Monthly Azure news December 2021

In this issue of Monthly Azure news, we offer a brief retrospective of the most important updates from the cloud-native universe announced or published in December 2021. Make sure to share this post with your community and enjoy reading it. We wish you all the best in the new year and hope you will continue learning and growing with us 🌟🚀

AKS clusters can now be created without the need of local user accounts

Access to a Kubernetes cluster has so far relied on a local administrator account, but local accounts bring security risks around account management and access control. It is therefore now possible to enable Azure AD integration and disable local accounts entirely. Azure AD authentication for AKS clusters is provided via OpenID Connect.

For more information visit this site.

AKS auto-certificate rotation now in GA

The Azure Kubernetes Service generates and uses a number of certificates, which have to be renewed after a defined period of time. For the non-CA certificates this can now be handled by auto-certificate rotation, which is generally available: the certificates are rotated automatically before they expire. Note that this feature is not available for non-RBAC clusters and is currently available in the following regions:

  • East US 2 Early Updates Access Program (EUAP)
  • Central US EUAP
  • West Central US
  • UK South
  • East US
  • Australia Central
  • Australia East

AKS node image auto-upgrade now in GA

Microsoft frequently updates and patches the images for AKS nodes. Without automatic upgrades, the node image upgrade has to be initiated manually, otherwise the patch is not applied. With automatic upgrade activated, the nodes are updated as soon as new GA image versions become available; keep in mind that these can arrive weekly. This combines well with the planned maintenance feature and means less work and more flexibility. Check out the documentation on this site and look for the auto-upgrade section.
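The three AKS announcements above (local accounts, certificate rotation on RBAC clusters, node image auto-upgrade) all come down to a handful of cluster properties. The following audit is an added example, not code from the original post or from Microsoft: it reads the JSON that `az aks show -o json` returns and flags clusters that still allow local accounts, lack managed Azure AD integration, have RBAC disabled (which rules out auto-certificate rotation), or have no auto-upgrade channel. The property names (`disableLocalAccounts`, `aadProfile`, `enableRbac`, `autoUpgradeProfile.upgradeChannel`) follow the CLI output; the two sample clusters are constructed for this example.

```python
"""Audit AKS cluster settings for local accounts, Azure AD, RBAC and auto-upgrade.

Added example (not from the original post or from Microsoft). Input is the JSON
document returned by `az aks show -o json`; the sample clusters are constructed.
"""
import json

# Constructed, trimmed `az aks show -o json` output for two clusters.
SAMPLE_CLUSTERS = json.loads(r"""
[
  {
    "name": "aks-hardened",
    "disableLocalAccounts": true,
    "enableRbac": true,
    "aadProfile": {"managed": true, "enableAzureRbac": true},
    "autoUpgradeProfile": {"upgradeChannel": "node-image"}
  },
  {
    "name": "aks-legacy",
    "disableLocalAccounts": false,
    "enableRbac": false,
    "aadProfile": null,
    "autoUpgradeProfile": {"upgradeChannel": "none"}
  }
]
""")


def audit_cluster(cluster: dict) -> list:
    """Return a list of findings for one cluster; an empty list means compliant."""
    findings = []
    if not cluster.get("disableLocalAccounts", False):
        findings.append("local accounts enabled: set --disable-local-accounts and rely on Azure AD")
    aad = cluster.get("aadProfile") or {}
    if not aad.get("managed", False):
        findings.append("no managed Azure AD integration: enable it with --enable-aad")
    if not cluster.get("enableRbac", False):
        findings.append("RBAC disabled: auto-certificate rotation is not available for non-RBAC clusters")
    channel = (cluster.get("autoUpgradeProfile") or {}).get("upgradeChannel", "none")
    if channel in (None, "none"):
        findings.append("no auto-upgrade channel: node images are only patched when upgraded manually")
    return findings


def audit_clusters(clusters: list) -> dict:
    """Map cluster name -> findings for every cluster in the list."""
    return {c["name"]: audit_cluster(c) for c in clusters}


if __name__ == "__main__":
    for name, findings in audit_clusters(SAMPLE_CLUSTERS).items():
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print(f"  - {finding}")
```

In practice the input would be `az aks list -o json` for a whole subscription; the checks stay the same and the findings list is what you would feed into a compliance report.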

AKS configuration management with GitOps in Public preview

GitOps integration was previously only available for Azure Arc-enabled Kubernetes clusters (details here) but is now available for the Azure Kubernetes Service as well. With GitOps, the desired state of a cluster is declared in versioned files in a Git repository, such as Helm charts or YAML manifests, and reconciled by the Flux toolset. GitOps is enabled via the cluster extension Microsoft.KubernetesConfiguration/extensions/microsoft.flux, which can be installed either automatically or manually. Visit this site for more details.

Diagram showing the installation of the Flux extension for Azure Kubernetes Service cluster.
Source: Microsoft

General availability: Wildcard listener on Application Gateways

Wildcards like the asterisk (*) and the question mark (?) can now be used in hostnames on a multi-site HTTP(S) listener. A multi-site listener routes requests to different backend pools and web applications on the same gateway based on the hostname or domain name. With wildcards, one listener can match multiple hostnames. Visit the page for more details.
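A wildcard hostname is convenient, but it can also cover hosts that another listener was meant to serve exclusively. The following overlap check is an added example, not code from the original post or from Microsoft: it reads `*` as "any run of characters" and `?` as "exactly one character" (this example's reading of the wildcard rules; the gateway's exact matching rules are on the linked page) and reports every literal hostname that is also covered by a wildcard on a different listener. The listener names and hostnames are constructed for this example.

```python
"""Report literal listener hostnames that another listener's wildcard also covers.

Added example (not from the original post or from Microsoft). Wildcard
semantics here: `*` = any run of characters, `?` = exactly one character,
matching is case-insensitive. The listener set below is constructed.
"""
import re

# Constructed listener configuration: listener name -> hostnames on that listener.
LISTENERS = {
    "shop": ["shop.contoso.com"],
    "partner": ["*.b2b.contoso.com"],
    "catch-all": ["*.contoso.com"],
    "legacy": ["app?.contoso.com"],
}


def wildcard_to_regex(pattern: str):
    """Translate a hostname wildcard into an anchored, case-insensitive regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def is_wildcard(hostname: str) -> bool:
    return "*" in hostname or "?" in hostname


def matching_listeners(listeners: dict, host: str) -> list:
    """Names of all listeners with at least one hostname matching `host`, sorted."""
    hits = []
    for name, hostnames in listeners.items():
        if any(wildcard_to_regex(h).match(host) for h in hostnames):
            hits.append(name)
    return sorted(hits)


def find_overlaps(listeners: dict) -> list:
    """Return (literal hostname, owning listener, other matching listeners) triples.

    Every literal hostname is tested against all other listeners; a hit means
    that listener's wildcard would also accept traffic for the host.
    """
    overlaps = []
    for name, hostnames in listeners.items():
        for host in hostnames:
            if is_wildcard(host):
                continue
            others = [n for n in matching_listeners(listeners, host) if n != name]
            if others:
                overlaps.append((host, name, others))
    return overlaps


if __name__ == "__main__":
    for host, owner, others in find_overlaps(LISTENERS):
        print(f"{host} (listener {owner}) is also matched by: {', '.join(others)}")
```

Run against an exported gateway configuration, the report tells you which exact-match hostnames depend on the gateway's listener precedence rather than on an unambiguous match, which is worth knowing before a catch-all wildcard goes live.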

Wildcard Listener
Source: Microsoft

Microsoft Defender for Containers with new capabilities for Kubernetes in Public preview

Microsoft Defender for Cloud (formerly known as Azure Security Center and Azure Defender) provides a rich toolset for security hardening and threat protection. For Kubernetes, the existing Azure Defender container and Kubernetes capabilities have been merged and new functionality has been added. This includes AKS profiles, multi-cloud support, runtime visibility of vulnerabilities, advanced threat protection, enhanced ACR vulnerability assessment, and continuous image scanning. For detailed information please visit the documentation on this site.

Understanding the core functionality of Microsoft Defender for Cloud.
Source: Microsoft

Attribute-based Access Control (ABAC) conditions with principal attributes now in public preview

While RBAC grants access according to a user's organizational role, ABAC uses attributes of the security principal, the resource, the request, and the environment for this purpose. This preview feature lets you combine such conditions with RBAC (role-based access control): custom security attributes of principals can now be referenced in role assignment conditions, which simplifies managing access to your resources. For more details visit this site.
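To see what a principal-attribute condition actually does to a role assignment, the following evaluator is an added example, not code from the original post or from Microsoft. It supports the subset of the condition language needed here: `ActionMatches{'...'}` (with `*` wildcards), `@Principal[...]` / `@Resource[...]` `StringEquals '...'`, `AND`, `OR`, `!( )` and parentheses. The condition, the attribute set and attribute (`Engineering_Project`) and the value `'Baker'` are constructed for this example; the full grammar is documented on the linked page.

```python
"""Evaluate a simplified Azure role-assignment condition against a request.

Added example (not from the original post or from Microsoft); supports only the
subset of the condition grammar used below. Attribute names/values constructed.
"""
import fnmatch
import re

ACTION_RE = re.compile(r"ActionMatches\{'([^']*)'\}")
ATTR_RE = re.compile(r"@(Principal|Resource)\[([^\]]+)\]\s+StringEquals\s+'([^']*)'")

# Constructed condition: only principals whose custom security attribute
# Engineering_Project is 'Baker' may read blobs; every other action is untouched.
CONDITION = (
    "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'}))"
    " OR (@Principal[Microsoft.Directory/CustomSecurityAttributes/Id:Engineering_Project]"
    " StringEquals 'Baker'))"
)


def tokenize(condition: str) -> list:
    """Split the condition into (kind, value) tokens."""
    tokens, i = [], 0
    while i < len(condition):
        if condition[i].isspace():
            i += 1
            continue
        if condition[i] in "()!":
            tokens.append(("sym", condition[i]))
            i += 1
            continue
        m = ACTION_RE.match(condition, i)
        if m:
            tokens.append(("action", m.group(1)))
            i = m.end()
            continue
        m = ATTR_RE.match(condition, i)
        if m:
            tokens.append(("attr", (m.group(1).lower(), m.group(2), m.group(3))))
            i = m.end()
            continue
        for kw in ("AND", "OR"):
            if condition.startswith(kw, i):
                tokens.append(("op", kw))
                i += len(kw)
                break
        else:
            raise ValueError(f"unexpected input at {i}: {condition[i:i + 20]!r}")
    return tokens


class _Evaluator:
    """Recursive descent: expr := term (OR term)*, term := factor (AND factor)*."""

    def __init__(self, tokens, request):
        self.tokens, self.pos, self.request = tokens, 0, request

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        token = self.tokens[self.pos]
        self.pos += 1
        return token

    def expr(self):
        value = self.term()
        while self.peek() == ("op", "OR"):
            self.take()
            rhs = self.term()  # evaluated unconditionally so its tokens are consumed
            value = value or rhs
        return value

    def term(self):
        value = self.factor()
        while self.peek() == ("op", "AND"):
            self.take()
            rhs = self.factor()
            value = value and rhs
        return value

    def factor(self):
        token = self.take()
        if token == ("sym", "!"):
            return not self.factor()
        if token == ("sym", "("):
            value = self.expr()
            if self.take() != ("sym", ")"):
                raise ValueError("missing ')'")
            return value
        if token[0] == "action":
            return fnmatch.fnmatchcase(self.request["action"], token[1])
        if token[0] == "attr":
            source, key, expected = token[1]
            return self.request.get(source, {}).get(key) == expected  # missing attribute -> False
        raise ValueError(f"unexpected token {token}")


def is_allowed(condition: str, action: str, principal: dict = None, resource: dict = None) -> bool:
    """True when the condition holds; a condition can only narrow a role, so False is a deny."""
    request = {"action": action, "principal": principal or {}, "resource": resource or {}}
    ev = _Evaluator(tokenize(condition), request)
    result = ev.expr()
    if ev.peek() is not None:
        raise ValueError("trailing tokens in condition")
    return bool(result)
```

The `!(ActionMatches{...}) OR (...)` shape is the important pattern: the condition is true for every action the role grants except the one named, and for that one it is true only when the principal carries the expected attribute. A principal without the attribute is not granted anything extra; it simply fails that one action.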

Azure Boards UX Modernization in Public Preview

Azure DevOps provides a variety of functionality for project management, CI/CD, testing, and working with repositories. The project management view has now been updated and can be activated via the public preview feature “New Boards Hubs” in the user settings. The functionality stays the same, but the look of the backlog view is enhanced. We point out that it is a preview feature and, as we can say from personal experience, may still contain a few issues. Check out the announcement on this website.

Automated key rotation in Azure Key Vault is now in public preview

Azure Key Vault auto key rotation allows setting up a rotation policy that rotates a customer-managed key (CMK) after a specified period of time, generating a new version of the key in the process. The feature is free during the preview, so this is a good time to test it. Check out the link for more details.
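A rotation policy is easy to get subtly wrong (a policy that only notifies, or a rotation that would happen after the key version has already expired). The following review check is an added example, not code from the original post or from Microsoft. The policy shape (a `lifetimeActions` list with `Rotate`/`Notify` actions, `timeAfterCreate`/`timeBeforeExpiry` triggers and `attributes.expiryTime`, all as ISO 8601 durations) follows the document that `az keyvault key rotation-policy show` returns; the sample policies and the review threshold are constructed for this example.

```python
"""Review an Azure Key Vault key rotation policy before applying it.

Added example (not from the original post or from Microsoft). Policies and the
maximum rotation interval used below are constructed for this example.
"""
import re

DURATION_RE = re.compile(r"P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)W)?(?:(\d+)D)?")

# Constructed policy: rotate 90 days after creation, notify 30 days before
# expiry, and let each key version expire after one year.
GOOD_POLICY = {
    "lifetimeActions": [
        {"trigger": {"timeAfterCreate": "P90D", "timeBeforeExpiry": None},
         "action": {"type": "Rotate"}},
        {"trigger": {"timeAfterCreate": None, "timeBeforeExpiry": "P30D"},
         "action": {"type": "Notify"}},
    ],
    "attributes": {"expiryTime": "P1Y"},
}

# Constructed policy that only notifies: the key is never rotated automatically.
NOTIFY_ONLY_POLICY = {
    "lifetimeActions": [
        {"trigger": {"timeAfterCreate": None, "timeBeforeExpiry": "P30D"},
         "action": {"type": "Notify"}},
    ],
    "attributes": {"expiryTime": "P2Y"},
}


def duration_days(text: str) -> int:
    """Convert an ISO 8601 date duration (P1Y, P6M, P2W, P90D, P1Y6M) to days.

    Years and months are approximated with 365 and 30 days, which is enough to
    compare the windows of one policy with each other.
    """
    m = DURATION_RE.fullmatch(text or "")
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration {text!r}")
    years, months, weeks, days = (int(g or 0) for g in m.groups())
    return years * 365 + months * 30 + weeks * 7 + days


def check_rotation_policy(policy: dict, max_rotation_days: int = 365) -> list:
    """Return a list of findings; an empty list means the policy passes review."""
    findings = []
    expiry = policy.get("attributes", {}).get("expiryTime")
    expiry_days = duration_days(expiry) if expiry else None

    rotate_actions = [a for a in policy.get("lifetimeActions", [])
                      if a.get("action", {}).get("type") == "Rotate"]
    if not rotate_actions:
        findings.append("no Rotate action: keys are never rotated automatically")
        return findings

    trigger = rotate_actions[0].get("trigger") or {}
    after_create = trigger.get("timeAfterCreate")
    before_expiry = trigger.get("timeBeforeExpiry")
    if after_create:
        interval = duration_days(after_create)
        if interval > max_rotation_days:
            findings.append(f"rotation interval {after_create} exceeds {max_rotation_days} days")
        if expiry_days is not None and interval >= expiry_days:
            findings.append("rotation is scheduled at or after the key version's expiry")
    elif before_expiry:
        if expiry_days is None:
            findings.append("timeBeforeExpiry trigger cannot be evaluated without an expiryTime")
    else:
        findings.append("Rotate action has no trigger")
    return findings


if __name__ == "__main__":
    for label, policy in (("good", GOOD_POLICY), ("notify-only", NOTIFY_ONLY_POLICY)):
        print(label, check_rotation_policy(policy) or "OK")
```

The check is deliberately a pre-flight review of the policy document itself, so it can run in a pipeline before the policy is pushed to the vault.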

Using Self-hosted gateways to expand the Azure API management

The self-hosted gateway feature expands API Management so that APIs hosted on-premises and across clouds can be managed securely. You have the flexibility to deploy a containerized version of the API Management gateway component into the same environments where the APIs are hosted. API Management consists of three key parts: the management plane, the gateway, and the developer portal. By default, all of these components run in Azure, which means API traffic flows through Azure regardless of where the backend is. A self-hosted gateway can instead be deployed as a single point of management at the location of the backend API. This allows traffic to flow directly to the backend, improving latency, reducing data transfer costs, and enabling additional compliance scenarios. Visit the link for more details.

We invite you to the upcoming Cloud Native Rosenheim meetup

We’d be very glad if you could join us on February 2 at 5:30 PM. Our experts Nico, Philip, and Dario will talk about the Kubernetes 1.23! Visit our meetup page for more details.