Azure Arc Server April 2026 Forum
Please find the recording for the monthly Azure Arc Server Forum on YouTube! During the April 2026 Azure Arc Server Forum, we discussed: Public Preview of Essential Machine Management, learn more at aka.ms/EMM-blog and sign up at aka.ms/EMM-feedback Engage with product group on exploration of AI on bring your own Kubernetes by signing up at aka.ms/arc-ai-survey Product group is investing in extending the Multi-cloud Connector provide customers the ability to connect their MECM environments to Azure for inventory, monitoring, and management To sign up for the Azure Arc Server Forum and newsletter, please register with contact details at https://aka.ms/arcserverforumsignup/. For the latest agent release notes, check out What's new with Azure Connected Machine agent - Azure Arc | Microsoft Learn. Our May 2026 forum will be held on Thursday, May 21 at 9:30 AM PST / 12:30 PM EST. We look forward to you joining us, thank you!
Introducing cert-manager for Azure Arc-enabled Kubernetes: now in Public Preview
Today we’re releasing a public preview of cert-manager for Azure Arc-enabled Kubernetes. It’s an Arc extension that automates TLS certificate and trust bundle management for edge Kubernetes clusters. If you’re running Kubernetes at the edge: in factories, retail stores, remote sites, you’ve probably hit the certificate problem already. Certificates expire. Each cluster has its own tooling. Nobody owns the renewal process until something breaks. We routinely hear from customers that certificate issues are a common source of unplanned outages and last-minute firefighting, especially as workload counts grow. This extension packages the open-source cert-manager and trust-manager into a managed Arc extension with Microsoft support. You get automated lifecycle management and trust distribution without having to run and maintain these tools yourself. What it does The extension bundles two CNCF-graduated projects: cert-manager and trust-manager, into a single Arc-K8s extension that you install once per cluster. From there: 1. You can issue, renew, and rotate certificates automatically. You do not need to manage them manually. 2. You can distribute trusted CA certificates consistently across namespaces. No more per-workload trust configuration. 3. You choose the CA issuer: built-in self-signed for dev/test, or your enterprise PKI for production. 4. The extension ships with enterprise support, regular security patches, and proactive maintenance from Microsoft team. Why we built it We built Microsoft cert-manager for Azure Arc-enabled Kubernetes to address three recurring problems we saw in real hybrid and edge environments. Problem 1: Manual certificate issuance. Many organisations still issue, install, and renew certificates through manual steps across clusters and namespaces. That creates operational overhead, slows teams down, and increases the risk of outages when certificates expire or are configured incorrectly. The answer is automation. With cert-manager running as an Arc-enabled extension, teams can automate certificate issuance, renewal, and rotation through Kubernetes-native workflows instead of relying on tickets, scripts, and manual intervention. Problem 2: Fragmented approaches to automation. Even when teams try to automate, they often end up with a mix of scripts, custom controllers, product-specific setups, and one-off operational patterns. That fragmentation makes certificate management harder to scale, harder to standardise, and harder to operate consistently across environments. The answer is to standardise on cert-manager. It provides a common, Kubernetes-native approach to certificate lifecycle management, helping teams reduce tool sprawl, align on a consistent operating model, and simplify how certificates are managed across clusters. Problem 3: Maintenance and upgrade burden for open-source cert-manager. cert-manager is a powerful open-source project, but many organisations do not want the ongoing burden of packaging, validating, patching, upgrading, and supporting it themselves as a production dependency. That can create operational risk, delay updates, and make long-term ownership unclear. The answer is a Microsoft-supported Arc-enabled extension. Microsoft cert-manager for Azure Arc-enabled Kubernetes gives customers a supported way to use cert-manager, with Microsoft handling packaging, delivery, and ongoing maintenance so teams can adopt the capability without taking on the full operational burden of managing the OSS component themselves. What’s in the public preview Here’s what you get: Certificate lifecycle automation with cert-manager: issuance, renewal, rotation, all handled for you. Trust bundle distribution with trust-manager: push trusted CA certs to every namespace that needs them. Self-signed or external CA. Start with the built-in CA, swap in your enterprise PKI when you’re ready. Secure by default. We turned on the security settings you’d want enabled anyway: TLS enforcement, least-privilege RBAC, restricted pod security. Tested at the edge. Validated on AKS Edge Essentials, AKS on Azure Local, and several third-party Kubernetes distros. Works offline. Fits into your Arc stack If you’re already running Azure IoT Operations or Azure Monitor on Arc-enabled clusters, the extension handles TLS between those services with minimal setup. No custom certificate plumbing required: install the extension and the other Arc components pick it up. Get started The extension is available now in public preview. 👉 Documentation and quickstart
Announcing Public Preview of Argo CD extension on AKS and Azure Arc enabled Kubernetes clusters
We are excited to announce public preview of the Argo CD extension for Azure Kubernetes Service (AKS) and Azure Arc-enabled Kubernetes clusters. As GitOps becomes the standard for deploying and operating applications at scale, enterprises need a way to implement GitOps while staying compliant with best practices for security and identity management. Argo CD extension delivers on this need across 3 pillars - Trusted Identity and Secure Access The Argo CD extension integrates with Microsoft Entra ID to provide a secure, enterprise-ready experience for: Secure authentication using Workload Identity federation to Azure Container Registry (ACR) and Azure DevOps. This removes the need for long-lived credentials or hard-coded secrets in Git Repos, moving your CD pipelines closer to a true zero-trust architecture. Single Sign-On (SSO) using existing Azure identities. Enterprise-Grade Hardening and Security This preview introduces several enhancements to improve your security posture: To minimize the attack surface, the extension’s images are built on Azure Linux, specifically engineered for reduced CVEs and improved baseline security. Opt-in to automatic patch releases to stay current on security fixes while maintaining full control over your change management processes. Parity with upstream Argo CD Argo CD extension is designed to remain fully aligned with the upstream Argo CD open‑source project, so teams can use Argo CD as they do today with support for Configuring Argo CD extension with High availability (HA) for production‑grade deployments of critical workloads. Using hub‑and‑spoke architecture for multi‑cluster GitOps scenarios. Application and ApplicationSet, enabling automated and scalable application delivery across large fleets of clusters. Getting Started We invite you to explore the Argo CD extension and provide feedback as we continue to evolve GitOps capabilities for Kubernetes. To get started today, you can enable the extension on your clusters using the Azure CLI. Argo CD extension management via the Azure Portal will be available in a few weeks.Announcing the General Availability of the Azure Arc Gateway for Arc-enabled Kubernetes!
We’re excited to announce the General Availability of Arc gateway for Arc‑enabled Kubernetes. Arc gateway dramatically simplifies the network configuration required to use Azure Arc by consolidating outbound connectivity through a small, predictable set of endpoints. For customers operating behind enterprise proxies or firewalls, this means faster onboarding, fewer change requests, and a smoother path to value with Azure Arc. What’s new: To Arc‑enable a Kubernetes Cluster, customers previously had to allow 18 distinct endpoints. With Arc gateway GA, you can do the same with just 9, a 50% reduction that removes friction for security and networking teams. Why This Matters Organizations with strict outbound controls often spend days, or weeks, coordinating approvals for multiple URLs before they can onboard resources to Azure Arc. By consolidating traffic to a smaller set of destinations, Arc gateway: Accelerates onboarding for Arc‑enabled Kubernetes by cutting down the proxy/firewall approvals needed to get started. Simplifies operations with a consistent, repeatable pattern for routing Arc agent and extension traffic to Azure. How Arc gateway works Arc gateway introduces two components that work together to streamline connectivity: Arc gateway (Azure resource): A single, unique endpoint in your Azure tenant that receives incoming traffic from on‑premises Arc workloads and forwards it to the right Azure services. You configure your enterprise environment to allow this endpoint. Azure Arc Proxy (on every Arc‑enabled Kubernetes Cluster): A component of the Arc K8s agent that routes agent and extension traffic to Azure via the Arc gateway endpoint. It’s part of the core Arc agent; no separate install is required. At a high level, traffic flows: Arc-enabled Kubernetes agent → Arc Proxy → Enterprise Proxy → Arc gateway → Target Azure service. Scenario Coverage As part of this GA release, Arc-enabled Kubernetes Onboarding and other common Arc‑enabled Kubernetes scenarios are supported through Arc gateway, including: Arc-enabled Kubernetes Cluster Connect Arc-enabled Kubernetes Resource View Custom Location Azure Policy's Extension for Azure Arc For other scenarios, including Microsoft Defender for Containers, Azure Key Vault, Container Insights in Azure Monitor, etc., some customer‑specific data plane destinations (e.g., your Log Analytics workspaces, Storage Accounts, or Key Vault URLs) still need to be allow‑listed per your environment. Please consult the Arc gateway documentation for the current scenario‑by‑scenario coverage and any remaining per‑service URLs. Get started Create an Arc gateway resource using the Azure portal, Azure CLI, or PowerShell. Allow the Arc gateway endpoint (and the small set of core endpoints) in your enterprise proxy/firewall. Onboard or update clusters to use your Arc gateway resource. For step‑by‑step guidance, see the Arc gateway documentation on Microsoft Learn. FAQs Does Arc gateway require new software on my clusters? No additional installation - Arc Proxy is part of the standard Arc-enabled Kubernetes Agent. Will every Arc scenario route through the gateway today? Arc-enablement, and other scenarios are covered at GA; some customer‑specific data plane endpoints (for example, Log Analytics workspace FQDNs) may still need to be allowed. Check the docs for the latest coverage details. What is the status of Arc gateway for other infrastructure types? Arc gateway is already GA for Arc-enabled Servers, and Azure Local. Tell us what you think We’d love your feedback on Arc gateway GA for Kubernetes - what worked well, what could be improved, and which scenarios you want next. Use the Arc gateway feedback form to share your input with the product team.AKS enabled by Azure Arc: Powering AI Applications from Cloud to Edge [Ignite 2025]
A New Era for Hybrid Kubernetes and AI Microsoft Ignite 2025 continues to accelerate Azure’s hybrid vision, extending cloud-native innovation into datacenters, factories, retail sites, and remote, fully disconnected environments. This year’s announcements expand the capabilities of AKS enabled by Azure Arc, making it the most versatile and secure platform for deploying modern applications and AI workloads across any environment. AKS Arc now underpins Azure’s hybrid and edge strategy — and increasingly its hybrid AI strategy by delivering consistent operations, strong security, and flexible deployment models for distributed applications. TL;DR: New AKS Arc offering and features in 2025 Azure Kubernetes Fleet Manager for Arc-enabled clusters Public Preview AKS on Azure Local Disconnected Operations Public Preview Improvements to AKS on Azure Local, including lifecycle, portability, additional GPU support and hardware support expansion. Improvements to AKS on Windows Server, improved platform reliability, security, and consistency through fixes to image packaging, dependency handling, node/agent synchronization, certificate and key management, error detection, telemetry and cleanup of stale resources 2-Node High Availability for AKS Arc at the edge Private Preview AI Foundry Local integration for offline/hybrid AI development KAITO on AKS Arc Public Preview for hybrid/edge model deployment Edge RAG on Azure Local Arc Gateway for AKS Arc Public Preview KMS v2 for secrets encryption on AKS on Azure Local Expanded GPU support for AKS Arc on Azure Local (RTX 6000 Ada GA, NVIDIA L-series Preview) AKS Container Apps on Azure Local Public Preview AKS Edge Essentials release for improved stability and offline operations Arc-enabled Azure Monitor Pipeline, Workload Identity Federation, and Azure Container Storage enhancements Azure Linux 3.0 support, Key Vault Secret Store extension Azure Kubernetes Fleet Manager for Arc-enabled clusters As customers scale Kubernetes across datacenters, edge sites, and multiple clouds, fleet operations become increasingly complex. To address this, Azure Kubernetes Fleet Manager now supports Azure Arc-enabled clusters in Public Preview, extending centralized fleet management to any CNCF-compliant Kubernetes distribution, regardless of where it runs. With Arc-enabled clusters onboarded as Fleet Manager members, teams gain a single place to monitor fleet health, enforce governance, and deploy apps and configurations consistently across environments. Intelligent workload placement further simplifies running the right workloads in the right places, helping customers reduce operational overhead while improving agility and reliability for distributed Kubernetes at scale. Fleet Manager now supports Arc-enabled Kubernetes clusters for unified multi-cluster management. Enables centralized health visibility, consistent configuration rollout, and smarter workload placement across hybrid and multi-cloud fleets. Learn more. AKS on Azure Local: Evolving the Hybrid Managed Kubernetes Platform This year, AKS on Azure Local introduces several major enhancements that broaden where and how customers can deploy AKS as their managed Kubernetes platform at the edge. Disconnected Operations Public Preview AKS on Azure Local can now operate entirely offline, supporting customers in sovereign, regulated, or isolated environments. Clusters can be deployed, managed, and updated without continuous Azure connectivity, syncing only when connectivity is temporarily restored. Small Form Factor Bare-Metal Preview The new SFF edition brings AKS to compact industrial PCs and constrained retail or factory environments. It delivers bare-metal performance in a much smaller footprint, including optional GPU support for edge inferencing. Improvements to Azure Local Azure Local continues to mature with expanded hardware compatibility, improved lifecycle reliability, and better workload portability across cloud and local deployments — enabling enterprises to standardize on AKS across all tiers of infrastructure. 2-Node High Availability for the Edge For space- and cost-constrained environments, AKS Arc can support HA clusters with only two nodes, enabling robust production workloads in places where traditional 3-node clusters are not feasible. Operational Excellence with AKS Arc Enterprises operating distributed Kubernetes fleets will benefit from new governance and connectivity capabilities. AKS Arc Gateway Public Preview Arc Gateway simplifies hybrid connectivity by streamlining cluster onboarding and reducing required firewall rules. This creates a more secure and operationally efficient pattern for managing large fleets of Arc-enabled clusters. KMS v2 for Kubernetes secrets encryption at rest in etcd KMS v2 enhances Kubernetes secret encryption for hybrid and on-prem clusters, delivering improved reliability, stronger security boundaries, and consistency with Azure’s cloud-native cryptography approach. AKS as the Hybrid AI Application Platform AI is the defining theme of Ignite 2025 and AKS enabled by Azure Arc is now the foundation for deploying AI where the data resides. Organizations increasingly need to run AI models in datacenters, factories, field environments, and sovereign locations, and this year’s updates establish AKS Arc as Azure’s platform for distributed and offline AI workloads. AI Foundry Local: Build and Fine-Tune AI Models Anywhere AI Foundry Local brings Azure AI Foundry’s core capabilities: the curated model catalog, development tools, templates, and fine-tuning support into customer environments. It allows developers to run foundation models locally using optimized execution paths for GPUs, NPUs, and CPUs; fine-tune models with LoRA/QLoRA in regulated or offline scenarios; and package model artifacts for deployment on AKS clusters. This enables a complete hybrid AI development loop that works both online and fully disconnected. KAITO Public Preview on AKS Arc KAITO automates model serving across cloud, datacenter, and edge. Now available on AKS Arc, it provides one-click packaging, optimization, and deployment of models built in AI Foundry Local. Customers can run ONNX, Hugging Face, or custom models with edge-aware performance optimization across diverse hardware, including CPU-only and GPU-accelerated nodes. Expanded GPU Capabilities Hybrid AI workloads benefit from expanded GPU options, including general availability of the NVIDIA RTX 6000 Ada, preview support for NVIDIA L-series GPUs, and new GPU Partitioning (GPU-PV) support for efficient resource utilization. These capabilities make it possible to run high-performance inferencing and training workloads across a wide range of hybrid deployment scenarios. RAG on Azure Local: Bring Generative AI to On-Premises Data RAG (Retrieval-Augmented Generation) on Azure Local enables organizations to ground AI in their own on-premises data without moving information to the cloud. Delivered as a first-party Azure Arc extension, it provides an integrated retrieval pipeline for ingesting, indexing, and querying enterprise content stored in datacenters or edge locations. With support for hybrid search, multi-modal data, evaluation tooling, and responsible AI controls, organizations can build RAG applications that remain fully compliant with data sovereignty requirements while reducing latency and improving accuracy. By running the full RAG workflow locally — from retrieval to generation — customers can create intelligent applications that leverage proprietary documents, images, and other unstructured data directly within their secure environments. Expanding Application Capabilities at the Edge AKS Container Apps on the Edge A major milestone this year is the public preview of ACA on the edge, enabling teams to bring the simplicity of Azure Container Apps to Azure Local. Developers can deploy AI-powered microservices, inference endpoints, and event-driven applications at the edge using the same ACA programming model used in Azure. AKS Edge Essentials The latest release improves cluster stability, enhances offline lifecycle operations, and strengthens both Linux and Windows support, making it easier to operate AKS at scale in constrained or intermittently connected environments. Enhanced Storage, Telemetry, and Security for Hybrid AI Distributed AI workloads require robust identity, storage, and observability patterns, and Ignite brings major updates in all three areas. The Arc-enabled Azure Monitor Pipeline improves telemetry ingestion across disconnected or segmented networks, caching data locally and syncing to Azure when connectivity is available. Workload Identity Federation for Arc enables secure, secret-less identity for workloads running at the edge. And Azure Container Storage enabled by Arc, now expanded for AKS Arc clusters, provides a high-performance persistent storage layer suited for vector stores, embedding caches, cloud ingest and mirror. Conclusion Ignite 2025 represents a major step forward for AKS enabled by Azure Arc as both a hybrid Kubernetes platform and a hybrid AI application platform. With disconnected operations, edge-native Container Apps, improved GPU acceleration, KAITO for unified model serving, AI Foundry Local for offline model development, and a fully consistent operational model across cloud, datacenter, and edge, AKS Arc now enables organizations to run their most critical cloud-native and AI workloads anywhere they operate. We look forward to continuing to support customers as they build the next generation of hybrid and edge AI applications.Workload Identity support for Azure Arc-enabled Kubernetes clusters now Generally Available!
We’re excited to announce that Workload Identity support for Azure Arc-enabled Kubernetes is now Generally Available (GA)! This milestone brings a secure way for applications running on Arc-connected clusters running outside of Azure to authenticate to Azure services without managing secrets. Traditionally, workloads outside Azure relied on static credentials or certificates to access Azure resources like Event Hubs, Azure Key Vault, and Azure Storage. Managing these secrets introduces operational overhead and security risks. With Microsoft Entra Workload ID federation, your Kubernetes workloads can now: Authenticate securely using OpenID Connect (OIDC) without storing secrets. Exchange trusted tokens for Azure access tokens to interact with services securely. This means no more manual secret rotation and reduced attack surface, all while maintaining compliance and governance. How It Works The integration uses Service Account Token Volume Projection and aligns with Kubernetes best practices for identity federation. The process involves a few concise steps: Enable OIDC issuer and workload identity on your Arc-enabled cluster using Azure CLI. az connectedk8s connect --name "${CLUSTER_NAME}" --resource-group "${RESOURCE_GROUP}" --enable-oidc-issuer –-enable-workload-identity Configure a user-assigned managed identity in Azure to trust tokens from your Azure Arc enabled Kubernetes cluster's OIDC issuer URL. This involves creating a federated identity credential that links the Azure identity with the Kubernetes service account. Applications running in pods, using the annotated Kubernetes service account, can then request Azure tokens via Microsoft Entra ID and access resources they’re authorized for (e.g., Azure Storage, Azure Key Vault). This integration uses Kubernetes-native construct of Service Account Token Volume Projection and aligns with Kubernetes best practices for identity federation. Supported platforms We support a broad ecosystem of distributions, including: Red Hat OpenShift Rancher K3s AKS-Arc (In preview) VMware Tanzu Kubernetes Grid (TKGm) So, whether you’re running clusters in retail stores, manufacturing plants, or remote edge sites, you can connect them to Azure Arc and enable secure identity federation for your workloads to access Azure services. Ready to get started? Follow our step-by-step guide on Deploying and Configuring Workload Identity Federation in Azure Arc-enabled Kubernetes to secure your edge workloads today!Public Preview: Multicloud connector support for Google Cloud
We are excited to announce that the Multicloud connector is now in preview for GCP environments. With the Multicloud connector, you can easily connect your GCP projects and AWS accounts to Azure with the following capabilities: Inventory: Get an up-to-date, comprehensive view of your cloud assets across different cloud providers. Now supporting GCP services (Compute VM, GKE, Storage, Functions, and more), you can now gain insights into your Azure, AWS, and GCP environments in a single pane of glass. The agentless inventory solution will periodically scan your GCP environment, project the discovered resources in GCP as Azure resources, including all of the GCP metadata like GCP labels. Now, you can easily view, query, and tag these resources from a centralized location. Azure Arc onboarding: Automatically Arc-enable your existing and future GCP VMs so you can leverage Azure and Microsoft services, like Azure Monitor and Microsoft Defender for Cloud. Through the multicloud connector, the Azure Arc agent will be automatically installed for machines that meet the prerequisites. How do I get started? You can easily set up the multicloud connector by following our getting started guide which provides step by step instructions on creating the connector and setting up the permissions in GCP which leveraged OIDC federation. What can I do after my connector is set up? With the inventory offering, you can see and query for all of your GCP and Azure resources via Azure Resource Graph. For Azure Arc onboarding, you can apply the Azure management services on your GCP VMs that are Arc-enabled. Learn more here. We are very excited about the expanded support in Google Cloud. Set up your multicloud connector now for free! Please let us know if you have any questions by posting on the Azure Arc forum or via Microsoft support. Here is the mutlicloud capabilities technical documentation. Check out the Ignite session here!Transforming City Operations: How Villa Park and DataON Deliver Real-Time Decisions with Edge RAG
In today’s connected world, customers expect instant, context-rich interactions- even in environments where cloud connectivity isn’t guaranteed. That’s where Edge Retrieval-Augmented Generation (RAG) at the edge comes in. Edge RAG, enabled by Azure Arc, combining local data retrieval with intelligent reasoning to empowers conversational experiences that are fast, secure, and deeply personalized. Together with our Edge Infrastructure partners, we’re applying this technology to transform customer engagement - enabling real-time insights, autonomous workflows, and resilient operations across industries. Edge RAG is a core part of our Adaptive Cloud pillar for Edge AI, ensuring flexibility, resilience, and intelligence wherever customers operate. It uses Foundry language models and together with Foundry Local shape Microsoft’s Foundry Anywhere commitment. Today we’re excited to announce a public preview refresh of Edge RAG at Ignite 2025, bringing new capabilities to accelerate adoption and unlock even more value at the edge: Production-Class LazyGraph RAG with Industry-leading RAG inferencing quality High-Fidelity Parsing: OCR-enabled support for documents, tables, and images SharePoint Server integration (limited access; to register, click here ) Multimodal search with image retrieval & image-rich outputs Chat UI Upgrades and performance improvements Fully Disconnected scenarios enabled by Azure Local for Disconnected Operations The new features in this release are informed by our engagement with the City of Villa Park, in partnership with DataON, where we’ve applied Edge RAG to improve operational efficiency and deliver smarter, real-time services for urban environments. Together, we pilot compliance assistant agentic workflow with OCR & LLM integration. Villa Park: A Blueprint for Smart Cities The City of Villa Park, California, faced challenges common to many municipalities: complex zoning regulations that slowed approvals, lengthy CEQA compliance processes requiring deep environmental analysis, backlogs in accessory dwelling unit (ADU) permit reviews. Working with DataON, a Microsoft partner, and Microsoft, Villa Park deployed Edge RAG on Azure Local, creating a resilient, intelligent planning system that operates seamlessly; even offline. Environmental assessments that once required days are now completed in minutes. The partnership between the City of Villa Park and DataON is a standout example of how municipalities and technology providers can co-innovate to solve real-world challenges. Ray Pascua, Villa Park’s Planning Manager, has led this transformation: “Having the opportunity to utilize AI to perform research and retrieve large datasets specifically from the California Environmental Quality Act (CEQA) Guidelines (Statutory/Categorical Exemptions), and State law relative to Accessory Dwelling Units (ADUs), has been an overall positive experience. AI algorithm is a revolutionary medium that can streamline and improve workflow efficiencies by automating routine and repetitive planning-related tasks and analysis, and would be of particular value and benefit to local government agencies that have limited personnel and resources. While this cutting-edge technological tool is still evolving and has room to improve accuracy and speed, it certainly has a place in the realm of City Planning, as well as other land use development fields and disciplines.” Howard Lo, VP of Sales & Marketing at DataON, shares: “Our collaboration with Microsoft and the City of Villa Park showcases Azure Local's transformative potential for municipal government AI. As a leading Azure Local partner, DataON has optimized our infrastructure to run Microsoft's Edge RAG solution, enabling Villa Park to address real planning challenges while maintaining data control and security. Working directly with Microsoft's engineering team and a forward-thinking city partner, we've proven that Azure Local delivers practical AI value for government operations. We're excited to help other municipalities achieve similar results on our Azure Local platform.” Villa Park’s deployment leverages DataON’s Azure Local-certified hardware, Microsoft’s Arc-enabled AI stack, and the expertise of city planners to deliver: End-to-end digital workflows for CEQA, zoning, and ADU permitting Conversational AI interfaces that empower staff to ask questions and get cited, regulatory-compliant answers instantly Operational resilience with full offline support, ensuring continuity even during network outages A replicable model for other municipalities seeking to modernize planning and compliance About DataON DataON’s edge infrastructure, combined with Azure Local and Edge RAG, forms the core of this transformation. DataON provides robust hardware and delivers deployment, integration, and training services, ensuring a seamless Azure Local experience. Their close support helps organizations quickly adopt and confidently manage edge solutions, resulting in secure, high-performance, and scalable deployments for multi-site environments. Let’s take a closer look at the features we’re announcing today: Deep Search for Complex Reasoning with LazyGarph RAG With the Ignite release, Edge RAG introduces Deep Search powered by LazyGraph RAG; a dynamic graph-based retrieval method that enables advanced, multi-document reasoning. This means Villa Park planners can now ask complex, multi-part questions that span zoning, CEQA, and ADU regulations, and Edge RAG will synthesize answers by connecting information from multiple sources in real time. Image 1: Deep Search capabilities on Edge RAG The system incrementally explores only the most relevant document chunks, reducing compute cost and latency while delivering comprehensive, cited responses. For Villa Park, this translates to resolving intricate regulatory scenarios, such as “What are the environmental constraints for ADUs in zones X, Y, and Z?”. With answers that reference and link multiple regulatory documents and historical decisions, all in a single query. Advanced Document Parsing for Structured Data Edge RAG’s advanced document parsing, introduced in this release, transforms how Villa Park’s planning documents are utilized. During data ingestion, the system now extracts not only free-form text but also tables, images, headings, and rich metadata. This includes full indexing of multi-page tables, column headers, and section context, with each chunk annotated by page number, section heading, and table index. As a result, planners can search for specific permit statistics, environmental impact scores, or compliance tables and retrieve results directly from structured data within city documents; enabling precise, source-attributed answers that were previously difficult or impossible to obtain. Image 2: Advanced document parsing on Edge RAG Enhanced Chat Experience The new model-only chat mode allows staff to interact directly with the language model, bypassing contextual data for general queries or troubleshooting. This flexibility enables Villa Park staff to quickly switch between knowledge-based chat-grounded in city data, and model-only chat for training, testing, or handling ambiguous queries, streamlining both day-to-day operations and onboarding of new team members. Additional Edge RAG Preview Refresh Updates We also improved Edge RAG based on customer feedback, adding these features: Agentic RAG for autonomous workflows: Systems can reason and act at the edge with less manual work. Full offline support: Operates and accesses data even without a network. SharePoint integration (private preview): users will also be able to query Edge RAG directly over SharePoint, enabling enhanced information retrieval and analysis within their workflows. Image 3: Sharepoint as a data source on Edge RAG Performance optimizations: Query responses for every search type, excluding Deep Search, are now delivered in under 15 seconds on legacy A2 and A16 GPUs; a fivefold speed boost. Additionally, streaming image processing has increased one hundred times, allowing 600 images to be handled continuously in just 36 seconds. Since late May, Edge RAG has supported “bring your own model” (BYOM), allowing organizations to deploy their preferred language models such as OpenAI GPT-4o or other advanced models, directly on their own infrastructure. This capability enables advanced features like deep search and hybrid multimodal search, while ensuring that sensitive data remains on-premises. BYOM empowers organizations to tailor Edge RAG’s AI capabilities to their unique compliance, performance, or customization requirements, maintaining full control over both data and model selection. Security, Compliance, and Sustainability Edge RAG is built for trust: data sovereignty ensures sensitive data remains on-premises, zero-trust architecture integrates with Microsoft security stack, and compliance-ready design supports municipal, state, and industry regulations. Sustainability is also a priority, with energy-efficient edge hardware reducing carbon footprint. Looking Ahead: The Future of Edge Intelligence Edge RAG enables flexible edge intelligence deployment in various environments. Its adaptable design handles dynamic workloads, supporting frontline teams as operations evolve. Instead of just speeding up processes or boosting connectivity, Edge RAG fosters innovative applications and smarter decision-making, helping organizations stay agile amid changing technology and business needs. Resources Explore these resources to learn more about Edge RAG, deployment best practices, customer stories, and technical documentation: Product documentation: Edge RAG Preview, enabled by Azure Arc Documentation | Microsoft Learn Get Started: Quickstart: Install Edge RAG Preview enabled by Azure Arc Release notes: What's New in Edge RAG – Azure Arc Tech Talk Distribution List: EdgeRAGTalk@microsoft.com Join the conversation, ask questions, and connect with the Edge RAG team Recommended Ignite sessions: BRK147: What’s new in Azure Local ODSP1467: Unlock your IT potential with Azure Local & DataON Plus Solutions BRK199: From cloud to edge: Building and shipping Edge AI apps with Foundry
Announcing General Availability of the Azure Key Vault Secret Store Extension
We are thrilled to announce Azure Key Vault Secret Store Extension (SSE) is now generally available for Arc-enabled on-premises Kubernetes, including clusters that you connect yourself and AKS Arc managed clusters. SSE automatically fetches secrets from an Azure Key Vault to the on-premises cluster for offline access. This means you can use Azure Key Vault to store, maintain, and rotate your secrets, even when running your Kubernetes cluster in a semi-disconnected state. Key Benefits Offline Access: It’s important that workloads continue even when there are temporary disruptions to connectivity. This includes regular operation as well as the ability to restart pods while there’s a connectivity interruption. With SSE, workloads can access secrets from the local Kubernetes secrets store regardless of connectivity interruptions. Standard K8s Secret Access: Secrets can be accessed via volume mounting, environment variables, or via the Kubernetes API. Workloads and ingress controllers do not need to be customized to access Azure Key Vault and developers have options on how to access secrets. Security: SSE has limited permissions and leverages the latest Kubernetes security features so that cluster admins do not need to configure and limit permissions themselves. Secrets are critical business assets, so the Secret Store helps to secure them through isolated namespaces, role-based access control (RBAC) policies, federated identities for accessing AKV, and limited permissions for the secrets synchronizer. Scalability: SSE helps very large distributed deployments with hundreds or thousands of clusters to work with Azure Key Vault by spreading demand over time. By effectively caching secrets in the Kubernetes secrets store, SSE can also help to lower overall demand on Azure Key Vault instances. Low maintenance: Auto-updates can keep your SSE up to date with security and performance improvements as they are released. Additionally, changes to configured secrets are even easier now with the new simplified configuration experience (in preview). With the simplified configuration style, a single custom resource is all that’s needed, reducing the effort and surface area for misconfigurations. How to Use the Secret Store Extension Install the Secret Store Extension to an Arc-enabled cluster or AKS managed on-premises cluster with configuration parameters such as sync intervals. Configure an Azure managed identity that has permission to read secrets from AKV and federate it with a Kubernetes service account. Configure a secret provider class custom resource (CR) in the cluster with connection details to the Key Vault. Configure a secret sync custom resource (CR) in the cluster for each secret to be synchronized. (Steps 3 and 4 are now even easier with the new simplified configuration!) Apply the CRs in the cluster and secrets will automatically begin syncing to the cluster. Relax knowing that your configured secrets will be kept up to date on the cluster, as frequently as you want. Try out the Secret Store Extension Today! Get started by visiting the SSE documentation Get hands-on even faster with the SSE Jumpstart Drop
