Streamline Azure workloads with ExpressRoute BGP community support

In today’s globalized world, customers have started to maintain and expand their presence in the cloud across different geographic regions. With these increased deployments across Azure regions comes the increased complexity of customers’ hybrid networks. Establishing connectivity is no longer as simple as exchanging IP addresses between one pair of Azure regions and on-premises locations. Connectivity now requires additional configuration and reconfiguration of IP prefixes and route filters over time as the number of regions and on-premises locations grows. The introduction of Border Gateway Protocol (BGP) community support for Azure ExpressRoute, now in preview, lifts this burden for customers who connect privately to Azure. The support of this feature will also help simplify and unlock new network designs.

A brief overview of ExpressRoute

ExpressRoute lets customers extend their on-premises networks into the Microsoft Cloud over a private connection. With ExpressRoute, customers can connect to services in the Microsoft Cloud, including Microsoft Azure and Microsoft 365, without going over the public internet. An ExpressRoute connection provides more reliability, lower latency, and higher security than a public internet connection.

Globalized hybrid networks with ExpressRoute

A common scenario for customers to use ExpressRoute is to access workloads deployed in their Azure virtual networks. ExpressRoute facilitates the exchange of Azure and on-premises private IP address ranges using a BGP session over a private connection, enabling a seamless extension of customers’ existing networks into the cloud.

When a customer begins using multiple ExpressRoute connections to multiple Azure regions, their traffic can take more than one path. The hybrid network architecture diagram below demonstrates the emergence of suboptimal routing when establishing a mesh network with multiple regions and ExpressRoute circuits:

To ensure that traffic to Region A takes the optimal path over ExpressRoute Circuit 1, the customer could configure a route filter on-premises so that Region A routes are learned at the customer edge only from ExpressRoute circuit 1, and not at all from ExpressRoute circuit 2. This approach requires the customer to maintain a comprehensive list of IP prefixes for each region and to update that list regularly whenever new virtual networks are added or private IP address space is expanded in the cloud. As the customer continues to grow their presence in the cloud, this burden can become excessive.

Simplifying routing with BGP communities

With the introduction of BGP community support for ExpressRoute, customers can easily grow their multiregional hybrid networks without the tedious work of maintaining IP prefix lists. A BGP community is a group of IP prefixes that share a common property called a BGP community tag or value. In Azure, customers can now:

Set a custom BGP community value on each of their virtual networks.
Access a predefined regional BGP community value for all their virtual networks deployed in a region.

Once these values are configured on customers’ virtual networks, ExpressRoute preserves them on the corresponding private IP prefixes advertised to customers’ on-premises networks. When these prefixes are learned on-premises, they arrive together with the configured BGP community values. For example, a customer can set the custom value of 12076:10000 on a virtual network in East US and then start receiving the virtual network prefixes along with the values of 12076:1000 and 12076:50004 (the regional value) on-premises. Customers can then configure their route filters based on these community values instead of specifying IP prefixes.

With the ability to make routing decisions on-premises based on BGP communities, customers no longer need to maintain IP prefix lists or update their route filters each time they expand their address space in an existing region. Instead, they can filter based on regional BGP community values and update their configurations when deploying workloads in a new region.

Understanding complex networks

Customers may expand their Azure workloads across regions over time, as described earlier, but may also continue to build more complex networks within each region. They may progress from simpler single-virtual network deployments to pursuing hub-and-spoke or mesh topologies containing hundreds of resources. If connectivity or performance issues arise for traffic sent from these resources to on-premises, the complexity of the cloud network can make troubleshooting more difficult. With custom BGP community values configured on each virtual network within a region, a customer can quickly find the specific virtual network that traffic is originating from in Azure and narrow down their investigation accordingly.
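As an added illustration of the two ideas above (community-based filtering instead of prefix lists, and using the custom community to identify the originating virtual network), the following Python models an on-premises edge applying per-circuit import policy; it is not code from the Azure post. The regional value 12076:50004 and the custom value 12076:10000 come from the post; the second regional value is a labelled placeholder, and the circuit names, virtual network names and local-preference numbers are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional

# Regional community values the edge recognises. 12076:50004 (East US) is the
# value quoted in the post; 12076:50099 is a PLACEHOLDER for the second region
# in the diagram, not a real Azure regional value.
REGIONAL_COMMUNITIES: Dict[str, str] = {
    "12076:50004": "region-a",
    "12076:50099": "region-b",  # placeholder
}

# Assumed topology: each circuit terminates in one region and is the preferred
# path for that region's prefixes.
CIRCUIT_HOME_REGION: Dict[str, str] = {
    "circuit-1": "region-a",
    "circuit-2": "region-b",
}

# Custom community values set on each virtual network (assumed names; the
# 12076:10000 value is the one used in the post).
CUSTOM_COMMUNITIES: Dict[str, str] = {
    "12076:10000": "vnet-hub-eastus",
    "12076:10001": "vnet-hub-regionb",
    "12076:10002": "vnet-spoke-eastus",
}

DEFAULT_LOCAL_PREF = 100    # assumed default for untagged prefixes
PREFERRED_LOCAL_PREF = 200  # assumed value for a region's home circuit


@dataclass(frozen=True)
class Route:
    prefix: str
    circuit: str                 # ExpressRoute circuit the route was learned on
    communities: FrozenSet[str]  # BGP community values carried with the prefix


@dataclass(frozen=True)
class Decision:
    route: Route
    accepted: bool
    local_pref: int
    reason: str


def evaluate(route: Route) -> Decision:
    """Import policy for one route: decide by community, never by prefix."""
    home = CIRCUIT_HOME_REGION[route.circuit]
    regions = {REGIONAL_COMMUNITIES[c] for c in route.communities
               if c in REGIONAL_COMMUNITIES}
    if home in regions:
        return Decision(route, True, PREFERRED_LOCAL_PREF,
                        f"{home} prefix learned on its home circuit")
    if regions:
        # Prefix belongs to another region: reject it on this circuit so it is
        # only ever learned via that region's own circuit.
        other = ",".join(sorted(regions))
        return Decision(route, False, 0, f"{other} prefix rejected on {route.circuit}")
    return Decision(route, True, DEFAULT_LOCAL_PREF,
                    "untagged prefix accepted with default preference")


def best_paths(routes: Iterable[Route]) -> Dict[str, str]:
    """Return prefix -> circuit after policy and local-preference comparison."""
    best: Dict[str, Decision] = {}
    for route in routes:
        decision = evaluate(route)
        if not decision.accepted:
            continue
        current = best.get(route.prefix)
        if current is None or decision.local_pref > current.local_pref:
            best[route.prefix] = decision
    return {prefix: d.route.circuit for prefix, d in best.items()}


def originating_vnet(route: Route) -> Optional[str]:
    """Troubleshooting aid: map the custom community back to a virtual network."""
    for community in route.communities:
        if community in CUSTOM_COMMUNITIES:
            return CUSTOM_COMMUNITIES[community]
    return None


def sample_routes() -> List[Route]:
    """Constructed advertisements: every prefix is seen on both circuits."""
    region_a_hub = frozenset({"12076:50004", "12076:10000"})
    region_b_hub = frozenset({"12076:50099", "12076:10001"})
    # A virtual network added later in region A: no prefix list needs updating,
    # because the regional community is all the policy looks at.
    region_a_spoke = frozenset({"12076:50004", "12076:10002"})
    return [
        Route("10.1.0.0/16", "circuit-1", region_a_hub),
        Route("10.1.0.0/16", "circuit-2", region_a_hub),
        Route("10.2.0.0/16", "circuit-2", region_b_hub),
        Route("10.2.0.0/16", "circuit-1", region_b_hub),
        Route("10.1.64.0/18", "circuit-1", region_a_spoke),
        Route("10.1.64.0/18", "circuit-2", region_a_spoke),
    ]


if __name__ == "__main__":
    for prefix, circuit in best_paths(sample_routes()).items():
        print(f"{prefix:<14} via {circuit}")
    for route in sample_routes():
        print(route.prefix, route.circuit, evaluate(route).reason,
              "vnet:", originating_vnet(route))
```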

Take advantage of custom BGP communities with your Azure workloads

With the power to simplify cross-regional hybrid network designs and speed up troubleshooting, custom BGP communities are a great way for customers to enhance current ExpressRoute setups and prepare for future growth.

Learn more about how to configure custom BGP communities for your own hybrid networks.
Source: Azure

Intelligent application protection from edge to cloud with Azure Web Application Firewall

Threat intelligence at scale!

Changes to how we work and operate our businesses have driven every company to now be a digital company. This acceleration in digital transformation has also led to a rise in security risks. Cyberattacks are becoming more common and advanced with growing attack surfaces due to the proliferation of mobile and IoT devices and increasing cloud adoption. Basic protection measures are no longer sufficient as new attack vectors have emerged and attacks have become more sophisticated with automated and large-scale attacks. To help our customers address these security challenges, we have been evolving Azure Web Application Firewall (Azure WAF), our cloud-native, self-managed security service to protect your applications and APIs running in Azure or anywhere else—from the network edge to the cloud.

A quick primer on Azure WAF

We offer two options—global and regional—for deploying Azure WAF for your applications and APIs.

Global WAF: Azure WAF attaches to Azure Front Door, our native, modern cloud content delivery network (CDN), to provide global application acceleration and intelligent security at scale. Azure WAF stops attacks at the network edge, closer to the source of the attack, with hundreds of edge locations around the world.
Regional WAF: Azure WAF attaches to Azure Application Gateway, a highly scalable, web application regional load balancer running in a virtual network. It manages traffic for both internal and external websites and provides application protection in over 60 Azure regions worldwide.

What’s changed?

We are excited to share recent updates and announce many new features that will offer customers better security, improved scale, easier deployment, and better management of their applications.

Application and API protection

Improved security posture with new rulesets: On March 29, we announced the general availability of Managed Default Rule Set 2.0 (DRS 2.0) integrated with Azure Front Door Premium tier. DRS 2.0 includes the latest Microsoft proprietary rules authored by Microsoft Threat Intelligence. Today, on regional WAF attached to Azure Application Gateway, we are excited to announce the general availability of Open Web Application Security Project (OWASP) ModSecurity Core Rule Set 3.2 (CRS 3.2). These updated rulesets provide increased coverage for web vulnerabilities, reduce false positives, and protect against specific vulnerabilities, like Log4J and SpringShell CVEs.
Anomaly scoring with reduced false positives: Like regional WAF, global WAF now also offers anomaly scoring with DRS 2.0, which drastically reduces false positives for customer applications. In anomaly scoring mode, when an incoming request violates a WAF rule, it is assigned an anomaly score based on the severity of the rule, and an action is taken only when the request’s anomaly score reaches a threshold.
Increased size limits: With CRS 3.2, regional WAF can now support request body size inspection up to 2MB and file upload size up to 4GB.
API security: With DRS 2.0, global WAF now also supports XML and JSON content types that allow request inspection to secure inbound traffic. Azure WAF on Azure Front Door and Azure Application Gateway seamlessly integrates with Azure API Management to provide advanced API management and security features.
Advanced customization with per rule exclusions: As in global WAF, today we are also introducing per rule exclusions with CRS 3.2 on regional WAF with Application Gateway. Exclusions allow you to override WAF engine behavior by specifying certain request attributes to omit from rule evaluation. In addition, exclusions can now be defined by the name or value of headers, cookies, and arguments. Exclusions can be applied to a rule, a set of rules, a rule group, or globally for the entire ruleset, providing increased flexibility to help reduce false positives and meet application-specific requirements. This feature is currently available via Azure Resource Manager, PowerShell, CLI, and SDK. Azure portal integration will be available soon.
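To make the anomaly-scoring and per-rule-exclusion behaviour described above concrete, here is an added Python model (not Azure WAF code) of a scoring evaluator: each matching rule adds its severity score, an action is taken only at the threshold, and an exclusion can omit a named argument from one rule without disabling that rule. The severity scores and threshold follow the OWASP CRS convention as an assumption, and the rule ids, patterns and requests are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumed severity scores and threshold following the OWASP CRS convention.
SEVERITY_SCORE = {"critical": 5, "error": 4, "warning": 3, "notice": 2}
ANOMALY_THRESHOLD = 5

@dataclass(frozen=True)
class Rule:
    rule_id: str
    severity: str
    pattern: re.Pattern  # searched in each inspected request attribute

@dataclass(frozen=True)
class Exclusion:
    """Skip an attribute for some rules (or the whole ruleset when rule_ids is None)."""
    selector: str              # "header", "cookie" or "arg"
    match_on: str              # "name" or "value"
    operator: str              # "equals", "startswith" or "contains"
    value: str
    rule_ids: Optional[Set[str]] = None

@dataclass
class Request:
    headers: Dict[str, str]
    cookies: Dict[str, str]
    args: Dict[str, str]

    def attributes(self) -> List[Tuple[str, str, str]]:
        return ([("header", n, v) for n, v in self.headers.items()]
                + [("cookie", n, v) for n, v in self.cookies.items()]
                + [("arg", n, v) for n, v in self.args.items()])

def _excluded(excl: Exclusion, rule: Rule, selector: str, name: str, value: str) -> bool:
    if excl.selector != selector:
        return False
    if excl.rule_ids is not None and rule.rule_id not in excl.rule_ids:
        return False
    target = name if excl.match_on == "name" else value
    if excl.operator == "equals":
        return target == excl.value
    if excl.operator == "startswith":
        return target.startswith(excl.value)
    if excl.operator == "contains":
        return excl.value in target
    raise ValueError(f"unknown operator {excl.operator}")

def evaluate(request: Request, rules: List[Rule],
             exclusions: List[Exclusion]) -> Tuple[int, List[str]]:
    """Sum the severity scores of rules that match a non-excluded attribute."""
    score, matched = 0, []
    for rule in rules:
        for selector, name, value in request.attributes():
            if any(_excluded(e, rule, selector, name, value) for e in exclusions):
                continue
            if rule.pattern.search(value):
                score += SEVERITY_SCORE[rule.severity]
                matched.append(rule.rule_id)
                break  # a rule contributes at most once per request
    return score, matched

def decide(score: int) -> str:
    return "block" if score >= ANOMALY_THRESHOLD else "allow"

def sample_rules() -> List[Rule]:
    # Constructed rules for illustration; not Azure WAF or CRS rule ids.
    return [
        Rule("SQLI-1", "critical", re.compile(r"(?i)union\s+select")),
        Rule("PROTO-1", "warning", re.compile(r"\.\./")),
        Rule("PROTO-2", "warning", re.compile(r"%00|\x00")),
    ]

def scenario_results() -> Dict[str, Tuple[int, str]]:
    """Constructed requests showing threshold, accumulation and exclusion."""
    rules = sample_rules()
    results: Dict[str, Tuple[int, str]] = {}
    sqli = Request({}, {}, {"q": "1 union select 2"})
    score, _ = evaluate(sqli, rules, [])
    results["critical_alone"] = (score, decide(score))       # 5 -> block
    one_warning = Request({}, {}, {"path": "../readme"})
    score, _ = evaluate(one_warning, rules, [])
    results["warning_alone"] = (score, decide(score))        # 3 -> allow (logged only)
    two_warnings = Request({"X-File": "../x"}, {}, {"n": "a%00b"})
    score, _ = evaluate(two_warnings, rules, [])
    results["warnings_accumulate"] = (score, decide(score))  # 6 -> block
    # Per-rule exclusion: argument "q" is omitted from SQLI-1 only, so the
    # false positive on a search form disappears without disabling the rule.
    excl = [Exclusion("arg", "name", "equals", "q", {"SQLI-1"})]
    score, _ = evaluate(sqli, rules, excl)
    results["critical_excluded"] = (score, decide(score))    # 0 -> allow
    return results
```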

Bot protection

Bots have become an essential part of our customers’ digital footprint, helping to automate and perform key functions. However, attackers are increasingly taking advantage of this by manipulating bots to carry out malicious tasks. We’re continuously improving our platform capabilities to better protect against bot attacks—bot protection with the Bot Manager 1.0 ruleset is available through integration with the Azure Front Door Premium tier. Our bot detection and protection rules are based on Microsoft Threat Intelligence and support bot classification for good, bad, and unknown bots. Bad bots include bots from malicious IP addresses or bots that have falsified identities. The malicious IPs are provided by Microsoft’s Threat Intelligence feed, which is based on feeds from external providers and internal threat intel. For good bots, WAF uses reverse DNS lookups to validate that the user-agent and IP address range match what the agent claims to be. Bot signatures are dynamically managed and automatically updated by WAF when new threat actors are detected.

Performance and scale with the next generation of WAF engine

We are excited to announce the general availability of our next-generation WAF engine on Azure Application Gateway. The new WAF engine, released with CRS 3.2, is a high-performance, scalable Microsoft proprietary engine and has significant improvements over the previous WAF engine.

Benefits of the new Azure WAF engine include:

Improved performance: In our test lab, the new engine delivered a significant reduction in WAF latencies compared with the previous version of the engine. We also observed a significant reduction in P99 tail latencies, of up to ~8 times for POST requests and ~4 times for GET requests.
Increased scale: Our next-gen engine can scale up to 8 times more RPS using the same compute power and has the ability to process 16 times larger request sizes (now up to 2MB request size), which was not possible earlier with the previous engine.
Better protection: The redesigned engine, with more efficient regex processing, offers better protection against RegEx DoS attacks.
Richer feature set: The new engine is available with the CRS 3.2 version. New features and future enhancements will only be available through the new engine and the later versions of CRS. Customers are strongly encouraged to move to CRS 3.2 version. We are in the process of phasing out CRS 2.2.9 and will stop onboarding new customers on the older CRS 2.2.9 version. Existing customers on CRS 2.2.9 will continue to be supported.

To learn more about the new engine, see WAF engine documentation.

Management and monitoring

Native consistent experience with WAF policy: Application Gateway WAF v2 now natively uses regional WAF policy instead of WAF config by default, removing the need for the legacy WAF config experience on Azure Application Gateway. All the latest features and future enhancements will be available via WAF policies. Application Gateway WAF configuration continues to be supported for existing deployments of v1 and v2 SKUs, but customers are strongly encouraged to migrate to Application Gateway v2 with WAF policies, which offer a richer feature set and improved experiences at no additional cost. WAF policies can be shared across multiple application gateway deployments, simplifying the management experience. With WAF policy, customers can easily automate deployment and provisioning of applications using DevOps and API-friendly tools—Azure Resource Manager, REST API, PowerShell, CLI, and Terraform.
Advanced analytics capabilities: You can now access new Azure Monitor metrics on regional WAF for more effective monitoring, troubleshooting, and debugging. Azure Monitor logs and metrics for WAF can be streamed to a central log platform for advanced log analytics and are further consumed by Microsoft Sentinel and Microsoft Defender for Cloud for security monitoring and alerting. Microsoft Sentinel integration allows security analysts to analyze and correlate data from other sources, detect threats, and automate incident response. For example, we recently released Sentinel hunting queries to detect and respond to zero-day critical vulnerabilities: Log4J Sentinel hunting queries and SpringShell Sentinel hunting queries.
Built-in security reports: Security reports on Azure Front Door provide powerful visualization of WAF patterns, trends by action, and events by rule types and rule groups. Security analysts can view a breakdown of top events by dimensions such as IP, country, URL, hostname, and user-agent for threat analysis.

Improved manageability: Azure WAF integration with Azure Firewall Manager is coming soon. With this integration, customers will be able to manage WAF policies at scale for applications hosted on Azure Front Door and Azure Application Gateway platforms.

Get started and share your feedback

You can try Azure WAF with Azure Application Gateway and Azure Front Door today. Visit Azure WAF documentation to learn more. As we continue to enhance the Azure WAF offering, we would love to hear your feedback. Post your ideas and suggestions on the networking community page or email us at azurewaf@microsoft.com.

Stay safe!
Source: Azure

Customize your secure VM session experience with native client support on Azure Bastion

This blog post has been co-authored by Isabelle Morris, Program Manager, Azure Networking

As organizations move their mission-critical workloads to the cloud, connecting to virtual machines (VMs) directly over the public internet is becoming more of a security risk. The more public IP addresses a customer has attached to VMs in their virtual network, the larger their attack surface becomes and the more vulnerable they are to security threats. The more secure alternative is to deploy a managed jumpbox service that reduces the number of public entry points to a customer’s resources in the cloud. The ideal managed jumpbox service should prioritize both security and flexibility to choose how you connect to your resources. Azure Bastion, Azure’s managed jumpbox service, now provides customers with the ability to customize their connection experience to use a native client of their choice.

Azure Bastion overview

Azure Bastion is a fully managed jumpbox-as-a-service that provides secure and seamless Remote Desktop Protocol (RDP) and Secure Shell Protocol (SSH) access to your VMs in local or peered virtual networks. Azure Bastion provides connectivity directly from the Azure portal using Transport Layer Security (TLS). With Azure Bastion, your VMs do not need a public IP address, protecting your virtual machines from exposing RDP and SSH ports to threats on the public internet, while still providing secure access using RDP and SSH. With native client support available on the Standard SKU for Azure Bastion, you now unlock customizable features and added functionality in your VM sessions.

More flexibility to choose how you connect to your VMs

The primary way to connect to your VMs using Azure Bastion is through a quick and simple experience in the Azure portal. Users and administrators can navigate to their Azure VM in the portal and then open a web-based VM session using Azure Bastion. This experience eliminates the need to download any clients or agents, or to configure files, before accessing the VM.

Some customers value integration with existing and familiar processes. With the support for native clients on Azure Bastion, these customers can use command-line based access and a native client of their choice to reach their target VMs. This allows them to use Azure Bastion with a more accessible or familiar user interface, and to integrate connectivity to VMs via the service into their existing scripts.

Native client support offers three Azure CLI commands: az network bastion rdp, az network bastion ssh, and az network bastion tunnel. The az network bastion rdp and az network bastion ssh commands connect directly to the target VM and use the clients mstsc and az ssh respectively. Meanwhile, the az network bastion tunnel command allows more flexibility by establishing a tunnel to the target VM on a specific port, and then allowing the user to connect to the VM using a custom client and the specified port.

Customers now can choose how they connect to their VMs via Azure Bastion—a simple, quick web-based experience or an integrated and customizable experience using a native client.

Simplify your login experience with Azure AD-based authentication

Azure Bastion native client support also unlocks an additional authentication option for users. With the az network bastion rdp and az network bastion ssh commands, users can use their Azure Active Directory (Azure AD) account to access their VMs. Using Azure AD for authentication provides enhanced identity security in conjunction with Azure Bastion’s existing networking security by eliminating the need to manage local VM credentials. For SSH, the Azure AD authentication also simplifies the connect experience by using the credentials the user has already provided to log into Azure CLI and taking them directly to their VM session.

File upload and download to a VM using a native client

Azure Bastion now supports file transfer between your target VM and local computer using Azure Bastion and a native RDP or SSH client. To both upload and download files, users must use the Windows native client on a Windows machine and the az network bastion rdp command. With RDP, users can easily transfer files between their target VM and local Windows machine in just a few clicks. For customers using non-Windows native clients or SSH, the az network bastion tunnel command supports file upload from your local computer to the target VM. Third-party clients may also support file download for these scenarios.

Take advantage of native client support for your VM sessions

To learn more about native client support on Azure Bastion, refer to the Connect to a VM using a native client and Azure Bastion documentation. You can also follow our step-by-step guide on transferring files in the Upload or download files using a native client connection documentation.
Source: Azure

Announcing new investments to help accelerate your move to Azure

As businesses adapt to new ways of operating, IT leaders are presented with increasing challenges to achieving sustainable growth. Ensuring your business continues to run without interruptions while adapting and transforming can be paramount. If your company is looking for options to migrate your server estate to the cloud, we have news for you.

Outstanding offers

Extended Security Updates and Azure Migration and Modernization Program support for larger migration projects.

Microsoft has great offers for Windows Server and SQL Server customers looking to move to the cloud. Azure offers free Extended Security Updates for SQL Server 2012 and Windows Server 2012/2012 R2, giving you more time to modernize supported applications for three additional years beyond the 10 years granted by Microsoft Support. Microsoft also allows customers to save significantly when running their workloads in Azure Virtual Machines with Azure Hybrid Benefit, which combined with reserved instances can enable up to 85 percent savings when compared to other cloud services.

To help support your migration and modernization to the cloud, mitigating potential unforeseen risks and costs, Microsoft is expanding the Azure Migration and Modernization Program (AMMP). In the past years, AMMP has helped thousands of customers like Jotun unlock the value of the cloud, bringing together the right mix of resources and best practices at every stage of their journey. We’re now investing significantly more to support your largest Windows/SQL Server migration and modernization projects—up to 2.5 times larger based on project eligibility. This investment will help with your migration in two ways: partner assistance with planning and moving your workloads, and Azure credits that offset transition costs during your move to Azure SQL Managed Instance and Azure SQL Database.

Unparalleled innovation

Unlock your SQL Server and Windows Server’s greatest potential in Azure, with unique capabilities and more options for true hybrid cloud flexibility. With Microsoft you can choose the option that aligns best to your business needs, migrating and modernizing servers with solutions like Windows Server and SQL Server running in virtual machines (VMs), Azure SQL managed databases, and hybrid management through Azure Arc.

When you have your VMs in Azure, management becomes simplified with dedicated solutions such as Azure Automanage and Windows Admin Center in the Azure portal. Azure SQL allows you to spend more time innovating and less time patching, updating, and backing up your databases, as Azure is the only cloud with evergreen SQL that automatically applies the latest updates and patches so that your databases are always up to date, eliminating end-of-support hassles. Azure SQL also features built-in AI that automatically tunes databases ensuring peak performance for every database, delivering leading price-performance.

Unmatched security

Security is foundational for Azure. If your company is running SQL Server 2012 and Windows Server 2012/2012 R2, this is the time to consider assessing those environments as they reach the end of support on July 12, 2022 and October 10, 2023 respectively. Not having support means the end of security updates, which may leave your business exposed to security risks and compliance concerns. Azure offers three years of extended security updates. You can learn more here.

Multilayered security is provided across physical datacenters, infrastructure, and operations, with cyber security experts actively monitoring to protect your Windows Server and SQL Server, including in hybrid deployments with Azure Arc. Microsoft has more than 3,500 cybersecurity professionals and spends $1 billion annually on security to help protect, detect, and respond to threats, so you can grow a safe and secure business. The Azure platform is a leader in compliance coverage with 90-plus compliance offerings that allow you to proactively safeguard your data and streamline compliance. Our commitment to privacy is uncompromising. Our core privacy principle is that you own your data. We will never use it for marketing or advertising purposes, in turn providing you confidence around data storage and security.

Get started

Learn more about your end of support options for SQL Server 2012 and Windows Server 2012/R2.

Get started with the Azure Migration and Modernization Program (AMMP). Talk to your Microsoft representative to understand eligibility requirements and submit your Windows Server and SQL Server project today.
Source: Azure

Azure Cost Management and Billing updates – April 2022

Whether you're a new student, a thriving startup, or the largest enterprise, you have financial constraints, and you need to know what you're spending, where, and how to plan for the future. Nobody wants a surprise when it comes to the bill, and this is where Azure Cost Management and Billing comes in.

We're always looking for ways to learn more about your challenges and how Azure Cost Management and Billing can help you better understand where you're accruing costs in the cloud, identify and prevent bad spending patterns, and optimize costs to empower you to do more with less. Here are a few of the latest improvements and updates based on your feedback:

Summarized totals in the cost analysis preview
Download your Azure prices as a ZIP file
Unlock cloud savings on the fly with autoscale on Azure
What's new in Cost Management Labs
New ways to save money with Azure
New videos and learning opportunities
Documentation updates
Join the Azure Cost Management and Billing team

Let's dig into the details.

Summarized totals in the cost analysis preview

I’ve talked about how the cost analysis preview is the future of analytics and insights in Cost Management. While what we have today is a solid foundation that most prefer over classic cost analysis, there’s still a lot left before we can fully replace the classic experience. This month’s update is one small step in that direction with the addition of the Total, Average, and Budget key performance indicators (KPIs) at the top of cost analysis.

The Total KPI shows the summarized total across all rows. If you have charges in multiple currencies, cost is normalized to USD to show an overall total. Most views default to showing actual, billed charges. The Reservations view shows amortized costs to break down and allocate your reservation purchases to the resources that received the prepurchase benefit. As a reminder, if you’d like to switch to amortized cost from another view, you can select the Customize command at the top to switch. To learn more about amortization, see View amortized reservation costs.

The Average KPI shows the average daily cost for the period. If your period includes the current day, the average is calculated up to and including yesterday, but does not include partial cost from the current day since the data for that day is not complete. Keep in mind that every service submits usage on a different timeline, which will affect the average calculation. Learn more about data latency and refresh processing at Understand Cost Management data.

The Budget KPI shows the monthly budget you have configured with a quick link to edit the budget. If you don’t have a budget yet, you’ll see a link to create a new budget. Budgets created from the cost analysis preview are preconfigured with alerts when your cost exceeds 50 percent, 80 percent, and 95 percent of your cost or 100 percent of your forecast for the month. You can add additional recipients or update alerts from the Budgets page.

You may have seen these rolling out over the past few months, but they are now available to everyone. If you’re interested in what’s coming next, check out What’s new in Cost Management Labs below. Labs includes additional previews you might be interested in, like charts and grouping related resources. Check out the latest updates in cost analysis preview and let us know what you’d like to see next.


Download your Azure prices as a ZIP file

One important aspect of optimizing cost is comparing prices across different resource SKUs and regions. This can be cumbersome when using the portal or Azure pricing calculator but is a perfect scenario for automation with the Cost Management Price Sheets API. Now you can download your Azure prices as a ZIP file with multiple, smaller CSV files to make parsing the file easier. This helps avoid issues where the file can grow too big to be opened in tools like Microsoft Excel.

Learn more about the Price Sheets API and update your scripts today.

Unlock cloud savings on the fly with autoscale on Azure

Unused cloud resources can put an unnecessary drain on your computing budget, and unlike legacy on-premises architectures, there is no need to over-provision compute resources for times of heavy usage.

Autoscaling is one of the value levers that can help unlock cost savings for your Azure workloads by automatically scaling up and down the resources in use to better align capacity to demand. This practice can greatly reduce wasted spend for those dynamic workloads with inherently “peaky” demand.

To learn more, read Unlock cloud savings on the fly with autoscale on Azure.

What's new in Cost Management Labs

With Cost Management Labs, you get a sneak peek at what's coming in Azure Cost Management and can engage directly with us to share feedback and help us better understand how you use the service, so we can deliver more tuned and optimized experiences. Here are a few features you can see in Cost Management Labs:

New: Cost Management tutorials
Whether you’re just getting started or looking to learn more about specific features, tutorials are now a click away from the Cost Management overview in Cost Management Labs.
Update: Access preview views from classic cost analysis – Now available in the public portal
Get one-click access to the new preview views from classic cost analysis in the View menu. You can see this in classic cost analysis in Cost Management Labs.
Update: Average cost in the cost analysis preview – Now available in the public portal
See your average daily cost at the top of the cost analysis preview. You can opt in using Try Preview.
Update: Budgets in the cost analysis preview – Now available in the public portal
Quickly create and edit budgets directly from the cost analysis preview. If you don’t have a budget yet, you’ll see a suggested budget based on your forecast. You can opt in using Try Preview.
Update: Anomaly detection alerts – Now enabled by default in Labs
Subscribe to automatic email alerts when a new anomaly has been detected. Anomaly detection is only available for subscriptions in the cost analysis preview. You can opt into this preview using Try Preview and then configure anomaly alerts from the Alerts page.
Update: Grouping SQL databases and elastic pools – Now enabled by default in Labs
Get an at-a-glance view of your total SQL costs by grouping SQL databases and elastic pools under their parent server in the cost analysis preview. You can opt in using Try Preview.
Charts in the cost analysis preview
View your daily or monthly cost over time in the cost analysis preview. You can opt in using Try Preview.
View cost for your resources
The cost for your resources is one click away from the resource overview in the preview portal. Just click View cost to quickly jump to the cost of that particular resource.
Change scope from the menu
Change scope from the menu for quicker navigation. You can opt in using Try Preview.

Of course, that's not all. Every change in Azure Cost Management is available in Cost Management Labs a week before it's in the full Azure portal. We're eager to hear your thoughts and understand what you'd like to see next. What are you waiting for? Try Cost Management Labs today.

New ways to save money with Azure

Lots of cost optimization improvements over the last month! Here are some of the generally available offers you might be interested in:

On-demand capacity reservations for virtual machines.
Ebsv5 virtual machines increase remote storage performance.
Azure HBv3 virtual machines for HPC now upgraded.
Cosmos DB autoscale RU/s entry point is 4x lower.
Azure Database for PostgreSQL – Flexible Server now supports more high availability regions and US Gov Virginia and US Gov Arizona for Azure Government.
Azure Database for MySQL – Flexible Server in China East 2 and China North 2.
Azure Batch supports Spot Virtual Machines.
IBM WebSphere on Azure with evaluation licensing.
Azure Stream Analytics in 10 new regions.

And here are some of the new previews:

Capacity reservation support in AKS.
Azure Dedicated Host support in AKS.
Arm64-based virtual machines can deliver up to 50% better price-performance.
NC A100 v4 virtual machines accelerate AI applications.
Virtual machines with Ampere Altra Arm-based processors.
DCsv3 virtual machines available in Switzerland and West US.
Azure SignalR Service Premium tier.

New videos and learning opportunities

Here are a couple of new videos you might be interested in:

Reduce your costs with Azure Spot Virtual Machines (18 minutes).
Announcing Microsoft Azure FX Series Virtual Machine General Availability (2 minutes).

Follow the Azure Cost Management and Billing YouTube channel to stay in the loop with new videos as they’re released and let us know what you'd like to see next.

Want a more guided experience? Start with Control Azure spending and manage bills with Azure Cost Management and Billing.

Documentation updates

Here are a few documentation updates you might be interested in:

New: Prepay for Virtual machine software reservations.
New: View amortized reservation costs.
Identify anomalies and unexpected changes in cost now covers anomaly detection.
Analyze Azure costs with the Power BI App includes details about how cost may differ from the EA portal.
Save and share customized views includes a note about how many views you can save.

Want to keep an eye on all of the documentation updates? Check out the Cost Management and Billing documentation change history in the azure-docs repository on GitHub. If you see something missing, select Edit at the top of the document and submit a quick pull request.

Join the Azure Cost Management and Billing team

Are you excited about helping customers and partners better manage and optimize costs? We're looking for passionate, dedicated, and exceptional people to help build best-in-class cloud platforms and experiences to enable exactly that. If you have experience with big data infrastructure, reliable and scalable APIs, or rich and engaging user experiences, you'll find no better challenge than serving every Microsoft customer and partner in one of the most critical areas for driving cloud success.

Watch the video below to learn more about the Azure Cost Management and Billing team:

Join our team.

What's next?

These are just a few of the big updates from last month. Don't forget to check out the previous Azure Cost Management and Billing updates. We're always listening and making constant improvements based on your feedback, so please keep the feedback coming.

Follow @AzureCostMgmt on Twitter and subscribe to the YouTube channel for updates, tips, and tricks. You can also share ideas and vote up others in the Cost Management feedback forum or join the research panel to participate in a future study and help shape the future of Azure Cost Management and Billing.

We know these are trying times for everyone. Best wishes from the Azure Cost Management and Billing team. Stay safe and stay healthy.
Source: Azure

Enhance your classroom experience with Azure Lab Services—April 2022 update

Azure Lab Services offers classroom labs for higher education, K-12 institutions, and commercial organizations that would rather harness the power of the cloud to host labs for students or users than run on-premises hardware. We are excited to announce major updates to Azure Lab Services, including enhanced lab creation, improved backend reliability and access performance, extended virtual network support, easier lab administration via new roles, improved cost tracking via the Azure Cost Management service, availability of a PowerShell module and .NET API SDK for advanced automation and customization, and integration with the Canvas learning management system. Learn more about the new update and how to use it.

Along with significant reliability enhancements to the backend and improvements to lab creation and access performance, this major update brings a whole slew of additional features for the three key personas that use this service: IT departments and administrators, educators, and students.

IT and administrators

For the IT and administrators, we have now introduced the concept of a lab plan instead of a lab account to provide more control over the creation, configuration, and management of the labs. For ease of administration of the lab, new roles have been created to provide granular control for different people managing labs for a large organization.

Creating a large number of labs with many virtual machines requires additional vCPUs which you have to request from us. With this new update, there is an improved vCPU capacity management for your subscription and you don't share the vCPU capacity with others using the service. We have also now made it easier for you to track costs for your lab resources in Azure Cost Management. We have replaced virtual network peering with virtual network injection. With Virtual Network Injection you have more control over the network for lab virtual machines. In your own subscription, create a virtual network in the same region as the lab, delegate a subnet to Azure Lab Services, and you’re off and running.
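The virtual network injection steps just described (a virtual network in the lab's region, a subnet delegated to Azure Lab Services), written out as an added Bicep example. This is not code from the Azure Lab Services product or its documentation; the resource names, the address ranges, and the use of a lab plan's default network profile to pin lab VMs to the delegated subnet are assumptions chosen for illustration.

```bicep
// Added example (not from the Azure Lab Services product or docs).
// Deploys a virtual network in the lab's region, delegates one subnet to
// Azure Lab Services, and points a lab plan at that subnet so lab VMs land
// in a network the customer's own subscription controls (NSGs, routing,
// peering and logging stay with the customer rather than the service).
param location string = resourceGroup().location
param vnetName string = 'labs-vnet'        // assumed name
param subnetName string = 'labs-subnet'    // assumed name
param labPlanName string = 'labs-plan'     // assumed name

resource vnet 'Microsoft.Network/virtualNetworks@2022-07-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [ '10.40.0.0/16' ]  // assumed address range
    }
    subnets: [
      {
        name: subnetName
        properties: {
          addressPrefix: '10.40.1.0/24'   // assumed; size it for the VM count
          // The delegation is what allows the service to place lab VM NICs
          // here; a delegated subnet cannot be shared with other services.
          delegations: [
            {
              name: 'labservices'
              properties: {
                serviceName: 'Microsoft.LabServices/labplans'
              }
            }
          ]
        }
      }
    ]
  }
}

// The lab plan must live in the same region as the virtual network.
// Referencing the subnet through the vnet resource also gives Bicep the
// deployment ordering: the network is created before the plan.
resource labPlan 'Microsoft.LabServices/labPlans@2022-08-01' = {
  name: labPlanName
  location: location
  properties: {
    defaultNetworkProfile: {
      subnetId: vnet.properties.subnets[0].id
    }
  }
}

output delegatedSubnetId string = vnet.properties.subnets[0].id
```

Deploy it into the resource group that will hold the lab plan with `az deployment group create --resource-group <rg> --template-file labs-network.bicep`. Because the subnet is delegated rather than peered, any network security group or route table attached to it applies to every lab VM the plan creates.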

For advanced automation, deployment, configuration, and management, we have the PowerShell module and .NET API SDK. The Azure Lab Services PowerShell module will be integrated with the Azure PowerShell module and will release in early February. In alignment with global compliance and regulatory laws around data residency, we are also saving customer data in the regions where the labs are set up.

Educators

For all the educators and instructors using the service, we have added new functionality to improve their experience. Azure Lab Services can now be integrated with Canvas, a popular learning management system. Educators can use Canvas to create and configure labs for the students. Students can connect to the virtual machine from inside their course in Canvas. We have improved the auto-shutdown feature of the virtual machine. Auto-shutdown settings are now available for all operating systems. In addition, we have improved idle detection based on resource usage. For more flexibility, an instructor or IT administrator can choose to skip the virtual machine template creation process if they already have an image ready to use or want to quickly deploy virtual machines for their lab.

Students

Student experiences have also improved. Students can now redeploy their virtual machine without losing data if they are having issues accessing or using the virtual machine. If the lab is set up to use AAD group sync, there is no longer a need to send an invitation email so students can access their virtual machine—one is assigned to the student automatically.

Learn more

We are eager to have you use our new and improved service to realize your educational, learning, and training scenarios no matter what industry you work in. Contact us directly or get started today to use the enhanced experience!
Source: Azure

How Microsoft measures datacenter water and energy use to improve Azure Cloud sustainability

One of the biggest topics of discussion at COP26, the global climate conference held in November 2021, was how a lack of reliable and consistent measurement hampers progress on the path to Net Zero. I have been reflecting on this issue and, on this Earth Day, I would like to provide an update on how we are measuring energy and water use at our datacenters to improve sustainability across the Azure Cloud.

Today, we’re sharing an important update on how Microsoft, and our datacenters, are helping to solve our part of this measurement challenge.

While the environmental goals are similar, each industry has unique challenges in measuring its carbon emissions to build its sustainability strategy. It’s one of the key reasons we, together with ClimateWorks Foundation and 20 other leading organizations, launched the Carbon Call. It’s also why we developed Microsoft Cloud for Sustainability, an Azure-based platform that allows organizations to combine disparate data sources into one place and help provide insights into how to improve their sustainability approaches.

You’ve told us just how important measuring energy and water consumption from our datacenters is in taking sustainability into account for commercial decisions. Below you will see, for the first time, our datacenter PUE (Power Usage Effectiveness) and WUE (Water Usage Effectiveness) metrics. To track these, we set design goals—our theoretical estimates of the most efficiently we can operate our datacenters—and ensure we have measurements of our actual efficiencies. These targets can vary between datacenter generations and usage; for instance, newer datacenter generations as well as datacenters operating at peak utilization are more efficient. We track these statistics at a global level and by our operating geographies—Americas, Asia Pacific, and EMEA (Europe, Middle East, Africa).

Understanding Power Usage Effectiveness (PUE)

PUE is an industry metric that measures how efficiently a datacenter consumes and uses the energy that powers the datacenter, including the operation of systems like powering, cooling, and operating the servers, data networks and lights. The closer the PUE number is to “1,” the more efficient the use of energy.

While local environment and infrastructure can affect how PUE is calculated, there are also slight variations across providers. Here’s the simplest way to think about PUE.

We design and build our datacenters toward the optimum PUE figure. We can also predict, with a high degree of accuracy, that optimum PUE figure. As we constantly innovate, we factor these changes into our datacenter designs to get as close to “1” as feasible. Our newest generation of datacenters has a design PUE of 1.12 and, with each new generation, we strive to become even more efficient. In the chart below, the blue bars show our estimated, or designed, PUE figures, while the grey bars indicate our actual PUE figures. As you can see, in Asia Pacific our actual PUE is higher; that’s due in part to higher ambient temperatures in the region, which necessitate additional cooling.

In almost every region, our actual operating PUE is more efficient than our designs.

Understanding Water Usage Effectiveness (WUE)

Water Usage Effectiveness (WUE) is another key metric relating to the efficient and sustainable operations of our datacenters and is a crucial aspect as we work towards our commitment to be water positive by 2030.

WUE is calculated by dividing the number of liters of water used for humidification and cooling by the total annual amount of power (measured in kWh) needed to operate our datacenter IT equipment.

As with PUE, there are variables that can impact WUE—many of which relate to the location of the datacenter. Humid locations often have more atmospheric water, while arid locations have very little. Datacenters in colder parts of the world, like Sweden and Finland, operate in naturally cooler environments and so require less water for cooling. Our datacenter designs minimize water use. The chart below shows (in blue) our estimated or designed WUE figure, and in grey, our actual WUE figure. Again, Asia Pacific is higher due to higher ambient temperatures and, as a result, the need in some places for water-cooled chillers.

We continue to integrate our standards in water reduction technologies such as those in our Phoenix, Arizona datacenter where we use direct outside air most of the year to cool servers. We otherwise cool through direct evaporation that requires a fraction of the water compared to other, conventional water-based cooling systems such as water-cooled chillers.

Furthermore, by powering our datacenter with power from the Sun Streams 2 Solar Project owned by local partner, Longroad Energy, we’re displacing the water needed in the traditional electricity generation process and expect to save 356 million liters of water annually.

Scope 3 and supply chain

As we shared in March with our annual sustainability report, we made good progress on a number of our goals. Across the company’s operations, we saw an overall reduction in our Scope 1 and Scope 2 emissions of about 17 percent year over year, through our purchasing of renewable energy. At the same time, we also saw a rise in our Scope 3 emissions, which increased about 23 percent year over year.

We know that Scope 3 emissions (representing the total emissions across a company’s entire value chain) are the most difficult to control and reduce, because we can often only influence change. We know this is a long-term effort and this year we have increased our focus on operational discipline that is rooted in reliable data. We’ve also been working with partners across the industry, including Infrastructure Masons on carbon transparency within the datacenter supply chain, and will have exciting news to share at the Datacloud Global Congress on April 25 to 27.

Learn more

We know just how crucial data transparency and consistency are in helping our customers make the correct choices for their business, and hope that today’s announcement on our PUE and WUE data will be an important step forward in informing decisions about their sustainability strategies.

To learn more about our datacenter operations and commitments in action today, you can visit:

Microsoft sustainability
Azure sustainability
Microsoft Azure's global infrastructure
Take a virtual tour of Microsoft’s datacenters

Source: Azure

Microsoft announces new collaboration with Red Button for attack simulation testing

As we highlighted in our latest attack trends report, Distributed Denial-of-Service (DDoS) attacks are one of the biggest security concerns today. Whether in the cloud or on-premises, DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet. Planning and preparing for a DDoS attack is crucial to a well-vetted incident management response plan.

Today, Microsoft is excited to announce a new collaboration with Red Button, offering our customers an additional DDoS attack simulation testing provider to choose from. With Red Button’s DDoS Testing service suite, you will be able to work with a dedicated team of experts to simulate real-world DDoS attack scenarios in a controlled environment. Simulation testing allows you to assess your current state of readiness and identify gaps in your incident response procedures, and guides you in developing a proper DDoS response strategy.

Red Button DDoS Testing

Red Button’s DDoS Testing service suite includes three stages:

1. Planning session

Red Button experts meet with your team to understand your network architecture, assemble technical details, and define clear goals and testing schedules. This includes planning the DDoS test scope and targets, attack vectors, and attack rates. The joint planning effort is detailed in a test plan document.

2. Controlled DDoS attack

Based on the defined goals, the Red Button team launches a combination of multi-vector DDoS attacks. The test typically lasts between three and six hours. Attacks are securely executed using dedicated servers and are controlled and monitored using Red Button’s management console.

3. Summary and recommendations

The Red Button team provides you with a written DDoS Test Report outlining the effectiveness of DDoS mitigation. The report includes an executive summary of the test results, a complete log of the simulation, a list of vulnerabilities within your infrastructure, and recommendations on how to correct them.

Here is an example of a DDoS Test Report from Red Button:

In addition, Red Button offers two other service suites that can complement the DDoS Testing service suite:

DDoS 360 is an “all included” annual service that includes the DDoS Testing, DDoS Hardening, DDoS team skills development, and DDoS Incident Response services. The program consists of multiple year-round activities carried out by Red Button’s top DDoS experts, which includes extensive pre-attack activities to strengthen your technological infrastructure and improve the skills of your teams as well as a dedicated incident response expert team in the event of an attack.
DDoS Incident Response (IR) is a 30-day incident response service that consists of three phases: when under a DDoS attack or DDoS threat (for example, DDoS ransom threat), Red Button DDoS experts are immediately assigned and work closely with your security and IT teams to analyze the attack and apply the appropriate mitigations. Once the attack has been fully mitigated, Red Button audits your network architecture and DDoS protection system configuration, including running a DDoS test and provides detailed recommendations for hardening and optimization to prevent future attacks. Lastly, Red Button conducts DDoS training for your teams to increase your skills and readiness, and helps you build a DDoS Playbook that provides detailed procedures and activities to prepare for any future attack.

Azure DDoS simulation testing policy

Red Button’s simulation environment is built within Azure. You can only simulate attacks against Azure-hosted public IP addresses that belong to an Azure subscription of your own, which will be validated by Azure Active Directory (Azure AD) before testing. Additionally, these target public IP addresses must be protected under Azure DDoS Protection.

You may only simulate attacks using our approved testing partners:

Red Button.
BreakingPoint Cloud.

Learn more

Red Button: DDoS Services—Protection Consulting and Testing.
Azure DDoS Protection simulation testing partners: Azure DDoS Protection simulation testing documentation.
Microsoft penetration testing guidelines: Penetration testing documentation.
Azure DDoS Protection Standard product page.
Azure DDoS Protection Standard documentation.
DDoS Protection best practices.

Source: Azure

Azure Purview is now Microsoft Purview

In September of 2021, we announced the highly anticipated general availability of Azure Purview—a cloud-native data governance solution to enable organizations of all sizes to manage and govern their on-premises, multicloud, and software as a service (SaaS) data. Since Azure Purview was brought onto the market, thousands of organizations including London Heathrow Airport, Grundfos, and illimity have collectively discovered tens of billions of data assets as well as served up millions of searches every month to empower knowledge workers to find valuable enterprise data quickly and easily. 

Organizations that use Azure Purview have a more holistic understanding of their hybrid data estate, which is always kept up to date with automated data discovery and sensitive data classification. In addition to empowering knowledge workers, this understanding, along with insights from sensitivity, business context, and relationships between data assets is also being used by teams working under the Chief Data Officers (CDO), the Chief Information and Security Officers (CIO and CISO) and the Chief Risk and Compliance Officers (CRO and CCO) to govern, protect, and manage data more effectively.

Traditional data management solutions rely on multiple unconnected, duplicative business processes, and a patchwork of software products augmented with custom code and point-wise integrations. Dozens of products are sometimes used together to address fragments of the data governance and compliance landscape, forcing Chief Data, Security, Compliance, and Legal Officers to stitch together solutions that don’t work together, expose infrastructure gaps, and are costly and complex to manage. A survey of US-based decision-makers showed that to meet their compliance and data-protection needs, almost 80 percent had purchased multiple products, and a majority had purchased three or more.¹ The result is increased operations costs, ineffective data governance, poor security outcomes, failed compliance audits, and damage to brand reputation. Additionally, as the threat landscape continues to evolve, the types of risks organizations face inevitably expand and extend well beyond the traditional cybersecurity risks. This means that risk roles within the organization are blurring, requiring a collaborative and cohesive approach across data, compliance, and risk officers, as each drives an integral part of an effective data strategy. We believe the new way to optimize your data strategy is to deliver a unified view of data in the organization across hybrid, multicloud environments by bringing together the business users of data with the protectors of data.

In the past, we have shared how Azure Purview and Microsoft 365 Compliance are used together to ensure consistent, automated application of sensitivity labels to data assets across the data estate to simplify how organizations understand their sensitive data.

Today, we are excited to introduce Microsoft Purview—a comprehensive set of solutions from Microsoft to help you govern, protect, and manage your entire data estate. By bringing together the former Azure Purview and the former Microsoft 365 Compliance portfolio under one brand and over time, a more unified platform, Microsoft Purview can help you understand and govern the data across your estate, safeguard that data wherever it lives, and improve your risk and compliance posture in a much simpler way than traditional solutions on the market today.

Microsoft Purview

Helps you gain visibility into assets across your entire data estate.
Leverages that visibility to manage end-to-end data risks and regulatory compliance.
Governs, protects, and manages data in a new, more comprehensive, and simpler way. 

Customers of the Azure Purview portal can now use the Microsoft Purview governance portal. For customers of Microsoft 365 E5 or Microsoft E5 Compliance, check out the Microsoft Purview compliance portal to see what’s new!

Get started with Microsoft Purview today

Watch a video introducing the new Microsoft Purview.
Get started quickly and easily with a new Microsoft Purview account to try the Microsoft Purview Data Map and Microsoft Purview Data Catalog.

¹ February 2022 survey of 200 US compliance decision-makers (n=100 with 599–999 employees, n=100 with 1,000 or more employees) commissioned by Microsoft with MDC Research.
Source: Azure

Enhance your data visualizations with Azure Managed Grafana—now in preview

This blog has been co-authored by Ye Gu, Principal Program Manager.

Organizations are transforming their digital environments to increase agility and to operate more efficiently. We see this transformation in how customers migrate to the cloud and adopt cloud-native technologies and practices in their own environments. As their digital estates become increasingly more complex and critical to their business operations, it becomes even more important to effectively manage and monitor their applications and infrastructure.

Grafana is a popular open-source analytics visualization tool that allows users to bring together logs, traces, metrics, and other disparate data from across an organization, regardless of where they are stored. Last year, we announced our strategic partnership with Grafana Labs to develop a Microsoft Azure managed service that lets customers run Grafana natively within the Azure cloud platform. Today, we are announcing that Azure Managed Grafana is available in preview. With Azure Managed Grafana, the Grafana dashboards our customers are familiar with are now integrated seamlessly with the services and security of Azure.

Seamless connection across Azure data sources and beyond

The Grafana application lets users easily visualize all their telemetry data in a single user interface. With Grafana's extensible architecture, users can visualize and correlate multiple data sources across on-premises, Azure, and multi-cloud environments. Azure Managed Grafana particularly optimizes this experience for Azure-native data stores such as Azure Monitor and Azure Data Explorer, making it easy for customers to connect to any resource in their subscription and view all resulting telemetry in a familiar Grafana dashboard.

Customers can preserve existing charts in the Azure portal that are used for monitoring. Through service-to-service integration, our customers can bring any chart in the Azure portal over to their Azure Managed Grafana instance with a one-click “pin to” operation, automating the entire migration process.

Azure Managed Grafana also provides a rich set of built-in dashboards for various Azure Monitor features to help customers easily build new visualizations. For example, some features with built-in dashboards include Azure Monitor application insights, Azure Monitor container insights, Azure Monitor virtual machines insights, and Azure Monitor alerts.

Secured access and sharing of Grafana dashboards with Azure Active Directory

In Azure Managed Grafana, customers can customize user permissions with specific roles and assignments stored in Azure Active Directory. These definitions are mapped transparently to Grafana’s internal roles, which enforce the actual access control. This integration enables both simplicity and consistency by allowing customers to manage users in their teams and authorize their use of a Grafana instance centrally through Azure Active Directory.

On the backend, Azure Managed Grafana can be configured to access Azure Monitor through a managed identity that was set up as part of the Grafana instance creation. Using this option, customers do not need to deal with another credential separately—though that is still possible if preferred.
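The credential-free backend access described above (a Managed Grafana instance whose own managed identity reads Azure Monitor), as an added Bicep example. This is not code from the Azure Managed Grafana product or its documentation; the instance name, the resource-group scope, and the choice of the built-in Monitoring Reader role as the least-privilege grant are assumptions made for illustration.

```bicep
// Added example (not from the Azure Managed Grafana product or docs).
// Creates a Managed Grafana instance with a system-assigned managed identity
// and grants that identity read-only access to Azure Monitor data in this
// resource group, so no data-source secret is stored in Grafana or in config.
param location string = resourceGroup().location
param grafanaName string = 'ops-grafana'   // assumed name

// Built-in "Monitoring Reader" role definition ID (a fixed Azure-wide GUID).
var monitoringReaderRoleId = '43d0d8ad-25c7-4714-9337-8ba259a9fe05'

resource grafana 'Microsoft.Dashboard/grafana@2022-08-01' = {
  name: grafanaName
  location: location
  sku: {
    name: 'Standard'
  }
  identity: {
    // The platform manages this identity's credential; nothing to rotate.
    type: 'SystemAssigned'
  }
  properties: {
    // Grafana API keys stay disabled unless a specific automation needs them.
    apiKey: 'Disabled'
    publicNetworkAccess: 'Enabled'
    zoneRedundancy: 'Disabled'
  }
}

// Least privilege: the identity only needs to read metrics and logs, and only
// within the scope it should visualize (here, the deployment's resource group).
resource monitorRead 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(resourceGroup().id, grafana.id, monitoringReaderRoleId)
  scope: resourceGroup()
  properties: {
    principalId: grafana.identity.principalId
    principalType: 'ServicePrincipal'
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', monitoringReaderRoleId)
  }
}

output grafanaPrincipalId string = grafana.identity.principalId
```

Widen the role assignment's `scope` (for example to the subscription) only if the dashboards genuinely need telemetry from resources outside this group. Dashboard users are then authorized separately, through Azure RBAC assignments on the Grafana resource, which the service maps onto Grafana's internal roles as the post describes; the managed identity is used only for the backend data-source connection and never for interactive sign-in.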

Get started with Azure Managed Grafana

Try it free for the first 30 days from the Azure portal today.

Go to the Azure Managed Grafana product page.
Read the technical documentation.
Share feedback on Microsoft Q&A.
Join the Azure Observability Tech Community for detailed blogs and discussions.
Read the Grafana integrations with Azure Monitor blog.

Source: Azure