Microsoft Azure went hog wild last week with releases of interest to .NET developers, so let’s get right to it!
Web application firewall in preview
One of the limitations of Azure App Services has been firewalling; that is, being strict about who can access an App Service and defending it from common exploits.
True, there are plenty of add-ons out there and other means of defense; for example, I could spin up a virtual machine, install a firewall there, and route all traffic to my App Service through that.
But that’s expensive, wonky and creates the kind of bottleneck that App Services are supposed to surmount.
So it’s a welcome development to see the Application Gateway service, which provides many of the features necessary for a truly scalable application — such as load balancing, session affinity and URL routing — add in a new firewall feature, which is in preview.
The firewall is designed to identify and protect against common attacks such as SQL injection, cross site scripting, remote file inclusion, DDoS, HTTP forgeries and exploit scanners / bots. You can choose to have the firewall merely monitor and alert, or actively block.
You can bet I’ll be rolling this out ASAP to my Web Apps.
Storage blob encryption
Black-box encryption of page (i.e., VHD) and block (i.e., regular file) blob storage is generally available in all regions.
And using a Key Vault generally requires an Azure Active Directory application, which is the identity used to authenticate for access to that Key Vault. That means if you don’t have an Azure AD tenant, you’ll need to create one.
These encryption options are a black box in the sense that you do not need to generate, store, validate or expire the actual keys; Azure automagically handles the behind-the-curtain stuff. You do need to manage secrets, however.
Further, the team working on these issues has taken a “we’ll fix it in the next sprint” approach (vs. issuing hotfixes), but the last sprint came out in June … so you’re probably going to have to stick with version 4.3 for a while.
I’m not certain these issues extend to working with Storage encryption, but I bet they do, so it’s something to keep in mind.
Service Fabric availability
I’m still of the mind that Microsoft may be too late to the container business, especially in the Linux space.
That said, Azure’s reliability has proven Service Fabric as a tough-as-nails containerization stack. While I don’t have enough experience to speak authoritatively about Docker / VMWare / Service Fabric pros and cons, it’s clear to me a strong case can be made for Service Fabric.
DocumentDB SDK improvements
Microsoft has released version 1.10.0 of the DocumentDB SDK.
Germany regions generally available
These two new regions follow on the heels of UK South (London) and UK West (Cardiff) and are a bit more fleshed out than those UK regions, with G-series VMs, Service Fabric, Notification Hubs, Machine Learning and Stretch Database all on hand.
This brings to six the number of European Azure regions. Microsoft is planning rollouts of two new DoD regions in the US and a second datacenter in Korea. The Korea Central (Seoul) datacenter is not generally available.
Azure DNS service
A quick look at the documentation suggests the zone and record management tools are OK, and there’s CLI and PowerShell support.
Unfortunately, Microsoft still wants no part of the DNS registrar business, which is an argument against using their DNS; so, too, is the fact that some services, such as CloudFlare, require authoritative access.
But if you’re able to use any DNS service you please, Azure DNS sure looks like a great choice.
Virtual networking peering
This greatly expands the flexibility of both pure-cloud and hybrid solutions, especially if you’re using a VPN to connect on-prem to Azure.
However, while you can chain many vnets together through peering, it’s important to note that peering is A/B only. In other words, if I have vnet A peered to vnet B, and vnet B peered to vnet C, that doesn’t mean vnet A and vnet C are peered.
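As an added illustration of that non-transitivity (example code written for this post, not Microsoft's; the vnet names are made up), the model below treats each peering as a direct A/B link and lists the pairs that a chain of peerings might make you assume are connected but that Azure will not actually route between:

```python
from collections import deque
from itertools import combinations

# Constructed sample topology (vnet names are assumptions, not from the post):
# vnet-b is peered with vnet-a and with vnet-c; vnet-a and vnet-c are not peered.
VNETS = ["vnet-a", "vnet-b", "vnet-c"]
PEERINGS = {frozenset({"vnet-a", "vnet-b"}), frozenset({"vnet-b", "vnet-c"})}


def can_route(peerings, src, dst):
    """Traffic flows only over a direct A/B peering; Azure never forwards
    peered traffic through an intermediate vnet."""
    return src != dst and frozenset({src, dst}) in peerings


def chained(peerings, src, dst):
    """True if some chain of peerings links src to dst. This is what a
    whiteboard diagram suggests, not what Azure will route (see can_route)."""
    seen, queue = {src}, deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            return True
        for link in peerings:
            if cur in link:
                (nxt,) = link - {cur}
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return False


def false_assumptions(vnets, peerings):
    """Pairs that are chained but not directly peered: exactly the A/C case
    in the post. Each such pair needs its own peering before it can talk."""
    return sorted((a, b) for a, b in combinations(sorted(vnets), 2)
                  if chained(peerings, a, b) and not can_route(peerings, a, b))


if __name__ == "__main__":
    for pair in false_assumptions(VNETS, PEERINGS):
        print("chained but NOT routable, add a peering:", pair)
```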
Odds and ends
- There have been a number of improvements to Azure Security Center. In addition to the previously noted Web App firewall, additional intrusion detection features have been added, and metrics have been tuned to help you spot incidents.
- IPv6 addressing for virtual machines is generally available, except for Australia East, Australia Southeast, UK West, UK South, Germany Central, Germany Northeast, US Government Central, US Government East, China North and China East.
- Accelerated networking is in public preview for West Central US and West Europe. This feature, targeted toward high-performance computing / big data, Windows Server 2016 and SQL Server VMs, basically allows Azure to directly forward network traffic to a VM, where policies are applied by hardware. This bypasses all the software-managed network rules that are normally enforced in an Azure vnet, so traffic goes a lot faster.
- Premium Storage-based VMs (i.e., SSD VHDs) are generally available in all regions.
- A new class of high-performance VMs, the H series, has been rolled out to South Central US. Microsoft says these are “for high-end computational needs, like molecular modeling and computational fluid dynamics”, and available only through a support ticket. Pricing runs about $2,400 per month for a mid-range VM in this tier.
- North Central US now has Premium (SSD-based) blob Storage.
- There’s a new release of the Service Fabric SDK that includes metrics improvements as well as environment management upgrades.
- If you use Microsoft Operations Management Suite to control a hybrid environment, you can now orchestrate updates through a new Update Management tool.
- Large instances of SAP HANA are now supported. SAP HANA is basically an in-memory relational database solution.