Showing posts with label Government. Show all posts

Saturday, 4 March 2023

Azure VMware Solution in Microsoft Azure Government streamlines migration efforts


Today we are pleased to announce the public preview of Azure VMware Solution in Microsoft Azure Government.

With this release, we are combining VMware cloud technologies with world-class Azure infrastructure in Azure Government, which is designed, built, and supported by Microsoft to help meet the highest levels of government security and compliance. Azure Government delivers a dedicated cloud, enabling government agencies and their partners to streamline migrating mission-critical workloads to the cloud.

Azure VMware Solution is a fully managed service in Azure that customers can use to extend their on-premises VMware workloads more seamlessly to the cloud, while maintaining their existing skills and operational processes.

Azure VMware Solution is already available in Azure commercial for any customer, including public sector organizations. With this launch, we are extending the same benefits of Azure VMware Solution to Azure Government, where US Government customers and their partners can meet their security and compliance needs.

Continue reading to explore how to get started with Azure VMware Solution in Azure Government.

Accelerating the migration journey in Azure


Azure VMware Solution delivers a VMware vSphere-based, single-tenant, private cloud in Azure Government. VMware workloads run on bare metal hardware in Azure datacenters. Customers can stand up a VMware environment with enhanced speed in Azure and more quickly gain access to their VM resources while also accessing Azure services, such as Microsoft Defender for Cloud, Azure Monitor, or Log Analytics.

Microsoft operates and supports the Azure VMware Solution environment and all the necessary networking, storage, and management services, which includes benefits such as the following:

  • Seamlessly modernize over time with Azure services: With Azure VMware Solution, you can leverage Azure services such as Azure App Service, Azure Kubernetes Service, Azure Traffic Manager, security, and analytics to further modernize workloads on your timeline.
  • Better streamline migration efforts with familiar tools and services: With a unified Azure experience via the Azure Government portal, customers can integrate their existing processes and tools “as-is” and run familiar VMware technology, including VMware vSphere, VMware HCX, VMware NSX-T, and VMware vSAN. HCX Enterprise edition is available at no additional cost, which enables you to streamline data and applications to help accelerate large-migration efforts and reduce time.
  • Maintain business continuity and workloads more securely on Azure: Leverage Azure services on the public cloud for disaster recovery, backup, security, and more to safeguard your applications. Azure enables customers to integrate VMware workloads with best-in-class cloud security features, such as:
    • Azure Virtual Network integration provides perimeter network controls using solutions such as network and application security groups and network security solutions for applications such as the Azure Application Gateway.
    • Logging, monitoring, and alerting solutions, such as Azure’s security information and event management (SIEM) solution, Azure Sentinel, and threat detection using Defender for Cloud (formerly Azure Security Center).
    • Customer-managed keys provide enhanced control over encrypted VMware vSAN data using HSM (hardware security module) backed Azure Key Vault and certificate authority integration for automated certificate management.
    • End-to-end encryption safeguards data according to your company’s security and compliance needs with Azure Data Encryption at Rest with all Azure services.

Savings opportunities in Azure


Achieve savings in Azure with a managed infrastructure to expand or shrink your cloud environment on demand as your business needs change.

Savings opportunities on Windows Server and SQL Server with Azure Hybrid Benefit in Azure

Customers can leverage the value of existing on-premises Windows Server and SQL Server licenses when migrating or extending to Azure. As a core Azure service, Azure VMware Solution supports Azure Hybrid Benefit, allowing customers to bring their existing Microsoft workloads running on-premises to the cloud.

Get extended security updates for Windows Server and SQL

Azure VMware Solution customers are also eligible for three years of Extended Security Updates on 2008/2012 versions of Windows Server and SQL Server. These pricing benefits are only available in Azure and foster greater simplicity and cost efficiency for your journey to cloud.

Benefit from the Microsoft and VMware partnership

VMware and Microsoft have a long-standing partnership, and now more than ever it is important we come together and help customers create business resiliency, efficiency, and agility.

“As public sector customers accelerate their modernization efforts, they need the flexibility and choice to select the right cloud for each application,” said Jennifer Chronis, Vice President, public sector at VMware. “Together with Microsoft, we are delivering a modern, more consistent cloud service that will provide US government customers and partners with new options to migrate or extend their on-premises VMware environments to the cloud.”

Source: microsoft.com

Thursday, 18 November 2021

Bringing commercial innovations in chip design to national security


Semiconductors and microelectronics are some of the most important components in building cutting-edge capabilities for our national security and defense technologies, from satellites and radar to vehicles and communications equipment. Ensuring these components are developed with the utmost regard for security is a critical, yet challenging task. Historically, the security requirements associated with developing microelectronics have limited the U.S. Department of Defense’s (DoD) ability to leverage the latest innovations.

Through a recent DoD-sponsored project, Rapid Assured Microelectronics Prototypes (RAMP) using Advanced Commercial Capabilities, the goal is to leverage commercial best practices to help accelerate the development process and bring reliable, secure state-of-the-art microelectronic design and manufacturing to national security and defense applications. The DoD recently announced it has selected Microsoft to support the second phase of this project.

This project builds on a 40-year history of collaboration between Microsoft and the U.S. DoD, to bring commercial innovation to the national security community. Microsoft previously led a coalition of partners in collaborating with the DoD on the first phase of this initiative: to develop design capabilities that achieve the department’s mission priorities. In this second phase, Microsoft and our partners will build on these successful designs and begin to develop custom integrated chips and System on a Chip (SoC) designs using a secure, collaborative design flow that provides access to advanced manufacturing processes. These new designs will achieve lower power consumption, improved performance, reduced physical size, and improved reliability for application in DoD systems.

Microsoft has engaged microelectronics industry leaders across the commercial and defense industrial base (DIB) to develop this phase of the RAMP project. Collaborators include Ansys, Applied Materials, Inc., BAE Systems, Battelle Memorial Institute, Cadence Design Systems, Cliosoft, Inc., Flex Logix, GlobalFoundries, Intel Federal, Raytheon Intelligence and Space, Siemens EDA, Synopsys, Inc., Tortuga Logic, and Zero ASIC Corporation.

The RAMP solution will provide an advanced microelectronics development platform for mission-critical applications, with cloud, AI, and machine learning-enabled automation, security, and quantifiable assurance. This solution will be hosted in Azure Government, offering the broadest range of commercial innovation for governments with services available across all U.S. data classifications.

RAMP is a critical initiative that will enable the DoD to leverage a secure, scalable microelectronic supply chain, while also ensuring the design and manufacturing meets its stringent security and compliance requirements. By leveraging cloud-based secure design capabilities, RAMP will expand the number of foundries available to DoD, enhance resiliency, and foster growth of the domestic semiconductor supply chain. The success of RAMP will also enable the department to be more agile with technology developments, quickly adapt to evolving needs, and adopt the latest technological capabilities. We look forward to continuing our work with the DoD and our industry partners to deliver groundbreaking, transformative solutions to secure the microelectronic supply chain.

Source: microsoft.com

Saturday, 28 August 2021

Genomics testing on the ISS with HPE Spaceborne Computer-2 and Azure

This morning Microsoft News published a story about the use of Azure, enabled by HPE’s Spaceborne Computer-2 on the International Space Station (ISS). The project was designed to overcome the limited bandwidth between the ISS and Earth by validating the benefits of a computational workflow that spans edge and cloud. Under this workflow, high-volume raw data is examined on the ISS using the HPE Spaceborne Computer-2’s edge computing platform, and a much smaller data set containing only “interesting bits” is sent to Earth, where cloud resources are used to perform compute-intensive analysis to determine what those interesting bits really mean.

The Azure Space team performed the software development needed for the entire experiment in just three days.

A brief background

The International Space Station (ISS), a microgravity and space environment research laboratory, has just observed 20 years of continuous human presence. New technology is delivered to it regularly, as needed to keep up with the research being performed. Computers used on the ISS have typically been custom-built with specialized hardware and programming models to deliver the reliability needed in space. Unfortunately, the developer experience for targeting these custom spaceborne systems is complex, making programming slow and challenging compared to the commercial-off-the-shelf systems used by most developers today.

Installed in 2017, Spaceborne Computer-1, designed by HPE, validated that a modern, commercial-off-the-shelf computer could survive a launch into space, be installed by astronauts, and operate correctly on the ISS—without “flipping bits” due to increased radiation in space. Basically, it was a year-long test to see if the computer hardware used on Earth would function normally in space. Building on this success, HPE’s Spaceborne Computer-2, an edge computing platform with purposely designed features for harsh environments, was installed in April 2021 to deliver twice as much compute performance, and for the first time, artificial intelligence (AI) capabilities to advance space exploration and research by enabling the same programming models and developer experiences used on Earth.

In many ways, Spaceborne Computer-2, which comprises the HPE Edgeline EL4000 Converged Edge system and HPE ProLiant DL360 Gen10 server, is the ultimate edge computing device platform, putting a game-changing amount of compute at the edge of space. However, the real limiting factor is the bandwidth between the ISS and Earth. Although Spaceborne Computer-2 supports the maximum available network speeds, it only receives from NASA an allocation of two hours of communication bandwidth a week to transmit data to Earth, with a maximum download speed of 250 kilobytes per second.

In some cases, working around limited bandwidth can be accomplished by HPE helping researchers to compress data on Spaceborne Computer-2 before sending it down to Earth. In other cases, the data can be fully analyzed in space without needing to use the slow downlink at all. But what about research that requires more compute or bandwidth than what Spaceborne Computer-2 can provide, or that can be allotted to a single experiment among many? To address such scenarios, HPE applied its vision for an “edge to cloud” experience, in which Spaceborne Computer-2 is used to perform preliminary analysis or filtering on large data sets, extract what’s interesting or unexpected, and then burst those results down to Earth and into the public cloud for full analysis.

The Azure Space experiment

The Azure Space team at Microsoft proposed an experiment that simulates how NASA might monitor astronaut health in the presence of increased radiation exposure, as exists outside of our protective atmosphere. Such exposure will only increase as astronauts venture beyond the ISS’s low-earth orbit into and beyond the Van Allen Belts.

The experiment assumes access to a gene sequencer onboard the ISS, which is used to regularly monitor blood samples from astronauts. However, gene sequencing can generate an incredible amount of data—far too much for a 2Mbps/sec downlink—and the output needs to be compared against a large clinical database that’s constantly being updated.

To overcome those limitations, the experiment uses HPE Spaceborne Computer-2 to perform the initial process of comparing extracted gene sequences against reference DNA segments and capture only the differences, or mutations, which are then downloaded to the HPE ground station.

On Earth, the data is uploaded to Azure, where the Microsoft Genomics service does the computational “alignment” work—the process of matching the short base-pair gene sequence reads in the downloaded data (which are about 70 base pairs in length) against the full 3 giga-base-pair human genome, as required to determine where in the human genome each mutation is located and the type of change (deletion, addition, replication, or swap). Aligned reads are then checked against the National Institutes of Health’s dbSNP database to determine what the health impacts of a given mutation might be.


Development process and computational workflow


The entire experiment was coded by 10 volunteers from the Azure Space team and its parent organization, the Azure Special Capabilities, Infrastructure, and Innovation Team. All major software components (both ISS-based and Azure-based) were written in Python and bash using Visual Studio Code, GitHub, and the Python libraries for Azure Functions and Azure Blob Storage. David Weinstein, Principal Software Engineering Manager at Azure Space, led the three-day development effort—consisting of a one-day hackathon and two days of cleanup.

The following graphic shows the computational workflow. It starts on the ISS, on Spaceborne Computer-2, which runs Red Hat Linux 7.4.


In space

◉ A Linux container hosts a Python workload, which is packaged with data representing mutated DNA fragments and wild-type (meaning normal or non-mutated) human DNA segments. There are 80 lines of Python code, with a 30-line bash script to execute the experiment.

◉ The Python workload generates a configurable amount of DNA sequences (mimicking gene sequencer reads, about 70 nucleotides long) from the mutated DNA fragment.

◉ The Python workload uses awk and grep to compare generated reads against the wild-type human genome segments.

◉ If a perfect match cannot be found for a read, it’s assumed to be a potential mutation and is compressed into an output folder on the Spaceborne Computer-2 network-attached storage device.

◉ After the Python workload completes, the compressed output folder is sent to the HPE ground station on Earth via rsync.

On Earth

◉ The HPE ground station uploads the data it receives to Azure, writing it to Azure Blob Storage through azcopy.

◉ An event-driven, serverless function written in Python and hosted in Azure Functions monitors Blob Storage, retrieving newly received data and sending it to the Microsoft Genomics service via its REST API.

◉ The Microsoft Genomics service, hosted on Azure, invokes a gene sequencing pipeline to “align” each read and determine where, how well, and how unambiguously it matches the full reference human genome. (The Microsoft Genomics service is a cloud implementation of the open-source Burrows-Wheeler Aligner and Genome Analysis Toolkit, which Microsoft tuned for the cloud.)

◉ Aligned reads are written back to Blob Storage in Variant Call Format (VCF), a standard for describing variations from a reference genome.

◉ A second serverless function hosted in Azure Functions retrieves the VCF records, using the determined location of each mutation to query the dbSNP database hosted by the National Institutes of Health—as needed to determine the clinical significance of the mutation—and writes that information to a JSON file in Blob Storage.

◉ Power BI retrieves the data containing clinical significance of the mutated genes from Blob Storage and displays it in an easily explorable format.

The Aligner and Analyzer functions total about 220 lines of code, with the Azure services and SDKs handling all of the low-level “plumbing” for the experiment. The functions are automatically triggered by blob storage uploads and are configured to point to the right storage accounts—requiring just a small amount of code to parse the raw data and query Microsoft Genomics and the dbSNP database at runtime.

Develop and test

During development and test, developers didn’t have access to HPE Spaceborne Computer-2 or the HPE ground station, so they recreated those environments on Azure, relying on GitHub Codespaces to further increase their velocity. They packaged both the ISS and ground station environments into an Azure Resource Manager (ARM) template, which simulates the latency between the ISS and the ground station by deploying the Spaceborne Computer-2 environment to an Azure data center in Australia and the ground station environment to one in Virginia.

The results

On August 12, 2021, the 120MB payload containing the experiment developed by Azure Space was uploaded to the ISS and run on Spaceborne Computer-2. The experiment is configurable, so Azure Space was able to execute “test”, “small”, and “medium” scenarios, executed in that order.
Table 1 shows the results of the experiment in terms of processing times and data volumes:

                       | Test       | Small     | Medium
Raw data examined      | 500KB      | 6MB       | 150MB
Downloaded to Earth    | 4KB        | 40KB      | 900KB
Run time on ISS        | 20 seconds | 2 minutes | 1 hour
Download time from ISS | <1 second  | 2 seconds | 17 seconds

The experiment’s successful completion—and the data collected through it—is proof of how an edge-to-cloud computing workflow can be used to support high-value use cases aboard the ISS that might otherwise be impossible due to compute and bandwidth constraints. Without preprocessing the simulated output of the gene sequencer on the ISS to filter out only the gene mutations, 150 times as much data would need to be downloaded to Earth. Thus, a 200GB raw full human genome read, which would require over two years to download given bandwidth and downlink window constraints, could be filtered to 1.5GB—which can be transmitted in just over an hour. Microsoft expects planned tests to further increase this ratio.
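The "In space" filtering steps and the downlink arithmetic above can be reproduced with the following added Python example, which is not the Azure Space team's code. It assumes plain substring matching in place of the awk and grep comparison, a constructed random DNA string as the wild-type segment, decimal units (1 KB = 1000 bytes), and hypothetical function names throughout.

```python
"""Added example: edge-side read filtering plus downlink budgeting."""
import gzip
import math
import random

# Figures quoted in the article (decimal units are an assumption).
DOWNLINK_BYTES_PER_SEC = 250_000      # "250 kilobytes per second"
WINDOW_SECONDS_PER_WEEK = 2 * 3600    # "two hours of communication bandwidth a week"
READ_LEN = 70                         # reads are "about 70 nucleotides long"


def make_reads(fragment, count, rng, read_len=READ_LEN):
    """Mimic a sequencer: sample `count` reads at random offsets of `fragment`.

    Returns (start, sequence) pairs; the start offset is kept only so the
    filter's output can be checked against the known mutation position.
    """
    if len(fragment) < read_len:
        raise ValueError("fragment is shorter than one read")
    last_start = len(fragment) - read_len
    reads = []
    for _ in range(count):
        start = rng.randint(0, last_start)
        reads.append((start, fragment[start:start + read_len]))
    return reads


def filter_mutations(reads, wild_type_segments):
    """Keep only reads with no perfect match in any wild-type segment."""
    return [(start, seq) for start, seq in reads
            if not any(seq in segment for segment in wild_type_segments)]


def pack(reads):
    """Compress the suspect reads for the downlink, one read per line."""
    return gzip.compress("\n".join(seq for _, seq in reads).encode("ascii"))


def unpack(payload):
    """Ground-side inverse of pack()."""
    text = gzip.decompress(payload).decode("ascii")
    return text.split("\n") if text else []


def downlink_estimate(n_bytes):
    """Return (transmit_seconds, weekly_windows_needed) for a payload."""
    seconds = n_bytes / DOWNLINK_BYTES_PER_SEC
    return seconds, math.ceil(seconds / WINDOW_SECONDS_PER_WEEK)


def run_demo(seed=7, genome_len=5000, read_count=2000, mutation_pos=2500):
    """Build constructed sample data, run the edge filter, size the payload."""
    rng = random.Random(seed)
    wild_type = "".join(rng.choice("ACGT") for _ in range(genome_len))
    # Constructed mutation: a single-base swap at mutation_pos.
    swap = "A" if wild_type[mutation_pos] != "A" else "C"
    mutated = wild_type[:mutation_pos] + swap + wild_type[mutation_pos + 1:]

    reads = make_reads(mutated, read_count, rng)
    suspects = filter_mutations(reads, [wild_type])
    payload = pack(suspects)
    return {
        "reads": reads,
        "suspects": suspects,
        "payload": payload,
        "raw_bytes": sum(len(seq) for _, seq in reads),
        "payload_bytes": len(payload),
        "mutation_pos": mutation_pos,
    }


if __name__ == "__main__":
    result = run_demo()
    print("reads examined:", len(result["reads"]))
    print("suspect reads :", len(result["suspects"]))
    print("raw bytes     :", result["raw_bytes"])
    print("payload bytes :", result["payload_bytes"])
    for label, size in (("200GB raw", 200 * 10**9), ("1.5GB filtered", 15 * 10**8)):
        seconds, weeks = downlink_estimate(size)
        print(f"{label}: {seconds / 3600:.1f} h of link time, {weeks} weekly window(s)")
```

Only reads that overlap the swapped base survive the filter, which is why the payload is a small fraction of the raw reads.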

Similarly, attempting to perform all of the processing that’s being done on Azure would require uploading a copy of the full reference human genome and a copy of the full dbSNP database. To complicate matters, the dbSNP database is constantly being updated and peer-reviewed by scientists across the globe, meaning that regular synchronization would be required to maintain a useful copy in space.

Build cloud applications productively, anywhere


From a software development perspective, the developer velocity with which Azure Space delivered the experiment is as impressive as its results—with all components delivered over a three-day period using serverless Azure Functions written in Python, and best-in-class developer tools such as Visual Studio Code and GitHub. To support the development of additional experiments by others, Weinstein’s team at Azure Space plans to publish the Resource Manager templates containing the simulated ISS and ground station environments they used for development and test.

Making such capabilities available to others is just one early step for Azure Space, a new vertical within Microsoft that was publicly announced about a year ago. Its twofold mission: to enable organizations who build, launch, and operate spacecraft and satellites and to “democratize the benefits of space” by enabling more opportunities for all actors, large and small, in much the same way that support for open source on Azure has helped democratize cloud computing. One such example is Azure Orbital, a ground station as-a-service that provides communication and control for satellite operators—including the ability to easily process satellite data at a cloud-scale.

Source: microsoft.com

Tuesday, 17 August 2021

Azure Government Top Secret now generally available for US national security missions

Today we’re announcing the general availability of Azure Government Top Secret, a significant milestone in our commitment to bringing unmatched commercial innovation to our government customers across all data classifications. This announcement, together with new services and functionality in Azure Government Secret, provides further evidence of Microsoft’s relentless commitment to the mission of national security, enabling customers and partners to realize the vision of a multi-cloud strategy and achieve greater agility, interoperability, cost savings, and speed to innovation.

We've worked in close collaboration with the US Government to build a cloud portfolio that serves the national security mission and empowers leaders across the Intelligence Community (IC), Department of Defense (DoD), and Federal Civilian agencies to innovate securely wherever the mission requires and at all data classifications, with a continuum of technology from on-premises to cloud to the tactical edge.


Launching with more than 60 initial services and more coming soon, we’ve achieved the Authorization to Operate (ATO) of Azure Government Top Secret infrastructure in accordance with Intelligence Community Directive (ICD) 503 and facilities accredited to meet the ICD 705 standards. These new air-gapped regions of Azure will accelerate the delivery of national security workloads classified at the US Top Secret level. In addition, we now have 73 services in Azure Government Secret, and we continue to bring new services into the boundary aligned to mission priorities.

Whether in sea, land, air, space, or cyberspace, today’s mission leaders face a common set of challenges—how to make sense of an unprecedented influx of data from many disparate sources, how to modernize existing infrastructure to enable agility today and tomorrow, and how to protect data, assets, and people across a rapidly evolving global threat landscape.

In addition to the 95 percent of Fortune 500 companies that use Azure, mission leaders choose Azure to bring market-leading commercial innovation to government, enabling faster insights from data, greater agility and interoperability to meet the demands of the mission, and unified cybersecurity capabilities to protect the nation’s most critical data. Some examples in each of these areas are below.

Build a unified data strategy for mission—anywhere


Across data classifications, mission owners are working to make sense of massive volumes of data—reshaping how information is gathered, stored, processed, and shared to unlock the power of data to inform decision making. Azure’s data capabilities are limitless from ground to cloud, enabling customers to synthesize data no matter where that data is located and no matter where insights are needed, including data at the far edge, in disconnected or intermittent scenarios, or data fed in by satellite or submarine.

The new Azure regions for highly classified data expand the ability of our national security customers to harness data at speed and scale for operational advantage and increased efficiency, with solutions such as Azure Data Lake, Azure Cosmos DB, Azure HDInsight, Azure Cognitive Services, and more. Built into a unified data strategy, these services help human analysts more rapidly extract intelligence, identify trends and anomalies, broaden perspectives, and find new insights. With common data models and an open, interoperable platform that supports entirely new scenarios for data fusion, mission teams use Azure to derive deeper insights more rapidly, empowering tactical units with the information needed to stay ahead of adversaries.


Azure teams are also working shoulder-to-shoulder with our customers and partners to deliver purpose-built solutions on the Azure platform, including solutions to improve data insights. For example, to enable data fusion across a diverse range of data sources, we’ve built a solution accelerator called Multi-INT enabled discovery (MINTED) that leverages raw data and metadata as provided and enriches the data with machine learning techniques. These techniques are either pre-trained or unsupervised, providing a no-touch output as a catalyst for any analytic workflow. This becomes useful for many initial triage scenarios, such as forensics, where an analyst is given an enormous amount of data and few clues as to what’s important.

In addition, we’re continuing to deliver innovation to enable a diverse partner ecosystem from silicon to space, for example, enabling DoD to strengthen the US microelectronics supply chain through our work with the commercial and defense industrial base on the Rapid Assured Microelectronics Prototypes (RAMP) program. Today’s announcement also expands the options available for government agencies and partners to utilize Azure Space solutions from their native network environments to unlock new capabilities across any data classification. For example, with increased connectivity and ready access to data, mission owners can harness large-scale geospatial and space data for new scenarios such as machine learning, synthetics, visualization, emulation of space missions, and more.

Modernize mission systems for speed to innovation


Getting new mission capabilities into the hands of analysts and warfighters requires organizations to modernize existing systems and architect an interoperable enterprise. Azure provides a secure foundation for this innovation, with an open platform that enables developers to build with their choice of languages, tools, platforms, and frameworks, industry-leading tools for true cloud-native application development, and modern DevSecOps capabilities that can accelerate the path to Authority to Operate (ATO).

New services in Azure Government Top Secret such as Azure Kubernetes Service (AKS), Azure Functions, and Azure App Service enable mission owners working with highly sensitive data to deliver modern innovation such as containerized applications, serverless workloads with automated and flexible scaling, and web apps supported by built-in infrastructure maintenance and security patching.

“In our work supporting mission-critical customers who want to innovate faster, Azure provides several key advantages. It’s flexible, truly hybrid, and has the openness and extensibility that allows for developer choice. This enables customers to benefit from the latest commercial innovations to derive insights from their most sensitive data.”—Larry Katzman, Chief Executive Officer & President, Applied Information Sciences

With multiple geographically separate regions, Azure Government Top Secret provides customers with multiple options for data residency, continuity of operations, and resilience in support of national security workloads. Natively connected to classified networks, Azure Government Top Secret also offers private, high-bandwidth connectivity with Azure ExpressRoute. These new regions deliver a familiar experience and alignment with existing programs, enabling mission teams to build low and deploy high with consistency across governance, identity, development, and security.

Protect the nation’s data with connected cybersecurity


Protecting our nation from rapidly evolving threats is a critical priority. Microsoft brings together massive signal depth and diversity of over 8 trillion signals per day combined with cutting-edge AI, machine learning, and a global team of security experts to deliver unparalleled protection.

For example, we understand the complex nature of nation-state cyberthreats and mobilize all our security analyses and products to discover, track, and defend our customers against them. Our approach rests on a thorough understanding of the tactics and techniques these groups use, their targeting patterns, and the possible objectives driving their activity. These insights, along with the fidelity Microsoft signals provide, allow us to better spot emerging malicious campaigns, warn customers about the activity, and implement protections against them.

To develop a unified cybersecurity approach to protect the nation’s data, mission owners can utilize products informed by this threat intelligence, including Azure Security Center and Azure Sentinel to integrate multiple security point solutions and continually assess, visualize, and protect the security state of resources in Azure, on-premises, and in other clouds. Both are now available in Azure Government across all data classifications.

Azure Security Center scans your hybrid environment continuously, providing recommendations to help you harden your attack surface against threats. Azure Sentinel enables you to collect data at cloud scale—across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds; detect previously uncovered threats and minimize false positives; investigate threats and hunt suspicious activities at scale; and respond to incidents rapidly with built-in orchestration and automation of common tasks.

Source: microsoft.com

Thursday, 31 December 2020

The broadest range of cloud innovation across US Government data classifications

Today, we are announcing the expansion of our mission-critical cloud for US Government with new capabilities in Azure Government, the expansion of Azure Government Secret, and the announcement of a new cloud to serve customers with Top Secret classified data—Azure Government Top Secret.

Announcing Azure Government Top Secret

We have recently completed the buildout of new Azure Government Top Secret regions, and we are working with the US Government on accreditation. As part of our ongoing commitment to commercial parity as driven by government mission requirements, Azure Government Top Secret regions are designed to provide the same capabilities as Azure (commercial), Azure Government, and Azure Government Secret, enabling a continuum of compute from mission cloud to tactical edge.

The broad range of services will meet the demand for greater agility in the classified space, including the need to gain deeper insights from data sourced from any location as well as the need to enable the rapid expansion of remote work. Additionally, mission owners will benefit from greater choice in modernizing legacy systems, with a secure cloud platform that works on open standards and open frameworks with tools that work across a wide range of skill levels, from business analysts to developers to data scientists.

Azure Government Secret new functionality


Azure Government Secret continues to help mission owners unlock new insights, enable secure innovation, achieve greater agility, and further the mission. Customers including those in the US DoD, law enforcement, and other agencies are using Azure Government Secret today. Azure Government Secret is authorized by both Department of Defense Impact Level 6 (IL6) and Intelligence Community Directive (ICD) 503.

“Microsoft is focused on mission enablement. Missions are enabled with workloads. Workloads live within enclaves that house varied levels of data. Microsoft is enabling seamless, secure, cost-contained agility across mission workloads at scale.

The consistency between Azure (commercial), Azure Government, and Azure Government Secret is also starting to change the game as software development may happen from anywhere, while the code itself can be promoted to enclaves with higher classification levels. There it can interact with data of higher classification levels. At the end of the day, this means doing more for the mission at a lower overall cost.” —Carroll Moon, CTO of CloudFit Software.

Today, we are announcing several new services in Azure Government Secret. For application developers, Azure Kubernetes Service (AKS) and Azure Container Instances help you deploy and manage containerized applications more easily. Intelligent security analytics services Azure Sentinel and Azure Security Center are also now available in Azure Government Secret, enabling unified security across your digital estate and integrated, proactive threat management. Together with Azure Monitor, these services help you collect, analyze, and act on telemetry data from your Azure and on-premises environments.

Azure Government Availability Zones, Windows Virtual Desktop availability, and expanded compliance


Events over the past year have highlighted the importance of securely maintaining critical government operations. We have designed and built our cloud platforms for high availability and resilience, and today, we are announcing Availability Zones in Azure Government, providing high availability for your most demanding mission-critical applications and data. Availability Zones are tolerant to datacenter failures through redundancy and logical isolation of services, assuring that critical customer services and workloads are available, anytime, and anywhere.

In addition to responding to unprecedented events, government agencies are rapidly responding to today’s imperative of remote work, and we’ve seen high demand for solutions that allow teams to work from anywhere while keeping relevant data within a securely managed environment. We recently announced the availability of Windows Virtual Desktop (WVD) in Azure Government with FedRAMP High accreditation, enabling agencies to adopt WVD for mission-critical workloads and empowering more secure and productive work-from-anywhere scenarios.

As new services are brought into each of our government-only cloud regions, we are working with our accreditors to ensure these services are authorized at the right level for your workloads. We now offer 137 Azure Government services at FedRAMP High and 97 services at Department of Defense Impact Level 5 (IL5) across all Azure Government regions.

Total flexibility at the tactical edge


Today, we are announcing updates to our tactical edge portfolio for US Government customers. Together, these new first-party edge devices help you to do more for the mission, whether that is pre-processing data for low latency response times, bringing AI and machine learning (ML) to the far edge, or harnessing satellite data more rapidly to enable decision-making in disconnected environments.

Modular Datacenter generally available at Impact Level 5 and 6 with high availability options


The recently announced Azure Modular Datacenter (MDC) provides datacenter scale compute and storage resources for areas in which adverse conditions, disrupted network availability, and limited access to specialized infrastructure would typically prohibit cloud computing. The MDC can run separate security enclaves, allowing mission users to operate workloads across multiple data classifications at the same time in a single unit, and like the other ruggedized devices, can operate in fully connected, occasionally connected, or fully disconnected scenarios. The MDC allows government customers to deploy a single piece of critical infrastructure to meet the needs of a wide variety of mission workloads at various levels of classification, all in a self-contained footprint that reduces logistics overhead.

Today we are announcing:

◉ The network high availability (HA) module for the MDC that provides network resiliency through multiple satellite communication partners in different orbits. Network resiliency is delivered via SATCOM links through our continuously growing ecosystem of SATCOM partners like SpaceX and SES, for continuity of operations (COOP) during fiber failover.

◉ The high availability power module, which adds resiliency where customers need it, providing an on-demand way to add additional power stability resources in a form factor that is as transportable as the MDC. For deployments with intermittent or unreliable power, transitioning between multiple power sources will keep MDC workloads up and running.

Azure Stack Hub Ruggedized


Azure Stack Hub Ruggedized from Microsoft is an Azure Hardware and Software solution that brings a cloud-consistent approach to operating environments while addressing limited or no network connectivity, harsh conditions requiring military specifications, and high security requirements with optional connectivity to any Azure cloud. Azure Stack Hub Ruggedized is now generally available for customers in Azure Government and Azure Government Secret.

Azure Stack Edge Pro R and Mini R


The Azure Stack Edge appliances Azure Stack Edge Pro R and Azure Stack Edge Mini R enable you to run applications and leverage hardware-accelerated AI and ML solutions to analyze, transform, and filter data at the edge, right where data is created and collected. You can then aggregate data in Azure for further analytics, with common app logic across both. The appliances also act as a cloud storage gateway, enabling eyes-off data transfers to Azure while retaining local access to files. Azure Stack Edge Pro R and Mini R are generally available for customers in Azure Government and Azure Government Secret.

Source: microsoft.com

Tuesday, 8 December 2020

Azure Modular Datacenter – Mission resiliency for the field

The need for mission-critical computing


Defense and national security missions often occur away from headquarters and in the field, where things happen quickly and rapid decision making can translate to success or failure.

With Azure Modular Datacenter (MDC), Microsoft has brought key aspects of the Azure cloud to the edge, ready to deliver enterprise-class compute, storage, and Azure services wherever the mission needs them.

Built for the field


Traditional methods of providing IT solutions in the field suffer from several challenges, including:

◉ Limited, intermittent, or non-existent network connections

◉ Hardware limitations and cost constraints

◉ Application integration, orchestration, and cloud service delivery across widely varying network conditions

The Azure Modular Datacenter solves traditional challenges for IT solutions in the field, as it can run fully disconnected or switch smoothly from connected to disconnected modes, facilitating deployment in any location regardless of network availability.

Additionally, the hardware configuration in the Azure MDC allows users to store data and connect to networks with up to three classification levels in a single module. This significantly reduces the amount of hardware and the costs required to set up multiple sets of infrastructure to support administrative, operational, and intelligence workloads.

Azure Modular Datacenter specifications


The Azure Modular Datacenter has the flexibility and performance to support a wide variety of government missions. It provides customers with several thousand cores of compute power and many petabytes (PB) of triple-redundant storage across multiple hardware racks. The racks can be configured to separate enclaves for different levels of data and workloads, and each enclave can run in disconnected mode, connect to the Azure cloud, or connect to customer local area networks.

The hardware is housed inside a rugged and portable 40-foot container that customers can deploy safely and easily wherever they need it most. Combining Azure software with a field-ready container makes the Azure MDC an enterprise-class datacenter solution unlike any other on the market for defense and national security missions.

Mission resiliency


The Azure MDC is a rugged, standalone datacenter that allows customers to run complex software workloads in offline or partially disconnected scenarios and to control and manage data for sovereignty purposes. Microsoft understands the criticality of system resilience in mission-critical computing.

To meet customer needs for high availability, Microsoft offers the network high availability (HA) module and the high availability module as add-on features to improve the resiliency of the Azure MDC.

Network high availability module


To help customers achieve and maintain their desired level of connectivity, the network high availability module provides network resiliency through a choice of satellite communication partners operating in several different orbits.

The network high availability module, an add-on feature to the Azure MDC, is an environmentally controlled and monitored outdoor enclosure supporting network and satellite communication (SATCOM) equipment. This allows the Azure MDC to ensure connectivity to data and compute assets in the Azure Hyperscale cloud, even in cases when there is not a terrestrial network available. Microsoft works with customers to determine the optimal integrated antenna solution from the ecosystem of satellite operators, providing comprehensive satellite connectivity solutions.

In fully-connected scenarios, a loss of communication to assets in the field can jeopardize critical operations. The network high availability module can provide network resiliency via SATCOM links through our continuously growing ecosystem of SATCOM partners like SpaceX and SES, for continuity of operations during fiber failover.

The network high availability module allows the Azure MDC to run fully disconnected in areas where terrestrial connectivity is not accessible or desired. This module can utilize SATCOM networks to serve as primary connectivity to resources in the Azure Hyperscale cloud such as utilizing cloud backup or refreshing machine learning models.

High availability (HA) module


The high availability module provides an on-demand way to add additional power stability resources in a form factor that is as transportable and deployable as the Azure MDC. The high availability module provides an uninterruptible power supply (UPS) that keeps the Azure MDC running in cases of power fluctuations or short outages and allows for a smooth transition to a generator or controlled shutdown of the unit in cases of longer outages.

The module is self-contained with cooling and internal power distribution and can include satellite connectivity equipment equivalent to the network high availability module, turning it into a power and communication resiliency module. The high availability module is designed to be deployed in tandem with the Azure MDC when intended for long term placement and can move with the Azure MDC in the event of a required relocation.

Sunday, 21 June 2020

Accelerating Cybersecurity Maturity Model Certification (CMMC) compliance on Azure

As we deliver on our ongoing commitment to serving as the most secure and compliant cloud, we’re constantly adapting to the evolving landscape of cybersecurity to help our customers achieve compliance more rapidly. Our aim is to continue to provide our customers and partners with world-class cybersecurity technology, controls, and best practices, making compliance faster and easier with native capabilities in Azure and Azure Government, as well as Microsoft 365 and Dynamics 365.

In architecting solutions with customers, a foundational component of increasing importance is building more secure and reliable supply chains. For many customers, this is an area where new tools, automation, and process maturity can improve an organization’s security posture while reducing manual compliance work.

In preparing for the new Cybersecurity Maturity Model Certification (CMMC) from the Department of Defense (DoD), many of our customers and partners have asked for more information on how to prepare for audits slated to start as early as the summer of 2020.

Designed to improve the security posture of the Defense Industrial Base (DIB), CMMC requires an evaluation of the contractor’s technical security controls, process maturity, documentation, policies, and the processes that are in place and continuously monitored. Importantly, CMMC also requires validation by an independent, certified third-party assessment organization (C3PAO) audit, in contrast to the historical precedent of self-attestation.

Expanding compliance coverage to meet CMMC requirements


Common questions we’ve heard from customers include: “when will Azure achieve CMMC accreditation?” and “what Microsoft cloud environments will be certified?”

While the details are still being finalized by the DoD and CMMC Accreditation Body (CMMC AB), we expect some degree of reciprocity with FedRAMP, NIST 800-53, and NIST CSF, as many of the CMMC security controls map directly to controls under these existing cybersecurity frameworks. Ultimately, Microsoft is confident in its cybersecurity posture and is closely following guidance from DoD and the CMMC AB to demonstrate compliance to the C3PAOs. We will move quickly to be evaluated once C3PAOs are accredited and approved to begin conducting assessments. 

Microsoft’s goal is to continue to strengthen cybersecurity across the DIB through world-class cybersecurity technology, controls, and best practices, and to put its cloud customers in a position to inherit Microsoft’s security controls and eventual CMMC certifications. Our intent is to achieve certification for Microsoft cloud services utilized by DIB customers.

Note: While commercial environments are intended to be certified as they are for FedRAMP High, CMMC by itself should not be the deciding factor on choosing which environment is most appropriate. Most DIB companies are best aligned with Azure Government and Microsoft 365 GCC High for data handling of Controlled Unclassified Information (CUI).

New CMMC acceleration program for a faster path to certification


The Microsoft CMMC acceleration program is an end-to-end program designed to help customers and partners that serve as suppliers to the DoD improve their cybersecurity maturity, develop the cyber critical thinking skills essential to CMMC, and benefit from the compliance capabilities native to Azure and Azure Government.

The program will help you close compliance gaps and mitigate risks, evolve your cybersecurity toward a more agile and resilient defense posture, and help facilitate CMMC certification. Within this program, you’ll have access to a portfolio of learning resources, architectural references, and automated implementation tools custom-tailored to the certification journey.

Source: microsoft.com

Sunday, 29 March 2020

Azure Government Secret accredited at DoD IL6, ICD 503 with IaaS and PaaS

Accelerate classified missions with unparalleled connectivity, high availability, and resiliency across three regions with more than 35 services

Azure Government Secret recently achieved Provisional Authorization (PA) at Department of Defense Impact Level 6 (IL6) and Intelligence Community Directive (ICD) 503 with facilities at ICD 705. We’re also announcing a third region to enable even higher availability for national security missions to stay ahead of their unique threats.

Built exclusively for the needs of US government and operated by cleared US citizens, Azure Government Secret delivers dedicated regions to maintain the security and integrity of classified Secret workloads while enabling reliable access to critical data. The first cloud natively connected to classified networks, Azure Government Secret enables customers to leverage options for private, resilient, high-bandwidth connectivity.

Protect national security production workloads with geodiversity across three regions


Azure Government Secret is designed for the unique requirements of critical national security workloads that cannot be served out of a single geographic location. To provide the geodiversity required, Azure Government Secret delivers across three dedicated regions for US Federal Civilian, Department of Defense (DoD), Intelligence Community (IC), and US government partners working within Secret enclaves. These dedicated Azure regions are located over 500 miles apart to enable applications to stay running in the face of a disaster without a break in continuity of operations.

In addition, these regions provide greater choice when working across multiple locations and delivering cloud-to-edge scenarios. With comprehensive cloud services, Azure Government Secret enables faster innovation for the mission from cloud to tactical edge, meeting the critical availability needs of the warfighter.

Enabling classified missions at scale with more than 35 services


Designed and built for Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS) and Marketplace solutions, Azure Government Secret provides a broad range of commercial innovation for classified workloads. Some of the services include: identity, analytics, security, and high performance computing to support advanced artificial intelligence (AI) and machine learning.

Operated by cleared US citizens, these new regions are part of Azure Government, delivering a familiar, consistent experience and alignment with existing resellers and programs. Eligible customers can also leverage cleared Microsoft cloud support for their workloads.

Gain speed by connecting directly or extending on-premises networks


With Azure Government Secret, customers can connect natively to classified networks or leverage options for private, resilient, high-bandwidth connectivity using ExpressRoute and ExpressRoute Direct:

◉ Native connection: Agencies with direct connections through US government classified networks can connect natively to Azure Government Secret.

◉ ExpressRoute: Extend on-premises networks into Azure Government Secret regions over a private connection facilitated by a connectivity provider with ExpressRoute.

◉ ExpressRoute Direct: Get the ability to connect directly into Azure Government Secret locations using ExpressRoute Direct.

Continued investments in commercial parity across data classifications


In addition to serving mission customers at DoD IL6 and ICD 503, we continue to invest in rapidly delivering new Azure Government capabilities to support mission needs across all data classifications for any US government customer. In the last six months we’ve continued our drive toward commercial parity, adding hundreds of features and launching 40+ new services and 101 total services in FedRAMP High, with more to come across Azure commercial, Azure Government and Azure Government Secret.

These continued investments enable customers across the full spectrum of government, including departments in every state, all the federal cabinet agencies, and each military branch, to modernize their IT to better achieve their missions.

Tuesday, 27 August 2019

IRAP protected compliance from infra to SAP application layer on Azure

Australian government organizations are looking for cloud managed services providers capable of providing deployment of a platform as a service (PaaS) environment suitable for the processing, storage, and transmission of AU-PROTECTED government data that is compliant with the objectives of the Australian Government Information Security Manual (ISM) produced by the Australian Signals Directorate (ASD).

One of Australia’s largest federal agencies, which is responsible for improving and maintaining finances of the state, was looking to implement the Information Security Registered Assessors Program (IRAP), which is critical to safeguarding sensitive information and ensuring security controls around transmission, storage, and retrieval.

The Information Security Registered Assessors Program is an Australian Signals Directorate initiative to provide high-quality information and communications technology (ICT) security assessment services to the government.

The Australian Signals Directorate endorses suitably-qualified information and communications technology professionals to provide relevant security services that aim to secure broader industry and Australian government information and associated systems.

Cloud4C took up this challenge to enable this federal client on the cloud delivery platforms. Cloud4C analyzed and assessed the stringent compliance requirements within the Information Security Registered Assessors Program guidelines.

Following internal baselining, Cloud4C divided the whole assessment into three distinct categories – physical, infrastructure, and managed services. The Information Security Registered Assessors Program has stringent security controls around these three specific areas.

Cloud4C realized that the best way to successfully meet this challenge was to partner and share responsibilities to achieve an improbable but successful and worthy assessment together. In April 2018, the Australian Cyber Security Center (ACSC) announced the certification of Azure and Office 365 at the PROTECTED classification. Microsoft became the first and only public cloud provider to achieve this level of certification. Cloud4C partnered with Microsoft to deploy the SAP applications and SAP HANA database on Azure and utilized all the Information Security Registered Assessors Program compliant infrastructure benefits to enable seamless integration of native and marketplace tools and technologies on Azure.

Cloud4C identified the right Azure data centers in Australia, Australia Central and Australia Central 2, which had undergone a very stringent Information Security Registered Assessors Program assessment for physical security and information and communications equipment placements.

This compliance by Azure for infrastructure and disaster recovery gave Cloud4C a tremendous head start as a managed service provider in focusing energies to address the majority of remaining controls that were focused solely on the cloud service provider.

The Information Security Registered Assessors Program assessment for Cloud4C involved meeting 412 high risks and 19 of the most critical security aspects distributed across 22 major categories, after taking out the controls that were addressed by Azure disaster recovery.

Solution overview


The scope of the engagement was to configure and manage the SAP landscape onto Azure with managed services up to the SAP basis layer while maintaining the Information Security Registered Assessors Program protected classification standards for the processing, storage, and retrieval of classified information. As the engagement model is PaaS, the responsibility matrix was up to the SAP basis layer and application managed services were outside the purview of this engagement.

Platform as a service with single service level agreement and Information Security Registered Assessors Program protected classification

The proposed solution included various SAP solutions including SAP ERP, SAP BW, SAP CRM, SAP GRC, SAP IDM, SAP Portal, SAP Solution Manager, Web Dispatcher, and Cloud Connector with a mix of databases including SAP HANA, SAP MaxDB, and former Sybase databases. Azure Australia Central, the primary disaster recovery, and Australia Central 2, the secondary disaster recovery region, were identified as the physical disaster recovery locations for building the Information Security Registered Assessors Program protected compliant environment. The proposed architecture encompassed certified virtual machine stock keeping units (SKUs) for SAP workloads, optimized storage and disks configuration, right network SKUs with adequate protection, a mechanism to achieve high availability, disaster recovery, backup, and monitoring, an adequate mix of native and external security tools, and most importantly, processes and guidelines around service delivery.

The following Azure services were considered as part of the proposed architecture:

◈ Azure Availability Sets
◈ Azure Active Directory
◈ Azure Privileged Identity Management
◈ Azure Multi-Factor Authentication
◈ Azure ExpressRoute gateway
◈ Azure application gateway with web application firewall
◈ Azure Load Balancer
◈ Azure Monitor
◈ Azure Resource Manager
◈ Azure Security Center
◈ Azure storage and disk encryption
◈ Azure DDoS Protection
◈ Azure Virtual Machines (Certified virtual machines for SAP applications and SAP HANA database)
◈ Azure Virtual Network
◈ Azure Network Watcher
◈ Network security groups

Information Security Registered Assessors Program compliance and assessment process


Cloud4C navigated through the accreditation framework with the help of the Information Security Registered Assessors Program assessor, who helped to understand and implement the Australian government security and build the technical feasibility of porting SAP applications and the SAP HANA database to the Information Security Registered Assessors Program protected setup on the Azure protected cloud.

The Information Security Registered Assessors Program assessor assessed the implementation, appropriateness, and effectiveness of the system's security controls. This was achieved through two security assessment stages, as dictated in the Australian Government Information Security Manual (ISM):

◈ Stage 1: Security assessment identifies security deficiencies that the system owner rectifies or mitigates
◈ Stage 2: Security assessment assesses residual compliance

Cloud4C has achieved successful assessment under all applicable information security manual controls, ensuring the zero risk environment and protection of the critical information systems with support from Microsoft.

The Microsoft team provided guidance around best practices on how to leverage Azure native tools to achieve compliance. The Microsoft solution architect and engineering team participated in the design discussions and brought an existing knowledge base around Azure native security tools, integration scenarios for third party security tools, and possible optimizations in the architecture.

During the assessment, Cloud4C and the Information Security Registered Assessors Program assessor performed the following activities:

◈ Designed the system architecture incorporating all components and stakeholders involved in the overall communication

◈ Mapped security compliance against the Australian government security policy

◈ Identified physical facilities, the Azure Data centers Australia Central and Australia Central 2, that are certified by the Information Security Registered Assessors Program

◈ Implemented Information Security Manual security controls

◈ Defined mitigation strategies for any non-compliance

◈ Identified risks to the system and defined the mitigation strategy

Steps to ensure automation and process improvement


◈ Quick deployment using Azure Resource Manager (ARM) templates combined with tools. This helped in the deployment of large landscapes comprising more than 100 virtual machines and 10 SAP solutions in less than a month.

◈ Process automation using Robotic Process Automation (RPA) tools. This helped to identify the business as usual stage within the SAP eco-system deployed for the Information Security Registered Assessors Program environment and enhanced the process to ensure minimum disruption to actual business processes on top of automation that takes care of the infrastructure level ensuring the application availability.

Learnings and respective solutions that were implemented during the process


◈ The Azure Central and Azure Central 2 regions were connected to each other over fibre links offering sub-ms latency. With the SAP application and SAP HANA database replication in synchronous mode, a zero recovery point objective (RPO) was achieved.

◈ Azure Active Directory Domain Services were not available in the Australia Central region, so the Azure South-East region was leveraged to ensure seamless delivery.

◈ Azure Site Recovery was successfully used for replication of an SAP MaxDB database.

◈ Traffic flowing over Azure ExpressRoute was not encrypted by default, so it was encrypted using a network virtual appliance from a Microsoft security partner.

Complying with the Information Security Registered Assessors Program requires Australian Signals Directorate defined qualifications to be fulfilled and to pass through assessment phases. Cloud4C offered the following benefits:

◈ Reduced time to market - Cloud4C completed the assessment process in 9 months as compared to the industry achievement of nearly 1-2 years.

◈ Cloud4C’s experience and knowledge of delivering multiple regions and industry specific compliances for customers on Azure helped in mapping the right controls with Azure native and external security tools.

The partnership with Microsoft helped Cloud4C reach another milestone and take advantage of all the security features that Azure Hyperscaler has to offer to meet stringent regulatory and geographic compliances.

Cloud4C has matured in the use of many of the security solutions that are readily available from Azure Native, as well as Azure Marketplace, to reduce time-to-market. Cloud4C utilized the Azure portfolio to its fullest in terms of securing the customer's infrastructure as well as encouraging a secure culture in supporting their clients as an Azure Expert Managed Service Provider (MSP). The Azure security portfolio has been growing and so has Cloud4C's use of its solution offerings.

Cloud4C and Microsoft plan to take this partnership to even greater heights in terms of providing an unmatched cloud experience to customers in the marketplace across various geographies and industry verticals.

Thursday, 4 October 2018

Announcing availability of Azure Managed Application in AzureGov


Azure Managed Applications enable Managed Service Provider (MSP), Independent Software Vendor (ISV) partners, and enterprise IT teams to deliver fully managed turnkey cloud solutions that can be made available through the enterprise Service Catalog of a specific end-customer. Customers can quickly deploy managed applications in their own subscription and rely on the partner or central IT team for maintenance operations and support across the lifecycle. 

It is the doorway through which enterprises consume Azure.

Organization Service Catalog as a distribution channel


Service Catalog allows organizations to create a catalog of approved applications and services that can be consumed by people in the organization. It can contain anything from customized virtual machine offers, servers, databases to complex in-house applications. Maintaining such a catalog of solutions is helpful especially for central IT teams in enterprises as it enables them to ensure compliance with certain organizational standards while providing great solutions for their organization. They can control, update, and maintain these applications. It allows employees in the organization to easily discover the rich set of applications that are recommended and approved by the IT department. The customers will only see the Service Catalog Managed Applications created by themselves or those that have been shared with them by other people in the organization.

Enterprises can control who gets to publish to the Service Catalog using Azure role-based access control (RBAC). This role translates to a Service Catalog Admin. There can then be a separate role for consumers of the Service Catalog.

Publishing


Publishing to the Service Catalog is simple and can be performed using the Azure Portal, CLI, or PowerShell. The main components required are a) the template files, which describe the resources that will be provisioned, and b) the UI definition file, which describes how the required inputs for provisioning these resources will be displayed in the portal. The required files are packaged in a .zip file and uploaded through the Service Catalog blade in the portal. Below is the screenshot from the publishing portal.


Pricing


There are no additional fees for partners publishing Managed Applications into customer Service Catalog.

Customers are billed for the consumption of the Azure resources which are part of the Managed Application, using their regular billing construct. For example, if a virtual machine gets provisioned in the customer's subscription as part of the Managed Application, the customer will be charged for the virtual machine usage. Similarly, the fees partners charge customers for lifecycle operations will show as a new line item in the customer's Azure invoice.

Authorizations


The resource group containing the resources which are part of the Managed Application is locked for the customer. The customer has read-only access to the resources in this resource group. As a result, the customer cannot accidentally delete or update the resources which are part of the Managed Application. The publisher can also choose to publish an unlocked Managed Application, which would then allow customers to change or delete the underlying components.

The publisher of the managed application, however, gets the required permissions, which enable them to maintain, service, and upgrade the application in the customer's tenant. These permissions are defined by the typical Azure RBAC roles.

Publishing at Customer’s Service Catalog


Below is a short summary to help in understanding the key capabilities when publishing to Service Catalog.

Service Catalog Managed Application
Publishing Tool
  • Azure CLI
  • Azure PowerShell (Create Service->Service Catalog Managed Application Definition)
  • Azure Portal 
Consumption Tool
  • Azure Portal (by navigating to More Services->Managed Applications), Azure CLI, Azure PowerShell 
Pricing
  • No fees to publish for partners.
  • Customers billed for Azure resources which get provisioned as part of the managed application. 
Artifacts needed for package
  • mainTemplate.json
  • createUIDefinition.json 
Use cases (customers)
  • Easy discoverability of approved IT services and applications
  • Simple acquisition and deployment
  • Abstract the end users from any underlying complexity of Azure resources. 
Use cases (partners)
  • Deliver approved apps/services to developers and business units within an end-customer organization.
  • Abstract the end users from any underlying complexity of Azure resources.
  • Ensure managed apps deployed in customer tenants are free of tampering and unintended changes.
  • Ensure governance in line with corporate standards through the Service Catalog defined application.
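
A pre-publish check for the package described under Publishing and "Artifacts needed for package", as an added example that is not part of the original post or Microsoft's tooling. It assumes the two artifacts must sit at the root of the .zip (per Azure's documentation, not stated on this page); the function names and sample archives are constructed for illustration.

```python
import io
import json
import zipfile

# Artifact names taken from the summary above.
REQUIRED = ("mainTemplate.json", "createUIDefinition.json")

def check_package(zip_bytes):
    """Return a list of problems found in a managed application package (.zip)."""
    problems = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ["not a valid .zip archive"]
    with archive:
        names = archive.namelist()
        for name in names:
            # Reject entries that would escape the extraction directory.
            if name.startswith(("/", "\\")) or ".." in name.replace("\\", "/").split("/"):
                problems.append(f"unsafe entry path: {name}")
        for required in REQUIRED:
            if required not in names:
                # A common packaging mistake: zipping the parent folder.
                nested = [n for n in names if n.endswith("/" + required)]
                hint = f" (found nested at {nested[0]})" if nested else ""
                problems.append(f"missing {required} at archive root{hint}")
                continue
            try:
                doc = json.loads(archive.read(required).decode("utf-8-sig"))
            except (UnicodeDecodeError, json.JSONDecodeError) as exc:
                problems.append(f"{required} is not valid JSON: {exc}")
                continue
            if not isinstance(doc, dict):
                problems.append(f"{required} must be a JSON object")
            elif required == "mainTemplate.json" and "resources" not in doc:
                problems.append("mainTemplate.json has no 'resources' section")
    return problems

def build_zip(files):
    """Build an in-memory .zip from {name: text}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, text in files.items():
            archive.writestr(name, text)
    return buf.getvalue()

# Constructed sample packages: one well-formed, one with a nested template
# and a truncated UI definition.
GOOD = build_zip({"mainTemplate.json": '{"resources": []}',
                  "createUIDefinition.json": '{"parameters": {}}'})
NESTED = build_zip({"pkg/mainTemplate.json": '{"resources": []}',
                    "createUIDefinition.json": "{"})
```

Running `check_package` in a release pipeline before upload catches a malformed package before it reaches the Service Catalog, where the publisher's RBAC permissions and the resource group lock would apply to whatever the template deploys.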