Category Archives: Azure Networking

Azure IaaS and Azure Local: announcements and updates (June 2026 – Weeks: 23 and 24)

This blog post series highlights the key announcements and major updates related to Azure Infrastructure as a Service (IaaS) and Azure Local, as officially released by Microsoft in the past two weeks.

Azure

Compute

Azure NC RTX PRO 6000 Blackwell Server Edition v6 Series Virtual Machines

Azure NCv6-series Virtual Machines (VMs) are now Generally Available (GA) in the Southeast Asia and West US 2 regions. These VMs are powered by NVIDIA RTX PRO 6000 Blackwell Server Edition Graphics Processing Units (GPUs), with each GPU providing 96 GB of GDDR7 memory and the latest NVIDIA Blackwell architecture. This availability expands Azure’s accelerated computing portfolio for workloads that require high GPU performance, including Artificial Intelligence (AI), graphics-intensive applications, visualization, and advanced compute scenarios.

Confidential Live Migration for Intel TDX confidential VMs in Azure

Microsoft has announced Confidential Live Migration for Intel® Trust Domain Extensions (Intel TDX) confidential Virtual Machines (VMs) in Azure. This new capability is designed to improve operational flexibility and availability during platform servicing by helping move a confidential VM to updated infrastructure with minimal interruption, while preserving the confidentiality protections provided by Intel TDX-based virtual machines.

Azure Linux 4.0 for Azure Virtual Machines and VM Scale Sets (preview)

Azure Linux 4.0 for Azure Virtual Machines (VMs) and Virtual Machine Scale Sets (VMSS) is now available in Public Preview. Azure Linux 4.0 is intended for non-production use and testing, providing the next major version of Microsoft’s Linux distribution optimized for Azure workloads. This preview enables customers to validate compatibility and explore upcoming platform capabilities before production availability.

Storage

Premium SSD v2 disks now support non-zonal Azure Virtual Machines

Azure Premium SSD v2 disks now support non-zonal, single-instance Azure Virtual Machines (VMs) in selected Azure regions with Availability Zones (AZs). With this update, customers can deploy Premium SSD v2 with non-zonal virtual machines without selecting a specific Availability Zone, simplifying deployment scenarios while making Premium SSD v2 available to a broader set of VM configurations.

Azure Files assessments now available worldwide using Azure Migrate

Azure Migrate now generally supports discovery and assessment of SMB and NFS file shares hosted on Windows and Linux servers. This capability gives customers a data-driven view of their file share environment and supports migration planning for Azure Files by helping organizations assess existing on-premises file shares before moving them to Azure.

File share centric management model for Azure Files

The file share centric management model for Azure Files is now Generally Available (GA). This new model allows Azure Files file shares to be managed more directly and at scale as Azure resources through Microsoft.FileShares, simplifying the operational experience and enabling more scalable file share management in Azure environments.

Azure Local

Azure Local: from sovereign infrastructure to distributed edge

The announcements related to Azure Local presented over the past few weeks, also as part of Microsoft Build 2026, are numerous and clearly indicate the direction in which Microsoft is taking the platform. The underlying message is clear: Azure Local is evolving along two complementary paths. On one hand, it is becoming a platform for sovereign-scale infrastructure, designed for large regulated, distributed environments or scenarios with strict operational control requirements. On the other hand, it is expanding toward increasingly compact edge scenarios, down to single-node small form factor devices. In both cases, the goal remains the same: to maintain a consistent management experience based on the Azure portal, Azure CLI, Azure Resource Manager, and Azure APIs.

Before looking at the individual announcements, it is useful to clarify the main deployment models currently associated with Azure Local:

Type	OS	Storage / compute	Scale	Status
Hyperconverged	Windows	Storage Spaces Direct	Up to 16 nodes	GA
Disaggregated	Windows	SAN storage, with compute and storage separated	Up to 64 nodes	GA
Multi-rack	Azure Linux	Pre-integrated racks with compute, SAN storage, and managed networking	Hundreds of servers	GA / controlled availability
Small form factor	Linux	Single node, Docker / K3s	Compact edge device	Preview

The most interesting aspect, however, is not only the expansion of the infrastructure options. It is the fact that Azure Local is progressively becoming the local foundation on which Microsoft can bring more layers of its cloud and SaaS platform:

Azure Local for infrastructure;
Microsoft 365 Local for productivity and collaboration in private, hybrid, or disconnected environments;
Foundry Local for AI workloads running locally;
GitHub Enterprise Local for the DevOps lifecycle in sovereign and private cloud scenarios.

The significance is primarily practical: for the first time, these components can operate coherently within the same boundary controlled by the organization, maintaining a cloud-consistent operating model while reducing dependency on connectivity to external services when the scenario requires it.

Azure Local small form factor deployments for edge and Physical AI scenarios (preview)

Microsoft has introduced a new small form factor deployment type for Azure Local in Public Preview, designed for distributed edge environments where a traditional rack-based infrastructure footprint is not practical. This new deployment model targets scenarios such as retail stores, factories, branch offices, field locations, and remote industrial sites, where organizations need a compact, centrally managed device capable of running local data ingestion, Artificial Intelligence (AI) inference, and containerized workloads close to where data is generated.

Unlike traditional Azure Local hyperconverged or disaggregated deployments, this small form factor architecture is based on Linux rather than Windows and runs directly on bare metal without relying on virtualization. It is initially based on Azure Linux and supports container runtime options such as Docker, open-source K3s, and fully managed Azure Kubernetes Service (AKS). The model is single-node only and is optimized for lightweight, performance-oriented edge deployments.

A key element of this preview is the new Provisioned Machine resource type, which allows physical devices to be provisioned and managed from Azure in a way that resembles the management experience of an Azure virtual machine. These devices appear in the Azure portal, can be governed using Microsoft Entra ID, and support centralized lifecycle operations through Azure portal and APIs. Microsoft plans to extend this model with additional capabilities such as update management, metrics, security configuration, and configurable child resources for network interfaces and disks.

The provisioning experience is designed to simplify large-scale edge rollouts through a zero-touch approach: the operating system image is written to a USB drive, the device is started from that image, and after removing the USB drive, the remaining configuration and management are performed from Azure. This reduces the need for local IT tools and manual configuration, making it more practical to deploy and manage devices across hundreds or thousands of distributed locations.

Microsoft positions this deployment model under the broader Physical AI strategy. The small form factor devices are validated to run Foundry Local for local AI inference, Azure IoT Operations for device and sensor connectivity, and AKS on bare metal for containerized workloads at the edge. Validated hardware includes compact devices such as ASUS NUC 14 Pro, ASUS NUC 15 Pro, Lenovo ThinkEdge SE30, Lenovo ThinkEdge SE100, and OnLogic HX521. Together, these capabilities create a centrally managed edge platform for organizations that need to run IoT ingestion, local AI processing, and Kubernetes workloads directly where operational data is produced.

Foundry Local on Azure Local: multi-node deployments and vLLM support (preview)

Foundry Local on Azure Local is expanding in Public Preview with support for multi-node deployments, new local agents and tools, and an expanded model runtime offering that now includes vLLM-optimized models alongside existing ONNX-based options. This update is particularly relevant for sovereign, private, edge, and disconnected environments, where organizations need to run Artificial Intelligence (AI) inference locally, within customer-managed infrastructure and operational boundaries.

With multi-node support, Foundry Local can scale AI inference across multiple nodes in an Azure Local cluster instead of being limited to a single node. This enables organizations to support more demanding inference workloads, improve scalability, and build a stronger foundation for production AI scenarios running on infrastructure they own and control. At the same time, the addition of vLLM is significant because it broadens the range of models that can be deployed locally. While previous Foundry Local scenarios relied primarily on ONNX Runtime, which required models to be available or converted into ONNX format, vLLM enables deployment of large language models in formats commonly used by the open-source AI ecosystem, including models from Hugging Face, without requiring conversion.

Foundry Local also continues to provide a familiar catalog and API-driven deployment experience, allowing customers to explore, deploy, and operate proprietary and community models locally on Azure Local. The platform is designed to support governance, identity, and auditability while keeping execution, data, prompts, and model interactions inside the customer-controlled boundary. In addition, preview capabilities such as agentic retrieval, local agents and tools, and developer acceleration templates help organizations build AI systems that can reason, retrieve information, and take action using enterprise data without sending sensitive information outside the environment.

Combined with Azure Local, GPU-enabled hardware such as NVIDIA RTX PRO 6000 Blackwell Server Edition, the open NVIDIA Nemotron model family, and vLLM, Foundry Local provides a more complete on-premises AI inference stack for regulated and latency-sensitive environments. This enables organizations to run generative, predictive, and agentic AI workloads close to where data is created, whether in connected, intermittently connected, or fully disconnected scenarios, while maintaining consistent governance and operational control through Azure Arc.

Another important capability introduced in this preview is agentic retrieval with Foundry Local, which brings Retrieval-Augmented Generation (RAG) patterns into on-premises and sovereign environments. With this capability, AI models running on Azure Local can search and retrieve contextual information from local Microsoft 365 Local data sources, including SharePoint, OneDrive, and other Microsoft 365 content, without requiring data to leave the customer-controlled infrastructure. The retrieval layer uses the Model Context Protocol (MCP) to expose local RAG capabilities as tools that can be consumed by any MCP-compatible agent. This follows the same architectural pattern used by Foundry IQ in the cloud, but runs locally on the Azure Local cluster, enabling grounded, context-aware AI experiences while preserving data residency, operational control, and compliance boundaries.

Azure Kubernetes Service and Azure IoT Operations

Microsoft is extending additional Azure services to Azure Local, enabling organizations to run Kubernetes and industrial data workloads closer to where operational data is generated. Azure Kubernetes Service (AKS) can now run directly on bare metal without requiring a virtualization layer, while preserving the same enterprise-grade Kubernetes experience already available in Azure and on server-based environments. Once deployed, the AKS cluster is managed consistently with other AKS environments, including Azure-based Role-Based Access Control (RBAC), networking, upgrades, monitoring, and integrations such as AKS Fleet Manager. This allows organizations to extend familiar cloud-native controls and operational tooling from the cloud to distributed and industrial edge locations.

Azure IoT Operations is also supported for edge scenarios, providing a unified data and control plane for physical assets. The service includes connectors, an industrial-grade MQTT broker, and local agents and logic that can continue operating even with intermittent connectivity. This enables organizations to collect, process, and contextualize operational data locally, prepare it for Artificial Intelligence (AI) and analytics scenarios, and connect it to broader cloud services such as Microsoft Fabric Real-Time Intelligence. Azure IoT Operations also provides a no-code graphical interface to configure data flows and supports bidirectional communication with connected machines, enabling messages and commands to be sent back to physical assets.

Azure Kubernetes Fleet Manager support for Arc-enabled clusters

Azure Kubernetes Fleet Manager is expanding beyond Azure to support Arc-enabled Kubernetes clusters, enabling organizations to manage Kubernetes environments across Azure, Azure Local, and other Arc-connected infrastructures from a unified control plane. With this capability, AKS clusters on Azure Local and other Arc-enabled clusters can be organized and operated as part of a fleet, allowing administrators to apply updates, policies, and workload deployments consistently across the broader Kubernetes estate. This is especially useful for organizations running AKS on Azure Local across multiple sites, where managing clusters individually can quickly become operationally complex. By extending fleet management to Arc-enabled clusters, Microsoft provides a more scalable and consistent approach to governing distributed Kubernetes environments, improving operational efficiency across cloud, datacenter, edge, and hybrid scenarios.

GitHub Enterprise Local on Azure Local (preview)

GitHub Enterprise Local is now available in Public Preview, bringing GitHub’s enterprise developer platform into sovereign, private, disconnected, and air-gapped environments. The solution enables organizations to deploy GitHub Enterprise Server (GHES) as a prebuilt virtual machine on Azure Local, keeping source code, repositories, metadata, CI/CD workflows, build pipelines, and development artifacts entirely within customer-owned infrastructure and operational boundaries. This capability is designed for highly regulated sectors such as government, defense, financial services, critical infrastructure, and other environments where sovereignty, operational control, and resiliency are mandatory requirements.

GitHub Enterprise Local preserves a GitHub-consistent developer experience for source control, collaboration, pull requests, branch protection, code reviews, issues, wikis, GitHub Actions with self-hosted runners, and GitHub Packages for artifact management. It can run on single-node Azure Local deployments for preview, proof-of-concept, or low-risk scenarios, or on multi-node Azure Local clusters where the platform provides virtual machine-level high availability and failover for production-oriented deployments.

The solution is designed to operate without internet connectivity by default, while also supporting connected and restricted deployment models depending on customer requirements. In connected environments, organizations can benefit from centralized management and monitoring, while in disconnected environments the entire development platform can remain isolated inside the customer’s security and network perimeter. When combined with Foundry Local and GitHub Copilot, GitHub Enterprise Local also enables AI-assisted development workflows in sovereign environments, helping keep code context, prompts, model execution, and development assets within customer-controlled boundaries. Azure Local provides the underlying private cloud foundation, including virtualization, infrastructure availability, lifecycle operations, customer-controlled networking and security policies, and Azure Arc-enabled management, allowing organizations to modernize application development while maintaining compliance, auditability, and sovereignty requirements.

LAPS for Azure Arc: Local Admin Password Security across hybrid environments

Local Administrator Password Solution (LAPS) for Azure Arc extends Windows LAPS management to hybrid and multi-cloud environments by using Azure Policy and Machine Configuration to audit and enforce local administrator password settings at scale. This capability helps organizations reduce the risk associated with shared or manually managed local administrator credentials by ensuring that each machine uses a unique, randomly generated password that is rotated on a defined schedule and securely stored in Microsoft Entra ID or Active Directory. With Azure Arc, the same declarative policy model can be applied consistently across Azure virtual machines and Arc-enabled servers running on-premises, at the edge, or in other clouds. Administrators can start in audit-only mode to assess compliance across existing environments and then move to audit-and-configure mode to remediate non-compliant machines in controlled deployment rings. Default settings are aligned with common security guidance, including complex passwords, regular rotation, password expiration protection, and post-authentication actions such as password reset and user sign-out after use. This approach is particularly relevant for hybrid, sovereign, and regulated environments, where consistent enforcement, centralized compliance reporting, and audit-ready evidence are essential to reduce credential-related attack paths without replacing existing Windows LAPS deployments.

Conclusion

Over the past two weeks, Microsoft has introduced a slew of updates and announcements pertaining to Azure Infrastructure as a Service (IaaS) and Azure Local. These developments underscore the tech giant’s unwavering commitment to enhancing its cloud offerings and adapting to the ever-evolving needs of businesses and developers. Users of Azure can anticipate improved functionalities, streamlined services, and enriched features as a result of these changes. Stay tuned for more insights as I continue to monitor and report on Azure’s progression in the cloud sphere.

Azure IaaS and Azure Local: announcements and updates (May 2026 – Weeks: 21 and 22)

Azure

General

Multiparty private offers in Microsoft Marketplace expand to 30 countries in Europe

Multiparty private offers in Microsoft Marketplace have expanded to 30 countries in Europe, giving Microsoft partners a broader way to procure third-party cloud and Artificial Intelligence (AI) solutions for customers through Marketplace. This capability allows software companies to expand into new markets by collaborating with partners that already have established customer relationships, while customers can continue working through their trusted partners for software and services procurement.

Networking

Application Gateway for Containers service mesh integration with Istio

Application Gateway for Containers service mesh integration with Istio is now Generally Available (GA). This capability simplifies secure north-south traffic into workloads running in an Istio service mesh by automating mutual Transport Layer Security (mTLS) connectivity between Application Gateway for Containers and mesh-enabled services. With this release, customers can use the integration with both upstream open-source Istio and the Istio-based service mesh add-on for Azure Kubernetes Service (AKS), giving teams flexibility to adopt a managed AKS experience while using Application Gateway for Containers as a single ingress path for services inside and outside the mesh. The integration also helps reduce operational overhead by simplifying ingress configuration, avoiding repetitive mTLS definitions, and automating certificate trust and rotation for secure communication with mesh workloads.

User Groups and IP address pools for P2S connections

User Groups and IP address pools for Point-to-Site (P2S) connections in Azure VPN Gateway are now Generally Available (GA). This capability allows customers to assign distinct IP address pools to remote users based on their credentials, enabling more granular segmentation and access control for Azure workloads. User groups within a VPN Gateway can be defined based on Microsoft Entra ID group membership, certificate common name domains, or custom RADIUS attributes. By assigning unique IP address ranges to different user groups, organizations can strengthen security, apply more targeted policies, and simplify access segmentation for remote users.

Summarized advertised gateway prefixes for route advertisement (preview)

Summarized advertised gateway prefixes for route advertisement are now available in Public Preview, allowing customers to define summarized prefixes that Azure gateways—such as ExpressRoute and VPN Gateway—advertise to on-premises networks instead of advertising all individual virtual network and spoke prefixes. This capability helps reduce the number of routes advertised to on-premises environments, simplifies route management in large hub-and-spoke architectures, and improves scalability for hybrid networking scenarios.

Site-to-site VPN connections with certificate authentication

Azure Site-to-Site VPN with digital certificate authentication is now Generally Available (GA). This capability provides an alternative to traditional pre-shared key (PSK) authentication by allowing Azure VPN Gateway and the on-premises VPN device to authenticate each other using certificates. Certificate-based authentication helps improve security and reduce operational risk compared with shared secrets, making site-to-site VPN connectivity easier to secure and govern.

Azure Virtual Network updates: default limits increased for NSGs and route tables

Azure Virtual Network has increased the default platform limits for Network Security Groups (NSGs) and route tables. The new defaults are 2,000 security rules per NSG, 6,000 addresses or ports per NSG rule, 1,000 routes per route table, and 600 route tables per subscription. These higher default limits help customers operate larger and more complex network environments with fewer limit-related constraints, especially in enterprise-scale hub-and-spoke architectures and heavily segmented deployments.

Network Watcher rule impact analyzer

Azure Network Watcher rule impact analyzer is now Generally Available (GA), enabling customers to assess the potential impact of Network Security Group (NSG) or security admin rule changes on live network traffic before applying them. This capability helps validate planned network security changes, reduce configuration risk, and avoid unintended disruptions caused by rule updates.

Azure Front Door WebSocket

Azure Front Door Standard and Premium now support WebSocket in Generally Available (GA). WebSocket is enabled by default and requires no additional configuration on Azure Front Door. This capability enables full-duplex communication between a server and a client over a long-running connection, supporting real-time application scenarios such as live dashboards, collaboration tools, messaging platforms, and interactive web applications.

Azure Virtual Network Manager integration with Virtual WAN (preview)

Azure Virtual Network Manager integration with Azure Virtual WAN is now available in Public Preview, enabling customers to use an Azure Virtual WAN hub as the hub in Azure Virtual Network Manager hub-and-spoke connectivity configurations. This integration combines Azure Virtual Network Manager’s at-scale network management capabilities with Virtual WAN’s managed routing, security, and hybrid connectivity. With this capability, organizations can automatically connect hundreds of spoke virtual networks to a Virtual WAN hub using network groups and connectivity configurations, reducing the need to manually create and manage individual Virtual WAN virtual network connections. Customers can also apply consistent routing configuration through Virtual WAN connection policies, use dynamic group membership to onboard new spokes automatically, and optionally enable direct connectivity mesh between spokes for low-latency east-west traffic while preserving existing Virtual WAN routing intent, firewall integration, and on-premises connectivity.

Virtual network flow logs connector with Microsoft Sentinel

The Virtual Network flow logs connector with Microsoft Sentinel is now Generally Available (GA). This integration enables customers to export and analyze Azure virtual network traffic data directly within Microsoft Sentinel, bringing network-level visibility into security operations workflows. By ingesting virtual network flow logs into Sentinel, security teams can correlate traffic insights with other security signals, improve investigation capabilities, and strengthen detection and response scenarios across Azure network environments.

Storage

Entra-only identities with Azure Files

Azure Files now generally supports Microsoft Entra-only identities for SMB access, enabling organizations to access file shares using cloud-native identities without requiring Active Directory or hybrid identity infrastructure. With Microsoft Entra ID as the authentication authority, users can access Azure Files through Kerberos-based authentication backed entirely by cloud identities, eliminating dependency on domain controllers and simplifying storage and identity architecture. This capability includes cloud-native authentication with Entra ID, granular NTFS Access Control List (ACL) configuration for Entra users and groups through the Azure portal, share-level Role-Based Access Control (RBAC), identity-based access over the internet without Virtual Private Network (VPN) dependencies, and support for modern scenarios such as Azure Virtual Desktop, general-purpose file sharing, and distributed collaboration.

Azure NetApp Files Object REST API

The Object REST API for Azure NetApp Files is now Generally Available (GA), providing an S3-compatible REST API that bridges traditional file-based storage with modern cloud services. This capability allows customers to integrate Azure NetApp Files data with services such as Microsoft Fabric, Azure AI services, and other Azure offerings without moving or replicating data. By enabling native S3-compatible read and write access, modern applications can interact directly with data stored in Azure NetApp Files, unlocking scenarios such as advanced analytics, machine learning, and real-time business intelligence. The feature helps organizations accelerate innovation while keeping data in place, reducing duplication, and maintaining the security controls provided by Azure NetApp Files.

Azure Storage Mover Blob-to-Blob migration

Azure Storage Mover now generally supports Blob container-to-Blob container data transfers, enabling customers to move data across Azure regions, subscriptions, and storage accounts through a fully managed migration experience. This capability provides agentless transfers with no infrastructure deployment required, supports large-scale parallel data movement optimized for high-throughput migrations, and includes integrated job management with progress tracking, resumability, and reliability controls. It also supports both flat namespace (FNS) and hierarchical namespace (HNS) accounts, making it suitable for enterprise-grade migrations involving large object counts, deep directory structures, and multi-GB/s transfer scenarios depending on workload and regional topology.

Schedule one-time or recurring migrations with Azure Storage Mover

Azure Storage Mover now supports built-in job scheduling, giving customers more control over when migrations run and making it easier to automate repeatable data transfers into Azure. Customers can configure jobs to start automatically at a specific date and time or schedule recurring runs to keep target storage synchronized with data from on-premises environments. In the Azure portal, schedules can be configured as no schedule, one-time, or recurring, with recurring options available for daily, weekly, and monthly frequencies. Scheduling helps reduce manual intervention and improve operational consistency for scenarios such as off-hours data movement, staged cutovers, and incremental synchronizations before final migration.

Azure NetApp Files cache volumes

Azure NetApp Files cache volumes are now Generally Available (GA). Cache volumes provide cloud-based caches of external origin volumes and contain only the most actively accessed data, bringing data and files closer to users for faster throughput with a smaller storage footprint. This capability simplifies file distribution, reduces Wide Area Network (WAN) latency, and can lower WAN or ExpressRoute bandwidth costs, making it useful for distributed environments and workloads that require faster access to frequently used data.

Mock runs for Azure Storage Actions

Azure Storage Actions now supports mock runs in Generally Available (GA), allowing customers to simulate task execution at full scale without modifying production data. Azure Storage Actions is a fully managed platform for automating data management tasks across Azure Blob Storage and Azure Data Lake Storage. With mock runs, organizations can validate task configurations, estimate the impact of planned actions, and identify potential issues before applying changes to production storage data.

Azure Local

Features and improvements in 2605

Microsoft has released the May 2026 update for hyperconverged deployments of Azure Local, identified as version 12.2605.1003.210. This release includes general reliability improvements and bug fixes, together with updates to the underlying operating system and runtime components. In the 2605 release, all new and existing Azure Local deployments run the updated OS version 26100.32860, available for download from the Azure portal, and customers must ensure that they use a driver compatible with OS version 26100.32860 or Windows Server 2025. For Integrated System or Premier solution hardware from the Azure Local Catalog, the OS remains preinstalled, and Microsoft recommends working with the Original Equipment Manufacturer (OEM) to obtain a compatible OS image and driver. This build also uses .NET 8.0.27 and .NET 10.0.8 for both .NET Runtime and ASP.NET Core. In addition, Azure Local now supports monitoring GPU metrics for GPUs configured using GPU Partitioning (GPU-P), improving visibility into GPU resource usage and supporting better operational monitoring for GPU-accelerated workloads on Azure Local.

Conclusion

Azure IaaS and Azure Local: announcements and updates (May 2026 – Weeks: 19 and 20)

Azure

General

Azure Resource Manager MCP Server (preview)

Microsoft has announced the Public Preview of the Azure Resource Manager Model Context Protocol (MCP) Server, a remote MCP server that enables Artificial Intelligence (AI) agents to interact with Azure infrastructure operations through Azure Resource Manager (ARM). This capability gives AI agents first-class access to tools for generating, validating, and executing Azure Resource Graph (ARG) queries, as well as deploying and managing ARM template deployments. With this preview, users can ask natural-language questions about their Azure environment and receive real-time answers backed by generated ARG queries, without manually writing Kusto Query Language (KQL). For example, an AI agent can generate a query to identify virtual machines without managed disks across Azure resource types. The server also supports ARM template deployment workflows, allowing agents to start deployments at resource group scope, monitor deployment status, detect issues, and cancel deployments when needed. Microsoft positions this capability as a foundation for building more advanced AI agents that can understand, query, and operate across Azure environments.

Compute

Azure Dl/D/E v7 Virtual Machines

Azure Dl/D/E v7 Virtual Machines are now Generally Available (GA), powered by the latest Intel® Xeon® 6 processors (Granite Rapids). These new general-purpose and memory-optimized VM families are designed for business-critical and performance-sensitive enterprise workloads, offering improved performance, scalability, and configuration flexibility compared with previous-generation v6 VMs. Microsoft reports up to 20% better general compute performance, larger VM sizes and memory capacities, and significant improvements in networking and storage performance. The families provide three memory-to-vCPU configurations: Dlsv7 with 2 GiB per vCPU, Dsv7 with 4 GiB per vCPU, and Esv7 with 8 GiB per vCPU, with optional local NVMe temporary disks available for scenarios that benefit from low-latency local storage. The new VM series is generally available in Central US, with additional regions expected to follow; sizes up to 192 vCPUs are generally available, while 248 and 372 vCPU sizes are expected to become generally available soon.

Networking

Azure Virtual Network Manager rule impact analyzer

Azure Virtual Network Manager rule impact analyzer is now Generally Available (GA), enabling customers to simulate the impact of security admin rules before deploying them into a production network environment. This capability helps network teams understand the potential effects of rule changes in advance, reducing the risk of misconfiguration, unintended connectivity disruption, and operational impact when applying new or updated network security policies.

Application Gateway for Containers managed add-on with AKS Automatic (preview)

Application Gateway for Containers can now be used with AKS Automatic through the Application Gateway for Containers AKS Add-on in Public Preview. This update removes a previous limitation that prevented Application Gateway for Containers from being provisioned into AKS Automatic clusters. Customers using AKS Automatic can now deploy Application Gateway for Containers by enabling the AKS Add-on, allowing ingress and load balancing to be managed and integrated as part of the AKS Automatic experience. This reduces the need to manually provision or manage supporting infrastructure, aligns with the simplified operational model of AKS Automatic, and enables Azure-native, Gateway API-based application delivery for AKS Automatic workloads.

Storage

Support for workloads with large files in Azure NetApp Files

Azure NetApp Files now generally supports file sizes of up to 64 TiB for regular volumes, enabling migration and operation of enterprise workloads that rely on very large files. This enhancement is especially relevant for scenarios such as Azure VMware Solution (AVS) virtual machines with large Virtual Machine Disk (VMDK) files, where customers previously may have needed to split or restructure data before migration. With this update, organizations can run large-file workloads on Azure NetApp Files more easily while preserving the original data layout.

Managed Identity support for Azure Files SMB

Azure Files now generally supports Managed Identities for SMB access, enabling applications and services to authenticate without storing static credentials, account keys, or passwords. This capability aligns with Zero Trust principles by allowing workloads to use Microsoft Entra-issued tokens instead of shared secrets, improving security for applications and virtual machines that need access to Azure Files. The generally available release also includes support for Azure Kubernetes Service (AKS) workload identity and enables application identities and end-user identity access to coexist on the same storage account.

Azure Elastic SAN support for AVS Gen2 Private Cloud

Azure Elastic SAN support for Azure VMware Solution (AVS) Gen2 Private Cloud is now Generally Available (GA), providing simpler connectivity and improved performance for AVS datastore scenarios. With Elastic SAN datastores, customers no longer need an ExpressRoute gateway, and a single Private Endpoint is sufficient to configure the optimal number of iSCSI sessions. This architecture also removes throughput limits imposed by ExpressRoute gateway bandwidth, allowing AVS workloads to consume the full provisioned Elastic SAN throughput. The result is a simpler deployment model and higher-performance storage option for throughput-intensive Azure VMware Solution environments.

Single Volume Snapshots on Azure Elastic SAN

Azure Elastic SAN now supports single volume snapshots in Generally Available (GA), enabling incremental, point-in-time backups of individual SAN volumes. These snapshots capture only changes since the previous snapshot and are stored within the Elastic SAN, allowing customers to quickly create new volumes from snapshot data. Snapshot storage consumes provisioned SAN capacity rather than separate snapshot billing, and snapshot redundancy automatically follows the redundancy configuration of the parent Elastic SAN. For longer-term retention beyond the lifecycle of the source volume, snapshots can also be exported to managed disk snapshots.

AVS support for AV64 SKU on Azure Elastic SAN

Azure Elastic SAN datastores now support the AV64 SKU for Azure VMware Solution (AVS), enabling larger-scale and higher-performance storage configurations for AVS deployments. This enhancement expands the set of AVS scenarios that can use Elastic SAN as a datastore option, helping customers address workloads that require higher throughput, larger scale, and more flexible storage performance for VMware environments running on Azure.

Conclusion

Azure IaaS and Azure Local: announcements and updates (May 2026 – Weeks: 17 and 18)

Azure

Networking

Microsoft HTTP DDoS Ruleset for Azure WAF on Azure Front Door Premium (preview)

The Microsoft HTTP DDoS Ruleset for Azure Web Application Firewall (WAF) on Azure Front Door Premium is now available in Public Preview. This ruleset introduces automated and adaptive Layer 7 protection against HTTP-layer Distributed Denial of Service (DDoS) attacks, which remain a common cause of application downtime. Once assigned to an Azure Front Door profile, the ruleset continuously learns normal traffic patterns at both the profile and per-client level, then uses dynamic thresholds and sensitivity settings to detect attack surges and selectively block offending clients with minimal manual tuning. The ruleset includes two core protections: one targeting high-rate client anomalies and another focused on suspected bots, using Microsoft Threat Intelligence to improve detection and mitigation.

Cross-region IPAM pool association in Azure Virtual Network Manager

Cross-region IP Address Management (IPAM) pool association in Azure Virtual Network Manager is now Generally Available (GA). This capability allows customers to associate a single IPAM pool with virtual networks across multiple Azure regions, helping centralize address planning and reduce configuration complexity in global environments. Instead of creating and maintaining separate pools for each region, organizations can use one multi-region IPAM pool to apply consistent Classless Inter-Domain Routing (CIDR) allocation policies across regions, while still defining regional restrictions when needed. Existing single-region IPAM pools continue to work without required changes, preserving backward compatibility while enabling stronger governance and lower operational overhead for large-scale Azure deployments.

Storage

Azure NetApp Files advanced ransomware protection

Azure NetApp Files advanced ransomware protection (ANF ARP) is now Generally Available (GA) in all Azure NetApp Files regions. This capability is designed to help organizations proactively detect, respond to, and recover from ransomware threats affecting cloud volumes. ANF ARP monitors Azure NetApp Files volumes for suspicious activity by analyzing signals such as file extension profiling, entropy, and Input/Output Operations Per Second (IOPS) patterns. When a potential threat is detected, the system creates a point-in-time snapshot to support rapid evaluation and recovery. Notifications are sent through the Azure Activity Log, and attack reports are retained for 30 days. Microsoft notes that there is no specific additional charge for ANF ARP, although customers should review sizing considerations before enabling the feature.

Elastic SAN CRC Protection

Azure Elastic SAN now generally supports CRC-32C checksum verification, enabling stronger data integrity validation when the feature is enabled on the client side for connections to Elastic SAN volumes. Azure Elastic SAN also allows this protection to be enforced through a property configured at the volume group level, with all volumes in that group inheriting the setting. When enabled, Elastic SAN rejects any client connection to volumes in that group if CRC-32C is not configured for header or data digests on the connection. When the property is disabled, checksum verification still depends on whether CRC-32C is enabled on the client, but Elastic SAN does not reject connections. This feature can be enabled either when creating a new Elastic SAN or on an existing deployment.

Capacity Autoscaling for Elastic SAN

Capacity Autoscaling for Elastic SAN is now Generally Available (GA), allowing customers to automatically expand SAN capacity based on actual usage instead of relying on manual provisioning or static overprovisioning strategies. With autoscaling policies, organizations can define scaling increments to improve predictability and maintain greater control over costs as capacity grows. This capability is particularly valuable in scenarios involving rapid business growth or unexpected usage spikes, where storage demand can increase quickly and manual capacity management may become operationally inefficient.

Connect to Azure Elastic SAN from Windows VM via VM Extension

Azure Elastic SAN now supports volume connectivity for Windows Virtual Machines (VMs) using the Elastic SAN VM extension directly from the Azure portal. This capability allows customers to connect Elastic SAN volumes during VM deployment, simplifying the configuration process and reducing the need for manual post-deployment setup. By integrating Elastic SAN connectivity into the deployment workflow, Microsoft makes it easier to adopt Elastic SAN for workloads that require scalable block storage attached to Windows virtual machines.

Azure Local

Azure Local 2604 expands to sovereign-scale and disaggregated infrastructure

With the 2604 release, Azure Local introduces a major platform evolution for sovereign private cloud, edge, and enterprise-scale infrastructure scenarios. Identified as version 12.2604.1003.209, the April 2026 update brings general reliability improvements and bug fixes, together with significant enhancements across deployment architecture, storage integration, identity, update control, performance, virtualization, GPU acceleration, and portal management experiences.

The most significant infrastructure enhancement is the General Availability (GA) of disaggregated Azure Local deployments with Storage Area Network (SAN) storage. This enables compute and storage to be deployed and scaled independently, extending Azure Local beyond single-node and traditional hyperconverged architectures while preserving an Azure-consistent management and operational experience. Customers can adopt SAN-only or hybrid architectures, attach external SAN devices via Fibre Channel (FC), and reuse existing enterprise storage investments without replacing their storage estates. iSCSI support is planned for a future release. This architecture allows Azure Local clusters to scale from single-node edge deployments to multi-rack environments beyond 16 nodes, addressing sovereign private cloud, government, defense, regulated industries, and other large-scale infrastructure scenarios. It also supports workloads with massive storage requirements, including virtual machines, Kubernetes environments, and Azure Virtual Desktop. Azure Local can now coexist with both Storage Spaces Direct volumes and external SAN volumes, with ecosystem support from partners such as DataON, Dell Technologies, Everpure, HPE, Hitachi Vantara, Lenovo, and NetApp.

From version 2604 onward, all new and existing Azure Local deployments run the updated OS version 26100.32690, available from the Azure portal. Customers must use drivers compatible with OS version 26100.32690 or Windows Server 2025. For Integrated System or Premier solution hardware from the Azure Local Catalog, the OS remains preinstalled, and Microsoft recommends working with the Original Equipment Manufacturer (OEM) to obtain compatible OS images and drivers. This build also uses .NET 8.0.26 and .NET 10.0.6 for both .NET Runtime and ASP.NET Core.

For Azure Kubernetes Service (AKS) enabled by Azure Arc, Azure Local 2604 continues to support Kubernetes versions 1.31.12, 1.31.13, 1.32.8, 1.32.9, 1.33.4, and 1.33.5, while Kubernetes 1.30 is no longer supported. Microsoft also notes that Key Management Service (KMS) v1 will be deprecated soon and that KMS v2 is included in this Azure Local release. Customers should therefore plan cluster redeployment using KMS v2 and ensure AKS clusters are running a supported Kubernetes version before upgrading Azure Local.

Another important enhancement is the General Availability of Local Identity with Azure Key Vault, which allows Azure Local to be provisioned without infrastructure dependencies on Microsoft Active Directory. This simplifies deployments in disconnected, air-gapped, edge, and regulated environments by reducing the need for additional domain controller infrastructure and complex firewall configurations. The release also adds support for domain join prior to deployment and introduces new controls to manage how updates are applied to Azure Local.

Deployment and lifecycle operations have been optimized as well. Validation time is reduced by up to 50%, validation can resume from the point of failure within a three-hour window, and deployment duration is now more consistent for clusters of up to eight nodes, with an overall deployment time reduction of up to 40%. These improvements help accelerate both initial deployment and ongoing update workflows.

On the resiliency and virtualization side, rack-aware clustering now supports deployments that use Local Identity with Azure Key Vault, combining simplified identity requirements with the high availability needed in industries such as manufacturing, energy, and other distributed environments. GPU acceleration for Azure Local virtual machines is now Generally Available, enabling administrators to attach or detach full Graphics Processing Units (GPUs) through Discrete Device Assignment (DDA) or GPU partitions (GPU-P) during VM creation or as a Day-2 operation through the Azure CLI or Azure portal. VM restart operations have also been improved with graceful restart by default, meaning Azure Local VM restart operations now perform a graceful shutdown unless explicitly bypassed.

The Azure portal experience has also been enhanced. Administrators can now create new data disks at the cluster level with a richer disk overview experience, benefit from usability improvements across disk management workflows, and attach existing disks directly from the Azure Local VM view. Azure Marketplace image navigation has been improved by moving image selection to a full-page experience when creating a new VM image. Finally, Azure Local now supports enabling or disabling Software Defined Networking (SDN) management per network interface, giving administrators more granular control over network interface behavior.

Microsoft also notes that pricing for multi-rack and sovereign-scale deployments is being introduced as part of this release. Customers interested in large-scale or sovereign Azure Local scenarios should work with their Microsoft account team to understand pricing, configuration options, and early access programs.

Conclusion

Azure IaaS and Azure Local: announcements and updates (April 2026 – Weeks: 15 and 16)

Azure

General

Microsoft named a Leader in The Forrester Wave™ for Sovereign Cloud Platforms

Microsoft has been named a Leader in The Forrester Wave™: Sovereign Cloud Platforms, Q2 2026, an evaluation that assessed major sovereign cloud providers based on current offerings, strategy, and customer feedback. Microsoft presents this recognition as confirmation of its long-term commitment to helping organizations adopt cloud and Artificial Intelligence (AI) capabilities without compromising control, compliance, operational independence, or innovation. According to Microsoft, the report highlights an important reality of digital sovereignty: there is no single deployment model that fits every requirement, and organizations often combine public cloud, private cloud, and disconnected environments to balance regulation, risk, functionality, and cost. Microsoft states that its approach is based on delivering consistent sovereign controls across multiple environments rather than relying on a single isolated sovereign cloud model. The company also emphasizes that Microsoft Sovereign Cloud brings together public cloud controls such as data residency and access protections, private cloud and hybrid deployments enabled by Azure Local and Azure Arc, and partner-operated national clouds. Microsoft further notes that Forrester recognized its ability to extend sovereignty across cloud, AI, productivity, and security services, while maintaining consistency in management, governance, and deployment models across connected and disconnected environments.

Microsoft Azure now available from new cloud region in Denmark

Microsoft has announced the opening of a new Azure cloud region in Denmark, further expanding its global infrastructure footprint to support digital transformation and Artificial Intelligence (AI) innovation. The new Denmark East region provides Danish customers with local and secure cloud infrastructure, helping address requirements for data residency, low latency, and in-country cloud adoption.

Compute

Ephemeral OS Disk with full caching for VM and VMSS (preview)

Ephemeral OS Disk with full caching is now available in Public Preview for Azure Virtual Machines (VMs) and Virtual Machine Scale Sets (VMSS), delivering faster and more reliable operating system disk performance for supported workloads. This capability works by caching the entire OS disk image on local VM storage—including cache disk, resource disk, or NVMe disk—resulting in improved input/output (I/O) performance, consistently low latency, and greater resilience during remote storage disruptions. Microsoft highlights that this feature is especially well suited for I/O-sensitive stateless workloads, such as Artificial Intelligence (AI) scenarios, quorum-based databases, data analytics, real-time processing systems, and large-scale stateless services on general-purpose VM families. During the preview, the feature is available for most general-purpose VM SKUs, excluding 2-vCPU and 4-vCPU virtual machines, across a broad set of 29 Azure regions.

Networking

Rule impact analysis on Azure Network Watcher (preview)

Rule impact analysis in Azure Network Watcher is now available in Public Preview, enabling customers to preview the impact of security admin rules before applying them to their environments. This capability helps administrators better understand the potential effects of rule changes in advance, reducing the risk of unintended connectivity issues and improving change validation for network security configurations.

Unlock client-side configuration at scale with Azure App Configuration and Azure Front Door (preview)

Azure App Configuration now integrates with Azure Front Door in Public Preview, allowing customers to deliver dynamic configuration securely to client-side applications at Content Delivery Network (CDN) scale. This capability gives modern applications greater flexibility by enabling client-side configuration updates at global scale, while benefiting from Azure Front Door’s distribution and edge delivery capabilities.

StandardV2 NAT Gateway as an outbound type for AKS (preview)

Azure Kubernetes Service (AKS) now supports managed and user-assigned StandardV2 NAT Gateway as an outbound type for both AKS-managed and bring-your-own virtual networks (BYO VNets) in Public Preview. This update provides additional flexibility for outbound connectivity design in AKS, enabling customers to take advantage of the newer StandardV2 NAT Gateway option when planning egress architecture for Kubernetes workloads.

Storage

Granular encryption-in-transit controls for SMB and NFS on Azure Files

Azure Files now supports independent configuration of encryption-in-transit settings for SMB and NFS protocols at the storage account level. This capability allows customers to define protocol-specific security policies and apply more precise control over encryption requirements for each protocol without compromise. Microsoft positions this enhancement as especially useful for mixed-protocol workloads, where SMB and NFS may require different security configurations while still sharing the same storage environment.

Azure Storage Mover now available in Azure Government (US)

Azure Storage Mover is now available in Azure Government (US), enabling U.S. government customers and partners to securely migrate large-scale file data into Azure Government cloud environments by using a fully managed migration service. This availability expands Storage Mover’s reach to government scenarios that require stronger compliance and sovereign cloud alignment, while helping organizations simplify large-scale file migrations without relying on self-managed tooling.

Azure Data Box now supports Azure Files Provisioned v2

Azure Data Box now supports data ingestion into Azure Files Provisioned v2 storage accounts. This enhancement extends Azure Data Box compatibility to the newer billing and provisioning model for Azure Files, helping customers move data into Provisioned v2 environments as part of migration and large-scale data transfer scenarios.

Azure File Sync now available in Belgium Central, Malaysia West, and Indonesia Central

Azure File Sync is now available in Belgium Central, Malaysia West, and Indonesia Central, extending the service to additional regions and bringing it closer to organizations with hybrid file storage requirements. Azure File Sync enables seamless tiering of data from on-premises Windows Servers to Azure Files, supporting both hybrid use cases and simplified migration scenarios. With this regional expansion, customers can benefit from lower latency, improved performance, and support for local data residency requirements, while continuing to use the performance, flexibility, and compatibility of their on-premises file servers together with the scale and cost efficiency of Azure Files.

Encrypt Premium SSD v2 and Ultra Disks with cross-tenant customer-managed keys

Cross-tenant customer-managed keys (CMK) for Premium SSD v2 and Ultra Disks are now Generally Available (GA). This capability allows managed disks to be encrypted with a customer-managed key stored in an Azure Key Vault located in a different Microsoft Entra tenant from the disk resource itself. The feature is designed for scenarios where resource ownership and key ownership are intentionally separated across tenants, such as in multi-tenant or service provider environments, helping organizations enforce stronger separation of duties and more flexible encryption governance models.

Minimum billable object size for cooler storage tiers

Microsoft has announced a minimum billable object size for cooler storage tiers in storage accounts that use Azure Blob Storage or Azure Data Lake Storage (ADLS) Gen2. This update affects how objects stored in cooler tiers are billed, introducing a minimum billable size threshold for stored objects. Based on the available information, Microsoft has announced the change, but no additional publicly indexed details were available in the provided sources regarding the full scope or implementation specifics.

Smart Tier for Azure Blob and Data Lake Storage

Smart Tier for Azure Blob Storage and Azure Data Lake Storage (ADLS) is now Generally Available (GA) in nearly all zonal public cloud regions, with Israel Central, Qatar Central, and UAE North excluded from this announcement. Smart Tier is a fully managed and automated data tiering capability for object storage standard online tiers, designed to reduce the need for manual tier placement decisions. By automating data placement across supported tiers, Smart Tier helps customers simplify storage management and optimize data lifecycle handling for object storage workloads.

Azure Data Box enhances compliance with automatic Secure Erasure Certificates

Azure Data Box now automatically generates a downloadable Secure Erasure Certificate for every completed order, improving compliance and auditability for data transfer workflows. This enhancement provides customers with a more consistent way to document secure data removal after transfer operations, which can be especially useful for governance, regulatory, and audit requirements.

Azure Files assessments now available using Azure Migrate (preview)

Azure Migrate now supports Azure Files assessments in Public Preview, allowing customers and partners to more effectively plan migrations of on-premises SMB and NFS shares. With this capability, organizations can discover and review existing on-premises file shares, then group, tag, and assess them to support migration planning and improve visibility into file-based modernization scenarios.

User and group quota reports in Azure NetApp Files (preview)

User and group quota reports in Azure NetApp Files are now Generally Available (GA). This capability provides organizations using individual user and group quotas on NFS, SMB, and dual-protocol volumes with improved visibility into quota consumption by exposing key metrics such as quota limits, used capacity, and percentage utilization for each targeted user or group defined in a quota rule. With this reporting functionality, administrators can more easily monitor capacity usage, identify potential imbalances, and manage storage allocation more effectively across Azure NetApp Files environments.

Azure NetApp Files storage with cool access enhancement (preview)

Azure NetApp Files is introducing a storage with cool access enhancement in Public Preview for the Premium and Ultra service levels. This enhancement more precisely aligns throughput with data tiering by dynamically calculating maximum throughput based on the amount of data tiered to cool access storage, rather than applying a fixed reduction. With this model, hot data retains its configured performance, while throughput adjustments occur only for the data that has been moved to the cool tier, enabling more efficient performance management for tiered storage scenarios.

Azure Local

Foundry Local on Azure Local single-node deployments (preview)

Microsoft has announced the Public Preview of Foundry Local support for single-node Azure Local deployments, extending its edge Artificial Intelligence (AI) capabilities to industrial, manufacturing, and sovereign scenarios where inference must run locally without relying on cloud connectivity or multi-node clusters. Delivered both as a Kubernetes-native service and as an Azure Arc-enabled extension, this preview allows organizations to deploy, manage, and run advanced AI models directly on local infrastructure, such as servers on the factory floor, in remote plants, or in highly regulated and disconnected environments. Foundry Local provides REST and OpenAI-compatible APIs, enabling teams to use familiar cloud-aligned patterns for local AI workloads, while supporting built-in generative models from the Foundry Local catalog, custom predictive models such as Open Neural Network Exchange (ONNX) models from Open Container Initiative (OCI) registries, and multi-model orchestration for agent-style applications a single Kubernetes cluster. On Azure Local single-node systems, Foundry Local runs on Azure Kubernetes Service (AKS) enabled by Azure Arc, with Graphics Processing Unit (GPU) access enabled through the NVIDIA device plugin, providing a validated and supported edge AI foundation. Microsoft also offers two deployment paths: an Azure Arc-enabled Kubernetes extension for simplified lifecycle management through the Azure portal, and a Helm chart-based installation option for teams that require more granular control over deployment configuration, GPU allocation, storage, and GitOps workflows.

Conclusion

Azure IaaS and Azure Local: announcements and updates (April 2026 – Weeks: 13 and 14)

Azure

General

Availability of Microsoft Azure and related services

Microsoft has announced several generally available updates related to the expansion of Azure infrastructure and storage services. First, Microsoft has opened its new cloud region in Denmark, Denmark East, to support digital transformation and AI innovation for customers in the country. This new region provides local, secure cloud infrastructure with support for data residency, low-latency access, and access to advanced cloud and AI services. In addition, Azure Premium SSD v2 is now available in US Gov Arizona, a region without Availability Zones, extending access to this next-generation general-purpose block storage option for Azure virtual machines in government environments. Azure Premium SSD v2 offers sub-millisecond latency and strong price-performance characteristics for IO-intensive workloads such as SQL Server, Oracle, MariaDB, SAP, Cassandra, MongoDB, big data and analytics platforms, and gaming workloads running on virtual machines or stateful containers. Azure Premium SSD v2 is also now available in South India, further expanding regional access to this storage option for enterprise production workloads that require high performance and cost efficiency.

Compute

Ephemeral OS Disk with full caching for VM/VMSS (preview)

Ephemeral OS Disk with full caching is now available in public preview for Azure Virtual Machines and Virtual Machine Scale Sets, delivering significantly faster and more reliable OS disk performance for supported workloads. This capability works by caching the entire OS disk image on local VM storage, including cache disk, resource disk, or NVMe disk, which results in improved I/O performance, consistently low latency, and greater resilience in scenarios involving remote storage disruptions. The feature is especially beneficial for stateless and I/O-sensitive workloads such as AI applications, quorum-based databases, data analytics platforms, and large-scale stateless services running on General Purpose VM families. It is currently available on most General Purpose VM SKUs, excluding 2-core and 4-core virtual machines, in Central US. Customers can enable it by setting the

enableFullCaching

flag to

true

for Ephemeral OS disks in ARM templates or REST API definitions when creating new virtual machines or virtual machine scale sets.

Networking

Unlock client-side configuration at scale with Azure App Configuration and Azure Front Door (preview)

Azure App Configuration, integrated with Azure Front Door, is now available in public preview and enables organizations to deliver dynamic configuration directly to client-side applications securely and at CDN scale. This new capability brings greater flexibility to modern application architectures and is particularly relevant for AI-powered and agentic client applications. It supports a wide range of client experiences, including Single Page Applications built with frameworks such as React, Vue, Angular, and Next.js, as well as mobile and desktop applications developed with .NET MAUI, browser-based JavaScript components, embedded widgets, and other web applications capable of running JavaScript. With this integration, customers can centrally manage feature flags and configuration settings and propagate updates to browsers and mobile apps in real time without redeploying applications. Azure Front Door provides low-latency delivery for large global audiences, while the design ensures that secrets are not exposed to clients, as only scoped configuration values are delivered through managed identity. This built-in approach also simplifies application architecture by removing the need for custom proxy layers.

Storage

Azure Data Box enhancements

Azure Data Box now includes two generally available enhancements designed to improve compliance, transparency, and data transfer flexibility. First, Azure Data Box automatically generates a downloadable Secure Erasure Certificate for every completed order, verifying that all data on the device has been securely erased in accordance with NIST 800-88 Revision 2 standards. The certificate is produced as part of the standard cleanup process and is available directly through the Azure portal, reducing audit complexity, eliminating the need for manual validation, and simplifying compliance requirements for organizations working with sensitive data, including those in government, law enforcement, and financial services. In addition, Azure Data Box now supports data ingestion into Azure Files Provisioned v2 storage accounts. This allows customers to transfer data directly into a storage model where capacity, IOPS, and throughput are provisioned independently, offering greater flexibility and cost control for file share workloads across most public Azure regions.

Azure NetApp Files storage with cool access enhancement (preview)

The cool access enhancement for Azure NetApp Files storage is now in public preview and introduces an updated Quality of Service (QoS) behavior for Premium and Ultra service levels. This enhancement improves the way Azure NetApp Files balances performance and cost for environments that combine hot and cool data workloads. As data moves to cool storage, throughput is automatically adjusted to preserve hot-tier performance while still allowing customers to take advantage of cool access at scale. The capability continuously optimizes pool and volume throughput according to changing cool access patterns, delivering a more seamless operational experience and reducing the need for manual tuning. As a result, organizations can better align storage performance with workload demand while improving cost efficiency for mixed-use datasets.

Conclusion

Azure IaaS and Azure Local: announcements and updates (March 2026 – Weeks: 11 and 12)

Azure

Compute

Retirement: Azure VMware Solution AV36P and AV52 node retirement on June 30, 2029

Microsoft has announced the retirement of Azure VMware Solution (AVS) AV36P and AV52 nodes effective June 30, 2029. The company stated that existing Reserved Instance (RI) terms for AV36P and AV52 are not affected by this announcement, but customers should review their RI expiration timelines and plan the transition to newer AVS node types. To support this migration, Microsoft will offer AV36P and AV52 VMware Cloud Foundation (VCF) Bring Your Own License (BYOL) 3-year Reserved Instances until June 30, 2026, and 1-year Reserved Instances until June 30, 2028. All migrations away from AV36P and AV52—including Pay-As-You-Go subscriptions—must be completed by June 30, 2029. Microsoft also clarified that this change affects only AV36P and AV52 nodes, while AV48 and AV64 remain available with AVS VCF BYOL options. Customers are advised to move to a supported AVS node type before the end of their current AV36P or AV52 RI term and to use available AVS documentation and HCX migration guidance to plan the transition.

Networking

Default Rule Set 2.2 and updates to ruleset support policy

Microsoft is updating the managed ruleset support policy for Azure Web Application Firewall (WAF) following the general availability of Default Rule Set (DRS) 2.2 on Azure Application Gateway and Azure Front Door. Starting with DRS 2.2, Azure WAF will support the latest three managed ruleset versions at any given time (N, N-1, and N-2). When a new ruleset version is released, the version that becomes N-3 will enter a final one-year support period, during which it may receive only critical security updates if necessary. With the release of DRS 2.2, CRS 3.1 and CRS 3.0 in Azure Application Gateway, as well as DRS 1.2, DRS 1.1, and DRS 1.0 in Azure Front Door, have entered their final support year, which ends on February 26, 2027. Microsoft recommends that customers upgrade to a supported ruleset version to continue receiving full protection coverage, enhanced detections, and improvements aimed at reducing false positives.

Storage

Azure Storage Mover enables private data transfers from AWS S3 to Azure Blob (preview)

Azure Storage Mover now supports direct, private data transfers from Amazon Web Services (AWS) Simple Storage Service (S3) in a Virtual Private Cloud (VPC) to Azure Blob Storage in Public Preview. This capability enables organizations to migrate data securely without relying on manual pipelines or third-party tools, while also supporting automation through the Azure portal and providing real-time monitoring of migration jobs. Following the earlier general availability announcement for AWS-to-Azure transfers over public networks, this update extends Azure Storage Mover with private networking support to address stricter security and compliance requirements. Microsoft highlights automated and scalable workflows through centralized job orchestration and dashboards, secure and compliant transfers aligned with Azure governance frameworks, and faster modernization by making data available in Azure for analytics, AI, and other cloud innovation scenarios as soon as it arrives.

Entra ID-based access for Azure Blob Storage SFTP (preview)

Microsoft Entra ID-based access for Azure Blob Storage SFTP is now available in Public Preview, enabling users to connect securely to Azure Blob Storage over Secure File Transfer Protocol (SFTP) by using Microsoft Entra identities instead of creating and managing local user accounts. This capability also supports guest users through Entra External Identities, allowing organizations to collaborate more securely with partners and vendors. The new model introduces Single Sign-On (SSO) and Multi-Factor Authentication (MFA) support, enables the use of Conditional Access policies based on context such as location, device compliance, and risk, and aligns SFTP access with existing identity lifecycle processes so permissions can be updated or revoked automatically when users change roles or leave the organization. In addition, SFTP authorization integrates natively with Azure Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Access Control Lists (ACLs), ensuring consistent permissions across SFTP, REST APIs, Azure CLI, and other Azure access methods.

Azure Local

Azure Local: Features and improvements in 2603

Microsoft has released the March 2026 update for hyperconverged deployments of Azure Local, identified as version 12.2603.1002.15. This release includes general reliability improvements and bug fixes, while also introducing updates across the operating system, Kubernetes support, GPU enablement, security readiness, and provisioning workflows. From 2603 onward, all new and existing Azure Local deployments run the updated OS version 26100.32522, available from the Azure portal, and customers must ensure they use a driver compatible with OS version 26100.32522 or Windows Server 2025. For Integrated System or Premier solution hardware purchased through the Azure Local Catalog, the OS remains preinstalled, and Microsoft recommends working with the Original Equipment Manufacturer (OEM) to obtain compatible OS images and drivers. The build also updates both .NET Runtime and ASP.NET Core to version 8.0.25.

For Azure Kubernetes Service (AKS) enabled by Azure Arc, this release supports Kubernetes versions 1.31.12, 1.31.13, 1.32.8, 1.32.9, 1.33.4, and 1.33.5, while Kubernetes 1.30 is no longer supported. Microsoft also notes that KMS v1 will be deprecated soon and that KMS v2 is included in this Azure Local release, so customers should plan to redeploy clusters by using KMS v2. In addition, support for the Windows Server 2019 SKU for node pools ends in March 2026, and administrators should verify that AKS clusters are on a supported Kubernetes version before upgrading Azure Local.

This release also introduces support for the NVIDIA RTX PRO 6000 Blackwell Server Edition GPU on Azure Local VMs and on AKS enabled by Azure Arc, enabling GPU-accelerated workloads on Azure Local with this new NVIDIA platform. On the security side, Microsoft has improved Secure Boot certificate readiness by adding built-in orchestration to deploy the new Secure Boot 2023 certificates, helping customers prepare for upcoming Secure Boot changes while reducing update risk. Finally, simplified machine provisioning is now available, allowing customers to install the operating system and register Azure Local machines together through a single streamlined workflow.

Conclusion

Azure IaaS and Azure Local: announcements and updates (March 2026 – Weeks: 09 and 10)

Azure

General

Microsoft Sovereign Cloud adds governance, productivity, and support for large AI models in fully disconnected environments

Microsoft has expanded Microsoft Sovereign Cloud capabilities to help organizations meet digital sovereignty requirements while maintaining governance, productivity, and AI innovation even in fully disconnected scenarios. The update introduces a “Sovereign Private Cloud” stack that unifies Azure Local, Microsoft 365 Local, and Foundry Local across connected, intermittently connected, and air-gapped environments, enabling consistent policy enforcement and operational continuity within strict sovereign boundaries. Key additions include Azure Local disconnected operations (now available) to run and govern mission-critical infrastructure without cloud connectivity, Microsoft 365 Local disconnected (now available) to keep core productivity services—such as Exchange Server, SharePoint Server, and Skype for Business Server—running entirely inside the customer’s boundary, and Foundry Local enhancements that add modern infrastructure support and enable large, multimodal AI models to run locally on customer-owned hardware (including partner platforms such as NVIDIA) for in-boundary inferencing and APIs without external dependencies.

Compute

DCesv6, DCedsv6, ECesv6, and ECedsv6 confidential VMs

The DCesv6, DCedsv6, ECesv6, and ECedsv6 series are Azure’s next generation of confidential virtual machines (VMs), built on 5th Gen Intel® Xeon® processors with Intel® Trust Domain Extensions (Intel® TDX). Available now for production deployments, these VM families target both general-purpose scenarios (DCesv6, DCedsv6) and memory-optimized workloads (ECesv6, ECedsv6), helping organizations move highly sensitive workloads to the cloud with hardware-enforced isolation and without requiring application code changes. Microsoft positions this release as combining improved performance and scalability with confidential computing protections designed for security-critical enterprise workloads.

Networking

Draft & Deploy on Azure Firewall

Azure Firewall Policy now includes Draft & Deploy, a new capability that introduces a two-phase workflow to reduce deployment time and minimize disruption when updating firewall policies. Previously, any policy change could trigger a full deployment of both the policy and the attached firewall, often taking 2–4 minutes per update. With Draft & Deploy, users can collaboratively prepare multiple edits in a draft version cloned from the current policy without impacting the live environment, and then apply all changes in a single deployment, replacing the existing policy once the draft is finalized.

WAF Insights for Application Gateway (preview)

Application Gateway WAF Insights is now available in Public Preview, providing an interactive experience for exploring Web Application Firewall (WAF) logs and metrics directly within Azure Application Gateway. WAF Insights helps security and operations teams investigate blocked requests more quickly, analyze attack patterns, and drill into key details such as rule IDs and client IPs. With enhanced filters and visualizations, the capability is intended to improve troubleshooting efficiency, support faster identification of false positives, and streamline WAF policy tuning.

Conclusion

Azure IaaS and Azure Local: announcements and updates (February 2026 – Weeks: 07 and 08)

Azure

Compute

Encryption at host and disk encryption sets now supported in node auto-provisioning

Node auto-provisioning enabled clusters now support both Encryption at Host and Disk Encryption Sets, removing a previous limitation that prevented some security-sensitive deployments from using node auto-provisioning. With this update, customers can adopt node auto-provisioning while still meeting required encryption controls, and can also benefit from its associated improvements in compute efficiency, resiliency, and cost-management capabilities.

Networking

Azure Front Door Premium now supports Azure Private Link origins in UAE North

Azure Front Door Premium now supports Azure Private Link-enabled origins in the UAE North region, allowing customers to select UAE North as the origin region for Private Link connectivity within their Front Door Premium profiles. With Private Link-enabled origins, customers can deliver content to end users through public Azure Front Door endpoints while keeping the origin service inaccessible from the public internet, strengthening network isolation without sacrificing global edge delivery.

Storage

Instant access support for incremental snapshots of Azure Premium SSD v2 and Ultra Disk

Instant access support for incremental snapshots of Azure Premium SSD v2 (Pv2) and Ultra Disk is now Generally Available (GA), enabling customers to restore new disks immediately after snapshot creation. With this capability, newly restored disks provide high performance right away while data hydration continues in the background, accelerating backup and recovery workflows and reducing downtime for restore scenarios. Common use cases include taking instant backups before software updates and quickly reverting if needed, rapidly scaling stateful applications by cloning primary datasets (for example, adding read-only SQL Server replicas), and performing fast nightly refreshes of training or testing environments from production. Instant access for incremental snapshots is available in all public regions where Premium SSD v2 and Ultra Disk are supported.

Azure Premium SSD v2 Disk now available in Brazil Southeast and in a third Availability Zone in Malaysia West and Indonesia Central

Azure Premium SSD v2 Disk is now available in Brazil Southeast (a region without Availability Zones) and is now supported in a third Availability Zone in both Malaysia West and Indonesia Central, expanding regional and zonal options for customers running IO-intensive workloads. Premium SSD v2 is a next-generation, general-purpose block storage option for Azure virtual machines designed to deliver sub-millisecond latency and strong price-performance, and it is suited for enterprise production scenarios such as SQL Server, Oracle, MariaDB, SAP, Cassandra, MongoDB, big data/analytics, and gaming, both on virtual machines and stateful containers.

Azure Local

Features and improvements in 2602

Microsoft has released the February 2026 update for hyperconverged deployments of Azure Local, identified as version 12.2602.1002.7. This release includes general reliability improvements and bug fixes, and it also updates the underlying platform components. From 2602 onward, all new and existing Azure Local deployments run the updated OS version 26100.32370, which is available for download from the Azure portal, and customers must also ensure they have a driver compatible with OS version 26100.32370 (or Windows Server 2025). For Integrated System or Premier solution hardware purchased through the Azure Local Catalog, the OS is preinstalled, and Microsoft recommends working with the Original Equipment Manufacturer (OEM) to obtain compatible OS images and drivers. The build also updates the runtime to .NET 8.0.24 for both .NET Runtime and ASP.NET Core. In addition, the Azure portal update workflow now provides richer, more detailed information to improve the update experience. Finally, Microsoft notes that for environments running OS version 20349.xxxx (Windows Server 22H2), it is no longer possible to purchase Windows Server Subscription or Extended Security Updates (ESU).

Conclusion

Azure IaaS and Azure Local: announcements and updates (February 2026 – Weeks: 05 and 06)

Azure

Compute

AMD v6 confidential VMs (DCa/ECa v6) now available in additional regions

AMD-based confidential virtual machines in the DCa v6 and ECa v6 series are now generally available in 11 additional Azure regions: Canada Central, Canada East, Norway East, Norway West, Italy North, Germany North, France South, Australia East, West US, West US 3, and Germany West Central. This expansion builds on the initial availability announced at launch, which included Korea Central, South Africa North, Switzerland North, UAE North, UK South, and West Central US, giving customers more regional options for running confidential computing workloads backed by hardware-based memory encryption and isolation.

Azure AMD Turin Dasv7, Dalsv7, Easv7, and Fasv7-series Virtual Machines

The Azure AMD Turin-based Dasv7/Dalsv7 (general purpose), Easv7/Eadsv7 (memory optimized), and Fasv7/Falsv7/Famsv7 (compute optimized) virtual machines are now Generally Available (GA), offered both with and without local disk support. These VM families are available in Australia East, Central US, Germany West Central, Japan East, North Europe, South Central US, Southeast Asia, UK South, West Europe, West US 2, and West US 3, with the large 160 vCPU Easv7/Eadsv7 sizes available in North Europe, South Central US, West Europe, and West US 2, and additional regions planned for 2026. Compared to prior-generation v6 instances, Microsoft states these VMs provide up to 35% higher CPU performance and substantial gains for common workload types, including up to 25% for Java workloads, up to 65% for in-memory cache applications, up to 80% for crypto workloads, and up to 130% for web server workloads. The release also introduces new local-disk-enabled variants—Fadsv7, Faldsv7, and Famdsv7—to broaden configuration flexibility for performance-sensitive scenarios.

Intel-based 7th generation Dlsv7/Dsv7/Esv7 Virtual Machines (preview)

Microsoft has announced the Public Preview of new Dlsv7/Dsv7 (general purpose) and Esv7 (memory optimized) virtual machines powered by Intel® Xeon® 6 processors (Granite Rapids). These v7 Intel-based VMs are designed to meet growing datacenter compute requirements and target a broad range of workloads, including traditional enterprise applications and AI-driven scenarios. Compared to v6, Microsoft states they deliver up to 15% better general compute performance, supported by turbo frequencies up to 4.2 GHz and up to 2x higher memory bandwidth. The new series also expands scalability, with Dsv7 and Esv7 scaling up to 372 vCPUs and Esv7 offering up to 2.8 TiB of memory. Networking and remote storage performance are also increased through the latest Azure Boost capabilities, with up to 400 Gbps networking bandwidth on the largest sizes and up to 800k IOPS and 20 GBps throughput to Premium SSD v2 and Ultra Disk remote storage on the largest sizes.

Networking

Default Rule Set (DRS) 2.2 for WAF on Azure Application Gateway

Default Rule Set (DRS) 2.2 for Web Application Firewall on Azure Application Gateway is now Generally Available (GA), providing Azure-managed protections against common web vulnerabilities and exploits. DRS 2.2 includes Microsoft Threat Intelligence collection rules—authored in collaboration with Microsoft intelligence teams—to extend coverage, target emerging exploit patterns, and reduce false positives over time. This release is based on OWASP Core Rule Set 3.3.4 and introduces refinements and new protections such as detections for content types declared outside the actual Content-Type header and enhanced remote code execution (RCE) detections, while adding additional Microsoft Threat Intelligence rules that broaden coverage across SQL injection, cross-site scripting (XSS), and other application-layer attack patterns. To help minimize legitimate traffic being blocked, DRS 2.2 ships with Paranoia Level (PL) 1 enabled by default, while PL2 rules remain disabled by default due to their more aggressive behavior and typical need for tuning.

Azure Virtual Network routing appliance (preview)

The Azure Virtual Network routing appliance is now available in Public Preview, providing private connectivity for workloads across virtual networks using specialized hardware designed for low latency and high throughput. Deployed into a private subnet, the appliance acts as a managed forwarding router, enabling traffic steering through User Defined Routes (UDR) to support scenarios such as spoke-to-spoke communication in traditional hub-and-spoke topologies. As an Azure resource, it integrates with Azure’s management and governance model, allowing customers to adopt appliance-based routing without relying on self-managed virtual machine routers.

X-Forwarded-For (XFF) grouping for rate limiting on Application Gateway WAF v2 (preview)

Application Gateway Web Application Firewall (WAF) v2 now supports additional rate-limiting GroupBy options based on the X-Forwarded-For (XFF) HTTP header in Public Preview. This capability helps customers running Application Gateway behind proxies or Content Delivery Networks (CDNs) apply rate limits using the original client IP rather than the TCP source IP, reducing the risk of throttling legitimate users that share the same proxy egress address. In this preview, custom rate-limit rules can be grouped by Client Address (XFF) or Geo Location (XFF), allowing security teams to more accurately identify and mitigate abusive or high-volume traffic patterns while continuing to use the existing Application Gateway WAF v2 custom rate-limit rules and policy model.

Storage

Azure Container Storage v2.1.0 with Elastic SAN integration and on-demand installation

Azure Container Storage v2.1.0 is now Generally Available (GA), adding native integration with Elastic SAN and introducing a modular, on-demand installation model to simplify deployment and ongoing operations for Kubernetes workloads on Azure. With Elastic SAN supported as a native storage type, customers can provision scalable volume groups and consolidate large numbers of Kubernetes volumes under a single SAN resource, improving attach/detach performance, increasing throughput, and reducing management overhead for stateful applications. The release also includes streamlined setup, improved defaults, and enhanced automation for Elastic SAN resource creation and volume group configuration. In addition, the new modular installation approach allows clusters to deploy only the components required for the chosen storage type, reducing footprint and accelerating rollout, while node selector support provides more precise placement of Azure Container Storage components—useful for dedicated storage node pools or mixed cluster topologies.

Azure NetApp Files support in OpenShift Virtualization (preview)

Azure NetApp Files support in OpenShift Virtualization is now available in Public Preview, enabling faster virtual machine provisioning, instant cloning, and live migration for VM workloads running on OpenShift Virtualization. Microsoft positions Azure NetApp Files as providing scalable storage with predictable performance and enterprise data management capabilities for scenarios ranging from infrastructure VMs to business-critical databases. This preview is available in all Azure regions where Azure NetApp Files and Azure Red Hat OpenShift are offered.

Azure NetApp Files Elastic zone-redundant service level (preview)

Azure NetApp Files Elastic zone-redundant storage (ANF Elastic ZRS) is now available in Public Preview as an advanced high-availability service level designed to keep data continuously accessible with zero data loss, even if an entire Availability Zone becomes unavailable. Built on Azure Zone-redundant storage (ZRS) architecture and compute infrastructure, ANF Elastic ZRS synchronously replicates file data across availability zones within a region, removing single points of failure without requiring special configuration or manual intervention. Microsoft positions this capability as particularly suitable for metadata-intensive workloads across VMs and containers—such as AI, analytics, and Kubernetes/OpenShift environments—while also offering operational simplicity and flexible sizing, including volumes as small as 1 GiB.