This month, Azure portal updates include updates to Azure Security Center, the ability to use ephemeral OS disks on Azure VMs, and to send Windows diagnostics data to Azure Monitor.
Sign in to the Azure portal now and see for yourself everything that’s new. Download the Azure mobile app to stay connected to your Azure resources anytime, anywhere.
Here’s the list of June updates to the Azure portal:
Compute, Networking and Storage
- Use ephemeral OS disks on Azure VMs
- Send Windows Diagnostics data to Azure Monitor (Preview)
Security
- Security Center recommendations and their corresponding policy names are aligned
- Adaptive Network Hardening in Security Center - now generally available
- Improved integration of Azure Security Center with Azure Advisor is now available
- Just-in-time access now supports Azure Firewall
Intune
- Updates to Microsoft Intune
Let’s look at each of these updates in greater detail.
Compute, Networking and Storage
Use ephemeral OS disks on Azure VMs
When creating a VM or VMSS in the Portal, you can now choose an ephemeral OS disk, which allows faster reimaging of VMs, reduces storage costs, and lowers read/write latency to the OS disk. You can create these VMs from marketplace or custom images to fit your needs. If you previously created a VM or VMSS with an ephemeral OS disk via PowerShell or the CLI, it will automatically show in the Portal.
Use ephemeral OS disk option
To try out ephemeral OS disks:
On virtual machines:
- Click Create a resource in the menu on the left
- Select either an image or Virtual machine
- Fill in the required fields on the Basics tab
- Click Next : Disks >
- In the Advanced menu, select Use ephemeral OS disk
- Make any other changes to the template and create the resource
On virtual machine scale sets:
- Click Create a resource in the menu on the left
- Search for virtual machine scale set and click create
- Fill in the required fields and any additional fields of your choice
- Select Use ephemeral OS disk in the Instances section
- Create the resource
To learn more about ephemeral OS disks for Azure VMs, visit the documentation page.
Send Windows Diagnostics data to Azure Monitor (Preview)
Azure Diagnostics is the capability within Azure that enables the collection of diagnostic data on a deployed application. You can use the diagnostics extension to collect diagnostic data like application logs or performance counters from an Azure virtual machine (VM) that is running Windows.
Traditionally, diagnostics data is stored in a storage account in your subscription. In this preview release, you can now send diagnostics data directly into Azure Monitor, a centralized, fully managed data store for monitoring, analyzing and visualizing all your operational telemetry. While in preview, this feature is available in specific Azure regions: East US, South Central US, West US 2, South East Asia, North Europe and West Europe.
Send diagnostic data to Azure Monitor option
To try out sending Windows Diagnostics data to Azure Monitor:
- In the Azure Portal, navigate to a Windows VM in one of the supported regions
- In the Monitoring > Diagnostics settings menu, ensure that Guest-level monitoring is enabled. This will install the Diagnostics Extension for Windows into the virtual machine.
- Once guest-level monitoring is up and running, navigate to the 'Sinks' tab and set "Send diagnostic data to Azure Monitor" to Enabled. You may need to add a Managed Identity to the virtual machine; the screen provides a link explaining how to enable a Managed Identity on the virtual machine.
- Click the save button.
Security
Security Center recommendations and their corresponding policy names are aligned
To illustrate the connection between recommendations and their matching security policies, we have now changed the names to be the same. It is now easier to find the relevant policy referred to in a recommendation and enable/disable it. For example:
- Old Policy name: Audit external accounts with write permissions on a subscription
- Old Recommendation name: Remove external accounts with write permissions from your subscription
- Current Policy and Recommendation names: External accounts with write permissions should be removed from your subscription
This has no effect on the actual feature functionalities.
To explore your Azure Security Center recommendations:
- Type Security Center on the Global Search box and select Security Center under Services
- Under the Resource Security Hygiene section, select Recommendations
For more information about Azure Security Center recommendations, visit the documentation page.
Adaptive Network Hardening in Security Center now generally available
Some of the biggest attack surfaces for workloads running in the public cloud are connections to and from the public Internet. It can be hard to know which Network Security Group (NSG) rules should be in place to make sure that Azure workloads are reachable only from the required source ranges. With this feature, Security Center learns the network traffic and connectivity patterns of Azure workloads and provides NSG rule recommendations for Internet-facing virtual machines. This helps our customers better configure their network access policies and limit their exposure to attacks.
Adaptive Network Hardening
To explore Adaptive Network Hardening:
- Type Security Center on the Global Search box and select Security Center under Services
- Under the Resource Security Hygiene section, select Networking and then Adaptive Network Hardening
For more information about network hardening, see Adaptive network hardening.
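As an added illustration (not Security Center's own code), the following Python script turns a constructed sample of observed inbound flows into per-port NSG rule suggestions, the idea behind Adaptive Network Hardening: the sample addresses, the permissive baseline rule and the /24 aggregation are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of observed inbound flows: (source IP, destination port, protocol).
SAMPLE_FLOWS = [
    ("203.0.113.10", 443, "Tcp"),
    ("203.0.113.11", 443, "Tcp"),
    ("203.0.113.12", 443, "Tcp"),
    ("198.51.100.7", 22, "Tcp"),
    ("198.51.100.7", 22, "Tcp"),
]

# Assumed current NSG rule: any Internet source may reach these ports. This is the
# permissive baseline a hardening recommendation would tighten.
CURRENT_RULE = {"source": "Internet", "ports": {22, 443, 3389}, "protocol": "Tcp"}


def summarize_sources(ips, max_prefix=24):
    """Collapse observed source IPs into the smallest set of networks no wider
    than /max_prefix that covers them, so the rule lists ranges, not single hosts."""
    nets = [ipaddress.ip_network(f"{ip}/{max_prefix}", strict=False) for ip in ips]
    return sorted({str(n) for n in ipaddress.collapse_addresses(nets)})


def recommend_rules(flows, current_rule):
    """Return one hardened allow rule per (port, protocol) actually seen in traffic,
    plus the currently allowed ports that carried no traffic and can be closed."""
    seen = defaultdict(set)
    for src, port, proto in flows:
        seen[(port, proto)].add(src)
    rules = [
        {"port": port, "protocol": proto, "sources": summarize_sources(ips)}
        for (port, proto), ips in sorted(seen.items())
    ]
    seen_ports = {port for port, _ in seen}
    unused = sorted(current_rule["ports"] - seen_ports)
    return rules, unused


if __name__ == "__main__":
    suggested, closable = recommend_rules(SAMPLE_FLOWS, CURRENT_RULE)
    print("Replace source 'Internet' with:", suggested)
    print("Ports allowed but never used:", closable)
```

The output lists one narrowed source range per port and flags 3389 as open in the baseline rule but unused, which is the kind of finding the Adaptive Network Hardening blade surfaces.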
Improved integration of Azure Security Center with Azure Advisor is now available
You can now view a detailed summary of your security recommendations and a summary of your security alerts from within Azure Advisor. In addition, you can now consume the security recommendations directly from the Azure Advisor API, and use Azure Advisor to generate PDF and CSV reports.
Detailed view of Security Center recommendations on Azure Advisor
To explore Security Center recommendations on Azure Advisor:
- Type Advisor on the Global Search box and select Advisor under Services
- Select the Security tile
Just-in-time access now supports Azure Firewall
Just-in-time (JIT) virtual machine (VM) access can now be used with Azure Firewall.
Previously, when just-in-time was enabled, Security Center created a just-in-time policy that locked down inbound traffic to your Azure VMs (on the ports you select) by creating a Network Security Group (NSG) rule. Now, JIT is also available for VMs protected by Azure Firewall.
When a user requests access to a VM with a JIT policy, Security Center first checks that the user has Role-Based Access Control (RBAC) permissions to request access to a VM with a JIT policy. If the user has permissions and the request is approved, Security Center automatically configures the NSG and the Azure Firewall rules to allow inbound traffic with the following restrictions:
- To the specified VM ports
- From the requested source IP addresses or ranges
- For the specified amount of time
After the time expires, Security Center restores the NSGs and Azure Firewalls to their previous states. In addition, after a request is approved for a VM protected by Azure Firewall, Security Center provides the user with the proper connection details (the port mapping from the DNAT table) to use to connect to the VM.
By using JIT access for VMs protected by Azure Firewall, you can now protect a wider range of resources and further limit exposure to attacks.
To configure JIT access on a virtual machine in Security Center:
- Open the Security Center
- In the left pane, select Just-in-time VM access.
- Select the Recommended
- Under Virtual Machine, click the VMs that you want to enable. This puts a checkmark next to a VM.
- Click Enable JIT on VMs. This blade displays the default ports recommended by Azure Security Center.
- You can also configure custom ports:
  - Click Add. The Add port configuration window opens.
  - For each port you choose to configure, both default and custom, you can customize the following settings:
    - Protocol type - The protocol that is allowed on this port when a request is approved.
    - Allowed source IP addresses - The IP ranges that are allowed on this port when a request is approved.
    - Maximum request time - The maximum time window during which a specific port can be opened.
  - Click OK.
- Click Save.
To learn more, see Manage virtual machine access using just-in-time.
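As an added illustration (not Security Center's own code), the following Python model shows how the three per-port settings above (protocol, allowed source IPs, maximum request time) constrain an access request, what the temporary allow rule written to the NSG or firewall looks like, and how it disappears once the window expires: the policy values, the reference time and the use of "*" for any source are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed JIT policy for one VM, keyed by port. Each entry mirrors the three
# settings in the Add port configuration window.
JIT_POLICY = {
    22:   {"protocol": "Tcp", "allowed_sources": ["198.51.100.0/24"], "max_hours": 3},
    3389: {"protocol": "Tcp", "allowed_sources": ["*"], "max_hours": 1},
}
# Constructed reference time for the usage example and checks.
T0 = datetime(2019, 6, 1, tzinfo=timezone.utc)


def validate_request(policy, port, source_ip, hours):
    """Return (ok, reason). The port must be in the policy, the requester must fall
    in an allowed range ('*' means any source), and the duration must not exceed
    the port's maximum window. An RBAC check on the requester would precede this."""
    if port not in policy:
        return False, "port not in JIT policy"
    entry = policy[port]
    ip = ipaddress.ip_address(source_ip)
    if "*" not in entry["allowed_sources"] and not any(
            ip in ipaddress.ip_network(net) for net in entry["allowed_sources"]):
        return False, "source not allowed for this port"
    if hours <= 0 or hours > entry["max_hours"]:
        return False, "requested duration exceeds policy maximum"
    return True, "ok"


def open_access(policy, port, source_ip, hours, now):
    """Build the temporary inbound allow rule JIT would add: scoped to one port,
    the requester's single address and an explicit expiry."""
    ok, reason = validate_request(policy, port, source_ip, hours)
    if not ok:
        raise ValueError(reason)
    return {"port": port, "protocol": policy[port]["protocol"],
            "source": f"{source_ip}/32", "action": "Allow",
            "expires": now + timedelta(hours=hours)}


def active_rules(rules, now):
    """Drop expired JIT rules; what remains is what the NSG/firewall should still
    contain after Security Center restores the previous state."""
    return [r for r in rules if r["expires"] > now]


if __name__ == "__main__":
    rule = open_access(JIT_POLICY, 22, "198.51.100.9", 2, T0)
    print(rule)
    print("still open after expiry:", active_rules([rule], rule["expires"]))
```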
Intune
Updates to Microsoft Intune
The Microsoft Intune team has been hard at work on updates as well. You can find the full list of updates to Intune on the What's new in Microsoft Intune page, including changes that affect your experience using Intune.
Azure portal “how to” video series
Have you checked out our Azure portal “how to” video series yet? The videos highlight specific aspects of the portal so you can be more efficient and productive while deploying your cloud workloads from the portal. Recent videos include a demonstration of how to create a storage account and upload a blob and how to create an Azure Kubernetes Service cluster in the portal. Keep checking our playlist on YouTube for a new video each week.
Next steps
The Azure portal’s large team of engineers always wants to hear from you, so please keep providing us with your feedback in the comments section below or on Twitter @AzurePortal.
Don’t forget to sign in to the Azure portal and download the Azure mobile app today to see everything that’s new. See you next month!