Update

Public Preview: Improve the security of Generation 2 VMs via Trusted Launch in Azure DevTest Labs

To improve the security of Generation 2 (Gen2) virtual machines (VMs) in Azure DevTest Labs, we’re excited to introduce Trusted Launch for Gen2 VMs, now in public preview. Trusted Launch protects against advanced and persistent attack techniques and is composed of several coordinated infrastructure technologies that can be enabled independently.

Public Preview: Larger container sizes on Azure Container Instances
April 2025
Azure Container Instances now supports larger container size instances in public preview. You can now deploy workloads with higher vCPU and memory for standard containers, confidential containers, containers with virtual networks, as well as containers utilizing virtual nodes to connect to AKS.

This setup supports vCPU counts greater than 4 and memory capacities of 16 GB, with a maximum of 32 vCPU and 256 GB per standard container group and 32 vCPU and 192 GB per confidential container group.

Public Preview: Azure virtual network terminal access point (TAP)
April 2025
Virtual network TAP enables customers to continuously stream virtual machine network traffic to a network packet collector or analytics tool. Unlike traditional packet capture solutions that require the deployment of additional agents or network appliances, virtual network TAP leverages Azure’s native infrastructure to mirror traffic with minimal overhead, enhancing both analytics and security capabilities.

As organizations migrate to the cloud, traditional network monitoring approaches often fall short. Many security and performance monitoring tools depend on packet-level visibility, which is challenging to obtain in cloud environments. Virtual network TAP addresses this challenge by offering the following benefits:

  • Agentless, transparent traffic mirroring without having to alter your topology.
  • Zero performance impact on VMs; mirrored traffic does not count against VM bandwidth.
  • Broad compatibility with third-party security and monitoring tools, allowing seamless integration into existing cybersecurity frameworks.

Public Preview: Cross-tenant customer-managed keys for Azure NetApp Files
April 2025
Cross-tenant customer-managed keys for Azure NetApp Files volume encryption are now available. This feature enables individual customers to manage their own keys across different tenancies. In scenarios such as SaaS provider/user configurations, it ensures that the end user, rather than the SaaS provider, retains full control of their keys. This capability gives SaaS providers the flexibility to offer customers customizable key management options. It is available in all Azure NetApp Files supported regions. This feature is currently in preview.

Public Preview: Azure WAF CAPTCHA Challenge for Azure Front Door
April 2025
Announcing the public preview of CAPTCHA for Azure Web Application Firewall (WAF) with Azure Front Door.

Modern web applications face evolving threats, including bots, web scrapers, and brute-force attacks, many of which can bypass traditional security controls like IP blocking and rate limiting. CAPTCHA provides an adaptive layer of protection, ensuring legitimate users can access applications while blocking harmful automated traffic.

This new security feature enhances bot mitigation strategies by introducing an interactive challenge that verifies human users in real time, helping organizations protect their applications from automated attacks.

Public Preview: Inbound Private Endpoint for Azure API Management
April 2025
We’re announcing the open public preview of inbound private endpoint support for the Azure API Management Standard v2 tier. This capability enables private, secure access to the API Management gateway from within your virtual network using Azure Private Link.

Customers can now:

  • Enable inbound traffic to API Management over a private IP address from their virtual network
  • Use Azure Private Link to route traffic via the Microsoft backbone, avoiding public internet exposure
  • Configure multiple Private Link connections per API Management instance
  • Apply policies to differentiate traffic sources (e.g., private vs. public)
  • Restrict API gateway access to private endpoints only to reduce data exfiltration risks
  • Use custom DNS or Azure Private DNS zones for private hostname resolution
  • Combine with outbound virtual network integration for end-to-end network isolation

Generally Available: Announcing Service Update Configuration for Azure API
April 2025
We’re introducing service update settings for Azure API Management, giving customers greater control over when and how their instances receive platform updates—including new features, security patches, and reliability improvements.

Customers can now:

Select an update group for their API Management instance:

  • Early – Receive updates at the beginning of the rollout for testing and early access (not recommended for production).
  • Default – Receive updates as part of the standard rollout (recommended for most use cases).
  • Late – Defer updates to later in the cycle (ideal for mission-critical workloads).
  • AI Gateway Early – Get early access to AI Gateway updates while receiving other service updates on the Late schedule.

Configure a custom maintenance window:

  • Set preferred times for updates to occur, with the ability to specify different windows per day.
  • Default window is 10 PM to 6 AM in the instance’s local time zone.

Generally Available: Next hop IP support for Virtual WAN
April 2025
The Azure Virtual WAN hub router, also called the virtual hub router, acts as a route manager and simplifies routing operations within and across virtual hubs. The virtual hub router exposes the ability to peer with it, thereby exchanging routing information directly through the Border Gateway Protocol (BGP). With the added support for next hop IP in Virtual WAN, you can peer the hub with NVAs or BGP endpoints and advertise routes for VMs that are deployed behind a load balancer.

Generally Available: Azure Firewall integration in Security Copilot
April 2025
The Azure Firewall integration in Security Copilot helps analysts perform detailed investigations of the malicious traffic intercepted by the IDPS feature of their firewalls across their entire fleet using natural language questions.

The following capabilities can be accessed either via the Security Copilot portal or the Copilot in Azure experience directly on the Azure portal:

  • Retrieve the top IDPS signature hits for an Azure Firewall: Get log information about the traffic intercepted by the IDPS feature instead of constructing KQL queries manually.
  • Enrich the threat profile of an IDPS signature beyond log information: Get additional details to enrich the threat information/profile of an IDPS signature instead of compiling it yourself manually.
  • Look for a given IDPS signature across your tenant, subscription, or resource group: Perform a fleet-wide search (over any scope) for a threat across all your Firewalls instead of searching for the threat manually.
  • Generate recommendations to secure your environment using Azure Firewall's IDPS feature: Get information from documentation about using Azure Firewall's IDPS feature to secure your environment instead of having to look up this information manually.

Generally Available: Network isolated cluster in AKS
April 2025
Today, you can control an AKS cluster's egress traffic using Azure Firewall. While this configuration is intended to isolate the cluster to protect sensitive business or customer data, it adds a layer of management complexity and cost.
AKS now provides the option to use network isolated clusters, which simplify the process of restricting network access and reduce the risk of unintentionally exposing the cluster's public endpoints, helping to prevent security breaches.

Generally Available: Azure Functions support for Python 3.12
April 2025
You can now develop functions using Python 3.12 locally and deploy them to all Azure Functions plans.

Python 3.12 builds on the performance enhancements that were first released with Python 3.11 and adds several performance and language readability features in the interpreter. You can now take advantage of these new features and enhancements when creating serverless applications on Azure Functions.

Generally Available: Azure Compute Fleet
April 2025

Azure Compute Fleet is now generally available in all regions. Azure Compute Fleet allows users to easily obtain large amounts of compute capacity by algorithmically mixing and matching a variety of available VM sizes suitable to a user's workload, up to 10,000 VMs in a single fleet. A user can specify a variety of VM criteria such as RAM size, core count, SKU type, location, and pricing structure, and Azure Compute Fleet will deploy capacity tailored to those criteria.
Azure Compute Fleet also has a variety of VM fleet management features that automatically and programmatically control how fleets respond to changing variables, such as cost overruns, capacity shortages for specific VM sizes, or the eviction of Spot VMs.

Public Preview: Metrics Usage Insights
April 2025
Announcing the Public Preview of ‘metrics usage insights’, a feature currently designed for Azure Managed Prometheus users which will analyze all metrics ingested in Azure Managed Workspace (AMW), surfacing actionable insights to optimize your observability setup.
Metrics usage insights is built to give teams the visibility and tools their organizations need to manage observability costs effectively. It helps customers pinpoint metrics that align with their business objectives, uncover areas of unnecessary spend by identifying unused metrics, and sustain a streamlined, cost-effective monitoring approach.

Metrics usage insights sends usage data to a Log Analytics Workspace (LAW) for analysis. This is a free offering, and there is no charge for the data sent to the Log Analytics workspace, storage, or queries. Customers will be guided to enable the feature as part of the standard out-of-the-box experience during new AMW resource creation. For existing AMWs, this can be configured using diagnostic settings.

Public Preview: Multitenant managed logging in Container insights
April 2025

This is useful for customers who operate shared cluster platforms using AKS. Customers need the ability to configure container console log collection in a way that segregates logs by team, so that each team has access to the logs of the containers running in the K8s namespaces it owns, along with access to the billing and management associated with the Azure Log Analytics workspace. For example, container logs from infrastructure namespaces such as kube-system can be directed to a specific Log Analytics workspace for the infrastructure team, while each application team's container logs can be sent to their respective workspaces.

Version: April 2025