Everything You Need to Know About Azure Infrastructure – October 2019

Greetings from Orlando! I have been here for two weeks on vacation with my family, enjoying the parks and the pool in the unusually high heat for October. And next week I will be attending Microsoft Ignite, absorbing all the new Azure goodness to come. Until then, let’s focus on the Azure goodness from October.

Direct Upload as Managed Disks

Microsoft recently published a post called Introducing the preview of direct-upload to Azure managed disks. The description of what this new preview is was a little confusing – not helped by the Microsoft-written title – so I thought that I would give a better explanation here.

We have several ways to migrate Hyper-V virtual hard disks to Azure, including a few from Microsoft and other offerings from third-party migration/backup vendors. One of the simplest (and the one with the most downtime) was to upload the virtual hard disk as a VHD in Blob storage, and then bring it online as an unmanaged disk in Page Blob & Disk storage. That method leaves you with an unmanaged disk – a format that Microsoft hasn’t improved in 2-3 years. If you want the current technology, managed disks, then you have to upgrade the disk, which requires another step, or even two.
The new preview feature allows you to upload the VHD as a managed disk resource, skipping the intermediate conversion steps.
There are two things I want you to understand:

  1. This is not a feature to upload files into a managed disk. The original text was very confusing and had me believing that this was part of the feature – a quick email to the program managers confirmed that this feature moves atomic disks only.
  2. If you are doing a migration then Azure Migrate or a third-party solution is preferred because they reduce the downtime and include a lot more discoverability, application management, and migration control.
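As an added example (not code from the original post or from Microsoft), here is the direct-upload flow scripted with the az CLI and AzCopy. The resource group, disk name and region are placeholders, and the flag names (`--for-upload`, `--upload-size-bytes`, `--access-level Write`) are taken from the az CLI as I know it. The helper checks the VHD footer cookie so you don't waste an upload on a file that is not a VHD, the size passed to Azure is the full file size including the 512-byte footer, and the write SAS is revoked as soon as the copy finishes rather than left open for its whole lifetime.

```shell
#!/usr/bin/env bash
# Direct upload of a fixed-size VHD into a new managed disk (preview procedure).
# Assumes: az CLI is logged in and azcopy is on PATH. Names below are placeholders.
set -eu

# Print the value for --upload-size-bytes: the whole VHD file, footer included.
# Refuses files that do not carry the "conectix" cookie at the start of the
# 512-byte VHD footer, so a stray image or a VHDX is rejected before any call.
vhd_upload_size() {
  local vhd="$1" size cookie
  size=$(stat -c %s "$vhd" 2>/dev/null || stat -f %z "$vhd")
  cookie=$(tail -c 512 "$vhd" | head -c 8)
  [ "$cookie" = "conectix" ] || { echo "not a VHD footer: $vhd" >&2; return 1; }
  echo "$size"
}

# Create the disk in upload state, grant a short-lived write SAS, copy the VHD
# as a page blob, then revoke the SAS so the disk is only reachable as a disk.
direct_upload() {
  local vhd="$1" rg="$2" disk="$3" location="$4" size sas
  size=$(vhd_upload_size "$vhd")
  az disk create -g "$rg" -n "$disk" -l "$location" \
    --for-upload --upload-size-bytes "$size" --sku standard_lrs
  sas=$(az disk grant-access -g "$rg" -n "$disk" \
    --access-level Write --duration-in-seconds 3600 --query accessSas -o tsv)
  azcopy copy "$vhd" "$sas" --blob-type PageBlob
  az disk revoke-access -g "$rg" -n "$disk"
}

# Usage (placeholders): direct_upload ./server01.vhd my-rg server01-osdisk westus
```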

Customer-Managed Encryption Keys

As anyone who has had the privilege of touring an Azure region will tell you, Microsoft does not want employees to have access to your data, either deliberately or by accident. Microsoft has slowly been introducing changes to Azure to allow customers to isolate their data and workloads from Microsoft as much as possible, and this continues now (and in the near future).
Note that adding any kind of encryption comes at a price. For example, you lose the ability to restore virtual machine files directly from Azure Backup if the virtual machine’s disks are encrypted. We can assume that using customer-provided keys will introduce further complications. As always, more security equals less usability.
The first preview that is interesting is the ability to use customer-provided encryption keys for storage accounts. In this scenario, your application developers can modify the API calls to storage to include your own keys, possibly stored in a premium-tier Azure Key Vault.
The second preview allows you to deploy disk encryption inside of the guest OS of virtual machines using customer-managed keys that are stored in (and optionally generated by) Azure Key Vault. This means that you create/control the keys and you can use disk encryption with any guest OS (supported by Azure virtual machines) with managed disks. Today, this preview is limited to West US and a single API version, but these will increase over time.

Other Announcements from Microsoft

Here are other Azure IaaS headlines from the past month:

And Now for Something Different

It’s Ignite week! 25,000 or more attendees plus maybe 10,000 staff will cram into the huge Orange County Conference Center (OCCC) in the heart of the theme park territory of Orlando, Florida. The OCCC has been preparing all of last week for this event (I drove past it to the Disney parks) and people started to arrive on Thursday.
My first tip for Ignite attendees is regarding Monday morning. The Satya Nadella keynote is not all that useful. In fact, I find them to be a rambling mess of nonsense phrases. It seems that Ignite is when Nadella’s speech writers debut classics such as “tech intensity”. The room will hold just 3,000 of the attendees, and a large section is reserved for certain audiences. So, if you plan to attend, be extremely early. Otherwise, do what I do. I will go to the room of my next session (the Azure keynote) and wait there. Microsoft will stream the keynote to that room. You can choose to watch, or do what I will do, which is to spend my time on the Azure blog reading the just-published articles.
My second tip is to explore the expo hall. I was disappointed by the quality of sessions on Monday – it’s a level 100 day. To be honest, if I don’t get some interesting meetings, I will join my family in Disney or Universal Studios after the morning. The expo hall is huge and there will be lots of Azure product group staff there to chat with – share ideas, work out things on whiteboards, and even ask for a meeting.
My third tip is to expand your horizons. I try to do 1 or 2 sessions outside my normal areas to learn a bit more. I’ve attended IoT, big data, and M365 sessions in the past, and I will do that again this year.
My final tip is for those that are new to Azure. Microsoft is running a number of content tracks where you can attend several sessions over the week that are linked as a track to give you an end-to-end education on some aspect of Microsoft Azure. These, along with hands-on labs, might be a great way to start learning.
If you are at Ignite, then have a great week. If you aren’t able to attend, remember that you can watch most of the breakout sessions, usually within 24-48 hours.