
Azure Governance and Management Blog

Azure portal July 2019 update

Peri Rocha
Microsoft
Jul 16, 2019

This month, Azure portal updates include updates to Azure Security Center, the ability to use ephemeral OS disks on Azure VMs, and to send Windows diagnostics data to Azure Monitor.

 

Sign in to the Azure portal now and see for yourself everything that’s new. Download the Azure mobile app to stay connected to your Azure resources anytime, anywhere.

 

Here’s the list of June updates to the Azure portal:

 

Compute, Networking and Storage

Security

Intune

 

Let’s look at each of these updates in greater detail.

 

Compute, Networking and Storage

 

Use ephemeral OS disks on Azure VMs

During the creation of a VM or VMSS in the Portal, you can now choose to use an ephemeral OS disk allowing for faster reimaging of VMs, reduced storage costs, and lower read/write latency to the OS disk. You can create these VMs with marketplace or custom images to fit your needs. If you have previously created a VM or VMSS with ephemeral OS disks via PowerShell or CLI, it will automatically show in the Portal.

Use ephemeral OS disk option

 

To try out ephemeral OS disks:

On virtual machines:

  1. Click Create a resource in the menu on the left
  2. Select either an image or Virtual machine
  3. Fill in the required fields on the Basics tab
  4. Click Next : Disks >
  5. In the Advanced menu, select Use ephemeral OS disk
  6. Make any other changes to the template and create the resource

 

On virtual machine scale sets:

  1. Click Create a resource in the menu on the left
  2. Search for virtual machine scale set and click create
  3. Fill in the required fields and any additional fields of your choice
  4. Select Use ephemeral OS disk in the Instances section
  5. Create the resource

 

To learn more about ephemeral OS disks for Azure VMs, visit the documentation page.  

 

Send Windows Diagnostics data to Azure Monitor (Preview)

Azure Diagnostics is the capability within Azure that enables the collection of diagnostic data on a deployed application. You can use the diagnostics extension to collect diagnostic data like application logs or performance counters from an Azure virtual machine (VM) that is running Windows.

 

Traditionally, diagnostics data are stored in a storage account in your subscription. In this preview release, you can now send diagnostics data directly into Azure Monitor, a centralized, fully managed data store for monitoring, analyzing and visualizing all your operational telemetry. While in preview, this feature is available in specific Azure regions: East US, South Central US, West US 2, South East Asia, North Europe, West Europe.

Send diagnostic data to Azure Monitor option

 

To try out sending Windows Diagnostics data to Azure Monitor:

  1. In the Azure Portal, navigate to a Windows VM in one of the supported regions
  2. In the Monitoring > Diagnostics settings menu, ensure that Guest-level monitoring is enabled. This will install the Diagnostics Extension for Windows into the virtual machine.
  3. Once the guest-level monitoring is up and running, navigate to the 'Sinks' tab and set "Send diagnostic data to Azure Monitor" to Enabled. You may need to add a Managed Identity to the virtual machine; the screen will provide a link to how you can enable a Managed Identity on the virtual machine.
  4. Click the save button.

 

Security

 

Security Center recommendations and their corresponding policy names are aligned

To illustrate the connection between recommendations and their matching security policies, we have now changed the names to be the same. It is now easier to find the relevant policy referred to in a recommendation and enable/disable it. For example:

 

  • Old Policy name: Audit external accounts with write permissions on a subscription
  • Old Recommendation name: Remove external accounts with write permissions from your subscription
  • Current Policy and Recommendation names: External accounts with write permissions should be removed from your subscription

 

This has no effect on the actual feature functionalities.

 

To explore your Azure Security Center recommendations:

  1. Type Security Center on the Global Search box and select Security Center under Services
  2. Under the Resource Security Hygiene section, select Recommendations

For more information about Azure Security Center recommendations, visit the documentation page.

 

Adaptive Network Hardening in Security Center now generally available

Some of the biggest attack surfaces for workloads running in the public cloud are connections to and from the public Internet. You may find it hard to know which Network Security Group (NSG) rules should be in place to make sure that Azure workloads are only available to required source ranges. With this feature, Security Center learns the network traffic and connectivity patterns of Azure workloads and provides NSG rule recommendations for Internet-facing virtual machines. This helps our customers better configure their network access policies and limit their exposure to attacks.

Adaptive Network Hardening

 

To explore Adaptive Network Hardening:

  1. Type Security Center on the Global Search box and select Security Center under Services
  2. Under the Resource Security Hygiene section, select Networking and then Adaptive Network Hardening

 

For more information about network hardening, see Adaptive network hardening.

 

Improved integration of Azure Security Center with Azure Advisor is now available

You can now view a detailed summary of your security recommendations and a summary of your security alerts, from within Azure Advisor. In addition, you can now consume the security recommendations directly from the Azure Advisor API, and use Azure Advisor to generate PDF and CSV reports.

Detailed view of Security Center recommendations on Azure Advisor

 

To explore Security Center recommendations on Azure Advisor:

  1. Type Advisor on the Global Search box and select Advisor under Services
  2. Select the Security tile

 

Just-in-time access now supports Azure Firewall

Just-in-time (JIT) virtual machine (VM) access can now be used with Azure Firewall.

 

When just-in-time was enabled, Security Center created a just-in-time policy which locked down inbound traffic to your Azure VMs (on ports that you select) by creating a Network Security Group (NSG) rule. Now, JIT is also available to VMs protected by Azure Firewall.


When a user requests access to a VM with a JIT policy, Security Center first checks that the user has Role-Based Access Control (RBAC) permissions to request access to a VM with a JIT policy. If the user has permissions and the request is approved, Security Center automatically configures the NSG and the Azure Firewall rules to allow inbound traffic with the following restrictions:

  • To the specified VM ports
  • From the requested source IP addresses or ranges
  • For the specified amount of time

After the time expires, Security Center restores the NSGs and Azure Firewalls to their previous states. In addition, after a request is approved for a VM protected by Azure Firewall, Security Center provides the user with the proper connection details (the port mapping from the DNAT table) to use to connect to the VM.

 

By using JIT access for VMs protected by Azure Firewall, you can now protect a wider range of resources and further limit exposure to attacks.

 

To configure JIT access on a virtual machine in Security Center:

  1. Open the Security Center
  2. In the left pane, select Just-in-time VM access.
  3. Select the Recommended
  4. Under Virtual Machine, click the VMs that you want to enable. This puts a checkmark next to a VM.
  5. Click Enable JIT on VMs. This blade displays the default ports recommended by Azure Security Center.
  6. You can also configure custom ports:
    • Click Add. The Add port configuration window opens.
    • For each port you choose to configure, both default and custom, you can customize the following settings:
      • Protocol type: The protocol that is allowed on this port when a request is approved.
      • Allowed source IP addresses: The IP ranges that are allowed on this port when a request is approved.
      • Maximum request time: The maximum time window during which a specific port can be opened.
    • Click OK.
  7. Click Save.

To learn more, see Manage virtual machine access using just-in-time.
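
The request flow and the three per-port settings described above, as a simplified model added here for illustration; it is not Security Center's code. The class and function names, the user and the addresses are constructed, and the set of authorized users stands in for the RBAC check.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_network

@dataclass(frozen=True)
class PortConfig:                 # one per-port entry of a JIT policy (hypothetical model)
    port: int
    protocol: str                 # protocol allowed when a request is approved
    allowed_sources: tuple        # CIDR ranges a request may ask for
    max_request_time: timedelta   # longest window the port may stay open

@dataclass(frozen=True)
class AccessRequest:
    user: str
    port: int
    source: str                   # requested source IP address or range
    duration: timedelta

def evaluate(request, policy, authorized_users, now):
    """Return a time-boxed allow rule, or raise PermissionError naming the failed check."""
    if request.user not in authorized_users:      # stand-in for the RBAC check
        raise PermissionError("user may not request JIT access")
    config = next((c for c in policy if c.port == request.port), None)
    if config is None:
        raise PermissionError(f"port {request.port} is not covered by the policy")
    wanted = ip_network(request.source, strict=False)
    allowed = [ip_network(a) for a in config.allowed_sources]
    if not any(wanted.version == a.version and wanted.subnet_of(a) for a in allowed):
        raise PermissionError(f"source {wanted} is outside the allowed ranges")
    if request.duration > config.max_request_time:
        raise PermissionError("requested time exceeds the maximum request time")
    return {"port": config.port, "protocol": config.protocol,
            "source": str(wanted), "expires": now + request.duration}

def active_rules(rules, now):
    """Rules still in force at `now`; expired rules drop out, closing the port again."""
    return [r for r in rules if r["expires"] > now]

# Constructed sample data: RFC 5737 documentation addresses, made-up user.
POLICY = [PortConfig(3389, "TCP", ("203.0.113.0/24",), timedelta(hours=3))]
AUTHORIZED = {"alice@example.com"}
NOW = datetime(2019, 7, 16, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    ok = AccessRequest("alice@example.com", 3389, "203.0.113.7", timedelta(hours=1))
    rule = evaluate(ok, POLICY, AUTHORIZED, NOW)
    print("granted:", rule)
    print("after 2h:", active_rules([rule], NOW + timedelta(hours=2)))
    try:
        evaluate(AccessRequest("alice@example.com", 3389, "0.0.0.0/0", timedelta(hours=1)), POLICY, AUTHORIZED, NOW)
    except PermissionError as err:
        print("denied:", err)
```

A request for `0.0.0.0/0` is refused because it is not contained in the allowed range, which is the behaviour to expect when the allowed source IP addresses setting is kept narrow.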

 

Intune

 

Updates to Microsoft Intune

The Microsoft Intune team has been hard at work on updates as well. You can find the full list of updates to Intune on the What's new in Microsoft Intune page, including changes that affect your experience using Intune.

 

Azure portal “how to” video series

Have you checked out our Azure portal “how to” video series yet? The videos highlight specific aspects of the portal so you can be more efficient and productive while deploying your cloud workloads from the portal. Recent videos include a demonstration of how to create a storage account and upload a blob and how to create an Azure Kubernetes Service cluster in the portal. Keep checking our playlist on YouTube for a new video each week.

 

Next steps

The Azure portal’s large team of engineers always wants to hear from you, so please keep providing us with your feedback in the comments section below or on Twitter @AzurePortal.

Don’t forget to sign in to the Azure portal and download the Azure mobile app today to see everything that’s new. See you next month!

Updated Jul 15, 2019
Version 1.0