Azure Security Announcements - September 16th 2022

September 20, 2022

This week, there are 10 announcements related to Azure Security.

Headlines:

  • Built-in Azure Monitor Alerts for Azure Backup is now generally available
  • Restore artifacts you may have deleted by mistake using the Azure Container Registry (ACR) soft delete feature
  • Data encryption with customer-managed keys (CMK) for Azure Database for MySQL
  • The major version upgrade feature allows you to perform in-place upgrades of existing instances of Azure Database for MySQL
  • Azure Database for PostgreSQL – Flexible Server performs automatic snapshot backups and allows you to restore to any point in time within the retention period
  • An AKS cluster with API Server VNet Integration projects the API server endpoint directly into a delegated subnet in the VNet where AKS is deployed
  • Security rules from Kubernetes Network Policy resources can now be enforced on all pod traffic across Linux and Windows Server 2022 nodes
  • Azure Monitor metric alert rules that monitor custom metrics can now be saved in the European regions
  • Standard network features for Azure NetApp Files volumes provide an enhanced and consistent virtual networking experience and an improved security posture
  • Encrypting Azure Virtual Machines managed disks with cross-tenant customer-managed keys (CMK)

All details below.

Azure Backup

General Availability
Built-in Azure Monitor Alerts for Azure Backup is now generally available. With this solution, users receive default alerts, integrated with Azure Monitor, for critical scenarios such as backup security events and job failures. You can monitor these alerts at scale via either the Azure Monitor dashboard or Backup center, and route them to the notification channels of your choice.

Below are the main benefits of using built-in Azure Monitor alerts for backup:

  • Ability to configure notifications to a wide range of notification channels supported by Azure Monitor
  • Ability to select which scenarios to get notified for
  • Ability to have a consistent alerts management experience for multiple Azure services including backup, with at-scale management capabilities

Announcement | Documentation

Azure Container Registry

Preview Features
Restore artifacts you may have deleted by mistake using the Azure Container Registry (ACR) soft delete feature.

After the feature is enabled and an artifact is deleted, the deleted artifact is kept in a recycle bin for a configurable number of days. You can restore the artifact while it is still in the recycle bin and build containers from it right away. Once an artifact reaches the configured retention limit, it is purged from the registry permanently.
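The workflow in practice, as an added example (not part of the announcement): enable soft delete with a 7-day window, delete a tag, confirm it is in the recycle bin, restore it, and prove the restored manifest has the same digest as the one removed. Registry `contosoacr`, repository `web/api` and tag `1.4.2` are assumed names. Soft delete is in preview and the `az acr manifest` subgroup ships in a preview CLI extension, so check `az acr manifest --help` for the exact syntax in your CLI version.

```azurecli
# Added example, not from the announcement. Assumed names: registry "contosoacr",
# repository "web/api", tag "1.4.2". "az acr manifest list-deleted*/restore" are
# preview commands; verify their syntax with "az acr manifest --help".
REGISTRY=contosoacr
REPO=web/api
TAG=1.4.2

# 1. Turn soft delete on and set how many days deleted artifacts stay restorable.
az acr config soft-delete update --registry "$REGISTRY" --status Enabled --days 7
az acr config soft-delete show --registry "$REGISTRY"

# 2. Record the digest before deleting so the restore can be verified afterwards.
BEFORE=$(az acr repository show --name "$REGISTRY" --image "$REPO:$TAG" --query digest -o tsv)
az acr repository delete --name "$REGISTRY" --image "$REPO:$TAG" --yes

# 3. Inspect the recycle bin for this repository (manifests and their tags).
az acr manifest list-deleted --registry "$REGISTRY" --name "$REPO" -o table
az acr manifest list-deleted-tags --registry "$REGISTRY" --name "$REPO" -o table

# 4. Restore the manifest under its original tag and compare digests: a match
#    means the restored image is byte-for-byte the one that was deleted.
az acr manifest restore --registry "$REGISTRY" --name "$REPO" --digest "$BEFORE" --tag "$TAG"
AFTER=$(az acr repository show --name "$REGISTRY" --image "$REPO:$TAG" --query digest -o tsv)
if [ "$BEFORE" = "$AFTER" ]; then
  echo "restored $REPO:$TAG ($AFTER)"
else
  echo "digest mismatch after restore: $BEFORE vs $AFTER" >&2
fi
```

The digest comparison is the check worth keeping in a runbook: soft delete restores by digest, so a tag that is re-pushed between deletion and restore is not silently confused with the recovered one.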

Announcement | Documentation

Azure Database for MySQL

General Availability
Data encryption with customer-managed keys (CMK) for Azure Database for MySQL – Flexible Server allows you to bring your own key (BYOK) for data protection at rest. You can use this feature to implement separation of duties for managing keys and data. Additionally, you can centrally manage and organize keys using Azure Key Vault. With customer-managed encryption, you're responsible for, and in full control of, a key's lifecycle, key usage permissions, and auditing operations on keys.
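The separation-of-duties setup described above, as an added example (not from the announcement or the product documentation): a Key Vault with purge protection, a user-assigned identity that holds only the key permissions the server needs, and the server pointed at a versioned key. Resource group `rg-data`, server `mysql-prod`, vault `kv-mysql-cmk`, key `mysql-tde` and identity `id-mysql-cmk` are assumed names.

```azurecli
# Added example, not from the announcement. Assumed names: resource group
# "rg-data", server "mysql-prod", key vault "kv-mysql-cmk", key "mysql-tde",
# user-assigned identity "id-mysql-cmk".
RG=rg-data
SERVER=mysql-prod
KV=kv-mysql-cmk
KEY=mysql-tde
UAMI=id-mysql-cmk

# 1. Purge protection is not optional for CMK: if the key is deleted and purged,
#    the server's data at rest becomes unreadable with no recovery path.
az keyvault create --name "$KV" --resource-group "$RG" --enable-purge-protection true
az keyvault key create --vault-name "$KV" --name "$KEY" --kty RSA --size 2048

# 2. The identity the server uses gets only get/wrapKey/unwrapKey. It can use the
#    key but cannot create, delete, or purge keys; that stays with the key owners.
PRINCIPAL_ID=$(az identity create --name "$UAMI" --resource-group "$RG" --query principalId -o tsv)
IDENTITY_ID=$(az identity show --name "$UAMI" --resource-group "$RG" --query id -o tsv)
az keyvault set-policy --name "$KV" --object-id "$PRINCIPAL_ID" \
  --key-permissions get wrapKey unwrapKey

# 3. Attach the identity and point the server at the key. The key identifier is
#    versioned, so a key rotation is a re-run of this step with the new version.
KEY_ID=$(az keyvault key show --vault-name "$KV" --name "$KEY" --query key.kid -o tsv)
az mysql flexible-server identity assign --resource-group "$RG" --server-name "$SERVER" \
  --identity "$IDENTITY_ID"
az mysql flexible-server update --resource-group "$RG" --name "$SERVER" \
  --key "$KEY_ID" --identity "$IDENTITY_ID"

# 4. Checks: the server reports customer-managed encryption, and the vault still
#    has the settings that protect the key from accidental loss.
az mysql flexible-server show --resource-group "$RG" --name "$SERVER" \
  --query dataEncryption -o json
az keyvault show --name "$KV" \
  --query "properties.{softDelete:enableSoftDelete, purgeProtection:enablePurgeProtection}" -o json
```

If the vault uses the Azure RBAC permission model instead of access policies, replace the `set-policy` step with a `Key Vault Crypto Service Encryption User` role assignment scoped to the key; the permission set is the same.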

Announcement | Documentation

Preview Features
The major version upgrade feature allows you to perform in-place upgrades of existing instances of Azure Database for MySQL - Flexible Server from MySQL 5.7 to MySQL 8.0 with the click of a button, without any data movement or changes to application connection strings. Use this functionality to perform major version upgrades efficiently so that your instances can take advantage of the latest that MySQL 8.0 has to offer.

Announcement | Documentation

Azure Database for PostgreSQL

General Availability
Azure Database for PostgreSQL – Flexible Server performs automatic snapshot backups and allows you to restore to any point in time within the retention period. A point-in-time restore replays the transaction log from the most recent snapshot up to the requested time, so the overall time to restore and recover may take several minutes depending on how much log has to be replayed.

For use cases such as testing, development, and verifying backup data, which do not require the latest data but do need a server quickly, Azure Database for PostgreSQL – Flexible Server now supports a fast restore option. This option lists all the available automatic backups and lets you choose a specific backup to restore. It then provisions a new server and restores that backup directly from the snapshot. Because no log replay is involved, the restore time is fast and predictable.

Announcement | Documentation

Azure Kubernetes Service

Preview Features
An Azure Kubernetes Service (AKS) cluster with API Server VNet Integration configured projects the API server endpoint directly into a delegated subnet in the VNet where AKS is deployed. This enables network communication between the API server and the cluster nodes without a private link or tunnel. The API server is available behind an internal load balancer VIP in the delegated subnet, which the nodes are configured to use.

Announcement | Documentation

Preview Features
We are extending Azure Network Policy Manager (NPM) to Windows Server 2022 for AKS.

Security rules from Kubernetes Network Policy resources can now be enforced on all pod traffic across Linux and Windows Server 2022 nodes, for a cluster created with --network-policy=azure.

Network Policy Manager continues to be a managed solution, configurable at cluster creation.
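How the enforcement looks end to end, as an added example (not from the announcement): a cluster created with `--network-policy azure`, a Windows Server 2022 node pool, and a default-deny policy set that applies to every pod in a namespace regardless of node OS. Resource group `rg-aks`, cluster `aks-npm`, namespace `shop`, a Service named `api` fronting pods labelled `app: api` on port 8080, and a `WINDOWS_PASSWORD` environment variable are assumptions.

```azurecli
# Added example, not from the announcement. Assumed: resource group "rg-aks",
# cluster "aks-npm", namespace "shop", a Service "api" in front of pods labelled
# app=api listening on 8080, and WINDOWS_PASSWORD set in the environment.
RG=rg-aks
CLUSTER=aks-npm

# Azure CNI is required; --network-policy azure selects Network Policy Manager
# and cannot be changed after the cluster exists.
az aks create --resource-group "$RG" --name "$CLUSTER" \
  --network-plugin azure --network-policy azure \
  --windows-admin-username azureuser --windows-admin-password "$WINDOWS_PASSWORD"

# Windows Server 2022 node pool; NPM enforces policy on these nodes as well.
az aks nodepool add --resource-group "$RG" --cluster-name "$CLUSTER" \
  --name win22 --os-type Windows --os-sku Windows2022 --node-count 2
az aks get-credentials --resource-group "$RG" --name "$CLUSTER"

# A pod that no NetworkPolicy selects accepts and sends all traffic, so start
# from deny-all and add the allow rules the workload needs. The manifests are
# OS-agnostic: the same rules apply to Linux and Windows pods in the namespace.
kubectl create namespace shop
kubectl apply -f - <<'EOF'
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: shop
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-from-frontend
  namespace: shop
spec:
  podSelector:
    matchLabels: {app: api}
  policyTypes: ["Ingress"]
  ingress:
  - from:
    - podSelector:
        matchLabels: {app: frontend}
    ports:
    - {protocol: TCP, port: 8080}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend-allow-to-api-and-dns
  namespace: shop
spec:
  podSelector:
    matchLabels: {app: frontend}
  policyTypes: ["Egress"]
  egress:
  - to:
    - podSelector:
        matchLabels: {app: api}
    ports:
    - {protocol: TCP, port: 8080}
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels: {k8s-app: kube-dns}
    ports:
    - {protocol: UDP, port: 53}
EOF

# Check: a probe carrying the frontend label reaches api:8080; an identical probe
# without the label is blocked. (busybox is a Linux image, so both land on Linux
# nodes; the policies apply the same way to Windows pods in the namespace.)
kubectl -n shop run probe-ok --rm -it --restart=Never --labels app=frontend \
  --image=busybox:1.36 -- sh -c 'nc -z -w 3 api 8080 && echo reachable || echo blocked'
kubectl -n shop run probe-denied --rm -it --restart=Never \
  --image=busybox:1.36 -- sh -c 'nc -z -w 3 api 8080 && echo reachable || echo blocked'
```

The DNS egress rule is the piece most often forgotten after a default-deny: without it the frontend pods cannot resolve `api` at all, and the failure looks like a policy problem on the API side rather than on the client side.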

Announcement | Documentation

Azure Monitor

Region Updates
Metric alert rules that monitor custom metrics can now be saved in the following European regions (in addition to the default “global” region which is still available):

  • North Europe
  • West Europe
  • Sweden Central
  • Germany West Central

This capability is available when defining a metric alert rule that monitors a custom metric of a resource that resides in one of the four European regions. Saving an alert rule in a region ensures that the alert rule metadata and its processing stays within Europe.

In addition, action groups can now also be saved in EU regions. This means combining an EU-based metric alert rule with an EU-based action group will ensure an end-to-end experience within Europe, encompassing alert evaluation and actions.
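An end-to-end EU deployment, as an added example (not from the announcement): a Bicep template that creates an action group and a custom-metric alert rule, both with `location` set to West Europe instead of `global`, deployed with the Azure CLI. Resource group `rg-eu-monitor`, a VM `vm-eu-01` in West Europe that emits a custom metric `checkout.failures` in namespace `Contoso.Checkout`, the recipient address, and the resource API versions are assumptions; confirm the API versions against the current resource reference.

```azurecli
# Added example, not from the announcement. Assumed: resource group "rg-eu-monitor"
# in West Europe, VM "vm-eu-01" emitting custom metric "checkout.failures" in the
# namespace "Contoso.Checkout". API versions below are assumptions to verify.
RG=rg-eu-monitor
TARGET_ID=$(az vm show --resource-group "$RG" --name vm-eu-01 --query id -o tsv)

cat > eu-alert.bicep <<'EOF'
// Region for both the alert rule and the action group. 'global' is the default
// and would move rule metadata and processing out of the EU.
param location string = 'westeurope'
param targetResourceId string
param recipient string

resource ag 'Microsoft.Insights/actionGroups@2022-06-01' = {
  name: 'ag-secops-eu'
  location: location
  properties: {
    groupShortName: 'secops-eu'
    enabled: true
    emailReceivers: [
      {
        name: 'secops'
        emailAddress: recipient
        useCommonAlertSchema: true
      }
    ]
  }
}

resource alert 'Microsoft.Insights/metricAlerts@2018-03-01' = {
  name: 'checkout-failures-eu'
  location: location
  properties: {
    severity: 2
    enabled: true
    scopes: [
      targetResourceId
    ]
    evaluationFrequency: 'PT1M'
    windowSize: 'PT5M'
    criteria: {
      'odata.type': 'Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria'
      allOf: [
        {
          criterionType: 'StaticThresholdCriterion'
          name: 'failures'
          metricNamespace: 'Contoso.Checkout'
          metricName: 'checkout.failures'
          operator: 'GreaterThan'
          threshold: 50
          timeAggregation: 'Total'
        }
      ]
    }
    actions: [
      {
        actionGroupId: ag.id
      }
    ]
  }
}
EOF

az deployment group create --resource-group "$RG" --template-file eu-alert.bicep \
  --parameters targetResourceId="$TARGET_ID" recipient=secops@contoso.example

# Check: both resources report westeurope, not global.
az monitor metrics alert show --resource-group "$RG" --name checkout-failures-eu \
  --query location -o tsv
az monitor action-group show --resource-group "$RG" --name ag-secops-eu \
  --query location -o tsv
```

The regional option only applies to rules on custom metrics of resources in one of the four listed regions; a rule on platform metrics, or on a resource elsewhere, still has to be saved as `global`.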

Announcement | Documentation

Azure NetApp Files

General Availability
We are announcing the general availability of standard network features for Azure NetApp Files volumes. Standard network features provide an enhanced and consistent virtual networking experience and an improved security posture for Azure NetApp Files.

You are now able to choose between standard or basic network features while creating a new Azure NetApp Files volume:

Basic provides the existing functionality, with limited scale and features.

Standard provides the following new features for Azure NetApp Files volumes or delegated subnets:

  • Increased IP limits for VNets with Azure NetApp Files volumes, on par with VMs, so that you can provision Azure NetApp Files volumes in your existing topologies or architectures. This eliminates the need to rearchitect network topologies to use Azure NetApp Files for workloads like VDI, AVD, or AKS.
  • Enhanced network security with support for network security groups (NSG) on the Azure NetApp Files delegated subnet.
  • Enhanced network control with support for user-defined routes (UDR) to and from Azure NetApp Files delegated subnets. You can now direct traffic to and from Azure NetApp Files via your choice of network virtual appliances for traffic inspection.
  • Connectivity over an active-active VPN gateway setup for highly available connectivity to Azure NetApp Files from your on-premises network.
  • ExpressRoute FastPath connectivity to Azure NetApp Files. FastPath improves the data path performance between on-premises network and Azure Virtual Network.
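The NSG capability in practice, as an added example (not from the announcement): an NSG on the delegated subnet that admits NFS only from the application subnet, attached before a volume is created with `--network-features Standard`. Resource group `rg-anf`, VNet `vnet-hub` with subnets `snet-anf` (delegated to `Microsoft.NetApp/volumes`, 10.10.2.0/24) and `snet-app` (10.10.1.0/24), account `anf-acct`, pool `pool-prem` and volume `vol-app-data` are assumed names.

```azurecli
# Added example, not from the announcement. Assumed: resource group "rg-anf",
# VNet "vnet-hub" with an existing delegated subnet "snet-anf" (10.10.2.0/24) and
# an app subnet "snet-app" (10.10.1.0/24), NetApp account "anf-acct", capacity
# pool "pool-prem", volume "vol-app-data".
RG=rg-anf
VNET=vnet-hub
LOC=westeurope

# NSG for the delegated subnet: allow NFS (2049, plus 111 for NFSv3 portmapper)
# from the app subnet only, then deny everything else inbound. With Basic network
# features an NSG on this subnet is not supported; Standard enforces it.
az network nsg create --resource-group "$RG" --name nsg-anf --location "$LOC"
az network nsg rule create --resource-group "$RG" --nsg-name nsg-anf \
  --name allow-nfs-from-app --priority 100 --direction Inbound --access Allow \
  --protocol '*' --source-address-prefixes 10.10.1.0/24 \
  --destination-port-ranges 111 2049
az network nsg rule create --resource-group "$RG" --nsg-name nsg-anf \
  --name deny-all-inbound --priority 4096 --direction Inbound --access Deny \
  --protocol '*' --source-address-prefixes '*' --destination-port-ranges '*'
az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
  --name snet-anf --network-security-group nsg-anf

# The Basic/Standard choice is made per volume at creation time.
az netappfiles volume create --resource-group "$RG" --account-name anf-acct \
  --pool-name pool-prem --name vol-app-data --location "$LOC" \
  --service-level Premium --usage-threshold 100 --file-path vol-app-data \
  --vnet "$VNET" --subnet snet-anf --protocol-types NFSv4.1 \
  --network-features Standard

# Checks: the volume reports Standard, and the delegated subnet carries the NSG.
az netappfiles volume show --resource-group "$RG" --account-name anf-acct \
  --pool-name pool-prem --name vol-app-data --query networkFeatures -o tsv
az network vnet subnet show --resource-group "$RG" --vnet-name "$VNET" \
  --name snet-anf --query networkSecurityGroup.id -o tsv
```

Pair the NSG with the volume's own export policy: the NSG limits which subnets can reach the mount target at all, while the export policy decides which client addresses may mount and with what access.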

Announcement | Documentation

Azure Virtual Machines

Preview Features
Cross-tenant customer-managed keys (CMK) for managed disks let you encrypt disks with keys held in an Azure Key Vault hosted in a different Azure Active Directory (AD) tenant from the one that owns the disks.

Many service providers building Software as a Service (SaaS) offerings on Azure want to give their customers the option of managing their own encryption keys. Customers of service providers can now use cross-tenant customer-managed keys to manage encryption keys in their own Azure AD tenant and subscription using Azure Key Vault. As a result, they will have complete control of their customer-managed keys and their data.

Announcement | Documentation
