Bekker's Blog

Upcoming Azure Stack Change To Reduce Attack Surface

Microsoft is consolidating a number of ports for Azure Stack in a move that should significantly reduce the hybrid cloud platform's attack surface and simplify network integration.

Starting with a forthcoming release, Microsoft will collapse port requirements for various Azure services running on Azure Stack from 27 different ports to just one. The services will communicate via Port 443, the standard port for HTTP over TLS/SSL.

Microsoft positions Azure Stack as a key differentiator versus other major public cloud providers, in that customers can run an integrated hardware and software system that is supposed to offer the exact same platform as Microsoft's Azure public cloud, but in a private datacenter. The approach enables customers to use the same application code in the public cloud and on the private cloud.

Early demand for the technology includes edge environments, disconnected environments, customers with specialized security requirements and those with specific compliance concerns. Hardware partners currently offering the 4-12 node integrated systems include Cisco, Dell EMC, Hewlett Packard Enterprise, Huawei and Lenovo.

Because it runs the same underlying code as Azure in the public cloud, Azure Stack supports a number of Azure services. Up until now, Microsoft has added the functionality for each service to its Azure Stack portal via a portal extension using a separate network port.

In a blog post on Friday announcing the change, Thomas Roettinger, senior program manager for Azure Stack, acknowledged customer pushback over having to manage and secure multiple ports. "As the number of Azure services increases, so do the number of ports that must be opened on a firewall that supports Azure Stack," Roettinger said.

Following in Azure's footsteps, the Azure Stack will soon adopt a so-called Extension Host technology to funnel all the ports through Port 443. "In its first release, the User and Admin portal default extensions have moved to this model, thereby reducing the number of ports from 27 to one. Over time, additional services such as the SQL and MySQL providers will also be changed to use the Extension Host model," Roettinger said.

The change will be fully implemented with the 1810 update of Azure Stack. In preparation, Azure Stack customers will need to import a pair of wildcard SSL certificates, one for the admin portal and one for the tenant portal.

The current build, 1807, was released only a few days ago, and Roettinger suggested users have some time to prepare. New deployments of Azure Stack will require the wildcard certificates sometime in September, he said.

Posted by Scott Bekker on 08/13/2018 at 12:15 PM
