Saturday 28 May 2022

Code, test, and ship your next app quickly and securely with Microsoft developer tools


Welcome to Microsoft Build, the event that’s all about celebrating the developer community! The work you do has the power to transform entire industries and keep critical businesses and services running through innovative solutions and applications. I couldn’t be more honored to champion this entire dev community as you create the future.

Microsoft was founded as a developer company and almost 50 years later, nothing has changed in that regard. From our earliest products to the powerful developer tools available now through Visual Studio, GitHub, and Azure, we keep development teams top of mind. Today our full Microsoft Cloud stack brings an incredible platform for developers to use and build apps and solutions. I like to say, we’re the platform and you bring the innovation.

I take great inspiration from the innovative things you’re already building with our platform and tools. Development teams at companies big and small are choosing Microsoft to code and modernize. Gjensidige, the largest insurance company in Norway, is just one great example—they chose Azure and the combined capabilities of GitHub to modernize applications at enterprise scale. And I’m always amazed by the creativity and ingenuity that student developers are bringing to the platform.

The developer experience today

Whenever I talk to customers and my colleagues who code, a few themes emerge about what development teams need to be successful and how it’s evolved—especially in the last couple of years.

Security shifts left. The world’s reliance on technology continues to grow and so does the importance of security. With cyberattacks on the rise, we want to equip developers with the tools to shift security left, into code, so problems and concerns can be identified and fixed before a security breach even happens.

Collaboration, anywhere. In the age of hybrid work, it matters less where you sit and work. It could be in a home or traditional office setting or even in your local coffee shop. With dispersed development teams using different languages, devices, and networks, developers need to interact and connect with their teams—and have confidence they can deliver their best work from anywhere and that it will be secure.

Agility and productivity. With a hybrid work environment, teams need to stay agile and onboard new team members quickly and efficiently. Ideally, developers can focus on code instead of spending time setting up dev environments and managing infrastructure.

Today, I’m proud to share some news and updates designed to address these needs and improve the overall developer experience even further with our beloved tools and the Microsoft Cloud platform—all designed to help you quickly code and ship from anywhere with confidence.

Modern solutions and apps for hybrid teams

Through GitHub, we’re already delivering the developer environment of the future. GitHub Copilot is an AI programmer that empowers you to write code faster and with less work. Another way the development experience is changing is work moving to the cloud. GitHub Codespaces is a cloud development environment that works great for web app, cloud-native applications, APIs, or backend development. But what if you’re working on a different workload, like desktop, mobile, embedded, or game development? Or if you’re using a different version control system other than GitHub?

Enter Microsoft Dev Box. Microsoft Dev Box is a cloud solution that provides developers with self-service access to high-performance workstations preconfigured and ready-to-code for specific projects. Developers can get started coding quickly, without worrying about security, compliance, or cost control. It is tailored to meet the needs of today’s developers and integrated with Windows 365 so IT administrators can manage Dev Boxes and Cloud PCs together in Microsoft Intune and Microsoft Endpoint Manager. Microsoft Dev Box will soon be in preview.

With Microsoft Dev Box, leads can quickly create projects, configure images, and assign team members so they can get straight to code in seconds, from anywhere. No matter where in the world you’re working, the onboarding process for a new team has never been easier.

Start secure, stay secure

How we all work has forever changed after the last several years. Security is essential in a world of increasing cyberattacks, global uncertainty, and with distributed teams sitting in different locations using different platforms, languages, and devices.

As I mentioned, I’ve heard from many of my developer colleagues about the need to identify and fix problems before they result in a security breach. The push protection feature in GitHub Advanced Security proactively protects against secret leaks by blocking pushes that contain known secret formats before they reach the repository. For another layer of security and added peace of mind, today we’re announcing the general availability of GitHub OpenID Connect (OIDC) with Azure AD workload identity federation, which minimizes the need to store long-lived Azure credentials as GitHub secrets: a workflow presents a short-lived token issued by GitHub and exchanges it for an Azure AD access token. With this integration, developers can manage all cloud resource access securely in Azure.
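The trust decision behind that exchange is a claim match: a federated identity credential on an Azure AD app registration names an issuer, an exact subject and an audience, and Azure AD (after verifying the token signature against GitHub’s published keys) accepts a workflow token only when all three match. The following block is an added example, not Microsoft or GitHub code, that reproduces the matching step on constructed tokens; the signature segment is a placeholder, and the repository, branch and environment names are made up.

```python
"""Claim matching for GitHub Actions OIDC tokens against an Azure AD
federated identity credential (added example; not Microsoft or GitHub code).
Signature verification is out of scope here: Azure AD performs it before
these checks. Repo, branch and environment names are constructed."""
import base64
import json
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
AZURE_AUDIENCE = "api://AzureADTokenExchange"   # default audience used by azure/login


@dataclass(frozen=True)
class FederatedCredential:
    issuer: str
    subject: str                                  # exact string match, no wildcards
    audiences: Tuple[str, ...] = (AZURE_AUDIENCE,)

    def accepts(self, claims: dict) -> bool:
        aud = claims.get("aud")
        auds = aud if isinstance(aud, list) else [aud]
        return (claims.get("iss") == self.issuer
                and claims.get("sub") == self.subject
                and any(a in self.audiences for a in auds))


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def make_demo_token(sub: str, aud: str = AZURE_AUDIENCE) -> str:
    """Constructed GitHub-style token; the third segment is NOT a real signature."""
    header = _b64url_encode({"alg": "RS256", "typ": "JWT", "kid": "demo"})
    payload = _b64url_encode({"iss": GITHUB_ISSUER, "aud": aud, "sub": sub,
                              "repository": "contoso/payments-api"})
    return f"{header}.{payload}.placeholder-signature"


def decode_claims(jwt: str) -> dict:
    """Payload of a compact JWT. Refuses alg=none; does not verify signatures."""
    header_b64, payload_b64, _sig = jwt.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg", "none").lower() == "none":
        raise ValueError("unsigned token rejected")
    return json.loads(_b64url_decode(payload_b64))


def match_credential(creds: Dict[str, FederatedCredential], jwt: str) -> Optional[str]:
    """Name of the first federated credential that accepts the token, else None."""
    claims = decode_claims(jwt)
    for name, cred in creds.items():
        if cred.accepts(claims):
            return name
    return None


# Two credentials on one app registration: deploys from main, and deploys from
# the 'production' environment (which can carry required reviewers).
REPO = "repo:contoso/payments-api"
CREDENTIALS = {
    "deploy-main": FederatedCredential(GITHUB_ISSUER, f"{REPO}:ref:refs/heads/main"),
    "deploy-prod-env": FederatedCredential(GITHUB_ISSUER, f"{REPO}:environment:production"),
}

if __name__ == "__main__":
    for sub in (f"{REPO}:ref:refs/heads/main", f"{REPO}:ref:refs/heads/feature/x",
                f"{REPO}:pull_request", f"{REPO}:environment:production"):
        print(f"{sub:55} -> {match_credential(CREDENTIALS, make_demo_token(sub))}")
```

The point to check in a real setup is the subject: GitHub puts the trigger into it (`ref:refs/heads/<branch>`, `ref:refs/tags/<tag>`, `environment:<name>`, `pull_request`), so a credential scoped to `main` rejects tokens from feature branches and from pull-request runs, which is exactly what keeps a fork PR from obtaining production Azure access.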

Increase your app resilience

As you build apps, you need to know the app can handle traffic and scale before it launches. We recently launched a preview of Azure Load Testing, an Azure service to help teams test and meet scale and performance goals with confidence. And since launch, we’ve seen customers of all sizes using the service to simulate high-scale load for apps running anywhere and catch performance bottlenecks early. We’ve heard you loud and clear about some additional features you’d like to see—testing private endpoints, using custom plugins, and more Azure regions. These features and more will be coming soon so be sure to visit Azure Updates frequently.

Start with Microsoft for an ideal developer experience

When you’re ready to take your next idea from code to the cloud, we want you to start with us. The session Rapidly code, test, and ship from secure cloud development environments is where you can learn more about these announcements and how we’re delivering a great developer experience to you—no matter where you’re working from or what you’re using to build. I also encourage you to view the session about Scaling cloud-native apps and accelerating app modernization to learn about what’s new to help you build cloud-native apps.

There’s no shortage of great content throughout the Microsoft Build experience this week; new innovations, technical demos, learning opportunities, and plenty of fun with our After Hours sessions. I encourage you to take it all in and keep sharing with us so we can deliver an even better experience for you.

On behalf of the Azure team here at Microsoft, thanks for inspiring us with what you build.

Source: microsoft.com

Thursday 26 May 2022

Introducing the Microsoft Intelligent Data Platform


We are moving to a world where every application needs to be intelligent and adaptive to real-time model learning. As businesses build modern data capabilities, they must make decisions at the speed of human thought. Developers are challenged by this, given the huge silos that exist between databases and analytic products, and the complexity of a fragmented data estate can hamper the speed of agility and innovation. Data engineers, data scientists, and business analysts struggle with the complexity of making data integration, data warehousing, machine learning operations (MLOps), and business intelligence (BI) work together. What is needed is a consistent data ecosystem.

To help address the fragmentation that exists today between databases, analytics and governance, and enable organizations to unlock these new capabilities, we shared several exciting announcements today at Microsoft Build that demonstrate our continued innovation and investment in the data products our customers have come to know and trust, which will enable our customers to achieve the kind of sustained agility that allows them to pivot and adapt in real-time, add layers of intelligence to their applications, unlock fast and predictive insights, and govern their data—wherever it resides.

Accelerate innovation

Today, we unveiled the new Microsoft Intelligent Data Platform, the leading cloud data platform that fully integrates databases, analytics, and governance. This seamless data platform empowers organizations to invest more time creating value rather than integrating and managing their data estate.

Furthering our mission of integration, Azure Synapse Link for SQL removes data movement barriers, providing a seamless data pipeline to Azure Synapse Analytics, and enables near-real-time analytics for SQL Server 2022 and Azure SQL Database. Once Azure Synapse Link transfers data to Azure Synapse Analytics, data can be used for advanced analytics with no performance impact on transactional workloads. Over 10 million Azure SQL databases globally can now leverage this capability.

Achieve agility

Through continued investments in databases and analytics, we are empowering customers to achieve agility in new ways.

Now in preview, SQL Server 2022 is our most Azure-enabled release yet, with continued innovation across performance, security, and availability. By connecting SQL Server to Azure through seamless disaster recovery to Azure SQL Managed Instance, SQL Server 2022 provides true resilience. The latest Azure Arc innovation is here with the Business Critical tier of Azure Arc-enabled SQL Managed Instance now generally available—helping customers run the most demanding mission-critical workloads in hybrid and multicloud environments. We continue to invest in bringing the best developer experience in any cloud with Azure SQL Database releasing new features to help simplify and expedite application development and reduce time to market for developers. In addition, the ledger feature in Azure SQL Database, now generally available, eliminates the additional cost and complexity of decentralized blockchain technology while providing the tamper-evidence benefits of blockchain in a fully managed and familiar SQL environment.

New innovations in cloud-native NoSQL and open-source databases give developers the freedom to build on their terms. Azure Cosmos DB has an enhanced 30-day trial experience now generally available and has introduced new burst capacity and elasticity features in preview. Application traffic spikes don’t have to equal spikes in costs. New burst capacity and elasticity features ensure applications deliver high performance during peak times while still remaining cost-effective. The Azure Database for MySQL Flexible Server Memory-Optimized service tier is now the improved "Business Critical" tier for high-performance transactional or analytical applications, with a 1.5x performance improvement over Single Server and faster failover time to standby.

When it comes to analytics, Azure Synapse is simply unmatched with more meaningful integrations that enable existing Synapse customers to get even more value from their Microsoft 365 data. Microsoft Graph Data Connect empowers customers to securely export their Microsoft 365 data estate, and it’s only available on Microsoft Azure. This enables every customer to unlock new actionable business insights with the employee and customer collaboration data that comes from Microsoft 365.

Customers like KPMG use Microsoft Intelligent Data Platform integrations to power their KPMG Digital Gateway bringing together a wealth of tools to help customers tackle regulatory change, turn data into value, and streamline compliance and planning while enabling effective collaboration across tax, legal, and finance departments. KPMG Digital Gateway puts its investments in machine learning, data analytics, powerful visualizations, and AI technologies all in one place. Client data is provided once and leveraged across applications, saving time and money.

To continue creating simple frictionless experiences, we announced the preview of datamart in Power BI, a new Power BI Premium self-service capability that enables users to uncover actionable insights through their own data sets. This out-of-the-box feature empowers developers and business analysts to build a datamart that can be centrally governed and managed for workloads up to half a terabyte—accelerating time to insight while alleviating demands on IT. This new feature brings the power of data warehousing and puts it in the hands of individual Power BI developers and analysts, helping you uncover more insights and drive digital transformation at every level of a business.

Build on a trusted platform

Meeting data privacy and governance standards cannot be an afterthought. When governance is not deeply integrated where data lives, it is nearly impossible to meet regulatory requirements. 

Data governance has become top of mind for almost every organization where data is fluidly moving across hybrid and multicloud environments. This makes it increasingly important to map the lineage of data. Dynamic Lineage for Azure SQL Databases in Microsoft Purview is currently in preview to further enrich the Microsoft Purview Data Map with details from actual runs of SQL stored procedures in Azure SQL Databases for customers to govern their data across hybrid and multicloud environments. We are also excited to announce that the Microsoft Purview Data Estate Insights will be generally available in the coming months.

As we look beyond the horizon, machine learning and AI capabilities will be pivotal in harnessing the power of data in new ways. Azure Machine Learning now offers a Responsible AI dashboard in preview, making it possible for customers to implement it more easily by debugging machine learning models and making informed data-driven decisions. The dashboard brings together capabilities such as data explorer, model interpretability, error analysis, counterfactual, and causal inference analysis in a single view. In addition, Azure Machine Learning now offers a Responsible AI scorecard in preview to summarize model performance and insights so that all stakeholders can easily participate in compliance reviews.

The opportunity to accelerate innovation in your business and achieve agility across all your data is substantial. Now is the time to realize its limitless potential. We look forward to seeing what you can do with it.

Source: microsoft.com

Tuesday 24 May 2022

Microsoft and AT&T demonstrate 5G-powered video analytics

In November 2021, Microsoft and AT&T announced the launch of Azure public MEC (multi-access edge compute) with a site in Atlanta, Georgia. The Azure public MEC solution enables low-latency applications at the edge of the mobile operator’s network, providing Azure compute services integrated with 5G connectivity. Azure public MEC is designed to run AI and machine learning workloads that require intensive compute and a low-latency network. These resources are accessed over high-quality 5G connections from phones, smart cameras, IoT devices, and other equipment. Enterprises and developers can build and run these low-latency applications and manage their workloads using the same tools they are using to run applications in the Azure public cloud.

To light up new compelling applications with Azure public MEC that benefit from low latency 5G connectivity, we are making available a video analytics library under the umbrella of Edge Video Services.

Edge Video Services

Edge Video Services (EVS) is a Microsoft platform for developing video analytics solutions that can be deployed on Azure public MEC. For example, consider some smart city applications like our Vision Zero work with the City of Bellevue, which enabled a new generation of real-time traffic flows leading to substantial improvements in the day-to-day lives of commuters. Similarly, real-time video analytics can make cities safer by controlling traffic lights for situations such as allowing a person in a wheelchair to safely cross the street. A related application, which we demonstrated at Hannover Messe 2016, integrated an early version of EVS into traffic light cameras and those in self-driving cars to analyze videos to help reduce accidents and fatalities. Other new applications that are coming soon include improving transportation systems, monitoring air quality, street lighting, smart parking, crowd management, and emergency management. Beyond smart cities, EVS can provide modern smart enterprises with end-to-end experiences with video analytics for mixed reality as a natural component of 5G network solutions. Additional examples include managing machines and robots in connected factories, handling customer demands and services in retail stores and restaurants or tracking pedestrian traffic in sports arenas.

Figure 1: EVS architecture stack.

As shown in Figure 2 below, 5G compute infrastructure has a hierarchy of intelligent components including Azure Percept devices, Azure private MEC, and Azure public MEC. EVS integrates with all of these solutions and provides these features: 

◉ Inter-edge orchestrator to manage network traffic involving multiple public MECs. It deploys application containers across the edge hierarchy for high availability and fault tolerance.   

◉ Network monitoring and adaptation to continuously monitor the dynamic wireless and wired network connections, adapting application demands accordingly.  

◉ Dynamic resource allocation for video machine learning containers. This adapts based on the load generated from the mobile network and the workloads deployed in the on-premises edge location.

Smart cities deployment at Azure public MEC with AT&T in Atlanta


Working with AT&T, Microsoft demonstrated the value of EVS on the Azure public MEC connected to AT&T’s 5G network in Atlanta. The setup consisted of an on-premises edge device, managed by Azure IoT Hub, and an Azure Kubernetes cluster, as shown in the diagram below.

Figure 2: Azure public MEC and AT&T deployment.

The EVS orchestrator places the various containers across the on-premises edge and Azure public MEC. This split execution requires only lightweight compute power on-premises, and also removes the need to provision high bandwidth connectivity out of the on-premises edge. 

In our Atlanta deployment, we demonstrated EVS’s split architecture, with lightweight execution at the on-premises edge. It transferred 230MB of data over the 5G link out of the on-premises edge over 24 hours; by contrast, 9.5GB of data would have been sent if all the encoded video were transferred out. In other words, EVS reduced the network utilization by 42x. This network saving was obtained with a CPU-only edge on-premises and with no loss in accuracy. Our measurements also showed that network latencies to the Azure public MEC were about 6x lower at the median compared to the nearest Azure region, which translated to faster responses for the application.

EVS is integrated with AT&T’s network APIs to obtain real-time information about the 5G network. As a result, EVS adapts the amount of traffic transferred between the edges, depending on any fluctuations to the latency and bandwidth of the 5G link. EVS uses Azure Traffic Manager to support automatic failover for the Azure public MEC to the nearest Azure region, thus ensuring no disruption to the video application. When failing over to the Azure region, EVS adapts to the changed and increased latency by adjusting the amount of traffic sent out of the on-premises edge via changes to the encoder and machine learning model parameters with minimal impact on application accuracy. EVS is also cognizant of other containers executing at the edges and can elastically scale up or down its compute requirements.

EVS on Azure public MEC: Try it out today


For your video scenarios, we encourage you to try out EVS on Azure public MEC with your own on-premises edge devices. The reference architecture and instructions are available in our GitHub repository. The repository also includes a sample video of cars entering a parking lot that you can use to test EVS for counting cars.

Source: microsoft.com

Saturday 21 May 2022

Announcing Azure DNS Private Resolver: Now in preview

A quick overview of Azure DNS

We offer two types of Azure DNS Zones—private and public—for hosting your private DNS and public DNS records.


◉ Azure Private DNS: Azure Private DNS provides a reliable and secure DNS service for your virtual network. Azure Private DNS manages and resolves domain names in the virtual network without the need to configure a custom DNS solution. By using private DNS zones, you can use your own custom domain name instead of the Azure-provided names during deployment.

◉ Azure Public DNS: DNS domains in Azure DNS are hosted on Azure's global network of DNS name servers. Azure DNS uses anycast networking. Each DNS query is answered by the closest available DNS server to provide fast performance and high availability for your domain.

What is being announced today?


Azure DNS Private Resolver enables you to query Azure Private DNS Zones from an on-premises environment, and vice versa, without provisioning IaaS-based DNS solutions.

Azure DNS Private Resolver preview is being announced to all customers and will have regional availability in the following regions:

◉ Australia East
◉ UK South
◉ North Europe
◉ South Central US
◉ West US 3
◉ East US
◉ North Central US
◉ Central US EUAP
◉ East US 2 EUAP
◉ West Central US
◉ East US 2
◉ West Europe

All of these regions support Availability Zones and will help with the regional and global resiliency story of customer workloads!

What will customers be able to do today that they couldn’t do before?


Customers will no longer need to provision IaaS-based solutions on their virtual networks to resolve names registered on Azure Private DNS Zones and will be able to do conditional forwarding of domains back to on-premises, across multicloud providers, and public DNS servers.

This solution will also work with your existing Azure ExpressRoute, Azure VPN or Azure Bastion setup in a seamless way.

Customers will also be able to manage their DNS settings at a Virtual Network level in a very simplified way by linking rules to each of their Virtual Networks and enabling conditional forwarding at scale.

Private access to your Private DNS Zones

Conditionally forward from your virtual networks to any reachable DNS server and from on-premises to Azure Private DNS Zones.
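The forwarding rules linked to a virtual network are where the security-relevant decisions sit: which domains leave Azure for an on-premises or third-party resolver, and which must stay with Azure-provided DNS so that Private Link names keep resolving to private endpoints. The block below is an added example, not code from the service; it models rule selection as this page reads the documented ruleset semantics (longest matching suffix wins, and a disabled rule wins the match but forwards nothing, so the query falls back to Azure DNS and any linked Private DNS zone). Addresses and names are made up.

```python
"""Rule selection for a DNS forwarding ruleset linked to a virtual network
(added example; not Azure code). Longest-suffix matching and the
'disabled rule means do not forward' behaviour are this example's reading of
the documented ruleset semantics. Addresses and names are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

AZURE_DNS = "azure-dns"   # label for "not forwarded; resolve via Azure-provided DNS"


@dataclass
class ForwardingRule:
    domain: str                       # trailing dot optional; "." is the catch-all
    targets: List[Tuple[str, int]]    # upstream DNS servers as (ip, port)
    enabled: bool = True

    @property
    def suffix(self) -> str:
        return self.domain.lower().strip(".")

    def matches(self, qname: str) -> bool:
        q = qname.lower().strip(".")
        return self.suffix == "" or q == self.suffix or q.endswith("." + self.suffix)


def select_rule(rules: List[ForwardingRule], qname: str) -> Optional[ForwardingRule]:
    """Longest matching suffix wins; None if no rule matches."""
    matching = [r for r in rules if r.matches(qname)]
    return max(matching, key=lambda r: len(r.suffix)) if matching else None


def route(rules: List[ForwardingRule], qname: str) -> str:
    """Where the resolver sends the query: 'forward:<ip>:<port>' or AZURE_DNS."""
    rule = select_rule(rules, qname)
    if rule is None or not rule.enabled or not rule.targets:
        return AZURE_DNS
    ip, port = rule.targets[0]        # first target; a real resolver retries the rest
    return f"forward:{ip}:{port}"


# A hub ruleset: everything to on-premises, except the Private Link zone, which
# must be answered by the linked Private DNS zone rather than forwarded.
ONPREM = [("10.1.0.4", 53), ("10.1.0.5", 53)]
RULESET = [
    ForwardingRule(".", ONPREM),                                  # catch-all
    ForwardingRule("secure.contoso.com", [("10.2.0.4", 53)]),     # DMZ resolver
    ForwardingRule("privatelink.database.windows.net", ONPREM, enabled=False),
]

if __name__ == "__main__":
    for name in ("app.contoso.com", "vault.secure.contoso.com",
                 "sqlsrv.privatelink.database.windows.net", "partner.example.org"):
        print(f"{name:45} -> {route(RULESET, name)}")
```

The check worth carrying into a real ruleset: any catch-all or broad rule that sends `database.windows.net`, `blob.core.windows.net` and similar zones off to on-premises DNS needs a more specific, disabled rule for the matching `privatelink.` zone, otherwise private endpoints resolve to public addresses and traffic leaves the private path.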

Plus, the following benefits

◉ Zero Maintenance: Fully managed service which does not require you to patch or plan for any downtime of your service.

◉ Cost Reduction: Run at a fraction of traditional IaaS solutions which typically would require planning for high availability, resiliency, and backup of configurations.

◉ Highly Available: Built-in high availability and zone redundancy. You no longer need to plan for availability zone awareness or decide how many instances to provision per region. Azure availability zones are physically separate locations within each Azure region that are tolerant to local failures and are connected by a high-performance network with a round-trip latency of less than 2ms.

◉ DevOps Friendly: Build your pipelines with Terraform, Azure Resource Manager, REST API support, Go, Typescript/Javascript. This will allow you to keep a consistent configuration and experience across regions and different instances of your service.

Source: microsoft.com

Tuesday 17 May 2022

Azure confidential computing with NVIDIA GPUs for trustworthy AI


Many industries such as healthcare, finance, transport, and retail are going through a major AI-led disruption. The exponential growth of datasets has resulted in growing scrutiny of how data is exposed—both from a consumer data privacy and compliance perspective. For example, the use of AI in healthcare has grown rapidly, with hospitals and pharmaceutical companies using AI to improve diagnostics and improve drug discovery and development. In transport, the interaction between humans and vehicles is being re-imagined thanks to AI-powered autonomous driving. However, broader democratization of AI is limited by concerns regarding sharing and use of personal data. For example, banks are often unable to collaborate on tasks such as fraud and money laundering detection due to concerns regarding security and privacy of transaction data.

Professor Bryan Williams, Director of Research at University College London Hospitals, acknowledges this challenge: “UCLH and the NHS want to be at the forefront of using AI to transform healthcare. A major obstacle to testing AI algorithms with various partners has been concern about ensuring the privacy of patient data. Technological solutions that enable the secure sharing of data while protecting patient privacy are a potential game-changer to accelerate the evaluation and adoption of AI in health care.”


In this context, confidential computing becomes an important tool to help organizations meet their privacy and security needs. Confidential computing protects data in use and allows the data to be processed only after the cloud environment is verified to be a trusted execution environment. In this way, confidential computing helps protect data from being accessed by cloud operators, malicious admins, and privileged software such as the hypervisor. It helps keep data protected throughout its lifecycle—in addition to existing solutions of protecting data at rest and in transit, data is now protected while in use.

Microsoft partners with NVIDIA to bring GPU-accelerated confidential computing to Azure


Today, we are excited to announce the next chapter in this journey as NVIDIA and Microsoft are combining the power of GPU-accelerated computing with confidential computing for state-of-the-art AI workloads. This collaboration is the first step towards a shared vision to empower individuals and organizations to share and collaborate to derive new insights from data using GPU-accelerated computing without sacrificing security or privacy. With support for Ampere Protected Memory (APM) in NVIDIA A100 Tensor Core GPUs and hardware-protected VMs, enterprises will be able to use sensitive datasets to train and deploy more accurate models with state-of-the-art performance and an added layer of security that their data remain protected. 

APM encrypts data as it moves between the CPU and the GPU over the PCIe bus, using keys that are securely exchanged between NVIDIA’s device driver and the GPU. The only place data is decrypted is within a hardware-protected, isolated environment, or enclave, inside the GPU, where it can be processed to train AI models or deliver AI inference results. Much like other Azure confidential computing solutions, the APM feature in NVIDIA A100 GPUs supports cryptographic attestation based on a unique GPU identity provisioned by NVIDIA during manufacturing. Using remote attestation, organizations can independently verify the GPU’s security state and ensure that their data is only processed within the confidential enclave in the GPU.
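What a data owner actually does with that attestation is gate key release on it: issue a fresh nonce, have the device report its state bound to the nonce and its identity, verify the report, and only then hand over the key that unlocks the dataset. The following block is an added example, not NVIDIA or Azure code, that models that exchange end to end. One assumption is made so it runs offline: the device identity is an HMAC key provisioned to the device and known to the verifier, standing in for the vendor-endorsed asymmetric identity a real GPU carries; device IDs, firmware measurements and keys are made up.

```python
"""Attestation-gated key release for a GPU enclave (added example; not NVIDIA
or Azure code). Assumption: device identity is an HMAC key shared with the
verifier, standing in for a vendor-endorsed asymmetric key. All IDs,
measurements and keys are constructed."""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional

# "Manufacturing" registry: device identity keys the verifier trusts (constructed).
TRUSTED_DEVICES: Dict[str, bytes] = {
    "GPU-A100-0001": bytes.fromhex("11" * 32),
    "GPU-A100-0002": bytes.fromhex("22" * 32),
}


def _mac(key: bytes, body: dict) -> str:
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Gpu:
    """Attester: produces a report over the verifier's nonce and its own state."""

    def __init__(self, device_id: str, identity_key: bytes, firmware: str, apm_enabled: bool):
        self.device_id, self.key = device_id, identity_key
        self.firmware, self.apm_enabled = firmware, apm_enabled

    def attest(self, nonce: bytes) -> dict:
        body = {"device_id": self.device_id, "nonce": nonce.hex(),
                "firmware": self.firmware, "apm_enabled": self.apm_enabled}
        return {"body": body, "mac": _mac(self.key, body)}


class DataOwner:
    """Relying party: issues nonces and releases the data key only on a good report."""

    def __init__(self, allowed_firmware: set, data_key: bytes):
        self.allowed_firmware, self.data_key = allowed_firmware, data_key
        self.outstanding = set()        # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def release_key(self, report: dict) -> Optional[bytes]:
        body, mac = report.get("body", {}), report.get("mac", "")
        key = TRUSTED_DEVICES.get(body.get("device_id", ""))
        if key is None:                                      # unknown device identity
            return None
        if not hmac.compare_digest(mac, _mac(key, body)):    # forged or tampered report
            return None
        try:
            nonce = bytes.fromhex(body.get("nonce", ""))
        except ValueError:
            return None
        if nonce not in self.outstanding:                    # replayed or unsolicited
            return None
        self.outstanding.discard(nonce)                      # each nonce is single-use
        if body.get("firmware") not in self.allowed_firmware or not body.get("apm_enabled"):
            return None                                      # state fails policy
        return self.data_key


if __name__ == "__main__":
    owner = DataOwner({"fw-2022.05"}, data_key=bytes.fromhex("ab" * 32))
    good = Gpu("GPU-A100-0001", TRUSTED_DEVICES["GPU-A100-0001"], "fw-2022.05", True)
    print("good device, key released:", owner.release_key(good.attest(owner.challenge())) is not None)
    plain = Gpu("GPU-A100-0002", TRUSTED_DEVICES["GPU-A100-0002"], "fw-2022.05", False)
    print("APM disabled, key released:", owner.release_key(plain.attest(owner.challenge())) is not None)
```

The three checks that matter are all there and all fail closed: the report must be bound to a device identity the verifier already trusts, the nonce must be one this verifier issued and not yet consumed (so a captured report from an earlier session cannot be replayed), and the reported state must satisfy policy before any key leaves the data owner.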

Private preview sign up for Azure confidential GPU VMs


Over the past year, we worked closely with NVIDIA to introduce NVIDIA A100 GPUs with APM into the Azure confidential computing ecosystem. Today we are excited to invite you to sign up for the private preview of Azure confidential GPU VMs. In the private preview, Azure confidential computing powered by NVIDIA GPU VMs will bring together the security of trusted VMs with secure boot and vTPM, coupled with up to four NVIDIA A100 Tensor Core GPUs. Here, you can set up a secure environment in the Azure cloud and run your machine learning workloads using your favorite machine learning frameworks, with an added layer of security that your VM boots and runs within a trusted environment. As a result, you can be confident that your data remains encrypted while you leverage the performance of the GPU for your workloads.

Confidential computing across industries


We are already partnering with several organizations to accelerate their journey towards confidential computing with NVIDIA GPUs.

Bosch sees confidential computing as a key instrument to help protect data and meet compliance requirements. Dr. Sven Trieflinger, Senior Research Project Manager at Bosch, mentions, “With ever-decreasing cost and performance overheads, confidential computing techniques will be widely adopted in cloud workloads. The new level of security they offer will be instrumental in addressing challenges in the areas of legal compliance, IP protection, and customer trust”.


The impact of confidential computing extends to financial services too, where the Royal Bank of Canada (RBC) is already leveraging Azure confidential computing solutions to innovate. Eddy Ortiz, VP of Solution Acceleration and Innovation at RBC, says, “The confidential computing capabilities available in Azure have enabled us to unlock new business capabilities and materially advance existing product offerings by leveraging data in ways that only a few years ago was impossible. We’ve been able to craft novel applications which satisfy and exceed the Bank's most stringent cybersecurity demands. Through these technological advancements we are well-positioned to continue to offer unique and highly personalized experiences to our clients.”


At Microsoft, we remain committed to the vision of a confidential cloud, where organizations can share data and derive insights with strong technical data protection and an added layer of security. Along with NVIDIA, we will continue to innovate and advance AI trustworthiness through confidential computing.

Source: microsoft.com

Saturday 14 May 2022

Customize your secure VM session experience with native client support on Azure Bastion

As organizations move their mission-critical workloads to the cloud, connecting to virtual machines (VMs) directly over the public internet is becoming more of a security risk. The more public IP addresses a customer has attached to VMs in their virtual network, the larger their attack surface becomes and the more vulnerable they are to security threats. The more secure alternative is to deploy a managed jumpbox service that reduces the number of public entry points to a customer’s resources in the cloud. The ideal managed jumpbox service should prioritize both security and flexibility to choose how you connect to your resources. Azure Bastion, Azure’s managed jumpbox service, now provides customers with the ability to customize their connection experience to use a native client of their choice.

Azure Bastion overview


Azure Bastion is a fully managed jumpbox-as-a-service that provides secure and seamless Remote Desktop Protocol (RDP) and Secure Shell Protocol (SSH) access to your VMs in local or peered virtual networks. Azure Bastion provides connectivity directly from the Azure portal using Transport Layer Security (TLS). With Azure Bastion, your VMs do not need a public IP address, protecting your virtual machines from exposing RDP and SSH ports to threats on the public internet, while still providing secure access using RDP and SSH. With native client support available on the Standard SKU for Azure Bastion, you now unlock customizable features and added functionality in your VM sessions.

More flexibility to choose how you connect to your VMs


The primary way to connect to your VMs using Azure Bastion is through a quick and simple experience in the Azure portal. Users and administrators can navigate to their Azure VM in the portal and then open a web-based VM session using Azure Bastion. This experience eliminates the need to download any clients or agents, or to configure files, prior to accessing the VM.

Some customers value integration with existing and familiar processes. With the support for native clients on Azure Bastion, these customers can use command-line based access and a native client of their choice to reach their target VMs. This allows them to use Azure Bastion with a more accessible or familiar user interface, and to integrate connectivity to VMs via the service into their existing scripts.

Native client support offers three Azure CLI commands: az network bastion rdp, az network bastion ssh, and az network bastion tunnel. The az network bastion rdp and az network bastion ssh commands connect directly to the target VM using the mstsc and az ssh clients respectively. Meanwhile, the az network bastion tunnel command allows more flexibility: it establishes a tunnel to the target VM on a specific port, after which the user connects to the VM through that port with a custom client.

Customers now can choose how they connect to their VMs via Azure Bastion—a simple, quick web-based experience or an integrated and customizable experience using a native client.

Simplify your login experience with Azure AD-based authentication

Azure Bastion native client support also unlocks an additional authentication option for users. With the az network bastion rdp and az network bastion ssh commands, users can use their Azure Active Directory (Azure AD) account to access their VMs. Using Azure AD for authentication provides enhanced identity security in conjunction with Azure Bastion’s existing networking security by eliminating the need to manage local VM credentials. For SSH, the Azure AD authentication also simplifies the connect experience by using the credentials the user has already provided to log into Azure CLI and taking them directly to their VM session.

File upload and download to a VM using a native client


Azure Bastion now supports file transfer between your target VM and local computer using Azure Bastion and a native RDP or SSH client. To both upload and download files, users must use the Windows native client on a Windows machine and the az network bastion rdp command. With RDP, users can easily transfer files between their target VM and local Windows machine in just a few clicks. For customers using non-Windows native clients or SSH, the az network bastion tunnel command supports file upload from your local computer to the target VM. Third-party clients may also support file download for these scenarios.
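One way to script the tunnel-based workflow described above, as an added example that is not part of the original post or the Azure CLI itself: it launches az network bastion tunnel, waits for the local port to answer, runs a standard scp upload through it, and tears the tunnel down afterwards. It assumes the Azure CLI is installed and signed in; the Bastion name, resource group, VM resource ID, user name and file name are placeholders.

```python
"""Added example, not from the Azure Bastion post: wrap `az network bastion tunnel`
in a script so a custom client (here scp) can reach a VM that has no public IP.
Assumes the Azure CLI is installed and signed in; the Bastion, resource group,
VM resource ID, user and file names are placeholders."""
import contextlib
import shutil
import socket
import subprocess
import time


def bastion_tunnel_args(bastion, resource_group, target_vm_id, resource_port, local_port):
    """Argument list for `az network bastion tunnel` (flags as in the Azure CLI reference)."""
    if not 1 <= local_port <= 65535 or not 1 <= resource_port <= 65535:
        raise ValueError("port out of range")
    return [
        "az", "network", "bastion", "tunnel",
        "--name", bastion,
        "--resource-group", resource_group,
        "--target-resource-id", target_vm_id,
        "--resource-port", str(resource_port),
        "--port", str(local_port),
    ]


def local_port_of(args):
    """Recover the local listening port from a tunnel argument list."""
    return int(args[args.index("--port") + 1])


def port_is_open(port, host="127.0.0.1", timeout=0.5):
    """True once something accepts TCP connections on the local tunnel port."""
    with contextlib.closing(socket.socket()) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


@contextlib.contextmanager
def bastion_tunnel(args, wait_seconds=60):
    """Start the tunnel, wait until the local port answers, yield it, then tear it down."""
    proc = subprocess.Popen(args, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    try:
        port = local_port_of(args)
        deadline = time.monotonic() + wait_seconds
        while not port_is_open(port):
            if proc.poll() is not None:
                raise RuntimeError("az exited before the tunnel came up (check `az login`)")
            if time.monotonic() > deadline:
                raise TimeoutError("tunnel did not open within the wait window")
            time.sleep(1)
        yield port
    finally:
        proc.terminate()
        try:
            proc.wait(timeout=10)
        except subprocess.TimeoutExpired:
            proc.kill()


if __name__ == "__main__" and shutil.which("az"):
    args = bastion_tunnel_args(
        "bastion-hub", "rg-prod",
        "/subscriptions/<sub-id>/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm01",
        22, 50022)
    with bastion_tunnel(args) as port:
        # Every VM is reached via 127.0.0.1 here, so pin the host key to the VM's
        # name with HostKeyAlias instead of accepting mismatches on localhost.
        subprocess.run(["scp", "-P", str(port), "-o", "HostKeyAlias=vm01",
                        "./upload.tgz", "azureuser@127.0.0.1:/tmp/"], check=True)
```

Because every tunnelled VM appears as 127.0.0.1, the HostKeyAlias option keeps a separate known_hosts entry per VM rather than one shared localhost entry.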

Source: microsoft.com

Thursday 12 May 2022

Manage Red Hat workloads seamlessly on Azure

Every year, Red Hat Summit features inspirational and actionable content, industry-shaping news, and innovative practices from customers and partners. From hybrid cloud, containers, and cloud-native app platforms to management, automation, and more, speakers from around the world, across industries, and sectors join to share how they're using open tools to build better solutions for themselves and their customers. Microsoft is proud to sponsor and participate in Red Hat Summit 2022 which brings together communities who are passionate about open source in the enterprise.

Business is changing, and keeping up with fluctuations in markets and customer demands is not easy. Modernization is essential. Technologies like containers, Kubernetes, and hybrid cloud architectures are key components that provide the scalability, innovation, and flexibility you need to maintain a competitive edge, grow market share, and increase margins. Microsoft and Red Hat offer you the tools to reduce complexity and simplify your environment, innovate faster, deliver high-quality customer experiences, and expand and scale your infrastructure in any direction so you can be a disruptor in your industry.

Today, we’re announcing multiple enhancements to our Red Hat on Azure offerings that help customers accelerate their digital transformation with the power of the cloud. This includes the broad availability of Red Hat Ansible Automation Platform on Azure and Red Hat OpenShift support for Azure Arc-enabled SQL Managed Instance.

Detailed updates include:

◉ Red Hat Ansible Automation Platform on Azure is now available to customers in North America with global availability coming soon. The Ansible Automation Platform 2.2 features are available for customers in the tech preview. Red Hat Ansible Automation Platform on Azure enables IT organizations to quickly automate and scale in the cloud, with the flexibility to deliver any application, anywhere, without additional overhead or complexity. Achieve zero to automation in minutes by deploying the managed application directly from the Azure Marketplace.

◉ Azure Arc-enabled SQL Managed Instance is now supported on Red Hat OpenShift. For Red Hat Enterprise Linux customers who need to run their data workloads outside Azure in their own datacenters or multicloud environments, we bring trusted Azure SQL and open-source software database services to meet them where they are. This database service unifies management and delivers mission-critical performance, high availability/disaster recovery at scale. With an evergreen SQL that has no end-of-support, customers can realize the best of Azure SQL on OpenShift, in any environment. Customers can enjoy fully automated updates and patches to innovate faster and be more secure.

"Red Hat has been a strategic partner in our Azure Arc partner ecosystem in lighting up the next-gen Azure data services to run anywhere. With this support, organizations can run Azure Arc-enabled SQL Managed Instance across any environment without worrying about the infrastructure underneath. The combination of Red Hat OpenShift and Azure Arc-enabled SQL Managed Instance allows customers to use the platform they know and trust to accelerate innovation with faster time to market with enterprise-grade support."—Peter Carlin, CVP Azure Database Platform

◉ Red Hat Enterprise Linux (RHEL) 9 will be available on Azure from May 24. With demand for edge computing continuing to grow, RHEL 9 incorporates key enhancements specifically designed to address evolving IT needs at the edge. Edge management helps teams more securely manage and scale Red Hat Enterprise Linux on distributed devices from a single interface. RHEL 9 will include support for Red Hat Update Infrastructure 4 allowing for automatic updates.

◉ Azure Hybrid Benefit for Linux 3.0 will be broadly available from May 24. Through Azure Hybrid Benefit for Linux 3.0, customers can migrate their on-premises RHEL servers to Azure by bi-directionally converting existing RHEL pay-as-you-go (PAYG) VMs on Azure to bring-your-own-subscription (BYOS) billing, resulting in cost savings. In its latest iteration, support for custom images has been included.

Source: microsoft.com

Tuesday 10 May 2022

Streamline Azure workloads with ExpressRoute BGP community support

In today’s globalized world, customers have started to maintain and expand their presence in the cloud across different geographic regions. With these increased deployments across Azure regions comes the increased complexity of customers’ hybrid networks. Establishing connectivity is no longer as simple as exchanging IP addresses between one pair of Azure regions and on-premises locations. Connectivity now requires additional configuration and reconfiguration of IP prefixes and route filters over time as the number of regions and on-premises locations grows. The introduction of Border Gateway Protocol (BGP) community support for Azure ExpressRoute, now in preview, lifts this burden for customers who connect privately to Azure. The support of this feature will also help simplify and unlock new network designs.

A brief overview of ExpressRoute

ExpressRoute lets customers extend their on-premises networks into the Microsoft Cloud over a private connection. With ExpressRoute, customers can connect to services in the Microsoft Cloud, including Microsoft Azure and Microsoft 365, without going over the public internet. An ExpressRoute connection provides more reliability, lower latency, and higher security than a public internet connection.

Globalized hybrid networks with ExpressRoute

A common scenario for customers to use ExpressRoute is to access workloads deployed in their Azure virtual networks. ExpressRoute facilitates the exchange of Azure and on-premises private IP address ranges using a BGP session over a private connection, enabling a seamless extension of customers’ existing networks into the cloud.

When a customer begins using multiple ExpressRoute connections to multiple Azure regions, their traffic can take more than one path. The hybrid network architecture diagram below demonstrates the emergence of suboptimal routing when establishing a mesh network with multiple regions and ExpressRoute circuits:

To ensure that traffic to Region A takes the optimal path over ExpressRoute circuit 1, the customer could configure a route filter on-premises so that Region A routes are learned at the customer edge only from ExpressRoute circuit 1 and not from ExpressRoute circuit 2 at all. This approach requires the customer to maintain a comprehensive list of IP prefixes for each region and to update it whenever new virtual networks are added or private IP address space is expanded in the cloud. As the customer continues to grow their presence in the cloud, this burden can become excessive.

Simplifying routing with BGP communities


With the introduction of BGP community support for ExpressRoute, customers can easily grow their multiregional hybrid networks without the tedious work of maintaining IP prefix lists. A BGP community is a group of IP prefixes that share a common property called a BGP community tag or value. In Azure, customers can now:

◉ Set a custom BGP community value on each of their virtual networks.

◉ Access a predefined regional BGP community value for all their virtual networks deployed in a region.

Once these values are configured on customers’ virtual networks, ExpressRoute will preserve them on the corresponding private IP prefixes shared with customers’ on-premises. When these prefixes are learned on-premises, they are learned along with the configured BGP community values. For example, a customer can set the custom value of 12076:10000 on a virtual network in East US and then start receiving the virtual network prefixes along with the values of 12076:1000 and 12076:50004 (the regional value) on-premises. Customers can then configure their route filters based on these community values instead of by specifying IP prefixes.

With the ability to make routing decisions on-premises based on BGP communities, customers no longer need to maintain IP prefix lists or update their route filters each time they expand their address space in an existing region. Instead, they can filter based on regional BGP community values and update their configurations when deploying workloads in a new region.

Understanding complex networks


Customers may expand their Azure workloads across regions over time, as described earlier, but may also continue to build more complex networks within each region. They may progress from simpler single-virtual network deployments to pursuing hub-and-spoke or mesh topologies containing hundreds of resources. If connectivity or performance issues arise for traffic sent from these resources to on-premises, the complexity of the cloud network can make troubleshooting more difficult. With custom BGP community values configured on each virtual network within a region, a customer can quickly find the specific virtual network that traffic is originating from in Azure and narrow down their investigation accordingly.
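The two filtering styles contrasted above, and the troubleshooting lookup from an address back to its virtual network, as an added example that is not part of the original post: a prefix-list filter written before a new East US virtual network existed silently drops that network's route, while a filter on the regional community value admits it with no change. The routes are constructed; the custom value 12076:10000 and the regional value 12076:50004 are the ones quoted in the post, and the other community values are placeholders.

```python
"""Added example (not from the ExpressRoute post): an on-premises route filter
that admits Region A prefixes by BGP community instead of by prefix list, plus
the troubleshooting lookup from an address back to its VNet. All routes, and
all community values other than 12076:10000 / 12076:50004 from the post, are
constructed for the demo."""
import ipaddress
from dataclasses import dataclass

REGION_A_COMMUNITY = "12076:50004"   # regional value for East US quoted in the post


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    communities: frozenset


def learned_route(prefix, *communities):
    """A prefix as learned from an ExpressRoute circuit, carrying its community values."""
    return Route(ipaddress.ip_network(prefix), frozenset(communities))


def sample_routes():
    """Constructed routes arriving at the customer edge from circuit 1."""
    return [
        learned_route("10.1.0.0/16", "12076:10000", REGION_A_COMMUNITY),  # East US VNet from the post
        learned_route("10.3.0.0/16", "12076:10002", REGION_A_COMMUNITY),  # East US VNet added later
        learned_route("10.2.0.0/16", "12076:20000", "12076:59999"),        # other region (values constructed)
    ]


def prefix_list_filter(allowed_prefixes):
    """Legacy approach: accept only prefixes contained in a hand-maintained list."""
    allowed = [ipaddress.ip_network(p) for p in allowed_prefixes]
    return lambda route: any(route.prefix.subnet_of(a) for a in allowed)


def community_filter(required):
    """Community approach: accept any prefix tagged with the required value."""
    return lambda route: required in route.communities


def accepted_prefixes(routes, accept):
    """Sorted list of prefixes the filter admits."""
    return sorted(str(r.prefix) for r in routes if accept(r))


def region_a_accepted(routes, by="community"):
    """Prefixes circuit 1 admits for Region A under each filtering style."""
    if by == "prefix":
        accept = prefix_list_filter(["10.1.0.0/16"])   # list written before 10.3.0.0/16 existed
    else:
        accept = community_filter(REGION_A_COMMUNITY)
    return accepted_prefixes(routes, accept)


def vnet_for_address(routes, custom_values, address):
    """Troubleshooting: map an Azure address back to its VNet via the custom community."""
    ip = ipaddress.ip_address(address)
    for route in routes:
        if ip in route.prefix:
            for community in route.communities:
                if community in custom_values:
                    return custom_values[community]
    return None


if __name__ == "__main__":
    routes = sample_routes()
    print("prefix list :", region_a_accepted(routes, by="prefix"))     # new VNet is missing
    print("community   :", region_a_accepted(routes, by="community"))  # new VNet admitted, no filter change
    names = {"12076:10000": "vnet-eastus-hub", "12076:10002": "vnet-eastus-spoke"}
    print(vnet_for_address(routes, names, "10.3.4.5"))
```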

Take advantage of custom BGP communities with your Azure workloads


With the power to simplify cross-regional hybrid network designs and speed up troubleshooting, custom BGP communities are a great way for customers to enhance current ExpressRoute setups and prepare for future growth.

Source: microsoft.com

Saturday 7 May 2022

Azure Health Data Services: Engineering product for partners

The healthcare industry has come a long way from putting pen to paper on a pharmacy script or clinical SOAP note to now, being able to deliver primary care in the emerging hospital at home. My career in the healthcare and life sciences (HLS) industry has spanned different roles including: a military clinician, life science entrepreneur, clinical research application scientist, and business leader. Currently, I head the Partner Alliances team for Microsoft’s global health and Life sciences Cloud and Data engineering and product group. Today, I consider myself an HLS generalist bridging the gap between engineering and the application of it in the wild. I look forward to continuing to listen to the needs, implement solutions, and partner with others to bring forward meaningful change in healthcare.

Last month, we launched Azure Health Data Services, a platform as a service (PaaS) offering designed exclusively to support Protected Health Information (PHI) in the cloud, built on the global open standards Fast Healthcare Interoperability Resources (FHIR)® and Digital Imaging Communications in Medicine (DICOM). Watching the team work to develop this product, I feel compelled to share how intentional our product team is at building healthcare technologies for an industry that is currently experiencing historically unprecedented transformation. We are deploying technology that can ingest, transform, and persist data, allowing our customers to use their data to span workflows from discovery research to clinical end points. The underlying technology enables our customers to engage in activities ranging from novel biomarker identification to virtual clinical decision support. For example, today our customers can combine cellular assay data, pathology data, molecular imaging, genomics, and handwritten, voice, and text derived notes. With so much data, the goal is to enable our customers to derive insights from a single system of record, so that they can optimize the user experience for patient, research, and clinical workflows: adherence to treatment increases, scientists gain faster contextual evidence to support their early discoveries, and clinicians can spend more time focused on delivering healthcare without experiencing burnout and information overload. The bottom line is, when you can bring these data sets together in a meaningful way, you inherently increase your signal to noise ratio since you are no longer looking for a needle in a haystack; you are looking for a book in a library.

Five years ago, under the leadership of Peter Lee, Microsoft made a purposeful decision that enabled us to lead the way in cloud, data, AI, and innovation. In 2020, Microsoft won the Frost and Sullivan Best Practice Award for our commitment to global AI for healthcare IT growth, and our innovation and leadership in the industry. The Microsoft executive health leadership team realized that we needed a common standards-based platform for healthcare and life sciences data and a secure compliant environment for the industry to build on. To accomplish this, we would need to contribute to the interoperability momentum for the FHIR® standard. We also knew we had to lead with partners that know the space better than we do. We are now focused on building the most trusted health data platform designed with security and compliance in mind, that is ready to ingest a variety of data types and standards, workflow accelerators, and scenario-specific features. Our hope is that this will enable our ecosystem of partners to push the last mile of innovation for our shared customers in provider, pharmaceutical, payor, and life sciences.

With our partners as the foundation of our business, we will maintain competitive velocity in such transformational times.

Our approach to building Azure Health Data Services has been to support our partners by building and managing the underlying cloud technology so they can remain focused on the front-line industry scenarios. We appreciate the intimate business propriety required to remain innovative and competitive. For this model to work, we must begin and end with the question “are we going to build, buy, or partner for this given product, feature, or capability?” These decisions are rigorous and informed by key industry opinion leaders, the partner ecosystem, and our leadership teams.

Taking inspiration from industry leaders

To support this thesis, we built the Health Data Services Partner Alliances team. Our charter is to listen to industry leaders like Tom Arneman at EPAM, BJ Moore at Providence, and the broader trusted advisors across the Microsoft health and life sciences partnership ecosystem. This industry-driven feedback challenged us to deliver interoperable, FHIR-enabled services and partner-led solutions. Partners like Redox, Onyx, 3Cloud, EPAM, SAS, Efferent, Teladoc and ZS Services have been instrumental in providing direct user feedback.

These solutions are coming to life with our mutual customers across the provider, payer and pharma industries. Together we are delivering diversified solutions across the HLS continuum that includes users like translational oncology clinical trial coordinators to care providers remotely accessing their patients. We have worked closely to evolve features with early movers that have deep expertise in multi-modal interoperability deployments, FHIR resource creation, MedTech eventing features for remote patient monitoring, and DICOM for imaging. Now we are scaling these managed services with global partners, their large enterprise HLS practices and industry leading ISV solutions. We are deploying a breadth motion and application toolset that will make it simpler for our partners to build new transactional and analytic SMART on FHIR and other applications on top of Azure Health Data Services.

These partners are the cornerstone of building solutions for the greatest challenges we see today and foresee in years to come. At Microsoft we focus on aligning with them on a defined customer and business opportunity; we then commit resources and appropriate enablement to deliver timely and measurable business value. When we execute in this way, our likelihood of optimized collaboration, product-market fit, market adoption, and long-term partnership is much greater.

Azure Health Data Services is built with the goal of enabling our customers to be able to do more with their health data. We want our partners to be able to provide them solutions to do so—solutions optimized for Azure, Microsoft Cloud for Healthcare and Azure Health Data Services which can help them transform patient experience, discover new insights, and accelerate innovation.

Source: microsoft.com

Tuesday 3 May 2022

Announcing new investments to help accelerate your move to Azure

As businesses adapt to new ways of operating, IT leaders are presented with increasing challenges to achieving sustainable growth. Ensuring your business continues to run without interruptions while adapting and transforming can be paramount. If your company is looking for options to migrate your server estate to the cloud, we have news for you.

Outstanding offers

Extended Security Updates and Azure Migration and Modernization Program support for larger migration projects.

Microsoft has great offers for Windows Server and SQL Server customers looking to move to the cloud. Azure offers free Extended Security Updates for SQL Server 2012 and Windows Server 2012/2012 R2, giving you more time to modernize supported applications for three additional years beyond the 10 years granted by Microsoft Support. Microsoft also allows customers to save significantly when running their workloads in Azure Virtual Machines with Azure Hybrid Benefit, which combined with reserved instances can enable up to 85 percent savings when compared to other cloud services.

To help support your migration and modernization to the cloud, mitigating potential unforeseen risks and costs, Microsoft is expanding the Azure Migration and Modernization Program (AMMP). In the past years, AMMP has helped thousands of customers like Jotun unlock the value of the cloud, bringing together the right mix of resources and best practices at every stage of their journey. We’re now investing significantly more to support your largest Windows/SQL Server migration and modernization projects—up to 2.5 times larger based on project eligibility. This investment will help with your migration in two ways: partner assistance with planning and moving your workloads, and Azure credits that offset transition costs during your move to Azure SQL Managed Instance and Azure SQL Database.

Unparalleled innovation

Unlock your SQL Server and Windows Server’s greatest potential in Azure, with unique capabilities and more options for true hybrid cloud flexibility. With Microsoft you can choose the option that aligns best to your business needs, migrating and modernizing servers with solutions like Windows Server and SQL Server running in virtual machines (VMs), Azure SQL managed databases, and hybrid management through Azure Arc.

When you have your VMs in Azure, management becomes simplified with dedicated solutions such as Azure Automanage and Windows Admin Center in the Azure portal. Azure SQL allows you to spend more time innovating and less time patching, updating, and backing up your databases, as Azure is the only cloud with evergreen SQL that automatically applies the latest updates and patches so that your databases are always up to date, eliminating end-of-support hassles. Azure SQL also features built-in AI that automatically tunes databases ensuring peak performance for every database, delivering leading price-performance.

Unmatched security

Security is foundational for Azure. If your company is running SQL Server 2012 and Windows Server 2012/2012 R2, this is the time to consider assessing those environments as they reach the end of support on July 12, 2022 and October 10, 2023 respectively. Not having support means the end of security updates, which may leave your business exposed to security risks and compliance concerns. Azure offers three years of extended security updates.

Multilayered security is provided across physical datacenters, infrastructure, and operations with cyber security experts actively monitoring to protect your Windows Server and SQL Server, including in hybrid deployments with Azure Arc. Microsoft has more than 3,500 cybersecurity professionals and spends $1 billion annually on security to help protect, detect, and respond to threats, so you can grow a safe and secure business. The Azure platform is a leader in compliance coverage with 90 plus compliance offers that allow you to proactively safeguard your data and streamline compliance. Our commitment to privacy is uncompromising. Our core privacy principle is, you own your data. We will never use it for marketing or advertising purposes, in turn providing you confidence around data storage and security. 

Source: microsoft.com

Sunday 1 May 2022

Meet PCI compliance with credit card tokenization

In building and running a business, the safety and security of your and your customers' sensitive information and data is a top priority, especially when storing financial information and processing payments are concerned. The Payment Card Industry Data Security Standard (PCI DSS) defines a set of regulations put forth by the largest credit card companies to help reduce costly consumer and bank data breaches.

In this context, PCI compliance refers to meeting the PCI DSS’ requirements for organizations and sellers to help safely and securely accept, store, process, and transmit cardholder data during credit card transactions, to prevent fraud and theft.

Towards confidential computing

In June 2021, the Monetary Authority of Singapore (MAS) issued an advisory circular on addressing the technology and cyber security risks associated with public cloud adoption. The paper describes a set of risk management principles and best practice standards to guide financial institutions in implementing appropriate data security measures to help protect the confidentiality and integrity of sensitive data in the public cloud, taking into consideration data-at-rest, data-in-motion, and data-in-use where applicable. Specifically, section 21, reproduced below, states that for data that is being used or processed in the public cloud, financial institutions (FIs) may implement confidential computing solutions if available from the cloud service provider. Confidential computing solutions protect data by isolating sensitive data in a protected, hardware-based computing enclave.

Data security and cryptographic key management

FIs should implement appropriate data security measures to protect the confidentiality and integrity of sensitive data in the public cloud, taking into consideration data-at-rest, data-in-motion and data-in-use where applicable.

◉ For data-at-rest, that is, data in cloud storage, FIs may implement additional measures e.g. data object encryption, file encryption or tokenization in addition to the encryption provided at the platform level.

◉ For data-in-motion, that is, data that traverses to and from, and within the public cloud, FIs may implement session encryption or data object encryption in addition to the encryption provided at the platform level.

◉ For data-in-use, that is, data that is being used or processed in the public cloud, FIs may implement confidential computing solutions if available from the CSPs. Confidential computing solutions protect data by isolating sensitive data in a protected, hardware-based computing enclave during processing.

Confidential virtual machines

On these premises, FIs can leverage Azure confidential computing for building an end-to-end data and code protection solution on the latest technology for hardware-based memory encryption. The solution presented in this article for processing credit card payments makes use of confidential virtual machines (CVMs) running on AMD Secure Encrypted Virtualization (SEV)—Secure Nested Paging (SNP) technology.

AMD introduced SEV to isolate virtual machines from the hypervisor. Hypervisors are typically considered trusted components in the virtualization security model, and many customers have requested a VM trust model which reduces the exposure to vulnerabilities in the infrastructure. With SEV, individual VMs are assigned a unique encryption key wired in the CPU, used for automatically encrypting the memory allocated by the hypervisor to run a VM.

The latest generation of SEV technology includes SNP capability. SNP adds new hardware-based security by providing strong memory integrity protection from potential attacks to the hypervisor, including data replay and memory re-mapping.

Azure confidential computing offers confidential VMs based on AMD processors with SEV-SNP technology. Confidential VMs are for tenants with high security and confidentiality requirements. You can use confidential VMs for migrations without making changes to your code, while the platform helps protect your VM’s state from being read or modified. Benefits of confidential VMs include:

◉ Robust hardware-based isolation between virtual machines, hypervisor, and host management code.

◉ Attestation policies to ensure the host’s compliance before deployment.

◉ Cloud-based full-disk encryption before the first boot.

◉ VM encryption keys that the platform or the customer (optionally) owns and manages.

◉ Secure key release with cryptographic binding between the platform’s successful attestation and the VM’s encryption keys.

◉ Dedicated virtual Trusted Platform Module (TPM) instance for attestation and protection of keys and secrets in the virtual machine.

The provisioning of a confidential VM in Azure is as simple as any other regular virtual machine, using your preferred tool, either manually via the Azure Portal, or by scripting with Azure command-line interface (CLI). Figure 2 shows the process of creating a virtual machine in the Azure Portal, with specific attention to the “Security type” attribute. For provisioning a confidential VM based on AMD SEV-SNP technology, you have to select that specific entry in the dropdown list. At the time of writing (March 2022), confidential VMs are in preview in Azure, and thus limited in availability across regions. As this service enters general availability, more regions will be available for deployment.

Figure 1: Confidential Virtual Machine in Azure Portal.

Credit card tokenization


In the scenario above in Figure 2, the process of tokenization is a random oracle: given an input, it generates a non-predictable output, and that output varies even when the same input is provided. For example, when a customer makes a second payment using the same credit card as in a previous transaction, the token generated will be different. Lastly, when that random output is presented back to the service, the tokenization interface returns the original input.

It is not by coincidence that I used the term “interface” to describe this tokenization service. Indeed, the technical implementation of this random generator is a Web API running on the .NET 6 runtime. Figure 3 describes the reference architecture for the solution.

Figure 2: Credit card tokenization architecture reference.

1. A payment transaction is initiated by the customer and payment data is transferred to the .NET Web API. This API is running on a confidential VM.

2. The random token is generated by the API based on the input data. Tokenization also includes encryption of that data with a symmetric cryptographic algorithm (AES specifically).

3. The encryption key is stored in Azure Key Vault running on a managed Hardware Security Module (HSM). This is a critical component of the confidential solution, as the encryption key is preserved inside the HSM. The HSM helps protect keys from the cloud provider or any other rogue administrator. Only the Web API app is authorized to access the secret key.

The following code snippet shows the implementation of the key retrieval from AKV inside the Get method of the Web API (the method body continues in the snippet under step 4).

using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.AspNetCore.Mvc;
using System.Text.Json;

[HttpGet(Name = "GetToken")]
public async Task<TokenTuple> Get(CreditCard card)
{
    // Retrieve the AES encryption key from AKV; the vault name comes from the environment
    string akvName = Environment.GetEnvironmentVariable("KEY_VAULT_NAME");
    var akvUri = $"https://{akvName}.vault.azure.net";
    // DefaultAzureCredential lets the VM's managed identity authenticate without embedded secrets
    var akvClient = new SecretClient(new Uri(akvUri), new DefaultAzureCredential());
    var secret = await akvClient.GetSecretAsync("AesEncryptionKey");
    EncryptionKey key = JsonSerializer.Deserialize<EncryptionKey>(secret.Value.Value);

Azure Key Vault Managed HSM is a fully managed, highly available, single-tenant, standards-compliant cloud service that enables you to safeguard cryptographic keys for your cloud applications, using FIPS 140-2 Level 3 validated HSMs.

The service is highly available and zone resilient (where availability zones are supported): Each HSM cluster consists of multiple HSM partitions that span across at least two availability zones. If the hardware fails, member partitions for your HSM cluster will be automatically migrated to healthy nodes.

Each Managed HSM instance is dedicated to a single customer and consists of a cluster of multiple HSM partitions. Each HSM cluster uses a separate customer-specific security domain that cryptographically isolates each customer's HSM cluster.

The HSM is FIPS 140-2 Level 3 validated, which means that it meets the compliance requirements of Federal Information Processing Standard 140-2 Level 3.

AKV Managed Hardware Security Module (MHSM) also assists with data residency as it doesn't store and process customer data outside the region the customer deploys the HSM instance in.

Lastly, with AKV MHSM, customers can generate HSM-protected keys in their own on-premises HSM and import them securely into Azure.

4. The obtained encryption key is then used to encrypt the payment data with a symmetric cipher. The encrypted value is associated with a newly generated token and added as a message to the queue. In the code snippet below, the token and the encrypted data are stored together in a tuple object, which is then enqueued.

    // Encrypt the credit card information
    string json = JsonSerializer.Serialize(card);
    string encrypted = SymmetricCipher.EncryptToString(json, key);

    // Generate token
    Token token = Token.CreateNew();

    // Add the token tuple to the queue
    TokenTuple tuple = new (token, encrypted);
    QueueManager.Instance.Enqueue(tuple);

    // Return the pair to the caller; this closes the Get method begun in step 3
    return tuple;
}

5. The generated token is added to an in-memory queue. There is no persistence of data in the solution. The token expires after a configurable amount of time, typically a few seconds, which allows the payment gateway to process the payment information from the queue. The combination of running this solution on a confidential infrastructure and the volatility of data in the queue helps customers make their system PCI compliant: no sensitive payment data is stored or processed in clear text.

6. The queue mechanism can be implemented with any highly reliable queue engine, such as RabbitMQ. Because the solution runs in a confidential VM, the confidentiality of data in the queue is retained during in-memory processing as well, even when a third-party application such as RabbitMQ is used, and with no code changes.

7. The payment gateway implements the Publish-Subscribe pattern (Pub-Sub) for retrieving messages from the queue, using a webhook to register the endpoint that is invoked to dequeue a message.

// The method is named Post and receives the subscriber's endpoint, so HttpPost is the matching verb (the original had HttpGet)
[HttpPost(Name = "ResolveToken")]
public async Task Post(string subscriberUri)
{
    // Dequeue the next token/ciphertext pair and deliver it to the subscriber's webhook.
    // _httpClientFactory is an IHttpClientFactory injected through the controller constructor (not shown).
    TokenTuple tuple = QueueManager.Instance.Dequeue();
    HttpClient client = _httpClientFactory.CreateClient();
    await client.PostAsJsonAsync(subscriberUri, tuple);
}
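To make steps 2, 4 and 5 concrete, here is an added example (not the article's code, and not the helpers it references such as SymmetricCipher, Token or QueueManager) of the tokenization core: a fresh random token per call, AES-GCM authenticated encryption of the card data, and a volatile store in which each token is single-use and expires after a configurable TTL. TokenVault, CreditCard and Demo are names of this example; the AES key is generated locally here in place of the Key Vault / Managed HSM retrieval shown above.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text.Json;

// Constructed example: random token + AES-GCM ciphertext held in a volatile, time-limited store.
public sealed class TokenVault
{
    private readonly byte[] _key;   // 256-bit AES key; in the article's design it comes from Key Vault / Managed HSM
    private readonly TimeSpan _ttl; // how long a token stays resolvable
    private readonly ConcurrentDictionary<string, (byte[] Nonce, byte[] Cipher, byte[] Tag, DateTime Expires)> _store = new();

    public TokenVault(byte[] key, TimeSpan ttl) { _key = key; _ttl = ttl; }

    // The token is fresh randomness, independent of the card data (the random-oracle behaviour
    // described above), so two payments with the same card yield unrelated tokens.
    public string Tokenize(object card)
    {
        byte[] plain = JsonSerializer.SerializeToUtf8Bytes(card);
        byte[] nonce = RandomNumberGenerator.GetBytes(AesGcm.NonceByteSizes.MaxSize); // 12 bytes, never reused
        byte[] cipher = new byte[plain.Length];
        byte[] tag = new byte[AesGcm.TagByteSizes.MaxSize];                           // 16-byte authentication tag
        using (var aes = new AesGcm(_key)) aes.Encrypt(nonce, plain, cipher, tag);
        string token = Convert.ToBase64String(RandomNumberGenerator.GetBytes(16));
        _store[token] = (nonce, cipher, tag, DateTime.UtcNow + _ttl);
        return token;
    }

    // One-shot resolve: the entry is removed on first use; unknown, reused or expired tokens give null.
    public T? Resolve<T>(string token) where T : class
    {
        if (!_store.TryRemove(token, out var e) || DateTime.UtcNow > e.Expires) return null;
        byte[] plain = new byte[e.Cipher.Length];
        using (var aes = new AesGcm(_key)) aes.Decrypt(e.Nonce, e.Cipher, e.Tag, plain); // throws if tampered
        return JsonSerializer.Deserialize<T>(plain);
    }
}

public sealed record CreditCard(string Pan, string Expiry);

public static class Demo
{
    public static void Main()
    {
        var vault = new TokenVault(RandomNumberGenerator.GetBytes(32), TimeSpan.FromSeconds(5));
        var card = new CreditCard("4111111111111111", "12/29");           // constructed test PAN
        string t1 = vault.Tokenize(card), t2 = vault.Tokenize(card);
        Console.WriteLine(t1 != t2);                                       // same card, different tokens
        Console.WriteLine(vault.Resolve<CreditCard>(t1)?.Pan == card.Pan); // first resolve returns the card
        Console.WriteLine(vault.Resolve<CreditCard>(t1) is null);          // token is single-use
    }
}
```

Because the nonce and ciphertext live only in process memory, a token that is never resolved within the TTL leaves no recoverable card data behind, which is the property step 5 relies on.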

Source: microsoft.com