259 stories

Why is software licensing so complicated?

1 Comment
Something happened.

I’ve worked around Microsoft licensing for almost 7 years at my current employer, but even when I was doing Web development back in the 1990’s, Microsoft’s licensing —particularly for SQL Server—was infamous for its complexity, or at least for how hard it was for someone new to the realm to wrap their head around.

The more things change, the more they stay the same; Microsoft is still (in)famous for the complexity of their enterprise software licensing rules. I compiled a list of 10… excuses? that can explain, or perhaps at least clarify why licensing is still so complicated. This is far from exhaustive and applies first and foremost to Microsoft. But it can be used to explain most of what we all must live with in terms of the rules, and many are applicable to other vendors besides Microsoft, at least to some degree.

The 10 excuses, in some semblance of order are:

  1. Licensing doesn’t sit still
  2. The rules aren’t a secret
  3. You cannot be a casual licensing expert
  4. Casual licensing experts are everywhere
  5. Licensing dominoes are everywhere
  6. Product licensing and technology (features and editions) are fatally intertwined
  7. Product licensing and programs (how you bought it) are fatally intertwined
  8. Subscription-based software is making things easier
  9. Subscription-based software is making things harder
  10. Licensing dominoes are everywhere
  11. Don’t stop moving unless you want to get out of the pool

1: Licensing doesn’t sit still

The rules for licensing Microsoft’s software are evergreen. Really. Once per month, in a very uniform and predictable manner, Microsoft posts the Product Terms (in the form of a Word document) to their website. There are other documents enterprise customers need to be aware of, but the Product Terms is the core of Microsoft enterprise licensing rules, and although Microsoft’s direct motivations for a specific change aren’t always visible, they’re intrinsically there. Organizations usually have their own set of rules, based on the program they are licensing through, but this document defines how the products and services align with those programs.

Over time, you can learn to see changes that were made to increase revenue, drive adoption, address a competitive threat or market stall, and sometimes, once in a while, to simplify things. Realistically, nothing in the Product Terms ever changes just because somebody felt like it.

Over time, All of the following cause changes within the document:

  1. New, changed, or discontinued products or services
  2. New, changed, or discontinued suites of products or services
  3. Changes to how a product, service or suite are licensed
  4. Changes to how these are acquired, like which programs include them
  5. Expansion or contraction of the locales where they are available
  6. Similar adjustments to what Microsoft has available for licensing beginning that month.

The Product Terms is a monstrously huge Word document. But it’s not insurmountable. It’s organized in a reasonably logical manner and includes a table of contents and (misleadingly) simplistic “what’s changed” section. There is also some appendices at the end that can be easily missed, but are often quite important.

The more you read the Product Terms (PT), the more sense it will… should… is likely to? make. Unfortunately, the document is so large and complex that even Word will give you an error telling you it can’t proofread the document. It’s also lightly obfuscated so that you cannot (easily) compare this month’s PT with the document from last month. Which is important, because–outside of certain circumstances–today’s rules are the rules that matter.

A key thing to remember if you really want to understand the product terms is to not trivialize the terms used in the licensing document. For example, I still often see people still interchange version and edition. They’re never interchangeable. A version is a specific release of something (5.1.2600, for example), and an edition is specific packaging of a product that defines the technology it contains (ex: only Windows Pro includes inbound Remote Desktop connectivity) and what license rights it has (ex: only Windows Enterprise lets you run it on a virtual desktop infrastructure – but this is not technically enforced).

Similarly, I like to avoid the use of terms like “purchase”, “buy”, or “own”, because those usually aren’t accurate. Instead, use “license”, and “have rights to”. It’s Microsoft’s software. You’ve just paid for the rights to use it.

2: The rules aren’t a secret

As I noted above, the rules aren’t a secret. They live in a publicly visible Word doc that is updated with a degree of precision on the first of each month. Contrary to popular opinion, you don’t even need a decoder ring to read or apply them, either. But you do need to take time and learn to process how they apply to each product – a task which is different for almost every Microsoft product (each team has different business objectives, so implements things—especially transitions between mighty morphing license models—differently).

If anything, the biggest problem is that for Microsoft’s largest customers, living within the rules effectively means that while the rules change every month, these customers usually get a stay until their next agreement renewal. This often means an opportunity to save money, but it also means understanding the set of rules your organization is living under can become quite complex, because you’re spelunking through old copies of the Product Terms (which Microsoft does provide archives of) to figure out what the rules for SQL Server were several years ago, based on software deployed a decade ago, instead of what’s on today’s Product Terms.

3: You cannot be a casual licensing expert

Looking at the first section, you can begin to understand the risks posed by a “casual licensing expert”. Anyone can open the Product Terms and, immediately, have a spark of a perspective of how to answer a licensing question. But the devil lies in the details. To answer a question about how to license a product, you usually need to understand or know how to/where to go to interpret all of the following:

  1. What version and edition of software the customer has deployed, how it is used, and what licensing program it was licensed through
  2. What rules and editions were in place when the product they’re running shipped
  3. How they they licensed the software
  4. What rules and editions are in place when the product they’re running shipped
  5. How to map “what was” to “what is” using those last two pieces of data

That last one is always the ouch moment. When my Licensing Boot Camp co-conspirator and I write about or present about licensing, it’s pretty easy to explain how the rules used to work, or how they work today – what we refer to as “Greenfield” licensing, since there’s only one semi-clean set of rules to explain at a time. Sometimes you’ll hear a Microsoft employee describe the new model for something as simple. But that’s because once they ship that new version and a new Product Terms, most people in Redmond get to wash their hands of the old licensing model. For customers, that’s when the complexity starts, and it doesn’t ever get easier.

But the most complex aspect of licensing to understand is mapping what was (what a customer usually believes they bought and own) to what they deployed, and aligning that with what the rules are today, and what they actually have rights to, due to the way Software Assurance works in concert with their license agreement(s). Learning to transpose an organization’s current software estate into current licensing terms, especially when most data you’re offered from the customer is quite likely out of date, is like learning to drive. I’m not talking not slow, casual residential practice driving. The risk of asking someone—even someone who works at Redmond and has a blue badge—a licensing question if they’re just a casual expert is that they may not know all of your data they need in order to interpolate the current rules into a reliable answer. I sometimes make mistakes while analyzing or writing about this too – and it’s been a huge part of what I do for over six years.

4: Casual licensing experts are everywhere

If you ask someone who isn’t your lawyer for legal advice, and they’re a good lawyer, they’ll most likely tell you that they can’t (or shouldn’t) provide you legal advice. The same should usually be true of licensing as well. Unfortunately, lots of people with the best of intentions will offer you licensing advice.

I’m inclined to recall a meeting we had on campus at Microsoft, where an FTE (full-time Microsoft employee) disagreed with my colleague about the way licensing worked for a part of their product. The employee stood firm. They were wrong, mind you, but they had strength in their convictions. At the end of the day, we were unable to convince him, even with information from the Product Terms. When things like this happen, I worry for customers.

One of the biggest dangers with casual licensing advice is the use of the expression, “I think I can see how it would work that way” when a customer new to the field or this product asks for validation of their interpretation. You never want to hear that. You want to hear, “It works like this. There are exceptions for X or Y, and I see why you would want, or might think, it works that way. Unfortunately, it doesn’t.”

My colleague and I often joke about the use of the expression “it depends” in our boot camps to explain away the squishy parts (actually the hard parts) of licensing. While initially amusing, the expression is often worse than useless. You see, it rarely depends. Once you have all the customer data and the rules, an interpretation is usually pretty reliable. You don’t want squishy licensing interpretations.

Auditors and attorneys never want squishy licensing interpretations.

5: Licensing dominoes are everywhere

My colleague and I often use the term “licensing dominoes” to describe interdependencies. Usually it’s how you need to license two technologies, where one relies on the other. The best example is SQL Server. To understand how to license your SQL Server estate (until 2017, when SQL also started supporting Linux), you needed to understand how to license SQL Server. And while Windows Server and SQL Server both have licensing that is (Windows Server) or can be (SQL Server) based on the processor cores in your host hardware, the reality is that if you know how to license SQL Server per-core, you don’t know diddly about how to license Windows Server (which is always licensed on a totally different per-core/client access license (CAL) basis.

To license (or to understand the licensing of a long-deployed setup of Microsoft software, you’ve got to understand the rules that define the whole stack. To license just the server side of Project Server, for example, this means you need to understand:

  • Windows Server
  • SQL Server
  • SharePoint Server
  • Project Server

That’s not even taking the client side into account.

6: Product licensing and technology (features and editions) are fatally intertwined

Once you understand all the dominoes you need to define, then you have to understand the edition(s) of those products that you care about. This is one of the more complex problems with licensing, because you again need to care about what was: “What was the edition mix in 2010, when this infrastructure was licensed and deployed?” versus what is: “What’s the edition mix of the version that Microsoft just released in October?”

For example, if you licensed Windows Server Enterprise edition in 2008, and kept Software Assurance on it until now, what edition of Windows Server do you actually have rights to now, and what licensing rules are you obligated to live under?

Given the regular shifts in client and server pricing, and regular feature packaging shifts within Windows Server and Microsoft server applications, this is one of the hardest pieces of knowledge you must get your head around to license something correctly.

7: Product licensing and programs (how you bought it) are fatally intertwined

Just like versions and editions, how you license software determines what you can actually do with the software. If you license Windows 10 through an Enterprise Agreement (EA), there are usually things you can do with it that you can’t if you licensed it through a Cloud Solution Provider (CSP) – and sometimes, vice versa.

So now you need to hold multiple multidimensional cubes in your head. For each licensing domino, you need to understand the current rules for the:

  1. Program you licensed the software through
  2. Current version of the software
  3. Applicable edition of the software.

Then do it again so you understand what the rules were when it was deployed, if you want to transmogrify what the organization initially licensed into something that you can claim is legit to license it today.

8: Subscription-based software is making things easier

When Microsoft initially shipped Office 365, my colleague and I were all excited that non-compliance would be a thing of the past, that Microsoft would build enforcement into their own services, to reassure customers that they were, in fact, properly licensed… that it would not be possible to get out of compliance to the point where you might have significant license surprises down the road. And for certain parts of Office 356, the Enterprise Mobility + Security (EMS) suite, and Windows 10 when activated using Azure Active Directory (AAD), that’s the case… but unfortunately…

9: Subscription-based software is making things harder

Because of the way Microsoft has been adding new editions (tiers, etc.) of service to Office 365 and EMS in particular, and because some of the features of these—some of the most important features of these—are only off or on at an entire Office 365 or AAD tenancy level, compliance is stuck on a slider somewhere between intractable and impossible for customers that want to do the right thing. We’ve written at length about this at Directions on Microsoft, and my colleague recently did a Webinar on it as well. The hope is that over the coming years, Microsoft will fix this, so customers can take advantage of features in top-shelf editions of Microsoft’s online services, without fearing significant financial surprises down the line.

10: Don’t stop moving unless you want to get out of the pool

If licensing is part of your job description, it will be a part of your job description until you leave that position. I’ve seen people jump about, excitedly proclaiming about how the cloud will simplify software licensing, to the point that we’ll no longer need software asset management (SAM).


Licensing complexity can neither be created nor destroyed, only transformed.

With new complexities introduced by cloud-based services, sometimes intermingled with how things are licensed on-premises, being license compliant – and ensuring you’re getting the correct savings for your existing on-premises estate, as Microsoft offers with their Azure Hybrid Benefits for Windows Server and SQL Server – just means a new set of SAM processes that work differently than SAM as we knew it for the last 20 years.

With this post, I initially set out to create a work that described how licensing isn’t really that complicated. But the reality is that this is not simple, and this is just describing Microsoft. A lot of our members and licensing boot camp attendees have to parse rule sets from multiple vendors – including vendors some of you wouldn’t remember.

Understanding licensing to the point where you can describe how to license something accurately and succinctly given limited data is hard. But it is possible, if you’re willing to put the time into it and ensure that you understand all of the angles first.

Read the whole story
5 days ago
Microsoft licensing is one of the most complicated things to figure out. When I worked outside of Microsoft, this was one of my primary jobs. Having worked at Microsoft actually hurt me because I side Microsoft, we did not have to pay for our licensing of Microsoft products. Having spent that time outside, I spent time in the Product Terms and Product Use Rights. I started to understand licensing more and more. I spent time every month looking at the changes and actually spoke with Wes on Twitter and in person about the changes. Unfortunately, my return to Microsoft has made that skill set shrivel due to not using it. Please consider what Wes says in this article and how to look at Microsoft licensing.
Seattle, WA
Share this story

What You Need to Know about RPO and RTO

1 Comment
With clear RPO and RTO--as well as a solid plan that is tested, hardened and extensively redundant--you’ll be prepared to recover from most incidents you face.

Read the whole story
8 days ago
RPO and RTO are things that every IT Pro should know about for Business Continuity and Disaster Recovery. These objectives are critical to get sign-off from business and IT at the same time.
Seattle, WA
Share this story

Making HIPAA and HITRUST compliance easier

1 Comment and 2 Shares

Many healthcare organizations are starting to adopt artificial intelligence (AI) systems to gain deeper insight into operations, patient care, diagnostic imaging, cost savings and so on. However, it can sometimes be daunting to even know where to get started. Many times, you need a clear lighted path to start your journey and embrace AI and machine learning (ML) capabilities rapidly.


One method is using an Azure Healthcare AI blueprint. It’s a shortcut to using Microsoft Azure at low cost and without deep knowledge of cloud computing. Blueprints include resources such as example code, test data, security, and compliance support. The largest advantage of using a blueprint is explicit advice and clear instructions on keeping your solution in compliance. We’re trying to eliminate the mystery, so you don’t have to research it yourself.

Three core areas where the blueprint can help with compliance are cloud provider and client responsibilities, security threats, and regulatory compliance. These three areas can get overlooked at the beginning of any technology project, yet they are important parts of creating healthcare systems. Applying formal discipline to these areas is made easier by using the blueprint to create an AI/ML experiment installation.

Helpful artifacts

The blueprint includes a script to create an AI/ML system, complete with a sample experiment. It also includes several documents to help system implementers keep their installations secure and compliant. These include worksheets, whitepapers, and spreadsheets that will help you ensure system compliance with healthcare regulations and certifications. The artifacts are easily re-purposed for other healthcare-based systems implemented on Azure.

Clarifying responsibilities

When creating any system on a cloud platform, there are two possible owners for any part of the solution, the cloud provider and the customer. It is important to know who is responsible for specific actions, services, and other operational details. Without a clear understanding of this delineation, customers or vendors may find themselves in a difficult situation if an issue arises, like service outages or security breaches. Therefore, it is in everyone’s interest to be clear about the responsibilities of design and operations.

Preventing misunderstandings and setting clear expectations of responsibilities is the goal of the Shared Responsibilities for Cloud Computing document. If you are trying to meet HITRUST certification standards, the HITRUST Customer Responsibilities Matrix spreadsheet identifies exactly what Microsoft and the customer are respectively responsible for managing.

Planning for security threats

Before creating complex systems, it is always advisable to perform a threat assessment. It is a best practice to create a threat assessment model. It helps you to visualize the system and find the points of vulnerability in the proposed architecture. This leads to conversations about where the system may be improved and hardened against attacks.

Microsoft provides a Threat Model Tool enabling architects to identify and mitigate potential security issues early, when they are relatively easy and cost-effective to resolve. The blueprint includes a model to be used with the tool. This comprehensive threat model provides insights into the potential risks of the architecture and how they may be mitigated.

A standard approach to security threat analysis involves identifying the surface area of your system, creating a model of that surface area, identifying potential threats, mitigating them and validating each mitigation, updating the threat model as you proceed. The following diagram highlights the major phases this process.

The figure below shows four stages: diagram, identify, mitigate, and validate.


Figure 1: Security cycle

This process flow provides an iterative and collaborative approach to threat analysis that ultimately helps create a more robust and secure system architecture.

Regulatory compliance

Healthcare systems need to meet regulatory compliance standards. At installation, the blueprint complies with HIPAA and HITRUST requirements. Whitepapers are included to help you understand how to continue to meet these requirements. Let’s examine the whitepapers and other provided artifacts to see how they might help.

HITRUST certification

The Common Security Framework (CSF) from HITRUST is a security standard for healthcare systems. The HITRUST compliance review whitepaper was published to aid in ensuring the healthcare blueprint meets CSF regulations. The whitepaper states:

“This whitepaper constitutes a review of the Blueprint architecture and functionality with respect to HITRUST-certified customer environments, examining how specifically it can satisfy HITRUST CSF security requirements.”

The whitepaper helps organizations plan their cloud implementation and understand how to meet HITRUST CSF compliance.

HIPAA compliance built into the blueprint

Compliance with HIPAA standards is fundamental to any healthcare organization. The blueprint was created with HIPAA in mind, and includes a whitepaper covering the topic in detail.

The HIPAA compliance review whitepaper is similar to the HITRUST whitepaper in its intent, to help organizations reach regulatory compliance. This document guides readers through the architecture, a shared responsibility model and deployment considerations for your solution. Protected healthcare information (PHI), a fundamental practice in well-designed system architectures, is also included in the whitepaper.

Recommended next steps

Use the supporting collateral below to prepare for your installation of the blueprint. The artifacts demonstrate how responsibilities, compliance, and security are established and how you can maintain them going forward.

Prepare for installation and ongoing maintenance with the following documents.


What other artifacts or considerations do you think would be helpful when putting healthcare systems into production? Your comments and recommendations are welcome below. I regularly post on technology in healthcare topics. Reach out and connect with me on LinkedIn or Twitter.

Read the whole story
8 days ago
This is good to understand the roles of the Cloud Host and the Customer when it comes to Public Cloud usage in Healthcare. I remember working with vendors around this sort of clarity when I was Director of IT with a medical practice and I am glad to see Microsoft's commitment to make this clear.
Seattle, WA
Share this story

Azure Advisor has new recommendations for you

1 Comment

Azure Advisor is your free, personalized guide to Azure best practices. It analyzes your Azure usage and configurations and helps you optimize your resources for high availability, security, performance, and cost. We’re constantly adding more to Advisor and are excited to share a bundle of new recommendations and integrations so you can get more out of Azure.

blog-image-1 (1)

Create or update table statistics in your SQL Data Warehouse tables

Table statistics are important for ensuring optimal query performance. The SQL Data Warehouse query optimizer uses up-to-date statistics to estimate the cardinality or number of rows in the query result, which generates a higher-quality query plan for faster performance.

Advisor now has recommendations to help you boost your SQL Data Warehouse query performance. It will identify tables with outdated or missing table statistics and recommend that you create or update them.

Remove data skew on your SQL Data Warehouse table

Data skew occurs when one distribution has more data than others and can cause unnecessary data movement or resource bottlenecks when running your workload, slowing your performance. Advisor will detect distribution data skew greater than 15 percent and recommend that you redistribute your data, and revisit your table distribution key selections.

Enable soft delete on your Azure Storage blobs

Enable soft delete on your storage account so that deleted Azure Storage blobs transition to a soft deleted state instead of being permanently deleted. When data is overwritten, a soft deleted snapshot is generated to save the state of the overwritten data. This allows you to recover in the event of accidental deletion or overwrites. Advisor now identifies Azure Storage accounts that don’t have soft delete enabled and suggests you enable it.

Migrate your Azure Storage account to Azure Resource Manager

Azure Resource Manager (ARM) is the most up-to-date way to manage Azure resources, with template deployments, additional security options, and the ability to upgrade to a GPv2 account for utilization of Azure Storage’s latest features. Azure will identify any stand-alone Storage accounts that are using the classic deployment model and recommend migrating to the ARM deployment model.

Create additional Azure ExpressRoute circuits for customers using Microsoft Peering for Office 365

Customers using Microsoft Peering for Office 365 should have at least two ExpressRoute circuits at different locations to avoid having a single point of failure. Advisor will identify when there is only one ExpressRoute circuit and recommend creating another.

Azure Advisor is now integrated into the Azure Virtual Machines (VMs) experience

When you are viewing your VM resources, you will now see a notification if you have Azure Advisor recommendations that are related to that resource. There will be a blue notification at the top of the experience that indicates the number of Advisor recommendations you have and the description of one of those recommendations. Clicking on the notification will take you to the full Advisor experience where you can see all the recommendations for that resource.



Azure Advisor recommendations are available in Azure Cost Management

Azure Advisor recommendations are now integrated in the new Azure Cost Management experience that is in public preview for Enterprise Agreement (EA) enrollments. Clicking on Advisor recommendations on the left menu will open Advisor to the cost tab. Integrating Advisor with Azure Cost Management creates a single location for cost recommendations. This allows you to have the same experience whether you are coming from Azure Cost Management or looking at cost recommendations directly from Azure Advisor.


Review your Azure Advisor recommendations

Learn more about Azure Advisor and review your Advisor recommendations in the Azure portal today to start optimizing your Azure resources for high availability, security, performance, and cost. For help getting started, visit the Advisor documentation.

Read the whole story
8 days ago
Azure Advisor is one of the cornerstone tools in Azure to improve your experience and potentially save money. It is a free service to look through your subscriptions. Some of the recommendations may cost additional money but many save you money. I encourage you to check it out today.
Seattle, WA
Share this story

Top Ways Businesses are Using the Hybrid Cloud

1 Comment

Today, the hybrid cloud has become the new norm for many businesses. The hybrid cloud can help businesses modernize their infrastructure and processes as well as cut costs and improve efficiencies; hybrid cloud uses compute or storage resources from your on-premises network and combines them with cloud resources. Microsoft identifies four essential elements for successfully implementing hybrid cloud scenarios.

  • Networking – Forming the basis for all hybrid cloud scenarios networking connects your local and cloud resources.
  • Identity – Azure AD can act as a common identity provider enabling both local and cloud identity management. Azure AD can be synchronized with your on-premises Active Directory or federated with other identity providers.
  • Security — Providing protection for identities, data, administrative accounts as well as internal and external threats is especially for hybrid cloud implementations as the attack surface spans both on-premise and cloud resources.
  • Management –The ability to monitor the health of your hybrid cloud components as well as maintain settings, accounts, policies, and permissions are all vital to successful hybrid cloud scenarios.

The combination of these essential elements enables businesses to use the hybrid cloud for a number of useful functions. Let’s look at the top ways that businesses today are using the hybrid cloud.

Office 365

There’s no doubt that Office 365 is one of the biggest cloud drivers for Microsoft. Office 365 delivers all of the different office productivity applications as a Software-As-a-Service package as well as 1TB of cloud storage. After it’s downloaded from the cloud, Office 365 runs locally on your system and can access both cloud and local resources including on-premises deployments of Exchange, SharePoint, SQL Server and Skype for Business. You can use OneDrive to share and collaborate with other people using the various office documents.


Using the cloud for backup is the next most common way that businesses are using the hybrid cloud today. Several third-party backup solutions are cloud enabled. The hybrid cloud makes a lot of sense for backups and it can help you deal with the massive data growth that almost all organizations are experiencing. Hybrid cloud backup can enable you to move your backups off high-cost local storage to low-cost highly reliable cloud storage. Using hybrid cloud backup enables you to implement the 3-2-1 rule for backups where you have three copies of your data, stored on two different types of media, with one copy of the data offsite. Hybrid cloud backup can also enable you to eliminate the costs for off-site data archival services that are often used with tape backups.

Disaster Recovery

Using the cloud for disaster recovery (DR) is another popular way that businesses today are implementing hybrid cloud solutions. The cloud provides a highly reliable DR target that can free you from the expense of buying and maintaining your own physical DR sites. Many of Microsoft’s mission-critical server applications like Windows Server and SQL Server provide integrated cloud DR capabilities. Hyper-V Replica is included in Windows Server 2016 and it’s able to replicate on-premise VMs to the cloud for rapid DR recovery. Likewise, SQL Server 2016’s AlwaysOn Availability Groups (AG) are able to support secondary databases that are cloud-based in the same AG that has local secondaries.

DevOps Application Development

Moving development and testing to the cloud was one of the first ways that businesses began adopting the cloud. Now many businesses are embracing DevOps and agile development methodologies to speed up and improve the application development process. A key component of DevOps is the ability to rapidly create development environments compressing the development, test and release cycle. The cloud enables you to rapidly provision, use and dispose of development resources like VMs and databases. Many companies use the cloud for initial development and testing and then when the applications are ready to deploy in production they will move them back to their on-premise data centers.

A hybrid cloud is a cost-effective option that is being used by all types of organization to provide new solutions to a number of today’s important business issues.

The post Top Ways Businesses are Using the Hybrid Cloud appeared first on Petri.

Read the whole story
9 days ago
Great viewpoint of modern engineering practices with Hybrid Infrastructure. Look it over and see how your team is looking at Hybrid environments.
Seattle, WA
Share this story

Azure Networking Fall 2018 update

1 Comment

Announcing: 100 Gbps, fastest connectivity in public cloud and availability of branch connectivity, new cloud native security capabilities and application performance services

As enterprises move ever more demanding mission-critical workloads to the cloud, we strive to provide comprehensive networking services that are easy to deploy, manage, scale, and monitor. Customers continue to ask for better ways to connect to the cloud, better protection of their cloud workloads, optimal application performance delivery, and more comprehensive monitoring services.

In terms of how to Connect, customers have asked for significantly higher bandwidth solutions as they struggle to transit massive amounts of data into the cloud to take advantage of advanced analytics and machine learning. Software Defined Wide Area Networking (SDWAN) holds tremendous promise to reduce costs by intelligently routing more traffic onto the Internet and helping customers better manage connectivity to their branch offices. The concept of the virtual datacenter has taken hold but building such solutions on a global scale remain a challenge. With 54+ Azure regions and more on the way our global network continues to expand to new locations while we increase its overall capacity. Customers have asked us for new ways to take advantage of our global WAN. We are announcing ExpressRoute 100Gbps Direct, ExpressRoute Global Reach, and the general availability of Azure Virtual WAN along with enhancements to Virtual Networks and DNS.

Security is always top of mind as enterprises must Protect their mission-critical workloads. Protecting applications from malicious intent is critical and having full access control for all resources is critical. The cloud can help you embrace a zero-trust security posture as well as a DevOps model for managing security. Scaling, managing and understanding security polices becomes much easier with cloud native solutions. We are announcing general availability of Azure Firewall GA along with enhancements to DDoS protection and Web Application Firewall.

Application performance, availability, and resiliency are also critical to Deliver both global and regional workloads. The cloud was fundamentally designed to address application scalability to dynamically handle different types of traffic patterns. Azure combined with our global network naturally allows us not only to accelerate Microsoft services such as Bing, Office 365, and Xbox, we can also help accelerate your applications. We are announcing Azure Front Door Preview, general availability of Azure CDN along with enhancements to Application Gateway and Traffic Manager.

The DevOps model requires your team to Monitor the health and performance of your applications. The cloud can provide even better insights into your services allowing you to measure, troubleshoot, alert, and act. In running Azure 24x7x365 we have tremendous operational experience and fully understand the pressures placed on your own operations teams and the monitoring requirements to deliver world-class experiences. We are announcing preview of Virtual Network TAP along with enhancements to Network Watcher.

Here is a summary of our new networking services and enhancements to existing services to help you connect to the cloud, protect your workloads, deliver optimal performance, and monitor your service.

Networking enhancement diagram

Azure helps you Connect, Protect, Deliver and Monitor your services


10X faster – ExpressRoute Direct 100Gbps connectivity

Azure is breaking the speed barrier in cloud connectivity. ExpressRoute Direct provides 100G connectivity for customers with extreme bandwidth needs. This is 10x faster than other clouds. Enterprise customers come to us with massive data ingestion scenarios such as telemedicine, content distribution, and IoT. With ExpressRoute Direct you can send 100 Gbps of network traffic to Azure services such as Azure Storage and Azure Virtual Networks. All your traffic can be on a single 100G ExpressRoute Circuit or you subdivide 100G among your business units in any combination of 40G, 10G, 5G, 2G, and 1G ExpressRoute circuits. By default, these circuits are ExpressRoute standard circuits providing connectivity to any Azure region in the same geographic region (e.g. North America, Europe, Australia, Japan, etc.). You can also designate any of the circuits as ExpressRoute Premium circuits providing global connectivity. This flexibility allows you to address the requirements of specific business units. For example, one business unit may require high bandwidth to access services within the local Azure region using a 40G ExpressRoute Standard circuit. Another business unit may require 2G global connectivity so would use a 2G ExpressRoute Premium circuit. You decide. Because ExpressRoute is for mission-critical workloads ExpressRoute Direct, like ExpressRoute, provides physical connectivity via two physical routers in an active-active configuration. Learn more about ExpressRoute Direct.

ExpressRoute Global Reach – Privately connecting your sites

ExpressRoute Global Reach allows you to connect two ExpressRoute circuits together. Your sites that are already connected to ExpressRoute can now privately exchange data via their ExpressRoute circuits. For example, a multinational company with datacenters in London and Tokyo each with an ExpressRoute circuit can enable ExpressRoute Global Reach so these sites can privately send traffic to each other using their local ExpressRoute circuits and Microsoft’s global network. ExpressRoute Global Reach can be enabled on both ExpressRoute Standard and ExpressRoute Premium circuits. ExpressRoute Global Reach is available in the following locations: Hong Kong, Ireland, Japan, Netherlands, United Kingdom, and United States with Korea and Singapore coming soon. More locations will be available later this year. Learn more about ExpressRoute Global Reach.

Virtual WAN generally available

20 Gbps S2S connectivity, new capabilities and a growing partner ecosystem

It’s quite challenging to manage 50 or 100 branch office devices connecting into a VPN service. This summer we introduced Azure Virtual WAN that simplifies large scale branch connectivity for branch to Azure and branch to branch scenarios over the Internet. We designed Virtual WAN for enterprises including large retail, medical, manufacturing, oil and gas customers looking to take advantage of SDWAN to connect their branch offices to Azure and to each other. By using SDWAN and VPN devices provided by our Virtual WAN ecosystem you get automated provisioning, configuration, scalability and high throughput. Virtual WAN supports up to 20 Gbps branch connectivity. This is a 20x improvement to our VPN gateways. Branch connectivity now becomes manageable. Virtual WAN is now generally available.

Microsoft recommends that Office 365 customers use local Internet breakouts to get onto Microsoft’s global network as quickly as possible and take advantage of Office 365 distributed edge node ecosystem. The primary goal of the customer network design should be to optimize latency to the nearest Office 365 front door and minimize hair pining of Office 365 requests across customer’s private network. Instead of backhauling to a central location or routing connections through another cloud service offering traffic Internet scanning, key Office 365 traffic should be allowed to egress using the Internet as locally to the user locations (branches) as possible and directly into Microsoft network. Such approach is called local and direct Internet break out and is often done by customers for selected applications, specified by policy. Customers can implement local and direct Internet breakout for Office 365 services by automating their branch routing policies by using a web service or by using an SD-WAN solution from a qualified partner. Azure Virtual WAN customers can configure their Office 365 Internet breakout policies in Azure portal and have that policy pushed to supported SD-WAN devices in the branch. This ensures local and direct Internet escape of key Office 365 flows providing an optimal end user experience.

Our Virtual WAN ecosystem continues to grow. In addition to Citrix and Riverbed, Virtual WAN solutions are now available from 128 Technology, Barracuda, Check Point, NetFoundry, and Palo Alto. Coming soon Virtual WAN solutions will be available from CloudGenix, Nuage Networks, Silver Peak, Versa Networks, and VeloCloud.

VeloCloud quote

Azure Virtual WAN ecosystem

Azure Virtual WAN ecosystem

New Virtual WAN preview capabilities include P2S VPN and ExpressRoute. With P2S VPN you can use an OpenVPN client to connect to your Virtual WAN. This enables mobile workers to securely access resources via the Virtual WAN from laptops and mobile devices while they travel or work from home. Azure P2S VPN is available in Azure Virtual WAN and can support up to 10,0000 concurrent remote users per Virtual WAN hub with a throughput of 2.5 Gbps.

With ExpressRoute as part of your Virtual WAN your branches can securely use the Internet to access the Virtual WAN and then have that traffic privately go to your datacenter connected to ExpressRoute.

Azure Virtual WAN simplifies all your connectivity

Azure Virtual WAN simplifies all your connectivity

Learn more about Virtual WAN.

Zone-Redundant VPN and ExpressRoute Virtual Network Gateways

Many customers use VPNs and ExpressRoute to access their Virtual Networks. To improve the resiliency, scalability and availability of gateways, we now have new Zone Redundant VPN and ExpressRoute Gateways that bring support for Azure Availability Zones. With these new Zone-Redundant/Zonal Gateways, you will be able to deploy Azure VPN and Azure ExpressRoute gateways in Azure Availability Zones, thus making them physically and logically separate within a region to protect your on-premises network connectivity to Azure from zone-level failures. We have also reduced the deployment time for these gateways. For more information on Zone Redundant gateways please refer to our documentation.

Zone redundant gateways provide better resiliency

Zone redundant gateways provide better resiliency

Public IP Prefix

A Public IP Prefix is a contiguous range of IP addresses for your Azure public endpoints that enables you to associate your Azure resources with public IP addresses from a known fixed range. This significantly reduces management overhead by eliminating the need to change firewall rules as you assign IP addresses to new resources. Get started with the preview and learn more about Public IP Prefix.

Load Balancer – Outbound Rules and TCP Reset on Idle

Outbound rules make it simple to configure public Load Balancer's pool-based outbound network address translation (NAT). You can use declarative configuration to scale and tune your outbound configuration to your specific needs.

Simple load balancer configuration

Simple load balancer configuration

Outbound rules describe which pool of virtual machines should be translated to which public IP addresses, how many outbound SNAT ports to allocate, and change outbound idle timeout.  You can simplify whitelisting by using outbound rules with public IP prefix. Review Outbound Rules for details.

You can optimize application performance by enabling TCP Resets on Idle on any rule for clean connection releases with changing the application. When enabled, TCP Reset packets are sent to both client and server endpoints at idle timeout. Review Load Balancer with TCP Reset on idle timeout for details.

Virtual Network for Containers

The Azure Container Networking Interface (CNI) plugin attaches containers to a VNet. It brings the rich set of Azure Networking capabilities to containers by utilizing the same SDN stack that powers Azure VMs. Containers can now connect to peered VNets and to on-premises over ExpressRoute or site-to-site VPN and access services such as Storage and SQL protected by VNet Service Endpoint. Network Security Group (NSG) and User Defined Routing (UDR) rules can be applied directly to containers.

Azure CNI is utilized by the Azure Kubernetes Service. It is also integrated into the Azure Container Instance Service and Azure WebApps for App Services which utilize an improved SDN stack for fast and secure injection of containers into customer VNets.        

Alias (Reference) Record support for Azure DNS

Azure DNS customers sometimes face problems keeping track of the lifecycle of Azure resources from within their DNS zones. For example, when the Public IP resource associated with an application gets deleted, the customer needed to manually update their DNS zone to prevent a dangling reference that could potentially blackhole their traffic. We are announcing support for Alias records for DNS zones. This allows customers to reference other Azure resources from within their DNS zones such that the DNS records get updated automatically when there is a lifecycle event on the referenced Azure resources. We support Alias record references to two Azure resources – Public IP and Azure Traffic Manager – with more resources planned in the future. For more details on the Alias Record support within Azure DNS, please see this blog post.


Azure Firewall – General availability, new capabilities

Azure Firewall, now GA, offers fully stateful network and application level traffic filtering for VNet resources, with built-in high availability and cloud scalability delivered as a service. Customers can protect their VNets by filtering Outbound, Inbound, Spoke-Spoke, VPN and ExpressRoute traffic. Connectivity policy enforcement is supported across multiple VNets and Azure subscriptions. Centralized logging using Azure Monitor, allows you to archive logs to a storage account, stream events to your Event Hub, or send them to Log Analytics or your SIEM of choice. Azure Firewall supports FQDN Tags to allow traffic to well-known Microsoft Services (e.g. ASE, Azure Backup and Windows Update) and Destination NAT configuration.

For more information, please refer to Azure Firewall documentation.

ABN AMRO quote

We are working with our partner ecosystem to provide SaaS based security policy management capabilities using the Azure Firewall public REST APIs. Solutions will be available in preview later this year including central management with Barracuda and AlgoSec AlgoSaaS, and Security policy management for containers Azure Kubernetes Service (AKS) using Tufin Orca.

Azure Firewall ecosystem

Growing Azure Firewall ecosystem

DDoS Protection Attack Analytics

The sophistication and frequency of DDoS attacks continue to increase, hitting nearly two in five businesses. DDoS attacks cause service outages. With the proliferation of compromised IoT devices that are weaponized as botnets to launch mega DDoS attacks, hackers are well equipped to achieve their nefarious goals. Azure DDoS Protection provides countermeasures against sophisticated DDoS threats.

We are announcing general availability of three new features for Azure DDoS Protection: Attack Mitigation Reports, Attack Mitigation Flow Logs and DDoS Rapid Response. Customers protecting their virtual networks against DDoS attacks with Azure DDoS Protection get detailed visibility into attack traffic and actions taken to mitigate the attack via diagnostic settings in Azure Monitor. DDoS Rapid Response will enable customers to engage DDoS experts during an active attack for specialized support.

Attack Mitigation Reports provide near-real time information about an attack and comprehensive reports summarizing the attack after it’s been mitigated. Attack Mitigation Flow Logs provide network level 5-tuple packet data (protocol, source/destination port, source/destination IP) and action taken during an active DDoS attack. This data can be integrated with Security information and Event Management (SIEM) systems via Event Hub for near-real time monitoring. Both Mitigation Reports and Flow logs can be integrated with Azure Analytics for data visualization.

DDoS Attach Mitigation Reports

DDoS Attack Mitigation Reports

Customers now have access to the DDoS Rapid Response (DRR) team for specialized support during an active attack. The DRR team helps with attack investigations, custom mitigations during an attack and post attack analysis. For more details, please refer to this blog post and product documentation.

Azure Virtual Network Service Endpoint Policies

Azure VNet service endpoint policies enable you to prevent unauthorized access to Azure service resources from your virtual network. Endpoint policies provide more granular control over the Network Security Group (NSG) service tags. You can allow access to only specific Azure service resources (e.g. Azure Storage accounts), using service endpoint policies. The feature is available in preview for Azure Storage. For more information, please refer to service endpoint policies documentation.


Azure Front Door Service – Global HTTP load balancing

Azure Front Door Service (AFD), is a global, scalable entry-point that utilizes our intelligent network edge so you can create fast, secure and massively scalable web applications.  Built to support Microsoft’s biggest web workloads including Bing, Office 365, Xbox Live, MSN, and Azure DevOps, AFD offers web-scale reliability and scalability.

Azure Front Door Service diagram

Azure Front Door Service accelerates your applications

Currently located in 33 countries at Microsoft network edge locations connected by our global WAN, AFD improves your application’s performance through application acceleration, SSL offload, allows routes your global HTTP traffic to your closest available backend, and enables enterprise-grade reliability with automated instant failover.

Using AFD’s path aware routing, inline caching, rate limiting and application layer security, you can build modern, global applications in Azure.  A central control plane and dashboard enables you to manage and monitor service traffic and global microservice backends inside or outside of Azure. 

AFD’s integration with Azure Web Apps, Azure Monitor and Log Analytics enables you to easily accelerate and deliver your applications with lower latency, higher reliability and deeper global traffic insights. Refer to AFD documentation to explore how to accelerate your application.

Azure CDN from Microsoft general availability

Cloud services require reliability, scale, agility and performance. Azure CDN delivers an easy to setup and use CDN platform to distribute your videos, files, web sites and other HTTP content to the world. With CDN services from Verizon, Akamai and now Microsoft, Azure CDN is built from the ground up to deliver best in class CDN services through our multi-CDN ecosystem for your Azure applications.

Azure CDN’s multi-CDN ecosystem enables you to manage CDN as an Azure resource through an on-demand API driven model.  This flexibility along with three strong CDN infrastructures enables you to easily add multi-CDN as part of your content delivery strategy.  Using these CDN solutions on their own, side-by-side in a multi-CDN solution or tiering them to maximize reliability, offload and performance, you can focus on optimizing your delivery to suit your business needs. See the Azure CDN documentation to learn more. 

Application Gateway autoscaling, 5x better performance, zone redundancy and analytics

Application Gateway and Web Application Firewall (WAF) provides Application Delivery Controller as a service.  We are announcing preview of a new elastic autoscaling option enabling deployments that automatically scales up or down based on the application’s traffic pattern. Management is greatly simplified since customers do not need to pre-provision for anticipated peak traffic volumes. Autoscaling also supports Azure Zones for zonal failure resiliency. A single Application Gateway or WAF deployment can now span multiple Availability Zones that are physically and logically separate and can route traffic to backend servers in any zone. The autoscaled Application Gateway also provides better performance, reduced provisioning time and support for Static VIPs. SSL offload performance is now 5X better. Please refer to documentation for additional details and tutorials.

Zone Redundant Web Application Firewall

Zone Redundant Web Application Firewall

We are announcing preview of Application Gateway integration with Azure Kubernetes Service (AKS) Ingress Controller. The Application Gateway Ingress controller runs as a pod within the AKS cluster and allows Application Gateway to act as ingress for an AKS cluster. It listens to Kubernetes Ingress Resources from the Kubernetes API server and converts them to Azure Application Gateway configuration and updates the Application Gateway through Azure Resource Manager (ARM). For more details please refer to our documentation.

Web Application Firewall (WAF) is previewing enhanced configurability so customers can control request body and file upload size. Customers can enable/disable request body payload inspection. Web Application Firewall provides the ability to exclude request’s headers, cookies or query string from rule evaluation via exclusion lists. This allows customers to reduce false positives by whitelisting known safe parameters such as bearer tokens from WAF rules. For additional details and tutorials please refer to documentation.

More routing and endpoint monitoring options in Azure Traffic Manager

Customers can now add their endpoints to a Traffic Manager profile using IPv4 or IPv6 addresses and get A / AAAA type responses for DNS queries made against that profile. This option, currently limited to external type endpoints, enables endpoints without DNS names associated with them to be part of any Traffic Manager routing method and get the benefits of high availability and low latency connections for end users. Associated with that is a new routing method, Multi-Value routing, allowing you to specify how many healthy endpoints to be returned as part of a single DNS query response. This capability increases the reliability of your application by giving the callers multiple options to retry before querying again for a healthy endpoint.

Traffic Manager now supports multi-tenant endpoints by letting you specify headers (including host headers) in the health checks that are initiated by Traffic Manager. This allows accurate health checking of those multi-tenant endpoints and routing traffic appropriately towards them. To learn more about these new capabilities in Traffic manager please visit the endpoint monitoring documentation.


Virtual Network TAP – Visibility for monitoring, security, and performance

We are announcing preview of the first native distributed network TAP available in any public cloud. Azure Virtual Network TAP provides continuous mirroring of virtual machine network traffic to a packet collector without using agents. 

Azure Virtual Network diagram

Azure Virtual Network TAP enables out of band monitoring

Out of band monitoring, security, and performance solutions can now be deployed in your Virtual Network. Solutions are available from Big Switch Networks, ExtraHop, Fidelis, Flowmon, Gigamon, Ixia, Netscout, Nubeva, RSA and Vectra.

Azure Virtual Network TAP ecosystem

Azure Virtual Network TAP ecosystem

For more information, please refer to Azure Virtual Network TAP documentation.


We are fully committed to helping you connect to Azure, protect your workloads, deliver a great networking experience and provide extensive monitoring to simplify your deployment and operational costs while helping you better support your customers. At Ignite 2018 we will add more details about our announcements. Here is a list of our technical sessions. We’ll continue providing innovative networking services and guidance to help you take full advantage of the cloud. We’re excited to learn about your new scenarios enabled by our networking services. As always, we welcome your feedback.

Read the whole story
10 days ago
Azure Networking is one of the cornerstone's of the Azure offering. Check out some of the updates that are hitting GA for customers in all the different aspects of networking including connection, protection and monitoring.
Seattle, WA
Share this story
Next Page of Stories