Weekly Azure Roundup: Time-bound migrations in apps and networks
This week's Azure roundup focuses on platform migrations where waiting can turn a routine change into a risky cutover. Logic Apps Standard is preparing to move from in-proc hosting to the Azure Functions out-of-proc model as part of the path to .NET 10, so teams should validate early and avoid depending on temporary redirect behavior. On the networking side, Azure Firewall explicit proxy shifts PAC retrieval to Azure Storage with SAS and identity-based access, while large hub-and-spoke topologies get a practical playbook for moving ExpressRoute MSEE hairpin routing to AVNM mesh without weakening segmentation or inspection.
This Week's Overview
Migration watch: Logic Apps, Azure Firewall explicit proxy, and large network topologies
A few Azure platform areas are in active migration mode this month, and the through-line is “make the change before the safety rails disappear.” Picking up from last week's push to standardize integration and networking operations (Logic Apps cleanup/CI diagnostics and AVNM guardrails like Rule Impact Analyzer), this week tightens the spotlight on time-bound platform transitions where delaying work increases cutover risk. Logic Apps Standard is moving away from the in-proc hosting model so the runtime can keep pace with the .NET 10 timeline, while Azure Firewall explicit proxy users need to rework how PAC files are retrieved and authorized. On the networking side, large hub-and-spoke designs are being nudged away from ExpressRoute hairpin routing through MSEE and toward Azure Virtual Network Manager (AVNM) mesh, with guidance on how to roll out without breaking segmentation or inspection.
Azure Logic Apps: in-proc to Functions out-of-proc hosting (for .NET 10)
Building on last week's Logic Apps operational hygiene work (bulk diagnostics and workflow cleanup), this is the runtime-level migration you do not want to discover at the end of a quarter: Logic Apps Standard is preparing to migrate from in-proc hosting to the Azure Functions out-of-proc hosting model, which is positioned as a prerequisite on the path to .NET 10 support. If you rely on NuGet-based deployment, you need to adjust your packaging/deployment approach before the platform removes the redirect behavior.
A key control point is the LOGICAPP_INPROC_REDIRECT app setting, which governs automatic migration behavior. Teams should treat this as a time-bound compatibility switch: validate your workflows under out-of-proc early, then remove dependence on the redirect so you are not forced into a last-minute runtime change.
Azure Firewall explicit proxy: PAC retrieval moves to Storage + SAS, with Managed Identity/RBAC
In the same spirit as last week's “make identity and change control explicit” guidance (for example, OIDC over long-lived secrets and safer rule changes), Azure Firewall explicit proxy is changing how PAC file-based configurations are expected to work, and the migration guidance is concrete: host the PAC file in Azure Storage, retrieve it via a SAS URL, and use Managed Identity with the right Azure Storage RBAC roles. This is a meaningful operational change because it shifts PAC distribution from “wherever you host it today” into a model with explicit identity, permissions, and auditable access paths.
The migration guide walks through portal configuration as well as PowerShell and Azure CLI commands for Azure Firewall Policy updates. If your current setup assumes unauthenticated PAC retrieval or relies on legacy hosting patterns, plan time to re-issue SAS URLs, validate identity permissions, and confirm clients can still fetch PAC reliably during rollout.
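As an added example (not taken from the migration guide), the sketch below lints a PAC SAS URL before it goes into Firewall Policy, using the standard SAS query parameters sp, sr, spr and se. The storage account, container and signature are constructed placeholders, and the policy it enforces (read-only, single-blob scope, HTTPS only, at least seven days of validity left) is this example's assumption rather than a requirement stated by the guide.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

def _parse_sas_time(value):
    # SAS times are UTC in one of these ISO 8601 forms.
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    return None

def audit_pac_sas(url, now, min_remaining=timedelta(days=7)):
    """Return findings for a PAC SAS URL; an empty list means it passed."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    findings = []
    if parts.scheme != "https":
        findings.append("url-not-https")
    if "sig" not in q:
        return findings + ["no-signature"]  # plain URL, not a SAS
    if q.get("sp") != "r":                  # anything beyond read is excess
        findings.append("permissions-not-read-only")
    if q.get("sr") != "b":                  # container/account scope exposes more
        findings.append("scope-wider-than-blob")
    if q.get("spr", "https,http") != "https":  # omitted spr permits http
        findings.append("http-allowed")
    expiry = _parse_sas_time(q.get("se", ""))
    if expiry is None:
        findings.append("expiry-unparseable")
    elif expiry <= now:
        findings.append("expired")
    elif expiry - now < min_remaining:
        findings.append("expires-soon")
    return findings

# Constructed sample URLs (hypothetical account, container and signature).
BASE = "https://examplepacstore.blob.core.windows.net/pac/proxy.pac"
GOOD = BASE + "?sv=2022-11-02&sr=b&sp=r&spr=https&se=2030-01-01T00%3A00%3A00Z&sig=CONSTRUCTED"
BROAD = BASE + "?sv=2022-11-02&sr=c&sp=rwl&se=2029-01-03T00:00Z&sig=CONSTRUCTED"
NOW = datetime(2029, 1, 1, tzinfo=timezone.utc)  # fixed clock for repeatable output

if __name__ == "__main__":
    for name, url in (("good", GOOD), ("broad", BROAD), ("plain", BASE)):
        print(name, audit_pac_sas(url, NOW))
```

Running the check against each re-issued URL during rollout catches an over-scoped or short-lived token before clients start failing PAC fetches.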
Large-scale VNet connectivity: migrate MSEE hairpin routing to AVNM mesh (and keep guardrails)
Following last week's networking theme of reducing blast radius before pushing changes (route summarization and AVNM Rule Impact Analyzer), Microsoft published a detailed path to transition to Azure Virtual Network Manager mesh connectivity for complex hub-and-spoke environments using ExpressRoute hairpin routing through MSEE. The guidance highlights newer high-scale limits and how to enable HSPE (High-Scale Private Endpoints), which matters if you are pushing private connectivity patterns across many VNets and subscriptions.
The practical value is in the rollout mechanics: phased deployment, validation and rollback planning, and specific techniques to preserve firewall inspection and segmentation. Expect to spend time on UDR strategy and Security Admin Rules so that moving to mesh does not accidentally create east-west paths that bypass controls you previously enforced in the hub.