+API Management provides the capability to secure access to APIs (that is, client to API Management) using client certificates and mutual TLS authentication. You can validate certificates presented by the connecting client and check certificate properties against desired values using policy expressions.

+For information about securing access to the backend service of an API using client certificates (that is, API Management to backend), see [How to secure back-end services using client certificate authentication](./api-management-howto-mutual-certificates.md).

+## Certificate options

+For certificate validation, API Management can check against certificates managed in your API Management instance. If you choose to use API Management to manage client certificates, you have the following options:

+* Reference a certificate managed in [Azure Key Vault](../key-vault/general/overview.md)

+* Add a certificate file directly in API Management

+Using key vault certificates is recommended because it helps improve API Management security:

+* Certificates stored in key vaults can be reused across services

+* Granular [access policies](../key-vault/general/security-features.md#privileged-access) can be applied to certificates stored in key vaults

+* Certificates updated in the key vault are automatically rotated in API Management. After update in the key vault, a certificate in API Management is updated within 4 hours. You can also manually refresh the certificate using the Azure portal or via the management REST API.

+## Prerequisites

+* If you have not created an API Management service instance yet, see [Create an API Management service instance](get-started-create-service-instance.md).

+* You need access to the certificate and the password for management in an Azure key vault or upload to the API Management service. The certificate must be in **PFX** format. Self-signed certificates are allowed.

+ If you use a self-signed certificate, also install trusted root and intermediate [CA certificates](api-management-howto-ca-certificates.md) in your API Management instance.

+

+ > [!NOTE]

+ > CA certificates for certificate validation are not supported in the Consumption tier.

+## Enable API Management instance to receive and verify client certificates

+### Developer, Basic, Standard, or Premium tier

+To receive and verify client certificates over HTTP/2 in the Developer, Basic, Standard, or Premium tiers, you must enable the **Negotiate client certificate** setting on the **Custom domain** blade as shown below.

+### Consumption tier

+To receive and verify client certificates in the Consumption tier, you must enable the **Request client certificate** setting on the **Custom domains** blade as shown below.

+> To disable checking certificate revocation list, use `context.Request.Certificate.VerifyNoRevocation()` instead of `context.Request.Certificate.Verify()`.

+> To disable checking certificate revocation list, use `context.Request.Certificate.VerifyNoRevocation()` instead of `context.Request.Certificate.Verify()`.

+> To disable checking certificate revocation list, use `context.Request.Certificate.VerifyNoRevocation()` instead of `context.Request.Certificate.Verify()`.

+- [How to secure backend services using client certificate authentication](./api-management-howto-mutual-certificates.md)

+- [How to add a custom CA certificate in Azure API Management](./api-management-howto-ca-certificates.md)

+- Learn about [policies in API Management](api-management-howto-policies.md)

+API Management allows you to secure access to the backend service of an API using client certificates and mutual TLS authentication. This guide shows how to manage certificates in an Azure API Management service instance using the Azure portal. It also explains how to configure an API to use a certificate to access a backend service.

+* If you have not created an API Management service instance yet, see [Create an API Management service instance](get-started-create-service-instance.md).

+* You need access to the certificate and the password for management in an Azure key vault or upload to the API Management service. The certificate must be in **PFX** format. Self-signed certificates are allowed.

+ If you use a self-signed certificate:

+ * Install trusted root and intermediate [CA certificates](api-management-howto-ca-certificates.md) in your API Management instance.

+ > [!NOTE]

+ > CA certificates for certificate validation are not supported in the Consumption tier.

+ * [Disable certificate chain validation](#disable-certificate-chain-validation-for-self-signed-certificates)

+## Disable certificate chain validation for self-signed certificates

+* [How to add a custom CA certificate in Azure API Management](./api-management-howto-ca-certificates.md)

+## Prerequisites

+* If you have not created an API Management service instance yet, see [Create an API Management service instance](get-started-create-service-instance.md).

+ - If you don't already have a key vault, create one. For steps to create a key vault, see [Quickstart: Create a key vault using the Azure portal](../key-vault/general/quick-create-portal.md).

+ To create or import a secret to the key vault, see [Quickstart: Set and retrieve a secret from Azure Key Vault using the Azure portal](../key-vault/secrets/quick-create-portal.md).

+- Enable a system-assigned or user-assigned [managed identity](api-management-howto-use-managed-service-identity.md) in the API Management instance.

+### Add a key vault secret to API Management

+> [!IMPORTANT]

+> When adding a key vault secret to your API Management instance, you must have permissions to list secrets from the key vault.

+### Add a plain or secret value to API Management

+The following configurations are needed for API Management to access secrets and certificates from an Azure key vault.

+> [!WARNING]

+ 1. On the **Managed identities** page of your API Management instance, enable a system-assigned or user-assigned [managed identity](api-management-howto-use-managed-service-identity.md). Note the principal ID on that page.

+ 1. Assign permissions to the managed identity to access the key vault. Use steps in the following section.

+

+ [!INCLUDE [api-management-key-vault-access](../../includes/api-management-key-vault-access.md)]

+- [Manage your alerts programmatically](alerts-manage-alert-instances.md#manage-your-alerts-programmatically)

+## Virtual network changes

+Knowing what changed in your application's networking resources is critical due to their effect on connectivity, availability, and performance. Change Analysis supports all network resource changes and captures those changes immediately. Networking changes include:

+- Firewalls created or edited

+- Network critical changes (for example, blocking port 22 for TCP connections)

+- Load balancer changes

+- Virtual network changes

+The sample application includes a virtual network to make sure the application remains secure. Via the Azure portal, you can view and assess the network changes captured by Change Analysis.

+> This solution is no longer in active development and may not work as expected. We suggest you try using [Azure Resource Graph to query Azure Monitor alerts](../alerts/alerts-manage-alert-instances.md#manage-your-alerts-programmatically).

+- Custom logs created via [HTTP Data Collector API](./data-collector-api.md), or 'dataSources' API won't be supported in export. This includes text logs consumed by MMA. Custom log created using [data collection rule](./logs-ingestion-api-overview.md) can be exported, including text based logs.

+For the `-c backup` command, AzAcSnap writes to a *\*.result* file. The purpose of the *\*.result* file is to provide high-level confirmation of success/failure. If the *\*.result* file is empty, then assume failure. Any output written to the *\*.result* file is also output to the system log (for example, `/var/log/messages`) by using the `logger` command. The *\*.result* filename has the same base name as the log file to allow for matching the result file with the configuration file and the backup log file. The *\*.result* file goes into the same location as the other log files and is a simple one line output file, such as the following example:

+Azure SQL Edge is a relational database engine optimized for IoT and Azure IoT Edge deployments. It provides capabilities to create a high-performance data storage and processing layer for IoT applications and solutions. This quickstart shows you how to get started with creating an Azure SQL Edge module through Azure IoT Edge using the Azure portal.

+- If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/).

+- Sign in to the [Azure portal](https://portal.azure.com/).

+- Create an [Azure IoT Hub](../iot-hub/iot-hub-create-through-portal.md).

+- Create an [Azure IoT Edge device](../iot-edge/how-to-provision-single-device-linux-symmetric.md).

+Azure Marketplace is an online applications and services marketplace where you can browse through a wide range of enterprise applications and solutions that are certified and optimized to run on Azure, including [IoT Edge modules](https://azuremarketplace.microsoft.com/marketplace/apps/category/internet-of-things?page=1&subcategories=iot-edge-modules). Azure SQL Edge can be deployed to an edge device through the marketplace.

+1. Find the Azure SQL Edge module on the Azure Marketplace.

+ :::image type="content" source="media/deploy-portal/find-offer-marketplace.png" alt-text="Screenshot of SQL Edge in the Azure Marketplace.":::

+ | | |

+ | **Subscription** | The Azure subscription under which the IoT Hub was created |

+ | **IoT Hub** | Name of the IoT Hub where the IoT Edge device is registered and then select "Deploy to a device" option |

+ | **IoT Edge Device Name** | Name of the IoT Edge device where SQL Edge would be deployed |

+1. On the **Set Modules on device:** page, select the Azure SQL Edge module under **IoT Edge Modules**. The default module name is set to *AzureSQLEdge*.

+1. On the *Environment Variables* section of the **Update IoT Edge Module** pane, specify the desired values for the environment variables. For a complete list of Azure SQL Edge environment variables, see [Configure using environment variables](configure.md#configure-by-using-environment-variables). The following default environment variables are defined for the module.

+ | **Parameter** | **Description** |

+ | | |

+ | MSSQL_SA_PASSWORD | Change the default value to specify a strong password for the SQL Edge admin account. |

+ | MSSQL_LCID | Change the default value to set the desired language ID to use for SQL Edge. For example, 1036 is French. |

+ | MSSQL_COLLATION | Change the default value to set the default collation for SQL Edge. This setting overrides the default mapping of language ID (LCID) to collation. |

+ If you need to deploy more than one SQL Edge module, ensure that you update the mounts option to create a new source and target pair for the persistent volume. For more information on mounts and volume, refer [Use volumes](https://docs.docker.com/storage/volumes/) on Docker documentation.

+ "HostConfig": {

+ "CapAdd": [

+ "SYS_PTRACE"

+ ],

+ "Binds": [

+ "sqlvolume:/sqlvolume"

+ ],

+ "PortBindings": {

+ "1433/tcp": [

+ {

+ "HostPort": "1433"

+ }

+ ]

+ },

+ "Mounts": [

+ {

+ "Type": "volume",

+ "Source": "sqlvolume",

+ "Target": "/var/opt/mssql"

+ }

+ ]

+ },

+ "Env": [

+ "MSSQL_AGENT_ENABLED=TRUE",

+ "ClientTransportType=AMQP_TCP_Only",

+ "PlanId=asde-developer-on-iot-edge"

+ ]

+ > Do not change the `PlanId` environment variable defined in the create config setting. If this value is changed, the Azure SQL Edge container will fail to start.

+The following steps use the Azure SQL Edge command-line tool, **sqlcmd**, inside the container to connect to Azure SQL Edge.

+> SQL Server command line tools, including **sqlcmd**, are not available inside the ARM64 version of Azure SQL Edge containers.

+1. Use the `docker exec -it` command to start an interactive bash shell inside your running container. In the following example, `AzureSQLEdge` is name specified by the `Name` parameter of your IoT Edge Module.

+You can connect and run SQL queries against your Azure SQL Edge instance from any external Linux, Windows, or macOS tool that supports SQL connections. For more information on connecting to a SQL Edge container from outside, refer [Connect and Query Azure SQL Edge](./connect.md).

+In this quickstart, you deployed a SQL Edge Module on an IoT Edge device.

+This image consists of SQL Edge based on Ubuntu 18.04. It can be used with the Docker Engine 1.8+ on Linux.

+Azure SQL Edge containers aren't supported on the following platforms for production workloads:

+- Windows

+- macOS

+- Azure IoT Edge for Linux on Windows (EFLOW)

+- Docker Engine 1.8+ on any supported Linux distribution. For more information, see [Install Docker](https://docs.docker.com/engine/installation/). Since the SQL Edge images are based on Ubuntu 18.04, we recommended that you use an Ubuntu 18.04 Docker host.

+- Docker **overlay2** storage driver. This is the default for most users. If you find that you aren't using this storage provider and need to change, see the instructions and warnings in the [Docker documentation for configuring overlay2](https://docs.docker.com/storage/storagedriver/overlayfs-driver/#configure-docker-with-the-overlay-or-overlay2-storage-driver).

+> [!NOTE]

+> For the bash commands in this article `sudo` is used. If you don't want to use `sudo` to run Docker, you can configure a Docker group and add users to that group. For more information, see [Post-installation steps for Linux](https://docs.docker.com/engine/install/linux-postinstall/).

+ ```bash

+ sudo docker pull mcr.microsoft.com/azure-sql-edge:latest

+ ```

+ The previous command pulls the latest SQL Edge container image. To see all available images, see the [azure-sql-edge Docker hub page](https://hub.docker.com/_/microsoft-azure-sql-edge).

+1. To run the container image with Docker, use the following command from a bash shell:

+ - Start an Azure SQL Edge instance running as the Developer edition:

+ ```bash

+ sudo docker run --cap-add SYS_PTRACE -e 'ACCEPT_EULA=1' -e 'MSSQL_SA_PASSWORD=yourStrong(!)Password' -p 1433:1433 --name azuresqledge -d mcr.microsoft.com/azure-sql-edge

+ ```

+ - Start an Azure SQL Edge instance running as the Premium edition:

+ ```bash

+ sudo docker run --cap-add SYS_PTRACE -e 'ACCEPT_EULA=1' -e 'MSSQL_SA_PASSWORD=yourStrong(!)Password' -e 'MSSQL_PID=Premium' -p 1433:1433 --name azuresqledge -d mcr.microsoft.com/azure-sql-edge

+ ```

+ > [!IMPORTANT]

+ > The password should follow the Microsoft SQL Database Engine default password policy, otherwise the container can't set up the SQL Database Engine and will stop working. By default, the password must be at least 8 characters long and contain characters from three of the following four sets: uppercase letters, lowercase letters, base-10 digits, and symbols. You can examine the error log by executing the [docker logs](https://docs.docker.com/engine/reference/commandline/logs/) command.

+ The following table provides a description of the parameters in the previous `docker run` examples:

+ | Parameter | Description |

+ | | |

+ | **-e "ACCEPT_EULA=Y"** | Set the **ACCEPT_EULA** variable to any value to confirm your acceptance of the [End-User Licensing Agreement](https://go.microsoft.com/fwlink/?linkid=2139274). Required setting for the SQL Edge image. |

+ | **-e "MSSQL_SA_PASSWORD=yourStrong(!)Password"** | Specify your own strong password that is at least 8 characters and meets the [Azure SQL Edge password requirements](/sql/relational-databases/security/password-policy). Required setting for the SQL Edge image. |

+ | **-p 1433:1433** | Map a TCP port on the host environment (first value) with a TCP port in the container (second value). In this example, SQL Edge is listening on TCP 1433 in the container and this is exposed to the port, 1433, on the host. |

+ | **--name azuresqledge** | Specify a custom name for the container rather than a randomly generated one. If you run more than one container, you can't reuse this same name. |

+ | **-d** | Run the container in the background (daemon) |

+ For a complete list of all Azure SQL Edge environment variable, see [Configure Azure SQL Edge with Environment Variables](configure.md#configure-by-using-environment-variables).You can also use a [mssql.conf file](configure.md#configure-by-using-an-mssqlconf-file) to configure SQL Edge containers.

+1. To view your Docker containers, use the `docker ps` command.

+1. If the **STATUS** column shows a status of **Up**, then SQL Edge is running in the container and listening on the port specified in the **PORTS** column. If the **STATUS** column for your SQL Edge container shows **Exited**, see the Troubleshooting section of Azure SQL Edge documentation.

+ The `-h` (host name) parameter is also useful, but it isn't used in this tutorial for simplicity. This changes the internal name of the container to a custom value. This is the name you'll see returned in the following Transact-SQL query:

+ ```sql

+ SELECT @@SERVERNAME,

+ SERVERPROPERTY('ComputerNamePhysicalNetBIOS'),

+ SERVERPROPERTY('MachineName'),

+ SERVERPROPERTY('ServerName')

+ ```

+ Setting `-h` and `--name` to the same value is a good way to easily identify the target container.

+1. As a final step, change your SA password because the `MSSQL_SA_PASSWORD` is visible in `ps -eax` output and stored in the environment variable of the same name. See the following steps.

+The **SA** account is a system administrator on the Azure SQL Edge instance that gets created during setup. After creating your SQL Edge container, the `MSSQL_SA_PASSWORD` environment variable you specified is discoverable by running `echo $MSSQL_SA_PASSWORD` in the container. For security purposes, change your SA password.

+1. Use `docker exec` to run **sqlcmd** to change the password using Transact-SQL. In the following example, replace the old password, `<YourStrong!Passw0rd>`, and the new password, `<YourNewStrong!Passw0rd>`, with your own password values.

+The following steps use the Azure SQL Edge command-line tool, **sqlcmd**, inside the container to connect to SQL Edge.

+> [!NOTE]

+> **sqlcmd** is not available inside the ARM64 version of SQL Edge containers.

+1. Use the `docker exec -it` command to start an interactive bash shell inside your running container. In the following example, `azuresqledge` is the name specified by the `--name` parameter when you created the container.

+1. Once inside the container, connect locally with sqlcmd. Sqlcmd isn't in the path by default, so you have to specify the full path.

+ > [!TIP]

+1. If successful, you should get to a **sqlcmd** command prompt: `1>`.

+The following sections walk you through using **sqlcmd** and Transact-SQL to create a new database, add data, and run a query.

+1. On the next line, write a query to return the name of all of the databases on your server:

+1. Create new table named `Inventory`:

+ CREATE TABLE Inventory (id INT, name NVARCHAR(50), quantity INT);

+1. Insert data into the new table:

+1. Type `GO` to execute the previous commands:

+1. Execute the command:

+1. To exit the interactive command-prompt in your container, type `exit`. Your container continues to run after you exit the interactive bash shell.

+You can also connect to the SQL Edge instance on your Docker machine from any external Linux, Windows, or macOS tool that supports SQL connections. For more information on connecting to a SQL Edge container from outside, refer [Connect and Query Azure SQL Edge](connect.md).

+If you want to remove the SQL Edge container used in this tutorial, run the following commands:

+> [!WARNING]

+> Stopping and removing a container permanently deletes any SQL Edge data in the container. If you need to preserve your data, [create and copy a backup file out of the container](backup-restore.md) or use a [container data persistence technique](configure.md#persist-your-data).

+## Next steps

+# Supported features of Azure SQL Edge

+ | **Plan** | **Description** |

+ | | |

+ | Azure SQL Edge Developer | For development only. Each Azure SQL Edge Developer container is limited to a maximum of 4 cores and 32 GB of RAM. |

+ | Azure SQL Edge | For production. Each Azure SQL Edge container is limited to a maximum of 8 cores and 64 GB of RAM. |

+Azure SQL Edge containers are based on Ubuntu 18.04, and as such are only supported to run on Docker hosts running either Ubuntu 18.04 LTS (recommended) or Ubuntu 20.04 LTS. It's possible to run Azure SQL Edge containers on other operating system hosts, for example, it can run on other distributions of Linux or on Windows (using Docker CE or Docker EE), however Microsoft doesn't recommend that you do this, as this configuration may not be extensively tested.

+Azure SQL Edge requires a 64-bit processor (either x64 or ARM64), with a minimum of 1 CPU and 1 GB of RAM on the host. While the startup memory footprint of Azure SQL Edge is close to 450 MB, the additional memory is needed for other IoT Edge modules or processes running on the edge device. The actual memory and CPU requirements for Azure SQL Edge will vary based on the complexity of the workload and volume of data being processed. When choosing hardware for your solution, Microsoft recommends that you run extensive performance tests to ensure that the required performance characteristics for your solution are met.

+In addition to supporting a subset of features of SQL Server on Linux, Azure SQL Edge includes support for the following new features:

+- SQL streaming, which is based on the same engine that powers Azure Stream Analytics, provides real-time data streaming capabilities in Azure SQL Edge.

+| | |

+| | `HierarchyID` data type, and related DDL commands and Transact-SQL functions, catalog views, and dynamic management views. |

+| | `Spatial` data type, and related DDL commands and Transact-SQL functions, catalog views, and dynamic management views. |

+| | Stretch DB, and related DDL commands and Transact-SQL functions, catalog views, and dynamic management views. |

+| | Full-text indexes and search, and related DDL commands and Transact-SQL functions, catalog views, and dynamic management views. |

+| | `FileTable`, `FILESTREAM`, and related DDL commands and Transact-SQL functions, catalog views, and dynamic management views. |

+| **Database Engine** | Replication. You can configure Azure SQL Edge as a push subscriber of a replication topology. |

+| | PolyBase. You can configure Azure SQL Edge as a target for external tables in PolyBase. |

+| | Language extensibility through Java and Spark. |

+| | Active Directory integration. |

+| | Database Auto Shrink. The Auto shrink property for a database can be set using the `ALTER DATABASE <database_name> SET AUTO_SHRINK ON` command, however that change has no effect. The automatic shrink task won't run against the database. Users can still shrink the database files using the 'DBCC' commands. |

+| | Database snapshots. |

+| | Support for persistent memory. |

+| | Microsoft Distributed Transaction Coordinator. |

+| | Resource governor and IO resource governance. |

+| | Buffer pool extension. |

+| | Distributed query with third-party connections. |

+| | Linked servers. |

+| | System extended stored procedures (such as `XP_CMDSHELL`). |

+| | CLR assemblies, and related DDL commands and Transact-SQL functions, catalog views, and dynamic management views. |

+| | CLR-dependent T-SQL functions, such as `ASSEMBLYPROPERTY`, `FORMAT`, `PARSE`, and `TRY_PARSE`. |

+| | CLR-dependent date and time catalog views, functions, and query clauses. |

+| | Buffer pool extension. |

+| | Database mail. |

+| | Service Broker |

+| | Policy Based Management |

+| | Management Data Warehouse |

+| | Contained Databases |

+| **SQL Server Agent** | Subsystems: CmdExec, PowerShell, Queue Reader, SSIS, SSAS, and SSRS. |

+| | Alerts. |

+| | Managed backup. |

+| **High Availability** | Always On availability groups. |

+| | Basic availability groups. |

+| | Always On failover cluster instance. |

+| | Database mirroring. |

+| | Hot add memory and CPU. |

+| | Active Directory integration. |

+| | Support for secure enclaves. |

+| | Machine Learning through R and Python. |

+| | StreamInsight. |

+| | Analysis Services. |

+| | Reporting Services. |

+| | Data Quality Services. |

+| | Master Data Services. |

+| | Distributed Replay. |

+- [Backup and restore databases in Azure SQL Edge](backup-restore.md)

+The [Translator][tr-containers] container image can be found on the `mcr.microsoft.com` container registry syndicate. It resides within the `azure-cognitive-services/translator` repository and is named `text-translation`. The fully qualified container image name is `mcr.microsoft.com/azure-cognitive-services/translator/text-translation`.

+| `latest` | Docker Hub URL: https://hub.docker.com/_/microsoft-azure-cognitive-services-translator-text-translation |

+URI: `https://management.azure.com/subscriptions/<subscriptionId>/providers/Microsoft.Security/settings/WDATP_UNIFIED_SOLUTION?api-version=2022-05-01`

+Azure Front Door is a modern content delivery network (CDN), with dynamic site acceleration and load balancing capabilities. When caching is configured on your route, the edge site that receives each request checks its cache for a valid response. Caching helps to reduce the amount of traffic sent to your origin server. If no cached response is available, the request is forwarded to the origin.

+Each Front Door edge site manages its own cache, and requests might be served by different edge sites. As a result, you might still see some traffic reach your origin, even if you served cached responses.

+Only requests that use the `GET` request method are cacheable. All other request methods are always proxied through the network.

+Azure Front Door delivers large files without a cap on file size. If caching is enabled, Front Door uses a technique called *object chunking*. When a large file is requested, Front Door retrieves smaller pieces of the file from the origin. After receiving a full or byte-range file request, the Front Door environment requests the file from the origin in chunks of 8 MB.

+After the chunk arrives at the Front Door environment, it's cached and immediately served to the user. Front Door then pre-fetches the next chunk in parallel. This pre-fetch ensures that the content stays one chunk ahead of the user, which reduces latency. This process continues until the entire file gets downloaded (if requested) or the client closes the connection. For more information on the byte-range request, read [RFC 7233](https://www.rfc-editor.org/info/rfc7233).

+Front Door caches any chunks as they're received so the entire file doesn't need to be cached on the Front Door cache. Ensuing requests for the file or byte ranges are served from the cache. If the chunks aren't all cached, pre-fetching is used to request chunks from the origin. This optimization relies on the origin's ability to support byte-range requests. If the origin doesn't support byte-range requests, this optimization isn't effective.

+If a request supports gzip and Brotli compression, Brotli compression takes precedence.

+When a request for an asset specifies compression and the request results in a cache miss, Azure Front Door (classic) does compression of the asset directly on the POP server. Afterward, the compressed file is served from the cache. The resulting item is returned with a `Transfer-Encoding: chunked` response header.

+If the origin uses Chunked Transfer Encoding (CTE) to send compressed data to the Azure Front Door PoP, then response sizes greater than 8 MB aren't supported.

+> Range requests may be compressed into different sizes. Azure Front Door requires the content-length values to be the same for any GET HTTP request. If clients send byte range requests with the `Accept-Encoding` header that leads to the Origin responding with different content lengths, then Azure Front Door will return a 503 error. You can either disable compression on the origin, or create a Rules Engine rule to remove the `Accept-Encoding` header from the request for byte range requests.

+With Azure Front Door, you can control how files are cached for a web request that contains a query string.

+In a web request with a query string, the query string is that portion of the request that occurs after a question mark (`?`). A query string can contain one or more key-value pairs, in which the field name and its value are separated by an equals sign (`=`). Each key-value pair is separated by an ampersand (&).

+For example, the URL `http://www.contoso.com/content.mov?field1=value1&field2=value2` contains two query strings:

+- `field1`, with a value of `value1`.

+- `field2`, with a value of `value2`.

+If there's more than one key-value pair in a query string of a request then their order doesn't matter.

+When you configure caching, you specify how the cache should handle query strings. The following behaviors are supported:

+* **Ignore query strings**: In this mode, Azure Front Door passes the query strings from the client to the origin on the first request and caches the asset. All ensuing requests for the asset that are served from the Front Door environment ignore the query strings until the cached asset expires.

+* **Cache every unique URL**: In this mode, each request with a unique URL, including the query string, is treated as a unique asset with its own cache. For example, the response from the origin for a request for `www.example.ashx?q=test1` is cached at the Front Door environment and returned for ensuing caches with the same query string. A request for `www.example.ashx?q=test2` is cached as a separate asset with its own time-to-live setting.

+* **Specify cache key query string** behavior to include or exclude specified parameters when the cache key is generated.

+ For example, suppose that the default cache key is `/foo/image/asset.html`, and a request is made to the URL `https://contoso.com//foo/image/asset.html?language=EN&userid=100&sessionid=200`. If there's a rules engine rule to exclude the `userid` query string parameter, then the query string cache key would be `/foo/image/asset.html?language=EN&sessionid=200`.

+Configure the query string behavior on the Front Door route.

+The following order of headers is used to determine how long an item will be stored in our cache:

+1. `Cache-Control: s-maxage=<seconds>`

+1. `Cache-Control: max-age=<seconds>`

+1. `Expires: <http-date>`

+Some `Cache-Control` response header values indicate that the response isn't cacheable. These values include `private`, `no-cache`, and `no-store`. Front Door honors these header values and won't cache the responses, even if you override the caching behavior by using the Rules Engine.

+If the `Cache-Control` header isn't present on the response from the origin, by default Front Door will randomly determine a cache duration between one and three days.

+The following request headers won't be forwarded to the origin when caching is enabled:

+- `Content-Length`

+- `Transfer-Encoding`

+- `Accept`

+- `Accept-Charset`

+- `Accept-Language`

+If the origin response is cacheable, then the `Set-Cookie` header is removed before the response is sent to the client. If an origin response isn't cacheable, Front Door doesn't strip the header. For example, if the origin response includes a `Cache-Control` header with a `max-age` value, this indicates to Front Door that the response is cacheable, and the `Set-Cookie` header is stripped.

+In addition, Front Door attaches the `X-Cache` header to all responses. The `X-Cache` response header includes one of the following values:

+- `TCP_HIT` or `TCP_REMOTE_HIT`: The first 8MB chunk of the response is a cache hit, and the content is served from the Front Door cache.

+- `TCP_MISS`: The first 8MB chunk of the response is a cache miss, and the content is fetched from the origin.

+- `PRIVATE_NOSTORE`: Request can't be cached because the *Cache-Control* response header is set to either *private* or *no-store*.

+- `CONFIG_NOCACHE`: Request is configured to not cache in the Front Door profile.

+## Logs and reports

+The [Front Door Access Log](standard-premium/how-to-logs.md#access-log) includes the cache status for each request. Also, [reports](standard-premium/how-to-reports.md#caching) include information about how Front Door's cache is used in your application.

+Cache behavior and duration can be configured in Rules Engine. Rules Engine caching configuration always overrides the route configuration.

+* **When caching is disabled**, Azure Front Door doesnΓÇÖt cache the response contents, irrespective of the origin response directives.

+* **When caching is enabled**, the cache behavior is different based on the cache behavior value applied by the Rules Engine:

+ * **Honor origin**: Azure Front Door will always honor origin response header directive. If the origin directive is missing, Azure Front Door will cache contents anywhere from one to three days.

+> * Azure Front Door makes no guarantees about the amount of time that the content is stored in the cache. Cached content may be removed from the edge cache before the content expiration if the content is not frequently used. Front Door might be able to serve data from the cache even if the cached data has expired. This behavior can help your site to remain partially available when your origins are offline.

+* **When caching is disabled**, Azure Front Door (classic) doesnΓÇÖt cache the response contents, irrespective of origin response directives.

+* **When caching is enabled**, the cache behavior is different for different values of *Use cache default duration*.

+ * When *Use cache default duration* is set to **Yes**, Azure Front Door (classic) will always honor origin response header directive. If the origin directive is missing, Front Door will cache contents anywhere from one to three days.

+> * Azure Front Door (classic) makes no guarantees about the amount of time that the content is stored in the cache. Cached content may be removed from the edge cache before the content expiration if the content is not frequently used. Azure Front Door (classic) might be able to serve data from the cache even if the cached data has expired. This behavior can help your site to remain partially available when your origins are offline.

+> * The *cache duration* set in the Front Door designer routing rule is the **minimum cache duration**. This override won't work if the cache control header from the origin has a greater TTL than the override value.

+Any headers sent to Azure Front Door from the backend are also passed through to the client. Front Door also attaches the following headers to all responses to the client:

+| X-Cache | *X-Cache:* This header describes the caching status of the request. For more information, see [Caching with Azure Front Door](front-door-caching.md#response-headers). |

+ Title: 'Configure caching - Azure Front Door'

+description: This article shows you how to configure caching on Azure Front Door.

+# Configure caching on Azure Front Door

+This article shows you how to configure caching on Azure Front Door. To learn more about caching, see [Caching with Azure Front Door](front-door-caching.md).

+## Prerequisites

+Before you can create an Azure Front Door endpoint with Front Door manager, you must have an Azure Front Door profile created. The profile must have at least one or more endpoints. To organize your Azure Front Door endpoints by internet domains, web applications, or other criteria, you can use multiple profiles.

+To create an Azure Front Door profile and endpoint, see [Create an Azure Front Door profile](create-front-door-portal.md).

+## Configure caching by using the Azure portal

+1. Sign in to the [Azure portal](https://portal.azure.com?azure-portal=true) and navigate to your Azure Front Door profile.

+1. Select **Front Door manager** and then select your route.

+

+ :::image type="content" source="./media/how-to-configure-caching/select-route.png" alt-text="Screenshot of endpoint landing page.":::

+1. Select **Enable caching**.

+1. Specify the query string caching behavior. For more information, see [Caching with Azure Front Door](front-door-caching.md#query-string-behavior).

+1. Optionally, select **Enable compression** for Front Door to compress responses to the client.

+1. Select **Update**.

+ :::image type="content" source="./media/how-to-configure-caching/update-route.png" alt-text="Screenshot of route with caching configured.":::

+## Next steps

+* Learn about the use of [origins and origin groups](origin.md) in an Azure Front Door configuration.

+* Learn about [rules match conditions](rules-match-conditions.md) in an Azure Front Door rule set.

+* Learn more about [policy settings](../web-application-firewall/afds/waf-front-door-policy-settings.md) for WAF with Azure Front Door.

+* Learn how to create [custom rules](../web-application-firewall/afds/waf-front-door-custom-rules.md) to protect your Azure Front Door profile.

+> Range requests may be compressed into different sizes. Azure Front Door requires the `Content-Length` response header values to be the same for any GET HTTP request. If clients send byte range requests with the `Accept-Encoding` header that leads to the origin responding with different content lengths, then Azure Front Door returns a 503 error. You can either disable compression on the origin/Azure Front Door, or create a Rules Engine rule to remove the `Accept-Encoding` header from byte range requests.

+* In Front Door manager.

+### Enable compression in Front Door manager

+1. From the Azure Front Door Standard/Premium profile page, go to **Front Door manager** and select the endpoint you want to enable compression.

+1. Within the endpoint, select the **route** you want to enable compression on.

+ :::image type="content" source="../media/how-to-compression/front-door-compression-endpoint-manager-1.png" alt-text="Screenshot of the Front Door manager landing page." lightbox="../media/how-to-compression/front-door-compression-endpoint-manager-1-expanded.png":::

+1. Ensure **Enable caching** is checked, then select the checkbox for **Enable compression**.

+ :::image type="content" source="../media/how-to-compression/front-door-compression-endpoint-manager-2.png" alt-text="Screenshot of Front Door Manager showing the 'Enable compression' radio button.":::

+### Enable compression in Optimizations

+ :::image type="content" source="../media/how-to-compression/front-door-compression-optimization-1.png" alt-text="Screenshot of the Optimizations page." lightbox="../media/how-to-compression/front-door-compression-optimization-1-expanded.png":::

+1. Ensure **Enable caching** is checked, then select the checkbox for **Enable compression**.

+ :::image type="content" source="../media/how-to-compression/front-door-compression-endpoint-manager-2.png" alt-text="Screenshot of the Optimizations page showing the 'Enable compression' radio button.":::

+1. Select **Save** to update the compression configuration.

+* Disable compression in Front Door manager route.

+* Disable compression in Optimizations page.

+### Disable compression in Front Door manager

+1. From the Azure Front Door Standard/Premium profile page, go to **Front Door manager** under Settings.

+1. Select the **route** you want to disable compression on. Uncheck the **Enable compression** box.

+* Health probe logs provide the logs for every failed probe to your origin.

+* Web Application Firewall (WAF) logs provide detailed information of requests that gets logged through either detection or prevention mode of an Azure Front Door endpoint. A custom domain that gets configured with WAF can also be viewed through these logs. For more information on WAF logs, see [Azure Web Application Firewall monitoring and logging](../../web-application-firewall/afds/waf-front-door-monitor.md#waf-logs).

+Access logs, health probe logs and WAF logs aren't enabled by default. Use the steps below to enable logging. Activity log entries are collected by default, and you can view them in the Azure portal. Logs can have delays up to a few minutes.

+## Configure logs

+## Access log

+| HttpStatusCode | The HTTP status code returned from Azure Front Door. If a request to the origin times out, the value for HttpStatusCode is set to **0**.|

+| Cache Status | Provides the status code of how the request gets handled by the CDN service when it comes to caching. Possible values are:<ul><li>`HIT` and `REMOTE_HIT`: The HTTP request was served from the Front Door cache.</li><li>`MISS`: The HTTP request was served from the origin.</li><li> `PARTIAL_HIT`: Some of the bytes from a request were served from the Front Door cache, and some of the bytes were served from origin. This status occurs in [object chunking](../front-door-caching.md#delivery-of-large-files) scenarios.</li><li>`CACHE_NOCONFIG`: Request was forwarded without caching settings, including bypass scenario.</li><li>`PRIVATE_NOSTORE`: No cache configured in caching settings by customers.</li><li>`N/A`: The request was denied by a signed URL or the rules engine.</li></ul> |

+| TimeToFirstByte | The length of time in milliseconds from AFD receives the request to the time the first byte gets sent to client, as measured on Azure Front Door. This property doesn't measure the client data. |

+| ErrorInfo | This field provides detailed info of the error token for each response. Possible values are:<ul><li>`NoError`: Indicates no error was found.</li><li>`CertificateError`: Generic SSL certificate error.</li><li>`CertificateNameCheckFailed`: The host name in the SSL certificate is invalid or doesn't match.</li><li>`ClientDisconnected`: Request failure because of client network connection.</li><li>`ClientGeoBlocked`: The client was blocked due geographical location of the IP.</li><li>`UnspecifiedClientError`: Generic client error.</li><li>`InvalidRequest`: Invalid request. It might occur because of malformed header, body, and URL.</li><li>`DNSFailure`: DNS Failure.</li><li>`DNSTimeout`: The DNS query to resolve the backend timed out.</li><li>`DNSNameNotResolved`: The server name or address couldn't be resolved.</li><li>`OriginConnectionAborted`: The connection with the origin was disconnected abnormally.</li><li>`OriginConnectionError`: Generic origin connection error.</li><li>`OriginConnectionRefused`: The connection with the origin wasn't established.</li><li>`OriginError`: Generic origin error.</li><li>`OriginInvalidRequest`: An invalid request was sent to the origin.</li><li>`ResponseHeaderTooBig`: The origin returned a too large of a response header.</li><li>`OriginInvalidResponse`:` Origin returned an invalid or unrecognized response.</li><li>`OriginTimeout`: The timeout period for origin request expired.</li><li>`ResponseHeaderTooBig`: The origin returned a too large of a response header.</li><li>`RestrictedIP`: The request was blocked because of restricted IP.</li><li>`SSLHandshakeError`: Unable to establish connection with origin because of SSL hand shake failure.</li><li>`SSLInvalidRootCA`: The RootCA was invalid.</li><li>`SSLInvalidCipher`: Cipher was invalid for which the HTTPS connection was established.</li><li>`OriginConnectionAborted`: The connection with the origin was disconnected abnormally.</li><li>`OriginConnectionRefused`: The connection with the origin wasn't established.</li><li>`UnspecifiedError`: An error occurred that didnΓÇÖt fit in any of the errors in the table.</li></ul> |

+| OriginURL | The full URL of the origin where requests are being sent. Composed of the scheme, host header, port, path, and query string. <br> **URL rewrite**: If there's a URL rewrite rule in Rule Set, path refers to rewritten path. <br> **Cache on edge POP** If it's a cache hit on edge POP, the origin is N/A. <br> **Large request** If the requested content is large with multiple chunked requests going back to the origin, this field will correspond to the first request to the origin. For more information, see [Caching with Azure Front Door](../front-door-caching.md#delivery-of-large-files). |

+| OriginIP | The origin IP that served the request. <br> **Cache hit on edge POP** If it's a cache hit on edge POP, the origin is N/A. <br> **Large request** If the requested content is large with multiple chunked requests going back to the origin, this field will correspond to the first request to the origin. For more information, see [Caching with Azure Front Door](../front-door-caching.md#delivery-of-large-files) |

+| OriginName| The full DNS name (hostname in origin URL) to the origin. <br> **Cache hit on edge POP** If it's a cache hit on edge POP, the origin is N/A. <br> **Large request** If the requested content is large with multiple chunked requests going back to the origin, this field will correspond to the first request to the origin. For more information, see [Caching with Azure Front Door](../front-door-caching.md#delivery-of-large-files) |

+### Health probe log properties

+The following example shows a health probe log entry, in JSON format.

+```json

+{

+ "records": [

+ {

+ "time": "2021-02-02T07:15:37.3640748Z",

+ "properties": {

+ "healthProbeId": "9642AEA07BA64675A0A7AD214ACF746E",

+ "DNSLatencyMicroseconds": "1814"

+ }

+ }

+ ]

+}

+```

+## Activity logs

+* The requested content was cached on a Front Door PoP.

+<details>

+ <summary> Click to expand! </summary>

+> [!NOTE]

+> This is another option to using "SMART on FHIR using AHDS Samples OSS" mentioned above. SMART on FHIR Proxy option only enables EHR launch sequence.

+</details>

+

+## Next steps

+Now that you've learned about enabling SMART on FHIR functionality, see the search samples page for details about how to search using search parameters, modifiers, and other FHIR search methods.

+>[!div class="nextstepaction"]

+>[FHIR search examples](search-samples.md)

+

+

+## Next steps

+Now that you've learned about enabling SMART on FHIR functionality, see the search samples page for details about how to search using search parameters, modifiers, and other FHIR search methods.

+>[!div class="nextstepaction"]

+>[FHIR search examples](search-samples.md)

+

+Azure Peering Service is a networking service that enhances the connectivity to Microsoft cloud services such as Microsoft 365, Dynamics 365, software as a service (SaaS) services, Azure, or any Microsoft services accessible via the public internet. Microsoft has partnered with internet service providers (ISPs), internet exchange partners (IXPs), and software-defined cloud interconnect (SDCI) providers worldwide to provide reliable and high-performing public connectivity with optimal routing from the customer to the Microsoft network.

+For instructions on how to register a Peering Service, see [Create, change, or delete a Peering Service connection using the Azure portal](azure-portal.md).

+> Peering Service isn't a private connectivity product like Azure ExpressRoute or Azure VPN. For more information, see:

+> - [What is Azure ExpressRoute?](../expressroute/expressroute-introduction.md)

+> - [What is Azure VPN Gateway?](../vpn-gateway/vpn-gateway-about-vpngateways.md)

+ :::image type="content" source="./media/peering-service-about/peering-service-geo-shortest.png" alt-text="Diagram showing geo-redundancy.":::

+ :::image type="content" source="./media/peering-service-about/peering-service-cold-potato.png" alt-text="Diagram showing cold-potato routing.":::

+ Monitoring captures the events if there's any service degradation.

+ :::image type="content" source="./media/peering-service-about/peering-service-latency-report.png" alt-text="Diagram showing monitoring platform for Peering Service.":::

+- To register Peering Service, see [Create, change, or delete a Peering Service connection using the Azure portal](azure-portal.md).

+ Title: Configure search apps for Azure AD

+description: Acquire a token from Azure Active Directory to authorize search requests to an app built on Azure Cognitive Search.

+ :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-menu-generic.png" alt-text="Screenshot of Access control (IAM) page with Add role assignment menu open." border="true":::

+### Local testing

+User-assigned managed identities work only in Azure environments. If you run this code locally, `DefaultAzureCredential` will fall back to authenticating with your credentials. Make sure you've also given yourself the required access to the search service if you plan to run the code locally.

+1. Verify your account has role assignments to run all of the operations in the quickstart sample. To both create and query an index, you'll need "Search Index Data Reader" and "Search Index Data Contributor".

+1. Go to **Tools** > **Options** > **Azure Service Authentication** to choose your Azure sign-on account.

+You should now be able to run the project from Visual Studio on your local system, using role-based access control for authorization.

+> [!NOTE]

+> The Azure.Identity documentation has more details about `DefaultAzureCredential` and using [Azure AD authentication with the Azure SDK for .NET](/dotnet/api/overview/azure/identity-readme). `DefaultAzureCredential` is intended to simplify getting started with the SDK by handling common scenarios with reasonable default behaviors. Developers who want more control or whose scenario isn't served by the default settings should use other credential types.

+Key authentication is built in so no action is required. By default, the portal uses API keys to authenticate the request automatically. However, if you [disable API keys](search-security-rbac.md#disable-api-key-authentication) and set up role assignments, the portal uses role assignments instead.

+In Cognitive Search, most tasks can be performed in Azure portal, including object creation, indexing through the Import data wizard, and queries through Search explorer.

+Set API keys in the request header using the following syntax:

+```azurepowershell

+$headers = @{

+'api-key' = '<YOUR-ADMIN-OR-QUERY-API-KEY>'

+'Content-Type' = 'application/json'

+'Accept' = 'application/json' }

+```

+Set an admin key in the request header using the syntax `api-key` equal to your key. Admin keys are used for most operations, including create, delete, and update. Admin keys are also used on requests issued to the search service itself, such as listing objects or requesting service statistics. see [Connect to Azure Cognitive Search using REST APIs](search-get-started-rest.md#connect-to-azure-cognitive-search) for a more detailed example.

+Query keys are used for search, suggestion, or lookup operations that target the `index/docs` collection. For POST, set `api-key` in the request header. Or, put the key on the URI for a GET: `GET /indexes/hotels/docs?search=*&$orderby=lastRenovationDate desc&api-version=2020-06-30&api-key=[query key]`

+1. Install the `Az.Search` module:

+ Title: Connect using Azure roles

+# Connect to Azure Cognitive Search using Azure role-based access control (Azure RBAC)

+Microsoft Azure Attestation is a unified solution for remotely verifying the trustworthiness of a platform and integrity of the binaries running inside it. The service receives evidence from the platform, validates it with security standards, evaluates it against configurable policies, and produces an attestation token for claims-based applications (e.g., relying parties, auditing authorities).

+For more information, see Azure Attestation [public documentation](../../attestation/overview.md).

+The infrastructure is designed to bring applications closer to users around the world, preserving data residency, and offering comprehensive compliance and resiliency options for customers. Azure has over 60 regions worldwide, and is available in 140 countries/regions.

+- **Visitor access.** Temporary access badges are stored within the access-controlled SOC and inventoried at the beginning and end of each shift. All visitors that have approved access to the datacenter are designated as *Escort Only* on their badges and are required to always remain with their escorts. Escorted visitors do not have any access levels granted to them and can only travel on the access of their escorts. The escort is responsible for reviewing the actions and access of their visitor during their visit to the datacenter. Microsoft requires visitors to surrender badges upon departure from any Microsoft facility. All visitor badges have their access levels removed before they are reused for future visits.

+- **Facility's perimeter.** When you arrive at a datacenter, you're required to go through a well-defined access point. Typically, tall fences made of steel and concrete encompass every inch of the perimeter. There are cameras around the datacenters, with a security team monitoring their videos at all times. Security guard patrols ensure entry and exit are restricted to designated areas. Bollards and other measures protect the datacenter exterior from potential threats, including unauthorized access.

+For a full list of compliance standards that Azure adheres to, see the [Compliance offerings](/azure/compliance/).

+1. Select the **Upload** button to open the upload blade and browse your local file system to find a file to upload as a block blob. You can optionally expand the **Advanced** section to configure other settings for the upload operation. You can, for example, upload a blob into a new or existing virtual folder or by supplying a value in the **Upload to folder** field.

+5. **NVMe Disk throughput**: Hyper-V NVMe Direct technology provides unthrottled access to local NVMe drives mapped securely into the guest VM space. Lsv3 NVMe disk throughput can go higher than the specified numbers, but higher performance isn't guaranteed. To achieve maximum performance, see how to optimize performance on the Lsv3-series [Windows-based VMs](../virtual-machines/windows/storage-performance.md) or [Linux-based VMs](../virtual-machines/linux/storage-performance.md). Read/write performance varies based on IO size, drive load, and capacity utilization.

+6. **Max burst uncached data disk throughput**: Lsv3-series VMs can [burst their disk performance](./disk-bursting.md) for up to 30 minutes at a time.