virtual machines
58 Topics

Announcing preview of new Azure Dasv7, Easv7, Fasv7-series VMs based on AMD EPYC™ ‘Turin’ processor
Today, Microsoft is announcing the preview of the new Azure AMD-based Virtual Machines (VMs), powered by 5th Generation AMD EPYC™ (Turin) processors. The preview includes general purpose (Dasv7 & Dalsv7 series), memory-optimized (Easv7 series) and compute-optimized (Fasv7, Falsv7, Famsv7 series) VMs, available with and without local disks. These VMs are in preview in the following Azure regions: East US 2, North Europe, and West US 3. To request access to the preview, please fill out the Preview-Signup.

The latest Azure AMD-based VMs deliver significant enhancements over the previous generation (v6) AMD-based VMs: improved CPU performance, greater scalability, and expanded configuration options to meet the needs of a wide range of workloads. Key improvements include:

- Up to 35% CPU performance improvement compared to equivalent sized (v6) AMD-based VMs.
- Significant performance gains on other workloads:
  - Up to 25% for Java-based workloads
  - Up to 65% for in-memory cache applications
  - Up to 80% for crypto workloads
  - Up to 130% for web server applications
- Maximum boost CPU frequency of 4.5 GHz, enabling faster operations for compute-intensive workloads.
- Expanded VM sizes: Dasv7-series, Dalsv7-series and Easv7-series now scale up to 160 vCPUs. Fasv7-series supports up to 80 vCPUs, with a new 1-core size.
- Increased memory capacity: Dasv7-series now offers up to 640 GiB of memory. Easv7-series scales up to 1280 GiB and is ideal for memory-intensive applications.
- Enhanced remote storage performance: VMs offer up to 20% higher IOPS and up to 50% greater throughput compared to similar sized previous generation (v6) VMs.
- New VM families introduced: Fadsv7, Faldsv7, and Famdsv7 are now available with local disk support.
- Expanded constrained-core offerings: New constrained-core sizes for Easv7 and Famsv7, available with and without local disks, helping to optimize licensing costs for core-based software licensing.
These enhancements make these latest VMs a compelling choice for customers seeking high performance, cost efficiency, and workload flexibility on Azure.

Additionally, these VMs leverage the latest Azure Boost technology, which enhances their performance and security. The new VMs utilize the Microsoft Azure Network Adapter (MANA), a next-generation network interface that provides stable, forward-compatible drivers for Windows and Linux operating systems. These VMs also support the NVMe protocol for both local and remote disks.

The 5th Generation AMD EPYC™ processor family, based on the newest ‘Zen 5’ core, provides enhanced capabilities for these new Azure AMD-based VM series, such as AVX-512 with a full 512-bit data path for vector and floating-point operations, higher memory bandwidth, and improved instructions per clock compared to the previous generation. These updates provide increased throughput and the ability to scale for compute-intensive tasks like AI and machine learning, scientific simulations, and financial analytics, among others. AMD Infinity Guard hardware-based security features, such as Transparent Secure Memory Encryption (TSME), continue in this generation to ensure sensitive information remains secure.

These VMs support three memory (GiB)-to-vCPU ratios: 2:1 (Dalsv7-series, Daldsv7-series, Falsv7-series and Faldsv7-series), 4:1 (Dasv7-series, Dadsv7-series, Fasv7-series and Fadsv7-series), and 8:1 (Easv7-series, Eadsv7-series, Famsv7-series and Famdsv7-series).

The Dalsv7-series are ideal for workloads that require less RAM per vCPU, which can reduce costs when running non-memory intensive applications, including web servers, video encoding, batch processing and more.

The Dasv7-series VMs work well for many general computing workloads, such as e-commerce systems, web front ends, desktop virtualization solutions, customer relationship management applications, entry-level and mid-range databases, application servers, and more.
The Easv7-series VMs are ideal for workloads such as memory-intensive enterprise applications, data warehousing, business intelligence, in-memory analytics, and financial transactions.

The new Falsv7-series, Fasv7-series and Famsv7-series VMs do not have Simultaneous Multithreading (SMT), meaning a vCPU equals a full core, which makes these VMs well-suited for compute-intensive workloads needing the highest CPU performance, such as scientific simulations, financial modeling and risk analysis, gaming, and more.

In addition to the standard sizes, the latest VM series are available in constrained-core sizes, with vCPU count constrained to one-half or one-quarter of the original VM size, giving you the flexibility to select the core and memory configuration that best fits your workloads.

In addition to the new VM capabilities, the previously announced Azure Integrated HSM (Hardware Security Module) will be in Preview soon with the latest Azure AMD-based VMs. Azure Integrated HSM is an ephemeral HSM cache that enables secure key management within Azure virtual machines by ensuring that cryptographic keys remain protected inside a FIPS 140-3 Level 3-compliant boundary throughout their lifecycle. To explore this new feature, please sign up using the form provided below.

These latest Azure AMD-based VMs will be charged during preview; pricing information will be shared with access to the VMs. Eligible new Azure customers can sign up for a free account and receive a $200 Azure credit.

The new VMs support all remote disk types. To learn more about the disk types and their regional availability, please refer to Azure managed disk type. Disk storage is billed separately from virtual machines.

You can learn more about these latest Azure AMD-based VMs by visiting the specification pages at Dasv7-series, Dadsv7-series, Dalsv7-series, Daldsv7-series, Easv7-series, Eadsv7-series, Fasv7-series, Fadsv7-series, Falsv7-series, Faldsv7-series, Famsv7-series and Famdsv7-series.
The latest Azure AMD-based VMs provide options for your wide range of computing needs. Explore the new VMs today and discover how these VMs can enhance your workload performance and lower your costs. To request access to the preview, please fill out the Preview-Signup form.

Have questions? Please reach us at Azure Support and our experts will be there to help you with your Azure journey.

634 Views, 1 like, 0 Comments

Increase security for Azure VMs: Trusted launch in-place upgrade support now available!
Introduction

We’re excited to announce that Trusted Launch in-place upgrade support is now available to help you strengthen the security of your Azure virtual machines and scale set resources—without the need for complex migrations or rebuilds.

- Generally available for existing Gen1 & Gen2 virtual machines (VMs), and for Gen1 & Gen2 VM Uniform scale sets
- In private preview for Gen1 & Gen2 VM Flex scale sets

Trusted launch is strongly recommended by Microsoft as the secure path from the Unified Extensible Firmware Interface (UEFI) through the Windows kernel Trusted Boot sequence. It helps prevent bootkit malware in the boot process, ensuring your workloads start in a verified and uncompromised state. Disabling Trusted launch puts your infrastructure at risk of bootkit infections, making this upgrade not just beneficial—but essential.

By leveraging in-place upgrade support, you can seamlessly enhance foundational security for your existing virtual machine and scale set resources with Trusted launch at no additional cost, ensuring protection against modern threats and readiness for future compliance needs.

What is Trusted launch?

Trusted Launch is a built-in Azure virtual machine and scale set capability that helps protect your virtual machines from advanced threats—right from the moment they start. It adds a layer of foundational security to your VMs by enabling:

- Secure Boot: Prevents unauthorized code like rootkits and bootkits from loading during startup.
- vTPM: Acts as a secure vault for encryption keys and boot measurements, enabling attestation of your VM’s integrity.
- Boot Integrity Monitoring: Guest attestation extension continuously checks that your VM boots into a trusted, uncompromised state.

Trusted Launch enhances the security posture of a VM through cryptographic verification and ensures the VM boots to a desired secure state, protecting it from attacks that modify operating system processes.
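To find which existing VMs still lack the Secure Boot and vTPM settings described above, the following added example (not part of the original post and not Microsoft's code) sorts a VM inventory by Trusted launch status and upgrade path. The inventory is constructed; its field names follow the VM resource model's `securityProfile`, and `hyperVGeneration` is assumed to have been merged in from each VM's instance view by whoever exported the list.

```python
import json

# Constructed sample inventory (not real resources). Assumption: one record per
# VM, with securityProfile as in the VM resource model and hyperVGeneration
# copied in from the VM's instance view.
SAMPLE_INVENTORY = json.loads("""
[
  {"name": "web-01", "hyperVGeneration": "V2",
   "securityProfile": {"securityType": "TrustedLaunch",
     "uefiSettings": {"secureBootEnabled": true, "vTpmEnabled": true}}},
  {"name": "web-02", "hyperVGeneration": "V2",
   "securityProfile": {"securityType": "TrustedLaunch",
     "uefiSettings": {"secureBootEnabled": false, "vTpmEnabled": true}}},
  {"name": "app-01", "hyperVGeneration": "V2", "securityProfile": null},
  {"name": "legacy-01", "hyperVGeneration": "V1"},
  {"name": "db-01", "hyperVGeneration": "V2",
   "securityProfile": {"securityType": "ConfidentialVM",
     "uefiSettings": {"secureBootEnabled": true, "vTpmEnabled": true}}},
  {"name": "odd-01"}
]
""")

# Feature flags that Trusted launch is expected to have switched on.
UEFI_FEATURES = (("secureBootEnabled", "Secure Boot"), ("vTpmEnabled", "vTPM"))


def classify_vm(vm):
    """Return (status, detail) for one VM record."""
    profile = vm.get("securityProfile") or {}          # missing or null profile
    security_type = profile.get("securityType") or "Standard"
    uefi = profile.get("uefiSettings") or {}
    generation = vm.get("hyperVGeneration")

    if security_type == "TrustedLaunch":
        # The security type alone is not enough: each feature can be turned off.
        missing = [label for key, label in UEFI_FEATURES if not uefi.get(key)]
        if missing:
            return "trusted-launch-partial", "disabled: " + ", ".join(missing)
        return "trusted-launch", "Secure Boot and vTPM enabled"
    if security_type == "ConfidentialVM":
        return "out-of-scope", "separate security type, not covered by this audit"
    if generation == "V2":
        return "gen2-candidate", "enable Trusted launch in place"
    if generation == "V1":
        # Per the post, returning to Gen1 later means restoring from a backup
        # or restore point, so one should exist before the upgrade.
        return "gen1-candidate", "Gen1 upgrade path; create a restore point first"
    return "unknown", "no Hyper-V generation recorded"


def audit(inventory):
    """Group VM names by status, preserving inventory order."""
    groups = {}
    for vm in inventory:
        status, _ = classify_vm(vm)
        groups.setdefault(status, []).append(vm.get("name", "<unnamed>"))
    return groups


if __name__ == "__main__":
    for vm in SAMPLE_INVENTORY:
        status, detail = classify_vm(vm)
        print(f"{vm.get('name', '<unnamed>'):<10} {status:<24} {detail}")
```
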
Trusted launch maintains the trust of the guest OS and adds defense-in-depth. It is essential for maintaining compliance with various regulatory requirements, including Azure Security Benchmark, FedRAMP, Cloud Computing SRG (STIG), HIPAA, PCI-DSS, and others. It’s a simple yet powerful way to enhance foundational security of your virtual machine and scale set resources—without changing how you deploy or manage your workloads.

Upgrade security of existing VMs and Scale sets to Trusted launch

The following table summarizes the high-level steps associated with the Trusted launch upgrade of Gen1 and Gen2 VMs and Scale sets, including links to the public documentation, which contains detailed steps.

| Resource type | High level steps |
| --- | --- |
| Gen1 virtual machine | Learn more: Upgrade existing Azure Gen1 VMs to Trusted launch |
| Gen2 virtual machine | Learn more: Enable Trusted launch on existing Azure Gen2 VMs |
| Virtual machine scale set | Learn more: Upgrade existing Azure Scale set to Trusted launch |

Conclusion

We take the security of our cloud computing platform as a priority, and this change is an important step towards ensuring that Azure VMs provide a more secure environment for your applications and services.

Upgrading your Azure VMs and Scale Sets to Trusted Launch is a simple yet powerful way to strengthen foundational infrastructure security—without disrupting your existing workloads. With in-place upgrade support now available, you can take advantage of foundational security features like Secure Boot and vTPM to protect against modern threats and meet compliance requirements—all at no additional cost.

Next steps

Whether you're running Gen1 (BIOS) or Gen2 (UEFI) VM resources, don’t wait to secure your infrastructure—upgrade your VMs and Scale-sets to Trusted Launch today. This upgrade can be completed with minimal effort and downtime.

- Upgrade your Gen1 VMs to Trusted Launch using generally available upgrade support with step-by-step guide.
- Upgrade your Gen2 VMs to Trusted Launch using generally available upgrade support with step-by-step guide.
- Upgrade your Gen1 or Gen2 Uniform Scale sets to Trusted launch using generally available upgrade support with step-by-step guide.
- For Gen1 or Gen2 Flex Scale sets, private preview access is now open – sign-up for preview and get early access to Trusted launch upgrade experience for Flex scale sets.

Trusted launch is your first line of defence against bootkit malware, and upgrading ensures your VMs meet modern security and compliance standards. Act now to protect your workloads and make them resilient against future threats.

Frequently Asked Questions

Are all upgrade features generally available?

The following table summarizes the status of each upgrade feature:

| Trusted launch upgrade support for resource type | Status | Learn more |
| --- | --- | --- |
| Gen1 virtual machine | Generally available | Upgrade existing Azure Gen1 VMs to Trusted launch |
| Gen2-only virtual machine | Generally available | Enable Trusted launch on existing Azure Gen2 VMs |
| Scale set (Uniform) | Generally available | Upgrade existing Azure Scale set to Trusted launch |
| Scale set (Flex) | Private preview | Sign-up for preview at Enable Trusted Launch on Existing Flex Scale Sets (PREVIEW) |

What are the pre-requisites to enable Trusted launch?

Before planning the upgrade of an existing VM or Scale set to Trusted launch, ensure that:

- The VM size of the given VM or Scale set is supported for Trusted launch. Change the VM size to a Trusted launch supported VM size if needed to support the upgrade.
- The VM or Scale set is running an operating system supported with Trusted launch. For Scale set resources, you can change the OS image reference to a supported OS version along with the Trusted launch upgrade.
- The VM or Scale set is not dependent on Azure features currently not supported with Trusted launch.
- Azure Backup, if enabled for VMs, should be configured with the Enhanced Backup policy. Existing Azure VM backup can be migrated from the Standard to the Enhanced policy.
- Azure site recovery (ASR), if enabled for VMs, should be disabled prior to upgrade. You can re-enable ASR replication post completion of Trusted launch upgrade.

What are the best practices to consider before upgrade?

We recommend following certain best practices before you execute the upgrade to Trusted launch for VMs and Scale sets hosting production workloads:

- Review the step-by-step guide published for Gen1 and Gen2 VMs and Scale sets, including known limitations, issues, and roll-back steps.
- Enable Trusted launch on a test VM or Scale set and determine if any changes are required to meet the prerequisites.
- Create restore points for VMs associated with production workloads before you enable the Trusted launch security type. You can use the restore points to re-create the disks and VM with the previous well-known state.

Can I enable Trusted launch without changing OS from Gen1 (BIOS) to Gen2 (UEFI)?

Trusted launch security capabilities (Secure boot, vTPM) can be enabled for Gen2 UEFI-based operating systems only; they cannot be enabled for Gen1 BIOS-based operating systems.

How will my new or other VMs or Scale set be affected?

The upgrade is executed on the specific VM or Scale set resource only. It does not impact new or other existing Azure VMs or Scale set clusters already running in your environment.

Can I roll back Trusted launch upgrade to Gen1 (BIOS) configuration?

For virtual machines, you can roll back the Trusted launch upgrade to Gen2 VM without Trusted launch. You cannot in-place roll back from Trusted launch to Gen1 VM. For restoring Gen1 configuration, you’ll need to restore the entire VM and disks from the backup or restore point of the VM taken prior to upgrade.

For scale sets, you can roll back the changes made to the previous known good configuration, including Gen1 configuration.

495 Views, 2 likes, 0 Comments

Announcing the General Availability of Azure FXv2-series Virtual Machines
Today, Microsoft is excited to announce the General Availability of the new Azure FXv2-series Virtual Machines (VMs), powered by the 5th Generation Intel® Xeon® Platinum 8573C (Emerald Rapids) processor. This release includes Compute-optimized VMs FXmsv2-series and FXmdsv2-series.

The FXv2-series VMs are optimally designed and purpose-built for compute-intensive workloads such as databases, data analytics, and electronic design automation (EDA), demanding substantial memory, high-performance storage, and I/O bandwidth.

FXv2-series VMs offer key advantages for SQL Server workloads, including enhanced performance that ensures efficient management of large volumes of data and transactions. This is essential for applications requiring high I/O operations per second (IOPS) and low latency.

Additionally, FXv2-series VMs offer EDA customers an enhanced Intel-based option with larger L3 caches, higher instructions per clock, increased memory capacity, and faster storage compared to the previous generation FXv1 VMs. These improvements are especially beneficial for customers in the semiconductor industry, as they help to reduce chip design turnaround time, accelerate time-to-market, and enhance license utilization to lower overall TCO.

Azure FXv2-series VMs have been engineered to deliver exceptional CPU performance of up to 50% better than the previous generation FXv1-series VMs. Azure FXv2-series VMs feature an all-core-turbo frequency up to 4.0 GHz. The FXv2-series offers VM sizes up to 96 vCPUs, which is twice the number of vCPUs compared to the previous generation. Furthermore, these new VMs offer up to 1,832 GiB memory with a memory to core ratio of 21 GiB/vCPU.

FXv2-series VMs support the NVMe protocol for both local and remote disks, delivering fast, low-latency storage performance. NVMe enables up to 2x IOPS and up to 5x throughput in remote storage performance compared to the previous generation.
These VMs support all remote disk types, including Premium SSD v2 and Ultra Disk, offering up to 400K IOPS and up to 11.25 GBps throughput. Additionally, these VMs offer up to 70 Gbps of network bandwidth.

Enhancements from Azure Boost significantly improve networking, storage, overall CPU performance, and security of the VMs. It utilizes the new Microsoft Azure Network Adapter (MANA), a next-generation network interface that provides stable, forward-compatible drivers for Windows and Linux operating systems.

These VMs have enhanced AI capabilities with Intel® Advanced Matrix Extensions (AMX), delivering higher inference and training performance, and enhanced security capabilities with Intel® Total Memory Encryption (TME) technology, providing enhanced protection to data in system memory.

These VMs are offered in standard sizes and constrained-core configurations, which gives you flexibility to choose the core and memory setup that best suits your workload. You may also choose VMs with local disk or without, with the FXmdsv2-series and FXmsv2-series, respectively.

You can learn more about the new Azure FXv2-series VMs by visiting the specification pages at FXmdsv2-series, FXmsv2-series and the associated constrained-core sizes.

The new FXv2-series VMs are broadly available in the following Azure regions: Australia East, Canada Central, Central US, East US, East US 2, Germany West Central, Japan East, Korea Central, South Africa North, South Central US, Sweden Central, Switzerland North, West Europe, West US 3. Additional regions will be coming in 2025. To learn more, refer to Product Availability by Region.

Our customers have shared their perspective:

“The new Azure Fxv2 series VMs offer a perfect mix of capabilities for running Oracle databases and RAC clusters. Database workloads benefit from large number of CPU cores, large memory size, high network bandwidth, and fast storage. The Fxv2 have all of the above!
The most notable, however, is the 400,000 IOPS and 11,250 MBPS storage throughput. In a 3-node FlashGrid Cluster running Oracle RAC this means 1,200,000 IOPS and 33,750 MBPS, elevating the database performance to new levels. We expect the Fxv2 series soon to become the #1 choice for FlashGrid customers running high-performance Oracle databases on Azure.” —Art Danielov, CEO, FlashGrid.

“At OMP, we are committed to optimizing our Unison Planning™ solution that drives supply chain excellence. In our partnership with Microsoft, we have always extensively used the FXv1 series. We have recently partnered with Microsoft to preview the FXv2 series and the upgraded hardware has already shown a performance increase of up to 40%. Moreover, the ability to scale up to 96 vCPUs with 1.8TB of memory doubles our per-VM performance, significantly improving capacity management for our solution.” – Michiel De Palmeneire, Platform Manager, OMP.

“The new Azure FXv2-Series Virtual Machines represent a huge step forward for optimizing performance. Through our collaboration, we’ve seen performance gains up to 5X that will deliver transformative impact to customers taking advantage of our premium storage services with Pure Storage Cloud on Azure. Combining Microsoft’s high performance VMs with Pure Storage’s rich feature set accelerates the adoption of mission critical applications in Azure for our mutual customers.” - Cody Hosterman, Senior Director, Cloud Product Management, Pure Storage.

“With the performance results we have achieved on the new FXv2-series, we have confidence in providing our largest Unisys ClearPath MCP System clients a seamless transition to Azure, without needing to modify or migrate any of their code.” - Ken Henry, VP, Unisys Solutions Development, Enterprise Computing Solutions.

Here’s what our technology partners are saying:

“Canonical is pleased to see the significant performance enhancements with Microsoft Azure's new FXv2-series virtual machines.
Ubuntu and Ubuntu Pro are fully compatible with these new instances allowing customers to use a proven and widely-used platform ideal for these compute-intensive workloads. Ubuntu Pro on the new FXv2-series offers comprehensive features for enterprise security, compliance, and operational stability. This enables users to take full advantage of Ubuntu's capabilities and vast software ecosystem on Azure” - Jehudi Sierra-Castro, Public Cloud Alliance Director.

To learn more about the FXv2-series VM pricing, please visit the Azure Virtual Machines pricing. To learn more about remote disk types such as Standard SSD, Standard HDD, Premium SSD (v1), Premium SSD v2 and Ultra Disk storage please refer to Azure managed disk type.

The FXv2-series VMs are precisely engineered for compute-intensive tasks, making them ideal for high-performance data processing, complex operations, and intensive analytics. They deliver exceptional performance and efficiency, providing a versatile solution for a wide range of computing needs. Explore the FXv2-series VMs today and discover how they can enhance your performance and operational efficiency.

Have questions? Please reach us at Azure Support and our experts will be there to help you with your Azure journey.

1.5K Views, 2 likes, 2 Comments

Announcing General Availability of Azure E128 & E192 Sizes in the Esv6 and Edsv6-series VM Families
Authored by Misha Bansal, Product Manager

We’re excited to announce the addition of two new sizes, E128 and E192, in the Azure Esv6 and Edsv6-series Virtual Machine families, powered by the 5th Generation Intel® Xeon® Platinum 8573C (Emerald Rapids) processor. These sizes are generally available with diskful and diskless options in select Azure regions.

These new VM sizes offer up to 192 vCPUs and 1832 GiB of RAM, making them ideal for enterprise-scale applications such as in-memory analytics, large relational databases, and in-memory cache workloads. With Intel® Total Memory Encryption (Intel TME) and NVMe-enabled local and remote storage, these VMs deliver both performance and security at scale.

Key Highlights

- Memory-Optimized Performance: Up to 1832 GiB of RAM for memory intensive workloads.
- Azure Boost: Up to 400K IOPS and 12 GB/s remote storage throughput with 200 Gbps network bandwidth.
- Security First: Intel TME ensures data protection in system memory.
- NVMe Interface: 3X improvement in local storage IOPS for low-latency access.

Specifications of the E128 and E192 Sizes

The new Esv6-series and Edsv6-series virtual machines are built for memory-optimized workloads. Compared to the previous Ev5-series, they deliver up to 30% improved performance and feature an NVMe interface along with increased local and remote storage capacity.

Below is an overview of specifications offered by the E128 and E192 Sizes. Please refer to the Azure Esv6 and Edsv6-Series pages for all sizes and specifications.
| VM Family | Size | vCPU | Memory (GiB) | Local Disk (GiB) | Max Data Disks | Network Gbps |
| --- | --- | --- | --- | --- | --- | --- |
| Esv6-Series | Standard_E128s_v6 | 128 | 1024 | N/A | 64 | 54 |
| Esv6-Series | Standard_E192is_v6 ¹ | 192 | 1832 | N/A | 64 | 200 |
| Edsv6-Series | Standard_E128ds_v6 | 128 | 1024 | 4x1760 | 64 | 54 |
| Edsv6-Series | Standard_E192ids_v6 | 192 | 1832 | 6x1760 | 64 | 200 |

¹ i refers to Azure isolated size VM

Regional Availability

The E128 and E192 VM sizes are broadly available in the following Azure regions: Australia East, Canada Central, Central US, East US, East US 2, Germany West Central, Japan East, Korea Central, South Africa North, South Central US, Sweden Central, Switzerland North, West Europe, West US 3. Additional regions will be coming in 2025. To learn more, refer to Product Availability by Region.

Pricing

To learn more about the Esv6 and Edsv6-Series VM pricing, please visit the Azure Virtual Machines pricing. To learn more about remote disk types such as Standard SSD, Standard HDD, Premium SSD (v1), Premium SSD (v2) and Ultra Disk storage please refer to Azure managed disk type.

Getting Started

The sizes are now available on Azure Portal in select regions. Learn more about the Azure Dsv6, Ddsv6, Dlsv6, Dldsv6, Esv6, and Edsv6 VMs here: Announcing General Availability of Azure Dl/D/E v6 VMs powered by Intel EMR processor & Azure Boost | Microsoft Community Hub

550 Views, 1 like, 0 Comments

Kernel Dump based Online Repair
Introduction

In the ever-evolving landscape of cloud computing, reliability remains paramount. As workloads scale and businesses depend on uninterrupted service, Azure continues to invest in technologies that enhance system resilience and minimize customer impact in cases of failures.

Azure Compute infrastructure operates at an unmatched scale, with certain Availability Zones (AZs) hosting nearly a million Azure Virtual Machines (Azure VMs) that run customer workloads. These Azure VMs depend on a sophisticated ecosystem of physical machines, networking infrastructure, storage systems, and other essential components. When failures occur at any of these layers—whether from hardware malfunctions, kernel issues, or network disruptions—customers may experience service interruptions. To address these challenges, Azure Compute Repair Platform plays a vital role in identifying, diagnosing, and applying mitigation strategies to resolve issues as quickly as possible.

To further improve our ability to diagnose and resolve failures swiftly and accurately, we present a novel approach—a real-time kernel dump analysis technology aimed at identifying the root cause of issues and facilitating precise, data-driven repairs. This is an addition to the gamut of detection and mitigation strategies we already leverage. This capability is generally available in all Azure regions and helps our customers out, including our most critical customers.

Real-Time Failure Diagnosis and Repair

We have developed a novel approach to diagnosing and mitigating failures in Azure Compute infrastructure by understanding the state of the kernel on the Azure Host Machine through real-time collection and analysis of Live Kernel Dumps (LKD). This enables us to pinpoint the exact issue with the kernel and use that insight for precise repair actions, rather than applying a broad set of mitigation strategies.
By reducing trial-and-error repair attempts, we significantly minimize downtime and accelerate issue resolution.

Kernel dumps can help detect critical issues such as kernel panics, memory leaks, and driver failures. Kernel panics occur when the system encounters a fatal error, causing the kernel to stop functioning. Memory leaks, where memory is not properly released, can lead to system instability over time. Driver failures, often caused by faulty or incompatible drivers, can also be identified through kernel dump analysis.

Importantly, it is the Repair Platform that triggers LKD collection and further consumes the LKD analysis to make informed decisions. By incorporating live kernel dump analysis into our mitigation workflows, we enhance Azure’s ability to quickly diagnose, categorize, and resolve infrastructure issues, ultimately reducing system downtime and improving overall performance.

Architecture

How does this system work?

1. Dump Collection: When an issue is detected, the Repair Platform triggers the collection of a Live Kernel Dump (LKD) on the machine hosting the affected Azure VM.
2. Dump Upload: An agent running on the machine monitors a designated storage location for newly generated dumps. When a dump is detected, the agent uploads it from the Azure Host Machine to an online Analysis Service.
3. Failure Classification: The Analysis Service processes the uploaded Live Kernel Dump (LKD), diagnoses the root cause of the failure, and categorizes it accordingly—for example, identifying a networking switch in a hung state.
4. Persistence: The Analysis Service generates a detailed failure message and stores it in an Azure Table for tracking and retrieval.
5. Automated Repair Decisions: The Repair Platform continuously monitors the Azure Table for failure messages. Once a failure is recorded, it retrieves the data and makes an informed repair decision.
Impact

By leveraging this approach, Azure Compute Repair Platform achieves both a better repair strategy and significant downtime savings.

(A) Better Repair Strategy

By precisely identifying failures, the Repair Platform can classify issues accurately and apply the most effective resolution method, minimizing unnecessary disruptions and enhancing long-term infrastructure stability.

For instance, in the case of a VM Switch Hung issue, the Repair Platform attempts to mitigate the problem on the affected Azure Host Machine. However, if unsuccessful, it migrates the customer's workload to a more stable machine and initiates aggressive repairs on the faulty Azure Host Machine. While this restores service, it does not address the underlying cause, leaving the Azure Host Machine vulnerable to repeated VM Switch Hung failures.

With real-time failure classification enabled, the Repair Platform could instead hold a subset of affected Azure Host Machines in a restricted state, preventing new Azure VMs from being assigned to them. This approach allows Azure’s hardware and network partners to run diagnostics, gain deeper insights into the failure, and implement targeted fixes. As a result, Azure has reduced recurring failures, minimized customer impact, and improved overall infrastructure reliability.

While the VM Switch Hung issue serves as an example, this data-driven repair strategy can be extended to various failure scenarios, enabling faster recovery, fewer disruptions, and a more resilient platform.

(B) Downtime Reduction

The longer it takes to resolve an issue, the longer a customer workload may experience interruptions. As a result, downtime reduction is one of the key metrics we prioritize. We significantly reduce time to resolution by providing an early signal that pinpoints the exact issue. This allows the Repair Platform to perform targeted repairs rather than relying on time-consuming, broad mitigation strategies.
Sample scenario: When a customer faces issues stopping or destroying an Azure VM, and the problem is severe enough that all repair attempts fail, the only option may be to migrate the customer's workload to a different Azure Host Machine. Today, this process can take up to 26 minutes before the decision to move the customer workload is reached. However, with this new approach, we are optimizing to detect the failure and surface the issue within 3 minutes, enabling a decision much earlier and reducing customer downtime by 23 minutes—a significant improvement in downtime reduction and customer resolution.

Conclusion

Online kernel dump analysis for machine issue resolution marks a significant advancement in Azure’s commitment to reliability, bringing us closer to a future where failures are not just detected but proactively mitigated in real time. By enabling real-time diagnostics and automated repair strategies, this approach is redefining Compute reliability—drastically reducing mitigation times, enhancing repair accuracy, and ensuring customers experience seamless service continuity.

As we continue refining it, our focus remains on expanding its capabilities, enhancing kernel analysis, reducing analysis time, and strengthening the entire pipeline for greater efficiency and resilience. Stay tuned for further updates as we push the boundaries of intelligent cloud reliability.

2.4K Views, 0 likes, 0 Comments

Announcing General Availability: Ephemeral OS Disk support for v6 Azure VMs
Today, Microsoft is excited to announce the General Availability (GA) of Ephemeral OS Disks with NVMe disk placement for the latest generation of Azure v6 Virtual Machines (VMs), including the Dadsv6, Ddsv6, and related series. This feature brings up to 10X higher OS disk performance compared to Managed OS disks—significantly boosting VM speed and responsiveness for your stateless workloads.

What Are Ephemeral OS Disks?

Ephemeral OS disks are created directly on the local storage of your VM instead of remote Azure Storage. That means no network latency and up to 10X faster disk operations. These disks are non-persistent, making them perfect for scenarios where performance, scalability, and fast reimaging matter more than long-term data retention.

Key benefits:

- Lower read/write latency: OS disk reads/writes happen directly on local NVMe storage.
- Fast Reimage: Reset VMs to their original state in seconds.
- Designed for stateless workloads: Perfect for scale-out scenarios, microservices, and batch processing.
- Supported on all images: Marketplace, custom, and Azure Compute Gallery images.

Now Generally Available on v6 VM Series

With this GA release, you can now use Ephemeral OS Disks with NVMe disk placement on the latest v6 VM series, including:

- Dadsv6
- Ddsv6
- Daldsv6
- Dldsv6
- ...and more

This unlocks the full performance potential of NVMe-based local storage for your OS disks, delivering the lowest possible latency and fastest VM operations.

How to Deploy: Sample Templates and Commands

Below are quick-start examples for deploying a VM with Ephemeral OS Disk using NVMe disk placement.
ARM Template

    {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "adminPassword": {
          "type": "securestring"
        }
      },
      "resources": [
        {
          "type": "Microsoft.Compute/virtualMachines",
          "name": "myVirtualMachine",
          "location": "East US 2",
          "apiVersion": "2024-03-01",
          "properties": {
            "hardwareProfile": {
              "vmSize": "Standard_D2ads_v6"
            },
            "storageProfile": {
              "osDisk": {
                "diffDiskSettings": {
                  "option": "Local",
                  "placement": "NVMeDisk"
                },
                "caching": "ReadOnly",
                "createOption": "FromImage"
              },
              "imageReference": {
                "publisher": "MicrosoftWindowsServer",
                "offer": "WindowsServer",
                "sku": "2016-Datacenter-smalldisk",
                "version": "latest"
              }
            },
            "osProfile": {
              "computerName": "myvirtualmachine",
              "adminUsername": "azureuser",
              "adminPassword": "[parameters('adminPassword')]"
            }
          }
        }
      ]
    }

Azure CLI

    az vm create \
      --resource-group myResourceGroup \
      --name myVM \
      --image imageName \
      --size Standard_D2ads_v6 \
      --ephemeral-os-disk-placement NVMeDisk \
      --ephemeral-os-disk true

PowerShell

    Set-AzVMOSDisk -DiffDiskSetting Local -DiffDiskPlacement NVMeDisk -Caching ReadOnly

Ready to take advantage of Ephemeral OS Disks on your v6 VMs?
- Learn how to deploy Ephemeral OS Disks
- Frequently Asked Questions

We look forward to seeing what you build with this new capability! For feedback or questions, please comment below or reach out via your Microsoft support channels.

General Availability: Custom Metrics for Rolling Upgrades on Virtual Machine Scale Sets
We’re excited to announce the general availability of custom metrics for rolling upgrades on Virtual Machine Scale Sets (VMSS). This feature allows you to use the application health extension to emit custom metrics that guide the upgrade process.

Key benefits
- Control upgrade order: Define the sequence in which VMs are upgraded.
- Skip specific instances: Exclude individual VMs from upgrades without disrupting the rest of the fleet.
- Seamless integration: Works with rolling upgrade policies, automatic OS and extension upgrades, and MaxSurge.

How it works

Phase ordering

A phase is a logical grouping of virtual machines within a Virtual Machine Scale Set (VMSS). Each phase is defined by metadata emitted from the Application Health Extension via the customMetrics property. VMSS uses this metadata to assign virtual machines to their respective phases. Within each phase, VMSS organizes upgrade batches based on the rolling upgrade policy, which considers each VM’s update domain (UD), fault domain (FD), and zone information.

Skip upgrade

Skip upgrade is a feature that allows individual virtual machine instances to be excluded from a rolling upgrade. While similar to instance protection, it integrates more seamlessly into the rolling upgrade workflow and supports instance-level application logic. Like phase ordering, skip upgrade settings are communicated to the Virtual Machine Scale Set (VMSS) through the Application Health Extension using the customMetrics property. When a rolling upgrade is initiated, VMSS checks the custom metrics response. If skipUpgrade is set to true, the instance is omitted from the upgrade process.

Available Now

Custom metrics for rolling upgrades is available in all public Azure regions. Learn more about custom metrics for rolling upgrades on Virtual Machine Scale Sets.

[Preview] Trusted launch Default for new Azure virtual machine, Scale set, compute gallery and disk
Introduction

Today, we are announcing the public preview of the upcoming Trusted Launch as default (TLaD) change, which will affect new deployments of Gen2 Virtual Machines (VMs), Virtual Machine Scale Sets (Scale set), Azure Compute Gallery (ACG) and OS disk resources in Azure. The change will:
- Set security type as “TrustedLaunch” by default for new Gen2 VM & Scale set deployments.
- Set security type as “TrustedLaunchSupported” by default for new Gen2 ACG image definitions.
- Introduce a new disk property named “SupportedSecurityOption”, which inherits the security type value of the image from which the disk is created.

This change is a major step and the result of our ongoing efforts to improve the foundational security of our cloud computing platform. The public preview release allows you to validate these changes in your environment for all new Azure Gen2 VM, Scale set, ACG and Disk deployments, and to prepare for this upcoming change, which will be announced soon.

What is Trusted launch?

Trusted Launch VMs provide you with foundational compute security and a robust shield against modern threats by enabling the following capabilities:
- Secure Boot: Protects the OS against rootkits and bootkits.
- vTPM: Serves as a dedicated secure vault for keys and measurements, enabling attestation by measuring the entire boot chain of your VM.
- Boot Integrity Monitoring: The guest attestation extension enables proactive attestation and monitoring of the boot integrity of your VMs.

Trusted Launch enhances the security posture of a VM through cryptographic verification and ensures the VM boots to a desired secure state, protecting it from attacks that modify operating system processes. This maintains the trust of the guest OS and adds defence-in-depth. It is essential for maintaining compliance with various regulatory requirements, including Azure Security Benchmark, FedRAMP, Cloud Computing SRG (STIG), HIPAA, PCI-DSS, and others.

How do I on-board to preview?
You can enable the preview feature by registering feature flag TrustedLaunchByDefaultPreview under Microsoft.Compute namespace on the given subscription. Refer to Set up preview features in Azure subscription for steps to register the required feature flag.

What does this mean for Azure Users?

After on-boarding to the preview, all new Gen2 VM, Scale set, ACG & Disk deployments using any client tool (ARM template, Bicep, Terraform, etc.) will default to Trusted launch. This change will NOT override inputs provided by you as part of the deployment code.

VM & scale set deployments

Existing Behaviour

To create a Trusted launch VM & Scale set, you need to add the following securityProfile element in the deployment:

    "securityProfile": {
      "securityType": "TrustedLaunch",
      "uefiSettings": {
        "secureBootEnabled": true,
        "vTpmEnabled": true
      }
    }

Absence of the securityProfile element in deployment code will deploy the VM & Scale set without enabling Trusted launch.
- Example ARM template without securityProfile: vm-windows-admincenter – This will deploy a Gen2 VM without enabling Trusted launch.
- Example ARM template with securityProfile: vm-simple-windows – This will deploy a Trusted launch VM (without the default, as securityProfile has been explicitly added to the deployment).

New Behaviour

By using API version 2021-11-01 or higher AND on-boarding to preview, absence of the securityProfile element from the deployment will enable Trusted launch by default on new VM & Scale set deployments if the following conditions are met:
- Source Marketplace OS image supports Trusted launch.
- Source ACG OS image supports and has been validated for Trusted launch. Refer to Azure Compute Gallery deployments for more details on validation.
- Source disk supports Trusted launch. Refer to managed disk deployments for more details.
- VM size supports Trusted launch. Refer to Trusted launch supported VM sizes.
If any of the listed conditions is not met, the deployment will not default to Trusted launch; it will complete successfully and create the new Gen2 VM & Scale set without Trusted launch.

You can choose to explicitly bypass the default for a VM & Scale set deployment by setting Standard as the value of parameter securityType. Refer to Can I disable Trusted Launch for a new VM deployment for more details.

Azure compute gallery (ACG) deployments

Existing Behaviour

To create a Trusted launch supported Gen2 ACG OS image definition, you need to add the following features element in the deployment:

    "features": [
      {
        "name": "SecurityType",
        "value": "TrustedLaunchSupported"
      }
    ],
    "hyperVGeneration": "V2"

Absence of the securityType feature in deployment code will deploy the Azure compute gallery image definition without enabling Trusted launch. Trusted launch security type cannot be enabled for a VM & Scale set resource deployed using an image which is not marked as TrustedLaunchSupported.

New Behaviour

By using API version 2025-03-03 or above for the Microsoft.Compute/galleries resource, absence of the securityType feature from the deployment (i.e., securityType = null or absent) will enable TrustedLaunchSupported by default on new ACG image definitions. Additionally, the platform will trigger validation of the OS image to ensure it supports Trusted launch capabilities. The validation will take a minimum of 1 hour, and results will be available as an image version property:

    "validationsProfile": {
      "executedValidations": [
        {
          "type": "TrustedLaunch",
          "status": "Succeeded",
          "version": "0.0.2",
          "executionTime": "2024-09-30T20:28:38.0129775+00:00"
        }
      ]
    }

Note: Validation of Azure compute gallery images is in preview. You can register for preview at https://aka.ms/ACGTLValidationPreview

Any new VM & Scale set created using image versions which have been validated successfully will default to Trusted launch security type as described in the VM & Scale set section.
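The defaulting rules for VM and Scale set deployments described above can be checked against a template before on-boarding. The following is an added example, not code from the original post or from Microsoft: a Python audit that predicts, per resource, whether Trusted launch would be explicit, defaulted or absent. The sample template, resource names and outcome labels are constructed for illustration, and the image, disk and VM size conditions are not evaluated.

```python
import json
import re

# Resource types covered by the default, with the path to securityProfile.
# For Scale sets the profile is nested under virtualMachineProfile.
PROFILE_PATHS = {
    "microsoft.compute/virtualmachines": ["properties", "securityProfile"],
    "microsoft.compute/virtualmachinescalesets":
        ["properties", "virtualMachineProfile", "securityProfile"],
}
MIN_API = "2021-11-01"  # from the post: default applies at this API version or higher
DATE = re.compile(r"^\d{4}-\d{2}-\d{2}")


def dig(obj, path):
    """Walk nested dicts; return None as soon as a key is missing."""
    for key in path:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def classify(resource, preview_registered):
    """Predict the security type of one VM/Scale set resource, else None."""
    path = PROFILE_PATHS.get(str(resource.get("type", "")).lower())
    if path is None:
        return None
    profile = dig(resource, path)
    sec_type = profile.get("securityType") if isinstance(profile, dict) else None
    if isinstance(sec_type, str) and sec_type.startswith("["):
        return "unresolved"            # template expression, known only at deploy time
    if sec_type == "Standard":
        return "explicit-standard"     # explicit bypass of the default
    if sec_type == "TrustedLaunch":
        uefi = profile.get("uefiSettings")
        uefi = uefi if isinstance(uefi, dict) else {}
        both = uefi.get("secureBootEnabled") is True and uefi.get("vTpmEnabled") is True
        # Secure Boot or vTPM not explicitly true: worth a manual review.
        return "trusted-launch" if both else "trusted-launch-review-uefi"
    if sec_type:
        return "explicit-other"        # a security type this post does not cover
    api = str(resource.get("apiVersion", ""))
    if not DATE.match(api):
        return "unresolved"
    if preview_registered and api[:10] >= MIN_API:
        return "default-trusted-launch"  # still subject to image, disk and size support
    return "no-trusted-launch"


def audit(template_text, preview_registered):
    """Map resource name -> predicted outcome for every VM/Scale set in a template."""
    results = {}
    for res in json.loads(template_text).get("resources", []):
        outcome = classify(res, preview_registered)
        if outcome is not None:
            results[res.get("name", "<unnamed>")] = outcome
    return results


def _vm(name, api, profile=None, kind="virtualMachines"):
    """Build one constructed sample resource."""
    props = {} if profile is None else {"securityProfile": profile}
    if kind == "virtualMachineScaleSets":
        props = {"virtualMachineProfile": props}
    return {"type": "Microsoft.Compute/" + kind, "name": name,
            "apiVersion": api, "properties": props}


# Constructed sample template (not taken from the post).
SAMPLE_TEMPLATE = json.dumps({"resources": [
    _vm("vm-implicit", "2024-03-01"),
    _vm("vmss-old-api", "2021-07-01", kind="virtualMachineScaleSets"),
    _vm("vm-bypass", "2024-03-01",
        {"securityType": "Standard", "uefiSettings": "[null()]"}),
    _vm("vm-tl-nosb", "2024-03-01",
        {"securityType": "TrustedLaunch",
         "uefiSettings": {"secureBootEnabled": False, "vTpmEnabled": True}}),
    _vm("vm-param", "2024-03-01", {"securityType": "[parameters('securityType')]"}),
    {"type": "Microsoft.Storage/storageAccounts", "name": "stg", "apiVersion": "2023-01-01"},
]})

if __name__ == "__main__":
    for name, outcome in audit(SAMPLE_TEMPLATE, preview_registered=True).items():
        print(f"{name}: {outcome}")
```

Resources reported as default-trusted-launch are the ones whose behaviour changes after on-boarding; those reported as unresolved need their parameter values checked by hand.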
You can try out the VM & Scale set default using ACG experience in preview starting June 2025.

You can choose to explicitly bypass the default for new ACG image definitions by setting Standard as the value of parameter securityType under features:

    "features": [
      {
        "name": "SecurityType",
        "value": "Standard"
      }
    ],
    "hyperVGeneration": "V2"

Managed disk deployments

Existing Behaviour

To create a Trusted launch managed disk using a Gen2 OS image as source, you need to add the following securityProfile element in the deployment:

    "securityProfile": {
      "securityType": "TrustedLaunch"
    }

Absence of securityProfile in deployment code will deploy the managed disk without enabling Trusted launch. Trusted launch security type cannot be enabled for a VM resource deployed using a disk without Trusted launch; conversely, you can only deploy a Trusted launch VM using a disk with Trusted launch enabled.

New Behaviour

Trusted launch as default for disks and VMs created using disk attach is currently not available in Preview. Please check back on this blog post in July 2025 for more details on the new behaviour.

Known limitations

Unable to bypass Trusted launch default and create Gen2 (Non-Trusted launch) VM using Azure portal after registering to preview.
After registering a subscription to the preview, setting security type to “Standard” in Azure portal will deploy the VM or Scale set as “Trusted launch”. This limitation will be addressed prior to the upcoming Trusted launch default change. To mitigate this limitation, you can un-register the preview feature by removing feature flag TrustedLaunchByDefaultPreview under Microsoft.Compute namespace on the given subscription. Refer to Un-register preview features in Azure subscription for steps to remove the required feature flag.

Unable to re-size VM or Scale set to un-supported Trusted launch VM size family (like M-Series) post default to Trusted launch.
Re-sizing a Trusted launch VM to a VM size family not supported with Trusted launch will not be supported.
As mitigation, please register feature flag UseStandardSecurityType under Microsoft.Compute namespace AND roll back the VM from Trusted launch to Gen2-only (Non-Trusted launch) by setting securityType = Standard using available client tools (except Azure portal).

What do I need to do?

The goal of the preview is to make the upcoming change in default as seamless for you as possible. Hence, we strongly recommend that you onboard your subscription to the public preview and validate this change with your existing deployments. You can enable the preview feature by registering feature flag TrustedLaunchByDefaultPreview under Microsoft.Compute namespace on the given subscription. Refer to Set up preview features in Azure subscription for steps to register the required feature flag.

Conclusion

We take the security of our cloud computing platform as a priority, and this change is an important step towards ensuring that Azure VMs provide a more secure environment for your applications and services. We encourage you to take the necessary steps to prepare for this change. If you have any feedback, questions or concerns about this upcoming change, please reach out to us at https://aka.ms/TrustedLaunchDefault/Feedback. Our team will actively track your submissions and promptly respond to them.

Frequently asked questions

When is the upcoming change planned?
We are doing our due diligence before scheduling the change. You will receive communication via service notification and blog posts prior to implementation of the change.

Will upcoming change impact all my new VM/Scale set deployments?
The upcoming change will be implemented on a new API version for Microsoft.Compute/virtualMachines & Microsoft.Compute/virtualMachineScaleSets and will only default Gen2 (UEFI) OS image based VM/Scale set deployments to Trusted launch, provided the conditions described earlier in this post are met. It does not apply to VM & Scale set deployments referencing a Gen1 (BIOS) OS image.
How will my existing VMs be affected?
This change will not impact existing Azure VMs or Scale set clusters already running in your environment.

Do I need to update my automation scripts or deployment templates?
You need to update the API versions for the following resource providers to validate the Trusted launch default end to end experience as part of the preview:
- Microsoft.Compute/virtualMachines – API version 2021-11-01 or higher.
- Microsoft.Compute/virtualMachineScaleSets – API version 2021-11-01 or higher.
- Microsoft.Compute/galleries – API version 2025-03-03
- Microsoft.Compute/disks – (API version details will be added in July 2025 to same blog post).

I am currently using VM/Scale set without Trusted Launch and would like to start using Trusted Launch for new deployments.
Please update your deployment to specify “TrustedLaunch” security type. Refer to Deploy a VM with Trusted Launch enabled for more details.

I am already using VM/Scale set with Trusted Launch.
No action is required; your VM/Scale set deployments will continue with the defined Trusted Launch configuration.

I am currently using Gen2 VM/Scale set without Trusted Launch and would like to continue using Non-Trusted Launch configuration after the upcoming change.
Trusted Launch VMs provide you with foundational compute security. We strongly recommend that you don't disable them for new VM or scale set deployments. Please reach out to us at https://aka.ms/TrustedLaunchDefault/Feedback if you still wish to continue without Trusted launch configuration. You can bypass the upcoming Trusted launch default behaviour or change by either:
- continuing to use existing API versions for deployments, OR
- registering feature flag UseStandardSecurityType under Microsoft.Compute namespace during public preview AND updating your deployment code to specify “Standard” security type to maintain the existing behaviour of your Gen2 VM/Scale set, if you need to use the latest API version for deployments.
We recommend updating the deployment code to specify securityType = Standard prior to the upcoming change, to avoid any unintended behaviour after the change.

    "securityProfile": {
      "securityType": "Standard",
      "uefiSettings": "[null()]"
    }

Note:
- You need not bypass the Trusted launch default for Gen1 VM/Scale set deployments, as the Trusted launch default only applies to Gen2 OS image based VM & Scale set deployments.
- The feature flag UseStandardSecurityType is required only during preview. This feature flag will not be required once the upcoming change is generally available.

What could be possible situations where I must bypass Trusted launch defaults for VM/Scale set?
You need to explicitly bypass the Trusted launch default if one of the following scenarios applies to your Gen2 VM/Scale set deployments:
- Gen2 VM is used to generate “TrustedLaunchSupported” or “TrustedLaunchAndConfidentialVMSupported” or “ConfidentialVMSupported” Azure compute gallery images via Azure image builder (AIB) or Packer. OR,
- Gen2 VM is used to create managed images*. OR,
- Gen2 Linux VM requires Hibernation enabled.

*Note: Recommendation is to move from managed images to Azure compute gallery.

My VM/Scale set are deployed using Managed Image and would like to start using Trusted Launch for new deployments.
For the most current technology, you are encouraged to use Azure Compute Gallery. If you have an existing managed image, you can use it as a source and create an Azure Compute Gallery image. For more information, see Create an image definition and image version.

Will Azure Site Recovery (ASR) support be generally available for Trusted launch before this change?
Yes, ASR support will be generally available for Trusted launch Windows & Linux VMs before implementation of Trusted launch as default for Gen2 VM/Scale set deployments.

Do I need to update backup properties for new VMs which will default to Trusted launch?
Starting API version 2025-01-01 for Microsoft.RecoveryServices, Azure Backup supports Trusted Launch VM backup with both Standard & Enhanced Policy, i.e., you need not update the policy name and target policy for backup of new Gen2 VM/Scale set deployments. You need to update the Policy Name and target policy of type Enhanced Policy if updating the API version for Microsoft.RecoveryServices is not feasible.

Does using Trusted launch VMs increase my cost?
Trusted Launch VMs provide you with foundational compute security at no extra cost to VM billing. Trusted launch VM backup may result in higher storage costs because backup for trusted launch VMs using the standard policy uses Managed Disk snapshots for storage instead of Blob snapshots. For more details, refer to our Azure pricing page.

Preview feedback

Please reach out to us with any feedback, queries or concerns regarding this upcoming change at https://aka.ms/TrustedLaunchDefault/Feedback. Our team will actively track your submissions and promptly respond to them.

Announcing Preview of New Azure Dnl/Dn/En v6 VMs powered by Intel 5th Gen processor & Azure Boost
We are thrilled to announce the public preview of Azure's first Network Optimized VMs powered by the latest 5th Gen Intel® Xeon® processor offering unparalleled performance and flexibility. The network optimized VMs will be relevant for workloads such as network virtual appliances, large-scale e-commerce applications, express route, application gateway, central DNS and monitoring servers, firewalls, media processing tasks that involve transferring large amounts of data quickly, and any workloads that require the ability to handle a high number of user connections and data transfers. Network Optimized VMs enhance networking performance by providing hardware acceleration for initial connection setup for certain traffic types, a task previously performed in software. These VMs will have lower end-to-end latency for initially establishing a connection or initial packet flow, as well as allow a VM to scale up the number of connections it manages more quickly. These Intel-based VMs come with three different memory-to-core ratios and offer options with and without local SSD across the VM families: Dnsv6, Dndsv6, Dnlsv6, Dnldsv6, Ensv6 and Endsv6 series. There are 55 VM sizes in total, ranging from 2 to 192 vCPU and up to 1.8TB of memory. The new Network Optimized VMs have higher network bandwidth per vCPU, numbers of vNICs per vCPU and connections per second. 
What’s New

Compared to the current Intel Dl/D/Ev6 VMs, the network optimized VMs have:
- Up to 3x improvement in NW BW/vCPU than the current generation Intel Dl/D/Ev6 VMs
- 2x vNIC allocation on smaller vCPU sizes
- Up to 200 Gbps VM network bandwidth
- Up to 8x CPS connections enhancement across sizes
- Up to 192vCPU and >18GiB of memory
- Azure Boost which enables:
  - Up to 400k IOPS and 12 GB/s remote storage throughput
  - Up to 200 Gbps VM network bandwidth
  - NVMe interface for local and remote disks
- Enhanced security through Total Memory Encryption (TME) technology

Customers are excited about the new Azure Dnl/Dn/Ensv6 VMs

“Palo Alto Networks, the global cybersecurity leader, is working with Microsoft to bring best-in-class Network Virtual Appliance performance capabilities to their customers. As the performance needs of customers on Azure continue to grow, innovations like Network Optimized VMs, Azure Boost, and Microsoft Azure Network Adapter (MANA) technology will help ensure that both our VM Series network virtual appliance and Cloud NGFW, our Azure native firewall service, can scale efficiently and cost-effectively,” said Rich Campagna, SVP Products, Palo Alto Networks. “We look forward to continuing our partnership with Microsoft to bring these innovations to life."

General Purpose Workloads - Dnlsv6, Dnldsv6, Dnsv6, Dndsv6

The new Network Optimized Dnlsv6-series and Dnsv6 series VMs offer a balance of memory to CPU performance with increased scalability of up to 128 vCPUs and 512 GiB of RAM. Below is an overview of the specifications offered by the Dnlsv6-series and Dnsv6 series VMs.
| Series | vCPU | vNIC | Network Bandwidth (Gbps) | CPS | Memory (GiB) | Local Disk (GiB) | Max Data Disks |
|---|---|---|---|---|---|---|---|
| Dnlsv6-series | 2 – 128 | 4 - 15 | 25.0 – 200.0 | 30K – 400K | 4 – 256 | n/a | 8 – 64 |
| Dnldsv6-series | 2 – 128 | 4 - 15 | 25.0 – 200.0 | 30K – 400K | 4 – 256 | 110 – 7,040 | 8 – 64 |
| Dnsv6-series | 2 – 128 | 4 - 15 | 25.0 – 200.0 | 30K – 400K | 8 – 512 | n/a | 8 – 64 |
| Dndsv6-series | 2 – 128 | 4 - 15 | 25.0 – 200.0 | 30K – 400K | 8 – 512 | 110 – 7,040 | 8 – 64 |

Memory Intensive Workloads - Ensv6 and Endsv6

The new Network Optimized Ensv6-series and Endsv6-series virtual machines are ideal for memory-intensive workloads offering up to 192vCPU and 1.8 TiB of RAM. Below is an overview of specifications offered by the Ensv6-series and Endsv6-series VMs.

| Series | vCPU | vNIC | Network Bandwidth (Gbps) | CPS | Memory (GiB) | Local Disk (GiB) | Max Data Disks |
|---|---|---|---|---|---|---|---|
| Ensv6-series | 2 – 128 | 4 - 15 | 25.0 – 200.0 | 30K – 400K | 16 – >1800 | n/a | 8 – 64 |
| Endsv6-series | 2 – 192 | 4 - 15 | 25.0 – 200.0 | 30K – 400K | 16 – >1800 | 110 – 10,560 | 8 – 64 |

The Dnlv6, Dnv6, and Env6-series Azure Virtual Machines will offer options with and without local disk storage. These VMs are also compatible with remote persistent disk options including Premium SSD, Premium SSD v2, and Ultra Disk.

Join the Preview

Dnlv6, Dnv6, and Env6 series VMs are now available for preview in US East. VMs above 96 vCPUs and the VM series with local disk will be supported later in the preview. To request access to the preview, please fill out the survey form here. We look forward to hearing from you.