Everything You Need to Know About Azure Infrastructure – February 2021 Edition

Over the last couple of weeks, I’ve spotted lots of tiny little changes in the Azure Portal. And my feeds have lit up over the last few hours. There must be a big Microsoft conference happening right around now? Yup, Microsoft Ignite (March 2021) is here and that means there will be lots of cool new things to check out. One of the nice little ones that didn’t get an announcement is a new user interface for Network Security Groups, enabling you to easily select a common higher-level protocol, such as SMTP, and not need to know/specify the transport protocol and port number (TCP 25).

Azure Firewall Premium Preview

Microsoft announced a preview for Azure Firewall Premium recently. Before we get to the features, we should talk about something that is very clear with this new SKU. Last July, Microsoft made Azure Firewall Policy/Azure Firewall Manager generally available. This new way to manage Azure Firewall configuration and rules originally created a duplicate of what could be done directly in the firewall resource. But then came along a new feature: whitelisting for Threat Intelligence. This was the clue of what was to come – this new feature was only in Azure Firewall Policy and there was no sign of it in the firewall resource. I could read the tea leaves; the Azure Firewall team was planning on moving the interface to Azure Firewall Policy only. And that’s quite clear with the Premium features – they are available only through a Premium SKU of Azure Firewall Policy.
So what are these new features?

  • TLS Inspection: TLS (what SSL is now) is certificate-based encryption. When TLS traffic passes through a firewall, the firewall can normally not inspect the data because it is encrypted. TLS Inspection allows the firewall to peek inside the packets – and this feature plays a role in enabling some of the other features.
  • IDPS: This feature has me excited. Intrusion Detection/Prevention System allows the firewall to inspect streams/flows and detect threats that are logged and can generate alerts and even be automatically blocked. Imagine a micro-segmented network with this in the hub – the fear of ransomware could be drastically minimised!
  • URL Filtering: Application rules allow us to control outbound access to HTTP/S and SQL Server URIs. URL filtering allows us to extend that to specify wildcards and specific paths in addition to a basic FQDN.
  • Web Categories: How much does your organisation pay for web content filtering? Work-from-home and Azure Virtual WAN are driving more user browsing through the Azure-based firewall. Azure Firewall can inspect your web requests and log/stop unwanted browsing activity.

X is Retiring on February 2025

If you have been running things on Azure for a while then there is a chance that February 2024 (3 years away) will be an important date to note. Microsoft made a bunch of announcements about Azure features that will be retired that month:

“Right Aidan, that’s 3 years away and I don’t need to worry”. You might feel like that today – but once you are depending on Azure resources, I find that they are less flexible. You need to make plans, and many of the above-listed resources are the kinds of transformative tech that worm their way into very large and business-driving workloads that take years to modify. Start now, and don’t be stressing out when you get a reminder in January 2024 – and the sooner you get onto the new alternative, the sooner you’ll be able to avail of new features that will otherwise be unavailable to you.

Other Announcements from Microsoft

Azure Storage

Networking

Azure Virtual Machines

App Services

Azure Backup & Site Recovery

Management

Azure Security Center

Miscellaneous

And Now for Something Different

I thought that my days of being an accidental database administrator (DBA) were over.
Once upon a time, there were systems administrators (and infrastructure consultants, like me), programmers, and somewhere in-between were the DBAs; they were the weird people that aren’t quite accepted in either of the polar camps. They don’t write code, but they don’t do the plumbing either. But apps rely on them to make “data happen” and they aren’t doing server stuff.
But if you were an on-premises admin with Windows Server in your life, then you were what my old buddy, Mark Minasi, once used to call “the accidental DBA”. Just about every product that Microsoft released since BackOffice Server required a SQL Server database. And because those products were deemed as infrastructure, they fell into the realm of administration for the mere Windows admin. And what did we know about SQL Server? We were pretty good at clicking Next, getting it installed, placing the data files onto a dedicated data drive, and maybe even configuring a backup – but heaven forbid we had to restore anything from those backups! Wow! I can remember the sweaty afternoons trying to make restores work for customers.
I thought that those days were behind me. Here I am, working in Microsoft Azure. The database is a PaaS thing now, right? Yeah … not quite! Azure SQL is great for bespoke apps but few existing systems will run on it. SQL Server Managed Instance lies somewhere between old-fashioned SQL Server and Azure SQL – it’s platform-based but it’s “mostly compatible” with SQL Server … mostly … “I can’t believe it’s not SQL Server!”.
There are differences. For example:

  • Domain accounts require integration with Azure AD and that can be “interesting” depending on how crazy your identity administrations are.
  • Backup & restore to .bak devices is via URI (Azure storage containers) and SAS (requiring Azure AD sign-in) credentials only – great fun in a secure network.
  • Third-party suppliers of software probably won’t support it – they can’t be expected to support every PaaS alternative to SQL Server in every cloud and remain in business.
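
The backup and restore difference listed above, shown as an added T-SQL example that is not from the original post: restoring a .bak file from an Azure storage container to SQL Managed Instance through a SAS credential. The storage account, container, SAS token, database name and file name are all assumed placeholders.

```sql
-- Added example. Placeholders (assumptions, replace before running):
--   <storage-account>, <container>, <sas-token>, MigratedDb, MigratedDb.bak

-- 1. The credential name must be the container URL (no trailing slash).
--    The secret is the SAS token without the leading '?'.
--    Issue the SAS with read + list only, HTTPS only, and a short expiry.
IF NOT EXISTS (SELECT 1
               FROM sys.credentials
               WHERE name = 'https://<storage-account>.blob.core.windows.net/<container>')
    CREATE CREDENTIAL [https://<storage-account>.blob.core.windows.net/<container>]
    WITH IDENTITY = 'SHARED ACCESS SIGNATURE',
         SECRET   = '<sas-token>';
GO

-- 2. Confirm the instance can reach the container and read the backup
--    before starting the restore. A failure here points at the network
--    path to storage or at the SAS token, not at the database itself.
RESTORE FILELISTONLY
FROM URL = 'https://<storage-account>.blob.core.windows.net/<container>/MigratedDb.bak';
GO

-- 3. Restore. The target database must not already exist on the instance.
RESTORE DATABASE [MigratedDb]
FROM URL = 'https://<storage-account>.blob.core.windows.net/<container>/MigratedDb.bak';
GO

-- 4. From a second session, watch progress of the running restore.
SELECT session_id, command, percent_complete, start_time
FROM sys.dm_exec_requests
WHERE command LIKE 'RESTORE%';
GO

-- 5. Once the migration is finished, remove the stored SAS so it does not
--    linger on the instance after it is no longer needed.
DROP CREDENTIAL [https://<storage-account>.blob.core.windows.net/<container>];
GO
```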

Today I spent a couple of hours trying to restore a database (as part of a migration) to a SQL MI in a secure network. A DBA might have accomplished that task in 10 minutes. But I’m a person who does next>next>next when it comes to SQL Server. And here is the fun bit – much like with Active Directory Domain Services, you pretty much will find that people who have the very limited bit of accidental DBA knowledge that I have are probably in their late 30’s or older. And we can expect those databases to linger around in the heart of the corporate business for 20+ years. As long as my Google-Fu remains strong and I can discern SQL from dentures, I’m probably going to remain employable.