Secure server access with VNet service endpoints for Azure Database for MariaDB

This blog post was co-authored by Sumeet Mittal, Senior Program Manager, Azure Networking.

Ensure security and limit access to your MariaDB server with the virtual network (VNet) service endpoints now generally available for Azure Database for MariaDB. VNet service endpoints enable you to isolate connectivity to your logical server from a given subnet within your virtual network. The traffic to Azure Database for MariaDB from your VNet always stays within the Azure network. Preference for this direct route is over any specific ones that route Internet traffic through virtual appliances or on-premises.

There is no additional billing for virtual network access through VNet service endpoints. The current pricing model for Azure Database for MariaDB applies as is.

Using firewall rules and VNet service endpoints together

Turning on VNet service endpoints does not override firewall rules that you have provisioned on your Azure Database for MariaDB, both remain applicable.

VNet service endpoints don’t extend to on-premises. To allow access from on-premises, you can use firewall rules to limit connectivity only to your public (NAT) IPs.

To learn more about VNet protection view our documentation, “Use Virtual Network service endpoints and rules for Azure Database for MariDB.”

Turning on service endpoints for servers with pre-existing firewall rules

When you connect to your server with service endpoints turned on, the source IP of database connections switches to the private IP space of your VNet. Configuration is via the “Microsoft.Sql” shared service tag for all Azure Databases including Azure Database for MariaDB, MySQL, PostgreSQL, Azure SQL Database and Managed Instance, and Azure SQL Data Warehouse. If at the present time your server or database firewall rules allow specific Azure public IPs, then the connectivity breaks until you allow the given VNet/subnet by specifying it in the VNet firewall rules. To ensure connectivity, you can preemptively specify VNet firewall rules before turning on service endpoints by using the IgnoreMissingServiceEndpoint flag.

Support for ASE

As part of general availability, we support service endpoints for App Service Environment (ASE) subnets deployed into your virtual networks.

Next steps

Get started with the service by creating your first Azure Database for MariaDB server using the Azure portal or Azure CLI.
Learn how to configure VNet service endpoints for MariaDB using the Azure portal or Azure CLI.
Reach us by emailing our team AskAzureDBforMariaDB@service.microsoft.com.
File feature requests on UserVoice.
Follow us on Twitter @AzureDBMariaDB to keep up with the latest features.

Quelle: Azure

Scaling out read workloads in Azure Database for MySQL

For read-heavy workloads that you are looking to scale out, you can use read replicas, which are now generally available to all Azure Database for MySQL users. Read replicas make it easy to horizontally scale out beyond a single database server. This is useful in workloads such as BI reporting and web applications, which tend to have more read operations than write.

The feature supports continuous asynchronous replication of data from one Azure Database for MySQL server (the “master” server) to up to five Azure Database for MySQL servers (the “read replica” servers) in the same region. Read-heavy workloads can be distributed across the replica servers according to your preference. Replica servers are read-only except for writes replicated from data changes on the master.

What’s supported with read replicas?

You can create or delete replica servers based on your workload’s needs. A master server can support up to five replica servers within the same Azure region. Stopping replication to any replica server makes it a standalone read-write server.

You can easily manage your replica servers using the Azure portal and Azure CLI.

From the Azure portal:

Use Azure Monitor to track replication with the “replication lag in seconds” metric:

From the Azure CLI:

az mysql server replica create -n mydemoreplica1 -g myresourcegroup -s mydemomaster

Below are some application patterns used by our customers and partners that leverage read replicas for scaling workloads.

BI reporting

Data from disparate data sources is processed every few minutes and loaded into the master server. The master server is dedicated for loads and processing, not directly exposing it to BI users for reporting or analytics to ensure predictable performance. The reporting workload is scaled out across multiple read replicas to manage high user concurrency with low latency.

Microservices

In this architecture pattern, the application is broken into multiple microservices, with data modification APIs connecting to the master server while reporting APIs connect to read replicas. The data modification APIs are prefixed with “Set-”, while reporting APIs are prefixed with “Get-“. The load balancer is used to route the traffic based on the API prefix.

Next steps

Get started with the service by creating your first Azure Database for MySQL server using the Azure portal or Azure CLI.
Learn more about read replicas and how to create them in the Azure portal or Azure CLI.
Reach us by emailing our team AskAzureDBforMySQL@service.microsoft.com.
File feature requests on UserVoice.
Follow us on Twitter @AzureDBMySQL to keep up with the latest features.

Quelle: Azure

Azure Marketplace and Cloud Solution Provider updates – March 2019

In February, Microsoft shared an ambitious vision to continue innovating as a technology provider and to improve the experience for solution developers and service providers when engaging with Microsoft. Our partners are delivering more innovation in AI, expanding their business through more co-selling opportunities, and leveraging distribution options through our commercial marketplaces such as Azure Marketplace and AppSource.

Today, we’re very excited to begin rolling out an initial set of platform changes which open new opportunities for our partners to go to market with Microsoft. This work sets the stage for more enhancements coming this winter and spring that continue to drive partner business acceleration. Get a sneak peek on our public marketplace roadmap.

Microsoft makes Azure Marketplace offers available to CSP channel partners

Microsoft’s Cloud Solution Provider (CSP) partner program is the largest channel program in the industry with more than 60,000 channel partners serving millions of Microsoft customers worldwide. Starting today, ISVs can choose to make their transactable Azure Marketplace offer available for distribution through the CSP channel. Partners in the CSP program will be able to sell, deploy, and bundle Azure services with Azure-optimized ISV software from the marketplace to better serve customers and grow their managed services business.

Within Partner Center’s new marketplace page, CSP partners can discover, evaluate, and learn about all the Azure Marketplace solutions available through the channel. Software-as-a-Service (SaaS) subscriptions can be established through the standard purchase workflow in Partner Center, and Azure resources such as VM or container images may be deployed and procured through the Azure management portal. All of the transactions will now be available on a consolidated invoice making legal, billing, and account support much simpler.

Publisher partners can learn how to create or update offerings for CSP channel availability.

CSP partners can also explore the marketplace page in Partner Center.

Screenshot of new marketplace discovery experience in Partner Center under the “Sell” navigation pane

Expanding the market opportunity for partners with new geographies and business models

As customer adoption for marketplaces continues to grow around the world, we expanded our global marketplace reach. We are pleased to share that Azure Marketplace has expanded coverage to 53 new countries, allowing partners now to sell into a total of 141 countries with 17 currencies.

Last year, we launched SaaS in Azure Marketplace with the ability to pay per month. As enterprise adoption of SaaS continues to grow, customers are looking for a variety of billing options. Today, we are pleased to highlight a new annual billing option for SaaS offers. We are also releasing a new set of tools to reduce procurement complexity for customers and ISV partners. For example, the new standard contract allows ISVs to leverage a unified and common set of terms and conditions for end customers.

Have questions or feedback? See the new or updated resources below. We also invite you to join us in the Microsoft Partner Community for discussion!

Publisher resources

Become a publisher
Publisher Guide for Partners
New: Publish Offerings for Resellers
New: Marketplace Roadmap
Azure Marketplace FAQs
Marketplace Support for Publishers

Cloud Solution Provider resources

Partner Center Documentation
New: Marketplace Offerings in Partner Center
Partner Center API Documentation
CSP Operations Guide

Quelle: Azure

Azure Communications is hosting an “Ask Me Anything” session!

Have you ever wondered where those service notifications in the Azure Portal and the Azure Status page come from? Curious why some messages appear to have more information than others? Interested in learning more about what goes into an outage statement? This is your chance to find out!

The Azure Communications team will be hosting a special "Ask Me Anything" (AMA) session on Reddit and Twitter. The Reddit session will be held on Monday, March 11th, from 10:00 AM to noon PST. Customers can participate by posting to the /r/Azure subreddit when the AMA is live. The Twitter session will follow soon after on Wednesday, March 13th, from 10:00 AM to noon PST. Be sure to follow @AzureSupport before March 13th and tweet us during the event using the hashtag #AzureCommsAMA.

Who are we?

We are among the first responders during times of crisis – the ones who draft, approve, and publish most customer-facing communications when outages happen. You've probably seen our messages on the Azure Service Health blade in the Portal, the Azure Status webpage, or even on the @AzureSupport Twitter handle. We'd like to think we bridge the gap between customers and the action happening behind the scenes.

What kind of communications do we provide?

Our communications are very crisis-oriented. When there is any kind of service interruption with the Azure platform, we are responsible for making sure our customers are provided with timely and accurate information. This includes information about outages, maintenance updates, and other good-to-know information for customers. We do not, however, manage any advertising or promotional communications.

Where do we communicate?

We have three primary channels for communicating with customers: Azure Service Health in the Portal, the Azure Status webpage, and @AzureSupport on Twitter.

Azure Service Health – Azure Service Health provides personalized guidance directly to customers when issues with the Azure platform affect their resources. Customers can review a personalized dashboard in the Portal, set up targeted notifications (email, SMS, webhook, etc.), receive support, and share details easily.

Azure Status webpage – This public-facing webpage (which does not require signing in) is only used to provide updates for major incidents or when there are known issues preventing access to Azure Service Health in the Portal. Customers should only refer to this page if they are not able to access Azure Service Health.

@AzureSupport on Twitter – In many ways, the @AzureSupport Twitter handle is a dynamic component of our communications process. Twitter allows engineering and support teams to gauge the pulse of the Azure platform through customer engagements on Twitter and act as a complementary resource to the Azure Status webpage. If necessary, @AzureSupport can even be used as a communications medium when Azure Service Health or the Azure Status webpage are not available.

Why are we hosting an AMA?

We’re going to be honest – we want there to be as little a disconnect as possible between customers and the action happening behind the scenes. An AMA provides us with an opportunity to connect with customers on a more intimate, informal level, and allows us to receive feedback directly from customers about some of the real-time decisions that are made during times of crisis. Hosting a multi-channel AMA through both Reddit and Twitter allows us to connect with a broad social community while providing customers with an experience based on transparency that is second to none.

Who will be there? How can I participate?

If you’re on Reddit, subscribe to the /r/Azure subreddit by Monday, March 11th, at 10:00 AM PST. Pochian Lee, Drey Zhuk, and others from the Azure Communications team will be answering questions on Reddit until noon. Just log in and post your questions to get started. If you’re on Twitter, be sure to follow @AzureSupport before Wednesday, March 13th. Starting at 10:00 AM PST, the team will be answering questions on Twitter until noon. Just tweet your questions to @AzureSupport during the event and be sure to include the #AzureCommsAMA hashtag so we don't miss you! While we will only be answering questions live during the event, customers are encouraged to post or tweet their questions any time starting at 10:00 AM on March 8th. This gives customers in different time zones an opportunity to participate.

Questions you may already have:

Why am I impacted and still see green on the Azure Status webpage?

The majority of our outages impact a limited subset of customers and we reach out to the impacted customers directly via the Azure Service Health blade. The Azure Status webpage provides information regarding any major impacting event that customers should be aware of on a broader scale.

Do I raise a support case during an outage?

If after looking in the Azure Service Health blade to see if you have been impacted by an outage, you find that your problem doesn’t match the impact that we’re observing, we would recommend that you create an Azure support case.

If you do not see a notification within the Azure Service Health blade and believe that there is an outage, please create an Azure support case.

If I don't see a notification in the Azure Service Health blade during an outage, should I raise a support ticket?

If you believe you are impacted by an outage, then yes!

How do I get notifications via email, SMS, etc. during an outage?

Customers can receive additional notifications via Azure Service Health and Azure Resource Health.

Azure Service Health – To get notifications during an outage, you would need to setup alerts within Azure Service Health to your preference (i.e you want to be notified for any outage affecting my virtual machines in the eastern US). Find additional information, and learn how to request notifications in this documentation.

Azure Resource Health – To get notifications based on the health of your individual resources (i.e. I want to be notified about issues for these two specific Virtual Machines), customers can configure Resource Health alerts by following the steps in this article.

If I have Service Health alerts set up, why have I not received a notification of an outage?

We try our best to inform impacted customers of an outage using our telemetry and are actively working on improving our telemetry to make sure we alert all customers that are impacted. We’ve made great progress for certain scenarios where our automated alerting is triggered from high-fidelity monitoring within our system. We’re looking to further develop this telemetry to ensure that the right customers are informed in a timely manner.

Where can I find Azure Service Health communications?

Communications can be seen within the Azure Service Health blade.

Why do I get communications so late in the Portal?

As soon as we’re able to validate customer impact and the services involved, we inform customers immediately. We’re actively working on improving our automation and telemetry to make sure customers are aware in real-time.

Why aren't these communications more visible when I log into the Portal?

We have heard this feedback before and are currently collaborating with partner teams to improve the visibility of the communications in the Azure Portal.

Be sure to subscribe to /r/Azure and follow @AzureSupport on Twitter before March 11th, 2019, in order to participate. We look forward to answering your questions live during the event!
Quelle: Azure

Service Fabric Processor in public preview

Microsoft clients for Azure Event Hubs have always had two levels of abstraction. There is the low-level client, which includes event sender and receiver classes which allow for maximum control by the application, but also force the application to understand the configuration of the Event Hub and maintain an event receiver connected to each partition. Built on top of that low-level client is a higher-level library, Event Processor Host, which hides most of those details for the receiving side. Event Processor Host automatically distributes ownership of Event Hub partitions across multiple host instances and delivers events to a processing method provided by the application.

Service Fabric is another Microsoft-provided library, which is a generalized framework for dividing an application into shards and distributing those shards across multiple compute nodes. Many customers are using Service Fabric for their applications, and some of those applications need to receive events from an Event Hub. It is possible to use Event Processor Host within a Service Fabric application, but it is also inelegant and redundant. The combination means that there are two separate layers attempting to distribute load across nodes, and neither one is aware of the other. It also introduces a dependency on Azure Storage, which is the method that Event Processor Host instances use to coordinate partition ownership, and the associated costs.

Service Fabric Processor is a new library for consuming events from an Event Hub that is directly integrated with Service Fabric, it uses Service Fabric's facilities for managing partitions, reliable storage, and for more sophisticated load balancing. At the same time it provides a simple programming interface that will be familiar to anyone who has worked with Event Processor Host. The only specific requirement that Service Fabric Processor imposes is that the Service Fabric application in which it runs must have the same number of partitions as the Event Hub from which it consumes. This allows a simple one on one mapping of Event Hub partitions to application partitions, and lets Service Fabric distribute the load most effectively.

Service Fabric Processor is currently in preview and available on NuGet at the “Microsoft.Azure.EventHubs.ServiceFabricProcessor” web page. The source code is on GitHub in our .NET Event Hubs client repository. You can also find a sample application available on GitHub.

From the developer's point of view, there are two major pieces to creating an application using Service Fabric Processor. The first piece is creating a class that implements the IEventProcessor interface. IEventProcessor specifies methods that are called when processing is starting up for a partition (OpenAsync), when processing is shutting down (CloseAsync), for handling notifications when an error has occurred (ProcessErrorAsync), and for processing events as they come in (ProcessEventsAsync). The last one is where the application's business logic goes and is the key part of most applications.

The second piece is integrating with Service Fabric by adding code to the application's RunAsync method, which is called by Service Fabric to run the application's functionality. The basic steps are:

Create an instance of EventProcessorOptions and set any options desired.

Create an instance of the IEventProcessor implementation. This is the instance that will be used to process events for this partition.

Create an instance of ServiceFabricProcessor, passing the options and processor objects to the constructor.

Call RunAsync on the ServiceFabricProcessor instance, which starts the processing of events.

Next steps

For more details follow our programming guide which is available on GitHub. Did you enjoy this blog post? Don't forget to leave your thoughts and feedback in the comment section below. You can also learn more about Event Hubs by visiting our product page.
Quelle: Azure

Announcing new capabilities in Azure Firewall

Today we are excited to launch two new key capabilities to Azure Firewall.

Threat intelligence based filtering
Service tags filtering

Azure Firewall is a cloud native firewall-as-a-service offering which enables customers to centrally govern all their traffic flows using a DevOps approach. The service supports both application (such as *.github.com), and network level filtering rules. It is highly available and auto scales as your traffic grows.

Threat intelligence based filtering (preview)

Microsoft has a rich signal of both internal threat intelligence data, as well as third party sourced data. Our vast team of data scientists and cybersecurity experts are constantly mining this data to create a high confidence list of known malicious IP addresses and domains. Azure firewall can now be configured to alert and deny traffic to and from known malicious IP addresses and domains in near real-time. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. The Microsoft Intelligent Security Graph powers Microsoft Threat Intelligence and provides security in multiple Microsoft products and services, including Azure Security Center and Azure Sentinel.

Threat intelligence-based filtering is default-enabled in alert mode for all Azure Firewall deployments, providing logging of all matching indicators. Customers can adjust behavior to alert and deny.

Figure 1 – Azure Firewall concept architecture

Managing your firewall

Logging analysis of threat data and actionable insights are all crucial and central themes to planning, building, and operating applications and infrastructure.

Azure Firewall provides full integration with Azure Monitor. Logs can be sent to Log Analytics, Storage, and Event Hubs.  Azure Log Analytics allows for the creation of rich dashboards and visualization. Along with custom data queries this powerful integration provides a common place for all your logging needs, with vast options to customize the way you consume your data. Customers can send data from Azure Monitor to SIEM systems such as Splunk, ArcSight and similar third party offerings.

Figure 2 – Azure Firewall detecting a compromised VM using threat intelligence and blocking these outbound connections

Figure 3 – Azure Firewall detecting port scan attempts using threat intelligence and blocking these inbound connections

Service tags filtering

Along with threat intelligent-based filtering, we are adding support for service tags which have also been a highly requested feature by our users. A service tag represents a group of IP address prefixes for specific Microsoft services such as SQL Azure, Azure Key Vault, and Azure Service Bus, to simplify network rule creation. Microsoft today supports service tagging for a rich set of Azure services which includes managing the address prefixes encompassed by the service tag, and automatically updating the service tag as addresses change. Azure Firewall service tags can be used in the network rules destination field. We will continue to add support for additional service tags over time.

Central management

Azure Firewall public REST APIs can be used by third party security policy management tools to provide a centralized management experience for Azure Firewalls, Network Security Groups, and network virtual appliances (NVAs). In September 2018, we announced the private preview for Barracuda’s new service, AlgoSec CloudFlow and Tufin. We are happy to announce that AlgoSec CloudFlow is now available as a public beta. Learn more and join at the Algosec website.

We want to thank all our customers for their amazing feedback since Azure Firewall became generally available in September 2018. We continue to be amazed by the adoption, interest, positive feedback, and the breadth of use cases customers are finding for our service. Please do keep your feedback coming and we look forward to continuing to advance the service to meet your needs.

Learn more

Azure Firewall Documentation
Azure Firewall Threat Intelligence
Azure Firewall Service Tags
Pricing

Quelle: Azure

Presenting the new IIC Security Maturity Model for IoT

Organizations deploying IoT solutions often ask similar questions as they address security—What is the risk my organization takes on as we adopt IoT? How much security do we need for our scenario? Where should we invest for the biggest impact? To answer those questions, Microsoft co-authored and edited the Industrial Internet Consortium (IIC) IoT Security Maturity Model (SMM) Practitioner’s Guide. The SMM leads organizations as they assess the security maturity state of their current organization or system, and as they set the target level of security maturity required for their IoT deployment. Once organizations set their target maturity, the SMM gives them an actionable roadmap that guides them from lower levels of security maturity to the state required for their deployment.

Because not all IoT scenarios require the same level of security maturity, the goal of the SMM is to allow organizations to meet their scenario needs without over-investing in security mechanisms. For example, a manufacturing or an oil and gas solution involving safety needs an especially high maturity state.

The SMM complements Microsoft’s body of existing research and standards for IoT security, such as the “Seven Properties of Highly Secure Devices.” While the research in the Seven Properties paper provides a comprehensive deep dive into device security, the SMM takes a broader view of IoT security. This comprehensive model is used in the IoT security space to assess the maturity of organizations’ systems including governance/process, technology, and system security management. Other models typically address IT but not IoT, or IoT but not security, or security but not IoT. The SMM covers all these aspects and leverages other models where appropriate.

Applying the SMM to your organization

While the SMM’s intended audience is owners of IoT systems, decision makers, and security leaders, we expect assessment companies, and assessments groups within organizations, to be the main practitioners of the model. The SMM allows decision makers and security leaders to understand and consistently apply assessments performed by different groups. It also provides flexibility for industry extensions (currently being explored with several industry groups and associations) and allows for different types of visualization of the model results.

The SMM is organized as a hierarchy and includes domains, subdomains, and practices. This hierarchical approach enables the maturity and gap analysis to be viewed at different levels of detail, making it easier for organizations to prioritize gaps.

The SMM also makes an important distinction between security levels and security maturity states, helping organizations to understand the differences between what their goals need to be and where they are in their security journey. In the SMM, a security level is a measure of how much security you have. The SMM does not dictate what the appropriate security level should be for your organization. Rather, it provides guidance and structure so organizations can identify considerations for different security maturity states appropriate for their industry and systems.

Security maturity, on the other hand, is a measure of how well your security technology, processes, and operations meet your organization’s specific needs. The SMM helps you determine how much security you need, based on cost, benefit, and risk. The model allows you to consider various factors such as the specific threats to your organization's industry vertical, regulatory, and compliance requirements, the unique risks present in the environments your IoT operates in, and your organization's threat profile.

As you begin working with the SMM, it guides you through each step of the assessment using the model. Your organization begins by establishing a target state or identifying a relevant industry profile you want to target. Your organization then conducts an assessment to capture a current maturity state. By comparing the target and current states, organizations identify gaps. Based on the gap analysis, business and technical stakeholders can establish a roadmap, take action, and measure the progress. Organizations improve their security state by making continued security assessments and improvements over time. No matter how far along you are with IoT security, the model will help you close gaps that bring you to your desired security maturity.

Assessing security details with the security maturity model

Once you begin working with the SMM, it guides you through a rigorous approach to defining how well your security state meets your needs. To help you identify actionable areas to improve and to avoid blind spots in your plan, the SMM introduces domains, subdomains, and practices. You can gauge how well your organization is doing in each domain, subdomain, and practice along two dimensions — comprehensiveness and scope. Comprehensiveness is a measure of the depth and with higher levels indicating higher degree of maturity of a process or technology. Scope allows for identifying general, industry, and system specific requirements, ensuring the SMM can be tailored to your industry and use case with more precision than previous models could achieve.

SMM Hierarchy

The domains in the SMM include governance, enablement, and hardening. These domains determine the priorities of security maturity enhancements at the strategic level.

Governance influences business process and includes program management, risk management, and supply chain and third-party management.
Enablement covers architecture considerations and security technology mechanisms and includes identity management, access control, and physical protection.
Hardening defines countermeasures to deal with incidents and includes monitoring, events detection, and remediation.

The subdomains reflect the means of obtaining the priorities at the planning level. The practices define typical activities associated with subdomains identified at the tactical level.

The SMM includes practice tables grouped by domains and subdomains. Each SMM practice includes a table describing what must be done to reach a given comprehensiveness level at the general scope. For each comprehensiveness level, the table describes the objective and general considerations, a description of the level, practices that should be in place to achieve that level, and indicators of accomplishment to help assessors determine if the organization has met the requirements of the level.

Of course, general guidelines are often difficult to apply to specific scenarios. For that reason, an example follows each table using various industry use cases to demonstrate how an organization might use the table to pick a target state or to evaluate a current state. The guide also contains three case studies that show IoT stakeholders how to apply the process. The case studies include a smarter data-driven bottling line, an automotive gateway supporting Over the Air (OTA) updates, and consumer residential settings using security cameras. As our work on the SMM continues, we will work with industry organizations and associations to define industry profiles for the SMM.

Getting started with the SMM

If you want more information on exactly how the SMM works or how you can begin, the best spot to start is with the model itself: evaluate or improve your IoT security with the SMM today. To learn more about the SMM from its authors, watch our SMM introduction webinar.

For details on building your secure IoT solution on the trusted Azure IoT cloud services, see our Azure IoT Security Architecture for more information or start your free trial to get immediate hands on experience.
Quelle: Azure

Announcing new Azure Security Center capabilities at RSA 2019

This is an exciting week for us at Microsoft. At RSA Conference 2019, we are announcing new and exciting capabilities in Azure and Microsoft 365. With this blog post, we wanted to share with you what we have been working on for Azure Security Center. Azure Security Center now leverages machine learning to reduce the attack surface of internet facing virtual machines. Its adaptive application controls have been extended to Linux and on-premises servers, and extends the network map support to peered virtual network (VNet) configurations.

Leveraging machine learning to reduce attack surface

One of the biggest attack surfaces for workloads running in the public cloud are connections to and from the public Internet. Our customers find it hard to know which Network Security Group (NSG) rules should be in place to make sure that Azure workloads are only available to required source ranges. Security Center can now learn the network traffic and connectivity patterns of your Azure workload and provide you with NSG rule recommendations for your internet facing virtual machines. This helps you better configure your network access policies and limit your exposure to attacks.

Azure Security Center uses machine learning to fully automate this process, including an automated enforcement mechanism, enabling its customers to better protect their internet facing virtual machines with only a few clicks. These recommendations also use Microsoft’s extensive threat intelligence reports to make sure that known bad actors are blocked.

Extending adaptive application controls

Adaptive application control is an intelligent, automated end-to-end application whitelisting solution from Azure Security Center. It helps you control which applications can run on your VMs located in Azure, which, among other benefits, helps harden your VMs against malware. Security Center uses machine learning to analyze the applications running on your VMs and helps you apply the specific whitelisting rules using this intelligence.

We are extending adaptive application controls in Azure Security Center to include Linux VMs and servers/VMs external to Azure (Windows and Linux) in audit mode. This means that Azure Security Center will identify applications running on your servers which are not in compliance with the Azure Security Center generated whitelisting rules and will audit those violations. This will enable you to  detect threats that might otherwise be missed by antimalware solutions; to comply with your organization's security policy that dictates the use of only licensed software and to audit unwanted software that is being used in your environment.

Network map support for VNet peering

Azure Security Center’s network map has added support for virtual network peering, a configuration in which traffic flows between Azure Virtual Networks through the Microsoft backbone, as if they were virtual machines in the same virtual network, through private IP addresses only. The support includes displaying allowed traffic flows between peered VNets and peering related information on Security Center’s network map.

With these additions, Azure Security Center strengthens its role as the unified security management and advanced threat protection solution for your hybrid cloud workloads. We encourage you to take advantage of these new capabilities for all your Internet-exposed Azure resources. If you have not started using Azure Security Center in your Azure subscription, get started today.
Quelle: Azure

Guardian modules: Bringing Azure Sphere security to brownfield IoT

When someone mentions the words “Internet of Things,” often the first picture that comes to mind is some sort of device with the Internet “built-in.” However, a built-in design involves months or years of design work and applies only to devices that have yet to come to market. How do businesses leverage IoT for the billions of devices already in the field without creating a large security risk? Within the Azure Sphere team, we have a term for those scenarios that is called “brownfield” deployments.  Josh Nash, our product planner, is guest blogging today to tell you more about brownfield IoT and how Azure Sphere can safely connect devices already deployed in the field.

Happy reading!

– Ed Nightingale

As a product planner, I have spent thousands of hours meeting with partners and customers to understand their needs to ensure that our product is not only secured, but also practical and useful. Our first focus is often on new devices, which are devices that have Azure Sphere deeply integrated into the product platform. We refer to these devices as “greenfield” scenarios. These scenarios shine as Azure Sphere’s value proposition resonates soundly, and the implementation is comparatively more straightforward due to the flexibility before a design is considered final. OEMs can focus on how to integrate Azure Sphere within a device’s internal design to meet power, performance, and functionality goals. Devices already in service without connectivity represent a “brownfield” opportunity to create meaningful, new connected experiences across a wide range of equipment. This blog post outlines the challenges of these brownfield devices and how Azure Sphere can help.

The problem

The act of connecting enterprise equipment represents an opportunity to enable markedly better outcomes by enabling scenarios and innovative business models for the enterprise such as preventive maintenance, just-in-time reporting, and even role-based access to equipment and data. But there are millions of devices in enterprises around the world that were either put into service before connectivity for non-IT devices was considered feasible or were intentionally not connected because they were deemed too mission critical to be subjected to the unsafe world of the Internet.

While connecting these unconnected devices creates positive outcomes and opportunities for the enterprise, in either case, there are risks associated with connecting these devices. Whether the devices predated connectivity or were deemed too important to connect, the outcome is the same – their lack of connectedness is their security model, a concept known as air-gap security.  However, as capabilities improve to solve optimization and other resourcing decisions with the cloud, the value of connectedness increases. At the same time, the risk of connecting air-gap devices is at least as high as before. Businesses need a mechanism to balance the equation, mitigating risk by infusing a new security model into the system design. As the value of connectedness increases, enterprises need a mechanism to securely connect these devices that are already in service.

Securing existing equipment and devices with a guardian module

Microsoft announced Azure Sphere at RSA last year to enable secure, connected, microcontroller- (MCU-) based devices. Azure Sphere unlocks IoT by establishing a foundation on which an enterprise can trust a device to run securely in any environment. Based on the Microsoft whitepaper, “The 7 Properties of Highly Secure Devices,” Azure Sphere delivers device security by combining hardware, operating system software, and cloud services that has been purpose-built for secure IoT applications. Azure Sphere is raising the bar for manufacturers and enterprises to enable secure connectivity in new devices by delivering the seven properties, but it can do more.

Azure Sphere can also deliver secured connectivity to established devices already in service. By utilizing existing ports on an unconnected device, Azure Sphere can be built into a “guardian module” that can be paired with existing equipment to enable secured connectivity that rebalances the opportunity versus risk debate in favor of device connectivity. The key to security in these scenarios is that Azure Sphere, not the device, communicates with the cloud. By separating the device from the network, a guardian module enabled by Azure Sphere can protect the equipment from attack, ensure data is only transmitted between trusted cloud and device communications partners, and ensure the software of the module and the equipment remains intact and secured.

With Azure Sphere in a guardian module, enterprises can enable a variety of secured operations between the device and the cloud. From a device health and security perspective, the device can utilize the Azure Sphere Security Service for certificate-based authentication, failure reporting, and over-the-air software updates. When a guardian module passes authentication, it receives a certificate signed by the Azure Sphere Security Service that can be used to identify the device as genuine in communicating with cloud services. These communications between the guardian module and the cloud could comprise of data coming off the device to signal events or inform decision-making, and they could also represent messages from the cloud to trigger activity from the device itself.

In both directions, applications running on Azure Sphere can be used to validate that messages are properly formed before they are passed to or from the brownfield device and Azure Sphere ensures that the guardian module can only communicate with trusted endpoints. The Azure Sphere Security Service can also be used as a distribution point for software updates not only to the Azure Sphere OS and guardian module manufacturer’s device software, but also for updates to the downstream, previously unconnected device’s software. In this situation, the enterprise can avoid costly truck rolls to update software on their equipment. With a guardian module enabled by Azure Sphere, these brownfield devices can reap most of the benefits of a device that integrated Azure Sphere into its design.

With an Azure Sphere-enabled device, enterprise customers can more confidently connect existing devices to the cloud and unlock scenarios related to preventive maintenance, optimizing utilization, and even role-based access control. When linking a multitude of devices together in the cloud, the possibilities are almost endless.

To start the discussion on how Azure Sphere can help your business, email us at nextinfo@microsoft.com.
Quelle: Azure

Azure.Source – Volume 72

Now in preview

Announcing Azure Spatial Anchors for collaborative, cross-platform mixed reality apps

Azure Spatial Anchors, a mixed reality service that enables you to build a new generation of mixed reality applications that are collaborative, cross-platform, and spatially aware, is now in public preview. Across industries, developers and businesses are using mixed reality in their daily workflows and giving us feedback on what they’d like to see next. When we look across all the mixed reality solutions that customers have built, two things stand out: they want to easily share their mixed reality experiences and place applications in the context of the real world. Learn about two application patterns gaining momentum across industries, and how Azure Spatial Anchors can help you deliver them with greater ease and speed.

Introducing Microsoft Azure Sentinel, intelligent security analytics for your entire enterprise

Microsoft Azure Sentinel is available in preview in the Azure portal. Security can be a never-ending saga—a chronicle of increasingly sophisticated attacks, volumes of alerts, and long resolution timeframes where today’s Security Information and Event Management (SIEM) products can’t keep pace. We’ve reimagined a new cloud-native SIEM tool called Microsoft Azure Sentinel to provide intelligent security analytics at cloud scale while making it easy to collect security data across your entire hybrid organization; from devices, to users, to apps, to servers on any cloud.

Announcing Azure Monitor AIOps Alerts with Dynamic Thresholds

Metric Alerts with Dynamic Thresholds is now available in public preview. Dynamic Thresholds significantly enhance Azure Monitor Metric Alerts so you no longer need to manually identify and set thresholds. The alert rule now leverages advanced machine learning (ML) capabilities to learn metrics' historical behavior while identifying patterns and anomalies that indicate possible service issues. Metric Alerts with Dynamic Threshold is currently available for free during the public preview.

Working with AZCopy 10 and Azure Storage Blob Access Tiers

AzCopy v10 is now available in public preview. Azure Blob Storage offers three different access tiers for saving money depending on storage requirements. Get high-performance, reliable data transfers that work with mixed access tiers inside an Azure storage account using the latest AzCopy, a console tool to help with uploading blobs to Azure Storage.

Announcing Azure Integration Service Environment for Logic Apps

Integrated Service Environment is now available in every region for which Logic Apps is currently available. In critical business scenarios, you need to have the confidence that your data is flowing between all the moving parts. The core Logic Apps offering is a multi-faceted service for integrating between data sources and services, but sometimes you also need to have a dedicated service to ensure that your integration processes are as performant as can be. That’s why we developed the Integration Service Environment (ISE), a fully isolated and dedicated environment for all enterprise-scale integration needs. Integration Service Environments are available in every region that Logic Apps is currently available in except for West Central US, Brazil South and Canada East.

Also available in preview

Public preview: Azure Log Analytics is available in new regions in Australia
Azure Container Registry firewall rules and Virtual Network (in preview)
Azure App Service – WildFly on Linux is in preview
Code-free data transformation at scale using Azure Data Factory
Data Migration Assistant support for Cassandra to Azure Cosmos DB assessment
Azure Maps events in Azure Event Grid
Azure SQL DB as reference data input
Machine learning-based anomaly detection functions in Azure Stream Analytics (preview)
Azure DevOps CLI preview and feature updates in Pipelines – Sprint 148 Update

Now generally available

 

Announcing the general availability of Java support in Azure Functions

Announcing the general availability of Java support in Azure Functions 2.0; enabling a wide range of options for you to build and run your Java apps in the 50+ regions offered by Azure around the world. Azure Functions provides a productive programming model based on triggers and bindings for accelerated development and serverless hosting of event-driven applications. It enables developers to build apps using the platform (Windows, Mac, or Linux), programming languages, and tools of their choice; with an end-to-end developer experience that spans from building and debugging locally, to deploying and monitoring in the cloud.

Announcing the general availability of Azure Lab Services

Announcing the general availability of Azure Lab Services – computer labs in the cloud. Provisioning and managing a lab’s underlying infrastructure makes preparing the right lab experience for your users difficult. With Azure Lab Services, you can easily set up and provide on-demand access to preconfigured virtual machines (VMs) to teach a class, train professionals, run hackathons or hands-on labs, and more. Azure Lab Services GA pricing goes into effect on May 1, 2019. Learn more about using Azure Lab Services in this post from the Premier Developer blog: Azure Lab services scheduling now Available.

Running Cognitive Services on Azure IoT Edge

Announcing support for running Azure Cognitive Services containers for Text Analytics and Language Understanding containers on edge devices with Azure IoT Edge so you can run workloads locally. Whether you don’t have a reliable internet connection, or want to save on bandwidth cost, have super low latency requirements, or are dealing with sensitive data that needs to be analyzed on-site, Azure IoT Edge with the Cognitive Services containers gives you consistency with the cloud. These container images are directly available to try as IoT Edge modules on the Azure Marketplace.

Also generally available

Azure Database for MySQL: Read replica now generally available
Virtual network service endpoints for Azure Database for MariaDB are now generally available
New features are now generally available in Event Grid

General availability: Azure Availability Zones in East US
General availability: Global VNet Peering in Azure Government regions

Events

MWC 2019: Azure IoT customers, partners accelerate innovation from cloud to edge

The Internet of Things (IoT) has expanded the world of computing far beyond mobile and PC, bringing a new and ever-growing class of cloud-connected devices that is on track to reach 20 billion devices by 2020. Announcing new IoT partnerships for global-scale IoT solutions with new devices and cloud services that further increase the strategic value of IoT.

Learn more in this post by Julia White, Corporate Vice President, Microsoft Azure on the Official Microsoft Blog: Microsoft at MWC Barcelona: Introducing Microsoft HoloLens 2.

News and updates

Instantly restore your Azure Virtual Machines using Azure Backup

Azure Backup Instant Restore capability for Azure Virtual Machines (VMs) is now available. If you use Azure Backup, Instant Restore helps you quickly recover VMs from the snapshots stored together with the disks. In addition, you get complete flexibility in configuring the retention range of snapshots at the backup policy level depending on the requirements and criticality of the virtual machines associated; giving users more granular control over their resources. We are enabling and rolling out this experience on a region-by-region basis.

Cognitive Services Speech SDK 1.3 – February update

Developers can now access the latest Cognitive Services Speech SDK which now supports: selection of the input microphone through the AudioConfig class, expanded support for Debian 9, Unity in C# (beta) on Windows x86 and x64 (desktop or Universal Windows Platform applications), and Android (ARM32/64, x86), and more. Read about all the updates made to the Cognitive Services Speech SDK made in February.

Improving the TypeScript support in Azure Functions

TypeScript is becoming increasingly popular in the JavaScript community. Announcing a set of tooling improvements for TypeScript support in Azure Functions so you can more easily develop with TypeScript when building your event-driven applications. With this set of changes to the Azure Functions Core Tools and the Azure Functions Extension for Visual Studio Code, Azure Functions now supports TypeScript out of the box. Included with these changes are a set of templates for TypeScript, type definitions, and npm scripts.

New device modeling experience in Azure IoT Central

Optimize your device workflow for easier management and clarity. Introducing a new “Device Templates” navigation tab that replaces the existing “Application Builder” tab, as well as updated patterns for viewing or editing device templates. We've begun a flighted rollout of a new the device modeling.

Azure Data Factory updates

Monitor Azure Data Factory pipelines by using Azure Monitor and Log Analytics

Azure Data Factory visual tools integrated with GitHub
Self-hosted IR sharing across multiple data factories
Parameterize connections to your data stores in Azure Data Factory
Linked Resource Manager template support available for CI/CD in your data factories
Azure Functions now supported as a step in Azure Data Factory pipelines
Create alerts to proactively monitor your data factory pipelines
Enhanced monitoring capabilities and tags/annotations in Azure Data Factory
Support for Enterprise Security Package–enabled HDInsight clusters in Azure Data Factory

Additional news and updates

FastTrack for Azure
Global VNet Peering now supports Standard Load Balancer
Database rename is now supported in Azure SQL Database Managed Instance
Remove Application Insights connections via PowerShell
Instantly provision GraphQL on Azure with Hasura and Azure Database for PostgreSQL
Azure Database for MySQL and PostgreSQL: New compute options are now available
Azure Policy non-compliance reasoning and change history features
Azure Blockchain: Updated Hyperledger Fabric template 1.3 now available
M-series virtual machines (VMs) are now available in the Korea South region
Azure Event Grid Availability in Azure US Gov regions

Technical content

Five tips for securing your IaaS workloads

Implementing IaaS security best practices is an essential step to securing your IaaS resources. Get specific recommendations for improving your IaaS security posture, focus on data protection, strengthen network security, and streamline security management including threat protection. Read the Azure Government Security documentation to understand features and variations for Azure Government.

Azure Stack laaS – part two

Every organization has a unique journey to the cloud, based on the organization’s history, business specifics, culture, and maybe most importantly, their starting point. Typically in your migration journey, you use a mixture of tools, so you need to understand the options available in order to select the right tool for the specific workloads. The Azure migration center provides a good model and helpful resources to get you started on your migration to the cloud and to make sure you can create the proper frame for your migration.

AZX.ms – A Collection of Azure CLI Recipes

Simplify your Azure development with a collection of Azure CLI scripts accessible right at your fingertips.

 

Latest enhancements now available for Cognitive Services' Computer Vision

With the latest enhancements to Cognitive Services’ Computer Vision service, you can extract insights, unlock new workflows, and easily customize and deploy your model without requiring machine-learning expertise.

Creating IoT applications with Azure Database for PostgreSQL

There are numerous IoT use cases in different industries with common categories like predictive maintenance, connected vehicles, anomaly detection, asset monitoring, and many others. Azure IoT is a complete stack of IoT solutions; a collection of Microsoft managed cloud services that connect, monitor, and control billions of IoT assets. See how to implement an end-to-end Azure IoT solution and use Azure Database for PostgreSQL to store IoT event data in the JSONB format.

3 Reasons To Add Deep Learning to Your Time-Series Toolkit

In this article, Francesca shares 3-5 lessons learned while building neural networks for time series (leading up to 2-day trainings at AI Conference NYC and Strata Data Conference in San Francisco). With clear explanations, standard Python libraries, readers discovers tips and tricks to develop deep learning models for their own time series forecasting projects.

Understanding routing in istio

This is the first in a series of blog posts that will go into depth on how to use popular OSS on top of Azure Kubernetes service.  In this post, Scott Coulton runs through how to install istio with Helm and how to deploy two versions of the same application and route traffic on weight (percentage). The post also contains all of the source code and a demo application so you can go and test the topic out for yourself.

How to Lock Azure Resources to Prevent Modification or Deletion

This article demonstrates how to configure Azure Resource Locking using Azure Role Based Access Control (RBAC) enables us to restrict access to resources and resource actions, which helps prevent inadvertent resource deletion and modification.

Running Micro Focus Enterprise Server 4.0 in a Docker Container in Azure

Running a Docker container in Micro Focus Enterprise Server 4.0 is new and provides portability, performance, agility, and isolation. See how to effectively run and manage a mainframe CICS application in a Docker Container using the Windows 2016 Datacenter and the Containers VM now available from the Azure Marketplace.

Exploring Feature Weights using R and Azure Machine Learning Studio

Suppose we have to design a black box that displays a “thumbs up” or “thumbs down” depending on hundreds of different combinations of inputs. This post describes how to conduct exploratory data analysis using R and Azure Machine Learning Studio to train a “black-box” model in a case when it is difficult to explain how the model characterizes the relationship between the features and the target variable.

Intro to Microsoft Azure Resource Manager Templates

Cloud Advocate, Jay Gordon gives you an introduction to Azure Resource Manager Templates and how to begin using them with Azure Cloud Shell. You'll see the number of options available to quickly create Azure resources.

Additional technical content

Introduction to DevOps for Dynamics 365 Customer Engagement using YAML Based Azure Pipelines
How to Lock Azure Resources to Prevent Modification or Deletion
Xamarin and Azure Office Hours Recap from December 2018 and January 2019
Azure Development Community – Same Great Blog… NEW HOME!
Lesson Learned #73: Azure Database for MySQL – CONVERT_TZ returns null

Azure shows

Episode 268 – ExpressRoute Roadmap | The Azure Podcast

Paresh Mundade, a Senior PM in the Azure ExpressRoute team, gives the guys an update on the service and a glimpse into the roadmap of planned features.

HTML5 audio not supported

Azure Cosmos DB update: SDKs, CORS, multi-region strong consistency, and more | Azure Friday

Learn about the new SDKs for Azure Cosmos DB with the JavaScript SDK used as an example as well as learn about CORS (Cross-Origin Resource Sharing) via a simple JavaScript app for demonstration. See a new, low-cost database offer in the Azure portal, watch an Azure DevOps build task setup, get some cost saving tips, and learn about support for multi-region strong consistency.

An intro to Azure Cosmos DB .NET SDK 3.0 | Azure Friday

Learn about the new improvements for Azure Cosmos DB SDKs, including the new, idiomatic .NET SDK with a friendlier, more intuitive programming model, better testability, better performance, .NET Standard 2.0 support. Plus, it is now open sourced.

Azure Maps – The Microsoft Azure Enterprise Location Platform | Internet of Things Show

Azure Maps is the de facto location intelligence platform natively hosted in the Microsoft Azure cloud. Chris Pendleton, PM Lead for the service, gives us an overview of what Azure Maps is, who uses Azure Maps, how Azure Maps is being used across our customer base, and how you can start using Azure Maps today.

How to get started with Azure Front Door | Azure Tips and Tricks

learn how to get started with Azure Front Door. Azure Front Door easily makes your applications globally available and secure.

How to create, share, and use Azure Portal dashboards | Azure Portal Series

In this video of the Azure Portal "How To" series, learn how to easily create, share, and use dashboards in the Azure Portal. Learn more about the series: Introducing the Azure portal “how to” video series

What is Identity Protection? | Azure Active Directory

In this video, get a high-level overview of Identity Protection, a feature of Azure Active Directory. You’ll learn about different types of detections, risks and risk policies that exist in Identity Protection. It explains the benefits of the risk policies, recent UX enhancements, powerful APIs, improved risk assessment and overall alignment along risky users and risky sign-ins. In addition, this series also videos on How to deploy Identity Protection & How to use Identity Protection.

Martin Woodward on Azure DevOps With GitHub – Episode 25 | Azure DevOps Podcast

In this episode, Martin Woodward and Jeffrey Palermo dive right into the topic of Azure DevOps with GitHub; discussing some of the changes since Microsoft acquired GitHub, whether you should choose to work with Azure Repos or GitHub, and how to use Azure DevOps Services with GitHub.

HTML5 audio not supported

Customers, partners, and industries

Microsoft and SAP extend partnership to Internet of Things

The Internet of Things (IoT) is becoming mainstream as companies see market-making benefits from IoT and deploying at scale – from transforming operations and logistics, remote monitoring, and predictive maintenance at the edge, to new consumer experiences powered by connected devices. In all of these solutions, IoT data and AI are producing powerful insights that lead to new opportunities. Microsoft and SAP have announced an expansion of their partnership to include physical devices and assets with a new collaboration in the IoT space. SAP Leonardo IoT will integrate with Azure IoT services, providing customers with the ability to contextualize and enrich their IoT data with SAP business data and to seamlessly extend their SAP solution-based business processes to the Azure IoT Edge platform.

Azure Marketplace new offers – Volume 32

The Azure Marketplace is the premier destination for all your software needs – certified and optimized to run on Azure. Find, try, purchase, and provision applications & services from hundreds of leading software providers. You can also connect with Gold and Silver Microsoft Cloud Competency partners to help your adoption of Azure. In the second half of January we published 70 new offers.

Azure This Week – 1 March 2019 | A Cloud Guru – Azure This Week

This time on Azure This Week, Lars talks with JT from Microsoft about the brand new HoloLens 2 and how it will be cloud connected, Azure DevOps Projects Kubernetes support gets new features, and you can now protect Azure VMs by using Storage Spaces Direct with Azure Site Recovery.

Quelle: Azure