (preview)

Azure Migrate included the ability to specify multiple credentials for physical server discovery and assessment. Furthermore, the number of servers that can be found for each individual appliance has been increased by 250 to 1.000. The appliance for physical server can be installed on an existing server and can also be used for the discovery and assessment of virtual machines if you do not have access to the hypervisor, as well as for virtual machines in other cloud environments.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure Management services: What's new in May 2020

To stay constantly updated on news regarding Azure management services, our community releases this monthly summary, allowing you to have an overview of the main new features of the month. In this article you will find the news, presented in a synthetic way and accompanied with the necessary references to be able to conduct further studies.

The following diagram shows the different areas related to management, which are covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.

Figure 1 – Management services in Azure overview

Monitor

Azure Monitor

New version of the agent for Linux systems

A new version of the Log Analytics agent has been released this month for Linux systems. The main innovations introduced are:

  • Stability and reliability improvements.
  • Improved support for Azure Arc for Server.
  • FIPS Compliance.
  • RHEL support 8.

SHA-2 signing for the Log Analytics agent

The Log Analytics agent for Windows will start enforcing SHA-2 signings from 17 August 2020, postponing the date previously set to 18 may 2020. This change requires action if you are running the agent on a legacy version of the operating system (Windows 7, Windows Server 2008 R2, or Windows Server 2008) . Customers who are in this condition should apply the latest updates and patches on these operating systems before 17 August 2020, otherwise their agents will stop sending data to Log Analytics workspaces. The following Azure services will be affected by this change: Azure Monitor, Azure Automation, Azure Update Management, Azure Change Tracking, Azure Security Center, Azure Sentinel, Windows Defender ATP.

Feature extensions of Azure Monitor

The following enhancements have been made in Azure Monitor that expand its functionality and make it an increasingly complete solution:

  • Azure Monitor availability for Azure Storage and Azure Monitor for Azure Cosmos DB.
  • Azure Monitor preview for Azure Key Vault and Azure Monitor for Redis Cache.
  • Preview of Azure Monitor Application Insights in Azure Monitor Logs workspaces.
  • Capacity reservation and CMK encryption with Azure Monitor Logs clusters dedicated to large-scale deployments.

Azure Private Link Availability for Azure Monitor
The Azure Private Link feature is now also available for Azure Monitor and allows you to have the following features:

  • Private connectivity to Azure Monitor Logs workspaces and to Azure Application Insights.
  • Exfiltration data protection with granular access to specific resources.
  • Protecting resources from access from the public network.

At the moment you need to make a request explicitly to access these features.

Improve the experience when deleting and restoring Azure Monitor Logs workspaces

Microsoft has added soft-delete workspace functionality to make it easier to recover if necessary. In fact, in the event of a cancellation, the workspace will go into a soft-delete state to allow it to be restored if necessary, including data and connected agents, within 14 days. This behavior can be circumvented and permanently deleted the workspace. To avoid the incorrect elimination of the workspaces from the Azure portal, a specific section has been added where you can consult how many solutions are installed and the relative daily data volume received in the last 7 days by data type.
Restoring the workspace, can now take place directly from the Azure portal.

Azure Advisor recommendation digests

Azure Advisor introduces the ability to receive a periodic summary of the available best practice recommendations developed by the solution. Advisor Digest Recommendations keep you up-to-date on Azure optimization opportunities outside the Azure portal. Notifications are customizable and handled through Azure Monitor Action Group.

Azure Service Health also includes emerging issues

Azure Service Health now also reports emerging issues in the Azure portal. An emerging problem is a situation in which Azure is aware of a widespread outage but may not yet be fully aware of the extent and amplitude. Previously, emerging problems were only available in the Azure Status page.

Configure

Azure Automation

TLS 1.2 Enforcement

Starting from September 1st 2020, Azure Automation will impose the presence of Transport Layer Security (TLS) version 1.2 or later, for all external HTTPS endpoints.

Secure

Azure Security Center

Changes to the just-in-time service (JIT) virtual machine (VM) Access

In the just-in-time service (JIT) virtual machine (VM) access have been made the following changes:

  • The recommendation advising to enable JIT on a VM has been renamed by “Just-in-time network access control should be applied on virtual machines” in “Management ports of virtual machines should be protected with just-in-time network access control”.
  • The recommendation is now activated only if open management ports are detected.

Custom recommendations placed in a separate panel

All the custom recommendations created for your subscriptions are now positioned in the dedicated section “Custom recommendations”.

Account security recommendations moved to the section “Security best practices”

The following recommendations have been included in the section “Security best practices” and therefore do not impact on the secure score:

  • MFA should be enabled on accounts with read permissions on your subscription (originally in the “Enable MFA” control)
  • External accounts with read permissions should be removed from your subscription (originally in the “Manage access and permissions” control)
  • A maximum of 3 owners should be designated for your subscription (originally in the “Manage access and permissions” control)

Microsoft has decided to apply this change as it has determined that the risk of these three recommendations is lower than initially thought.

Protect

Azure Backup

SAP HANA backup for Red Hat Enterprise Linux VM

Azure Backup includes protecting SAP HANA databases on Red Hat Enterprise Linux virtual machines (RHEL). This feature allows to have in an integrated way and without having to provide a specific backup infrastructure, the protection of SAP HANA databases on RHEL, one of the most commonly used operating systems in these scenarios.

Protect against accidental deletion of Azure file shares

To provide greater protection against cyberattacks and accidental deletion, Azure Backup has added an extra layer of security to the Azure file shares snapshot management solution. If you delete File Shares, content and its recovery points (Snapshots) are retained for a configurable period of time, enabling full recovery without data loss. When you configure protection for a file share, Azure Backup enables soft-delete functionality at the account storage level with a retention period of 14 days, which is configurable according to your needs. This setting determines the time window in which you can restore the contents and snapshots of your file shares after any accidental deletion operations. Once the share file is restored, backups resume working without the need for additional configurations.

Azure Site Recovery

Zone-to-zone disaster recovery available in new regions

Zone-to-Zone DR is now also available in the Southeast Asia and UK South regions. With this Azure Site Recovery feature, called zone-to-zone DR, there's an opportunity to create disaster recovery plans (DR) for virtual machines (VM), replicating them between different Azure Availability Zones. If a single Azure Availability Zone is compromised, you will be able to fail over virtual machines to a different zone within the same region and access them from the Secondary Availability Zone.

Introduced support for proximity groups

Azure Site Recovery has introduced support for proximity placement groups (PPGs). Thanks to this feature, any virtual machine (VM) hosted within a PPG can be secured using Azure Site Recovery. By enabling replication of that VM, you can provide a PPG in the secondary region as an additional parameter. When a failover process is activated, Site Recovery will place the VM in the user-supplied target PPG.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure Management services: What's New in April 2020

Starting from this month, the series of articles released by our community about what's new in Azure management services is renewed. They will be articles, published on a monthly basis, dedicated exclusively to these topics to have a greater level of depth.

Management refers to the tasks and processes required to better maintain business applications and the resources that support them. Azure offers many strongly related services and tools to provide a comprehensive management experience. These services are not exclusively for Azure resources, but they can potentially also be used for on-premises environments or other public clouds.

The following diagram shows the different areas related to management, which will be covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.

Figure 1 – Management services in Azure overview

Monitor

Azure Monitor for containers: support for monitoring the use of GPUs on AKS GPU-enabled node pools

Azure Monitor for containers has introduced the ability to monitor the use of GPUs in Azure Kubernetes Service environments (AKS) with nodes that take advantage of GPUs. They are currently supported as NVIDIA and AMD vendors.
This monitoring functionality can be useful for:

  • Check the availability of GPUs on the nodes, the use of the GPU memory and the status of GPU requests by pods.
  • View the information collected through the built-in workbook available in the workbook gallery.
  • Generate alerts on pod status

Export of alerts and recommendations to other solutions

Azure Security introduces an interesting feature that allows you to send security information generated by your environment to other solutions. This is done through a continuous export mechanism of alerts and recommendations to Azure Event Hubs or to Azure Monitor Log Analytics workspaces. This feature opens up new integration scenarios for Azure Security Center. The functionality is called Continuos Export and is described in detail in this article.

Workflow automation functionality

Azure Security Center includes the ability to have workflows to respond to security incidents. Such processes may include notifications, the initiation of a change management process and the application of specific remediation operations. The recommendation is to automate as many procedures as possible as automation can improve safety by ensuring that the process steps are performed quickly, consistent and according to predefined requirements. The Azure Security Center has been made available the functionality workflow automation. It can be used to automatically trigger the Logic Apps trigger based on security alerts and recommendations. Furthermore, manual trigger execution is available for security alerts and for recommendations that have the quick fix option available.

Integration with Windows Admin Center

It is now possible to include Windows Server systems residing on-premises directly from the Windows Admin Center in Azure Security Center.

Azure Monitor Application Insights: monitors Java applications codeless

The Java Application Monitor is now made possible without making changes to the code, thanks to Azure Monitor Application Insights. In fact, the new Java codeless agent is available in preview. Among the libraries and frameworks supported by the new Java agent we find:

  • gRPC.
  • Netty/Webflux.
  • JMS.
  • Cassandra.
  • MongoDB.

Retiring the solution for Office 365

For the solution “Azure Monitor Office 365 management (Preview)”, which allows you to send the logs of Office 365 to Azure Monitor Log Analytics is expected to be retired on 30 July 2020. This solution has been replaced by the solution of Office 365 present in Azure Sentinel and the solution “Azure AD reporting and monitoring”. The combination of these two solutions is able to offer a better experience in configuration and in its use.

Azure Monitor for Containers: support for Azure Red Hat OpenShift

Azure Monitor for Containers now also supports in preview the monitor for Kubernetes clusters hosted on Azure Red Hat OpenShift version 4.x & OpenShift versione 4.x.

Azure Monitor Logs: limitations on concurrent queries

To ensure a consistent experience for all users in consulting the Azure Monitor Logs, will be gradually implemented new limits of concurrency. This will help protect yourself from sending too many queries simultaneously, which could potentially overload system resources and compromise responsiveness. These limits are designed to intervene and limit only extreme usage scenarios, but they should not be relevant for the typical use of the solution.

Secure

Azure Security Center

Dynamic compliance packages available

The Azure Security Center regulatory compliance dashboard now includes thedynamic compliance packages to trace further industry and regulatory standards. The dynamic compliance packages can be added at subscription or management group level from the Security Center policy page. After entering a standard or benchmark, this is displayed in the regulatory compliance dashboard with all related data. A summary report will also be available for download for all standards that have been integrated.

Identity recommendations included in Azure Security Center tier free

Security recommendations relating to identity and access have been included in the Azure Security Center tier free. This aspect allows to increase the functionality in the cloud security posture management area for free (CSPM). Before this change, these recommendations were only available in the Azure Security Center Standard tier. Here are some examples of recommendations for identity and access:

  • “Multifactor authentication should be enabled on accounts with owner permissions on your subscription.”
  • “A maximum of three owners should be designated for your subscription.”
  • “Deprecated accounts should be removed from your subscription.”

Protect

Azure Backup

Cross Region Restore (CRR) for Azure virtual machines

Thanks to the introduction of this new feature in Azure Backup, it introduces the ability to start restores at will in a secondary region, making them completely controlled by the customer. To do this, the Recovery Service vault that holds the backups must be set to geographic redundancy; in this way the backup data in the primary region are geographically replicated in the secondary region associated with Azure (paired region).

Azure Files share snapshot management

Azure Backup introduces the ability to create Snapshots of Azure Files share, Daily, weekly, Monthly, and keep them until 10 years.

Figure 2 – Azure Files share snapshot management

Support for replacing existing disks for VMs with custom images

Azure Backup introduced support, during the recovery phases, to replace existing disks on virtual machines created with custom images.

SAP HANA backup

In Azure Backup, protection of SAP HANA DBs present in virtual machines is available in all major Azure regions. This functionality allows you to have SAP HANA database protection integrated and without having to provide a specific backup infrastructure. This solution is officially certified by SAP.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

System Center: What's New in April 2020

In this summary, that we report on a monthly basis, the main announcements regarding System Center are listed, accompanied by the necessary references to be able to conduct further studies on.

System Center Operation Manager (SCOM)

SCOM 2019: Hotfixes for alert management

For SCOM 2019 UR1 was introduced this hotfix which solves several issues regarding the management of alerts.

SCOM 2016: Update Rollup 9

The Update Rollup 9 and for SCOM 2016 introduces fixes to different issues, for more information on this, you can see the specific KB.

New dashboards for the Azure Management Pack

Using the Azure Management Pack (MP) you can monitor Azure subscriptions and resources from SCOM. SCOM's console natively shows alerts and resource status collectively in a single view, without providing the ability to apply filters of any kind. The introduction of the new dashboards resolves this limitation. These are the main benefits introduced:

  • View Azure resources in SCOM in a similar way to the Azure portal.
  • Easily filter and locate resources.
  • Instantly view subscriptions, resource groups and alerts for each Azure resource.
  • Possibility to have modern dashboards with sorting functionality, layout, filter and search.

Adopting these new dashboards requires SCOM 2019. In this link you can access the information you need to activate and configure your Azure MP.

System Center Virtual Machine Manager (SCVMM)

SCVMM 2016: Update Rollup 9

The Update Rollup 9 for SCVMM 2016, in addition to remedying some problems, it introduces the following functions:

  • Ability to deploy Ubuntu Virtual Machines 18.04.
  • VM Connect Console Support Using 'Enhanced Session'

For further details please visit the specific KB.

System Center Data Protection Manager (SCDPM)

SCDPM 2016: Update Rollup 9

The’Update Rollup 9 for SCDPM 2016 in addition to a correction on the pruning jobs, it introduces the following changes:

  • Add an authentication layer for what you consider critical. You will be asked for a security PIN when operations are performed like Stop Protection with Delete data.
  • Adding the parameter -CheckReplicaFragmentation property cmdlet Copy-DPMDatasourceReplica, which calculates the percentage of fragmentation for a replica.

System Center Service Manager (SCSM)

SCSM 2016: Update Rollup 9

The Update Rollup 9 for SCSM 2016 only introduces fixes to problems, for information about it, you can consult the specific KB.

System Center Evaluation

To evaluate the various components of System Center, you must access theEvaluation Center and, after registering, you can start the trial period.

Azure management services and System Center: What's New in March 2020

In March there have been several news announced by Microsoft on the Azure management services and System Center. In this summary, that we report on a monthly basis, major announcements are listed, accompanied by the necessary references to be able to conduct further studies on.

Azure Monitor

Azure Security Center integration

In Azure Security Center (ASC) integration with Azure Monitor has been introduced. In fact, in ASC it has been made available the ability to export continues toward a Log Analytics workspace. With this feature, you can configure Azure Monitor alert rules against recommendations and alerts exported from the Security Center. As a result, you can enable action groups to achieve automation scenarios supported by Azure Monitor.

Service availability Azure Monitor for VMs

In Azure monitor, the service that monitors virtual machines has been released, calledAzure Monitor for VMs. This service analyzes the performance data and the status of virtual machines, makes the monitor of the installed processes and examines its dependencies.

The serviceAzure Monitor for VMsis divided into three different perspectives:

  • Health: the logical components present on board of the virtual machines are evaluated according to specific pre-configured criteria, generating alerts when certain conditions are met.
  • Performance: shows summary details of performance, from the guest operating system.
  • Map: generates a map with the interconnections between the various components that reside on different systems.

This solution can be used on Windows and Linux virtual machines, regardless of the environment in which they reside (Azure, on-premises or at other cloud providers).

New agent version for Windows and Linux systems

A new version of the Log Analytics agent has been released this month for Window systemss and for Linux systems. In both cases they are introduced several improvements and increased stability.

SHA-2 signing for the Log Analytics agent

The Log Analytics agent for Windows will start enforcing SHA-2 signings from 18 may 2020. This change requires action if you are running the agent on a legacy version of the operating system (Windows 7, Windows Server 2008 R2, or Windows Server 2008) . Customers who are in this condition should apply the latest updates and patches on these operating systems before 18 may 2020, otherwise their agents will stop sending data to Log Analytics workspaces. The following Azure services will be affected by this change: Azure Monitor, Azure Automation, Azure Update Management, Azure Change Tracking, Azure Security Center, Azure Sentinel, Windows Defender ATP.

Azure Site Recovery

New Update Rollup

For Azure Site Recovery was released theUpdate Rollup 45 that solves several issues and introduces some improvements. The details and the procedure to follow for the installation can be found in the specific KB.

Azure Backup

Azure Backup Report

Azure Backup has announced the release of the solution Azure Backup Report. It's a tool available in the Azure portal that provides reports to answer many questions about backup progress, including: “What backup items consume more storage space?”, “Which machines have consistently had abnormal backup behaviors?”, “What are the main causes of the backup job failure?”. Reports provide cross-sectional information across different types of workloads, Vaults, subscriptions, regions and tenants. This tool also provides support for Windows Server 2008, to facilitate the migration steps of the on-premises systems based on Windows Server 2008 to Azure, process by which you can continue to get security patches.

Azure Automation

Availability in new regions

Azure Automation is now available in preview in the regions ” US Gov Arizona”.

Evaluation of Azure and System Center

To test for free and evaluate the services provided by Azure you can access this page, while to try the various System Center components you must access theEvaluation Center and, after registering, you can start the trial period.

Azure management services and System Center: What's New in February 2020

The month of February was full of news and there are different updates that affected the Azure management services and System Center. This article summarizes to have a comprehensive overview of the main news of the month, in order to stay up to date on these topics and have the necessary references to conduct further exploration.

Azure Monitor

Changes to the Log Analytics schema

Important news has been made to the Azure Monitor Log Analytics schema to help you browse your content faster and easier.

Updates in the log view

Azure Monitor Log Analytics has greatly improved the appearance in the log view. New charts have been introduced that can quickly and easily display the collected data and provide the ability to obtain more information from it effectively.

Azure Site Recovery

Retirement of some protection scenarios

Starting from 1 march 2023 you will no longer be able to use Azure Site Recoivery for the following security scenarios:

  • Between customer-owned sites managed by System Center Virtual Machine Manager (SCVMM)
  • Between sites managed by SCVMM to Azure

Therefore, by this date, you must modify the configuration to use the protection scenario between Hyper-V and between Hyper-V and Azure, always without SCVMM. Data for protection scenarios that are no longer supported will be removed from the specified date.

Retirement of Azure Site Recovery data encryption functionality

Starting from 30 April 2022 Azure Site Recovery data encryption functionality will be retired and replaced with more advanced encryption mechanisms such asEncryption at Rest with Azure Site Recovery, usingStorage Service Encryption (SSE). Thanks to the adoption of SSE, the data will be encrypted before residing on the storage and decrypted when it is picked up.

Azure Backup

Azure Offline Backup with Azure Data Box

Customers using Azure Backup can now take advantage of Azure Data Box to move large backups through an offiline migration mechanism. The solution is to use both Azure Data Box (appliance from 100 TB) and also Azure Data Box disks (up to 8 TB each), through Azure Recovery Services Agent, to place large initial backups (up to 80 TB per server) in offline mode to an Azure Recovery Services Vault. Subsequent backups will then be made over the network.

Figure 1 – Azure Offline Backup with Azure Data Box

Windows Server support 2008

Azure Backup announced support for Windows Server systems 2008. This facilitates the migration of On-premises systems based on Windows Server 2008 to Azure, so you can continue to get security patches.

Selective exclusion of disks to be protected

Azure Backup now allows you to selectively exclude disks to protect on a virtual machine. This allows you to achieve cost savings for your solution if there are disks that you don't want to protect using Azure Backup.

Backup Explorer

Azure Backup now offers a new solution, currently in preview, called Backup Explorer, an integrated Azure Monitor Workbook which allows for centralized control in real time on the progress of the various backup.

Figure 2 – Overview di Backup Explorer

System Center

Update Rollup 1 for System Center 2019

For System Center 2019 it was released the first update rollup. This update introduces new features, make error corrections and affects the following products:

Microsoft Endpoint Manager

New releases for the Technical Preview Branch

For Configuration Manager were released in the Technical Preview Branch the’update 2001.2, the’update 2002 and the’update 2002.2. Among the main innovations, improvements to Desktop Analytics and task sequences are introduced. They also allow to obtain novelty inherent in Orchestration Groups, an evolution of the Server Groups.

To check the details of what's included in these updates, you can check these documents:

Please note that Releases in the Technical Preview Branch allow you to preview new Configuration Manager features, and it is recommended that you apply these updates only in test environments.

Evaluation of Azure and System Center

To test for free and evaluate the services provided by Azure you can access this page, while to try the various System Center components you must access theEvaluation Center and, after registering, you can start the trial period.