This Inside Azure Management E-Book is a Must Have for All Azure Cloud Administrators! It’s made by Great Microsoft Most Valuable Professionals (MVP’s)
who are working always with Microsoft Azure Cloud Services.You can download this Awesome Inside Azure Management E-Book here.
This blogpost is about the Microsoft Azure Migrate tool in the Cloud doing Azure Migrate assessments to see if your on-premises Datacenter is ready for Azure Cloud Services. Before you migrate your workloads with Azure Migrate to the Microsoft Azure Cloud, you want to know the costs before the migration and what your options are in the transition. For example when you have hardware in your on-premises Datacenter which is too high qua hardware specs like Memory, CPU and storage and you can do with less Compute power, then the performance assessments are really interesting. From here you see a step-by-step guide for VMWare workload assessment(s) to Azure Cloud.
Azure Migrate preparation for VMware workload
When you search for ‘Azure Migrate’in your Azure Subscription and click on the services you will see the Azure Migrate Overview screen. When you don’t have a Microsoft Azure subscription yet, you can get one here
Click on Assess and Migrate Servers.
Before we go further with the server migration assessments for VMware, there are more Azure Migration tools available to do assessments and migrations like the following goals :
For Databases Microsoft Azure Migrate uses the Data Migration Assistant for the Assessment and the Data migration to Azure SQL Cloud.
The Data Migration Assistant (DMA) helps you upgrade to a modern data platform by detecting compatibility issues that can impact database functionality in your new version of SQL Server or Azure SQL Database. DMA recommends performance and reliability improvements for your target environment and allows you to move your schema, data, and uncontained objects from your source server to your target server.
To identify the right Azure SQL Database / Managed Instance SKU for your on-premises Database you can use the CLI with a Script :
When you have a Virtual Desktop Infrastructure on-premises and you want to migrate to Windows Virtual Desktop (WVD) you can use this Azure Migrate tool :
ISV Lakeside with SysTrack
You can vote for the tools or scenarios that you would like to be integrated with Azure Migrate via this Online form
When you are in the beginning of your Cloud Transition journey, what will go first to the Cloud?
On-premises mail to Microsoft Office 365
File Server Clusters to Office 365 into Teams, Onedrive for Business
From Apps On-premises to SaaS or Paas solutions
From On-premises Websites to Azure Cloud Solutions like Azure Web App.
From SQL Clusters On-Premises to Azure SQL Managed Instances in the Cloud
And at last Migrate Servers to Azure IaaS
Of course there are much more scenarios like Lift and Shift or modernize your workload in the Cloud like moving to Azure Kubernetes Servicesfor example instead of IaaS Virtual Machines.
So when you want to start moving your On-premises Website(s) or WebApp, Microsoft Azure Migrate Services has a tool for that too :
At last when you have to move a big enterprise On-premises Datacenter to the Azure Cloud with a lot of Servers for example 10.000, you can use Azure Data Box Migration The Microsoft Azure Data Box cloud solution lets you send terabytes of data into Azure in a quick, inexpensive, and reliable way. The secure data transfer is accelerated by shipping you a proprietary Data Box storage device. Each storage device has a maximum usable storage capacity of 80 TB and is transported to your datacenter through a regional carrier. The device has a rugged casing to protect and secure data during the transit.
Microsoft Azure Migrate assessment for VMware platform
First we make the Azure Migrate Project ready in the Microsoft Azure Portal.
Select the right Azure Subscription and Resource group to collect the metadata reported by your On-premises environment. Give your Migrate project a name and select the geography.
Here you can select from different Assessment Tools Select Azure Migrate Server Assessment
Here you can select from different Migration Tools Select Azure Migrate Server Migration
Add your Tools in the Azure Portal.
Here you see both Microsoft Azure Migrate tools for the Assessment and the Migration as well.
We are going for the Assessment quick start, so click on discover
From here we select with VMware vShere Hypervisor, so you can download the Azure Migrate Appliance for VMware ( 12GB Ova file).
You can also work with an Import CSV file but that’s Preview.
When you have installed the Microsoft Azure Migrate Virtual Appliance for VMware successfully in your environment and has access to all the Virtual Machines then you can run the setup in the Appliance to make connectivity with your Azure subscription.
This will check all the prerequisites and get the updates.
Getting access to vCenter Server with the right permissions.
Now when your Azure Migrate Virtual Appliance for VMware is ready and collecting metadata, we see in the Microsoft Azure Portal the discovery running :
Discovery is in Progress.
After a view minutes we have discovered the Servers running on VMware platform On-premises.
Discovered Servers
Now we have the Servers in our metadata, we can do the Assessment(s) to get all the information we want for preparing to migrate to Azure Cloud Services. Click on Assess.
From here you give the Assessment a name and then you go to the properties of the assessment by clicking on View All
Here you can set the parameters for the assessment for example based on :
Reserved instances
Storage types
Sizing criterion like Performance-Based
Percentile Utilization
Azure VM series to use
Discount
VM Uptime
Offer pricing like Enterprise Agreement Support or Pay-As-You-Go
Hybrid Benefit offer.
Here I made different Azure Migrate Assessment groups with different parameters to see the difference in Costs.
Here you see for example Migrate As Is On-Premises and Performance-Based, but also an Azure Migrate Assessment without SQL Cluster Nodes. In this way you can make your own Azure Migrate Assessment with all your Servers or just a view Servers of your On-premises solution which you want to Migrate to Azure Cloud Services.
Overview of your Azure Migrate Assessment
Server is ready for migration
Server Ready but with conditions
Microsoft Azure Migrate gives you all the information to make the right decisions to migrate you workload from VMware to Microsoft Azure Cloud. When the Azure Migrate Assessment(s) are ready you can make a CSV export file to check the information before you migrate.
Overview of the Azure Migrate Assessment
Azure Migrate Assessment based on Performance for the VM
and there is a separated tab for Storage.
When your assessment is done, you can do the migration by replicating them to Microsoft Azure.
Microsoft Azure Migrate gives you insight information about your own On-Premises Datacenter by doing assessments to get the right migration information to move to Microsoft Azure Cloud. It gives you Azure Cloud costs before you do any migration at all, based on Total Cost of Owner (TCO) ship you can calculate if your solution in the Microsoft Azure Cloud is cheaper or not. Realize that’s it is not always about the money but also :
Innovations
Time to market
New Features
Flexibility
Scalability
Availability
Not owning hardware anymore
Less management (Hardware)
Hope this blog post helps you by your transition journey to Microsoft Azure Cloud
Microsoft Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.
Collect data at cloud scale across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds.
Detect previously undetected threats, and minimize false positives using Microsoft’s analytics and unparalleled threat intelligence.
Investigate threats with artificial intelligence, and hunt for suspicious activities at scale, tapping into years of cyber security work at Microsoft.
Respond to incidents rapidly with built-in orchestration and automation of common tasks.
In the following step-by-step guide you get a global overview of Azure Sentinel :
When you have your Azure Sentinel Solutions in place with alerting rules and telemetry and analytics is coming to your workspace, Hunting is the next Threat management tool :
Azure sentinel Hunting
Working with Tags and Collaborate with Teammates
Launch Investigations and Bookmark
Working with Azure Notebooks for Azure Sentinel
Welcome to the Azure Sentinel repository! This repository contains out of the box detections, exploration queries, hunting queries, dashboards and playbooks to help you get ramped up with Azure Sentinel and provide you security content to secure your environment and hunt for threats. You can also submit any issues or feature requests as you onboard to Azure Sentinel. For questions and feedback, please contact AzureSentinel@microsoft.com
Get started from here to Configure your Azure Sentinel Environment
Choose your Data Collections for Azure Sentinel Security
Lot of Choice already Build-in for you.
From here you can make your own Azure Sentinel Analytics Alert Rules.
Alert Rules
Create Alert rules with the right mappings, triggers, and scheduling, response automation.
Add your own playbooks for your Security
Unlock the power of AI for security with Machine Learning
Machine Learning in Azure Sentinel is built-in right from the beginning. We have thoughtfully designed the system with ML innovations aimed to make security analysts, security data scientists and engineers productive. One such innovation is Azure Sentinel Fusion built especially to reduce alert fatigue.
Building your Full Screen Dashboard for Monitoring
More information about Azure Sentinel Intelligent Security :
When you have your Hybrid Cloud Enterprise Design ready in a Microsoft HUB-Spoke model and your Security in place, you can do your optimize on your Azure workloads and keep up-to-date for your compliancy. Microsoft Azure Security Center can support you in Security and Compliancy (GDPR). Here you see my former blogposts about Microsoft Azure HUB-Spoke model architecture and Security by design :
Security in software is always on the move and changing in this world, when you think you are ready something has changed already. That’s why I love Microsoft Azure Security Center to keep you posted and giving you advise on Security but also on Compliancy.
From here you see a high-level overview of these new possibilities in Microsoft Azure Security Center :
Security Center Overview
Microsoft Azure Security Center is working with the following navigation menu’s on the left :
General
Policy & Compliance
Resource Security Hygiene
Advanced Cloud Defense
Threat Protection
Automation & Orchestration
Microsoft Azure Secure Score Dashboard
Microsoft Azure Security Center is working with Overall Secure Score. In my Test LAB we have some work to do 😉
The Azure secure score reviews your security recommendations and prioritizes them for you, so you know which recommendations to perform first. This helps you find the most serious security vulnerabilities so you can prioritize investigation. Secure score is a tool that helps you assess your workload security posture. Improve your secure score in Azure Security Center
Azure Security Center Recommendations
Microsoft Azure Security Center gives you advise to make your Security Score higher and you can improve immediately.
Open Subnet without NSG.
From here you can Enable a Network Security Group (NSG) on the Subnet and make your network more secure.
Creating NSG from Azure Security Center.
A subnet with NSG.
Azure Security Center Advise on Disk Encryption
Description on Applying Disk Encryption on your Virtual Machines
General Information, with Impact and Implementation Cost.
Threats, what can happen when you don’t implement the security.
Security is a on-going process 24 hours -365 days to monitor, analyze, and prevent security issues. Working on Compliancy for your Business and making your own Security policies is important. Microsoft Azure Security Center can support you in this journey. When you Optimize your Azure workloads or make new solutions in Azure, keep it secure with Microsoft Azure Security Center.
Create a Terraform configuration file
In this section, you create a file that contains resource definitions for your infrastructure.
Create a new file named main.tf.
Copy following sample resource definitions into the newly created main.tf file:
resource “azurerm_resource_group” “test” {
name = “acctestrg”
location = “West US 2”
}
Hybrid security – Get a unified view of security across all of your on-premises and cloud workloads. Apply security policies and continuously assess the security of your hybrid cloud workloads to ensure compliance with security standards. Collect, search, and analyze security data from a variety of sources, including firewalls and other partner solutions. Advanced threat detection – Use advanced analytics and the Microsoft Intelligent Security Graph to get an edge over evolving cyber-attacks. Leverage built-in behavioral analytics and machine learning to identify attacks and zero-day exploits. Monitor networks, machines, and cloud services for incoming attacks and post-breach activity. Streamline investigation with interactive tools and contextual threat intelligence. Access and application controls – Block malware and other unwanted applications by applying whitelisting recommendations adapted to your specific workloads and powered by machine learning. Reduce the network attack surface with just-in-time, controlled access to management ports on Azure VMs, drastically reducing exposure to brute force and other network attacks.
To add On-premises Servers
When your workspace is added :
+ Add Computers
Download the right agent for Windows or Linux
When you installed the agent you need the workspace ID and the key to finish the connection.
When your Server doesn’t have a Internet connection you can work with the OMS Gateway.
When you have installed Microsoft Visual Studio Code which is Free and Open Source with Git integration, Debugging and lot of Extensions available,
You activate the Microsoft Azure App Service extension in VSC.
Azure App Service Extension
You can install really easy more Azure Extensions here.
On the Left you will see your Azure Subscription and by pushing the + you will create a new Azure WebApp.
After this it will install your Microsoft Azure Web App in the Cloud in a couple of seconds 🙂
When you open the Azure Portal you will see your App Service plan running.
From here you can configure your Azure Web App for Continues Delivery, and use different tools like VSC, Kudu or Azure App Service Editor.
Azure Web Apps enables you to build and host web applications in the programming language of your choice without managing infrastructure. It offers auto-scaling and high availability, supports both Windows and Linux, and enables automated deployments from GitHub, Visual Studio Team Services, or any Git repo.
And to come back at Microsoft Visual Studio Code, you can manage and Build your Azure Web App from here too :
Azure Web App Services in VSC
Hope this first step by step Guide is useful for you to start with Microsoft Azure Web App and Visual Studio Code to make your Pipeline.
More Information at Visual Studio Code
SCVMM 1801 supports management of ARM-based VMs, Azure Active Directory (AD) based authentication that is created by using the new Azure portal and region-specific Azure subscriptions (namely, Germany, China, US Government Azure regions).
What is New in System Center Data Protection Manager version 1801 ?
The following features are either new to DPM, or are improved for DPM 2016.
Modern Backup Storage – Using Resilient File System (ReFS) block-cloning technology to store incremental backups, DPM 2016 dramatically improves storage utilization and performance. The storage consumed by backups grows and shrinks with the production data source, and there is no over-allocation of storage. Resilient change tracking (RCT) – DPM uses RCT (the native change tracking in Hyper-V), which removes the need for time-consuming consistency checks. RCT provides better resiliency than the change tracking provided by VSS snapshot-based backups. DPM also uses RCT for incremental backup. It identifies VHD changes for virtual machines, and transfers only those blocks that are indicated by the change tracker.
Continued protection during cluster aware updates – Windows Server 2016 comes with the cluster OS rolling update, where a cluster can be upgraded to Windows Server 2016 without bringing it down. DPM 2016 continues to protect VMs during the upgrade, maintaining the backup service level agreement (SLA). Shielded VM Backups – Shielded VMs in Windows Server 2016 help protect sensitive VMs from inspection, tampering, and data theft by malware and malicious administrators. DPM 2016 backups retain the protections provided by shielded VMs to ensure they can be recovered seamlessly and securely. Hyper-V with Storage Spaces Direct – DPM recognizes and protects Hyper-V VMs deployed on Storage Spaces Direct, delivering seamless backup and recovery of VMs in disaggregated and hyper-converged scenarios.
Hyper-V with ReFS SOFS Cluster – DPM 2016 can back up Hyper-V VMs deployed on ReFS-based SOFS clusters. Backup and recovery of RCT-based VMs and non-RCT VMs is supported. Upgrading a DPM production server to 2016 doesn’t require a reboot – When you upgrade to DPM 2016, you are not required to reboot the production server. To avoid rebooting the production server, upgrade to DPM 2016 and upgrade the DPM agent on the production servers. Backups continue and you reboot the production server when you want.
What is New in System Center Operations Manager version 1801 ?
Enter product key from the Operation Console
Linux monitoring
Improved HTML5 dashboarding experience
System Center Visual Studio Authoring Extension (VSAE) support for Visual Studio 2017
Enhanced SDK Client performance
Updates and recommendations for third-party Management Packs
Linux Kerberos support
Service Map integration
Microsoft Service Map automatically discovers application components on Windows and Linux systems and maps the communication between services. It automatically builds a common reference map of dependencies across your servers, processes, and third-party services. Integration between Service Map and System Center Operations Manager allows you to automatically create distributed application diagrams in Operations Manager that are based on the dynamic dependency maps in Service Map.
The Server Core container image has been further optimized for lift-and-shift scenarios where you can migrate existing code bases or applications into containers with minimal changes, and it’s also 60% smaller.
The Nano Server container image is nearly 80% smaller.
In the Windows Server Semi-Annual Channel, Nano Server as a container base OS image is decreased from 390 MB to 80 MB.
Check out Project Honolulu for a simplified, integrated, secure experience to help IT administrators manage core troubleshooting, configuration, and maintenance scenarios. Project Honolulu includes next generation tooling with a simplified, integrated, secure, and extensible interface. Project Honolulu includes an intuitive all-new management experience for managing PCs, Windows servers, Failover Clusters, as well as hyper-converged infrastructure based on Storage Spaces Direct, reducing operational costs.
Compute
Nano Container and Server Core Container: First and foremost, this release is about driving application innovation. Nano Server, or Nano as Host is deprecated and replaced by Nano Container, which is Nano running as a container image.
Server Core as a container (and infrastructure) host, provides better flexibility, density and performance for existing applications under a modernization process and brands new apps developed already using the cloud model.
VM Load Balancing is also improved with OS and Application awareness, ensuring optimal load balancing and application performance. Storage-class memory support for VMs enables NTFS-formatted direct access volumes to be created on non-volatile DIMMs and exposed to Hyper-V VMs. This enables Hyper-V VMs to leverage the low-latency performance benefits of storage-class memory devices.
Storage-class memory support for VMs enables NTFS-formatted direct access volumes to be created on non-volatile DIMMs and exposed to Hyper-V VMs. This enables Hyper-V VMs to leverage the low-latency performance benefits of storage-class memory devices. Virtualized Persistent Memory (vPMEM) is enabled by creating a VHD file (.vhdpmem) on a direct access volume on a host, adding a vPMEM Controller to a VM, and adding the created device (.vhdpmem) to a VM. Using vhdpmem files on direct access volumes on a host to back vPMEM enables allocation flexibility and leverages a familiar management model for adding disks to VMs.
Virtualized Persistent Memory (vPMEM) is enabled by creating a VHD file (.vhdpmem) on a direct access volume on a host, adding a vPMEM Controller to a VM, and adding the created device (.vhdpmem) to a VM. Using vhdpmem files on direct access volumes on a host to back vPMEM enables allocation flexibility and leverages a familiar management model for adding disks to VMs.
Container storage – persistent data volumes on cluster shared volumes (CSV). In Windows Server, version 1709 as well as Windows Server 2016 with the latest updates, we’ve added support for containers to access persistent data volumes located on CSVs, including CSVs on Storage Spaces Direct. This gives the application container persistent access to the volume no matter which cluster node the container instance is running on. For more info, see Container Storage Support with Cluster Shared Volumes (CSV), Storage Spaces Direct (S2D), SMB Global Mapping.
Container storage – persistent data volumes with SMB global mapping. In Windows Server, version 1709 we’ve added support for mapping an SMB file share to a drive letter inside a container – this is called SMB global mapping. This mapped drive is then accessible to all users on the local server so that container I/O on the data volume can go through the mounted drive to the underlying file share. For more info, see Container Storage Support with Cluster Shared Volumes (CSV), Storage Spaces Direct (S2D), SMB Global Mapping.
Security and Assurance
Windows security baselines have been updated for Windows Server and Windows 10. A security baselineis a group of Microsoft-recommended configuration settings and explains their security impact. For more information, and to download the Policy Analyzer tool, see Microsoft Security Compliance Toolkit 1.0.
Network encryption enables you to quickly encrypt network segments on software-defined networking infrastructure to meet security and compliance needs.
Host Guardian Service (HGS) as a shielded VM is enabled. Prior to this release, the recommendation was to deploy a 3-node physical cluster. While this ensures the HGS environment is not compromised by an administrator, it was often cost prohibitive.
Storage Replica: The disaster recovery protection added by Storage Replica in Windows Server 2016 is now expanded to include:
Test failover: the option to mount the destination storage is now possible through the test failover feature. You can mount a snapshot of the replicated storage on destination nodes temporarily for testing or backup purposes. For more information, see Frequently Asked Questions about Storage Replica.
Project Honolulu support: Support for graphical management of server to server replication is now available in Project Honolulu. This removes the requirement to use PowerShell to manage a common disaster protection workload.
SMB2/SMB3 security and compatibility: Additional options for security and application compatibility were added, including the ability to disable oplocks in SMB2 for legacy applications, as well as require signing or encryption on per-connection basis from a client. For more information, review the SMBShare PowerShell module help.
Data Deduplication:
Data Deduplication now supports ReFS: You no longer must choose between the advantages of a modern file system with ReFS and the Data Deduplication: now, you can enable Data Deduplication wherever you can enable ReFS. Increase storage efficiency by upwards of 95% with ReFS.
DataPort API for optimized ingress/egress to deduplicated volumes: Developers can now take advantage of the knowledge Data Deduplication has about how to store data efficiently to move data between volumes, servers, and clusters efficiently.
Remote Desktop Services (RDS)
RDS is integrated with Azure AD, so customers can leverage Conditional Access policies, Multifactor Authentication, Integrated authentication with other SaaS Apps using Azure AD, and many more. For more information, see Integrate Azure AD Domain Services with your RDS deployment.
Windows Networking at Parity with Linux for Kubernetes: Windows is now on par with Linux in terms of networking. Customers can deploy mixed-OS, Kubernetes clusters in any environment including Azure, on-premises, and on 3rd-party cloud stacks with the same network primitives and topologies supported on Linux without the need for any workarounds or switch extensions.
TCP Fast Open (TFO): Support for TFO has been added to optimize the TCP 3-way handshake process. TFO establishes a secure TFO cookie in the first connection using a standard 3-way handshake. Subsequent connections to the same server use the TFO cookie instead of a 3-way handshake to connect with zero round trip time.
CUBIC: Experimental Windows native implementation of CUBIC, a TCP congestion control algorithm is available. The following commands enable or disable CUBIC, respectively.
netsh int tcp set supplemental template=internet congestionprovider=cubic
netsh int tcp set supplemental template=internet congestionprovider=compound
Receive Window Autotuning: TCP autotuning logic computes the “receive window” parameter of a TCP connection. High speed and/or long delay connections need this algorithm to achieve good performance characteristics. In this release, the algorithm is modified to use a step function to converge on the maximum receive window value for a given connection.
TCP stats API: A new API is introduced called SIO_TCP_INFO. SIO_TCP_INFO allows developers to query rich information on individual TCP connections using a socket option.
IPv6: There are multiple improvements in IPv6 in this release.
RFC 6106 support: RFC 6106 which allows for DNS configuration through router advertisements (RAs). You can use the following command to enable or disable RFC 6106 support:
netsh int ipv6 set interface <ifindex> rabaseddnsconfig=<enabled | disabled>
Flow Labels: Beginning with the Creators Update, outbound TCP and UDP packets over IPv6 have this field set to a hash of the 5-tuple (Src IP, Dst IP, Src Port, Dst Port). This will make IPv6 only datacenters doing load balancing or flow classification more efficient. To enable flowlabels:
netsh int ipv6 set flowlabel=[disabled|enabled] (enabled by default)
netsh int ipv6 set global flowlabel=<enabled | disabled>
ISATAP and 6to4: As a step towards future deprecation, the Creators Update will have these technologies disabled by default.
Dead Gateway Detection (DGD): The DGD algorithm automatically transitions connections over to another gateway when the current gateway is unreachable. In this release, the algorithm is improved to periodically re-probe the network environment.
Test-NetConnection is a built-in cmdlet in Windows PowerShell that performs a variety of network diagnostics. In this release we have enhanced the cmdlet to provide detailed information about both route selection as well as source address selection.
Software Defined Networking
Virtual Network Encryption is a new feature that provides the ability for the virtual network traffic to be encrypted between Virtual Machines that communicate with each other within subnets that are marked as “Encryption Enabled”. This feature utilizes Datagram Transport Layer Security (DTLS) on the virtual subnet to encrypt the packets. DTLS provides protection against eavesdropping, tampering and forgery by anyone with access to the physical network.
Windows 10 VPN
Pre-Logon Infrastructure Tunnels. By default, Windows 10 VPN does not automatically create Infrastructure Tunnels when users are not logged on to their computer or device. You can configure Windows 10 VPN to automatically create Pre-Logon Infrastructure Tunnels by using the Device Tunnel (prelogon) feature in the VPN profile.
Management of Remote Computers and Devices. You can manage Windows 10 VPN clients by configuring the Device Tunnel (prelogon) feature in the VPN profile. In addition, you must configure the VPN connection to dynamically register the IP addresses that are assigned to the VPN interface with internal DNS services.
Specify Pre-Logon Gateways. You can specify Pre-Logon Gateways with the Device Tunnel (prelogon) feature in the VPN profile, combined with traffic filters to control which management systems on the corporate network are accessible via the device tunnel.
