Announcing General Availability of Software Defined Networking (SDN) on Azure Local
Starting in Azure Local version 2510, we’re excited to announce the General Availability of Software Defined Networking (SDN) on Azure Local enabled by Azure Arc. This release introduces cloud-native networking capabilities for access control at the network layer, utilizing Network Security Groups (NSGs) on Azure Local. Key highlights in this release are: 1- Centralized network management: Manage Logical networks, network interfaces, and NSGs through the Azure control plane – whether your preference is the Azure Portal, Azure Command-Line Interface (CLI), or Azure Resource Manager templates. 2- Fine-grained traffic control: Safeguard your edge workloads with policy-driven access controls by applying inbound and outbound allow/deny rules on NSGs, just as you would in Azure. 3- Seamless hybrid consistency: Reduce operational friction and accelerate your IT staff’s ramp-up on advanced networking skills by using the same familiar tools and constructs across both Azure public cloud and Azure Local. Software Defined Networking (SDN) forms the backbone of delivering Azure-style networking on-premises. Whether you’re securing enterprise applications or extending cloud-scale agility to your on-premises infrastructure, Azure Local, combined with SDN enabled by Azure Arc, offers a unified and scalable solution. Try this feature today and let us know how it transforms your networking operations! Feature Capabilities Here’s what you can do today with SDN enabled by Azure Arc: ✅ Run SDN control plane (Network Controller) as a Failover Cluster service on the Azure Local physical hosts — no VMs required! ✅ Deploy logical networks — use VLAN-backed networks in your datacenter that integrate with SDN enabled by Azure Arc. ✅ Attach VM Network Interfaces — assign static or DHCP IPs to VMs from logical networks. ✅ Apply NSGs - create, attach, and manage NSGs directly from Azure on your logical networks (VLANs in your datacenter) and/or on the VM network interface. This enables a generic rule set for VLANs, with a crisper rule set for individual Azure Local VM network interface using a complete 5-tuple control: source and destination IP, port, and protocol. ✅ Use Default Network Policies — apply baseline security policies during VM creation for your primary NIC. Select well-known inbound ports such as HTTP (while we block everything else for you), while still allowing outbound traffic. Or select an existing NSG you already have! ✅ Azure Arc Resource Bridge (ARB) Disaster Recovery capable - In case ARB on the cluster needs to be recovered, NSGs and its rules can be recovered along with VMs and its associated resources. SDN enabled by Azure Arc vs. SDN managed by on-premises tools Choosing Your Path: Some SDN features like virtual networks (vNETs), Load Balancers (SLBs), and Gateways are not yet supported in SDN enabled by Azure Arc. But good news: you’ve still got options. If your workloads need those features today, you can leverage SDN managed by on-premises tools: - SDN Express (PowerShell) - Windows Admin Center (WAC) The SDN managed by on-premises tools continues to provide full-stack SDN capabilities, including SLBs, Gateways, and VNET peering, while we actively work on bringing this additional value to complete SDN enabled by Azure Arc feature set. You must choose one of the modes of SDN management and cannot run in a hybrid management mode, mixing the two. Please read this important consideration section before getting started! Thank You to Our Community This milestone was only possible because of your input, your use cases, and your edge innovation. We're beyond excited to see what you build next with SDN enabled by Azure Arc. To try it out, head to the Azure Local documentation Let’s keep pushing the edge forward. Together!
A Guide to Adaptive Cloud at Microsoft Ignite 2025
Get ready to supercharge your Ignite experience! This guide is your go‑to playbook for all things Adaptive Cloud. You’ll find clear pointers on where to learn about the latest updates for unifying hybrid, multicloud, and edge environments, with the latest updates from Azure Monitor, Azure Local, Azure Backup, and more. Connect with experts and peers, prioritize sessions, and navigate the event flow with quick links to the session catalog and resources to confirm times and locations throughout the event. We can’t wait to connect!Azure Migrate Expands Capabilities to Accelerate Migration to Azure Local
As organizations accelerate their digital transformation, Microsoft provides flexible paths to migrate and modernize applications, enabling businesses to choose the best approach for their needs - whether embracing the cloud, leveraging cloud-managed infrastructure locally, or balancing both. Unified management, governance, and security can be applied across all strategies, empowering organizations to utilize cloud-based tools, policies, and monitoring wherever their workloads reside. Many organizations operate virtualized environments and can optimize and modernize their infrastructure with several proven approaches. These strategies allow teams to maximize existing investments while exploring new opportunities for agility, cost savings, and growth. Three Paths to Modernization Modernize and Move: For applications ready to evolve, Azure’s IaaS and PaaS offerings provide a secure and scalable foundation to reduce costs, increase agility, and spark innovation. Azure Migrate supports readiness assessments, cost estimates, business case development, and seamless transitions - all while maintaining centralized governance and security throughout the process. Lift and Optimize: For VMware customers looking for a fast path to the cloud, Azure VMware Solution (AVS) allows organizations to rehost existing VMware workloads with minimal disruption and no code changes. AVS is a VMware VCF private cloud in Azure that allows organizations to leverage their portable VCF licenses and connect to 200+ Azure services. Customers can use Azure Migrate for assessment and planning, leverage VMware HCX for seamless migrations, and connect Azure Arc for centralized governance, unified management and enhanced security across cloud and hybrid environments. Edge-Optimized Deployment: For workloads that need to remain close to where data is created or consumed – whether for low latency, regulatory compliance, data residency, or sovereign requirements - Azure Local leverages Azure Arc to extend Azure services across distributed environments, providing a sovereign, cloud-managed platform with local control. Azure Local and its centralized management enabled by Azure Arc supports OEM hardware partners such as Dell, Lenovo, HPE, and more, ensuring flexibility, operational assurance, and compliance-ready governance. Enhanced and Unified Management: Across all three options, organizations can enhance their strategy with unified management, governance, and security via Azure control plane - benefiting from cloud-based capabilities no matter where their workloads run. General Availability: Azure Migrate supports VMware VMs to Azure Local Today, we are excited to announce the General Availability of Azure Migrate support for migrating VMware VMs to Azure Local. With this release, organizations can easily move their VMware workloads to cloud-managed infrastructure while maintaining consistency across environments. Key Features Orchestrate migrations from Azure portal: Gain full visibility into replication progress, cutover readiness, and migration history. Leverage an agentless architecture: Simplify deployment across large VMware environments without installing agents on source VMs. Replicate with no downtime impact: Keep critical workloads running while data synchronizes in the background. Migrate securely with sovereign control: Maintain full data residency and operational sovereignty while keeping all VM migration traffic and data entirely on-premises. Perform cutovers with minimal downtime: Use optimized Azure Migrate techniques to reduce disruption. This GA milestone brings several advanced features shaped by customer and partner feedback during the preview, such as: Static IP address retention for Windows and Linux VMs. PowerShell migration support for scripting and automation. Advanced compute and disk customization during migration. Get Started! Ready to get started? Visit Azure Migrate documentation to explore: Monthly product updates. Prerequisites and requirements. Tutorials for VMware to Azure Local VM migrations. FAQs and troubleshooting guides. Thank you to our Community We’d like to thank all the customers and partners who participated in the preview program and provided invaluable feedback. Your input has directly shaped this GA release, and we’re excited to continue building with you.Operate everywhere with AI-enhanced management and security
Farzana Rahman and Dushyant Gill from Microsoft discuss new AI-enhanced features in Azure that make it simpler to acquire, connect, and operate with Azure's management offerings across multiple clouds, on-premises, and at the edge. Key updates include enhanced management for Windows servers and virtual machines with Windows Software Assurance, Windows Server 2025 hotpatching support in Azure Update Manager, simplified hybrid environment connectivity with Azure Arc gateway, a multicloud connector for AWS, and Log Analytics Simple Mode. Additionally, Azure Migrate Business Case helps compare the total cost of ownership, and new Copilot in Azure capabilities that simplify cloud management and provide intelligent recommendations.Public Preview: Audit and Enable Windows Recovery Environment (WinRE) for Azure Arc-enabled Servers
Windows Recovery Environment is a secure, isolated partition that enables diagnostics and repair when a system encounters critical failures – such as a stop error (commonly known as the blue screen of death). WinRE provides a reliable fallback mechanism for mission-critical workloads, allowing IT administrators to recover systems quickly and securely. With this Public Preview, Azure Arc introduces a set of Azure Policies that allow organizations to audit and enable WinRE across their fleet of Arc-enabled Windows Servers. These policies are powered by the Machine Configuration component of the Azure Connected Machine agent, which ensures secure and compliant configuration enforcement. Through the Azure Policy, the Azure Connected Machine agent detects whether WinRE is configured and reports its health status. If WinRE is not configured and the WinRE partition has been provisioned, customers can enable WinRE through the Azure Policy. These Azure Policies are available at no additional cost for servers covered under: Windows Server 2012 Extended Security Updates (ESUs) Microsoft Defender for Servers Plan 2 Windows Server Software Assurance attestation Windows Server Pay-as-you-Go licensing For other servers, these policies will incur charges associated with Azure Machine Configuration. To get started, deploy and assign these Azure Policies to Azure Arc-enabled servers in your existing subscription. [Preview]: Audit Windows machines that do not have Windows Recovery Environment (WinRE) enabled [Preview]: Configure Windows Recovery Environment (WinRE) on Windows machines Auditing and enablement of WinRE through Azure Arc underscores the capability of Azure Arc to increasingly afford resiliency across hybrid, multicloud, and edge workloads.
Addressing Air Gap Requirements through Secure Azure Arc Onboarding
This blog post explores the challenges and solutions for implementing air gap environments in highly regulated sectors like finance, healthcare, and government. It discusses the complexities of air gap implementation, the importance of control and data plane separation, and provides architectural patterns for secure Azure Arc onboarding. By adopting a zero-trust approach and leveraging Azure Arc, organizations can achieve secure, compliant connectivity while modernizing their IT operations.Announcing the General Availability of the Azure Arc Gateway for Arc-enabled Servers!
We’re excited to announce the General Availability of Arc gateway for Arc‑enabled servers. Arc gateway dramatically simplifies the network configuration required to use Azure Arc by consolidating outbound connectivity through a small, predictable set of endpoints. For customers operating behind enterprise proxies or firewalls, this means faster onboarding, fewer change requests, and a smoother path to value with Azure Arc. What’s new: To Arc‑enable a server, customers previously had to allow 19 distinct endpoints. With Arc gateway GA, you can do the same with just 7, a ~63% reduction that removes friction for security and networking teams. Why This Matters Organizations with strict outbound controls often spend days, or weeks, coordinating approvals for multiple URLs before they can onboard resources to Azure Arc. By consolidating traffic to a smaller set of destinations, Arc gateway: Accelerates onboarding for Arc‑enabled servers by cutting down the proxy/firewall approvals needed to get started. Simplifies operations with a consistent, repeatable pattern for routing Arc agent and extension traffic to Azure. How Arc gateway works Arc gateway introduces two components that work together to streamline connectivity: Arc gateway (Azure resource): A single, unique endpoint in your Azure tenant that receives incoming traffic from on‑premises Arc workloads and forwards it to the right Azure services. You configure your enterprise environment to allow this endpoint. Azure Arc Proxy (on every Arc‑enabled server): A component of the connected machine agent that routes agent and extension traffic to Azure via the Arc gateway endpoint. It’s part of the core Arc agent; no separate install is required. At a high level, traffic flows: Arc agent → Arc Proxy → Enterprise Proxy → Arc gateway → Target Azure service. Scenario Coverage As part of this GA release, common Arc‑enabled Server scenarios are supported through the gateway, including: Windows Admin Center SSH Extended Security Updates (ESU) Azure Extension for SQL Server For other scenarios, some customer‑specific data plane destinations (e.g., your Log Analytics workspace or Key Vault URLs) may still need to be allow‑listed per your environment. Please consult the Arc gateway documentation for the current scenario‑by‑scenario coverage and any remaining per‑service URLs. Over time, the number of scenarios filly covered by Arc gateway will continue to grow. Get started Create an Arc gateway resource using the Azure portal, Azure CLI, or PowerShell. Allow the Arc gateway endpoint (and the small set of core endpoints) in your enterprise proxy/firewall. Onboard or update servers to use your Arc gateway resource and start managing them with Azure Arc. For step‑by‑step guidance, see the Arc gateway documentation on Microsoft Learn. You can also watch a quick Arc gateway Jumpstart demo to see the experience end‑to‑end. FAQs Does Arc gateway require new software on my servers? No additional installation - Arc Proxy is part of the standard connected machine agent for Arc‑enabled servers. Will every Arc scenario route through the gateway today? Many high‑value server scenarios are covered at GA; some customer‑specific data plane endpoints (for example, Log Analytics workspace FQDNs) may still need to be allowed. Check the docs for the latest coverage details. When will Arc gateway for Azure Local be GA? Today! Please refer to the Arc gateway GA on Azure Local Announcement to learn more. When will Arc gateway for Arc-enabled Kubernetes be GA? We don't have an exact ETA to share quite yet for Arc gateway GA for Arc-enabled Kubernetes. The feature is currently still in Public Preview. Please refer to the Public Preview documentation for more information. Tell us what you think We’d love your feedback on Arc gateway GA for servers—what worked well, what could be improved, and which scenarios you want next. Use the Arc gateway feedback form to share your input with the product team.Strengthening Azure File Sync security with Managed Identities
Hello Folks, As IT pros, we’re always looking for ways to reduce complexity and improve security in our infrastructure. One area that’s often overlooked is how our services authenticate with each other. Especially when it comes to Azure File Sync. In this post, I’ll walk you through how Managed Identities can simplify and secure your Azure File Sync deployments, based on my recent conversation with Grace Kim, Program Manager on the Azure Files and File Sync team. Why Managed Identities Matter Traditionally, Azure File Sync servers authenticate to the Storage Sync service using server certificates or shared access keys. While functional, these methods introduce operational overhead and potential security risks. Certificates expire, keys get misplaced, and rotating credentials can be a pain. Managed Identities solve this by allowing your server to authenticate securely without storing or managing credentials. Once enabled, the server uses its identity to access Azure resources, and permissions are managed through Azure Role-Based Access Control (RBAC). Using Azure File Sync with Managed Identities provides significant security enhancements and simpler credential management for enterprises. Instead of relying on storage account keys or SAS tokens, Azure File Sync authenticates using a system-assigned Managed Identity from Microsoft Entra ID (Azure AD). This keyless approach greatly improves security by removing long-lived secrets and reducing the attack surface. Access can be controlled via fine-grained Azure role-based access control (RBAC) rather than a broadly privileged key, enforcing least-privileged permissions on file shares. I believe that Azure AD RBAC is far more secure than managing storage account keys or SAS credentials. The result is a secure-by-default setup that minimizes the risk of credential leaks while streamlining authentication management. Managed Identities also improve integration with other Azure services and support enterprise-scale deployments. Because authentication is unified under Azure AD, Azure File Sync’s components (the Storage Sync Service and each registered server) seamlessly obtain tokens to access Azure Files and the sync service without any embedded secrets. This design fits into common Azure security frameworks and encourages consistent identity and access policies across services. In practice, the File Sync managed identity can be granted appropriate Azure roles to interact with related services (for example, allowing Azure Backup or Azure Monitor to access file share data) without sharing separate credentials. At scale, organizations benefit from easier administration. New servers can be onboarded by simply enabling a managed identity (on an Azure VM or an Azure Arc–connected server) and assigning the proper role, avoiding complex key management for each endpoint. Azure’s logging and monitoring tools also recognize these identities, so actions taken by Azure File Sync are transparently auditable in Azure AD activity logs and storage access logs. Given these advantages, new Azure File Sync deployments now enable Managed Identity by default, underscoring a shift toward identity-based security as the standard practice for enterprise file synchronization. This approach ensures that large, distributed file sync environments remain secure, manageable, and well-integrated with the rest of the Azure ecosystem. How It Works When you enable Managed Identity on your Azure VM or Arc-enabled server, Azure automatically provisions an identity for that server. This identity is then used by the Storage Sync service to authenticate and communicate securely. Here’s what happens under the hood: The server receives a system-assigned Managed Identity. Azure File Sync uses this identity to access the storage account. No certificates or access keys are required. Permissions are controlled via RBAC, allowing fine-grained access control. Enabling Managed Identity: Two Scenarios Azure VM If your server is an Azure VM: Go to the VM settings in the Azure portal. Enable System Assigned Managed Identity. Install Azure File Sync. Register the server with the Storage Sync service. Enable Managed Identity in the Storage Sync blade. Once enabled, Azure handles the identity provisioning and permissions setup in the background. Non-Azure VM (Arc-enabled) If your server is on-prem or in another cloud: First, make the server Arc-enabled. Enable System Assigned Managed Identity via Azure Arc. Follow the same steps as above to install and register Azure File Sync. This approach brings parity to hybrid environments, allowing you to use Managed Identities even outside Azure. Next Steps If you’re managing Azure File Sync in your environment, I highly recommend transitioning to Managed Identities. It’s a cleaner, more secure approach that aligns with modern identity practices. ✅ Resources 📚 https://learn.microsoft.com/azure/storage/files/storage-sync-files-planning 🔐 https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview ⚙️ https://learn.microsoft.com/azure/azure-arc/servers/overview 🎯 https://learn.microsoft.com/azure/role-based-access-control/overview 🛠️ Action Items Audit your current Azure File Sync deployments. Identify servers using certificates or access keys. Enable Managed Identity on eligible servers. Use RBAC to assign appropriate permissions. Let me know how your transition to Managed Identities goes. If you run into any snags or have questions, drop a comment. Cheers! PierreFirmware Analysis now Generally Available
Back in June, we announced the public preview of firmware analysis, a new capability available through Azure Arc to help organizations gain visibility into the security of their Internet of Things (IoT), Operational Technology (OT), and network devices. Today, we are excited to announce that firmware analysis is generally available (GA) for all Azure customers. In modern industrial environments, firmware security is a foundational requirement. IoT sensors and smart devices collect the data fueling AI-driven insights; if those devices aren’t secure, your data and operational continuity are at risk. During the preview, we heard from many customers who used firmware analysis to shine a light into their device software and address hidden vulnerabilities before attackers or downtime could strike. With general availability, firmware analysis is ready to help organizations fortify the “blind spots” in their infrastructure – from factory-floor sensors to branch office routers – by analyzing the software that runs on those devices. What Firmware Analysis Does for You Firmware analysis examines the low-level software (firmware) that powers IoT, OT and network devices, with no agent required on the device. You can upload a firmware image (for example, an extracted embedded Linux image), and the cloud service performs an automated security inspection. Key features include: Software inventory & vulnerability scanning: The service builds a Software Bill of Materials (SBOM) of components within the firmware and checks each component against known CVEs (Common Vulnerabilities and Exposures). This quickly surfaces any known vulnerabilities in your device’s software stack so you can prioritize patching those issues. Security configuration and hardening check: Firmware analysis evaluates how the firmware binaries are built, looking for security hardening measures (e.g. stack protections, ASLR) or dangerous configurations. If certain best practices are missing, the firmware might be easier to exploit – the tool flags this to inform the device manufacturer or your security team. Credential and secrets discovery: The analysis finds any hard-coded credentials (user accounts/password hashes) present in the firmware, as well as embedded cryptographic material like SSL/TLS certificates or keys. These could pose serious risks – for instance, default passwords that attackers could exploit (recall the Mirai botnet using factory-default creds) are identified so you can mitigate them. Any discovered certificates or keys can indicate potentially insecure design if left in production firmware. Comprehensive report: All security findings – from the Software Bill of Materials (SBOM), list of vulnerabilities to hardening recommendations and exposed secrets – are provided in a detailed report for each firmware image analyzed. This gives device makers and operators actionable intelligence to improve their device security posture. In short, firmware analysis provides deep insights into the contents and security quality of device firmware. It turns opaque firmware into transparent data, helping you answer, “What’s really inside my device software?” so you can address weaknesses proactively. What’s New and Licensing We’ve been hard at work making firmware analysis even better as we move to GA. Based on preview feedback, we’ve addressed bugs, implemented usability suggestions and improved the firmware analysis SDKs, CLI and PowerShell extensions. A new Azure resource called “firmware workspace” now stores analyzed firmware images. Firmware analysis workspaces are currently available as a Free Firmware Analysis Workspace SKU with capacity limits. Getting Started If you have IoT, OT and network devices in your environment, use firmware analysis to test just how secure your devices are. Getting started is easy: access firmware analysis by searching “firmware analysis” in the Azure portal, or access using this link. Onboard your subscription and then upload firmware images for analysis. For a step-by-step tutorial, visit our official documentation. The service currently supports embedded Linux-based images up to 1GB in size. We want to thank all the preview participants who tested firmware analysis and provided feedback. You helped us refine the service for GA and we’re thrilled to make this powerful tool broadly available to help secure IoT, OT and network devices around the world. We can’t wait to see how you put it to work. As always, we value your feedback, so please let us know what you think.
