Core Infrastructure and Security Blog

Check This Out! (CTO!) Guide (September 2023)

BrandonWilson
Oct 15, 2023

Hi everyone! Brandon Wilson here once again with this month’s “Check This Out!” (CTO!) guide.

These posts are only intended to be your guide, to lead you to some content of interest, and are just a way we are trying to help our readers a bit more, whether that is learning, troubleshooting, or just finding new content sources! We will give you a bit of a taste of the blog content itself, provide you a way to get to the source content directly, and help to introduce you to some other blogs you may not be aware of that you might find helpful. If you have been a long-time reader, then you will find this series to be very similar to our prior series “Infrastructure + Security: Noteworthy News”.

From all of us on the Core Infrastructure and Security Tech Community blog team, thanks for your continued reading and support!

Title: Announcing the general availability of new Azure burstable virtual machines

Source: Azure Compute

Author: Arpita Chatterjee

Publication Date: September 12, 2023

Content excerpt:

Today, we are announcing the general availability of the latest generations of Azure Burstable virtual machine (VM) series – the new Bsv2, Basv2, and Bpsv2 VMs based on the Intel® Xeon® Platinum 8370C, AMD EPYC™ 7763v, and Ampere® Altra® Arm-based processors respectively. 

The new generation of Azure burstable B-series v2 VMs are the lowest priced amongst general purpose VMs in Azure and now include native support for Arm-based workloads with the Bpsv2 series. B-series v2 VMs offer up to 15% better price-performance, up to 5x higher network bandwidth, and 10x higher remote storage throughput compared to the previous generation B-series VMs.

Title: Azure savings plan for compute: How the benefit is applied

Source: Azure Compute

Author: Kyle Ikeda

Publication Date: September 19, 2023

Content excerpt:

Organizations are benefiting from Azure savings plan for compute to save up to 65% on select compute services – and you could too. By committing to spending a fixed hourly amount for either one year or three years, you can save on plans tailored to your budget needs. But you may wonder how Azure applies this benefit.

Title: Breaking Change for VM & VMSS PowerShell/CLI Customers

Source: Azure Compute

Author: Ajay Kundnani

Publication Date: September 26, 2023

Content excerpt:

We would like to inform you of the upcoming default security type change to Trusted Launch that will affect new virtual machines (VMs), virtual machine scale sets (VMSS), and OS Disk resource deployment in Azure. The change will set the OS image to a Trusted Launch (TL) compatible image and set the security type to Trusted Launch by default. This change is a result of our ongoing efforts to improve the foundational security of our cloud computing platform.

This change will take effect in Azure PowerShell (PS) & command-line interface (CLI) with the November 2023 release, and will affect all new Azure VMs, VMSS and Managed OS Disks deployments.

Title: Azure Update Manager Generally Available

Source: Azure Governance and Management

Author: Shashban

Publication Date: September 18, 2023

Content excerpt:

With the evolution of the IT landscape, there is a growing demand for seamless management of resources across the cloud and edge. We are pleased to announce that Azure Update Manager, previously known as Update Management Center, is now generally available.

Title: Generally available: Secure critical infrastructure from accidental deletions at scale with Policy

Source: Azure Governance and Management

Author: Akanksha Agrawal

Publication Date: September 27, 2023

Content excerpt:

We are thrilled to announce the general availability of DenyAction, a new effect in Azure Policy! With the introduction of Deny Action, policy enforcement now expands into blocking requests based on actions to the resource. These deny action policy assignments can safeguard critical infrastructure by blocking unwarranted delete calls.

Title: Azure WAF Post Deployment Check - Best Practices

Source: Azure Network Security

Author: David Frazee

Publication Date: September 20, 2023

Content excerpt:

Customers using Azure Web Application Firewall (WAF) are often interested in post-deployment steps to ensure they have the best security practices in place in their environment. Although deploying a WAF will protect your web applications from common attacks and improve performance by filtering out malicious traffic, it is recommended to take post-deployment actions to ensure the security and reliability of your web applications. As a post-deployment check, you can ensure the following steps are performed for your web application within your application delivery platform, Azure Application Gateway or Azure. Here are recommended measures for enhancing the security posture of the application situated at the backend of your application delivery platform through the utilization of Azure WAF.

Title: Enforcing and Managing Azure DDoS Protection with Azure Policy

Source: Azure Network Security

Author: Saleem Bseeu

Publication Date: September 20, 2023

Content excerpt:

In today's interconnected digital landscape, Distributed Denial of Service (DDoS) attacks have become a persistent threat to organizations of all sizes. These attacks can disrupt services, compromise sensitive data, and lead to financial losses. To counter this threat, Microsoft Azure offers robust DDoS protection capabilities. In this blog post, we will explore how organizations can leverage Azure Policy to enforce and manage Azure DDoS Protection, enhancing their security posture and ensuring uninterrupted services.

The main objective of this post is to equip you with the knowledge to effectively utilize the built-in policies for Azure DDoS protection within your environment. This includes enabling automated scaling without the need for manual intervention and ensuring that DDoS protection is enabled across your public endpoints.

Title: Optimizing Azure Firewall logging costs

Source: Azure Network Security

Author: George Bittencourt

Publication Date: September 26, 2023

Content excerpt:

In this post I will dive deep and show the expected cost optimization of this new structured logging, and what is causing this saving. I will use a sample record of a network rule log to explain it. Please note that this saving applies only if the sink is Log Analytics.

Title: Securing Network Egress in Azure Container Apps

Source: Azure PaaS

Author: Simon Kurtz

Publication Date: September 8, 2023

Content excerpt:

Since its inception nearly two years ago, Azure Container Apps (ACA) has added significant features to make it a relevant container hosting platform. Built atop Kubernetes, Azure Container Apps is a fully managed Platform-as-a-Service that empowers Azure container workloads to focus on the business value they provide, not be mired in infrastructure management. Many of my colleagues and I believe that Azure Container Apps has grown into a viable alternative for hosting many different containers compared to other, more specialized hosting platforms in Azure. No longer must customers learn the ins and outs of Kubernetes, cluster management, Kubernetes versions, etc. The gap to Azure Kubernetes Service (AKS) has been reduced significantly, and while the two products are not intended to compete, comparisons of the two are commonplace.

Title: Multi-Region Active-Active Configurations for Azure Blob Storage

Source: Azure Storage

Author: Umesh Panwar

Publication Date: September 22, 2023

Content excerpt:

In today’s post, I’m excited to shed light on a creative solution I devised to meet a unique client requirement. Azure Blob storage, in its native form, doesn’t inherently support multi-region active-active architectures. However, as every cloud architect knows, challenges often pave the way for innovative solutions.

Title: Announcing general availability of Azure Virtual Desktop Custom Image Templates

Source: Azure Virtual Desktop

Author: Eva Seydl

Publication Date: September 19, 2023

Content excerpt:

We are excited to announce that Azure Virtual Desktop Custom image templates is now generally available in Azure Public Cloud and entering public preview in Azure Government Cloud and China.

Custom image templates allow admins to build a custom “golden image” using the Azure Virtual Desktop management user interface. Leverage a variety of built-in customizations or add your own customization scripts to install applications or configurations.

Below is an example that showcases a selection of customizations that admins can choose from. These customizations cover common configurations used in golden images. Admins won't need to write their own scripts. They can also select to install language packs, FSLogix agents or Teams, as well as configure popular features like time zone redirection, screen capture protection or RDP Shortpath.

Title: Azure Virtual Desktop Insights Powered by the Azure Monitor Agent

Source: Azure Virtual Desktop

Author: Ben Murphy

Publication Date: September 27, 2023

Content excerpt:

We’re excited to announce that Azure Virtual Desktop Insights (AVDI) using the Azure Monitor Agent (AMA) is now generally available. The original version of Azure Virtual Desktop Insights utilizes the Log Analytics Agent, which is scheduled to reach end of life in August of 2024. In anticipation of that, the new default AVD Insights experience for reporting at the host pool level is now powered by the AMA.

Title: Automating Azure VM Deployment: The Power of PowerApps, SharePoint, Flow and Azure DevOps Pipe

Source: Core Infrastructure and Security

Author: Werner Rall

Publication Date: September 4, 2023

Content excerpt:

Many of our customers are trying to balance the productivity vs security scale at this point in time. On the one end you can provide access to the Azure Portal but that could provide certain risks and requires an understanding of the portal. On the other hand, if you do not give access to the portal your Operational Teams will not only have to deal with their original workloads of building infrastructure on premises but also creating infrastructure in multiple online clouds. That leads us to think that maybe automation is the answer. During this article I will showcase a recent scenario where we ran into an issue and how we managed to solve that to achieve our final goal. 

Title: AKS Egress Traffic Demystified

Source: Core Infrastructure and Security

Author: Houssem Dellai

Publication Date: September 11, 2023

Content excerpt:

Welcome to this lab where we will explore the different outbound types in Azure Kubernetes Service (AKS). Outbound traffic refers to the network traffic that originates from a pod or node in a cluster and is destined for external destinations. Outbound traffic will leave the cluster through one of the supported load balancing solutions for egress. These solutions are the outbound types in AKS.

Title: Windows 365 Enterprise – Points of Clarification and PoC Proven Practices

Source: Core Infrastructure and Security

Author: Michael Hildebrand

Publication Date: September 14, 2023

Content excerpt:

Hi folks – Mike Hildebrand here, coming to you live from sunny St. Louis, MO.  Summer is winding down here; it’s mid-September and the dog and I once again have the house to ourselves.  I guess something about the peace and quiet activates the ‘time for a blog’ part of my brain.  Today, I’ll chat with you all a bit about the popular Windows 365 Enterprise (W365) service and the Cloud PC (CPC).

Title: Another Way To Personalize Multiple Thresholds in Log Analytics Alerts

Source: Core Infrastructure and Security

Author: Edoardo Zonca

Publication Date: September 17, 2023

Content excerpt:

This article has been created for a customer that wants to be able to create an alert for customized thresholds for each existing server and performance counter. If there is no specific server, the alert needs to use a generic threshold.

There are some ways you can take to achieve this goal. This allows you to put all the logic in the Kusto query.

Title: Active Directory Hardening Series - Part 1 – Disabling NTLMv1

Source: Core Infrastructure and Security

Author: Jerry Devore

Publication Date: September 21, 2023

Content excerpt:

The first topic in this series I would like to address is the enforcement of NTLMv2. NTLMv2 has been around since Windows NT 4.0 SP4 and we have been talking about enforcing its use for well over 10 years now. There has been plenty written on how NTLM works and why NTLMv1 is no longer secure. Rather than recreating that content I will just stress these key concepts.

Title: Infrastructure as Code Testing with Azure Policy

Source: Core Infrastructure and Security

Author: Anthony Watherston

Publication Date: September 25, 2023

Content excerpt:

Have you ever wanted to test an ARM template or Bicep template against Azure Policy deployed in your environment – so that you could determine if the resource was going to be compliant or non-compliant? Or develop some tests against deployed policy to ensure that the policies themselves were working? Until now this would require long testing cycles where resources would be deployed, you would trigger a policy scan and then wait until a result was returned before deciding if the test was successful.

Title: Azure Firewall Tips from the Field

Source: Core Infrastructure and Security

Author: Felipe Binotto

Publication Date: September 27, 2023

Content excerpt:

Hi folks! My name is Felipe Binotto, Cloud Solution Architect, based in Australia. 

In this post, I will provide some tips and clarifications about Azure Firewall based on my experience from the field. 

Title: From Blobs to Insights: Your Guide to Smart Storage Lifecycle Policies

Source: FastTrack for Azure

Author: Yoav Dobrin

Publication Date: September 11, 2023

Content excerpt:

Navigating the world of blob lifecycle policies can be daunting, especially when you aim to base them on genuine usage patterns. To simplify this journey, we're introducing our insightful exploratory notebook. While it's not a direct plug-and-play solution for production, this notebook lays out the essential steps and queries to decode how your storage account interacts with data. Think of this as your compass, pointing you towards a more in-depth analysis and exploration.

Title: Taking the leap - Unleashing the power of Azure CLI

Source: FastTrack for Azure

Author: Nadav Ben Haim

Publication Date: September 20, 2023

Content excerpt:

In my previous article, I explained the benefits of Azure CLI and some methods to tailor it to your needs. In this article, I want to explore how to use Azure CLI efficiently to retrieve the data you want, in a quick and reliable manner. In addition, I will share some useful advice to improve your experience with the command-line interface.

Title: Optimizing your Azure VMs – 3 Simple Steps to Cloud Efficiency

Source: ITOps Talk

Author: Amy Colyer

Publication Date: September 26, 2023

Content excerpt:

Virtual machines are arguably still one of the most fundamental core infrastructure components when it comes to cloud computing. Whether you are hosting databases, custom apps, runner jobs, or leveraging them as nodes for your container hosts, VMs are core to your arsenal of options. At the same time, given they are designed to host operating systems, and come in all shapes and sizes, they are one of the core areas of Azure compute you should aim to optimize as quickly as possible as part of your FinOps: Cloud Efficiency initiatives. 

Title: Conditional Access Overview and Templates are now Generally Available!

Source: Microsoft Entra (Azure AD)

Author: Nitika Gupta

Publication Date: September 6, 2023

Content excerpt:

Today, we are excited to announce the general availability of Conditional Access overview dashboard and templates. Conditional Access protects thousands of organizations across the globe daily and customers often ask us about best practices and how to improve security coverage. Conditional Access overview dashboard and templates empower Microsoft Entra ID customers to gain insights into their security posture, assess the impact of individual policies, and simplify deployment of Microsoft’s recommendations.

Title: How Tenant Restrictions v2 Can be Used to Prevent Data Exfiltration

Source: Microsoft Entra (Azure AD)

Author: Anna Barhudarian

Publication Date: September 13, 2023

Content excerpt:

In a previous blog, we introduced Continuous Access Evaluation (CAE) - a product that brings Zero Trust principles to session management. Today we would like to discuss securing cross-tenant access with a focus on preventing data exfiltration.

Title: Microsoft Entra Internet Access: An Identity-Centric Secure Web Gateway Solution

Source: Microsoft Entra (Azure AD)

Author: anupmas

Publication Date: September 18, 2023

Content excerpt:

In our previous blog, we introduced Microsoft’s identity-centric security service edge (SSE) solution and two new services: Microsoft Entra Private Access and Microsoft Entra Internet Access. This blog continues the series around Microsoft’s new SSE solution, where we’ll take a deeper look into the Microsoft Entra Internet Access, currently in public preview for Microsoft 365 scenarios, and soon-to-be available in public preview for all internet traffic.

Title: Azure AD Rename Rollout and Resources

Source: Microsoft Entra (Azure AD)

Author: Irina Nechaeva

Publication Date: September 19, 2023

Content excerpt:

The rename of Azure Active Directory (Azure AD) to Microsoft Entra ID is now rolling across content and product experiences from Microsoft, as per the implementation timeline outlined in the Azure AD rename announcement on July 11th. We expect the majority of text updates to be completed by mid-November of this year, and updates for on-premises software to be completed in 2024. Partners, analysts, and influencers have also started using the Microsoft Entra ID name in place of Azure AD.

Title: Remediate User Risks in Microsoft Entra ID Protection Through On-premises Password Changes

Source: Microsoft Entra (Azure AD)

Author: Alex Weinert

Publication Date: September 28, 2023

Content excerpt:

A Zero Trust breach prevention strategy based on user risk is critical for organizations in today's digital landscape. However, managing user risks in hybrid environments has posed several challenges. Today, we’re making it easier to manage user risk in hybrid environments in Microsoft Entra ID Protection (formerly Azure AD Identity Protection) – on-premises password change can now automatically remediate user risk! This feature is now in public preview. 

Title: Skilling snack: Group Policy migration

Source: Windows IT Pro

Author: Joe Lurie

Publication Date: September 7, 2023

Content excerpt:

If you've managed Windows on premises, you've likely used Group Policy Objects (GPOs) to define settings centrally and deploy them across your organization. Microsoft Intune has many of the same settings to help you on your journey to modern device management. We've given you a taste for modernizing your environment in our skilling snack on From on premises to the cloud. Now, dig into this week's serving to migrate your existing on-premises policies to the cloud.

Title: Copilot in Windows and new Cloud PC experiences coming to Windows 11

Source: Windows IT Pro

Author: Harjit Dhaliwal

Publication Date: September 21, 2023

Content excerpt:

Integrating artificial intelligence (AI) capabilities into the Windows 11 experience can unlock a new era of productivity for the people across your organization. Today we are offering insights to help you plan better for managing AI capabilities across your Windows estate.

Title: Enhancing Windows 11 security, accessibility, and management for enterprises

Source: Windows IT Pro

Author: Harjit Dhaliwal

Publication Date: September 26, 2023

Content excerpt:

Today, new innovations for Windows 11 will start to become available. Most of these new features will be enabled by default in the October 2023 optional non-security preview release for all editions of Windows 11, version 22H2 while others may roll out gradually. If you'd like the IT-managed devices in your organization to receive the latest features right away, you can enable optional updates using policy.

Now let's take a closer look at a few of these innovations and how they can benefit your organization...

Previous CTO! Guides:

Additional resources:

Updated Oct 15, 2023
Version 3.0