This month, Microsoft held their annual partner conference, Inspire, in Las Vegas, Nevada. As expected, there was lots of talk about Microsoft 365 and Intelligent Cloud/Intelligent Edge. This is the month when Microsoft typically is at its most quiet publicly, and most active privately.
New Preview Networking Features
A couple of very interesting networking feature previews started in July. We have lots of ways to do “firewalls” in Azure:
- The guest OS firewall
- Network Security Groups (NSGs) offering free layer-4 (UDP/TCP transport layer) security
- Web Application Gateway & Firewall adding layer-7 (HTTP/S application layer) security
- Third-party network virtualization appliances, such as Checkpoint, Cisco, and such
But a new option has been added called Azure Firewall.
An illustration of Azure Firewall architecture [Image Credit: Microsoft]
The Azure firewall offers the following:
- High-availability without the need to deploy load balancers. Note that a standard-tier public IP address is used with the appliance.
- Cloud scalability with the firewall being able to handle your growing & shrinking bandwidth/flow requirements.
- Outbound traffic can be filtered based on FQDNs; in other words, HTTP/S websites can only be reached if they are on the firewall’s whitelist.
- You can filter outbound traffic based on IP address, port, and protocol with stateful inspection.
- All outbound traffic from the virtual network is routed/translated through the public IP address of the firewall giving you SNAT (Source Network Address Translation).
- All events appear in Azure Monitor and can be archived to a storage account, streamed to Event Hub for external consumption, or to Log Analytics (OMS).
With this first release, the Azure Firewall is focusing on outbound traffic – you cannot use it to NAT & protect inbound traffic from the Internet.
This preview is a very-early-days-release and is not suitable for production, but those who are interested in it should test the new service and give Microsoft feedback.
Another new service is Virtual WAN.
I’ll be honest; the public over text and announcement blog post for Virtual WAN do leave me with a lot of questions, which I hope will be answered at the Ignite conference in September. But despite that, we do know the basics.
We already have hybrid networking solutions in Azure:
- Point-to-site VPN for end user connections
- Site-to-site VPN to integrate 1-30 offices with an Azure network, or networks via VNet peering
- ExpressRoute to add Azure to a corporate WAN
Virtual WAN is a software-defined WAN solution that is focused on working with third-party appliances such as those from Citrix and WAN without using the above solutions. Instead, a virtual hub is deployed in Azure, offering a new kind of scalable gateway instead of the older VPN/ExpressRoute gateway. Each office in the company will create active-active IKEv2 VPN connections to this hub to form a routed WAN, using Azure as the meeting point. You can then reach other virtual networks in Azure (the same region as the hub only at this time) via this WAN.
- Your link is less than 1 Gbps
- Can support IKEv2 IPsec VPN connections
- Need up to 100 sites/locations to connect in
There is no SLA on this managed preview, so Azure WAN probably shouldn’t be used in production yet.
I think that, when ready, Azure WAN will be perfect for retail operations (or similar, such as smaller hotel chains) where the cost of an MPLS WAN for ExpressRoute could be excessive, enabling central offices to reach Azure-hosted services as well as those in a head office.
Azure NetApp Files Preview
“How many SANs are in The Cloud?” is commonly asked by presenters that are talking about cloud storage. It’s a trick question because the answer is zero; SAN is to expensive and not scalable enough for true cloud scalability and economics.
But watch out! Azure is launching a preview for a virtual SAN offering with NetApp called NetApp Files.
This preview is available in East US and will add West US 2 soon. It should not be used in production until general availability
Using this Azure-integrated solution, which is not based on the existing virtual machine appliances, you’ll be able to deploy NFS v2 volumes with ONTAP technology from NetApp.
These are truly weird and interesting times!
Other Announcements from Microsoft
Here are other Azure IaaS headlines from the past month:
- Static website hosting for Azure Storage now in public preview
- Microsoft Azure launches tamper-proof Azure Immutable Blob Storage for financial services
- Welcome our newest family member – Data Box Disk
- Latest updates to Azure Database for PostgreSQL
- Latest updates to Azure Database for MySQL
- Azure Security Center is now integrated into the subscription experience
- Azure AD Managed Service Identity updates
- Announcing the Azure Cloud Shell editor in collaboration with Visual Studio Code
- Score one for the IT Pro: Azure File Sync is now generally available!
- New recommendations in Azure Advisor
- Azure App Service now supports Java SE on Linux
- Security Center’s adaptive application controls are generally available
- Azure DNS SLA: Updated to 100%
- Azure Security Center update July 22
- A new way to manage roles and administrators in Azure AD
My Azure Posts on Petri
Here are my Azure posts from the month of March:
- Happy 10th Birthday Hyper-V!
- Preview of WORM Storage Added To Azure
- Storage Explorer Preview in the Azure Portal
- Standard SSD Disks Preview for Azure VMs
- How Hybrid Use Benefit Reduces Azure VM Costs
- Copy An Azure VM Using Managed Disk Snapshots
- Azure Blob Storage Soft Delete
- Preview of Azure Blob Storage Lifecycle Management
- Aidan’s Essential Azure Toolkit (July 2018)
- What is Azure Firewall?
And Now for Something Different
14th January 2020. That’s around 17 months away. And that’s how long you have to plan for the upgrade/migration from Windows Server 2008 and Windows Server 2008 R2 before the end of extended support. At that time, Microsoft will terminate all product support and hot/security fixes for the products. The only exceptions will be for those organizations that:
- Sign up for support contracts that are priced to discourage prospective customers!
- Those that migrate to Azure and get another 3 years of security patches.
One might think that 17 months is a long time, but it’s not. If you’re running application workloads, you have to start considering application upgrades or replacement to use a new OS. If you’re using the older versions of Hyper-V then you might have to acquire new hardware and figure out how to migrate to Windows Server 2016 or even Windows Server 2019 when it arrives later this year. The time to start planning is now, not December 2019, because then, you’re already too late.
By the way, Windows Server 2012 and Windows Server 2012 R2 go into extended support (no new features) on the 9th of October this year. Those of you on Windows Server 2012 R2 Hyper-V can easily roll out Windows Server 2012 Hyper-V, even with clusters thanks to rolling cluster upgrade, and that might get easier again when moving from WS2012 R2 to Windows Server 2019.