Archivi categoria: Azure Local – 2025-2026

Azure IaaS and Azure Local: announcements and updates (August 2025 – Weeks: 33 and 34)

This blog post series highlights the key announcements and major updates related to Azure Infrastructure as a Service (IaaS) and Azure Local, as officially released by Microsoft in the past two weeks.

Azure

General

Microsoft recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for Cloud-Native Application Platforms

Microsoft has been named a Leader in the 2025 Gartner® Magic Quadrant™ for Cloud-Native Application Platforms for the second consecutive year, positioned furthest to the right for Completeness of Vision. The recognition reflects Microsoft’s continued product innovation, cohesive developer experience, and leadership in AI—enabling customers to build cloud-native applications and AI agents across web apps, APIs, event-driven workloads, serverless functions, and containers, backed by global scale and deep enterprise expertise. Microsoft reiterates its commitment to helping organizations innovate with AI while maintaining scalable, cost-efficient operations.

Microsoft Azure now available from cloud region in Austria

Microsoft announced the opening of its cloud region in Austria to accelerate digital transformation and AI innovation. The new region enables enterprises and public sector organizations in Austria to store and process data locally and securely, in compliance with data protection regulations. To help customers adopt the new region and its Availability Zones, Azure supports region portability for many resource types via Azure Resource Mover, easing migrations and minimizing disruption.

Compute

DCesv6 and ECesv6 confidential VMs with Intel® TDX (preview)

Azure introduced the DCesv6 (general purpose) and ECesv6 (memory-optimized) series as its next generation of Confidential VMs, powered by 5th Gen Intel® Xeon® processors (“Emerald Rapids”) with Intel® Trust Domain Extensions (TDX). In private preview, these VMs are designed for tenants with stringent security and confidentiality requirements, providing a strong, hardware-enforced boundary so data and applications remain private and encrypted in memory while in use. They are intended to run confidential workloads without requiring application code changes and include in-guest attestation, enabling customers to verify the integrity of their environments before processing sensitive data.

Networking

Application Gateway adds MaxSurge support for zero-capacity-impact upgrades

Azure Application Gateway now supports MaxSurge, allowing new instances to be provisioned during rolling upgrades without taking existing ones offline. With this capability, customers can move to newer gateway versions while maintaining full traffic handling and reducing deployment risk. The enhancement strengthens resiliency and reliability for mission-critical applications that require consistent performance during infrastructure updates.

Private Application Gateway on Azure Application Gateway v2

Azure introduced Private Application Gateway on the Application Gateway v2 SKU, enabling fully private Layer-7 load balancing with a private frontend IP. This capability helps organizations publish internal web applications without exposing public endpoints, align with zero-trust network patterns, and simplify routing inside virtual networks and peered environments. By leveraging the v2 platform, customers also benefit from autoscaling, zone redundancy, and WAF integration for enhanced resilience and security.

Inbound IPv6 support on public multi-tenant App Service

Inbound IPv6 support for public multi-tenant Azure App Service is now generally available across all public Azure regions. The capability spans multi-tenant apps on Basic, Standard, and Premium SKUs, as well as Functions Consumption, Functions Elastic Premium, and Logic Apps Standard. With native IPv6 ingress, customers can meet dual-stack requirements, improve addressability, and align with regulatory and enterprise mandates while keeping existing deployment workflows unchanged.

Azure Bastion connectivity to private AKS clusters via tunneling (preview)

In public preview, Azure Bastion enables a secure tunnel from a user’s local machine—through Bastion—directly to an AKS API server using standard Kubernetes tooling. This capability provides seamless access to private AKS clusters, as well as to public clusters configured with API server authorized IP ranges, eliminating the need for complex VPNs, jump boxes, or exposing public endpoints. The result is simplified, consistent, and secure access for developers, operators, and partners working with private AKS environments.

Storage

Azure NetApp Files file access logs

The Azure NetApp Files file access logs feature is now generally available, delivering enterprise-grade visibility into file-level operations across SMB, NFSv4.1, and dual-protocol volumes. By capturing detailed telemetry—including user identity, operation type, and timestamps—the feature helps organizations bolster security, streamline operations, and meet compliance requirements in alignment with Azure’s Well-Architected Framework security best practices. File access logs are currently available in select regions, with broader regional support planned.

Azure Blob Storage Archive tier now in Malaysia West

The Archive access tier for Azure Blob Storage is now generally available in the Malaysia West region. This expansion lets customers in Malaysia store infrequently accessed data cost-effectively while meeting local data residency and compliance needs. Archive remains ideal for long-term backup, compliance, and archival scenarios and can be managed via the Azure portal, CLI, PowerShell, or REST API. With this addition, Malaysia West supports the full tier lineup: Hot, Cool, Cold, and Archive.

Azure Files provisioned v2 billing model for SSD (premium)

Azure Files now supports the provisioned v2 billing model on the SSD (premium) tier, allowing independent provisioning of storage, IOPS, and throughput so shares can be right-sized to precise performance and capacity targets. The model also increases the share size range from 32 GiB up to 256 TiB. Provisioned v2 for both SSD and HDD is generally available in all public cloud regions, giving customers consistent deployment options globally.

Azure NetApp Files Flexible service level: cool access support (preview)

Azure NetApp Files now extends its Flexible service level with cool access in public preview, allowing customers to independently configure capacity and throughput while automatically tiering cold data from volumes in Flexible service level capacity pools to Azure storage accounts. This helps optimize cost and performance across diverse workloads—supporting scenarios that require high capacity with low throughput or vice versa—while maintaining seamless access for active data. Cool access also supports cross-region replication for destination-only volumes, enhancing data protection without affecting source latency, and is available in all Azure NetApp Files regions.

Azure Local

Veeam support for Azure Local 24H2 (version 26100.x)

Veeam has added support for Azure Local 24H2 (version 26100.x). The minimum required release is Veeam Backup & Replication 12.3.2 (build 12.3.2.3617). The update excludes Azure Arc VM management; however, Arc-enabled VMs in a “Running” state can be backed up. On restore, these VMs are converted to standard Hyper-V workloads, and if the original VM no longer exists, the Azure Arc connection is expected to persist when the VM is restored to the same cluster within the Azure Arc reconnection window (typically up to 45 days).

Conclusion

Over the past two weeks, Microsoft has introduced a slew of updates and announcements pertaining to Azure Infrastructure as a Service (IaaS) and Azure Local. These developments underscore the tech giant’s unwavering commitment to enhancing its cloud offerings and adapting to the ever-evolving needs of businesses and developers. Users of Azure can anticipate improved functionalities, streamlined services, and enriched features as a result of these changes. Stay tuned for more insights as I continue to monitor and report on Azure’s progression in the cloud sphere.

Azure IaaS and Azure Local: announcements and updates (August 2025 – Weeks: 31 and 32)

Azure

Compute

Azure 128 & 192 vCPU sizes for the Esv6 and Edsv6 series VMs

Microsoft has introduced new VM sizes in the Esv6 and Edsv6 series, offering configurations with up to 192 vCPUs and 1832 GiB of RAM. These high-capacity virtual machines are designed for enterprise-scale workloads, including in-memory analytics, large relational databases, and in-memory cache scenarios. Equipped with Intel® Total Memory Encryption (Intel TME) and NVMe-enabled local and remote storage, these VMs deliver both robust performance and enhanced data security. Key advantages include up to 400K IOPS and 12 GB/s remote storage throughput with 200 Gbps network bandwidth, three times the local storage IOPS thanks to the NVMe interface, and strong memory protection capabilities provided by Intel TME.

Networking

Network Security Perimeter

Microsoft has introduced Network Security Perimeter, a feature that allows organizations to define a logical network isolation boundary for PaaS resources, such as Azure Storage accounts and SQL Database servers, deployed outside their virtual networks. This capability restricts public network access to PaaS resources within the perimeter, with exceptions managed through explicit inbound and outbound access rules. Key benefits include secure resource-to-resource communication within perimeter members to prevent data exfiltration, centralized management of external public access, detailed access logs for audit and compliance, and a unified experience across supported PaaS resources.

Customer-controlled maintenance

Microsoft has announced that customers can now define configurable maintenance windows for the Point-to-Site (P2S) VPN Gateway in the Virtual WAN service, which has reached general availability. This capability allows greater control over planned updates and enhances operational predictability. With this release, maintenance window configuration is now supported across multiple gateway resources in Azure networking services, including: Virtual Network Gateway in ExpressRoute, Virtual Network Gateway in VPN Gateway, Site-to-Site VPN Gateway in Virtual WAN, Point-to-Site VPN Gateway in Virtual WAN, and ExpressRoute Gateway in Virtual WAN. This improvement ensures that organizations can align gateway maintenance with their operational and compliance requirements.

Azure DNS Public Zones DNS Security Extensions (DNSSEC) in US Gov and China regions

Microsoft has announced the general availability of Domain Name System Security Extensions (DNSSEC) for Azure DNS Public Zones in US Gov and China regions. This enhancement enables cryptographic authentication of DNS data, providing protection against threats such as cache poisoning and man-in-the-middle attacks. Administrators can enable DNSSEC for both new and existing DNS zones via the Azure Portal, CLI, PowerShell, or API. Azure manages all key operations, simplifying deployment and maintenance while ensuring high availability and performance through its global infrastructure.

Azure Virtual Network Manager mesh now supports 5,000 virtual networks (preview)

Azure Virtual Network Manager now supports grouping up to 5,000 virtual networks in a mesh connectivity configuration, available in public preview for supported regions. A mesh topology establishes bi-directional connectivity between every virtual network in the group, removing the need for manual peerings, reducing network hops, and ensuring low-latency traffic flows under a unified control plane. This approach is particularly beneficial in hub-and-spoke environments, where spokes can communicate directly without routing through the hub, lowering latency while retaining security oversight via Azure Virtual Network Manager security admin rules, NSGs, and comprehensive traffic monitoring through flow logs.

Storage

Log or block shared access signature (SAS) tokens for Azure Storage based on expiration policy

Azure Storage now supports enhanced enforcement options for Shared Access Signature (SAS) token expiration policies. Administrators have long been able to define the validity interval for SAS tokens using a storage account’s expiration policy. However, it was previously possible to override this with a longer signed expiry date on the SAS token itself. With the new SAS expiration action capability, administrators can now choose to either log or block requests that violate the configured expiration policy. The ‘Log’ action provides visibility into out-of-policy usage without disrupting service, making it ideal for auditing and trend analysis. Conversely, the ‘Block’ action enforces strict compliance by denying access to expired tokens. Microsoft recommends beginning with the ‘Log’ action to monitor access patterns, followed by implementing ‘Block’ to secure environments against unauthorized or outdated token usage.

Azure Data Box Next Gen is now generally available in additional regions

Azure Data Box Next Gen is now generally available in new regions, including Australia, Japan, Singapore, Brazil, Hong Kong, UAE, Switzerland, and Norway. This expansion complements the existing availability of both the 120 TB and 525 TB models in the US, UK, Canada, EU, US Government, Australia, Japan, and Singapore. Additionally, the 120 TB model is now available in Brazil, UAE, Hong Kong, Switzerland, and Norway. These next-generation NVMe-based devices have already facilitated the ingestion of several petabytes of data across various industries, delivering up to 10× faster transfer speeds. Customers value their reliability and efficiency for large-scale migration projects, making them a preferred choice for secure and high-speed data movement.

Azure Storage Actions now in 22 more regions

Azure Storage Actions is now available in 22 additional Azure regions, expanding its global reach and providing customers with more options for data residency and compliance. This broader availability enhances the ability to automate data management tasks across a wider range of geographic locations, supporting diverse operational and regulatory requirements.

Azure Storage Discovery (preview)

Microsoft has announced the public preview of Azure Storage Discovery, a fully managed service providing enterprise-wide visibility into Azure Blob Storage estates. This solution offers deep insights into capacity usage, activity trends, cost optimization opportunities, and security enhancements, all accessible directly within the Azure Portal. Azure Storage Discovery integrates with Azure Copilot, enabling users to obtain actionable insights through natural language queries without needing to learn a query language or write code.
Organizations can analyze trends over time, drill down into top storage accounts, and filter reports by configuration details such as region, redundancy, performance type, and encryption. The service supports analysis of up to one million storage accounts across multiple subscriptions and resource groups in a single workspace. Key benefits include automated aggregation of metrics, interactive reporting, 30 days of historical data upon deployment, and retention of insights for up to 18 months. The Standard tier is free to use until September 30, after which charges will apply, while the Free tier offers basic insights at no cost.

Conclusion

Microsoft Strengthens Digital Sovereignty in Europe: A Balance Between Regulation and Innovation

The growing focus on digital sovereignty in Europe has prompted major cloud service providers, including Microsoft, to develop solutions specifically designed to meet the regulatory and operational needs of European organizations. U.S. regulations such as the CLOUD Act and FISA 702 pose significant risks to the confidentiality of data handled by American companies, even when that data is physically stored within the European Union.

Microsoft has responded with a comprehensive strategy that combines compliance with European laws and advanced technical tools for data control and protection. The Microsoft Sovereign Cloud initiative is structured around three models — Public, Private, and National Partner Cloud — to ensure maximum flexibility and security.

This article explores the regulatory landscape, the associated risks, the solutions offered by Microsoft, and provides practical scenarios to better understand the real-world implications for European businesses.

Introducing the Current Landscape

In recent years, digital sovereignty has become a critical issue for businesses, public institutions, and European citizens alike. Rising geopolitical tensions, the rapid expansion of global cloud platforms, and increasing awareness around personal data processing have fueled the need for trustworthy, compliant, and transparent solutions. Regulatory authorities across Europe, guided by increasingly stringent frameworks such as the GDPR, are demanding stronger guarantees from digital service providers in terms of data traceability, localization, and protection.

In parallel, governments and civil society organizations are applying growing pressure to ensure that the data of European citizens is genuinely safeguarded against unauthorized access — even when managed by cloud providers headquartered outside the European Union.

This is not merely a technical matter; it is deeply political and economic. Controlling data now means controlling value, innovation, and critical infrastructure. Digital sovereignty is therefore no longer seen as a luxury or an option, but as a strategic necessity to secure Europe’s safety, competitiveness, and self-determination in the digital age.

This complex and evolving challenge has brought increased scrutiny on the role of major U.S.-based cloud providers — such as Microsoft, Amazon, and Google — which dominate the European market but remain subject to extraterritorial regulations like the CLOUD Act and FISA 702.

In response, Microsoft has launched a new strategy focused on European digital sovereignty, introducing a comprehensive portfolio of sovereign cloud solutions. These offerings not only address regulatory demands but also support the operational needs of customers, delivering a blend of security, compliance, and flexibility.

Designed to give European customers greater control over their data, transparency around access, operational autonomy, and strong alignment with EU laws and values, Microsoft’s objective is twofold: to empower digital innovation in Europe, while ensuring that such innovation respects the principles of sovereignty, accountability, and the protection of fundamental rights.

The Regulatory Framework: CLOUD Act, FISA, and the Conflict with the GDPR

The CLOUD Act is a U.S. law enacted in 2018 that requires American companies to provide data to U.S. authorities upon request — even if that data is stored in datacenters located outside the United States. This principle of “extended jurisdiction” conflicts with European regulations, which condition international data transfers on strict requirements of legality, transparency, and proportionality.

In parallel, Section 702 of the Foreign Intelligence Surveillance Act (FISA) authorizes U.S. intelligence agencies to surveil foreign individuals using digital services operated by American companies, even without a traditional judicial warrant. As a result, data stored and processed within the EU can still be subject to extra-European access, often without the data subject’s knowledge or consent.

The Court of Justice of the European Union acknowledged these risks in the landmark “Schrems II” ruling, which in 2020 invalidated the Privacy Shield agreement, concluding that U.S. safeguards were insufficient to protect the fundamental rights of EU citizens.

Aspect	GDPR (EU)	CLOUD Act (US)	FISA 702 (US)
Jurisdiction	European Union	United States – applies to U.S. companies worldwide	United States – applies to global communications involving non-U.S. persons
Scope	Personal data protection	Access to data held by U.S.-based companies	Intelligence data collection
Authorization	Requires consent or valid legal basis	U.S. legal orders (e.g., subpoena, warrant)	Authorized by secret court (FISC), no traditional warrant
Extraterritorial Reach	No	Yes – includes data stored in the EU	Yes – interception on global networks
GDPR Compatibility	–	Potentially conflicting due to extraterritorial access	Deemed non-compliant by EU Court (Schrems II ruling)

Table 1 – Comparison of GDPR, CLOUD Act, and FISA 702

The legal conflict is more relevant than ever and calls for concrete technical and organizational solutions.

Known Cases Involving the CLOUD Act or FISA Applied to EU Citizens or Companies

To date, there are no publicly confirmed cases where the CLOUD Act or Section 702 of FISA has been directly applied to data physically stored in EU datacenters. However, there are indirect signals, legal precedents, and official positions that clearly highlight the real possibility of such scenarios:

Microsoft Ireland (2013–2018): The U.S. government requested that Microsoft hand over emails stored in Ireland. Microsoft contested the order, but the case was rendered moot by the enactment of the CLOUD Act, which made such cross-border data requests legally valid.
Schrems II and European DPAs: In its landmark ruling, the Court of Justice of the European Union explicitly cited FISA 702 as a reason for invalidating the Privacy Shield agreement. Several European data protection authorities (including those in France, Germany, and the Netherlands) have reiterated that U.S. surveillance laws are incompatible with the GDPR’s protections.
Transparency Reports: Microsoft reports receiving over 10,000 data requests annually from U.S. authorities. While the company does not specify whether these requests include data stored in the EU, the sheer volume illustrates the frequency of governmental access attempts.
Snowden Revelations (2013): Documents leaked by Edward Snowden revealed that the NSA had systematic access to data hosted outside the United States, enabled through cooperation with major U.S. technology firms.

Although the lack of specific public cases limits direct evidence, these examples clearly underscore the regulatory tension and the need for European organizations to adopt robust technical and legal safeguards.

Microsoft’s Strategy: Where and Why It Is Evolving

In light of this context, Microsoft has introduced a comprehensive strategy to strengthen European digital sovereignty through three main models:

Sovereign Public Cloud: Available across all Azure regions in Europe, this model ensures that data remains within the EU, is subject exclusively to European law, and that access is limited to Microsoft personnel who are EU residents.
Sovereign Private Cloud: Designed for highly regulated scenarios, it enables the execution of critical workloads in fully isolated environments (on-premises, air-gapped, or hybrid), providing full operational continuity and maximum data protection.
National Partner Clouds: Delivered in partnership with local providers (such as Bleu in France and Delos Cloud in Germany), these infrastructures are entirely managed under national control and aligned with local standards like SecNumCloud and specific government requirements in countries like Germany.

Feature	Sovereign Public Cloud	Sovereign Private Cloud	National Partner Clouds
Data Location	Within the EU, in existing Azure regions	At local or on-premises facilities	Local infrastructure managed by partners (e.g., Bleu, Delos Cloud)
Operational Access	Controlled by Microsoft staff residing in the EU	Managed by the customer or a trusted partner	Operated by an independent legal entity within the target country
Included Services	Azure, Microsoft 365, Power Platform	Azure Local, Microsoft 365 Local	Azure + Microsoft 365 in compliance with national regulatory standards
Ideal For	Public and private organizations requiring compliance	Private entities with physical isolation or high resilience needs	Governments, healthcare, defense, and critical infrastructure sectors ⚠️
Main Benefit	No migration required, full compliance	Full operational control and local management	Guarantees independence from Microsoft and full national sovereignty

Table 2 – Comparison of Microsoft’s Sovereign Cloud Models

⚠️ Note for the public sector in Italy
The considerations outlined in this table primarily apply to private entities and public administrations in other European countries. In Italy, cloud sovereignty for the public sector is already regulated by the guidelines of the National Cybersecurity Agency (ACN) and the National Strategic Hub (PSN) model, which ensure requirements for data residency, security, and digital autonomy for critical public data.

This structured approach enables Microsoft to address a wide range of needs — from private enterprises to public institutions — by offering flexible models tailored to different levels of data sensitivity.

Sovereignty and Compliance Tools Introduced

To enable these solutions, Microsoft has introduced a suite of tools specifically designed for governance, transparency, and encryption:

Data Guardian: Ensures that every remote access to data is monitored, supervised by EU-based personnel, and logged in a tamper-proof system. All support interventions are subject to real-time controls.
External Key Management: Allows organizations to use encryption keys hosted in external HSMs (Hardware Security Modules), either owned by the organization or provided by trusted European third parties (e.g., Thales, Futurex, Utimaco), following a HYOK (Hold Your Own Key) model.
Regulated Environment Management: A centralized platform for configuring, monitoring, and governing cloud environments in line with regulatory policies, featuring auditable access and granular control capabilities.
Microsoft 365 Local: Enables services like Exchange, SharePoint, and Teams to run within customer-controlled or on-premises environments, while maintaining full functionality equivalent to public cloud versions.

Together, these tools enhance the ability of organizations to meet sovereignty and compliance requirements — even in the most sensitive sectors.

How Microsoft’s Approach Addresses Legal Risks

Microsoft’s strategy responds to the complex regulatory landscape through a multi-layered model:

Legal Isolation: Access and operations are restricted to personnel and infrastructure under European jurisdiction.
Advanced Encryption: The use of HYOK and external HSMs prevents forced access, even in the event of legal orders from non-EU authorities.
Audit and Oversight: Tools like Data Guardian ensure full visibility and traceability of remote access operations.
GDPR Alignment: Architectures and processes are designed to meet key principles of accountability and risk minimization required by the GDPR.

However, only the adoption of HYOK models and HSMs that are fully located and managed within Europe — and outside the control of entities subject to U.S. jurisdiction — can truly eliminate the risk of access by foreign governments.

Practical Use Case: Private Entity with Continuity and Sovereignty Requirements

Imagine a private organization aiming to digitize its processes while maintaining full control over its data. Subject to strict regulations such as the GDPR and operational constraints regarding data availability and localization, this organization may soon adopt the Sovereign Private Cloud solution based on Azure Local and Microsoft 365 Local.

With Azure Local, the organization can host cloud infrastructure directly within its own datacenter, leveraging Azure’s compute, storage, and networking capabilities under complete local control. By integrating Microsoft 365 Local, it can run productivity applications such as Exchange, SharePoint, and Teams in an isolated environment, ensuring that no data leaves its jurisdiction and that every access is auditable.

This approach allows the organization to combine operational efficiency, service continuity, and compliance with European regulations, while providing a tangible response to the risks posed by extraterritorial U.S. legislation.

Conclusion

Data protection has become a cornerstone of European digital sovereignty. It is no longer merely a technical concern, but a strategic challenge tied to national security, economic competitiveness, and the protection of citizens’ rights. In this complex landscape, Microsoft offers Sovereign Cloud as a concrete, flexible, and regulation-compliant response tailored to the needs of the European Union.

Through its three-model framework — Public Cloud, Private Cloud, and National Partner Cloud — and tools like Data Guardian, External Key Management, and Microsoft 365 Local, Microsoft empowers European organizations to adopt modern, secure, and locally controlled cloud infrastructures. These solutions not only mitigate risks posed by extraterritorial U.S. laws, but also actively support Europe’s digital autonomy.

In a global context where control over information equates to power, one essential question must be asked: are European enterprises truly ready to embrace technologies that protect their digital sovereignty — or will they continue to rely on infrastructures that may expose their data to foreign jurisdictions? Now is the time for a paradigm shift. Both private companies and public administrations in Europe must begin to strategically assess where and how their data is managed.

This is not solely about regulatory compliance — it is about ensuring that strategic data remains inaccessible to foreign powers, that technology choices do not compromise the confidentiality of sensitive information, and that decision-making authority stays within Europe’s legal boundaries. In this light, solutions such as Azure Local and Microsoft 365 Local, even when hosted within private European datacenters, represent a balanced path forward — combining innovation, performance, and true sovereignty.

Azure IaaS and Azure Local: announcements and updates (July 2025 – Weeks: 29 and 30)

Azure

General

CISPE Secures Landmark Licensing Reform in Agreement with Microsoft

CISPE (Cloud Infrastructure Services Providers in Europe) has reached a landmark agreement with Microsoft that introduces significant licensing reforms for Microsoft software running on CISPE member infrastructure. As part of this agreement, Microsoft will allow qualified CISPE members to offer Microsoft software—such as Windows Server and SQL Server—on a pay-as-you-go basis through the CSP-Hoster (CSP-H) program, aligning pricing more closely with that of Microsoft Azure.

This agreement delivers multiple benefits. CISPE members gain access to competitive Pay-As-You-Go licensing models, enhancing flexibility and cost-effectiveness for customers. It also supports digital sovereignty by enabling deployment of Microsoft 365 Local on European cloud infrastructure—pending general availability within Microsoft’s Cloud Solution Program. A major privacy improvement allows CISPE members to host Microsoft workloads without disclosing customer data to Microsoft, addressing long-standing concerns about data sovereignty and vendor neutrality.

The agreement applies to current CISPE members and is also open to eligible European cloud providers that join CISPE in the near future. Microsoft has committed to reviewing the program after one year, with a view to expanding access further—excluding hyperscale cloud providers designated as “Listed Providers” in order to protect competition and support innovation in the European cloud ecosystem.

Microsoft Azure Cloud HSM

Azure Cloud HSM is now generally available, offering a FIPS 140-3 Level 3 certified, highly available, single-tenant Hardware Security Module (HSM) service. Designed to meet the highest security and compliance standards, Azure Cloud HSM gives customers full administrative control over their HSMs, enabling secure cryptographic key management and operations within dedicated Cloud HSM clusters. It supports key cryptographic libraries such as PKCS#11, OpenSSL, and JCE, making it ideal for workloads like Apache/Nginx SSL offload, SQL Server or Oracle TDE, and ADCS hosted on Azure VMs. The solution also supports certificate storage with private keys via PKCS#11 and allows for secure document and code signing. As the successor to Azure Dedicated HSM, this new service provides improved support for general-purpose scenarios requiring isolated and secure key management. Microsoft plans to expand availability across Public, US Gov, and Sovereign Clouds.

Modernizing Azure Resource Manager Throttling for Sovereign Clouds (preview)

Microsoft has announced the public preview of its updated throttling model for Azure Resource Manager (ARM) in sovereign clouds. This update is part of a broader modernization effort aimed at achieving parity between public and sovereign cloud environments by the end of 2026. The revised throttling model brings consistent limits and architecture across all Azure deployments, enhancing operational reliability and simplifying cross-environment workloads. As previously communicated in 2024, the new throttling configuration delivers substantial improvements, including a 30x increase in write limits, a 2.4x increase for deletes, and a 7.5x increase in read operations, greatly improving performance and scalability for ARM users.

Networking

Azure Firewall now supports ingestion-time transformation in Log Analytics

Azure Firewall has introduced support for ingestion-time transformation in Log Analytics, a feature now generally available. This capability allows organizations to filter and transform logs before they are ingested into Log Analytics, offering a flexible and cost-effective logging strategy. The benefits are substantial: security teams can log only suspicious or critical traffic for more effective threat detection; storage costs are reduced by avoiding unnecessary log ingestion; compliance requirements can be met by routing logs through Data Collection Rules (DCRs); and incident response is accelerated through streamlined access to relevant logs. Additionally, users can create customized dashboards and alerts in Azure Monitor, enhancing visibility and control over network activity.

ExpressRoute – Auto-assigned Public IP for ExpressRoute Gateways

Microsoft has introduced a simplification in the deployment of ExpressRoute Virtual Network Gateways: all newly created gateways will now use auto-assigned Public IP addresses. This change eliminates the need for customers to manually assign Public IPs during configuration, streamlining the setup process and reducing operational overhead. The new model enhances deployment consistency across different gateway types. It’s important to note that existing ExpressRoute gateways will remain unaffected by this update.

Web Application Firewall on Application Gateway for Containers (preview)

Azure has introduced Web Application Firewall (WAF) support for Application Gateway for Containers in public preview. Application Gateway for Containers is the next-generation layer 7 load balancing solution for workloads running in Kubernetes clusters, combining the capabilities of Application Gateway and Application Gateway Ingress Controller. With WAF integration, users can now protect their containerized applications from common web vulnerabilities such as SQL injection, cross-site scripting, and protocol anomalies. The solution includes Azure-managed Default Rulesets (DRS), offering protection based on OWASP standards and Microsoft’s Threat Intelligence Center (MSTIC). Additional features include bot protection through bot manager rulesets and rate-limiting custom rules to mitigate DDoS attacks, delivering enterprise-grade security for modern containerized environments.

Storage

AZNFS (3.0) for BlobNFS with FUSE for superior performance (preview)

Microsoft has released the public preview of AZNFS (3.0) for BlobNFS, offering a major upgrade for customers utilizing Azure Blob Storage with native NFSv3 access. The new version leverages the libfuse3 library—also used by BlobFuse—to bring substantial performance and scalability improvements. With this update, users benefit from higher throughput, support for larger files, enhanced metadata performance, and the removal of user group limits. These enhancements make AZNFS (3.0) particularly well-suited for performance-intensive, POSIX-compliant workloads on Linux systems that require consistent and reliable access to Blob Storage using the NFS protocol.

Azure Local

Version 2507 Release: Security Updates and Fixes

Microsoft has released version 2507 of Azure Local, delivering two targeted security updates tied to specific OS builds. The release also addresses several key issues reported in earlier builds. Fixes include resolution of a solution update failure caused by an exception in the ComposedImageUpdate role, and clarification for Azure Government cloud users where the upgrade banner is shown but the environment checker incorrectly flags lack of support. Another critical fix resolves an issue where, during VM deployment, the absence of a specified storage path would cause all resources to be placed on the first available path—potentially leading to disk space exhaustion and deployment failures over time.

End of Support Reminder: Azure Stack HCI Version 23H2

Microsoft has announced that Azure Stack HCI version 23H2 will reach end of support on October 31, 2025. Currently, Azure Local supports two active OS versions: 25398.xxx and 26100.xxx. With update 2510, systems running the 25398.x OS will automatically be upgraded to the latest 26100.x build. For deployments already based on 26100.x, the update will be applied as a feature upgrade. Organizations using Azure Local should plan accordingly to ensure ongoing support, security, and access to new features beyond the 23H2 lifecycle.

Software Defined Networking (SDN) enabled by Azure Arc on Azure Local (preview)

Microsoft has announced the public preview of Software Defined Networking (SDN) enabled by Azure Arc, now available starting with Azure Local version 2506. This release brings native Azure-style network security and control to on-premises infrastructure through Azure Arc integration. Customers can now define and manage Logical Networks, Network Interfaces, and Network Security Groups (NSGs) from the Azure control plane using the Azure Portal, CLI, or ARM templates.

Key capabilities include the ability to deploy VLAN-backed logical networks, assign static or dynamic IP addresses to virtual machines, and enforce granular traffic control policies via NSGs. NSGs can be applied both at the VLAN level and directly to VM network interfaces, using complete 5-tuple rules (source/destination IP, port, and protocol). Default network policies can also be applied during VM creation to secure workloads with predefined rules for inbound and outbound traffic.

This SDN solution is powered by the Network Controller running on Azure Local infrastructure and eliminates the need for dedicated SDN controller VMs by running as a Failover Cluster service. While advanced features such as virtual networks (vNETs), Software Load Balancers (SLBs), and Gateways are not yet supported in this preview, customers can continue to rely on traditional SDN management tools—like SDN Express and Windows Admin Center—if they require those functionalities. Notably, only one SDN management model (Azure Arc or on-premises tools) can be used per environment.

Microsoft 365 Local: New Sovereign Offering with Azure Local Foundation

Microsoft has unveiled a new sovereign solution for regulated and high-compliance environments: Microsoft 365 Local, a “Private Cloud” variant built on Azure Local infrastructure. This solution enables customers to deploy Microsoft productivity workloads such as Exchange Server and SharePoint Server directly in their own datacenters or sovereign cloud regions. With full control over security, compliance, and governance, Microsoft 365 Local extends trusted productivity experiences to environments where data residency and isolation are essential. While specific technical details are still forthcoming, this initiative marks a significant step forward in supporting sovereign cloud strategies globally.

Conclusion

Azure IaaS and Azure Local: announcements and updates (July 2025 – Weeks: 27 and 28)

Azure

General

Two-Way Forest Trusts for Microsoft Entra Domain Services

Microsoft has announced the general availability of Two-Way Forest Trusts for Microsoft Entra Domain Services. This enhancement enables organizations to establish bi-directional forest trusts between Microsoft Entra Domain Services and on-premises Active Directory Domain Services (AD DS). Previously, only one-way outbound trusts were supported, which allowed users in the on-premises environment to access resources in the managed domain. Now, administrators can configure one-way inbound, one-way outbound, or two-way forest trusts, granting users from either domain reciprocal access to resources. This added flexibility allows enterprises to better align their hybrid identity strategies, with support for more granular control over trust relationships. An Enterprise or Premium SKU license is required to configure these trusts.

Compute

Enable Trusted Launch on Existing Virtual Machine Uniform Scale Set

Microsoft has announced the general availability of the ability to enable Trusted Launch on existing Virtual Machine Uniform Scale Sets by upgrading these resources to Gen2-Trusted Launch. This enhancement allows organizations to bolster the foundational security of their existing infrastructure without needing to redeploy. Trusted Launch VMs support Secure Boot and virtual Trusted Platform Module (vTPM), protecting the guest operating system from bootkits, rootkits, and other low-level threats. Additionally, attestation capabilities measure the integrity of the VM’s boot process, further strengthening security posture.

Trusted Launch Default for New Gen2 VMs & Scale Sets (preview)

A new public preview introduces Trusted Launch as default (TLaD) for newly deployed Generation 2 Virtual Machines, Virtual Machine Scale Sets, and Azure Compute Gallery resources. This default behavior enables foundational security features, including Secure Boot and vTPM, without requiring any changes to deployment templates or automation scripts (e.g., SDKs, Bicep, ARM templates, Terraform). With Trusted Launch enabled by default, new deployments gain enhanced protection against rootkits and bootkits, while also enabling attestation to verify the VM’s boot process integrity, simplifying secure adoption of Generation 2 resources.

Networking

Azure DNS Security Policy

Azure DNS Security Policy is now generally available, offering comprehensive control and visibility over DNS traffic at the virtual network level. This new capability allows administrators to filter DNS queries by allowing, alerting, or blocking name resolutions based on domain lists, helping to protect against access to known malicious or undesired domains. Security policies can be applied to virtual networks within the same region and can be linked to multiple VNets. Organizations can gain deep visibility into DNS traffic by sending detailed logs to a storage account, Log Analytics workspace, or Event Hubs. The feature also supports granular DNS traffic rules and location-based domain lists, providing a powerful mechanism to enhance DNS security and compliance across Azure environments.

FQDN Filtering in DNAT Rules in Azure Firewall

Azure Firewall now supports Fully Qualified Domain Name (FQDN) filtering in Destination Network Address Translation (DNAT) rules, which is now generally available. This feature allows administrators to define backend resources using domain names instead of static IP addresses for inbound traffic routing. It is particularly beneficial in environments where backend IPs are dynamic or managed via DNS. With FQDN-based targeting, organizations gain improved flexibility and easier backend management. Additionally, administrators can monitor DNAT activity through AZFWNatRule logs to ensure proper policy enforcement and troubleshooting.

Customer Controlled Maintenance for Azure Firewall

Azure Firewall now supports customer-controlled maintenance windows, offering greater flexibility and operational control. With this update, users can define a recurring daily maintenance window of at least five hours during which updates and upgrades to the firewall will be applied. Firewalls that are configured with such a maintenance policy will not undergo upgrades outside the specified window, reducing the likelihood of unexpected downtime and allowing organizations to align updates with their internal change management processes. This enhancement helps ensure service continuity and better aligns with enterprise maintenance practices.

Storage

Granular Role-Based Access Control (RBAC) for Azure File Sync

Azure File Sync now includes two new built-in RBAC roles: Azure File Sync Administrator and Azure File Sync Reader. These roles are designed to improve security and streamline operations by offering more granular access control than traditional roles such as Owner or Contributor. With these purpose-built roles, organizations can better enforce the principle of least privilege when assigning permissions related to Azure File Sync. Users can create and manage essential components such as Storage Sync Services, Sync Groups, Server Endpoints, and Cloud Endpoints, as well as register servers, all while avoiding broader permissions like VM management. This update removes the need to define custom roles for common administrative tasks, supporting compliance and operational efficiency by limiting access only to what is required.

Encryption in Transit for Azure Files NFS Shares

Encryption in Transit (EiT) for Azure Files NFS shares is now generally available, providing secure data transmission over the network by using TLS 1.3. This enhancement ensures the confidentiality, integrity, and authenticity of all NFS traffic. It supports a wide range of environments, including all major Linux distributions, Azure Linux virtual machines, and on-premises Linux servers. To simplify deployment, Microsoft offers the open-source AZNFS mount helper, which automates the TLS tunneling and volume mount process. This added security layer helps organizations meet compliance requirements while preserving performance and usability in enterprise-scale file sharing scenarios.

Azure Storage Mover Adds Free, Direct AWS S3-to-Azure Blob Migration (preview)

Azure Storage Mover has introduced a new public preview feature that enables free, direct migration of data from Amazon S3 to Azure Blob Storage. Designed for organizations with multi-cloud strategies or planning a complete transition to Azure, this Cloud-to-Cloud migration capability supports secure, petabyte-scale data transfers without disrupting ongoing operations. In addition to this new path, Azure Storage Mover already supports migrating on-premises SMB shares to Azure File and transferring both SMB and NFS data to Azure Blob Storage. The integration of Azure Arc streamlines authentication when connecting to AWS, ensuring secure and seamless operations. As a fully managed and cost-free service, Azure Storage Mover helps businesses modernize their storage architectures more efficiently and with minimal complexity.

Azure Local

Updates in the 2506 Release

The 2506 release of Azure Local delivers a comprehensive set of updates across operating system support, security, networking, and deployment processes. New deployments now use OS version 26100.4349, with driver compatibility required for this version or Windows Server 2025. Existing deployments remain on version 25398.1665. The release also integrates improved deployment validation through updated environment checkers for Microsoft On-premises Cloud and Azure Resource Bridge. On the security front, a new baseline expands to 407 evaluated rules, improving alignment with CIS and DISA STIG standards, and introduces enhanced Microsoft Defender Antivirus configurations. Administrators can now fine-tune drift control settings instead of disabling them globally, and the minimum password length has been raised to 14 characters to meet NIST 2 compliance. In preview, Software-Defined Networking (SDN) enabled by Azure Arc allows the creation and assignment of Network Security Groups (NSGs) and security rules for a consistent cloud-to-edge networking model. Additional features include an overprovisioning alert to warn of insufficient compute capacity before updates, .NET 8.0.17 runtime support, and the archival of Azure Local version 22H2 documentation. Notably, this release is not supported for Azure Local instances deployed in Azure Government cloud.

Conclusion

Azure IaaS and Azure Local: announcements and updates (June 2025 – Weeks: 25 and 26)

Azure

General

Microsoft announces comprehensive sovereign solutions for European organizations (preview)

Microsoft has introduced a broad expansion of its sovereign cloud offerings with the goal of empowering European organizations with enhanced data privacy, operational autonomy, and digital resilience. Building on its longstanding presence in Europe, the new Microsoft Sovereign Cloud initiative spans public cloud, private cloud infrastructure, and national partner environments. Among the new capabilities announced are Data Guardian, which ensures only European personnel oversee remote system access; External Key Management, allowing customers to control encryption with their own HSMs; and Regulated Environment Management, a centralized portal for configuring and monitoring sovereign workloads.

The Sovereign Public Cloud—an evolution of the Microsoft Cloud for Sovereignty—supports Microsoft Azure, Microsoft 365, Security, and Power Platform services across all European datacenter regions, guaranteeing data stays within the EU and is operated under European law by local staff. Additionally, Sovereign Private Cloud (preview), powered by Azure Local and the newly announced Microsoft 365 Local, enables deployment of productivity and cloud services in customer-controlled environments, supporting high levels of compliance and business continuity.

Microsoft is also expanding support for National Partner Clouds through collaborations such as Bleu in France and Delos Cloud in Germany, offering independently operated sovereign environments. These initiatives aim to deliver the most comprehensive sovereignty solutions in the industry, allowing European customers to operate confidently and in full compliance with evolving regulations—without sacrificing access to innovation or requiring data migration.

Microsoft Azure now available from new cloud region in Chile

Microsoft has announced the general availability of its first cloud region in Chile, further expanding its global infrastructure footprint. The new Chile Central region offers Azure Availability Zones and provides scalable, highly available, and resilient cloud services to customers across Latin America and beyond. This launch reinforces Microsoft’s commitment to accelerating digital transformation and innovation in Chile, while ensuring high standards of security, privacy, and regulatory compliance for data residency. Organizations in the region can now benefit from low-latency access to trusted Microsoft Cloud services hosted within the country.

Compute

Azure FXv2-series Virtual Machines

Microsoft has announced the General Availability of Azure FXv2-series Virtual Machines (VMs), powered by the 5th Generation Intel® Xeon® Platinum 8573C processor. These VMs deliver substantial enhancements in CPU performance, memory capacity, and storage throughput, making them ideal for compute-intensive workloads such as databases and data analytics. The FXv2-series VMs provide up to 50% better CPU performance compared to the previous generation, with sizes supporting up to 96 vCPUs and 1,832 GiB of memory. NVMe support ensures high-performance remote storage, with up to 400K IOPS and 11.25 GBps throughput. Designed for high-demand scenarios, such as SQL Server and electronic design automation (EDA), the FXv2-series offers enhanced memory configurations and improved I/O bandwidth.

Networking

Azure WAF integration in Microsoft Security Copilot

The integration of Azure Web Application Firewall (WAF) with Microsoft Copilot for Security has reached general availability. This integration spans both Azure Front Door WAF and Azure Application Gateway WAF, enabling organizations to enhance their threat detection and response capabilities through AI-powered insights. The solution provides automated analysis of SQL Injection (SQLi) and Cross-Site Scripting (XSS) attacks, delivering summaries and justifications for WAF actions. It also includes advanced diagnostics such as tracking attack trends, identifying top offending IPs, and analyzing frequently triggered WAF rules. These features help security teams streamline investigations and proactively adjust their defenses based on real-time intelligence.

Azure Virtual Network Manager IP address management

The IP address management capability in Azure Virtual Network Manager is now generally available, offering centralized tools to enhance IP planning and allocation across complex network environments. This feature allows automatic assignment of non-overlapping IP addresses, supports IP reservations for specific workloads, and prevents conflicts across Azure, on-premises, and multi-cloud environments. Integrated with Azure Policy, it also enforces network creation using designated IP pools, ensuring consistency and compliance. The feature provides clear visibility into IP usage across network resources, helping organizations maintain efficient and conflict-free IP address spaces.

Draft & Deploy on Azure Firewall (preview)

The new Draft & Deploy feature for Azure Firewall Policy introduces a more efficient, two-phase approach to managing firewall configurations, now available in public preview. Previously, any change to a policy would initiate a full deployment of both the policy and associated firewall, resulting in delays of 2–4 minutes per update. With this feature, users can create a draft version cloned from the current policy, allowing collaborative edits without impacting the live environment. Once all changes are finalized, the updated policy can be deployed in a single operation, streamlining the update process and reducing operational disruption.

Azure Front Door supports managed certificate for wildcard domains (preview)

Azure Front Door Standard and Premium profiles now support managed certificates for wildcard domains, a feature previously limited to Bring Your Own Certificate (BYOC) configurations. This enhancement allows customers to secure multiple subdomains using a single managed certificate, which is especially beneficial for SaaS providers and organizations operating large-scale, multi-tenant applications. The new capability simplifies operations by eliminating the need to manage certificates per subdomain, improves scalability by reducing configuration overhead, and enhances security through automated certificate renewals.

Storage

Transition existing platform-managed keys to customer-managed keys for Azure NetApp Files volumes

Customers can now seamlessly transition Azure NetApp Files volumes from platform-managed keys (PMK) to customer-managed keys (CMK), without requiring data migration. This capability is now generally available across all Azure NetApp Files supported regions. Using CMK provides enhanced security and control, allowing organizations to manage their own encryption key lifecycle, including renewals and rotations. It also aligns with stringent regulatory and compliance requirements typical in industries such as finance, healthcare, and government. Importantly, there is no performance impact when using CMK, as the feature simply secures the account encryption key with Azure Key Vault, offering protection against unauthorized access and insider threats.

Conclusion

Azure IaaS and Azure Local: announcements and updates (June 2025 – Weeks: 23 and 24)

Azure

Compute

New Storage Optimized Laosv4, Lasv4, and Lsv4 Azure VM Series

Azure has announced the general availability of the Laosv4, Lasv4, and Lsv4 storage-optimized virtual machine series. The Laosv4 and Lasv4 VMs are powered by 4th Gen AMD EPYC™ (Genoa) processors, while the Lsv4 series uses 5th Gen Intel® Xeon® (Emerald Rapids) CPUs. These VMs offer sizes ranging from 2 to 96 vCPUs, with 8GB of memory and substantial local NVMe disk capacity per vCPU. In particular, the largest VMs offer up to 23TB of local storage. All three VM series come with Azure Boost and Azure Boost SSDs, support NVMe local SSD disk encryption by default, and feature an NVMe remote storage interface with premium storage caching, enhancing remote storage performance. These VMs are ideal for storage-intensive, distributed workloads such as big data analytics, Elasticsearch, distributed file systems, and data warehousing, delivering the high performance and flexibility needed for modern enterprise applications.

Networking

Profile and Route WAF Policies on Azure Front Door (private preview)

Azure has introduced a private preview of profile and route-based Web Application Firewall (WAF) policies for Azure Front Door. Previously, WAF policies could only be associated with a Front Door instance via frontends or custom domains. With this update, WAF policies can now also be applied at the Front Door profile level and at the individual route level within a domain. This new flexibility allows administrators to define a global policy at the profile level to cover all associated domains, while also enabling more granular security through route-specific policies. For instance, more sensitive routes—such as login or payment pages—can have stricter rules applied. The policy hierarchy ensures that more specific policies override broader ones: route-level policies take precedence over domain-level policies, which in turn override profile-level policies. This enhancement empowers organizations to implement targeted protection strategies within a unified WAF framework.

Azure Virtual Network Manager in Azure China

Azure Virtual Network Manager is now generally available in Azure China, bringing centralized control over connectivity, security rules, and routing configurations across subscriptions at scale. This service simplifies network topology management using hub-and-spoke or mesh configurations, helping administrators ensure consistent connectivity and policy enforcement throughout complex environments. The security admin rules feature allows organizations to define security policies that take precedence over traditional Network Security Group (NSG) rules, helping to avoid misconfigurations and maintain compliance across environments. Additionally, flow logs offer visibility and diagnostics for traffic governed by these rules. Routing configurations can also be standardized and applied automatically to multiple subnets or virtual networks, supporting scenarios like routing spoke traffic through Azure Firewall or enabling cross-hub connections, further simplifying enterprise network architecture.

Storage

Archive Access Tier Now Available in Italy North

The Archive access tier for Azure Blob Storage is now generally available in the Italy North region. This development enables customers to store infrequently accessed data in a highly cost-effective manner while ensuring data residency and compliance with Italian regulations. Ideal for long-term data retention, backup, and compliance scenarios, the Archive tier supports comprehensive data lifecycle management. Users can manage data in the Archive tier through the Azure portal, CLI, PowerShell, or REST API. With this release, the Italy North region now supports the full spectrum of Azure Blob Storage tiers—Hot, Cool, Cold, and Archive—aligning it with other fully featured Azure regions.

Azure Storage Mover support for SMB source to Azure Blob target

Azure Storage Mover has expanded its capabilities to support the migration of SMB shares directly to Azure Blob containers. This fully managed migration service enables seamless and secure transfer of on-premises files and folders to Azure Storage, minimizing downtime during migration processes. With integration features like just-in-time permission setting and Azure Key Vault support, organizations can perform secure migrations end-to-end. This enhancement complements the existing support for migrations from NFS shares to Azure Blob and from SMB sources to Azure File shares.

NFS Azure Files volume mount support in Azure Container Apps (preview)

Azure Container Apps now support mounting Network File System (NFS) Azure Files volumes to containerized applications. This enhancement allows developers to leverage a scalable and high-performance file system that can be shared across multiple containers within an application. The use of NFS Azure Files volumes also ensures data persistence across container restarts, making it ideal for stateful workloads or data-intensive jobs running in container environments.

Encrypt Premium SSD v2 and Ultra Disks with Cross-Tenant Customer Managed Keys (preview)

Microsoft has introduced a public preview for encrypting Premium SSD v2 and Ultra Disks using Cross-Tenant Customer Managed Keys (CMK) in select regions. This feature enables encryption of managed disks using a CMK that resides in an Azure Key Vault located in a different Microsoft Entra tenant from the disk itself. This advancement is particularly beneficial for service providers building Software as a Service (SaaS) solutions on Azure, as it allows their customers to manage their own encryption keys independently. Customers can now host and control their CMKs in their own tenant, granting them full sovereignty over their data and encryption practices.

Conclusion

RAG on Azure Local: the evolution of generative AI in hybrid environments

In the era of Artificial Intelligence, companies are required to combine computational power with distributed data management, as data is increasingly located across cloud environments, on-premises infrastructures, and edge settings. In this context, Azure Local emerges as a strategic solution, capable of extending the benefits of cloud computing directly into local data centers—where the most sensitive and critical workloads reside. After exploring this topic in the previous article, “AI from Cloud to Edge: Innovation Enabled by Azure Local and Azure Arc,” this new piece focuses on a particularly significant evolution: the adoption of RAG Capabilities (Retrieval-Augmented Generation) within Azure Local environments. Thanks to Microsoft’s adaptive cloud approach, it is now possible to design, deploy, and scale AI solutions consistently and in a controlled manner, even in hybrid and multicloud scenarios. Azure Local thus becomes the enabler of a tangible transformation, bringing generative AI capabilities closer to the data, with clear benefits: reduced latency, preservation of data sovereignty, and greater accuracy and relevance of the generated results.

A Consistent AI Ecosystem from Cloud to Edge

Microsoft is building a consistent and distributed Artificial Intelligence ecosystem, designed to enable the development, deployment, and management of AI models wherever they are needed: in the cloud, on-premises environments, or at the edge.

This approach is structured into four key layers, each designed to address specific needs:

Application Development: With Azure AI Studio, developers can easily design and build intelligent agents and conversational assistants using pre-trained models and customizable modules. The development environment offers integrated tools and a modern interface, simplifying the entire AI application lifecycle.
AI Services: Azure offers a wide range of advanced AI services — including language models (based on OpenAI), machine translation, computer vision, and semantic search — which, until now, were limited to the cloud environment. With the introduction of RAG in Azure Local, these capabilities can now also be executed directly in local environments.
Machine Learning and MLOps: Azure Machine Learning Studio allows for efficient creation, training, optimization, and management of ML models. Thanks to the AML Arc Extension, all these features are now also available on local and edge infrastructures.
AI Infrastructure: Supporting all these layers is a solid and scalable technology foundation. Azure Local, together with Azure’s global infrastructure, provides the ideal environment for running AI workloads through containers and optimized virtual machines, ensuring high performance, security, and compliance.

Microsoft’s goal is clear: to eliminate the boundary between the cloud and the edge, enabling organizations to harness the power of AI where the data actually resides.

What is Retrieval-Augmented Generation (RAG)

Within the unified AI ecosystem Microsoft is building, one of the most impactful innovations is Retrieval-Augmented Generation (RAG) — an advanced technique poised to revolutionize the approach to generative AI in the enterprise space. Unlike traditional models that rely solely on knowledge learned during training, RAG enriches model responses by dynamically retrieving up-to-date and relevant content from external sources such as documents, databases, or vector indexes.

RAG operates in two distinct but synergistic phases:

Retrieve: The system searches and selects the most relevant information from external sources, often built using enterprise data.
Generate: The retrieved content is used to generate more accurate responses, consistent with the context and aligned with domain-specific knowledge.

This architecture helps reduce hallucinations, increase response accuracy, and work with updated and specific data without retraining the model, thereby ensuring greater flexibility and reliability.

RAG on Azure Local: Generative AI Serving On-Premises Data

With the introduction of RAG Capabilities in Azure Local environments, organizations can now bring the power of generative AI directly to their data—wherever it resides: in the cloud, on-premises, or across multicloud infrastructures—without needing to move or duplicate it. This approach roots artificial intelligence in enterprise data and enables the native integration of advanced capabilities into local operational workflows.

The solution is available as a native Azure Arc extension for Kubernetes, providing a complete infrastructure for data ingestion, vector index creation, and querying based on language models. Everything is managed through a local portal, which offers essential tools for prompt engineering, monitoring, and response evaluation.

The experience is designed in a No-Code/Low-Code fashion, with an intuitive interface that allows even non-specialized teams to develop, deploy, and manage RAG applications.

Key Benefits

Data Privacy and Compliance: Sensitive data remains within corporate and jurisdictional boundaries, allowing the model to operate securely and in compliance with regulations.
Reduced Latency: Local data processing enables fast responses, which are crucial in real-time scenarios.
Bandwidth Efficiency: No massive data transfers to the cloud, resulting in optimized network usage.
Scalability and Flexibility: Thanks to Azure Arc, Kubernetes clusters can be deployed, monitored, and managed on local or edge infrastructures with the same operational experience as the cloud.
Seamless Integration with Existing Environments: RAG capabilities can be directly connected to document repositories, databases, or internal applications, enabling scenarios such as enterprise chatbots, intelligent search engines, or vertical digital assistants—natively and without invasive infrastructure changes.

This capability represents a fundamental element in Microsoft’s strategy: to make Azure the most open, extensible, and distributed AI platform, capable of enabling innovation wherever data resides and transforming it into a true strategic asset for the digital growth of organizations.

Advanced RAG Capabilities on Azure Local

The RAG capabilities available in Azure Local environments go beyond simply bringing generative AI closer to enterprise data—they represent a comprehensive set of advanced tools designed to deliver high performance, maximum flexibility, and full control, even in the most demanding scenarios. Thanks to continuous evolution, the platform is equipped to support complex and dynamic use cases, while keeping quality, security, and responsibility at the forefront.

Here are the main advanced features available:

Hybrid Search and Lazy Graph RAG (coming soon): The combination of hybrid search with the upcoming support for Lazy Graph RAG enables the creation of efficient, fast, and low-cost indexes, providing accurate and contextual responses regardless of the nature or complexity of the query.
Performance Evaluation: Native evaluation pipelines allow structured testing and measurement of RAG system effectiveness. Multiple experimentation paths are supported—helpful for comparing different approaches in parallel, optimizing prompts, and improving response quality over time.
Multimodality: The platform natively supports text, images, documents, and—soon—videos. By leveraging the best parsers for each format, RAG on Azure Local can process unstructured data located on NFS shares, offering a unified and in-depth view across various content types.
Multilingual Support: Over 100 languages are supported during both ingestion and model interactions, making the solution ideal for organizations with a global presence or diverse language requirements.
Always-Up-to-Date Language Models: Each update of the Azure Arc extension provides automatic access to the latest models, ensuring optimal performance, enhanced security, and alignment with the latest advancements in generative AI.
Responsible and Compliant AI by Design: The platform includes built-in capabilities for managing security, regulatory compliance, and AI ethics. Generated content is monitored and filtered, helping organizations comply with internal policies and external regulations—without placing additional burden on developers.

Key Use Cases of RAG on Azure Local

The integration of RAG into Azure Local environments delivers tangible benefits across several sectors:

Financial Services: in the financial sector, RAG can analyze sensitive data that must remain on-premises due to regulatory constraints. It can automate compliance checks on documents and transactions, provide personalized customer support based on financial data, and create targeted business proposals by analyzing individual profiles and preferences.
Manufacturing: for manufacturing companies, RAG is a valuable ally for enhancing operational efficiency. It can offer real-time assistance in problem resolution through analysis of local production data, help identify process inefficiencies, and support predictive maintenance by anticipating failures through historical data analysis.
Public Sector: public administrations can leverage RAG to gain insights from the confidential data they manage. It’s useful for summarizing large volumes of information to support quick and informed decision-making, creating training materials from existing documentation, and enhancing public safety through predictive analysis of potential threats based on local data.
Healthcare: in the healthcare sector, RAG enables secure handling of clinical data, delivering value across multiple areas. It can support the development of personalized treatment plans based on patient data, facilitate medical research through clinical information analysis, and optimize hospital operations by analyzing patient flow and resource usage.
Retail: in the retail sector, RAG can enhance customer experiences and streamline business operations. It is effective for creating personalized marketing campaigns based on purchasing habits, optimizing inventory management through sales data analysis, and gaining deeper insights into customer behavior to refine product and service offerings.

Conclusion

The integration of RAG capabilities within Azure Local environments marks a significant milestone in the maturity of distributed Artificial Intelligence solutions. With an open, extensible, and cloud-connected architectural approach, Microsoft enables organizations to leverage the benefits of generative AI consistently—even in hybrid and on-premises scenarios. RAG capabilities, in particular, allow advanced language models to connect with the contextual knowledge stored in enterprise systems—without compromising governance, security, or performance. This evolution makes it possible to create intelligent, secure, and customized applications across any operational context, accelerating the time-to-value of AI across multiple industries. Azure Local with RAG represents a strategic opportunity for businesses that want to govern Artificial Intelligence where data is born, lives, and generates value.

Azure IaaS and Azure Local: announcements and updates (May 2025 – Weeks: 21 and 22)

Azure

General

GitHub Copilot for Azure

GitHub Copilot for Azure is now generally available, delivering a streamlined and intelligent development experience across the Azure ecosystem. Designed to enhance developer productivity, this solution integrates natively with Azure resources and offers support for Infrastructure as Code (IaC) through Bicep and Terraform. It enables efficient diagnostics and issue resolution, while providing real-time recommendations to improve code quality. GitHub Copilot for Azure acts as a comprehensive assistant, helping developers design resilient architectures, manage cloud resources, and elevate their Azure expertise with minimal disruption.

Cloudera on Cloud Available in Italy North Region

Cloudera on Cloud is now available in the Italy North Azure region through the Azure Marketplace. This availability expands the regional presence of Cloudera’s analytics and data platform, allowing customers in Italy to deploy and operate Cloudera environments more efficiently and in compliance with local data residency requirements.

Azure Chaos Studio available in ItalyNorth

Azure Chaos Studio has expanded its regional availability and is now offered in the ItalyNorth region. This service enables customers to improve the resilience of their applications by simulating faults and disruptions in a controlled manner. By testing real-world failure scenarios, organizations can proactively address reliability issues and strengthen the stability of their cloud workloads.

Retirement of Azure China North 1 and East 1 Regions

Microsoft has announced the planned retirement of the China North 1 and China East 1 regions, operated by 21Vianet, effective July 1, 2026. This decision follows an ongoing effort to modernize and optimize the Azure infrastructure in China. Customers are encouraged to migrate their resources to newer regions, such as China North 3, which offer improved performance, security, and support for advanced Azure services. To avoid service disruption, all migrations should be completed before the retirement date. Azure in China will continue its operations in multiple enhanced regions to meet evolving customer needs.

Azure Quota Groups

Azure Quota Groups is now generally available, bringing enhanced flexibility and centralized control for Enterprise Agreement (EA) and internal customers. This feature allows quotas to be shared across multiple subscriptions within a designated group, reducing the volume of individual quota requests and simplifying management. Through the use of a centralized Quota Group Azure Resource Manager (ARM) object, customers can self-manage their quota allocations—without requiring Microsoft approval. Benefits include the ability to reassign unused quota across subscriptions, reduced support overhead, and the ability to submit a single quota request for the entire group. Azure Quota Groups significantly streamlines resource governance and boosts operational efficiency.

Compute

ND96isr_H200_v5 Virtual Machines available in ItalyNorth

Azure has expanded the regional availability of ND96isr_H200_v5 Virtual Machines, which are now offered in the ItalyNorth region. These VMs are optimized for high-performance computing and AI workloads, providing enhanced GPU capabilities designed to accelerate demanding applications such as deep learning, data analytics, and large-scale simulations.

Network Optimized Azure Virtual Machines – Dnsv6, Dndsv6, Dnlsv6, Dnldsv6, Ensv6 and Endsv6 (preview)

Azure has introduced a new class of Network Optimized Virtual Machines, now in public preview, built on the 5th Generation Intel® Xeon® Platinum 8537C (Emerald Rapids) processors. These VMs provide enhanced performance and flexibility with three memory-to-core configurations and options with or without local SSDs. Leveraging Azure Boost, these VMs deliver superior network bandwidth per vCPU, increased vNIC capacity, and faster connection setup times. The new SKUs, including Dnsv6, Dndsv6, Dnlsv6, Dnldsv6, Ensv6, and Endsv6, expand the v6 family of Intel-based Azure VMs, making them ideal for network-intensive workloads.

Networking

Private Subnet

Azure announces the general availability of the private subnet functionality. Traditionally, virtual machines created in a virtual network without explicit outbound configuration were assigned a default outbound public IP address. These implicit IPs presented security challenges and lacked association with subscriptions, making them unreliable and difficult to manage. With the private subnet feature, any new subnet defaults to having “default outbound access” set to false, thus eliminating implicit outbound connectivity and promoting Azure’s “secure by default” principle. Users must now explicitly configure outbound access using services such as NAT Gateway or Public IP addresses. Starting September 30th, 2025, all new virtual networks will adopt this default behavior, although existing networks and older API versions will remain unaffected.

Azure Traffic Manager SLA Increased to 100%

Azure Traffic Manager now offers a 100% service level agreement (SLA) for global DNS resolution, guaranteeing uninterrupted resolution of DNS queries to healthy service endpoints. This enhancement reinforces Azure’s commitment to reliability and performance, ensuring that all Traffic Manager profiles automatically benefit from this updated SLA without requiring any customer-side changes.

Destination Network Address Translation (DNAT) on Azure Firewall Private IP address

Azure Firewall now supports Destination Network Address Translation (DNAT) rule configurations on its Private IP address, enabling port translations that were previously unavailable. This enhancement is particularly useful for enterprises dealing with overlapping IP ranges, such as during the integration of new partners or mergers and acquisitions. In hybrid networking scenarios, this feature allows on-premises datacenters to establish communication with Azure resources using private, non-routable IP addresses, ensuring seamless interoperability and connectivity across diverse environments.

Container Apps and Functions as Private Link enabled origins for Front Door Premium

Azure Front Door Premium now supports configuring Azure Container Apps and Azure Functions as Private Link enabled origins. This capability ensures secure backend communication by restricting origin exposure to the public internet. Even though users access content through public Front Door endpoints, the actual origin services remain securely accessible only via Private Link, improving overall network security posture for web applications and APIs.

Azure Front Door supports origin authentication via Managed Identities (preview)

Azure Front Door Standard and Premium now support origin authentication using Managed Identities, currently in public preview. This feature allows secure, identity-based access control between Front Door and its backend origins. By leveraging Managed Identities, customers can avoid the risks and operational overhead associated with managing credentials, ensuring that only authorized Front Door instances can access origin services.

VM Network Troubleshooter in Azure Portal (preview)

Azure has introduced a new VM Network Troubleshooter tool in the Azure Portal, now in public preview. Accessible from the VM Overview blade, this tool allows users to run diagnostics and detect common issues such as blocked ports. This feature significantly streamlines network troubleshooting, enabling quicker identification and resolution of connectivity problems that often affect virtual machine workloads.

Using Server-sent events with Application Gateway (preview)

Azure Application Gateway introduces preview support for Server-sent events (SSE), a technology that enables servers to push real-time updates to clients over persistent HTTP connections. This preview allows developers to build low-latency applications requiring continuous data streaming directly from the server. To utilize this capability, both the Application Gateway and the backend application must be configured appropriately. This feature enhances the ability to deliver dynamic content to clients while maintaining control over scalability and performance at the application delivery layer.

Storage

Availability Set Support for Premium SSD v2 Disk Storage

Azure has added support for Availability Sets with Premium SSD v2 (Pv2) disk storage in regions without Availability Zones, including Australia Southeast, Canada East, North Central US, UK West, West Central US, and West US. Premium SSD v2 offers scalable IOPS and throughput, low latency, and consistent performance—making it a strong choice for enterprise workloads such as SQL Server, Oracle, SAP, and big data platforms. This enhancement allows customers in these regions to build resilient architectures using Availability Sets, ensuring higher availability even in the absence of zonal infrastructure.

Customer-managed keys for Azure NetApp Files volume encryption with Azure Key Vault Managed HSM

Azure NetApp Files now supports customer-managed keys for volume encryption using Azure Key Vault Managed HSM. This enhancement provides an elevated level of security, transitioning from FIPS 140-2 Level 2 to Level 3 compliance for critical deployments. The use of Managed HSM is particularly relevant in sectors that demand high-security standards, such as financial services, public sector, telecommunications, and energy. Applications benefiting from this include payment processing systems, authentication services, and solutions requiring application-level encryption.

Encryption in Transit for Azure Files NFS Shares (preview)

Microsoft has introduced support for encryption in transit for Azure Files NFS v4.1 shares, now available in public preview. This feature enhances data protection by enabling TLS-based encryption for NFS traffic, securing data as it travels between applications and Azure File shares. The solution integrates with the lightweight AZNFS mount helper to deliver a seamless user experience, and it offers flexibility by allowing connections to be mounted with or without encryption, depending on user requirements.

Live Resize for Premium SSD v2 and Ultra NVMe Disks (preview)

Microsoft has announced the public preview of Live Resize for Premium SSD v2 (Pv2) and Ultra NVMe Disks. This new capability enables users to dynamically increase the storage capacity of their disks without causing any disruption to running applications. With Live Resize, organizations can adopt a more cost-effective storage strategy by starting with smaller disk sizes and scaling up as needed—ensuring flexibility, efficiency, and continuous application availability.

Conclusion

Azure IaaS and Azure Local: announcements and updates (May 2025 – Weeks: 19 and 20)

Azure

General

Carbon optimization in Azure

Microsoft has announced the General Availability of carbon optimization in Azure, a built-in solution designed to help organizations measure, manage, and reduce carbon emissions from their Azure workloads. With this capability, customers gain access to built-in dashboards and KPIs directly in the Azure portal, enabling them to track sustainability progress over time. The service provides detailed, resource-level emissions data, unlocking opportunities for deeper optimization. Role-based access control (RBAC) ensures that relevant stakeholders can access appropriate data. Additionally, actionable recommendations are offered to support both carbon reduction and cost savings. This release underscores Microsoft’s commitment to empowering customers to align their cloud operations with sustainability objectives, offering native tools to support greener decision-making across IT environments.

Perth – Azure Extended Zones (preview)

Microsoft has announced the public preview of the Perth Azure Extended Zone. Azure Extended Zones are small-scale Azure deployments located in specific metros, industrial hubs, or jurisdictions to support low-latency applications and enforce data residency requirements. These zones are capable of running virtual machines, containers, storage solutions, and selected Azure services. With the introduction of the Perth Extended Zone, customers in the region can now run latency-sensitive and high-throughput workloads closer to their end users, improving performance while aligning with regulatory and data governance mandates.

Networking

ExpressRoute Metro available in Italy North with Equinix

ExpressRoute Metro is now available in the Italy North region in partnership with Equinix. This connectivity option allows customers to establish private, resilient network connections to Microsoft cloud services through Equinix infrastructure. ExpressRoute Metro offers low-latency, high-bandwidth connectivity within metropolitan areas, supporting performance-sensitive workloads and regulatory compliance needs for businesses operating in or near the Italy North region.

Azure Virtual Network Manager high-scale private endpoints in connected groups (preview)

Microsoft has introduced the public preview of high-scale private endpoints within connected groups using Azure Virtual Network Manager. This new capability is designed to address the growing scalability needs of complex enterprise network environments in Azure. It enables the support of up to 20,000 private endpoints within a single connected group, significantly increasing the ability to scale private connectivity across large environments. This enhancement allows organizations to manage a broader set of workloads efficiently, improving network architecture flexibility while maintaining strong isolation and security.

Storage

Azure File Sync in Italy North

Microsoft has expanded the availability of Azure File Sync to the Italy North region. Azure File Sync provides a hybrid storage solution that allows organizations to tier data from on-premises Windows Servers to Azure Files, optimizing performance while reducing on-premises storage requirements. This expansion brings the service closer to customers in the region, offering reduced latency, improved performance, and compliance with local data residency regulations. With Azure File Sync, businesses can maintain the compatibility and flexibility of traditional file servers while benefiting from the scalability and cost-efficiency of the Azure cloud.

Azure Archive Storage in Italy North

Azure Archive Storage is now available in the Italy North region. This service provides a secure, low-cost option for storing rarely accessed data, such as compliance archives, backup data, and long-term retention files. With this regional expansion, customers in Italy can now benefit from reduced latency and improved data residency compliance when leveraging Azure Archive Storage for their cold data needs.

Azure Storage Actions – Serverless storage data management

Microsoft has announced the general availability of Azure Storage Actions, a fully managed serverless platform for automating data management tasks across Azure Blob and Data Lake Storage. Available in select Azure regions, Storage Actions empowers organizations to scan, analyze, and process billions of objects across multiple storage accounts without writing code. The solution supports the use of blob tags and metadata as dynamic parameters, allowing fine-grained control over how each object is handled. An integrated dashboard provides visibility into operations, including detailed drill-downs. By combining a no-code experience with serverless scalability, Azure Storage Actions significantly simplifies and accelerates storage data workflows.

Azure Premium SSD v2 now available in more regions

Azure Premium SSD v2 is now available in several additional non-availability-zone (non-AZ) regions, including US West, UK West, Canada East, Australia Southeast, North Central US, West Central US, Australia Central 2, and Norway West. Premium SSD v2 is a next-generation general-purpose block storage offering that delivers sub-millisecond latency and optimized price-performance for I/O-intensive enterprise workloads. It is ideal for a wide array of use cases such as SQL Server, Oracle, MariaDB, SAP, Cassandra, MongoDB, big data analytics, gaming on virtual machines, and stateful container deployments. This expansion brings high-performance storage closer to more global Azure customers.

Azure NetApp Files support for Active Directory connection per NetApp account

Azure NetApp Files now offers general availability of Active Directory connection per NetApp account. This feature enables each NetApp account to connect independently to its own Active Directory Forest and Domain, allowing multiple, distinct Active Directory configurations within a single Azure region and subscription. With this functionality, organizations can achieve better operational segregation, enhance security, and simplify hosting of specialized or multi-tenant environments. The association of SMB volumes to specific Active Directory connections per NetApp account further streamlines identity and access management across different organizational contexts.

Azure NetApp Files cross-zone and cross-region replication across subscriptions

Azure NetApp Files now supports replication across different subscriptions under the same tenant, enabling cross-subscription replication. This enhancement significantly improves disaster recovery and operational flexibility by utilizing NetApp SnapMirror technology, which optimizes data transfer by replicating only changed blocks in a compressed format. The feature supports both cross-zone replication across all Azure NetApp Files regions with availability zones and cross-region replication across all supported regions. Organizations can now better manage and protect data across different organizational units or cost centers while maintaining efficient and secure replication practices.

Azure NetApp Files cross-zone-region replication (preview)

Microsoft has introduced the public preview of cross-zone-region replication (CZRR) for Azure NetApp Files, a capability that extends existing cross-region and cross-zone replication functionalities. CZRR allows replication of volumes not only across different Azure regions but also across availability zones within the same region. This dual-layer replication enhances both disaster recovery and business continuity. Customers can configure protection by combining various replication setups, such as one cross-zone and one cross-region replication relationship, two cross-region replications, or two cross-zone replications. For cross-zone replication, the source volume must reside in an availability zone. This preview feature aims to deliver higher resilience and data protection for critical workloads.

Azure Premium SSD v2 Disk Storage in Japan West

Azure Premium SSD v2 (Pv2) Disk Storage is now available in the Japan West region. Pv2 represents Azure’s next-generation general-purpose block storage, engineered to provide sub-millisecond latency, flexible scalability, and cost efficiency. It allows users to independently scale IOPS, throughput, and capacity, making it suitable for a wide variety of production workloads. Pv2 supports relational databases such as SQL Server, Oracle, and MariaDB, NoSQL platforms like Cassandra and MongoDB, as well as SAP systems, analytics tasks, gaming environments, and stateful containerized applications. This expansion delivers high-performance disk storage closer to customers in Japan West, enhancing workload responsiveness and data locality.