Azure Cloud Monthly Updates Newsletter – May 2025
Welcome to Azure Cloud updates!
This newsletter highlights the latest product features and new services announced for Azure Cloud, with a focus on Compute, Storage, Networking, Security, and Containers, as of May 2025. I have compiled comprehensive updates and information to help you. Stay with us for valuable insights!
About the Author: Santhosh (Santhoshkumar) Anandakrishnan - Azure Cloud MVP and Lead Cloud Architect with 18 years in Cloud, Infrastructure & Security, specialising in public and hybrid cloud solutions.
You can visit my blog to read more about my work on Azure cloud services.
1. Azure Compute Services
1.1 Generally Available: Azure Quota Groups
Azure Quota Groups enable you to share quotas across multiple subscriptions, thereby reducing the number of quota transactions. This allows you to manage your quota at the group level without needing approvals.
What is changing with this update? This feature enables quota sharing across a group of subscriptions, reducing the number of individual quota transactions. It is available only for Enterprise Agreement and Internal subscriptions, and it supports IaaS compute resources only.
Click here to learn more about this update.
1.2 Public Preview: Network Optimised Azure VMs.
What is changing with this update? The Network Optimised sizes leverage Azure Boost enhancements for increased network bandwidth per vCPU, more vNICs, and improved connection setup performance. They extend the v6 Intel DN/DLN/EN disk and disk-full VM SKUs.
Click here to learn more about this update.
2. Azure Data and Storage Services
2.1 Public Preview: Live Re-size of Premium SSD v2 and ultra NVMe disks.
Data disks can be expanded without deallocating the virtual machine (VM). The host cache setting of a disk does not affect the ability to expand it this way.
What is changing with this update? This feature enables you to expand your disk storage capacity without disrupting applications. You can start with smaller disks and increase their capacity as needed, optimising costs while ensuring no downtime.
Click here to learn more about this update.
2.2 Generally Available: Customer-managed keys for Azure NetApp Files volume encryption with Azure Key Vault Managed HSM.
What is changing with this update? Azure NetApp Files has enhanced its volume encryption by supporting customer-managed keys via Azure Key Vault Managed HSM. This upgrade raises key protection from FIPS 140-2 Level 2 to Level 3, making it ideal for critical deployments.
HSM security is utilised in applications such as payment processing, encryption, and authentication. Key industries utilising HSMs include financial services, the public sector, IT and telecommunications for secure communications, and the energy sector for safeguarding critical infrastructure.
Click here to learn more about this update.
2.3 Public Preview: Encryption in Transit for Azure Files NFS Shares
Azure Files NFS shares now support in-transit encryption with the AZNFS Mount Helper, ensuring end-to-end encryption for traffic between clients and servers.
What is changing with this update? This tool enables the flexible mounting of shares with or without TLS, allowing organisations to maintain security and compliance while making minimal operational changes.
Click here to learn more about this update.
2.4 Generally Available: Azure NetApp Files Cross-Zone and Cross-region replication across subscriptions.
What is changing with this update? Cross-zone-region replication is an enhancement of cross-region and cross-zone replication. This feature enables the configuration of two protection volumes, utilising a combination of cross-region and cross-zone replication, for a single source volume. Additionally, replication is supported across subscriptions within the same tenant.
Click here to learn more about this update.
2.5 Generally Available: Azure NetApp Files Support for Active Directory connection per NetApp Account.
What is changing with this update? This feature enables multiple Active Directory connections within a single subscription, allowing for operational isolation and tailored hosting scenarios. Users can configure Active Directory connections for various NetApp accounts, making it easier to manage SMB volumes. This enhancement streamlines and scales the management of Active Directory environments.
Click here to learn more about this update.
3. Network and Security Services:
3.1 Generally Available: DNAT on Azure Firewall Private IP address.
Azure Firewall improves the DNAT rule configuration by enabling port translations on its private IP address. Destination Network Address Translation (DNAT) rewrites the destination IP address and/or port of a routed packet and reverses the translation for any responses. In other words, DNAT translates destination IP addresses.
What is changing with this update? DNAT on Azure Firewall with private IP addresses enables the connection of overlapping IP networks, which is common for enterprises onboarding partners or merging through acquisitions. This capability is crucial in hybrid environments, enabling on-premises data centres to communicate effectively with Azure using non-routable IP addresses.
Click here to learn more about this update.
3.2 Public Preview: Azure Front Door now supports origin authentication via managed identities.
Front Door Standard and Premium now support authenticated requests to origins using Managed Identities, enhancing security by allowing only approved Front Door profiles to access them.
What is changing with this update? This feature removes the need for manual credential management, reducing the risk of credential leakage. After you enable managed identity for Azure Front Door and grant it the appropriate permissions, Front Door uses the managed identity to obtain an access token from Microsoft Entra ID. The token is included in the Authorization header with the Bearer scheme before the request is forwarded to the origin. The token is cached until expiration.
Click here to learn more about this update.
3.3 Generally Available: Azure Private Subnet
What is changing with this update? The private subnet feature enhances security by turning off implicit outbound connectivity for newly created subnets: the "default outbound access" parameter is set to false. Users can select their preferred method for explicit outbound connectivity, such as a NAT Gateway or a Public IP address.
Starting September 30, 2025, new virtual networks will default to private subnets, requiring an explicit outbound method to access public endpoints on the Internet and within Microsoft.
Click here to learn more about this update.
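An added example (not from the newsletter or from Microsoft): a small audit that classifies subnets by the default outbound access setting described in 3.3, run over a constructed export. The JSON field names `defaultOutboundAccess` and `natGateway` are assumed to match the subnet records returned by `az network vnet list`; a public IP attached to a NIC is not visible at subnet level and is not checked here.

```python
import json

# Constructed sample, shaped like `az network vnet list -o json` output.
# Field names (defaultOutboundAccess, natGateway) are assumed from the ARM
# subnet schema; resource names and IDs are made up.
SAMPLE = json.loads("""
[
  {"name": "vnet-app", "subnets": [
    {"name": "web", "defaultOutboundAccess": false,
     "natGateway": {"id": "/subscriptions/0000/natGateways/ngw-app"}},
    {"name": "batch", "defaultOutboundAccess": false, "natGateway": null},
    {"name": "legacy"},
    {"name": "build", "defaultOutboundAccess": true,
     "natGateway": {"id": "/subscriptions/0000/natGateways/ngw-app"}}
  ]}
]
""")


def classify_subnet(subnet):
    """Return the outbound posture of one subnet record."""
    # Only an explicit false makes the subnet private; a missing or null
    # value leaves default outbound access in place.
    private = subnet.get("defaultOutboundAccess") is False
    has_nat = bool((subnet.get("natGateway") or {}).get("id"))
    if private and has_nat:
        return "private-nat"          # explicit egress, implicit path closed
    if private:
        return "private-no-nat"       # egress only via another explicit method
    if has_nat:
        return "nat-not-enforced"     # explicit egress exists, flag not set
    return "implicit-outbound"        # may rely on default outbound access


def audit(vnets):
    """Map 'vnet/subnet' to its posture for every subnet in the export."""
    return {
        f"{vnet['name']}/{subnet['name']}": classify_subnet(subnet)
        for vnet in vnets
        for subnet in vnet.get("subnets") or []
    }


def needs_review(vnets):
    """Subnets to look at before relying on private subnets everywhere."""
    return sorted(k for k, v in audit(vnets).items() if v != "private-nat")


if __name__ == "__main__":
    for key, posture in audit(SAMPLE).items():
        print(f"{posture:18} {key}")
```

Subnets reported as `implicit-outbound` are the ones whose workloads may lose Internet access if they are recreated as private subnets without an explicit outbound method.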
3.4 Public Preview: Microsoft Defender for Cloud - Azure Kubernetes Service (AKS).
Microsoft Defender for Cloud now supports Azure Kubernetes Service (AKS) nodes. The following features are available:
Vulnerability assessment and malware detection for AKS nodes: Vulnerability assessments and malware detection for nodes within Azure Kubernetes Service (AKS) are essential for enhancing security. By securing these Kubernetes nodes, organisations can enhance their overall security posture, ensure compliance within their managed Kubernetes environments, and gain a deeper understanding of their roles within the shared security model of the cloud. Click here to learn more about this update.
AKS Security Dashboard: The Azure Kubernetes Service (AKS) security dashboard provides visibility and automated remediation for security issues through the Azure portal, helping teams secure their Kubernetes environment more effectively. Click here to learn more about this update.
Agentless runtime vulnerability assessments for AKS-owned images: This feature helps users identify which images are owned by AKS and which ones belong to customers. It shows any security vulnerabilities (CVEs) in the AKS image and suggests the AKS version or release that includes fixes for these vulnerabilities. Click here to learn more about this update.
Onboarding of individual AKS clusters in MDC. Microsoft Defender for Cloud has enhanced resource-level onboarding for AKS clusters, eliminating the need to onboard an entire subscription at once. This feature offers agentless and sensor-based alerts directly within the AKS dashboard, enabling better management of sensor onboarding and offboarding. It also displays security findings from the cluster operator's perspective, improving the overall security management experience. Click here to learn more about this update.
3.5 Public Preview: VM Network Troubleshooter.
What is changing with this update? Customers can now identify blocked ports more efficiently with the latest enhancement to the Azure Portal. The VM Overview blade now includes a troubleshooter tool that enables users to run network diagnostics and check for standard ports that may be blocked. This enhancement streamlines the process of identifying and resolving common network issues.
Click here to learn more about this update.
4. Azure Container Services:
4.1 Public Preview: Automated deployments support in Azure Kubernetes Fleet Manager.
What is changing with this update? Azure Kubernetes Fleet Manager now supports automated deployments in public preview. This feature enables GitHub repositories to be associated with a Fleet Manager hub cluster for building and staging applications. It can utilise existing artifacts or containerise and publish the source code to an Azure Container Registry, generating Kubernetes manifests. A GitHub Action workflow is triggered with any source code updates for continuous deployment.
Click here to learn more about this update.
4.2 Public Preview: Azure Kubernetes Fleet Manager now supports placement drift detection and takeover.
What is changing with this update? The new “applyStrategy” feature allows operators to define the conflict resolution process for the Fleet Manager when placing a workload that conflicts with an existing workload. It also provides guidance on handling configuration drift for deployed workloads. Additionally, the “ReportDiff” apply mode enables operators to review the drift state of a workload across all clusters where it is deployed.
Click here to learn more about this update.
4.3 Public Preview: Azure Kubernetes Fleet Manager now supports DNS-based public load balancing.
What is changing with this update? Azure Kubernetes Fleet Manager now supports DNS-based public load balancing via Azure Traffic Manager integration. Services across multiple clusters can be included in a Traffic Manager backend, accessible through a public, load-balanced endpoint in a Traffic Manager profile. A weighted profile routes traffic across clusters, with health checks that automatically manage traffic to unhealthy clusters.
Click here to learn more about this update.
4.4 Generally Available: Connected registry in Azure Container Registry.
What is changing with this update? Azure Container Registry (ACR) now offers a connected registry, which lets you manage local resources using cloud-based ACR. You can set it up through the Azure Portal or Command Line Interface (CLI) on Kubernetes clusters with Azure Arc or in on-site or remote environments. The connected registry syncs images and other container artifacts between ACR and your local registry, providing a consistent management solution for both cloud and on-premises setups.
Click here to learn more about this update.
4.5 Generally Available: Track AKS-supported Kubernetes version regional updates in the AKS release tracker.
What is changing with this update? AKS-supported Kubernetes version release information is available in the AKS release tracker. Users can view the currently supported Kubernetes versions and Long-Term Support (LTS) versions for specific regions. Additionally, they can monitor the progress of new patch version releases through the release tracker.
Click here to learn more about this update.
4.6 Public Preview: Gating vulnerable deployments in AKS.
Microsoft Defender for Cloud's feature for gating vulnerable deployments in Azure Kubernetes Service (AKS) is now in public preview.
What is changing with this update? This feature allows users to assess Kubernetes deployments, ensuring each image meets security standards before deployment. It includes auditing, blocking non-compliant deployments, and terminating existing ones. The feature offers two key capabilities:
1. Vulnerability Findings Artifact: Generates findings for each scanned container image.
2. Customised Security Rules: Users can set customisable security rules for different environments or namespaces, defining actions such as 'audit' or 'deny' to align with organisational policies.
Click here to learn more about this update.
4.7 Generally Available features for Azure Kubernetes Service (AKS):
Generally Available: Entity Tags (eTags) for concurrency control in AKS. The Entity Tags (eTags) feature in Azure Kubernetes Service (AKS) offers a built-in mechanism for detecting and preventing conflicting operations. Click here to learn more about this update.
Automated deployments in AKS now support Azure DevOps, AKS-ready templates and service connectors. Click here to learn more about this update.
HTTP Proxy can now be enabled on an existing AKS cluster. The HTTP proxy feature enables AKS clusters to use HTTP proxies, securing network traffic in proxy-dependent environments. It sets up both AKS nodes and pods to use the proxy and allows the installation of a trusted certificate authority during cluster setup. Click here to learn more about this update.
Custom certificate authority support in AKS. Custom certificate authority (CA) support establishes secure trust between your Azure Kubernetes Service (AKS) cluster and workloads, including private registries, proxies, and firewalls. A Kubernetes secret stores the certificate authority's information, which is then distributed to all nodes in the cluster for security. Click here to learn more about this update.
Core Kubernetes extensions for AKS. Core Kubernetes extensions provide a more native AKS-like experience, enhanced regional and cloud availability, improved version management, simplified network configuration, a smaller identity footprint, and potentially faster installation speeds compared to the existing cluster extension experience. Click here to learn more about this update.
Azure Monitor Prometheus community-recommended alerts for AKS. Azure Monitor now enables one-click activation of Prometheus-recommended alerts in the Azure Portal for AKS clusters. These alerts, based on enhanced Prometheus community rules, cover cluster, node, and pod levels. Previously, activation required manual template downloads and deployment via the command-line interface (CLI). Click here to learn more about this update.
Managed Prometheus visualisations and enhanced monitoring experience in Azure Monitor for AKS. This release offers a consolidated monitoring solution for managing Azure Kubernetes Service (AKS) clusters. Container insights visualisations can now utilise managed Prometheus data, eliminating the need to rely solely on Log Analytics and offering a more cost-effective and efficient option. Click here to learn more about this update.
5. Azure PaaS Services:
5.1 Public Preview: Azure Backup for Elastic SAN
What is changing with this update? Azure Backup now supports Elastic SAN, providing a managed solution for backing up and restoring Elastic SAN volumes. This integration protects data against accidental deletions and ransomware by exporting volumes to independent Managed Disk Incremental Snapshots, stored in locally redundant storage.
Click here to learn more about this update.
5.2 Generally Available: App Service Hybrid Connection Manager
What is changing with this update? Hybrid Connections requires a relay agent, the Hybrid Connection Manager (HCM), to access both the target endpoint and Azure over port 443. The App Service infrastructure connects to Azure Relay on behalf of the web app, enabling access to the endpoint. The connection uses TLS 1.2 for security and shared access signature (SAS) keys for authentication and authorisation.
Click here to learn more about this update.
5.3 Generally Available: Inbound Private Endpoint Support for Azure API Management Standard v2.
Microsoft has launched the inbound private endpoint feature for the Azure API Management Standard v2 tier.
What is changing with this update? This update enables organisations to securely expose their API Management gateway solely through Azure Private Link, keeping API traffic within the Microsoft backbone network.
This feature is essential for customers in regulated industries, such as finance, healthcare, and government, providing key benefits including end-to-end private connectivity, enhanced security, a reduced attack surface, and better control over data flow and API exposure.
Click here to learn more about this update.
5.4 Generally Available - Azure Log Analytics and Azure Monitor.
Log analytics cross-regional workspace replication: Cross-regional workspace replication enhances resilience to regional incidents by allowing workspace owners to switch to an alternative region when necessary. A copy of the workspace is created in a designated region, and with replication activated, logs are ingested in both regions to ensure observability through dashboards, alerts, and solutions like Microsoft Sentinel. Click here to learn more about this update.
Azure Monitor log analytics UI query limit increased to 100K: Azure Monitor Log Analytics UI has increased its query capacity to support up to 100,000 records, up from the previous limit of 30,000 records. This enhancement enables more extensive investigations and data analysis directly within the portal, allowing users to access and explore larger datasets without the need for external tools. Click here to learn more about this update.
Granular RBAC in Azure Monitor Log Analytics - Public Preview: This capability enables the filtering of data accessible to each user based on specified conditions. It provides control over which users can access specific tables and rows (commonly referred to as Row-Level RBAC) according to business or security requirements and defined criteria. Typical examples include characteristics such as organisational roles, units, geographical locations, or data sensitivity levels. Click here to learn more about this update.
Azure Monitor Dashboards with Grafana - Public Preview: Grafana dashboards for Azure Kubernetes Service (AKS) and other Azure resources are enabled by default. Users can also import dashboards from various publicly available Grafana community and open-source sources for Prometheus and Azure Monitor. Click here to learn more about this update.
Please subscribe to the Azure Cloud Monthly Updates newsletter for updates on Azure cloud services. Don’t miss our next edition!
Thanks for taking the time to read the newsletter. I appreciate your feedback, and I would like to invite you to contribute suggestions for improvement in the comments section. Your insights will help us enhance our content. Thank you!