North East Azure User Group February 2023

Azure Virtual Desktop - Jim Moyle

What's new with Azure Virtual Desktop? Recent updates and what's generally available and what's in public preview.

Generally Available

Availability Zones for Azure Virtual Desktop: with three zones available, you can select these in the GUI when creating host pools for Azure Virtual Desktop. There is also new Global Infrastructure so you can keep information in certain territories, with more regions than any other cloud.

RDP Shortpath for public networks

Have an express route into Azure using STUN/ICE protocols which will use the shortest possible path between your location and the VM.

Single sign-on and Passwordless Authentication for Azure Virtual Desktop

Supports Windows Hello, so you can log into a VM straight through, first time every time; you just need to enable this in the Microsoft Azure Portal.

FSLogix profiles disk compaction

Dynamically expanding VHDX disks will expand but they don't contract, so these disks stay at the size of the maximum amount of data they ever held, which means paying for storage space we're not using. Previously a community script could compact these, but for larger disks it needed a maintenance window. Now the disk is compacted at log off, and this is scalable across hundreds of VMs. This feature saved even more space than the community scripts did, which means people are paying less for storage in Azure. If you trust Microsoft to do the right thing then customers are more likely to put more trust in Azure.

Azure Virtual Desktop for Azure Stack HCI

This is for when you have an app that needs to be close to the VM. On-prem you can have the database and client close to each other to reduce latency, but you need a way to put Azure Virtual Desktop VMs right next to the data. It extends Azure into your datacentre so you can have VMs in your datacentre.

Public Preview

FSLogix profiles on Azure AD-joined VMs for Hybrid Users

People don't want a triad-AD, they just want Azure AD, or want to set up Azure AD in the cloud with their on-prem. SMB needs a UNC path. They are doing Kerberos ticketing and SMB with a cloud identity only.

Confidential VMs for Azure Virtual Desktop

Supports TPMv2 and other features such as encrypted memory and can live encrypt data for high security environments.

Azure Virtual Desktop Insights Update

There are more analytics available and you can get app attach data into Log Analytics.

User Policy support Intune for Multi-session

If you have an on-prem multi-session environment it is on-server. Intune only works on a client OS, and multi-session works but only on Azure, so there has been work done in Intune to make it work in this environment. You can use Intune to manage both virtual and physical assets with integration with Azure Virtual Desktop.

Roadmap

Azure Virtual Desktop integration with Private Link

Nothing is exposed on the internet; it is only available in the subscription, which helps keep everything within the network. A private endpoint is available and you don't need to hit any public IP address to make a connection.

New Web Client

Looks like the Windows App and want the look-and-feel and features to be as close as possible on all the platforms but may not release all features at the same time on all clients.

Watermarking

Can put QR codes on the screen so you can find out the connection ID of any session from a screenshot. You can change how big they are and how transparent they are, and can see from any screenshots where they came from. Will work for Desktop but will work for Remote App in the future.

Custom Image Templates

Azure Image Builder has been integrated with Azure Virtual Desktop, so you can create a custom image template with things like a language, time zone etc. and can have your own custom scripts. It is based on Packer.

Teams

Teams 2.0 will use half the resources and support multiple identities and multiple desktop identities. The old version is built on Electron and the new version is written in React using the Edge browser.

VMware workloads on Azure - Toby Brown

The cloud journey has many different endpoints. Cloud migration strategies which help accelerate migration and mitigate risk, meet the customers where they are. Redeploy as-is to cloud with Rehosting which is the least risky move to migrating existing applications. These are private and not exposed to the general internet, it is all about network and how you connect these private networks together with own datacentres where needed.

Azure VMware Solution

Gives you feature parity with an on-prem VMware stack, is essentially a VMware stack running as a first-party solution built by Microsoft and gives you the same look-and-feel as VMware workloads and use the Azure backbone to get in there. You can host your VMware workloads and puts you closer to Azure services and can deliver less than 1ms latency to those services.

You don't have to adopt a new set of skills to manage this: you can use the same VMware tools and can continue to use VMware, and services such as vSphere Client, vRealize Suite, VMware Tanzu Standard Edition and VMware SRM are being cloud-enabled by VMware.

Management via Azure Portal

Scale up and down via the Azure Portal and CLI and can simplify policy creation, drive VM performance and reduce complexity and administration and coming soon is the ability to reduce the number of cores on a host.

SKUs and Software

The SKUs are AV36, AV36P (Refresh SKU) and AV52 (Heavy SKU). There are not many workloads that AVS won't take, and it runs on industry standard Dell hardware. It isn't the latest software but is as recent as possible; this is looked after by Microsoft and the hosts are updated, with version 7.0 being supported and version 8 coming soon. There is no support for GPU but this may change in the future.

Networking

AVS runs in the Azure network. It does need ExpressRoute but can do site-to-site VPNs, although using this in production is not recommended. Can also enable a public IP on the NSX edge to pick own IPs in the components of AVS.

Storage

vSAN is used, which is quite capable, and you can stretch a cluster of vSAN clusters over two separate availability zones for customers who need high availability with stretch clusters, but then you may need to double up capacity. If you need to add storage you add another node, which will give you extra capacity, and you can use Azure NetApp Files, which is a highly scalable solution.

Security

Certified datacentres, hardware and cloud environment along with network edge security and DDoS protection. VMware security such as data encryption at rest. vSANs can have customer data protected with encryption at rest, and you can bring and manage your own master encryption key, managed via Azure Key Vault.

Migration

VMware has a tool called HCX which provides true workload mobility and can do bulk and live migration to move workloads from on-prem to Azure with no downtime. Once a VM is migrated the network is extended but it keeps the same IP addresses, so VMs can talk to each other, and you can migrate and shut down on-prem and users would be unaware of this.

Disaster Recovery

Support on-prem to AVS and AVS to AVS providing cloud disaster recovery and AVS to Azure Services for advanced cloud disaster recovery options.

Hybrid and Changes

Can have the front-end of apps in Azure to be nearer the database tier if it is there, or can consolidate or retire datacentres. Can also have app modernisation where you use Azure functionality where needed, and could provide additional capacity for an application in Azure if you need extra load for your datacentre, which can also be worldwide if needed. Can also transition from VDI on AVS to Azure Virtual Desktop. When hardware reaches end-of-life you can move into Azure, pay as you go and get rid of outdated hardware.

Benefits

Get predictable pricing or lock in pricing for 1 or 3 years. You can have workloads on-prem and in AVS without needing extra licences as long as you transition within 90 days, and can take advantage of the Azure Hybrid Benefit along with free security updates for three years, and can use existing VMware licenses to save on Azure VMware Solution.

Defender for IoT - Dean Ellerby

Security is a serious topic!
Don't let your elevator take you down!

What is IoT?

Internet of Things. Network of physical devices that exchange data such as Smart Home Devices. Smart Wearable Devices.

Operational Technology

Hardware or software whose purpose is to monitor the performance of physical devices. We rely on OT. It isn't necessarily connected to the internet, but devices can talk to each other.

What is the risk?

Someone could try a ransomware attack on an elevator but it hasn't happened yet. There was a case of a spear phishing attack on a steel mill which caused a shutdown of the blast furnace and massive damage. There was also the targeting of Bowman Dam, which was small and offline at the time. There was also ransomware on a pipeline, but they were able to disconnect. There was a water system where sodium hydroxide levels were 100x higher than normal.

Microsoft Defender for IoT

You want to be alerted to devices talking where they shouldn't be talking. Defender for IoT for OT is agentless. It can use Deep Packet Inspection on data routed via a SPAN port for Passive Monitoring (Network Traffic Analysis), and OT-aware behavioural analytics which can learn what the network does so it can let you know when stuff has changed. To monitor assets, you need capable hardware such as C5600 with 16 CPUs, 32GB RAM and 5.6TB storage, but you can't use L60 as this does not work.

You can select the Monitor interfaces for an IoT sensor to receive traffic, along with other settings, then log in via the IP address to get some information about the environment along with traffic monitoring. It can identify devices based on packets going through the network and can also raise alerts such as firmware changes. You can also say that these things are okay, so when something different happens it will alert you.
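The learn-then-alert behaviour described above, as a simplified added example (not Microsoft's implementation and not from the talk). The `Flow` record, the `Baseline` class, the addresses and the Modbus traffic are all constructed for illustration.

```python
from collections import namedtuple

# Constructed flow summary, as a passive sensor on a SPAN port might record it.
Flow = namedtuple("Flow", "src dst proto port")


class Baseline:
    """Learns who talks to whom during learning mode, then flags deviations."""

    def __init__(self):
        self.learning = True
        self.allowed = set()   # conversations seen while learning, or approved later
        self.devices = set()   # every address seen so far

    def observe(self, flow):
        """Return the alerts raised by this flow (always empty while learning)."""
        key = tuple(flow)
        if self.learning:
            self.allowed.add(key)
            self.devices.update((flow.src, flow.dst))
            return []
        alerts = []
        for addr in (flow.src, flow.dst):
            if addr not in self.devices:
                alerts.append(f"new device on network: {addr}")
                self.devices.add(addr)
        if key not in self.allowed:
            alerts.append(
                f"unexpected conversation: {flow.src} -> {flow.dst} "
                f"{flow.proto}/{flow.port}")
        return alerts

    def approve(self, flow):
        """Operator marks a conversation as okay so it stops alerting."""
        self.allowed.add(tuple(flow))


def run_demo():
    sensor = Baseline()
    learned = [Flow("10.0.0.5", "10.0.0.20", "modbus", 502),
               Flow("10.0.0.6", "10.0.0.20", "modbus", 502)]
    for flow in learned:
        sensor.observe(flow)
    sensor.learning = False                      # learning mode ends
    known = sensor.observe(learned[0])           # baseline traffic stays quiet
    odd = Flow("10.0.0.99", "10.0.0.20", "modbus", 502)
    first = sensor.observe(odd)                  # unknown device, unknown conversation
    sensor.approve(odd)
    second = sensor.observe(odd)                 # approved, so quiet again
    return known, first, second


if __name__ == "__main__":
    print(run_demo())
```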

Microsoft Defender for IoT in Azure

You can go into the Azure portal and see the information there more easily, and amalgamate IoT sensors into one. You don't need to go to the sensor; you can publish the information to Azure and grant access to this information. You pay $140 per month per 100 monitored devices or $1680 per year per 100 monitored devices, but this pricing will probably change.

IoT/OT Risk Assessment

You can play PCAP files of up to 2GB: upload a capture of the network to a server that is nowhere near it and play this in the environment, and you can also generate a risk assessment, which contains CVEs. Everything is alerted out of the box and learning mode is 2-6 weeks, so it knows what happens in the environment. You can get event timelines with general analytics, but the local sensor will have more information about timelines, with the Event timeline showing when events took place.