Monthly Cloudy Updates, April 2025

Table of Contents

Hello World!

Hello everyone! Let’s start this year with some interesting news and articles I found interesting.

And now, let’s get to the updates!

AWS

Amazon VPC Route Server is now Generally Available

Route Server allows you to advertise routing information through Border Gateway Protocol (BGP) from virtual appliances and dynamically update the VPC route tables associated with subnets and internet gateway.

AWS Backup introduces support for Amazon Redshift Serverless

More info here.

Amazon QuickSight launches dashboard versioning

Dashboard versioning enables authors to view and easily re-publish previously published versions of their dashboards as well as the notes on what updates were made by whom.

Amazon RDS Proxy announces TLS 1.3 support for PostgreSQL on Aurora and RDS

With this release, RDS Proxy can use TLS 1.3 for connections to Aurora PostgreSQL and RDS for PostgreSQL databases. During connection establishment, Proxy will automatically negotiate the most secure supported TLS version supported with the database. Customers can also configure their PostgreSQL database to require TLS 1.3, by setting the ssl_min_protocol_version parameter in their parameter group. TLS 1.3 is already supported for connections to RDS Proxy, as well as for RDS Proxy connections to MySQL engines.

Amazon CloudFront supports VPC Origin modification with CloudFront Functions

You can automatically route each request to different applications by creating weights to send a certain percentage of traffic to multiple backend services, all without updating your distribution configuration. You can also create new origin groups dynamically, with the ability to set multiple origins with failover criteria. For example, you can create custom failover logic to update the primary and failover origins based on viewer location or request headers to ensure viewers have the lowest possible latency. More info here.

Amazon Security Lake achieves FedRamp High and Moderate authorization

Amazon Security Lake has achieved FedRAMP High authorization in AWS GovCloud (US) Region and FedRAMP Moderate in the US East and US West Regions. If you’re a federal agency, public sector organization, or enterprise with FedRAMP compliance requirements, you can now centralize your security data using Amazon Security Lake.

Monitor service dependencies with Amazon CloudWatch Application Signals SLOs

Amazon CloudWatch Application Signals now supports creating Service Level Objectives (SLOs) using metrics from your service dependencies. You can now monitor the performance of your services’ dependencies, and proactively resolve problems through SLO goal setting, thanks to this new ability.

Amazon Simple Email Service (SES) announces that its Mail Manager email modernization and infrastructure features now accept incoming connections from customer-provisioned Virtual Private Clouds (VPCs) to Mail Manager Ingress Endpoints. This makes use of PrivateLink connectivity features already provided by AWS.

AWS SAM now supports Amazon API Gateway Custom Domain Names for private REST APIs

(AWS SAM) now supports custom domain names for private REST APIs feature of Amazon API Gateway. Developers building serverless applications using SAM can now seamlessly incorporate custom domain names for private APIs directly in their SAM templates, eliminating the need to configure custom domain names separately using other tools.

Load Balancer Capacity Unit Reservation for Gateway Load Balancers

Gateway Load Balancer (GWLB) now supports Load Balancer Capacity Unit (LCU) Reservation that allows you to proactively set a minimum bandwidth capacity for your load balancer, complementing its existing ability to auto-scale based on your traffic pattern.

AWS simplifies Amazon VPC Peering billing

Say hi to “Region_Name-VpcPeering-In/Out-Bytes” in Cost Explorer or Cost and Usage Report.

AWS Client VPN now supports Client Routes Enforcement

The feature continuously tracks your users’ device routing tables to ensure outbound traffic flows through the VPN tunnel according to your configured settings. If the feature detects any modified networking route settings, it automatically restores the routes to your original configuration.

AWS Systems Manager launches just-in-time node access

Customers can create zero standing privileges to nodes by requiring operators to request access to nodes managed by AWS Systems Manager that are running on AWS, hybrid, and multi-cloud environments before remotely connecting using AWS Systems Manager Session Manager.

Azure

Azure File Sync support for managed identities is now Generally Available

When you configure managed identities for your Azure File Sync deployment, system-assigned managed identities will be used for the following scenarios:

  • Storage Sync Service authentication to Azure file share
  • Registered server authentication to Azure file share
  • Registered server authentication to Storage Sync Service

To simplify authentication and enhance security, managed identities are now enabled by default for new Storage Sync Services. You can now configure managed identities in the Azure portal, removing the need for PowerShell.

Azure Front Door now supports custom cipher suite in Public Preview

You can use either a predefined policy or a custom policy per your own needs. More info here.

Autoscale for vCore-based Azure Cosmos DB for MongoDB is now Generally Available

Now you can handle peak loads effortlessly without overprovisioning using the new autoscale capability, currently available for vCore-based Azure Cosmos DB for MongoDB.

CNI Overlay for Application Gateway for Containers and AGIC is in Public Preview

Load balance workloads with scalability and resilience across AKS services in an Azure CNI Overlay cluster using Application Gateway for Containers and Application Gateway Ingress Controller (AGIC).

  • Conserve IP addresses: Conserve VNet IP address space and support maximum cluster scale with CNI Overlay.
  • Control ingress: Manage cluster ingress from external clients and services to specified services within the private overlay network of the AKS cluster, ensuring that traffic remains within the private overlay network to reduce exposure to external threats and enhance overall security.
  • Simplify deployment: Automatically detect the appropriate network configuration for CNI Overlay or CNI with Application Gateway for Containers and Application Gateway Ingress Controller, requiring no additional configuration.

More info here.

Azure CNI Overlay Dual-stack with Cilium Dataplane Support is now Generally Available

Azure CNI overlay now supports dual-stack networking with Azure CNI powered by Cilium, enabling customers to enforce IPv6 network policies and leverage Advanced Container Networking Services (ACNS) in dual-stack environments.

AKS Communication Manager is now Generally Available

This tool enables you to monitor your upgrades closely by providing timely alerts on event triggers and outcomes. If maintenance fails, it notifies you with the reasons for the failure, reducing operational hassles related to observability and follow-ups. You can set up notifications for all types of auto upgrades that utilize maintenance windows. More info here.

Multi-cluster Auto-upgrade in Azure Kubernetes Fleet Manager is now Generally Available

Fleet Manager is announcing the general availability of Auto-upgrade support, which provides an automated trigger for update runs based on new Kubernetes or node image versions being published to Azure. Admins can create multiple auto-upgrade profiles for their fleet to capture combinations of Kubernetes and node image version updates.

Application Insights auto-instrumentation for AKS is in Public Preview

To provide seamless monitoring for Java and Node deployments, AKS now offers Application Insights integration for Java and Node microservices. This integration, available in public preview, allows customers to easily monitor their deployments without changing any code by leveraging auto-instrumentation that is integrated into the AKS cluster.

maxUnavailable Settings for Upgrades in AKS is in Public Preview

AKS now supports setting a maxUnavailable option for upgrading nodepools to a newer version of both Kubernetes and node images. With maxUnavailable, you no longer need to use surge nodes to begin the upgrade process. AKS will instead simply cordon and drain existing nodes on the nodepool.

Standard Load Balancer (SLB) Health Probe Redesign in AKS is in Public Preview

This new capability enhances reliability, reduces misconfigurations, and improves traffic routing. More info here.

AKS Support for Persistent Network Flow Logging for Advanced Container Network Services is in Public Preview

This enhancement allows you to capture and retain detailed network traffic logs over time, providing valuable insights into network behavior and helping to ensure the security and efficiency of your deployments.

Cilium WireGuard Encryption Support in AKS is in Public Preview

This integration provides a lightweight, high-performance encryption mechanism for traffic between nodes in an AKS cluster, ensuring that data in transit remains secure without significant performance overhead. More info here.

Multi-cluster Workload Rollout Strategies and Run with Kubernetes Fleet Manager is in Public Preview

Operators using Azure Kubernetes Fleet Manager’s Cluster Resource Placement for intelligent execution of multi-cluster workload placement can now define reusable staged rollout strategies using ClusterStagedUpdateStrategy custom resource. More info here.

Skip Automatic GPU Driver Installation is now Generally Available

By default, AKS installs NVIDIA GPU drivers when a node pool is created using a VM size that supports NVIDIA GPUs. The ability to skip automatic driver installation on your GPU-enabled node pools is now generally available.

AKS Cost Recommendations in Azure Advisor is now Generally Available

These advisors are designed to identify cost savings opportunities and provide actionable insights to enforce AKS cost best practices. More info here.

Multiple Load Balancers for AKS is now in Public Preview

This enhancement allows for better scalability, workload distribution, and flexibility in managing network traffic across large deployments.

Service Allowed IP Ranges in AKS is now in Public Preview

AKS now allows you to define both IP ranges and service tags for Service LoadBalancers, providing more flexible traffic control than loadBalancerSourceRanges. This eliminates the need for manual service tag updates and ensures seamless traffic management across on-premises and Azure services.

Azure NetApp Files File Access Logs is now in Public Preview

This new feature provides detailed logging of file access activities, including user identity, operation type, and timestamps, enhancing security, reliability, and operational insights. It supports SMB, NFSv4.1, and dual-protocol volumes, offering valuable features for monitoring unauthorized access, tracing activity for compliance, resolving incidents, and optimizing data usage patterns.

You can now configure Application Gateway resources as Private Link enabled origins in your Front Door Premium profile. More info here.

Azure Front Door capturing request header, response header, and request query string values as server variables is now Generally Available

More info here.

Remote Model Context Protocol support in Azure Functions

This will allow you to build tools using remote MCP with server-sent events (SSE) with Azure Functions. More info here.

Performance Plus for Azure Disk Storage

This enhances the IOPS and throughput performance of Premium SSD, Standard SSD, and Standard HDD disks that are sized 513GB or larger. More info here.

Rule-based routing in Azure Container Apps is in Public Preview

Rule-based routing allows you to direct incoming HTTP traffic to different apps within your Container Apps environment based on the requested host name or path. This includes support for custom domains. Instead of having to configure a separate reverse proxy, such as NGINX, you can now provide routing rules for your environment and incoming traffic will automatically be routed to the specified target apps. More info here.

Metrics Usage Insights is in Public Preview

This feature is currently designed for Azure Managed Prometheus users which will analyze all metrics ingested in Azure Managed Workspace (AMW), surfacing actionable insights to optimize your observability setup. More info here.

Azure Compute Fleet is now Generally Available

Azure Compute Fleet allows users to easily obtain large amounts of compute capacity algorithmically mixing and matching a variety of available and VM sizes suitable to a user’s workload, up to 10,000 VMs in a single fleet. A user can specify a variety of VM criteria such as RAM size, core count, SKU type, location, and pricing structure, and Azure Compute Fleet will deploy capacity tailored to those criteria. More info here.

Network Isolated Cluster in AKS

AKS now provides the option to use network isolated clusters to simplify the process of restricting network access and reduce the risk of unintentional exposure of the cluster’s public endpoints to prevent security breaches. More info here.

Inbound Private Endpoint for Azure API Management Standard v2 is in Public Preview

More info here.

Azure WAF CAPTCHA Challenge for Azure Front Door is in Public Preview

More info here.

Azure Virtual Network Terminal Access Point (TAP) is in Public Preview

Unlike traditional packet capture solutions that require the deployment of additional agents or network appliances, virtual network TAP leverages Azure’s native infrastructure to mirror traffic with minimal overhead, enhancing both analytics and security capabilities. More info here.

Larger Container Sizes on Azure Container Instances

This setup supports vCPU counts greater than 4 and memory capacities of 16 GB, with a maximum of 32 vCPU and 256 GB per standard container group and 32 vCPU and 192 GB per confidential container group. More info here.

Google Cloud

Memorystore for Valkey is now Generally Available

With Multi-VPC support, cross-region replication, and version 8.0 available.

Cloud Run

  • Multiple Sidecars Containers for a Cloud Run Job is now Generally Available: You can deploy up to 10 containers per instance including the main job container, more info here.

  • Direct VPC egress support for Cloud Run jobs is now generally available (GA).

  • Configuring GPU in your Cloud Run service is now generally available (GA).

Migrate to Virtual Machines

Migrate to Virtual Machines supports importing Arm disk images to Google Cloud. More info here.

GKE: Identify workloads without resources requests or limits

GKE now provides insights and recommendations that help you identify workloads without resource requests or limits so that you can specify the resource needs for these workloads.

Secrets Manager Add-on for GKE

The Secret Manager add-on for Google Kubernetes Engine (GKE) now supports the automatic rotation of secrets. This is in preview.

Oracle Database@Google Cloud

For Autonomous Databases, you now have the options to set up public network access and private network access in Google Cloud. More info here.

Virtual Private Cloud

If you’re a service producer that makes a service available through VPC Network Peering, you can migrate your service to Private Service Connect without changing the IPv4 address that consumers use to access the service.