At the beginning of each month, I provide a single post covering the previous month's Azure updates. This post covers the November updates from Azure. It is not an exhaustive list of all the monthly updates; I want to call out the most relevant updates from infrastructure technologies (compute, storage, networking, identity, monitoring & security, etc.), and I have categorized them into high-level sections.
Azure Compute
New constrained vCPUs capable VMs now available
Azure offers various VM sizes that constrain the VM vCPU count to reduce the cost of software licensing, while maintaining the same memory, storage, and I/O bandwidth. The Esv4, Edsv4, and Easv4 memory-optimized Azure VM series now offer new constrained vCPU VM sizes.
For example, the current VM size Standard_GS5 comes with 32 vCPUs, 448 GB RAM, 64 disks (up to 256 TB), and 80,000 IOPS or 2 GB/s of I/O bandwidth. The new VM sizes Standard_GS5-16 and Standard_GS5-8 come with 16 and 8 active vCPUs, respectively, while keeping the rest of the Standard_GS5 specs for memory, storage, and I/O bandwidth.
For the list of constrained vCPU VM sizes, see the Microsoft article: https://docs.microsoft.com/en-us/azure/virtual-machines/constrained-vcpu
Azure Backup—Soft delete for SQL Server and SAP HANA running in Azure VM
Azure Backup soft delete is now available for SQL Server in Azure Virtual Machines and SAP HANA in Azure Virtual Machines workloads, in addition to soft delete for Azure Virtual Machines, which was already supported.
Soft delete is a security feature to help protect backup data even after deletion. With soft delete, even if a malicious actor deletes the backup of a database, or backup data is accidentally deleted, the backup data is retained for 14 additional days, allowing the recovery of that backup item with no data loss. This additional retention of 14 days of the backup data in the soft delete state doesn’t incur any costs.
In addition, support for SAP HANA incremental backups is currently in public preview in all Azure regions except Germany Northeast, Germany Central, France South, and US Gov Iowa.
Azure Monitor for Virtual Machines Guest Health is in public preview
The VM Guest Health feature uses a parent-child hierarchical model. It monitors health state changes of the CPU, disks, and memory of a virtual machine and notifies you about those changes. The three states (Healthy, Warning, and Critical) are defined by the thresholds you set for each child monitor, and each monitor measures the health of one component. The overall health of the virtual machine is derived from its individual monitors: it takes the state of the child monitor with the worst health state. Several key capabilities have been released in the preview:
- A simple experience to monitor the overall health of your virtual machine
- Out-of-the-box metrics to track the health of your virtual machine
- Out-of-the-box alerts to notify if the virtual machine is unhealthy
This feature can be accessed from the ‘Guest VM Health’ column on the ‘Get Started’ page of Azure Monitor for Virtual Machines, and from the ‘Health’ tab of the Azure Monitor for Virtual Machines section.
Azure Bastion with VNet peering (preview)
Azure Bastion and VNet peering can be used together. When VNet peering is configured, you don’t have to deploy Azure Bastion in each peered VNet. This means that if you have an Azure Bastion host configured in one virtual network (VNet), it can be used to connect to VMs deployed in a peered VNet without deploying an additional Bastion host. For more information about VNet peering, see About virtual network peering. Azure Bastion works with the following types of peering:
- Virtual network peering: Connects virtual networks within the same Azure region.
- Global virtual network peering: Connects virtual networks across Azure regions.
Azure Database
SQL Server Analysis Services and Reporting Services Virtual Machine images now available
Pre-configured SQL Server Analysis Services and Reporting Services images can help make customer workloads more efficient and enable an easier onboarding experience to the cloud. Customers can take advantage of additional benefits of moving to the cloud by selecting these preconfigured images on the Azure Marketplace, which makes it easier to see and manage the different virtual machine workloads.
Customers can now deploy a SQL Server Analysis Services (SSAS) virtual machine using pre-configured Standard and Enterprise edition images for ease of deployment. These images are available with pay-as-you-go licensing only.
Customers can now also deploy a SQL Server Reporting Services (SSRS) virtual machine using pre-configured Standard and Enterprise edition images (SQL Server 2016, 2017 and 2019). This also introduces a flexible licensing model for SSRS virtual machines: pay-as-you-go pricing, or Software Assurance license mobility or Azure Hybrid Benefit when deploying on an Azure virtual machine.
Azure Networking & Security
New Azure Firewall capabilities
Finally, some long-awaited new capabilities are being lit up in Azure Firewall. The following capabilities will be generally available in Q4 2020:
- Custom DNS: The DNS server setting lets you configure your own DNS servers for Azure Firewall name resolution. You can configure a single server or multiple servers.
- DNS proxy: You can configure Azure Firewall to act as a DNS proxy, an intermediary for DNS requests from client virtual machines to a DNS server. If you configure a custom DNS server, enable DNS proxy to avoid a DNS resolution mismatch and to allow FQDN (fully qualified domain name) filtering in network rules.
- Without DNS proxy, DNS requests from the client might reach a DNS server at a different time, or receive a different response, than the firewall’s own resolution, so the client and the firewall could resolve the same FQDN to different addresses. DNS proxy puts Azure Firewall in the path of the client requests to avoid this inconsistency.
- FQDN filtering in network rules: You can filter traffic by FQDN in network rules, based on DNS resolution from your custom DNS servers or Azure DNS. This capability is recommended for protocols that FQDN filtering in application rules does not support today.
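As an added example (not code from the original post), here is how the three capabilities above fit together in Azure PowerShell (Az.Network) on an existing firewall: custom DNS servers, DNS proxy, and an FQDN-based network rule, followed by pointing the spoke VNet's clients at the firewall so the proxy is actually in their resolution path. The resource group, firewall and VNet names, the DNS server addresses and the 10.1.0.0/16 source range are assumed placeholders.

```powershell
# Added example, not from the original post. Assumed placeholder names/addresses:
$rgName       = 'rg-hub'
$firewallName = 'fw-hub'
$spokeVnet    = 'vnet-spoke'
$dnsServers   = @('10.0.0.4', '10.0.0.5')   # customer-managed DNS servers (assumed)

$azFw = Get-AzFirewall -Name $firewallName -ResourceGroupName $rgName

# 1. Custom DNS: the firewall resolves names against these servers instead of Azure DNS.
$azFw.DNSServer = $dnsServers

# 2. DNS proxy: clients send queries to the firewall, which forwards them to the custom
#    servers. Client and firewall then share one resolution path, which avoids the
#    mismatch described above and is required for FQDNs in network rules.
$azFw.DNSEnableProxy = $true

# 3. FQDN filtering in a network rule: allow NTP (UDP/123) from the spoke range to a
#    destination given by name rather than by IP. NTP is not HTTP/S, so an application
#    rule cannot express this; a network rule with an FQDN can.
$ntpRule = New-AzFirewallNetworkRule -Name 'allow-ntp-fqdn' `
    -Protocol UDP `
    -SourceAddress '10.1.0.0/16' `
    -DestinationFqdn 'time.windows.com' `
    -DestinationPort 123

$ruleCollection = New-AzFirewallNetworkRuleCollection -Name 'net-fqdn-rules' `
    -Priority 200 -Rule $ntpRule -ActionType Allow
$azFw.AddNetworkRuleCollection($ruleCollection)

# Apply all three changes to the firewall in one update.
$azFw | Set-AzFirewall

# 4. Make the spoke VNet hand out the firewall's private IP as its DNS server, so client
#    queries go through the proxy instead of straight to a DNS server.
$fwPrivateIp = $azFw.IpConfigurations[0].PrivateIPAddress
$vnet = Get-AzVirtualNetwork -Name $spokeVnet -ResourceGroupName $rgName
if (-not $vnet.DhcpOptions) {
    $vnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
}
$vnet.DhcpOptions.DnsServers = @($fwPrivateIp)
$vnet | Set-AzVirtualNetwork
```

VMs already running in the spoke pick up the new DNS server only after a DHCP lease renewal or restart.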
General availability: VPN over ExpressRoute private peering
For some customers, double encryption of traffic over both their private WANs and the Azure WAN is a key compliance requirement. VPN over ExpressRoute private peering lets them run IPsec tunnels over their ExpressRoute private peering to satisfy this need.
You can configure a site-to-site VPN to a virtual network gateway over ExpressRoute private peering using an RFC 1918 IP address. This configuration provides the following benefits:
- Traffic over private peering is encrypted.
- Point-to-site users connecting to a virtual network gateway can use ExpressRoute (via the Site-to-Site tunnel) to access on-premises resources.
Multiple new features for Azure VPN Gateway are now generally available
Azure announced the following features for VPN Gateway:
- High availability for RADIUS servers in point-to-site VPN – This feature enables a highly available configuration for customers using RADIUS/AD authentication for their point-to-site VPN.
- Custom IPsec/IKE policy with DPD timeout – Setting the IKE DPD (Dead Peer Detection) timeout lets customers adjust the IKE session timeout value to their connection latency and traffic conditions, minimizing unnecessary tunnel disconnects and improving both reliability and experience. This feature brings the entire custom IPsec/IKE policy configuration experience to the Azure Portal.
- APIPA support for BGP speaker – This feature supports customers with legacy VPN routers, Amazon Web Services (AWS) VGW, and Google Cloud Platform (GCP) VPN, which use Automatic Private IP Addressing (APIPA) addresses as their Border Gateway Protocol (BGP) speaker IP addresses. They can now establish BGP sessions with Azure VPN gateways using APIPA (169.254.x.x) addresses.
- FQDN support for site-to-site VPN – This feature lets customer branches or locations without static public IP addresses connect to Azure VPN gateways. Customers can now use dynamic DNS services and their Fully Qualified Domain Name (FQDN) instead of IP addresses. Azure VPN gateways automatically resolve the name and update the VPN target to establish IPsec/IKE connections.
- Session management and revocation for point-to-site VPN users – Enterprise administrators can now list and revoke individual user connections to their VPN gateways from the Azure Portal in real time, addressing a key management ask.
Other Azure Services
PowerShell support for Server Migration with Azure Migrate is now generally available
The Server Migration tool in Azure Migrate helps you easily migrate servers and applications to Azure virtual machines. The tool offers agentless options for migration of VMware virtual machines and Hyper-V virtual machines to Azure, and an agent-based option for migration of physical servers, and servers from other clouds.
With the addition of a new PowerShell-based management interface for the Server Migration tool, you can now configure and manage replication of servers to Azure, and migrate them to Azure virtual machines, using Azure PowerShell cmdlets. Use the cmdlets to perform migrations in an automated, repeatable manner and achieve the migration scale and velocity you need. The new Azure Migrate Azure PowerShell module is now in public preview.
Export and manage Azure Policy as code with GitHub
A much-anticipated feature from Microsoft: you can now export your Azure policies to GitHub directly from the portal. The “Export definitions” option is available from the Definitions blade. Once exported, you can use GitHub Actions to create customized workflows that deploy policies from GitHub to Azure. These tasks include:
- Export policy definitions and assignments to GitHub
- Push policy objects updated in GitHub to Azure
- Trigger a compliance scan from the GitHub action
Azure Site Recovery – Support for increased disk size in Azure VM disaster recovery is now generally available
You can now enable disaster recovery for Azure VMs with data disks up to 32 TB in size. This applies to Azure VMs with managed disks that replicate to a secondary Azure region using Site Recovery. The feature is deployed in Azure public and government clouds.
Thanks for your time, and I hope this gave you a quick preview of the November updates.
Santhosh has over 15 years of experience in IT. He works as a Cloud Infrastructure Architect and has a wide range of expertise in Microsoft technologies, with a specialization in public & private cloud services for enterprise customers. His varied background includes work in cloud computing, virtualization, storage, networks, automation and DevOps.