This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.
During these two weeks of holidays, there were no notable news related to these areas.
We look forward to 2023 for lots of news!
I wish everyone a happy 2023!
This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.
Azure Dedicated Host: Restart
Azure Dedicated Host gives you more control over the hosts you deployed by giving you the option to restart any host. When undergoing a restart, the host and its associated VMs will restart while staying on the same underlying physical hardware. With this new capability, now generally available, you can take troubleshooting steps at the host level.
New Memory Optimized VM sizes (preview)
The new E96bsv5 and E112ibsv5 VM sizes part of the Azure Ebsv5 VM series offer the highest remote storage performances of any Azure VMs to date. The new VMs can now achieve even higher VM-to-disk throughput and IOPS performance with up to 8,000 MBps and 260,000 IOPS. This enables you to run data intensive workloads more efficiently and process more data on fewer vCPUs, potentially optimizing infrastructure and licensing costs.
Feature enhancements to Azure Web Application Firewall (WAF)
Azure’s global Web Application Firewall (WAF) running on Azure Front Door, and Azure’s regional WAF running on Application Gateway, now support additional features that help organizations improve their security posture and make it easier to manage logging across resources:
In addition, Azure regional WAF on Application Gateway now has:
Azure NetApp Files cross-zone replication (preview)
The cross-zone replication feature allows you to replicate your Azure NetApp Files volumes asynchronously from one Azure availability zone (AZ) to another in the same region. It uses a combination of the SnapMirror® technology used with cross-region replication and the new availability zone volume placement feature, to replicate data in-region; only changed blocks are sent over the network in a compressed, efficient format. It helps you protect your data from unforeseeable zone failures, without the need for host-based data replication. This feature minimizes the amount of data required to replicate across the zones, therefore limiting data transfers required and also shortens the replication time, so you can achieve a smaller restore point objective (RPO). Cross-zone replication doesn’t involve any network transfer costs, and hence it is highly cost-effective.
This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.
Azure HX series and HBv4 series virtual machines (preview)
The Azure HX series and HBv4 series virtual machines (VMs) are now in preview in the East US region. These VMs, powered by AMD 4th gen EPYCTM “Genoa” CPUs, improve the performance and cost-effectiveness of a variety of memory performance bound, compute bound, and massively parallel workloads. These new VMs deliver more performance, value-adding innovation, and cost-effectiveness to every Azure HPC customer.
Azure Bastion now support shareable links (preview)
With the new Azure Bastion shareable links feature in public preview and included in Standard SKU, you can now connect to a target resource (virtual machine or virtual machine scale set) using Azure Bastion without accessing the Azure portal.
This feature will solve two key pain points:
Azure File Sync agent v15.2
Azure File Sync agent v15.2 is now on Microsoft Update and Microsoft Download Center.
Improvements and issues that are fixed:
More information about this release:
This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.
What’s new in Azure VMware Solution
Recent updates for Azure VMware Solution:
Virtual Machine software reservations
The new Virtual Machine software reservations enable savings on your Virtual Machine software costs when you make a one- to three-year commitment for plans offered by third-party publishers such as Canonical, Citrix, and Red Hat.
Arm-based VMs now available in four additional Azure regions
The Dpsv5, Dplsv5, and Epsv5 VMs are available in the following additional four Azure regions: West US, North Central US, UK South, and France Central
Encrypt managed disks with cross-tenant customer-managed keys
Encrypting managed disks with cross-tenant customer-managed keys (CMK) enables you to encrypt managed disks with customer-managed keys using Azure Key Vault hosted in a different Azure Active Directory (AD) tenant.
New capabilities for Azure Firewall
Azure Firewall is a cloud-native firewall as a service offering that enables customers to centrally govern and log all their traffic flows using a DevOps approach.
Several key Azure Firewall capabilities are now generally available:
Azure Front Door: new features in preview
New features are available for Azure Front Door (preview):
Default Rule Set 2.1 for Azure Web Application Firewall
Default Rule Set 2.1 (DRS 2.1) on Azure’s global Web Application Firewall (WAF) running on Azure Front Door is available. This rule set is available on the Azure Front Door Premium tier.
DRS 2.1 is baselined off the Open Web Application Security Project (OWASP) Core Rule Set (CRS) 3.3.2 and includes additional proprietary protections rules developed by Microsoft Threat Intelligence team. As with previous DRS releases, DRS 2.1 rules are also tailored by Microsoft Threat Intelligence Center (MSTIC). The MSTIC team analyzes Common Vulnerabilities and Exposures (CVEs) and adapts the CRS ruleset to address those issues while also reducing false positives to our customers.
Bot Manager Rule Set 1.0 on regional Web Application Firewall
A new bot protection rule set (Microsoft_BotManagerRuleSet_1.0) is now generally available for Azure Web Application Firewall (WAF) with Azure Application Gateway. Added to this updated rule set are three bot categories: good, bad, and unknown. Bot signatures are managed and dynamically updated by Azure WAF. The default action for bad bot groups is set to Block, for the verified search engine crawlers group it’s set to Allow, and for the unknown bot category it’s set to Log. You may overwrite the default action with Allow, Block, or Log for any type of bot rule
Per Rule Actions on regional Web Application Firewall
Azure’s regional Web Application Firewall (WAF) with Application Gateway running the Bot Protection rule set and Core Rule Set (CRS) 3.2 or higher now supports setting actions on a rule-by-rule basis. This gives you greater flexibility when deciding how the WAF handles a request that matches a rule’s conditions.
Network HUD
Network HUD is a new feature, available with the November update on Azure Stack HCI that detects operational network issues causing stability issues or degrade performance. It distills the various indicators of problems generated by event logs, performance counters, the physical network and more, to proactively identify issues and alert you with contextual messages that you can act on. It also integrates with the existing alerting mechanisms you’re already used to and leverages Network ATC for intent-based analytics and remediation.
This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.
Attribute-based access control for standard storage accounts
Attribute-based access control (ABAC) is an authorization strategy that defines access levels based on attributes associated with security principals, resources, and requests. Azure ABAC builds on role-based access control (RBAC) by adding conditions to Azure role assignments in the existing identity and access management (IAM) system. This release makes generally available role assignment conditions using request and resource attributes on Blobs, ADLS Gen2 and storage queues for standard storage accounts.
Premium SSD v2 disks available on Azure Disk CSI driver
Premium SSD v2 is the next-generation Azure Disk Storage optimized for performance-sensitive and general-purpose workloads that need consistent low average read and write latency combined with high IOPS and throughput. Premium SSD v2 is now available with the Azure Disk CSI driver to deploy stateful workloads in Kubernetes on Azure.
Ephemeral OS disk support for confidential virtual machines
The support to create confidential VMs using Ephemeral OS disks is available. This enables customers using stateless workloads to benefit from the trusted execution environments (TEEs). Trusted execution environments protect data being processed from access outside the trusted execution environments.
Encrypt storage account with cross-tenant customer-managed keys
The ability to encrypt storage account with customer-managed keys (CMK) using an Azure Key Vault hosted on a different Azure Active Directory tenant is available. You can use this solution to encrypt your customers’ data using an encryption key managed by your customers.
Availability zone volume placement for Azure NetApp Files (preview)
Azure NetApp Files availability zone volume placement feature lets you deploy new volumes in the logical availability zone of your choice to support enterprise, mission-critical high availability (HA) deployments across multiple availability zones.
Azure Virtual WAN announcements
Multiple areas of Azure Virtual WAN (vWAN) have key announcements:
Multipool user group support preview
Secure hub routing intent preview
Hub routing preference (HRP) is generally available
Bypass next hop IP for workloads within a spoke VNet connected to the virtual WAN hub generally available
Border Gateway Protocol (BGP) Peering with a virtual hub is generally available
BGP dashboard is now generally available
Virtual Network Gateway VPN over ExpressRoute private peering (AZ and non-AZ regions) is generally available
Custom traffic selectors (portal)
High availability for Azure VPN client using secondary profile is generally available
Private connectivity (also known as ExpressRoute)
ExpressRoute circuit with visibility of Virtual WAN connection
Fortinet SDWAN is generally available
Aruba EdgeConnect Enterprise SDWAN preview
Checkpoint NG Firewall preview
Custom IP Prefixes (BYOIP) available in US Government regions
The ability to bring your own public IP ranges is now available in all US Government regions.
This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.
In this dedicated post you can find the most important announcements and major updates officialized last week during Microsoft Ignite (October 2022) conference.
Azure savings plan for compute
Azure savings plan for compute is an easy and flexible way to save significantly on compute services, compared to pay-as-you-go prices. The savings plan unlocks lower prices on select compute services when customers commit to spend a fixed hourly amount for one or three years. Choose whether to pay all upfront or monthly at no extra cost. As you use select compute services across the world, your usage is covered by the plan at reduced prices, helping you get more value from your cloud budget. During the times when your usage is above your hourly commitment, you’ll be billed at your regular pay-as-you-go prices. With savings automatically applying across compute usage globally, you’ll continue saving even as your usage needs change over time.
SFTP support for Azure Blob Storage
SSH File Transfer Protocol (SFTP) support for Azure Blob Storage is now generally available. Azure Blob Storage now supports SFTP, enabling you to leverage object storage economics and features for your SFTP workloads. With just one click, you can provision a fully managed, highly scalable SFTP endpoint for your storage account. This expands Blob Storage’s multi-protocol access capabilities and eliminates data silos, meaning you can run different applications, requiring different protocols, on a single storage platform with no code changes.
This special edition includes Microsoft’s most important announcements and major updates, regarding Azure infrastructure as a service (IaaS) and Azure Stack, which were officially announced this week at the Microsoft Ignite conference (October 2022). Microsoft announced a number of significant enhancements to its Azure infrastructure as a service (IaaS) portfolio, and Microsoft infrastructure services continue to evolve to improve the experience of running business-critical workloads in a hybrid environment.
Nutanix Cloud Clusters now generally available on Azure
Nutanix Cloud Clusters on Azure, now generally available, simplifies and accelerates the customer journey to the cloud. Nutanix customers can migrate or extend their workloads to Azure, without modification or retooling. With Nutanix Cloud Clusters on Azure, customers can leverage their existing Nutanix skills and tools, add Azure services such as security, identity and analytics and gain cost efficiencies with license portability that enables them to use their existing licenses for Azure deployment. And, to further support a hybrid model, customers can also seamlessly extend Azure data services to their on-premises Azure Arc-enabled Kubernetes clusters using the Nutanix platform.
New features for Azure VMWare Solution
Two new Azure VMware Solution features support higher availability and security for
customers’ mission critical workloads and include:
Azure savings plan for compute offers a new price offering
Microsoft is launching a new price offering, Azure savings plan for compute. This new offer, generally available later in October, will allow customers to save across select compute services globally by committing to spend a fixed hourly amount (for example, $5/hour) for one or three years. As customers use select compute services around the world, their usage is covered by the plan at reduced prices, helping them get more value from their cloud budget. During times when their usage is above their hourly commitment, users will simply be billed at the regular pay-as-you-go prices. With savings automatically applying across compute usage globally, they’ll continue saving even as their usage needs change over time. This plan lets customers increase the value of their cloud budget, retain financial control and optimize costs amid increasing cloud spends to help them do more with less.
New Azure Virtual Machine Scale Set and Spot Virtual Machines capabilities (preview)
A new Virtual Machine Scale Sets feature that enables Azure customers to include standard and Spot Virtual Machine types in the same virtual machine scale set is now in preview. This new capability is available with flexible orchestration mode and can help you achieve significant cost savings given the deep discount rates that Spot Virtual Machines usually provide. Virtual Machines Scale Sets flexible orchestration mode provides you with the ability to deploy highly available large-scale cloud infrastructure quickly, reliably, and easily. You can also set up policies that define the percentage allocation of standard versus Spot Virtual Machines. The number of standard VMs that need to be running at any given time, in addition to the percentage of Spot Virtual Machines, can also be defined.
Confidential VM option for SQL Server on Azure Virtual Machines
With the confidential VM option for SQL Server on Azure Virtual Machines, you can now run your SQL Server workloads on the latest AMD-backed confidential virtual machines. This ensures that both the data in use (the data processed inside the memory of the SQL Server) as well as the data at rest stored on your VM’s drives, are inaccessible to unauthorized users from the outside of the VM. This can be done without the need to change the code of your SQL Server applications or your database schemas, including stored procedures.
Next-gen Azure Premium SSD Disk Storage
The new Azure Premium SSD v2 Disk Storage is the most advanced general purpose block storage solution available, designed for performance-critical workloads like online transaction processing systems that consistently need sub-millisecond latency combined with high IOPS and throughput. Premium SSD v2 enables you to improve the price-performance of a broad range of enterprise production workloads that require sub-millisecond latency with high IOPS and throughput such as SQL Server, Oracle® DB, MariaDB, SAP, Cassandra, Mongo DB, big data, analytics, gaming, on virtual machines, or stateful containers. With Premium SSD v2, you can provision up to 64TiBs, 80,000 IOPS, and 1,200 MB/s throughput on a single disk. You can specify disk size ranging from 1 GiB up to 64 TiBs, in 1-GiB increments. You can provision separately disk size, IOPS, and throughput to match your workload requirements, resulting in greater flexibility when managing performance and costs. Furthermore, you can dynamically scale up or down the performance as needed without downtime, giving you the flexibility to manage disk performance cost-effectively.
Azure Elastic SAN (preview)
Azure Elastic SAN, now in preview, is a unique cloud-native and fully managed storage area network (SAN) service. Combining SAN-like capabilities with the benefits of being a cloud-native service, Azure Elastic SAN will offer a scalable, cost-effective, high-performance and reliable storage solution. It can connect to a variety of Azure compute services, enabling customers to seamlessly lift and shift their SAN workloads to the cloud without having to change their provisioning and management model.
These features include:
Azure DNS Private Resolver
Azure DNS Private Resolver is a cloud-native, highly available, and DevOps-friendly service. It provides a simple, zero- maintenance, reliable, and secure DNS service to resolve and conditionally forward DNS queries from a virtual network, on-premises, and to other target DNS servers without the need to create and manage a custom DNS solution. Resolve DNS names hosted in Azure Private DNS Zones from on-premises networks as well as DNS queries for your own domain names. This will make your DNS infrastructure work privately and seamlessly across on-premises networks and enable key hybrid networking scenarios.
Azure Resource Topology
Azure Resource Topology (ART) allows visualizing the resources in a network, acquire system context, understand state and debug issues faster. It provides a visualized connected experience for inventory management and monitoring. This unified topology leads to upgrading the network monitoring and management experience in Azure. Replacing the Network Watcher topology, this topology will allow the users to draw a unified and dynamic topology across multiple subscription, regions, and resource groups (RGs) comprising of multiple resources. Allowing deep dive into your environment, ART provides the capability for users to drill down from regions, VNETs to subnets, and resource view diagram of resources supported in Azure. It also stitches the end-to-end monitoring and diagnostics story with the capability to run next hop directly from a VM selected in the topology after specifying the destination IP address. Selecting a resource in the topology highlights the node and all other nodes/resources connected to it via edges. These edges define the connections among regions which can be done through VNET peering, VNET Gateways, etc. The side pane shows extensive resource details and properties for selected node/resource.
Static IP configurations of private endpoints
Private endpoint support for statically defined IP addresses is generally available. This feature allows you to add customizations to your deployments. Leverage already reserved IP addresses and allocate them to your private endpoint without relying on the randomness of Azure’s dynamic IP allocation. In doing so, you can account for a consistent IP address to the private endpoint to use alongside IP based security rules and scripts.
Custom network interface name configurations of private endpoints
Private endpoint support for custom network interface (NIC) is now generally available. This feature allows you to define your own string name at the time of creation of the private endpoint NIC deployed. This enhances customizations to your deployments by allowing private endpoint resources to comply with your naming structure. You can leverage this feature to define a private endpoint NIC outside of the existing format of [Private Endpoint Name].nic.GUID.
IP Protection SKU for Azure DDoS Protection (preview)
IP Protection is designed with SMBs in mind and delivers enterprise-grade, cost-effective DDoS protection. Instead of enabling DDoS protection on a per virtual network basis, including all public IP resources associated with resources in those virtual networks, you now have the flexibility to enable DDoS protection on an individual public IP. The existing standard SKU of Azure DDoS Protection will now be known as Network Protection. IP Protection includes the same features as Network Protection, but Network Protection will have in the following value-added services: DDoS Rapid Response support, cost protection, integration with Azure Firewall Manager, and discounts on Azure Web Application Firewall.
ExpressRoute Metro (in development)
ExpressRoute Metro offers you the ability to create private connections via an ExpressRoute Circuit with dual connections from a Service provider (AT&T, Equinix, Verizon etc.,) or connecting directly with ExpressRoute Direct over a dual 10 Gbps or 100 Gbps physical port in two different Microsoft Edge location in a metropolitan area offering higher redundancy and resiliency.
Azure public multi-access edge compute (MEC)
Azure public multi-access edge compute (MEC) allows enterprises and developers to
deliver innovative, high-performance, low-latency apps using operators’ public 5G
networks. Azure public MEC is available with AT&T in Atlanta and Dallas. This offers
customers the unique ability to analyze data closer to where it is being captured for
proactive actions and decisions. Azure public MEC with the AT&T 5G network will be available in November in Atlanta and Dallas. Additional sites will be coming soon to Detroit and New York City.
New benefit for Software Assurance customers
Microsoft is expanding Azure Hybrid Benefit, a program that enables Software Assurance (SA) customers to reduce costs. With the new Azure Hybrid Benefit for Azure Kubernetes Service (AKS) and Azure Stack HCI, customers can:
Azure Arc-enabled VM management: public preview 2
Microsoft is adding some important new features in public preview 2 to manage virtual machines:
22H2 feature update
All existing Azure Stack HCI clusters are eligible to receive 22H2 as a free over-the-air update. You can apply the update non-disruptively with cluster-aware updating, just like a monthly security patch. Microsoft recommends version 22H2 for all new Azure Stack HCI deployments. No matter how you use Azure Stack HCI, there’s something for you in the 22H2 feature update.
Network
With version 22H2, Network ATC can automatically assign IP addresses to your intra-cluster storage networks, and automatically name your cluster networks based on their intended use. It can also manage live migration settings for you, like selecting the best network, best transport, and best bandwidth allocation.
Storage
Storage management is more flexible: you can modify existing storage volumes to increase their resiliency (e.g., from two-way to three-way mirror) or convert in-place from fixed to thin provisioning.
Storage replication between sites in a stretch cluster is faster with new optional compression. Hyper-V live migration is more reliable for switchless 2-node and 3-node clusters. And there’s new tag-based network segmentation, enabling you to secure virtualized workloads against lateral threats based on custom tags of your choice.
Management tools
Management tools are being refreshed to support the new update. You can use Windows Admin Center to manage version 22H2 right now, and in mid-November, the next Windows Admin Center release will bring enhancements to light up new features, like modifiable volume settings, an improved cluster settings design, and more. In mid-November, the first Update Rollup (UR1) for System Center 2022 will add official support for Azure Stack HCI, version 22H2.
Azure Kubernetes Service hybrid deployment options
Azure Kubernetes Service (AKS) on Azure Stack HCI, Windows Server 2019, and 2022 Datacenter can be provisioned from the Azure Portal/CLI. Through this consistent managed Kubernetes experience, organizations can run containerized apps regardless of their location in a datacenter, the Azure cloud and/or a physical location or device.
Hardware
In 2023, Microsoft will begin offering an Azure Stack HCI integrated system based on hardware that’s designed, shipped, and supported by Microsoft. The solution, called the “Pro 2”, has a 2U half-depth form factor that’s ideal for deployment outside the datacenter, in locations like retail, manufacturing and healthcare. The Pro 2 will be available in several configurations, with specs tailored to edge use cases and the option for up to two NVIDIA A2 GPUs. You’ll be able to order it directly from the Azure Portal and it’ll ship with Azure Stack HCI pre-installed. And hardware management will be integrated directly into the existing cluster management tools, including a new Windows Admin Center extension that’s under development now.
This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.
Azure NetApp Files new regions and cross-region replication
Azure NetApp Files is now available in the following additional regions:
Additionally, Azure NetApp Files cross-region replication has been enabled between following regions:
ExpressRoute FastPath support for Vnet peering and UDRs
FastPath now supports virtual network peering and user defined routing (UDR). FastPath will send traffic directly to any VM deployed in a spoke virtual network peered to the virtual network where the ExpressRoute virtual network gateway is deployed. Additionally, FastPath will now honor UDRs configured on the GatewaySubnet and send traffic directly to an Azure Firewall or third-party Network Virtual Appliance (NVA).
Azure Firewall Basic (preview)
Azure Firewall Basic is a new SKU for Azure Firewall designed for small and medium-sized businesses.
Comprehensive, cloud-native network firewall security:
Simple setup and easy-to-use:
Cost-effective:
Policy analytics for Azure Firewall (preview)
Policy analytics for Azure Firewall, now in public preview, provides enhanced visibility into traffic flowing through Azure Firewall, enabling the optimization of your firewall configuration without impacting your application performance.
Azure Basic Load Balancer will be retired
On 30 September 2025, Azure Basic Load Balancer will be retired. You can continue to use your existing Basic Load Balancers until then, but you’ll no longer be able to deploy new ones after 31 March 2025.
To keep your workloads appropriately distributed, you’ll need to upgrade to Standard Load Balancer, which provides significant improvements including:
Basic SKU public IP addresses will be retired
On 30 September 2025, Basic SKU public IP addresses will be retired in Azure. You can continue to use your existing Basic SKU public IP addresses until then, however, you’ll no longer be able to create new ones after 31 March 2025.
Standard SKU public IP addresses offer significant improvements, including:
This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.
Azure File Sync agent v15.1
Improvements and issues that are fixed:
To obtain and install this update, configure your Azure File Sync agent to automatically update when a new version becomes available or manually download the update from the Microsoft Update Catalog.
More information about this release:
Standard network features for Azure NetApp Files
Standard network features for Azure NetApp Files volumes are available. Standard network features provide you with an enhanced, and consistent virtual networking experience along with security posture for Azure NetApp Files.
You are now able to choose between standard or basic network features while creating a new Azure NetApp Files volume:
Immutable storage for Azure Data Lake Storage
Immutable storage for Azure Data Lake Storage is now generally available. Immutable storage provides the capability to store data in a write once, read many (WORM) state. Once data is written, the data becomes non-erasable and non-modifiable and you can set a retention period so that files can’t be deleted until after that period has elapsed. Additionally, legal holds can be placed on data to make that data non-erasable and non-modifiable until the hold is removed.
Improved Append Capability on Immutable Storage for Blob Storage
Immutable storage for Blob Storage on containers (which has been generally available since September 2018) now includes a new append capability. This capability, titled “Allow Protected Appends for Block and Append Blobs”, allows you to set up immutable policies for block and append blobs to keep already written data in a WORM state and continue to add new data. This capability is available for both legal holds and time-based retention policies.
Encrypt managed disks with cross-tenant customer-managed keys
Many service providers building Software as a Service (SaaS) offerings on Azure want to give their customers the option of managing their own encryption keys. Customers of service providers can now use cross-tenant customer-managed keys to manage encryption keys in their own Azure AD tenant and subscription using Azure Key Vault. As a result, they will have complete control of their customer-managed keys and their data.
Azure Dedicated Host support for Ultra Disk Storage
Virtual machines (VMs) running on Azure Dedicated Host support the use of standard and premium disks as data disks, and now there is also the support for ultra disks on dedicated host.
Azure unmanaged disks will be retired on 30 September 2025
Azure Managed Disks now have full capabilities of unmanaged disks and other advancements. Microsoft will begin deprecating unmanaged disks on September 30, 2022, and this functionality will be completely retired on September 30, 2025.
Encryption scopes on hierarchical namespace enabled storage accounts (preview)
Encryption scopes introduce the option to provision multiple encryption keys in a storage account with hierarchical namespace. Using encryption scopes, you now can provision multiple encryption keys and choose to apply the encryption scope either at the container level (as the default scope for blobs in that container) or at the blob level. The preview is available for REST, HDFS, NFSv3, and SFTP protocols in an Azure Blob / Data Lake Gen2 storage account. The key that protects an encryption scope may be either a Microsoft-managed key or a customer-managed key in Azure Key Vault. You can choose to enable automatic rotation of a customer-managed key that protects an encryption scope. When you generate a new version of the key in your Key Vault, Azure Storage will automatically update the version of the key that is protecting the encryption scope, within a day.
Customer initiated storage account conversion (preview)
The self-service option to convert storage accounts from non-zonal redundancy (LRS/GRS) to zonal redundancy (ZRS/GZRS) is available. This allows you to initiate the conversion of storage accounts via the Azure portal without the necessity of creating a support ticket.
Resizing of peered virtual networks
Updating the address space for peered virtual networks now is now generally available. This feature allows you to update the address space or resize for a peered virtual network without removing the peering.
Improvements to Azure Web Application Firewall (WAF) custom rules
This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.
Azure Virtual Machines with Ampere Altra Arm–based processors
Microsoft is announcing the general availability of the latest Azure Virtual Machines featuring the Ampere Altra Arm–based processor. The new virtual machines will be generally available on September 1, and customers can now launch them in 10 Azure regions and multiple availability zones around the world. In addition, the Arm-based virtual machines can be included in Kubernetes clusters managed using Azure Kubernetes Service (AKS). This ability has been in preview and will be generally available over the coming weeks in all the regions that offer the new virtual machines.
Prevent a lifecycle management policy from archiving recently rehydrated blobs
Azure Storage lifecycle management offers a rule-based policy that you can use to transition blob data to the appropriate access tiers or to expire data at the end of the data lifecycle. You can configure rules to move a blob to archive tier based on last modified condition. If you rehydrate a blob by changing its tier, this rule may move the blob back to the archive tier. This can happen if the last modified time is beyond the threshold set for the policy. Now you can add a new condition, daysAfterLastTierChangeGreaterThan, in your rules, to skip the archiving action if the blobs are newly rehydrated.
Encrypt storage account with cross-tenant customer-managed keys (preview)
The ability to encrypt storage account with customer-managed keys (CMK) using an Azure Key Vault hosted on a different Azure Active Directory tenant is available in preview. You can use this solution to encrypt your customers’ data using an encryption key managed by your customers.
Ephemeral OS disks supports host-based encryption using customer managed key
Ephemeral OS disk customers can choose encryption type between platform managed keys or customer managed keys for host-based encryption. The default is platform managed keys. This feature would enable our customers to meet organization’s compliance needs.
Resource instance rules for access to Azure Storage
Resource instance rules enable secure connectivity to a storage account by restricting access to specific resources of select Azure services.
Azure Storage provides a layered security model that enables you to secure and control access to your storage account. You can configure network access rules to limit access to your storage account from select virtual networks or IP address ranges. Some Azure services operate on multi-tenant infrastructure, so resources of these services cannot be isolated to a specific virtual network.
With resource instance rules, you can now configure your storage account to only allow access from specific resource instances of such Azure services. For example, Azure Synapse offers analytic capabilities that cannot be deployed into a virtual network. If your Synapse workspace uses such capabilities, you can configure a resource instance rule on a secured storage account to only allow traffic from that Synapse workspace.
Resource instances must be in the same tenant as your storage account, but they may belong to any resource group or subscription in the tenant.
ExpressRoute IPv6 Support for Global Reach
IPv6 support for Global Reach unlocks connectivity between on-premise networks, via the Microsoft backbone, for customers with dual-stack workloads. Establish Global Reach connections between ExpressRoute circuits using IPv4 subnets, IPv6 subnets, or both. This configuration can be done using Azure Portal, PowerShell, or CLI.