Azure: Zone-redundant NAT Gateway and 400-Gigabit ExpressRoute
Microsoft is expanding Azure Networking with zone-redundant NAT Gateway V2 and announcing 400-Gigabit ExpressRoute for 2026. New security features are also included.
Microsoft has announced a series of innovations for Azure Networking, primarily aimed at enterprise customers with AI and cloud-native workloads. The focus is on the Standard NAT Gateway V2, which offers a zone-redundant architecture at no extra cost in public preview. The gateway automatically distributes traffic to available zones if a single zone fails, and it achieves a throughput of up to 100 gigabits per second and 10 million packets per second. IPv6 support and detailed flow logs are directly integrated.
The background to the updates is a large-scale expansion of Azure's network infrastructure. Microsoft has tripled its total capacity since the end of fiscal year 2024, now reaching 18 petabits per second. According to TechWiese, the global backbone comprises over 60 AI regions and more than 500,000 miles of fiber optics. The architecture combines InfiniBand and high-speed Ethernet, optimized for long-lasting high-bandwidth flows in training large AI models and latency-critical GPU clusters. Distributed GPU pools across multiple regions utilize a dedicated AI WAN with private connections via Azure Private Link.
In terms of security features, Microsoft has moved several services to general availability or preview. DNS Security Policy with Threat Intelligence is now generally available and protects against known malicious domains through continuously updated threat intelligence feeds. Private Link Direct Connect, in public preview, extends private connectivity to any routable private IP address – including for SaaS providers outside of Azure. The Application Gateway receives native JWT validation at Layer 7, moving token verification from the backend to the gateway and reducing latency and complexity. Forced Tunneling for Virtual WAN Secure Hubs enables the enforcement of security controls for outbound internet traffic through central firewalls or network virtual appliances.
400-Gigabit ExpressRoute from 2026
For AI workloads and large enterprise networks, Microsoft is announcing significant scaling improvements. Starting in 2026, Azure ExpressRoute Direct will support 400-gigabit ports, which can be bundled into multi-terabit connections. The VPN Gateway now reaches up to 20 gigabits per second total throughput and 5 gigabits per second per TCP flow. Private Link is expanding to up to 5,000 private endpoints per virtual network and 20,000 across peered VNets – a significant increase compared to previous limits.
Additionally, Microsoft is introducing more precise traffic filtering in Network Watcher to optimize analysis and storage costs. Administrators can now filter more precisely which network data is captured and stored. The maximum number of private endpoints per subnet is also increasing, enabling larger architectures with many microservices.
Container Networking for AKS Improved
For containerized workloads on Azure Kubernetes Service (AKS), Microsoft is bringing several optimizations. eBPF Host Routing accelerates data traffic directly in the Linux kernel, reducing latency for container applications. The flexible extension of Pod CIDRs in Azure CNI Overlay allows for larger Kubernetes deployments without needing to re-provision the cluster. The Web Application Firewall for Application Gateway for Containers is generally available and provides unified protection across all environments. Azure Bastion also facilitates secure, isolated access to private AKS clusters and aims to reduce setup effort.
The availability of the features is staggered: while DNS Security Policy and the WAF for Containers are already generally available, NAT Gateway V2, Private Link Direct Connect, and Forced Tunneling for Virtual WAN are still in public preview. The 400-gigabit support for ExpressRoute Direct is announced for 2026. Detailed information can be found in the Azure Networking Blog.
(fo)