Azure Updates: May 2026 GA Features

May felt like a month where Azure was doing a lot of practical plumbing work around Storage and Networking. What stood out to me was how many of these releases were about removing the need for workarounds. Identity for file shares that does not drag a domain controller into every conversation. Storage migrations that can be scheduled rather than babysat. This is the sort of work that quietly improves day-to-day life.

Containers

Application Gateway for Containers service mesh integration with Istio

Application Gateway for Containers service mesh integration with Istio is now generally available. The useful part is the ALB Controller service mesh extension, which automates certificate lifecycle management and reduces some of the repeated mTLS and ingress configuration that normally builds up around north-south traffic into mesh workloads. The catch is that this assumes a sidecar-based Istio deployment and Gateway API, so it is not a universal fit, but it is a meaningful improvement for AKS teams already moving in that direction.

Storage and File Services

Entra-only identities with Azure Files

Azure Files now supports Microsoft Entra Kerberos authentication for cloud-only as well as hybrid identities. The important bit is that cloud-only users can access SMB shares without needing a traditional domain controller in the authentication path, which removes one of the more awkward dependencies in Azure Files deployments. The catch is that a storage account still only supports one identity source for Azure Files, so this helps most when you have already decided to standardise on Entra-based access.

Azure NetApp Files object REST API

Azure NetApp Files object REST API is now generally available, giving Azure NetApp Files an S3-compatible REST surface over the same underlying NAS data. I like this one because it opens up more hybrid patterns where the same data can be exposed both as files and as objects, which is useful for services such as Azure AI Search, Databricks, Fabric, and other S3-aware tooling. It is a practical bridge between existing file estates and newer AI or analytics workflows, not just another API checkbox.

Azure NetApp Files cache volumes

Azure NetApp Files cache volumes are also now generally available. The model is straightforward. Keep the authoritative dataset on external ONTAP or Cloud Volumes ONTAP, but cache the hot data closer to Azure compute so reads and optional write-back happen with much lower latency. For teams trying to burst workloads into Azure without fully relocating large datasets, this is one of the more interesting storage updates this month.

Scheduled migrations in Azure Storage Mover

Azure Storage Mover can now schedule one-time or recurring migrations, which is more significant than it first sounds. This turns it from a tool you trigger manually into something you can use for repeated sync windows, staged cutovers, and periodic migration jobs without building separate orchestration around it. Daily, weekly, and monthly recurrence options make it much more realistic for ongoing migration programmes rather than one-off copies.

Azure Storage Mover Blob-to-Blob migration

Blob-to-Blob migration in Azure Storage Mover is now generally available as well. This fills an obvious gap for teams that need to move data between storage accounts or between Azure environments while still wanting managed progress tracking and logs rather than rolling everything by hand with scripts. It is not the most glamorous feature in the world, but it is the kind of capability that saves time immediately once you need it.

Networking

User Groups and IP address pools for P2S connections

Point-to-site VPN gateways can now assign IP addresses from different pools based on user groups. That means you can map different identity groups to different address ranges and apply downstream controls more cleanly, instead of treating every P2S user as part of one flat network segment. For organisations that care about separating contractors, admins, engineers, or regional user groups, this is a useful operational improvement.
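To make the downstream-control point concrete, here is an added example (not code from Azure or from this post) that attributes VPN client addresses to user groups by pool and flags flows that leave a group's permitted ranges. The group names, address pools, allowed prefixes and flow records are all constructed assumptions.

```python
import ipaddress

# Constructed P2S pool plan: user group -> address pool (assumed values).
POOLS = {
    "contractors": "172.16.10.0/24",
    "engineers": "172.16.20.0/24",
    "admins": "172.16.30.0/27",
}
# Constructed policy: destination prefixes each group may reach.
ALLOWED = {
    "contractors": ["10.1.50.0/24"],
    "engineers": ["10.1.0.0/16"],
    "admins": ["10.0.0.0/8"],
}

def overlapping_pools(pools):
    """Return pairs of groups whose pools overlap (attribution would be ambiguous)."""
    nets = {g: ipaddress.ip_network(c) for g, c in pools.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def group_for(ip, pools):
    """Map a VPN client address to its user group, or None if outside every pool."""
    addr = ipaddress.ip_address(ip)
    for group, cidr in pools.items():
        if addr in ipaddress.ip_network(cidr):
            return group
    return None

def violations(flows, pools, allowed):
    """Return (src, dst, group) for flows outside the source group's allowed prefixes."""
    out = []
    for src, dst in flows:
        group = group_for(src, pools)
        prefixes = allowed.get(group, [])  # unattributed source: nothing is allowed
        if not any(ipaddress.ip_address(dst) in ipaddress.ip_network(p) for p in prefixes):
            out.append((src, dst, group))
    return out

# Constructed flow records (source, destination), not real telemetry.
FLOWS = [
    ("172.16.10.5", "10.1.50.10"),  # contractor to permitted app subnet
    ("172.16.10.5", "10.1.60.4"),   # contractor outside permitted range
    ("172.16.20.9", "10.1.60.4"),   # engineer, permitted
    ("172.16.30.40", "10.0.0.4"),   # outside the admins /27 pool: no group
]

if __name__ == "__main__":
    print(overlapping_pools(POOLS))
    print(violations(FLOWS, POOLS, ALLOWED))
```

Checking for overlapping pools first matters because an address that falls in two pools cannot be attributed to a single group.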

Site-to-site VPN connections with certificate authentication

Site-to-site VPN certificate authentication is now generally available, using X.509 certificates instead of preshared keys. The design is sensible: outbound certificates live in Azure Key Vault, gateways access them through a user-assigned managed identity, and inbound certificate chains are validated on the Azure side. If you have ever ended up with a collection of long-lived shared secrets spread across devices and config files, this is a much cleaner security model.

Virtual network flow logs connector with Microsoft Sentinel

Virtual network flow logs can now be operationalised more cleanly in Microsoft Sentinel through Traffic Analytics integration. In practice, that means you can enable Sentinel on the same Log Analytics workspace, install the Network Session Essentials content, and start using prebuilt analytics and hunting content without building a separate plumbing layer. For teams already using Sentinel, that makes network telemetry much easier to treat as part of day-to-day security operations rather than a pile of logs that never quite gets used.

