Ignite 2022 IaaS Blog Post Of News

This post is my alternative to the Microsoft Ignite “Book of News”.

You’ve probably heard of or even read the Ignite Book of News. This is a PDF that is sent out to those under NDA (media, MVPs, and so on) before Microsoft Ignite starts. After the kickoff, the document is shared publicly. The Book of News is heavily shaped by Marketing, focusing on highlights and the “message” of the conference. The Book of News is not complete, despite all claims by those who are poorly informed – over the years, I’ve found countless announcements from sessions and product group blog posts that were not in the Book of News.

I’m taking part in an “Ignite After Party” to discuss the Book of News. The organiser has encouraged going “off book” so I’ve summarised all the IaaS stuff that I could find (and a little PaaS) – most of this stuff was not in the Book of News. Here you will find all the announcements in that space from Ignite and the time since then (I stopped at November 30th when I wrote this post).

Ignite News

App Services

Go available on App Service

https://azure.github.io/AppService/2022/10/12/Go-on-AppService.html

We are happy to announce that App Service now supports apps targeting Go 1.18 and 1.19 across all public regions on Linux App Service Plans through the App Service Early Access feature. By introducing native support for Go on App Services, we are making one of the top 10 best loved web app development languages available for our developers.

In development: Larger SKUs for App Service Environment v3

https://azure.microsoft.com/en-gb/updates/in-development-larger-skus-for-app-service-environment-v3/

New Isolated v2 SKUs of 64GB/ 128GB/ 256GB provide compelling value to organizations that need a dedicated tenant to run their most sensitive and demanding applications. This is expected to be available in production in Q4 CY2022.

Public preview: Planned maintenance feature for App Service Environment v3

http://azure.microsoft.com/en-us/updates/public-preview-planned-maintenance-feature-for-app-service-environment-v3/

With planned maintenance notifications for App Service Environment v3, you can get a notification 15 days ahead of planned automatic maintenance and start the maintenance when it is convenient for you.

Hybrid

Announcing Jumpstart ArcBox for DataOps

https://techcommunity.microsoft.com/t5/azure-arc-blog/announcing-jumpstart-arcbox-for-dataops/ba-p/3647642

ArcBox for DataOps is our road-tested automation providing our customers a way to get hands-on with the Azure Arc-enabled SQL Managed Instance set of capabilities and features.

Announcing Jumpstart HCIBox

https://techcommunity.microsoft.com/t5/azure-arc-blog/announcing-jumpstart-hcibox/ba-p/3647646

HCIBox is a turnkey solution that provides a complete sandbox for exploring Azure Stack HCI capabilities and hybrid cloud integration in a virtualized environment. HCIBox is designed to be completely self-contained within a single Azure subscription and resource group, which will make it easy for a user to get hands-on with Azure Stack HCI and Azure Arc technology without the need for physical hardware.

CAF

Announcing Landing Zone Accelerator for Azure Arc-enabled SQL Managed Instance

https://techcommunity.microsoft.com/t5/azure-arc-blog/announcing-landing-zone-accelerator-for-azure-arc-enabled-sql/ba-p/3647623

A proven set of guidance designed by subject matter experts across Microsoft to help customers create and implement the business and technology strategies necessary to succeed in the cloud as well as a way to automate a fully deployed Azure Arc-enabled SQL Managed Instance environment, making implementation faster.

AVD

Announcing general availability of support for Azure availability zones in the host pool deployment

https://techcommunity.microsoft.com/t5/azure-virtual-desktop-blog/announcing-general-availability-of-support-for-azure/ba-p/3636262

I am pleased to announce that you can now automatically distribute your session hosts across any number of availability zones.

New ways to optimize flexibility, improve security, and reduce costs with Azure Virtual Desktop

https://techcommunity.microsoft.com/t5/azure-virtual-desktop-blog/new-ways-to-optimize-flexibility-improve-security-and-reduce/ba-p/3650895

With the public preview of new integrations with Azure Active Directory, you can use single sign-on and passwordless authentication, leveraging FIDO2 standards and Windows Hello for Business to securely streamline the authentication experience for today’s remote and hybrid workforce.

Now in public preview, customers can use cloud storage to host FSLogix and modern Azure Active Directory authentication for their session hosts (more on that later).

Public preview for confidential virtual machine options for Azure Virtual Desktop is also available now—specifically for Windows 11 virtual machines—with Windows 10 support planned in the future.

Customers who require their information to remain on trusted private networks will have the option to use Private Link to enable access to their session hosts and workspaces over a private endpoint in their virtual network.

Cost Management

Optimize and maximize cloud investment with Azure savings plan for compute

https://techcommunity.microsoft.com/t5/azure-compute-blog/optimize-and-maximize-cloud-investment-with-azure-savings-plan/ba-p/3636447

Today, we are announcing Azure savings plan for compute. With this new pricing offer, customers will have an easy and flexible way to save up to 65%* on compute costs, compared to pay-as-you-go pricing, in addition to existing offers in market including Azure Hybrid Benefit and Reservations.

Storage

General availability: Azure Premium SSD v2 Disk Storage

http://azure.microsoft.com/en-us/updates/general-availability-azure-premium-ssd-v2-disk-storage/

In summary, Premium SSD v2 offers the following key benefits:

  • Ability to increase disk storage capacity in 1 GiB increments.
  • The capability to separately provision IOPS, throughput, and disk storage capacity.
  • Consistent sub-millisecond latency.
  • Easier maintenance with scaling performance up and down without downtime.
  • Up to 64 TiB, 80,000 IOPS and 1,200 MB/s on a single disk.

Public preview: Azure Elastic SAN

http://azure.microsoft.com/en-us/updates/public-preview-azure-elastic-san/

With Elastic SAN, you can deploy, manage, and host workloads on Azure with an end-to-end experience similar to on-premises SAN. The solution also enables bulk provisioning of block storage that can achieve massive scale, up to millions of IOPS, double-digit GB/s of throughput, and low single-digit millisecond latencies with built-in resiliency to minimize downtime.

Management

Generally available: Azure Automanage for Azure Virtual Machines and Arc-enabled servers

https://azure.microsoft.com/en-gb/updates/generally-available-azure-automanage-for-azure-virtual-machines-and-arcenabled-servers/

Azure Automanage is a service that automates configuration of virtual machines (VMs) to best-practice Azure services, as well as continuous security and management operations across the entire lifecycle of VMs in Azure or hybrid environments enabled through Azure Arc. This allows you to save time, reduce risk, and improve workload uptime by automating day-to-day configuration and management tasks– all with point-and-click simplicity, at scale.

Generally available: Azure Monitor agent support for Windows clients

http://azure.microsoft.com/en-us/updates/generally-available-azure-monitor-agent-support-for-windows-clients/

The Azure Monitor agent and data collection rules now support Windows 10 and 11 client devices via the new Windows MSI installer. Extend the use of the same agent for telemetry and security management (using Sentinel) across your service and device landscape.

Generally available: Azure Monitor agent migration tools

http://azure.microsoft.com/en-us/updates/generally-available-azure-monitor-agent-migration-tools/

Per earlier communication, you must migrate from log analytics agent (MMA or OMS agents) to this agent before August 2024. You can use agent migration tools now generally available to make this process easier for you.

Public preview: Azure Monitor Logs – create granular level RBAC for custom tables

https://azure.microsoft.com/en-gb/updates/public-preview-azure-monitor-logs-create-granular-level-rbac-for-custom-tables/

The Log Analytics product team added two additional capabilities to enable workspace admins to manage more granular data access, supporting read permission at the table level both for Azure tables and custom tables.

Cost-effective solution for high-volume verbose logs

https://techcommunity.microsoft.com/t5/azure-observability-blog/general-availability-get-more-value-from-your-logs-with-azure/ba-p/3643129

Basic Logs is a new flavor of logs that enables a lower-cost collection of high-volume verbose logs that you use for debugging and troubleshooting, but not for analytics and alerts. This data, which might have been historically stored outside of Azure Monitor Logs, can now be available inside your Log Analytics workspace, enabling one solution for all your log data.

Low-cost long-term storage of your log data

https://techcommunity.microsoft.com/t5/azure-observability-blog/general-availability-get-more-value-from-your-logs-with-azure/ba-p/3643129

Log Archive is an in-place solution to store your data for long-term retention of up to seven years at a cost-effective price point. This lets you store all your data in Azure Monitor Logs, without having to manage an external data store for archival purposes, and query or import data in and out of Azure Monitor Logs. You can access archived data by running a search job or restoring it for a limited time for investigation, as detailed below. 

Search through large volumes of log data

https://techcommunity.microsoft.com/t5/azure-observability-blog/general-availability-get-more-value-from-your-logs-with-azure/ba-p/3643129

A search job can run from a few minutes to hours, scanning log data and fetching the relevant records into a new persistent search job results table. The search job results table supports the full set of analytics capabilities to enable further analysis and investigation of these records.

Investigate archived logs

https://techcommunity.microsoft.com/t5/azure-observability-blog/general-availability-get-more-value-from-your-logs-with-azure/ba-p/3643129

Restore is another tool for investigating your archived data. Unlike the search job, which accesses data based on specific criteria, restore makes a given time range of the data in a table available for high-performance queries. Restore is a powerful operation, with a relatively high cost, so it should be used in extreme cases when you need direct access to your archived data with the full interactive range of analytics capabilities.

Generally available: Windows Admin Center for Azure Virtual Machines

https://azure.microsoft.com/en-gb/updates/windows-admin-center-for-azure-virtual-machines/

Windows Admin Center lets you manage the Windows Server Operating System of your Azure Virtual Machines, natively in the Azure Portal. You can perform maintenance and troubleshooting tasks such as managing your files, viewing your events, monitoring your performance, getting an in-browser RDP and PowerShell session, and much more, all within Azure.

Set up alerts faster with our new and simplified alerting experience (in preview)

https://techcommunity.microsoft.com/t5/azure-observability-blog/what-s-new-in-azure-monitor-ignite-2022/ba-p/3652570

Recommended alert rules provides customers with an easy way to enable a set of best practice alert rules on their Azure resources. This feature, which previously supported only virtual machines, is now being extended to also support AKS and Log Analytics Workspace resources.

Azure VMware Solution

Public preview: Customer-managed keys for Azure VMware Solution

https://azure.microsoft.com/en-gb/updates/public-preview-customermanaged-keys-for-azure-vmware-solution/

Customer-managed keys (CMK) for Azure VMware Solution (AVS) provides you with control over your encrypted vSAN data on Azure VMware Solution. With this feature, you can use Azure Key Vault to generate customer-managed keys as well as centralize and streamline the key management process.

Public preview: Stretched clusters for Azure VMware Solution

http://azure.microsoft.com/en-us/updates/public-preview-stretched-clusters-for-azure-vmware-solution/

Provides 99.99% uptime for mission critical applications. Stretched cluster benefits:

  • Improve application availability.
  • Provide a zero-recovery point objective (RPO) capability for enterprise applications without needing to redesign or deploy expensive disaster recovery (DR) solutions.
  • A private cloud with stretched clusters is designed to provide 99.99% availability due to its resilience to availability zone failures.
  • Enables you to focus on core application requirements and features, instead of infrastructure availability.

AKS

Generally available: Azure Hybrid Benefit for AKS and Azure Stack HCI

http://azure.microsoft.com/en-us/updates/generally-available-azure-hybrid-benefit-for-aks-and-azure-stack-hci/

At Ignite, we are expanding Azure Hybrid Benefit to further reduce costs for on-premises and edge locations. Customers with Windows Server Software Assurance (SA) can use Azure Hybrid Benefit for Azure Kubernetes Service (AKS) and Azure Stack HCI to:

  • Run AKS on Windows Server and Azure Stack HCI at no additional cost in datacenter and edge locations. With this, you can deploy and manage containerized Linux and Windows applications from cloud to edge with a consistent, managed Kubernetes service. This applies to Windows Server Datacenter and Standard Software Assurance and Cloud Solution Provider (CSP) customers.
  • Use first-party Arc-enabled infrastructure, Azure Stack HCI, at no additional cost. Windows Server Datacenter Software Assurance customers can modernize their existing datacenter and edge infrastructure to run their VM and container-based applications on modern infrastructure with industry-leading price-performance and built-in connectivity to Azure.

Public preview: Azure Kubernetes Service hybrid deployment options

https://azure.microsoft.com/en-gb/updates/public-preview-azure-kubernetes-service-hybrid-deployment-options/

Azure Kubernetes Service (AKS) on Azure Stack HCI, Windows Server 2019, and 2022 Datacenter can be provisioned from the Azure Portal/CLI. Additionally, AKS is now in public preview on Windows devices and Windows IoT for lightweight Kubernetes orchestration.

Generally available: 5,000 node scale in AKS

http://azure.microsoft.com/en-us/updates/generally-available-5000-node-scale-in-aks/

Azure Kubernetes Service is increasing the maximum node limit per cluster from 1,000 nodes to 5,000 nodes for customers using the uptime-SLA feature.

Generally available: Windows server 2022 host support in AKS

https://azure.microsoft.com/en-gb/updates/generally-available-windows-server-2022-host-support-in-aks/

With this generally available feature, Windows Server 2022 is now supported on AKS. Among other improvements related to security, Windows Server 2022 also provides several platform improvements for Windows Containers and Kubernetes. Windows Server 2022 is available for Kubernetes v1.23 and higher.

Public preview: Kubernetes apps on Azure Marketplace

http://azure.microsoft.com/en-us/updates/public-preview-kubernetes-apps-on-azure-marketplace/

You can now browse the catalog of solutions specialized for Kubernetes platforms under Kubernetes apps offer in marketplace and select a solution for click through deployment to Azure Kubernetes Service (AKS) with automated Azure billing.

Public preview: Azure CNI Overlay mode in Azure Kubernetes Service

https://azure.microsoft.com/en-gb/updates/public-preview-azure-cni-overlay-mode-in-azure-kubernetes-service/

Azure CNI Overlay mode is a new CNI network plugin that allocates pod IPs from an overlay network space, rather than from the virtual network IP space.

General availability: AMD-based confidential VMs for Azure Kubernetes Service

http://azure.microsoft.com/en-us/updates/general-availability-amdbased-confidential-vms-for-azure-kubernetes-service/

With the general availability of confidential virtual machines featuring AMD 3rd Gen EPYC™ processors, with Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) security features, organizations get VMs with isolated, encrypted memory, and genuine confidentiality attestation rooted to the hardware.

Public preview: Rules for Azure Kubernetes Service and Log Analytic workspace resources

https://azure.microsoft.com/en-gb/updates/public-preview-rules-for-azure-kubernetes-service-and-log-analytic-workspace-resources/

Enable a set of best practice alert rules on an unmonitored AKS and Log Analytics workspace resource with just a few clicks.

Public preview: Azure Monitor managed service for Prometheus

http://azure.microsoft.com/en-us/updates/public-preview-azure-monitor-managed-service-for-prometheus/

The new fully managed Prometheus compatible service from Azure Monitor delivers the best of what you like about the open-source ecosystem while automating complex tasks such as scaling, high-availability, and long-term data retention. It is available to use as a standalone service from Azure Monitor or as an integrated component of Container Insights and Azure Managed Grafana.

Generally available: ARM64 support in AKS

http://azure.microsoft.com/en-us/updates/generally-available-arm64-support-in-aks/

Announcing the general availability of ARM64 node pool support in AKS. ARM64 provides a better price and compute comparison due to its lower power utilization.

Networking

Public preview: IP Protection SKU for Azure DDoS Protection

https://azure.microsoft.com/en-gb/updates/public-preview-ip-protection-sku-for-azure-ddos-protection/

Instead of enabling DDoS protection on a per virtual network basis, including all public IP resources associated with resources in those virtual networks, you now have the flexibility to enable DDoS protection on an individual public IP.

General availability: Azure DNS Private Resolver – hybrid name resolution and conditional forwarding

http://azure.microsoft.com/en-us/updates/general-availability-azure-dns-private-resolver-hybrid-name-resolution-and-conditional-forwarding/

Azure DNS Private Resolver is a cloud-native, highly available, and DevOps-friendly service. It provides a simple, zero-maintenance, reliable, and secure DNS service to resolve and conditionally forward DNS queries from a virtual network, on-premises, and to other target DNS servers without the need to create and manage a custom DNS solution.

WordPress on Azure App Service supports Azure Front Door Integration

https://azure.github.io/AppService/2022/10/12/Announcing-Preview-of-Azure-Front-Door-integration-with-Azure-App-Service.html

We are happy to announce the preview of WordPress on Azure App Service powered by Azure Front Door which enables faster page loads, enhanced security, and increased reliability for your global apps with no configuration or additional code required.

General availability: Custom network interface name configurations of private endpoints

https://azure.microsoft.com/en-gb/updates/general-availability-custom-nic-name-configurations-of-private-endpoints/

This feature allows you to define your own string name at the time of creation of the private endpoint NIC deployed.

General availability: Static IP configurations of private endpoints

http://azure.microsoft.com/en-us/updates/general-availability-static-ip-configurations-of-private-endpoints/

This feature allows you to add customizations to your deployments. Leverage already reserved IP addresses and allocate them to your private endpoint without relying on the randomness of Azure’s dynamic IP allocation.

Public preview: ExpressRoute Traffic Collector

http://azure.microsoft.com/en-us/updates/public-preview-expressroute-traffic-collector/

ExpressRoute Traffic Collector enables sampling of network flows sent over your ExpressRoute Direct circuits. Flow logs get sent to a Log Analytics workspace where you can create your own log queries for further analysis, export the data to any visualization tool or SIEM (Security Information and Event Management) of your choice.

In development: Introducing ExpressRoute Metro

https://azure.microsoft.com/en-gb/updates/in-development-introducing-expressroute-metro/

ExpressRoute Metro offers you the ability to create private connections via an ExpressRoute Circuit with dual connections from a service provider (AT&T, Equinix, Verizon, etc.) or connecting directly with ExpressRoute Direct over a dual 10 Gbps or 100 Gbps physical port in two different Microsoft Edge locations in a metropolitan area, offering higher redundancy and resiliency.

Virtual Machines

General availability: New Azure proximity placement groups feature

https://azure.microsoft.com/en-gb/updates/ppgintent/

With the addition of the new optional parameter, intent, you can now specify the VM sizes intended to be part of a proximity placement group when it is created. An optional zone parameter can be used to specify where you want to create the proximity placement group. This capability allows the proximity placement group allocation scope (datacenter) to be optimally defined for the intended VM sizes, reducing deployment failures of compute resources due to capacity unavailability.

General availability: Confidential VM option for SQL Server on Azure Virtual Machines

https://azure.microsoft.com/en-gb/updates/general-availability-confidential-vm-option-for-sql-server-on-azure-virtual-machines/

With the confidential VM option for SQL Server on Azure Virtual Machines, you can now run your SQL Server workloads on the latest AMD-backed confidential virtual machines.

General availability: AMD confidential VM guest attestation

http://azure.microsoft.com/en-us/updates/general-availability-amd-confidential-vm-guest-attestation/

It lets you do the following:

  • Use the guest attestation feature to verify that a confidential VM is running on a hardware-based trusted execution environment (TEE) with security features (isolation, integrity, secure boot) enabled.
  • Allow application deployment decisions (whether to launch a sensitive workload) based on the hardware state returned by the library call.
  • Use remote attestation artifacts (token and claims) received from another system (on a confidential VM) to enable relying parties to gain trust to make transactions with the other system.
  • Receive recommendations and alerts of unhealthy confidential VMs in Microsoft Defender for Cloud.
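The relying-party step in the third bullet is a policy decision over the token's claims. The Python below is an added example, not part of the original post and not Microsoft's code, of that decision: it takes a Microsoft Azure Attestation token that has already been signature-verified (RS256 against the issuer's JWKS is assumed to be done upstream) and checks the claims a practitioner would require before launching a sensitive workload. The claim names follow Microsoft's documented sample token for SEV-SNP confidential VMs and should be confirmed against a real token; the issuer, nonce and sample claims are constructed for the example.

```python
import copy
import time
from typing import Any, Dict, List, Optional, Tuple

# Claim names follow the sample MAA token for AMD SEV-SNP confidential VMs in
# Microsoft's documentation; treat them as an assumption and confirm against a real token.
# The issuer is an assumed regional shared MAA provider; use the one your VMs attest to.
TRUSTED_ISSUERS = {"https://sharedeus.eus.attest.azure.net"}


def evaluate_cvm_token(claims: Dict[str, Any], expected_nonce: str,
                       now: Optional[int] = None) -> Tuple[bool, List[str]]:
    """Policy over an already signature-verified attestation token.

    Returns (accept, reasons). Every failed requirement is reported so an
    operator sees the full picture rather than only the first problem.
    """
    now = int(time.time()) if now is None else now
    reasons: List[str] = []

    # Token envelope: trusted issuer and validity window.
    if claims.get("iss") not in TRUSTED_ISSUERS:
        reasons.append("issuer not trusted")
    if claims.get("nbf", 0) > now or claims.get("exp", 0) <= now:
        reasons.append("token outside nbf/exp window")

    # Hardware TEE claims: the VM must be a SEV-SNP CVM in Azure's compliant
    # configuration and must not be debuggable.
    tee = claims.get("x-ms-isolation-tee") or {}
    if tee.get("x-ms-attestation-type") != "sevsnpvm":
        reasons.append("not attested as an AMD SEV-SNP VM")
    if tee.get("x-ms-compliance-status") != "azure-compliant-cvm":
        reasons.append("CVM configuration is not Azure-compliant")
    if tee.get("x-ms-sevsnpvm-is-debuggable") is not False:
        reasons.append("guest is debuggable")

    # Guest boot-chain claims.
    if claims.get("secureboot") is not True:
        reasons.append("secure boot not enabled")
    if claims.get("x-ms-azurevm-debuggersdisabled") is not True:
        reasons.append("kernel/hypervisor debuggers not disabled")

    # Freshness: the nonce the relying party sent must come back in the token.
    nonce = ((claims.get("x-ms-runtime") or {}).get("client-payload") or {}).get("nonce")
    if nonce != expected_nonce:
        reasons.append("nonce mismatch (stale or replayed token)")

    return (not reasons, reasons)


# Constructed sample claims, trimmed to the fields the policy uses.
SAMPLE_CLAIMS: Dict[str, Any] = {
    "iss": "https://sharedeus.eus.attest.azure.net",
    "nbf": 1_667_000_000,
    "exp": 1_667_028_800,
    "secureboot": True,
    "x-ms-attestation-type": "azurevm",
    "x-ms-azurevm-debuggersdisabled": True,
    "x-ms-isolation-tee": {
        "x-ms-attestation-type": "sevsnpvm",
        "x-ms-compliance-status": "azure-compliant-cvm",
        "x-ms-sevsnpvm-is-debuggable": False,
        "x-ms-sevsnpvm-vmpl": 0,
    },
    "x-ms-runtime": {"client-payload": {"nonce": "c0ffee-0001"}},
}
SAMPLE_NOW = 1_667_010_000  # a time inside the token's validity window


def tampered_claims() -> Dict[str, Any]:
    """The same token with two things an attacker or a misconfiguration could change."""
    bad = copy.deepcopy(SAMPLE_CLAIMS)
    bad["x-ms-isolation-tee"]["x-ms-sevsnpvm-is-debuggable"] = True
    bad["x-ms-runtime"]["client-payload"]["nonce"] = "c0ffee-0000"
    return bad


if __name__ == "__main__":
    print(evaluate_cvm_token(SAMPLE_CLAIMS, "c0ffee-0001", SAMPLE_NOW))
    print(evaluate_cvm_token(tampered_claims(), "c0ffee-0001", SAMPLE_NOW))
```

The nonce check is what turns a valid token into a fresh one: without it, a token captured from a healthy CVM yesterday would still pass every hardware claim today. Reject on any reason rather than the first, and log all of them; a debuggable guest and a replayed token are different incidents.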

Announcing the new Ebsv5 VM sizes offering 2X remote storage performance with NVMe-Public Preview

https://techcommunity.microsoft.com/t5/azure-compute-blog/announcing-the-new-ebsv5-vm-sizes-offering-2x-remote-storage/ba-p/3652000

Today, we are announcing the Public Preview of two additional Virtual Machine (VM) sizes, E96bsv5 and E112ibsv5, to the Ebsv5 VM family. The two new sizes are developed with the NVMe protocol and provide exceptional remote storage performance offering up to 260,000 IOPS and 8,000 MBps throughput.

General availability: Azure Monitor predictive autoscale for Azure Virtual Machine Scale Sets

https://azure.microsoft.com/en-gb/updates/general-availability-azure-monitor-predictive-autoscale-for-azure-virtual-machine-scale-sets/

Predictive autoscale uses machine learning to help manage and scale Azure Virtual Machine Scale Sets with cyclical workload patterns. It forecasts overall CPU load to your virtual machine scale set based on your historical CPU usage patterns. By observing and learning from historical usage, it predicts the overall CPU load ensuring scale-out occurs in time to meet demand.

Miscellaneous

Public preview: Microsoft Azure Deployment Environments

https://azure.microsoft.com/en-gb/updates/public-preview-microsoft-azure-deployment-environments/

Azure Deployment Environments has entered public preview. Azure Deployment Environments help dev teams create and manage all types of environments throughout the application lifecycle with features such as:

  • On-demand environments enable developer to spin up environments with each feature branch to enable higher quality code reviews and ensure devs can view and test their changes in a prod-like environment. 
  • Sandbox environments can be used as greenfield environments for experimentation and research.
  • CI/CD pipeline environments integrate with your CI/CD deployment pipeline to automatically create dev, test (regression, load, integration), staging and production environments at specified points in the development lifecycle.
  • Environment types enable dev infra and IT teams to create preconfigured mappings that automatically apply the right subscriptions, permissions and identities to environments deployed by developers based on their current stage of development.
  • Template catalogues housed in a code repo that can be accessed and edited by developers and IT admins to propagate best practices while maintaining security and governance.

Generally available: Azure Site Recovery update rollup 64 – October 2022

https://azure.microsoft.com/en-gb/updates/generally-available-azure-site-recovery-update-rollup-64-october-2022/

Modernized VMware to Azure DR is now generally available. Added support for:

  • Protecting physical machines using the modernized experience.
  • Enabling modernized experience with managed identity and private endpoint turned on.

Azure PowerShell Ignite 2022 announcements

https://techcommunity.microsoft.com/t5/azure-tools-blog/azure-powershell-ignite-2022-announcements/ba-p/3649324

  • general availability of Azure PowerShell modules version 9
  • added 12 modules supporting new services and added more than 500 cmdlets
  • With Az 9 we are providing an actionable error message that indicates why a cmdlet is not found.
  • With Az Config you can centrally configure Azure PowerShell settings.

Active Directory Connector (ADC) for Arc-enabled SQL Managed Instance is now generally available!

https://techcommunity.microsoft.com/t5/azure-arc-blog/active-directory-connector-adc-for-arc-enabled-sql-managed/ba-p/3652020

Azure Arc-enabled data services support Active Directory (AD) for Identity and Access Management (IAM). The Arc-enabled SQL Managed Instance uses an existing on-premises Active Directory (AD) domain for authentication.

Azure Backup

Public preview: Immutable vaults for Azure Backup

https://azure.microsoft.com/en-gb/updates/azure-backup-immutable-vaults-preview/

With immutable vaults, Azure Backup provides you an option to ensure that recovery points that are once created cannot be deleted before their intended expiry time.

Public preview: Multi-user authorization for Backup vaults

https://azure.microsoft.com/en-gb/updates/azure-backup-mua-backup-vaults-preview/

Multi-user authorization (MUA) for Backup adds an additional layer of protection for critical operations on your Backup vaults, providing greater security for your backups. To provide multi-user authorization, Backup uses a resource guard to ensure critical operations are performed with proper authorization.

Public preview: Enhanced soft delete for Azure Backup

http://azure.microsoft.com/en-us/updates/azure-backup-enhanced-soft-delete-preview/

With enhanced soft delete, you get the ability to make soft delete irreversible, which protects soft delete from being disabled by any malicious actors. Hence, enhanced soft delete provides better protection for your backups against various threats.

General availability: Zone-redundant storage support by Azure Backup

http://azure.microsoft.com/en-us/updates/azurebackupzrssupport/

With the general availability of this feature, you have a broader set of redundancy or storage replication options to choose from for your backup data. Based on your data residency, data resiliency and total cost of ownership (TCO) requirements, you can select either locally redundant storage (LRS), zone-redundant storage (ZRS) or geo-redundant storage (GRS).

After Ignite – Up To November 30th

Cost Management

General availability: Azure savings plan for compute

https://azure.microsoft.com/en-gb/updates/general-availability-azure-savings-plan-for-compute/

The savings plan unlocks lower prices on select compute services when customers commit to spend a fixed hourly amount for one or three years. Choose whether to pay all up front or monthly at no extra cost.

General availability: Virtual Machine software reservations

https://azure.microsoft.com/en-gb/updates/general-availability-virtual-machine-software-reservations/

You can now save on Virtual Machine software from third-party publishers by purchasing software reservations.

Hybrid

Generally available: Auto Extension upgrade for Arc enabled Servers

https://azure.microsoft.com/en-us/updates/auto-extension-upgrade-for-arc-servers/

Automatic Extension upgrade is now generally available for Arc enabled Servers using eligible VM extensions. With this release we are adding support for Azure Portal, PowerShell, CLI, and automatic rollback of failed upgrades.

Networking

Visualize and monitor Azure & hybrid networks with Azure Network Watcher

http://azure.microsoft.com/blog/visualize-and-monitor-azure-hybrid-networks-with-azure-network-watcher/

Azure Network Watcher provides an entire suite of tools to visualize, monitor, diagnose, and troubleshoot network issues across Azure and Hybrid cloud environments.

Azure Virtual WAN simplifies networking needs

http://azure.microsoft.com/blog/networking-needs-simplified-with-azure-virtual-wan/

  • Multipool user group support preview
  • Secure hub routing intent preview
  • Hub routing preference (HRP) is generally available
  • Bypass next hop IP for workloads within a spoke VNet connected to the virtual WAN hub generally available
  • Border Gateway Protocol (BGP) Peering with a virtual hub is generally available
  • BGP dashboard is now generally available
  • Virtual Network Gateway VPN over ExpressRoute private peering (AZ and non-AZ regions) is generally available
  • Custom traffic selectors (portal)–generally available
  • High availability for Azure VPN client using secondary profile is generally available
  • ExpressRoute circuit with visibility of Virtual WAN connection
  • Fortinet SDWAN is generally available
  • Aruba EdgeConnect Enterprise SDWAN preview
  • Checkpoint NG Firewall preview

Generally available: Block domain fronting behavior on newly created customer resources

https://azure.microsoft.com/en-us/updates/generally-available-block-domain-fronting-behavior-on-newly-created-customer-resources/

Beginning November 8, 2022, all newly created Azure Front Door, Azure Front Door (classic) or Azure CDN Standard from Microsoft (classic) resources will block any HTTP request that exhibits domain fronting behavior.
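Domain fronting, as the announcement uses the term, is a request whose TLS SNI names one host while its HTTP Host header (or HTTP/2 :authority) names another: the CDN terminates TLS for the first and routes on the second, so the true destination is hidden from anyone watching the wire. The Python below is an added example, not part of the original post and not Microsoft's code, that flags such requests in a simplified log format constructed here (the record fields are assumed), so the same mismatch can be hunted in your own edge or proxy logs for resources created before the November 8 cut-over.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class TlsHttpRecord:
    """One proxied request as an edge might log it (constructed format, field names assumed)."""
    client_ip: str
    sni: Optional[str]    # server_name from the TLS ClientHello; None for plain HTTP or no SNI
    host: Optional[str]   # HTTP/1.1 Host header or HTTP/2 :authority
    path: str


def normalize_host(value: Optional[str]) -> Optional[str]:
    """Canonicalise a host for comparison: lower-case, drop the port, drop a trailing dot.

    A bracketed IPv6 literal such as [2001:db8::1]:443 is reduced to 2001:db8::1.
    """
    if value is None:
        return None
    v = value.strip().lower()
    if v.startswith("["):
        end = v.find("]")
        if end == -1:
            return None            # malformed; treat as absent rather than guess
        v = v[1:end]
    elif v.count(":") == 1:        # host:port (a bare IPv6 literal has more than one colon)
        v = v.split(":", 1)[0]
    v = v.rstrip(".")
    return v or None


def is_domain_fronting(rec: TlsHttpRecord) -> bool:
    """True when the TLS layer and the HTTP layer name different hosts."""
    sni = normalize_host(rec.sni)
    host = normalize_host(rec.host)
    if sni is None or host is None:
        return False               # plain HTTP, or a client that sent no SNI: nothing to compare
    return sni != host


def find_fronted(records: List[TlsHttpRecord]) -> List[TlsHttpRecord]:
    """Return the records that exhibit domain-fronting behaviour."""
    return [r for r in records if is_domain_fronting(r)]


# Constructed sample traffic, not real logs.
SAMPLE = [
    TlsHttpRecord("203.0.113.5", "www.example.com", "www.example.com", "/"),
    TlsHttpRecord("203.0.113.5", "www.example.com", "WWW.EXAMPLE.COM:443", "/api"),    # cosmetic difference only
    TlsHttpRecord("198.51.100.9", "cdn.example.net", "hidden.example.org", "/c2/beacon"),  # fronting
    TlsHttpRecord("198.51.100.9", None, "www.example.com", "/"),                        # plain HTTP
    TlsHttpRecord("192.0.2.44", "www.example.com.", "www.example.com", "/login"),        # FQDN trailing dot
]


if __name__ == "__main__":
    for r in find_fronted(SAMPLE):
        print(f"domain fronting: {r.client_ip} SNI={r.sni} Host={r.host} {r.path}")
```

Normalising before comparing matters in both directions: without it, benign case or port differences would flood the detection with false positives, and with a naive comparison an attacker could slip past a string-equality block by adding a trailing dot. The edge's own block, as announced, is the control; this check is for the logs of resources that predate it and for second-opinion monitoring.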

General availability: Default Rule Set 2.1 for Azure Web Application Firewall

https://azure.microsoft.com/en-gb/updates/general-availability-default-rule-set-21-for-azure-web-application-firewall/

Increase your security posture and reduce false positives with Default Rule Set 2.1, now generally available on Azure’s global Web Application Firewall running on Azure Front Door.

Evolving networking with a DPU-powered edge

https://techcommunity.microsoft.com/t5/azure-stack-blog/evolving-networking-with-a-dpu-powered-edge/ba-p/3672898

SmartNICs or Data Processing Units (DPUs) bring an opportunity to double down on the benefits of a software-defined infrastructure without sacrificing the host resources needed by your line-of-business apps in your virtual machines (VMs) or containers. With a DPU, we can enable SR-IOV usage, removing the host CPU consumption incurred by the synthetic datapath, alongside the SDN benefits.

Public preview: Azure Front Door zero downtime migration

http://azure.microsoft.com/en-us/updates/public-preview-azure-front-door-zero-downtime-migration/

You can use this feature to migrate Azure Front Door (classic) to Azure Front Door Standard and Premium with zero downtime.

Public preview: Azure Front Door integration with managed identities

http://azure.microsoft.com/en-us/updates/public-preview-azure-front-door-integration-with-managed-identities/

Azure Front Door Standard and Premium supports enabling managed identities for Azure Front Door to access Azure Key Vault.

Public preview: Upgrade from Azure Front Door Standard to Premium tier

https://azure.microsoft.com/en-gb/updates/public-preview-upgrade-from-azure-front-door-standard-to-premium-tier/

You can now use this feature to upgrade your Azure Front Door Standard profile to Premium tier without downtime.

General availability: Per Rule Actions on regional Web Application Firewall

https://azure.microsoft.com/en-us/updates/general-availability-per-rule-actions-on-regional-web-application-firewall/

Azure’s regional Web Application Firewall (WAF) with Application Gateway running the Bot Protection rule set and Core Rule Set (CRS) 3.2 or higher now supports setting actions on a rule-by-rule basis.

General availability: TLS 1.3 with Application Gateway

http://azure.microsoft.com/en-us/updates/tls1-3-application-gateway-ga/

Start using the new policies with TLS 1.3 for your Azure Application Gateway to improve security and performance.

Announcing new capabilities for Azure Firewall

http://azure.microsoft.com/blog/announcing-new-capabilities-for-azure-firewall/

  • New GA regions in Qatar central, China East, and China North
  • IDPS Private IP ranges now generally available.
  • Single Click Upgrade/Downgrade now in preview.
  • Enhanced Threat Intelligence now in preview.
  • KeyVault with zero internet exposure now in preview.

AKS

Dapr v1.9.0 now available in the Dapr extension for AKS and Arc-enabled Kubernetes

https://techcommunity.microsoft.com/t5/azure-developer-community-blog/dapr-v1-9-0-now-available-in-the-dapr-extension-for-aks-and-arc/ba-p/3655958

The Dapr v1.9.0 release offers several new features, including pluggable components, resiliency metrics, and app health checks, as well as many fixes in the core runtime and components.

Generally available: Premium SSD v2 disks available on Azure Disk CSI driver

https://azure.microsoft.com/en-gb/updates/generally-available-premium-ssd-v2-disks-available-on-azure-disk-csi-driver/

Premium SSD v2 support is now generally available on AKS.

Public preview: AKS image cleaner

https://azure.microsoft.com/en-gb/updates/public-preview-aks-image-cleaner/

You can now more easily remove unused and vulnerable images stored on AKS nodes.

Public preview: IPVS load balancer support in AKS

https://azure.microsoft.com/en-gb/updates/public-preview-ipvs-load-balancer-support-in-aks/

You can now use the IP Virtual Server (IPVS) load balancer with AKS, with configurable connection scheduling and TCP/UDP timeouts.

Public preview: Azure CNI Powered by Cilium

https://azure.microsoft.com/en-gb/updates/public-preview-azure-cni-powered-by-cilium/

Leverage next generation eBPF dataplane for pod networking, Kubernetes network policies and service load balancing.

Public preview: Rotate SSH keys on existing AKS nodepools

http://azure.microsoft.com/en-us/updates/public-preview-rotate-ssh-keys-on-existing-aks-nodepools/

You can now update SSH keys on existing AKS nodepools post deployment.

Azure VMware Solution

Generally available: New node sizing for Azure VMware Solution

https://azure.microsoft.com/en-gb/updates/generally-available-new-node-sizing-for-azure-vmware-solution/

Optimize workloads with new node sizes, AV52, and AV36P, now generally available in Azure VMware Solution.

Generally available: Azure NetApp Files datastores for Azure VMware Solution

http://azure.microsoft.com/en-us/updates/generally-available-azure-netapp-files-datastores-for-azure-vmware-solution/

Azure NetApp Files datastores is now generally available to run your storage intensive workloads on Azure VMware Solution (AVS).

Virtual Machines

General availability: Ephemeral OS disk support for confidential virtual machines

https://azure.microsoft.com/en-gb/updates/general-availability-ephemeral-os-disk-support-for-confidential-virtual-machines/

Create confidential VMs using Ephemeral OS disks for your stateless workloads.

General availability: New cost recommendations for Virtual Machine Scale Sets

https://azure.microsoft.com/en-gb/updates/general-availability-new-cost-recommendations-for-virtual-machine-scale-sets/

Azure Advisor has expanded its recommendations to include cost optimisation recommendations for Virtual Machine Scale Sets too.

Microsoft Intune user scope configuration for Azure Virtual Desktop multi-session VMs is now GA

https://techcommunity.microsoft.com/t5/azure-virtual-desktop-blog/microsoft-intune-user-scope-configuration-for-azure-virtual/ba-p/3667410

This new update enables you to configure user scope policies using settings catalog, configure user certificates, and configure PowerShell scripts in user context.

Generally available: Encrypt managed disks with cross-tenant customer-managed keys

http://azure.microsoft.com/en-us/updates/generally-available-encrypt-managed-disks-with-crosstenant-customermanaged-keys/

Many service providers building Software as a Service (SaaS) offerings on Azure want to give their customers the option of managing their own encryption keys.

General availability: Bot Manager Rule Set 1.0 on regional Web Application Firewall

http://azure.microsoft.com/en-us/updates/general-availability-bot-manager-rule-set-10-on-regional-azure-web-application-firewall/

This rule set provides you enhanced protection against bots and provides granular control over bots detected by WAF by categorizing bot traffic as good, bad, or unknown bots.

Public preview: Azure Bastion now supports shareable links

http://azure.microsoft.com/en-us/updates/azure-bastion-shareable-links/

Shareable links allow users to connect to target resources via Azure Bastion without access to the Azure portal.

Storage

Generally available: SFTP support for Azure Blob Storage

http://azure.microsoft.com/en-us/updates/sftp-support-for-azure-blob-storage-now-generally-available/

Azure Blob Storage now supports provisioning an SFTP endpoint with just one click.

Public preview: Availability zone volume placement for Azure NetApp Files

http://azure.microsoft.com/en-us/updates/public-preview-availability-zone-volume-placement-for-azure-netapp-files/

Deploy new Azure NetApp Files volumes in Azure availability zones (AZs) of your choice to support workloads across multiple availability zones.

App Services

App Service Environment version 1 and version 2 will be retired on 31 August 2024

http://azure.microsoft.com/en-us/updates/app-service-environment-version-1-and-version-2-will-be-retired-on-31-august-2024/

Migrate to App Service Environment version 3 by 31 August 2024

Generally available: Azure Static Web Apps now fully supports .NET 7

https://azure.microsoft.com/en-gb/updates/generally-available-azure-static-web-apps-now-fully-supports-net-7/

Azure Static Web Apps now supports building and deploying full-stack .NET 7.0 isolated applications.

Public preview: Azure Static Web Apps now Supports Node 18

https://azure.microsoft.com/en-gb/updates/public-preview-azure-static-web-apps-now-supports-node-18/

Azure Static Web Apps now supports building and deploying full-stack Node 18 applications.

Generally available: Static Web Apps support for skipping API builds

https://azure.microsoft.com/en-gb/updates/generally-available-static-web-apps-support-for-skipping-api-builds/

Azure Static Web Apps provides the option to skip the default API builds via GitHub Actions and Azure pipelines. While setting up the YAML build configuration, you can set the skip_api_build flag to true in order to skip building the APIs.

Generally available: Static Web Apps support for stable URLs for preview environments

https://azure.microsoft.com/en-gb/updates/generally-available-static-web-apps-support-for-stable-urls-for-preview-environments/

Use stable URLs with Azure Static Web Apps preview environments.

Generally available: Static Web Apps support for Gitlab and Bitbucket

https://azure.microsoft.com/en-gb/updates/generally-available-static-web-apps-support-for-gitlab-and-bitbucket/

Deploy Static Web Apps using Gitlab and Bitbucket as CI/CD providers.

Generally available: Static Web Apps support for preview environments in Azure DevOps

https://azure.microsoft.com/en-gb/updates/generally-available-static-web-apps-support-for-preview-environments-in-azure-devops/

Deploy applications to staging environments using Azure DevOps.

Public preview: Go language support on Azure App Service

http://azure.microsoft.com/en-us/updates/public-preview-go-language-support-on-azure-app-service/

Go language (v1.18 and v1.19) is natively supported on Azure App Service, helping developers innovate faster using the best fully managed app platform for cloud-centric web apps. The language support is available as an experimental language release on Linux App Service in November 2022.

Generally available Day 0 support for .NET 7.0 on App Service

https://azure.microsoft.com/en-gb/updates/generally-available-day-0-support-for-net-70-on-app-service/

Developers are immediately unblocked to try, test, and deploy .NET apps targeting the new version of .NET, accelerating time-to-market on the platform they know and use today. It is expected to be available in Q2 FY23.

Miscellaneous

Secure your digital payment system in the cloud with Azure Payment HSM—now generally available

http://azure.microsoft.com/blog/secure-your-digital-payment-system-in-the-cloud-with-azure-payment-hsm-now-generally-available/

Azure Payment HSM is now generally available: a BareMetal Infrastructure as a Service (IaaS) offering that gives customers native access to payment HSMs in the Azure cloud. With Azure Payment HSM, customers can seamlessly migrate PCI workloads to Azure and meet the most stringent security, audit compliance, low latency, and high-performance requirements needed by the Payment Card Industry (PCI).

Automated Key Rotation Generally Available on Azure Key Vault Managed HSM

https://techcommunity.microsoft.com/t5/azure-confidential-computing/automated-key-rotation-generally-available-on-azure-key-vault/ba-p/3671635

The feature allows you to set up an auto-rotation policy that automatically generates a new key version of the customer-managed key (CMK) stored in the HSM at a specified frequency.

General availability: Azure Automation supports Availability zones

http://azure.microsoft.com/en-us/updates/azure-automation-availability-zones/

Azure Automation now supports Availability zones to provide improved resiliency and reliability to the service, runbooks and other automation assets.

Public preview: Microsoft Azure Managed HSM TLS Offload Library

https://azure.microsoft.com/en-gb/updates/public-preview-managed-hsm-tls-offload-library/

Azure Managed HSM now supports SSL/TLS Offload for F5 and Nginx.

Generally available: Additional Always Free Services for Azure Free Account and PAYG

http://azure.microsoft.com/en-us/updates/generally-available-additional-always-free-services-for-azure-free-account-and-payg/

With an Azure free account, you can explore with free amounts of 55+ always free services.

AVD

Announcing general availability of FSLogix profiles for Azure AD-joined VMs in Azure Virtual Desktop

https://techcommunity.microsoft.com/t5/azure-virtual-desktop-blog/announcing-general-availability-of-fslogix-profiles-for-azure-ad/ba-p/3671310

By leveraging Azure AD Kerberos with Azure Files, you can seamlessly access file shares from Azure AD-joined VMs and use them to store your FSLogix profile containers.

Management

General availability: Manage your Log Analytics Tables in Azure Portal

http://azure.microsoft.com/en-us/updates/general-availability-manage-your-log-analytics-tables-in-azure-portal/

Microsoft is announcing the general availability of a new experience for managing Azure Log Analytics table metadata from the Azure Portal. With this new UI you can view and edit table properties directly from the Azure Portal in the Log Analytics workspaces experience.

New Project Flash Update: Advancing Azure Virtual Machine availability monitoring

http://azure.microsoft.com/blog/advancing-azure-virtual-machine-availability-monitoring-with-project-flash-update/

  • General availability of VM availability information in Azure Resource Graph
  • Preview of a VM availability metric in Azure Monitor
  • Preview of VM availability status change events via Azure Event Grid

General availability: Azure Monitor agent custom and IIS logs

http://azure.microsoft.com/en-us/updates/general-availability-azure-monitor-agent-custom-and-iis-logs/

This new capability is designed to enable customers to collect the text-based logs generated by their service or application. Likewise, Internet Information Services (IIS) logs for a customer's service can be collected and transferred into a Log Analytics Workspace table for analysis.

General availability: Azure Monitor Logs, custom log API and ingestion-time transformations

http://azure.microsoft.com/en-us/updates/general-availability-azure-monitor-logs-custom-log-api-and-ingestiontime-transformations/

With these new features, you will be able to add a custom ingestion-time transformation to data flowing into Azure Monitor Logs. These transformations can be used to set up ingestion-time extraction of fields and parsing of complex logs, obfuscation of sensitive data, removal of unneeded fields or even dropping full events for cost control, and many more advanced possibilities.

Announcing GA of revamped Custom Logs features

https://techcommunity.microsoft.com/t5/azure-observability-blog/announcing-ga-of-revamped-custom-logs-features/ba-p/3687366

  • GA of the Log Ingestion API
  • GA of the Ingestion-time Transformations feature
  • A nominal fee per GB dropped will be charged for any data dropped beyond 50% of incoming data, calculated daily

Azure Backup

Limited preview: Azure Backup support for confidential VMs using Platform Managed Keys

https://azure.microsoft.com/en-gb/updates/limited-preview-azure-backup-support-for-confidential-virtual-machines-using-platform-managed-keys/

You can use this feature to back up confidential VMs using Platform Managed Keys.

Public preview: Cross Subscription Restore for Azure Virtual Machines

http://azure.microsoft.com/en-us/updates/preview-cross-subcription-restore-for-azure-virtual-machines/

Cross Subscription Restore allows you to restore an Azure Virtual Machine, by creating a new VM or restoring disks, to any subscription (honoring the RBAC capabilities) from the restore point created by Azure Backup.

Microsoft Ignite 2018: Implement Cloud Backup & Disaster Recovery At Scale in Azure

Speakers: Trinadh Kotturu, Senthuran Sivananthan, & Rochak Mittal

Site Recovery At Scale

Senthuran Sivananthan

Real Solutions for Real Problems

Customer example: Finastra.

  1. BCP process: Define RPO/RTO. Document DR failover triggers and approvals.
  2. Access control: Assign clear roles and ownership. Leverage ASR built-in roles for RBAC. Different RS vault for different BU/tenants. They deployed 1 RSV per app to do this.
  3. Plan your DR site: Leveraged region pairs – useful for matching GRS replication of storage. Site connectivity needs to be planned. Pick the primary/secondary regions to align service availability and quota availability – change the quotas now, not later when you invoke the BCP.
  4. Monitor: Monitor replication health. Track configuration changes in environment – might affect recovery plans or require replication changes.
  5. DR drills: Periodically do test failovers.

Journey to Scale

  • Automation: Do things at scale
  • Azure Policy: Ensure protection
  • Reporting: Holistic view and application breakdown
  • Pre- & Post- Scripts: Lower RTO as much as possible and eliminate human error

Demos – ASR

Rochak does the demos of recent features. Azure Policy support is coming soon.

It will assess whether VMs are being replicated or not and display non-compliance.

Expanding the monitoring solution.

Demo – Azure Backup & Azure Policy

Trinadh creates an Azure Policy and assigns it to a subscription. He picks the Azure Backup policy definition. He selects a resource group of the vault, selects the vault, and selects the backup policy from the vault. The result is that any VM within the scope of the policy will automatically be backed up to the selected RSV with the selected policy.

Azure Backup & Security

Supports Azure Disk Encryption. KEK and BEK are backed up automatically.

AES 256 protects the backup blobs.

Compliance

  • HIPAA
  • ISO
  • CSA
  • GDPR
  • PCI-DSS
  • Many more

Built-in Roles

Cumulative:

  • Backup Reader: read-only
  • Backup Operator: Enable backup & restore
  • Backup Contributor: Policy management and Delete/Stop Backup

Protect the Roles

PIM can be used to guard the roles – protect against rogue admins.

  • JIT access
  • MFA
  • Multi-user approval

Data Security

  • PIN protection for critical actions, e.g. delete
  • Alert: Notification on critical actions
  • Recovery: Data kept for 14 days after delete. Working on blob soft delete

Backup Center Demo

Being built at the moment. Starting with VMs now but will include all backup items eventually.

All RSVs in the tenant (doh!) managed in a central place.

Aimed at the large enterprise.

They also have Log Analytics monitoring if you like that sort of thing. I’m not a fan of LA – I much prefer Azure Monitor.

Reporting using Power BI

Trinadh demos a Power BI reporting solution that unifies backup data from multiple tenants into a single report.

Microsoft Ignite–Building Enterprise Grade Applications With Azure Networking’s Delivery Suite

Speakers: Daniel Grickholm & Amit Srivastava

I arrived late to this session after talking to some product group people in the expo hall.

Application Gateway Demo

We see the number of instances dynamically increase and cool down – I think there was an app on Kubernetes in the background.

Application Gateway

Application gateway ingress controller for AKS v2.

  • Attach WAG to AKS clusters.
  • Load balance from the Internet to pods
  • Supports features of K8s ingress resource – TLS, multisite and path-based

Demo: we see a K8s containers app published via the WAG. The backend pool is shown – IPs of containers. Deleting the app in K8s removes the backend pool registration from the WAG (this fails in the demo).

Web Application Firewall

Demo – WAF

App behind a firewall with no exclusion parameters. Backend pool is a simple PHP application. Second firewall is using the same backend VM as a backend pool – a scan exclusion is set up to ignore any field which matches a “comments” string. The second one allows a comment post, the other one does not.

Front Door: get performance closer to the customer. It runs in edge sites, not the Azure data centers.

Once you hit an edge site via Front Door, you are on the Azure WAN.

ADN = application delivery network

Big focus on SLA HA and performance. Built for Office.

5 years old and mature.

Can work in conjunction with WAG, even if there is some overlap, e.g. SSL termination.

What will be in the next demo:

He has an app for the USA in Central US and another for the UK deployed in UK South. He shows the Front Door creation: name/resource group, then a configuration screen during creation that is a bit different from the usual Azure one. Create a global CNAME and session affinity in the frontend hosts. Create backends – app service, gateways, etc. You can set up host headers for custom domains, port translation, priority for failover, and weight for load balancing. You can add health probes to the backend pools, to a URL path, HTTP/S, and set the interval. Finally you create a routing rule; this maps frontend hosts to backend pools. You can set whether it should be HTTP and/or HTTPS.

He skips to one he created earlier. When he browses the two apps that are in it, he is sent to the closest instance – in Central US. You can set up rules to block certain countries.

You can implement rate limiting and policies for fairness.

You can implement URL rewrites to map to a different path on the web servers.

This is like traffic manager + WAG combined at the edges of the Azure WAN.

Front Door load balances between regions. WAG load balances inside the region – that’s why they work together.

Microsoft Ignite 2018–Functions Deep Dive

Functions v2.0 GA

  • New functions quick starts by language
  • Updated runtime built on .NET Core 2.1
  • .NET functions loading changes
  • New extensibility model
  • Run code from a package
  • Tooling updates: CLI, Visual Studio and VS Code
  • Durable functions GA

Differences From v1.0

There is a long list online:

  • Moved from .NET Framework 4.7.1 to .NET Core 2.1
  • Added assembly violation
  • Supports more Node.js
  • Languages are external to the host
  • Supports webhooks as triggers
  • Single language per function app instead of multiple
  • Use just application insights for observing code performance

Binding and Integrations

  • SDK functions: HTTP/Timer
  • Storage
  • Service Bus
  • Event Hubs
  • Cosmos DB
  • Event Grid
  • And more

And then lots of bullet point to explain architecture that didn’t really explain it. A picture tells a thousand words.

Planning Network Security For Your Mission-Critical Workloads With Virtual Networks

Speakers: Anitha Adusumilli and Mario Lopez

Networking ensures that data remains in your private space in the cloud. So it's not just a VM thing.

Understanding Cloud Challenges

  • Dynamic, scalable workloads – no fixed network perimeter
  • Attack vectors based on application access patterns
  • Risk of data exposure to exploits, with a mix of IaaS, PaaS, and SaaS services

Cloud network security is evolving as the apps change!

Planning Network Security in Azure

  • Similar controls as on-premises.
  • Pick your network security offerings
  • Layer and scale
  • More flexible than on-premises – faster to deploy/tear down
  • Azure offers managed services

You can build a VNet and add subnets as security boundaries. You can add peered VNets locally and in other regions. And you might have external connections via VPN/ExpressRoute.

There are a mixture of Azure-native and third-party security offerings.

Application access Patterns

Use these to decide what network security solution to pick. Probably will be a mixture of the below.

  • Service endpoints
  • NSGs
  • ASGs
  • User-defined routes
  • DDoS Protection
  • WAF
  • Azure Firewall
  • NVAs

Security with Azure Services

VMs don’t need public IPs. However, when you use Azure services, they have public IPs, e.g. Azure SQL. This might require you to allow outbound connections that you might not have allowed before. With a default deployment, anyone with the right permissions can access the service from anywhere. But if you add services to the VNet via service endpoints and apply the service firewalls, e.g. on Azure SQL, then you can restrict access to these platform services.

Two patterns:

  • Add services to a VNet where the VNet is all that can access the service
  • Add services to a VNet to allow private access, but public access is also possible.

Pattern 1: Deploy services into VNet

Example, App Services Environment (ASE) is deployed into a subnet.

Security:

  • NSGs
  • NVAs
  • User-defined routing can control the direction of traffic, e.g. a private deployment can only route via a gateway (forced tunnelling)
  • Services in Azure might require outbound access from your VNet. Use Service Tags to limit outbound traffic to local service.

New service tags:

Azure Webapps will be getting preview support soon – an alternative to P2S VPN.

Pattern 2: Service Endpoints

  • Extend VNet identity to the service
  • Secure your critical Azure resources to only your VNet
  • Traffic remains on the Microsoft backbone

How to Secure Your Resources Using Service Endpoints

Normal flow in new setup:

  1. Set the service endpoint on your subnet
  2. Lock your service resource to your subnet

One-Time Migration:

  1. Add a VNet rule without the endpoint
  2. Set endpoint on subnet
  3. Remove the public IP setting

All scenarios: Remove “Allow All Azure Services” or “Allow All” settings.

Service Endpoint: Scaling Security

  • Resource locked to a VNet: No access to other VNets or Internet or on-premises.
  • Permit more VNets: Turn on service endpoints on the VNets and add them under “Virtual Networks” on the resource
  • Permit on-premises: Add the on-prem NAT IPs under “firewall” on resource.

Careful – locking network access down can break Azure services that need to reach the resource, such as Backup. There are docs for the workarounds – ask Anitha Adusumilli.

Stitching Services Together

  • Secure Azure resources to managed service subnets with endpoints
  • More

Securing VNet traffic: Services Tags in NSGs

  • Restrict network access to just the Azure services you use.
  • Maintenance of IP addresses for each tag provided by Azure (Service Tags)
  • Support for global and regional tags (varies by service)

Service endpoints: Data-Exfiltration Risk

  • NSG service tags not enough to prevent data exfiltration from VNet
  • Access to unauthorized accounts possible

Option 1: filtering with Azure Firewall or NVAs

  • Service endpoints bypass NVAs for service traffic, if set on originating subnet
  • Optionally, continue using NVAs for auditing/filtering service traffic
  • More

Service Endpoint Policies

  • Prevent unauthorized access to storage accounts
  • Restrict vnet access to specific azure storage accounts
  • Granular access control over service endpoints
  • West Central US and West US2 today

Demo: Service Endpoint Policies

She has a VNet with a subnet. Service endpoints is turned on for Storage (all) in the subnet. She only wants to allow access to a single storage account. Adds that storage account to the subnet’s service endpoint. Logs into VM in the subnet and runs Storage Explorer. Can access files in the configured storage account. Another storage account can also be accessed. Goes to Service Endpoint Policies – a top level resource like NSGs. Adds a new policy, adds it to resource group and names it. Sets a scope – all storage accounts, all accounts in resource group, or specific storage account – picks the allowed storage account. Associates the policy with the subnet – like NSG. Now in the VM, only the authorized storage account can be accessed in Storage Explorer.
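The two controls in this part of the session are easy to confuse: the service endpoint plus the resource firewall decides who may reach *your* storage account (and, once “Allow All” is removed, cuts off on-premises, the Internet and other VNets unless you add them back under “Virtual Networks” or “Firewall”), while a service endpoint policy is enforced at the source subnet and decides which storage accounts a VM may talk to at all, which is what stops exfiltration to an attacker-owned account that has its own firewall wide open. The Python below is an added illustration of that evaluation order written for this post; it is not Azure's own logic, the subnet IDs, account names and CIDRs are made up, and the trusted-services bypass is simplified to a single flag.

```python
"""Model of how a service endpoint, a storage account's network rules and a
service endpoint policy combine to allow or deny a request. Added illustration
of the rules in the session notes, not Azure's own evaluation logic; every
subnet ID, account name and CIDR below is made up."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Subnet:
    subnet_id: str
    storage_endpoint: bool = False       # Microsoft.Storage service endpoint on the subnet
    # Service endpoint policy: the storage account IDs this subnet may reach.
    # None means no policy is attached (any account is reachable via the endpoint).
    endpoint_policy: Optional[Set[str]] = None


@dataclass
class StorageAccount:
    account_id: str
    default_action: str = "Allow"        # the untouched default: all networks
    allow_azure_services: bool = True    # the "Allow (trusted) Azure services" bypass
    vnet_rules: Set[str] = field(default_factory=set)  # subnet IDs allowed via endpoint
    ip_rules: List[str] = field(default_factory=list)  # public CIDRs, e.g. on-prem NAT


@dataclass
class Caller:
    subnet: Optional[Subnet] = None      # a VM inside a VNet subnet
    public_ip: Optional[str] = None      # what the account sees without an endpoint
    trusted_azure_service: bool = False  # a platform service such as backup


def evaluate(caller: Caller, account: StorageAccount) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request from caller to account."""
    sub = caller.subnet
    # 1. A service endpoint policy is enforced at the source subnet, before the
    #    request leaves the VNet: this is the data-exfiltration control.
    if sub and sub.storage_endpoint and sub.endpoint_policy is not None:
        if account.account_id not in sub.endpoint_policy:
            return False, "blocked by service endpoint policy on the source subnet"
    # 2. Account-side firewall. With the default Allow nothing is filtered,
    #    which is why the notes say to remove "Allow All" first.
    if account.default_action == "Allow":
        return True, "account allows all networks"
    # 3. Traffic from a subnet with the endpoint carries the VNet identity, so
    #    only a virtual network rule can admit it (its NAT IP is never seen).
    if sub and sub.storage_endpoint:
        if sub.subnet_id in account.vnet_rules:
            return True, "virtual network rule matched"
        return False, "subnet not listed under Virtual Networks on the account"
    # 4. Everyone else (subnet without endpoint, on-prem NAT, Internet) is seen
    #    by public IP and needs an entry under Firewall ...
    if caller.public_ip:
        ip = ipaddress.ip_address(caller.public_ip)
        if any(ip in ipaddress.ip_network(cidr) for cidr in account.ip_rules):
            return True, "IP rule matched"
    # 5. ... or the trusted-services bypass, the hole that "Allow All Azure
    #    Services" leaves open for service traffic from any tenant.
    if caller.trusted_azure_service and account.allow_azure_services:
        return True, "trusted Azure services bypass"
    return False, "default action Deny"


def scenarios() -> Dict[str, bool]:
    """Walk through the notes' steps and record who can reach what."""
    app = Subnet("vnet-prod/app", storage_endpoint=True)
    dev = Subnet("vnet-dev/web", storage_endpoint=True)
    locked = StorageAccount("st-prod-data", default_action="Deny",
                            allow_azure_services=False,
                            vnet_rules={"vnet-prod/app"},
                            ip_rules=["203.0.113.0/24"])   # on-prem NAT range
    untouched = StorageAccount("st-default")                # still Allow all networks
    attacker = StorageAccount("st-attacker-owned")          # exfiltration target
    vm = Caller(subnet=app)
    onprem = Caller(public_ip="203.0.113.7")
    internet = Caller(public_ip="198.51.100.9")
    backup_svc = Caller(trusted_azure_service=True)
    results = {
        "untouched_account_from_internet": evaluate(internet, untouched)[0],
        "locked_from_vm_via_endpoint": evaluate(vm, locked)[0],
        "locked_from_other_vnet": evaluate(Caller(subnet=dev), locked)[0],
        "locked_from_onprem_nat": evaluate(onprem, locked)[0],
        "locked_from_internet": evaluate(internet, locked)[0],
        "locked_from_trusted_service": evaluate(backup_svc, locked)[0],
        "exfil_without_policy": evaluate(vm, attacker)[0],
    }
    # Attach a service endpoint policy to the app subnet: only our own account.
    app.endpoint_policy = {"st-prod-data"}
    results["exfil_with_policy"] = evaluate(vm, attacker)[0]
    results["legit_with_policy"] = evaluate(vm, locked)[0]
    return results


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name:34} {'ALLOW' if allowed else 'DENY'}")
```

Two results are the ones to remember. “exfil_without_policy” is allowed even though the production account is fully locked down, because the account firewall only protects the account it is on; only the endpoint policy turns that into a deny. And “locked_from_trusted_service” is denied once the Azure-services bypass is off, which is the backup breakage the speaker warns about above, so plan that exception before flipping the switch.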

Switch to Mario for part 2.

Securing Access From Internet

  • DDoS attacks
  • Web Application Vulnerabilities

New in DDoS Standard

  • Attack analysis
  • Rapid Response – Specialized rapid response team support during active attacks (via support ticket). Custom mitigation policy configuration.
  • Azure Security Center Integration – intelligent DDoS protection virtual network recommendation

New in WAF

They’re flattening the number of subnets using ASGs – tiers of the app in one subnet, but rules based on ASGs instead of subnets. Subnets are then deployed for Edge/DMZ and app. Using ASGs for micro-segmentation.

Putting it All Together

Microsoft Ignite 2018–Microsoft Information Protection

Speakers:

Questions to Microsoft

  • My data is scattered. I might not even know where it is.
  • I cannot create unified policies for my data security
  • How do I protect PII for GDPR, etc.

Microsoft Information Protection is a suite of solutions, designed from the ground up, to protect data no matter where it is.

750 regulatory bodies around the world making up to 200 new data security decisions every month.

2025 – 165 zettabytes of data to manage and secure.

Microsoft Information Protection

  • Discover
  • Classify
  • Protect
  • Monitor

Across:

  • Devices
  • Apps
  • Cloud services
  • On-premises

MS Solution

  • Unified solution to discover, classify and label
  • Automatically apply policy-based actions
  • Proactive monitoring to identify risks
  • Broad coverage across locations

The Way The MS Solution Was

Point solutions in market today:

  • O365 information protection
  • Windows information protection
  • Azure information protection

An incomplete solution because they are point solutions.

MIP unifies these solutions. A new unified UI.

Specialised Workspaces

  • Microsoft 365 Security Center: security.microsoft.com
  • Microsoft 365 Compliance Center: compliance.microsoft.com

Clients

Obvious support on Windows Office. Now on Office/Mac and coming to Office/Mobile. Should be GA on all clients by the end of the year.

SharePoint Online will be showing labels, etc when creating sites/groups. Can apply retention labels in SharePoint Online too – auto-classification will determine if a retention policy should be applied.

Beyond Office 365

Windows Information Protection is a Windows 10 feature. It distinguishes between company and personal data and can apply rules to company data. Windows 10 (since 1809) will understand MIP labels applied to a file. If you try to copy/paste info from a protected file to Twitter, for example, Windows 10 will prevent that. Or if you try to attach the file in personal Outlook, or Gmail, etc. It will also prevent a copy to USB – no more superglue!

Compatibility for Existing AIP Customers

  • New M365 E3 customers can configure labels using the SCC portal. They can try out the MIP-enabled AIP add-in on Windows. Support is coming to Mac and Mobile.
  • M365 or existing AIP customers can use the AIP portal.

Customers will be transitioned over time.

Azure Information Protection Scanner

Scan:

  • File server shares
  • SharePoint Server 2010, 2013, 2016

Can discover data and force labelling/protection of documents.

I got bored here – “demos” that were just screenshots on PowerPoint. Weak!

Microsoft Ignite 2018–Windows Server 2019 Deep Dive

Speaker: Jeff Woolsey

Azure

Hybrid is a first-thought thing in MS. It’s not bolted on. How do they make Azure one click away for customers who need to connect?

Azure Pillar #2 is hybrid. Windows Server 2019 pillar #1 is Hybrid.

Admin Center

1.7 million servers under management since it launched a few months ago. All new features in Windows Server are in this free download. MMC development has stopped. It’s also the portal to hybrid. Feedback-driven evolution. Partner solutions built in – Fujitsu and DataON for hardware management highlighted. SquaredUp SCOM and Azure monitoring highlighted. RiverBed highlighted too. HPE is in development (looks limited compared to Fujitsu and DataON). Lenovo has something coming too. No mention of Dell/EMC who are stuck in the 1990s.

Still a place for System Center – bare metal deployment, application monitoring, etc.

Hybrid

The Azure Network Adapter. If you have a machine in an isolated location that needs to connect to an Azure vNet then one click in Admin Center and it creates a point-to-site VPN connection to an existing gateway. ASR is a one-click replication. Azure Backup now can be enabled on WS2012+ without installing MARS via Admin Center. W2008 R2 still requires a manual MARS installation. Very simplified deployment for file/folder and system state backup from the OS.

Azure Update Management

Extending Windows Update management from Azure to on-premises. This was a very complex deployment in the past. But through Admin Center it’s a short wizard.

Storage Replica TO Azure

This is in preview. You create a VM in Azure via Admin center, join it to a domain, etc via Admin Center. That’s the target. Then replication magically happens – didn’t see the required networking piece here so it might be a bit of an over-simplification.

Hyper-Converged Infrastructure

Hyper-converged is a play in server hardware modernisation – performance, security, support, etc. A video from Lenovo on their XClarity server management solution, which also integrates into Admin Center – in preview today.

Storage Class Memory

Flash first came by USB. Then it moved to SAS/SATA. Then to PCI. Then NVMe to make it faster. Moving closer to the processor to reduce latency and increase performance. Storage Class Memory is next to the processor in a DIMM socket. It can be configured to look like storage, memory, or a mix of both. Can be an “insanely high speed cache”.

Demo on HCI by Cosmos Darwin. The previous demo in 2016 was 6.69 million IOPS from 16 servers. This year they tested with Intel hardware (Optane) to get more performance. They deployed 12 nodes running with just these drives (2 per node) for caching and NVMe for capacity. Also used future version Xeons. 100 TB of usable storage with free PCI slots and drive bays. The caching devices are striped at the memory controller level. Each NVMe is 8 TB. They fire up VMs on one node and hit 1 million IOPS. Turn on node 2 and hit 2 million IOPS. Then they power up the VMs on all 12 nodes and hit 13 million IOPS from 24 U of servers. The growth was linear.

System Insights

  • Via Admin Center
  • Predictive capabilities for Windows Server 2019 locally on the server.
  • Predictive analytics
  • In the charts, it shows historical metrics, and projects how this will continue into the future.
  • Suggested actions, e.g. Extend volume Azure File Sync, Disk cleanup
  • Transform reactive emergencies into proactive management experiences.

Storage Migration

Customers find moving data to be hard. That means old OS versions are hanging around. Data, shares, folder/share ACLs, EFS, IP addresses, computer names, etc. must all be movable. Storage Migration Service allows you to move data to Azure or to file servers. It supports sources from W2003 up to WS2019. It inventories the source server. It then copies the data over to the target server. Cutover hides the source server, freezes it, and transfers names/addresses to the new server so it becomes the active file server. You can export a CSV file with a log of every file transfer transaction with all the file attributes.

Azure File Sync

Modernize the file server to give it virtually bottomless capacity in Azure. 100 TiB per share support.

Storage

  • Admin Center integration
  • Deduplication with ReFS
  • Mirror accelerated parity
  • Storage class memory support
  • Cluster sets: a cluster of clusters with hundreds of nodes in a single unified namespace
  • Industry leading scale

Cosmos Darwin comes back out. Storage Spaces Direct isn’t just for VMs. Another scenario is a backup target where customers want larger capacity. Now it supports 4 PB of raw storage in a single cluster. With cluster sets, that increases. 4 PB is Wikipedia in every language with the complete edit history 50 times. Demo of QCT servers with 527 drives – 72 drives per physical server. 3.64 PB of raw capacity. QCT is selling this today. They’ve benchmarked with Veeam, doing 25 GB/s of sustained data writes per hour.

Scales are up. 400 TB per server, 64 volumes per cluster.

Software-Defined Networking

  • Virtual network peering
  • Encrypted subnets
  • Egress bandwidth metering
  • IPv6 support, single and dual stack
  • Fabric ACLs, SDN ACL logging
  • Gateway performance improvements

Management is coming. Windows Admin Center management for Software-defined networking. Add network Controller to Admin Center. Then add subnets. SDN for mere mortals. SDN monitoring is coming to Admin Center too.

Security

Shielded VMs.

Password Protection with Windows Server AD

Central risk: passwords. Azure AD solved this issue in Premium. This has been projected down into AD DS. You get the same password checking on-prem that you get in the cloud. A free download that can be installed on WS2012 R2 domain controllers and later. Password enforcement will be the same in the cloud as on-prem. Can be deployed in audit or enforcement modes. The agent on the DC talks to a proxy service and the proxy talks to the cloud. You register the proxy with the cloud and then install the agent on the DCs. And then cloud-based enforcement starts to work. You can define your own weak password lists.
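To make the “weak password list” and audit/enforce modes concrete, here is an added example (not code from the talk or from the product) that scores a candidate password against a global list plus a custom list. The normalisation and five-point scoring are assumptions modelled on Microsoft’s public description of the feature; the banned words, the tenant term “Contoso” and the user names are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Normalisation: lower-case, then the common substitutions 0->o, 1->l, $->s, @->a
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})
# Constructed stand-in for the global banned list (the real list is Microsoft's).
GLOBAL_BANNED = ("password", "welcome", "qwerty", "letmein", "summer")
MIN_SCORE = 5  # assumed threshold: one point per banned match, one per leftover char


@dataclass
class Verdict:
    password: str
    score: int
    matches: list[str] = field(default_factory=list)
    would_reject: bool = False
    accepted: bool = True  # in audit mode weak passwords are logged, not blocked


def normalize(password: str) -> str:
    return password.lower().translate(SUBSTITUTIONS)


def strip_banned(normalized: str, banned: list[str]) -> tuple[list[str], str]:
    """Greedily remove banned terms, longest first, so 'password' beats 'pass'."""
    found, rest = [], normalized
    for term in sorted(set(banned), key=len, reverse=True):
        while term and term in rest:
            found.append(term)
            rest = rest.replace(term, "", 1)
    return found, rest


def evaluate(password: str, custom_banned=(), user_terms=(), mode="enforce") -> Verdict:
    """Score a candidate; mode is 'enforce' or 'audit', like the DC agent's modes."""
    banned = [normalize(t) for t in GLOBAL_BANNED]
    banned += [normalize(t) for t in custom_banned]
    # assumed rule: user-specific terms (names, tenant) count once longer than 3 chars
    banned += [normalize(t) for t in user_terms if len(t) > 3]
    found, rest = strip_banned(normalize(password), banned)
    score = len(found) + len(rest)
    weak = score < MIN_SCORE
    return Verdict(password, score, found, weak, accepted=(not weak) or mode == "audit")


def audit_report(candidates, custom_banned=(), user_terms=()) -> list[str]:
    """Audit-mode style log lines, one per password that enforcement would block."""
    lines = []
    for pw in candidates:
        v = evaluate(pw, custom_banned, user_terms, mode="audit")
        if v.would_reject:
            lines.append(f"would reject score={v.score} matches={','.join(v.matches)}")
    return lines


if __name__ == "__main__":
    # constructed sample passwords, custom list and user names
    for pw in ("P@ssword123", "Summer18!", "C0ntoso19", "Tr0ub4dor&3"):
        v = evaluate(pw, custom_banned=["Contoso"], user_terms=["Aidan", "Finn"])
        print(f"{pw:12} score={v.score:2} matches={v.matches} accepted={v.accepted}")
```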

Features on Demand

  • Server Core numbers are allegedly increasing because of Admin Center.
  • What if I have to go to the VM and I need local tools.
  • What if the software installer won’t install on Server Core?
  • Features on Demand is Server Core with an additional ISO of around 340 MB.
  • It’s to support those apps that won’t install.
  • It also adds local debugging and tools.
  • When installed you get MMC.EXE, Event Viewer, File Explorer, Device Manager, Resource Monitor, Performance Monitor, PowerShell ISE, Failover Cluster Manager.
  • Internet Explorer is in a special ISO by itself.

Exchange Server 2019 supports Core out of the box. SQL Server supports Core already.

Best practices:

  1. Start with Windows Server Core with Admin Center – best way for server hygiene
  2. Add FOD – use it – remove it.
  3. Finally use Windows Server with Full Desktop

Looking Forward

  • A new release of Windows Server and Admin Center every 2 weeks for Insiders.
  • There is the semi-annual channel for application innovation twice per year.
  • The next LTSC will be out in 2-3 years time.

Real World Architecture Considerations for Azure–How To Succeed And What To Avoid

Speakers: Tiago Barbosa and Will Eastbury

FastTrack For Azure’s Approach To Azure

FYI, FastTrack is an architectural assistance service for large customers:

  1. Architectural review sessions and/or design/solution reviews
  2. Apply the FastTrack review and guidance framework
  3. Inform and disseminate information from the Azure Architecture Center

  • Design patterns
  • Anti-patterns
  • Reference Architecture
  • Best practices

Where to Start?

  • Purpose: What is the reason for this – high-level functional requirements. What will this solution do?
  • Success criteria: How do you measure success? What is the direction?
  • Stakeholders: Are there internal or external customers involved with an SLA too?

What do we Consider?

  • Business objectives of the solution
  • Pillars of software quality
  • Functional aspects
  • Availability and resilience
  • Performance and scalability
  • Governance, etc
  • Dev/test
  • Security and ID
  • Cost design
  • Other general observations
  • Service specific aspects

Things To Understand

  • Start with simplicity and low overall cost
  • Add tiering and scalability
  • Add multi-region failover and HA

General Good Practice

  • Determine the budget and NFRs of the solution
  • Understand the Azure storage performance envelope
  • Scale OUT, NOT up.

Choose the Compute Stack Options

  1. IaaS
  2. PaaS
  3. Serverless

Move as close to serverless as you can (me).

Infrastructure Patterns

Some high-level diagrams similar to flow charts that document processes.

I got bored here.

What to Avoid – Scalability

  • Avoid: Keep creating new instances of shared objects
  • Avoid: Sharing infrastructure between test and production environments

What to Avoid – Performance

  • Avoid: Lack of caching or use excessive caching of stale data
  • Avoid: Ignore the differences in cloud latency envelope

What to Avoid – Resiliency

  • Avoid: High SLA, single-region deployment in Azure
  • Avoid: Lack of strategy for resilience within services
  • Avoid: Ignore single points of failure even for low SLA

What to Avoid – DevOps

  • Avoid: Lack of continuous integration
  • Avoid: Lack of telemetry insight

What To Avoid – Anti-Patterns

  • Busy database: Offloading business logic to the database consumes valuable CPU. Do it in the app layer.
  • Busy front-end: Offload processing to a background thread to preserve front-end performance. Don’t consume front-end CPU.
  • Select * from everywhere: Querying more data than needed slows performance.
  • Blocking I/O: Wasting CPU because the thread is locked while waiting on a result.

Customer Story – Flybe

A budget airline in the UK.

I stopped listening here.

Backup Your Data With Microsoft Azure Backup

Speakers: Saurabh Sensharma & Shivam Garg

Saurabh starts. He shows a real ransomware email. The ransom was 1.7 bitcoins for 1 PC or 29 bitcoins for all PCs. Part of the process to restore was to send files to the attacker to prove decryption works. The two files the customer sent contained customer data! Stuff like this has GDPR implications, brand, etc.

Secure Backup is Your Last Line of Defense

Azure Backup – a built-in service. Lower and predictable TCO. Can be zero-infrastructure. And it offers trust-no-one encryption and secure backups.

Shivam comes up. He’s going to play the role of the customer in this session.

Question: Backup is decades old – what has changed?

Digital transformation. People using the cloud to transform on-prem IT, even if it stays on-prem.

Shivam: Backup should be like a checkbox. Customers want a seamless experience. Backup should not be a distraction.

Azure Backup releases you from the management of a backup infrastructure. Azure Backup is built on:

  • Scalability
  • Availability
  • Resilience

Shivam: What does this “built-in” mean if I have a three-tier .Net app running in the cloud?

We see a demo of restoring a SQL Server database in an Azure VM. We see the point-in-time restore will be an option because there are log backups. Saurabh shows the process to backup SQL Server in Azure VMs. He highlights “auto-protect” – if the instance is being protected then all the databases (even new ones that are created later) are backed up.

Saurabh demos creating a new VM. He highlights the option to enable backup during the VM creation – something many didn’t know was possible when this option wasn’t in the VM creation process. VMs are backed up using a snapshot in local storage. 7 of those are kept, and the incremental is sent to the recovery services vault. If you want to restore from a recent backup, you can restore very quickly from the snapshot.

A new restore option is coming soon – Replace Existing (virtual machine). They place the existing disks of the VM into a staging location – this gives them a rollback if something goes wrong. Then the disks of the VM are replaced from backup. So this solves the availability set issue.

Under the Covers – SQL

Anything that has a native backup engine is referred to as enlightened. Azure Backup talks to the SQL Backup Engine using native APIs via the Azure Backup plugin for SQL (a VM extension). The plugin asks the SQL Backup Engine, through those backup APIs, to create the backup. Data is temporarily stored in VM storage. And then there is an HTTPS transfer using incremental backups to the RSV, where they are encrypted at rest using SSE.

It’s all built-in. No manual agents, no backup servers, etc.

Non-Enlightened VM Workloads

E.g. MySQL in a VM. Azure Backup can call a pre-script. This can instruct MySQL to freeze transactions to disk. When you recover, there’s no need to do a fixup. A snapshot of the disks is taken, enabling a backup. And then a post-script is called and the database is thawed. Application providers typically share these on GitHub.

VM Backup

An extension is in every Azure VM. The extension associates itself with a backup policy that you select in the RSV. A command is sent to the backup extension. This executes a snapshot (VSS for Windows). It’s an Instant Recovery Snapshot in the VM storage. An HTTPS transfer to SSE storage as incremental blocks.

Azure Disk Encryption

KEK and BEK keys are stored in Azure Keyvault. These are also protected when you backup the VM. This ensures that the files can be unlocked when restored.

Up to 1000 VMs can be protected in a single RSV now.

Azure VM Restore

VM restore options:

  • Files
  • Disks
  • VM
  • Replace Disks

Replace Disks (new):

  1. They snapshot copy the VM’s disks to a staging location. This allows rollback if the process is broken.
  2. They replace the disks by restore.

This (confirmed) is how restoring a VM will allow you to keep availability set membership.

Azure File Sync

The MS sync/tiering solution. Everything is stored in the cloud. So you can move on-prem backup for file servers to the cloud. Demo of deleting a file and restoring it. Saurabh clicks Manage Backups in the Azure File Share and clicks File Recovery and goes through the process.

When the backup API triggers a backup of Files, it pauses sync to create a snapshot. After the snapshot, the sync resumes. Now they have a means to a file consistent backup.

On-Prem Resources

There is no Azure File Sync in this scenario, but they want to use cloud backup without a backup server. This scenario is Azure Backup MARS agent with Windows Admin Center. A demo of enabling Azure Backup protection via the WAC.

Deleting Backup

  1. Malware cannot delete your backups because this task requires you to manually generate a PIN in the Azure Portal (human authentication)
  2. If a human maliciously deletes a backup, Azure Backup retains backups for 14 days. And it will send an email to the registered notification address(es).

Security

  • Security PIN for critical tasks
  • Azure Disk Encryption support
  • SSE encryption with TLS 1.2
  • RBAC for roles
  • Alerts in the portal and via notifications
  • On-server encryption (on-prem) before transport to Azure

Rich Management

Questions:

  • What’s my storage consumption?
  • Are my backups healthy?
  • Can I get insights by looking at trends?

This is the sort of stuff that normally requires a lot of on-prem infrastructure. Azure Backup leverages Azure features, such as a Storage Account. No infrastructure, enterprise-wide, and it uses an open data model (published online on docs.microsoft.com) that anyone can use (Kusto, etc). You can also integrate with Service Manager, ServiceNow, and more (ITSM).

Custom reports.

And ….. cross-tenant support! Yay! This is a big deal for partners. It’s a PowerBI solution. It’s a content pack that you can import. It ingests Azure reporting data from a storage account.

Once you set this up, it takes up to 24 hours to get data moving, and then it’s real-time after that.

Roadmap

Cloud resources:

  • Azure VM backup – Standard SSD, resource improvements, 16+ disks, cross-region support
  • Azure Files Backup: Premium Files, 5 TB+ shares, ACL, secondary backups.
  • Workloads: SAP Hana, SQL in Azure VM GA.

Availability Zones:

  • ZRS
  • Recovery from cross-zone backups

And more that I couldn’t grab in time.

Microsoft Ignite 2018–Azure Compute

Speaker: Corey Sanders

95% of Fortune 500 building on Azure. Adobe is building on open source – one of the biggest PostgreSQL customers. NeuroIntiative using GPUs to simulate drug tests for treatments for Alzheimer’s.

There’s no one way to use Azure. Find the bits you want to use and deploy them in a good way that suits.

Infrastructure for Every Workload

54 announced regions. Availability Zones in US, Europe, and Asia, more regions coming soon.

New VM Portfolio

NDv2: 8 x NVIDIA Tesla V100 NVLINK GPUs, 40 Intel SkyLake cores, 672 GB RAM, AI, ML, and HPC workloads.

NVv2: Tesla M60 GPU. Premium SSD support, up to 448 GB RAM, CAD, gaming, 3D design

HB: Highest memory bandwidth in the cloud. 60 AMD EPYC cores, 100 Gbps InfiniBand. Memory bandwidth intensive HPC workloads.

HC: Up to 3.7 GHz clock speed. 44 Intel SkyLake cores, 100 Gbps InfiniBand. CPU intensive HPC workloads.

Storage

200 trillion objects. 160 trillion transactions per month.

Standard SSD is GA. Ultra SSD in preview – sub millisecond latency, up to 160,000 IOPS and 2,000 MB/s throughput.

A demo of Ultra SSD. Opens up an E64s_v3 VM with Ultra SSD. Runs IOMETER. Gets nearly 80,000 IOPS and 0.6 millisecond latency. That’s a single disk! Now for demo 2 with a new VM type. Runs IOMETER. Gets 161,000 IOPS on a single Ultra SSD without striping or caching – durable writes. Double the performance of the competition.

There will be a single VM SLA for VMs running Ultra SSD.

Networking

100,000 miles of fibre to connect the 54 regions with 130+ edge sites.

ExpressRoute Global Reach allows you to connect your connections together to use the MS WAN as your WAN. Virtual WAN is GA. Front Door uses those edge sites as a globally available secure entry point to web services in Azure. And Azure ExpressRoute Direct offers 100 Gbps connections to Azure.

SAP

24 TB RAM physical machines. 12 TB RAM VMs on the way. 20+ certified solution architectures on Azure.

Containers

Reasons:

  • Agility
  • Portability
  • Density
  • Rapid Scale

A new feature in Kubernetes (K8s) to allow burst capacity based on Azure Container Instances called Virtual Node. The node is a VM that can be loaded up with ACIs when demand spikes. You get per-second billing to deal with unusual loads.

Hybrid

Microsoft offers the only true consistent hybrid experience. Azure Stack, DevOps, data, AD, and security/management.

A key piece of this is Windows Server 2019, which has hybrid built in. Hybrid: Azure Backup, ASR, Storage Migration Services, Azure Network Adapter

Erin Chapple comes out to demo Windows Admin Center.

Windows Server 2008/R2

End of life coming January 2020, and for SQL Server on July 9, 2019. If you migrate these to Azure, you’ll get 3 years of free security fixes – you’ll have to pay if you stay on-premises.

Edge

Microsoft has announced availability of the first Azure Sphere dev kit.

Data Box Edge is also announced. You can pre-process data on-prem before moving it to the cloud. It has FPGAs (or whatever) built in.

Azure Stack will support more nodes in the coming weeks. Event hubs and Blockchain deployment coming in preview this year.

Security & Management

Starts with the physical and software security of Azure and extends out to the edge and on-premises. 1.2 billion devices and 750,000 user authentications offer a lot of data for analysis.

  • 85+ compliance offerings.
  • 40+ industry specific regulated offerings
  • Trusted, responsible, and inclusive cloud

New announcements:

  • Confidential computing is a new series of VMs – DC-Series. The data is protected even from Azure when being processed by the CPU.
  • Azure Firewall is GA.
  • Azure Security Center improvements.

Governance

Governance normally restricts and slows down. Azure Policy doesn’t slow you down. A new addition, Blueprints, plans out deployments that are known and trusted. DevOps can deploy a blueprint to stay within the guardrails. It’s ARM template + Policy, resource group(s), and RBAC.

In a demo, we see a new Azure Policy feature – the ability to remediate variance.

Migration

CTO of JB Hunt, Gary Downy comes on stage. A trucking company that also does last mile and rail transport. Facing disruptive technologies such as driver-less and a shortage of drivers. They had on-prem systems but they wouldn’t scale with the business. Now they use Azure DevOps, Git, and Kubernetes for most of their systems.

Start with assessment. Then migrate. Then optimize and transition into management & security (ownership).

Tools:

  • Azure Migrate now supports Hyper-V and VMware.
  • Azure Database Migration Service, which does Azure SQL, MySQL, PostgreSQL, and MongoDB.