Azure Cost Management and Billing updates – January 2022

Whether you're a new student, a thriving startup, or the largest enterprise, you have financial constraints, and you need to know what you're spending, where you're spending it, and how to plan for the future. Nobody wants a surprise when it comes to the bill, and this is where Azure Cost Management and Billing comes in.

We're always looking for ways to learn more about your challenges and how Azure Cost Management and Billing can help you better understand where you're accruing costs in the cloud, identify and prevent bad spending patterns, and optimize costs to empower you to do more with less. Here are a few of the latest improvements and updates based on your feedback:

Cost Management is now available in the Microsoft 365 Admin Center.
Multitasking in the cost analysis preview.
Help shape the future of cost reporting.
What's new in Cost Management Labs.
New ways to save money with Azure.
New videos and learning opportunities.
Documentation updates.
Join the Azure Cost Management and Billing team.

Let's dig into the details.

 

Cost Management available in the Microsoft 365 Admin Center

In October, we added support for Microsoft 365, Dynamics 365, and other seat-based offers in Cost Management. While we started with a small set of offers available via the Cloud Solution Provider program, you can expect to see new offers and support for the broader Microsoft Customer Agreement audience added over time. The next phase began its rollout in January with new offers, as well as the addition of Cost Management to the Microsoft 365 Admin Center.

If you have any of the new seat-based offers, you’ll find a new Billing > Cost Management menu item in the Microsoft 365 Admin Center. This will give you a lightweight cost analysis experience with the ability to create budgets. This is only the beginning and there’s a lot more coming, but we’re excited to be able to give you a peek at things to come.

For those paying close attention, you may notice the similarities here with the cost analysis preview in the Azure portal. Expect to see full alignment across portals with an even broader scope of capabilities coming throughout the year. Please let us know what you’d like to see next.

 

Multitasking in the cost analysis preview

Starting a new year is always exciting. Starting a new year with an exciting usability update is even better! We’ve been testing a new tabbed experience in the cost analysis preview for a couple months. You may have seen it already. You start with a list of the built-in views and can open multiple tabs to explore different aspects of your costs simultaneously.

Here are the views available in the cost analysis preview:

Subscriptions is available for billing accounts and management groups to break costs down by subscription and resource group.
Resource groups gives you a breakdown of each resource group within your subscription, management group, or billing account, with nested resources.
Resources shows a list of all resources you have (or used to have, in the case of deleted resources). Some of you may be familiar with the Cost by resource view in classic cost analysis. Resources improves on that basic design with improved performance and a better grouping of related costs (such as Azure and Marketplace costs are grouped together in preview).
Services shows a list of the services and products you use. This view is similar to the Invoice details view in classic cost analysis. The main difference is that rows are grouped by service, making it simpler to see your total cost at a service level and also break it down by the individual products you're using within each service. This view is only available in preview but will be released to everyone soon.
Reservations provides a breakdown of your amortized reservation costs, allowing you to see which resources are consuming each reservation. This is something that isn't possible without a lot of adding and removing filters in classic cost analysis.

From the new tab, select the view you need, and you're back to the traditional preview experience you're used to. If you have a question and need to drill into some other data, simply open a new tab and go! It's that simple.

That's about it! If you're new to the cost analysis preview, here are some of the other things you'll see:

Simpler and more flexible custom date range selection with support for relative periods.
Customize the download to exclude nested details (such as resources without meters in the Resources view).
Smart insights to help you better understand your data, like subscription cost anomalies.
Quick access to help set up Power BI for your EA or MCA billing account or billing profile.
Additional troubleshooting details are available to help streamline your support experience.

There's still a lot in the backlog. Stay tuned for summarized totals, charts, filtering, and improved drill down. Let us know what you'd like to see next.

 

Help shape the future of cost reporting

Do you use Azure Cost Management and Billing to manage your cloud spending? Are you familiar with Azure cost analysis? We're exploring new and updated designs for the cost analysis tool and will be running a usability study to gather feedback on these changes to understand how they can better meet your needs and expectations.

If you or someone you know has experience with cost analysis, we would love to get your feedback. If you are interested in participating, please contact our research team.

 

What's new in Cost Management Labs

With Cost Management Labs, you get a sneak peek at what's coming in Azure Cost Management and can engage directly with us to share feedback and help us better understand how you use the service, so we can deliver more tuned and optimized experiences.

Here are a few features you can see in Cost Management Labs:

Update: Multitasking in the cost analysis preview—now available in the Azure portal

Introducing a new tabbed experience in the cost analysis preview. Start with a list of the built-in views and open multiple tabs to explore different aspects of your costs simultaneously. Let us know what you think. We're looking for explicit feedback here.

Subscription cost anomalies

Identify subscription cost anomalies with insights in the cost analysis preview. You can enable the cost anomaly preview using Try preview. If you don't see anomaly details in insights after enabling the preview, check back after 24 hours. Note that anomaly detection is only available when viewing cost for a subscription scope.

View cost for your resources

The cost for your resources is one click away from the resource overview in the preview portal. Just click View cost to quickly jump to the cost of that particular resource.

Change scope from the menu

Change scope from the menu for quicker navigation. You can opt-in using Try preview.

Of course, that's not all. Every change in Azure Cost Management is available in Cost Management Labs a week before it's in the full Azure portal. We're eager to hear your thoughts and understand what you'd like to see next. What are you waiting for? Try Cost Management Labs today.

 

New ways to save money with Azure

There have been lots of cost optimization improvements over the past couple of months! Here are seven new and updated offers you might be interested in:

Reduced price: DCsv2 and DCsv3 virtual machine pricing reduced by up to 33 percent, effective January 1, 2022.
General availability: Azure Database for PostgreSQL Flexible Server.
General availability: Microsoft Azure is available from the new cloud region in Sweden.
Preview: Stop your Azure Spring Cloud applications to reduce charges.
Preview: Windows Server guest licensing offer for Azure Stack HCI—free while in preview.
Preview: DCasv5 and ECasv5 confidential, hardware-encrypted virtual machines.
Preview: DCv3 virtual machines are now available in Europe West and Europe North.

 

New videos and learning opportunities

Here are a few videos you might be interested in:

Improve the price-performance of your apps with the latest Azure virtual machines (25 minutes).
10 things you can implement to save costs in your Azure environment (14 minutes).
Managing EA enrollments in the Azure portal (3 minutes).
Managing EA departments in the Azure portal (3 minutes).
Managing EA enrollment accounts in the Azure portal (3 minutes).
Managing EA enrollment account subscriptions in the Azure portal (2 minutes).

Follow the Azure Cost Management and Billing YouTube channel to stay in the loop with new videos as they’re released and let us know what you'd like to see next.

Want a more guided experience? Start with Control Azure spending and manage bills with Azure Cost Management and Billing.

 

Documentation updates

Here are a few documentation updates you might be interested in:

Get started with reporting.
Save and share customized views.
Simplified the cost analysis quickstart tutorial.
Added videos to the Azure portal administration for direct enterprise agreements.

Want to keep an eye on all of the documentation updates? Check out the Cost Management and Billing documentation change history in the azure-docs repository on GitHub. If you see something missing, select Edit at the top of the document and submit a quick pull request.

 

Join the Azure Cost Management and Billing team

Are you excited about helping customers and partners better manage and optimize costs? We're looking for passionate, dedicated, and exceptional people to help build best in class cloud platforms and experiences to enable exactly that. If you have experience with big data infrastructure, reliable and scalable APIs, or rich and engaging user experiences, you'll find no better challenge than serving every Microsoft customer and partner in one of the most critical areas for driving cloud success.

Join our team.

What's next?

These are just a few of the big updates from last month. Don't forget to check out the previous Azure Cost Management and Billing updates. We're always listening and making constant improvements based on your feedback, so please keep the feedback coming.

Follow @AzureCostMgmt on Twitter and subscribe to the YouTube channel for updates, tips, and tricks. You can also share ideas and vote up others in the Cost Management feedback forum or join the research panel to participate in a future study and help shape the future of Azure Cost Management and Billing.

We know these are trying times for everyone. Best wishes from the Azure Cost Management and Billing team. Stay safe and stay healthy.
Quelle: Azure

The intersection of edge computing, telecommunications networks, and the cloud

It’s been 12-plus years since we embarked on the paradigm-shifting edge computing story, which brings the cloud closer to the source of data generation and consumption. Nowadays, the cloud provides resource-rich compute and storage capabilities, remote management, and new applications and services as latency continues to be reduced. Edge computing has gone mainstream, as evidenced by numerous conferences and workshops; thousands of research papers, mainstream media articles, Ph.D. theses; and many products, including those from Microsoft.

Years ago, an article we wrote stated that the killer application for edge computing was video analytics. The article, as published by IEEE, envisioned cameras and video located everywhere, increased ability to understand these video streams, and improved ability to react appropriately, stemming from real-time video analysis at the edge. Microsoft continues to believe that edge video analytics will be the dominant service for edge computing, just as we noted many years ago. Since then, we have evolved to an edge fabric, enabling ubiquitous computing. Here, the computing fabric is all around us in many different settings—working for us, improving efficiency, protecting us from problems, and entertaining us.

In this article, we focus on what’s next, including the topic of edge computing for telecommunications, which has been evolving into the next wave of innovation, and one we must embrace. Microsoft believes the telecom edge is the catalyst creating a new world where the telecom and cloud industries join forces to eliminate duplication while creating a new era of latency-sensitive applications and services.

Enabling private 5G Networks with Azure private multi-access edge compute (MEC)

A private 5G network is a local-area mobile network; technically, it is the same as a public wide-area 5G network. This next-generation network enables advanced use cases not supported by current mainstream Wi-Fi technologies. For example, private 5G networks can unify connectivity and support a variety of enterprise-specific secure IoT services and applications.

In June 2021, Microsoft unveiled a new product category for the telecom industry when we announced our Azure private multi-access edge compute (Azure PMEC) managed solution. Azure private MEC is a solution for modernizing enterprise networks, comprised of Azure Stack Edge, Azure Network Function Manager, first and third-party network functions, and manageability via Azure Arc. With it, carriers and ecosystem partners can easily and rapidly deploy and manage network functions like 5G mobile cores, radio access networking (RAN) solutions, and Software-Defined Wide Area Network (SD-WAN) products directly from Azure Marketplace. Our open platform solution empowers operators and system integrators (SIs) to unlock the private 5G opportunity by delivering managed, curated solutions to enterprises with the flexibility of first and third-party offerings, including their choice of RAN and latency-sensitive applications.

Many of us in the IT and telecom industries accept edge computing as a game-changing architectural innovation, reducing the time needed to process the packet after it is generated at the source. All edge computing products that exist today provide this, but Azure private MEC enables even more. With the emergence of novel software-only 5G implementations, edge computing is evolving to become an exciting part of the packet creation infrastructure.

Conflation of Virtual Radio Access Networks and edge computing

The figure below illustrates the shift away from specialized, monolithic network infrastructure to programmable, virtualized Radio Access Network (vRAN) elements. Virtualized RAN offers a cost-efficient solution for running the 5G RAN as a virtualized network function (VNF) on commodity hardware. To implement vRAN, telcos need a low-latency connection between their signal acquisition and computing hardware, necessitating edge computing to make vRAN possible.

It is possible to implement vRAN over a hierarchy of edge installations. In 3GPP RAN parlance, the distributed units (DU) that implement the near-real-time functionality of the RAN, which include physical layer processing (often referred to as L1) and medium access control (often referred to as L2/L3), are implemented at the “Far Edge.” The rest of the RAN stack, along with the network core, is implemented at the “Near Edge.” We have been working on providing this edge infrastructure to operators as part of Microsoft’s core offering.

Figure 1: RAN architectural evolution and innovations in 5G networks.

Despite this evolution in 5G networks, there is still more to do. When implementing RAN functionality at the Far and Near Edges, one has to decide how many server cores are needed to support a given number of cell sites. This type of problem is easy to solve. Microsoft computer scientists are able to determine the number of cores needed to serve the client device, and have further invented and developed algorithms and techniques to allow scaling, energy management, fault tolerance, and feature deployment in running systems. Note that server cores can be provisioned to both assist with packet generation and running applications and services.

In ACM SIGCOMM 2021, we published a paper entitled, Concordia: Teaching the 5G vRAN to Share Compute. As noted in this publication, one reason why vRAN is more efficient than traditional RANs is because it multiplexes several base station workloads on the same computer hardware. Although this multiplexing provides efficiency gains, more than 50 percent of the CPU cycles in typical vRAN settings still remain unused.

Here, co-locating the vRAN functionality with general-purpose workloads not only improves CPU utilization, but it also allows us to service low-latency applications on the same hardware. This is important since vRAN tasks have sub-millisecond latency requirements that have to be met 99.999 percent of the time—difficult to accomplish with existing systems.

Microsoft has also built a user space deadline scheduling framework for the vRAN. Our system includes prediction models using quantile decision trees to outline worst-case execution times of vRAN signal processing tasks. Running every 20 microseconds, the ultra-fast scheduler delivers accurate prediction models, enabling the system to reserve a minimum number of cores required for vRAN tasks while leaving the rest for general-purpose workloads. Evaluated on a commercial-grade reference vRAN platform, our design meets the 99.999 percent reliability requirements and reclaims more than 70 percent of idle CPU cycles without affecting RAN performance.

Looking ahead

Edge computing was created jointly by Microsoft and our academic colleagues. Edge computing products have evolved, as we fine-tune solutions to new sets of problems we are solving. Beyond implementing 5G infrastructure on commodity hardware, our software takes advantage of the latest discoveries we’ve made in applying machine learning techniques to improve the performance of our edge nodes. We continue to work closely with our academic colleagues, and serve on the advisory board of two National Science Foundation (NSF)-funded Edge AI research centers (The Institute for Future Edge Networks and Distributed Intelligence and The Institute for Edge Computing Leveraging Next Generation Networks). Both research institutes focus on developing AI technologies as part of edge computing that leverages next-generation communications networks to provide previously impossible services.

The future is bright because we are on the right track with Azure private MEC. The architecture we are developing and the products we are delivering will make edge computing indispensable, as every packet in the mobile network will be processed by an edge node, leading to a large ubiquitous processing fabric, the likes of which we have never enjoyed before.

Learn more

To learn more about our Azure for Operators strategy, refer to the Azure for Operators e-book.
Quelle: Azure

Improve your security defenses for ransomware attacks with Azure Firewall

To ensure customers running on Azure are protected against ransomware attacks, Microsoft has invested heavily in Azure security and has provided customers with the security controls needed to protect their Azure cloud workloads.

A comprehensive overview of best practices and recommendations can be found in the "Azure Defenses for Ransomware Attack" e-book.

Here, we would like to zoom into network security and understand how Azure Firewall can assist you with protecting against ransomware.

Ransomware is basically a type of malicious software designed to block access to your computer system until a sum of money is paid. The attacker usually exploits an existing vulnerability in your system to penetrate your network and execute the malicious software on the target host.

Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and then malware is downloaded and installed without the user’s knowledge.

Here Azure Firewall Premium comes into help. With its intrusion detection and prevention system (IDPS) capability, every packet will be inspected thoroughly, including all its headers and payload to identify malicious activity and to prevent it from penetrating your network. IDPS allows you to monitor your network for malicious activity, log information about this activity, report it, and optionally attempt to block it.

The IDPS signatures are applicable for both application and network-level traffic (Layers 4-7), they are fully managed and contain more than 65,000 signatures in over 50 different categories to keep them up to date with the dynamic ever-changing attack landscape:

Azure Firewall is getting early access to vulnerability information from Microsoft Active Protections Program (MAPP) and Microsoft Security Response Center (MSRC).
Azure Firewall is releasing 30 to 50 new signatures each day.

Nowadays, modern encryption, such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS), is used globally to secure internet traffic. Attackers are using encryption to carry their malicious software into the victim network. Therefore, customers must inspect their encrypted traffic just like any other traffic.

Azure Firewall Premium IDPS allows you to detect attacks in all ports and protocols for non-encrypted traffic. However, when HTTPS traffic needs to be inspected, Azure Firewall can use its TLS inspection capability to decrypt the traffic and accurately detect malicious activities.

After the ransomware is installed on the target machine, it may try to encrypt the machine’s data, therefore it requires using an encryption key and may use the Command and Control (C&C) to get the encryption key from the C&C server hosted by the attacker. CryptoLocker, WannaCry, TeslaCrypt, Cerber, and Locky are some of the ransomware using C&C to fetch the required encryption keys.

Azure Firewall Premium has hundreds of signatures that are designed to detect C&C connectivity and block it to prevent the attacker from encrypting customers’ data.

Figure 1: Firewall protection against ransomware attack using command and control channel

Taking a comprehensive approach to fend off ransomware attacks

Taking a holistic approach to fend off ransomware attacks is recommended. Azure Firewall operates in a default deny mode and will block access unless explicitly allowed by the administrator. Enabling Threat Intelligence (TI) feature in alert/deny mode will block access to known malicious IPs and domains. Microsoft Threat Intel feed is updated continuously based on new and emerging threats.

Firewall policy can be used for the centralized configuration of firewalls. This helps with responding to threats rapidly. Customers can enable Threat Intel and IDPS across multiple firewalls with just a few clicks. Web categories let administrators allow or deny user access to web categories such as gambling websites, social media websites, and others. URL filtering provides scoped access to external sites and can cut down risk even further. In other words, Azure Firewall has everything necessary for companies to defend comprehensively against malware and ransomware.

Detection is equally important as prevention. Azure Firewall solution for Microsoft Sentinel gets you both detection and prevention in the form of an easy-to-deploy solution. Combining prevention and detection allows you to ensure that you both prevent sophisticated threats when you can, while also maintaining an “assume breach mentality” to detect and quickly respond to cyberattacks.

Learn more about Azure Firewall Premium and ransomware protection

Learn more about Azure Firewall Premium features from Microsoft documentation.
Download our e-book, "Azure Defenses for Ransomware Attack."
Read more about how to optimize security with Azure Firewall solution for Microsoft Sentinel.

Quelle: Azure

New performance and logging capabilities in Azure Firewall

Organizations are speeding up workload migration to Azure to take advantage of the growing set of innovative cloud services, scale, and economic benefits of the public cloud. Applications migration to the cloud consequently increases the network traffic throughput demand. This puts pressure on network elements and more specifically on Azure Firewall which is in the critical path of most network traffic. Currently, Azure Firewall supports 30 Gbps which is sufficient to meet current throughput demands for many of our customers. However, we are seeing some organizations require even more throughput and towards this, we are announcing new Azure Firewall capabilities as well as updates for January 2022:

Azure Firewall network rule name logging.
Azure Firewall premium performance boost.
Performance whitepaper.

Azure Firewall network rule name logging

We have heard your feedback and are happy to announce the rule name availability in the Network logs. Like application rules, network rule name is now available in the logs.

Previously, the event of a network rule hit would show the source, destination IP/port, and the action, allow or deny. With the new functionality, the event logs for network rules will also contain the policy name, Rule Collection Group, Rule Collection, and the rule name hit.

After enabling the feature, the following information will be provided for a network rule hit event in the logs:

Figure 1: Network rule event in the logs after enabling the “network rule name logging” feature.

Note: For Classic Firewalls (those not managed by an Azure Firewall policy), only the rule name will be visible.

To enable the network rule name logging feature, follow the instructions.

Azure Firewall Premium performance boost

As more applications are moved to the cloud, the performance of network elements might become a bottleneck. The firewall as the central piece of any network design needs to be able to support all those workloads. Hence, we are happy to announce that the Azure Firewall Premium performance boost functionality is going to preview to allow more scalability for those deployments.

This feature increases the maximum throughput of the Azure Firewall Premium by more than 300 percent (to 100Gbps). See the performance whitepaper section below for more details.

To enable the Azure Firewall Premium performance boost feature, follow the instructions.

*Make sure to also check out the comprehensive testing done by Andrew Myers for a detailed analysis and as a reference to build your own test environment.

Azure Firewall Performance whitepaper

Reliable firewall performance is essential to operate and protect your virtual networks in Azure. Not only should Azure Firewall handle the current traffic on a network, but it should also be ready for potential traffic growth. To provide customers with a better visibility into the expected performance of Azure Firewall, we are releasing the Azure Firewall Performance documentation.

As we are always working to improve the Azure Firewall service, the metrics highlighted in the document will be updated to reflect the latest performance results you could expect from the Azure Firewall. So, make sure to bookmark the page to stay up to date with the latest information.

Learn more about Azure Firewall

For more information on everything we covered above, see the following documentation:

Azure Firewall documentation
Azure Firewall performance documentation
Azure Firewall preview features
Azure Firewall logs and metrics
Azure Firewall FAQ

Quelle: Azure

Enabling Zero Trust with Azure network security services

This blog has been co-authored by Eliran Azulai, Principal Program Manager.

With the accelerated pace of digital transformation since the COVID-19 pandemic breakthrough, organizations continuously look to migrate their workloads to the cloud and to ensure their workloads are secure. Moreover, organizations need a new security model that more effectively adapts to the complexity of the modern environment, embraces the hybrid workplace, and protects applications and data regardless of where they are.

Microsoft’s Zero Trust Framework protects assets anywhere by adhering to three principles:

Verify explicitly: Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.
Use least privileged access: Limit user access with just-in-time and just-enough-access (JIT and JEA), risk-based adaptive policies, and data protection to help secure both data and productivity.
Assume breach: Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses.

In this blog, we will describe some Azure network security services that help organizations to address Zero Trust, focusing on the third principle—assume breach.

Network firewalling

Network firewalls are typically deployed at the edge networks, filtering traffic between trusted and untrusted zones. The Zero Trust approach extends this model and recommends filtering traffic between internal networks, hosts, and applications.

The Zero Trust approach assumes breach and accepts the reality that bad actors are everywhere. Rather than building a wall between trusted and untrusted zones, it recommends we verify all access attempts, limit user access to JIT and JEA, and harden the resources themselves. However, this doesn’t preclude us from maintaining security zones. In fact, network firewalling provides a type of checks and balances for network communications, by segmenting the network into smaller zones and controlling what traffic is allowed to flow between them. This security-in-depth practice forces us to consider whether a particular connection should cross a sensitive boundary.

Where should firewalling take place in Zero Trust networks? Since your network is vulnerable by nature, one should implement firewalling at the host level and outside of it. In Azure, we provide filtering and firewalling services that are deployed at different network locations: at the host and between virtual networks or subnets. Let’s discuss how Azure's firewalling services support Zero Trust.

Azure network security group (NSG)

You can use Azure network security group to filter network traffic to and from Azure resources in an Azure virtual network. NSG is implemented at the host level, outside of the virtual machines (VMs). In terms of user configuration, NSG can be associated with a subnet or VM NIC. Associating an NSG with a subnet is a form of perimeter filtering that we’ll discuss later. The more relevant application of NSG in the context of Zero Trust networks is associated with a specific VM (such as by means of assigning an NSG to a VM NIC). It supports filtering policy per VM, making the VM a participant in its own security. It serves the goal of ensuring that every VM filters its own network traffic, rather than delegating all firewalling to a centralized firewall.

While host firewalling can be implemented at the guest OS level, Azure NSG safeguards against a VM that becomes compromised. An attacker who gains access to the VM and elevates its privilege could remove the on-host firewall. NSG is implemented outside of the VM, isolating host-level filtering, which provides strong guarantees against attacks on the firewalling system.

Inbound and outbound filtering

NSG provides for both inbound filtering (regulate traffic entering a VM) and outbound filtering (regulate traffic leaving a VM). Outbound filtering, especially between resources in the vnet has an important role in Zero Trust networks to further harden the workloads. For example, a misconfiguration in inbound NSG rules can result in a loss of this important inbound filtering layer of defense that is very difficult to discover. Pervasive NSG outbound filtering protects subnets even when such critical misconfiguration takes place.

Simplify NSG configuration with Azure application security groups

Azure application security groups (ASGs) simplify the configuration and management of NSGs, by configuring network security as an extension of an application’s structure. ASGs allow you to group VMs and define network security policies based on these groups. Using ASGs you can reuse network security at scale without manual maintenance of explicit IP addresses. In the simplified example below, we apply an NSG1 on a subnet level and associate two VMs with a WebASG (web application tier ASG), and another VM with a LogicASG (business logic application tier ASG).

We can apply security rules to ASGs instead of each of the VMs individually. For example, the below rule allows HTTP traffic from the Internet (TCP port 80) to VM1 and VM2 in the web application tier, by specifying WebASG as the destination, instead of creating a separate rule for each VM.

Priority

Source

Source ports

Destination

Destination ports

Protocol

Access

100

Internet

*

WebASG

80

TCP

Allow

Azure Firewall

While host-level filtering is ideal in creating micro perimeters, firewalling at the virtual network or subnet level adds another important layer of protection. It protects as much infrastructure as possible against unauthorized traffic and potential attacks from the internet. It also serves to protect east-west traffic to minimize blast radius in case of attacks.

Azure Firewall is a native network security service for firewalling. Implemented alongside NSG, these two services provide important checks and balances in Zero Trust networks. Azure Firewall implements global rules and coarse-grained host policy while NSG sets fine-grained policy. This separation of perimeter versus host filtering can simplify the administration of the firewalling policy.

Zero Trust model best practice is to always encrypt data in transit to achieve end-to-end encryption. However, from an operational perspective, customers would often wish to have visibility into their data as well as to apply additional security services on the unencrypted data.

Azure Firewall Premium with its transport layer security (TLS) inspection can perform full decryption and encryption of the traffic, giving the ability to utilize intrusion detection and prevention systems (IDPS), as well as providing customers with visibility into the data itself.

DDoS Protection

Zero Trust strives to authenticate and authorize just about everything on the network, but it does not provide good mitigation against DDoS attacks, particularly against volumetric attacks. Any system that can receive packets is vulnerable to DDoS attacks, even those employing a Zero Trust architecture. Consequently, it’s imperative that any Zero Trust implementation is fully protected against DDoS attacks.

Azure DDoS Protection Standard provides DDoS mitigation features to defend against DDoS attacks. It is automatically tuned to help protect any internet-facing resource in a virtual network. Protection is simple to enable on any new or existing virtual network and requires no application or resources changes.

Optimize SecOps with Azure Firewall Manager

Azure Firewall Manager is a security management service that provides central security policy and route management for cloud-based security perimeters.

In addition to Azure Firewall policy management, Azure Firewall Manager now allows you to associate your virtual networks with a DDoS protection plan. Under a single-tenant, DDoS protection plans can be applied to virtual networks across multiple subscriptions. You can use the Virtual Networks dashboard to list all virtual networks that don’t have a DDoS Protection Plan and assign new or available protection plans to them.

Moreover, Azure Firewall Manager allows you to use your familiar, best-of-breed, third-party security as a service (SECaaS) offerings to protect Internet access for your users.

By seamlessly integrating with Azure core security services, such as Microsoft Defender for Cloud, Microsoft Sentinel, and Azure Log Analytics, you can further optimize your SecOps with a one-stop-shop providing you best-of-breed networking security services, posture management, and workload protection—as well as SIEM and data analytics.

What’s next

Zero Trust is imperative for organizations working to protect everything as it is. It’s an ongoing journey for security professionals but getting started begins with some first steps and continuous iterative improvements. In this blog, we described several Azure security services and how they enable the Zero Trust journey for all organizations.

To learn more about these services, see the following resources:

Zero Trust Framework.
Azure network security groups.
Azure application security groups.
Azure Firewall.
Azure Firewall Manager.
Azure DDoS Protection Standard.

Quelle: Azure

7 reasons to attend Azure Open Source Day

To show you the latest capabilities of using Linux and Azure—and share some exciting announcements—we will be hosting Azure Open Source Day on Tuesday, February 15, 2022, from 9:00 AM to 10:30 AM Pacific Time.

Push your apps and data to the next level by using Azure, open source, and Linux together. Join this free digital event to learn how to natively run your open-source workloads on Azure, expand their capabilities, and innovate in new ways using Azure services.

At this event, you’ll learn how Microsoft is committed to open source and works with the open source community to develop new technologies. Hear about the latest trends and capabilities of using Linux and Azure together—direct from Microsoft insiders. Whether you’re new to Azure or are already using it, you’ll discover how to turbocharge your apps and data with open source and hybrid cloud technologies.

Here are seven reasons to attend the event

Get the inside scoop on CBL-Mariner, the Linux distribution built by Microsoft to host Azure open source services.
Find out how to better automate and manage Linux investments on Azure using Azure Hybrid Benefit and Project Bicep.
Discover tools for every developer, including Visual Studio Code, GitHub Codespaces, and Azure managed database and AI services.
Learn about application modernization best practices using containers and Azure Kubernetes Service (AKS).
Hear from Microsoft insiders and Linux industry leaders like Red Hat and SUSE.
Ask the experts your questions during the live chat Q and A.
Plus, be among the first to hear Microsoft CEO, Satya Nadella, share a special announcement on the 30th anniversary for Linux.

We look forward to seeing you there!

Register today for the Azure Open Source Day

Azure Open Source Day
Tuesday, February 15, 2022,
9:00 AM to 10:30 AM Pacific Time.

Delivered in partnership with AMD.
Quelle: Azure

Azure DDoS Protection—2021 Q3 and Q4 DDoS attack trends

This blog post was co-authored by Anupam Vij, Principal PM Manager, and Syed Pasha, Principal Network Engineer, Azure Networking

In the second half of 2021, the world experienced an unprecedented level of Distributed Denial-of-Service (DDoS) activity in both complexity and frequency. The gaming industry was perhaps the hardest hit, with DDoS attacks disrupting gameplay of Blizzard games1, Titanfall2, Escape from Tarkov3, Dead by Daylight4, and Final Fantasy 145 among many others. Voice over IP (VoIP) service providers such as Bandwidth.com6, VoIP Unlimited7, and VoIP.ms8 suffered outages following ransom DDoS attacks. In India, we saw a 30-fold increase of DDoS attacks during the nation’s festive season in October9 with multiple broadband providers targeted, which shows that the holidays are indeed an attractive time for cybercriminals. As we highlighted in the 2021 Microsoft Digital Defense Report, the availability of DDoS for-hire services as well as the cheap costs—at only approximately $300 USD per month—make it extremely easy for anyone to conduct targeted DDoS attacks.

At Microsoft, despite the evolving challenges in the cyber landscape, the Azure DDoS Protection team was able to successfully mitigate some of the largest DDoS attacks ever, both in Azure and in the course of history. In this review, we share trends and insights into DDoS attacks we observed and mitigated throughout the second half of 2021.

August recorded the highest number of attacks

Microsoft mitigated an average of 1,955 attacks per day, a 40 percent increase from the first half of 2021. The maximum number of attacks in a day recorded was 4,296 attacks on August 10, 2021. In total, we mitigated upwards of 359,713 unique attacks against our global infrastructure during the second half of 2021, a 43 percent increase from the first half of 2021.

Interestingly, there was not as much of a concentration of attacks during the end-of-year holiday season compared to previous years. We saw more attacks in Q3 than in Q4, with the most occurring in August, which may indicate a shift towards attackers acting all year round—no longer is holiday season the proverbial DDoS season! This highlights the importance of DDoS protection all year round, and not just during peak traffic seasons.

Microsoft mitigated a 3.47 Tbps attack, and two more attacks above 2.5 Tbps

Last October, Microsoft reported on a 2.4 terabit per second (Tbps) DDoS attack in Azure that we successfully mitigated. Since then, we have mitigated three larger attacks.

In November, Microsoft mitigated a DDoS attack with a throughput of 3.47 Tbps and a packet rate of 340 million packets per second (pps), targeting an Azure customer in Asia. We believe this to be the largest attack ever reported in history.

This was a distributed attack originating from approximately 10,000 sources and from multiple countries across the globe, including the United States, China, South Korea, Russia, Thailand, India, Vietnam, Iran, Indonesia, and Taiwan. Attack vectors were UDP reflection on port 80 using Simple Service Discovery Protocol (SSDP), Connection-less Lightweight Directory Access Protocol (CLDAP), Domain Name System (DNS), and Network Time Protocol (NTP) comprising one single peak, and the overall attack lasted approximately 15 minutes.

In December, we mitigated two more attacks that surpassed 2.5 Tbps, both of which were again in Asia. One was a 3.25 Tbps UDP attack in Asia on ports 80 and 443, spanning more than 15 minutes with four main peaks, the first at 3.25 Tbps, the second at 2.54 Tbps, the third at 0.59 Tbps, and the fourth at 1.25 Tbps. The other attack was a 2.55 Tbps UDP flood on port 443 with one single peak, and the overall attack lasted just a bit over five minutes.

In these cases, our customers do not have to worry about how to protect their workloads in Azure, as opposed to running them on-premises. Azure’s DDoS protection platform, built on distributed DDoS detection and mitigation pipelines, can scale enormously to absorb the highest volume of DDoS attacks, providing our customers the level of protection they need. The service employs fast detection and mitigation of large attacks by continuously monitoring our infrastructure at many points across the Microsoft global network. Traffic is scrubbed at the Azure network edge before it can impact the availability of services. If we identify that the attack volume is significant, we leverage the global scale of Azure to defend the attack from where it is originating.

Short burst and multi-vector attacks remain prevalent, although more attacks are lasting longer

As with the first half of 2021, most attacks were short-lived, although, in the second half of 2021, the proportion of attacks that were 30 minutes or less dropped from 74 percent to 57 percent. We saw a rise in attacks that lasted longer than an hour, with the composition more than doubling from 13 percent to 27 percent. Multi-vector attacks continue to remain prevalent.

It’s important to note that for longer attacks, each attack is typically experienced by customers as a sequence of multiple short, repeated burst attacks. One such example would be the 3.25 Tbps attack mitigated, which was the aggregation of four consecutive short-lived bursts that each ramped up in seconds to terabit volumes.

UDP spoof floods dominated, targeting the gaming industry

UDP attacks rose to the top vector in the second half of 2021, comprising 55 percent of all attacks, a 16 percent increase from the first half of 2021. Meanwhile, TCP attacks decreased from 54 percent to just 19 percent. UDP spoof floods was the most common attack type (55 percent), followed by TCP ACK floods (14 percent) and DNS amplification (6 percent).

Gaming continues to be the hardest hit industry. The gaming industry has always been rife with DDoS attacks because players often go to great lengths to win. Nevertheless, we see that a wider range of industries are just as susceptible, as we have observed an increase in attacks in other industries such as financial institutions, media, internet service providers (ISPs), retail, and supply chain. Particularly during the holidays, ISPs provide critical services that power internet phone services, online gaming, and media streaming, which make them an attractive target for attackers.

UDP is commonly used in gaming and streaming applications. The majority of attacks on the gaming industry have been mutations of the Mirai botnet and low-volume UDP protocol attacks. An overwhelming majority were UDP spoof floods, while a small portion were UDP reflection and amplification attacks, mostly SSDP, Memcached, and NTP.

Workloads that are highly sensitive to latency, such as multiplayer game servers, cannot tolerate such short burst UDP attacks. Outages of just a couple seconds can impact competitive matches, and outages lasting more than 10 seconds typically will end a match. For this scenario, Azure recently released the preview of inline DDoS protection, offered through partner network virtual appliances (NVAs) that are deployed with Azure Gateway Load Balancer. This solution can be tuned to the specific shape of the traffic and can mitigate attacks instantaneously without impacting the availability or performance of highly latency-sensitive applications.

Huge increase in DDoS attacks in India, East Asia remains popular with attackers

The United States remains the top attacked destination (54 percent). We saw a sharp uptick in attacks in India, from just 2 percent of all attacks in the first half of 2021 to taking the second position at twenty-three percent of all attacks in the second half of 2021. East Asia (Hong Kong) remains a popular hotspot for attackers (8 percent). Interestingly, relative to other regions, we saw a decrease in DDoS activity in Europe, dropping from 19 percent in the first half of 2021 to 6 percent in the second half.

The concentration of attacks in Asia can be largely explained by the huge gaming footprint10, especially in China, Japan, South Korea, Hong Kong, and India, which will continue to grow as the increasing smartphone penetration drives the popularity of mobile gaming in Asia. In India, another driving factor may be that the acceleration of digital transformation, for example, the “Digital India” initiative11, has increased the region’s overall exposure to cyber risks.

Defended against new attack vectors

During the October-to-December holiday season, we defended against new TCP PUSH-ACK flood attacks that were dominant in the East Asia region, namely in Hong Kong, South Korea, and Japan. We observed a new TCP option manipulation technique used by attackers to dump large payloads, whereby in this attack variation, the TCP option length is longer than the option header itself.

This attack was automatically mitigated by our platform’s advanced packet anomaly detection and mitigation logic, with no intervention required and no customer impact at all.

Protect your workloads from DDoS attacks with Microsoft

As the world moves towards a new era of digitalization with the expansion of 5G and IoT, and with more industries embracing online strategies, the increased online global footprint means that the threat of cyberattacks will continue to grow. As we have witnessed that DDoS attacks are now rampant even during non-festive periods, it is crucial for businesses to develop a robust DDoS response strategy all year round, and not just during the holiday season.

At Microsoft, the Azure DDoS Protection team protects every property in Microsoft and the entire Azure infrastructure. Our vision is to protect all internet-facing workloads in Azure, against all known DDoS attacks across all levels of the network stack.

Combine DDoS Protection Standard with Application Gateway Web Application Firewall for comprehensive protection

When combined with DDoS Protection Standard, Application Gateway web application firewall (WAF), or a third-party web application firewall deployed in a virtual network with a public IP, provides comprehensive protection for L3-L7 attacks on web and API assets. This also works if you are using Azure Front Door alongside Application Gateway WAF, or if your backend resources are in your on-premises environment.

If you have PaaS web application services running on Azure App Service or Azure SQL Database, you can host your application behind an Application Gateway and WAF and enable DDoS Protection Standard on the virtual network which contains the Application Gateway and WAF. In this scenario, the web application itself is not directly exposed to the public Internet and is protected by Application Gateway WAF and DDoS Protection Standard. To minimize any potential attack surface area, you should also configure the web application to accept only traffic from the Application Gateway public IP address and block unwanted ports.

Use inline DDoS protection for latency-sensitive workloads

If you have workloads that are highly sensitive to latency and cannot tolerate short burst DDoS attacks, we recently released the preview of inline DDoS protection, offered through partner network virtual appliances (NVAs) that are deployed with Azure Gateway Load Balancer. Inline DDoS protection mitigates even short-burst low-volume DDoS attacks instantaneously without impacting the availability or performance of highly latency-sensitive applications.

Optimize SecOps with Azure Firewall Manager

DDoS Protection Standard is automatically tuned to protect all public IP addresses in virtual networks, such as those attached to an IaaS virtual machine, Load Balancer (Classic and Standard Load Balancers), Application Gateway, and Azure Firewall Manager. In addition to Azure Firewall policy management, Azure Firewall Manager, a network security management service, now supports managing DDoS Protection Standard for your virtual networks. Enabling DDoS Protection Standard on a virtual network will protect the Azure Firewall and any publicly exposed endpoints that reside within the virtual network.

Learn more about Azure DDoS Protection Standard

•    Azure DDoS Protection Standard product page.
•    Azure DDoS Protection Standard documentation.
•    Azure DDoS Protection Standard reference architectures.
•    DDoS Protection best practices.
•    Azure DDoS Rapid Response.
•    DDoS Protection Standard pricing and SLA.

1Overwatch, World of Warcraft Go Down After DDoS | Digital Trends

2After years of struggling against DDoS attacks, Titanfall is being removed from sale | PC Gamer

3'Escape From Tarkov' suffers sustained server issues in possible DDoS attacks (nme.com)

4Dead by Daylight streamers are being DDoS attacked

5'Final Fantasy 14' EU servers affected by DDoS attack (nme.com)

6Bandwidth CEO confirms outages caused by DDoS attack | ZDNet

7DDoS Attack Hits VoIP and Internet Provider VoIP Unlimited Again UPDATE2 – ISPreview UK

8VoIP company battles massive ransom DDoS attack | ZDNet

930-fold increase in DDoS cyber attacks in India in festive season (ahmedabadmirror.com)

10Gaming industry in Asia Pacific – statistics and facts | Statista

11Di-Initiatives | Digital India Programme | Ministry of Electronics and Information Technology (MeitY) Government of India
Quelle: Azure

Rightsize to maximize your cloud investment with Microsoft Azure

If you are running on-premises servers, chances are that you utilize a fraction of your overall server cores most of the time but are forced to over-provision to handle peak loads. Moving those workloads to the cloud can greatly reduce cost by “rightsizing” server capacity as needed.

Rightsizing is one of the key levers you have for controlling costs and optimizing resources. By understanding cloud economics, and using what Azure provides, you can identify the smallest virtual server instances that support your requirements and realize immediate savings by eliminating unused capacity.

Many industries experience spikes in server usage. When you rightsize with Azure, you are no longer compelled to buy and provision capacity based on peak demand, which results in excess capacity and excess spending.

For instance, H&R Block found that its servers got used most at specific times of the year—namely, tax season, and maintaining expensive on-premises infrastructure throughout the year was driving up costs. Once the tax preparer migrated the first 20 percent of its apps and platforms to Azure, it became very clear how the variable cost model of the cloud contrasted with the fixed model of the on-premises datacenters and revaluated its architecture.

Rightsizing in the cloud will mean different things to different organizations. One of the first questions to ask is how much of your environment is elastic versus static to get an idea of savings based on the reduction in footprint. In the example below, static usage never went above 30 percent of capacity, indicating a huge opportunity for savings.

What does rightsizing look like for you?

Turning off workloads can obviously have an immediate impact on your budget. But how aggressively should you look to trim? Do you always know what is driving the consumption? Are there situations where you can not immediately rightsize? For workloads still needed, what can be done to optimize those resources?

That optimization can take several forms:

Resizing virtual machines: Business and applications requirements evolve, so committing to a specific virtual machine size ahead of time can be limiting.
Shutting down underutilized instances: With workloads in the cloud, use Azure Advisor to find underutilized resources and get recommendations for resource optimization. This tool also can help determine the cost savings from rightsizing or shutting down central processing units (CPUs).
Interrupting workloads with Azure Spot Virtual Machines: You can get deep discounts for interruptible workloads that do not need to be completed within a specific timeframe.
Identify workloads that need extra capacity: With Azure, it is easier to meet consumption demands. In fact, the process can be largely automated.

When migrating workloads to Azure, do not consider it a one-to-one migration of server cores. The cloud is infinitely more flexible, allowing for unpredictable workloads and paying only for the resources needed. Plan for the peak but know that you do not have to hold on to that capacity. Under consistently high usage, consumption-based pricing can be less efficient for estimating baseline costs when compared to the equivalent provisioned pricing.

Be sure to consider tradeoffs between cost optimization and other aspects of the design, such as security, scalability, resilience, and operability. When using tools like Azure Advisor, understand that they can only give a snapshot of usage during their discovery period. If your organization experiences large seasonal fluctuations, you can save on provisioning your base workloads, typically your line-of-business applications, by reserving virtual machine instances and capacity with a discount. And when those seasonal patterns and occasional bursts drive up usage, pay-as-you-go pricing kicks in.

Those consistent workloads, like a batch process that runs every day using the same resources, you can get reduced pricing by taking advantage of Azure Reservations and receive discounts up to 72 percent by reserving your resources in advance.

And speaking of cost optimization tools, use the Azure Well-Architected Framework to optimize the quality of your Azure workloads. Read the overview of cost optimization to dive deeper into the tools and processes for creating cost-effective workloads. These tools really can help. According to an IDC assessment, Azure customer enablement tools can lower the three-year cost of operations by 24 percent.

Planning for growth no longer means overprovisioning for fear of hitting capacity. When you understand cloud economics and follow the key financial and technical guidance from Azure, your workloads will be much more cost-effective in Azure.

Learn more

Read the cost optimization documentation.
Review the cost optimization checklist.
Understand Azure Cost Management and Billing.

Quelle: Azure

Save big by using your on-premises licenses on Azure

Are you still hesitating to move some or all your workloads to the cloud due to the added cost? One of the easiest ways to significantly lower your cost of ownership is by using a special licensing offer called Azure Hybrid Benefit.

When migrating Windows Server or SQL Server on-premises workloads to Microsoft Azure, Azure Hybrid Benefit allows you to use your existing licenses covered by Software Assurance (SA) or other subscriptions in Azure. By bringing both Windows and SQL Server licenses with SA to Azure, you can save up to 85 percent compared to pay-as-you-go pricing.

Don’t pay double

Server migration cost concerns take several shapes, including paying double for the cloud and on-premises licenses while migrating, and the added infrastructure and security costs. During migrations, Azure Hybrid Benefit helps reduce risk by allowing 180 days to run Azure and on-premises workloads simultaneously at no additional cost. Or you can keep both licenses permanently to continue running a hybrid infrastructure.

When using cloud services from other providers, organizations are required to pay for both the infrastructure and the licenses. With Azure Hybrid Benefit, you pay only for additional infrastructure. You will need to repurchase your Windows Server license on other providers’ clouds. And only Azure offers free extended security updates. When you move a Windows or SQL Server workload to Azure, the extended security updates provide three years of free security updates after the end of support, reducing risk and cost.

Moreover, Azure Hybrid Benefit applies to active and unused on-premises Red Hat or SUSE Linux subscriptions, allowing you to use your existing Linux workloads on Azure and pay only for your virtual machine infrastructure costs.

Windows Server savings

Only Azure Hybrid Benefit enables Windows Server license assignment in the cloud. The benefit is applicable to customers with an active SA or subscription license, such as EAS, SCE, or Open Value subscription on Windows Server (both Standard and Datacenter editions of Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019). It is supported in all Azure regions and on virtual machines that are running SQL or third-party marketplace software.

Only Azure Hybrid Benefit offers unlimited virtualization for dedicated hosts. For a breakdown of the number of virtual cores allocated for those licenses, their requirements, and how to apply for benefits, check out Azure Hybrid Benefit for Windows Server.

Below is a snapshot of how much Azure Hybrid Benefit can save when moving Windows Server workloads.

SQL Server savings

The Hybrid Benefit for SQL Server on Azure Virtual Machines allows customers with Software Assurance to use their on-premises licenses when they run SQL Server on Azure Virtual Machines. With Software Assurance, you can use the benefit when deploying a new SQL virtual machine or activate SQL Server Azure Hybrid Benefit for an existing SQL virtual machine with a pay-as-you-go license.

And know that only with Azure Hybrid Benefit can you leverage your existing SQL Server licenses in both IaaS and PaaS environments. And only Azure Hybrid Benefit applies to SQL Server DBaaS and gives you four virtual CPUs for one core of SQL Server Enterprise in the exchange.

You can centrally manage your Azure Hybrid Benefit for SQL Server across the scope of an entire Azure subscription or overall billing account. In the Azure portal, you can now centrally manage your Azure Hybrid Benefit for SQL Server by assigning licenses to the scope of an entire Azure subscription or overall billing account.

Here is an example of the benefit applied to SQL Server:

Azure Hybrid Benefit helps you to significantly reduce the costs of running your workloads in the cloud. See the benefit description and rules for more on the licensing structure and use cases.

More ways to save

Even more savings can be found by purchasing Azure reserved instances, which provides discounts on Azure services when purchasing predicted capacity in advance. It gives us visibility into your one-year or three-year resource needs, which allows us to be more efficient and these savings are passed on to you as discounts of up to 72 percent. Together with Azure Hybrid Benefit, these reservations can provide more than 80 percent savings over the standard pay-as-you-go rate. Your actual savings may vary so use the Azure Hybrid Benefit Savings Calculator to estimate your savings range.

Learn more

Get more financial and technical guidance from Azure by visiting cloud economics.
Find out more special offers at Azure benefits and incentives.

Quelle: Azure

Microsoft launches landing zone accelerator for Azure Arc-enabled servers

We continue to innovate and add new capabilities to Azure Arc to enable new scenarios in hybrid and multicloud. We also want to provide our customers with the right guidance and best practices to adopt hybrid and multicloud technologies to meet their business needs. Today we’re launching the Azure Arc-enabled servers landing zone accelerator within the Azure Cloud Adoption Framework. The landing zone accelerator provides best practices, guidance, and automated reference implementations so that customers can get started with their deployments quickly and easily.

Azure Arc-enabled servers landing zone accelerator makes it easier for customers to increase security, governance, and compliance posture on servers that are deployed outside of Azure. Along with Azure Arc, services such as Microsoft Defender for Cloud, Azure Sentinel, Azure Monitor, Azure Log Analytics, Azure Policy, and many others are included in the reference implementations that can then be extended to production environments.

Design areas within the landing zone accelerator

The Azure Arc-enabled servers landing zone accelerator enables customers’ cloud adoption journey with considerations, recommendations, and architecture patterns most important to customers. For deploying Azure Arc-enabled servers in the most recommended way, we created a set of seven critical design areas. Each of these specific areas, walks customers through a set of design considerations, recommendations, architectures, and next steps:

Identity and access management
Network topology and connectivity
Resource organization
Governance and security disciplines
Management disciplines
Cost governance
Automation disciplines

Automation for landing zone accelerator

Azure Arc landing zone accelerator uses the sandbox automation powered by Azure Arc Jumpstart, for reference implementations. Since launching 18 months ago, Azure Arc Jumpstart has grown tremendously, with more than 90 automated scenarios, thousands of visitors a month, and a vivid open-source community sharing their learnings on Azure Arc. As part of Jumpstart, we developed ArcBox, an automated sandbox environment for all-things Azure Arc, deployed in customers’ Azure subscriptions.

Here’s what Kevin Booth, Principal Cloud Architect at Insight, a technology provider, had to say about Jumpstart—“The Azure Arc Jumpstarts have proven invaluable to us at Insight in familiarizing our people and our clients with Azure Arc’s use cases, feature set, and capabilities. We at Insight have taken the Jumpstart scenarios and integrated them into our own IP to help accelerate implementation to more rapidly onboard customers, in a best practice manner.”

For the Azure Arc-enabled servers landing zone accelerator, we developed the new ArcBox for IT Pros, which will act as the sandbox automation solution for Azure Arc-enabled servers with services like Azure Policy, Azure Monitor, Microsoft Defender for Cloud, Microsoft Sentinel, and more.

This provides customers with a comprehensive experience that can just be deployed and have a fully operational Azure Arc-enabled servers environment.

The sandbox automation supports Bicep, Terraform, and ARM templates, so customers can choose what makes sense to them and their organizations’ automation practices. This is also part of our new ArcBox 2.0 release.

Getting started

Hop over to the Hybrid and multicloud Cloud Adoption Framework page and explore the Azure Arc-enabled servers landing zone accelerator, the critical design areas, and sandbox automation.
Quelle: Azure