What’s cool in Azure — March 2019

Radosław Wiankowski
5 min read · Apr 9, 2019

As an Azure enthusiast, I follow multiple podcasts, blogs and professionals to get information about the latest and greatest features around the Microsoft cloud ecosystem. Throughout the month of March I’ve made note of every interesting announcement or article, and I would hereby like to share those with you. I did my best to provide context and additional resources, so you can quickly get an understanding of the topic and dig further should you wish to do so.

Governance in Azure

Governance seems to be a pretty hot topic, not only for us but also for the wider Azure community. Microsoft appears to be embracing this by ever expanding its portfolio of solutions to accommodate these requirements. An example of this is the Azure Blueprint ISO 27001 templates, which were released this month. You can read the entire announcement at:

https://azure.microsoft.com/en-gb/blog/simplifying-your-environment-setup-while-meeting-compliance-needs-with-built-in-azure-blueprints/

To get a good overview of the governance solutions portfolio, you can check out this video from last year's Ignite:

https://www.youtube.com/watch?v=d6c1nfoySLI

Some things are slightly outdated at this point, but I found it informative regarding the concepts and tools for Governance. There are a lot of demos, and for me personally, the Resource Graph CLI to Policy demo was very impressive.
To dig a little deeper, you might also want to check out this GitHub repo:

https://github.com/ajf214/personal-arm-templates

Additional resources to follow up:
https://docs.microsoft.com/en-us/azure/governance/
https://app.pluralsight.com/library/courses/microsoft-azure-governance-mastering/table-of-contents

Windows Virtual Desktop available for preview

During the Ignite Tour Amsterdam event, MSFT finally released WVD for Public Preview. It was initially introduced as Remote Desktop Modern Infrastructure at Ignite 2017 and rebranded to WVD at Ignite 2018, but it remained in Private Preview until today.

I’m sure that many of you have already looked into this, or even attended a session during Microsoft Ignite the Tour Amsterdam, but for those who haven’t, here is a quick summary. This offering is the VDI-as-a-Service (VDIaaS) solution from MSFT, based on Windows Remote Desktop Services (RDS). RDS, in turn, is the native equivalent of what you’ve probably used Citrix for. Traditionally you had to deploy a few IaaS VMs, thus creating an RDS farm. To achieve any level of HA, you needed 3–7 boxes for the management plane alone, that is, to host roles such as RD Gateway, RD Broker, RD Web, SQL Database, Cluster Witness, etc. RD Session Hosts (RDSH) came on top of the management plane. Windows 2016 introduced a couple of significant improvements, allowing us to use a storage account as a Cloud Witness and Azure SQL as the database, but we still relied mostly on IaaS.
What WVD offers is in some way similar to Azure Kubernetes Service — the management plane is provided as PaaS by Azure, and you only need to deploy the RDSH machines. It’s as simple as uploading a golden image. It’s also worth mentioning that the new architecture significantly improves security: all traffic comes in over a channel established from the inside (the session hosts connect outbound to the service), so no public-facing VMs are involved.

My findings are, for now, limited to two points, which I find interesting:
- Before deploying WVD, one must keep in mind a strong dependency on AD and AAD: your RDSH hosts must be domain joined, and the AD must be connected (synchronised) to the AAD where your WVD deployment lives. This significantly limits multi-tenant scenarios.
- MSFT now recommends the FSLogix solution for user profile management. User Profile Disks (UPDs) are said to be deprecated.

Additional resources to follow up:
https://www.youtube.com/watch?v=VQSsgEYamBs
https://docs.microsoft.com/en-us/azure/virtual-desktop/overview

Azure Data Box now enables import to Managed Disks

As of this month, we can use Azure Data Box to move large quantities of data from on-premises storage into Azure Managed Disks. This can significantly speed up a lift-and-shift migration that involves multiple large VHD files.

Read more at:
https://azure.microsoft.com/en-gb/blog/azure-data-box-family-now-enables-import-to-managed-disks/?ocid=AID765057&wt.mc_id=CFID0439

Azure Pipelines approvals from Slack and more

Azure DevOps pre- and post-deployment approvals can now be done via Slack instead of the good old email. This is especially useful for Slack-first companies.

You can read more about it at: https://devblogs.microsoft.com/devops/approve-azure-pipelines-deployments-from-slack/?ocid=AID765057&wt.mc_id=CFID0439

Or watch more about it at:
https://www.youtube.com/watch?v=4etK6Wp7UaU

Also worth mentioning are other recent improvements: Azure Boards gained support for GitHub Enterprise integration, and Azure Pipelines now supports the new Az PowerShell module. The migration from AzureRM to Az is inevitable, so it’s good to know that we can already start.

See more about the improvements delivered with the March 19th sprint at: https://docs.microsoft.com/en-us/azure/devops/release-notes/2019/sprint-149-update

Azure Firewall received new capabilities

Azure Firewall is an Azure-native Firewall as a Service (FaaS) option. It does what you’d expect from an on-premises firewall appliance, but delivered as a service that tightly integrates with the management and monitoring mechanisms of Azure. It is highly available by design and scales automatically as the amount of traffic increases.
The idea is that you deploy it in your hub VNET and use it to protect both internal and external traffic, just as you would use a third-party Network Security Appliance from the Marketplace. It might not be as feature-rich as some appliances provided by the titans of the industry, but as a native FaaS solution, it is much easier to administer and maintain. It is also bound to receive new features regularly, so with time the functionality gap will slowly close.
As an interesting side note, ABN AMRO was one of the two featured customers during the 2018 Ignite presentation.

Read more about the new features at:
https://azure.microsoft.com/en-gb/blog/announcing-new-capabilities-in-azure-firewall/?ocid=AID765057&wt.mc_id=CFID0436

Additional resources to follow up:
https://www.youtube.com/watch?v=CiIftxD2CHw&t=716s
https://docs.microsoft.com/en-us/azure/firewall

Updates to the Azure Security Center

The Azure Security Center is a native tool to secure your virtual datacenter. It’s not cheap, but out of the box, it does quite a few things:
- Allows you to manage your security policies across all the subscriptions in your Azure AD tenant
- Scans your environment for new resources and, once discovered, evaluates their configuration against a predefined set of security best practices
- Protects your resources from threats
- Educates your staff on how to mitigate risks and stay secure
- Provides Just-In-Time (JIT) access to VMs over standard management protocols

The Azure Security Center recently received a few updates which are worth mentioning:
- It leverages AI to help customers fine-tune their Network Security Groups (NSGs). NSGs act as ACLs on subnets or network interfaces, and have been somewhat challenging for many customers. The AI engine can now examine the traffic between applications to produce an NSG which only permits the connectivity required for proper operation.
- Adaptive Application Controls (AAC) now also cover Linux VMs and on-premises VMs. AAC is a mechanism which provides application whitelisting, thus allowing easier auditing for potentially malicious applications.
- Network Map now supports VNET peering, meaning that you can now see traffic flows between peered VNETs. Private IPs only, however.
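To make the NSG points above concrete (Security Center evaluating configuration against best practices, and an NSG that only permits what is needed), here is an added example that is not code from the article or from Microsoft. It audits a list of NSG rules for management ports exposed to any source and shows a weak rule set next to a hardened one. The rule dictionaries are constructed to follow the shape of `az network nsg rule list` output; the management port list, the bastion subnet range and the rule names are my own assumptions, not values from any real subscription.

```python
"""Audit NSG rules for management ports exposed to the whole internet.

Added example (not from the article or from Microsoft): it imitates the
kind of best-practice check Azure Security Center performs against
Network Security Groups. Rule dicts are constructed in the shape of
`az network nsg rule list` output (name + properties); none come from a
real subscription.
"""
from ipaddress import ip_network

# Inbound management ports that should only be reachable from a known
# admin/bastion range (or opened on demand via Just-In-Time access).
# Assumed list for this example.
MANAGEMENT_PORTS = {22, 3389, 5985, 5986}

# Source prefixes / service tags that mean "anywhere".
ANY_SOURCES = {"*", "0.0.0.0/0", "::/0", "Internet"}


def expand_ports(spec):
    """Turn an NSG port spec ('*', '22', '3389-3390') into a set of ints.
    Returns None for '*', meaning every port."""
    if spec == "*":
        return None
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-"))
        return set(range(lo, hi + 1))
    return {int(spec)}


def is_any_source(prefix):
    """True if the source prefix covers the whole internet."""
    if prefix in ANY_SOURCES:
        return True
    try:
        return ip_network(prefix, strict=False).prefixlen == 0
    except ValueError:
        return False  # a service tag such as 'VirtualNetwork'


def find_overpermissive(rules):
    """Return names of Inbound/Allow rules that expose a management port
    to any source. Rules are walked in NSG precedence order (lower
    priority number first); an earlier Deny from any source on a port
    shadows a later Allow on that port, so such Allows are not reported.
    Protocol is deliberately not considered in the shadowing check."""
    denied_from_any = set()
    findings = []
    for rule in sorted(rules, key=lambda r: r["properties"]["priority"]):
        p = rule["properties"]
        if p["direction"] != "Inbound":
            continue
        # The API exposes singular and plural forms of ports and prefixes.
        port_specs = p.get("destinationPortRanges") or [p["destinationPortRange"]]
        sources = p.get("sourceAddressPrefixes") or [p["sourceAddressPrefix"]]
        hit = set()
        for spec in port_specs:
            ports = expand_ports(spec)
            hit |= MANAGEMENT_PORTS if ports is None else ports & MANAGEMENT_PORTS
        if not hit or not any(is_any_source(s) for s in sources):
            continue
        if p["access"] == "Deny":
            denied_from_any |= hit
        elif hit - denied_from_any:
            findings.append(rule["name"])
    return findings


def rule(name, priority, access, src, dst_port):
    """Build a constructed rule dict in the NSG output shape."""
    return {"name": name, "properties": {
        "priority": priority, "direction": "Inbound", "access": access,
        "protocol": "Tcp", "sourceAddressPrefix": src, "sourcePortRange": "*",
        "destinationAddressPrefix": "*", "destinationPortRange": dst_port}}


# Weak set (constructed): the classic "RDP open to the world" mistake.
WEAK_RULES = [
    rule("allow-rdp-any", 100, "Allow", "*", "3389"),
    rule("allow-https", 110, "Allow", "Internet", "443"),
]

# Hardened set (constructed): same intent, but RDP is only allowed from an
# assumed bastion subnet; the NSG's default DenyAllInBound drops the rest.
HARDENED_RULES = [
    rule("allow-rdp-from-bastion", 100, "Allow", "10.0.250.0/24", "3389"),
    rule("allow-https", 110, "Allow", "Internet", "443"),
]

if __name__ == "__main__":
    print("weak:", find_overpermissive(WEAK_RULES))          # ['allow-rdp-any']
    print("hardened:", find_overpermissive(HARDENED_RULES))  # []
```

The check walks rules in the order the NSG engine applies them, so a broad Deny placed ahead of a sloppy Allow is recognised as shadowing it; this matters because real NSGs accumulate rules over time and a naive "any Allow on 3389" grep produces false positives. Swapping the constructed lists for the JSON returned by the CLI is the only change needed to run it against a real NSG.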

Read the announcement at:
https://azure.microsoft.com/en-gb/blog/announcing-new-azure-security-center-capabilities-at-rsa-2019/?ocid=AID765057&wt.mc_id=CFID0436

Additional Resources on the Azure Security Center:
https://www.youtube.com/watch?v=Kb_xeIJVROo
https://docs.microsoft.com/en-us/azure/security-center/
