What’s New with Azure – September 2021

Microsoft recently announced that their Ignite (online only) conference will be running again on November 2-4. That means we are approaching peak season for announcements, new public preview releases, and general availability. “Q3” in announcements and roadmaps will often mean between early September and maybe the third week of October – a code freeze will probably kick in to avoid instabilities during live demonstrations – if the past is a good guide.

OMIGOD!

I guess the worst kind of “supply chain” attack is one that comes via functionality rendered by your cloud services provider. Wiz disclosed a “quartet of zero-days” (vulnerabilities) on September 14th. Since then, there’s been update after update and news story after news story about possible attacks on Linux-based workloads via the Open Management Infrastructure (OMI) agent, which ends up on a VM when it uses management features including (but not limited to):

  • Azure Automation
  • Azure Automatic Update
  • Azure Operations Management Suite (OMS)
  • Azure Log Analytics
  • Azure Configuration Management
  • Azure Diagnostics
  • Azure Container Insights

Those of you running a secure Azure network (limited public IP addresses and micro-segmentation) are probably OK as far as the remote attack goes – OMI listens on ports such as 5985, 5986 and 1270, and that traffic shouldn’t be allowed in from exposed networks! Blocking the ports is not a fix, though: the quartet also includes local privilege escalation bugs, so an unpatched agent still needs updating.
Apparently, Microsoft ran an auto-update to upgrade the affected agent, and that process was due to finish on September 22nd. Since then, Microsoft has shared guidance on how to detect and update affected agents. I would recommend running the detection script – those of you with a SIEM solution might be able to use “threat hunting” to automate this.
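To make the “run the detection script” advice concrete, here is an added example that is not part of the original post and is not Microsoft’s or Wiz’s script: the two checks a practitioner wants per Linux VM, namely whether the installed OMI build is at or above the fixed version and whether any OMI port is bound to a non-loopback address. It assumes the fixed build is 1.6.8-1, that the agent binary is /opt/omi/bin/omiserver and that `omiserver -v` prints the version; the `ss` output embedded in the script is constructed, not captured.

```bash
#!/usr/bin/env bash
# Added example, not Microsoft's or Wiz's detection script: check one Linux VM
# for an unpatched OMI agent and for OMI ports reachable from the network.
# Assumptions not stated in the post: the fixed agent is OMI 1.6.8-1 or later,
# the agent binary is /opt/omi/bin/omiserver and `omiserver -v` prints its
# version (e.g. 1.6.8-1). The ports are the ones the post names.
set -u

OMI_FIXED_VERSION="1.6.8-1"
OMI_PORTS="5985 5986 1270"

# Turn "1.6.8-1" (or "1.6.8.1") into a fixed-width numeric key, 0001000600080001,
# so two versions can be compared with -ge. A missing build number counts as 0,
# so a bare "1.6.8" is conservatively treated as older than 1.6.8-1.
omi_version_key() {
    local v="${1//-/.}" key="" part
    local IFS=.
    for part in $v; do
        key+=$(printf '%04d' "$((10#${part:-0}))")
    done
    while [ "${#key}" -lt 16 ]; do key+="0000"; done
    printf '%s' "$key"
}

# True (exit 0) when the installed version is at or above the fixed build.
omi_version_is_fixed() {
    [ "$(omi_version_key "$1")" -ge "$(omi_version_key "$OMI_FIXED_VERSION")" ]
}

# Given `ss -Hltn` output (one listening TCP socket per line, local address in
# the 4th column), print each OMI port bound to a non-loopback address.
omi_exposed_ports() {
    local state recvq sendq local_addr rest port host
    while read -r state recvq sendq local_addr rest; do
        [ -n "$local_addr" ] || continue
        port="${local_addr##*:}"
        host="${local_addr%:*}"
        case " $OMI_PORTS " in
            *" $port "*) ;;              # one of the OMI ports
            *) continue ;;
        esac
        case "$host" in
            127.*|"[::1]") continue ;;   # loopback only: not reachable remotely
        esac
        printf '%s\n' "$port"
    done <<< "$1"
}

# Constructed sample of `ss -Hltn` output (not captured from a real VM):
# 5985 is loopback-only, 5986 and 1270 are bound to all interfaces.
SAMPLE_SS_OUTPUT='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5985 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5986 0.0.0.0:*
LISTEN 0 128 [::]:1270 [::]:*'

# Inspect the real host: run as `bash omi-check.sh --live` on the VM.
omi_check_host() {
    local ver exposed
    if [ ! -x /opt/omi/bin/omiserver ]; then
        echo "OMI is not installed on this host"
        return 0
    fi
    ver=$(/opt/omi/bin/omiserver -v 2>/dev/null | grep -oE '[0-9]+\.[0-9]+\.[0-9]+(-[0-9]+)?' | head -n 1)
    if [ -n "$ver" ] && omi_version_is_fixed "$ver"; then
        echo "OMI $ver: at or above $OMI_FIXED_VERSION"
    else
        echo "OMI ${ver:-unknown version}: UPDATE REQUIRED (need $OMI_FIXED_VERSION or later)"
    fi
    exposed=$(omi_exposed_ports "$(ss -Hltn 2>/dev/null)" | tr '\n' ' ')
    if [ -n "$exposed" ]; then
        echo "OMI ports bound to non-loopback addresses: $exposed(block them at the NSG if not needed)"
    else
        echo "no OMI port is listening on a non-loopback address"
    fi
}

if [ "${1:-}" = "--live" ]; then
    omi_check_host
fi
```

The two check functions take their input as arguments rather than reading the host directly, so the same logic can be pointed at version strings and socket listings that a SIEM or inventory agent has already collected centrally.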

Private Link Developments

Based on the queries I’ve seen/received over the last few weeks, Private Link (typically used to connect PaaS resources to a subnet) is getting more adoption. And with that adoption, people are finding that there are issues.
Two feature gaps have been hurting customers who implement good network security practices:

  • Micro-segmentation limits the reach of a workload/attacker and the blast radius of a successful penetration.
  • The first step is a DMZ in the form of a hub that contains a firewall. Outside Azure Virtual WAN, the firewall relies on user-defined routes (UDRs) to force flows from a spoke subnet through the firewall before they can reach other spokes.
  • The second step is to use Network Security Groups (NSGs) to protect workload resources at the subnet.

There have been two issues with this pattern and Private Link:

  1. User-defined routes are not honoured for traffic to a private endpoint: the endpoint injects a /32 system route into the virtual network, and that more specific route wins over the broader UDR that points at the firewall. Those of you being clever with BGP route propagation in Azure Virtual Network won’t care about this one.
  2. NSG inbound rules are not applied to traffic arriving at a private endpoint (the network interface that instantiates Private Link in your subnet).
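As an added example that is not part of the original post and is not Microsoft’s code, the following Azure CLI script expresses the three controls above (firewall UDR, subnet NSG, and attaching both to a spoke subnet that hosts private endpoints) together with the subnet setting the public preview uses to make UDRs and NSGs apply to private endpoints. Resource names, address prefixes and the firewall IP are invented; the `AllowPrivateEndpointNSG` feature name and the `--disable-private-endpoint-network-policies false` flag are assumptions taken from my reading of the preview documentation and should be verified against the current docs before use.

```bash
#!/usr/bin/env bash
# Added example (not from the post or from Microsoft): hub-and-spoke controls
# applied to a spoke subnet that hosts private endpoints, as Azure CLI.
# Assumptions: resource names, prefixes and the firewall IP are invented;
# the AllowPrivateEndpointNSG feature name and the
# --disable-private-endpoint-network-policies flag come from my reading of
# the preview documentation and should be verified against current docs.
set -eu

AZ="${AZ:-echo}"   # dry run by default: prints the commands. Run with AZ=az to apply.

RG="rg-spoke1"
LOC="northeurope"
VNET="vnet-spoke1"
PE_SNET="snet-private-endpoints"
APP_PREFIX="10.1.1.0/24"      # workload subnet in the same spoke (invented)
FW_IP="10.0.1.4"              # hub firewall private IP (invented)
RT="rt-spoke1"
NSG="nsg-private-endpoints"

# Preview opt-in: NSG and UDR support for private endpoints is a limited
# region preview, so the subscription registers the feature first.
register_preview_feature() {
    $AZ feature register --namespace Microsoft.Network --name AllowPrivateEndpointNSG
}

# Step 1: the DMZ. A 0.0.0.0/0 UDR sends everything leaving the spoke subnet to
# the hub firewall. BGP propagation is disabled so a route learned from
# on-premises cannot bypass the firewall. Without the preview, a private
# endpoint's /32 system route won over this route for traffic to the endpoint.
create_firewall_route_table() {
    $AZ network route-table create -g "$RG" -n "$RT" -l "$LOC" --disable-bgp-route-propagation true
    $AZ network route-table route create -g "$RG" --route-table-name "$RT" -n to-hub-firewall \
        --address-prefix 0.0.0.0/0 --next-hop-type VirtualAppliance --next-hop-ip-address "$FW_IP"
}

# Step 2: micro-segmentation with an NSG. Only the workload subnet may reach the
# private endpoints, and only on 443; everything else from the VNet is denied
# (overriding the default AllowVnetInBound rule at priority 65000). Without the
# preview these inbound rules were ignored for private endpoint traffic.
create_private_endpoint_nsg() {
    $AZ network nsg create -g "$RG" -n "$NSG" -l "$LOC"
    $AZ network nsg rule create -g "$RG" --nsg-name "$NSG" -n allow-app-subnet-https \
        --priority 100 --direction Inbound --access Allow --protocol Tcp \
        --source-address-prefixes "$APP_PREFIX" --source-port-ranges '*' \
        --destination-address-prefixes '*' --destination-port-ranges 443
    $AZ network nsg rule create -g "$RG" --nsg-name "$NSG" -n deny-other-vnet-inbound \
        --priority 4000 --direction Inbound --access Deny --protocol '*' \
        --source-address-prefixes VirtualNetwork --source-port-ranges '*' \
        --destination-address-prefixes '*' --destination-port-ranges '*'
}

# Step 3: attach both to the subnet and turn private endpoint network policies
# back on. Before the preview those policies had to be disabled to deploy a
# private endpoint, which is why UDRs and NSGs were not applied to it.
attach_to_subnet() {
    $AZ network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$PE_SNET" \
        --route-table "$RT" --network-security-group "$NSG" \
        --disable-private-endpoint-network-policies false
}

register_preview_feature
create_firewall_route_table
create_private_endpoint_nsg
attach_to_subnet
```

Running the script with no environment set only prints the commands; review that output, then rerun with `AZ=az` against the subscription where the preview feature is registered.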

Both of those feature gaps have been addressed with limited region public previews:

Be Careful What You Ask For

Everyone wants to go full platform with Active Directory. I’m one of the holdouts that still prefers a good ol’ fashioned VM-based domain controller. But people want to push as much as possible to Azure AD Domain Services, and even to Azure AD-only.
To meet that demand, Azure Virtual Desktop now supports virtual machines that are joined only to Azure AD. By the way, one can hold a loaded weapon to one’s own head with the safety off, but that is not typically recommended.
Microsoft has shared some known limitations of this new support:

  • Azure Virtual Desktop (classic) doesn’t support Azure AD-joined VMs.
  • Azure AD-joined VMs don’t currently support external users.
  • Azure AD-joined VMs only support local user profiles at this time – no FSLogix or roaming profiles.
  • Azure AD-joined VMs can’t access Azure Files file shares for FSLogix or MSIX app attach, because both of those features need Kerberos authentication to the file share.
  • The Windows Store client doesn’t currently support Azure AD-joined VMs.
  • Azure Virtual Desktop doesn’t currently support single sign-on for Azure AD-joined VMs.

Let’s not forget Group Policy, a very necessary feature for managing the configuration of these machines, the login experience, and the configuration of the profile, user folders and user settings. And then there’s the sticky topic of legacy third-party software (often the very thing whose migration to Azure is causing you to deploy Azure Virtual Desktop) that will expect to see a traditional domain, but those vendors are usually pretty flexible with support – NOT!
My guess is that this new feature is used under the covers by Windows 365 – which is powered by Azure Virtual Desktop – and Microsoft has just surfaced Azure AD support for Azure Virtual Desktop customers.

Other Announcements from Microsoft

Azure Storage

Networking

Azure Virtual Machines

Azure Virtual Desktop

App Services

Azure Backup & Site Recovery

Management

Governance

Azure Automation

Miscellaneous

And Now for Something Different

Just in case you missed the very subdued announcement, Windows Server 2022 is now generally available. Once upon a time, I used to gather all the new Hyper-V and related features that I discovered and keep the list on my own blog. Today, I struggle to find much news across the entire operating system.
That’s because Windows Server is now just a part of Azure Stack HCI – a hyper-converged Hyper-V/Azure Kubernetes Service cluster designed to run on-premises, with optional integration into Azure via Azure Arc. Unlike most of you reading this post, I cannot remember the last time I installed Windows Server – all my Windows machines have come from the Azure Marketplace over the last several years.
A lot of what I have read about as a new Windows Server feature usually ends up being an Azure service, so I don’t really think of it as a Windows Server feature – it’s Marketing playing “look over here at this shiny thing”. But there are new features spanning areas such as:

  • OS security, including TPM 2.0 usage, for better protection of the OS, secrets, and Hyper-V guest operating systems.
  • Network security, including SMB improvements, TLS 1.3 enabled by default, and Secure DNS (DNS-over-HTTPS).
  • Hybrid capabilities – look over here at this shiny thing!
  • Application hosting, including Windows Containers and group Managed Service Accounts (gMSA).
  • Hyper-V, including nested virtualization on AMD processors, and Receive Segment Coalescing in the virtual switch.
  • Networking performance, with faster UDP and TCP.
  • Storage, with many improvements for HCI, including adjustable storage repair speed, SMB compression, and storage migration.