Hello and welcome to the Let's Talk Azure podcast with your hosts, Sam Foote and Alan Armstrong.
If you're new here, we're a pair of Azure and Microsoft 365 focused IT security professionals. It's episode five of season five. Alan and I had a discussion around the updates to Azure in January. Here are a few things that we covered: security product updates, covering Defender XDR, Defender for Cloud Apps and Defender for Identity, and many new updates to Azure from new public and private previews as well as general availability launches. We've noticed that a large number of you aren't subscribed. If you do enjoy our podcast, please do consider subscribing. It would mean a lot to us for you to show your support to the show. It's a really great episode, so let's jump in. Hey, Alan, how are you doing this week?
Hey, Sam. Not doing too bad. How are you? Yeah, good, thank you. I've got to make an apology for last week's episode because I think unintentionally, I believe it was unintentionally, I completely cut Alan's audio out of the podcast episode. So, yeah, apologies for that, Alan. That's okay. I had a couple of people message me.
Yeah, exactly. Thank you. Anybody that did get in contact with us, I promise it was an accident. I uploaded the wrong file because we have two separate files, one with my audio in it, one with Alan's audio in it, and a combined one. And I uploaded my one. I must admit, last week's episode was recorded quite late because. Well, it was edited quite late because we had an issue with our recording provider. I had to get them to re export, I think it was my audio or your audio, I can't remember. One of ours didn't process properly, so I ended up actually editing the episode quite late at night. And, yeah, I must have just hit the wrong upload, basically. So, yeah, apologies. That shouldn't happen again.
That's all right. Considering what we are like 70, 80 episodes now, one small hiccup on an episode is not too bad, is it? Yeah. No, to be fair, actually, I was thinking my first thought was to like, what process can we change? How can we change it? And then I sort of thought, yeah, it's the first time I've clicked the wrong thing. Basically, we've done 81 episodes and we haven't generally had a problem. No, it's usually been around recording, hasn't it? Right, yeah.
I was going to say, not that the listeners would know about issues sort of thing.
Yeah, exactly. Yeah. Because most of them happen way before we get to editing the episode, that's for sure. So no, touch wood, we're quite consistent now. So yeah, fingers crossed that continues on. Should we just jump into topics, Alan? Because I think we've got. It seems like Microsoft have been quite busy in January considering we also did a news sort of update up to, I think about the 7th or 8th of January. So in theory we've only got three weeks' worth of updates, but it feels like they've awoken from their holidays and we've got a lot to talk about.
Yeah, definitely. I mean, if I sort of start on the ones I've got around the security products, these are really sort of general availability announcements around Defender XDR. So you've got the new, I say new, it's probably been there for quite some time now, but the unified role based access control across the whole of the XDR sort of solution. So Defender for Identity, Defender for Endpoint and the others, in effect bringing the RBAC out of the individual products and then bringing it into the whole sort of suite so you can create roles that span across multiple products there. That's pretty good. The other one which got announced, I think at Ignite, and it's already sort of GA now, is getting Defender for Cloud alerts into Defender XDR. So just sort of hooking it up, doing a bit of a connection, or permissions more than anything, and then you can see them in one place. That's just again bringing everything into Defender XDR. So some nice easy ones there. For Defender for Cloud Apps, MDA, the SaaS security posture management has had some upgrades in that. Now it has more applications. So it was only Google and Salesforce, I think it was, and maybe a few others. It's now things like, in preview at least, Dropbox, Workplace, Zendesk and things like that. So there's a couple more in there. So that's really good. So now you can see your posture of those SaaS applications and that's really just been growing on itself. And any recommendations that are in there feed into your secure score. So if you do enable them, just be prepared for maybe a small drop in that score.
Communicating your secure score drop to your less technical stakeholders. Yes. Why has it dropped by 10%? It's because we've added more functionality or more points to get. Well, we see the true visibility, right. Not just covered up.
Yeah. Okay, so probably the next one for me is Defender for Identity. So not necessarily an upgrade to the product itself, but Microsoft and probably the wider community has brought out some PowerShell to help configure the environment. So this is not just to sort of, because there's some extra bits. Whilst Defender for Identity just in effect needs an agent to then pull the data into the service, there's various other configuration to allow you to get the right data to the agent and a few other configurations. So this is to kind of help that part of it, to do some testing, make sure you can connect to the service, make sure your firewall rules are in place and things like that. So it's all well documented and I think it'll be very useful for very, not necessarily simple, but there's some very complex Active Directories out there. You still might need a bit more sort of guidance. It may be able to help with some parts, but I bet there's a lot of, I think it's going to be things like cross forests and cross domain trusts and things like that that are going to be the sticking point for some of that. And then finally from me, as I whizz through these, is Defender for Cloud. And in effect one of the ones that, one thing they've brought in, it kind of ties into Defender for Endpoint actually, is that they've brought agentless malware detection on Azure virtual machines, AWS EC2s and GCP VM instances. That's part of the Defender for Servers Plan 2. So this is kind of to complement the Defender for Endpoint agent being installed. But I guess one part of one, not necessarily issue, but one concern to a lot of organizations is being able to set scans of the OS, file scans, things like that, and it causing a load on the compute, not being able to then, maybe having disruptions in your services. So this is in effect taking that sort of pain away. In effect, I expect it's like the vulnerability scanning, the agentless version.
This might be where it takes a snapshot of the disk and then in effect scans it offline to see if there is any malware on there. Any alerts that get created go into Defender for Cloud, but also into the Defender XDR pool. So it's as if it was Defender for Endpoint. It will still be the engine of Defender for Endpoint, just being scanned offline. So I think that's a great win for those workloads or those services that are compute sensitive, that you can do it all offline. You don't have to worry about a service going or being disrupted, at least.
Yeah, and I think it shifts the ability for Infosec to apply certain controls with less involvement of infrastructure and owners of resources. Right. Because if it's completely outside of the resource and there is literally no impact to that resource then. And it's agentless. So there's not that configuration step that you've got to go through, because that's some of the blockers that we sometimes bump into. Right. Organizations have the best intent and will to roll out different, I'll call it out like Defender for Endpoint on Linux servers as an example. Right. Or servers that are very performance sensitive. They're just two examples of many other examples of where an infosec control can be delayed by legitimate infrastructure and application related concerns about any type of X technology. Right. So if you can approach it in an agentless manner you've got a lot more power to sort of make those changes and make them a bit more efficiently.
Yeah, absolutely. And again it's not just Azure, it's AWS and GCP as well, which is great news, especially for a straight away kind of scenario, because we know that Azure tends to be first because it's first party. But this seems like it's straight out the door to the other clouds as well, which is great. Will this all be Arc-based then for those other clouds?
Yeah, for the other clouds. I don't think this covers on-prem agentless scanning because that will be a bit of a. I don't know how that would work. It's an interesting one but. Yeah. So I guess if they were hypervisors maybe there could be a plugin for that sort of thing to make a snapshot. But obviously for physical that'd be a bit of an interesting one, how that works. Yeah, exactly.
Yeah, that's kind of a whistle stop tour of kind of the security stuff I've seen. The only other thing really to mention, that was maybe last week or the week before, I can't remember, but was the Microsoft 365 Copilot licensing restrictions being removed from the 250 minimum. We've seen a lot of customers ready, just in effect just taking that on as soon as it got released that way. Yeah, that's probably it from me.
What about you? Well, 365 Copilot was like a massive investment, wasn't it? Up front, basically, because didn't it basically work out to about $100,000? I can't remember if it's 100,000 or $300,000 or something like that. Because was it 300 seat minimum, 250, something like that. It was 250 because that was in effect where it goes into enterprise customer E series licensing. And it was $30, wasn't it? $75,000 or something. Let me just work it out. If I can actually calculate.
No pressure, Alan. $7,500 a month, that is minimum.
$80,000 a year, something like that. $85,000 a year, 90,000. Okay, there you go. So that's quite an investment to make in productivity. Right. For any organization. I think we really struggle to validate it because of that, because the use cases for that productivity are so unique to each organization, it's quite hard to get them know. I don't know of any incentives Microsoft had for people to try that. As far as I'm aware, there wasn't a trial or you had to sort of jump into it. I don't know if you could know there are any deals directly with Microsoft that weren't documented that ever happened. Obviously I'm not really aware of anything. So now you can just buy. I think you got to buy a year up front though, don't you? For each user you can't license it.
Yeah, I think it's got to be a year commit.
A year commit, but minimum of one. So you could just buy it for a handful of people. And that's what we've seen, haven't we, of people just getting people. Yeah. We should probably talk about Defender for Cloud Apps actually quickly, and organizations identifying other GPTs and LLMs being used in their organization. That gives them the visibility. But now they've also got a way to switch out those other third party systems to something that's a bit closer to home.
Yeah, exactly. And I think I mentioned it in previous sort of episodes that they brought it in. But the cloud discovery, if you're using that, they've got the new generative AI categories or category. There's quite a few on that list. I can't remember the exact number. I feel like it's like 400 they've got in the list. Something like that. There's a significant number of them. Yeah. In the hundreds.
Yeah. You can just start seeing if your users are starting to consume that, which everyone we believe they are. And that might be okay for the organization, but it's just working out how much data as well is going there so you can understand if someone is doing it a lot and there's potential sensitive data. So it's one way to view it and then maybe it's, hey, stop using that. And here's a license.
Yeah. Because we don't want to block that AI productivity gain. Right. If people actually use it and they use it in their day to day. Let's make sure we embrace that productivity change. Let's just make sure it's done in the controlled way that we want to. And the fact that it also works on your own organization's data is hopefully going to even give you even more ability. And the integration is just generally better.
Yeah, and probably with that drop in, licensing has been really good as well because your ROI is better because at least you can work out how you control the access to the data and things like that because you only need a couple of licenses to try it out where beforehand. Exactly. Yeah, you'd have 250 and you probably only give it to three or four. It work out how to lock it down.
We're going to pilot internally for five people for three months to see how it goes, which is probably a fair thing to do, or insert your own time frames and numbers for whatever. But as far as I understand now, I could be wrong, is that you had to commit to, as you say, 250 people to run your pilot for three months. So you've just got 200 or you just give it to everybody and chocks away. Thanks, guys. It's really good to see from Microsoft doing that. Cool. Yeah.
So what's yours then, Sam? What news have you got from Azure?
Okay, so on the Azure side, we have a new public preview of a new product called Azure API Center. Now Azure API Center is used to inventory and manage your organization's APIs. Now I know the question you're going to ask in a second, Alan, and I will get on to it. So basically it allows you to, it's sort of platform agnostic, so it can be used with any APIs. And imagine this is just a centralized place to store the schema and information about each of your APIs. Now this is a challenge with organizations that build microservices, have lots of APIs internally. They might provide them for their customers. Just understanding what capability you've got in your organization and managing that, documentation wise, is a challenge. So this is what it's really aimed at. Now the question is, how is that any different to Azure API Management? Because Azure API Management has its own ability to, I suppose, document and inventory your APIs. But what API Management does is it puts a layer in front of your APIs to effectively proxy those APIs. You build backends which interface with your APIs. So API Center doesn't have any of that, it just has a documentation part of it. So there is sort of a complementary overlap, so to speak. But it really is a completely sort of segregated and standalone product. You don't have to use API Management to use it.
This kind of sounds like an upgrade to the, is it the developer portal in API Management? Yes, exactly. That all makes sense. I haven't fired it up yet. I think we should definitely do an episode on it. But what they're describing is that it's basic metadata and information about your APIs. So like I assume just schemas, X, Y, Z. So yeah, it'll be interesting to see. That's in preview at the moment. I don't know pricing. It'll be interesting to see what happens there. That's cool.
Yeah, the feedback is being taken on a Git repo as well, which I thought was pretty interesting for that. So there's quite a few people testing that. Azure Container Apps now allows you to expose and accept TCP connections on multiple ports. So I believe before it was just like HTTP, HTTPS, TCP, but apparently that's been expanded to more ports. So I assume that's for other load balancer type scenario settings. And I believe there's a big part about VNet integration as well. So I'm guessing it might be a microservice change as well. I don't know how big the engineering for that is, but that feels like quite a small change. But yeah, I don't want to call that out too much. Next one for me, which I think is pretty awesome, this one is there's an Azure SQL trigger for Azure Functions now. So like you've been able to do in things like storage accounts, table storage, X, Y or Z, you've been able to trigger on new rows of data being added. There is now a trigger for Azure SQL. So it uses SQL change tracking functionality, and whenever a row is created, updated or deleted you can have a function trigger, basically. So yeah, that looks pretty cool. Currently in preview, which is good to see. Going back to APIs, Azure API Management now has what's called a circuit breaker. A circuit breaker is a property that you add onto your backend resource. It's essentially to protect it from being overwhelmed by too many requests. So if you imagine you can define a condition, which is a certain amount of requests hit your API over a certain time period, and what that could then do is it can trip that circuit breaker and then effectively for a certain amount of time it can return like a 503 Service Unavailable.
So you've effectively got an anti, it's not DDoS but an anti sort of flood breaker inside that. As I sort of mentioned before, API Management is giving you sort of a reverse proxy front end to your APIs so you can sort of protect them, because your APIs that are sort of behind API Management might be legacy APIs. They could be on-prem, they could be anything basically. So this gives you the ability to add some of that protection where you may have less. Because if your API Management is in front of an Azure Function or an Azure App Service, a lot of that nowadays is very flexible in how much it can spin up, scale and sort of retract. But if you're fronting like an IaaS box or maybe an on-prem resource with API Management, you could potentially get overwhelmed because you might not have that scalability. So yeah, there are already rate limit and concurrency limits inside of API Management. This just takes this basically to another level and gives you some ability to decide what happens when those are hit.
That's good because I guess as well, even though some of those other services can spin up resource, you may not want to incur too much of a cost. It might be a way of saying my Max is this kind of thing.
Yeah, it could be the start of some sort of denial of service attack. Let's say your average requests are like 100, and you see 20,000 in a minute. It might be worth just saying whoa, let's hold on a minute and trigger that circuit breaker. So another update to Azure API Management in January is what's called a load balanced pool. So what you can do here is you can create a pool which contains multiple backends for an API. So a backend is just literally a backend API that you're sort of fronting with API Management. And now you can load balance requests across those backends. So it's effectively like having a load balancer inside of API Management. And this is good for splitting load, obviously, like a load balancer would. And that can also be used in conjunction with circuit breakers as well to make sure that you're not hitting a certain circuit breaker on any one. You can distribute between two to sort of not trigger those, but also if you want to shift load from one backend resource to be able to deploy a new change to it. Let's say you've got a high availability API, maybe it's on two servers as an example, and you want to roll out a new version to it. You could migrate all traffic onto one of those boxes, do your upgrade, migrate all of your traffic over to that box that you've just upgraded and then do the same for the other box. So it allows you to sort of, in a more sophisticated way, do those upgrades. So yeah, both circuit breakers and load balanced pools are both in preview as we speak. So it'll be interesting to see.
Yeah, the backend pool thing is quite interesting because it has really only ever been kind of tied to one. You could do some clever sort of API policy to try and say if this area is getting errors, then go back to the next one. But you couldn't really ever load balance, not successfully or not very cleanly, I suppose is the best way to put it.
Yeah. The only thing that kind of. I've got a bit of a. I don't know, concern about is, I don't know what SKU those things are going to be on. Right. Just calling it out there, because if you're slumming it on the SKUs that we usually use, I'm not sure you're going to, but we'll see. I don't want to call it out. I can't call it out yet.
Well, this is an effect very enterprising. Well, yeah, and also technically if you could do this, you wouldn't necessarily need a local load balancer or a front door or TMG traffic manager or anything kind of ties it in. So you do feel it's going to be higher up.
Who knows? Yeah. So API Management, I would say they're quite a good couple of upgrades to API Management. Some extra flexibility. One for people that like to live on the edge is the ability to upgrade Gen 1 virtual machines to Gen 2 to take advantage of Trusted Launch. It really boils down to Gen 1 VMs use, is it fair to say, BIOS firmware? Is that the right terminology? I think they use BIOS. BIOS, right. I really get confused with, like, is UEFI a BIOS? It kind of is. I don't know. So they use what we refer to as BIOS as their firmware, how the machine is launched and managed. Gen 2 Trusted Launch requires UEFI virtual machines. So it's going to be very interesting to see what that upgrade process looks like. Because personally for me, I have never converted a machine that is a BIOS machine to UEFI. Conversely, for a long time I've only ever exclusively used UEFI. So I assume these workloads are relatively old or SKUs that require Gen 1.
I think Gen 2 has only been, I say it's only been out for a year or maybe two years officially. I think there's still quite a load of workloads that must be in that.
This seems like a big thing to me, because if you require Trusted Launch, if you want that level of certainty without having to rebuild your environments. Right? Because if we're talking about switching from BIOS to UEFI, to me that's a rebuild, isn't it, not a you press a button and you just convert across. So that's why I sort of prefaced it with people that like to live on the edge, because this one sounds scary, but awesome at the same time, if they can pull it off. It's interesting because they call it a private preview on the Azure updates list, and then it links to the form. Whenever you sign up to a private preview, there's always a Microsoft Form that you've got to fill out, sort of opt into it, and they're linking from the public Azure updates feed to a private preview. So to me it's not really that private because it's publicly available. But I assume they're going to. I don't know, maybe there's some motivated people out there, but they're going to struggle with getting the numbers of people to opt into this type of testing. Right, because it sounds scary to me, but I suppose it's non-production anyway. You'd have to do all your dev environments.
Yeah, I mean, the announcement of it being private preview and telling you some information about it, everyone kind of probably understands what it's doing, but how is probably still in the non public. I think they've done that with the unified Defender XDR where you can integrate Sentinel. In fact, they've almost pretty much documented it, but you can't get it unless you join the private preview. But I think that's probably more of a mechanism for releasing it rather than actually releasing out to people to test sort of thing. I think it's more of that mechanism for that one.
Yeah, that's cool. I thought that seems like an interesting one to follow and see where that goes. I'd be curious to test that. I don't currently have any BIOS VMs to test it with, but I could create some and join the private preview because it would be interesting to see how that's going to be handled. I think that's probably coming. So I think they're stopping Gen 1s, aren't they? I think that's why.
Oh, are they? Right. That makes sense. The last one that I've got is there is now an Azure Arc Visual Studio Code extension for managing deployments of applications to Arc-enabled workloads. I believe the first supported version is, let me just get the exact name, connected Kubernetes clusters. So I believe it's for application management and deployment to connected Kubernetes clusters. I just wanted to make sure I included the word connected because I don't know the difference between a connected and, I assume, disconnected Kubernetes cluster. I don't have any Kubernetes clusters to test this with, so it won't be one that I'm particularly looking at. But it's interesting because I know it's not the same thing, but I do use the Azure Functions Visual Studio Code extension because it makes it incredibly easy to deploy Azure Function apps, because you literally just see your function app, you right click on it and you go deploy and it packages it up, it puts it into Azure for you, it can stage it, X, Y and Z. It is very slick. It's almost easier than actually running a pipeline to deploy them, which is wrong for me to say really, but it is just so easy because you just right click and go deploy. And I think you can do that with App Service as well. So it's interesting to see.
Yeah, I wonder if they've, I mean, because I don't know, I wonder if they've got for Azure Kubernetes whether you can do it from Visual Studio Code and deploy your application to those clusters and this is adding it so you can do it on premise or into AWS or. That's what I think, yeah, I think that's what they mean by connected Kubernetes clusters. It's interesting to me that it's a separate add-on extension. Sorry. Why wouldn't it just be included with the Azure tools?
It might be because it's preview. So just doing it separately first and then.
No, that makes sense. That's going to be interesting to see what happens with that extension. Yeah, that's it for me. The only thing to call out with that extension, it seems like it's been there for a while. I don't know if it's been in like private, private, private preview and now it's public, because the last update to it, the last version, was in October. So I wonder if it's just actually gone like public preview now. Yeah, maybe so. Yeah, that's it from me.
Cool. Yeah, some of those were definitely interesting. So I'm definitely interested in that Gen 1 to Gen 2. I'm never, probably ever going to need to use it, but I am, I'd be very intrigued to see how that goes. Yeah, exactly, what the rollback strategy is. I would really want to be on those private preview calls, like when they're talking about it and people are asking questions. I just feel like alarm bells are going to be pretty.
I'm pretty sure you've got to change the bootloader part of the OS. But then Microsoft technically manages that in the VM, so maybe it's just.
Yeah, that easy. Who knows? Who knows? It's probably worth just calling out, these are only our highlights. There are many, many more, and apologies if your workload wasn't covered. We just picked the things that we think are cool, basically, because there's just so much that you could potentially talk about. It's probably worth just calling out that we are going to do one of these news episodes every month. The reason being is that it's nice to have a way to sort of absorb new updates and get a snapshot of them on a sort of regular cadence. And it's also a way for Alan and I to discuss these updates together, which is the whole reason for this podcast, basically. It's a good way. So we're going to sort of dedicate one episode a month just to do a snapshot of the things that we feel are important.
Yeah, we're always talking about, aren't we, the things that have come out. We're like, oh, we better do an episode on that. And then by the time we scheduled it, it's like three or four weeks, five weeks away, isn't it? Or something? Yeah. Just worth getting sight of it, at least to get people looking into those new features, because a lot of time listeners, people don't know about any of it happening, because it's just so.
No, I don't. A lot of these things. I obviously check the Azure update list quite regularly because of the podcast, to be totally honest with you, I'm checking it. I've got a reminder to get me to check it every week to see what's happened each week, because before I talk about it, even if I'm not going to test it, I want to read through, understand each one of the topics as much as I can. But before that, I didn't used to really look at it. And you can, you can just be pigeonholed into whatever you're doing and there's been like three or four updates in a certain area, and then most of the time you're just missing out on functionality that you didn't even know existed or a new technology or a new solution to your problem. Right. So it's worth keeping on top of. But it can be pretty overwhelming because we're only really talking about Azure. There's many other different things that Microsoft updates on a daily basis, teams, things like that.
All the productivity stuff. I mean. We don't really. Well, yeah, loads of stuff. Operating systems X, Y and Z. So much stuff. Cool. Okay, so what's our next episode then, Sam?
So next episode is going to be Azure AI Studio. It's currently in preview. I've been playing with it, so to speak, to see what the sort of hype is all about, to see what I can create with it. So yes, I'm going to take us through that and we're going to deep dive some of the functionality there to see if it's. The answer that I'm trying to get to is what is the actual applicable value to actually using the studio and how it interfaces with other sort of model ecosystems as well.
Cool. Yeah, that sounds good. Sounds like it sort of integrates some of the. Integrates some of the copilot stuff you can do, but I guess we'll find out. We'll find out next week. Cool. Okay. So did you enjoy this episode? If so, please do consider leaving us a review on Apple or Spotify. This really helps us to reach out to more people like you. If you have any specific feedback or suggestions, we'd like to hear them. There's a link in our show notes to get in contact with us.
Yeah. And if you've made it this far, thanks ever so much for listening and we'll catch you on the next one. Thanks all.