Category archives: Datacenter Management

Azure IaaS and Azure Local: Microsoft Ignite 2025 Special Edition

This post is a special edition of my regular “Azure IaaS and Azure Local: announcements and updates” series, dedicated entirely to the wave of news coming from Microsoft Ignite 2025. As every year, Ignite condenses in a few days an impressive number of announcements across infrastructure, networking, management, AI, and sovereign cloud – so this edition is intentionally focused on helping you navigate what matters most if you work with Azure IaaS and Azure Local in the field.

Rather than attempting to cover every single announcement, I’ve selected the updates that I consider most relevant for architects, IT pros, and cloud practitioners: from networking and observability improvements, to new capabilities in Azure Local, Sovereign Private Cloud, and Microsoft 365 Local, all the way to storage, and hybrid innovations.

For a complete view of everything announced at Ignite, including services and scenarios outside the scope of this post, I strongly recommend reading the official Microsoft Ignite 2025 Book of News, which provides the full catalog of updates, an interactive table of contents, and translation options for global audiences.

Azure

General

Microsoft Sovereign Cloud: continuous innovation

Alongside the many Azure product updates, Microsoft is also pushing forward on the Microsoft Sovereign Cloud vision, with new capabilities across AI, security, and productivity, plus a roadmap of features specifically targeting sovereign cloud needs.

Microsoft emphasizes that sovereignty is not a one-off project but an area of continuous innovation, and several concrete commitments have already moved into execution. As of this month, Microsoft has:

  • Established a European board of directors made up of European nationals, responsible for overseeing all datacenter operations in line with European law – effectively placing Europe’s cloud infrastructure in European hands.
  • Expanded European datacenter capacity, with new regions launched in Austria and another coming online in Belgium this month.
  • Embedded digital resiliency commitments into all relevant government contracts, making resilience and continuity guarantees part of the core commercial framework.
  • Increased investment in open source, by funding secure OSS projects and collaborations, and by publishing AI Access Principles that broaden safe, responsible access to advanced AI so European developers, startups, and enterprises can compete more effectively.
  • Advanced the European Security Program, providing AI-powered threat intelligence and cybersecurity capacity-building initiatives to strengthen Europe’s digital resilience against sophisticated threat actors.

Taken together, these steps underscore that the Sovereign Cloud strategy is not just about where data is stored, but also about governance, resilience, open innovation, and security capabilities tailored to regional expectations and regulations.

Networking

ExpressRoute Scalable Gateway

The new ExpressRoute Scalable Gateway (ErGwScale) virtual network gateway SKU is now generally available. It offers ExpressRoute connectivity of up to 40 Gbps and is sized in scale units of 1 Gbps each, so you can raise or lower gateway performance to match your workload without recreating the gateway. This simplifies high-bandwidth hybrid connectivity scenarios and improves both reliability and cost control compared with the fixed-size gateway SKUs.

Azure Virtual Network Manager address overlap prevention in mesh

Address overlap prevention for mesh topologies in Azure Virtual Network Manager is now generally available. The service automatically checks that the address spaces of virtual networks included in a mesh do not overlap, and blocks configurations that would cause ambiguous routing or dropped traffic. This improves reliability and simplifies governance of large-scale multi-VNet architectures.
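The check that AVNM performs for mesh members is easy to reproduce offline before you onboard VNets, which is useful when the VNets live in subscriptions you cannot yet see from AVNM. The following added example (not code from the original post or from AVNM) flags every pair of prefixes, across different VNets, that overlap, and lists the VNets that can join a mesh cleanly. The VNet names and address spaces are constructed sample data.

```python
"""Pre-flight overlap check for VNets that are candidates for an AVNM mesh.

Added example, not part of the original post or of Azure Virtual Network
Manager itself. SAMPLE_VNETS is constructed inventory data.
"""
import ipaddress
from itertools import combinations

# Constructed sample inventory: VNet name -> list of address prefixes.
SAMPLE_VNETS = {
    "hub-weu":    ["10.0.0.0/16"],
    "spoke-app":  ["10.1.0.0/16", "192.168.10.0/24"],
    "spoke-data": ["10.1.128.0/17"],      # sits inside spoke-app's 10.1.0.0/16
    "spoke-dmz":  ["172.16.0.0/12"],
    "branch-lab": ["192.168.0.0/16"],     # contains spoke-app's 192.168.10.0/24
}


def find_overlaps(vnets):
    """Return sorted (vnet_a, prefix_a, vnet_b, prefix_b) tuples for every
    pair of prefixes, belonging to different VNets, that overlap.

    strict=True rejects prefixes with host bits set, which is the same
    validation Azure applies to a VNet address space.
    """
    prefixes = [
        (name, ipaddress.ip_network(p, strict=True))
        for name, plist in vnets.items()
        for p in plist
    ]
    clashes = []
    for (name_a, net_a), (name_b, net_b) in combinations(prefixes, 2):
        if name_a == name_b:
            continue  # prefixes inside one VNet cannot overlap to begin with
        if net_a.version == net_b.version and net_a.overlaps(net_b):
            clashes.append((name_a, str(net_a), name_b, str(net_b)))
    return sorted(clashes)


def mesh_candidates(vnets):
    """Names of the VNets that are not involved in any overlap."""
    clashing = {n for c in find_overlaps(vnets) for n in (c[0], c[2])}
    return sorted(set(vnets) - clashing)


if __name__ == "__main__":
    for a, pa, b, pb in find_overlaps(SAMPLE_VNETS):
        print(f"OVERLAP: {a} {pa}  <->  {b} {pb}")
    print("safe to add to the mesh:", mesh_candidates(SAMPLE_VNETS))
```

Feed it the address spaces exported from your subscriptions (for example the `addressSpace.addressPrefixes` of each VNet) and fix the clashes before enabling the mesh; AVNM will otherwise block the configuration.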

TLS and TCP termination on Azure Application Gateway

TLS and TCP termination on Azure Application Gateway is now generally available, extending the service beyond traditional HTTP(S) workloads. The gateway can front and load balance applications that expose custom TCP or TLS protocols, centralizing certificate and security policy management on the gateway instead of on each backend. This simplifies designs that need a single entry point for both web and non-HTTP traffic. Keep in mind that the WAF inspects HTTP(S) listeners only: traffic arriving on TCP or TLS listeners is terminated and forwarded, not inspected, so backends behind those listeners still need their own protocol-level controls.

Application Gateway for Containers – Slow start

The slow start load-balancing algorithm for Application Gateway for Containers is now generally available. When new pods or backend instances are added to a pool, traffic is ramped up gradually over a configurable warm-up period instead of being sent at full volume immediately. This helps avoid overloading freshly started pods, leads to smoother scale-out events, and reduces transient errors when applications need some time to become fully responsive after startup.
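To make the ramp-up concrete, here is an added example (not the Application Gateway for Containers implementation, and not code from the original post) of the weighting idea behind slow start: a freshly added backend gets a weight that grows linearly from a small floor to its full value over a warm-up window, and the share of requests it receives follows that weight. The pool, the 60-second window and the floor of one weight unit are constructed assumptions.

```python
"""Slow-start weighting for a newly added backend.

Added example illustrating the concept described in the post; it is not the
algorithm shipped in Application Gateway for Containers. Pool data, warm-up
length and the weight floor are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Backend:
    name: str
    full_weight: int
    joined_at: float  # seconds on the same clock as `now`


def sample_pool():
    # Two warmed-up pods plus one that joins at t=0 (constructed data).
    return [
        Backend("pod-a", 100, joined_at=-1000.0),
        Backend("pod-b", 100, joined_at=-1000.0),
        Backend("pod-new", 100, joined_at=0.0),
    ]


def effective_weight(backend, now, warmup):
    """Weight to use for `backend` at time `now`.

    Before the backend has joined it gets no traffic. During the warm-up
    window the weight ramps linearly; a floor of 1 keeps a trickle of
    requests flowing so health and latency can be observed. With
    warmup <= 0 slow start is disabled and the full weight applies at once.
    """
    if now < backend.joined_at:
        return 0
    if warmup <= 0:
        return backend.full_weight
    fraction = min(1.0, (now - backend.joined_at) / warmup)
    return max(1, round(backend.full_weight * fraction))


def weights_at(backends, now, warmup):
    return {b.name: effective_weight(b, now, warmup) for b in backends}


def traffic_shares(backends, now, warmup):
    """Fraction of requests each backend receives under weighted balancing."""
    weights = weights_at(backends, now, warmup)
    total = sum(weights.values())
    return {name: (w / total if total else 0.0) for name, w in weights.items()}


if __name__ == "__main__":
    pool = sample_pool()
    for t in (0.0, 15.0, 30.0, 45.0, 60.0, 90.0):
        shares = traffic_shares(pool, t, warmup=60.0)
        print(f"t={t:>5.0f}s  " + "  ".join(f"{n}={s:.2f}" for n, s in shares.items()))
    print("without slow start:", traffic_shares(pool, 0.0, warmup=0.0))
```

At t=0 the new pod receives about half a percent of requests instead of a third, and only reaches an equal share once the window has elapsed; that is the difference between a pod that warms its caches and connection pools gracefully and one that returns errors or timeouts under a sudden full load.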

[In preview] – Application Gateway for Containers Istio Service Mesh integration

Application Gateway for Containers introduces, in public preview, integration with Istio via an optional service mesh extension. In this model the gateway acts as the north–south ingress for the mesh: it terminates external traffic, applies advanced L7 inspection and routing, and securely forwards traffic to services managed by Istio. This lets you combine the strengths of a service mesh (policies, observability, mTLS inside the cluster) with the enterprise-grade capabilities of an L7 application gateway at the edge.

[In preview] – Azure Network Watcher – Agentless Connection Troubleshoot

Azure Network Watcher’s Connection Troubleshoot feature now offers a fully agentless mode in public preview. You no longer need to install agents or VM extensions to run connectivity tests: diagnostics can be launched directly from the portal against the selected endpoints, validating NSG rules, effective routes, and reachability. This reduces operational overhead and significantly speeds up network troubleshooting between Azure resources.

[In preview] – Microsoft HTTP DDoS Ruleset 1.0 on Application Gateway WAF v2

Microsoft is releasing the Microsoft HTTP DDoS Ruleset 1.0 in public preview for Application Gateway WAF v2. This rule set is designed to mitigate HTTP layer DDoS attacks and malicious botnet traffic, going beyond static signatures with more behavioral and heuristic analysis of requests. It strengthens protection for web apps exposed via Application Gateway, typically without requiring major changes to existing WAF policies.

[In preview] – Azure Network Watcher Topology – AKS Visualization

The Network Watcher Topology view now extends to Azure Kubernetes Service (AKS) clusters. In preview you can see AKS nodes and their related networking resources, together with the topological relationships, directly inside the Azure networking experience. This makes it easier to investigate connectivity issues or misconfigurations affecting containerized workloads, without constantly switching between AKS blades, network resources, and external tools.

[In preview] – Azure VNet Flow Log – Filtering

Azure VNet Flow Logs, which capture IP traffic traversing virtual networks, subnets, and NICs, now introduce advanced filtering in public preview. You can limit logging to specific IP ranges, ports, directions, or traffic patterns and export only the flows that matter for your scenario. This helps reduce log volume (and cost) while preserving the necessary visibility for monitoring, troubleshooting, performance tuning, security analytics, and compliance.

[In preview] – Cross region pool association support for Azure Virtual Network Manager IP address management

Azure Virtual Network Manager’s IP Address Management (IPAM) feature adds public preview support for associating IP pools across regions. You can now define global IP pools and reuse them in different regions, while keeping centralized control over address uniqueness and alignment with corporate standards. This is particularly valuable for distributed, multi-region environments where manual management of address spaces becomes error-prone and difficult to audit.

[In preview] – Standard V2 NAT Gateway and StandardV2 Public IPs

New StandardV2 NAT Gateway and StandardV2 Public IP SKUs are available in public preview as the next generation outbound connectivity options for Azure. They provide higher scalability and resiliency, including zone-redundant designs in regions with Availability Zones, improving high availability for SNAT traffic to the Internet. These SKUs modernize outbound connectivity patterns from virtual networks and are better suited for large-scale, mission-critical workloads.

Storage

Azure NetApp Files single file restore from backup

Azure NetApp Files now supports single file restore from backup, generally available in all ANF-supported regions. Instead of restoring an entire volume just to recover a few items, you can restore individual files directly from the Azure NetApp Files backup vault. This significantly reduces both the time and cost of recovery operations and makes ANF backups much more practical for everyday “oops” scenarios like accidental deletes or small-scale data corruption.

[In preview] – Azure NetApp Files migration assistant (portal support)

The Azure NetApp Files migration assistant, based on SnapMirror, is now in public preview and available directly in the Azure portal. It uses ONTAP's built-in replication engine to deliver efficient, cost-effective data migration to Azure NetApp Files from on-premises ONTAP systems or from Cloud Volumes ONTAP running in other clouds.

The goal is to accelerate and simplify migrations of business-critical applications and datasets to Azure, while minimizing disruption. Key benefits include:

  • Storage-efficient data transfer that reduces network transfer costs for both the initial baseline and incremental updates.
  • Low cutover/downtime window, enabling fast and efficient final syncs so you can switch production workloads with minimal impact on users.
  • Integrated data protection and metadata preservation: migrations include source volume snapshots for primary data protection, and preserve directory and file metadata to maintain security attributes and access control.

[In preview] – Azure NetApp Files cache volumes

Azure NetApp Files cache volumes are now available in public preview. Built on NetApp ONTAP FlexCache technology, this feature provides a persistent, high-performance cache in Azure for data stored on ONTAP-based storage volumes outside Azure NetApp Files.

By caching active (“hot”) data closer to users and cloud workloads, organizations can dramatically improve data access latency and throughput over WAN links. Practically, this lets you:

  • Burst large on-premises datasets into Azure with near-local performance.
  • Support compute-heavy workloads in Azure that rely on data hosted elsewhere.
  • Enable globally distributed teams to collaborate on shared datasets without slow file transfers or manual data copies.

It’s particularly compelling for HPC, media & entertainment, engineering, and analytics scenarios where large shared datasets need to be accessed quickly from Azure without fully relocating the primary data.

[In preview] – Smart Tier account level tiering (Azure Blob Storage and ADLS)

Smart Tier introduces, in public preview, account-level automatic tiering for Azure Blob Storage and Azure Data Lake Storage (ADLS). Instead of manually moving data between tiers (hot, cool, archive, and so on), the service continuously analyzes access patterns and places objects in the most cost-effective tier, balancing cost and performance. The target is to reduce operational effort and optimize storage spend, especially in environments with large volumes of historical or infrequently accessed data.

[In preview] – Entra-only identities support with Azure Files SMB

Azure Files now supports Entra-only identities for SMB access in public preview. With Microsoft Entra Kerberos, users and groups defined only in the Entra tenant (with no on-premises Active Directory or hybrid sync) can authenticate directly to Azure Files shares. This enables fully cloud-native scenarios: you can retire dedicated domain controllers for these workloads, simplify identity infrastructure, and support solutions like Azure Virtual Desktop with FSLogix using cloud-only accounts.

Azure Local

New Sovereign Private Cloud and AI capabilities

As organizations double down on digital sovereignty, they need to balance strict regulatory requirements with the freedom to innovate. Azure Local continues to evolve in this direction, combining advanced AI capabilities with scalable infrastructure that can run in both public and fully private environments—giving governments, regulated industries, and multinational enterprises more control over where and how their data is processed.

Supporting thousands of AI models on Azure Local with NVIDIA RTX GPUs

To advance its Sovereign Private Cloud story with Azure Local, Microsoft is introducing a new Azure offering based on the latest NVIDIA RTX Pro 6000 Blackwell Server Edition GPU, purpose-built for high-performance AI workloads in sovereign environments.

The offering is sized to run more than 1,000 AI models, including GPT OSS, DeepSeek-V3, Mistral NeMo, and Llama 4 Maverick, so organizations can accelerate their AI initiatives directly inside a sovereign private cloud. Customers gain the flexibility to experiment, build, and deploy advanced AI solutions with improved performance while keeping strict control over data protection and compliance.

In addition, customers can tap into thousands of prebuilt and open-source AI models, ready to deploy across scenarios such as generative AI, advanced analytics, and real-time decision making. The combination of powerful GPU infrastructure and a rich model catalog makes it easier to move from experimentation to production while keeping governance and sovereignty front and center.

Increasing Azure Local scale to hundreds of servers

Historically, Azure Local supported single clusters of up to 16 physical servers. With the latest updates, Azure Local can now scale to hundreds of servers per deployment, opening up new options for organizations with large or fast-growing sovereign private cloud needs.

This increased scale allows customers to run bigger, more complex workloads, expand capacity as demand grows, and consolidate more services into a single Azure Local footprint. All of this can be done while remaining aligned with the security, compliance, and sovereignty requirements set by European and global regulators.

SAN support on Azure Local

A key part of expanding Sovereign Private Cloud scale is the introduction of Storage Area Network (SAN) support for Azure Local. Customers can now securely connect existing on-premises SAN solutions from leading storage vendors to Azure Local deployments.

This integration enables organizations to reuse their established storage investments, while taking advantage of Azure Local’s cloud-native services and operational model. Data can stay within the required jurisdiction, helping European enterprises and other regulated customers meet local data residency mandates without giving up performance, resilience, or control.

Microsoft 365 Local: General availability of key workloads

Another important milestone is the general availability of Microsoft 365 Local on Azure Local. Core productivity workloads—Exchange Server, SharePoint Server, and Skype for Business Server—can now run natively on Azure Local.

Starting in December, customers will be able to deploy these workloads in a connected mode, benefiting from Azure Local’s unified management plane and consistent Azure APIs. A fully disconnected option—for customers requiring complete isolation—is planned for early 2026.

This approach lets organizations keep familiar collaboration tools while running them inside a sovereign private cloud environment, maintaining operational control and aligning with stringent compliance and data residency requirements.

Disconnected operations: General availability

Microsoft’s Sovereign Private Cloud offering, powered by Azure Local, is designed for organizations with the strictest compliance, control, and isolation requirements. As part of this, Microsoft has announced that disconnected operations will reach general availability in early 2026.

Available in early 2026, disconnected operations will allow customers to:

  • Run a fully on-premises control plane, independent from the public Azure control plane.
  • Manage multiple Azure Local clusters from the same local control plane.
  • Operate their private cloud environments securely and independently, within their own facilities or dedicated locations.

This capability is aimed at government agencies, multinational enterprises, and highly regulated or edge scenarios where connectivity to the public cloud may be limited, intermittent, or intentionally restricted. With disconnected operations, customers can maintain business continuity and operational resilience while still benefiting from the same platform consistency and innovation cadence they expect from Azure.

Conclusion

Microsoft Ignite 2025 clearly shows that Azure IaaS and Azure Local are evolving along three main axes: AI at scale, sovereign cloud and compliance-by-design, and operational maturity across different areas. From new capabilities in Azure Local and Microsoft 365 Local, to more advanced observability, networking features, and data services, the common thread is giving organizations more control over where workloads run, how data is governed, and how quickly they can turn innovation into production.

As always, the real value of these announcements comes from mapping them to your roadmap: which features help you modernize existing workloads, which ones enable new scenarios (for example sovereign AI, disconnected operations, or large-scale hybrid deployments), and which should be piloted first. This post has focused on the updates most relevant to Azure IaaS and Azure Local, but if you want to go deeper or explore adjacent areas like developer tools or data & AI platforms, the Microsoft Ignite 2025 Book of News remains the best companion to continue your exploration.

Azure IaaS and Azure Local: announcements and updates (November 2025 – Weeks: 45 and 46)

This blog post series highlights the key announcements and major updates related to Azure Infrastructure as a Service (IaaS) and Azure Local, as officially released by Microsoft in the past two weeks.

Azure

General

Azure MCP Server

Azure MCP Server is now generally available, bringing the power of the cloud directly into agent-based and AI-driven workflows while redefining how developers interact with Azure. Built on the Model Context Protocol (MCP), it establishes a secure, standards-based bridge between Azure services—such as Azure Kubernetes Service (AKS), Azure Container Apps (ACA), App Service, Cosmos DB, Azure SQL, Azure AI Foundry, and Microsoft Fabric—and AI-powered tools like GitHub Copilot. By enabling agents to securely access and operate on these services, Azure MCP Server helps eliminate context switching, streamline development and operations tasks, and accelerate innovation. At the same time, it is designed with enterprise-grade security and scalability in mind, allowing organizations to confidently integrate AI-driven automation into their Azure environments.

Networking

Three important updates for Azure Virtual Network Manager

Azure Virtual Network Manager (AVNM) is now enriched with three generally available capabilities designed to enhance governance, automation, and compliance at scale.

  • UseExisting mode for User-Defined Route (UDR) management: AVNM detects an existing route table associated with a subnet and appends only the necessary routes to it, preserving the original route table’s name, resource group, and tags. If no route table is present, AVNM continues to create and manage one as before. This gives customers the flexibility to retain ownership of routing configurations while benefiting from centralized automation.
  • IP Address Management (IPAM) Pool Association Recommendation: AVNM automatically identifies all virtual networks within its scope that are not associated with an IPAM pool and recommends the most suitable pool based on longest-prefix matching. Administrators can then bulk associate these virtual networks directly from the Azure portal, reducing manual effort and minimizing address-space conflicts.
  • Peering compliance: virtual network peerings managed through AVNM topology are protected against unauthorized changes or deletions made outside AVNM. Key peering properties can only be modified via AVNM connectivity configurations, ensuring cons
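The pool recommendation rests on longest-prefix matching: among the pools whose range contains the VNet's address space, the most specific one wins. The following added example (not code from the original post, and not AVNM's implementation) shows that rule on a constructed pool hierarchy, so you can predict what AVNM will propose, or flag VNets that no pool covers, before you bulk associate. Pool and VNet names and prefixes are constructed sample data.

```python
"""Longest-prefix-match pool recommendation for unassociated VNets.

Added example illustrating the matching rule described in the post; it is
not Azure Virtual Network Manager's own code. SAMPLE_POOLS and
UNASSOCIATED_VNETS are constructed data.
"""
import ipaddress

# Constructed IPAM pool hierarchy: pool name -> address range.
SAMPLE_POOLS = {
    "corp-global":    "10.0.0.0/8",
    "corp-emea":      "10.10.0.0/16",
    "corp-emea-prod": "10.10.64.0/18",
    "partners":       "172.16.0.0/12",
}

# Constructed VNets not yet associated with any pool: name -> address space.
UNASSOCIATED_VNETS = {
    "vnet-prod-weu": "10.10.80.0/22",    # inside /8, /16 and /18 -> /18 wins
    "vnet-test-neu": "10.10.200.0/24",   # inside /8 and /16 only -> /16 wins
    "vnet-shared":   "10.200.0.0/16",    # only the /8 contains it
    "vnet-b2b":      "172.20.0.0/16",    # partners range
    "vnet-lab":      "192.168.5.0/24",   # no pool covers it
}


def recommend_pool(vnet_prefix, pools):
    """Name of the most specific pool containing `vnet_prefix`, or None."""
    net = ipaddress.ip_network(vnet_prefix, strict=True)
    best_name, best_len = None, -1
    for name, pool_prefix in pools.items():
        pool = ipaddress.ip_network(pool_prefix, strict=True)
        # subnet_of raises on mixed IPv4/IPv6, so compare versions first.
        if pool.version == net.version and net.subnet_of(pool):
            if pool.prefixlen > best_len:
                best_name, best_len = name, pool.prefixlen
    return best_name


def recommendations(vnets, pools):
    """Map every VNet to its recommended pool (None where nothing matches)."""
    return {name: recommend_pool(prefix, pools) for name, prefix in vnets.items()}


def uncovered(vnets, pools):
    """VNets that no pool contains; these need a new pool or a re-address."""
    return sorted(n for n, p in recommendations(vnets, pools).items() if p is None)


if __name__ == "__main__":
    for vnet, pool in recommendations(UNASSOCIATED_VNETS, SAMPLE_POOLS).items():
        print(f"{vnet:<14} -> {pool or '(no matching pool)'}")
    print("uncovered:", uncovered(UNASSOCIATED_VNETS, SAMPLE_POOLS))
```

VNets with several address prefixes are not modelled here; for those, run the function per prefix and treat a disagreement between prefixes as something to resolve by hand rather than bulk associate.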

DNS flow trace logs for Azure Firewall

Azure Firewall now supports DNS flow trace logs, a new logging capability that delivers deep, end-to-end visibility into DNS traffic and name resolution paths. Building on existing DNS Proxy functionality, this feature records rich metadata such as query types, response codes, queried domains, upstream DNS servers, and the source and destination IP addresses for each request. With this enhanced telemetry, customers can more effectively troubleshoot application connectivity issues, validate DNS forwarding and custom DNS configurations, and strengthen their security posture through improved auditing and investigations. The capability also provides insights into whether the Azure Firewall DNS cache was used during resolution, enabling teams to better understand performance characteristics and optimize DNS behavior across their environments.

Troubleshooting Azure Firewall using packet capture

Azure Firewall now supports packet capture as a generally available capability to help customers troubleshoot network issues with greater precision. Packet capture is designed to record specific traffic flows, which can be filtered based on parameters such as protocol, flags, and custom filters, allowing teams to focus on the most relevant data for their investigations. Administrators can initiate packet captures directly from the Azure portal for an interactive experience, or automate and script the process using PowerShell for repeatable diagnostics in larger environments. By analyzing the captured packets, network and security teams can more easily identify misconfigurations, connectivity problems, or anomalous traffic patterns, accelerating root-cause analysis and improving the overall reliability and security of their Azure Firewall deployments.

Azure WAF JavaScript challenge on Azure Front Door

Azure Web Application Firewall (WAF) on Azure Front Door now offers a JavaScript (JS) challenge as a generally available security feature, designed to enhance bot mitigation without impacting user experience. The JS challenge runs silently in the background to distinguish legitimate clients from malicious automated traffic, avoiding the friction and user interaction typical of CAPTCHA-based approaches. Malicious bots that fail the challenge are blocked, helping protect web applications from automated attacks such as credential stuffing, scraping, and abuse of exposed endpoints. At the same time, legitimate users experience seamless access with no interruptions. The JS challenge is available as a mitigation action within both the Bot Managed ruleset and custom rules, giving security teams flexibility to integrate it into existing WAF policies and tailor protections to their specific application scenarios.

Application Gateway for Containers with Web Application Firewall

Azure Web Application Firewall (WAF) support for Application Gateway for Containers is now generally available, bringing advanced web protection to containerized application workloads. Application Gateway for Containers represents the next evolution of Application Gateway combined with Application Gateway Ingress Controller, and with integrated WAF it can now safeguard workloads against a broad range of web-based attacks, including SQL injection, cross-site scripting, and protocol anomalies. By enabling WAF, customers gain access to Azure-managed Default Rulesets (DRS), which provide protection not only against threats identified by the Open Web Application Security Project (OWASP), but also additional signatures curated by Microsoft’s Threat Intelligence Center (MSTIC). Furthermore, users can take advantage of bot protection via bot manager rulesets and apply rate limiting custom rules to help mitigate distributed denial-of-service (DDoS) style behaviors at the application layer, enhancing both security and resilience for container-based applications.

ExpressRoute resiliency

ExpressRoute resiliency capabilities are now generally available, offering customers deeper insights into and validation of the reliability of their hybrid connectivity. At the core of this enhancement is resiliency insights, an assessment feature that calculates a resiliency index—a percentage score derived from factors such as route resilience, use of zone-redundant gateways, adherence to advisory recommendations, and the results of resiliency validation tests. This index evaluates the control plane resiliency of ExpressRoute connectivity between Azure Virtual Network Gateways and on-premises networks, helping organizations identify gaps and strengthen their architecture. Complementing this, resiliency validation enables customers to perform site failovers for their Virtual Network Gateways, simulating site outages and migration scenarios to test failover effectiveness. By proactively assessing and improving their resiliency index and running validation tests, customers can enhance the robustness of their ExpressRoute connectivity and better ensure continuous access to Azure workloads.

Monitoring end-to-end ExpressRoute connectivity with Connection Monitor

Monitoring integration for ExpressRoute with Connection Monitor is now generally available, simplifying end-to-end observability for hybrid network workloads. With this capability, customers can enable Connection Monitor directly during the creation or update of their ExpressRoute connections, eliminating the need for separate monitoring configuration steps. Once enabled, Connection Monitor provides continuous visibility into connectivity health, latency, and reachability across ExpressRoute paths, offering actionable insights into the performance and reliability of on-premises-to-Azure connectivity. By activating monitoring from day one, organizations can more quickly detect issues, validate the behavior of their network architecture, and maintain a consistently high level of service for critical applications that rely on ExpressRoute.

Storage

Object Replication Priority Replication for Azure Blob

Object Replication Priority Replication for Azure Blob is now generally available, enabling users to obtain prioritized replication from the source to the destination storage account defined in their replication policy. When priority replication is enabled, and both the source and destination accounts are located within the same continent, customers benefit from a Service Level Agreement (SLA) that guarantees 99.0% of operations are replicated from the source container to the destination container within 15 minutes over the billing month. This capability offers organizations greater assurance that their data is replicated quickly and consistently, supporting scenarios that require tighter recovery point objectives, more predictable cross-account synchronization, and stronger safeguards for business-critical workloads.

Geo Priority Replication for Azure Blob

Geo Priority Replication for Azure Blob is now generally available, enhancing the replication experience for Geo-Redundant Storage (GRS) and Geo-Zone-Redundant Storage (GZRS) accounts by accelerating data replication between primary and secondary regions. This feature is backed by a Service Level Agreement (SLA) that ensures the Last Sync Time for Block Blob data remains at 15 minutes or less for 99.0% of the billing month. By providing a predictable upper bound on replication lag, Geo Priority Replication strengthens confidence in data durability and availability, particularly in scenarios where an unexpected outage in the primary region may trigger a failover. Organizations can rely on this capability to maintain a more up-to-date replica of their data in the secondary region, improving their resilience posture and readiness for regional disruptions.

Ultra Disk’s new flexible provisioning model

The new flexible provisioning model for Azure Ultra Disk is now generally available, giving customers greater control over performance and cost optimization for demanding workloads. With this enhancement, users can configure disk capacity, IOPS, and throughput (MBps) more independently, rather than being constrained by fixed performance tiers. This flexibility allows organizations to right-size performance characteristics to match specific application requirements, whether they are optimizing for latency-sensitive databases, high-throughput analytics, or transaction-heavy workloads. The new model applies to both new and existing Ultra Disks, enabling customers to adjust current deployments without re-architecting their infrastructure, and helping them achieve an improved balance between performance and total cost of ownership.

Object Replication Metrics for Azure Blob Storage

Object Replication metrics for Azure Blob Storage are now generally available in all regions, giving customers deeper visibility into the progress and health of their replication workflows. These metrics introduce two key indicators: Pending Operations, which tracks the total number of operations awaiting replication from the source to the destination storage account, and Pending Bytes, which tracks the total volume of data still pending replication. Both metrics are emitted in time buckets (for example, <5 minutes, 5–10 minutes, 10–15 minutes), showing how long operations have been waiting to replicate. This granular view helps organizations quickly identify delays in the replication pipeline, optimize performance, and maintain high availability across their Object Replication policies by proactively responding to emerging bottlenecks.

Planned Failover for Azure Storage

Planned Failover for Azure Storage is now generally available, enabling customer-managed failover of geo-redundant storage accounts while preserving geo-redundancy and data durability. With this capability, organizations can seamlessly swap the primary and secondary endpoints of a geo-redundant account so that, after failover, all new write operations target the original secondary region, which becomes the new primary. This feature supports scenarios such as disaster recovery drills, partial outages where storage remains healthy, and proactive preparation for potential disasters. Planned Failover is available for GPv2 storage accounts and is compatible with Blob, Azure Data Lake Storage Gen2, Table, File, and Queue data, giving customers a consistent mechanism to validate and execute controlled failovers across a broad range of storage workloads.

Azure NetApp Files Object REST API (preview)

The Azure NetApp Files Object REST API, currently in public preview, introduces an S3-compatible REST interface that bridges traditional file-based storage with modern cloud-native services. By exposing object-style access on top of Azure NetApp Files, this capability allows customers to reuse existing datasets with new consumption patterns, including native S3 access from modern applications and integration with other Azure services. In particular, it enables scenarios such as direct integration with Microsoft Fabric and Azure AI services, helping organizations unlock new analytics and AI-driven use cases without restructuring their storage architecture. As a result, customers can reduce costs, accelerate innovation, and derive more value from their existing data and storage investments while evaluating this new capability during the preview phase.

Conclusion

Over the past two weeks, Microsoft has introduced a slew of updates and announcements pertaining to Azure Infrastructure as a Service (IaaS) and Azure Local. These developments underscore the tech giant’s unwavering commitment to enhancing its cloud offerings and adapting to the ever-evolving needs of businesses and developers. Users of Azure can anticipate improved functionalities, streamlined services, and enriched features as a result of these changes. Stay tuned for more insights as I continue to monitor and report on Azure’s progression in the cloud sphere.

Azure Hybrid Management & Security: What’s New and Insights from the Field – October 2025

Once again this month, I’m back with my recurring series focused on the evolution of Azure management and security services, with a special focus on hybrid and multicloud scenarios enabled by Azure Arc and enhanced by the use of Artificial Intelligence.

This monthly series aims to:

  • Provide an overview of the most relevant updates released by Microsoft;

  • Share operational tips and field-proven best practices to help architects and IT leaders manage complex and distributed environments more effectively;

  • Follow the evolution towards a centralized, proactive, and AI-driven management model, in line with Microsoft’s vision of AI-powered Management.

The main areas addressed in this series, together with the corresponding tools and services, are described in this article.

Hybrid and multicloud environment management

Azure Arc

Microsoft recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for Distributed Hybrid Infrastructure

Microsoft has once again been recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for Distributed Hybrid Infrastructure, for the third consecutive year, confirming the value delivered in running workloads across hybrid, edge, multicloud, and sovereign scenarios with Azure. At the heart of this result is Azure’s adaptive cloud approach, built on Azure Arc and Azure Local. Azure Arc extends Azure controls—through Azure Resource Manager—to on-premises, edge, and multicloud environments, enabling services such as Azure Kubernetes Service (AKS), Microsoft Defender for Cloud, Azure IoT Operations, and Azure AI Video Indexer. Azure Local brings Azure services and management into customer-owned environments, allowing local execution of cloud-native workloads, including virtual machines and Arc-enabled AKS clusters, and supporting the Sovereign Private Cloud strategy for isolated and compliant operations while maintaining consistency with Azure.

Firmware analysis enabled by Azure Arc

The firmware analysis capability enabled by Azure Arc is now available. The service provides deep visibility into the software powering Internet of Things (IoT)/Operational Technology (OT) devices and network appliances—systems often treated as “black boxes” with limited transparency into their security posture.
Users upload the device’s firmware image and receive a detailed report generated by automated security analysis, useful for identifying vulnerabilities, outdated components, and compliance risks in hybrid and multicloud environments governed with Arc.

Security posture across hybrid and multicloud infrastructures

Microsoft Defender for Cloud

New features, bug fixes, and deprecated features of Microsoft Defender for Cloud

The development of Microsoft Defender for Cloud is constantly evolving, with continuous improvements being introduced. To stay updated on the latest developments, Microsoft updates this page, which provides information on new features, bug fixes, and deprecated features. Specifically, this month’s main news includes:

  • Outbound network requirements update for Microsoft Defender for Containers: Microsoft has updated the outbound network requirements for the Microsoft Defender for Containers sensor. The change affects all subscriptions using the sensor. Effective immediately, the sensor must be able to reach the Fully Qualified Domain Name (FQDN) *.cloud.defender.microsoft.com on port 443 over the HTTPS protocol. It is recommended to add this FQDN (and related port) to your outbound restriction mechanisms—such as proxies or firewalls. If egress traffic from clusters is not blocked, no changes are required. To validate connectivity to Defender for Containers endpoints, you can run the dedicated test script from the cluster. To avoid service disruptions, any changes on Google Kubernetes Engine (GKE) and Elastic Kubernetes Service (EKS) must be completed by September 30, 2026; otherwise, the sensor may not function as expected.
  • Microsoft Defender for Cloud: new permission for the GitHub connector (October 23, 2025). Microsoft Defender for Cloud is updating its GitHub connector to require the new artifact_metadata:write permission, needed to enable artifact attestation capabilities that ensure verifiable build provenance and strengthen software supply-chain security. The permission has a limited scope, aligned with the principle of least privilege, to facilitate swift and targeted approvals.

Backup & Resilience

Azure Backup

Vaulted Backup for Azure Data Lake Storage (preview)

Public Preview is available for Vaulted Backup for Azure Data Lake Storage (ADLS), extending in-vault protection to this service as well. The solution maintains an independent copy isolated from the source account to ensure business continuity and compliance, with restores to original or alternate accounts even in cases of accidental deletions, insider threats, or ransomware.
The solution includes flexible scheduling (daily/weekly and on-demand), long-term retention up to 10 years, and a security-first design with soft delete, immutability, encryption, and multi-user authorization to protect data in the vault.

Azure Site Recovery

Azure Site Recovery: support for Ultra Disks on virtual machines

Microsoft announces General Availability of support in Azure Site Recovery (ASR) for virtual machines with Ultra Disks, enabling organizations of any size to replicate, fail over, and fail back across Azure regions with minimal impact on production performance. The solution offers automated recovery orchestration, cost-optimized replication, and non-disruptive testing, helping companies increase operational resilience, meet compliance requirements, and minimize downtime. With this release, teams can reliably extend enterprise-grade protection and continuity to workloads using Ultra Disks. Ultra Disks are the highest-performance block storage option for Azure VMs, with consistent sub-millisecond latency and extremely high performance; they are therefore ideal for a broad range of mission-critical workloads, such as SAP HANA, high-end databases, and highly transactional systems that demand maximum performance.

Monitoring

Azure Monitor

Retirement of legacy authentication in Azure Monitor – Container Insights (deadline: September 30, 2026)

Microsoft will retire legacy authentication in Azure Monitor – Container Insights starting September 30, 2026. The model is being replaced by authentication via Managed Identity, which is more modern and secure and also enables capabilities not previously available, such as Syslog collection and High Scale mode.
Customers must migrate to Managed Identity by the specified date: the transition can be easily performed from the Azure portal or via CLI/PowerShell, along with bulk migration scripts provided in the official guidance.

Conclusions

The October 2025 updates outline a consistent path in the maturation of Azure’s adaptive cloud, where Azure Arc and Azure Local uniformly extend control and operational consistency across datacenters, edge, and multicloud. Microsoft’s recognition as a Leader in the 2025 Gartner® Magic Quadrant™ for Distributed Hybrid Infrastructure confirms this trajectory, highlighting an ecosystem capable of uniting governance, security, and data sovereignty. Within this framework, Arc-enabled firmware analysis introduces transparency into traditionally opaque IoT/OT domains; updates to Microsoft Defender for Cloud and Defender for Containers strengthen supply-chain integrity and security posture; Vaulted Backup for Azure Data Lake Storage (preview) expands protection options with isolated copies and extended retention; ASR support for Ultra Disks extends operational continuity to the most demanding workloads; and the evolution of Azure Monitor – Container Insights toward Managed Identity marks a further step toward more robust authentication models. Overall, a platform emerges that natively and distributively integrates management, protection, and observability, promoting shared standards and reducing friction across heterogeneous environments.

Azure IaaS and Azure Local: announcements and updates (November 2025 – Weeks: 43 and 44)

This blog post series highlights the key announcements and major updates related to Azure Infrastructure as a Service (IaaS) and Azure Local, as officially released by Microsoft in the past two weeks.

Azure

Compute

RHEL Software Reservations Now Available on Azure with Updated Pricing

Red Hat Enterprise Linux (RHEL) software reservations are available again on Azure with updated billing meters and pricing. The revised structure addresses issues present in previous meters and aligns with Red Hat’s current pricing model, improving accuracy and transparency. With clearer pricing visibility and alignment to the latest licensing framework, customers can more easily plan and optimize RHEL deployment costs on Azure—purchasing reservations to reduce operational expenses while retaining enterprise-grade Linux capabilities.

VM vCore customization features disabling simultaneous multi-threading (SMT/HT) and constrained cores (preview)

Azure announces public preview of Virtual Machine (VM) customization features that provide granular control over virtual CPU (vCPU) configurations to optimize performance and licensing. Customers can disable Simultaneous Multi-Threading (SMT, also known as Intel Hyper-Threading (HT)) to run with one thread per core for latency-sensitive or single-threaded workloads, and select a custom vCPU count from validated options to lower per-vCPU licensing costs while preserving full memory, storage, and I/O bandwidth. The capabilities are available across a broad set of VM sizes in select regions during preview and can be used independently or together. They are well suited for database and High-Performance Computing (HPC) scenarios, and are accessible through the Azure portal, ARM templates, Azure CLI, and PowerShell.

Sharing Capacity Reservation Groups (preview)

Azure introduces public preview support for sharing Capacity Reservation Groups (CRGs) across subscriptions, expanding beyond the previous limitation of using CRGs only within a single subscription. By enabling on-demand CRGs to be shared, organizations can centralize capacity management, promote resource reuse, scale out more cost-effectively, and separate security responsibilities from capacity planning. This enhancement simplifies governance for enterprises operating multiple subscriptions while maintaining reserved capacity for planned Virtual Machine (VM) deployments.

Networking

Enhanced cloning and Public IP retention scripts for Azure Application Gateway migration

Azure Application Gateway provides two production-ready PowerShell scripts to accelerate migration from V1 (Standard or Web Application Firewall (WAF)) to V2 (Standard_V2 or WAF_V2). The cloning script automates end-to-end configuration replication—including front-end Transport Layer Security (TLS) and trusted root certificates—and supports private-only V2 gateways, while the Public IP retention script allows the existing V1 public IP to be preserved on the V2 gateway. With V1 retirement set for April 2026, these tools reduce downtime, minimize manual steps, and de-risk large-scale cutovers.

Azure WAF CAPTCHA Challenge for Azure Front Door

Azure Front Door now offers General Availability of a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) challenge within Azure Web Application Firewall (WAF). This feature adds an adaptive, interactive layer to existing defenses—such as IP blocking and rate limiting—to distinguish legitimate users from automated traffic in real time. By verifying human interaction before granting access, the CAPTCHA challenge strengthens bot mitigation strategies and helps organizations protect web applications from scrapers, brute-force attempts, and other automated attacks.

High Scale Private Endpoints

Microsoft has introduced High Scale Private Endpoints (HSPE) to raise Azure Private Endpoint (PE) limits within a single Azure Virtual Network (VNet). Previously, VNets were capped at 1,000 private endpoints, and attempts to exceed that threshold triggered a PrivateEndpointsPerVnetLimitReached error that required deleting endpoints or opening a support request. With HSPE enabled, organizations can deploy up to 5,000 private endpoints in one VNet. Microsoft also recommends keeping the cumulative total across peered VNets to 4,000 to avoid potential connectivity issues; upgrading to HSPE lifts the cross-peering guideline to 20,000 endpoints. In addition, Azure Virtual Network Manager (AVNM) support for HSPE in mesh (connected groups) is now generally available, allowing enterprises to scale private connectivity across large, interconnected topologies with minimal complexity.
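A planning check for the limits quoted above, written as an added example (not Microsoft's tooling): it takes a constructed inventory of VNets, their private endpoint counts and peerings, and reports which VNets exceed the per-VNet cap (1,000, or 5,000 with HSPE) and which exceed the cross-peering guideline (4,000, or 20,000 with HSPE). The assumption that the guideline applies to a VNet plus its directly peered VNets, and that the evaluated VNet's own HSPE status selects the threshold, is this example's own; a real inventory would come from the Azure CLI or Resource Graph.

```python
"""Private endpoint capacity check against the published HSPE limits.

Added example, not part of the original post. Sample inventory is constructed.
"""
from dataclasses import dataclass, field

# Limits as stated in the announcement: hard cap per VNet and the recommended
# cumulative total across peered VNets, with and without HSPE enabled.
PER_VNET_LIMIT = {"default": 1000, "hspe": 5000}
PEERED_GUIDELINE = {"default": 4000, "hspe": 20000}


@dataclass
class VNet:
    name: str
    private_endpoints: int
    hspe_enabled: bool = False
    peers: set = field(default_factory=set)


@dataclass
class Finding:
    vnet: str
    check: str      # "per_vnet" (hard cap) or "peered_total" (guideline)
    observed: int
    limit: int
    severity: str   # "error" for the hard cap, "warning" for the guideline


def add_peering(inventory, a, b):
    """VNet peering is configured on both sides; record it symmetrically."""
    inventory[a].peers.add(b)
    inventory[b].peers.add(a)


def peered_total(vnet, inventory):
    """Own endpoints plus those of every directly peered VNet (assumption:
    the guideline is evaluated over direct peers, not transitively)."""
    total = vnet.private_endpoints
    for peer in vnet.peers:
        if peer in inventory:
            total += inventory[peer].private_endpoints
    return total


def check_inventory(inventory):
    """Return one Finding per VNet and per threshold that is exceeded."""
    findings = []
    for vnet in inventory.values():
        tier = "hspe" if vnet.hspe_enabled else "default"
        cap = PER_VNET_LIMIT[tier]
        if vnet.private_endpoints > cap:
            # Beyond the hard cap, creating another endpoint fails with
            # PrivateEndpointsPerVnetLimitReached.
            findings.append(Finding(vnet.name, "per_vnet",
                                    vnet.private_endpoints, cap, "error"))
        guideline = PEERED_GUIDELINE[tier]
        total = peered_total(vnet, inventory)
        if total > guideline:
            findings.append(Finding(vnet.name, "peered_total",
                                    total, guideline, "warning"))
    return findings


def sample_inventory():
    """Constructed hub-and-spoke estate; counts chosen to hit each threshold."""
    inv = {
        "hub": VNet("hub", 1200, hspe_enabled=True),
        "spoke-a": VNet("spoke-a", 1100),           # over the 1,000 hard cap
        "spoke-b": VNet("spoke-b", 950),
        "spoke-c": VNet("spoke-c", 900),            # fine alone, peered total too high
        "spoke-d": VNet("spoke-d", 2500, hspe_enabled=True),
    }
    for spoke in ("spoke-a", "spoke-b", "spoke-c"):
        add_peering(inv, "hub", spoke)
    add_peering(inv, "spoke-c", "spoke-d")
    return inv


if __name__ == "__main__":
    for f in check_inventory(sample_inventory()):
        print(f"{f.severity.upper():7} {f.vnet}: {f.check} {f.observed} > {f.limit}")
```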

Storage

Cloud-to-Cloud migration made simple with Azure Storage Mover

Azure Storage Mover now offers a generally available Amazon Web Services (AWS) Simple Storage Service (S3) to Azure Blob Storage migration path, enabling direct, secure, and scalable cloud-to-cloud data transfers. As a fully managed service, it removes infrastructure overhead while delivering high, parallelized throughput for large datasets across regions or storage accounts. For cloud-to-cloud scenarios, no on-premises agent is required, simplifying setup and operations. Customers can automate end-to-end migrations in the Azure portal and gain real-time visibility into job status, eliminating the need for manual pipelines or third-party tooling.

Azure Storage Mover support for NFS source to Azure File Share (NFS 4.1) target

Azure Storage Mover now supports migrating Network File System (NFS) shares directly to Azure File Shares using NFS 4.1. The fully managed service enables organizations to move on-premises files and folders to Azure Storage with minimal downtime, leveraging just-in-time permission setting and Azure Key Vault to keep data protected end-to-end. In addition to the generally available capabilities—such as migrating from an on-premises NFS share to an Azure Blob container and from Server Message Block (SMB) sources to Azure File Shares or Azure Blob containers—this update adds NFS source to Azure File Shares (NFS 4.1) as a supported target, expanding options for secure and streamlined file migrations.

Instant Access Snapshots for Azure Premium SSD v2 and Ultra Disks (preview)

Microsoft has announced Public Preview of Instant Access Snapshots for Premium SSD v2 (Pv2) and Ultra Disks, enabling new disks to be restored immediately after a snapshot is created. Restored disks deliver full performance instantly while data hydration completes rapidly in the background. This capability accelerates common workflows such as taking instant backups before software updates for quick rollback, rapidly scaling stateful applications by cloning primary data for new instances (for example, adding read-only Microsoft SQL Server replicas), and performing fast, recurring refreshes of training or testing environments from production.

Azure Local

General

Microsoft named a Leader in the 2025 Gartner® Magic Quadrant™ for Distributed Hybrid Infrastructure

Microsoft has been recognized as a Leader in the 2025 Gartner Magic Quadrant for Distributed Hybrid Infrastructure for the third consecutive year. The recognition reflects Azure’s adaptive cloud approach, centered on Azure Arc and Azure Local, which brings the cloud operating model to datacenters, edge, multicloud, and sovereign environments. Azure Arc extends Azure management and governance—via Azure Resource Manager—to any infrastructure and enables services such as Azure Kubernetes Service (AKS), Microsoft Defender for Cloud, Azure IoT Operations, and Azure AI Video Indexer. Azure Local builds on Azure Arc to run cloud-native workloads, including virtual machines and Arc-enabled AKS, in customer-owned environments while supporting Microsoft’s Sovereign Private Cloud strategy. Together, these capabilities provide unified governance, security, and management across distributed estates, helping organizations innovate, remain secure, and scale with confidence.

Azure Local 2510 release

Microsoft has released Azure Local 2510, a milestone update that resolves 437 bugs and delivers multiple features aimed at improving performance, resilience, and operational efficiency. The release expands upgrade eligibility (11.2510/23H2 to 12.2510/24H2) for all customers without opt-in, and advances partner lifecycle consistency through SBE 5.0 support in the 2-Tier Program, raising the bar on capabilities like download, health checks, threat modeling, and custom Cluster-Aware Updating (CAU) plugins.

Ability to inject Hotfix during Deploy

The 2510 release adds the ability to inject hotfixes into deployment packages, allowing post-release fixes to be applied as part of a fresh deploy. This shortens time-to-resolution, reduces repeat incidents across customers, and lowers support overhead. Microsoft has already scheduled two hotfix waves for 2510 to improve reliability across deployment and upgrade paths.

Deployment using Local Identity (preview)

Azure Local now supports “AD-less” deployment using local identities. This approach reduces external dependencies for edge scenarios by using local accounts to set up the cluster. Node-to-node communications authenticate via certificates, while sensitive node secrets such as BitLocker keys are stored securely in Azure Key Vault, simplifying initial rollout without sacrificing security.

Enable upgrade to 12.2510 (24H2)

Beginning with this release, customers running solution version 11.2510 (23H2) can upgrade directly to 12.2510 (24H2). The broadened availability removes prior opt-in requirements, streamlining planning and enabling faster access to new capabilities.

SBE 5.0 support for 2-Tier Program

Azure Local 2510 introduces support for SBE 5.0 packages across both tiers of the program. By requiring all tiers—not only premier solutions—to meet key SBE capabilities (download, health checks, threat modeling, and custom CAU plugins), the release standardizes and strengthens lifecycle management, delivering a consistent, secure, and scalable experience.

Compute

Rack Aware Cluster (preview)

Rack-aware clustering enables customers to define local availability zones that map to physical racks within their datacenter. By spreading roles and data across rack boundaries, the feature increases fault tolerance and reduces the risk of downtime or data loss from a single rack failure.

Trusted Virtual Machine Guest Attestation (preview)

Trusted VM Guest Attestation allows customers to verify that a VM boots into a known-good state by validating the integrity of the full boot chain—including firmware, boot loader, and drivers. This preview enhances supply-chain and platform trust by detecting unexpected changes before workloads run.

KMSv2 encryption for AKS-HCI clusters

KMS v2 replaces KMS v1 (deprecated in Kubernetes v1.28) and is enabled by default for new AKS-HCI clusters. The change improves security posture and operational continuity for edge environments with no workload disruption during cluster creation, while providing automatic key rotation and stronger compliance readiness.

Kubernetes v1.32 support on AKS Arc

Azure Local 2510 enables deployment of AKS Arc clusters running Kubernetes v1.32. The update delivers the latest upstream capabilities and performance improvements, helping customers maintain feature parity and modern security baselines across Arc-managed Kubernetes estates.

Networking

Software Defined Network with Network Security Groups

Software Defined Network (SDN) with Network Security Groups (NSGs) is now generally available for Azure Local. Customers can create and manage NSGs and granular security rules for Azure Local virtual machines, enabling improved segmentation, consistent policy enforcement, and defense-in-depth across on-premises deployments.

Conclusion

Over the past two weeks, Microsoft has introduced a slew of updates and announcements pertaining to Azure Infrastructure as a Service (IaaS) and Azure Local. These developments underscore the tech giant’s unwavering commitment to enhancing its cloud offerings and adapting to the ever-evolving needs of businesses and developers. Users of Azure can anticipate improved functionalities, streamlined services, and enriched features as a result of these changes. Stay tuned for more insights as I continue to monitor and report on Azure’s progression in the cloud sphere.

Azure IaaS and Azure Local: announcements and updates (October 2025 – Weeks: 41 and 42)

This blog post series highlights the key announcements and major updates related to Azure Infrastructure as a Service (IaaS) and Azure Local, as officially released by Microsoft in the past two weeks.

Azure

General

Azure Integrated HSM (preview)

Azure is releasing Azure Integrated Hardware Security Module (HSM), a built-in HSM cache and cryptographic accelerator designed to improve both security and performance for cryptographic operations within virtual machines. Targeted at crypto-intensive workloads, the feature provides secure key storage with fast, in-boundary retrieval and uses specialized hardware engines for encryption, decryption, signing, and verification while keys remain protected inside the integrated HSM. Azure Integrated HSM is part of the AMD D- and E-series v7 preview, designed to meet Federal Information Processing Standards (FIPS) 140-3 Level 3 requirements, and is available on the Dasv7, Dadsv7, Easv7, and Eadsv7 series with 8 vCores and above. The preview initially supports Windows (Linux support is coming soon) and is offered at no additional cost.

Compute

Retirement of F, Fs, Fsv2, Lsv2, G, Gs, Av2, Amv2, and B-series VMs in 2028

Microsoft has announced that the F, Fs, Fsv2, Lsv2, G, Gs, Av2, Amv2, and B-series Azure Virtual Machines will retire on November 15, 2028, and will no longer be usable or purchasable after that date. Customers should plan migrations of affected workloads to newer VM series to ensure continuity. Three-year reserved instances for these series cannot be purchased or renewed starting November 15, 2025, and one-year reserved instances will not be available for purchase or renewal after November 15, 2027. Existing three-year reservations will continue to provide benefits until their contracted end date; after expiration, usage will be billed at pay-as-you-go rates. Customers are advised to review current reservations to identify impacted VMs and expiration timelines and to plan migration accordingly.

Networking

Prescaling in Azure Firewall

Azure Firewall now supports prescaling, enabling administrators to provision and reserve capacity units ahead of anticipated demand—such as seasonal peaks or planned business events—to maintain consistent throughput, accelerate scaling response, and gain tighter control over capacity. In addition, a new Observed Capacity metric surfaces current and historical capacity usage to inform planning, while flexible billing ensures organizations pay only for the provisioned capacity units and can adjust them as needs evolve. Prescaling is available for Azure Firewall Standard and Premium Stock Keeping Unit (SKU) tiers in all public regions.

Observed capacity metric in Azure Firewall

Azure Firewall introduces the Observed Capacity metric to help teams understand how their firewalls scale in real-world conditions by tracking the number of actively utilized capacity units over time. With this signal, operators can validate that prescaling or autoscaling configurations behave as expected, set proactive alerts as usage approaches defined thresholds, diagnose whether scaling is keeping pace with demand, and forecast future capacity requirements using both historical and current traffic trends.

Azure Firewall updates – Customer-provided public IP address support in secured hubs

Azure Firewall in Virtual WAN secured hubs now supports customer-provided public IP addresses, allowing organizations to “bring their own” IPs already allocated within their Azure subscription. This gives teams greater control over egress identity and simplifies compliance, security policy enforcement, and third-party integrations that depend on stable, preapproved public IPs. Instead of relying on Azure-managed addresses, customers can assign their own, enabling consistent addressing across environments and reducing operational friction.

Azure Firewall updates – IP Group limit increased to 600 per Firewall Policy

Azure Firewall Policy now supports up to 600 IP Groups per policy (previously 200), enabling administrators to better organize large rule sets and reduce rule complexity. With more IP Groups, enterprises managing extensive, segmented networks can model application tiers and subnets more cleanly, while named groups improve readability and speed up troubleshooting and audits by clarifying rule intent in logs and reviews.

Private Link Service Direct Connect (preview)

Azure is introducing Private Link Service Direct Connect, which extends Azure Private Link by allowing a private link service to connect directly to any routable destination IP address—removing the previous requirement to place applications behind a Standard Load Balancer. This enhancement preserves the same private and secure access model while simplifying architectures for publishing services to customers. The limited public preview is initially available in North Central US, East US 2, Central US, South Central US, West US, West US 2, West US 3, Asia Southeast, Australia East, and Spain Central, with additional regions to follow.

Storage

Azure NetApp Files short-term clones

Azure NetApp Files short-term clones are now generally available, providing space-efficient, instant read/write copies created from existing volume snapshots without requiring full data duplication. The clones persist for up to 32 days and consume capacity only for incremental changes, accelerating development, analytics, disaster recovery drills, and testing with large datasets. By enabling rapid refreshes from the latest snapshots and minimizing operational overhead, this capability improves workflow velocity, quality, and cost efficiency across data-intensive scenarios.

Azure Storage Discovery

Azure Storage Discovery delivers enterprise-wide visibility across the Azure Storage data estate, allowing organizations to deeply analyze used capacity and activity, optimize costs, strengthen security posture, and improve operational efficiency. Integrated with Azure Copilot, it lets stakeholders—from cloud architects to storage administrators and data governance leads—unlock insights with natural language prompts and quickly answer questions such as total data stored across all accounts, regions with the fastest growth, and where to reduce costs via tiering adjustments or cleanup of stale data. The service is offered in two plans—Free for basic insights and Standard for full capabilities—and can begin analyzing data across subscriptions within hours, providing some pre-deployment history and up to 18 months of retention to reveal long-term patterns like workload peaks and valleys.

Conclusion

Over the past two weeks, Microsoft has introduced a slew of updates and announcements pertaining to Azure Infrastructure as a Service (IaaS) and Azure Local. These developments underscore the tech giant’s unwavering commitment to enhancing its cloud offerings and adapting to the ever-evolving needs of businesses and developers. Users of Azure can anticipate improved functionalities, streamlined services, and enriched features as a result of these changes. Stay tuned for more insights as I continue to monitor and report on Azure’s progression in the cloud sphere.

Azure IaaS and Azure Local: announcements and updates (October 2025 – Weeks: 39 and 40)

This blog post series highlights the key announcements and major updates related to Azure Infrastructure as a Service (IaaS) and Azure Local, as officially released by Microsoft in the past two weeks.

Azure

Compute

Azure VMware Solution AV36 Node Retirement on June 30, 2028

Microsoft announces the retirement of the AV36 node type for Azure VMware Solution effective June 30, 2028. Existing AV36 Reserved Instance (RI) terms remain unchanged, but customers are advised to review their AV36 RI expiration timelines and coordinate next steps with their Microsoft account teams. To ease the transition, Microsoft will offer AV36 1-year RIs with VCF included until October 15, 2025, and AV36 VCF BYOL 1-year RIs until June 30, 2026 (requiring a portable Broadcom VCF subscription). Existing AV36 Pay-As-You-Go subscriptions will continue through September 30, 2027. This change impacts only AV36; AV36P, AV48, AV52, and AV64 remain available with AVS VCF BYOL options.

Retirement: NVv3-series Azure Virtual Machines will be retired on September 30, 2026

Microsoft will retire the NVv3-series VM sizes—Standard_NV12s_v3, Standard_NV12hs_v3, Standard_NV24s_v3, Standard_NV24ms_v3, Standard_NV32ms_v3, and Standard_NV48s_v3—on September 30, 2026. To avoid disruption, organizations should migrate workloads to newer sizes within the NV product line. Microsoft recommends NVadsA10_v5 VMs, which provide higher GPU memory bandwidth per GPU and are well suited for GPU-accelerated graphics, virtual desktops, visualization workloads, and smaller AI scenarios.

Networking

Using Server-Sent Events with Application Gateway

Azure Application Gateway now supports Server-Sent Events (SSE) in general availability, enabling real-time, server-to-client data streaming over a persistent HTTP connection. To adopt SSE, administrators must apply specific configurations on both the Application Gateway resource and the backend application so that server push updates flow reliably to connected clients.

Retirement: Azure VPN Gateway support for SSTP Protocol will be retired on March 31, 2027

Azure VPN Gateway support for the SSTP protocol will be phased out due to limited scalability and performance. Customers are advised to migrate to IKEv2 or OpenVPN, which provide significantly higher connection limits—up to 10,000 connections—and aggregate throughput up to 10 Gbps depending on the gateway SKU. Key dates include March 31, 2026, when enabling SSTP on VPN gateways will no longer be supported, and March 31, 2027, when existing SSTP-enabled gateways will no longer be able to establish SSTP connections. To avoid disruption, customers should complete migration to IKEv2 or OpenVPN before March 31, 2027.

New health check infrastructure for Azure Traffic Manager

Azure Traffic Manager has introduced new health check infrastructure designed to improve resiliency and horizontal scalability. Customers are being migrated to the new platform, which enhances the reliability of health probes. Because probes originate from updated IP addresses, environments with strict firewall controls should ensure health checks are allowed. The recommended approach is to use the AzureTrafficManager Service Tag in NSGs or Azure Firewall so rules stay current automatically. Where Service Tags are not feasible (such as custom appliances or non-Azure environments), administrators should manually update ACLs or firewall rules with the latest IP prefixes from the Azure IP Ranges and Service Tags JSON and refresh them periodically.
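For the non-Azure case, where the AzureTrafficManager Service Tag cannot be referenced and the prefixes have to be maintained by hand, the following added example (not Microsoft's code) reads the Service Tags JSON in its published shape (a top-level "values" list whose entries carry "name" and "properties.addressPrefixes"), extracts the AzureTrafficManager prefixes, and diffs them against an appliance's current allow-list, reporting prefixes to add, stale ones to remove, and entries that are broader than necessary. The JSON excerpt and the allow-list are constructed sample data using documentation address ranges, not real probe addresses.

```python
"""Diff a firewall allow-list against the AzureTrafficManager service tag.

Added example, not part of the original post. Sample data is constructed.
"""
import ipaddress
import json

# Constructed excerpt in the shape of the published Service Tags file.
SERVICE_TAGS_JSON = """
{
  "changeNumber": 999,
  "cloud": "Public",
  "values": [
    {
      "name": "AzureTrafficManager",
      "id": "AzureTrafficManager",
      "properties": {
        "changeNumber": 12,
        "region": "",
        "platform": "Azure",
        "systemService": "AzureTrafficManager",
        "addressPrefixes": [
          "192.0.2.10/32",
          "192.0.2.11/32",
          "198.51.100.0/30",
          "2001:db8:10::/64"
        ]
      }
    },
    {
      "name": "AzureCloud",
      "id": "AzureCloud",
      "properties": {"addressPrefixes": ["203.0.113.0/24"]}
    }
  ]
}
"""

# Constructed: what the appliance allows today (one stale host, one /24 that
# is wider than the published /30).
CURRENT_ALLOWLIST = {"192.0.2.10/32", "192.0.2.12/32", "198.51.100.0/24"}


def service_tag_prefixes(document: str, tag: str) -> set:
    """Return normalized prefixes for one service tag, or an empty set if absent."""
    data = json.loads(document)
    for entry in data.get("values", []):
        if entry.get("name") == tag:
            raw = entry.get("properties", {}).get("addressPrefixes", [])
            return {str(ipaddress.ip_network(p, strict=False)) for p in raw}
    return set()


def plan_allowlist_update(current: set, published: set) -> dict:
    """Compute the changes needed so `current` matches `published`.

    add:       published prefixes not covered by any current entry
    remove:    current entries that overlap no published prefix (stale)
    overbroad: current entries strictly wider than a published prefix
    """
    cur = [ipaddress.ip_network(p, strict=False) for p in current]
    pub = [ipaddress.ip_network(p, strict=False) for p in published]

    def same_family(a, b):
        return a.version == b.version

    def covered(net):
        return any(same_family(net, c) and net.subnet_of(c) for c in cur)

    def overlaps_published(net):
        return any(same_family(net, p) and net.overlaps(p) for p in pub)

    def wider_than_published(net):
        return any(same_family(net, p) and p.subnet_of(net) and p != net for p in pub)

    return {
        "add": sorted(str(p) for p in pub if not covered(p)),
        "remove": sorted(str(c) for c in cur if not overlaps_published(c)),
        "overbroad": sorted(str(c) for c in cur if wider_than_published(c)),
    }


def refresh_plan() -> dict:
    """Run the diff on the constructed sample data."""
    published = service_tag_prefixes(SERVICE_TAGS_JSON, "AzureTrafficManager")
    return plan_allowlist_update(CURRENT_ALLOWLIST, published)


if __name__ == "__main__":
    for action, prefixes in refresh_plan().items():
        print(f"{action:9} {', '.join(prefixes) or '-'}")
```

The same diff can be re-run whenever the published JSON changes, which is the periodic refresh the announcement asks for.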

Storage

Azure NetApp Files Flexible Service Level

Azure NetApp Files introduces the Flexible service level, allowing independent configuration of storage capacity and throughput to optimize cost and performance without volume moves. Supported on manual QoS capacity pools, throughput can be tuned between 128 MiB/s and 640 MiB/s per provisioned TiB, with a baseline 128 MiB/s provided for every pool at no additional cost. This enables right-sizing for both capacity-heavy workloads with modest performance needs and demanding workloads—such as Oracle or SAP HANA—that require higher throughput on smaller capacity footprints. The Flexible service level is available for newly created pools only, is supported in all Azure NetApp Files regions, and works with cool access for additional savings.

Cross-tenant customer-managed keys for Azure NetApp Files volume encryption

Azure NetApp Files now supports cross-tenant Customer-Managed Keys (CMK) for volume encryption, enabling customers to manage their own encryption keys across different Azure tenancies. This capability gives SaaS providers and their end users greater control in multi-tenant scenarios by allowing end users to retain full key ownership while providers offer flexible key-management options. The feature is available in all Azure NetApp Files–supported regions, delivering secure, scalable, and compliant data protection across tenant boundaries.

Azure NetApp Files support for OpenLDAP, FreeIPA, and Red Hat Directory Server (preview)

Azure NetApp Files introduces public preview support for integrating with FreeIPA, OpenLDAP, and Red Hat Directory Server, enabling secure LDAP over TLS for NFSv3 and NFSv4.1 volumes alongside Microsoft Active Directory. This enhancement streamlines identity integration for hybrid environments and regulated industries, improving access control for NFS workloads. Key benefits include broader LDAP support, secure LDAP over TLS, seamless use with existing identity infrastructure, and greater flexibility for compliance-driven deployments. The preview is available in all Azure NetApp Files regions, with use cases spanning financial services, government, and enterprises standardizing identity across cloud and on-premises estates.

Azure Local

Arc Gateway for Azure Local

Arc Gateway for Azure Local is now generally available, delivering a single, centralized HTTPS egress point for all Azure-bound traffic from Azure Local instances and workloads. By consolidating outbound connectivity behind one “front door,” it reduces the need for sprawling firewall rules and eliminates wildcards, significantly simplifying configuration and strengthening security posture. The gateway cuts required endpoints from well over 100 to fewer than 28 and integrates seamlessly with enterprise proxies by routing outbound traffic through existing proxy infrastructure before reaching Azure. It provides comprehensive coverage for workloads: Azure Local VMs can use Arc Gateway whether or not the infrastructure enabled it during deployment—so long as an Arc Gateway resource exists and guest management is enabled; new VMs can also be deployed with the gateway. AKS clusters on Azure Local implicitly leverage the host-level Arc Gateway when it was enabled for the infrastructure at deployment; AKS with Arc Gateway remains in Public Preview until its future GA. Support for enabling Arc Gateway on existing Azure Local infrastructure is planned for a future release.

Conclusion

Over the past two weeks, Microsoft has introduced a slew of updates and announcements pertaining to Azure Infrastructure as a Service (IaaS) and Azure Local. These developments underscore the tech giant’s unwavering commitment to enhancing its cloud offerings and adapting to the ever-evolving needs of businesses and developers. Users of Azure can anticipate improved functionalities, streamlined services, and enriched features as a result of these changes. Stay tuned for more insights as I continue to monitor and report on Azure’s progression in the cloud sphere.

Azure Hybrid Management & Security: What’s New and Insights from the Field – September 2025

Once again this month, I’m back with my recurring series focused on the evolution of Azure management and security services, with a special focus on hybrid and multicloud scenarios enabled by Azure Arc and enhanced by the use of Artificial Intelligence.

This monthly series aims to:

  • Provide an overview of the most relevant updates released by Microsoft;

  • Share operational tips and field-proven best practices to help architects and IT leaders manage complex and distributed environments more effectively;

  • Follow the evolution towards a centralized, proactive, and AI-driven management model, in line with Microsoft’s vision of AI-powered Management.

The main areas addressed in this series, together with the corresponding tools and services, are described in this article.

Hybrid and multicloud environment management

Azure Arc

Starting September 30, 2025, Azure App Service on Azure Arc-enabled Kubernetes will be retired and it will no longer be possible to install the extension. To continue hosting application workloads, Microsoft recommends migrating to alternative solutions such as Azure Container Apps on Azure Arc-enabled Kubernetes, which also enables you to leverage Logic Apps Hybrid. A timely assessment and migration plan is recommended to ensure completion by the deadlines, minimizing risks and service disruptions in hybrid and multicloud environments.

Security posture across hybrid and multicloud infrastructures

Microsoft Defender for Cloud

New features, bug fixes, and deprecated features of Microsoft Defender for Cloud

The development of Microsoft Defender for Cloud is constantly evolving, with continuous improvements being introduced. To stay updated on the latest developments, Microsoft updates this page, which provides information on new features, bug fixes, and deprecated features. Specifically, this month’s main news includes:

  • Malware automated remediation in Defender for Storage (preview): the automated remediation feature for Defender for Storage malware scanning is now available in public preview. When on-upload or on-demand scans detect malicious blobs, the contents can be soft-deleted automatically. This ensures immediate isolation while maintaining recoverability for forensic analysis purposes. The setting can be toggled at the subscription or storage account level from the Microsoft Defender for Cloud blade in the Azure portal, or via API.
  • Refined attack paths: attack paths have been improved to reflect realistic risks that an adversary could use to compromise the organization. The new experience emphasizes external entry points and the attacker’s progression toward business-critical assets, providing greater clarity, focus, and prioritization. This enables security teams to respond more quickly and confidently to the most critical exposures.
  • Trusted IPs for Internet exposure analysis: Defender for Cloud allows you to define trusted IP ranges to reduce false positives in Internet exposure analysis. Resources that are only accessible from trusted IPs are classified as trusted and, as a result, Defender for Cloud does not generate attack paths for those sources.
  • Exposure width for Internet exposure analysis (GA): the Exposure width metric is now Generally Available in Microsoft Defender for Cloud. This capability shows how a resource is exposed to the Internet based on network rules, helping security teams quickly identify and remediate the most critical attack paths.
  • Trivy dependency scanning for code repositories (update): Defender for Cloud now includes open-source dependency scanning based on Trivy in filesystem mode, to automatically detect operating system and library vulnerabilities in GitHub and Azure DevOps repositories.

Backup & Resilience

Azure Backup

Vaulted backup for Azure Files (Premium)

With Azure Backup, “in-vault” protection is now available for Premium shares as well, ensuring business continuity and compliance even in the event of accidental deletions, malicious activity, or ransomware. Vaulted backup keeps a secure, off-site copy of the data, independent of the source account.

Key capabilities of vaulted backup:

  • Off-site protection: stores an independent copy of data in the vault, enabling restore even if the source account is lost or compromised. You can restore to the original account or to an alternate account.
  • Resilience to deletions and attacks: isolated backups that protect against accidental deletions, insider threats, and ransomware, ensuring operational continuity.
  • Automatic and flexible backups: support for daily/weekly schedules, or on-demand backups when needed.
  • Long-term retention: ability to retain backup data for up to 99 years, meeting compliance and archiving requirements.
  • Security by design: safeguards such as soft delete, immutability, encryption, and multi-user authorization protect data in the vault from tampering or misuse.

Azure Site Recovery

Support for virtual machines with Premium SSD v2 disks

General availability has been announced for Azure Site Recovery (ASR) support for virtual machines that use Premium SSD v2 disks. ASR enables replication across Azure regions and from on-premises to Azure, automated failover, and non-disruptive disaster recovery testing, helping ensure business continuity with built-in security, compliance, and native integration with Azure services. Premium SSD v2 delivers low latency and consistent performance, with the flexibility to scale throughput and IOPS independently—an ideal combination for enterprise workloads such as SQL Server, Oracle, SAP, and big data.

Monitoring

Azure Monitor

Azure Resource Manager: new metrics in Azure Monitor

Azure Resource Manager (ARM) introduces enhanced integration with Azure Monitor Metrics at the subscription level, enabling deeper visibility into traffic, latency, and throttling of control-plane operations. Metrics are accessible via REST API, SDKs, or directly from the Azure portal, with no opt-in required. New dimensions are also available for advanced analysis and filtering: operation type (read/write/delete), ARM request region, HTTP method, HTTP status code, status code class (2xx, 4xx, 5xx), resource type, and resource provider namespace. These enhancements strengthen troubleshooting, capacity planning, and governance, simplifying granular monitoring of complex, distributed environments.

High Scale mode for Azure Monitor – Container Insights

Microsoft announces general availability of the High Scale mode in Container Insights, the Azure Monitor solution for collecting logs from Azure Kubernetes Service (AKS) clusters. Enabling High Scale applies a set of configuration optimizations automatically that significantly increase collection throughput, without requiring customer intervention or additional parameters. This mode supports higher telemetry loads in AKS clusters, improving observability and time-to-analysis in large-scale environments, including hybrid and multicloud scenarios integrated with Azure Arc.

Azure Managed Service for Prometheus: native Grafana dashboards in the Azure portal (preview)

Public Preview is available for the native, no-additional-cost integration of Grafana dashboards within the Azure portal for Azure Managed Service for Prometheus. With this update, you can quickly use and customize Grafana dashboards directly in the portal, avoiding the need to deploy and maintain dedicated Grafana instances or additional Azure resources. The integration streamlines observability and reduces administrative overhead, accelerating the creation of visualizations useful for monitoring and troubleshooting containerized and distributed workloads.

Conclusions

This month’s updates—from the retirement of App Service on Arc-enabled Kubernetes and the need to plan that migration in advance, to the Defender for Cloud improvements (automated remediation, more realistic attack paths, trusted IPs, and Exposure width in GA), and on to the resilience advancements with Azure Backup for Files Premium and ASR for Premium SSD v2—all converge on the same goal: reducing attack surface, increasing workload reliability, and simplifying operations at scale. On the monitoring front, the enriched ARM metrics, Container Insights’ High Scale mode, and the “native” Grafana dashboards in Managed Prometheus raise the bar for transparency and time-to-insight without adding complexity. My call to action is to turn these guidelines into concrete steps: assess and begin migrating off retiring assets, recalibrate security policies by leveraging the new prioritization and remediation capabilities, extend “in-vault” backup policies where needed, and standardize monitoring practices by adopting the latest metrics and dashboards.

Azure IaaS and Azure Local: announcements and updates (September 2025 – Weeks: 37 and 38)

This blog post series highlights the key announcements and major updates related to Azure Infrastructure as a Service (IaaS) and Azure Local, as officially released by Microsoft in the past two weeks.

Azure

General

Licensing changes for future Azure VMware Solution subscriptions starting October 16, 2025

Microsoft has announced licensing changes for Azure VMware Solution (AVS) following Broadcom’s updates to VMware licensing policies. Beginning October 16, 2025, customers purchasing new or additional AVS nodes must bring their own portable VMware Cloud Foundation (VCF) subscription from Broadcom or an authorized reseller. Existing AVS deployments with VCF included under Reserved Instance (RI) terms can continue operating without licensing or product changes through the end of the RI term, and customers may use the self-service exchange process to trade in an RI on or before October 15, 2025 for a later expiration date. For Pay-As-You-Go subscriptions that included VCF, customers are advised to contact their Microsoft account team for details and key dates. The AVS service itself is unchanged and remains a fully managed VCF private cloud in Azure. 

At-cost data transfer between Azure and an external endpoint

Azure now provides at-cost data transfer for customers and Cloud Solution Provider partners in Europe who move data over the public internet between Azure and another data processing provider, supporting interoperable, multi-cloud architectures. Eligible organizations—those with billing addresses in the European Economic Area (EEA), European Free Trade Association (EFTA), or the United Kingdom—may request a credit for such cross-cloud transfers by following the documented Azure Support process and meeting the stated eligibility requirements.

Azure mandatory multifactor authentication: Phase 2 starting in October 2025

Microsoft confirmed the next phase of its mandatory multifactor authentication (MFA) rollout for Azure sign-ins, citing research that MFA can block more than 99.2% of account compromise attempts. Following the August 2024 announcement and the completion of Phase 1 in March 2025 (enforcement for Azure Portal, Microsoft Entra admin center, and Intune admin center sign-ins across 100% of tenants), Phase 2 will begin on October 1, 2025. This phase enforces MFA at the Azure Resource Manager layer for resource management operations across clients including Azure CLI, Azure PowerShell, the Azure Mobile App, REST APIs, SDK libraries, and Infrastructure-as-Code tools, with gradual application via Azure Policy under safe deployment practices. Notifications have been sent to Microsoft Entra Global Administrators through email and Azure Service Health. The change requires users to authenticate with MFA before executing resource management actions; workload identities such as managed identities and service principals are not impacted. To prepare, organizations are advised to enable MFA for users by October 1, 2025, assess potential impact using built-in Azure Policy definitions in audit or enforcement mode, and update clients to Azure CLI version 2.76 and Azure PowerShell version 14.3 or later. If MFA cannot be enabled by the start date, a Global Administrator can postpone enforcement in the Azure portal, with further communications to follow via established channels.

Compute

Retirement: Azure Kubernetes Service on VMware (preview) will be retired on March 16, 2026

Azure Kubernetes Service on VMware (preview) will be retired on March 16, 2026. Customers are encouraged to transition to Azure Kubernetes Service on Azure Local before that date to take advantage of its enhanced capabilities. After March 16, 2026, deployments of AKS on VMware will no longer be possible and support will cease. For additional questions, Microsoft directs customers to AKS on Azure Local. 

Azure D192 sizes in the Azure Dsv6 and Ddsv6-series VM families

Microsoft has added the D192 size to the Dsv6 and Ddsv6-series VMs, powered by 5th Gen Intel® Xeon® Platinum 8573C (Emerald Rapids). Dsv6 uses Azure managed disks only, while Ddsv6 offers local temporary storage. These sizes deliver 192 vCPUs and 768 GiB RAM, targeting general-purpose, memory-intensive, and enterprise workloads such as SAP, SQL, in-memory analytics, large relational databases, web/app servers under moderate-to-heavy traffic, batch processing, and dev/test. Azure Boost provides up to 400K IOPS and 12 GB/s remote storage throughput with NVMe-enabled local and remote storage, and up to 82 Gbps network bandwidth. Security is strengthened with Intel® Total Memory Encryption (TME), and the NVMe interface yields up to a 3× improvement in local storage IOPS for low-latency access.

DCa/ECa v6-series AMD-based confidential VMs now generally available

Microsoft is making the new DCa/ECa v6-series AMD-based confidential virtual machines generally available in UAE North, Korea Central, West Central US, South Africa North, Switzerland North, and UK South. Powered by 4th Gen AMD EPYC™ processors with Secure Encrypted Virtualization – Secure Nested Paging (SEV-SNP), these VMs provide hardware-based memory encryption so that memory written by a VM can only be accessed by that VM, with encryption keys generated by a dedicated secure processor on the CPU and not retrievable from software. The lineup includes the general-purpose DCasv6-series and the memory-optimized ECasv6-series, offering improved performance and price-performance over prior AMD-based confidential VMs. Workloads can typically migrate without code changes, making these VMs well-suited for processing sensitive data such as PII and PHI within an attested trusted execution environment.

Azure HBv5-series VMs (preview)

Azure has introduced HBv5-series VMs in public preview in the South Central US region. Designed for memory bandwidth–intensive HPC workloads—including CFD, automotive and aerospace simulation, weather modeling, energy research, molecular dynamics, and computer-aided engineering—HBv5 features 6.7 TB/s of memory bandwidth across 450 GB (438 GiB) of HBM. Each VM provides 368 4th Gen AMD EPYC™ cores at 3.5 GHz base and up to 4.0 GHz boost with no simultaneous multithreading, 800 Gb/s NVIDIA Networking InfiniBand for supercomputer-scale MPI, and 15 TiB of local NVMe SSD delivering up to 50 GB/s reads and 30 GB/s writes.

Networking

Introducing the new Network Security Hub experience

Microsoft has expanded and rebranded the Azure Firewall Manager experience as the Network Security Hub, a centralized interface that unifies Azure Firewall, Web Application Firewall (WAF), and DDoS Protection. The refreshed experience simplifies the Azure Networking portfolio with improved navigation, consolidated service overviews, and enhanced visibility into security coverage. A redesigned landing page surfaces common use cases, documentation, pricing, and recommended scenarios to accelerate onboarding. Key highlights include a single hub to manage Firewall, WAF, and DDoS Protection, an enhanced coverage dashboard across virtual networks, hubs, and applications, Azure Advisor–driven recommendations for security and performance, and streamlined discovery of resources such as Virtual Hub deployments and Firewall Policies.

Enabling dedicated connections to backends in Azure Application Gateway

Azure Application Gateway v2 now supports dedicated connections from the gateway to backend servers. While the default behavior reuses idle backend TCP connections to optimize resource usage, the new setting maps each incoming client connection to its own distinct backend connection, enabling strict one-to-one communication between frontend and backend when required.

Backend TLS validation controls in Azure Application Gateway

Azure Application Gateway v2 announces the general availability of customer-controlled backend TLS validations. When HTTPS is selected in Backend Settings, operators can now enable or disable certificate chain and expiry verification and separately enable or disable SNI verification. These options allow teams to tailor TLS behavior to the needs of diverse environments while preserving secure, reliable connectivity to backend services.

Storage

Azure NetApp Files migration assistant

Azure NetApp Files migration assistant (using SnapMirror) is now generally available, enabling efficient, cost-effective data migration from on-premises environments or CVO/other cloud providers to Azure NetApp Files. Available via REST API, the capability leverages ONTAP replication to reduce network transfer for baseline and incremental updates, supports low-downtime cutovers to minimize business disruption, and preserves primary data protection with source volume snapshots while maintaining directory and file metadata, including security attributes.

Retirement: OS disks on Standard HDD will be retired on September 8, 2028

Microsoft announced that service for operating system (OS) disks running on Standard HDD will be retired on September 8, 2028, in alignment with evolving usage patterns and investments in disk performance and reliability. After that date, any remaining OS disks on Standard HDD will be converted to Standard SSD of equivalent size if not migrated beforehand, with further details to follow in public documentation. This change does not affect Standard HDD data disks (non-boot volumes) or Ephemeral OS disks. To mitigate risk, customers are expected to avoid deploying new VMs with HDD OS disks and to migrate existing HDD OS disks to Standard SSD or Premium SSD ahead of the retirement date.

Azure Data Box Next Gen expands general availability to additional regions

Microsoft has expanded general availability for Azure Data Box Next Gen to India, Qatar, South Africa, and Korea. With this update, both the 120 TB and 525 TB NVMe-based Data Box devices are generally available in the US, UK, Europe, US Gov, Canada, Japan, Australia, Singapore, India, and Qatar. The 120 TB model is also generally available in Brazil, UAE, Hong Kong, Switzerland, Norway, South Africa, and Korea. Announced earlier this year, the next-generation devices have already ingested several petabytes across multiple industries, with customers reporting up to 10× faster transfers. Organizations value the devices’ reliability and efficiency for large-scale migration projects, and can select the appropriate SKU and place orders directly from the Azure portal. 

File share-centric management model for Azure Files (preview)

Azure Files now introduces a file share–centric management model via the Microsoft.FileShares resource provider, making file shares top-level Azure resources that no longer require a storage account. With this shift, file shares can be provisioned independently for capacity, IOPS, and throughput—removing contention with other shares and enabling granular networking and security controls. The model adopts the SSD provisioned v2 cost structure for predictable, flexible billing and brings ~2× faster provisioning, higher scale limits, and share-level billing for clearer cost attribution. This preview streamlines creation and lifecycle management while aligning performance and cost directly to each share.

Azure Local

Direct upgrade from Azure Stack HCI OS 22H2 to 24H2 via PowerShell

With the 2505 release, Azure Stack HCI administrators can now perform a direct in-place upgrade from version 20349.xxxx (22H2) to version 26100.xxxx (24H2) using PowerShell. This streamlined path removes an intermediate hop, reducing the number of reboots and simplifying maintenance planning ahead of the broader solution upgrade.

Conclusion

Over the past two weeks, Microsoft has introduced a slew of updates and announcements pertaining to Azure Infrastructure as a Service (IaaS) and Azure Local. These developments underscore the tech giant’s unwavering commitment to enhancing its cloud offerings and adapting to the ever-evolving needs of businesses and developers. Users of Azure can anticipate improved functionalities, streamlined services, and enriched features as a result of these changes. Stay tuned for more insights as I continue to monitor and report on Azure’s progression in the cloud sphere.

Azure IaaS and Azure Local: announcements and updates (September 2025 – Weeks: 35 and 36)

This blog post series highlights the key announcements and major updates related to Azure Infrastructure as a Service (IaaS) and Azure Local, as officially released by Microsoft in the past two weeks.

Azure

General

Microsoft to Tighten Cloud Security with Mandatory MFA for Azure Resource Management

Microsoft has announced that Multi-Factor Authentication (MFA) will be enforced for all Azure resource management actions starting October 1, 2025. The enforcement will apply to sign-ins via Azure CLI, PowerShell, SDKs, REST APIs, Infrastructure as Code tools, and the Azure mobile app, as part of the Secure Future Initiative (SFI). SFI focuses on Secure by Design, Secure by Default, and Secure in Operations across engineering pillars such as identity protection, network security, threat detection, and rapid vulnerability remediation. To prepare, administrators are advised to upgrade to Azure CLI v2.76+ and PowerShell v14.3+, migrate automation from user identities to workload identities, use Azure Policy in audit/enforcement mode to assess impact, and monitor MFA registration with built-in reports or scripts. Enforcement will roll out gradually across all tenants, with global administrators able to defer until July 1, 2026. Microsoft’s research indicates that accounts with MFA enabled are 99.99% resistant to hacking attempts, and that MFA reduces unauthorized access risk by 98.56% even when credentials are compromised.

Compute

Upgrade Existing Azure Gen1 VMs to Gen2 Trusted Launch

Microsoft has made generally available the ability to enable Trusted Launch on existing Azure Generation 1 virtual machines by upgrading them to Generation 2 with Trusted Launch. This capability strengthens foundational compute security by enabling Secure Boot and virtual TPM (vTPM), and by measuring the VM’s boot chain for attestation. By helping defend against bootkits and rootkits, the upgrade enhances the security posture of existing workloads without requiring full redeployment.

Retirement of Confidential VM SKUs DCesv5, DCedsv5, ECesv5, ECedsv5

Microsoft is retiring the Confidential VM SKUs DCesv5, DCedsv5, ECesv5, and ECedsv5, with the DCesv6 and ECesv6 sizes designated as their successors. The next-generation sizes—currently in public preview—introduce enhancements such as integration with OpenHCL and will be the primary focus going forward. As part of the transition, all new and existing deployments of the retiring series will be stopped by September 12, 2025. After that date, no new VMs can be created, and any VM from these series that is rebooted will no longer be available. Customers are encouraged to plan migrations to the v6 series to maintain continuity and benefit from the latest confidential computing capabilities.

Networking

Multiple Address Prefixes for Subnets in Azure Virtual Networks

Support for multiple address prefixes per subnet in Azure Virtual Networks is now generally available. Previously, a subnet could hold only a single prefix, which complicated scale-out when the address space was exhausted. The new capability allows additional prefixes to be added directly to a subnet, expanding available address space without emptying or resizing the subnet. This enables dynamic subnet growth with minimal disruption and more efficient use of address space, while preserving headroom for future expansion.

Retirement of Azure CDN in Azure China—migrate to Azure Front Door by December 1, 2025

Azure CDN operated by 21Vianet in Azure China will be retired on December 1, 2025. Because Azure CDN relies on local provider POPs via API integrations and lacks deep, native Azure integration, Microsoft is directing customers to Azure Front Door as the native, more integrated alternative with built-in security features such as WAF and Private Link to origins. Customers should complete migration and validation and delete Azure CDN resources by November 15, 2025. If migration is not completed by that date, the Azure Front Door team will attempt to migrate eligible CDN profiles. Profiles that are disabled, have had no active traffic in the prior three months, or are otherwise incompatible will not be migrated and will experience service disruption starting December 1, 2025. In such cases, customers should migrate to Azure Front Door or another CDN solution before November 15, 2025.

Azure Front Door Standard and Premium now available in Azure China

Azure Front Door Standard and Premium are now generally available in the Azure China regions (China North 3 and China East 3), operated by 21Vianet. With this release, customers can deliver secure, reliable, high-performance applications using a natively integrated platform that provides global load balancing with instant failover, edge caching and protocol optimizations for acceleration, and enterprise-grade security including WAF, DDoS protection, and TLS/SSL offload. The service supports local compliance requirements such as ICP filing for custom domains and offers end-to-end observability through Azure Monitor metrics, logs, and analytics, enabling reduced latency, improved resilience, and a consistent operational experience across global and China regions.

CNI Overlay for Application Gateway for Containers and AGIC

Azure CNI Overlay support with Application Gateway for Containers and the Application Gateway Ingress Controller (AGIC) is now generally available. With CNI Overlay, AKS clusters can assign pod IPs from a separate CIDR, conserving VNet IP space and simplifying multi-cluster deployments. When paired with Application Gateway and Application Gateway for Containers, this approach provides secure, efficient load balancing to designated services inside the cluster’s private overlay network while reducing external exposure. Network configuration (CNI Overlay or traditional CNI) is detected automatically by the platform, eliminating additional setup and streamlining deployment.

Custom block response code and body for Application Gateway WAF (preview)

Azure Web Application Firewall (WAF) integrated with Application Gateway now supports customizable response status codes and bodies for blocked requests in public preview. By default, WAF returns HTTP 403 with “The request is blocked” when a rule is triggered; with this preview, administrators can define a custom status code and message at the policy level so that all blocked requests receive a consistent, tailored response. This enhancement aligns Application Gateway WAF with the customization already available on WAF with Azure Front Door, giving teams greater flexibility and control over client-facing behavior during enforcement.

Storage

Azure NetApp Files short-term clones (preview)

Azure NetApp Files short-term clones are available in public preview, providing instant, space-efficient read/write volumes created as thin clones of existing volume snapshots rather than as full data copies. Suitable for development, analytics, disaster recovery exercises, and testing against large datasets, these clones can be refreshed quickly from the latest snapshot, can be retained for up to one month, and consume capacity only for the incremental changes written to them. The capability shortens test and validation cycles and lowers costs by avoiding full-copy storage and the associated operational overhead, and is available in all regions where Azure NetApp Files is supported.

Entra ID and RBAC support for supplemental Azure Storage APIs

Support for Entra ID (OAuth 2.0) and Azure RBAC is now generally available for the following Azure Storage operations: Get Account Information, Get/Set Container ACL, Get/Set Queue ACL, and Get/Set Table ACL. With this change, the REST responses for unauthorized access are aligned with the other OAuth-enabled Storage APIs: OAuth calls that lack the required permission now return 403 (Forbidden) instead of the previous 404 (Not Found), while anonymous requests now receive 401 (Unauthorized) together with a bearer challenge in the WWW-Authenticate header. For example, GetAccountInformation requires the RBAC data action Microsoft.Storage/storageAccounts/blobServices/getInfo/action. Applications that relied on the old 404 behavior (typically treating it as "resource does not exist") should be updated to handle both 403 and 404 responses; the SDKs will not adjust this behavior on the application's behalf.
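The following is an added example, not Microsoft's or an SDK's code, showing the client-side logic the paragraph above calls for: answer the bearer challenge on an anonymous call, then treat 403 as "authenticated but missing the RBAC action" and only 404 as "resource absent". The HTTP layer and token acquisition are injected callables, the responses are constructed in-line, and the challenge parameters (authorization_uri, resource_id) and tenant GUID are assumed sample values, so the code runs offline.

```python
"""Added example (not Microsoft's code): handling 401/403/404 from OAuth-enabled
Azure Storage operations after the response-code alignment described above."""
from dataclasses import dataclass, field
from enum import Enum
import re
from typing import Callable, Dict, List, Tuple


class Outcome(Enum):
    OK = "ok"
    FORBIDDEN = "forbidden"              # 403: identity lacks the required RBAC action
    NOT_FOUND = "not_found"              # 404: resource absent (or an older 404-on-denied response)
    UNAUTHENTICATED = "unauthenticated"  # 401 still returned after presenting a token


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed for this example)."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


# RBAC data action the announcement names for GetAccountInformation.
GET_ACCOUNT_INFO_ACTION = "Microsoft.Storage/storageAccounts/blobServices/getInfo/action"

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')
_TENANT_RE = re.compile(r"https://login\.microsoftonline\.com/([0-9a-fA-F-]+)/")


def parse_bearer_challenge(www_authenticate: str) -> Dict[str, str]:
    """Parse a 'Bearer k="v", k2="v2"' challenge into its parameters ({} if not a Bearer challenge)."""
    if not www_authenticate.strip().lower().startswith("bearer"):
        return {}
    return dict(_PARAM_RE.findall(www_authenticate))


def tenant_from_challenge(params: Dict[str, str]) -> str:
    """Extract the tenant ID from the challenge's authorization_uri ('' if absent)."""
    m = _TENANT_RE.match(params.get("authorization_uri", ""))
    return m.group(1) if m else ""


def call_storage(send: Callable[[Dict[str, str]], Response],
                 acquire_token: Callable[[str, str], str],
                 required_action: str) -> Tuple[Outcome, str]:
    """Issue a Storage call, answer a bearer challenge once, then map the final status.

    send(headers) performs the request; acquire_token(tenant, resource) returns an
    access token. Both are injected (assumed interfaces) so the logic runs offline.
    """
    resp = send({})
    if resp.status == 401:
        params = parse_bearer_challenge(resp.headers.get("WWW-Authenticate", ""))
        tenant = tenant_from_challenge(params)
        resource = params.get("resource_id", "https://storage.azure.com")
        resp = send({"Authorization": "Bearer " + acquire_token(tenant, resource)})

    if 200 <= resp.status < 300:
        return Outcome.OK, ""
    if resp.status == 401:
        return Outcome.UNAUTHENTICATED, "token rejected"
    if resp.status == 403:
        return Outcome.FORBIDDEN, f"identity lacks {required_action}"
    if resp.status == 404:
        return Outcome.NOT_FOUND, "resource absent (or pre-change 404-on-denied)"
    raise RuntimeError(f"unexpected status {resp.status}")


def resource_exists(send, acquire_token, required_action: str) -> bool:
    """The pattern this change breaks: 'if the lookup returns 404, create it'.

    Only NOT_FOUND is evidence of absence. FORBIDDEN means the resource may well
    exist and this identity cannot see it; treating it as missing would trigger a
    create call that either fails again or succeeds under a broader identity.
    """
    outcome, detail = call_storage(send, acquire_token, required_action)
    if outcome is Outcome.FORBIDDEN:
        raise PermissionError(detail)
    return outcome is not Outcome.NOT_FOUND


def scripted_sender(responses: List[Response]):
    """Return a send() that replays the given responses and records the headers it received."""
    seen: List[Dict[str, str]] = []
    it = iter(responses)

    def send(headers: Dict[str, str]) -> Response:
        seen.append(dict(headers))
        return next(it)

    send.seen = seen
    return send


# Constructed sample challenge; the tenant GUID is a placeholder, not a real tenant.
CHALLENGE = ('Bearer authorization_uri="https://login.microsoftonline.com/'
             '11111111-2222-3333-4444-555555555555/oauth2/authorize", '
             'resource_id="https://storage.azure.com"')


def demo() -> Tuple[Outcome, Outcome, Outcome, str]:
    """Run the three cases a client must now distinguish and return the outcomes."""
    fake_token = lambda tenant, resource: f"tok-for-{tenant}"
    permitted = scripted_sender([Response(401, {"WWW-Authenticate": CHALLENGE}), Response(200)])
    denied = scripted_sender([Response(401, {"WWW-Authenticate": CHALLENGE}), Response(403)])
    missing = scripted_sender([Response(401, {"WWW-Authenticate": CHALLENGE}), Response(404)])
    return (
        call_storage(permitted, fake_token, GET_ACCOUNT_INFO_ACTION)[0],
        call_storage(denied, fake_token, GET_ACCOUNT_INFO_ACTION)[0],
        call_storage(missing, fake_token, GET_ACCOUNT_INFO_ACTION)[0],
        permitted.seen[1]["Authorization"],
    )


if __name__ == "__main__":
    print(demo())
```

The point of resource_exists is the one the announcement warns about: code written against the old behavior maps 404 straight to "create it", and under the new behavior a 403 must surface as a permission problem (the missing RBAC action is the fix), not be silently folded into the not-found path.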

Conclusion

Over the past two weeks, Microsoft has introduced a slew of updates and announcements pertaining to Azure Infrastructure as a Service (IaaS) and Azure Local. These developments underscore the tech giant’s unwavering commitment to enhancing its cloud offerings and adapting to the ever-evolving needs of businesses and developers. Users of Azure can anticipate improved functionalities, streamlined services, and enriched features as a result of these changes. Stay tuned for more insights as I continue to monitor and report on Azure’s progression in the cloud sphere.

Azure Hybrid Management & Security: What’s New and Insights from the Field – August 2025

Once again this month, I’m back with my recurring series focused on the evolution of Azure management and security services, with a special focus on hybrid and multicloud scenarios enabled by Azure Arc and enhanced by the use of Artificial Intelligence.

This monthly series aims to:

  • Provide an overview of the most relevant updates released by Microsoft;

  • Share operational tips and field-proven best practices to help architects and IT leaders manage complex and distributed environments more effectively;

  • Follow the evolution towards a centralized, proactive, and AI-driven management model, in line with Microsoft’s vision of AI-powered Management.

The main areas addressed in this series, together with the corresponding tools and services, are described in this article.

Security posture across hybrid and multicloud infrastructures

Microsoft Defender for Cloud

Retirement of Microsoft Defender for Cloud in Microsoft Azure operated by 21Vianet

Microsoft has announced the retirement of Microsoft Defender for Cloud in the Microsoft Azure environment operated by 21Vianet (Azure in China) due to increasing infrastructure and operational complexity, which no longer allows the expected levels of stability and effectiveness to be ensured. All related features and services will be discontinued and removed on August 18, 2026; after that date, the Defender for Cloud portal and any associated services or features in that environment will no longer be accessible. To manage the transition effectively, customers are encouraged to work with their Azure (operated by 21Vianet) account representatives to assess operational impact and plan the necessary actions; further details are available in the official documentation.

New features, bug fixes, and deprecated features of Microsoft Defender for Cloud

The development of Microsoft Defender for Cloud is constantly evolving, with continuous improvements being introduced. To stay updated on the latest developments, Microsoft updates this page, which provides information on new features, bug fixes, and deprecated features. Specifically, this month’s main news includes:

  • Defender for Storage: Optional index tags for malware scan results. Defender for Storage now lets you choose whether the outcome of malware scans, both on-upload and on-demand, is written to Blob index tags (the default) or not recorded as tags at all. The setting can be changed at the subscription and storage account levels, via the Azure portal or the APIs, which simplifies metadata governance and the integration of scan results with triage and auditing processes.
  • Defender for Storage available in Azure Government. The service helps U.S. federal and government agencies secure their storage accounts, offering in Azure Government the same functional coverage as the commercial cloud. This lets security teams adopt uniform controls aligned with public-sector compliance requirements.
  • Defender CSPM and Defender for Servers Plan 2 available in Azure Government. Microsoft has made both Defender Cloud Security Posture Management (CSPM) and Defender for Servers Plan 2 available in Azure Government. This enables the Department of Defense (DoD) and civilian agencies to manage cloud security posture, strengthen compliance, and benefit from advanced capabilities for server workloads. Feature coverage is aligned with the commercial cloud, facilitating consistent standards and procedures across hybrid and multicloud environments.
  • AKS Security Dashboard. Within the Azure portal, the AKS Security Dashboard provides a centralized view of security posture and runtime protection for AKS clusters. The dashboard highlights software vulnerabilities, compliance gaps, and active threats, helping teams prioritize remediations. It also enables real-time monitoring of workload protection, cluster configuration, and threat-detection signals, improving the continuous prevent–detect–respond cycle.
  • Aggregated storage logs in Microsoft Defender XDR Advanced Hunting (preview). The CloudStorageAggregatedEvents table is available in preview within the Advanced Hunting experience in Microsoft Defender XDR. The table brings aggregated storage activity logs from Defender for Cloud—covering operations, authentication details, access sources, and success/error counts—into a single queryable schema, reducing noise, improving query performance, and providing a high-level view of access patterns. These logs are included at no additional cost in the new Defender for Storage plan for storage accounts, enabling more effective investigations and detections.

Governance and policy management

Azure Cost Management

Updates related to Microsoft Cost Management

Microsoft is constantly seeking new methodologies to improve Microsoft Cost Management, the solution to provide greater visibility into where costs are accumulating in the cloud, identify and prevent incorrect spending patterns, and optimize costs. This article reports some of the latest improvements and updates regarding this solution.

Monitoring

Azure Monitor

Azure Monitor: Tenant-level Service Health alerts (preview)

Microsoft is introducing tenant-level Service Health alerts in Azure Monitor (preview), a capability that delivers proactive notifications about service health issues that affect the entire tenant—not just individual subscriptions. Alert rules can be created with directory (tenant) scope directly from the Service Health page or via the alert-creation wizard in the Azure portal. This extension provides broader visibility and accelerates response to incidents involving tenant-scoped services; for full coverage, Microsoft recommends configuring both subscription-level and tenant-level Service Health alerts.

Log Analytics: Search Job now supports up to 100 million results

Search Job in Log Analytics enables asynchronous queries across all workspace data—including long-term retention—and can land the results in new Analytics tables for downstream analysis. The maximum size per result set has been increased from 1 million to 100 million records, enabling analysis of much larger datasets without splitting queries. This capability remains central for large-scale analytics, rapid investigations, and advanced log processing, delivering a more complete and accurate view of operational data.

Conclusions

This month strongly reaffirms the shift toward a centralized, proactive, AI-powered management model: from extending security posture across hybrid and multicloud scenarios with Defender for Cloud, to operational updates like the AKS Security Dashboard and aggregated storage logs in Advanced Hunting, through to tenant-level Service Health alerts in Azure Monitor. I urge architects and IT leaders to translate these updates into concrete actions now: plan the transition ahead of already announced deadlines (e.g., the retirement of Defender for Cloud in Azure operated by 21Vianet) and enable the new controls across your tenants and workspaces (AKS Security Dashboard, directory-scoped Service Health alerts). As always, the official documentation remains the authoritative source for details and prerequisites; in upcoming installments we will continue to follow the evolution of AI-powered management with practical guidance and field-tested best practices.