+ > [!NOTE]

+ > [!NOTE]

+ $tenantId = $context.Tenant.Id

+ $clientId = $app.ApplicationId

+ $clientSecret = "<YOUR_PASSWORD>"

+ $resourceUrl = "https://cognitiveservices.azure.com/"

+ $tokenEndpoint = "https://login.microsoftonline.com/$tenantId/oauth2/token"

+ $body = @{

+ grant_type = "client_credentials"

+ client_id = $clientId

+ client_secret = $clientSecret

+ resource = $resourceUrl

+ }

+

+ $responseToken = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $body

+ $accessToken = $responseToken.access_token

+ ```

+ > [!NOTE]

+ > Anytime you use passwords in a script, the most secure option is to use the PowerShell Secrets Management module and integrate with a solution such as Azure KeyVault.

+

+ $result = Invoke-RestMethod -Uri $url -Method Get -Headers @{"Authorization"="Bearer $accessToken"} -Verbose

+- [PersonDirectory Person APIs](https://westus.dev.cognitive.microsoft.com/docs/services/face-v1-0-preview/operations/5f06637aad1c4fba7238de25)

+- [PersonDirectory DynamicPersonGroup APIs](https://westus.dev.cognitive.microsoft.com/docs/services/face-v1-0-preview/operations/5f066b475d2e298611e11115)

+# Using SDK targeting 2023-10-31-preview, make sure your resource is in one of these regions: East US, West US2, West Europe

+* Complete a [Document Intelligence quickstart](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true) and get started creating a document processing app in the development language of your choice.

+> * There are no breaking changes to application programming interfaces (APIs) or SDKs prior to and including v3.1. Starting from v4.0, APIs and SDKs are updated to Document Intelligence.

+ [**Layout**](#layout) | Extract text, tables, </br>and document structure.

+ :::image type="icon" source="media/overview/icon-general-document.png" link="#general-document-deprecated-in-2023-10-31-preview":::</br>

+ [**General document**](#general-document-deprecated-in-2023-10-31-preview) | Extract text, </br>structure, and key-value pairs.

+Document Intelligence supports optional features that can be enabled and disabled depending on the document extraction scenario. The following add-on capabilities are available for `2023-07-31 (GA)` and later releases:

+Document Intelligence supports optional features that can be enabled and disabled depending on the document extraction scenario. The following add-on capabilities are available for `2023-10-31-preview` and later releases:

+|prebuilt-layout|Γ£ô|Γ£ô|Γ£ô|Γ£ô|Γ£ô|O|O|O| |O|O|O|Γ£ô|

+### General document (deprecated in 2023-10-31-preview)

+|[**prebuilt-document**](concept-general-document.md)|&#9679; Extract **text,layout, and key-value pairs** from documents.</br>&#9679; [Data and field extraction](concept-general-document.md#data-extraction)|&#9679; Key-value pair extraction.</br>&#9679; Form processing.</br>&#9679; Survey data collection and analysis.|&#9679; [**Document Intelligence Studio**](https://formrecognizer.appliedai.azure.com/studio/document)</br>&#9679; [**REST API**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.1.0&preserve-view=true)|

+|[**prebuilt-invoice**](concept-invoice.md) |&#9679; Extract key information from invoices.</br>&#9679; [Data and field extraction](concept-invoice.md#field-extraction) |&#9679; Accounts payable processing.</br>&#9679; Automated tax recording and reporting. |&#9679; [**Document Intelligence Studio**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=invoice)</br>&#9679; [**REST API**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true&pivots=programming-language-rest-api#analyze-document-post-request)</br>&#9679; [**C# SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#prebuilt-model)</br>&#9679; [**Python SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#prebuilt-model)</br>&#9679; [**Java SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#prebuilt-model)</br>&#9679; [**JavaScript**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#prebuilt-model)|

+|[**prebuilt-receipt**](concept-receipt.md) |&#9679; Extract key information from receipts.</br>&#9679; [Data and field extraction](concept-receipt.md#field-extraction)</br>&#9679; Receipt model v3.0 supports processing of **single-page hotel receipts**.|&#9679; Expense management.</br>&#9679; Consumer behavior data analysis.</br>&#9679; Customer loyalty program.</br>&#9679; Merchandise return processing.</br>&#9679; Automated tax recording and reporting. |&#9679; [**Document Intelligence Studio**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=receipt)</br>&#9679; [**REST API**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true&pivots=programming-language-rest-api#analyze-document-post-request)</br>&#9679; [**C# SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#prebuilt-model)</br>&#9679; [**Python SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#prebuilt-model)</br>&#9679; [**Java SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#prebuilt-model)</br>&#9679; [**JavaScript**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#prebuilt-model)|

+|[**prebuilt-idDocument**](concept-id-document.md) |&#9679; Extract key information from passports and ID cards.</br>&#9679; [Document types](concept-id-document.md#supported-document-types)</br>&#9679; Extract endorsements, restrictions, and vehicle classifications from US driver's licenses. |&#9679; Know your customer (KYC) financial services guidelines compliance.</br>&#9679; Medical account management.</br>&#9679; Identity checkpoints and gateways.</br>&#9679; Hotel registration. |&#9679; [**Document Intelligence Studio**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=idDocument)</br>&#9679; [**REST API**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true&pivots=programming-language-rest-api#analyze-document-post-request)</br>&#9679; [**C# SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#prebuilt-model)</br>&#9679; [**Python SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#prebuilt-model)</br>&#9679; [**Java SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#prebuilt-model)</br>&#9679; [**JavaScript**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#prebuilt-model)|

+| [**prebuilt-healthInsuranceCard.us**](concept-health-insurance-card.md)|&#9679; Extract key information from US health insurance cards.</br>&#9679; [Data and field extraction](concept-health-insurance-card.md#field-extraction)|&#9679; Coverage and eligibility verification. </br>&#9679; Predictive modeling.</br>&#9679; Value-based analytics.|&#9679; [**Document Intelligence Studio**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=healthInsuranceCard.us)</br>&#9679; [**REST API**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true&pivots=programming-language-rest-api#analyze-document-post-request)</br>&#9679; [**C# SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#prebuilt-model)</br>&#9679; [**Python SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#prebuilt-model)</br>&#9679; [**Java SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#prebuilt-model)</br>&#9679; [**JavaScript**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#prebuilt-model)|

+|**prebuilt-contract**|Extract contract agreement and party details.|&#9679; [**Document Intelligence Studio**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=contract)</br>&#9679; [**REST API**](/rest/api/aiservices/document-models/analyze-document?view=rest-aiservices-2023-07-31&preserve-view=true&tabs=HTTP)|

+|[**prebuilt-tax.us.W-2**](concept-w2.md) |&#9679; Extract key information from IRS US W2 tax forms (year 2018-2021).</br>&#9679; [Data and field extraction](concept-w2.md#field-extraction)|&#9679; Automated tax document management.</br>&#9679; Mortgage loan application processing. |&#9679; [**Document Intelligence Studio**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=tax.us.w2)</br>&#9679; [**REST API**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true&pivots=programming-language-rest-api#analyze-document-post-request)</br>&#9679; [**C# SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#prebuilt-model)</br>&#9679; [**Python SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#prebuilt-model)</br>&#9679; [**Java SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#prebuilt-model)</br>&#9679; [**JavaScript**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#prebuilt-model) |

+|**prebuilt-tax.us.1098**|Extract mortgage interest information and details.|&#9679; [**Document Intelligence Studio**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=tax.us.1098)</br>&#9679; [**REST API**](/rest/api/aiservices/document-models/analyze-document?view=rest-aiservices-2023-07-31&preserve-view=true&tabs=HTTP)|

+|**prebuilt-tax.us.1098E**|Extract student loan information and details.|&#9679; [**Document Intelligence Studio**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=tax.us.1098E)</br>&#9679; [**REST API**](/rest/api/aiservices/document-models/analyze-document?view=rest-aiservices-2023-07-31&preserve-view=true&tabs=HTTP)|

+|**prebuilt-tax.us.1098T**|Extract tuition information and details.|&#9679; [**Document Intelligence Studio**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=tax.us.1098T)</br>&#9679; [**REST API**](/rest/api/aiservices/document-models/analyze-document?view=rest-aiservices-2023-07-31&preserve-view=true&tabs=HTTP)|

+|**prebuilt-tax.us.1099(Variations)**|Extract information from 1099 form variations.|&#9679; [**Document Intelligence Studio**](https://formrecognizer.appliedai.azure.com/studio)</br>&#9679; [**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services?pattern=intelligence)|

+|[**prebuilt-businessCard**](concept-business-card.md) |&#9679; Extract key information from business cards.</br>&#9679; [Data and field extraction](concept-business-card.md#field-extractions) |&#9679; Sales lead and marketing management. |&#9679; [**Document Intelligence Studio**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=businessCard)</br>&#9679; [**REST API**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true&pivots=programming-language-rest-api#analyze-document-post-request)</br>&#9679; [**C# SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#prebuilt-model)</br>&#9679; [**Python SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#prebuilt-model)</br>&#9679; [**Java SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#prebuilt-model)</br>&#9679; [**JavaScript**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#prebuilt-model)|

+|[**Custom model**](concept-custom.md) | Extracts information from forms and documents into structured data based on a model created from a set of representative training document sets.|Extract distinct data from forms and documents specific to your business and use cases.|&#9679; [**Document Intelligence Studio**](https://formrecognizer.appliedai.azure.com/studio/custommodel/projects)</br>&#9679; [**REST API**](/rest/api/aiservices/document-models/build-model?view=rest-aiservices-2023-07-31&preserve-view=true&tabs=HTTP)</br>&#9679; [**C# SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true)</br>&#9679; [**Java SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true)</br>&#9679; [**JavaScript SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true)</br>&#9679; [**Python SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true)|

+|[**Custom Template model**](concept-custom-template.md) | The custom template model extracts labeled values and fields from structured and semi-structured documents.</br> | Extract key data from highly structured documents with defined visual templates or common visual layouts, forms.| &#9679; [**Document Intelligence Studio**](https://formrecognizer.appliedai.azure.com/studio/custommodel/projects)</br>&#9679; [**REST API**](/rest/api/aiservices/document-models/build-model?view=rest-aiservices-2023-07-31&preserve-view=true&tabs=HTTP)</br>&#9679; [**C# SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true)</br>&#9679; [**Python SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true)</br>&#9679; [**Java SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true)</br>&#9679; [**JavaScript SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true)|

+|[**Custom Neural model**](concept-custom-neural.md)| The custom neural model is used to extract labeled data from structured (surveys, questionnaires), semi-structured (invoices, purchase orders), and unstructured documents (contracts, letters).|Extract text data, checkboxes, and tabular fields from structured and unstructured documents.|[**Document Intelligence Studio**](https://formrecognizer.appliedai.azure.com/studio/custommodel/projects)</br>&#9679; [**REST API**](/rest/api/aiservices/document-models/build-model?view=rest-aiservices-2023-07-31&preserve-view=true&tabs=HTTP)</br>&#9679; [**C# SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true)</br>&#9679; [**Java SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true)</br>&#9679; [**JavaScript SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true)</br>&#9679; [**Python SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true)|

+|[**Composed custom models**](concept-composed-models.md)| A composed model is created by taking a collection of custom models and assigning them to a single model built from your form types.| Useful when you train several models and want to group them to analyze similar form types like purchase orders.|&#9679; [**Document Intelligence Studio**](https://formrecognizer.appliedai.azure.com/studio/custommodel/projects)</br>&#9679; [**REST API**](/rest/api/aiservices/document-models/compose-model?view=rest-aiservices-2023-07-31&preserve-view=true&tabs=HTTP)</br>&#9679; [**C# SDK**](/dotnet/api/azure.ai.formrecognizer.training.formtrainingclient.startcreatecomposedmodel)</br>&#9679; [**Java SDK**](/jav?view=doc-intel-3.0.0&preserve-view=true)|

+|[**Composed classification model**](concept-custom-classifier.md)| Custom classification models combine layout and language features to detect, identify, and classify documents within an input file.|&#9679; A loan application packaged containing application form, payslip, and, bank statement.</br>&#9679; A collection of scanned invoices. |&#9679; [Document Intelligence Studio](https://formrecognizer.appliedai.azure.com/studio/custommodel/projects)</br>&#9679; [REST API](/rest/api/aiservices/document-classifiers/build-classifier?view=rest-aiservices-2023-07-31&preserve-view=true&tabs=HTTP)</br>|

+| **Prebuilt models** | &#9679; [**Invoice model**](concept-invoice.md?view=doc-intel-2.1.0&preserve-view=true)</br>&#9679; [**Receipt model**](concept-receipt.md?view=doc-intel-2.1.0&preserve-view=true) </br>&#9679; [**Identity document (ID) model**](concept-id-document.md?view=doc-intel-2.1.0&preserve-view=true) </br>&#9679; [**Business card model**](concept-business-card.md?view=doc-intel-2.1.0&preserve-view=true) </br>|

+ Title: Azure OpenAI Service API version retirement

+description: Learn more about API version retirement in Azure OpenAI Services

+recommendations: false

+# Azure OpenAI API preview lifecycle

+This article is to help you understand the support lifecycle for the Azure OpenAI API previews.

+## Latest preview API release

+Azure OpenAI API version 2023-12-01-preview is currently the latest preview release.

+This version contains support for all the latest Azure OpenAI features including:

+- [Fine-tuning](./how-to/fine-tuning.md) `gpt-35-turbo`, `babbage-002`, and `davinci-002` models.[**Added in 2023-10-01-preview**]

+- [Whisper](./whisper-quickstart.md). [**Added in 2023-09-01-preview**]

+- [Function calling](./how-to/function-calling.md) [**Added in 2023-07-01-preview**]

+- [DALL-E](./dall-e-quickstart.md) [**Added in 2023-06-01-preview**]

+- [Retrieval augmented generation with the on your data feature](./use-your-data-quickstart.md). [**Added in 2023-06-01-preview**]

+## Retiring soon

+On April 2, 2024 the following API preview releases will be retired and will stop accepting API requests:

+- 2023-03-15-preview

+- 2023-06-01-preview

+- 2023-07-01-preview

+- 2023-08-01-preview

+To avoid service disruptions, you must update to use the latest preview version prior to the retirement date.

+## Updating API versions

+We recommend first testing the upgrade to new API versions to confirm there is no impact to your application from the API update prior to making the change globally across your environment.

+If you are using the OpenAI Python client library or the REST API, you will need to update your code directly to the latest preview API version.

+If you are using one of the Azure OpenAI SDKs for C#, Go, Java, or JavaScript you will instead need to update to the latest version of the SDK. Each SDK release is hardcoded to work with specific versions of the Azure OpenAI API.

+## Next steps

+- [Learn more about Azure OpenAI](overview.md)

+- [Learn about working with Azure OpenAI models](./how-to/working-with-models.md)

+## Streaming

+Azure OpenAI Service includes a content filtering system that works alongside core models. The following section describes the AOAI streaming experience and options in the context of content filters.

+### Default

+The content filtering system is integrated and enabled by default for all customers. In the default streaming scenario, completion content is buffered, the content filtering system runs on the buffered content, and ΓÇô depending on content filtering configuration ΓÇô content is either returned to the user if it does not violate the content filtering policy (Microsoft default or custom user configuration), or itΓÇÖs immediately blocked which returns a content filtering error, without returning harmful completion content. This process is repeated until the end of the stream. Content was fully vetted according to the content filtering policy before returned to the user. Content is not returned token-by-token in this case, but in ΓÇ£content chunksΓÇ¥ of the respective buffer size.

+### Asynchronous modified filter

+Customers who have been approved for modified content filters can choose Asynchronous Modified Filter as an additional option, providing a new streaming experience. In this case, content filters are run asynchronously, completion content is returned immediately with a smooth token-by-token streaming experience. No content is buffered, the content filters run asynchronously, which allows for zero latency in this context.

+> [!NOTE]

+> Customers must be aware that while the feature improves latency, it can bring a trade-off in terms of the safety and real-time vetting of smaller sections of model output. Because content filters are run asynchronously, content moderation messages and the content filtering signal in case of a policy violation are delayed, which means some sections of harmful content that would otherwise have been filtered immediately could be displayed to the user.

+

+**Annotations**: Annotations and content moderation messages are continuously returned during the stream. We strongly recommend to consume annotations and implement additional AI content safety mechanisms, such as redacting content or returning additional safety information to the user.

+**Content filtering signal**: The content filtering error signal is delayed; in case of a policy violation, itΓÇÖs returned as soon as itΓÇÖs available, and the stream is stopped. The content filtering signal is guaranteed within ~1,000-character windows in case of a policy violation.

+Approval for Modified Content Filtering is required for access to Streaming ΓÇô Asynchronous Modified Filter. The application can be found [here](https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR7en2Ais5pxKtso_Pz4b1_xURE01NDY1OUhBRzQ3MkQxMUhZSE1ZUlJKTiQlQCN0PWcu). To enable it via Azure OpenAI Studio please follow the instructions [here](/azure/ai-services/openai/how-to/content-filters) to create a new content filtering configuration, and select ΓÇ£Asynchronous Modified FilterΓÇ¥ in the Streaming section, as shown in the below screenshot.

+### Overview

+| Category | Streaming - Default | Streaming - Asynchronous Modified Filter |

+||||

+|Status |GA |Public Preview |

+| Access | Enabled by default, no action needed |Customers approved for Modified Content Filtering can configure directly via Azure OpenAI Studio (as part of a content filtering configuration; applied on deployment-level) |

+| Eligibility |All customers |Customers approved for Modified Content Filtering |

+|Modality and Availability |Text; all GPT-models |Text; all GPT-models except gpt-4-vision |

+|Streaming experience |Content is buffered and returned in chunks |Zero latency (no buffering, filters run asynchronously) |

+|Content filtering signal |Immediate filtering signal |Delayed filtering signal (in up to ~1,000 char increments) |

+|Content filtering configurations |Supports default and any customer-defined filter setting (including optional models) |Supports default and any customer-defined filter setting (including optional models) |

+### Annotations and sample response stream

+#### Prompt annotation message

+This is the same as default annotations.

+```json

+data: {

+ "id": "",

+ "object": "",

+ "created": 0,

+ "model": "",

+ "prompt_filter_results": [

+ {

+ "prompt_index": 0,

+ "content_filter_results": { ... }

+ }

+ ],

+ "choices": [],

+ "usage": null

+}

+```

+#### Completion token message

+Completion messages are forwarded immediately. No moderation is performed first, and no annotations are provided initially.

+```json

+data: {

+ "id": "chatcmpl-7rAJvsS1QQCDuZYDDdQuMJVMV3x3N",

+ "object": "chat.completion.chunk",

+ "created": 1692905411,

+ "model": "gpt-35-turbo",

+ "choices": [

+ {

+ "index": 0,

+ "finish_reason": null,

+ "delta": {

+ "content": "Color"

+ }

+ }

+ ],

+ "usage": null

+}

+```

+#### Annotation message

+The text field will always be an empty string, indicating no new tokens. Annotations will only be relevant to already-sent tokens. There may be multiple Annotation Messages referring to the same tokens.

+ΓÇ£start_offsetΓÇ¥ and ΓÇ£end_offsetΓÇ¥ are low-granularity offsets in text (with 0 at beginning of prompt) which the annotation is relevant to.

+ΓÇ£check_offsetΓÇ¥ represents how much text has been fully moderated. It is an exclusive lower bound on the end_offsets of future annotations. It is nondecreasing.

+```json

+data: {

+ "id": "",

+ "object": "",

+ "created": 0,

+ "model": "",

+ "choices": [

+ {

+ "index": 0,

+ "finish_reason": null,

+ "content_filter_results": { ... },

+ "content_filter_raw": [ ... ],

+ "content_filter_offsets": {

+ "check_offset": 44,

+ "start_offset": 44,

+ "end_offset": 198

+ }

+ }

+ ],

+ "usage": null

+}

+```

+### Sample response stream

+Below is a real chat completion response using Asynchronous Modified Filter. Note how prompt annotations are not changed; completion tokens are sent without annotations; and new annotation messages are sent without tokens, instead associated with certain content filter offsets.

+`{"temperature": 0, "frequency_penalty": 0, "presence_penalty": 1.0, "top_p": 1.0, "max_tokens": 800, "messages": [{"role": "user", "content": "What is color?"}], "stream": true}`

+```

+data: {"id":"","object":"","created":0,"model":"","prompt_annotations":[{"prompt_index":0,"content_filter_results":{"hate":{"filtered":false,"severity":"safe"},"self_harm":{"filtered":false,"severity":"safe"},"sexual":{"filtered":false,"severity":"safe"},"violence":{"filtered":false,"severity":"safe"}}}],"choices":[],"usage":null}

+data: {"id":"chatcmpl-7rCNsVeZy0PGnX3H6jK8STps5nZUY","object":"chat.completion.chunk","created":1692913344,"model":"gpt-35-turbo","choices":[{"index":0,"finish_reason":null,"delta":{"role":"assistant"}}],"usage":null}

+data: {"id":"chatcmpl-7rCNsVeZy0PGnX3H6jK8STps5nZUY","object":"chat.completion.chunk","created":1692913344,"model":"gpt-35-turbo","choices":[{"index":0,"finish_reason":null,"delta":{"content":"Color"}}],"usage":null}

+data: {"id":"chatcmpl-7rCNsVeZy0PGnX3H6jK8STps5nZUY","object":"chat.completion.chunk","created":1692913344,"model":"gpt-35-turbo","choices":[{"index":0,"finish_reason":null,"delta":{"content":" is"}}],"usage":null}

+data: {"id":"chatcmpl-7rCNsVeZy0PGnX3H6jK8STps5nZUY","object":"chat.completion.chunk","created":1692913344,"model":"gpt-35-turbo","choices":[{"index":0,"finish_reason":null,"delta":{"content":" a"}}],"usage":null}

+...

+data: {"id":"","object":"","created":0,"model":"","choices":[{"index":0,"finish_reason":null,"content_filter_results":{"hate":{"filtered":false,"severity":"safe"},"self_harm":{"filtered":false,"severity":"safe"},"sexual":{"filtered":false,"severity":"safe"},"violence":{"filtered":false,"severity":"safe"}},"content_filter_offsets":{"check_offset":44,"start_offset":44,"end_offset":198}}],"usage":null}

+...

+data: {"id":"chatcmpl-7rCNsVeZy0PGnX3H6jK8STps5nZUY","object":"chat.completion.chunk","created":1692913344,"model":"gpt-35-turbo","choices":[{"index":0,"finish_reason":"stop","delta":{}}],"usage":null}

+data: {"id":"","object":"","created":0,"model":"","choices":[{"index":0,"finish_reason":null,"content_filter_results":{"hate":{"filtered":false,"severity":"safe"},"self_harm":{"filtered":false,"severity":"safe"},"sexual":{"filtered":false,"severity":"safe"},"violence":{"filtered":false,"severity":"safe"}},"content_filter_offsets":{"check_offset":506,"start_offset":44,"end_offset":571}}],"usage":null}

+data: [DONE]

+```

+### Sample response stream (blocking)

+`{"temperature": 0, "frequency_penalty": 0, "presence_penalty": 1.0, "top_p": 1.0, "max_tokens": 800, "messages": [{"role": "user", "content": "Tell me the lyrics to \"Hey Jude\"."}], "stream": true}`

+```

+data: {"id":"","object":"","created":0,"model":"","prompt_filter_results":[{"prompt_index":0,"content_filter_results":{"hate":{"filtered":false,"severity":"safe"},"self_harm":{"filtered":false,"severity":"safe"},"sexual":{"filtered":false,"severity":"safe"},"violence":{"filtered":false,"severity":"safe"}}}],"choices":[],"usage":null}

+data: {"id":"chatcmpl-8JCbt5d4luUIhYCI7YH4dQK7hnHx2","object":"chat.completion.chunk","created":1699587397,"model":"gpt-35-turbo","choices":[{"index":0,"finish_reason":null,"delta":{"role":"assistant"}}],"usage":null}

+data: {"id":"chatcmpl-8JCbt5d4luUIhYCI7YH4dQK7hnHx2","object":"chat.completion.chunk","created":1699587397,"model":"gpt-35-turbo","choices":[{"index":0,"finish_reason":null,"delta":{"content":"Hey"}}],"usage":null}

+data: {"id":"chatcmpl-8JCbt5d4luUIhYCI7YH4dQK7hnHx2","object":"chat.completion.chunk","created":1699587397,"model":"gpt-35-turbo","choices":[{"index":0,"finish_reason":null,"delta":{"content":" Jude"}}],"usage":null}

+data: {"id":"chatcmpl-8JCbt5d4luUIhYCI7YH4dQK7hnHx2","object":"chat.completion.chunk","created":1699587397,"model":"gpt-35-turbo","choices":[{"index":0,"finish_reason":null,"delta":{"content":","}}],"usage":null}

+...

+data: {"id":"chatcmpl-8JCbt5d4luUIhYCI7YH4dQK7hnHx2","object":"chat.completion.chunk","created":1699587397,"model":"gpt-35-

+turbo","choices":[{"index":0,"finish_reason":null,"delta":{"content":" better"}}],"usage":null}

+data: {"id":"","object":"","created":0,"model":"","choices":[{"index":0,"finish_reason":null,"content_filter_results":{"hate":{"filtered":false,"severity":"safe"},"self_harm":{"filtered":false,"severity":"safe"},"sexual":{"filtered":false,"severity":"safe"},"violence":{"filtered":false,"severity":"safe"}},"content_filter_offsets":{"check_offset":65,"start_offset":65,"end_offset":1056}}],"usage":null}

+data: {"id":"","object":"","created":0,"model":"","choices":[{"index":0,"finish_reason":"content_filter","content_filter_results":{"protected_material_text":{"detected":true,"filtered":true}},"content_filter_offsets":{"check_offset":65,"start_offset":65,"end_offset":1056}}],"usage":null}

+data: [DONE]

+```

+Give the model instructions about how it should behave and any context it should reference when generating a response. You can describe the assistant's personality, what it should and shouldn't answer, and how to format responses. There are token limits that apply to the system message, used with every API call, and counted against the overall token limit. The system message will be truncated if it exceeds the token limits listed in the [token estimation](#token-usage-estimation-for-azure-openai-on-your-data) section.

+import os

+ model= "text-embedding-ada-002" # model = "deployment_name".

+### Microsoft Entra ID authentication

+ <voice name='PhoenixV2Neural'>

+ > [!NOTE]

+ >

+ > * [Custom Translator Portal](https://portal.customtranslator.azure.ai/) access can only be enabled through a public network.

+ > * For information on how to use selected networks and private endpoints, see [Enable Custom Translator through Azure Virtual Network](enable-vnet-service-endpoint.md).

+For Azure OpenAI models such as GPT-4, Azure AI Studio provides AI safety filter during the deployment to ensure responsible use of AI. AI content safety filter allows moderation of harmful and sensitive contents to promote the safety of AI-enhanced applications. In addition to AI safety filter, Azure AI Studio offers model monitoring for deployed models. Model monitoring for LLMs uses the latest GPT language models to monitor and alert when the outputs of the model perform poorly against the set thresholds of generation safety and quality. For example, you can configure a monitor to evaluate how well the model's generated answers align with information from the input source ("groundedness") and closely match to a ground truth sentence or document ("similarity").

+Quota is managed per deployment. Each deployment has a rate limit of 200,000 tokens per minute and 1,000 API requests per minute. However, we currently limit one deployment per model per project. Contact Microsoft Azure Support if the current rate limits don't suffice your scenarios.

+> Monitoring requires the endpoint to be used at least 10 times to collect enough data to provide insights. If you'd like to test sooner, manually send about 50 rows in the 'test' tab before running the monitor.

+ResourceNotFound: Deployment failed due to timeout while waiting for Environment Image to become available. Check Environment Build Log in ML Studio Workspace or Workspace storage for potential failures. Image build summary: [N/A]. Environment info: Name: CliV2AnonymousEnvironment, Version: 'Ver', you might be able to find the build log under the storage account 'NAME' in the container 'CONTAINER_NAME' at the Path 'PATH/PATH/image_build_aggregate_log.txt'.

+ az aks show -g <resource-group> -n <cluster-name> --query addonProfiles.azureKeyvaultSecretsProvider.identity.objectId -o tsv

+ export IDENTITY_OBJECT_ID="$(az identity show -g <resource-group> --name <identity-name> --query 'principalId' -o tsv)"

+ az role assignment create --role "Key Vault Administrator" --assignee $IDENTITY_OBJECT_ID --scope $KEYVAULT_SCOPE

+ - port: 80

+ - port: 80

+ - port: 80

+ - port: 80

+ - hosts:

+ - host: demo.azure.com

+ Title: Azure Kubernetes Service (AKS) Free, Standard and Premium pricing tiers for cluster management

+# Free, Standard and Premium pricing tiers for Azure Kubernetes Service (AKS) cluster management

+- Create a resource group using the [az group create][az-group-create] command. The following example creates a resource group named *myResourceGroup* in the *eastus* location. Enter this command and other commands in this article into a BASH shell:

+- The cluster is configured with two nodes to ensure it operates reliably. A [node](../concepts-clusters-workloads.md#nodes-and-node-pools) is an Azure virtual machine (VM) that runs the Kubernetes node components and container runtime.

+To create the AKS cluster with Azure CLI, follow these steps:

+1. Create a username to use as administrator credentials for the Windows Server nodes on your cluster. The following commands prompt you for a username and set it to *WINDOWS_USERNAME* for use in a later command.

+1. Create a password for the administrator username you created in the previous step. The password must be a minimum of 14 characters and meet the [Windows Server password complexity requirements][windows-server-password].

+ After a few minutes, the command completes and returns JSON-formatted information about the cluster. Occasionally, the cluster can take longer than a few minutes to provision. Allow up to 10 minutes for provisioning.

+ If you get a password validation error, and the password that you set meets the length and complexity requirements, try creating your resource group in another region. Then try creating the cluster with the new resource group.

+ The administrator username can't be changed, but you can change the administrator password that your AKS cluster uses for Windows Server nodes using `az aks update`. For more information, see [Windows Server node pools FAQ][win-faq-change-admin-creds].

+ To run an AKS cluster that supports node pools for Windows Server containers, your cluster needs to use a network policy that uses [Azure CNI (advanced)][azure-cni] network plugin. The `--network-plugin azure` parameter specifies Azure CNI.

+### [Windows node pool (default SKU)](#tab/add-windows-node-pool)

+### [Windows Server 2022 node pool](#tab/add-windows-server-2022-node-pool)

+To use Windows Server 2022, specify the following parameters:

+- `os-sku` set to `Windows2022`

+> Windows Server 2022 requires Kubernetes version 1.23.0 or higher.

+Add a Windows Server 2022 node pool using the `az aks nodepool add` command:

+ --os-sku Windows2022 \

+### [Windows Server 2019 node pool](#tab/add-windows-server-2019-node-pool)

+To use Windows Server 2019, specify the following parameters:

+- `os-sku` set to `Windows2019`

+> Windows Server 2019 is being retired after Kubernetes version 1.32 reaches end of life (EOL) and won't be supported in future releases. For more information about this retirement, see the [AKS release notes][aks-release-notes].

+Add a Windows Server 2019 node pool using the `az aks nodepool add` command:

+ --os-sku Windows2019 \

+You use [kubectl][kubectl], the Kubernetes command-line client, to manage your Kubernetes clusters. If you use Azure Cloud Shell, `kubectl` is already installed. If you want to install `kubectl` locally, you can use the [az aks install-cli][az-aks-install-cli] command.

+ aks-nodepool1-20786768-vmss000000 Ready agent 22h v1.27.7 10.224.0.4 <none> Ubuntu 22.04.3 LTS 5.15.0-1052-azure containerd://1.7.5-1

+ aks-nodepool1-20786768-vmss000001 Ready agent 22h v1.27.7 10.224.0.33 <none> Ubuntu 22.04.3 LTS 5.15.0-1052-azure containerd://1.7.5-1

+ aksnpwin000000 Ready agent 20h v1.27.7 10.224.0.62 <none> Windows Server 2022 Datacenter 10.0.20348.2159 containerd://1.6.21+azure

+ ```

+ > The container runtime for each node pool is shown under *CONTAINER-RUNTIME*. The container runtime values begin with `containerd://`, which means that they each use `containerd` for the container runtime.

+ If you create and save the YAML file locally, then you can upload the manifest file to your default directory in CloudShell by selecting the **Upload/Download files** button and selecting the file from your local file system.

+ aks-agentpool-41946322-vmss000001 Ready agent 7m51s v1.27.7

+ aks-agentpool-41946322-vmss000002 Ready agent 7m5s v1.27.7

+ aks-npwin-41946322-vmss000000 Ready agent 7m43s v1.27.7

+ aks-userpool-41946322-vmss000001 Ready agent 7m47s v1.27.7

+ aks-userpool-41946322-vmss000002 Ready agent 6m57s v1.27.7

+ If you create and save the YAML file locally, then you can upload the manifest file to your default directory in CloudShell by selecting the **Upload/Download files** button and selecting the file from your local file system.

+To create the AKS cluster with Azure PowerShell, follow these steps:

+1. Create the administrator credentials for your Windows Server containers using the following command. This command prompts you to enter a `WindowsProfileAdminUserName` and `WindowsProfileAdminUserPassword`. The password must be a minimum of 14 characters and meet the [Windows Server password complexity requirements][windows-server-password].

+ After a few minutes, the command completes and returns JSON-formatted information about the cluster. Occasionally, the cluster can take longer than a few minutes to provision. Allow up to 10 minutes for provisioning.

+ If you get a password validation error, and the password that you set meets the length and complexity requirements, try creating your resource group in another region. Then try creating the cluster with the new resource group.

+ The administrator username can't be changed, but you can change the administrator password that your AKS cluster uses for Windows Server nodes using `az aks update`. For more information, see [Windows Server node pools FAQ][win-faq-change-admin-creds].

+ To run an AKS cluster that supports node pools for Windows Server containers, your cluster needs to use a network policy that uses [Azure CNI (advanced)][azure-cni] network plugin. The `-NetworkPlugin azure` parameter specifies Azure CNI.

+### [Windows node pool (default SKU)](#tab/add-windows-node-pool)

+### [Windows Server 2022 node pool](#tab/add-windows-server-2022-node-pool)

+To use Windows Server 2022, specify the following parameters:

+- `OsSKU` set to `Windows2022`

+> - Specifying the `OsSKU` parameter requires PowerShell Az module version 9.2.0 or higher.

+> - Windows Server 2022 requires Kubernetes version 1.23.0 or higher.

+To add a Windows Server 2022 node pool, call the [New-AzAksNodePool][new-azaksnodepool] cmdlet:

+ -OsSKU Windows2022 `

+### [Windows Server 2019 node pool](#tab/add-windows-server-2019-node-pool)

+To use Windows Server 2019, specify the following parameters:

+- `OsSKU` set to `Windows2019`

+> - `OsSKU` requires PowerShell Az module version 9.2.0 or higher.

+> - Windows Server 2019 is being retired after Kubernetes version 1.32 reaches end of life (EOL) and won't be supported in future releases. For more information about this retirement, see the [AKS release notes][aks-release-notes].

+To add a Windows Server 2019 node pool, call the [New-AzAksNodePool][new-azaksnodepool] cmdlet:

+ -OsSKU Windows2019 `

+ NAME STATUS ROLES AGE VERSION

+ aks-nodepool1-20786768-vmss000000 Ready agent 22h v1.27.7

+ aks-nodepool1-20786768-vmss000001 Ready agent 22h v1.27.7

+ aksnpwin000000 Ready agent 21h v1.27.7

+ If you create and save the YAML file locally, then you can upload the manifest file to your default directory in CloudShell by selecting the **Upload/Download files** button and selecting the file from your local file system.

+[win-faq-change-admin-creds]: ../windows-faq.md#how-do-i-change-the-administrator-password-for-windows-server-nodes-on-my-cluster

+## HTTP

+| Name | Description | Required | Default | Availability |

+|-||-|-| -|

+| net.server.http.forwarded.proto.enabled | Capability to honor `X-Forwarded-Proto` header to identify scheme to resolve called API route (http/https only). | No | false | v2.5+ |

+| openid-config |Add one or more of these elements to specify a compliant OpenID configuration endpoint URL from which signing keys and issuer can be obtained.<br/><br/>Configuration including the JSON Web Key Set (JWKS) is pulled from the endpoint every 1 hour and cached. If the token being validated references a validation key (using `kid` claim) that is missing in cached configuration, or if retrieval fails, API Management pulls from the endpoint at most once per 5 min. These intervals are subject to change without notice. <br/><br/>The response should be according to specs as defined at URL: `https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata`. <br/><br/>For Microsoft Entra ID use the OpenID Connect [metadata endpoint](../active-directory/develop/v2-protocols-oidc.md#find-your-apps-openid-configuration-document-uri) configured in your app registration such as:<br/>- v2 `https://login.microsoftonline.com/{tenant-name}/v2.0/.well-known/openid-configuration`<br/>- v2 Multi-Tenant ` https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration`<br/>- v1 `https://login.microsoftonline.com/{tenant-name}/.well-known/openid-configuration` <br/>- Customer tenant (preview) `https://{tenant-name}.ciamlogin.com/{tenant-id}/v2.0/.well-known/openid-configuration` <br/><br/> Substituting your directory tenant name or ID, for example `contoso.onmicrosoft.com`, for `{tenant-name}`. | No |

+### Microsoft Entra ID single tenant token validation

+### Microsoft Entra ID customer tenant token validation

+```xml

+<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">

+ <openid-config url="https://<tenant-name>.ciamlogin.com/<tenant-id>/v2.0/.well-known/openid-configuration" />

+ <required-claims>

+ <claim name="azp" match="all">

+ <value>insert claim here</value>

+ </claim>

+ </required-claims>

+</validate-jwt>

+```

+ai-usage: ai-assisted

+This video shows you how to set up staging environments in Azure App Service.

+> [!VIDEO 99aaff5e-fd3a-4568-b03a-a65745807d0f]

+The steps in the video are also described in the following sections.

+When you swap two slots (usually from a staging slot *as the source* into the production slot *as the target*), App Service does the following to ensure that the target slot doesn't experience downtime:

+1. Apply the following settings from the target slot (for example, the production slot) to all instances of the source slot:

+ Any of these cases trigger all instances in the source slot to restart. During [swap with preview](#Multi-Phase), this marks the end of the first phase. The swap operation is paused, and you can validate that the source slot works correctly with the target slot's settings.

+ai-usage: ai-assisted

+This video shows you how to use managed identities for App Service.

+> [!VIDEO 4fdf7a78-b3ce-48df-b3ce-cd7796d0ad5a]

+The steps in the video are also described in the following sections.

+> * To configure `dnsMaxCacheTimeout`, you need to ensure that caching is enabled by adding the app setting `WEBSITE_ENABLE_DNS_CACHE`="true". If you enable caching, but do not configure `dnsMaxCacheTimeout`, the timeout will be set to 30.

+ai-usage: ai-assisted

+This video shows you how to deploy an ASP.NET web app.

+> [!VIDEO 31309745-82c2-4208-aed5-7ace0b7f7f4d]

+The steps in the video are also described in the following sections.

+The following table includes links to Azure CLI scripts for Azure App Configuration using the [az appconfig](/cli/azure/appconfig) commands in the Azure CLI:

+## Azure Kubernetes Service access to App Configuration

+The following options are available for workloads hosted in Azure Kubernetes Service (AKS) to access Azure App Configuration. These options also apply to Kubernetes in general.

+* **Add [Azure App Configuration Kubernetes Provider](./quickstart-azure-kubernetes-service.md) to your AKS cluster.** The Kubernetes provider runs as a pod in the cluster. It can construct ConfigMaps and Secrets from key-values and Key Vault references in your App Configuration store. The ConfigMap and Secret are consumable as environment variables or mounted files without requiring any modifications to your application code. If you have multiple applications running in the same AKS cluster, they can all access the generated ConfigMaps and Secrets, eliminating the need for individual requests to App Configuration. The Kubernetes provider also supports dynamic configuration updates. This is the recommended option if feasible for you.

+* **Update your application to use Azure App Configuration provider libraries.** The provider libraries are available in many frameworks and languages, such as [ASP.NET](./quickstart-aspnet-core-app.md), [.NET](./quickstart-dotnet-core-app.md), [Java Spring](./quickstart-java-spring-app.md), [JavaScript/Node.js](./quickstart-javascript-provider.md), and [Python](./quickstart-python-provider.md). This approach gives you full access to App Configuration's functionalities, including dynamic configuration and feature management. You have granular control of what data to load and from which App Configuration store for each application.

+* **[Integrate with Kubernetes deployment using Helm](./integrate-kubernetes-deployment-helm.md).** If you do not wish to update your application or add a new pod to your AKS cluster, you have the option of bringing data from App Configuration to your Kubernetes cluster by using Helm via deployment. This approach enables your application to continue accessing configuration from Kubernetes variables and Secrets. You can run Helm upgrade whenever you want your application to incorporate new configuration changes.

+- **Snapshot Name**: Specifies snapshot from which key-values should be retrieved in Azure App Configuration.

+As an extension of the Azure location construct, a *custom location* provides a reference as a deployment target that administrators can set up when creating an Azure resource. The custom location feature abstracts the backend infrastructure details from application developers, database admin users, or other users in the organization. These users can then reference the custom location without having to be aware of these details.

+Custom locations can be used to enable [Azure Arc-enabled Kubernetes clusters](../kubernetes/overview.md) as target locations for deploying Azure services instances. Azure offerings that can be deployed on top of custom locations include databases, such as [SQL Managed Instance enabled by Azure Arc](/azure/azure-arc/data/managed-instance-overview) and [Azure Arc-enabled PostgreSQL server](/azure/azure-arc/data/what-is-azure-arc-enabled-postgresql).

+On Arc-enabled Kubernetes clusters, a custom location represents an abstraction of a namespace within the Azure Arc-enabled Kubernetes cluster. Custom locations create the granular [RoleBindings and ClusterRoleBindings](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding) necessary for other Azure services to access the cluster.

+## Custom location permissions

+Since the custom location is an Azure Resource Manager resource that supports [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md), an administrator or operator can determine which users have access to create resource instances on:

+* A namespace within a Kubernetes cluster to target deployment of SQL Managed Instance enabled by Azure Arc or Azure Arc-enabled PostgreSQL server.

+* The compute, storage, networking, and other vCenter or Azure Stack HCI resources to deploy and manage VMs.

+For example, a cluster operator could create a custom location **Contoso-Michigan-Healthcare-App** representing a namespace on a Kubernetes cluster in your organization's Michigan Data Center. The operator can assign Azure RBAC permissions to application developers on this custom location so that they can deploy healthcare-related web applications. The developers can then deploy these applications to **Contoso-Michigan-Healthcare-App** without having to know details of the namespace and Kubernetes cluster.

+When an administrator enables the custom locations feature on a cluster, a ClusterRoleBinding is created, authorizing the Microsoft Entra application used by the Custom Locations Resource Provider (RP). Once authorized, the Custom Locations RP can create ClusterRoleBindings or RoleBindings needed by other Azure RPs to create custom resources on this cluster. The cluster extensions installed on the cluster determine the list of RPs to authorize.

+[  ](../kubernetes/media/conceptual-custom-locations-usage.png#lightbox)

+The sequence of steps to create the SQL managed instance or PostgreSQL instance are identical to the sequence of steps described above.

+* Use our quickstart to [connect a Kubernetes cluster to Azure Arc](../kubernetes/quickstart-connect-cluster.md).

+* Learn how to [create a custom location](../kubernetes/custom-locations.md) on your Azure Arc-enabled Kubernetes cluster.

+[Resource Graph sample queries by category](../governance/resource-graph/samples/samples-by-category.md)

+and [Resource Graph sample queries by table](../governance/resource-graph/samples/samples-by-table.md).

+- See samples of [starter Resource Graph queries](../governance/resource-graph/samples/starter.md).

+- See samples of [Advanced Resource Graph queries](../governance/resource-graph/samples/advanced.md).

+Microsoft recommends running Azure Arc-enabled services on validated platforms whenever possible. This article explains how various Azure Arc-enabled components are validated.

+Currently, validated solutions are available from partners for [Azure Arc-enabled Kubernetes](../kubernetes/overview.md) and [Azure Arc-enabled data services](../dat).

+## Validated Azure Arc-enabled Kubernetes distributions

+Azure Arc-enabled Kubernetes works with any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters. The Azure Arc team worked with key industry Kubernetes offering providers to [validate Azure Arc-enabled Kubernetes with their Kubernetes distributions](../kubernetes/validation-program.md?toc=/azure/azure-arc/toc.json&bc=/azure/azure-arc/breadcrumb/toc.json). Future major and minor versions of Kubernetes distributions released by these providers will be validated for compatibility with Azure Arc-enabled Kubernetes.

+## Validated data services solutions

+The Azure Arc team worked with original equipment manufacturer (OEM) partners and storage providers to [validate Azure Arc-enabled data services solutions](../dat?toc=/azure/azure-arc/toc.json&bc=/azure/azure-arc/breadcrumb/toc.json). This includes partner solutions, versions, Kubernetes versions, SQL engine versions, and PostgreSQL server versions that have been verified to support the data services.

+For more details about the validation process, see the [Azure Arc validation process](https://github.com/Azure/azure-arc-validation/) in GitHub. Here you find information about how offerings are validated with Azure Arc, the test harness, strategy, and more.

+* Learn about [Validated Kubernetes distributions](../kubernetes/validation-program.md?toc=/azure/azure-arc/toc.json&bc=/azure/azure-arc/breadcrumb/toc.json)

+* Learn about [validated solutions for data services](../dat?toc=/azure/azure-arc/toc.json&bc=/azure/azure-arc/breadcrumb/toc.json)

+ - This metric is only available in Standard and Premium tier caches.

+ - This metric is not available for caches that are affected by Cloud Service retirement. See more information [here](cache-faq.yml#caches-with-a-dependency-on-cloud-services--classic)

+This article creates an HTTP triggered function that runs on .NET 8 in an isolated worker process. For information about .NET versions supported for C# functions, see [Supported versions](dotnet-isolated-process-guide.md#supported-versions). There's also a [Visual Studio Code-based version](create-first-function-vs-code-csharp.md) of this article.

+ func init LocalFunctionProj --worker-runtime dotnet-isolated --target-framework net8.0

+This article creates an HTTP triggered function that runs on .NET 8 in an isolated worker process. For information about .NET versions supported for C# functions, see [Supported versions](dotnet-isolated-process-guide.md#supported-versions).

+ | **Select a .NET runtime** | Choose `.NET 8.0 Isolated (LTS)`.|

+By default, this article shows you how to create C# functions that run on .NET 8 in an [isolated worker process](dotnet-isolated-process-guide.md). Function apps that run in an isolated worker process are supported on all versions of .NET that are supported by Functions. For more information, see [Supported versions](dotnet-isolated-process-guide.md#supported-versions).

+ | **Functions worker** | **.NET 8.0 Isolated (Long Term Support)** | Your functions run on .NET 8 in an isolated worker process. |

+A log alert rule monitors a resource by using a Log Analytics query to evaluate logs at a set frequency. You can include data from Azure Data Explorer and Azure Resource Graph in your log alert rule queries.

+## Queries that check virtual machine health

+This query finds virtual machines marked as critical that haven't had a heartbeat in the last 2 minutes.

+```kusto

+ arg("").Resources

+ | where type == "microsoft.compute/virtualmachines"

+ | summarize LastCall = max(case(isnull(TimeGenerated), make_datetime(1970, 1, 1), TimeGenerated)) by name, id

+ | extend SystemDown = case(LastCall < ago(2m), 1, 0)

+ | where SystemDown == 1

+```

+This query finds virtual machines marked as critical that had a heartbeat more than 24 hours ago, but that haven't had a heartbeat in the last 2 minutes.

+ {

+ Perf | where ObjectName == 'Processor' and CounterName == '% Idle Time' and (InstanceName in ('_Total,'total'))

+ | where type =~ 'Microsoft.Compute/virtualMachines'

+ | where (tostring(tags.monitorRuleGroup) in (RuleGroupTags))

+ | extend changeTime = todatetime(properties.changeAttributes.timestamp),

+ | where changeType == "Create" and changeTime <ago(1h)

+The following sample shows how to exclude metrics with names "metricA" and "metricB".

+The following sample show how to turn off all metrics including the default auto-collected performance metrics like cpu and memory.

+```json

+"processors": [

+ {

+ "type": "metric-filter",

+ "exclude": {

+ "matchType": "regexp",

+ "metricNames": [

+ ".*"

+ ]

+ }

+ }

+]

+```

+az aks update --disable-azure-monitor-metrics -g <cluster-resource-group> -n <cluster-name>

+az aks update --enable-azure-monitor-metrics -n <cluster-name> -g <cluster-resource-group> --azure-monitor-workspace-resource-id

+> | servers | **Yes** | **Yes** | You can use a cross-region read replica to move an existing server. [Learn more](../../postgresql/howto-move-regions-portal.md).<br/><br/> If the service is provisioned with geo-redundant backup storage, you can use geo-restore to restore in other regions. [Learn more](../../mariadb/concepts-business-continuity.md#recovery-from-an-azure-regional-datacenter-outage).

+ Title: Plan to manage costs for Azure Batch

+description: Learn how to plan for and manage costs for Azure Batch workloads by using cost analysis in the Azure portal.

+# Plan to manage costs for Azure Batch

+This article describes how you plan for and manage costs for Azure Batch. Before you deploy the service, you can use the [Azure pricing calculator](https://azure.microsoft.com/pricing/calculator/) to estimate costs for Azure Batch. Later, as you deploy Azure resources, review the estimated costs.

+After you start running Batch workloads, use Cost Management features to set budgets and monitor costs. You can also review forecasted costs and identify spending trends to identify areas where you might want to act. Costs for Azure Batch are only a portion of the monthly costs in your Azure bill. Although this article explains how to plan for and manage costs for Azure Batch, you're billed for all Azure services and resources used in your Azure subscription, including the third-party services.

+## Prerequisites

+Cost analysis in Cost Management supports most Azure account types, but not all of them. To view the full list of supported account types, see [Understand Cost Management data](../cost-management-billing/costs/understand-cost-mgt-data.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn). To view cost data, you need at least read access for an Azure account. For information about assigning access to Microsoft Cost Management data, see [Assign access to data](../cost-management/assign-access-acm-data.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn).

+## Estimate costs before using Azure Batch

+Use the [Azure pricing calculator](https://azure.microsoft.com/pricing/calculator/) to estimate costs before you add virtual machines.

+1. On the **Products** tab, go to the **Compute** section or search for *Batch* in the search bar. on the **Batch** tile, select **Add to estimate** and scroll down to the **Your Estimate** section.

+1. Notice that Azure Batch is a free service and that the costs associated with Azure Batch are for the underlying resources that run your workloads. When adding Azure Batch to your estimate, the pricing calculator automatically creates a selection for **Cloud Services** and **Virtual machines**. You can read more about [Azure Cloud Services](../cloud-services/cloud-services-choose-me.md) and [Azure Virtual Machines (VMs)](../virtual-machines/overview.md) in each product's documentation. What you need to know for estimated the cost of Azure Batch is that virtual machines are the most significant resource.

+ Select options from the drop-downs. There are various options available to choose from. The options that have the largest impact on your estimate total are your virtual machine's operating system, the operating system license if applicable, the [VM size](../virtual-machines/sizes.md) you select under **INSTANCE**, the number of instances you choose, and the amount of time your month your instances to run.

+ Notice that the total estimate changes as you select different options. The estimate appears in the upper corner and the bottom of the **Your Estimate** section.

+ 

+ You can learn more about the cost of running virtual machines from the [Plan to manage costs for virtual machines documentation](../virtual-machines/plan-to-manage-costs.md).

+## Understand the full billing model for Azure Batch

+Azure Batch runs on Azure infrastructure that accrues costs when you deploy new resources. It's important to understand that there could be other additional infrastructure costs that might accrue.

+### How you're charged for Azure Batch

+Azure Batch is a free service. There are no costs for Batch itself. However, there can be charges for the underlying compute resources and software licenses used to run Batch workloads. Costs may be incurred from virtual machines in a pool, data transfer from the VM, or any input or output data stored in the cloud.

+### Costs that might accrue with Azure Batch

+Although Batch itself is a free service, many of the underlying resources that run your workloads aren't. These include:

+- [Virtual Machines](https://azure.microsoft.com/pricing/details/virtual-machines/windows/)

+ - To learn more about the costs associated with virtual machines, see the [How you're charged for virtual machines section of Plan to manage costs for virtual machines](../virtual-machines/plan-to-manage-costs.md#how-youre-charged-for-virtual-machines).

+ - Each VM in a pool created with [Virtual Machine Configuration](nodes-and-pools.md#virtual-machine-configuration) has an associated OS disk that uses Azure-managed disks. Azure-managed disks have an additional cost, and other disk performance tiers have different costs as well.

+- Storage

+ - When applications are deployed to Batch node virtual machines using [application packages](batch-application-packages.md), you're billed for the Azure Storage resources that your application packages consume. You're also billed for the storage of any input or output files, such as resource files and other log data.

+ - In general, the cost of storage data associated with Batch is much lower than the cost of compute resources.

+- In some cases, a [load balancer](https://azure.microsoft.com/pricing/details/load-balancer/)

+- Networking resources

+ - For Virtual Machine Configuration pools, standard load balancers are used, which require static IP addresses. The load balancers used by Batch are visible for [accounts](accounts.md#batch-accounts) configured in user subscription mode, but not those in Batch service mode.

+ - Standard load balancers incur charges for all data passed to and from Batch pool VMs. Select Batch APIs that retrieve data from pool nodes (such as Get Task/Node File), task application packages, resource/output files, and container images also incur charges.

+ - [Virtual Network](https://azure.microsoft.com/pricing/details/virtual-network/)

+- Depending on what services you use, your Batch solution may incur additional fees. Services commonly used with Batch that may have associated costs include:

+ - Application Insights

+ - Data Factory

+ - Azure Monitor

+### Costs might accrue after resource deletion

+After you delete Azure Batch resources, the following resources might continue to exist. They continue to accrue costs until you delete them.

+- Virtual machine

+- Any disks deployed other than the OS and local disks

+ - By default, the OS disk is deleted with the VM, but it can be [set not to during the VM's creation](../virtual-machines/delete.md)

+- Virtual network

+ - Your virtual NIC and public IP, if applicable, can be set to delete along with your virtual machine

+- Bandwidth

+- Load balancer

+For virtual networks, one virtual network is billed per subscription and per region. Virtual networks cannot span regions or subscriptions. Setting up private endpoints in vNet setups may also incur charges.

+Bandwidth is charged by usage; the more data transferred, the more you're charged.

+### Using Azure Prepayment with Azure Batch

+While Azure Batch is a free service, you can pay for underlying resource charges with your Azure Prepayment credit. However, you can't use Azure Prepayment credit to pay for charges for third party products and services including those from the Azure Marketplace.

+## View cost analysis and create budgets

+As you use Azure resources with Azure Batch, you incur costs. Azure resource usage unit costs vary by time intervals (seconds, minutes, hours, and days) or by unit usage (bytes, megabytes, and so on.) As soon as Azure resource use starts, costs are incurred, and you can see the costs in [cost analysis](../cost-management/quick-acm-cost-analysis.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn). [Microsoft Cost Management](../cost-management-billing/cost-management-billing-overview.md) lets you plan, analyze and reduce your spending to maximize your cloud investment. You can view and filter Batch costs to be viewed and filtered, forecast future costs, and set spending limits with alerts when those limits are reached.

+In the Azure portal, you can create budgets and spending alerts for your Batch pools or Batch accounts. Budgets and alerts are useful for notifying stakeholders of any risks of overspending, although it's possible for there to be a delay in spending alerts and to slightly exceed a budget.

+The following screenshot shows an example of the **Cost analysis** view for a subscription, filtered to only display the accumulated costs associated with all Batch accounts. The lower charts show how the total cost for the period selected can be categorized by consumed service, location, and meter. While this is an example and is not meant to be reflective of costs you may see for your subscriptions, it is typical in that the largest cost is for the virtual machines that are allocated for Batch pool nodes.

+A further level of cost analysis detail can be obtained by specifying a **Resource** filter. For Batch accounts, these values are the Batch account name plus pool name. This allows you to view costs for a specific pool, multiple pools, or one or more accounts.

+### View cost analysis for a Batch pool

+#### Batch service pool allocation mode

+For Batch accounts created with the Batch service pool allocation mode:

+1. In the Azure portal, type in or select **Cost Management + Billing** .

+1. Select your subscription in the **Billing scopes** section.

+1. Under **Cost Management**, select **Cost analysis**.

+1. Select **Add Filter**. In the first drop-down, select **Resource**.

+1. In the second drop-down, select the Batch pool. When the pool is selected, you see the cost analysis for your pool. The screenshot below shows example data.

+ :::image type="content" source="media/plan-to-manage-costs/pool-cost-analysis.png" alt-text="Screenshot showing cost analysis of a Batch pool in the Azure portal.":::

+The resulting cost analysis shows the cost of the pool as well as the resources that contribute to this cost. In this example, the VMs used in the pool are the most costly resource.

+> [!NOTE]

+> The pool in this example uses **Virtual Machine Configuration**, which is [recommended for most pools](batch-pool-cloud-service-to-virtual-machine-configuration.md) and are charged based on the Virtual Machines pricing structure. Pools that use **Cloud Services Configuration** are charged based on the Cloud Services pricing structure.

+[Tags](../azure-resource-manager/management/tag-resources.md) can be associated with Batch accounts, allowing tags to be used for further cost filtering. For example, tags can be used to associate project, user, or group information with a Batch account. Tags cannot currently be associated with Batch pools.

+#### User subscription pool allocation mode

+For Batch accounts created with the user subscription pool allocation mode:

+1. In the Azure portal, type in or select **Cost Management + Billing** .

+1. Select your subscription in the **Billing scopes** section.

+1. Under **Cost Management**, select **Cost analysis**.

+1. Select **Add Filter**. In the first drop-down, select **Tag**.

+1. In the second drop-down, select **poolname**.

+1. In the third drop-down, select the Batch pool. When the pool is selected, you see the cost analysis for your pool. The screenshot below shows example data.

+ :::image type="content" source="media/plan-to-manage-costs/user-subscription-pool.png" alt-text="Screenshot showing cost analysis of a user subscription Batch pool in the Azure portal.":::

+Note that if you're interested in viewing cost data for all pools in a user subscription Batch account, you can select **batchaccountname** in the second drop-down and the name of your Batch account in the third drop-down.

+> [!NOTE]

+> Pools created by user subscription Batch accounts don't show up under the **Resource** filter, though their usage still shows up when filtering for "virtual machines" under service name.

+### Create a budget for a Batch pool

+Budgets can be created and cost alerts issued when various percentages of a budget are reached, such as 60%, 80%, and 100%. The budgets can specify one or more filters, so you can monitor and alert on Batch account costs at various granularities.

+1. From the **Cost analysis** page, select **Budget: none**.

+1. Select **Create new budget >**.

+1. Use the resulting window to configure a budget specifically for your pool. For more information, see [Tutorial: Create and manage Azure budgets](../cost-management-billing/costs/tutorial-acm-create-budgets.md).

+## Minimize costs associated with Azure Batch

+Depending on your scenario, you may want to reduce costs as much as possible. Consider using one or more of these strategies to maximize the efficiency of your workloads and reduce potential costs.

+### Reduce pool node use

+The largest costs associated with using Batch are typically from the virtual machines allocated for pool nodes. For Virtual Machine configuration pools, the associated managed disks used for the VM OS disks can also contribute significantly to costs.

+Evaluate your Batch application to determine if pool nodes are being well utilized by job tasks, or if pool nodes are idle for more than the expected time. It may be possible to reduce the number of pool nodes that are allocated, reduce the rate of pool node scale-up, or increase the rate of scale-down to increase utilization.

+In addition to custom monitoring, [Batch metrics](batch-diagnostics.md#view-batch-metrics) can help to identify nodes that are allocated but in an idle state. You can select a metric for most pool node states to view by using Batch monitoring metrics in the Azure portal. The 'Idle Node Count' and 'Running Node Count' could be viewed to give an indication of how well the pool nodes are utilized, for example.

+### Ensure pool nodes are able to run tasks

+Allocated nodes that are listed for a pool normally incur costs, but it is possible for pool nodes to be in a state where can't run tasks, such as 'unusable' or 'starttaskfailed'. Batch APIs or metrics can be used to monitor for and detect this category of VM. The reason for these states can then be determined and corrective action taken to reduce or eliminate these unhealthy nodes.

+### Use the right pool node VM size

+Ensure the appropriate VM size is being used, so that VMs are utilized well when running tasks while providing the performance necessary to complete your job tasks in the required time. Pool node VMs can be underutilized in some situations, such as low CPU usage. Costs can be saved by choosing a VM size with a lower price.

+To determine VM utilization, you can log in to a node when running tasks to view performance data or use [monitoring capabilities](monitoring-overview.md), such as Application Insights, to obtain performance data from pool nodes.

+### Use pool slots to reduce node requirements

+Multiple task slots can be specified for a pool, so that the corresponding number of tasks can be run in parallel on each node. Pool task slots can be used to reduce the number of nodes used in a pool by choosing larger VM sizes and running multiple tasks in parallel on the node to ensure the node is well utilized. If nodes are underutilized, slots can be used to increase utilization. For example, for a single-threaded task application, one slot per core could be configured. It is also possible to have more slots than cores. This would be applicable if the application blocks significantly waiting for calls to external services to be returned, for one example.

+Setting [`taskSchedulingPolicy`](/rest/api/batchservice/pool/add#taskschedulingpolicy) to `pack` helps ensure VMs are utilized as much as possible, with scaling more easily able to remove nodes not running any tasks.

+### Use Azure Spot virtual machines

+[Azure Spot VMs](batch-spot-vms.md) reduce the cost of Batch workloads by taking advantage of surplus computing capacity in Azure. When you specify Spot VMs in your pools, Batch uses this surplus to run your workload. There can be substantial cost savings when you use Spot VMs instead of dedicated VMs. Keep in mind that Spot VMs are not suitable for all workloads, since there may not be available capacity to allocate, or they may get preempted.

+### Use ephemeral OS disks

+By default, pool nodes use managed disks, which incur costs. Virtual Machine Configuration pools in some VM sizes can use [ephemeral OS disks](create-pool-ephemeral-os-disk.md), which create the OS disk on the VM cache or temporary SSD, to avoid extra costs associated with managed disks.

+### Purchase reservations for virtual machine instances

+If you intend to use Batch for a long period of time, you can reduce the cost of VMs by using [Azure Reservations](../cost-management-billing/reservations/save-compute-costs-reservations.md) for your workloads. A reservation rate is considerably lower than a pay-as-you-go rate. Virtual machine instances used without a reservation are charged at the pay-as-you-go rate. When you purchase a reservation, the reservation discount is applied. When you commit to one-year or three-year plans for [VM instances](../virtual-machines/prepay-reserved-vm-instances.md), significant discounts are applied to VM usage, including [VMs consumed via Batch pools](../virtual-machines/prepay-reserved-vm-instances.md#determine-the-right-vm-size-before-you-buy).

+It is important to note that reservation discount is "use-it-or-lose-it." If there no matching resources are used for an hour, you'll lose the reservation quantity for that hour. Unused reserved hours can't be carried forward, and are therefore lost if not used. Batch workloads often scale the number of allocated VMs according to load and have varying load, including periods where there is no load. Care therefore needs to be taken determining the reservation amount, given that reserved hours are lost if Batch VMs are scaled down below the reservation quantity.

+### Use automatic scaling

+[Automatic scaling](batch-automatic-scaling.md) dynamically scales the number of VMs in your Batch pool based on demands of the current job. When you scale the pool based on the lifetime of a job, automatic scaling ensures that VMs are scaled up and used only when there is a job to perform. When the job is complete, or when there are no jobs, the VMs are automatically scaled down to save compute resources. Scaling allows you to lower the overall cost of your Batch solution by using only the resources you need.

+## Next steps

+- Learn more about [Microsoft Cost Management + Billing](../cost-management-billing/cost-management-billing-overview.md).

+- Learn about using [Azure Spot VMs with Batch](batch-spot-vms.md).

+| 9.2 <span class="pill purple">Tech Preview (SEV-SNP Only)</span> | 22H2 Enterprise N | 2022 Server Core |

+| 9.3 (SEV-SNP Only) | 22H2 Enterprise Multi-session | 2022 Azure Edition |

+- Your Azure Container Registry must allow ARM audience tokens for authentication in order to use managed identity to pull images.

+ Use the following command to check if ARM tokens are allowed to access your ACR:

+ ```azurecli

+ az acr config authentication-as-arm show -r <REGISTRY>

+ ```

+ If ARM tokens are disallowed, you can allow them with the following command:

+ ```azurecli

+ az acr config authentication-as-arm update -r <REGISTRY> --status enabled

+ ```

+- Azure Spring Apps - The Azure savings plan for compute can only be applied to the Azure Spring Apps Enterprise plan.

+A Python package is a way to organize related Python modules into a single directory hierarchy. A package is typically represented as a directory that contains a special file called `__init__.py`. Inside a package directory, you can have multiple Python module files (.py files) that define functions, classes, and variables.

+In the context of Azure Data Factory Managed Airflow, you can use Python packages to organize and distribute your custom Airflow Plugins and Provider packages.

+This article provides step-by-step instructions on how to install a .whl (Wheel) file, which serves as a binary distribution format for a Python package, as a requirement in your Managed Airflow runtime.

+For illustration purposes, you create a custom operator as a Python package that you can import as a module inside a directed acyclic graph (DAG) file.

+## Prerequisites

+- **Azure subscription**: If you don't have an Azure subscription, create a [free Azure account](https://azure.microsoft.com/free/) before you begin.

+- **Azure Data Factory**: Create or select an existing [Data Factory](https://azure.microsoft.com/products/data-factory#get-started) instance in a [region where the Managed Airflow preview is supported](concept-managed-airflow.md#region-availability-public-preview).

+- **Azure Storage account**: If you don't have a storage account, see [Create an Azure Storage account](/azure/storage/common/storage-account-create?tabs=azure-portal) for steps to create one. Ensure the storage account allows access only from selected networks.

+## Develop a custom operator

+1. Create the file `sample_operator.py`.

+ ```python

+ from airflow.models.baseoperator import BaseOperator

+

+

+ class SampleOperator(BaseOperator):

+ def __init__(self, name: str, **kwargs) -> None:

+ super().__init__(**kwargs)

+ self.name = name

+

+ def execute(self, context):

+ message = f"Hello {self.name}"

+ return message

+ ```

+1. To create a Python package for this file, see [Create a package in Python](https://airflow.apache.org/docs/apache-airflow/stable/administration-and-deployment/modules_management.html#creating-a-package-in-python).

+1. Create the DAG file `sample_dag.py` to test your operator.

+

+ ```python

+ from airflow_operator.hello_operator import SampleCustomOperator

+ from airflow import DAG

+

+

+ with DAG(

+ "tutorial",

+ tags=["example"],

+ ) as dag:

+ sample_task = SampleCustomOperator(task_id="sample-task", name="foo_bar")

+ ```

+## Create a storage container

+Use the steps described in [Manage blob containers using the Azure portal](/azure/storage/blobs/blob-containers-portal) to create a storage account to upload DAGs and your package file.

+## Upload the private package into your storage account

+1. Go to the designated container where you intend to store your Airflow DAG and Plugin files.

+1. Upload your private package file to the container. Common file formats include .zip, .whl, or `tar.gz`. Place the file within either the `Dags` or `Plugins` folder, as appropriate.

+## Add your private package as a requirement

+1. Add your private package as a requirement in the `requirements.txt` file. Add this file if it doesn't already exist.

+1. Be sure to prepend the prefix `/opt/airflow` to the package path. For instance, if your private package resides at `/dats/test/private.wht`, your `requirements.txt` file should feature the requirement `/opt/airflow/dags/test/private.wht`.

+## Import your folder to an Airflow integration runtime environment

+When you import your folder into an Airflow integration runtime environment, select the **Import requirements** checkbox to load your requirements inside your Airflow environment.

+### Check the import

+Inside the Airflow UI, you can run the DAG file you created in step 1 to check if the import was successful.

+This article explains how to enhance security of your data stores and resources by restricting access solely to your Azure Data Factory Managed Airflow cluster. In this article, you walk through the process of retrieving and adding the unique IP address associated with your Managed Airflow cluster to your storage firewall's allowlist. This process enables you to access data stores or resources through the list of permitted IP addresses on the firewall's allowlist. Access from all other IP addresses via the public endpoint is prevented.

+> Importing DAGs is currently not supported by using blob storage with IP allow listing or by using private endpoints. We suggest using Git sync instead.

+## Prerequisites

+- **Azure subscription**: If you don't have an Azure subscription, create a [free Azure account](https://azure.microsoft.com/free/) before you begin.

+### Retrieve the bearer token for the Airflow API

+- Similar to the authentication process used in the standard Azure REST API, acquiring an access token from Microsoft Entra ID is required before you make a call to the Airflow REST API. For more information on how to obtain the token from Microsoft Entra ID, see [Azure REST API reference](/rest/api/azure).

+- Also, the service principal used to obtain the access token needs to have at least a Contributor role on the Azure Data Factory instance where the Airflow integration runtime is located.

+For more information, see the following screenshots.

+1. Use the Microsoft Entra ID API call to get an access token.

+ :::image type="content" source="media/airflow-get-ip-airflow-cluster/get-access-token.png" alt-text="Screenshot that shows the API used to retrieve the access token to invoke Airflow APIs." lightbox="media/airflow-get-ip-airflow-cluster/get-access-token.png":::

+1. Use the access token acquired as a bearer token from step 1 to invoke the Airflow API.

+ :::image type="content" source="media/airflow-get-ip-airflow-cluster/get-dags.png" alt-text="Screenshot that shows a sample Airflow API request using a bearer token fetched in the initial step." lightbox="media/airflow-get-ip-airflow-cluster/get-dags.png":::

+### Retrieve the Managed Airflow cluster's IP address

+1. Use the Managed Airflow UI.

+ :::image type="content" source="media/airflow-get-ip-airflow-cluster/get-cluster-ip-from-ui.png" alt-text="Screenshot that shows how to retrieve a cluster's IP by using the UI." lightbox="media/airflow-get-ip-airflow-cluster/get-cluster-ip-from-ui.png":::

+1. Use the Rest API.

+ For more information, see [Managed Airflow IP address - Get](/rest/api/datafactory/integration-runtimes/get?tabs=HTTP#code-try-0).

+ You should retrieve the Airflow cluster's IP address from the response, as shown in the screenshot.

+ #### Sample response

+ :::image type="content" source="media/airflow-get-ip-airflow-cluster/get-cluster-ip-from-api.png" alt-text="Screenshot that shows how to retrieve a cluster's IP by using an API." lightbox="media/airflow-get-ip-airflow-cluster/get-cluster-ip-from-api.png":::

+### Add the Managed Airflow cluster IP address to the storage account you want to secure

+> You can add the Managed Airflow IP address to other storage services too, like Azure SQL Database and Azure Key Vault.

+- To add a Managed Airflow cluster IP address in Azure Key Vault, see [Azure SQL Database and Azure Synapse IP firewall rules](/azure/key-vault/general/network-security).

+- To add a Managed Airflow cluster IP address in Azure Blob Storage, see [Configure Azure Storage firewalls and virtual networks](/azure/storage/common/storage-network-security?tabs=azure-portal#grant-access-from-an-internet-ip-range).

+- To add a Managed Airflow cluster IP address in Azure SQL Database, see [Configure Azure Key Vault firewalls and virtual networks](/azure/azure-sql/database/firewall-configure).

+- To add a Managed Airflow cluster IP address in Azure PostgreSQL Database, see [Create and manage firewall rules for Azure Database for PostgreSQL - Single server using the Azure portal](/azure/postgresql/single-server/how-to-manage-firewall-using-portal).

+- [Change the password for Managed Airflow environments](password-change-airflow.md)

+ Title: Import Airflow DAGs by using Azure Blob Storage

+description: This document shows the steps required to import Airflow DAGs by using Azure Blob Storage.

+# Import DAGs by using Azure Blob Storage

+This article shows you step-by-step instructions on how to import directed acyclic graphs (DAGs) into Azure Data Factory Managed Airflow by using Azure Blob Storage.

+- **Azure subscription**: If you don't have an Azure subscription, create a [free Azure account](https://azure.microsoft.com/free/) before you begin.

+- **Azure Data Factory**: Create or select an existing [Data Factory](https://azure.microsoft.com/products/data-factory#get-started) instance in a [region where the Managed Airflow preview is supported](concept-managed-airflow.md#region-availability-public-preview).

+- **Azure Storage account**: If you don't have a storage account, see [Create an Azure Storage account](/azure/storage/common/storage-account-create?tabs=azure-portal) for steps to create one. Ensure the storage account allows access only from selected networks.

+Blob Storage behind virtual networks isn't supported during the preview. Azure Key Vault configuration in `storageLinkedServices` isn't supported to import DAGs.

+## Import DAGs

+1. Copy either [Sample Apache Airflow v2.x DAG](https://airflow.apache.org/docs/apache-airflow/stable/tutorial/fundamentals.html) or [Sample Apache Airflow v1.10 DAG](https://airflow.apache.org/docs/apache-airflow/1.10.11/_modules/airflow/example_dags/tutorial.html) based on the Airflow environment that you set up. Paste the content into a new file called *tutorial.py*.

+ Upload the *tutorial.py* file to Blob Storage. For more information, see [Upload a file into a blob](../storage/blobs/storage-quickstart-blobs-portal.md).

+ > You need to select a directory path from a Blob Storage account that contains folders named *dags* and *plugins* to import them into the Airflow environment. Plugins aren't mandatory. You can also have a container named **dags** and upload all Airflow files within it.

+1. Under the **Manage** hub, select **Apache Airflow**. Then hover over the previously created **Airflow** environment and select **Import files** to import all DAGs and dependencies into the Airflow environment.

+ :::image type="content" source="media/how-does-managed-airflow-work/import-files.png" alt-text="Screenshot that shows importing files in the Manage hub." lightbox="media/how-does-managed-airflow-work/import-files.png":::

+1. Create a new linked service to the accessible storage account mentioned in the "Prerequisites" section. You can also use an existing one if you already have your own DAGs.

+1. Use the storage account where you uploaded the DAG. (Check the "Prerequisites" section.) Test the connection and then select **Create**.

+ :::image type="content" source="media/how-does-managed-airflow-work/linked-service-details.png" alt-text="Screenshot that shows some linked service details." lightbox="media/how-does-managed-airflow-work/linked-service-details.png":::

+1. Browse and select **airflow** if you're using the sample SAS URL. You can also select the folder that contains the *dags* folder with DAG files.

+ > You can import DAGs and their dependencies through this interface. You need to select a directory path from a Blob Storage account that contains folders named *dags* and *plugins* to import those into the Airflow environment. Plugins aren't mandatory.

+ :::image type="content" source="media/how-does-managed-airflow-work/browse-storage.png" alt-text="Screenshot that shows the Browse storage button on the Import Files screen." lightbox="media/how-does-managed-airflow-work/browse-storage.png" :::

+ :::image type="content" source="media/how-does-managed-airflow-work/browse.png" alt-text="Screenshot that shows the airflow root folder on Browse." lightbox="media/how-does-managed-airflow-work/browse.png" :::

+1. Select **Import** to import files.

+ :::image type="content" source="media/how-does-managed-airflow-work/import-in-import-files.png" alt-text="Screenshot that shows the Import button on the Import Files screen." lightbox="media/how-does-managed-airflow-work/import-in-import-files.png" :::

+ :::image type="content" source="media/how-does-managed-airflow-work/import-dags.png" alt-text="Screenshot that shows importing DAGs." lightbox="media/how-does-managed-airflow-work/import-dags.png" :::

+Importing DAGs could take a couple of minutes during the preview. You can use the notification center (bell icon in the Data Factory UI) to track import status updates.

+description: This article provides step-by-step instructions for how to sync a GitHub repository by using Managed Airflow in Azure Data Factory.

+In this article, you learn how to synchronize your GitHub repository in Azure Data Factory Managed Airflow in two different ways:

+- By using **Enable git sync** in the Managed Airflow UI.

+- By using the Rest API.

+- **Azure subscription**: If you don't have an Azure subscription, create a [free Azure account](https://azure.microsoft.com/free/) before you begin. Create or select an existing [Data Factory](https://azure.microsoft.com/products/data-factory#get-started) instance in a [region where the Managed Airflow preview is supported](concept-managed-airflow.md#region-availability-public-preview).

+- **GitHub repository**: You need access to a GitHub repository.

+## Use the Managed Airflow UI

+To sync your GitHub repository by using the Managed Airflow UI:

+1. Ensure that your repository contains the necessary folders and files:

+ - **Dags/**: For Apache Airflow directed acyclic graphs (DAGs) (required).

+ - **Plugins/**: For integrating external features to Airflow.

+ :::image type="content" source="media/airflow-git-sync-repository/airflow-folders.png" alt-text="Screenshot that shows the Airflow folders structure in GitHub.":::

+1. When you create an Airflow integration runtime, select **Enable git sync** in the **Airflow environment setup** dialog.

+ :::image type="content" source="media/airflow-git-sync-repository/enable-git-sync.png" alt-text="Screenshot that shows the Enable git sync checkbox in the Airflow environment setup dialog that appears during creation of an Airflow integration runtime.":::

+1. Select one of the following supported Git service types:

+ - **GitHub**

+ - **ADO**

+ - **GitLab**

+ - **BitBucket**

+

+ :::image type="content" source="media/airflow-git-sync-repository/git-service-type.png" alt-text="Screenshot that shows the Git service type selection dropdown in the Airflow environment setup dialog that appears during creation of an Airflow integration runtime.":::

+1. Select a credential type:

+ - **None** (for a public repo): When you select this option, make sure that your repository's visibility is public. Then fill out the details:

+ - **Git repo url** (required): The clone URL for the GitHub repository you want.

+ - **Git branch** (required): The current branch, where the Git repository you want is located.

+ - **Git personal access token**:

+ After you select this option for a personal access token (PAT), fill out the remaining fields based on the selected **Git service type**:

+ - GitHub personal access token

+ - ADO personal access token

+ - GitLab personal access token

+ - BitBucket personal access token

+ :::image type="content" source="media/airflow-git-sync-repository/git-pat-credentials.png" alt-text="Screenshot that shows the Git PAT credential options in the Airflow environment setup dialog that appears during creation of an Airflow integration runtime.":::

+ - **SPN** ([service principal name](https://devblogs.microsoft.com/devops/introducing-service-principal-and-managed-identity-support-on-azure-devops/)): Only ADO supports this credential type.

+ After you select this option, fill out the remaining fields based on the selected **Git service type**:

+ - **Git repo url** (required): The clone URL to the Git repository to sync.

+ - **Git branch** (required): The branch in the repository to sync.

+ - **Service principal app id** (required): The service principal app ID with access to the ADO repo to sync.

+ - **Service principal secret** (required): A manually generated secret in the service principal whose value is used to authenticate and access the ADO repo.

+ - **Service principal tenant id** (required): The service principal tenant ID.

+

+ :::image type="content" source="media/airflow-git-sync-repository/git-spn-credentials.png" alt-text="Screenshot that shows the Git SPN credential options in the Airflow environment setup dialog that appears during creation of an Airflow integration runtime.":::

+1. Select **Create**.

+## Use the REST API

+To sync your GitHub repository by using the Rest API:

+- **Type property**:

+ |computeProperties |computeProperty |Configuration of the compute type used for the environment |

+ |airflowProperties |airflowProperty |Configuration of the Airflow properties for the environment |

+- **Compute property**:

+ |location |string |The Airflow integration runtime location defaults to the data factory region. To create an integration runtime in a different region, create a new data factory in the required region. |

+ | computeSize | string |The size of the compute node you want your Airflow environment to run on. Examples are Large or Small. Three nodes are allocated initially. |

+ | extraNodes | integer |Each extra node adds three more workers. |

+- **Airflow property**:

+ |airflowVersion | string | Current version of Airflow. For example, 2.4.3. |

+ |airflowRequirements | Array\<string\> | Python libraries you want to use. For example, ["flask-bcrypy=0.7.1"]. Can be a comma-delimited list. |

+ |airflowEnvironmentVariables | Object (Key/Value pair) | Environment variables you want to use. For example, { "SAMPLE_ENV_NAME": "test" }. |

+ |gitSyncProperties | gitSyncProperty | Git configuration properties. |

+ |enableAADIntegration | boolean | Allows Microsoft Entra ID to log in to Airflow. |

+ |userName | string or null | Username for Basic Authentication. |

+ |password | string or null | Password for Basic Authentication. |

+- **Git sync property**:

+ |gitServiceType | string | The Git service where your desired repository is located. Values are GitHub, ADO, GitLab, or BitBucket. |

+ |gitCredentialType | string | Type of Git credential. Values are PAT (for personal access token), SPN (supported only by ADO), and None. |

+ |repo | string | Repository link. |

+ |branch | string | Branch to use in the repository. |

+ |username | string | GitHub username. |

+ |Credential | string | Value of the PAT. |

+ |tenantId | string | The service principal tenant ID (supported only by ADO). |

+- **Responses**:

+ |Unauthorized | 401 | [Cloud Error](/rest/api/datafactory/factories/get?tabs=HTTP#clouderror) | Array with more error details |

+Review the following examples.

+Sample body:

+Sample response:

+Response body:

+- Git sync properties for GitHub with PAT:

+- Git sync properties for ADO with PAT:

+- Git sync properties for ADO with service principal:

+- Git sync properties for a GitHub public repo:

+## Import a private package with Git sync

+This optional process only applies when you use private packages.

+This process assumes that your private package was autosynced via Git sync. You add the package as a requirement in the Data Factory Airflow UI along with the path prefix `/opt/airflow/git/\<repoName\>/`, if you're connecting to an ADO repo. Use `/opt/airflow/git/\<repoName\>.git/` for all other Git services.

+For example, if your private package is in `/dags/test/private.whl` in a GitHub repo, you should add the requirement `/opt/airflow/git/\<repoName\>.git/dags/test/private.whl` to the Airflow environment.

+- [Change the password for Managed Airflow environments](password-change-airflow.md)

+description: Learn how to create a Managed Airflow environment.

+This article describes how to set up and configure your Azure Data Factory Managed Airflow environment.

+- **Azure subscription**: If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.

+- **Azure Data Factory**: Create or select an existing Data Factory instance in the region where the Managed Airflow preview is supported.

+## Create the environment

+To create a new Managed Airflow environment:

+1. Go to the **Manage** hub and select **Airflow (Preview)** > **+ New** to open the **Airflow environment setup** page.

+ :::image type="content" source="media/how-does-managed-airflow-work/create-new-airflow.png" alt-text="Screenshot that shows how to create a new Managed Airflow environment.":::

+1. Enter information and select options for your Airflow configuration.

+ :::image type="content" source="media/how-does-managed-airflow-work/airflow-environment-details.png" alt-text="Screenshot that shows Airflow environment details." lightbox="media/how-does-managed-airflow-work/airflow-environment-details.png":::

+ > When you use **Basic** authentication, remember the username and password specified on this page. You need them to sign in later in the Airflow UI. The default option is **Azure AD**. It doesn't require creating a username and password for your Airflow environment. Instead, it uses the signed-in user's credential for Azure Data Factory to sign in and monitor directed acyclic graphs (DAGs).

+ More options on the **Airflow environment setup** page:

+ - **Enable git sync**: You can allow your Airflow environment to automatically sync with a Git repository instead of manually importing DAGs. For more information, see [Sync a GitHub repository in Managed Airflow](airflow-sync-github-repository.md).

+ - **Airflow configuration overrides** You can override any Airflow configurations that you set in `airflow.cfg`. Examples are ``name: AIRFLOW__VAR__FOO`` and ``value: BAR``. For more information, see [Airflow configurations](airflow-configurations.md).

+ - **Environment variables**: You can use this key value store within Airflow to store and retrieve arbitrary content or settings.

+ - **Requirements**: You can use this option to preinstall Python libraries. You can update these requirements later.

+ - **Kubernetes secrets**: You can create a custom Kubernetes secret for your Airflow environment. An example is [Private registry credentials to pull images for KubernetesPodOperator](kubernetes-secret-pull-image-from-private-container-registry.md).

+1. After you fill out all the information according to the requirements, select **Create**.

+description: This article explains how to delete files in Managed Airflow.

+This article walks you through the steps to delete directed acyclic graph (DAG) files in an Azure Data Factory Managed Airflow environment.

+- **Azure subscription**: If you don't have an Azure subscription, create a [free Azure account](https://azure.microsoft.com/free/) before you begin.

+- **Azure Data Factory**: Create or select an existing [Data Factory](https://azure.microsoft.com/products/data-factory#get-started) instance in a [region where the Managed Airflow preview is supported](concept-managed-airflow.md#region-availability-public-preview).

+## Delete DAGs by using Git sync

+When you use the Git sync feature, it isn't possible to delete DAGs in Managed Airflow because all your Git source files are synchronized with Managed Airflow. We recommend removing the file from your source code repository so that your commit syncs with Managed Airflow.

+## Delete DAGs by using Azure Blob Storage

+1. In this example, you want to delete the DAG named `adf.py`.

+ :::image type="content" source="media/airflow-import-delete-dags/sample-dag-to-be-deleted.png" alt-text="Screenshot that shows the DAG to delete.":::

+1. Select the ellipsis icon and select **Delete DAG**.

+ :::image type="content" source="media/airflow-import-delete-dags/delete-dag-button.png" alt-text="Screenshot that shows the Delete DAG button.":::

+1. Enter the name of your DAG file.

+ :::image type="content" source="media/airflow-import-delete-dags/dag-filename-input.png" alt-text="Screenshot that shows the DAG filename.":::

+1. Select **Delete**.

+1. You see a message that tells you the file was successfully deleted.

+ :::image type="content" source="media/airflow-import-delete-dags/dag-delete-success.png" alt-text="Screenshot that shows successful DAG deletion.":::

+description: This article explains how to enable Azure Key Vault as the secret back end for a Managed Airflow instance.

+Apache Airflow offers various back ends for securely storing sensitive information such as variables and connections. One of these options is Azure Key Vault. This article walks you through the process of configuring Key Vault as the secret back end for Apache Airflow within a Managed Airflow environment.

+> [!NOTE]

+> Managed Airflow for Azure Data Factory relies on the open-source Apache Airflow application. For documentation and more tutorials for Airflow, see the Apache Airflow [Documentation](https://airflow.apache.org/docs/) or [Community](https://airflow.apache.org/community/) webpages.

+## Prerequisites

+- **Azure subscription**: If you don't have an Azure subscription, create a [free Azure account](https://azure.microsoft.com/free/) before you begin.

+- **Azure Storage account**: If you don't have a storage account, see [Create an Azure Storage account](/azure/storage/common/storage-account-create?tabs=azure-portal) for steps to create one. Ensure the storage account allows access only from selected networks.

+- **Azure Key Vault**: You can follow [this tutorial to create a new Key Vault instance](/azure/key-vault/general/quick-create-portal) if you don't have one.

+- **Service principal**: You can [create a new service principal](/azure/active-directory/develop/howto-create-service-principal-portal) or use an existing one and grant it permission to access your Key Vault instance. For example, you can grant the **key-vault-contributor role** to the service principal name (SPN) for your Key Vault instance so that the SPN can manage it. You also need to get the service principal's **Client ID** and **Client Secret** (API Key) to add them as environment variables, as described later in this article.

+Assign your SPN the following roles in your Key Vault instance from the [built-in roles](/azure/role-based-access-control/built-in-roles):

+## Enable the Key Vault back end for a Managed Airflow instance

+To enable Key Vault as the secret back end for your Managed Airflow instance:

+1. Go to the [Managed Airflow instance's integration runtime environment](how-does-managed-airflow-work.md).

+1. Install [apache-airflow-providers-microsoft-azure](https://airflow.apache.org/docs/apache-airflow-providers-microsoft-azure/stable/https://docsupdatetracker.net/index.html) for the **Airflow requirements** during your initial Airflow environment setup.

+ :::image type="content" source="media/enable-azure-key-vault-for-managed-airflow/airflow-environment-setup.png" alt-text="Screenshot that shows the Airflow Environment Setup window highlighting the Airflow requirements." lightbox="media/enable-azure-key-vault-for-managed-airflow/airflow-environment-setup.png":::

+1. Add the following settings for the **Airflow configuration overrides** in integration runtime properties:

+ - **AIRFLOW__SECRETS__BACKEND**: `airflow.providers.microsoft.azure.secrets.key_vault.AzureKeyVaultBackend`

+ - **AIRFLOW__SECRETS__BACKEND_KWARGS**: `{"connections_prefix": "airflow-connections", "variables_prefix": "airflow-variables", "vault_url": **\<your keyvault uri\>**}`

+ :::image type="content" source="media/enable-azure-key-vault-for-managed-airflow/airflow-configuration-overrides.png" alt-text="Screenshot that shows the configuration of the Airflow configuration overrides setting in the Airflow environment setup." lightbox="media/enable-azure-key-vault-for-managed-airflow/airflow-configuration-overrides.png":::

+1. Add the following variables for the **Environment variables** configuration in the Airflow integration runtime properties:

+ :::image type="content" source="media/enable-azure-key-vault-for-managed-airflow/environment-variables.png" alt-text="Screenshot that shows the Environment variables section of the Airflow integration runtime properties." lightbox="media/enable-azure-key-vault-for-managed-airflow/environment-variables.png":::

+1. Then you can use variables and connections and they're stored automatically in Key Vault. The names of the connections and variables need to follow `AIRFLOW__SECRETS__BACKEND_KWARGS`, as defined previously. For more information, see [Azure Key Vault as secret back end](https://airflow.apache.org/docs/apache-airflow-providers-microsoft-azure/stable/secrets-backends/azure-key-vault.html).

+## Sample DAG using Key Vault as the back end

+1. Create the new Python file `adf.py` with the following contents:

+1. Store variables for connections in Key Vault. For more information, see [Store credentials in Azure Key Vault](store-credentials-in-key-vault.md).

+ :::image type="content" source="media/enable-azure-key-vault-for-managed-airflow/secrets-configuration.png" alt-text="Screenshot that shows the configuration of secrets in Azure Key Vault." lightbox="media/enable-azure-key-vault-for-managed-airflow/secrets-configuration.png":::

+- [Change the password for Managed Airflow environments](password-change-airflow.md)

+This article explains how to add a Kubernetes secret to pull a custom image from a private Azure Container Registry within the Azure Data Factory Managed Airflow environment.

+> [!NOTE]

+> Managed Airflow for Azure Data Factory relies on the open-source Apache Airflow application. You can find documentation and more tutorials for Airflow on the Apache Airflow [Documentation](https://airflow.apache.org/docs/) or [Community](https://airflow.apache.org/community/) webpages.

+- **Azure subscription**: If you don't have an Azure subscription, create a [free Azure account](https://azure.microsoft.com/free/) before you begin.

+- **Azure Storage account**: If you don't have a storage account, see [Create an Azure Storage account](/azure/storage/common/storage-account-create?tabs=azure-portal) for steps to create one. Ensure the storage account allows access only from selected networks.

+- **Azure Container Registry**: Configure an [Azure Container Registry](/azure/container-registry/container-registry-get-started-portal?tabs=azure-cli) with the custom Docker image you want to use in the directed acyclic graph (DAG). For more information on push and pull container images, see [Push and pull container image - Azure Container Registry](/azure/container-registry/container-registry-get-started-docker-cli?tabs=azure-cli).

+### Create a new Managed Airflow environment

+Open Azure Data Factory Studio and on the toolbar on the left, select the **Manage** tab. Then under **Workflow orchestration manager**, select **Apache Airflow**. Finally, select **+ New** to create a new Managed Airflow environment.

+### Add a Kubernetes secret

+On the **Airflow environment setup** window, scroll to the bottom and expand the **Advanced** section. Then under **Kubernetes secrets**, select **+ New**.

+### Configure authentication

+Provide the required field **Secret name**. For **Secret type**, select **Private registry auth**. Then enter information in the other required fields. The **Registry server URL** should be the URL of your private container registry, for example, ```\registry_name\>.azurecr.io```.

+After you enter information in the required fields, select **Apply** to add the secret.

+- [Change the password for Managed Airflow environments](password-change-airflow.md)

+ Title: REST APIs for the Managed Airflow integration runtime

+description: This article documents the REST APIs for the Managed Airflow integration runtime.

+# REST APIs for the Managed Airflow integration runtime

+This article documents the REST APIs for the Azure Data Factory Managed Airflow integration runtime.

+> [!NOTE]

+> Managed Airflow for Azure Data Factory relies on the open-source Apache Airflow application. You can find documentation and more tutorials for Airflow on the Apache Airflow [Documentation](https://airflow.apache.org/docs/) or [Community](https://airflow.apache.org/community/) webpages.

+ |dataFactoryName | path | True | string | Name of the Azure Data Factory instance (Regex pattern: ```^[A-Za-z0-9]+(?:-[A-Za-z0-9]+)*$``` |

+- **Type property**:

+ |computeProperties |computeProperty |Configuration of the compute type used for the environment |

+ |airflowProperties |airflowProperty |Configuration of the Airflow properties for the environment |

+- **Compute property**:

+ |location |string |The Airflow integration runtime location defaults to the data factory region. To create an integration runtime in a different region, create a new data factory in the required region. |

+ | computeSize | string |The size of the compute node you want your Airflow environment to run on. Examples are Large or Small. Three nodes are allocated initially. |

+ | extraNodes | integer |Each extra node adds three more workers. |

+- **Airflow property**:

+ |airflowVersion | string | Current version of Airflow. For example, 2.4.3. |

+ |airflowRequirements | Array\<string\> | Python libraries you want to use. For example, ["flask-bcrypy=0.7.1"]. Can be a comma-delimited list. |

+ |airflowEnvironmentVariables | Object (Key/Value pair) | Environment variables you want to use. For example, { "SAMPLE_ENV_NAME": "test" }. |

+ |gitSyncProperties | gitSyncProperty | Git configuration properties. |

+ |enableAADIntegration | boolean | Allows Microsoft Entra ID to log in to Airflow. |

+ |userName | string or null | Username for Basic Authentication. |

+ |password | string or null | Password for Basic Authentication. |

+- **Git sync property**:

+ |gitServiceType | string | The Git service where your desired repository is located. Values are GitHub, ADO, GitLab, or BitBucket. |

+ |gitCredentialType | string | Type of Git credential. Values are PAT (for personal access token) and None. |

+ |repo | string | Repository link. |

+ |branch | string | Branch to use in the repository. |

+ |username | string | GitHub username. |

+ |Credential | string | Value of the PAT. |

+- **Responses**:

+ |Unauthorized | 401 | [Cloud Error](/rest/api/datafactory/factories/get?tabs=HTTP#clouderror) | Array with more error details |

+ |IntegrationRuntimeName | string | Airflow environment name. |

+ |LinkedServiceName | string | Azure Blob Storage account name where DAGs to be imported are located. |

+ |StorageFolderPath | string | Path to the folder in Azure Blob Storage with the DAGs. |

+ |Overwrite | boolean | Overwrite the existing DAGs (Default=True). |

+ |CopyFolderStructure | boolean | Controls whether the folder structure is copied or not. |

+- **Responses**:

+ |Unauthorized | 401 | [Cloud Error](/rest/api/datafactory/factories/get?tabs=HTTP#clouderror) | Array with more error details |

+Review the following examples.

+### Create a new environment by using REST APIs

+Sample body:

+Sample response:

+Response body:

+Sample request:

+Sample body:

+Sample response:

+ - Vulnerability reports for registry container images are provided as a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/AwsContainerRegistryRecommendationDetailsBlade/assessmentKey/c27441ae-775c-45be-8ffa-655de37362ce).

+ - Vulnerability reports for registry container images are provided as a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/AzureContainerRegistryRecommendationDetailsBlade/assessmentKey/c0b7cfc6-3172-465a-b378-53c7ff2cc0d5).

+ Title: Vulnerability assessment for Azure powered by Qualys (Deprecated)

+# Vulnerability assessment for Azure powered by Qualys (Deprecated)

+> [!IMPORTANT]

+>

+> The Defender for Cloud Containers Vulnerability Assessment powered by Qualys is now on a retirement path completing on **March 1st, 2024**. If you are currently using container vulnerability assessment powered by Qualys, start planning your transition to [Vulnerability assessments for Azure with Microsoft Defender Vulnerability Management](agentless-vulnerability-assessment-azure.md).

+>

+> - For more information about our decision to unify our vulnerability assessment offering with Microsoft Defender Vulnerability Management, see [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/defender-for-cloud-unified-vulnerability-assessment-powered-by/ba-p/3990112).

+>

+> - For more information about migrating to our new container vulnerability assessment offering powered by Microsoft Defender Vulnerability Management, see [Transition from Qualys to Microsoft Defender Vulnerability Management](transition-to-defender-vulnerability-management.md).

+>

+> - For common questions about the transition to Microsoft Defender Vulnerability Management, see [Common questions about the Microsoft Defender Vulnerability Management solution](common-questions-microsoft-defender-vulnerability-management.md).

+> [!IMPORTANT]

+> Defender for Server's vulnerability assessment solution powered by Qualys, is on a retirement path that set to complete on **May 1st, 2024**. If you are a currently using the built-in vulnerability assessment powered by Qualys, you should plan to [transition to the Microsoft Defender Vulnerability Management vulnerability scanning solution](how-to-transition-to-built-in.md).

+>

+> For more information about our decision to unify our vulnerability assessment offering with Microsoft Defender Vulnerability Management, see [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/defender-for-cloud-unified-vulnerability-assessment-powered-by/ba-p/3990112).

+>

+> Check out the [common questions](faq-scanner-detection.yml) regarding the transition to Microsoft Defender Vulnerability Management.

+>

+> Customers who want to continue using Qualys, can do so with the [Bring Your Own License (BYOL) method](deploy-vulnerability-assessment-byol-vm.md).

+ Title: Enable vulnerability scanning with the integrated Qualys scanner (deprecated)

+# Enable vulnerability scanning with the integrated Qualys scanner (deprecated)

+> [!IMPORTANT]

+> Defender for Server's vulnerability assessment solution powered by Qualys, is on a retirement path that set to complete on **May 1st, 2024**. If you are a currently using the built-in vulnerability assessment powered by Qualys, you should plan to [transition to the Microsoft Defender Vulnerability Management vulnerability scanning solution](how-to-transition-to-built-in.md).

+>

+> For more information about our decision to unify our vulnerability assessment offering with Microsoft Defender Vulnerability Management, see [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/defender-for-cloud-unified-vulnerability-assessment-powered-by/ba-p/3990112).

+>

+> Check out the [common questions](faq-scanner-detection.yml) regarding the transition to Microsoft Defender Vulnerability Management.

+>

+> Customers who want to continue using Qualys, can do so with the [Bring Your Own License (BYOL) method](deploy-vulnerability-assessment-byol-vm.md).

+> [Agentless secrets scanning for virtual machines](episode-forty-two.md)

+ Title: Agentless secrets scanning for virtual machines | Defender for Cloud in the field

+description: Learn about agentless secrets scanning for virtual machines

+# Agentless secrets scanning for virtual machines

+**Episode description**: In this episode of Defender for Cloud in the Field, Ortal Parpara joins Yuri Diogenes to talk about agentless secrets scanning for virtual machines in Microsoft Defender for Cloud. Ortal explains the use case scenario for this feature, how the feature works, and the prerequisites for this feature to work. The demonstration shows how the attack path uses this feature to provide more insights about secrets that are located in virtual machines, and how it can be used to detect potential cross-cloud attacks.

+> [!VIDEO https://aka.ms/docs/player?id=3eb19963-8988-44eb-8052-e2255616a95e]

+- [01:18](/shows/mdc-in-the-field/agentless-secret-scanning-for-virtual-machines#time=01m18s) - Understanding secrets scanning capability for VMs in Defender for Cloud

+- [02:40](/shows/mdc-in-the-field/agentless-secret-scanning-for-virtual-machines#time=02m40s) - How agentless scanning for VMs works

+- [04:30](/shows/mdc-in-the-field/agentless-secret-scanning-for-virtual-machines#time=04m30s) - Secrets detection

+- [06:50](/shows/mdc-in-the-field/agentless-secret-scanning-for-virtual-machines#time=06m50s) - Performance considerations

+- [08:32](/shows/mdc-in-the-field/agentless-secret-scanning-for-virtual-machines#time=08m32s) - Demonstration

+## Recommended resources

+- Learn more about [Microsoft Security](https://msft.it/6002T9HQY).

+- Subscribe to [Microsoft Security on YouTube](https://www.youtube.com/playlist?list=PL3ZTgFEc7LysiX4PfHhdJPR7S8mGO14YS).

+- Follow us on social media:

+ - [LinkedIn](https://www.linkedin.com/showcase/microsoft-security/)

+ - [Twitter](https://twitter.com/msftsecurity)

+- Join our [Tech Community](https://aka.ms/SecurityTechCommunity).

+## Next steps

+> [!div class="nextstepaction"]

+> [New AWS Connector in Microsoft Defender for Cloud](episode-one.md)

+ Title: Transition to Microsoft Defender Vulnerability Management for servers

+# Transition to Microsoft Defender Vulnerability Management for servers

+> [!IMPORTANT]

+> Defender for Server's vulnerability assessment solution powered by Qualys, is on a retirement path that is set to complete on **May 1st, 2024**. If you are a currently using the built-in vulnerability assessment powered by Qualys, you should plan to transition to the Microsoft Defender Vulnerability Management vulnerability scanning using the steps on this page.

+>

+> For more information about our decision to unify our vulnerability assessment offering with Microsoft Defender Vulnerability Management, see [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/defender-for-cloud-unified-vulnerability-assessment-powered-by/ba-p/3990112).

+>

+> Check out the [common questions](faq-scanner-detection.yml) regarding the transition to Microsoft Defender Vulnerability Management.

+>

+> Customers who want to continue using Qualys, can do so with the [Bring Your Own License (BYOL) method](deploy-vulnerability-assessment-byol-vm.md).

+Microsoft Defender Vulnerability Management integrates across many cloud native use cases, such as containers ship and runtime scenarios. As part of this change, we're retiring our built-in vulnerability assessments offering powered by Qualys.

+> [!IMPORTANT]

+> The Defender for Cloud Containers Vulnerability Assessment powered by Qualys is now on a retirement path completing on **March 1st, 2024**.

+>

+> Customers that onboarded at least one subscription to Defender for Containers prior to **November 15th, 2023** can continue to use Container Vulnerability Assessment powered by Qualys until **March 1st, 2024**.

+>

+> For more information about the change, see [Defender for Cloud unifies Vulnerability Assessment solution powered by Microsoft Defender Vulnerability Management](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/defender-for-cloud-unified-vulnerability-assessment-powered-by/ba-p/3990112).

+If you're currently using the built vulnerability assessment solution powered by Qualys, start planning for the upcoming retirement by following the steps on this page.

+| [Azure registry container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)-Preview](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/AzureContainerRegistryRecommendationDetailsBlade/assessmentKey/c0b7cfc6-3172-465a-b378-53c7ff2cc0d5) | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. | c0b7cfc6-3172-465a-b378-53c7ff2cc0d5 |

+| [Defender for Servers built-in vulnerability assessment (Qualys) retirement path](#defender-for-servers-built-in-vulnerability-assessment-qualys-retirement-path) | January 9, 2024 | May 2024 |

+| [Retirement of the Defender for Cloud Containers Vulnerability Assessment powered by Qualys](#retirement-of-the-defender-for-cloud-containers-vulnerability-assessment-powered-by-qualys) | January 9, 2023 | March 2024 |

+## Defender for Servers built-in vulnerability assessment (Qualys) retirement path

+**Announcement date: January 9, 2024**

+**Estimated date for change: May 2024**

+The Defender for Servers built-in vulnerability assessment solution powered by Qualys is on a retirement path which is estimated to complete on **May 1st, 2024**. If you are currently using the vulnerability assessment solution powered by Qualys, you should plan your [transition to the integrated Microsoft defender vulnerability management solution](how-to-transition-to-built-in.md).

+

+For more information about our decision to unify our vulnerability assessment offering with Microsoft Defender Vulnerability Management, you can read [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/defender-for-cloud-unified-vulnerability-assessment-powered-by/ba-p/3990112).

+You can also check out the [common questions about the transition to Microsoft Defender Vulnerability Management solution](faq-scanner-detection.yml).

+## Retirement of the Defender for Cloud Containers Vulnerability Assessment powered by Qualys

+**Announcement date: January 9, 2023**

+**Estimated date for change: March 2024**

+The Defender for Cloud Containers Vulnerability Assessment powered by Qualys is now on a retirement path completing on **March 1st, 2024**. If you are currently using container vulnerability assessment powered by Qualys, start planning your transition to [Vulnerability assessments for Azure with Microsoft Defender Vulnerability Management](agentless-vulnerability-assessment-azure.md).

+For more information about our decision to unify our vulnerability assessment offering with Microsoft Defender Vulnerability Management, see [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/defender-for-cloud-unified-vulnerability-assessment-powered-by/ba-p/3990112).

+For more information about transitioning to our new container vulnerability assessment offering powered by Microsoft Defender Vulnerability Management, see [Transition from Qualys to Microsoft Defender Vulnerability Management](transition-to-defender-vulnerability-management.md).

+For common questions about the transition to Microsoft Defender Vulnerability Management, see [Common questions about the Microsoft Defender Vulnerability Management solution](common-questions-microsoft-defender-vulnerability-management.md).

+ - IPv4 address range: 10.0.0.0/16

+## OSDU groups structure and naming

+The entitlements service of Azure Data Manager for Energy allows you to create groups and manage memberships of the groups. An entitlement group defines permissions on services/data sources for a given data partition in your Azure Data Manager for Energy instance. Users added to a given group obtain the associated permissions. All group identifiers (emails) are of form `{groupType}.{serviceName|resourceName}.{permission}@{partition}.{domain}`.

+ 1. The data groups start with the word "data." such as data.welldb.viewers and data.welldb.owners.

+ 1. The service groups start with the word "service." such as service.storage.user and service.storage.admin.

+ 1. The service groups start with the word "users." such as users.datalake.viewers and users.datalake.editors.

+ 3. There's one exception of this group naming rule for "users" group. It gets created when a new data partition is provisioned and its name follows the pattern of `users@{partition}.{domain}`. It has the list of all the users with any type of access in a given data partition. Before adding a new user to any entitlement groups, you need to add the new user to the `users@{partition}.{domain}` group as well.

+1. To provision the Azure Data Manager for Energy platform, you must register your app in the [Azure portal app registration page](https://go.microsoft.com/fwlink/?linkid=2083908). You can use either a Microsoft account or a work or school account to register an app. For steps on how to configure, see [Register your app documentation](../active-directory/develop/quickstart-register-app.md#register-an-application).

+2. In the app overview section, if there's no redirect URIs specified, you can add a platform, select "Web", add `http://localhost:8080`, and select save.

+3. Fetch the `redirect-uri` (or reply URL) for your app to receive responses from Microsoft Entra ID.

+1. Create [Azure Data Manager for Energy instance](quickstart-create-microsoft-energy-data-services-instance.md).

+2. Navigate to your Azure Data Manager for Energy *Overview* page on the Azure portal.

+3. Copy the URI from the essentials pane.

+1. After replacing the parameters, you can paste the request in the URL of any browser and hit enter.

+3. You might see 'can't reach this page' error in the browser. You can ignore that.

+

+4. The browser redirects to `http://localhost:8080/?code={authorization code}&state=...` upon successful authentication.

+5. Copy the response from the URL bar of the browser and fetch the text between `code=` and `&state`

+6. This is the `authorization_code` to keep handy for future use.

+

+#### Request format

+ ```bash

+ &redirect_uri={redirect-uri}

+Run the below curl command in Azure Cloud Bash to get all the groups that are available for you or you have access to in the given data partition of Azure Data Manager for the Energy instance.

+ Title: Create a policy assignment with Bicep file

+description: In this quickstart, you use a Bicep file to create an Azure policy assignment that identifies non-compliant resources.

+# Quickstart: Create a policy assignment to identify non-compliant resources by using a Bicep file

+In this quickstart, you use a Bicep file to create a policy assignment that validates resource's compliance with an Azure policy. The policy is assigned to a resource group scope and audits if virtual machines use managed disks. Virtual machines deployed in the resource group that don't use managed disks are _non-compliant_ with the policy assignment.

+> [!NOTE]

+> Azure Policy is a free service. For more information, go to [Overview of Azure Policy](./overview.md).

+- If you don't have an Azure account, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+- [Bicep](../../azure-resource-manager/bicep/install.md).

+- [Azure PowerShell](/powershell/azure/install-az-ps) or [Azure CLI](/cli/azure/install-azure-cli).

+- [Visual Studio Code](https://code.visualstudio.com/) and the [Bicep extension for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-bicep).

+- `Microsoft.PolicyInsights` must be [registered](../../azure-resource-manager/management/resource-providers-and-types.md) in your Azure subscription.

+The Bicep file creates a policy assignment for a resource group scope and assigns the built-in policy definition [Audit VMs that do not use managed disks](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VMRequireManagedDisk_Audit.json). For a list of available built-in policies, see [Azure Policy samples](./samples/index.md).

+Create the following Bicep file as _policy-assignment.bicep_.

+1. Open Visual Studio Code and select **File** > **New Text File**.

+1. Copy and paste the Bicep file into Visual Studio Code.

+1. Select **File** > **Save** and use the filename _policy-policy-assignment.bicep_.

+param policyAssignmentName string = 'audit-vm-managed-disks'

+resource assignment 'Microsoft.Authorization/policyAssignments@2023-04-01' = {

+ name: policyAssignmentName

+ scope: resourceGroup()

+ properties: {

+ policyDefinitionId: policyDefinitionID

+ description: 'Policy assignment to resource group scope created with Bicep file'

+ displayName: 'audit-vm-managed-disks'

+ nonComplianceMessages: [

+ {

+ message: 'Virtual machines should use managed disks'

+ }

+ ]

+ }

+The resource type defined in the Bicep file is [Microsoft.Authorization/policyAssignments](/azure/templates/microsoft.authorization/policyassignments).

+For more information about Bicep files:

+- To find more Bicep samples, go to [Browse code samples](/samples/browse/?expanded=azure&languages=bicep).

+- To learn more about template reference's for deployments, go to [Azure template reference](/azure/templates/microsoft.authorization/allversions).

+- To learn how to develop Bicep files, go to [Bicep documentation](../../azure-resource-manager/bicep/overview.md).

+- To learn about subscription-level deployments, go to [Subscription deployments with Bicep files](../../azure-resource-manager/bicep/deploy-to-subscription.md).

+## Deploy the Bicep file

+You can deploy the Bicep file with Azure PowerShell or Azure CLI.

+From a Visual Studio Code terminal session, connect to Azure. If you have more than one subscription, run the commands to set context to your subscription. Replace `<subscriptionID>` with your Azure subscription ID.

+# [PowerShell](#tab/azure-powershell)

+```azurepowershell

+Connect-AzAccount

+# Run these commands if you have multiple subscriptions

+Get-AzSubScription

+Set-AzContext -Subscription <subscriptionID>

+```

+# [Azure CLI](#tab/azure-cli)

+```azurecli

+az login

+# Run these commands if you have multiple subscriptions

+az account list --output table

+az account set --subscription <subscriptionID>

+```

+The following commands create a resource group and deploy the policy definition.

+```azurepowershell

+New-AzResourceGroup -Name "PolicyGroup" -Location "westus"

+ -TemplateFile policy-assignment.bicep

+```azurecli

+az group create --name "PolicyGroup" --location "westus"

+ --template-file policy-assignment.bicep

+The Bicep file outputs the policy `assignmentId`. You create a variable for the policy assignment ID in the commands that validate the deployment.

+After the policy assignment is deployed, virtual machines that are deployed to the _PolicyGroup_ resource group are audited for compliance with the managed disk policy.

+1. Sign in to [Azure portal](https://portal.azure.com)

+1. Go to **Policy** and select **Compliance** on the left side of the page.

+1. Search for the _audit-vm-managed-disks_ policy assignment.

+The **Compliance state** for a new policy assignment is shown as **Not started** because it takes a few minutes to become active.

+For more information, go to [How compliance works](./concepts/compliance-states.md).

+You can also get the compliance state with Azure PowerShell or Azure CLI.

+# [PowerShell](#tab/azure-powershell)

+```azurepowershell

+# Verifies policy assignment was deployed

+$rg = Get-AzResourceGroup -Name "PolicyGroup"

+Get-AzPolicyAssignment -Name "audit-vm-managed-disks" -Scope $rg.ResourceId

+# Shows the number of non-compliant resources and policies

+$policyid = (Get-AzPolicyAssignment -Name "audit-vm-managed-disks" -Scope $rg.ResourceId)

+Get-AzPolicyStateSummary -ResourceId $policyid.ResourceId

+```

+The `$rg` variable stores the resource group's properties and `Get-AzPolicyAssignment` shows your policy assignment. The `$policyid` variable stores the policy assignment's resource ID, and `Get-AzPolicyStateSummary` shows the number of non-compliant resources and policies.

+# [Azure CLI](#tab/azure-cli)

+```azurecli

+# Verifies policy assignment was deployed

+rg=$(az group show --resource-group PolicyGroup --query id --output tsv)

+az policy assignment show --name "audit-vm-managed-disks" --scope $rg

+# Shows the number of non-compliant resources and policies

+policyid=$(az policy assignment show --name "audit-vm-managed-disks" --scope $rg --query id --output tsv)

+az policy state summarize --resource $policyid

+```

+The `$rg` variable stores the resource group's properties and `az policy assignment show` displays your policy assignment. The `$policyid` variable stores the policy assignment's resource ID and `az policy state summarize` shows the number of non-compliant resources and policies.

+## Clean up resources

+To remove the assignment from Azure, follow these steps:

+1. Select **Compliance** in the left side of the Azure Policy page.

+1. Locate the _audit-vm-managed-disks_ policy assignment.

+1. Right-click the _audit-vm-managed-disks_ policy assignment and select **Delete

+ :::image type="content" source="./media/assign-policy-bicep/delete-assignment.png" alt-text="Screenshot of the context menu to delete an assignment from the Policy Compliance page.":::

+1. Delete the resource group _PolicyGroup_. Go to the Azure resource group and select **Delete resource group**.

+1. Delete the _policy-assignment.bicep_ file.

+You can also delete the policy assignment and resource group with Azure PowerShell or Azure CLI.

+# [PowerShell](#tab/azure-powershell)

+```azurepowershell

+Remove-AzPolicyAssignment -Id $policyid.ResourceId

+Remove-AzResourceGroup -Name "PolicyGroup"

+# Sign out of Azure

+Disconnect-AzAccount

+```

+# [Azure CLI](#tab/azure-cli)

+```azurecli

+az policy assignment delete --name "audit-vm-managed-disks" --scope $rg

+az group delete --name PolicyGroup

+# Sign out of Azure

+az logout

+```

+In this quickstart, you assigned a built-in policy definition to a resource group scope and reviewed its compliance report. The policy definition audits if the virtual machine resources in the resource group are compliant and identifies resources that aren't compliant.

+tutorial.

+HDInsight provides various example data sets, which are stored in the `/example/data` and `/HdiSamples` directory. These directories are in the default storage for your cluster. In this document, we use the `/example/data/gutenberg/davinci.txt` file. This file contains the notebooks of `Leonardo da Vinci`.

+| [SSH](apache-hadoop-use-mapreduce-ssh.md) |Use the Hadoop command through **SSH** |Linux, Unix, `MacOS X`, or Windows |

+| [Curl](apache-hadoop-use-mapreduce-curl.md) |Submit the job remotely by using **REST** |Linux, Unix, `MacOS X`, or Windows |

+The curl command retrieves a JSON document with HBase configuration information, and the `grep` command returns only the "hbase.zookeeper.quorum" entry, for example:

+Replace `CLUSTERNAME`, and `RESOURCEGROUP` with the relevant values and then enter the following commands:

+* To list all of the applications for the HDInsight cluster.

+Replace `NAME`, `CLUSTERNAME`, and `RESOURCEGROUP` with the relevant values and then enter the following command:

+* Consider whether a monitoring solution or service would be a useful benefit. The Microsoft System Center provides an [HDInsight management pack](https://systemcenter.wiki/?Get_ManagementPackBundle=Microsoft.HDInsight.mpb&FileMD5=10C7D975C6096FFAA22C84626D211259). You can also use third-party tools such as Apache Chukwa and Ganglia to collect and centralize logs. Many companies offer services to monitor Hadoop-based big data solutions, for example: `Centerity`, Compuware APM, Sematext SPM, and Zettaset Orchestrator.

+The aggregated logs aren't directly readable, as they're written in a `TFile` binary format indexed by container. Use the YARN `ResourceManager` logs or CLI tools to view these logs as plain text for applications or containers of interest.

+|FHIR Applications were down in EUS2 region|January 8, 2024 2 pm PST|--|January 8, 2024 4:15 pm PST|

+|API queries to FHIR service returned Internal Server error in UK south region |August 10, 2023 9:53 am PST|--|August 10, 2023 10:43 am PST|

+ - `tableName`: The name of the Delta table to create or append to in the Data Lake Storage account. This field is also known as the container name when used with Azure Data Lake Storage Gen2. It can contain any **lower case** English letter, and underbar `_`, with length up to 256 characters. No dashes `-` or space characters are allowed.

+ tableName: "orders"

+For this quickstart, we recommend GitHub Codespaces as a quick way to get started in a virtual environment without installing new tools. Or, use Azure Kubernetes Service (AKS) Edge Essentials to create a cluster on Windows devices or K3s on Ubuntu Linux devices.

+* In this quickstart, you use the `AksEdgeQuickStartForAio.ps1` script to set up an AKS Edge Essentials single-machine K3S Linux-only cluster. To learn more, see the [AKS Edge Essentials system requirements](/azure/aks/hybrid/aks-edge-system-requirements). For this quickstart, ensure that your machine has a minimum of 10 GB RAM, 4 vCPUs, and 40 GB free disk space.

+* An Azure subscription. If you don't have an Azure subscription, [create one for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+#### Prerequisites if backing up and restoring using user assigned managed identity:

+1. Ensure you have the Azure CLI version 2.56.0 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install the Azure CLI](/cli/azure/install-azure-cli).

+### Backup HSM using user assigned managed identity

+### Restore HSM using user assigned managed identity

+### Selective key restore using user assigned managed identity

+- **[Cross-region replication](../../availability-zones/cross-region-replication-azure.md)**. You can use multi region replication in Managed HSM to deploy HSMs in a secondary region.

+A managed HSM security domain serves the following purposes:

+When the external clients to the backend VMs go through the load balancer, the IP address of the clients is used for the communication. Make sure the IP address of the clients are added into the NSG allowlist.

+## Problem: No outbound connectivity from Standard internal Load Balancers (ILB)

+### Validation and Resolution

+## Problem: No inbound connectivity to Standard external Load Balancers (ELB)

+### Cause

+Standard load balancers and standard public IP addresses are closed to inbound connections unless opened by Network Security Groups. NSGs are used to explicitly permit allowed traffic. If you don't have an NSG on a subnet or NIC of your virtual machine resource, traffic isn't allowed to reach this resource.

+### Resolution

+## Problem: Can't change backend port for existing LB rule of a load balancer that has Virtual Machine Scale Set deployed in the backend pool.

+### Cause

+The backend port can't be modified for a load balancing rule that's used by a health probe for load balancer referenced by Virtual Machine Scale Set

+### Resolution

+## Problem: Small traffic is still going through load balancer after removing VMs from backend pool of the load balancer.

+### Cause

+VMs removed from backend pool should no longer receive traffic. The small amount of network traffic could be related to storage, DNS, and other functions within Azure.

+### Resolution

+## Problem: Load Balancer in failed state

+### Resolution

+## Network captures needed for troubleshooting and support cases

+If you decide to open a support case, collect the following information for a quicker resolution. Choose a single backend VM to perform the following tests:

+- Use `ps ping` from one of the backend VMs within the virtual network to test the probe port response (example: ps ping 10.0.0.4:3389) and record results.

+- If no response is received in these ping tests, run a simultaneous Netsh trace on the backend VM and the virtual network test VM while you run PsPing then stop the Netsh trace.

+-

+In *multitenant* Azure Logic Apps, deployment depends on Azure Resource Manager templates (ARM templates), which combine and handle resource provisioning for both logic apps and infrastructure. This design poses a challenge when you have to maintain environment variables for logic apps across various dev, test, and production environments. Everything in an ARM template is defined at deployment. If you need to change just a single variable, you have to redeploy everything.

+Both of the following settings are used to manually stop and immediately delete the specified workflows in Standard logic app.

+> [!NOTE]

+>

+> Use these settings with caution and only in non-production environments, such as load

+> or performance test environments, as you can't undo or recover from these operations.

+| Setting | Default value | Description |

+|||-|

+| `Jobs.CleanupJobPartitionPrefixes` | None | Immediately deletes all the run jobs for the specified workflows. |

+| `Jobs.SuspendedJobPartitionPartitionPrefixes` | None | Stops the run jobs for the specified workflows. |

+The following example shows the syntax for these settings where each workflow ID is followed by a colon (**:**) and separated by a semicolon (**;**):

+```json

+"Jobs.CleanupJobPartitionPrefixes": "<workflow-ID-1>:; <workflow-ID-2:",

+"Jobs.SuspendedJobPartitionPrefixes": "<workflow-ID-1>:; <workflow-ID-2>:"

+```

+| `Runtime.Backend.HttpOperation.MaxContentSize` | `104857600` bytes | Sets the maximum request size in bytes for HTTP actions only, not triggers. For more information, see [Limitations](#limitations). |

+| `Runtime.Backend.HttpWebhookOperation.MaxContentSize` | `104857600` bytes | Sets the maximum request size in bytes for HTTP webhook actions only, not triggers. For more information, see [Limitations](#limitations). |

+| `Runtime.Backend.FunctionOperation.MaxContentSize` | `104857600` bytes | Sets the maximum request size in bytes for Azure Functions actions. For more information, see [Limitations](#limitations). |

+| `Runtime.Backend.ApiConnectionOperation.MaxContentSize` | `104857600` bytes | Sets the maximum request size in bytes for managed API connector triggers and actions. For more information, see [Limitations](#limitations). |

+### Limitations

+- Maximum content size

+ By default, built-in triggers, such as HTTP or Request, are limited to the message size described in [Limits and configuration reference - Messages](logic-apps-limits-and-config.md#messages). To handle files larger than the limit, try uploading your content as a blob to [Azure Blob Storage](../storage/blobs/storage-blobs-introduction.md), and then get your content using the [Azure Blob connector](../connectors/connectors-create-api-azureblobstorage.md).

+This reference guide describes the limits and configuration information for Azure Logic Apps and related resources. Based on your scenario, solution requirements, the capabilities that you want, and the environment where you want to run your workflows, you choose whether to create a Consumption logic app workflow that runs in *multitenant* Azure Logic Apps or an integration service environment (ISE). Or, create a Standard logic app workflow that runs in *single-tenant* Azure Logic Apps or an App Service Environment (v3 - Windows plans only).

+The following table briefly summarizes differences between a Consumption logic app and a Standard logic app. You'll also learn how single-tenant Azure Logic Apps compares to multitenant Azure Logic Apps and an ISE for deploying, hosting, and running your logic app workflows.

+| Name | Multitenant | Single-tenant | Integration service environment | Notes |

+* In multitenant Azure Logic Apps, the 90-day default limit is the same as the maximum limit. You can only decrease this value.

+| Name | Multitenant | Single-tenant | Integration service environment | Notes |

+| Concurrent iterations | Concurrency off: 20 <br><br>Concurrency on: <br><br>- Default: 20 <br>- Min: 1 <br>- Max: 50 | Concurrency off: 20 <br>(Default) <br><br>Concurrency on: <br><br>- Default: 20 <br>- Min: 1 <br>- Max: 50 | Concurrency off: 20 <br><br>Concurrency on: <br><br>- Default: 20 <br>- Min: 1 <br>- Max: 50 | The number of **For each** loop iterations that can run at the same time, or in parallel. <br><br>To change this value in multitenant Azure Logic Apps, see [Change **For each** concurrency limit](../logic-apps/logic-apps-workflow-actions-triggers.md#change-for-each-concurrency) or [Run **For each** loops sequentially](logic-apps-workflow-actions-triggers.md#sequential-for-each). <br><br>To change the default limit in the single-tenant service, review [Edit host and app settings for logic apps in single-tenant Azure Logic Apps](edit-app-settings-host-settings.md). |

+| Name | Multitenant | Single-tenant | Integration service environment | Notes |

+| Iterations | - Default: 60 <br>- Min: 1 <br>- Max: 5,000 | Stateful workflow: <br><br>- Default: 60 <br>- Min: 1 <br>- Max: 5,000 <br><br>Stateless workflow: <br><br>- Default: 60 <br>- Min: 1 <br>- Max: 100 | - Default: 60 <br>- Min: 1 <br>- Max: 5,000 | The number of cycles that an **Until** loop can have during a workflow run. <br><br>To change this value in multitenant Azure Logic Apps, in the **Until** loop shape, select **Change limits**, and specify the value for the **Count** property. <br><br>To change the default value in the single-tenant service, review [Edit host and app settings for logic apps in single-tenant Azure Logic Apps](edit-app-settings-host-settings.md). |

+| Timeout | Default: PT1H (1 hour) | Stateful workflow: PT1H (1 hour) <br><br>Stateless workflow: PT5M (5 min) | Default: PT1H (1 hour) | The amount of time that the **Until** loop can run before exiting and is specified in [ISO 8601 format](https://en.wikipedia.org/wiki/ISO_8601). The timeout value is evaluated for each loop cycle. If any action in the loop takes longer than the timeout limit, the current cycle doesn't stop. However, the next cycle doesn't start because the limit condition isn't met. <br><br>To change this value in multitenant Azure Logic Apps, in the **Until** loop shape, select **Change limits**, and specify the value for the **Timeout** property. <br><br>To change the default value in the single-tenant service, review [Edit host and app settings for logic apps in single-tenant Azure Logic Apps](edit-app-settings-host-settings.md). |

+| Name | Multitenant | Single-tenant | Integration service environment | Notes |

+| Trigger - concurrent runs | Concurrency off: Unlimited <br><br>Concurrency on (irreversible): <br><br>- Default: 25 <br>- Min: 1 <br>- Max: 100 | Concurrency off: Unlimited <br><br>Concurrency on (irreversible): <br><br>- Default: 100 <br>- Min: 1 <br>- Max: 100 | Concurrency off: Unlimited <br><br>Concurrency on (irreversible): <br><br>- Default: 25 <br>- Min: 1 <br>- Max: 100 | The number of concurrent runs that a trigger can start at the same time, or in parallel. <br><br>**Note**: When concurrency is turned on, the **SplitOn** limit is reduced to 100 items for [debatching arrays](../logic-apps/logic-apps-workflow-actions-triggers.md#split-on-debatch). <br><br>To change this value in multitenant Azure Logic Apps, see [Change trigger concurrency limit](../logic-apps/logic-apps-workflow-actions-triggers.md#change-trigger-concurrency) or [Trigger instances sequentially](../logic-apps/logic-apps-workflow-actions-triggers.md#sequential-trigger). <br><br>To change the default value in the single-tenant service, review [Edit host and app settings for logic apps in single-tenant Azure Logic Apps](edit-app-settings-host-settings.md). |

+| Maximum waiting runs | Concurrency off: <br><br>- Min: 1 run <br><br>- Max: 50 runs <br><br>Concurrency on: <br><br>- Min: 10 runs plus the number of concurrent runs <br><br>- Max: 100 runs | Concurrency off: <br><br>- Min: 1 run <br>(Default) <br><br>- Max: 50 runs <br>(Default) <br><br>Concurrency on: <br><br>- Min: 10 runs plus the number of concurrent runs <br><br>- Max: 200 runs <br>(Default) | Concurrency off: <br><br>- Min: 1 run <br><br>- Max: 50 runs <br><br>Concurrency on: <br><br>- Min: 10 runs plus the number of concurrent runs <br><br>- Max: 100 runs | The number of workflow instances that can wait to run when your current workflow instance is already running the maximum concurrent instances. <br><br>To change this value in multitenant Azure Logic Apps, see [Change waiting runs limit](../logic-apps/logic-apps-workflow-actions-triggers.md#change-waiting-runs). <br><br>To change the default value in the single-tenant service, review [Edit host and app settings for logic apps in single-tenant Azure Logic Apps](edit-app-settings-host-settings.md). |

+| Name | Multitenant | Single-tenant | Notes |

+| Action - Executions per 5-minute rolling interval | Default: 100,000 executions <br>- High throughput mode: 300,000 executions | None | In multitenant Azure Logic Apps, you can raise the default value to the maximum value for your workflow. For more information, see [Run in high throughput mode](#run-high-throughput-mode), which is in preview. Or, you can [distribute the workload across more than one workflow](handle-throttling-problems-429-errors.md#logic-app-throttling) as necessary. |

+| Managed connector throttling | Throttling limit varies based on connector | Throttling limit varies based on connector | For multitenant, review [each managed connector's technical reference page](/connectors/connector-reference/connector-reference-logicapps-connectors). <br><br>For more information about handling connector throttling, review [Handle throttling problems ("429 - Too many requests" errors)](handle-throttling-problems-429-errors.md#connector-throttling). |

+## Scale for high throughput

+### [Standard](#tab/standard)

+Single-tenant Azure Logic Apps uses storage and compute as the primary resources to run your Standard logic app workflows.

+### Storage

+Stateful workflows use Azure Table storage and Azure Blob storage for persistenting data storage during runtime and for maintaining run histories. These workflows also use Azure Queues for scheduling. A single storage account enables a substantial number of requests with rates of up to 2K per partition and 20K requests per second at the account level. Beyond these thresholds, request rates are subject to throttling. For storage scalability limits, see [Targets for data operations](../storage/tables/storage-performance-checklist.md#targets-for-data-operations).

+Although a single storage account can handle reasonably high throughput, as the workflow execution rate increases, you might encounter partition level throttling or account level throttling. To ensure smooth operations, make sure that you understand the possible limitations and ways that you can address them.

+##### Share workload across multiple workflows

+Single-tenant Azure Logic Apps minimizes partition level throttling by distributing storage transactions across multiple partitions. However, to improve distribution and mitigate partition level throttling, [distribute the workload across multiple workflows](handle-throttling-problems-429-errors.md#logic-app-throttling), rather than a single workflow.

+##### Share workload across multiple storage accounts

+ If your logic app's workflows require high throughput, use multiple storage accounts, rather than a single account. You can significantly increase throughput by distributing your logic app's workload across multiple storage accounts with 32 as the limit. To determine the number of storage accounts that you need, use the general guideline for ~100,000 action executions per minute, per storage account. While this estimate works well for most scenarios, the number of actions might be lower if your workflow actions are compute heavy, for example, a query action that processes large data arrays. Make sure that you perform load testing and tune your solution before using in production.

+ To enable using multiple storage accounts, follow these steps before you create your Standard logic app. Otherwise, if you change the settings after creation, you might experience data loss or not achieve the necessary scalability.

+ 1. [Create the storage accounts](../storage/common/storage-account-create.md?tabs=azure-portal) that you want to use. Save the connection string for each storage account.

+ 1. Find and open your Standard logic app, and then [edit your logic app's host settings (**host.json** file)](edit-app-settings-host-settings.md?tabs=azure-portal#manage-host-settingshostjson) to include the following **`extensions`** object, which contains the **`workflow`** and **`settings`** objects with the **Runtime.ScaleUnitsCount** setting:

+ ```json

+ "extensions": {

+ "workflow": {

+ "settings": {

+ "Runtime.ScaleUnitsCount": "<storage-accounts-number>"

+ }

+ }

+ }

+ ```

+ The following example specifies **3** as the number of storage accounts:

+ ```json

+ {

+ "version": "2.0",

+ "extensionBundle": {

+ "id": "Microsoft.Azure.Functions.ExtensionBundle.Workflows",

+ "version": "[1.*, 2.0.0)"

+ },

+ "extensions": {

+ "workflow": {

+ "settings": {

+ "Runtime.ScaleUnitsCount": "3"

+ }

+ }

+ }

+ }

+ ```

+ 1. [Edit your logic app's application configuration settings (**local.settings.json**)](edit-app-settings-host-settings.md?tabs=azure-portal#manage-app-settingslocalsettingsjson) to add an app setting named **CloudStorageAccount.Workflows.ScaleUnitsDataStorage.CU0\<*storage-account-number*>\.ConnectionString** and the corresponding storage account connection string using the following syntax where the first storage account number is **`00`** up to the number of storage accounts minus 1, for example:

+ | App setting name | Value |

+ ||-|

+ | **CloudStorageAccount.Workflows.ScaleUnitsDataStorage.CU00.ConnectionString** | `<connection-string-1>` |

+ | **CloudStorageAccount.Workflows.ScaleUnitsDataStorage.CU01.ConnectionString** | `<connection-string-2>` |

+ | **CloudStorageAccount.Workflows.ScaleUnitsDataStorage.CU02.ConnectionString** | `<connection-string-3>` |

+ 1. In your logic app's application configuration settings, update the **AzureWebJobsStorage** setting value with the same connection string that's in the **CloudStorageAccount.Workflows.ScaleUnitsDataStorage.CU00.ConnectionString** setting.

+#### Compute

+A Standard logic app runs by using one of the [available compute plans](logic-apps-pricing.md#standard-pricing-tiers), which provide different levels of virtual CPU and memory, or by using an App Service Environment v3, which provides more compute options.

+Single-tenant Azure Logic Apps dynamically scales to effectively handle increasing loads. Your logic app uses the following primary factors to determine whether to scale.

+> [!NOTE]

+>

+> For a Standard logic app in an App Service Environment v3, dynamic scaling isn't available.

+> You must set scaling rules on the associated App Service Plan. As a commonly used scaling rule,

+> you can use the CPU metric, and scale your App Service Plan to keep the virtual CPU between 50-70%.

+> For more information, see [Get started with autoscale in Azure](../azure-monitor/autoscale/autoscale-get-started.md).

+- Trigger

+ To determine scaling requirements, the scaler analyzes the trigger that starts each workflow in your logic app. For example, for a workflow with a Service Bus trigger, if the queue length continuously grows, the scaler takes action to add worker instances, which enable processing more messages. Likewise, for a workflow with a Request trigger, if the request latency experiences an upward trend, the scaler increases the number of worker instances to distribute the request load more efficiently. For more information about worker instances, see [Azure Logic Apps (Standard) - Runtime Deep Dive](https://techcommunity.microsoft.com/t5/azure-integration-services-blog/azure-logic-apps-running-anywhere-runtime-deep-dive/ba-p/1835564).

+- Workflow job execution delay

+ At runtime, workflow actions are divided into individual jobs that are queued for execution. Job dispatchers regularly poll the job queue to retrieve and execute these jobs. However, if compute capacity is insufficient to pick up these jobs, they stay in the queue for a longer time, resulting in increased execution delays. The scaler monitors this situation and make scaling decisions to keep the execution delays under control. For more information about how the runtime schedules and runs jobs, see [Azure Logic Apps (Standard) - Runtime Deep Dive](https://techcommunity.microsoft.com/t5/azure-integration-services-blog/azure-logic-apps-running-anywhere-runtime-deep-dive/ba-p/1835564).

+

+ The scaler also considers the minimum and maximum worker instance counter configuration to determine whether to make scaling decisions, such as adding, removing, or maintaining the current number of worker instances. Typically, the scaler makes these decisions at intervals of approximately 15-30 seconds. So, consider this ramp-up time and its impact on your logic app's scaling speed to effectively handle peak loads. For example, if your workload requires scaling your logic app from just 1 worker instance to 100 worker instances, the ramp-up alone might take 25-50 minutes. Single-tenant Azure Logic Apps scaling shares the same [Azure Functions scaling infrastructure](../azure-functions/event-driven-scaling.md).

+##### Configure your logic app compute for faster scaling

+- Share workload across multiple logic apps.

+ Each logic app can scale independently, so distributing your workload across more than one logic app can significantly accelerate the scaling speed. For example, two logic apps can scale to twice the number of worker instances in the same timeframe as a single logic app. By splitting your workload across multiple apps, you can effectively multiply the scalability and achieve faster scaling results.

+- Use prewarmed instances.

+ If your scenario requires quicker ramp-up time, consider using prewarmed instances. If your peak load times are deterministic, you can use an automation task to adjust these prewarm instances on a schedule. For more information, see [Manage Azure resources and monitor costs by creating automation tasks (preview)](create-automation-tasks-azure-resources.md).

+### [Consumption](#tab/consumption)

+Multitenant Azure Logic Apps has a [default limit](#throughput-limits) on the number of actions that run every 5 minutes. To raise the default value to the [maximum value](#throughput-limits), you can enable high throughput mode, which is in preview. Or, [distribute the workload across multiple logic apps and workflows](handle-throttling-problems-429-errors.md#logic-app-throttling), rather than rely on a single logic app and workflow.

+#### Enable high throughput in the portal

+#### Enable high throughput in a Resource Manager template

+| Name | Multitenant | Single-tenant | Integration service environment | Notes |

+||-|||-|

+| Name | Multitenant | Single-tenant | Integration service environment | Notes |

+||-|||-|

+| Name | Multitenant | Single-tenant | Notes |

+||-||-|

+| Request trigger (inbound) and webhook-based triggers - Content size limit per 5-minute rolling interval per workflow | 3,145,728 KB | None | This limit applies only to the content size for inbound requests received by the Request trigger or any webhook trigger. <br><br>For example, suppose the backend has 100 workers. Each worker has a limit of 31,457,280 bytes, which is the result from dividing 3,145,728,000 bytes by 100 workers. To avoid experiencing premature throttling for the Request trigger, use a new HTTP client for each request, which helps evenly distribute the calls across all nodes. For a webhook trigger, you might have to use multiple workflows, which split the load and avoids throttling. |

+| Name | Chunking enabled | Multitenant | Single-tenant | Integration service environment | Notes |

+|||-|-||-|

+| Name | Multitenant | Single-tenant | Integration service environment | Notes |

+||-|||-|

+In multitenant Azure Logic Apps and the integration service environment only, you can create and use [custom managed connectors](/connectors/custom-connectors), which are wrappers around an existing REST API or SOAP API. In single-tenant Azure Logic Apps, you can create and use only [custom built-in connectors](https://techcommunity.microsoft.com/t5/integrations-on-azure/azure-logic-apps-running-anywhere-built-in-connector/ba-p/1921272).

+| Name | Multitenant | Single-tenant | Integration service environment | Notes |

+||-|||-|

+| Name | Multitenant | Single-tenant | Integration service environment | Notes |

+||-|||-|

+> - **SAP**: The return caller depends on whether the deployment environment is either multitenant Azure or ISE.

+> In the multitenant environment, the on-premises data gateway makes the call back to the Azure Logic Apps service.

+<a name="multitenant-inbound"></a>

+#### Multitenant - Inbound IP addresses

+<a name="multitenant-outbound"></a>

+#### Multitenant - Outbound IP addresses

+* [Create an example Consumption logic app workflow in multitenant Azure Logic Apps](quickstart-create-example-consumption-workflow.md)

+# Submit a training job in Studio

+* You may enter the job creation UI from the homepage. Click **Create new** and select **Job**.

+[](media/how-to-train-with-ui/unified-job-submission-home.png)

+ Enable ensemble stacking | Ensemble learning improves machine learning results and predictive performance by combining multiple models as opposed to using single models. [Learn more about ensemble models](concept-automated-ml.md#ensemble).

+ Explain best model| Automatically shows explainability on the best model created by Automated ML.

+

+1. The **[Optional] Limits** form allows you to do the following.

+ | Option | Description |

+ ||--|

+ |**Max trials**| Maximum number of trials, each with different combination of algorithm and hyperparameters to try during the AutoML job. Must be an integer between 1 and 1000.

+ |**Max concurrent trials**| Maximum number of trial jobs that can be executed in parallel. Must be an integer between 1 and 1000.

+ |**Max nodes**| Maximum number of nodes this job can use from selected compute target.

+ |**Metric score threshold**| When this threshold value will be reached for an iteration metric the training job will terminate. Keep in mind that meaningful models have correlation > 0, otherwise they are as good as guessing the average Metric threshold should be between bounds [0, 10].

+ |**Experiment timeout (minutes)**| Maximum time in minutes the entire experiment is allowed to run. Once this limit is reached the system will cancel the AutoML job, including all its trials (children jobs).

+ |**Iteration timeout (minutes)**| Maximum time in minutes each trial job is allowed to run. Once this limit is reached the system will cancel the trial.

+ |**Enable early termination**| Select to end the job if the score is not improving in the short term.

+description: Learn about business continuity (point-in-time restore, datacenter outage, geo-restore) when you're using the Azure Database for MariaDB service.

+This article describes the capabilities that Azure Database for MariaDB provides for business continuity and disaster recovery. Learn about options for recovering from disruptive events that could cause data loss or cause your database and application to become unavailable. Learn what to do when a user error or application error affects data integrity, an Azure region has an outage, or your application needs maintenance.

+## Features for business continuity

+As you develop your business continuity plan, you need to understand your:

+- **Recovery time objective (RTO)**: The maximum acceptable time before the application fully recovers after a disruptive event.

+- **Recovery point objective (RPO)**: The maximum amount of recent data updates (time interval) that the application can tolerate losing when it's recovering after a disruptive event.

+Azure Database for MariaDB provides business continuity and disaster recovery features that include geo-redundant backups with the ability to initiate geo-restore, and deploying read replicas in another region. Each has different characteristics for the recovery time and the potential data loss.

+With [geo-restore](concepts-backup.md), Azure Database for MariaDB creates a new server by using the backup data that's replicated from another region. The overall time to restore and recover depends on the size of the database and the amount of log data to recover. The overall time to establish the server varies from few minutes to few hours.

+With [read replicas](concepts-read-replicas.md), transaction logs from the primary database are asynchronously streamed to a replica. If there's a primary database outage due to a zone-level or a region-level fault, failing over to the replica provides a shorter RTO and reduced data loss.

+> The lag between the primary database and the replica depends on the latency between the sites, the amount of data to be transmitted, and (most important) the write workload of the primary server. Heavy write workloads can generate a significant lag.

+> Because of the asynchronous nature of the replication that's used for read replicas, don't consider read replicas to be a high-availability solution. The higher lags can mean higher RTO and RPO. Read replicas can act as a high-availability alternative only for workloads where the lag remains smaller through the peak and off-peak times. Otherwise, read replicas are intended for true read scale for read-heavy workloads and for disaster recovery scenarios.

+The following table compares RTO and RPO in a *typical workload* scenario:

+| Capability | Basic | General purpose | Memory optimized |

+| Point-in-time restore from backup | Any restore point within the retention period <br/> RTO varies <br/>RPO is less than 15 minutes| Any restore point within the retention period <br/> RTO varies <br/>RPO is less than 15 minutes | Any restore point within the retention period <br/> RTO varies <br/>RPO is less than 15 minutes |

+| Geo-restore from geo-replicated backups | Not supported | RTO varies <br/>RPO is greater than 24 hours | RTO varies <br/>RPO is greater than 24 hours |

+| Read replicas | RTO is minutes <br/>RPO is less than 5 minutes | RTO is minutes <br/>RPO is less than 5 minutes| RTO is minutes <br/>RPO is less than 5 minutes|

+RTO and RPO *can be much higher* in some cases, depending on factors like latency between sites, the amount of data to be transmitted, and the primary database's write workload.

+## Recovery of a server after a user or application error

+You can use the service's backups to recover a server from various disruptive events. For example, a user might accidentally delete some data, inadvertently drop an important table, or even drop an entire database. An application might accidentally overwrite good data with bad data because of an application defect.

+You can perform a point-in-time-restore to create a copy of your server to a known good point in time. This point in time must be within the backup retention period that you configured for your server. After the data is restored to the new server, you can either replace the original server with the newly restored server or copy the needed data from the restored server to the original server.

+> You can restore deleted servers only within *five days* of deletion. After five days, the backups are deleted. You can access and restore the database backup only from the Azure subscription that hosts the server. To restore a dropped server, refer to the [documented steps](howto-restore-dropped-server.md). To help protect server resources from accidental deletion or unexpected changes after deployment, administrators can use [management locks](../azure-resource-manager/management/lock-resources.md).

+## Recovery from an Azure regional datacenter outage

+Although it's rare, an Azure datacenter can have an outage. When an outage occurs, it causes a business disruption that might last only a few minutes but could last for hours.

+One option is to wait for your server to come back online when the datacenter outage is over. When datacenter has an outage, you don't know how long the outage might last. So this option works only for applications that can afford to have the server offline for some time (for example, a development environment).

+The geo-restore feature restores the server by using geo-redundant backups. The backups are hosted in your server's [paired region](../availability-zones/cross-region-replication-azure.md). These backups are accessible even when the region where your server is hosted is offline. You can restore from these backups to any other region and then bring your server back online. Learn more about geo-restore in the [article about backup and restore concepts](concepts-backup.md).

+> Geo-restore is possible only if you provisioned the server with geo-redundant backup storage. If you want to switch from locally redundant to geo-redundant backups for an existing server, you must generate a backup of your existing server by using [mysqldump](howto-migrate-dump-restore.md). Then, restore to a newly created server that's configured with geo-redundant backups.

+You can use cross-region read replicas to enhance your planning for business continuity and disaster recovery. Read replicas are updated asynchronously through MySQL's replication technology for binary logs. Learn more about read replicas, available regions, and how to fail over in the [article about read replica concepts](concepts-read-replicas.md).

+By default, Azure Database for MariaDB doesn't move or store customer data out of the region where it's deployed. However, you can optionally choose to enable [geo-redundant backups](concepts-backup.md#backup-redundancy-options) or create [cross-region read replicas](concepts-read-replicas.md#cross-region-replication) for storing data in another region.

+- Learn how to restore by using [the Azure portal](howto-restore-server-portal.md) or [the Azure CLI](howto-restore-server-cli.md).

+description: This article provides information on high availability in Azure Database for MariaDB.

+The Azure Database for MariaDB service is suitable for running mission-critical databases that require high uptime. It provides high availability during:

+- Planned events, such as user-initiated scale compute operations.

+- Unplanned events, such as underlying hardware, software, or network failures.

+Azure Database for MariaDB provides a [financially backed service-level agreement](https://azure.microsoft.com/support/legal/sla/MariaDB) for uptime. Because the service is built on Azure architecture, you can take advantage of its capabilities for high availability, redundancy, and resiliency without configuring any additional components.

+| Component | Description|

+| MariaDB database server | Azure Database for MariaDB provides security, isolation, resource safeguards, and fast restart capability for database servers. These capabilities facilitate operations such as scaling and database server recovery (in seconds) after an outage. <br/>Data modifications in the database server typically occur in the context of a database transaction. All database changes are recorded synchronously in the form of write-ahead logs (*ib_log* files) on Azure Storage, which is attached to the database server. During the database [checkpoint](https://mariadb.com/kb/innodb-redo-log/#checkpoints) process, data pages from the database server memory are also flushed to the storage. |

+| Remote storage | All MariaDB physical data files and log files are stored on Azure Storage, which stores three copies of data within a region to provide data redundancy, availability, and reliability. The storage layer is independent of the database server. It can be detached from a failed database server and reattached to a new database server in a few seconds. <br/>Azure Storage continuously monitors for any storage faults. If it detects a block corruption, it automatically fixes the problem by instantiating a new storage copy. |

+| Gateway | The gateway acts as a database proxy by routing all client connections to the database server. |

+## Mitigation of planned downtime

+The architecture of Azure Database for MariaDB provides high availability during planned downtime operations.

+

+Here are some scenarios for planned maintenance:

+| Scenario | Description|

+| Compute scale-up or scale-down | When you perform a compute scale-up or scale-down operation, Azure Database for MariaDB provisions a new database server by using the scaled compute configuration. On the old database server, the service allows active checkpoints to finish, drains client connections, and cancels any uncommitted transactions. The service then shuts down the old database server. It detaches the storage from the old database server and attaches the storage to the new database server. When the client application retries the connection or tries to make a new connection, the gateway directs the connection request to the new database server.|

+| Scaling up storage | Scaling up the storage is an online operation and doesn't interrupt the database server.|

+| New software deployment (Azure) | Rollouts of new features or bug fixes automatically happen as part of the service's planned maintenance. For more information, see the [documentation](concepts-monitoring.md#planned-maintenance-notification) and check your [portal](https://aka.ms/servicehealthpm).|

+| Minor version upgrades | Azure Database for MariaDB automatically patches database servers to the minor version that Azure determines. Automatic patching happens as part of the service's planned maintenance. It incurs a short downtime in terms of seconds, and the database server is automatically restarted with the new minor version. For more information, see the [documentation](concepts-monitoring.md#planned-maintenance-notification) and check your [portal](https://aka.ms/servicehealthpm).|

+## Mitigation of unplanned downtime

+Unplanned downtime can occur as a result of unforeseen failures, including underlying hardware faults, network problems, and software bugs. If the database server goes down unexpectedly, a new database server is automatically provisioned in seconds. The remote storage is automatically attached to the new database server.

+The MariaDB engine performs the recovery operation by using write-ahead log and database files, and it opens the database server to allow clients to connect. Uncommitted transactions are lost, and the application must retry them.

+Although you can't avoid unplanned downtime, Azure Database for MariaDB mitigates it by automatically performing recovery operations at both the database server and storage layers without requiring human intervention.

+

+### Unplanned downtime: Failure scenarios and service recovery

+Here are two failure scenarios and how Azure Database for MariaDB automatically recovers:

+| Scenario | Automatic recovery |

+| Database server failure | If the database server is down because of an underlying hardware fault, Azure Database for MariaDB drops active connections and cancels any inflight transactions. The service automatically deploys a new database server and attaches the remote data storage to the new database server. After the database recovery is complete, clients can connect to the new database server through the gateway. <br />Applications that use the MariaDB databases need to be built in a way that they detect and retry dropped connections and failed transactions. When the application retries a connection, the gateway transparently redirects the connection to the newly created database server. |

+| Storage failure | Storage-related problems, such as a disk failure or a physical block corruption, don't affect applications. Because the data is stored in three copies, the surviving storage serves the copy of the data. Azure Database for MariaDB automatically corrects block corruptions. If a copy of data is lost, the service automatically creates a new copy of the data. |

+Here are failure scenarios that require user action to recover:

+| Scenario | Recovery plan |

+| - | - |

+| Region failure | Failure of a region is a rare event. However, if you need protection from a region failure, you can configure one or more read replicas in other regions for disaster recovery. For details, see [this article](howto-read-replicas-portal.md) about creating and managing read replicas. If a region-level failure happens, you can manually promote a read replica configured in another region to be your production database server. |

+| Logical/user error | Recovery from user errors, such as accidentally dropped tables or incorrectly updated data, involves performing a [point-in-time recovery](concepts-backup.md). This action restores and recovers the data until the time just before the error occurred.<br> If you want to restore only a subset of databases or specific tables rather than all databases in the database server, you can restore the database server in a new instance, export the tables via [mysqldump](howto-migrate-dump-restore.md), and then [restore](howto-migrate-dump-restore.md#restore-your-mariadb-database) those tables in your database. |

+Azure Database for MariaDB has inherent high-availability capabilities to help protect your databases from common outages. It provides fast restart capability of database servers, redundant storage, and efficient routing from the gateway. For additional data protection, you can configure backups to be geo-replicated and deploy read replicas in other regions.

+- Learn about [Azure regions](../availability-zones/az-overview.md).

+- Learn about [handling transient connectivity errors](concepts-connectivity.md).

+- Learn how to [replicate your data with read replicas](howto-read-replicas-portal.md).

+To analyze outbound traffic from NAT gateway, use NSG flow logs. NSG flow logs provide connection information for your virtual machines. The connection information contains the source IP and port and the destination IP and port and the state of the connection. The traffic flow direction and the size of the traffic in number of packets and bytes sent is also logged. The source IP and port specified in the NSG flow log is for the virtual machine and not the NAT gateway.

+When associating a NAT gateway to a subnet that contains a virtual machine network interface (NIC) in a failed state, you receive an error message indicating that this action can't be performed. You must first resolve the VM NIC failed state before you can attach a NAT gateway to the subnet.

+* /28 (16 addresses)

+* /29 (8 addresses)

+* /30 (4 addresses)

+* /31 (2 addresses)

+[NAT gateway](nat-overview.md) supports IPv4 UDP and TCP protocols. NAT gateway can't be associated to an IPv6 Public IP address or IPv6 Public IP Prefix. NAT gateway can be deployed on a dual stack subnet, but only uses IPv4 Public IP addresses for directing outbound traffic. Deploy NAT gateway on a dual stack subnet when you need IPv6 resources to exist in the same subnet as IPv4 resources. See [Configure dual stack outbound connectivity with NAT gateway and public Load balancer](/azure/virtual-network/nat-gateway/tutorial-dual-stack-outbound-nat-load-balancer?tabs=dual-stack-outbound-portal) to learn how to provide IPv4 and IPv6 outbound connectivity from your dual stack subnet.

+NAT gateway can be used with public IP addresses designated to a specific zone, no zone, all zones (zone-redundant) depending on its own availability zone configuration.

+## More troubleshooting guidance

+If the issue you're experiencing isn't covered by this article, refer to the other NAT gateway troubleshooting articles:

+* [Troubleshoot outbound connectivity with NAT Gateway](/azure/nat-gateway/troubleshoot-nat-connectivity)

+* [Troubleshoot outbound connectivity with NAT Gateway and other Azure services](/azure/nat-gateway/troubleshoot-nat-and-azure-services)

+This article shows you how to quickly stand up JBoss EAP on Azure Red Hat OpenShift (ARO) using the Azure portal.

+This article uses the Azure Marketplace offer for JBoss EAP to accelerate your journey to ARO. The offer automatically provisions a number of resources including an ARO cluster with a built-in OpenShift Container Registry (OCR), the JBoss EAP Operator, and optionally a container image including JBoss EAP and your application using Source-to-Image (S2I). To see the offer, visit the [Azure portal](https://aka.ms/eap-aro-portal). If you prefer manual step-by-step guidance for running JBoss EAP on ARO that doesn't utilize the automation enabled by the offer, see [Deploy a Java application with Red Hat JBoss Enterprise Application Platform (JBoss EAP) on an Azure Red Hat OpenShift 4 cluster](/azure/developer/java/ee/jboss-eap-on-aro).

+This article shows you how to quickly stand up IBM WebSphere Liberty and Open Liberty on Azure Red Hat OpenShift (ARO) using the Azure portal.

+This article uses the Azure Marketplace offer for Open/WebSphere Liberty to accelerate your journey to ARO. The offer automatically provisions a number of resources including an ARO cluster with a built-in OpenShift Container Registry (OCR), the Liberty Operator, and optionally a container image including Liberty and your application. To see the offer, visit the [Azure portal](https://aka.ms/liberty-aro). If you prefer manual step-by-step guidance for running Liberty on ARO that doesn't utilize the automation enabled by the offer, see [Deploy a Java application with Open Liberty/WebSphere Liberty on an Azure Red Hat OpenShift cluster](/azure/developer/java/ee/liberty-on-aro).

+## Next steps

+- [Network Fabric Services](concepts-network-fabric-services.md)

+ Title: Azure Operator Nexus Network Fabric Services

+description: Overview of Network Fabric Services for Azure Operator Nexus.

+# Network Fabric Services overview

+The Network Fabric Controller (NFC) serves as the host for Nexus Network Fabric (NNF) services, illustrated in the diagram below. These services enable secure internet access for on-premises applications and services. Communication between on-premises applications and NNF services is facilitated through a specialized Express Route service (VPN). This setup allows on-premises services to connect to the NNF services via Express Route at one end, and access internet-based services at the other end.

+## Enhanced Security with Nexus Network Fabric Proxy Management

+The Nexus Network Fabric employs a robust, cloud-native proxy designed to protect the Nexus infrastructure and its associated workloads. This proxy is primarily focused on preventing data exfiltration attacks and maintaining a controlled allowlist of URLs for NNF instance connections. In combination with the under-cloud proxy, the NNF proxy delivers comprehensive security for workload networks. There are two distinct aspects of this system: the Infrastructure Management Proxy, which handles all infrastructure traffic, and the Workload Management Proxy, dedicated to facilitating communication between workloads and public or Azure endpoints.

+## Optimized Time Synchronization with Managed Network Time Protocol (NTP)

+The Network Time Protocol (NTP) is an essential network protocol that aligns the time settings of computer systems over packet-switched networks. In the Azure Operator Nexus instance, NTP is instrumental in ensuring the consistent time settings across all compute nodes and network devices. This level of synchronization is critical for the Network Functions (NFs) operating within the infrastructure. It significantly contributes to the effectiveness of telemetry and security measures, maintaining the integrity and coordination of the system.

+## Nexus Network Fabric Resources

+The following are key resources for Nexus Network Fabric.

+### InternetGateways

+*InternetGateways* is a critical resource in network architecture, acting as the connecting bridge between a virtual network and the Internet. It enables virtual machines and other entities within a virtual network to communicate seamlessly with external services. These services range from websites and APIs to various cloud services, making InternetGateways a versatile and essential component.

+#### Properties

+| Property | Description |

+|||

+| Name | Serves as the unique identifier for the Internet Gateway. |

+| Location | Specifies the Azure region where the Internet Gateway is deployed, ensuring regional compliance and optimization. |

+| Subnets | Defines the subnets linked with the Internet Gateway, determining the network segments it services. |

+| Public IP Address| Assigns a public IP address to the gateway, enabling external network interactions. |

+| Routes | Outlines the routing rules and configurations for managing traffic through the gateway. |

+#### Use cases

+* **Internet Access:** Facilitates Internet connectivity for virtual network resources, crucial for updates, downloads, and accessing external services.

+* **Hybrid Connectivity:** Ideal for hybrid scenarios, allowing secure connections between on-premises networks and Azure resources.

+* **Load Balancing:** Enhances network performance and availability by evenly distributing traffic across multiple gateways.

+* **Security Enforcement:** Enables the implementation of robust security policies, such as outbound traffic restrictions and encryption mandates.

+### InternetGatewayRules

+*InternetGatewayRules* represents a set of rules associated with an Internet Gateway in the Managed Network Fabric. These rules establish guidelines for either permitting or restricting traffic as it moves through the Internet Gateway, providing a framework for network traffic management.

+#### Properties

+| Property | Description |

+||--|

+| Name | Acts as the unique identifier for each rule. |

+| Priority | Sets the evaluation order of the rules, with higher priority rules taking precedence.|

+| Action | Determines the action (e.g., allow, deny) for traffic that matches the rule criteria.|

+| Source IP Address Range | Identifies the originating IP address range applicable to the rule. |

+| Destination IP Address Range | Defines the targeted IP address range for the rule. |

+| Protocol | Specifies the network protocol (e.g., TCP, UDP) relevant to the rule. |

+| Port Range | Details the port range for the rule, if applicable. |

+#### Use cases

+* **Traffic Filtering:** InternetGatewayRules enable organizations to control both incoming and outgoing network traffic based on specific criteria. For example, they can block certain IP ranges or allow only particular protocols.

+* **Enforcing Security Policies:** These rules are instrumental in implementing security measures, such as restricting traffic to enhance network security. An organization might block known malicious IP ranges or limit traffic to specific ports for certain services.

+* **Compliance Assurance:** The rules can also be utilized to comply with regulatory standards by limiting types of traffic, thereby aiding in data privacy and access control.

+* **Traffic Load Balancing:** InternetGatewayRules can distribute network traffic across multiple gateways to optimize resource utilization. This includes prioritizing or throttling traffic based on business needs.

+## FAQs

+**Is Support Available for HTTP Endpoints?**

+Azure's default configuration supports only HTTPS endpoints to ensure secure communication. HTTP endpoints are not supported as part of this security measure. By prioritizing HTTPS, Azure maintains high standards of data integrity and privacy.

+**How Can I Safeguard Against Data Exfiltration?**

+To strengthen security against data exfiltration, Azure supports the allowance of specific Fully Qualified Domain Names (FQDNs) on the proxy. This additional security measure ensures that your network can only be accessed by approved traffic, greatly minimizing the potential for unauthorized data movement.

+- The tool migrates only user databases. System databases like azure_sys, azure_maintenance or template databases such as template0, template1 will not be migrated.

+> If TIMESCALEDB, POSTGIS_TOPOLOGY, POSTGIS_TIGER_GEOCODER, POSTGRES_FDW or PG_PARTMAN extensions are used in your single server, please raise a support request since the migration tool does not handle these extensions.

+| `dbsToMigrate` | Required | Specify the list of databases that you want to migrate to Flexible Server. Note only user databases are migrated. System databases or template databases such as template0, template1 will not be migrated. |

+> The tool migrates only user databases. System databases or template databases such as template0, template1 will not be migrated.

+### Review

+#### <a name="01885ad6-88cf-4d5a-bdb5-6d43a6eed53e"></a>Backup and Restore with Azure Backup

+You can also integrate MaxDB backup with **Azure Backup** using the third-party backup tool **Maxback** (https://maxback.io). MaxBack allows you to backup and restore MaxDB on Windows with VSS integration, which is also used by Azure Backup. The advantage of using Azure Backup is that backup and restore is done at the storage level. MaxBack ensures that the database is in the right state for backup and restore, and automatically handles log volume backups.

+### Supported regions

+Support for availability zones depends on infrastructure and storage. Currently, two zones that were announced in October 2023 have insufficient storage and don't provide an availability zone for Azure AI Search:

+Otherwise, availability zones for Azure AI Search are supported in the following regions:

+ Title: Compare available plans in Azure Spring Apps

+description: Understand and compare all plans in the Azure Spring Apps.

+# Compare available plans in Azure Spring Apps

+> [!NOTE]

+> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams.

+This article provides a comparison of plans available in Azure Spring Apps. Each plan is designed to cater to different customer scenarios and purposes, as described in the following list:

+- Enterprise plan: This plan is designed to expedite the development and deployment of mission-critical and large-scale enterprise applications with higher SLA and large application cluster support. This plan also addresses enterprise requirements around configuration management, service discovery, API gateway, API portal, ease of integration, portability, and flexibility with on-demand managed Tanzu commercial components and Tanzu Spring Runtime support, built on top of strong partnership between VMware and Microsoft.

+- Basic plan: An entry-level plan for individual development and testing.

+- Standard plan: A Spring-centric and opinionated application hosting platform with built-in and pre-configured settings for build, service registry, storage, and more.

+- Standard consumption and dedicated plan: This plan is hosted in an Azure Container Apps environment and is designed to seamlessly interact with other apps running in the same environment with simplified networking and unified observability.

+The following table shows the differences between each plan:

+| Feature | Description | Enterprise | Basic | Standard | Standard consumption and dedicated |

+|--|--||-|-|--|

+| **Application management** | Application management with hassle-free infrastructure operations. | | | | |

+| App lifecycle management | Create, deploy, stop, and restart apps easily without knowledge of the underlying infrastructure. | ✔️ | ✔️ | ✔️ | ✔️ |

+| SLA | The ensured SLA for both apps and managed components. | **99.95%** | n/a | 99.90% | Not available during preview. |

+| Max App instance size | The maximum application instance size. | **8 vCPU, 32 GB** | 1 vCPU, 2 GB | 4 vCPU, 8 GB | 4 vCPU, 8 GB in consumption, up to 16 vCPU, 128 GB in dedicated |

+| Max App instances | The maximum number of application instances. | **1000** | 25 | 500 | 400 in consumption, 1000 in dedicated. |

+| Auto and manual scaling | Automatic and manual app scaling in/out and up/down. | ✔️ | ✔️ | ✔️ | ✔️ |

+| Deploy from source code, artifact and custom image | Deploy from source code, artifact, and custom image for apps. | ✔️ | ✔️ | ✔️ | Artifact and custom image. |

+| Java app support | Build and deploy Java apps, mainly Spring Apps. | ✔️ | ✔️ | ✔️ | ✔️ |

+| Java native image support | Build and deploy Java native image apps. | ✔️ | ❌ | ❌ | ❌ |

+| .NET Core app support | Build and deploy .NET Core apps. | ✔️ | ❌ | ❌ | ❌ |

+| Node.js app support | Build and deploy Node.js apps. | ✔️ | ❌ | ❌ | ❌ |

+| GO app support | Build and deploy Go apps. | ✔️ | ❌ | ❌ | ❌ |

+| Python app support | Build and deploy Python apps. | ✔️ | ❌ | ❌ | ❌ |

+| PHP app support | Build and deploy PHP apps. | ✔️ | ❌ | ❌ | ❌ |

+| Static web app support | Build and deploy static web apps with static web content, like CSS, JS, and HTML files. | ✔️ | ❌ | ❌ | ❌ |

+| Zero downtime deployment | Rolling update and blue/green deployment strategies with assured zero downtime and affect for apps. | ✔️ | ✔️ | ✔️ | ✔️ |

+| Custom domain | Support multiple custom domains on apps. | ✔️ | ❌ | ✔️ | ✔️ |

+| Bring your own storage | Support to mount Azure storage for apps to use. | ✔️ | ✔️ | ✔️ | ✔️ |

+| Custom health probes | Support to customize apps on health probes, like liveness, readiness, and startup probes, and graceful termination periods. | ✔️ | ✔️ | ✔️ | ✔️ |

+| Auto patching | Automatic patching of the base OS, language runtime (such as the JDK), and APM agents in maintaining images for apps. | ✔️ | ✔️ | ✔️ | ✔️ |

+| Spring Runtime Support | Built-in Tanzu Spring Runtime support with extended support period on Spring projects and 24/7 VMware support. | ✔️ | ❌ | ❌ | ❌ |

+| **Troubleshooting and monitoring** | Troubleshooting and monitoring. | | | | |

+| Remote debugging | Remote debugging. | ✔️ | ✔️ | ✔️ | n/a |

+| Thread/heap/JFR dump | Thread/heap/JFR dump. | ✔️ | ✔️ | ✔️ | ✔️ |

+| Web shell support | Use a web shell to connect to any running app instance to directly run JDK commands. | ✔️ | ✔️ | ✔️ | ✔️ |

+| Out-of-box APM integration | Out-of-box APM integration (Azure Application Insights and popular third-party APMs like Dynatrace, AppDynamics, New Relic, and Elastic APM). | ✔️ | ✔️ | ✔️ | ✔️ |

+| **Security** | Secure networking and identity management. | | | | |

+| Secure communication along whole traffic path | Secure communication along the whole traffic path, including ingress controller to apps, app to app, and apps to backing services such as databases. | ✔️ | ✔️ | ✔️ | ✔️ |

+| VNET injection | Virtual network (VNET) injection. | ✔️ | ❌ | ✔️ | ✔️ |

+| Private endpoint | Support to connect with backing services like Azure databases, Key Vault, and so on using a private endpoint. | ✔️ | ❌ | ✔️ | ✔️ |

+| Managed identity | Support both Azure system and user-assigned managed identity. | ✔️ | ✔️ | ✔️ | ✔️ |

+| **Integration** | Integration capability with backing services, CICD, and IDEs. | | | | |

+| Easy integration with any Azure services | Integration with any Azure services on top of Azure SDK and Spring Cloud Azure. | ✔️ | ✔️ | ✔️ | ✔️ |

+| Out-of-box CICD integration | Out-of-box CICD integration with Azure DevOps, Jenkins, and GitHub Actions, and so forth. | ✔️ | ✔️ | ✔️ | ✔️ |

+| Out-of-box integration with popular IDEs | Out-of-box integration with popular IDEs like VS Code and IntelliJ, to allow in-place interaction with Azure Spring Apps. | ✔️ | ✔️ | ✔️ | ✔️ |

+| **Managed components** | Fully managed components with ensured SLA, timely maintenance, and well-tuned configuration to support app development and operation. | | | | |

+| SLA | The ensured SLA for both apps and managed components. | **99.95%** | n/a | 99.90% | Not available during preview. |

+| Build and maintain images from source code | A build service to centrally manage building and maintaining Open Container Initiative (OCI) images from source code. | Γ£ö∩╕Å **(configurable build service¹)** | Γ£ö∩╕Å (default build service) | Γ£ö∩╕Å (default build service) | Γ¥î |

+| An API gateway to route requests to backend apps | Spring Cloud Gateway to route requests with cross-cutting concerns addressed centrally (throttling, request/response filters, authentication and authorization, and so forth). | ✔️ | ❌ | ❌ | ❌ |

+| An API portal to browse and try out APIs | An API portal to view detailed API documentation, and to try out APIs. | ✔️ | ❌ | ❌ | ❌ |

+| App configuration management | A configuration service to distribute app configurations from Git host repositories to apps. | ✔️ **(supports polyglot apps)** | ✔️ (supports Spring apps only) | ✔️ (supports Spring apps only) | ✔️ (supports Spring apps only) |

+| Service registry and discovery | A service registry to provide service registration and discovery capabilities for microservices-based Spring applications. | ✔️ | ✔️ | ✔️ | ✔️ |

+| Real-time monitoring and troubleshooting apps | A lightweight insights and troubleshooting tool that helps app developers and app operators to look inside running Spring applications. | ✔️ | ❌ | ❌ | ❌ |

+| Expedite development with distributable project templates | A project bootstrapping tool to build and distribute templates/accelerators that codify enterprise-conformant code and configurations in a discoverable and repeatable way. | ✔️ | ❌ | ❌ | ❌ |

+¹ The configurable build service enables the following features:

+- Bring your own container registry: configure your own Azure Container Registry (ACR) to store built images instead of using the Azure Spring Apps managed ACR to deploy to other Azure Spring Apps Enterprise-plan environments with verified images.

+- Configure resources for the whole build pool, up to 64 vCPU and 128 GB.

+- Configure which OS stack to use as the base image for your apps.

+### Inventory and Immutable Storage

+In instances where immutable storage is enabled, it's essential to be aware of a specific limitation pertaining to Inventory reports. Due to the inherent characteristics of immutable storage, notably its write-once, read-many (WORM) nature, the execution of Inventory reports is constrained. The results cannot be written when immutable storage is active. This stands as a known limitation, and we recommend planning your reporting activities accordingly.

+| [Storage Analytics metrics (classic)](../common/storage-metrics-migration.md?toc=/azure/storage/blobs/toc.json)³ | &nbsp;&#x2B24; | &nbsp;&#x2B24; | &nbsp;&#x2B24; | &nbsp;&#x2B24; |

+³ Storage Analytics metrics is retired. See [Transition to metrics in Azure Monitor](../common/storage-analytics-metrics.md?toc=/azure/storage/blobs/toc.json).

+| [Storage Analytics metrics (classic)](../common/storage-metrics-migration.md?toc=/azure/storage/blobs/toc.json)³ | &nbsp;&#x2B24; | &nbsp;&#x2B24; | &nbsp;&#x2B24; | &nbsp;&#x2B24; |

+³ Storage Analytics metrics is retired. See [Transition to metrics in Azure Monitor](../common/storage-analytics-metrics.md?toc=/azure/storage/blobs/toc.json).

+To estimate the cost of storing and accessing blob data in a general-purpose v2 storage account in a particular tier, evaluate your existing usage pattern or approximate your expected usage pattern. In general, you want to know:

+- Your Blob storage consumption, in gigabytes, including:

+ - How much data is being stored in the storage account?

+ - How does the data volume change on a monthly basis; does new data constantly replace old data?

+- The primary access pattern for your Blob storage data, including:

+ - How much data is being read from and written to the storage account?

+ - How many read operations versus write operations occur on the data in the storage account?

+To decide on the best access tier for your needs, it can be helpful to determine your blob data capacity, and how that data is being used. This can be best done by looking at the monitoring metrics for your account.

+### Monitoring existing storage accounts

+To monitor your existing storage accounts and gather this data, you can make use of storage metrics in Azure Monitor. Azure Monitor stores metrics that include aggregated transaction statistics and capacity data about requests to the storage service. Azure Storage sends metric data to the Azure Monitor back end. Azure Monitor provides a unified monitoring experience that includes data from the Azure portal as well as data that is ingested. For more information, see any of these articles:

+- [Monitoring Azure Blob Storage](../blobs/monitor-blob-storage.md)

+- [Monitoring Azure Files](../files/storage-files-monitoring.md)

+- [Monitoring Azure Queue Storage](../queues/monitor-queue-storage.md)

+- [Monitoring Azure Table storage](../tables/monitor-table-storage.md)

+- The amount of data retrieved from the storage account can be estimated by looking at the sum of the *'Ingress'* metric for primarily the *'GetBlob'* and *'CopyBlob'* operations.

+- The amount of data written to the storage account can be estimated by looking at the sum of *'Egress'* metrics for primarily the *'PutBlob'*, *'PutBlock'*, *'CopyBlob'* and *'AppendBlock'* operations.

+To determine the price of each operation against the blob storage service, see [Map each REST operation to a price](../blobs/map-rest-apis-transaction-categories.md).

+ Title: Use Azure Storage analytics to collect log data

+Azure Storage Analytics performs logging for a storage account. You can use this data to trace requests, analyze usage trends, and diagnose issues with your storage account.

+> [!NOTE]

+> Storage Analytics supports only logs. Storage Analytics metrics are retired. See [Transition to metrics in Azure Monitor](../common/storage-analytics-metrics.md?toc=/azure/storage/blobs/toc.json). While Storage Analytics logs are still suppported, we recommend that you use Azure Storage logs in Azure Monitor instead of Storage Analytics logs. To learn more, see any of the following articles:

+>

+> - [Monitoring Azure Blob Storage](../blobs/monitor-blob-storage.md)

+> - [Monitoring Azure Files](../files/storage-files-monitoring.md)

+> - [Monitoring Azure Queue Storage](../queues/monitor-queue-storage.md)

+> - [Monitoring Azure Table storage](../tables/monitor-table-storage.md)

+The aggregated log data is stored in a well-known blob, which may be accessed using the Blob service and Table service APIs.

+The amount of storage used by logs data is billable. You're also billed for requests to create blobs for logging.

+If you have configured a data retention policy, you can reduce the spending by deleting old log data. For more information about retention policies, see [Setting a Storage Analytics Data Retention Policy](/rest/api/storageservices/Setting-a-Storage-Analytics-Data-Retention-Policy).

+Every request made to an account's storage service is either billable or non-billable. Storage Analytics logs each individual request made to a service, including a status message that indicates how the request was handled. See [Understanding Azure Storage Billing - Bandwidth, Transactions, and Capacity](/archive/blogs/windowsazurestorage/understanding-windows-azure-storage-billing-bandwidth-transactions-and-capacity).

+When looking at Storage Analytics data, you can use the tables in the [Storage Analytics Logged Operations and Status Messages](/rest/api/storageservices/storage-analytics-logged-operations-and-status-messages) topic to determine what requests are billable. Then you can compare your log data to the status messages to see if you were charged for a particular request. You can also use the tables in the previous topic to investigate availability for a storage service or individual API operation.

+- **Accessible.** Data in Azure Storage is accessible from anywhere in the world over HTTP or HTTPS. Microsoft provides client libraries for Azure Storage in a variety of languages, including .NET, Java, Node.js, Python, Go, and others, as well as a mature REST API. Azure Storage supports scripting in Azure PowerShell or Azure CLI. And the Azure portal and Azure Storage Explorer offer easy visual solutions for working with your data.

+Objects in Blob Storage can be accessed from anywhere in the world via HTTP or HTTPS. Users or client applications can access blobs via URLs, the [Azure Storage REST API](/rest/api/storageservices/blob-service-rest-api), [Azure PowerShell](/powershell/module/azure.storage), [Azure CLI](/cli/azure/storage), or an Azure Storage client library. The storage client libraries are available for multiple languages, including [.NET](/dotnet/api/overview/azure/storage), [Java](/java/api/overview/azure/storage), [Node.js](https://azure.github.io/azure-storage-node), and [Python](/python/api/overview/azure/storage).

+On **January 9, 2024** Storage Analytics metrics, also referred to as *classic metrics* retired. If you used classic metrics, this article helps you transition to metrics in Azure Monitor.

+|Maximum total capacity units (TiB) |100 |100 |600 |600|600|600| |600 |600 |600 | 100 | 100 |

+|Maximum base capacity units (TiB) |100 |100 |400 |400 | 400|400 |400 |400 |400 |400 | 100 |100 |

+|Minimum total SAN capacity (TiB) |1 |1 |1 |1 |1 |1 |1 |1 | 1 | 1 | 1 |1|

+|Maximum total capacity units (TiB) |200 |200 |200 |200 |

+|Maximum base capacity units (TiB) |100 |100 |100 |100 |

+|Minimum total SAN capacity (TiB) |1 |1 |1 |1 |

+The 'Build Replicated Table Cache' operation can execute up to two operations simultaneously. For example, if you attempt to rebuild the cache for five tables, the system will utilize a staticrc20 (which cannot be modified) to concurrently build two tables at the time. Therefore, it is recommended to avoid using large replicated tables exceeding 2 GB, as this may slow down the cache rebuild across the nodes and increase the overall time.

+To monitor the rebuild process, you can use [sys.dm_pdw_exec_requests](/sql/relational-databases/system-dynamic-management-views/sys-dm-pdw-exec-requests-transact-sql?view=azure-sqldw-latest&preserve-view=true), where the `command` will start with 'BuildReplicatedTableCache'. For example:

+```sql

+-- Monitor Build Replicated Cache

+SELECT *

+FROM sys.dm_pdw_exec_requests

+WHERE command like 'BuildReplicatedTableCache%'

+```

+> [!TIP]

+> [Table size queries](/azure/synapse-analytics/sql-data-warehouse/sql-data-warehouse-tables-overview#table-size-queries) can be used to verify which table(s) have a replicated distribution policy and which are larger than 2 GB.

+ Title: Disable geo-backups

+# Disable geo-backups for a dedicated SQL pool (formerly SQL DW) in Azure Synapse Analytics

+In this article, you learn to disable geo-backups for your [dedicated SQL pool (formerly SQL DW)](sql-data-warehouse-overview-what-is.md) in the Azure portal.

+1. Select the dedicated SQL pool (formerly SQL DW) resource where you would like to disable geo-backups.

+ :::image type="content" source="media/sql-data-warehouse-restore-from-geo-backup/disable-geo-backup-menu.png" alt-text="A screenshot from the Azure portal, of the navigation menu, showing where to find the geo-backup policy page.":::

+ :::image type="content" source="media/sql-data-warehouse-restore-from-geo-backup/disable-geo-backup-option.png" alt-text="A screenshot from the Azure portal, of the disable geo-backup option.":::

+1. Select **Save** to ensure that your settings are saved.

+ :::image type="content" source="media/sql-data-warehouse-restore-from-geo-backup/disable-geo-backup-save.png" alt-text="A screenshot from the Azure portal, showing the Save geo-backup settings button.":::

+## Related content

+- [Restore a deleted dedicated SQL pool (formerly SQL DW) in Azure Synapse Analytics](sql-data-warehouse-restore-deleted-dw.md)

+ Title: Publish applications with RemoteApp in Azure Virtual Desktop - Azure

+ > [!TIP]

+ > When searching for an application name on Azure, use search terms that begin with the application name in order instead of keywords the application name contains out of order. For example, when you want to use Azure Virtual Desktop, you need to enter 'Azure Virtual` in that order. If you enter `virtual` by itself, the search won't return the desired application.

+- Service Fabric ΓÇô [Linux](../service-fabric/service-fabric-tutorial-create-vnet-and-linux-cluster.md#service-fabric-extension)

+The supported method of installing and upgrading the Azure Linux VM Agent uses an RPM or a DEB package from your distribution's package repository. All the [endorsed distribution providers](../linux/endorsed-distros.md) integrate the Azure Linux VM Agent package into their images and repositories.

+Some Linux distributions might disable the Azure Linux VM Agent **Auto Update** feature and some of the repositories might also contain older versions, those might have issues with modern extensions so, we recommend to have the latest stable version installed.

+To make sure the Azure Linux VM Agent is updating properly we recommend having the option `AutoUpdate.Enabled=Y` in the `/etc/waagent.conf` file or simply commenting out that option will result in its defaults too. Having `AutoUpdate.Enabled=N` will not allow the Azure Linux VM Agent to update properly.

+For advanced installation options, such as installing from a source or to custom locations or prefixes, see [Microsoft Azure Linux VM Agent](https://github.com/Azure/WALinuxAgent). Other than these scenarios, we do not support or recommend upgrading or reinstalling the Azure Linux VM Agent from source.

+- The [NC 100 v4-series](nc-a100-v4-series.md) sizes are focused on midrange AI training and batch inference workload. The NC A100 v4-series offers flexibility to select one, two, or four NVIDIA A100 80GB PCIe Tensor Core GPUs per VM to leverage the right-size GPU acceleration for your workload.

+- The [ND A100 v4-series](nda100-v4-series.md) sizes are focused on scale-up and scale-out deep learning training and accelerated HPC applications. The ND A100 v4-series uses 8 NVIDIA A100 TensorCore GPUs, each available with a 200 Gigabit Mellanox InfiniBand HDR connection and 40 GB of GPU memory.

+- [NGads V620-series](ngads-v-620-series.md) VM sizes are optimized for high performance, interactive gaming experiences hosted in Azure. They're powered by AMD Radeon PRO V620 GPUs and AMD EPYC 7763 (Milan) CPUs.

+In this article, you learn about cross-tenant support in Azure Virtual Network Manager. Cross-tenant supports allows organizations to use a central Network Manager instance for managing virtual networks across different tenants and subscriptions.

+Cross-tenant support in Azure Virtual Network Manager allows you to add subscriptions or management groups from other tenants to your network manager. This is done by establishing a two-way connection between the network manager and target tenants. Once connected, the central manager can deploy connectivity and/or security admin rules to virtual networks across those connected subscriptions or management groups. This support assists organizations that fit the following scenarios:

+- Managed service provider ΓÇô In managed service provider scenarios, an organization can manage the resources of other organizations. Cross-tenant support allows central management of virtual networks by a central service provider for multiple clients.

+Once both cross-tenant connections exist and the scopes are exactly the same, a true connection is established. Administrators can use their network manager to add cross-tenant resources to their [network groups](concept-network-groups.md) and to manage virtual networks included in the connection scope. Existing connectivity and/or security admin rules are applied to the resources based on existing configurations.

+A cross-tenant connection can only be established and maintained when both objects from each party exist. When one of the connections is removed, the cross-tenant connection is broken. If you need to delete a cross-tenant connection, you perform the following:

+- Remove cross-tenant connection from the network manager side via Cross-tenant connections settings in the Azure portal.

+- Remove cross-tenant connection from the tenant side via Virtual network manager hub's Cross-tenant connections settings in the Azure portal.

+* Pending: One of the two approval resources hasn't been created. The scope hasn't yet been added to the Network Manager's scope.

+* Conflict: There's already a network manager with this subscription or management group defined within its scope. Two network managers with the same scope access can't directly manage the same scope, therefore this subscription/management group can't be added to the Network Manager scope. To resolve the conflict, remove the scope from the conflicting network manager's scope and recreate the connection resource.

+| **Scuba** | Data connectors for Microsoft security products (Sentinel, Defender, etc). | Inbound | No | No|

+| **SerialConsole** | Limit access to boot diagnostics storage accounts from only Serial Console service tag | Inbound | No | Yes |

+A virtual hub route table can contain one or more routes. A route includes its name, a label, a destination type, a list of destination prefixes, and next hop information for a packet to be routed. A **Connection** typically has a routing configuration that associates or propagates to a route table.

+Routing Intent and Routing policies allow you to configure your Virtual WAN hub to send Internet-bound and Private (Point-to-site, Site-to-site, ExpressRoute, Network Virtual Appliances inside the Virtual WAN Hub and Virtual Network) Traffic via an Azure Firewall, Next-Generation Firewall NVA or software-as-a-service solution deployed in the Virtual WAN hub. There are two types of Routing Policies: Internet Traffic and Private Traffic Routing Policies. Each Virtual WAN Hub can have, at most, one Internet Traffic Routing Policy and one Private Traffic Routing Policy, each with a Next Hop resource.

+Each connection is associated to one route table. Associating a connection to a route table allows the traffic (from that connection) to be sent to the destination indicated as routes in the route table. The routing configuration of the connection shows the associated route table. Multiple connections can be associated to the same route table. All VPN, ExpressRoute, and User VPN connections are associated to the same (default) route table.

+* You can specify multiple next hop IP addresses on a single Virtual Network connection. However, Virtual Network Connection doesn't support ΓÇÿmultiple/uniqueΓÇÖ next hop IP to the ΓÇÿsameΓÇÖ network virtual appliance in a SPOKE Virtual Network 'if' one of the routes with next hop IP is indicated to be public IP address or 0.0.0.0/0 (internet)

+* While it's true that 2 hubs on the same virtual WAN will announce routes to each other (as long as the propagation is enabled to the same labels), this only applies to dynamic routing. Once you define a static route, this isn't the case.

+1. In the left pane, under Routing, select **Route-Maps**.

+1. Select **Route Map Dashboard** from the Settings section to open the **Route Map Dashboard**.

+* [About Route Maps](route-maps-about.md)

+The Virtual WAN architecture is a hub and spoke architecture with scale and performance built in for branches (VPN/SD-WAN devices), users (Azure VPN/OpenVPN/IKEv2 clients), ExpressRoute circuits, and virtual networks. It enables a [global transit network architecture](virtual-wan-global-transit-network-architecture.md), where the cloud hosted network 'hub' enables transitive connectivity between endpoints that might be distributed across different types of 'spokes'.

+* ExpressRoute Global Reach and Virtual WAN

+* Branch-to-VNet secure transit (c)

+* Branch-to-VNet secure transit across Virtual hubs (g), supported with [Routing Intent](../virtual-wan/how-to-routing-policies.md)

+* VNet-to-VNet secure transit across Virtual Hubs (h), supported with [Routing Intent](../virtual-wan/how-to-routing-policies.md)

+* Branch-to-Branch secure transit (b), supported with [Routing Intent](../virtual-wan/how-to-routing-policies.md)

+* Branch-to Branch secure transit across Virtual Hubs (f), supported with [Routing Intent](../virtual-wan/how-to-routing-policies.md)

+### VNet-to-VNet secured transit (e), VNet-to-VNet secure transit cross-region(h)

+The VNet-to-VNet secured transit enables VNets to connect to each other via security appliances (Azure Firewall, select NVA and SaaS) deployed in the Virtual WAN hub.

+The VNet-to-Internet enables VNets to connect to the internet via the via security appliances (Azure Firewall, select NVA and SaaS) in the virtual WAN hub. Traffic to internet via supported third-party security services doesn't flow through a security appliance and is routed straight to the third-party security service. You can configure Vnet-to-Internet path via supported third-party security service using Azure Firewall Manager.

+The Branch-to-Internet enables branches to connect to the internet via the Azure Firewall in the virtual WAN hub. Traffic to internet via supported third-party security services doesn't flow through a security appliance and is routed straight to the third-party security service. You can configure Branch-to-Internet path via supported third-party security service using Azure Firewall Manager.

+### Branch-to-branch secured transit, Branch-to-branch secured transit cross-region (b), (f)

+Branches can be connected to a secured virtual hub with Azure Firewall using ExpressRoute circuits and/or site-to-site VPN connections. You can connect the branches to the virtual WAN hub that is in the region closest to the branch. Configuring [Routing Intent](../virtual-wan/how-to-routing-policies.md) on Virtual WAN hubs allows for branch-to-branch same hub or branch-to-branch inter-hub/inter-region inspection by security appliances (Azure Firewall, select NVA and SaaS) deployed in the Virtual WAN Hub.

+### Branch-to-VNet secured transit (c), Branch-to-VNet secured transit cross-region (g)

+The Branch-to-VNet secured transit enables branches to communicate with virtual networks in the same region as the virtual WAN hub as well as another virtual network connected to another virtual WAN hub in another region (inter-hub traffic inspection supported only with [Routing Intent](../virtual-wan/how-to-routing-policies.md)).