azupdate
80 TopicsAz Update - Week 2 of the return editions
Hello Folks! This week's updates all focus on something we hear from IT pros and platform engineers all the time: How do we make our environments more secure, more manageable, and easier to modernize without adding more complexity? Whether you're running PostgreSQL workloads in Azure, securing Kubernetes storage, or planning your next wave of SQL Server migrations, this week's announcements bring practical improvements that can help reduce operational overhead while strengthening your overall platform strategy. We'll look at three newly available capabilities: Update #1 - Generally Available: Microsoft Defender security assessments for Azure Database for PostgreSQL Flexible Server Update #2 - Generally Available: Encryption in Transit for Azure Files NFS Shares in Azure Kubernetes Service (AKS) Update #3 - Generally Available: Expanding Azure Arc SQL Migration with SQL Server on Azure Virtual Machines As always, I'm approaching these updates from an infrastructure and operations perspective. I'll cover why each capability matters, what to watch out for before production deployment, and some practical steps you can take to start evaluating them in your own environment. Let's dig in. Update #1 - Generally Available: Microsoft Defender security assessments for Azure Database for PostgreSQL Flexible Server Why ITPros should care This release brings automated security posture assessment directly into managed PostgreSQL environments. For ITPros, this matters because database security is often treated separately from infrastructure security tooling, creating blind spots and silos. What changed is that Defender now runs native vulnerability scanning and compliance checks against PostgreSQL configurations, patches, and the ways a database could be exposed to security risks or attack opportunities. Instead of relying on external scanners or manual audits, you get platform-native assessments integrated with your existing Defender workflows. The operational impact is significant: you can now enforce security baselines at the database layer with the same consistency you apply to VMs and network resources, reducing the gap between infrastructure and data security accountability. Operational value Operationally, this improves your security baseline enforcement and reduces the need for separate database security assessment tools. It also strengthens how well you can demonstrate and prove that security controls are in place and working for compliance reviews where regulators expect consistent, documented security controls. Before production rollout, validate that Defender cost models fit your budget, that assessment frequency aligns with your change windows, and that remediation guidance maps to your patch and maintenance processes. Prerequisites include enabling Microsoft Defender for Cloud, registering the PostgreSQL Flexible Server provider, and ensuring network connectivity so assessments can reach the database endpoint. Real-world example with step-by-step guidance Enable Microsoft Defender for Cloud if not already active, and ensure PostgreSQL Flexible Server subscription coverage. Register the target PostgreSQL Flexible Server instances and confirm Defender has network visibility to the database endpoints. Run a baseline assessment and review initial findings to understand current security posture and common remediation patterns. Prioritise findings by severity and business impact, then schedule patches and configuration changes in maintenance windows. Monitor ongoing assessments and track remediation progress through Defender dashboards, validating that fixes reduce exposure scores. Technical details including code examples This example validates that Defender is actively assessing your PostgreSQL estate. The sequence checks Defender status, confirms PostgreSQL registration, and retrieves current assessment scores. Run these queries in a pilot subscription first to understand data structure and expected output before scaling to production databases. az account set --subscription <subscriptionId> az security sql-vulnerability-assessment baseline show --resource-group <rg> --server-name <postgresServer> --database-name <databaseName> az security pricing show --subscription <subscriptionId> --query "[?name=='VirtualMachines' || name=='SqlServers' || name=='StorageAccounts'].[name,pricingTier]" -o table az provider show --namespace Microsoft.DBforPostgreSQL --query "registrationState" -o tsv Expected behaviour: Defender status shows active, PostgreSQL instances are registered with the provider, and pricing tier reflects your coverage level. If assessments do not run, check network rules, managed identity permissions, and Defender plan activation. If baseline data is missing, trigger a manual scan and wait for completion. Comprehensive Resources Azure update: Microsoft Defender security assessments for Azure Database for PostgreSQL Flexible Server Microsoft Defender for Cloud overview Azure Database for PostgreSQL security SQL vulnerability assessments in Defender for Cloud Enable Defender for Cloud Update #2 - Generally Available: Encryption in Transit for Azure Files NFS Shares in Azure Kubernetes Service (AKS) Why ITPros should care This release closes a significant gap in data protection for Kubernetes workloads consuming NFS shares from Azure Files. Previously, NFS traffic between AKS nodes and Azure Files was unencrypted, creating compliance and security risks for sensitive workloads. What changed is that you can now enforce encryption for NFS communication at the Azure Files layer, not just at the application layer. This is important because traditional NFS lacks built-in encryption, and relying on network isolation alone is increasingly insufficient. For ITPros managing regulated workloads (healthcare, finance, PII-sensitive data), this removes a control gap. Encryption in transit now becomes a platform-native feature instead of a workaround, reducing architecture complexity and improving auditability. Operational value The operational value is stronger compliance posture and reduced attack surface for data in motion between containers and storage. It also simplifies the security story when auditors ask about data protection controls. Before enabling in production, validate that NFS-over-TLS introduces acceptable latency overhead for your workload patterns, test failover and reconnection behaviour under encryption, and confirm that monitoring and logging still work correctly. Prerequisites include running AKS with Azure CNI or Kubenet networking, having Azure Files with NFS 4.1 enabled, and ensuring the NFS client libraries on container images support TLS. Real-world example with step-by-step guidance Create an Azure Files NFS share with encryption in transit enabled and confirm TLS version alignment with your security standards. Deploy a test AKS workload that mounts the NFS share and validate that pods mount successfully with encrypted traffic. Run performance baselines (throughput, latency, CPU overhead) before and after enabling encryption to document operational expectations. Monitor pod logs and Azure Files metrics during the test to confirm no silent failures or unexpected throttling occurs. Roll out to production workloads in stages, with clear rollback criteria tied to application latency and error rates. Technical details including code examples This example validates that your AKS cluster can successfully mount NFS shares with encryption enabled. The sequence checks cluster networking, confirms NFS connectivity, and tests mount success. Run these commands in a non-production cluster first to validate environment readiness before touching production storage. az aks show --resource-group <rg> --name <clusterName> --query "networkProfile.{networkPlugin:networkPlugin,networkPolicy:networkPolicy,podCidr:podCidr}" -o jsonc az storage account show --resource-group <rg> --name <storageAccount> --query "{name:name,kind:kind,accessTier:accessTier}" -o jsonc kubectl get pvc -A --all-namespaces -o wide kubectl describe pv <pvName> | grep -i nfs Expected behaviour: cluster networking is properly configured, storage account kind supports NFS, and PVC/PV resources show NFS mount points. If mounts fail, check network security group rules, storage account firewall allowances, and subnet delegation. If latency increases, monitor resource utilisation and adjust workload placement if needed. Comprehensive Resources Azure update: Encryption in Transit for Azure Files NFS Shares in Azure Kubernetes Service (AKS) Azure Files NFS support Mount Azure Files with NFS in AKS Azure storage security AKS networking concepts Update #3 - Generally Available: Expanding Azure Arc SQL Migration with SQL Server on Azure Virtual Machines Why ITPros should care This capability brings SQL Server migration into the Azure Arc operational footprint, creating a unified migration and inventory experience. For ITPros, this matters because SQL Server modernisation is often fragmented across multiple tools and teams. What changed is that you can now discover, assess, and execute SQL migrations through Arc-native workflows, using the same permissions and governance model you already have for infrastructure and hybrid resources. The operational gain is consistency: discovery data feeds migration planning, assessments surface blockers early, and rollout can be controlled through the same change and approvals processes you use for other infrastructure migrations. Operational value Operationally, this reduces tooling sprawl and improves coordination between infrastructure and database teams. Arc becomes your single control plane for tracking migration progress, managing runbooks, and collecting audit evidence. Before production use, validate that your SQL Server inventory is complete, that migration blockers are understood and addressed, and that your maintenance windows can accommodate expected cutover timings. Prerequisites include Azure Arc agent deployment on source VMs, Azure Database Migration Service readiness, and network connectivity to target Azure SQL resources. Real-world example with step-by-step guidance Deploy Azure Arc agents to SQL Server VMs and confirm all instances report healthy status with complete inventory data. Run Arc-integrated SQL Server assessments to identify compatibility issues, dependencies, and recommended migration targets. Pilot migration for a non-critical workload to establish runbook patterns, measure cutover time, and validate post-migration validation procedures. Execute validation tests: connectivity, login success, database consistency checks, job execution, and application integration tests. Scale migration in waves using documented runbooks, with gates for monitoring data health and application performance after each cutover. Technical details including code examples This example validates Arc agent health and SQL Server discovery completeness. The sequence ensures your Arc infrastructure is ready for migration workflows. Run these commands as part of your pre-migration checklist to catch configuration gaps before committing to migration timelines. az account show --output table az connectedmachine list --resource-group <rg> --query "[].{name:name,status:status,osName:osName}" -o table az resource list --resource-type Microsoft.AzureArcData/sqlServerInstances --query "[].{name:name,resourceGroup:resourceGroup,location:location}" -o table az connectedmachine machine extension list --resource-group <rg> --machine-name <vmName> --query "[].{name:name,provisioningState:provisioningState}" -o table Expected behaviour: Arc agents report healthy status, SQL Server instances are fully discovered with accurate inventory, and required extensions are provisioned successfully. If discovery is incomplete, check Arc agent connectivity, extension deployment, and SQL service running status on source VMs. If migration pre-checks fail, verify SQL Server version compatibility and review Defender logs for blocking issues. Comprehensive Resources Azure update: Expanding Azure Arc SQL Migration with SQL Server on Azure Virtual Machines Azure Arc SQL Server Overview Azure Arc-enabled servers SQL Server on Azure Virtual Machines Azure Database Migration Service For any new capability this week, if they map to your operational roadmap, run a controlled pilot, measure the impact, and then scale with confidence. That is how you move the needle on modernisation while managing risk. Cheers! Pierre Roman39Views1like0CommentsAzUpdate: Sysinternal Updates, MS Certs renewal, App service on Kubernetes on Azure Arc and more
A plethora of announcements was released at Microsoft Build 2021 as expected. Here is what the team will be reporting on this week: certain certifications will require yearly renewal, Sysinternal Tools Updates Announced, App Service Managed Certificates now generally available, Run App Service on Kubernetes or anywhere with Azure Arc and of course the Microsoft Learn module of the week.3.5KViews0likes1CommentAzUpdate S04E17: Azure Key Vault, Azure WAF and Azure Backup
Hello folks, This week is the last episode of season 4. We will be retooling the format during the summer to figure out how to make this more valuable for you and easier to produce for us. But today is Canada Day (The Canadian national holiday, it celebrates the anniversary of the Canadian Confederation which occurred on July 1, 1867) and Monday will be America’s Independence Day. So, like a holiday sandwich. However, Amy Colyer (@wyrdgirl) and I will still be covering the news from Azure that the IT/Ops audience cares about. Or not… let me know in the comments. No really, please subscribe and let us know in the comments what you’d like to cover. This week Amy and I will discuss news about Azure Key Vault, Azure WAF, and Azure Backup.
3.8KViews1like1CommentAzUpdate S04E16: Windows Admin Center, Azure Bastion, Connection Monitor & Trusted launch.
Hello folks, This week my boss, the one and only Rick Claus (@RicksterCDN) is joining me to cover the news from Azure that the IT/Ops audience cares about. Or not… let me know in the comments. No really, please subscribe and let us know in the comments what you’d like to cover. Anyway, this week Rick and I will discuss news about Windows Admin Center, Azure Bastion, Connection Monitor & Trusted launch.
3.4KViews1like0CommentsAzUpdate S04E12: Passwordless, Azure Key Vault, Azure Functions and Microsoft Authenticator
Hello Folks, Well, I’m back this week after my first in-person event in over 2 years!!! OMG, it was wonderful to sit in a large room with like-minded people discussing tech in a fun open, and respectful environment. I was at the PowerShell Summit in Seattle, and it was great. You’ll be able to see all the content from that event on their YouTube channel soon. However, I saw the episode last week and I’m not sure I can follow that up. Amy (@wyrdgirl) and Shannon (@shankuehn) did a fantastic job. Check it out! This week I will be joined by my boss. The one and only Rick Claus (@RicksterCDN), and we will cover the news from the mothership that impacts the IT/Ops audience. More specifically, we’ll cover Passwordless RDP with Windows Hello for Business, Automated key rotation in Azure Key Vault, Azure Functions supports PowerShell 7.2, and strong passwords with Microsoft Authenticator. here we go! … Join us online on YouTube? (Live at 10 am eastern time zone) or catch the replay below.
4.8KViews2likes0CommentsAzUpdate S04E10: Certification Windows Defender Firewall Azure Containers Apps & Azure Monitor
Hello Folks, Guess who's back? Back Again, Guess who's back? Tell a friend…. Guess who's back, la, la, la No, it’s not the Slim Shady… This week Anthony Bartolo (@Wirelesslife) is back behind the desk to help me round up the news from around the mothership for all things Azure as it relates to IT and Operations. We will be covering Microsoft Certification for Students, New Reporting Functionality for Device Control, and Windows Defender Firewall, Metrics, and alerts support in Azure Container Apps, and finally, Azure Monitoring Agent supports custom and IIS logs. So here we go… Join us online on YouTube? (Live at 10 am eastern time zone) or catch the replay below.
3.4KViews0likes0CommentsAzUpdate S04E08: Azure Data Explorer, Azure Disk Storage, Azure Front Door & Azure Site Recovery
Hello Folks, Today, please look around and ensure that none of your teammates play some tricks on you. That being said, I’m trusting my teammate Amy Colyer (@wyrdgirl) to behave. (Well, I may be the one she needs to worry about…. LOL) In any case, what’s not a trick is the news coming out of the Redmond mothership this week. We’ll dive into Azure Data Explorer supports Conditional Access, Cross-region snapshot copy for Azure Disk Storage, Azure Front Door & On-demand capacity reservation with Azure Site Recovery So here we go… Join us online on YouTube? (Live at 10 am eastern time zone) or catch the replay below.
2.8KViews1like1CommentAzUpdate S04E07: VNET & Changes in IP addresses, Azure Dedicated Host SKUs, ARM Templates & more.
Hello Folks, We are back with AzUpdate. Our Schedule has been “wonky” for the past few weeks in light of world events and guidance from our central comms team. But we’re here this week. This week my co-pilot is the one and only Amy Colyer (@wyrdgirl) and together we’ll cover some of the news around Microsoft Azure. We’ll discuss VNET configurations and changes in IP addresses, Azure Dedicated Host SKUs, Templates functionality in the Azure portal, and Azure Load Balancer. Why don’t you join us online on YouTube? (Live at 10 am eastern time zone) or catch the replay below
3KViews1like0CommentsAzUpdate S04E06: Azure Backup, Azure Cost Management, Container Runtime, and Azure Monitor.
Hello Folks, We are back with AzUpdate. We took some time off the last couple of weeks in support of the Ukrainian people. This week we are back, but still, carry them in our hearts. Vinícius Apolinário (@vrapolinario) is joining me this week to cover some of the news around Microsoft Azure. This week we will cover Azure Backup, Azure Cost Management, Container Runtime, and Azure Monitor Why don’t you join us online on YouTube? (Live at 10 am eastern time zone) or catch the replay below
2.8KViews1like0CommentsAzUpdate S04E05: Azure Kubernetes Service, CIS Certification, Windows Server, and burstable disks.
This week Pierre is off which means I return as your host with new team member Joylynn Kirui! We got to learn a bit more about Joylynn and her lovely home nation, Kenya. Let’s jump right into it. This week we’ll cover updates for AKS, Azure Virtual Machines, and Windows Server.
3.7KViews1like0Comments