Hello, everyone. And welcome back to another edition of Wired for Hybrid, the January edition just past the holidays. And Mike enough, Mike and I have a lot of things to talk about. So stay tuned. Hey, Michael, how you doing? I am doing awesome, Pierre. It is a balmy one degree Fahrenheit here. Yeah, it's minus 20 Celsius here. I'm not quite sure what the Fahrenheit equivalent is, but it's probably not warm. Yeah, yeah, it definitely is not warm. But that is all okay, because we have got some hot networking for you today. Oh, that's a bad pun. But I'll take it. I'll take it. It's 2024, we got to step up our game. Season two, season two. Can you believe that we made it? We're one year, one year. That's awesome. That is awesome. Awesome. Awesome. And thanks for all of you for, you know, hanging out with us and coming back and watching. You know, make sure you subscribe, like; we love comments, love hearing from you, things that you like, want to hear about. You know, just reach out to us, let us know.
So what do we got new today? So today, what we have is that coming in September of 2025, September 30th. So we got a little bit of lead time. Yep, definitely a little bit of lead time. But you know how things are, they come quickly. The last thing I knew was COVID and it was 2020 and my kid was coming home. Standard and high performance VPN gateway SKUs. So these are the old, old school SKUs. When you deployed VPN gateway when you first got on Azure, are going to be retired. And so this goes along and is really in line with the announcement that came out in 2022, when the basic IP address SKUs, which are set to retire at the same time in September 30 of 2025. So September 30 of 2025 is a really big day. So like, you know, basic load balancer, basic public IP, bunch of basic stuff is leaving there. So what does that kind of tell you? If you're running on basic kind of stuff, chances are it might be time to be looking and moving to something else.
So is there some guidance on what people need to do to prepare? Because that's a little over a year from now. Absolutely. So there's nothing you really need to do now. Out in the December timeframe of this year, we'll be sending out detailed migration steps. So if you don't do anything in August of next year, if you're running standard, you'll be moved to the VPN gateway one AZ. If you're running the high performance, I think you move to the VPN gateway one AZ two, I believe it is. Don't quote me on those. But we'll have a link to that. That'll have a reference for that. But they'll send out detailed information for that as far as a migration thing. So there's nothing you really need to do at this point for that. You just need to be aware of it so that you're not surprised when you get the notifications. Absolutely. Okay, absolutely. Perfect.
What do you got for us? So you know about Azure Data Explorer clusters. Typically in the past, you could deploy these in what they called Azure Virtual Network Injected ADX. So you would deploy that cluster into a virtual network so that it would have access to the data that you're trying to collect and analyze and so on. But it wouldn't be, there were still dependencies on public IP address. There was a problem with scaling and stuff like that. So now there's a migration away from Azure Virtual Network Injected Azure Data Explorer clusters, that's a mouthful, to a private endpoint. I think we've talked about this in the last few shows where more and more services are leveraging the private endpoints way of doing things where in your virtual network, you have a private endpoint and you basically point your service to that. And it avoids the need to have public IP address and it makes things a lot more secure, a lot more robust. The migration process will be very simple and can be done in the portal, it could be done by ARM template, it could be done by many other ways, PowerShell as well, I believe.
And all of the document or all of the migration steps will be documented in the link in the show notes below. And so that makes it a lot easier to manage load, a lot easier to manage growth, a lot easier to manage scale while keeping your ADX, your Azure Data Explorer cluster secure. So that was number one. It's like I said, it's not a big like brand new service. It's just we're taking existing things and making it easier for you to manage and easier to use. That's great. I love to see us continuing to more and more utilize private endpoints are such a great feature that if you're not using those in the services that have them, you should absolutely be checking them out. They're really a great way for you to be able to really tighten up the way your network works and to be able to utilize the Azure backbone and to really make a more secure Azure infrastructure. So we'll try to include some information as well, more about private endpoints as well.
So I think you had something about Azure Front Door and Azure CDN, which we've talked about a lot on the show because they're important as well. Well, Azure Front Door and application gateway both utilize WAF, the web application firewall. Now it's basically two announcements and I'm kind of crunching them into one. But the announcement is really that CVE, and I'm reading this now off my notes because I don't want to get the wrong number, CVE 20 23 51 64, which is a vulnerability that has been reported and documented, has now been integrated or deployed to the default rule set and the core rule set. And we've talked about this before and we've even, when we did deep dives in WAF, the rule sets that are based in the web application firewall is managed. One is managed by us like Microsoft cybersecurity. We have what we call the default rule set and then you have the core rule set which is from OWASP or the Open Worldwide Application Security Project. And they have a set of rules and they're up to version 3.2.
That covers all major in-the-wild kind of vulnerability and attack vectors that you should be looking at when you have an application that's exposed in the internet. So those rule sets are being maintained by either OWASP or Microsoft or both and then applied to your Windows application firewall. So you decide like which rule set you're going to be deploying into those. So this month we've actually taken some of those vulnerabilities that have been documented. And we've now rolled them into the rule set. So you just have to, the only action that you need to do at your end is to ensure that you're using the latest rule set. Test it to make sure that that rule set doesn't break something that you're running. And at the end of December, we updated all those rules. So they're already there. So by the time you see this, this airs, those rule sets will be up, running and ready to be utilized by you. So that's about it in terms of what I had for you. So three very small items but good to know for everyone that's either using data explorer clusters or using front door and application gateway.
Very cool. And I think, you know, what I was thinking about was, because I had on my mind, I was thinking when I was thinking Azure front door and Azure CDN, we had an update come out. We talked about this in the November show that we talked about we had were prohibiting domain fronting, which we're not going to go in and talk about that again because we talked about it a number of times. Go watch the old joke. Yep. Just go ahead and watch the old joke. We'll have an update. Basically we had an update come out that January 8th this was going to go into place and then we pushed it to January 22nd. So chances are by the time you're watching this it's already in the future. We're not going to Marty McFly this and go back to the future. And so just so you know, you should know that domain fronting is prohibited.
And if you want more information, check out the show notes, check out our November show or go back to January. And that's that.
But the other things we've got going on is that one thing that we do have is that if you use application gateway, chances are you know that you're terminating TLS, HTTP traffic at the gateway. Why are you going to do that? It takes your burden off of the back end. It centralizes all of that. But what does it also a lot easier to manage certificates as well? Yep. But it also creates a place where you got a lot of certificates you got to manage, right? Yeah. And that's challenging. And currently, we've had to do it using Azure PowerShell and Azure CLI, which can be for a lot of administrators, that can be a bit of a challenge. So now we've simplified that management. In public preview is the ability to do that through the Azure portal. Manage your TLS certificates for app gateway in the portal through the UI. So this is going to be able to, you're going to have things like a quick listing. So it'll basically have a list of all your certificates. You can go into each of the certificates and see the information about the certificates like when it's going to expire, all the information you need about them. You can do bulk operations for the certificates. You can upload certificates there. So you can have that management. So that's a really, really cool tool for those administrators that maybe you're not up on the Azure PowerShell and the Azure CLI, or sometimes even if you do know those, some of the coders in the house are probably going to throw stuff at me. Sometimes it's just faster to do it in the portal. Well, I've always been kind of a lazy admin. If I have to do something once, I'll do it in the portal. If I have to do it 50 times or 500 times, then I'll look into automating it.
But having the ability to do it in the portal when you need to do it in the portal, especially if you need to do it fast, you don't need, then that's actually a really good thing. And I can tell you as an old school Exchange admin, I mean, I remember when Exchange 2007 came out because they were the first ones to use PowerShell for tooling and the only way to install certificates in Exchange 2007 was with PowerShell. I looked up the command every single time because to make sure it was right because if you, because that's what you did, you looked it up because it's something you messed up only once. Because certificates have always, talk to anybody, I know certificates have always been the bane of my existence is, you know, for some reason, I just they've always came. Anyway, so that you definitely have that look forward to. Remember with public preview things, those do not fall under the typical, you know, your mileage may vary, you know, not standard support. They'll always have the, you know, look at the rules, you know, not don't use those in public and production environment. Don't use it in production, that might change. Yep. Don't expect all the features to be there when it goes into generally available and so on and so forth.
So the last thing that I have, this is super cool. I really like this and I'm excited because this is actually a product that I'm going to be writing the documentation with the team, is public preview of private subnet. And this is pretty cool. So now what customers are going to be able to do is now you're going to be able to create a custom private subnet for your resources inside of Azure. Currently, what does that mean? What does that private subnet mean? So it means that your VMs have a private subnet.
No, currently, what happened is that, let's say you've got a workload of virtual machines, you deploy those into Azure and you're not specifically saying, you're not specifically pointing them out to the internet, you're not giving them public IP addresses, what have you. By default, they're going to get assigned a default public IP address outbound. Okay, those implicit IP addresses aren't associated with your subscription, with a subscription. Yep. They're hard to manage, hard to troubleshoot. They don't follow our secure by default model. So they're just not a really good best practice. Okay, one good thing is they are going to be going away in our favorite month, which is September 2025, which is when Mike is taking vacation. And so what this is really going to do is it's going to prevent, you know, really that insecure implicit connectivity for your newly created subnets. And then by setting that default outbound access parameter to false. So basically, no default access. Then you pick your preferred method for that explicit connectivity to the outbound.
So then how do you set that up? So the important thing with this is you need to set it up when you create the subnet. So okay, when you create the subnet, that's when you do it. So you can do that by utilizing the private subnet parameter. So you add the private subnet feature at creation. So I'm sure you could probably do that with Azure CLI, Azure PowerShell, there's also a little checkbox that's going to be part of the subnet create experience in the portal. You can add an explicit outbound connectivity method. So like you could use NAT gateway, standard LB, a standard public IP address, probably firewall and hub and spoke environment, whatever. Yeah. You could also, let's say you're using virtual machine scale sets. You could use flexible orchestration mode to do that. So I think this is pretty cool. Because a private subnet on-prem, what is that?
You're not routing it anywhere outside of the subnet that it's on. I think on-prem we used to call that an air-gapped network, wasn't it? Like a network that's just not connected to anything. Yeah. Yeah. In this case, it's still connected, but you have to be very precise and prescriptive into how it's actually going to connect with anything else. Yeah. Okay. And you could probably still air gap it if you wanted to. That opens up a whole new can of worms that maybe we cover into a deep dive onto how you air gap a virtual network. Absolutely. We should try to get somebody to come in and once this goes GA to come in and do a deep dive on private subnets. And then we can ask those questions. That's perfect.
Well, awesome. Lots of good stuff. Lots of good stuff. Yeah. So, rule updates, retiring stuff, mark September 2025 down on your calendar, book time off if you're anywhere, anything like Mike. Lots of good stuff this month. And as usual, all of the details are going to be in a blog post that's identified in the show notes. Please make sure to like and subscribe. Let us know if there's anything that we mentioned today that you'd like us to take a deeper look into. And with that being said, thank you, Mike, for helping me with this month's edition. And happy new year. Thank you too, Pierre. Thanks, everybody. Happy new year, everybody. Cheers.