What’s New with Azure – July 2021 Edition

July – a month that many take a vacation in, and it’s the start of the commercial year for Microsoft. That year kicks off with Microsoft Inspire, a conference for the partner community to learn about what Microsoft is launching and how Microsoft wants their partners to sell to customers. Most of the content is the commercial stuff that bores many of us. But this year had one interesting announcement that media insiders have been expecting for around a year.

Cloud PC Announced as Windows 365

Yes! At last! Your Windows license becomes a subscription – not! Rumors have been flying around for quite some time that Microsoft was building a new “managed desktop” on top of Azure Virtual Desktop. In June, Microsoft rebranded Windows Virtual Desktop as Azure Virtual Desktop – that was the first step in the launch.

At Inspire, Microsoft revealed a tiny bit of information about Windows 365, a service that was internally called Cloud PC – Azure Resource Manager (the API and infrastructure-as-code language) still uses “Cloud PC” in the Azure Virtual Desktop resources to designate Cloud PC resource deployments. We’ll put some conspiracy-oriented minds at ease: Windows is not a subscription-only service – it’s been a subscription option for enterprises for many years (at least since the early 2000s) but the buy-the-rights-upfront option is still there and continues. Windows 365 (they could have picked a better name … like Cloud PC) is a service where you can subscribe to a Windows virtual machine running the desktop OS that is hosted in Azure and built on Azure Virtual Desktop. Microsoft will provide “management services” for the desktop but I doubt that will be very much to be honest because there is still going to be an enterprise and partner play. To be clear, this is a commercial offering, not a personal offering.

A lot has been written about Windows 365, but little is actually known. The reveal and availability will be on August 2nd, and that’s when we’ll learn:

·         What services will Microsoft add?

·         How does the pricing look? Expect Generation 2 VM prices plus a margin so it won’t be cheap and many media types will be disappointed.

·         What is Windows 365, really, from a technical perspective?

That last question is a big one for me. What does Windows 365 really do? Will it be some service that runs in an isolated Microsoft tenant and has no direct connectivity to existing on-premises or cloud services? Most of the customers I have dealt with use RDS/Citrix to access legacy workloads that have been migrated to Azure; they need low-latency network connections – not some VPN or HTTPS thing – being close to the service was the reason that RDS/Citrix was brought online in the first place. If Windows 365 is just “here’s Office and other web clients in the cloud” then I can’t see it being of any use to many of the enterprise customers that it will be pitched at – remember that press releases often “fuzz the facts”.

Azure Firewall Premium is Generally Available

I’ve been looking forward to this release – I’ve even spent a nice chunk of July getting to know some of the new features of Azure Firewall. The new Premium SKU adds some new features:

·         TLS Inspection: Outbound or east-west HTTPS traffic can be decrypted and re-encrypted by the firewall, which allows deeper inspection for URL filtering and improves Threat Intelligence filtering and the new IDPS feature. You will need to provide the firewall with a subordinate CA certificate that internal machines trust to make this feature work.

·         IDPS: The firewall is adding an intrusion detection and prevention system that will run in the heart of your network – the hub should see all north-south traffic to/from workloads and east-west traffic between workloads. This inspection uses a pattern-matching program to identify threats communicating on the network and can create alerts and automatically deny the traffic, even if it is allowed by a rule. There is a whitelist/override system for false positives that I have already used for legitimate DNS traffic.

·         Web Categories: You might want to block outbound access to certain types of sites, for example, adult or gambling content. If you route Internet traffic from on-premises through your firewall (Azure Virtual WAN) or you run Azure Virtual Desktop/Citrix in the cloud, then you can use this feature to prevent access to unsuitable material. The feature works, but it is very basic compared to established ADDS-integrated proxy products, lacking user identity (only IP address), supplied reporting, and category edit/override.

·         URL Filtering: Up to now we have only been able to allow or deny access to a site, but not to control access to pages on a site. For example, I can allow access to bing.com, but that also means that people get access to bing.com/travelguide. URL Filtering gives you deeper control over site content access.
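The dependency between URL Filtering and TLS Inspection described above, as an added example that is not from Microsoft or from the original post: a simplified Python model of what a filtering firewall can match on. The names `Rule`, `visible_fields`, `rule_matches`, `evaluate` and `POLICY` are hypothetical, and first-match ordering with a default deny is an assumption of the model.

```python
# Simplified model, not Azure Firewall's implementation; all names are hypothetical.
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "Allow" or "Deny"
    target: str   # FQDN ("bing.com") or URL prefix ("bing.com/travelguide")

def visible_fields(url, tls_inspection):
    """Return (host, path) as a filtering device on the wire can see them."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme == "https" and not tls_inspection:
        return host, None   # hostname is visible (SNI); the path is encrypted
    return host, parts.path or "/"

def rule_matches(rule, host, path):
    rule_host, slash, rule_path = rule.target.partition("/")
    if host != rule_host.lower():
        return False
    if not slash:
        return True          # FQDN rule: every page on the site matches
    if path is None:
        return False         # URL rule cannot be evaluated without the path
    prefix = "/" + rule_path.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")

def evaluate(rules, url, tls_inspection):
    """First matching rule wins (assumed ordering); no match means deny."""
    host, path = visible_fields(url, tls_inspection)
    for rule in rules:
        if rule_matches(rule, host, path):
            return rule.action
    return "Deny"

# Constructed sample policy: block one section of a site, allow the rest.
POLICY = [
    Rule("block-travelguide", "Deny", "bing.com/travelguide"),
    Rule("allow-bing", "Allow", "bing.com"),
]

if __name__ == "__main__":
    for u, tls in [("https://bing.com/travelguide", True), ("https://bing.com/travelguide", False)]:
        print(u, "tls_inspection =", tls, "->", evaluate(POLICY, u, tls))
```

With inspection on, the travel guide URL is denied; with inspection off, the same HTTPS request only exposes the hostname, so the URL rule never matches and the broader FQDN rule allows it.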

Other Announcements from Microsoft

Azure Storage

·         Immutable storage with versioning for Blob Storage is now in public preview

Networking

·         Next-generation firewall capabilities with Azure Firewall Premium

·         VPN NAT now in public preview

·         Public preview of OWASP ModSecurity Core Rule Set 3.2 for Azure Web Application Firewall

·         General availability: Built-in Azure Policy support for Network Watcher Traffic Analytics

·         General availability: Azure ExpressRoute: 3 New Peering Locations Available

·         General availability: Web Application Firewall (WAF) bot protection on Application Gateway

·         General availability: Web Application Firewall (WAF) geomatch custom rules on Application Gateway

Azure Virtual Machines

·         Virtual Machine (VM) bursting is now generally available on more VM types

·         HPC Cache on E-Series VMs Support of Blob NFS 3.0 now generally available

·         General availability: HPC Cache for NVME-based Storage, Storage Target Management, and HIPAA Compliance

·         Azure Bastion Standard SKU public preview

·         Manage RDP and SSH connectivity at scale with Azure Bastion

·         Disk pool for Azure VMware Solution now in public preview

·         VMware Site Recovery Manager is now generally available for Azure VMware Solution

·         Shared disks on Azure Disk Storage are now generally available on all Premium SSD and Standard SSD sizes

Azure Virtual Desktop

·         New ways to deliver a secure hybrid workplace with Azure Virtual Desktop and Windows 365

·         Start VM on connect capability in Azure Virtual Desktop enters general availability

App Services

·         App Service Environment v3 now generally available

·         General Availability of new Azure App Service built-in policies

·         Public preview: Azure App Service Migration Assistant PowerShell-based experience

·         Bring Your Own Storage in Azure Web App

·         Overview of the Various Methods for Deploying Your Infrastructure to App Service

Azure Backup & Site Recovery

·         Azure Site Recovery update rollup 56 is now generally available – July 2021

Management

·         Azure Cost Management and Billing updates – June 2021

·         Log Analytics – Open In Excel

·         July 2021 – Azure PowerShell updates

·         General availability: New Azure Monitor built-in policy for Log Analytics workspace and linked automation account

·         Public preview: New Application Insights standard test for synthetic monitoring

·         Protect your organization’s growth by using Azure Metrics Advisor

·         General availability: Better integration between Azure Monitor and Grafana

·         Azure Cost Management and Billing updates – July 2021

·         Azure Monitor Private Links introduces new modes and enforces Network Isolation strictly

Azure Security Center

·         General availability: Azure Security Center updates for June 2021

Miscellaneous

·         General availability: Azure Automation Customer Managed Keys

And Now for Something Different

Unless you’ve been hiding under a rock for the last few decades, you’ve probably heard of climate change. We can disagree on causes, but climate change is happening – evidence can be seen all over the world. I remember doing a road trip along the western shores of Lake Mead National Recreation Area, near Las Vegas, in 2004. I stopped at a boat dock on the northern end of the lake for lunch while watching the boats bob up and down. I returned in 2007 and that part of the lake was dry. Today, the city of Las Vegas is banning “useless grass” to save water because the supply from the Colorado River is drying up.

Climate change has an impact on The Cloud too. Cloud data centers are huge. Take a look at “East US” near Boydton, Virginia, in satellite view. Imagine all those servers and disks, consuming electricity, and then requiring 1-3 times as much electricity again to cool the same hardware! Those same data centers require a lot of water too. With the US southwest being a popular place for data center construction, is it any wonder why we’re starting to see stories such as:

·         Drought-stricken communities push back against data centers: NBC reporting on the US southwest.

·         Amazon’s second Drogheda data center on hold following An Taisce objection: The Irish Times discussing the huge consumption of resources by data centers with little return for the country.

The water consumption of data centers is huge. The demands for electricity and infrastructure are insatiable. And one can certainly argue that there is little return for the locality – the promised jobs mostly last for the very short construction project. The truth is that the global clouds are designed to require very little human presence on the ground – they are even designed to make it an unpleasant place to be.

I suspect that Microsoft has anticipated this resistance for years. If you have been paying attention then you have heard about things such as:

·         Microsoft’s commitment to recycling

·         The acquisition of power from renewable providers

·         Two-phase immersion cooling for server motherboards

·         Project Natick, the experiment to develop an under-sea data center module

The required changes won’t happen quickly. I will not be surprised if the likes of Amazon, Google, and Microsoft face increased resistance to data center construction and one day we will have cloud resource shortages.