Joey on SQL Server

The Unheralded Announcements from Microsoft Ignite

While they might not have made Nadella's keynote, these upcoming enhancements to Azure and Microsoft security are worth paying attention to.

Every year at Microsoft Ignite, big, high-profile announcements are the focus of keynote presentations and articles. At about the same time, there are also a bunch of significant product announcements and enhancements that don't make the front page. I wanted to write an article summarizing some of the recent improvements to Azure that I found interesting. These announcements run the gamut from data to infrastructure and networking.

The most exciting thing to me was the ability to resize Premium v2 managed disks online. This change didn't warrant a blog entry of its own, but it overcomes one of the biggest limitations of Premium v2 managed disks in Azure. If you aren't neck deep in Azure storage types: premium storage was effectively the first viable storage tier for database workloads, but its performance and capacity were intertwined. I often found myself deploying several terabytes of storage to meet the performance needs of a 500 GB database. The introduction of Ultra Disk addressed this, but at roughly four times the cost for the same capacity and performance. Premium v2 managed disks and Ultra Disk use the same storage platform; Premium v2 offers similar performance at a price about 30 percent less than the original premium managed disks, with a much simpler configuration. Unfortunately, there were limitations around backup and online resizing -- now it appears that most of those are gone, and you should start looking at moving your workloads off Premium v1 storage.

Networking in the cloud has evolved steadily since the very early days, when everything had a public endpoint. Last week, Microsoft introduced the concept of a network security perimeter to improve the security of PaaS resources like Azure SQL Databases and Azure Storage accounts. Admins will be able to define a logical network boundary for PaaS resources deployed outside of virtual networks to secure their public connections. What does all that translate into in practice? Each of those PaaS resources currently has its own firewall controls, which admins must manage individually. With a network security perimeter, you can group resources and define a single set of access rules for them in one place. The perimeter also helps prevent data exfiltration by blocking outbound traffic by default. Most importantly, it provides one place to manage all your publicly facing PaaS resources, which helps with both security and auditing.


Something I also do when analyzing service announcements is consider what they could mean later for other services. Sometimes you'll see something groundbreaking that you can tell will drive other things down the road. The announcement that made me think this way was attribute-based VM selection for Azure Compute Fleet. Azure Compute Fleet is a preview feature that allows organizations to deploy massive numbers of VMs (up to 10,000) with a single API call, using a mix of allocation strategies. You and your org probably aren't deploying 10,000 VMs at a shot, but something in this solution stood out to me.

The new feature, announced at Ignite, allows for attribute-based VM selection, where you specify a memory, CPU and storage range and Azure matches those specs to suitable VM sizes. In the announcement, Microsoft specifically calls out that “this feature also allows you to seamlessly utilize newer VM generations as they become available…”. This concept has a tremendous amount of potential -- while you probably aren't deploying 1000s of VMs, you may have 100s of VMs under your watch. Something I recommend to clients is to check the available VM models every 6 months or so, because as new VM models arrive they can often improve performance through newer CPUs or higher storage bandwidth. I could envision a check box or tag allowing Microsoft to upgrade your VMs as newer generations emerge. I think this would also benefit Microsoft: if customers opt in, it could quickly move them off older hardware.
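As an added example (not code from Microsoft or from this column), here is how attribute-based selection and the "is a newer generation available" check I recommend could be scripted against a size catalogue. The catalogue, its vCPU and memory figures, and the size-name parsing pattern are assumptions; storage attributes are left out for brevity.

```python
import re
from dataclasses import dataclass

# Assumed naming convention: Standard_<Family><vCPUs><features>_v<generation>, with the
# _v<n> suffix absent on first-generation sizes. Sizes carrying an accelerator suffix
# (e.g. an "_A100" segment) are deliberately not handled and raise ValueError.
SKU_RE = re.compile(r"^Standard_([A-Z]+)(\d+)([a-z]*)(?:_v(\d+))?$")


@dataclass(frozen=True)
class Sku:
    name: str
    vcpus: int
    memory_gib: float

    def parts(self):
        """Split the size name into (family, vCPU count, feature letters, generation)."""
        m = SKU_RE.match(self.name)
        if not m:
            raise ValueError(f"unrecognised size name: {self.name}")
        family, count, features, gen = m.groups()
        return family, int(count), features, int(gen) if gen else 1


# Constructed catalogue standing in for the sizes offered in one region (figures illustrative).
CATALOG = [
    Sku("Standard_D4s_v3", 4, 16),
    Sku("Standard_D4s_v5", 4, 16),
    Sku("Standard_D8s_v5", 8, 32),
    Sku("Standard_E4s_v4", 4, 32),
    Sku("Standard_E4ds_v5", 4, 32),
    Sku("Standard_E8s_v5", 8, 64),
]


def select_by_attributes(catalog, vcpu_range, mem_range):
    """Attribute-based selection: sizes whose vCPUs and memory fall inside the inclusive
    ranges, newest generation first, so the head of the list is the preferred pick."""
    lo_c, hi_c = vcpu_range
    lo_m, hi_m = mem_range
    hits = [s for s in catalog if lo_c <= s.vcpus <= hi_c and lo_m <= s.memory_gib <= hi_m]
    return sorted(hits, key=lambda s: (-s.parts()[3], s.name))


def newer_generation(current_name, catalog):
    """The periodic check: name of the newest size with the same family, vCPU count and
    feature letters but a higher generation than the running size, or None if current."""
    family, count, features, gen = Sku(current_name, 0, 0).parts()
    newer = [s for s in catalog
             if s.parts()[:3] == (family, count, features) and s.parts()[3] > gen]
    return max(newer, key=lambda s: s.parts()[3]).name if newer else None
```

Note that the check only matches identical feature letters, so a running E4s_v4 is not flagged against an E4ds_v5 (which adds a local temp disk); treat such near-matches as a manual review item.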

Security is always a hot topic, and the Entra team announced some new features and made some other products generally available. The Entra team has a concept called “Secure Access Service Edge” (SASE), which aims to help organizations implement Zero Trust principles and unify access control across identity, network security, and endpoints. As part of this, Microsoft is trying to at least narrow the scope of the traditional VPN by implementing Entra Private Access and Entra Internet Access.

Microsoft introduced private DNS for the Private Access service to make it easier to identify applications. This feature allows admins to search network segments to find those applications, onboard them to enable segmented access, and simplify the creation of Conditional Access policies for groups of apps based on their criticality to the business. The other Zero Trust aspect of this is that Conditional Access policies can now be applied to legacy apps and non-web resources, including RDP, SSH, SMB, SAP or any other TCP- or UDP-based private application, resource or network endpoint. If you haven't worked with Conditional Access, it can block login based on a dynamically assessed login risk and is a key tool in the Entra stack for data protection.

The other long-awaited networking security feature announced was DNSSEC (Domain Name System Security Extensions) for Azure DNS. DNSSEC provides assurance that DNS requests come from a verified source and have not been tampered with during transmission. This feature has been in high demand in the enterprise, but Microsoft was slow to implement it. However, it is now available in a public preview.

The other bit of data news is that Azure SQL Database Hyperscale increased its transaction log throughput from 100 to 150 MB/s, which may sound unimportant but is a significant benefit. If you have highly transactional databases on Azure SQL DB, you'd have to be on a very large, very expensive Business Critical database to approach that level of throughput, which is a limiting factor for write-intensive workloads.

Every year at Ignite, I like to read beyond the headlines. While things like AI Foundry or SQL Server 2025 are very interesting, there are usually several key product and feature announcements that offer immediate benefits to admins everywhere. The changes mentioned above offer tangible benefits to operations, security, and performance and offer some potential glimpses into what could be coming to Azure in the future.


About the Author

Joseph D'Antoni is an Architect and SQL Server MVP with over two decades of experience working in both Fortune 500 and smaller firms. He holds a BS in Computer Information Systems from Louisiana Tech University and an MBA from North Carolina State University. He is a Microsoft Data Platform MVP and VMware vExpert. He is a frequent speaker at PASS Summit, Ignite, Code Camps, and SQL Saturday events around the world.
