Everything You Need to Know About Azure Infrastructure – February 2021 Edition
Over the last couple of weeks, I’ve spotted lots of tiny little changes in the Azure Portal. And my feeds have lit up over the last few hours. There must be a big Microsoft conference happening right around now? Yup, Microsoft Ignite (March 2021) is here and that means there will be lots of cool new things to check out. One of the nice little ones that didn’t get an announcement is a new user interface for Network Security Groups, enabling you to easily select a common higher-level protocol, such as SMTP, and not need to know/specify the transport protocol and port number (TCP 25).
Azure Firewall Premium Preview
Microsoft announced a preview for Azure Firewall Premium recently. Before we get to the features, we should talk about something that is very clear with this new SKU. Last July, Microsoft made Azure Firewall Policy/Azure Firewall Manager generally available. This new way to manage Azure Firewall configuration and rules originally created a duplicate of what could be done directly in the firewall resource. But then came along a new feature: whitelisting for Threat Intelligence. This was the clue of what was to come – this new feature was only in Azure Firewall Policy and there was no sign of it in the firewall resource. I could read the tea leaves; Azure Firewall were planning on moving the interface to Azure Firewall Policy only. And that’s quite clear with the Premium features – they are available only through a Premium SKU of Azure Firewall Policy.
So what are these new features?
- TLS Inspection: TLS (what SSL is now) is certificate-based encryption. When TLS traffic passes through a firewall, the firewall can normally not inspect the data because it is encrypted. TLS Inspection allows the firewall to peek inside the packets – and this feature plays a role in enabling some of the other features.
- IDPS: This feature has me excited. Intrusion Detection/Prevention System allows the firewall to inspect streams/flows and detect threats that are logged and can generate alerts and even be automatically blocked. Imagine a micro-segmented network with this in the hub – the fear of ransomware could be drastically minimised!
- URL Filtering: Application rules allow us to control outbound access to HTTP/S and SQL Server URIs. URL filtering allows us to extend that to specify wildcards and specific paths in addition to a basic FQDN.
- Web Categories: How much does your organisation pay for web content filtering? Work-from-home and Azure Virtual WAN are driving more user browsing through the Azure-based firewall. Azure Firewall can inspect your web requests and log/stop unwanted browsing activity.
X is Retiring on February 2025
If you have been running things on Azure for a while then there is a chance that February 2024 (3 years away) will be an important date to note. Microsoft made a bunch of announcements about Azure features that will be retired that month:
- We’re retiring Network Performance Monitor on 29 February 2024
- We’re retiring Azure Network Watcher Connection Monitor (classic) on 29 February 2024
- Jenkins plug-ins for Azure are being retired on 29 February 2024
- AKS legacy Azure AD integration will be retired on 29 February 2024
- We’re retiring Classic Application Insights on 29 February 2024
- Update your scripts to use Az PowerShell modules by 29 February 2024
- Update your Azure Media Services REST API and SDKs to v3 by 29 February 2024
- Please upgrade your Azure AD Connect sync to a newer version by 29 February 2024
- We are retiring Azure Cognitive Services Text Analytics v2.x on 29 February 2024
- We’re retiring the standard version of Custom Voice on 29 February 2024
- Azure Batch rendering VM images & licensing will be retired on 29 February 2024
- Azure Application Gateway analytics will be retired on 29 February 2024
- Azure Batch Transcription and Customization Rest API v2 will be retired by 29 February 2024
- Update the Azure Cosmos DB Java SDK by 29 February 2024
- Action required: Switch to Azure Data Lake Storage Gen2 by 29 February 2024
- We are retiring Classic Azure Migrate on 29 February 2024
“Right Aidan, that’s 3 years away and I don’t need to worry”. You might feel like that today – but once you are depending on Azure resources, I find that they are less flexible. You need to make plans, and many of the above-listed resources are the kinds of transformative tech that worm their way into very large and business-driving workloads that take years to modify. Start now, and don’t be stressing out when you get a reminder in January 2024 – and the sooner you get onto the new alternative, the sooner you’ll be able to avail of new features that will otherwise be unavailable to you.
Other Announcements from Microsoft
- General availability: Soft delete for Azure file shares is now on by default for new storage accounts
- Azure DDoS Protection—2020 year in review
- Azure Front Door Standard and Premium now in public preview
- Azure Front Door enhances secure cloud CDN with intelligent threat protection
Azure Virtual Machines
- Microsoft Azure Attestation is now generally available
- Automatic Azure VM extension upgrade capabilities now in public preview
- New disk bursting metrics
- Azure Image Builder Service now generally available
Azure Backup & Site Recovery
- Support for more workloads, tag based policies now in Backup Center public preview
- Azure Backup for SAP HANA: Soft limit increased from 2 TB to 8 TB
- Azure Backup for SAP HANA: Incremental backup is now generally available
- Cross Region Restore of Azure VMs now generally available
- Update rollup 54 for Azure Site Recovery
- Azure Backup: Operational backup for Azure Blobs is now in public preview
- Application Insights availability troubleshooting report for URL tests
- Generally available: Application Insights synthetic monitoring SLA report template
Azure Security Center
- Azure Security Center—General availability updates for January 2021
- Azure Security Center—Public preview updates for January 2021
- Azure Security Center: General availability updates for February 2021
- Azure Security Center: Public preview updates for February 2021
- Microsoft will establish its next U.S. datacenter region (East US 3) in Georgia’s Fulton and Douglas Counties
- Microsoft plans to establish first datacenter region in Indonesia
- Azure role-based access control (RBAC) for Azure Key Vault data plane authorization is now generally available
- Azure Automation 2020 recap and what’s new
And Now for Something Different
I thought that my days of being an accidental database administrator (DBA) were over.
Once upon a time, there were systems administrators (and infrastructure consultants, like me), programmers, and somewhere in-between were the DBAs; they were the weird people that aren’t quite accepted in either of the polar camps. They don’t write code, but they don’t do the plumbing either. But apps rely on them to make “data happen” and they aren’t doing server stuff.
But if you were an on-premises admin with Windows Server in your life, then you were what my old buddy, Mark Minasi, once used to call “the accidental DBA”. Just about every product that Microsoft released since BackOffice Server required a SQL Server database. And because those products were deemed as infrastructure, they fell into the realm of administration for the mere Windows admin. And what did we know about SQL Server? We were pretty good at clicking Next, getting it installed, placing the data files onto a dedicated data drive, and maybe even configuring a backup – but heaven forbid we had to restore anything from those backups! Wow! I can remember the sweaty afternoons trying to make restores work for customers.
I thought that those days were behind me. Here I am, working in Microsoft Azure. The database is a PaaS thing now, right? Yeah … not quite! Azure SQL is great for bespoke apps but few existing systems will run on it. SQL Server Managed Instance lies somewhere between old fashioned SQL Server and Azure SQL – it’s platform-based but it’s “mostly compatible” with SQL Server … mostly … “I can’t believe it’s not SQL Server!”.
There are differences. For example:
- Domain accounts require integration with Azure AD and that can be “interesting” depending on how crazy your identity administrations are.
- Backup & restore to .bak devices is via URI (Azure storage containers) and SAS (requiring Azure AD sign-in) credentials only – great fun in a secure network.
- Third-party suppliers of software probably won’t support it – they can’t be expected to support every PaaS alternative to SQL Server in every cloud and remain in business.
Today I spent a couple of hours trying to restore a database (as part of a migration) to a SQL MI in a secure network. A DBA might have accomplished that task in 10 minutes. But I’m a person who does next>next>next when it comes to SQL Server. And here is the fun bit – much like with Active Directory Domain Services, you pretty much will find that people who have the very limited bit of accidental DBA knowledge that I have are probably in their late 30’s or older. And we can expect those databases to linger around in the heart of the corporate business for 20+ years. As long as my Google-Fu remains strong and I can discern SQL from dentures, I’m probably going to remain employable.