Azure security announcements - December 9th 2022

December 12, 2022

This week, there are 11 announcements related to Azure Security.

Headlines:

  • We announce the general availability of Cross Zonal Restore of Azure Virtual Machines for Azure Backup customers
  • Azure Backup now supports backing up confidential VMs using Platform Managed Keys
  • Azure Functions Proxies will no longer be supported after 30 September 2025
  • Azure Backup service is announcing private preview of AKS Backup
  • Azure Sphere Security Service now enables EU customers to process and store image files and device crash dump files within the EU
  • The Azure Sphere 22.11 feature release is now available
  • The new Predefined and CustomV2 policies for Azure Application Gateway are now generally available
  • Azure’s regional Web Application Firewall with Application Gateway now supports setting actions on a rule-by-rule basis
  • A new bot protection rule set is now generally available for Azure Web Application Firewall with Azure Application Gateway
  • Azure Resource Manager will be deprecating support for incoming requests coming over TLS 1.1 and other older security protocols
  • Now it is possible to encrypt managed disks with cross-tenant customer-managed keys using Azure Key Vault hosted in a different Azure Active Directory tenant

All details below.

Azure Backup

General Availability
We are excited to announce the general availability of Cross Zonal Restore of Azure Virtual Machines for Azure Backup customers. Azure Backup leverages ZRS (zone-redundant storage), which synchronously stores three replicas of backup data across different Availability Zones. This lets you keep operating even if the backup data in one Availability Zone is unavailable or unrecoverable, while keeping the data within a single region. With this feature, Azure Backup can restore recovery points stored in a Recovery Services Vault that uses ZRS storage into the zone of your choice.

You should consider Cross Zonal Restore option when:

  • zonal availability of the backup data is critical, and downtime of backup data is not acceptable. This enables you to restore Azure virtual machine / disks in any zone of your choice in the same region.
  • resiliency of backup data is required along with Data residency.

With the preview of Cross Zonal Restore of Azure VMs, Azure Backup offers a compelling set of durability options for your backup data: ZRS for intra-region high durability, locally-redundant storage (LRS) for low-cost single-region durability, and geo-redundant storage (GRS) for high durability across regions when the primary region is unavailable. By opting in to the Cross Region Restore feature, you can also access the secondary-region backup data from Azure Backup.

Announcement | Documentation

Preview Features
Azure Backup now supports backing up confidential VMs without confidential OS disk encryption, and confidential VMs with confidential OS disk encryption using Platform Managed Keys.

Feature details:

  • Backup is supported in all regions where confidential VMs are currently available.
  • Backup of confidential VMs is only supported using Enhanced Policy.
  • Cross-region Restore and Item Level Restore are unsupported.
  • Backup of confidential VMs having confidential OS disk encryption using Customer Managed Key is currently unsupported.

Announcement | Documentation

Azure Functions

Retiring Features
Azure API Management is Microsoft’s solution to securely create and manage modern APIs at scale. It also provides advanced tools for building and maintaining APIs such as OpenAPI integration, rate limiting and exhaustive policy support.

Azure Functions Proxies are a very limited subset of these capabilities that will no longer be invested in to avoid duplication of functionality. Azure Functions Proxies will continue to remain in maintenance mode until 30 September 2025 after which they will no longer be supported.

To enable seamless upgrade of Function applications to runtime V4.x, we will be adding Proxy support back in Functions runtime V4.x by October 2022. However, migrating away from Proxies is strongly recommended.

Announcement | Documentation

Azure Kubernetes Service

Preview Features
Organizations are increasingly adopting Kubernetes, which continues to gain momentum. Azure Kubernetes Service (AKS) is preferred by our customers to deploy and run their critical applications on Kubernetes. While enterprise adoption of Kubernetes is on the rise, IT leaders are still working out best practices to secure their mission-critical containerized applications and the data stored inside clusters.

With this intent, Azure Backup service is announcing private preview of AKS Backup. Using this feature you can:

  • Back up and restore your containerized applications, both stateless and stateful, running on your AKS clusters, together with data stored in Persistent Volumes attached to the clusters.
  • Perform backup orchestration and use the management capabilities of Azure Backup, along with the single-pane-of-glass view of Backup Centre.

Announcement | Documentation

Azure Sphere

Preview Features
In keeping with Microsoft’s mission to process and store EU data exclusively within the EU (see EU Data Boundary for the Microsoft Cloud), the Azure Sphere Security Service now enables EU customers to process and store image files and device crash dump files within the EU as desired. The new Regional Data Boundary setting is an optional parameter that can be used with the azsphere image and azsphere device-group commands.

Announcement | Documentation

Updated Features
The Azure Sphere 22.11 feature release is now available and includes the following components:

  • Update to the image signing keys used by Azure Sphere Security Service
  • Updated Azure Sphere OS
  • Updated Azure Sphere SDK for Windows and for Linux
  • Updated Azure Sphere extensions for Visual Studio and for Visual Studio Code

If your devices are connected to the internet, they will receive the updated OS from the cloud. You'll be prompted to install the updated SDK on next use.

Announcement | Documentation

Azure Application Gateway

General Availability
The new Predefined and CustomV2 policies are now generally available. The newer policies come with TLS 1.3 support, providing improved security and performance and helping you meet your enterprise security policies. They are designed around a hardened TLS configuration: TLS 1.2 and ECDHE-based cipher suites at a minimum. You may use the out-of-the-box Predefined policies or build your own with the CustomV2 policy. Visit our documentation to find out more about the new policies, the supported minimum protocol versions and the cipher suites. With these released, the default policy for new deployments will also be updated soon.

Announcement | Documentation

General Availability
Azure’s regional Web Application Firewall (WAF) with Application Gateway running the Bot Protection rule set and Core Rule Set (CRS) 3.2 or higher now supports setting actions on a rule-by-rule basis. This gives you greater flexibility when deciding how the WAF handles a request that matches a rule’s conditions.

The following per rule actions are supported:

  • Allow: The request passes through the WAF and is forwarded to the back end. No lower-priority rule can block this request.
  • Block: The request is blocked and the WAF sends a response to the client without forwarding the request to the back end.
  • Log: The request is logged in the WAF logs and the WAF continues evaluating lower-priority rules.
  • Anomaly Scoring: This is the default action for the Core Rule Set; the request's total anomaly score is increased each time a rule with this action matches.

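To make the evaluation order concrete, here is an added example (not Microsoft's code) that models the four per-rule actions over a constructed rule list. The per-severity scores and the blocking threshold of 5 are the CRS 3.x defaults assumed here; the rule ids, matchers and request model are invented for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable

ANOMALY_THRESHOLD = 5  # CRS 3.x default: block once the total anomaly score reaches 5 (assumed)
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}  # CRS severities

@dataclass
class Rule:
    rule_id: str
    action: str                       # "Allow" | "Block" | "Log" | "AnomalyScoring"
    matches: Callable[[dict], bool]   # predicate over a constructed request dict
    severity: str = "CRITICAL"        # only consulted for AnomalyScoring rules

@dataclass
class Verdict:
    decision: str = "Allow"           # final outcome: "Allow" or "Block"
    matched: list = field(default_factory=list)  # (rule_id, action) in evaluation order
    anomaly_score: int = 0

def evaluate(request: dict, rules: list) -> Verdict:
    """Walk the rules in priority order, applying the per-rule action semantics."""
    v = Verdict()
    for r in rules:
        if not r.matches(request):
            continue
        v.matched.append((r.rule_id, r.action))
        if r.action == "Allow":
            return v                  # forwarded now; lower-priority rules cannot block it
        if r.action == "Block":
            v.decision = "Block"
            return v                  # response sent to the client, nothing forwarded
        if r.action == "AnomalyScoring":
            v.anomaly_score += SEVERITY_SCORE[r.severity]
        # "Log": written to the WAF log, evaluation continues with the next rule
    if v.anomaly_score >= ANOMALY_THRESHOLD:
        v.decision = "Block"          # scoring rules only block collectively, at the threshold
    return v

# Constructed rule set: ids and matchers are invented, not real CRS or bot-manager rule ids
RULES = [
    Rule("custom-allow-probe", "Allow", lambda q: q["path"] == "/healthz"),
    Rule("bot-unknown", "Log", lambda q: "bot" in q["ua"].lower()),
    Rule("bot-bad", "Block", lambda q: q["ua"] == "BadBot/1.0"),
    Rule("crs-like-a", "AnomalyScoring", lambda q: "../" in q["path"], "WARNING"),
    Rule("crs-like-b", "AnomalyScoring", lambda q: len(q["query"]) > 64, "WARNING"),
]
```

Note that the monitoring probe is forwarded even though a Block rule further down would match it, which is why an Allow override should be scoped as narrowly as possible.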
Announcement | Documentation

General Availability
A new bot protection rule set (Microsoft_BotManagerRuleSet_1.0) is now generally available for Azure Web Application Firewall (WAF) with Azure Application Gateway. This updated rule set adds three bot categories: good, bad, and unknown. Bot signatures are managed and dynamically updated by Azure WAF. The default action for the bad bot groups is Block, for the verified search engine crawlers group it is Allow, and for the unknown bot category it is Log. You may override the default action with Allow, Block, or Log for any type of bot rule.

Announcement | Documentation

Azure Resource Manager

Retiring Features
To ensure that Azure can provide the best level of security for our customers’ data, Azure Resource Manager will be deprecating support for incoming requests over TLS 1.1 and other older security protocols by Fall 2023. To avoid any interruptions in your connections with Azure, we highly recommend that you migrate to TLS 1.2 and remove any dependencies on older protocols in your operating systems and work environments.

Azure Resource Manager already supports TLS 1.2; customers currently using this version will be unaffected by this move. However, we will require HTTPS connections coming from all customers to use TLS 1.2, and we will no longer provide backwards compatibility to older security protocols.

To maintain your connections to Azure Resource Manager, please update your operating systems, development libraries, frameworks, and all other solutions to their latest versions to support TLS 1.2.

Announcement | Documentation

Azure Virtual Machines

General Availability
Encrypting managed disks with cross-tenant customer-managed keys (CMK) enables you to encrypt managed disks with customer-managed keys using Azure Key Vault hosted in a different Azure Active Directory (AD) tenant.

Many service providers building Software as a Service (SaaS) offerings on Azure want to give their customers the option of managing their own encryption keys. Customers of service providers can now use cross-tenant customer-managed keys to manage encryption keys in their own Azure AD tenant and subscription using Azure Key Vault. As a result, they will have complete control of their customer-managed keys and their data.

Announcement | Documentation
