Hello, everyone, and welcome back to another edition of Wired for Hybrid. This is the December 2023 edition, so happy holidays to all of you. Today we're going to talk about Azure Monitor Agent. We're going to talk about Express Route. We're going to talk about a whole bunch of stuff, so stay tuned.

Hey, Michael. Hey, Pierre. How are you? I'm good. What happened last month? What happened? Where did we go? I can't even believe it's already December. This fall has been crazy. We had Ignite, and then in the U.S. we've got the Thanksgiving holiday. I took some time off, and I know you had time off. I was in Mexico on a beach. Yeah, very cool. We ended up just pushing this to the end to rush it. It actually works out pretty well because, as people may or may not know, it's not that nobody works in December. It's just that towards the end of the year, we don't push anything to production in December. From a production standpoint, you're never going to see new features really released in December. That's not really going to happen unless it's a black swan event or something. We figured, let's just roll up everything for the rest of the year into the episode that we have for you today. Then when we come back in January, chances are we may or may not have something new released, but Pierre and I have some ideas we've been talking about, so we'll definitely have some cool content for you going into the new year. Absolutely.

Which one do you want to do first? Why don't we talk about one of my favorite services, Azure Virtual Network Manager. Many of you that listen and follow the show have probably seen the deep dive with Andrea, and you've heard us talk about this on a number of occasions. At Ignite this year, Virtual Network Manager's security admin rules went generally available for a select set of regions. It's not fully 100% GA everywhere that Virtual Network Manager is.
We're still stepping into it; we've got a number of regions, and we've got a link to the documentation. When you go to the Virtual Network Manager documentation, there'll be a note saying what's still in public preview, what's GA, and also what regions it's available in. For just a quick recap, remember, with security admin rules in Virtual Network Manager, what that allows you to do is centralize your security policies across your organization. It allows you to basically create network groups; then you can group your virtual networks and, in one place, apply a policy. Let's say you want to block SSH in your entire organization. Try doing that with NSGs. That's a lot of work. You can absolutely do it, and customers are doing it, but with Virtual Network Manager, you set it in one place and it applies across your organization, to everything that you have covered by Virtual Network Manager. The beauty of it is that when you bring in new virtual networks and they're managed by AVNM, which is the acronym for Azure Virtual Network Manager, they will automatically be brought in. It really allows you to streamline. We're really excited that we're finally getting this out to some regions as GA. Hopefully, sometime this spring, we'll have mesh topology going GA as well. I'm expecting by summer that the full product, everything in it, is going to be GA for most of the regions that it's currently in.

The thing that I love the most about the admin rules, I think, is that in a large-footprint organization, when you have different departments and different owners, there might be 100 different people that will deploy virtual networks for testing, for development, for campaigns or workloads that are short-lived, and so on. What if one of those people wants to spin up a new VM on a network and then they enable SSH, and you've decided that it's not going to apply in our environment because of security concerns or whatever it may be?
Well, now that rule applies to their network, but they can't change it, even though they own the virtual network that they've just created. They may be the owner of that resource, but they can't change that resource, that NSG. To me, that's really good for central IT to maintain control over everything. Absolutely.

Kind of related to it, but a little bit different, is one of the other things you can also do with security admin rules. This has been something we've heard from our customers that they weren't quite sure of, so we've made some changes in the documentation to hopefully highlight it: the ability to create exceptions. Let's say we have SSH blocked across the environment as a blanket rule. However, we have a set of virtual networks that is used by, say, an application team, and in order to manage their applications, they need to use SSH. Through priorities, we can create a rule there, and then what you can do is centralize your global policies with security admin rules, but still allow those groups, at the NIC or the subnet level, to use NSGs to manage their environment. But that's exception-based, so central IT still maintains control. Exactly. We are still maintaining control. Yep. No, I can't wait for this to be worldwide and everywhere. Yeah, it's a cool product.

So what have you got for me? Yeah, so I'm going to start with one of the areas that I've been concentrating on lately, which is Azure Monitor. So now there is integration between Azure Monitor, the agents really, and Connection Monitor. So if we're looking at monitoring a virtual network, for everything else we've said, hey, go to Azure Monitor, everything's there. And then in Azure Monitor, down in the menu, there's Network Watcher and Connection Troubleshooter and stuff like that, which takes you to the Network Watcher application.
Now the integration has been done, so that Connection Monitor will detect network connectivity performance in real time and provide the packet loss and latency to Azure Monitor, to actually allow you to localize where the offending network is or where the problem is. So that makes your time to resolve any networking issue much, much shorter. Because it's now integrated with Azure Monitor, alerting is a lot easier. It applies to Arc-enabled machines, to Azure VMs or Azure virtual networks, and to on-prem machines or environments as sources and destinations. And it also enhances your security through managed identity, so you can manage identity in terms of Azure AD tokens and stuff like that. And there is still more on the roadmap. So check out the announcement in the show notes below for what's coming in terms of integration. They've done some of it, but there's more to come.

The one thing that I'm super happy about is seeing that we're now consolidating all of the monitoring functions under one umbrella, as opposed to having to go to Network Watcher for your network and VM Insights for your VM. It's all going to be visible and exposed in a single pane of glass in Azure Monitor. And everything that's in Azure Monitor, the reporting, alerting, dashboarding and so on, can now basically be brought up in one location. That's awesome. I mean, I can see a lot of people out there just being like, okay, thank you for finally bringing these things together. Because we hear that all the time: I've got to go over here, I've got to go over here, I've got to go over here. Bringing this monitoring together for networking is so critical. And it's not just for making sure your users get to their applications. Proper networking is necessary for your security as well, and basically for your business showing up. So all very cool stuff. And definitely look forward to continued integrations with all of these inside Azure Monitor.
So if all of you out there are looking for something new to spend some time on next year, Azure Monitor is probably a tool that, if you haven't spent time with it, you need to skill up on. So in the show notes, we'll make sure to leave some links to some good articles and some training guides on Microsoft Learn to get you started with Azure Monitor. Absolutely. Absolutely.

All right. What's your second item? So my second item, I actually have two, and they're both related to Express Route. The first one is Express Route Direct and circuits in different subscriptions. This was announced at Ignite. So now with Express Route Direct, customers are going to be able to manage their network costs by connecting across subscriptions, so they can have one Express Route Direct port for their connectivity, but then they can have multiple circuits going across their subscriptions. Previously, you had to have the circuit and the Direct port within the same subscription. And then you did some funky stuff with authorizations and some other virtual networks and probably stood on your head and tapped your heels twice and made it happen. Now you have the ability to do that across subscriptions. For those of you that need a quick recap, remember Express Route Direct is the service that gets you directly into the Microsoft cloud. This is going to give you either 10 or 100 gigabits per second into Azure. So this is going to be for your really big workloads, where you're pushing a lot of data or you just have a lot of clients and things like that. It does require more, and it's going to be pricier if you look at the price sheet; it is pretty pricey, but for the organizations that need this, it's probably worthwhile. It does require you to have an Express Route Direct port and then the Express Route circuit that goes with it, and that's going to be the Express Route Premium circuit that goes with that.
But then you can only have one, and you can have multiple subscriptions, as opposed to having one per subscription. So really, is it more expensive, or is it just... I don't know, I haven't done the math. Yeah, I haven't done the math either, but I would assume from a cost standpoint it's probably going to be better for you, because there probably are people that have put out multiple because they needed them in multiple subscriptions, or they couldn't figure out how to get them connected. But at least it's going to centralize, be able to centralize that, so that you can manage the security of your Express Route Direct port in a single place. So we've got some good articles for you that you can check out on that.

And then the second, going along with this on Express Route: Express Route is now a trusted service in Azure. So what that means is that oftentimes there are services that you can't apply certain policies to. It's simply the way things work in networking; some policies don't apply. So with trusted service, this allows you to store your secrets for Express Route connections in Azure in a Key Vault, and have that locked down and not available publicly. But Express Route can still get to those and use the connectivity access keys and names to make those connections, which I think is very similar to what you were mentioning with Azure Monitor. This really continues one of the things we talk about in almost every show: we continue not just to push out new products, but to push out features that make it easier for you to connect your hybrid environment in a secure way. So this is just another one of those tools in your toolbox, if you're an Express Route customer, to be able to maintain your secrets inside of Azure Key Vault. Yeah. Anytime you can put your password, certificate, secrets of any kind in a Key Vault, it's so much better than...
I was reading an article not too long ago about a scan for secrets in public repos. Not a great idea. Anyway, this one is consolidating all of the secrets across all of Azure in the Key Vault. It's not complete yet; we haven't consolidated everything, but we're working towards that. So that's fantastic. Very good.

So what else have you got on the horizon? Okay, I've got a couple more, but let's go for one which is short and sweet. It's not a huge change, but it is one that will have significant impact, which is using a common port for private and public listeners when you're using an Application Gateway. Because normally what you would have to do, if you had an Application Gateway with listeners, is you have a port on the public side and a port on the private side, but you couldn't use the same one. So you'd end up using the standard port on one, and then you'd make up a high port, kind of a non-standard port, for the outside. But anytime you're using non-standard stuff, you have to document it somewhere, because somebody else is going to have to look at it. The people on the other end that are building the application have to know what port you're using. But now, GA this month or last month, you can have that same port both internally and externally. So configuring the same port for public and private listeners on your Application Gateway gives you an easy single Application Gateway deployment method, both internet-facing and internal-facing. So you don't need to use those standard or non-standard ports for your back-end application. Not a huge change, but significant in terms of not having to manage non-standard stuff all over the place. Absolutely. That's awesome. That's good stuff. You continue to make people's lives easier.
That's what you and I are here for: to make the lives of all of you out there easier. And all of you can make it easier by hitting the like button and letting us know what you want to hear. Yes, absolutely.

And my last one is one of our regulars, the web application firewall, the Application Gateway web application firewall. You now have a rate limiter. What that means is you can assign and configure a rate limit on your regional web application firewall, running on the Application Gateway, and it allows you to detect and block a type of traffic that's abnormally high. So you're not sure if it's a DDoS attack or something like that, but the traffic is suddenly spiking and it's unusually high. What you can do now is apply a rate limit to that type of traffic, so it just throttles it, so that you can avoid and protect yourself from denial-of-service attacks, clients that have accidentally been misconfigured, or whatever the case may be, when they send large volumes of requests in short periods to your front end or your back end. So you can now apply rate-limit rules to your web application firewall. Again, not a huge thing, but one that will have significant impact on the way you manage your environment. Very cool. Great ads, great stuff, great show.

Yeah. How about you? You were all... oh, that was it for you, for us. Because I did a two-for-one. Oh, that's right, that's right. I thought that, considering we skipped last month, this show would be significantly longer, but as you mentioned, since we don't have anything rolling out in December, or we don't have a lot rolling out in December, because nobody rolls out to production on Friday at two o'clock in the afternoon when everybody's looking to leave at four. Yeah, we've all done this in the past in our IT lives, where somebody makes a change in the last hour of the last day, on Friday. Yep, yep, yep, yep. Well, cool.
Anyway, make sure to check out the show notes or the blog on itops.itopstalk.com, where we'll have all of the links and all of the information about the products and the new functionality we've discussed today. As Michael mentioned, please tell us in the comments what you would like. If there are any deep dives you'd like us to look at, or if you have any questions in regards to Azure networking, we'll make sure to cover that. Like and subscribe, because it helps us, it helps the channel, and it tells us whether or not we're hitting the mark with you. So Michael, happy holidays. Happy holidays to you too, my friend, and, you know, enjoy some time off, which I will be enjoying as well, and I look forward to talking to you in the new year. Yes, and for all of you as well at home, happy holidays to you too. And we'll see you in 2024 already. Can't believe it. Yep. All right. See everyone. Bye.