AZURE Cloud Monthly Updates Newsletter – July 2025
Welcome to the Monthly newsletter, which provides information about the changes or new services announced in the Azure Cloud.
This newsletter features the latest product updates and new services announced for Azure Cloud, focusing on Compute, Storage, Networking, Security, and Containers as of July 2025. I've gathered comprehensive information to help you. Stay tuned for valuable insights!
About the Author: Santhosh (Santhoshkumar) Anandakrishnan - Azure Cloud MVP and Lead Cloud architect with 18 years in Cloud, Infrastructure & Security, specialising in public and hybrid cloud solutions. You can visit my blog to read more about my work on Azure cloud services.
1. Azure Compute and Identity Services
1.1 Generally Available: Live Resize for Premium SSD v2 and Ultra NVMe Disks.
This feature enables the dynamic expansion of disk storage capacity without disrupting applications. It allows for cost optimisation by starting with smaller disks and gradually increasing their storage capacity as requirements change, all while maintaining operational continuity.
What is changing with this update? You can expand Ultra Disks and Premium SSD v2 disks connected to VMs via NVMe controllers without experiencing downtime in all regions that support these disk types.
Click here to learn more about this update.
2. Azure Data and Storage Services
2.1 Generally Available: Log or block shared access signatures (SAS) tokens for Azure Storage based on expiration policy.
A SAS expiration policy can be configured on the storage account. This policy defines the maximum duration for the validity of a user delegation, a service SAS, or an account SAS. The upper limit is set as a date/time value that combines days, hours, minutes, and seconds.
What is changing with this update? Administrators can set the validity period of a SAS through the SAS expiration policy, with the option to extend it using the SAS signed expiry date. The SAS expiration action allows configuration of responses for non-compliant SAS tokens, including logging the event or blocking the request.
Click here to learn more about this update.
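The comparison a SAS expiration policy makes can be reproduced offline to audit tokens already in circulation before choosing between logging and blocking. The Python below is an added example, not code from Microsoft or from this newsletter; it assumes the token carries the standard st (signed start) and se (signed expiry) query parameters, that the upper limit is written as days.hours:minutes:seconds, and that a token with no st is flagged as non-compliant. The function names and sample URLs are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

PERIOD_RE = re.compile(r"^(\d+)\.(\d{1,2}):(\d{2}):(\d{2})$")
TIME_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")

def parse_period(text):
    """Turn a days.hours:minutes:seconds upper limit into a timedelta."""
    m = PERIOD_RE.match(text)
    if not m:
        raise ValueError(f"expected D.HH:MM:SS, got {text!r}")
    days, hours, minutes, seconds = map(int, m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)

def parse_sas_time(value):
    """Parse the UTC timestamp forms a SAS may carry in st/se."""
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unrecognised SAS time: {value!r}")

def evaluate_sas(url, period, action="Log"):
    """Return (outcome, reason); outcome is 'allow', 'log' or 'block'."""
    if action not in ("Log", "Block"):
        raise ValueError("action must be 'Log' or 'Block'")
    query = parse_qs(urlsplit(url).query)
    start, expiry = query.get("st"), query.get("se")
    reason = None
    if not expiry:
        reason = "no signed expiry (se) in token"
    elif not start:
        # Assumption: without st the interval cannot be measured, so flag it.
        reason = "no signed start (st) in token"
    else:
        lifetime = parse_sas_time(expiry[0]) - parse_sas_time(start[0])
        if lifetime > parse_period(period):
            reason = f"lifetime {lifetime} exceeds policy {period}"
    if reason is None:
        return "allow", "within policy"
    return action.lower(), reason

# Constructed sample tokens; the account name and sig values are placeholders.
BASE = "https://exampleacct.blob.core.windows.net/c/b.txt?sv=2022-11-02&sp=r&sig=PLACEHOLDER"
SAMPLES = {
    "short": BASE + "&st=2025-07-01T00:00:00Z&se=2025-07-01T12:00:00Z",
    "week": BASE + "&st=2025-07-01T00:00:00Z&se=2025-07-08T00:00:00Z",
    "no_start": BASE + "&se=2025-07-08T00:00:00Z",
}

if __name__ == "__main__":
    for name, url in SAMPLES.items():
        print(name, evaluate_sas(url, "1.00:00:00", action="Block"))
```

Running the audit with the action set to Log first shows which issued tokens would start failing once the action is switched to Block.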
2.2 Public Preview: New SQL Server database migration in Azure Arc.
Migrating SQL Server workloads to Azure has become easier with a unified interface in the Azure portal. This new experience reduces migration timelines from months to days and offers real-time replication, ensuring minimal downtime during the process.
What is changing with this update? The new Azure Arc migration experience helps you move to Azure SQL Managed Instance easily and quickly. This process uses the Azure Database Migration service and can be done in just a few days.
Click here to learn more about this update.
3. Network and Security Services:
3.1 Generally Available: Customer-Controlled Maintenance.
Azure cloud allows customers to configure the maintenance windows for the network gateways.
What is changing with this update? This enables customers to utilise configurable maintenance windows for scheduling maintenance of the Point-to-Site VPN Gateway (P2S VPN) within the Virtual WAN Service. With the general availability of P2S VPN in Virtual WAN Service, customers can configure maintenance windows for all gateway resources across ExpressRoute, VPN, and Virtual WAN services. These resources include:
Virtual Network Gateway in ExpressRoute service,
Virtual Network Gateway in VPN Gateway service,
Site-to-Site VPN Gateway in Virtual WAN service,
Point-to-Site VPN Gateway in Virtual WAN service, and
ExpressRoute Gateway in Virtual WAN service.
Click here to learn more about this update.
3.2 Generally Available: ExpressRoute Auto-assigned Public IP for ExpressRoute Gateways
Starting now, all new ExpressRoute Virtual Network Gateways will automatically get Public IP addresses. This change simplifies setting up gateways, as you no longer need to assign a Public IP address manually.
Please note that this change does not affect existing gateways.
What is changing with this update? The Auto-Assigned Public IP feature streamlines the deployment of your ExpressRoute gateway by allowing Microsoft to handle the necessary public IP address for you. With this enhancement, there’s no need to create or manage a separate public IP resource for your gateway when using PowerShell or CLI.
Click here to learn more about this update.
3.3 Public Preview: WAF running on Application Gateway for Containers.
The Application Gateway for Containers is the next evolution in the Application Gateway product. With Azure WAF support, it now protects workloads from web attacks like SQL injections and cross-site scripting.
What is changing with this update? With this change, WAF is supported in Azure Application Gateway for Containers. When you use a Web Application Firewall (WAF) to protect your Application Gateway for Containers, you get access to Azure’s Default Rulesets (DRS). These rules help defend against the threats catalogued by the Open Web Application Security Project (OWASP) and provide extra protection from Microsoft’s Threat Intelligence Centre (MSTIC). WAF users of Application Gateway for Containers also benefit from bot protection with Bot Manager rulesets and can guard against DDoS attacks by using rate-limiting custom rules.
Click here to learn more about this update.
3.4 Generally Available: Azure Firewall now supports ingestion-time transformation in Log Analytics for flexible, cost-efficient logging.
Azure Firewall has introduced a new feature that allows for ingestion-time transformation of logs in Log Analytics. This enhancement enables users to log selectively and apply advanced filtering to their firewall logs.
What is changing with this update? The significance of this feature lies in its potential to reduce costs for customers who utilise Log Analytics for firewall log analysis. Log ingestion and storage can be expensive, but with the ability to filter and transform logs before ingestion, organisations can manage their costs more effectively while still preserving essential data.
Click here to learn more about this update.
3.5 Generally Available: FQDN filtering in DNAT rules in Azure Firewall.
What is changing with this update? Azure Firewall allows using Fully Qualified Domain Names (FQDNs) in DNAT rules, enabling inbound traffic routing to backend resources via domain names instead of static IPs. This is useful for scenarios where backend IP addresses are dynamic or where backends are managed through DNS.
Click here to learn more about this update.
3.6 Generally Available: Customer-controlled maintenance for Azure Firewall.
Azure Firewall allows users to establish a maintenance window with a minimum duration of 5 hours.
What is changing with this update? This feature is designed to accommodate user requirements and reduce the likelihood of unexpected downtime. Firewalls that have a specified maintenance configuration will not receive upgrades outside of the assigned maintenance period.
Click here to learn more about this update.
3.7 Public Preview: Azure Virtual Network Manager high-scale private endpoints in connected groups.
What is changing with this update? This feature supports up to 2,000 private endpoints within a connected group, enabling you to scale workloads more effectively in Azure.
4. Azure Container Services:
4.1 Generally Available: Azure CNI static block allocation for pod subnet.
Azure CNI Pod Subnet: Static Block Allocation enables VNET routed IP addresses that can scale to over 1M pods, providing the simplicity and low latency of a flat network.
What is changing with this update? With this update, each node is allocated specific CIDR blocks, from which all pods on that node receive their IP addresses. This method allows for significant scalability—capable of supporting up to 1 million pods—previously only achievable through overlay networks, while still enjoying all the advantages of a flat network architecture.
Click here to learn more about this update.
4.2 Generally Available: Cluster Extension Manager moves to the AKS control plane.
What is changing with this update? The Extension Manager, essential for managing AKS cluster extensions, has been moved from customer worker nodes to the AKS control plane. This change enhances security, simplifies networking, and reduces operational overhead, resulting in a more efficient experience for managing extensions.
Click here to learn more about this update.
4.3 Public Preview: Max blocked nodes allowed support in AKS.
What is changing with this update? The max blocked nodes allowed feature in AKS allows users to specify the number of nodes that can fail to drain (blocked nodes) during upgrades or similar operations. This feature operates only if the undrainable node behaviour property is set; otherwise, the command will result in an error.
Click here to learn more about this update.
4.4 Generally Available: Virtual machine node pool.
Azure Kubernetes Service (AKS) manages the setup and start of each node in Virtual Machine node pools.
What is changing with this update? When you deploy a workload on AKS, each node pool usually contains only one type of virtual machine (VM). However, with Virtual Machines node pools, you can include different types of VMs from the same family in one node pool.
This approach lets you use a group of similar VM types without needing a separate node pool for each type. This way, you reduce the number of node pools you need.
Click here to learn more about this update.
4.5 Generally Available: CLI command for migration from Availability sets and Basic load balancer on AKS.
Availability Sets and the Basic load balancer will be deprecated on September 30, 2025.
What is changing with this update? AKS now supports a new Azure CLI command in public preview that allows for automatic migration from Availability Sets to Virtual Machines node pool and upgrades the load balancer from Basic to Standard in a single operation.
Click here to learn more about this update.
4.6 Generally Available: Node auto-provisioning support in AKS.
What is changing with this update? Node Auto-Provisioning (NAP) automatically creates single-instance nodes (VMs) for unscheduled pods, removing the need for pre-set node pools.
With NAP, you can scale resources on demand, matching them precisely with your workload, which improves efficiency and cost control.
Click here to learn more about this update.
5. Azure PaaS Services:
5.1 Generally Available: Log Analytics Summary Rules.
Summary rules facilitate the summarisation of high-ingestion rate streams across Analytics, Basic, or Auxiliary plans. This mechanism enables robust analysis, effective dashboarding, and comprehensive long-term reporting on summarised Analytics tables, thereby enhancing data management and interpretation.
What is changing with this update? Summary rules enable batch processing in a Log Analytics workspace by aggregating data segments based on a KQL query. They re-ingest summarised results into a custom log table, optimising data for analysis and reporting while enhancing cost efficiency, security, and data privacy.
Click here to learn more about this update.
5.2 Generally Available: Azure Backup standard policies support for Trusted Launch Virtual machines.
Azure Backup now offers General Availability support for applying standard backup policies to Trusted Launch Virtual Machines.
What is changing with this update? This means customers can back up the secure VMs using the standard backup policy, which allows daily backups with a 30-day retention for the backups and a 2-day retention for instant recovery snapshots. Backups configured with the Enhanced policy continue to take backups of VMs after you enable Trusted Launch.
Click here to learn more about this update.
5.3 Generally Available: Migrate Azure VM backups from standard to enhanced policy.
Azure Backup now allows for the migration of VM backups from the standard policy to the enhanced policy.
What is changing with this update? This upgrade enables scheduling of multiple backups daily—up to every four hours—longer snapshot retention, and multi-disk crash consistency. Snapshots in the enhanced policy are zonally resilient, and this migration also supports moving VMs to Trusted Launch, as well as utilising Premium SSD v2 and Ultra disks without interrupting existing backups.
Click here to learn more about this update.
6. Azure Retirement Services:
6.1 Azure Front Door (Classic) and Azure CDN from Microsoft Classic SKU ending CNAME-based domain validation and new domain/profile creations by August 15, 2025.
Starting August 15, 2025, Azure Front Door (classic) and Azure CDN from Microsoft Classic SKUs will no longer support new domain onboarding or profile creation. DigiCert will also discontinue CNAME-based Domain Control Validation (DCV) on this date. As a result, switching from Bring Your Own Certificate (BYOC) to managed certificates for existing domains will not be supported. Existing managed certificates will auto-renew before this date, ensuring no service disruption until April 14, 2026.
Required Action:
To use managed certificates or create new domains/profiles, migrate to Azure Front Door Standard or Premium SKUs before August 15, 2025.
If you’re using an Azure-managed certificate on existing domains, switch to BYOC or migrate to Standard or Premium SKUs by the same date. For details, refer to the documentation on Configure HTTPS for your custom domain.
Please subscribe to the Azure Cloud Monthly Updates newsletter for updates on Azure cloud services. Don’t miss our next edition!
Thanks for taking the time to read the newsletter. I appreciate your feedback, and I would like to invite you to contribute suggestions for improvement in the comments section. Your insights will help us enhance our content. Thank you.