Another new announcement during Microsoft Ignite (2018) was additional features being added to the DDoS standard tier (the paid tier).
Azure offers two levels of DDoS protection.
DDoS Basic protection built in at no cost.
DDoS standard protection, a paid tier with AI and fine tuning to your environment.
The newly added features to DDoS Standard are DDoS Attack Analytics & DDoS rapid response.
DDoS Attack Analytics provides attack insights that can be used for compliance, security audits and post-attack analysis to optimize defense strategies and security operations.
DDoS rapid response enables customers to engage DDoS experts during an active attack for specialized support.
As part of Attack Analytics, customers will have Attack Mitigation Reports. Once enabled, the logs can be analyzed using Log Analytics or integrated with a SIEM such as Splunk, or with Stream Analytics. While under attack, report data is generated every 5 minutes, and when the attack is over a post-mitigation report is generated covering the entire duration of the DDoS attack.
Both the incremental and post-attack Mitigation Reports include the following fields:
Reason for dropped packets
Top 10 source countries or regions
Top 10 source ASNs
The second feature of Attack Analytics is Attack Mitigation Flow Logs. The flow logs allow you to review dropped traffic and forwarded traffic in near real-time during a DDoS attack. Again this data can be ingested into SIEM systems.
Well it’s that time of the year again – That’s right Microsoft Ignite!
And the Azure announcements are coming out fast and thick.
One of them is the new storage options. The first thing to note is that the existing Standard HDD, Standard SSD and Premium SSD disks are being upgraded to 32TB capacity, the previous limit being 4TB.
As is the norm, the larger SSD disks are also faster, in this case the 32TB disk providing 20,000 IOPS and 750 MB/s of throughput. However, for the first time standard HDD disks are also receiving faster speeds: all previous sizes offered 500 IOPS and 60 MB/s throughput, while the new 32TB HDD offers up to 2000 IOPS and up to 500 MB/s throughput.
Another announcement is a new disk type labeled Ultra SSD. This new disk type offers sub-millisecond latency for your most intensive workloads; disk sizes will go up to 64TB, with a single 64TB disk providing 160,000 IOPS and 20,000 MB/s throughput. You can of course chain disks together for faster speeds via the OS (software RAID, Storage Spaces, etc.).
The last new offering is Azure Premium Files, an upgrade to the existing Azure files now based on premium SSD disks.
Also regarding Azure Files is the new announcement that Azure file shares can now support identity-based access using Azure AD Domain Services, allowing you to have Windows servers joined to Azure AD and use Azure Files with full access control and identity management. You can read the full announcement over here.
In my previous post I wrote about the new Azure Virtual WAN, in this post I’m going to talk about the new Azure Firewall. Also in the time between these posts both services have become GA.
So what is the new Azure Firewall and how does it differ from the existing NSG?
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.
What this means is that unlike 3rd-party marketplace firewalls, there is no requirement to manage infrastructure at any level, including scaling and HA. The firewall is a full service and will scale behind the scenes as required.
Unlike the existing NSG, the firewall is a layer 3 device, meaning that it has a public IP, and this IP can be used for both inbound and outbound NAT, allowing external services to recognize your network based on IP (previously this could be accomplished using a public load balancer).
The second thing achievable with the firewall is FQDN tagging, allowing you to state FQDNs (and not just IPs) in your firewall rules.
All Firewall rules can of course be logged and viewed using either (or both) Azure monitor or Azure Log Analytics.
To wrap up, you can now configure an Azure Firewall to protect multiple VNets (using peering) and centrally manage all inbound/outbound access of all your VNets, including NAT rules.
Microsoft just announced at Ignite two new amazing network/security related features.
Azure Virtual WAN
In this post I’ll focus on the new Virtual WAN.
First off it’s important to note that this service is currently in preview. You actually have to sign up for this preview and during preview there is no SLA offered for the service.
So enough of that, what can we actually achieve with Azure Virtual WAN?
Basically, Virtual WAN is a networking service that allows you to connect your branch offices together via Azure.
As well as branch offices, you can of course also add Azure VNets into the mix.
The idea being that instead of creating dedicated links between all your offices, or delegating your head/HQ office as a hub, you utilize Azure as your hub for networking and routing between all of your offices.
Now why would you do this? Well, to begin with, Azure has over 130 PoPs (points of presence) around the globe, meaning that you'll be connecting to the PoP that is closest to you. Once connected, all your traffic will flow over the Azure global network and terminate at the SD-WAN hub. This will allow you to take advantage of Azure's global network to interconnect all your branch offices and of course your Azure VNets.
To create connectivity you basically just create a site-to-site VPN from your branch office to the closest PoP. Two active tunnels will always be created for redundancy. Once connected, automated spoke setup is configured seamlessly for you, allowing full connectivity between your branch offices while utilizing the Azure global network for fewer routing hops, resulting in lower latency and faster transfer speeds.
So Azure has a few different types of storage offerings, the main one being Blob storage (block-level object storage). Object storage is accessed over HTTPS, making it a cloud-friendly protocol and by far the preferred method for storing files in the cloud. While you can use CIFS storage in Azure, AKA Azure File Share, you're better off using blob storage, which is also by far the cheapest option.
In Azure blob storage is broken down into three tiers: Hot, Cool & Archive.
There are also three replication options: RA-GRS, GRS and LRS.
LRS guarantees that Microsoft will store 3 copies of your data in a single datacenter. GRS adds an additional 3 copies in a 2nd datacenter in a paired region, and RA-GRS makes that second copy readable.
LRS comes with a 12 9's data redundancy guarantee, while GRS & RA-GRS have a 16 9's data redundancy guarantee.
Hot is aimed at production use. It offers a 99.9% SLA for LRS and 99.99% for RA-GRS.
Prices for Hot storage start at $18.85 per TB for LRS.
Cool is aimed at backup & archive use and offers a 99% SLA for LRS and 99.9% for RA-GRS.
Prices for Cool Storage start at $10.24 per TB for LRS.
Cool also has a data retrieval fee of $10.24 per TB that is free in the hot tier.
There are also write, list & read costs associated with both hot & cool, which cost slightly more on the cool tier. So don't try and use the cool tier for production data, as you may end up paying more.
Finally, there is the fairly new Archive storage. This is priced at an extremely low $2.048 per TB. The main catch is that the data is inaccessible, so when you want to access your archived data you need to convert it to either Cool or Hot first; the conversion can take up to 15 hours.
Converting between tiers is simple and can be performed using the Azure portal, PowerShell or the Azure CLI.
In the GUI, you simply select your blob (file) and choose the desired tier.
For full pricing details please see the Azure blob storage pricing site over here.
Microsoft just announced General Purpose Storage v2.
Until now we had general purpose storage that supported all of: Blobs (page & block), File Share, Queue & Table storage.
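The "you may end up paying more" point above can be checked with the per-TB prices quoted in this post. The following is an added example, not Microsoft's pricing tool: it counts only the LRS storage and cool-tier retrieval figures given here, and leaves out the per-operation write/list/read charges (which the post says are slightly higher on cool), so the real break-even is a little lower than what it computes.

```python
"""Hot-vs-cool blob cost comparison using the per-TB prices quoted above."""

HOT_PER_TB = 18.85            # $/TB/month, hot tier, LRS (from the post)
COOL_PER_TB = 10.24           # $/TB/month, cool tier, LRS (from the post)
COOL_RETRIEVAL_PER_TB = 10.24  # $/TB read back from cool; free on hot (from the post)


def monthly_cost(tier, tb_stored, tb_retrieved):
    """Storage plus retrieval cost for one month in the given tier.

    Per-operation charges are deliberately not modelled (not on the page).
    """
    if tier == "hot":
        return HOT_PER_TB * tb_stored
    if tier == "cool":
        return COOL_PER_TB * tb_stored + COOL_RETRIEVAL_PER_TB * tb_retrieved
    raise ValueError(f"unknown tier: {tier}")


def breakeven_retrieval_fraction():
    """Fraction of stored data read back per month at which cool stops being cheaper.

    Solve COOL_PER_TB*S + COOL_RETRIEVAL_PER_TB*R = HOT_PER_TB*S for R/S.
    """
    return (HOT_PER_TB - COOL_PER_TB) / COOL_RETRIEVAL_PER_TB


def cheaper_tier(tb_stored, tb_retrieved):
    """Return which tier is cheaper for this month's storage/retrieval mix."""
    hot = monthly_cost("hot", tb_stored, tb_retrieved)
    cool = monthly_cost("cool", tb_stored, tb_retrieved)
    return "cool" if cool < hot else "hot"


if __name__ == "__main__":
    stored = 10.0  # constructed scenario: 10 TB stored
    print(f"break-even: read back {breakeven_retrieval_fraction():.0%} of data/month")
    for fraction in (0.0, 0.5, 1.0):
        read = stored * fraction
        print(f"read {fraction:.0%}: hot ${monthly_cost('hot', stored, read):.2f}, "
              f"cool ${monthly_cost('cool', stored, read):.2f} -> {cheaper_tier(stored, read)}")
```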
We also had Blob storage that supported only, you guessed it, blobs.
So why not just use the general purpose account? Well, two reasons. The general purpose account didn't support cool blobs or Archive (lower tiers for backups, archives, etc.).
Also, the use of blob storage via the general purpose account was slightly more expensive per GB, though write operations were cheaper, basically making it a mathematical nightmare to choose between the general purpose and blob storage account types.
The new GPv2 supports all storage types, similar to GPv1. However, it also supports hot, cool and archive blobs. So basically all of the features of both of the previous storage account types are supported under the new GPv2. Pricing per GB for blob is the same as with the blob storage account (cheaper than GPv1); however, write operations are charged at the higher rates that were charged for GPv1.
All newly created storage accounts now default to GPv2, and Microsoft is recommending creating all new storage accounts as GPv2 and converting existing storage accounts to GPv2.
The conversion process is very simple: click on the existing storage account, click on Configuration and you will see a button labeled "Upgrade". You will be asked to confirm the storage account name and that's it.
I’ll explain in my next post the difference between Hot, Cool & Archive blobs and how to use them.