Microsoft Azure Cloud HSM is now generally available
Microsoft Azure Cloud HSM is now generally available. Azure Cloud HSM is a highly available, FIPS 140-3 Level 3 validated single-tenant hardware security module (HSM) service designed to meet the highest security and compliance standards. With full administrative control over their HSM, customers can securely manage cryptographic keys and perform cryptographic operations within their own dedicated Cloud HSM cluster. In today’s digital landscape, organizations face an unprecedented volume of cyber threats, data breaches, and regulatory pressures. At the heart of securing sensitive information lies a robust key management and encryption strategy, which ensures that data remains confidential, tamper-proof, and accessible only to authorized users. However, encryption alone is not enough. How cryptographic keys are managed determines the true strength of security. Every interaction in the digital world from processing financial transactions, securing applications like PKI, database encryption, document signing to securing cloud workloads and authenticating users relies on cryptographic keys. A poorly managed key is a security risk waiting to happen. Without a clear key management strategy, organizations face challenges such as data exposure, regulatory non-compliance and operational complexity. An HSM is a cornerstone of a strong key management strategy, providing physical and logical security to safeguard cryptographic keys. HSMs are purpose-built devices designed to generate, store, and manage encryption keys in a tamper-resistant environment, ensuring that even in the event of a data breach, protected data remains unreadable. As cyber threats evolve, organizations must take a proactive approach to securing data with enterprise-grade encryption and key management solutions. Microsoft Azure Cloud HSM empowers businesses to meet these challenges head-on, ensuring that security, compliance, and trust remain non-negotiable priorities in the digital age. Key Features of Azure Cloud HSM Azure Cloud HSM ensures high availability and redundancy by automatically clustering multiple HSMs and synchronizing cryptographic data across three instances, eliminating the need for complex configurations. It optimizes performance through load balancing of cryptographic operations, reducing latency. Periodic backups enhance security by safeguarding cryptographic assets and enabling seamless recovery. Designed to meet FIPS 140-3 Level 3, it provides robust security for enterprise applications. Ideal use cases for Azure Cloud HSM Azure Cloud HSM is ideal for organizations migrating security-sensitive applications from on-premises to Azure Virtual Machines or transitioning from Azure Dedicated HSM or AWS Cloud HSM to a fully managed Azure-native solution. It supports applications requiring PKCS#11, OpenSSL, and JCE for seamless cryptographic integration and enables running shrink-wrapped software like Apache/Nginx SSL Offload, Microsoft SQL Server/Oracle TDE, and ADCS on Azure VMs. Additionally, it supports tools and applications that require document and code signing. Get started with Azure Cloud HSM Ready to deploy Azure Cloud HSM? Learn more and start building today: Get Started Deploying Azure Cloud HSM Customers can download the Azure Cloud HSM SDK and Client Tools from GitHub: Microsoft Azure Cloud HSM SDK Stay tuned for further updates as we continue to enhance Microsoft Azure Cloud HSM to support your most demanding security and compliance needs.Building Azure Right: A Practical Checklist for Infrastructure Landing Zones
When the Gaps Start Showing A few months ago, we walked into a high-priority Azure environment review for a customer dealing with inconsistent deployments and rising costs. After a few discovery sessions, the root cause became clear: while they had resources running, there was no consistent foundation behind them. No standard tagging. No security baseline. No network segmentation strategy. In short—no structured Landing Zone. That situation isn't uncommon. Many organizations sprint into Azure workloads without first planning the right groundwork. That’s why having a clear, structured implementation checklist for your Landing Zone is so essential. What This Checklist Will Help You Do This implementation checklist isn’t just a formality. It’s meant to help teams: Align cloud implementation with business goals Avoid compliance and security oversights Improve visibility, governance, and operational readiness Build a scalable and secure foundation for workloads Let’s break it down, step by step. 🎯 Define Business Priorities Before Touching the Portal Before provisioning anything, work with stakeholders to understand: What outcomes matter most – Scalability? Faster go-to-market? Cost optimization? What constraints exist – Regulatory standards, data sovereignty, security controls What must not break – Legacy integrations, authentication flows, SLAs This helps prioritize cloud decisions based on value rather than assumption. 🔍 Get a Clear Picture of the Current Environment Your approach will differ depending on whether it’s a: Greenfield setup (fresh, no legacy baggage) Brownfield deployment (existing workloads to assess and uplift) For brownfield, audit gaps in areas like scalability, identity, and compliance before any new provisioning. 📜 Lock Down Governance Early Set standards from day one: Role-Based Access Control (RBAC): Granular, least-privilege access Resource Tagging: Consistent metadata for tracking, automation, and cost management Security Baselines: Predefined policies aligned with your compliance model (NIST, CIS, etc.) This ensures everything downstream is both discoverable and manageable. 🧭 Design a Network That Supports Security and Scale Network configuration should not be an afterthought: Define NSG Rules and enforce segmentation Use Routing Rules to control flow between tiers Consider Private Endpoints to keep services off the public internet This stage sets your network up to scale securely and avoid rework later. 🧰 Choose a Deployment Approach That Fits Your Team You don’t need to reinvent the wheel. Choose from: Predefined ARM/Bicep templates Infrastructure as Code (IaC) using tools like Terraform Custom Provisioning for unique enterprise requirements Standardizing this step makes every future deployment faster, safer, and reviewable. 🔐 Set Up Identity and Access Controls the Right Way No shared accounts. No “Owner” access to everyone. Use: Azure Active Directory (AAD) for identity management RBAC to ensure users only have access to what they need, where they need it This is a critical security layer—set it up with intent. 📈 Bake in Monitoring and Diagnostics from Day One Cloud environments must be observable. Implement: Log Analytics Workspace (LAW) to centralize logs Diagnostic Settings to capture platform-level signals Application Insights to monitor app health and performance These tools reduce time to resolution and help enforce SLAs. 🛡️ Review and Close on Security Posture Before allowing workloads to go live, conduct a security baseline check: Enable data encryption at rest and in transit Review and apply Azure Security Center recommendations Ensure ACC (Azure Confidential Computing) compliance if applicable Security is not a phase. It’s baked in throughout—but reviewed intentionally before go-live. 🚦 Validate Before You Launch Never skip a readiness review: Deploy in a test environment to validate templates and policies Get sign-off from architecture, security, and compliance stakeholders Track checklist completion before promoting anything to production This keeps surprises out of your production pipeline. In Closing: It’s Not Just a Checklist, It’s Your Blueprint When implemented well, this checklist becomes much more than a to-do list. It’s a blueprint for scalable, secure, and standardized cloud adoption. It helps teams stay on the same page, reduces firefighting, and accelerates real business value from Azure. Whether you're managing a new enterprise rollout or stabilizing an existing environment, this checklist keeps your foundation strong. Tags - Infrastructure Landing Zone Governance and Security Best Practices for Azure Infrastructure Landing Zones Automating Azure Landing Zone Setup with IaC Templates Checklist to Validate Azure Readiness Before Production Rollout Monitoring, Access Control, and Network Planning in Azure Landing Zones Azure Readiness Checklist for ProductionInfrastructure Landing Zone - Implementation Decision-Making:
🚀 Struggling to choose the right Infrastructure Landing Zone for your Azure deployment? This guide breaks down each option—speed, flexibility, security, and automation—so you can make the smartest decision for your cloud journey. Don’t risk costly mistakes—read now and build with confidence! 🔥Securing the digital future: Advanced firewall protection for all Azure customers
Introduction In today's digital landscape, rapid innovation—especially in areas like AI—is reshaping how we work and interact. With this progress comes a growing array of cyber threats and gaps that impact every organization. Notably, the convergence of AI, data security, and digital assets has become particularly enticing for bad actors, who leverage these advanced tools and valuable information to orchestrate sophisticated attacks. Security is far from an optional add-on; it is the strategic backbone of modern business operations and resiliency. The evolving threat landscape Cyber threats are becoming more sophisticated and persistent. A single breach can result in costly downtime, loss of sensitive data, and damage to customer trust. Organizations must not only detect incidents but also proactively prevent them –all while complying with regulatory standards like GDPR and HIPAA. Security requires staying ahead of threats and ensuring that every critical component of your digital environment is protected. Azure Firewall: Strengthening security for all users Azure Firewall is engineered and innovated to benefit all users by serving as a robust, multifaceted line of defense. Below are five key scenarios that illustrate how Azure Firewall provides security across various use cases: First, Azure Firewall acts as a gateway that separates the external world from your internal network. By establishing clearly defined boundaries, it ensures that only authorized traffic can flow between different parts of your infrastructure. This segmentation is critical in limiting the spread of an attack, should one occur, effectively containing potential threats to a smaller segment of the network. Second, the key role of the Azure Firewall is to filter traffic between clients, applications, and servers. This filtering capability prevents unauthorized access, ensuring that hackers cannot easily infiltrate private systems to steal sensitive data. For instance, whether protecting personal financial information or health data, the firewall inspects and controls traffic to maintain data integrity and confidentiality. Third, beyond protecting internal Azure or on-premises resources, Azure Firewall can also regulate outbound traffic to the Internet. By filtering user traffic from Azure to the Internet, organizations can prevent employees from accessing potentially harmful websites or inadvertently downloading malicious content. This is supported through FQDN or URL filtering, as well as web category controls, where administrators can filter traffic to domain names or categories such as social media, gambling, hacking, and more. In addition, security today means staying ahead of threats, not just controlling access. It requires proactively detecting and blocking malicious traffic before it even reaches the organization’s environment. Azure Firewall is integrated with Microsoft’s Threat Intelligence feed, which supplies millions of known malicious IP addresses and domains in real time. This integration enables the firewall to dynamically detect and block threats as soon as they are identified. In addition, Azure Firewall IDPS (Intrusion Detection and Prevention System) extends this proactive defense by offering advanced capabilities to identify and block suspicious activity by: Monitoring malicious activity: Azure Firewall IDPS rapidly detects attacks by identifying specific patterns associated with malware command and control, phishing, trojans, botnets, exploits, and more. Proactive blocking: Once a potential threat is detected, Azure Firewall IDPS can automatically block the offending traffic and alert security teams, reducing the window of exposure and minimizing the risk of a breach. Together, these integrated capabilities ensure that your network is continuously protected by a dynamic, multi-layered defense system that not only detects threats in real time but also helps prevent them from ever reaching your critical assets. Image: Trend illustrating the number of IDPS alerts Azure Firewall generated from September 2024 to March 2025 Finally, Azure Firewall’s cloud-native architecture delivers robust security while streamlining management. An agile management experience not only improves operational efficiency but also frees security teams to focus on proactive threat detection and strategic security initiatives by providing: High availability and resiliency: As a fully managed service, Azure Firewall is built on the power of the cloud, ensuring high availability and built-in resiliency to keep your security always active. Autoscaling for easy maintenance: Azure Firewall automatically scales to meet your network’s demands. This autoscaling capability means that as your traffic grows or fluctuates, the firewall adjusts in real time—eliminating the need for manual intervention and reducing operational overhead. Centralized management with Azure Firewall Manager: Azure Firewall Manager provides centralized management experience for configuring, deploying, and monitoring multiple Azure Firewall instances across regions and subscriptions. You can create and manage firewall policies across your entire organization, ensuring uniform rule enforcement and simplifying updates. This helps reduce administrative overhead while enhancing visibility and control over your network security posture. Seamless integration with Azure Services: Azure Firewall’s strong integration with other Azure services, such as Microsoft Sentinel, Microsoft Defender, and Azure Monitor, creates a unified security ecosystem. This integration not only enhances visibility and threat detection across your environment but also streamlines management and incident response. Conclusion Azure Firewall's combination of robust network segmentation, advanced IDPS and threat intelligence capabilities, and cloud-native scalability makes it an essential component of modern security architectures—empowering organizations to confidently defend against today’s ever-evolving cyber threats while seamlessly integrating with the broader Azure security ecosystem.Cloud Security as a City Planner: A Guide to Azure Well-Architected Framework’s Security Pillar
Creating and keeping your cloud environment secure has never been more important. Whether you're expanding your cloud footprint or revisiting an Azure deployment that’s been in production for a while, the security pillar of the Microsoft Azure Well-Architected Framework has you covered with a solid security strategy. Microsoft designed the Well-Architected Framework to help everyone build more secure, efficient, and reliable cloud applications. Let’s dive into a few of the key components of the framework's Security pillar and explore how you can secure your Azure environment, step by step. Think of designing secure applications like you are planning a bustling city. You need to give city workers (users) only the access they need to do their jobs. You need to have multiple layers of security (defense in depth), such as security cameras and locked doors, and you need to ensure you are building your city’s infrastructure with the safest materials right from the start (secure defaults). By following these guidelines, you’ll create applications that can be as resilient as a well-planned city. Security Baseline Establishing a security baseline is like setting the building codes and regulations for your city. This step is crucial for maintaining a secure cloud environment. Define well-thought-out security configurations and settings to ensure compliance and protect against threats. Start by assessing your current security posture to pinpoint gaps and areas for improvement. Then, set and enforce security policies that match your organization’s goals. Keep an eye on this baseline and update it as needed to stay ahead of evolving threats. Threat Modeling Threat modeling is similar to preparing for natural disasters and emergencies. Identify what needs protection, like important buildings and infrastructure (data and applications). Analyze potential threats and how they might exploit vulnerabilities. Implement controls to mitigate these risks and regularly update your threat models to stay ahead of new threats. Data Classification Data classification plays a key role in securing your city’s valuables. Categorize data based on sensitivity and importance. Assign a classification level to each type of data and implement appropriate security access controls. Regularly review and update your data classifications to ensure sensitive information is protected. Network Segmentation Network segmentation is like dividing your city into districts and neighborhoods. Isolate critical systems and data to limit the lateral movement of attackers. Use Azure Virtual Networks (VNets) to create isolated environments and apply micro-segmentation with Network Security Groups (NSGs) to control traffic. Implement Azure Firewall to monitor and enforce policies. Identity and Access Management (IAM) Effective identity and access management (IAM) is about knowing who gets access to which buildings in your city. Use multi-factor authentication (MFA) for additional verification and implement role-based access control (RBAC) to assign permissions based on roles. Regularly review and adjust access controls as needed. Network Controls Like keeping the communication lines and transportation routes in your city safe, you need to do the same with your network traffic. Use Virtual Private Networks (VPNs) for secure connections and encrypt data in transit with protocols like TLS. Monitor and control network traffic using NSGs and Azure Firewall to allow only authorized traffic. Secret Storage (Encryption) Like the blueprints and plans for your city’s infrastructure, securing your application secrets, like API keys and connection strings, is crucial. Store secrets securely using Azure Key Vault. Regularly rotate and update secrets to minimize the risk of unauthorized access, and restrict access based on the principle of least privilege. Monitoring and Threat Detection Continuous monitoring and threat detection are essential. It’s like having a dedicated team of city inspectors and surveillance systems. Use tools like the Azure Security Center and Microsoft Sentinel to monitor resources and receive alerts on potential threats. Develop and test incident response plans to handle security incidents quickly. Regularly review and update your strategies to address new threats. Incident Response Plan A well-defined incident response plan is vital for handling security breaches. You need to outline the steps to take during a security incident, including detection, containment, eradication, and recovery. Regularly review, test and update your incident response plan for effectiveness. Tradeoffs When you're designing your workload’s security be sure to think about how choices based on the Security principles and the tips in the Security section might affect other aspects and other pillars in the design framework. Some security decisions might be great for certain areas but could mean compromises for others. Conclusion Security is ongoing work that requires continuous assessment and improvement. By using the guidance provided in the Security section of the Azure Well-Architected Framework, you can help ensure a secure and resilient Azure environment. To dive deeper into the Well Architected Framework’s security pillar, check out the library on Microsoft Learn. Please bookmark the Azure Infrastructure Blog as we continue to publish weekly blogs to help keep you safe on Azure.
Creating an Application Landing Zone on Azure Using Bicep
🧩 What Is an Application Landing Zone? An Application Landing Zone is a pre-configured Azure environment designed to host applications in a secure, scalable, and governed manner. It is a foundational component of the Azure Landing Zones framework, which supports enterprise-scale cloud adoption by providing a consistent and governed environment for deploying workloads. 🔍 Key Characteristics Security and Compliance Built-in policies and controls ensure that applications meet organizational and regulatory requirements. Pre-configured Infrastructure Includes networking, identity, security, monitoring, and governance components that are ready to support application workloads Scalability and Flexibility Designed to scale with application demand, supporting both monolithic and microservices-based architectures. Governance and Management Integrated with Azure Policy, Azure Monitor, and Azure Security Center to enforce governance and provide operational insights. Developer Enablement Provides a consistent environment that accelerates development and deployment cycles. 🏗️ Core Components An Application Landing Zone typically includes: Networking with Virtual Networks (VNets) with subnets and NSGs Azure Active Directory (AAD) integration Role-Based Access Control (RBAC) Azure Key Vault/Managed HSM for secrets management Monitoring and Logging via Azure Monitor and Log Analytics Application Gateway or Azure Front Door for traffic management CI/CD Pipelines integrated with Azure DevOps or GitHub Actions 🛠️ Prerequisites Before deploying the Application Landing Zone, please ensure the following: ✅ Access & Identity Azure Subscription Access: You must have access to an active Azure subscription where the landing zone will be provisioned. This subscription should be part of a broader management group hierarchy if you're following enterprise scale landing zone patterns. A Service Principal (SPN): A Service Principal is required for automating deployments via CI/CD pipelines or Infrastructure as Code (IaC) tools. It should have an atleast Contributor role at the subscription level to create and manage resources. Explicit access to the following is required: - Resource Groups (for deploying application components) - Azure Policy (to assign and manage governance rules) - Azure Key Vault (to retrieve secrets, certificates, or credentials) Azure Active Directory (AAD) Ensure that AAD is properly configured for: - Role-Based Access Control (RBAC) - Group-based access assignments - Conditional Access policies (if applicable) Tip: Use Managed Identities where possible to reduce the need for credential management. ✅ Tooling Azure CLI - Required for scripting and executing deployment commands. - Ensure you're authenticated using az login or a service principal. - Recommended version: 2.55.0 or later for compatibility with Bicep latest Azure features Azure PowerShell - Installed and authenticated (Connect-AzAccount) - Recommended module: Az module version 11.0.0 or later Visual Studio Code Preferred IDE for working with Bicep and ARM templates. - Install the following extensions: - Bicep: for authoring and validating infrastructure templates. - Azure Account: for managing Azure sessions and subscriptions. Source Control & CI/CD Integration Access to GitHub or Azure DevOps is required for: - Storing IaC templates - Automating deployments via pipelines - Managing version control and collaboration � Tip: Use GitHub Actions or Azure Pipelines to automate validation, testing, and deployment of your landing zone templates. ✅ Environment Setup Resource Naming Conventions Define a naming standard that reflects resource type, environment, region, and application. Example: rg-app1-prod-weu for a production resource group in West Europe. Tagging Strategy Predefine tags for: - Cost Management (e.g., CostCenter, Project) - Ownership (e.g., Owner, Team) - Environment (e.g., Dev, Test, Prod) Networking Baseline Ensure that required VNets, subnets, and DNS settings are in place. Plan for hybrid connectivity if integrating with on-premises networks (e.g., via VPN or ExpressRoute). Security Baseline Define and apply: - RBAC roles for least-privilege access - Azure built-in as well as custom Policies for compliance enforcement - NSGs and ASGs for network security 🧱 Application Landing Zone Architecture Using Bicep Bicep is a domain-specific language (DSL) for deploying Azure resources declaratively. It simplifies the authoring experience compared to traditional ARM templates and supports modular, reusable, and maintainable infrastructure-as-code (IaC) practices. The Application Landing Zone (App LZ) architecture leverages Bicep to define and deploy a secure, scalable, and governed environment for hosting applications. This architecture is structured into phases, each representing a logical grouping of resources. These phases align with enterprise cloud adoption frameworks and enable teams to deploy infrastructure incrementally and consistently. 🧱 Architectural Phases The App LZ is typically divided into the following phases, each implemented using modular Bicep templates: 1. Foundation Phase Establishes the core infrastructure and governance baseline: Resource groups Virtual networks and subnets Network security groups (NSGs) Diagnostic settings Azure Policy assignments 2. Identity & Access Phase Implements secure access and identity controls: Role-Based Access Control (RBAC) Azure Active Directory (AAD) integration Managed identities Key Vault access policies 3. Security & Monitoring Phase Ensures observability and compliance: Azure Monitor and Log Analytics Security Center configuration Alerts and action groups Defender for Cloud settings 4. Application Infrastructure Phase Deploys application-specific resources: App Services, AKS, or Function Apps Application Gateway or Azure Front Door Storage accounts, databases, and messaging services Private endpoints and service integrations 5. CI/CD Integration Phase Automates deployment and lifecycle management: GitHub Actions or Azure Pipelines Deployment scripts and parameter files Secrets management via Key Vault Environment-specific configurations 🔁 Modular Bicep Templates Each phase is implemented using modular Bicep templates, which offer: Reusability: Templates can be reused across environments (Dev, Test, Prod). Flexibility: Parameters allow customization without modifying core logic. Incremental Deployment: Phases can be deployed independently or chained together. Testability: Each module can be validated against test cases before full deployment. 💡 Example: A network.bicep module can be reused across multiple landing zones with different subnet configurations. To ensure a smooth and automated deployment experience, here’s the complete flow from setup: ✅ Benefits of This Approach Consistency & Compliance: Enforces Azure best practices and governance policies Modularity: Reusable Bicep modules simplify maintenance and scaling Automation: CI/CD pipelines reduce manual effort and errors Security: Aligns with Microsoft’s security baselines and CAF Scalability: Easily extendable to support new workloads or environments Native Azure Integration: Supports all Azure resources and features. Tooling Support: Integrated with Visual Studio Code, Azure CLI, and GitHub. 🔄 Why Choose Bicep Over Terraform? First-Party Integration: Bicep is a first-party solution maintained by Microsoft, ensuring day-one support for new Azure services and API changes. This means customers can immediately leverage the latest features and updates without waiting for third-party providers to catch up. Azure-Specific Optimization: Bicep is deeply integrated with Azure services, offering a tailored experience for Azure resource management. This integration ensures that deployments are optimized for Azure, providing better performance and reliability. Simplified Syntax: Bicep uses a domain-specific language (DSL) that is more concise and easier to read compared to Terraform's HCL (HashiCorp Configuration Language). This simplicity reduces the learning curve and makes it easier for teams to write and maintain infrastructure code. Incremental Deployment: Unlike Terraform, Bicep does not store state. Instead, it relies on incremental deployment, which simplifies the deployment process and reduces the complexity associated with state management. This approach ensures that resources are deployed consistently without the need for managing state files. Azure Policy Integration: Bicep integrates seamlessly with Azure Policy, allowing for preflight validation to ensure compliance with policies before deployment. This integration helps in maintaining governance and compliance across deployments What-If Analysis: Bicep offers a "what-if" operation that predicts the changes before deploying a Bicep file. This feature allows customers to preview the impact of their changes without making any modifications to the existing infrastructure. 🏁 Conclusion Creating an Application Landing Zone using Bicep provides a robust, scalable, and secure foundation for deploying applications in Azure. By following a phased, modular approach and leveraging automation, organizations can accelerate their cloud adoption journey while maintaining governance and operational excellence.So, you want to have a public IP Address for your application?
In Microsoft Azure, a public IP address is a fundamental component for enabling internet-facing services, such as hosting a web application, facilitating remote access, or exposing an API endpoint. While this connectivity drives functionality, it also exposes resources to the unpredictable and often hostile expanse of the internet. This blog dives deep into the security implications of a public IP in Azure, using a detailed scenario to illustrate potential threats and demonstrating how Azure’s robust toolkit—Network Security Groups (NSGs), Azure DDoS Protection, Azure Firewall, Web Application Firewall (WAF), Private Link, and Azure Bastion—can safeguard against them. Scenario: The exposed e-commerce platform Imagine a small e-commerce business launching its online store on Azure. The infrastructure includes an application gateway hosting a web server with a public IP (e.g., 20.55.123.45), an Azure SQL Database for inventory and customer data, and a load balancer distributing traffic. Initially, the setup works flawlessly, customers browse products, place orders, and the business grows. But one day, the IT team notices unusual activity: failed login attempts spike, site performance dips, and a customer reports a suspicious pop-up on the checkout page. The public IP left with minimal protection has become a target. The threats of public IP exposure A public IP is like an open address in a bustling digital city. It’s visible to anyone with the means to look, and without proper safeguards, it invites a variety of threats: Brute Force Attacks: Exposed endpoints, such as a VM with Remote Desktop Protocol (RDP) or SSH enabled, become prime targets for attackers attempting to guess credentials. With enough attempts, weak passwords can crumble, granting unauthorized access to sensitive systems. Exploitation of Vulnerabilities: Unpatched software or misconfigured services behind a public IP can be exploited. Attackers regularly scan for known vulnerabilities—like outdated web servers or databases—using automated tools to infiltrate systems and extract data or plant malware. Distributed Denial of Service (DDoS) Attacks: A public IP can attract floods of malicious traffic designed to overwhelm resources, rendering services unavailable. For businesses relying on uptime, this can lead to lost revenue and damaged trust. Application-Layer Attacks: Web applications exposed via a public IP are susceptible to threats like SQL injection, cross-site scripting (XSS), or other exploits that manipulate poorly secured code, potentially compromising data integrity or user privacy. Left unprotected, a public IP becomes a liability, amplifying the attack surface and inviting persistent threats from the internet’s darker corners. Azure’s Security Arsenal Azure provides a layered approach to securing resources with public IPs. By leveraging its built-in services, organizations can transform that open gateway into a fortified checkpoint. Here’s how these tools work together to mitigate risks: Azure DDoS Protection Azure DDoS Protection protects from overwhelming public IPs with malicious traffic. Azure DDoS Protection, available for infrastructure protection and as Network & IP Protection SKUs, monitors and mitigates these threats. The Network and IP Protection SKUs uses machine learning to profile normal traffic patterns, automatically detecting and scrubbing malicious floods—such as SYN floods or UDP amplification attacks—before they impact application availability. Azure Web Application Firewall (WAF) When a public IP fronts a web application (e.g., via Azure Application Gateway), the WAF adds application-layer protection. It inspects HTTP/HTTPS traffic, thwarting attacks like SQL injection or XSS by applying OWASP core rule sets. This is critical for workloads where the public IP serves as the entry point to customer-facing services. Network Security Groups (NSGs) NSGs act as a virtual firewall at the subnet or network interface level, filtering traffic based on predefined rules. For the specific scenario above, an NSG should be used to restrict inbound traffic to an Application Gateway’s public IP, allowing only specific ports (e.g., HTTPS on port 443) from trusted sources while blocking unsolicited RDP or SSH attempts. This reduces the attack surface by ensuring only necessary traffic reaches the resource. Azure Private Link Sometimes, the best defense is to avoid public exposure entirely. Azure Private Link allows resources—like Azure SQL Database or Storage—to be accessed over a private endpoint within a virtual network, bypassing the public internet. By pairing a public IP with Private Link for internal services, organizations can limit external exposure while maintaining secure, private connectivity. Azure Bastion For administrative access to backend VMs, exposing RDP or SSH ports via a public IP is a common risk. Azure Bastion eliminates this need by providing a fully managed, browser-based jump box. Admins connect securely through the Azure portal over TLS, reducing the chance of brute force attacks on open ports. Building a Secure Foundation A public IP in Azure doesn’t have to be a vulnerability, it can be a controlled entryway when paired with the right defenses. Start by applying the principle of least privilege with NSGs, restricting traffic to only what’s necessary. Layer on DDoS Protection and Azure Firewall for network-level resilience and add WAF for web-specific threats. Where possible, shift sensitive services to Private Link, and use Bastion for secure management. Together, these services create a multi-tiered shield, turning a potential weakness into a strength. In today’s threat landscape, a public IP is inevitable for many workloads. But leveraging Azure’s built in security tools, your organization can embrace the cloud’s connectivity while keeping threats at bay, allowing you to embrace the cloud without compromising security.How Proactive Network Security Helps Secure Azure Workloads
Today’s network security landscape is a dynamic and challenging frontier. Distributed Denial of Service (DDoS) attacks have escalated, with over 21 million mitigated in 2024—a 53% surge from 2023—peaking at 5.6 terabits per second (Tbps) in Q4, driven by botnets like Mirai variants. Application-layer threats, such as HTTP/HTTPS floods, spiked 548% against telecom sectors, exploiting vulnerabilities in web-facing services. Geopolitical hacktivism has also fueled targeted assaults, with Ukraine seeing a 519% attack increase in 2024. Beyond DDoS, Remote Desktop Protocol (RDP) and Secure Shell (SSH) attacks are on the rise, with over 35% of cloud breaches in 2024 tied to compromised credentials or brute-force attempts on exposed endpoints, according to industry reports. Misconfigured servers, unpatched vulnerabilities (e.g., CVE-2024-3080 in ASUS routers), and weak network policies amplify these risks. For enterprises leveraging Azure’s vast ecosystem, these threats underscore the need to secure virtual networks, public endpoints, and remote access points. Maintaining business continuity, data integrity, and customer trust is crucial. A robust network security strategy strengthens the security and quality of Azure deployments. Proper network security practices ensure availability, so DDoS floods can’t knock critical apps offline, potentially costing you millions if the outage occurs during a peak time. A secure network also helps you protect sensitive data, as network breaches risk customer data, your own IP, and personal data triggering potential compliance violations (e.g. GDPR, CCPA) and loss of trust. These benefits include managing cloud complexity and countering threats like remote access, making proactive network security essential. Application architectures and Azure Native Services for protection Let’s examine two Azure architectures, their threats, and how native services—including Azure Front Door, Azure Firewalls and Azure Network Security Perimeter—mitigate them. Example 1: Multi-Tier Web Application Architecture: A customer-facing web app on Azure App Service, Azure SQL Database backend, and Azure Virtual Network (VNet) connectivity. Traffic flows through Azure Front Door; admins access VMs via RDP/SSH. Threats: - DDoS floods targeting the front-end. - RDP/SSH brute force attacks on exposed VM ports (e.g., 3389, 22). - SQL injection via public endpoints. Azure Services for Protection: Azure Front Door: Acts as a global entry point, providing DDoS protection and Web Application Firewall (WAF) capabilities. It mitigates volumetric and application-layer attacks using Microsoft’s CDN-scale infrastructure, offloading traffic before it reaches the VNET. Azure DDoS Protection: Complements Front Door by protecting VNet resources with real-time traffic analysis, absorbing multi-Tbps floods with 200+ Tbps capacity. Azure Web Application Firewall (WAF): Blocks Layer 7 exploits (e.g., SQL injection, XSS) using OWASP rules. Azure Bastion: Provides secure RDP/SSH access to VMs via a browser-based, managed jumpbox, eliminating public IP exposure for cost-effective dev/test scenarios. Azure Firewall: Inspects VNet traffic, blocking unauthorized RDP/SSH attempts with application-aware rules (e.g., deny port 3389 from untrusted IPs). Network Security Groups (NSGs): Locks down VNet subnets, restricting inbound traffic to trusted sources and protecting against exploits targeting unpatched vulnerabilities (e.g., RDP CVE-2021-34527). Azure Network Security Perimeter: Defines a secure boundary around PaaS services, enforcing centralized policies to block traffic and ensure compliance with organizational standards. Example 2: Microservices with Kubernetes Architecture: A microservices app on Azure Kubernetes Service (AKS), with Azure Load Balancer, Azure Cosmos DB, and API server VNET integration for private network traffic between API server and node pools. Azure Front Door manages ingress; DevOps teams use SSH to manage nodes. Threats: - DDoS targeting public IP resources. - SSH brute-force or credential stuffing on AKS nodes. -insecure network communications between pods, containers running with excessive permissions, leaking of secrets and data breach. - API abuse and container vulnerabilities. Azure Services for Protection: Azure Front Door and Azure Web Application Firewall: Delivers global load balancing and DDoS protection for AKS ingress, filtering floods and Layer 7 threats with integrated WAF, reducing load on downstream services. Azure DDoS Protection: Shields Bastion and Firewall from flood attacks, using adaptive mitigation to maintain uptime. Azure Bastion Developer: Secures SSH access to AKS nodes via private connectivity, avoiding public endpoints—ideal for DevOps workflows. Azure Firewall: Deploys at the VNet edge to filter traffic, blocking SSH exploits and enforcing FQDN-based rules for outbound container updates, thwarting CVE-driven attacks. Network Security Groups (NSGs): Applies granular controls to AKS subnets, denying unauthorized SSH (port 22) or RDP traffic and mitigating risks from misconfigured pods. Azure Network Security Perimeter: Defines a secure boundary around PaaS services, enforcing centralized policies to block traffic and ensure compliance with organizational standards. These tools form a defense-in-depth strategy, leveraging Azure’s scale and intelligence to counter both brute-force and targeted threats. Strategies to help secure your Azure workloads Securing Azure workloads involves consistent monitoring and auditing. Enterprises should use Azure Monitor and Security Center to detect anomalies, such as RDP login spikes or UDP floods, which trigger real-time alerts. Additionally, it is important to audit configurations regularly by reviewing NSGs, Firewall rules, Front Door policies, and Bastion access on a regular basis to correct any misconfigurations, as these are a common cause of breaches according to 2024 data. After monitoring and auditing has succeeded, patching proactively is vital. Update your VMs, containers, and services to address vulnerabilities like CVE-2024-3080, which led to a 3.4 Tbps attack in 2021. After patching, integrate Azure Sentinel with global feeds to preempt exploits or DDOS attacks using Microsoft's threat intelligence. Finally, test your resilience by simulating DDoS and RDP attacks and common vulnerabilities to validate Azure Front Door, Azure Bastion, Azure Firewall, and NSG efficacy, refining your incident response. Protect your business with a network security strategy In network security, threats are multifaceted: DDoS, RDP/SSH exploits, and vulnerabilities threaten Azure workloads, demanding comprehensive security. Azure delivers the tools and native services needed to help fortify your networks against diverse risks. Stay ahead of network threats by integrating security into deployments and maintaining it with monitoring, audits, and testing. While Azure provides the platform, your strategy, including network security, is ultimately what ensures safety.Strengthening Azure infrastructure and platform security - 5 new updates
In the face of AI-driven digital growth and a threat landscape that never sleeps, Azure continues to raise the bar on Zero Trust-ready, “secure-by-default” networking. Today we’re excited to announce five innovations that make it even easier to protect your cloud workloads while keeping developers productive: Innovation What it is Why it matters Next generation of Azure Intel® TDX Confidential VMs (Private Preview) Azure’s next generation of Confidential Virtual Machines now powered by the 5th Gen Intel® Xeon® processors (code-named Emerald Rapids) with Intel® Trust Domain Extensions (Intel® TDX). Enables organizations to bring confidential workloads to the cloud without code changes to applications. The supported VMs include the general-purpose families DCesv6-series and the memory optimized families ECesv6-series. CAPTCHA support for Azure WAF (Public Preview) A new WAF action that presents a visual / audio CAPTCHA when traffic matches custom or Bot Manager rules. Stops sophisticated, human-mimicking bots while letting legitimate users through with minimal friction. Microsoft Learn Azure Bastion Developer (New Regions, simplified secure-by-default UX) A free, lightweight Bastion offering surfaced directly in the VM Connect blade. One-click, private RDP/SSH to a single VM—no subnet planning, no public IP. Gives dev/test teams instant, hardened access without extra cost, jump servers, or NSGs. Azure Azure Virtual Network TAP (Public Preview) Native agentless packet mirroring available for all VM SKUs with zero impact to VM performance and network throughput. Deep visibility for threat-hunting, performance, and compliance—now cloud-native. Microsoft Learn Azure Firewall integration in Security Copilot (GA) A generative AI-powered solution that helps secure networks with the speed and scale of AI. Threat hunt across Firewalls using natural language questions instead of manually scouring through logs and threat databases. Microsoft Learn 1. Next generation of Azure Intel® TDX Confidential VMs (Private Preview) We are excited to announce the preview of Azure’s next generation of Confidential Virtual Machines powered by the 5th Gen Intel® Xeon® processors (code-named Emerald Rapids) with Intel® Trust Domain Extensions (Intel® TDX). This will help to enable organizations to bring confidential workloads to the cloud without code changes to applications. The supported VMs include the general-purpose families DCesv6-series and the memory optimized families ECesv6-series. Azure’s next generation of confidential VMs will bring improvements and new features compared to our previous generation. These VMs are our first offering to utilize our open-source paravisor, OpenHCL. This innovation allows us to enhance transparency with our customers, reinforcing our commitment to the "trust but verify" model. Additionally, our new confidential VMs support Azure Boost, enabling up to 205k IOPS and 4 GB/s throughput of remote storage along with 54 GBps VM network bandwidth. We are expanding the capabilities of our Intel® TDX powered confidential VMs by incorporating features from our general purpose and other confidential VMs. These enhancements include Guest Attestation support, and support of Intel® Tiber™ Trust Authority for enterprises seeking operator independent attestation. The DCesv6-series and ECesv6-series preview is available now in the East US, West US, West US 3, and West Europe regions. Supported OS images include Windows Server 2025, Windows Server 2022, Ubuntu 22.04, and Ubuntu 24.04. Please sign up at aka.ms/acc/v6preview and we will reach out to you. 2. Smarter Bot Defense with WAF + CAPTCHA Modern web applications face an ever-growing array of automated threats, including bots, web scrapers, and brute-force attacks. Many of these attacks evade common security measures such as IP blocking, geo-restrictions, and rate limiting, which struggle to differentiate between legitimate users and automated traffic. As cyber threats become more sophisticated, businesses require stronger, more adaptive security solutions. Azure Front Door’s Web Application Firewall (WAF) now introduces CAPTCHA in public preview—an interactive mechanism designed to verify human users and block malicious automated traffic in real time. By requiring suspicious traffic to successfully complete a CAPTCHA challenge, WAF ensures that only legitimate users can access applications while keeping bots at bay. This capability is particularly valuable for common login and sign-up workflows, mitigating the risk of account takeovers, credential stuffing attacks, and brute-force intrusions that threaten sensitive user data. Key Benefits of CAPTCHA on Azure Front Door WAF Prevent Automated Attacks – Blocks bots from accessing login pages, forms, and other critical website elements. Secure User Accounts – Mitigates credential stuffing and brute-force attempts to protect sensitive user information. Reduce Spam & Fraud – Ensures only real users can submit comments, register accounts, or complete transactions. Easy Deployment and Management – Requires minimal configuration, reducing operational overhead while maintaining a robust security posture. How CAPTCHA Works When a client request matches a WAF rule configured for CAPTCHA enforcement, the user is presented with an interactive CAPTCHA challenge to confirm they are human. Upon successful completion, Azure WAF validates the request and allows access to the application. Requests that fail the challenge are blocked, preventing bots from proceeding further. Getting Started CAPTCHA is now available in public preview for Azure WAF. Administrators can configure this feature within their WAF policy settings to strengthen bot mitigation strategies and improve security posture effortlessly. To learn more and start protecting your applications today, visit our Azure WAF documentation. 3. Azure Bastion Developer—Secure VM Access at Zero Cost Azure Bastion Developer is a lightweight, free offering of the Azure Bastion service designed for Dev/Test users who need secure connections to their Virtual Machines (VMs) without requiring additional features or scalability. It simplifies secure access to VMs, addressing common issues related to usability and cost. To get started, users can sign in to the Azure portal and follow the setup instructions for connecting to their VMs. This service is particularly beneficial for developers looking for a cost-effective solution for secure connectivity. It's now available in 36 regions with a new portal secure by default user experience. Key takeaways Instant enablement from the VM Connect tab. One concurrent session, ideal for dev/test and PoC environments. No public IPs, agents, or client software required. 4. Deep Packet Visibility with Virtual Network TAP Azure virtual network terminal access point enables customers to mirror virtual machine traffic to packet collectors or analytics tools without having to deploy agents or impact virtual machine network throughput, allowing you to mirror 100% of your production traffic. By configuring virtual network TAP on a virtual machine’s network interface, organizations can stream inbound and outbound traffic to destinations within the same or peered virtual network for real-time monitoring for various uses cases, including: Enhanced security and threat detection: Security teams can inspect full packet data in real-time to detect and respond to potential threats. Performance monitoring and troubleshooting: Operations teams can analyze live traffic patterns to identify bottlenecks, troubleshoot latency issues, and optimize application performance. Regulatory compliance: Organizations subject to compliance frameworks such as Health Insurance Portability and Accountability Act (HIPAA), and General Data Protection Regulation (GDPR) can use virtual network TAP to capture network activity for auditing and forensic investigations. Virtual network TAP supports all Azure VM SKU and integrates seamlessly with validated partner solutions, offering extended visibility and security capabilities. For a list of partner solutions that are validated to work with virtual network TAP, see partner solutions. 5. Protect networks at machine speed with Generative AI Azure Firewall intercepts and blocks malicious traffic using the intrusion detection and prevention system (IDPS) today. It processes huge volumes of packets, analyzes signals from numerous network resources, and generates vast amounts of logs. To reason over all this data and cut through the noise to analyze threats, analysts spend several hours if not days performing manual tasks. The Azure Firewall integration in Security Copilot helps analysts perform these investigations with the speed and scale of AI. An example of a security analyst processing the threats their Firewall stopped can be seen below: Analysts spend hours writing custom queries or navigating several manual steps to retrieve threat information and gather additional contextual information such as geographical location of IPs, threat rating of a fully qualified domain name (FQDN), details of common vulnerabilities and exposures (CVEs) associated with an IDPS signature, and more. Copilot pulls information from the relevant sources to enrich your threat data in a fraction of the time and can do this not just for a single threat/Firewall but for all threats across your entire Firewall fleet. It can also correlate information with other security products to understand how attackers are targeting your entire infrastructure. To learn more about the user journey and value that Copilot can deliver, see the Azure blog from our preview announcement at RSA last year. To see these capabilities in action, take a look at this Tech Community blog, and to get started, see the documentation. Looking Forward Azure is committed to delivering secure, reliable, and high-performance connectivity so you can focus on building what’s next. Our team is dedicated to creating innovative, resilient, and secure solutions that empower businesses to leverage AI and the cloud to their fullest potential. Our approach of providing layered defense in depth via our security solutions like Confidential Compute, Azure DDoS Protection, Azure Firewall, Azure WAF, Azure virtual network TAP, network security perimeter will continue with more enhancements and features upcoming. We can’t wait to see how you’ll use these new security capabilities and will be keen to hear your feedback.Check Azure AI Service Models and Features by Region in Excel Format
Introduction While Microsoft's documentation provides information on the OpenAI models available in Azure, it can be challenging to determine which features are included in which model versions and in which regions they are available. There can be occasional inaccuracies in the documentation. I believe this is the limitations of natural language documentation, thus I found that we should investigate directly within the actual Azure environment. This idea led to the creation of this article. You need available Azure subscription, then you can retrieve a list of models available in a specific region using the az cognitiveservices model list command. This command allows you to query the Azure environment directly to obtain up-to-date information on available models. In the following sections, we'll explore how to analyze this data using various examples. Please note that the PowerShell scripts in this article are intended to be run with PowerShell Core. If you execute them using Windows PowerShell, they might not function as expected. Using Azure CLI to List Available AI Models To begin, let's check what information can be retrieved. By executing the following command: az cognitiveservices model list -l westus3 You'll receive a JSON array containing details about each model available in the West US3 region. Here's a partial excerpt from the output: PS C:\Users\xxxxx> az cognitiveservices model list -l westus3 [ { "kind": "OpenAI", "model": { "baseModel": null, "callRateLimit": null, "capabilities": { "audio": "true", "scaleType": "Standard" }, "deprecation": { "fineTune": null, "inference": "2025-03-01T00:00:00Z" }, "finetuneCapabilities": null, "format": "OpenAI", "isDefaultVersion": true, "lifecycleStatus": "Preview", "maxCapacity": 9999, "name": "tts", "skus": [ { "capacity": { "default": 3, "maximum": 9999, "minimum": null, "step": null }, "deprecationDate": "2026-02-01T00:00:00+00:00", "name": "Standard", "rateLimits": [ { "count": 1.0, "key": "request", "renewalPeriod": 60.0, "rules": null } ], "usageName": "OpenAI.Standard.tts" } ], "source": null, "systemData": { "createdAt": "2023-11-20T00:00:00+00:00", "createdBy": "Microsoft", "createdByType": "Application", "lastModifiedAt": "2023-11-20T00:00:00+00:00", "lastModifiedBy": "Microsoft", "lastModifiedByType": "Application" }, "version": "001" }, "skuName": "S0" }, { "kind": "OpenAI", "model": { "baseModel": null, "callRateLimit": null, "capabilities": { "audio": "true", "scaleType": "Standard" }, "deprecation": { "fineTune": null, "inference": "2025-03-01T00:00:00Z" }, "finetuneCapabilities": null, "format": "OpenAI", "isDefaultVersion": true, "lifecycleStatus": "Preview", "maxCapacity": 9999, "name": "tts-hd", "skus": [ { "capacity": { "default": 3, "maximum": 9999, "minimum": null, "step": null }, "deprecationDate": "2026-02-01T00:00:00+00:00", "name": "Standard", "rateLimits": [ { "count": 1.0, "key": "request", "renewalPeriod": 60.0, "rules": null } ], "usageName": "OpenAI.Standard.tts-hd" } ], "source": null, "systemData": { "createdAt": "2023-11-20T00:00:00+00:00", "createdBy": "Microsoft", "createdByType": "Application", "lastModifiedAt": "2023-11-20T00:00:00+00:00", "lastModifiedBy": "Microsoft", "lastModifiedByType": "Application" }, "version": "001" }, "skuName": "S0" }, From the structure of the JSON output, we can derive the following insights: Model Information: Basic details about the model, such as model.format, model.name, and model.version, can be obtained from the format respectively. Available Capabilities: The model.capabilities field lists the functionalities supported by the model. Entries like chat-completion and completions indicate support for Chat Completion and text generation features. If a particular capability isn't supported by the model, it simply won't appear in the capabilities array. For example, if imageGeneration is not listed, it implies that the model doesn't support image generation. Deployment Information: Model's deployment options can be found in the model.skus field, which outlines the available SKUs for deploying the model. Service Type: The kind field indicates the type of service the model belongs to, such as OpenAI, MaaS, or other Azure AI services. By querying each region and extracting the necessary information from the JSON response, we can effectively analyze and understand the availability and capabilities of Azure AI models across different regions. Retrieving Azure AI Model Information Across All Regions To gather model information across all Azure regions, you can utilize the Azure CLI in conjunction with PowerShell. Given the substantial volume of data and to avoid placing excessive load on Azure Resource Manager, it's advisable to retrieve and store data for each region separately. This approach allows for more manageable analysis based on the saved files. While you can process JSON data using your preferred programming language, I personally prefer PowerShell. The following sample demonstrates how to execute Azure CLI commands within PowerShell to achieve this task. # retrieve all Azure regions $regions = az account list-locations --query [].name -o tsv # Use this array if you retrive only specific regions # $regions = @('westus3', 'eastus', 'swedencentral') # retrieve all region model data and put as JSON file $idx = 1 $regions | foreach { $json = $null write-host ("[{0:00}/{1:00}] Getting models for {2} " -f $idx++, $regions.Length, $_) try { $json = az cognitiveservices model list -l $_ } catch { # skip some unavailable regions write-host ("Error getting models for {0}: {1}" -f $_, $_.Exception.Message) } if($json -ne $null) { $models = $json | ConvertFrom-Json if($models.length -gt 0) { $json | Out-File -FilePath "./models/$($_).json" -Encoding utf8 } else { # skip empty array Write-Host ("No models found for region: {0}" -f $_) } } } Summarizing the Collected Data Let's load the previously saved JSON files and count the number of models available in each Azure region. The following PowerShell script reads all .json files from the ./models directory, converts their contents into PowerShell objects, adds the region information based on the filename, and then groups the models by region to count them: # Load all JSON files, convert to objects, and add region information $models = Get-ChildItem -Path "./models" -Filter "*.json" | ForEach-Object { $region = $_.BaseName Get-Content -Path $_.FullName -Raw | ConvertFrom-Json | ForEach-Object { $_ | Add-Member -NotePropertyName 'region' -NotePropertyValue $region -PassThru } } # Group models by region and count them $models | Group-Object -Property region | ForEach-Object { Write-Host ("{0} models in {1}" -f $_.Count, $_.Name) } This script will output the number of models available in each region. For example: 228 models in australiaeast 222 models in brazilsouth 206 models in canadacentral 222 models in canadaeast 89 models in centralus ... Which Models Are Deployable in Each Azure Region? One of the first things you probably want is a list of which models and versions are available in each Azure region. The following script uses -ExpandProperty to unpack the model property array. Additionally, it expands the model.sku property to retrieve information about deployment models. Please note that you have to remove ./model/global.json before running the following script. # Since using 'select -ExpandProperty' modifies the original object, it’s a good idea to reload data from the files each time Get-ChildItem -Path "./models" -Filter "*.json" ` | foreach { Get-Content -Path $_.FullName ` | ConvertFrom-Json ` | Add-Member -NotePropertyName 'region' -NotePropertyValue $_.Name.Split(".")[0] -PassThru } | sv models # Expand model and model.skus, and extract relevant fields $models | select region, kind -ExpandProperty model ` | select region, kind, @{l='modelFormat';e={$_.format}}, @{l='modelName';e={$_.name}}, @{l='modelVersion'; e={$_.version}}, @{l='lifecycle';e={$_.lifecycleStatus}}, @{l='default';e={$_.isDefaultVersion}} -ExpandProperty skus ` | select region, kind, modelFormat, modelName, modelVersion, lifecycle, default, @{l='skuName';e={$_.name}}, @{l='deprecationDate ';e={$_.deprecationDate }} ` | sort-object region, kind, modelName, modelVersion ` | sv output $output | Format-Table | Out-String -Width 4096 $output | Export-Csv -Path "modelList.csv" Given the volume of data, viewing it in Excel or a similar tool makes it easier to analyze. Let’s ignore the fact that Excel might try to auto-convert model version numbers into dates—yes, that annoying behavior. For example, if you filter for the gpt-4o model in the japaneast region, you’ll see that the latest version 2024-11-20 is now supported with the standard deployment SKU. Listing Available Capabilities While the model.capabilities property allows us to see which features each model supports, it doesn't include properties for unsupported features. This omission makes it challenging to determine all possible capabilities and apply appropriate filters. To address this, we'll aggregate the capabilities from all models across all regions to build a comprehensive dictionary of available features. This approach will help us understand the full range of capabilities and facilitate more effective filtering and analysis. # Read from files again Get-ChildItem -Path "./models" -Filter "*.json" ` | foreach { Get-Content -Path $_.FullName ` | ConvertFrom-Json ` | Add-Member -NotePropertyName 'region' -NotePropertyValue $_.Name.Split(".")[0] -PassThru } | sv models # list only unique capabilities $models ` | select -ExpandProperty model ` | select -ExpandProperty capabilities ` | foreach { $_.psobject.properties.name} ` | select -Unique ` | sort-object ` | sv capability_dictionary The result is as follows: allowProvisionedManagedCommitment area assistants audio chatCompletion completion embeddings embeddingsMaxInputs fineTune FineTuneTokensMaxValue FineTuneTokensMaxValuePerExample imageGenerations inference jsonObjectResponse jsonSchemaResponse maxContextToken maxOutputToken maxStandardFinetuneDeploymentCount maxTotalToken realtime responses scaleType search Creating a Feature Support Matrix for Each Model Now, let's use this list to build a feature support matrix that shows which capabilities are supported by each model. This matrix will help us understand the availability of features across different models and regions. # Read from JSON files Get-ChildItem -Path "./models" -Filter "*.json" ` | foreach { Get-Content -Path $_.FullName ` | ConvertFrom-Json ` | Add-Member -NotePropertyName 'region' -NotePropertyValue $_.Name.Split(".")[0] -PassThru } | sv models # Outputting capability properties for each model (null if absent) $models ` | select region, kind -ExpandProperty model ` | select region, kind, format, name, version -ExpandProperty capabilities ` | select (@('region', 'kind', 'format', 'name', 'version') + $capability_dictionary) ` | sort region, kind, format, name, version ` | sv model_capabilities # output as csv file $model_capabilities | Export-Csv -Path "modelCapabilities.csv" Finding Models That Support Desired Capabilities To identify models that support specific capabilities, such as imageGenerations, you can open the CSV file in Excel and filter accordingly. Upon doing so, you'll notice that support for image generation is quite limited across regions. When examining models that support the Completion endpoint in the eastus region, you'll find names like ada, babbage, curie, and davinci. These familiar names bring back memories of earlier models. It also reminds that during the GPT-3.5 Turbo era, models supported both Chat Completion and Completion endpoints. Conclusion By retrieving data directly from the actual Azure environment rather than relying solely on documentation, you can ensure access to the most up-to-date information. In this article, we adopted an approach where necessary information was flattened and exported to a CSV file for examination in Excel. Once you're familiar with the underlying data structure, this method allows for investigations and analyses from various perspectives. As you become more accustomed to this process, it might prove faster than navigating through official documentation. However, for aspects like "capabilities," which may be somewhat intuitive yet lack clear definitions, it's advisable to contact Azure Support for detailed information.
