October is the month of ghosts and monsters – Halloween (Samhain as we Celts originally called it). Read on to find out what ghouls and creatures crawled from under the floorboards of Azure Infrastructure during October 2023.
Customers can now use custom backups to back up their web app’s files and configuration data to a firewall-protected storage account if the following requirements are fulfilled:
- The app is integrated with a virtual network, or the app is in a v3 App Service environment.
- The storage account has granted access from the virtual network that the app is integrated with, or that the v3 App Service environment is created with.
I’ve noticed a few recent changes where services are enabling features to work with storage accounts over a virtual network. I would not be shocked to see the default connectivity settings of a storage account to prefer a virtual network in the future.
Enhanced soft delete provides an improvement to the soft delete capability in Azure Backup that enables you to recover your backup data in case of accidental or malicious deletion. With enhanced soft delete, you get the ability to make soft delete always-on and irreversible, thus protecting it from being disabled by any malicious actors.
The Azure Backup team has put a lot of emphasis on rogue users and APTs attacking backups for many years. That work continues.
MUA for Azure Backup adds an additional layer of protection for critical operations on your Backup vaults, providing greater security for your backups. To provide multi-user authorisation, Backup uses a resource guard to ensure critical operations are performed with proper authorisation, similar to how multi-user authorisation currently works for Recovery Services vaults.
It makes sense that the newer Azure Backup resource type gets some of the same protections as the older RSV.
Azure Backup for AKS enables customers to protect their containerized workloads along with application data deployed on AKS clusters. The solution allows you to configure scheduled backups of your AKS clusters and restore them to the same or an alternate cluster in scenarios like Operational Recovery, Accidental Deletion and Application Migration. Customers are also looking to utilize their AKS backups to recover applications during a regional disaster recovery and to follow the industry-wide best practice of a 3-2-1 backup strategy.
The important bit is that data is being backed up, not just application code that can be redeployed from repos/container repositories.
The Italy North datacenter region includes Azure Availability Zones, which offer you additional resiliency for your applications by designing the region with unique physical datacenter locations with independent power, network, and cooling for additional tolerance to datacenter failures.
This is one of the regions that does not have a paired region. Therefore this will impact resources that only replicate to paired regions: RSVs, storage accounts, and so on.
The first hyperscale datacenter region in Israel is now not available yet.
This post was released and withdrawn.
EDIT: I’m told that the region is available. In a story by Data Center Dynamics, they asked Microsoft to comment but they had not gotten a response by the time the story was posted.
Private Preview: Azure Managed HSM Backup/Restore when Storage Account is Behind a Private Endpoint
We are excited to announce the Private Preview of support for Azure Key Vault Managed HSM backup/restore when the storage account is behind a private endpoint. By becoming a Microsoft Trusted Service, we have enhanced our backup flow by allowing for private endpoint connection to Azure Storage accounts while backing up and restoring Managed HSM resources. This helps reduce the risk of exposure to public internet and helps address compliance needs.
Now you need to secure that storage account!
We are excited to announce the Private Preview of Azure Key Vault Managed HSM integration with Azure Backup which greatly enhances the customer experience of backing up and restoring a Managed HSM. This integration allows the process of backup and restore to take less time and effort. It is a zero-infrastructure solution with Azure Backup service managing the backups with automated retention and backup scheduling.
And how will you secure Azure Backup?
Arc-enabled SCVMM allows customers to connect their SCVMM environment to Azure, enabling them to discover, onboard at-scale, and perform VM lifecycle operations from Azure on their SCVMM managed VMs.
Oh my – there really are monsters at Halloween. I forgot that SCVMM was a thing.
On 31 August 2024, we’ll retire Log Analytics agent–based VM insights. Migrate to Azure Monitor agent–based VM insights, which offers improvements such as:
- Enhanced security and performance.
- Data collection rules to help cut costs.
- Simplified management experience, including efficient troubleshooting.
There were reasons to delay this migration, but they have been cleared up now. It’s time to switch and migrate.
If you are using automation to enable or disable the connector using the Legacy API, please note that the automation will not be supported, and you will need to recreate it using the new API.
I think this only affects people who configured the settings via API only.
We are excited to announce the general availability to configure Azure Change Tracking & Inventory using the Azure Monitor agent (AMA).
Speaking of things that have been cleared up …
We’re thrilled to introduce the public preview of VMSS Zonal Expansion. This feature enables you to take regionally (non-zonal) configured VMs and distribute them across Azure availability zones in a zonal configuration, enhancing your business continuity and resilience with minimal disruption and potentially increasing your availability SLA from 99.95% to 99.99%.
Long story short: If you have stateless VMSS workloads, then new instances will be spread across availability zones if you enable this feature. You can clean up old instances to return the VMSS to the desired scale. Service Fabric, AKS, and stateful workloads are not supported.
Breaking Change Notice: Virtual Machine Scale Set Default Orchestration Mode changing from Uniform to Flexible on PowerShell, Azure CLI
We are announcing an upcoming breaking change to the default orchestration mode for Virtual Machine Scale Sets created on PowerShell and Azure CLI starting November 2023. Once this change is complete, any new VM scale sets created using these clients will automatically default to Flexible orchestration mode instead of Uniform.
Check the defaults being used in your scripts and templates.
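An added example (not from the post or from Microsoft) of acting on that advice: a POSIX shell helper that scans a deployment script for `az vmss create` and `New-AzVmss` calls that do not pass an explicit orchestration mode, plus the pinned form to replace them with. It covers scripts only, not ARM/Bicep templates; the sample script and resource names are constructed, and `create_pinned_vmss` is defined but not called because it needs a logged-in Azure CLI.

```shell
#!/bin/sh
# Added example, not from the original post. Flags VMSS create calls that
# rely on the client default orchestration mode, which changes to Flexible
# for new scale sets from November 2023.

# Print every `az vmss create` / `New-AzVmss` call that does not pass an
# explicit orchestration mode. Backslash (bash) and backtick (PowerShell)
# line continuations are joined so multi-line calls are checked as a whole.
audit_vmss_defaults() {
  awk '
    /[\\`][ \t]*$/ { sub(/[\\`][ \t]*$/, " "); buf = buf $0; next }
    {
      line = buf $0; buf = ""
      if (line ~ /az[ \t]+vmss[ \t]+create/ && line !~ /--orchestration-mode/)
        print FILENAME ":" NR ": " line
      else if (line ~ /New-AzVmss/ && tolower(line) !~ /-orchestrationmode/)
        print FILENAME ":" NR ": " line
    }
  ' "$1"
}

# The fix for a flagged call: pin the mode instead of trusting the default.
# Not invoked here; needs a logged-in Azure CLI. Arguments are placeholders.
create_pinned_vmss() {
  az vmss create --resource-group "$1" --name "$2" --image Ubuntu2204 \
    --orchestration-mode Uniform --instance-count 2
}

# Constructed sample deployment script: two calls pin the mode, two do not.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
az vmss create -g rg-web -n vmss-web --image Ubuntu2204 \
  --orchestration-mode Uniform --instance-count 3
az vmss create -g rg-api -n vmss-api \
  --image Ubuntu2204 --instance-count 2
New-AzVmss -ResourceGroupName rg-ps -VMScaleSetName vmss-ps `
  -Location northeurope
New-AzVmss -ResourceGroupName rg-ps2 -VMScaleSetName vmss-ps2 -OrchestrationMode Flexible
EOF

audit_vmss_defaults "$SAMPLE"   # expected: the vmss-api and vmss-ps calls
```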
You can now automatically create the new host, migrate all your existing VMs, and delete your old host, thus avoiding any manual operations when upgrading your dedicated host. This may also result in cost savings, giving you the ability to run more VMs on the new dedicated host SKUs.
Both customers are delighted.
We are excited to announce that customers can now choose between Replace, Reimage (Preview), or Restart (Preview) as the default repair action performed in response to an “Unhealthy” application signal. These new options provide a less-impactful repair process, ensuring higher application availability while preserving VM properties and metadata for customers with sensitive workloads.
Useful I guess.
As noted, for enhanced security, Azure is moving towards a secure-by-default model. This means default outbound access to the internet will be turned off. After 30 September 2025, Azure will no longer assign a default implicit IP for VMs to communicate to the internet. Existing VMs will not be impacted by this retirement.
See my post for more information.
Through a grace period, you will have the ability to exchange Azure compute reservations (Azure Reserved Virtual Machine Instances, Azure Dedicated Host reservations, and Azure App Services reservations) until at least July 1, 2024.
This change was hinted at in the docs when reserved instances were launched. It looks like Microsoft is giving customers more time to trade in to switch to Savings Plan For Compute, which can guarantee Microsoft more money.
You can now encrypt OS and Data disks of your AKS nodes in production with your own managed keys.
Ephemeral disks are great for workloads where there is a stateless tier of VMs and you want to reset them frequently/quickly. This is an extra level of security with isolation from the provider.
Bastion Developer allows users to establish secure connections to a single VM at a time without the necessity of additional network configurations or exposing public IPs on VMs. Users can directly access their VMs through the connect experience on the VM blade in the portal, with RDP/SSH access already available and CLI-based SSH access coming soon. Bastion Developer caters to Dev/Test users seeking secure VM connections without the need for additional features or scalability.
It feels like a solution for “sandbox” scenarios rather than an actual dev/test on production VNets in a hub & spoke.
ExpressRoute Traffic Collector enables you to capture information about IP flows sent over ExpressRoute direct circuits. You can enable flow logs capture for both Private and Microsoft peering with ExpressRoute Traffic Collector. Captured flow logs data get sent to a Log Analytics workspace where you can create your own log queries for further analysis.
You can use this data for:
- Monitoring/diagnostics: Use the log data to understand flows, troubleshoot, and forecast.
- Cost management: Figure out what share of traffic a workload is responsible for and divide the cost by that.
- Security: Plug the data into your SIEM.
We’re thrilled to announce the public preview launch of our latest Azure API Management pricing tiers: Basic v2 and Standard v2. These new tiers address highly sought-after customer requests, bring quality-of-service enhancements, and offer a flexible starting point for API Management, allowing organizations of any size to embark on their API journey.
Finn, APIM isn’t networking! The new tiers support networking options for isolating the network traffic to and from your API Management service instance. Standard v2 now supports VNet Integration, enabling outbound traffic to be restricted to a single connected VNet. As they get close to general availability, both Basic v2 and Standard v2 will support Private Link for securing inbound and outbound API traffic.
Bad actors can expose a new security vulnerability to initiate a DDoS attack on a customer’s infrastructure. This attack is leveraged against servers implementing the HTTP/2 protocol. Windows, .NET Kestrel, and HTTP.sys (IIS) web servers are also impacted by the attack. Azure Guest Patching Service keeps customers secure by ensuring the latest security and critical updates are applied using Safe Deployment Practices on their VMs and VM Scale Sets.
Make sure that your VMs or VMSSs are patching. WAF limiting rules should help but with so many required exceptions, I wonder if WAF does much!
DRS 2.1 is baselined off the Open Web Application Security Project (OWASP) Core Rule Set (CRS) 3.3.2 and extended to include additional proprietary protection rules developed by the Microsoft Threat Intelligence team. The Microsoft Threat Intel team analyzes Common Vulnerabilities and Exposures (CVEs) and further adapts the CRS ruleset to address CVEs and reduce false positives.
Who knows when I’ll get to try this out in production – you can’t just switch OWASP rulesets because bat-sh*t bad stuff can happen to your workloads. I wonder if it resolves any issues regarding false positives, which require many overrides.
We’ve built this experience for customers who heavily use the PowerShell ISE for writing runbooks instead of using the built-in browser-based interface for runbook authoring, while working with PowerShell cmdlets and Automation Assets. With a leg up to the current browser-based interface, the extension makes runbook developers more productive and reduces the E2E time for runbook management.
This might be useful for those that regularly write or edit automation runbooks. I do it about once a year 🙂
Windows Virtual Desktop
With this new support, you can now use Microsoft OneDrive alongside a RemoteApp in Azure Virtual Desktop, allowing users to access and synchronize their files while using a RemoteApp. When a user connects to a RemoteApp, OneDrive can automatically launch as a companion to the RemoteApp. The new support has the same features and usability as OneDrive on your personal device.
I cannot imagine using O365 without OneDrive. How could it have taken this long?