Monthly Cloudy Updates, November 2024

Table of Contents

Hello World!

Loads of updates this month thanks to Microsoft Ignite and AWS pre:Invent. But before going into the updates let me share some interesting news and articles I found interesting.

  • Want to learn how Discord reduced websocket traffic by 40%, look here.

  • If you wonder why and how Wafris migrated from Redis to SQLite from one of their use cases, you need to read this.

  • Everyone is obsessed with FinOps these days, and Duolingo is no exception. They shared the story about how they achieved 20% cost savings without compromising performance.

  • Have you ever wondered how a change can lead to a massive cost reduction? Recall.ai shares a story of how they slashed their AWS bill by writing a Rust interface to transport data over Shared Memory.

  • The Gitpod team shares valuable lessons on building a scalable and reliable developer platform, a great resource for anyone in the industry. We’re leaving Kubernetes.

And now, let’s get to the updates!

AWS

Amazon WorkSpaces WSP enables desktop traffic over TCP/UDP port 443

Customers using port 4195 can continue to do so. The WorkSpaces client application prioritizes UDP (QUIC) for optimal performance, but will fallback to TCP if UDP is blocked.

Amazon Bedrock announces support for cost allocation tags on inference profiles

Customers can categorize their GenAI inference costs by department, team, or application using AWS cost allocation tags. You can leverage this feature by creating an application inference profile and tagging it.

Amazon CloudFront no longer charges for requests blocked by AWS WAF

With this change, CloudFront customers will never incur request fees or data transfer charges for requests blocked by AWS WAF. This update requires no changes to your applications and applies to all CloudFront distributions using AWS WAF.

Lambda supports Customer Managed Key (CMK) encryption for Zip function code artifacts

AWS Lambda now supports encryption of Lambda function Zip code artifacts using customer managed keys instead of default AWS owned keys. Using keys that they create, own, and manage can satisfy customer’s organizational security and governance requirements.

AWS Fault Injection Service now generates experiment reports

(AWS FIS) now generates reports for experiments, reducing the time and effort to produce evidence of resilience testing.

Application Signals now supports burn rate for application performance goals

Customers can now receive alerts when these SLOs reach a critical burn rate. This new feature allows you to calculate how quickly your service is consuming its error budget relative to the SLO’s attainment goal. More info here.

AWS Lambda adds support for Python 3.13

More details here.

Customize scope of IAM Access Analyzer unused access analysis

Now, customers can optionally customize the analysis to meet their needs. Customers can select accounts, roles, and users to exclude from analysis and focus on specific areas to identify and remediate unused access. More info here.

AWS launches user-based subscription of Microsoft Remote Desktop Services

Customers can now purchase user-based subscription of Microsoft Remote Desktop Services licenses directly from AWS. More info here.

Split cost allocation data for Amazon EKS now supports metrics from Amazon CloudWatch Container Insights

You can use CPU and memory metrics collected by Amazon CloudWatch Container Insights for your Amazon Elastic Kubernetes Service (EKS) clusters in split cost allocation data for Amazon EKS, so you can get granular Kubernetes pod-level costs and make it available in AWS Cost and Usage Reports (CUR). More info here.

Centrally manage root access in AWS Identity and Access Management (IAM)

Now, administrators can remove unnecessary root credentials for member accounts in AWS Organizations and then, if needed, perform tightly scoped privileged actions using temporary credentials. More info here.

AWS Organizations member accounts can now regain access to accidentally locked Amazon S3 buckets

AWS Organizations member accounts can now use a simple process through AWS Identity and Access Management (IAM) to regain access to accidentally locked Amazon S3 buckets. More info here.

Amazon Route 53 Resolver DNS Firewall Advanced

A new set of capabilities on Route 53 Resolver DNS Firewall that allow you to monitor and block suspicious DNS traffic associated with advanced DNS threats, such as DNS tunneling and Domain Generation Algorithms (DGAs), that are designed to avoid detection by threat intelligence feeds or are difficult for threat intelligence feeds alone to track and block in time. More info here.

Amazon VPC Lattice now supports Amazon Elastic Container Service (Amazon ECS)

More info here.

Amazon EFS now supports cross-account Replication

More info here.

AWS Billing and Cost Management announces Savings Plans Purchase Analyzer

Savings Plans Purchase Analyzer enables you to interactively model a wide range of Savings Plan purchase scenarios with customizable parameters, including commitment amounts, custom lookback periods, and the option to exclude expiring Savings Plans. More info here.

Amazon EC2 Auto Scaling introduces highly responsive scaling policies

Target Tracking now automatically adapts to the unique usage patterns of your individual applications, and can be configured to monitor high-resolution CloudWatch metrics to make more timely scaling decisions.

Amazon SageMaker introduces Scale Down to Zero for AI inference to help customers save costs

More info here.

More info here.

Azure

App Service Multi Plan subnet join is now GA

More info here.

Application Insights Code Optimizations

Utilizing an advanced AI-based model, it analyzes Application Insights profiler traces and provides actionable next steps in the Azure portal at no additional cost. More info here.

Bot Manager Ruleset 1.1 on Azure WAF with Azure Application Gateway

This updated ruleset enhances the existing Bot Manager 1.0 by introducing new bad bot and good bot rules. More info here.

Edit network features with no downtime for Azure NetApp Files volumes is in Preview

More info here.

Azure File Sync support for managed identities is now in public preview

Managed Identity eliminates the need for shared keys as a method of authentication to your Azure file shares by utilizing a system-assigned managed identity provided by Microsoft Entra ID. More info here.

Azure cross subscription Load Balancer is now GA

More info here.

Vector data type and functions in Azure SQL

Store embeddings and run vector similarity searchs right in Azure SQL using the new vector type and the related vector functions.

Azure Load Balancer Administrative State is now GA

Admin State enables you to override the health probe behavior for each instance without additional configuration changes to your Load Balancer such as changing network security rules or closing ports. More info here.

SeccompDefault support in AKS is in public preview

This establishes an extra layer of protection against common system call vulnerabilities exploited by malicious actors and allows you to specify a default seccomp profile for all workloads in the node. More info here.

Azure Databricks Serverless Compute Services discount

You will continue to get 50% off serverless compute for Jobs and Pipelines and 30% off serverless compute for Notebooks, until January 31, 2025. More info here.

Advanced Container Networking Services is now GA

More info here.

Network isolated clusters in AKS in now in public preview

AKS now provides the option to use network isolated clusters to simplify the process of restricting network access and reduce the risk of unintentional exposure of the cluster’s public endpoints to prevent security breaches. More info here.

SSH authentication with Microsoft Entra ID is now GA

Microsoft Entra ID authentication set as the authentication mechanism, instead of providing additional authentication to connect, users can experience a one-click sign-on into their virtual machines. More info here.

WAF running on Application Gateway for Containers is in private preview

Fill this form if you are interested.

Network security perimenter is in public preview

Network Security Perimeter allows organizations to define a logical network isolation boundary for PaaS resources (for example, Azure Storage account and SQL Database server) that are deployed outside your organization’s virtual networks. More info here.

New features in Azure Deployment Environments

More info here.

Azure Local

Azure Local brings the power of Azure compute and platform services to customers’ distributed and on-premises locations, addressing both mission critical and cloud-native applications like AI with flexibility and scalability. More info here.

Serverless GPU in Azure Container Apps is in public preview

Serverless GPUs enable you to seamlessly run your AI workloads on-demand with automatic scaling, optimized cold start, per-second billing with scale down to zero when not in use, and reduced operational overhead to support easy real-time custom model inferencing and other machine learning tasks. More info here.

Standby Pools for Azure Container Instances is now in public preview.

This enables customers to create a pool of pre-provisioned container groups that can be used to scale out in response to incoming traffic. More info here.

Azure SQL Managed Instance mirroring to Microsoft Fabric is in public preview

You can now use mirroring to easily replicate Azure SQL Managed Instance data to Microsoft Fabric. Mirroring replicates your data in near real-time directly into Fabric OneLake. More info here. This is also available for Azure SQL Database.

Azure Managed Redis is now in public preview

Well! You pretty much know what this is about. More info here.

Spot Placement Score is in public preview

A feature designed to help you assess the likelihood of success for your Spot VM deployments. More info here.

Azure DNS Support for DNSSEC is in public preview

Was about time! More info here.

Google Cloud

Cloud Load Balancing Percentage-based request mirroring is in preview

Percentage-based request mirroring is now supported for the global and regional external Application Load Balancers (classic is not supported). By default, the mirrored backend service receives all requests, even if the original traffic is being split between multiple weighted backend services. More info here.

Google Kubernetes Engine confidential mode Hyperdisk

In GKE version 1.26 and later, Hyperdisk Balanced volumes can be created in Confidential mode for custom boot disks and persistent volumes and attached to Confidential GKE Nodes.

Compute Engine gVNIC driver for Windows

An updated version of the gVNIC driver for Windows offers improved network performance and support for Jumbo frames. For more information, see Update to the latest gVNIC driver for Windows.

GKE Volume Populator

This feature provides a way to automate data transfer from a Google Cloud Storage bucket source storage to a destination PersistentVolumeClaim backed by a Parallelstore instance.

Memorystore for Redis Cluster now in preview

Added support for multiple VPC networks.

GKE automatic application monitoring

Enabling this feature automatically deploys PodMonitoring configurations to capture key metrics for supported workloads like Apache Airflow, Istio, and RabbitMQ.

Restore soft-deleted Cloud Storage buckets

If you delete a bucket with an active soft delete policy, Cloud Storage retains the bucket for the specified soft delete retention duration, during which the bucket can be restored to a live state.

Cloud Storage IP Filtering is in preview

With bucket IP filtering, you can restrict access to a bucket based on the source IP address of the request and secure your data from unauthorized access.

Spanner backup schedules

You can enable or disable default backup schedules in an instance when creating the instance or by editing the instance later.