Azure IaaS and Azure Local: announcements and updates (November 2025 – Weeks: 45 and 46)

This blog post series highlights the key announcements and major updates related to Azure Infrastructure as a Service (IaaS) and Azure Local, as officially released by Microsoft in the past two weeks.

Azure

General

Azure MCP Server

Azure MCP Server is now generally available, bringing the power of the cloud directly into agent-based and AI-driven workflows while redefining how developers interact with Azure. Built on the Model Context Protocol (MCP), it establishes a secure, standards-based bridge between Azure services—such as Azure Kubernetes Service (AKS), Azure Container Apps (ACA), App Service, Cosmos DB, Azure SQL, Azure AI Foundry, and Microsoft Fabric—and AI-powered tools like GitHub Copilot. By enabling agents to securely access and operate on these services, Azure MCP Server helps eliminate context switching, streamline development and operations tasks, and accelerate innovation. At the same time, it is designed with enterprise-grade security and scalability in mind, allowing organizations to confidently integrate AI-driven automation into their Azure environments.

Networking

Three important updates for Azure Virtual Network Manager

Azure Virtual Network Manager (AVNM) is now enriched with three generally available capabilities designed to enhance governance, automation, and compliance at scale. First, the new UseExisting mode for User-Defined Route (UDR) management allows AVNM to detect and append only the necessary routes to an existing route table associated with a subnet, preserving the original route table’s name, resource group, and tags. If no route table is present, AVNM continues to create and manage one as before. This gives customers the flexibility to retain ownership of routing configurations while benefiting from centralized automation. Second, the IP Address Management (IPAM) Pool Association Recommendation feature automatically identifies all virtual networks within an AVNM scope that are not associated with an IPAM pool and recommends the most suitable pool based on longest-prefix matching. Administrators can then bulk associate these virtual networks directly from the Azure portal, reducing manual effort and minimizing address-space conflicts. Third, peering compliance introduces protection for virtual network peerings managed through AVNM topology by preventing unauthorized changes or deletions outside AVNM. Key peering properties can only be modified via AVNM connectivity configurations, ensuring cons
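The IPAM pool recommendation described above is based on longest-prefix matching: for each virtual network with no pool association, the pool whose address range covers the VNet's address space with the most specific prefix is the one recommended. The following Python script is an added, constructed illustration of that selection logic and is not AVNM's own code; the pool and VNet address spaces are invented sample data, and the rule that a VNet with several address spaces is only recommended when one pool wins for all of them is an assumption made here for the example.

```python
"""
Illustrative longest-prefix-match pool recommendation (constructed example,
not AVNM code). Each IPAM pool is a set of CIDR prefixes; for every virtual
network not yet associated with a pool, pick the pool whose prefix fully
contains the VNet's address space with the longest (most specific) prefix.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample data: hypothetical IPAM pools and their address spaces.
POOLS: Dict[str, List[str]] = {
    "corp-pool":   ["10.0.0.0/8"],
    "eastus-pool": ["10.1.0.0/16", "10.2.0.0/16"],
    "eastus-prod": ["10.1.0.0/20"],
    "westeu-pool": ["172.16.0.0/12"],
}

# Constructed sample VNets (name -> address spaces) with no pool association.
UNASSOCIATED_VNETS: Dict[str, List[str]] = {
    "vnet-prod-db":    ["10.1.4.0/24"],                  # covered by /8, /16 and /20; /20 wins
    "vnet-eastus-app": ["10.2.8.0/22"],                  # eastus-pool /16 beats corp-pool /8
    "vnet-westeu":     ["172.16.50.0/24"],               # only westeu-pool covers it
    "vnet-multi":      ["10.1.0.0/22", "10.2.0.0/22"],   # spaces resolve to different pools
    "vnet-orphan":     ["192.168.0.0/24"],               # no pool covers it
}


def best_pool_for_prefix(prefix: str, pools: Dict[str, List[str]]) -> Optional[Tuple[str, int]]:
    """Return (pool_name, prefixlen) of the most specific pool prefix that
    fully contains `prefix`, or None if no pool covers it."""
    net = ipaddress.ip_network(prefix, strict=True)
    best: Optional[Tuple[str, int]] = None
    for pool, cidrs in pools.items():
        for cidr in cidrs:
            candidate = ipaddress.ip_network(cidr, strict=True)
            if candidate.version != net.version:
                continue  # never compare IPv4 against IPv6 ranges
            if net.subnet_of(candidate):
                if best is None or candidate.prefixlen > best[1]:
                    best = (pool, candidate.prefixlen)
    return best


def recommend_pool(vnet_spaces: List[str], pools: Dict[str, List[str]]) -> Optional[str]:
    """A VNet may carry several address spaces. Assumption for this example:
    recommend a pool only when a single pool is the longest-prefix match for
    every space; otherwise return None so an operator reviews it manually."""
    chosen = set()
    for space in vnet_spaces:
        match = best_pool_for_prefix(space, pools)
        if match is None:
            return None
        chosen.add(match[0])
    return chosen.pop() if len(chosen) == 1 else None


def recommend_all(vnets: Dict[str, List[str]], pools: Dict[str, List[str]]) -> Dict[str, Optional[str]]:
    """Map every unassociated VNet to its recommended pool (or None)."""
    return {name: recommend_pool(spaces, pools) for name, spaces in vnets.items()}


if __name__ == "__main__":
    for vnet, pool in recommend_all(UNASSOCIATED_VNETS, POOLS).items():
        print(f"{vnet:16s} -> {pool or 'no suitable pool (review manually)'}")
```

The two cases that return None are the ones worth noticing: a VNet whose address space falls outside every pool, and a VNet whose address spaces resolve to different pools. Both are exactly the situations where a bulk association would silently create or hide address-space conflicts, so they are surfaced for manual review rather than auto-assigned.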

DNS flow trace logs for Azure Firewall

Azure Firewall now supports DNS flow trace logs, a new logging capability that delivers deep, end-to-end visibility into DNS traffic and name resolution paths. Building on existing DNS Proxy functionality, this feature records rich metadata such as query types, response codes, queried domains, upstream DNS servers, and the source and destination IP addresses for each request. With this enhanced telemetry, customers can more effectively troubleshoot application connectivity issues, validate DNS forwarding and custom DNS configurations, and strengthen their security posture through improved auditing and investigations. The capability also provides insights into whether the Azure Firewall DNS cache was used during resolution, enabling teams to better understand performance characteristics and optimize DNS behavior across their environments.

Troubleshooting Azure Firewall using packet capture

Azure Firewall now supports packet capture as a generally available capability to help customers troubleshoot network issues with greater precision. Packet capture is designed to record specific traffic flows, which can be filtered based on parameters such as protocol, flags, and custom filters, allowing teams to focus on the most relevant data for their investigations. Administrators can initiate packet captures directly from the Azure portal for an interactive experience, or automate and script the process using PowerShell for repeatable diagnostics in larger environments. By analyzing the captured packets, network and security teams can more easily identify misconfigurations, connectivity problems, or anomalous traffic patterns, accelerating root-cause analysis and improving the overall reliability and security of their Azure Firewall deployments.

Azure WAF JavaScript challenge on Azure Front Door

Azure Web Application Firewall (WAF) on Azure Front Door now offers a JavaScript (JS) challenge as a generally available security feature, designed to enhance bot mitigation without impacting user experience. The JS challenge runs silently in the background to distinguish legitimate clients from malicious automated traffic, avoiding the friction and user interaction typical of CAPTCHA-based approaches. Malicious bots that fail the challenge are blocked, helping protect web applications from automated attacks such as credential stuffing, scraping, and abuse of exposed endpoints. At the same time, legitimate users experience seamless access with no interruptions. The JS challenge is available as a mitigation action within both the Bot Managed ruleset and custom rules, giving security teams flexibility to integrate it into existing WAF policies and tailor protections to their specific application scenarios.

Application Gateway for Containers with Web Application Firewall

Azure Web Application Firewall (WAF) support for Application Gateway for Containers is now generally available, bringing advanced web protection to containerized application workloads. Application Gateway for Containers represents the next evolution of Application Gateway combined with Application Gateway Ingress Controller, and with integrated WAF it can now safeguard workloads against a broad range of web-based attacks, including SQL injection, cross-site scripting, and protocol anomalies. By enabling WAF, customers gain access to Azure-managed Default Rulesets (DRS), which provide protection not only against threats identified by the Open Web Application Security Project (OWASP), but also additional signatures curated by Microsoft’s Threat Intelligence Center (MSTIC). Furthermore, users can take advantage of bot protection via bot manager rulesets and apply rate limiting custom rules to help mitigate distributed denial-of-service (DDoS) style behaviors at the application layer, enhancing both security and resilience for container-based applications.

ExpressRoute resiliency

ExpressRoute resiliency capabilities are now generally available, offering customers deeper insights into and validation of the reliability of their hybrid connectivity. At the core of this enhancement is resiliency insights, an assessment feature that calculates a resiliency index—a percentage score derived from factors such as route resilience, use of zone-redundant gateways, adherence to advisory recommendations, and the results of resiliency validation tests. This index evaluates the control plane resiliency of ExpressRoute connectivity between Azure Virtual Network Gateways and on-premises networks, helping organizations identify gaps and strengthen their architecture. Complementing this, resiliency validation enables customers to perform site failovers for their Virtual Network Gateways, simulating site outages and migration scenarios to test failover effectiveness. By proactively assessing and improving their resiliency index and running validation tests, customers can enhance the robustness of their ExpressRoute connectivity and better ensure continuous access to Azure workloads.

Monitoring end-to-end ExpressRoute connectivity with Connection Monitor

Monitoring integration for ExpressRoute with Connection Monitor is now generally available, simplifying end-to-end observability for hybrid network workloads. With this capability, customers can enable Connection Monitor directly during the creation or update of their ExpressRoute connections, eliminating the need for separate monitoring configuration steps. Once enabled, Connection Monitor provides continuous visibility into connectivity health, latency, and reachability across ExpressRoute paths, offering actionable insights into the performance and reliability of on-premises-to-Azure connectivity. By activating monitoring from day one, organizations can more quickly detect issues, validate the behavior of their network architecture, and maintain a consistently high level of service for critical applications that rely on ExpressRoute.

Storage

Object Replication Priority Replication for Azure Blob

Object Replication Priority Replication for Azure Blob is now generally available, enabling users to obtain prioritized replication from the source to the destination storage account defined in their replication policy. When priority replication is enabled, and both the source and destination accounts are located within the same continent, customers benefit from a Service Level Agreement (SLA) that guarantees 99.0% of operations are replicated from the source container to the destination container within 15 minutes over the billing month. This capability offers organizations greater assurance that their data is replicated quickly and consistently, supporting scenarios that require tighter recovery point objectives, more predictable cross-account synchronization, and stronger safeguards for business-critical workloads.

Geo Priority Replication for Azure Blob

Geo Priority Replication for Azure Blob is now generally available, enhancing the replication experience for Geo-Redundant Storage (GRS) and Geo-Zone-Redundant Storage (GZRS) accounts by accelerating data replication between primary and secondary regions. This feature is backed by a Service Level Agreement (SLA) that ensures the Last Sync Time for Block Blob data remains at 15 minutes or less for 99.0% of the billing month. By providing a predictable upper bound on replication lag, Geo Priority Replication strengthens confidence in data durability and availability, particularly in scenarios where an unexpected outage in the primary region may trigger a failover. Organizations can rely on this capability to maintain a more up-to-date replica of their data in the secondary region, improving their resilience posture and readiness for regional disruptions.

Ultra Disk’s new flexible provisioning model

The new flexible provisioning model for Azure Ultra Disk is now generally available, giving customers greater control over performance and cost optimization for demanding workloads. With this enhancement, users can configure disk capacity, IOPS, and throughput (MBps) more independently, rather than being constrained by fixed performance tiers. This flexibility allows organizations to right-size performance characteristics to match specific application requirements, whether they are optimizing for latency-sensitive databases, high-throughput analytics, or transaction-heavy workloads. The new model applies to both new and existing Ultra Disks, enabling customers to adjust current deployments without re-architecting their infrastructure, and helping them achieve an improved balance between performance and total cost of ownership.

Object Replication Metrics for Azure Blob Storage

Object Replication metrics for Azure Blob Storage are now generally available in all regions, giving customers deeper visibility into the progress and health of their replication workflows. These metrics introduce two key indicators: Pending Operations, which tracks the total number of operations awaiting replication from the source to the destination storage account, and Pending Bytes, which tracks the total volume of data still pending replication. Both metrics are emitted in time buckets (for example, <5 minutes, 5–10 minutes, 10–15 minutes), showing how long operations have been waiting to replicate. This granular view helps organizations quickly identify delays in the replication pipeline, optimize performance, and maintain high availability across their Object Replication policies by proactively responding to emerging bottlenecks.

Planned Failover for Azure Storage

Planned Failover for Azure Storage is now generally available, enabling customer-managed failover of geo-redundant storage accounts while preserving geo-redundancy and data durability. With this capability, organizations can seamlessly swap the primary and secondary endpoints of a geo-redundant account so that, after failover, all new write operations target the original secondary region, which becomes the new primary. This feature supports scenarios such as disaster recovery drills, partial outages where storage remains healthy, and proactive preparation for potential disasters. Planned Failover is available for GPv2 storage accounts and is compatible with Blob, Azure Data Lake Storage Gen2, Table, File, and Queue data, giving customers a consistent mechanism to validate and execute controlled failovers across a broad range of storage workloads.

Azure NetApp Files Object REST API (preview)

The Azure NetApp Files Object REST API, currently in public preview, introduces an S3-compatible REST interface that bridges traditional file-based storage with modern cloud-native services. By exposing object-style access on top of Azure NetApp Files, this capability allows customers to reuse existing datasets with new consumption patterns, including native S3 access from modern applications and integration with other Azure services. In particular, it enables scenarios such as direct integration with Microsoft Fabric and Azure AI services, helping organizations unlock new analytics and AI-driven use cases without restructuring their storage architecture. As a result, customers can reduce costs, accelerate innovation, and derive more value from their existing data and storage investments while evaluating this new capability during the preview phase.

Conclusion

Over the past two weeks, Microsoft has introduced a slew of updates and announcements pertaining to Azure Infrastructure as a Service (IaaS) and Azure Local. These developments underscore the tech giant’s unwavering commitment to enhancing its cloud offerings and adapting to the ever-evolving needs of businesses and developers. Users of Azure can anticipate improved functionalities, streamlined services, and enriched features as a result of these changes. Stay tuned for more insights as I continue to monitor and report on Azure’s progression in the cloud sphere.
