Good morning Internet users, IT ops pros, and those just interested in new things about Azure. My name is Jay Gordon. Welcome back to AZ Update. I've got a brand new guest host this week, who's going to probably be on here a little bit more. Jillian, welcome. I really do appreciate you getting to talk to me. It sounds like someone else is going to talk to me as well in the background. Totally. There's always a background crowd. Yes, thank you so much, Jay. Yes, as you say, my name is Jay Linkerui. I'm based out in Kenya, East Africa. And I'm looking forward to the session and many more to come as well. Wonderful. So I know all of this is new and exciting. We'll talk a little bit about what you're up to on the team that our fearless leader, Rick Klaus, is our lead of. We really have a lot to talk about. But first, I know that you mentioned that you are in Nairobi, which is in Kenya, a wonderful, wonderful land on the eastern coast of Africa. I did a little bit of learning about Kenya while I was preparing for today's show. And so now you're going to judge me because I am going to say the motto of Kenya, the official motto, which is Harambee. OK. Is that right? Harambee? Harambee. Yes, Harambee. Though, actually, most people think of Hakuna Matata when they think of Africa. So Hakuna Matata, it's mainly used around Tanzania and Kenya. I remember when they were making the Lion King, that's when their quote became quite popular. So whenever they meet a Kenyan or an African, they're like Hakuna Matata. It means no worries. Exactly. Harambee means let us all pull together from what I read. And the other thing that I did some studying, I love learning about different wildlife preserves, things like that. And I found this really neat picture of all the different types of animals that you would find in Kenya. And I thought it was really neat. I personally, of that group, I think lions are pretty cool. I love big, giant cats. But we've all got to have our own personal favorites. 
Have you ever been able to spend some time around one of these beautiful animals? Definitely. So fun fact, Nairobi is the only city with a national park in the city. Oh, wow. If you do some research, you also see in the news headlines some lions that have escaped. And then you find some traffic, because there's a lion up ahead. So it's quite interesting. All the big five animals that you can think about, we have them here. We don't have kangaroos like in Australia. I'm looking forward to actually seeing a kangaroo. But all the others, I think we have. Wonderful, wonderful. And the other thing I learned, and you told me a little bit more about this, is while I know that the official language of Kenya is Swahili, you said that there's a number of mother tongues that different tribes have. Yes. So as of now, there are approximately 43 local tribes. And each tribe actually speaks their own language. So in fact, for me, I'm from the Kalenjin community. So we speak Kalenjin. And within the Kalenjin community as well, we have other sub-tribes as well. And then sometimes we don't also understand each other. There is some bit of difference within the sub-tribes as well. So apart from speaking English and Swahili, we also have our tribes. Well, we've got some of our regulars in the chat. I want to say hi to Paul, of course, Amy from our team. Hello, Andrew. And hi, Rabbit. Appreciate you all watching. And if you have any comments, please put them in the chat. We want to hear what you think. We want to hear what you know. And we want to hear the questions you may have as we go along the way. So we've got some stories to talk about today. But I just wanted to once again welcome you to the Hybrid Infrastructure Group. It's been really great to talk with you so far. And I know that you have a world of knowledge to share with everybody about security and how you can really bake it into your projects. But for now, we'll talk a little bit more about different security. 
But for now, why don't we get into this week's stories? What do you say? Awesome. Well, normally Pierre, who's probably off in the woods, gallivanting at the moment, would be sharing these. But this is up to me this week, so please be kind. So let's get started. The first thing that I've got for you this week is we are going to look at a new service that's available: virtual machine level disk bursting supports additional VM types. So disk level bursting, which means you're able to get higher performance on your disk for your virtual machines when you need it. It's now available for the M series, the MSV2 series, medium memory, and the medium memory VM families for the MDSV2 series, allowing your virtual machine to burst its disk IO and throughput performance for a short time daily. And so some of the use cases that we've got here is it'll help improve boot times. So your virtual machine and your disk will be able to burst, coming fully stocked with bursting credits at the start. And your instance will be able to boot at a much faster rate than before. Handle batch jobs: some application workloads are cyclical in nature, requiring a baseline performance the majority of the time, but a higher performance for a short period of time. So we go through those like waves of when we need more, we need less. And that's one of the big benefits of the cloud is being able to have these burstable services that'll help back your performance when you need it. And then preparing for traffic spikes. And that's always a big deal. Web servers and applications, they can surge from traffic from unforeseen circumstances. So there's a bunch of links that you can take a look at here. If you go to the page that's associated with this new update, head over to aka.msvmburstable. You can find some information here about managed disk bursting. You'll learn about, like I said, the common scenarios and then disk level bursting. 
There are two managed disk types that can burst: premium SSDs and standard SSDs. So we have the on-demand model and the credit based models. And we've got all sorts of different scenarios here. So you can check out that documentation. And then if you wanna learn more about the different series of virtual machines, there's some documentation on that, specifically the M-Series, and the MSV2 and MDSV2 series medium memory. So gentlemen, that was a big mouthful of new information about just how to improve VM performance. Have you worked a bunch at all with virtual machines? Yes, yes I have. Very, very cool. And so you probably know as well as most others that performance of virtual machines is always a big concern when people move into the cloud. And they wanna make sure that they have those resources available to them so that they're able to perform the best and add reliability, which ultimately, and I talk about this all the time on here, it helps just promote your reputation, as if people know that they can come to you, your site will be performing or your applications will be performing. So Jalen, I know that we've got a story for you to talk about now. I know security is near and dear to your heart. And I am going to bring it up. Why don't you tell us a little bit about this new availability for Kubernetes? Yeah, so CIS for Kubernetes is now available on AKS. So that's quite impressive. So I don't know if you guys know what CIS is. So CIS is the Center for Internet Security. It releases benchmarks for best practice security recommendations. So not only does it provide for Kubernetes only, we also have for Windows servers, we have for Linux, we have for databases as well. It gives quite detailed levels of benchmarks or recommendations to add a new infrastructure, to add new applications as well. It's quite in depth. They've done a lot of research. So that's why I'm quite happy that at least we have CIS benchmark for Kubernetes right now. 
And as of now, Azure, AKS, Azure Kubernetes Service, it complies with SOC, ISO, PCI DSS and also HIPAA standards. And right now they're also including security hardening to AKS based on the Kubernetes CIS benchmark. And there is a real upside there about this. We've actually come from quite far. I remember when we were studying, okay, before I joined Microsoft when now we were working with Kubernetes and then we were wondering how to harden this Kubernetes environment at all. You have no knowledge whatsoever in that area. So the first point of reference was around was the CIS benchmark for Kubernetes. And guess what we used to do? So it's a whole document of almost a hundred pages. So you actually have to go page by page and do manual checks to make sure that you're actually secure. So there are actually some recommendations step by step. And so as per the CIS, normally there are two levels. So there's level one and level two. So level one recommends essential basic security requirements to configure on your system. And it has very little interruption to your services. And level two has security settings for the environment which might have some functionality issues. So you have to be careful about deploying some of those recommendations for L2. So what we used to do was do step by step. It could take like three days manual checking. And now we can do it on the go on the AKS as well. So fun fact as well. Kubernetes by itself has some security components as well. So it has pod security standards and secrets, while Azure also has some security components. So it has Active Directory, Microsoft Defender for Containers, Azure Policy, Azure Key Vault. I believe we'll be having, we have a Learn module as well for that, for AKS. We have network security groups. We have several components for AKS. 
And some of them are around authentication and authorization, both running the latest OS security updates and Kubernetes releases, securing pod traffic and access to sensitive credentials. So one thing now with this release of the CIS benchmark in Kubernetes for AKS, you can now deploy the checks automatically and you can run and use the Azure documentation to confirm that the AKS meets specific CIS benchmark standards. So that's quite interesting. I don't know if others are interested as I am. Well, needing compliance is super, super important and using these types of services and these certifications, these types of rubber stamps that say this is ready for production grade applications, it's always really important. We wanna meet the standards that people expect of us when it comes to doing whatever transactions and trusting us with their business. So if we have applications that are going to be taking in user data, if we have applications that are going to require some sort of authentication, we want all that done in an environment where we don't have to worry about any potential security issues. So getting just more tools around that. Super helpful. And there's already for AKS pod level security with Azure Policy. You can also take a look. We've got our super security, hardened operating system that we can use for AKS. And there's all sorts of really great things that AKS gives to you. And not only that, but there are all these different common use cases around lift and shift, microservices, secure DevSecOps, which I know, Jolyne, that's big in your heart. And of course the bursting from AKS with Azure Container Instances. So when you need more outside of Kubernetes, you can use that. So why are we talking about so much Kubernetes today? Well, because there's another Kubernetes story that we're going to talk about. AKS now supports Kubernetes release 1.23 in public preview. And there are 47. That's right. 
47 different types of enhancements that have come from using Kubernetes, or they come from the release of Kubernetes 1.23. Capabilities such as IPv4, IPv6 dual stack networking, going GA. So the document leads you over here to the Kubernetes blog on the Kubernetes project website. And the release team always gives great information about all the different types of features that they're adding. So they're deprecating FlexVolume and klog-specific flags. Another compliance for supply chain here, SLSA level one compliance. Maybe I can ask you a little bit more about what SLSA is if you know that. Dual stack networking, we've been talking about IPv6 now. It seems for like 15 years. But hey, we've got support for it for dual stack. Autoscaling, general ephemeral volume which is always useful to be able to store things temporarily. Skip volume, pod security, a great project. It went ahead and graduated to beta. Another big thing of all these different new features. I recommend you go and you take a look at them all. Kubernetes 1.23, the next frontier. I am a Star Trek nerd and I absolutely love this little logo. I think it's super, super cool. Jolene, have you spent much time with Kubernetes? Yes, I've spent a lot of time around hardening and securing Kubernetes. Very cool. And would you be able to tell me anything about SLSA as far as that security framework? If not sure. Okay, no problem, well, let's take a look. It is about safeguarding artifact integrity across the software supply chain. Very, very important. We don't want supply chain based attacks to happen to our applications. We want to be able to make sure that our end-to-end security is all handled. And so we've just got new features, new ways to do that. Kubernetes 1.23. The team that builds Kubernetes just always is thinking about how that project can move forward, how that project can help people build more complex distributed applications. So I'm always really happy to see that. 
So we've got our next story which continues along the security line. I'm gonna bring it up. So Jolene, why don't you talk to me a little bit about it? Yeah, so as of now, HotPatch is now available for Windows Server VMs. So you might be wondering what HotPatching is. So HotPatching is a new way of installing updates on supported Windows Server VMs that does not require a reboot after installation. Isn't that cool? Yeah. So it works by patching the in-memory code of the running processes without the need to restart the process. So by having it like that, when you have a HotPatch on a Windows Server VM, there's high availability in terms of these fewer reboots and faster updates as well, because smaller packages are installed and faster without the need of restarting processes. So this process results in the VM being always up to date and secure, because as you know, like every Tuesday release, we have a Patch Tuesday. So imagine now having your VMs being automatically secure because of the in-memory processes being hardened through the HotPatch, through HotPatching. So we also might be wondering if it's available for all regions. If you have the environment in different regions, yes, HotPatch is available in all regions. And as of now, it's supported on Windows Server 2022 Datacenter and hoping that at least it will go and support more and more VMs with time. So it's a really cool thing. So in between the baseline patches, at least you'll have like two deployments of HotPatches in between. So it's regular and you have automatic security deployed. So think of it like automatic Patch Tuesday but now in between. So it's more detailed, you have your VMs more secure and you have no reboots. But actually there's some instances where you'll need to reboot. So reboots are still required to install updates not included in the HotPatch program. And they're required periodically after a baseline has been installed. 
So it's not necessarily that you wouldn't do reboots throughout, but yes, it will be fewer reboots, yeah. Very, very cool, yeah. I like this little graph here and I guess this is kind of the release history that's going to come from patching and these two different baselines. So there is the planned baseline, which are released on a regular cadence with HotPatch releases in between. And then there's unplanned baselines, where it will release when important updates such as a zero day fix is released. And that particular update can't be released as a HotPatch. And so I know one of the big things that we do deal with, and that Microsoft has a huge commitment to rooting out and sharing with the world, there's zero day attacks. If you're not aware of what a zero day is, Julin, you wanna tell everybody a little bit about zero days? Yes, zero days are, let me tell you, every single day you'll find a vulnerability that's released. So you'll wake up tomorrow morning and you'll find new vulnerabilities that are maybe doing a remote code execution like log4j. So these are what you call zero day attacks because they happen almost instantly, they happen on the go. So it's not something that's planned, it's something that happens like instantaneously, it happens like tomorrow, it happens like today. So it's something that's released and published. So you'll find most of these vulnerabilities in export to TP as well, you'll find them. You'll find most of them also released responsibly through most of the bug bounty programs. So, and then now if a particular vendor knows that the product is vulnerable to a zero day vulnerability, they have this possibility to tell their clients that they have this particular patch for that particular zero day. So that's what's up here. So I think log4j recently, that really, really big security issue that went around, the Log4Shell. I know that that was a zero day that got detected. 
I believe it really, really did do a number on the internet across a lot of different providers and people who utilize it. And it definitely was a, it was a thing. And we live in a world now where zero day exploits, ransomware, things like that have become such huge parts of navigating the world of not just the cloud but computing in general. And they don't just impact people who do work on servers per se. There are these types of exploits that can happen, like right with your iPhone. And it's why people are constantly making sure that they've got the latest patch fixes on their mobile devices, because it contains personal identifying information, private information you don't want the world to see, for some of you who take pictures with your phone. I know you don't want everybody getting all your pictures by exploit on your phone. And so we think about that with our server applications, with our actual individual bits of software. And of course, like I said, devices. So all real big stuff. And so Trilin, I know that you are going to be talking a little bit more about DevSecOps. And there's an upcoming event that you're doing. And I'd love to hear a little bit about it. Yes. For this, we'll be talking about shifting security left, but not only to developers but also like the ops team as well. We'll also be covering around infrastructure as code, how you can integrate automated security checks from the onset. So like for developers, how you can build in security checks from your endpoint, even if it's from Visual Studio Code, how you can do automatic security checks when you're coding in real time. How you can secure your code when you've already pushed it. How you can check for dependencies. So another key example as well that we learned from the log4j vulnerability is also around asset management. You need to know all your assets. So at least you understand which ones are actually vulnerable to third party dependencies as well. 
So we'll be touching as well on compliance as code, security as code as well. It will be a whole range of discussion around DevSecOps. Gotcha, gotcha. Well, I am excited to check that out. If you haven't already, go to the link I just gave you, the DevSecOps meetup, sign up to attend. I think you'll learn a ton from Joelynn and you'll hear some interesting stuff from MVP David. So check that out. I think that'll be great. And then I also wanna remind you that there is a really great user group that was founded by Sarah Lean and Gregor Suttie. It is the Glasgow Azure User Group. If you are in Scotland, this is a thing that I really recommend. You can go and find out about best practices, get answers, talk about ways that you can get more in deep with the community. You can meet with local peers. So I really recommend you go, you check out this. Sarah is an old friend and a part of our, well, she's no longer with us on our team, but she is a wonderful person. I am really happy for her over at Octopus. Hope you're doing great, Sarah. So we're just about at the end of it, Joelynn. And I wanted to remind everybody every week we get a different Learn module that we want people to go and do. And this week we've got our Introduction to Azure Kubernetes Service. Have you done this one yet? Yeah, yes, I have. Have you? Yeah, look, matter of fact, you can see I've got my green check marks. I got my experience points, which means I am a wizard who has leveled up at using this service. And I think it's great. Azure Kubernetes Service is super, super useful. It's very important for people who want to create big containerized applications that are distributed to check out this module, because you get education, you get it for free. And I think you'll really like it. Well, we're just about at the end. I want to let everybody know this is probably my last one of these that I'm doing. I've got a new role that I'm gonna be sliding into and I am super, super excited about it. 
I'll talk about it a little bit more. But Joelyne, you've got your new role to roll into. And I think that you're really gonna enjoy being part of this team. I think you've got some great people to work alongside. And I know they'll learn a lot from you and you'll learn from them. Definitely, it's very sad that we'll be losing you to another team. I wish we would have had more time just to work together. I wish the same thing. All of our new teammates like Amy and Rod, they've all been great to spend time with and talk to. You know, there's always other opportunities. So we've all spent some time talking today. We got to learn about some new features with Azure and we're ready to close up. So why don't we give them a big wave goodbye, Dylan, and let them all know that it's time for them to start enjoying their weekend. Have a good day. TGF, love. Yes, absolutely. Bye-bye.