New and Improved Services in Microsoft Azure

Your transition to Microsoft Azure will be easier with added and improved services announced at Ignite 2018.

Over the last few months I've looked at running virtual machines (VMs) in Microsoft Azure (July 2018, August 2018, September 2018) and how to use Azure in other ways than just a virtualization host, through Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS) services. With Microsoft's recent Ignite conference wrapping a few weeks ago I thought it would be useful to look at new and improved services that were released that could help with your transition to Azure.

I'll put these in a few buckets: Security, Data, IoT & Edge Computing, AI, and Compute & Networking.

Security
I briefly mentioned Azure Security Center in my August 2018 article, but a lot of work has gone into it recently. Office 365 -- and more recently Microsoft 365 -- has had the concept of a Secure Score, which gamifies security. It looks at all the available security settings for a tenant and which ones are enabled and then gives you a score that you can compare to other tenants of the same size in the same industry (that's the gamification -- my score is higher than yours!). And it offers links and explanations for each security control and tracks your score over time, so you can see how the overall security posture of your tenant is improving.

The same concept is now being ported to Azure, where its Secure Score gives you points (along with many other controls) for installing the monitoring agent in VMs, applying Just-In-Time network access, using disk encryption, limiting access to Storage accounts, keeping your systems patched, using the Web Application Firewall (WAF), installing endpoint protection in VMs and enabling auditing for your SQL databases. Your score is divided among Compute & Apps, Networking, Data & Storage, and Identity & Access.

There's also a new network topology map that shows issues and traces NSG rules and their impact on communication (see Figure 1). For those of you who have to operate under regulations, a new dashboard shows you recommendations for how to be compliant with CIS, PCI, SOC and ISO. The security state of VMs running Docker containers, along with other Linux VMs, can now be tracked. For those who are moving to Windows Defender Advanced Threat Protection (WDATP -- say that fast three times), Azure Security Center will centralize Server Endpoint Detection and Response (EDR). There are many other enhancements in Azure Security Center.

Figure 1. Azure Security Center Network Map (Source: Microsoft).

Last year at Ignite Mark Russinovich, CTO of Azure, spoke about Azure confidential computing, but this year it was released in public preview. This allows you to run your code in special enclaves (called Trusted Execution Environments, or TEE), based on Intel's SGX technology, which ensures that your data is protected, not only at rest and in transit but also when it's being processed. Early use cases are Confidential Consortium Blockchain Frameworks where the parties don't necessarily trust each other, but they trust the code running in the cloud because it can be attested to be unaltered.

Data
SQL Managed Instances, essentially SQL Servers that Microsoft manages and maintains (and patches) for you, are now Generally Available. If, on the other hand, you have really big SQL databases (up to 100TB) that you want to migrate to the cloud but the Azure SQL Database limit of 1TB to 4TB didn't quite cut it, the new Azure SQL Database Hyperscale (currently in preview) could be just the ticket. Backups and restores are lightning fast, even for huge datasets, because they're based on snapshots -- also, scaling both out and up is easy.

Cosmos DB now offers multi-master support (you can write to multiple locations of the database on the planet, not just read from them) and adds Cassandra API (in addition to the SQL/Document DB, Gremlin and MongoDB APIs already available). You can also save money with the Reserved Capacity feature.

Moving your bytes to Azure is now easier, with Azure Data Box (a 50-pound device with 100TB of storage) generally available. This appliance is shipped to you; you plug it into your datacenter, copy all the data you need in Azure to it and ship it back. If that's not big enough, maybe Azure Data Box Heavy at 1PB (preview) will work for you. On the other hand, if you need something smaller, Azure Data Box Disk (preview) scales from 8TB to 40TB. If you have the pipe you can use the Azure Data Box Gateway (preview) virtual appliance on Hyper-V or VMware to shift your data to the cloud. Finally, also in preview, is a physical appliance called Azure Data Box Edge that uses AI to analyze, transform and process on-premises data before moving it to Azure. You can check out the entire Data Box family.

IoT & Edge Computing
Early adopters of IoT have had to build their own implementation of Digital Twins -- where physical devices, locations, people or buildings are represented by digital replicas for modeling and management. A practical example could be where a conference room is aware that someone has just started a presentation through the projector and thus dims the lights in the room. Azure now offers Digital Twins to help organizations build their models.

Edge computing, where some processing of data happens on the devices or in the location before the data is sent to the cloud, is also growing with third-party solutions, as well as Azure Blob Storage on the Edge.

And Azure Sphere, Microsoft's Linux-based microcontroller, is now publicly available -- get your development kit here.

Artificial Intelligence
Cortana (having largely failed in the consumer space) is now a platform for enterprises to build their custom skills/bots and agents on.

Perhaps the reveal at Ignite that didn't receive the recognition it deserves is Microsoft Search. A unified Search experience across Windows, Office.com, Office apps, SharePoint, OneDrive and third-party ecosystems surfaces relevant, personalized results. If this works as Microsoft promises I think it'll be a huge productivity win.

Compute & Networking
Standard SSD Managed Disks (same IOPS and throughput as HDDs but more even performance) became generally available, managed disks are larger (8TB, 16TB and 32TB), Serial Console is generally available and there are new N series VMs with newer Nvidia GPUs.

A select number of Azure VM sizes can now use the new Ultra SSD option (preview), which scales up to 2GB/s throughput and 160,000 IOPS with sub-millisecond latency. It starts at 4GB in size and goes all the way up to 64TB. And that's for a single disk -- the big difference with today's Premium SSD-based storage is that to get very high IOPS and throughput figures you must create many Premium disks and then stripe them together, which adds management overhead. With Ultra SSD you pay based on the provisioned disk size, provisioned IOPS and provisioned throughput, giving you a more predictable bill at the end of the month. You can also change the values on the fly, so if you know you have a busy time coming up for a few days you can provision more performance for the disk (without rebooting your VM) and then dial it down afterward. Typical use cases for Ultra SSD will be large databases, SAP Hana and other transaction-intensive workloads. And, yes, if you're curious, both Premium and Ultra SSD are based on NVMe storage.

Figure 2. Disk IOPS on one Ultra SSD (Source: Microsoft).

The first part of the performance monitor chart in Figure 2 shows SQL Server being tested with HammerDB on 16 1TB Premium disks striped together and connected to a VM; the second part shows exactly the same workload on a single 1TB Ultra SSD disk, in this case reaching just under 75,000 IOPS.

Virtual WAN also became generally available -- it's a way to use Microsoft's worldwide network as a WAN backbone, along with Azure Firewall, a platform service for full firewall protection. If you really need a fast connection to Azure, ExpressRoute now comes in a Direct flavor, offering 100 Gbps connectivity.

Back in April I looked at Azure Stack -- it's now been expanded from 12 to 16 nodes and blockchain, Kubernetes, as well as Event Hubs can be run (in preview) on it.

There were many more announcements at Ignite but this article covers the important Azure-related ones.

About the Author

Paul Schnackenburg has been working in IT for nearly 30 years and has been teaching for over 20 years. He runs Expert IT Solutions, an IT consultancy in Australia. Paul focuses on cloud technologies such as Azure and Microsoft 365 and how to secure IT, whether in the cloud or on-premises. He's a frequent speaker at conferences and writes for several sites, including virtualizationreview.com. Find him at @paulschnack on Twitter or on his blog at TellITasITis.com.au.
