Introduction
A solid week of Azure updates. John Savill also published a new “state of the union” video covering Azure identity, governance, and core compute, plus his take on whether you should learn AI. His answer: yes, and those who don’t focus on it now will get left behind. I tend to agree.
Two things caught my attention this week: the VNet routing appliance preview (finally, a native option that isn’t a VM bottleneck) and the Front Door/CDN cipher suite retirement in April. The cipher change probably won’t affect you, but it’s worth checking.
VNet routing appliance (preview)
If you’ve ever hit performance limits on a VM-based network virtual appliance in a hub-spoke network, this one’s for you.
Today, managing traffic routing typically means deploying an NVA VM and using user-defined routes to make it the next hop. That VM becomes the bottleneck. Everyone knows it, everyone works around it.
The VNet routing appliance is Azure’s native answer. It runs in a dedicated subnet, scales horizontally on its own, and handles east-west traffic (within and across connected VNets) without you babysitting a VM.
IPv4 only for now. If your current NVA is struggling or you just want fewer VMs to manage, this is worth testing.
Azure Container Storage 2.1 GA
Azure Container Storage is designed specifically for Kubernetes. It uses the AC Store backend instead of traditional CSI drivers, which opens up storage options that CSI drivers can’t match.
The main news: Elastic SAN support is now GA. It was in preview with v2.0, but now it’s production-ready. If you need stateful workloads with high throughput on AKS, this is what you want. The v2.0 ephemeral disk support was useful but not persistent since it used local node storage.
The installer is also smarter now. It only deploys the components you actually need, so your cluster footprint stays smaller.
App Gateway DRS 2.2 rule set GA
The Default Rule Set 2.2 for Azure Application Gateway is now GA.
Quick context: App Gateway is the regional Layer 7 load balancer. The DRS is Microsoft’s version of the OWASP Core Rule Set (3.3.4), with Microsoft threat intelligence rules added on top.
What’s new in 2.2: updated OWASP protections, more Microsoft-specific rules, and paranoia levels. That last one is interesting. You can now dial up or down how aggressively the WAF behaves, which helps when you’re getting false positives on legitimate traffic.
If you’re running App Gateway with WAF, test 2.2 in your environment and see where your paranoia level should sit.
App Gateway v2: X-Forwarded-For rate limiting (preview)
App Gateway v2 can now rate limit based on the X-Forwarded-For header.
Why this matters: when traffic comes through a proxy or CDN, the source IP you see is the proxy’s IP, not the actual client. X-Forwarded-For preserves the original client IP in the header.
With this feature, you can group and rate limit by the real originating IP, not the proxy. You can also use geolocation from that IP for traffic decisions. Handy if you have a CDN in front of App Gateway and want to throttle specific sources.
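An added example (not from the video, and not App Gateway's implementation) of grouping requests by the originating IP: it reads X-Forwarded-For from the right, trusts only hops added by known proxies, and applies a sliding-window limit to the result. The proxy ranges, the sample requests and the names `client_ip`, `SlidingWindow` and `replay` are assumptions made for this sketch.

```python
import ipaddress
from collections import defaultdict, deque

# Assumption: ranges of the CDN/proxy tier allowed to append to X-Forwarded-For.
TRUSTED = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "10.0.0.0/8")]

def trusted(ip):
    return any(ip in net for net in TRUSTED)

def parse_hop(raw):
    host = raw.strip()                   # some proxies append a port: "198.51.100.7:44312"
    return ipaddress.ip_address(host.split(":")[0] if host.count(":") == 1 else host)

def client_ip(peer, xff):
    """Pick the rate-limit key: walk the chain right to left and stop at the first
    hop that is not a trusted proxy. Entries further left came from the client."""
    chosen = ipaddress.ip_address(peer)
    if not trusted(chosen) or not xff:
        return str(chosen)               # direct connection: ignore the header
    for raw in reversed(xff.split(",")):
        try:
            hop = parse_hop(raw)
        except ValueError:
            break                        # malformed entry: keep the last verified hop
        chosen = hop
        if not trusted(hop):
            break
    return str(chosen)

class SlidingWindow:
    def __init__(self, limit, window_s):
        self.limit, self.window_s, self.hits = limit, window_s, defaultdict(deque)

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window_s:
            q.popleft()                  # drop hits that have left the window
        if len(q) < self.limit:
            q.append(now)
            return True
        return False

# Constructed requests: (TCP peer address, X-Forwarded-For value)
SAMPLE = [("203.0.113.10", "198.51.100.7"),
          ("203.0.113.10", "1.1.1.1, 198.51.100.7"),         # forged leading entry
          ("203.0.113.10", "198.51.100.7:44312, 10.1.2.3"),  # two trusted hops
          ("192.0.2.55", "198.51.100.7")]                    # did not come via the proxy

def replay(requests, limit=2, window_s=60):
    limiter = SlidingWindow(limit, window_s)
    keys = [client_ip(peer, xff) for peer, xff in requests]
    return [(key, limiter.allow(key, now=0.0)) for key in keys]
```

The first three sample requests all resolve to the same client despite the forged entry and the extra hop, so the third one is throttled; the fourth is keyed on its TCP peer because it never passed through a trusted proxy.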
Azure Front Door and CDN: weak cipher suites retiring
In early April, Azure Front Door and Azure CDN drop support for weak cipher suites, specifically the DHE (Diffie-Hellman Ephemeral) variants.
Some context: TLS negotiates cipher suites for key exchange, identity validation, encryption, and hashing. The DHE suites are old. ECDHE (the elliptic curve version) gives the same security with smaller keys, so it’s faster and uses fewer resources. Most things use ECDHE already.
You probably don’t need to do anything. Cipher suites are negotiated on connection, and modern clients handle ECDHE fine. But if you have origins behind Front Door or CDN that only speak DHE, you’ll need to update them before April. Worth a quick check.
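An added example (not from the video or from Microsoft) of that quick check, run over an inventory of the suites each endpoint is configured to offer: it classifies suites by key exchange from their IANA or OpenSSL names and flags any endpoint left with nothing once DHE is gone. The host names and suite lists are constructed, and the check judges by suite name only.

```python
def key_exchange(suite):
    """Classify a suite by key exchange from its IANA or OpenSSL name."""
    name = suite.strip().upper().replace("-", "_")
    if name.startswith("TLS_") and "_WITH_" not in name:
        return "TLS1.3"              # e.g. TLS_AES_128_GCM_SHA256: no key exchange in the name
    if name.startswith("TLS_"):
        name = name[4:]
    first = name.split("_", 1)[0]
    if first == "ECDHE":
        return "ECDHE"
    if first in ("DHE", "EDH"):      # EDH is OpenSSL's older spelling of DHE
        return "DHE"
    return "OTHER"                   # static RSA, PSK, anonymous, ...

def audit(inventory):
    """Map each endpoint to (status, suites that remain without DHE)."""
    report = {}
    for host, suites in inventory.items():
        dhe = [s for s in suites if key_exchange(s) == "DHE"]
        rest = [s for s in suites if key_exchange(s) != "DHE"]
        if not dhe:
            status = "unaffected"
        elif rest:
            status = "loses-dhe"     # still has something else to negotiate
        else:
            status = "no-suite-left" # DHE-only: update before the retirement
        report[host] = (status, rest)
    return report

# Constructed inventory: placeholder hosts with the suites each one offers.
INVENTORY = {
    "origin-a.example": ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-GCM-SHA256"],
    "origin-b.example": ["TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
                         "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"],
    "legacy-c.example": ["DHE-RSA-AES256-SHA", "EDH-RSA-DES-CBC3-SHA"],
}

if __name__ == "__main__":
    for host, (status, rest) in audit(INVENTORY).items():
        print(f"{host:20} {status:14} {', '.join(rest) or '-'}")
```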
Kubernetes Fleet Manager: namespace-scoped placement
Azure Kubernetes Fleet Manager now supports namespace-scoped placement, not just cluster-level targeting.
Fleet Manager handles multi-cluster management for AKS and Arc-enabled Kubernetes: workload placement, node image updates, version upgrades, DNS load balancing, that kind of thing.
The problem before: when you deployed across clusters, you targeted an entire namespace. If you had multiple workloads sharing that namespace, too bad. You updated everything.
Now you can target by resource name, resource type, or labels. Much more useful when namespaces are shared, which they often are in practice.
AMD v6 confidential VMs: 11 new regions
AMD-based confidential VMs are now in 11 more regions, bringing the total to 17.
Quick refresher: we have encryption at rest, encryption in transit (TLS), and now encryption in use. Confidential computing encrypts memory and CPU state while the VM runs.
The AMD SKUs do whole-VM encryption, so you don’t touch your application. Deploy on a confidential VM SKU, and the hardware handles it. Nice if you have compliance requirements around data-in-use protection.
Azure Monitor Agent: Event Hub and Storage retirement
The preview feature that let Azure Monitor Agent send data directly to Storage Accounts or Event Hubs is going away.
If you were using Storage for cheap log storage, look at custom tables in Log Analytics with the Auxiliary plan. That’s the low-cost tier meant for this use case.
If you were using Event Hubs to forward data somewhere else, check what’s natively supported now. Azure Monitor’s export options have grown a lot, and your destination might just work directly.
Azure NetApp Files: elastic ZRS (preview)
Azure NetApp Files now has elastic zone-redundant storage in preview.
Zone redundancy means synchronous replication across availability zones. If an AZ goes down, you get zero data loss and automatic failover. No manual intervention.
The elastic ZRS volumes support all the usual ANF stuff: NFSv3, NFSv4.1, SMB, snapshots, encryption. The zone redundancy just happens behind the scenes.
Serverless workspaces in Azure Databricks GA
Databricks serverless workspaces are now GA. Spin up a workspace, pay for the compute you use, don’t think about infrastructure.
Good for testing, training, or anything short-lived where you don’t want to manage clusters. Also works for production if your workloads fit the serverless model.
You still get Unity Catalog for governance and metadata. Feels more like SaaS than IaaS.
Claude Opus 4.6 in Azure AI Foundry
Anthropic’s Claude Opus 4.6 is now available in Azure AI Foundry and Copilot Studio, with GitHub Copilot coming too.
Opus 4.6 is Anthropic’s strongest reasoning model. It’s built for complex coding, large codebases, and long-running tasks. The context window goes up to 1 million tokens in beta, with 128K token output limits.
If you’re building agents or working with big codebases, it’s another option in the Azure model catalog.
Final thoughts
The VNet routing appliance is the one I’m most curious about. If it actually scales the way they say, it could clean up a lot of hub-spoke designs that currently rely on VM-based NVAs. Preview, so no production yet, but worth testing.
Azure Container Storage 2.1 with Elastic SAN is a practical update if you’re running stateful workloads on AKS. The modular installer is a nice touch too.
And check your origins for the Front Door/CDN cipher retirement. You’re probably fine, but “probably” isn’t a great answer for April.
Sources
- John Savill, “Azure Update - 6th February 2026,” YouTube, https://www.youtube.com/watch?v=edJujekFU58
- John Savill, “Should I learn AI,” YouTube, https://www.youtube.com/watch?v=4b93U-rZ7xo
- John Savill, “Azure State of the Union 2026,” YouTube, https://www.youtube.com/watch?v=FDRuQVG30Bo