Hi everyone! Brandon Wilson here once again with this month’s “Check This Out!” (CTO!) guide.
These posts are only intended to be your guide, to lead you to some content of interest; they are just a way we are trying to help our readers a bit more, whether that is learning, troubleshooting, or just finding new content sources! We will give you a bit of a taste of the blog content itself, provide you a way to get to the source content directly, and help to introduce you to some other blogs you may not be aware of that you might find helpful. If you have been a long-time reader, then you will find this series to be very similar to our prior series “Infrastructure + Security: Noteworthy News”.
From all of us on the Core Infrastructure and Security Tech Community blog team, thanks for your continued reading and support!
Title: Modernizing Endpoint Management – Encryption (Part 1) | Modernizing Endpoint Management – Encryption (Part 2)
Source: Core Infrastructure and Security blog
Author: Paddy Damodharan
Publication Date: August 8, 2022 (Part 1) | August 15, 2022 (Part 2)
Content excerpt:
We understand the benefits of modernizing endpoint management using Microsoft Endpoint Manager (MEM) for both physical and virtual endpoints (W365). We see that organizations of different types and sizes are in different phases of their cloud journey. There are businesses that move directly to full cloud-based management, and there are others with on-prem dependencies or with complex requirements that require leveraging an on-prem device management solution like Microsoft Endpoint Configuration Manager (ConfigMgr) in a hybrid fashion with Intune. For those companies, one of the workloads they will have to plan for during migration is the Endpoint Protection workload, more specifically encryption.
I felt there is not much discussion or many blogs written around this topic. In this two-part blog series, we are going to see how we can use the Intune portal to view BitLocker status and recovery keys for devices that are either managed purely by ConfigMgr or co-managed between ConfigMgr and Intune. Before we go into the technical details, let’s quickly look at some of the benefits of using MEM/Intune to manage devices.
Title: Right Size/Recommend Azure SQL Managed Instance
Source: Core Infrastructure and Security blog
Author: Werner Rall
Publication Date: August 22, 2022
Content excerpt:
When doing SQL migrations, we have some wonderful tools at Microsoft that will assist you with the migration from on-premises to Azure. But what happens down the line when you need to decide if you made the correct choice from the start? Or has your use case changed? Maybe a service costs more than you thought and now you want to understand what the alternatives are?
In my case, I created a SQL Managed Instance without any tools and need answers to two questions.
Did I make the right choice?
Are there any tools that can provide recommendations or right sizing on my Database?
Title: Q: Who is adding a bunch of DNS records to my environment?
Source: Core Infrastructure and Security blog
Author: Paul Harrison
Publication Date: August 25, 2022
Content excerpt:
The other day a client asked everyone in operations who added some odd DNS records; everyone on the admin team denied making any changes, and no one in engineering did it either. They determined the user that made the new record but then got curious: what if folks had added many other records but no one had noticed?
I decided to generate a list of who had created DNS records to cross-reference with the list of folks we expected.
Auditing is like backups: enabling it is a higher priority after a big mistake. Fortunately, with DNS we can figure out a few neat things without digging through auditing logs.
Title: Domain Join a Storage Account Leveraging Azure Automation
Source: Core Infrastructure and Security blog
Author: Darren Turchiarelli
Publication Date: August 29, 2022
Content excerpt:
Are you looking to take the next step in your cloud journey and pivot away from managing file servers? Why not look at Azure Files!
In short, Azure Files offers fully managed file shares in the cloud that are accessible via the industry standard Server Message Block (SMB) protocol, Network File System (NFS) protocol, and Azure Files REST API. Azure file shares can be mounted concurrently by cloud or on-premises deployments. SMB Azure file shares are accessible from Windows, Linux, and macOS clients. NFS Azure file shares are accessible from Linux or macOS clients. Additionally, SMB Azure file shares can be cached on Windows servers with Azure File Sync for fast access near where the data is being used. The days of managing a fleet of virtual machines hosting hundreds of file shares are now appearing in the rear-view mirror. This means you don't have to apply software patches or swap out physical disks when they fail any longer.
Title: Using Microsoft Security APIs for Incident Response - Part 1
Source: Security, Compliance, and Identity Blog
Author: Troy Lainhoff
Publication Date: August 19, 2022
Content excerpt:
This blog is part one of a three-part series focused on facilitating programmatic data pulls from Microsoft APIs.
Data collection and analysis is one of the most important aspects of a reactive Incident Response investigation or a proactive threat hunt exercise. Often one of the major contributing factors to the success of these investigations is not only how comprehensive your data collection is, but how fast the data is collected, what data is highlighted, and how consistent the data collection is across different investigations.
This blog series highlights ways you can leverage an Azure AD application registration and OAuth authentication to allow API access to alerts, incidents, and data in Microsoft 365 Defender and Microsoft Defender for Endpoint. This API access can enable programmatic Advanced Hunting queries and data pulls to improve hunting consistency, efficiency, speed, and completeness. While we will provide examples for Microsoft 365 Defender APIs, Microsoft Defender for Endpoint APIs, and Microsoft Graph API endpoints, the general guidance is suitable for any service that has APIs exposed.
Title: Why WAF: Driving Technical Excellence in Delivery for your Organization
Source: Azure Architecture Blog
Author: Todd Fine
Publication Date: August 31, 2022
Content excerpt:
Reasons to adopt WAF as a key part of your overall technical delivery process.
This post provides a brief review of the Azure Well-Architected Framework and its cousin the Well-Architected Review and presents the case for adoption within your delivery organization. I will address this from several perspectives, including improvement of your organization's technical excellence, customer satisfaction, team upskilling, and alignment with Microsoft.
Having proceeded down the path as we integrated WAF into my own company’s processes, I wanted to share the benefits that have resulted, both internally and externally (with customers). Together, WAF and WAR provide a huge (and free!) set of resources for your team.
Title: Cost Optimisation In The Cloud – Practical Design Steps For Architects and Developers – Part 1 | Cost Optimisation In The Cloud – Practical Design Steps For Architects and Developers - Part 2
Source: Azure Architecture Blog
Author: Shane Baldacchino
Publication Date: July 17, 2022 (Part 1) | August 18, 2022 (Part 2)
Content excerpt:
Cloud and cost. It can be quite a polarising topic. Do it right, and you can run super lean, drive down the cost to serve and ride the cloud innovation train. But inversely, do it wrong and treat public cloud like a datacentre, and your costs could be significantly larger than on-premises.
In this multi-part blog series, I pass on my learnings (in a cloud-agnostic way), and if you read (thank you) and walk away with a meaningful cost-saving idea that you can actually execute in your environment, I’ll personally be exceptionally happy.
If you have found this post, I am going to assume you are a builder and resonate with the developer or architect persona.
It is you whom I want to talk to: those who are constructing the "Lego" blocks of architecture. You have a great deal of influence on the efficiency of one's architecture.
Just like a car has an economy value, there are often tradeoffs. A low liters-per-100-km figure (l/100km; high MPG for my non-Australian friends) often goes hand in hand with low performance. A better analogy is the stickers on an appliance for energy efficiency.
How can we increase the efficiency of their architecture without compromising other facets such as reliability, performance and operational overhead?
This is what the aim of the game is.
There is a lot to cover, so in this multi-part blog series I am going to cover quite a lot in a hurry, across many different domains. The objective here is to give you things to take away, and if you read this series and come away with one or two meaningful cost-saving ideas that you can actually execute in your environment, I'll personally be exceptionally happy that you have driven cost out of your environment.
Title: Armchair Architects: The role of Simplicity in Architecture
Source: Azure Architecture Blog
Author: Ben Brauer
Publication Date: August 11, 2022
Content excerpt:
What are the tradeoffs between robust functionality, flexibility, simplicity, and ease of operation? How do our Armchair Architects design solutions that start as high as they want and go as low as they need? Uli, Eric, and David discuss these questions and more in a recent episode of the Azure Enablement Show.
Read below for highlights and watch the video.
What role does simplicity play when architecting solutions?
Simplicity is like a philosophy or a pervasive thread that you often have to revisit at every stage. From an architecture perspective, you can visualize the way these solutions might fit together and then ask yourself whether it's as simple as it needs to be, or whether it is overly complex and can be reduced further. Ask yourself if you are providing too many knobs and bells and whistles. Can I create a more coarse-grained API interface across my microservice architecture and that way make it easier on the people who have to consume it? It’s something that you visit and revisit critically all throughout the architect journey.
Simplicity is a question that you should ask from multiple dimensions. You also have to look at what happens if stuff breaks at 3am and the developer isn't available to debug the code. So how do you tell an operations person who has to deal with the system? The more complex the system is, the more difficult it is to bring it back online or make sure the customers can successfully complete their operations. And if I have to update the solution, how many things do I have to touch to update the capabilities that I’m building? The more things I have to touch, the more complex it is, and therefore the likelihood of failure is much higher than if I keep it simple.
Title: RDP Shortpath for public networks in Azure Virtual Desktop
Source: Azure Virtual Desktop Blog
Author: Rinku Dalwani
Publication Date: August 23, 2022
Content excerpt:
We are pleased to announce that we will start deploying RDP Shortpath for public networks on September 6th. The feature will be delivered to validation host pools before going live in production host pools. RDP Shortpath improves the transport reliability of Azure Virtual Desktop connections by establishing a direct UDP data flow between the Remote Desktop client and session hosts. This feature will be enabled by default for all customers.
What is RDP Shortpath for public networks?
RDP Shortpath lets user sessions directly establish a User Datagram Protocol (UDP) flow between client and session host using the Simple Traversal Underneath NAT (STUN) and Interactive Connectivity Establishment (ICE) protocols. This will enhance transport reliability for Azure Virtual Desktop. For more information, check out Azure Virtual Desktop RDP Shortpath for public networks.
Title: Announcing General Availability of Autoscale for Pooled Host Pools on Azure Virtual Desktop
Source: Azure Virtual Desktop Blog
Author: Seneca Friend
Publication Date: August 4, 2022
Content excerpt:
We shared at Microsoft Inspire that one of our most anticipated features, Autoscale for pooled host pools, will soon be Generally Available on Azure Virtual Desktop. Today, we are happy to announce that Autoscale for pooled host pools is officially Generally Available!
Autoscale for Pooled Host Pools
Autoscale on Azure Virtual Desktop is a native automated scaling solution that automatically turns session host virtual machines on and off according to the schedule and capacity thresholds that you define to fit your workload. With Autoscale, you can save costs by shutting down idle session hosts during off-peak hours while ensuring there’s enough capacity to meet your users’ needs during peak hours.
Title: How Azure Monitor's implementation of Private Link differs from other services
Source: FastTrack for Azure
Author: mtbmsft
Publication Date: August 25, 2022
Content excerpt:
Azure Monitor implements Private Link DNS resolution differently from other Azure services. This article details the more common pattern for DNS resolution to support Private Endpoints, walks through an example from the client perspective using a Storage Account, then describes how Azure Monitor differs and how this may impact your Private Link architecture.
How most Azure services implement Private Link
For those Azure PaaS services where your resource has a globally-unique endpoint, such as Azure Storage, the platform adds a resourcename.privatelink.servicedomain… CNAME DNS record to your resource name when you enable a Private Endpoint on the resource.
From this point forward, if a client submits a DNS query for the resource FQDN, they will receive the resourcename.privatelink.servicedomain… CNAME in their response from Azure public DNS which their DNS server will attempt to resolve to an IP address.
Title: Use Azure tags in Azure Kubernetes Service (AKS)
Source: FastTrack for Azure
Author: Paolo Salvatori
Publication Date: August 29, 2022
Content excerpt:
As documented in Use Azure tags in Azure Kubernetes Service (AKS), you can use Azure tags on an AKS cluster to associate its related resources to a given workload or tenant. For some resources, such as a managed data disk created via a persistent volume claim or an Azure Public IP created by a public Kubernetes service, you can also use Kubernetes manifests to set Azure tags. Azure tags are a helpful mechanism to track resource usage and charge back their costs to separate tenants or business units within an organization. This article explains how to set Azure tags for AKS clusters and related resources.
Title: Moving to the cloud: Your guide on when to migrate and when to modernize
Source: Azure Migration and Modernization Blog
Author: Daniel Stocker
Publication Date: August 8, 2022
Content excerpt:
One key question that many IT leaders ask as their organizations prepare for their move to the cloud is whether they should migrate or modernize workloads. In this article we would like to dive deep into the concepts of “Migrate” and “Modernize”, explain what they mean to us, what they mean to customers, and what the tradeoffs between them are.
Read to the end for links to useful resources that can help support you in your choice of whether you should modernize or migrate parts of your application portfolio.
Title: Automatically allow traffic to Office 365 endpoints on Azure Firewall
Source: Azure Network Security Blog
Author: Lara Goldstein
Publication Date: August 31, 2022
Content excerpt:
Azure Firewall is Microsoft’s cloud-native, fully stateful firewall as a service that provides best-of-breed threat protection for cloud workloads running in Azure. With any firewall solution, the most important factor is the ability to control outbound and inbound network access in an easy, automated manner. One common use case we see is customers needing to easily allow traffic through Azure Firewall to the Office 365 endpoints that their users rely on for their day-to-day productivity. To make the process of allowing traffic to Office 365 easier, we have created a deployment template (detailed in the Deployment section below) to automate this process for you.
Title: Public Preview: Leverage Azure Active Directory Kerberos with Azure Files for hybrid identities
Source: Azure Storage Blog
Author: Mine Tanrinian Demir
Publication Date: August 30, 2022
Content excerpt:
We are excited to announce Azure Files integration with Azure Active Directory (Azure AD) Kerberos for hybrid identities. With this release, identities in Azure AD can mount and access Azure file shares without the need for line-of-sight to an Active Directory domain controller.
Until now, Azure Files supported identity-based authentication over Server Message Block (SMB) through two types of Domain Services: on-premises Active Directory Domain Services (AD DS) and Azure Active Directory Domain Services (Azure AD DS). On-premises AD DS requires clients to have line-of-sight to the domain controller, while Azure AD DS requires deploying domain services onto Azure AD and domain joining to Azure AD DS. Azure AD Kerberos is a new addition to these identity-based authentication methods. Azure AD Kerberos allows Azure AD to issue Kerberos service tickets over HTTPS for service applications in Azure AD. This removes the need to set up and manage another domain service, while also removing the line-of-sight requirement to the domain controller when authenticating with Azure Files. For this experience, the clients connecting to Azure Files need to be Azure AD-joined (or hybrid Azure AD-joined), and the user identities must be hybrid identities, managed in Active Directory.
Additional resources:
- Azure documentation
- Azure pricing calculator (VERY handy!)
- Microsoft Azure Well-Architected Framework
- Microsoft Cloud Adoption Framework
- Windows Server documentation
- Windows client documentation for IT Pros
- PowerShell documentation
- Core Infrastructure and Security blog
- Microsoft Tech Community blogs
- Microsoft technical documentation (Microsoft Docs)
- Sysinternals blog
- Microsoft Learn
- Microsoft Support (Knowledge Base)
- Microsoft Archived Content (MSDN/TechNet blogs, MSDN Magazine, MSDN Newsletter, TechNet Newsletter)