Microsoft AKS updates 2025 - Q2 and MS Build 2025

Within this blog, I want to give an overview of all the AKS features that became generally available, entered public or private preview, or were retired by Microsoft in Q2 2025, including what was announced at Microsoft Build 2025. This information can be found at Microsoft Azure Updates.

  • Smart VM defaults in AKS since May 2025
    Smart VM defaults are now generally available in AKS. Smart VM defaults automatically select the default VM SKU based on available capacity and quota, so that a cluster or node pool created without an explicit SKU is matched with the best available one, improving performance and reliability while optimizing resource utilization. Previously the default AKS VM SKU was typically Standard_DS2_v2; now the default can vary with SKU availability. If you need deterministic sizing (for cost planning, capacity reservations or reproducible environments), pin the SKU explicitly instead of relying on the default.
  • Every AKS version is now long term support (LTS) compatible since May 2025
    The Kubernetes community releases a new minor version approximately every four months, with a support window of one year per version. In Azure Kubernetes Service (AKS), this support window is called community support. AKS supports versions of Kubernetes that are within this community support window and pushes bug fixes and security updates from community releases. To help you manage Kubernetes version upgrades, AKS provides a long term support (LTS) option, which extends the support window for a Kubernetes version and gives you more time to plan and test upgrades to newer versions. AKS now ensures that every community version released to GA is compatible with LTS, starting with version 1.28 LTS from April 2025. Versions 1.27, 1.28, 1.29, and 1.30 are now LTS, with 1.31 and 1.32 expected soon. LTS provides an additional year of support beyond the community support end of life, during which all core AKS components, add-ons, and Kubernetes components remain supported and are patched for CVEs and fixes by AKS.
  • Track AKS supported Kubernetes version regional updates in AKS release tracker since May 2025
    AKS supported Kubernetes version release updates are now available in the AKS release tracker. Users can check the currently supported Kubernetes versions and LTS versions for a specific region and track the rollout of new patch versions with the release tracker.
  • Entity tags (eTags) for Concurrency control in AKS since May 2025
    Cluster operators and platform teams managing shared Azure Kubernetes Service (AKS) environments often face conflicting update requests, especially when multiple users or automation systems interact with the same resource at the same time. This can result in unintended overwrites or inconsistent states. The Entity Tags (eTags) feature in AKS, now generally available, provides a built-in mechanism to detect and prevent conflicting operations. AKS now performs a concurrency check on update requests, comparing the eTag supplied with the request against the eTag of the stored version. If they do not match, the request is rejected, so only changes made against the most recent version of the cluster are applied. This improves reliability and safeguards your configuration during concurrent operations.
  • HTTP proxy support can now be enabled on an existing AKS cluster since May 2025
    The HTTP proxy feature adds HTTP proxy support to AKS clusters, exposing a straightforward interface that you can use to route AKS-required network traffic through a proxy in proxy-dependent environments. With this feature, both AKS nodes and pods are configured to use the HTTP proxy. The feature also enables installation of a trusted certificate authority onto the nodes as part of cluster bootstrapping, which is needed when the proxy intercepts TLS. HTTP proxy can now be enabled on an existing cluster by updating the cluster with an HTTP proxy configuration. AKS will automatically reimage all node pools in the cluster when you update the proxy configuration using the az aks update command, so plan the change as a disruptive operation. You can use Pod Disruption Budgets (PDBs) to limit disruption to critical pods during the reimage.
  • Custom certificate authority support in AKS since May 2025
    Custom certificate authority (CA) support in AKS is now generally available. Custom CAs allow you to establish trust between your Azure Kubernetes Service (AKS) cluster and components your workloads depend on, such as private registries, proxies, and TLS-intercepting firewalls. A Kubernetes secret is used to store the certificate authority's information until it is passed to all nodes in the cluster.
  • Core Kubernetes extensions for AKS since May 2025
    Core Kubernetes extensions for AKS offers an ARM-driven experience for the installation and lifecycle management of essential components that can be integrated into your AKS cluster to enhance its functionality. Compared to the existing cluster extension experience, core Kubernetes extensions provide a native AKS feature-like experience, broader regional and cloud availability, updated version management, simplified network setup, reduced identity footprint, and potentially faster installation speeds.
  • Azure Monitor Prometheus community recommended alerts for AKS since May 2025
    Azure Monitor now offers one-click enablement of Prometheus recommended alerts directly in the Azure Portal for AKS clusters. These alerts, based on enhanced Prometheus community rules, provide comprehensive coverage across cluster, node, and pod levels. Previously, enabling these alerts required manual template downloads and CLI deployment. To use these alerts, your cluster must have Azure Monitor managed service for Prometheus enabled. They serve as the replacement for the legacy Container insights recommended alerts (custom metrics) (preview). By enabling these alerts, customers will:
    • Receive timely notifications on critical cluster issues;
    • Accelerate triage and troubleshooting with preconfigured signal coverage;
    • Improve cluster reliability and performance with minimal configuration.
  • Managed Prometheus visualizations and enhanced monitoring experience in Azure Monitor for AKS since May 2025
    Managed Prometheus visualizations in Azure Monitor are now generally available, along with an enhanced, unified monitoring experience for Azure Kubernetes Service (AKS). This release brings comprehensive monitoring capabilities into a single, streamlined view—designed to address common challenges customers face when managing AKS clusters. Previously, Container insights visualizations were powered by metric data from Log Analytics. Customers now have the option to power these visualizations using managed Prometheus data, offering a more cost-efficient and performant solution. With this feature, customers can:
    • Optimize costs by migrating from Log Analytics based metrics to managed Prometheus;
    • Improve performance with faster metric query response times;
    • Integrate with the new Prometheus based recommended alerts;
    • Gain visibility into control plane metrics for deeper troubleshooting;
    • Monitor at scale with the improved multi-cluster view.
  • [Generally available] Network isolated clusters in AKS since April 2025
    Today, you can control an AKS cluster's egress traffic using Azure Firewall. While this configuration is intended to isolate the cluster to protect sensitive business or customer data, it adds an additional layer of management complexity and cost. AKS now provides the option to use network isolated clusters, which remove the cluster's outbound dependency on the public internet during bootstrapping, to simplify restricting network access and reduce the risk of unintentionally exposing the cluster's public endpoints.
  • [Generally available] Automated deployments in AKS now support Azure DevOps (ADO), AKS-ready templates and service connectors since May 2025
    Automated deployments in AKS now supports the following features:
    • Azure DevOps support: You can now easily generate Azure DevOps (ADO) pipelines to deploy your applications to Azure Kubernetes Service (AKS);
    • Automated deployments also helps you containerize your apps by generating Dockerfiles and Kubernetes manifests—streamlining your path to cloud-native development;
    • AKS-ready templates: You can now generate production-ready Kubernetes manifests out of the box — including deployment, service, ingress, configmap, and more. These new templates are built to help you deploy cloud-native applications faster and more securely by following Kubernetes and AKS best practices. They include:
      • Built-in Horizontal Pod Autoscaler (HPA) configs;
      • Secure securityContext settings for container hardening;
      • Fully templated readiness, liveness, and startup probes;
      • Optional Ingress with managed TLS certificates via app routing.
    • Service connector support: You can now use service connectors to connect your applications to popular Azure services such as Azure SQL Database, PostgreSQL, Cosmos DB, and more. This allows you to easily:
      • Provision secure bindings to Azure services;
      • Automatically inject credentials into your application via Kubernetes secret objects — no manual setup needed.

  • Container Network Logs in AKS for deep network visibility since June 2025
    Container Network Logs in Azure Kubernetes Service (AKS) introduces a capability for capturing and analyzing network traffic across Kubernetes clusters. By surfacing rich metadata, including source and destination IPs, pod and service names, ports, protocols, and traffic direction, this feature gives visibility into Layer 3 (IP), Layer 4 (TCP/UDP), and Layer 7 (HTTP/gRPC/Kafka) communications. With this insight, platform teams can accelerate root cause analysis, visualize traffic flows, and verify that network policies are enforced as intended, for example by confirming that a policy actually drops the flows it is supposed to deny.
  • Registry-agnostic agentless runtime container vulnerability assessment (Microsoft Defender for Cloud) since June 2025
    This capability provides comprehensive vulnerability assessment and remediation for container images, regardless of their registry source. With this, organizations expand vulnerability assessment coverage to include running containers with images from any registry (not restricted to supported registries). Vulnerability information powered by Microsoft Defender Vulnerability Management is added to the cloud security graph for contextual risk, calculation of attack paths, and hunting capabilities. Container images are collected from the runtime environment and scanned for vulnerabilities. Scanned images include customer owned containers, Kubernetes add-ons, and third-party tools running on the cluster. Runtime environment images are collected in an agentless manner every 24 hours.
  • Automated deployments support in Azure Kubernetes Fleet Manager since May 2025
    Azure Kubernetes Fleet Manager now supports automated deployments in public preview. This feature adds support for attaching GitHub repositories to a Fleet Manager hub cluster, allowing the application to be built and staged ready for placement. Automated deployments can use existing artifacts, or it can containerize and publish the repository source code to an image in an Azure Container Registry and generate Kubernetes manifests. The resulting GitHub Action workflow is triggered on any source code updates, providing a continuous deployment experience.
  • Azure Kubernetes Fleet Manager now supports placement drift since May 2025
    Azure Kubernetes Fleet Manager’s cluster resource placement has two new preview features to provide more control over placement conflict resolution. Using the new “applyStrategy”, an operator can define how Fleet Manager resolves conflicts when attempting to place a workload where a clashing workload exists and how to treat configuration drift of a placed workload. Additionally, using the new “ReportDiff” apply mode, an operator can inspect the drift state of a workload across all clusters on which it is deployed.
  • Azure Kubernetes Fleet Manager now supports DNS-based public load balancing since May 2025
    Azure Kubernetes Fleet Manager now supports DNS-based public load balancing, delivered via a Kubernetes-native integration with Azure Traffic Manager. Kubernetes services placed on multiple clusters in a fleet can be included in a TrafficManagerBackend which is exposed via a public load balanced endpoint defined in a TrafficManagerProfile. An Azure Traffic Manager weighted profile is used to route traffic across clusters, with configurable health checks allowing automatic control over when unhealthy clusters stop receiving requests.
  • Recommended services in Azure Portal since May 2025
    Azure offers a variety of services for different application use cases, and it can be time-consuming to select, create, deploy, and connect a service to your Azure Kubernetes Service cluster. The recommended services feature, now in public preview, provides customized Azure service recommendations to AKS users to help you choose the right Azure services for your applications. To access recommended services, navigate to your AKS cluster in Azure Portal. In the overview menu, click on the recommendation tab to view your recommendations. You can use service connector to easily connect the service to your AKS cluster after it’s deployed. To try recommended services, visit the Azure Portal: https://ms.portal.azure.com.
  • Gating vulnerable deployments in AKS (Microsoft Defender for Cloud) since May 2025
    Microsoft Defender for Cloud gating vulnerable deployments feature for Azure Kubernetes Service (AKS) is now in public preview. This feature allows you to evaluate deployments in Kubernetes and ensure each image is safe before deployment, based on Vulnerability Assessment and organization security policy. Gating involves both auditing and blocking deployments, as well as terminating existing deployments which do not adhere to the required policies. This feature is based on two new capabilities:
    • Vulnerability findings artifact: Generation of findings for each container image scanned for vulnerability assessment;
    • Customized security rules: You can customize security rules and configure required actions - 'audit' or 'deny' - for various environments, for Kubernetes clusters, or for namespaces, tailored to specific organization needs and compliance requirements.
  • Vulnerability assessment and malware detection for AKS nodes (Microsoft Defender for Cloud) since May 2025
    Microsoft Defender for Cloud now offers, in preview, vulnerability assessments and malware detection for nodes within Azure Kubernetes Service (AKS). By securing these Kubernetes nodes, organizations can enhance their overall security posture, maintain compliance across their managed Kubernetes environments, and better understand their responsibilities within the shared security model of the cloud. To receive the new capabilities, the Agentless scanning for machines toggle needs to be enabled as part of Defender CSPM, Defender for Containers, or Defender for Servers P2 plan on your subscription:
    • Vulnerability Assessment - A new recommendation is now available in Azure portal: AKS nodes should have vulnerability findings resolved. Using this recommendation, you can now review and remediate vulnerabilities and CVEs found on Azure Kubernetes Service (AKS) nodes;
    • Malware detection - New security alerts are triggered when the agentless malware detection capability detects malware in AKS nodes. Agentless malware detection uses the Microsoft Defender Antivirus anti-malware engine to scan and detect malicious files. When threats are detected, security alerts are directed into Defender for Cloud and Defender XDR, where they can be investigated and remediated.
  • [Public Preview] AKS security dashboard (Microsoft Defender for Cloud) since May 2025
    The Azure Kubernetes Service (AKS) security dashboard, now in public preview, provides visibility and automated remediation capabilities for security issues directly in the Azure portal, so platform engineering teams can secure their Kubernetes environment without switching tools. Consolidating security and operational data in one place gives engineers a unified view of their Kubernetes environment, enabling more efficient detection and remediation of security issues with minimal disruption to their workflows, reducing the risk that issues are overlooked and shortening remediation cycles. Security issues surfaced in the dashboard are divided into types: vulnerabilities, misconfigurations, compliance, and threat detection alerts. Assigning owners and due dates, as well as managing onboarding status, can be done from the dashboard without leaving the AKS cluster view in the Azure portal.
  • Onboarding of individual AKS clusters in Microsoft Defender for Cloud since May 2025
    Microsoft Defender for Cloud now supports, in public preview, onboarding of individual AKS clusters. Instead of having a pre-requisite for onboarding an entire subscription, Microsoft Defender for Cloud now allows for resource level onboarding for AKS clusters. This provides agentless and sensor-based alerts in AKS dashboard, sensor onboarding/offboarding, and cluster operator view of security findings within AKS portal.
  • [Public Preview] Agentless runtime vulnerability assessment for AKS-owned images (Microsoft Defender for Cloud) since May 2025
    Microsoft Defender for Cloud provides comprehensive runtime vulnerability assessment and guided remediation for vulnerable container images that are owned, maintained, and deployed by a cloud service, including those in Azure Kubernetes Service. Remediation may involve upgrading the AKS cluster version or reporting the issue to a specific service channel for vulnerabilities management. This new public preview capability allows users to distinguish AKS-owned images from customer-owned images, provides visibility into any CVEs in the AKS image, and provides recommendations on the AKS version or release containing the fixes for the vulnerabilities.

  • Announcing Azure Command Launcher for Java in AKS since June 2025
    Announcing the private preview of jaz, a new JVM launcher optimized specifically for Azure. This tool provides better default ergonomics for Java applications running in containers and virtual machines, ensuring more efficient use of resources right from the start. By setting JVM parameters tailored for cloud deployments, jaz reduces wasted memory and CPU cycles, improves first-deploy performance, and enhances cost efficiency. This is ideal for developers who want better JVM defaults without diving deep into JVM tuning guides while developing and deploying cloud-native microservices.
    Key Features:
    • Automatically benefits from battle-tested defaults for cloud-native and container workloads;
    • Optimizes resource utilization by setting JVM parameters tailored for cloud deployments;
    • Improves likelihood of first-deploy performance and cost efficiency.
      To request access, submit your interest and participants will receive access to download the software. For more details on how to submit request, read the full announcement.
  • Azure Backup for AKS now supports Azure Files share-based persistent volumes since April 2025
    With this new capability, customers can now enable snapshot-based backups for AKS applications using both Azure Disks and Azure file shares as persistent storage — expanding protection coverage for stateful workloads on AKS. What’s New:
    • Backup Support for Azure file shares used as Persistent Volumes in AKS;
    • Support for SMB-type Azure file shares, enabling protection for a wider range of applications;
    • Snapshot-based backups for workloads using Azure Disks and Azure file shares;
    • Instant backup and restore experience with retention support up to 30 days.
      Customers interested in trying out this feature can sign up for the Private Preview here. Start safeguarding your AKS workloads with confidence — no matter the storage choice.