
Azure.Source – Volume 60

Simplifying security for serverless and web apps with Azure Functions and App Service, Announcing Azure Dedicated HSM availability, Customers are using Azure Stack to unlock new hybrid cloud innovation, and so much more.

Now in preview

Simplifying security for serverless and web apps with Azure Functions and App Service

New security features for Azure App Service and Azure Functions reduce the amount of code you need to write to work with identities and to manage secrets. Key Vault references for Application Settings, user-assigned managed identities, and managed identities for App Service on Linux/Web App for Containers are available in public preview. In addition, ClaimsPrincipal binding data for Azure Functions and support for Access-Control-Allow-Credentials in CORS configuration are now available. We're also continuing to invest in Azure Security Center as the primary hub for security across your Azure resources, as it offers a fantastic way to catch and resolve configuration vulnerabilities, limit your exposure to threats, and detect attacks so you can respond to them.

Screenshot of Key Vault references for Application Settings (now in public preview)

Python package (PyPI) support for Azure Artifacts now in preview

Python package functionality within Azure Artifacts for publishing and consuming Python packages using Azure DevOps Services is currently in public preview. Now you can create one or more feeds associated with your project to store your packages; upload Python packages to your feed using twine (flit support is being tested); pull packages from your feed using pip; integrate Python packages into your Azure Pipelines CI/CD using a task that simplifies authentication for you; and include packages from the public index in your feed (Upstreams). A tutorial is available for using Azure Artifacts to consume and publish Python packages using Azure DevOps Services, including assigning licenses and setup.

Also in preview

Get the latest updates: In preview

Now generally available

General availability: Zone-redundant SQL databases and elastic pools in additional regions

Azure SQL Database Premium tier supports multiple redundant replicas for each database that are automatically provisioned in the same datacenter within a region. Zone-redundant SQL single databases and elastic pools are now generally available in two additional regions: West Europe and South-East Asia. The full list of supported regions includes France Central, Central US, West Europe, and South-East Asia. The zone-redundant configuration is available to SQL databases and elastic pools in the Premium and Business Critical service tiers.

News and updates

Announcing Azure Dedicated HSM availability

The Microsoft Azure Dedicated Hardware Security Module (HSM) service provides cryptographic key storage in Azure and meets the most stringent customer security and compliance requirements. This service is the ideal solution for customers requiring FIPS 140-2 Level 3 validated devices with complete and exclusive control of the HSM appliance. The Azure Dedicated HSM service uses SafeNet Luna Network HSM 7 devices from Gemalto. This device offers the highest levels of performance and cryptographic integration options and makes it simple for you to migrate HSM-protected applications to Azure. The Azure Dedicated HSM is leased on a single-tenant basis.

Premium Block Blob Storage – a new level of performance

Premium Block Blob Storage, which is currently in limited public preview, unlocks a new level of performance in public cloud object storage. It uses a combination of solid-state drives in our storage clusters and enhancements to our blob storage software to provide high throughput and very fast response times. This blog post takes a closer look at some of these performance enhancements, such as low and consistent latency that was demonstrated to be up to 40 times better than Standard Blob Storage.

Chart comparing latency between Premium and Standard Blob Storage

SQL Server on Azure Virtual Machines resource provider

This post announces a new Resource Provider called Microsoft.SqlVirtualMachine, a management service running internally on Azure clusters to handle SQL Server-specific configurations and deployments on Azure VMs. The SQL VM resource provider enables dynamic updates of SQL Server metadata and orchestrates the multi-VM deployments required for SQL Server HADR architectures. It also enables SQL Server-specific browse and monitoring experiences. The SQL VM resource provider introduces three new resource types: Microsoft.SqlVirtualMachine/SqlVirtualMachine, Microsoft.SqlVirtualMachine/SqlVirtualMachineGroup, and Microsoft.SqlVirtualMachine/SqlVirtualMachineGroups/AvailabilityGroupListener.

Azure Hybrid Benefit for SQL Server on Azure Virtual Machines

Azure Hybrid Benefit (AHB) for SQL Server allows you to use on-premises licenses to run SQL Server on Azure Virtual Machines. If you have Software Assurance, you can use AHB when deploying a new SQL VM or activate SQL Server AHB for an existing SQL VM with a pay-as-you-go (PAYG) license. Now you can activate SQL Server AHB on an Azure VM with the SQL VM resource provider described in the post above. With the new Microsoft.SqlVirtualMachine resource provider you can manage SQL Server configurations on Azure VMs dynamically. Flexible SQL Server license type configuration is the first feature we are delivering with the SQL VM resource provider, and it enables instant and significant cost savings for SQL VMs.

The Green Team solves high-risk, systemic security issues for Microsoft Azure

The Assume Breach security strategy assumes security breaches will occur instead of focusing solely on preventing breaches. Since 2009, two groups within Microsoft have played complementary roles: the Red Team (attackers) routinely attacks Azure to discover security holes, and the Blue Team (defenders) sets up honeypots and works to detect any attack. The Green Team consists of dedicated resources focusing on remediation and on solving classes of high-risk and systemic security vulnerabilities for the Azure platform. The Green Team works closely with the Red and Blue Teams to understand what high-risk, systemic security issues exist, focusing specifically on those that enable or lead to breaches, and by performing root cause analysis it identifies and addresses these issues at scale. The team continuously implements the latest best practices to help secure the Azure platform and help protect customer data and workloads. Read this post to learn how the Green Team contributes to Microsoft's Assume Breach evolution while striving for Simply Secure.

Additional news and updates

Azure shows

Episode 256 – Living in a Serverless world | The Azure Podcast

Cynthia, Cale and Evan have a stirring discussion on the use-cases for Serverless computing and Azure Functions. They dive into scenarios when it is a good idea to use them and when it is not.

Azure Container Registry Tasks: Build and deploy to Azure App Service | Azure Friday (500th episode!)

Steve Lasker joins Scott Hanselman to talk about Azure Container Registry (ACR) Tasks and how you can build your container images in Azure for the three phases of development: pre-commit, team commits, and post-development for OS & Framework Patching.

Track my Pizza Cat van with Azure IoT solution accelerators | Internet of Things Show

Oh no! Pizza cat is having a hard time knowing if his pizzas are being delivered purr-fectly. Customers have been complaining about cold pizzas being delivered to the wrong houses! Come see how Pizza Cat uses a Remote Monitoring solution to save his Pizza company.

SmartHotel 360, a demo powered by Azure Digital Twins | Internet of Things Show

Here is an example of a smart hotel solution built on Azure Digital Twins. In this episode of the IoT Show, Lyrana Hughes shows how the core spatial intelligence capabilities of Azure Digital Twins power the Smart Hotel 360 demo and shares where you can access the demo content on GitHub so you can start building your own solution.

Introducing the Azure Blockchain Development Kit | Block Talk

In this episode we introduce the Azure Blockchain Development Kit, highlighting new samples that showcase three key themes. Connect: connect users, organizations, and devices to blockchain solutions, highlighting IoT, SMS, and Bots. Integrate: integrate with existing legacy systems and protocols, highlighting legacy (FTP, flat file) and media. Deploy: DevOps for blockchain using Azure DevOps and OSS tools for Truffle, highlighting dev, test, and build pipelines.

Getting started with Key Management Concepts | Block Talk

This video and demonstration provide a look at the core concepts around cryptographic keys and key management, as well as how they apply to blockchain-based technology. The topics covered include the core (asymmetric) key fundamentals used by Ethereum and a demo showing the technical details of how they apply to blockchain.

Azure ML Data Prep GUI, It's Not Just About The Code | AI Show

While lots of people like to do their data prep in code, some tasks are faster and more easily done in a GUI. Even better is a set of capabilities that work together, where you can pick and choose when and how to work in code and when to work in a GUI. This show demonstrates how we make Seth's data prep easier and faster, allowing him to focus his nerdiness on modelling.

How to build a home automation auto-away assist with Azure IoT Hub | Azure Makers Series

Get more out of your home automation setup with Azure IoT Hub and Azure Functions. See how you can let your smart thermostat know when you’re in another room (not truly away) using motion sensors, Particle.io, and Azure.

Thumbnail from How to build a home automation auto-away assist with Azure IoT Hub from the Azure Makers Series on YouTube

How to edit an existing API Connection with Azure Logic Apps | Azure Tips and Tricks

Learn how to modify an existing API Connection with Azure Logic Apps. If you want to edit an existing API connection, all you have to do is simply type “API Connections” and select the “API Connections” menu item to get started.

Thumbnail from How to edit an existing API Connection with Azure Logic Apps from Azure Tips and Tricks on YouTube

Henry Been on Security with DevOps – Episode 012 | The Azure DevOps Podcast

Jeffrey discusses security in DevOps with his guest, Henry Been. Henry offers advice on how to build security into your DevOps practice, makes recommendations on how to be more secure at each stage of the software development lifecycle, highlights possible vulnerabilities that you might want to watch out for, and suggests tools you can use to combat them and improve security in your DevOps environment.

Technical content

Running Cognitive Service containers

Recently, we announced a preview of Docker support for Microsoft Azure Cognitive Services with an initial set of containers ranging from Computer Vision and Face, to Text Analytics. This blog post focuses on trying things out, firing up a Cognitive Service container, and seeing what it can do using Docker Desktop. Later blog posts will explore using Azure Kubernetes Service and Azure Service Fabric.

Considering Azure Functions for a serverless data streaming scenario

An earlier blog post, A fast, serverless, big data pipeline powered by a single Azure Function, discussed a fraud detection solution delivered to a banking customer. This solution required complete processing of a streaming pipeline for telemetry data in real-time using a serverless architecture. This blog post describes the evaluation process and the decision to use Azure Functions, which is easy to configure and within minutes can be set up to consume massive volumes of telemetry data from Azure Event Hubs.

Diagram of the workflow that begins with data streaming into a single instance of Event Hubs, which is then consumed by a single Azure Function

Azure Cosmos DB and multi-tenant systems

Learn how to build a multi-tenant system on Azure Cosmos DB, which itself is a multi-tenant PaaS offering on Microsoft Azure. Building a multi-tenant system on another multi-tenant system can be challenging, but Azure provides us all the tools to make our task easy. A key actor in this solution is an Azure Managed Application, which enables you to offer cloud solutions that are easy for consumers to deploy and operate. In a managed application, the resources are provisioned in a resource group that is managed by the publisher of the app. The resource group is present in the consumer's subscription, but an identity in the publisher's tenant has access to the resource group in the customer subscription. The publisher application, which manages the customer data, is hosted in a different Azure Active Directory tenant and subscription, which is separate from that of the customer’s tenant and data.

Flow chart showing front-end service interaction with the customer subscription resources

Improving Azure Virtual Machine resiliency with predictive ML and live migration

Starting earlier this year, Azure has been using live migration in response to a variety of failure scenarios such as hardware faults, as well as regular fleet operations like rack maintenance and software/BIOS updates. Our initial use of live migration to handle failures gracefully allowed us to reduce the impact of failures on availability by 50 percent. We partnered with Microsoft Research (MSR) on building our ML models that predict failures with a high degree of accuracy before they occur. As a result, we’re able to live migrate workloads off “at-risk” machines before they ever show any signs of failing. Read this post to learn more about how this means VMs running on Azure can be more reliable than the underlying hardware.

Time series analysis in Azure Data Explorer

Azure Data Explorer (ADX) is a lightning-fast service optimized for data exploration. It supplies users with instant visibility into very large raw datasets in near real-time to analyze performance, identify trends and anomalies, and diagnose problems. This blog post describes the basics of time series analysis in Azure Data Explorer, which performs ongoing collection of telemetry data from cloud services or IoT devices. This data can be analyzed for various insights such as monitoring service health, physical production processes, and usage trends. Analysis is done on time series of selected metrics to find deviations in the pattern compared to its typical baseline pattern.

Screenshot of chart showing the Top 2 periodic decreasing web service traffic

Additional technical content

Events

Microsoft Connect(); 2018

Save the date to tune in online tomorrow, Tuesday, December 4, 2018 for Microsoft Connect, a full day of dev-focused delight, including updates on Azure and Visual Studio, keynotes, demos, and real-time coding with experts. Whether you're just getting started or you've been around the blockchain, you'll find your people here. And it all happens online. Get comfortable, and get inspired.

Save the date for Microsoft Connect(); 2018

Join us on November 28 for our next meetup: Adopting Emerging Tech in Government

At the last Microsoft Azure Government DC meetup, we discussed the leading edge of emerging technology in government, including how agencies are approaching strategy, challenges, use cases, and workforce readiness as they leverage emerging tech such as blockchain, artificial intelligence, machine learning, and augmented reality to innovate for their mission. Check out the Microsoft Azure Government DC YouTube channel later this week for on-demand videos of this meetup and past ones.

Customers and partners

Customers are using Azure Stack to unlock new hybrid cloud innovation

We’re seeing high interest and adoption of Azure Stack across a number of industries – manufacturing, financial services, healthcare, and state & local governments. This makes perfect sense, as these industries have some of the most stringent regulatory requirements, often require operations in areas with limited or no internet connectivity, and typically have some legacy applications. This post looks at a few ways our customers in these industries are using Azure Stack today to address these real-world challenges. Customers across many industries are realizing the benefits of a truly consistent hybrid cloud with Azure Stack.

Three reasons why Windows Server and SQL Server customers continue to choose Azure

For the past 25 years, companies of every size have trusted Windows Server and SQL Server to run their business-critical workloads. As more customers use the cloud for innovation and digital transformation, the first step is often migrating existing Windows Server and SQL Server applications and data to the cloud. This post looks at the three main reasons we hear why customers choose to stay with Microsoft when they move to the cloud: Pay less with Azure, Azure delivers unmatched security and compliance, and Azure is the only consistent hybrid cloud.

Using AI and IoT for disaster management

Natural disasters caused by climate change, extreme weather, and aging and poorly designed infrastructure, among other risks, represent a significant risk to human life and communities. National, state, and local governments and organizations are also grappling with how to update disaster management practices to keep up. In this blog post, learn how the Internet of Things (IoT), artificial intelligence (AI), and machine learning can help. Not every crisis is avoidable, but we now have the technology to predict and prevent catastrophes such as oil spills or building collapses. When unpredictable natural disasters do strike, responders can gain access to real-time data that directs aid to where it is needed more quickly, reducing additional loss of life.

Azure This Week – 30 November 2018 | A Cloud Guru

This time on Azure This Week, Lars talks about Azure DevOps on-premises version now in Release Candidate. He also discusses the public preview of simplifying confidential computing in Azure IoT Edge, and gives details on how you can join the online Microsoft Connect(); event tomorrow.

Thumbnail from Azure This Week - 30 November 2018 by A Cloud Guru on YouTube