diff --git a/azure/images/versions.tf b/azure/images/versions.tf
index 9355745..7fa8ab9 100644
--- a/azure/images/versions.tf
+++ b/azure/images/versions.tf
@@ -3,7 +3,7 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "3.6.0"
+ version = "3.7.0"
 }
 }
 }
diff --git a/azure/init/versions.tf b/azure/init/versions.tf
index 9355745..7fa8ab9 100644
--- a/azure/init/versions.tf
+++ b/azure/init/versions.tf
@@ -3,7 +3,7 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "3.6.0"
+ version = "3.7.0"
 }
 }
 }
diff --git a/azure/instances-controlplane.tf b/azure/instances-controlplane.tf
index 37ef2cf..027acc0 100644
--- a/azure/instances-controlplane.tf
+++ b/azure/instances-controlplane.tf
@@ -6,7 +6,7 @@ resource "azurerm_availability_set" "controlplane" {
 resource_group_name = local.resource_group
 platform_update_domain_count = 1
- platform_fault_domain_count = 1
+ platform_fault_domain_count = 2
 tags = merge(var.tags, { type = "infra" })
 }
diff --git a/azure/instances-werker.tf b/azure/instances-werker.tf
index ff9d2e1..48bf10b 100644
--- a/azure/instances-werker.tf
+++ b/azure/instances-werker.tf
@@ -51,8 +51,8 @@ resource "azurerm_linux_virtual_machine_scale_set" "worker" {
 os_disk {
 caching = "ReadOnly"
- storage_account_type = "StandardSSD_LRS"
- disk_size_gb = lookup(try(var.instances[each.key], {}), "worker_os_ephemeral", false) ? null : 50
+ storage_account_type = lookup(try(var.instances[each.key], {}), "worker_os_ephemeral", false) ? "Standard_LRS" : "StandardSSD_LRS"
+ disk_size_gb = lookup(try(var.instances[each.key], {}), "worker_os_ephemeral", false) ? 50 : 50
 dynamic "diff_disk_settings" {
 for_each = lookup(try(var.instances[each.key], {}), "worker_os_ephemeral", false) ? ["Local"] : []
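Review bot: Changing `platform_fault_domain_count` from 1 to 2 on `azurerm_availability_set.controlplane` is, as far as I know, something the provider can only apply by replacing the availability set, which would in turn replace the control-plane VMs attached to it; the plan output should be checked before this is applied to a live cluster. `platform_update_domain_count = 1` is left as it was, so all control-plane nodes still share one update domain and planned host maintenance can presumably reboot them together. A comment on the new line would help, for example `# 2 fault domains so etcd members do not share a rack; changing this recreates the set`. The resource block starts outside the hunk.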
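Review bot: In the `os_disk` block of `azurerm_linux_virtual_machine_scale_set.worker`, the new `disk_size_gb` line ends in `? 50 : 50`, so both branches give the same value and the condition is dead; it should read `disk_size_gb = 50`. If the ephemeral case is meant to have a different size, that value is missing here. The second hunk of this file removes `os_disk` from `ignore_changes`, so these settings will presumably start to show up as changes on existing scale sets at the next plan. The `os_disk` block continues outside the hunk.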
@@ -83,6 +83,6 @@ resource "azurerm_linux_virtual_machine_scale_set" "worker" {
 boot_diagnostics {}
 lifecycle {
- ignore_changes = [instances, admin_username, admin_ssh_key, os_disk, source_image_id]
+ ignore_changes = [instances, admin_username, admin_ssh_key, source_image_id]
 }
 }
diff --git a/azure/modules/controlplane/main.tf b/azure/modules/controlplane/main.tf
index 4ca16dc..68aebc8 100644
--- a/azure/modules/controlplane/main.tf
+++ b/azure/modules/controlplane/main.tf
@@ -81,7 +81,6 @@ resource "azurerm_linux_virtual_machine" "controlplane" {
 computer_name = "controlplane-${lower(var.region)}-${1 + count.index}"
 resource_group_name = var.instance_resource_group
 location = var.region
- extensions_time_budget = "PT1H30M"
 size = var.instance_type
 allow_extension_operations = false
 provision_vm_agent = false
@@ -155,7 +154,7 @@ resource "local_file" "controlplane" {
 try(azurerm_public_ip.controlplane_v6[count.index].ip_address, ""),
 ])
 ipAliases = compact([var.instance_params["lbv4"], var.instance_params["lbv6"]])
- nodeSubnets = [var.network_internal.cidr[0], "!${var.instance_params["lbv4"]}"]
+ nodeSubnets = [cidrsubnet(var.network_internal.cidr[0], 1, 0), "!${var.instance_params["lbv4"]}"]
 })
 )
 filename = "_cfgs/controlplane-${lower(var.region)}-${1 + count.index}.yaml"
diff --git a/azure/modules/controlplane/outputs.tf b/azure/modules/controlplane/outputs.tf
index 6ec367b..2aa140b 100644
--- a/azure/modules/controlplane/outputs.tf
+++ b/azure/modules/controlplane/outputs.tf
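Review bot: In the `local_file.controlplane` hunk of `azure/modules/controlplane/main.tf`, `cidrsubnet(var.network_internal.cidr[0], 1, 0)` narrows `nodeSubnets[0]` to the lower half of the internal network without any comment saying why. The `controlplane.yaml.tpl` hunk later in this commit feeds the same list element into `etcd: subnet:`, so a control-plane address from the upper half would presumably match neither the node-IP filter nor the etcd subnet. If the split is intentional, say so next to the line, for example `# lower half of the internal CIDR holds control-plane NICs; also rendered as the etcd subnet in controlplane.yaml.tpl`. Passing the etcd subnet as its own named template variable would also avoid depending on list position. The `templatefile` call starts outside the hunk.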
@@ -7,6 +7,8 @@ output "controlplane_endpoints" {
 output "controlplane_bootstrap" {
 description = "Kubernetes controlplane bootstrap command"
- value = var.instance_count > 0 ? "talosctl apply-config --insecure --nodes ${try([for ip in azurerm_public_ip.controlplane_v4 : ip.ip_address], [""])[0]} --file _cfgs/controlplane-${lower(var.region)}-1.yaml" : ""
- depends_on = [azurerm_linux_virtual_machine.controlplane]
+ value = var.instance_count > 0 ? try([
+ for n, ip in azurerm_public_ip.controlplane_v4 : "talosctl apply-config --insecure --nodes ${ip.ip_address} --file _cfgs/controlplane-${lower(var.region)}-${n + 1}.yaml" if ip.ip_address != ""
+ ]) : []
+ depends_on = [azurerm_linux_virtual_machine.controlplane]
 }
diff --git a/azure/modules/controlplane/versions.tf b/azure/modules/controlplane/versions.tf
index 9355745..7fa8ab9 100644
--- a/azure/modules/controlplane/versions.tf
+++ b/azure/modules/controlplane/versions.tf
@@ -3,7 +3,7 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "3.6.0"
+ version = "3.7.0"
 }
 }
 }
diff --git a/azure/prepare/outputs.tf b/azure/prepare/outputs.tf
index 62598f8..c8905a5 100644
--- a/azure/prepare/outputs.tf
+++ b/azure/prepare/outputs.tf
@@ -18,6 +18,7 @@ output "network" {
 description = "The network"
 value = { for zone, net in azurerm_virtual_network.main : zone => {
 name = net.name
+ nat = try(azurerm_public_ip.nat[zone].ip_address, "")
 } } }
diff --git a/azure/prepare/secgroup-controlplane.tf b/azure/prepare/secgroup-controlplane.tf
index 2fd9495..b953f6b 100644
--- a/azure/prepare/secgroup-controlplane.tf
+++ b/azure/prepare/secgroup-controlplane.tf
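Review bot: The `controlplane_bootstrap` output now renders one `talosctl apply-config --insecure` command per public IPv4 address, so every control-plane machine config, which typically carries cluster secrets, is pushed to an internet-facing address over a channel that does not authenticate the peer. The description should state that limit, for example `description = "Kubernetes controlplane bootstrap commands, one per node; --insecure is only valid while the node is still in maintenance mode"`. Separately, `try([...])` is called with a single argument and therefore has no fallback, so it can be dropped or given a second argument such as `[]`. The output type also changes from a string to a list, which any consumer of the old value will need to follow.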
@@ -30,22 +30,22 @@ resource "azurerm_network_security_group" "controlplane" {
 protocol = "Tcp"
 source_port_range = "*"
 source_address_prefix = security_rule.value
- destination_port_ranges = ["6443", "50000-50001", "22"]
+ destination_port_ranges = ["6443", "50000-50001"]
 destination_address_prefix = "*"
 }
 }
- security_rule {
- name = "etcd"
- priority = 1550
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_range = "*"
- source_address_prefix = "*"
- destination_port_range = "2379-2380"
- destination_address_prefix = "*"
- }
+ # security_rule {
+ # name = "etcd"
+ # priority = 1550
+ # direction = "Inbound"
+ # access = "Allow"
+ # protocol = "Tcp"
+ # source_port_range = "*"
+ # source_address_prefix = "*"
+ # destination_port_range = "2379-2380"
+ # destination_address_prefix = "*"
+ # }
 tags = merge(var.tags, { type = "infra" })
 }
diff --git a/azure/prepare/versions.tf b/azure/prepare/versions.tf
index 9355745..7fa8ab9 100644
--- a/azure/prepare/versions.tf
+++ b/azure/prepare/versions.tf
@@ -3,7 +3,7 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "3.6.0"
+ version = "3.7.0"
 }
 }
 }
diff --git a/azure/templates/controlplane.yaml.tpl b/azure/templates/controlplane.yaml.tpl
index 240827a..c1c8fd5 100644
--- a/azure/templates/controlplane.yaml.tpl
+++ b/azure/templates/controlplane.yaml.tpl
@@ -51,7 +51,8 @@ cluster:
 node-cidr-mask-size-ipv4: 24
 node-cidr-mask-size-ipv6: 112
 scheduler: {}
- etcd: {}
+ etcd:
+ subnet: ${nodeSubnets[0]}
 inlineManifests:
 - name: azure-cloud-controller-config
 contents: |-
diff --git a/azure/versions.tf b/azure/versions.tf
index 9355745..7fa8ab9 100644
--- a/azure/versions.tf
+++ b/azure/versions.tf
@@ -3,7 +3,7 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "3.6.0"
+ version = "3.7.0"
 }
 }
 }
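Review bot: In `azurerm_network_security_group.controlplane`, the `etcd` rule is commented out rather than deleted, which leaves a block with `source_address_prefix = "*"` on ports 2379-2380 one uncomment away from returning. Delete the block, or replace it with a single line such as `# etcd 2379-2380 is intentionally not opened here; peers talk inside the virtual network`. If an explicit rule is ever needed again, it should carry a restricted source, for example `source_address_prefix = "VirtualNetwork"`. If any control-plane nodes peer etcd across virtual networks over public addresses, this removal would cut them off; the hunk does not show whether that case exists. The dynamic `security_rule` block above it starts outside the hunk.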