

Version 21.01.26
Azure expert Xander Oortgiesen (@vworlddotnl) brings you up to speed on the latest and greatest updates for Microsoft Azure. On the docket in this blog: Upgrading public IP SKUs, encryption at rest using customer-managed keys with Azure Backup, and Azure managed disk backup in limited preview.
ShareGate’s easy-to-use SaaS tools enable organizations to achieve more than ever before with Azure and Microsoft 365. In our ongoing series, Xander Oortgiesen explains what the most impactful recent Azure updates are and how you can use them to make your infrastructure more efficient.
Hello everybody! I hope you enjoyed my last Azure updates explained article earlier this month. I spoke about the new ability to deploy what-if ARM templates, the new 99.99% uptime for Azure Active Directory, and the ability to use live logs for Containers in Azure Monitor.
Now let’s dive into some of the most impressive recent updates available in Azure!
Azure public IP addresses now support the ability to upgrade a Basic SKU to Standard.
Want more good news? This new functionality is available in all Azure regions.
Additionally, any public Azure load balancer can now be upgraded from a Basic SKU to a Standard public load balancer while retaining the same public IP address! This is important because a public IP address’s SKU must match the SKU of the load balancer with which it’s used.
You can use the migration script from the PowerShell Gallery to convert the SKU of the load balancer.
After downloading the PowerShell script, you can use the following command to execute it:
AzurePublicLBUpgrade.ps1 -oldRgname "ResourceGroup" -oldLBname "LoadBalancerName" -newLbname "LoadBalancerName"
Now, why would you want to upgrade from a Basic to a Standard SKU for public IP addresses? Let’s look at some of the differences between the two.
Standard public IP addresses:
Basic public IP addresses:
To demonstrate how it works, I’ve created a public IP address with a Basic SKU that we’re going to upgrade to a Standard SKU.
In this example, I’m using Azure CLI to migrate this Basic SKU to a Standard SKU, but you can use PowerShell, ARM templates, or API if you’d prefer.
The first step is defining the variables for this command:
## Variables for the command ##
$rg = 'ShareGate'
$name = 'demopipsg'
Because the Standard SKU public IP address always uses static allocation, we have to change our Basic SKU public IP address to static before upgrading it. You can use this command when you need to make the switch:
az network public-ip update --resource-group $rg --name $name --allocation-method Static
The next step is converting to the Standard SKU using the following command:
az network public-ip update --resource-group $rg --name $name --sku Standard
Once you’ve done that, you’ll receive confirmation that the command has been executed successfully:
Now, let’s double check that it worked in the Azure portal:
Mission accomplished! Notice that the IP address remains the same. So, no need to change any external DNS entries or other dependencies.
The option to upgrade a public IP address from a Basic to a Standard SKU is a welcome improvement! Before this was available, we had to assign another public IP resource with a different IP address and therefore had to change external DNS entries to the new IP address. Making these kinds of changes is often time-consuming and opens up the possibility of mistakes or omissions.
Now, there’s no need to change IP address references from external DNS registrars or source code. This can save you lots of time and headaches!
Azure Backup now allows you to encrypt your backup data using customer-managed keys (CMK) instead of using platform-managed keys (PMK), which Microsoft controls. PMKs are enabled by default, but now you can opt to use CMKs instead.
Note that it’s mandatory to store keys that are used for encrypting backup in Azure Key Vault.
The key used for encrypting backups may be different from the one used for disk encryption. The data is protected using an AES 256-based data encryption key (DEK), which, in turn, is protected using your key encryption keys (KEK).
To accomplish this, you need to go through the following steps:
Using the Azure portal, go to your Recovery Services vault and choose Settings | Identity.
Change its status from Off to On.
At this point, an object ID is generated. Copy this object ID.
Using the Azure portal, go to Azure Key Vault and choose Settings | Access Policies.
Add an access policy for the Key Vault and select the Get, List, Unwrap Key, and Wrap Key operations.
Go to Select Principal and search for your vault. Once you’ve done this, select Add to add the new access policy.
Using the Azure Key Vault interface, enable both Soft delete and Purge protection:
Go to your Recovery Services vault | Properties:
Select Update under Encryption Settings.
Now choose to select the key from Azure Key Vault and select Save.
It can take some time to update these settings, so be patient.
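An added example, not from the original article: a preflight check for the Key Vault prerequisites listed in the steps above, run over JSON in the shape that `az keyvault show` returns. The sample JSON and object ID are constructed, the function name is hypothetical, and the check assumes the Key Vault uses access policies (as in the steps above) rather than Azure RBAC.

```python
import json

# Key permissions the steps above grant to the Recovery Services vault identity.
REQUIRED_KEY_PERMS = {"get", "list", "unwrapkey", "wrapkey"}

# Constructed sample in the shape of `az keyvault show` output (not real data).
SAMPLE_KEYVAULT_JSON = """
{
  "name": "kv-example",
  "properties": {
    "enableSoftDelete": true,
    "enablePurgeProtection": null,
    "accessPolicies": [
      {"objectId": "00000000-0000-0000-0000-000000000001",
       "permissions": {"keys": ["get", "list", "wrapKey", "unwrapKey", "delete"]}}
    ]
  }
}
"""

def check_cmk_prerequisites(keyvault, vault_object_id):
    """Return a list of findings; an empty list means the Key Vault is ready."""
    props = keyvault.get("properties", {})
    findings = []
    if not props.get("enableSoftDelete"):
        findings.append("soft delete is not enabled")
    if not props.get("enablePurgeProtection"):
        findings.append("purge protection is not enabled")
    # Find the access policy that belongs to the Recovery Services vault identity.
    policy = next((p for p in props.get("accessPolicies") or []
                   if p.get("objectId", "").lower() == vault_object_id.lower()), None)
    if policy is None:
        findings.append("no access policy for the vault identity")
        return findings
    granted = {k.lower() for k in (policy.get("permissions", {}).get("keys") or [])}
    missing = REQUIRED_KEY_PERMS - granted
    extra = granted - REQUIRED_KEY_PERMS  # least privilege: flag anything beyond the four
    if missing:
        findings.append("missing key permissions: " + ", ".join(sorted(missing)))
    if extra:
        findings.append("key permissions beyond the four required: " + ", ".join(sorted(extra)))
    return findings

if __name__ == "__main__":
    vault = json.loads(SAMPLE_KEYVAULT_JSON)
    for finding in check_cmk_prerequisites(vault, "00000000-0000-0000-0000-000000000001"):
        print("FINDING:", finding)
```

Pass it the object ID copied from the Recovery Services vault's Identity blade; any finding should be resolved before updating the encryption settings.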
This option to encrypt your backup data with your own keys has been a much-requested feature—especially by customers in the financial sector. Financial institutions often have special regulations for their Azure environment; one of them is protecting backup data with custom keys.
This allows those users to stick with Azure native services rather than turning to backup solutions, which come with additional costs!
Please keep in mind that in case of emergency—such as losing your key—Microsoft can’t help you recover the data. So, use it with caution!
Azure Backup is a simple, secure, and cost-effective Azure native backup solution that now allows you to configure protection for Azure managed disks in a few simple steps.
You can easily manage the disk snapshots with zero infrastructure costs, even when using incremental snapshots.
With Azure Backup for Azure managed disks, there’s support for multiple backups per day, and it doesn’t require an agent. It also has zero percent impact on the production application performance.
It supports both the backup and restoration of the operating system and the data disk (including shared disks!), regardless of whether or not they are currently attached to a running Azure virtual machine.
This update is still in limited preview, but if you want to try it out, you can fill out this form from Microsoft to sign up.
Although in limited preview, this Azure Backup update can be useful in the following use-cases:
Thanks for tuning in for another Azure updates explained article. I’ll be back in a few weeks to explore more Azure updates and how to leverage them to make your infrastructure even more efficient.