Monthly Cloudy Updates, June 2025
Table of Contents
Hello World!
Hello everyone! Let’s start this year with some interesting news and articles I found interesting.
-
This article delves on the value of being an Expert Generalist.
-
Uber’s approach to database backup and recovery Robust Database Backup Recovery at Uber.
-
“The real horror isn’t that AI will take our jobs. It’s that it will entice people who never wanted the job to begin with” The Copilot Delusion.
-
“Being supported by AI tools is not a substitute for mastery. You can’t borrow skills. You have to earn them” What I’d do as a College Freshman in 2025.
And now, let’s get to the updates!
AWS
AWS Private CA announces support for Microsoft Active Directory child domains
With this feature, customers get a consistent experience using AWS Private CA across parent and child AD domains. AD administrators can issue certificates to users, computers, and devices in a child domain independently of the parent domain and other child domains. More info here.
Amazon VPC Route Server announces logging enhancements
These metrics allow customers to proactively monitor network health, troubleshoot network issues and gain visibility into route propagation and peer connectivity. Previously, customers would manually track Border Gateway Protocol (BGP) and Bidirectional Forwarding Detection (BFD) session changes and often required AWS Support assistance for network troubleshooting. With these new logging capabilities, customers can independently monitor and diagnose network connectivity issues, leading to faster resolution times and improved network visibility. The enhancement offers real-time monitoring of BGP and BFD session states, historical peer-to-peer session data logging and flexible log delivery options through CloudWatch, S3, Data Firehose or AWS CLI. More info here.
Amazon API Gateway introduces routing rules for REST APIs
Amazon API Gateway now supports routing rules for REST APIs using custom domain names. This new capability enables you to dynamically route incoming requests based on HTTP header values, URL base paths, or a combination of both. This flexibility enables various use cases, including A/B testing, API versioning, and dynamic backend selection. More info here.
AWS Site-to-Site VPN introduces three new capabilities for enhanced security
-
AWS Secrets Manager Integration: With the AWS Secrets Manager integration, when customers store their pre-shared keys (PSKs) in Secrets Manager, VPN connection API responses will redact the PSK and instead display the Secrets Manager ARN (Amazon Resource Name), providing enhanced security.
-
New API to track VPN algorithms: You can now easily track the currently negotiated internet key exchange (IKE) version, Diffie-Hellman (DH) groups, encryption algorithms, and integrity algorithms using the “GetActiveVpnTunnelStatus” API. This new API eliminates the need for you to enable Site-to-Site VPN logs to get this information, saving time and reducing operational overhead.
-
Recommended Configuration: “GetVpnConnectionDeviceSampleConfiguration” API now includes “recommended” parameter to help you use the best-practices security configuration - IKE version 2, DH group 20, SHA-384 integrity algorithm, and AES-GCM-256 encryption algorithm - on your customer gateway devices, reducing configuration time and potential errors.
More info here.
AWS Resource Groups now supports IPv6
AWS Resource Group APIs now supports IPv6 for dual stack subnets so you can filter IPv4 and IPv6 traffic flows to and from the public internet, on-premises network, or any endpoint in your Amazon Virtual Private Cloud (VPC).
Amazon EKS add-ons now supports Private CA Connector for Kubernetes
This new integration allows customers to easily issue certificates from AWS Private Certificate Authority (AWS Private CA) to their Kubernetes clusters running on Amazon Elastic Kubernetes Service (Amazon EKS). More info here.
AWS Invoice Summary API is now generally available
This allows you to retrieve your AWS invoice summary details programmatically via SDK. You can retrieve multiple invoice summary details by making a single API call that accepts input parameters like AWS Account ID, AWS Invoice ID, billing period, or a date range as input. More info here.
ASN match support for AWS WAF
AWS WAF now supports matching incoming request against Autonomous System Numbers (ASNs). By monitoring and restricting traffic from specific ASNs, you can mitigate risks associated with malicious actors, comply with regulatory requirements, and optimize the performance and availability of your web applications.
Open sourcing pgactive: active-active replication extension for PostgreSQL
Pgactive lets you use asynchronous active-active replication for streaming data between database instances to provide additional resiliency and flexibility in moving data between database instances, including writers located in different regions. This helps maintain availability for operations like switching write traffic to a different instance. More info here.
Amazon EFS now supports Internet Protocol Version 6 (IPv6)
More info here.
AWS Control Tower now supports service-linked AWS Config managed Config rules
AWS Control Tower now deploys service-linked Config rules directly in managed accounts, replacing the previous AWS CloudFormation StackSets deployment method. More info here.
AWS WAF now supports automatic application layer distributed denial of service (DDoS) protection
AWS WAF application layer (L7) DDoS protection is an AWS Managed Rule group that automatically detects and mitigates DDoS events of any duration to ensure your applications on Amazon CloudFront, Application Load Balancer (ALB) and other AWS services supported by WAF stay available and responsive to your users. More info here.
AWS Network Firewall now supports AWS Transit Gateway native integration
AWS Network Firewall now supports native integration with AWS Transit Gateway for simplified deployment and management of network security across your global AWS infrastructure. AWS Transit Gateway interconnects your Amazon Virtual Private Clouds (VPCs) and on-premises networks, while AWS Network Firewall provides comprehensive security controls for those VPCs. More info here.
AWS IAM now enforces MFA for root users across all account types
More info here.
AWS Certificate Manager introduces public certificates you can use anywhere
You can now issue public certificates that you can export and access the certificate’s private key to securely terminate TLS traffic on any compute workload. This includes EC2 instances, containers, or on-premises hosts. More info here.
IAM Access Analyzer now identifies who in your AWS organization can access your AWS resources
AWS Identity and Access Management (IAM) Access Analyzer now identifies who within your AWS organization has access to your Amazon S3, Amazon DynamoDB, or Amazon Relational Database Service (RDS) resources. More info here.
AWS Network Firewall launches support for active threat defense
AWS Network Firewall with active threat defense provides automated, intelligence-driven protection against dynamic, ongoing threat activities observed across AWS infrastructure. Once enabled, you can configure the managed rule group in your firewall policy to automatically block suspicious traffic, such as command-and-control (C2) communication, embedded URLs, and malicious domains. More info here.
AWS WAF reduces web application security configuration steps and provides expert-level protection
AWS WAF simplified console experience that reduces web application security configuration steps by up to 80% and provides expert-level protection to help you optimize application security. More info here.
Amazon Inspector launches code security to shift security left in development
This new feature, with native integration to GitHub and GitLab, helps you rapidly identify and prioritize security vulnerabilities and misconfigurations across your application source-code, dependencies, and infrastructure as code (IaC). More info here.
AWS Security Incident Response adds integration with Amazon EventBridge
This integration enables customers to react, monitor, and orchestrate events associated with cases and memberships within AWS Security Incident Response. More info here.
AWS Firewall Manager provides support for AWS WAF L7 DDOS managed rules
The application layer (L7) DDoS protection is an AWS Managed Rule group that automatically detects and mitigates DDoS events of any applications on Amazon CloudFront, Application Load Balancer (ALB) and other AWS services supported by WAF. More info here.
Azure
Azure Storage Mover can now migrate your SMB shares to Azure Blob container
Besides the existing general available capability to migrate from an on-premises NFS share to an Azure blob container and SMB source to Azure File shares, Azure Storage Mover now supports SMB source to Azure Blob container as target.
Public Preview: Azure Site Recovery (ASR) for Virtual Machines with Premium SSD v2 disks
More info here.
Public Preview: Azure Migrate now supports migration to ZRS Disks.
Azure Migrate now migrates ZRS as the target disk type for eligible data disks in regions where ZRS is supported. ZRS for managed disks is only supported with Premium SSD and Standard SSD managed disks.
Upsert and Script activity in Data Factory in Microsoft Fabric for Azure Database for PostgreSQL
With the Upsert method, you can now merge incoming data into existing tables without writing complex logic, reducing overhead and improving performance. The Script activity allows you to execute custom SQL scripts as part of your data workflows, enabling advanced transformations, procedural logic, and fine-grained control over data operations. More info here.
Generally Available: Azure Database for PostgreSQL support for pg_cron extension in PG17
This extension brings powerful, built-in job scheduling to PostgreSQL 17—previously available only in earlier versions. More info here.
Generally Available: Azure Database for MySQL bindings for Azure Functions
With this integration, Azure Functions can seamlessly interact with Azure Database for MySQL databases using input and output bindings. More info here.
Generally Available: NFS Azure Files volume mount support in Azure Container Apps
NFS Azure Files volumes provide a scalable and high-performance file system for your apps and jobs. You can use NFS Azure Files volumes to share data between multiple containers in your application, or to persist data across container restarts.
Private Preview: Profile and Route WAF Policies on Azure Front Door
Previously, to protect your applications from malicious attacks, a WAF policy had to be linked to a Front Door via one or more Front Door frontends or custom domains. With the release of this feature, the association can now happen at two additional levels: the top-level Front Door profile level and the bottom route level.
This feature allows you to have a global profile level policy that can be generally applied to all domains within a profile through the Front Door profile level association. Furthermore, you can also apply a more finely tuned WAF policy to a specific route within a domain like a login page, or a payment page, that’s likely to have different security requirements.
If you’re interested in participating in this private preview, please fill out this sign-up form.
Public Preview: Container Network Logs in AKS for deep Network Visibility
This feature enables deep visibility into Layer 3 (IP), Layer 4 (TCP/UDP), and Layer 7 (HTTP/gRPC/Kafka) communications. With this insight, platform teams can accelerate root cause analysis, visualize traffic flows, and enforce security policies with greater precision.
Public Preview: Azure Databricks Power Platform Connectors
The new connector enables you to:
- Support real-time data access without the need for data copying.
- Create dynamic applications that take advantage of large datasets directly from Azure Databricks.
- Easily set up connections through support for API key authentication and additional developer options.
- Efficiently visualize and work with data using the Power FX formula language.
More info here.
Generally Available: Azure Site Recovery Support for Azure Trusted Launch VMs Running Linux OS
Azure Site Recovery support for Azure Trusted Launch VMs running Linux OS is Generally Available. Azure Trusted Launch VMs provide foundational compute security to Azure Generation 2 VMs by enabling Secure Boot and vTPM capabilities. More info here.
Generally Available: Increased Disk Capacity for Azure VM Backup
VMs can now be protected with individual disks up to 64 TB and a total of 512 TB per VM. This enables large disk support for business continuity and recovery from disasters or ransomware attacks. More info here.
Public Preview: Azure Site Recovery Support for Virtual Machines with Ultra disks
More info here.
Generally Available: Kubernetes v1.31 and 1.32 available as Long-Term Support (LTS) versions in AKS
More info here.
Generally Available: Azure SQL Managed Instance faster management operations
The new faster management operations experience enhances elasticity by enabling you to provision any configuration of your instance in under 30 minutes—whether it uses default or custom settings. Update and scaling operations are similarly accelerated, completing in less than 60 minutes compared to the previous four-hour process. More info here.
Public Preview: Customizing RAM per vCore with additional memory
With this new capability, you can now adjust the memory/vCore ratio to better suit your workload requirements, optimizing your Azure SQL Managed Instance configuration. This feature is available exclusively in the Next-gen General Purpose tier for premium-series hardware. More info here.
Generally Available: Azure Front Door now supports managed certificate for wildcard domains
Azure Front Door standard and premium profiles now support managed certificate for wildcard domains. Previously, you can only bring your own certificate for wildcard domains on Azure Front Door. More info here.
Public Preview: Microsoft Cost Management add support for FOCUS 1.2
This update introduces key enhancements that help FinOps teams streamline reporting, unify billing data across clouds, and enable consistent multi-currency financial analysis. More info here.
Public Preview: Draft & Deploy on Azure Firewall
With Draft & Deploy, users can collaboratively make multiple changes in a draft version cloned from the current policy without affecting the live environment. Once finalized, all changes can be deployed at once, replacing the existing policy.
Generally Available: Azure Virtual Network Manager IP address management
More info here.
Generally Available: Encryption in Transit (EiT) for Azure Files NFS shares
Azure Files NFS shares now support Encryption in Transit (EiT) using TLS 1.3 to secure all NFS traffic, ensuring confidentiality, integrity, and authentication. More info here.
Generally Available: FQDN Filtering in DNAT Rules for Azure Firewall
Azure Firewall supports the use of Fully Qualified Domain Names (FQDNs) in DNAT (Destination Network Address Translation) rules, allowing inbound traffic to be routed to backend resources using domain names instead of static IP addresses.
Key Highlights:
- DNS-based backend targeting: Route inbound traffic to backend servers using FQDNs.
- Dynamic IP support: Ideal for applications where backend IPs change frequently.
- Monitoring: Monitor DNAT activity using AZFWNatRule logs.
More info here.
Generally Available: Two-Way Forest Trust for Microsoft Entra Domain Services
Now, Entra Domain Services supports three possible directions when you create a forest trust:
- One-way out-bound: This allows users in the on-premises domain to access resources in the managed domain, but not vice versa.
- One-way in-bound: This option allows users in the managed domain to access resources in the on-premises domain.
- Two-way: This is a bi-directional trust that allows users in both the managed domain and the on-premises domain to access resources in either domain. More info here.
Google Cloud
Cloud Pub/Sub introduced Pub/Sub Single Message Transforms (SMTs)
The first SMT is available now: JavaScript User-Defined Functions (UDFs), which allows you to perform simple, lightweight modifications to message attributes and/or the data directly within Pub/Sub via snippets of JavaScript code. More info here.
Serverless Spark Now GA in BigQuery
Run Spark and SQL side-by-side on the same data, powered by the Lightning Engine for up to 3.6x faster performance and enhanced with Gemini productivity. More info here.
DeepSeek R1, a powerful 671B parameters model, is now available as a fully managed API on Vertex AI in Preview
Model as a Service (MaaS) offering eliminates the need for extensive GPU resources and infrastructure management, allowing developers to focus on building applications. DeepSeek R1 on Vertex AI provides a simple, scalable API with features like transparent “chain-of-thought” reasoning and enterprise-ready security. More info here.
Backup vaults now support disk backups and multi-regions
You can now secure your Persistent Disk and Hyperdisk backups in backup vaults, protecting them from cyber attacks and accidental data loss. In addition, backup vaults can now be created in multi-region storage locations, maximizing your data resilience and supporting compliance with business continuity requirements. More info here.
Simplify Your Multi-Cloud Strategy with Cloud Location Finder, now in Public Preview
This service provides up-to-date location data across Google Cloud, Amazon Web Services (AWS), Azure, and Oracle Cloud Infrastructure (OCI). Now, you can strategically deploy workloads across different cloud providers with confidence and control. Cloud Location Finder is accessible via REST APIs and gcloud CLI. More info here.
Run non-request workloads at scale with Cloud Run Worker Pools, now in Public Preview
Looking for the ease-of-use and scalability of serverless, without being limited to HTTP request-driven workloads? Cloud Run Worker Pools provide the same elasticity and high-quality developer experience as Cloud Run Services, but are designed for non-request workloads. Worker Pools are ideal for pull-based use cases like processing messages from Pub/Sub or Kafka, and other backend processing. More info here.