Category Archives: Azure Storage

Azure IaaS and Azure Local: announcements and updates (October 2025 – Weeks: 41 and 42)

This blog post series highlights the key announcements and major updates related to Azure Infrastructure as a Service (IaaS) and Azure Local, as officially released by Microsoft in the past two weeks.

Azure

General

Azure Integrated HSM (preview)

Azure is releasing Azure Integrated Hardware Security Module (HSM), a built-in HSM cache and cryptographic accelerator designed to improve both security and performance for cryptographic operations within virtual machines. Targeted at crypto-intensive workloads, the feature provides secure key storage with fast, in-boundary retrieval and uses specialized hardware engines for encryption, decryption, signing, and verification while keys remain protected inside the integrated HSM. Azure Integrated HSM is part of the AMD D- and E-series v7 preview, designed to meet Federal Information Processing Standards (FIPS) 140-3 Level 3 requirements, and is available on the Dasv7, Dadsv7, Easv7, and Eadsv7 series with 8 vCores and above. The preview initially supports Windows (Linux support is coming soon) and is offered at no additional cost.

Compute

Retirement of F, Fs, Fsv2, Lsv2, G, Gs, Av2, Amv2, and B-series VMs in 2028

Microsoft has announced that the F, Fs, Fsv2, Lsv2, G, Gs, Av2, Amv2, and B-series Azure Virtual Machines will retire on November 15, 2028, and will no longer be usable or purchasable after that date. Customers should plan migrations of affected workloads to newer VM series to ensure continuity. Three-year reserved instances for these series cannot be purchased or renewed starting November 15, 2025, and one-year reserved instances will not be available for purchase or renewal after November 15, 2027. Existing three-year reservations will continue to provide benefits until their contracted end date; after expiration, usage will be billed at pay-as-you-go rates. Customers are advised to review current reservations to identify impacted VMs and expiration timelines and to plan migration accordingly.

Networking

Prescaling in Azure Firewall

Azure Firewall now supports prescaling, enabling administrators to provision and reserve capacity units ahead of anticipated demand—such as seasonal peaks or planned business events—to maintain consistent throughput, accelerate scaling response, and gain tighter control over capacity. In addition, a new Observed Capacity metric surfaces current and historical capacity usage to inform planning, while flexible billing ensures organizations pay only for the provisioned capacity units and can adjust them as needs evolve. Prescaling is available for Azure Firewall Standard and Premium Stock Keeping Unit (SKU) tiers in all public regions.

Observed capacity metric in Azure Firewall

Azure Firewall introduces the Observed Capacity metric to help teams understand how their firewalls scale in real-world conditions by tracking the number of actively utilized capacity units over time. With this signal, operators can validate that prescaling or autoscaling configurations behave as expected, set proactive alerts as usage approaches defined thresholds, diagnose whether scaling is keeping pace with demand, and forecast future capacity requirements using both historical and current traffic trends.

Azure Firewall updates – Customer-provided public IP address support in secured hubs

Azure Firewall in Virtual WAN secured hubs now supports customer-provided public IP addresses, allowing organizations to “bring their own” IPs already allocated within their Azure subscription. This gives teams greater control over egress identity and simplifies compliance, security policy enforcement, and third-party integrations that depend on stable, preapproved public IPs. Instead of relying on Azure-managed addresses, customers can assign their own, enabling consistent addressing across environments and reducing operational friction.

Azure Firewall updates – IP Group limit increased to 600 per Firewall Policy

Azure Firewall Policy now supports up to 600 IP Groups per policy (previously 200), enabling administrators to better organize large rule sets and reduce rule complexity. With more IP Groups, enterprises managing extensive, segmented networks can model application tiers and subnets more cleanly, while named groups improve readability and speed up troubleshooting and audits by clarifying rule intent in logs and reviews.

Private Link Service Direct Connect (preview)

Azure is introducing Private Link Service Direct Connect, which extends Azure Private Link by allowing a private link service to connect directly to any routable destination IP address—removing the previous requirement to place applications behind a Standard Load Balancer. This enhancement preserves the same private and secure access model while simplifying architectures for publishing services to customers. The limited public preview is initially available in North Central US, East US 2, Central US, South Central US, West US, West US 2, West US 3, Asia Southeast, Australia East, and Spain Central, with additional regions to follow.

Storage

Azure NetApp Files short-term clones

Azure NetApp Files short-term clones are now generally available, providing space-efficient, instant read/write copies created from existing volume snapshots without requiring full data duplication. The clones persist for up to 32 days and consume capacity only for incremental changes, accelerating development, analytics, disaster recovery drills, and testing with large datasets. By enabling rapid refreshes from the latest snapshots and minimizing operational overhead, this capability improves workflow velocity, quality, and cost efficiency across data-intensive scenarios.

Azure Storage Discovery

Azure Storage Discovery delivers enterprise-wide visibility across the Azure Storage data estate, allowing organizations to deeply analyze used capacity and activity, optimize costs, strengthen security posture, and improve operational efficiency. Integrated with Azure Copilot, it lets stakeholders—from cloud architects to storage administrators and data governance leads—unlock insights with natural language prompts and quickly answer questions such as total data stored across all accounts, regions with the fastest growth, and where to reduce costs via tiering adjustments or cleanup of stale data. The service is offered in two plans—Free for basic insights and Standard for full capabilities—and can begin analyzing data across subscriptions within hours, providing some pre-deployment history and up to 18 months of retention to reveal long-term patterns like workload peaks and valleys.

Conclusion

Over the past two weeks, Microsoft has introduced a slew of updates and announcements pertaining to Azure Infrastructure as a Service (IaaS) and Azure Local. These developments underscore the tech giant’s unwavering commitment to enhancing its cloud offerings and adapting to the ever-evolving needs of businesses and developers. Users of Azure can anticipate improved functionalities, streamlined services, and enriched features as a result of these changes. Stay tuned for more insights as I continue to monitor and report on Azure’s progression in the cloud sphere.

Azure IaaS and Azure Local: announcements and updates (October 2025 – Weeks: 39 and 40)

Azure

Compute

Azure VMware Solution AV36 Node Retirement on June 30, 2028

Microsoft announces the retirement of the AV36 node type for Azure VMware Solution effective June 30, 2028. Existing AV36 Reserved Instance (RI) terms remain unchanged, but customers are advised to review their AV36 RI expiration timelines and coordinate next steps with their Microsoft account teams. To ease the transition, Microsoft will offer AV36 1-year RIs with VCF included until October 15, 2025, and AV36 VCF BYOL 1-year RIs until June 30, 2026 (requiring a portable Broadcom VCF subscription). Existing AV36 Pay-As-You-Go subscriptions will continue through September 30, 2027. This change impacts only AV36; AV36P, AV48, AV52, and AV64 remain available with AVS VCF BYOL options.

Retirement: NVv3-series Azure Virtual Machines will be retired on September 30, 2026

Microsoft will retire the NVv3-series VM sizes—Standard_NV12s_v3, Standard_NV12hs_v3, Standard_NV24s_v3, Standard_NV24ms_v3, Standard_NV32ms_v3, and Standard_NV48s_v3—on September 30, 2026. To avoid disruption, organizations should migrate workloads to newer sizes within the NV product line. Microsoft recommends NVadsA10_v5 VMs, which provide higher GPU memory bandwidth per GPU and are well suited for GPU-accelerated graphics, virtual desktops, visualization workloads, and smaller AI scenarios.

Networking

Using Server-Sent Events with Application Gateway

Azure Application Gateway now supports Server-Sent Events (SSE) in general availability, enabling real-time, server-to-client data streaming over a persistent HTTP connection. To adopt SSE, administrators must apply specific configurations on both the Application Gateway resource and the backend application so that server push updates flow reliably to connected clients.

Retirement: Azure VPN Gateway support for SSTP Protocol will be retired on March 31, 2027

Azure VPN Gateway support for the SSTP protocol will be phased out due to limited scalability and performance. Customers are advised to migrate to IKEv2 or OpenVPN, which provide significantly higher connection limits—up to 10,000 connections—and aggregate throughput up to 10 Gbps depending on the gateway SKU. Key dates include March 31, 2026, when enabling SSTP on VPN gateways will no longer be supported, and March 31, 2027, when existing SSTP-enabled gateways will no longer be able to establish SSTP connections. To avoid disruption, customers should complete migration to IKEv2 or OpenVPN before March 31, 2027.

New health check infrastructure for Azure Traffic Manager

Azure Traffic Manager has introduced new health check infrastructure designed to improve resiliency and horizontal scalability. Customers are being migrated to the new platform, which enhances the reliability of health probes. Because probes originate from updated IP addresses, environments with strict firewall controls should ensure health checks are allowed. The recommended approach is to use the AzureTrafficManager Service Tag in NSGs or Azure Firewall so rules stay current automatically. Where Service Tags are not feasible (such as custom appliances or non-Azure environments), administrators should manually update ACLs or firewall rules with the latest IP prefixes from the Azure IP Ranges and Service Tags JSON and refresh them periodically.

Storage

Azure NetApp Files Flexible Service Level

Azure NetApp Files introduces the Flexible service level, allowing independent configuration of storage capacity and throughput to optimize cost and performance without volume moves. Supported on manual QoS capacity pools, throughput can be tuned between 128 MiB/s and 640 MiB/s per provisioned TiB, with a baseline 128 MiB/s provided for every pool at no additional cost. This enables right-sizing for both capacity-heavy workloads with modest performance needs and demanding workloads—such as Oracle or SAP HANA—that require higher throughput on smaller capacity footprints. The Flexible service level is available for newly created pools only, is supported in all Azure NetApp Files regions, and works with cool access for additional savings.

Cross-tenant customer-managed keys for Azure NetApp Files volume encryption

Azure NetApp Files now supports cross-tenant Customer-Managed Keys (CMK) for volume encryption, enabling customers to manage their own encryption keys across different Azure tenancies. This capability gives SaaS providers and their end users greater control in multi-tenant scenarios by allowing end users to retain full key ownership while providers offer flexible key-management options. The feature is available in all Azure NetApp Files–supported regions, delivering secure, scalable, and compliant data protection across tenant boundaries.

Azure NetApp Files support for OpenLDAP, FreeIPA, and Red Hat Directory Server (preview)

Azure NetApp Files introduces public preview support for integrating with FreeIPA, OpenLDAP, and Red Hat Directory Server, enabling secure LDAP over TLS for NFSv3 and NFSv4.1 volumes alongside Microsoft Active Directory. This enhancement streamlines identity integration for hybrid environments and regulated industries, improving access control for NFS workloads. Key benefits include broader LDAP support, secure LDAP over TLS, seamless use with existing identity infrastructure, and greater flexibility for compliance-driven deployments. The preview is available in all Azure NetApp Files regions, with use cases spanning financial services, government, and enterprises standardizing identity across cloud and on-premises estates.

Azure Local

Arc Gateway for Azure Local

Arc Gateway for Azure Local is now generally available, delivering a single, centralized HTTPS egress point for all Azure-bound traffic from Azure Local instances and workloads. By consolidating outbound connectivity behind one “front door,” it reduces the need for sprawling firewall rules and eliminates wildcards, significantly simplifying configuration and strengthening security posture. The gateway cuts required endpoints from well over 100 to fewer than 28 and integrates seamlessly with enterprise proxies by routing outbound traffic through existing proxy infrastructure before reaching Azure. It provides comprehensive coverage for workloads: Azure Local VMs can use Arc Gateway whether or not the infrastructure enabled it during deployment—so long as an Arc Gateway resource exists and guest management is enabled; new VMs can also be deployed with the gateway. AKS clusters on Azure Local implicitly leverage the host-level Arc Gateway when it was enabled for the infrastructure at deployment; AKS with Arc Gateway remains in Public Preview until its future GA. Support for enabling Arc Gateway on existing Azure Local infrastructure is planned for a future release.

Conclusion

Azure IaaS and Azure Local: announcements and updates (September 2025 – Weeks: 37 and 38)

Azure

General

Licensing changes for future Azure VMware Solution subscriptions starting October 16, 2025

Microsoft has announced licensing changes for Azure VMware Solution (AVS) following Broadcom’s updates to VMware licensing policies. Beginning October 16, 2025, customers purchasing new or additional AVS nodes must bring their own portable VMware Cloud Foundation (VCF) subscription from Broadcom or an authorized reseller. Existing AVS deployments with VCF included under Reserved Instance (RI) terms can continue operating without licensing or product changes through the end of the RI term, and customers may use the self-service exchange process to trade in an RI on or before October 15, 2025 for a later expiration date. For Pay-As-You-Go subscriptions that included VCF, customers are advised to contact their Microsoft account team for details and key dates. The AVS service itself is unchanged and remains a fully managed VCF private cloud in Azure.

At-cost data transfer between Azure and an external endpoint

Azure now provides at-cost data transfer for customers and Cloud Solution Provider partners in Europe who move data over the public internet between Azure and another data processing provider, supporting interoperable, multi-cloud architectures. Eligible organizations—those with billing addresses in the European Economic Area (EEA), European Free Trade Association (EFTA), or the United Kingdom—may request a credit for such cross-cloud transfers by following the documented Azure Support process and meeting the stated eligibility requirements.

Azure mandatory multifactor authentication: Phase 2 starting in October 2025

Microsoft confirmed the next phase of its mandatory multifactor authentication (MFA) rollout for Azure sign-ins, citing research that MFA can block more than 99.2% of account compromise attempts. Following the August 2024 announcement and the completion of Phase 1 in March 2025 (enforcement for Azure Portal, Microsoft Entra admin center, and Intune admin center sign-ins across 100% of tenants), Phase 2 will begin on October 1, 2025. This phase enforces MFA at the Azure Resource Manager layer for resource management operations across clients including Azure CLI, Azure PowerShell, the Azure Mobile App, REST APIs, SDK libraries, and Infrastructure-as-Code tools, with gradual application via Azure Policy under safe deployment practices. Notifications have been sent to Microsoft Entra Global Administrators through email and Azure Service Health. The change requires users to authenticate with MFA before executing resource management actions; workload identities such as managed identities and service principals are not impacted. To prepare, organizations are advised to enable MFA for users by October 1, 2025, assess potential impact using built-in Azure Policy definitions in audit or enforcement mode, and update clients to Azure CLI version 2.76 and Azure PowerShell version 14.3 or later. If MFA cannot be enabled by the start date, a Global Administrator can postpone enforcement in the Azure portal, with further communications to follow via established channels.

Compute

Retirement: Azure Kubernetes Service on VMware (preview) will be retired on March 16, 2026 (preview)

Azure Kubernetes Service on VMware (preview) will be retired on March 16, 2026. Customers are encouraged to transition to Azure Kubernetes Service on Azure Local before that date to take advantage of its enhanced capabilities. After March 16, 2026, deployments of AKS on VMware will no longer be possible and support will cease. For additional questions, Microsoft directs customers to AKS on Azure Local.

Azure D192 sizes in the Azure Dsv6 and Ddsv6-series VM families

Microsoft has added the D192 size to the Dsv6 and Ddsv6-series VMs, powered by 5th Gen Intel® Xeon® Platinum 8573C (Emerald Rapids). Dsv6 uses Azure managed disks only, while Ddsv6 offers local temporary storage. These sizes deliver 192 vCPUs and 768 GiB RAM, targeting general-purpose, memory-intensive, and enterprise workloads such as SAP, SQL, in-memory analytics, large relational databases, web/app servers under moderate-to-heavy traffic, batch processing, and dev/test. Azure Boost provides up to 400K IOPS and 12 GB/s remote storage throughput with NVMe-enabled local and remote storage, and up to 82 Gbps network bandwidth. Security is strengthened with Intel® Total Memory Encryption (TME), and the NVMe interface yields up to a 3× improvement in local storage IOPS for low-latency access.

DCa/ECa v6-series AMD-based confidential VMs now generally available

Microsoft is making the new DCa/ECa v6-series AMD-based confidential virtual machines generally available in UAE North, Korea Central, West Central US, South Africa North, Switzerland North, and UK South. Powered by 4th Gen AMD EPYC™ processors with Secure Encrypted Virtualization – Secure Nested Paging (SEV-SNP), these VMs provide hardware-based memory encryption so that memory written by a VM can only be accessed by that VM, with encryption keys generated by a dedicated secure processor on the CPU and not retrievable from software. The lineup includes the general-purpose DCasv6-series and the memory-optimized ECasv6-series, offering improved performance and price-performance over prior AMD-based confidential VMs. Workloads can typically migrate without code changes, making these VMs well-suited for processing sensitive data such as PII and PHI within an attested trusted execution environment.

Azure HBv5-series VMs (preview)

Azure has introduced HBv5-series VMs in public preview in the South Central US region. Designed for memory bandwidth–intensive HPC workloads—including CFD, automotive and aerospace simulation, weather modeling, energy research, molecular dynamics, and computer-aided engineering—HBv5 features 6.7 TB/s of memory bandwidth across 450 GB (438 GiB) of HBM. Each VM provides 368 4th Gen AMD EPYC™ cores at 3.5 GHz base and up to 4.0 GHz boost with no simultaneous multithreading, 800 Gb/s NVIDIA Networking InfiniBand for supercomputer-scale MPI, and 15 TiB of local NVMe SSD delivering up to 50 GB/s reads and 30 GB/s writes.

Networking

Introducing the new Network Security Hub experience

Microsoft has expanded and rebranded the Azure Firewall Manager experience as the Network Security Hub, a centralized interface that unifies Azure Firewall, Web Application Firewall (WAF), and DDoS Protection. The refreshed experience simplifies the Azure Networking portfolio with improved navigation, consolidated service overviews, and enhanced visibility into security coverage. A redesigned landing page surfaces common use cases, documentation, pricing, and recommended scenarios to accelerate onboarding. Key highlights include a single hub to manage Firewall, WAF, and DDoS Protection, an enhanced coverage dashboard across virtual networks, hubs, and applications, Azure Advisor–driven recommendations for security and performance, and streamlined discovery of resources such as Virtual Hub deployments and Firewall Policies.

Enabling dedicated connections to backends in Azure Application Gateway

Azure Application Gateway v2 now supports dedicated connections from the gateway to backend servers. While the default behavior reuses idle backend TCP connections to optimize resource usage, the new setting maps each incoming client connection to its own distinct backend connection, enabling strict one-to-one communication between frontend and backend when required.

Backend TLS validation controls in Azure Application Gateway

Azure Application Gateway v2 announces the general availability of customer-controlled backend TLS validations. When HTTPS is selected in Backend Settings, operators can now enable or disable certificate chain and expiry verification and separately enable or disable SNI verification. These options allow teams to tailor TLS behavior to the needs of diverse environments while preserving secure, reliable connectivity to backend services.

Storage

Azure NetApp Files migration assistant

Azure NetApp Files migration assistant (using SnapMirror) is now generally available, enabling efficient, cost-effective data migration from on-premises environments or CVO/other cloud providers to Azure NetApp Files. Available via REST API, the capability leverages ONTAP replication to reduce network transfer for baseline and incremental updates, supports low-downtime cutovers to minimize business disruption, and preserves primary data protection with source volume snapshots while maintaining directory and file metadata, including security attributes.

Retirement: OS disks on Standard HDD will be retired on September 8, 2028

Microsoft announced that service for operating system (OS) disks running on Standard HDD will be retired on September 8, 2028, in alignment with evolving usage patterns and investments in disk performance and reliability. After that date, any remaining OS disks on Standard HDD will be converted to Standard SSD of equivalent size if not migrated beforehand, with further details to follow in public documentation. This change does not affect Standard HDD data disks (non-boot volumes) or Ephemeral OS disks. To mitigate risk, customers are expected to avoid deploying new VMs with HDD OS disks and to migrate existing HDD OS disks to Standard SSD or Premium SSD ahead of the retirement date.

Azure Data Box Next Gen expands general availability to additional regions

Microsoft has expanded general availability for Azure Data Box Next Gen to India, Qatar, South Africa, and Korea. With this update, both the 120 TB and 525 TB NVMe-based Data Box devices are generally available in the US, UK, Europe, US Gov, Canada, Japan, Australia, Singapore, India, and Qatar. The 120 TB model is also generally available in Brazil, UAE, Hong Kong, Switzerland, Norway, South Africa, and Korea. Announced earlier this year, the next-generation devices have already ingested several petabytes across multiple industries, with customers reporting up to 10× faster transfers. Organizations value the devices’ reliability and efficiency for large-scale migration projects, and can select the appropriate SKU and place orders directly from the Azure portal.

File share-centric management model for Azure Files (preview)

Azure Files now introduces a file share–centric management model via the Microsoft.FileShares resource provider, making file shares top-level Azure resources that no longer require a storage account. With this shift, file shares can be provisioned independently for capacity, IOPS, and throughput—removing contention with other shares and enabling granular networking and security controls. The model adopts the SSD provisioned v2 cost structure for predictable, flexible billing and brings ~2× faster provisioning, higher scale limits, and share-level billing for clearer cost attribution. This preview streamlines creation and lifecycle management while aligning performance and cost directly to each share.

Azure Local

Direct upgrade from Azure Stack HCI OS 22H2 to 24H2 via PowerShell

With the 2505 release, Azure Stack HCI administrators can now perform a direct in-place upgrade from version 20349.xxxx (22H2) to version 26100.xxxx (24H2) using PowerShell. This streamlined path removes an intermediate hop, reducing the number of reboots and simplifying maintenance planning ahead of the broader solution upgrade.

Conclusion

Azure IaaS and Azure Local: announcements and updates (September 2025 – Weeks: 35 and 36)

Azure

General

Microsoft to Tighten Cloud Security with Mandatory MFA for Azure Resource Management

Microsoft has announced that Multi-Factor Authentication (MFA) will be enforced for all Azure resource management actions starting October 1, 2025. The enforcement will apply to sign-ins via Azure CLI, PowerShell, SDKs, REST APIs, Infrastructure as Code tools, and the Azure mobile app, as part of the Secure Future Initiative (SFI). SFI focuses on Secure by Design, Secure by Default, and Secure in Operations across engineering pillars such as identity protection, network security, threat detection, and rapid vulnerability remediation. To prepare, administrators are advised to upgrade to Azure CLI v2.76+ and PowerShell v14.3+, migrate automation from user identities to workload identities, use Azure Policy in audit/enforcement mode to assess impact, and monitor MFA registration with built-in reports or scripts. Enforcement will roll out gradually across all tenants, with global administrators able to defer until July 1, 2026. Microsoft’s research indicates that accounts with MFA enabled are 99.99% resistant to hacking attempts, and that MFA reduces unauthorized access risk by 98.56% even when credentials are compromised.

Compute

Upgrade Existing Azure Gen1 VMs to Gen2 Trusted Launch

Microsoft has made generally available the ability to enable Trusted Launch on existing Azure Generation 1 virtual machines by upgrading them to Generation 2 with Trusted Launch. This capability strengthens foundational compute security by enabling Secure Boot and virtual TPM (vTPM), and by measuring the VM’s boot chain for attestation. By helping defend against bootkits and rootkits, the upgrade enhances the security posture of existing workloads without requiring full redeployment.

Retirement of Confidential VM SKUs DCesv5, DCedsv5, ECesv5, ECedsv5

Microsoft is retiring the Confidential VM SKUs DCesv5, DCedsv5, ECesv5, and ECedsv5, with the DCesv6 and ECesv6 sizes designated as their successors. The next-generation sizes—currently in public preview—introduce enhancements such as integration with OpenHCL and will be the primary focus going forward. As part of the transition, all new and existing deployments of the retiring series will be stopped by September 12, 2025. After that date, no new VMs can be created, and any VM from these series that is rebooted will no longer be available. Customers are encouraged to plan migrations to the v6 series to maintain continuity and benefit from the latest confidential computing capabilities.

Networking

Multiple Address Prefixes for Subnets in Azure Virtual Networks

Support for multiple address prefixes per subnet in Azure Virtual Networks is now generally available. Previously, a subnet could hold only a single prefix, which complicated scale-out when the address space was exhausted. The new capability allows additional prefixes to be added directly to a subnet, expanding available address space without emptying or resizing the subnet. This enables dynamic subnet growth with minimal disruption and more efficient use of address space, while preserving headroom for future expansion.

Retirement of Azure CDN in Azure China—migrate to Azure Front Door by December 1, 2025

Azure CDN operated by 21Vianet in Azure China will be retired on December 1, 2025. Because Azure CDN relies on local provider POPs via API integrations and lacks deep, native Azure integration, Microsoft is directing customers to Azure Front Door as the native, more integrated alternative with built-in security features such as WAF and Private Link to origins. Customers should complete migration and validation and delete Azure CDN resources by November 15, 2025. If migration is not completed by that date, the Azure Front Door team will attempt to migrate eligible CDN profiles. Profiles that are disabled, have had no active traffic in the prior three months, or are otherwise incompatible will not be migrated and will experience service disruption starting December 1, 2025. In such cases, customers should migrate to Azure Front Door or another CDN solution before November 15, 2025.

Azure Front Door Standard and Premium now available in Azure China

Azure Front Door Standard and Premium are now generally available in the Azure China regions (China North 3 and China East 3), operated by 21Vianet. With this release, customers can deliver secure, reliable, high-performance applications using a natively integrated platform that provides global load balancing with instant failover, edge caching and protocol optimizations for acceleration, and enterprise-grade security including WAF, DDoS protection, and TLS/SSL offload. The service supports local compliance requirements such as ICP filing for custom domains and offers end-to-end observability through Azure Monitor metrics, logs, and analytics, enabling reduced latency, improved resilience, and a consistent operational experience across global and China regions.

CNI Overlay for Application Gateway for Containers and AGIC

Azure CNI Overlay support with Application Gateway for Containers and the Application Gateway Ingress Controller (AGIC) is now generally available. With CNI Overlay, AKS clusters can assign pod IPs from a separate CIDR, conserving VNet IP space and simplifying multi-cluster deployments. When paired with Application Gateway and Application Gateway for Containers, this approach provides secure, efficient load balancing to designated services inside the cluster’s private overlay network while reducing external exposure. Network configuration (CNI Overlay or traditional CNI) is detected automatically by the platform, eliminating additional setup and streamlining deployment.

Custom block response code and body for Application Gateway WAF (preview)

Azure Web Application Firewall (WAF) integrated with Application Gateway now supports customizable response status codes and bodies for blocked requests in public preview. By default, WAF returns HTTP 403 with “The request is blocked” when a rule is triggered; with this preview, administrators can define a custom status code and message at the policy level so that all blocked requests receive a consistent, tailored response. This enhancement aligns Application Gateway WAF with the customization already available on WAF with Azure Front Door, giving teams greater flexibility and control over client-facing behavior during enforcement.

Storage

Azure NetApp Files short-term clones (preview)

Azure NetApp Files short-term clones are available in public preview, enabling space-efficient, instant read/write access by creating temporary thin clones from existing volume snapshots rather than full data copies. Suitable for development, analytics, disaster recovery scenarios, and testing of large datasets, these clones can be refreshed quickly from the latest snapshots and remain temporary for up to one month, consuming capacity only for incremental changes. The capability accelerates workflows, improves quality and resilience, and lowers costs by avoiding full-copy storage and reducing operational overhead, and is available in all Azure NetApp Files supported regions.

Entra ID and RBAC support for supplemental Azure Storage APIs

Support for Entra ID (OAuth 2.0) and Azure RBAC is now generally available for the following Azure Storage operations: Get Account Information, Get/Set Container ACL, Get/Set Queue ACL, and Get/Set Table ACL. With this change, REST responses for unauthorized access have been aligned with other OAuth-enabled Storage APIs: calls made with OAuth that lack required permissions now return 403 (Forbidden) instead of the previous 404, while anonymous requests for a bearer challenge return 401 (Unauthorized). For example, GetAccountInformation requires the RBAC action Microsoft.Storage/storageAccounts/blobServices/getInfo/action. Applications that depend on the old 404 behavior should be updated to handle both 403 and 404 responses, as SDKs will not automatically adjust this behavior.

Conclusion

Azure IaaS and Azure Local: announcements and updates (August 2025 – Weeks: 33 and 34)

Azure

General

Microsoft recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for Cloud-Native Application Platforms

Microsoft has been named a Leader in the 2025 Gartner® Magic Quadrant™ for Cloud-Native Application Platforms for the second consecutive year, positioned furthest to the right for Completeness of Vision. The recognition reflects Microsoft’s continued product innovation, cohesive developer experience, and leadership in AI—enabling customers to build cloud-native applications and AI agents across web apps, APIs, event-driven workloads, serverless functions, and containers, backed by global scale and deep enterprise expertise. Microsoft reiterates its commitment to helping organizations innovate with AI while maintaining scalable, cost-efficient operations.

Microsoft Azure now available from cloud region in Austria

Microsoft announced the opening of its cloud region in Austria to accelerate digital transformation and AI innovation. The new region enables enterprises and public sector organizations in Austria to store and process data locally and securely, in compliance with data protection regulations. To help customers adopt the new region and its Availability Zones, Azure supports region portability for many resource types via Azure Resource Mover, easing migrations and minimizing disruption.

Compute

DCesv6 and ECesv6 confidential VMs with Intel® TDX (preview)

Azure introduced the DCesv6 (general purpose) and ECesv6 (memory-optimized) series as its next generation of Confidential VMs, powered by 5th Gen Intel® Xeon® processors (“Emerald Rapids”) with Intel® Trust Domain Extensions (TDX). In private preview, these VMs are designed for tenants with stringent security and confidentiality requirements, providing a strong, hardware-enforced boundary so data and applications remain private and encrypted in memory while in use. They are intended to run confidential workloads without requiring application code changes and include in-guest attestation, enabling customers to verify the integrity of their environments before processing sensitive data.

Networking

Application Gateway adds MaxSurge support for zero-capacity-impact upgrades

Azure Application Gateway now supports MaxSurge, allowing new instances to be provisioned during rolling upgrades without taking existing ones offline. With this capability, customers can move to newer gateway versions while maintaining full traffic handling and reducing deployment risk. The enhancement strengthens resiliency and reliability for mission-critical applications that require consistent performance during infrastructure updates.

Private Application Gateway on Azure Application Gateway v2

Azure introduced Private Application Gateway on the Application Gateway v2 SKU, enabling fully private Layer-7 load balancing with a private frontend IP. This capability helps organizations publish internal web applications without exposing public endpoints, align with zero-trust network patterns, and simplify routing inside virtual networks and peered environments. By leveraging the v2 platform, customers also benefit from autoscaling, zone redundancy, and WAF integration for enhanced resilience and security.

Inbound IPv6 support on public multi-tenant App Service

Inbound IPv6 support for public multi-tenant Azure App Service is now generally available across all public Azure regions. The capability spans multi-tenant apps on Basic, Standard, and Premium SKUs, as well as Functions Consumption, Functions Elastic Premium, and Logic Apps Standard. With native IPv6 ingress, customers can meet dual-stack requirements, improve addressability, and align with regulatory and enterprise mandates while keeping existing deployment workflows unchanged.

Azure Bastion connectivity to private AKS clusters via tunneling (preview)

In public preview, Azure Bastion enables a secure tunnel from a user’s local machine—through Bastion—directly to an AKS API server using standard Kubernetes tooling. This capability provides seamless access to private AKS clusters, as well as to public clusters configured with API server authorized IP ranges, eliminating the need for complex VPNs, jump boxes, or exposing public endpoints. The result is simplified, consistent, and secure access for developers, operators, and partners working with private AKS environments.

Storage

Azure NetApp Files file access logs

The Azure NetApp Files file access logs feature is now generally available, delivering enterprise-grade visibility into file-level operations across SMB, NFSv4.1, and dual-protocol volumes. By capturing detailed telemetry—including user identity, operation type, and timestamps—the feature helps organizations bolster security, streamline operations, and meet compliance requirements in alignment with Azure’s Well-Architected Framework security best practices. File access logs are currently available in select regions, with broader regional support planned.

Azure Blob Storage Archive tier now in Malaysia West

The Archive access tier for Azure Blob Storage is now generally available in the Malaysia West region. This expansion lets customers in Malaysia store infrequently accessed data cost-effectively while meeting local data residency and compliance needs. Archive remains ideal for long-term backup, compliance, and archival scenarios and can be managed via the Azure portal, CLI, PowerShell, or REST API. With this addition, Malaysia West supports the full tier lineup: Hot, Cool, Cold, and Archive.

Azure Files provisioned v2 billing model for SSD (premium)

Azure Files now supports the provisioned v2 billing model on the SSD (premium) tier, allowing independent provisioning of storage, IOPS, and throughput so shares can be right-sized to precise performance and capacity targets. The model also increases the share size range from 32 GiB up to 256 TiB. Provisioned v2 for both SSD and HDD is generally available in all public cloud regions, giving customers consistent deployment options globally.

Azure NetApp Files Flexible service level: cool access support (preview)

Azure NetApp Files now extends its Flexible service level with cool access in public preview, allowing customers to independently configure capacity and throughput while automatically tiering cold data from volumes in Flexible service level capacity pools to Azure storage accounts. This helps optimize cost and performance across diverse workloads—supporting scenarios that require high capacity with low throughput or vice versa—while maintaining seamless access for active data. Cool access also supports cross-region replication for destination-only volumes, enhancing data protection without affecting source latency, and is available in all Azure NetApp Files regions.

Azure Local

Veeam support for Azure Local 24H2 (version 26100.x)

Veeam has added support for Azure Local 24H2 (version 26100.x). The minimum required release is Veeam Backup & Replication 12.3.2 (build 12.3.2.3617). The update excludes Azure Arc VM management; however, Arc-enabled VMs in a “Running” state can be backed up. On restore, these VMs are converted to standard Hyper-V workloads, and if the original VM no longer exists, the Azure Arc connection is expected to persist when the VM is restored to the same cluster within the Azure Arc reconnection window (typically up to 45 days).

Conclusion

Azure IaaS and Azure Local: announcements and updates (August 2025 – Weeks: 31 and 32)

Azure

Compute

Azure 128 & 192 vCPU sizes for the Esv6 and Edsv6 series VMs

Microsoft has introduced new VM sizes in the Esv6 and Edsv6 series, offering configurations with up to 192 vCPUs and 1832 GiB of RAM. These high-capacity virtual machines are designed for enterprise-scale workloads, including in-memory analytics, large relational databases, and in-memory cache scenarios. Equipped with Intel® Total Memory Encryption (Intel TME) and NVMe-enabled local and remote storage, these VMs deliver both robust performance and enhanced data security. Key advantages include up to 400K IOPS and 12 GB/s remote storage throughput with 200 Gbps network bandwidth, three times the local storage IOPS thanks to the NVMe interface, and strong memory protection capabilities provided by Intel TME.

Networking

Network Security Perimeter

Microsoft has introduced Network Security Perimeter, a feature that allows organizations to define a logical network isolation boundary for PaaS resources, such as Azure Storage accounts and SQL Database servers, deployed outside their virtual networks. This capability restricts public network access to PaaS resources within the perimeter, with exceptions managed through explicit inbound and outbound access rules. Key benefits include secure resource-to-resource communication within perimeter members to prevent data exfiltration, centralized management of external public access, detailed access logs for audit and compliance, and a unified experience across supported PaaS resources.

Customer-controlled maintenance

Microsoft has announced that customers can now define configurable maintenance windows for the Point-to-Site (P2S) VPN Gateway in the Virtual WAN service, which has reached general availability. This capability allows greater control over planned updates and enhances operational predictability. With this release, maintenance window configuration is now supported across multiple gateway resources in Azure networking services, including: Virtual Network Gateway in ExpressRoute, Virtual Network Gateway in VPN Gateway, Site-to-Site VPN Gateway in Virtual WAN, Point-to-Site VPN Gateway in Virtual WAN, and ExpressRoute Gateway in Virtual WAN. This improvement ensures that organizations can align gateway maintenance with their operational and compliance requirements.

Azure DNS Public Zones DNS Security Extensions (DNSSEC) in US Gov and China regions

Microsoft has announced the general availability of Domain Name System Security Extensions (DNSSEC) for Azure DNS Public Zones in US Gov and China regions. This enhancement enables cryptographic authentication of DNS data, providing protection against threats such as cache poisoning and man-in-the-middle attacks. Administrators can enable DNSSEC for both new and existing DNS zones via the Azure Portal, CLI, PowerShell, or API. Azure manages all key operations, simplifying deployment and maintenance while ensuring high availability and performance through its global infrastructure.

Azure Virtual Network Manager mesh now supports 5,000 virtual networks (preview)

Azure Virtual Network Manager now supports grouping up to 5,000 virtual networks in a mesh connectivity configuration, available in public preview for supported regions. A mesh topology establishes bi-directional connectivity between every virtual network in the group, removing the need for manual peerings, reducing network hops, and ensuring low-latency traffic flows under a unified control plane. This approach is particularly beneficial in hub-and-spoke environments, where spokes can communicate directly without routing through the hub, lowering latency while retaining security oversight via Azure Virtual Network Manager security admin rules, NSGs, and comprehensive traffic monitoring through flow logs.

Storage

Log or block shared access signature (SAS) tokens for Azure Storage based on expiration policy

Azure Storage now supports enhanced enforcement options for Shared Access Signature (SAS) token expiration policies. Administrators have long been able to define the validity interval for SAS tokens using a storage account’s expiration policy. However, it was previously possible to override this with a longer signed expiry date on the SAS token itself. With the new SAS expiration action capability, administrators can now choose to either log or block requests that violate the configured expiration policy. The ‘Log’ action provides visibility into out-of-policy usage without disrupting service, making it ideal for auditing and trend analysis. Conversely, the ‘Block’ action enforces strict compliance by denying access to expired tokens. Microsoft recommends beginning with the ‘Log’ action to monitor access patterns, followed by implementing ‘Block’ to secure environments against unauthorized or outdated token usage.

Azure Data Box Next Gen is now generally available in additional regions

Azure Data Box Next Gen is now generally available in new regions, including Australia, Japan, Singapore, Brazil, Hong Kong, UAE, Switzerland, and Norway. This expansion complements the existing availability of both the 120 TB and 525 TB models in the US, UK, Canada, EU, US Government, Australia, Japan, and Singapore. Additionally, the 120 TB model is now available in Brazil, UAE, Hong Kong, Switzerland, and Norway. These next-generation NVMe-based devices have already facilitated the ingestion of several petabytes of data across various industries, delivering up to 10× faster transfer speeds. Customers value their reliability and efficiency for large-scale migration projects, making them a preferred choice for secure and high-speed data movement.

Azure Storage Actions now in 22 more regions

Azure Storage Actions is now available in 22 additional Azure regions, expanding its global reach and providing customers with more options for data residency and compliance. This broader availability enhances the ability to automate data management tasks across a wider range of geographic locations, supporting diverse operational and regulatory requirements.

Azure Storage Discovery (preview)

Microsoft has announced the public preview of Azure Storage Discovery, a fully managed service providing enterprise-wide visibility into Azure Blob Storage estates. This solution offers deep insights into capacity usage, activity trends, cost optimization opportunities, and security enhancements, all accessible directly within the Azure Portal. Azure Storage Discovery integrates with Azure Copilot, enabling users to obtain actionable insights through natural language queries without needing to learn a query language or write code.
Organizations can analyze trends over time, drill down into top storage accounts, and filter reports by configuration details such as region, redundancy, performance type, and encryption. The service supports analysis of up to one million storage accounts across multiple subscriptions and resource groups in a single workspace. Key benefits include automated aggregation of metrics, interactive reporting, 30 days of historical data upon deployment, and retention of insights for up to 18 months. The Standard tier is free to use until September 30, after which charges will apply, while the Free tier offers basic insights at no cost.

Conclusion

Azure IaaS and Azure Local: announcements and updates (July 2025 – Weeks: 29 and 30)

Azure

General

CISPE Secures Landmark Licensing Reform in Agreement with Microsoft

CISPE (Cloud Infrastructure Services Providers in Europe) has reached a landmark agreement with Microsoft that introduces significant licensing reforms for Microsoft software running on CISPE member infrastructure. As part of this agreement, Microsoft will allow qualified CISPE members to offer Microsoft software—such as Windows Server and SQL Server—on a pay-as-you-go basis through the CSP-Hoster (CSP-H) program, aligning pricing more closely with that of Microsoft Azure.

This agreement delivers multiple benefits. CISPE members gain access to competitive Pay-As-You-Go licensing models, enhancing flexibility and cost-effectiveness for customers. It also supports digital sovereignty by enabling deployment of Microsoft 365 Local on European cloud infrastructure—pending general availability within Microsoft’s Cloud Solution Program. A major privacy improvement allows CISPE members to host Microsoft workloads without disclosing customer data to Microsoft, addressing long-standing concerns about data sovereignty and vendor neutrality.

The agreement applies to current CISPE members and is also open to eligible European cloud providers that join CISPE in the near future. Microsoft has committed to reviewing the program after one year, with a view to expanding access further—excluding hyperscale cloud providers designated as “Listed Providers” in order to protect competition and support innovation in the European cloud ecosystem.

Microsoft Azure Cloud HSM

Azure Cloud HSM is now generally available, offering a FIPS 140-3 Level 3 certified, highly available, single-tenant Hardware Security Module (HSM) service. Designed to meet the highest security and compliance standards, Azure Cloud HSM gives customers full administrative control over their HSMs, enabling secure cryptographic key management and operations within dedicated Cloud HSM clusters. It supports key cryptographic libraries such as PKCS#11, OpenSSL, and JCE, making it ideal for workloads like Apache/Nginx SSL offload, SQL Server or Oracle TDE, and ADCS hosted on Azure VMs. The solution also supports certificate storage with private keys via PKCS#11 and allows for secure document and code signing. As the successor to Azure Dedicated HSM, this new service provides improved support for general-purpose scenarios requiring isolated and secure key management. Microsoft plans to expand availability across Public, US Gov, and Sovereign Clouds.

Modernizing Azure Resource Manager Throttling for Sovereign Clouds (preview)

Microsoft has announced the public preview of its updated throttling model for Azure Resource Manager (ARM) in sovereign clouds. This update is part of a broader modernization effort aimed at achieving parity between public and sovereign cloud environments by the end of 2026. The revised throttling model brings consistent limits and architecture across all Azure deployments, enhancing operational reliability and simplifying cross-environment workloads. As previously communicated in 2024, the new throttling configuration delivers substantial improvements, including a 30x increase in write limits, a 2.4x increase for deletes, and a 7.5x increase in read operations, greatly improving performance and scalability for ARM users.

Networking

Azure Firewall now supports ingestion-time transformation in Log Analytics

Azure Firewall has introduced support for ingestion-time transformation in Log Analytics, a feature now generally available. This capability allows organizations to filter and transform logs before they are ingested into Log Analytics, offering a flexible and cost-effective logging strategy. The benefits are substantial: security teams can log only suspicious or critical traffic for more effective threat detection; storage costs are reduced by avoiding unnecessary log ingestion; compliance requirements can be met by routing logs through Data Collection Rules (DCRs); and incident response is accelerated through streamlined access to relevant logs. Additionally, users can create customized dashboards and alerts in Azure Monitor, enhancing visibility and control over network activity.

ExpressRoute – Auto-assigned Public IP for ExpressRoute Gateways

Microsoft has introduced a simplification in the deployment of ExpressRoute Virtual Network Gateways: all newly created gateways will now use auto-assigned Public IP addresses. This change eliminates the need for customers to manually assign Public IPs during configuration, streamlining the setup process and reducing operational overhead. The new model enhances deployment consistency across different gateway types. It’s important to note that existing ExpressRoute gateways will remain unaffected by this update.

Web Application Firewall on Application Gateway for Containers (preview)

Azure has introduced Web Application Firewall (WAF) support for Application Gateway for Containers in public preview. Application Gateway for Containers is the next-generation layer 7 load balancing solution for workloads running in Kubernetes clusters, combining the capabilities of Application Gateway and Application Gateway Ingress Controller. With WAF integration, users can now protect their containerized applications from common web vulnerabilities such as SQL injection, cross-site scripting, and protocol anomalies. The solution includes Azure-managed Default Rulesets (DRS), offering protection based on OWASP standards and Microsoft’s Threat Intelligence Center (MSTIC). Additional features include bot protection through bot manager rulesets and rate-limiting custom rules to mitigate DDoS attacks, delivering enterprise-grade security for modern containerized environments.

Storage

AZNFS (3.0) for BlobNFS with FUSE for superior performance (preview)

Microsoft has released the public preview of AZNFS (3.0) for BlobNFS, offering a major upgrade for customers utilizing Azure Blob Storage with native NFSv3 access. The new version leverages the libfuse3 library—also used by BlobFuse—to bring substantial performance and scalability improvements. With this update, users benefit from higher throughput, support for larger files, enhanced metadata performance, and the removal of user group limits. These enhancements make AZNFS (3.0) particularly well-suited for performance-intensive, POSIX-compliant workloads on Linux systems that require consistent and reliable access to Blob Storage using the NFS protocol.

Azure Local

Version 2507 Release: Security Updates and Fixes

Microsoft has released version 2507 of Azure Local, delivering two targeted security updates tied to specific OS builds. The release also addresses several key issues reported in earlier builds. Fixes include resolution of a solution update failure caused by an exception in the ComposedImageUpdate role, and clarification for Azure Government cloud users where the upgrade banner is shown but the environment checker incorrectly flags lack of support. Another critical fix resolves an issue where, during VM deployment, the absence of a specified storage path would cause all resources to be placed on the first available path—potentially leading to disk space exhaustion and deployment failures over time.

End of Support Reminder: Azure Stack HCI Version 23H2

Microsoft has announced that Azure Stack HCI version 23H2 will reach end of support on October 31, 2025. Currently, Azure Local supports two active OS versions: 25398.xxx and 26100.xxx. With update 2510, systems running the 25398.x OS will automatically be upgraded to the latest 26100.x build. For deployments already based on 26100.x, the update will be applied as a feature upgrade. Organizations using Azure Local should plan accordingly to ensure ongoing support, security, and access to new features beyond the 23H2 lifecycle.

Software Defined Networking (SDN) enabled by Azure Arc on Azure Local (preview)

Microsoft has announced the public preview of Software Defined Networking (SDN) enabled by Azure Arc, now available starting with Azure Local version 2506. This release brings native Azure-style network security and control to on-premises infrastructure through Azure Arc integration. Customers can now define and manage Logical Networks, Network Interfaces, and Network Security Groups (NSGs) from the Azure control plane using the Azure Portal, CLI, or ARM templates.

Key capabilities include the ability to deploy VLAN-backed logical networks, assign static or dynamic IP addresses to virtual machines, and enforce granular traffic control policies via NSGs. NSGs can be applied both at the VLAN level and directly to VM network interfaces, using complete 5-tuple rules (source/destination IP, port, and protocol). Default network policies can also be applied during VM creation to secure workloads with predefined rules for inbound and outbound traffic.

This SDN solution is powered by the Network Controller running on Azure Local infrastructure and eliminates the need for dedicated SDN controller VMs by running as a Failover Cluster service. While advanced features such as virtual networks (vNETs), Software Load Balancers (SLBs), and Gateways are not yet supported in this preview, customers can continue to rely on traditional SDN management tools—like SDN Express and Windows Admin Center—if they require those functionalities. Notably, only one SDN management model (Azure Arc or on-premises tools) can be used per environment.

Microsoft 365 Local: New Sovereign Offering with Azure Local Foundation

Microsoft has unveiled a new sovereign solution for regulated and high-compliance environments: Microsoft 365 Local, a “Private Cloud” variant built on Azure Local infrastructure. This solution enables customers to deploy Microsoft productivity workloads such as Exchange Server and SharePoint Server directly in their own datacenters or sovereign cloud regions. With full control over security, compliance, and governance, Microsoft 365 Local extends trusted productivity experiences to environments where data residency and isolation are essential. While specific technical details are still forthcoming, this initiative marks a significant step forward in supporting sovereign cloud strategies globally.

Conclusion

Azure IaaS and Azure Local: announcements and updates (July 2025 – Weeks: 27 and 28)

Azure

General

Two-Way Forest Trusts for Microsoft Entra Domain Services

Microsoft has announced the general availability of Two-Way Forest Trusts for Microsoft Entra Domain Services. This enhancement enables organizations to establish bi-directional forest trusts between Microsoft Entra Domain Services and on-premises Active Directory Domain Services (AD DS). Previously, only one-way outbound trusts were supported, which allowed users in the on-premises environment to access resources in the managed domain. Now, administrators can configure one-way inbound, one-way outbound, or two-way forest trusts, granting users from either domain reciprocal access to resources. This added flexibility allows enterprises to better align their hybrid identity strategies, with support for more granular control over trust relationships. An Enterprise or Premium SKU license is required to configure these trusts.

Compute

Enable Trusted Launch on Existing Virtual Machine Uniform Scale Set

Microsoft has announced the general availability of the ability to enable Trusted Launch on existing Virtual Machine Uniform Scale Sets by upgrading these resources to Gen2-Trusted Launch. This enhancement allows organizations to bolster the foundational security of their existing infrastructure without needing to redeploy. Trusted Launch VMs support Secure Boot and virtual Trusted Platform Module (vTPM), protecting the guest operating system from bootkits, rootkits, and other low-level threats. Additionally, attestation capabilities measure the integrity of the VM’s boot process, further strengthening security posture.

Trusted Launch Default for New Gen2 VMs & Scale Sets (preview)

A new public preview introduces Trusted Launch as default (TLaD) for newly deployed Generation 2 Virtual Machines, Virtual Machine Scale Sets, and Azure Compute Gallery resources. This default behavior enables foundational security features, including Secure Boot and vTPM, without requiring any changes to deployment templates or automation scripts (e.g., SDKs, Bicep, ARM templates, Terraform). With Trusted Launch enabled by default, new deployments gain enhanced protection against rootkits and bootkits, while also enabling attestation to verify the VM’s boot process integrity, simplifying secure adoption of Generation 2 resources.

Networking

Azure DNS Security Policy

Azure DNS Security Policy is now generally available, offering comprehensive control and visibility over DNS traffic at the virtual network level. This new capability allows administrators to filter DNS queries by allowing, alerting, or blocking name resolutions based on domain lists, helping to protect against access to known malicious or undesired domains. Security policies can be applied to virtual networks within the same region and can be linked to multiple VNets. Organizations can gain deep visibility into DNS traffic by sending detailed logs to a storage account, Log Analytics workspace, or Event Hubs. The feature also supports granular DNS traffic rules and location-based domain lists, providing a powerful mechanism to enhance DNS security and compliance across Azure environments.

FQDN Filtering in DNAT Rules in Azure Firewall

Azure Firewall now supports Fully Qualified Domain Name (FQDN) filtering in Destination Network Address Translation (DNAT) rules, which is now generally available. This feature allows administrators to define backend resources using domain names instead of static IP addresses for inbound traffic routing. It is particularly beneficial in environments where backend IPs are dynamic or managed via DNS. With FQDN-based targeting, organizations gain improved flexibility and easier backend management. Additionally, administrators can monitor DNAT activity through AZFWNatRule logs to ensure proper policy enforcement and troubleshooting.

Customer Controlled Maintenance for Azure Firewall

Azure Firewall now supports customer-controlled maintenance windows, offering greater flexibility and operational control. With this update, users can define a recurring daily maintenance window of at least five hours during which updates and upgrades to the firewall will be applied. Firewalls that are configured with such a maintenance policy will not undergo upgrades outside the specified window, reducing the likelihood of unexpected downtime and allowing organizations to align updates with their internal change management processes. This enhancement helps ensure service continuity and better aligns with enterprise maintenance practices.

Storage

Granular Role-Based Access Control (RBAC) for Azure File Sync

Azure File Sync now includes two new built-in RBAC roles: Azure File Sync Administrator and Azure File Sync Reader. These roles are designed to improve security and streamline operations by offering more granular access control than traditional roles such as Owner or Contributor. With these purpose-built roles, organizations can better enforce the principle of least privilege when assigning permissions related to Azure File Sync. Users can create and manage essential components such as Storage Sync Services, Sync Groups, Server Endpoints, and Cloud Endpoints, as well as register servers, all while avoiding broader permissions like VM management. This update removes the need to define custom roles for common administrative tasks, supporting compliance and operational efficiency by limiting access only to what is required.

Encryption in Transit for Azure Files NFS Shares

Encryption in Transit (EiT) for Azure Files NFS shares is now generally available, providing secure data transmission over the network by using TLS 1.3. This enhancement ensures the confidentiality, integrity, and authenticity of all NFS traffic. It supports a wide range of environments, including all major Linux distributions, Azure Linux virtual machines, and on-premises Linux servers. To simplify deployment, Microsoft offers the open-source AZNFS mount helper, which automates the TLS tunneling and volume mount process. This added security layer helps organizations meet compliance requirements while preserving performance and usability in enterprise-scale file sharing scenarios.

Azure Storage Mover Adds Free, Direct AWS S3-to-Azure Blob Migration (preview)

Azure Storage Mover has introduced a new public preview feature that enables free, direct migration of data from Amazon S3 to Azure Blob Storage. Designed for organizations with multi-cloud strategies or planning a complete transition to Azure, this Cloud-to-Cloud migration capability supports secure, petabyte-scale data transfers without disrupting ongoing operations. In addition to this new path, Azure Storage Mover already supports migrating on-premises SMB shares to Azure File and transferring both SMB and NFS data to Azure Blob Storage. The integration of Azure Arc streamlines authentication when connecting to AWS, ensuring secure and seamless operations. As a fully managed and cost-free service, Azure Storage Mover helps businesses modernize their storage architectures more efficiently and with minimal complexity.

Azure Local

Updates in the 2506 Release

The 2506 release of Azure Local delivers a comprehensive set of updates across operating system support, security, networking, and deployment processes. New deployments now use OS version 26100.4349, with driver compatibility required for this version or Windows Server 2025. Existing deployments remain on version 25398.1665. The release also integrates improved deployment validation through updated environment checkers for Microsoft On-premises Cloud and Azure Resource Bridge. On the security front, a new baseline expands to 407 evaluated rules, improving alignment with CIS and DISA STIG standards, and introduces enhanced Microsoft Defender Antivirus configurations. Administrators can now fine-tune drift control settings instead of disabling them globally, and the minimum password length has been raised to 14 characters to meet NIST 2 compliance. In preview, Software-Defined Networking (SDN) enabled by Azure Arc allows the creation and assignment of Network Security Groups (NSGs) and security rules for a consistent cloud-to-edge networking model. Additional features include an overprovisioning alert to warn of insufficient compute capacity before updates, .NET 8.0.17 runtime support, and the archival of Azure Local version 22H2 documentation. Notably, this release is not supported for Azure Local instances deployed in Azure Government cloud.

Conclusion

Azure IaaS and Azure Local: announcements and updates (June 2025 – Weeks: 25 and 26)

Azure

General

Microsoft announces comprehensive sovereign solutions for European organizations (preview)

Microsoft has introduced a broad expansion of its sovereign cloud offerings with the goal of empowering European organizations with enhanced data privacy, operational autonomy, and digital resilience. Building on its longstanding presence in Europe, the new Microsoft Sovereign Cloud initiative spans public cloud, private cloud infrastructure, and national partner environments. Among the new capabilities announced are Data Guardian, which ensures only European personnel oversee remote system access; External Key Management, allowing customers to control encryption with their own HSMs; and Regulated Environment Management, a centralized portal for configuring and monitoring sovereign workloads.

The Sovereign Public Cloud—an evolution of the Microsoft Cloud for Sovereignty—supports Microsoft Azure, Microsoft 365, Security, and Power Platform services across all European datacenter regions, guaranteeing data stays within the EU and is operated under European law by local staff. Additionally, Sovereign Private Cloud (preview), powered by Azure Local and the newly announced Microsoft 365 Local, enables deployment of productivity and cloud services in customer-controlled environments, supporting high levels of compliance and business continuity.

Microsoft is also expanding support for National Partner Clouds through collaborations such as Bleu in France and Delos Cloud in Germany, offering independently operated sovereign environments. These initiatives aim to deliver the most comprehensive sovereignty solutions in the industry, allowing European customers to operate confidently and in full compliance with evolving regulations—without sacrificing access to innovation or requiring data migration.

Microsoft Azure now available from new cloud region in Chile

Microsoft has announced the general availability of its first cloud region in Chile, further expanding its global infrastructure footprint. The new Chile Central region offers Azure Availability Zones and provides scalable, highly available, and resilient cloud services to customers across Latin America and beyond. This launch reinforces Microsoft’s commitment to accelerating digital transformation and innovation in Chile, while ensuring high standards of security, privacy, and regulatory compliance for data residency. Organizations in the region can now benefit from low-latency access to trusted Microsoft Cloud services hosted within the country.

Compute

Azure FXv2-series Virtual Machines

Microsoft has announced the General Availability of Azure FXv2-series Virtual Machines (VMs), powered by the 5th Generation Intel® Xeon® Platinum 8573C processor. These VMs deliver substantial enhancements in CPU performance, memory capacity, and storage throughput, making them ideal for compute-intensive workloads such as databases and data analytics. The FXv2-series VMs provide up to 50% better CPU performance compared to the previous generation, with sizes supporting up to 96 vCPUs and 1,832 GiB of memory. NVMe support ensures high-performance remote storage, with up to 400K IOPS and 11.25 GBps throughput. Designed for high-demand scenarios, such as SQL Server and electronic design automation (EDA), the FXv2-series offers enhanced memory configurations and improved I/O bandwidth.

Networking

Azure WAF integration in Microsoft Security Copilot

The integration of Azure Web Application Firewall (WAF) with Microsoft Copilot for Security has reached general availability. This integration spans both Azure Front Door WAF and Azure Application Gateway WAF, enabling organizations to enhance their threat detection and response capabilities through AI-powered insights. The solution provides automated analysis of SQL Injection (SQLi) and Cross-Site Scripting (XSS) attacks, delivering summaries and justifications for WAF actions. It also includes advanced diagnostics such as tracking attack trends, identifying top offending IPs, and analyzing frequently triggered WAF rules. These features help security teams streamline investigations and proactively adjust their defenses based on real-time intelligence.

Azure Virtual Network Manager IP address management

The IP address management capability in Azure Virtual Network Manager is now generally available, offering centralized tools to enhance IP planning and allocation across complex network environments. This feature allows automatic assignment of non-overlapping IP addresses, supports IP reservations for specific workloads, and prevents conflicts across Azure, on-premises, and multi-cloud environments. Integrated with Azure Policy, it also enforces network creation using designated IP pools, ensuring consistency and compliance. The feature provides clear visibility into IP usage across network resources, helping organizations maintain efficient and conflict-free IP address spaces.

Draft & Deploy on Azure Firewall (preview)

The new Draft & Deploy feature for Azure Firewall Policy introduces a more efficient, two-phase approach to managing firewall configurations, now available in public preview. Previously, any change to a policy would initiate a full deployment of both the policy and associated firewall, resulting in delays of 2–4 minutes per update. With this feature, users can create a draft version cloned from the current policy, allowing collaborative edits without impacting the live environment. Once all changes are finalized, the updated policy can be deployed in a single operation, streamlining the update process and reducing operational disruption.

Azure Front Door supports managed certificate for wildcard domains (preview)

Azure Front Door Standard and Premium profiles now support managed certificates for wildcard domains, a feature previously limited to Bring Your Own Certificate (BYOC) configurations. This enhancement allows customers to secure multiple subdomains using a single managed certificate, which is especially beneficial for SaaS providers and organizations operating large-scale, multi-tenant applications. The new capability simplifies operations by eliminating the need to manage certificates per subdomain, improves scalability by reducing configuration overhead, and enhances security through automated certificate renewals.

Storage

Transition existing platform-managed keys to customer-managed keys for Azure NetApp Files volumes

Customers can now seamlessly transition Azure NetApp Files volumes from platform-managed keys (PMK) to customer-managed keys (CMK), without requiring data migration. This capability is now generally available across all Azure NetApp Files supported regions. Using CMK provides enhanced security and control, allowing organizations to manage their own encryption key lifecycle, including renewals and rotations. It also aligns with stringent regulatory and compliance requirements typical in industries such as finance, healthcare, and government. Importantly, there is no performance impact when using CMK, as the feature simply secures the account encryption key with Azure Key Vault, offering protection against unauthorized access and insider threats.

Conclusion

Azure IaaS and Azure Local: announcements and updates (June 2025 – Weeks: 23 and 24)

Azure

Compute

New Storage Optimized Laosv4, Lasv4, and Lsv4 Azure VM Series

Azure has announced the general availability of the Laosv4, Lasv4, and Lsv4 storage-optimized virtual machine series. The Laosv4 and Lasv4 VMs are powered by 4th Gen AMD EPYC™ (Genoa) processors, while the Lsv4 series uses 5th Gen Intel® Xeon® (Emerald Rapids) CPUs. These VMs offer sizes ranging from 2 to 96 vCPUs, with 8GB of memory and substantial local NVMe disk capacity per vCPU. In particular, the largest VMs offer up to 23TB of local storage. All three VM series come with Azure Boost and Azure Boost SSDs, support NVMe local SSD disk encryption by default, and feature an NVMe remote storage interface with premium storage caching, enhancing remote storage performance. These VMs are ideal for storage-intensive, distributed workloads such as big data analytics, Elasticsearch, distributed file systems, and data warehousing, delivering the high performance and flexibility needed for modern enterprise applications.

Networking

Profile and Route WAF Policies on Azure Front Door (private preview)

Azure has introduced a private preview of profile and route-based Web Application Firewall (WAF) policies for Azure Front Door. Previously, WAF policies could only be associated with a Front Door instance via frontends or custom domains. With this update, WAF policies can now also be applied at the Front Door profile level and at the individual route level within a domain. This new flexibility allows administrators to define a global policy at the profile level to cover all associated domains, while also enabling more granular security through route-specific policies. For instance, more sensitive routes—such as login or payment pages—can have stricter rules applied. The policy hierarchy ensures that more specific policies override broader ones: route-level policies take precedence over domain-level policies, which in turn override profile-level policies. This enhancement empowers organizations to implement targeted protection strategies within a unified WAF framework.

Azure Virtual Network Manager in Azure China

Azure Virtual Network Manager is now generally available in Azure China, bringing centralized control over connectivity, security rules, and routing configurations across subscriptions at scale. This service simplifies network topology management using hub-and-spoke or mesh configurations, helping administrators ensure consistent connectivity and policy enforcement throughout complex environments. The security admin rules feature allows organizations to define security policies that take precedence over traditional Network Security Group (NSG) rules, helping to avoid misconfigurations and maintain compliance across environments. Additionally, flow logs offer visibility and diagnostics for traffic governed by these rules. Routing configurations can also be standardized and applied automatically to multiple subnets or virtual networks, supporting scenarios like routing spoke traffic through Azure Firewall or enabling cross-hub connections, further simplifying enterprise network architecture.

Storage

Archive Access Tier Now Available in Italy North

The Archive access tier for Azure Blob Storage is now generally available in the Italy North region. This development enables customers to store infrequently accessed data in a highly cost-effective manner while ensuring data residency and compliance with Italian regulations. Ideal for long-term data retention, backup, and compliance scenarios, the Archive tier supports comprehensive data lifecycle management. Users can manage data in the Archive tier through the Azure portal, CLI, PowerShell, or REST API. With this release, the Italy North region now supports the full spectrum of Azure Blob Storage tiers—Hot, Cool, Cold, and Archive—aligning it with other fully featured Azure regions.

Azure Storage Mover support for SMB source to Azure Blob target

Azure Storage Mover has expanded its capabilities to support the migration of SMB shares directly to Azure Blob containers. This fully managed migration service enables seamless and secure transfer of on-premises files and folders to Azure Storage, minimizing downtime during migration processes. With integration features like just-in-time permission setting and Azure Key Vault support, organizations can perform secure migrations end-to-end. This enhancement complements the existing support for migrations from NFS shares to Azure Blob and from SMB sources to Azure File shares.

NFS Azure Files volume mount support in Azure Container Apps (preview)

Azure Container Apps now support mounting Network File System (NFS) Azure Files volumes to containerized applications. This enhancement allows developers to leverage a scalable and high-performance file system that can be shared across multiple containers within an application. The use of NFS Azure Files volumes also ensures data persistence across container restarts, making it ideal for stateful workloads or data-intensive jobs running in container environments.

Encrypt Premium SSD v2 and Ultra Disks with Cross-Tenant Customer Managed Keys (preview)

Microsoft has introduced a public preview for encrypting Premium SSD v2 and Ultra Disks using Cross-Tenant Customer Managed Keys (CMK) in select regions. This feature enables encryption of managed disks using a CMK that resides in an Azure Key Vault located in a different Microsoft Entra tenant from the disk itself. This advancement is particularly beneficial for service providers building Software as a Service (SaaS) solutions on Azure, as it allows their customers to manage their own encryption keys independently. Customers can now host and control their CMKs in their own tenant, granting them full sovereignty over their data and encryption practices.