Hi everyone! Brandon Wilson here once again with this month’s “Check This Out!” (CTO!) guide.
These posts are only intended to be your guide, to lead you to some content of interest, and are just a way we are trying to help our readers a bit more, whether that is learning, troubleshooting, or just finding new content sources! We will give you a bit of a taste of the blog content itself, provide you a way to get to the source content directly, and help to introduce you to some other blogs you may not be aware of that you might find helpful. If you have been a long-time reader, then you will find this series to be very similar to our prior series “Infrastructure + Security: Noteworthy News”.
From all of us on the Core Infrastructure and Security Tech Community blog team, thanks for your continued reading and support!
Title: Azure App Service announces more ways to save on compute costs
Source: Apps on Azure
Author: Mayunk Jain
Publication Date: November 1, 2022
Content excerpt:
Think about your last web app development cycle—how much did your compute usage vary over time, and how did that impact your budget? When modernizing your apps, we know that compute usage can fluctuate and you want flexible compute pricing that can accommodate both planned and unplanned changes.
Azure App Service provides you with the best solutions to rapidly build, deploy, and manage secure apps at scale. If you’re running dynamic workloads, you will be excited to hear that Azure App Service users on our most popular service plans can save on select compute services through Azure savings plan for compute.
Title: Introducing more ways to deploy Azure Container Apps
Source: Apps on Azure
Author: Anthony Chu
Publication Date: November 17, 2022
Content excerpt:
Azure Container Apps is a fully managed serverless container service for building and deploying modern apps at scale. Today, we’re introducing new preview features to make it even easier to build and deploy container apps:
- A new GitHub action to build and deploy container apps
- A new Azure Pipelines task to build and deploy container apps
- Build container images without a Dockerfile
These features are currently in public preview. Try them out and let us know what you think!
Title: 3 reasons to optimize your workloads with Azure Advisor
Source: Azure Architecture
Author: Antonio Ortoll
Publication Date: November 10, 2022
Content excerpt:
As macro-economic uncertainty grows in today’s economy, so do expectations to accelerate growth, drive revenue higher, and compete beyond the status quo. In early October, Azure launched a campaign to address this unprecedented situation by empowering businesses to “Do More with Less”. The campaign focuses on three value elements – migrating and saving, optimizing existing cloud investments, and reinvesting to drive growth. Read more about each of these topics here. All three highlight the importance of cost optimization in one way or another. Azure Advisor is front and center in making some of these objectives a reality. However, you may wonder how this product may help your business in this journey. If you are sitting nodding as you read this last sentence, you are in the right place. These are the three reasons why you need to start optimizing with Azure Advisor.
Title: Why you need a Cloud Adoption Framework (CAF), and probably a WAF too!
Source: Azure Architecture
Author: Stephen Thair
Publication Date: November 7, 2022
Content excerpt:
What are the Microsoft Cloud Adoption Framework for Azure (CAF) and the Microsoft Azure Well-Architected Framework (WAF)? Both are best practice guidance around how to transform your organization to be cloud-centric (CAF) and how to build and manage cloud-hosted applications securely, cost-effectively, etc. (WAF).
But why are they important, and why should you, and your organization, use them on your cloud transformation journey?
Title: Automated Key Rotation Generally Available on Azure Key Vault Managed HSM
Source: Azure Confidential Computing
Author: Nicholas Kondamudi
Publication Date: November 8, 2022
Content excerpt:
We are excited to announce the General Availability of automated key rotation in Azure Key Vault Managed HSM. The feature allows you to set up an auto-rotation policy that automatically generates a new key version of the customer-managed key (CMK) stored in the HSM at a specified frequency.
Title: The top 5 reasons why backup and recovery in the cloud goes wrong and how to avoid them
Source: Azure Governance and Management
Author: Harshitha Putta
Publication Date: November 16, 2022
Content excerpt:
If you have experience running workloads both in the cloud and on-premises, you will know that failures can occur for a variety of reasons. You will also know that in some cases the best thing to do is to restore your workload from an existing backup to meet your Recovery Time Objective (RTO) and Recovery Point Objective (RPO) requirements.
Many organizations have implemented processes to regularly create backups of their workloads, but - in a majority of cases - we only see the recovery plan that is associated with these backups in action when problems occur.
Title: General Availability: Azure Automation Hybrid Runbook Worker Extension
Source: Azure Governance and Management
Author: Nikita Bajaj
Publication Date: November 28, 2022
Content excerpt:
Infrastructure is increasingly becoming more complex as organizations operate across multiple cloud and on-premises environments. Businesses are looking for a secure and reliable management service that can consistently manage this hybrid estate. Azure Automation provides a unified platform for the execution of customer-provided scripts to manage Azure, Arc-enabled and multi-cloud workloads. User Hybrid Worker enables execution of these scripts directly on the machines for managing guest workloads or as a gateway to environments that are not accessible from Azure. Azure Automation announces General Availability of the User Hybrid Worker extension, which is based on the Virtual Machine extensions framework and provides a seamless and integrated installation experience.
Title: Azure portal October 2022 updates
Source: Azure Governance and Management
Author: Allison Cordle
Publication Date: November 30, 2022
Content excerpt:
- Mobile > Azure Active Directory
- Azure Kubernetes Service > Fleet Management
- Databases > SQL servers
- Mobile > Virtual Machines and Network Security Groups
- Intune
Let’s look at each of these updates in greater detail.
Title: Azure VMware Solution Availability Design Considerations
Source: Azure Migration and Modernization
Author: rvandenbedem
Publication Date: November 28, 2022
Content excerpt:
A global enterprise wants to migrate thousands of VMware vSphere virtual machines (VMs) to Microsoft Azure as part of their application modernization strategy. Their first step is to exit their on-premises data centers and rapidly relocate their legacy application VMs to the Azure VMware Solution as a staging area for the first phase of their modernization strategy. What should the Azure VMware Solution look like?
Azure VMware Solution is a VMware validated first party Azure service from Microsoft that provides private clouds containing VMware vSphere clusters built from dedicated bare-metal Azure infrastructure. It enables customers to leverage their existing investments in VMware skills and tools, allowing them to focus on developing and running their VMware-based workloads on Azure.
In this post, I will introduce the typical customer workload availability requirements, describe the Azure VMware Solution architectural components, and describe the availability design considerations for Azure VMware Solution private clouds.
Title: Exclude Public IP addresses in Azure DDoS network protection
Source: Azure Network Security
Author: Tobi Otolorin
Publication Date: November 14, 2022
Content excerpt:
Azure DDoS network protection provides security for services deployed in virtual networks against volumetric attacks by way of always-on traffic monitoring and adaptive real-time tuning. This may be achieved by applying DDoS protection plans to the different virtual networks in the different architectural tiers such as the Hub and Spoke network, Windows N-tier and PaaS Web App architectures.
Title: Azure Firewall Basic SKU is now Available in Public Preview
Source: Azure Network Security
Author: Gustavo Modena
Publication Date: November 16, 2022
Content excerpt:
Microsoft has recently released in public preview the new Azure Firewall Basic SKU as announced on October 4, 2022.
Azure Firewall Basic is a new SKU of Azure Firewall designed to meet the needs of SMBs by providing enterprise-grade protection of their cloud environment at an affordable price point. It is a cloud-native, highly available, stateful firewall as a service offering that enables customers to centrally govern and log all their traffic flows with essential capabilities at scale.
Title: Azure DDoS IP Protection is Now Available in Public Preview
Source: Azure Network Security
Author: Saleem Bseeu
Publication Date: November 21, 2022
Content excerpt:
IP Protection is a new SKU for Azure DDoS Protection that is designed with SMBs in mind and delivers enterprise-grade and cost-effective DDoS protection. You can defend against L3/L4 DDoS attacks with always-on monitoring and adaptive tuning that ensure your application is always protected. With IP Protection, you now have the flexibility to enable protection on a single public IP. Azure DDoS Protection integrates seamlessly with other Azure services for real-time alerts, metrics, and insights to strengthen your security posture.
Title: How to enable the IPv4+IPv6 dual-stack feature on a Service Fabric cluster
Source: Azure PaaS
Author: Jerry Zhang
Publication Date: November 1, 2022
Content excerpt:
As IPv4 addresses are already exhausted, more and more service providers and website hosts are starting to use IPv6 addresses on their servers. Although IPv6 is a new version of IPv4, their packet headers and address formats are completely different. For this reason, users can consider IPv6 a different protocol from IPv4.
In order to be able to communicate with a server that supports the IPv6 protocol only, we’ll need to enable the IPv6 protocol on the Service Fabric cluster and its related resources. This blog will mainly talk about how to enable this feature on a Service Fabric cluster using an ARM template.
Title: How Azure Backup Soft Delete protects from accidental deletes, malicious and ransomware threats
Source: Azure Storage
Author: Srinath Vasireddy
Publication Date: November 24, 2022
Content excerpt:
Azure Backup’s Soft Delete provides protection of backup data against deletion by accidental, malicious, or human-operated ransomware attacks. It is enabled by default on newly created vaults. With Soft Delete enabled, the deleted backup data is retained for 14 additional days so that it can be recovered with no data loss. The additional 14 days of retention for backup data in the "soft delete" state don't incur any cost to you. If you need to ensure that Soft Delete cannot be disabled, you can further strengthen your backup security posture by turning on the Always-on setting, making it irreversible.
Title: How Azure Backup Immutability helps you protect against ransomware threats
Source: Azure Storage
Author: Srinath Vasireddy
Publication Date: November 24, 2022
Content excerpt:
Ransomware attacks deliberately encrypt or erase data and systems to force your organization to pay money to attackers. These attacks target not just your data, but even your backups. The best way to prevent falling victim to ransomware is to implement preventive measures and have tools that protect your backup data - one such feature is Immutable Vault.
Immutable Vault (currently in preview) can help you protect your backup data by blocking any operations that could lead to loss of existing recovery points. Enabling this property helps you ensure that recovery points once created cannot be deleted before their intended expiry. While this helps prevent data loss, you would not be able to perform certain operations on this vault and its protected items.
Title: Azure Monitor: Calculating Chargeback to Split Monitoring Costs Across Projects
Source: Core Infrastructure and Security
Author: Bruno Gabrielli
Publication Date: November 9, 2022
Content excerpt:
During my customer visits, the very question I get is: I am using Azure Monitor to monitor my workloads; how can I split monitoring costs across projects?
Given the question, the answer is not too difficult, but it may vary depending on the architecture and the monitoring targets that are part of the scenario.
To better explain: chargeback, which is what we are talking about, can be easily done when all the resources are Azure resources and monitoring data is sent to specific, separate workspaces. In this situation, all you have to do is use either Cost Analysis or Usage and Estimated Costs.
Title: Azure Monitor: Check and Assess Log Analytics Workspace, Application Insights and Dedicated Cluster
Source: Core Infrastructure and Security
Author: Bruno Gabrielli
Publication Date: November 10, 2022
Content excerpt:
How many times have you found yourself in a situation in which plenty of Log Analytics Workspaces and Application Insights instances were installed over time and you lost control?
Moreover, how can you make sure that you are eligible for an Azure Monitor Logs Dedicated Cluster instance to enforce data security using Azure Monitor customer-managed keys (CMK) and to save money? Unfortunately, you need to do queries and math to get the full picture. This was true until today.
Collecting needs from several customers, I created a workbook that allows you to retain control over your monitoring infrastructure.
Title: Flexible and Simple Solution to Start and Stop VMs
Source: Core Infrastructure and Security
Author: Felipe Binotto
Publication Date: November 14, 2022
Content excerpt:
This post will be about a solution I recently deployed to a customer to Start/Stop VMs on a schedule. You may be asking yourself why we need another solution if two official solutions are already available for the same purpose. The answer is straightforward – the solution I propose is simple and flexible and, in my opinion, the existing solutions are not.
Title: How Do I Know If My AD Environment Is Impacted By The November 8th 2022 Patch?
Source: Core Infrastructure and Security
Author: Paul Harrison
Publication Date: November 18, 2022
Content excerpt:
Q: How can I determine if objects in my AD environment are impacted by the November 8th 2022 patch?
A: Use a couple of queries I wrote specifically for that purpose.
November 8th, 2022 brought us a patch that caused some clients extra headaches because, when the patch is installed on Domain Controllers, Kerberos authentication can break for AD objects. If you want details about the problem patches or the out-of-band patch to replace the problem patches, check the links below. Now that a non-breaking patch has been released, this extra investigation isn’t necessary, but it may help you develop useful techniques for the future. This is how I helped clients immediately investigate whether their environments would be impacted by the patch by using a little PowerShell.
Title: Learning Op: Migrate Away From ADFS to Azure AD
Source: Core Infrastructure and Security
Author: Brandon Wilson
Publication Date: November 18, 2022
Content excerpt:
Brandon Wilson here today with a short post just to give our readers a heads up on an excellent learning opportunity that we thought might be helpful for many of you.
Since there is already content out there, I won’t be going into depth on this, other than to say it will cost you a couple of hours, for a couple of days, and we anticipate the time will be well spent! Go forth and learn (and then pass the knowledge around)! The below content summary will take you to the page to see upcoming workshop dates/times, as well as provide you with the registration link.
Title: Private Endpoint DNS Resolution with Azure Private Resolver for Multi-Region
Source: Core Infrastructure and Security
Author: Andrew Coughlin
Publication Date: November 21, 2022
Content excerpt:
I frequently get asked questions about how to set up private endpoints from my customers that have a presence in multiple regions. In this blog I will talk about how to set up DNS resolution for a multi-site deployment with a blob container within a storage account with private endpoints.
Title: Moving a Windows 365 Cloud PC From One DC Region to Another - MS Hosted Network
Source: Core Infrastructure and Security
Author: Atil Gurcan
Publication Date: November 24, 2022
Content excerpt:
From time to time, your employees may need to relocate from one location to another. Or, more often, a new Microsoft Datacenter might pop up in a location that is nearer to your employees. Those are some of the examples of when you need to move your Windows 365 Cloud PC from one Microsoft Datacenter to another. In this blog post, we will take a look at the steps required to move your Cloud PC workload in a Microsoft Hosted Network configuration.
Title: Customer Offerings: Well-Architected Cost Optimization Assessment
Source: Core Infrastructure and Security
Author: Brandon Wilson
Publication Date: November 27, 2022
Content excerpt:
Hi everyone! Brandon Wilson (Cloud Solution Architect/Engineer) here to talk to you a little bit about a customer offering we have known as the Well-Architected Cost Optimization Assessment. I must admit, being a father of 6 children, I tend to gravitate towards cost savings where I can, so as a result, the Well-Architected cost pillar just fits the bill for me (no pun intended...or maybe there is). First, we’ll touch a little bit on the Azure Well Architected Framework (WAF), and then go over what we cover in one of the cost optimization assessments.
Title: Multiple Front Ends for the Same Scaleset
Source: FastTrack for Azure
Author: Michael C. Bazarewsky
Publication Date: November 10, 2022
Content excerpt:
I recently had a customer that was looking to consolidate two public services, with two public identities, on a single VM Scale Set while keeping distinct front-end IPs, allowing for cost efficiency on Azure resources while still giving front-end flexibility.
This post gets into some of the details of the implementation.
Title: Securing PaaS services with virtual networks and restricting public access
Source: FastTrack for Azure
Author: Laura Ghimpeteanu
Publication Date: November 23, 2022
Content excerpt:
This article describes simple steps to secure your application by isolating the PaaS services with virtual networks and making sure the communication between them is private.
It also addresses:
- How to protect your web application from known exploits and vulnerabilities
- How to securely build and deploy inside a virtual network.
Only network-related concepts are covered; all the best practices to secure your PaaS deployments are available here.
Title: AKS Container Insights logging level and associated costs
Source: FastTrack for Azure
Author: Orestis Meikopoulos
Publication Date: November 25, 2022
Content excerpt:
When migrating your services to AKS, you could potentially run into an issue which has to do with logging levels and the volume of data that is being sent to Container Insights. This is especially true when you need to run hundreds or even thousands of pods, as AKS clusters are pretty chatty and generate a ton of logs. You may notice a massive volume of metrics being pushed from the containers running inside the pods into Container Insights (mostly CPU and memory metrics). By default, these are collected every minute for every container.
Title: Azure Kubernetes Service: RBAC options in practice
Source: FastTrack for Azure
Author: Andre Dewes
Publication Date: November 30, 2022
Content excerpt:
When you are building an AKS cluster for your team, one of the first questions you need to ask is: how are you going to manage access to the different groups or people? How to have something simple to manage but still secure?
Title: Embrace and Secure Multicloud with Entra Permissions Management
Source: Microsoft Entra (Azure AD)
Author: Sue Bohn
Publication Date: November 7, 2022
Content excerpt:
Today, we’ve seen the majority of organizations embrace a multicloud deployment strategy for their applications and workloads in the cloud. Consequently, the number of high-risk cloud permissions has exponentially multiplied, which expands the cloud attack surface. Security leaders and practitioners are faced with the significant task of reducing complexity in cloud environments while enforcing the principle of least privilege and managing countless human and workload identities. As a result, a new category of identity and access management solutions has emerged: Cloud Infrastructure Entitlement Management (CIEM). Entra Permissions Management, Microsoft’s CIEM solution, allows organizations to discover, remediate, and monitor identities and permissions by enforcing the principle of least privilege across multicloud environments. Entra Permissions Management detects, automatically right-sizes, and continuously monitors unused and excessive permissions across AWS, Azure, and GCP from a single pane of glass.
Title: Utilizing Zero Trust architecture principles for External Identities
Source: Microsoft Entra (Azure AD)
Author: Robin Goldstein
Publication Date: November 15, 2022
Content excerpt:
As hybrid work environments become normal and we continue to collaborate, the importance of adopting zero-trust architecture principles is more vital than ever. Zero trust architecture puts emphasis on three key principles:
- Verify explicitly: Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.
- Use least privileged access: Limit user access with just-in-time and just-enough-access (JIT/JEA), risk-based adaptive policies, and data protection to help secure both data and productivity.
- Assume breach: Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses.
Collaboration across organizations is a necessity for the successful operation of any business. Therefore, a zero trust architecture effort will not be complete without encompassing external users. Azure AD External Identities already has many features that support zero trust principles to collaborate externally in a secure, flexible, and scalable manner. Below, let’s explore how these different capabilities help to implement each of the above-discussed zero trust principles.
Title: Microsoft Entra Workload Identities now generally available
Source: Microsoft Entra (Azure AD)
Author: Ilana Smith
Publication Date: November 28, 2022
Content excerpt:
As the growth of cloud continues, more workloads are moving to the cloud and new enterprise software solutions are being deployed natively in the cloud. This has resulted in massive growth in identities for workloads and an explosion of access permissions associated with these identities to sensitive data and resources. Organizations and security providers have been focused on human identity security so that access control or security capabilities to manage these emerging identities are limited. This is putting increased pressure on identity security professionals.
Zero Trust is all about ensuring that everyone (and everything) is continuously authenticated and authorized. As new entities like workloads enter organizations’ environments, those entities have to be factored into the Zero Trust strategy. This is why we’ve expanded the identity types we support into workloads as part of our mission to support everyone and everything.
Title: Microsoft Entra Change Announcements – November 2022 Train
Source: Microsoft Entra (Azure AD)
Author: Shobhit Sahay
Publication Date: November 30, 2022
Content excerpt:
Our change management announcements cover all changes across Microsoft Entra where we communicate product retirement news biannually and breaking/feature change announcements quarterly. In between these announcements, you will see specific blog posts for new product and feature launches. For example, since our Sept Change Announcements Blog, we launched the general availability of a new region in Japan.
Today, we're sharing our November train for feature and breaking changes. We also communicate these changes on release notes and via email. We also continue to make it easier for our customers to manage lifecycle changes (deprecations, retirements, service breaking changes) within the new Entra admin center.
Title: What’s new in Microsoft Intune – 2211 (November) edition
Source: Microsoft Intune
Author: Ramya Chitrakar
Publication Date: November 17, 2022
Content excerpt:
The Microsoft Intune November (2211) service release includes a new opportunity for user engagement, giving IT admins the ability to deliver key messages natively on Windows 11. Additionally, I know security is top of mind for customers, so we're adding an extra security option designed for admins to strengthen their security posture as part of their management solution. I hope you appreciate these enhancements as deployment wraps up for the month.
Title: Introducing Network HUD for Azure Stack HCI
Source: Networking
Author: Dan Cuomo
Publication Date: November 15, 2022
Content excerpt:
We’re excited to announce the release of Network HUD, a new feature that proactively identifies and remediates operational networking issues on Azure Stack HCI. Network HUD is available in the November update for both 21H2 and 22H2 Azure Stack HCI subscribers!
Title: Network HUD: November 2022 content update has arrived!
Source: Networking
Author: Dan Cuomo
Publication Date: November 15, 2022
Content excerpt:
In our first article we introduced Network HUD as a new feature that proactively identifies and remediates operational networking issues on Azure Stack HCI. We also discussed Network HUD’s unique on-premises cloud-service model which enables us to bring new features and capabilities (more than just bug fixes) rapidly through what we call, “content updates.”
Well, it’s official. The November content update has arrived! So, in this article, we’ll dive into the new capabilities that Network HUD gains with the November content update.
Title: Attestation: A necessity for Zero Trust
Source: Security, Compliance, and Identity
Author: Prakhar Srivastava
Publication Date: November 3, 2022
Content excerpt:
Ensuring that a platform is healthy and trustworthy is a fundamental vertical in today’s zero trust approach, and this has become one of the key focus areas of recent times. Pre-OS boot continues to remain a prime target for adversaries, and we have seen attacks resulting from supply chain trust brittleness. Firmware remains critical to any platform provider, and often with minimal view and control. These programs control the flow of execution before the operating system takes control and can be used to bypass anti-virus, monitoring, host intrusion prevention systems, etc. In a recent Microsoft-commissioned study showing how attacks against firmware are outpacing investments targeted at stopping them, the August 2022 Signals report showed that more than 80% of enterprises have experienced at least one firmware attack in the past two years.
Title: Service & repair for Surface devices
Source: Surface IT Pro
Author: John Kaiser
Publication Date: November 2, 2022
Content excerpt:
Thoughtfully designed with premium craftsmanship and high-quality hardware, the latest Surface devices are easier to repair and maintain, with more replaceable components and flexible choices in service.
Microsoft continues to innovate its serviceable designs to get the most out of Surface devices. Commercial customers can choose how to service their devices to solve issues quickly and minimize device downtime, whether through customer self-repair, trusted Microsoft in-region repair, or a growing Authorized Service Provider (ASP) network. For documentation about service options and replaceable components across all Surface devices, see Surface for Business service and repair.
Title: Multi-Key Total Memory Encryption on Windows 11 22H2
Source: Windows Kernel Internals
Author: Jin Lin
Publication Date: November 23, 2022
Content excerpt:
The security and privacy of customer data is a core priority for Azure and Windows. Encrypting data across different layers of device and transport is a universal technique to prevent exploits from accessing plaintext data. In Azure, we have a multitude of offerings to provide different levels of data confidentiality, encryption and isolation across workload types (Azure Confidential Computing – Protect Data In Use | Microsoft Azure). One such offering is VM memory encryption with Intel’s Total Memory Encryption – Multi Key (TME-MK), providing hardware-accelerated encryption of DRAM. With the latest Intel 12th Gen Core CPUs (Alder Lake) offering this capability, we are delighted to extend support in Windows 11 22H2 for TME-MK.
Previous CTO! Guides:
Additional resources:
- Azure documentation
- Azure pricing calculator (VERY handy!)
- Microsoft Azure Well-Architected Framework
- Microsoft Cloud Adoption Framework
- Windows Server documentation
- Windows client documentation for IT Pros
- PowerShell documentation
- Core Infrastructure and Security blog
- Microsoft Tech Community blogs
- Microsoft technical documentation (Microsoft Docs)
- Sysinternals blog
- Microsoft Learn
- Microsoft Support (Knowledge Base)
- Microsoft Archived Content (MSDN/TechNet blogs, MSDN Magazine, MSDN Newsletter, TechNet Newsletter)
Published Dec 01, 2022
Version 1.0