+If you're using Remote Desktop Gateway and the user is registered for OTP code along with Microsoft Authenticator push notifications, the user won't be able to meet the Azure AD MFA challenge and Remote Desktop Gateway sign-in will fail. In this case, you can set OVERRIDE_NUMBER_MATCHING_WITH_OTP = FALSE to fall back to push notifications with Microsoft Authenticator.

+> There are two open source ingress controllers for Kubernetes based on Nginx: one is maintained by the Kubernetes community ([kubernetes/ingress-nginx][nginx-ingress]), and one is maintained by NGINX, Inc. ([nginxinc/kubernetes-ingress]). This article uses the *Kubernetes community ingress controller*.

+ * For more information on configuring and using Helm, see [Install applications with Helm in AKS][use-helm]. For upgrade instructions, see the [Helm install docs][helm-install].

+* This article assumes you have an existing AKS cluster with an integrated Azure Container Registry (ACR). For more information on creating an AKS cluster with an integrated ACR, see [Authenticate with ACR from AKS][aks-integrated-acr].

+To use TLS with your own certificates with Secrets Store CSI Driver, you need an AKS cluster with the Secrets Store CSI Driver configured and an Azure Key Vault instance.

+For more information, see [Set up Secrets Store CSI Driver to enable NGINX Ingress Controller with TLS][aks-nginx-tls-secrets-store].

+> You can also import Helm charts into your ACR. For more information, see [Push and pull Helm charts to an ACR][acr-helm].

+You can configure your NGINX ingress controller using either a static public IP address or a dynamic public IP address. If you're using a custom domain, you need to add an A record to your DNS zone. If you're not using a custom domain, you can configure a fully qualified domain name (FQDN) for the ingress controller IP address.

+### Create a static or dynamic public IP address

+#### Use a static public IP address

+You can configure your ingress controller with a static public IP address. The static public IP address remains if you delete your ingress controller. The IP address *doesn't* remain if you delete your AKS cluster.

+When you upgrade your ingress controller, you must pass a parameter to the Helm release to ensure the ingress controller service is made aware of the load balancer that will be allocated to it. For the HTTPS certificates to work correctly, you use a DNS label to configure an FQDN for the ingress controller IP address.

+1. Get the resource group name of the AKS cluster with the [`az aks show`][az-aks-show] command.

+2. Create a public IP address with the *static* allocation method using the [`az network public-ip create`][az-network-public-ip-create] command. The following example creates a public IP address named *myAKSPublicIP* in the AKS cluster resource group obtained in the previous step.

+> [!NOTE]

+> Alternatively, you can create an IP address in a different resource group, which you can manage separately from your AKS cluster. If you create an IP address in a different resource group, ensure the following are true:

+>

+> * The cluster identity used by the AKS cluster has delegated permissions to the resource group, such as *Network Contributor*.

+> * Add the `--set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-resource-group"="<RESOURCE_GROUP>"` parameter. Replace `<RESOURCE_GROUP>` with the name of the resource group where the IP address resides.

+3. Add the `--set controller.service.annotations."service\.beta\.kubernetes\.io/azure-dns-label-name"="<DNS_LABEL>"` parameter. The DNS label can be set either when the ingress controller is first deployed, or it can be configured later.

+4. Add the `--set controller.service.loadBalancerIP="<STATIC_IP>"` parameter. Specify your own public IP address that was created in the previous step.

+```azurecli-interactive

+DNS_LABEL="<DNS_LABEL>"

+NAMESPACE="ingress-basic"

+STATIC_IP=<STATIC_IP>

+helm upgrade ingress-nginx ingress-nginx/ingress-nginx \

+ --namespace $NAMESPACE \

+ --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-dns-label-name"=$DNS_LABEL \

+ --set controller.service.loadBalancerIP=$STATIC_IP

+```

+1. Get the resource group name of the AKS cluster with the [`Get-AzAksCluster`][get-az-aks-cluster] command.

+2. Create a public IP address with the *static* allocation method using the [`New-AzPublicIpAddress`][new-az-public-ip-address] command. The following example creates a public IP address named *myAKSPublicIP* in the AKS cluster resource group obtained in the previous step.

+> Alternatively, you can create an IP address in a different resource group, which you can manage separately from your AKS cluster. If you create an IP address in a different resource group, ensure the following are true:

+3. Add the --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-dns-label-name"="<DNS_LABEL>" parameter. The DNS label can be set either when the ingress controller is first deployed, or it can be configured later.

+4. Add the --set controller.service.loadBalancerIP="<STATIC_IP>" parameter. Specify your own public IP address that was created in the previous step.

+```azurepowershell-interactive

+$DnsLabel = "<DNS_LABEL>"

+helm upgrade ingress-nginx ingress-nginx/ingress-nginx `

+#### Use a dynamic public IP address

+An Azure public IP address is created for your ingress controller upon creation. The public IP address is static for the lifespan of your ingress controller. The public IP address *doesn't* remain if you delete your ingress controller. If you create a new ingress controller, it will be assigned a new public IP address.

+Use the `kubectl get service` command to get the public IP address for your ingress controller.

+Your output should look similar to the following example output:

+If you're using a custom domain, you need to add an *A* record to your DNS zone. If you're not using a custom domain, you can configure the public IP address with an FQDN.

+Add an *A* record to your DNS zone with the external IP address of the NGINX service using [`az network dns record-set a add-record`][az-network-dns-record-set-a-add-record].

+Add an *A* record to your DNS zone with the external IP address of the NGINX service using [`New-AzDnsRecordSet`][new-az-dns-recordset-create-a-record].

+### Configure an FQDN for your ingress controller

+Optionally, you can configure an FQDN for the ingress controller IP address instead of a custom domain by setting a DNS label. Your FQDN should follow this form: `<CUSTOM LABEL>.<AZURE REGION NAME>.cloudapp.azure.com`. Your DNS label must be unique within its Azure location.

+You can configure your FQDN using one of the following methods:

+* Set the DNS label using Azure CLI or Azure PowerShell.

+* Set the DNS label using Helm chart settings.

+For more information, see [Public IP address DNS name labels](../virtual-network/ip-services/public-ip-addresses.md#dns-name-label).

+#### Set the DNS label using Azure CLI or Azure PowerShell

+#### Set the DNS label using Helm chart settings

+You can pass an annotation setting to your Helm chart configuration using the `--set controller.service.annotations."service\.beta\.kubernetes\.io/azure-dns-label-name"` parameter. This parameter can be set when the ingress controller is first deployed, or it can be configured later.

+DNS_LABEL="<DNS_LABEL>"

+helm upgrade ingress-nginx ingress-nginx/ingress-nginx \

+$DnsLabel = "<DNS_LABEL>"

+helm upgrade ingress-nginx ingress-nginx/ingress-nginx `

+Before certificates can be issued, cert-manager requires one of the following issuers:

+>

+Next, a certificate resource must be created. The certificate resource defines the desired X.509 certificate. For more information, see [cert-manager certificates][cert-manager-certificates].

+Cert-manager automatically creates a certificate object for you using ingress-shim, which is automatically deployed with cert-manager since v0.2.2. For more information, see the [ingress-shim documentation][ingress-shim].

+To verify that the certificate was created successfully, use the `kubectl get certificate --namespace ingress-basic` command and verify *READY* is *True*. It may take several minutes to get the output.

+To delete the entire sample namespace, use the `kubectl delete` command and specify your namespace name. All the resources in the namespace will be deleted.

+Alternatively, you can delete the resource individually.

+First, remove the cluster issuer resources.

+* [Helm CLI][helm-cli]

+* [NGINX ingress controller][nginx-ingress]

+* [cert-manager][cert-manager]

+* [Enable the HTTP application routing add-on][aks-http-app-routing]

+Your AKS cluster has regular maintenance performed on it automatically. By default, this work can happen at any time. Planned Maintenance allows you to schedule weekly maintenance windows to perform updates and minimize workload impact. Once scheduled, maintenance will occur only during the window you selected.

+You also need the *aks-preview* Azure CLI extension version 0.5.124 or later. Install the *aks-preview* Azure CLI extension by using the [az extension add][az-extension-add] command. Or install any available updates by using the [az extension update][az-extension-update] command.

+## Understanding maintenance window configuration types

+There are currently two available configuration types: `default` and `aksManagedAutoUpgradeSchedule`:

+- `default` corresponds to a basic configuration that will update your control plane and your kube-system pods on a virtual machine scale sets instance. It is a legacy configuration that is mostly suitable for basic scheduling of [weekly releases][release-tracker].

+- `aksManagedAutoUpgradeSchedule` is a more complex configuration that controls when upgrades scheduled by your designated auto-upgrade channel are performed. More finely controlled cadence and recurrence settings are possible. For more information on cluster auto-upgrade, see [Automatically an Azure Kubernetes Service (AKS) cluster][aks-upgrade].

+### Choosing between configuration types

+We recommend using `aksManagedAutoUpgradeSchedule` for all maintenance and upgrade scenarios, while `default` is meant exclusively for weekly releases. You can port `default` configurations to `aksManagedAutoUpgradeSchedule` configurations via the `az aks maintenanceconfiguration update` command.

+> [!NOTE]

+> When using auto-upgrade, to ensure proper functionality, use a maintenance window with a duration of four hours or more.

+## Creating a maintenance window

+To create a maintenance window, you can use the `az aks maintenanceconfiguration add` command using the `--name` value `default` or `aksManagedAutoUpgradeSchedule`. The name value should reflect the desired configuration type. Using any other name will cause your maintenance window not to run.

+Planned Maintenance windows are specified in Coordinated Universal Time (UTC).

+A `default` maintenance window has the following properties:

+|Name|Description|Default value|

+|--|--|--|

+|`timeInWeek`|In a `default` configuration, this property contains the `day` and `hourSlots` values defining a maintenance window|N/A|

+|`timeInWeek.day`|The day of the week to perform maintenance in a `default` configuration|N/A|

+|`timeInWeek.hourSlots`|A list of hour-long time slots to perform maintenance on a given day in a `default` configuration|N/A|

+|`notAllowedTime`|Specifies a range of dates that maintenance cannot run, determined by `start` and `end` child properties. Only applicable when creating the maintenance window using a config file|N/A|

+An `aksManagedAutoUpgradeSchedule` has the following properties:

+|Name|Description|Default value|

+|--|--|--|

+|`utcOffset`|Used to determine the timezone for cluster maintenance|`+00:00`|

+|`startDate`|The date on which the maintenance window will begin to take effect|The current date at creation time|

+|`startTime`|The time for maintenance to begin, based on the timezone determined by `utcOffset`|N/A|

+|`schedule`|Used to determine frequency. Three types are available: `Weekly`, `AbsoluteMonthly`, and `RelativeMonthly`|N/A|

+|`intervalWeeks`|The interval in weeks for maintenance runs|N/A|

+|`intervalMonths`|The interval in months for maintenance runs|N/A|

+|`dayOfWeek`|The specified day of the week for maintenance to begin|N/A|

+|`durationHours`|The duration of the window for maintenance to run|N/A|

+|`notAllowedDates`|Specifies a range of dates that maintenance cannot run, determined by `start` and `end` child properties. Only applicable when creating the maintenance window using a config file|N/A|

+### Understanding schedule types

+There are currently three available schedule types: `Weekly`, `AbsoluteMonthly`, and `RelativeMonthly`. These schedule types are only applicable to `aksManagedClusterAutoUpgrade` configurations.

+#### Weekly schedule

+A `Weekly` schedule may look like *"every two weeks on Friday"*:

+```json

+"schedule": {

+ "weekly": {

+ "intervalWeeks": 2,

+ "dayOfWeek": "Friday"

+ }

+}

+```

+#### AbsoluteMonthly schedule

+An `AbsoluteMonthly` schedule may look like *"every three months, on the first day of the month"*:

+```json

+"schedule": {

+ "absoluteMonthly": {

+ "intervalMonths": 3,

+ "dayOfMonth": 1

+ }

+}

+```

+#### RelativeMonthly schedule

+A `RelativeMonthly` schedule may look like *"every two months, on the last Monday"*:

+```json

+"schedule": {

+ "relativeMonthly": {

+ "intervalMonths": 2,

+ "dayOfWeek": "Monday",

+ "weekIndex": "Last"

+ }

+}

+```

+## Add a maintenance window configuration with Azure CLI

+The following example shows a command to add a new `default` configuration that schedules maintenance to run from 1:00am to 2:00am every Monday:

+az aks maintenanceconfiguration add -g myResourceGroup --cluster-name myAKSCluster --name default --weekday Monday --start-hour 1

+> [!NOTE]

+> When using a `default` configuration type, to allow maintenance anytime during a day omit the `--start-time` parameter.

+The following example shows a command to add a new `aksManagedAutoUpgradeSchedule` configuration that schedules maintenance to run every third Friday between 12:00 AM and 8:00 AM in the `UTC+5:30` timezone:

+```azurecli-interactive

+az aks maintenanceconfiguration add -g myResourceGroup --cluster-name myAKSCluster -n aksManagedAutoUpgradeSchedule --schedule-type Weekly --day-of-week Friday --interval-weeks 3 --duration 8 --utc-offset +05:30 --start-time 00:00

+```

+## Add a maintenance window configuration with a JSON file

+You can also use a JSON file create a maintenance configuration instead of using parameters. This method has the added benefit of allowing maintenance to be prevented during a range of dates, specified by `notAllowedTimes` for `default` configurations and `notAllowedDates` for `aksManagedAutoUpgradeSchedule` configurations.

+Create a `default.json` file with the following contents:

+ "day": "Tuesday",

+ "hour_slots": [

+ 1,

+ 2

+ ]

+ },

+ {

+ "day": "Wednesday",

+ "hour_slots": [

+ 1,

+ 6

+ "notAllowedTime": [

+ {

+ "start": "2021-05-26T03:00:00Z",

+ "end": "2021-05-30T12:00:00Z"

+ }

+ ]

+The above JSON file specifies maintenance windows every Tuesday at 1:00am - 3:00am and every Wednesday at 1:00am - 2:00am and at 6:00am - 7:00am in the `UTC` timezone. There is also an exception from *2021-05-26T03:00:00Z* to *2021-05-30T12:00:00Z* where maintenance isn't allowed even if it overlaps with a maintenance window.

+Create an `autoUpgradeWindow.json` file with the following contents:

+{

+ "properties": {

+ "maintenanceWindow": {

+ "schedule": {

+ "absoluteMonthly": {

+ "intervalMonths": 3,

+ "dayOfMonth": 1

+ }

+ },

+ "durationHours": 4,

+ "utcOffset": "-08:00",

+ "startTime": "09:00",

+ "notAllowedDates": [

+ {

+ "start": "2023-12-23",

+ "end": "2024-01-05"

+ }

+ }

+ }

+The above JSON file specifies maintenance windows every three months on the first of the month between 9:00 AM - 1:00 PM in the `UTC-08` timezone. There is also an exception from *2023-12-23* to *2024-01-05* where maintenance isn't allowed even if it overlaps with a maintenance window.

+The following command adds the maintenance windows from `default.json` and `autoUpgradeWindow.json`:

+az aks maintenanceconfiguration add -g myResourceGroup --cluster-name myAKSCluster --name default --config-file ./test.json

+az aks maintenanceconfiguration add -g myResourceGroup --cluster-name myAKSCluster --name aksManagedAutoUpgradeSchedule --config-file ./autoUpgradeWindow.json

+az aks maintenanceconfiguration update -g myResourceGroup --cluster-name myAKSCluster --name default --weekday Monday --start-hour 2

+az aks maintenanceconfiguration list -g myResourceGroup --cluster-name myAKSCluster

+az aks maintenanceconfiguration show -g myResourceGroup --cluster-name myAKSCluster --name aksManagedAutoUpgradeSchedule

+The following example output shows the maintenance window for *aksManagedAutoUpgradeSchedule*:

+ "id": "/subscriptions/<subscription>/resourceGroups/myResourceGroup/providers/Microsoft.ContainerService/managedClusters/myAKSCluster/maintenanceConfigurations/aksManagedAutoUpgradeSchedule",

+ "maintenanceWindow": {

+ "durationHours": 4,

+ "notAllowedDates": [

+ {

+ "end": "2024-01-05",

+ "start": "2023-12-23"

+ }

+ ],

+ "schedule": {

+ "absoluteMonthly": {

+ "dayOfMonth": 1,

+ "intervalMonths": 3

+ },

+ "daily": null,

+ "relativeMonthly": null,

+ "weekly": null

+ },

+ "startDate": "2023-01-20",

+ "startTime": "09:00",

+ "utcOffset": "-08:00"

+ },

+ "name": "aksManagedAutoUpgradeSchedule",

+ "resourceGroup": "myResourceGroup",

+ "timeInWeek": null,

+az aks maintenanceconfiguration delete -g MyResourceGroup --cluster-name myAKSCluster --name autoUpgradeSchedule

+[release-tracker]: release-tracker.md

+[auto-upgrade]: auto-upgrade-cluster.md

+ Title: Deploy Serverless Java Apps with Quarkus on Azure Functions

+description: Deploy Serverless Java Apps with Quarkus on Azure Functions

+ms.devlang: java

+# Deploy Serverless Java Apps with Quarkus on Azure Functions

+In this article, you'll develop, build, and deploy a serverless Java app with Quarkus on Azure Functions. This article uses Quarkus Funqy and its built-in support for Azure Functions HTTP trigger for Java. Using Quarkus with Azure Functions gives you the power of the Quarkus programming model with the scale and flexibility of Azure Functions. When you're finished, you'll run serverless [Quarkus](https://quarkus.io) applications on Azure Functions and continuing to monitor the application on Azure.

+## Prerequisites

+* [Azure CLI](/cli/azure/overview), installed on your own computer.

+* [An Azure Account](https://azure.microsoft.com/)

+* [Java JDK 17](/azure/developer/java/fundamentals/java-support-on-azure) with JAVA_HOME configured appropriately. This article was written with Java 17 in mind, but Azure functions and Quarkus support older versions of Java as well.

+* [Apache Maven 3.8.1+](https://maven.apache.org)

+## A first look at the sample application

+Clone the sample code for this guide. The sample is on [GitHub](https://github.com/Azure-Samples/quarkus-azure).

+```bash

+git clone https://github.com/Azure-Samples/quarkus-azure

+```

+Explore the sample function. Open the file *functions-quarkus/src/main/java/io/quarkus/GreetingFunction.java*. The `@Funq` annotation makes your method (e.g. `funqyHello`) a serverless function. Azure Functions Java has its own set of Azure-specific annotations, but these annotations are not necessary when using Quarkus on Azure Functions in a simple capacity as we're doing here. For more information on the Azure Functions Java annotations, see [Azure Functions Java developer guide](/azure/azure-functions/functions-reference-java).

+```java

+@Funq

+public String funqyHello() {

+ return "hello funqy";

+}

+```

+Unless you specify otherwise, the function's name is taken to be same as the method name. You can also define the function name with a parameter to the annotation, as shown here.

+```java

+@Funq("alternateName")

+public String funqyHello() {

+ return "hello funqy";

+}

+```

+The name is important: the name becomes a part of the REST URI to invoke the function, as shown later in the article.

+## Test the Serverless Function locally

+Use `mvn` to run `Quarkus Dev mode` on your local terminal. Running Quarkus in this way enables live reload with background compilation. When you modify your Java files and/or your resource files and refresh your browser, these changes will automatically take effect.

+A browser refresh triggers a scan of the workspace. If any changes are detected, the Java files are recompiled and the application is redeployed. Your redeployed application services the request. If there are any issues with compilation or deployment an error page will let you know.

+Replace `yourResourceGroupName` with a resource group name. Function app names must be globally unique across all of Azure. Resource group names must be globally unique within a subscription. This article achieves the necessary uniqueness by prepending the resource group name to the function name. For this reason, consider prepending some unique identifier to any names you create that must be unique. A useful technique is to use your initials followed by today's date in `mmdd` format. The resourceGroup is not necessary for this part of the instructions, but it's required later. For simplicity, the maven project requires the property be defined.

+1. Invoke Quarkus dev mode.

+ ```bash

+ cd functions-azure

+ mvn -DskipTests -DresourceGroup=<yourResourceGroupName> quarkus:dev

+ ```

+ The output should look like this.

+ ```output

+ ...

+ --/ __ \/ / / / _ | / _ \/ //_/ / / / __/

+ -/ /_/ / /_/ / __ |/ , _/ ,< / /_/ /\ \

+ --\___\_\____/_/ |_/_/|_/_/|_|\____/___/

+ INFO [io.quarkus] (Quarkus Main Thread) quarkus-azure-function 1.0-SNAPSHOT on JVM (powered by Quarkus xx.xx.xx.) started in 1.290s. Listening on: http://localhost:8080

+

+ INFO [io.quarkus] (Quarkus Main Thread) Profile dev activated. Live Coding activated.

+ INFO [io.quarkus] (Quarkus Main Thread) Installed features: [cdi, funqy-http, smallrye-context-propagation, vertx]

+

+ --

+ Tests paused

+ Press [r] to resume testing, [o] Toggle test output, [:] for the terminal, [h] for more options>

+ ```

+1. Access the function using the `CURL` command on your local terminal.

+ ```bash

+ curl localhost:8080/api/funqyHello

+ ```

+ The output should look like this.

+ ```output

+ "hello funqy"

+ ```

+### Add Dependency injection to function

+Dependency injection in Quarkus is provided by the open standard technology Jakarta EE Contexts and Dependency Injection (CDI). For a high level overview on injection in general, and CDI in specific, see the [Jakarta EE tutorial](https://eclipse-ee4j.github.io/jakartaee-tutorial/#injection).

+1. Add a new function that uses dependency injection

+ Create a *GreetingService.java* file in the *functions-quarkus/src/main/java/io/quarkus* directory. Make the source code of the file be the following.

+ ```java

+ package io.quarkus;

+ import javax.enterprise.context.ApplicationScoped;

+ @ApplicationScoped

+ public class GreetingService {

+ public String greeting(String name) {

+ return "Welcome to build Serverless Java with Quarkus on Azure Functions, " + name;

+ }

+

+ }

+ ```

+ Save the file.

+ `GreetingService` is an injectable bean that implements a `greeting()` method returning a string `Welcome...` message with a parameter `name`.

+1. Open the existing the *functions-quarkus/src/main/java/io/quarkus/GreetingFunction.java* file. Replace the class with the below code to add a new field `gService` and method `greeting`.

+ ```java

+ package io.quarkus;

+ import javax.inject.Inject;

+ import io.quarkus.funqy.Funq;

+ public class GreetingFunction {

+ @Inject

+ GreetingService gService;

+ @Funq

+ public String greeting(String name) {

+ return gService.greeting(name);

+ }

+ @Funq

+ public String funqyHello() {

+ return "hello funqy";

+ }

+ }

+ ```

+ Save the file.

+1. Access the new function `greeting` using the `CURL` command on your local terminal.

+ ```bash

+ curl -d '"Dan"' -X POST localhost:8080/api/greeting

+ ```

+ The output should look like this.

+ ```output

+ "Welcome to build Serverless Java with Quarkus on Azure Functions, Dan"

+ ```

+ > [!IMPORTANT]

+ > `Live Coding` (also referred to as dev mode) allows you to run the app and make changes on the fly. Quarkus will automatically re-compile and reload the app when changes are made. This is a powerful and efficient style of developing that you'll use throughout the tutorial.

+ Before moving forward to the next step, stop Quarkus Dev Mode by pressing `CTRL-C`.

+## Deploy the Serverless App to Azure Functions

+1. If you haven't already, sign in to your Azure subscription by using the [az login](/cli/azure/reference-index) command and follow the on-screen directions.

+ ```azurecli

+ az login

+ ```

+ > [!NOTE]

+ > If you've multiple Azure tenants associated with your Azure credentials, you must specify which tenant you want to sign in to. You can do this with the `--tenant` option. For example, `az login --tenant contoso.onmicrosoft.com`.

+ > Continue the process in the web browser. If no web browser is available or if the web browser fails to open, use device code flow with `az login --use-device-code`.

+ Once you've signed in successfully, the output on your local terminal should look similar to the following.

+ ```output

+ xxxxxxx-xxxxx-xxxx-xxxxx-xxxxxxxxx 'Microsoft'

+ [

+ {

+ "cloudName": "AzureCloud",

+ "homeTenantId": "xxxxxx-xxxx-xxxx-xxxx-xxxxxxx",

+ "id": "xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx",

+ "isDefault": true,

+ "managedByTenants": [],

+ "name": "Contoso account services",

+ "state": "Enabled",

+ "tenantId": "xxxxxxx-xxxx-xxxx-xxxxx-xxxxxxxxxx",

+ "user": {

+ "name": "user@contoso.com",

+ "type": "user"

+ }

+ }

+ ]

+ ```

+1. Build and deploy the functions to Azure

+ The *pom.xml* you generated in the previous step uses the `azure-functions-maven-plugin`. Running `mvn install` generates config files and a staging directory required by the `azure-functions-maven-plugin`. For `yourResourceGroupName`, use the value you used previously.

+ ```bash

+ mvn clean install -DskipTests -DtenantId=<your tenantId from shown previously> -DresourceGroup=<yourResourceGroupName> azure-functions:deploy

+ ```

+1. During deployment, sign in to Azure. The `azure-functions-maven-plugin` is configured to prompt for Azure sign in each time the project is deployed. Examine the build output. During the build, you'll see output similar to the following.

+ ```output

+ [INFO] Auth type: DEVICE_CODE

+ To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code AXCWTLGMP to authenticate.

+ ```

+ Do as the output says and authenticate to Azure using the browser and provided device code. Many other authentication and configuration options are available. The complete reference documentation for `azure-functions-maven-plugin` is available at [Azure Functions: Configuration Details](https://github.com/microsoft/azure-maven-plugins/wiki/Azure-Functions:-Configuration-Details).

+1. After authenticating, the build should continue and complete. The output should include `BUILD SUCCESS` near the end.

+ ```output

+ Successfully deployed the artifact to https://quarkus-demo-123451234.azurewebsites.net

+ ```

+ You can also find the `URL` to trigger your function on Azure in the output log.

+ ```output

+ [INFO] HTTP Trigger Urls:

+ [INFO] quarkus : https://quarkus-azure-functions-http-archetype-20220629204040017.azurewebsites.net/api/{*path}

+ ```

+ It will take a while for the deployment to complete. In the meantime, let's explore Azure Functions in the portal.

+## Access and Monitor the Serverless Function on Azure

+Sign in to the Portal and ensure you've selected the same tenant and subscription used in the Azure CLI. You can visit the portal at [https://aka.ms/publicportal](https://aka.ms/publicportal).

+1. Type `Function App` in the search bar at the top of the Azure portal and press Enter. Your function should be deployed and show up with the name `<yourResourceGroupName>-function-quarkus`.

+ :::image type="content" source="media/functions-create-first-quarkus/azure-function-app.png" alt-text="The function app in the portal":::

+ Select the `function name`. you'll see the function app's detail information such as **Location**, **Subscription**, **URL**, **Metrics**, and **App Service Plan**.

+1. In the detail page, select the `URL`.

+ :::image type="content" source="media/functions-create-first-quarkus/azure-function-app-detail.png" alt-text="The function app detail page in the portal":::

+ Then, you'll see if your function is "up and running" now.

+ :::image type="content" source="media/functions-create-first-quarkus/azure-function-app-ready.png" alt-text="The function welcome page":::

+1. Invoke the `greeting` function using `CURL` command on your local terminal.

+ > [!IMPORTANT]

+ > Replace `YOUR_HTTP_TRIGGER_URL` with your own function URL that you find in Azure portal or output.

+ ```bash

+ curl -d '"Dan on Azure"' -X POST https://YOUR_HTTP_TRIGGER_URL/api/greeting

+ ```

+ The output should look similar to the following.

+ ```output

+ "Welcome to build Serverless Java with Quarkus on Azure Functions, Dan on Azure"

+ ```

+ You can also access the other function (`funqyHello`).

+ ```bash

+ curl https://YOUR_HTTP_TRIGGER_URL/api/funqyHello

+ ```

+ The output should be the same as you observed above.

+ ```output

+ "hello funqy"

+ ```

+ If you want to exercise the basic metrics capability in the Azure portal, try invoking the function within a shell for loop, as shown here.

+ ```bash

+ for i in {1..100}; do curl -d '"Dan on Azure"' -X POST https://YOUR_HTTP_TRIGGER_URL/api/greeting; done

+ ```

+ After a while, you'll see some metrics data in the portal, as shown next.

+ :::image type="content" source="media/functions-create-first-quarkus/portal-metrics.png" alt-text="Function metrics in the portal":::

+ Now that you've opened your Azure function in the portal, here are some more features accessible from the portal.

+ * Monitor the performance of your Azure function. For more information, see [Monitoring Azure Functions](/azure/azure-functions/monitor-functions).

+ * Explore telemetry. For more information, see [Analyze Azure Functions telemetry in Application Insights](/azure/azure-functions/analyze-telemetry-data).

+ * Set up logging. For more information, see [Enable streaming execution logs in Azure Functions](/azure/azure-functions/streaming-logs).

+## Clean up resources

+If you don't need these resources, you can delete them by running the following command in the Cloud Shell or on your local terminal:

+```azurecli

+az group delete --name <yourResourceGroupName> --yes

+```

+## Next steps

+In this guide, you learned how to:

+> [!div class="checklist"]

+>

+> * Run Quarkus dev mode

+> * Deploy a Funqy app to Azure functions using the `azure-functions-maven-plugin`

+> * Examine the performance of the function in the portal

+To learn more about Azure Functions and Quarkus, see the following articles and references.

+* [Azure Functions Java developer guide](/azure/azure-functions/functions-reference-java)

+* [Quickstart: Create a Java function in Azure using Visual Studio Code](/azure/azure-functions/create-first-function-vs-code-java)

+* [Azure Functions documentation](/azure/azure-functions/)

+* [Quarkus guide to deploying on Azure](https://quarkus.io/guides/deploying-to-azure-cloud)

+[Azure Functions](./functions-overview.md) allows you to implement your system's logic as event-driven, readily available blocks of code. These code blocks are called "functions".

+| **Create your first function** | Using one of the following tools:<br><br><li>[Eclipse](./functions-create-maven-eclipse.md)<li>[Gradle](./functions-create-first-java-gradle.md)<li>[IntelliJ IDEA](./functions-create-maven-intellij.md)<li>[Maven with terminal/command prompt](./create-first-function-cli-java.md)<li>[Spring Cloud](/azure/developer/jav) |

+## Frequently asked questions

+**When will STIG-compliant VMs reach general availability (GA)?** </br>

+The Azure STIG-compliant VM offering is expected to remain in Preview instead of reaching GA because of the release cadence for DISA STIGs. Every quarter, the offering is upgraded with latest guidance, and this process is expected to continue in the future. See previous section for support options that most customers require for production workloads, including creating support tickets.

+**Can Azure Update Management be used with STIG images?** </br>

+Yes, [Update Management](../automation/update-management/overview.md) in Azure Automation supports STIG images.

+## Frequently asked questions

+**When will STIG-compliant VMs reach general availability (GA)?** </br>

+The Azure STIG-compliant VM offering is expected to remain in Preview instead of reaching GA because of the release cadence for DISA STIGs. Every quarter, the offering is upgraded with latest guidance, and this process is expected to continue in the future. See previous section for support options that most customers require for production workloads, including creating support tickets.

+**Can Azure Update Management be used with STIG images?** </br>

+Yes, [Update Management](../automation/update-management/overview.md) in Azure Automation supports STIG images.

+| Nov-Dec 2022 | <ul><li>Support for air-gapped clouds added for [Windows MSI installer for clients](./azure-monitor-agent-windows-client.md) </li><li>Reliability improvements for using AMA with Custom Metrics destination</li><li>Performance and internal logging improvements</li></ul> | 1.11.0.0 | None |

+#### monitoringService = Actual Cost Budget

+**Sample values**

+```json

+{

+ "schemaId": "azureMonitorCommonAlertSchema",

+ "data": {

+ "essentials": {

+ "monitoringService": "CostAlerts",

+ "firedDateTime": "2022-12-07T21:13:20.645Z",

+ "description": "Your spend for budget Test_actual_cost_budget is now $11,111.00 exceeding your specified threshold $25.00.",

+ "essentialsVersion": "1.0",

+ "alertContextVersion": "1.0",

+ "alertId": "/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.CostManagement/alerts/Test_Alert",

+ "alertRule": null,

+ "severity": null,

+ "signalType": null,

+ "monitorCondition": null,

+ "alertTargetIDs": null,

+ "configurationItems": ["budgets"],

+ "originAlertId": null

+ },

+ "alertContext": {

+ "AlertCategory": "budgets",

+ "AlertData": {

+ "Scope": "/subscriptions/11111111-1111-1111-1111-111111111111/",

+ "ThresholdType": "Actual",

+ "BudgetType": "Cost",

+ "BudgetThreshold": "$50.00",

+ "NotificationThresholdAmount": "$25.00",

+ "BudgetName": "Test_actual_cost_budget",

+ "BudgetId": "/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Consumption/budgets/Test_actual_cost_budget",

+ "BudgetStartDate": "2022-11-01",

+ "BudgetCreator": "test@sample.test",

+ "Unit": "USD",

+ "SpentAmount": "$11,111.00"

+ }

+ }

+ }

+}

+```

+#### monitoringService = Forecasted Budget

+**Sample values**

+```json

+{

+ "schemaId": "azureMonitorCommonAlertSchema",

+ "data": {

+ "essentials": {

+ "monitoringService": "CostAlerts",

+ "firedDateTime": "2022-12-07T21:13:29.576Z",

+ "description": "The total spend for your budget, Test_forcasted_budget, is forecasted to reach $1111.11 before the end of the period. This amount exceeds your specified budget threshold of $50.00.",

+ "essentialsVersion": "1.0",

+ "alertContextVersion": "1.0",

+ "alertId": "/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.CostManagement/alerts/Test_Alert",

+ "alertRule": null,

+ "severity": null,

+ "signalType": null,

+ "monitorCondition": null,

+ "alertTargetIDs": null,

+ "configurationItems": ["budgets"],

+ "originAlertId": null

+ },

+ "alertContext": {

+ "AlertCategory": "budgets",

+ "AlertData": {

+ "Scope": "/subscriptions/11111111-1111-1111-1111-111111111111/",

+ "ThresholdType": "Forecasted",

+ "BudgetType": "Cost",

+ "BudgetThreshold": "$50.00",

+ "NotificationThresholdAmount": "$50.00",

+ "BudgetName": "Test_forcasted_budget",

+ "BudgetId": "/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Consumption/budgets/Test_forcasted_budget",

+ "BudgetStartDate": "2022-11-01",

+ "BudgetCreator": "test@sample.test",

+ "Unit": "USD",

+ "SpentAmount": "$999.99",

+ "ForecastedTotalForPeriod": "$1111.11"

+ }

+ }

+ }

+}

+```

+#### `monitoringService` = `Actual Cost Budget` or `Forecasted Budget`

+**Sample values**

+```json

+{

+ "schemaId": "AIP Budget Notification",

+ "data": {

+ "SubscriptionName": "test-subscription",

+ "SubscriptionId": "11111111-1111-1111-1111-111111111111",

+ "EnrollmentNumber": "",

+ "DepartmentName": "test-budgetDepartmentName",

+ "AccountName": "test-budgetAccountName",

+ "BillingAccountId": "",

+ "BillingProfileId": "",

+ "InvoiceSectionId": "",

+ "ResourceGroup": "test-RG",

+ "SpendingAmount": "1111.32",

+ "BudgetStartDate": "2023-01-20T23:49:40.216Z",

+ "Budget": "10000",

+ "Unit": "USD",

+ "BudgetCreator": "email@domain.com",

+ "BudgetName": "test-budgetName",

+ "BudgetType": "Cost",

+ "NotificationThresholdAmount": "8000.0"

+ }

+}

+```

+|valueCount|int|ItemCount|int|

+1. List all data sources connected to the workspace using the [Data Sources - List By Workspace API](/rest/api/loganalytics/data-sources/list-by-workspace?tabs=HTTP#code-try-0) and filter for activity logs by setting `kind eq 'AzureActivityLog'`.

+Azure Monitor managed service for Prometheus supports recording rules and alert rules using PromQL queries. Metrics recorded by recording rules are stored back in the Azure Monitor workspace and can be queried by dashboard or by other rules. Alert rules and recording rules can be created and managed using [Azure Managed Prometheus rule groups](prometheus-rule-groups.md). For your AKS cluster, a set of [predefined Prometheus alert rules](../containers/container-insights-metric-alerts.md) and [recording rules](./prometheus-metrics-scrape-default.md#recording-rules) is provided to allow easy quick start.

+Alerts fired by alert rules can trigger actions or notifications, as defined in the [action groups](../alerts/action-groups.md) configured for the alert rule. You can also view fired and resolved Prometheus alerts in the Azure portal along with other alert types.

+- [Customize scraping of Prometheus metrics](prometheus-metrics-scrape-configuration.md).

+ 1. For Network policy for private endpoints, select **edit** if you want to apply Network security groups and/or Route tables to the subnet that contains the private endpoint. In **Edit subnet network policy**, select the checkbox next to **Network security groups** and **Route Tables**. Select **Save**.

+

+ For more information, see [Manage network policies for private endpoints](../../private-link/disable-private-endpoint-network-policy.md).

+ 1. For Private IP configuration, by default, **Dynamically allocate IP address** is selected. If you want to assign a static IP address, select **Statically allocate IP address** and then enter a **Name** and **Private IP**.

+ 1. Optionally, you can select or create an **Application security group**. Application security groups allow you to group virtual machines and define network security policies based on those groups.

+> Permissions below apply to NSX-T's Policy API. Manager API functionality may be limited.

+ Title: Game development with Azure Cognitive Service for Speech - Speech service

+description: Concepts for game development with Azure Cognitive Service for Speech.

+# Game development with Azure Cognitive Service for Speech

+Azure Cognitive Services for Speech can be used to improve various gaming scenarios, both in- and out-of-game.

+Here are a few Speech features to consider for flexible and interactive game experiences:

+- Bring everyone into the conversation by synthesizing audio from text. Or by displaying text from audio.

+- Make the game more accessible for players who are unable to read text in a particular language, including young players who haven't learned to read and write. Players can listen to storylines and instructions in their preferred language.

+- Create game avatars and non-playable characters (NPC) that can initiate or participate in a conversation in-game.

+- Prebuilt neural voice can provide highly natural out-of-box voices with leading voice variety in terms of a large portfolio of languages and voices.

+- Custom neural voice for creating a voice that stays on-brand with consistent quality and speaking style. You can add emotions, accents, nuances, laughter, and other para linguistic sounds and expressions.

+- Use game dialogue prototyping to shorten the amount of time and money spent in product to get the game to market sooner. You can rapidly swap lines of dialog and listen to variations in real-time to iterate the game content.

+You can use the [Speech SDK](speech-sdk.md) or [Speech CLI](spx-overview.md) for real-time low latency speech-to-text, text-to-speech, language identification, and speech translation. You can also use the [Batch transcription API](batch-transcription.md) to transcribe pre-recorded speech to text. To synthesize a large volume of text input (long and short) to speech, use the [Batch synthesis API](batch-synthesis.md).

+For information about locale and regional availability, see [Language and voice support](language-support.md) and [Region support](regions.md).

+## Text-to-speech

+Help bring everyone into the conversation by converting text messages to audio using [Text-to-Speech](text-to-speech.md) for scenarios, such as game dialogue prototyping, greater accessibility, or non-playable character (NPC) voices. Text-to-Speech includes [prebuilt neural voice](language-support.md?tabs=tts#prebuilt-neural-voices) and [custom neural voice](language-support.md?tabs=tts#custom-neural-voice) features. Prebuilt neural voice can provide highly natural out-of-box voices with leading voice variety in terms of a large portfolio of languages and voices. Custom neural voice is an easy-to-use self-service for creating a highly natural custom voice.

+When enabling this functionality in your game, keep in mind the following benefits:

+- Voices and languages supported - A large portfolio of [locales and voices](language-support.md?tabs=tts#supported-languages) are supported. You can also [specify multiple languages](speech-synthesis-markup-voice.md#adjust-speaking-languages) for Text-to-Speech output. For [custom neural voice](custom-neural-voice.md), you can [choose to create](how-to-custom-voice-create-voice.md?tabs=neural#choose-a-training-method) different languages from single language training data.

+- Emotional styles supported - [Emotional tones](language-support.md?tabs=tts#voice-styles-and-roles), such as cheerful, angry, sad, excited, hopeful, friendly, unfriendly, terrified, shouting, and whispering. You can [adjust the speaking style](speech-synthesis-markup-voice.md#speaking-styles-and-roles), style degree, and role at the sentence level.

+- Visemes supported - You can use visemes during real-time synthesizing to control the movement of 2D and 3D avatar models, so that the mouth movements are perfectly matched to synthetic speech. For more information, see [Get facial position with viseme](how-to-speech-synthesis-viseme.md).

+- Fine-tuning Text-to-Speech output with Speech Synthesis Markup Language (SSML) - With SSML, you can customize Text-to-Speech outputs, with richer voice tuning supports. For more information, see [Speech Synthesis Markup Language (SSML) overview](speech-synthesis-markup.md).

+- Audio outputs - Each prebuilt neural voice model is available at 24 kHz and high-fidelity 48 kHz. If you select 48-kHz output format, the high-fidelity voice model with 48 kHz will be invoked accordingly. The sample rates other than 24 kHz and 48 kHz can be obtained through upsampling or downsampling when synthesizing. For example, 44.1 kHz is downsampled from 48 kHz. Each audio format incorporates a bitrate and encoding type. For more information, see the [supported audio formats](rest-text-to-speech.md?tabs=streaming#audio-outputs). For more information on 48-kHz high-quality voices, see [this introduction blog](https://techcommunity.microsoft.com/t5/ai-cognitive-services-blog/azure-neural-tts-voices-upgraded-to-48khz-with-hifinet2-vocoder/ba-p/3665252).

+For an example, see the [Text-to-speech quickstart](get-started-text-to-speech.md).

+## Speech-to-text

+You can use [speech-to-text](speech-to-text.md) to display text from the spoken audio in your game. For an example, see the [Speech-to-text quickstart](get-started-speech-to-text.md).

+## Language identification

+With [language identification](language-identification.md), you can detect the language of the chat string submitted by the player.

+## Speech translation

+It's not unusual that players in the same game session natively speak different languages and may appreciate receiving both the original message and its translation. You can use [speech translation](speech-translation.md) to translate text between languages so players across the world can communicate with each other in their native language.

+For an example, see the [Speech translation quickstart](get-started-speech-translation.md).

+> [!NOTE]

+> Besides the Speech service, you can also use the [Translator service](/azure/cognitive-services/translator/translator-overview). To execute text translation between supported source and target languages in real time see [Text translation](/azure/cognitive-services/translator/text-translation-overview).

+## Next steps

+* [Text-to-speech quickstart](get-started-text-to-speech.md)

+* [Speech-to-text quickstart](get-started-speech-to-text.md)

+* [Speech translation quickstart](get-started-speech-translation.md)

+**Recent and pinned views are available by default in the cost analysis preview.** Use the **How would you rate the cost analysis preview?** option at the bottom of the page to share feedback.

+1. Review the list of custom policies already created in your organization, and select **Add** to assign a policy to your subscription.

+If there isn't an initiative in the list that meets your needs, you can create one.

+**To create a new custom initiative**:

+1. Select **Create new**.

+1. Enter the definition's location and custom name.

+ > [!NOTE]

+ > Custom initiatives shouldn't have the same name as other initiatives (custom or built-in). If you create a custom initiative with the the same name, it will cause a conflict in the information displayed in the dashboard.

+1. Select the policies to include and select **Add**.

+1. Enter any desired parameters.

+1. Select **Save**.

+1. In the Add custom initiatives page, select refresh. Your new initiative will be available.

+1. Select **Add** and assign it to your subscription.

+ Your new initiative takes effect and you can see the results in the following two ways:

+Here's another example of a custom policy including the metadata/securityCenter property:

+To view the effect rules on specific scope, use the ΓÇ£scopeΓÇ¥ filter and select a desired scope.

+Conflicting rules are applied in priority order. For example, rules on a management scope, (Azure management groups, AWS master accents and GCP organizations) take effect before rules on scopes (for example, Azure subscriptions, AWS accounts, or GCP projects).

+ Title: "Quickstart: Your first .NET query"

+description: In this quickstart, you follow the steps to enable the Resource Graph NuGet packages for .NET and run your first query.

+# Quickstart: Run your first Resource Graph query using .NET

+The first step to using Azure Resource Graph is to check that the required NuGet packages are installed. This quickstart walks you through the process of adding the packages to your .NET application.

+At the end of this process, you'll have added the packages to your .NET application and run your first Resource Graph query.

+- [.NET SDK 6.0 or later](https://dotnet.microsoft.com/download/dotnet)

+ [free](https://azure.microsoft.com/free/dotnet/) account before you begin.

+ Skip the step to install the NuGet packages, as we'll do that in the next steps.

+To enable .NET to query Azure Resource Graph, create a new console application and install the

+1. Create a new .NET console application named "argQuery":

+1. Change directories into the new project folder. Install the packages for the Azure Resource Graph and Azure Identity client libraries:

+ dotnet add package Azure.ResourceManager.ResourceGraph

+ dotnet add package Azure.Identity

+ ```csharp

+ using Azure.Identity;

+ using Azure.ResourceManager;

+ using Azure.ResourceManager.ResourceGraph;

+ using Azure.ResourceManager.ResourceGraph.Models;

+

+ string strTenant = args[0];

+ string strClientId = args[1];

+ string strClientSecret = args[2];

+ string strQuery = args[3];

+

+ var client = new ArmClient(

+ new ClientSecretCredential(strTenant, strClientId, strClientSecret));

+ var tenant = client.GetTenants().First();

+ //Console.WriteLine($"{tenant.Id} {tenant.HasData}");

+ var queryContent = new ResourceQueryContent(strQuery);

+ var response = tenant.GetResources(queryContent);

+ var result = response.Value;

+ Console.WriteLine($"Count: {result.Data.ToString()}");

+ ```

+With the .NET console application built and published, it's time to try out a simple

+In each call to `argQuery`, replace the variables with your own values:

+1. Run your first Azure Resource Graph query using the compiled .NET console application:

+If you wish to remove the .NET console application and installed packages, you can do so by

+In this quickstart, you've created a .NET console application with the required Resource Graph

+For example, the following commands create a GPU-enabled virtual machine with either an NVIDIA A2 GPU or Intel Iris Xe Graphics card.

+#Deploys EFLOW with NVIDIA A2 assigned to the EFLOW VM

+Deploy-Eflow -gpuPassthroughType DirectDeviceAssignment -gpuCount 1 -gpuName "NVIDIA A2"

+#Deploys EFLOW with Intel(R) Iris(R) Xe Graphics assigned to the EFLOW VM

+Deploy-Eflow -gpuPassthroughType ParaVirtualization -gpuCount 1 -gpuName ΓÇ£Intel(R) Iris(R) Xe GraphicsΓÇ¥

+```

+To find the name of your GPU, you can run the following command or look for Display adapters in Device Manager.

+```powershell

+(Get-WmiObject win32_VideoController).caption

+## Configure GPU acceleration in an existing Azure IoT Edge Linux on Windows deployment

+Assigning the GPU at deployment time will result in the most straightforward experience. However, to enable or disable the GPU after deployment use the 'set-eflowvm' command. When using 'set-eflowvm' the default parameter will be used for any argument not specified. For example,

+```powershell

+#Deploys EFLOW without a GPU assigned to the EFLOW VM

+Deploy-Eflow -cpuCount 4 -memoryInMB 16384

+#Assigns NVIDIA A2 GPU to the existing deployment (cpu and memory must still be specified, otherwise they will be set to the default values)

+Set-EflowVM -cpuCount 4 -memoryInMB 16384 -gpuName "NVIDIA A2" -gpuPassthroughType DirectDeviceAssignment -gpuCount 1

+#Reduces the cpuCount and memory (GPU must still be specified, otherwise the GPU will be removed)

+Set-EflowVM -cpuCount 2 -memoryInMB 4096 -gpuName "NVIDIA A2" -gpuPassthroughType DirectDeviceAssignment -gpuCount 1

+#Removes NVIDIA A2 GPU from the existing deployment

+Set-EflowVM -cpuCount 2 -memoryInMB 4096

+```

+### Get Started with Samples

+Visit our [EFLOW Samples Page](https://github.com/Azure/iotedge-eflow/tree/main/samples) to discover several GPU samples which you can try and use. These samples illustrate common manufacturing and retail scenarios such as defect detection, worker safety, and inventory management. Thee open-source samples can serve as a solution template for building your own vision-based machine learning application.

+### Learn More from our Partners

+Several GPU vendors have provided user guides on getting the most of their hardware and software with EFLOW.

+* Learn how to run Intel OpenVINOΓäó applications on EFLOW by following [Intel's guide on iGPU with Azure IoT Edge for Linux on Windows (EFLOW) & OpenVINOΓäó Toolkit](https://community.intel.com/t5/Blogs/Tech-Innovation/Artificial-Intelligence-AI/Witness-the-power-of-Intel-iGPU-with-Azure-IoT-Edge-for-Linux-on/post/1382405) and [reference implementations](https://www.intel.com/content/www/us/en/developer/articles/technical/deploy-reference-implementation-to-azure-iot-eflow.html).

+* Get started with deploying CUDA-accelerated applications on EFLOW by following [NVIDIA's EFLOW User Guide for GeForce/Quadro/RTX GPUs](https://docs.nvidia.com/cuda/eflow-users-guide/https://docsupdatetracker.net/index.html).

+> [!NOTE]

+> This guide does not cover DDA-based GPUs such as NVIDIA T4 or A2.

+### Dive into the Technology

+Learn more about GPU passthrough technologies by visiting the [DDA documentation](/windows-server/virtualization/hyper-v/plan/plan-for-gpu-acceleration-in-windows-server#discrete-device-assignment-dda) and [GPU-PV blog post](https://devblogs.microsoft.com/directx/directx-heart-linux/#gpu-virtualization).

+1. Identify the folder where your MLflow model is placed.

+ a. Go to [Azure Machine Learning portal](https://ml.azure.com).

+ b. Go to the section __Models__.

+ c. Select the model you are trying to deploy and click on the tab __Artifacts__.

+ d. Take note of the folder that is displayed. This folder was indicated when the model was registered.

+ :::image type="content" source="media/how-to-deploy-mlflow-models-online-endpoints/mlflow-model-folder-name.png" lightbox="media/how-to-deploy-mlflow-models-online-endpoints/mlflow-model-folder-name.png" alt-text="Screenshot showing the folder where the model artifacts are placed.":::

+1. Create a scoring script. Notice how the folder name `model` you identified before has been included in the `init()` function.

+1. Identify the folder where your MLflow model is placed.

+ a. Go to [Azure Machine Learning portal](https://ml.azure.com).

+ b. Go to the section __Models__.

+ c. Select the model you are trying to deploy and click on the tab __Artifacts__.

+ d. Take note of the folder that is displayed. This folder was indicated when the model was registered.

+ :::image type="content" source="media/how-to-deploy-mlflow-models-online-endpoints/mlflow-model-folder-name.png" lightbox="media/how-to-deploy-mlflow-models-online-endpoints/mlflow-model-folder-name.png" alt-text="Screenshot showing the folder where the model artifacts are placed.":::

+1. Create a scoring script. Notice how the folder name `model` you identified before has been included in the `init()` function.

+ Title: Introduction to NSG Diagnostics in Azure Network Watcher

+description: Learn about Network Security Group (NSG) Diagnostics tool in Azure Network Watcher

+The Network Security Group (NSG) Diagnostics is an Azure Network Watcher tool that helps you understand which network traffic is allowed or denied in your Azure Virtual Network along with detailed information for debugging. It can help you in understanding if your NSG rules are configured correctly.

+> [!NOTE]

+> To use NSG Diagnostics, Network Watcher must be enabled in your subscription. See [Create an Azure Network Watcher instance](./network-watcher-create.md) to enable.

+- Your resources in Azure are connected via [virtual networks (VNets)](../virtual-network/virtual-networks-overview.md) and subnets. The security of these VNets and subnets can be managed using [network security groups (NSGs)](../virtual-network/network-security-groups-overview.md).

+- An NSG contains a list of [security rules](../virtual-network/network-security-groups-overview.md#security-rules) that allow or deny network traffic to resources it's connected to. An NSG can be associated to a virtual network subnet or individual network interface (NIC) attached to a virtual machine (VM).

+- Rules are evaluated based on priority number from lowest to highest.

+For a given flow, after you provide details like source and destination, the NSG Diagnostics tool runs a simulation of the flow and returns whether the flow would be allowed or denied with detailed information about the security rule allowing or denying the flow.

+Antimalware protection helps identify and remove viruses, spyware, and other malicious software. You can install [Microsoft Antimalware](../fundamentals/antimalware.md) or a Microsoft partner's endpoint protection solution ([Trend Micro](https://www.trendmicro.com/azure/), [Broadcom](https://www.broadcom.com/products), [McAfee](https://www.mcafee.com/us/products.aspx), [Microsoft Defender Antivirus in Windows](/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10), and [Endpoint Protection](/configmgr/protect/deploy-use/endpoint-protection)).

+You can build a picture of the attack surface by scanning the application. Microsoft offers an attack surface analysis tool called [Attack Surface Analyzer](https://www.microsoft.com/download/details.aspx?id=58105). You can choose from many commercial dynamic testing and vulnerability scanning tools or services, including [OWASP Zed Attack Proxy Project](https://owasp.org/www-project-zap/), [Arachni](http://arachni-scanner.com/), and [w3af](http://w3af.sourceforge.net/). These scanning tools crawl your app and map the parts of the application that are accessible over the web. You can also search the Azure Marketplace for similar [developer tools](https://azuremarketplace.microsoft.com/marketplace/apps/category/developer-tools?page=1).

+[Azure Tenant Security Solution (AzTS)](https://github.com/azsk/AzTS-docs/#readme) from the Secure DevOps Kit for Azure (AzSK) contains SVTs for multiple services of the Azure platform. You run these SVTs periodically to ensure that your Azure subscription and the different resources that comprise your application are in a secure state. You can also automate these tests by using the continuous integration/continuous deployment (CI/CD) extensions feature of AzSK, which makes SVTs available as a Visual Studio extension.

+- In transit: When data is being transferred between components, locations, or programs, it's in transit. Examples are transfer over the network, across a service bus (from on-premises to cloud and vice-versa, including hybrid connections such as ExpressRoute), or during an input/output process.

+**Detail**: Use Azure RBAC predefined roles. For example, to grant access to a user to manage key vaults, you would assign the predefined role [Key Vault Contributor](../../role-based-access-control/built-in-roles.md#key-vault-contributor) to this user at a specific scope. The scope in this case would be a subscription, a resource group, or just a specific key vault. If the predefined roles don't fit your needs, you can [define your own roles](../../role-based-access-control/custom-roles.md).

+**Best practice**: Store certificates in your key vault. Your certificates are of high value. In the wrong hands, your application's security or the security of your data can be compromised.

+Because the vast majority of attacks target the end user, the endpoint becomes one of the primary points of attack. An attacker who compromises the endpoint can use the user's credentials to gain access to the organization's data. Most endpoint attacks take advantage of the fact that users are administrators in their local workstations.

+[Data encryption at rest](encryption-atrest.md) is a mandatory step toward data privacy, compliance, and data sovereignty.

+Organizations that don't enforce data encryption are more exposed to data-confidentiality issues. For example, unauthorized or rogue users might steal data in compromised accounts or gain unauthorized access to data coded in Clear Format. Companies also must prove that they are diligent and using correct security controls to enhance their data security in order to comply with industry regulations.

+For data moving between your on-premises infrastructure and Azure, consider appropriate safeguards such as HTTPS or VPN. When sending encrypted traffic between an Azure virtual network and an on-premises location over the public internet, use [Azure VPN Gateway](../../vpn-gateway/vpn-gateway-about-vpngateways.md).

+**Detail**: All transactions occur via HTTPS. You can also use [Storage REST API](/rest/api/storageservices/) over HTTPS to interact with [Azure Storage](../../storage/common/storage-introduction.md).

+You want to control and secure email, documents, and sensitive data that you share outside your company. [Azure Information Protection](/azure/information-protection/what-is-information-protection) is a cloud-based solution that helps an organization to classify, label, and protect its documents and emails. This can be done automatically by administrators who define rules and conditions, manually by users, or a combination where users get recommendations.

+Classification is identifiable at all times, regardless of where the data is stored or with whom it's shared. The labels include visual markings such as a header, footer, or watermark. Metadata is added to files and email headers in clear text. The clear text ensures that other services, such as solutions to prevent data loss, can identify the classification and take appropriate action.

+The protection technology uses Azure Rights Management (Azure RMS). This technology is integrated with other Microsoft cloud services and applications, such as Microsoft 365 and Azure Active Directory. This protection technology uses encryption, identity, and authorization policies. Protection that is applied through Azure RMS stays with the documents and emails, independently of the location-inside or outside your organization, networks, file servers, and applications.

+This information protection solution keeps you in control of your data, even when it's shared with other people. You can also use Azure RMS with your own line-of-business applications and information protection solutions from software vendors, whether these applications and solutions are on-premises or in the cloud.

+- Apply labels that reflect your business requirements. For example: Apply a label named "highly confidential" to all documents and emails that contain top-secret data, to classify and protect this data. Then, only authorized users can access this data, with any restrictions that you specify.

+See [Azure security best practices and patterns](best-practices-and-patterns.md) for more security best practices to use when you're designing, deploying, and managing your cloud solutions by using Azure.

+Azure keeps your data durable in two locations. You can choose the location of the backup site. In the primary location, Azure constantly maintains three healthy replicas of your data.

+Azure Active Directory Multi-Factor Authentication is a method of authentication that requires the use of more than one verification method. It adds a critical second layer of security to user sign-ins and transactions.

+* [Multi-Factor Authentication](../../active-directory/authentication/overview-authentication.md#azure-ad-multi-factor-authentication)

+* [Start using Privileged Identity Management](../../active-directory/privileged-identity-management/pim-getting-started.md)

+* [Azure Active Directory Identity Protection](../../active-directory/identity-protection/concept-identity-protection-security-overview.md)

+ - Your organization's security needs.

+ - Any industry or regulatory standards or benchmarks you apply to your subscriptions.

+* [Introduction to Microsoft Defender for Cloud](../../defender-for-cloud/defender-for-cloud-introduction.md)

+* [Improve your secure score in Microsoft Defender for Cloud](../../defender-for-cloud/secure-score-security-controls.md)

+- Accelerate innovation with the cloud

+- Power business decisions & apps with insights

+- Build freely and deploy anywhere

+- Protect their business

+Microsoft identity and access management solutions help IT protect access to applications and resources across the corporate datacenter and into the cloud, enabling additional levels of validation such as multi-factor authentication and Conditional Access policies. Monitoring suspicious activity through advanced security reporting, auditing and alerting helps mitigate potential security issues. [Azure Active Directory Premium](../../active-directory/fundamentals/active-directory-get-started-premium.md) provides single sign-on to thousands of cloud apps and access to web apps you run on-premises.

+[Single sign-on (SSO)](../../active-directory/manage-apps/what-is-single-sign-on.md) means being able to access all the applications and resources that you need to do business, by signing in only once using a single user account. Once signed in, you can access all the applications you need without being required to authenticate (for example, type a password) a second time.

+Azure AD extends on-premises Active Directory into the cloud, enabling users to use their primary organizational account to not only sign in to their domain-joined devices and company resources, but also all the web and SaaS applications needed for their job.

+Not only do users not have to manage multiple sets of usernames and passwords, application access can be automatically provisioned or de-provisioned based on organizational groups and their status as an employee. Azure AD introduces security and access governance controls that enable you to centrally manage users' access across SaaS applications.

+[Azure AD Multi-Factor Authentication (MFA)](../../active-directory/authentication/overview-authentication.md#azure-ad-multi-factor-authentication) is a method of authentication that requires the use of more than one verification method and adds a critical second layer of security to user sign-ins and transactions. [MFA helps safeguard](../../active-directory/authentication/concept-mfa-howitworks.md) access to data and applications while meeting user demand for a simple sign-in process. It delivers strong authentication via a range of verification optionsΓÇöphone call, text message, or mobile app notification or verification code and third-party OAuth tokens.

+[Azure Active Directory B2C](../../active-directory-b2c/overview.md) is a highly available, global, identity management service for consumer-facing applications that scales to hundreds of millions of identities. It can be integrated across mobile and web platforms. Your consumers can log on to all your applications through customizable experiences by using their existing social accounts or by creating new credentials.

+In the past, application developers who wanted to sign up and sign in consumers into their applications would have written their own code. And they would have used on-premises databases or systems to store usernames and passwords. Azure Active Directory B2C offers your organization a better way to integrate consumer identity management into applications with the help of a secure, standards-based platform, and a large set of extensible policies.

+Access control in Azure starts from a billing perspective. The owner of an Azure account, accessed by visiting the Azure portal, is the Account Administrator (AA). Subscriptions are a container for billing, but they also act as a security boundary: each subscription has a Service Administrator (SA) who can add, remove, and modify Azure resources in that subscription by using the Azure portal. The default SA of a new subscription is the AA, but the AA can change the SA in the Azure portal.

+Encryption at rest is discussed in detail in [Azure Data Encryption at Rest](encryption-atrest.md).

+Larger data sets can be moved over a dedicated high-speed WAN link such as [ExpressRoute](../../expressroute/expressroute-introduction.md). If you choose to use ExpressRoute, you can also encrypt the data at the application-level using SSL/TLS or other protocols for added protection.

+If you are interacting with Azure Storage through the Azure portal, all transactions occur via HTTPS. [Storage REST API](/rest/api/storageservices/) over HTTPS can also be used to interact with [Azure Storage](../../storage/index.yml) and [Azure SQL Database](/azure/azure-sql/database/sql-database-paas-overview).

+[Azure Rights Management](/azure/information-protection/what-is-azure-rms) (Azure RMS) uses encryption, identity, and authorization policies to help secure your files and email. Azure RMS works across multiple devicesΓÇöphones, tablets, and PCs by protecting both within your organization and outside your organization. This capability is possible because Azure RMS adds a level of protection that remains with the data, even when it leaves your organizationΓÇÖs boundaries.

+Web application firewall is based on rules from the [OWASP core rule sets](https://owasp.org/www-project-modsecurity-core-rule-set/). Web applications are increasingly targets of malicious attacks that exploit common known vulnerabilities. Common among these exploits are SQL injection attacks, cross site scripting attacks to name a few. Preventing such attacks in application code can be challenging and may require rigorous maintenance, patching and monitoring at multiple layers of the application topology. A centralized web application firewall helps make security management much simpler and gives better assurance to application administrators against threats or intrusions. A WAF solution can also react to a security threat faster by patching a known vulnerability at a central location versus securing each of individual web applications. Existing application gateways can be converted to a web application firewall enabled application gateway easily.

+> For a more detailed list of rules and their protections see the following [Core rule sets](../../web-application-firewall/ag/ag-overview.md).

+Azure provides several easy-to-use features to help secure both inbound and outbound traffic for your app. Azure helps customers secure their application code by providing externally provided functionality to scan your web application for vulnerabilities. See [Azure App Services](../../app-service/overview.md) to learn more.

+The Azure network infrastructure enables you to securely connect Azure resources to each other with [virtual networks (VNets)](../../virtual-network/virtual-networks-overview.md). A VNet is a representation of your own network in the cloud. A VNet is a logical isolation of the Azure cloud network dedicated to your subscription. You can connect VNets to your on-premises networks.

+If you need basic network level access control (based on IP address and the TCP or UDP protocols), then you can use [Network Security Groups](../../virtual-network/network-security-groups-overview.md). A Network Security Group (NSG) is a basic stateful packet filtering firewall that enables you to control access.

+[Microsoft Defender for Cloud](../../defender-for-cloud/defender-for-cloud-introduction.md) helps you prevent, detect, and respond to threats with increased visibility into and control over the security of your Azure resources. It provides integrated security monitoring and policy management across your Azure subscriptions, helps detect threats that might otherwise go unnoticed, and works with a broad ecosystem of security solutions.

+[Azure AD Identity Protection](../../active-directory/identity-protection/overview-identity-protection.md) is an [Azure Active Directory Premium P2](../../active-directory/fundamentals/active-directory-whatis.md#what-are-the-azure-ad-licenses) edition feature that provides an overview of the risk detections and potential vulnerabilities that can affect your organizationΓÇÖs identities. Identity Protection uses existing Azure AD anomaly-detection capabilities that are available through [Azure AD Anomalous Activity Reports](../../active-directory/reports-monitoring/overview-reports.md), and introduces new risk detection types that can detect real time anomalies.

+[Azure Monitor logs](../../azure-monitor/logs/data-platform-logs.md) is a Microsoft cloud-based IT management solution that helps you manage and protect your on-premises and cloud infrastructure. Because Azure Monitor logs is implemented as a cloud-based service, you can have it up and running quickly with minimal investment in infrastructure services. New security features are delivered automatically, saving ongoing maintenance and upgrade costs.

+[Microsoft Defender for Cloud](../../defender-for-cloud/defender-for-cloud-introduction.md) provides a comprehensive view into your organization's IT security posture, with built-in search queries for notable issues that require your attention. It provides high-level insight into the security state of your computers. You can also view all events from the past 24 hours, 7 days, or any other custom time-frame.

+[Microsoft Defender for Cloud](../../defender-for-cloud/defender-for-cloud-introduction.md) helps protect your hybrid cloud environment. By performing continuous security assessments of your connected resources, it's able to provide detailed security recommendations for the discovered vulnerabilities.

+### Microsoft Defender for Storage

+[Microsoft Defender for Storage](../../storage/common/azure-defender-storage-configure.md) is an Azure-native layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit your storage accounts. It uses advanced threat detection capabilities and [Microsoft Threat Intelligence](https://go.microsoft.com/fwlink/?linkid=2128684) data to provide contextual security alerts. Those alerts also include steps to mitigate the detected threats and prevent future attacks.

+[Web application firewall (WAF)](../../web-application-firewall/ag/ag-overview.md) is a feature of [Application Gateway](../../application-gateway/overview.md) that provides protection to web applications that use an application gateway for standard [application delivery control](https://kemptechnologies.com/in/application-delivery-controllers) functions. Web Application Firewall does this by protecting them against most of the [Open Web Application Security Project (OWASP) top 10 common web vulnerabilities](https://owasp.org/www-project-top-ten/).

+For examples of web application firewalls that are available in the Azure Marketplace, see [Barracuda WAF, Brocade virtual web application firewall (vWAF), Imperva SecureSphere, and the ThreatSTOP IP firewall](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/category/networking?page=1).

+## Next step

+- [Responding to today's threats](../../defender-for-cloud/managing-and-responding-alerts.md): Helps identify active threats that target your Azure resources and provides the insights you need to respond quickly.

+**Are my SAP systems running correctly?**

+[Are the SAP systems managed by your organization running correctly](monitor-sap-system-health.md)?. Are the systems up and running, or ar they unreachable? Does Microsoft Sentinel identify these systems as production systems?

+The following features allow you to perform this monitoring from within Microsoft Sentinel:

+- **Data connectors health monitoring workbook**: This workbook provides additional monitors, detects anomalies, and gives insight regarding the workspaceΓÇÖs data ingestion status. You can use the workbookΓÇÖs logic to monitor the general health of the ingested data, and to build custom views and rule-based alerts.

+- ***SentinelHealth* data table (Preview)**: Querying this table provides insights on health drifts, such as latest failure events per connector, or connectors with changes from success to failure states, which you can use to create alerts and other automated actions. The *SentinelHealth* data table is currently supported only for [selected data connectors](#supported-data-connectors).

+- [**View the health and status of your connected SAP systems**](monitor-sap-system-health.md): Review health information for your SAP systems under the SAP data connector, and use an alert rule template to get information about the health of the SAP agent's data collection.

+ Title: Monitor the health and role of your Microsoft Sentinel SAP systems

+description: Use the SAP connector page and a dedicated alert rule template to keep track of your SAP systems' connectivity and performance.

+# Monitor the health and role of your SAP systems

+After you [deploy the SAP solution](sap/deployment-overview.md), you want to ensure proper functioning and performance of your SAP systems, and keep track of your system health, connectivity, and performance.

+This article describes how to use the following features, which allow you to perform this monitoring from within Microsoft Sentinel:

+- [**Use the SAP data connector page**](#use-the-sap-data-connector). Review the **System Health** area under the Microsoft Sentinel for SAP connector to get information on the health of your connected SAP systems.

+- [**Use the Data collection health check alert rule**](#use-an-alert-rule-template). Get proactive alerts on the health of the SAP agent's data collection.

+> [!IMPORTANT]

+> Monitoring the health of your SAP systems is currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+## Use the SAP data connector

+1. From the Microsoft Sentinel portal, select **Data connectors**.

+1. In the search bar, type *Microsoft Sentinel for SAP*.

+1. Select the **Microsoft Sentinel for SAP** connector and select **Open connector**.

+1. In the **Configuration > System Health** area, you can view information on the health of your SAP systems.

+|Field |Description |Values |Notes |

+|||||

+|Agent name |Unique ID of the installed data connector agent. | | |

+|SID |The name of the connected SAP system ID (SID). | | |

+|Health |Indicates whether the SID is healthy. To troubleshoot health issues, [review the container execution logs](sap/sap-deploy-troubleshoot.md#view-all-container-execution-logs) and review other [troubleshooting steps](sap/sap-deploy-troubleshoot.md). |The **System healthy** status indicates that Microsoft Sentinel identified both logs and a heartbeat from the system. Other statuses, like **System unreachable for over 1 day**, indicate the connectivity status. | |

+|System role |Indicates whether the system is productive or not. The data connector agent retrieves the value by reading the SAP T000 table. This value also impacts billing. To change the role, an SAP admin needs to change the configuration in the SAP system. |ΓÇó **Production**. The system is defined by the SAP admin as a production system.<br>ΓÇó **Unknown (Production)**. Microsoft Sentinel couldn't retrieve the system status. Microsoft Sentinel regards this type of system as a production system for both security and billing purposes.<br>ΓÇó **Non production**. Indicates roles like developing, testing, and customizing.<br>ΓÇó **Agent update available**. Displayed in addition to the health status to indicate that a newer SAP connector version exists. In this case, we recommended that you [update the connector](sap/update-sap-data-connector.md). | If the system role is **Production (unknown)**, check the Microsoft Sentinel role definitions and permissions on the SAP system, and validate that the system allows Microsoft Sentinel to read the content of the T000 table. Next, consider [updating the SAP connector](sap/update-sap-data-connector.md) to the latest version. |

+## Use an alert rule template

+The Microsoft Sentinel for SAP solution includes an alert rule template designed to give you insight into the health of your SAP agent's data collection.

+To turn on the analytics rule:

+1. From the Microsoft Sentinel portal, select **Analytics**.

+1. Under **Rule templates**, locate the *SAP - Data collection health check* alert rule.

+The analytics rule:

+- Evaluates signals sent from the agent.

+- Evaluates telemetry data.

+- Evaluates alerts on log continuation and other system connectivity issues, if any are found.

+- Learns the log ingestion history, and therefore works better with time.

+The rule needs at least seven days of loading history to detect the different seasonality patterns. We recommend a value of 14 days for the alert rule **Look back** parameter to allow detection of weekly activity profiles.

+Once activated, the rule judges the recent telemetry and log volume observed on the workspace according to the history learned. The rule then alerts on potential issues, dynamically assigning severities according to the scope of the problem.

+This screenshot shows an example of an alert generated by the *SAP - Data collection health check* alert rule.

+## Next steps

+- Learn what [health monitoring in Microsoft Sentinel](health-audit.md) can do for you.

+- [Turn on health monitoring](enable-monitoring.md) in Microsoft Sentinel.

+- Monitor the health of your [automation rules and playbooks](monitor-automation-health.md).

+- See more information about the [*SentinelHealth* table schema](health-table-reference.md).

+

+This article introduces you to the process of deploying the Microsoft Sentinel Solution for SAP. The full process is detailed in a whole set of articles linked under [Deployment milestones](#deployment-milestones).

+> - [View the roles of your connected production systems](../monitor-sap-system-health.md).

+The Microsoft Sentinel for SAP data connector is an agent, installed on a VM or a physical server that collects application logs from across the entire SAP system landscape. It then sends those logs to your Log Analytics workspace in Microsoft Sentinel. You can then use the other content in the Threat Monitoring for SAP solution ΓÇô the analytics rules, workbooks, and watchlists ΓÇô to gain insight into your organization's SAP environment and to detect and respond to security threats.

+- [Monitor SAP system health (Preview)](#monitor-sap-system-health-and-role-preview)

+### Monitor SAP system health and role (Preview)

+To ensure proper functioning and performance of your SAP systems, you can now use the SAP data connector page to [monitor information about the health of your SAP systems](monitor-sap-system-health.md) and the status of the SAP roles for the system. You can also use an alert rule template to get information about the health of the SAP agent's data collection.

+You can now add OR conditions or condition groups to automation rules. These conditions allow you to combine several rules with identical actions into a single rule, greatly increasing your SOC's efficiency.

+However, in some cases, data from sources *not ingested into Microsoft Sentinel*, or events not recorded in any log, may justify launching an investigation. For this reason, Microsoft Sentinel now allows security analysts to manually create incidents from scratch for any type of event, regardless of its source or associated data, in order to manage and document the investigation.

+ Title: Best practices for using blob access tiers

+description: Learn about best practice guidelines that help you use access tiers to optimize performance and reduce costs.

+# Best practices for using blob access tiers

+This article provides best practice guidelines that help you use access tiers to optimize performance and reduce costs. To learn more about access tiers, see [Hot, cool, and archive access tiers for blob data](access-tiers-overview.md?tabs=azure-portal).

+## Choose the most cost-efficient access tiers

+You can reduce costs by placing blob data into the most cost-efficient access tiers. Choose from three tiers that are designed to optimize your costs around data use. For example, the hot tier has a higher storage cost but lower read cost. Therefore, if you plan to access data frequently, the hot tier might be the most cost-efficient choice. If you plan to read data less frequently, the cool or archive tier might make the most sense because it raises the cost of reading data while reducing the cost of storing data.

+To identify the most optimal access tier, try to estimate what percentage of the data will be read on a monthly basis. The following chart shows the impact on monthly spending given various read percentages.

+> [!div class="mx-imgBorder"]

+> 

+To model and analyze the cost of using cool versus archive storage, see [Archive versus cool](archive-cost-estimation.md#archive-versus-cool). You can apply similar modeling techniques to compare the cost of hot to cool or archive.

+## Migrate data directly to the most cost-efficient access tiers

+Choosing the most optimal tier up front can reduce costs. If you change the tier of a block blob that you've already uploaded, then you'll pay the cost of writing to the initial tier when you first upload the blob, and then pay the cost of writing to the desired tier. If you change tiers by using a lifecycle management policy, then that policy will require a day to take effect and a day to complete execution. You'll also incur the capacity cost of storing data in the initial tier prior to the tier change.

+- For guidance about how to upload to a specific access tier, see [Set a blob's access tier](access-tiers-online-manage.md).

+- For offline data movement to the desired tier, see [Azure Data Box](/products/databox/).

+## Move data into the most cost-efficient access tiers

+After data is uploaded, you should periodically analyze your containers and blobs to understand how they are stored, organized, and used in production. Then, use lifecycle management policies to move data to the most cost-efficient tiers. For example, data that has not been accessed for more than 30 days might be more cost efficient if placed into the cool tier. Consider archiving data that has not been accessed for over 180 days.

+To gather telemetry, enable [blob inventory reports](blob-inventory.md) and enable [last access time tracking](lifecycle-management-policy-configure.md#optionally-enable-access-time-tracking). Analyze use patterns based on the last access time by using tools such as Azure Synapse or Azure Databricks. To learn about ways to analyze your data, see any of these articles:

+- [Tutorial: Analyze blob inventory reports](storage-blob-inventory-report-analytics.md)

+- [Calculate blob count and total size per container using Azure Storage inventory](calculate-blob-count-size.md)

+- [How to calculate Container Level Statistics in Azure Blob Storage with Azure Databricks](https://techcommunity.microsoft.com/t5/azure-paas-blog/how-to-calculate-container-level-statistics-in-azure-blob/ba-p/3614650)

+## Tier append and page blobs

+Your analysis might reveal append or page blobs that are not actively used. For example, you might have log files (append blobs) that are no longer being read or written to, but you'd like to store them for compliance reasons. Similarly, you might want to back up disks or disk snapshots (page blobs). You can move these blobs into cooler tiers as well. However, you must first convert them to block blobs.

+For information about how to convert append and page blobs to block blobs, see [Convert append blobs and page blobs to block blobs](convert-append-and-page-blobs-to-block-blobs.md).

+## Pack small files before moving data to cooler tiers

+Each read or write operation incurs a cost. To reduce the cost of reading and writing data, consider packing small files into larger ones by using file formats such as TAR or ZIP. Fewer files reduce the number of operations required to transfer data.

+The following chart shows the relative impact of packing files for the cool tier. The read cost assumes a monthly read percentage of 30%.

+> [!div class="mx-imgBorder"]

+> 

+The following chart shows the relative impact of packing files for the archive tier. The read cost assumes a monthly read percentage of 30%.

+> [!div class="mx-imgBorder"]

+> 

+> [!TIP]

+> To facilitate search and read scenarios, consider creating an index that maps packed file paths with original file paths, and then storing these indexes as block blobs in the hot tier.

+## Next steps

+- [Set a blob's access tier](access-tiers-online-manage.md)

+- [Archive a blob](archive-blob.md)

+- [Optimize costs by automatically managing the data lifecycle](lifecycle-management-overview.md)

+- [Estimate the cost of archiving data](archive-cost-estimation.md)

+ Title: Convert append and page blobs into block blobs (Azure Storage)

+description: Learn how to convert an append blob or a page blob into a block blob in Azure Blob Storage.

+ms.devlang: powershell, azurecli

+# Convert append blobs and page blobs into block blobs

+To convert blobs, copy them to a new location by using PowerShell, Azure CLI, or AzCopy. You'll use command parameters to ensure that the destination blob is a block blob. All metadata from the source blob is copied to the destination blob.

+## Convert append and page blobs

+### [PowerShell](#tab/azure-powershell)

+1. Open a Windows PowerShell command window.

+2. Sign in to your Azure subscription with the [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) command and follow the on-screen directions.

+ ```powershell

+ Connect-AzAccount

+ ```

+3. If your identity is associated with more than one subscription, then set your active subscription to subscription of the storage account which contains the append or page blobs.

+ ```powershell

+ $context = Get-AzSubscription -SubscriptionId '<subscription-id>'

+ Set-AzContext $context

+ ```

+ Replace the `<subscription-id>` placeholder value with the ID of your subscription.

+4. Create the storage account context by using the [New-AzStorageContext](/powershell/module/az.storage/new-azstoragecontext) command. Include the `-UseConnectedAccount` parameter so that data operations will be performed using your Azure Active Directory (Azure AD) credentials.

+ ```powershell

+ $ctx = New-AzStorageContext -StorageAccountName '<storage account name>' -UseConnectedAccount

+ ```

+5. Use the [Copy-AzStorageBlob](/powershell/module/az.storage/copy-azstorageblob) command and set the `-DestBlobType` parameter to `Block`.

+ ```powershell

+ $containerName = '<source container name>'

+ $srcblobName = '<source append or page blob name>'

+ $destcontainerName = '<destination container name>'

+ $destblobName = '<destination block blob name>'

+ $destTier = '<destination block blob tier>'

+ Copy-AzStorageBlob -SrcContainer $containerName -SrcBlob $srcblobName -Context $ctx -DestContainer $destcontainerName -DestBlob $destblobName -DestContext $ctx -DestBlobType Block -StandardBlobTier $destTier

+ ```

+ > [!TIP]

+ > The `-StandardBlobTier` parameter is optional. If you omit that parameter, then the destination blob infers its tier from the [default account access tier setting](access-tiers-overview.md#default-account-access-tier-setting). To change the tier after you've created a block blob, see [Change a blob's tier](access-tiers-online-manage.md#change-a-blobs-tier).

+### [Azure CLI](#tab/azure-cli)

+1. First, open the [Azure Cloud Shell](../../cloud-shell/overview.md), or if you've [installed](/cli/azure/install-azure-cli) the Azure CLI locally, open a command console application such as Windows PowerShell.

+ > [!NOTE]

+ > If you're using a locally installed version of the Azure CLI, ensure that you are using version 2.44.0 or later.

+2. If your identity is associated with more than one subscription, then set your active subscription to subscription of storage account which contains the append or page blobs.

+ ```azurecli-interactive

+ az account set --subscription <subscription-id>

+ ```

+ Replace the `<subscription-id>` placeholder value with the ID of your subscription.

+3. Use the [az storage blob copy start](/cli/azure/storage/blob/copy#az-storage-blob-copy-start) command and set the `--destination-blob-type` parameter to `blockBlob`.

+ ```azurecli

+ containerName = '<source container name>'

+ srcblobName = '<source append or page blob name>'

+ destcontainerName = '<destination container name>'

+ destblobName = '<destination block blob name>'

+ destTier = '<destination block blob tier>'

+ az storage blob copy start --account-name $accountName --destination-blob $destBlobName --destination-container $destcontainerName --destination-blob-type BlockBlob --source-blob $srcblobName --source-container $containerName --tier $destTier

+ ```

+ > [!TIP]

+ > The `--tier` parameter is optional. If you omit that parameter, then the destination blob infers its tier from the [default account access tier setting](access-tiers-overview.md#default-account-access-tier-setting). To change the tier after you've created a block blob, see [Change a blob's tier](access-tiers-online-manage.md#change-a-blobs-tier).

+ > [!WARNING]

+ > The optional `--metadata` parameter overwrites any existing metadata. Therefore, if you specify metadata by using this parameter, then none of the original metadata from the source blob will be copied to the destination blob.

+### [AzCopy](#tab/azcopy)

+Use the [azcopy copy](../common/storage-ref-azcopy-copy.md) command. Specify the source and destination paths. Set the `blob-type` parameter to `BlockBlob`.

+```azcopy

+azcopy copy 'https://<storage-account-name>.<blob or dfs>.core.windows.net/<container-name>/<append-or-page-blob-name>' 'https://<storage-account-name>.<blob or dfs>.core.windows.net/<container-name>/<name-of-new-block-blob>' --blob-type BlockBlob --block-blob-tier <destination-tier>

+```

+> [!TIP]

+> The `--block-blob-tier` parameter is optional. If you omit that parameter, then the destination blob infers its tier from the [default account access tier setting](access-tiers-overview.md#default-account-access-tier-setting). To change the tier after you've created a block blob, see [Change a blob's tier](access-tiers-online-manage.md#change-a-blobs-tier).

+> [!WARNING]

+> The optional `--metadata` parameter overwrites any existing metadata. Therefore, if you specify metadata by using this parameter, then none of the original metadata from the source blob will be copied to the destination blob.

+## See also

+- [Hot, Cool, and Archive access tiers for blob data](access-tiers-overview.md)

+- [Set a blob's access tier](access-tiers-online-manage.md)

+- [Best practices for using blob access tiers](access-tiers-best-practices.md)

+ Title: Tutorial - Create custom .NET deserializers for Azure Stream Analytics cloud jobs using Visual Studio Code (Preview)

+# Tutorial: Custom .NET deserializers for Azure Stream Analytics in Visual Studio Code (Preview)

+> * [Test Azure Stream Analytics jobs locally with live input using Visual Studio Code](visual-studio-code-local-run-live-input.md)

+You can change the behavior when you delete a VM.

+The following example updates the VM to delete the NIC, OS disk, and data disk when the VM is deleted.

+## Force Delete for scale sets

+Force delete allows you to forcefully delete your **Uniform** Virtual Machine Scale Set, reducing delete latency and immediately freeing up attached resources. . Force Delete will not immediately free the MAC address associated with a VM, as this is a physical resource that may take up to 10 min to free. If you need to immediately re-use the MAC address on a new VM, Force Delete is not recommended. Force delete should only be used when you are not intending to re-use virtual hard disks. You can use force delete through Portal, CLI, PowerShell, and REST API.

+When you go to delete an existing scale set, you will find an option to apply force delete in the delete pane.

+1. Navigate to your Virtual Machine Scale Set.

+1. In the **Delete Virtual Machine Scale Set** pane, select the checkbox for **Apply force delete**.

+You can use the Azure REST API to apply force delete to your scale set. Use the `forceDeletion` parameter for [Virtual Machines Scale Sets - Delete](/rest/api/compute/virtual-machine-scale-sets/delete).

+### Q: How does this feature work with Flexible Virtual Machine Scale Set?

+A: For Flexible Virtual Machine Scale Set the disks, NICs, and PublicIPs have `deleteOption` set to `Delete` by default so these resources are automatically cleaned up when the VMs are deleted.