Everything You Need to Know About Azure Infrastructure – October 2018 Edition
You might think that Microsoft had no more news after the crazy announce-a-palooza that was Ignite, but you would be wrong! Some things were quietly released the following week, and then new features started to appear a week later. In The Cloud, no one can hear you scream “no more changes”.
October was a very busy month for those of us working in the community. It’s typically a very big conference month with lots of sessions diving deep into the new information from Microsoft Ignite. I helped organize and spoke at an event in Dublin (Ireland) that my employer sponsored. The theme of that event was change – the idea that cloud has changed business, and whether you like it or not, you must go through a digital transformation or someone else will do it for your employer/competitor instead of you. We need to change how we learn, how we design, and how we maintain systems – the days of 1 web server + 1 database server and upgrade machines/skills every 6-9 years are long over.
Ephemeral OS Disk
Microsoft has announced an Ephemeral OS Disk in limited preview for virtual machine scale sets (VMSS).
In case you don’t know, a VMSS is a cluster of identical virtual machines that perform a specific task. I can tell Azure to create up to 1000 identical virtual machines to run a job or to host a service. Azure can measure the performance of the VMSS and expand (deploy new instances) or shrink (remove instances) the cluster as required. As one might expect, there is a lot of automation/DevOps work in maintaining a current and consistent image for every instance in the VMSS, because each instance is created from that image.
If you have worked with Azure virtual machines then you have already worked with ephemeral disks; this is the term Microsoft uses for what we often call the temp drive. The temp drive, where the paging file resides, is stored on the host and not in a storage cluster where the OS disk and data disks normally live (the L-Series machines, with their host-local NVMe storage, are one exception). The disk is ephemeral, or temporary, because it is on the host and cannot move with the virtual machine; whatever is on it is gone after a redeploy, a resize, or a host move, so you should never keep anything you cannot afford to lose on this disk. The benefit of placement on the host is that it is closer to the CPU and makes for faster disk-based caching, such as the guest OS paging file, and this is further improved by using flash storage on the host (everything except the A-Series).
The ephemeral OS disk applies the same idea to the OS disk of a VMSS. Instead of the OS disks of up to 1000 instances being stored on one or more storage clusters, each instance’s OS disk is created from the image on the host’s local storage, and any changes made to it are discarded when the instance is reimaged, redeployed, or removed by a scale-in. This solution is intended for VMSS deployments that are stateless, with all state (data, logs, secrets, session information) stored externally to the virtual machines; a host-local OS disk is not a place to keep anything you would later need for forensics or recovery. In return, you get lower latency and higher performance for the OS disk – my guess is that deployment time for new instances should be much better too.
There are some things to know before you consider ephemeral OS disks, so check out Microsoft’s documentation first.
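The two settings that make a scale set’s OS disk ephemeral live in the `storageProfile.osDisk` section of the ARM template: `caching` must be `ReadOnly`, and `diffDiskSettings.option` must be `Local`, which places the OS disk on the host rather than in a storage cluster. The following resource definition is an added example written for this post; it is not code from the original article or from Microsoft’s documentation. The resource name, the `Standard_DS2_v2` size, the `smalldisk` image (chosen because the OS disk has to fit in the VM size’s local cache storage), and the `adminUsername`, `adminPassword` and `subnetId` parameters are all placeholders you would replace in a real deployment.

```json
{
  "type": "Microsoft.Compute/virtualMachineScaleSets",
  "apiVersion": "2018-10-01",
  "name": "stateless-web-vmss",
  "location": "[resourceGroup().location]",
  "sku": {
    "name": "Standard_DS2_v2",
    "tier": "Standard",
    "capacity": 3
  },
  "properties": {
    "overprovision": true,
    "upgradePolicy": {
      "mode": "Automatic"
    },
    "virtualMachineProfile": {
      "storageProfile": {
        "imageReference": {
          "publisher": "MicrosoftWindowsServer",
          "offer": "WindowsServer",
          "sku": "2016-Datacenter-smalldisk",
          "version": "latest"
        },
        "osDisk": {
          "createOption": "FromImage",
          "caching": "ReadOnly",
          "diffDiskSettings": {
            "option": "Local"
          }
        }
      },
      "osProfile": {
        "computerNamePrefix": "web",
        "adminUsername": "[parameters('adminUsername')]",
        "adminPassword": "[parameters('adminPassword')]"
      },
      "networkProfile": {
        "networkInterfaceConfigurations": [
          {
            "name": "nic",
            "properties": {
              "primary": true,
              "ipConfigurations": [
                {
                  "name": "ipconfig",
                  "properties": {
                    "subnet": {
                      "id": "[parameters('subnetId')]"
                    }
                  }
                }
              ]
            }
          }
        ]
      }
    }
  }
}
```

Drop this resource into a template and deploy it with `New-AzResourceGroupDeployment` from the new Az module (or `az deployment group create` / `az group deployment create`, depending on your CLI version). The point of the example is what is absent as much as what is present: there is no `dataDisks` entry and nothing in the guest is expected to survive a reimage, so logging, monitoring agents and any secrets the workload needs must be pointed at external services (Log Analytics, Key Vault, a database) before you rely on the cluster for anything you might later need to investigate.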
Customer Lockbox for Azure VMs
Some customers are really worried that Microsoft will start poking around inside their virtual machines. Firstly, Microsoft is not Google. Secondly, as any person that has been lucky enough to visit a Microsoft data centre will tell you, these systems were designed to be operator proof. And thirdly, you have lots of ways to stop unwanted inspection, starting with disk encryption (Azure Disk Encryption, with the keys held in your own Key Vault).
Another system that Microsoft is bringing to Azure from Office 365 is Customer Lockbox. Once you enable this service (in preview for Azure VMs), Microsoft support engineers can no longer reach into your Azure services on their own initiative.
If you open a support case for a virtual machine and Customer Lockbox is enabled on the tenant, the access method changes for the support engineer: they must request access from you via the Azure Portal, and only after you approve that request can they access your machine. A request that you reject, or never act on, grants nothing. Note that Lockbox governs access through Microsoft’s support channel; it does not replace disk encryption or your own role-based access controls on the subscription.
Other Announcements from Microsoft
Here are other Azure IaaS headlines from the past month:
- Microsoft joins Open Invention Network to help protect Linux and open source
- Identify your move-groups and target sizes for migration with Azure Migrate
- Protect data in use with the public preview of Azure confidential computing
- Microsoft Azure portal October 2018 update
- Azure PowerShell – Cross-platform “Az” module replacing “AzureRM”
- Detecting fileless attacks with Azure Security Center
- Seven best practices for Continuous Monitoring with Azure Monitor
- Azure Availability Zones expand with new services and to new regions
- Control and improve your security posture with Azure Secure score
- Simplified restore experience for Azure Virtual Machines
- Avere vFXT for Azure for HPC workloads now generally available
- Azure App Service: Price reductions for App Service on Linux basic and premium tiers
- Fine-grained password policy support in Azure AD DS
- Scoped synchronization from Azure AD to your Azure AD DS managed domain
- Improved synchronization performance from Azure AD to Azure AD DS managed domain
- Azure AD DS now supports Azure managed disks
- Disable NTLM, TLS v1 and secure your Azure AD DS managed domain
- Azure Site Recovery – Update Rollup 30
- General availability: Metric alerts for logs
- Azure DevTest Labs: Configure enforcing auto shutdown schedule for your lab
- Limited public preview: Premium blobs in the Azure portal
- Azure Security Center update September 2018
- Public preview: Azure AD authentication for Azure Files SMB access
- Advanced Threat Protection for Azure Storage now in public preview
- Disaster recovery for Azure Disk Encryption–enabled virtual machines
My Azure Posts on Petri
Here are my Azure posts on Petri from the past month:
- What is Azure Firewall
- Changes to Azure Germany Operations
- What is Azure Front Door?
- What is Azure Public IP Address Prefix?
- What is Standard SSD Managed Disks?
- Don’t Be Stupid – Microsoft Is Not Killing Surface
- Azure AD Domain Services Gets a Few Improvements
And Now for Something Different
What the heck happened to Windows Server 2019? Where is it? Why can’t I use it? These are all valid questions. Some of it is related to the well documented issues with Windows 10. And some of it I wrote about on my own blog on October 4th – before it hit the news last week.
WS2019 did not “release to manufacturing” (RTM). This was the traditional process where Microsoft would share the finished bits with companies such as Dell, HPE, and so on, to let them get ready for general availability. Their work required updating firmware and drivers to be ready for the changes and, specifically, any features that leveraged hardware such as VSS, VMQ, or RSS. Some weeks or months later, general availability (GA) would be reached and the OEMs would have updated installers for their hardware ready for customers – the results were often hit-and-miss.
This time around, Microsoft made WS2019 generally available to everyone at the same time. The intention was to get the bits out earlier to those requiring the software (without hardware dependencies). If they had stuck to the old schedule, RTM would have happened in October, and GA would have happened in January/February of next year – so don’t start complaining!
This alteration has complicated things and the Windows 10 issues have not helped us much either – remember the server and desktop OS share the same core.
Those of you working on hardware probably should not elect to use WS2019 when you get the bits. This is because your manufacturer probably won’t have supported drivers and firmware until early 2019. In fact, Microsoft is soft-blocking deployments of software-defined networking (Network Controller) and storage (Storage Spaces Direct) until there is widespread support from manufacturers. You can choose to “go it alone” by opening a free support call to get the required registry key to bypass the soft-block.
The first place that we expected to see support for the new server OS was Microsoft Azure. But as of this time, Windows Server 2019 is still not available on Microsoft Azure; this is probably related to the Windows 10 issues.
My attitude to WS2019 is to wait until a post-RTM GA would have happened, which is early 2019. Yes, there are some cool bits in WS2019, but I like not being sacked because I chose to run an unsupported system that bluescreened all the time on unready hardware. Be patient, and the cool features will be there for you in due time.