Monthly updates from Azure (February 2021)

In this blog, we will be covering the February updates from Azure. This blog is not an exhaustive list of all the monthly updates. I want to call out the most specific updates from Infrastructure technologies (compute, storage, networking, identity, monitoring & security, etc.) and have categorised the updates based on high-level sections.

Azure Compute

Cross Region Restore of Azure VMs now generally available

Azure Backup stores backup data in a Recovery Services vault, whose storage settings default to geo-redundancy, so the backed-up data in the primary region is geo-replicated to an Azure-paired secondary region. However, the data replicated to the secondary region is available to restore there only if Azure declares a disaster in the primary region. Customers who opt in to this feature can initiate restores in the secondary region at any time, so customer-controlled secondary-region restores are possible whether the primary region is available or unavailable.

Azure Backup supports all managed and unmanaged VMs for Cross Region Restore. Classic VMs remain unsupported.

Azure Image Builder Service now generally available

Azure Image Builder service offers unification and simplification for your image building process across Azure and Azure Stack with an automated image building pipeline. Whether you want to build Windows or Linux virtual machine images, you can use existing image security configurations to build compliant images for your organization and patch existing custom images using Linux commands or Windows Update. Azure Image Builder supports images from multiple Linux distributions, Azure Marketplace, and Windows Virtual Desktop environments and you can build images for specialized VM sizes, such as creating images for GPU VMs.

Several key VM Image Builder capabilities are:

  • Create & customize secure and compliant VM images with global distribution and management.
  • Patching existing custom images.
  • Hybrid image building for Azure and Azure Stack.
  • Azure DevOps integration with new or existing build pipelines.
  • Image creation support for Windows Virtual Desktop environment.
  • Integration in Azure with VNET connectivity and Enterprise networking options to deploy the image builder without a Public IP address.

Azure Storage

Soft delete for Azure file shares is enabled by default

Soft delete protects Azure file shares from accidental deletion. Soft delete acts like a recycle bin for Azure file shares, meaning that deleted shares remain recoverable for their entire retention period (7 days by default for storage accounts created after January 31st).  

Customers will be charged for soft-deleted data on the snapshot meter. If you have automated the creation of new storage accounts and the creation/deletion of new file shares within them, you must modify your scripts to explicitly disable soft delete after the creation of a new storage account.

Soft delete will remain disabled by default for existing storage accounts.

Azure Networking & Security

Azure Firewall Premium

Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It’s a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. The premium version is in public preview and provides the following new capabilities:

  • Transport Layer Security (TLS) Inspection: Azure Firewall Premium decrypts outbound traffic, performs the required value-added security functions and re-encrypts the traffic, which is then sent to the original destination.
  • Intrusion Detection and Prevention System (IDPS): Azure Firewall Premium provides signature-based IDPS to allow rapid detection of attacks by looking for specific patterns.
  • Web Categories: Allows administrators to allow or deny user access to the Internet based on categories (e.g. social networking, search engines, gambling), reducing the time spent on managing individual FQDNs and URLs.
  • URL Filtering: Allows users to access specific URLs for both plain text and encrypted traffic, typically used in conjunction with web categories.

Azure Security Center—News and updates for February 2021

The following updates and enhancements were made to Azure Security Center:

  • New security alerts page in the Azure portal released for General Availability (GA)
  • Kubernetes workload protection recommendations released for General Availability (GA)
  • Microsoft Defender for Endpoint integration with Azure Defender now supports Windows Server 2019 and Windows 10 Virtual Desktop (WVD) (in preview).
  • SQL data classification recommendation no longer affects the secure score.

Other Azure Services

Azure Key Vault data plane RBAC is now available.

Azure RBAC allows users to manage permissions on keys, secrets, and certificates. It provides one place to manage all permissions across all key vaults. The Azure RBAC model provides the ability to set permissions on different scope levels: management group, subscription, resource group, or individual resources. Azure RBAC for Key Vault also provides the ability to have separate permissions on individual keys, secrets, and certificates.

Microsoft's recommendation is to use a vault per application per environment (Development, Pre-Production, and Production). Permissions on individual keys, secrets, and certificates should be used only for specific scenarios:

  • Multi-layer applications that need to separate access control between layers
  • Sharing an individual secret between multiple applications
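
The two scope levels described above, vault-wide for the owning application and a single secret for a second application, look like this with the Azure CLI. This is an added example, not part of the original post; the subscription ID, resource group, vault, secret name and principal object IDs are constructed placeholders, and the script only prints the commands unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
set -eu

SUB="00000000-0000-0000-0000-000000000000"      # placeholder subscription ID
RG="rg-payments-prod"                           # hypothetical resource group
VAULT="kv-payments-prod"                        # one vault per application per environment
APP_OID="11111111-1111-1111-1111-111111111111"  # placeholder: owning app's principal
PEER_OID="22222222-2222-2222-2222-222222222222" # placeholder: second app's principal

# Vault resource ID: a role assigned here covers every key, secret and certificate in it.
vault_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s' "$1" "$2" "$3"
}

# Single-secret resource ID: a role assigned here covers that one secret only.
secret_scope() {
  printf '%s/secrets/%s' "$(vault_scope "$1" "$2" "$3")" "$4"
}

# Print the command by default; set DRY_RUN=0 to execute it with the Azure CLI.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Switch the vault from access policies to the Azure RBAC permission model.
enable_rbac() {
  run az keyvault update --name "$VAULT" --resource-group "$RG" \
    --enable-rbac-authorization true
}

# grant <principal-object-id> <built-in role name> <scope>
grant() {
  run az role assignment create --assignee-object-id "$1" \
    --assignee-principal-type ServicePrincipal --role "$2" --scope "$3"
}

main() {
  enable_rbac
  # The owning application reads all secrets in its own vault.
  grant "$APP_OID" "Key Vault Secrets User" "$(vault_scope "$SUB" "$RG" "$VAULT")"
  # Shared-secret scenario: the second application reads one named secret, nothing else.
  grant "$PEER_OID" "Key Vault Secrets User" \
    "$(secret_scope "$SUB" "$RG" "$VAULT" "shared-api-key")"
}

main
```

Listing role assignments at the vault scope afterwards is a quick way to confirm that the second application holds no vault-wide role.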

Azure Backup for SAP HANA: Soft limit increased from 2 TB to 8 TB

Azure now supports up to 8 TB of full backup size per SAP HANA instance (soft limit). Larger SAP HANA DBs (such as Mv2 – 12 TB RAM machines) can now be backed up with the enhanced data transfer capabilities from Azure Backup. Azure Backup for SAP HANA now attempts to provide data transfer speeds of up to 420 MBps for non-log backups (such as full, differential and incremental) and 100 MBps for log backups. This enhanced data transfer ability means that you can back up ~1.5 TB per hour, which translates to 6-8 TB of full backups in 4-6 hours. The Azure Backup service also attempts to provide similar speeds during restore operations.

Azure announces retirement of classic services

Azure has announced quite a few legacy services to retire on 29th Feb 2024. Microsoft has given customers ample time to move or migrate to the new services. The list of services is:

  • Azure AD Connect sync version 1.1.751.0 and older will be retired.
  • AKS legacy Azure AD integration will be retired. Customers have to use managed Azure AD integration.
  • Classic Application Insights will be retired. Customers have to use workspace-based Application Insights.
  • AzureRM PowerShell modules will be retired; customers should start using the Az modules.
  • Azure Application Gateway analytics will be retired; to monitor Application Gateway, start using the Azure Monitor Network Insights workbook.
  • Classic Azure Migrate will be retired; the new version has been available since Jul 2019.
  • Azure Network Watcher connection monitor (classic) will be retired. From 1st July 2021, you cannot create a classic connection.
  • Azure Network Performance Monitor classic version will be retired.

Thanks for your time, and I hope you had a quick preview of the list of updates from February.