Microsoft and AT&T demonstrate 5G-powered video analytics

In November 2021, Microsoft and AT&T announced the launch of Azure public MEC (multi-access edge compute) with a site in Atlanta, Georgia. The Azure public MEC solution enables low-latency applications at the edge of the mobile operator’s network, providing Azure compute services integrated with 5G connectivity. Azure public MEC is designed to run AI and machine learning workloads that require intensive compute and low latency network. The access to these resources is over high-quality 5G connections from phones, smart cameras, IoT devices, and other equipment. Enterprises and developers can build and run these low-latency applications and manage their workloads using the same tools they are using to run applications in the Azure public cloud. 

To light up new compelling applications with Azure public MEC that benefit from low latency 5G connectivity, we are making available a video analytics library under the umbrella of Edge Video Services.

Edge Video Services

Edge Video Services (EVS) is a Microsoft platform for developing video analytics solutions that can be deployed on Azure public MEC. For example, consider some smart city applications like our Vision Zero work with the City of Bellevue, which enabled a new generation of real-time traffic flows leading to substantial improvements in the day-to-day lives of commuters. Similarly, real-time video analytics can make cities safer by controlling traffic lights for situations such as allowing a person in a wheelchair to safely cross the street. A related application, which we demonstrated at Hannover Messe 2016, integrated an early version of EVS into traffic light cameras and those in self-driving cars to analyze videos to help reduce accidents and fatalities. Other new applications that are coming soon include improving transportation systems, monitoring air quality, street lighting, smart parking, crowd management, and emergency management. Beyond smart cities, EVS can provide modern smart enterprises with end-to-end experiences with video analytics for mixed reality as a natural component of 5G network solutions. Additional examples include managing machines and robots in connected factories, handling customer demands and services in retail stores and restaurants or tracking pedestrian traffic in sports arenas.

Figure 1: EVS architecture stack.

As shown in Figure 2 below, 5G compute infrastructure has a hierarchy of intelligent components including Azure Percept devices, Azure private MEC, and Azure public MEC. EVS integrates with all of these solutions and provides these features: 

Inter-edge orchestrator to manage network traffic involving multiple public MECs. It deploys application containers across the edge hierarchy for high availability and fault tolerance.   
Network monitoring and adaptation to continuously monitor the dynamic wireless and wired network connections, adapting application demands accordingly.  
Dynamic resource allocation for video machine learning containers. This adapts based on the load generated from the mobile network and the workloads deployed in the on-premises edge location.

Smart cities deployment at Azure public MEC with AT&T in Atlanta

Working with AT&T, Microsoft demonstrated the value of EVS on the Azure public MEC connected to AT&T’s 5G network in Atlanta. The setup consisted of an on-premises edge device, managed by Azure IoT Hub and an Azure Kubernetes cluster as shown in the diagram below.

Figure 2: Azure public MEC and AT&T deployment.

The EVS orchestrator places the various containers across the on-premises edge and Azure public MEC. This split execution requires only lightweight compute power on-premises, and also removes the need to provision high bandwidth connectivity out of the on-premises edge. 

In our Atlanta deployment, we demonstrated EVS’s split architecture, with lightweight execution at the on-premises edge. It transferred 230MB of data over the 5G link out of the on-premises edge over 24 hours; by contrast, 9.5GB of data would have been sent if all the encoded video were transferred out. In other words, EVS reduced the network utilization by 42x. This network saving was obtained with a CPU-only edge on-premises with no loss in accuracy. Our measurements also showed that network latencies to the Azure public MEC were about 6x lower at the median compared to the nearest Azure region, which translated to faster responses for the application.

EVS is integrated with AT&T’s network APIs to obtain real-time information about the 5G network. As a result, EVS adapts the amount of traffic transferred between the edges, depending on any fluctuations to the latency and bandwidth of the 5G link. EVS uses Azure Traffic Manager to support automatic failover for the Azure public MEC to the nearest Azure region, thus ensuring no disruption to the video application. When failing over to the Azure region, EVS adapts to the changed and increased latency by adjusting the amount of traffic sent out of the on-premises edge via changes to the encoder and machine learning model parameters with minimal impact on application accuracy. EVS is also cognizant of other containers executing at the edges and can elastically scale up or down its compute requirements.

EVS on Azure public MEC: Try it out today

For your video scenarios, we encourage you to try out EVS on Azure public MEC with your own on-premises edge devices. The reference architecture and instructions are available in our GitHub repository. The repository also includes a sample video of cars entering a parking lot that you can use to test EVS for counting cars. To submit feedback about EVS, please email evs-support@microsoft. Please note this is only for submitting feedback; you will not be contacted.
Source: Azure

Microsoft session highlights from SAP Sapphire 2022

It has been three years since SAP Sapphire last occurred in person, and I was thrilled to meet with our customers and partners again this week. As SAP Sapphire comes to a close, I am taking a moment to reflect on how the world has changed since the pandemic. Many organizations were not prepared for the impact such a change would have on their business, and they were forced to adjust in real-time—realizing that the digital transformation conversations of the past now needed to be put into action and accelerated.

Fast forward to SAP Sapphire 2022 and a new world, where in-person and hybrid experiences came together in Orlando, Florida and virtually across the globe. Microsoft and SAP are celebrating the one-year anniversary of RISE with SAP on the Microsoft Cloud, which helps organizations of all sizes modernize their SAP solutions in the cloud. We have made great progress on the various aspects of our product innovation, delivering new service offerings, frameworks, and tools, that have helped our customers and partners simplify and further accelerate their SAP modernization journey. We have summarized the most recent product announcements here: SAP on Azure Product Announcements Summary—SAP Sapphire 2022.

SAP Sapphire 2022 gave us an opportunity to reconnect with customers and partners—celebrating our joint success, discussing new business priorities, and identifying areas where Microsoft can further help accelerate their growth. We were honored to see many customers and colleagues at Microsoft on stage to share their experiences and best practices. It is most rewarding and humbling to see the level of trust that SAP, our customers, and partners place on our technology platform and to see its impact across various industries and customer scenarios. Below are several session highlights in case you missed them.

SAP Sapphire 2022 session highlights

Spur innovation like the NBA with RISE with SAP on Azure (session ERP159)

The National Basketball Association (NBA) wanted to eliminate limitations of its on-premises data centers and moved its SAP applications and other IT resources to the cloud. The NBA’s Puneet Toteja, AVP, Business Systems Lead, discussed how using RISE with SAP with the AI, data warehouse, and personalization capabilities of Microsoft Azure has enabled the NBA to merge business, game, and fan data to deliver enhanced fan experiences. Learn more about the NBA’s journey with Microsoft and SAP.

Get insights into how Walgreens set up a best practice-based platform (session SE111)

David Durdan, Senior Director, Global Enterprise Architecture for Walgreens Company shares how the pharmacy chain embarked on a retail and finance transformation to deliver benefits to both customers and employees, using the SAP S/4HANA Retail solution and other SAP solutions hosted on Microsoft Azure. Learn more about Walgreens’ journey with Microsoft and SAP.

Jump-start your journey to becoming a demand-driven enterprise (session SCM157)

Microsoft’s Dhaval Desai, Principal Lead, SAP Supply Chain Engineering shared how Microsoft embraced RISE with SAP on Microsoft Cloud to transform its supply chain to a collaborative, digitally connected network that helps it sense and respond to demand changes quickly. Results from this joint Microsoft and SAP initiative include reduced latency in information sharing, improved forecast accuracy, and increased supply chain visibility, including visibility of supplier commitments.

Explore PEPCO’s “Smart” approach to converting to SAP S/4HANA (session ERP137)

Exelon-owned Electric Power Company, PEPCO, provides electricity and gas to two million customers. In this session featuring Exelon’s Manager of Customer Projects and System Support Walter Stefy and Accenture Managing Director Muthu Maran, discover how they designed and executed a journey to cloud transformation and upgraded to SAP S/4HANA on Microsoft Azure in just eighteen months using Accenture’s Smart field approach.

Find out how your peers are optimizing their supply chains (session SCM125)

Microsoft’s Dhaval Desai, Principal Lead, SAP Supply Chain Engineering joined a panel of industry leaders from Blue Diamond Growers, Varidesk and SAP to share how their organizations have addressed diverse supply chain resiliency issues with SAP solutions, including the SAP Integrated Business Planning for Supply Chain solution.

Automate sales ordering to improve compliance and the customer experience (session CX156)

Merck and Co.’s Ann Wallach, Director of SAP Delivery will share how this global pharmaceutical company modernized and automated its vaccine ordering process, which was previously handled through fax and phone and required manual entry of sales orders. Merck was able to modernize by leveraging the scalability of SAP Commerce Cloud on Microsoft Azure to improve the customer experience and payment-card industry compliance.

Learn more

I hope you’ve enjoyed SAP Sapphire in-person or virtually as much as we did. To learn more, check out the SAP on Azure Product Announcements Summary. My team and I look forward to continuing our discussion and meeting many of you around the world as we hit the road with SAP visiting eight cities in the remainder of 2022!
Source: Azure

Manage Red Hat workloads seamlessly on Azure

Every year, Red Hat Summit features inspirational and actionable content, industry-shaping news, and innovative practices from customers and partners. From hybrid cloud, containers, and cloud-native app platforms to management, automation, and more, speakers from around the world, across industries, and sectors join to share how they're using open tools to build better solutions for themselves and their customers. Microsoft is proud to sponsor and participate in Red Hat Summit 2022 which brings together communities who are passionate about open source in the enterprise.

Business is changing, and keeping up with fluctuations in markets and customer demands is not easy. Modernization is essential. Technologies like containers, Kubernetes, and hybrid cloud architectures are key components that provide the scalability, innovation, and flexibility you need to maintain a competitive edge, grow market share, and increase margins. Microsoft and Red Hat offer you the tools to reduce complexity and simplify your environment, innovate faster, deliver high-quality customer experiences, and expand and scale your infrastructure in any direction so you can be a disruptor in your industry.

Today, we’re announcing multiple enhancements to our Red Hat on Azure offerings that help customers accelerate their digital transformation with the power of the cloud. This includes the broad availability of our Red Hat Ansible Automation Platform on Azure and Red Hat OpenShift support for Azure Arc-enabled SQL Managed Instance.

Detailed updates include:

Red Hat Ansible Automation Platform on Azure is now available to customers in North America with global availability coming soon. The Ansible Automation Platform 2.2 features are available for customers in the tech preview. Red Hat Ansible Automation Platform on Azure enables IT organizations to quickly automate and scale in the cloud, with the flexibility to deliver any application, anywhere, without additional overhead or complexity. Achieve zero to automation in minutes by deploying the managed application directly from the Azure Marketplace.

Azure Arc-enabled SQL Managed Instance is now supported on Red Hat OpenShift. For Red Hat Enterprise Linux customers who need to run their data workloads outside Azure in their own datacenters or multicloud environments, we bring trusted Azure SQL and open-source software database services to meet them where they are. This database service unifies management and delivers mission-critical performance, high availability/disaster recovery at scale. With an evergreen SQL that has no end-of-support, customers can realize the best of Azure SQL on OpenShift, in any environment. Customers can enjoy fully automated updates and patches to innovate faster and be more secure. 

"Red Hat has been a strategic partner in our Azure Arc partner ecosystem in lighting up the next-gen Azure data services to run anywhere. With this support, organizations can run Azure Arc-enabled SQL Managed Instance across any environment without worrying about the infrastructure underneath. The combination of Red Hat OpenShift and Azure Arc-enabled SQL Managed Instance allows customers to use the platform they know and trust to accelerate innovation with faster time to market with enterprise-grade support."—Peter Carlin, CVP Azure Database Platform

Red Hat Enterprise Linux (RHEL) 9 will be available on Azure from May 24. With demand for edge computing continuing to grow, RHEL 9 incorporates key enhancements specifically designed to address evolving IT needs at the edge. Edge management helps teams more securely manage and scale Red Hat Enterprise Linux on distributed devices from a single interface. RHEL 9 will include support for Red Hat Update Infrastructure 4 allowing for automatic updates.
Azure Hybrid Benefit for Linux 3.0 will be broadly available from May 24. Through Azure Hybrid Benefit for Linux 3.0, customers can migrate their on-premises RHEL servers to Azure by bi-directionally converting existing RHEL pay-as-you-go (PAYG) VMs on Azure to bring-your-own-subscription (BYOS) billing, resulting in cost savings. In its latest iteration, support for custom images has been included. Read more about Azure Hybrid Benefit for Linux for additional information.

Learn more

Visit the Microsoft Red Hat on Azure page to learn more about our offerings and join us at Red Hat Summit.
Source: Azure

Announcing new voices and emotions to Azure Neural Text to Speech

Azure Neural Text to Speech (Azure Neural TTS), a powerful speech synthesis capability of Azure Cognitive Services, enables developers to convert text to lifelike speech using AI. Enterprises and agencies utilize Azure Neural TTS for video game characters, chatbots, content readers, and more. The Azure Neural TTS product team is continuously working on bringing new voice styles and emotions to the US market and beyond.

New voice styles and emotional tones

We received feedback from customers that more voice options would help them better apply Azure Neural TTS to different user scenarios. In addition, supporting voice emotions and voice styles would help deliver the most engaging experience to end-users. With that feedback, we decided to add five new neural voices in US-English, expanding from 15 to 20. This includes two female voices—Jane and Nancy—and three male voices—Davis, Jason, and Tony. We also expanded to eight emotional tones for many of our existing and new voices, including cheerful, angry, sad, excited, hopeful, friendly, unfriendly, and terrified. Finally, to improve spatial experiences, we added shouting and whispering.

Listen to how they sound

New voices

Voices | Gender | Sample
Jane | Female | Audio
Davis | Male | Audio
Jason | Male | Audio
Nancy | Female | Audio
Tony | Male | Audio

New emotions

Style | Sample (male) | Sample (female)
Excited | Audio | Audio
Hopeful | Audio | Audio
Friendly | Audio | Audio
Unfriendly | Audio | Audio
Terrified | Audio | Audio

New ways to project

Style or emotion | Sample (male) | Sample (female)
Shouting | Audio | Audio
Whispering | Audio | Audio

We encourage you to try the new voices and emotions. Feedback is encouraged to help inform which voices will be made for General Availability in all regions, depending on customer satisfaction. “By supporting more voice options and expanding voice styles, Azure Speech continues to address the unmet needs of the customers to build more delightful speech experience,” said Binggong Ding, Principal Group Product Manager of the Microsoft Speech team.

See the full list of US-English voices here.

Three ways customers are using this

Content reading is a popular use case for AI customers using Azure Neural TTS. Microsoft has plugins to enable Read Aloud across the web. This use case also supports improved accessibility for customers with vision challenges. The new voice style, supported by ten different emotional tones creates endless possibilities for improving the customer experience.
Scaling character voice production is accelerated by Azure Neural TTS. Video game characters with lifelike voices can be trained quickly to bring your virtual worlds to life and delight gamers. Emotional tones for being terrified and friendly help add more personality to the game experiences.
Long gone are the days of frustrating voice assistants and chatbots, as now you can deliver lifelike conversational experiences. Call centers can scale operations while also improving customer satisfaction.

Featured customers

Undead Labs is on a mission to take gaming in bold new directions. They are the makers of the State of Decay franchise and use Azure Neural TTS during game development. Double Fine, who has produced many popular games, including Psychonauts 2, is utilizing our neural TTS to prototype future game projects. Remixd (recently acquired by Global) uses Azure Neural TTS including Jenny and Davis voices for one of its music radio media clients.

International reach

Engage global audiences by using more than 340 neural voices across 129 languages and variants. Bring your scenarios like text readers and voice-enabled assistants to life with highly expressive and human-like voices.

Neural TTS and Responsible AI

We are excited about the future of Azure Neural TTS with human-like, diverse and delightful quality under the high-level architecture of XYZ-Code AI framework. Our technology advancements are also guided by Microsoft’s Responsible AI process, and our principles of fairness, inclusiveness, reliability and safety, transparency, privacy and security, and accountability. We put these ethical standards into practice through the Office of Responsible AI (ORA), which sets our rules and governance processes, the AI Ethics and Effects in Engineering and Research (Aether) Committee, which advises our leadership on the challenges and opportunities presented by AI innovations, and Responsible AI Strategy in Engineering (RAISE), a team that enables the implementation of Microsoft Responsible AI rules across engineering groups.

Get started

Start building new customer experiences with Azure Neural TTS. In addition, the Custom Neural Voice capability enables organizations to create a unique brand voice in multiple languages and styles.

Resources

Try the demo.
Read the Tech Community blog post.
Get started with Azure Neural Text to Speech.

Source: Azure

Join us and the developer community to celebrate Azure Static Web Apps

Join us to celebrate the one-year anniversary of Azure Static Web Apps! Come connect with others in the developer community and increase your Azure Static Web Apps skills in a fun, collaborative way.

It's hard to believe that it was just under a year ago that we announced the general availability of Azure Static Web Apps.

Azure Static Web Apps service became generally available in May 2021, with support for many of the popular front-end frameworks and static site generators used for modern web app development.

A turnkey service for modern full-stack web apps with pre-built and pre-rendered static front-ends, and serverless API backends, Azure Static Web Apps focuses on making the developer experience—from build-to-deploy—effortless for modern web apps. Azure Static Web Apps is a power-packed solution to globally host websites, providing a seamless experience through features like continuous integration and continuous delivery (CI/CD), preview environments, global scalability, customizable authentication integrations, managed Azure edge, custom domains, and much more.

Fast forward a year and we are days away from the one-year anniversary (#SWAanniversary), making this a perfect time to reflect on the journey so far and get excited about what's coming up next.

So join us on May 19, 2022, and hear from keynote speakers like Scott Hanselman and Donovan Brown, along with our product team and Microsoft MVPs, in a one-and-a-half-hour event streaming live on Learn TV. If you’re unable to catch the live event, it will be available on-demand to stream anytime.

Visit the event page to check out the speaker lineup and add the event to your calendar.

Learn with #30DaysOfSWA

New to Azure Static Web Apps? Do you want to learn the core concepts, see usage examples, explore developer tools, and understand best practices for building richer user experiences with Azure Static Web Apps?

Check out the 30DaysOfSWA series and jumpstart your learning journey with a whole month of short articles that provide a curated tour of Azure Static Web Apps as we go from code to scale.

We've organized the journey into four stages, each building on the previous one in a way that mimics the developer experience with any new technology:

Week 1: Focus on core concepts, learning terminology, and getting set up.
Week 2: Focus on usage examples with quickstarts and front-end technologies.
Week 3: Focus on dev tools to develop, debug, test, and deploy Azure Static Web Apps.
Week 4: Focus on best practices, from services to end-to-end experiences.

It is said it takes 30 days to form a habit and we hope these daily activities with #30DaysOfSWA will help you on the journey to becoming a seasoned Azure Static Web Apps developer.

Learn more

Sign up now for the Azure Static Web Apps anniversary event.

Here are a few links to kickstart your Azure Static Web Apps journey:

Azure Static Web Apps documentation.
Azure Static Web Apps learning path.
Azure Static Web Apps gallery.

Source: Azure

Accelerating innovation in the diabetic foot market with Azure Health Data Services

This blog post has been co-authored by Sharlene Jerome, Manager of Marketing and Communications, Sensoria Health

This blog is part of a series in collaboration with our partners and customers leveraging the newly announced Azure Health Data Services. Azure Health Data Services, a platform as a service (PaaS) offering designed exclusively to support Protected Health Information (PHI) in the cloud, is a new way of working with unified data—providing care teams with a platform to support both transactional and analytical workloads from the same data store and enabling cloud computing to transform how we develop and deliver AI across the healthcare ecosystem.

According to the World Health Organization, over 422 million people suffer from diabetes. Diabetes is an emergency of epidemic proportions, and diabetic foot complications have one of the most painful effects—every 20 seconds, someone in the world loses a lower limb due to diabetes. The total worldwide cost of diabetic limb complications is estimated to be $46 billion, and in the US, direct costs associated with these complications exceed the cost of each of the five most expensive cancers.¹

From these staggering numbers, it is now obvious that connected footwear will play a major role in the future of diabetic care. As one of the most innovative applications of IoT in healthcare, remotely monitoring patients is essential to ensuring effective treatment, improving patient care, and reducing hospital readmission rates. This requires data to flow smoothly from patient to clinician, and from clinician to clinician. However, the currently siloed healthcare industry with data stored on-premises and lack of interoperability among these on-premises systems makes it difficult for clinicians to access data in a timely manner to proactively treat patients. And when diabetic foot ulcers can potentially cause the loss of limbs, the stakes are remarkably high for all parties involved.

Making real-world data accessible

To help better manage data in the cloud and enable healthcare organizations to access patient data in a timely and secure manner, Microsoft released Azure Health Data Services, a PaaS offering that is built on the global open standards Fast Healthcare Interoperability Resources (FHIR ®) and Digital Imaging Communications in Medicine (DICOM).

One of the biggest challenges in treating diabetic foot ulcers is the ability to monitor the patient’s progress when they are outside of the hospital. The inaccessibility of this data prevents clinicians from collaborating with patients to ensure they adhere to the clinical recommendations, thus reducing the effectiveness of treatment and care. With Azure Health Data Services, this data can now be accessed easily and in a timely manner by providers, giving patients the best chance to fight diabetic foot ulcers. Microsoft’s technology, alongside Sensoria’s innovative diabetic footwear, will enable the creation of a new category of solutions for podiatrists, which will not only provide valuable feedback to and from patients but also supply clinicians with the patient’s compliance and usage patterns for healing diabetic foot ulcers, supporting the goal of reducing the risk of occurrence.

As leaders in remote patient monitoring wearables and AI software solutions, Sensoria Health is already leveraging FHIR and Azure Health Data Services.

“There is no such thing as a "little" diabetes. Just like there is no such thing as a "little" cancer.”–Dr. David Armstrong, Professor of Surgery and Director, Southwestern Academic Limb Salvage Alliance (SALSA) at Keck School of Medicine, USC and Director, USC Center to Stream Healthcare in Place (#C2SHiP)

Sensoria’s diabetic footwear is a wonderful example of how Internet of Medical Things (IoMT) health data can be leveraged to improve clinical workflows and process valuable data to support both patient and clinician while making individualized care plans. Supported by Microsoft’s Azure Health Data Services, IoMT health data can be ingested from the Sensoria footwear and compiled to attain a valuable holistic view of a patient’s at-home care, knowledge of self-care, and care plan compliance. The IoMT health data coming from the footwear can be de-identified, compiled, and stored in Azure Health Data Services. Microsoft Azure Health Data Services is HITRUST CSF certified and helps organizations store PHI in accordance with HIPAA and GDPR requirements and meet Office for the National Coordinator for Health Information Technology (ONC) and US Centers for Medicare and Medicaid Services (CMS) mandates. Once stored in a standardized and interoperable format, the health data can be trended and tracked to visualize patterns and catch early warnings or allow for further analysis to support clinicians and treatment options. Sensoria Health leverages Azure IoT Central to connect the footwear and bring valuable IoMT data to the cloud—Azure Health Data Services helps manage IoMT data collected by the footwear to support the clinician for a more complete view of patient population, treatment compliance, daily treatment adherence scores, real-time behavioral feedback, and capture previous gaps in care and best practice.

Powered by Sensoria Core, a wearable sensor platform that is modular, self-contained, and fully integrated to provide highly accurate data, the Sensoria Diabetic Foot Ulcer Boot can measure adherence to whether the patient is wearing the boot, their level of activity, and adherence to the recommended clinician protocol. The clinician dashboard provided by the Sensoria Diabetic Foot Ulcer Boot offers a holistic view of their patient population. The dashboard is color-coded so that clinicians know which patients are at most risk due to non-adherence. In these cases, there is an escalation of care that can be identified, and the boot can be made irremovable.

Sensoria Health is excited to be a pioneer of this effort with global diabetic footwear partners such as Ossur, DARCO International, and Defender Operations.

“In the US, CMS is embracing remote patient monitoring and launching a new reimbursement model for remote therapeutic monitoring. Our partnership with Sensoria Health will place both of our companies in a leadership position for smart podiatry footwear products around the globe.”—Darrel Darby, CEO, DARCO International

“Combining Foot Defender® with the Sensoria ® Core is the marriage of modern manufacturing, advanced textiles, cutting edge engineering, and advanced electronics. Uniting these two leading-edge technologies produces a product that patients will want to wear and can assist them in monitoring activity and utilization, engaging patients in their care while empowering them to make changes in behavior.”—Dr. Jason Hanft, DPM, FACFAS, CEO and Founder, Defender

Do more with your data with Microsoft Cloud for Healthcare

Part of the Microsoft Cloud for Healthcare, Azure Health Data Services empowers health organizations to transform their patient experience, discover new insights with the power of machine learning and AI, and manage PHI data with confidence.

We look forward to being your partner as you build the future of health.

Learn more about Azure Health Data Services.
Learn more about Sensoria Health, or send a message to info@sensoriahealth.com.
Read our recent blog, “Microsoft launches Azure Health Data Services to unify health data and power AI in the cloud.”
Learn more about Microsoft Cloud for Healthcare.

FHIR® is a registered trademark of Health Level Seven International, registered in the U.S. Trademark Office, and is used with their permission.

¹ World Health Organization. Global report on diabetes. ISBN 978 92 4 156525 7 (NLM classification: WK 810). © World Health Organization 2016. 9789241565257_eng.pdf (who.int)
Source: Azure

Azure Health Data Services: Engineering product for partners

The healthcare industry has come a long way from putting pen to paper on a pharmacy script or clinical SOAP note to now, being able to deliver primary care in the emerging hospital at home. My career in the healthcare and life sciences (HLS) industry has spanned different roles including: a military clinician, life science entrepreneur, clinical research application scientist, and business leader. Currently, I head the Partner Alliances team for Microsoft’s global health and Life sciences Cloud and Data engineering and product group. Today, I consider myself an HLS generalist bridging the gap between engineering and the application of it in the wild. I look forward to continuing to listen to the needs, implement solutions, and partner with others to bring forward meaningful change in healthcare.

Last month, we launched Azure Health Data Services, a platform as a service (PaaS) offering designed exclusively to support Protected Health Information (PHI) in the cloud, built on the global open standards Fast Healthcare Interoperability Resources (FHIR)® and Digital Imaging Communications in Medicine (DICOM). Watching the team work to develop this product, I feel compelled to share how intentional our product team is at building healthcare technologies for an industry that is currently experiencing historically unprecedented transformation. We are deploying technology that can ingest, transform, and persist data, allowing our customers to use their data to span workflows from discovery research to clinical end points.¹ The underlying technology enables our customers to engage in activities ranging from novel biomarker identification to virtual clinical decision support. For example, today our customers can combine cellular assay data, pathology data, molecular imaging, genomics, and handwritten, voice, and text-derived notes. With so much data, the goal is to enable our customers to derive insights from a single system of record, so that they can optimize the user experience for patient, research, and clinical workflows. As a result, adherence to treatment increases, scientists gain faster contextual evidence to support their early discoveries, and clinicians can spend more time focused on delivering healthcare without experiencing burnout and information overload. The bottom line is, when you can bring these data sets together in a meaningful way, you inherently increase your signal-to-noise ratio since you are no longer looking for a needle in a haystack; you are looking for a book in a library.

Five years ago, under the leadership of Peter Lee, Microsoft made a purposeful decision that enabled us to lead the way in cloud, data, AI, and innovation. In 2020, Microsoft won the Frost and Sullivan Best Practice Award for our commitment to global AI for healthcare IT growth, and our innovation and leadership in the industry. The Microsoft executive health leadership team realized that we needed a common standards-based platform for healthcare and life sciences data and a secure, compliant environment for the industry to build on. To accomplish this, we would need to contribute to the interoperability momentum for the FHIR® standard. We also knew we had to lead with partners that know the space better than we do. We are now focused on building the most trusted health data platform, designed with security and compliance in mind, that is ready to ingest a variety of data types and standards, workflow accelerators, and scenario-specific features. Our hope is that this will enable our ecosystem of partners to push the last mile of innovation for our shared customers in provider, pharmaceutical, payor, and life sciences.
With our partners as the foundation of our business, we will maintain competitive velocity in such transformational times.

Our approach to building Azure Health Data Services has been to support our partners by building and managing the underlying cloud technology so they can remain focused on the front-line industry scenarios. We appreciate the intimate business propriety required to remain innovative and competitive. For this model to work, we must begin and end with the question “are we going to build, buy, or partner for this given product, feature, or capability?” These decisions are rigorous and informed by key industry opinion leaders, the partner ecosystem, and our leadership teams.

Taking inspiration from industry leaders

To support this thesis, we built the Health Data Services Partner Alliances team. Our charter is to listen to industry leaders like Tom Arneman at EPAM, BJ Moore at Providence, and the broader trusted advisors across the Microsoft health and life sciences partnership ecosystem. This industry-driven feedback challenged us to deliver interoperable, FHIR-enabled services and partner-led solutions. Partners like Redox, Onyx, 3Cloud, EPAM, SAS, Efferent, Teladoc and ZS Services have been instrumental in providing direct user feedback.

These solutions are coming to life with our mutual customers across the provider, payer and pharma industries. Together we are delivering diversified solutions across the HLS continuum that includes users like translational oncology clinical trial coordinators to care providers remotely accessing their patients. We have worked closely to evolve features with early movers that have deep expertise in multi-modal interoperability deployments, FHIR resource creation, MedTech eventing features for remote patient monitoring, and DICOM for imaging. Now we are scaling these managed services with global partners, their large enterprise HLS practices and industry leading ISV solutions. We are deploying a breadth motion and application toolset that will make it simpler for our partners to build new transactional and analytic SMART on FHIR and other applications on top of Azure Health Data Services.

These partners are the cornerstone of building solutions for the greatest challenges we see today and foresee in years to come. At Microsoft, we focus on aligning with them on a defined customer and business opportunity; we then commit resources and appropriate enablement to deliver timely and measurable business value. When we execute in this way, our likelihood of optimized collaboration, product-market fit, market adoption, and long-term partnership is much greater.

Azure Health Data Services is built with the goal of enabling our customers to be able to do more with their health data. We want our partners to be able to provide them solutions to do so—solutions optimized for Azure, Microsoft Cloud for Healthcare and Azure Health Data Services which can help them transform patient experience, discover new insights, and accelerate innovation.

Learn more

Learn more about Azure Health Data Services.
Read our recent blog, “Microsoft launches Azure Health Data Services to unify health data and power AI in the cloud.”
Learn more about Microsoft Cloud for Healthcare.
Learn more about how health companies are using Azure to drive better health outcomes.

¹ EPAM Debuts New Cloud-Powered Digital Clinical Trials Platform.

®FHIR is a registered trademark of Health Level Seven International, registered in the U.S. Trademark Office, and is used with their permission.
Source: Azure

Streamline Azure workloads with ExpressRoute BGP community support

In today’s globalized world, customers have started to maintain and expand their presence in the cloud across different geographic regions. With these increased deployments across Azure regions comes the increased complexity of customers’ hybrid networks. Establishing connectivity is no longer as simple as exchanging IP addresses between one pair of Azure regions and on-premises locations. Connectivity now requires additional configuration and reconfiguration of IP prefixes and route filters over time as the number of regions and on-premises locations grows. The introduction of Border Gateway Protocol (BGP) community support for Azure ExpressRoute, now in preview, lifts this burden for customers who connect privately to Azure. The support of this feature will also help simplify and unlock new network designs.

A brief overview of ExpressRoute

ExpressRoute lets customers extend their on-premises networks into the Microsoft Cloud over a private connection. With ExpressRoute, customers can connect to services in the Microsoft Cloud, including Microsoft Azure and Microsoft 365, without going over the public internet. An ExpressRoute connection provides more reliability, lower latency, and higher security than a public internet connection.

Globalized hybrid networks with ExpressRoute

A common scenario for customers to use ExpressRoute is to access workloads deployed in their Azure virtual networks. ExpressRoute facilitates the exchange of Azure and on-premises private IP address ranges using a BGP session over a private connection, enabling a seamless extension of customers’ existing networks into the cloud.

When a customer begins using multiple ExpressRoute connections to multiple Azure regions, their traffic can take more than one path. The hybrid network architecture diagram below demonstrates the emergence of suboptimal routing when establishing a mesh network with multiple regions and ExpressRoute circuits:

To ensure that traffic to Region A takes the optimal path over ExpressRoute circuit 1, the customer could configure a route filter on-premises so that Region A routes are learned at the customer edge only from ExpressRoute circuit 1, and not learned at all from ExpressRoute circuit 2. This approach requires the customer to maintain a comprehensive list of IP prefixes in each region and to update this list whenever new virtual networks are added or private IP address space is expanded in the cloud. As the customer continues to grow their presence in the cloud, this burden can become excessive.

Simplifying routing with BGP communities

With the introduction of BGP community support for ExpressRoute, customers can easily grow their multiregional hybrid networks without the tedious work of maintaining IP prefix lists. A BGP community is a group of IP prefixes that share a common property called a BGP community tag or value. In Azure, customers can now:

Set a custom BGP community value on each of their virtual networks.
Access a predefined regional BGP community value for all their virtual networks deployed in a region.

Once these values are configured on customers’ virtual networks, ExpressRoute will preserve them on the corresponding private IP prefixes shared with customers’ on-premises networks. When these prefixes are learned on-premises, they are learned along with the configured BGP community values. For example, a customer can set the custom value of 12076:10000 on a virtual network in East US and then start receiving the virtual network prefixes along with the values of 12076:1000 and 12076:50004 (the regional value) on-premises. Customers can then configure their route filters based on these community values instead of by specifying IP prefixes.

With the ability to make routing decisions on-premises based on BGP communities, customers no longer need to maintain IP prefix lists or update their route filters each time they expand their address space in an existing region. Instead, they can filter based on regional BGP community values and update their configurations when deploying workloads in a new region.
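The difference between the two filtering approaches can be seen in a small simulation of the customer edge. This is an added example, not code from the post or from Azure: the circuit names, the prefixes, and the second region's community value are constructed placeholders, while 12076:50004 and 12076:10000 are the values quoted above.

```python
from dataclasses import dataclass

REGION_EAST_US = "12076:50004"  # regional value quoted in the post
CUSTOM_VNET = "12076:10000"     # custom value quoted in the post
REGION_B = "12076:59999"        # constructed placeholder, not a real Azure value


@dataclass(frozen=True)
class Route:
    prefix: str
    communities: frozenset
    circuit: str  # ExpressRoute circuit the advertisement arrived on


def advertise(prefix, *communities):
    """In the meshed design every VNet prefix is advertised over both circuits."""
    return [Route(prefix, frozenset(communities), c)
            for c in ("circuit-1", "circuit-2")]


def filter_by_prefix_list(routes, prefix_lists):
    """Static approach: accept a route only if its prefix is listed for its circuit."""
    return {r.prefix: r.circuit for r in routes
            if r.prefix in prefix_lists.get(r.circuit, set())}


def filter_by_community(routes, region_to_circuit):
    """Community approach: accept a route only on the circuit mapped to its region tag.

    Routes that carry no known regional tag (or more than one) are not
    installed; they are returned separately so an operator can review them.
    """
    table, unmatched = {}, set()
    for r in routes:
        regions = sorted(c for c in r.communities if c in region_to_circuit)
        if len(regions) != 1:
            unmatched.add(r.prefix)
            continue
        if region_to_circuit[regions[0]] == r.circuit:
            table[r.prefix] = r.circuit
    return table, unmatched


def demo():
    # Filters as written on day one (constructed values).
    prefix_lists = {"circuit-1": {"10.1.0.0/16"}, "circuit-2": {"10.2.0.0/16"}}
    region_to_circuit = {REGION_EAST_US: "circuit-1", REGION_B: "circuit-2"}

    routes = (
        advertise("10.1.0.0/16", REGION_EAST_US, CUSTOM_VNET)
        + advertise("10.2.0.0/16", REGION_B)
        # New VNet added in East US after the filters were written.
        + advertise("10.3.0.0/16", REGION_EAST_US)
        # Constructed edge case: a prefix with no regional tag.
        + advertise("10.9.0.0/16")
    )
    static_table = filter_by_prefix_list(routes, prefix_lists)
    tagged_table, unmatched = filter_by_community(routes, region_to_circuit)
    return static_table, tagged_table, unmatched


if __name__ == "__main__":
    static_table, tagged_table, unmatched = demo()
    print("prefix-list filter:", static_table)
    print("community filter:  ", tagged_table)
    print("needs review:      ", sorted(unmatched))
```

The prefix-list filter never learns the new 10.3.0.0/16 network until someone edits the list, whereas the community filter places it on circuit 1 with no configuration change.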

Understanding complex networks

Customers may expand their Azure workloads across regions over time, as described earlier, but may also continue to build more complex networks within each region. They may progress from simpler single-virtual network deployments to pursuing hub-and-spoke or mesh topologies containing hundreds of resources. If connectivity or performance issues arise for traffic sent from these resources to on-premises, the complexity of the cloud network can make troubleshooting more difficult. With custom BGP community values configured on each virtual network within a region, a customer can quickly find the specific virtual network that traffic is originating from in Azure and narrow down their investigation accordingly.

Take advantage of custom BGP communities with your Azure workloads

With the power to simplify cross-regional hybrid network designs and speed up troubleshooting, custom BGP communities are a great way for customers to enhance current ExpressRoute setups and prepare for future growth.

Learn more about how to configure custom BGP communities for your own hybrid networks.
Source: Azure

Intelligent application protection from edge to cloud with Azure Web Application Firewall

Threat intelligence at scale!

Changes to how we work and operate our businesses have driven every company to now be a digital company. This acceleration in digital transformation has also led to a rise in security risks. Cyberattacks are becoming more common and advanced with growing attack surfaces due to the proliferation of mobile and IoT devices and increasing cloud adoption. Basic protection measures are no longer sufficient as new attack vectors have emerged and attacks have become more sophisticated with automated and large-scale attacks. To help our customers address these security challenges, we have been evolving Azure Web Application Firewall (Azure WAF), our cloud-native, self-managed security service to protect your applications and APIs running in Azure or anywhere else—from the network edge to the cloud.

A quick primer on Azure WAF

We offer two options—global and regional—for deploying Azure WAF for your applications and APIs.

Global WAF: Azure WAF attaches to Azure Front Door, our native, modern cloud content delivery network (CDN), to provide global application acceleration and intelligent security at scale. Azure WAF stops security attacks at the network edge, closer to the source of the attack, with hundreds of edge locations around the world.
Regional WAF: Azure WAF attaches to Azure Application Gateway, a highly scalable, web application regional load balancer running in a virtual network. It manages traffic for both internal and external websites and provides application protection in over 60 Azure regions worldwide.

What’s changed?

We are excited to share recent updates and announce many new features that will offer customers better security, improved scale, easier deployment, and better management of their applications.

Application and API protection

Improved security posture with new rulesets: On March 29, we announced the general availability of Managed Default Rule Set 2.0 (DRS 2.0) integrated with Azure Front Door Premium tier. DRS 2.0 includes the latest Microsoft proprietary rules authored by Microsoft Threat Intelligence. Today, on regional WAF attached to Azure Application Gateway, we are excited to announce the general availability of Open Web Application Security Project (OWASP) ModSecurity Core Rule Set 3.2 (CRS 3.2). These updated rulesets provide increased coverage for web vulnerabilities, reduce false positives, and protect against specific vulnerabilities, like Log4J and SpringShell CVEs.
Anomaly scoring with reduced false positives: Like regional WAF, we also introduced anomaly scoring with DRS 2.0 on global WAF, which drastically helps reduce false positives for customer applications. In anomaly scoring mode, when an incoming request violates a WAF rule, it is assigned an anomaly score based on the severity of the rule, and an action is taken only when the anomaly score reaches a threshold.
Increased size limits: With CRS 3.2, regional WAF can now support request body size inspection up to 2MB and file upload size up to 4GB.
API security: With DRS 2.0, global WAF now also supports XML and JSON content types that allow request inspection to secure inbound traffic. Azure WAF on Azure Front Door and Azure Application Gateway seamlessly integrates with Azure API Management to provide advanced API management and security features.
Advanced customization with per rule exclusions: As in global WAF, today we are also introducing per rule exclusions with CRS 3.2 on regional WAF with Application Gateway. Exclusions allow you to override WAF engine behavior by specifying certain request attributes to omit from rule evaluation. In addition, we now allow attribute exclusion definitions by name or value of headers, cookies, and arguments. Exclusions can be applied to a rule, set of rules, rule group, or globally for the entire ruleset, providing increased flexibility to help reduce false positives and meet application-specific requirements. This feature is currently available via Azure Resource Manager, PowerShell, CLI, and SDK. Azure portal integration will be available soon.
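To make the anomaly scoring item above concrete, the following added example (not Azure WAF code) evaluates three constructed requests under both a block-on-first-match policy and anomaly scoring. The four rules and their IDs are hypothetical stand-ins, not DRS or CRS rules; the severity weights and the threshold of 5 are the OWASP CRS defaults.

```python
import re
from dataclasses import dataclass
from typing import Callable

# OWASP CRS default severity weights and inbound threshold.
SEVERITY_SCORE = {"critical": 5, "error": 4, "warning": 3, "notice": 2}
THRESHOLD = 5


@dataclass(frozen=True)
class Rule:
    rule_id: str      # hypothetical ID, not a real CRS/DRS rule number
    severity: str
    matches: Callable[[dict], bool]


def looks_like_sqli(req):
    return re.search(r"(?i)\bunion\b.+\bselect\b", req["query"]) is not None


def host_is_ip(req):
    host = req["headers"].get("host", "")
    return re.fullmatch(r"[\d.]+(:\d+)?", host) is not None


def missing_user_agent(req):
    return not req["headers"].get("user-agent")


def missing_accept(req):
    return "accept" not in req["headers"]


RULES = [
    Rule("demo-sqli", "critical", looks_like_sqli),
    Rule("demo-host-is-ip", "warning", host_is_ip),
    Rule("demo-no-user-agent", "notice", missing_user_agent),
    Rule("demo-no-accept", "notice", missing_accept),
]


def evaluate(request, threshold=THRESHOLD):
    """Return matched rules, the summed score, and the verdict in both modes."""
    hits = [rule for rule in RULES if rule.matches(request)]
    score = sum(SEVERITY_SCORE[h.severity] for h in hits)
    return {
        "matched": [h.rule_id for h in hits],
        "score": score,
        "anomaly_mode": "block" if score >= threshold else "allow",
        "first_match_mode": "block" if hits else "allow",
    }


# Constructed sample requests (header names already lower-cased).
PROBE = {  # internal health probe addressing the app by IP
    "headers": {"host": "10.0.0.5", "user-agent": "probe/1.0", "accept": "*/*"},
    "query": "",
}
SCRIPTED = {  # two low-severity findings that together reach the threshold
    "headers": {"host": "10.0.0.5:8080", "accept": "*/*"},
    "query": "page=2",
}
INJECTION = {  # a single critical finding
    "headers": {"host": "shop.example", "user-agent": "Mozilla/5.0", "accept": "*/*"},
    "query": "id=1 UNION SELECT password FROM users",
}

if __name__ == "__main__":
    for name, req in (("probe", PROBE), ("scripted", SCRIPTED), ("injection", INJECTION)):
        print(name, evaluate(req))
```

The health probe trips one warning-level rule and would be a false positive under first-match blocking, but its score of 3 stays below the threshold; the other two requests reach 5 and are blocked in both modes.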

Bot protection

Bots have become an essential part of our customers’ digital footprint, helping to automate and perform key functions. However, attackers are increasingly taking advantage of this by manipulating bots to carry out malicious tasks. We’re continuously improving our platform capabilities to better protect against bot attacks. Bot protection with the Bot Manager 1.0 ruleset is available through integration with the Azure Front Door Premium tier. Our bot detection and protection rules are based on Microsoft Threat Intelligence and support bot classification for good, bad, and unknown bots. Bad bots include bots from malicious IP addresses or bots that have falsified identities. The malicious IPs are provided by Microsoft’s Threat Intelligence feed, which is based on feeds from external providers and internal threat intel. For good bots, WAF uses reverse DNS lookups to validate whether the user-agent and IP address range match what the agent claims to be. Bot signatures are dynamically managed and automatically updated by WAF when new threat actors are detected.
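The reverse DNS check described above is commonly implemented as forward-confirmed reverse DNS: resolve the client IP to a hostname, check the hostname against the crawler operator's domains, then resolve that hostname back and confirm it returns the same IP. The sketch below is an added example and not how Azure WAF implements it; the DNS tables are constructed, use documentation address ranges, and are injected so the example runs offline.

```python
import ipaddress
import socket

# Hostname suffixes the crawler operators publish for verification.
CRAWLER_DOMAINS = {
    "googlebot": (".googlebot.com", ".google.com"),
    "bingbot": (".search.msn.com",),
}


def dns_reverse(ip):
    """PTR lookup using the system resolver; None when there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def dns_forward(host):
    """A/AAAA lookup using the system resolver; empty set on failure."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except OSError:
        return set()


def classify_bot(user_agent, ip, reverse=dns_reverse, forward=dns_forward):
    """Classify a client as 'good', 'bad' or 'unknown' (the post's three classes)."""
    ua = user_agent.lower()
    claimed = next((name for name in CRAWLER_DOMAINS if name in ua), None)
    if claimed is None:
        return "unknown"                      # makes no crawler claim to verify
    host = reverse(ip)
    if not host:
        return "bad"                          # claims an identity, no PTR record
    host = host.rstrip(".").lower()
    if not host.endswith(CRAWLER_DOMAINS[claimed]):
        return "bad"                          # PTR is outside the operator's domains
    # The owner of an IP block controls its PTR records, so the name must
    # also resolve forward to the same address before it is trusted.
    addr = ipaddress.ip_address(ip)
    confirmed = any(ipaddress.ip_address(a) == addr for a in forward(host))
    return "good" if confirmed else "bad"


# Constructed DNS data (RFC 5737 documentation addresses).
CONSTRUCTED_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com.",
    "198.51.100.7": "crawl-198-51-100-7.googlebot.com",  # PTR set by the IP owner
    "203.0.113.9": "host9.isp.example",
    "203.0.113.50": "googlebot.com.crawler.example",     # look-alike suffix
}
CONSTRUCTED_A = {
    "crawl-192-0-2-10.googlebot.com": {"192.0.2.10"},
    # No forward record exists for crawl-198-51-100-7.googlebot.com.
}
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


def constructed_reverse(ip):
    return CONSTRUCTED_PTR.get(ip)


def constructed_forward(host):
    return CONSTRUCTED_A.get(host, set())


if __name__ == "__main__":
    for ua, ip in [(GOOGLEBOT_UA, "192.0.2.10"), (GOOGLEBOT_UA, "198.51.100.7"),
                   (GOOGLEBOT_UA, "203.0.113.9"), (GOOGLEBOT_UA, "203.0.113.50"),
                   ("curl/8.0", "203.0.113.9")]:
        print(ip, ua[:30], "->",
              classify_bot(ua, ip, constructed_reverse, constructed_forward))
```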

Performance and scale with the next generation of WAF engine

We are excited to announce the general availability of our next-generation WAF engine on Azure Application Gateway. The new WAF engine, released with CRS 3.2, is a high-performance, scalable Microsoft proprietary engine and has significant improvements over the previous WAF engine.

Benefits of the new Azure WAF engine include:

Improved performance: In our test lab, the new engine resulted in a significant reduction in WAF latencies when compared with the previous version of the engine. We also observed a significant reduction in P99 tail latencies, of up to ~8 times when processing POST requests and ~4 times when processing GET requests.
Increased scale: Our next-gen engine can scale up to 8 times more RPS using the same compute power and has the ability to process 16 times larger request sizes (now up to 2MB request size), which was not possible earlier with the previous engine.
Better protection: New redesigned engine with efficient regex processing offers better protection against RegEx DoS attacks.
Richer feature set: The new engine is available with the CRS 3.2 version. New features and future enhancements will only be available through the new engine and the later versions of CRS. Customers are strongly encouraged to move to CRS 3.2 version. We are in the process of phasing out CRS 2.2.9 and will stop onboarding new customers on the older CRS 2.2.9 version. Existing customers on CRS 2.2.9 will continue to be supported.

To learn more about the new engine, see WAF engine documentation.

Management and monitoring

Native consistent experience with WAF policy: Application Gateway WAF v2 now natively utilizes regional WAF policy instead of config by default, removing the need for the legacy WAF config experience on Azure Application Gateway. All the latest features and future enhancements will be available via WAF policies. Application Gateway configuration continues to be supported for existing deployments of v1 and v2 SKUs, but customers are strongly encouraged to migrate to Application Gateway v2 with WAF policies that offer a richer feature set and improved experiences at no additional cost. Azure policies can be shared across multiple application gateway deployments, simplifying the management experience. With Azure policy, customers can easily automate deployment and provisioning of applications using DevOps- and API-friendly tools: Azure Resource Manager, REST API, PowerShell, CLI, and Terraform.
Advanced analytics capabilities: You can now access new Azure Monitor metrics on regional WAF for more effective monitoring, troubleshooting, and debugging. Azure Monitor logs and metrics for WAF can be streamed to a central log platform for advanced log analytics and are further consumed by Microsoft Sentinel and Microsoft Defender for Cloud for security monitoring and alerting. Microsoft Sentinel integration allows security analysts to analyze and correlate data from other sources, detect threats, and automate incident response. For example, we recently released Sentinel hunting queries to detect and respond to zero-day critical vulnerabilities, such as the Log4J Sentinel hunting queries and SpringShell Sentinel hunting queries.
Built-in security reports: Security reports on Azure Front Door provide powerful visualization of WAF patterns, trends by action, and events by rule types and rule groups. Security threat analysts can view a breakdown of top events by different dimensions like IP, country, URL, hostname, and user-agent for threat analysis.

Improved manageability: Azure WAF integration with Azure Firewall Manager is coming soon. With this integration, customers will be able to manage WAF policies at scale for applications hosted on Azure Front Door and Azure Application Gateway platforms.

Get started and share your feedback

You can try Azure WAF with Azure Application Gateway and Azure Front Door today. Visit Azure WAF documentation to learn more. As we continue to enhance the Azure WAF offering, we would love to hear your feedback. Post your ideas and suggestions on the networking community page or email us at azurewaf@microsoft.com.

Stay safe!
Source: Azure

Customize your secure VM session experience with native client support on Azure Bastion

This blog post has been co-authored by Isabelle Morris, Program Manager, Azure Networking

As organizations move their mission-critical workloads to the cloud, connecting to virtual machines (VMs) directly over the public internet is becoming more of a security risk. The more public IP addresses a customer has attached to VMs in their virtual network, the larger their attack surface becomes and the more vulnerable they are to security threats. The more secure alternative is to deploy a managed jumpbox service that reduces the number of public entry points to a customer’s resources in the cloud. The ideal managed jumpbox service should prioritize both security and flexibility to choose how you connect to your resources. Azure Bastion, Azure’s managed jumpbox service, now provides customers with the ability to customize their connection experience to use a native client of their choice.

Azure Bastion overview

Azure Bastion is a fully managed jumpbox-as-a-service that provides secure and seamless Remote Desktop Protocol (RDP) and Secure Shell Protocol (SSH) access to your VMs in local or peered virtual networks. Azure Bastion provides connectivity directly from the Azure portal using Transport Layer Security (TLS). With Azure Bastion, your VMs do not need a public IP address, protecting your virtual machines from exposing RDP and SSH ports to threats on the public internet, while still providing secure access using RDP and SSH. With native client support available on the Standard SKU for Azure Bastion, you now unlock customizable features and added functionality in your VM sessions.

More flexibility to choose how you connect to your VMs

The primary way to connect to your VMs using Azure Bastion is through a quick and simple experience in the Azure portal. Users and administrators can navigate to their Azure VM in the portal and then open a web-based VM session using Azure Bastion. This experience eliminates the need to download any clients, agents, or configure files prior to accessing the VM.

Some customers value integration with existing and familiar processes. With the support for native clients on Azure Bastion, these customers can use command-line based access and a native client of their choice to reach their target VMs. This allows them to use Azure Bastion with a more accessible or familiar user interface, and to integrate connectivity to VMs via the service into their existing scripts.

Native client support offers three Azure CLI commands: az network bastion rdp, az network bastion ssh, and az network bastion tunnel. The az network bastion rdp command and az network bastion ssh enable connectivity to the target VM directly and use the clients mstsc and az ssh respectively. Meanwhile, the az network bastion tunnel command allows more flexibility by establishing a tunnel to the target VM on a specific port, and then allowing the user to connect to the VM using a custom client and the specified port.

Customers now can choose how they connect to their VMs via Azure Bastion—a simple, quick web-based experience or an integrated and customizable experience using a native client.

Simplify your login experience with Azure AD-based authentication

Azure Bastion native client support also unlocks an additional authentication option for users. With the az network bastion rdp and az network bastion ssh commands, users can use their Azure Active Directory (Azure AD) account to access their VMs. Using Azure AD for authentication provides enhanced identity security in conjunction with Azure Bastion’s existing networking security by eliminating the need to manage local VM credentials. For SSH, the Azure AD authentication also simplifies the connect experience by using the credentials the user has already provided to log into Azure CLI and taking them directly to their VM session.

File upload and download to a VM using a native client

Azure Bastion now supports file transfer between your target VM and local computer using Azure Bastion and a native RDP or SSH client. To both upload and download files, users must use the Windows native client on a Windows machine and the az network bastion rdp command. With RDP, users can easily transfer files between their target VM and local Windows machine in just a few clicks. For customers using non-Windows native clients or SSH, the az network bastion tunnel command supports file upload from your local computer to target VM. Third-party clients may also support file download for these scenarios.

Take advantage of native client support for your VM sessions

To learn more about native client support on Azure Bastion, refer to the Connect to a VM using a native client and Azure Bastion documentation. You can also follow our step-by-step guide on transferring files in the Upload or download files using a native client connection documentation.
Source: Azure