Azure security announcements - November 11th 2022

November 17, 2022

This week, there are 16 announcements related to Azure Security.

Headlines:

  • General availability of the Default Rule Set 2.1 (DRS 2.1) on Azure's global Web Application Firewall (WAF) running on Azure Front Door
  • Update release of Azure IoT Edge 1.4LTS for Linux on Windows
  • IoT Hub Device Update has new functionality
  • We are rolling out availability, reliability, and security improvements to the IoT Hub gateway
  • You can now rotate SSH keys on existing AKS node pools and no longer require a node reimage
  • You can now encrypt storage accounts with customer-managed keys (CMK) using an Azure Key Vault hosted on a different Azure Active Directory tenant
  • It is possible to create confidential VMs using Ephemeral OS disks
  • On 30 September 2023, all Azure API Management API versions prior to 2021-08-01 will be retired and API calls using those API versions will fail
  • The resource providers for Azure API Management are zone redundant in each region
  • With Static Web Apps, you can now configure Azure Pipelines to deploy your application to preview environments
  • By using .NET 7 in Azure App Service you can leverage the latest language and runtime improvements in .NET
  • By using Node 18 for your apps hosted on Azure App Service, you can leverage the latest language and runtime improvements in Node
  • You can now build your serverless applications with .NET 7 runtime when running in the isolated process mode in Azure Functions v4
  • Azure Automation now supports Azure Availability zones to provide improved resiliency and reliability to the service, runbooks and other automation assets
  • Azure Automation now supports runbooks in the latest Runtime versions - PowerShell 7.2 and Python 3.10 in public preview
  • Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multi-factor authentication (MFA) requests

All details below.

Azure Front Door

General Availability
We are announcing the general availability of the Default Rule Set 2.1 (DRS 2.1) on Azure's global Web Application Firewall (WAF) running on Azure Front Door. This rule set is available on the Azure Front Door Premium tier.

DRS 2.1 is baselined off the Open Web Application Security Project (OWASP) Core Rule Set (CRS) 3.3.2 and includes additional proprietary protection rules developed by the Microsoft Threat Intelligence team. As with previous DRS releases, DRS 2.1 rules are also tailored by the Microsoft Threat Intelligence Center (MSTIC). The MSTIC team analyzes Common Vulnerabilities and Exposures (CVEs) and adapts the CRS ruleset to address those issues while also reducing false positives for our customers.

Announcement | Documentation

Azure IoT Edge

General Availability
This update release of Azure IoT Edge 1.4LTS for Linux on Windows contains the following improvements:

  • Automatic image clean-up of unused Docker images
  • Ability to pass a custom JSON payload to DPS on provisioning
  • Ability to require all modules in a deployment be downloaded before restart
  • Use of the TCG TPM2 Software Stack which enables TPM hierarchy authorization values, specifying the TPM index at which to persist the DPS authentication key, and accommodating more TPM configurations
  • CBL-Mariner 2.0 as the virtual machine base operating system
  • USB passthrough using USB-Over-IP
  • File/Folder sharing between Windows OS and the EFLOW VM

Announcement | Documentation

Azure IoT Hub

General Availability
Device Update has the following new functionality:

  • Automatic group provisioning will automatically create groups of devices based on their compatibility properties and device tags, so you can easily deploy updates to your devices without the additional overhead.
  • Improved troubleshooting features such as agent check and device sync help you troubleshoot and repair your devices with ease.
  • Automatic rollback enables you to define a fallback version for your managed devices if they meet the rollback criteria that can be easily set from the cloud.
  • Azure CLI Support enables you to create and manage Device Update resources, groups, and deployments using command line functions.
  • Support for OS platforms such as Ubuntu 18.04 and Ubuntu 20.04.
  • Support in all Azure Hero regions.

Announcement | Documentation

Updated Features
The architecture of your IoT Hub includes a cluster of front-end message processing servers and software we call the IoT Hub gateway. We are rolling out availability, reliability, and security improvements to this gateway between November 2022 and April 2023.

Potential impact

The gateway upgrade will result in:

  • A forced disconnect and reconnect for all devices.
  • New static IP addresses for all IoT hubs.
  • Device disconnects: your devices will disconnect from IoT Hub while we upgrade the gateway nodes. The time it takes for your devices to reconnect depends on:
    • DNS update propagation: If your devices leverage DNS to resolve your IoT hub’s IP address, it will resolve the new IP address after the DNS updates propagate to the device’s DNS server(s) and any local DNS cache expires.
    • DPS reprovisioning: Reprovisioning is subject to DPS limits. Follow the recommended best practices to reprovision devices with DPS. Avoid reprovisioning unless IoT Hub returns an error other than 429 or 5xx.
    • Device connection retry logic: If your devices leverage the Azure IoT SDKs, they will attempt to reconnect according to their retry policy.
    • Device connection throttling: IoT Hub throttles device connections based on your selected tier.
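The reconnect rule above (back off on 429 and 5xx, reprovision through DPS only on some other error) is easy to get wrong in device firmware, so here is an added example of that decision logic, not code from Microsoft or the Azure IoT SDKs. The 429/5xx rule comes from the announcement; the `ConnectResult` type, the exponential backoff policy, the `simulate` driver and the status-code sequences are constructed for this example.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class ConnectResult:
    """Outcome of one connection attempt. On failure, `status` carries the
    HTTP-style error code IoT Hub returned (values used here are constructed)."""
    ok: bool
    status: Optional[int] = None


@dataclass
class ReconnectOutcome:
    connected: bool
    attempts: int
    reprovisioned: int
    delays: List[float] = field(default_factory=list)


def should_reprovision(status: int) -> bool:
    """Rule from the announcement: a 429 (throttled) or 5xx (transient hub-side
    failure) is not a reason to go back to DPS; only another error class is."""
    if status == 429 or 500 <= status <= 599:
        return False
    return True


def backoff_delay(attempt: int, base: float = 1.0, cap: float = 60.0) -> float:
    """Capped exponential backoff; a constructed policy standing in for the
    retry policy of whichever Azure IoT SDK the device uses."""
    return min(cap, base * (2 ** attempt))


def reconnect(connect: Callable[[], ConnectResult],
              reprovision: Callable[[], None],
              max_attempts: int = 8,
              sleep: Callable[[float], None] = time.sleep) -> ReconnectOutcome:
    """Retry until connected or attempts are exhausted. Every failure backs off,
    so reprovisioning is rate-limited too and stays within DPS limits. The
    `connect` callback is expected to resolve the hub FQDN on each call rather
    than cache an IP, because the gateway upgrade assigns new addresses."""
    outcome = ReconnectOutcome(connected=False, attempts=0, reprovisioned=0)
    for attempt in range(max_attempts):
        outcome.attempts = attempt + 1
        result = connect()
        if result.ok:
            outcome.connected = True
            return outcome
        if result.status is not None and should_reprovision(result.status):
            reprovision()            # ask DPS for a fresh hub assignment
            outcome.reprovisioned += 1
        delay = backoff_delay(attempt)
        outcome.delays.append(delay)
        sleep(delay)
    return outcome


def simulate(responses: List[ConnectResult]) -> ReconnectOutcome:
    """Drive `reconnect` over a scripted response sequence without sleeping.
    Once the script is exhausted the simulated hub keeps answering 503."""
    queue = list(responses)

    def connect() -> ConnectResult:
        return queue.pop(0) if queue else ConnectResult(ok=False, status=503)

    return reconnect(connect, reprovision=lambda: None, sleep=lambda _s: None)


if __name__ == "__main__":
    # Constructed scenario 1: throttled and transient errors during the
    # upgrade, then success; the device must not reprovision.
    print(simulate([ConnectResult(False, 503), ConnectResult(False, 429),
                    ConnectResult(False, 503), ConnectResult(True)]))
    # Constructed scenario 2: an authorization error, outside the 429/5xx set,
    # so one reprovisioning round trip through DPS is warranted.
    print(simulate([ConnectResult(False, 401), ConnectResult(True)]))
```

The design point is that backoff applies to every failed attempt, including the ones that trigger reprovisioning; otherwise a fleet that hits a non-transient error during the upgrade window would hammer DPS in a tight loop.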

Firewall rules and impact:

  • If you followed our best practices to configure your IoT Hub by using Fully Qualified Domain Name (FQDN), then no action is required.
  • If you implemented a range-based approach using IoT Hub service tags, no action is required.
  • If you restrict access based on a specific IP address for your IoT Hub, follow our best practices and move away from a static IP address. The IP address of your IoT Hub might change at any time for any reason.
  • If you cannot follow our best practices or have questions, reach out to your Azure IoT or Microsoft contacts.
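The firewall guidance above boils down to one check: any rule that pins an IoT Hub by IP address will break when the gateway's addresses change, while FQDN and service-tag rules survive. Below is an added example of that audit, not code from Microsoft; the hostname suffix `.azure-devices.net` and the `AzureIoTHub` service tag are documented Azure names, but the rule model, the region-qualified tag form `AzureIoTHub.<Region>` and the sample rule list are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# IoT Hub hostnames take the form <hubname>.azure-devices.net, and the
# AzureIoTHub service tag covers the service's address ranges. A region-qualified
# tag of the form AzureIoTHub.<Region> is assumed here, not taken from the page.
IOT_HUB_FQDN_SUFFIX = ".azure-devices.net"
IOT_HUB_SERVICE_TAG = "AzureIoTHub"


@dataclass(frozen=True)
class FirewallRule:
    name: str
    destination: str   # an FQDN, a service tag, or an IP address / CIDR


def classify_destination(destination: str) -> str:
    """Return 'ip', 'fqdn', 'service-tag' or 'other' for a rule destination."""
    dest = destination.strip()
    try:
        ipaddress.ip_network(dest, strict=False)   # accepts single IPs and CIDRs
        return "ip"
    except ValueError:
        pass
    if dest.lower().endswith(IOT_HUB_FQDN_SUFFIX):
        return "fqdn"
    if dest == IOT_HUB_SERVICE_TAG or dest.startswith(IOT_HUB_SERVICE_TAG + "."):
        return "service-tag"
    return "other"


def audit_rules(rules: List[FirewallRule]) -> List[Tuple[str, str, str]]:
    """Map each rule to (name, kind, verdict). FQDN and service-tag rules need
    no action; IP-literal rules will fail when the hub's IP address changes."""
    report = []
    for rule in rules:
        kind = classify_destination(rule.destination)
        if kind in ("fqdn", "service-tag"):
            verdict = "ok"
        elif kind == "ip":
            verdict = ("action required: replace the static IP with the hub "
                       "FQDN or the AzureIoTHub service tag")
        else:
            verdict = "review: not recognised as an IoT Hub destination"
        report.append((rule.name, kind, verdict))
    return report


def rules_needing_action(rules: List[FirewallRule]) -> List[str]:
    """Names of the rules that must change before the gateway upgrade."""
    return [name for name, _kind, verdict in audit_rules(rules)
            if verdict.startswith("action")]


# Constructed sample allow-list; 203.0.113.0/24 is a documentation-only range.
SAMPLE_RULES = [
    FirewallRule("hub-fqdn", "contoso-hub.azure-devices.net"),
    FirewallRule("hub-tag", "AzureIoTHub"),
    FirewallRule("hub-tag-region", "AzureIoTHub.WestEurope"),
    FirewallRule("hub-ip", "203.0.113.17"),
    FirewallRule("hub-cidr", "203.0.113.0/24"),
    FirewallRule("unrelated", "files.example.net"),
]

if __name__ == "__main__":
    for row in audit_rules(SAMPLE_RULES):
        print(*row, sep="  |  ")
    print("needs action:", rules_needing_action(SAMPLE_RULES))
```

Run against an export of your egress rules, the function returns exactly the rules to rewrite; anything classed `other` is worth a manual look, since an IoT Hub reached through a custom DNS alias would not match the suffix check.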

Announcement | Documentation

Azure Kubernetes Service

Preview Features
Secure shell (SSH) is an encrypted connection protocol that allows secure sign-ins over unsecured connections. SSH is the default connection protocol for Linux VMs hosted in Azure.

You can now rotate SSH keys on existing AKS node pools and no longer require a node reimage.

Announcement | Documentation

Azure Storage

General Availability
Today we are releasing the ability to encrypt storage accounts with customer-managed keys (CMK) using an Azure Key Vault hosted on a different Azure Active Directory tenant. You can use this solution to encrypt your customers’ data using an encryption key managed by your customers.

Announcement | Documentation

Azure Virtual Machines

New Features
As part of our commitment to delivering the best possible value for Azure confidential computing, we're announcing support for creating confidential VMs using Ephemeral OS disks. This enables customers running stateless workloads to benefit from trusted execution environments (TEEs). Trusted execution environments protect data being processed from access outside the trusted execution environment.

Announcement | Documentation

Azure API Management

Retiring Features
On 30 September 2023, all API versions prior to 2021-08-01 will be retired and API calls using those API versions will fail. This means you'll no longer be able to create or manage your API Management services using your existing templates, tools, scripts, and programs until they've been updated. Data operations (such as accessing the APIs or Products configured on Azure API Management) will be unaffected by this update, including after 30 September 2023.

Announcement | Documentation

Updated Features
On 30 September 2023 as part of our continuing work to increase the resiliency of API Management services, we're making the resource providers for Azure API Management zone redundant in each region. The IP address that the resource provider uses to communicate with your service will change if it's located in Switzerland North:

Old IP address: 51.107.0.91
New IP address: 51.107.246.176

This change will have no effect on the availability of your API Management service. However, you may have to take the steps described in the announcement to configure your API Management service beyond 30 September 2023.

Announcement | Documentation

Azure App Service

General Availability
With Static Web Apps, you can now configure Azure Pipelines to deploy your application to preview environments. The Azure DevOps task for Azure Static Web Apps intelligently detects and builds your app’s frontend and API and deploys the entire application to Azure. You can fully automate the testing and delivery of your software in multiple stages all the way to production.

Azure Static Web Apps provides globally distributed content hosting and serverless APIs powered by Azure Functions. It also includes everything you need to run a full-stack web app, including support for custom domains, free SSL certificates, authentication/authorization, and preview environments.

This feature is now generally available.

Announcement | Documentation

General Availability
By using .NET 7 for your entire stack, you can leverage the latest language and runtime improvements in .NET, and you can seamlessly share code between your Blazor WebAssembly app, Azure Functions, and other .NET applications.

For your app’s frontend, Static Web Apps can now automatically build and deploy .NET 7.0 Blazor WebAssembly apps. For backend APIs, you can build and deploy .NET 7.0 Azure Functions with your static web apps.

Azure Static Web Apps support for .NET 7.0 follows the .NET 7.0 lifecycle.

Announcement | Documentation

Preview Features
By using Node 18 for your app, you can leverage the latest language and runtime improvements in Node. To use Node 18 in your Azure Functions, use Functions version 4.x.

Azure Static Web Apps support for Node 18 follows the Node 18 lifecycle.

Announcement | Documentation

Azure Functions

General Availability
You can now build your serverless applications with .NET 7 runtime when running in the isolated process mode in Azure Functions v4. Apps built using this capability follow the same patterns as previous .NET versions in an isolated worker model in Functions.

Announcement | Documentation

Azure Automation

New Features
Azure Automation now supports Azure Availability zones to provide improved resiliency and reliability to the service, runbooks and other automation assets. If a zone goes down, no action is required from you to recover from the zone failure; the service remains accessible through the other available zones. The service detects that the zone is down and automatically distributes the traffic to the available zones as needed. Availability zone support for Automation accounts covers only the Process Automation feature, to provide improved resiliency for runbook automation.

In addition to high availability, you must have a disaster recovery strategy to handle a region-wide service outage or a zone-wide failure, to reduce the impact of unpredictable failure events in your environment. An important aspect of a disaster recovery plan is preparing to fail over to the Automation account replica created in advance in the secondary region, if the Automation account in the primary region becomes unavailable. Follow the detailed guidance to set up disaster recovery for Automation accounts and use the PowerShell script to migrate assets from the primary region to a secondary region of your choice.

Announcement | Documentation

Preview Features
Azure Automation now supports runbooks in the latest Runtime versions - PowerShell 7.2 and Python 3.10 in public preview. This enables creation and execution of runbooks for orchestration of management tasks. These new runtimes are currently supported only for Cloud jobs in five regions - West Central US, East US, South Africa North, North Europe, Australia Southeast. We are actively working on adding more regions to this list.

The Azure Portal experience for authoring and executing runbooks remains the same as for the previously available Runtime versions. PowerShell 7.2 and Python 3.10 can be easily selected through the dropdown menu during runbook creation.

Announcement | Documentation

Azure Active Directory

Retiring Features
Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multi-factor authentication (MFA) requests, which could cause authentications to fail for your organization.

Required action: To ensure uninterrupted authentication services and to remain in a supported state, organizations should migrate their users’ authentication data to the cloud-based Azure MFA service using the latest Migration Utility included in the most recent Azure MFA Server update.

Announcement | Documentation
