Microsoft recently announced that from 1st September 2022, they will stop supporting Version 1 of Azure AD Connect.
Azure AD Connect is a tool provided by Microsoft to synchronise Windows Server Active Directory environments with Azure AD. All version 1 installations of Azure AD Connect will stop working 12 months from the date they are superseded by a newer version.
We are advising that all customers running Version 1, upgrade as soon as possible to avoid any potential disruption.
Is the upgrade essential?
If you do not upgrade and continue to run a retired version of Azure AD Connect, it may unexpectedly stop working. You also might not have the latest security fixes, performance improvements, troubleshooting diagnostics tools, and service enhancements.
Your options
Cobweb can complete the upgrade to Version 2 for you through our Professional Services team who will conduct a discovery to determine the upgrade path options and recommend a course of action.
Alternatively, you may choose to carry out the upgrade internally.
To ensure you are not impacted by this change, you should implement a plan to have your existing installation of Azure AD Connect upgraded to version 2 as soon as possible.
Perform an initial discovery of the existing Azure AD Connect version and configuration
Provide recommendations on the options available for delivery of Azure AD Connect version 2
Advise on new Windows Server hardware or software required to support Azure AD Connect version 2
Perform the upgrade with support from the appropriate IT or Support teams where required.
To find out more information, book an upgrade or for any other Azure-related enquiry please fill in our contact form.
Security is always high on the agenda for any IT Administrator. New vulnerabilities and threats are being identified every day, with Microsoft reporting a rapid rise in cyber crime in the past year.
With this in mind, it is important to keep your Azure environment secured to protect your business from threats, vulnerabilities, and data breaches. Microsoft consider security a shared responsibility between themselves and their Azure customers.
Microsoft is responsible for the physical security at their Azure Datacentres. Access is only granted if there is a valid business justification, and to the specific area of the datacentre required. The entire facility perimeter is comprised of a high steel or concrete wall, with a specific access point all staff and visitors must go through. Once inside, two factor authentication with biometrics must be completed to continue to move through each area of the building. Cameras and security staff are posted all around the building, inside and out, and full metal body scans must be completed when entering and exiting the building.
For your Azure platform, there is a joint responsibility and as such Microsoft provides the necessary tools to help secure your virtual infrastructure, with the primary being Microsoft Defender for Cloud.
Microsoft Defender for Cloud is designed to help you gain an understanding and improve the overall security posture of your environment.
The tool continuously scans every Azure resource you deploy to assess the resource configuration, identifying risks and providing security hardening recommendations such as the ones shown below.
You can drill down into each recommendation, which provides a detailed justification, a list of relevant resources associated, and the remediation steps. For many of the recommendations, the tool can automatically perform the remediation task for you.
The recommendations are organised into three colour coded categories, helping you identify the most severe and critical security issues in your environment.
There are some platform designs the tool cannot account for, so consideration needs to be made when following the recommendations to ensure they are appropriate for your individual needs.
These factors include the type of workload, are the resources being assessed running in a dev/test environment or are they running a mission critical workload, and whether there are any cost implications of configuring the recommended changes.
If implementation is not required, the recommendations can be overridden so you are no longer alerted about them.
Another important feature of Microsoft Defender for Cloud is the real time threat intelligence capability.
Microsoft’s dedicated Cyber Security teams, comprising of thousands of security experts located across 70 countries, leverage Artificial Intelligence (AI) to monitor billions of signals across the Azure ecosystem every day to identify vulnerabilities, detect threats, and prevent attacks. Microsoft Defender for Cloud taps into this telemetry to help protect your workloads and provide security alerts notifying you of any potential threats.
These alerts are arranged by severity, with the highest meaning there is a high probability your environment is compromised and must be investigated as a priority, and the lowest meaning there is potential suspicious activity.
Defender for Cloud Threat Intelligence also includes anomaly detection, which is specific to your deployment. Using machine learning, it creates a baseline of normal behavioral patterns in your environment, and any activity determined to be outside of these conditions will trigger a security alert.
Other features of Defender for Cloud include analysing your resources for compliance with industry and regulatory standards, such as ISO 27001, and Azure Firewall Manager to protect your infrastructure.
Ensuring your Azure platform is secure is a shared responsibility between Microsoft and you, with Microsoft giving you the necessary tools and information required to help achieve this.
To learn more, or if you would like assistance digesting and interpreting the information provided by Microsoft Defender for Cloud in your environment contact us (hello@cobweb.com) who will be happy to put you in touch with a member of the Cobweb Azure team.
To help you get to grips with all that Teams has to offer, we’ve created a how-to guide with steps and screenshots so that you can setup Teams successfully and easily.
What's inside?
Being able to communicate easily and still have access to all your files and data is absolutely vital to remote working successfully. Microsoft Teams has incredible functionality that allows you and your employees to work together through chat, online meetings, document collaboration, file sharing and phone calls — from any device.
In the guide, you'll discover:
An Introduction to Teams Phone - Get to know Microsoft's new telephony solution, built within Microsoft Teams
How Teams Phone supports a hybrid-working setup - Understand how you can make and take calls wherever you decide to work
The features you can expect - Get to know the calling and administration features you'll find within the platform
When creating a landing zone for your new Azure resources do you have to repeat the same set of configurations on your Azure subscriptions each time? For example:
Do you create the same Resource Groups and Azure resources (such as VNETs, Subnets, Recovery Service Vaults etc.)?
Do you have to apply the same Role Based Access Control (RBAC) permissions to the Subscription or Resource Groups?
Do you have to apply the same Azure Policies to each subscription to meet a regulatory compliance or company policy? For example, apply policies to restrict deployments to approved Azure regions, VM sizes etc.
Have you wondered if there was a better way to complete this repeatable configuration? There is and it’s called Azure Blueprints.
Azure Blueprints is a Microsoft governance tool which works with Azure Policy and Azure Resource Manager (ARM) templates to define a set of Azure configurations. An Azure Blueprint can be used to expedite the deployment and build of an environment to a particular set of standards, in a repeatable way.
With Azure Blueprint you can deploy the following artifacts:
Resource Groups.
Apply subscription permissions with Role Based Access Control (RBAC).
Launch Azure Resource Manager (ARM) templates to deploy Azure resources.
Apply Azure Policies and Initiatives to lock down the subscription.
Once a Blueprint has been built and tested it can be exported and redeployed to each new subscription(s) you have in your organisation.
At the time of writing Azure Blueprints is in Preview and is expected to be released into general availability shortly.
How do Blueprints work?
The Azure Blueprint package can be built from the Azure Portal and applied to a specific subscription or to Azure Management Groups, including multiple subscriptions. Each Azure Blueprint package contains a group of artifacts, an artifact defines the deployment parameters such as Policy, Role, ARM or Resource Group.
During the build process a Blueprint will go through the following stages:
Stage 1 – Draft
Once a Blueprint has been built or changed, the Blueprint is saved as a Draft version.
Stage 2 – Published
Once the Draft version is complete the Blueprint is Published. This requires a version number and change note to be added to the Blueprint. Azure always defaults to the latest version of the Blueprint.
Stage 3 – Assigned
Once the Blueprint has been published it is ready to be assigned to either a subscription or Management Group. During the assignment process, it is possible to apply a lock to the deployed resources. There are three possible locks for an assignment:
Don’t Lock – Deployed resources can be deleted.
Do Not Delete – Deployed resources cannot be deleted, even by subscription owners; they can be modified.
Read only – Deployed resources cannot be deleted or modified, even by subscription owners.
Once the Blueprint has deployed the specified resources, permissions, and policies the Assigned Blueprints section will show the latest version of the Blueprint.
If Azure Policies have been defined in the Blueprint, the specific policies are shown in the Azure Policy section of the Azure Portal. Using the Azure Policy portal, we can see which resources are compliant or not. Azure Policy will be discussed in a future blog.
Azure Blueprints will save you time when deploying your Azure landing zones and ensure your environment meets defined standards for a consistent approach when setting up Azure subscriptions.
If you would like more information on how to use Azure Blueprints for your deployments, please contact hello@cobweb.com for a demonstration and walk-through.
An orphaned resource is a resource that is not assigned to a parent resource. It can be left behind when its parent resource is deleted or it could have been created for a temporary purpose and then left behind, such as a disk snapshot. I often find random Public IP addresses and managed disks, but no VM that they belong to. These resources have a cost, so deleting them will save money. Sometimes they have been left intentionally, such as reserving the IP address for later use or keeping the disk as a backup in case data on it is needed later, but often they are just forgotten about.
Azure has recently taken steps to address this issue and now asks if you want to delete the associated resources when you delete a VM, but it’s still worth checking to see if you have any orphaned resources in your Azure subscription. Similar to orphaned resources are…
Unused Resources
Just as orphaned resources may be costing you money, so might unused resources. The number of times I have deployed something as a test or proof of concept and then moved on to the next task, forgetting the resource is running, is too many to count. Identifying unused resources and deleting them will save you money. Thankfully I tend to check my spending frequently and can delete these resources before they cost too much, but I’m sure not everyone is as disciplined. I’ve come across resources running in Azure and no one knows what they are, what they do, who deployed them (or even if they are still an employee) or why. The only thing they do know is they are costing money and that leads into…
Good Governance
In Azure, you can set tags on almost every resource. A tag is a name and value pair that can be anything you want. I’d recommend as a minimum you set tags for “Created by” and “Created on” and ensure these are filled in accurately. Other tags to consider are project codes, cost/department codes, delete by dates, etc. Tags can be updated, so can be used for auditing purposes, but it definitely helps to know the who, what, why and when several months later as you look at the resource and wonder why it’s there and running.
Azure policies can also be applied to subscriptions that can be used to limit the size of resources that can be created and the regions they can be created in – this can save money by stopping someone from accidentally deploying an expensive resource. Policies can also be used to enforce tags, stopping the resource from being deployed if the tag hasn’t been set.
OS and Data Disks
Azure managed disks are attached to Azure VMs to provide persistent storage to the VM. All VMs must have one OS disk and may optionally have one or more data disks. Managed disks are available in several tiers, including Standard HDD, Standard SSD and Premium SSD. Microsoft recommends Premium SSD for production workloads as they have better/more consistent performance characteristics, but these are the most expensive of the three. If the VM is turned off overnight or at the weekend, the disk continues to incur cost, even though it’s not using the Premium SSD’s premium performance. If your VM is going to be stopped for a while, you can save money by converting it to a Standard HDD (cheapest) while it’s off and then back to a Premium SSD again when the VM needs to be turned back on. You can do this manually each time, but far better to script it as part of the on/off automation.
Reduce Lab and PoC Costs
This one is a bit limited use, but if you’re deploying resources into a lab or running a PoC and the resources are only needed for short periods at a time, bear in mind that it’s not just VMs that can be turned off to save money, many other resources can be too, so it’s worth searching the Microsoft documentation for each resource type that you have deployed to see if there is a way to stop or de-allocate it. Just because there is no way to do so in the Portal, doesn’t necessarily mean it can’t be done via PowerShell or the Azure CLI.
Azure Cost Management
Azure Cost Management is a tool in the Portal that can be used to drill into your Azure costs and break them down by timeframe, region, resource group, resource type or even individual resources. While using it won’t save you money itself, it lets you visualise your spending in various ways and hunt for opportunities to save money. You can create custom views and then have them emailed to you each day, week or month. This saves you from having to regularly visit the Portal to view these reports, allows you to forward them to other people who may not have access to the Portal, and also include them in presentation or reports.
Conclusion
Azure offers many ways to save money and it’s definitely worth looking into each of them to see if you can benefit. However, it can take a fair bit of time and effort to get it right and that where Cobweb can assist. We can advise on the recommended resource SKUs and tiers for your needs, the best use of Reservations and CSP Software Subscription licensing, and our cost assessments can highlight other areas where you could save money in Azure.
Last time I wrote about how Reservations can be used to save money by trading the flexibility of Azure’s pay-as-you-go (PAYG) pricing model by committing to that resource being deployed and running for a fixed term. I focused on Reserved Instances (RIs), which can reduce the cost of the compute component of an Azure VM. This time I want to focus on Azure Hybrid Benefit as an additional way to save money in Azure.
When a VM gets deployed in Azure, depending on which Operating System (OS) is chosen, the VM may cause more than one PAYG meter to tick up. Windows VMs and some Linux VMs have chargeable licenses and if SQL Server is installed on the VM, that license is chargeable too. All of these licenses will cause the relevant PAYG meters to tick up.
Just as RIs can be applied to stop the compute meter, Azure Hybrid Benefit (AHB) can be enabled to stop the OS and SQL Server meters. Unlike RIs, Azure does not manage the assignment of licenses for you – AHB must be enabled on each specific VM and the license cannot readily move from one VM to another.
AHB requires you to have unused licenses available and that those licenses meet certain eligibility requirements, so do check to ensure your licenses are valid if you plan to use AHB. One way to ensure your licenses are eligible is to purchase them through Cobweb via CSP Software Subscriptions. Licenses can be purchased for a 1- or 3-year term and have the equivalent benefits of Software Assurance. While they can be used in Azure, they can also be used for your on-premises servers, and Microsoft even allows the same license to be used twice at the same time (once on-premises and once in Azure) for up to 180 days for the purposes of migrating servers into Azure.
There are several factors that determine how much you can save when using AHB, but in general, the best savings will be made against VMs that are running 24/7, because the license meters only tick up when the VM is running. A 3-year term offers bigger equivalent monthly savings over a 1-year term and the size and family of the Azure VM will also impact the savings that can be made.
Microsoft licensing can be complex and the rules around AHB are no exception, but I will try to simplify it. For Windows Server Standard, Microsoft stipulates a minimum of 16-cores must be licensed per physical on-premises server, but that covers two instances of Windows running as VMs on that physical server. When that 16-core license is instead used with AHB, Microsoft allows it to be assigned to a single Azure VM of up to 16 vCPUs or two Azure VMs of up to 8 vCPUs each.
This means that the Windows license cost when using AHB for an 8 vCPU VM in Azure is the same price as for a 1 vCPU VM. Contrast that with PAYG licensing which is charged per vCPU that the VM has and you’ll see that bigger savings can be made over PAYG with bigger VMs that have more vCPUs – two 8 vCPU VMs using 3-year term licenses may break even after just a few months!
Due to the way SQL Server is licensed, the rules are different. There are several editions to choose from and the biggest savings usually come from highly available deployments or where disaster recovery has been configured. SQL licenses aren’t just for VM-based SQL either, they can also be assigned to other SQL services in Azure, such as Single or Elastic SQL Databases or SQL Managed Instances.
In most cases using Software Subscriptions will save money over PAYG, but it’s worth checking how big those savings will be and Cobweb can assist you with this.
Next time I will be rounding out this series of articles by covering more of the ways to save money in Azure that don’t quite deserve their own article, but are still useful to know.
Join us as we take a deeper look into Power BI, and show how you can make informed, confident business decisions by putting data-driven insights into everyone’s hands.
What you’ll learn
An introduction to Power BI, and how it can help your teams create rich, interactive data visualisations from multiple data sources and share important business insights
Case studies on how T Mobile and Blackmores use Power BI to build and share insights across their organisations
Join us as we take a deeper look into Power Apps and show how you can turn ideas into organisational solutions by enabling everyone to build custom apps that solve business challenges.
What you’ll learn
An introduction to Power Apps, and how it enables your team to easily develop mobile and web apps for any business need – even if you have no technical or development experience
Case studies on how Toyota and Ernst & Young use Power Apps to build apps for their teams
Join us as we take a deeper look into Power Automate and show how you can boost business productivity to get more done by giving everyone the ability to automate organisational processes.
What we will cover
An Introduction to Power Automate, and how it can help you streamline repetitive tasks and paperless processes
How you can start automating common business processes immediately with thousands of prebuilt templates
Case studies on how Illimity and QuoteWizard use Power Automate to connect apps and automate repetitive tasks
Recent Comments