Azure Update 1st May 2026

John Savill covers the key Azure platform updates for the week of 1st May 2026, spanning compute, networking, storage, databases, and Azure AI/agent tooling.

Full summary based on transcript

Context and related content callout

• Savill mentions recent discussion about quantum computing progress and the risk it poses to today’s cryptography.
• He references a separate video he made about post-quantum cryptography, emphasizing that people should at least be aware of the topic.

Compute updates

AKS: in-transit encryption for pod traffic (Azure CNI powered by Cilium)

• For AKS clusters using Azure CNI powered by Cilium plus Advanced Container Networking Services, it’s now possible to enable in-transit encryption using WireGuard.
• What it does:
  • Encrypts pod traffic between nodes.
• Operational notes:
  • No application/workload changes required.
  • No additional sidecars.
  • Can be enabled on existing clusters.
  • Requires restarting the Cilium agent on all nodes.
  • On large clusters, the restart can take time and cause temporary workload impact, so it should be done in a maintenance window.

AKS: Container Network “insights agent” (preview)

• AKS container network has an insights agent in preview.
• Goal:
  • Natural-language interaction: describe the problem and it finds relevant telemetry (logs, metrics, flows) to help identify root cause.
  • Can advise on next steps.

Azure Red Hat OpenShift: new region

• Azure Red Hat OpenShift is now available in Austria East in GA.

Azure Functions: Java 25 support (GA)

• Azure Functions (Windows and Linux), including the Flex Consumption plan, now supports Java 25 in GA.

Networking updates

Azure Front Door WAF: HTTP DDoS rule set

• A new capability for Azure Front Door when enabling Web Application Firewall (WAF):
  • HTTP distributed denial-of-service (DDoS) rule set.
• Applies to:
  • Azure Front Door Premium SKU.
• How it works (as described):
  • Adaptive Layer 7 protection.
  • Uses machine learning to learn baseline traffic.
  • Detects attack surges and selectively blocks sources of surges.

Azure Virtual Network Manager: cross-region pool association

• Azure Virtual Network Manager (centralized management of VNets across subscriptions for connectivity, security rules, and IP address management) now supports cross-region pool association.
• Example:
  • Create an IP pool in IPAM and associate it with a VNet in a different region.

Storage updates

Azure Elastic SAN: CRC32C checksums

• Azure Elastic SAN (native iSCSI target over IP) can now enable CRC32C checksums.
• Notes:
  • Can be enabled on new or existing SANs.
  • Uses client header communication.
  • Can be enforced at the volume level:
    • Require CRC usage and reject connections that don’t have the required CRC/data digest set in the header.

Azure Elastic SAN: connect via Windows VM extension

• It’s now possible to enable connections to Azure Elastic SAN from a Windows VM using Azure VM extensions.
• What the extension does:
  • Ensures Windows iSCSI and Multipath I/O (MPIO) capabilities are enabled.
  • Configures them and connects to the iSCSI target.
• Why it matters:
  • Extensions can be configured via templates, so this can be automated through ARM templates, Bicep, Terraform, etc.

Azure Elastic SAN: Azure Backup support

• Elastic SAN now supports Azure Backup.
• As described:
  • Backup is separate from the Elastic SAN storage itself.
  • Uses independent managed disk snapshots.
  • Helps recover from accidental/malicious deletion or logical corruption (including content changes/encryption).
  • Taken every 24 hours with up to 450 recovery points maintained.

Azure Blob Storage: user delegated SAS prefix support (GA)

• User delegated SAS prefix support is now GA for blobs.
• Background:
  • Historically SAS tokens were signed by storage account keys.
  • With user delegated SAS, an Entra-based user delegation key is used (identity/managed identity signs the SAS).
• New capability:
  • Restrict access to blobs that start with a specific prefix.
• Practical implication:
  • Even though blob storage doesn’t have “real” directories (without hierarchical namespace), many tools treat name prefixes as virtual directories.
  • Prefix restriction can effectively limit access to specific virtual directories (e.g., per project/business unit/customer) within a single storage account.

Database updates

Azure Database for PostgreSQL: cascading read replicas (GA)

• Cascading read replicas for PostgreSQL are now GA.
• Prior model:
  • Primary can have up to 5 read replicas.
• New model:
  • A replica can have replicas (replica-of-replica), up to two levels.
  • Up to 5 replicas of a replica, enabling up to 30 read replicas total.
• Benefit:
  • Scales read workloads without adding as much load to the primary (primary still feeds five; additional replicas “ripple out”).

AI / agents and platform tooling updates

Microsoft Agent Framework 1.0 (GA)

• Microsoft Agent Framework 1.0 is now GA for .NET and Python.
• Savill describes it as a merging of Semantic Kernel and AutoGen.
• Supports:
  • Agents
  • Graph-based workflows for finer control over multi-step tasks

Boundary hosted agents (preview)

• Boundary hosted agents are in preview.
• Purpose:
  • Run each agent session in its own isolated environment (described as VM kernel-mode isolation / secure execution environment).
• Flexibility:
  • Can use any framework (Agent Framework, LangGraph, custom code).
  • Can use custom protocols.
  • Control CPU/memory allocation.
  • Optional persistence via special endpoints (Savill mentions a “home files” concept).
• Deployment model:
  • Provide a container image.
  • Publish it to Azure Container Registry.
  • Deploy via the agent service, which pulls the image, stands up required components, assigns an identity, and exposes an endpoint.

Foundry tooling and agent service updates

• A Foundry toolkit for VS Code is mentioned to help set up and work with Agent Framework capabilities.
• Foundry agent service: “bring your own AI gateway” is now GA.
  • Savill notes you could use Azure API Management, but also non-Azure AI model gateways.

Foundry agent service: managed memory (preview)

• Memory capability is now in preview for Foundry agent service.
• Savill frames this as “memory as a service” and a major differentiator for agent experiences.
• Described behavior:
  • Enable managed long-term memory.
  • Integrates with Microsoft Agent Framework and LangGraph.
  • Extract key information from interactions.
  • Consolidate memories over time to keep storage efficient.
  • Retrieve memories during recall scenarios.
  • Accessed via a memory search tool added to the agent, enabling read/write during conversations.

Prompt flow retirement

• Prompt flow is being retired in April 2027.
• Reason given:
  • With the introduction of Microsoft Agent Framework, Prompt flow is “no longer required.”