What’s Cool in Azure — September 2019

Radosław Wiankowski
8 min read · Oct 1, 2019

With numerous updates or announcements almost every weekday, it seems as though the folks at Microsoft don’t know the concept of slowing down. And with Ignite just around the corner, we can expect the last quarter of the year to be especially inspiring for us, Azure geeks.
Before we get into that exciting period, however, I’m happy to present you with yet another selection of news from the Azure ecosystem.

New Azure regions in Germany

Just a few days after announcing the availability of the new Azure regions in Switzerland, Microsoft added two locations in Germany to the list:

  • Germany West Central, located in the Frankfurt area, as the default region in the German geography
  • Germany North, located in the Berlin area, which acts as the secondary region for customers who have workloads deployed in West Central and need in-country disaster recovery capabilities

What is crucial is that the two new locations are a part of the general Azure Cloud, and not a part of Azure Germany, the sovereign cloud operated by T-Systems. The other two German regions, which have been around for a while now, Central and Northeast, are a part of a wholly isolated offering. That isolation allowed customers operating in highly regulated markets to remain compliant with German regulations. However, it made integrations with the rest of Azure very challenging.

With that in mind, I expect that the new offering will help drive Azure adoption within Europe's largest economy.

You can read the press release from Microsoft here:

Azure Private Link is now in public preview

The announcement of Azure Private Link, to me, is one of the most significant improvements which we’ve seen throughout this year. The impact on security and the number of scenarios which this service enables are genuinely inspiring.

The service allows operators to create private links between certain Azure services and a Virtual Network, thus enabling secure access.

The benefits of using Azure Private Link include:

  • Reducing the surface area for data exfiltration by allowing access to only specific instances of PaaS services, as opposed to Service Endpoints
  • Allowing on-premises workloads secure access to PaaS services without having to configure ExpressRoute Public Peering
  • Enabling private access to services published by a partner or service provider within a different AzureAD tenant

To make use of Azure Private Link, we create a Private Endpoint, which from a technical perspective is represented by a Network Interface (NIC) resource. This NIC is then connected via the Azure Software Defined Network to the service we want to access. Therefore, traffic never leaves the Azure backbone network.

On the protected resource itself, the firewall configuration only needs access from “Trusted Microsoft Services” to be enabled. However, you also need to configure DNS records pointing to the private IPs, either by using Azure Private DNS or by deploying IaaS Virtual Machines which host DNS.
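A post-deployment check for that DNS step, as an added example that is not from the article: run from a VM inside the VNet, it resolves the storage account's public FQDN and its privatelink alias and confirms the answer lands in the subnet hosting the Private Endpoint NIC, rather than on the public endpoint. The account name and subnet are placeholders, and the resolver is injectable so the check can be exercised offline.

```python
"""Check that a storage account resolves to its Private Endpoint, not its public IP.
Added example, not from the article; account name and subnet are placeholders."""
import ipaddress
import socket
from typing import Callable, Dict, List

# Constructed placeholders: replace with your storage account and the subnet
# that hosts the Private Endpoint NIC.
STORAGE_ACCOUNT = "examplestorage"
PRIVATE_ENDPOINT_SUBNET = ipaddress.ip_network("10.10.1.0/24")


def blob_hostnames(account: str) -> List[str]:
    """Public FQDN of the blob service plus the privatelink alias that the
    Azure Private DNS zone (privatelink.blob.core.windows.net) must answer."""
    return [
        f"{account}.blob.core.windows.net",
        f"{account}.privatelink.blob.core.windows.net",
    ]


def classify(addr, subnet: ipaddress.IPv4Network) -> str:
    """Where does the resolved address point?"""
    if addr in subnet:
        return "private-endpoint"        # DNS override is in effect
    if addr.is_private:
        return "private-outside-subnet"  # RFC 1918, but not our PE subnet: check the zone
    return "public"                      # traffic would leave via the public endpoint


def check_private_link_resolution(
    account: str,
    subnet: ipaddress.IPv4Network,
    resolve: Callable[[str], str] = socket.gethostbyname,
) -> Dict[str, str]:
    """Resolve each hostname with `resolve` and classify the answer."""
    report: Dict[str, str] = {}
    for host in blob_hostnames(account):
        try:
            addr = ipaddress.ip_address(resolve(host))
        except (OSError, ValueError):   # NXDOMAIN, timeout, or non-IP answer
            report[host] = "unresolved"
            continue
        report[host] = classify(addr, subnet)
    return report


if __name__ == "__main__":
    for host, verdict in check_private_link_resolution(STORAGE_ACCOUNT, PRIVATE_ENDPOINT_SUBNET).items():
        print(f"{host}: {verdict}")
```

Any verdict other than "private-endpoint" for both names means clients on that VNet are still being sent to the public endpoint and the Private DNS zone or its VNet link needs attention.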

The service is still in very early preview, so it is rough around the edges, supports a minimal set of resources and is available in only a handful of American regions. At the time of writing, we could only create a Private Endpoint for the following services:

  • Storage Account
  • Data Lake Storage Gen 2
  • SQL Database
  • SQL Data Warehouse
  • Virtual Machines behind a Standard Load Balancer

From my initial tests, I can, however, say that the scenarios which are currently supported work well.

We would love to see the Key Vault and App Service added to the list of supported services, along with availability in the most popular European Regions. I hope that we get those, and possibly other, updates during Ignite later this year.

For more details, please head over to the official documentation:

Microsoft acquired Movere

At the beginning of the month, Microsoft announced the acquisition of Movere, a company which specialises in IT landscape assessments.

The company’s solution collects an extensive set of data regarding servers, databases, containers, applications and licenses. It then provides valuable insights regarding usage, security and cloud readiness.

The tool will be integrated into Azure Migrate and will offer customers additional migration assessment capabilities next to the built-in mechanisms and existing third-party offerings.

It’s not yet an option when configuring an Azure Migrate Project, and sadly we don’t have any information regarding timelines for availability. We are, however, very eager to try it out with a few of our customers once it finally lands.

You can read the entire announcement here:

New ARM Template Viewer

One of the Azure Cloud Architects from Microsoft UK, Ben Coleman, published his ARM Template Viewer VS Code extension to the Visual Studio Marketplace.

It’s free, increasingly popular, rated 5 out of 5, easy to use and very handy. Especially while working with large or linked ARM templates, it can be incredibly valuable to visualise the contents in the form of a resource map.

With a single click of a button, you get a canvas populated with resource icons. You can zoom, move them around, view names and check a basic set of information. Simple yet powerful.

Ben also seems to be very enthusiastic when it comes to dealing with issues and further developing the extension. I personally really hope to see it grow and intend to use it continuously.

You can get the extension here:

Azure Sentinel is now generally available

The cloud-native Security Information and Event Management (SIEM) tool from Microsoft, which has been in public preview since March this year, has just entered general availability.

During the six-month preview period, Microsoft claims to have had twelve thousand early adopters which provided comprehensive feedback and fueled multiple improvements.

Since the trials started, the following adjustments have been made:

  • The service now provides a long list of both Microsoft and third-party connectors which allow organisations to ingest security events across their digital landscape.
  • There are more than a hundred built-in, AI-driven alert rules which help detect security threats. Advanced algorithms correlate data from different sources and easily find anomalies to help security officers in their struggle for a safer cloud presence.
  • Threat hunting has been made easier by providing pre-cooked queries and Python libraries which can be used with Jupyter notebooks.
  • Incident handling is now streamlined with tagging, comments, assignments, graph visualisations and Logic Apps integration.
  • Sentinel is now integrated with Azure Lighthouse allowing service providers to support their customers from a single place.

Next to that, there already is a growing GitHub community around Azure Sentinel which contributes hunting, exploratory and detection queries. Folks from the Microsoft Threat Intelligence Center are among the most significant contributors, so you can expect quality.

As far as pricing goes, we get two options — pay-as-you-go (PAYG) and Reserved Capacity (RC). PAYG costs EUR 2,20 per GB of ingested data which does not seem like a lot. Looking at the RC options, however, which start at around EUR 110 per day per 100 GB of daily data ingestion, we can expect that Azure Sentinel can become an expensive adventure for large organisations. Smaller companies should be able to keep costs under control, though.

You can check out the entire announcement here:

Register VMs with Azure SQL Provider

Azure offers a broad spectrum of services providing the functionality of Microsoft SQL Server, ranging from pre-configured Virtual Machine (VM) images, through Managed Instances and Azure SQL, all the way to a serverless option. Although the core SQL Server functionality remains the same, different choices bring different sets of features, varying requirements, changing capabilities and different costs.

Our most common recommendation is to choose SaaS above PaaS, and PaaS above IaaS, that is, the option which is the simplest to use, given that it meets the requirements of the business process. Some customers, however, still prefer or have to run SQL Server inside IaaS VMs. There are several valid reasons for following such a path; to mention just a couple, it might be a legacy configuration, licensing, or compliance nuances.

In such a case, previously, customers had to create an Azure VM using a pre-installed SQL Server image choosing either the “Bring Your Own License” (BYOL) or “Pay As You Go” (PAYG) licensing model.

With the recent changes, however, that is no longer the case. Customers can now register a self-installed SQL Server VM with the Azure SQL Resource Provider. This means that we can choose any plain Windows Server image we might need, install any particular version of SQL Server which we require and register the machine with Azure as a SQL VM.

There are numerous benefits of doing so:

  • Flexible Licensing — upon registering with the SQL RP users can easily transition from using existing licenses to the PAYG model. When the Software Assurance required by the Hybrid Benefit licensing expires, the VM can be quickly reconfigured to include the license in the monthly running costs.
  • Full Manageability — registering with the SQL RP gives access to management features such as automated backup, patching, AlwaysOn configuration, KeyVault integration and automated storage configuration. Customers can pick which features to opt-in for.
  • Unified views — soon Azure will offer two new views in the portal — “Azure SQL” and “SQL Virtual Machines” which should help with managing and creating new SQL Servers. The refreshed portal experience should also help with essential monitoring.

VMs hosting SQL Server can be registered with the resource provider either via the lightweight extension or the full extension. The former one is agentless but will only enable edition discovery and licensing flexibility. For all advanced features, you’ll have to go with the full extension.

You can find the entire announcement here:
