Azure security announcements - October 28th 2022

November 04, 2022

This week, there are 20 announcements related to Azure Security.

Headlines:

  • Node 16 LTS support is ending on 11 September 2023
  • Any applications hosted on Azure App Service that are still using PHP 8.0 will not be supported after 26 November 2023
  • Automatic Extension upgrade is now generally available for Arc enabled Servers using eligible VM extensions
  • The option to store the backup of the workloads protected by Azure Backup in zone redundant vaults is generally available
  • Container Apps can now communicate over a custom TCP port and expose a TCP port externally
  • Azure Cosmos DB for MongoDB now offers a built-in role-based access control (RBAC)
  • Azure Data Explorer now supports ingestion of data from many receivers via the OpenTelemetry exporter
  • Azure DNS Private Resolver enables you to query Azure DNS private zones from an on-premises environment and vice versa without deploying virtual machine-based DNS servers
  • Node 12 is only supported by Azure Functions host version 3, which is ending support on 13 December 2022
  • Mariner is an open-source Linux distribution created by Microsoft and is now available for preview as a container host on Azure Kubernetes Service (AKS)
  • AKS now supports Kubernetes version 1.25 in public preview
  • Azure Service Operator (ASO) makes it easy to manage databases and connections
  • Image cleaner helps to detect and automatically remove all unused and vulnerable images cached on AKS nodes keeping the nodes cleaner and safer
  • Azure Load Testing now enables you to authenticate to application endpoints which require a client certificate for authentication
  • The HITRUST common security framework (CSF) provides organizations globally a comprehensive, flexible, and efficient approach to regulatory and standards compliance and risk management
  • With the latest release of Azure Monitor OpenTelemetry packages for .NET, Node.js, and Python, we continue to build on OpenTelemetry’s vendor-neutral APIs/SDKs, introducing new capabilities
  • Role assignment conditions using request and resource attributes on Blobs, ADLS Gen2 and storage queues for standard storage accounts are generally available
  • SSH File Transfer Protocol (SFTP) support for Azure Blob Storage is now generally available
  • Azure Virtual WAN (vWAN) brings networking, security, and routing functionalities together to provide a single operational interface
  • The ability to bring your own public IP ranges is now available in all US Government regions

All details below.

Azure App Services

Retiring Features
Node 16 LTS support is ending on 11 September 2023. Any applications hosted on Azure App Service that are still using it won't be supported after this. After 11 September 2023, your applications will continue to run unchanged but won't receive any patches.

Announcement | Documentation

Retiring Features
Because PHP 8.0 extended support will end on 26 November 2023, any applications hosted on Azure App Service that are still using it will not be supported after 26 November 2023. Your applications will continue to run unchanged but won't receive any patches after 26 November 2023, since PHP will no longer be providing them for this version.

Announcement | Documentation

Azure ARC

Updated Features
Automatic Extension Upgrade is now generally available for Arc-enabled servers using eligible VM extensions. With this release we are adding support for the Azure portal, PowerShell and the CLI, as well as automatic rollback of failed upgrades. With automatic rollback, Azure Arc minimizes the service impact of a failed upgrade and maintains high service availability. The Azure portal, PowerShell and the CLI let you view the extensions enabled for automatic upgrade and opt in or out as required. We have also fixed several bugs, significantly improving the upgrade success rate and further improving service availability.

Announcement | Documentation

Azure Backup

General Availability
The option to store the backup of the workloads protected by Azure Backup in zone redundant vaults is generally available. When you configure the protection of a resource with the zone-redundant storage (ZRS) vault, the backups replicate synchronously across three availability zones in a region. It enables you to perform successful restores and recover your data even if a zone goes down. For organizations governed by the compliance requirement of data not crossing the regional boundary, zone-redundant storage is the right and preferred choice for backups. With the general availability of this feature, you have a broader set of redundancy or storage replication options to choose from for your backup data. Based on your data residency, data resiliency, and total cost of ownership (TCO) requirements, you can select either locally redundant storage (LRS), zone-redundant storage (ZRS), or geo-redundant storage (GRS).

Announcement | Documentation

Azure Container Apps

Preview Features
With this feature, currently in public preview, container apps can communicate over a custom TCP port. Additionally, a container app can expose a TCP port externally.

Announcement | Documentation

Azure CosmosDB

General Availability
Azure Cosmos DB for MongoDB now offers built-in role-based access control (RBAC) that allows you to authorize your data requests with a fine-grained, role-based permission model. Users and roles residing within your database can be managed using the Azure CLI, Azure PowerShell, or Azure Resource Manager. With this feature, you can audit each user's actions via the Azure Cosmos DB diagnostic logs. Using RBAC gives you more options for control, security, and auditability of your database account data.

Announcement | Documentation

Azure Data Explorer

New Features
Azure Data Explorer now supports ingestion of data from many receivers via the OpenTelemetry exporter. OpenTelemetry (OTel) is a vendor-neutral open-source observability framework for instrumenting, generating, collecting, and exporting telemetry data such as traces, metrics, and logs.
We are releasing the Azure Data Explorer OpenTelemetry exporter, which supports ingestion of data from many receivers into Azure Data Explorer, allowing you to instrument, generate, collect, and store data using a vendor-neutral open-source framework.

Announcement | Documentation

Azure DNS

General Availability
Azure DNS Private Resolver enables you to query Azure DNS private zones from an on-premises environment and vice versa without deploying virtual machine-based DNS servers. Azure DNS Private Resolver now provides a fully managed recursive resolution and conditional forwarding service for Azure virtual networks. Using this service, you can resolve DNS names hosted in Azure DNS private zones from on-premises networks, and DNS queries originating from Azure virtual networks can be forwarded to a specified destination server for resolution. This service provides a highly available and resilient DNS infrastructure on Azure for a fraction of the price of running traditional IaaS VMs as DNS servers in virtual networks. You can seamlessly integrate with Private DNS Zones and unlock key scenarios with minimal operational overhead.

Announcement | Documentation

Azure Functions

Retiring Features
Node 12 is only supported by Azure Functions host version 3, which is ending support on 13 December 2022. Node 12 also reached the end of community support on 30 April 2022.
As such, we recommend that developers update their function apps to use Azure Functions host version 4 and Node 16. The Functions service will continue to run applications that are running Node 12 beyond 13 December 2022, but customers will be asked to upgrade to Node 16 if they need support.

Announcement | Documentation

Azure Kubernetes Service

Preview Features
Mariner is an open-source Linux distribution created by Microsoft and is now available for preview as a container host on Azure Kubernetes Service (AKS). Optimized for AKS, the Mariner container host provides reliability and consistency from cloud to edge across the AKS, AKS-HCI, and Arc products. You can deploy Mariner node pools in a new cluster, add Mariner node pools to your existing Ubuntu clusters, or migrate your Ubuntu nodes to Mariner nodes. The Mariner container host on AKS uses a native AKS image that provides one place to do all Linux development. Every package is built from source and is validated, ensuring your services run on proven components. Mariner is lightweight, only including the necessary set of packages needed to run container workloads. It provides a reduced attack surface and eliminates patching and maintenance of unnecessary packages. At Mariner's base layer, it has a Microsoft hardened kernel tuned for Azure.

Announcement | Documentation

Preview Features
AKS now supports Kubernetes version 1.25 in public preview. Kubernetes version 1.25 includes 40 enhancements as well as some major updates. These include the removal of PodSecurityPolicy and the graduation of Pod Security Admission to Stable.

Announcement | Documentation

Preview Features
Azure Service Operator (ASO) makes it easy to manage databases and connections. This integration makes it easy to create a database (for example Cosmos DB), a managed identity, and use that managed identity for your service deployed in Kubernetes, all in a single YAML deployment. This eliminates the need for manual configuration such as retrieval of clientIds or objectIds. You can also easily scale to multiple identities with multiple ServiceAccounts if desired. There's also no need to roll over credentials over time.

Announcement | Documentation

Preview Features
It's common to use pipelines to build and deploy images on Azure Kubernetes Service (AKS) clusters. This process often doesn't account for the stale images left behind and can lead to image bloat on cluster nodes. These images can present security issues as they may contain vulnerabilities. With image cleaner, we can detect and automatically remove all unused and vulnerable images cached on AKS nodes keeping the nodes cleaner and safer.

Announcement | Documentation

Azure Load Testing

Preview Features
Azure Load Testing now enables you to authenticate to application endpoints which require a client certificate for authentication. You can use your certificate stored in Azure Key Vault along with your load tests.

Announcement | Documentation

Security Updates
We're committed to helping you meet your compliance obligations across regulated industries and markets worldwide. The HITRUST common security framework (CSF) provides organizations globally a comprehensive, flexible, and efficient approach to regulatory and standards compliance and risk management.

Announcement | Documentation

Azure Monitor

Preview Features
Azure Monitor Application Insights is a cloud native application monitoring offering which enables customers to observe failures, bottlenecks, and usage patterns to resolve incidents faster and reduce downtime. With the latest release of Azure Monitor OpenTelemetry packages for .NET, Node.js, and Python, we continue to build on OpenTelemetry’s vendor-neutral APIs/SDKs, introducing new capabilities in four areas:

  • Metrics
    OpenTelemetry-based metrics now flow to Application Insights. This includes metrics emitted by dozens of available OpenTelemetry Instrumentation Libraries or custom metrics you create using OpenTelemetry APIs. You can alert on user behavior that matters to your business, such as an "add to shopping cart" operation.
  • Sampling
    Sampling empowers you to better optimize cost. The custom sampler uses a sampling algorithm that populates an "itemCount" field that corrects for sampled-out events. You can use it alongside existing Application Insights SDKs and traces will be preserved.
  • Exceptions
    Exception capture and correlation is available both when automatically collected by OpenTelemetry Instrumentation Libraries and when added manually to a span as a span event. For example, if your app calls out to a database and fails, we capture the details and associate them with the relevant trace for end-to-end troubleshooting.
  • Resiliency
    Azure Monitor Exporters now include offline storage and automatic retries to minimize data loss in the event your service loses its connection with Application Insights, or the Application Insights service is temporarily unavailable.

Announcement | Documentation

Azure Storage

General Availability
Attribute-based access control (ABAC) is an authorization strategy that defines access levels based on attributes associated with security principals, resources, and requests. Azure ABAC builds on role-based access control (RBAC) by adding conditions to Azure role assignments in the existing identity and access management (IAM) system. This release makes generally available role assignment conditions using request and resource attributes on Blobs, ADLS Gen2 and storage queues for standard storage accounts.

Role-assignment conditions enable finer-grained access control for storage resources. They can also be used to simplify hundreds of role assignments for a storage resource. This release enables you to author conditions for storage DataActions and can be used with built-in or custom roles.

Note: Azure ABAC using request and resource attributes for premium storage accounts and principal attributes for standard and premium storage accounts remains in preview.
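As an added example (not part of the announcement), the following PowerShell assigns the built-in Storage Blob Data Reader role on a standard storage account with a condition that limits blob reads to one container and one blob-path prefix, using only resource attributes; the subscription, resource group, account, container, path and object ID are placeholders.

```powershell
# Added example, not Microsoft's own code. Placeholder identifiers throughout.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$resourceGroup  = "rg-example"                             # placeholder
$storageAccount = "stexample"                              # placeholder (standard account)
$principalId    = "11111111-1111-1111-1111-111111111111"   # placeholder object ID

# Conditions are attached to a role assignment at a scope; here the whole account.
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
         "/providers/Microsoft.Storage/storageAccounts/$storageAccount"

# Condition (version 2.0 syntax). Reading: any DataAction the role grants other
# than blob read is unaffected; a blob read is allowed only when the container
# name and blob path resource attributes both match. Only @Resource attributes
# are used, which the announcement marks GA for standard accounts; @Principal
# attributes and premium accounts remain in preview per the note above.
$condition = @'
(
 (
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})
 )
 OR
 (
  @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'audit-logs'
  AND
  @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringStartsWith 'prod/'
 )
)
'@

# One conditional assignment replaces a per-container or per-prefix sprawl of
# unconditional assignments.
New-AzRoleAssignment -ObjectId $principalId `
    -RoleDefinitionName "Storage Blob Data Reader" `
    -Scope $scope `
    -Condition $condition `
    -ConditionVersion "2.0"

# Check: the condition should be stored with the assignment. An empty Condition
# means the role was granted unconditionally across the whole account.
Get-AzRoleAssignment -ObjectId $principalId -Scope $scope |
    Select-Object RoleDefinitionName, Scope, ConditionVersion, Condition
```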

Announcement | Documentation

General Availability
SSH File Transfer Protocol (SFTP) support for Azure Blob Storage is now generally available. Azure Blob Storage now supports SFTP, enabling you to leverage object storage economics and features for your SFTP workloads. With just one click, you can provision a fully managed, highly scalable SFTP endpoint for your storage account. This expands Blob Storage’s multi-protocol access capabilities and eliminates data silos – meaning you can run different applications, requiring different protocols, on a single storage platform with no code changes.

Announcement | Documentation

Azure Virtual Network

New Features
Today we are excited to make announcements in multiple areas of Azure Virtual WAN (vWAN), a networking-as-a-service offering that brings networking, security, and routing functionalities together to provide a single operational interface. As enterprises increasingly adopt the cloud while reducing their costs, IT teams looking to consolidate, accelerate, or even revamp their wide area network should consider Azure Virtual WAN. You don't need to have all these use cases to start using Virtual WAN; you can get started with just one. With ease of use and simplicity built in, vWAN is a one-stop shop to connect, protect, route traffic, and monitor your wide area network. The following areas have key announcements:

  • Remote user connectivity (also known as point-to-site VPN).
  • Routing.
  • Branch connectivity (also known as site-to-site VPN).
  • Private connectivity (also known as ExpressRoute).
  • Third-Party Network Virtual Appliance Integrations.

Announcement | Documentation

Region Updates
The ability to bring your own public IP ranges is now available in all US Government regions.

Additionally: You can now bring your own IPv6 ranges to Azure. These ranges must be a /48 size and can be split into multiple regional /64 ranges, of which a subset of IPs can be used as Public IP Prefixes. A regional commissioning feature now allows you to advertise a range internally within an Azure region prior to full global advertisement to the Internet, easing the migration process for a range that is already live outside of Azure.

Announcement | Documentation
