Category Archives: Azure Networking

Azure IaaS and Azure Stack: announcements and updates (July 2023 – Weeks: 29 and 30)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Azure Boost (preview)

Azure Boost is one of Microsoft Azure’s latest infrastructure innovations. It is a new system that offloads virtualization work traditionally performed by the hypervisor and host OS, such as networking, storage, and host management, onto purpose-built hardware and software. By separating hypervisor and host OS functions from the host infrastructure, Azure Boost enables greater network and storage performance at scale, improves security by adding another layer of logical isolation, and reduces the maintenance impact of future Azure software and hardware upgrades.
This innovation enables Azure customers participating in the preview to achieve 200 Gbps networking throughput and remote storage throughput of up to 10 GBps and 400K IOPS, enabling the fastest storage workloads available today.
Azure Boost allows preview users to achieve this performance through access to experimental SKUs. This preview will be important for many customers and partners to integrate critical components of Azure Boost into their current VM solutions, ensuring smooth operation on this new system in the future.
Azure Boost has been providing benefits to millions of existing Azure VMs in production today, such as enabling the exceptional remote storage performance of the Ebsv5 VM series and networking throughput and latency improvements for the entire Ev5 and Dv5 VM series. Azure Boost will continue to innovate and provide benefits for Azure infrastructure users going forward.

The Classic VMs retirement deadline is now September 6, 2023

The deadline to migrate your IaaS VMs from Azure Service Manager (classic) to Azure Resource Manager is now September 6, 2023. To avoid service disruption, we recommend that you complete your migration as soon as possible. Microsoft will not provide any additional extensions after September 6, 2023.

Networking

Updated default TLS policy for Azure Application Gateway

Microsoft has updated the default TLS configuration for new deployments of Application Gateway to the predefined AppGwSslPolicy20220101 policy to improve the default security. This recently introduced, generally available, predefined policy enforces a minimum TLS version of 1.2 (TLS 1.3 is also supported) and stronger cipher suites. The new default applies only to gateways created after the change; existing gateways keep the policy they were deployed with, so check them and pin the policy explicitly.
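As an added example (not from the original post or from Microsoft), the following Python script audits the sslPolicy of exported Application Gateway resources, in the shape returned by "az network application-gateway show -o json", and reports gateways that still allow TLS 1.0/1.1 or, for custom policies, weak cipher suites. The sample export is constructed for this example; the minimum TLS version attributed to each predefined policy follows Microsoft's published policy definitions.

```python
"""Audit the TLS policy of exported Application Gateway resources.

Added example, not from the original post or from Microsoft. Each gateway is
a dict in the shape returned by "az network application-gateway show -o json"
(only the "name" and "sslPolicy" fields are read). The sample export at the
bottom is constructed for this example, not a real deployment.
"""
import json

# Minimum TLS version each predefined policy enforces (from the published
# policy definitions). Only the 2022 policies offer TLS 1.3.
PREDEFINED_MIN_TLS = {
    "AppGwSslPolicy20150501": "TLSv1_0",
    "AppGwSslPolicy20170401": "TLSv1_1",
    "AppGwSslPolicy20170401S": "TLSv1_2",
    "AppGwSslPolicy20220101": "TLSv1_2",
    "AppGwSslPolicy20220101S": "TLSv1_2",
}
TLS13_POLICIES = {"AppGwSslPolicy20220101", "AppGwSslPolicy20220101S"}
TLS_ORDER = ["TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3"]
RECOMMENDED = "AppGwSslPolicy20220101"


def tls_at_least(version, floor="TLSv1_2"):
    """True if a TLS version string (TLSv1_0 .. TLSv1_3) meets the floor."""
    if version not in TLS_ORDER:
        return False
    return TLS_ORDER.index(version) >= TLS_ORDER.index(floor)


def weak_cipher_reasons(suite):
    """Reasons a cipher suite in a custom policy is weak; empty if acceptable."""
    reasons = []
    if suite.startswith("TLS_RSA_"):
        reasons.append("static RSA key exchange, no forward secrecy")
    if "3DES" in suite or "_RC4_" in suite or "_NULL_" in suite:
        reasons.append("broken or deprecated cipher")
    if "_CBC_" in suite and suite.endswith("_SHA"):
        reasons.append("CBC mode with SHA-1 MAC")
    return reasons


def audit_ssl_policy(gateway):
    """Return a list of findings for one gateway; an empty list means it passes."""
    findings = []
    policy = gateway.get("sslPolicy") or {}
    if not policy:
        findings.append(
            "no sslPolicy set: the gateway runs on the platform default it was "
            "created with (historically AppGwSslPolicy20150501, which allows "
            f"TLS 1.0); pin {RECOMMENDED} explicitly"
        )
        return findings
    ptype = policy.get("policyType")
    if ptype == "Predefined":
        name = policy.get("policyName", "")
        min_tls = PREDEFINED_MIN_TLS.get(name)
        if min_tls is None:
            findings.append(f"unknown predefined policy {name!r}; review manually")
        elif not tls_at_least(min_tls):
            findings.append(f"{name} allows {min_tls}; set {RECOMMENDED} (minimum TLS 1.2)")
        elif name not in TLS13_POLICIES:
            findings.append(f"{name} meets TLS 1.2 but offers no TLS 1.3; consider {RECOMMENDED}")
    elif ptype in ("Custom", "CustomV2"):
        min_tls = policy.get("minProtocolVersion", "TLSv1_0")
        if not tls_at_least(min_tls):
            findings.append(f"custom policy minProtocolVersion {min_tls} is below TLS 1.2")
        for suite in policy.get("cipherSuites", []):
            reasons = weak_cipher_reasons(suite)
            if reasons:
                findings.append(f"weak cipher suite {suite}: " + "; ".join(reasons))
    else:
        findings.append(f"unrecognised policyType {ptype!r}; review manually")
    return findings


def audit_export(export_json):
    """Map gateway name -> findings for a JSON array of exported gateways."""
    return {gw["name"]: audit_ssl_policy(gw) for gw in json.loads(export_json)}


# Constructed sample export: four gateways in different states (not real resources).
SAMPLE_EXPORT = json.dumps([
    {"name": "appgw-legacy",
     "sslPolicy": {"policyType": "Predefined", "policyName": "AppGwSslPolicy20150501"}},
    {"name": "appgw-custom",
     "sslPolicy": {"policyType": "Custom", "minProtocolVersion": "TLSv1_1",
                   "cipherSuites": ["TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                                    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]}},
    {"name": "appgw-new",
     "sslPolicy": {"policyType": "Predefined", "policyName": "AppGwSslPolicy20220101"}},
    {"name": "appgw-unset", "sslPolicy": None},
])

if __name__ == "__main__":
    for name, findings in audit_export(SAMPLE_EXPORT).items():
        print(f"[{'OK' if not findings else 'FIX'}] {name}")
        for finding in findings:
            print("   -", finding)
```

Feed it the JSON array from "az network application-gateway list -o json" and remediate a flagged gateway with "az network application-gateway ssl-policy set --resource-group <rg> --gateway-name <name> --policy-type Predefined --policy-name AppGwSslPolicy20220101" (placeholders in angle brackets), then re-run the audit on a fresh export. The check looks only at the frontend TLS policy; certificates and backend HTTP settings are out of scope.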

Always Serve for Azure Traffic Manager

Always Serve for Azure Traffic Manager (ATM) is now generally available. You can disable endpoint health checks in an ATM profile and always serve traffic to that endpoint. You can also use third-party health check tools to determine endpoint health while ATM's native health checks are disabled, allowing flexible health check setups. Note that an endpoint with Always Serve enabled keeps receiving traffic even when it is down, so an external mechanism must take it out of rotation.

Azure Application Gateway for Containers (preview)

Azure Application Gateway for Containers is a new SKU in the Application Gateway family. Application Gateway for Containers is the next evolution of Application Gateway + Application Gateway Ingress Controller (AGIC), providing application (layer 7) load balancing and dynamic traffic management capabilities for workloads running in a Kubernetes cluster.

Application Gateway for Containers introduces the following improvements over AGIC:

  • Performance: achieve near-real-time convergence times to reflect the addition or removal of pods, routes, probes, and other load balancing configuration within Kubernetes YAML configuration.
  • Scale: push boundaries past current AGIC limits, exceeding 1400 backend pods and 100 listeners with Application Gateway for Containers.
  • Deployment: enable a familiar deployment of ARM resources via ARM, PowerShell, CLI, Bicep, and Terraform or define all configuration within Kubernetes and have Application Gateway for Containers manage the rest in Azure.
  • Gateway API support: the next evolution in defining Kubernetes service networking through expressive, extensible, and role-oriented interfaces.
  • Weighted / Split traffic distribution: enable blue-green deployment strategies and active / active or active / passive routing.

Network observability add-on for AKS (preview)

The new network observability add-on for AKS, now in public preview, provides complete observability into the network health and connectivity of your AKS cluster.

Key benefits:

  • Get access to cluster level network metrics like packet drops, connections stats and more.
  • (GA) Access to pod-level metrics and network debuggability features.
  • Support for all Azure CNIs – AzureCNI and AzureCNI (Powered by Cilium).
  • Support for all AKS node types – Linux and Windows.
  • Easy deployment using native Azure tools – AKS CLI, ARM templates, PowerShell, etc.
  • Seamless integration with the Azure managed Prometheus and Azure-managed Grafana offerings.

Azure Stack

General Availability of Remote Support for Azure Stack systems

Support requests for Azure Stack systems have always been managed through the Azure Portal and covered under your Azure support plan. The next big step is the remote support for all Azure Stack systems.

With remote support, you can temporarily grant Microsoft Support engineers constrained access to your on-premises edge devices to gather logs and fix issues. By default, remote support is off. It’s easy to turn on and off, when needed. After creating an Azure support request, it’s recommended to grant remote support access to enable Microsoft Support to resolve the issue as soon as possible. This takes just a few minutes in only a few steps. Once the support request is closed, you can just as easily turn off remote support access.

Remote support for Azure Stack systems provides benefits to both customers and Microsoft Support:

  • Improved time to resolution: eliminate the back-and-forth hassle of scheduling a call and gathering logs yourself.
  • Safe and secure: you can grant just-in-time (JIT) authenticated access and define the access level and duration for each incident. You can revoke access anytime.
  • Audited troubleshooting: Microsoft Support can only run Just Enough Administration (JEA) approved commands and everything they do is recorded for you to audit.
  • Free: Remote support is included in your Azure subscription at no additional cost. You can get remote support for both unregistered and registered Azure Stack HCI systems.

Version availability:

  • For Azure Stack Hub, remote support is available for version 2108 and later.
  • For Azure Stack Edge, remote support is available for version 2110 and later.
  • For Azure Stack HCI, remote support is available for version 22H2 and later.

Azure IaaS and Azure Stack: announcements and updates (July 2023 – Weeks: 27 and 28)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Latest generation burstable VMs – Bsv2, Basv2, and Bpsv2 (preview)

The Bsv2, Basv2, and Bpsv2 series virtual machines are the latest generation of Azure burstable general purpose VMs, providing a baseline level of CPU utilization and capable of expanding to higher CPU utilization as workload volume increases. This is ideal for many applications such as development and test servers, low traffic web servers, small databases, micro services, servers for proof-of-concepts, build servers, and code repositories. Compared to B series v1, these new B series v2 virtual machines offer more than 15% better price-performance, up to 5X higher network bandwidth with accelerated networking, and 10X higher remote storage throughput.

Azure Dedicated Host – Resize (preview)

With Azure Dedicated Host’s new ‘resize’ feature, you can easily move your existing dedicated host to a new Azure Dedicated Host SKU (e.g., from Dsv3-Type1 to Dsv3-Type4). This new ‘resize’ feature minimizes the impact and effort involved in configuring VMs when you want to upgrade your underlying dedicated host system.

Networking

Azure’s cross-region Load Balancer is now generally available

Azure Load Balancer’s Global tier is a cloud-native global network load balancing solution. With cross-region Load Balancer, you can distribute traffic across multiple Azure regions with ultra-low latency and high performance. Azure cross-region Load Balancer provides customers a static globally anycast IP address. Through this global IP address, you can easily add or remove regional deployments without interruption.

ExpressRoute private peering support for BGP communities

ExpressRoute private peering now supports the use of custom Border Gateway Protocol (BGP) communities with virtual networks connected to your ExpressRoute circuits. Once you configure a custom BGP community for your virtual network, you can view the regional and custom community values on outbound traffic sent over ExpressRoute when originating from that virtual network. These values can be used when applying filters or specifying routing preferences for traffic sent to your on-premises from your Azure environment.

Azure Virtual Network encryption

With Virtual Network encryption, customers can enable encryption of traffic between Virtual Machines and Virtual Machine Scale Sets within the same virtual network and between regionally and globally peered virtual networks. This new feature enhances the existing encryption in transit capabilities in Azure.

Sensitive Data Protection for Application Gateway Web Application Firewall logs (preview)

Azure’s regional Web Application Firewall (WAF) running on Application Gateway now supports sensitive data protection through log scrubbing. When a request matches the criteria of a rule, and triggers a WAF action, that event is captured within the WAF logs. WAF logs are stored as plain text for debuggability, and any matching patterns with sensitive customer data like IP address, passwords, and other personally identifiable information could potentially end up in logs as plain text. To help safeguard this sensitive data, you can now create log scrubbing rules that replace the sensitive data with “******”.
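As an added example (not from the original post or from Microsoft), the Python script below scans WAF log records for request values that have landed in the log in clear and proposes the scrubbing rule that would mask each one. The log records are constructed in the shape of the ApplicationGatewayFirewallLog category; the mapping from ModSecurity collections (ARGS, REQUEST_HEADERS, REQUEST_COOKIES) to the rule's match variable names, and the list of sensitive parameter names, are this example's own choices.

```python
"""Find request values that leaked into WAF logs and suggest scrubbing rules.

Added example, not from the original post or from Microsoft. Input is one
ApplicationGatewayFirewallLog record per line (JSON). The "details.data"
field carries the ModSecurity-style "Matched Data: ... found within
COLLECTION:name: value" string, which is where request values end up in
plain text. The sample records are constructed for this example.
"""
import json
import re

# "found within ARGS:password: hunter2" -> collection, parameter name, value
MATCHED_DATA = re.compile(
    r"found within (?P<collection>ARGS_POST|ARGS|REQUEST_HEADERS|REQUEST_COOKIES)"
    r":(?P<name>[^:\s]+):\s*(?P<value>.*)$"
)

# ModSecurity collection -> matchVariable of a WAF policy log scrubbing rule
# (this mapping is the example's own assumption; check it against the policy schema).
COLLECTION_TO_MATCH_VARIABLE = {
    "ARGS": "RequestArgNames",
    "ARGS_POST": "RequestPostArgNames",
    "REQUEST_HEADERS": "RequestHeaderNames",
    "REQUEST_COOKIES": "RequestCookieNames",
}

# Parameter/header/cookie names whose values should never sit in a log in clear.
SENSITIVE_NAME = re.compile(r"(?i)pass|pwd|secret|token|auth|session|key|ssn|card")


def scan_record(record):
    """Scrubbing rules (as dicts) that would mask the sensitive values in one record."""
    props = record.get("properties", {})
    rules = []
    match = MATCHED_DATA.search(props.get("details", {}).get("data", ""))
    if match and SENSITIVE_NAME.search(match.group("name")):
        rules.append({
            "matchVariable": COLLECTION_TO_MATCH_VARIABLE[match.group("collection")],
            "selectorMatchOperator": "Equals",
            "selector": match.group("name"),
            "state": "Enabled",
        })
    # The client address is personal data; RequestIPAddress masks it (no selector).
    if props.get("clientIp"):
        rules.append({
            "matchVariable": "RequestIPAddress",
            "selectorMatchOperator": "EqualsAny",
            "state": "Enabled",
        })
    return rules


def suggest_scrubbing_rules(log_lines):
    """Deduplicated rule list for a batch of JSON log lines, in first-seen order."""
    seen, rules = set(), []
    for line in log_lines:
        if not line.strip():
            continue
        for rule in scan_record(json.loads(line)):
            key = (rule["matchVariable"], rule.get("selector"))
            if key not in seen:
                seen.add(key)
                rules.append(rule)
    return rules


def _record(client_ip, rule_id, uri, data):
    """One constructed ApplicationGatewayFirewallLog record as a JSON line."""
    return json.dumps({
        "category": "ApplicationGatewayFirewallLog",
        "properties": {
            "clientIp": client_ip, "requestUri": uri, "ruleSetType": "OWASP",
            "ruleId": rule_id, "action": "Blocked",
            "details": {"message": "Pattern match", "data": data},
        },
    })


# Constructed sample: four blocked requests whose matched data include a
# password argument, a harmless query parameter, a bearer token and a session cookie.
SAMPLE_LOG_LINES = [
    _record("203.0.113.7", "942100", "/login",
            "Matched Data: ' OR 1=1 found within ARGS:password: hunter2' OR 1=1--"),
    _record("203.0.113.7", "941100", "/search",
            "Matched Data: <script> found within ARGS:q: <script>alert(1)</script>"),
    _record("198.51.100.2", "949110", "/api/orders",
            "Matched Data: Bearer found within REQUEST_HEADERS:Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.sig"),
    _record("198.51.100.9", "930100", "/download",
            "Matched Data: ../ found within REQUEST_COOKIES:session_id: ../../etc/passwd"),
]

if __name__ == "__main__":
    for rule in suggest_scrubbing_rules(SAMPLE_LOG_LINES):
        print(json.dumps(rule))
```

Each dict has the shape of one entry in the WAF policy's log scrubbing rule list (matchVariable, selectorMatchOperator, selector, state); verify the property names against the policy API version you deploy with before pasting them in. Masking RequestIPAddress removes the usual pivot for incident response, so decide deliberately whether client IPs must stay in WAF logs or are retained elsewhere.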

Storage

Azure Managed Lustre now generally available

Azure Managed Lustre is a managed file system, designed specifically for HPC and AI workloads on a pay-as-you-go model. It delivers a high-performance distributed parallel file system with hundreds of GBps of storage bandwidth and solid-state disk latency. The system fully integrates with Azure services such as Azure HPC Compute, Azure Kubernetes Service, and Azure Machine Learning.

Key benefits include:

  • a customizable Lustre file system that can be deployed on demand in minutes;
  • the high throughput needed for computationally intensive workloads;
  • easy integration with other Azure services;
  • managed pay-as-you-go model that allows organizations to save costs on maintenance and infrastructure setup.

Azure Premium SSD v2 Disk Storage is now available in more regions

Azure Premium SSD v2 Disk Storage is now available in Switzerland North, Japan East, Korea Central, South Africa North, Sweden Central, Canada Central and Central US regions. This next-generation storage solution offers advanced general-purpose block storage with the best price performance, delivering sub-millisecond disk latencies for demanding IO-intensive workloads at a low cost. It is well-suited for a wide range of enterprise production workloads, including SQL Server, Oracle, MariaDB, SAP, Cassandra, MongoDB, big data analytics, gaming on virtual machines, and stateful containers.

Azure IaaS and Azure Stack: announcements and updates (July 2023 – Weeks: 25 and 26)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Azure HBv4 and HX Series VMs for HPC

Azure HBv4 and HX-series Virtual Machines (VMs) are now generally available. With the general availability, Microsoft is offering customers the first VMs featuring the latest 4th Gen AMD EPYC™ processors with AMD 3D V-Cache™ technology (codename ‘Genoa-X’), paired with 400 Gigabit NVIDIA Quantum-2 InfiniBand. Azure HBv4 and HX-series VMs offer leadership levels of performance, scaling efficiency, and cost-effectiveness for a variety of HPC workloads such as computational fluid dynamics (CFD), financial services calculations, finite element analysis (FEA), geoscience simulations, weather simulation, rendering, quantum chemistry, and silicon design.

Networking

Azure Application Gateway: using a common port for public and private listeners (preview)

Azure Application Gateway now supports configuring the same port number for public and private listeners in preview. You no longer need to use non-standard ports or customize the backend application. This lets you use a single Application Gateway deployment to serve traffic for both internet-facing and internal clients.

Default Rule Set 2.1 for Regional WAF with Application Gateway (preview)

Announcing the preview of the Default Rule Set 2.1 (DRS 2.1) for regional WAF on Azure Application Gateway, available on the Application Gateway WAF v2 SKU. DRS 2.1 is baselined on the Open Web Application Security Project (OWASP) Core Rule Set (CRS) 3.3.2 and extended with additional proprietary protection rules developed by the Microsoft Threat Intelligence team, which analyzes Common Vulnerabilities and Exposures (CVEs) and adapts the rule set to address them while reducing false positives.

Storage

Azure Premium SSD v2 Disk Storage in Southeast Asia, UK South, South Central US and West US 3

Azure Premium SSD v2 Disk Storage is now available in Southeast Asia, UK South, South Central US and West US 3 regions. This next-generation storage solution offers advanced general-purpose block storage with the best price performance, delivering sub-millisecond disk latencies for demanding IO-intensive workloads at a low cost. It is well-suited for a wide range of enterprise production workloads, including SQL Server, Oracle, MariaDB, SAP, Cassandra, MongoDB, big data analytics, gaming on virtual machines, and stateful containers.

Azure NetApp Files double encryption at-rest (preview)

The Azure NetApp Files double encryption at-rest feature provides multiple independent encryption layers, so that defeating any single layer does not expose the data. It reduces the impact of threats such as:
– a single encryption key being compromised
– encryption algorithms with implementation errors
– data encryption configuration errors

This feature is currently available in West Europe, East US 2, East Asia regions and will roll out to other regions as the preview progresses.

Azure Elastic SAN Public Preview improvements

Azure Elastic SAN is currently in preview and several improvements have been made to the service. These include expanded regional availability, simplified multi-session connectivity for optimized volume performance, and native integration with Azure Container Storage (in preview). Azure Container Storage leverages Azure Elastic SAN as the backing storage resource to optimize price versus performance through dynamic resource sharing. Microsoft has also made it easier to migrate to Azure Elastic SAN and other block storage offerings like Premium SSD V2 and Ultra Disk, by including them in the Storage Migration Program.

Azure IaaS and Azure Stack: announcements and updates (June 2023 – Weeks: 23 and 24)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Azure VMware Solution Stretched Clusters with Customer-Managed Keys

Stretched clusters for Azure VMware Solution (AVS) are now Generally Available, providing 99.99% uptime for mission critical applications that require the highest availability. With this release, customers can use Customer-Managed Keys to encrypt the stretched vSAN. By default, virtual machines within the vSAN datastore are protected with data-at-rest encryption using a FIPS 140-2 compliant Data Encryption Key (DEK) generated for each local disk on the ESXi hosts. These DEKs are encrypted by the VMware vSAN Key Encryption Key (KEK), a service-managed key provided by Microsoft.

Stretched Cluster Benefits:

  • improved application availability;
  • a zero recovery point objective (RPO) for enterprise applications without redesigning them or deploying expensive disaster recovery solutions;
  • a private cloud with stretched clusters is designed for 99.99% availability thanks to its resilience to availability zone (AZ) failures.

Azure VMware Solution customer-managed encryption is supported through integration with Azure Key Vault. You can create your own encryption keys and store them in a Key Vault, or you can use Azure Key Vault API to generate encryption keys.

Mv2 Virtual Machine: 8TB memory

Mv2 High Memory virtual machines serve the largest in-memory workloads, providing infrastructure for 6 TB and 12 TB memory needs. Based on customer demand, an 8 TB memory virtual machine (VM), Standard_M416ms_8_v2, is now available, offering an intermediate size between 6 TB and 12 TB.

NGads V620-series VMs optimized for cloud gaming

NGads V620-series virtual machines (VMs), powered by AMD Radeon™ PRO V620 GPUs and AMD EPYC™ 7763 CPUs, are purpose-built for generating and streaming high quality graphics for an interactive gaming experience hosted on Azure. Featuring GPU partitioning with options for ¼, ½, or 1 full GPU, they allow customers to right-size their choice for the performance and cost of the business need. These VMs also feature the AMD Adrenalin Gaming Driver Cloud Edition, which targets the same optimizations available in the consumer gaming version of the Adrenalin driver but is further optimized for the cloud environment. In addition, the NGads V620-series VMs also support graphics-accelerated virtual desktop infrastructure (VDI) and visualization rendering, using the AMD Pro Workstation Driver, Cloud Edition.

Azure VMware Solution now available in North Switzerland

With the introduction of AV36 in North Switzerland, customers will receive access to 36 cores, 2.3 GHz clock speed, 576GB of RAM, and 15.36TB of SSD storage.

Confidential Virtual Machines (VM) support in Azure Virtual Desktop (preview)

Azure Confidential Virtual Machines (VMs) support in Azure Virtual Desktop is in public preview. Confidential VMs increase data privacy and security by protecting data in use. The Azure DCasv5 and ECasv5 confidential VM series provide a hardware-based Trusted Execution Environment (TEE) built on AMD SEV-SNP, which hardens guest protections by denying the hypervisor and other host management code access to VM memory and state, is designed to protect against operator access, and encrypts data in use. With this preview, support for Windows 11 22H2 has been added to Confidential VMs.

Networking

Private Link support for Application Gateway

Private Link configuration for Application Gateway allows incoming traffic to an Azure Application Gateway frontend to be restricted to clients that connect over Azure Private Link from another Azure virtual network, another Azure subscription, or a subscription linked to a different Azure Active Directory tenant.

Azure Load Balancer per VM limit removal

The “load balancers per VM” limit has been removed for customers using Standard Load Balancer. Previously the limit was two load balancers per VM (one public and one internal). With the limit removed, you can associate as many load balancers of either type (public or internal) with a VM as the Azure Load Balancer limits allow.

Azure Load Balancer: inbound ICMPv6 pings and traceroute are now supported

Standard Public Load Balancer now supports inbound ICMP pings to IPv6 frontends as well as inbound traceroute to both IPv4 and IPv6 frontends, in addition to the previously announced ICMPv4 ping support. You can now ping and traceroute to both the IPv4 and IPv6 frontends of a Standard Public Load Balancer as you natively would with an on-premises device, without any external software. This enables you to troubleshoot network issues, identify network bottlenecks, verify network paths, and monitor network performance between Azure Load Balancer and your client device. This functionality is generally available in all public regions, Azure China cloud regions, and Azure Government cloud regions.

Azure Front Door integration with managed identities

Azure Front Door now supports managed identities generated by Azure Active Directory to allow Front Door to easily and securely access other Azure AD-protected resources such as Azure Key Vault. This feature is in addition to the AAD Application access to Key Vault that is currently supported.

Azure Front Door upgrade from standard to premium

Azure Front Door supports upgrading from Standard to Premium tier without downtime. Azure Front Door Premium supports advanced security capabilities and has increased quota limits, such as managed Web Application Firewall rules and private connectivity to your origin using Private Link.

Azure Front Door Migration from classic to standard/premium

In March 2022, Microsoft announced the general availability of two new Azure Front Door tiers. Azure Front Door Standard and Premium are native, modern cloud content delivery network (CDN) catering to both dynamic and static content delivery acceleration with built-in turnkey security and a simple and predictable pricing model. The migration capability enables you to perform a zero-downtime migration from Azure Front Door (classic) to Azure Front Door Standard or Premium in just three simple steps or five simple steps if your Azure Front Door (classic) instance has custom domains with your own certificates. The migration will take a few minutes to complete depending on the complexity of your Azure Front Door (classic) instance, such as number of domains, backend pools, routes, and other configurations.

Azure Front Door Standard/Premium in Azure Government (preview)

Azure Front Door (AFD) Standard and Premium tier is now available in Azure Government in public preview, in the regions of Arizona and Texas. After this release, Local Government (US) customers and their partners can benefit from the new and enhanced capabilities on standard and premium. The new and enhanced capabilities include, but are not limited to, better reporting and diagnostic capabilities, expanded rules engine with server variables, enhanced Web Application Firewall (latest DRS rule set, Bot protection, Web Application Firewall Notebook using Sentinel for security investigation and monitoring, Microsoft Sentinel Analytics) and security capabilities (Private Link connectivity to your origin, subdomain takeover prevention) and many upcoming new features.

Storage

Zone Redundant Storage for Azure Disks is now available in more regions

Zone Redundant Storage (ZRS) for Azure Disk Storage is now generally available on Azure Premium SSDs and Standard SSDs in Brazil South, UK South, East US, East US 2, and South Central US regions. Disks with ZRS provide synchronous replication of data across three availability zones in a region, enabling disks to tolerate zonal failures without causing disruptions to your application. Additionally, it allows you to maximize virtual machine availability without the need for application-level replication of data across zones. You can also use ZRS with shared disks to provide higher availability for clustered or distributed applications like SQL FCI, SAP ASCS/SCS, or GFS2.

Azure Files scalability improvement for Azure Virtual Desktop and other workloads that open root directory handles

Azure Files has increased the root directory handle limit per share from 2,000 to 10,000 for standard and premium file shares. This improvement benefits applications that keep an open handle on the root directory. For example, Azure Virtual Desktop with FSLogix profile containers now supports 10,000 active users per share.

Zone Redundant Storage for Azure Disks is now available in Japan East and Korea Central

Zone Redundant Storage (ZRS) for Azure Disk Storage is now generally available on Azure Premium SSDs and Standard SSDs in Japan East and Korea Central regions.

Azure NetApp Files Availability zone volume placement enhancement: populate existing volume (preview)

The Azure NetApp Files availability zone volume placement feature lets you deploy new volumes in the availability zone of your choice, in alignment with Azure compute and other services in the same zone. With this ‘Populate existing volume’ enhancement you can now obtain and, if desired, populate previously deployed, existing volumes with the logical availability zone information. It automatically maps the physical zone the volumes were deployed in to the logical zone for your subscription. This feature will not move any volumes between zones. With this capability you can take workloads that were previously deployed regionally and align them with VMs in the same failure domain, for example to enable HA architectures across availability zones.

Azure AD Support for Azure Files SMB shares REST API (preview)

The public preview of Azure Active Directory (Azure AD) for Azure SMB Shares enables share-level read and write access for users, groups, and managed identities (MI) when accessing through the REST API. With Azure AD support, applications can now access Azure file shares securely, without storing or managing any credentials. Applications can leverage managed identities to securely access the customer-owned file shares. Azure Portal also now supports using Azure AD to authenticate requests to Azure Files. Users can choose Azure AD identity-based authentication method for the actions they take through portal such as browsing their file share contents.

Azure IaaS and Azure Stack: announcements and updates (June 2023 – Weeks: 21 and 22)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Generation 2 VM for Windows

Generation 2 VMs support key features that aren’t supported in generation 1 VMs. These features include increased memory, Intel Software Guard Extensions (Intel SGX), and virtualized persistent memory (vPMEM). You can now run Windows workloads on Generation 2 VMs in production to take advantage of these Generation 2 features.

Azure HX Virtual Machines for HPC

HX-series Virtual Machines (VMs) are optimized for large memory HPC workloads such as backend EDA, finite element analysis, computational geoscience, and big data analytics.

These VMs feature:

  • Up to 176 AMD EPYC™ 9004-series CPU cores with AMD 3D V-Cache (Genoa-X), 1.4 TB of RAM, clock frequencies up to 3.7 GHz, and no simultaneous multithreading.
  • Up to 1.4 TB/s of effective memory bandwidth and 2.3 GB L3 cache per VM, up to 12 GB/s (reads) and 7 GB/s (writes) of block device SSD performance.
  • 400 Gb/s NDR InfiniBand from NVIDIA Networking to enable supercomputer-scale MPI workloads.

Storage

Azure Files geo-redundancy for standard large file shares (preview)

Azure Files geo-redundancy for large file shares is now in public preview for standard SMB file shares. Azure Files has supported large file shares for several years, which provide not only file share capacity up to 100 TiB but also improved IO operations per second (IOPS) and throughput. Large file shares are widely adopted by customers using locally redundant storage (LRS) and zone-redundant storage (ZRS) but had not been available for geo-redundant storage (GRS) and geo-zone redundant storage (GZRS) until now. Geo-redundancy is critical for meeting various compliance and regulatory requirements. Geo-redundant storage asynchronously replicates to a secondary region; if the primary region becomes unavailable, you can initiate a failover to the secondary region.

New features in Azure Container Storage (preview)

Azure Container Storage, a unique storage service built natively for containers, is introducing several new features in preview to enhance the performance, reliability, and backup experience for its customers. Among the new features are volume snapshot, which allows you to capture the point-in-time state of persistent volumes, enabling you to back up data before applying changes. Additionally, the scalability target of Persistent Volumes has increased, empowering you to easily scale up your storage footprint. This means you can focus on building data services without worrying about the limitations of the underlying infrastructure.

Azure IaaS and Azure Stack: announcements and updates (May 2023 – Weeks: 19 and 20)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Azure VMware Solution on Azure Government

Azure VMware Solution will become generally available on May 17, 2023, to US Federal and State and Local Government (US) customers and their partners, in the regions of Arizona and Virginia. With this release, Microsoft is combining world-class Azure infrastructure together with VMware technologies by offering Azure VMware Solution on Azure Government, which is designed, built, and supported by Microsoft.

Networking

Routing Intent and Virtual WAN Integrated Firewall NVAs

Routing intent allows you to set up simple and declarative routing policies to configure Virtual WAN to route traffic to bump-in-the-wire security solutions such as Azure Firewall, Integrated Firewall NVA and SaaS deployed in the Virtual WAN hub. This feature delivers two critical use cases: inter-region/inter-hub traffic inspection and branch-to-branch (on-premises to on-premises) traffic inspection. With the General Availability of the routing intent feature, the Virtual WAN team also extended routing intent capabilities to Next Generation Firewall NVAs integrated within the Virtual WAN hub. As a result, the Virtual WAN team is also announcing the General Availability of the first two integrated Firewall NVAs in Virtual WAN: Check Point CloudGuard Network Security and Fortinet NGFW.

Seamlessly upgrade your Application Gateway V2 WAF configuration to a policy

Azure’s regional Web Application Firewall (WAF) on Application Gateway now supports a fully automated experience when upgrading your WAF from a configuration to a policy. WAF policies offer you multiple benefits over WAF configurations including:

  • richer feature set: Advanced features like newer managed rule sets, custom rules, per rule exclusions, bot protection rules, and more;
  • higher scale and performance with our next generation WAF engine;
  • simplified management experience: WAF policy allows you to define your WAF setup once, and share it across multiple gateways, listeners, and URL paths;
  • latest features: you can keep up to date with the latest features and enhancements.

Policy analytics for Azure Firewall

As application migration to the cloud accelerates, it’s common to update Azure Firewall configuration daily (sometimes hourly) to meet the growing application needs and respond to a changing threat landscape. Frequently, changes are managed by multiple administrators spread across geographies. Over time, the firewall configuration can grow sub optimally impacting firewall performance and security. It’s a challenging task for any IT team to optimize firewall rules without impacting applications and causing serious downtime. Policy analytics help address these challenges faced by IT teams by providing visibility into traffic flowing through the firewall with features such as firewall flow logs, rule to flow match, rule hit rate, and single rule analysis. IT admins can refine Azure Firewall rules in a few simple steps through the Azure portal.

Inbound ICMPv4 pings are now supported on Azure Load Balancer

Standard Public Load Balancer now supports inbound ICMP pings on IPv4 frontends. Previously, to determine reachability of a Load Balancer’s frontend, a TCP-based ping tool like Psping would need to be used. This added complexity as external software was needed on each client machine. Now, you can ping the IPv4 frontend of a Standard Public Load Balancer like you natively would on an on-premises device without any external software needed. This enables you to troubleshoot network traffic between Azure Load Balancer and your client device.

Azure Bastion now supports shareable links

With the Azure Bastion shareable links feature, you can now connect to a target resource (virtual machine or virtual machine scale set) using Azure Bastion without accessing the Azure portal.
This feature will solve two key pain points:

  • administrators will no longer have to provide full access to their Azure accounts to one-time VM users—helping to maintain their privacy and security;
  • users without Azure subscriptions can seamlessly connect to VMs without exposing RDP/SSH ports to the public internet.

Now generally available, the shareable links feature is supported for peered VNETs across subscriptions and across regions. It is also supported for national clouds.

Azure DNS Private Resolver is available in additional regions

Azure DNS Private Resolver is now available in West US, Canada East, Qatar Central, UAE North, Australia Southeast, Norway East, and Poland Central.

Always Serve for Azure Traffic Manager (preview)

Always Serve for Azure Traffic Manager (ATM) is now available in public preview. You can disable endpoint health checks from an ATM profile and always serve traffic to that given endpoint. You can also now choose to use third-party health check tools to determine endpoint health, and ATM native health checks can be disabled, allowing flexible health check setups.

Storage

Azure Container Storage (preview)

Azure Container Storage, now in preview, is a unique volume management service built natively for containers. It provides a consistent experience across different types of storage offerings, including a managed option (backed by Azure Elastic SAN), Azure Disks, and ephemeral disks on container services. This simplifies the deployment of persistent volumes and offers a highly scalable, cost-effective, high-performance and resilient storage solution. With Azure Container Storage, you can easily create and manage block storage volumes for production-scale stateful container applications and run them on Kubernetes, ensuring consistent experiences across different environments. The solution is optimized to enhance the performance of stateful workloads on Azure Kubernetes Service (AKS) clusters by accelerating the deployment of stateful containers with persistent volumes and improving quality with reduced pod failover time through fast attach/detach. Additionally, by efficiently deploying and managing persistent volumes on backend storage options, you can reduce the total cost of ownership (TCO) associated with container storage.

Azure NetApp Files Standard Network Features – Edit Volumes (preview)

Standard Network Features provide you with an enhanced Virtual Networking experience, for a seamless and consistent experience along with an improved security posture for Azure NetApp Files. You are now able to edit existing ANF volumes and upgrade Basic network features to Standard network features.

Azure IaaS and Azure Stack: announcements and updates (May 2023 – Weeks: 17 and 18)


Azure

Compute

Microsoft Azure available from new cloud region in Poland

The newest cloud region in Poland is available with Azure Availability Zones and provides customers with the highest standards of security, privacy, and regulatory-compliant data storage in the country.

Ebsv5 and Ebdsv5 NVMe-enabled VM sizes

The Ebsv5 and Ebdsv5 VM series are the first Azure VM series to support NVMe storage protocol. NVMe support enables these series to achieve the highest Disk Storage IOPS and throughput of any Azure VMs to date. NVMe is a high-performance storage interface that is faster and more efficient compared to other traditional storage protocols like SCSI, which is the only other protocol that most Azure VMs use currently. With NVMe interface supported, customers can now use these VMs to achieve even higher VM-to-disk throughput and IOPS performance per core, with up to 8,000 MBps and 260,000 IOPS. This enables customers that process extremely data-intensive workloads to process more data on fewer core compute resources, potentially saving them money on infrastructure and commercial software licensing costs.

DCesv5 and ECesv5-series Confidential VMs with Intel TDX (preview)

The Confidential VM family is expanding with the launch of the DCesv5-series and ECesv5-series in preview. Featuring 4th Gen Intel® Xeon® Scalable processors, these VMs are backed by an all-new hardware-based Trusted Execution Environment called Intel® Trust Domain Extensions (TDX). Organizations can use these VMs to seamlessly bring confidential workloads to the cloud without any code changes to their applications.

Networking

Cloud Next-Generation Firewall (NGFW) Palo Alto Networks – an Azure Native ISV Service

Cloud NGFW Palo Alto Networks is the first ISV next-generation firewall service natively integrated in Azure. Developed through a collaboration between Microsoft and Palo Alto Networks, this service delivers the cutting-edge security features of Palo Alto Networks NGFW technology while also offering the simplicity and convenience of cloud-native scaling and management. NGFWs provide superior network security by offering enhanced capabilities compared to traditional firewalls. These include deep packet inspection, advanced visibility and control features, and the use of AI to improve threat detection and response.

Palo Alto Networks SaaS Cloud NGFW Integration with Virtual WAN (preview)

Palo Alto Networks Cloud NGFW is the first security software-as-a-service (SaaS) solution to be integrated in Azure Virtual WAN, allowing you to enjoy the simplicity of a SaaS security offering without the hassles of managing provisioning, scaling, resiliency, software updates, or routing.

Cloud NGFW SaaS integration with Virtual WAN provides you with the following benefits:

  • protect workloads with a highly available NGFW powered by machine learning to detect and stop known, unknown and zero-day threats;
  • fully managed infrastructure and software lifecycle under SaaS model;
  • consumption-based pay-as-you-go billing;
  • dedicated and streamlined support channel between Azure and Palo Alto Networks to provide a delightful customer support experience;
  • simple one-click routing to inspect on-premises, Azure VNets and Internet traffic;
  • deep and cohesive integration with Azure that provides a cloud-native experience.

Application Gateway V1 will be retired on 28 April 2026

Because Application Gateway V1 retires on 28 April 2026, please transition to Application Gateway V2 by that date.

Alongside the Application Gateway V1 features you already use, Application Gateway V2 provides:

  • additional features – autoscaling, zone redundancy, URL rewrite, mutual authentication (mTLS), Azure Kubernetes Service Ingress Controller, Key Vault integration;
  • increased performance – 5x better TLS offload performance compared to V1;
  • enhanced security – faster update of security rules, WAF custom rules and policy associations, bot protection.

From now through 28 April 2026, you can continue using Application Gateway V1 but begin transitioning to Application Gateway V2.

New customers (customers who did not have an Application Gateway V1 SKU in their subscriptions in the month of June 2023) won’t be able to create V1 gateways from 1st July 2023.

Existing customers with subscriptions containing V1 gateways will no longer be able to create V1 gateways after 28th August 2024. However, they can manage V1 gateways until the retirement date of 28 April 2026. After 28 April 2026, Application Gateway V1 will not be supported.

Storage

Cross-region service endpoints for Azure Storage

Cross-region service endpoints are now generally available for Azure Blob and Data Lake Storage in all Azure regions. Virtual Network (VNet) service endpoints provide secure and direct connectivity to Azure services over an optimized route across the Azure backbone network. Service endpoints in Azure Storage already allow a storage account to be connected to VNets in the same or paired region. With this release, cross-region service endpoints can be configured to allow access to an Azure Blob or Data Lake storage account from VNets in any region. This is valuable for customer scenarios such as global storage resource and access management.

Azure Blob Storage adds a new online access tier: Cold (preview)

Azure Blob Storage is optimized for storing massive amounts of unstructured data. With blob access tiers, you can store your blob data in the most cost-effective manner based on how frequently it will be accessed and how long it will be retained. Now Azure Blob Storage adds a new online access tier, cold, in addition to hot, cool and archive.

Cold tier pricing is positioned between cool and archive, with 90-day early deletion policy. See the prices in Azure Blob Storage pricing. You can seamlessly use the cold tier the way you use hot and cool, through REST API, SDK, tools, and lifecycle management policy. Cold public preview is now available in Canada Central, Canada East, France Central and Korea Central.

Azure IaaS and Azure Stack: announcements and updates (April 2023 – Weeks: 15 and 16)


Azure

Compute

Hotpatch for Windows Server VMs on Azure with desktop experience

Hotpatch is now available for Windows Server Azure edition VMs running the desktop experience. Hotpatch is a feature that allows you to patch and install updates to Windows Server Azure Edition virtual machines on Azure without requiring a reboot. It was previously available for the server core installation mode, but now, Windows Server Azure edition VMs installed with the desktop experience mode (the Windows Explorer shell, Start Menu, etc.) will no longer reboot every month for security updates, providing:

  • lower workload impact with fewer reboots;
  • faster deployment of updates as the packages are smaller, install faster, and have easier patch orchestration with Azure Update Manager;
  • better protection, as the hotpatch update packages are scoped to Windows security updates that install faster without rebooting.

Trusted launch on existing Azure Gen2 VMs (preview)

Trusted launch provides a seamless way to improve the security of Azure Generation 2 VMs. It protects against advanced and persistent attack techniques by combining technologies that can be enabled independently, such as secure boot and a virtualized Trusted Platform Module (vTPM). The preview lets you enable Trusted launch on existing Gen2 VMs by upgrading the security type of the Gen2 VM to Trusted launch. This will help improve the foundational security of existing Gen2 VMs.

Networking

Azure CNI overlay is generally available

Azure CNI overlay addresses the performance, scalability and IP exhaustion challenges encountered when using the traditional Azure Container Networking Interface (CNI). With Azure CNI overlay, AKS clusters can be scaled to very large sizes by assigning pod IP addresses from a user-defined overlay address space that is logically separate from the VNet IP address space hosting the cluster nodes. Additionally, the user-defined private CIDR can be reused in different AKS clusters, truly extending the IP space available for containerized applications in AKS. Pod and node traffic within the cluster uses an overlay network via Azure Software Defined Networking (SDN) without any additional encapsulation. Network Address Translation (using the node’s IP address) is used to reach resources outside the cluster.

Storage

Azure Storage Mover is now Generally Available

Azure Storage Mover is a new, fully managed migration service that enables you to migrate your files and folders to Azure Storage while minimizing downtime for your workload. You can use Storage Mover for different migration scenarios such as lift-and-shift, and for cloud migrations that you have to repeat occasionally. Azure Storage Mover also helps maintain oversight and manage the migration of all your globally distributed file shares from a single storage mover resource.

Support for Linux clients to use identity-based access to Azure file shares over SMB

Azure Files now supports Linux clients to use identity-based authentication over Server Message Block (SMB). Previously only Windows clients were supported by Azure Files.

In order to leverage identity-based authentication and authorization, the clients need to be domain joined to one of the following Domain Services:

  • On-premises Active Directory Domain Services (AD DS)
  • Azure Active Directory Domain Services (Azure AD DS)

Azure Active Directory (Azure AD) Kerberos for hybrid identities is NOT supported yet for Linux clients. This capability will enable customers who are moving a mix of Windows and Linux environments to the cloud to have a consistent identity system across both Windows and Linux workstations.

Azure Elastic SAN Public Preview is now available in more regions

Azure Elastic SAN, which is currently in preview, is available with locally redundant storage (LRS) in several regions, including Australia East, Southeast Asia, France Central (including ZRS), North Europe (including ZRS), Sweden Central, UK South, West Europe (including ZRS), East US, East US 2, South Central US, West US 2 (including ZRS), and West US 3. By combining SAN-like capabilities with the advantages of being a cloud-native service, Azure Elastic SAN provides a storage solution that is highly scalable, cost-effective, high-performing, and resilient. It caters to various storage needs, whether you’re migrating your on-premises SAN to the cloud or creating your application directly in the cloud.

Azure IaaS and Azure Stack: announcements and updates (April 2023 – Weeks: 13 and 14)


Azure

Compute

New General-Purpose VMs: Dlsv5 and Dldsv5

The Dlsv5 and Dldsv5 VM series are ideal for workloads that require less RAM per vCPU than standard general purpose VM sizes. Target workloads include web servers, gaming, video encoding, AI/ML, batch processing and more. These VM series can potentially improve price-performance and reduce the cost of running workloads that do not require more memory per vCPU. The new VMs feature sizes with and without local temporary storage.

Networking

Azure Firewall enhancements for troubleshooting network performance and traffic visibility (preview)

Microsoft Azure Firewall now offers new logging and metric enhancements designed to increase visibility and provide more insights into traffic processed by the firewall. IT security administrators may use (in preview) a combination of the following to root-cause application performance issues:

  • Latency Probe metric
  • Flow Trace Log
  • Top Flows Log

Private Application Gateway v2 (preview)

Application Gateway v2 is introducing a collection of new capabilities to further enable you to control network exposure using Application Gateway v2 SKUs:

  • private IP only frontend configuration (elimination of Public IP);
  • enhanced control over Network Security Groups:
    • eliminate GatewayManager service tag requirement;
    • enable definition of Deny All Outbound rule;
  • enhanced control over Route Table rules:
    • forced tunneling support (learning of 0.0.0.0/0 route via BGP);
    • route table rule of 0.0.0.0/0 next hop Virtual Appliance.

Storage

Azure File Sync agent v16

The Azure File Sync agent v16 release has finished flighting and is now available on both Microsoft Update and the Microsoft Download Center.

Improvements and issues that are fixed:

  • improved Azure File Sync service availability:
    • Azure File Sync is now a zone-redundant service which means an outage in a zone has limited impact while improving the service resiliency to minimize customer impact. To fully leverage this improvement, configure your storage accounts to use zone-redundant storage (ZRS) or Geo-zone redundant storage (GZRS) replication. To learn more about different redundancy options for your storage accounts, see: Azure Storage redundancy
  • immediately run server change enumeration to detect file changes that were missed on the server:
    • Azure File Sync uses the Windows USN journal feature on Windows Server to immediately detect files that were changed and upload them to the Azure file share. If files changed are missed due to journal wrap or other issues, the files will not sync to the Azure file share until the changes are detected. Azure File Sync has a server change enumeration job that runs every 24 hours on the server endpoint path to detect changes that were missed by the USN journal. If you don’t want to wait until the next server change enumeration job runs, you can now use the Invoke-StorageSyncServerChangeDetection PowerShell cmdlet to immediately run server change enumeration on a server endpoint path;
  • bug fix for the PowerShell script FileSyncErrorsReport.ps1;
  • miscellaneous reliability and telemetry improvements for cloud tiering and sync.

More information about this release:

  • this release is available for Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 and Windows Server 2022 installations;
  • the agent version for this release is 16.0.0.0;
  • installation instructions are documented in KB5013877.

Azure Files NFS: nconnect support

Azure Files NFS v4.1 shares now support the nconnect mount option. nconnect is a client-side Linux mount option that increases performance at scale. With nconnect, the NFS mount uses more TCP connections between the client and the Azure Files service for NFSv4.1. Using nconnect can improve a client’s throughput/IOPS by up to 4X and reduce TCO by up to 70%. There is no additional billing cost associated with using this feature. This feature is available to all existing and new shares.

Azure Premium SSD v2 Disk Storage in new regions

Azure Premium SSD v2 Disk Storage is now available in East US 2, North Europe, and West US 2 regions. This next-generation storage solution offers advanced general-purpose block storage with the best price performance, delivering sub-millisecond disk latencies for demanding IO-intensive workloads at a low cost. It is well-suited for a wide range of enterprise production workloads, including SQL Server, Oracle, MariaDB, SAP, Cassandra, MongoDB, big data analytics, gaming on virtual machines, and stateful containers.

Azure IaaS and Azure Stack: announcements and updates (March 2023 – Weeks: 11 and 12)


Azure

Compute

Azure VMware Solution: Azure Hybrid Benefit for SQL Server

Azure Hybrid Benefit (AHB) for SQL Server is now available in Azure VMware Solution (AVS). With AHB for SQL Server on Azure VMware Solution, you can take advantage of the unlimited virtualization licensing capability included with the SQL Server Software Assurance. To this end, you can configure and enable VM-Host placement policies via the Azure portal and apply Azure Hybrid Benefit.

Networking

Azure Firewall Basic

Azure Firewall Basic is a new SKU for Azure Firewall designed for small and medium-sized businesses. Azure Firewall Basic can be deployed inside a virtual network or a virtual hub. This gives businesses the flexibility to choose the deployment option that best meets their needs.

The main benefits are:

  • Comprehensive, cloud-native network firewall security
    • Network and application traffic filtering
    • Threat intelligence to alert on malicious traffic
    • Built-in high availability
    • Seamless integration with other Azure security services
  • Simple setup and easy-to-use
    • Setup in just a few minutes
    • Automate deployment (deploy as code)
    • Zero maintenance with automatic updates
    • Central management via Azure Firewall Manager
  • Cost-effective
    • Designed to deliver essential, cost-effective protection of your resources within your virtual network

Pricing and billing for Azure Firewall Basic with secured virtual hub will be effective starting May 1, 2023.

Azure Virtual Network Manager

Azure Virtual Network Manager (AVNM) is now generally available. AVNM is a highly scalable and available network management solution that allows you to simplify network management across subscriptions globally. Using its centralized network management capabilities, you can manage your network resources at scale from a single pane of glass.

Key features of Azure Virtual Network Manager include:

  • global management of virtual network resources across regions, subscriptions, and tenants;
  • automated management and deployment of virtual network topology to create hub and spoke*;
  • high-priority security rule enforcement at scale to protect your network resources*;
  • safe deployment of network configurations across desired regions.

*The mesh topology and security admin rule features remain in public preview and will become generally available soon.

Azure Traffic Manager: reserved namespaces for subdomains

Azure Traffic Manager has added functionality for reserving domain labels for Traffic Manager profiles. Any customer requesting a Traffic Manager profile of the form label1.trafficmanager.net will have the “label1” label reserved for the tenant, and another user will not be able to create a new Traffic Manager profile with this name or subdomains below it. For example, if a user creates a profile named label1.trafficmanager.net, then “label1” and all labels of the form “<labelN>.….<label2>.<label1>.trafficmanager.net” will be reserved for the subscription. With these enhancements, once a namespace is created by a customer under the trafficmanager.net domain, it will not be available to any other tenant. This enhancement ensures that customers have full control over the label tree used in their Traffic Manager profiles and enables customers to better manage their namespace without having to worry about a specific name/label being in use by another tenant.
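The reservation rule above can be modelled as a small registry. This is an added example, not Microsoft's implementation; it assumes a simplified model in which the first label under trafficmanager.net identifies the reserved tree, and the tenant ids and profile names it uses are constructed.

```python
"""Model of the Traffic Manager label-reservation rule described above.

Added example, not Microsoft code. Simplified model: the first label under
trafficmanager.net identifies a reservation tree; the tenant that creates
the first profile in that tree owns it, and no other tenant can create that
label or any sub-label beneath it. Tenant ids and names are constructed.
"""
from typing import Dict, List, Optional

TM_SUFFIX = ".trafficmanager.net"


def tm_labels(fqdn: str) -> List[str]:
    """Split 'label2.label1.trafficmanager.net' into ['label1', 'label2'].

    The root-most label (the one directly under trafficmanager.net) comes
    first, because that is the label the reservation is keyed on.
    """
    host = fqdn.strip().lower().rstrip(".")
    if not host.endswith(TM_SUFFIX):
        raise ValueError(f"{fqdn!r} is not a trafficmanager.net name")
    labels = host[: -len(TM_SUFFIX)].split(".")
    if any(label == "" for label in labels):
        raise ValueError(f"{fqdn!r} contains an empty DNS label")
    return labels[::-1]


class ReservationRegistry:
    """Tracks which tenant owns each top-level label under trafficmanager.net."""

    def __init__(self) -> None:
        self._owner: Dict[str, str] = {}   # root label -> owning tenant id

    def owner_of(self, fqdn: str) -> Optional[str]:
        """Tenant that reserved the tree containing fqdn, or None if free."""
        return self._owner.get(tm_labels(fqdn)[0])

    def try_create(self, tenant: str, fqdn: str) -> bool:
        """Attempt to create a profile; True if allowed for this tenant.

        The first creator of a root label reserves the whole sub-tree. The
        same tenant may keep adding sub-labels; any other tenant is refused
        for the root label and for every label beneath it.
        """
        root = tm_labels(fqdn)[0]
        current = self._owner.get(root)
        if current is None:
            self._owner[root] = tenant
            return True
        return current == tenant


if __name__ == "__main__":
    reg = ReservationRegistry()
    print(reg.try_create("tenant-a", "label1.trafficmanager.net"))         # True
    print(reg.try_create("tenant-b", "label2.label1.trafficmanager.net"))  # False
```

Matching is per whole DNS label, so a reservation of label1 does not block label10.trafficmanager.net; a naive string-prefix check would get that wrong.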

Illumio for Azure Firewall (preview)

Microsoft partnered with Illumio, the leader in Zero Trust Segmentation, to build Illumio for Azure Firewall, an integrated solution that brings the benefits of Zero Trust Segmentation to Azure Firewall.

Illumio for Azure Firewall uses the Azure platform to protect your resources across your Azure virtual networks and at your Azure perimeter. It enables organizations to understand application traffic and dependencies and apply consistent protection across your environment – limiting exposure, containing breaches, and improving efficiency. Illumio for Azure Firewall also helps simplify Zero Trust Segmentation by enhancing visibility, streamlining policy management, and providing scalable security.

Key benefits:

  • Reduce security risks with a single view of your east-west and north-south traffic based on Azure Firewall flow data within your Azure subscriptions.
  • Gain a holistic view of your application traffic with real-time visibility of interactions and dependencies across your environment.
  • Easily deploy and configure Azure application-based policies within the Illumio platform.
  • Deploy Azure Firewall policies confidently with policies that automatically scale along with your applications.
  • Avoid application downtime by understanding the impact of Azure Firewall policies before they are enforced.
  • Works with all 3 SKUs of Azure Firewall – Basic, Standard, and Premium – to meet the needs of any organization.

Accelerated Connections for Network Virtual Appliances now in Azure Marketplace (preview)

Accelerated Connections is a new product that enhances Accelerated Networking enabled vNICs, giving customers the flexibility to select the connections-per-second (CPS) capability that best matches their Azure implementation. This offering will enable you to achieve the first bare-metal-like performance levels for CPS in Azure.

Storage

Ephemeral OS disks support encryption at host using customer managed keys

Ephemeral OS disks can be encrypted at host using platform managed keys or customer managed keys. The default is platform managed keys. This feature helps customers meet their organization’s compliance needs.

Azure Ultra Disk Storage in Brazil Southeast, South Africa North and UAE North

Azure Ultra Disk Storage is now available in one zone in the Brazil Southeast, South Africa North and UAE North regions. Azure Ultra Disk Storage offers high throughput, high IOPS and consistent low latency disk storage for Azure Virtual Machines (VMs). Ultra Disk Storage is well suited for data-intensive workloads such as SAP HANA, top-tier databases and transaction-heavy workloads.

Encryption scopes on hierarchical namespace enabled storage accounts

Encryption scopes introduce the option to provision multiple encryption keys in a storage account with hierarchical namespace. Using encryption scopes, you now can provision multiple encryption keys and choose to apply the encryption scope either at the container level (as the default scope for blobs in that container) or at the blob level. The capability is available for REST, HDFS, NFSv3 and SFTP protocols in an Azure Blob / Data Lake Gen2 storage account. The key that protects an encryption scope may be either a Microsoft-managed key or a customer-managed key in Azure Key Vault. You can choose to enable automatic rotation of a customer-managed key that protects an encryption scope. When you generate a new version of the key in your Key Vault, Azure Storage will automatically update the version of the key that is protecting the encryption scope, within a day.

Performance Plus for Azure Disk Storage (preview)

Azure Disk Storage now offers a new feature called Performance Plus, which enhances the IOPS and throughput performance of Premium SSD, Standard SSD, and Standard HDD disks that are sized 1TB or larger. Performance Plus is offered for free and is available through deployments with the Azure Command-Line Interface (CLI) and PowerShell.