Microsoft’s open approach to networking

At Microsoft, we’re focused on enabling our customers by supporting all the technologies they depend on, and collaborating across organizational and industrial boundaries to bring the best possible experience to the cloud. Microsoft embraces open source and partner ecosystems to scale our own development efforts and accelerate innovation. Products that include Visual Studio Code, .NET, and ASP.NET are being publicly developed on GitHub with contributions from both Microsoft and non-Microsoft developers. These products are targeting Windows, Mac, and Linux. Microsoft is a contributing member of open source communities, including the Apache Software Foundation, Linux Foundation, R Consortium, and Node.js Foundation.

For the Azure cloud platform, we serve customers on a vast worldwide scale, and they bring a wide range of technology needs with them. We must provide solutions with the unique flexibility to operate seamlessly across on-premises, hybrid, and cloud infrastructure, in an operating system–agnostic environment. Today, Linux virtual machines (VMs) comprise over 33 percent of all VMs running in Azure. Many partners in the Azure Marketplace run their workloads in Linux. Our HDInsight MapReduce service is built on Apache Hadoop and supports Spark, Hive, Apache Kafka, and Apache Storm. Meanwhile, the Azure Container Service (ACS) adopts open source container technologies like Docker, Apache Mesos, and Kubernetes to run both Linux and Windows containers. By doing this, ACS provides container orchestration that’s completely portable, while also being optimized for Azure.

In this blog, I will talk about how Azure network services is extending this commitment to open technologies in containers, switching, and partner ecosystems.

Open source software in Azure Network Services

Azure network services actively look for opportunities to contribute to existing open source projects, as well as to open source Azure Networking services themselves. Considering the importance of networking to fully realize the potential of containers, we just announced Microsoft Azure VNet for Containers.

Azure VNet for Containers

Azure VNet for Containers provides the best networking experience for containers that are running in Azure. It's an open source project on GitHub that links together open source container orchestrator engines and the Azure network services platform. The code, written in the Go programming language, works for both Linux and Windows. We're eager to collaborate with developers across the world to improve and advance its capabilities.

Azure VNet for Containers connects the container to your Azure Virtual Network (VNet), thereby making the rich Azure SDN stack available to containers and enabling direct connectivity between containers, VMs, and other resources in the VNet. Azure networking features such as Network Security Groups, route tables, load balancing, on-premises connectivity, etc. are now available to containers. The solution can be plugged into the Azure Container Service for single-click use or deployed manually in individual virtual machines.

The Azure VNet for Containers is composed of a network plug-in that provides the network interface for the containers and an IPAM (IP address management) plug-in that manages the IP addresses from the VNet. There are currently two popular plug-in models for containers: the Container Network Interface (CNI) model, adopted by Kubernetes, Apache Mesos, and others, and the Container Network Model (CNM) model, used by Docker and others. The Azure container network plug-in is implemented for both models. This is also designed to be integrated directly into the open source acs-engine.

Figure 1. Azure network services support for containers

With the availability of this plug-in, the power and features of Azure network services are natively available to all the major container platforms in an open and portable fashion.

SONiC

Software for Open Networking in the Cloud (SONiC) and Switch Abstraction Interface (SAI) are two contributions that we made to the Open Compute Project (OCP), which focuses on open source datacenter technologies. Like Azure VNet for Containers, SONiC also uses containerization for fast evolution.

SONiC source code, test cases, test bed setup, and builds are fully available on GitHub. SONiC consists of core services developed by Microsoft and the community. It builds on existing open source technologies such as Docker for containers, Redis for key-value database, protocols like Quagga BGP and LLDPD, and Ansible for deployment. We used the best work in the industry to build SONiC. It evolves quickly because we’re building it with existing open source projects. We contributed SONiC back to the community to propel the advance of open networking software in a wonderful, virtuous cycle.

Figure 2. SONiC is open sourced and is built on open source technologies

SAI provides a simple, consistent, and scalable interface across different ASIC chips. With the support from major silicon vendors, the SAI community grew to 77 contributors from 9 companies. Community members actively engage in weekly discussions and workshops. In two years, we had seven releases. Six switch networking stacks (network operating systems), including SONiC, OS10, OPX, FlexSwitch and others, are built on top of SAI, which is starting to become the ASIC API standard.

Learn more by viewing our OCP Summit 2017 talks about SONiC and SAI. You also can learn more about our SAI and SONiC innovations in an earlier blog in this series, SONiC: The networking switch software that powers the Microsoft Global Cloud.

Rich partner ecosystem

Network virtual appliances (NVAs) in Azure support network functionality and services in the form of VMs. NVAs include web application firewall (WAF), firewalls, gateways/routers, application delivery controllers, IDS/IPS, WAN optimizers, SD-WAN solutions, and other network functions. Customers can deploy these NVAs through the Azure Marketplace into their VNets and deployments. Examples of open sourced NVAs include NGINX and pfSense. Over 90 percent of NVAs are based on Linux or FreeBSD.

We also use open source technologies in our own NVAs. We just announced the general availability of Azure Application Gateway WAF to protect applications from the most common web vulnerabilities, as identified by the Open Web Application Security Project (OWASP) Top 10. Application Gateway WAF uses the OWASP ModSecurity Core Rule Set. These rules, managed and maintained by the open source community, conform to rigorous standards.

Optics

Typically, you don’t think of optical technologies in the context of openness. However, we’ve also innovated at the optical network layer. Microsoft has incorporated new optical technologies into the Azure network. Findings from ACG Research show that the Microsoft metro network solution will result in over 65 percent reduction in total cost of ownership and power savings of over 70 percent over five years. We’ve worked with several of our partners to make available to everyone the building blocks of the Microsoft implementation of open optical systems. Microsoft is working with our partners to bring even more integration, miniaturization, and power savings into future 400 Gbps interconnects that will power our network and benefit the entire industry.

Academic publications

Many of the underlying technical innovations in Azure Networking have their roots in Microsoft Research. We published in top peer-reviewed academic forums the internal designs and algorithms of the Azure Networking SDN stack (SIGCOMM 2015), programmable virtual switching (NSDI 2017), software load balancing (SIGCOMM 2013), network virtualization (SIGCOMM 2009), and innovative diagnostics and monitoring mechanisms. Our Azure networking services team has a deep passion for tackling the hardest networking scale problems in the world. We will continue to share our innovations in academic papers to receive critical feedback about our ideas, as well as to help the network community further advance, which in turn pushes us to be better.

Summary

Over the past few years, Microsoft has embraced, and is fully committed to, open source. Our motivation is simple. We want the best technologies in the world to be available and performant in Azure. We cherish opportunities to contribute to the open source community and to incorporate the communities’ advancements into our services. Considering the scale of the issues that we face daily running one of the world’s largest networks, we are very passionate about advancing state-of-the-art networking. By sharing code via open source projects and ideas via academic forums, we accelerate innovation. We’re a different Microsoft from years past. The cloud and open source are changing the world. This is an exciting time for all of us in networking as we all strive to help customers adapt and take full advantage of the cloud.

Read more

To read more posts from this series please visit:

Networking innovations that drive the cloud disruption
SONiC: The networking switch software that powers the Microsoft Global Cloud
How Microsoft builds its fast and reliable global network
Lighting up network innovation
Azure Network Security

Source: Azure

Price reductions on L Series and announcing next generation Hyper-threaded virtual machines

For Microsoft Azure, we have a long standing promise of making our prices comparable with AWS on commodity services such as compute, storage, and bandwidth. In keeping with this commitment, we are happy to announce price reductions of up to 69% on our storage-optimized virtual machines, L Series. We are also excited to share more about our next generation of Hyper-Threaded virtual machines for general purpose and memory optimized workloads that are up to 28% lower in prices than the current generation.

Price reductions on L Series

We are reducing prices by 60% to 69% on our newly-launched L Series virtual machines, effective April 1st to match recent price changes from AWS. These VMs are storage optimized sizes, best suited for low latency workloads such as NoSQL databases including Cassandra and MongoDB. L Series offers virtual machines from 4 to 32 vCPUs, based on the Intel® Xeon® processor E5 v3 family, with 32 to 256 GiB memory and from 678 GB to 5.6 TB of SSD disk.

New Hyper-Threaded VMs and Dv2 limited time promotion

In the next few months, Microsoft will be introducing a new generation of Hyper-Threading Technology virtual machines for general purpose workloads, Dv3, and a new family for memory optimized workloads, Ev3. This shift from physical cores to virtual cores is a key architectural change in our VMs that enables us to unlock the full potential of the latest processors. This new generation will introduce sizes with 64 vCPUs on Intel® Broadwell E5-2673 v4 2.3 processor and with 432 GiB of memory on the largest Ev3 sizes. By unlocking more power from the underlying hardware, we are able to harness better performance and efficiency, resulting in cost savings that we are passing on to our customers.

As our new Hyper-Threaded VMs become generally available in the coming months, we would like to give our customers the opportunity to take advantage of these savings early. These new Hyper-Threaded VMs will be priced up to 28% lower than Dv2 Series VMs, matching the comparable AWS instance prices. Starting today, you can provision a Dv2 Promo VM on our current generation hardware at the lower Dv3 and Ev3 VM prices, allowing you to take advantage of these cost savings now.

This promotion will be available until the launch of the Dv3 and Ev3 VMs later this year. We encourage you to deploy the Dv2 Promo VMs using Azure Resource Manager to simplify migration to the new VMs in the future.

Source: Azure

Upcoming changes to the Microsoft Access Control Service

What is the Access Control Service?

The Microsoft Azure Access Control Service (or ACS) is a cloud-based service that provides a way of authenticating and authorizing users to gain access to web applications and services.

Changes to How Access Control Service Namespaces are Created

New ACS namespace creation will be restricted starting June 30th, 2017. If you need to create an ACS namespace beyond this date, you will need to call Azure customer support.

Azure Active Directory (Azure AD) and Azure AD B2C

ACS functionality is fully supported for existing namespaces. However, the future of ACS is Azure Active Directory. We are committed to improving and updating Azure Active Directory to natively support many of the scenarios enabled by ACS. We encourage you to explore the offerings that Azure AD B2C can provide today.

Contact Us

If you have questions or feedback about these changes or ACS in general, please do not hesitate to contact us at acsfeedback@microsoft.com.

Source: Azure

Scalable Telemetry Based Multiclass Predictive Maintenance Model

I recently presented Building a Scalable Telemetry Based Multiclass Predictive Maintenance Model in R at the ICDSE conference. This conference was interdisciplinary; the attendees were primarily from academia and shared their scholarly research and innovation. Due to the nature of the conference, the focus was on the methodology used to solve their domain-specific problem rather than the tooling needed to solve a large-scale problem.

My talk at the conference was focused on outlining how a user or an organization would build a Scalable Telemetry based Predictive Maintenance Model. To set the context, I described how we routinely come across IoT devices with sensors embedded all around us, which collect a lot of telemetry data over time. Then the natural next question was on how this data can be used to address business questions like, "When is my device going to fail?" Some tips on how the raw sensor data can be enhanced with additional machine related data and how to formulate and build a reasonable ML model were briefly discussed during the talk.

Finally, typical scenarios for an on-premises and a cloud-based solution were outlined, with a focus on SQL Server R Services and Azure Machine Learning Studio, as well as Jupyter notebooks, as example tools to develop and operationalize these models. To accompany my oral presentation, I wrote a short paper which describes the methodology in more detail. The audience was intrigued with the solution and hoped to use a similar technique for the healthcare domain.

Source: Azure

Azure making IoT compliance easy

I am excited to announce the release of a whitepaper which emphasizes Microsoft's leadership in customer advocacy, privacy protection, and unique data residency commitments. Moreover, the heart of this whitepaper is compliance in relation to the Internet of Things (IoT), an exploding industry and ever-present technology in our society.

At Microsoft, developing secure software is part of our DNA, rooted in decades of experience in developing secure software. This new whitepaper brings that experience to bear on how to think of an IoT solution. Compliance and privacy officers can download this paper (Microsoft Azure and Data Compliance in the context of the Internet of Things (IoT)) for guidance on how to use the capabilities built into the Azure IoT platform to achieve their governance goals. The paper describes how Microsoft addresses key security, privacy, and compliance principles in Azure, breaks down Azure’s IoT features, and provides recommendations for how customers can achieve a high level of security and data compliance in their IoT environment.

Microsoft’s IoT offering (a.k.a. Azure IoT Suite) is an enterprise-grade set of services that enable customers to build and deploy an IoT solution quickly.  Advanced topics include data residency, encryption, and auditing.

Producing high quality guidance like this is part of our drive to ensure we are providing the best cloud technology for customers, while ensuring that it’s easy to use by both technologists and business stakeholders alike. 

You can find this Azure whitepaper as well as other useful guidance on the Microsoft Trust Center.

Source: Azure

Announcing the general availability of Azure Monitor

Today we are excited to announce the general availability of Azure Monitor, Microsoft’s built-in platform monitoring service for Azure.

As you create your workloads in Azure, the essential monitoring capabilities are available without any need for manual configuration or purchase of additional tools, enabling a seamless movement to the cloud. Azure Monitor provides you all the vital monitoring telemetry, including platform- and service-level metrics and logs, gives you the ability to configure alerts to take intelligent actions on that data, and empowers you to unlock deeper insights and analytics on top of the telemetry through seamless integration with your preferred advanced monitoring solutions. Azure Monitor comes with REST APIs, Resource Manager templates, PowerShell cmdlets and Azure CLI support, enabling flexibility in how you consume and configure monitoring capabilities.

We are excited to see the growth and adoption of Azure Monitor among customers and partners alike since preview. We want to take a moment to acknowledge your continued support and feedback and share stories about how our customers and partners are responding to the service.

Built-in support for alerts and notifications

New Zealand based Theta Systems Ltd is a premier consulting service that provides Azure-based solutions to many of their clients. The DevOps team at Theta uses Azure Monitor as their first line of defense for everything related to monitoring.

“At Theta, we have a customer in the utilities sector with an implementation of multiple Logic Apps in production for which we provide 24/7 support. Azure Monitor is a crucial part of our support strategy and gives us all the necessary features to stay on top of issues,” said Wagner Silveira, Principal Integration Architect at Theta. “Using Azure dashboards we have a good overview of the status of the integration environment – we track successful runs and failed runs, in the last 3 hours, for each one of the logic apps in the solution. Our service desk has a one stop shop to see the current health of the system and drill down to specific information when and where required. We use email alerts to get notified of issues before the client notices it, allowing us to be proactive in our support of the solution. Understanding the patterns of alert triggers via Activity Logs helps us proactively identify, prioritize and fix issues, avoiding future errors.”

Wagner continued, “Having many such built-in features in Azure was a very positive aspect for both the client and our support team. It is definitely a feature loved by them. Although no one wants to see errors in their solution, it is reassuring that when it happens, we have the tools to help us to act swiftly on it.”

Theta Systems seeks to maintain highly available services on the Azure cloud, which requires them to get immediate notification of any incident whether the source is poor performance of an individual resource, a change to an Azure subscription, or even a service health incident from Azure.

New Activity Log alerts with SMS, webhook and email notifications

While our existing metric-based alerts have allowed you to become aware of issues in your infrastructure and take automated action using email and webhooks, many of you wanted to create alerts on Activity Log events to do the same for events such as VM reboot, deployment failure, or user permission change. Today we are excited to announce two new features, also now generally available, that help you with just that: Reusable “Action Groups” for managing lists of alert “receivers” and Activity Log Alerts. These flexible new tools enable a wide range of options for alerting, including the ability to have your operations team receive an SMS when events such as an Azure service health incident, a deployment failure, or an autoscale event occur. To learn more about these new features, please visit our documentation.
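The Activity Log alert model described above, reduced to its essentials as an added example (this is not Microsoft's code and not part of the original post): an alert has a scope, an "all of" list of field/value clauses, and one or more action groups whose receivers are notified. The events, rules, action groups, subscription id and receiver targets below are all constructed for illustration; the field names (category, operationName, status, level, caller, resourceId) follow the Activity Log event schema.

```python
"""Evaluate Azure Activity Log alert rules against sample Activity Log events.

Added example (not Microsoft code): it mirrors the shape of an Activity Log
alert resource (a scope, an 'allOf' list of field/equals clauses, and action
groups whose receivers get notified). All events, rules and receivers below
are constructed for illustration.
"""
from dataclasses import dataclass

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # constructed id
PROD_RG = SUB + "/resourceGroups/prod-rg"
DEV_RG = SUB + "/resourceGroups/dev-rg"

# Constructed sample events using a subset of the Activity Log schema fields.
SAMPLE_EVENTS = [
    {"category": "Administrative", "status": "Succeeded", "level": "Informational",
     "operationName": "Microsoft.Compute/virtualMachines/restart/action",
     "caller": "ops@contoso.example",
     "resourceId": PROD_RG + "/providers/Microsoft.Compute/virtualMachines/web01"},
    {"category": "Administrative", "status": "Failed", "level": "Error",
     "operationName": "Microsoft.Resources/deployments/write",
     "caller": "ci@contoso.example",
     "resourceId": PROD_RG + "/providers/Microsoft.Resources/deployments/release-42"},
    {"category": "Administrative", "status": "Succeeded", "level": "Informational",
     "operationName": "Microsoft.Authorization/roleAssignments/write",
     "caller": "admin@contoso.example",
     "resourceId": PROD_RG + "/providers/Microsoft.Authorization/roleAssignments/ra-1"},
    {"category": "ServiceHealth", "status": "Active", "level": "Warning",
     "operationName": "Microsoft.ServiceHealth/incident/action",
     "caller": "Microsoft", "resourceId": SUB},
    {"category": "Administrative", "status": "Succeeded", "level": "Informational",
     "operationName": "Microsoft.Compute/virtualMachines/restart/action",
     "caller": "dev@contoso.example",
     "resourceId": DEV_RG + "/providers/Microsoft.Compute/virtualMachines/test01"},
]


@dataclass
class ActionGroup:
    name: str
    receivers: list          # (type, target) pairs: sms, email, webhook


@dataclass
class ActivityLogAlert:
    name: str
    scope: str               # subscription or resource-group resource id
    all_of: dict             # field -> value; every clause must match
    action_groups: list      # ActionGroup names to notify
    enabled: bool = True


ACTION_GROUPS = {
    "ops-sms": ActionGroup("ops-sms", [("sms", "+15550100")]),
    "ops-email": ActionGroup("ops-email", [("email", "oncall@contoso.example")]),
    "secops-webhook": ActionGroup("secops-webhook",
                                  [("webhook", "https://hooks.contoso.example/activity")]),
}

RULES = [
    ActivityLogAlert("vm-restart-prod", PROD_RG,
                     {"category": "Administrative",
                      "operationName": "Microsoft.Compute/virtualMachines/restart/action"},
                     ["ops-sms"]),
    ActivityLogAlert("deployment-failed", SUB,
                     {"category": "Administrative", "status": "Failed",
                      "operationName": "Microsoft.Resources/deployments/write"},
                     ["ops-email"]),
    ActivityLogAlert("role-assignment-change", SUB,
                     {"category": "Administrative",
                      "operationName": "Microsoft.Authorization/roleAssignments/write"},
                     ["secops-webhook", "ops-email"]),
    ActivityLogAlert("service-health", SUB, {"category": "ServiceHealth"}, ["ops-sms"]),
]


def in_scope(scope: str, resource_id: str) -> bool:
    """An event is in scope when its resource id is the scope or lies beneath it.
    Azure resource ids are case-insensitive, so compare case-folded."""
    scope, resource_id = scope.lower().rstrip("/"), resource_id.lower()
    return resource_id == scope or resource_id.startswith(scope + "/")


def matches(rule: ActivityLogAlert, event: dict) -> bool:
    """True when the rule is enabled, the event is in scope and all clauses match."""
    if not rule.enabled or not in_scope(rule.scope, event["resourceId"]):
        return False
    return all(event.get(field) == value for field, value in rule.all_of.items())


def evaluate(rules, action_groups, events):
    """Return one notification per (rule, event, receiver) that fires."""
    fired = []
    for idx, event in enumerate(events):
        for rule in rules:
            if not matches(rule, event):
                continue
            for group_name in rule.action_groups:
                for kind, target in action_groups[group_name].receivers:
                    fired.append({"rule": rule.name, "event": idx,
                                  "via": kind, "to": target})
    return fired


if __name__ == "__main__":
    for n in evaluate(RULES, ACTION_GROUPS, SAMPLE_EVENTS):
        print(f"{n['rule']:24} event #{n['event']} -> {n['via']} {n['to']}")
```

Running it shows the three event types the post names (a VM restart, a failed deployment, a role-assignment change) and a service health incident each reaching their receivers, while the restart in dev-rg stays silent because the restart rule is scoped to prod-rg. Scoping a rule to the resource group, rather than the whole subscription, is what keeps the SMS channel free of noise from non-production churn.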


Fig 1. A pre-populated view of an Activity Log alert with Action Group and Action Types.

Unlocking deeper insights and integrated end-to-end monitoring

Rackspace’s Microsoft Cloud team provides Fanatical Support for Azure, delivering expert-level monitoring and management support for their customers’ workloads on Azure. The support team at Rackspace leverages resource- and platform-level telemetry from Azure Monitor in conjunction with rich operational insights from Azure Log Analytics, available as part of Microsoft Operations Management Suite, to perform end-to-end monitoring and troubleshooting for their customers.

“To have a holistic view of your environment, you need to have insights into many things including: the health of the cloud platform, IaaS VM telemetry, application logs, as well as PaaS metrics. At Rackspace we have harnessed the power of Azure Log Analytics to provide a leading Azure support experience for our customers”, quoted Dugan Sheehan – Principal Product Architect – Azure Cloud, Rackspace. “Azure Log Analytics and Azure Monitor offer very strong capabilities out of the box, and the extensible nature of these services allowed us to very quickly develop our production monitoring offering. Through automation (using ARM Template) we can fully onboard a new customer environment in a matter of minutes. Our standard workspace deployment includes things such as Windows/Linux performance counters and events, Azure Activity Logs, Azure PaaS metrics and logs among other telemetry data from applications. Now, let’s say that you receive an availability alert for your web site, and you want to perform root cause analysis. Upon logging into Azure Portal you could instantly check a number of things related to your application: Query Activity log for platform-level events or errors in App Services, query the metrics for performance and health of the web site or search for errors from components in the application.”

Dugan added, “It would take a monumental amount of time, money and effort to recreate the comprehensive services provided by Azure Log Analytics and Azure Monitor. Leveraging these services allows Rackspace the time to focus on other unique and leading customer centric support features and drive significant value to our customers.”

As you continue to grow your footprint in Azure, you need scalable monitoring solutions to gain deep insights and take intelligent actions promptly. With platform-level telemetry from Azure Monitor, application-level telemetry from Application Insights and the ability to seamlessly analyze, search and alert across all that data in Azure Log Analytics, customers can unlock a holistic end-to-end monitoring and management experience all within the Azure portal.

A growing ecosystem

Azure Monitor also goes beyond completing Microsoft’s holistic monitoring experience to provide simple and powerful integration points for a growing number of partner tools. Azure customers use a variety of services to meet their individual needs, and we work closely with many of them to enable high-quality experience for Azure in their solutions.

Datadog Inc is one such partner offering a single pane of glass for monitoring infrastructure and has been continuously boosting their Azure integration & support using Azure Monitor.

"The Azure Monitor API allows our customers to gain insights across the various Azure services they are running. Once their Azure telemetry arrives in Datadog, customers take advantage of interactive dashboards, alerts, collaborative troubleshooting and integrated application monitoring experiences among other capabilities," said Amit Agarwal, Chief Product Officer at Datadog. "We've seen the tremendous adoption of the Azure platform amongst our enterprise customers over the past year."

Our full list of partners integrating with Azure Monitor today is available here. We’re committed to building an open ecosystem of partners to deliver the best monitoring experiences for Azure customers, so we invite you to give us feedback on the tools most important to have integrated with Azure Monitor using this brief survey.

Wrapping up

We are excited to see the tremendous adoption of Azure Monitor. In the coming months, you will see additional services emitting data through Azure Monitor. Based on your feedback, many service teams are considering enriching their telemetry by adding more metrics and logs. You can also expect to see richer alerting, auto scaling and log routing experiences become available.

Before we sign off, here is a quick overview of Azure Monitor.

To learn more, please refer to Azure Monitor overview and continue to voice your feedback.

Source: Azure

Announcing Azure Advisor, Monitor, and resource health general availability

We are excited to announce that Azure Advisor, Monitor, and resource health are generally available to you today, providing you with robust monitoring & alerting capabilities, and customized recommendations based on best practices. Your feedback during the preview release helped us prioritize the right set of capabilities that are now generally available.

We have been using these services internally for quite some time to run and monitor Azure at scale, and starting today, you can leverage them to monitor, receive alerts and notifications when your Azure resources aren’t performing according to your plan. Furthermore, they provide recommendations when resources can be optimized. All this can be done via the Azure portal and/or programmatically via APIs.

If you are running your virtual machines on Azure or using other Azure services, you can benefit from these capabilities today. You can, for example, access a wide range of metrics for your VMs with Azure Monitor, create alerts and get deeper insights with Log Analytics. If your VMs are underutilized, Azure Advisor will provide recommendations that can save you money. Let’s take a look at each of these in more detail.

Azure Advisor provides personalized recommendations, and guides you through the best practices to optimize your Azure resources. By analyzing your resource configuration and usage, Azure Advisor provides guidance that helps you to improve the availability, security, performance, and cost effectiveness of your Azure resources.

Visit the Advisor webpage and if you’re already an Azure customer take a look at your Advisor recommendations right now.

Azure Monitor is the built-in platform monitoring service that provides a single pipeline for monitoring and diagnostics data across all Azure resource types, enabling you to easily monitor, diagnose, alert, and notify of problems in your cloud infrastructure. It provides platform metrics with one minute granularity by default. Azure Monitor now includes improved alerting and notifications such as SMS, email, and webhook. While Azure Monitor provides platform-level telemetry, you can gain deeper visibility into application telemetry and operational insights from Azure Application Insights and Azure Log Analytics respectively. Collectively these services help you unlock a comprehensive monitoring and management experience across your platform, apps, and workloads, all within the Azure portal.

To learn more about Azure Monitor, read the blog post and visit the Azure Monitor webpage.

Azure resource health helps you diagnose and get support when an Azure issue impacts your resources. It informs you about the current and past health status of your resources and helps you mitigate issues. Resource health provides technical support when you need help with Azure service issues.

To learn more about resource health, explore the documentation and if you’re an existing Azure customer review resource health page in your Azure portal.

All of these new capabilities are available today without needing to install any additional agents or configuration. 

As mentioned, many customers are already experiencing the combined power of these Azure services going into general availability today. For instance, “Azure Log Analytics and Azure Monitor offer very strong capabilities out of the box, and the extensible nature of these services allowed us to very quickly develop our production monitoring offering,” says Dugan Sheehan, Principal Product Architect – Azure Cloud at Rackspace. “Leveraging these services allows Rackspace the time to focus on other unique and leading customer centric support features and drive significant value to our customers”.

We're proud to launch these new capabilities and it's great to hear the feedback and excitement from you too. Log in to the Azure portal now and let us know how you like it.

Source: Azure

Syscoin joins the Azure Ecosystem

I’m excited to announce that Syscoin and its parent company, Blockchain Foundry, have recently launched three blockchain products which are now LIVE on Azure.

Developers can now deploy:

A full Syscoin node through Azure.
Stand up and configure customized exchange rates for use in Syscoin’s distributed marketplace via Syscoin’s Price Peg Server.
Access Syscoin’s entire suite of blockchain-based services and smart contracts via the Syscoin API.

Through Syscoin’s API product, developers can create blockchain-enabled applications using Syscoin’s suite of decentralized business services, including digital certificates, secure messaging, marketplace offers, payments and escrow transactions. 

Syscoin and Blockchain Foundry are important partners on Azure. We are proud to welcome them to the platform and we look forward to an ongoing partnership with the team.  

Syscoin’s suite of blockchain products can be deployed here: Syscoin Product Suite.

Source: Azure

Azure Network Security

In Azure, security is built in at every step—design, code development, monitoring, operations, threat intelligence, and response. We understand that the breadth and scale of the cloud demands a deep commitment to security technology and processes that few individual organizations can provide. Decades of building enterprise software and running the world’s largest online services such as Microsoft Azure, Bing, Dynamics 365, Office 365, OneDrive, and Xbox Live have formed Microsoft’s unique perspective on security. Using threat intelligence developed from trillions of signals and billions of sources, Microsoft annually invests more than $1 billion into our security capabilities to provide a comprehensive approach called Microsoft Secure. For more information, see the Microsoft Secure blog.

We’ve applied our vast operational experience to create a secure platform and provide services to help build secure applications. The Microsoft promise is that you can use Azure to secure your applications, data, and identities. We back this promise with a broad set of Azure compliance certifications, making us the leader among cloud service providers. You can learn more about compliance and privacy at the Microsoft Trust Center.

In this blog, I will focus on security from a network perspective and describe how you can use Azure network capabilities to build highly secure cloud services. Four distinct areas highlight how we provide a secure network to customers:

The foundation is Azure Virtual Network to provide a secure network fabric that provides an isolation boundary for customer networks.
Virtual Network configuration and policies protect cloud applications.
Active monitoring systems and tools provide security validation.
An underlying physical network infrastructure with built-in advanced security hardening protects the entire global network. 

Isolating customer networks in single shared physical network

To support the tremendous growth of our cloud services and maintain a great networking experience, Microsoft owns and operates one of the largest dark fiber backbones in the world—it connects our datacenters and customers. In Azure, we run logical overlay networks on top of the shared physical network to provide isolated private networks for customers.

Figure 2. Isolated customer virtual networks run on the same physical network

The overlay networks are implemented by Azure’s software defined networking (SDN) stack. Each overlay network is specifically created on demand for a customer via an API invocation. All configuration for building such networks is performed in software—this is why Azure can scale up to create thousands of overlay networks in seconds. Each overlay network is its own Layer 3 routing domain that comprises the customer’s Virtual Network (VNet).

Azure Virtual Network

Azure Virtual Network is a secure, logical network that provides network isolation and security controls that you can treat like your on-premises network. Each customer builds their own structure: they define subnets from their own private IP address range and configure route tables, network security groups, access control lists (ACLs), gateways, and virtual appliances to run their workloads in the cloud.

Figure 3 shows an example of two customer virtual networks. Customer 1’s VNet has connectivity to an on-premises corporate network, while Customer 2’s VNet can be accessed only via Remote Desktop Protocol (RDP). Network traffic from the Internet to virtual machines (VMs) goes through the Azure load balancer and then to the Windows Server host that’s running the VM. Host and guest firewalls implement network port blocking and ACL rules.

Figure 3. Customer isolation provided by Azure Virtual Network

The VMs deployed into the VNet can communicate with one another using private IP addresses. You control the IP address blocks, DNS settings, security policies, and routing tables. Benefits include:

Isolation: VNets can be isolated from one another, so you can create separate networks for development, testing, and production. You can also allow your VNets to communicate with each other.
Security: By using network security groups, you can control the traffic entering and exiting the subnets and VMs.
Connectivity: All resources within the VNet are connected. You can use VNet peering to connect with other Virtual Networks in the same region. You can use virtual private network (VPN) gateways to enable IPsec connectivity to VNets via the Internet from on-premises sites and to VNets in other regions. ExpressRoute provides private network connectivity to VNets that bypasses the Internet.
High availability: Load balancing is a key part of delivering high availability and network performance to customer applications. All traffic to a VM goes through the Azure Load Balancer.

Securing your applications

A December 2016 survey of security professionals showed that their biggest year-over-year drop in confidence was in “the security of web applications, [which was] down 18 points from 80 percent to 62 percent.” Microsoft addresses potential vulnerabilities by building security into our applications and providing features and services to help customers enhance the security of their cloud-hosted applications from the development phase all the way to controlling access to the service.

Azure has a rich set of networking mechanisms that customers can use to secure their applications. Here are some examples.

Network ACLs can be configured to restrict access on public endpoint IP addresses. ACLs on the endpoint further restrict the traffic to only specific source IP addresses.

Network Security Groups (NSGs) control network access to VMs in your VNet. This collection of network ACLs allows a full five-tuple (source IP address, source port, destination IP address, destination port, protocol) set of rules to be applied to all traffic that enters or exits a subnet or a VM’s network interface. The NSGs, associated to a subnet or VM, are enforced by the SDN stack.
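As an added illustration of the five-tuple, priority-ordered evaluation just described (this is constructed example code, not Azure’s own implementation), the Python model below applies a small rule set to sample flows. The VirtualNetwork and AzureLoadBalancer service tags are modelled as fixed address ranges, the 10.0.0.0/16 VNet and the 203.0.113.0/24 corporate range are constructed values, and the three default inbound rules carry the priorities Azure assigns them. The AllowRdpFromCorp rule is deliberately placed after DenyRdpInBound to show that priority order, not rule intent, decides the outcome.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Service tags modelled as address ranges for this constructed example.
# 10.0.0.0/16 is the constructed VNet range; 168.63.129.16 is the address
# Azure load balancer health probes originate from.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # lowest number is evaluated first; custom rules use 100-4096
    direction: str         # "Inbound" or "Outbound"
    access: str            # "Allow" or "Deny"
    protocol: str          # "Tcp", "Udp", "Icmp" or "*"
    source: str            # CIDR, service tag or "*"
    source_port: str       # "*", "22" or a range such as "1024-65535"
    destination: str
    destination_port: str


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _addr_match(spec: str, ip: str) -> bool:
    if spec == "*":
        return True
    prefixes = SERVICE_TAGS.get(spec, [spec])
    return any(ip_address(ip) in ip_network(p, strict=False) for p in prefixes)


def _port_match(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def _matches(rule: Rule, flow: Flow) -> bool:
    return (rule.direction == flow.direction
            and (rule.protocol == "*" or rule.protocol.lower() == flow.protocol.lower())
            and _addr_match(rule.source, flow.src_ip)
            and _port_match(rule.source_port, flow.src_port)
            and _addr_match(rule.destination, flow.dst_ip)
            and _port_match(rule.destination_port, flow.dst_port))


def evaluate(rules, flow):
    """Return (rule name, access) of the first rule, in priority order, that matches the flow.

    Evaluation stops at the first match, exactly as NSG processing does."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if _matches(rule, flow):
            return rule.name, rule.access
    return None, "Deny"   # not reached while the default rules are present


# Default inbound rules Azure adds to every NSG (priorities 65000/65001/65500),
# followed by constructed custom rules for a web-tier subnet 10.0.1.0/24.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
]
CUSTOM_INBOUND = [
    Rule("AllowHttpsInBound", 100, "Inbound", "Allow", "Tcp", "*", "*", "10.0.1.0/24", "443"),
    Rule("DenyRdpInBound", 200, "Inbound", "Deny", "Tcp", "*", "*", "*", "3389"),
    # Meant to let the corporate range reach RDP, but priority 300 is evaluated
    # after DenyRdpInBound (200), so this rule can never match.
    Rule("AllowRdpFromCorp", 300, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "*", "*", "3389"),
]
RULES = DEFAULT_INBOUND + CUSTOM_INBOUND


if __name__ == "__main__":
    samples = [
        Flow("Inbound", "Tcp", "198.51.100.7", 51000, "10.0.1.4", 443),   # Internet HTTPS
        Flow("Inbound", "Tcp", "203.0.113.9", 50000, "10.0.1.4", 3389),   # corp RDP, shadowed
        Flow("Inbound", "Tcp", "198.51.100.7", 50000, "10.0.1.4", 22),    # Internet SSH
        Flow("Inbound", "Tcp", "10.0.2.5", 40000, "10.0.1.4", 8080),      # intra-VNet
    ]
    for f in samples:
        print(f.src_ip, "->", f.dst_ip, f.dst_port, f.protocol, evaluate(RULES, f))
```

Reordering AllowRdpFromCorp to a priority below 200 is the fix the model makes visible; the same ordering mistake in a real NSG is silent until flow logs show the expected allow rule with no hits.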

Network virtual appliances (NVAs) bolster VNet security and network functions, and they’re available from numerous vendors via the Azure Marketplace. NVAs can be deployed for highly available firewalls, intrusion prevention, intrusion detection, web application firewalls (WAFs), WAN optimization, routing, load balancing, VPN, certificate management, Active Directory, and multifactor authentication.

Many enterprises have strict security and compliance requirements that call for on-premises inspection of all network packets to enforce specific policies. Azure provides a mechanism called forced tunneling that routes traffic from the VMs to on-premises, either by creating a custom route or by Border Gateway Protocol (BGP) advertisements through ExpressRoute or VPN.

Figure 4 shows an example of using NSG rules on segregated subnets and an NVA to protect the front-end subnet.

Figure 4. A perimeter network architecture built using Network Security Groups

Azure Application Gateway, our Layer 7 load balancer, also provides Web Application Firewall (WAF) functionality to protect against the most common web vulnerabilities.

Securely connecting from on-premises to Azure can be achieved via the Internet using IPsec to access our VPN Gateway service, or with a private network connection using ExpressRoute. Figure 4 illustrates a perimeter network–style enhanced security design where Virtual Network access can be restricted using NSGs with different rules for the front-end (Internet-facing) web server and the back-end application servers.

Figure 5. A secured VNet connected to an Internet front-end and back-end connected to on-premises

For more examples and best practices, see Microsoft cloud services and network security.

Security validation

Azure offers many tools to monitor, prevent, detect, and respond to security events. Customers have access to the Azure Security Center, which gives you visibility and control over the security of your Azure resources. It provides integrated security monitoring and policy management, helps detect threats, and works with a broad ecosystem of security solutions.

We also provide Network Watcher to monitor, diagnose, and gain insights into your Azure network. With diagnostic and visualization tools to monitor your network’s security and performance, you can identify and resolve network issues. For example, to view information about traffic coming into and going out of an NSG, Network Watcher provides NSG flow logs. You can verify that the NSGs are properly deployed, and see which unauthorized IPs are attempting to access your resources.
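As an added example of the kind of check the paragraph describes (this is constructed example code, not code from Network Watcher itself), the Python below parses a constructed NSG flow log in the version 2 JSON schema, counts hits per rule, tallies denied inbound sources, and flags sources that were denied on several distinct ports. The subscription id, resource group, MAC address and IP addresses are placeholders; the field layout of each flow tuple (timestamp, source, destination, ports, protocol, direction, decision, then state and packet/byte counters in version 2) follows the published format.

```python
import json
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed NSG flow log (version 2 schema) for a web VM at 10.0.1.4.
# Subscription id, resource group, MAC and addresses are placeholders.
SAMPLE_LOG = json.dumps({
    "records": [{
        "time": "2018-11-13T12:00:35.3899262Z",
        "category": "NetworkSecurityGroupFlowEvent",
        "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG-WEB/"
                      "PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-WEB",
        "properties": {
            "Version": 2,
            "flows": [
                {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3A000001", "flowTuples": [
                    "1542110402,198.51.100.23,10.0.1.4,44931,3389,T,I,D,B,,,,",
                    "1542110403,198.51.100.23,10.0.1.4,44932,22,T,I,D,B,,,,",
                    "1542110405,203.0.113.77,10.0.1.4,51000,3389,T,I,D,B,,,,"]}]},
                {"rule": "UserRule_AllowHttpsInBound", "flows": [{"mac": "000D3A000001", "flowTuples": [
                    "1542110410,192.0.2.10,10.0.1.4,52214,443,T,I,A,B,,,,",
                    "1542110415,192.0.2.10,10.0.1.4,52214,443,T,I,A,E,12,3400,10,52000"]}]},
                {"rule": "DefaultRule_AllowInternetOutBound", "flows": [{"mac": "000D3A000001", "flowTuples": [
                    "1542110420,10.0.1.4,192.0.2.55,33000,443,T,O,A,B,,,,"]}]},
            ],
        },
    }],
})


@dataclass(frozen=True)
class FlowTuple:
    rule: str
    timestamp: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str          # "T" tcp or "U" udp
    direction: str         # "I" inbound or "O" outbound
    decision: str          # "A" allowed or "D" denied
    state: Optional[str]   # version 2 only: "B" begin, "C" continuing, "E" end
    bytes_to_dst: int      # version 2 only, reported on C/E entries
    bytes_to_src: int


def parse_tuple(rule: str, raw: str) -> FlowTuple:
    """Parse one comma-separated flow tuple (8 fields in v1, 13 in v2)."""
    f = raw.split(",")
    if len(f) not in (8, 13):
        raise ValueError(f"unexpected flow tuple: {raw!r}")
    v2 = len(f) == 13
    return FlowTuple(
        rule, int(f[0]), f[1], f[2], int(f[3]), int(f[4]), f[5], f[6], f[7],
        f[8] if v2 else None,
        int(f[10]) if v2 and f[10] else 0,
        int(f[12]) if v2 and f[12] else 0,
    )


def load_flows(log_json: str):
    """Flatten records -> rules -> NICs -> tuples into a list of FlowTuple."""
    flows = []
    for record in json.loads(log_json)["records"]:
        for rule_block in record["properties"]["flows"]:
            for nic in rule_block["flows"]:
                for raw in nic["flowTuples"]:
                    flows.append(parse_tuple(rule_block["rule"], raw))
    return flows


def rule_hits(flows) -> Counter:
    """Hits per rule: an expected rule with zero hits suggests it never matches."""
    return Counter(f.rule for f in flows)


def denied_inbound_sources(flows) -> Counter:
    return Counter(f.src_ip for f in flows if f.direction == "I" and f.decision == "D")


def probing_sources(flows, min_ports: int = 2):
    """Sources denied inbound on at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for f in flows:
        if f.direction == "I" and f.decision == "D":
            ports[f.src_ip].add(f.dst_port)
    return sorted(ip for ip, p in ports.items() if len(p) >= min_ports)


def bytes_by_rule(flows) -> Counter:
    """Total bytes in both directions attributed to each rule (v2 counters)."""
    totals = Counter()
    for f in flows:
        totals[f.rule] += f.bytes_to_dst + f.bytes_to_src
    return totals


if __name__ == "__main__":
    flows = load_flows(SAMPLE_LOG)
    print("rule hits:", dict(rule_hits(flows)))
    print("denied inbound sources:", dict(denied_inbound_sources(flows)))
    print("sources probing several ports:", probing_sources(flows))
    print("bytes by rule:", dict(bytes_by_rule(flows)))
```

On real logs the same functions run over every blob in the storage account, and the interesting output is usually the negative space: a user rule you expect to be exercised that shows no hits, or a denied source that keeps returning on new ports.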

Figure 6. Capture NSG Flow Logs using Network Watcher

Figure 7. Analyze NSG Flow Logs using Power BI

Network infrastructure security hardening

According to a 2015 Ponemon study, the average cost per security breach for businesses is $15 million. To help protect your organization’s assets, Microsoft Cloud datacenters are protected by layers of defense-in-depth security, including perimeter fencing, video cameras, security personnel, secure entrances, and real-time communications networks, and all physical servers are monitored. These regularly audited security measures help Azure achieve our strong portfolio of compliance certifications.

For many years, we’ve used encryption in our products and services to protect our customers from online criminals and hackers. We don’t want to take any chances with customer data being breached and are addressing this issue head on. We have a comprehensive engineering effort to strengthen the encryption of customer data across our networks and services. This effort will provide protection across the full lifecycle of customer-created content.

Azure traffic between our datacenters stays on our global network and does not flow over the Internet. This includes all traffic between Microsoft Azure public cloud services anywhere in the world. For example, within Azure, traffic between VMs, storage, and SQL stays on the Microsoft network, regardless of the source and destination region. Intra-region VNet-to-VNet, as well as cross-region VNet-to-VNet traffic, stays on the Microsoft network.

Distributed denial of service (DDoS) attacks are a continually rising threat. Protecting against the growing scale and complexity of such attacks requires significant infrastructure deployed at global scale. Azure has a built-in DDoS protection system to shield all Microsoft cloud services. Therefore, all Azure public IPs fall under this protection deployed across all Azure datacenters. Our DDoS system uses dynamic threat detection algorithms to prevent common DDoS volumetric attacks (such as UDP floods, SYN-ACK attacks, or reflection attacks). We monitor hundreds of daily mitigated attack attempts and continually expand our protection.

Azure itself is also protected through active monitoring and intelligence gathering across the Internet. We continuously perform threat intelligence research into the dark web to identify and mitigate potential risks and attacks. This knowledge is applied to our protection techniques and mitigations. The Microsoft Cyber Defense Operations Center responds to security incidents, highlighting our commitment.

Putting these investments together, we provide a layered security model, as shown in Figure 8, to protect your services running in Azure.

Figure 8. A layered approach to securing Azure

Secure Azure Networking

Azure has made significant investments in security. Customers can use Virtual Networks and our other security features and services to design, configure, and monitor their cloud applications. We aggressively monitor and continually harden our global infrastructure to address the ever-changing landscape of new cyber threats.

Microsoft continues to be a leader in the prevention of network security attacks. With our global footprint and experience running the most popular cloud services, we have both scale and a breadth of inputs to secure our network and help you secure your services. We will continue to invest in network security technologies so that you can safely—and in a compliant manner—build, deploy, monitor, and run your services in Azure. We are your partner to securely run your business.

Read more

To read more posts from this series, please visit:

Networking innovations that drive the cloud disruption
SONiC: The networking switch software that powers the Microsoft Global Cloud
How Microsoft builds its fast and reliable global network
Lighting up network innovation

Source: Azure

Azure Backup’s cloud-first approach and why it matters

Backup is all about how quickly you can be back up from a disaster or data loss situation. On this World Backup Day, this blog post is dedicated to explaining Azure Backup’s cloud-first approach and how it helps you be back up quickly and securely.

Backup is a deeply entrenched market and companies generally tend to stick with their backup solution unless there are major shifts in the IT infrastructure. When such a shift occurs, companies are open to evaluating alternate backup solutions that offer significant value tied to that infrastructure shift. Virtualization was a hardware infrastructure inflection that happened in the 2000s that allowed companies to significantly reduce their IT costs with the consolidation and portability benefits offered by virtualization. It also allowed new backup players to emerge and the ones that delivered significant value tied to virtualization became successful. The infrastructure inflection currently underway is the shift to the public cloud and Azure Backup has taken a cloud-first approach to deliver maximum value for backup scenarios in a cloud-transformed IT environment. 

Cloud-first value propositions

These are the benefits customers would likely expect in backup scenarios as they augment the public cloud to their IT infrastructure:

Consistent management experience for Hybrid IT: Companies will be in a hybrid model where, in addition to the on-premises IT, they will have a cloud footprint that has IaaS (“lift-and-shift applications”) and possibly extends to PaaS (“born-in-the-cloud applications”) and SaaS (O365). It is important to have a consistent experience to manage backups across the IT assets in this hybrid model.
Agility: Business owners are seeking more agility offered by the public cloud where they can deploy solutions from the marketplace to meet their business needs. From a backup perspective, an application admin should be able to sign up for backup and do self-service restores without having to go through a central IT process to provision compute/storage in the cloud to enable backup.
Reduce TCO (Total Cost of Ownership): A subscription based model (PAYG) is an obvious benefit of the public cloud, but it is also important to consider overall IT cost for backup. For example, if you need to deploy additional infrastructure in the cloud (compute and storage) for backups your overall costs would be higher.
Freedom from infrastructure: This is one of the fundamental benefits companies seek when they move their IT to the cloud, and since backup has a significant infrastructure footprint in on-premises IT (storage, compute, licenses, etc.), an infrastructure-less backup solution would be a natural expectation for customers.

There are 3 possible approaches backup solutions can take to leverage the cloud inflection and it is important to consider how well they deliver on the above promises in each approach:

Cloud as storage: In this model, the backup solution leverages the public cloud as a storage target for backup, either for the second backup copy or to replace tape backups. The customer still needs to manage storage in the cloud, pay any egress costs for restores, and manage the bulk of the backup infrastructure, which is still on premises.
Cloud as infrastructure: This is the next level where the customer can run the backup application in an IaaS VM, which can protect applications deployed in IaaS. While it does offer a similar experience, it can only protect IaaS VMs and not the other cloud assets (PaaS, SaaS) and has TCO implications. For example, a single IaaS VM only supports 32 TB of total addressable storage, which is far too small for a backup application so to back up at scale, customers need to deploy additional IaaS VMs, configure scale sets for availability and provision/manage backup storage, all of which adds to the overall TCO for backup. Also, as the name implies, it does not free the customer from infrastructure management which is a fundamental promise of moving to the cloud.
Cloud as platform: Backup can be built in a PaaS model to deliver backup as a service and architected to provide a consistent management experience to both on premises infrastructure as well as backup for born-in-the-cloud applications (IaaS, PaaS, and SaaS). Since all the service infrastructure is owned and managed by the service, there would be no additional costs for the backup and there is complete freedom from managing infrastructure associated with backup. 

Azure Backup is architected from the ground up as a first-class PaaS service in Azure, as described in approach 3, and delivers on the cloud promises customers expect as they cloud-transform their IT infrastructure. In addition, since it is a first-party service in Azure, it can also leverage other services in Azure to deliver value beyond backup scenarios, for example, rich monitoring and reporting using Power BI or the capability to do advanced analytics on backup data in Azure.

Compelling backup scenarios enabled by the cloud-first architecture

The cloud-first approach of Azure Backup provides unique benefits to customers which are either difficult or not possible in traditional approaches.

Native Backup for IaaS/PaaS: Azure Backup seamlessly integrates with IaaS VMs by providing an enable-backup experience in the VM blade itself. A VM extension is deployed when the customer chooses to enable backup, and with a few clicks the IaaS VM is configured for backup. Backup can also be enabled via ARM templates, and it supports all the features of IaaS VMs such as disk encryption, premium disks, etc. This capability will be extended to SQL Azure, Azure Files, and other Azure PaaS assets like WebApps and Service Fabric for a first-class backup experience in Azure.
Restore as a service: One of the key concerns customers have when they store their backups in the cloud is the restore experience: there are egress costs, the time it takes to restore data back on premises, and encryption requirements to handle. A restore operation typically requires either that all the data be restored on premises or that a restore appliance be hydrated in the cloud to browse items from the cloud restore points. Azure Backup’s restore-as-a-service feature uses a unique approach that mounts a cloud recovery point as a volume and lets you browse it to enable item-level restore. The customer does not need to provision any infrastructure, and the egress from Azure is free, which are both unique value propositions of Azure Backup. This feature is currently available for IaaS VMs (Windows and Linux) and on-premises Windows servers. The same capability for System Center Data Protection Manager and Microsoft Azure Backup Server will be available over the next few months.

Secure Cloud Backups: Azure Backup leverages Azure authentication services to provide multiple layers of security to secure cloud backups against malware attacks such as ransomware. While the predominant ransomware attacks are limited to infecting on-premises data, some of the more evolved ransomware attacks also target backup copies of the data. Typical infections include reducing backup retention, re-encrypting data, and deleting backup schedules or copies, all initiated from compromised machines. Azure Backup has several layers of protection to prevent and alert against such attacks.

Related links and additional content

Need help? Reach out to Azure Backup forum for support or browse Azure Backup documentation
Tell us how we can improve Azure Backup by contributing new ideas and voting up existing ones
Follow us on Twitter @AzureBackup for the latest news and updates
New to Azure Backup, sign up for a free Azure trial subscription
Connect with us at the Azure Tech Community

Source: Azure