Monthly updates from Azure (January 2021)

Days are flying, and we are here in February. This blog series provides a single post for the Azure updates of the previous month; this one covers the January updates. It is not an exhaustive list of all the monthly updates: I want to call out the most relevant updates for infrastructure technologies (compute, storage, networking, identity, monitoring & security, etc.) and have grouped them into high-level sections.

Azure Compute

Automatic Cluster Upgrades in AKS – Public preview

Azure customers can now configure an AKS cluster to automatically upgrade to a user-defined version on a regular basis. Users can choose between multiple upgrade channels, such as the latest rapid minor version, an older stable minor version, or the latest patch version. This eliminates the need for customers to manually track Kubernetes releases and upgrade their clusters and nodes. Part of the AKS cluster lifecycle involves performing periodic upgrades to the latest Kubernetes version. It is important that you apply the latest security releases, or upgrade to get the latest features.

An AKS cluster upgrade triggers a cordon and drain of your nodes. If your available compute quota is low, the upgrade may fail.
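The following script is an added example (not code from the original post) showing how an operator would enable an auto-upgrade channel on an existing cluster from the Azure CLI, with a pre-flight check on free vCPU quota in the region, since the cordon-and-drain described above needs surge capacity. Resource group, cluster and region names are placeholders; the channel names are those listed in the post (`rapid`, `stable`, `patch`, plus `none` to disable). By default the script only prints the `az` commands (`DRY_RUN=1`); set `DRY_RUN=0` to execute them against a real subscription.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post. Enables AKS auto-upgrade on an
# existing cluster after checking that the region still has free vCPU quota.
# All names below are placeholders.
set -eu

DRY_RUN="${DRY_RUN:-1}"            # 1 = print the az commands only; 0 = run them
RG="${RG:-rg-placeholder}"
CLUSTER="${CLUSTER:-aks-placeholder}"
LOCATION="${LOCATION:-eastus}"
CHANNEL="${CHANNEL:-stable}"

# Upgrade channels from the post: rapid (latest minor), stable (an older supported
# minor), patch (latest patch of the current minor); none disables auto-upgrade.
validate_channel() {
  case "$1" in
    rapid|stable|patch|none) return 0 ;;
    *) echo "unknown auto-upgrade channel: $1" >&2; return 1 ;;
  esac
}

# Build the command as a string so it can be printed in a dry run or inspected.
build_upgrade_cmd() {
  printf 'az aks update --resource-group %s --name %s --auto-upgrade-channel %s' "$1" "$2" "$3"
}

# Free vCPUs in the region: regional core limit minus current usage. Surge nodes
# created during the upgrade are drawn from this quota.
free_vcpus() {
  az vm list-usage --location "$1" \
    --query "[?name.value=='cores'].{cur:currentValue,lim:limit}" -o tsv \
    | awk '{print $2 - $1}'
}

run() { if [ "$DRY_RUN" = "1" ]; then echo "DRY RUN: $*"; else eval "$@"; fi; }

validate_channel "$CHANNEL"
if [ "$DRY_RUN" != "1" ]; then
  free="$(free_vcpus "$LOCATION")"
  [ "${free:-0}" -gt 0 ] || { echo "no free vCPU quota in $LOCATION; upgrade may fail" >&2; exit 1; }
fi
run "$(build_upgrade_cmd "$RG" "$CLUSTER" "$CHANNEL")"
```

The quota check only guards against a zero-quota region; size the threshold to your node pool's max surge setting if you want a stricter gate.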

Confidential computing using Always Encrypted with secure enclaves now in public preview

Always Encrypted with secure enclaves expands confidential computing capabilities of Always Encrypted by enabling in-place encryption and rich confidential queries, including pattern matching, range comparisons, and sorting. It leverages the Intel SGX technology available in the new DC-series hardware configuration. Intel SGX enables computations on sensitive plaintext data inside a server-side hardware-based secure enclave that protects data confidentiality from rogue admins and malware.

Always Encrypted with secure enclaves is available in SQL Server 2019 (15.x) and in Azure SQL Database (in preview).

The Always Encrypted feature protects the confidentiality of sensitive data from malware and from high-privileged but unauthorized users: DBAs, computer admins, cloud admins, or anyone else who has legitimate access to server instances, hardware, etc., but should not have access to some or all of the actual data. Always Encrypted uses secure enclaves as illustrated in the following diagram:

Azure Storage

Resource instance rules for access to Azure Storage now in public preview

Some Azure resources cannot be isolated through a virtual network or an IP address rule. However, you’d still like to secure and restrict access to your storage account to only your application’s Azure resources. You can now configure your storage accounts to allow access to only specific resource instances of select Azure services by creating a resource instance rule.

Resource instances must be in the same tenant as your storage account, but they may belong to any resource group or subscription in the tenant.

Public preview: Prevent Shared Key authorization on Azure Storage accounts

Every secure request to an Azure Storage account must be authorized. By default, requests can be authorized with either Azure Active Directory (Azure AD) credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Azure AD provides superior security and ease of use over Shared Key, and is recommended by Microsoft. To require clients to use Azure AD to authorize requests, you can disallow requests to the storage account that are authorized with Shared Key.

When you disallow Shared Key authorization for a storage account, Azure Storage rejects all subsequent requests to that account that are authorized with the account access keys. Only secured requests that are authorized with Azure AD will succeed.

Azure Storage supports Azure AD authorization for requests to Blob and Queue storage only. If you disallow authorization with Shared Key for a storage account, requests to Azure Files or Table storage that use Shared Key authorization will fail. Because the Azure portal always uses Shared Key authorization to access file and table data, if you disallow authorization with Shared Key for the storage account, you will not be able to access file or table data in the Azure portal.

This feature is in public preview at this stage.
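As an added example covering both storage updates above (resource instance rules and disallowing Shared Key authorization), the script below is not from the original post; it shows the Azure CLI sequence an operator would run to lock an account down to one resource instance and then require Azure AD authorization, reading the setting back at the end. Account, resource group, tenant and resource IDs are placeholders, and the `az storage account network-rule add --resource-id/--tenant-id` and `--allow-shared-key-access` flags are assumed to be present in your CLI version (check with `--help`). By default it prints the commands (`DRY_RUN=1`) instead of executing them.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post. Restricts a storage account to a
# specific resource instance, then disallows Shared Key authorization.
# All names and IDs are placeholders.
set -eu

DRY_RUN="${DRY_RUN:-1}"            # 1 = print the az commands only; 0 = run them
RG="${RG:-rg-placeholder}"
ACCOUNT="${ACCOUNT:-stplaceholder}"
TENANT_ID="${TENANT_ID:-00000000-0000-0000-0000-000000000000}"
# The resource instance allowed through the network rules (e.g. a Synapse workspace).
RESOURCE_ID="${RESOURCE_ID:-/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-placeholder/providers/Microsoft.Synapse/workspaces/syn-placeholder}"

# A resource instance rule needs a full ARM resource ID; reject anything else early.
validate_resource_id() {
  case "$1" in
    /subscriptions/*/resourceGroups/*/providers/*/*/*) return 0 ;;
    *) echo "not an ARM resource ID: $1" >&2; return 1 ;;
  esac
}

# Deny by default so only the explicit rules below grant network access.
build_default_deny_cmd() {
  printf 'az storage account update --resource-group %s --name %s --default-action Deny' "$1" "$2"
}
# The resource instance must live in the same tenant as the account (see the post).
build_resource_rule_cmd() {
  printf 'az storage account network-rule add --resource-group %s --account-name %s --resource-id %s --tenant-id %s' "$1" "$2" "$3" "$4"
}
build_disable_shared_key_cmd() {
  printf 'az storage account update --resource-group %s --name %s --allow-shared-key-access false' "$1" "$2"
}
# Read the setting back; prints "false" once Shared Key is disallowed.
build_verify_cmd() {
  printf 'az storage account show --resource-group %s --name %s --query allowSharedKeyAccess -o tsv' "$1" "$2"
}

run() { if [ "$DRY_RUN" = "1" ]; then echo "DRY RUN: $*"; else eval "$@"; fi; }

validate_resource_id "$RESOURCE_ID"
run "$(build_default_deny_cmd "$RG" "$ACCOUNT")"
run "$(build_resource_rule_cmd "$RG" "$ACCOUNT" "$RESOURCE_ID" "$TENANT_ID")"
# Only disable Shared Key once every client of Files/Table data has moved off the
# account key: afterwards those requests (including the portal's file/table views) fail.
run "$(build_disable_shared_key_cmd "$RG" "$ACCOUNT")"
run "$(build_verify_cmd "$RG" "$ACCOUNT")"
```

Run the verify step on its own before and after the change to confirm the account actually rejects account-key requests; the portal caveat from the post applies to file and table data only, Blob and Queue access via Azure AD keeps working.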

Backup for Azure Managed Disk is in limited preview

Azure Backup offers a turnkey solution that provides snapshot lifecycle management for managed disks by automating the periodic creation of snapshots and retaining them for a configured duration using a Backup policy. You can easily manage the disk snapshots with zero infrastructure cost and without the need for custom scripting or any management overhead. This is a crash-consistent backup solution that takes point-in-time backups of a managed disk using incremental snapshots, with support for multiple backups per day.

Fill in this form to sign up for the preview.

Azure Networking & Security

Azure Security Center—News and updates for January 2020

The following updates and enhancements were made to Azure Security Center:

  • Azure Security Benchmark is now the default policy initiative for Azure Security Center
  • Vulnerability assessment for on-premise and multi-cloud machines is released for General Availability (GA)
  • Secure score for management groups is now available in preview
  • Secure score API is released for General Availability (GA)
  • Dangling DNS protections added to Azure Defender for App Service
  • Multi-cloud connectors are released for General Availability (GA)
  • Exempt entire recommendations from your secure score for subscriptions and management groups
  • Users can now request tenant-wide visibility from their global administrator
  • 35 preview recommendations added to increase coverage of Azure Security Benchmark
  • CSV export of filtered list of recommendations
  • Azure Defender for SQL servers on machines is generally available
  • Azure Defender for SQL support for Azure Synapse Analytics dedicated SQL pool is generally available

Azure Monitor Network Insights is now generally available

Azure Monitor Network Insights provides a centralized console for network monitoring. You get an agentless health monitoring experience and access to key resource metrics upfront without writing queries. The key features of Network Insights:

  • Single console for network monitoring
  • No agent configuration required
  • Access to health state, metrics, alerts, & data from traffic and connectivity monitoring tools in one place
  • View network topology with functional dependencies for simpler troubleshooting
  • Access resource metrics to debug issues without writing queries or authoring workbooks
  • Get resource-specific diagnostics and troubleshooting help

Other Azure Services

Azure Backup: Encryption at rest using customer-managed keys is now generally available

Support for encryption at rest using customer-managed keys is now generally available. This gives you the ability to encrypt the backup data in your Recovery Services vaults using your own keys stored in Azure Key Vault. The encryption key used for encrypting backups in the Recovery Services vault may be different from the ones used for encrypting the source. The data is protected using an AES-256-based data encryption key (DEK), which is, in turn, protected using your keys stored in the Key Vault. Compared to encryption using platform-managed keys (which is available by default), this gives you more control over your keys and can help you better meet your compliance needs.
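The script below is an added example, not code from the original post, showing the order of operations for the customer-managed key setup described above: give the Recovery Services vault a managed identity, protect the Key Vault against purge, grant that identity only the key operations needed to wrap and unwrap the DEK, and then point the vault at the key. Vault, Key Vault and key names are placeholders, and the `az backup vault identity assign` and `az backup vault encryption update` commands are assumed to exist in your CLI version as written (verify with `--help`). By default it only prints the commands (`DRY_RUN=1`).

```shell
#!/usr/bin/env bash
# Added example, not part of the original post. Configures customer-managed key
# encryption on a Recovery Services vault with a least-privilege Key Vault policy.
# All names are placeholders.
set -eu

DRY_RUN="${DRY_RUN:-1}"            # 1 = print the az commands only; 0 = run them
RG="${RG:-rg-placeholder}"
VAULT="${VAULT:-rsv-placeholder}"
KV="${KV:-kv-placeholder}"
KEY_ID="${KEY_ID:-https://kv-placeholder.vault.azure.net/keys/backup-cmk/00000000000000000000000000000000}"

# A Key Vault key identifier has the form https://<vault>.vault.azure.net/keys/<name>[/<version>].
validate_key_id() {
  case "$1" in
    https://*.vault.azure.net/keys/*) return 0 ;;
    *) echo "not a Key Vault key identifier: $1" >&2; return 1 ;;
  esac
}

build_identity_cmd() {
  printf 'az backup vault identity assign --system-assigned --resource-group %s --name %s' "$1" "$2"
}
# Principal ID of the vault identity, so the Key Vault policy is scoped to it alone.
build_principal_cmd() {
  printf 'az backup vault show --resource-group %s --name %s --query identity.principalId -o tsv' "$1" "$2"
}
# Purge protection: a deleted key would otherwise make every backup unrecoverable.
build_purge_protection_cmd() {
  printf 'az keyvault update --name %s --enable-purge-protection true' "$1"
}
# Least privilege: the vault wraps/unwraps the DEK; it never needs create or delete.
build_policy_cmd() {
  printf 'az keyvault set-policy --name %s --object-id %s --key-permissions get list wrapKey unwrapKey' "$1" "$2"
}
build_encryption_cmd() {
  printf 'az backup vault encryption update --resource-group %s --name %s --encryption-key-id %s --mi-system-assigned' "$1" "$2" "$3"
}

run() { if [ "$DRY_RUN" = "1" ]; then echo "DRY RUN: $*"; else eval "$@"; fi; }

validate_key_id "$KEY_ID"
run "$(build_identity_cmd "$RG" "$VAULT")"
if [ "$DRY_RUN" = "1" ]; then
  PRINCIPAL="principal-id-placeholder"
else
  PRINCIPAL="$(eval "$(build_principal_cmd "$RG" "$VAULT")")"
fi
run "$(build_purge_protection_cmd "$KV")"
run "$(build_policy_cmd "$KV" "$PRINCIPAL")"
run "$(build_encryption_cmd "$RG" "$VAULT" "$KEY_ID")"
```

Keeping the key permissions to get, list, wrapKey and unwrapKey means a compromise of the vault identity cannot rotate or delete the key; key rotation stays a deliberate step performed by the Key Vault owner.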

Thanks for your time, and I hope this gave you a quick overview of the January updates.