Everything You Need to Know About Azure – February 2020 Edition
I did think about calling this the typo edition – I just bought a Microsoft Sculpt ergonomic keyboard and it might be preventing physical strain but my mental state as a result of the change is a whole other matter.
For the previous two months, I’ve been posting mostly “filler” material because there was so little new stuff to report. But the Bear of Redmond has awoken from its slumber and new Azure goodies are starting to appear.
If you attended Microsoft Ignite 2019 or watched sessions online, the network and architecture content had a big emphasis on micro-segmentation, the concept of using many networks and network security mechanisms to break up an otherwise flat hacker-friendly network into many secure zones: core infrastructure, services, tiers of services and so on.
If you’re working with virtual machines, then pretty much all the tools you need are there right now to implement micro-segmentation. You can justifiably argue that some of the implementation and troubleshooting are a little harder than they should be – Microsoft program managers have had an ear-full of that from me. But over in the platform (PaaS) world, things just aren’t quite there yet … yet.
That “yet” might be sooner than you thought. The first essential piece is the general availability of Azure Private Link, which happened in the last month. Private Link is a service that enables a PaaS resource (not the service, as with Service Endpoints) to be connected to a subnet in your virtual network using a Private Endpoint, which is an IP address in your subnet. Things like Azure SQL storage accounts, and others, have had preview support for this for a while, and I think that they might become generally available pretty soon. Azure Key Vault is also joining the preview club.
Standard & Premium tiers of App Services just sent Regional VNet Integration into general availability. This means that an App Service can use a subnet to route outbound traffic. General availability added support for:
- Outbound flow control via NSG.
- User-defined routes.
- Routing Non-RFC1918 (public ranges) via the virtual network instead of directly to the Internet (off by default).
Azure Firewall isn’t letting App Services take all the glory for manageable routing of RFC1918 addresses. Up until recently, Azure Firewall forcefully sent packets to public IP addresses to the Internet, causing issues for organizations (universities, typically) that used their generous allocation of IPv4 addressing behind the firewall on their LAN(s)l; that meant that packets leaving Azure with Azure Firewall in the route, destined to on-premises were instead sent to the Internet and lost.
Azure Firewall had a couple of big announcements:
New Azure Firewall certification and features in Q1 CY2020
- ICSA Labs Corporate Firewall Certification
- IP Groups preview, enabling ranges of IP addresses to be abstracted as a label.
- A preview for forced tunneling
- Support for high port numbers increasing from 64,000 to 65535
- And support for customer configured SNAT for public IP addresses being used privately
- Azure Firewall Manager now supports virtual networks: Adding a preview for managing firewall rules & configuration via a hierarchy of policy resources.
Azure Files as User File Share (Preview)
When I worked in the small/medium business market, this had to be one of the top asks in the market: can we use Azure Files as a file share for end-users with Active Directory (not Azure AD) authentication.
This was a big gap for Microsoft. They had been hearing the message for five or more years but kept producing what we didn’t ask for. And then Amazon went and gave customers what they wanted … and you know what … Microsoft finally listened. Maybe free competition does work?
Now (in preview) you can set up a share in an Azure storage account, and users can authenticate against it using good ol’ fashioned Active Directory Domain Controllers. There are some requirements:
- Your Active Directory Domain Services (ADDS) domain (“the domain”) must be synchronized with Azure AD (the tenant).
- Your client devices must be either joined to the domain or hybrid joined to Azure AD.
- The storage account with the file share must be in the same tenant as the synchronized Azure AD.
This is still in preview. Backup is still a bad story for storage accounts. And if you are going to use this, then you really should restrict access to the subscription, limit the roles/rights of those who do have access and use resource locks on the resource group and storage account. You will be putting a lot of trust in the anti-malware of your client devices because there is no protection for Azure Files at this time (Security Center Advanced Threat Protection monitors blobs only). You should consider enabling the firewall for the storage account to limit source IP addresses, and maybe even adding Private Endpoint with ExpressRoute/VPN (point-to-site or site-to-site) because now (much to the satisfaction of 2008 cloud hater) … “your file server on the Internet”.
My ex-colleague Alan Kinane has a nice post on this topic.
Quickie: Cluster Shared Disks
This development solves another big ask of Azure that has been going on for years. Most of us never want to do this, but there are times when you just have to create a virtual machine cluster in Azure. That requires some form of cluster storage, and until now that meant using either:
- Azure Files: The Premium tier is the only option for decent performance for shared SMB 3.0 storage.
- Storage Spaces Direct: Lots of complications there and maybe not compatible with your active/passive workload.
If only we could take a virtual disk and “plug it into” two virtual machines at once. Well now you can (in preview) do just that with SCSI Persistent Reservations too! It’s basically as shared SAS disk. The limited preview supports P15 Premium SSD and larger with Ultra Disks coming soon.
Other Announcements from Microsoft
Here are other Azure IaaS headlines from the past month:
- HBv2-Series VMs are now generally available
- Backup Explorer now available in preview
- Enable managed identities on lab virtual machines in Azure DevTest Labs
- New Azure SQL Database automatic tuning default settings – March 2020
- Native Azure Active Directory authentication support and Azure VPN Client now available
- Azure Resource Manager template support for NSG flow logs
- Introducing the new Azure Monitor Log Analytics table pane (Schema)
- Azure Backup now supports Windows Server 2008 Virtual Machine backup
- Azure Offline Backup with Azure Data Box now in preview
- Upgrade to the latest version of Azure Monitor for virtual machines
- Unified network monitoring with connection monitor now in preview
- Preview of Active Directory authentication support on Azure Files
- Azure Monitor Log Analytics now has new, upgraded visualizations
- Fileless attack detection for Linux is now in preview
- A8-A11 Azure Virtual Machine sizes will be retired on 1 March 2021
- Azure StorSimple 8000/1200 series will no longer be supported starting December 31, 2022
- We’re retiring some Azure Site Recovery support options on March 1, 2023
- Azure Site Recovery data encryption feature will be retired April 30, 2022
- Azure Load Balancer TCP resets on idle timeout is now available
And Now for Something Different
Sorry – there’s really not all that much of interest for me out there outside of Azure these days. It’s still too early to talk about Xbox One X (Hyper-V!!!) and xCloud (Azure which is Hyper-V!!!), I no nothing about M365 or whatever it’s called this month, and Windows 10 *yawn* I’ll just let it upgrade and use Teams, Outlook, ChrEdge, and VS Code as usual.
So … back to Azure!
If you check out the Azure regions page, you’ll find that the editors have been busy. Announced but not open regions now are:
- Mexico Central, announced February 20th
- Spain (not on the map yet), announced February 25th
- Israel announced January 22nd
- Qatar Central, announced December 11th, 2019
- Sweden, (not on the map yet), announced May 29th, 2019
So why are Spain and Sweden not on the map when more recently announced regions are? The Spanish one was interesting because it was tied to a partnership announcement – a Spanish partner with global sales that will help Microsoft grow its cloud revenue. This could have been one of those “yeah, we might build data centers in the future” announcements, but that partner needed some *motivation* to get sales where Microsoft things they should be – welcome to “the channel” where you have to read between the lines.
The Swedish one is interesting. I have seen photos that were allegedly (and I trust the source) of a Microsoft data center construction site. The question might be, is it an Azure region or not. There are many data centers that are locations for other Microsoft cloud services, not just points of presence (PoPs).