The big one: Azure Arc

Announced: November 4th, 2019
Source: Azure services now run anywhere with new hybrid capabilities: Announcing Azure Arc

I read recently a stat that said that some ~90% of all workloads are still run on-premises. That’s mind blowing to think that there’s still so much potential for cloud utilisation and workload transformation. This seems like part of the driver for the announcement of Azure Arc – “a set of technologies that unlocks new hybrid scenarios for customers by bringing Azure services and management to any infrastructure.” Let customers continue to leverage their existing infrastructure estate until the value of that investment has run its course and it’s time to move to the cloud. In the meantime, leverage that existing estate and enhance it with cloud capabilities – let’s go hybrid. I’ve not had much involvement with Azure Stack, with my focus being cloud native, but the concept is interesting indeed.

Key takeaways:

– Organise and govern workloads of various types (focus on K8s and Azure SQL databases) across clouds or on-premises
– Leverage GitOps and Azure infrastructure as code practices (Azure Resource manager) as a central and consistent means of environment ops
– Azure data services at elastic scale, internet scale, hyper scale (insert other description @ scale)

 

IPv6 now GA for VNets

Announced: November 4th, 2019 (GA)
Source: IPv6 for Azure Virtual Network is now generally available

I recall 6-7 years ago there was a big push for IPv6 (where I even attended a network user group around the topic) and its use everywhere. Fast forward, and only in late 2019 does IPv6 become GA in Azure. I’m not a full time network consultant/architect, so it’s interesting that it’s taken this long for one of the biggest cloud providers to adopt IPv6.

As long as your workload supports IPv6, it should be fine to deploy IPv6 address spaces in VNets and take it up. One thing to watch: IPv6 in a VNet is dual-stack, so the subnet keeps its IPv4 range alongside the new IPv6 one, and network security group rules written against IPv4 prefixes say nothing about the IPv6 addresses. Add the matching IPv6 rules before anything with a global IPv6 address goes live.

 

Azure Private Link is now GA in all regions

Announced: November 5th, 2019
Source: Azure Private Link is now available in all regions

Private connectivity to PaaS services is great, especially when you’re in need of that functionality. ExpressRoute does this for connecting on-premises networks to IaaS and PaaS (even SaaS) workloads. Azure Private Link gives a PaaS service a private endpoint: a network interface with a private IP address taken from your own VNet, so clients reach the service over that address instead of its public one, hence the name “Private Link”. Similar in concept to what ExpressRoute does for on-premises networks, but obviously not in delivery. Two practical points: the service’s public endpoint does not go away when you add a private endpoint, so deny public access in the service firewall as well, and the service FQDN only resolves to the private IP when the matching privatelink DNS zone (for example privatelink.blob.core.windows.net for blob storage) is linked to the VNet; without it, clients quietly fall back to the public endpoint. As of today, it’s available as GA across all regions to connect to such things as: Azure Storage, Azure SQL, Azure SQL Data Warehouse, Azure Cosmos DB.
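The DNS fall-through is the part that bites in practice, because a client with the wrong resolver still connects, just over the public endpoint. Below is an added example (my own check, not code from the original post or from Microsoft) that walks the CNAME chain for a storage account name and reports whether the address it lands on sits inside the VNet. The storage account names, the public cluster host name and the addresses are constructed; 203.0.113.0/24 is a documentation range, and the fake resolver stands in for a real lookup run from a VM inside the VNet.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

DnsAnswer = Tuple[str, str]  # ("CNAME", target) | ("A", address) | ("NXDOMAIN", "")
Resolver = Callable[[str], DnsAnswer]

# Constructed DNS data standing in for a real resolver (all names and addresses are
# made up). Azure publishes <acct>.blob.core.windows.net as a CNAME to
# <acct>.privatelink.blob.core.windows.net; that privatelink name resolves to the
# endpoint's VNet IP only when the privatelink.blob.core.windows.net private DNS zone
# is linked to the VNet you resolve from. Otherwise public DNS carries on to the
# public front door and the client never notices.
FAKE_DNS: Dict[str, DnsAnswer] = {
    # private endpoint, private DNS zone linked: resolves to the endpoint NIC
    "stgprivate.blob.core.windows.net": ("CNAME", "stgprivate.privatelink.blob.core.windows.net"),
    "stgprivate.privatelink.blob.core.windows.net": ("A", "10.1.2.4"),
    # private endpoint exists, but this resolver has no private zone: falls through to public
    "stgleaky.blob.core.windows.net": ("CNAME", "stgleaky.privatelink.blob.core.windows.net"),
    "stgleaky.privatelink.blob.core.windows.net": ("CNAME", "blob.example-cluster.store.core.windows.net"),
    # no private endpoint at all
    "stgpublic.blob.core.windows.net": ("CNAME", "blob.example-cluster.store.core.windows.net"),
    "blob.example-cluster.store.core.windows.net": ("A", "203.0.113.10"),
}


def fake_resolver(name: str) -> DnsAnswer:
    """Resolver backed by the constructed table above (hypothetical helper)."""
    return FAKE_DNS.get(name, ("NXDOMAIN", ""))


def resolve_chain(name: str, resolver: Resolver, max_hops: int = 8) -> Tuple[List[str], str]:
    """Follow CNAMEs from `name` to a terminal A record; returns (names visited, address)."""
    chain = [name]
    for _ in range(max_hops):
        rtype, value = resolver(chain[-1])
        if rtype == "A":
            return chain, value
        if rtype != "CNAME":
            raise LookupError(f"{chain[-1]}: {rtype}")
        chain.append(value)
    raise LookupError(f"{name}: CNAME chain longer than {max_hops} hops")


def check_private_link(fqdn: str, vnet_cidrs: List[str], resolver: Resolver) -> Dict[str, object]:
    """Decide whether traffic to `fqdn` from this VNet would actually use a private endpoint."""
    chain, addr = resolve_chain(fqdn, resolver)
    ip = ipaddress.ip_address(addr)
    in_vnet = any(ip in ipaddress.ip_network(cidr) for cidr in vnet_cidrs)
    saw_privatelink = any(".privatelink." in n for n in chain)
    if in_vnet:
        reason = "resolves to a private endpoint inside the VNet"
    elif saw_privatelink:
        reason = ("privatelink name fell through to a public address: private DNS zone "
                  "not linked to this VNet, traffic would use the public endpoint")
    else:
        reason = "no private endpoint: traffic would use the public endpoint"
    return {"fqdn": fqdn, "chain": chain, "address": addr, "private": in_vnet, "reason": reason}


if __name__ == "__main__":
    for acct in ("stgprivate", "stgleaky", "stgpublic"):
        r = check_private_link(f"{acct}.blob.core.windows.net", ["10.1.0.0/16"], fake_resolver)
        print(f"{r['fqdn']}: private={r['private']} ({r['address']}) - {r['reason']}")
```

To run this for real, swap `fake_resolver` for a function that queries DNS from a VM in the VNet (a library that returns the CNAME chain, such as dnspython, rather than a plain `gethostbyname`, which only gives the final address) and pass the VNet’s actual address space. The “leaky” case is the one to alert on: the private endpoint bill is being paid, but the data is still leaving over the public endpoint.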

 

Azure Firewall Manager – Public preview

Announced: November 4th, 2019
Source: Azure Firewall Manager is now in preview

I’m liking Azure Firewall more and more and I think that as the product matures, it will be on par and easily acceptable for cloud security as any bespoke appliance might be. When things get tricky is when you have a need for north/south and east/west traffic flows across multiple VNets, multiple regions or multiple subscriptions. I think with this service, it will make Azure Firewall a more viable product.

Azure Firewall Manager Preview is a security management service that provides central security policy and route management for cloud-based security perimeters. It works with Azure Virtual WAN Hub, a Microsoft-managed resource that lets you easily create hub and spoke architectures. When security and routing policies are associated with such a hub, it is referred to as a Secured Virtual Hub.

Further documentation: https://docs.microsoft.com/en-us/azure/firewall-manager/overview.

 

Azure Monitor – Application change analysis updates

Announced: November 4th, 2019
Source: Azure Monitor—Application change analysis updates

We all know that Azure Monitor is really good at collecting, analysing and acting on telemetry data. The integration across the Azure product estate is still a WIP as the service is always changing and improving. A welcome change is a streamlining of the way App Services are connected up: you can now do that at the App Service Plan level to connect downstream workloads more efficiently. A minor update, but very handy for those onboarding their existing Azure environment to the service.

 

Azure AD – Multi-Factor Authentication is now FREE

Announced: November 4th, 2019
Source: What’s new in Azure Active Directory at Microsoft Ignite 2019

To make it easy for everyone to adopt more secure and phishing-resistant authentication, today we announced that all customers can now enable MFA for free with the Microsoft Authenticator app. Starting later this month, MFA will be enabled as a security default in all new Azure Active Directory tenants for Microsoft 365, Office 365, Dynamics, and Azure. These new defaults will be rolling out gradually to new tenants over the next few months. Customers with more than 150 seats can also now contact Microsoft to set up MFA and security capabilities via FastTrack.

I use the Microsoft Authenticator app for a lot of my MFA requirements and I think this is pretty significant and something that moves the bar for everyone to a more secure world.

 

Container security in Security Center

Announced: November 4th, 2019
Source: Threat Protection for Azure Kubernetes Service (AKS) Support in Security Center
Additional resource(s): Container security in Security Center

Microsoft is really pushing Kubernetes operations at Ignite, not only with Azure Arc, but with new vulnerability scanning and threat protection integrated into Azure Security Center. The Security Center integration for containers extends to both Azure Container Registry (ACR) and Azure Kubernetes Service (AKS).

ACR – Images pushed to the registry are scanned for known vulnerabilities (the scanner is Qualys, with the findings surfaced through Security Center in the Azure portal). Recommendations are raised for any findings, so an image can be rebuilt before it is ever deployed.
AKS – Gets Security Center threat protection and recommendations across the stack; from nodes to individual containers/pods to cluster traffic and security controls. What’s interesting is getting real time protection and alerting across the K8s environment, not just at the node or pod layer.

 

Public preview for Azure Functions integration with Azure Monitor Logs

Announced: November 5th, 2019
Source: Azure Functions integration with Azure Monitor Logs is now in public preview

I really like the idea of serverless. In my limited “play time” with Azure Functions, I was impressed by the ease of use of the service. I did encounter some issues around performance, but I think that was limited to my use case. What would have helped is a greater ability to triage possible issues. With this public preview of direct integration with Azure Monitor Logs, function logs can be consolidated, queried and alerted on in a Log Analytics workspace, or forwarded to 3rd parties (like Splunk) to be handled in much the same way.

 

Azure Virtual WAN updates

Announced: November 6th, 2019
Source: Announcing enhancements to Azure Virtual WAN

I’m relatively new to the Virtual WAN configuration in Azure, in terms of the centralised single operational interface for all things WAN connectivity and Azure. Though I think it’s still relatively new.

What’s even newer is the preview of hub to hub connectivity in a virtual WAN. This is interesting in being able to create full mesh network topologies as opposed to just hub and spoke. Both have advantages and disadvantages, but it expands possibilities which is nice.

Moreover, ExpressRoute integration with Azure Virtual WAN is now GA. So you’ve got the full standard SLA and support for the functionality, meaning it’s good to go in production environments!

 

Microsoft Cloud Adoption Framework – now GA

Announced: November 6th, 2019 (GA)
Source: Success in the cloud: Microsoft Cloud Adoption Framework for Azure
Additional resources: Microsoft Cloud Adoption Framework for Azure (two separate sites under the same name)

I like a good framework. I liken it to a recipe for a great pasta. There’s many ways to cook a great pasta. You don’t always need a recipe. However, referring back to that recipe can be very beneficial for getting word out there on what a great pasta that actually is and getting lots of people to deliver a similar end product. Slightly off on a tangent there, but I think the message comes across as intended.

After years of operation and thousands of customers using public cloud, it’s no wonder that in the last year or so the major vendors are starting to publish frameworks and detailed best practice guides. I like it a lot as it sets the minimum benchmark for delivery. It outlines the minimum effort, and everything you do above and beyond differentiates your ability from the rest of the pack.

As this is now Generally Available, it’s worthwhile reading through the six stage process (strategy, plan, ready, adopt, govern, and manage) and adopting some of that crowd sourced knowledge.

 

Azure Bastion is now GA

Announced: November 6th, 2019 (GA)
Source: Azure Bastion is now generally available

This was pretty big news when it went into public preview in [June](https://azure.microsoft.com/en-au/blog/announcing-the-preview-of-microsoft-azure-bastion/) this year after it was leaked a few days beforehand. I had a play around with it and it worked seamlessly at the time. Now that it’s GA, this has to be the standard for administrative remote management of VM instances. RDP and SSH are far too insecure to leave open to the internet. With Bastion the session is brokered over TLS from the portal, so the VMs need no public IP at all, and the only inbound 22/3389 rule their NSG should keep is one whose source is the AzureBastionSubnet range; the “allow from any” rules can go.
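Whether those “allow from any” rules have actually gone is easy to check mechanically. The following is an added example (my own, not from the original post or from Microsoft) that evaluates an NSG the way the platform does, lowest priority number first with the first match deciding, and reports which admin ports an arbitrary internet address can still reach. The field names follow the camelCase keys the Azure CLI emits for NSG rules, but the rules themselves are constructed: the “before” set has the classic open RDP rule, the “after” set only admits 22/3389 from a made-up AzureBastionSubnet range (10.0.255.0/27), and 203.0.113.0/24 is a documentation range.

```python
from typing import Dict, Iterable, List, Tuple

# Source prefixes under which "anyone on the internet" matches the rule.
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0", "::/0"}


def _covers_port(rule: Dict, port: int) -> bool:
    """True if the rule's destination port(s) include `port` ("*", "22", "3389-3390", or a list)."""
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    for r in ranges:
        if r == "*":
            return True
        lo, _, hi = r.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _from_internet(rule: Dict) -> bool:
    """True if an arbitrary internet address would match the rule's source prefix(es)."""
    prefixes = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]
    return any(p.lower() in INTERNET_SOURCES for p in prefixes)


def internet_exposed_admin_ports(rules: Iterable[Dict], ports: Tuple[int, ...] = (22, 3389)) -> Dict[int, str]:
    """Evaluate inbound TCP from the internet to each admin port against the NSG.

    Rules are processed in ascending priority and the first matching rule decides,
    which is how the platform evaluates them. Azure's implicit DenyAllInBound at
    priority 65500 means "no match" is a deny. Returns {port: name of the Allow
    rule that exposes it}; ports absent from the result are not reachable.
    """
    inbound = sorted((r for r in rules if r["direction"].lower() == "inbound"),
                     key=lambda r: r["priority"])
    exposed: Dict[int, str] = {}
    for port in ports:
        for rule in inbound:
            if rule["protocol"].lower() not in ("*", "tcp"):
                continue
            if not (_from_internet(rule) and _covers_port(rule, port)):
                continue
            if rule["access"].lower() == "allow":
                exposed[port] = rule["name"]
            break  # first matching rule decides, allow or deny
    return exposed


# Constructed rule sets in the shape of `az network nsg rule list` output (not real output).
BEFORE_BASTION: List[Dict] = [
    {"name": "AllowRDPFromInternet", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "AllowSSHFromOffice", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"},
    {"name": "AllowHTTPS", "priority": 120, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
    {"name": "DenyAdminPorts", "priority": 200, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRanges": ["22", "3389"]},
]

AFTER_BASTION: List[Dict] = [
    # AzureBastionSubnet is the mandatory name of the Bastion subnet; this range is made up.
    {"name": "AllowAdminFromBastion", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.0.255.0/27", "destinationPortRanges": ["22", "3389"]},
    {"name": "AllowHTTPS", "priority": 120, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
    {"name": "DenyAdminPorts", "priority": 200, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRanges": ["22", "3389"]},
]

if __name__ == "__main__":
    print("before Bastion:", internet_exposed_admin_ports(BEFORE_BASTION))
    print("after Bastion: ", internet_exposed_admin_ports(AFTER_BASTION))
```

The office-only SSH rule in the “before” set is not reported, because a rule scoped to one /24 does not match an arbitrary internet source; that is deliberate, since the question being asked is “can anyone reach this”, not “is any source allowed”. Feed the function the JSON from the CLI for every NSG attached to a VM NIC or subnet and anything it returns is a port Bastion should have made redundant.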

 

There’s no doubt that there are way more announcements that occurred at Ignite, as well as ones recent enough (say the last few weeks) to count as around the same time. These are a bunch that I thought were relevant to me.

Enjoy!

 


Originally posted on Lucian.Blog. Follow Lucian on Twitter, @LucianFrango.

Category:
Azure Infrastructure