Is security a big deal? Is the same-old-systems approach of the past still securing you? If 2020 didn’t teach you that being flexible, modern, and staying out of technical debt wasn’t important, then along came “Solorigate” to end our year with a smack of a cold, wet fish across the face.

Template Specs in Preview

Microsoft announced that ARM Template Specs is now Public Preview.  Let the happy dancing begin! Wait – you probably don’t know what Template Specs are because you’re … normal.

Imagine that you created something that you think is cool – it speeds up doing complex things that normally take a lot of time. With your cool invention, people could quickly and easily replicate your results and everybody wins.

In Microsoft Azure, ARM templates can be something cool. The idea is that you might create a template that does something – maybe it deploys a VNet with App Service Environment and SQL Managed Instance in a firewalled environment. If you’ve read up on that stuff, then you know that’s a lot of work! But if you can run a template, it might be a couple of minutes work for you while Azure spins for a few hours while you’re binge-watching something at home.

But ARM templates have never had a good method for being shared internally. Managed Applications is suitable only for third-party vendors selling their wares through the Azure Marketplace. Blueprints … they’ve been in preview for since the Earth started spinning and we all know what that means in the era of “fail fast”!

The idea of Template Specs is that I can take an ARM Template and share it across my tenant with other Azure users. They can then run my template to deploy their own services. This is the sort of thing I’ve had customers ask for and we wasted endless hours investigating what Azure had. Eventually, we created our own Git-based system, but Template Specs might be much more user-friendly – normal people don’t seem to like living a DevOps life.

Expansion of Availability Zones

When Microsoft makes an announcement about a new Azure location, the media get all confused and tell us about a new data center. What Microsoft really announces is a new Azure region. In some cases, for example, Norway West, The region is in a single data center (hosted by a third-party with this example). But in many examples, the region is made up of many data centers, such as East US or North Europe.

I can remember a case a few years ago when a single sensor failed in North Europe and brought down a single storage cluster in a single room, in a single data center. For a lot of customers, including my then employer, that meant downtime. Yes, we had run availability sets, but that just guaranteed that our virtual machines were running on different hosts in a cluster; the machines were still in the same data center.

Availability zones is where the data centers in the region are broken down into multiple zones. Each zone has independent power and networking and can survive independently of the other zones in the region. We can then leverage this higher level of availability:

• Zone redundant or zonal network resources
• Virtual machines across availability zones
• ZRS replication of storage

When possible, I use availability zones to increase the availability of my customers’ services. The number of regions supporting availability zones is still low, but it is increasing. In the last month, the following regions were added:

• South Central US
• Germany West Central

Other Announcements from Microsoft

Azure Storage

• Public preview | Azure NetApp Files: Application Consistent Snapshot tool (AzAcSnap)
• Access Storage Accounts behind Firewalls from Logic Apps within the same region
• Public preview: Prevent Shared Key authorization on Azure Storage accounts
• Generally available: Copy Blob support over private endpoints in Azure Storage
• Resource instance rules for access to Azure Storage now in public preview

Networking

• Built-in Azure Policy support for NSG Flow Logs is now available
• Public IP SKU upgrade generally available
• Azure Monitor Network Insights is now generally available

Azure Virtual Machines

• NCas_T4_v3-Series VMs are now generally available
• Accelerated Networking on HB, HC, HBv2 and NDv2
• Public preview of Linux Diagnostics Agent 4.0

App Services

• Deploying to Network-secured sites
• Migrate from Windows Azure Pack Websites to Azure App Service
• App Service Authentication portal experience is now in public preview
• New App Service Anti-virus Logs in Public Preview
• Logic Apps Anywhere: Networking Possibilities with Logic App Preview
• New App Service + Database create blade (preview)

Azure Backup & Site Recovery

• Azure Backup: Encryption at rest using customer-managed keys is now generally available
• Backup for Azure Managed Disk is in limited preview
• Azure Site Recovery update rollup 53 is now available – January 2021

Management

• Cross resource query between Azure Monitor and Azure Data Explorer in public preview
• View change data through Azure Monitor workbook integration with Application Change Analysis
• Linking storage accounts to your Workspace made easy with new Azure Portal UX
• Azure Monitor ITSM Connector for ServiceNow ITOM with Secure Export
• Changes in Azure Monitor Logs for the AzureDiagnostics table is now available

Azure Security Center

• Azure Security Center—News and updates for December 2020
• Azure Defender for SQL (in Azure Security Center)—News and updates for December 2020

Miscellaneous

• Microsoft to establish new datacenter region in Chile
• Azure Automation Runbooks moving to GitHub
• Azure Policy – Perform policy operations through Azure DevOps
• Confidential computing using Always Encrypted with secure enclaves now in public preview

Rethinking Security

Wow, didn’t 2020 end with a bang? I was on a month’s personal leave and the Solarwinds breach was one of the only IT-related things I read during December. The hackers were clever – they understood that even in the most secured networks (with “secure zones” or micro-segmentation), certain products, such as monitoring or anti-malware, always have open ports from/to every machine. If you can compromise that software, then you can penetrate entire networks with ease. I don’t know how we stop that – how does customer X stop supplier Y from being hacked?

We do need to rethink IT security. We need to understand how we’re being attacked (ID and email first). We need to implement micro-segmentation. And I think we need to assume that we have been breached; my customers have heard me discuss running a network like a ballistic nuclear submarine – isolated from the outside, untrusting of the inside, and if a compartment is breached, its already locked down and you can survive without those sailors.

All this requires work and using new tools. Microsoft Azure makes it easy to deploy things quickly and at scale. I apply that to securing networks. If you enable all the possible logging from Network Security Groups and Azure Firewall, then you can quickly track network/rules failures. If you use Service Map you can plan those rules in advance.

If you send all your security and security-adjacent data to a Log Analytics Workspace then querying and reporting is easy. But you can also become the hunter instead of the prey by using Azure Sentinel – there’s a huge wealth of work already done by the open-source community for incident hunting/alerting, but you can do more yourself.

The days of saying “it’s all too much work” are over. Security is more than anti-malware. The hackers know that, and you’re leaving the castle gates open if you do not.