Azure security announcements - October 28th 2022
This week, there are 20 announcements related to Azure Security.
Headlines:
- Node 16 LTS support is ending on 11 September 2023
- Any applications hosted on Azure App Service that are still using PHP 8.0 will not be supported after 26 November 2023
- Automatic Extension upgrade is now generally available for Arc enabled Servers using eligible VM extensions
- The option to store the backup of the workloads protected by Azure Backup in zone redundant vaults is generally available
- Container Apps can now communicate over a custom TCP port and expose a TCP port externally
- Azure Cosmos DB for MongoDB now offers a built-in role-based access control (RBAC)
- Azure Data Explorer now supports ingestion of data from many receivers via the OpenTelemetry exporter
- Azure DNS Private Resolver enables you to query Azure DNS private zones from an on-premises environment and vice versa without deploying virtual machine-based DNS servers
- Node 12 is only supported by Azure Functions host version 3, which is ending support on 13 December 2022
- Mariner is an open-source Linux distribution created by Microsoft and is now available for preview as a container host on Azure Kubernetes Service (AKS)
- AKS now supports Kubernetes version 1.25 in public preview
- ASO makes it easy to manage databases and their connections from Kubernetes
- Image cleaner helps to detect and automatically remove all unused and vulnerable images cached on AKS nodes keeping the nodes cleaner and safer
- Azure Load Testing now enables you to authenticate to application endpoints which require a client certificate for authentication
- The HITRUST common security framework (CSF) provides organizations globally a comprehensive, flexible, and efficient approach to regulatory and standards compliance and risk management
- With the latest release of Azure Monitor OpenTelemetry packages for .NET, Node.js, and Python, we continue to build on OpenTelemetry’s vendor-neutral APIs/SDKs, introducing new capabilities
- Role assignment conditions using request and resource attributes on Blobs, ADLS Gen2 and storage queues for standard storage accounts are generally available
- SSH File Transfer Protocol (SFTP) support for Azure Blob Storage is now generally available
- Azure Virtual WAN (vWAN) brings networking, security, and routing functionalities together to provide a single operational interface
- The ability to bring your own public IP ranges is now available in all US Government regions
All details below.
Azure App Services
Retiring Features
Node 16 LTS support is ending on 11 September 2023. Any applications hosted on Azure App Service that are still using it won't be supported after this. After 11 September 2023, your applications will continue to run unchanged but won't receive any patches.
Retiring Features
Because PHP 8.0 extended support will end on 26 November 2023, any applications hosted on Azure App Service that are still using it will not be supported after 26 November 2023.
Your applications will continue to run unchanged but won't receive any patches after 26 November 2023, since PHP will no longer be providing them for this version.
Azure ARC
Updated Features
Automatic Extension upgrade is now generally available for Arc enabled Servers using eligible VM extensions. With this release we are adding support for the Azure portal, PowerShell, CLI, and automatic rollback of failed upgrades. With auto rollback, Azure Arc can minimize the service impact of a failed upgrade and maintain high service availability. The Azure portal, PowerShell, and CLI let you view the extensions enabled for auto upgrade and opt in or out as required. We have also fixed a few bugs, significantly improving the upgrade success rate and further improving service availability.
Azure Backup
General Availability
The option to store the backup of the workloads protected by Azure Backup in zone redundant vaults is generally available. When you configure the protection of a resource with the zone-redundant storage (ZRS) vault, the backups replicate synchronously across three availability zones in a region. It enables you to perform successful restores and recover your data even if a zone goes down. For organizations governed by the compliance requirement of data not crossing the regional boundary, zone-redundant storage is the right and preferred choice for backups.
With the general availability of this feature, you have a broader set of redundancy or storage replication options to choose from for your backup data. Based on your data residency, data resiliency, and total cost of ownership (TCO) requirements, you can select either locally redundant storage (LRS), zone-redundant storage (ZRS), or geo-redundant storage (GRS).
Azure Container Apps
Preview Features
With this feature, currently in public preview, container apps can communicate over a custom TCP port. Additionally, a container app can expose a TCP port externally.
Azure CosmosDB
General Availability
Azure Cosmos DB for MongoDB now offers a built-in role-based access control (RBAC) that allows you to authorize your data requests with a fine-grained, role-based permission model. Users and roles residing within your database can be managed using the Azure CLI, Azure PowerShell, or Azure Resource Manager. With this feature, you can audit each user’s actions via the Azure Cosmos DB diagnostic logs. Using this RBAC gives you more options for controlling, securing, and auditing access to the data in your database account.
Azure Data Explorer
New Features
Azure Data Explorer now supports ingestion of data from many receivers via the OpenTelemetry exporter.
OpenTelemetry (OTel) is a vendor-neutral open-source observability framework for instrumenting, generating, collecting, and exporting telemetry data such as traces, metrics, and logs.
We are releasing the Azure Data Explorer OpenTelemetry exporter, which supports ingestion of data from many receivers into Azure Data Explorer, allowing you to instrument, generate, collect, and store data using a vendor-neutral open-source framework.
Azure DNS
General Availability
Azure DNS Private Resolver enables you to query Azure DNS private zones from an on-premises environment and vice versa without deploying virtual machine-based DNS servers. Azure DNS Private Resolver now provides a fully managed recursive resolution and conditional forwarding service for Azure virtual networks. Using this service, you can resolve DNS names hosted in Azure DNS private zones from on-premises networks, and DNS queries originating from Azure virtual networks can be forwarded to a specified destination server for resolution.
This service will provide a highly available and resilient DNS infrastructure on Azure for a fraction of the price of running traditional IaaS VMs running DNS servers in virtual networks. You will be able to seamlessly integrate with Private DNS Zones and unlock key scenarios with minimal operational overhead.
Azure Functions
Retiring Features
Node 12 is only supported by Azure Functions host version 3, which is ending support on 13 December 2022. Node 12 also reached the end of community support on 30 April 2022.
As such, we recommend that developers update their function apps to use Azure Functions host version 4 and Node 16. The Functions service will continue to run applications that are running Node 12 beyond 13 December 2022, but customers will be asked to upgrade to Node 16 if they need support.
Azure Kubernetes Service
Preview Features
Mariner is an open-source Linux distribution created by Microsoft and is now available for preview as a container host on Azure Kubernetes Service (AKS).
Optimized for AKS, the Mariner container host provides reliability and consistency from cloud to edge across the AKS, AKS-HCI, and Arc products. You can deploy Mariner node pools in a new cluster, add Mariner node pools to your existing Ubuntu clusters, or migrate your Ubuntu nodes to Mariner nodes.
The Mariner container host on AKS uses a native AKS image that provides one place to do all Linux development. Every package is built from source and is validated, ensuring your services run on proven components. Mariner is lightweight, only including the necessary set of packages needed to run container workloads. It provides a reduced attack surface and eliminates patching and maintenance of unnecessary packages. At Mariner's base layer, it has a Microsoft hardened kernel tuned for Azure.
Preview Features
AKS now supports Kubernetes version 1.25 in public preview. Kubernetes version 1.25 includes 40 enhancements as well as some major updates. These include the removal of PodSecurityPolicy and the graduation of Pod Security Admission to Stable.
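Because PodSecurityPolicy is removed in 1.25, a cluster that relied on it needs namespace-level Pod Security Admission labels before the upgrade. The following is an added example, not part of the announcement or of AKS's own tooling; it assumes kubectl on PATH pointing at the cluster, and the namespace name is a placeholder.

```powershell
# Added example (not from the announcement): preview and then enforce Pod Security
# Admission on a namespace once PodSecurityPolicy is gone in Kubernetes 1.25.
# Assumes kubectl is on PATH and targets the cluster; 'payments' is a placeholder namespace.
$ns = "payments"

# Server-side dry run: the API server evaluates the namespace's existing pods against
# the 'restricted' profile and returns a warning per violation without changing anything.
kubectl label --dry-run=server --overwrite namespace $ns `
    pod-security.kubernetes.io/enforce=restricted

# Staged rollout: warn and audit at 'restricted' while only enforcing 'baseline', so
# violations surface in kubectl warnings and audit logs before they block pod creation.
kubectl label --overwrite namespace $ns `
    pod-security.kubernetes.io/enforce=baseline `
    pod-security.kubernetes.io/warn=restricted `
    pod-security.kubernetes.io/audit=restricted

# List namespaces that still have no enforce label (these admit any pod spec).
kubectl get namespaces -o json | ConvertFrom-Json |
    ForEach-Object { $_.items } |
    Where-Object { -not $_.metadata.labels.'pod-security.kubernetes.io/enforce' } |
    ForEach-Object { $_.metadata.name }
```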
Preview Features
ASO makes it easy to manage databases and their connections from Kubernetes.
This integration makes it easy to create a database (for example CosmosDB), a managed identity, and use that managed identity for your service deployed in Kubernetes, all in a single YAML deployment.
This eliminates the need for manual configuration such as retrieval of clientIds or objectIds. You can also easily scale to multiple identities with multiple ServiceAccounts if desired. There’s also no need to rollover credentials over time.
Preview Features
It's common to use pipelines to build and deploy images on Azure Kubernetes Service (AKS) clusters. This process often doesn't account for the stale images left behind and can lead to image bloat on cluster nodes. These images can present security issues as they may contain vulnerabilities.
With image cleaner, we can detect and automatically remove all unused and vulnerable images cached on AKS nodes keeping the nodes cleaner and safer.
Azure Load Testing
Preview Features
Azure Load Testing now enables you to authenticate to application endpoints which require a client certificate for authentication. You can use your certificate stored in Azure Key Vault along with your load tests.
Security Updates
We’re committed to helping you meet your compliance obligations across regulated industries and markets worldwide. The HITRUST common security framework (CSF) provides organizations globally with a comprehensive, flexible, and efficient approach to regulatory and standards compliance and risk management.
Azure Monitor
Preview Features
Azure Monitor Application Insights is a cloud native application monitoring offering which enables customers to observe failures, bottlenecks, and usage patterns to resolve incidents faster and reduce downtime.
With the latest release of Azure Monitor OpenTelemetry packages for .NET, Node.js, and Python, we continue to build on OpenTelemetry’s vendor-neutral APIs/SDKs, introducing new capabilities in four areas:
- Metrics: OpenTelemetry-based metrics now flow to Application Insights. This includes metrics emitted by dozens of available OpenTelemetry Instrumentation Libraries or custom metrics you create using OpenTelemetry APIs. You can alert on user behavior that matters to your business, such as an “add to shopping cart” operation.
- Sampling: Sampling empowers you to better optimize cost. The custom sampler uses a sampling algorithm that populates an “itemCount” field that corrects for sampled-out events. You can use it alongside existing Application Insights SDKs and traces will be preserved.
- Exceptions: Exception capture and correlation is available both when automatically collected by OpenTelemetry Instrumentation Libraries and when added manually to a span as a span event. For example, if your app calls out to a database and fails, we capture the details and associate them with the relevant trace for end-to-end troubleshooting.
- Resiliency: Azure Monitor Exporters now include offline storage and automatic retries to minimize data loss in the event your service loses its connection with Application Insights, or the Application Insights service is temporarily unavailable.
Azure Storage
General Availability
Attribute-based access control (ABAC) is an authorization strategy that defines access levels based on attributes associated with security principals, resources, and requests. Azure ABAC builds on role-based access control (RBAC) by adding conditions to Azure role assignments in the existing identity and access management (IAM) system. This release makes generally available role assignment conditions using request and resource attributes on Blobs, ADLS Gen2 and storage queues for standard storage accounts.
Role-assignment conditions enable finer-grained access control for storage resources. They can also be used to simplify hundreds of role assignments for a storage resource. This release enables you to author conditions for storage DataActions and can be used with built-in or custom roles.
Note: Azure ABAC using request and resource attributes for premium storage accounts and principal attributes for standard and premium storage accounts remains in preview.
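What a role-assignment condition looks like in practice, as an added example that is not part of the announcement: a Storage Blob Data Reader assignment narrowed with a resource-attribute condition so that blob reads succeed only in one container. It assumes the Az.Resources module and a signed-in session; the object ID, subscription path and container name are placeholders.

```powershell
# Added example (not from the announcement). Assumes Az.Resources is installed and you
# are signed in; the object ID, scope path and container name are placeholders.
$principalObjectId = "<object-id-of-user-or-service-principal>"
$scope = "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<account>"

# Condition (version 2.0 syntax): DataActions other than blob read are unaffected;
# blob read is permitted only when the container is named 'audit-logs'.
$condition = @"
(
 (
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})
 )
 OR
 (
  @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'audit-logs'
 )
)
"@

New-AzRoleAssignment -ObjectId $principalObjectId `
    -RoleDefinitionName "Storage Blob Data Reader" `
    -Scope $scope `
    -Condition $condition `
    -ConditionVersion "2.0"

# Review which assignments on the account carry a condition; those without one grant
# the role unconditionally across every container in the account.
Get-AzRoleAssignment -Scope $scope |
    Select-Object DisplayName, RoleDefinitionName, Condition
```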
General Availability
SSH File Transfer Protocol (SFTP) support for Azure Blob Storage is now generally available.
Azure Blob Storage now supports SFTP, enabling you to leverage object storage economics and features for your SFTP workloads. With just one click, you can provision a fully managed, highly scalable SFTP endpoint for your storage account. This expands Blob Storage’s multi-protocol access capabilities and eliminates data silos – meaning you can run different applications, requiring different protocols, on a single storage platform with no code changes.
Azure Virtual Network
New Features
Today we are excited to make announcements in multiple areas of Azure Virtual WAN (vWAN), networking as a service that brings networking, security, and routing functionalities together to provide a single operational interface. As enterprises increasingly adopt the cloud while reducing their costs, IT teams looking to consolidate, accelerate, or even revamp their wide area network should consider Azure Virtual WAN. You don't need to have all these use cases to start using Virtual WAN—you can get started with just one. With ease of use and simplicity built in, vWAN is a one-stop shop to connect, protect, route traffic, and monitor your wide area network.
The following areas have key announcements:
- Remote user connectivity (also known as point-to-site VPN).
- Routing.
- Branch connectivity (also known as site-to-site VPN).
- Private connectivity (also known as ExpressRoute).
- Third-Party Network Virtual Appliance Integrations.
Region Updates
The ability to bring your own public IP ranges is now available in all US Government regions.
Additionally, you can now bring your own IPv6 ranges to Azure. These ranges must be a /48 size and can be split into multiple regional /64 ranges, of which a subset of IPs can be used as Public IP Prefixes. A regional commissioning feature now allows you to advertise a range internally within an Azure region prior to full global advertisement to the Internet, easing the migration process for a range that is already live outside of Azure.