Everything You Need to Know About Azure Infrastructure – July 2018

This month, Microsoft held their annual partner conference, Inspire, in Las Vegas, Nevada. As expected, there was lots of talk about Microsoft 365 and Intelligent Cloud/Intelligent Edge. This is the month when Microsoft typically is at its most quiet publicly, and most active privately.

New Preview Networking Features

A couple of very interesting networking feature previews started in July. We have lots of ways to do “firewalls” in Azure:

  • The guest OS firewall
  • Network Security Groups (NSGs) offering free layer-3/4 (IP address plus TCP/UDP port) filtering
  • Application Gateway with the Web Application Firewall (WAF) adding layer-7 (HTTP/S application layer) security
  • Third-party network virtual appliances (NVAs), such as those from Check Point, Cisco, and others

But a new option has been added called Azure Firewall.

An illustration of Azure Firewall architecture [Image Credit: Microsoft]
Azure Firewall offers the following:

  • High availability without the need to deploy load balancers. Note that a Standard-tier public IP address is used with the appliance.
  • Cloud scalability, with the firewall able to handle your growing and shrinking bandwidth/flow requirements.
  • Outbound traffic can be filtered based on FQDNs; in other words, HTTP/S websites can only be reached if they are on the firewall’s allow list.
  • You can filter outbound traffic based on IP address, port, and protocol with stateful inspection.
  • All outbound traffic from the virtual network is routed/translated through the public IP address of the firewall, giving you SNAT (Source Network Address Translation).
  • All events appear in Azure Monitor and can be archived to a storage account, streamed to Event Hub for external consumption, or sent to Log Analytics (OMS).

With this first release, Azure Firewall is focused on outbound traffic: you cannot use it to NAT and protect inbound traffic from the Internet.
This preview is a very early release and is not suitable for production, but those who are interested should test the new service and give Microsoft feedback.
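To show how the pieces above fit together, here is an added example (not from the original article or from Microsoft) that deploys the firewall into an existing hub network with the current Az PowerShell module: a Standard-SKU public IP, an application rule collection that acts as the FQDN allow list, a network rule collection for non-HTTP traffic, a user-defined route that forces the workload subnet’s default route through the firewall (without it, the subnet egresses directly and the firewall sees nothing), and a diagnostic setting that sends rule hits to Log Analytics. The resource group, VNet, subnet, workspace and the 10.10.0.4 resolver address are assumed names for illustration; the subnet name AzureFirewallSubnet is the fixed name the service requires.

```powershell
# Added example (not from the original article): Azure Firewall for outbound filtering.
# Assumptions: resource group 'rg-hub', VNet 'vnet-hub' already containing a subnet named
# 'AzureFirewallSubnet' plus a 'workload' subnet (10.0.1.0/24), Log Analytics workspace
# 'law-hub', and an on-premises DNS resolver at 10.10.0.4 (all hypothetical).
$rg   = 'rg-hub'
$loc  = 'eastus'
$vnet = Get-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg

# The firewall requires a static, Standard-SKU public IP; all SNAT happens behind it.
$pip = New-AzPublicIpAddress -Name 'pip-azfw' -ResourceGroupName $rg -Location $loc `
    -AllocationMethod Static -Sku Standard

# Application rules: HTTP/S may only reach the listed FQDNs. The firewall matches the
# TLS SNI / HTTP Host header, so this is a web allow list, not generic TCP/443 filtering.
$webRule = New-AzFirewallApplicationRule -Name 'allow-windows-update' `
    -SourceAddress '10.0.1.0/24' -Protocol 'http:80','https:443' `
    -TargetFqdn '*.windowsupdate.com','*.update.microsoft.com'
$appColl = New-AzFirewallApplicationRuleCollection -Name 'app-allow' -Priority 100 `
    -Rule $webRule -ActionType Allow

# Network rules: everything else is matched statefully on IP/port/protocol. Only DNS to
# the (hypothetical) on-premises resolver is permitted; unmatched traffic is dropped.
$dnsRule = New-AzFirewallNetworkRule -Name 'allow-onprem-dns' -Protocol UDP `
    -SourceAddress '10.0.1.0/24' -DestinationAddress '10.10.0.4' -DestinationPort 53
$netColl = New-AzFirewallNetworkRuleCollection -Name 'net-allow' -Priority 200 `
    -Rule $dnsRule -ActionType Allow

$fw = New-AzFirewall -Name 'azfw-hub' -ResourceGroupName $rg -Location $loc `
    -VirtualNetwork $vnet -PublicIpAddress $pip `
    -ApplicationRuleCollection $appColl -NetworkRuleCollection $netColl

# Force the workload subnet's default route to the firewall's private IP. Without this
# UDR the subnet keeps its system route to the Internet and bypasses the firewall.
$fwIp = $fw.IpConfigurations[0].PrivateIPAddress
$rt   = New-AzRouteTable -Name 'rt-workload' -ResourceGroupName $rg -Location $loc
$rt   = Add-AzRouteConfig -RouteTable $rt -Name 'default-via-azfw' -AddressPrefix '0.0.0.0/0' `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwIp | Set-AzRouteTable
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'workload'
$subnet.RouteTable = $rt
$vnet | Set-AzVirtualNetwork | Out-Null

# Send application and network rule events to Log Analytics (Az.Monitor 3.x cmdlets).
# Denied flows appear there with "Action: Deny" in the message text.
$law  = Get-AzOperationalInsightsWorkspace -Name 'law-hub' -ResourceGroupName $rg
$logs = 'AzureFirewallApplicationRule', 'AzureFirewallNetworkRule' |
    ForEach-Object { New-AzDiagnosticSettingLogSettingsObject -Enabled $true -Category $_ }
New-AzDiagnosticSetting -Name 'azfw-to-law' -ResourceId $fw.Id `
    -WorkspaceId $law.ResourceId -Log $logs | Out-Null
```

A quick check after deployment: run Get-AzEffectiveRouteTable against a NIC in the workload subnet and confirm that 0.0.0.0/0 now shows a next hop of VirtualAppliance with the firewall’s private IP; if it still shows Internet, the route table is not associated with the subnet and traffic is bypassing the firewall.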
Another new service is Virtual WAN.

An illustration of Azure Virtual WAN [Image Credit: Microsoft]
I’ll be honest; the public overview text and the announcement blog post for Virtual WAN do leave me with a lot of questions, which I hope will be answered at the Ignite conference in September. But despite that, we do know the basics.
We already have hybrid networking solutions in Azure:

  • Point-to-site VPN for end user connections
  • Site-to-site VPN to integrate 1-30 offices with an Azure network, or networks via VNet peering
  • ExpressRoute to add Azure to a corporate WAN

Virtual WAN is a software-defined WAN (SD-WAN) service designed to work with third-party branch appliances, such as those from Citrix, instead of the above solutions. A virtual hub is deployed in Azure, offering a new kind of scalable gateway in place of the older VPN/ExpressRoute gateway. Each office in the company creates active-active IKEv2 VPN connections to this hub to form a routed WAN, using Azure as the meeting point. You can then reach other virtual networks in Azure (only those in the same region as the hub at this time) via this WAN.
You can enrol in this preview today. You can use the supported partner devices, but you are not limited to them as long as:

  • Each link is less than 1 Gbps
  • Your device supports IKEv2 IPsec VPN connections
  • You need no more than 100 sites/locations to connect in

There is no SLA on this managed preview, so Virtual WAN probably shouldn’t be used in production yet.
I think that, when ready, Virtual WAN will be perfect for retail operations (or similar, such as smaller hotel chains) where the cost of an MPLS WAN for ExpressRoute could be excessive, enabling branch locations to reach Azure-hosted services as well as those in a head office.

Azure NetApp Files Preview

“How many SANs are in The Cloud?” is commonly asked by presenters who are talking about cloud storage. It’s a trick question because the answer is zero; a SAN is too expensive and not scalable enough for true cloud scale and economics.
But watch out! Azure is launching a preview of an enterprise storage service built with NetApp, called Azure NetApp Files.
This preview is available in East US and will add West US 2 soon. It should not be used in production until general availability.
Using this Azure-integrated service, which is not based on the existing virtual machine appliances, you’ll be able to deploy NFSv3 file volumes backed by ONTAP technology from NetApp.
These are truly weird and interesting times!

Other Announcements from Microsoft

Here are other Azure IaaS headlines from the past month:

My Azure Posts on Petri

Here are my Azure posts from the past month:

And Now for Something Different

14th January 2020. That’s around 17 months away. And that’s how long you have to plan for the upgrade/migration from Windows Server 2008 and Windows Server 2008 R2 before the end of extended support. At that time, Microsoft will terminate all product support, hotfixes, and security fixes for those products. The only exceptions will be for those organizations that:

One might think that 17 months is a long time, but it’s not. If you’re running application workloads, you have to start considering application upgrades or replacement to use a new OS. If you’re using the older versions of Hyper-V then you might have to acquire new hardware and figure out how to migrate to Windows Server 2016 or even Windows Server 2019 when it arrives later this year. The time to start planning is now, not December 2019, because then, you’re already too late.
By the way, Windows Server 2012 and Windows Server 2012 R2 go into extended support (no new features) on the 9th of October this year. Those of you on Windows Server 2012 R2 Hyper-V can easily roll out Windows Server 2016 Hyper-V, even with clusters thanks to Cluster OS Rolling Upgrade, and the same approach should apply when moving from WS2016 to Windows Server 2019.
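Planning starts with knowing what you have. The following is an added example (not from the original article) that queries Active Directory for domain-joined servers on the releases discussed above and reports how many days remain until the milestone the article gives for each: the end of extended support for Windows Server 2008/2008 R2 on 14th January 2020 and the end of mainstream support for Windows Server 2012/2012 R2 on 9th October 2018. It assumes the RSAT ActiveDirectory module is installed and that you are running it as a domain user; the function name is my own.

```powershell
# Added example (not from the original article): inventory servers still on the Windows
# Server releases the article discusses and show days remaining until each milestone.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Milestone dates as stated in the article. The first matching pattern (top to bottom) wins.
$Milestones = @(
    @{ Pattern = 'Windows Server*2008*'; Label = 'Extended support ends';   Date = [datetime]'2020-01-14' },
    @{ Pattern = 'Windows Server*2012*'; Label = 'Mainstream support ends'; Date = [datetime]'2018-10-09' }
)

function Get-ServerSupportStatus {
    param([datetime]$AsOf = (Get-Date))

    # The AD OperatingSystem attribute reads like "Windows Server® 2008 Standard" or
    # "Windows Server 2012 R2 Datacenter", hence the loose wildcards above.
    Get-ADComputer -Filter 'OperatingSystem -like "Windows Server*"' `
        -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate |
    Where-Object { $_.Enabled } |
    ForEach-Object {
        $os = $_.OperatingSystem
        $m  = $Milestones | Where-Object { $os -like $_.Pattern } | Select-Object -First 1
        if ($m) {
            [pscustomobject]@{
                Name          = $_.Name
                OS            = $os
                Build         = $_.OperatingSystemVersion
                LastLogonDate = $_.LastLogonDate
                Milestone     = $m.Label
                Deadline      = $m.Date.ToString('yyyy-MM-dd')
                # Negative once the date has passed.
                DaysLeft      = [int][math]::Floor(($m.Date - $AsOf).TotalDays)
            }
        }
    }
}

# Most urgent first. A stale LastLogonDate suggests a leftover computer object rather than
# a live server, so verify before counting it in the migration plan.
Get-ServerSupportStatus | Sort-Object DaysLeft | Format-Table -AutoSize
```

Pipe the output to Export-Csv to keep a dated baseline; re-running it monthly gives you a simple burn-down of the 2008/2008 R2 estate against the January 2020 date.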