DailyAzureUpdatesGenerator

August 21, 2025 - Azure Updates Summary Report (Details Mode)

Generated on: August 21, 2025 Target period: Within the last 24 hours Processing mode: Details Mode Number of updates: 5 items

Update List

1. Public Preview: Azure Bastion now supports connectivity to private AKS clusters via tunneling

Published: August 20, 2025 17:45:19 UTC Link: Public Preview: Azure Bastion now supports connectivity to private AKS clusters via tunneling

Update ID: 500996 Data source: Azure Updates API

Categories: In preview, Networking, Security, Compute, Containers, Azure Bastion, Azure Kubernetes Service (AKS), Features

Summary:

What was updated
Azure Bastion now supports connectivity to private Azure Kubernetes Service (AKS) clusters via tunneling.
Key changes or new features
Users can establish a secure tunnel from their local machines through Azure Bastion directly to the AKS API server. This allows developers and IT professionals to use standard Kubernetes tools (kubectl, etc.) to manage private AKS clusters without exposing the API server publicly. The feature also supports seamless access to both private and public AKS clusters’ API servers through the same mechanism.
Target audience affected
Developers, DevOps engineers, and IT administrators managing AKS clusters, especially those working with private AKS clusters requiring secure, private access to the Kubernetes API server.
Important notes if any
This feature is currently in public preview. It enhances security by eliminating the need for public IP exposure or VPNs to access private AKS API servers. Users should evaluate the preview feature in non-production environments before broad adoption.

For more details, visit: https://azure.microsoft.com/updates?id=500996

Details:

The recent Azure Bastion public preview update introduces native support for secure connectivity to private Azure Kubernetes Service (AKS) clusters via tunneling, enabling IT professionals to seamlessly access AKS API servers without exposing them to the public internet.

Background and Purpose:
Traditionally, accessing private AKS clusters—where the Kubernetes API server endpoint is isolated within a virtual network—requires complex VPN setups, jump boxes, or exposing the API server endpoint publicly, which can increase security risks. Azure Bastion, a fully managed PaaS service providing secure RDP/SSH access to VMs without public IPs, now extends its tunneling capabilities to AKS clusters. This update aims to simplify and secure cluster management by allowing direct, encrypted access to private AKS API servers from a local machine using standard Kubernetes CLI tools (kubectl), without additional network infrastructure.

Specific Features and Detailed Changes:

Secure Tunnel Creation: Users can establish a secure tunnel from their local workstation through Azure Bastion directly to the private AKS API server endpoint.
Standard Kubernetes Tooling Support: The tunnel works transparently with kubectl and other Kubernetes management tools, enabling standard operations such as cluster inspection, deployment, and management.
Unified Access Method: This capability applies to both private and public AKS clusters, providing a consistent access experience.
No Public IP Exposure: The API server endpoint remains private, reducing the attack surface and adhering to zero-trust networking principles.

Technical Mechanisms and Implementation Methods:
Azure Bastion acts as a secure proxy within the Azure virtual network hosting the AKS cluster. When a user initiates a connection, Bastion establishes an encrypted tunnel from the user’s local machine to the AKS API server endpoint inside the VNet. This is achieved by leveraging Bastion’s existing RDP/SSH proxy infrastructure, extended to support Kubernetes API traffic forwarding. The user configures kubectl to connect via this tunnel, typically by setting a local port forwarding or proxy configuration that routes API calls through Bastion. Authentication and authorization continue to be managed via Azure AD and Kubernetes RBAC, ensuring secure access control.

Use Cases and Application Scenarios:

Secure Cluster Management: Operators can manage private AKS clusters without exposing API endpoints publicly or deploying jump boxes.
DevOps Pipelines: CI/CD systems running outside the VNet can securely interact with private clusters through Bastion tunnels.
Hybrid Environments: Teams working from on-premises or remote locations can securely access AKS clusters in Azure without complex VPNs.
Compliance and Security: Organizations with strict network security policies can enforce private endpoints while maintaining operational agility.

Important Considerations and Limitations:

Preview Status: As a public preview feature, it may have limitations or require enabling via Azure CLI or portal settings. Production use should be carefully evaluated.
Performance: Tunnel throughput and latency depend on Bastion’s capacity and network conditions; large data transfers may be impacted.
Supported Tools: Primarily designed for Kubernetes API traffic; other protocols or custom tooling may require additional configuration.
Authentication: Users must have appropriate Azure RBAC and Kubernetes RBAC permissions; Bastion does not bypass existing security controls.
Region Availability: Initially available in select Azure regions; check regional support before planning deployment.

Integration with Related Azure Services:

Azure Kubernetes Service (AKS): Direct integration to provide secure API server access for private clusters.
Azure Bastion: Leverages Bastion’s secure proxy capabilities to extend connectivity beyond VMs to Kubernetes API endpoints.
Azure Active Directory (Azure AD): Maintains identity and access management for users connecting through Bastion tunnels.
Azure Virtual Network (VNet): Ensures that the AKS API server remains within a private subnet, accessible only via Bastion.
**Azure CLI and kub

2. Public Preview: Azure NetApp Files Flexible service level now supports cool access

Published: August 20, 2025 17:30:35 UTC Link: Public Preview: Azure NetApp Files Flexible service level now supports cool access

Update ID: 500712 Data source: Azure Updates API

Categories: In preview, Storage, Azure NetApp Files, Features

Summary:

What was updated
Azure NetApp Files Flexible service level now supports cool access in public preview.
Key changes or new features
The Flexible service level, which enables independent configuration of storage capacity and throughput, has been enhanced to include cool access tier support. This allows customers to optimize costs by storing infrequently accessed data at a lower price point while maintaining the ability to scale performance independently. It is particularly suited for workloads requiring large capacity but low throughput, such as archival or backup data.
Target audience affected
Developers and IT professionals managing file storage solutions with Azure NetApp Files, especially those handling workloads with variable performance and capacity needs or seeking cost optimization through tiered storage.
Important notes if any
This feature is currently in public preview, so users should evaluate it in non-production environments before full deployment. Integration with existing Flexible service level configurations is seamless, but monitoring access patterns is recommended to ensure cost-effectiveness when using the cool tier.

For more details, visit: https://azure.microsoft.com/updates?id=500712

Details:

The recent public preview update for Azure NetApp Files introduces support for cool access within the Flexible service level, enhancing storage management by enabling independent configuration of capacity and throughput tailored to workload demands. This update addresses the need for cost-efficient storage solutions that balance performance and capacity, particularly for workloads requiring large volumes with lower throughput.

Background and Purpose:
Azure NetApp Files (ANF) is a high-performance, enterprise-grade file storage service designed for demanding workloads. The Flexible service level was introduced to decouple storage capacity from throughput, allowing customers to optimize costs by precisely matching performance to workload needs. Prior to this update, Flexible service level primarily supported hot access tiers optimized for high throughput. The addition of cool access support aims to provide a more cost-effective tier for workloads with infrequent access patterns or lower performance requirements, aligning with Azure’s tiered storage strategy.

Specific Features and Detailed Changes:

Cool Access Support: The Flexible service level now supports the cool access tier, which offers lower storage costs by optimizing for infrequently accessed data.
Independent Throughput and Capacity Configuration: Customers can continue to configure throughput independently from capacity, but now with the option to select cool access, enabling cost savings on storage while maintaining throughput as needed.
Seamless Tiering: The update allows workloads to leverage cool access without compromising the flexibility of throughput provisioning, providing granular control over performance and cost.

Technical Mechanisms and Implementation Methods:
Azure NetApp Files uses underlying SSD and HDD storage media managed by the Azure NetApp Files control plane. The cool access tier leverages storage media optimized for lower cost and power consumption, suitable for less frequently accessed data. The Flexible service level’s decoupled architecture allows throughput to be scaled independently, which is implemented via QoS policies at the storage backend. The introduction of cool access involves integrating tiering policies that redirect data to appropriate storage media while maintaining throughput guarantees configured by the user. Customers can select the access tier during volume creation or modify it on existing volumes through the Azure portal, CLI, or REST API.

Use Cases and Application Scenarios:

Archival and Backup Storage: Large datasets that require storage but are infrequently accessed, such as backups or archival data, benefit from cool access to reduce costs.
Development and Test Environments: Environments with variable performance needs but significant storage requirements can optimize spend by using cool access for less critical data.
Media and Content Storage: Large media files that are accessed sporadically but require scalable throughput when accessed can leverage this update.
Big Data and Analytics: Datasets that are processed in batches and remain idle for extended periods can be stored cost-effectively.

Important Considerations and Limitations:

Performance Trade-offs: Cool access is optimized for lower throughput and higher latency compared to hot tiers; workloads requiring consistent high performance may not be suitable.
Data Access Patterns: Frequent or unpredictable access patterns may incur higher costs or performance penalties if cool access is used improperly.
Preview Status: As a public preview feature, it may have limitations in SLA guarantees and support scope; production use should consider this.
Compatibility: Some advanced features or integrations may not yet fully support cool access in Flexible service level.

Integration with Related Azure Services:

Azure Monitor and Metrics: Monitoring throughput and capacity usage remains critical; integration with Azure Monitor allows tracking performance and cost metrics for cool access volumes.
Azure Backup: Cool access volumes can be integrated with Azure Backup solutions for efficient snapshot and backup storage.
Azure Virtual Machines and Kubernetes: Flexible service level volumes with cool access can be mounted to VMs and AKS clusters, enabling cost-effective persistent storage for containerized and VM workloads.
Azure Policy and Governance: Policies can be applied to manage and enforce usage of cool access tiers within organizational compliance frameworks.

In summary, the addition of cool access support to

3. Private Preview: DCesv6 and ECesv6 series confidential VMs with Intel® TDX

Published: August 20, 2025 16:45:09 UTC Link: Private Preview: DCesv6 and ECesv6 series confidential VMs with Intel® TDX

Update ID: 489745 Data source: Azure Updates API

Categories: In preview, Compute, Virtual Machines, Features, Services, Security

Summary:

What was updated
Azure has introduced the private preview of the DCesv6 and ECesv6 series Confidential Virtual Machines (VMs), leveraging 5th Gen Intel® Xeon® processors (Emerald Rapids) with Intel® Trust Domain Extensions (Intel® TDX).
Key changes or new features
These new VM series provide enhanced hardware-based confidential computing capabilities by isolating workloads within Intel TDX-enabled trusted execution environments. This improves data protection and workload isolation for sensitive applications. The DCesv6 and ECesv6 VMs offer improved performance and security compared to previous confidential VM generations, enabling organizations to run highly sensitive workloads in the cloud with greater assurance.
Target audience affected
Developers and IT professionals focused on security-sensitive workloads, such as financial services, healthcare, and government sectors, will benefit from these VMs. Organizations requiring confidential computing to protect data in use and meet compliance requirements are the primary audience.
Important notes if any
This offering is currently in private preview, so interested customers must apply for access. The use of Intel TDX requires compatible software stacks and may involve adjustments in workload deployment to fully leverage confidential computing features. Further details and availability timelines will be provided as the preview progresses.

Details:

The Azure update announces the private preview release of the DCesv6 and ECesv6 series Confidential Virtual Machines (VMs), leveraging Intel® Trust Domain Extensions (Intel® TDX) on 5th Gen Intel® Xeon® processors (Emerald Rapids). This advancement represents Azure’s next generation of confidential computing infrastructure designed to enhance data security and privacy in cloud workloads.

Background and Purpose
Confidential computing aims to protect data in use by isolating workloads within hardware-based trusted execution environments (TEEs). Previous Azure confidential VM series utilized technologies like AMD SEV and Intel SGX. The introduction of DCesv6 and ECesv6 series with Intel TDX addresses evolving security requirements by providing stronger isolation boundaries that protect data and code from unauthorized access, including from higher-privileged software such as the hypervisor or host OS. This update is targeted at organizations with stringent data protection needs, such as those in finance, healthcare, and government sectors.

Specific Features and Detailed Changes

Processor and Security Technology: The VMs run on 5th Gen Intel Xeon processors (Emerald Rapids) integrated with Intel TDX, which creates isolated Trust Domains (TDs) that shield VM memory and CPU state from the host and other VMs.
VM Series: DCesv6 (general purpose) and ECesv6 (memory optimized) series provide options tailored to different workload profiles, maintaining Azure’s familiar VM sizing and capabilities but with enhanced confidentiality.
Confidentiality Guarantees: Intel TDX hardware enforces memory encryption and attestation, ensuring that only authorized code can access the protected environment.
Private Preview Access: Currently available in private preview, enabling select customers to test and validate workloads before general availability.

Technical Mechanisms and Implementation Methods
Intel TDX extends the CPU architecture to create isolated execution environments called Trust Domains. Each TD runs a guest OS and applications, with memory encryption keys managed by the CPU itself, preventing the host or hypervisor from inspecting or tampering with the VM’s memory. The VM launch process involves remote attestation, allowing customers to verify the integrity and configuration of the confidential VM before deploying sensitive workloads. Azure’s hypervisor integrates with Intel TDX to manage these Trust Domains while maintaining cloud-scale orchestration and management.

Use Cases and Application Scenarios

Sensitive Data Processing: Workloads involving personally identifiable information (PII), financial transactions, or intellectual property benefit from hardware-enforced confidentiality.
Multi-party Collaboration: Enables secure computation across organizational boundaries without exposing raw data to cloud operators or other tenants.
Regulatory Compliance: Helps meet compliance requirements such as GDPR, HIPAA, or FedRAMP by providing strong data-in-use protection.
Confidential AI and Analytics: Protects proprietary models and datasets during training and inference phases.

Important Considerations and Limitations

Preview Status: As a private preview, availability is limited and may require enrollment or invitation. Features and performance characteristics could evolve before GA.
Compatibility: Workloads must be compatible with Intel TDX environments; some legacy or specialized software may require adaptation.
Performance Overhead: Confidential computing introduces some performance overhead due to encryption and isolation, which should be evaluated against security benefits.
Integration Complexity: Developers and IT teams need to incorporate attestation and key management processes into their deployment pipelines.

Integration with Related Azure Services

Azure Attestation Service: Supports remote attestation of confidential VMs, verifying the trustworthiness of the environment before workload deployment.
Azure Key Vault: Can be integrated for secure key management and provisioning of cryptographic keys used within confidential VMs.
Azure Confidential Ledger and Confidential Containers: Complement confidential VMs by enabling secure data storage and containerized confidential workloads.
Azure Monitor and Security Center: Provide monitoring and security posture management

4. Retirement: Microsoft Sentinel Deprecation in Microsoft Azure operated by 21Vianet Announcement

Published: August 20, 2025 16:30:32 UTC Link: Retirement: Microsoft Sentinel Deprecation in Microsoft Azure operated by 21Vianet Announcement

Update ID: 498754 Data source: Azure Updates API

Categories: Hybrid + multicloud, Security, Microsoft Sentinel, Retirements

Summary:

What was updated
Microsoft announced the retirement and deprecation of Microsoft Sentinel in the Microsoft Azure environment operated by 21Vianet.
Key changes or new features
The service will be discontinued due to increasing infrastructure and operational complexity, making continued support unfeasible. No new features will be introduced, and existing Microsoft Sentinel deployments under 21Vianet will be phased out.
Target audience affected
Developers, IT professionals, and security teams using Microsoft Sentinel within the Azure operated by 21Vianet cloud region in China will be impacted. Organizations relying on this service for security information and event management (SIEM) need to plan migration or alternative solutions.
Important notes if any
Customers should begin transitioning their security monitoring and incident response workflows to other supported platforms or regions. Microsoft recommends reviewing current Sentinel configurations and data retention policies to avoid service disruption. Further guidance and timelines for retirement will be provided by Microsoft to assist with migration planning. This change affects only the Azure operated by 21Vianet environment and does not impact Microsoft Sentinel availability in other Azure global regions.

Details:

The recent announcement regarding the retirement of Microsoft Sentinel in the Microsoft Azure operated by 21Vianet environment reflects a strategic decision driven by operational and infrastructure complexities unique to this sovereign cloud region. Microsoft Sentinel, a cloud-native Security Information and Event Management (SIEM) and Security Orchestration Automated Response (SOAR) solution, has been a critical tool for threat detection, investigation, and response. However, maintaining parity of this service in the 21Vianet-operated Azure China region has become increasingly challenging.

Background and Purpose of the Update
Microsoft continuously evaluates its service portfolio to ensure optimal security, reliability, and performance. The decision to deprecate Microsoft Sentinel in the Azure China region operated by 21Vianet stems from the growing complexity in infrastructure management and operational overhead, which impacts the ability to deliver the service at the expected standards. This update aims to inform customers of the impending retirement, enabling them to plan migration or alternative security monitoring strategies accordingly.

Specific Features and Detailed Changes
The core change is the complete retirement of Microsoft Sentinel within the Azure China operated by 21Vianet environment. This means that new deployments of Sentinel will no longer be possible, and existing Sentinel workspaces will be phased out over a defined timeline. Key features affected include:

Security data collection and analytics from various Azure and on-premises sources.
Threat detection rules and analytics built on Microsoft’s threat intelligence.
Automated incident response playbooks using Azure Logic Apps.
Integration with Azure Security Center and other Microsoft security products.
Post-retirement, these capabilities will no longer be available within this sovereign cloud environment.

Technical Mechanisms and Implementation Methods
Microsoft Sentinel operates by ingesting security data into Log Analytics workspaces, applying analytics rules, and triggering alerts and automated responses. The retirement implies that these underlying Log Analytics workspaces will no longer support Sentinel-specific features. Customers will need to export or archive their existing logs and configurations before the service is disabled. Microsoft typically provides a deprecation timeline with milestones for disabling new data ingestion, alerting, and eventual workspace deletion. Customers should leverage Azure Resource Manager (ARM) templates or APIs to export configurations and data where applicable.

Use Cases and Application Scenarios
Microsoft Sentinel is widely used for centralized security monitoring, threat hunting, compliance reporting, and incident response automation. Organizations operating in China using Azure 21Vianet who rely on Sentinel for these scenarios will need to seek alternative solutions. Potential alternatives include third-party SIEM solutions compatible with Azure China or native Azure Security Center capabilities that remain supported. This update primarily affects enterprises with stringent security monitoring requirements who must adapt their security operations workflows accordingly.

Important Considerations and Limitations

Data retention and export: Customers must plan to export historical security data before retirement to avoid data loss.
Feature gaps: Alternative solutions may not provide the same level of integration or automation as Sentinel.
Compliance and sovereignty: Any replacement solution must comply with China’s regulatory requirements and data sovereignty laws.
Migration complexity: Transitioning security monitoring tools can be complex and requires careful planning to maintain security posture.
Support and SLAs: Post-retirement, Microsoft support for Sentinel-related issues in this region will cease.

Integration with Related Azure Services
Microsoft Sentinel integrates deeply with Azure Security Center, Azure Active Directory, Azure Monitor, and Logic Apps for automated workflows. With the retirement, these integrations will be impacted in the 21Vianet environment. Customers should evaluate how these services can be used independently or in conjunction with third-party SIEM tools. For example, Azure Security Center will continue to provide security recommendations and alerts, but without Sentinel’s advanced analytics and orchestration capabilities. Logic Apps can still be used for automation but will require reconfiguration outside of Sentinel playbooks.

In summary, the retirement of Microsoft Sentinel in the Azure China region operated by 21Vianet is a significant change driven by operational challenges,

5. Retirement: Microsoft Defender for Cloud Deprecation in Microsoft Azure Operated by 21Vianet Announcement

Published: August 20, 2025 16:30:32 UTC Link: Retirement: Microsoft Defender for Cloud Deprecation in Microsoft Azure Operated by 21Vianet Announcement

Update ID: 498749 Data source: Azure Updates API

Categories: Hybrid + multicloud, Security, Microsoft Defender for Cloud, Retirements

Summary:

What was updated
Microsoft announced the retirement of Microsoft Defender for Cloud in the Azure operated by 21Vianet environment.
Key changes or new features
The service will be deprecated due to increasing infrastructure and operational complexity, making continued support unfeasible. No new features will be introduced, and existing Defender for Cloud protections in this region will be discontinued.
Target audience affected
Developers, IT professionals, and security teams using Microsoft Defender for Cloud within Azure operated by 21Vianet (China region) are directly impacted. Customers relying on Defender for Cloud for workload protection and security management in this environment must plan for alternative solutions.
Important notes if any
Microsoft advises customers to transition to other security tools or services as Defender for Cloud support ends in this region. It is critical to review current security postures and update configurations accordingly to maintain protection levels. Further details and timelines should be monitored via official Azure updates. This retirement does not affect Microsoft Defender for Cloud in other global Azure regions.

Details:

The recent announcement regarding the retirement of Microsoft Defender for Cloud in the Microsoft Azure environment operated by 21Vianet reflects a strategic decision driven by increasing infrastructure and operational complexities that impact the service’s sustainability and reliability within this specific regional cloud. This update signifies the deprecation of Microsoft Defender for Cloud—Microsoft’s unified cloud security posture management (CSPM) and cloud workload protection platform (CWPP)—in the China region managed by 21Vianet, which operates Azure services under local compliance and operational frameworks.

Background and Purpose of the Update
Microsoft Defender for Cloud provides advanced threat protection, continuous security assessment, and compliance management across Azure resources. However, the Azure operated by 21Vianet environment has unique infrastructure and regulatory requirements that introduce additional operational overhead. After comprehensive evaluation, Microsoft concluded that maintaining Defender for Cloud in this environment is no longer viable without compromising service quality or compliance. The retirement aims to streamline service offerings, reduce complexity, and focus on core security capabilities that align with regional operational constraints.

Specific Features and Detailed Changes
The update entails the complete deprecation of Microsoft Defender for Cloud within the 21Vianet-operated Azure region. This means that all Defender for Cloud features—including continuous security posture assessment, advanced threat detection, vulnerability management, and compliance monitoring—will cease to function in this environment. Customers will no longer receive security alerts, recommendations, or integrated threat intelligence from Defender for Cloud services. The retirement also impacts integrations such as Security Center dashboards, automated remediation workflows, and API endpoints related to Defender for Cloud.

Technical Mechanisms and Implementation Methods
The deprecation is implemented by disabling Defender for Cloud service endpoints and backend processing within the 21Vianet Azure infrastructure. This involves shutting down telemetry collection, security analytics, and policy evaluation engines specific to Defender for Cloud. Customers’ existing configurations, policies, and security alerts tied to Defender for Cloud will be invalidated. Microsoft will likely provide transition guidance and timelines to allow customers to export existing data and migrate to alternative security solutions. The operational change is region-specific and does not affect Microsoft Defender for Cloud in other global Azure regions.

Use Cases and Application Scenarios
Prior to retirement, Defender for Cloud was widely used for securing multi-cloud and hybrid environments, enforcing compliance standards (e.g., CIS, ISO, NIST), and detecting threats across virtual machines, containers, databases, and serverless workloads. Post-retirement, customers in the 21Vianet region must seek alternative security posture management tools or native security features offered by Azure or third-party vendors compliant with local regulations. Use cases involving automated threat response, integrated vulnerability scanning, and compliance reporting will require re-architecting to accommodate the absence of Defender for Cloud.

Important Considerations and Limitations

The retirement affects only the Azure operated by 21Vianet region; global Azure customers remain unaffected.
Customers should plan for data export and migration before the service is fully disabled.
Alternative security solutions must comply with China’s regulatory environment and integrate with 21Vianet’s operational model.
There may be a temporary gap in security posture visibility and threat detection capabilities during the transition.
Automated remediation and compliance workflows dependent on Defender for Cloud will require redesign or replacement.

Integration with Related Azure Services
Microsoft Defender for Cloud integrates deeply with Azure Security Center, Azure Sentinel, Azure Policy, and Azure Monitor. With its retirement in the 21Vianet region, these integrations will be disrupted. Azure Security Center’s unified security management features will be limited, and Azure Sentinel’s threat detection capabilities may lose Defender for Cloud’s telemetry inputs. Customers should evaluate native security features within Azure 21Vianet and consider third-party SIEM or CSPM tools to maintain security operations continuity. Additionally, Azure Policy enforcement will continue but without Defender for Cloud’s enhanced security recommendations.

In summary, the retirement of Microsoft Defender for Cloud in the Azure operated by 21

This report was automatically generated - 2025-08-21 03:03:00 UTC

This site is open source. Improve this page.