Azure Security Announcements - August 26th 2022

August 29, 2022

This week, there are 17 announcements related to Azure Security.

Azure API Management

General Availability
Azure API Management support for the MSAL authorization library is now generally available. You can provide a more secure OAuth 2.0 authorization code flow using PKCE when implementing user sign-in and sign-up actions in the developer portal through Azure Active Directory and Azure Active Directory B2C.

Announcement | Documentation

Updated Features
Azure API Management now supports 11 Azure Policy definitions, improving security and reducing the need for you to develop and maintain custom policies.

New policy definitions are used to enforce configuration or monitor compliance across a fleet of Azure API Management services, and cover areas such as upstream and downstream API traffic security, management plane security, private networking, and more.

Announcement | Documentation

Azure Database for MySQL

New Features
Use server logs for Azure Database for MySQL - Flexible Server to enable logging for your server and save the results to a file. If you enable server logs and select the log type, you can download the logs from your server. Use the information in these logs to get detailed insights about the activities executed on your server, and then identify and troubleshoot potential issues.

Announcement | Documentation

Azure DevBox

Preview Features
Microsoft Dev Box is now in public preview. Microsoft Dev Box provides self-service access for developers to high-performance, cloud-based workstations preconfigured and ready-to-code for specific projects—all while maintaining security and corporate governance. With Microsoft Dev Box, organizations can:

  • Maximize dev productivity with ready-to-code, self-service Dev Boxes.
  • Centralize governance of workstations running anywhere to maintain greater security, compliance, and cost efficiency.
  • Customize dev boxes with everything developers need for their current projects.

Announcement | Documentation

Azure Event Hub

Preview Features
Process your real time data streams in Azure Event Hubs using Azure Stream Analytics. The no code editor allows you to easily develop a Stream Analytics job without writing a single line of code. Within minutes, you can develop and run a job that tackles many scenarios.

There are four new features which will help you build and monitor your jobs:

  • Managed identity: You can now use ‘managed identity’ as authentication mode in Event Hub streaming input, Cosmos DB streaming output and Azure Data Lake Storage Gen2. Managed identities eliminate the limitations of user-based authentication methods, like the need to reauthenticate because of password changes or user token expirations that occur every 90 days.
  • Azure Data Lake StorageGen2 reference data: You can now use Azure Data Lake Storage Gen2 as reference data in the query. Reference data is either static or changes slowly over time. It is typically used to enrich incoming streaming and do lookups in your job.
  • Metrics: You can now monitor the health of your job by viewing metrics within no code editor. The metrics shown are for the last one hour by default. You can select any time ranging from last 1 hour to 30 hours to view metrics for the job.
  • Save job: You can now save your job anytime while creating it. For starting the job, you have to configure the Event Hub, transformations, and streaming outputs for the job.

Announcement | Documentation

Azure Kubernetes Service

General Availability
AKS support for Kubernetes release 1.24 is now generally available. Kubernetes 1.24 delivers 46 enhancements. This release includes new changes such as the removal of Dockershim.

Announcement | Documentation

General Availability
Azure Dedicated Host is a service that provides physical servers, able to host one or more virtual machines, dedicated to one Azure subscription. Dedicated hosts are the same physical servers used in our data centers, provided as a resource.

You can provision dedicated hosts within a region, availability zone, and fault domain. Then, you can place AKS VMs directly into your provisioned hosts, in whatever configuration best meets your needs.

Using Azure Dedicated Hosts for nodes with your AKS cluster enables:

  • Hardware isolation at the physical server level. No other VMs will be placed on your hosts.
  • Control over maintenance events initiated by the Azure platform. With dedicated hosts, you can opt-in to a maintenance window to reduce the impact to your service.

Announcement | Documentation

New Features
AKS now supports key management system (KMS) plugin integration. This generally available capability enables encryption at rest of your Kubernetes data in etcd using Azure Key Vault. This means you can now store secrets in bring your own key (BYOK) encrypted etcd using KMS.

KMS plugin for Key Vault is the recommended choice for using a third-party tool for key management. KMS plugin simplifies key rotation, with a new data encryption key (DEK) generated for each encryption, and key encryption key (KEK) rotation controlled by the user.

Features:

  • Use a key in Key Vault for etcd encryption
  • Bring your own keys
  • Provide encryption at rest for secrets stored in etcd

Announcement | Documentation

Azure Load Testing

Preview Features
Azure Load Testing now supports load testing for private endpoints. You can create an Azure Load Testing resource and enable it to generate load from within your virtual network (VNET injection).

This functionality enables the following usage scenarios:

  • Generate load to an endpoint that is deployed in an Azure virtual network
  • Generate load to a public endpoint with access restrictions, such as restricting client IP addresses
  • Generate load to an on-premises service, not publicly accessible, that is connected to Azure via ExpressRoute

This functionality is available in the following Azure regions: Australia East, East US, East US 2, and North Europe. This will soon be available in South Central US and West US 2.

Announcement | Documentation

Azure Monitor

New Features
You can configure data export rules in Azure Monitor Logs and export data for application insights tables, storage accounts, and event hubs. When linking multiple applications insights components to a workspace, data export applies to data coming from all linked applications.

Announcement | Documentation

Preview Features
Container insights now supports integration with Azure Monitor agent for AKS clusters and Arc-enabled clusters. This integration is now generally available for Linux nodes in AKS and Arc-enabled clusters. This specialized agent collects performance and event data from all nodes in the cluster, and the agent is automatically deployed and registered with the specified log analytics workspace during deployment.

With the Azure Monitor agent, container insights also supports authentication using managed identity for AKS and Arc-enabled clusters. This is a secure and simplified authentication model where the monitoring agent uses the cluster’s managed identity to send data to Azure Monitor. It replaces the existing legacy certificate-based local authentication and removes the requirement of adding a monitoring metrics publisher role to the cluster. System-assigned identity and user-assigned identity are supported.

Announcement | Documentation

Azure NetApp Files

New Features
Disaster Recovery to cloud is a resilient and cost-effective way of protecting the workloads against site outages and data corruption events like ransomware. Leveraging the VMware VAIO framework, on-premise VMware workloads can be replicated to Azure Blob storage and recovered with minimal or close to no data loss and near-zero recovery time objective (RTO). JetStream Disaster Recovert (DR) can seamlessly recover workloads replicated from on-premises to Azure VMware Solution. JetStream DR enables cost-effective disaster recovery by consuming minimal resources at the disaster recovery site as well as using cost-effective cloud storage.

JetStream DR can also replicate and automate recovery to Azure NetApp Files datastores. It can recover independent VMs or groups of related VMs into the recovery site infrastructure according to runbook settings. It also provides point-in-time recovery for ransomware protection.

Announcement | Documentation

Azure SQL Database

General Availability
In mid-August 2022, the following updates and enhancements were made to Azure SQL:

  • Set up Windows Authentication for Azure SQL Managed Instance using Azure Active Directory and Kerberos.

Announcement | Documentation

Azure Virtual Network

General Availability
User-defined routes (UDRs) support for private endpoints is now generally available. This feature enhancement will remove the need to create a /32 address prefix when defining custom routes. You will now have the ability to use a wider address prefix in the user defined route tables for traffic destined to a private endpoint (PE) by way of a network virtual appliance (NVA). In order to leverage this feature, you will need to set a specific subnet level property, called PrivateEndpointNetworkPolicies, to enabled on the subnet containing private endpoint resources.

This feature will be available in the following regions at this time:

  • US East, US West, US North, US South, US Central, US East 2, Europe North, Europe West, Asia East, Asia South East, Japan East, Japan West, Brazil South, Australia East, Australia South East, India Central, India South, Canada Central, Canada East, US West 2, US West Central, UK West, UK South, Korea South, Korea Central, France South, France Central, Australia Central, South Africa North, United Arab Emirates Central, United Arab Emirates North, Switzerland North, Switzerland West, Germany North, Germany West Central, Norway East, Norway West, US West 3, Jio India Central, Jio India West, Sweden South, Sweden Central, Qatar Central, US Central Early Updates Access Program, US East 2 Early Updates Access Program.

Announcement | Documentation

New Features
Network security groups (NSGs) support for private endpoints is now generally available. This feature enhancement provides you with the ability to enable advanced security controls on traffic destined to a private endpoint. In order to leverage this feature, you will need to set a specific subnet level property, called PrivateEndpointNetworkPolicies, to enabled on the subnet containing private endpoint resources.

At this time, Private Link network security group support is available in most public regions:

  • US East, US West, US North, US South, US Central, US East 2, Europe North, Europe West, Asia East, Asia South East, Japan East, Japan West, Brazil South, Australia East, Australia South East, India Central, India South, Canada Central, Canada East, US West 2, US West Central, UK West, UK South, Korea South, Korea Central, France South, France Central, Australia Central, South Africa North, United Arab Emirates Central, United Arab Emirates North, Switzerland North, Switzerland West, Germany North, Germany West Central, Norway East, Norway West, US West 3, Jio India Central, Jio India West, Sweden South, Sweden Central, Qatar Central, US Central Early Updates Access Program, US East 2 Early Updates Access Program

Announcement | Documentation

Azure VMWare Solution

New Features
Today, we are announcing the general availability for a new Public IP capability on Azure VMware Solution. Most customer applications running on Azure VMware Solution require internet access. These applications require both outbound and inbound internet connectivity. Azure VMware Solution Public IP is a simplified and scalable solution for running these applications. With this capability, we enable the following.

  • Direct inbound and outbound internet access for AVS to the NSX-T Edge.
  • The ability to receive up to 1000 or more Public IPs.
  • DDoS Security protection against network traffic in and out of the internet.
  • Enable support for VMware HCX (migration tool for VMware VMs) over the public internet.

Regional availability for this combined solution includes the following; Australia East, Australia South, Brazil South, Canada Central, Canada East, East Asia, East US, East US 2, Germany West, Japan East, North Central US, North Europe, South Africa, Sweden Central, UK South, UK West, West Central US, West US

With this capability, there are now three primary patterns for creating inbound and outbound internet access to resources on your Azure VMware Solution private cloud.

Announcement | Documentation

New Features
vRealize Log Insights Cloud with Azure VMware Solution support is now generally available to all customers.

vRLI-C delivers the following capabilities:

  • Centralized log management
  • Deep operational visibility
  • Intelligent analytics
  • Improved troubleshooting and security

vRealize Log Insight Cloud with Azure VMware Solution integration boosts IT organizations’ operational efficiency, mitigates costs arising from unplanned downtime, and reduces organizational risk by providing visibility into security-related events.

Logs have all the information a business might need for strategic decision making, real-time troubleshooting, auditing, and security. However, businesses might need to monitor thousands of objects in their environments, each generating thousands or even millions of logs. Trying to find the right data among that amount of data at scale is impossibly complex and time consuming.

The scale of machine-generated data is only increasing as enterprises span out infrastructure and scale applications across physical, virtual and multi-cloud environments. Enterprises are adopting the DevOps mindset for better collaboration, continuous integration and delivery (CI/CD) to disrupt the older and legacy methods of application development.

With vRealize Log Insights Cloud, you can get free-trial limit to 15GB/day log ingestion with 30-day data retention. Once the trial period has expired, there are multiple subscription options with variable data retention periods for index and non-index partitions to select from.

Announcement | Documentation

Recommended content

Comments

Leave your comment