Monthly updates from Azure (October 2020)

At the end of another month, I'm here to provide a single post covering the previous month's Azure updates. In this blog, we will be covering the August updates from Azure. This blog is not an exhaustive list of all the monthly updates: I want to call out the most relevant updates from infrastructure technologies (compute, storage, networking, identity, monitoring & security, etc.) and have categorized them into high-level sections.

Azure Compute

Azure Kubernetes Service (AKS) updates

  • General Availability: Azure Spot in AKS

Generate significant savings on compute costs for workloads that can tolerate interruptions with Azure Spot support for Azure Kubernetes Service (AKS). A spot node pool is a node pool backed by a spot virtual machine scale set. Using spot VMs for nodes in your AKS cluster lets you take advantage of Azure's unutilized capacity at significant cost savings. The amount of available unutilized capacity varies based on many factors, including node size, region, and time of day.

Scenarios such as batch processing and machine learning often do not require guaranteed, on-demand compute availability. In those cases, customers may prefer to run their workloads only when compute is available at a particular cost. With Azure Spot, you can leverage lower-cost compute based on its availability within a given Azure region and pull that compute into an AKS cluster for scheduling containerized workloads. When coupled with the cluster autoscaler, evicted compute capacity can often be replaced within minutes, ensuring limited disruption.

When deploying a spot node pool, Azure will allocate the spot nodes if capacity is available, but there's no SLA for spot nodes. The spot scale set that backs the spot node pool is deployed in a single fault domain and offers no high availability guarantees. Whenever Azure needs the capacity back, the Azure infrastructure will evict spot nodes.

  • General Availability: Azure Kubernetes Service support for proximity placement groups

When deploying your application in Azure, spreading Virtual Machine (VM) instances across regions or availability zones creates network latency, impacting the overall application's performance. A proximity placement group is a logical grouping used to make sure Azure compute resources are physically located close to each other. Some applications like gaming, engineering simulations, and high-frequency trading (HFT) require low latency and complete tasks quickly. For high-performance computing (HPC) scenarios such as these, consider using proximity placement groups (PPG) for your cluster's node pools.

When using proximity placement groups on AKS, colocation only applies to the agent nodes. Node-to-node latency, and therefore the latency between the pods hosted on those nodes, is improved. The colocation does not affect the placement of a cluster's control plane.

  • Preview: Azure Monitor for containers now supports capacity monitoring of Persistent Volumes (PV)

Azure Monitor for containers now supports, in preview, capacity monitoring of Persistent Volumes (PV) attached to the AKS cluster. Beginning with agent version ciprod10052020, Azure Monitor for containers collects capacity metrics for all PVs except those in the kube-system namespace. This preview supports:

  • Visualization of all the PVs associated with your Pods via the Workloads workbook.
  • Monitoring capacity usage trends & status of the PVs.
  • Fast metrics-based alerting via recommended alerts (preview).
  • Querying and consuming PV capacity data in Log Analytics via KQL.

App Service Private Endpoints now generally available

Azure App Service support for Private Endpoints has now entered General Availability in all Azure public regions for both Windows and Linux apps. Private Endpoints enable you to consume your app through a specific IP address located in your Azure Virtual Network (VNet), eliminating exposure to the public internet. Available in Premium v2, Premium v3, and Functions Elastic Premium, this feature is now fully supported with a 99.95% SLA. With Private Endpoints, you can:

  • Host secure and internal Line of Business applications: With a private IP address for inbound traffic, you can build applications that are only accessible from inside the VNet or across connections to the VNet.
  • Expose your apps inside your VNet without data exfiltration issues: The private endpoint only lets you reach your app.
  • Build secure multi-tier web applications: Private Endpoints only enable inbound connectivity to your app and do not enable outbound connectivity into a VNet. Outbound connectivity can be achieved with VNet Integration, so by combining both features you can build complex applications that call secure backend API endpoints.

If you just need a secure connection between your VNet and your Web App, a Service Endpoint is the simplest solution. If you also need to reach the web app from on-premises through an Azure Gateway, a regionally peered VNet, or a globally peered VNet, Private Endpoint is the solution.

Azure Database

Register Your Azure SQL Virtual Machines with SQL Server IaaS Agent extension today

Enable the automatic registration feature in the Azure portal to automatically register all current and future SQL Server on Azure VMs with the SQL VM resource provider in lightweight mode. The SQL VM resource provider allows you to manage your SQL Server VM from the Azure portal. Additionally, the resource provider enables a robust feature set, including automated patching, automated backup, as well as monitoring and manageability capabilities. It also unlocks licensing and edition flexibility. Previously, these features were only available to SQL Server VM images deployed from Azure Marketplace.

Access a number of features designed to save you money and increase manageability by providing a PaaS-like service while still retaining the ability to customize your data estate, which is integral to any IaaS service.

Public preview: Zone redundant configuration for Azure SQL DB general-purpose tier

Now in preview, new and existing Azure SQL Databases and elastic pools that use the general-purpose tier can enable the zone redundant configuration. The zone redundant design utilizes Azure Availability Zones to replicate databases across multiple physical locations within an Azure region. By selecting zone redundancy, you can make your general-purpose single databases and elastic pools resilient to a much broader set of failures, including catastrophic datacenter outages, without any application logic changes.

Azure Storage

Soft delete for Azure file shares is now generally available in all regions

Soft delete acts like a recycle bin for Azure file shares, protecting them from accidental deletion. This enhances Azure Files' data protection capabilities. Now when a file share is deleted, it transitions to a soft-deleted state in the form of a soft-deleted snapshot. You configure how long soft-deleted data remains recoverable before it is permanently erased. In January 2021, soft delete will be enabled by default for all new storage accounts with a default retention period of 7 days. Settings for existing storage accounts will not change.

Soft-deleted shares can be listed, but to mount them or view their contents you must undelete them. Upon undelete, the share is recovered to its previous state, including all metadata and snapshots (Previous Versions).

Policy to control the minimum TLS version used with Azure Storage now generally available

Azure Storage now offers administrators the flexibility to specify the minimum version of TLS that a client application must use to communicate with a storage account. Microsoft recommends that you follow a DRAG (Detection-Remediation-Audit-Governance) framework to continuously manage secure TLS for your storage accounts.

Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility.

By default, Azure Storage accounts permit clients to send and receive data with the oldest version of TLS, TLS 1.0, and above. To enforce stricter security measures, you can configure your storage account to require that clients send and receive data with a newer version of TLS. If a storage account requires a minimum version of TLS, any request using an older version will fail.
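The Detection and Remediation steps of the DRAG framework described above, as an added example that is not part of the original post: it consumes the JSON that `az storage account list -o json` returns and emits one `az storage account update` per account still below TLS 1.2. The inventory below is constructed; the account and resource group names are placeholders.

```python
# Added example: detect storage accounts whose enforced TLS floor is below
# TLS1_2 and produce the remediation commands. Input is the shape returned by
# `az storage account list -o json` (the sample here is constructed).
import json

# Azure Storage orders the setting as TLS1_0 < TLS1_1 < TLS1_2. An account that
# never had the property set behaves as TLS1_0, which is the default described above.
TLS_ORDER = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2}
REQUIRED = "TLS1_2"

# Constructed inventory; note the last account has no minimumTlsVersion at all.
SAMPLE_INVENTORY = json.loads("""
[
  {"name": "stlegacy01", "resourceGroup": "rg-app",  "minimumTlsVersion": "TLS1_0"},
  {"name": "stmidway02", "resourceGroup": "rg-app",  "minimumTlsVersion": "TLS1_1"},
  {"name": "stmodern03", "resourceGroup": "rg-data", "minimumTlsVersion": "TLS1_2"},
  {"name": "stunset04",  "resourceGroup": "rg-data"}
]
""")


def effective_min_tls(account):
    """Return the TLS floor the account actually enforces; unset means TLS1_0."""
    return account.get("minimumTlsVersion") or "TLS1_0"


def noncompliant_accounts(accounts, required=REQUIRED):
    """Detection: accounts whose enforced minimum is below `required`.
    Unknown values (not in TLS_ORDER) are flagged so a human reviews them."""
    floor = TLS_ORDER[required]
    return [a for a in accounts if TLS_ORDER.get(effective_min_tls(a), -1) < floor]


def remediation_commands(accounts, required=REQUIRED):
    """Remediation: one `az storage account update --min-tls-version` per finding."""
    return [
        f"az storage account update --name {a['name']} "
        f"--resource-group {a['resourceGroup']} --min-tls-version {required}"
        for a in noncompliant_accounts(accounts, required)
    ]


if __name__ == "__main__":
    # In practice: accounts = json.load(open("inventory.json")) from the az CLI output.
    for cmd in remediation_commands(SAMPLE_INVENTORY):
        print(cmd)
```

Re-running the detection after remediation and scheduling it periodically covers the Audit step; an Azure Policy assignment on the same setting covers Governance.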

Azure Blob storage point-in-time restore now generally available

Announcing the general availability of Azure Blob storage point-in-time restore. Point-in-time restore adds continuous data protection to your blob data providing restoration back to a specific date and time. For customers that want to protect and recover from accidental deletion and modification or, from test runs that modify block blob data, point-in-time restore adds to existing protection features to restore across an entire storage account, or a set of containers.

Point-in-time restore provides protection against accidental deletion or corruption by enabling you to restore block blob data to an earlier state. Point-in-time restore is useful in scenarios where a user or application accidentally deletes data or where an application error corrupts data. Point-in-time restore also enables testing scenarios that require reverting a data set to a known state before running further tests.

Point-in-time restore for Azure Blob Storage gives storage account administrators the ability to restore a subset of containers or blobs within a storage account to a previous state. An administrator can restore to a specific past date and time in the event of an application corrupting data, a user inadvertently deleting contents, or a test run of a machine learning model.

Azure Networking & Security

Standard Load Balancer and Public IP addresses support resource group move

Standard Load Balancers and Standard Public IP addresses now support being moved across resource groups within the same subscription. Moving a resource only moves it to a new resource group. It doesn't change the location of the resource or the subscription. Moving Standard Load Balancers and Public IP addresses across resource groups is supported in all Azure public cloud regions.

Preview: Azure Load Balancer now supports cross-region load balancing

Azure Load Balancer supports Cross-Region Load Balancing. Previously, Standard Load Balancer had a regional scope. With this release, you can load balance across multiple Azure regions via a single, static, global anycast Public IP address.

Cross-region Load Balancer delivers high availability for your critical workloads using its health probes, which monitor your backends both for health and latency. The backend port of your load balancing rule on the cross-region load balancer should match the frontend port of the load balancing rule/inbound NAT rule on the regional standard load balancer.

The Cross-region load balancer is currently in preview and not generally available. To access the preview for Cross-region load balancer, contact: [email protected].

Limitations

  • Cross-region frontend IP configurations are public only. An internal frontend is currently not supported.
  • Private or internal load balancers can't be added to the backend pool of a cross-region load balancer.
  • Cross-region IPv6 frontend IP configurations aren’t supported.
  • A health probe can’t be configured currently. A default health probe automatically collects availability information about the regional load balancer every 20 seconds.

Other Azure Services

Azure role-based access control (RBAC) for Azure Key Vault data plane authorization is now in preview

With Azure role-based access control (RBAC) for the Azure Key Vault data plane, we can achieve unified management and access control across Azure resources. With this capability, we can now manage RBAC for Key Vault keys, certificates, and secrets with role assignment scopes ranging from a management group down to an individual key, certificate, or secret. When enabled, Azure AD users and services are validated exclusively by Azure RBAC.

Azure role-based access control (Azure RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources. Azure RBAC allows users to manage Keys, Secrets, and Certificates permissions. It provides one place to manage all permissions across all key vaults.
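A migration helper for the capability described above, as an added example that is not from the original post: it takes the access-policy entries that `az keyvault show` returns under properties.accessPolicies and proposes the least-privileged built-in data-plane role per principal, plus the `az role assignment create` command at vault scope. The permission-to-role mapping is this example's own reading of the built-in roles, the policy entries are constructed, and the object IDs and vault resource ID are placeholders.

```python
# Added example: map legacy Key Vault access-policy permissions to the least-
# privileged built-in Azure RBAC data-plane roles. Mapping is this example's
# assumption: read/use-only permissions -> "User" role, anything that creates,
# changes or deletes objects -> "Officer" role, blanket "all" -> Administrator.
READ_ONLY = {
    "secrets": {"get", "list"},
    "keys": {"get", "list", "encrypt", "decrypt", "sign", "verify", "wrapkey", "unwrapkey"},
}
ROLES = {  # (read/use role, manage role); certificates have no read-only built-in role here
    "secrets": ("Key Vault Secrets User", "Key Vault Secrets Officer"),
    "keys": ("Key Vault Crypto User", "Key Vault Crypto Officer"),
    "certificates": (None, "Key Vault Certificates Officer"),
}

# Constructed access-policy entries in the shape of properties.accessPolicies.
SAMPLE_POLICIES = [
    {"objectId": "00000000-0000-0000-0000-000000000001",
     "permissions": {"secrets": ["get", "list"], "keys": [], "certificates": []}},
    {"objectId": "00000000-0000-0000-0000-000000000002",
     "permissions": {"secrets": ["get", "set", "delete"], "keys": ["get", "decrypt"], "certificates": []}},
    {"objectId": "00000000-0000-0000-0000-000000000003",
     "permissions": {"secrets": ["all"], "keys": ["all"], "certificates": ["all"]}},
]


def roles_for_policy(policy):
    """Return the minimal list of built-in roles covering one access-policy entry."""
    perms = {k: {p.lower() for p in v} for k, v in policy["permissions"].items()}
    if all("all" in perms.get(t, set()) for t in ROLES):
        return ["Key Vault Administrator"]  # blanket access: one role, flag for review
    roles = []
    for obj_type, (user_role, officer_role) in ROLES.items():
        granted = perms.get(obj_type, set())
        if not granted:
            continue
        if user_role and granted <= READ_ONLY.get(obj_type, set()):
            roles.append(user_role)
        else:
            roles.append(officer_role)
    return roles


def assignment_commands(policies, vault_resource_id):
    """One `az role assignment create` per (principal, role), scoped to the whole vault."""
    return [
        f'az role assignment create --assignee-object-id {pol["objectId"]} '
        f'--role "{role}" --scope {vault_resource_id}'
        for pol in policies for role in roles_for_policy(pol)
    ]
```

Scopes narrower than the vault (a single secret or key) are a resource ID one level below the vault, so the same command works with `--scope` pointing at that object.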

Azure Monitor Log Analytics data export is in public preview

As it's being collected, data from selected tables in your Log Analytics workspace can be continuously exported to an Azure storage account hourly or to Azure Event Hubs in near-real-time. Once data export is configured for your Log Analytics workspace, any new data sent to the selected tables in the workspace is automatically exported to your storage account hourly or to your event hub in near-real-time. All data from the included tables is exported without a filter. For example, when you configure a data export rule for the SecurityEvent table, all data sent to the SecurityEvent table is exported starting from the configuration time.

When exporting to Storage, each table is kept under a separate container. Similarly, when exporting to Event Hub, each table is exported to a new Event Hub instance, e.g., am-securityevent. This data export preview provides several key advantages:

  • Low-cost data retention in storage
  • Simpler compliance with auditing and security requirements when longer data retention is involved
  • Integration with Azure and third-party solutions such as Azure Data Lake and Splunk
  • Low latency export to Event Hub, allowing near-real-time monitoring and alerting

Thanks for your time, and I hope this gave you a quick preview of the Azure updates from October.