This blog post series highlights the key announcements and major updates related to Azure Infrastructure as a Service (IaaS) and Azure Local, as officially released by Microsoft in the past two weeks.
Azure
General
CISPE Secures Landmark Licensing Reform in Agreement with Microsoft
CISPE (Cloud Infrastructure Services Providers in Europe) has reached a landmark agreement with Microsoft that introduces significant licensing reforms for Microsoft software running on CISPE member infrastructure. As part of this agreement, Microsoft will allow qualified CISPE members to offer Microsoft software—such as Windows Server and SQL Server—on a pay-as-you-go basis through the CSP-Hoster (CSP-H) program, aligning pricing more closely with that of Microsoft Azure.
This agreement delivers multiple benefits. CISPE members gain access to competitive Pay-As-You-Go licensing models, enhancing flexibility and cost-effectiveness for customers. It also supports digital sovereignty by enabling deployment of Microsoft 365 Local on European cloud infrastructure—pending general availability within Microsoft’s Cloud Solution Program. A major privacy improvement allows CISPE members to host Microsoft workloads without disclosing customer data to Microsoft, addressing long-standing concerns about data sovereignty and vendor neutrality.
The agreement applies to current CISPE members and is also open to eligible European cloud providers that join CISPE in the near future. Microsoft has committed to reviewing the program after one year, with a view to expanding access further—excluding hyperscale cloud providers designated as “Listed Providers” in order to protect competition and support innovation in the European cloud ecosystem.
Microsoft Azure Cloud HSM
Azure Cloud HSM is now generally available, offering a FIPS 140-3 Level 3 certified, highly available, single-tenant Hardware Security Module (HSM) service. Designed to meet the highest security and compliance standards, Azure Cloud HSM gives customers full administrative control over their HSMs, enabling secure cryptographic key management and operations within dedicated Cloud HSM clusters. It supports key cryptographic libraries such as PKCS#11, OpenSSL, and JCE, making it ideal for workloads like Apache/Nginx SSL offload, SQL Server or Oracle TDE, and ADCS hosted on Azure VMs. The solution also supports certificate storage with private keys via PKCS#11 and allows for secure document and code signing. As the successor to Azure Dedicated HSM, this new service provides improved support for general-purpose scenarios requiring isolated and secure key management. Microsoft plans to expand availability across Public, US Gov, and Sovereign Clouds.
Modernizing Azure Resource Manager Throttling for Sovereign Clouds (preview)
Microsoft has announced the public preview of its updated throttling model for Azure Resource Manager (ARM) in sovereign clouds. This update is part of a broader modernization effort aimed at achieving parity between public and sovereign cloud environments by the end of 2026. The revised throttling model brings consistent limits and architecture across all Azure deployments, enhancing operational reliability and simplifying cross-environment workloads. As previously communicated in 2024, the new throttling configuration delivers substantial improvements, including a 30x increase in write limits, a 2.4x increase for deletes, and a 7.5x increase in read operations, greatly improving performance and scalability for ARM users.
Networking
Azure Firewall now supports ingestion-time transformation in Log Analytics
Azure Firewall has introduced support for ingestion-time transformation in Log Analytics, a feature now generally available. This capability allows organizations to filter and transform logs before they are ingested into Log Analytics, offering a flexible and cost-effective logging strategy. The benefits are substantial: security teams can log only suspicious or critical traffic for more effective threat detection; storage costs are reduced by avoiding unnecessary log ingestion; compliance requirements can be met by routing logs through Data Collection Rules (DCRs); and incident response is accelerated through streamlined access to relevant logs. Additionally, users can create customized dashboards and alerts in Azure Monitor, enhancing visibility and control over network activity.
ExpressRoute – Auto-assigned Public IP for ExpressRoute Gateways
Microsoft has introduced a simplification in the deployment of ExpressRoute Virtual Network Gateways: all newly created gateways will now use auto-assigned Public IP addresses. This change eliminates the need for customers to manually assign Public IPs during configuration, streamlining the setup process and reducing operational overhead. The new model enhances deployment consistency across different gateway types. It’s important to note that existing ExpressRoute gateways will remain unaffected by this update.
Web Application Firewall on Application Gateway for Containers (preview)
Azure has introduced Web Application Firewall (WAF) support for Application Gateway for Containers in public preview. Application Gateway for Containers is the next-generation layer 7 load balancing solution for workloads running in Kubernetes clusters, combining the capabilities of Application Gateway and Application Gateway Ingress Controller. With WAF integration, users can now protect their containerized applications from common web vulnerabilities such as SQL injection, cross-site scripting, and protocol anomalies. The solution includes Azure-managed Default Rulesets (DRS), offering protection based on OWASP standards and Microsoft’s Threat Intelligence Center (MSTIC). Additional features include bot protection through bot manager rulesets and rate-limiting custom rules to mitigate DDoS attacks, delivering enterprise-grade security for modern containerized environments.
Storage
AZNFS (3.0) for BlobNFS with FUSE for superior performance (preview)
Microsoft has released the public preview of AZNFS (3.0) for BlobNFS, offering a major upgrade for customers utilizing Azure Blob Storage with native NFSv3 access. The new version leverages the libfuse3 library—also used by BlobFuse—to bring substantial performance and scalability improvements. With this update, users benefit from higher throughput, support for larger files, enhanced metadata performance, and the removal of user group limits. These enhancements make AZNFS (3.0) particularly well-suited for performance-intensive, POSIX-compliant workloads on Linux systems that require consistent and reliable access to Blob Storage using the NFS protocol.
Azure Local
Version 2507 Release: Security Updates and Fixes
Microsoft has released version 2507 of Azure Local, delivering two targeted security updates tied to specific OS builds. The release also addresses several key issues reported in earlier builds. Fixes include resolution of a solution update failure caused by an exception in the ComposedImageUpdate role, and clarification for Azure Government cloud users where the upgrade banner is shown but the environment checker incorrectly flags lack of support. Another critical fix resolves an issue where, during VM deployment, the absence of a specified storage path would cause all resources to be placed on the first available path—potentially leading to disk space exhaustion and deployment failures over time.
End of Support Reminder: Azure Stack HCI Version 23H2
Microsoft has announced that Azure Stack HCI version 23H2 will reach end of support on October 31, 2025. Currently, Azure Local supports two active OS versions: 25398.xxx and 26100.xxx. With update 2510, systems running the 25398.x OS will automatically be upgraded to the latest 26100.x build. For deployments already based on 26100.x, the update will be applied as a feature upgrade. Organizations using Azure Local should plan accordingly to ensure ongoing support, security, and access to new features beyond the 23H2 lifecycle.
Software Defined Networking (SDN) enabled by Azure Arc on Azure Local (preview)
Microsoft has announced the public preview of Software Defined Networking (SDN) enabled by Azure Arc, now available starting with Azure Local version 2506. This release brings native Azure-style network security and control to on-premises infrastructure through Azure Arc integration. Customers can now define and manage Logical Networks, Network Interfaces, and Network Security Groups (NSGs) from the Azure control plane using the Azure Portal, CLI, or ARM templates.
Key capabilities include the ability to deploy VLAN-backed logical networks, assign static or dynamic IP addresses to virtual machines, and enforce granular traffic control policies via NSGs. NSGs can be applied both at the VLAN level and directly to VM network interfaces, using complete 5-tuple rules (source/destination IP, port, and protocol). Default network policies can also be applied during VM creation to secure workloads with predefined rules for inbound and outbound traffic.
This SDN solution is powered by the Network Controller running on Azure Local infrastructure and eliminates the need for dedicated SDN controller VMs by running as a Failover Cluster service. While advanced features such as virtual networks (vNETs), Software Load Balancers (SLBs), and Gateways are not yet supported in this preview, customers can continue to rely on traditional SDN management tools—like SDN Express and Windows Admin Center—if they require those functionalities. Notably, only one SDN management model (Azure Arc or on-premises tools) can be used per environment.
Microsoft 365 Local: New Sovereign Offering with Azure Local Foundation
Microsoft has unveiled a new sovereign solution for regulated and high-compliance environments: Microsoft 365 Local, a “Private Cloud” variant built on Azure Local infrastructure. This solution enables customers to deploy Microsoft productivity workloads such as Exchange Server and SharePoint Server directly in their own datacenters or sovereign cloud regions. With full control over security, compliance, and governance, Microsoft 365 Local extends trusted productivity experiences to environments where data residency and isolation are essential. While specific technical details are still forthcoming, this initiative marks a significant step forward in supporting sovereign cloud strategies globally.
Conclusion
Over the past two weeks, Microsoft has introduced a slew of updates and announcements pertaining to Azure Infrastructure as a Service (IaaS) and Azure Local. These developments underscore the tech giant’s unwavering commitment to enhancing its cloud offerings and adapting to the ever-evolving needs of businesses and developers. Users of Azure can anticipate improved functionalities, streamlined services, and enriched features as a result of these changes. Stay tuned for more insights as I continue to monitor and report on Azure’s progression in the cloud sphere.
