Introduction

Another week, another set of Azure updates from John Savill. This week was a bit shorter because John was in New York presenting the security part of the keynote at the AI Tour. If you get the chance to attend an AI Tour event near you, it’s worth it.

There’s one big announcement this week that many of us have been waiting for: the Standard V2 NAT Gateway with zone redundancy support.

NAT Gateway V2: Finally Zone Redundant

This is the highlight of the week. The Standard V2 NAT Gateway is now generally available, and it brings zone redundancy.

If you’ve worked with NAT Gateway before, you know the pain. The original version was either regional or zonal, but not zone redundant. This didn’t fit well with zone-redundant architectures. You had to deploy zonal NAT Gateways and somehow align them with specific subnets, which made no sense because subnets span all zones.

The V2 version fixes this:

  • Zone redundant deployment - finally matches how we design everything else
  • 100 Gbps throughput - up from the previous limits
  • 10 million packets per second
  • Dual stack support - up to 16 IPv4/IPv6 addresses
  • Flow logs - for traffic insights

If you’re currently using the original NAT Gateway with awkward zonal workarounds, this is your upgrade path. The architecture becomes much cleaner when NAT Gateway can be zone redundant like your other resources.

AKS: Deployment Safeguards with Pod Security Standards

AKS deployment safeguards now include pod security standards in GA.

This gives you centrally managed security profiles:

  • Baseline - minimal restrictions
  • Restricted - follows pod security best practices
  • Privileged - for workloads that need elevated access

You can enable this on new or existing clusters. If you have special namespaces that need exemptions, you can exclude them.

This is useful for platform teams who want consistent security policies across all clusters without managing individual pod security policies manually.

User-Delegated SAS for Tables, Files, and Queues

User-delegated SAS tokens are now available for Azure Tables, Files, and Queues. We already had this for Blob storage.

Why this matters: Account-level and service-level SAS tokens are signed using the storage account keys. Those keys are all-powerful. If they leak, everything is exposed.

User-delegated SAS is different:

  • Signed by the Entra ID identity creating it
  • Can never have more permissions than that identity
  • Maximum validity of 7 days

It’s the more secure option. If you’re generating SAS tokens for applications, consider switching to user-delegated SAS now that it’s available across all storage services.

Azure NetApp Files: Oracle Data Protection

The application volume group for Oracle in Azure NetApp Files now supports data protection volumes.

Context: Oracle databases typically need multiple volumes (2 to 12 depending on size and configuration). The app volume group creates all of them following best practices.

Currently, you need to enable this via the REST API. But it’s a good option for Oracle workloads that need disaster recovery without manual volume replication setup.

Azure Load Testing: Switzerland North

Azure Load Testing is now available in Switzerland North.

If you’re not familiar with it: this is the managed service for running Apache JMeter or Locust scripts at cloud scale. You can also use the web experience to generate scripts without writing them manually.

The service doesn’t just stress test your application. It gives you analytics on how components behaved under load, helping you identify bottlenecks.

More regions means lower latency for test orchestration and potentially meeting data residency requirements.

App Testing: Enhanced Playwright Reporting

Azure App Testing has updated its reporting capabilities, now in GA.

The improvement is around debugging. When you enable debugging, you specify a storage account for the data. Through the portal, you can then use:

  • Trace viewer for deeper analysis
  • Full reporting of test execution

If you’re using Playwright for end-to-end testing, this makes debugging failed tests easier without having to download and parse trace files locally.

GitHub Copilot SDK

GitHub Copilot now has an SDK. This means you can use the same agentic capabilities you get in VS Code within your own applications.

What you can do:

  • Multi-step planning
  • Multiple model support
  • MCP server integration
  • Custom agent building

This is interesting for building internal developer tools or automating workflows that benefit from AI assistance. Instead of building your own agent framework, you can use the Copilot SDK and get the same capabilities.

Azure File Sync: Israel Central

Azure File Sync is now available in Israel Central. This is the service that synchronises Windows SMB shares via an Azure file share in the cloud.

Useful for:

  • Multi-site file server synchronisation
  • Cloud tiering when local storage is limited
  • Meeting data residency requirements in Israel

Final Thoughts

The NAT Gateway V2 is the big one this week. Zone redundancy for NAT Gateway has been a gap in Azure networking for a while, and it’s good to see it addressed. If you’re designing new network architectures or cleaning up existing ones, this simplifies things significantly.

The user-delegated SAS expansion is also worth noting. It’s a small change that improves security posture without much effort.

Sources

  1. John Savill, “Azure Update - 23rd January 2026,” YouTube, https://www.youtube.com/watch?v=FfYk17LiOmM