Microsoft Azure Weekly Update - 7th November 2021 - IGNITE FALL 2021 Edition

Captions
Hey everyone, welcome to this week's Azure infrastructure update. It is the 7th of November and it's the week after Ignite, so this week I'm going to try and cover all of the key Ignite announcements, related a lot around the Azure infrastructure kind of space. There is the Ignite Book of News that goes into all of the details and links to fantastic blogs, so I've got that in the description below. As always, if this is useful, a like, subscribe, comment and share really is appreciated, and please hit that bell icon to get notified of new updates.

Now before I get into that, I wanted to just say thank you, because we hit 80,000 subscribers. So that's obviously a huge thing and I really, really appreciate all the support for helping me get to that number. I'm going to do another Ask Me Anything session; that's going to be on the 10th of November at 8:00 a.m. So again, if you're subscribed you can go and see that, and again the links are here so you can go and join me. Bring your questions, just have some fun.

As always, I've got the chapters to all the different updates we're going to cover. You can click on them right below there, or they're in the description as well. These are just the high-level ones because I just can't fit them all on the screen, but again, if there are particular things you're interested in you can jump to that; you don't have to go and sit through the whole video.

So, new videos: I did a near four-hour AZ-104 Azure Administrator exam cram, so I go through all of the different content, and to go with that I created a playlist that's built off of my Azure Master Class but also added in some other videos to really fill it out and give you as much information as possible to help you take that certification.

So let's get to the new content. From a virtual machine perspective, they announced some new v5 SKUs. This is both the Dv5 and the Ev5. These are based on the latest generation Intel Xeon, the third gen, and it's about a 15% increase in performance, up to 96 virtual CPUs. There's also a Da and an Ea, which are built on the AMD EPYC processors, again the third gen. For both of those they have versions with and without temporary storage. Remember, the D series is general purpose, so a pretty even balance of CPU and memory; the E is more memory intensive, so a bigger ratio of memory to those virtual CPUs. E is very good for things like databases, for example.

Now when I think about databases, they also announced this Eb v5, and what's happening here is these new SKUs, they're in preview, are built on the same third gen Xeon processors, but these are actually going to deliver something like a 300% increase in storage performance over the Ev4. So if you think ordinarily about how we get different types of resource: ordinarily I could think, hey, if I had the idea of CPU and memory and then storage IOPS and throughput, the line kind of goes like that. What they're doing for these Eb series is the storage is going up much, much bigger, because if I have database workloads, hey, sure, I might need the E series for the higher memory to CPU, but I actually need more storage throughput and IOPS than I get even with the E series. So the whole point of these Eb versions is they're going to have much higher IOPS and throughput. You might say, well, there's the L series, why don't you use that? Well, the L series, remember, also has that local NVMe storage. Maybe I don't want that; I just want higher IOPS and throughput. So the biggest Eb5 is actually going to be able to go all the way up to like 88,000 IOPS and, I think, is it two and a half thousand megabytes per second? But that was, I think, the E32 they talked about. But I think the very biggest size they're making available, they've talked about 120,000 IOPS and 4,000 megabytes per second. So just a single VM will be able to go up to that, which actually is going to match the new Ultra Disk maximum throughput. So huge, huge
IOPS and performance possible there. They also announced the DCv3 series. Remember, the DC series is all about that confidential computing; it has that Intel SGX, the Software Guard Extensions, that lets me write applications to hook into that secure enclave. And the big deal with these v3 versions is that the Enclave Page Cache, the EPC, is actually 1,500 times bigger now, so I can have applications with much bigger amounts of that secure enclave memory. I think they're like 12 times the amount of regular memory, up to 48 cores. Things like Azure Kubernetes Service will also be able to leverage this.

There's a new VM selector. The VM selector is all about an experience where, hey, I can actually go in; there are so many different VM SKUs, well, which one should I be using? So now you can go in and say, okay, I want to do it by workload type, by OS and software, based on certain regions, and then it's just going to ask you different questions. You go through this experience and it will help you pick the right type of virtual machine.

Also, we now have VMSS Flex has gone GA. So remember, the point about this is a virtual machine scale set before was always uniform. So the point of VMSS is, hey, I have this virtual machine scale set, and with the uniform option, which is what we were used to, we had some template, we had some configuration, and we could have manual or auto scale and it would just stamp those out. Well, with the new flexibility, this Flex option, what we now have is some of the benefits of availability sets, availability zones, but I just go and create this Flex, and then what I can do is I then go and add VMs into it. Now the benefit here is, with the uniform model those VMs are all the same: the same SKU, the same template, everything else. With the Flex model I can mix and match: I could mix Windows, I can mix Linux, I could mix pay-as-you-go, I could mix Spot virtual machines, and because it's regular VMs I can still get direct access to those individual VMs I add into the Flex. But again, I get some of those benefits around, hey, availability set, maximizing over fault domains, even availability zones. If I want this idea of stamping out instances, I can actually, within my Flex, so I can mix it, still create a VM profile. So a VM profile can still be, hey, some template, some configuration, and it can then go and stamp those out as well, combined with the VMs I'm just manually adding into it. So this VMSS Flex option is really cool; I'm now getting some of the benefits and the best of both worlds. So that is now generally available. I go and pick the option I want: hey, do I want the uniform model we used to, where they're all the same, or I can now do the Flex model where I can add VMs into this set but still also have that profile if I want.

Automatic guest patching has gone GA. This is for Windows and Linux, and it's built around critical- and security-classified patches. It runs every couple of days. It follows the normal availability-first principles, so if I've got paired regions it's not going to do it at the same time; if I have availability zones it's AZ by AZ; and based on the region it's going to try and do it in off hours, checking success rates, etc., etc. But now for those Windows and Linux VMs I can get a very easy guest patching experience.

And then Trusted Launch has gone generally available. So if I think about Windows, I have that idea of, hey, measured boot, signed boot, etc. Well, now it's bringing this to my Azure virtual machines as well. From the bootloader to the OS kernel to drivers, it's checking the signatures of all of those components. Now because I'm using that idea like measured boot that hooks into hardware, it has to have a virtual TPM, so I have to do this in a Generation 2 Azure virtual machine. That gives me that UEFI base and that virtual TPM, but then at time of creation I can turn on Trusted Launch and get that validation of that entire
process. Again, I was talking about Windows, hey, secure boot and measured boot, but it does also apply to Linux virtual machines, and here it talks about the VMs that are supported for this and the operating systems that are supported as well. And I think it probably does talk about the virtual TPM and the Gen 2. So there we go, it mentions the whole idea of, hey, I have to have that Gen 2 VM for this to work, which is why it's only certain virtual machine SKUs, the newer ones that have that UEFI-based option, so we can actually leverage it. So Trusted Launch is now GA.

And Azure Automanage has a number of improvements. So this is that idea that, hey, it's IaaS, but I almost want that PaaS-like experience in terms of me having to do things to the operating system. So what they're really building is, there are all these different services in Azure like the patching, like backup, like configuration, so it's really building on those. So I now have things like, hey, for those virtual machines under Automanage on Azure, hot patch: that ability now to reduce the number of times I have to reboot. I can just apply the patches and hot patch them into the OS, so I can apply them quicker because I don't have to find a time I can reboot. Things like, for secure file access, SMB over QUIC. So QUIC provides an alternative to TCP; it basically creates this encrypted tunnel over UDP 443, which is very nice over the internet, so now I can do SMB over untrusted networks. There were things like preserve on-premises IP address. This uses these Windows Server 2019 instances on-prem and in the Azure VNet that create this bidirectional VXLAN tunnel that now lets me take my IP addresses and have that same space defined in a virtual network, and I can bridge that gap. So a whole bunch of nice improvements there.

AKS now has NAT Gateway integration. Remember, NAT Gateway is all about that outbound traffic and doing that SNATing; it has lots of IP addresses, so we don't get port exhaustion. Well, now as part of my AKS provisioning I can also provision and configure NAT Gateway. That can really be useful if I was using, like, a standard load balancer for my ingress. Well, by default, if I don't do outbound rules I can't get to the internet. Well, now I could use a standard load balancer for my ingress and define a NAT Gateway for that internet-based egress. Saves me having to configure it manually.

Azure Service Operator v2 has gone GA. So when we think about Azure resources, AKS is obviously Kubernetes; it's great for having my deployment YAML file to deploy things into my Kubernetes environment, but often there are Azure things as well I want to complete the solution. So what this Azure Service Operator does is let me actually create Azure resources via my YAML deployment file that I send to Kubernetes. So it gives me a really nice seamless provisioning experience. So what this v2 has: it has improvements around faster support of new resource types that get added to ARM, I can view the state of resources in Azure, I get a nicer view of the resource state, new dedicated storage versions, and a bunch of other stuff. But really this is all about letting me create Azure resources through the deployment YAML files I send to AKS. Also, when I talk about this Azure Service Operator, it's now super simple to deploy via VS Code. There's essentially now this extension that I can use in VS Code; I give it the service principal and I can get that deployed out.

I can now stop and start node pools. So AKS has had that ability to stop and start the cluster; now I can actually do it for individual node pools. In the past what we would do with node pools is I would scale it to zero, but then I've kind of lost the configuration I had, like how many instances there were. With this I can stop it, and then when I start that node pool again it's back to where it was before I performed the stop, so I'm not losing any kind of configuration or status, and this is via the az aks nodepool stop/start commands.

Today, Dapr extensions are in preview. So I'm actually going to talk more about Dapr in a second. So Dapr is this super interesting thing. Really, when I'm designing microservices, there are things I want: secrets, a stateful store, service discovery, network features, traffic splitting. There are all these different things that maybe, as the app developer, that's not my expertise. So Dapr brings this great portability and abstraction for me. I can have different parts of my microservice written in different languages; it abstracts it all the way to a set of standard HTTP, gRPC (remote procedure calls, but a new, modern, very high-performance version). Dapr does all that for me. So now through this extension I can get that provisioned onto my AKS cluster super simply, so now my developers can start building on top of Dapr, which just runs as a sidecar on AKS. So it's another container in my pod and I can start using those standard means; I don't have to worry about all the little implementation details.

And then the Secrets Store CSI driver has gone GA. So that's the Container Storage Interface, through which I can create many, many different types of interaction. With this, now my secrets, my keys, my certificates in Azure Key Vault can be exposed to my Kubernetes environment just like they're part of the file system. So again, it abstracts me having to know about AKS or how I interact; I'm just viewing it like any other part of the file system, which greatly simplifies all of my interactions.

Open Service Mesh add-on went GA. So Open Service Mesh is built on that CNCF Envoy solution, so again that's another sidecar in my pods, and actually Dapr hooks into this as well. And what I get is a lot of very powerful capabilities around my networking. Again, if I think about microservices in my environment and needs I have: I might want to encrypt the traffic between them; I might want to change routing for a subset of the traffic, maybe like blue/green or A/B splitting; I might want rate limiting; I might want to allow traffic, block traffic, mirror traffic. Well, I get all of that with this Open Service Mesh, in addition to great telemetry and actual insight into it. So this gives me again another really easy way to get that deployed into my AKS environment. There were also updates around J2EE, Java Enterprise Edition, on AKS: WebLogic, WebSphere Liberty. So you can go and check those things out as well.

So on to more general compute. Cosmos DB has a new connector for Logic Apps. With these connectors it makes it very, very easy to do things like triggering: hey, the Cosmos DB change log has something written to it, I can go and trigger a Logic App, in addition to binding, so I can perform other types of operation against it. All of these are super, super high performance.

And then they announced Azure Container Apps. So actually Container Apps is kind of a super interesting thing, and this brings a lot of that Dapr and other things together, and I'm just going to talk about this in a little bit more detail than maybe some of the other things. So if I was to think today about containers in Azure: remember, we have some idea of a registry, so we have a container registry and we have some image. Now obviously I need to run that in something. So at a very simple end we have things like Azure Container Instances, so I can create multiple Azure Container Instances that are going to run that image, because an Azure Container Instance is an instance of a container. It's running in this hidden managed VM, it's kernel-level abstraction, but it's dealing with them one at a time. I could create them, but I'm doing all of those actions manually. At the other end of the scale we have things like Azure Kubernetes Service. So we have this very powerful Azure Kubernetes Service; it has that management control plane that's just done for us, it has things like the API server, and then what we have is a whole bunch of
nodes. So we have a whole bunch of nodes; it has things like the kubelet that talks to that API server. There's a certain amount of management and understanding I have to have with that. Now we get great features like the Horizontal Pod Autoscaler, so as pods, maybe there are different types of triggers, hey, I can scale those things out. I can also do a cluster autoscaler, so I can modify the actual number of nodes I have, but there's a certain amount of knowledge I need to have. Hey, I can even actually use ACI for a virtual kubelet. But if I'm designing like microservices and I want like a serverless, a true serverless, but with some additional functionality, well, this is where this brand new, we'll use the universe pen, you know I save that for special occasions, we have this new idea of these Container Apps. Oh, that was weird, let's get back to that.

So this new idea of my container applications. This is now all about, hey, I just have these microservice deployments I want. So what I actually do with Container Apps is I have the idea of an environment. Now that environment deploys to a virtual network; it has its own Log Analytics workspace. And then within that I could absolutely just create regular containers. I could absolutely just have the idea of, hey, I have some app revision and it has a certain number of instances of that container. It has built-in things like KEDA. So KEDA is all about that, hey, I want to do these kind of autoscale type capabilities. So I can think, I've lost my board again, so I can think about, okay, I want to do this event-driven autoscaling. It could be it's based on maybe a number of requests coming in; I could think about it's an endpoint type service. Maybe it's an event-driven service, so, hey, I want to do it based on some kind of queue depth. Maybe it's just performing some background processing, so it's based on some kind of resource. So there are different ways I can scale, but I can scale from zero, it can scale to zero, it's a true serverless option, up to some maximum I specify.

So I could just take a container, I can run it in this thing, I could use KEDA, it's optional, for the scaling. But if I think about, hey, I'm really creating this microservices solution, remember I talked about all those challenges we faced, so what we also get with Container Apps, in addition to KEDA, that Kubernetes event-driven autoscaling, is we get Dapr, this Distributed Application Runtime, and that's what adds all these features like the publish/subscribe, the secret store, the persistent state management, binding to other types of service storage out there, help with service-to-service communication. I might have another part of my service, this app two, that has its sets of things that are scaling independently. Well, Dapr makes it easy to talk between them, to discover; it will automatically encrypt between them; I can do the traffic splitting; and again, I just have these standard HTTP, gRPC-based methods of communication. That's just part of Container Apps. It's built on Kubernetes; behind the scenes there's Kubernetes, but it's completely hidden, it's abstracted away. This is just now providing me this fantastic experience. I'm just going to deploy revisions, so I can have multiple revisions on different versions of the image, maybe offering a change to my API spec, multiple revisions running within here, and I don't worry about Kubernetes. It's a complete serverless solution that has the great things like KEDA and Dapr and Envoy just natively available to it. So that is now obviously in preview; you can go and start playing with that. But I think this is going to be a huge thing, and they did a really good article, and I've got it linked below, that talks about, hey, ACI versus Container Apps versus AKS versus App Service, and the benefits and where they really play and where I might want to use one potentially over another. So you can go and check that out, but I think this is going to be huge when we think about all the microservice stuff we actually have happening right now.

ACR connected registry for IoT Edge. So if you think about the Azure Container Registry, I just drew about images. Well, IoT is obviously really powerful; I have things maybe on-premises, somewhere else, and I have things in that container registry. Yes, they can be container images, but there are other types of OCI artifacts that I might have in there as well. So with this connected registry I can essentially synchronize down to a local registry, some edge registry, that I can then use through the things in my edge environment. So it's a great way, on some schedule, to synchronize the objects that can then be used by my local IoT Edge resources for their deployments.

Azure App Service now has regular diagnostic settings. So just like other services, now with App Service I can easily send different types of log to storage accounts, Event Hub, Log Analytics, etc.

ASEv3 now supports Windows containers. Remember, ASEv3 is that dedicated deployment of an App Service. There are no shared components; it goes into your virtual network. The great thing about the v3 is it's this magical hidden network we don't see, but it uses that for all of its management purposes, so I can't break it anymore by adding UDRs or NSGs. The only thing going through my VNet is the actual application traffic. It performs faster, they got rid of the stamp fee, and now we have Windows containers as well.

And then Logic Apps enhancements. So there are a whole bunch of changes: there's an improved design experience, the flow, the arrows have got better information; SQL Server is now a standard storage provider; and there are a whole bunch of other features that you've probably seen across a variety of workloads where you see this option to do a task. If I quickly just jump over, so if we just look at one of these things for a second. If I just really pick anything, if I look at, I want to find a storage account. Actually, if I quickly look at a storage account, and I can't remember what the icon for storage account looks like, getting old. There we go, storage account. If I just go and look at a storage account for a second, and that's taking its time to load, then my other subscription will be faster. So there's a storage account. So often what you'll see is these tasks; you see this Tasks (automation). Now the exact tasks are going to vary depending on the type of resource, but this is essentially a Logic App. I don't know what's going on, everything's going slow all of a sudden. But for example here I could have things like, hey, delete old blobs, and that's going to go and create that Logic App for me. So there are these built-in things now for Logic Apps to actually go and leverage. Let's see if one of these loads a bit quicker. Of course I'm trying to demo, so it's going super, super slow, but ordinarily you would see Tasks. I don't know what is happening there, but it enables me to now go and easily create those kind of Logic Apps. We actually have, so there you go, I can do Add Task and it would show me the different types for those different types of resource, but I'm not going to sit and wait for that. I have zero clue what's actually happening today; it knows I'm doing a demo so it's going to try and mess me up completely. Thank you. Oh, there we go, so I can select a template and it would carry on. Moving on.

Azure Stack. Obviously Azure Stack has got a whole family of things. You've got Azure Stack Hub, the big turnkey appliances; Azure Stack Edge, those single-unit things that have different characteristics, some have GPUs, FPGAs, but it brings certain Azure services to the edge, it's on my premises; HCI, where it's multiple boxes running special versions of Windows Server and Hyper-V, Windows Admin Center, Storage Spaces Direct, so it's hyperconverged using local storage and then hooked into a lot of Azure services; and then Arc, obviously, bringing Azure outside of Azure. So Azure Stack HCI now has Azure Virtual Desktop support in preview. So now if I have my HCI
deployment, I can actually get Windows 10, Windows 11 based Azure Virtual Desktop running on that environment. And remember, one of the unique things about Azure Virtual Desktop is multi-session for the client OS, multiple people connecting to the same client instance; I get that on this solution.

And then they announced vSphere and Azure Stack HCI Arc integration for VMs, and I've got create, delete, but it's actually a lot more than that. So I talked about what brings Azure outside Azure. So if I think for a second, we talk about Azure, I'm going to use my universe pen for that. If I think about Azure, what is Azure? Well, Azure is really capacity, and then on top of that capacity we bring various types of service. That could be a VM, it could be Kubernetes, it could be databases, it could be machine learning, it could be App Services; the list goes on. And when we think about Azure, well, it has that Azure Resource Manager as that control plane, and then what Azure also brings is a whole set of management capabilities. I obviously get things like tagging, I get inventory, I get policy, the list goes on: backup, config, etc., etc., security services. Well, now I could think, well, actually, you mentioned the word capacity. I have capacity on premises, and maybe in there I've got VMs, so I've got OS instances, that's Windows or Linux, or maybe I even have some other cloud, AWS or Google, and it has capacity. So the whole point of Arc is, well, you have this idea of Arc-enabled infrastructure. So I can think about, hey, we have Arc now that brings these capabilities into OS instances. Also I could have some CNCF-compatible Kubernetes, or I can bring Arc on top of that as well. Then I start bringing these Azure capabilities like policy, like the security service, like the inventory, like the tagging. That single control plane now extends to my resources on premises, in other clouds. I get things like GitOps: hey, I can point this to a Git repo, and as I make commits to YAML files it will pull it down and apply them. But then what Arc does is, once I've got this Kubernetes layer, then we get Arc-enabled services. So again, this could be in other clouds, it could be on-prem. Now I can get things like the database services, machine learning, App Services layered on top of that, again in any of these locations. So that's Arc.

But what they're now adding is this Arc-enabled virtualization. So now I could think about the idea, well, actually, that capacity is actually vSphere or it's Azure Stack HCI, and what Arc is now actually going to do is basically have this deployment into those environments, talk to those APIs, so now it can actually talk to the hypervisors, that virtualization layer, and through Azure these environments will show up as custom regions, I would add. So I can say, hey, in Azure, deploy a VM to vSphere in wherever my location is, and that'll actually go and create the VM, stop the VM, start the VM, delete the VM, change the configuration of the VM. That's now being brought actually to our environment in preview. So that's that big announcement there.

Arc Kubernetes Container Insights is now GA. So again, bringing those curated sets of views around performance of the hosts, the pods, nodes, all of those different things, is now GA. So I can bring all those great insights and visualizations and query capabilities to it. And then HCI Arc-enabled by default. So I could think about, hey, if I have my Azure Stack HCI, Arc is just now going to be enabled by default on my environment. And Arc machine learning inferencing is available, so again, all these great services.

On the networking side. So they announced this Gateway Load Balancer, and I was like, if you follow me at all you know I love the networking stuff. So this is a super interesting solution to a problem that's been there for a really long time. So if I think about network virtual appliances, we had this challenge. We had this idea that, hey, I have some workload that sat behind a load balancer and it's maybe my application. Well, actually, I want it to go via some virtual appliance. So I would have my NVA, and we want multiple of them so we're resilient. Well, we would give that the exterior-facing load balancer, but it would also need an interior load balancer to get return traffic, and we had a lot of problems. We got a lot of problems because it was different load balancers getting symmetric traffic flow: if traffic comes in, well, I can't have it going this way in and then that way out; if they're stateful, it wouldn't know it. So we often had to run this ugly active/passive thing after a whole bunch of user-defined routes. It was really not a pleasant experience.

So what they've done is, now I have my load balancer with my app behind it, just as we did before. This can be external. And what we're now going to actually do, and I'm going to use my universe pen, we're going to say we like this thing, I create this new thing. So this is now my Gateway Load Balancer, and behind that I'm going to have my NVAs. Now I could have N number of these; these can all be active/active/active; this could be built on VM scale sets; it really doesn't matter. I could think about this could be in a different subscription, even a different tenant. This is the consumer of the service; this is my provider of the service. And what I'm going to do, I'm going to chain this to this load balancer. Now I'm drawing this as a load balancer; it could also be a public IP directly to some kind of VM. But I'm performing a chain. So now what's actually going to happen is really cool: there are no UDRs, just this chain action. The traffic is going to come in, and this is a true bump in the wire. So this will send the traffic; these NVAs just have to understand VXLAN. So it's encapsulating, it's doing a VXLAN tunnel, it's encapsulating the traffic. This just has to decapsulate it to look at the original source and destination IPs, do whatever it's going to do, maybe it's inspecting it, it might drop packets. It doesn't have to do anything else; traffic will then just go back automatically. There's no routing I'm doing, and then it will go to some targets. Guaranteed symmetric flow, and that's all I have to do. There's nothing else, like there's no UDR; I don't even have to have a peering. This could be a completely different VNet; there's no peering between these virtual networks required. It's all just going to be done by the chain. So this is super, super cool stuff, and it's completely transparent, like the source and the destination do not know this was in the network path. It's a true bump in the wire. So this solves all those challenges we had with network virtual appliances, trying to make them highly available. I did a whole video on highly available network virtual appliances. This Gateway Load Balancer is really a game changer, and there are like 11 launch partners for this, but you're not restricted to those. You can absolutely, as long as you have some appliance that understands VXLAN, go nuts. That's really all that is required.

Network Insights for VPN gateways and Azure Firewall went GA. So if I go to Network Insights I now get improved visibility into the flow of the resource topology. There are pre-built workbooks, there are direct links to documentation and troubleshooting, just things to help you.

ExpressRoute FastPath has some improvements. Remember, FastPath is all about the idea that, hey, if I have an ExpressRoute gateway, normally ingress goes via that gateway. Egress never goes via the gateway; it just goes straight to the Microsoft Enterprise Edge at the meet-me. Ingress goes via this gateway, so it adds a little bit of latency. So FastPath bypasses that gateway. So what's new is now traffic to peered networks also supports FastPath. So even if the destination is in some spoke network, I can still bypass the gateway now, so I still get those improvements. I talked about IPv6 private peering last week, so I've already talked about that. There are new ciphers and functionalities for MACsec, from using Direct ports, for that over-the-air encryption at the meet-me, so there are some things around that as well.

ExpressRoute private peering BGP community support. So remember, a community is just a custom collection of IP addresses. So what I can now do is create a custom community that represents my virtual network. So I have these groupings of IP addresses; I'm creating a community for the IP addressing of my virtual network, and what's now going to happen is, through the private peering to my on-premises, my on-premises will now see that custom BGP community that I've specified for the VNet. So we could use that for routing, maybe for other types of filtering decisions. There'll also be a regional community added automatically based on the region of the virtual network, but I can now specify, when I create the VNet or to an existing one, a custom community, and it will now be seen from the on-premises gateway, and they can make various decisions on that.

Bastion Standard went GA. This lets me do manual scaling, I think from two to fifty. Other things it gives you: an administration panel, I can enable/disable certain features, it supports RDP for Linux, it supports SSH for Windows, I can do custom inbound ports. So there are some additional functionalities added there.

And Azure Virtual Network Manager has gone into preview. So if I think about virtual networks: with a virtual network, often we talked about the idea I have multiple virtual networks. Well, today I have to manually create peers between them; I might have to have network security groups, i.e. sets of rules to control the flow of traffic. So what this new Network Manager does is actually a couple of different things. For example, I can now pick a connection topology. So I have the idea, let's say, hey, I have a whole bunch of virtual networks. So what I can actually now do is, it gives me the ability to create a network group. That network group could be based on me manually adding them in, or maybe it's based on some value of a tag, some attribute. So I can create a network group, and I can target that network group. I might say, hey, I want to deploy a mesh architecture, so it would create peerings between every single one of them. Or I might say, hey, I want to deploy a hub-spoke, so it would create those peerings. I can even say, hey, I want a hub-spoke and I want to be able to use the gateway, so, hey, allow gateway transit, use remote gateway, but I also want to enable direct connectivity for these peers, so they would actually go and create a mesh relationship for those as well.

In addition to that, we actually get the idea of admin rules. So I can also create admin rules. Now these look a lot like network security groups. So I could still have local NSGs on these things, but I can also now define these admin rules and apply them to that network group, and these apply first. It's not an override, but think of a filter. So these get applied first, so if I was blocking traffic here, it's going to block it; it won't go through. But if I was, for example, blocking traffic at the NSG, if I allow it at the admin rules it's still going to get blocked at the NSG. So this is a filter first, and then it hits the filter of the local NSGs. So I could maybe have some admin rules set up high level: don't allow port 80 out to the internet, for example. The other nice thing as well is, so regular NSGs let me say like TCP and UDP; these admin rules also let me say AH and ESP. So there are some additional protocol options I actually get with these admin rules. But then again, I can create these admin rules centrally and then target network groups. So it's security and it's helping me create all those peering relationships as well. So that's the idea around the Azure Virtual Network Manager. That's in preview and you can go and try that out.

On the storage side. So on-demand disk bursting for large Premium SSDs has gone GA, so
smaller premium and standard ssgs have kind of a credit based bursting if i'm running below my provisioned iops and throughput i start to accrue credit that i can use for up to 30 minutes well now the discs that are larger than that let's say one terabyte and above i can pay a cost to turn on on-demand disk bursting and then i just pay for basically number of transactions i do beyond what's standard on the disk so i can use as much as i want because i'm going to pay for it i'm not time bombed it's not 30 minutes but it's not free i can now go and actually turn that on remember ultra disk i have dynamic ios throughput anyway so i don't need that also remember if it's going to be like a maybe a shorter term window with premium ssds i can also change the performance tier of the disk um separate from the capacity so we we actually have a number of different options now around our kind of iops and throughput that overall storage performance managed disks now have a live resize capability so now for a data disk i can actually make it bigger while it's connected to a vm and it's running now remember once i change the size of a disk i have to go into the os and then increase the size of the volume on that disk but hey i can add dynamically resize upwards you can't shrink disks i can only make them bigger cross region disk snapshot copy is now in preview so managed disks well they're lrs or zos they live within a certain region i can't do grs managed disks i an asynchronous replica to a paired region and snapshots live on the same storage as the disk so still not giving me a solution to get some sort of cross region capability what i can now do is i can create a job that will do a copy of a snapshot be an incremental snapshot it's only copying the changes to essentially a region of my choice so i pick the region and it's going to go and do that copy to that other region it does it as a copy start job and it's per snapshot so every time i create a snapshot i'd have to go and 
kick off this copy process i could write an automation to hey i see this has happened and let's go and trigger off a new copy start job to copy that to the other region but now i can get that kind of regional resiliency for my disc snapshots disk pool for abs has gone into preview i'm pretty sure i've talked about this before i don't think this really is new but this is the idea that i have my managed disks i have my azure vmware environment so remember that's running vsphere private clouds but in microsoft data centers well now i can take my managed disks i can expose them to those vmware environments what i essentially do is i group my disks into a pool there's now what is in previewer kind of these changes is i can have a higher availability iscsi target so the way vsphere uses this is it connects over iscsi which is exposed by the ball it's now support standard ssds before it was premium ssds and ultra only and there's a new pricing model as a new excuse me end-to-end portal experience essential key management for disks so if i was a bring your own key for the encryption of my managed disks well now i can actually have those keys in a central subscription a different subscription from the disks themselves so that's going to let me have a centralized subscription ease the management improve the security of the keys for those various disks i still have to have the key vault and the disk encryption set remember we apply the custom key to disk encryption set and then put disks in the disk encryption set start to be in the same region i i can't cross region for those things and it has to be the same azure ad tenant ultradiscs have a new 4000 megabyte per second um throughput ceiling so remember i talked about that new eb series vm the eb5 and its biggest sets of skus will support 4 000 megabytes per second well ultra discs can match it so i can now actually pump through 4 000 megabytes per second with those eb5s and the new ultradisc limit cosmos db indexing metrics 
so in addition to the existing query metrics i can now actually use these indexing metrics to optimize the performance so i could see both hey what indexes are being utilized but also i could see how these indexes are recommended so i could say hey this is how i can actually go and improve my performance i can now apply throughput spending limits so we have this whole idea of this provision throughput for cosmos db well now at time of creation or afterwards i can actually set a limit on what i want that throughput to actually be so if i was to jump over super quick if i go and look let's see if the performance improves for me here but if i just go home for a second and if i go look at my cosmos db and look at my little cosmos db here well one of the options we have remember is kind of cost management and what we'll now see is total throughput limit setting so we can actually say hey i want to limit it to a certain amount i can do no limit or hey what i'm actually doing is limiting it up to the three i'm using the free cosmos db account you get per subscription so you select that and that's what applied that 1000. 
it's basically the same thing so it's limiting me now so i can really control what my possible spend could be so that's a really nice feature to control my spending it now has a partial document update if you think about cosmos db is consists of documents and ordinarily in the past if i was to update some part it would do a complete write of the entire document which obviously has a certain amount of time and overhead now if i'm only changing a certain part of the document well that's the only part that's specified in the update request it reduces my network throughput reduces the overall amount of work being done server side cassandra api retry so again we have the idea that i have a certain amount of provision throughput those request units well if i'm exceeding that what would happen in the past is it would just return a to nine hey you've exceeded it would fail what i can now do is on the server side instead of failing it'll wait a little bit of time and then retry the operation for me so now i don't have to do so much work it's essentially doing that retry for me rather than me kind of doing that in my code and there's now cost saving recommendations so as part of cosmos db it's going to look at different things like hey based on my usage patterns in the past it will recommend hey maybe enable auto scale if i'm using kind of just a provision throughput if i'm using auto scale hey maybe i should go to manual throughput instead because you pay different amounts for provision versus the auto scale so if i was super super consistent hey auto scale is probably not the best option just have this provision throughput instead regular database azure sql managed instance now has this link capability if i think about sql 2019 and sql 2022 i can actually now link it very easily to azure sql managed instance and what that gives me when i do that link it gives me this near synchronous replication and that goes into this kind of bi-directional replication capability and i 
did announce sql server 2022 as well but this link is super super powerful just for the replication but also for failover um capabilities azure sqmi has some performance boosts so it can use the new premium series hardware that third gen intel xeon i can get new memory per v core as a memory optimized solution for the hosting it supports 16 terabyte storage capacity now and i can also do windows authentication via azure ad integration so it gives me cloud support value to change my actual code azure managed instance for apache cassandra went ga so as the name suggests this is just a managed instance of um cassandra one of the nice things about this is it's running on top of vm scale sets it runs into my azure virtual network but if i have an existing cassandra ring i can actually add this to it to get a nice hybrid solution and flexible um my sequel should have wrote my there went ga so remember flexible these are the managed offerings that manage open source offerings in azure so before it was single server which is based on kind of this specialized container technology well flexible is actually built off of virtual machines it lets me use things like the b series so it can be burstable i can stop and start them it supports availability zones i can optionally had added high availability options so it has kind of an ongoing replica for an automated failover so really adds a lot of great capability there so now for my sql ga not postgresql yet azure backup it now has some metrics and metric alerts and metrics around backup successes metrics around backup failures and then obviously i can trigger alerts off of those by the standard kind of action groups we have with alerting but this multi-user authorization is super interesting this is really powerful if we think about ransomware hey we have backups well the bad actor comes in and stops our backup or deletes our backups so what we can now do with this is we create the concept of a resource guard now that resource 
guard can live somewhere else and it's going to have a completely different people who actually have rights over that resource guard so under no circumstance would my backup admins also own the resource guard but i'll create this resource card object um completely isolated different subscription it can even be a different tenant from where my backups are i'll give the backup admins read access to that resource guard and in the resource guard we can actually see this in the resource guide i can configure to what types of actions it will actually apply to so if i go in here super quickly and if i search for resource guard notice it's in preview so i could go and create a resource card and after i create that resource guard i can go and specify different things about exact actions it would apply to but once i've actually gone ahead and created it if i go and look at my recovery services vaults if i just pick one of these if i go to the properties if i could see it we actually have this option now of multi-user authorization and we can then link it to i don't have any but i could say hey i want to protect your resource guard and specify it so now what would happen if someone some bad actor came in and they managed to get a backup admins credential they couldn't stop the backup they couldn't delete the backup because they're protected by the resource guard to actually perform those types of operations i would have to get contributor rights to the resource guard so i might use privileged identity management but the owner of the resource guard would have to grant me that and then revoke it after i've done that action so it's the ability now to really protect my backups from some bad actor who compromises the backup admin but again it's completely useless if you make your backup admins own the resource guard should be a separate set of people put it in a separate subscription and have a good process to actually grant that only when those different types of actions actually 
have to be performed miscellaneous so azure monitor action groups remember an action group is the thing i can call to some kind of event that happens a web hook an azure function a logic app email sms whatever well now i can also talk to event hub so pub sub other things might use that azure monitor now has a log analytics workspace data export in the portal so if we think about the whole point of that data export i can get this continuous data export a table level so there's no filtering it's just going to send everything and i can send that hourly to a storage account or near real time to an event hub well now through the portal i can actually see those different rules and gives me insight i can create edit whatever i want to do log analytics workspace insights went generally available so this is kind of insight into my insights so if i look for example at one of my log analytics workspaces just quickly kind of look at this so let's look at my workspaces so if i just pick i think easter s would be a good one if i scroll down i get my insights and what i get for the insights is you can see well great information about the workspace the volume ingestion over time what's actually happening who's using it and the different types of health the agents that it's talking to i apologize for my dog all of this kind of great information is now just available to me so that's there and available and that's ga open id connect azure ad and github action is in preview so before github actions is all about kind of hey i'm doing some things could be part of a pipeline but i can really trigger off many many things beyond just some commit action well if it wants to go and perform actions against azure resource manager i create things or modify things in azure before i'd actually have to have an azure credential stored as a secret in my github what this actually now lets me do is using the open id connect i can actually as the github i can create an azure ad app registration that 
represents the github actions and i don't have to store any credential so it gets rid of that secret i have to store in github but now i can go and integrate with azure resources through my github actions and azure automation manage identity went ga so about azure automation i can run powershell runbooks python we used to have the whole idea of these kind of run as accounts well now i can use managed identities if it's a cloud run book cloud job i can use both system assigned and user assigned if it's kind of a hybrid then i can only use a system assign managed identity but now within those run books i can say hey give me the identity and it can use that to go and talk to other things also powershell 7.1 latest and greatest is in preview for those runbooks um azure security center and azure defender have now been renamed microsoft defender for cloud there's a whole bunch of i think renames around this but now you'll kind of see that defender for the cloud and one of the big things they announced was this native aws support so now that whole cloud posture security management extends to aws i don't need agents it's going to use the aws native api to go and communicate there's like 160 out of the box recommendations across is and paths and different regulatory standards for aws so that will actually give me recommendations on that aws environment and things like the aws eks the aks equivalent um defender for servers i get all of those kind of capabilities available as well azure virtual desktop auto scale is in preview i definitely have talked about this in previous weeks but basically i can create this concept of a scaling plan the scaling plan consists of one or more schedules so different days of the week times i can have kind of a an off peak a ramp up peak ramp down behavior am i deploying things kind of brett fill them up or i want to kind of maximize usage of individual hosts i can set all of those different schedules as part of the scaling plan then link the 
scaling plan to a host group so that host pool will then get those schedules and apply them so again i can optimize my kind of resource spend for windows 365 remember that's that additional offerings just give me a cloud pc there's kind of the business for smaller environments and enterprises a whole video about this so the web client got enhanced faster load times higher performance i can bookmark cloud pcs local resource settings edit a whole bunch of different things enterprise now has native azure ad join so initially it had to be able to integrate virtual network and it had to be able to talk to domain controllers now i can just do azure id i don't require the virtual network i don't require domain controls i don't require kind of that azure stuff business had some updates as well um i can be a user a standard user or a local admin i can be windows 10 i can be windows 11 i can purchase and assign licenses and provision them all from kind of an end user portal and then obviously when i do use windows 11 i get all the windows 11 enhanced security the virtual tpm the secure boot the uefi there's a bunch of windows 11 marketplace images so all of that is there and there's a huge azure ad blog it's linked below i i cannot cover it all but the big thing was about resiliency so azure ad obviously they increased their sla to four nines they have this whole cell based architecture so azure id is now made up of 107 cells even the biggest cell only accounts for less than two percent of all azure ad traffic so with some failure it should only impact a very small amount of azure ad so that cell is rolled out it's there also backup authentication is being expanded so think of backup authentication as kind of the generate a backup generator for azure ad separate infrastructure it basically has stored some long-lived tokens so if azure id is down it can give out these long live tokens that it pre-caches by talking to azure id periodically and it was really based around 
sharepoint and exchange but they're extending it to things like webex so it's going to be able to use that backup authentication there were new conditional access features like device filters so i could target particular devices there were app filters so instead of having to specify apps in my rules i could tag an application and then if it has this tag apply these particular conditional access policies workload identities so i can actually now have conditional access for particular applications continual access evaluation continues to evolve that ability to not just pay a token's good for an hour there's nothing i can do i could actually say hey i want to register so if the user is d provisioned if their password changes tell me and i'll stop allowing that token if the user location changes hey i can kind of check in and know and not respect that token anymore so ability to make what it lets me do longer term is have longer-lived tokens so i have to talk to azure ad less normally but still react to things if they happen there were new identity protection checks things like hey token theft and non anomalous tokens and session cookies and i can export all those risk things by diagnostic settings and there are a whole bunch of other token changes and samoa supports and kind of checked the blogger article about that but that was it i know a lot of stuff uh trying to cover it kind of briefly as i can but still kind of make it useful what it's there for huge amount of work does go into kind of preparing these so please please um like and subscribe that's appreciated from me hope to see you at the ask me anything and until next time take care you
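The video says the OpenID Connect integration lets a GitHub Actions workflow reach Azure Resource Manager with no Azure credential stored as a GitHub secret. The following is an added example, not code from the video, GitHub or Microsoft: it models the trust decision Azure AD makes when a workflow presents a GitHub-issued OIDC token to an app registration that carries federated identity credentials. The exact-match rule, the fixed clock, the org and repo names (`contoso/infra`, `mallory/infra`) and every token payload are my assumptions and constructed samples; JWT signature verification against GitHub's JWKS is assumed to have already happened.

```python
"""Added example (not from the video, GitHub or Microsoft): a model of the trust
check behind "OpenID Connect with Azure AD and GitHub Actions".

A federated identity credential (FIC) on an Azure AD app registration pins an
issuer, a subject and an audience. At run time the workflow asks GitHub for a
short-lived OIDC token and presents it to Azure AD, which compares the token's
iss/sub/aud claims with the app's FICs before issuing an Azure access token, so
no long-lived credential is stored in GitHub. Assumed here, as my model rather
than Azure AD's code: exact string comparison of each claim, and JWT signature
verification against GitHub's JWKS already done. All token payloads below are
constructed samples, and the org/repo names are made up.
"""
import json
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
AZURE_AUDIENCE = "api://AzureADTokenExchange"  # audience the azure/login action requests


@dataclass(frozen=True)
class FederatedCredential:
    name: str
    subject: str
    issuer: str = GITHUB_ISSUER
    audiences: Tuple[str, ...] = (AZURE_AUDIENCE,)


def fic_for_branch(org: str, repo: str, branch: str, name: str) -> FederatedCredential:
    """Trust only runs on one branch: sub = repo:<org>/<repo>:ref:refs/heads/<branch>."""
    return FederatedCredential(name, f"repo:{org}/{repo}:ref:refs/heads/{branch}")


def fic_for_environment(org: str, repo: str, environment: str, name: str) -> FederatedCredential:
    """Trust only jobs bound to a GitHub environment: sub = repo:<org>/<repo>:environment:<env>."""
    return FederatedCredential(name, f"repo:{org}/{repo}:environment:{environment}")


def fic_parameters_json(fic: FederatedCredential) -> str:
    """JSON body for the app's federatedIdentityCredentials resource
    (the shape `az ad app federated-credential create --parameters` consumes)."""
    body = {"name": fic.name, "issuer": fic.issuer, "subject": fic.subject,
            "audiences": list(fic.audiences)}
    return json.dumps(body, indent=2)


def token_matches(fic: FederatedCredential, claims: Dict, now: int) -> Tuple[bool, str]:
    """Exact-match evaluation of one FIC against a decoded token payload."""
    if claims.get("iss") != fic.issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if not any(a in fic.audiences for a in auds):
        return False, "audience mismatch"
    if claims.get("sub") != fic.subject:
        return False, f"subject {claims.get('sub')!r} is not trusted"
    if int(claims.get("exp", 0)) <= now:
        return False, "token expired"
    return True, "ok"


def authorize(fics: Iterable[FederatedCredential], claims: Dict, now: int) -> Optional[str]:
    """Name of the first FIC that accepts the token, or None. An app can carry
    several FICs (one per branch or environment); any single match is enough."""
    for fic in fics:
        ok, _ = token_matches(fic, claims, now)
        if ok:
            return fic.name
    return None


# One app registration for the made-up contoso/infra repo: trusts main and the prod environment.
FICS = (fic_for_branch("contoso", "infra", "main", "infra-main"),
        fic_for_environment("contoso", "infra", "production", "infra-prod"))

NOW = 1_700_000_000  # fixed clock so the sample is reproducible


def sample_token(sub: str, exp: int = NOW + 300, aud: str = AZURE_AUDIENCE) -> Dict:
    """Constructed GitHub OIDC payload carrying only the claims the check uses."""
    return {"iss": GITHUB_ISSUER, "aud": aud, "sub": sub, "exp": exp,
            "repository": sub.split(":")[1]}


TOKEN_MAIN = sample_token("repo:contoso/infra:ref:refs/heads/main")
TOKEN_PROD = sample_token("repo:contoso/infra:environment:production")
TOKEN_PR = sample_token("repo:contoso/infra:pull_request")            # PR run: not trusted
TOKEN_FORK = sample_token("repo:mallory/infra:ref:refs/heads/main")   # same branch name, other repo
TOKEN_STALE = sample_token("repo:contoso/infra:ref:refs/heads/main", exp=NOW - 1)

if __name__ == "__main__":
    print(fic_parameters_json(FICS[0]))
    for label, tok in [("main", TOKEN_MAIN), ("prod", TOKEN_PROD), ("pr", TOKEN_PR),
                       ("fork", TOKEN_FORK), ("stale", TOKEN_STALE)]:
        print(f"{label:5} -> {authorize(FICS, tok, NOW)}")
```

The point of the subject match is that the trust is scoped to a repository and branch or environment, not to "anything GitHub signs": a pull request run, or the same branch name in another repository, is rejected even though the issuer and audience are right. On the workflow side, as I recall the `azure/login` action's documentation, the job needs `permissions: id-token: write` and passes `client-id`, `tenant-id` and `subscription-id` inputs instead of a `creds` secret.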
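The Virtual Network Manager passage above describes admin rules as a filter applied before the local NSGs: a Deny at the admin layer stops the flow, while an Allow at the admin layer still leaves the NSG free to block it. The block below is an added example, not code from the video or Microsoft, that models that two-layer evaluation so the ordering can be checked on sample flows. Priority ordering, first-match-wins, default-deny when no NSG rule matches, and the protocol sets per layer are my assumptions rather than documented Azure semantics; the rules, addresses and flows are constructed samples.

```python
"""Added example (not from the video or Microsoft): a model of the two-layer
evaluation the video describes for Azure Virtual Network Manager admin rules
in front of ordinary network security groups (NSGs).

Assumptions, mine rather than documented Azure semantics: within each layer the
matching rule with the lowest priority number wins; an admin-layer Deny ends
evaluation; an admin-layer Allow (or no admin match) hands the flow to the NSG,
whose own verdict stands; a flow no NSG rule matches is denied. As the video
notes, admin rules can name ESP/AH, which NSG rules cannot. All rules and flows
below are constructed samples.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional, Tuple

NSG_PROTOCOLS = {"TCP", "UDP", "ICMP", "Any"}
ADMIN_PROTOCOLS = NSG_PROTOCOLS | {"ESP", "AH"}


@dataclass(frozen=True)
class Rule:
    priority: int
    action: str                               # "Allow" or "Deny"
    protocol: str
    src: str                                  # CIDR
    dst: str                                  # CIDR
    dst_ports: Tuple[int, int] = (0, 65535)   # inclusive range; ignored for port-less flows
    direction: str = "Outbound"


@dataclass(frozen=True)
class Flow:
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: Optional[int] = None            # None for ICMP/ESP/AH
    direction: str = "Outbound"


def validate(rules: Iterable[Rule], allowed: set, layer: str) -> None:
    """Reject rules a layer cannot express (e.g. an ESP rule in an NSG)."""
    for r in rules:
        if r.protocol not in allowed:
            raise ValueError(f"{layer} rules cannot match protocol {r.protocol}")
        if r.action not in ("Allow", "Deny"):
            raise ValueError(f"unknown action {r.action}")


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """5-tuple match: direction, protocol, source and destination prefix, destination port."""
    if rule.direction != flow.direction:
        return False
    if rule.protocol != "Any" and rule.protocol != flow.protocol:
        return False
    if ip_address(flow.src_ip) not in ip_network(rule.src):
        return False
    if ip_address(flow.dst_ip) not in ip_network(rule.dst):
        return False
    if flow.dst_port is not None:
        lo, hi = rule.dst_ports
        if not lo <= flow.dst_port <= hi:
            return False
    return True


def first_match(rules: Iterable[Rule], flow: Flow) -> Optional[Rule]:
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, flow):
            return rule
    return None


def evaluate(admin_rules, nsg_rules, flow: Flow) -> Tuple[str, str]:
    """Return (verdict, the layer and rule that decided it)."""
    validate(admin_rules, ADMIN_PROTOCOLS, "admin")
    validate(nsg_rules, NSG_PROTOCOLS, "NSG")
    admin = first_match(admin_rules, flow)
    if admin is not None and admin.action == "Deny":
        return "Deny", f"admin rule {admin.priority}"      # central deny: NSG never consulted
    nsg = first_match(nsg_rules, flow)
    if nsg is None:
        return "Deny", "no NSG rule matched"
    return nsg.action, f"NSG rule {nsg.priority}"          # admin Allow does not override NSG


# Constructed sample policy. Centrally: allow TCP and ESP inside 10.0.0.0/8, block
# port 80 to anywhere (the video's "don't allow port 80 out to the internet").
# Locally: the subnet NSG permits only HTTP inside the estate, then denies all.
ADMIN = [
    Rule(100, "Allow", "TCP", "10.0.0.0/8", "10.0.0.0/8"),
    Rule(150, "Allow", "ESP", "10.0.0.0/8", "10.0.0.0/8"),   # only the admin layer can say ESP
    Rule(200, "Deny", "TCP", "0.0.0.0/0", "0.0.0.0/0", (80, 80)),
]
NSG = [
    Rule(100, "Allow", "TCP", "10.0.0.0/8", "10.0.0.0/8", (80, 80)),
    Rule(4096, "Deny", "Any", "0.0.0.0/0", "0.0.0.0/0"),
]

if __name__ == "__main__":
    for f in (Flow("TCP", "10.0.0.4", "203.0.113.10", 80),
              Flow("TCP", "10.0.0.4", "10.1.2.3", 80),
              Flow("TCP", "10.0.0.4", "10.1.2.3", 22),
              Flow("ESP", "10.0.0.4", "10.1.2.3")):
        print(f, "->", evaluate(ADMIN, NSG, f))
```

The ESP flow is the instructive case: the central layer allows it, but because an admin Allow is only a pass-through, the local NSG's catch-all deny still wins, which is the "filter first, then the NSG's own filter" behaviour the video describes. Whoever owns the NSG must therefore still open the port locally; central policy can only take away, never grant.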
Info
Channel: John Savill's Technical Training
Views: 9,191
Keywords: azure, azure cloud, microsoft azure, microsoft, cloud, new features, what's new, updates, ignite
Id: U9mJUyOihUc
Length: 63min 44sec (3824 seconds)
Published: Sun Nov 07 2021