This post is a special edition of my regular “Azure IaaS and Azure Local: announcements and updates” series, dedicated entirely to the wave of news coming from Microsoft Ignite 2025. As every year, Ignite condenses in a few days an impressive number of announcements across infrastructure, networking, management, AI, and sovereign cloud – so this edition is intentionally focused on helping you navigate what matters most if you work with Azure IaaS and Azure Local in the field.
Rather than attempting to cover every single announcement, I’ve selected the updates that I consider most relevant for architects, IT pros, and cloud practitioners: from networking and observability improvements, to new capabilities in Azure Local, Sovereign Private Cloud, and Microsoft 365 Local, all the way to storage, and hybrid innovations.
For a complete view of everything announced at Ignite, including services and scenarios outside the scope of this post, I strongly recommend reading the official Microsoft Ignite 2025 Book of News, which provides the full catalog of updates, an interactive table of contents, and translation options for global audiences.
Azure
General
Microsoft Sovereign Cloud: continuous innovation
Alongside the many Azure product updates, Microsoft is also pushing forward on the Microsoft Sovereign Cloud vision, with new capabilities across AI, security, and productivity, plus a roadmap of features specifically targeting sovereign cloud needs.
Microsoft emphasizes that sovereignty is not a one-off project but an area of continuous innovation, and several concrete commitments have already moved into execution. As of this month, Microsoft has:
- Established a European board of directors made up of European nationals, responsible for overseeing all datacenter operations in line with European law – effectively placing Europe’s cloud infrastructure in European hands.
- Expanded European datacenter capacity, with new regions launched in Austria and another coming online in Belgium this month.
- Embedded digital resiliency commitments into all relevant government contracts, making resilience and continuity guarantees part of the core commercial framework.
- Increased investment in open source, by funding secure OSS projects and collaborations, and by publishing AI Access Principles that broaden safe, responsible access to advanced AI so European developers, startups, and enterprises can compete more effectively.
- Advanced the European Security Program, providing AI-powered threat intelligence and cybersecurity capacity-building initiatives to strengthen Europe’s digital resilience against sophisticated threat actors.
Taken together, these steps underscore that the Sovereign Cloud strategy is not just about where data is stored, but also about governance, resilience, open innovation, and security capabilities tailored to regional expectations and regulations.
Networking
ExpressRoute Scalable Gateway
The new ExpressRoute Scalable Gateway (ErGwScale) Virtual Network Gateway SKU is now generally available. It offers ExpressRoute connectivity with bandwidth up to tens of Gbps and supports flexible scaling via scale units, so you can adjust performance to match your workload without recreating the gateway. This simplifies high-bandwidth hybrid connectivity scenarios and improves both reliability and cost control compared to traditional gateway SKUs.
Azure Virtual Network Manager address overlap prevention in mesh
Address overlap prevention for mesh topologies in Azure Virtual Network Manager is now generally available. The service automatically checks that the address spaces of virtual networks included in a mesh do not overlap, and blocks configurations that would cause ambiguous routing or dropped traffic. This improves reliability and simplifies governance of large-scale multi-VNet architectures.
TLS and TCP termination on Azure Application Gateway
Azure Application Gateway now supports general availability of TLS and TCP termination, extending scenarios beyond traditional HTTP(S) workloads. The gateway can front and load balance applications that expose custom TCP/TLS protocols, centralizing certificate and security policy management on the gateway instead of on each backend. This simplifies designs where you want a single entry point for both web and non-HTTP traffic targeting your applications.
Application Gateway for Containers – Slow start
The slow start load-balancing algorithm for Application Gateway for Containers is now generally available. When new pods or backend instances are added to a pool, traffic is ramped up gradually over a configurable warm-up period instead of being sent at full volume immediately. This helps avoid overloading freshly started pods, leads to smoother scale-out events, and reduces transient errors when applications need some time to become fully responsive after startup.
[In preview] – Application Gateway for Containers Istio Service Mesh integration
Application Gateway for Containers introduces, in public preview, integration with Istio via an optional service mesh extension. In this model the gateway acts as the north–south ingress for the mesh: it terminates external traffic, applies advanced L7 inspection and routing, and securely forwards traffic to services managed by Istio. This lets you combine the strengths of a service mesh (policies, observability, mTLS inside the cluster) with the enterprise-grade capabilities of an L7 application gateway at the edge.
[In preview] – Azure Network Watcher – Agentless Connection Troubleshoot
Azure Network Watcher’s Connection Troubleshoot feature now offers a fully agentless mode in public preview. You no longer need to install agents or VM extensions to run connectivity tests: diagnostics can be launched directly from the portal against the selected endpoints, validating NSG rules, effective routes, and reachability. This reduces operational overhead and significantly speeds up network troubleshooting between Azure resources.
[In preview] – Microsoft HTTP DDoS Ruleset 1.0 on Application Gateway WAF v2
Microsoft is releasing the Microsoft HTTP DDoS Ruleset 1.0 in public preview for Application Gateway WAF v2. This rule set is designed to mitigate HTTP layer DDoS attacks and malicious botnet traffic, going beyond static signatures with more behavioral and heuristic analysis of requests. It strengthens protection for web apps exposed via Application Gateway, typically without requiring major changes to existing WAF policies.
[In preview] – Azure Network Watcher Topology – AKS Visualization
The Network Watcher Topology view now extends to Azure Kubernetes Service (AKS) clusters. In preview you can see AKS nodes and their related networking resources, together with the topological relationships, directly inside the Azure networking experience. This makes it easier to investigate connectivity issues or misconfigurations affecting containerized workloads, without constantly switching between AKS blades, network resources, and external tools.
[In preview] – Azure VNet Flow Log – Filtering
Azure VNet Flow Logs, which capture IP traffic traversing virtual networks, subnets, and NICs, now introduce advanced filtering in public preview. You can limit logging to specific IP ranges, ports, directions, or traffic patterns and export only the flows that matter for your scenario. This helps reduce log volume (and cost) while preserving the necessary visibility for monitoring, troubleshooting, performance tuning, security analytics, and compliance.
[In preview] – Cross region pool association support for Azure Virtual Network Manager IP address management
Azure Virtual Network Manager’s IP Address Management (IPAM) feature adds public preview support for associating IP pools across regions. You can now define global IP pools and reuse them in different regions, while keeping centralized control over address uniqueness and alignment with corporate standards. This is particularly valuable for distributed, multi-region environments where manual management of address spaces becomes error-prone and difficult to audit.
[In preview] – Standard V2 NAT Gateway and StandardV2 Public IPs
New StandardV2 NAT Gateway and StandardV2 Public IP SKUs are available in public preview as the next generation outbound connectivity options for Azure. They provide higher scalability and resiliency, including zone-redundant designs in regions with Availability Zones, improving high availability for SNAT traffic to the Internet. These SKUs modernize outbound connectivity patterns from virtual networks and are better suited for large-scale, mission-critical workloads.
Storage
Azure NetApp Files single file restore from backup
Azure NetApp Files now supports single file restore from backup, generally available in all ANF-supported regions. Instead of restoring an entire volume just to recover a few items, you can restore individual files directly from the Azure NetApp Files backup vault. This significantly reduces both the time and cost of recovery operations and makes ANF backups much more practical for everyday “oops” scenarios like accidental deletes or small-scale data corruption.
[In preview] – Azure NetApp Files migration assistant (portal support)
The Azure NetApp Files migration assistant, based on SnapMirror, is now in public preview and available directly in the Azure portal. It leverages ONTAP’s built-in replication engine to deliver efficient, cost-effective data migration from on-premises ONTAP or Cloud Volumes ONTAP/other cloud providers to Azure NetApp Files.
The goal is to accelerate and simplify migrations of business-critical applications and datasets to Azure, while minimizing disruption. Key benefits include:
- Storage-efficient data transfer that reduces network transfer costs for both the initial baseline and incremental updates.
- Low cutover/downtime window, enabling fast and efficient final syncs so you can switch production workloads with minimal impact on users.
- Integrated data protection and metadata preservation: migrations include source volume snapshots for primary data protection, and preserve directory and file metadata to maintain security attributes and access control.
[In preview] – Azure NetApp Files cache volumes
Azure NetApp Files cache volumes are now available in public preview. Built on NetApp ONTAP FlexCache technology, this feature provides a persistent, high-performance cache in Azure for data stored on ONTAP-based storage volumes outside Azure NetApp Files.
By caching active (“hot”) data closer to users and cloud workloads, organizations can dramatically improve data access latency and throughput over WAN links. Practically, this lets you:
- Burst large on-premises datasets into Azure with near-local performance.
- Support compute-heavy workloads in Azure that rely on data hosted elsewhere.
- Enable globally distributed teams to collaborate on shared datasets without slow file transfers or manual data copies.
It’s particularly compelling for HPC, media & entertainment, engineering, and analytics scenarios where large shared datasets need to be accessed quickly from Azure without fully relocating the primary data.
[In preview] – Smart Tier account level tiering (Azure Blob Storage and ADLS)
Smart Tier introduces, in public preview, account-level automatic tiering for Azure Blob Storage and Azure Data Lake Storage (ADLS). Instead of manually moving data between tiers (hot, cool, archive, and so on), the service continuously analyzes access patterns and places objects in the most cost-effective tier, balancing cost and performance. The target is to reduce operational effort and optimize storage spend, especially in environments with large volumes of historical or infrequently accessed data.
[In preview] – Entra-only identities support with Azure Files SMB
Azure Files now supports Entra-only identities for SMB access in public preview. With Microsoft Entra Kerberos, users and groups defined only in the Entra tenant (with no on-premises Active Directory or hybrid sync) can authenticate directly to Azure Files shares. This enables fully cloud-native scenarios: you can retire dedicated domain controllers for these workloads, simplify identity infrastructure, and support solutions like Azure Virtual Desktop with FSLogix using cloud-only accounts.
Azure Local
New Sovereign Private Cloud and AI capabilities
As organizations double down on digital sovereignty, they need to balance strict regulatory requirements with the freedom to innovate. Azure Local continues to evolve in this direction, combining advanced AI capabilities with scalable infrastructure that can run in both public and fully private environments—giving governments, regulated industries, and multinational enterprises more control over where and how their data is processed.
Supporting thousands of AI models on Azure Local with NVIDIA RTX GPUs
To advance its Sovereign Private Cloud story with Azure Local, Microsoft is introducing a new Azure offering based on the latest NVIDIA RTX Pro 6000 Blackwell Server Edition GPU, purpose-built for high-performance AI workloads in sovereign environments.
This GPU is designed to run more than 1,000 AI models, including GPT OSS, DeepSeek-V3, Mistral NeMo, and Llama 4 Maverick, so organizations can accelerate their AI initiatives directly inside a sovereign private cloud. Customers gain the flexibility to experiment, build, and deploy advanced AI solutions with improved performance while maintaining strict control over data protection and compliance.
In addition, customers can tap into thousands of prebuilt and open-source AI models, ready to deploy across scenarios such as generative AI, advanced analytics, and real-time decision making. The combination of powerful GPU infrastructure and a rich model catalog makes it easier to move from experimentation to production while keeping governance and sovereignty front and center.
Increasing Azure Local scale to hundreds of servers
Historically, Azure Local supported single clusters of up to 16 physical servers. With the latest updates, Azure Local can now scale to hundreds of servers per deployment, opening up new options for organizations with large or fast-growing sovereign private cloud needs.
This increased scale allows customers to run bigger, more complex workloads, expand capacity as demand grows, and consolidate more services into a single Azure Local footprint. All of this can be done while remaining aligned with the security, compliance, and sovereignty requirements set by European and global regulators.
SAN support on Azure Local
A key part of expanding Sovereign Private Cloud scale is the introduction of Storage Area Network (SAN) support for Azure Local. Customers can now securely connect existing on-premises SAN solutions from leading storage vendors to Azure Local deployments.
This integration enables organizations to reuse their established storage investments, while taking advantage of Azure Local’s cloud-native services and operational model. Data can stay within the required jurisdiction, helping European enterprises and other regulated customers meet local data residency mandates without giving up performance, resilience, or control.
Microsoft 365 Local: General availability of key workloads
Another important milestone is the general availability of Microsoft 365 Local on Azure Local. Core productivity workloads—Exchange Server, SharePoint Server, and Skype for Business Server—can now run natively on Azure Local.
Starting in December, customers will be able to deploy these workloads in a connected mode, benefiting from Azure Local’s unified management plane and consistent Azure APIs. A fully disconnected option—for customers requiring complete isolation—is planned for early 2026.
This approach lets organizations keep familiar collaboration tools while running them inside a sovereign private cloud environment, maintaining operational control and aligning with stringent compliance and data residency requirements.
Disconnected operations: General availability
Microsoft’s Sovereign Private Cloud offering, powered by Azure Local, is designed for organizations with the strictest compliance, control, and isolation requirements. As part of this, Microsoft is introducing the upcoming general availability of disconnected operations.
Available in early 2026, disconnected operations will allow customers to:
- Run a fully on-premises control plane, independent from the public Azure control plane.
- Manage multiple Azure Local clusters from the same local control plane.
- Operate their private cloud environments securely and independently, within their own facilities or dedicated locations.
This capability is aimed at government agencies, multinational enterprises, and highly regulated or edge scenarios where connectivity to the public cloud may be limited, intermittent, or intentionally restricted. With disconnected operations, customers can maintain business continuity and operational resilience while still benefiting from the same platform consistency and innovation cadence they expect from Azure.
Conclusion
Microsoft Ignite 2025 clearly shows that Azure IaaS and Azure Local are evolving along three main axes: AI at scale, sovereign cloud and compliance-by-design, and operational maturity across different areas. From new capabilities in Azure Local and Microsoft 365 Local, to more advanced observability, networking features, and data services, the common thread is giving organizations more control over where workloads run, how data is governed, and how quickly they can turn innovation into production.
As always, the real value of these announcements comes from mapping them to your roadmap: which features help you modernize existing workloads, which ones enable new scenarios (for example sovereign AI, disconnected operations, or large-scale hybrid deployments), and which should be piloted first. This post has focused on the updates most relevant to Azure IaaS and Azure Local, but if you want to go deeper or explore adjacent areas like developer tools or data & AI platforms, the Microsoft Ignite 2025 Book of News remains the best companion to continue your exploration.
