Microsoft Ignite – Day 3 Roundup

Took a different approach today, spent the morning speaking to vendors and some Microsoft staff on various resources within Azure.

This was followed by a couple of Microsoft Mechanic sessions, the first focusing on Azure data warehousing and how the newly announced Azure Synapse Analytics service can benefit this even further.


Azure Synapse, combining data analytics & big data warehousing even further – taking it to the next level.

“Today, we are announcing Azure Synapse Analytics, a limitless analytics service, that brings together enterprise data warehousing and Big Data analytics. It gives you the freedom to query data on your terms, using either serverless on-demand or provisioned resources, at scale. Azure Synapse brings these two worlds together with a unified experience to ingest, prepare, manage, and serve data for immediate business intelligence and machine learning needs.”

Synapse Analytics consists of:-

  • Limitless scale
  • Powerful insights
  • Unified experience
  • Unmatched security

Next was an Azure Arc discussion covering the main benefits it has for hybrid integration.

Session: Tech for social impact: The road ahead

Speakers: Ryan Eckardt & Trisha McDonald

Microsoft is investing in purpose-built technology in Azure, modern workplace and business applications.

How is Microsoft assisting with tech for social impact?

  • Philanthropic partnerships, commercial, partner and technology resources in a single, dedicated team to support the end-to-end needs of nonprofits
  • Relevant, affordable and innovative cloud solutions to help nonprofits of all sizes tackle the world’s biggest challenges
  • Social investment model with incremental revenue going to social good causes like affordable housing, skills and employability programs and technology donations.
  • Digital capacity building programs to help nonprofits and their employees drive greater impact with the technology they have

It was a pretty cool session, and I heard real-life stories of how Microsoft products are benefiting non-profit organisations.

Session: Build and Manage distributed micro-perimeters with Azure Firewall

Speakers: Yair Tor

Using a Zero Trust approach is key to architecting security that spans on-premises and cloud. Identity plays a key role while network security remains very important in the way you implement it.

Protection services enabling zero trust

DDoS Protection – tuned to your application traffic patterns

Web Application Firewall – Centralised inbound web application protection from common exploits and vulnerabilities

Azure Firewall – Data exfiltration protection using centralised outbound and inbound network and application (L3-L7) filtering

Network Security Groups – Distributed inbound and outbound network (L3-L4) traffic filtering on VM, container or subnets

VNET Integration – Restrict access to Azure service resources (PaaS) to only your Virtual Network

The session then further focused on Azure Firewall. Not using Azure Firewall? It’s worth having a look, been using it for some time now – it’s great!


Azure Firewall Key Features

Application Rules

  • FQDN Filtering
  • FQDN Tags (e.g. Azure Backup)
  • Default infrastructure rule collection

Fully stateful network rules

  • Service Tags

NAT Support

  • Default SNAT
  • DNAT

Threat Intel (Now GA)

  • Deny and Alert on known malicious IPs and domains


  • Azure monitor logging
  • Azure monitor metrics

Network Watcher Integration

Announcement: Azure Firewall Threat Intelligence

Azure Firewall Updates

Recently released

  • Multiple public IPs now Generally Available (up to 100)
  • Availability Zones now Generally Available (99.99% SLA)
  • Threat Intelligence based filtering now Generally Available
  • TDS (SQL) FQDN Filtering in Preview

Sovereign Clouds

  • US Gov
  • China

Coming Soon (ETA H2 CY2019)

  • FQDN filtering for all ports and protocols
  • Native forced tunneling support
  • IP Groups in Azure Firewall rules

Azure Firewall Manager

Announcement: Azure Firewall Manager

Azure Firewall Manager Preview is a security management service that provides central security policy and route management for cloud-based security perimeters.

Central network security policy and route management for globally distributed, software-defined perimeters

Central deployment and configuration

  • Deploy and configure multiple Azure Firewall instances
  • Optimised for DevOps with Hierarchical Policies

Automated routing

Easily attract traffic to your secured hub for filtering and logging using central routing configuration

Advanced security with 3rd party SECaaS

  • Use best-in-breed third-party Security as a Service partners
  • Combine with Azure Firewall for private traffic

The session finished with a demo on Secured Virtual Hubs.

A virtual hub is a Microsoft-managed virtual network that enables connectivity from other resources. When a virtual hub is created from a Virtual WAN in the Azure portal, a virtual hub VNet and gateways (optional) are created as its components.

A secured virtual hub is an Azure Virtual WAN Hub with associated security and routing policies configured by Azure Firewall Manager. Use secured virtual hubs to easily create hub-and-spoke and transitive architectures with native security services for traffic governance and protection.


Session: Advanced network best practices with Azure Express Route

Speakers: Charley Wen

The last session of the day provided an update on new ExpressRoute capabilities and covered detailed architectural design considerations and best practices.

ExpressRoute feature enhancements:-

FastPath for service provider circuits – Improve throughput, packets per second, connections per second, number of connections, etc.

BFD for Microsoft Peering – Reduce failover time to 2 seconds between primary and secondary connections

Multiple circuits from the same ER site to a single VNET – Main scenarios: redundancy and migrations

Resource Health in Azure Monitor – ARP incomplete, BGP Down

Announcement: ExpressRoute Local

New circuit SKU – access Azure from nearby ER site

  • Standard: access Azure Regions from same geo
  • Premium: global

No egress data transfer charges

Available for all ER circuits 1G and above (New Circuits Only)

Announcement: ExpressRoute for satellite users

Satellite ground stations connected to ExpressRoute

Microsoft global network connecting you to Azure regions or your sites via Global Reach

Scenarios include aviation, cruise ships and remote farming

Announcement: MACsec encryption

MACsec is point-to-point encryption

10G/100G ER Direct only

Customer BYOK, stores keys in Azure Key Vault, owns lifecycle management

