Everything You Need to Know About Azure Infrastructure – June 2019
Welcome to the start of Summer, when kids are off school, the weather (allegedly) gets warmer, and Microsoft effectively shuts down for two months. I always struggled to come up with new articles to write at this time of year. As a blogger, I depended on new things appearing so I could try them out and write about them. But as Summer approaches, Microsoft goes into review mode, and then they disappear for the summer. It wasn’t until late August that things would start to happen again in the Azure world – right before the build-up to Microsoft Ignite. This year, the Summer drought could be long because Ignite is not until November.
Smarter NSG Planning
A lot of Azure customers get their first taste of the cloud in a migration process. They assess their machines, plan a migration, and get their machines up and running in Azure. One of the changes they will encounter is more granular network security. It’s amazing, especially after the plague of ransomware that we have witnessed, that most corporate server networks are pretty open once you get to the inside. In Azure, we are encouraged to lock things down more – think of small security zones where a server can only have limited communications with servers in other security zones.
We implement this software-defined network security, at the most basic level, with network security groups (NSGs) – a simple policy that either allows or denies inbound or outbound traffic.
Those customers migrating to the cloud often don’t know what security rules to put in place to lock down the network. They know they should lock things down, and they want to, but knowing exactly what source and destination IP addresses to use can be hard, especially when you come from a mature open network.
Adaptive Network Hardening (Azure Security Center standard tier) was launched in the last month to solve this. You will introduce an NSG to a subnet and maybe lock things down a little (source/destination network addresses). Over time, Security Center will observe actual traffic and make recommendations on how to lock things down even more. Over time, with this information, you should be able to lock down your NSG rules even more without a huge risk of breaking service availability or integrations.
But be warned! Information in Security Center is not an instruction from Microsoft. In fact, some of the recommendations contradict Microsoft’s own best practices! Instead, treat any recommendations as things to be investigated.
This new preview feature got a lot of attention when Microsoft announced it a couple of weeks ago. If you work in a secure server environment, you might have to access your servers indirectly from your PC: first you remote (RDP or SSH) into a bastion host or jump box, and then you remote into the actual machine that you wanted to connect to. This airgap prevented RDP or SSH being used as an attack vector without introducing VPN clients which open attack vectors on the sanity of your helpdesk staff member.
Azure Bastion is a per-virtual network service (with a cost) that enables you to RDP or SSH into a an Azure virtual machine from the Azure Portal without using a public IP address in the Azure virtual network – so no firewall or NAT rules are required from the Internet.
You can see why this release might create a lot of publicity and social media activity. Sadly, few understood the limitations of this preview release:
- It does not support VNet peering so the costs will escalate, and management will be a challenge.
- Users of RDP will miss most of the functionality that they take for granted.
- Azure Bastion is not an SSL gateway like you might have used for SSH or RDP before – it must be used via the Azure Portal.
- There is no separation of guest from the Azure Portal – you must have access to the resources via the Azure Portal to sign into the guest, which will be a breaking point for many customers.
- Multi-factor authentication (MFA) is not present yet for the connection – it’s once again relying on the Azure Portal.
The good news is that Microsoft is aware of all the failings of Azure Bastion and will be working on them. I have no idea how far those backlog items are down the sprint schedules, so I couldn’t tell you if v1, v2, v3 or what release of Azure Bastion will include essential features for this service to be usable for mid-large customers. In the meantime, continue using your SSL gateways that you can manage fully and can give you MFA, separation of client from portal, RDP features, and so on.
Azure is in the Middle East
The first Azure regions in the Middle East have opened in the United Arab Emirates (UAE). Some of The Cloud’s biggest spenders are in the oil and gas industry – and I’m sure that their presence in The Gulf has no impact on Microsoft’s planning!
The new Abu Dhabi and Dubai regions are the first locations in The Gulf to provide Microsoft’s cloud services: Azure, Office 365 and Dynamics 365. This means that there are now approximately 48 production Azure regions – the new Swedish footprint hasn’t been defined, and Norway, Germany, and Switzerland are still not publicly available.
Other Announcements from Microsoft
Here are other Azure IaaS headlines from the past April:
- Azure Cost Management updates – May 2019
- Announcing service monitor alliances for Azure Deployment Manager
- Customize your automatic update settings for Azure Virtual Machine disaster recovery
- Securing the hybrid cloud with Azure Security Center and Azure Sentinel
- Azure Shared Image Gallery now generally available
- Taking advantage of the new Azure Application Gateway V2
- Three ways to get notified about Azure service issues
- Azure Security Expert Series: Best practices from Ann Johnson
- Virtual machine scale set insights from Azure Monitor
- Azure HC-series Virtual Machines cross 20,000 cores for HPC workloads
- Customer Lockbox general availability
- Announcing the general availability of Azure premium files
- New PCI DSS Azure Blueprint makes compliance simpler
- Microsoft and Oracle to interconnect Microsoft Azure and Oracle Cloud
And Now for Something Different
Who doesn’t love a bit of licensing? Generally speaking, the phrases “good news” and “licensing” are rarely in the same paragraph. But I have some good news, because Microsoft has updated some licensing to add useful security functionality to their customers.
Microsoft 365 is a suite of products that provide desktop OS (Windows 10), Office 365, and varying security & management features depending on if you by the Business, Enterprise E3, or Enterprise E5 per-user licenses. The Business SKU, which is aimed at the breadth market (small/medium enterprises or SMEs) is a good bundle but if you wanted some of the nicer security pieces you needed one of the Enterprise SKUs.
Lately, Microsoft has been talking a lot about passwords – and how they want to kill passwords. People (amazingly) are hearing the term “passphrase” for the first time lately – a rethinking of passwords to make them easier for users for remember (a sentence), easier to support (no forced complexity and fewer forced changes), and more mathematically secure (longer minimum lengths). But a password by itself is useless – you need more. Unfortunately “more” has always been outside the purchase price of an SME. That changes with the addition of Azure AD Conditional Access to the Business SKU of M365. Now you can control where a verified user can access services from.
This is a pretty useful addition to M365 Business and has been part of a trend that started Summer of last year – essential features either being fully surfaced or added to the version of M365 that most businesses are likely to buy and benefit from.