What’s Cool in Azure — July 2019

Radosław Wiankowski
11 min read · Jul 31, 2019

July was another conference month — this time it was Inspire which took place in mid-July, in Las Vegas. This means that, despite the holiday season, there were plenty of new features and exciting announcements to look at.

Whether you’re still getting ready to take some time off, or already enjoyed a vacation before peak season, I sincerely hope that you’ll enjoy this subjective compilation of interesting news and announcements from the Azure ecosystem.

Azure Data Share released for public preview

Azure Data Share, a new service which became available for public preview, is aimed at a rather specific use case, but one that will be much appreciated by anyone who has ever struggled with the problem of sharing data.
Most companies which use any enterprise application, such as a CRM, an ERP or any other, need to share some business data with their partners. Solutions such as scripted FTP, SMB shares connected over an IPsec VPN tunnel or automated zip-and-email have been implemented by system administrators in companies large and small all over the world. They all, however, come with their own set of new challenges, sometimes to the point that solving a single problem creates several new ones.
Azure Data Share is about to change that. It allows operators to share snapshots of datasets, which the receiving party can subscribe to. Invitations are sent via email and offer two scenarios:

  • A single one-off snapshot share
  • A scheduled daily or hourly snapshot share
Azure Data Share flow

Currently supported data sets include Azure Blob Storage and Azure Data Lake (both gen1 and gen2), which are a good entry point, but I do hope that the list grows before general availability is announced.

One thing which I’d like to see in the future is support for Azure File Storage. Coupled with Azure File Sync, it could support even more data sharing scenarios.

I’m definitely looking forward to seeing this service grow and develop.

To get more information, please see the Azure Friday video and check out the official documentation:

AzureAD FIDO2-based password-less sign-in preview

Password-less flow

Security is a hot topic. Anyone who works in the IT industry regularly hears one of the cliché slogans — “Identity is the new perimeter!”, “Assume breach!” or “It’s not a matter of if, it’s a matter of when!”. Although it might seem a bit too much at some point, it’s the truth — bad people are out there, and they want our data. Not only do they want the data of Fortune 500 companies, but also the data of small and mid-size companies.

Microsoft claims that the vast majority of security incidents originate with improperly secured usernames and passwords. Of the few breaches which I’ve seen over the last few years, most if not all were caused by compromised credentials. And sadly, we IT pros are partly to blame as well.
After all, who doesn’t enforce a password policy? Complexity and rotation requirements are taken for granted; we all do it. However, how often do we stop to consider what negative consequences such policies might have?
Imagine Alice, who works in finance. She’s not a power user, but she does comply with all of the IT-imposed requirements. Currently, her password is MrGinger0719. Maybe she would have gone with something like mrgingeristhefluffiestintheworld, but the system did not accept it — there aren’t any capital letters, numbers or special characters.
Can you guess what password she’ll use once the rotation policy forces her to make a change next month? By the way, Ginger is the name of her cat — something that even a semi-skilled hacker can extract with social profiling in no time.

The example, although a silly one, does a good job, I think, of showing why passwords in general aren’t the most secure solution. Having multiple sets of credentials to manage, we as a species tend to make things easier for ourselves by re-using friendly phrases or names and by following patterns.
We can, and of course should, use Multi-Factor Authentication (MFA), but it isn’t the most user-friendly solution and adoption is surprisingly scarce. With that in mind, Microsoft has been pushing towards password-less authentication for a while now. Options like Windows Hello and the Microsoft Authenticator app already allow users to authenticate without providing credentials, and as of this month, FIDO2 hardware tokens, such as USB keys and NFC cards, are also supported. This feature allows organisations to roll out password-less authentication to an ever-larger group of users.
There are also new options in the Azure portal and the converged Registration portal to make the management of hardware keys easier and quicker.
All of the new features are still in preview, but I would still recommend starting a pilot programme so as to be ready for a production roll-out once the option goes GA.

You can check the entire FIDO2 support announcement here:

And, if you’re up for a longer read about Microsoft’s take on password-less, I recommend the following white paper:

Azure Lighthouse is now generally available

Azure Lighthouse flow

Azure Lighthouse is a service which was created specifically for Managed Service Providers (MSPs) who support several Azure environments for different customers. At first sight, it might seem of less importance to the end customer. However, the game-changing effect which it has for cloud service providers will quickly translate into significantly improved service quality.

Offerings like AzureAD B2B allowed MSPs to manage different customers with a single identity, but the need to switch context made it very challenging to deliver security, monitoring, alerting and other aspects of cloud governance.

Deploying Role-Based Access Control (RBAC) required creating custom automation runbooks which crawled customer tenants, while providing a single-pane-of-glass monitoring solution required exporting data to a third-party tool.

With the introduction of Azure Lighthouse, most of such challenges can become a thing of the past. The service builds on top of an ARM capability called “Delegated Resource Management”, and it provides cross-tenant management capabilities. In practice, this means that customers can delegate particular management scopes, such as Subscriptions, Resource Groups or even single resources, to their providers. Once this delegation is set up, the service provider can manage their customers’ resources as if they were local to their Azure AD tenant.

Azure Policy, Graph, Log Analytics, and Update Management all support the new cross-tenant management capabilities, finally allowing actual centralized management.

It is also very helpful that all licensing models, that is CSP, EA and PAYG, are supported.

You can find the entire announcement here:

Azure Migration Program and the Cloud Adoption Framework

Azure Cloud Adoption Framework

During the Inspire conference, Microsoft announced its new Azure Migration Program. The program is a collection of previously existing services and resources, some of which are being updated or extended, all packaged into a single, user-friendly offering. Despite little novelty, I see it as a very nice update to the Azure ecosystem — anything that helps organisations successfully onboard their workloads into Azure is a welcome addition.

The Azure Migration Program is a collection of a few benefits, which, when bundled together, help make the migration a success. These include:

  • Cost incentives, especially for customers looking to migrate Windows Server 2008 and SQL Server 2008
  • Role-based training to quickly get the IT staff skilled in Azure
  • A revamped version of the Azure Migrate Service
  • The Cloud Adoption Framework

The new version of Azure Migrate, sometimes referred to as v2, became a central hub to manage different migration projects. When creating a new project, customers can choose the tooling that they would like to use, separately for assessing and separately for migrating workloads. The previous functionality of Azure Migrate is still present — it is now one of the multiple tools available for assessments and migrations. Also, on the backend, it still leverages Azure Site Recovery (ASR).

The list of available tools also includes options from well-known third-party providers such as Cloudamize, Device42 and others.

The Cloud Adoption Framework (CAF) is the collection of previously available guidance, now collected in a single place, nicely structured and extended where needed. Those familiar with the Azure Architecture Center, which is a fantastic section on docs.microsoft.com, should quickly find that the CAF builds upon resources like the Cloud Operating Model and the Enterprise Scaffold.

The framework is abundant in information, and it intends to guide customers through the process of:

  • Defining their cloud migration drivers and desired outcomes
  • Planning a transition to a cloud-focused IT organisation
  • Creating a Landing Zone
  • Establishing a full Cloud Centre of Expertise

At Schuberg Philis, we are incredibly excited to see this publication. Many of the guidelines and architectural principles are already a part of our Azure designs, but we’re always eager to challenge our ideas.

The following links will provide more information:

Updates to Azure DevOps

Azure Pipelines app for Jira

In July, we’ve seen the fruit of two Azure DevOps sprints come to life — sprint 154, released July 1st and sprint 155, released on July 22nd. Between the two releases, there were a few features which I think are worth taking a closer look at:

  • Azure DevOps CLI became generally available — the extension to Azure CLI had been in preview since February, but it’s now ready for production use. The reference documents list a good number of commands, so there shouldn’t be much holding you back from automating away.
  • Azure Pipelines app for Jira was announced — the new functionality enables bi-directional data exchange by linking Azure Pipelines releases and one of the most popular issue tracking systems. It does, however, require GitHub as the version control system.
  • Wiki received a rich in-browser editor — the new tool supports markdown and allows users to edit documents right in the Wiki section. Using Repos and following a defined lifecycle is still supported, so projects can choose whichever option best fits their needs.
  • Azure Boards app for Slack was announced — yet another way to integrate Azure DevOps with Slack, the application for which many users have a separate, dedicated screen. It’s a welcome addition which will make discussions on issues and features more comfortable and more engaging.
  • Multi-stage YAML pipelines received several new features — the ultimate solution to CI/CD pipelines keeps growing in features. This time the team behind the platform added four default, read-only, automatically set variables, the possibility to link to work items and an option to configure approvals. We’re very excited about the YAML pipelines.

You can check out the full versions of the release notes here:

and here:

Azure Ephemeral OS Disk is GA

Creating a VM in Azure with an ephemeral OS disk

The possibility of using ephemeral OS disks with Virtual Machines is one of the features that Azure was rather late to deliver. Looking at it from the perspective of Windows VMs, it might have made sense; after all, most of them are far from stateless. However, given how vocal Microsoft is about their love for Linux, one might have expected such functionality to be delivered sooner.

The feature was released for limited preview following Ignite 2018, it entered the public preview phase back in May this year, and is now generally available.

In a nutshell, when we use the ephemeral OS disk option, Azure will not save the OS disk on the Data Plane; instead, the disk is stored locally on the hypervisor host. Since the size of the disk is in that case limited by the cache size of the given VM SKU, it is the same storage that is used by the temporary disks of Azure VMs (disk D: on Windows VMs).

As a result, on the upside, we get free, low-latency storage and quick VM re-image operations. The downside, however, is that the OS disk is not persistent. Therefore, all data written during runtime will be lost once the Virtual Machine moves to a different host. With stateless applications this will not be a problem though. And with large-scale deployments, using VM Scale Sets for example, the benefits soon stack up.

Two very important limitations are that VMs using ephemeral OS disks cannot be resized once created, and cannot be stop-deallocated.
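As an added example (not code from the original post), the Azure CLI calls that create a VM and a scale set with an ephemeral OS disk; the resource names, location, VM size and image are placeholders, and DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not code from the original post: creating a VM and a scale
# set with an ephemeral OS disk via the Azure CLI. Names are placeholders;
# set DRY_RUN=1 to print the az commands instead of executing them.

RG="${RG:-rg-example}"                 # placeholder resource group
LOCATION="${LOCATION:-westeurope}"
# The OS disk is placed in the VM size's cache, so the image must fit in it.
# This size is an assumption for illustration; check the cache figure of the
# size you pick against the image size before deploying.
VM_SIZE="${VM_SIZE:-Standard_DS3_v2}"
IMAGE="${IMAGE:-Canonical:UbuntuServer:18.04-LTS:latest}"

run_az() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "az $*"; else az "$@"; fi
}

# Ephemeral OS disks require ReadOnly host caching; any other caching mode
# is rejected at creation time.
create_ephemeral_vm() {
  run_az vm create \
    --resource-group "$RG" --name vm-stateless-01 --location "$LOCATION" \
    --image "$IMAGE" --size "$VM_SIZE" \
    --ephemeral-os-disk true --os-disk-caching ReadOnly \
    --generate-ssh-keys
}

# Where the benefit stacks up: a scale set whose instances are reimaged
# from the local cache instead of from remote storage.
create_ephemeral_vmss() {
  run_az vmss create \
    --resource-group "$RG" --name vmss-stateless --location "$LOCATION" \
    --image "$IMAGE" --vm-sku "$VM_SIZE" --instance-count 3 \
    --ephemeral-os-disk true --os-disk-caching ReadOnly \
    --upgrade-policy-mode automatic --generate-ssh-keys
}

# Reset instances to the clean image: the way to "start over", since such
# VMs cannot be stop-deallocated or resized.
reimage_vmss() {
  run_az vmss reimage --resource-group "$RG" --name vmss-stateless
}
```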

Other limitations and further information can be found here:

NSGs Now Support ICMP

Network Security Groups are the network access control lists of Azure VNets. We would typically link an NSG to a subnet to get a more traditional experience of securing networks. Such a solution works well, but it always had a simple, yet significant drawback which left numerous network engineers baffled.

For someone who hasn’t worked a lot with Virtual Machines in Azure, this might come as a surprise, but until the end of July, Azure Network Security Groups did not support ICMP as a protocol. As a result, to allow a basic ping, for example, we had to set Port/Protocol to Any/Any in the NSG configuration. With proper source and destination configuration, we could minimise the risk, but it always left a bad taste.

Although much overdue, the feature is a very welcome update.
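As an added example (not code from the original post), the Any/Any rule described above next to the ICMP-scoped rule that is now possible, plus a query that lists remaining Any/Any allow rules; the resource group, NSG name and monitoring prefix are placeholders, and DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not code from the original post: the "before" NSG rule that
# had to admit ping, next to the scoped rule ICMP support now allows.
# Resource group, NSG name and monitoring prefix are placeholders.
# Set DRY_RUN=1 to print the az commands instead of executing them.

RG="${RG:-rg-example}"                      # placeholder resource group
NSG="${NSG:-nsg-app-subnet}"                # placeholder NSG name
MON_PREFIX="${MON_PREFIX:-10.10.0.0/24}"    # constructed monitoring subnet

run_az() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "az $*"; else az "$@"; fi
}

# Before ICMP support: the only way to let echo requests through was
# protocol '*' on every port, which also admits any TCP/UDP from the source.
allow_ping_legacy() {
  run_az network nsg rule create \
    --resource-group "$RG" --nsg-name "$NSG" \
    --name Allow-Monitoring-Any --priority 200 \
    --direction Inbound --access Allow \
    --source-address-prefixes "$MON_PREFIX" \
    --destination-address-prefixes '*' \
    --protocol '*' --destination-port-ranges '*'
}

# After: protocol Icmp is accepted. ICMP has no ports, so the destination
# port range stays '*', but TCP and UDP from the same source are no longer
# admitted by this rule.
allow_ping_scoped() {
  run_az network nsg rule create \
    --resource-group "$RG" --nsg-name "$NSG" \
    --name Allow-Monitoring-Icmp --priority 200 \
    --direction Inbound --access Allow \
    --source-address-prefixes "$MON_PREFIX" \
    --destination-address-prefixes '*' \
    --protocol Icmp --destination-port-ranges '*'
}

# Audit helper: names of Allow rules in the NSG that still use protocol '*'
# on every port, i.e. candidates for tightening to Icmp.
find_any_any_rules() {
  run_az network nsg rule list --resource-group "$RG" --nsg-name "$NSG" \
    --query "[?access=='Allow' && protocol=='*' && destinationPortRange=='*'].name" \
    --output tsv
}
```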
