Following Microsoft’s Spring 2021 Ignite event, our cloud specialist, Damian Reffin, lists his top Azure-related infrastructure announcements and updates and shares what they mean for us. Read part one here.
Looking at Azure load-balancing, Networking routing, Azure Front Door and Firewall Premium.
Azure load-balancing options
Azure load-balancing options were released in March 2021. A guided experience helps you choose the options that match your architectural and application requirements.
The guided experience covers load balancing across virtual machines (VMs), VM scale sets and containers, and helps you pick the right Azure load-balancing service for the workload rather than defaulting to a load balancer that does not fit.
An Azure Public IP SKU upgrade is now generally available: a public IP can be moved from the Basic to the Standard SKU while keeping the same address, so there is no re-addressing work and nothing to notify end customers about.
Any Basic public load balancer can likewise be upgraded to a Standard public load balancer and retain its public IP address.
One caveat to plan for before upgrading: Standard SKU public IPs and load balancers are closed to inbound traffic by default, whereas Basic SKU resources were open by default. Unless a network security group explicitly allows the inbound flows, the upgrade will break inbound connectivity.
Azure Networking routing preference
Now generally available, Azure Networking routing preference lets you choose how your traffic routes between Azure and the internet. This update gives you greater flexibility to optimise your underlying routing network.
You can choose to optimise:
- For performance, via the Microsoft global network (‘cold potato’ routing): traffic stays on Microsoft’s backbone for as long as possible and hands off to the public internet close to the user
- For cost per workload, via the ISP network/open internet (‘hot potato’ routing): traffic leaves the Microsoft network close to the source and transits the public internet
Egress data transfer prices vary according to the routing selection.
Azure Front Door
Azure Front Door with CDN is now available in preview mode. The upgrade provides a secure cloud content delivery network (CDN) service with integrated intelligent security capabilities.
The upgrade enables cybersecurity teams to protect and accelerate apps, APIs, websites and content delivery with a few clicks.
Azure Firewall Premium
Azure Firewall Premium, now available in preview, adds next-generation firewall capabilities to Azure Firewall.
With intrusion detection and prevention system (IDPS) capabilities and TLS inspection, the upgrade offers enhanced security for sensitive and highly regulated environments. Note that IDPS can only see into encrypted flows where TLS inspection is enabled, which in turn means deploying an intermediate CA certificate that clients trust.
The hottest item is Azure Firewall Premium, which is set to close the feature gap with the third-party firewall appliances in the Azure Marketplace.
Azure Hybrid Networking
Addressing Azure Route Server, ExpressRoute – IPv6, Gateway and Portal, Virtual WAN, Scalable Bastion Gateway and advanced VPN diagnostics.
Azure Route Server
Now available for preview, the Azure Route Server facilitates dynamic routing between a network virtual appliance (NVA) and virtual networks.
By establishing Border Gateway Protocol (BGP) peering between an NVA and an Azure Route Server, you can inject routes learned by the NVA into your virtual network without maintaining user-defined route tables. In return, BGP lets the NVA learn the address space of your virtual network, as the Route Server advertises it to the NVA.
Azure Route Server is a fully managed service with built-in high availability.
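As an added example (not code from the article or from Microsoft), the PowerShell below deploys a Route Server, peers it with an NVA over BGP and then checks what the NVA is actually injecting. The resource group, VNet, subnet range, NVA address and the NVA’s ASN are assumptions; the cmdlets are from the Az.Network module as I know them, and the property names on the learned-route objects are likewise taken from memory rather than from the page.

```powershell
# Added example (not from the article): peer an NVA with Azure Route Server and audit the routes.
# Resource names, address ranges and the NVA's ASN below are assumptions.
$rg       = 'rg-hub'
$location = 'uksouth'
$vnetName = 'vnet-hub'

# Route Server needs a dedicated subnet that is named exactly 'RouteServerSubnet' (/27 or larger).
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
Add-AzVirtualNetworkSubnetConfig -Name 'RouteServerSubnet' -AddressPrefix '10.0.255.0/27' -VirtualNetwork $vnet |
    Set-AzVirtualNetwork | Out-Null
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'RouteServerSubnet' `
    -VirtualNetwork (Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg)

# Route Server requires a Standard SKU public IP for its management plane.
$pip = New-AzPublicIpAddress -Name 'pip-rs-hub' -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard

$rsParams = @{
    RouteServerName   = 'rs-hub'
    ResourceGroupName = $rg
    Location          = $location
    HostedSubnet      = $subnet.Id
    PublicIP          = $pip
}
New-AzRouteServer @rsParams | Out-Null

# Route Server always speaks BGP as ASN 65515, so the NVA must use a different private ASN.
# The NVA's IP (10.0.1.4) and ASN (65001) are assumptions for this example.
$peerParams = @{
    RouteServerName   = 'rs-hub'
    ResourceGroupName = $rg
    PeerName          = 'nva-01'
    PeerIp            = '10.0.1.4'
    PeerAsn           = 65001
}
Add-AzRouteServerPeer @peerParams | Out-Null

# Values the NVA side needs: Route Server's two instance IPs and its ASN.
$rs = Get-AzRouteServer -RouteServerName 'rs-hub' -ResourceGroupName $rg
"Configure the NVA to peer with $($rs.RouteServerIps -join ', ') as ASN $($rs.RouteServerAsn)"

# Verification: what the NVA injects into the VNet, and what Azure advertises back to it.
$learned    = Get-AzRouteServerPeerLearnedRoute    -RouteServerName 'rs-hub' -ResourceGroupName $rg -PeerName 'nva-01'
$advertised = Get-AzRouteServerPeerAdvertisedRoute -RouteServerName 'rs-hub' -ResourceGroupName $rg -PeerName 'nva-01'
$learned    | Format-Table Network, NextHop, AsPath, Origin
$advertised | Format-Table Network, NextHop, AsPath, Origin

# Security check: a peered NVA can steer traffic for any prefix it advertises, so flag a default
# route or a prefix that overlaps the VNet's own space, both of which would hijack traffic.
$vnetSpace = (Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg).AddressSpace.AddressPrefixes
foreach ($route in $learned) {
    if ($route.Network -eq '0.0.0.0/0') {
        Write-Warning "nva-01 is advertising a default route via $($route.NextHop)"
    }
    if ($vnetSpace -contains $route.Network) {
        Write-Warning "nva-01 is advertising the VNet's own prefix $($route.Network); this will black-hole east-west traffic"
    }
}
```

The last block is the check worth keeping in a runbook: because Route Server trusts every prefix the peer announces, the NVA (or anyone who compromises it) becomes a routing authority for the VNet, so learned routes should be reviewed after any NVA change.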
ExpressRoute IPv6 Support
Released in preview in March 2021, ExpressRoute IPv6 support adds dual-stack (IPv4 and IPv6) private peering, including for zone-redundant gateways.
- Enables IoT (the internet of things) scenarios
- Simplifies your enterprise migration or expansion to Azure, even if you run out of IPv4 addresses in your on-premises network
New ExpressRoute Gateway metrics are now available for preview. These metrics allow you to monitor the:
- Counts of routes learned and routes advertised
- Number of VMs in your virtual network
- Frequency of route changes for your ExpressRoute gateways
You can also set up alerts to manage capacity accordingly.
Now generally available, the new ExpressRoute Portal gives you a more comprehensive peering and Global Reach configuration experience in the Azure Portal.
Azure Virtual WAN
Azure Virtual WAN now offers integration with VMware SD-WAN in preview. It lets you connect all branch offices and remote locations to Azure through VMware SD-WAN.
You can manage last-mile connectivity and dynamic path optimisation through VMware SD-WAN. For a complete secure access service edge solution, you can then use Azure Virtual WAN for global connectivity, routing intelligence and security.
Virtual WAN remote user VPN
Virtual WAN remote user VPN features are now available in preview.
The new features raise the limit on remote users connecting to a Virtual WAN hub in a region from 10,000 to 100,000. Virtual WAN also now:
- Allows remote users to authenticate using any combination of certificates, Azure Active Directory and RADIUS servers
- Offers custom IPsec parameters for remote user VPN
- Connects multiple RADIUS servers to a single Virtual WAN hub for remote-user authentication
Scalable Bastion Gateway
Scalable Bastion Gateway became available in preview in March 2021.
You can increase the Bastion Gateway’s size to support as many as 500 concurrent sessions and decrease when usage demand drops.
Bastion will support native Azure Active Directory (Azure AD) authentication integration for Linux VMs deployed on Azure.
Advanced VPN diagnostics
In March 2021, advanced VPN diagnostics, including Packet Capture, the BGP dashboard, and VPN connection features, were released in preview.
Given the volume of IaaS-related announcements, Microsoft is building on current offerings by bringing more features, capability and scalability.
Community feedback allows for rapid feature gap discovery and an agile supplier response. Much of this is driven by the Azure Connect forum, with regular pulse taking and feedback channels informing Microsoft’s Azure roadmap.
Windows Server 2022
Windows Server 2022, now available in preview mode, enables you to run existing and new business-critical applications with confidence on Azure, on-premises and at the edge.
Windows Server 2022 introduces the following:
- Advanced multi-layer security
- Hybrid capabilities with Azure and a flexible application platform
- Improved hybrid server management, an enhanced event viewer and several other new Windows Admin Centre capabilities
- Improvements to Windows containers, like smaller image sizes for faster download, simplified network policy implementation and containerisation tools for .NET applications
As part of this release, Windows Server is getting secured-core capabilities to secure systems that will run workloads on Windows Server 2022.
Secured-core server builds on technologies such as Windows Defender System Guard and virtualisation-based security to minimise risks from firmware vulnerabilities and advanced malware.
No flashy new name, but it’s here at last. As well as improved security and running containers, I’m excited about improved native integration with Azure, wherever you use it.
We can expect significant time savings and disruption-reducing advances in hot patch (update) management. I sense many more time-saving elements are on their way, which will help with day-to-day management and governance. Further details here.
Windows Virtual Desktop (WVD)
Picking up EU metadata, smartcard authentication and Azure Monitor.
EU metadata storage
Public preview of the Europe (EU) geography as a storage option for service metadata in Windows Virtual Desktop is now available.
You can choose between West or North Europe when creating your service objects. The service objects and metadata for the WVD host pools will be stored in the Azure geography associated with each region, rather than just the East US region.
You can now use smartcard authentication, available in public preview mode, with the Windows client from outside your corporate network without requiring line-of-sight to the domain controller.
Azure Monitor for Windows Virtual Desktop
Azure Monitor for Windows Virtual Desktop will be generally available in the next few weeks. It provides a centralised view with all the monitoring insights and visualisations necessary for debugging, troubleshooting and operating at scale.
With the latest updates, you can perform the following functions:
- View a summary of host pool status and health
- Find and troubleshoot problems in a deployment
- Address user feedback
- Understand resource utilisation and make scaling and cost management decisions
New metadata locations are a long-awaited feature, and further announcements on regional availability will be greatly anticipated.
The more passwordless options for desktops, the better – which is moving at pace. And monitoring WVD was always a challenge without third-party solutions. If Azure Monitor for WVD provides suitable tools for minor problems, it’s a win.
Addressing confidential computing, Azure Security Centre and Azure Defender.
Azure Confidential Computing and Key Vault
Azure Key Vault Managed Hardware Security Module (HSM) – a fully managed, highly available, single-tenant key management service backed by FIPS 140-2 Level 3 validated hardware security modules (HSMs) – is available in preview.
Sectors like finance require HSMs to store the cryptographic keys used for Transport Layer Security, data encryption, public key infrastructure, digital rights management and document signing, so that the key material never leaves validated hardware.
Always Encrypted with secure enclaves, which uses a protected region of memory (an enclave) so that the database engine can run rich queries over encrypted columns without the plaintext being exposed to the database host, is now available in preview for Azure SQL Database; it shipped earlier with SQL Server 2019.
Trusted Launch, which protects against bootkits, rootkits and kernel-level malware by combining secure boot with a virtual TPM, is now available for both confidential and non-confidential VMs (virtual machines).
For overviews, see Confidential computing on Azure and Trusted launch for Azure virtual machines (preview).
In a fast-evolving threat landscape, extra and improved security controls and options are to be welcomed.
Azure Security Centre (ASC) and Azure Defender
Azure Defender now gives Windows Server 2019 machines enhanced security alerts and endpoint detection and response (EDR) support.
The Azure Security Centre also has improved network security integration and new reporting capabilities.
The alerts experience includes the following:
- Better triaging experiences
- Enhanced performance for larger alert lists
- Alignment with Azure Sentinel’s incident experience
- Additional alerts from the Azure Resource Graph
EDR support for Windows Server 2019 has been added to Microsoft Defender for Endpoint, whose licence is included with Azure Defender for servers.
The security status of Azure Firewalls is now available in the Azure Security Centre dashboard through integration with the Azure Firewall Manager.
New reporting capabilities, in preview mode, in the Azure Security Centre enable you to create quick reports on top of security data. You can use out-of-the-box reports or write custom reports with Azure Workbooks.
By improving integration, monitoring and alerting while continuing to extend coverage in and outside of Azure, there is a move to make ASC one of the best cloud workload protection platforms.
On top of modern workplace, data compliance and Sentinel advancements, Microsoft is driving demand for in-house and outsourced SOC services.
Specialists in Azure and Office 365 security are highly sought after. An external cyber security operations centre addresses the challenges related to the current skills deficit in this industry and can allow businesses to put cyber security measures in place affordably.
Windows Server 2022 Secured-core
Windows Server 2022, in preview, supports the latest security innovations.
This release brings Secured-core to Windows Server, helping secure the systems that will run workloads on Windows Server 2022.
Secured-core builds on technologies like System Guard and virtualisation-based security, minimising the risks from firmware vulnerabilities and advanced malware.
The new release also provides secured connectivity: SMB traffic can now be encrypted with industry-standard AES-256 (GCM and CCM), in addition to the AES-128 ciphers of earlier releases.
For organisations that still require on-premises Windows server workloads, this is an excellent enhancement for hybrid cloud environments.
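As an added example (not code from the article or from Microsoft), the PowerShell below shows the weak default beside the hardened setting for the SMB encryption mentioned above, as an administrator would apply it on a Windows Server 2022 file server. The share name is an assumption; the cmdlets and the `EncryptionCiphers` parameter are the SMB cmdlets as I know them in Windows Server 2022.

```powershell
# Added example (not from the article): audit and enforce SMB encryption on Windows Server 2022.
# 'Finance' is an assumed share name.

# 1. Audit the current state. Out of the box EncryptData is $false, so a client can negotiate
#    an unencrypted session, and EncryptionCiphers still lists the AES-128 suites first.
$before = Get-SmbServerConfiguration
[pscustomobject]@{
    EncryptData             = $before.EncryptData
    RejectUnencryptedAccess = $before.RejectUnencryptedAccess
    EncryptionCiphers       = $before.EncryptionCiphers
    EnableSMB1Protocol      = $before.EnableSMB1Protocol
}

# 2. Hardened server configuration:
#    - encrypt every share, not just those marked individually;
#    - reject clients that cannot encrypt (SMB 1.x and 2.x) instead of silently falling back;
#    - prefer AES-256 but keep AES-128 so Windows 10 / Server 2019 clients, which only speak
#      AES-128, can still connect. Drop the AES-128 entries only once every client is
#      Windows 11 / Server 2022, otherwise those clients will fail to connect.
Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true -Force
Set-SmbServerConfiguration -EncryptionCiphers 'AES_256_GCM,AES_256_CCM,AES_128_GCM,AES_128_CCM' -Force
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# Per-share alternative if server-wide encryption is not yet acceptable.
Set-SmbShare -Name 'Finance' -EncryptData $true -Force

# Server 2022 clients can express the same preference order for outbound connections.
Set-SmbClientConfiguration -EncryptionCiphers 'AES_256_GCM,AES_256_CCM,AES_128_GCM,AES_128_CCM' -Force

# 3. Verify: settings applied, and no remaining sessions on dialects that RejectUnencryptedAccess
#    will now refuse (anything below SMB 3.0.0).
Get-SmbServerConfiguration | Select-Object EncryptData, RejectUnencryptedAccess, EncryptionCiphers
Get-SmbShare | Select-Object Name, EncryptData
Get-SmbSession | Select-Object ClientComputerName, ClientUserName, Dialect |
    Where-Object { [version]$_.Dialect -lt [version]'3.0.0' }
```

Run the audit and the final `Get-SmbSession` query on the existing server first: any client still showing a 2.x dialect will be locked out by `RejectUnencryptedAccess`, so fix those before enforcing.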
Training and certifications: Windows Virtual Desktop
A new certification is launching for developers and IT administrators working on Windows Virtual Desktop.
The beta exam for the Microsoft Certified: Windows Virtual Desktop Specialty is now available.
Once these beta exams are scored, the exam will be generally available. Those who pass will earn the new Microsoft Certification.
It appears the trend is towards more, not fewer, specialisations, which is good as some knowledge is just too broad and high-level.
This is a welcome improvement in terms of specialist certification. Designing and delivering presentation solutions was often just a short chapter in any Windows Server training course, leaving many engineers to develop best practice through experience.