Microsoft Corporation

11/07/2024 | Press release | Distributed by Public on 11/07/2024 11:38

Unlocking the future: Azure networking updates on security, reliability, availability

Our latest enhancements strengthen core network capabilities for mission-critical applications running in the cloud.

In an era defined by the transformative power of AI, industries are reimagining the possibilities of predictive analytics, automation, and real-time decision-making. AI is now ubiquitous, reshaping sectors from retail and finance to healthcare and biotechnology. While new applications harness AI's potential, it's the evolution of existing applications through generative AI methodologies that drives exponential progress. With applications migrating to the cloud at an increasing pace, cloud platforms serve as the critical backbone of this transformation, connecting users to applications, applications to AI models, and models to the data and computational resources they need.

Microsoft Azure's networking services uniquely empower businesses to capitalize on this digital evolution. Our latest enhancements strengthen core network capabilities: reinforcing security, performance, and reliability for mission-critical applications running in the cloud.

We are excited to share with you our latest announcements and advancements that strengthen the core network services in Azure across our pillars of security, reliability, scale, and workload productivity.

Fortifying network security

In an era where cyber threats are more sophisticated and pervasive than ever, traditional security practices are no longer sufficient to protect critical assets and data. Zero Trust Network Security is not just a concept; it's an imperative, built around the principle that systems should be "Secure by Default".

Bastion by default

As part of our mission to provide a "secure by default" platform for our customers, I am excited to highlight a recent announcement of ours, the general availability of the Bastion Developer SKU. The Bastion service is used by a multitude of customers in Azure to enable remote desktop (RDP) and secure shell (SSH) access to their virtual machines (VMs) without exposing them publicly to the Internet. This was made possible by a fully managed and dedicated Bastion server running inside the virtual network. Now, with the Bastion Developer SKU, we are offering a "no cost" solution that allows users to establish a secure one-click connection to a single VM at a time without exposing public IPs on the VMs. Bastion Developer SKU uses a shared pool of resources managed internally by Microsoft for secure VM connectivity. Users can directly access their VMs through the connect experience on the VM blade in the Azure portal, with support for RDP/SSH, and SSH-only for CLI sessions. Bastion Developer is ideal for users seeking secure VM connections without the need for additional features, configuration, or scaling, at no additional cost.

Virtual network encryption

With the rapid growth of data-sensitive industries like finance, healthcare, and government, there is a critical need for uncompromising network security to protect sensitive information and ensure regulatory compliance. Azure's virtual network encryption addresses this need by providing an efficient solution for encrypting communications between VMs within a virtual network. Now generally available across all public Azure regions, this feature represents a significant advancement in secure network design, enabling organizations to safeguard data in transit between VMs without sacrificing performance or agility.

Virtual network encryption uses the field programmable gate arrays (FPGAs) in the host to encrypt the data, which allows the process to be handled with high efficiency. By offloading encryption to FPGAs, Azure combines strong security with high-speed processing, ensuring that encrypted data flows smoothly across the network while minimizing the impact on overall system performance.

DNSSEC

Along similar lines, today we are happy to announce the public preview of DNSSEC support in Azure. With this, customers can turn on DNSSEC for their Domain Name System (DNS) configuration with a simple opt-in from the portal and the API. DNSSEC is a critical security feature that helps mitigate issues such as cache poisoning and man-in-the-middle attacks, thereby significantly enhancing security for our customers. DNSSEC ensures the integrity and authenticity of DNS responses, providing an additional layer of protection against cyber threats. Moreover, several countries now require the use of DNSSEC, making it an essential update for compliance. With DNSSEC, Azure DNS continues to deliver robust and secure DNS solutions, empowering businesses to operate with confidence in a safer digital environment.

Pushing the boundaries on resiliency and reliability

We are equally committed to providing a world-class resilient and reliable network infrastructure to support customers' mission-critical workloads. In this regard, I want to highlight several recent enhancements in the platform that bolster this commitment.

ExpressRoute: Enhancing resiliency and high availability

In today's cloud-centric world, ensuring resilient and reliable connectivity is essential, particularly for organizations with mission-critical applications. Azure ExpressRoute offers private, high-throughput connections between on-premises environments and Azure, bypassing public internet traffic to deliver lower latency and consistent performance.

To further strengthen reliability, we're excited to announce ExpressRoute Metro SKU, now generally available. The Metro SKU offers redundancy across multiple edge sites within the same city, guarding against disruptions at any single location. This multi-site design allows organizations to build highly available network architectures that remain operational even during unexpected outages at one edge site.

For those needing additional failover protection, maximum resiliency with ExpressRoute provides dual redundant paths to each edge site, effectively establishing four independent paths to Azure. This feature is invaluable for sectors like finance, healthcare, and e-commerce, where consistent connectivity is critical for compliance and business continuity.

Additionally, to simplify implementation, Azure now offers a guided configuration experience for multi-site ExpressRoute. This new feature in the Azure portal provides users with a dynamic topology map and recommendations for optimal site configuration, empowering teams to make informed decisions for resilient network deployments.

Azure Load Balancer: Improved manageability

Azure Load Balancer, one of the foundational services in the networking portfolio, is a cloud-native, high-performance network load balancer that is commonly used in customer deployments. While we continue to improve its usability, applicability, and scale to meet evolving customer requirements, a few new announcements in this space will significantly improve the manageability of Load Balancer.

Admin state

The new "Admin State" functionality of Load Balancer allows customers to mark a backend instance healthy or unhealthy to influence the traffic directed to the instance. The health status of a load balancer backend is typically determined by health probes. However, customers do need to explicitly override the health status to take a VM instance out of rotation for maintenance, upgrades, or security patching, or for other operational reasons. Instead of implementing health probe response logic or Network Security Group (NSG) rule blocks, customers can simply mark the instance as unhealthy through an API call or a single click in the portal, and bring it back the same way. We are also enhancing the observability of backend health through our new and improved "Load Balancer Health Status", which provides deep insights into backend instance health, covering both user- and platform-triggered reason codes.

Admin state and Load Balancer health status are both now generally available in all public cloud regions, Azure China cloud regions, and Azure Government cloud regions.

Cross-subscription support

Customers' estate in Azure is usually spread across multiple subscriptions and virtual networks, and is often managed by different personnel and departments. Customers find it restrictive to build an application topology using only resources in a single subscription, especially when using basic primitives like load balancers. To address this, Azure Load Balancer is announcing general availability of cross-subscription usage between the front-end public IP address, the load balancer resource, and the backend instances. Such cross-subscription usage allows for better use of resources and avoids duplication.

Managing operations at scale

As organizations scale their cloud environments to accommodate growth, they require network solutions that not only expand capacity but also ensure efficient, reliable, and secure connectivity. Azure's recent advancements in Virtual Network management respond to this need by providing robust tools for IP scalability, efficient address management, and advanced network verification.

Virtual network IP addresses

A virtual network today supports 65,000 routable IP addresses that can be assigned to virtual machines, virtual machine scale set instances, and pods in an AKS cluster. While this limit is more than sufficient for most customers in Azure, some of our cloud-native customers do require higher scale to keep up with sudden demand and frequent scale-out and scale-in operations. To address this, Azure is excited to announce support for "1 million routable IP Addresses" in a virtual network, in preview, via the "IP Prefix on the Network Interface Card" (NIC) feature. This allows an additional /28 prefix to be added to the NIC along with the primary /32 IP address. This increases the usable IP space in a NIC by 16 times.

Virtual network IP address manager

The more IP addresses there are to use and manage in Azure, the greater the need for an IP address management system. We are happy to announce the public preview (and soon general availability) of the IP Address Management (IPAM) solution in Azure Virtual Network Manager in all public cloud regions. IPAM allows organizations to centrally manage their IP address pool, making it easier to plan and allocate address blocks, avoid overlaps, and monitor usage. Customers can also use automatic IP address allocation when new virtual networks are created, to ensure uniqueness and reduce waste. IPAM also helps with tracking IP allocations outside Azure, making it an all-encompassing solution. IPAM supports both IPv4 and IPv6 address prefixes.

Virtual network verifier

The more customers scale their environments in Azure, the harder it becomes to debug and troubleshoot network connectivity issues. Azure Network Monitoring and Network Watcher help with real-time diagnostics and troubleshooting tools. Azure Virtual Network Manager's virtual network verifier, which is available in preview in all public cloud regions today, adds another layer of functionality by providing a static analysis of packet flow based on configuration and control plane changes. Customers can validate their packet flows even before they deploy the configuration changes, reducing the possibility of connection interruptions and packet loss.

Advancements in new horizons

In the rapidly evolving world of cloud-native applications, managing complex container-based architectures with confidence requires robust networking capabilities that ensure security, performance, and seamless scalability. Azure's Advanced Container Networking Services is a major leap forward, providing foundational support and new capabilities for developers deploying microservices and Kubernetes applications in the cloud.

Advanced Container Networking Services

Azure provides foundational network capabilities such as Azure Virtual Network and Azure CNI for IP address management, routing, and network policy enforcement. Network virtual functions like load balancing, Azure Firewall for container apps, and Application Gateway for Containers are also provided to help run microservices and Kubernetes applications in Azure. On this continuing journey, we are excited to announce the general availability of Advanced Container Networking Services, which provides deep insights into network traffic and application performance, helping you confidently manage and scale your infrastructure. Using the performance and security enforcement capabilities of Azure CNI powered by Cilium, Advanced Container Networking Services provides resilient and highly granular network policy and security management capabilities. Extending beyond Cilium with Retina, Advanced Container Networking Services uses Hubble to provide actionable insights and enable precise detection and resolution of Kubernetes network issues. Key features include:

  • Deep observability into K8s network traffic and application performance for faster debugging, shorter incident resolution times, and OpEx savings.
    • K8s Pod-level metrics such as usage and dropped packets.
    • Transmission Control Protocol (TCP) and DNS errors and metrics.
    • End-to-end flow logs.
    • Application service connectivity maps.
  • Simplified security with DNS filtering policies to protect container workloads while improving DNS availability.

Looking forward

As we continue to push the boundaries of networking technology, we're fully committed to addressing the new challenges and opportunities presented by the AI-driven future. Our team is dedicated to creating innovative, resilient, and secure solutions that empower businesses to leverage AI and the cloud to their fullest potential. Our latest updates in security, reliability, and scalability are designed to help organizations manage their applications with greater confidence and efficiency. We recognize that your feedback is vital to our ongoing development, and we encourage you to share your thoughts and experiences with us. Join us at our Ignite session (Unveiling the latest in Azure Networking for a secure, connected cloud) to explore these capabilities in detail and share your feedback as we work together to unlock the future.