This week in Azure
A wide-ranging update from John this week, with most of the action on storage, monitoring, and PostgreSQL. ANF picked up two big features (user/group quota reports and ML-based ransomware protection), Azure Monitor Pipelines went GA as a gateway-style ingestion path, and PostgreSQL Flexible Server got Premium SSD v2 along with a path off VNet injection toward private endpoints.
On the AI side, Claude Opus 4.7, GPT-5.5, and GPT-Image-2 all landed in Foundry. John also addressed some of the noise around the Mythos preview directly — worth listening to that section if you’ve seen the FUD floating around recently.
A note on Mythos preview
John spent a few minutes on something he doesn’t usually do: pushing back on competitor messaging around Anthropic’s Mythos preview model. The short version: Mythos is a deep-reasoning model that turns out to be very good at finding software vulnerabilities. Anthropic created Project Glasswing, a coordinated effort with around 40 organizations (Microsoft, Google, AWS, Linux Foundation, Cisco, and others) to use the model to find and fix issues before broader release.
Mythos preview is available in Microsoft Foundry, Google, and AWS — but only to the customers inside Project Glasswing. Anthropic controls access. No hyperscaler has an exclusive on it, and Anthropic doesn’t even plan to release this specific model publicly. Future Mythos-class models will be different artifacts. If you’ve seen “use us instead” pitches built on Mythos availability, that’s not a real differentiator.
AKS Ubuntu 22.04 node image retirement
Ubuntu 22.04 is being retired as an AKS node image at the end of June 2027. You’ll need to migrate to a newer node image before that date. Azure Linux is one option, or you can move to a newer Ubuntu version when it’s available in your region. Either way, plan the migration into a maintenance window and validate your workloads on the new base image.
AKS backup via Azure CLI (GA)
Azure Backup for AKS is now configurable through a single Azure CLI command. The CLI installs the required cluster extensions, sets up the backup vault and policies, and configures the trust relationships needed for the backup to actually work.
Before:
  Manual extension install
  Configure backup vault separately
  Set up trust manually
  Multiple steps, easy to misconfigure

After:
  az aks backup ──→ Extensions installed ──→ Backup resources configured ──→ Trusts established ──→ Done

If you’ve been putting off enabling AKS backup because the setup felt fiddly, this collapses it into a one-liner. The actual backup capability covers cluster resources and persistent volumes.
Azure Functions v3 on Linux Consumption retirement
The v3 runtime on Linux Consumption is being disabled at the end of September 2026. The runtime itself was retired some years back; this is the final removal of the legacy infrastructure that was still keeping it alive. Workloads need to move to v4 to keep functioning.
There’s a bigger picture here too: Linux Consumption itself is being retired in September 2028. If you’re still on it, look at moving to Flex Consumption rather than just upgrading your runtime version. Flex Consumption has a richer feature set and is where the investment is going.
Azure NetApp Files user and group quota reports (GA)
ANF has supported user and group quotas on NFS, SMB, and dual-protocol volumes for a while. What was missing was visibility into how those quotas were actually being used. The new quota reports show the configured limits, capacity used, and percentage utilization for each user or group covered by your quota rules.
Reports are visible in the portal and downloadable. If you’ve been guessing at which users are close to their limits, that’s no longer necessary.
Azure NetApp Files ransomware protection (GA)
ANF now has built-in ransomware detection. The capability uses machine learning across signals like file extension profiling, file entropy (a measure of randomness that spikes when files get encrypted), and IOPS patterns to flag suspicious behavior.
ANF Ransomware Protection:

Signals monitored:
├── File extension profiling
├── File entropy (encryption indicator)
└── IOPS patterns

When suspicious activity detected:
├── Point-in-time snapshot created
└── Alert raised in Azure Activity Log

When something looks wrong, ANF takes a point-in-time snapshot you can recover from and writes an alert to the Azure Activity Log. There’s no charge to enable the feature, but it does consume resources, so the guidance is to raise quality-of-service settings to absorb the overhead. Don’t enable it on more than 10 volumes per subscription without engaging Azure support first.
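An added illustration of the file-entropy signal described above (not ANF's detection code and not from the original video); the thresholds, function names, and sample data are assumptions constructed for the example. It also shows why entropy is combined with other signals: a benign compressed file scores as high as an encrypted one.

```python
import hashlib
import math
import zlib
from collections import Counter

ENTROPY_THRESHOLD = 7.0  # bits/byte; assumed cut-off for this sketch, not an ANF value
MIN_JUMP = 2.0           # assumed minimum rise between two versions of a file

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def pseudo_ciphertext(length: int) -> bytes:
    """Constructed stand-in for an encrypted file: SHA-256 in counter mode."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(b"constructed-sample" + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:length])

def entropy_signal(before: bytes, after: bytes) -> dict:
    """Flag a write that turns low-entropy content into near-random content."""
    e_before, e_after = shannon_entropy(before), shannon_entropy(after)
    flagged = e_after >= ENTROPY_THRESHOLD and e_after - e_before >= MIN_JUMP
    return {"before": round(e_before, 2), "after": round(e_after, 2), "flagged": flagged}

# Constructed sample: a CSV-like export, then three later versions of it.
PLAINTEXT = b"".join(
    b"invoice %04d;ref %s;amount %d.00 EUR\n"
    % (i, hashlib.sha256(b"%d" % i).hexdigest()[:16].encode(), i * 3)
    for i in range(400)
)
EDITED = PLAINTEXT.replace(b"EUR", b"USD")     # ordinary edit, entropy barely moves
ENCRYPTED = pseudo_ciphertext(len(PLAINTEXT))  # file overwritten with ciphertext
COMPRESSED = zlib.compress(PLAINTEXT, 9)       # benign, but also near-random

if __name__ == "__main__":
    for name, version in [("edited", EDITED), ("encrypted", ENCRYPTED),
                          ("compressed", COMPRESSED)]:
        print(name, entropy_signal(PLAINTEXT, version))
```

The compressed version being flagged is the false positive that extension profiling and IOPS patterns help rule out.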
Azure Elastic SAN capacity autoscaling (GA)
Azure Elastic SAN now scales its capacity automatically based on observed usage. You configure the scaling increments, and the SAN expands itself as needed. This avoids overprovisioning to handle peak demand and removes the manual operations work that used to come with growing storage.
If you’re using Elastic SAN as the backing store for Azure Container Storage or for direct iSCSI connections from VMs, this is a quiet but useful operational improvement.
Azure Monitor Agent native OTLP ingestion (preview)
Last week, Azure Monitor picked up OpenTelemetry support on the AKS side. This week, the same capability lands on Azure Monitor Agent. VMs, VM Scale Sets, and Arc-enabled servers can now ingest OpenTelemetry data over the OTLP protocol natively, without needing a separate collector.
Sources            Agent             Destination
───────            ─────             ───────────
Azure VM ─────┐
VM Scale Set ─┼──→ AMA (OTLP) ────→ Azure Monitor
Arc server ───┘                      ├── Traces
                                     ├── Metrics
                                     └── Logs

If you’re already standardizing on OpenTelemetry instrumentation in your apps, this gives you a vendor-neutral pipeline into Azure Monitor without sidecars or extra moving parts.
Azure Monitor for Arc-enabled Kubernetes and OpenShift (GA)
Azure Monitor now offers a unified onboarding experience for Container Insights, Managed Prometheus, and Managed Grafana on Arc-enabled Kubernetes — including Azure Red Hat OpenShift. As long as your cluster is Arc-enabled, you can light up the full Azure Monitor stack for it without per-service setup.
This matters most for hybrid deployments. If you’re running Kubernetes outside Azure but want one monitoring story across all your clusters, this closes the gap.
App Insights API key retirement extended
If you’re still using legacy API keys to query Application Insights, the retirement deadline has been pushed to the end of September 2026. After that date, you must be using Entra-integrated authentication or you won’t be able to query your App Insights resource.
The extra runway is welcome, but don’t sit on it. API key migrations always take longer than expected once you start finding all the places those keys are embedded.
Azure Monitor Pipelines (GA)
Azure Monitor Pipelines provides an ingestion point that runs close to the source — at an edge location, in another cloud, or on-premises. It buffers, filters, transforms, and aggregates telemetry before routing it to Azure Monitor.
Edge / Other Cloud / On-prem
        │
        ▼
Azure Monitor Pipeline (gateway)
├── Buffer (smooth network issues)
├── Filter (drop noise)
├── Transform (reshape data)
└── Aggregate (reduce volume)
        │
        ▼
Azure Monitor (only what you want)

The deployment model is gateway-based rather than agent-based: you deploy the workload onto an Arc-enabled Kubernetes cluster (any CNCF-compatible distribution works once it’s Arc-enabled). Compared to running an agent on every source, you get one gateway processing many streams.
Two practical wins: buffering protects you from transient network issues without losing data, and filtering plus aggregation cuts ingestion costs by only sending what you actually want to keep. It supports OpenTelemetry and syslog out of the box.
Cosmos DB Dynamic Data Masking
Cosmos DB now supports server-side dynamic data masking. You define a data mask policy plus custom roles, and Cosmos DB transforms the data on the way out for non-privileged users without changing the underlying records.
Stored data:
  email: alice@example.com
  ssn: 123-45-6789
  active: true

Privileged user sees:
  email: alice@example.com
  ssn: 123-45-6789
  active: true

Non-privileged user sees:
  email: a***@e***.com
  ssn: XXX-XX-XXXX
  active: false

Masking options include replacing text with xxx, numbers with 0, booleans with false, or showing a portion of a string (like the first character of an email and the domain). One important limitation: this only works with Entra-integrated authentication. Account keys bypass the mask entirely.
PostgreSQL Flexible Server: Premium SSD v2 (GA)
Premium SSD v2 is now generally available for Azure Database for PostgreSQL Flexible Server. The headline feature of Premium SSD v2 is that IOPS, throughput, and capacity are configured independently — so you stop paying for capacity you don’t need just to get the IOPS you do need.
Real numbers: up to 4x the IOPS of the previous generation, sub-second latency, and better price-performance for high-IO workloads. If your database is IO-bound today, this is the disk tier to evaluate.
PostgreSQL Flexible: VNet integration to private endpoint migration (preview)
If you deployed PostgreSQL Flexible Server with VNet injection because you needed private connectivity, you can now migrate to private endpoints in place. VNet injection comes with delegated subnets and a bunch of operational baggage; private endpoints are simpler to manage and give you the same private connectivity story.
There is downtime during the migration, but you don’t have to recreate the database to make the switch. Plan the change for a maintenance window and you’re done.
PostgreSQL Flexible: logical replication status (preview)
A new metric exposes the state of logical replication: up-to-date, catching up, or unknown. This is the kind of signal you want when you’re using logical replication for migrations or for keeping a downstream system in sync, since it tells you whether your replica is actually keeping up with writes.
Microsoft Fabric: enhanced PostgreSQL mirroring (GA)
Fabric’s PostgreSQL mirroring into OneLake now supports JSON and JSONB column types, plus other commonly used types that were missing before. JSONB is the decomposed binary format that PostgreSQL uses for faster operations on JSON data, so being able to mirror it preserves the performance characteristics on the OneLake side.
The setup and ongoing operations have also been simplified. If you’ve been keeping data out of Fabric because the schema didn’t fit, that constraint just got smaller.
PostgreSQL Flexible Server in Denmark East
Region expansion: PostgreSQL Flexible Server is now available in Denmark East. Useful if you have data residency requirements in the Nordic region.
Azure Arc: SQL Server on Azure VM as a migration target
Arc-enabled SQL Server instances can now be migrated to SQL Server running on an Azure VM as a supported destination. If you’ve been Arc-enabling on-premises SQL instances and want to lift them into Azure without changing the deployment shape (i.e., still running on a VM rather than moving to Azure SQL), this is now a first-class path.
Claude Opus 4.7
Anthropic’s Claude Opus 4.7 is available in Microsoft Foundry, GitHub Copilot, M365 Copilot, Copilot Cowork, and Azure Databricks AI model serving. Opus 4.7 is the deep-reasoning model in Anthropic’s lineup — designed for long-running tasks where quality matters more than latency.
If you’ve been using Sonnet for everything because Opus was overkill, the spread of Opus 4.7 across these surfaces makes it easier to pick the right model per task.
OpenAI GPT-5.5 and GPT-5.5 Pro
GPT-5.5 and GPT-5.5 Pro are now available in Foundry. The 5.5 generation focuses on deeper long-context reasoning, more reliable agentic execution, and better computer-use behavior with greater token efficiency. Pro extends the reasoning depth and task complexity further. These are standard agentic-stack improvements over the previous GPT-5 family.
OpenAI GPT-Image-2
GPT-Image-2 is the most interesting AI announcement this week. It’s not an incremental upgrade — it’s a step change in image generation quality. Notable capabilities:
- Renders dense, small text correctly (something nearly every image model has struggled with)
- Outputs text in different languages
- Generates up to 2K resolution
- Supports aspect ratios from 1:3 to 3:1
The use case John highlighted is enterprise UI mockups: generate a high-fidelity interface mockup with GPT-Image-2, then feed it into something like GPT-5.5-Codex to actually code the UI. That’s a different workflow than “make me cool images,” and it’s the kind of thing that could change how teams approach early design phases.
Final thoughts
The storage block deserves the most attention. ANF ransomware protection is the kind of feature you want enabled before you need it, not after. The 10-volume-per-subscription guidance for first-time enablement is a real constraint, so plan a phased rollout if you’re operating at scale.
On the database side, Premium SSD v2 for PostgreSQL Flexible is the upgrade most IO-bound workloads should be evaluating. Combined with the VNet-to-private-endpoint migration path, this is a good window to clean up the deployment shape of any PostgreSQL Flexible servers you’ve been carrying since the early days.
Azure Monitor Pipelines is the operational sleeper hit. If you’re paying for telemetry you don’t actually use, this is the lever to fix that without changing your application instrumentation.
And on the AI side, GPT-Image-2 is worth experimenting with even if you’re not currently doing image generation. The “design then implement” workflow is a real shift.
Sources
- John Savill, “Azure Update - 24th April 2026,” YouTube, https://www.youtube.com/watch?v=AxxFqiUImV4