News from Microsoft Ignite 2016

CoreAzure at Microsoft Ignite

CoreAzure at Microsoft Ignite (click for full size image)

This week a few of us at CoreAzure have been stateside in Atlanta, Georgia for the Microsoft Ignite conference.

Microsoft Ignite brings together thousands of IT Decision Makers, IT Professionals, and Enterprise Developers from all over the world to attend sessions run by Microsoft technical and business leaders in order to get a greater in-depth understanding of the Microsoft technology stack. The great and the good from Microsoft are here starting with a Keynote from Satya Nadella, Scott Guthrie, and Brad Anderson to deep-dive hands on technical sessions from the likes of Mark Russinovich and Gurdeep Singh Pall.

The week has been packed full of product and service announcements (so much so it’s been difficult to keep up), so I thought it may be helpful to list just a few of our favourites: –

Windows Server 2016

On Monday (26th September) during the Keynote speech Microsoft announced the General Availability of Windows Server 2016. Windows Server 2016 is the next generation of their cloud-ready enterprise server operating system featuring innovations such as Windows Server and Hyper-V Containers, Nano Server, and Software Defined Networking (SDN).

Windows Server 2016 features: –

 Extended security: Windows Server 2016 introduces new layers of security to harden the platform to address emerging threats, control privileged access, and protect virtual machines (shielded VM’s in Hyper-V)

 Resilient compute: Simplified virtualisation upgrades, new instalment options, and increased resilience helping ensure the stability of the infrastructure without limiting agility

 Reduced cost storage: Expanded capabilities in software defined storage with an emphasis on resilience, reduced costs, and increased control

 Simplified networking: New networking stack brings the core networking capabilities and SDN architecture directly from Azure

 Application efficiency and agility: Windows Server 2016 delivers new ways to package, configure, deploy, run, test, and secure your applications running on-premises or in the cloud using new capabilities such as Windows containers and the new Nano Server lightweight OS deployment option

To learn more about Windows Server 2016 head over to the official Microsoft Windows Server 2016 product site here.

Storage Spaces Direct

Microsoft Storage Spaces Direct is a feature of Windows Server 2016 that pools storage to build a highly available and scalable software defined storage system for Hyper-V VMs.

Storage Spaces Direct makes two copies of data to other nodes in the cluster. Each node runs as a fault domain and data is spread across the fault domains to prevent data loss if a disk fails. If a disk fails, data will be replicated to another disk in the cluster so three copies of data are present at all times.

By adding more nodes to the cluster Storage Spaces Direct will automatically pool the storage into the cluster (up to 240 disks and 12 nodes can be added to a cluster).

Storage Spaces Direct uses Server Message Block (SMB) 3.0 for communication between storage nodes.

Storage Spaces Direct can be deployed two ways. In the hyper-converged deployment, the Hyper-V clusters and storage are on the same hardware; this model is more appropriate for smaller scale-out deployments. In the private cloud storage deployment, the Hyper-V clusters and storage resources are separate; this model is for larger scale-out deployments.

By separating the Hyper-V clusters and storage in the private cloud deployment, administrators can scale and manage the storage and compute resources independently.

System Center 2016

At the same time as announcing the general availability of Windows Server 2016, Microsoft also announced general availability of System Center 2016.

System Center Configuration Manager 2016 provides a plethora of tools and features to manage your Windows client environments (especially Windows 10), as well as those non-Windows clients such as Linux and OS-X. SCCM 2016 also integrates with Microsoft InTune to enable management of all devices within your organisation from fixed desktops to mobile devices including Android, iOS, and Windows.

System Center 2016 provides easy discoverability of management packs, alert tuning, scheduled maintenance windows to reduce alert noise, support for Windows Server 2016 security capabilities such as Shielded Virtual Machines (preventing illicit virtual machine copying) and Host Guardian service (providing key management to support Shielded VMs).

System Center 2016 also supports handling rolling upgrades to cluster nodes without the need to stop workloads. Additionally, it can manage the lifecycle of Windows Server 2016 Nano Server – the minimal footprint server deployment of Windows Server 2016 which is 20 times smaller than Server Core deployment in Windows Server 2012 R2.

For ease of management across a hybrid cloud System Center 2016 integrates with Operations Management Suite.

Operations Management Suite

The cloud based management suite gained several improvements with insights and analytics, security and compliance, and protection and recovery. Here are just a few of the new features of OMS: –

 New application and service monitoring capabilities for Azure SQL, MySQL, and VMware Hosts
 Connector for Application Insights enabling integrated application and workload analytics
 Azure activity log search
 New ingestion API’s for expanded data and log collection
 Enhanced Update Management features including insights into time estimates as well as update sequencing (keeping Windows Server and Linux system up to date)
 Enhanced change tracking with granular file-based tracking to support Windows Server and Linux
 Azure Security Center
 Expanded security data ingestion using Common Event Format (including Cisco ASA)
 Behavioural analytics to detect insider threats and attempts within a compromised system
 Expanded Linux and VMware backup and recovery support
 Integrated monitoring with Log Analytics including Site Recovery capacity planning

New licensing options for hybrid cloud environments have also been announced. Microsoft are now offering two new subscription options: –

 Operations Management Suite E1: Insight & Analytics and Automation & Control
 Operations Management Suite E2: Includes everything in E1 and adds both Security & Compliance, and Protection & Recovery services

Both E1 and E2 also includes subscription rights to System Center 2016.

Increased Performance in Azure

Microsoft have announced a number of advancements including new server categories, network bandwidth improvement (resulting in an increase of bandwidth of up to 50%), and increased IOPS performance of Azure Storage combined with newly developed storage specific offloads.

Virtual Network Peering

Microsoft officially announced the general availability of Virtual Network Peering. VNet Peering connects two virtual networks in the same region through the Azure backbone. Once peered the two virtual networks appear as one for all connectivity purposes. Although they are managed as separate resources, virtual machines in the virtual networks can communicate with each other directly using private IP addresses.

Traffic between VMs within the peered virtual networks is routed through Azure much like traffic is routed between VMs in the same virtual network.

Some of the benefits of using VNet Peering are:

 Low latency, high bandwidth connectivity between resources in different virtual networks

 Ability to use resources such as Network Appliances and VPN Gateways as transit points in a peered virtual network

 Ability to connect a virtual network using Azure Resource Manager to a virtual network that uses the classic deployment model enabling full connectivity between resources in those virtual networks

Requirements of Virtual Network Peering are:

 Networks that are peered must be in the same Azure region

 Peered networks must have non overlapping IP address spaces

 VNet Peering is between two virtual networks with no derived transitive relationship. For example, if virtual network A is peered with virtual network B, and if virtual network B is peered with virtual network C, then virtual network A is not peered with virtual network C.

 Peering can be established between virtual networks in two different subscriptions as long as a privileged user of both subscriptions authorises the peering, and the subscriptions are associated to the same Active Directory tenant

 A virtual network using ARM (Azure Resource Manager) can be peered with a virtual network using either ARM or the classic deployment model. But two virtual networks both using the classic deployment model cannot be peered with each other

 Although communication between VM’s in peered virtual networks has no additional bandwidth restrictions, bandwidth caps based on VM size still applies

Azure Native IPv6 Support

Internet facing load balancers can now be deployed with an IPv6 address thereby providing the following capabilities:

 Native end-to-end IPv6 connectivity between public Internet clients and Azure VM’s through the load balancer

 Native end-to-end IPv6 outbound connectivity between VM’s and public Internet IPv6-enabled clients

This means that an IPv4 or IPv6 enabled Internet client can communicate with the public IPv5 or IPv6 address (or hostname) of the Azure Internet facing Load Balancer. The load balancer routes the IPv6 packets to the private IPv6 addresses of the VM’s using NAT (the IPv6 Internet client cannot communicate directly with the IPv6 address of the VM’s).

Native IPv6 support for VM’s deployed via ARM provides:

 Load balanced IPv6 services of IPv6 clients on the Internet
 Native IPv6 and IPv4 endpoints on VM’s (known as “dual-stacked”)
 Inbound and outbound initiated IPv6 connections
 Supported protocols including TCP, UDP, and HTTP(s) enabling the full range of service architectures

This level of functionality enables the following benefits:

 Compliance: Regulatory requirements insisting that application be accessible to IPv6 only clients
 IOT: Allows developers to use dual-stacked (IPv4 & IPv6) Azure VMs to address the massively growing number of mobile & IOT requirements

There are however some limitations you need to be aware of:

 IPv6 load balancing rules can only be created through the template, CLI, or PowerShell (i.e. they cannot be created through the Azure Portal)

 Existing VMs cannot use IPv6 addresses – you must deploy new VM’s

 Public IPv6 addresses cannot be assigned to a VM – they can only be assigned to a load balancer

 VMs with IPv6 addresses cannot be members of an Azure Cloud Service (they can be connected to a VNet and communicate with each other over their respective IPv4 addresses)

 Private IPv6 addresses can be deployed on individual VM’s in a Resource Group but cannot be deployed into a Resource Group via Scale Sets

 NSG protection for IPv4 is supported in dual-stacked deployments. NSG’s do not apply to the IPv6 endpoints

 Changing the IdleTimeout for IPv6 is not currently supported – the default if 4 minutes

Active-Active VPN Gateway

You can now create an Azure VPN gateway in an active-active configuration, where both instances of the gateway VMs will establish S2S VPN tunnels to your on-premises VPN device, as shown the following diagram:

VPN Gateway

In this configuration, each Azure gateway instance will have a unique public IP address, and each will establish an IPsec/IKE S2S VPN tunnel to your on-premises VPN device specified in your local network gateway and connection. Note that both VPN tunnels are actually part of the same connection. You will still need to configure your on-premises VPN device to accept or establish two S2S VPN tunnels to those two Azure VPN gateway public IP addresses.

Because the Azure gateway instances are in active-active configuration, the traffic from your Azure virtual network to your on-premises network will be routed through both tunnels simultaneously, even if your on-premises VPN device may favor one tunnel over the other. Note though the same TCP or UDP flow will always traverse the same tunnel or path, unless a maintenance event happens on one of the instances.

When a planned maintenance or unplanned event happens to one gateway instance, the IPsec tunnel from that instance to your on-premises VPN device will be disconnected. The corresponding routes on your VPN devices should be removed or withdrawn automatically so that the traffic will be switched over to the other active IPsec tunnel. On the Azure side, the switch over will happen automatically from the affected instance to the active instance.

Azure DNS

Microsoft announced the general availability of Azure DNS. Customers can now host domains in Azure DNS and manage DNS records using the same credentials, APIs, tools, billing, and support as other Azure services.

Microsoft Certifications

Microsoft is streamlining its technical certifications, aligning to industry recognised areas of competence while providing flexibility to showcase your specific skills in Microsoft products and services.

Five new MCSE and MCSD specialities have been released and aligned to Centres of Excellence used by the Microsoft Partner Network to identify technical competencies that are widely recognisable by both Microsoft Partners and customers.

The five new certifications are: –

 MCSE: Cloud Platform and Infrastructure – focusing on skills validation for Windows Server and Microsoft Azure

 MCSE: Mobility – focusing on skills validation for Windows Client and Enterprise Mobility Suite

 MCSE: Data Management and Analysis – focusing on skills validation for both on-premises and cloud-based Microsoft data products and services

 MCSE: Productivity – focusing on skills validation for Office 365, SharePoint, Exchange, and Skype for Business

 MCSD: App Builder – focusing on skills validation for Web and Mobile app development

To earn each of these certifications you must first earn a qualifying MCSA certification and then pass a single additional exam from a list of electives associated with the corresponding Center of Excellence.

Microsoft Certification Paths

Microsoft Certification Paths (click for full size image)

Microsoft Azure available from UK data centres

We at CoreAzure are delighted at Microsoft’s announcement in relation to the general availability of their UK data centres enabling businesses and government bodies to be able to secure information in the UK.

Notable first customers of these UK cloud services include; the Ministry of Defence, whose 230,000 employees will use Office 365 and Azure, and the South London and Maudsley NHS Foundation Trust, the largest mental health trust in the UK to name just a few.

Microsoft’s announcement to move its services to UK data centres will in our opinion enable many organisations to review their current business and IT strategies in relation to public cloud adoption in the UK.

The new facilities in Cardiff, Durham and London will host Microsoft’s Azure cloud platform and Office 365 productivity suite. Dynamics CRM Online will be added in the first half of 2017. Not every Azure service is generally available yet within the UK, but it is worth reviewing at what Microsoft Azure can offer your organisation.

The CoreAzure team pride themselves as being specialists in Microsoft Azure with an ability to maximise your existing investment in Microsoft technologies whilst realising your vision to adopt cloud.  If you are thinking of moving to Microsoft Azure, let us help you in that journey.