AZURE Cloud Monthly Newsletter – July 2024.
Santhosh (Santhoshkumar) Anandakrishnan
Cloud Solution Architect | Azure MVP | Cloud & Infrastructure Consulting | Co-Organiser Azure Builders Meetup
In the July 2024 edition of our monthly Azure Cloud updates newsletter, we are excited to bring you the latest happenings in Azure. I am working on curating the most important updates and improvements to keep you informed and empowered. I'd like to ensure you have a comprehensive overview of all the latest developments.
1. Azure Compute Services
1.1 Public Preview: Upgrade existing Azure Gen1/Gen2 VMSS to Gen2-Trusted launch
We are excited to announce preview support for upgrading the VMSS Uniform resource to Gen2-Trusted launch to enable Trusted launch on existing Azure Gen1/Gen2 Virtual Machine Scale Sets (VMSS) Uniform.
What is changing with this update? Azure Virtual Machine Scale Sets support enabling Trusted Launch on existing Uniform scale set VMs by upgrading to the Trusted Launch security type. This will help improve the foundational security of existing Azure VMSS resources. Trusted Launch VMs provide foundational compute security to Azure Generation 2 VMs by enabling Secure Boot and vTPM capabilities. These capabilities protect the OS against rootkits and bootkits and enable attestation by measuring the VM's boot chain.
To learn more about this update, visit: https://learn.microsoft.com/en-au/azure/virtual-machines/trusted-launch-existing-vmss?tabs=template
1.2 Generally Available: Backup and restore of virtual machines with private endpoint-enabled disks
Backup and restore of Azure virtual machines that use private endpoint-enabled disks is now generally available (GA).
What is changing with this update? This support is available for virtual machines using standard and enhanced backup policies and can be configured using standard Azure Backup experiences. Additionally, while initiating restores, you can specify the network access settings for restored disks: you can choose if you want the restored disks to use the same network configuration as the source disks, allow access from specific networks only, or allow public access from all networks.
To learn more about this update, visit: https://learn.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms#assign-network-access-settings-during-restore-preview
1.3 Generally Available: Azure Site Recovery support for Azure Trusted Launch VMs (Windows OS)
Azure announced the General Availability of Azure Site Recovery support for Azure Trusted Launch VMs. These VMs provide foundational compute security to Azure Generation 2 VMs by enabling Secure Boot and vTPM capabilities. This general availability is for Windows OS only.
What is changing with this update? Trusted launch protects against advanced and persistent attack techniques. It is composed of several coordinated infrastructure technologies that can be enabled independently. Each technology provides another layer of defense against sophisticated threats.
To learn more about this update, visit: https://learn.microsoft.com/en-us/azure/site-recovery/concepts-trusted-vm
1.4 Generally Available: Azure VM Regional to Zonal Move
This new feature allows you to move an existing VM in a regional configuration (deployed without any infrastructure redundancy) to a zonal configuration (deployed into a specific Azure availability zone) within the same region.
What is changing with this update? The capability to convert regional VMs to a zonal configuration within the same region is now generally available. This feature will help you achieve better application resiliency and availability by moving your application to a zonal configuration. When you migrate to availability zones, Azure recommends that you select multiple zones for your new VMs and Virtual Machine Scale Sets to ensure the high availability of your compute resources.
To learn more about this update, visit: https://learn.microsoft.com/en-us/azure/reliability/migrate-vm?toc=%2Fazure%2Fvirtual-machines%2Ftoc.json&bc=%2Fazure%2Fvirtual-machines%2Fbreadcrumb%2Ftoc.json#migration-option-2-vm-regional-to-zonal-move
2. Azure Data and Storage Services
2.1 Public Preview: Convert to Azure Premium SSD v2 disks
Leverage this feature to confidently move your workloads to Pv2 and take advantage of the unparalleled balance of price and performance of Pv2 disks.
What is changing with this update? This feature allows you to migrate your existing Standard SSD, Standard HDD, or Premium SSD v1 disks to Pv2 disks in a few clicks with minimal downtime. This process avoids disk destruction, eliminates the need to use snapshots as a staging resource, and doesn't require waiting for background data copying.
To learn more about this update, visit: https://learn.microsoft.com/en-us/azure/virtual-machines/disks-convert-types?tabs=azure-powershell.
2.2 Public Preview: Azure NetApp Files large volume enhancement – increased throughput and maximum size limit of 2 PiB volume
Azure announced increased maximum throughput and size limits for Azure NetApp Files large volumes. This significant update brings an increased size limit of 1 PiB, available via Azure Feature Exposure Control (AFEC), allowing for more extensive and robust data management solutions for various workloads, including HPC, EDA, VDI, and more.
What is changing with this update? We are introducing a public preview of an even larger volume type, starting from 1-PiB up to 2-PiB, available upon request. This 2-PiB enhancement is subject to regional availability and capacity, ensuring we can meet your needs and requirements. This feature is currently in public preview.
To learn more about this update, visit: https://learn.microsoft.com/en-us/azure/azure-netapp-files/large-volumes-requirements-considerations
2.3 Public Preview: Azure Data Box now supports select cross-region transfer
Azure Data Box cross-region data transfer capabilities, now in preview, support seamless ingest of on-premises data from a source country/region to select Azure destinations in a different country/region.
What is changing with this update? With this capability, you can now copy on-premises data from Singapore or India to the West US Azure destination region. Note that the Azure Data Box doesn't ship across commerce boundaries. Instead, it's transported from/to an Azure datacenter within the originating country or region where the on-premises data resides. Data transfer to the destination Azure region occurs across the Azure network and incurs no additional fee.
To learn more about this update, visit: https://learn.microsoft.com/en-us/azure/databox/
2.4 Generally Available: Soft delete for NFS Azure file shares
Soft delete protects Azure file shares from accidental deletion. This feature is already available for SMB file shares. Today, we are announcing the general availability of soft delete for NFS Azure file shares. The functionality will remain the same.
What is changing with this update? Azure Files offers soft delete, which allows you to recover your file share when an application or other storage account user mistakenly deletes it. Soft delete is like a recycle bin for your file shares. When an NFS file share is deleted, it transitions to a soft deleted state as a soft deleted snapshot. As part of the retention policy, you can configure how long the soft deleted data is recoverable before permanently erasing; by default, it's set to 7 days.
To learn more about this update, visit: https://learn.microsoft.com/en-au/azure/storage/files/storage-files-prevent-file-share-deletion
3. Azure Network and Security Services:
3.1 Generally Available: ExpressRoute Traffic Collector support for provider circuits.
Azure ExpressRoute customers can now configure ExpressRoute Traffic Collector on their 1G+ provider circuits. This expands the existing service, which previously only supported ExpressRoute Direct circuits.
What is changing with this update? ExpressRoute Traffic Collector is a fully managed traffic monitoring solution built for ExpressRoute. It logs IPFIX flow records that can be queried to improve visibility into circuit traffic.
ExpressRoute Traffic Collector enables sampling of network flows sent over your ExpressRoute circuits. Flow logs get sent to a Log Analytics workspace where you can create your log queries for further analysis. You can also export the data to any visualization tool or SIEM (Security Information and Event Management) you choose. Flow logs can be enabled for private and Microsoft peering with ExpressRoute Traffic Collector.
To learn more about this update, visit: https://learn.microsoft.com/en-us/azure/expressroute/traffic-collector
3.2 Generally Available: ExpressRoute FastPath Support for Vnet Peering & UDR
When FastPath is enabled, it enhances data path performance. Instead of routing through the gateway, FastPath sends network traffic directly to virtual machines within the virtual network, reducing the number of hops and potential bottlenecks. However, FastPath still requires a virtual network gateway to exchange routes between the virtual and on-premises networks.
What is changing with this update? This feature enhances data path performance between on-premises customer networks and Azure Virtual Networks. It also unlocks 100 Gbps connectivity to VMs deployed in hub-and-spoke designs over ExpressRoute.
With Virtual Network Peering and User-Defined Routes (UDR) support, FastPath will send traffic directly to VMs deployed in spoke virtual networks (connected via Virtual Network Peering) and honour any UDRs configured on the Gateway Subnet. However, FastPath support for virtual network peering and UDRs is only available for ExpressRoute Direct connections.
To learn more about this update, visit: https://learn.microsoft.com/en-us/azure/expressroute/about-fastpath
3.3 Generally Available: Microsoft Entra Suite
The Microsoft Entra Suite delivers a complete cloud-based solution for workforce access. It combines identity and network access to secure employee access to any cloud or on-premises application and resource from any location, consistently enforce least privilege access, and improve the employee experience.
To learn more about this update, visit: https://www.microsoft.com/en-us/security/blog/2024/07/11/simplified-zero-trust-security-with-the-microsoft-entra-suite-and-unified-security-operations-platform-now-generally-available/
3.4 Generally Available: Microsoft Security Service Edge
Microsoft’s Security Service Edge (SSE) solution is about helping you eliminate security gaps in your defenses, extending Conditional Access and continuous access evaluation to all your applications and resources, whether on-premises or in any cloud. Microsoft announced the general availability of Microsoft Entra Private Access and Microsoft Entra Internet Access. These two products and our SaaS security-focused CASB, Microsoft Defender for Cloud Apps, comprise Microsoft's Security Service Edge solution. This cloud-delivered, identity-centric networking model transforms how you secure access.
To learn more about this update, visit: https://www.microsoft.com/en-us/security/blog/2024/07/11/simplified-zero-trust-security-with-the-microsoft-entra-suite-and-unified-security-operations-platform-now-generally-available/
4. Azure Containers Services:
4.1 Public Preview: Managed identity support for scaling rules in Azure Container Apps
Azure Container Apps manages automatic horizontal scaling through declarative scaling rules. As a container app revision scales out, new instances of the revision are created on demand. These instances are known as replicas.
Adding or editing scaling rules creates a new revision of your container app. A revision is an immutable snapshot of your container app.
What is changing with this update? You can now use managed identities in your scale rules to authenticate with supported Azure services. This can be done using the Azure CLI or Azure Resource Manager (ARM). Azure recommends using managed identity whenever possible to avoid storing secrets within the app.
To learn more about this update, visit: https://learn.microsoft.com/en-us/azure/container-apps/scale-app?pivots=azure-cli
4.2 Generally Available: Azure Container Apps support for peer-to-peer encryption
Azure Container Apps support for environment-level peer-to-peer Transport Layer Security (TLS) encryption is now generally available. By enabling the peer-to-peer encryption feature, all network traffic within the environment will be TLS encrypted with a valid private certificate within the scope of the Azure Container Apps environment.
What is changing with this update? Azure Container Apps supports peer-to-peer TLS encryption within the environment. Enabling this feature encrypts all network traffic within the environment with a valid private certificate within the scope of the Azure Container Apps environment. Azure Container Apps automatically manages these certificates.
To learn more about this update, visit: https://learn.microsoft.com/en-au/azure/container-apps/networking?tabs=workload-profiles-env%2Cazure-cli#peer-to-peer-encryption
4.3 Generally Available: Support for Azure Key Vault certificates in Azure Container Apps
You can now use Azure Key Vault to store and manage your own TLS/SSL certificates for Azure Container Apps at the environment level. You can do that using the Azure portal and the Azure CLI.
What is changing with this update? This follows security best practices by leveraging managed identities and simplifies management tasks like auto-rotation. You can set up Azure Key Vault to manage your container app's certificates, handle updates and renewals, and monitor them. Without Key Vault, you are left managing your certificate manually, which means you can't manage certificates in a central location and can't take advantage of lifecycle automation or notifications.
To learn more about this update, visit: https://learn.microsoft.com/en-us/azure/container-apps/key-vault-certificates-manage
4.4 Generally Available: Azure Container Storage
Azure Container Storage provides the best-in-class price performance for hosting stateful containers on cloud-based storage and delivering the lowest latency on locally attached storage.
What is changing with this update? Azure Container Storage is a cloud-based volume management, deployment, and orchestration service built natively for containers. It integrates with Kubernetes, allowing you to dynamically and automatically provision persistent volumes to store data for stateful applications running on Kubernetes clusters.
To learn more about this update, visit: https://learn.microsoft.com/en-us/azure/storage/container-storage/container-storage-introduction
5. Azure PaaS Services:
5.1 Generally Available: Run Azure Load Testing on Azure Functions
We can now create and run load tests directly from Azure Functions in the Azure portal. Select the function and key to test your functions and specify request parameters and load configuration.
What is changing with this update? Azure Load Testing is a fully managed load-testing service that enables you to generate a high-scale load. You will automatically gain access to client-side and function metrics, which will help identify performance bottlenecks. You can also view the test run history to monitor your Function App performance continuously.
To learn more about this update, visit: https://learn.microsoft.com/en-us/azure/load-testing/how-to-create-load-test-function-app
6. Other Azure Services:
6.1 Generally Available: Run load tests in debug mode on Azure Load Testing
Azure Load Testing now supports running low-scale test runs in Debug mode, enabling better debuggability with enhanced logging. It provides debug logs for the test script and request and response data for every failed request during the test run.
What is changing with this update? Debuggability of test scripts during load testing is crucial for identifying and resolving issues early in the testing process. It allows you to validate the test configuration, understand the application behaviour under load, and troubleshoot any issues.
To learn more about this update, visit: https://learn.microsoft.com/en-au/azure/load-testing/how-to-run-tests-in-debug-mode
6.2 Generally Available: Azure Monitor Log Enablement Policy Expansion
Azure Monitor enables customers to gain end-to-end observability into their applications, infrastructure, and network by collecting, analyzing, and acting on telemetry data from their cloud and hybrid environments. Diagnostic settings are a standard mechanism by which customers can enable the collection of platform logs that Azure makes available on the performance of their Azure resources.
What is changing with this update? The Azure Monitor team has recently released into general availability (GA) new built-in policies and initiatives for enabling diagnostic settings at scale for all log categories and updated initiatives for auditing customer interactions with service settings and service data via Azure Policy.
To learn more about this update, visit: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostics-settings-policies-deployifnotexists?tabs=portal
6.3 Generally Available: Encryption using Customer-Managed Keys for Backup Vaults
Azure Backup offers the ability to use your encryption keys to secure backup data. This capability is supported for Recovery Services Vaults and is extended to Backup Vaults. CMK for Backup Vaults is now generally available in all Azure Public regions.
What is changing with this update? You can use Customer Managed Keys (CMK) when creating a new backup vault or updating the encryption settings for an existing vault to use CMK.
To learn more about this update, visit: https://learn.microsoft.com/en-us/azure/backup/encryption-at-rest-with-cmk-for-backup-vault?tabs=azure-portal
6.4 Public Preview: New Azure Monitor Auxiliary Logs Plan
Azure Monitor Logs is a solution for collecting, analyzing, and acting on telemetry data generated by Azure and non-Azure resources and applications.
Azure Monitor Logs introduces a new plan in our multi-tier strategy for optimal consumption and cost optimization: Auxiliary Logs. These logs are for verbose events and are designed to be inexpensive while providing you with capabilities to manage and consume your data.
What is changing with this update? Azure Monitor's multi-tier strategy now supports three plans: Analytics, Basic, and the new Auxiliary plan. With a cost-effective pricing model, you can store all your logs in one place and retain different data types for as long or as little as you need.
To learn more about this update, visit: https://learn.microsoft.com/en-au/azure/azure-monitor/logs/create-custom-table-auxiliary
6.5 Generally Available: New capabilities added to Azure Monitor Basic Logs plan
Customers have widely adopted the Azure Monitor Basic Logs plan, which is continuously growing. To meet increasing demand and customer needs, we are now extending Basic Logs with more capabilities that provide more significant customer benefits.
What is changing with this update? Today, Azure is introducing the following improvements to the Basic Logs plan:
To learn more about this update, visit: https://learn.microsoft.com/en-au/azure/azure-monitor/logs/data-platform-logs#table-plans
6.6 Generally Available: Delete or Reset Azure Site Recovery replication appliance
Microsoft announces the General Availability of the Delete or Reset Azure Site Recovery replication appliance. If all the appliance components are healthy, you can reset the appliance to its factory state. If the appliance is in a critical state without connectivity, you can delete it from the Azure Portal.
What is changing with this update? The Azure Site Recovery replication appliance is a virtual machine that runs on-premises and replicates data from your servers to Azure for disaster recovery. When you no longer need it, you can delete it from the Azure portal.
To learn more about this update, visit: https://learn.microsoft.com/en-us/azure/site-recovery/delete-appliance
7. Azure Service Retirements:
7.1 App Service Environment v1/v2 will be retired on August 31, 2024
After 31 August 2024, App Service Environment v1 and v2 and the applications running on them will be deleted, and any associated application data will be lost. You can access several migration resources, including Azure FastTrack Architects, to provide more guidance.
Required action: To avoid service disruption, please follow the steps to complete your migration to App Service Environment v3 before 31 August 2024.
7.2 Azure Lab Services is being retired on June 28, 2027
Azure Lab Services will be retired on June 28, 2027, because other Microsoft VDI services, such as Azure Virtual Desktop, Windows 365, Azure DevTest Labs, and Microsoft Dev Box, are available. If these services don’t meet your requirements, we suggest you review and choose one of the recommended partner solutions. Review the retirement guide for more details about the partner options.
If you are an existing customer of Azure Lab Services, you can continue to use the service until June 28, 2027. New customers, however, will not be allowed to sign up for the service starting July 15, 2024. We are committed to supporting you for the service until June 28, 2027. After this date, Azure Lab Services won’t be supported, and you will not have access to your lab accounts, plans, or labs.
To avoid service disruptions, you are strongly recommended to move to one of the Microsoft services above or a partner solution by June 28, 2027.
7.3 Retirement: Azure Cloud Services Guest OS Families 2, 3, and 4
In July 2024, Azure announced the upcoming retirement of Guest OS Families 2, 3, and 4 for Cloud Services and Cloud Services Extended Support. The end-of-life dates are as follows:
Required action: Customers using these OS families must take action to ensure their cloud services remain supported. For affected services, it is recommended that they migrate to one of the supported Guest OS Families, especially Guest OS family 7 (Windows Server 2022). Transitioning to a supported OS family will ensure continued functionality and support for your cloud services. If you need more help, you can visit the Microsoft Q&A page or contact Azure support.
To learn more about this, visit: https://learn.microsoft.com/en-us/azure/cloud-services/cloud-services-guestos-family-2-3-4-retirement
I appreciate you taking the time to read our newsletter. Your feedback is valuable to us, so please don't hesitate to share any suggestions you have for improving it.
Accounts Manager at Al Jazeera International Marketing - Etisalat's Channel Partners
3 months ago: Very informative post. Thanks!
Relationship Builder | Cloud Solutions Consultant | Sales Engineer | Azure DevOps Engineer | Technical Strategist | Digital Marketer | Music Producer | Event Promoter | NV1 Security Cleared
3 months ago: Hey, thanks for posting that.