Monthly Cloudy Updates, March 2025

Table of Contents

Hello World!

Hello everyone! Let’s start this year with some interesting news and articles I found interesting.

We are destroying software.
Something that not only applies to AWS, but pretty much to all cloud providers: The Missing Tier in AWS Network Controls.
Are you also having a bad time with AI Crawlers? This is of your interest Cloudflare builds an AI to lead AI scraper bots into a horrible maze of junk content.
If you are interested in this year’s State for FinOps Report, here it it.
If you saw the headlines about TypeScript being rewritten in Golang but didn’t have time to read the article, here’s a great summary.

And now, let’s get to the updates!

AWS

AWS Outposts racks for high throughput, network-intensive workloads (Preview)

designed specifically for on-premises high throughput, network-intensive workloads. With these new Outposts racks, telecom service providers (telcos) can extend AWS infrastructure and services to telco locations, enabling them to deploy on-premises network functions requiring low latency, high throughput, and real-time performance.

Amazon Cognito now supports access token customization for machine-to-machine (M2M) authorization flows

M2M authorization is commonly used for automated processes such as scheduled data synchronization tasks, event-driven workflows, microservices communication, or real-time data streaming between systems. More info here.

Amazon CloudWatch RUM introduces resource-based policy support for data ingestion access

With resource-based policies, you can specify which Identity and Access Management (IAM) principals have access to ingest data to your RUM app monitors— effectively which clients can write data to RUM. This would also allow you to ingest data at higher volume and gives you greater control over data ingress in RUM.

AWS Lambda adds support for Amazon CloudWatch Logs Live Tail in VS Code IDE

WS Lambda now supports Amazon CloudWatch Logs Live Tail in VS Code IDE through the AWS Toolkit for Visual Studio Code. Live Tail is an interactive log streaming and analytics capability which provides real-time visibility into logs, making it easier to develop and troubleshoot Lambda functions.

IAM Access Analyzer now supports Internet Protocol Version 6 (IPv6)

To learn more on best practices for configuring IPv6 in your environment, visit the whitepaper on IPv6 in AWS.

Bottlerocket now supports AWS Neuron accelerated instance types

Customers using Bottlerocket AMIs can now deploy and manage machine learning inference and training workloads on AWS Neuron accelerated instance types, including Inf1, Inf2, Trn1, and Trn2. EKS customers can use these Bottlerocket AMIs with Karpenter version 1.2.2 and above.

Amazon EKS now envelope encrypts all Kubernetes API data by default

Amazon Elastic Kubernetes Service (EKS) enables default envelope encryption for all Kubernetes API data in EKS clusters running Kubernetes version 1.28 or higher.

Application Load Balancer announces integration with Amazon VPC IPAM

With this feature, customers can optimize public IPv4 cost by using BYOIP in public IPAM pools. More info here.

Amazon WorkSpaces Pools now supports FIPS 140-2 validated endpoints

To enable FIPS endpoint encryption for end user streaming via AWS Console, navigate to Directories, and verify that the Pools directory where you want to add FIPS is in a STOPPED state, and that the preferred protocol is set to TCP. Once verified, select the directory and on the Directory Details page update the endpoint encryption to FIPS 140-2 Validated Mode and save. More info here.

AWS WAF now supports PCI DSS4.0 compliance protection with partner solutions

AWS WAF’s new partner solutions page, available today, enables you to easily discover and implement PCI DSS v4.0 compliance solutions for your web applications. Choose from industry-leading security providers Human Security and DataDome, who offer client-side protection solutions directly through the AWS WAF console.

Amazon EventBridge expands IAM execution role support to all targets

Amazon EventBridge expands execution role support to AWS Lambda, Amazon SNS, and Amazon SQS event bus targets, making this feature available for all target types.

Amazon Inspector expands ECR support for minimal container base images and enhanced detections

Inspector now supports scratch, distroless (Debian/Ubuntu based), and Chainguard image scanning. More info here.

Amazon ECR announces ECR to ECR pull through cache

This enables customers to benefit from the reduced latency of pulling cached images in-region. With today’s release, Amazon ECR makes it easier for customers to optimize storage costs by providing a simple and reliable way to store local copies of only the images that are pulled across regions/accounts. More info here.

AppSync Events adds publishing over WebSocket for real-time pub/sub

Developers can now use their AppSync Events APIs to publish events directly over WebSocket connections, complementing the existing HTTP API publishing capability. More info here.

Manage SLO exclusion time windows using CloudWatch Application Signals

Customers can now set exclusion time windows to avoid affecting a service’s reliability score during planned downtime. This feature works with service-level objectives (SLOs) that are created and tracked using CloudWatch Application Signals.

PySpark available in AWS Clean Rooms

AWS announces the general availability of PySpark in AWS Clean Rooms, enabling companies and their partners to run sophisticated analytics across large datasets using PySpark, the Python API for Apache Spark.

AWS WAF now supports URI fragment field matching

AWS WAF now supports URI fragment field matching, enabling customers to match against the URI fragment and along with the already supported URI path. With this feature, customers can create rules that inspect and match against the content of the URI fragment within the URI path. More info here.

Amazon EventBridge Scheduler now supports AWS PrivateLink

Amazon EventBridge Scheduler now supports AWS PrivateLink, providing you access to Scheduler from within your Amazon Virtual Private Cloud (VPC) without using the public internet. This feature eliminates the need for an internet gateway, firewall rules, or proxy servers when accessing EventBridge Scheduler from a private subnet. More info here.

Amazon EC2 now supports more bandwidth and jumbo frames to select destinations

Amazon EC2 now supports up to the full EC2 instance bandwidth for inter-region VPC peering traffic and to AWS Direct Connect. Additionally, EC2 supports jumbo frames up to 8500 Bytes for cross region VPC peering. More info here.

API Gateway launches support for dual-stack (IPv4 and IPv6) endpoints

You can now configure your REST, HTTP or WebSocket APIs as well as custom domains, to accept calls from IPv6 clients alongside the existing IPv4 support. You can also call APIGW management APIs from dual-stack clients. More info here.

AWS Resource Access Manager (RAM) now supports Internet Protocol Version 6 (IPv6)

The existing RAM endpoints supporting IPv4 will remain available for backwards compatibility. The new dual-stack domains are available either from the internet or from within an Amazon Virtual Private Cloud (VPC) using AWS PrivateLink.

Azure

Azure Backup Vaulted Support for Azure Files Shares Standard is Now Generally Available

Previously, customers had the ability to schedule point-in-time snapshots, now with vaulted backup you will have the following additional benefits:

Vaulted backup support now enables adherence to the widely accepted 3-2-1 backup rule for Azure files protection alongside centralized management to gain visibility, monitor jobs, alerts and reporting using Azure Business Continuity Center.
Protect against ransomware and malicious activities with immutable backups and soft delete functionality on recovery services vault.
Long-term retention is essential for meeting compliance and audit requirements. Vaulted backup provides daily, monthly, and yearly backups that can be retained in cost-effective storage for up to 99 years.

More info here.

Azure Load Balancer Health Event Logs are now Generally Available

These built-in logs help you troubleshoot specific scenarios and allow you to identify and alert on availability issues affecting your load balancer. More info here.

Azure Managed Prometheus Supports Horizontal Pod Autoscaling for Replicaset Pods in AKS

More info here.

Edit Network Features for Azure NetApp Files with No Downtime

You are now able to edit existing Azure NetApp Files volumes and upgrade Basic network features to Standard network features with no downtime. This feature is available in all Azure NetApp Files enabled regions. More info here.

Azure Storage Object Replication Metrics for Visibility into Replication Progress is Now Generally Available

Two new metrics in Azure Storage, designed to provide users with enhanced visibility and insights into their object replication progress. These new metrics include:

Pending Operations: The number of operations pending replication.
Pending Bytes: The amount of data pending replication.

More info here.

Azure Site Recovery Support for Azure Trusted Launch VMs Running Linux OS is in Public Preview

This Public Preview is available for Azure Trusted launch VMs running Linux OS. Azure Site Recovery support for Trusted launch VM running Windows OS is already Generally Available. More info here.

API Management as a Private Link Enabled Origin for Front Door Premium is Now Generally Available

You can now configure Azure API Management resources as Private Link enabled origins in your Front Door Premium profile. More info here.

Azure Virtual Network Manager Network Verifier is Now Generally Available

This feature enables you to check if your network policies allow or disallow traffic between your Azure network resources. More info here.

Control Plane Azure Platform Metrics in AKS is in Public Preview

The metrics provide insight into the availability and performance of your managed control plane components, helping you detect and resolve issues relating to the control plane. More info here.

Windows Support for Virtual Machines Node Pools in AKS is in Public Preview

With Virtual Machines node pools, Azure Kubernetes Services directly manages the provisioning and bootstrapping of every single node. With Virtual Machines node pools, Azure Kubernetes Services directly manages the provisioning and bootstrapping of every single node. More info here.

Node Auto-Repair Kubernetes Events in AKS

Node auto-repair is a built-in process which automatically detects unhealthy nodes and attempts to repair them through reboot, reimage, and redeploy actions. You can create alerts on the new events and be notified if there are any errors with the process.

Kubenet Networking for AKS to be Retired on March 31, 2026

To avoid service disruptions, you’ll need to follow these instructions to upgrade to Azure Container Networking Interface (CNI) overlay before that date, when workloads running on kubenet for AKS will no longer be supported.

VM Hibernation for GPU VMs is now Generally Available

More info here.

Serverless GPUs in Azure Container Apps with NVIDIA NIM Support is Now Generally Available

Serverless GPUs with NVIDIA NIM support is now generally available in Azure Container Apps. Serverless GPUs enable you to seamlessly run your AI workloads on-demand with automatic scaling, optimized cold start, per-second billing with scale down to zero when not in use, and reduced operational overhead to support easy real-time custom model inferencing and other GPU related tasks. More info here and here.

Azure Monitor Managed Service for Prometheus for Azure Arc enabled Kubernetes is Now Generally Available

Azure Monitor managed service for Prometheus for Azure Arc-enabled Kubernetes allows customers to monitor their Kubernetes clusters running anywhere. It offers fully managed collection, storage, rule evaluation, and querying of Prometheus data. More info here.

Docker Content Trust will be Replaced by the Notary Project and Azure Key Vault

Docker Content Trust no longer meets the requirements of modern supply chain security for containers. As a result, Docker Content Trust will be deprecated and no longer available in ACR after March 31, 2028. If you currently use Docker Content Trust, you should transition to the Notary Project ecosystem, including their open-source supply chain tool, Notation.

Log Analytics Delete Data API is Now Generally Available

The Delete Data API lets you make asynchronous requests to remove data, such as sensitive, personal, or corrupt from your Log Analytics workspace. This API is more performant than Purge API since tagging logs as deleted, rather than performing heady delete operation. It’s recommended to use this API for all non-GDPR data deletion.

Google Cloud

Pub/Sub

You can now ingest streaming data into Pub/Sub by using an import topic, from the following external sources:

Azure Event Hubs
Amazon Managed Streaming for Apache Kafka (MSK)
Confluent Cloud

Cloud Run Supports the Go 1.23 Runtime now

More info here.

App Engine standard environment

App Engine now sets the automatic scaling maximum instances default for standard environment deployments to 20. This change doesn’t impact existing apps. To override the default, specify a new max_instances value in your app.yaml file, and deploy a new version or redeploy over an existing version.

Cloud Load Balancing

Application Load Balancers now support the use of custom metrics that let you configure your load balancer’s traffic distribution behavior to be based on metrics specific to your application or infrastructure requirements. More info here.

Memorystore for Redis Cluster

Memorystore for Redis Cluster supports storing and querying vector data. This feature is now Generally Available (GA). More info here.

Cloud Router

Cloud Router support for BGP route policies is now generally available. More info here.

Virtual Private Cloud

The following features of internal ranges are available in Preview:

Reserving internal ranges with IPv6 addresses
Creating immutable internal ranges (ranges that can’t be updated, except for the description)
Editable descriptions

More info here.

Compute Engine

Compute flexible committed use discounts (CUDs) are available for Local SSD disks that you attach to instances of eligible machine types. More info here.

Anywhere Cache for Cloud Storage is Now Generally Available

Anywhere Cache enables you to create SSD-backed caches in the same zones as your workloads, helping you get access to your data faster and avoid multi-region data transfer fees. To learn more about Anywhere Cache, more info here.

Compute Engine Instant Snapshots

You can use instant snapshots to take in-place backups of the following types of disks:

Hyperdisk Balanced
Hyperdisk Balanced High Availability
Hyperdisk Extreme

More info here.