AZURE Cloud Monthly Updates Newsletter – September 2024.
Santhosh (Santhoshkumar) Anandakrishnan
Cloud Solution Architect | Azure MVP | Cloud & Infrastructure Consulting | Co-Organiser Azure Builders Meetup
Welcome to the monthly Azure Cloud newsletter. Please stay tuned for the latest news and tips on maximizing the benefits of Azure cloud services. Whether you are an experienced Azure user or just beginning to explore its potential, I am committed to providing valuable insights and information to help you leverage the cloud's capabilities.
1. Azure Compute Services
1.1 Public Preview: Entra ID support for SSH connections in the portal
Azure announced that Azure Bastion now supports Microsoft Entra ID authentication for SSH connections made from the portal. With Microsoft Entra ID authentication, users can connect to virtual machines with two main benefits. First, it eliminates the need for local authentication mechanisms, reducing the attack surface available to malicious actors. Second, with Microsoft Entra ID set as the authentication mechanism, users get a one-click sign-on to their virtual machines instead of supplying additional credentials to connect.
What is changing with this update? Azure Bastion's support for Microsoft Entra ID authentication makes it simpler to secure SSH connections. Entra ID lets users benefit from single sign-on and conditional access policies, enhancing security and making user access easier to manage. This integration simplifies the authentication process and aligns with best practices for identity management in cloud environments.
To learn more about this update, visit: https://learn.microsoft.com/en-us/azure/bastion/bastion-connect-vm-ssh-linux#microsoft-entra-id-authentication-preview
1.2 Generally Available: VMSS Automatic Instance Repairs – Reimage, Restart Repair Actions
Azure announces that customers can now choose between Replace, Reimage (New), or Restart (New) as the default repair action performed in response to an "Unhealthy" application signal. These new options provide a less impactful repair process, ensuring higher application availability while preserving VM properties and metadata for customers with sensitive workloads.
What is changing with this update? Enabling automatic instance repairs for Azure Virtual Machine Scale Sets helps achieve high application availability by maintaining a set of healthy instances. If an unhealthy instance is found by the Application Health extension or Load balancer health probes, automatic instance repairs will attempt to recover it by triggering repair actions such as deleting and creating a new one to replace it, reimaging the unhealthy instance, or restarting it.
To learn more about this update, visit: https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-instance-repairs?tabs=portal-1%2Cportal-2%2Crest-api-4%2Crest-api-5
2. Azure Data and Storage Services
2.1 Generally Available: Azure Storage Mover with Bandwidth Management.
Azure Storage Mover now supports setting bandwidth management schedules for your Storage Mover agents to optimize your file migrations and ensure smooth network performance.
What is changing with this update? This feature helps Storage Mover agents act as good neighbours in your on-prem data centres by limiting their WAN link upload bandwidth consumption at any given time. When migrating your files and folders to Azure, you need to carefully consider the upload bandwidth you want to make available to each of your Storage Mover agents. Other workloads may also depend on having sufficient bandwidth available. You can schedule limits for each agent to make your Storage Mover agents an excellent neighbour to other workloads in your network.
To learn more about this update, visit: https://learn.microsoft.com/en-us/azure/storage-mover/bandwidth-management
2.2 Generally Available: Azure SQL Database Hyperscale elastic pools.
Azure SQL Database Hyperscale elastic pools are now generally available. Hyperscale elastic pools enable software-as-a-service (SaaS) developers to optimize the price-performance ratio for a group of databases while delivering predictable performance and elasticity for each database.
What is changing with this update? Hyperscale elastic pools are built on top of Hyperscale's cloud-native architecture and provide the cost-effectiveness of elastic pools. The cloud-native architecture for Hyperscale elastic pools enables independent scaling of computing and storage quickly and predictably. This allows customers to perfectly optimize their compute resources while relying on auto-scaling storage, which provides hands-off scalability and excellent performance as their databases grow.
To learn more about this update, visit: https://techcommunity.microsoft.com/t5/azure-sql-blog/elastic-pools-for-azure-sql-database-hyperscale-now-generally/ba-p/4242658
2.3 Public Preview: Live Resize for Azure Premium SSD v2 and Ultra Disks.
Azure announced the Public Preview of Live Resize for Premium SSD v2 and Ultra Disks. This feature lets you dynamically increase your disk storage capacity without disrupting your applications.
What is changing with this update? Ultra Disks and Premium SSD v2 disks attached to VMs can now be expanded without downtime. To reduce costs, you can create smaller disks and gradually increase their storage capacity without experiencing downtime.
To learn more about this update, visit: https://learn.microsoft.com/en-us/azure/virtual-machines/windows/expand-os-disk#expand-without-downtime
2.4 Generally Available: Force detach zone redundant data disks during zone outage.
Azure now supports force-detaching ZRS data disks from a stand-alone virtual machine or virtual machine scale set residing in a zone impacted by a failure. Customers can then attach the ZRS data disks to another VM, decreasing the RTO. Please note that the feature is NOT supported for ZRS OS disks.
What is changing with this update? A ZRS disk lets you recover from failures in availability zones. If a zone went down and your virtual machine (VM) wasn't affected, your workload continued running. But if your VM was affected by an outage and you want to recover before it's resolved, you can force detach your ZRS disks from the failed VM, freeing them to attach to another VM.
To learn more about this update, visit: https://learn.microsoft.com/en-us/azure/virtual-machines/disks-redundancy#zone-redundant-storage-for-managed-disks
2.5 Generally Available: Azure NetApp Files Reserved Capacity.
Reserved capacity is available in stackable increments of 100TiB and 1PiB at a region's standard, premium, and ultra service levels. Azure NetApp Files reserved capacity benefits are automatically applied to existing Azure NetApp Files capacity pools in matching regions and service levels.
What is changing with this update? Azure NetApp Files reservations can significantly reduce the capacity costs of storing data in your Azure NetApp Files volumes. How much you save depends on the total capacity you choose to reserve. Additional usage is conveniently billed at the regular pay-as-you-go rate.
To learn more about this update, visit: https://learn.microsoft.com/en-us/azure/azure-netapp-files/reservations
2.6 Generally Available: Access-based enumeration and non-browsable shares for SMB and dual-protocol Azure NetApp Files volumes.
This new feature prevents the Windows client from browsing the share, and the share does not show up in the Windows File Explorer. This new capability provides an additional layer of security by not displaying these shares. This setting does not impact permissions; users with access to the share will maintain access.
What is changing with this update? Enabling Access-based enumeration (ABE) on Azure NetApp file volumes ensures users only see those files and folders in directory listings they can access. If a user does not have Read (or equivalent) permissions for a folder, the Windows client hides the folder from the user’s view. This new capability provides an additional layer of security by only displaying files and folders a user can access and, conversely, hiding file and folder information a user cannot access. You can enable ABE on Azure NetApp Files SMB and dual-protocol (with NTFS security style) volumes.
To learn more about this update, visit: https://learn.microsoft.com/en-us/azure/azure-netapp-files/create-volumes-dual-protocol
2.7 Generally Available: Online migration from Azure Database for PostgreSQL - Single Server to Flexible Server.
The online migration option is now available for migrating from Azure Database for PostgreSQL - Single Server to Flexible Server. Online migration is the ideal choice when you have large databases and require limited application downtime.
What is changing with this update? In online migration, applications connecting to your source instance aren't stopped while databases are copied to a flexible server. The initial copy of the databases is followed by replication to keep the flexible server in sync with the source instance. A cutover is performed when the flexible server completely syncs with the source instance, resulting in minimal application downtime.
To learn more about this update, visit: https://learn.microsoft.com/en-us/azure/postgresql/migrate/migration-service/tutorial-migration-service-single-to-flexible?tabs=portal%2Conline
3. Azure Network and Security Services:
3.1 Generally Available: Azure Public IPs are zone redundant by default.
From now on, all Standard Public IPs will be made zone-redundant by default. This means that whether you are creating a new Standard Public IP or using an existing one without specified zones, you will automatically benefit from this feature at no additional cost.
What is changing with this update? As a result, Microsoft is transitioning away from non-zonal Standard IPs and ensuring that Public IPs without specified zones are zone-redundant by default, free of charge, in Azure regions where zones are supported. It’s important to note that the pricing for Standard Public IPs will remain unchanged as specified on the Public IP pricing page.
To learn more about this update, visit: https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#availability-zone
3.2 Public Preview: DNAT on Azure Firewall Private IP address.
Destination Network Address Translation (DNAT) on the Azure Firewall private IP address helps connect networks with overlapping IP address spaces. This is a common scenario for enterprises when onboarding new partners to their network or merging with new acquisitions.
This capability is also relevant for hybrid scenarios, connecting on-premises datacenters to Azure, where DNAT bridges the gap, enabling communication between private resources over non-routable IP addresses.
What is changing with this update? You can configure Azure Firewall DNAT to translate and filter inbound Internet and/or Intranet traffic to your subnets. When you configure DNAT, the DNAT rule collection action is set to DNAT type. Each rule in the DNAT rule collection can then translate the firewall's public or private IP address and port to a different IP address and port.
To learn more about this update, visit: https://techcommunity.microsoft.com/t5/azure-network-security-blog/private-ip-dnat-support-preview-and-scenarios-with-azure/ba-p/4230073
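As an added example (not code from the newsletter or from Microsoft), the script below composes, and on request runs, the Azure CLI call that adds a DNAT rule collection translating traffic that arrives at the firewall's private IP to a backend in an overlapping network, refusing non-private addresses before anything is changed. It assumes the `add-nat-collection` flags of the azure-firewall CLI extension and uses constructed placeholder names and addresses (rg-hub, fwp-hub, rcg-dnat, 10.10.0.4, 10.20.0.10).

```shell
#!/bin/sh
# Added example, not code from the newsletter or from Microsoft: composes, and
# on request runs, the Azure CLI call that adds a DNAT rule collection to a
# Firewall Policy so that traffic arriving at the firewall's private IP is
# translated to a backend whose address space overlaps the caller's network.
# Assumed: the "add-nat-collection" flags of the azure-firewall CLI extension,
# and constructed placeholders: resource group rg-hub, policy fwp-hub, rule
# collection group rcg-dnat, firewall private IP 10.10.0.4, backend
# 10.20.0.10:8443, and a partner range 10.20.0.0/24 that collides with the
# backend VNet (the reason the partner can only reach it through the firewall).

RG=${RG:-rg-hub}
POLICY=${POLICY:-fwp-hub}
RCG=${RCG:-rcg-dnat}

# is_rfc1918 IPV4 -> 0 when the address is in 10/8, 172.16/12 or 192.168/16
is_rfc1918() {
  case $1 in
    10.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# build_private_dnat_cmd COLLECTION PRIORITY FW_PRIVATE_IP FW_PORT SRC_CIDR BACKEND_IP BACKEND_PORT
# Prints the command on one line without running it. The private-IP DNAT
# path only makes sense when both the firewall address and the translated
# address are private, and the source must be an explicit range rather than
# "*", so anything else is refused instead of quietly widening exposure.
build_private_dnat_cmd() {
  coll=$1 prio=$2 fw_ip=$3 fw_port=$4 src=$5 be_ip=$6 be_port=$7
  is_rfc1918 "$fw_ip" || { echo "firewall address $fw_ip is not private" >&2; return 1; }
  is_rfc1918 "$be_ip" || { echo "translated address $be_ip is not private" >&2; return 1; }
  case $src in */*) ;; *) echo "source must be a CIDR range, got '$src'" >&2; return 1 ;; esac
  echo "az network firewall policy rule-collection-group collection add-nat-collection" \
    "--resource-group $RG --policy-name $POLICY --rcg-name $RCG" \
    "--name $coll --collection-priority $prio --action DNAT" \
    "--rule-name partner-to-backend --ip-protocols TCP" \
    "--source-addresses $src --dest-addr $fw_ip --destination-ports $fw_port" \
    "--translated-address $be_ip --translated-port $be_port"
}

# run_private_dnat: same arguments; executes the composed command (needs az
# and the azure-firewall extension). Values contain no whitespace, so plain
# word splitting of $cmd is safe.
run_private_dnat() {
  cmd=$(build_private_dnat_cmd "$@") || return 1
  echo "+ $cmd" >&2
  $cmd
}

# Dry-run by default; set DNAT_RUN=1 to actually change the Firewall Policy.
if [ "${DNAT_RUN:-0}" = "1" ]; then
  run_private_dnat partner-dnat 100 10.10.0.4 443 10.20.0.0/24 10.20.0.10 8443
else
  build_private_dnat_cmd partner-dnat 100 10.10.0.4 443 10.20.0.0/24 10.20.0.10 8443
fi
```

The rule collection still needs a matching network path (route or VPN/ExpressRoute) that delivers the partner's traffic to the firewall's private IP; the DNAT rule only covers the translation and filtering step.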
4. Azure Containers Services:
4.1 Public Preview: Azure Container Storage enabled by Azure Arc Edge Volumes.
Azure Container Storage enabled by Azure Arc is a first-party storage system designed for Arc-connected Kubernetes clusters.
What is changing with this update? Azure Container Storage enabled by Azure Arc can be deployed to write files to a "ReadWriteMany" persistent volume claim (PVC), which is then transferred to Azure Blob Storage. Azure Container Storage enabled by Azure Arc is a native persistent storage system for Arc-connected Kubernetes clusters. Its primary role is to provide a reliable, fault-tolerant file system that allows data to be tiered to Azure.
To learn more about this update, visit: https://learn.microsoft.com/en-au/azure/azure-arc/container-storage/overview
4.2 Public Preview: Advanced Container Networking Services: Enhancing security and observability in AKS.
Advanced Container Networking Service offers advanced security features and FQDN filtering. FQDN filtering allows you to define granular network policies based on domain names rather than IP addresses.
What is changing with this update? This simplifies policy management, reduces administrative overhead, and ensures consistent policy enforcement across the network. FQDN filtering helps prevent unauthorized access and mitigate security risks by restricting access to specific domains.
To complement FQDN filtering, the HA DNS proxy ensures uninterrupted DNS resolution. This redundancy enhances your containerised applications' overall reliability and availability, minimizing downtime and disruptions.
To learn more about this update, visit: https://learn.microsoft.com/en-us/azure/aks/advanced-network-container-services-security-concepts
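As an added example (not code from the newsletter or from Microsoft), the script below renders, and on request applies, the CiliumNetworkPolicy that FQDN filtering in Advanced Container Networking Services relies on: a DNS rule that lets the DNS proxy see and restrict the lookups, plus a toFQDNs rule for the resolved addresses. It assumes an AKS cluster with the Cilium data plane and ACNS enabled, and uses constructed placeholders (namespace payments, label app=checkout, name api.partner.example).

```shell
#!/bin/sh
# Added example, not code from the newsletter or from Microsoft: renders, and
# on request applies, the CiliumNetworkPolicy that FQDN filtering in Advanced
# Container Networking Services is built on (AKS with the Cilium data plane
# and ACNS enabled). Constructed placeholders: namespace "payments", pod
# label app=checkout and the single allowed name "api.partner.example".

# validate_fqdn NAME
# Names are emitted as matchName, an exact match. An empty name, embedded
# whitespace, or any wildcard (which belongs in matchPattern, and as a bare
# "*" would allow everything) is refused so the allow-list stays narrow.
validate_fqdn() {
  case $1 in
    ''|*'*'*|*' '*) return 1 ;;
    *) return 0 ;;
  esac
}

# render_fqdn_egress_policy NAME NAMESPACE APP_LABEL FQDN...
# Two egress rules are required. The first lets the selected pods query
# CoreDNS (kube-dns in kube-system) on port 53, with an L7 DNS rule so the
# DNS proxy observes the lookups and only resolves the allowed names. The
# second lets them connect to the addresses those names resolve to. Because
# the policy has an egress section, every other outbound connection from
# the selected pods is dropped.
render_fqdn_egress_policy() {
  name=$1; ns=$2; app=$3
  shift 3
  [ $# -gt 0 ] || { echo "at least one FQDN is required" >&2; return 1; }
  for fqdn in "$@"; do
    validate_fqdn "$fqdn" || { echo "rejected FQDN: '$fqdn'" >&2; return 1; }
  done
  cat <<EOF
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: ${name}
  namespace: ${ns}
spec:
  endpointSelector:
    matchLabels:
      app: ${app}
  egress:
    - toEndpoints:
        - matchLabels:
            "k8s:io.kubernetes.pod.namespace": kube-system
            "k8s:k8s-app": kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
EOF
  for fqdn in "$@"; do printf '              - matchName: "%s"\n' "$fqdn"; done
  printf '    - toFQDNs:\n'
  for fqdn in "$@"; do printf '        - matchName: "%s"\n' "$fqdn"; done
}

# apply_fqdn_egress_policy: same arguments; pipes the policy to kubectl.
apply_fqdn_egress_policy() {
  render_fqdn_egress_policy "$@" | kubectl apply -f -
}

# Print only by default; set ACNS_APPLY=1 to apply to the current context.
if [ "${ACNS_APPLY:-0}" = "1" ]; then
  apply_fqdn_egress_policy allow-partner-api payments checkout api.partner.example
else
  render_fqdn_egress_policy allow-partner-api payments checkout api.partner.example
fi
```

Without the DNS rule the proxy never learns which IPs a name resolved to, so the toFQDNs rule alone would block the traffic; keeping both together is the point of the rendered policy.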
4.3 Generally Available: gRPC and frontend mTLS are now available for Application Gateway for Containers.
Application Gateway for Containers is introducing support for gRPC and frontend mutual authentication (mTLS).
Frontend mutual authentication (mTLS) brings feature parity to Application Gateway for Containers for customers using Application Gateway Ingress Controller. This enhancement increases security by ensuring only specific clients are authenticated before their requests are proxied to a backend service. Combined with the previously released backend mutual authentication, this update unlocks end-to-end mutual authentication.
What is changing with this update? Application Gateway for Containers now supports gRPC and mTLS. With gRPC, four new communication methods are enabled between the client and Application Gateway for Containers, including client, server, and bidirectional streaming.
To learn more about this update, visit: https://learn.microsoft.com/en-us/azure/application-gateway/for-containers/grpc
4.4 Generally Available: FIPS mutability support in AKS.
The Federal Information Processing Standard (FIPS) 140-2 is a US government standard that defines minimum security requirements for cryptographic modules in information technology products and systems. Azure Kubernetes Service (AKS) allows you to create Linux and Windows node pools with FIPS 140-2 enabled. Deployments running on FIPS-enabled node pools can use those cryptographic modules to provide increased security and help meet security controls as part of FedRAMP compliance. For more information on FIPS 140-2, see Federal Information Processing Standard (FIPS) 140.
What is changing with this update? With FIPS mutability, you can enable or disable FIPS on an existing Linux node pool. When you update an existing node pool, the node image changes from the current image to the recommended FIPS image of the same OS SKU, immediately triggering a reimage. Before migrating your application to FIPS in production, first validate that it works correctly on a FIPS-enabled node pool in a test environment.
To learn more about this update, visit: https://learn.microsoft.com/en-au/azure/aks/enable-fips-nodes
4.5 Generally Available: Long-term support for version 1.27 and 1.30 in Azure Kubernetes Service (AKS).
To help you manage your Kubernetes version upgrades, AKS provides a long-term support (LTS) option. This option extends the support window for a Kubernetes version to give you more time to plan and test upgrades to newer ones. The Kubernetes community releases a new minor version approximately every four months, with a one-year support window for each version. In Azure Kubernetes Service (AKS), this support window is called community support.
What is changing with this update? AKS now supports Kubernetes versions 1.27 and 1.30 under long-term support (LTS), extending the support window for each so you have more time to plan and test upgrades to newer versions.
To learn more about this update, visit: https://learn.microsoft.com/en-us/azure/aks/long-term-support
4.6 Public Preview: Virtual Machines node pools support in AKS.
With Virtual Machines node pools, Azure Kubernetes Service directly manages the provisioning and bootstrapping of every single node. Typically, when deploying a workload onto Azure Kubernetes Service (AKS), each node pool can contain only one virtual machine (VM) type or SKU. Virtual Machines node pools allow multiple VM SKUs of a similar family to be added to a single node pool.
What is changing with this update? A node pool consists of virtual machines with different sizes designated to support different workloads. These virtual machine sizes, referred to as SKUs, are categorized into different families optimized for specific purposes. Virtual Machines node pools allow you to specify a family of SKUs for a node pool without maintaining one node pool per SKU type, reducing the node pool footprint.
To learn more about this update, visit: https://learn.microsoft.com/en-au/azure/aks/virtual-machines-node-pools
5. Azure PaaS Services:
5.1 Public Preview: Expanded GenAI Gateway capabilities in Azure API Management.
Microsoft announces new enhancements to its GenAI Gateway capabilities, specifically designed for large language model (LLM) use cases. Building on the initial release in May 2024, Microsoft is introducing new policies to support a broader range of LLMs via the Azure AI Model Inference API. These new policies offer the same robust functionality as the initial offerings but are now compatible with a broader array of models available in Azure AI Studio.
What is changing with this update? These enhancements ensure efficient, cost-effective, and robust LLM usage, allowing you to take full advantage of the models available in Azure AI. With seamless integration and enhanced monitoring capabilities, Azure API Management continues to empower your intelligent applications with advanced AI functionalities.
To learn more about this update, visit: https://techcommunity.microsoft.com/t5/azure-integration-services-blog/expanding-genai-gateway-capabilities-in-azure-api-management/ba-p/4214245
6. Other Azure Services:
6.1 Public Preview – Out-of-box monitoring dashboards for Logic Apps Standard.
Azure Logic Apps Standard offers curated visualizations to help you monitor your applications and workflows more effectively. These new dashboards give a comprehensive view of your Logic Apps Standard environments, enabling better oversight of integration scenarios.
What is changing with this update? Logic Apps are connected to Application Insights for telemetry collection. It's also essential to use the updated V2 schema for telemetry to enable all features. Built using Azure Workbooks, these dashboards are easily extendable, allowing you to tailor the visualizations to specific needs.
With these new monitoring capabilities, developers, IT operations teams, and product owners can now gain clearer visibility into their Logic Apps Standard workflows, enhancing their ability to manage and optimize Azure services effectively.
To learn more about this update, visit: https://techcommunity.microsoft.com/t5/azure-integration-services-blog/logic-apps-standard-monitoring-dashboards/ba-p/4220065
6.2 Public Preview – Templates Support in Azure Logic Apps Standard.
Templates in Azure Logic Apps are pre-built workflow solutions designed to address common integration scenarios. They cover many use cases, from simple data transfers to complex, multi-step automation and event-driven processes. Templates provide a solid foundation, allowing users to quickly set up and deploy workflows without starting from scratch.
What is changing with this update? Azure Logic Apps gives you a faster way to start creating integration applications by providing prebuilt templates to use when you build Standard workflows in the Azure portal. These workflow templates follow commonly used patterns and help you streamline development by offering a starting point or baseline with predefined business logic and configurations.
With Templates Support now in Public Preview, developers can leverage a growing library of pre-built templates to kickstart their Logic Apps projects. These templates are designed to cover a wide range of scenarios, from common workflows to complex integrations, making it easier than ever to build, deploy, and manage your applications.
To learn more about this update, visit: https://learn.microsoft.com/en-us/azure/logic-apps/create-single-tenant-workflows-templates
6.3 Generally Available: Auto-renewal of certificates for on-premises to Azure Site Recovery.
Azure Site Recovery has introduced automatic renewal of certificates for on-premises to Azure disaster recovery. Azure Site Recovery uses various components for disaster recovery (DR) from on-premises to Azure. Certificates are essential for communication between these components and need regular renewal to avoid disruptions in Azure Site Recovery operations (such as data replication).
What is changing with this update? This new capability ensures the automatic renewal of certificates without affecting ongoing replication. For auto-renewal, customers need to ensure that the mobility agent and the components within the appliance are updated to the latest version. If specific components are not updated or cannot be reached, automatic renewal may fail, leading to appliance health errors or agent health errors. Customers should follow the documentation to renew the certificates manually if needed.
To learn more about this update, visit: https://learn.microsoft.com/en-us/azure/site-recovery/vmware-troubleshoot-mobility-agent-health
6.4 Generally Available: Automated Patching retirement and replacement with Azure Update Manager.
Effective September 15th, 2027, Azure will retire the Automated Patching feature and replace it with Azure Update Manager.
What is changing with this update? Azure Update Manager is a powerful enterprise-class tool that provides a centralised update management dashboard with customised schedules and patch compliance reports.
To learn more about this update, visit: https://learn.microsoft.com/en-au/azure/update-manager/overview?tabs=azure-vms
6.5 Public Preview: Announcing Azure Monitor Metrics Export.
Azure Monitor Metrics Export is configurable through Data Collection Rules (DCR), which can route Azure resource metrics data to Azure Storage Accounts, Azure Event Hubs and Azure Log Analytics Workspace for 18 resource types and 10 Azure public regions.
To learn more about this update, visit: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-metrics?tabs=log-analytics-workspaces
6.6 Azure Automanage Best Practices migrating to Azure Policy.
Azure Automanage Best Practices helped automate the configuration and management of virtual machines according to Azure's best practices. It achieved this by automatically onboarding VMs to services like Azure Monitor, Backup, and Microsoft Defender and continuously monitoring and correcting configuration drift to ensure compliance.
All Automanage Best Practices features, and much more, are available in Azure Policy today. Azure encourages the transition to Azure Policy before the retirement date to experience its new capabilities.
To learn more about this update, visit: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/migrate-from-automanage-best-practices
7. Retirement Azure Services:
7.1 Azure PostgreSQL migration extension in Azure Data Studio (ADS).
The Azure PostgreSQL migration extension in Azure Data Studio (ADS) will be officially retired on November 15, 2024. As part of our commitment to providing you with the most advanced and reliable tools, we are phasing out this extension in Azure Data Studio. The Azure PostgreSQL migration extension offers limited functionality and does not fully support the latest Azure Database for PostgreSQL SKUs, making it less effective for your migration needs. By retiring the extension in Azure Data Studio, we aim to focus on improving and supporting the tools that will offer you the most value in your migration journey.
If you continue to use the Azure PostgreSQL migration extension after November 15, 2024, it will no longer be enhanced or supported and will not have the latest security and compliance features.
Required Action: Azure encourages transitioning to the enhanced migration services available in the Azure portal as a feature of Azure Database for PostgreSQL - Flexible Server, or through the Azure CLI. These services include pre-migration validation and are designed to support your migration projects better, ensuring a smoother and more efficient transition to Azure.
7.2 Azure VpnGw1-5 (non-AZ SKUs) will be retired on September 30, 2026. Gateways will be automatically migrated to AZ SKUs.
Due to the lack of redundancy, lower availability, and potentially higher costs associated with additional failover solutions, we will transition all non-AZ SKUs to AZ SKUs. On September 30, 2026, the VpnGw1–5 (non-AZ SKUs) will be retired.
Required Action: Starting Jan 1, 2025, creating new gateways on VpnGw1-5 (non-AZ SKUs) will no longer be possible. Azure will seamlessly migrate all the gateways from VpnGw1-5 (non-AZ SKUs) to VpnGw1-5 (AZ SKUs) between April 2025 and October 2026. To facilitate this migration, we are reducing the prices on AZ SKUs.
Please note the following important dates:
Jan 1, 2025: Creation of new gateways on VpnGw1-5 SKUs (Non-AZ SKUs) will no longer be possible.
Jan 1, 2025: Reduced pricing for AZ SKUs will take effect.
Sep 30, 2026: VpnGw1-5 (Non-AZ SKUs) will be retired, and all gateways will be automatically migrated before this date.
7.3 Azure Network security group flow logs in Azure Network Watcher will be retired.
The network security group (NSG) flow logs in Azure Network Watcher will be retired on September 30th, 2027.
As part of this retirement, you'll no longer be able to create new NSG flow logs starting June 30th, 2025. We recommend migrating to virtual network flow logs in Network Watcher, which overcome the limitations of NSG flow logs and provide enhanced capabilities.
Required Action: To avoid service disruptions, migrate to virtual network flow logs by September 30th, 2027.
7.4 Azure Load Balancer Inbound NAT rule V1 for Azure VMs and Azure VMSS will be retired.
On September 30, 2027, Inbound NAT rule V1 for Azure Virtual Machines and Azure Virtual Machine Scale Sets in Azure Load Balancer will be retired. To avoid service disruptions, you must migrate to Inbound NAT rule V2 by that date.
As part of this retirement, you’ll no longer be able to create new instances of Inbound NAT rule V1 starting September 30, 2026. We recommend migrating to Inbound NAT rule V2 before that date to take advantage of additional benefits.
Required Action: By September 30, 2027, migrate to Inbound NAT rule V2 in Azure Load Balancer to avoid service disruptions.
I appreciate you taking the time to read our newsletter. Your feedback is valuable to us, so please don't hesitate to share any suggestions in the comments for improving it.
Co-Founder of Altrosyn and Director at CDTECH | Inventor | Manufacturer
1 month ago
It seems your newsletter will delve into some crucial Azure advancements. Your focus on Application Gateway for containers speaks volumes about the growing demand for streamlined container deployments. Remember, Gartner predicted a 75% surge in container adoption by 2025, so this emphasis is timely. The inclusion of Azure Firewall NAT and Azure NetApp Files highlights your understanding of the need for robust security and scalable storage solutions, trends that have been gaining traction since the rise of cloud-native architectures. Given the recent wave of retirements across various Azure services, what specific factors will guide your selection process when highlighting these changes in the newsletter? How might this impact developers who rely on these retiring services?