Microsoft Azure Infrastructure Weekly Update - 12th December 2021

Video Statistics and Information

Captions
Hey everyone, welcome to this week's Azure infrastructure update. It's the 12th of December, so really not that long till Christmas. As always, if this is useful, please like, subscribe, comment and share, and hit that bell icon to get notified of new content. As always, in the description I have the chapters for the new updates; you can click on the bottom of the screen if you want to jump to a specific update.

New videos this week. So I spent a lot of time researching and creating this deep dive all about Azure Active Directory resiliency: what does Microsoft do to make Azure AD resilient, and then what are some of the things we can do to increase that resiliency. I don't often kind of say this, but this is something everyone should watch. Whether you're an administrator, an architect, a developer, this is critical knowledge to have, so very, very highly, five star, recommend watch that one. Then I also did an overview of the new native SFTP capability in Azure Storage that I mentioned in last week's updates. If you want a bit more detail and see that in action, I kind of walk through that and some of the other considerations.

Get to what's new this week. So we have this new VM restore point in preview. This gives me a point-in-time and, really important, multi-disk app-consistent snapshot capability that can then help with backup and restore scenarios. So previously we had, from managed disk, I could do a managed disk snapshot, but that was just that single disk. Well, if I have multiple disks for a virtual machine, for it to really be useful I want snapshots on all of them at the same instant in time so I get consistency across them, and I want it to be app consistent. So app consistent means when I take this new VM restore point, it's actually going to interact with the guest operating system. It will use things like VSS for Windows to tell the applications running that have providers to flush out the changes to disk, pause, quiesce any changes; then it can take that multi-disk snapshot and they can carry on running. So it's not saving the memory of the VM as part of this, but it doesn't need to, because it's got the disks in that app-consistent state.

The way it's actually working is you create a restore point collection, and that restore point collection then has a particular VM restore point created inside it that consists of all of the various disk snapshots, those restore points for all of the attached disks. So it's going to store the configuration and all of those snapshots as part of it. It is incremental after the first one, so that first VM restore point will be the entire content of all of the disks, then after that it's just the incrementals. And it will use ZRS if available in the region; if not, it will be LRS.

On the storage side, so blob immutable storage with versioning has gone GA. So the whole point of immutable storage is that whole "hey, I write once and I can read many, but I can't delete or modify once I've put a lock on the blob". That lock could be for time or it could be a legal hold. Now what this capability does, it now applies to blob or previous versions, but what I can now do is, once I turn this on, I can still write, I can modify the blob. I can't delete it, I can't change the user metadata, but I can change the block, but what it will do is it will create an immutable version of the blob, so I still save the state at the time that hold was actually applied.

So what I can actually do, once I've got versioning turned on for the storage account, what you would see is you have to obviously go to the data protection and go and turn on the versioning capability. So if you kind of look in here, I've got soft delete, versioning for blobs, etc. But then when I go and create a container, what you can now specify is this "hey, I want to do this version-level immutability support". So once I turn that on, as it kind of says to you here, blob overrides will still be allowed but Azure will maintain the immutable versions by using those version capabilities. So that's what this capability is going to give us. It's going to let us now, hey, I can still actually modify it but keep that particular version, because we're going to create a version of it.

Azure Storage attribute-based access control using those Azure AD custom security attributes I showed last week is now in preview. Now, I demoed all of this last week so I'm not going to demo it again, but it's basically the idea that, hey, I can have those custom attributes on, for example, my users, and then I have my blob index tags, and rather than having to have a whole set of different rules for access, I can now have one rule. If I could show you that one rule, since I'm in this storage account anyway. So if I actually go into images and I look at my access control, if I look at my role assignments, if I look at Blob Data Reader, I have a custom attribute on my account, which is a primary project, and then I can compare that to a project blob index tag. So here, based on the security principal, hey, I'm looking at this project attribute set and this primary project actually custom attribute, then I want it to equal the blob index tag value that was within the key project. And so I don't have to have a ton of different rules. It's just, hey, my particular object has a particular project; in this example it has to match the project to the blob index tag, and now it's one rule, and I have tons of different projects, I can only see what is my project. There's a ton of other combinations I can do with that, but now the storage account preview can match that.

And Azure Storage service endpoints now in preview support any region. So if we remember super quickly, the whole point of a service endpoint is, ordinarily we have, for example, a storage account. That storage account has that firewall where I can control what is allowed to talk to it. Well, with a regular virtual network it's an RFC 1918 IP address; there's no way to really reference that. So if we think about there's lots of subnets in here, I can add a service endpoint for storage, and now this particular subnet in this particular VNet now becomes identifiable. I get an improved routing option, but now also on the firewall I can say "yes, allow subnet one in VNet1". And before, that was only allowed for storage account in the same region or the paired region, but now with this enhancement it's going to support any region, so it gives me a lot more flexibility actually for that.

Miscellaneous. So PowerShell Az module version 7 has been released. Now this is actually quite a big release because it's making the switch to the Microsoft Graph. What that might mean is, if you have certain security service principals, you may need to go in and consent to certain scopes. So just make sure you re-test things if you make that update, because obviously the MS Graph is all based around consent of scopes, whereas we didn't have that before. So just make sure you go and check those things.

Defender for Cloud has a bunch of updates; actually, I think it was two main updates. So if we go and look at this super quick, so the new Defender for Containers plan has been released for general availability, so that's a combination of some existing things. There were talks about some onboarding, some new alerts for storage, publicly accessible storage containers and discovered and then unsuccessfully scanned, and then some improvements to alerts around Defender for Storage: access from a Tor exit node, unusual unauthenticated access. And as usual, I'll just have the link to this down in the description below if you want to actually go and check out that detail directly.

Availability zones are now available in India Central. Remember, availability zones are those independent power, cooling, communications per facility, so it gives me a nice blast radius. If there's a building-level problem, well, my instances in the other availability zones should not be impacted.

And then Container Insights for Azure Red Hat OpenShift v4 is retiring end of May. The point is really you want to shift and move to the Azure Arc, so I can shift to the Container Insights for Azure Arc. Remember, Azure Arc for containers works for any CNCF-compatible Kubernetes, so rather than having saying specific for the Red Hat OpenShift, the better option is to use the Azure Arc for Kubernetes and then use the Container Insights that sits on top of that. And because Red Hat OpenShift is CNCF compliant, that will work with the Azure Arc for Kubernetes, which means I can use the Container Insights, which gives me automatic monitoring agent updates, better metric-based alerting, better onboarding, which is an all-up improved experience. So start thinking about moving away from that specific solution and instead going over to the Azure Arc for Kubernetes-based solution.

And that's it. So I hope that was useful, and I guess credit in the comments if you know what my favorite Christmas movie is, and until next week, take care.
Info
Channel: John Savill's Technical Training
Views: 2,686
Keywords: azure, azure cloud, microsoft azure, microsoft, cloud, what's new, updates, new features, release
Id: OIzCKtFcF8o
Length: 10min 56sec (656 seconds)
Published: Sun Dec 12 2021