Category archives: Microsoft Azure

Azure IaaS and Azure Local: announcements and updates (March 2026 – Weeks: 11 and 12)

This blog post series highlights the key announcements and major updates related to Azure Infrastructure as a Service (IaaS) and Azure Local, as officially released by Microsoft in the past two weeks.

Azure

Compute

Retirement: Azure VMware Solution AV36P and AV52 node retirement on June 30, 2029

Microsoft has announced the retirement of Azure VMware Solution (AVS) AV36P and AV52 nodes effective June 30, 2029. The company stated that existing Reserved Instance (RI) terms for AV36P and AV52 are not affected by this announcement, but customers should review their RI expiration timelines and plan the transition to newer AVS node types. To support this migration, Microsoft will offer AV36P and AV52 VMware Cloud Foundation (VCF) Bring Your Own License (BYOL) 3-year Reserved Instances until June 30, 2026, and 1-year Reserved Instances until June 30, 2028. All migrations away from AV36P and AV52—including Pay-As-You-Go subscriptions—must be completed by June 30, 2029. Microsoft also clarified that this change affects only AV36P and AV52 nodes, while AV48 and AV64 remain available with AVS VCF BYOL options. Customers are advised to move to a supported AVS node type before the end of their current AV36P or AV52 RI term and to use available AVS documentation and HCX migration guidance to plan the transition.

Networking

Default Rule Set 2.2 and updates to ruleset support policy

Microsoft is updating the managed ruleset support policy for Azure Web Application Firewall (WAF) following the general availability of Default Rule Set (DRS) 2.2 on Azure Application Gateway and Azure Front Door. Starting with DRS 2.2, Azure WAF will support the latest three managed ruleset versions at any given time (N, N-1, and N-2). When a new ruleset version is released, the version that becomes N-3 will enter a final one-year support period, during which it may receive only critical security updates if necessary. With the release of DRS 2.2, CRS 3.1 and CRS 3.0 in Azure Application Gateway, as well as DRS 1.2, DRS 1.1, and DRS 1.0 in Azure Front Door, have entered their final support year, which ends on February 26, 2027. Microsoft recommends that customers upgrade to a supported ruleset version to continue receiving full protection coverage, enhanced detections, and improvements aimed at reducing false positives.
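To check existing policies against the final-support list above, this added example (not code from the original post or from Microsoft) audits JSON exports of WAF policies. The field names (`managedRules`, `managedRuleSets`, `ruleSetType`, `ruleSetVersion`), the ruleset type strings and the sample policies are assumptions modeled on Azure CLI output and are constructed for illustration.

```python
import json
from datetime import date

# End of the final support year stated in the post.
FINAL_SUPPORT_END = date(2027, 2, 26)

# Rulesets the post lists as having entered their final support year.
# Kept per platform because the same version number means different things:
# "1.0" on Front Door is DRS 1.0, while a bot ruleset can also be "1.0".
FINAL_YEAR = {
    "application-gateway": {("CRS", "3.1"), ("CRS", "3.0")},
    "front-door": {("DRS", "1.2"), ("DRS", "1.1"), ("DRS", "1.0")},
}


def family(rule_set_type):
    """Map a ruleSetType string to CRS/DRS (assumed type strings)."""
    t = (rule_set_type or "").lower()
    if t == "owasp":
        return "CRS"
    if "defaultruleset" in t:
        return "DRS"
    return None  # e.g. bot protection rulesets are outside this check


def audit(policies, platform, today):
    """Return one finding per core managed ruleset, most urgent first."""
    listed = FINAL_YEAR[platform]
    findings = []
    for policy in policies:
        name = policy.get("name", "<unnamed>")
        rule_sets = (policy.get("managedRules") or {}).get("managedRuleSets") or []
        core = []
        for rs in rule_sets:
            fam = family(rs.get("ruleSetType"))
            if fam:
                # Normalise "3.1.0" style versions to major.minor.
                ver = ".".join(str(rs.get("ruleSetVersion", "")).split(".")[:2])
                core.append((fam, ver))
        if not core:
            # Custom-rules-only policy: no managed protection at all.
            findings.append({"policy": name, "ruleset": None,
                             "status": "no-managed-ruleset", "days_left": None})
            continue
        for fam, ver in core:
            if (fam, ver) in listed:
                days_left = (FINAL_SUPPORT_END - today).days
                status = "final-support-year" if days_left >= 0 else "support-ended"
            else:
                # Not named in the post's final-year list; nothing to flag.
                status, days_left = "not-in-final-year-list", None
            findings.append({"policy": name, "ruleset": f"{fam} {ver}",
                             "status": status, "days_left": days_left})
    order = {"support-ended": 0, "final-support-year": 1,
             "no-managed-ruleset": 2, "not-in-final-year-list": 3}
    return sorted(findings, key=lambda f: (order[f["status"]], f["policy"]))


# Constructed sample exports (not real policies).
APPGW_EXPORT = json.loads("""[
  {"name": "waf-shop-prod", "managedRules": {"managedRuleSets": [
     {"ruleSetType": "OWASP", "ruleSetVersion": "3.1"},
     {"ruleSetType": "Microsoft_BotManagerRuleSet", "ruleSetVersion": "1.0"}]}},
  {"name": "waf-api-prod", "managedRules": {"managedRuleSets": [
     {"ruleSetType": "Microsoft_DefaultRuleSet", "ruleSetVersion": "2.2"}]}},
  {"name": "waf-legacy", "managedRules": {"managedRuleSets": [
     {"ruleSetType": "OWASP", "ruleSetVersion": "3.0"}]}}
]""")

FRONTDOOR_EXPORT = json.loads("""[
  {"name": "fdwafedge", "managedRules": {"managedRuleSets": [
     {"ruleSetType": "DefaultRuleSet", "ruleSetVersion": "1.0"}]}},
  {"name": "fdwafcustomonly", "managedRules": {"managedRuleSets": []}}
]""")

if __name__ == "__main__":
    today = date(2026, 3, 20)  # constructed "as of" date
    for platform, export in (("application-gateway", APPGW_EXPORT),
                             ("front-door", FRONTDOOR_EXPORT)):
        for f in audit(export, platform, today):
            print(platform, f["policy"], f["ruleset"], f["status"], f["days_left"])
```
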

Storage

Azure Storage Mover enables private data transfers from AWS S3 to Azure Blob (preview)

Azure Storage Mover now supports direct, private data transfers from Amazon Web Services (AWS) Simple Storage Service (S3) in a Virtual Private Cloud (VPC) to Azure Blob Storage in Public Preview. This capability enables organizations to migrate data securely without relying on manual pipelines or third-party tools, while also supporting automation through the Azure portal and providing real-time monitoring of migration jobs. Following the earlier general availability announcement for AWS-to-Azure transfers over public networks, this update extends Azure Storage Mover with private networking support to address stricter security and compliance requirements. Microsoft highlights automated and scalable workflows through centralized job orchestration and dashboards, secure and compliant transfers aligned with Azure governance frameworks, and faster modernization by making data available in Azure for analytics, AI, and other cloud innovation scenarios as soon as it arrives.

Entra ID-based access for Azure Blob Storage SFTP (preview)

Microsoft Entra ID-based access for Azure Blob Storage SFTP is now available in Public Preview, enabling users to connect securely to Azure Blob Storage over Secure File Transfer Protocol (SFTP) by using Microsoft Entra identities instead of creating and managing local user accounts. This capability also supports guest users through Entra External Identities, allowing organizations to collaborate more securely with partners and vendors. The new model introduces Single Sign-On (SSO) and Multi-Factor Authentication (MFA) support, enables the use of Conditional Access policies based on context such as location, device compliance, and risk, and aligns SFTP access with existing identity lifecycle processes so permissions can be updated or revoked automatically when users change roles or leave the organization. In addition, SFTP authorization integrates natively with Azure Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Access Control Lists (ACLs), ensuring consistent permissions across SFTP, REST APIs, Azure CLI, and other Azure access methods.

Azure Local

Azure Local: Features and improvements in 2603

Microsoft has released the March 2026 update for hyperconverged deployments of Azure Local, identified as version 12.2603.1002.15. This release includes general reliability improvements and bug fixes, while also introducing updates across the operating system, Kubernetes support, GPU enablement, security readiness, and provisioning workflows. From 2603 onward, all new and existing Azure Local deployments run the updated OS version 26100.32522, available from the Azure portal, and customers must ensure they use a driver compatible with OS version 26100.32522 or Windows Server 2025. For Integrated System or Premier solution hardware purchased through the Azure Local Catalog, the OS remains preinstalled, and Microsoft recommends working with the Original Equipment Manufacturer (OEM) to obtain compatible OS images and drivers. The build also updates both .NET Runtime and ASP.NET Core to version 8.0.25.

For Azure Kubernetes Service (AKS) enabled by Azure Arc, this release supports Kubernetes versions 1.31.12, 1.31.13, 1.32.8, 1.32.9, 1.33.4, and 1.33.5, while Kubernetes 1.30 is no longer supported. Microsoft also notes that KMS v1 will be deprecated soon and that KMS v2 is included in this Azure Local release, so customers should plan to redeploy clusters by using KMS v2. In addition, support for the Windows Server 2019 SKU for node pools ends in March 2026, and administrators should verify that AKS clusters are on a supported Kubernetes version before upgrading Azure Local.

This release also introduces support for the NVIDIA RTX PRO 6000 Blackwell Server Edition GPU on Azure Local VMs and on AKS enabled by Azure Arc, enabling GPU-accelerated workloads on Azure Local with this new NVIDIA platform. On the security side, Microsoft has improved Secure Boot certificate readiness by adding built-in orchestration to deploy the new Secure Boot 2023 certificates, helping customers prepare for upcoming Secure Boot changes while reducing update risk. Finally, simplified machine provisioning is now available, allowing customers to install the operating system and register Azure Local machines together through a single streamlined workflow.

Conclusion

Over the past two weeks, Microsoft has introduced a slew of updates and announcements pertaining to Azure Infrastructure as a Service (IaaS) and Azure Local. These developments underscore the tech giant’s unwavering commitment to enhancing its cloud offerings and adapting to the ever-evolving needs of businesses and developers. Users of Azure can anticipate improved functionalities, streamlined services, and enriched features as a result of these changes. Stay tuned for more insights as I continue to monitor and report on Azure’s progression in the cloud sphere.

Azure IaaS and Azure Local: announcements and updates (March 2026 – Weeks: 09 and 10)

This blog post series highlights the key announcements and major updates related to Azure Infrastructure as a Service (IaaS) and Azure Local, as officially released by Microsoft in the past two weeks.

Azure

General

Microsoft Sovereign Cloud adds governance, productivity, and support for large AI models in fully disconnected environments

Microsoft has expanded Microsoft Sovereign Cloud capabilities to help organizations meet digital sovereignty requirements while maintaining governance, productivity, and AI innovation even in fully disconnected scenarios. The update introduces a “Sovereign Private Cloud” stack that unifies Azure Local, Microsoft 365 Local, and Foundry Local across connected, intermittently connected, and air-gapped environments, enabling consistent policy enforcement and operational continuity within strict sovereign boundaries. Key additions include Azure Local disconnected operations (now available) to run and govern mission-critical infrastructure without cloud connectivity, Microsoft 365 Local disconnected (now available) to keep core productivity services—such as Exchange Server, SharePoint Server, and Skype for Business Server—running entirely inside the customer’s boundary, and Foundry Local enhancements that add modern infrastructure support and enable large, multimodal AI models to run locally on customer-owned hardware (including partner platforms such as NVIDIA) for in-boundary inferencing and APIs without external dependencies.

Compute

DCesv6, DCedsv6, ECesv6, and ECedsv6 confidential VMs

The DCesv6, DCedsv6, ECesv6, and ECedsv6 series are Azure’s next generation of confidential virtual machines (VMs), built on 5th Gen Intel® Xeon® processors with Intel® Trust Domain Extensions (Intel® TDX). Available now for production deployments, these VM families target both general-purpose scenarios (DCesv6, DCedsv6) and memory-optimized workloads (ECesv6, ECedsv6), helping organizations move highly sensitive workloads to the cloud with hardware-enforced isolation and without requiring application code changes. Microsoft positions this release as combining improved performance and scalability with confidential computing protections designed for security-critical enterprise workloads.

Networking

Draft & Deploy on Azure Firewall

Azure Firewall Policy now includes Draft & Deploy, a new capability that introduces a two-phase workflow to reduce deployment time and minimize disruption when updating firewall policies. Previously, any policy change could trigger a full deployment of both the policy and the attached firewall, often taking 2–4 minutes per update. With Draft & Deploy, users can collaboratively prepare multiple edits in a draft version cloned from the current policy without impacting the live environment, and then apply all changes in a single deployment, replacing the existing policy once the draft is finalized.

WAF Insights for Application Gateway (preview)

Application Gateway WAF Insights is now available in Public Preview, providing an interactive experience for exploring Web Application Firewall (WAF) logs and metrics directly within Azure Application Gateway. WAF Insights helps security and operations teams investigate blocked requests more quickly, analyze attack patterns, and drill into key details such as rule IDs and client IPs. With enhanced filters and visualizations, the capability is intended to improve troubleshooting efficiency, support faster identification of false positives, and streamline WAF policy tuning.


Azure Hybrid Management & Security: What’s New and Insights from the Field – February 2026

Once again this month, I’m back with my recurring series focused on the evolution of Azure management and security services, with a special focus on hybrid and multicloud scenarios enabled by Azure Arc and enhanced by the use of Artificial Intelligence.

This monthly series aims to:

  • Provide an overview of the most relevant updates released by Microsoft;

  • Share operational tips and field-proven best practices to help architects and IT leaders manage complex and distributed environments more effectively;

  • Follow the evolution towards a centralized, proactive, and AI-driven management model, in line with Microsoft’s vision of AI-powered Management.

The main areas addressed in this series, together with the corresponding tools and services, are described in this article.

Hybrid and multicloud environment management

Microsoft Sovereign Cloud: more governance, productivity, and AI—even in fully disconnected environments

Microsoft has expanded the capabilities of Microsoft Sovereign Cloud to help organizations meet digital sovereignty requirements, while still maintaining governance, productivity, and innovation in artificial intelligence—even in fully disconnected scenarios.

The update introduces the “Sovereign Private Cloud” stack, which brings together Azure Local, Microsoft 365 Local, and Foundry Local across connected environments, intermittently connected environments, and air-gapped (isolated) environments. This enables consistent policy enforcement and operational continuity while remaining within strict sovereignty boundaries.

Key updates include:

  • Enhancements to Foundry Local: Adds support for modern infrastructure and enables local execution of large and multimodal AI models on customer-owned hardware (including partner platforms such as NVIDIA), delivering “in-boundary” inference and APIs without requiring external connections or services.

  • Azure Local in disconnected mode: Enables running and governing mission-critical infrastructures without cloud connectivity, ensuring control and compliance even offline.

  • Microsoft 365 Local in disconnected mode: Allows organizations to keep essential productivity services—such as Exchange Server, SharePoint Server, and Skype for Business Server—entirely within the customer perimeter, with no external dependencies.

Security posture across hybrid and multicloud infrastructures

Microsoft Defender for Cloud

Updated logic for CIEM recommendations in Microsoft Defender for Cloud

Microsoft Defender for Cloud is updating the logic used to calculate Cloud Infrastructure Entitlement Management (CIEM) recommendations, now available as a native capability on Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). The goal of this update is to improve recommendation accuracy, with potential impacts on results already visible in the portal.

Specifically, the identification of inactive identities is no longer based on sign-in activity, but on the presence of unused role assignments. In addition, the observation window is extended to 90 days (previously 45), and identities created within the last 90 days are excluded from the inactivity assessment. The Permissions Creep Index (PCI) metric is also being retired and will no longer appear in recommendations. CIEM onboarding is simplified by removing the need for elevated permissions that are considered high risk. Overall, this change provides a more reliable view of access-related risk and makes CIEM adoption more practical in enterprise and multicloud environments.

Alert simulation for SQL servers on machines

The SQL simulated alerts capability in Microsoft Defender for Cloud is now generally available. This update enables security teams to safely validate SQL protections, detections, and automated response workflows without introducing real risk into production environments.

Simulations generate realistic alerts, complete with SQL context and machine context (both on Azure VMs and on machines connected via Azure Arc), enabling end-to-end testing of playbooks, SOC procedures, and operational readiness levels. Alerts are produced locally through a secure script extension, with no external payloads and no impact on production resources—an approach particularly useful for periodic exercises, audits, and ongoing hardening of incident response processes.

Scanning support for Minimus and Photon OS container images

The vulnerability scanner in Microsoft Defender for Cloud, based on Microsoft Defender Vulnerability Management, expands its coverage to include Minimus and Photon OS container images. The goal is to identify vulnerabilities in these distributions and help teams verify that released images meet appropriate security standards, especially in CI/CD pipelines and high-churn containerized environments.

As the number of analyzed image types increases, the volume of scanning may grow and, as a result, there may be an increase in costs associated with vulnerability assessment. From an operational standpoint, extending coverage is an important step toward reducing visibility gaps in the container supply chain, especially when adopting minimalist distributions to reduce the attack surface.

Threat protection for AI agents in Foundry with Microsoft Defender for Cloud (preview)

Microsoft Defender for Cloud introduces, in Preview, a new threat protection capability for AI agents developed with Foundry, included in the Defender for AI Services plan. The protection is designed to cover the entire lifecycle—from development to runtime—with the goal of identifying and mitigating high-impact, actionable threats, aligned with OWASP guidance for Large Language Model (LLM)-based systems and agentic architectures.

With this update, Microsoft further expands AI security coverage within Defender, helping organizations protect a growing number of AI platforms and implementations while maintaining a consistent approach across application controls, posture management, and in-operation detections.

Database-level recommendations experience for SQL Vulnerability Assessment (preview)

Microsoft Defender for SQL introduces, in Preview, a new way to consume SQL Vulnerability Assessment (SQL VA) recommendations, based on per-database evaluations. The update applies to SQL VA across all supported types (both PaaS and IaaS), including classic and express configurations, and is available in both the Azure portal and the Defender portal.

In the new model, each SQL VA rule generates a distinct assessment for each impacted database, and those assessments are surfaced and managed as actual recommendations on the Defender for Cloud Recommendations page. Previously, results were aggregated at the server or instance level and presented under “umbrella” recommendations (for example, those related to remediating findings for SQL databases or for SQL servers on machines).

This new experience does not change scanning logic, rules, queries, schedules, APIs, or pricing; instead, it changes how results are consumed and managed, aligning them with Defender’s uniform recommendations model. During the preview, these new assessments do not affect the Secure Score in the Azure portal, but they do contribute to the Secure Score in the Defender portal, while the aggregated server-level experience remains available in parallel.

Binary drift with blocking support (preview)

The binary drift capability evolves and, in Preview, enables not only detection of unauthorized changes, but also blocking them. In practice, you can configure policies that prevent binaries from executing inside containers when they appear tampered with or show unexpected modifications compared to the expected image.

This type of enforcement adds a particularly effective layer of protection against runtime and post-deployment compromise techniques, helping contain incidents that stem from filesystem alterations inside the container or the insertion of unauthorized components. For teams managing container workloads at scale, the shift from “detect” to “detect + prevent” represents a tangible move toward more proactive controls.

Runtime anti-malware for containers: detection and blocking (preview)

Microsoft Defender for Cloud introduces, in Preview, runtime anti-malware detection and prevention for containerized workloads, supporting Azure Kubernetes Service (AKS), Amazon Elastic Kubernetes Service (EKS), and Google Kubernetes Engine (GKE).

The capability operates in real time and allows defining anti-malware rules that set conditions for generating alerts and, when appropriate, blocking malware—strengthening cluster protection without relying exclusively on upstream controls (such as image scanning). Rule-based configuration also helps reduce false positives, balancing security and operations, especially in multicloud scenarios where policy consistency and response actions are often key requirements for security and platform engineering teams.

Backup & Resilience

Azure Backup

Vault-based backup for Azure Disks (preview)

With Azure Disk Backup, data is currently protected through regular crash-consistent snapshots of Azure disks, stored within the subscription and tenant in a resource group known as the Operational Tier of Azure Backup. This approach enables fast “operational” restores for common scenarios such as accidental deletions or data corruption, and it is often paired with Azure VM Backup, which provides application-aware protection for virtual machines.

In line with backup best practices (the 3-2-1 strategy), Microsoft introduces Vault Tier backups in Private Preview, extending disk-level protection with vault isolation (offsite), independent access controls, and immutability—key elements for improving resilience against ransomware and tenant-level compromises, and for aligning disk backup security with a cyber-recovery posture comparable to what is already adopted for VM backups.

The preview enables two core capabilities: Vault Tier Backup, to retain isolated copies in the vault to meet compliance and resilience requirements; and Regional Disaster Recovery, which allows restoring disk backups to an Azure paired region, opening up new disaster recovery scenarios in combination with Azure VM Backup and Azure Site Recovery.

Monitoring

Azure Monitor

Data transformations in the Azure Monitor pipeline (preview)

Azure Monitor pipeline data transformations are available in Public Preview and allow shaping telemetry before ingestion into Azure Monitor, with the goal of improving data quality, simplifying analysis, and controlling volumes (and therefore the impact) of large-scale ingestion.

Integrated into the Azure Monitor pipeline for edge and multi-cloud scenarios, transformations enable filtering, aggregating, standardizing, and remapping data such as Syslog and Common Event Format (CEF), reducing noise and redundancy “upstream.” Automated schema standardization mechanisms and validation guardrails help maintain compatibility with standard tables, preventing data flow disruptions when transformations are applied.

In addition, the preview includes built-in templates in Kusto Query Language (KQL) for common use cases and advanced filtering and aggregation functions that, for example, allow compressing high-frequency events into meaningful time windows. In short, by bringing data optimization closer to the source, this capability aims to produce cleaner datasets and faster insights even in complex, high-volume environments.

Secure ingestion and pod placement for Azure Monitor pipeline (preview)

Microsoft announced in Public Preview new capabilities for Azure Monitor pipeline that aim to improve both ingestion security and operational management of Kubernetes components.

On the secure ingress side, the pipeline can now receive traffic from external endpoints using TLS and mutual TLS (mTLS) for TCP-based receivers, introducing support for the Bring Your Own Certificates (BYOC) model. This allows organizations to retain full control over certificate lifecycle management, meet regulatory requirements, and integrate configuration with their existing Public Key Infrastructure (PKI). In practice, you can configure mTLS with your own certificates for mutual client/server authentication, or adopt TLS with a custom server certificate and a dedicated client Certificate Authority (CA).

In parallel, the new pod placement capability provides native controls to determine how pipeline instances are scheduled onto cluster nodes. Through execution placement configuration, you can direct pods to nodes with specific capabilities (for example, high-resource nodes or nodes in particular zones), control instance distribution to reduce resource contention, and apply isolation criteria that are useful in large-scale deployments.

Conclusions

This month’s updates confirm a very clear direction: Microsoft is pushing toward an increasingly uniform, proactive, and “AI-ready” model for management and protection—one that works consistently not only in Azure, but also across hybrid, multicloud, and even disconnected environments.

The evolution of Microsoft Sovereign Cloud and the “Sovereign Private Cloud” stack shows how governance and productivity can extend into air-gapped contexts, while on the security front Defender for Cloud continues to increase both coverage and depth: more reliable and adoptable CIEM, alert simulations to validate SOC processes, more decisive runtime protections for containers, and growing focus on protecting AI workloads and agents. In parallel, Azure Backup strengthens resilience with the “vault tier” approach for disks, aligning protection with more modern cyber-recovery requirements, and Azure Monitor brings optimization closer to the source with data transformations and secure ingestion options (TLS/mTLS) designed for distributed environments.

Azure IaaS and Azure Local: announcements and updates (February 2026 – Weeks: 07 and 08)

This blog post series highlights the key announcements and major updates related to Azure Infrastructure as a Service (IaaS) and Azure Local, as officially released by Microsoft in the past two weeks.

Azure

Compute

Encryption at host and disk encryption sets now supported in node auto-provisioning

Node auto-provisioning enabled clusters now support both Encryption at Host and Disk Encryption Sets, removing a previous limitation that prevented some security-sensitive deployments from using node auto-provisioning. With this update, customers can adopt node auto-provisioning while still meeting required encryption controls, and can also benefit from its associated improvements in compute efficiency, resiliency, and cost-management capabilities.

Networking

Azure Front Door Premium now supports Azure Private Link origins in UAE North

Azure Front Door Premium now supports Azure Private Link-enabled origins in the UAE North region, allowing customers to select UAE North as the origin region for Private Link connectivity within their Front Door Premium profiles. With Private Link-enabled origins, customers can deliver content to end users through public Azure Front Door endpoints while keeping the origin service inaccessible from the public internet, strengthening network isolation without sacrificing global edge delivery.

Storage

Instant access support for incremental snapshots of Azure Premium SSD v2 and Ultra Disk

Instant access support for incremental snapshots of Azure Premium SSD v2 (Pv2) and Ultra Disk is now Generally Available (GA), enabling customers to restore new disks immediately after snapshot creation. With this capability, newly restored disks provide high performance right away while data hydration continues in the background, accelerating backup and recovery workflows and reducing downtime for restore scenarios. Common use cases include taking instant backups before software updates and quickly reverting if needed, rapidly scaling stateful applications by cloning primary datasets (for example, adding read-only SQL Server replicas), and performing fast nightly refreshes of training or testing environments from production. Instant access for incremental snapshots is available in all public regions where Premium SSD v2 and Ultra Disk are supported.

Azure Premium SSD v2 Disk now available in Brazil Southeast and in a third Availability Zone in Malaysia West and Indonesia Central

Azure Premium SSD v2 Disk is now available in Brazil Southeast (a region without Availability Zones) and is now supported in a third Availability Zone in both Malaysia West and Indonesia Central, expanding regional and zonal options for customers running IO-intensive workloads. Premium SSD v2 is a next-generation, general-purpose block storage option for Azure virtual machines designed to deliver sub-millisecond latency and strong price-performance, and it is suited for enterprise production scenarios such as SQL Server, Oracle, MariaDB, SAP, Cassandra, MongoDB, big data/analytics, and gaming, both on virtual machines and stateful containers.

Azure Local

Features and improvements in 2602

Microsoft has released the February 2026 update for hyperconverged deployments of Azure Local, identified as version 12.2602.1002.7. This release includes general reliability improvements and bug fixes, and it also updates the underlying platform components. From 2602 onward, all new and existing Azure Local deployments run the updated OS version 26100.32370, which is available for download from the Azure portal, and customers must also ensure they have a driver compatible with OS version 26100.32370 (or Windows Server 2025). For Integrated System or Premier solution hardware purchased through the Azure Local Catalog, the OS is preinstalled, and Microsoft recommends working with the Original Equipment Manufacturer (OEM) to obtain compatible OS images and drivers. The build also updates the runtime to .NET 8.0.24 for both .NET Runtime and ASP.NET Core. In addition, the Azure portal update workflow now provides richer, more detailed information to improve the update experience. Finally, Microsoft notes that for environments running OS version 20349.xxxx (Windows Server 22H2), it is no longer possible to purchase Windows Server Subscription or Extended Security Updates (ESU).


Azure IaaS and Azure Local: announcements and updates (February 2026 – Weeks: 05 and 06)

This blog post series highlights the key announcements and major updates related to Azure Infrastructure as a Service (IaaS) and Azure Local, as officially released by Microsoft in the past two weeks.

Azure

Compute

AMD v6 confidential VMs (DCa/ECa v6) now available in additional regions

AMD-based confidential virtual machines in the DCa v6 and ECa v6 series are now generally available in 11 additional Azure regions: Canada Central, Canada East, Norway East, Norway West, Italy North, Germany North, France South, Australia East, West US, West US 3, and Germany West Central. This expansion builds on the initial availability announced at launch, which included Korea Central, South Africa North, Switzerland North, UAE North, UK South, and West Central US, giving customers more regional options for running confidential computing workloads backed by hardware-based memory encryption and isolation.

Azure AMD Turin Dasv7, Dalsv7, Easv7, and Fasv7-series Virtual Machines

The Azure AMD Turin-based Dasv7/Dalsv7 (general purpose), Easv7/Eadsv7 (memory optimized), and Fasv7/Falsv7/Famsv7 (compute optimized) virtual machines are now Generally Available (GA), offered both with and without local disk support. These VM families are available in Australia East, Central US, Germany West Central, Japan East, North Europe, South Central US, Southeast Asia, UK South, West Europe, West US 2, and West US 3, with the large 160 vCPU Easv7/Eadsv7 sizes available in North Europe, South Central US, West Europe, and West US 2, and additional regions planned for 2026. Compared to prior-generation v6 instances, Microsoft states these VMs provide up to 35% higher CPU performance and substantial gains for common workload types, including up to 25% for Java workloads, up to 65% for in-memory cache applications, up to 80% for crypto workloads, and up to 130% for web server workloads. The release also introduces new local-disk-enabled variants—Fadsv7, Faldsv7, and Famdsv7—to broaden configuration flexibility for performance-sensitive scenarios.

Intel-based 7th generation Dlsv7/Dsv7/Esv7 Virtual Machines (preview)

Microsoft has announced the Public Preview of new Dlsv7/Dsv7 (general purpose) and Esv7 (memory optimized) virtual machines powered by Intel® Xeon® 6 processors (Granite Rapids). These v7 Intel-based VMs are designed to meet growing datacenter compute requirements and target a broad range of workloads, including traditional enterprise applications and AI-driven scenarios. Compared to v6, Microsoft states they deliver up to 15% better general compute performance, supported by turbo frequencies up to 4.2 GHz and up to 2x higher memory bandwidth. The new series also expands scalability, with Dsv7 and Esv7 scaling up to 372 vCPUs and Esv7 offering up to 2.8 TiB of memory. Networking and remote storage performance are also increased through the latest Azure Boost capabilities, with up to 400 Gbps networking bandwidth on the largest sizes and up to 800k IOPS and 20 GBps throughput to Premium SSD v2 and Ultra Disk remote storage on the largest sizes.

Networking

Default Rule Set (DRS) 2.2 for WAF on Azure Application Gateway

Default Rule Set (DRS) 2.2 for Web Application Firewall on Azure Application Gateway is now Generally Available (GA), providing Azure-managed protections against common web vulnerabilities and exploits. DRS 2.2 includes Microsoft Threat Intelligence collection rules—authored in collaboration with Microsoft intelligence teams—to extend coverage, target emerging exploit patterns, and reduce false positives over time. This release is based on OWASP Core Rule Set 3.3.4 and introduces refinements and new protections such as detections for content types declared outside the actual Content-Type header and enhanced remote code execution (RCE) detections, while adding additional Microsoft Threat Intelligence rules that broaden coverage across SQL injection, cross-site scripting (XSS), and other application-layer attack patterns. To help minimize legitimate traffic being blocked, DRS 2.2 ships with Paranoia Level (PL) 1 enabled by default, while PL2 rules remain disabled by default due to their more aggressive behavior and typical need for tuning.

Azure Virtual Network routing appliance (preview)

The Azure Virtual Network routing appliance is now available in Public Preview, providing private connectivity for workloads across virtual networks using specialized hardware designed for low latency and high throughput. Deployed into a private subnet, the appliance acts as a managed forwarding router, enabling traffic steering through User Defined Routes (UDR) to support scenarios such as spoke-to-spoke communication in traditional hub-and-spoke topologies. As an Azure resource, it integrates with Azure’s management and governance model, allowing customers to adopt appliance-based routing without relying on self-managed virtual machine routers.

X-Forwarded-For (XFF) grouping for rate limiting on Application Gateway WAF v2 (preview)

Application Gateway Web Application Firewall (WAF) v2 now supports additional rate-limiting GroupBy options based on the X-Forwarded-For (XFF) HTTP header in Public Preview. This capability helps customers running Application Gateway behind proxies or Content Delivery Networks (CDNs) apply rate limits using the original client IP rather than the TCP source IP, reducing the risk of throttling legitimate users that share the same proxy egress address. In this preview, custom rate-limit rules can be grouped by Client Address (XFF) or Geo Location (XFF), allowing security teams to more accurately identify and mitigate abusive or high-volume traffic patterns while continuing to use the existing Application Gateway WAF v2 custom rate-limit rules and policy model.
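The effect of the grouping key can be seen by replaying traffic through a simple limiter. This is an added example, not Azure's implementation or configuration syntax: the fixed 60-second window, the threshold, the mode names and the choice of the left-most XFF entry as the client are assumptions, and the requests are constructed.

```python
"""Added example: how the rate-limit grouping key changes who gets throttled.

Not Azure code. Window, threshold, mode names and header parsing are assumptions.
"""
from collections import defaultdict
import ipaddress

WINDOW_SECONDS = 60   # assumed window length
THRESHOLD = 5         # assumed maximum requests per key per window
CDN_EGRESS = "203.0.113.10"  # constructed proxy/CDN egress address


def xff_client(xff_header):
    """Return the first syntactically valid address in an XFF header, or None.

    Assumption: the left-most entry is the original client. The header is
    client-supplied, so it is only trustworthy when the proxy in front
    overwrites or sanitises it.
    """
    if not xff_header:
        return None
    first = xff_header.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(first))
    except ValueError:
        return None


def group_key(request, mode):
    """Build the counter key for a request under the chosen grouping mode."""
    if mode == "socket":
        return request["src"]
    if mode == "xff":
        # Fall back to the TCP source when the header is missing or malformed,
        # so such requests are still counted instead of escaping the limit.
        return xff_client(request.get("xff")) or request["src"]
    raise ValueError(f"unknown mode: {mode}")


def throttled_clients(requests, mode):
    """Replay requests through a fixed-window limiter.

    Returns {true client address: number of blocked requests}. The "client"
    field is ground truth for the sample data only; the limiter never reads it.
    """
    counters = defaultdict(int)
    blocked = defaultdict(int)
    for req in sorted(requests, key=lambda r: r["ts"]):
        window = req["ts"] // WINDOW_SECONDS
        key = (group_key(req, mode), window)
        counters[key] += 1
        if counters[key] > THRESHOLD:
            blocked[req["client"]] += 1
    return dict(blocked)


def build_sample():
    """Constructed traffic: every request reaches the gateway from one CDN egress."""
    reqs = []
    # One high-volume client: 40 requests in the first 40 seconds.
    for t in range(40):
        reqs.append({"ts": t, "src": CDN_EGRESS,
                     "xff": "198.51.100.99", "client": "198.51.100.99"})
    # Two ordinary users behind the same CDN: 3 requests each.
    for user in ("198.51.100.1", "198.51.100.2"):
        for t in (10, 20, 30):
            reqs.append({"ts": t, "src": CDN_EGRESS, "xff": user, "client": user})
    # One request whose header is not a valid address.
    reqs.append({"ts": 45, "src": CDN_EGRESS,
                 "xff": "not-an-ip", "client": "198.51.100.3"})
    return reqs


if __name__ == "__main__":
    sample = build_sample()
    print("grouped by TCP source:", throttled_clients(sample, "socket"))
    print("grouped by XFF client:", throttled_clients(sample, "xff"))
```

Grouped by TCP source, every user behind the CDN is blocked once the shared counter fills; grouped by the XFF client, only the high-volume address is.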

Storage

Azure Container Storage v2.1.0 with Elastic SAN integration and on-demand installation

Azure Container Storage v2.1.0 is now Generally Available (GA), adding native integration with Elastic SAN and introducing a modular, on-demand installation model to simplify deployment and ongoing operations for Kubernetes workloads on Azure. With Elastic SAN supported as a native storage type, customers can provision scalable volume groups and consolidate large numbers of Kubernetes volumes under a single SAN resource, improving attach/detach performance, increasing throughput, and reducing management overhead for stateful applications. The release also includes streamlined setup, improved defaults, and enhanced automation for Elastic SAN resource creation and volume group configuration. In addition, the new modular installation approach allows clusters to deploy only the components required for the chosen storage type, reducing footprint and accelerating rollout, while node selector support provides more precise placement of Azure Container Storage components—useful for dedicated storage node pools or mixed cluster topologies.

Azure NetApp Files support in OpenShift Virtualization (preview)

Azure NetApp Files support in OpenShift Virtualization is now available in Public Preview, enabling faster virtual machine provisioning, instant cloning, and live migration for VM workloads running on OpenShift Virtualization. Microsoft positions Azure NetApp Files as providing scalable storage with predictable performance and enterprise data management capabilities for scenarios ranging from infrastructure VMs to business-critical databases. This preview is available in all Azure regions where Azure NetApp Files and Azure Red Hat OpenShift are offered.

Azure NetApp Files Elastic zone-redundant service level (preview)

Azure NetApp Files Elastic zone-redundant storage (ANF Elastic ZRS) is now available in Public Preview as an advanced high-availability service level designed to keep data continuously accessible with zero data loss, even if an entire Availability Zone becomes unavailable. Built on Azure Zone-redundant storage (ZRS) architecture and compute infrastructure, ANF Elastic ZRS synchronously replicates file data across availability zones within a region, removing single points of failure without requiring special configuration or manual intervention. Microsoft positions this capability as particularly suitable for metadata-intensive workloads across VMs and containers—such as AI, analytics, and Kubernetes/OpenShift environments—while also offering operational simplicity and flexible sizing, including volumes as small as 1 GiB.

Conclusion

Over the past two weeks, Microsoft has introduced a slew of updates and announcements pertaining to Azure Infrastructure as a Service (IaaS) and Azure Local. These developments underscore the tech giant’s unwavering commitment to enhancing its cloud offerings and adapting to the ever-evolving needs of businesses and developers. Users of Azure can anticipate improved functionalities, streamlined services, and enriched features as a result of these changes. Stay tuned for more insights as I continue to monitor and report on Azure’s progression in the cloud sphere.

Azure Hybrid Management & Security: What’s New and Insights from the Field – January 2025

Once again this month, I’m back with my recurring series focused on the evolution of Azure management and security services, with a special focus on hybrid and multicloud scenarios enabled by Azure Arc and enhanced by the use of Artificial Intelligence.

This monthly series aims to:

  • Provide an overview of the most relevant updates released by Microsoft;

  • Share operational tips and field-proven best practices to help architects and IT leaders manage complex and distributed environments more effectively;

  • Follow the evolution towards a centralized, proactive, and AI-driven management model, in line with Microsoft’s vision of AI-powered Management.

The main areas addressed in this series, together with the corresponding tools and services, are described in this article.

Security posture across hybrid and multicloud infrastructures

Microsoft Defender for Cloud

Update to the CIEM recommendations logic

In the context of the retirement of Microsoft Entra Permissions Management, Microsoft Defender for Cloud is updating the logic behind CIEM recommendations across Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP), with the goal of improving accuracy and reducing noise in alerts. Among the key changes: the identification of inactive identities is now based on unused role assignments (rather than sign-in activity), the observation window is extended to 90 days (previously 45), and identities created within the last 90 days are not evaluated as inactive. Operationally, this update tends to make recommendations better aligned with actual risk, but it may also change the number and types of findings visible across multicloud tenants.
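To see why the set of findings can shift, the two rule sets can be compared side by side. This is an added example, not Defender for Cloud's implementation: the record fields, the reference date and the reading that an identity is inactive when none of its role assignments was used inside the window are assumptions, and the identities are constructed.

```python
"""Added example: previous vs. updated CIEM inactivity logic on sample identities.

Not Defender for Cloud code. Field names and the "all assignments unused"
interpretation are assumptions; the 45/90-day windows come from the text above.
"""
from datetime import date, timedelta

OLD_WINDOW_DAYS = 45
NEW_WINDOW_DAYS = 90
TODAY = date(2026, 1, 31)  # constructed reference date


def inactive_old(identity, today=TODAY):
    """Previous logic: no sign-in inside the 45-day window."""
    cutoff = today - timedelta(days=OLD_WINDOW_DAYS)
    last = identity["last_sign_in"]
    return last is None or last < cutoff


def inactive_new(identity, today=TODAY):
    """Updated logic: role assignments unused for 90 days, new identities skipped."""
    cutoff = today - timedelta(days=NEW_WINDOW_DAYS)
    if identity["created"] > cutoff:
        return False  # created within the last 90 days: not evaluated
    assignments = identity["role_assignments"]
    if not assignments:
        return False  # assumption: nothing assigned means nothing to flag
    return all(a["last_used"] is None or a["last_used"] < cutoff
               for a in assignments)


def days_ago(n):
    return TODAY - timedelta(days=n)


# Constructed identities covering the cases where the two rule sets disagree.
IDENTITIES = [
    {   # signs in regularly but never exercises its role
        "name": "svc-backup", "created": days_ago(600),
        "last_sign_in": days_ago(10),
        "role_assignments": [{"role": "Contributor", "last_used": days_ago(200)}],
    },
    {   # quiet for 60 days: outside the old window, inside the new one
        "name": "alice", "created": days_ago(900),
        "last_sign_in": days_ago(60),
        "role_assignments": [{"role": "Reader", "last_used": days_ago(60)}],
    },
    {   # created a month ago and not yet used
        "name": "ci-deployer", "created": days_ago(30),
        "last_sign_in": None,
        "role_assignments": [{"role": "Owner", "last_used": None}],
    },
    {   # dormant under either rule set
        "name": "old-admin", "created": days_ago(1200),
        "last_sign_in": days_ago(300),
        "role_assignments": [{"role": "Owner", "last_used": days_ago(300)}],
    },
]


def compare(identities=IDENTITIES):
    """Return {name: (flagged by old logic, flagged by new logic)}."""
    return {i["name"]: (inactive_old(i), inactive_new(i)) for i in identities}


def changed_findings(identities=IDENTITIES):
    """Names whose finding appears or disappears under the updated logic."""
    return sorted(n for n, (old, new) in compare(identities).items() if old != new)


if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:12} old={old!s:5} new={new}")
    print("changed:", changed_findings())
```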

AWS CloudTrail ingestion (preview)

In preview, ingestion of AWS CloudTrail management events into Microsoft Defender for Cloud is now available. By enabling collection, Defender for Cloud enriches Cloud Infrastructure Entitlement Management (CIEM) analytics by including observed activity (management events) alongside the entitlement signals already available (for example, Access Advisor data). This additional usage context helps make security recommendations in Amazon Web Services (AWS) more accurate, improving the identification of unused permissions, dormant identities, and potential privilege escalation paths. The feature supports both individual AWS accounts and AWS Organizations with centralized logging, simplifying adoption in multi-account organizations.

Microsoft Security Private Link (preview)

Microsoft Defender for Cloud introduces Microsoft Security Private Link in preview, with the goal of enabling private connectivity between the security platform and protected workloads. The integration is implemented by creating private endpoints within the Virtual Network, so that traffic to Defender services remains on Microsoft’s backbone network, avoiding exposure on the public Internet and reducing the attack surface associated with public endpoints. At this stage, private endpoint support is available for the Defender for Containers plan, making it particularly interesting for Kubernetes clusters in “network-restricted” environments with controlled egress requirements.

Integration with Endor Labs

The integration between Microsoft Defender for Cloud and Endor Labs is now generally available (GA). This enhancement strengthens vulnerability analysis by introducing a reachability-based Software Composition Analysis (SCA) approach, which highlights vulnerabilities that could actually be exploitable along the “from code to runtime” path. In practice, the integration helps teams prioritize remediation more effectively, distinguishing what is merely “present” in libraries or dependencies from what is truly reachable and exploitable in running applications—reducing operational overhead and improving triage quality.

Cloud posture management adds serverless protection for Azure and AWS (preview)

Microsoft Defender for Cloud is extending, in preview, the capabilities of the Defender Cloud Security Posture Management (CSPM) plan to serverless workloads in Azure and Amazon Web Services (AWS), both in the Azure portal and in the Defender portal. This capability introduces automatic discovery and security posture assessment for components such as Azure Functions, Azure Web Apps, and AWS Lambda, providing centralized inventory and recommendations for misconfigurations, vulnerabilities, and insecure dependencies. This is a significant step for modern event-driven and microservices scenarios, where the traditional perimeter is more blurred and governance requires continuous visibility and consistent controls even for non-server-based resources.

Conclusions

This month’s updates focus on Microsoft Defender for Cloud and confirm a very clear direction: improving signal quality, expanding multicloud coverage, and reducing operational friction—especially in hybrid and distributed environments. The update to CIEM (Cloud Infrastructure Entitlement Management) recommendations logic goes exactly in this direction, making the identification of inactive identities and unused permissions more reliable thanks to a broader observation window and criteria that better reflect real usage. On the AWS side, ingestion of CloudTrail management events (preview) adds valuable context to refine analytics and more accurately identify escalation paths and unnecessary privileges, while the introduction of Microsoft Security Private Link (preview) opens up interesting scenarios for those who must operate in “network-restricted” environments with strict egress requirements and a need to minimize public exposure. Finally, the Endor Labs integration reaching GA and the extension of CSPM to serverless workloads (preview) highlight the evolution toward an increasingly “code-to-cloud” security posture—better able to prioritize remediation and to ensure visibility and governance even in modern event-driven models.

Azure IaaS and Azure Local: announcements and updates (January 2026 – Weeks: 03 and 04)


Azure

General

Microsoft named a Leader in IDC MarketScape for Unified AI Governance Platforms

Microsoft has been named a Leader in the 2025–2026 IDC MarketScape: Worldwide Unified AI Governance Platforms vendor assessment (Doc #US53514825, December 2025), reflecting the growing need for centralized governance as organizations adopt generative and agentic AI across multicloud and hybrid environments. Microsoft positioned this recognition as validation of its focus on delivering enterprise-ready governance that balances innovation speed with trust, transparency, and compliance, especially as regulatory scrutiny and operational risk concerns increase. In Microsoft’s approach, governance is anchored to its Responsible AI standard and is operationalized through integrated capabilities spanning model lifecycle management, observability, security, and compliance. Microsoft highlighted Microsoft Foundry as a primary control point for model development, evaluation, deployment, and monitoring—supported by curated model catalogs, machine learning operations (MLOps), robust evaluation, and embedded content safety guardrails—while emphasizing deep security integration via Microsoft Purview for data governance and compliance, Microsoft Entra for agent identity and access controls, and Microsoft Defender for AI-specific posture management and runtime threat protection. Microsoft also noted that Microsoft Purview Compliance Manager supports automated alignment to a broad set of regulatory frameworks, reinforced by granular audit logging and automated documentation to strengthen governance and forensic readiness in regulated industries.

Networking

StandardV2 NAT Gateway with zone-redundancy and StandardV2 public IPs

The StandardV2 SKU for Azure NAT Gateway is now Generally Available (GA), providing enhanced resiliency, higher performance, and dual-stack connectivity at the same price point as the Standard SKU. Alongside this release, StandardV2 Public IP addresses and public IP prefixes are also now generally available. StandardV2 NAT Gateway requires StandardV2 public IPs and does not support Standard SKU public IPs. With StandardV2, outbound connectivity is improved through zone redundancy, which automatically preserves outbound access during a single availability zone failure in zone-enabled regions. The new SKU also doubles capacity versus Standard, delivering up to 100 Gbps throughput and 10 million packets per second, and introduces dual-stack capabilities by allowing attachment of up to 16 IPv6 and 16 IPv4 public IP addresses. In addition, flow logs provide IP-level traffic insights to support troubleshooting activities and compliance verification.

Storage

Azure File Sync now available in Israel Central

Azure File Sync is now available in the Israel Central region, bringing the service closer to organizations that require lower latency, improved performance, and support for local data residency requirements. Azure File Sync enables hybrid file services by tiering data from on-premises Windows Servers into Azure Files, supporting both migration scenarios and ongoing hybrid operations. This approach allows customers to retain the compatibility and performance characteristics of on-premises file servers while leveraging the scalability and operational model of Azure Files.

User delegation SAS for Azure Tables, Azure Files, and Azure Queues (preview)

User delegation Shared Access Signature (SAS) for Azure Tables, Azure Files, and Azure Queues is now available in Public Preview, extending a capability that is already generally available for Azure Blob Storage. User delegation SAS enables a more secure authorization approach than account SAS or service SAS by binding the SAS token to the delegating identity, enabling stronger governance and reduced key exposure. With this extension, customers can issue SAS tokens at multiple granularities—including the table, table entity, queue, queue entity, file container, and individual file level—where higher-scope tokens provide access to all entities within scope, and lower-scope tokens restrict access to the specific entity. Microsoft notes that there is no additional charge to use user delegation SAS, and billing follows the standard read/write transaction pricing for the underlying storage account type.

Azure Local

Features and improvements in 2601

Microsoft has released the January 2026 update for hyperconverged deployments of Azure Local, identified as version 12.2601.1002.38. This release includes general reliability improvements and bug fixes, and it also introduces notable enhancements across operating system alignment, portal visibility, VM operations, security posture, and lifecycle validation capabilities.

From 2601 onward, all new and existing Azure Local deployments run the updated OS version 26100.32230, which is available for download from the Azure portal. Deployments also require a driver compatible with OS version 26100.32230 (or Windows Server 2025). For Integrated System or Premier solution hardware sourced via the Azure Local Catalog, the OS is preinstalled, and Microsoft recommends working with the Original Equipment Manufacturer (OEM) to obtain a compatible OS image and driver. The build continues to use .NET 8.0.22 for both .NET Runtime and ASP.NET Core.

Operationally, the infrastructure logical network created during Azure Local deployment is now surfaced in the Azure portal, enabling administrators to review the infrastructure network configuration while also reducing the risk of accidental workload provisioning on a network reserved for Azure Local infrastructure. In addition, VM Connect for Azure Local VMs (preview) is introduced, allowing administrators to connect to Windows and Linux VMs even when network connectivity is unavailable or when the VM experiences boot failures. Disk manageability also improves with a new Unique ID property for data disks, aligning with the disk UniqueId exposed via PowerShell (Get-Disk).

On resiliency, rack aware clustering is now Generally Available (GA), enabling administrators to define local availability zones aligned to physical racks in the datacenter and improving cluster resilience against rack-level failures. Supportability is enhanced through diagnostics log collection directly from the Azure portal, removing the need to manually gather logs from individual nodes during support investigations.

For configuration control and drift management, the release adds a Drift Detection framework for Azure PowerShell modules and Azure Command-line Interface (CLI), continuously validating component-level state against an approved baseline and identifying version mismatches during deployment and runtime. Administrators can also manually trigger validation with the Invoke-AzStackHciVSRDriftDetectionValidation cmdlet to produce detailed drift reports.

Security posture also evolves in this release: Azure Local instances deployed prior to 2504 now transition from Static Root of Trust for Measurement (SRTM) to Dynamic Root of Trust for Measurement (DRTM), enabling stronger defenses against firmware-level attacks (with new deployments since 2504 already having DRTM enabled by default). Additionally, customers upgrading an existing deployment can apply the 26100.XXXX (24H2) security baseline using new cmdlets to align the post-upgrade security posture with newly deployed systems. Finally, the upgrade process includes a new pre-upgrade CredSSP validation check to ensure CredSSP is not disabled, reducing the risk of upgrade failures.


Azure IaaS and Azure Local: announcements and updates (January 2026 – Weeks: 01 and 02)


Azure

General

Microsoft’s strategic AI datacenter planning for large-scale NVIDIA Rubin deployments

Microsoft stated that its long-range Azure datacenter strategy has been designed to enable seamless, large-scale deployment of NVIDIA’s Rubin platform, highlighted around CES 2026. The company explained that Azure’s next-generation AI datacenters and “superfactory” sites—such as its Fairwater locations in Wisconsin and Atlanta—were engineered in advance to accommodate next-gen rack-scale systems like NVIDIA Vera Rubin NVL72, including anticipated requirements for power delivery, cooling/thermal envelopes, memory density, and high-performance networking. Microsoft also emphasized a “systems approach,” where compute, networking, storage, and orchestration are tuned together to maximize utilization at massive cluster scale, with the goal of bringing new NVIDIA generations online quickly and efficiently as they become available.

Cloud-native apps on Kubernetes pricing calculator scenario

Microsoft has introduced a new cloud-native apps on Kubernetes scenario in the Azure pricing calculator to help teams estimate the Total Cost of Ownership (TCO) for a production-ready Azure Kubernetes Service (AKS) cluster. The scenario includes an architecture diagram and a detailed cost estimate that can be customized through workload-specific inputs, and it accounts for common supporting services such as Azure Container Registry (ACR), Azure monitoring capabilities (for example, Azure Monitor), and Microsoft Defender for Cloud. This addition is intended to support both legacy workload migrations and new application deployments—including microservices, web applications, artificial intelligence (AI), graphics processing unit (GPU) workloads, and databases—by providing a clearer baseline for planning and comparison.

Storage

Azure Premium SSD v2 Disk is now available in Austria East and in a second Availability Zone in Japan West

Azure Premium SSD v2 Disk is now available in the Austria East region and in a second Availability Zone (AZ) in Japan West, further expanding regional and zonal options for customers deploying IO-intensive workloads. Premium SSD v2 is positioned as a next-generation, general-purpose block storage offering that delivers sub-millisecond latency and strong price-performance characteristics for demanding production scenarios. It is designed to support a broad set of enterprise workloads—such as SQL Server, Oracle, MariaDB, SAP, Cassandra, MongoDB, big data/analytics, and gaming—running on Azure virtual machines or stateful containerized environments.

Azure Local

Features and improvements in 2512

Microsoft has released the December 2025 update for hyperconverged deployments of Azure Local, identified as version 12.2512.1002.16. This release includes general reliability improvements and bug fixes, and it also introduces several platform updates across operating system, deployment authentication, and Kubernetes/GPU support. From 2512 onward, all new and existing Azure Local deployments run the updated OS version 26100.7462 (following the new OS introduced in release 2504), and the 2512 OS image is available from the Azure portal. Microsoft notes that deployments require a driver compatible with OS version 26100.7462 (or Windows Server 2025); if such a driver is not available, customers can use the 2503 image. For Integrated System or Premier solution hardware purchased from the Azure Local Catalog through Microsoft hardware partners, the OS is preinstalled, and Microsoft recommends working with the Original Equipment Manufacturer (OEM) to obtain an OS image compatible with build 12.2512.1002.16 and appropriate drivers for OS 26100.7462 or Windows Server 2025.

This build also standardizes on .NET 8.0.22 for both .NET Runtime and ASP.NET Core. In addition, Azure Local deployment now supports simplified cluster registration by removing the requirement for a Service Principal Name (Microsoft Entra ID app) with a self-signed certificate; instead, the cluster uses a system-assigned managed identity (SMI) to authenticate to Azure during deployment through the Azure portal. Finally, in Public Preview, Azure Local now supports NVIDIA L-series GPUs on Azure Kubernetes Service (AKS) enabled by Azure Arc, enabling GPU-accelerated workloads on AKS clusters running on Azure Local with NVIDIA L-series hardware. The release also includes documentation updates, including newly published guidance for SDN upgrade infrastructure and removal of Azure Stack HCI renaming banners from feature overview articles to align with updated Azure portal experiences.


Azure IaaS and Azure Local: announcements and updates (December 2025 – Weeks: 51 and 52)


Azure

General

Microsoft named a Leader in the 2025 Gartner® Magic Quadrant™ for AI Application Development Platforms

Microsoft has been recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for Artificial Intelligence (AI) Application Development Platforms, and the company reports it is positioned furthest for Completeness of Vision. Microsoft attributes this recognition to a focus on building production-ready, agentic applications that are grounded in enterprise data and tools, integrated into real business workflows, and governed with end-to-end observability. According to Microsoft, Microsoft Foundry is its unified platform for building, deploying, and governing AI applications, with emphasis on four pillars: secure grounding to enterprise data and tools (including Foundry IQ and Foundry Tools with a large set of connectors), multi-agent orchestration and workflow execution via Foundry Agent Service, organization-wide visibility and policy enforcement through Foundry Control Plane, and the ability to build and run models from cloud to edge using Foundry Models and Foundry Local. Microsoft also highlights deep integration with common developer and productivity tooling such as Visual Studio Code, GitHub, Azure, and Microsoft 365 to support building and operating AI applications at enterprise scale.

Storage

Azure NetApp Files cross-zone-region replication (CZRR)

Azure NetApp Files (ANF) cross-zone-region replication (CZRR) extends the existing cross-region replication and cross-zone replication capabilities by enabling volume replication both across regions and across Availability Zones within the same region. This combined approach helps organizations strengthen disaster recovery and business continuity for critical cloud volumes. To set up protection, two protection volumes are established by creating the appropriate replication relationships—such as one cross-zone replication relationship and one cross-region replication relationship, two cross-region replication relationships, or two cross-zone replication relationships—while ensuring the source volume is placed in an Availability Zone when configuring a cross-zone replication relationship.

Azure NetApp Files advanced ransomware protection (preview)

Azure NetApp Files (ANF) advanced ransomware protection (ARP) is available in Public Preview and is designed to help organizations proactively detect, respond to, and recover from ransomware threats affecting cloud volumes. The feature monitors Azure NetApp Files volumes for suspicious behavior using file extension profiling, entropy analysis, and Input/Output Operations Per Second (IOPS) patterns. When potential ransomware activity is detected, the system automatically creates a point-in-time snapshot to support rapid assessment and recovery. Notifications are delivered through the Azure Activity log, and attack reports are retained for 30 days. The capability is available in Public Preview in all regions, and while there is no specific additional charge for ANF ARP, deployment sizing should account for the considerations required to support the feature.

Azure Storage Mover: Azure Blob container-to-container migration (preview)

Azure Storage Mover has introduced Azure Blob container-to-container migration in Public Preview, enabling organizations to move data between two Blob containers within the same or different storage accounts, subscriptions, or Azure regions in a secure and scalable way. With this capability, customers can reduce reliance on custom pipelines or third-party tools by automating cloud-to-cloud migrations directly from the Azure portal, while also gaining real-time visibility into migration jobs and progress. As a fully managed service, Azure Storage Mover handles the underlying infrastructure, scaling, and reliability to lower operational overhead, and—because it is a cloud-to-cloud scenario—no agent deployment is required. The feature also supports high-speed, parallel transfers, helping accelerate large dataset migrations, especially when moving data across regions or between storage accounts where high throughput is required.


Azure IaaS and Azure Local: announcements and updates (December 2025 – Weeks: 49 and 50)

This blog post series highlights the key announcements and major updates related to Azure Infrastructure as a Service (IaaS) and Azure Local, as officially released by Microsoft in the past two weeks.

Azure

General

Perth Azure Extended Zone

Microsoft has announced the General Availability (GA) of the Perth Azure Extended Zone. Azure Extended Zones are small-footprint extensions of Azure placed in metro areas, industry hubs, or specific jurisdictions to support low-latency and data residency workloads. They offer a selection of services across virtual machines (VMs), containers, networking, storage, and other Azure capabilities, enabling latency-sensitive and throughput-intensive applications to run closer to end users while staying within data residency boundaries.

Networking

Default outbound access retirement date extended to March 31, 2026

Microsoft has extended the retirement date for default outbound access to March 31, 2026, replacing the previously communicated September 30, 2025 deadline and aligning the change with the broader Azure Virtual Network (VNet) updates. Starting on March 31, 2026, newly created VNets will default to using private subnets, meaning customers must configure explicit outbound connectivity (for example, through Azure NAT Gateway, User Defined Routes (UDR), or other outbound methods) to reach public internet endpoints or Microsoft services. Default outbound access will be disabled by default (but not removed), and environments that do not implement an outbound method may lose internet connectivity—particularly impacting Azure Batch pools and nodes configured with simplified node communication without public IP addresses. Microsoft recommends reviewing current Batch pool configurations and planning the deployment of an explicit outbound method ahead of the March 2026 deadline.

FIPS compliant mode for Application Gateway V2 SKUs

Azure Application Gateway v2 now supports Federal Information Processing Standard (FIPS) 140-2 mode, a US government standard that defines minimum security requirements for cryptographic modules in IT products and systems. FIPS mode can be enabled during deployment or at any time afterward; when enabled, the gateway uses only FIPS-compliant Transport Layer Security (TLS) policies (both predefined and custom), strengthening cryptographic posture and helping organizations meet security and compliance expectations such as those associated with the Federal Risk and Authorization Management Program (FedRAMP).

Azure Load Balancer bandwidth metrics now support Protocol dimension

Bandwidth metrics for Azure Load Balancer are now published with the metric dimension Protocol, providing more granular visibility into traffic characteristics. When viewing or retrieving Byte, Packet, and SYN Count metrics in the Azure portal, users can now filter and analyze results by protocol, where Transmission Control Protocol (TCP) traffic is identified as Protocol=6 and User Datagram Protocol (UDP) traffic as Protocol=17. This added dimension improves alerting, monitoring, and troubleshooting by making it easier to differentiate traffic patterns, and it is available across all Azure public regions, China cloud regions, and Government cloud regions.

Storage

Zonal placement for Azure file shares in Azure Files Premium LRS in select regions

Zonal placement for Azure Files Premium Locally Redundant Storage (LRS) is now Generally Available (GA) in select regions, providing explicit control over zone locality by pinning storage accounts to a specific availability zone. This capability helps customers build more resilient architectures with improved fault isolation and more predictable low-latency performance for mission-critical workloads. By aligning compute and storage within the same zone, deployments can achieve 10–40% lower latency compared to cross-zone configurations, while also enabling more consistent zone-aware design for higher availability.

Azure Blob Storage Secure File Transfer Protocol (SFTP) – Resumable Uploads

Resumable uploads for Azure Blob Storage Secure File Transfer Protocol (SFTP) are now Generally Available (GA). This feature allows users to resume file uploads from the point of failure after a partial transfer interruption by reopening the partially uploaded file and continuing to write the remaining content. The capability helps optimize transfer time and conserve network bandwidth, especially in environments with unreliable connectivity or when moving large datasets such as multimedia or seismic files. Azure Blob Storage SFTP supports multiple transfer modes for this feature—Write, Write + Create, and Append—to enable resuming uploads by continuing from a specific offset, creating the file if it does not exist, or appending data to the end of an existing file.

Azure Local

Azure Local: Features and improvements in 2511

Microsoft has released the November 2025 update for hyperconverged deployments of Azure Local, identified as version 12.2511.1002.502. Starting with release 2511, both new and existing Azure Local deployments run on the new Operating System (OS) version 26100.7171, introduced with the 2504 release, and the 2511 OS image is available for download from the Azure portal. Microsoft notes that deployments also require a driver compatible with OS version 26100.7171 (or Windows Server 2025); if a compatible driver is not available, customers can use the 2503 image. For customers who purchased Integrated System or Premier solution hardware from the Azure Local Catalog via a Microsoft hardware partner, the OS is expected to be preinstalled, and Microsoft recommends working with the Original Equipment Manufacturer (OEM) to obtain an OS image compatible with build 12.2511.1002.502 and a driver compatible with OS version 26100.7171 or Windows Server 2025. Build 12.2511.1002.502 also improves the reliability of deployment and update administrative actions, and both 12.2511.1002.5 and 12.2511.1002.502 remain supported (with no additional action required for environments already on 12.2511.1002.5). In addition, the release updates the platform to .NET 8.0.22 for both .NET Runtime and ASP.NET Core, and includes broader reliability improvements and bug fixes.
