Azure expert Xander Oortgiesen (@vworlddotnl) brings you up to speed on the latest and greatest updates for Microsoft Azure. On the docket in this blog: Upgrading public IP SKUs, encryption at rest using customer-managed keys with Azure Backup, and Azure managed disk backup in limited preview.
ShareGate’s easy-to-use SaaS tools enable organizations to achieve more than ever before with Azure and Microsoft 365. In our ongoing series, Xander Oortgiesen explains what the most impactful recent Azure updates are and how you can use them to make your infrastructure more efficient.
Hello everybody! I hope you enjoyed my last Azure updates explained article earlier this month. I spoke about the new ability to deploy what-if ARM templates, the new 99.99% uptime for Azure Active Directory, and the ability to use live logs for Containers in Azure Monitor.
Now let’s dive into some of the most impressive recent updates available in Azure!
Upgrade public IP addresses from Basic to Standard SKU
Want more good news? This new functionality is available in all Azure regions.
Additionally, any public Azure load balancer can now be upgraded from a Basic SKU to a Standard public load balancer while retaining the same public IP address! This is important because a public IP address’s SKU must match the SKU of the load balancer with which it’s used.
You can use the migration script from the PowerShell Gallery to convert the SKU of the load balancer.
After downloading the PowerShell script, you can use the following command to execute it:
.\AzurePublicLBUpgrade.ps1 -oldRgname "ResourceGroup" -oldLBname "LoadBalancerName" -newLbname "LoadBalancerName"
What’s the difference between Azure Standard and Basic public IP addresses?
Now, why would you want to upgrade from a Basic to a Standard SKU for public IP addresses? Let’s look at some of the differences between the two.
Standard public IP addresses:
- Always use a static allocation method
- Are secure by default and closed to inbound traffic. You can create an allow list for inbound traffic using a network security group.
- Can be assigned to network interfaces, standard public load balancers, or Application Gateways. However, Standard SKUs can’t be used for VPN gateways.
- Can be zone-redundant or zonal, meaning they can be created guaranteed in a specific availability zone.
Basic public IP addresses:
- Can use a static or dynamic allocation method.
- Are open by default. Network security groups are recommended but optional for restricting inbound or outbound traffic.
- Are assigned to any Azure resource that can be assigned a public IP address, for example:
- Network interfaces
- VPN Gateways
- Application Gateways
- Public load balancers
How to upgrade from Basic to Standard public IP address in Azure
To demonstrate how it works, I’ve created a public IP address with a Basic SKU that we’re going to upgrade to a Standard SKU.
In this example, I’m using Azure CLI to migrate this Basic SKU to a Standard SKU, but you can use PowerShell, ARM templates, or API if you’d prefer.
The first step is defining the variables for this command:
## Variables for the command ##
$rg = 'ShareGate'
$name = 'demopipsg'
Because the Standard SKU public IP address always uses static allocation, we have to change our Basic SKU public IP address to static before upgrading it. You can use this command when you need to make the switch:
az network public-ip update --resource-group $rg --name $name --allocation-method Static
The next step is converting towards the Standard SKU using the following command:
az network public-ip update --resource-group $rg --name $name --sku Standard
Once you’ve done that, you’ll receive confirmation that the command has been executed successfully:
Now, let’s double check that it worked in the Azure portal:
Mission accomplished! Notice that the IP address remains the same, so there's no need to change any external DNS entries or other dependencies.
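The same upgrade as a script, added here as an example (it is not code from the original post or from Microsoft). It wraps the two az commands above in a pre-flight check for the constraints the post lists: a Standard public IP cannot sit on a VPN gateway, its SKU must match the load balancer it fronts, and it must be static. The resource group and IP name are the post's demo values; the gateway and load balancer ids used in the comments are constructed placeholders, and the decision function contains no Azure calls so it can be exercised without a subscription.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: upgrade a Basic public IP
# to Standard with the two az commands the post uses, preceded by checks for
# the constraints the post lists. Resource names are placeholders.
set -eu

# Decide what to do for a public IP from its current SKU, its allocation method
# and the resource id of the IP configuration it is attached to ("" if none).
# No Azure calls here, so the decision can be tested offline.
pip_upgrade_plan() {
  local sku="$1" allocation="$2" attached_to="${3:-}"
  case "$sku" in
    Standard) echo "skip:already-standard"; return 0 ;;
    Basic) ;;
    *) echo "refuse:unknown-sku:$sku"; return 1 ;;
  esac
  case "$attached_to" in
    # Standard public IPs cannot be used with VPN gateways.
    */virtualNetworkGateways/*) echo "refuse:attached-to-vpn-gateway"; return 1 ;;
    # The public IP SKU must match its load balancer: upgrade the LB first.
    */loadBalancers/*) echo "refuse:attached-to-load-balancer"; return 1 ;;
  esac
  # Standard always uses static allocation, so a Dynamic IP is made static first.
  if [ "$allocation" = "Dynamic" ]; then
    echo "set-static-then-upgrade"
  else
    echo "upgrade"
  fi
}

# Run the plan against Azure (needs a logged-in az CLI session).
upgrade_public_ip() {
  local rg="$1" name="$2"
  local sku allocation attached_to plan
  sku=$(az network public-ip show -g "$rg" -n "$name" --query 'sku.name' -o tsv)
  allocation=$(az network public-ip show -g "$rg" -n "$name" --query 'publicIpAllocationMethod' -o tsv)
  attached_to=$(az network public-ip show -g "$rg" -n "$name" --query 'ipConfiguration.id' -o tsv)
  plan=$(pip_upgrade_plan "$sku" "$allocation" "$attached_to") || { echo "$name: $plan" >&2; return 1; }
  echo "$name: $plan"
  case "$plan" in
    skip:*) return 0 ;;
    set-static-then-upgrade)
      az network public-ip update -g "$rg" -n "$name" --allocation-method Static -o none ;;
  esac
  az network public-ip update -g "$rg" -n "$name" --sku Standard -o none
  # Confirm the address itself is unchanged, so no DNS changes are needed.
  az network public-ip show -g "$rg" -n "$name" --query '{ip:ipAddress, sku:sku.name}' -o table
}

# Usage after `az login`: ./upgrade-pip.sh --run ShareGate demopipsg
if [ "${1:-}" = "--run" ]; then
  upgrade_public_ip "${2:?resource group}" "${3:?public IP name}"
fi
```

Because a Standard public IP is closed to inbound traffic by default, run this only after the network security group that allow-lists the traffic you expect is already in place; otherwise the upgrade itself becomes an outage.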
Why does this Azure update matter?
The option to upgrade a public IP address from a Basic to a Standard SKU is a welcome improvement! Before this was available, we had to assign a new Standard public IP address, which had a different address, and therefore had to change external DNS entries to point at it. Making these kinds of changes is often time consuming and opens up the possibility for mistakes or omissions.
Now, there’s no need to change IP address references from external DNS registrars or source code. This can save you lots of time and headaches!
Use customer-managed keys with Azure Backup
Azure Backup now allows you to encrypt your backup data using customer-managed keys (CMK) instead of using platform-managed keys (PMK), which Microsoft controls. PMKs are enabled by default, but now you can opt to use CMKs instead.
Note that it's mandatory to store the keys used for encrypting backups in Azure Key Vault.
The key used for encrypting backups may be different from the key used for disk encryption. The data is protected with an AES-256 data encryption key (DEK), which in turn is protected (wrapped) by your key encryption key (KEK).
To accomplish this, you need to go through the following steps:
- Enable Managed identity for your Recovery Services vault.
- Assign permissions to the vault to access the encryption key in the Azure Key Vault.
- Enable soft delete and purge protection in the Azure Key Vault.
- Assign the encryption key to the Recovery Services vault.
Step 1: Enable managed identity for your Recovery Services vault
Using the Azure Portal, go to your Recovery Services vault and choose Settings | Identity.
Change its status from Off to On.
At this point, an object ID is generated. Copy this object ID.
Step 2: Assign the permissions to the Recovery Services vault to access the encryption key
Using the Azure portal, go to Azure Key Vault and choose Settings | Access Policies.
Add an access policy for the Key Vault and select the Get, List, Unwrap Key, and Wrap Key operations.
Go to Select Principal and search for your vault. Once you’ve done this, select Add to add the new access policy.
Step 3: Enable soft delete and purge protection
Using the Azure Key Vault interface, enable both Soft delete and Purge protection:
Step 4: Assign the encryption key to the Recovery Services vault
Go to your Recovery Services vault | Properties:
Select Update under Encryption Settings.
Now choose to select the key from Azure Key Vault and select Save.
It can take some time to update these settings, so be patient.
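The same four steps as Azure CLI calls, added here as an example (it is not code from the original post or from Microsoft). The Recovery Services vault, Key Vault and key names are constructed placeholders, and the `az backup vault identity assign` and `az backup vault encryption update/show` subcommands are assumed from current az CLI releases, which postdate the post. The one function that does no Azure calls, `cmk_preflight`, checks the two settings and four key permissions the post requires before the key is assigned, so a mis-scoped access policy or a vault without purge protection is caught before step 4.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: the four portal steps as
# Azure CLI calls, with an offline check that the Key Vault state matches what
# the post requires before the key is assigned. Names are placeholders and
# the az subcommands/flags used are assumed from current az CLI releases.
set -eu

# Check the inputs the post requires: soft delete on, purge protection on, and
# the vault's identity holding get, list, wrapKey and unwrapKey on keys.
# Accepts the permission list in any case, separated by spaces, tabs,
# newlines or commas (az prints lists differently per output format).
cmk_preflight() {
  local soft_delete="$1" purge_protection="$2" key_perms missing="" p
  key_perms=$(printf '%s' "$3" | tr '\n\t,' '   ' | tr '[:upper:]' '[:lower:]')
  [ "$soft_delete" = "true" ] || missing="$missing soft-delete"
  [ "$purge_protection" = "true" ] || missing="$missing purge-protection"
  for p in get list wrapkey unwrapkey; do
    case " $key_perms " in
      *" $p "*) ;;
      *) missing="$missing key-permission:$p" ;;
    esac
  done
  if [ -n "$missing" ]; then
    echo "not-ready:${missing# }"
    return 1
  fi
  echo "ready"
}

# Apply the four steps (needs a logged-in az CLI session).
enable_backup_cmk() {
  local rg="$1" vault="$2" kv="$3" key="$4"
  local principal_id sd pp perms key_id
  # Step 1: system-assigned managed identity on the Recovery Services vault.
  principal_id=$(az backup vault identity assign --system-assigned -g "$rg" -n "$vault" \
                   --query 'identity.principalId' -o tsv)
  # Step 2: access policy letting that identity wrap/unwrap the DEK with the KEK.
  az keyvault set-policy -n "$kv" --object-id "$principal_id" \
     --key-permissions get list wrapKey unwrapKey -o none
  # Step 3: purge protection (irreversible once on); soft delete is on by
  # default for new vaults and is verified below rather than toggled.
  az keyvault update -n "$kv" --enable-purge-protection true -o none
  sd=$(az keyvault show -n "$kv" --query 'properties.enableSoftDelete' -o tsv)
  pp=$(az keyvault show -n "$kv" --query 'properties.enablePurgeProtection' -o tsv)
  perms=$(az keyvault show -n "$kv" \
            --query "properties.accessPolicies[?objectId=='$principal_id'].permissions.keys | [0]" -o tsv)
  cmk_preflight "$sd" "$pp" "$perms"
  # Step 4: point the Recovery Services vault at the key (the KEK).
  key_id=$(az keyvault key show --vault-name "$kv" -n "$key" --query 'key.kid' -o tsv)
  az backup vault encryption update -g "$rg" -n "$vault" \
     --encryption-key-id "$key_id" --mi-system-assigned -o none
  az backup vault encryption show -g "$rg" -n "$vault" -o table
}

# Usage after `az login`:
#   ./backup-cmk.sh --run ShareGate rsv-sharegate kv-sharegate backup-kek
if [ "${1:-}" = "--run" ]; then
  enable_backup_cmk "${2:?resource group}" "${3:?recovery services vault}" "${4:?key vault}" "${5:?key name}"
fi
```

The access policy grants only the four operations the post names; the vault identity never needs to read key material, only to wrap and unwrap the DEK. Purge protection is what keeps a deleted KEK recoverable during the retention window, which is the one safety net you have against the "lost key" case the post warns about.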
Why does this Azure update matter?
This option to encrypt your backup data with your own keys has been a much-requested feature—especially by customers in the financial sector. Financial institutions often have special regulations for their Azure environment; one of them is protecting backup data with custom keys.
This allows those users to stick with Azure native services rather than turning to other backup solutions, which come with additional costs!
Please keep in mind that in case of emergency—such as losing your key—Microsoft can’t help you recover the data. So, use it with caution!
Backup for Azure managed disk is in limited preview
Azure Backup is a simple, secure, and cost-effective Azure native backup solution that now allows you to configure protection for Azure managed disks in a few simple steps.
You can easily manage the disk snapshots with zero infrastructure costs, even when using incremental snapshots.
With Azure Backup for Azure managed disks, there's support for multiple backups per day, and it doesn't require an agent. It also has no impact on production application performance.
It supports both the backup and restoration of the operating system and the data disk (including shared disks!), regardless of whether or not they are currently attached to a running Azure virtual machine.
This update is still in limited preview, but if you want to try it out, you can fill out this form from Microsoft to sign up.
Why does this Azure update matter?
Although in limited preview, this Azure Backup update can be useful in the following use cases:
- Need for frequent backups per day without your application being quiescent.
- Apps running in a cluster scenario—both Windows and Linux clusters that are writing to the same shared disk.
- Specific need for agentless backup due to security or performance concerns on the application.
- Consistent backup of the whole virtual machine is not feasible because line-of-business applications don't support Volume Shadow Copy Service (VSS).
Thanks for tuning in for another Azure updates explained article. I’ll be back in a few weeks to explore more Azure updates and how to leverage them to make your infrastructure even more efficient.