Microsoft Ignite Diary - Fall 2020

Radosław Wiankowski
11 min read · Sep 30, 2020

At last, it’s Ignite season again! It is that time of the year when I get incredibly excited about all the new announcements, and I cannot wait to try the new features for myself. Even though Microsoft is doing a great job at running online conferences, I have to admit that it didn’t feel quite as unique as attending in person. Being on-site, immersed in the experience and able to talk to the product teams, makes a whole world of difference. Not to mention the time-zone difference which helps keep the distractions of business-as-usual away.

Nonetheless, the excitement is real, and I am delighted to share it with you!

Overall feeling

The overall feeling of this year’s Ignite wasn’t that much different from the previous edition. The vision keynote from Satya Nadella felt all too familiar, with an added mention of the COVID-19 pandemic and the impact it has had on the need for Digital Transformation. Satya also went on to mention how Microsoft Teams helps teams stay productive in a fully remote environment and how helpful innovative devices like the HoloLens can be in the new normal. Other than that, “Tech Intensity” turned into “Tech Resiliency”, with intensity now being a part of resiliency. All the usual suspects were there: data, AI, Power Platform and Dynamics 365.

What I found more inspiring, maybe because of my Azure bias, was the now-classic “Inside the Azure Datacentre” session by Mark Russinovich. If you are going to watch only a single session this year, I highly recommend that you choose that one. It is now the de facto “State of Azure” session, and it gives you a good overview of Microsoft’s different horizons for the cloud platform.

At the time of writing the session wasn’t available on YouTube yet, but I’m more than sure that it will be within weeks.

Azure Bicep

The announcement of Azure Bicep predates the conference, but it is one of significant impact, and thus it received a lot of attention during multiple sessions.

Bicep, in short, is a new Domain-Specific Language (DSL) for declarative Azure resource deployments, i.e. Infrastructure as Code. The current way of defining Azure resources, JSON-based ARM templates, has been subject to some criticism: the files quickly get long, complicated and intimidating.
However, the Azure Deployments team led by Satya Vel is very open to customer feedback, and they are doing a fantastic job of making the experience as good as possible.

What Bicep brings is a familiar yet more concise, less verbose syntax. If you have worked with ARM templates, you will feel quite at home with the new file format.

When you compile a .bicep file (bicep build), it generates the good old JSON ARM template. You then deploy that file with the equally good old New-AzResourceGroupDeployment PowerShell cmdlet (or the Azure CLI, or the portal, if that is your preferred choice). Ultimately the team wants to abstract that step away and let us pass the .bicep file directly when executing a deployment, but that is still on their roadmap.
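The write, compile, check, deploy loop described above, as an added example that is not code from the original post or from the Bicep project. It assumes the Bicep 0.x CLI (bicep) and the Az PowerShell module are installed and that you are already signed in with Connect-AzAccount; the resource group, storage account name and the hardening properties on the storage account are my own choices, not anything the post prescribes.

```powershell
# Added example (not from the original post): write a small Bicep file,
# compile it to a JSON ARM template and deploy that JSON with the familiar
# cmdlet. Assumes the Bicep 0.x CLI ("bicep") and the Az module are on PATH
# and an Az session exists. All names below are placeholders.

$ResourceGroup = 'rg-bicep-demo'
$Location      = 'westeurope'

# Bicep syntax as of the 0.x preview: parameters, one resource and an output.
# The resource block maps one-to-one to a "resources" entry in the JSON.
# The three properties under "properties" are a storage hardening baseline
# (HTTPS only, TLS 1.2 minimum, no anonymous blob access); they are my choice.
$bicep = @'
param storageName string
param location string = resourceGroup().location

resource stg 'Microsoft.Storage/storageAccounts@2019-06-01' = {
  name: storageName
  location: location
  kind: 'StorageV2'
  sku: {
    name: 'Standard_LRS'
  }
  properties: {
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false
  }
}

output blobEndpoint string = stg.properties.primaryEndpoints.blob
'@

Set-Content -Path .\main.bicep -Value $bicep

# Compile: writes .\main.json next to the .bicep file
bicep build .\main.bicep
if ($LASTEXITCODE -ne 0) { throw 'bicep build failed' }

# Sanity check the compiled template before it goes anywhere near a
# subscription: the hardening settings must have survived compilation.
$template = Get-Content .\main.json -Raw | ConvertFrom-Json
$props = $template.resources[0].properties
if (-not $props.supportsHttpsTrafficOnly -or $props.minimumTlsVersion -ne 'TLS1_2') {
    throw 'compiled template lost its hardening settings'
}

# Deploy the JSON exactly as you would a hand-written ARM template.
# Template parameters are exposed by the cmdlet as dynamic parameters.
New-AzResourceGroup -Name $ResourceGroup -Location $Location -Force | Out-Null
$deployment = New-AzResourceGroupDeployment `
    -ResourceGroupName $ResourceGroup `
    -TemplateFile .\main.json `
    -storageName ('stbicep' + (Get-Random -Maximum 99999))

# The Bicep output comes back as a normal deployment output
$deployment.Outputs.blobEndpoint.Value
```

The check on the compiled JSON is the part worth keeping in a pipeline: the .bicep file is what people review, but the JSON is what Resource Manager executes, so assert on the artefact you actually deploy.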

Azure Bicep is at a very early stage of development (version 0.1 at the time of writing) and should therefore be treated as a preview only. The team mentioned several times that they expect breaking changes and that we shouldn’t rely on Bicep for any production use. They do, however, want to gather early feedback so that the language grows in the direction which best suits the user community.

Given that, if you work with programmatic deployments, I highly recommend that you try it out and give feedback. You can find all the relevant information in the GitHub repository:

ARM Template Specs

Template Specs are yet another massively exciting feature delivered by Satya’s team. If you ever used the “Templates” tab in the Azure Portal, you will probably remember that it has been in preview for a very, very long time. You can think of Template Specs as Microsoft finally implementing that section properly.

In a nutshell, the feature provides a way of storing your ARM templates, the Infrastructure-as-Code definitions of your Azure resources, as Azure resources in their own right. As simple as that sounds, the impact is enormous. It lets you share templates securely within your organisation, version them, and control with RBAC who can read and deploy them.
From a Landing Zone perspective, it is a groundbreaking improvement: a central team can publish new versions of a template without impacting ongoing projects, and each project team can pick up the updated version if and when they see fit.
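The central-team-publishes, project-team-consumes flow from the two paragraphs above, as an added example that is not code from the original post. It assumes the Az.Resources module that ships the Template Spec cmdlets (public preview at the time of writing), an already compiled template at .\main.json with a storageName parameter, and a built-in “Template Spec Reader” role; the resource group names and the Azure AD group object id are placeholders.

```powershell
# Added example (not from the original post): publish a versioned Template
# Spec from a central "platform" resource group, grant one project team
# read access with RBAC scoped to that spec only, and deploy a pinned version
# from the project side. Assumes Az.Resources with Template Spec support and
# an Az session. Names and the group object id are placeholders.

$PlatformRg          = 'rg-platform-templates'
$Location            = 'westeurope'
$SpecName            = 'storage-baseline'
$ProjectRg           = 'rg-project-alpha'
$ProjectTeamObjectId = '00000000-0000-0000-0000-000000000000'  # Azure AD group

# 1. Central team publishes version 1.0.0. Publishing 1.1.0 later does not
#    touch teams that stay pinned to 1.0.0.
New-AzTemplateSpec -ResourceGroupName $PlatformRg -Location $Location `
    -Name $SpecName -Version '1.0.0' -TemplateFile .\main.json | Out-Null

# 2. Least privilege: the project team may read (and therefore deploy) the
#    spec but cannot modify it, and the assignment is scoped to this spec,
#    not to the platform resource group.
$spec = Get-AzTemplateSpec -ResourceGroupName $PlatformRg -Name $SpecName
New-AzRoleAssignment -ObjectId $ProjectTeamObjectId `
    -RoleDefinitionName 'Template Spec Reader' -Scope $spec.Id | Out-Null

# 3. Project team deploys the pinned version by its resource id. They never
#    need a copy of the template file, only the version id.
$versionId = (Get-AzTemplateSpec -ResourceGroupName $PlatformRg `
    -Name $SpecName -Version '1.0.0').Versions.Id

New-AzResourceGroup -Name $ProjectRg -Location $Location -Force | Out-Null
New-AzResourceGroupDeployment -ResourceGroupName $ProjectRg `
    -TemplateSpecId $versionId `
    -TemplateParameterObject @{ storageName = 'stalpha' + (Get-Random -Maximum 99999) }

# 4. Audit: only the intended group should appear at this scope
Get-AzRoleAssignment -Scope $spec.Id |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

Step 2 is the reason this beats sharing template files around: the reader role is on the spec resource, so the central team can rotate versions and revoke access without anyone holding a stale copy of the JSON.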

Looking at the more advanced use cases, we can even see a scenario in which Template Specs can, at least partially, replace Azure Blueprints, which deliver great functionality but are a bit cumbersome to work with.

We have been waiting for this feature for a very long time, and we are extremely happy to see it on the horizon. We are already part of the private preview, and if you want to give it a go as well, I recommend watching the video above; Alex has a link to get you onboarded.

Otherwise, you can wait for the public preview which is due in mid-October, and in the meantime, get acquainted with the documentation:

Azure Defender

A service which Microsoft announced during the conference is the new Extended Detection and Response (XDR) tool, Microsoft Defender. It is, in fact, a suite which consists of two products: Microsoft 365 Defender, which focuses on endpoint, email and identity protection, and Azure Defender, which I’d like to tell you about in more detail.

As fancy and intimidating as it sounds, worry not: you do not have to rush to learn all about a new security service without which you would drown in the sea of malicious activity that the Web has become.

If you read just a bit deeper into the documentation, you will see that the folks at Microsoft themselves admit that it’s mostly a branding exercise. In a nutshell, all the “Advanced Threat Protection” services which were previously sold as the Security Centre Standard tier are now sold as Azure Defender. Despite my cynicism, looking at it from a customer perspective, I like the change. It was somewhat challenging to explain the differences between Security Centre Basic and Standard, the features and the cost involved. Customers would often ask:

If the Standard SKU is what we should be using, why isn’t it the… standard?

Now, Azure Defender is the paid add-on to the free features offered by Azure Security Centre. It makes more sense.

Apart from branding, Microsoft offers a refreshed UI experience, tighter integration with the cloud-native SIEM (Azure Sentinel), which will now receive the specific alerts that the analytics deem important enough to look into, and a handful of new options. Those include:

  • Support for hybrid and multi-cloud protection (on-premises, AWS and GCP), delivered via Azure Arc
  • Azure Security Benchmark v2, the new control framework, which maps to NIST SP 800-53 alongside CIS Controls v7.1
  • Continuous scanning of images stored in Azure Container Registry
  • Admission control policy management for Azure Kubernetes Service clusters

As well as many others.
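Because Azure Defender is, under the hood, the Security Centre Standard pricing tier per resource type, you can audit and switch it on from PowerShell. The block below is an added example, not code from the original post or from Microsoft; it assumes the Az.Security module and an Az session, and the list of plans treated as required is a policy choice of mine, not something the post prescribes.

```powershell
# Added example (not from the original post): audit which Azure Defender
# plans (the former Security Centre Standard tier) are enabled in the
# current subscription and enable the missing ones. Assumes Az.Security and
# an Az session. Plan names are the resource-type names reported by
# Get-AzSecurityPricing; which plans are "required" is a policy decision.

$RequiredPlans = @('VirtualMachines', 'StorageAccounts', 'KeyVaults',
                   'KubernetesService', 'ContainerRegistry', 'SqlServers')

# Current state: one entry per resource type, PricingTier is Free or Standard
$current = Get-AzSecurityPricing
$current | Select-Object Name, PricingTier | Format-Table -AutoSize

# Fail loudly if a plan we require is not offered in this subscription at
# all; otherwise the loop below would silently skip it.
$unknown = $RequiredPlans | Where-Object { $_ -notin $current.Name }
if ($unknown) { throw "Plans not available here: $($unknown -join ', ')" }

$missing = $current | Where-Object {
    $_.Name -in $RequiredPlans -and $_.PricingTier -ne 'Standard'
}

foreach ($plan in $missing) {
    # "Standard" is still the tier name in the API; the portal now labels
    # the same setting "Azure Defender on"
    Set-AzSecurityPricing -Name $plan.Name -PricingTier 'Standard' | Out-Null
    Write-Host "Enabled Azure Defender for $($plan.Name)"
}

# Re-read and report anything still on the free tier
Get-AzSecurityPricing |
    Where-Object { $_.Name -in $RequiredPlans -and $_.PricingTier -ne 'Standard' } |
    ForEach-Object { Write-Warning "$($_.Name) is still on the free tier" }
```

Run it read-only first (comment out the Set-AzSecurityPricing line) in each subscription of a landing zone; the tier is per subscription and per resource type, which is exactly the nuance that made the old Basic/Standard naming hard to explain.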

On the one hand, I feel slightly disappointed that we are getting a lot of buzz around branding; on the other hand, I appreciate the changes and the fact that Microsoft invests in security tooling. Then again, one might argue that they don’t have much of a choice if they want to stay relevant in the game of cloud. Looking at it from that perspective, I would like to see more of this tooling included as part of the platform, without additional cost.

To learn more, please head over to the official announcement:

Updates to Azure Networking

During the conference, we also learned about several exciting improvements to the Azure networking stack. Unfortunately, for many of them, information is scarce, so for now, I will explain as much as possible, and I’ll be sure to report in detail whenever I can.
Also, please be mindful that the list does not exhaust everything that Microsoft announced. As always, it’s my subjective selection.

For a more complete list of the new and noteworthy in Azure networking please see the following overview:

Azure Bastion supports on-premises and peered VNETs

Azure Bastion is a relatively young service, but it is one that anyone who operates Virtual Machines should be taking full advantage of. It provides secure, seamless console (RDP or SSH) access to virtual machines without exposing a public IP address on them. The service operates as an HTTPS-to-RDP/SSH gateway with the added benefit that the user authenticates to Azure AD first and needs RBAC rights on the target VM before a session is opened.

There is, however, a bit of a downside to using Bastion. Currently, customers can only reach machines which are connected to the same Virtual Network as the instance of the service. As a result, enterprises which use the hub-spoke network topology, and therefore have several VNETs, need to create numerous Azure Bastion instances. That can make the cost of using the service unnecessarily high.

Thankfully, that behaviour is about to change. We will be able to use a single Azure Bastion instance to connect to machines over VNET peering (provided they are hosted in the same Azure subscription) and to on-premises machines (provided the required connectivity, for example an ExpressRoute private peering, is in place).

Both options are now in Preview.

ExpressRoute encryption with VPN Gateway

ExpressRoute itself is also receiving a very welcome improvement. The service offers reliable, dedicated connectivity between the customer’s on-premises network and Microsoft’s edge network. From there we can either access public SaaS offerings such as Office 365 and Dynamics 365 or connect to an Azure Virtual Network.
A careful reader will have noticed that I haven’t used the word “secure” so far when describing ExpressRoute. That is because, despite being a dedicated layer-2 connection, it is not encrypted. For many network professionals, and for security teams working in regulated industries, the lack of encryption has a big impact on security.

Microsoft uses a technique called Q-in-Q (802.1ad), which you can think of as two-level VLAN tagging, where you, the customer, control the VLAN ID of the inner tag. Traffic separation is not encryption, though, and for many organisations that is not enough: they require all traffic to be encrypted in transit. If the applications which exchange information support TLS, life is easy, but if they don’t, things can quickly become challenging. Our only option in such a case is to configure a VPN tunnel over the ExpressRoute connection, and to do that today we need a network virtual appliance (NVA) in Azure. If you are planning to use an NVA for other purposes anyway, this isn’t much of a burden, but if all you need is the VPN tunnel, you would probably prefer to avoid the hassle of running the appliance.

Thankfully, soon we will be able to use an Azure VPN Gateway to terminate a VPN tunnel which runs on top of the ExpressRoute private peering. Unfortunately, I was unable to find any information on timelines and availability.

Global Load Balancer

If you’re looking for a load balancer in Azure, which would be able to route traffic between different regions, today you have two options:

  • Azure Front Door — If your application uses HTTP, you can use AFD, a layer-7 load balancer that offers great features like Web Application Firewall, network acceleration, TLS (SSL) offloading, and others.
  • Azure Traffic Manager — If, however, your application uses a different protocol, your only option is TM, a DNS-based load balancer. Traffic Manager is reliable and battle-proven, but in the case of a regional outage, failover is only as fast as clients and resolvers honour the DNS TTL, so cached answers keep sending traffic to the failed region for a while.

This set of options lets us deliver several different solutions, but for specific cases it isn’t enough. Customers looking for non-HTTP load balancing which preserves the client IP address and reacts immediately to a region outage were left unsatisfied.

Microsoft, however, hasn’t been deaf to the feedback, and they have just announced a global, cross-region tier of the network load balancer. It uses a single anycast IP address and rides on the Microsoft backbone network; as a result, it is optimised for low latency and high throughput, and it preserves the client IP address.

From the Azure resource perspective, we get a new flavour of the good, old Azure Load Balancer. When creating a new LB, we have to select the Standard SKU, and we will then be able to choose the “Tier” property, which can be set to Regional or Global.
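What the Standard SKU plus Global tier selection looks like from PowerShell, as an added example that is not code from the original post or from Microsoft. It assumes the preview Az.Network module that exposes a -Tier parameter on New-AzPublicIpAddress and New-AzLoadBalancer, two existing regional Standard SKU load balancers, and an Az session; the resource names are placeholders, and the requirement that backends be Standard SKU regional frontends is a preview constraint as I understand it, not something the post states.

```powershell
# Added example (not from the original post): create a global (cross-region)
# tier Standard load balancer whose backend pool is the frontends of two
# existing regional Standard load balancers. Assumes Az.Network with -Tier
# support (preview) and an Az session. Every name below is a placeholder.

$Rg       = 'rg-global-lb'
$Location = 'westeurope'   # home region of the global LB resource, not of the backends

$regionals = @(
    Get-AzLoadBalancer -ResourceGroupName 'rg-app-weu' -Name 'lb-app-weu'
    Get-AzLoadBalancer -ResourceGroupName 'rg-app-neu' -Name 'lb-app-neu'
)

# Global tier accepts Standard SKU regional frontends only; fail early
foreach ($lb in $regionals) {
    if ($lb.Sku.Name -ne 'Standard') { throw "$($lb.Name) is not Standard SKU" }
}

New-AzResourceGroup -Name $Rg -Location $Location -Force | Out-Null

# A global-tier public IP: the single anycast address clients connect to
$pip = New-AzPublicIpAddress -ResourceGroupName $Rg -Name 'pip-global' `
    -Location $Location -Sku Standard -Tier Global -AllocationMethod Static

$frontend = New-AzLoadBalancerFrontendIpConfig -Name 'fe-global' -PublicIpAddress $pip

# Backend pool members are regional LB frontends, not VMs or NICs
$members = foreach ($lb in $regionals) {
    New-AzLoadBalancerBackendAddressConfig -Name $lb.Name `
        -LoadBalancerFrontendIPConfigurationId $lb.FrontendIpConfigurations[0].Id
}
$pool = New-AzLoadBalancerBackendAddressPoolConfig -Name 'be-regions' `
    -LoadBalancerBackendAddress $members

# Layer-4 rule; client source IP is preserved end to end
$rule = New-AzLoadBalancerRuleConfig -Name 'https' -Protocol Tcp `
    -FrontendPort 443 -BackendPort 443 `
    -FrontendIpConfiguration $frontend -BackendAddressPool $pool

$glb = New-AzLoadBalancer -ResourceGroupName $Rg -Name 'lb-global' -Location $Location `
    -Sku Standard -Tier Global `
    -FrontendIpConfiguration $frontend -BackendAddressPool $pool -LoadBalancingRule $rule

# Confirm the tier stuck: this is the "Tier" property the post refers to
if ($glb.Sku.Tier -ne 'Global') { throw "expected Global tier, got $($glb.Sku.Tier)" }
$glb.Sku
```

Because the backends are load balancers rather than hosts, the regional NSGs and health probes stay where they are; the global tier only decides which region a client lands in.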

The feature is said to already be available for preview, however, at the time of writing, I was unable to deploy a global load balancer, even using the preview portal. I did not attempt a command-line deployment.

To learn more about the possibilities and current limitations, please see the following documentation:

Network Configuration Manager

It’s no secret that I am a massive fan of the Azure Virtual WAN service. It streamlines the configuration of hub-spoke network topology, and it reduces a great deal of management overhead which we experience with the traditional approach based on manual VNET peering and custom Route Tables.
It is, however, more expensive. Not only do we pay a base fee for vWAN itself, but we also have to use the Premium tier for our ExpressRoute circuits.

That is why I was delighted to see the sneak peek of Centralised Network Management, which Mark Russinovich gave in his “Inside the Azure Datacentre” session. The service looks like a rather early version, but it promises to automate and simplify at least a part of the actions involved in deploying a hub-spoke network. In the demo, we’ve only seen the functionality which configures peerings, but I would hope to see routing added as time goes by.
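The manual hub-spoke wiring that Centralised Network Management is meant to automate, and that a single hub-hosted Azure Bastion relies on to reach spoke VMs over peering (see the Bastion section above), as one added example that is not code from the original post or from Microsoft. It assumes the Az.Network module, an Az session, an existing hub VNET that already contains a gateway, and existing spoke VNETs in the same subscription; all resource names are placeholders, and the address-space check only catches identical prefixes, not every overlap.

```powershell
# Added example (not from the original post): peer every spoke VNET to a hub
# VNET with gateway transit, so spokes reach on-premises via the hub gateway
# and a Bastion in the hub can reach spoke VMs. Assumes Az.Network, an Az
# session, a hub VNET with a gateway, and spoke VNETs in the same
# subscription. Names are placeholders.

$HubRg   = 'rg-hub'
$HubVnet = 'vnet-hub'
$Spokes  = @(
    @{ Rg = 'rg-spoke-alpha'; Vnet = 'vnet-spoke-alpha' }
    @{ Rg = 'rg-spoke-beta';  Vnet = 'vnet-spoke-beta' }
)

$hub = Get-AzVirtualNetwork -ResourceGroupName $HubRg -Name $HubVnet

foreach ($s in $Spokes) {
    $spoke = Get-AzVirtualNetwork -ResourceGroupName $s.Rg -Name $s.Vnet

    # Overlapping address space makes the peering call fail half-way; this
    # only detects identical prefixes, which is the common copy-paste mistake.
    foreach ($hubPrefix in $hub.AddressSpace.AddressPrefixes) {
        if ($spoke.AddressSpace.AddressPrefixes -contains $hubPrefix) {
            throw "$($s.Vnet) overlaps hub prefix $hubPrefix"
        }
    }

    # hub -> spoke: the hub offers its gateway and forwards on-prem traffic
    Add-AzVirtualNetworkPeering -Name "peer-hub-to-$($s.Vnet)" `
        -VirtualNetwork $hub -RemoteVirtualNetworkId $spoke.Id `
        -AllowForwardedTraffic -AllowGatewayTransit | Out-Null

    # spoke -> hub: the spoke consumes the hub gateway; it must NOT set
    # AllowGatewayTransit itself, only one side may offer transit
    Add-AzVirtualNetworkPeering -Name "peer-$($s.Vnet)-to-hub" `
        -VirtualNetwork $spoke -RemoteVirtualNetworkId $hub.Id `
        -AllowForwardedTraffic -UseRemoteGateways | Out-Null
}

# Peering is only usable (by Bastion or anything else) once BOTH halves
# report "Connected"; "Initiated" means the opposite side is missing.
Get-AzVirtualNetworkPeering -ResourceGroupName $HubRg -VirtualNetworkName $HubVnet |
    Select-Object Name, PeeringState, AllowGatewayTransit, UseRemoteGateways,
                  @{ n = 'Remote'; e = { $_.RemoteVirtualNetwork.Id.Split('/')[-1] } }
```

Two peering objects per spoke, two flags that must be mirrored correctly, plus the route tables the post mentions: that is the per-spoke overhead the announced service is supposed to take off our hands.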

One thing to keep in mind is that Microsoft will have to be careful to balance functionality between the new service and Virtual WAN. Too much overlap will create confusion among customers. I will be keeping an eye out for any additional information on the topic, so you will hear from me whenever that happens.

Closing Thoughts

Even though we couldn’t go to meet the teams behind our favourite services, as always, Ignite was great. It has given me enough good energy for months to come. And the next one is not that far away — we only have to wait until March next year.

With that said, I am curious what Microsoft will have in store for us six months from now. Seeing services like Azure Orbital, which offers satellite ground stations as a service, makes me think that hyperscalers are running out of obvious ideas on how to differentiate themselves. Also, the cloud platforms are already too big for one person to know it all. Well, maybe Mark can :)
