Took a different approach today, spent the morning speaking to vendors and some Microsoft staff on various resources within Azure.
This was followed by a couple of Microsoft Mechanics sessions, the first focusing on Azure data warehousing and how the newly announced Azure Synapse Analytics service can benefit it even further.
Azure Synapse, combining data analytics & big data warehousing even further – taking it to the next level.
“Today, we are announcing Azure Synapse Analytics, a limitless analytics service, that brings together enterprise data warehousing and Big Data analytics. It gives you the freedom to query data on your terms, using either serverless on-demand or provisioned resources, at scale. Azure Synapse brings these two worlds together with a unified experience to ingest, prepare, manage, and serve data for immediate business intelligence and machine learning needs.”
Synapse Analytics consists of:-
- Limitless scale
- Powerful insights
- Unified experience
- Unmatched security
Next was an Azure Arc discussion covering the main benefits it brings to hybrid integration. Further details
Session: Tech for social impact: The road ahead
Speakers: Ryan Eckardt & Trisha McDonald
Microsoft is investing in purpose-built technology in Azure, modern workplace and business applications.
How does Microsoft assist with tech for social impact?
- Philanthropic partnerships, commercial, partner and technology resources in a single, dedicated team to support the end-to-end needs of nonprofits
- Relevant, affordable and innovative cloud solutions to help nonprofits of all sizes tackle the world’s biggest challenges
- Social investment model with incremental revenue going to social good causes like affordable housing, skills and employability programs and technology donations.
- Digital capacity building programs to help nonprofits and their employees drive greater impact with the technology they have
It was a pretty cool session, and I heard real-life stories of how Microsoft products are benefiting non-profit organisations.
Session: Build and Manage distributed micro-perimeters with Azure Firewall
Speakers: Yair Tor
Using a Zero Trust approach is key to architecting security that spans on-premises and cloud. Identity plays a key role while network security remains very important in the way you implement it.
Protection services enabling zero trust
DDoS Protection – tuned to your application traffic patterns
Web Application Firewall – Centralised inbound web application protection from common exploits and vulnerabilities
Azure Firewall – Data exfiltration protection using centralised outbound and inbound network and application (L3-L7) filtering
Network Security Groups – Distributed inbound and outbound network (L3-L4) traffic filtering on VM, container or subnets
VNET Integration – Restrict access to Azure service resources (PaaS) to only your Virtual Network
The session then further focused on Azure Firewall. Not using Azure Firewall? It’s worth having a look, been using it for some time now – it’s great!
Azure Firewall Key Features
- FQDN Filtering
- FQDN Tags (e.g. Azure Backup)
- Default infrastructure rule collection
- Fully stateful network rules
- Service Tags
- Default SNAT
- Threat Intel (Now GA): Deny and Alert on known malicious IPs and domains
- Azure Monitor logging
- Azure Monitor metrics
- Network Watcher Integration
Azure Firewall Updates
- Multiple public IPs now Generally Available (up to 100)
- Availability Zones now Generally Available (99.99% SLA)
- Threat Intelligence based filtering now Generally Available
- TDS (SQL) FQDN Filtering in Preview
- US Gov
Coming Soon (ETA H2 CY2019)
- FQDN filtering for all ports and protocols
- Native forced tunneling support
- IP Groups in Azure Firewall rules
Azure Firewall Manager
Azure Firewall Manager Preview is a security management service that provides central security policy and route management for cloud-based security perimeters.
- Central network security policy and route management for globally distributed, software-defined perimeters
Central deployment and configuration
- Deploy and configure multiple Azure Firewall instances
- Optimised for DevOps with hierarchical policies
Central routing configuration
- Easily attract traffic to your secured hub for filtering and logging
Advanced security with 3rd party SECaaS
- Use best-in-breed third-party Security as a Service partners
- Combine with Azure Firewall for private traffic
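To make the Azure Firewall key features and the Firewall Manager hierarchical policy model above concrete, here is an added Bicep example (written for this post, not code from the session or from Microsoft's own samples). It declares a parent Firewall Policy with Threat Intelligence set to Deny, a child policy that inherits it, FQDN-tag, FQDN and service-tag rules on the child, a firewall that consumes the child policy, and a diagnostic setting that sends rule logs and metrics to Azure Monitor. All resource names, address ranges and the subnet, public IP and Log Analytics workspace parameters are assumptions for illustration.

```bicep
// Added example, not from the session: Azure Firewall Manager hierarchical policies in Bicep.
// Every name, address range and parameter value below is an assumption for illustration.
param location string = resourceGroup().location
param firewallSubnetId string        // assumed: id of an existing AzureFirewallSubnet
param firewallPublicIpId string      // assumed: id of an existing Standard-SKU public IP
param logAnalyticsWorkspaceId string // assumed: id of an existing Log Analytics workspace

// Parent policy: the organisation-wide baseline. Its settings are inherited by every child policy,
// and its rule collection groups are evaluated before the child's, so teams cannot override it.
// Threat Intelligence is set to Deny so known malicious IPs and domains are blocked, not only alerted on.
resource basePolicy 'Microsoft.Network/firewallPolicies@2021-05-01' = {
  name: 'fwpol-org-base'
  location: location
  properties: {
    threatIntelMode: 'Deny'
  }
}

// Child policy for one application team, linked to the parent through basePolicy.
resource appPolicy 'Microsoft.Network/firewallPolicies@2021-05-01' = {
  name: 'fwpol-app-team'
  location: location
  properties: {
    basePolicy: { id: basePolicy.id }
  }
}

// Team rules: an FQDN tag, explicit FQDN filtering for HTTPS egress, and a service-tag network rule.
resource appRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2021-05-01' = {
  parent: appPolicy
  name: 'app-team-rules'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-app-egress'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'allow-windows-update'
            sourceAddresses: [ '10.10.0.0/16' ]
            fqdnTags: [ 'WindowsUpdate' ] // Microsoft-maintained FQDN list
          }
          {
            ruleType: 'ApplicationRule'
            name: 'allow-package-feed'
            sourceAddresses: [ '10.10.0.0/16' ]
            protocols: [ { protocolType: 'Https', port: 443 } ]
            targetFqdns: [ 'packages.example.com' ] // assumed FQDN
          }
          {
            ruleType: 'NetworkRule'
            name: 'allow-azure-backup'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ '10.10.0.0/16' ]
            destinationAddresses: [ 'AzureBackup' ] // service tag, not a hand-maintained IP list
            destinationPorts: [ '443' ]
          }
        ]
      }
    ]
  }
}

// The firewall references only the child policy; all of its rules and settings come from the hierarchy.
resource firewall 'Microsoft.Network/azureFirewalls@2021-05-01' = {
  name: 'azfw-hub'
  location: location
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Standard' }
    firewallPolicy: { id: appPolicy.id }
    ipConfigurations: [
      {
        name: 'ipconfig-primary'
        properties: { subnet: { id: firewallSubnetId }, publicIPAddress: { id: firewallPublicIpId } }
      }
    ]
  }
  dependsOn: [ appRules ]
}

// Azure Monitor: rule logs (Threat Intelligence denies are recorded here too) and metrics to Log Analytics.
resource firewallDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'azfw-hub-diag'
  scope: firewall
  properties: {
    workspaceId: logAnalyticsWorkspaceId
    logs: [
      { category: 'AzureFirewallApplicationRule', enabled: true }
      { category: 'AzureFirewallNetworkRule', enabled: true }
    ]
    metrics: [ { category: 'AllMetrics', enabled: true } ]
  }
}
```

The design point is where each decision lives: Threat Intelligence mode is set once on the parent and inherited, the team only owns its own allow rules, and the firewall carries no rules of its own, so a review of what a given firewall permits is a review of the policy chain rather than of each instance. Deploy it with `az deployment group create --resource-group <rg> --template-file <file>.bicep` and supply the three resource IDs as parameters.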
The session finished with a demo on Secured Virtual Hubs.
A virtual hub is a Microsoft-managed virtual network that enables connectivity from other resources. When a virtual hub is created from a Virtual WAN in the Azure portal, a virtual hub VNet and gateways (optional) are created as its components.
A secured virtual hub is an Azure Virtual WAN Hub with associated security and routing policies configured by Azure Firewall Manager. Use secured virtual hubs to easily create hub-and-spoke and transitive architectures with native security services for traffic governance and protection.
Session: Advanced network best practices with Azure Express Route
Speakers: Charley Wen
The last session of the day provided an update on new ExpressRoute capabilities and covered detailed architectural design considerations and best practices.
ExpressRoute features enhancements:-
FastPath for service provider circuits – Improve throughput, packets per second, connections per second, number of connections etc.
BFD for Microsoft Peering – Reduce failover time to 2 seconds between primary and secondary connections
Multiple circuits from the same ER site to a single VNET – Main scenarios: redundancy and migrations
Resource Health in Azure Monitor – ARP incomplete, BGP Down
New circuit SKU – access Azure from nearby ER site
- Standard: access Azure Regions from same geo
- Premium: global
No egress data transfer charges
Available for all ER circuits 1G and above (New Circuits Only)
Satellite ground stations connected to ExpressRoute
Microsoft global network connecting you to Azure regions or your sites via Global Reach
Scenarios include aviation, cruise ships and remote farming
MACsec – point-to-point encryption
- 10G/100G ER Direct only
- Customer BYOK: keys are stored in Azure Key Vault and the customer owns lifecycle management