In this new series, Azure expert Xander Oortgiesen (@vworlddotnl) brings you up to speed on the latest and greatest updates from Microsoft Azure. On the docket in this blog: the new Azure Shared Image Gallery, Azure Monitor for VM Guest Health, and Azure Firewall Premium.
Hello, nice to meet you! My name is Xander Oortgiesen and I’ve been working in Microsoft Azure for many years. Currently, I’m a Lead Architect with Wortell, and I’m excited to share my first post about Azure for ShareGate.
ShareGate creates SaaS tools to help IT professionals succeed in Azure and Microsoft 365.
In this blog series, I’m going to update you about recent Azure updates and improvements that can have an impact on your efficiency in the cloud.
In this edition, I’ll discuss the updates to Azure Shared Image Gallery and Azure Monitor for Virtual Machine Guest Health, as well as the announcement of Azure Firewall Premium (and other Azure Firewall improvements).
Let’s dig into these Azure updates!
New features: Azure Shared Image Gallery
Azure’s Shared Image Gallery is a service for managing VM images and deploying them across Azure subscriptions. It supports versioning and grouping of images, and images stored in a gallery can be shared across subscriptions and even across Azure Active Directory tenants.
Recently, Microsoft announced new features for Azure Shared Image Gallery. You’ll now be able to:
- Create a Shared Image Gallery image version directly from a VM. Previously, creating Shared Image Gallery image versions was only supported for managed images and snapshots.
- Create a Shared Image Gallery image directly from a managed disk.
- Move image versions across Shared Image Galleries.
- Create a managed disk from an image version.
I decided to give you a quick example of how to use the new features in Shared Image Gallery by creating a VM, capturing an image of this VM, and exporting this image to different Shared Image Galleries.
Create and capture a VM
You can export an image to a Shared Image Gallery directly from the VM.
For example, let’s deploy a demo VM. The image of this VM will be used as the “golden image” for other deployments.
For this example, I’m going to install BGInfo from Sysinternals and the latest Windows updates.
After installing the tools and restarting the VM, we must generalize it with Sysprep so that machine-specific information (the computer name, SID and so on) is not part of the image.
Open an elevated command prompt, change to %WINDIR%\System32\Sysprep, and run the following command:
sysprep.exe /oobe /shutdown /generalize /mode:VM
When Sysprep finishes, the VM shuts down automatically. Now go to the VM pane and choose Capture.
You’ll notice several extra options after choosing Capture. At this point, you can publish the image directly to a Shared Image Gallery. Choose that option and let Azure delete the source VM automatically (a generalized VM can’t be started and used again anyway).
At this point, you have the following options:
- Create (or use an existing) Shared Image Gallery
- Create (or use an existing) Target image definition
- Specify the version (using the major.minor.patch format)
- Choose to replicate this image or not
It takes a few minutes, but the image version is then exported to the newly created Shared Image Gallery.
Create and copy images from disks
Using the Shared Image Gallery you can easily create a new image version from a managed disk.
In this example I’ve created version 1.0.1 (a patch version) of the original image.
If you have multiple galleries in your organization, you can create image versions from image versions stored in other galleries. For example, you might have a test gallery and a production gallery: when an image has been validated in test, you copy it to the production gallery in the same way. You can also create an image version from one in another gallery using the Azure CLI.
If needed, you can also export the OS disk or a single data disk of an image version stored in a Shared Image Gallery as a managed disk.
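The whole golden-image lifecycle above, scripted with the Azure CLI, as an added example that is not part of the original post: create a test and a production gallery, capture an image version straight from the sysprepped VM, promote the version to the production gallery, and export its OS disk as a managed disk. Subscription ID, resource group, gallery, image definition and VM names are placeholders, and the `--virtual-machine`, `--image-version` and `--gallery-image-reference` flags are assumed to be those of the Azure CLI at the time of the announcement (check `az sig image-version create --help`). The script runs in dry-run mode by default and only prints the commands; set `DRY_RUN=0` to execute them against a real subscription.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. All names and IDs are placeholders.
# Defaults to a dry run that prints each az command; set DRY_RUN=0 to execute.
set -eu

DRY_RUN="${DRY_RUN:-1}"
SUB="${SUB:-00000000-0000-0000-0000-000000000000}"   # placeholder subscription ID
LOCATION="${LOCATION:-westeurope}"
RG="${RG:-rg-images}"
IMAGE_DEF="win2019-golden"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "az $*"; else az "$@"; fi
}

# ARM resource IDs for VMs and gallery image versions have a fixed shape, so
# they can be built locally without a round trip to Azure.
vm_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Compute/virtualMachines/%s' "$SUB" "$RG" "$1"
}
version_id() {  # $1 gallery, $2 image definition, $3 version
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Compute/galleries/%s/images/%s/versions/%s' \
    "$SUB" "$RG" "$1" "$2" "$3"
}

# Step 1: gallery plus a generalized Windows image definition.
create_gallery() {  # $1 gallery name
  run sig create --resource-group "$RG" --gallery-name "$1" --location "$LOCATION"
  run sig image-definition create --resource-group "$RG" --gallery-name "$1" \
    --gallery-image-definition "$IMAGE_DEF" --publisher Contoso --offer WindowsServer \
    --sku 2019-golden --os-type Windows --os-state Generalized --hyper-v-generation V2
}

# Step 2: capture an image version directly from the VM. Sysprep already shut
# the VM down; Azure still needs it deallocated and marked generalized, or the
# capture is rejected.
capture_from_vm() {  # $1 gallery, $2 VM name, $3 version (major.minor.patch)
  run vm deallocate --resource-group "$RG" --name "$2"
  run vm generalize --resource-group "$RG" --name "$2"
  run sig image-version create --resource-group "$RG" --gallery-name "$1" \
    --gallery-image-definition "$IMAGE_DEF" --gallery-image-version "$3" \
    --virtual-machine "$(vm_id "$2")" --target-regions "$LOCATION" --replica-count 1
}

# Step 3: promote a validated version to the production gallery by creating a
# new version whose source is the test gallery's image version resource ID.
promote_to_prod() {  # $1 test gallery, $2 prod gallery, $3 version
  run sig image-version create --resource-group "$RG" --gallery-name "$2" \
    --gallery-image-definition "$IMAGE_DEF" --gallery-image-version "$3" \
    --image-version "$(version_id "$1" "$IMAGE_DEF" "$3")" \
    --target-regions "$LOCATION" northeurope --replica-count 2
}

# Step 4: export the OS disk of a version as a managed disk, for example to
# mount it elsewhere and audit exactly what shipped in the golden image.
export_os_disk() {  # $1 gallery, $2 version, $3 disk name
  run disk create --resource-group "$RG" --name "$3" --location "$LOCATION" \
    --gallery-image-reference "$(version_id "$1" "$IMAGE_DEF" "$2")"
}

create_gallery sig-test
create_gallery sig-prod
capture_from_vm sig-test vm-golden 1.0.0
promote_to_prod sig-test sig-prod 1.0.0
export_os_disk sig-prod 1.0.0 disk-golden-1-0-0
```

Keeping the production gallery in its own resource group (or subscription) with write access limited to the pipeline identity is what makes the test-to-production promotion meaningful: engineers can iterate freely on the test gallery, but only reviewed versions are copied into the gallery that deployments consume.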
Why this update matters
Shared images are useful when, for example, you need to deploy many VMs that must conform to company (and security!) standards: a single golden image makes that process repeatable, and combined with Azure DevOps it saves time as well. All of this helps take your Azure governance to the next level.
The new features, like directly capturing a new image version from a VM and the option to copy and share image versions between Shared Image Galleries, are major improvements.
My advice is to create two Shared Image Galleries: one for production and one for test/development. When a test image is ready for production, it can easily be moved to the production gallery.
New feature: Azure Monitor for VM guest health
Azure Monitor for VMs guest health is new functionality in Azure Monitor, announced by Microsoft and currently available in public preview. It lets you view the health of VMs based on a set of performance measurements that are sampled at regular intervals from the guest OS.
You can quickly check the health of a particular VM or be proactively notified when a virtual machine becomes unhealthy.
Enable VM guest health
There are several limitations to this feature that you should keep in mind when implementing it:
- Only Azure virtual machines are currently supported, no support for Azure Arc yet
- VMs must run one of the following operating systems:
  - Ubuntu 16.04 LTS or later
  - Windows Server 2012 or later
- VMs must be located in one of the following regions:
  - Australia Southeast
  - Central US
  - East US, East US 2, East US EUAP
  - North Europe
  - Southeast Asia
  - UK South
  - West Europe
  - West US, West US 2
- The Log Analytics workspace must be located in one of the following regions:
  - East US, East US 2 EUAP
  - West Europe
The required Azure resource providers must also be registered on your Azure subscription.
You can register them by selecting your subscription, going to Resource providers, searching for each required provider, and choosing Register.
There are two ways to enable guest health for VMs. You can use the Azure portal or a template. For demo purposes, we’re going to use the Azure portal.
Open Azure Monitor and select Virtual machines. You’ll see your VMs and the Upgrade option.
Choose to upgrade the agent. It’s a straightforward, guided process.
After you’ve upgraded the agent, you can see the Health tab in the VM pane of Azure Monitor. Notice the preview notification (guest health is currently in public preview).
Depending on your OS and your rules, you should see something similar to the screen above.
You can change the default options by selecting the Configuration tab. It’s also easy to view the history of a monitor (for example, the history of CPU utilization).
Add additional data using Data Collection Rules
You can easily collect more data using custom Data Collection Rules. To create a new Data Collection Rule, navigate to Data Collection Rules within Azure Monitor and choose Create.
Depending on your source, select the data types you want to collect. It takes some time for the first data to arrive; once it does, you can query it in the Log Analytics workspace.
There is no direct cost for the guest health feature, but there is a cost for ingestion and storage of health state data in the Log Analytics workspace. All data is stored in the HealthStateChangeEvent table.
See Manage usage and costs with Azure Monitor Logs for details on pricing models and costs. ShareGate also has some tips on how to avoid ingestion and storage cost surprises on your bill.
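Two queries against the HealthStateChangeEvent table mentioned above, wrapped in Azure CLI calls, as an added example that is not part of the original post: the first lists every monitor whose latest state is not Healthy (the data you would put on a dashboard or behind an alert), the second reports how many billable megabytes the health table has ingested per day, which is the number to watch for the cost caveat. The workspace ID is a placeholder, and the column names (Computer, MonitorName, CurrentMonitorState, PreviousMonitorState) are assumed from the preview schema of the table, so check them in your own workspace. The script prints the commands by default; set `DRY_RUN=0` to run them.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Workspace ID is a placeholder and
# the HealthStateChangeEvent column names are assumed from the preview schema.
set -eu

DRY_RUN="${DRY_RUN:-1}"
WORKSPACE_ID="${WORKSPACE_ID:-00000000-0000-0000-0000-000000000000}"

# KQL: latest state of every monitor on every VM in the last day, keeping only
# the monitors that are currently not Healthy.
unhealthy_query() {
  cat <<'KQL'
HealthStateChangeEvent
| where TimeGenerated > ago(1d)
| summarize arg_max(TimeGenerated, CurrentMonitorState, PreviousMonitorState) by Computer, MonitorName
| where CurrentMonitorState != "Healthy"
| project TimeGenerated, Computer, MonitorName, PreviousMonitorState, CurrentMonitorState
| order by TimeGenerated desc
KQL
}

# KQL: billable ingestion of the health table per day over the last 30 days.
# Usage.Quantity is reported in MB, so the sum is directly comparable with the
# per-GB ingestion price of the workspace.
usage_query() {
  cat <<'KQL'
Usage
| where TimeGenerated > ago(30d)
| where DataType == "HealthStateChangeEvent" and IsBillable == true
| summarize IngestedMB = round(sum(Quantity), 2) by bin(TimeGenerated, 1d)
| order by TimeGenerated asc
KQL
}

# Runs a query through `az monitor log-analytics query`; in dry-run mode the
# command is printed instead so the script works without a workspace.
run_query() {  # $1 KQL text
  if [ "$DRY_RUN" = "1" ]; then
    printf "az monitor log-analytics query -w %s -o table --analytics-query '%s'\n" "$WORKSPACE_ID" "$1"
  else
    az monitor log-analytics query -w "$WORKSPACE_ID" -o table --analytics-query "$1"
  fi
}

run_query "$(unhealthy_query)"
run_query "$(usage_query)"
```

The first query is also the natural body of a log alert rule: schedule it every few minutes and alert when it returns any rows, and you get the proactive notification the feature promises without having to click through each VM’s Health tab.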
Why this update matters
Despite only being in public preview, VM guest health has already proven to be a stable addition to Azure Monitor. It can save you a lot of time and effort, especially if your organization runs a large number of IaaS VMs.
So, for all of you folks who support and manage the guest side of IaaS VMs, it’s a no-brainer that this new functionality is super useful and can make your job much easier!
Also, in terms of compliance and governance, you now have a clear view of the status of the guest health of your IaaS VMs! For instance, you can choose to display their status on your Azure dashboard.
New features: Azure Firewall Premium
Microsoft recently announced the Premium edition of Azure Firewall, now available in public preview. Azure Firewall Premium adds the following capabilities.
1. TLS Inspection
Azure Firewall Premium terminates outbound TLS sessions, decrypts the traffic, runs the value-added security functions (IDPS, URL filtering, web categories) on the clear text, and re-encrypts the traffic before sending it on to the original destination. To do this it needs an intermediate CA certificate, stored in Azure Key Vault, that your clients trust, because the firewall issues the certificates the clients see.
Without TLS inspection, the firewall only sees the host name of an encrypted session, so malicious content inside it passes through uninspected!
2. Intrusion detection and prevention systems
Azure Firewall Premium provides signature-based intrusion detection and prevention system (IDPS) to allow rapid detection of attacks by looking for specific patterns, such as byte sequences in network traffic or known malicious instruction sequences used by malware.
The IDPS engine detects a suspected intrusion as it happens and raises an alert, or, in Alert and deny mode, also drops the traffic. Attacks that originate inside the network are monitored as well. This is achieved by examining network communications, matching them against heuristics and patterns (signatures), and taking action to alert operators.
3. Web Categories
This will let administrators allow or deny user access to the internet based on categories (e.g. social networking, search engines, gambling). The goal is to reduce the time spent on managing individual FQDNs and URLs.
So, web traffic is allowed or blocked depending on the category of the destination. You no longer have to maintain lists of specific IPs or FQDNs, which are often incomplete or out of date.
A Web Categories capability is also available in Azure Firewall Standard, but there it is based on FQDNs only; Premium can classify by the full URL when TLS inspection is enabled.
4. URL Filtering
URL Filtering extends FQDN filtering to full URLs (host plus path) for both plain-text HTTP and TLS-inspected HTTPS traffic. It is typically used together with Web Categories, for example to allow a single path on a site whose category is otherwise blocked.
Updates to Azure Firewall (standard)
In addition to the release of Azure Firewall Premium, Microsoft also announced the launch of new Azure Firewall standard capabilities.
The new capabilities include:
- Custom DNS: This allows you to configure Azure Firewall to use your own DNS server.
- DNS Proxy capability: Azure Firewall can act as a DNS proxy for your clients. This is crucial for reliable FQDN filtering in network rules, because the firewall and the clients then resolve names through the same path and see the same answers, and it gives you a single integration point for DNS security.
- FQDN filtering in network rules: network rules can now target FQDNs, resolved through Custom DNS or Azure DNS. This is a major improvement and is the recommended approach for protocols that application rules cannot filter by FQDN today (application rules cover only HTTP, HTTPS and MSSQL).
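A firewall policy that switches on the Premium and Standard features discussed above, scripted with the Azure CLI `azure-firewall` extension, as an added example that is not part of the original post: IDPS in deny mode, TLS inspection backed by an intermediate CA in Key Vault, DNS proxy pointed at internal DNS servers, an FQDN-based network rule for a non-HTTP protocol, a web-category deny rule and a URL-filtering allow rule. Resource group, policy name, identity and certificate IDs, DNS server and subnet addresses are placeholders, and the flag names (`--idps-mode`, `--enable-dns-proxy`, `--dns-servers`, `--cert-name`, `--key-vault-secret-id`, `--destination-fqdns`, `--web-categories`, `--target-urls`) are assumed to match the extension as it was during the preview, so confirm them with `az network firewall policy create --help` before running. Dry run by default; set `DRY_RUN=0` to execute.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. All names, IDs and addresses are
# placeholders; flag names follow the azure-firewall CLI extension (assumed).
set -eu

DRY_RUN="${DRY_RUN:-1}"
RG="${RG:-rg-hub}"
LOCATION="${LOCATION:-westeurope}"
POLICY="${POLICY:-fwpol-hub-premium}"
IDENTITY_ID="${IDENTITY_ID:-/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-hub/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-azfw}"
CERT_SECRET_ID="${CERT_SECRET_ID:-https://kv-hub.vault.azure.net/secrets/fw-intermediate-ca}"
CLIENT_SUBNET="10.0.2.0/24"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "az $*"; else az "$@"; fi
}

# 1. Premium policy. IDPS and threat intelligence in Deny mode, TLS inspection
#    using the intermediate CA held in Key Vault (read through the user-assigned
#    identity), and DNS proxy enabled and pointed at the internal resolvers so
#    that FQDN network rules are evaluated against the same answers the
#    clients receive.
create_policy() {
  run network firewall policy create --resource-group "$RG" --name "$POLICY" --location "$LOCATION" \
    --sku Premium --threat-intel-mode Deny --idps-mode Deny \
    --enable-dns-proxy true --dns-servers 10.0.1.4 10.0.1.5 \
    --identity "$IDENTITY_ID" --cert-name fw-intermediate-ca --key-vault-secret-id "$CERT_SECRET_ID"
}

# Helper: add one rule collection to the egress rule collection group.
add_collection() {
  run network firewall policy rule-collection-group collection add-filter-collection \
    --resource-group "$RG" --policy-name "$POLICY" --rule-collection-group-name rcg-egress "$@"
}

# 2. Rules. Network rules are matched before application rules, so the SQL
#    rule below never reaches TLS inspection; the two application rules do.
add_rules() {
  run network firewall policy rule-collection-group create \
    --resource-group "$RG" --policy-name "$POLICY" --name rcg-egress --priority 200

  # FQDN in a network rule: TDS/1433 is not an application-rule protocol, and
  # without this the rule would have to carry the (changing) IP of the SQL host.
  add_collection --name net-allow-sql --collection-priority 100 --action Allow \
    --rule-type NetworkRule --rule-name allow-sql-fqdn --source-addresses "$CLIENT_SUBNET" \
    --destination-fqdns sql-prod.database.windows.net --ip-protocols TCP --destination-ports 1433

  # Web categories instead of hand-maintained FQDN lists.
  add_collection --name app-deny-categories --collection-priority 110 --action Deny \
    --rule-type ApplicationRule --rule-name deny-gambling-social --source-addresses "$CLIENT_SUBNET" \
    --web-categories Gambling SocialNetworking --protocols Https=443 Http=80

  # URL filtering: one path on a host, which for HTTPS only works with TLS
  # inspection because the path is inside the encrypted request.
  add_collection --name app-allow-urls --collection-priority 120 --action Allow \
    --rule-type ApplicationRule --rule-name allow-docs-path --source-addresses "$CLIENT_SUBNET" \
    --target-urls "www.contoso.com/docs/*" --protocols Https=443
}

create_policy
add_rules
```

If you turn on DNS proxy, also point the VNet’s DNS setting at the firewall’s private IP; otherwise clients keep resolving through a different path and the FQDN network rules are evaluated against answers the clients never saw.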
Why do these updates matter?
I think this is a great improvement and that Azure Firewall is becoming a full-featured product. With these additions, there is much less reason to opt for another appliance (like Barracuda) from the Azure Marketplace.
Although Microsoft hasn’t released any price information about Azure Firewall Premium, I think it’s going to be a great competitor for the firewalls in the marketplace.
Keep in mind that Azure Firewall can be managed directly in the Azure portal as well as from the Azure CLI or PowerShell, which is a huge bonus!
Thanks so much for reading my first ‘Azure updates explained’ blog. I’ll dive into more new Azure services and features in two weeks. See you then!
Are you running an efficient Azure environment? See how ShareGate Overcast can help you gain better visibility and lower costs in Azure.