Azure security announcements - October 14th 2022

October 18, 2022

This week, there are 21 announcements related to Azure Security.

Headlines:

  • We are expanding the Azure confidential computing portfolio to enable AMD-based confidential VM node pools in AKS
  • Windows Server 2022 is now supported on AKS
  • Azure CNI Overlay mode in AKS is a new CNI network plugin that allocates pod IPs from an overlay network space, rather than from the virtual network IP space
  • Event Grid integration with AKS enables you to subscribe to Event Grid notifications and get important event notifications
  • Once a container app is Dapr-enabled in Azure Container Apps, the Dapr sidecar can make use of the container app’s identity when establishing connections to backing Azure services
  • Azure Container Apps now supports the Dapr secrets API
  • With the new Azure Container Apps Azure Monitor integration, you can choose to send your logs to Azure Monitor
  • Azure DDoS Protection lets you enable DDoS protection on an individual public IP
  • Azure DNS Private Resolver is a cloud-native, highly available, and DevOps-friendly service
  • Azure Database for PostgreSQL Flexible Server allows you to improve database security by delegating credential management and authentication to Azure AD
  • Azure Stack HCI is the Microsoft Azure Arc-enabled infrastructure and now you can download the latest feature release for your infrastructure
  • Azure Batch Certificates will be retired on 29 February 2024
  • Node 12 is only supported by Azure Functions host version 3, which is ending support on 13 December 2022.
  • With immutable vaults, Azure Backup provides an option to ensure that recovery points, once created, cannot be deleted before their intended expiry time.
  • Multi-user authorization for Azure Backup adds an additional layer of protection for critical operations on your Backup vaults
  • Enhanced soft delete provides the ability to recover your Azure Backup data in scenarios of accidental or malicious deletion
  • Azure Backup provides instant and continuous protection for the HANA System Replication setup with no need for any manual intervention
  • With planned maintenance notifications for App Service Environment v3, you can get a notification 15 days ahead of planned automatic maintenance
  • Azure App Service supports all the major Next.js features
  • Extended support for .NET Core 3.1 in Azure Static Web Apps that use Azure Functions will end on 3 December 2022

All details below.

Azure Kubernetes Service

General Availability
Azure Kubernetes Service (AKS) provides the capability for organizations to deploy containers at scale. We are expanding the Azure confidential computing portfolio to enable AMD-based confidential VM node pools in AKS, adding defense-in-depth to Azure's already hardened security profile.

With the general availability of confidential virtual machines featuring AMD 3rd Gen EPYC™ processors, with Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) security features, organizations get VMs with isolated, encrypted memory, and genuine confidentiality attestation rooted to the hardware.

AKS is now equipped to have confidential and non-confidential node pools on a single cluster. This means that applications processing sensitive data can reside in a VM-level Trusted Execution Environment (TEE) node pool with memory encryption keys generated from the chipset itself.

Confidential node pools on AKS enable a seamless transition of Linux container workloads to Azure without the overhead of changing code.

Announcement | Documentation

General Availability
Windows Server 2022 provides new features and significant improvements compared to Windows Server 2019.

With this generally available feature, Windows Server 2022 is now supported on AKS. Among other improvements related to security, Windows Server 2022 also provides several platform improvements for Windows Containers and Kubernetes. Windows Server 2022 is available for Kubernetes v1.23 and higher.

Windows Server 2019 will remain default until Kubernetes v1.25.

Announcement | Documentation

Preview Features
Azure CNI Overlay mode is a new CNI network plugin that allocates pod IPs from an overlay network space, rather than from the virtual network IP space. This greatly reduces the IP utilization of Azure CNI as compared to the default mode. This CNI plugin functions like “kubenet” mode, but does not utilize route tables and thus is simpler to set up and much more scalable.

Announcement | Documentation

General Availability
Event Grid integration with AKS enables you to subscribe to Event Grid notifications and get important event notifications. First is the ‘K8s version available’ event, which helps you to subscribe and tap into the AKS Kubernetes new version available event seamlessly.

Announcement | Documentation

Azure Container Apps

New Features
Once a container app is Dapr-enabled, the Dapr sidecar can make use of the container app’s identity when establishing connections to backing Azure services. By using the Managed Identity approach, Dapr components for Azure services can be created without any secret values. Keep in mind, Dapr components can be shared by multiple apps in a container apps environment, therefore scopes should be used to prevent apps without proper permissions from attempting to load a component at runtime.

Announcement | Documentation

New Features
Azure Container Apps now supports the Dapr secrets API. The Dapr secrets management building block works with various pluggable secret store components and removes the need for Dapr-enabled Container Apps to take direct dependencies on secret store libraries.
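The two points above, the managed identity approach and component scopes, and the Key Vault secret store, shown as an added example that is not from the announcement or from the Azure docs; it uses the Azure Container Apps Dapr component YAML format, and the vault name, tenant/client IDs and app names are placeholders. Two component definitions are shown together, the weak form followed by the hardened one (each would normally be its own file).

```yaml
# Before (constructed example): a service-principal secret is stored inside the
# component, and with no scopes every Dapr-enabled app in the environment can load it.
componentType: secretstores.azure.keyvault
version: v1
metadata:
- name: vaultName
  value: kv-placeholder                          # placeholder Key Vault name
- name: azureTenantId
  value: 00000000-0000-0000-0000-000000000000    # placeholder tenant ID
- name: azureClientId
  value: 11111111-1111-1111-1111-111111111111    # placeholder service principal app ID
- name: azureClientSecret
  secretRef: sp-secret
secrets:
- name: sp-secret
  value: "<SERVICE_PRINCIPAL_SECRET>"            # the secret value to eliminate
# (no scopes section: any app in the environment may attempt to load this component)
---
# After: the container app's managed identity authenticates to Key Vault, so the
# component holds no secret values, and scopes restrict which apps may load it.
componentType: secretstores.azure.keyvault
version: v1
metadata:
- name: vaultName
  value: kv-placeholder                          # same placeholder vault
- name: azureClientId
  value: 22222222-2222-2222-2222-222222222222    # client ID of a user-assigned identity (placeholder);
                                                 # omit this entry to use the app's system-assigned identity
scopes:
- orders-api                                     # placeholder app names allowed to load the component
- billing-worker
```

The identity named in the hardened component must also be granted read access to secrets on the vault; apps not listed under scopes do not see the component at all.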

Announcement | Documentation

Preview Features
By default, all logs are sent to Log Analytics. With the new Azure Container Apps Azure Monitor integration, you can choose to send your logs to Azure Monitor and then configure where to send the logs. Azure storage, Event Hubs, and partner solutions are all new destinations you can leverage.

Announcement | Documentation

Azure DDoS Protection

Preview Features
IP Protection is designed with SMBs in mind and delivers enterprise-grade, cost-effective DDoS protection.

Instead of enabling DDoS protection on a per virtual network basis, including all public IP resources associated with resources in those virtual networks, you now have the flexibility to enable DDoS protection on an individual public IP.

The existing standard SKU of Azure DDoS Protection will now be known as Network Protection.

IP Protection includes the same features as Network Protection, but Network Protection also includes the following value-added services: DDoS Rapid Response support, cost protection, integration with Azure Firewall Manager, and discounts on Azure Web Application Firewall.

Billing for IP Protection will be effective starting February 1, 2023.

Announcement | Documentation

Azure DNS

General Availability
Azure DNS Private Resolver is a cloud-native, highly available, and DevOps-friendly service. It provides a simple, zero-maintenance, reliable, and secure DNS service to resolve and conditionally forward DNS queries from a virtual network, on-premises, and to other target DNS servers without the need to create and manage a custom DNS solution. Resolve DNS names hosted in Azure Private DNS Zones from on-premises networks as well as DNS queries for your own domain names. This will make your DNS infrastructure work privately and seamlessly across on-premises networks and enable key hybrid networking scenarios.

Announcement | Documentation

Azure Database for PostgreSQL

Preview Features
Azure Active Directory authentication for Azure Database for PostgreSQL - Flexible Server allows you to improve database security by delegating credential management and authentication to a centralized identity provider. Azure Active Directory supports advanced security features such as second-factor authentication options, password lifecycle management, applications and managed identities, and conditional access. Azure Active Directory for Azure Database for PostgreSQL – Flexible Server now provides full support for managed identities, improved group roles, support for invited users, and an Azure Active Directory-only authentication mode with the ability to disable local user support.

Announcement | Documentation

Azure Stack

General Availability
Azure Stack HCI is the Microsoft Azure Arc-enabled infrastructure. Now, customers who have an Azure Stack HCI subscription can download the latest feature release for their infrastructure. The benefits of this new feature release are multifaceted and deliver better security, versatility, and performance for customers' Arc-enabled infrastructure. Some of the key new features include general availability of GPU-P, Network ATC v2, and SR w/Compression. Additionally, for Windows Server Datacenter, customers with Software Assurance (SA) can now get Azure Stack HCI at no additional cost.

Announcement | Documentation

Azure Batch

Retiring Features
As part of our efforts to modernize Batch to use the latest standard and secure Azure technologies and to improve composability with other offerings in the Azure ecosystem, we’ll retire Batch Certificates on 29 February 2024. Please transition to Azure Key Vault as soon as possible to more quickly realize the security and composability benefits.

Announcement | Documentation

Azure Functions

Retiring Features
Node 12 is only supported by Azure Functions host version 3, which is ending support on 13 December 2022. Node 12 also reached the end of community support on 30 April 2022.

As such, we recommend that developers update their functions apps to use Azure Functions host version 4 and Node 16. The Functions service will continue to run applications that are running Node 12 beyond 13 December 2022, but customers will be asked to upgrade to Node 16 if they need support.

Required action: To avoid potential service disruption and security vulnerabilities in your applications, update your Functions applications to use runtime version 4.x and Node 16 before 13 December 2022.

Announcement | Documentation

Azure Backup

Preview Features
With immutable vaults, Azure Backup provides an option to ensure that recovery points, once created, cannot be deleted before their intended expiry time. Azure Backup does this by preventing any operations which could lead to loss of backup data. Hence, this helps you protect your backups against threats like ransomware attacks and malicious actors by disallowing operations such as deleting backups or reducing retention in backup policies.

Immutable vaults are now in preview in selected regions and will be available in other regions in the coming weeks.

Announcement | Documentation

Preview Features
Multi-user authorization (MUA) for Backup adds an additional layer of protection for critical operations on your Backup vaults, providing greater security for your backups. To provide multi-user authorization, Backup uses a resource guard to ensure critical operations are performed with proper authorization, similar to how multi-user authorization currently works for Recovery Services vaults.

The backup administrator, who typically owns the Backup vault, needs to gain the contributor role on the resource guard to be able to perform the protected operations. This requires action from the owner of the resource guard to approve and grant the required access. You can also use Azure Active Directory Privileged Identity Management to manage just-in-time access on the resource guard. Additionally, you can create the resource guard in a subscription or a tenant different from the one that has the recovery services vault, to achieve maximum isolation.

Announcement | Documentation

Preview Features
Enhanced soft delete improves upon Azure Backup's existing soft delete capability to provide the ability to recover your backup data in scenarios of accidental or malicious deletion. With enhanced soft delete, you get the ability to make soft delete irreversible, which protects soft delete from being disabled by any malicious actors. Hence, enhanced soft delete provides better protection for your backups against various threats. Enhanced soft delete also allows you to provide a customizable soft delete retention period for which soft deleted data must be retained.

Enhanced soft delete is now in preview for recovery services vaults as well as Backup vaults in selected regions and will be available in other regions in the following weeks.

Announcement | Documentation

Preview Features
Azure Backup protects your HANA databases in Azure Virtual Machines with a backint certified, streaming database backup solution. Earlier, if your HANA database had HANA System Replication as its disaster recovery (DR) solution, then after every failover, manual intervention was required to enable backups. Now, with this new feature in preview, you get:

  • Instant and continuous protection for the HANA System Replication setup with no need for any manual intervention.
  • No mandatory full backups after every failover which decreases your backup storage cost.
  • A single backup chain which makes recovery easier and cost effective.

Announcement | Documentation

Preview Features
Azure Backup protects your HANA databases in Azure Virtual Machines with a backint certified, streaming database backup solution. As databases grow in size, especially for large to very large databases (> 6 – 8 TB), a streaming solution alone may not be enough to meet your recovery time objective (RTO) requirements during backup and restore. Now, Azure Backup has upgraded the backint streaming solution with a HANA Instance consistent snapshot to provide you an integrated HANA backup solution with the fastest RTO.

  • Instant backup with HANA frozen for just a few seconds.
  • Instant restore with disks created from the snapshot and attached to the target VM.
  • Cost efficiency by leveraging managed disk incremental snapshots.
  • A single solution which manages all components (HANA database, underlying file system, managed disks) during backup and restores the entire HANA instance with point-in-time log restore over snapshots.

Announcement | Documentation

Azure App Service

Preview Features
With planned maintenance notifications for App Service Environment v3, you can get a notification 15 days ahead of planned automatic maintenance and start the maintenance when it is convenient for you. This feature allows you to reduce the potential for service interruptions by giving you notice and allowing you to prepare for and set when maintenance will occur.

Announcement | Documentation

Preview Features
We’re adding support for all the major Next.js features, including server-side rendering (SSR), incremental static regeneration (ISR), image optimization, API routes, and many more.

Next.js is a React framework for building fast and SEO-friendly web applications. It includes tooling and configuration needed for React and lets you build hybrid websites. With Next.js, you can render your content in different ways - pre-render some pages at build time with static site generation, render pages at request time with server-side rendering, and update or create content at runtime with incremental static regeneration.

Azure Static Web Apps provides globally distributed content hosting and serverless APIs powered by Azure Functions. It also includes everything you need to run a full-stack web app, including support for custom domains, free SSL certificates, authentication/authorization, and preview environments.

Announcement | Documentation

Retiring Features
.NET Core 3.1 will reach the end of support on 13 December 2022. As a result, extended support for .NET Core 3.1 in Azure Static Web Apps that use Azure Functions will end on 3 December 2022. After this date, your existing static web apps that use Azure Functions will continue to work, but security patches and customer service for .NET Core 3.1 will no longer be provided.

Azure Functions announced their end of support for .NET Core 3.1 in March 2022. Since the managed functions hosted by Azure Static Web Apps run on Azure Functions, we recommend you update your functions applications to runtime version 4.x, which uses .NET 6.

.NET 6 is the latest version with long-term support and provides these enhancements:

  • A unified set of base libraries and an SDK that makes it easy to share code across any application type.
  • Simplified development with new C# 10 features and minimal APIs.
  • Hot reload that allows you to make code changes without explicit recompiling.

Announcement | Documentation
