We are seeing more developers building and running their applications in the public cloud. In fact, companies are using multiple public clouds to run their applications. Our customers tell us that they choose to build applications in Azure because it’s easy to get started and that they have peace of mind knowing the services that their applications rely on will be available, reliable, and secure. Today, we are going to discuss how Azure Security Center’s Just-in-Time VM Access can help you secure virtual machines that are running your applications and code.
Successful attacks on your virtual machines can create serious challenges for development. If a server is compromised, your source code could potentially be exposed, along with the proprietary algorithms or internal knowledge about the application. The pace of development can slow down because your team is focused on recovering from the attack instead of writing and reviewing code. Most importantly, an attack can affect your customers’ abilities to access your applications, impacting your brand and your business. Just-in-Time VM Access can help you reduce your exposure to attacks by limiting the amount of time management ports are open on the virtual machines running your code.
Just-in-Time VM Access
Last September, I had the privilege to publicly announce our Azure confidential computing efforts, where Microsoft Azure became the first cloud platform to enable new data security capabilities that protect customer data while in use. The Azure team, alongside Microsoft Research, Intel, Windows, and our Developer Tools group, have been working together to bring Trusted Execution Environments (TEEs) such as Intel SGX and Virtualization Based Security (VBS – previously known as Virtual Secure mode) to the cloud. TEEs protect data being processed from access outside the TEE. We’re ready to share more details about our confidential cloud vision and the work we’ve done since the announcement.
Many companies are moving their mission-critical workloads and data to the cloud, and the security benefits that public clouds provide are in many cases accelerating that adoption. In its 2017 CloudView study, International Data Corporation (IDC) found that 'improving security' was one of the top drivers for companies to move to the cloud. However, security concerns still remain a commonly cited blocker for moving extremely sensitive IP and data scenarios to the cloud. The Cloud Security Alliance (CSA) recently published the latest version of its Treacherous 12 Threats to Cloud Computing report. Not surprisingly,
Monitoring the health and performance of your Azure Kubernetes Service (AKS) cluster is important to ensure that your applications are up and running as expected. If you run applications on other Azure infrastructure, such as Virtual Machines, you have come to rely on Azure Monitor to provide near real-time, granular monitoring data. We are happy to announce that you can now rely on Azure Monitor to also track the health and performance of your AKS cluster. Let’s look at the new container health monitoring capability in Azure Monitor.
You can enable container monitoring from the Azure portal when you create an AKS cluster. You may notice the prompt for a Log Analytics workspace, and the reason for this will become clear throughout this post. For now, just know that you are providing a central location to store your container logs.
Now that you have gone through the wizard and set up an AKS cluster with container health, let's go through an example to see how you would use it. Start by clicking on Health in AKS. Let's say you believe there is a possible resource bottleneck somewhere in your Kubernetes cluster. Since you aren't sure exactly what and where the issue
On February 8, 2017, we launched Managed Disks, Snapshots, and Images, which made it easy to provision and manage disks at scale on Azure. We’re now taking the next step and are excited to announce the Shared Image Gallery, which offers an easy but powerful set of tools to share VM images on Azure.
The Shared Image Gallery greatly simplifies image sharing at scale. It’s designed to make it easy for you to share your applications with others in your organization, within or across regions, enabling you to expedite regional expansion or DevOps processes, simplify your cross-region HA/DR setup and more. The Shared Image Gallery is now available in West US Central Azure and will soon expand to all Azure regions.
We will start sending invitations to join the limited public preview on May 21, 2018. If you're interested in joining the limited public preview, please submit this form to express your interest.
How do I use Shared Image Gallery?
The Shared Image Gallery lets you choose which images you want to share, which regions you want to make them available in, and whom you want to share them with. You can create multiple galleries so that you can
This blog was co-authored by Anitha Adusumilli, Principal Program Manager, Azure Networking and Sumeet Mittal, Program Manager, Azure Networking.
Azure Cosmos DB is Microsoft’s globally distributed, multi-model database service for mission-critical applications. Azure Cosmos DB provides turnkey global distribution, elastic scaling of throughput and storage worldwide, single-digit millisecond latencies at the 99th percentile, five well-defined consistency models, and guaranteed high availability, all backed by industry-leading comprehensive SLAs. Azure Cosmos DB automatically indexes all your data without requiring you to deal with schema or index management. It is a multi-model service and supports document, key-value, graph, and column-family data models.
Improved security capabilities
We are excited to announce the general availability of Virtual Network Service Endpoints for Azure Cosmos DB. Azure Cosmos DB uses Virtual Network Service Endpoints to create network rules that allow traffic only from selected virtual networks and subnets. This feature is now available in all regions of the Azure public cloud.
Customers can combine existing authorization mechanisms, such as the firewall access control list (ACL), with the new network boundaries to provide enhanced security for their data. Azure Cosmos DB is the first service to support cross-region access control, where customers can restrict access to globally distributed
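The subnet-plus-IP-filter configuration described above, as an added Azure CLI example (not code from the original post or from the Cosmos DB team). The resource group `cosmosrg`, account `appdb`, VNet `appvnet`, subnet `backend` and the allowed CIDR are placeholders; the script assumes an authenticated `az` session. Two local checks run before anything is changed: the subnet must actually carry the `Microsoft.AzureCosmosDB` service endpoint, and the IP range handed to the firewall must be a well-formed CIDR so a typo cannot widen the allow-list.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: restrict a Cosmos DB account
# to one VNet subnet (service endpoint + network rule) and keep an explicit IP
# allow-list as a second, independent boundary. All resource names are
# placeholders. Needs Azure CLI with an authenticated session (az login).
set -eu

has_service_endpoint() {
  # $1: whitespace-separated service list, as printed by
  #     az network vnet subnet show --query "serviceEndpoints[].service" -o tsv
  # $2: endpoint that must be present, e.g. Microsoft.AzureCosmosDB
  echo "$1" | tr ' \t' '\n\n' | grep -qx "$2"
}

valid_cidr() {
  # IPv4 address with optional /0-32 prefix; each octet must be 0-255.
  # A malformed value is rejected here instead of being sent to the firewall.
  local ip prefix o
  ip=${1%%/*}
  prefix=${1#*/}
  [ "$prefix" = "$1" ] && prefix=32
  echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  { [ "$prefix" -ge 0 ] && [ "$prefix" -le 32 ]; } 2>/dev/null || return 1
  IFS=.; set -- $ip; unset IFS
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
}

lock_down_cosmos() {
  local rg=$1 account=$2 vnet=$3 subnet=$4 allowed_cidr=$5 services

  valid_cidr "$allowed_cidr" || { echo "rejecting malformed CIDR: $allowed_cidr" >&2; return 1; }

  # 1. Service endpoint on the subnet: its traffic now reaches Cosmos DB over
  #    the Azure backbone and is identified by VNet/subnet, not by public IP.
  az network vnet subnet update -g "$rg" --vnet-name "$vnet" -n "$subnet" \
    --service-endpoints Microsoft.AzureCosmosDB
  services=$(az network vnet subnet show -g "$rg" --vnet-name "$vnet" -n "$subnet" \
    --query "serviceEndpoints[].service" -o tsv)
  has_service_endpoint "$services" Microsoft.AzureCosmosDB \
    || { echo "service endpoint missing on $subnet" >&2; return 1; }

  # 2. Turn on VNet filtering for the account and allow only this subnet.
  az cosmosdb update -g "$rg" -n "$account" --enable-virtual-network true
  az cosmosdb network-rule add -g "$rg" -n "$account" --vnet-name "$vnet" --subnet "$subnet"

  # 3. The existing IP firewall stays as a separate boundary for clients
  #    outside the VNet (an office egress range, a CI runner, ...).
  az cosmosdb update -g "$rg" -n "$account" --ip-range-filter "$allowed_cidr"

  az cosmosdb network-rule list -g "$rg" -n "$account" -o table
}

# Usage: ./cosmos-lockdown.sh cosmosrg appdb appvnet backend 203.0.113.0/24
if [ "$#" -eq 5 ]; then
  lock_down_cosmos "$@"
fi
```

Once the script has run, any client that is neither in the listed subnet nor in the allowed IP range gets an HTTP 403 from the account, and that includes the Azure portal's Data Explorer unless you explicitly allow it; verify connectivity from a VM inside the subnet rather than from your workstation.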
In December 2017, we announced general availability of the Azure M-series virtual machines (VMs). These VMs run on the most powerful cloud hardware available across all public cloud providers, with configurations up to 128 vCPUs and 4 TB of RAM in a single VM. Over the past few months, we have seen customers adopt M-series VMs for high-end database workloads based on SQL Server, Oracle, and other DBMS systems, and even move entire SAP landscapes into Azure.
Microsoft, as a customer of SAP, led the early adoption path by completing the migration of Microsoft's own SAP landscape into Azure, including our 14 TB SAP ERP system, which runs Microsoft's most critical business processes on an M-series M128s VM hosting this application's SQL Server database.
To accommodate even more demanding workloads, Azure has invested in accelerating database performance with optimizations for critical write I/O, exclusively on Azure M-series VMs. Azure Write Accelerator is functionality we recently released for M-series VMs; it has been proven to accelerate critical transaction log writes that require sub-millisecond latency.
We have been working with SAP over the last few months to leverage and certify Azure M-series VMs for their SAP HANA
We are thrilled to announce the public preview of low-priority virtual machines (VMs) on VM scale sets. Low-priority VMs allow users to run their workloads at a fraction of the price, enabling significant cost savings. This offering has been available through our Azure Batch service since May 2017, and because we have seen great customer success we are expanding it to VM scale sets. This is a great option for resilient, fault-tolerant applications as these VMs are allocated using our unutilized capacity and can, therefore, be evicted. Low-priority VMs are available through VM scale sets with up to an 80 percent discount.
What are low-priority VMs?
Low-priority VMs enable you to take advantage of our unutilized capacity. The amount of available unutilized capacity can vary based on size, region, time of day, and more. When deploying low-priority VMs in VM scale sets, Azure will allocate the VMs if there is capacity available, but there are no SLA guarantees. At any point in time when Azure needs the capacity back, we will evict low-priority VMs. Therefore, the low-priority offering is great for flexible workloads, like large processing jobs, dev/test environments, demos, and proofs of concept.
Provisioning low-priority VMs
Low-priority VMs can
Today, I am thrilled to announce the general availability of Global VNet Peering in all Azure public regions, empowering you to take the ease, simplicity, and isolation of VNet peering to the next level.
Azure Virtual Network (VNet) is a logically isolated section of Azure that enables you to securely connect Azure resources to each other. VNet lets you create your own private space in Azure – your own network bubble, as I like to call it.
With Global VNet Peering available, you can enable connectivity across all Azure public regions without additional bandwidth restrictions and as always keeping all your traffic on the Microsoft Backbone. Global VNet Peering provides you with the flexibility to scale and control how workloads connect across geographical boundaries, unlocking and applying global scale to a plethora of scenarios such as data replication, database failover, and disaster recovery through private IP addresses. You can also share resources across different business unit VNets, the hub-and-spoke model, as we refer to it, through a global peering connection. As your organization grows across geographic boundaries, you can continue to share resources like firewalls or other virtual appliances via peering.
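A hub-and-spoke peering as described above, as an added Azure CLI example (not code from the original post or from the Azure Networking team). The resource groups and VNet names are placeholders and the script assumes an authenticated `az` session. Before creating anything it checks that the two address spaces do not overlap, since Azure refuses to peer overlapping VNets; the check reads only the first address prefix of each VNet, so extend it for multi-prefix VNets. Peering is directional, so both links are created and each side's state is printed.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: peer two VNets in both
# directions with Azure CLI after checking that their address spaces do not
# overlap. Resource group and VNet names are placeholders. Needs an
# authenticated az session.
set -eu

cidr_bounds() {
  # Print "first last" of an IPv4 CIDR as unsigned integers.
  local ip prefix net mask
  ip=${1%%/*}
  prefix=${1#*/}
  [ "$prefix" = "$1" ] && prefix=32
  IFS=.; set -- $ip; unset IFS
  net=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
  mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
  echo "$(( net & mask )) $(( (net & mask) | (4294967295 ^ mask) ))"
}

cidrs_overlap() {
  # True when the two CIDRs share at least one address.
  local s1 e1 s2 e2
  set -- $(cidr_bounds "$1") $(cidr_bounds "$2")
  s1=$1 e1=$2 s2=$3 e2=$4
  [ "$s1" -le "$e2" ] && [ "$s2" -le "$e1" ]
}

peer_vnets() {
  local rg1=$1 vnet1=$2 rg2=$3 vnet2=$4 id1 id2 space1 space2

  id1=$(az network vnet show -g "$rg1" -n "$vnet1" --query id -o tsv)
  id2=$(az network vnet show -g "$rg2" -n "$vnet2" --query id -o tsv)
  # Only the first prefix of each VNet is compared here (placeholder simplification).
  space1=$(az network vnet show -g "$rg1" -n "$vnet1" --query "addressSpace.addressPrefixes[0]" -o tsv)
  space2=$(az network vnet show -g "$rg2" -n "$vnet2" --query "addressSpace.addressPrefixes[0]" -o tsv)

  if cidrs_overlap "$space1" "$space2"; then
    echo "address spaces overlap ($space1 vs $space2); re-address one VNet first" >&2
    return 1
  fi

  # Peering is directional and non-transitive: create both links, and do not
  # grant forwarded traffic or gateway transit unless the design needs them.
  az network vnet peering create -g "$rg1" -n "${vnet1}-to-${vnet2}" \
    --vnet-name "$vnet1" --remote-vnet "$id2" --allow-vnet-access
  az network vnet peering create -g "$rg2" -n "${vnet2}-to-${vnet1}" \
    --vnet-name "$vnet2" --remote-vnet "$id1" --allow-vnet-access

  # Both sides must report Connected before traffic flows.
  az network vnet peering show -g "$rg1" --vnet-name "$vnet1" -n "${vnet1}-to-${vnet2}" \
    --query peeringState -o tsv
  az network vnet peering show -g "$rg2" --vnet-name "$vnet2" -n "${vnet2}-to-${vnet1}" \
    --query peeringState -o tsv
}

# Usage: ./peer-vnets.sh hubrg hub-vnet spokerg spoke-vnet
if [ "$#" -eq 4 ]; then
  peer_vnets "$@"
fi
```

Because peering is not transitive, two spokes peered to the same hub cannot reach each other through the hub by default; that requires a routing appliance in the hub, user-defined routes in the spokes, and forwarded traffic allowed on the peerings, which is exactly the shared-firewall pattern the post describes.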
We are excited to announce the general availability of a new feature for Azure virtual machines (VMs) called Write Accelerator! Write Accelerator is a new disk capability that offers customers sub-millisecond writes for their disks. Write Accelerator is initially supported on M-series VMs with Azure Managed Disks and Premium Storage. Write Accelerator is recommended for workloads that require highly performant updates, such as database transaction log writes. Write Accelerator is exclusive to Azure M-series virtual machines, in recognition of the performance-sensitive workloads that run on these high-end VMs. Technical details on enablement and restrictions can be found in our documentation.
Low latency, high transaction workloads – Write Accelerator, in conjunction with M-series VMs on Managed Disks, is targeted at database platforms that benefit from highly performant transactional updates, such as SQL Server, Oracle, and SAP HANA. Write Accelerator is ideally suited where log file updates must be persisted to disk with very low latency for modern databases. Write Accelerator disks offer the same reliability as Azure Premium Disks. In tests, customers reported multi-fold speedups for disk writes, improving the performance and scalability of critical transactions and redo logs of
Today, we are excited to announce the availability of the OS Disk Swap capability for VMs using Managed Disks. Until now, this capability was only available for Unmanaged Disks.
With this capability, it becomes very easy to restore a previous backup of the OS disk, or to swap out the OS disk for VM troubleshooting, without having to delete the VM. To use this capability, the VM must be in the stopped (deallocated) state. Once the VM is deallocated, the resource ID of the existing managed OS disk can be replaced with the resource ID of the new managed OS disk; you specify the name of the new disk to swap in. Note that you cannot switch the OS type of the VM, i.e. you cannot swap a Linux OS disk for a Windows OS disk or vice versa.
Here are the instructions on how to leverage this capability:
To read more about using Azure CLI, see Change the OS disk used by an Azure VM using the CLI.
For the CLI, pass the full resource ID of the new disk to the --os-disk parameter.
NOTE: requires Azure CLI version > 2.0.25
az vm update -g swaprg
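The complete swap procedure from the steps above, as an added Azure CLI example (not code from the original post). The resource group, VM and disk names are placeholders, and the script assumes an authenticated `az` session on a CLI newer than 2.0.25. Two pre-flight checks enforce the constraints the post states: the value handed to `--os-disk` must be a full managed-disk resource ID, and the new disk's OS type must match the VM's, since a Linux disk cannot replace a Windows one.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: swap the managed OS disk of
# a VM with Azure CLI. "swaprg", "vm2" and "osdisk2" below are placeholder
# names. Requires Azure CLI > 2.0.25 and an authenticated session (az login).
set -eu

is_managed_disk_id() {
  # --os-disk expects the full ARM resource ID of a managed disk.
  case "$1" in
    /subscriptions/*/resourceGroups/*/providers/Microsoft.Compute/disks/*) return 0 ;;
    *) return 1 ;;
  esac
}

same_os_type() {
  # The OS type of the VM cannot change through a disk swap.
  [ "$1" = "$2" ]
}

swap_os_disk() {
  local rg=$1 vm=$2 new_disk=$3 new_id vm_os disk_os

  new_id=$(az disk show -g "$rg" -n "$new_disk" --query id -o tsv)
  is_managed_disk_id "$new_id" || { echo "not a managed disk ID: $new_id" >&2; return 1; }

  vm_os=$(az vm show -g "$rg" -n "$vm" --query storageProfile.osDisk.osType -o tsv)
  disk_os=$(az disk show -g "$rg" -n "$new_disk" --query osType -o tsv)
  same_os_type "$vm_os" "$disk_os" \
    || { echo "OS type mismatch: VM=$vm_os disk=$disk_os" >&2; return 1; }

  # The VM must be stopped (deallocated) before its OS disk reference can change.
  az vm deallocate -g "$rg" -n "$vm"
  az vm update -g "$rg" -n "$vm" --os-disk "$new_id"
  az vm start -g "$rg" -n "$vm"

  # Confirm the VM now boots from the new disk.
  az vm show -g "$rg" -n "$vm" --query storageProfile.osDisk.name -o tsv
}

# Usage: ./swap-os-disk.sh swaprg vm2 osdisk2
if [ "$#" -eq 3 ]; then
  swap_os_disk "$@"
fi
```

Deallocating the VM releases a dynamically allocated public IP and discards the temporary disk, so plan the swap as a maintenance window; the old OS disk is left in place and can be swapped back the same way if the new one does not boot.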