Enabling and securing ubiquitous compute from intelligent cloud to intelligent edge

Enterprises are embracing the cloud to run their mission-critical workloads. The number of connected devices on and off premises, and the data they generate, continue to increase, requiring new enterprise network edge architectures. We call this the intelligent edge – compute closer to the data sources and users to reduce latency. The intelligent cloud, with its massive compute power, storage, and variety of services, works in concert with the intelligent edge using similar programming models to enable innovative scenarios and ubiquitous compute. Networking is the crucial enabler integrating the intelligent cloud with the intelligent edge.

The Azure Networking mission is to provide the most secure, reliable, and performant network for your workloads, delivered and managed from the intelligent cloud to the intelligent edge. We continue to innovate to help your services connect and extend to the cloud and the edge, be protected, delivered with optimal performance and provide insightful monitoring.

Microsoft global network

Microsoft runs one of the world’s largest wide area networks (WANs), which serves all Microsoft cloud services including Azure, Dynamics 365, Microsoft 365, LinkedIn, Xbox, and Bing. The WAN connects all Microsoft datacenters running our cloud services to one another and to our customers and partners through edge sites. These edge sites are strategically located around the world. This is where we exchange traffic with internet service providers for internet traffic and ExpressRoute partners for private connectivity traffic. We also use the Azure Front Door and Azure Content Delivery Network services at our edge sites to enhance and accelerate the experience of our own services, such as Microsoft 365. To provide global coverage, the WAN has over 130,000 miles of subsea, terrestrial, and metro optical fiber and is fully managed by Microsoft using internal software-defined networking (SDN) technologies to provide the best networking experience. Industry leaders such as ThousandEyes have reported on the performance of our global network and in a 2018 study found it to be the most robust and most consistent. One fundamental principle in providing a great experience is to get the traffic onto the Microsoft network as close to the customer as possible and keep it on Microsoft’s network as long as possible. All traffic between Microsoft services and datacenters remains fully in Microsoft’s network and does not traverse the internet.

Figure 1. Core pillars of Azure Networking

Connect and extend

To get the best internet experience, data should enter and exit the Microsoft network as close as possible to you or your users. With over 160 edge sites today, we have an aggressive plan to increase the number of sites, which you can read more about in our edge site expansion blog. We are also increasing the number of ExpressRoute meet-me sites, providing greater flexibility to privately connect to your Azure workloads.

Staying connected to access and ingest data in today's highly distributed application environments is paramount for any enterprise. Many businesses need to operate in and across highly unpredictable and challenging conditions. For example, energy, farming, mining, and shipping often operate in remote, rural, or other isolated locations with poor network connectivity. ExpressRoute for Satellites is now generally available, enabling access to Microsoft cloud services using satellite connectivity. With commercial satellite constellations becoming widely available, new solution architectures offer improved and affordable performance to access Microsoft.

MACsec, an industry encryption standard for point-to-point connections, is now supported on ExpressRoute Direct as a preview capability. ExpressRoute Direct customers can ensure data confidentiality and integrity between physical connections to the ExpressRoute routers to meet security and compliance requirements. Customers fully own and manage the lifecycle of the MACsec keys using Azure Key Vault.

We have invested in optical technologies to greatly reduce the cost of metro networks. We are passing these savings to you with a new ExpressRoute circuit type called ExpressRoute Local, available via ExpressRoute partners. If you select an ExpressRoute site near our datacenters and only access data from that datacenter then egress prices are included in the ExpressRoute Local circuit price. For connectivity to regions in the same geo you can use ExpressRoute Standard, and to get anywhere in the world you can use ExpressRoute Premium.

The new peering service for the Microsoft cloud, now in preview, enables enterprise-grade internet connectivity to access Azure, Dynamics 365, and Microsoft 365, via partnerships with internet providers and internet exchange providers. Peering service also provides internet latency telemetry, route monitoring, and alerting against hijacks, leaks, and other border gateway protocol misconfigurations.

Figure 2. Launch partners supporting the new Peering Service

We have enhanced our VPN service to support up to 10 Gbps of aggregate encrypted bandwidth, IKE v1 on all our VPN gateway SKUs, and packet capture to help debug configuration issues. We have also enhanced our point-to-site VPN service to support Azure Active Directory and multifactor authentication. We are also making available an OpenVPN client that you can download and run to access your VNet from anywhere.

Azure Virtual WAN brings together our Azure connectivity services into a single operational interface with major SD-WAN partners. Azure Virtual WAN enables a global transit network architecture by providing ubiquitous connectivity between globally distributed sets of spokes such as VNets, sites, applications, and users. Significant enhancements include the preview of hub-to-hub and any-to-any connectivity. Virtual WAN users can connect multiple hubs for full mesh connectivity to further simplify their network architecture. Additionally, ExpressRoute and point-to-site are now generally available with Virtual WAN.

Figure 3. Azure Virtual WAN full topology overview across customers sites and clients connecting to Azure

We have been working closely with industry leaders to expand the ecosystem support for Virtual WAN. Today, we are announcing that Cisco and Microsoft are partnering to modernize the network for the cloud. Cisco, one of our largest global and strategic partners, is working with Microsoft to integrate Cisco SD-WAN technology with both Azure Virtual WAN and Office 365 to enable seamless, distributed and optimal branch office connectivity to Azure and Office 365.

“At Cisco, we’re helping customers deliver security and application experience as they expand into the cloud. Collaborating with Microsoft to expand the value of Azure Virtual WAN with Cisco SD-WAN, we are creating new opportunities for our mutual customers to accelerate their hybrid cloud strategy.”

Sachin Gupta, SVP, Product Management for Cisco Enterprise Networking Business

Additionally, other partners, including CloudGenix, Fortinet, Nokia-Nuage, and Silver Peak, have finalized their integrations with Virtual WAN and are immediately available.

IPv6

Dual stack (IPv4 + IPv6) VNet will be generally available later this month. As a first in the cloud, Azure will enable customers to bring their own IPv6 private space into the VNet thereby avoiding any need for routing changes. IPv6 enables customers to address IPv4 depletion, meet regulatory requirements, and expand into the growing mobile and IoT markets with their Azure-based applications.

Figure 4. Architectural diagram of an Azure VNet routing with IPv6 between VMs, subnet and Load Balancer

Protect

Achieving Zero Trust networking

Cloud applications and the mobile workforce have redefined the security perimeter. The new perimeter isn’t defined by the physical location(s) of the organization; it now extends to every access point that hosts, stores, or accesses corporate resources and services.

Instead of believing everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originates from an uncontrolled network. Regardless of where the request originates or what resource it accesses, Zero Trust teaches us to “never trust, always verify.”

Azure Networking services provide critical controls to enhance visibility and help prevent bad actors from moving laterally across the network. Networks should be segmented, including deeper software-defined micro-segmentation; real-time threat protection, end-to-end encryption, monitoring, and analytics should also be employed.

Azure Private Link – extended to all Azure regions

Azure Private Link brings Azure services into your private virtual network. Supported Azure services such as Storage, SQL Database, and Azure Synapse Analytics can be consumed over a private IP address, so the access control lists (ACLs) do not need to be opened to the public internet. Traffic going through Private Link always stays on the Microsoft backbone network and never enters the public internet. The platform as a service (PaaS) resources can also be accessed privately from on-premises through VPN or ExpressRoute private peering, thereby keeping the ACLs simple. Starting today, Private Link will be available in all Azure public regions.

Figure 5. Architectural diagram of Private Link deployed cross-premises

Using Azure Private Link, Azure is the first cloud to provide data governance and compliance by implementing built-in data exfiltration protection. This brings us one step closer to our goal of zero trust networking, wherein malicious actors within the trusted network can’t exfiltrate data to non-secure accounts, since individual PaaS instances, rather than service frontends, are mapped as private endpoints. Private Link also empowers software as a service (SaaS) providers in Azure to extend the same capability to their customers. Snowflake is an early adopter of the program, with more partner services to follow.

Azure Firewall Manager is a new security management service that provides central security policy and route management for cloud-based security perimeters. Azure is currently the only cloud provider to offer traffic governance, routing control, and third party integrated security through Azure Firewall and Firewall Manager. Global admins can centrally create hub and spoke architecture and associate security or routing policies with such a hub, referred to as a secured virtual hub.

Figure 6. Diagram of Azure Firewall Manager deployed inside Secured Virtual WAN Hubs

With trusted security partners, you can use your familiar, industry-leading, third-party security as a service (SECaaS) offerings to protect internet access for your users. We are very pleased to announce our partnership with Zscaler, iboss, and Check Point (coming soon) as the trusted security partners.

Azure Firewall threat intelligence-based filtering now generally available

Using threat intelligence-based filtering, Azure Firewall can now be configured to alert on and deny traffic to and from known malicious IP addresses and domains in near real-time. The IP addresses and domains are sourced from the Microsoft threat intelligence feed.

We also extended our web application firewall (WAF) with three new features: WAF bot protection, WAF per-site policies, and geo filtering. The Azure-managed bot protection rule set in Azure Front Door detects different categories of bots and allows customers to set actions accordingly. Customers can block malicious bots at the network edge, allow good bots to reach application backends, and log or redirect unknown bots to an alternative site. The Azure-managed bot protection rule set is also offered as a preview on the Azure Application Gateway v2 SKU. WAF per-site policy with Application Gateway enables customers to specify WAF policies for different web applications hosted on a single Application Gateway. This allows for finer-grained security policy and eliminates the need to create additional deployments per site. Azure Application Gateway is introducing geo filters with existing custom rules in preview on the v2 SKU. This capability allows you to extend existing IP/IP range-based custom rules to also include countries as a matching criterion and take actions accordingly. This allows you to restrict traffic from a given country or only allow traffic from a set of countries.

We recently announced the general availability of Azure Bastion. The Azure Bastion service is provisioned directly in your Virtual Network, enabling seamless remote desktop (RDP) and secure shell (SSH) access to all virtual machines in the VNet without needing a public IP address. Seamless integration and easy one-time setup of ACLs across your subnets eliminates subsequent and continuous management.

Figure 7. Azure Bastion architecture showing SSL access to VNet resources through the Azure portal

Deliver

Today we are also announcing a new feature, the Content Delivery Network Rules Engine, which lets Azure Content Delivery Network customers customize how HTTP requests are handled. Rules Engine supports powerful match conditions such as device detection, HTTP protocol, and header values, and triggers appropriate actions. All the HTTP rules run at our edge sites near end users, which gives significant performance benefits compared to running rules at customer origins.

The Application Gateway Ingress Controller allows Azure Application Gateway to be used as the ingress for an Azure Kubernetes Service (AKS) cluster. The ingress controller runs as a pod within the AKS cluster. It consumes Kubernetes Ingress Resources and converts them to an Azure Application Gateway configuration, which allows the gateway to load-balance traffic to Kubernetes pods. Using Application Gateway Ingress Controller enables customers to expose a single internet-accessible endpoint to communicate with their AKS clusters. Application Gateway directly interacts with pods using private addresses, which eliminates the necessity of additional DNAT incurred by Kube-proxy, thus providing more efficient and performant traffic routing to pods. Application Gateway Ingress Controller provides support for all features of Application Gateway, including WAF capabilities to secure access to the AKS cluster.

Figure 8. App Gateway Ingress controller explained relative to AKS

Azure Key Vault is a platform-managed service to safeguard cryptographic keys and other secrets used by cloud apps and services. Azure Application Gateway v2 now supports direct integration of Key Vault-stored TLS certificates for its HTTPS-enabled listeners. This enables better TLS certificate security by clearly separating the certificate management process from Application Gateway and backend web application management. Application Gateway polls the Key Vault every few hours for a newer version of the transport layer security (TLS) certificate, thus enabling automatic renewal of certificates.

Monitor

Azure Internet Analyzer is a new client-side measurement service now available in preview. Internet Analyzer enables A/B testing of networking infrastructures and their impact on your customers’ performance experience. Whether you’re migrating apps and content from on-premises to Azure or evaluating a new Azure service, Internet Analyzer allows you to learn from your users’ data and Microsoft’s rich analytics to better understand and optimize your network architecture with Azure before you migrate. Internet Analyzer is designed to address performance-related questions for cloud migration, deploying to new or additional Azure regions, or testing new application and content delivery platforms in Azure, such as Azure Front Door and Content Delivery Network.

Azure Monitor for Network service is now available in preview. Azure Monitor for Network enables customers to monitor key metrics and health of their network resources, discover issues, and get troubleshooting help. Azure Monitor for Network is on by default and doesn’t require any custom setup. Whether it’s about monitoring and troubleshooting the cloud or hybrid networks, Azure Monitor for Network helps you to set up alerts, get resource-specific diagnostics, and visualize the structure and functional dependencies between resources.

Figure 9. Screenshot of Azure Monitor for Network illustrating App Gateway metrics and diagnostics

Multi-access Edge Computing (MEC) in preview

Multi-access Edge Computing offers application developers cloud-computing capabilities at the customer premises. This environment is characterized by very low latency and high bandwidth as well as real-time access to radio networks such as Private LTE and 5G. By integrating MEC capabilities with Azure, we will be offering a continuum of compute and network capabilities from the intelligent cloud to the edge. New critical and immersive scenarios such as smart factory and mixed reality require reliable low-latency and high bandwidth connectivity combined with local compute.

Figure 10. Concept draft of Multi-access and network edge compute with Azure

To address these needs, we are introducing a technology preview of Multi-access Edge Compute based on Azure Stack Edge deployed at the customer’s premises for the best possible latency. Key characteristics of the MEC are:

Enables developers to use the GitHub and Azure DevOps CI/CD toolset to write and run container-based applications at the customer’s premises. With a consistent programming model, it is straightforward to develop applications in Azure and then move them to Azure Stack Edge.
Wireless technology integration, including Private Long-Term Evolution (LTE), LTE-based Citizens Broadband Radio Service (CBRS), and forthcoming 5G technologies. As part of our MEC platform, we have partnered with technology innovators to provide mobile virtual network functions (Evolved Packet Core), device integration, SIM management, and radio access networks.
MEC is managed from Azure. Curated virtual network function (VNF) images are downloaded from Azure to simplify deploying and running a private mobile network. The platform also provides support for lifecycle management of the VNFs, such as patching, configuration, and monitoring.
A partner ecosystem including managed service providers to deploy end to end solutions in your network.

For those interested in the early technical preview and options with MEC integration, please reach out to MEC-Networking@microsoft.com.

Figure 11. Overview of Azure Multi-edge Compute (MEC) partner ecosystem

Looking Forward

We are fully committed to helping you connect to Azure, by protecting your workloads, delivering a great networking experience, and providing extensive monitoring to simplify your deployment and operational costs while helping you better support your customers. At Microsoft Ignite we will add more details about our announcements, and you can learn more by viewing our technical sessions. We’ll continue providing innovative networking services and guidance to help you take full advantage of the cloud. We’re excited to learn about your new scenarios enabled by our networking services. As always, we welcome your feedback.

Azure. Invent with purpose.
Source: Azure

Azure infrastructure as a service (IaaS) for every workload

This week at Microsoft Ignite, we announced several important additions to our Azure infrastructure as a service (IaaS) portfolio.

Many companies, including GEICO, H&R Block, and CONA Services, rely on Azure to run a very diverse set of business-critical workloads, often requiring dynamic and scalable infrastructure that delivers unparalleled performance.

In order to meet the needs of this diverse and growing set of mission-critical workloads that call Azure home, our infrastructure services continue to evolve to optimize the experience of running these workloads.

Comprehensive infrastructure solutions: Flexibility and choice

We announced several new offerings that expand our portfolio of available virtual machine (VM) instance sizes for general purpose, memory-intensive, and remote visualization scenarios, including the ability to run VMware environments natively and enhancements to the platform that make it even easier to migrate your workloads to Azure.

Ea v4, Eas v4, Da v4, and Das v4 series Microsoft Azure Virtual Machines now available

After being the first global cloud provider to announce the preview of Azure Virtual Machines based on the AMD EPYC™ 7452 processor, we’ve been working together with our technology partners, including AMD, to continue bringing the latest innovation to enterprises. 

This week we’re announcing the availability of the Da v4 and Das v4 Azure Virtual Machine series for general purpose Linux and Windows applications, and the Ea v4 and Eas v4 Azure Virtual Machine series for memory-intensive Linux and Windows workloads.

These new Azure Virtual Machines feature the latest AMD EPYC™ 7452 processor and up to 96 vCPUs, 672 GiBs of RAM, and 2,400 GiBs of SSD-based temporary storage. The Das-series and the Eas-series Virtual Machines support Azure Premium SSDs and will include Ultra Disk support in the near future.

New NVv4 series Azure Virtual Machines preview available

We are also enhancing our compute portfolio for Windows Virtual Desktops and high-performance computing (HPC) workloads with the preview of NVv4. These new Azure Virtual Machines feature the latest AMD EPYC™ 7742 processor and will be the first visualization-optimized Azure Virtual Machine to offer AMD RADEON INSTINCT™ MI25 GPUs. NVv4 (currently in preview) offers enhanced GPU resourcing flexibility, giving customers more choice by offering partitioned GPUs built using industry-standard SR-IOV technology. Customers can select the right size of GPU Virtual Machines with as little as 2GB of dedicated GPU frame buffer for an entry-level desktop in the cloud, and up to the whole GPU with 16GB of frame buffer to provide powerful engineering workstations. This makes entry-level and low-intensity GPU workloads more cost-effective while still giving customers the option to scale up to full-GPU processing power delivered by AMD RADEON INSTINCT™ MI25 GPUs.

Azure VMware Solutions now available in West Europe

We’re also announcing the availability of Azure VMware Solutions in the West Europe Azure region. If you are currently managing an on-premises VMware environment, Azure VMware Solutions delivers the ability to run your VMware environment natively on Azure. This gives you the option to leverage your existing VMware skills and investments while taking full advantage of the scale and automation Azure offers. Azure VMware Solutions is now supported in East US, West US, and West Europe regions.

New Azure Migrate features to streamline migration

Azure Migrate is a central hub for all your migration needs and now delivers new capabilities to accelerate the migration of physical servers and virtual machines. We have also made enhancements to the Server Assessment capabilities that reduce friction through agentless discovery options. And to ensure you have the information you need for migration, we now provide deeper application dependency analysis. Refer to the documentation for more details.

A dynamic and scalable infrastructure for uncompromised performance

One of the most valuable promises of cloud infrastructure is the ability to meet evolving business and IT requirements. In our mission to continuously improve customers’ access to dynamic and scalable infrastructure, we’ve made a couple of important additions to our portfolio.

Azure generation 2 virtual machines now generally available

Generation 2 virtual machines are now generally available on Azure. Generation 2 VMs provide support for Intel Software Guard Extensions (Intel SGX), UEFI boot architecture, and the ability to provision large VMs (up to 12TB) and OS disk sizes that exceed 2TB.

Generation 2 VMs are fully supported in the portal, CLI, and PowerShell interfaces, and customers can opt to use them during the provisioning and deployment process, depending on their needs. Please refer to the Windows and Linux documentation for more information.

New Azure Virtual Machine Scale Sets features now in preview

We’re also introducing the preview of new features for Azure Virtual Machine Scale Sets that will greatly simplify the experience of running virtual machines at scale, as well as improve the runtime capabilities and performance of these workloads. 

In addition to supporting a homogeneous set of VMs for a scalable app layer, you can now create an empty virtual machine scale set and add various VMs (even those belonging to different VM series) later during the VM creation process. This will allow you to achieve high availability, for example, by deploying a set of virtual machines to a single availability zone or across different fault domains in an availability zone. You can now use a Virtual Machine Scale Set to deploy a SQL high availability (HA) cluster with high availability in a zone. This will provide the high availability of SQL primary, secondary, and witness VMs in unique fault domains while maintaining the lower inter-VM network latency that is seen within an availability zone.

You can now also provision VMs with custom images using the Azure Shared Image Gallery, which provides a quick, easy and scalable way to share images across different VMs and also accelerates provisioning times.

You can also specify a scale-in policy that gives you control over the order in which VMs should be de-provisioned. Termination notifications now give customers up to 15 minutes to perform any clean-up or other pre-shutdown tasks before VMs are deprovisioned, and you can now use instance protection from scale-in to designate VMs that should not be deprovisioned during a scale-in action. 

All these new features will help you get your applications up and running quickly while giving you additional control over how your applications can scale to meet your requirements. 

HBv2 Azure Virtual Machines for HPC workloads coming soon

HBv2 VMs are designed to deliver supercomputer-class performance, message passing interface (MPI) scalability, and cost efficiency for a variety of real-world HPC workloads. HBv2 Virtual Machines support up to 80,000 cores for single MPI jobs to deliver performance that rivals some of the world’s largest and most powerful bare metal supercomputers.

Updated NDv2 Azure Virtual Machines preview

The NDv2-series Virtual Machines, currently in preview, are the latest, fastest, and most powerful addition to the GPU family, specifically designed for the cutting-edge demands of distributed HPC, AI, and machine learning workloads. These VMs feature 8 NVIDIA Tesla V100 NVLINK interconnected GPUs with 32 GB of memory each, 40 non-hyperthreaded Intel Xeon Platinum 8168 processor cores, and 672 GiB of system memory. The NDv2-series Virtual Machines (currently in preview) also feature 100 Gb/sec EDR InfiniBand with support for standard Mellanox OFED drivers and all MPI types and versions. With a total of 256 GB of GPU memory and 100 Gb/sec InfiniBand interconnect, NDv2-series Virtual Machines are ready for the most demanding machine learning models and distributed AI training workloads utilizing CUDA, TensorFlow, PyTorch, Caffe, and other frameworks.

Proximity placement groups now generally available

A proximity placement group is a logical grouping capability for Azure Virtual Machines that you can use to decrease the network latency between a set of virtual machines. When you assign your virtual machines to a proximity placement group, their placement is optimized to deliver lower latency for your latency-sensitive workloads. We’ve seen robust customer adoption of this new feature during the preview over the last few months, and we’re pleased to now make Proximity Placement Groups generally available in most Azure regions. Please check the documentation for more information.

Azure Spot Virtual Machines

Finally, Azure Spot Virtual Machines, which give you access to unused Azure compute capacity at deep discounts, will be available soon. Spot Virtual Machines will be ideal for workloads that can be interrupted, providing scalability while reducing costs. You will be able to take advantage of Spot Virtual Machine pricing for Azure Virtual Machines or Virtual Machine Scale Sets (VMSS) to deploy opportunistic workloads of all sizes. We expect to preview this by early 2020.

In conclusion, there has never been a better time to run your workloads on, or to migrate to, Azure. We hope you enjoy Microsoft Ignite!

Additional Resources

Da series Azure Virtual Machines Linux and Windows documentation

Ea series Azure Virtual Machines Linux and Windows documentation

Azure Virtual Machine Scale Sets documentation

Azure generation 2 Virtual Machines documentation (Windows and Linux)

Azure webinar series: The Total Economic Impact™ of Azure IaaS

Azure webinar series: Five Critical Areas When Migrating Your Workloads to the Cloud

Computing options for every workload on Microsoft Azure – Video

Azure Virtual Machines webpages

Azure VMware Solutions webpages

Azure Migrate webpages

Source: Azure

New Azure investments deliver unprecedented performance for all your business-critical applications

Technology is being infused into every dimension of our lives. From stadiums to operating theaters to refrigerators to cars, technology is at the center of everything we do. It’s no longer just the unicorns that are digital disruptors. Every business is looking to benefit from technology and increase customer connection, satisfaction, and profitability. Organizations like BP, Lufthansa, and Team Rubicon are optimizing and transforming their businesses with Azure Infrastructure, building new applications to connect customer service, logistics, and service delivery in novel ways that increase employee productivity and better serve their customers.

This week from Microsoft Ignite, we're highlighting key Azure Infrastructure enhancements that further power our customers’ digital transformation journey.

Increased performance and lower cost for any workload

Azure has the broadest portfolio of compute offerings, ranging from small to the industry’s largest virtual machines (VMs) to purpose-built hardware that is able to support native VMware workloads, enterprise-grade files powered by NetApp, and up to 120 TB SAP scale-out deployments. CONA Services, the service arm for Coca-Cola bottlers, runs a 40 TB mission-critical system on Azure’s purpose-built SAP HANA infrastructure, one of the largest SAP HANA cloud deployments. To complement our compute portfolio, we offer one of the highest performance disks, including one of the fastest disks in the cloud today with Azure ultra disks, delivering up to 160,000 IOPS.

Customers are addressing new, high-performance scenarios that were earlier cost-prohibitive or simply not possible. With our new Azure HB and HC Virtual Machines, Azure is democratizing high-performance computing with unprecedented performance, scalability, and cost-efficiency for large tightly-coupled workloads in the cloud. InfiniBand networking provides the lowest latency and highest bandwidth in the industry and helps power customer workloads up to 23,000 cores for a single MPI-based application; this is 10x higher than what is found anywhere else in the cloud. With HBv2, the first Azure Virtual Machine featuring 200 gigabit InfiniBand, Azure supports workloads up to 80,000 cores per job.

We are also seeing customers move more Windows Server and Linux workloads to Azure. More than 50 percent of Azure’s compute runs Linux workloads today. When it comes to Windows Server and SQL, 30 percent more enterprises choose Azure over the next major cloud vendor. We offer unparalleled innovation with Azure SQL Managed Instance, App Service and Windows Virtual Desktop along with unmatched security and seamless hybrid capabilities, making Azure the best cloud for Windows and SQL Server workloads. When it comes to performance, Azure SQL Database is the price-performance leader for business-critical workloads while costing up to 86 percent less compared to AWS RDS.

At Microsoft Ignite, we are expanding our compute, storage, and networking offerings to meet an even wider range of customer scenarios. Some highlights include:

 General availability of Ea v4 and Eas v4 Azure Virtual Machine-series for memory-intensive workloads and the Da v4 and Das v4 Azure Virtual Machine-series for general purpose applications. These new Azure Virtual Machines are the first in the cloud to feature the latest AMD EPYC™ 7452 processor.
 Preview of NVv4 and HBv2 VM-series to support virtual desktop and HPC workloads. These new Azure Virtual Machines feature the latest AMD EPYC™ 7742 processor. NVv4 is designed to be the most cost-effective way to do visualization workloads, supporting VMs with fractional GPUs – as little as 1/8th GPU. NVv4 is Azure’s first visualization-optimized VM to offer AMD RADEON INSTINCT™ GPUs, while HBv2 is Azure’s first HPC VM to offer 200 gigabit InfiniBand networking.
 Preview of NDv2 VM-series to support the most demanding machine learning models and distributed AI training workloads. These updated VMs feature eight NVIDIA Tesla V100 NVLINK interconnected GPUs with 32 GB of memory each.
 Preview of new, smaller 4, 8 and 16 GB sizes on Premium SSD, Standard SSD and ultra disks to provide a lower cost for customers migrating workloads with less predictable traffic patterns to the cloud.
 Preview of the new bursting capabilities on applicable Premium SSD with up to 30x performance for spiky workloads.
 Preview of ADLS multi-protocol access which provides core blob features with Azure Data Lake Storage (ADLS) Gen2 including logging, tiering, and event grid integration, enhancing enterprise integration.
 Preview of Azure Peering Service which targets customers with an internet-first network strategy for accessing Azure and SaaS services such as Office 365. Through partnering with internet service providers, customers can now take advantage of our global network to enable reliable and optimized internet connectivity to Microsoft services.
 General availability of satellite support for Azure ExpressRoute to extend services into hard-to-reach areas critical for many customers across industries.
 General availability of Azure Bastion, making Azure the first public cloud to bring this functionality integrated as-a-service into the platform, with fast and super simple deployment of a bastion host to your infrastructure in Azure.

Unmatched security and simplified scalability for any workload

With 54 regions worldwide, we offer more regions than any other cloud provider across six continents. We are continuously investing in Azure to ensure it meets the highest reliability and scalability standards so you can be confident when running your business-critical workloads. When it comes to cloud security, we invest over a billion dollars a year and employ over 3,500 employees focused on security. Just a few weeks ago, we announced the general availability of Azure Sentinel, a built-in cloud-native SIEM that protects your entire enterprise.

This week, we are highlighting some of the enhancements we are making on Azure scalability, reliability, and security:

 General availability of Generation 2 Azure Virtual Machines, improving security with the support for Intel Software Guard Extensions (Intel SGX), and the ability to provide large VMs (up to 12TB) and OS Disks sizes that exceed 2TB.
 Preview of new features for virtual machine scale sets, for Windows and Linux, that will help you more easily manage VMs while improving runtime and performance capabilities. For example, you can now provision custom VM images at scale using the shared image gallery, while accelerating provisioning times.
 Preview of object replication service to support geo-distributed applications with customer-controlled blob replication to different regions.
 Enhanced Azure Security Center capabilities including even richer vulnerability assessment for VMs powered by Qualys, support for Kubernetes containers, and integration of security recommendations from partners including Check Point, Tenable and CyberArk available soon.
 Azure Sentinel enhancements including connectors for Citrix and ZScaler, investigation tools for suspicious URLs, and enriched detections.
 Azure Managed Disks enhanced to provide customers with full control over their compliance needs by enabling server-side encryption with customer-managed keys. This will enable customers to leverage Azure Key Vault and track key usage. This new capability is available in preview for Premium solid-state drive (SSD), Standard SSD, and Standard hard disk drive (HDD) disk types.

Unified hybrid management across all your environments

We are seeing customer IT environments evolve as more workloads move to the cloud and with the rise of edge computing. IT environments are becoming increasingly complex with different types of applications, hardware, multi-cloud, and edge environments, essentially creating an IT resource sprawl. Customers tell us that they are looking for a unified approach to organize, govern, and secure their IT resources wherever they are from a central place, at scale.

At Microsoft Ignite, we are announcing hybrid capabilities to enable cloud innovation anywhere with consistent management across on-premises and multi-cloud environments. Some of these highlights include:

 Preview of Azure Arc, a set of technologies that extend Azure management and enable Azure data services across on-premises, multi-cloud, and edge. Customers now have a central, unified approach to manage and govern Windows and Linux servers, Kubernetes clusters, and Azure data services wherever they are. Azure Arc also extends the adoption of cloud practices like DevOps, Azure Governance, and Azure security across on-premises, multi-cloud, and edge.
 General availability of Windows Admin Center version 1910 that delivers powerful hybrid capabilities to manage Windows Servers wherever they run. It streamlines integration of on-premises servers to Azure for disaster recovery, backup, patching, and monitoring, and now includes integration with Azure Security Center. Windows Admin Center also enables customers to use Azure Arc to take advantage of unified hybrid management from Azure.
 We are also expanding the Azure Stack portfolio to include Azure Stack Edge. Azure Stack Edge is an Azure managed appliance that brings the compute, storage, and intelligence of Azure to any edge location. You can manage Azure Stack Edge right from the Azure Portal.

All of these new capabilities can be combined with Azure’s latest developments in application modernization, including our new serverless, container, and functions capabilities.

These are just some of the highlights we’re delivering at Microsoft Ignite this week. We look forward to seeing how our customers integrate these capabilities into their digital transformation journey.

Azure. Invent with purpose.
Source: Azure

Growing partner opportunity with Azure innovation

At Microsoft Ignite, we are sharing a wealth of new products and business news, across Microsoft’s unique technology stack—spanning on-premises, client, server, and cloud. For Microsoft Azure, we have always believed in building products and programs that help our customers invent with purpose. Our announcements reinforce this belief and deliver on our promises of helping customers be future ready, build on their terms, operate hybrid seamlessly, and do all this with an uncompromising foundation of trust.

To see a full list and details of these Azure announcements, please visit the Microsoft Ignite webpage here. 

These announcements also unlock tremendous opportunities for you, our partners, to acquire new customers and grow Azure projects within your existing customer base. In this blog, we want to dig deeper in two key announcements, highlight the respective opportunities, resources, and how to take action.

Grow your business with Azure services that now run anywhere with new hybrid capabilities

At Microsoft Ignite, we take a leap forward in enabling customers to move from just hybrid cloud to truly deliver innovation anywhere with Azure.

To give customers the benefits of cloud innovation, including always up-to-date data capabilities, we’re delivering the ability for customers to run Azure data services anywhere.
Millions of Azure resources are organized, governed, and secured daily by customers using Azure management. Azure Arc extends these Azure management capabilities to Linux and Windows servers, as well as Kubernetes clusters on any infrastructure across datacenter, multi-cloud, and edge.
We are also expanding our Azure Stack Hub portfolio to offer our customers even more flexibility with the addition of Azure Stack Edge. Azure Stack Edge, previously Azure Data Box Edge, is a managed AI-enabled edge appliance that brings compute, storage, and intelligence to any edge.

As an Azure partner, Azure Arc now enables you to manage a customer’s infrastructure through one consistent and unified set of tools across on-premises, multi-cloud, and at the edge. You can also implement cloud security across a customer’s environment with centralized role-based access control, security policies, and advanced threat protection.

With Azure Lighthouse, you now have the ability to consistently manage a customer's Azure environment, and on-premises resources available via Azure Arc, from a single control plane, applying automation at scale.

Learn more about these exciting new hybrid capabilities.

Expand your analytics practice with Azure Synapse Analytics

We also announced Azure Synapse Analytics, a limitless analytics service, that brings together enterprise data warehousing and big data analytics. Simply put, Azure Synapse Analytics is the next evolution of Azure SQL Data Warehouse, delivering limitless scale, powerful insights, unified experience, and unmatched security. We have taken our industry leading data warehouse to a whole new level of performance and capabilities. Businesses can continue running their existing data warehouse workloads in production today with Azure Synapse Analytics, and will automatically benefit from the new capabilities which are in preview.

If you are a data partner, Azure Synapse Analytics opens up new opportunities to help new and existing customers get more out of their business data. Through the unified experience and unmatched security, you can address the needs of everybody, from those of data engineers managing pipelines to the needs of business analysts trying to securely access datasets. If your practice helps customers garner insights for their business, Azure Synapse Analytics enables quick business insights and machine learning, reducing the time to get the insights for the customer. All this at limitless scale to grow with the needs of your customers. And for any independent software vendor (ISV) apps that worked with Azure SQL Data Warehouse, they will keep working with Azure Synapse Analytics.

Learn more about Azure Synapse Analytics.

We also assembled a curated set of resources for you to learn more about these new capabilities and respond to your customers' needs. These resources are located on our partners page.

Azure. Invent with purpose.
Source: Azure

Bring Azure data services to your infrastructure with Azure Arc

With the exponential growth in data, organizations find themselves in increasingly heterogeneous data estates, full of data sprawl and silos, spreading across on-premises data centers, the edge, and multiple public clouds. It has been a balancing act for organizations trying to bring about innovation faster while maintaining consistent security and governance. The lack of a unified view of all their data assets across their environments poses extra complexity for best practices in data management.

As Satya announced in his vision keynote at Microsoft Ignite, we are redefining hybrid by bringing innovation anywhere with Azure. We are introducing Azure Arc, which brings Azure services and management to any infrastructure. This enables Azure data services to run on any infrastructure using Kubernetes. Azure SQL Database and Azure Database for PostgreSQL Hyperscale are both available in preview on Azure Arc, and we will bring more data services to Azure Arc over time.

For customers who need to maintain data workloads in on-premises datacenters due to regulations, data sovereignty, latency, and so on, Azure Arc can bring the latest Azure innovation, cloud benefits like elastic scale and automation, unified management, and unmatched security on-premises. 

Always current

A top pain point we continue to hear from customers is the amount of work involved in patching and updating their on-premises databases. It requires constant diligence from corporate IT to ensure all databases are updated in a timely fashion. A fully managed database service, such as Azure SQL Database, removes the burden of patching and upgrades for customers who have migrated their databases to Azure.

Azure Arc helps to fully automate the patching and update process for databases running on-premises. Updates from the Microsoft Container Registry are automatically delivered to customers, and deployment cadences are set by customers in accordance with their policies. This way, on-premises databases can stay up to date while ensuring customers maintain control.

Azure Arc also enables on-premises customers to access the latest innovations such as the evergreen SQL through Azure SQL Database, which means customers will no longer face end-of-support for their databases. Moreover, a unique hyper-scale deployment option of Azure Database for PostgreSQL is made available on Azure Arc. This capability gives on-premises data workloads an additional boost on capacity optimization, using unique scale-out across reads and writes without application downtime.

Elastic scale

Cloud elasticity on-premises is another unique capability Azure Arc offers customers. The capability enables customers to scale their databases up or down dynamically in the same way as they do in Azure, based on the available capacity of their infrastructure. This can satisfy burst scenarios that have volatile needs, including scenarios that require ingesting and querying data in real-time, at any scale, with sub-second response time. In addition, customers can also scale-out database instances by setting up read replicas across multiple data centers or from their own data center into any public cloud.

Azure Arc also brings other cloud benefits such as fast deployment and automation at scale. Thanks to Kubernetes-based execution, customers can deploy a database in seconds, setting up high availability, backup, and point-in-time-restore with a few clicks. Compared to the time- and resource-consuming manual work that is currently required to do the same on-premises, these new capabilities will greatly improve productivity of database administration and enable faster continuous integration and continuous delivery, so the IT team can be more agile to unlock business innovation.

Unified management

Using familiar tools such as the Azure portal, Azure Data Studio, and the Azure CLI, customers can now gain a unified view of all their data assets deployed with Azure Arc. Customers are able to not only view and manage a variety of relational databases across their environment and Azure, but also get logs and telemetry from Kubernetes APIs to analyze the underlying infrastructure capacity and health. Besides having localized log analytics and performance monitoring, customers can now leverage Azure Monitor on-premises for comprehensive operational insights across their entire estate. Moreover, Azure Backup can be easily connected to provide long-term, off-site backup retention and disaster recovery. Best of all, customers can now use cloud billing models for their on-premises data workloads to manage their costs efficiently.

See a full suite of management capabilities provided by Azure Arc (Azure Arc data controller) from the below diagram.

Unmatched security

Security is a top priority for corporate IT. Yet it has been challenging to keep up the security posture and maintain consistent governance on data workloads across different customer teams, functions, and infrastructure environments. With Azure Arc, for the first time, customers can access Azure’s unique security capabilities from the Azure Security Center for their on-premises data workloads. They can protect databases with features like advanced threat protection and vulnerability assessment, in the same way as they do in Azure.

Azure Arc also extends governance controls from Azure so that customers can use capabilities such as Azure Policy and Azure role-based access control across hybrid infrastructure. This consistency and well-defined boundaries at scale can bring peace of mind to IT regardless of where the data is.

Learn more about the unique benefits with Azure Arc for data workloads.

Azure. Invent with purpose.
Source: Azure

Intel Optane DC Persistent memory, Azure NetApp Files, and Azure Ultra Disk for SAP HANA

With the recent preferred cloud partnership with SAP, both companies are committed to ensuring that we provide customers with a simplified path for the migration from on-premises SAP ERP to SAP S/4HANA in the cloud, on Azure. Microsoft Azure enables customers to be future-ready, and for SAP customers our promise is to continue to offer market-leading innovation to support mission-critical SAP HANA and SAP S/4HANA workloads. With the recent general availability of Azure Mv2 virtual machines offering up to 12 TB of memory, purpose-built SAP HANA on Azure large instances offering scale up to 24 TB and scale-out up to 120 TB, 32 SAP certified configurations, global availability of SAP HANA infrastructure in 34 Azure regions, 99.99 percent SLA for availability, Azure offers the best scale, performance, global availability, and reliability for mission-critical SAP applications.

SAP HANA on Azure Large Instances with Intel Optane DC persistent memory

Today, we’re announcing another market-leading innovation for SAP HANA customers with the general availability of new SAP HANA on Azure Large Instances, powered by second generation Intel Xeon Scalable processors (codenamed Cascade Lake) and Intel Optane DC persistent memory. These instances are offered in single-node configurations with 3 TiB to 9 TiB of memory and 4 socket, 224 vCPUs and are generally available now. We are working with SAP towards TDIv5 certification for the Intel Optane persistent memory based instances.

| SKU | Total memory (TB) | DDR4 memory (TB) | Intel Optane persistent memory (TB) | SAP HANA certification |
|---|---|---|---|---|
| S224 | 3 | 3 | | OLTP, OLAP scale-up and scale-out up to 16 nodes |
| S224oo | 4.5 | 1.5 | 3 | Planned: OLAP and OLTP; Customer workload specific TDIv5 |
| S224m | 6 | 6 | | OLTP |
| S224m | 6 | 6 | | Planned: OLAP; Customer workload specific TDIv5 |
| S224om | 6 | 3 | 3 | Planned: OLAP and OLTP; Customer workload specific TDIv5 |
| S224ooo | 7.5 | 1.5 | 6 | Planned: OLAP and OLTP; Customer workload specific TDIv5 |
| S224oom | 9 | 3 | 6 | Planned: OLAP and OLTP; Customer workload specific TDIv5 |

We worked with SAP and Intel to bring the power of second generation Intel Xeon Scalable processors and Optane persistent memory, which combines the properties of the persistence of an SSD and access time similar to DRAM, to deliver the following tangible benefits to SAP HANA customers. First, Intel Xeon Scalable processors provide higher performance and a higher memory ratio per processor. Coupled with Optane persistent memory, customers can now run these instances with a much higher memory to processor ratio under SAP TDIv5 certification, reducing the number of instances required for scale-up and scale-out scenarios and enabling a much lower total cost of ownership (TCO). Since Optane technology is persistent, the SAP HANA column store is available even after a power cycle, which is required for maintenance situations. Intel’s tests with SAP HANA and Intel Optane persistent memory have shown load time reduction of 12x and this reduces the maintenance time window. Without persistent memory, the time for table loads from disk can take hours. Because of the rapid data load times for restart scenarios, for some non-critical production systems, this can eliminate the need for high availability (HA) configurations, saving cost and complexity.

Azure Ultra Disk for SAP HANA

Mission-critical SAP HANA deployments not only need the most scalable compute but also need high performance storage, to persist SAP HANA transactions quickly. Until now, Azure Premium SSD was the only Azure storage option that was certified for SAP HANA deployments on Azure Virtual Machines.

A few months ago, we announced the general availability of Azure Ultra Disk, a new high-performance storage offering that delivers up to 160K IOPS and 2 GBps throughput with sub-millisecond latency on a single disk. Azure Ultra Disk is now certified for SAP HANA with M-series, Mv2-series, and Ev3-series virtual machines (VMs). The low latency and high throughput offered by Ultra Disk can significantly accelerate SAP HANA database transactions. With the ability to dynamically change the provisioned IOPS and throughput on Ultra Disk, customers can now meet seasonal SAP workload needs at lower costs, without provisioning for peak performance year round.

SAP HANA scale-out on Azure and Azure NetApp Files

SAP HANA provides scale-out configurations for SAP applications such as SAP Business Warehouse (BW) or S/4HANA. To improve the availability of such scale-out configurations, SAP HANA supports architectures where standby nodes are set aside in addition to the nodes performing the actual work. Such a standby node can take the role of an active node that is handling the workload, in case of patching or a malfunction of the active node. One of the basic requirements for such a scale-out plus standby node configuration is a high performing and low latency storage architecture that allows sharing of the HANA disk volumes across all nodes.

With Azure’s purpose-built SAP HANA on Azure large instances, we lead the industry in offering high performance compute with such a low latency shared storage, enabling many mission-critical SAP scale-out deployments. CONA Services, the services arm for Coca-Cola bottlers, chose Azure to run one of the largest SAP HANA deployments in the public cloud, at 28 TB in a 7+1 node configuration, because of the higher availability with the purpose-built shared NFS storage. Over the last few months, CONA Services has been able to seamlessly grow their scale-out cluster to 40 TB in a 10+2 (10 active, 2 standby) cluster, an impressive scale, serving 160,000 orders a day.

Today, we’re sharing the unique possibility to create such SAP HANA scale-out configurations with standby node on HANA certified Azure VMs and Azure NetApp Files, our purpose-built bare-metal file-storage service powered by NetApp. The Azure native NFS v4.1 service offered on Azure NetApp Files is unique amongst all the hyperscale cloud providers, with low storage latency and high throughput to fulfill all SAP HANA certification criteria. Customers deploying SAP HANA scale-out with standby node on Azure VMs such as M, Mv2, and E-series and Azure NetApp Files can achieve significantly higher availability, simplified maintenance and higher performance at a lower TCO. Beyond offering scale-out plus standby node configurations with Azure’s HANA Large Instances, Azure is the only hyperscale cloud provider that now offers SAP HANA scale-out with standby node configurations for Virtual Machines. Azure NetApp Files is now available in 11 regions.

Customers migrating SAP workloads to Azure

With Azure’s continuous innovation for SAP HANA infrastructure services, deep partnership offerings with SAP, dedicated expertise in-house and through partners for SAP migration, we continue to see an uptick in the number of SAP customers migrating their mission-critical SAP workloads to Azure. Here are a few recent customers that have completed that journey.

Cemex: Cemex is a global leader in building materials based in Mexico, serving customers in 50 countries. Cemex chose Microsoft Azure for its digital transformation with SAP starting with the migration of its Asia SAP landscape from SAP ECC on Oracle to ECC on SAP HANA. After migrating to SAP HANA on Azure, Cemex sees a 70 percent increase in transaction performance and 93 percent faster provisioning time. Cemex also leverages Microsoft PowerBI with SAP HANA to accelerate business insights with easy to use, self-service BI reporting.

Achmea: Achmea is a Fortune 500 company and one of the leading insurance companies in Europe, with ten million customers and annual gross premium revenues of almost €20 billion. To become future ready and increase business agility, Achmea migrated to Azure for its mission-critical SAP BW, SAP Fraud Management, and SAP HANA data mart applications, running on SUSE Linux Enterprise Server. By migrating these SAP HANA based applications to Microsoft Azure, Achmea has gained a flexible, scalable, compliant, and enterprise-class platform for running mission-critical workloads.

TomTom: TomTom is a leading European Telematics service provider, serving hundreds of millions of customers. TomTom runs a SAP ERP and SAP BW at the core of their enterprise and when their hardware on-premises could not keep up with the growing SAP HANA database demand, TomTom decided to migrate their SAP systems to Azure and completed the migration in under three months. By running SAP on Azure, TomTom has benefited from the agility of spinning up SAP environments in hours vs weeks and higher availability and stability.

Thames Water: Thames Water manages the water supply for 10 million customers across London and the Thames Valley. The company relies on insights from data to solve problems on its network proactively, including leaks. To accelerate a manual, time-consuming process which could take 3-5 weeks, Thames Water decided to migrate its SAP systems to Azure to support faster, easier innovation. Working with Centiq, an SAP on Azure Partner, and Microsoft, Thames Water built deployment automation for its SAP BW and SAP S/4HANA systems by leveraging Azure APIs, Terraform, and Ansible. Today, they are able to spin-up an entire SAP system in under four hours, boosting agility, reducing operational costs, and increasing visibility into customer data.

To learn more about running SAP solutions on Azure, visit the SAP on Azure web page.

Intel, the Intel logo, Xeon, and Optane are trademarks of Intel Corporation in the U.S. and/or other countries.

 

Azure. Invent with purpose.
Source: Azure

Azure Arc: Extending Azure management to any infrastructure

If you are like many of our customers, you run a mix of applications in your on-premises datacenters, in the cloud and at the edge. We have been on a journey over the last few years to bring you hybrid innovations to meet you where you are. We have invested in individual connected management services such as Azure Monitor and Azure Backup. We have also delivered a consistent platform through Azure Stack Hub, ensuring that investments made in Azure can be used in disconnected environments.

Many enterprises still face a sprawl of resources spread across multiple datacenters, clouds, and edge locations. Our customers tell us that they are looking for a cloud-native control plane to inventory, organize, and enforce policies for their IT resources wherever they are, from a central place.

At Microsoft Ignite this week, we're taking another major step forward with our hybrid technology. We are announcing Azure Arc, a set of technologies that extends the control plane of Azure out to on-premises, multi-cloud environments and edge. Azure Arc enables customers to have a central, unified, and self-service approach to manage their Windows and Linux Servers, Kubernetes clusters, and Azure data services wherever they are. Azure Arc also extends adoption of cloud practices like DevOps and Azure security across on-premises, multi-cloud, and edge. In addition to extending the control plane for management, Azure Arc enables customers to run Azure data services anywhere.

Extend Azure management across your environments

Hundreds of millions of Azure resources are organized, governed, and secured daily by customers using Azure Resource Manager. Azure Resource Manager is the control plane in Azure that provides robust deployment, management, and governance capabilities with Azure Cloud Shell, Azure portal, API, role-based access control (RBAC) and Azure Policy for all Azure resources.

A key aspect of Azure Arc is the work we’ve done to extend Azure Resource Manager beyond Azure so that customers have a central and unified approach to manage Windows and Linux Servers, Kubernetes clusters and Azure data services at scale across on-premises, multi-cloud, and edge.

Azure Arc extends Azure management across on-premises, multi-cloud, and edge

Using Azure Arc to govern across environments

To illustrate the above scenarios of Azure Arc, let's take a look at a large financial organization that has sprawling server-based IT systems and Kubernetes clusters deployed in datacenters, private, and public clouds. The sprawl makes it difficult to gain visibility across their environment and harder to manage, govern, and meet compliance requirements.

With Azure Arc, they can manage servers and Kubernetes clusters to get the following benefits:

Asset organization and inventory of Windows and Linux Servers, Kubernetes clusters and Azure services with a unified view in the Azure portal and API
Universal governance of customer resources through Azure Policy
Standardized role-based access control (RBAC) across systems and different types of resources
Enable application owners to apply and audit their applications to meet compliance requirements
Ability to measure and remediate compliance at scale and down to the individual application, server, or cluster

Adopting cloud practices on-premises

Azure provides cloud DevOps and cloud-native configuration management at scale for all Azure resources. Such cloud practices are optimized for developers that need immediate and programmatic access to resources to create new cloud-native applications. Azure Arc extends these capabilities to any infrastructure across on-premises, multi-cloud, and edge environments. Developers can build containerized apps with the tools of their choice and IT teams can use configuration as code to ensure that the apps are deployed, configured, and governed uniformly using GitOps-based configuration management across on-premises, multi-cloud, and edge.

Adopt cloud practices like config management at scale

Deploy to and manage multiple locations at scale

To illustrate the above scenario of Azure Arc, let's take a look at a retailer with hundreds of stores that would like to move all in-store applications to containers running on Kubernetes clusters. They are faced with the challenge of how to uniformly deploy, configure, and manage their containerized applications across multiple locations.

With Azure Arc, IT and development teams can manage the app in existing stores, and quickly light up a new location by automating error-prone and procedural tasks. Additionally, they get the following benefits:

At scale configuration and deployment based on Azure subscriptions, resource groups, and tags
GitOps-based model for deploying configuration-as-code to one or many clusters
Application deployment and update at scale
Source control based safe deployment practices when rolling out new applications and configurations
Freedom for developers to use the tools they are familiar with

Implement Azure security anywhere

We know the importance of security and compliance to businesses, so we brought our leadership in cloud security to on-premises, multi-cloud and edge with Azure Arc. We built Azure Arc to bring capabilities and practices such as RBAC, Azure activity log for auditing actions, Azure Lighthouse for secure delegated management and enforcement of security policies through Azure Policy.

Get started

We will be sharing more updates on Azure Arc at Microsoft Ignite this week. To learn more about Azure Arc, visit the Azure Arc page.

If you're at Microsoft Ignite this week, please attend the following sessions to learn more:
BRK 2208 Introduction to Azure Arc on Tuesday, Nov 05 at 11:45 AM ET
BRK 3327 Azure Arc: Extend Management and Governance on Wednesday, Nov 06 at 1:00 PM ET

You can get started right away by previewing management of Windows and Linux servers across on-premises, multi-cloud, and edge. Join the preview to start managing Windows and Linux servers anywhere using Azure Arc.

Sign up for more information on Azure data services anywhere enabled by Azure Arc, and management of Kubernetes clusters by Azure Arc.

Azure. Invent with purpose.
Source: Azure

Azure Machine Learning—ML for all skill levels

Enterprises today are adopting artificial intelligence (AI) at a rapid pace to stay ahead of their competition, deliver innovation, improve customer experiences, and grow revenue. AI and machine learning applications are ushering in a new era of transformation across industries from skill sets to scale, efficiency, operations, and governance.

Microsoft Azure Machine Learning provides enterprise-grade capabilities to accelerate the machine learning lifecycle and empowers developers and data scientists of all skill levels to build, train, deploy, and manage models responsibly and at scale. At Microsoft Ignite, we’re announcing a number of major advances to Azure Machine Learning across the following areas:

New studio web experience that boosts machine learning productivity for developers and data scientists of all skill levels, with flexible authoring options from no-code drag-and-drop and automated machine learning, to code-first development.
New industry-leading Machine Learning Operations (MLOps) capabilities to manage the machine learning lifecycle, enabling data science and IT teams to deliver innovation faster.
New open and interoperable capabilities that provide choice and flexibility with support for R, Azure Synapse Analytics, Azure Open Datasets, ONNX, and other popular frameworks, languages, and tools.
New security and governance features including role-based access control (RBAC), Azure Virtual Network (VNet), capacity management, and state-of-the-art responsible AI interpretability and fairness capabilities.

Let’s dive into these announcements in detail to see how Azure Machine Learning is helping individuals, teams, and organizations meet and exceed business goals.

Access machine learning for all skill levels and boost productivity

“By improving forecasting using Azure Machine Learning automated ML, we can reduce waste and ensure pizzas are ready for our customers. This will reduce the guesswork for our operators and allow them to spend more time focusing on other aspects of store operations. Rather than guessing how many pizzas to have ready, store operators are focusing on making sure every customer experience is an excellent one.” – Anita Klopfenstein, CEO, Little Caesars Pizza.

The new studio web experience (currently in preview) enables data scientists and data engineers of all skill levels to complete end-to-end machine learning tasks, including data preparation, model training, deployment, and management in a seamless manner. Choose from three different authoring options based on your skill and preference—no-code drag-and-drop designer, automated machine learning, or a code-first notebooks experience. Access Azure Machine Learning assets (including datasets and models) and rich capabilities (including data drift, monitoring, labeling and more) all from a single location.

 

Studio web experience

Designer (currently in preview) provides drag-and-drop workflows to simplify the process of building, testing, and deploying machine learning models using a visual experience. Customers currently using the classic version of Azure Machine Learning Studio are encouraged to try Designer so they can benefit from the scale and security of Azure Machine Learning.

Automated machine learning user interface (currently in preview) helps data scientists build models without writing a single line of code. Automate the time-intensive tasks of feature engineering, algorithm selection, and hyperparameter sweeping, then operationalize your model with a few clicks of a button.

Notebooks (currently in preview) are a fully managed solution for developers and data scientists to easily get started with machine learning, with pre-configured custom environments that eliminate setup time, while providing management and enterprise readiness capabilities for IT administrators.

New data labeling (currently in preview). High quality labeled data is vital to creating high accuracy models for supervised learning. Teams can now manage data labeling projects seamlessly from within the studio web experience to get labels against data, speeding up the time-intensive process of manual labeling. Labeling tasks supported include object detection, multi-class image classification, and multi-label image classification.

Operationalize at scale with industry-leading MLOps

Azure Machine Learning features built-in MLOps capabilities for enterprise-grade machine learning lifecycle management that enable data science and IT teams to collaborate and increase the pace of model development and deployment.

“TransLink was able to leverage MLOps in Azure Machine Learning to build and manage models and deploy them in production. This created greater efficiencies and transparency as we moved over 16,000 machine learning models from pilot to production. Ultimately, TransLink customers benefited with improvement between predicted and actual bus departure times of 74%, so they can better plan their journey on TransLink's bus network.” – Sze-Wan Ng, Director Analytics & Development, TransLink.

New updates to build reproducible models and achieve machine learning governance and control

Datasets help data scientists and machine learning engineers easily access data from a number of Azure storage services, apply datasets rapidly, reuse them efficiently across tasks, and track data lineage automatically.
Rich dataset and model registries help track assets and information to effectively operationalize models and simplify workflows from training to inferencing.
Version control helps track and manage assets, providing enhanced traceability and supporting the creation of reproducible pipelines for consistent model delivery.
Audit trail capabilities ensure asset integrity and provide control logs to help meet regulatory requirements.

New updates to easily deploy models and efficiently manage the machine learning lifecycle

Batch inference helps increase productivity and decrease cost by generating predictions on terabytes of structured or unstructured data.
Controlled roll-out enables the deployment of different model versions under a common scoring endpoint in order to implement a sophisticated deployment pipeline and release models with confidence.
Data drift monitoring helps maintain model accuracy by detecting model performance issues from changes to model input data over time. Drift analysis includes magnitude of drift, contribution by feature, and other insights so that appropriate action can be taken, including retraining the model.

 

Data drift monitoring

Innovate using open and interoperable capabilities

With Azure Machine Learning, developers and data scientists can access built-in support for open source tools and frameworks like PyTorch, TensorFlow, and scikit-learn, or the open and interoperable ONNX format. We now support Open Neural Network Exchange (ONNX), the open standard for representing machine learning models. With the new v1.0 release, ONNX Runtime offers stable Python APIs that can be used in Azure Machine Learning on both CPU and GPU.

New R-based capabilities enable data scientists to run R jobs on Azure Machine Learning and then manage and deploy R models as web services. Data scientists can choose their preferred development environment: one-click access to the browser-based integrated development environment (IDE) of RStudio Server (open source edition) or Jupyter with R.

Azure Synapse Analytics is now deeply integrated with Azure Machine Learning to greatly expand the discovery of insights from all your data and apply machine learning models to your intelligent apps.

Azure Open Datasets are now generally available and provide curated datasets, hosted on Azure, and easily accessible from Azure Machine Learning workspaces to accelerate model training. Over 25 datasets are now available, including socio-economic data, satellite imagery, and more. New datasets are continuously being added, and you can nominate additional datasets to Azure.

Build on a secure foundation

“With Azure Machine Learning our data scientist teams can work in an environment supported with industry standard trust and compliance. Enterprise readiness capabilities like RBAC, VNet, Key Vault ensure that we have granular control over our resources and deliver innovation on a secure platform that enhances productivity so that teams can focus on machine learning tasks rather than infrastructure and setup.” – Cary Goltermann, Manager, Ignition Tax, KPMG LLP.

Security and enterprise readiness updates

Workspace capacity management (currently in preview) helps administrators review compute usage across workspaces and clusters within a subscription for efficient resource distribution. Capacity limits can be set to reallocate resources for capacity management and governance.
Role Based Access Control, or RBAC, (in preview) helps define custom roles for granular access control and supports advanced security scenarios.
Virtual network, or VNet, (in preview) provides a security boundary to isolate compute resources used to train and deploy models when running experiments through inferencing.

Fairness: In addition to model interpretability in Azure Machine Learning, which supports transparency and model understanding, data scientists and developers can now leverage Fairlearn, the new open source fairness assessment and mitigation tool. This tool assists organizations with uncovering insights about fairness in their model predictions through an intuitive and configurable set of visualizations.

 

Fairness feature insights

Start building today

We are excited to bring you these capabilities to help accelerate the machine learning lifecycle, from new productivity experiences that make machine learning accessible to all skill levels, to robust MLOps and enterprise-grade security, built on an open and trusted platform. We are committed to continued investments in machine learning to support your business and applications and help you drive business transformation with AI.

Get started with a free trial of Azure Machine Learning.
Learn more using new samples and tutorials.
Read all the Azure AI news from Microsoft Ignite.


Build a data-driven culture to accelerate innovation

Organizations today must embrace a data-driven culture or risk being left behind. A recent Harvard Business Review survey found organizations with data-driven cultures improve revenue by four times and unlock rich insights to drive meaningful business transformation and customer satisfaction.

As organizations evolve, new tools and resources are needed to enable them to harness the power of their data anywhere and to build a data-driven culture.

Transform data into insights

A data-driven culture requires the ability to derive timely and accurate business insights across all data. Modern organizations require analytics services that aren’t limited by data types, processing engines, organizational boundaries, or data skills.

Today, we announced Azure Synapse Analytics, a limitless analytics service that brings together enterprise data warehousing and big data analytics with a unified experience to ingest, prepare, manage, and serve data for immediate BI and machine learning needs. We have evolved the same industry-leading SQL Data Warehouse to a new level of performance and capabilities. Organizations can continue running existing data warehouse workloads in production today with Azure Synapse Analytics and will automatically benefit from new capabilities which are in preview.

The deepest insights often emerge when organizations enrich their data with that of their customers and partners. Today, Microsoft Azure Data Share is generally available, enabling simple data sharing across organizational boundaries. Organizations can maintain a single pane of glass over all data sharing relationships, easily specify terms of use, and manage data access in an open and secure way.

Finally, data flows in Azure Data Factory transform Azure Data Factory into a truly comprehensive extract, transform, and load (ETL) offering with code-free and code-first data ingestion, preparation, and transformation capabilities in a simple, visual interface.

Azure’s analytics services offer organizations unmatched performance to reason over all their data, while giving them the peace of mind they have come to expect from Azure around data governance, security, and compliance.

Innovation anywhere with Azure

Azure is committed to empowering organizations to build on their terms with flexibility and choice, and that includes the freedom to operate anywhere. Today’s announcement of Azure Arc enables organizations to run Azure data services anywhere, be it on-premises, multi-cloud, or edge environments. This unlocks cloud automation benefits, always up-to-date innovation, and unified management across on-premises and cloud. Azure Arc is available in preview for Azure SQL Database and Azure Database for PostgreSQL Hyperscale, with additional Azure data services coming in the future.

We are also extending the power of SQL to the edge with the preview of Azure SQL Database Edge. Azure SQL Database Edge brings data streaming, storage, full time series support, and AI capabilities to edge computing scenarios.

SQL Server keeps getting better

SQL Server 2019, now generally available, acts as the hub for an organization's entire data estate, including support for Apache Spark and Hadoop Distributed File System (HDFS) to create a data lake on a unified platform with AI built-in. SQL Server 2019 provides organizations with a single view to seamlessly reason over all their data, including structured, unstructured, and new data sources (Oracle, Teradata, MongoDB, and more).

As organizations think about modernizing their SQL workloads in the cloud, SQL runs best on Azure. Azure SQL Database offers a fully managed, evergreen cloud database service from the company that has developed and perfected SQL over the past 25 years. An independent GigaOm study showed Azure SQL Database as the clear leader in price-performance, with up to 86 percent cost savings versus competitors.

Future-ready innovation

Building the confidence to invest in becoming a data-driven enterprise is much easier when organizations can trust their cloud to support their innovation today and their product vision for tomorrow. Microsoft continues to invest in advancing its Azure database capabilities across SQL, NoSQL, and open source, so organizations can be future-ready.

With today’s announcement of the preview of Azure SQL Database integration with Power Apps and Azure Stream Analytics, organizations can quickly create low-code applications connected to Azure SQL Database and transform data in real time. Azure is the only cloud with serverless SQL, with Azure SQL Database serverless now generally available, making Azure SQL Database even more cost-effective and easy to manage. The expansion of available compute and memory options on Azure SQL Database delivers even more mission-critical performance. Azure open source relational databases are future-ready with the addition of support for 20,000 IOPS and reserved instance purchase options.

Azure Database for PostgreSQL Hyperscale, now generally available, unleashes high-performance horizontal scaling for PostgreSQL workloads requiring sub-second response times and virtually limitless storage—up to 100 TB—with no need to rearchitect applications.

Finally, we continue to expand the capabilities and value of Azure Cosmos DB with the preview of autopilot mode, enabling automatic management of provisioned throughput for unpredictable or "spikey" workloads, while maintaining service-level agreements (SLAs) and high performance.

Ready to start building your data-driven culture?

When it comes to building a data-driven culture to drive meaningful outcomes within your organization, Azure has you covered with unmatched analytics, a true hybrid experience, and future-ready innovation.

Explore the full list of Microsoft Ignite announcements.
