Hello Folks!
Welcome Back to AZ Update
A few years ago, Antony Bartolo and I launched a simple idea called AZ Update.
The goal was to provide a place where IT professionals could quickly understand what was changing in Azure, why it mattered, and what they should pay attention to next. The show became a weekly conversation focused on Azure news, infrastructure, operations, security, and the real-world impact of Microsoft's latest cloud updates.
Today, Azure is moving faster than ever.
Every week brings new services, platform capabilities, operational improvements, AI innovations, and architectural guidance. Keeping up is a full-time job. Most of us don't have time to read every blog post, release note, announcement, and documentation update.
That's why I'm bringing AZ Update back.
This time, as a weekly LinkedIn newsletter and this blog. To be completely transparent I am using an AI Agent to parse the update list for any in the last 7 days, filter for Infra/Ops content and research product docs and help with the draft. I do review content and write the post myself.
Each edition will cut through the noise and focus on what matters most for cloud architects, platform engineers, infrastructure teams, SREs, security professionals, and IT operators. I'll share the Azure announcements worth your attention, explain why they're important, highlight practical implications, and point you to the resources that can help you go deeper.
Just a concise weekly briefing from one ITPro to another.
If your day-to-day involves building, operating, securing, or modernizing infrastructure in Azure, Azure Arc, AKS, hybrid environments, or the growing world of AI-powered operations, this newsletter is for you.
Welcome to the next chapter of AZ Update.
Here is week 1!
This week’s Azure infrastructure updates bring practical operational gains for security, platform reliability, disaster recovery, and identity-driven access control. Here is a detailed ITPro breakdown with implementation guidance you can use in production planning.
- Update #1 - Generally Available: Network Security Perimeter support for Azure Event Hubs
- Update #2 - Generally Available: Confidential Computing support for Azure Event Hubs Dedicated
- Update #3 - Generally Available: Support 5x churn in Azure Site Recovery
- Update #4 - Generally Available: Microsoft Entra ID-based access for Azure Blob Storage SFTP
Update #1 - Generally Available: Network Security Perimeter support for Azure Event Hubs
Why ITPros should care
Network Security Perimeter for Event Hubs changes how ITPros enforce connectivity boundaries around mission-critical event pipelines. Instead of depending only on isolated firewall rules per namespace, you can apply perimeter-aware controls that are easier to govern consistently across multiple services.
From an operations perspective, this is a service-level hardening improvement. It helps reduce accidental exposure and supports better audit conversations when security teams ask for clear evidence of allowed and denied paths.
Operational value
The operational value is stronger day-two control. You can standardise network access policy patterns for producer and consumer applications, reduce policy drift, and simplify incident investigations when unexpected traffic appears.
For production rollout, validate all dependencies first: private endpoints, DNS resolution, trusted service exceptions, managed identities, and cross-subscription network paths.
Real-world example with step-by-step guidance
- Inventory current producer and consumer traffic flows, including private endpoints, DNS zones, and any trusted service allowances.
- Deploy a pilot Event Hubs namespace with perimeter controls in non-production and mirror realistic ingestion and consumption traffic.
- Apply least-privilege inbound and outbound perimeter rules, then execute end-to-end send/receive tests with representative message volume.
- Review diagnostic logs for denies, refine exceptions only where business-justified, and capture evidence for change management.
- Promote to production in stages with a rollback plan that restores previous network policy if message flow health degrades.
Technical details including code examples
Use the following sequence when validating that perimeter onboarding did not break data plane operations. The first command confirms your active Azure context, the second verifies endpoint reachability, and the third validates Event Hub metadata retrieval.
Run this safely in a test window before production enforcement. If connectivity and control-plane checks pass in test, repeat with production namespace read-only checks before enabling stricter policies.
az account show --output table
Test-NetConnection <namespace>.servicebus.windows.net -Port 5671
az eventhubs eventhub show --resource-group <rg> --namespace-name <namespace> --name <eventhub> --output table
Expected outcome: TCP probe to port 5671 succeeds, and Event Hub metadata query returns without auth or network timeout errors. If probe fails, check DNS, NSGs, route tables, private endpoint linkage, and perimeter rule assignment scope.
Comprehensive Resources
Update #2 - Generally Available: Confidential Computing support for Azure Event Hubs Dedicated
Why ITPros should care
Confidential Computing support for Event Hubs Dedicated matters when ITPros operate regulated or high-sensitivity event streams. It extends protection expectations beyond encryption at rest and in transit, into stronger assurances during processing.
Compared with older architectures, this reduces the need for some compensating controls and helps security and operations teams align on platform-native protections for streaming workloads.
Operational value
Operationally, this strengthens trust boundaries for event ingestion platforms that feed analytics, SIEM, and business-critical automation. It also improves evidence posture for compliance reviews where data handling controls must be demonstrated end to end.
Before rollout, validate throughput impact, partition behaviour, client compatibility, and observability baselines so confidentiality controls do not create unexpected SLO regressions.
Real-world example with step-by-step guidance
- Classify Event Hubs namespaces by sensitivity and select the first dedicated environment where enhanced confidentiality requirements apply.
- Enable and validate in non-production with representative producer and consumer load, including peak and burst patterns.
- Measure latency, throughput, and throttling trends before and after enablement to confirm workload behaviour remains acceptable.
- Capture attestation and configuration evidence required by internal security governance or external auditors.
- Roll out in waves by workload criticality, with rollback criteria tied to message latency, error rates, and throttling thresholds.
Technical details including code examples
This validation example confirms namespace details and metrics health so you can compare baseline vs post-change behaviour. The metrics query focuses on ingestion, egress, and throttling signals that commonly surface operational risk first.
Run with a least-privileged operations identity that can read namespace configuration and metrics. Avoid making unrelated changes while collecting baseline evidence.
az eventhubs namespace show --resource-group <rg> --name <namespace> --output jsonc
az monitor metrics list --resource /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.EventHub/namespaces/<namespace> --metric IncomingMessages OutgoingMessages ThrottledRequests --interval PT5M
az account show --query user.name -o tsv
Expected outcome: namespace query succeeds, metrics return consistently, and no abnormal throttling spike appears after control changes. If results diverge, review dedicated capacity planning, partition strategy, RBAC scope, and workload profile fidelity.
Comprehensive Resources
Update #3 - Generally Available: Support 5x churn in Azure Site Recovery
Why ITPros should care
Higher churn support in Azure Site Recovery is directly relevant for ITPros protecting write-intensive systems. It expands what can be replicated reliably, reducing DR exceptions for fast-changing workloads.
Compared with the previous operational envelope, this gives more room for modern transactional applications while still requiring disciplined capacity and replication health management.
Operational value
Operational value is improved DR coverage and better alignment between production write behaviour and recovery plans. Teams can protect more workloads without bespoke workaround architecture.
For production rollout, validate process server sizing, bandwidth headroom, cache storage performance, and sustained replication lag during peak change windows.
Real-world example with step-by-step guidance
- Baseline current churn and replication lag for candidate workloads to identify which systems benefit most from the increased support.
- Enable replication in a pilot for one high-churn workload and observe initial seeding and steady-state health.
- Run test failover and reprotect to verify recovery objectives and operational runbook completeness.
- Tune bandwidth and cache settings if lag increases during peak write intervals or backup overlap windows.
- Onboard additional workloads incrementally and use replication health gates before each expansion wave.
Technical details including code examples
These commands are relevant for validating actual recovery readiness instead of configuration-only status. They expose protected item health and support controlled failover rehearsal.
Use a non-production network for test failover and document outputs so operations and business continuity stakeholders share the same readiness evidence.
az site-recovery fabric list --resource-group <rg> --vault-name <vault> -o table
az site-recovery protected-item list --resource-group <rg> --vault-name <vault> --fabric-name <fabric> --protection-container <container> -o table
az site-recovery recovery-plan test-failover --resource-group <rg> --vault-name <vault> --name <recoveryPlan> --network-id <testNetworkId>
Expected outcome: protected items remain healthy, lag remains within target, and test failover completes without consistency errors. If failures occur, inspect connectivity, process server capacity, cache throughput, and policy mappings.
Comprehensive Resources
Update #4 - Generally Available: Microsoft Entra ID-based access for Azure Blob Storage SFTP
Why ITPros should care
This launch modernises SFTP access for Azure Blob Storage by bringing identity control closer to Microsoft Entra. ITPros gain stronger governance options than local-account-only models for many enterprise scenarios.
Operationally, the key change is identity lifecycle alignment: provisioning, review, and revocation can be managed with central identity processes instead of fragmented local credentials.
Operational value
The value is reduced credential sprawl, better auditability, and clearer access accountability across teams and external partners exchanging files over SFTP.
Before production, validate client compatibility, RBAC scope, network restrictions, access review cadence, and emergency break-glass procedures.
Real-world example with step-by-step guidance
- Confirm SFTP is enabled on the storage account and validate networking model (public endpoint restrictions or private access path) matches policy.
- Assign Entra-based permissions with least privilege and validate scope at storage account and container boundaries.
- Test SFTP authentication and file operations using approved clients while collecting diagnostic logs for audit evidence.
- Validate joiner-mover-leaver scenarios by changing membership and role assignments, then confirming access updates propagate correctly.
- Roll out in stages by partner or workload segment with clear support ownership and incident response runbooks.
Technical details including code examples
This sequence verifies account capability and role assignment posture before user acceptance testing. It is useful for catching scope mistakes that often cause authentication-success/data-access-failure patterns.
Run safely by using a dedicated test identity and non-production storage account first; then repeat read-only validation in production before broad enablement.
az storage account show --name <storageAccount> --resource-group <rg> --query "{name:name,isSftpEnabled:isSftpEnabled,allowBlobPublicAccess:allowBlobPublicAccess}" -o jsonc
az role assignment list --assignee <principalObjectId> --scope /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<storageAccount> -o table
az account show --query user.name -o tsv
Expected outcome: SFTP capability is enabled, expected role assignments are present, and test identity can perform allowed operations only. If sign-in works but file actions fail, inspect RBAC propagation delay, ACL/permission scope, and storage network restrictions.
Comprehensive Resources
If you are planning adoption, start with one workload per update area, collect operational evidence, and standardise the validated pattern in your runbooks and IaC modules. That approach keeps change safe while accelerating delivery.
Cheers!
Pierre