What's New with Azure – September 2021
Microsoft recently announced that its Ignite conference (online only) will run again on November 2-4. That means we are approaching peak season for announcements, new public previews, and general availability releases. If the past is a good guide, “Q3” in announcements and roadmaps often means anywhere from early September to the third week of October, after which a code freeze probably kicks in to avoid instability during live demonstrations.
I guess the worst kind of “supply chain” attack is one that arrives through functionality your cloud services provider installs for you. Wiz disclosed a “quartet of zero-days” (vulnerabilities) on September 14th. Since then, there has been update after update and news story after news story about possible attacks on Linux-based workloads via the Open Management Infrastructure (OMI) agent, which is installed silently when a VM uses management features including (but not limited to):
- Azure Automation
- Azure Automatic Update
- Azure Operations Management Suite (OMS)
- Azure Log Analytics
- Azure Configuration Management
- Azure Diagnostics
- Azure Container Insights
Those of you running a secure Azure network (limited public IP addresses and micro-segmentation) are probably OK as far as remote attack goes: OMI listens on ports such as 5985, 5986 and 1270, and that traffic shouldn’t be allowed from exposed networks! Don’t stop there, though. Only one of the four vulnerabilities is reachable over the network; the other three are local privilege escalations, so an unprivileged process on the VM can still abuse an unpatched agent. Network hygiene limits the exposure; it doesn’t replace the update.
Microsoft ran an automatic update of the affected agent, via the Azure extensions that bundle it, and that process was due to finish on September 22nd. Since then, Microsoft has shared guidance on how to detect and update affected agents. Note that the auto-update only covers agents deployed by those extensions; an OMI package that was installed by hand, or a VM whose extension did not upgrade, needs updating manually. I would recommend running the detection script, and those of you with a SIEM solution might be able to use “threat hunting” to automate this check across your estate.
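To show what that check boils down to on a single Linux VM, here is an added example of my own; it is not Microsoft’s detection script and not code from the post. It assumes three things, all labelled in the comments: the fixed release is OMI 1.6.8-1 (per Microsoft’s guidance at the time; verify against current advice), the agent lives at its default path /opt/omi/bin/omiserver, and the --version banner carries the version as OMI-<version>. It reports whether the installed agent predates the fix and whether any of the OMI ports listed above have a local listener, which is the cue to go and check your NSGs.

```shell
#!/bin/sh
# Added example: triage a Linux host for the OMI agent issue described above.
# Assumptions (not from the post): fixed release is OMI 1.6.8-1 per Microsoft's
# guidance at the time; omiserver is at /opt/omi/bin/omiserver; its --version
# banner contains "OMI-<version>". Verify all three before relying on this.

FIXED_OMI="1.6.8-1"
OMI_PORTS="5985 5986 1270"   # ports the post lists for OMI's remote (WS-Man) listener

# version_lt A B: succeed (exit 0) when version A is older than version B.
# "1.6.8-1" is compared as 1.6.8.1, component by component, numerically,
# so Debian-style "1.6.8.1" and RPM-style "1.6.8-1" compare as equal.
version_lt() {
  a=$(printf '%s' "$1" | tr '-' '.')
  b=$(printf '%s' "$2" | tr '-' '.')
  i=1
  while [ "$i" -le 4 ]; do
    x=$(printf '%s\n' "$a" | cut -d. -f"$i")
    y=$(printf '%s\n' "$b" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
    i=$((i + 1))
  done
  return 1
}

# omi_version_from_banner LINE: extract "1.6.4-1" from an omiserver --version
# banner such as "/opt/omi/bin/omiserver: OMI-1.6.4-1 - Fri Jun 11 ..." (assumed format).
omi_version_from_banner() {
  printf '%s\n' "$1" | sed -n 's/.*OMI-\([0-9][0-9.]*-[0-9][0-9]*\).*/\1/p'
}

# installed_omi_version: print the version of a locally installed OMI agent,
# or nothing if the agent is not present. Tries the binary, then dpkg, then rpm.
installed_omi_version() {
  if [ -x /opt/omi/bin/omiserver ]; then
    omi_version_from_banner "$(/opt/omi/bin/omiserver --version 2>/dev/null)"
  elif command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f='${Version}\n' omi 2>/dev/null || true
  elif command -v rpm >/dev/null 2>&1 && rpm -q omi >/dev/null 2>&1; then
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' omi
  fi
}

# assess_omi VERSION: classify a version string as
# "not-installed", "needs-update" (older than FIXED_OMI) or "fixed".
assess_omi() {
  v="$1"
  if [ -z "$v" ]; then
    echo not-installed
  elif version_lt "$v" "$FIXED_OMI"; then
    echo needs-update
  else
    echo fixed
  fi
}

# omi_listeners: print each OMI port that currently has a local TCP listener.
# A listener is only a problem if the NSG/firewall lets exposed networks reach it.
omi_listeners() {
  command -v ss >/dev/null 2>&1 || return 0
  for p in $OMI_PORTS; do
    ss -ltn 2>/dev/null | awk -v port="$p" \
      '{ n = split($4, a, ":"); if (a[n] == port) found = 1 } END { exit !found }' \
      && printf '%s\n' "$p"
  done
  return 0
}

# Run the triage against this host.
ver=$(installed_omi_version)
status=$(assess_omi "$ver")
printf 'OMI agent: %s (%s)\n' "${ver:-none}" "$status"
listening=$(omi_listeners)
if [ -n "$listening" ]; then
  printf 'WARNING: OMI ports listening locally: %s; confirm your NSG blocks them from exposed networks\n' \
    "$(printf '%s' "$listening" | tr '\n' ' ')"
fi
```

Push it through Run Command or your SIEM agent and collect the two printed lines per VM; a host reporting needs-update together with a listening port is the one to fix first.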
Private Link Developments
Based on the queries I’ve seen and received over the last few weeks, Private Link (typically used to connect PaaS resources to a subnet) is getting more adoption. And with that adoption, people are finding that there are issues.
Two feature gaps have been hurting customers that implement good network security practices. Those practices are built on micro-segmentation, which limits the reach of a workload or an attacker and the blast radius of a successful penetration:
- The first step is a DMZ in the form of a hub that contains a firewall. Outside of Azure Virtual WAN, the firewall relies on user-defined routes (UDRs) to force flows from a spoke subnet through the firewall, including flows to other spokes.
- The second step is to use Network Security Groups (NSGs) to protect workload resources at the subnet.
Until now, Private Link had two issues with this design:
- User-defined routes were not honoured for traffic to a private endpoint. Each endpoint injects a /32 system route into the virtual network, which is more specific than the UDR pointing at the firewall, so spoke-to-endpoint traffic bypassed the hub unless you added a matching /32 UDR per endpoint. Those of you being clever with BGP route propagation in Azure Virtual Network won’t care about this one.
- Inbound NSG rules were not applied to traffic destined for a private endpoint (the instantiation of Private Link in your subnet), so the subnet NSG could not restrict which sources reached the service.
Both of those feature gaps have been addressed with limited-region public previews. Note that the preview behaviour is opt-in: you enable network policies on the subnet that hosts the private endpoint, the very setting that older guidance told you to disable before creating one.
- Public preview of Private Link Network Security Group Support
- Public preview of Private Link UDR Support
Be Careful What You Ask For
Everyone wants to go full platform with Active Directory. I’m one of the holdouts who still prefers a good ol’ fashioned VM-based domain controller. But people want to push as much as possible to Azure AD Domain Services, and even to Azure AD only.
To answer that ask, Azure Virtual Desktop now supports virtual machines that are joined only to Azure AD. By the way, one can hold a loaded weapon to one’s own head with the safety off, but that is not typically recommended.
Microsoft has shared some known limitations of this new support:
- Azure Virtual Desktop (classic) doesn’t support Azure AD-joined VMs.
- Azure AD-joined VMs don’t currently support external users.
- Azure AD-joined VMs only support local user profiles at this time: no FSLogix or roaming profiles.
- Azure AD-joined VMs can’t access Azure Files file shares for FSLogix or MSIX app attach. You’ll need Kerberos authentication to access either of these features.
- The Windows Store client doesn’t currently support Azure AD-joined VMs.
- Azure Virtual Desktop doesn’t currently support single sign-on for Azure AD-joined VMs.
Let’s not forget Group Policy, a very necessary feature for managing the configuration of these machines, the login experience, and the profile, user folders and user settings. And then there’s the sticky topic of legacy third-party software (the migration of which to Azure is what is causing you to deploy Azure Virtual Desktop) that expects to see a traditional domain. Those vendors are usually pretty flexible with support. NOT!
My guess is that this new feature was already used under the covers by Windows 365, which is powered by Azure Virtual Desktop, and Microsoft has just surfaced Azure AD-only support for Azure Virtual Desktop customers.
Other Announcements from Microsoft
- General availability: Azure Files supports storage capacity reservations for premium, hot, and cool tiers
- SMB Multichannel for Azure Files is generally available
- General availability: Azure Files now supports SMB 3.1.1
- Azure Storage TLS: Critical changes are almost here! (…and why you should care)
- General availability: Enable hierarchical namespace for existing Azure Storage accounts
- General availability: Azure Route Server
- Boost your network security with new updates to Azure Firewall
Azure Virtual Machines
- General availability: Automatic key rotation of customer-managed keys for encrypting Azure disks
- General availability: Change performance tiers for Azure Premium SSDs with no downtime
- Public preview: Automatic scaling with Azure Virtual Machine Scale Sets flexible orchestration mode
- On-demand capacity reservations for Azure Virtual Machines now in public preview
- JetStream Disaster Recovery for Azure VMware Solution now in public preview
- Azure VMware Solution achieves FedRAMP High Authorization
Azure Virtual Desktop
- Screen Capture Protection for Azure Virtual Desktop is now generally available
- Announcing general availability of Azure AD-joined VMs support
Azure App Service
- How to check Elastic Premium Plan Function App allocated instance counts history
- Azure App Service support for Availability Zones reaches general availability
Azure Backup & Site Recovery
- Monitor your backups effectively using Azure Monitor Alerts for Azure Backup
- General availability: Oracle consistent snapshots using Azure VM Backup
- Public preview: At-scale management of Azure Monitor alerts in Backup center
- Azure Site Recovery: Upgrade to TLS 1.2 or later by November 15, 2021 – for improved security
Azure Monitor
- General availability: Cross service queries between Azure Monitor and Azure Data Explorer
- Generally available: Azure Monitor support for Availability Zones
- OpenTelemetry + Azure Monitor
- Azure Monitor Agent and Data Collection Rules now support Windows Server 2022
Azure Cost Management
- Public preview: Management Group Scope for Azure Reservations
- Azure Cost Management and Billing updates – September 2021
Azure Purview
- Govern your data wherever it resides with Azure Purview
- Azure Purview is now generally available
Azure Automation
- Az module support in Azure Automation is now available
- Azure Automation Hybrid Worker Extension for Azure and Arc-enabled servers now in public preview
And Now for Something Different
Just in case you missed the very subdued announcement, Windows Server 2022 is now generally available. Once upon a time, I used to gather all the new Hyper-V and related features that I discovered and keep the list on my own blog. Today, I struggle to find much news across the entire operating system.
That’s because Windows Server is now just a part of Azure Stack HCI, a hyper-converged Hyper-V/Azure Kubernetes Service cluster designed to run on-premises with optional integration into Azure using Azure Arc. Unlike most of you reading this post, I cannot remember the last time I installed Windows Server; all my Windows machines have come from the Azure Marketplace for the last several years.
A lot of what I read about as a new Windows Server feature usually ends up being an Azure service, so I don’t really think of it as a Windows Server feature; it’s Marketing playing “look over here at this shiny thing”. But there are new features spanning areas such as:
- OS security, including TPM 2.0 usage (Secured-core server), for better protection of the OS, its secrets, and Hyper-V guest operating systems.
- Network security, including SMB improvements, TLS 1.3 enabled by default, and Secure DNS (DNS over HTTPS).
- Hybrid capabilities: look over here at this shiny thing!
- Application hosting, including Windows Containers and group Managed Service Accounts (gMSA) for containers.
- Hyper-V, including nested virtualization on AMD processors and Receive Segment Coalescing (RSC) in the virtual switch.
- Networking performance, where UDP and TCP are faster.
- Storage, improved a lot for HCI, including adjustable storage repair speed, SMB compression, and storage migration.