Another end of month, I`m here to provide a single post for Azure updates on previous month. This blog, we will be covering up July month updates from Azure. Each update on this blog is not an exhaustive list of all the monthly updates. I would like to call out most specific updates from Infrastructure technologies (compute, storage, networking, identity, containers & security, etc..) and have categorised the updates based on high level sections.
Azure Compute:
Virtual machine scale sets—Automatic image upgrades for custom images
Automatically deploy new versions of custom images to scale set virtual machines using the new capabilities of virtual machine scale sets. Automatic OS image upgrade monitors the image gallery and automatically begins scale set upgrades when a new image version is deployed, facilitating faster image deployment without additional overhead. Enabling automatic OS image upgrades will safely upgrade the OS disk for all virtual machines in the scale set, helping to ease update management.
An upgrade works by replacing the OS disk of a VM with a new disk created using the latest image version. Any configured extensions and custom data scripts are run on the OS disk, while persisted data disks are retained. To minimize the application downtime, upgrades take place in batches, with no more than 20% of the scale set upgrading at any time.
AKS-managed Azure Active Directory
Azure Kubernetes Service (AKS)-managed Azure Active Directory (Azure AD) support is now generally available. This simplifies AKS integration with Azure AD. Customers are no longer required to create client apps or service apps or require tenant owners to grant elevated permissions. AKS creates appropriate roles/role bindings with group memberships though delegated permissions to facilitate administration. The service limitations are:
- AKS-managed Azure AD integration can’t be disabled.
- non-RBAC enabled clusters aren’t supported for AKS-managed AAD integration
- Changing the Azure AD tenant associated with AKS-managed AAD integration isn’t supported
Azure Networking & Security:
Azure Security Centre—News and updates
There few lists of updates announced for Azure security centre from last month and below is the high-level list:
- From this update, we can deploy vulnerability assessment tools to ‘custom’ Windows and Linux machines.
- Threat protection for Azure File and Azure data lake storage gen 2 is in preview.
- Azure Security centre threat protection has been added for virtual machines, App Service plans, Azure SQL Database servers, SQL servers on machines, Azure Storage accounts, Azure Kubernetes Service clusters, Azure Container Registry registries, and Azure Key Vault vaults.
- New recommendation for using NSGs to protect non-internet-facing virtual machines
- New policies for enabling threat protection and advanced data security.
Azure Firewall Manager
This has become generally available across all azure public regions. Azure Firewall Manager is a security management service that provides central security policy and route management for cloud-based security perimeters. It is used to deploy and configure multiple Azure Firewall instances that span different Azure regions and subscriptions. The benefits are:
- Centralized management of Azure Firewall deployment and configuration.
- Hierarchical architecture for applying IT security policy to regional and local firewall deployments.
- Integrated with third-party security-as-a-service for advanced security.
- Filter traffic using two security providers—Azure Firewall for private traffic and security partner provider for internet traffic.
- Automated routing to secure traffic flow in secured virtual hubs in Azure Virtual WAN.
Azure Virtual WAN: Multiple capabilities available
Azure virtual WAN is one of cool Network services from Azure, which brings network, security and routing functionalities together to provide a single operational interface across networking and security. This service is now generally available and provides below functionality:
- Hub to Hub connectivity providing fully meshed virtual hubs.
- Custom Routing adding advanced routing enhancements: custom route tables and optimization of virtual network routing.
- Virtual Network Transit with 50 Gbps transit speeds between Virtual Networks (Vnets) connected with Virtual WAN.
- VPN and ExpressRoute Transit for seamless interconnectivity between VPN/SD-WAN and ExpressRoute connected sites and users.
Azure Load Balancer support for IP-based backend pool management
With this update, we can pre-allocating your backend pool with an IP address range which you plan to later create virtual machines and virtual machine scale sets, configure your backend pool by IP address and VNET ID combination. Azure Load Balancer now supports load balancing across IP addresses in the backend pool. Previously, it could only add network interfaces associated virtual machines in the backend of a Load Balancer. With this release, we can load balance to resources in Azure via your private Ipv4 or Ipv6 addresses using Standard Load Balancer. This feature is not available in portal and available by Cli and Azure PowerShell, Azure CLI, or Azure Rest APIs.
Azure Load Balancer Insights using Azure Monitor
Azure monitor for network has a packaged solution for health monitoring and configuration analysis of Azure load balancer. Built as part of Azure Monitor for Networks, customers now have topological maps for all their Load Balancer configurations and health dashboards for their Standard Load Balancers preconfigured with relevant metrics free of charge. we can access this through the Insights blade of each Load Balancer resource and Azure Monitor for Networks, a central hub which provides access to health and connectivity monitoring for all your network resources.
Azure Storage:
Azure Shared Disks for Azure IaaS is now available
Shared disks are a feature of Azure Disk Storage that allows a single disk to be attached to multiple virtual machines. This enables you to run your most demanding enterprise applications—like clustered databases, parallel file systems, persistent containers, and machine learning applications—in the cloud, without compromising well-known deployment patterns for fast failover and high availability.
This is another greatest feature in Azure, which leads to migrate or create SQL or windows Server clusters in Azure Virtual Machines (IaaS). Azure shared disks are a new feature for Azure managed disks that allows to attach a managed disk to multiple virtual machines (VMs) simultaneously. Attaching a managed disk to multiple VMs allows you to either deploy new or migrate existing clustered applications to Azure.
Allow or disallow blob public access on Azure Storage accounts
Azure Storage now supports anonymous public read access for containers and blobs. By default, all requests to a container and its blobs must be authorized by using either Azure Active Directory (Azure AD) or shared key authorization. When you configure a container’s public access level setting to permit anonymous access, clients can read data in that container without authorizing the request. Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but may also present a security risk.
Performance tiers for Azure Disk Storage
Azure Disk Storage now enables you to set performance tiers (in limited preview) of your Premium SSD for a specific duration of time without increasing the capacity of the disk. Performance tiers provide the flexibility to achieve higher performance while controlling costs. This helps to sustain high-performance demands such as running a training environment during daytime, performance-testing, or an event like Black Friday.
For example, if you provision a P10 disk (128GB), your baseline performance tier is set as P10 (500 IOPS and 100MB/s). You can upgrade the tier to match the performance of P50 (7500 IOPS and 250MBs) and return to P10 when higher performance is no longer needed.
Private endpoints for Azure File Sync
Starting with Azure File Sync agent 10.1, Azure File Sync supports private endpoints in all Azure cloud regions where Azure File Sync is available. Private endpoints, which exist within a virtual network and have a private IP address from within the address space of that virtual network. This allows you to:
- Securely connect to your Azure resources from on-premises networks using a VPN or ExpressRoute connection with private-peering.
- Secure your Azure resources by disabling the public endpoints for Azure Files and File Sync.
- Increase security for your Azure virtual networks by blocking exfiltration of data from your network boundaries.
Azure Blob storage—Network File System 3.0
Network File System (NFS) 3.0 protocol support for Azure Blob storage is now in preview. Blob storage now supports the Network File System (NFS) 3.0 protocol. This support enables Linux clients to mount a container in Blob storage from an Azure Virtual Machine (VM) or a computer on-premises. NFS 3.0 is available to block blob storage accounts with premium performance in the following regions: US East, US Central, and Canada Central.
Azure Private Link support for Azure Disk storage
Azure Disk Storage integration with Azure Private Links is now available in preview. With the integration, you can now restrict access to your data by only allowing import and export from your private Azure virtual networking for enhanced security.
Other Azure Services:
Azure Private Link support for Azure Automation.
This feature enables to use Azure Private Link to securely connect virtual networks to Azure Automation using private endpoints (in preview). Private link helps as:
- Establish a private connection to Automation without opening public network access.
- Ensure your Automation data is only accessed through authorized private networks.
- Protect data exfiltration with granular access to specific resources.
- Protect resources from public network access.
Azure Site Recovery supports replication with private links
Azure Site Recovery now supports Private Links, which can be used to replicate Azure machines, VMware machines, physical machines, and Hyper-V machines. Using Private Link ensures secured connectivity to Site Recovery service URLs. One private endpoint will be required in your private network for access to recovery services vault and a second endpoint for data replication to cache storage account.
Thanks for your time and hope you had some quick preview of list updates from July month.
Santhosh has over 15 years of experience in the IT organization. Working as a Cloud Infrastructure Architect and has a wide range of expertise in Microsoft technologies, with a specialization in public & private cloud services for enterprise customers. My varied background includes work in cloud computing, virtualization, storage, networks, automation and DevOps.