+## How is Permissions Management priced?

+Permissions Management is $125 per resources/year ($10.40 per resource/month). Permissions Management requires licenses for workloads, which include any resource that uses compute or memory.

+## Do I need to pay for all resources?

+Although Permissions Management supports all resources, Microsoft only requires licenses for certain resources per cloud. To learn more about billable resources, visit [View billable resources listed in your authorization system](product-data-billable-resources.md)

+## How do I figure out how many resources I have?

+To find out how many resources you have across your multicloud infrastructure, view the Billable Resources tab in Permissions Management.

+ >[!NOTE]

+ >Default and GCP-managed service accounts are not included in the PCI calculation.

+ Title: View current billable resources in your authorization systems

+description: How to view current billable resources in your authorization system in Permissions Management.

+# View billable resources listed in your authorization system

+Gain insight into current billable resources listed in your authorization system. In Microsoft Entra Permissions Management, a billable resource is defined as a cloud service that uses compute or memory and requires a license. The Permissions Management Billable Resources tab shows you which resources are in your authorization system, and how many of them you're being billed for.

+Here is the current list of resources per cloud provider. This list is subject to change as cloud providers add more services in the future.

+## View resources in your authorization system

+1. To access your billable resource information, from the Permissions Management home page, select Settings (gear icon).

+1. Select the Billable Resources tab.

+1. Select your Authorization System:

+ - **AWS** for Amazon Web Services.

+ - **Azure** for Microsoft Azure.

+ - **GCP** for Google Cloud Platform.

+ The interface displays information showing which resource you have in your Authorization System per category.

+1. To change the columns displayed in the table, select **Columns**, and then select the information you want to display.

+ - To discard your changes, select **Reset to default**.

+## Next steps

+- For information about viewing and configuring settings for collecting data from your authorization system and its associated accounts, see [View and configure settings for data collection](product-data-sources.md).

+ Title: View and configure settings for data collection

+description: How to view and configure settings for collecting data from your authorization system.

+ Title: View and download the Permissions Analytics Report in Permissions Management

+description: How to view and download the Permissions Analytics Report in Permissions Management.

+# View and download the Permissions analytics report

+This article describes how to view and download the **Permissions analytics report** in Permissions Management for AWS, Azure, and GPC authorization systems.

+>[!NOTE]

+>The Permissions analytics report can be downloaded in Excel and PDF formats.

+## View the Permissions Analytics Report in the Permissions Management UI

+You can view the Permissions Analytics Report information directly in the Permissions Management UI.

+1. In Permissions Management, select **Reports** in the navigation menu.

+2. Locate the **Permissions Analytics Report** in the list, then select it.

+3. View detailed report information from the list of categories that are displayed.

+ >[!NOTE]

+ > Categories will vary depending on which Authorization System you are viewing.

+4. To view more detailed information into each category, select the drop-down arrow next to the category name.

+## Download the Permissions Analytics Report in Excel format

+1. From the Permissions Management home page, select the **Reports** tab, then select the **Systems Reports** subtab.

+

+ The **Systems Reports** subtab displays a list of report names in the **Reports** table.

+2. Locate the **Permissions Analytics Report** in the list.

+3. To download the report in Excel format, click on the ellipses **(...)**, the select **Generate & Download**.

+

+ The Permissions Analytics Report screen is displayed.

+4. Click on **Report Format** and make sure that **XLSX** is selected.

+5. Click on **Schedule** and, if you want to download this report regularly, select the frequency for which you want it downloaded. You can also leave this at the default setting of **None**.

+6. Click on **Authorization Systems** and select which system you want to download the report for (AWS, Azure, or GCP).

+ >[!NOTE]

+ > To download a report for all Authorization Systems, check the **Collate** box. This will combine all selected Authorization Systems into one report.

+7. Click **Save**

+ The following message displays: **Report has been created**.

+ Once the Excel file is generated, the report is automatically sent to your email.

+## Download the Permissions Analytics Report in PDF format

+1. From the Permissions Management home page, select the **Reports** tab, then select the **Systems Reports** subtab.

+

+ The **Systems Reports** subtab displays a list of reports names in the **Reports** table.

+2. Locate the **Permissions Analytics Report** in the list, then select it.

+3. Select which Authorization System you want to generate the PDF download for (AWS, Azure, or GCP).

+ >[!NOTE]

+ > The PDF can only be downloaded for one Authorization System at a time. If more than one Authorization System is selected, the **Export PDF** button will be disabled.

+4. To download the report in PDF format, click on **Export PDF**.

+

+ The following message displays: **Successfully started to generate PDF report**.

+

+ Once the PDF is generated, the report is automatically sent to your email.

+| Support for device writeback|ΓùÅ |Customers should use [Cloud Kerberos trust](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust?tabs=intune) for this moving forward|

+There are multiple scenarios that organizations can now enable using filter for devices condition. The following scenarios provide examples of how to use this new condition.

+The filter for devices API is available in Microsoft Graph v1.0 endpoint and can be accessed using the endpoint `https://graph.microsoft.com/v1.0/identity/conditionalaccess/policies/`. You can configure a filter for devices when creating a new Conditional Access policy or you can update an existing policy to configure the filter for devices condition. To update an existing policy, you can do a patch call on the Microsoft Graph v1.0 endpoint by appending the policy ID of an existing policy and executing the following request body. The example here shows configuring a filter for devices condition excluding devices that aren't marked as SAW devices. The rule syntax can consist of more than one single expression. To learn more about the syntax, see [dynamic membership rules for groups in Azure Active Directory](../enterprise-users/groups-dynamic-membership.md).

+The filter for devices condition in Conditional Access evaluates policy based on device attributes of a registered device in Azure AD and hence it's important to understand under what circumstances the policy is applied or not applied. The following table illustrates the behavior when a filter for devices condition is configured.

+> If you want to specify an IP CIDR range for a single address, apply the /128 bit mask. If you see the IPv6 address 2001:db8:4a7d:3f57:a1e2:6b4a:8f3e:d17b and wanted to exclude that single address as a range, you would use 2001:db8:4a7d:3f57:a1e2:6b4a:8f3e:d17b/128.

+| Component/area | Tags |

+| -| |

+| Azure AD B2B / External Identities | [Azure Active Directory External Identities](/answers/tags/231/azure-active-directory-b2c) |

+| Azure AD B2C | [Azure Active Directory External Identities](/answers/tags/231/azure-active-directory-b2c) |

+| All other Azure Active Directory areas | [Azure Active Diretory](/answers/tags/49/azure-active-directory) |

+| Azure RBAC | [Azure Role-Based access control](/answers/tags/189/azure-rbac) |

+| Azure Key Vault | [Azure Key Vault](/answers/tags/5/azure-key-vault) |

+| Microsoft Security | [Microsoft Defender for Cloud](/answers/tags/392/defender-for-cloud) |

+| Microsoft Sentinel | [Microsoft Sentinel](/answers/tags/423/microsoft-sentinel) |

+| Azure AD Domain Services | [Azure Active Directory Domain Services](/answers/tags/222/azure-active-directory-domain) |

+| Azure Windows and Linux Virtual Machines | [Azure Virtual Machines](/answers/tags/94/azure-virtual-machines) |

+[MsalServiceException](/dotnet/api/microsoft.identity.client.msalserviceexception) is thrown when the Identity Provider (Azure AD) returns an error. It's a translation of the server error.

+[MsalUIRequiredException](/dotnet/api/microsoft.identity.client.msaluirequiredexception) is type of [MsalServiceException](/dotnet/api/microsoft.identity.client.msalserviceexception) and indicates that user interaction is required, for example because MFA is required or because the user has changed their password and a token can't be acquired silently.

+If [MsalUIRequiredException](/dotnet/api/microsoft.identity.client.msaluirequiredexception) is thrown, it's an indication that an interactive flow needs to happen for the user to resolve the issue. In public client apps such as desktop and mobile app, this is resolved by calling `AcquireTokenInteractive`, which displays a browser. In confidential client apps, web apps should redirect the user to the authorization page, and web APIs should return an HTTP status code and header indicative of the authentication failure (401 Unauthorized and a WWW-Authenticate header).

+| [MsalUiRequiredException](/dotnet/api/microsoft.identity.client.msaluirequiredexception) | AADSTS65001: The user or administrator hasn't consented to use the application with ID '{appId}' named '{appName}'. Send an interactive authorization request for this user and resource.| Get user consent first. If you aren't using .NET Core (which doesn't have any Web UI), call (once only) `AcquireTokeninteractive`. If you're using .NET core or don't want to do an `AcquireTokenInteractive`, the user can navigate to a URL to give consent: `https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={clientId}&response_type=code&scope=user.read`. to call `AcquireTokenInteractive`: `app.AcquireTokenInteractive(scopes).WithAccount(account).WithClaims(ex.Claims).ExecuteAsync();`|

+| [MsalUiRequiredException](/dotnet/api/microsoft.identity.client.msaluirequiredexception) | AADSTS50079: The user is required to use [multi-factor authentication (MFA)](../authentication/concept-mfa-howitworks.md).| There's no mitigation. If MFA is configured for your tenant and Azure Active Directory (Azure AD) decides to enforce it, fall back to an interactive flow such as `AcquireTokenInteractive`.|

+| [MsalServiceException](/dotnet/api/microsoft.identity.client.msalserviceexception) | AADSTS70002: The request body must contain the following parameter: `client_secret or client_assertion`.| This exception can be thrown if your application wasn't registered as a public client application in Azure AD. In the Azure portal, edit the manifest for your application and set `allowPublicClient` to `true`. |

+| [MsalClientException](/dotnet/api/microsoft.identity.client.msalclientexception)| `unknown_user Message`: Couldn't identify logged in user| The library was unable to query the current Windows logged-in user or this user isn't AD or Azure AD joined (work-place joined users aren't supported). Mitigation 1: on UWP, check that the application has the following capabilities: Enterprise Authentication, Private Networks (Client and Server), User Account Information. Mitigation 2: Implement your own logic to fetch the username (for example, john@contoso.com) and use the `AcquireTokenByIntegratedWindowsAuth` form that takes in the username.|

+MSAL exposes a `Classification` field, which you can read to provide a better user experience. For example to tell the user that their password expired or that they'll need to provide consent to use some resources. The supported values are part of the [`UiRequiredExceptionClassification`](/dotnet/api/microsoft.identity.client.uirequiredexceptionclassification) enum:

+To handle the claim challenge, you'll need to use the `.WithClaim()` method of the [`PublicClientApplicationBuilder`](/dotnet/api/microsoft.identity.client.publicclientapplicationbuilder) class.

+Here's an example for a daemon application using the client credentials flow. You can adapt this to any of the methods for acquiring a token.

+You can monitor the source of the tokens by inspecting the `AuthenticationResult.AuthenticationResultMetadata.TokenSource` property.

+npm install @azure/msal-browser @azure/msal-react @azure/msal-common # Install the MSAL packages

+ https://myaccount.microsoft.com?tenantId=ab123456-cd12-ef12-gh12-ijk123456789. You might need to open this URL in a private browser session.

+Sometimes, the external guest user you're inviting conflicts with an existing [Contact object](/graph/api/resources/contact). When this occurs, the guest user is created without a proxyAddress. This means that the user won't be able to redeem this account using [just-in-time redemption](redemption-experience.md#redemption-through-a-direct-link) or [email one-time passcode authentication](one-time-passcode.md#user-experience-for-one-time-passcode-guest-users). Also, if the contact object you're synchronizing from on-premises AD conflicts with an existing guest user, the conflicting proxyAddress is removed from the existing guest user.

+- [Use audit logs and access reviews](auditing-and-reporting.md)

+Azure AD handles Core Store data based on usability, performance, residency and/or other requirements based on geo-location. Azure AD replicates each tenant through its scale unit, across data centers, based on the following criteria:

+- The Workflows won't run earlier than the time specified in the attribute, however the [tenant schedule (default 3h)](customize-workflow-schedule.md) may delay the workflow run. For instance, if you set the `employeeHireDate` to 8AM but the tenant schedule doesn't run until 9AM, the workflow won't be processed until then. If a new hire is starting at 8AM, you would want to set the time to something like (start time - tenant schedule) to ensure it had run before the employee arrives.

+## Create a custom sync rule in Azure AD Connect cloud sync for EmployeeHireDate

+## How to create a custom sync rule in Azure AD Connect for EmployeeHireDate

+> [!NOTE]

+> **msDS-cloudExtensionAttribute1** is an example source.

+> Detections are visible only to [Workload Identities Premium](https://www.microsoft.com/security/business/identity-access/microsoft-entra-workload-identities#office-StandaloneSKU-k3hubfz) customers. Customers without Workload Identities Premium licenses still receive all detections but the reporting of details is limited.

+ Title: Configure Azure AD Multi-Factor Authentication and SSO for Oracle JD Edwards applications using Datawiza Access Proxy

+description: Enable Azure AD MFA and SSO for Oracle JD Edwards application using Datawiza Access Proxy

+In this tutorial, learn how to enable Azure Active Directory (Azure AD) single sign-on (SSO) and Azure AD Multi-Factor Authentication (MFA) for an Oracle JD Edwards (JDE) application using Datawiza Access Proxy (DAP).

+Learn more [Datawiza Access Proxy](https://www.datawiza.com/)

+Benefits of integrating applications with Azure AD using DAP:

+* [Embrace proactive security with Zero Trust](https://www.microsoft.com/security/business/zero-trust) - a security model that adapts to modern environments and embraces hybrid workplace, while it protects people, devices, apps, and data

+* [Azure Active Directory single sign-on](https://azure.microsoft.com/solutions/active-directory-sso/#overview) - secure and seamless access for users and apps, from any location, using a device

+* [How it works: Azure AD Multi-Factor Authentication](../authentication/concept-mfa-howitworks.md) - users are prompted during sign-in for forms of identification, such as a code on their cellphone or a fingerprint scan

+* [What is Conditional Access?](../conditional-access/overview.md) - policies are if-then statements, if a user wants to access a resource, then they must complete an action

+* [Easy authentication and authorization in Azure AD with no-code Datawiza](https://www.microsoft.com/security/blog/2022/05/17/easy-authentication-and-authorization-in-azure-active-directory-with-no-code-datawiza/) - use web applications such as: Oracle JDE, Oracle E-Business Suite, Oracle Sibel, and home-grown apps

+* Use the [Datawiza Cloud Management Console](https://console.datawiza.com) (DCMC) - manage access to applications in public clouds and on-premises

+In legacy applications, due to the absence of modern protocol support, a direct integration with Azure AD SSO is difficult. DAP can bridge the gap between the legacy application and the modern ID control plane, through protocol transitioning. DAP lowers integration overhead, saves engineering time, and improves application security.

+* **Azure AD** - identity and access management service that helps users sign in and access external and internal resources

+* **Oracle JDE application** - legacy application protected by Azure AD

+* **Datawiza Access Proxy (DAP)** - container-based reverse-proxy that implements OpenID Connect (OIDC), OAuth, or Security Assertion Markup Language (SAML) for user sign-in flow. It passes identity transparently to applications through HTTP headers.

+* **Datawiza Cloud Management Console (DCMC)** -a console to manage DAP. Administrators use UI and RESTful APIs to configure DAP and access control policies.

+Learn more: [Datawiza and Azure AD Authentication Architecture](./datawiza-with-azure-ad.md#datawiza-with-azure-ad-authentication-architecture)

+* An Azure subscription.

+ * If you don't have one, you can get an [Azure free account](https://azure.microsoft.com/free)

+* An Azure AD tenant linked to the Azure subscription

+ * See, [Quickstart: Create a new tenant in Azure Active Directory.](../fundamentals/active-directory-access-create-new-tenant.md)

+* Docker and Docker Compose

+ * Go to docs.docker.com to [Get Docker](https://docs.docker.com/get-docker) and [Install Docker Compose](https://docs.docker.com/compose/install)

+* User identities synchronized from an on-premises directory to Azure AD, or created in Azure AD and flowed back to an on-premises directory

+ * See, [Azure AD Connect sync: Understand and customize synchronization](../hybrid/how-to-connect-sync-whatis.md)

+* An account with Azure AD and the Application administrator role

+ * See, [Azure AD built-in roles, all roles](../roles/permissions-reference.md#all-roles)

+* An Oracle JDE environment

+* (Optional) An SSL web certificate to publish services over HTTPS. You can also use default Datawiza self-signed certs for testing.

+ 

+4. In the **Name** and **Description** fields, enter information.

+ 

+6. On the **Add Application** dialog, for **Platform**, select **Web**.

+7. For **App Name**, enter a unique application name.

+8. For **Public Domain**, for example enter `https://jde-external.example.com`. For testing the configuration, you can use localhost DNS. If you aren't deploying DAP behind a load balancer, use the **Public Domain** port.

+9. For **Listen Port**, select the port that DAP listens on.

+10. For **Upstream Servers**, select the Oracle JDE implementation URL and port to be protected.

+11. Select **Next**.

+ 

+12. On the **Configure IdP** dialog, enter information.

+ >Use DCMC one-click integration to help complete Azure AD configuration. DCMC calls the Graph API to create an application registration on your behalf in your Azure AD tenant. Go to docs.datawiza.com for [One Click Integration With Azure AD](https://docs.datawiza.com/tutorial/web-app-azure-one-click.html).

+13. Select **Create**.

+ 

+14. The DAP deployment page appears.

+15. Make a note of the deployment Docker Compose file. The file includes the DAP image, Provisioning Key, and Provision Secret, which pulls the latest configuration and policies from DCMC.

+ 

+DAP gets user attributes from IdP and passes them to the upstream application with a header or cookie.

+The Oracle JDE application needs to recognize the user: using a name, the application instructs DAP to pass the values from the IdP to the application through the HTTP header.

+3. For **Field**, select **Email**.

+4. For **Expected**, select **JDE_SSO_UID**.

+5. For **Type**, select **Header**.

+ 

+ >This configuration uses the Azure AD user principal name as the sign-in username, used by Oracle JDE. To use another user identity, go to the **Mappings** tab.

+ 

+6. Select the **Advanced** tab.

+ 

+ 

+7. Select **Enable SSL**.

+8. From the **Cert Type** dropdown, select a type.

+ 

+9. For testing purposes, we'll be providing a self-signed certificate.

+ 

+ 

+10. Select **Save**.

+To provide more security for sign-ins, you can enforce MFA for user sign-in.

+See, [Tutorial: Secure user sign-in events with Azure AD MFA](../authentication/tutorial-enable-azure-mfa.md).

+1. Sign in to the Azure portal as a Global Administrator.

+4. Under **Enable Security defaults**, select **Yes**.

+5. Select **Save**.

+1. Sign in to the Oracle JDE EnterpriseOne Server Manager Management Console as an Administrator.

+3. In the **Configuration** tile, select **View as Advanced**.

+4. Select **Security**.

+5. Select the **Enable Oracle Access Manager** checkbox.

+6. In the **Oracle Access Manager Sign-Off URL** field, enter **datawiza/ab-logout**.

+7. In the **Security Server Configuration** section, select **Apply**.

+8. Select **Stop**.

+ >If a message states the web server configuration (jas.ini) is out-of-date, select **Synchronize Configuration**.

+9. Select **Start**.

+To test an Oracle JDE application, validate application headers, policy, and overall testing. If needed, use header and policy simulation to validate header fields and policy execution.

+To confirm Oracle JDE application access occurs, a prompt appears to use an Azure AD account for sign-in. Credentials are checked and the Oracle JDE appears.

+* Video [Enable SSO and MFA for Oracle JDE) with Azure AD via Datawiza](https://www.youtube.com/watch?v=_gUGWHT5m90)

+* [Tutorial: Configure Secure Hybrid Access with Azure AD and Datawiza](./datawiza-with-azure-ad.md)

+* [Tutorial: Configure Azure AD B2C with Datawiza to provide secure hybrid access](../../active-directory-b2c/partner-datawiza.md)

+* Go to docs.datawiza.com for Datawiza [User Guides](https://docs.datawiza.com/)

+ Title: Configure Azure AD Multi-Factor Authentication and SSO for Oracle PeopleSoft applications using Datawiza Access Proxy

+description: Enable Azure AD MFA and SSO for Oracle PeopleSoft application using Datawiza Access Proxy

+In this tutorial, learn how to enable Azure Active Directory (Azure AD) single sign-on (SSO) and Azure AD Multi-Factor Authentication (MFA) for an

+Oracle PeopleSoft application using Datawiza Access Proxy (DAP).

+Learn more: [Datawiza Access Proxy](https://www.datawiza.com/)

+Benefits of integrating applications with Azure AD using DAP:

+* [Embrace proactive security with Zero Trust](https://www.microsoft.com/security/business/zero-trust) - a security model that adapts to modern environments and embraces hybrid workplace, while it protects people, devices, apps, and data

+* [Azure Active Directory single sign-on](https://azure.microsoft.com/solutions/active-directory-sso/#overview) - secure and seamless access for users and apps, from any location, using a device

+* [How it works: Azure AD Multi-Factor Authentication](../authentication/concept-mfa-howitworks.md) - users are prompted during sign-in for forms of identification, such as a code on their cellphone or a fingerprint scan

+* [What is Conditional Access?](../conditional-access/overview.md) - policies are if-then statements, if a user wants to access a resource, then they must complete an action

+* [Easy authentication and authorization in Azure AD with no-code Datawiza](https://www.microsoft.com/security/blog/2022/05/17/easy-authentication-and-authorization-in-azure-active-directory-with-no-code-datawiza/) - use web applications such as: Oracle JDE, Oracle E-Business Suite, Oracle Sibel, and home-grown apps

+* Use the [Datawiza Cloud Management Console](https://console.datawiza.com) (DCMC) - manage access to applications in public clouds and on-premises

+This scenario focuses on Oracle PeopleSoft application integration using HTTP authorization headers to manage access to protected content.

+In legacy applications, due to the absence of modern protocol support, a direct integration with Azure AD SSO is difficult. Datawiza Access Proxy (DAP) bridges the gap between the legacy application and the modern ID control plane, through protocol transitioning. DAP lowers integration overhead, saves engineering time, and improves application security.

+* **Azure AD** - identity and access management service that helps users sign in and access external and internal resources

+* **Datawiza Access Proxy (DAP)** - container-based reverse-proxy that implements OpenID Connect (OIDC), OAuth, or Security Assertion Markup Language (SAML) for user sign-in flow. It passes identity transparently to applications through HTTP headers.

+* **Datawiza Cloud Management Console (DCMC)** - administrators manage DAP with UI and RESTful APIs to configure DAP and access control policies

+* **Oracle PeopleSoft application** - legacy application to be protected by Azure AD and DAP

+Learn more: [Datawiza and Azure AD authentication architecture](./datawiza-with-azure-ad.md#datawiza-with-azure-ad-authentication-architecture)

+* An Azure subscription

+ * If you don't have one, you can get an [Azure free account](https://azure.microsoft.com/free)

+* An Azure AD tenant linked to the Azure subscription

+ * See, [Quickstart: Create a new tenant in Azure Active Directory](../fundamentals/active-directory-access-create-new-tenant.md)

+* Docker and Docker Compose

+ * Go to docs.docker.com to [Get Docker](https://docs.docker.com/get-docker) and [Install Docker Compose](https://docs.docker.com/compose/install)

+* User identities synchronized from an on-premises directory to Azure AD, or created in Azure AD and flowed back to an on-premises directory

+ * See, [Azure AD Connect sync: Understand and customize synchronization](../hybrid/how-to-connect-sync-whatis.md)

+* An account with Azure AD and the Application Administrator role

+ * See, [Azure AD built-in roles, all roles](../roles/permissions-reference.md#all-roles)

+* An Oracle PeopleSoft environment

+* (Optional) An SSL web certificate to publish services over HTTPS. You can use default Datawiza self-signed certs for testing.

+## Getting started with DAP

+1. Sign in to [Datawiza Cloud Management Console](https://console.datawiza.com/) (DCMC).

+ 

+4. In the **Name** and **Description** fields, enter information.

+ 

+6. The Add Application dialog appears.

+7. For **Platform**, select **Web**.

+8. For **App Name**, enter a unique application name.

+9. For **Public Domain**, for example use `https://ps-external.example.com`. For testing, you can use localhost DNS. If you aren't deploying DAP behind a load balancer, use the Public Domain port.

+10. For **Listen Port**, select the port that DAP listens on.

+11. For **Upstream Servers**, select the Oracle PeopleSoft implementation URL and port to be protected.

+ 

+8. On the **Configure IdP** dialog, enter information.

+ >DCMC has one-click integration to help complete Azure AD configuration. DCMC calls the Microsoft Graph API to create an application registration on your behalf in your Azure AD tenant. Learn more at docs.datawiza.com in [One Click Integration with Azure AD](https://docs.datawiza.com/tutorial/web-app-azure-one-click.html#preview)

+ 

+10. The DAP deployment page appears.

+11. Make a note of the deployment Docker Compose file. The file includes the DAP image, the Provisioning Key and Provision Secret, which pulls the latest configuration and policies from DCMC.

+ 

+DAP gets user attributes from the identity provider (IdP) and passes them to the upstream application with a header or cookie.

+The Oracle PeopleSoft application needs to recognize the user. Using a name, the application instructs DAP to pass the values from the IdP to the application through the HTTP header.

+3. For **Field**, select **email**.

+4. For **Expected**, select **PS_SSO_UID**.

+5. For **Type**, select **Header**.

+ 

+ >This configuration uses Azure AD user principal name as the sign-in username for Oracle PeopleSoft. To use another user identity, go to the **Mappings** tab.

+ 

+ 

+3. From the **Cert Type** dropdown, select a type.

+ 

+4. For testing the configuration, there's a self-signed certificate.

+ 

+ >You can upload a certificate from a file.

+ 

+To provide more security for sign-ins, you can enforce Azure AD Multi-Factor Authentication (MFA).

+Learn more: [Tutorial: Secure user sign-in events with Azure AD MFA](../authentication/tutorial-enable-azure-mfa.md)

+1. Sign in to the Azure portal as a Global Administrator.

+3. Under **Properties**, select **Manage security defaults**.

+4. Under **Enable Security defaults**, select **Yes**

+5. Select **Save**.

+1. Sign in to the PeopleSoft Consol `http://{your-peoplesoft-fqdn}:8000/psp/ps/?cmd=start` using Admin credentials, for example, PS/PS.

+ 

+2. Add a default public access user to PeopleSoft.

+3. From the main menu, navigate to **PeopleTools > Security > User Profiles > User Profiles > Add a New Value**.

+4. Select **Add a new value**.

+5. Create user **PSPUBUSER**.

+6. Enter the password.

+ 

+7. Select the **ID** tab.

+8. For **ID Type**, select **None**.

+ 

+3. Navigate to **PeopleTools > Web Profile > Web Profile Configuration > Search > PROD > Security**.

+4. Under **Public Users**, select the **Allow Public Access** box.

+5. For **User ID**, enter **PSPUBUSER**.

+6. Enter the password.

+ 

+7. Select **Save**.

+8. To enable SSO, navigate to **PeopleTools > Security > Security Objects > Signon PeopleCode**.

+9. Select the **Sign on PeopleCode** page.

+10. Enable **OAMSSO_AUTHENTICATION**.

+11. Select **Save**.

+12. To configure PeopleCode using the PeopleTools application designer, navigate to **File > Open > Definition: Record > Name: `FUNCLIB_LDAP`**.

+13. Open **FUNCLIB_LDAP**.

+ 

+14. Select the record.

+15. Select **LDAPAUTH > View PeopleCode**.

+16. Search for the `getWWWAuthConfig()` function `Change &defaultUserId = ""; to &defaultUserId = PSPUBUSER`.

+17. Confirm the user Header is `PS_SSO_UID` for `OAMSSO_AUTHENTICATION` function.

+18. Save the record definition.

+ 

+To test an Oracle PeopleSoft application, validate application headers, policy, and overall testing. If needed, use header and policy simulation to validate header fields and policy execution.

+- Video: [Enable SSO and MFA for Oracle JD Edwards with Azure AD via Datawiza](https://www.youtube.com/watch?v=_gUGWHT5m90)

+- [Tutorial: Configure Secure Hybrid Access with Azure AD and Datawiza](./datawiza-with-azure-ad.md)

+- [Tutorial: Configure Azure AD B2C with Datawiza to provide secure hybrid access](../../active-directory-b2c/partner-datawiza.md)

+- Go to docs.datawiza.com for Datawiza [User Guides](https://docs.datawiza.com/)

+- Cross-tenant synchronization is supported within the commercial cloud. It is not supported within Azure Government or Azure China.

+### Microsoft Graph PowerShell

+Use the [New-MgDirectoryAdministrativeUnit](/powershell/module/microsoft.graph.identity.directorymanagement/new-mgdirectoryadministrativeunit) command to create a new administrative unit.

+```powershell

+Import-Module Microsoft.Graph.Identity.DirectoryManagement

+$params = @{

+ DisplayName = "Seattle District Technical Schools"

+ Description = "Seattle district technical schools administration"

+ Visibility = "HiddenMembership"

+}

+New-MgDirectoryAdministrativeUnit -BodyParameter $params

+```

+> | microsoft.directory/applicationPolicies/allProperties/read | Read all properties (including privileged properties) on application policies |

+> | microsoft.directory/applicationPolicies/allProperties/update | Update all properties (including privileged properties) on application policies |

+> | microsoft.directory/applicationPolicies/createAsOwner | Create application policies, and creator is added as the first owner |

+> | microsoft.directory/servicePrincipals/allProperties/read | Read all properties (including privileged properties) on servicePrincipals |

+> | microsoft.directory/servicePrincipals/allProperties/update | Update all properties (including privileged properties) on servicePrincipals |

+> | microsoft.directory/servicePrincipals/createAsOwner | Create service principals, with creator as the first owner |

+> | microsoft.directory/servicePrincipals/credentials/update | Update credentials of service principals |

+> | microsoft.directory/servicePrincipals/owners/read | Read owners of service principals |

+> | microsoft.directory/servicePrincipals/owners/update | Update owners of service principals |

+> | microsoft.directory/servicePrincipals/policies/read | Read policies of service principals |

+> | microsoft.directory/servicePrincipals/policies/update | Update policies of service principals |

+> | microsoft.directory/servicePrincipals/standard/read | Read basic properties of service principals |

+> | microsoft.directory/servicePrincipals/tag/update | Update the tag property for service principals |

+> | microsoft.directory/auditLogs/allProperties/read | Read all properties on audit logs, including privileged properties |

+> | microsoft.directory/signInReports/allProperties/read | Read all properties on sign-in reports, including privileged properties |

+> | microsoft.directory/applications/applicationProxy/read | Read all application proxy properties |

+> | microsoft.directory/applications/applicationProxy/update | Update all application proxy properties |

+> | microsoft.directory/applications/applicationProxyAuthentication/update | Update authentication on all types of applications |

+> | microsoft.directory/applications/applicationProxyUrlSettings/update | Update URL settings for application proxy |

+> | microsoft.directory/applications/applicationProxySslCertificate/update | Update SSL certificate settings for application proxy |

+> | microsoft.directory/servicePrincipals/synchronizationJobs/manage | Start, restart, and pause application provisioning syncronization jobs |

+> | microsoft.directory/servicePrincipals/synchronization/standard/read | Read provisioning settings associated with the application object |

+> | microsoft.directory/servicePrincipals/synchronizationSchema/manage | Create and manage application provisioning syncronization jobs and schema |

+ a. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:

+ b. In the **Reply URL (Assertion Consumer Service URL)** text box, type a URL using the following pattern:

+ `https://<companyname>.saas.appdynamics.com/controller/saml-auth?accountName=<companyname>`

+ c. In the **Sign on URL** text box, type a URL using the following pattern:

+ `https://<companyname>.saas.appdynamics.com/?accountName=<companyname>`

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [AppDynamics Client support team](https://www.appdynamics.com/support/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+Once you configure AppDynamics you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about Microsoft 365 wizards [here](/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide&preserve-view=true).

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. If you want to set up Atlassian Cloud manually, log in to your Atlassian Cloud company site as an administrator and perform the following steps.

+1. In the **ATLASSIAN Admin** portal, navigate to **Security** > **Identity providers** > **Microsoft Azure AD**.

+ 

+1. Enter the **Directory name** and click **Add** button.

+ 

+1. Select **Set up SAML single sign-on** button to connect your identity provider to Atlassian organization.

+ 

+ b. Copy **Login URL** value from Azure portal, paste it in the **Identity provider SSO URL** textbox in Atlassian.

+ c. Copy **Azure AD Identifier** value from Azure portal, paste it in the **Identity provider Entity ID** textbox in Atlassian.

+ 

+ 

+1. Save the SAML Configuration and click **Next** in Atlassian.

+ a. Copy **Service provider entity URL** value from Atlassian, paste it in the **Identifier (Entity ID)** box in Azure and set it as default.

+ b. Copy **Service provider assertion consumer service URL** value from Atlassian, paste it in the **Reply URL (Assertion Consumer Service URL)** box in Azure and set it as default.

+ c. Click **Next**.

+

+ 

+ 

+1. Click **Stop and save SAML** button.

+

+ 

+Once you configure Atlassian Cloud you can enforce session control, which protects exfiltration and infiltration of your organization's sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

+## Release Notes

+|Plugin Version | Release Notes | Supported JIRA versions |

+|--|-|-|

+| 1.0.20 | Bug Fixes: | Jira Core and Software: |

+| | JIRA SAML SSO add-on redirects to incorrect URL from mobile browser. | 7.0.0 to 9.5.0 |

+| | The mark log section after enabling the JIRA plugin. | |

+| | The last login date for a user doesn't update when user signs in via SSO | |

+| | | |

+| 1.0.19 | New Feature: | Jira Core and Software: |

+| | Application Proxy Support - Checkbox on the configure plugin screen to toggle the App Proxy mode so as to make the Reply URL editable as per the need to point the App Proxy mode so as to make the Reply URL editable as per the need to point it to the proxy server URL | 6.0 to 9.3.1 |

+| | | Jira Service Desk: 3.0.0 to 4.22.1 |

+| | | |

+| 1.0.18 | Bug Fixes: | Jira Core and Software: |

+| | Bug fix for the 405 error upon clicking on the Configure button of the Jira Azure AD SSO Plugin.| 6.0 to 9.1.0. |

+| | JIRA server isn't rendering the "Project Setting Page" correctly. | Jira Service Desk: 3.0.0 to 4.22.1. |

+| | JIRA isn't forcing Azure AD Login. An extra button click was required. | |

+| | We have now resolved the security fix in this version. This will protect you from user impersonation vulnerability.| |

+| | JIRA Service Desk logout issue is resolved. | |

+

+

+

+* Slack supports **SP (service provider)** initiated SSO.

+ c. For **Reply URL**, enter one of the following URL patterns:

+3. If you want to set up Slack manually, in a different web browser window, sign in to your Slack company site as an administrator.

+1. If you wish to configure the application in **SP** initiated mode:

+ In the **Sign on URL (Optional)** text box, type a URL using the following pattern:

+ `https://login.valid8me.com/?idp=https://sts.windows.net/${TenantID}/`

+> [!NOTE]

+> All of the fields shown for each respective schedule type are required.

+Valid values for `weekIndex` are `First`, `Second`, `Third`, `Fourth`, and `Last`.

+* The Azure CLI version 2.28.0 and higher. Run `az --version` to find the version, and run `az upgrade` to upgrade the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].

+* The `aks-preview` extension 0.5.29 or higher.

+## Configure private DNS zone

+The following parameters can be used to configure private DNS zone.

+- **system** - This is the default value. If the `--private-dns-zone` argument is omitted, AKS creates a Private DNS zone in the node resource group.

+- **none** - the default is public DNS. AKS won't create a private DNS zone.

+- **CUSTOM_PRIVATE_DNS_ZONE_RESOURCE_ID**, requires you to create a private DNS zone only in the following format for Azure global cloud: `privatelink.<region>.azmk8s.io` or `<subzone>.privatelink.<region>.azmk8s.io`. You'll need the Resource ID of that private DNS zone going forward. Additionally, you need a user assigned identity or service principal with at least the [Private DNS Zone Contributor][private-dns-zone-contributor-role] and [Network Contributor][network-contributor-role] roles. When deploying using API server VNet integration, a private DNS zone additionally supports the naming format of `private.<region>.azmk8s.io` or `<subzone>.private.<region>.azmk8s.io`.

+ - If the private DNS zone is in a different subscription than the AKS cluster, you need to register the Azure provider **Microsoft.ContainerServices** in both subscriptions.

+### Create a private AKS cluster with private DNS zone

+### Create a private AKS cluster with custom private DNS zone or private DNS subzone

+### Create a private AKS cluster with custom private DNS zone and custom subdomain

+[install-azure-cli]: /cli/azure/install-azure-cli

+[private-dns-zone-contributor-role]: ../role-based-access-control/built-in-roles.md#dns-zone-contributor

+[network-contributor-role]: ../role-based-access-control/built-in-roles.md#network-contributor

+> * Currently, API Management doesn't support TLS 1.3.

+By default, a successful sign-out redirects the client to the URL `/.auth/logout/complete`. You can change the post-sign-out redirect page by adding the `post_logout_redirect_uri` query parameter. For example:

+1. Follow the Google documentation at [Sign In with Google for Web - Setup](https://developers.google.com/identity/gsi/web/guides/get-google-api-clientid) to create a client ID and client secret. There's no need to make any code changes. Just use the following information:

+ls "D:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\.NETFramework"

+ls "D:\Program Files (x86)\Reference Assemblies\Microsoft\Framework"

+This section shows how to connect Java applications deployed on Azure App Service with Azure Monitor Application Insights, NewRelic, and AppDynamics application performance monitoring (APM) platforms.

+ AZURE_WEBAPP_PACKAGE_PATH: 'my-app-path' # set this to the path to your web app project, defaults to the repository root

+ AZURE_WEBAPP_PACKAGE_PATH: 'my-app-path' # set this to the path to your web app project, defaults to the repository root

+> [!NOTE]

+> Swap with preview can't be used when one of the slots has site authentication enabled.

+>

+- [Getting Azure App Service authentication working with .NET Core (3rd party)](https://github.com/kirkone/KK.AspNetCore.EasyAuthAuthentication)

+> [!div class="nextstepaction"]

+> [App Template: ASP.NET Core app with SQL database and App Insights deployed using CI/CD GitHub Actions](https://github.com/Azure-Samples/app-templates-dotnet-azuresql-appservice)

+>

+* Response time

+[Tutorial: Run a load test to identify performance bottlenecks in a web app](../load-testing/tutorial-identify-bottlenecks-azure-portal.md)

+ 1. Select **Go**.

+ 1. Select **Go**.

+## Version 1.3.0

+This release contains new features, security vulnerability fixes, and updates to code samples.

+#### New Features

+* Added the capability for the Immersive Reader iframe to request microphone permissions for Reading Coach

+#### Improvements

+* Update code samples to use v1.3.0

+* Update code samples to demonstrate the usage of latest options from v1.2.0

+## Version 1.26 - January 2023

+## Version 1.25 - January 2023

+- [Can I have AOF persistence enabled if I have more than one replica?](#can-i-have-aof-persistence-enabled-if-i-have-more-than-one-replica)

+No, you can't use Append-only File (AOF) persistence with multiple replicas (more than one replica).

+- [Add replicas to Azure Cache for Redis](cache-how-to-multi-replicas.md)

+ > [!NOTE]

+ > Zone redundancy doesn't support Append-only File (AOF) persistence with multiple replicas (more than one replica).

+ > Zone redundancy doesn't work with geo-replication currently.

+ >

+No, updating an existing Premium cache to use zone redundancy isn't supported currently.

+When your cache uses zone redundancy configured with multiple Availability Zones, data is replicated from the primary cache node in one zone to the other node(s) in another zone(s). The data transfer charge is the network egress cost of data moving across the selected Availability Zones. For more information, see [Bandwidth Pricing Details](https://azure.microsoft.com/pricing/details/bandwidth/).

+ Title: How to create Azure Maps applications using the Java REST SDK (preview)

+description: How to develop applications that incorporate Azure Maps using the Java REST SDK Developers Guide.

+# Java REST SDK Developers Guide (preview)

+The Azure Maps Java SDK can be integrated with Java applications and libraries to build maps-related and location-aware applications. The Azure Maps Java SDK contains APIs for Search, Route, Render, Elevation, Geolocation, Traffic, Timezone, and Weather. These APIs support operations such as searching for an address, routing between different coordinates, obtaining the geo-location of a specific IP address etc.

+> [!NOTE]

+> Azure Maps Java SDK is baselined on Java 8, with testing and forward support up until the latest Java long-term support release (currently Java 18). For the list of Java versions for download, see [Java Standard Versions].

+## Prerequisites

+- [Azure Maps account].

+- [Subscription key] or other form of [authentication].

+- [Java Version 8] or above  

+- Maven (any version). For more information, see [Get started with Azure SDK and Apache Maven][maven].

+> [!TIP]

+> You can create an Azure Maps account programmatically, Here's an example using the Azure CLI:

+>

+> ```azurecli

+> az maps account create --kind "Gen2" --account-name "myMapAccountName" --resource-group "<resource group>" --sku "G2"

+> ```

+## Create a Maven project

+The following PowerShell code snippet demonstrates how to use PowerShell to create a maven project. First we'll run maven command to create maven project:

+```powershell

+mvn archetype:generate "-DgroupId=groupId" "-DartifactId=DemoProject" "-DarchetypeArtifactId=maven-archetype-quickstart" "-DarchetypeVersion=1.4" "-DinteractiveMode=false" 

+```

+| Parameter | Description |

+|-|--|

+| `-DGroupId` | Group ID uniquely identifies your project across all projects|

+| `-DartifactId` | Project name. It will be created as a new folder. |

+| `-DarchetypeArtifactId` | project type. `maven-archetype-quickstart` results in a sample project. |

+| `-DinteractiveMode` | Setting to `false` results in a blank Java project with default options. |

+### Install the packages

+To use the Azure Maps Java SDK, you will need to install all required packages. Each service in Azure Maps is available in its own package. Services include Search, Render, Traffic, Weather, etc. You only need to install the packages for the service or services you will be using in your project.

+After creating the maven project, there should be a `pom.xml` file with basic information such as group ID, name, artifact ID. This is where you will add a dependency for each of the Azure Maps services, as shown below:

+```xml

+<dependency> 

+  <groupId>com.azure</groupId> 

+  <artifactId>azure-maps-search</artifactId> 

+  <version>1.0.0-beta.1</version> 

+</dependency> 

+<dependency> 

+  <groupId>com.azure</groupId> 

+  <artifactId>azure-maps-route</artifactId> 

+  <version>1.0.0-beta.1</version> 

+</dependency> 

+<dependency> 

+  <groupId>com.azure</groupId> 

+  <artifactId>azure-maps-render</artifactId> 

+  <version>1.0.0-beta.1</version> 

+</dependency> 

+<dependency> 

+  <groupId>com.azure</groupId> 

+  <artifactId>azure-maps-traffic</artifactId> 

+  <version>1.0.0-beta.1</version> 

+</dependency> 

+<dependency> 

+  <groupId>com.azure</groupId> 

+  <artifactId>azure-maps-weather</artifactId> 

+  <version>1.0.0-beta.1</version> 

+</dependency> 

+<dependency> 

+  <groupId>com.azure</groupId> 

+  <artifactId>azure-maps-timezone</artifactId> 

+  <version>1.0.0-beta.1</version> 

+</dependency> 

+<dependency> 

+  <groupId>com.azure</groupId> 

+  <artifactId>azure-maps-elevation</artifactId> 

+  <version>1.0.0-beta.1</version> 

+</dependency> 

+```

+Run `mvn clean install` on your project, then create a java file named `demo.java` and import what you need from Azure maps into the file:

+```powershell

+cd DemoProject

+New-Item demo.java

+```

+> [!TIP]

+> If running `mvn clean install` results in an error, try running `mvn clean install -U`.

+### Azure Maps services

+| Service Name  | Maven package  | Samples  |

+||-|--|

+| [Search][java search readme] | [azure-maps-search][java search package] | [search samples][java search sample] |

+| [Routing][java routing readme] | [azure-maps-routing][java routing package] | [routing samples][java routing sample] |

+| [Rendering][java rendering readme]| [azure-maps-rendering][java rendering package]|[rendering sample][java rendering sample] |

+| [Geolocation][java geolocation readme]|[azure-maps-geolocation][java geolocation package]|[geolocation sample][java geolocation sample] |

+| [Timezone][java timezone readme] | [azure-maps-timezone][java timezone package] | [timezone samples][java timezone sample] |

+| [Elevation][java elevation readme] | [azure-maps-elevation][java elevation package] | [elevation samples][java elevation sample] |

+## Create and authenticate a MapsSearchClient

+The client object used to access the Azure Maps Search APIs require either an `AzureKeyCredential` object to authenticate when using an Azure Maps subscription key or a TokenCredential object with the Azure Maps client ID when authenticating using Azure Active Directory (Azure AD). For more information on authentication, see [Authentication with Azure Maps][authentication].

+### Using an Azure AD credential

+You can authenticate with Azure AD using the [Azure Identity library][Identity library]. To use the [DefaultAzureCredential] provider, you'll need to add the mvn dependency in the `pom.xml` file:

+```xml

+<dependency>

+  <groupId>com.azure</groupId>

+  <artifactId>azure-identity</artifactId>

+</dependency>

+```

+You'll need to register the new Azure AD application and grant access to Azure Maps by assigning the required role to your service principal. For more information, see [Host a daemon on non-Azure resources][Host daemon]. During this process you'll get an Application (client) ID, a Directory (tenant) ID, and a client secret. Copy these values and store them in a secure place. You'll need them in the following steps.

+Set the values of the Application (client) ID, Directory (tenant) ID, and client secret of your Azure AD application, and the map resource's client ID as environment variables:

+| Environment Variable | Description |

+|-||

+| AZURE_CLIENT_ID | Application (client) ID in your registered application |

+| AZURE_CLIENT_SECRET | The value of the client secret in your registered application |

+| AZURE_TENANT_ID | Directory (tenant) ID in your registered application |

+| MAPS_CLIENT_ID | The client ID in your Azure Map account |

+Now you can create environment variables in PowerShell to store these values:

+```powershell

+$Env:AZURE_CLIENT_ID="<client-id>"

+A$Env:AZURE_CLIENT_SECRET="<client-secret>"

+$Env:AZURE_TENANT_ID="<tenant-id>"

+$Env:MAPS_CLIENT_ID="<maps-client-id>"

+```

+After setting up the environment variables, you can use them in your program to instantiate the `AzureMapsSearch` client:

+```java

+import com.azure.identity.DefaultAzureCredential;

+import com.azure.identity.DefaultAzureCredentialBuilder;

+import com.azure.maps.search.MapsSearchClient;

+import com.azure.maps.search.MapsSearchClientBuilder;

+public class Demo {

+ public static void main( String[] args) {

+ MapsSearchClientBuilder builder = new MapsSearchClientBuilder();

+ DefaultAzureCredential tokenCredential = new DefaultAzureCredentialBuilder().build();

+ builder.credential(tokenCredential);

+ builder.mapsClientId(System.getenv("MAPS_CLIENT_ID"));

+ MapsSearchClient client = builder.buildClient();

+ }

+}

+```

+> [!IMPORTANT]

+> The other environment variables created above, while not used in the code sample here, are required by `DefaultAzureCredential()`. If you do not set these environment variables correctly, using the same naming conventions, you will get run-time errors. For example, if your `AZURE_CLIENT_ID` is missing or invalid you will get an `InvalidAuthenticationTokenTenant` error.

+### Using a subscription key credential

+You can authenticate with your Azure Maps subscription key. Your subscription key can be found in the **Authentication** section in the Azure Maps account as shown in the following screenshot:

+Now you can create environment variables in PowerShell to store the subscription key: 

+```powershell

+$Env:SUBSCRIPTION_KEY="<subscription-key>"

+```

+Once your environment variable is created, you can access it in your code:

+```java

+import com.azure.core.credential.AzureKeyCredential;

+import com.azure.maps.search.MapsSearchClient;

+import com.azure.maps.search.MapsSearchClientBuilder;

+public class Demo {

+ public static void main( String[] args) {

+ // Use Azure Maps subscription key authentication

+ MapsSearchClientBuilder builder = new MapsSearchClientBuilder();

+ AzureKeyCredential keyCredential = new AzureKeyCredential(System.getenv("SUBSCRIPTION_KEY"));

+ builder.credential(keyCredential);

+ MapsSearchClient client = builder.buildClient();

+ }

+}

+```

+## Fuzzy search an entity

+The following code snippet demonstrates how, in a simple console application, to import the `azure-maps-search` package and perform a fuzzy search on "Starbucks" near Seattle:

+```java

+import java.io.IOException;

+import com.azure.core.credential.AzureKeyCredential;

+import com.azure.core.models.GeoPosition;

+// Enable the 2 imports below if you want to use AAD authentication 

+// import com.azure.identity.DefaultAzureCredential;

+// import com.azure.identity.DefaultAzureCredentialBuilder;

+import com.azure.maps.search.MapsSearchClient;

+import com.azure.maps.search.MapsSearchClientBuilder;

+import com.azure.maps.search.models.FuzzySearchOptions;

+import com.azure.maps.search.models.SearchAddressResult;

+import com.azure.maps.search.models.SearchAddressResultItem;

+public class Demo {

+ public static void main( String[] args) throws IOException {

+ MapsSearchClientBuilder builder = new MapsSearchClientBuilder();

+

+ // Instantiate with key credential. Get SUBSCRIPTION_KEY from environment variable: 

+ AzureKeyCredential keyCredential = new AzureKeyCredential(System.getenv("SUBSCRIPTION_KEY"));

+ builder.credential(keyCredential);

+

+ // Or you can also instantiate with token credential: 

+ // DefaultAzureCredential tokenCredential = new DefaultAzureCredentialBuilder().build();

+ // builder.credential(tokenCredential);

+ // builder.mapsClientId(System.getenv("MAPS_CLIENT_ID"));

+ MapsSearchClient client = builder.buildClient();

+

+ // Fuzzy search with options: 

+ SearchAddressResult results = client.fuzzySearch(new FuzzySearchOptions("starbucks", new GeoPosition(-122.34255, 47.61010)));

+

+ // Print the search results:

+ for (SearchAddressResultItem item : results.getResults()) {

+         MapsSearchAddress address = item.getAddress();

+         GeoPosition coordinate = item.getPosition();

+         System.out.format(

+             "* %s, %s\\n" +

+             "  %s %s %s\\n" +

+             "  Coordinate: (%.4f, %.4f)\\n",

+             address.getStreetNumber(), address.getStreetName(),

+             address.getMunicipality(), address.getCountryCode(), address.getPostalCode(),

+             coordinate.getLatitude(), coordinate.getLongitude());

+ }

+ }

+}

+```

+This code snippet demonstrates how to create a `MapsSearchClient` object using Azure credentials. Start by instantiating `AzureKeyCredential` using your Azure Maps subscription key, then passes the credentials to instantiate `MapsSearchClient`. `MapsSearchClient` methods such as `FuzzySearch` can use the point of interest (POI) name "Starbucks" and coordinates GeoPosition(-122.31, 47.61).

+Execute the program from the project folder in the command line:

+```powershell

+java .\demo.java

+```

+You should see a list of Starbucks address and coordinate results:

+```text

+* 1912, Pike Place

+  Seattle US 98101

+  Coordinate: (47.6102, -122.3425)

+* 2118, Westlake Avenue

+  Seattle US 98121

+  Coordinate: (47.6173, -122.3378)

+* 2601, Elliott Avenue

+  Seattle US 98121

+  Coordinate: (47.6143, -122.3526)

+* 1730, Howell Street

+  Seattle US 98101

+  Coordinate: (47.6172, -122.3298)

+* 220, 1st Avenue South

+  Seattle US 98104

+  Coordinate: (47.6003, -122.3338)

+* 400, Occidental Avenue South

+  Seattle US 98104

+  Coordinate: (47.5991, -122.3328)

+* 1600, East Olive Way

+  Seattle US 98102

+  Coordinate: (47.6195, -122.3251)

+* 500, Mercer Street

+  Seattle US 98109

+  Coordinate: (47.6250, -122.3469)

+* 505, 5Th Ave S

+  Seattle US 98104

+  Coordinate: (47.5977, -122.3285)

+* 425, Queen Anne Avenue North

+  Seattle US 98109

+  Coordinate: (47.6230, -122.3571)

+```

+## Search an address

+Call the `SearchAddress` method to get the coordinate of an address. Modify the Main program from the sample as follows:

+```java

+import java.io.IOException;

+import com.azure.core.credential.AzureKeyCredential;

+import com.azure.core.models.GeoPosition;

+// Enable the 2 imports below if you want to use AAD authentication 

+// import com.azure.identity.DefaultAzureCredential;

+// import com.azure.identity.DefaultAzureCredentialBuilder;

+import com.azure.maps.search.MapsSearchClient;

+import com.azure.maps.search.MapsSearchClientBuilder;

+import com.azure.maps.search.models.SearchAddressOptions;

+import com.azure.maps.search.models.SearchAddressResult;

+import com.azure.maps.search.models.SearchAddressResultItem;

+public class Demo {

+ public static void main( String[] args) throws IOException {

+ MapsSearchClientBuilder builder = new MapsSearchClientBuilder();

+

+ // Instantiate with key credential: 

+ AzureKeyCredential keyCredential = new  

+ AzureKeyCredential(System.getenv("SUBSCRIPTION_KEY"));

+ builder.credential(keyCredential);

+

+ // Or you can also instantiate with token credential: 

+ // DefaultAzureCredential tokenCredential = new DefaultAzureCredentialBuilder().build();

+ // builder.credential(tokenCredential);

+ // builder.mapsClientId(System.getenv("MAPS_CLIENT_ID"));

+

+ MapsSearchClient client = builder.buildClient();

+ client.searchAddress(new SearchAddressOptions("15127 NE 24th Street, Redmond, WA 98052"));

+

+ // Search address with options and return top 5 results: 

+ SearchAddressResult results = client.searchAddress(new SearchAddressOptions("1  

+ Main Street").setCoordinates(new GeoPosition(-74.011454,  

+ 40.706270)).setRadiusInMeters(40000).setTop(5));

+

+ // Print results: 

+ if (results.getResults().size() > 0) {

+ SearchAddressResultItem item = results.getResults().get(0);

+ System.out.format("The coordinates is (%.4f, %.4f)", 

+     item.getPosition().getLatitude(), item.getPosition().getLongitude());

+ }

+ }

+}

+```

+In this sample, the `client.SearchAddress` method returns results ordered by confidence score and prints the coordinates of the first result.

+## Batch reverse search

+Azure Maps Search also provides some batch query methods. These methods will return Long Running Operations (LRO) objects. The requests might not return all the results immediately, so users can choose to wait until completion or query the result periodically as demonstrated in the batch reverse search method:

+```java

+import java.util.ArrayList;

+import java.util.List;

+import com.azure.core.credential.AzureKeyCredential;

+import com.azure.core.models.GeoPosition;

+// Enable the 2 imports below if you want to use AAD authentication

+// import com.azure.identity.DefaultAzureCredential;

+// import com.azure.identity.DefaultAzureCredentialBuilder;

+import com.azure.maps.search.MapsSearchClient;

+import com.azure.maps.search.MapsSearchClientBuilder;

+import com.azure.maps.search.models.BatchReverseSearchResult;

+import com.azure.maps.search.models.ReverseSearchAddressBatchItem;

+import com.azure.maps.search.models.ReverseSearchAddressOptions;

+import com.azure.maps.search.models.ReverseSearchAddressResultItem;

+public class Demo{

+ public static void main( String[] args) throws IOException {

+ MapsSearchClientBuilder builder = new MapsSearchClientBuilder();

+

+ // Instantiate with key credential:

+ AzureKeyCredential keyCredential = new 

+ AzureKeyCredential(System.getenv("SUBSCRIPTION_KEY"));

+ builder.credential(keyCredential);

+

+ // Or you can also instantiate with token credential: 

+ // DefaultAzureCredential tokenCredential = new DefaultAzureCredentialBuilder().build();

+ // builder.credential(tokenCredential);

+ // builder.mapsClientId(System.getenv("MAPS_CLIENT_ID"));

+

+ MapsSearchClient client = builder.buildClient();

+ List<ReverseSearchAddressOptions> reverseOptionsList = new ArrayList<>();

+ reverseOptionsList.add(new ReverseSearchAddressOptions(new GeoPosition(2.294911, 48.858561)));

+ reverseOptionsList.add(new ReverseSearchAddressOptions(new GeoPosition(-122.34255, 47.61010)));

+ reverseOptionsList.add(new ReverseSearchAddressOptions(new GeoPosition(-122.33817, 47.61559)).setRadiusInMeters(5000));

+ BatchReverseSearchResult batchReverseSearchResult = 

+ client.beginReverseSearchAddressBatch(reverseOptionsList).getFinalResult();

+ for (ReverseSearchAddressBatchItem item : batchReverseSearchResult.getBatchItems()) {

+ ΓÇ» ΓÇ» for (ReverseSearchAddressResultItem result : item.getResult().getAddresses()) {

+ ΓÇ» ΓÇ» ΓÇ» ΓÇ» System.out.println(result.getAddress().getFreeformAddress());

+ ΓÇ» ΓÇ» }

+ }

+ }

+}

+```

+[Azure Maps account]: quick-demo-map-app.md#create-an-azure-maps-account

+[Subscription key]: quick-demo-map-app.md#get-the-primary-key-for-your-account

+[authentication]: azure-maps-authentication.md

+[Java Standard Versions]: https://www.oracle.com/java/technologies/downloads/

+[Java Version 8]: /azure/developer/java/fundamentals/?view=azure-java-stable

+[maven]: /azure/developer/java/sdk/get-started-maven

+[Identity library]: /java/api/overview/azure/identity-readme?source=recommendations&view=azure-java-stable

+[defaultazurecredential]: /azure/developer/java/sdk/identity-azure-hosted-auth#default-azure-credential

+[Host daemon]: /azure/azure-maps/how-to-secure-daemon-app#host-a-daemon-on-non-azure-resources

+<!-- Java SDK Developers Guide >

+[java search package]: https://repo1.maven.org/maven2/com/azure/azure-maps-search

+[java search readme]: https://github.com/Azure/azure-sdk-for-jav

+[java search sample]: https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/maps/azure-maps-search/src/samples/java/com/azure/maps/search/samples

+[java routing package]: https://repo1.maven.org/maven2/com/azure/azure-maps-route

+[java routing readme]: https://github.com/Azure/azure-sdk-for-jav

+[java routing sample]: https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/maps/azure-maps-route/src/samples/java/com/azure/maps/route/samples

+[java rendering package]: https://repo1.maven.org/maven2/com/azure/azure-maps-render

+[java rendering readme]: https://github.com/Azure/azure-sdk-for-jav

+[java rendering sample]: https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/maps/azure-maps-render/src/samples/java/com/azure/maps/render/samples

+[java geolocation package]: https://repo1.maven.org/maven2/com/azure/azure-maps-geolocation

+[java geolocation readme]: https://github.com/Azure/azure-sdk-for-jav

+[java geolocation sample]: https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/maps/azure-maps-geolocation/src/samples/java/com/azure/maps/geolocation/samples

+[java timezone package]: https://repo1.maven.org/maven2/com/azure/azure-maps-timezone

+[java timezone readme]: https://github.com/Azure/azure-sdk-for-jav

+[java timezone sample]: https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/maps/azure-maps-timezone/src/samples/java/com/azure/maps/timezone/samples

+[java elevation package]: https://repo1.maven.org/maven2/com/azure/azure-maps-elevation

+[java elevation readme]: https://github.com/Azure/azure-sdk-for-jav

+[java elevation sample]: https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/maps/azure-maps-elevation/src/samples/java/com/azure/maps/elevation/samples

+| [Render][js render readme] | [@azure-rest/maps-render][js render package]|[render sample][js render sample] |

+| [Geolocation][js geolocation readme]|[@azure-rest/maps-geolocation][js geolocation package]|[geolocation sample][js geolocation sample] |

+[js route sample]: https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/maps/maps-route-rest/samples/v1-beta

+[js render readme]: https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/maps/maps-render-rest/README.md

+[js render package]: https://www.npmjs.com/package/@azure-rest/maps-render

+[js render sample]: https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/maps/maps-render-rest/samples/v1-beta

+[js geolocation readme]: https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/maps/maps-geolocation-rest/README.md

+[js geolocation package]: https://www.npmjs.com/package/@azure-rest/maps-geolocation

+[js geolocation sample]: https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/maps/maps-geolocation-rest/samples/v1-beta

+| [Render][js render readme] | [@azure-rest/maps-render][js render package]|[render sample][js render sample] |

+| [Geolocation][js geolocation readme]|[@azure-rest/maps-geolocation][js geolocation package]|[geolocation sample][js geolocation sample] |

+| [Timezone][java timezone readme] | [azure-maps-timezone][java timezone package] | [timezone samples][java timezone sample] |

+| [Elevation][java elevation readme] | [azure-maps-elevation][java elevation package] | [elevation samples][java elevation sample] |

+For more information, see the [Java SDK Developers Guide](how-to-dev-guide-java-sdk.md).

+[js render readme]: https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/maps/maps-render-rest/README.md

+[js render package]: https://www.npmjs.com/package/@azure-rest/maps-render

+[js render sample]: https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/maps/maps-render-rest/samples/v1-beta

+[js Geolocation readme]: https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/maps/maps-geolocation-rest/README.md

+[js Geolocation package]: https://www.npmjs.com/package/@azure-rest/maps-geolocation

+[js Geolocation sample]: https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/maps/maps-geolocation-rest/samples/v1-beta

+When you useΓÇ»[Azure Maps Services](index.yml), the API requests you make generate transactions. Your transaction usage is available for review in yourΓÇ»[Azure portal]( https://portal.azure.com) Metrics report. For more information, see [View Azure Maps API usage metrics](how-to-view-api-usage.md). These transactions can be either billable or non-billable usage, depending on the service and the feature. ItΓÇÖs important to understand which usage generates a billable transaction and how itΓÇÖs calculated so you can plan and budget for the costs associated with using Azure Maps. Billable transactions will show up in your Cost Analysis report within the Azure portal.

+The following table summarizes the Azure Maps services that generate transactions, billable and non-billable, along with any notable aspects that are helpful to understand in how the number of transactions are calculated.

+| [Data v1](/rest/api/maps/data)<br>[Data v2](/rest/api/maps/data-v2) | Yes, except for MapDataStorageService.GetDataStatus and MapDataStorageService.GetUserData, which are non-billable| One request = 1 transaction| <ul><li>Location Insights Data (Gen2 pricing)</li></ul>|

+| [Render v1](/rest/api/maps/render)<br>[Render v2](/rest/api/maps/render-v2) | Yes, except for Terra maps (MapTile.GetTerraTile and layer=terra) which are non-billable.|<ul><li>15 tiles = 1 transaction, except microsoft.dem is one tile = 50 transactions</li><li>One request for Get Copyright = 1 transaction</li><li>One request for Get Map Attribution = 1 transaction</li><li>One request for Get Static Map = 1 transaction</li><li>One request for Get Map Tileset = 1 transaction</li></ul> <br> For Creator related usage, see the [Creator table](#azure-maps-creator). |<ul><li>Maps Base Map Tiles (Gen2 pricing)</li><li>Maps Imagery Tiles (Gen2 pricing)</li><li>Maps Static Map Images (Gen2 pricing)</li><li>Maps Traffic Tiles (Gen2 pricing)</li><li>Maps Weather Tiles (Gen2 pricing)</li><li>Standard Hybrid Aerial Imagery Transactions (Gen1 S0 pricing)</li><li>Standard Aerial Imagery Transactions (Gen1 S0 pricing)</li><li>Standard S1 Aerial Imagery Transactions (Gen1 S1 pricing)</li><li>Standard S1 Hybrid Aerial Imagery Transactions (Gen1 S1 pricing)</li><li>Standard S1 Rendering Transactions (Gen1 S1 pricing)</li><li>Standard S1 Tile Transactions (Gen1 S1 pricing)</li><li>Standard S1 Weather Tile Transactions (Gen1 S1 pricing)</li><li>Standard Tile Transactions (Gen1 S0 pricing)</li><li>Standard Weather Tile Transactions (Gen1 S0 pricing)</li><li>Maps Copyright (Gen2 pricing, Gen1 S0 pricing and Gen1 S1 pricing)</li></ul>|

+| [Route](/rest/api/maps/route) | Yes | One request = 1 transaction<br><ul><li>If using the Route Matrix, each cell in the Route Matrix request generates a billable Route transaction.</li><li>If using Batch Directions, each origin/destination coordinate pair in the Batch request call generates a billable Route transaction. Note, the billable Route transaction usage results generated by the batch request will have **-Batch** appended to the API name of your Azure portal metrics report.</li></ul> | <ul><li>Location Insights Routing (Gen2 pricing)</li><li>Standard S1 Routing Transactions (Gen1 S1 pricing)</li><li>Standard Services API Transactions (Gen1 S0 pricing)</li></ul> |

+| [Search v1](/rest/api/maps/search)<br>[Search v2](/rest/api/maps/search-v2) | Yes | One request = 1 transaction.<br><ul><li>If using Batch Search, each location in the Batch request generates a billable Search transaction. Note, the billable Search transaction usage results generated by the batch request will have **-Batch** appended to the API name of your Azure portal metrics report.</li></ul> | <ul><li>Location Insights Search</li><li>Standard S1 Search Transactions (Gen1 S1 pricing)</li><li>Standard Services API Transactions (Gen1 S0 pricing)</li></ul> |

+| [Spatial](/rest/api/maps/spatial) | Yes, except for `Spatial.GetBoundingBox`, `Spatial.PostBoundingBox` and `Spatial.PostPointInPolygonBatch`, which are non-billable.| One request = 1 transaction.<br><ul><li>If using Geofence, five requests = 1 transaction</li></ul> | <ul><li>Location Insights Spatial Calculations (Gen2 pricing)</li><li>Standard S1 Spatial Transactions (Gen1 S1 pricing)</li></ul> |

+| [Conversion](/rest/api/maps/v2/conversion) | Part of a provisioned Creator resource and not transactions based.| Not transaction-based | Map Provisioning (Gen2 pricing) |

+| [Dataset](/rest/api/maps/v2/dataset) | Part of a provisioned Creator resource and not transactions based.| Not transaction-based | Map Provisioning (Gen2 pricing)|

+| [Tileset](/rest/api/maps/v2/tileset) | Part of a provisioned Creator resource and not transactions based.| Not transaction-based | Map Provisioning    (Gen2 pricing) |

+| [SQL Best Practices Assessment](/sql/sql-server/azure-arc/assess/) | Generally available | | [Configure best practices assessment using Azure Monitor Agent](/sql/sql-server/azure-arc/assess#enable-best-practices-assessment) |

+| | SQL Best Practices Assessment | X | | |

+> If you're using an older version of TLS, Application Insights will not ingest any telemetry. For applications based on .NET Framework see [Transport Layer Security (TLS) best practices with the .NET Framework](/dotnet/framework/network-programming/tls) to support the newer TLS version.

+To manually configure Live Metrics:

+Live Metrics custom filters allow you to control which of your application's telemetry is streamed to the Live Metrics view in the Azure portal. The filters criteria are sent to the apps that are instrumented with the Application Insights SDK. The filter value could potentially contain sensitive information, such as the customer ID. To keep this value secured and prevent potential disclosure to unauthorized applications, you have two options:

+- PerfCounters are supported when the app is running on *any* Windows machine for apps that target .NET Core [LTS](https://dotnet.microsoft.com/platform/support/policy/dotnet-core) or higher.

+When navigating to Live Metrics, you may see a banner with the status message: "Data is temporarily inaccessible. The updates on our status are posted here https://aka.ms/aistatus"

+### Unexpected large number of requests to livediagnostics.monitor.azure.com

+Heavier traffic is expected while the LiveMetrics pane is open. Navigate away from the LiveMetrics pane to restore normal traffic flow of traffic.

+Application Insights SDKs poll QuickPulse endpoints with REST API calls once every five seconds to check if the LiveMetrics pane is being viewed.

+The SDKs will send new metrics to QuickPulse every one second while the LiveMetrics pane is open.

+### Notification experience

+The [Azure Video Indexer website](https://www.videoindexer.ai/) now has a notification panel where you can stay informed of important product updates, such as service impacting events, new releases, and more.

+**Textual logo detection** enables you to customize text logos to be detected within videos. For more information, see [Detect textual logo](detect-textual-logo.md).

+### Switching directories

+You can now switch Azure AD directories and manage Azure Video Indexer accounts across tenants using the [Azure Video Indexer website](https://www.videoindexer.ai/).

+When working with multiple tenants/directories in the Azure environment user might need to switch between the different directories.

+When logging in the Azure Video Indexer website, a default directory will load and the relevant accounts and list them in the **Account list**.

+> [!Note]

+> Trial accounts and Classic accounts are global and not tenant-specific. Hence, the tenant switching described in this article only applies to your ARM accounts.

+>

+> The option to switch directories is available only for users using Azure Active Directory (Azure AD) to log in.

+This article shows two options to solve the same problem - how to switch tenants:

+- When starting from within the Azure Video Indexer website.

+- When starting from outside of the Azure Video Indexer website.

+## Switch tenants from within the Azure Video Indexer website

+1. To switch between directories in the [Azure Video Indexer](https://www.videoindexer.ai/), open the **User menu** > select **Switch directory**.

+ > [!div class="mx-imgBorder"]

+ > 

+ Here user can view all detected directories listed. The current directory will be marked, once a different directory is selected the **Switch directory** button will be available.

+ > [!div class="mx-imgBorder"]

+ > 

+ Once clicked, the logged-in credentials will be used to relog-in to the Azure Video Indexer website with the new directory.

+## Switch tenants from outside the Azure Video Indexer website

+This section shows how to get the domain name from the Azure portal. You can then sign in with it into th the [Azure Video Indexer](https://www.videoindexer.ai/) website.

+### Get the domain name

+### Sign in with the correct domain name on the AVI website

+1. Enter the domain name you copied in the [Get the domain name from the Azure portal](#get-the-domain-name) section.

+|`widgets` | Strings separated by comma | Allows you to control the insights that you want to render.<br/>Example: `https://www.videoindexer.ai/embed/insights/<accountId>/<videoId>/?widgets=people,keywords` renders only people and keywords UI insights.<br/>Available options: `people`, `animatedCharacters`, `keywords`, `audioEffects`, `labels`, `sentiments`, `emotions`, `topics`, `keyframes`, `transcript`, `ocr`, `speakers`, `scenes`, `spokenLanguage`, `observedPeople`, `namedEntities`.|

+|`controls`|Strings separated by comma|Allows you to control the controls that you want to render.<br/>Example: `https://www.videoindexer.ai/embed/insights/<accountId>/<videoId>/?controls=search,download` renders only search option and download button.<br/>Available options: `search`, `download`, `presets`, `language`.|

+|`sort` | Strings separated by comma | Allows you to control the sorting of an insight.<br/>Each sort consists of 3 values: widget name, property and order, connected with '_' `sort=name_property_order`<br/>Available options:<br/>widgets: `keywords`, `audioEffects`, `labels`, `sentiments`, `emotions`, `keyframes`, `scenes`, `namedEntities` and `spokenLanguage`.<br/>property: `startTime`, `endTime`, `seenDuration`, `name` and `ID`.<br/>order: asc and desc.<br/>Example: `https://www.videoindexer.ai/embed/insights/<accountId>/<videoId>/?sort=labels_id_asc,keywords_name_desc` renders the labels sorted by ID in ascending order and keywords sorted by name in descending order.|

+The possible values are: `people`, `animatedCharacters` , `keywords`, `labels`, `sentiments`, `emotions`, `topics`, `keyframes`, `transcript`, `ocr`, `speakers`, `scenes`, `namedEntities`, `logos`.

+## Embed and customize Azure Video Indexer widgets in your app using npmjs package

+Using our [@azure/video-analyzer-for-media-widgets](https://www.npmjs.com/package/@azure/video-analyzer-for-media-widgets) package, you can add the insights widgets to your app and customize it according to your needs.

+1. Under **Associated cluster**, in the **Client cluster** field, select one or more clusters to associate the volume as a datastore.

+- **Can a single Azure NetApp Files datastore be added to multiple clusters within the same Azure VMware Solution SDDC?**

+ Yes, you can select multiple datastores at the time of datastore creation. Additional clusters may be added or removed after the initial creation as well.

+The JSON WebSocket subprotocol, `json.reliable.webpubsub.azure.v1`, enables the highly reliable exchange of publish/subscribe messages directly between clients through the service without a round trip to the upstream server.

+This document describes the subprotocol `json.reliable.webpubsub.azure.v1`.

+* recover a connection from intermittent network issues.

+* leave a group using [leave requests](#leave-groups).

+The JSON WebSocket subprotocol, `json.webpubsub.azure.v1`, enables the exchange of publish/subscribe messages between clients through the service without a round trip to the upstream server. A WebSocket connection using the `json.webpubsub.azure.v1` subprotocol is called a *PubSub WebSocket client*.

+A simple WebSocket connection triggers a `message` event when it sends messages and relies on the server-side to process messages and do other operations.

+* route messages to different upstream event handlers using [event requests](#send-custom-events).

+* system - Messages from the Web PubSub service.

+The Web PubSub service sends system-related messages to clients.

+The message sent to the client when the client successfully connects:

+The message sent to the client when the server closes the connection, or when the service declines the client.

+This article describes how to recover data from Azure Backup Server.

+You can use Azure Backup Server to recover the data you've backed-up to a Recovery Services vault. The process for doing so is integrated into the Azure Backup Server management console, and is similar to the recovery workflow for other Azure Backup components.

+## Recover the data

+To recover data from an Azure Backup Server, follow these steps:

+1. On the **Recovery** tab of the Azure Backup Server management console, select **'Add External DPM'** (at the top left of the screen).

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+## Troubleshoot error messages

+| Error Message | Cause | Resolution |

+|: |: |: |

+|This server is not registered to the vault specified by the vault credential. | This error appears when the vault credential file selected doesn't belong to the Recovery Services vault associated with Azure Backup Server on which the recovery is attempted. | Download the vault credential file from the Recovery Services vault to which the Azure Backup Server is registered. |

+|Either the recoverable data isn't available or the selected server isn't a DPM server. | There are no other Azure Backup Servers registered to the Recovery Services vault, or the servers haven't yet uploaded the metadata, or the selected server isn't an Azure Backup Server (using Windows Server or Windows Client). | If there are other Azure Backup Servers registered to the Recovery Services vault, ensure that the latest Azure Backup agent is installed. <br>If there are other Azure Backup Servers registered to the Recovery Services vault, wait for a day after installation to start the recovery process. The nightly job will upload the metadata for all the protected backups to cloud. The data will be available for recovery. |

+|No other DPM server is registered to this vault. | There are no other Azure Backup Servers that are registered to the vault from which the recovery is being attempted. | If there are other Azure Backup Servers registered to the Recovery Services vault, ensure that the latest Azure Backup agent is installed.<br>If there are other Azure Backup Servers registered to the Recovery Services vault, wait for a day after installation to start the recovery process. The nightly job uploads the metadata for all protected backups to cloud. The data will be available for recovery. |

+|The encryption passphrase provided does not match with passphrase associated with the following server: **\<server name>** | The encryption passphrase used in the process of encrypting the data from the Azure Backup ServerΓÇÖs data that's being recovered doesn't match the encryption passphrase provided. The agent is unable to decrypt the data, and so the recovery fails. | Provide the exact same encryption passphrase associated with the Azure Backup Server whose data is being recovered. |

+* [Azure gaming documentation](/gaming/azure/)

+|`/healthstatus`|GET|[HealthStatus_Get](https://eastus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-1/operations/HealthStatus_Get)|[GetHealthStatus](https://eastus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/GetHealthStatus)|

+|`/healthstatus`|GET|[HealthStatus_Get](https://eastus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-1/operations/HealthStatus_Get)|[GetHealthStatus](https://eastus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/GetHealthStatus)|

+> [!NOTE]

+> The `azureClientId` metadata field (the client ID of the managed identity) is **required** for any component authenticating with user-assigned managed identity.

+ - name: azureClientId # Only required for authenticating user-assigned managed identity

+ Title: Mitigate data exfiltration with dedicated data endpoints

+description: Azure Container Registry is introducing dedicated data endpoints available to mitigate data-exfiltration concerns.

+# Azure Container Registry mitigating data exfiltration with dedicated data endpoints

+Azure Container Registry introduces dedicated data endpoints. The feature enables tightly scoped client firewall rules to specific registries, minimizing data exfiltration concerns.

+Dedicated data endpoints feature is available in **Premium** service tier. For pricing information, see [container-registry-pricing.](https://azure.microsoft.com/pricing/details/container-registry/)

+Pulling content from a registry involves two endpoints:

+*Registry endpoint*, often referred to as the login URL, used for authentication and content discovery. A command like docker pulls `contoso.azurecr.io/hello-world` makes a REST request, which authenticates and negotiates the layers, which represent the requested artifact.

+*Data endpoints* serve blobs representing content layers.

+## Registry managed storage accounts

+Azure Container Registry is a multi-tenant service. The registry service manages the data endpoint storage accounts. The benefits of the managed storage accounts, include load balancing, contentious content splitting, multiple copies for higher concurrent content delivery, and multi-region support with [geo-replication.](container-registry-geo-replication.md)

+## Azure Private Link virtual network support

+The [Azure Private Link virtual network support](container-registry-private-link.md) enables the private endpoints for the managed registry service from Azure Virtual Networks. In this case, both the registry and data endpoints are accessible from within the virtual network, using private IPs.

+Once the managed registry service and storage accounts are both secured to access from within the virtual network, then the public endpoints are removed.

+Unfortunately, virtual network connection isnΓÇÖt always an option.

+> [!IMPORTANT]

+>[Azure Private Link](container-registry-private-link.md) is the most secure way to control network access between clients and the registry as network traffic is limited to the Azure Virtual Network, using private IPs. When Private Link isnΓÇÖt an option, dedicated data endpoints can provide secure knowledge in what resources are accessible from each client.

+## Client firewall rules and data exfiltration risks

+Client firewall rules limits access to specific resources. The firewall rules apply while connecting to a registry from on-premises hosts, IoT devices, custom build agents. The rules also apply when the Private Link support isn't an option.

+As customers locked down their client firewall configurations, they realized they must create a rule with a wildcard for all storage accounts, raising concerns for data-exfiltration. A bad actor could deploy code that would be capable of writing to their storage account.

+So, to address the data-exfiltration concerns, Azure Container Registry is making dedicated data endpoints available.

+## Dedicated data endpoints

+Dedicated data endpoints, help retrieve layers from the Azure Container Registry service, with fully qualified domain names representing the registry domain.

+As any registry may become geo-replicated, a regional pattern is used: `[registry].[region].data.azurecr.io`.

+For the Contoso example, multiple regional data endpoints are added supporting the local region with a nearby replica.

+With dedicated data endpoints, the bad actor is blocked from writing to other storage accounts.

+## Enabling dedicated data endpoints

+> [!NOTE]

+> Switching to dedicated data-endpoints will impact clients that have configured firewall access to the existing `*.blob.core.windows.net` endpoints, causing pull failures. To assure clients have consistent access, add the new data-endpoints to the client firewall rules. Once completed, existing registries can enable dedicated data-endpoints through the `az cli`.

+To use the Azure CLI steps in this article, Azure CLI version 2.4.0 or later is required. If you need to install or upgrade, see [Install Azure CLI](/cli/azure/install-azure-cli) or run in [Azure Cloud Shell](../cloud-shell/quickstart.md).

+* Run the [az acr update](/cli/azure/acr#az-acr-update) command to enable dedicated data endpoint.

+```azurecli-interactive

+az acr update --name contoso --data-endpoint-enabled

+```

+* Run the [az acr show](/cli/azure/acr#az-acr-show-endpoints) command to view the data endpoints, including regional endpoints for geo-replicated registries.

+```azurecli-interactive

+az acr show-endpoints --name contoso

+```

+Sample output:

+```json

+{

+ "loginServer": "contoso.azurecr.io",

+ "dataEndpoints": [

+ {

+ "region": "eastus",

+ "endpoint": "contoso.eastus.data.azurecr.io",

+ },

+ {

+ "region": "westus",

+ "endpoint": "contoso.westus.data.azurecr.io",

+ }

+ ]

+}

+

+```

+## Next steps

+* Configure to access an Azure container registry from behind a [firewall rules.](container-registry-firewall-access-rules.md)

+* Connect Azure Container Registry using [Azure Private Link](container-registry-private-link.md)

+ "apiVersion": "2020-11-01",

+ "apiVersion": "2020-11-01",

+ "value": "[reference(resourceId('Microsoft.ContainerRegistry/registries',parameters('acrName')),'2019-12-01').loginServer]",

+description: Learn how to build a Python app to manage Azure Cosmos DB for NoSQL account resources and data.

+> The [example code snippets](https://github.com/azure-samples/cosmos-db-nosql-python-samples) are available on GitHub as a Python project.

+- In a command shell, run `python --version` to check that the version is 3.7 or later.

+This section walks you through creating an Azure Cosmos DB account and setting up a project that uses the Azure Cosmos DB for NoSQL client library for Python to manage resources.

+### Install packages

+Use the `pip install` command to install packages you'll need in the quickstart.

+### [Passwordless (Recommended)](#tab/passwordless)

+Add the [`azure-cosmos`](https://pypi.org/project/azure-cosmos) and [`azure-identity`](https://pypi.org/project/azure-identity) PyPI packages to the Python app.

+```bash

+pip install azure-cosmos

+pip install azure-identity

+```

+### [Connection String](#tab/connection-string)

+Add the [`azure-cosmos`](https://pypi.org/project/azure-cosmos) PyPI package to the Python app.

+The sample code described in this article creates a database named ``cosmicworks`` with a container named ``products``. The ``products`` table is designed to contain product details such as name, category, quantity, and a sale indicator. Each product also contains a unique identifier.

+## [Passwordless (Recommended)](#tab/passwordless)

+#### Authenticate using DefaultAzureCredential

+From the project directory, open the *app.py* file. In your editor, add modules to work with Cosmos DB and authenticate to Azure. You'll authenticate to Cosmos DB for NoSQL using `DefaultAzureCredential` from the [`azure-identity`](https://pypi.org/project/azure-identity/) package. `DefaultAzureCredential` will automatically discover and use the account you signed-in with previously.

+Create an environment variable that specifies your Cosmos DB endpoint.

+Create a new client instance using the [`CosmosClient`](/python/api/azure-cosmos/azure.cosmos.cosmos_client.cosmosclient) class constructor and the `DefaultAzureCredential` object.

+## [Connection String](#tab/connection-string)

+From the project directory, open the *app.py* file. In your editor, import the `os` and `json` modules. Then, import the `CosmosClient` and `PartitionKey` classes from the `azure.cosmos` module.

+Create constants for the `COSMOS_ENDPOINT` and `COSMOS_KEY` environment variables using `os.environ`.

+Create constants for the database and container names.

+Create a new client instance using the [`CosmosClient`](/python/api/azure-cosmos/azure.cosmos.cosmos_client.cosmosclient) class constructor and the two variables you created as parameters.

+## [Passwordless (Recommended)](#tab/passwordless)

+The `Microsoft.Azure.Cosmos` client library enables you to perform *data* operations using [Azure RBAC](../role-based-access-control.md). However, to authenticate *management* operations, such as creating and deleting databases, you must use RBAC through one of the following options:

+> - [Azure CLI scripts](manage-with-cli.md)

+> - [Azure PowerShell scripts](manage-with-powershell.md)

+> - [Azure Resource Manager templates (ARM templates)](manage-with-templates.md)

+> - [Azure Resource Manager .NET client library](https://www.nuget.org/packages/Azure.ResourceManager.CosmosDB/)

+The Azure CLI approach is used in for this quickstart and passwordless access. Use the [`az cosmosdb sql database create`](/cli/azure/cosmosdb/sql/database#az-cosmosdb-sql-database-create) command to create a Cosmos DB for NoSQL database.

+```azurecli

+# Create a SQL API database `

+az cosmosdb sql database create `

+ --account-name <cosmos-db-account-name> `

+ --resource-group <resource-group-name> `

+ --name cosmicworks

+```

+The command line to create a database is for PowerShell, shown on multiple lines for clarity. For other shell types, change the line continuation characters as appropriate. For example, for Bash, use backslash ("\\"). Or, remove the continuation characters and enter the command on one line.

+## [Connection String](#tab/connection-string)

+Use the [`CosmosClient.create_database_if_not_exists`](/python/api/azure-cosmos/azure.cosmos.cosmos_client.cosmosclient#azure-cosmos-cosmos-client-cosmosclient-create-database-if-not-exists) method to create a new database if it doesn't already exist. This method will return a [`DatabaseProxy`](/python/api/azure-cosmos/azure.cosmos.databaseproxy) reference to the existing or newly created database.

+## [Passwordless (Recommended)](#tab/passwordless)

+The `Microsoft.Azure.Cosmos` client library enables you to perform *data* operations using [Azure RBAC](../role-based-access-control.md). However, to authenticate *management* operations such as creating and deleting databases you must use RBAC through one of the following options:

+> - [Azure CLI scripts](manage-with-cli.md)

+> - [Azure PowerShell scripts](manage-with-powershell.md)

+> - [Azure Resource Manager templates (ARM templates)](manage-with-templates.md)

+> - [Azure Resource Manager .NET client library](https://www.nuget.org/packages/Azure.ResourceManager.CosmosDB/)

+The Azure CLI approach is used in this example. Use the [`az cosmosdb sql container create`](/cli/azure/cosmosdb/sql/container#az-cosmosdb-sql-container-create) command to create a Cosmos DB container.

+```azurecli

+# Create a SQL API container

+az cosmosdb sql container create `

+ --account-name <cosmos-db-account-name> `

+ --resource-group <resource-group-name> `

+ --database-name cosmicworks `

+ --partition-key-path "/categoryId" `

+ --name products

+```

+The command line to create a container is for PowerShell, on multiple lines for clarity. For other shell types, change the line continuation characters as appropriate. For example, for Bash, use backslash ("\\"). Or, remove the continuation characters and enter the command on one line. For Bash, you'll also need to add `MSYS_NO_PATHCONV=1` before the command so that Bash deals with the partition key parameter correctly.

+After the resources have been created, use classes from the `Microsoft.Azure.Cosmos` client libraries to connect to and query the database.

+## [Connection String](#tab/connection-string)

+The [`PartitionKey`](/python/api/azure-cosmos/azure.cosmos.partitionkey) class defines a partition key path that you can use when creating a container.

+This feature still has significant limitations:

+* Compression is on disk, not in memory

+* Append-only (no UPDATE/DELETE support)

+* No space reclamation (for example, rolled-back transactions may still consume

+ disk space)

+* No index support, index scans, or bitmap index scans

+* No tidscans

+* No sample scans

+* No TOAST support (large values supported inline)

+* No support for ON CONFLICT statements (except DO NOTHING actions with no

+ target specified).

+* No support for tuple locks (SELECT ... FOR SHARE, SELECT ... FOR UPDATE)

+* No support for serializable isolation level

+* Support for PostgreSQL server versions 12+ only

+* No support for foreign keys, unique constraints, or exclusion constraints

+* No support for logical decoding

+* No support for intra-node parallel scans

+* No support for AFTER ... FOR EACH ROW triggers

+* No UNLOGGED columnar tables

+* No TEMPORARY columnar tables

+<a name="rememberpreviews"></a>

+## Remember preview features across sessions

+Cost Management now remembers preview features across sessions in the preview portal. Select the preview features you're interested in from the Try preview menu and you'll see them enabled by default the next time you visit the portal. No need to enable this option ΓÇô preview features will be remembered automatically.

+<a name="totalkpitooltip"></a>

+## Total KPI tooltip

+View additional details about what costs are included and not included in the Cost analysis preview. You can enable this option from the Try Preview menu.

+The Total KPI tooltip can be enabled from the [Try preview](https://aka.ms/costmgmt/trypreview) menu in the Azure portal. Use the **How would you rate the cost analysis preview?** option at the bottom of the page to share feedback about the preview.

+<a name="customersview"></a>

+Cloud Solution Provider (CSP) partners can view a breakdown of costs by customer and subscription in the Cost analysis preview. Note this view is only available for Microsoft Partner Agreement (MPA) billing accounts and billing profiles.

+The Customers view can be enabled from the [Try preview](https://aka.ms/costmgmt/trypreview) menu in the Azure portal. Use the **How would you rate the cost analysis preview?** option at the bottom of the page to share feedback about the preview.

+The effective transfer day can be on or after the start date of the target enrollment. The effective transfer date is the date that you want to transfer the old source enrollment to the new one. The date can be backdated to the first date of the current month, but not before it. For example, if todayΓÇÖs date is January 25, 2023 the enrollment transfer can be backdated to January 1, 2023 but not before it.

+Additionally, if individual subscriptions are deleted or transferred in the current month, then the deletion/transfer date becomes the new earliest possible effective transfer date.

+- Choose an enrollment transfer effective date.

+ - The date must be or after the start date of the new target enrollment.

+ - If you have an overage invoice that was already issued, the date that you choose doesnΓÇÖt affect usage.

+- You can install only one instance of a self-hosted integration runtime on any single machine. If you have two data factories that need to access on-premises data sources, either use the [self-hosted IR sharing feature](./create-shared-self-hosted-integration-runtime-powershell.md) to share the self-hosted IR, or install the self-hosted IR on two on-premises computers, one for each data factory or Synapse workspace. Synapse workspace does not support Integration Runtime Sharing.

+This section describes how to configure settings for supported forwarding rule actions, on either an OT sensor or the on-premises management console.

+- **22.1.3** - For locally managed sensors, [upload a diagnostics log](how-to-manage-sensors-on-the-cloud.md#upload-a-diagnostics-log-for-support) from the **Sites and sensors** page in the Azure portal. This file is automatically sent to support when you open a ticket on a cloud-connected sensor.

+1. For a locally managed sensor, version 22.1.3 or higher, continue with [Upload a diagnostics log for support](how-to-manage-sensors-on-the-cloud.md#upload-a-diagnostics-log-for-support).

+|**Sensor health**| Displays a [sensor health message](sensor-health-messages.md). For more information, see [Understand sensor health](how-to-manage-sensors-on-the-cloud.md#understand-sensor-health).|

+| :::image type="icon" source="media/how-to-manage-sensors-on-the-cloud/icon-diagnostics.png" border="false"::: **Send diagnostic files to support** | Individual, locally managed OT sensors only. <br><br>Available from the **...** options menu. <br><br>For more information, see [Upload a diagnostics log for support](#upload-a-diagnostics-log-for-support).|

+## Understand sensor health

+## Upload a diagnostics log for support

+1. For your selected sensor, select the **...** options menu on the right > **Send diagnostic files to support**. For example:

+| 22.3.5 | 01/2023 | Patch | 12/2023 |

+| 22.2.9 | 01/2023 | Patch | 12/2023 |

+### 22.3.5

+**Release date**: 01/2023

+**Supported until**: 12/2023

+This version includes bug fixes for stability improvements.

+### 22.2.9

+**Release date**: 01/2023

+**Supported until**: 12/2023

+This version includes bug fixes for stability improvements.

+- [Upload diagnostic logs for support tickets from the Azure portal](how-to-manage-sensors-on-the-cloud.md#upload-a-diagnostics-log-for-support)

+- [Sensor health widgets in the Azure portal](how-to-manage-sensors-on-the-cloud.md#understand-sensor-health)

+For more information, see [Understand sensor health](how-to-manage-sensors-on-the-cloud.md#understand-sensor-health).

+If a sensor fails to update for any reason, the software reverts back to the previous version installed, and a sensor health alert is triggered. For more information, see [Understand sensor health](how-to-manage-sensors-on-the-cloud.md#understand-sensor-health) and [Sensor health message reference](sensor-health-messages.md).

+For more information, see [Understand sensor health](how-to-manage-sensors-on-the-cloud.md#understand-sensor-health) and [Sensor health message reference](sensor-health-messages.md).

+- [Upload a diagnostics log for support](how-to-manage-sensors-on-the-cloud.md#upload-a-diagnostics-log-for-support)

+To ingest data from any source into Azure Digital Twins, you can use an [Azure function](../azure-functions/functions-overview.md). Learn more about this pattern in [Ingest telemetry from IoT Hub](how-to-ingest-iot-hub-data.md), or try it out yourself in the Azure Digital Twins [Connect an end-to-end solution](tutorial-end-to-end.md).

+You can also integrate Azure Digital Twins into a [Microsoft Power Platform](/power-platform) or [Azure Logic Apps](../logic-apps/logic-apps-overview.md) flow, using the [Azure Digital Twins Power Platform connector](how-to-use-power-platform-logic-apps-connector.md). For more information about connectors, see [Connectors overview](/connectors/connectors).

+# Mandatory fields.

+ Title: Integrate with Power Platform and Logic Apps

+description: Learn how to connect Power Platform and Logic Apps to Azure Digital Twins using the connector

+# Integrate with Power Platform and Logic Apps using the Azure Digital Twins connector

+You can integrate Azure Digital Twins into a [Microsoft Power Platform](/power-platform) or [Azure Logic Apps](../logic-apps/logic-apps-overview.md) flow, using the *Azure Digital Twins connector*.

+The connector is a wrapper around the Azure Digital Twins [data plane APIs](concepts-apis-sdks.md#data-plane-apis) for twin, model and query operations, which allows the underlying service to talk to [Microsoft Power Automate](/power-automate/getting-started), [Microsoft Power Apps](/power-apps/powerapps-overview), and [Azure Logic Apps](../logic-apps/logic-apps-overview.md). The connector provides a way for users to connect their accounts and leverage a set of prebuilt actions to build their apps and workflows.

+For more information about the Azure Digital Twins Power Platform connector, including a complete list of the connector's actions and their parameters, see the [Azure Digital Twins connector reference documentation](/connectors/azuredigitaltwins).

+## Prerequisites

+If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+Sign in to the [Azure portal](https://portal.azure.com) with your account.

+Lastly, you'll need to set up any [Power Platform](/power-platform) services where you want to use the connector.

+## Set up the connector

+For Power Automate and Power Apps, set up the connection first before creating a flow. Follow the steps below to add the connection in Power Automate and Power Apps.

+1. Select **Connections** from the left navigation menu (in Power Automate, it's under the **Data** heading). On the Connections page, select **+ New connection**.

+1. Search for *Azure Digital Twins*, and select the **Azure Digital Twins (preview)** connector.

+1. Where the connector asks for **ADT Instance Name**, enter the [host name of your instance](how-to-set-up-instance-portal.md#verify-success-and-collect-important-values).

+1. Enter your authentication details when requested to finish setting up the connection.

+1. To verify that the connection has been created, look for it on the Connections page.

+ :::image type="content" source="media/how-to-use-power-platform-logic-apps-connector/power-connection.png" alt-text="Screenshot of Power Automate, showing the Azure Digital Twins connection on the Connections page." lightbox="media/how-to-use-power-platform-logic-apps-connector/power-connection.png":::

+For Logic Apps, you can use the Azure Digital Twins built-in connection when you [create a flow](#create-a-flow) in the next section. For more information on built-in connectors, see [Built-in connectors in Azure Logic Apps](../connectors/built-in.md).

+## Create a flow

+You can incorporate Azure Digital Twins into Power Automate flows, Logic Apps flows, or Power Apps applications. Using the Azure Digital Twins connector and over 700 other Power Platform connectors, you can ingest data from other systems into your twins, or respond to system events.

+Follow the steps below to create a sample flow with the connector in Power Automate.

+1. In Power Automate, select **My flows** from the left navigation menu. Select **+ New flow** and **Instant cloud flow**.

+1. Enter a **Flow name** and select **Manually trigger a flow** from the list of triggers. **Create** the flow.

+1. Add a step to the flow, and search for *Azure Digital Twins* to find the connection. Select the Azure Digital Twins connection.

+ :::image type="content" source="media/how-to-use-power-platform-logic-apps-connector/power-automate-action-1.png" alt-text="Screenshot of Power Automate, showing the Azure Digital Twins connector in a new flow." lightbox="media/how-to-use-power-platform-logic-apps-connector/power-automate-action-1-big.png":::

+1. You'll see a list of all the [actions](/connectors/azuredigitaltwins) that are available with the connector. Pick one of them to interact with the [Azure Digital Twins APIs](/rest/api/azure-digitaltwins/).

+ :::image type="content" source="media/how-to-use-power-platform-logic-apps-connector/power-automate-action-2.png" alt-text="Screenshot of Power Automate, showing all the actions for the Azure Digital Twins connector." lightbox="media/how-to-use-power-platform-logic-apps-connector/power-automate-action-2-big.png":::

+1. You can continue to edit or add more steps to your workflow, using other connectors to build out your integration scenario.

+ :::image type="content" source="media/how-to-use-power-platform-logic-apps-connector/power-automate-action-3.png" alt-text="Screenshot of Power Automate, showing a Get twin by ID action from the Azure Digital Twins connector in a flow." lightbox="media/how-to-use-power-platform-logic-apps-connector/power-automate-action-3.png":::

+Follow the steps below to create a sample flow with the connector in Power Apps.

+1. In Power Apps, select **+ Create** from the left navigation menu. Select **Blank app** and follow the prompts to create a new app.

+1. In the app builder, select **Data** from the left navigation menu. Select **Add data** and search for *Azure Digital Twins* to find the data connection. Select the Azure Digital Twins connection.

+ :::image type="content" source="media/how-to-use-power-platform-logic-apps-connector/power-apps-action-1.png" alt-text="Screenshot of Power Apps, showing the Azure Digital Twins connector as a data source." lightbox="media/how-to-use-power-platform-logic-apps-connector/power-apps-action-1.png":::

+1. Now, the [actions](/connectors/azuredigitaltwins) from the Azure Digital Twins connector will be available as functions to use in your app.

+ :::image type="content" source="media/how-to-use-power-platform-logic-apps-connector/power-apps-action-2.png" alt-text="Screenshot of Power Apps, showing the Get twin by ID action being used in a function." lightbox="media/how-to-use-power-platform-logic-apps-connector/power-apps-action-2.png":::

+1. You can continue to build out your application with access to Azure Digital Twins data. For more information about building Power Apps, see [Overview of creating apps in Power Apps](/power-apps/maker/).

+Follow the steps below to create a sample flow with the connector in Logic Apps.

+1. Navigate to your logic app in the [Azure portal](https://portal.azure.com). Select **Workflows** from the left navigation menu, and **+ Add**. Follow the prompts to create a new workflow.

+1. Select your new flow and enter into the **Designer**.

+1. Add a trigger to your app.

+1. Select **Choose an operation** to add an action from the Azure Digital Twins connector. Search for *Azure Digital Twins* on the **Azure** tab to find the data connection. Select the Azure Digital Twins connection.

+ :::image type="content" source="media/how-to-use-power-platform-logic-apps-connector/logic-apps-action.png" alt-text="Screenshot of Logic Apps, showing the Azure Digital Twins connector." lightbox="media/how-to-use-power-platform-logic-apps-connector/logic-apps-action.png":::

+1. You'll see a list of all the [actions](/connectors/azuredigitaltwins) that are available with the connector. Pick one of them to interact with the [Azure Digital Twins APIs](/rest/api/azure-digitaltwins/).

+1. After selecting an action from the Azure Digital Twins connector, you'll be asked to enter authentication details to create the connection.

+1. You can continue to edit or add more steps to your workflow, using other connectors to build out your integration scenario.

+## Limitations and suggestions

+Here are some limitations of the connector and suggestions for working with them.

+* Some connector actions (such as Add Model) require input in the form of a literal string that starts with *@*. In these cases, escape the *@* character by using *@@* instead. This will keep the literal value from being interpreted as a JSON expression.

+* Since Azure Digital Twins deals with dynamic schema responses, you should parse the JSON received from the APIs before consuming it in your application. For example, here's a set of calls that parse the data before extracting the `dtId` value: `Set(jsonVal, AzureDigitalTwins.GetTwinById("your_twin_id").result); Set(parsedResp, ParseJSON(jsonVal)); Set( DtId, Text(parsedResp.'$dtId'));`.

+## Next steps

+For more information about Power Platform connectors, including how to use them in workflows across multiple products, see the [Power Platform and Azure Logic Apps connectors documentation](/connectors/connectors).

+For more information about ExpressRoute, see the [ExpressRoute FAQ](expressroute-faqs.md)

+ Title: Azure network rule name logging (preview)

+description: Learn about Azure network rule name logging (preview)

+# Azure network rule name logging (preview)

+> [!IMPORTANT]

+> This feature is currently in PREVIEW.

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+Currently, a network rule hit event shows the following attributes in the logs:

+ - Source and destination IP/port

+ - Action (allow, or deny)

+ With this new feature, the event logs for network rules also show the following attributes:

+ - Policy name

+ - Rule collection group

+ - Rule collection

+ - Rule name

+## Enable/disable network rule name logging

+To enable the Network Rule name Logging feature, the following commands need to be run in Azure PowerShell. For the feature to immediately take effect, an operation needs to be run on the firewall. This operation can be a rule change (least intrusive), a setting change, or a stop/start operation. Otherwise, the firewall/s is updated with the feature within several days.

+Run the following Azure PowerShell commands to configure Azure Firewall network rule name logging:

+```azurepowershell

+Connect-AzAccount

+Select-AzSubscription -Subscription "subscription_id or subscription_name"

+Register-AzProviderFeature -FeatureName AFWEnableNetworkRuleNameLogging -ProviderNamespace Microsoft.Network

+Register-AzResourceProvider -ProviderNamespace Microsoft.Network

+```

+Run the following Azure PowerShell command to turn off this feature:

+```azurepowershell

+Unregister-AzProviderFeature -FeatureName AFWEnableNetworkRuleNameLogging -ProviderNamespace Microsoft.Network

+```

+## Next steps

+- To learn more about Azure Firewall logs and metrics, see [Azure Firewall logs and metrics](logs-and-metrics.md)

+With this new feature, the event logs for network rules adds the following attributes:

+For more information, see [Azure network rule name logging (preview)](firewall-network-rule-logging.md).

+### Structured Firewall Logs (preview)

+With Structured Firewall Logs, you'll be able to choose to use Resource Specific tables instead of an existing AzureDiagnostics table. Structured Firewall Logs is required for Policy Analytics. This new method helps you with better log querying and is recommended because:

+- It's easier to work with the data in the log queries

+- It's easier to discover schemas and their structure

+- It improves performance across both ingestion latency and query times

+- It allows you to grant Azure RBAC rights on a specific table

+For more information, see [Azure Structured Firewall Logs (preview)](firewall-structured-logs.md).

+Enabling Policy Analytics on a Firewall Policy associated with a single firewall is billed per policy as described on the [Azure Firewall Manager pricing](https://azure.microsoft.com/pricing/details/firewall-manager/) page. Enabling Policy Analytics on a Firewall Policy associated with more than one firewall is offered at no added cost.

+You can now easily upgrade your existing Firewall Standard SKU to Premium SKU and downgrade from Premium to Standard SKU. The process is fully automated and has no service impact (zero service downtime).

+This new capability is available through the Azure portal as shown here, and via PowerShell and Terraform simply by changing the sku_tier attribute.

+ Title: Azure Structured Firewall Logs (preview)

+description: Learn about Azure Structured Firewall Logs (preview)

+# Azure Structured Firewall Logs (preview)

+> [!IMPORTANT]

+> This feature is currently in PREVIEW.

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+Currently, the following diagnostic log categories are available for Azure Firewall:

+- Application rule log

+- Network rule log

+- DNS proxy log

+These log categories use [Azure diagnostics mode](../azure-monitor/essentials/resource-logs.md#azure-diagnostics-mode). In this mode, all data from any diagnostic setting will be collected in the [AzureDiagnostics](/azure/azure-monitor/reference/tables/azurediagnostics) table.

+With this new feature, you'll be able to choose to use [Resource Specific Tables](../azure-monitor/essentials/resource-logs.md#resource-specific) instead of the existing [AzureDiagnostics](/azure/azure-monitor/reference/tables/azurediagnostics) table. In case both sets of logs are required, at least two diagnostic settings need to be created per firewall.

+## Resource specific mode

+In **Resource specific** mode, individual tables in the selected workspace are created for each category selected in the diagnostic setting. This method is recommended since it:

+- makes it much easier to work with the data in log queries

+- makes it easier to discover schemas and their structure

+- improves performance across both ingestion latency and query times

+- allows you to grant Azure RBAC rights on a specific table

+New resource specific tables are now available in Diagnostic setting that allows you to utilize the following newly added categories:

+- [Network rule log](/azure/azure-monitor/reference/tables/azfwnetworkrule) - Contains all Network Rule log data. Each match between data plane and network rule creates a log entry with the data plane packet and the matched rule's attributes.

+- [NAT rule log](/azure/azure-monitor/reference/tables/azfwnatrule) - Contains all DNAT (Destination Network Address Translation) events log data. Each match between data plane and DNAT rule creates a log entry with the data plane packet and the matched rule's attributes.

+- [Application rule log](/azure/azure-monitor/reference/tables/azfwapplicationrule) - Contains all Application rule log data. Each match between data plane and Application rule creates a log entry with the data plane packet and the matched rule's attributes.

+- [Threat Intelligence log](/azure/azure-monitor/reference/tables/azfwthreatintel) - Contains all Threat Intelligence events.

+- [IDPS log](/azure/azure-monitor/reference/tables/azfwidpssignature) - Contains all data plane packets that were matched with one or more IDPS signatures.

+- [DNS proxy log](/azure/azure-monitor/reference/tables/azfwdnsquery) - Contains all DNS Proxy events log data.

+- [Internal FQDN resolve failure log](/azure/azure-monitor/reference/tables/azfwinternalfqdnresolutionfailure) - Contains all internal Firewall FQDN resolution requests that resulted in failure.

+- [Application rule aggregation log](/azure/azure-monitor/reference/tables/azfwapplicationruleaggregation) - Contains aggregated Application rule log data for Policy Analytics.

+- [Network rule aggregation log](/azure/azure-monitor/reference/tables/azfwnetworkruleaggregation) - Contains aggregated Network rule log data for Policy Analytics.

+- [NAT rule aggregation log](/azure/azure-monitor/reference/tables/azfwnatruleaggregation) - Contains aggregated NAT rule log data for Policy Analytics.

+## Enable/disable structured logs

+By default, the new resource specific tables are disabled.

+Run the following Azure PowerShell commands to enable Azure Firewall Structured logs:

+```azurepowershell

+Connect-AzAccount

+Select-AzSubscription -Subscription "subscription_id or subscription_name"

+Register-AzProviderFeature -FeatureName AFWEnableStructuredLogs -ProviderNamespace Microsoft.Network

+Register-AzResourceProvider -ProviderNamespace Microsoft.Network

+```

+Run the following Azure PowerShell command to turn off this feature:

+```azurepowershell

+Unregister-AzProviderFeature -FeatureName AFWEnableStructuredLogs -ProviderNamespace Microsoft.Network

+```

+In addition, when setting up your log analytics workspace, you must select whether you want to work with the AzureDiagnostics table (default) or with Resource Specific Tables.

+Additional KQL log queries were added to query structured firewall logs.

+> [!NOTE]

+> Existing Workbooks and any Sentinel integration will be adjusted to support the new structured logs when **Resource Specific** mode is selected.

+## Next steps

+- For more information, see [Exploring the New Resource Specific Structured Logging in Azure Firewall](https://techcommunity.microsoft.com/t5/azure-network-security-blog/exploring-the-new-resource-specific-structured-logging-in-azure/ba-p/3620530).

+- To learn more about Azure Firewall logs and metrics, see [Azure Firewall logs and metrics](logs-and-metrics.md)

+ Title: 'Tutorial: Deploy a firewall with Azure DDoS Protection Standard'

+description: In this tutorial, you learn how to deploy and configure Azure Firewall and policy rules using the Azure portal with Azure DDoS protection.

+#Customer intent: As an administrator new to this service, I want to control outbound network access from resources located in an Azure subnet.

+# Tutorial: Deploy a firewall with Azure DDoS Protection Standard

+This article helps you create an Azure Firewall with a DDoS protected virtual network. Azure DDoS Protection Standard enables enhanced DDoS mitigation capabilities such as adaptive tuning, attack alert notifications, and monitoring to protect your firewall from large scale DDoS attacks.

+> [!IMPORTANT]

+> Azure DDoS Protection incurs a cost when you use the Standard SKU. Overages charges only apply if more than 100 public IPs are protected in the tenant. Ensure you delete the resources in this tutorial if you aren't using the resources in the future. For information about pricing, see [Azure DDoS Protection Pricing]( https://azure.microsoft.com/pricing/details/ddos-protection/). For more information about Azure DDoS protection, see [What is Azure DDoS Protection?](../ddos-protection/ddos-protection-overview.md).

+For this tutorial, you create a simplified single VNet with two subnets for easy deployment. Azure DDoS Protection Standard is enabled for the virtual network.

+* **AzureFirewallSubnet** - the firewall is in this subnet.

+* **Workload-SN** - the workload server is in this subnet. This subnet's network traffic goes through the firewall.

+

+For production deployments, a [hub and spoke model](/azure/architecture/reference-architectures/hybrid-networking/hub-spoke) is recommended, where the firewall is in its own VNet. The workload servers are in peered VNets in the same region with one or more subnets.

+In this tutorial, you learn how to:

+> [!div class="checklist"]

+> * Set up a test network environment

+> * Deploy a firewall and firewall policy

+> * Create a default route

+> * Configure an application rule to allow access to www.google.com

+> * Configure a network rule to allow access to external DNS servers

+> * Configure a NAT rule to allow a remote desktop to the test server

+> * Test the firewall

+If you prefer, you can complete this procedure using [Azure PowerShell](deploy-ps-policy.md).

+## Prerequisites

+If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+## Set up the network

+First, create a resource group to contain the resources needed to deploy the firewall. Then create a VNet, subnets, and a test server.

+### Create a resource group

+The resource group contains all the resources for the tutorial.

+1. Sign in to the Azure portal at [https://portal.azure.com](https://portal.azure.com).

+1. On the Azure portal menu, select **Resource groups** or search for and select *Resource groups* from any page, then select **Add**. Enter or select the following values:

+ | Setting | Value |

+ | -- | |

+ | Subscription | Select your Azure subscription. |

+ | Resource group | Enter *Test-FW-RG*. |

+ | Region | Select a region. All other resources that you create must be in the same region. |

+

+1. Select **Review + create**.

+1. Select **Create**.

+### Create a DDoS protection plan

+1. In the search box at the top of the portal, enter **DDoS protection**. Select **DDoS protection plans** in the search results and then select **+ Create**.

+1. In the **Basics** tab of **Create a DDoS protection plan** page, enter or select the following information:

+ | Setting | Value |

+ |--|--|

+ | **Project details** | |

+ | Subscription | Select your Azure subscription. |

+ | Resource group | Select **Test-FW-RG**. |

+ | **Instance details** | |

+ | Name | Enter **myDDoSProtectionPlan**. |

+ | Region | Select the region. |

+1. Select **Review + create** and then select **Create** to deploy the DDoS protection plan.

+### Create a VNet

+This VNet will have two subnets.

+> [!NOTE]

+> The size of the AzureFirewallSubnet subnet is /26. For more information about the subnet size, see [Azure Firewall FAQ](firewall-faq.yml#why-does-azure-firewall-need-a--26-subnet-size).

+1. On the Azure portal menu or from the **Home** page, select **Create a resource**.

+1. Select **Networking**.

+1. Search for **Virtual network** and select it.

+1. Select **Create**, then enter or select the following values:

+ | Setting | Value |

+ | -- | |

+ | Subscription | Select your Azure subscription. |

+ | Resource group | Select **Test-FW-RG**. |

+ | Name | Enter *Test-FW-VN*. |

+ | Region | Select the same location that you used previously. |

+1. Select **Next: IP addresses**.

+1. For **IPv4 Address space**, accept the default **10.1.0.0/16**.

+1. Under **Subnet**, select **default**.

+1. For **Subnet name** change the name to **AzureFirewallSubnet**. The firewall will be in this subnet, and the subnet name **must** be AzureFirewallSubnet.

+1. For **Address range**, type **10.1.1.0/26**.

+1. Select **Save**.

+ Next, create a subnet for the workload server.

+1. Select **Add subnet**.

+1. For **Subnet name**, type **Workload-SN**.

+1. For **Subnet address range**, type **10.1.2.0/24**.

+1. Select **Add**.

+1. Select **Next: Security**.

+1. In **DDoS Protection Standard** select **Enable**.

+1. Select **myDDoSProtectionPlan** in **DDoS protection plan**.

+1. Select **Review + create**.

+1. Select **Create**.

+### Create a virtual machine

+Now create the workload virtual machine, and place it in the **Workload-SN** subnet.

+1. On the Azure portal menu or from the **Home** page, select **Create a resource**.

+1. Select **Windows Server 2019 Datacenter**.

+1. Enter or select these values for the virtual machine:

+ | Setting | Value |

+ | - | -- |

+ | Subscription | Select your Azure subscription. |

+ | Resource group | Select **Test-FW-RG**. |

+ | Virtual machine name | Enter *Srv-Work*.|

+ | Region | Select the same location that you used previously. |

+ | Username | Enter a username. |

+ | Password | Enter a password. |

+1. Under **Inbound port rules**, **Public inbound ports**, select **None**.

+1. Accept the other defaults and select **Next: Disks**.

+1. Accept the disk defaults and select **Next: Networking**.

+1. Make sure that **Test-FW-VN** is selected for the virtual network and the subnet is **Workload-SN**.

+1. For **Public IP**, select **None**.

+1. Accept the other defaults and select **Next: Management**.

+1. Select **Disable** to disable boot diagnostics. Accept the other defaults and select **Review + create**.

+1. Review the settings on the summary page, and then select **Create**.

+1. After the deployment completes, select the **Srv-Work** resource and note the private IP address for later use.

+## Deploy the firewall and policy

+Deploy the firewall into the VNet.

+1. On the Azure portal menu or from the **Home** page, select **Create a resource**.

+2. Type **firewall** in the search box and press **Enter**.

+3. Select **Firewall** and then select **Create**.

+4. On the **Create a Firewall** page, use the following table to configure the firewall:

+ | Setting | Value |

+ | - | -- |

+ | Subscription | Select your Azure subscription. |

+ | Resource group | Select **Test-FW-RG**. |

+ | Name | Enter *Test-FW01*. |

+ | Region | Select the same location that you used previously. |

+ | Firewall management | Select **Use a Firewall Policy to manage this firewall**. |

+ | Firewall policy | Select **Add new**, and enter *fw-test-pol*. <br> Select the same region that you used previously.

+ | Choose a virtual network | Select **Use existing**, and then select **Test-FW-VN**. |

+ | Public IP address | Select **Add new**, and enter *fw-pip* for the **Name**. |

+5. Accept the other default values, then select **Review + create**.

+6. Review the summary, and then select **Create** to create the firewall.

+ This will take a few minutes to deploy.

+7. After deployment completes, go to the **Test-FW-RG** resource group, and select the **Test-FW01** firewall.

+8. Note the firewall private and public IP addresses. You'll use these addresses later.

+## Create a default route

+For the **Workload-SN** subnet, configure the outbound default route to go through the firewall.

+1. On the Azure portal menu, select **All services** or search for and select *All services* from any page.

+1. Under **Networking**, select **Route tables**.

+1. Select **Create**, then enter or select the following values:

+ | Setting | Value |

+ | - | -- |

+ | Subscription | Select your Azure subscription. |

+ | Resource group | Select **Test-FW-RG**. |

+ | Region | Select the same location that you used previously. |

+ | Name | Enter *Firewall-route*. |

+1. Select **Review + create**.

+1. Select **Create**.

+After deployment completes, select **Go to resource**.

+1. On the **Firewall-route** page, select **Subnets** and then select **Associate**.

+1. Select **Virtual network** > **Test-FW-VN**.

+1. For **Subnet**, select **Workload-SN**. Make sure that you select only the **Workload-SN** subnet for this route, otherwise your firewall won't work correctly.

+1. Select **OK**.

+1. Select **Routes** and then select **Add**.

+1. For **Route name**, enter *fw-dg*.

+1. For **Address prefix**, enter *0.0.0.0/0*.

+1. For **Next hop type**, select **Virtual appliance**.

+ Azure Firewall is actually a managed service, but virtual appliance works in this situation.

+1. For **Next hop address**, enter the private IP address for the firewall that you noted previously.

+1. Select **OK**.

+## Configure an application rule

+This is the application rule that allows outbound access to `www.google.com`.

+1. Open the **Test-FW-RG** resource group, and select the **fw-test-pol** firewall policy.

+1. Select **Application rules**.

+1. Select **Add a rule collection**.

+1. For **Name**, enter *App-Coll01*.

+1. For **Priority**, enter *200*.

+1. For **Rule collection action**, select **Allow**.

+1. Under **Rules**, for **Name**, enter *Allow-Google*.

+1. For **Source type**, select **IP address**.

+1. For **Source**, enter *10.0.2.0/24*.

+1. For **Protocol:port**, enter *http, https*.

+1. For **Destination Type**, select **FQDN**.

+1. For **Destination**, enter *`www.google.com`*

+1. Select **Add**.

+Azure Firewall includes a built-in rule collection for infrastructure FQDNs that are allowed by default. These FQDNs are specific for the platform and can't be used for other purposes. For more information, see [Infrastructure FQDNs](infrastructure-fqdns.md).

+## Configure a network rule

+This is the network rule that allows outbound access to two IP addresses at port 53 (DNS).

+1. Select **Network rules**.

+2. Select **Add a rule collection**.

+3. For **Name**, enter *Net-Coll01*.

+4. For **Priority**, enter *200*.

+5. For **Rule collection action**, select **Allow**.

+1. For **Rule collection group**, select **DefaultNetworkRuleCollectionGroup**.

+1. Under **Rules**, for **Name**, enter *Allow-DNS*.

+1. For **Source type**, select **IP Address**.

+1. For **Source**, enter *10.0.2.0/24*.

+1. For **Protocol**, select **UDP**.

+1. For **Destination Ports**, enter *53*.

+1. For **Destination type** select **IP address**.

+1. For **Destination**, enter *209.244.0.3,209.244.0.4*.<br>These are public DNS servers operated by CenturyLink.

+2. Select **Add**.

+## Configure a DNAT rule

+This rule allows you to connect a remote desktop to the **Srv-Work** virtual machine through the firewall.

+1. Select the **DNAT rules**.

+2. Select **Add a rule collection**.

+3. For **Name**, enter *rdp*.

+1. For **Priority**, enter *200*.

+1. For **Rule collection group**, select **DefaultDnatRuleCollectionGroup**.

+1. Under **Rules**, for **Name**, enter *rdp-nat*.

+1. For **Source type**, select **IP address**.

+1. For **Source**, enter *\**.

+1. For **Protocol**, select **TCP**.

+1. For **Destination Ports**, enter *3389*.

+1. For **Destination Type**, select **IP Address**.

+1. For **Destination**, enter the firewall public IP address.

+1. For **Translated address**, enter the **Srv-work** private IP address.

+1. For **Translated port**, enter *3389*.

+1. Select **Add**.

+### Change the primary and secondary DNS address for the **Srv-Work** network interface

+For testing purposes in this tutorial, configure the server's primary and secondary DNS addresses. This isn't a general Azure Firewall requirement.

+1. On the Azure portal menu, select **Resource groups** or search for and select *Resource groups* from any page. Select the **Test-FW-RG** resource group.

+2. Select the network interface for the **Srv-Work** virtual machine.

+3. Under **Settings**, select **DNS servers**.

+4. Under **DNS servers**, select **Custom**.

+5. Enter *209.244.0.3* in the **Add DNS server** text box, and *209.244.0.4* in the next text box.

+6. Select **Save**.

+7. Restart the **Srv-Work** virtual machine.

+## Test the firewall

+Now, test the firewall to confirm that it works as expected.

+1. Connect a remote desktop to firewall public IP address and sign in to the **Srv-Work** virtual machine.

+3. Open Internet Explorer and browse to `https://www.google.com`.

+4. Select **OK** > **Close** on the Internet Explorer security alerts.

+ You should see the Google home page.

+5. Browse to `https://www.microsoft.com`.

+ You should be blocked by the firewall.

+So now you've verified that the firewall rules are working:

+* You can browse to the one allowed FQDN, but not to any others.

+* You can resolve DNS names using the configured external DNS server.

+## Clean up resources

+You can keep your firewall resources for the next tutorial, or if no longer needed, delete the **Test-FW-RG** resource group to delete all firewall-related resources.

+## Next steps

+> [!div class="nextstepaction"]

+> [Deploy and configure Azure Firewall Premium](premium-deploy.md)

+Front Door is designed to be internet-facing, and this scenario is optimized for publicly available blobs. If you need to authenticate access to blobs, consider using [shared access signatures](../storage/common/storage-sas-overview.md), and ensure that you enable the [*Cache every unique URL* query string behavior](front-door-caching.md#query-string-behavior) to avoid Front Door from serving requests to unauthenticated clients. However, this approach might not make effective use of the Front Door cache, because each request with a different shared access signature must be sent to the origin separately.

+- `Microsoft.Kubernetes.Data` for managing Kubernetes clusters and components such as pods, containers, and ingresses. Supported for Azure Kubernetes Service clusters and [Azure Arc-enabled Kubernetes clusters](../../../aks/intro-kubernetes.md). Definitions

+- `Microsoft.ManagedHSM.Data` for managing [Managed HSM](../../../key-vault/managed-hsm/overview.md) keys using Azure Policy.

+### Microsoft.ManagedHSM.Data

+Policies with mode `Microsoft.ManagedHSM.Data` are applicable if the `type` condition of the policy rule evaluates to true. The `type` refers to component type:

+- Microsoft.ManagedHSM.Data/managedHsms/keys

+In this article, you'll learn how to enable diagnostic settings for the MedTech service to:

+> [!div class="checklist"]

+> - Create a diagnostic setting to export logs and metrics for audit, analysis, or troubleshooting of the MedTech service.

+> - Use the Azure Log Analytics workspace to view the MedTech service logs.

+> - Access the MedTech service pre-defined Azure Log Analytics queries.

+ |[Azure Log Analytics workspace](../../azure-monitor/logs/log-analytics-workspace-overview.md)|Metrics are converted to log form. Sending the metrics to the Azure Monitor Logs store (which is searchable via Log Analytics) enables you to integrate them into queries, alerts, and visualizations with existing log data.|

+ |[Azure storage account](../../storage/index.yml)|Archiving logs and metrics to an Azure storage account is useful for audit, static analysis, or backup. Compared to Azure Monitor Logs and a Log Analytics workspace, Azure storage is less expensive, and logs can be kept there indefinitely.|

+ |[Azure event hub](../../event-hubs/index.yml)|Sending logs and metrics to an event hub allows you to stream data to external systems such as third-party Security Information and Event Managements (SIEMs) and other Log Analytics solutions.|

+## Use the Azure Log Analytics workspace to view the MedTech service logs

+If you choose to include your Log Analytics workspace as a destination option for your diagnostic setting, you can view the logs within **Logs** in your MedTech service. If there are any logs, they'll be a result of exceptions for your MedTech service (for example: *HealthCheck* exceptions).

+2. Copy the below table query string into your Log Analytics workspace query area and select **Run**. Using the *AHDSMedTechDiagnosticLogs* table will provide you with all logs contained in the entire table for the selected **Time range** setting (the default value is **Last 24 hours**). The MedTech service provides five pre-defined queries that will be addressed in the article section titled [Accessing the MedTech service pre-defined Azure Log Analytics queries](how-to-enable-diagnostic-settings.md#accessing-the-medtech-service-pre-defined-azure-log-analytics-queries).

+ ```Kusto

+> [!WARNING]

+> The above custom query is not saved and will have to be recreated if you leave your Log Analytics workspace without saving the custom query.

+>

+> To learn how to save a custom query in Log Analytics, see [Save a query in Azure Monitor Log Analytics](/azure/azure-monitor/logs/save-query)

+> [!TIP]

+> To learn how to use the Log Analytics workspace, see [Azure Log Analytics workspace](../../azure-monitor/logs/log-analytics-workspace-overview.md).

+>

+> To learn how to troubleshoot the MedTech service error messages and conditions, see [Troubleshoot MedTech service errors](troubleshoot-errors.md).

+## Accessing the MedTech service pre-defined Azure Log Analytics queries

+The MedTech service comes with pre-defined queries that can be used anytime in your Log Analytics workspace to filter and summarize your logs for more precise investigation. The queries can also be customized and saved/shared.

+1. To access the pre-defined queries, select **Queries**, type *MedTech* in the **Search** area, select a pre-defined query by using a double-click, and select **Run** to execute the pre-defined query. In this example, we've selected *MedTech healthcheck exceptions*. You'll select a pre-defined query of your own choosing.

+ > [!TIP]

+ > You can click on each of the MedTech service pre-defined queries to see their description and access different options for running the query or placing it into the Log Analytics workspace query area.

+ :::image type="content" source="media/how-to-enable-diagnostic-settings/select-and-run-pre-defined-query.png" alt-text="Screenshot of searching, selecting, and running a MedTech service pre-defined query." lightbox="media/how-to-enable-diagnostic-settings/select-and-run-pre-defined-query.png":::

+2. Multiple pre-defined queries can be selected. In this example, we've additionally selected *Log count per MedTech log or exception type*. You'll select another pre-defined query of your own choosing.

+ :::image type="content" source="media/how-to-enable-diagnostic-settings/select-and-run-additional-pre-defined-query.png" alt-text="Screenshot of searching, selecting, and running a MedTech service and additional pre-defined query." lightbox="media/how-to-enable-diagnostic-settings/select-and-run-additional-pre-defined-query.png":::

+3. Only the highlighted pre-defined query will be executed.

+ :::image type="content" source="media/how-to-enable-diagnostic-settings/results-of-select-and-run-additional-pre-defined-query.png" alt-text="Screenshot of results of running a MedTech service and additional pre-defined query." lightbox="media/how-to-enable-diagnostic-settings/results-of-select-and-run-additional-pre-defined-query.png":::

+> [!WARNING]

+> Any changes that you've made to the pre-defined queries are not saved and will have to be recreated if you leave your Log Analytics workspace without saving custom changes you've made to the pre-defined queries.

+>

+> To learn how to save a query in Log Analytics, see [Save a query in Azure Monitor Log Analytics](/azure/azure-monitor/logs/save-query)

+> To learn how to use the Log Analytics workspace, see [Azure Log Analytics workspace](../../azure-monitor/logs/log-analytics-workspace-overview.md).

+> To learn how to troubleshoot the MedTech service error messages and conditions, see [Troubleshoot MedTech service errors](troubleshoot-errors.md).

+In this article, you learned how to enable the diagnostics settings for the MedTech service and use the Log Analytics workspace to query and view the MedTech service logs.

+> [Frequently asked questions about the MedTech service](frequently-asked-questions.md)

+1. Use the [az ad sp create-for-rbac](/cli/azure/ad/sp#az-ad-sp-create-for-rbac) command to create a service principal with *contributor* access to a specific resource group. Replace `<SUBSCRIPTION_ID>` and `<RESOURCE_GROUP_NAME>` with your own information.

+ This command requires owner or user access administrator roles in the subscription.

+ ```azurecli

+ az ad sp create-for-rbac --name github-actions-sp --role contributor --scopes /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP_NAME>

+ ```

+1. Copy the following items from the output of the service principal creation command to use in the next section:

+ * The *clientId*.

+ * The *clientSecret*. This is a generated password for the service principal that you won't be able to access again.

+ * The *tenantId*.

+1. Use the [az role assignment create](/cli/azure/role/assignment#az-role-assignment-create) command to assign two more access roles to the service principal: *Device Provisioning Service Data Contributor* and *IoT Hub Data Contributor*. Replace `<SP_CLIENT_ID>` with the *clientId* value that you copied from the previous command's output.

+ ```azurecli

+ az role assignment create --assignee "<SP_CLIENT_ID>" --role "Device Provisioning Service Data Contributor" --resource-group "<RESOURCE_GROUP_NAME>"

+ ```

+ ```azurecli

+ az role assignment create --assignee "<SP_CLIENT_ID>" --role "IoT Hub Data Contributor" --resource-group "<RESOURCE_GROUP_NAME>"

+ ```

+ * **Secret**: Paste the *clientId* that you copied from the output of the service principal creation command.

+ * **Secret**: Paste the *clientSecret* that you copied from the output of the service principal creation command.

+ * **Secret**: Paste the *tenantId* that you copied from the output of the service principal creation command.

+* Create an individual enrollment on the DPS instance, and register a device to the IoT hub using symmetric key authentication via the DPS enrollment.

+1. Define the first job for our workflow, which we'll call the `provision` job. This job provisions the IoT Hub and DPS instances:

+ For more information about the commands run in this job, see:

+ * [az iot hub create](/cli/azure/iot/hub#az-iot-hub-create)

+ * [az iot dps create](/cli/azure/iot/dps#az-iot-dps-create)

+ For more information about the commands run in this job, see:

+ * [az iot dps linked-hub create](/cli/azure/iot/dps/linked-hub#az-iot-dps-linked-hub-create)

+ > [!NOTE]

+ > This job and others use the parameter `--auth-type login` in some commands to indicate that the operation should use the service principal from the current Azure AD session. The alternative, `--auth-type key` doesn't require the service principal configuration, but is less secure.

+ For more information about the commands run in this job, see:

+ * [az iot dps enrollment create](/cli/azure/iot/dps/enrollment#az-iot-dps-enrollment-create)

+ * [az iot device registration create](/cli/azure/iot/device/registration#az-iot-device-registration-create)

+ For more information about the commands run in this job, see:

+ * [az iot device simulate](/cli/azure/iot/device#az-iot-device-simulate)

+ For more information about the commands run in this job, see:

+ * [az iot hub monitor-events](/cli/azure/iot/hub#az-iot-hub-monitor-events)

+This article provides end-to-end instructions for registering and provisioning a Linux IoT Edge device, which includes installing IoT Edge.

+Each device that connects to an [IoT hub](../iot-hub/index.yml) has a device ID that's used to track [cloud-to-device](../iot-hub/iot-hub-devguide-c2d-guidance.md) or [device-to-cloud](../iot-hub/iot-hub-devguide-d2c-guidance.md) communications. You configure a device with its connection information, which includes:

+* IoT hub hostname

+* Device ID

+* Authentication details to connect to IoT Hub

+The steps in this article walk through a process called *manual provisioning*, where you connect a single device to its IoT hub. For manual provisioning, you have two options for authenticating IoT Edge devices:

+This article shows how to register your IoT Edge device and install IoT Edge (also called IoT Edge runtime) on your device. Make sure you have the device management tool of your choice, for example Azure CLI, and device requirements before you register and install your device.

+<!-- Azure IoT extensions for Visual Studio Code-->

+### Visual Studio Code extensions

+If you are using Visual Studio Code, there are helpful Azure IoT extensions that will make the device creation and management process easier.

+Install both the Azure IoT Edge and Azure IoT Hub extensions:

+* [Azure IoT Edge](https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.azure-iot-edge)

+* [Azure IoT Hub](https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.azure-iot-toolkit)

+<!-- Prerequisites end -->

+Now that the container engine and the IoT Edge runtime are installed on your device, you're ready to set up the device with its cloud identity and authentication information.

+1. You can quickly configure your IoT Edge device with symmetric key authentication using the following command. Replace `PASTE_DEVICE_CONNECTION_STRING_HERE` with your own connection string.

+ sudo iotedge config mp --connection-string `PASTE_DEVICE_CONNECTION_STRING_HERE`

+ This `iotedge config mp` command creates a configuration file on the device and enters your connection string in the configuration file.

+1. Apply the configuration changes.

+1. To view the configuration file, you can open it:

+Verify successful configuration

+## Deploy modules

+To deploy your IoT Edge modules, go to your IoT hub in the Azure portal, then:

+1. Select **Devices** from the IoT Hub menu.

+1. Select your device to open its page.

+1. Select the **Set Modules** tab.

+1. Since we want to deploy the IoT Edge default modules (edgeAgent and edgeHub), we don't need to add any modules to this pane, so select **Review + create** at the bottom.

+1. You see the JSON confirmation of your modules. Select **Create** to deploy the modules.<br>

+

+For more information, see [Deploy a module](quickstart-linux.md#deploy-a-module).

+> [!TIP]

+> You need elevated privileges to run `iotedge` commands. Once you sign out of your machine and sign back in the first time after installing the IoT Edge runtime, your permissions are automatically updated. Until then, use `sudo` in front of the commands.

+1. Check to see that the IoT Edge system service is running.

+ <!-- 1.1 -->

+ ::: moniker range="iotedge-2018-06"

+ ::: moniker-end

+ <!-- iotedge-2020-11 -->

+ ::: moniker range=">=iotedge-2020-11"

+ A successful status response shows the `aziot` services as running or ready.

+ ::: moniker-end

+1. To troubleshoot the service, retrieve the service logs.

+ <!-- 1.1 -->

+ ::: moniker range="iotedge-2018-06"

+ ::: moniker-end

+ <!-- iotedge-2020-11 -->

+ ::: moniker range=">=iotedge-2020-11"

+ ::: moniker-end

+1. Use the `check` tool to verify configuration and connection status of the device.

+ You can expect a range of responses that may include **OK** (green), **Warning** (yellow), or **Error** (red).

+ :::image type="content" source="media/how-to-provision-single-device-linux-symmetric/config-checks.png" alt-text="Screenshot of sample responses from the check command." lightbox="media/how-to-provision-single-device-linux-symmetric/config-checks.png":::

+ >[!TIP]

+ >Always use `sudo` to run the check tool, even after your permissions are updated. The tool needs elevated privileges to access the config file to verify configuration status.

+ >[!NOTE]

+ >On a newly provisioned device, you may see an error related to IoT Edge Hub:

+ >

+ >**× production readiness: Edge Hub's storage directory is persisted on the host filesystem - Error**

+ >**Could not check current state of edgeHub container**

+ >

+ >This error is expected on a newly provisioned device because the IoT Edge Hub module is not yet running. Be sure your IoT Edge modules were deployed in the previous steps. Deployment resolves this error.

+ >

+ >Alternatively, you may see a status code as `417 -- The device's deployment configuration is not set`. Once your modules are deployed, this status will change.

+ >

+1. When the service starts for the first time, you should only see the **edgeAgent** module running. The edgeAgent module runs by default and helps to install and start any additional modules that you deploy to your device.

+ Check that your device and modules are deployed and running, by viewing your device page in the Azure portal.

+ :::image type="content" source="media/how-to-provision-single-device-linux-symmetric/modules-deployed.png" alt-text="Screenshot of IoT Edge modules deployed and running confirmation in the Azure portal.":::

+ Once your modules are deployed and running, list them in your device or virtual machine with the following command:

+* Installing IoT Edge while offline

+* Installing a release candidate version

+Use the steps in this section if you want to install a [specific version of the Azure IoT Edge runtime](version-history.md) that isn't available through your package manager. The Microsoft package list only contains a limited set of recent versions and their sub-versions, so these steps are for anyone who wants to install an older version or a release candidate version.

+* Manage communication between:

+ - Downstream devices and IoT Edge devices

+ - Modules on an IoT Edge device

+ - An IoT Edge device and the cloud

+ - IoT Edge devices

+If you're running an older version of IoT Edge, then upgrading may resolve your issue. The `iotedge check` tool checks that the IoT Edge security daemon is the latest version, but doesn't check the versions of the IoT Edge hub and agent modules. To check the version of the runtime modules on your device, use the commands `iotedge logs edgeAgent` and `iotedge logs edgeHub`. The version number is declared in the logs when the module starts up.

+By default the Moby container engine doesn't set container log size limits. Over time extensive logs can lead to the device filling up with logs and running out of disk space. If large container logs are affecting your IoT Edge device performance, use the following command to force remove the container along with its related logs.

+While IoT Edge provides enhanced configuration for securing Azure IoT Edge runtime and deployed modules, it's still dependent on the underlying machine and network configuration. Hence, it's imperative to ensure proper network and firewall rules are set up for secure edge to cloud communication. The following table can be used as a guideline when configuration firewall rules for the underlying servers where Azure IoT Edge runtime is hosted:

+|MQTT|8883|BLOCKED (Default)|BLOCKED (Default)|<ul> <li>Configure Outgoing (Outbound) to be Open when using MQTT as the communication protocol.<li>1883 for MQTT isn't supported by IoT Edge. <li>Incoming (Inbound) connections should be blocked.</ul>|

+|AMQP|5671|BLOCKED (Default)|OPEN (Default)|<ul> <li>Default communication protocol for IoT Edge. <li> Must be configured to be Open if Azure IoT Edge isn't configured for other supported protocols or AMQP is the desired communication protocol.<li>5672 for AMQP isn't supported by IoT Edge.<li>Block this port when Azure IoT Edge uses a different IoT Hub supported protocol.<li>Incoming (Inbound) connections should be blocked.</ul></ul>|

+|HTTPS|443|BLOCKED (Default)|OPEN (Default)|<ul> <li>Configure Outgoing (Outbound) to be Open on 443 for IoT Edge provisioning. This configuration is required when using manual scripts or Azure IoT Device Provisioning Service (DPS). <li><a id="anchortext">Incoming (Inbound) connection</a> should be Open only for specific scenarios: <ul> <li> If you have a transparent gateway with downstream devices that may send method requests. In this case, Port 443 doesn't need to be open to external networks to connect to IoTHub or provide IoTHub services through Azure IoT Edge. Thus the incoming rule could be restricted to only open Incoming (Inbound) from the internal network. <li> For Client to Device (C2D) scenarios.</ul><li>80 for HTTP isn't supported by IoT Edge.<li>If non-HTTP protocols (for example, AMQP or MQTT) can't be configured in the enterprise; the messages can be sent over WebSockets. Port 443 will be used for WebSocket communication in that case.</ul>|

+Sometimes, a system might require significant special modification to work with existing networking or operating system constraints. For example, a system could require a different data disk mount and proxy settings. If you tried all previous steps and still get container failures, the docker system caches or persisted network settings might not up to date with the latest reconfiguration. In this case, the last resort option is to use [`docker prune`](https://docs.docker.com/engine/reference/commandline/system_prune/) get a clean start from scratch.

+The following command stops the IoT Edge system (and thus all containers), uses the "all" and "volume" option for `docker prune` to remove all containers and volumes. Review the warning that the command issues and confirm with `y` when ready.

+Once you've created your import manifest and saved it as a JSON file, you're ready to [import your update](import-update.md).

+### Generate import manifest

+The delta update feature uses a capability called [related files](related-files.md), which requires an import manifest that is version 5 or later.

+To create an import manifest for your delta update using the related files feature, you'll need to add [relatedFiles](import-schema.md#relatedfiles-object) and [downloadHandler](import-schema.md#downloadhandler-object) objects to your import manifest.

+Use the `relatedFiles` object to specify information about the delta update file, including the file name, file size and sha256 hash. Importantly, you also need to specify two properties which are unique to the delta update feature:

+Use the `downloadHandler` object to specify how the Device Update agent will orchestrate the delta update, using the related files feature. Unless you are customizing your own version of the Device Update agent for delta functionality, you should only use this downloadHandler:

+You can use the Azure Command Line Interface (CLI) to generate an import manifest for your delta update. If you haven't used the Azure CLI to create an import manifest before, see [Create a basic import manifest](create-update.md#create-a-basic-device-update-import-manifest).

+az iot du update init v5

+--update-provider <replace with your Provider> --update-name <replace with your update Name> --update-version <replace with your update Version> --compat manufacturer=<replace with the value your device will report> model=<replace with the value your device will report> --step handler=microsoft/swupdate:2 properties=<replace with any desired handler properties (JSON-formatted), such as '{"installedCriteria": "1.0"}'> --file path=<replace with path(s) to your update file(s), including the full file name> downloadHandler=microsoft/delta:1 --related-file path=<replace with path(s) to your delta file(s), including the full file name> properties='{"microsoft.sourceFileHashAlgorithm": "sha256", "microsoft.sourceFileHash": "<replace with the source SWU image file hash>"}'

+For more information, see [Use the related files feature to reference multiple update files](related-files.md).

+To import an update, you first upload the update files and import manifest into an Azure Storage container. Then, you import the update from Azure Storage into Device Update for IoT Hub, where it will be stored for you to deploy to devices.

+ Title: Related files for Device Update for Azure IoT Hub

+description: Create import manifests that reference multiple update files using the Device Update for IoT Hub related files feature.

+# Use the related files feature to reference multiple update files

+When importing an update to Device Update for IoT Hub, an import manifest containing metadata about the update payload is required. The file-level metadata in the import manifest can be a flat list of update payload files in the simplest case. However, for more advanced scenarios, the related files feature provides a way for you to specify relationships between multiple update files.

+## How to define related files

+The related files feature is available for import manifests that are version 5 or later.

+When you add related files to an import manifest, include the following information:

+* File details

+ Define the related files by providing the filename, size, and hash.

+* A download handler

+ Specify how to process these related files to produce the target file. You specify the processing approach by including a `downloadHandler` property in your import manifest. Including `downloadHandler` is required if you specify a non-empty collection of `relatedFiles` in a `file` element. You can specify a `downloadHandler` using a simple `id` property. The Download handler `id` has a limit of 64 ASCII characters.

+* Related files properties

+ You can provide extra metadata for the update handler on your device to know how to interpret and properly use the files that you've specified as related files. This metadata is added as part of a `properties` property bag to the `file` and `relatedFile` objects.

+For more information about the import schema for related files, see [relatedFiles object](import-schema.md#relatedfiles-object).

+## Example import manifest using related files

+The following sample import manifest demonstrates how the related files feature is used to import a delta update. In this example, you can see that in the `files` section, there's a full image specified (`full-image-file-name`) with a `properties` item. The `properties` item in turn has an associated `relatedFiles` item below it. Within the `relatedFiles` section, you can see another `properties` section for the delta update file (`delta-from-v1-file-name`), and also a `downloadHandler` item with the appropriate `id` listed (`microsoft/delta:1`).

+>[!NOTE]

+>This example uses delta updates to demonstrate how to reference related files. If you want to use delta updates as a feature, learn more in the [delta update documentation](delta-updates.md).

+## Example init command using related files

+The [az iot du init v5](/cli/azure/iot/du/update/init#az-iot-du-update-init-v5) command for creating an import manifest supports an optional `--related-file` parameter.

+The `--related-file` parameter takes a `path` and `properties` key:

+```azurecli

+--related-file path=<replace with path(s) to your delta file(s), including the full file name> properties='{"microsoft.sourceFileHashAlgorithm": "sha256", "microsoft.sourceFileHash": "<replace with the source SWU image file hash>"}'

+```

+For example:

+```azurecli

+az iot du update init v5 \

+--update-provider Microsoft --update-name myBundled --update-version 2.0 \

+--compat manufacturer=Contoso model=SpaceStation \

+--step handler=microsoft/script:1 properties='{"arguments": "--pre"}' description="Pre-install script" \

+--file path=/my/update/scripts/preinstall.sh downloadHandler=microsoft/delta:1 \

+--related-file path=/my/update/scripts/related_preinstall.json properties='{"microsoft.sourceFileHashAlgorithm": "sha256"}' \

+--step updateId.provider=Microsoft updateId.name=SwUpdate updateId.version=1.1 \

+--step handler=microsoft/script:1 properties='{"arguments": "--post"}' description="Post-install script" \

+--file path=/my/update/scripts/postinstall.sh

+```

+* Learn about [import manifest schema](import-schema.md)

+* Learn about [delta updates](delta-updates.md)

+Azure Key Vault provides two types of resources to store and manage cryptographic keys. Vaults support software-protected and HSM-protected (Hardware Security Module) keys. Managed HSMs only support HSM-protected keys.

+A Key Vault customer would like to securely transfer a key from their on-premises HSM outside Azure, into the HSM backing Azure Key Vault. The process of importing a key generated outside Key Vault is referred to as Bring Your Own Key (BYOK).

+Wrapping Key|AES|Vendor HSM|An [ephemeral] AES key generated by HSM on-premises

+* In some cases, the KEK and wrapping key may need to be marked as CKA_TRUSTED, which allows it to be used to wrap keys in the HSM.

+> Several of these steps can be performed using other interfaces such as Azure PowerShell and Azure Portal. They can also be performed programmatically using equivalent functions in Key Vault SDK.

+### Generate KEK

+### Retrieve the public key of the KEK

+### Generate key transfer blob using HSM vendor provided BYOK tool

+* dir = Direct mode, that is, the referenced kid is used to directly protect the ciphertext that is an accurate representation of CKM_RSA_AES_KEY_WRAP

+### Upload key transfer blob to import HSM-key

+To import an RSA key, use this command:

+> This functionality is not available for Azure China 21Vianet.

+>

+> This import method is available only for [supported HSMs](#supported-hsms).

+* In the offline computer, use the BYOK tool provided by your HSM vendor to create a BYOK file.

+* [Step 1: Generate a KEK](#generate-a-kek)

+* [Step 2: Download the KEK public key](#download-the-kek-public-key)

+* [Step 3: Generate and prepare your key for transfer](#generate-and-prepare-your-key-for-transfer)

+* [Step 4: Transfer your key to Azure Key Vault](#transfer-your-key-to-azure-key-vault)

+### Generate a KEK

+Use the [az keyvault key create](/cli/azure/keyvault/key#az-keyvault-key-create) command to create a KEK that has key operations set to `import`. Record the key identifier (`kid`) that's returned from the following command. (You will use the `kid` value in [Step 3](#generate-and-prepare-your-key-for-transfer).)

+### Download the KEK public key

+### Generate and prepare your key for transfer

+Refer to your HSM vendor's documentation to download and install the BYOK tool. Follow instructions from your HSM vendor to generate a target key, and then create a key transfer package (a BYOK file). The BYOK tool will use the `kid` from [Step 1](#generate-a-kek) and the KEKforBYOK.publickey.pem file you downloaded in [Step 2](#download-the-kek-public-key) to generate an encrypted target key in a BYOK file.

+### Transfer your key to Azure Key Vault

+Use this article to help you plan for, generate, and then transfer your own HSM-protected keys to use with Azure Key Vault.

+This functionality isn't available for Azure China 21Vianet.

+* The key is encrypted with a Key Exchange Key (KEK), which stays encrypted until it's transferred to the Azure Key Vault HSMs. Only the encrypted version of your key leaves the original workstation.

+* The toolset includes attestation from nCipher that the Azure Key Vault security world was also generated on a genuine HSM manufactured by nCipher. This attestation demonstrates that Microsoft is using genuine hardware.

+nCipher Security, an Entrust Datacard company, is a leader in the general purpose HSM market, empowering world-leading organizations by delivering trust, integrity and control to their business critical information and applications. nCipher's cryptographic solutions secure emerging technologies ΓÇô cloud, IoT, blockchain, digital payments ΓÇô and help meet new compliance mandates, using the same proven technology that global organizations depend on today to protect against threats to their sensitive data, network communications and enterprise infrastructure. nCipher delivers trust for business critical applications, ensuring the integrity of data and putting customers in complete control ΓÇô today, tomorrow, always.

+Use the following information and procedures if you will generate your own HSM-protected key and then transfer it to Azure Key Vault. This is known as the Bring Your Own Key (BYOK) scenario.

+| The following hardware and software:<ol><li>An offline x64 workstation with a minimum Windows operation system of Windows 7 and nCipher nShield software that is at least version 11.50.<br/><br/>If this workstation runs Windows 7, you must [install Microsoft .NET Framework 4.5](https://download.microsoft.com/download/b/a/4/ba4a7e71-2906-4b2d-a0e1-80cf16844f5f/dotnetfx45_full_x86_x64.exe).</li><li>A workstation that is connected to the Internet and has a minimum Windows operating system of Windows 7 and [Azure PowerShell](/powershell/azure/) **minimum version 1.1.0** installed.</li><li>A USB drive or other portable storage device that has at least 16-MB free space.</li></ol> |For security reasons, we recommend that the first workstation is not connected to a network. However, this recommendation is not programmatically enforced.<br/><br/>In the instructions that follow, this workstation is referred to as the disconnected workstation.</p></blockquote><br/>In addition, if your tenant key is for a production network, we recommend that you use a second, separate workstation to download the toolset, and upload the tenant key. But for testing purposes, you can use the same workstation as the first one.<br/><br/>In the instructions that follow, this second workstation is referred to as the Internet-connected workstation.</p></blockquote><br/> |

+You'll use the following five steps to generate and transfer your key to an Azure Key Vault HSM:

+* [Step 1: Prepare your Internet-connected workstation](#prepare-your-internet-connected-workstation)

+* [Step 2: Prepare your disconnected workstation](#prepare-your-disconnected-workstation)

+* [Step 3: Generate your key](#generate-your-key)

+* [Step 4: Prepare your key for transfer](#prepare-your-key-for-transfer)

+* [Step 5: Transfer your key to Azure Key Vault](#transfer-your-key-to-azure-key-vault)

+## Prepare your Internet-connected workstation

+### Install Azure PowerShell

+### Get your Azure subscription ID

+From the output, locate the ID for the subscription you will use for Azure Key Vault. You'll need this subscription ID later.

+### Download the BYOK toolset for Azure Key Vault

+## Prepare your disconnected workstation

+### Prepare the disconnected workstation with nCipher nShield HSM

+Ensure that the nCipher tools are in your path (**%nfast_home%\bin**). For example, type :

+### Install the BYOK toolset on the disconnected workstation

+Copy the BYOK toolset package from the USB drive or other portable storage, and then:

+## Generate your key

+### Change the HSM mode to 'I'

+### Create a security world

+> If your HSM does not support the newer cypher suite DLf3072s256mRijndael, you can replace `--cipher-suite= DLf3072s256mRijndael` with `--cipher-suite=DLf1024s160mRijndael`.

+Then:

+### Change the HSM mode to 'O'

+### Validate the downloaded package

+### Create a new key

+## Prepare your key for transfer

+### Create a copy of your key with reduced permissions

+When you run this command, replace *contosokey* with the same value you specified in **Step 3.5: Create a new key** from the [Generate your key](#generate-your-key) step.

+ When you run these commands, replace contosokey with the same value you specified in **Step 3.5: Create a new key** from the [Generate your key](#generate-your-key) step.

+### Encrypt your key by using Microsoft's Key Exchange Key

+* Replace *contosokey* with the identifier that you used to generate the key in **Step 3.5: Create a new key** from the [Generate your key](#generate-your-key) step.

+* Replace *SubscriptionID* with the ID of the Azure subscription that contains your key vault. You retrieved this value previously, in **Step 1.2: Get your Azure subscription ID** from the [Prepare your Internet-connected workstation](#prepare-your-internet-connected-workstation) step.

+### Copy your key transfer package to the Internet-connected workstation

+## Transfer your key to Azure Key Vault

+Transferring HSM-protected keys to Key Vault is supported via two different methods depending on the HSMs you use. Use this table to determine which method should be used for your HSMs to generate, and then transfer your own HSM-protected keys to use with Azure Key Vault.

+|[nCipher](https://www.ncipher.com/products/key-management/cloud-microsoft-azure)|Manufacturer,<br/>HSM as a Service|<ul><li>nShield family of HSMs</li><li>nShield as a service</ul>|**Method 1:** [nCipher BYOK](hsm-protected-keys-ncipher.md) (deprecated). This method will not be supported after <strong>June 30, 2021</strong><br/>**Method 2:** [Use new BYOK method](hsm-protected-keys-byok.md) (recommended)<br/>See the Entrust row. |

+ Title: Set up an ethical hacking lab

+description: Learn how to set up a lab to teach ethical hacking using Azure Lab Services.

+# Set up a lab to teach ethical hacking class by using Azure Lab Services

+This article shows you how to set up a class that focuses on the forensics side of ethical hacking with Azure Lab Services. In an ethical hacking class, students can learn modern techniques for defending against vulnerabilities. Penetration testing, a practice that the ethical hacking community uses, occurs when someone attempts to gain access to the system or network to demonstrate vulnerabilities that a malicious attacker may exploit.

+Each student gets a Windows Server host virtual machine (VM) that has two nested virtual machines: one VM with [Metasploitable3](https://github.com/rapid7/metasploitable3) image and another VM with the [Kali Linux](https://www.kali.org/) image. You use the Metasploitable VM for exploiting purposes. The Kali VM provides access to the tools you need to execute forensic tasks.

+## Prerequisites

+## Lab configuration

+To configure the template VM, complete the following three tasks:

+1. Set up the machine for nested virtualization. You enable all the appropriate windows features, like Hyper-V, and set up the networking for the Hyper-V images to be able to communicate with each other and the internet.

+3. Set up the Metasploitable image. For this example, you use the [Metasploitable3](https://github.com/rapid7/metasploitable3) image. This image is created to purposely have security vulnerabilities.

+You can complete these tasks in either of two ways:

+- Run the following PowerShell scripts on the template machine: [Lab Services Hyper-V Script](https://aka.ms/azlabs/scripts/hyperV) and [Lab Services Ethical Hacking Script](https://aka.ms/azlabs/scripts/EthicalHacking). Once the scripts have completed, continue to the [Next steps](#next-steps).

+- Set up the template machine manually by completing the steps outlined below.

+Follow the instructions to [enable nested virtualization](how-to-enable-nested-virtualization-template-vm.md) to prepare your template VM for nested virtualization.

+### Set up a nested virtual machine with Kali Linux image

+Kali is a Linux distribution that includes tools for penetration testing and security auditing. To install the Kali nested VM on the template VM:

+1. Connect to the template VM by using remote desktop.

+1. Download the image from [Offensive Security Kali Linux VM images](https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image-download/). Remember the default username and password noted on the download page.

+1. Convert the extracted vmdk file to a Hyper-V vhdx file with StarWind V2V Converter.

+ 1. Download and install [StarWind V2V Converter](https://www.starwindsoftware.com/starwind-v2v-converter#download).

+### Set up a nested VM with Metasploitable image

+The Rapid7 Metasploitable image is an image purposely configured with security vulnerabilities. You use this image to test and find issues. The following instructions show you how to use a pre-created Metasploitable image. However, if a newer version of the Metasploitable image is needed, see [https://github.com/rapid7/metasploitable3](https://github.com/rapid7/metasploitable3).

+To install the Metasploitable nested VM on the template VM:

+1. Connect to the template VM by using remote desktop.

+

+ > [!NOTE]

+ > You can check for newer versions of the Metasploitable image on [https://github.com/rapid7/metasploitable3](https://github.com/rapid7/metasploitable3).

+ 3. When the download finishes, extract the zip file, and remember the location of the *Metasploitable.vmdk* file.

+1. Convert the extracted vmdk file to a Hyper-V vhdx file with StarWind V2V Converter.

+ 1. Download and install [StarWind V2V Converter](https://www.starwindsoftware.com/starwind-v2v-converter#download).

+The template is now updated and has the nested VM images needed for an ethical hacking penetration testing class: an image with tools to do the penetration testing, and another image with security vulnerabilities to discover. You can now [publish the template VM](how-to-create-manage-template.md#publish-the-template-vm) to the class.

+>This cost estimate is for example purposes only. For current details on pricing, see [Azure Lab Services Pricing](https://azure.microsoft.com/pricing/details/lab-services/).

+In this article, you went through the steps to create a lab for ethical hacking class. The lab VM contains two nested virtual machines to practice penetrating testing.

+ For example, when you use the `replace` filter, use `Replace`, not `replace`. The same rule applies if you try out examples at [DotLiquid online](https://github.com/dotliquid/dotliquid/tree/master/src/DotLiquid.Website/Views/TryOnline). For more information, see [Shopify Liquid filters](https://shopify.dev/docs/themes/liquid/reference/filters) and [DotLiquid Liquid filters](https://github.com/dotliquid/dotliquid/wiki/DotLiquid-for-Developers#create-your-own-filters). The Shopify specification includes examples for each filter, so for comparison, you can try these examples at [DotLiquid - Try online](https://github.com/dotliquid/dotliquid/tree/master/src/DotLiquid.Website/Views/TryOnline).

+* [DotLiquid](https://github.com/dotliquid/dotliquid/)

+* [DotLiquid - Try online](https://github.com/dotliquid/dotliquid/tree/master/src/DotLiquid.Website/Views/TryOnline)

+## DeepSpeed

+[DeepSpeed](https://www.deepspeed.ai/tutorials/azure/) is supported as a first-class citizen within Azure Machine Learning to run distributed jobs with near linear scalabibility in terms of 

+* Increase in model size

+* Increase in number of GPUs

+`DeepSpeed` can be enabled using either Pytorch distribution or MPI for running distributed training. Azure Machine Learning supports the `DeepSpeed` launcher to launch distributed training as well as autotuning to get optimal `ds` configuration.

+You can use a [curated environment](resource-curated-environments.md#azure-container-for-pytorch-acpt-preview) for an out of the box environment with the latest state of art technologies including `DeepSpeed`, `ORT`, `MSSCCL`, and `Pytorch` for your DeepSpeed training jobs.

+* [Reference architecture for distributed deep learning training in Azure](/azure/architecture/reference-architectures/ai/training-deep-learning)

+* Base image

+ * Provide base image name, repository from which to pull it, and credentials if needed

+ * Provide a conda specification

+* Base Dockerfile

+ * Provide a Dockerfile

+ * Provide a conda specification

+* Docker build context

+ * Provide the location of the build context (URL)

+ * The build context must contain at least a Dockerfile, but may contain other files as well

+* Docker image

+ * Provide the image URI of the image hosted in a registry such as Docker Hub or Azure Container Registry

+ * [Sample here](https://aka.ms/azureml/environment/create-env-docker-image-v2)

+* Docker build context

+ * Specify the directory that will serve as the build context

+ * The directory should contain a Dockerfile and any other files needed to build the image

+ * [Sample here](https://aka.ms/azureml/environment/create-env-build-context-v2)

+* Conda specification

+ * You must specify a base Docker image for the environment; the conda environment will be built on top of the Docker image provided

+ * Provide the relative path to the conda file

+ * [Sample here](https://aka.ms/azureml/environment/create-env-conda-spec-v2)

+```python

+* `base_image`

+* `base_dockerfile`

+* `build_context`

+* See [DockerSection](https://aka.ms/azureml/environment/docker-section-class)

+* `image`

+* `build`

+* See [azure.ai.ml.entities.Environment](https://aka.ms/azureml/environment/environment-class-v2)

+```python

+* `base_image`

+* `base_dockerfile`

+* `build_context`

+* See [DockerSection](https://aka.ms/azureml/environment/docker-section-class)

+* `image`

+* `build`

+* See [azure.ai.ml.entities.Environment](https://aka.ms/azureml/environment/environment-class-v2)

+```python

+```python

+```python

+```python

+```python

+```python

+```python

+<!--issueDescription-->

+**Potential causes:**

+* You specified a location type for your Docker build context that isn't supported or is unknown

+**Affected areas (symptoms):**

+* Failure in registering your environment

+<!--/issueDescription-->

+**Troubleshooting steps**

+*Applies to: Python SDK v1*

+The following are accepted location types:

+* Git

+ * Git URLs can be provided to AzureML, but images can't yet be built using them. Use a storage account until builds have Git support

+* Storage account

+ * See this [storage account overview](../storage/common/storage-account-overview.md)

+ * See how to [create a storage account](../storage/common/storage-account-create.md)

+

+**Resources**

+* See [DockerBuildContext Class](/python/api/azureml-core/azureml.core.environment.dockerbuildcontext)

+* [Understand build context](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#understand-build-context)

+<!--issueDescription-->

+**Potential causes:**

+* The specified location of your Docker build context is invalid

+**Affected areas (symptoms):**

+* Failure in registering your environment

+<!--/issueDescription-->

+**Troubleshooting steps**

+*Applies to: Python SDK v1*

+For scenarios in which you're storing your Docker build context in a storage account

+* The path of the build context must be specified as `https://<storage-account>.blob.core.windows.net/<container>/<path>`

+* Ensure that the location you provided is a valid URL

+* Ensure that you've specified a container and a path

+

+**Resources**

+* See [DockerBuildContext Class](/python/api/azureml-core/azureml.core.environment.dockerbuildcontext)

+* [Python SDK/Azure CLI v2 sample](https://aka.ms/azureml/environment/create-env-build-context-v2)

+* [Understand build context](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#understand-build-context)

+<!--issueDescription-->

+**Potential causes:**

+* You used a deprecated base image

+ * AzureML can't provide troubleshooting support for failed builds with deprecated images

+ * These images aren't updated or maintained, so they're at risk of vulnerabilities

+The following base images are deprecated:

+* `azureml/base`

+* `azureml/base-gpu`

+* `azureml/base-lite`

+* `azureml/intelmpi2018.3-cuda10.0-cudnn7-ubuntu16.04`

+* `azureml/intelmpi2018.3-cuda9.0-cudnn7-ubuntu16.04`

+* `azureml/intelmpi2018.3-ubuntu16.04`

+* `azureml/o16n-base/python-slim`

+* `azureml/openmpi3.1.2-cuda10.0-cudnn7-ubuntu16.04`

+* `azureml/openmpi3.1.2-ubuntu16.04`

+* `azureml/openmpi3.1.2-cuda10.0-cudnn7-ubuntu18.04`

+* `azureml/openmpi3.1.2-cuda10.1-cudnn7-ubuntu18.04`

+* `azureml/openmpi3.1.2-cuda10.2-cudnn7-ubuntu18.04`

+* `azureml/openmpi3.1.2-cuda10.2-cudnn8-ubuntu18.04`

+* `azureml/openmpi3.1.2-ubuntu18.04`

+* `azureml/openmpi4.1.0-cuda11.0.3-cudnn8-ubuntu18.04`

+* `azureml/openmpi4.1.0-cuda11.1-cudnn8-ubuntu18.04`

+**Affected areas (symptoms):**

+* Failure in registering your environment

+<!--/issueDescription-->

+**Troubleshooting steps**

+Upgrade your base image to a latest version of supported images

+* See available [base images](https://github.com/Azure/AzureML-Containers/tree/master/base)

+<!--issueDescription-->

+**Potential causes:**

+* You didn't include a version tag or a digest on your specified base image

+* Without one of these, the environment isn't reproducible

+**Affected areas (symptoms):**

+* Failure in registering your environment

+<!--/issueDescription-->

+**Troubleshooting steps**

+Include at least one of the following on your specified base image

+* Version tag

+* Digest

+* See [image with immutable identifier](https://aka.ms/azureml/environment/pull-image-by-digest)

+<!--issueDescription-->

+**Potential causes:**

+* You specified runtime variables in your environment definition

+**Affected areas (symptoms):**

+* Failure in registering your environment

+<!--/issueDescription-->

+**Troubleshooting steps**

+*Applies to: Python SDK v1*

+Use the `environment_variables` attribute on the [RunConfiguration object](https://aka.ms/azureml/environment/environment-variables-on-run-config) instead

+<!--issueDescription-->

+**Potential causes:**

+* Your environment definition doesn't have a Python section

+**Affected areas (symptoms):**

+* Failure in registering your environment

+<!--/issueDescription-->

+**Troubleshooting steps**

+*Applies to: Python SDK v1*

+Populate the Python section of your environment definition

+* See [PythonSection class](https://aka.ms/azureml/environment/environment-python-section)

+<!--issueDescription-->

+**Potential causes:**

+* You haven't specified a Python version in your environment definition

+**Affected areas (symptoms):**

+* Failure in registering your environment

+<!--/issueDescription-->

+**Troubleshooting steps**

+*Applies to: Python SDK v1*

+Add Python as a conda package and specify the version

+*Applies to: all scenarios*

+If you're using a yaml for your conda specification, include Python as a dependency

+```yaml

+name: project_environment

+dependencies:

+ - python=3.8

+ - pip:

+ - azureml-defaults

+channels:

+ - anaconda

+```

+**Resources**

+* [Add conda package v1](https://aka.ms/azureml/environment/add-conda-package-v1)

+```python

+```yaml

+```yaml

+```yaml

+ - conda-forge

+ - anaconda

+ - python = 3.8

+ - tensorflow = 2.8

+```python

+* Get credentials for your workspace ACR from the Azure portal

+| `api_version` | The API version to use with REST API calls. Defaults to `2022-10-01` | `2022-10-01` |

+| `endpoint_output_uri` | The endpoint's output data file. It must be a path to an output file in a Data Store attached to the Machine Learning workspace. Not other type of URIs is supported. You can use the default Azure Machine Learning data store, named `workspaceblobstore`. | `azureml://datastores/workspaceblobstore/paths/batch/predictions.csv` |

+| `api_version` | The API version to use with REST API calls. Defaults to `2022-10-01` | `2022-10-01` |

+| `endpoint_output_uri` | The endpoint's output data file. It must be a path to an output file in a Data Store attached to the Machine Learning workspace. Not other type of URIs is supported. You can use the default Azure Machine Learning data store, named `workspaceblobstore`. | `azureml://datastores/workspaceblobstore/paths/batch/predictions.csv` |

+# Best practices for monitoring Azure Database for MySQL

+ Title: Performance benchmarking considerations and best practices - Azure Database for MySQL

+description: This article describes some considerations and best practices to apply when conducting performance benchmarks on Azure Database for MySQL servers.

+# Best practices for benchmarking the performance of Azure Database for MySQL servers

+Performance is a hallmark of any application, and itΓÇÖs vital to define a clear strategy for analyzing and assessing how a database performs when handling an application's variable workload requirements.

+This article provides considerations and best practices for running performance benchmarks against Azure Database for MySQL servers.

+## Performance testing

+Benchmarking the performance of relational database systems synthetically may at first seem like a trivial task. After all, itΓÇÖs relatively easy to assess the performance of individual queries manually and even to launch simple synthetic tests using one of the available benchmarking tools. These types of tests take little time and quickly produce easy to understand results.

+However, benchmarking the performance of real-world production systems requires a lot of additional effort. ItΓÇÖs not easy to design, implement, and run tests that are truly representative of production workloads. ItΓÇÖs even more difficult to make decisions about production data stacks based on the results of a series of benchmarks that are performed in an isolated environment.

+## Performance testing methodologies

+### Synthetic benchmarks

+Synthetic testing is designed to put stress on a database system using artificial workload samples that simulate repeatable results in a database environment. This allows customers to perform comparisons between multiple environments to gauge the right database resource for their production deployments.

+There are several benefits associated with using synthetic benchmarks. For example, they:

+- Are predictable, repeatable, and allow for selective testing (e.g., write-only tests, read-only tests, a mix of write and read tests, and targeted tests against a table).

+- Provide overall results that can be represented using simple metrics (e.g., ΓÇ£queries per secondΓÇ¥, ΓÇ£transactions per secondΓÇ¥ etc.).

+- DonΓÇÖt require application or environment-specific knowledge to build and run.

+- Can be performed quickly and with little to no preparation.

+However, there are also associated drawbacks, in that:

+- Artificial workload samples aren't representative of real-world application traffic.

+- Results can't be used to accurately predict the performance of production workloads.

+- They may not expose product-specific performance characteristics when used to test different database products.

+- ItΓÇÖs easy to perform the tests incorrectly and produce results that are even less representative.

+Synthetic tests are handy for quick comparisons between products. You can also use them to implement continuous performance monitoring mechanisms. For example, you may run a test suite every weekend to validate the baseline performance of your database system, detect anomalies, and predict long-term performance patterns (e.g., query latency degradation as a result of data growth).

+### Real-world benchmarks

+With real-world testing, the database is presented with workload samples that closely resemble production traffic. You can achieve this directly, by replaying a log of production queries and measuring database performance. You can also achieve this indirectly, by running the test at the application level and measuring application performance on a given database server.

+There are several benefits associated with using real-world benchmarks, in that they:

+- Provide an accurate view of system performance in real production conditions.

+- May reveal application or database-specific characteristics that simplified synthetic tests wouldn't.

+- Help with capacity planning related to application growth.

+There are also certain disadvantages: Real-world benchmarks:

+- Are difficult to design and run.

+- Must be maintained to ensure relevancy as the application evolves.

+- Provide results that are meaningful only in the context of a given application.

+When you're preparing for a major change to your environment, e.g., when deploying a new database product, it's strongly recommended to use real-world tests. In such a situation, a comprehensive benchmark run using actual production workload will be of significant help. It will not only provide accurate results you can trust, but also remove or at least greatly reduce the number of ΓÇ£unknownsΓÇ¥ about your system.

+## Choosing the ΓÇ£rightΓÇ¥ test methodology

+The ΓÇ£rightΓÇ¥ test methodology for your purposes depends entirely on the objective of your testing.

+If youΓÇÖre looking to quickly compare different database products using artificial data and workload samples, you can safely use an existing benchmark program that will generate data and run the test for you.

+To accurately assess the performance of an actual application that you intend to run on a new database product, you should perform real-world benchmark tests. Each application has a unique set of requirements and performance characteristics, and it's strongly suggested that you include real-world benchmark testing in all performance evaluations.

+For guidelines on preparing and running synthetic and real-world benchmarks, see the following sections later in this post:

+- Preparing and running synthetic tests

+- Preparing and run real-world tests

+## Performance testing best practices

+### Server-specific recommendations

+#### Server sizing

+When launching Azure Database for MySQL instances to perform benchmarking, use an Azure Database for MySQL instance tier, SKU, and instance count that matches your current database environment.

+For example:

+- If your current server has eight CPU cores and 64 GB of memory, itΓÇÖs best to choose an instance based on the Standard_E8ds_v4 SKU.

+- If your current database environment uses Read Replicas, use Azure Database for MySQL read replicas.

+Depending on the results of your benchmark testing, you may decide to use different instance sizes and counts in production. However, itΓÇÖs still a good practice to ensure that the initial specifications of test instances are close to your current server specifications to provide a more accurate, ΓÇ£apples-to-applesΓÇ¥ comparison.

+#### Server configuration

+If the application/benchmark requires that certain database features be enabled, then prior to running the benchmark test, adjust the server parameters accordingly. For example, you may need to:

+- Set a non-default server time zone.

+- Set a custom ΓÇ£max_connectionsΓÇ¥ parameter if the default value isn't sufficient.

+- Configure the thread pool if your Azure Database for MySQL flexible server is running version 8.0.

+- Enable Slow Query Logs if you expect to use them in production so you can analyze any bottleneck queries.

+Other parameters, such as those related to the size of various database buffers and caches, are already pre-tuned in Azure Database for MySQL, and you can initially leave them set at their default values. While you can modify them, itΓÇÖs best to avoid making server parameter changes unless your performance benchmarks show that a given change does in fact improve performance.

+When performing tests comparing Azure Database for MySQL to other database products, be sure to enable all features that you expect to use in production on your test databases. For example, if you donΓÇÖt enable zone redundant HA, backups, and Read Replicas in your test environment, then your results may not accurately reflect real-world performance.

+### Client-specific recommendations

+All performance benchmarks involve the use of a client, so regardless of your chosen benchmarking methodology, be sure to consider the following client-side recommendations.

+- Make sure client instances exist in the same Azure Virtual Network (VNet) as the Azure Database for MySQL instance you are testing. For latency-sensitive applications, itΓÇÖs a good practice to place client instances in the same Availability Zone (AZ) as the database server.

+- If a production application is expected to run on multiple instances (e.g., an app server fleet behind a Load Balancer), itΓÇÖs a good practice to use multiple client instances when performing the benchmark.

+- Ensure that all client instances have adequate compute, memory, I/O, and network capacity to handle the benchmark. In other words, the clients must be able to produce requests faster than the database engine can handle them. All operating systems provide diagnostic tools (such as ΓÇ£topΓÇ¥, ΓÇ£htopΓÇ¥, ΓÇ£dstatΓÇ¥ or ΓÇ£iostatΓÇ¥ on Linux) that can help you diagnose resource utilization on client instances. It's strongly recommended that you leverage these tools and ensure that all client instances always have spare CPU, memory, network, and IO capacity while the benchmark is running.

+Note that even with a very large SKU, a single client instance may not always be able to generate requests quickly enough to saturate the database. Depending on the test configuration, Azure Database for MySQL can be capable of handling hundreds of thousands of read/write requests per second, which may be more than a single client can accommodate. To avoid client-side contention during heavy performance tests, itΓÇÖs therefore a common practice to run a benchmark from multiple client instances in parallel.

+> [!IMPORTANT]

+> If youΓÇÖre benchmarking your application using a traffic generator script or third-party tool (such as Apache Benchmark, Apache JMeter, or Siege), you should also evaluate the instance on which the tool is running using the recommendations called out previously.

+## Preparing and running synthetic tests

+Synthetic benchmarking tools such as sysbench are easy to install and run, but they typically require a certain degree of configuration and tuning before any given benchmark can achieve optimal results.

+### Table count and size

+The number and size of tables generated prior to benchmarking should be realistically large. For example, tests conducted on a single table with 100,000 rows are unlikely to yield useful results because such data set is likely smaller than virtually any real-world database. For comparison, a benchmark using several tables (e.g., 10-25) with 5 million rows each might be a more realistic representation of real time workload.

+### Test mode

+With most benchmark tools (including the popular sysbench), you can define the type of workload that you want to run against the server. For example, the tool can generate:

+- Read-only queries with identical syntax but different parameters.

+- Read-only queries of different types (point selects, range selects, selects with sorts, etc.).

+- Write-only statements that modify individual rows or ranges of rows.

+- A mix of read/write statements.

+You can use read-only or write-only workloads if youΓÇÖd like to test database performance and scalability in these specific scenarios. However, a representative benchmark should typically include a good mix of read/write statements, because this is the type of workload most OLTP databases have to handle.

+### Concurrency level

+Concurrency level is the number of threads simultaneously executing operations against the database. Most benchmark tools use a single thread by default, which isn't representative of real-world database environments, as databases are rarely used by a single client at a time.

+To test the theoretical peak performance of a database, use the following process:

+1. Run multiple tests using a different thread count for each test. For example, start with 32 threads, and then increase the thread count for each subsequent test (64, 128, 256, and so on).

+2. Continue to increase the thread count until database performance stabilizes - this is your peak theoretical performance.

+3. When you determine that database performance stops increasing at a given concurrency level, you can still attempt to increase the thread count a couple more times, which will show whether performance remains stable or begins to degrade.

+For more information, see the blog post [Benchmarking Azure Database for MySQL ΓÇô Flexible Server using Sysbench](https://techcommunity.microsoft.com/t5/azure-database-for-mysql-blog/benchmarking-azure-database-for-mysql-flexible-server-using/ba-p/3108799).

+## Preparing and running real-world tests

+Every application is unique in terms of data characteristics and performance requirements. As a result, itΓÇÖs somewhat difficult to come up with a single, universal list of steps that would be sufficient to prepare and run a representative, real-world benchmark in an arbitrary database environment.

+The ideas presented in this section are intended to make performance testing projects a little easier.

+### Preparing test data

+Before conducting performance benchmarks against your Azure Database for MySQL server, be sure that the server is populated with a representative sample of your production data set.

+Whenever possible, use a full copy of the production set. When this isnΓÇÖt possible, use the following suggestions to help you determine which portions of data you should always include and which data you can leave out.

+- The test server needs to include all objects (i.e., schemas, tables, functions, and procedures) that are directly used by the benchmark. Each table should be fully populated, i.e., it should contain all the rows it contains in production. If tables aren't fully populated (e.g., they only contain a small sample of the row set), benchmark results won't be representative.

+- Exclude tables that are used by production applications but that arenΓÇÖt part of continuous operational traffic. For example, if a database contains a live, operational data set as well as historical data used for analytics, the historical data may not be required to run benchmarks.

+- Populate all tables that you copy to the test server with real production data rather than artificial, programmatically generated samples.

+### Designing application benchmarks

+The high-level process for performing application benchmarks is as follows:

+1. Create an Azure Database for MySQL server and populate it with a copy of your production data.

+2. Deploy a copy of the application in Azure.

+3. Configure the application to use the Azure Database for MySQL server.

+4. Run load tests against the application and assess the results.

+This approach is primarily useful when you can easily deploy a copy of your application in Azure. It allows you to conduct performance assessment in the most thorough and accurate way, but there are still certain recommendations to keep in mind.

+- The tool used to generate application traffic must be able to generate a mix of requests representative of your production workload. For example, don't test by repeatedly accessing the same application URL, as this likely isn't representative of how your clients will use the application in the real world.

+- The pool of client and application instances must be powerful enough to generate requests, handle them, and receive responses from the database without introducing any bottlenecks.

+- Concurrency level (the number of parallel requests generated by the benchmark tool) should match or slightly exceed the expected peak concurrency level observed in your application.

+### Designing database benchmarks

+If you canΓÇÖt easily deploy a copy of your application in Azure, you'll need to perform the benchmark by running SQL statements directly against the database. To accomplish this, use the following high-level procedure:

+1. Identify the SQL statements that most commonly appear in your production workload.

+2. Based on the information gathered in the first step, prepare a large sample of SQL statements to test.

+3. Create an Azure Database for MySQL node and populate it with a copy of your production data.

+4. Launch Azure virtual machine (VM) client instance(s) in Azure.

+5. From the VMs, run the SQL workload sample against your Azure Database for MySQL server and assess the results.

+There are two main approaches to generating the test payload (SQL statement samples):

+- Observe/record the SQL traffic occurring in your current database, then generate SQL samples based on those observations. For details on how to record query traffic by leveraging a combination of audit logs and slow query logging in Azure Database for MySQL.

+- Use actual query logs as the payload. Third party tools such as ΓÇ£Percona PlaybackΓÇ¥ can generate multi-threaded workloads based on MySQL Slow Query Logs.

+If you decide to generate SQL sample manually, be sure that the sample contains:

+- **A large enough number of unique statements**.

+ Example: if you determine that the production workload uses 15 main types of statements, it isn't enough for the sample to contain a total of 15 statements (one per type). For such a small sample, the database would easily cache the required data in memory, making the benchmark non-representative. Instead, provide a large query sample for each statement type and the use the following additional recommendations.

+- **Statements of different types in the right proportions.**

+ Example: if you determine that your production workload uses 12 types of statements, it is likely that some types of statements appear more often than others. Your sample should reflect these proportions: if query A appears 10 times more often than query B in production workload, it should also appear 10 times more often in your sample.

+- **Query parameters that are realistically randomized.**

+ If you followed earlier recommendations and your query sample contains groups of queries of the same type/syntax, parameters of such queries should be randomized. If the sample contains one million queries of the same type and they're all identical (including parameters in WHERE conditions), the required data will easily be cached in database memory, making the benchmark non-representative.

+- **A statement execution order that is realistically randomized.**

+ If you follow the previous recommendations and your test payload contains many queries of different types, you should execute these queries in a realistic order. For example, the sample may contain 10 million SELECTs and 1 million UPDATES. In such a case, executing all SELECTs before all UPDATEs may not be the best choice as this is likely not how your application executes queries in real world. More likely, the application interleaves SELECTs and UPDATEs and your test should try to simulate that.

+When the query sample is ready, run it against the server by using a command line MySQL client or a tool such as mysqlslapv.

+## Running tests

+Regardless of whether youΓÇÖre running a synthetic benchmark or a real-world application performance test, there are several rules of thumb to follow to help ensure that you achieve more representative results.

+### Run tests against multiple instance types

+Assume that you decide to run benchmarks against a db.r3.2xlarge server and find that the application/query performance already meets your requirements. It's recommended also to run tests both against smaller and larger instance types, which provides two benefits:

+- Testing with smaller instance types may still yield good performance results and reveal potential cost saving opportunities.

+- Testing with larger instance types may provide ideas or insight about future scalability options.

+### Measure both sustained and peak performance

+The test strategy you choose should provide you with answers to whether the database will provide adequate:

+- Sustained performance - Will it perform as expected under the normal workload, when user traffic is smooth and well within expected levels?

+- Peak performance - Will it ensure application responsiveness during traffic spikes?

+Consider the following guidelines:

+- Ensure that test runs are long enough to assess database performance in a stable state. For example, a complex test that only lasts for 10 minutes will likely produce inaccurate results, as the database caches and buffers may not be able to warm up in such a short time.

+- Benchmarks can be a lot more meaningful and informative if the workload levels vary throughout the test. For example, if your application typically receives traffic from 64 simultaneous clients, start the benchmark with 64 clients. Then, while the test is still running, add 64 additional clients to determine how the server behaves during a simulated traffic spike.

+### Include blackout/brownout tests in the benchmark procedure

+Sustained server performance is a particularly important metric, likely to become the main point of focus during your tests. For mission-critical applications however, performance testing shouldn't stop at measuring server behavior in steady state.

+Consider including the following scenarios in your tests.

+- ΓÇ£BlackoutΓÇ¥ tests, which are designed to determine how the database behaves during a reboot or a crash. Azure Database for MySQL introduces significant improvements around crash recovery times, and reboot/crash tests are instrumental in understanding how Azure Database for MySQL contributes to reducing your application downtime in such scenarios.

+- ΓÇ£BrownoutΓÇ¥ tests, which are designed to gauge how quickly a database achieves nominal performance levels after a reboot or crash. Databases often need time to achieve optimal performance, and Azure Database for MySQL introduces improvements in this area as well.

+In the event of stability issues affecting your database, any information gathered during the performance benchmarks will help identify bottlenecks or further tune the application to cater to the workload needs.

+## Next steps

+- [Best practices for optimal performance of Azure Database for servers](concept-performance-best-practices.md)

+- [Best practices for server operations using Azure Database for MySQL](concept-operation-excellence-best-practices.md)

+- [Best practices for monitoring your Azure Database for MySQL](concept-monitoring-best-practices.md)

+- [Get started with Azure Database for MySQL](quickstart-create-mysql-server-database-using-azure-portal.md)

+# Best practices for optimal performance of Azure Database for MySQL servers

+$sourcevmid1 = New-AzNetworkWatcherConnectionMonitorEndpointObject -AzureVM -Name MyAzureVm -ResourceID /subscriptions/<your-subscription>/resourceGroups/<your resourceGroup>/providers/Microsoft.Compute/virtualMachines/<vm-name>

+$bingEndpoint = New-AzNetworkWatcherConnectionMonitorEndpointObject -ExternalAddress -Name Bing -Address www.bing.com # Destination URL

+ Title: Use Azure Key Vault Provider for Secrets Store CSI Driver on Azure Red Hat OpenShift

+ --version v1.3.1 \

+ --version=v1.4.1

+ oc delete project k8s-secrets-store-csi

+ ```

+| Aura Direct Broadcast | aura_direct_broadcast | This is NASA Aura's 15-Mbps direct broadcast service |

+| Terra Direct Broadcast | terra_direct_broadcast | This is NASA Terra's 8.3-Mbps direct broadcast service |

+| SNPP Direct Broadcast | snpp_direct_broadcast | This is NASA SNPP 15-Mbps direct broadcast service |

+| JPSS-1 Direct Broadcast | jpss-1_direct_broadcast | This is NASA JPSS-1 15-Mbps direct broadcast service |

+> We recommend using the Aqua Direct Broadcast modem configuration when testing with Aqua.

+>

+> Orbital does not have control over the downlink schedules for these public satellites. NASA conducts their own operations which may interrupt the downlink availabilities.

+- [Schedule a contact](schedule-contact.md)

+ >

+ Use a different subscription. Or, check if your EA subscription is enabled for Marketplace purchase. For more information, see [Enable Marketplace purchases](/azure/cost-management-billing/manage/ea-azure-marketplace#enabling-azure-marketplace-purchases). If those options don't solve the problem, contact [Datadog support](https://www.datadoghq.com/support).

+- Learn about [managing your instance](manage.md) of Datadog.

+For help with configuring and using your file system, see the [Qumulo documentation hub](https://docs.qumulo.com/azure-guide/).

+| Azure Active Directory Support(AAD) | Yes | Yes |

+| Customer managed encryption key(BYOK) | Yes | Yes |

+>Important to note, that after choosing **disable public access** option in Azure Key Vault networking and allowing only *trusted Microsoft* services you may see error similar to following : *You have enabled the network access control. Only allowed networks will have access to this key vault* while attempting to administer Azure Key Vault via portal through public access. This doesn't preclude ability to provide key during CMK setup or fetch keys from Azure Key Vault during server operations.

+>[!NOTE]

+> You'll need to be a Data Source Admin and one of the other Purview roles (for example, Data Reader or Data Share Contributor) to register a source and manage it in the Microsoft Purview governance portal. See our [Microsoft Purview Permissions page](catalog-permissions.md) for details on roles and adding permissions.

+Use the following steps to register a new source:

+The easiest way to create search service is using the [Azure portal](https://portal.azure.com/), which is covered in this article. You can also use [Azure PowerShell](search-manage-powershell.md#create-or-delete-a-service), [Azure CLI](search-manage-azure-cli.md#create-or-delete-a-service), the [Management REST API](search-manage-rest.md#create-or-update-a-service), an [Azure Resource Manager service template](search-get-started-arm.md), or a [Bicep file](search-get-started-bicep.md).

+To try search for free, [open a free Azure account](https://azure.microsoft.com/pricing/free-trial/?WT.mc_id=A261C142F) and then create your search service using the **Free** tier. Because the tier is fixed, it will never transition to become a billable tier.

+Alternatively, you can use free credits to try out paid Azure services, which means you can create your search service at **Basic** or above to get more capacity. Your credit card is never charged unless you explicitly change your settings and ask to be charged. Another approach is to [activate Azure credits in a Visual Studio subscription](https://azure.microsoft.com/pricing/member-offers/msdn-benefits-details/?WT.mc_id=A261C142F). A Visual Studio subscription gives you credits every month you can use for paid Azure services.

+Paid (or billable) search occurs when you choose a billable tier (Basic or above) when creating the resource on a billable Azure subscription.

+ :::image type="content" source="media/search-create-service-portal/region-availability.png" lightbox="media/search-create-service-portal/region-availability.png" alt-text="Screenshot of the regional availability page." border="true":::

+## Configure authentication

+Unless you're using the portal, programmatic access to your new service requires that you provide the URL endpoint and an authenticated connection. You can use either or both of these options:

+1. When setting up a programmatic connection, you'll need the search service endpoint. On the **Overview** page, locate and copy the URL endpoint on the right side of the page.

+ :::image type="content" source="media/search-create-service-portal/get-endpoint.png" lightbox="media/search-create-service-portal/get-endpoint.png" alt-text="Screenshot of the service overview page with URL endpoint." border="true":::

+1. To set authentication options, use the **Keys** page. Most quickstarts and tutorials use API keys for simplicity, but if you're setting up a service for production workloads, consider using Azure roles. You can copy keys from this page.

+ :::image type="content" source="media/search-create-service-portal/set-authentication-options.png" lightbox="media/search-create-service-portal/set-authentication-options.png" alt-text="Screenshot of the keys page with authentication options." border="true":::

+> [!IMPORTANT]

+[**az search service delete**](/cli/azure/search/service#az-search-service-delete-required-parameters) removes the service and its data.

+```azurecli-interactive

+az search service delete --name <service-name> \

+ --resource-group <search-service-resource-group-name> \

+```

+```azurepowershell

+[**Remove-AzSearchService**](/powershell/module/az.search/remove-azsearchservice) is used to delete a service and its data.

+```azurepowershell-interactive

+Remove-AzSearchService -ResourceGroupName <resource-group-name> -Name <search-service-name>

+```

+You'll be asked to confirm the action.

+```azurepowershell

+Confirm

+Are you sure you want to remove Search Service 'pstestazuresearch01'?

+[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): y

+```

+For the next step, you'll need to know the name of your search service and its API Key. If you're unsure how to find those items, check out this [REST quickstart](search-get-started-rest.md).

+1. From the table, select the hunting query you want to modify.

+**To modify an existing custom query**:

+1. From the table, select the hunting query that you wish to modify. Note that only queries that from a custom content source can be edited. Other content sources have to be edited at that source.

+1. Select the ellipsis (...) in the line of the query you want to modify, and select **Edit query**.

+1. Modify the **Custom query** field with the updated query. You can also modify the entity mapping and techniques as explained in the "**To create a new query**" section of this documentation.

+| <a name="eventtype"></a> **EventType** | Mandatory | Enumerated | Describes the operation audited by the event using a normalized value. Use [EventSubType](#eventsubtype) to provide further details, which the normalized value does not convey, and [Operation](#operation). to store the operation as reported by the reporting device.<br><br> For Audit Event records, the allowed values are:<br> - `Set`<br>- `Read`<br>- `Create`<br>- `Delete`<br>- `Execute`<br>- `Install`<br>- `Clear`<br>- `Enable`<br>- `Disable`<br>- `Other` <br><br>Audit events represent a large variety of operations, and the `Other` value enables mapping operations that have no corresponding `EventType`. However, the use of `Other` limits the usability of the event and should be avoided if possible. |

+| **ValueType** | Optional | Enumerated | The type of the old and new values. Allowed values are<br>- Other |

+| <a name='eventtype'></a>**EventType** | Mandatory | Enumerated | Describes the operation reported by the record. Allowed values are:<br> - `HTTPsession`: Denotes a network session used for HTTP or HTTPS, typically reported by an intermediary device, such as a proxy or a Web security gateway.<br> - `WebServerSession`: Denotes an HTTP request reported by a web server. Such an event typically has less network related information. The URL reported should not include a schema and a server name, but only the path and parameters part of the URL. <br> - `ApiRequest`: Denotes an HTTP request reported associated with an API call, typically reported by an application server. Such an event typically has less network related information. When reported by the application server, the URL reported should not include a schema and a server name, but only the path and parameters part of the URL. |

+- Azure Active Directory

+- Microsoft Defender for Endpoint

+- Microsoft Defender for Cloud Apps

+## AbuseIPDB

+| Product | Integration components | Supported by | Scenarios |

+| | | | |

+| **AbuseIPDB**<br>(Available as solution) | Custom Logic Apps connector<br><br>Playbooks | Microsoft | Enrich incident by IP info, <br>Report IP to Abuse IP DB, <br>Deny list to Threat intelligence |

+|

+

+

+## AWS IAM

+| Product | Integration components | Supported by | Scenarios |

+| | | | |

+| **AWS IAM**<br>(Available as solution) | Custom Logic Apps connector<br><br>Playbooks | Microsoft | Add User Tags, <br>Delete Access Keys, <br>Enrich incidents |

+|

+

+## Checkphish by Bolster

+| Product | Integration components | Supported by | Scenarios |

+| | | | |

+| **Checkphish by Bolster**<br>(Available as solution) | Custom Logic Apps connector<br><br>Playbooks | Microsoft | Get URL scan results |

+|

+

+

+## Elastic Search

+| Product | Integration components | Supported by | Scenarios |

+| | | | |

+| **Elastic search**<br>(Available as solution) | Playbooks | Microsoft | Enrich incident |

+|

+| **Fortiweb Cloud**<br>(Available as solution) | Custom Logic Apps connector<br><br>Azure Function<br><br>Playbooks | Microsoft | Block IPs and URLs , <br>Incident enrichment |

+|

+## GCP IAM

+| Product | Integration components | Supported by | Scenarios |

+| | | | |

+| **GCP IAM**<br>(Available as solution) | Custom Logic Apps connector<br><br>Playbooks | Microsoft | Disable service account, <br>Disable service account key, <br>Enrich Service account info |

+|

+## InsightVM Cloud API

+| Product | Integration components | Supported by | Scenarios |

+| | | | |

+| **InsightVM Cloud API** | Custom Logic Apps connector<br><br>Playbooks | Microsoft | Enrich incident with asset info, <br>Enrich vulnerability info, <br>Run VM scan |

+|

+

+

+## Minemeld

+| Product | Integration components | Supported by | Scenarios |

+| | | | |

+| **Minemeld**<br>(Available as solution) | Custom Logic Apps connector<br><br>Playbooks | Microsoft | Create indicator, <br>Enrich incident |

+|

+

+## Neustar IP GEO Point

+| Product | Integration components | Supported by | Scenarios |

+| | | | |

+| **Neustar IP GEO Point**<br>(Available as solution) | Playbooks | Microsoft | Get IP Geo Info |

+|

+

+## OpenCTI

+| Product | Integration components | Supported by | Scenarios |

+| | | | |

+| **OpenCTI**<br>(Available as solution) | Custom Logic Apps connector<br><br>Playbooks | Microsoft | Create Indicator, <br>Enrich incident, <br>Get Indicator stream, <br>Import to Sentinel |

+|

+## Qualys VM

+| Product | Integration components | Supported by | Scenarios |

+| | | | |

+| **Qualys VM**<br>(Available as solution) | Custom Logic Apps connector<br><br>Playbooks | Microsoft | Get asset details, <br>Get asset by CVEID, <br>Get asset by Open port, <br>Launch VM scan |

+|

+

+## TheHive

+| Product | Integration components | Supported by | Scenarios |

+| | | | |

+| **TheHive**<br>(Available as solution) | Custom Logic Apps connector<br><br>Playbooks | Microsoft | Create alert, <br>Create Case, <br>Lock User |

+|

+

+## ThreatX WAF

+| Product | Integration components | Supported by | Scenarios |

+| | | | |

+| **ThreatX WAF**<br>(Available as solution) | Custom Logic Apps connector<br><br>Playbooks | Microsoft | Block IP / URL, <br>Incident enrichment |

+|

+

+## URLhaus

+| Product | Integration components | Supported by | Scenarios |

+| | | | |

+| **URLhaus**<br>(Available as solution) | Custom Logic Apps connector<br><br>Playbooks | Microsoft | Check host and enrich incident, <br>Check hash and enrich incident, <br>Check URL and enrich incident |

+|

+ Title: Discover and deploy Microsoft Sentinel out-of-the-box content from Content hub

+# Discover and manage Microsoft Sentinel out-of-the-box content (Public preview)

+The Microsoft Sentinel Content hub is your centralized location to discover and manage out-of-the-box (built-in) content. There you'll find packaged solutions for end-to-end products by domain or industry. You'll also have access to the vast number of standalone contributions hosted in our GitHub repository and feature blades.

+- Discover solutions and standalone content with a consistent set of filtering capabilities based on status, content type, support, provider and category.

+- Install content in your workspace all at once or individually.

+- View content in list view and quickly see which solutions have updates. Update solutions all at once while standalone content updates automatically.

+- Configure standalone content to create new active items based on the most up-to-date template.

+> Microsoft Sentinel solutions and standalone content in the Microsoft Sentinel Content Hub are currently in **PREVIEW**, as are all individual solution packages. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+In order to install, update and delete standalone content or solutions in content hub, you need the **Template Spec Contributor** role at the resource group level. See [Azure RBAC built in roles](../role-based-access-control/built-in-roles.md#template-spec-contributor) for details on this role.

+## Discover content

+The content hub offers the best way to find new content or manage the solutions you already have installed.

+1. The **Content hub** page displays a searchable grid or list of solutions and standalone content.

+ Filter the list displayed, either by selecting specific values from the filters, or entering any part of a content name or description in the **Search** field.

+Each content item shows categories that apply to it, and solutions show the types of content included.

+For example, in the following image, the **Cisco Umbrella** solution lists one of its categories as **Security - Cloud Security**, and indicates it includes a data connector, analytics rules, hunting queries, playbooks, and more.

+## Install or update content

+Standalone content and solutions can be installed individually or all together in bulk. For more information on bulk operations, see [Bulk install and update content](#bulk-install-and-update-content) in the next section. Here's an example showing the install of an individual solution.

+1. In the content hub, select a solution to view more information on the right. Then select **Install**, or **Update**.

+## Bulk install and update content

+Content hub supports a list view in addition to the default card view. Multiple solutions and standalone content can be selected with this view to install and update them all at once. Standalone content is kept up-to-date automatically. Any active or

+custom content created based on solutions or standalone content installed from content hub remains untouched.

+1. The list view is paginated, so choose a filter to ensure the content you want to bulk install are in view. Select their checkboxes and click the **Install/Update** button.

+1. The content hub interface will indicate *in progress* for installs and updates. Azure notifications will also indicate the action taken. If a solution or standalone content that was already installed or updated was selected, no action will be taken on that item and it won't interfere with the update and install of the other items.

+Below are some tips on how to interact with various content types when managing a solution.

+## Find the support model for your content

+In this document, you learned how to find and deploy built-in solutions and standalone content for Microsoft Sentinel.

+ Manage [updates for out-of-the-box content](sentinel-solutions-deploy.md#install-or-update-content) via the Microsoft Sentinel **Content hub**, and for custom content via the **Repositories** page.

+## Resource provider

+Add [Azure Front Door](../frontdoor/front-door-overview.md) as the CDN for your static web app. Azure Front Door is a scalable and secure entry point for fast delivery of your web applications.

+In this tutorial, learn how to create an Azure Front Door Standard/Premium instance and associate Azure Front Door with your Azure Static Web Apps site.

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F)

+- An Azure Static Web Apps site. [Build your first static web app](get-started-portal.md)

+- Azure Static Web Apps Standard and Azure Front Door Standard / Premium plans. For more information, see [Static Web Apps pricing](https://azure.microsoft.com/pricing/details/app-service/static/)

+- Consider using [enterprise-grade edge](enterprise-edge.md) for faster page loads, enhanced security, and optimized reliability for global applications.

+<!--

+1. Sign in to the [Azure portal](https://portal.azure.com).

+2. Open the static web app that you want to apply Azure Front Door.

+3. Go to the *Overview* section.

+4. Copy the *URL* to your clipboard for later use.

+ :::image type="content" source="media/front-door-manual/copy-url-static-web-app.png" alt-text="Screenshot of Static Web App Overview page.":::

+-->

+## Create an Azure Front Door

+1. Sign in to the [Azure portal](https://portal.azure.com).

+2. From the home page or the Azure menu, selectΓÇ»**+ Create a resource**. Search forΓÇ»*Front Door and CDN profiles*, and then select **Create** > **Front Door and CDN profiles**.

+3. On the Compare offerings page, select **Quick create**, and then select **Continue to create a Front Door**.

+4. On the **Create a Front Door profile** page, enter or select the following settings.

+ > [!NOTE]

+ > When you create an Azure Front Door profile, you must select an origin from the same subscription the Front Door is created in.

+5. Select **Review + create**, and then select **Create**. The creation process may take a few minutes to complete.

+6. When deployment completes, select **Go to resource**.

+7. [Add a condition](#add-a-condition).

+1. From your Front Door, under *Settings*, select **Rule set**.

+2. Select **Add**.

+3. In the *Rule set name* textbox, enter **Security**.

+4. In the *Rule name* textbox, enter **NoCacheAuthRequests**.

+5. Select **Add a condition**.

+6. Select **Request path**.

+7. Select the *Operator* drop-down, and then **Begins With**.

+8. Select the **Edit** link above the *Value* textbox.

+9. Enter `/.auth` in the textbox, and then select **Update**.

+10. Select no options from the *String transform* dropdown.

+2. Select **Route configuration override**.

+3. Select **Disabled** in the *Caching* dropdown.

+4. Select **Save**.

+Now that the rule is created, apply the rule to a Front Door endpoint.

+1. From your Front Door, select **Rule set**, and then the **Unassociated** link.

+ :::image type="content" source="media/front-door-manual/rule-set-select-unassociated.png" alt-text="Screenshot showing selections for Rule set and Unassociated links.":::

+2. Select the endpoint name to which you want to apply the caching rule, and then select **Next**.

+ :::image type="content" source="media/front-door-manual/associate-route.png" alt-text="Screenshot showing highlighted button, Associate.":::

+1. From your Front Door, select the **Overview** link on the left-hand navigation.

+1. Copy the value labeled **Front Door ID** and paste it into a file for later use.

+ :::image type="content" source="media/front-door-manual/copy-front-door-id.png" alt-text="Screenshot showing highlighted Overview item and highlighted Front Door ID number.":::

+To complete the integration with Front Door, you need to update the application configuration file to do the following functions:

+- **Custom domains**: Now that Front Door is managing your site, you no longer use the Azure Static Web Apps custom domain feature. Azure Front Door has a separate process for adding a custom domain. Refer to [Add a custom domain to your Front Door](../frontdoor/front-door-custom-domain.md). When you add a custom domain to Front Door, you'll need to update your static web app configuration file to include it in the `allowedForwardedHosts` list.

+| Storage | ΓÇó 500 MB max for all staging and production environments<br><br>ΓÇó 250 MB max per app | ΓÇó 2 GB max for all staging and production environments<br><br>ΓÇó 500 MB max per app |

+| prefixMatch | An array of strings for prefixes to be matched. Each rule can define up to 10 case-sensitive prefixes. A prefix string must start with a container name. For example, if you want to match all blobs under `https://myaccount.blob.core.windows.net/sample-container/blob1/...` for a rule, the prefixMatch is `sample-container/blob1`.<br /><br />To match the blob name exactly, include the trailing forward slash ('/'), *e.g.*, `sample-container/blob1/`. To match the name pattern, omit the trailing forward slash, *e.g.*, `sample-container/blob1`. | If you don't define prefixMatch, the rule applies to all blobs within the storage account. | No |

+If your storage account has object replication policies in effect, you cannot disable blob versioning for that account. You must delete any object replication policies on the account before disabling blob versioning.

+- Point-in-time restore is not supported when the storage account's **AllowedCopyScope** property is set to restrict copy scope to the same Azure AD tenant or virtual network. For more information, see [About Permitted scope for copy operations (preview)](../common/security-restrict-copy-operations.md?toc=/azure/storage/blobs/toc.json&tabs=portal#about-permitted-scope-for-copy-operations-preview).

+az login

+You can enable blob versioning with the Azure portal, PowerShell, Azure CLI, or an Azure Resource Manager template.

+ :::image type="content" source="media/versioning-enable/portal-enable-versioning.png" alt-text="Screenshot showing how to enable blob versioning in Azure portal":::

+## List blob versions

+To display a blob's versions, use the Azure portal, PowerShell, or Azure CLI. You can also list a blob's versions using one of the Blob Storage SDKs.

+# [Azure portal](#tab/portal)

+To list a blob's versions in the Azure portal:

+1. Navigate to your storage account in the portal, then navigate to the container that contains your blob.

+1. Select the blob for which you want to list versions.

+1. Select the **Versions** tab to display the blob's versions.

+ :::image type="content" source="media/versioning-enable/portal-list-blob-versions.png" alt-text="Screenshot showing how to list blob versions in the Azure portal":::

+# [PowerShell](#tab/powershell)

+To list a blob's versions with PowerShell, call the [Get-AzStorageBlob](/powershell/module/az.storage/get-azstorageblob) command with the `-IncludeVersion` parameter:

+```azurepowershell

+$account = Get-AzStorageAccount -ResourceGroupName <resource-group> -Name <storage-account>

+$ctx = $account.Context

+$container = "<container-name>"

+$blobs = Get-AzStorageBlob -Container $container -Prefix "ab" -IncludeVersion -Context $ctx

+foreach($blob in $blobs)

+{

+ Write-Host $blob.Name

+ Write-Host $blob.VersionId

+ Write-Host $blob.IsLatestVersion

+}

+```

+# [Azure CLI](#tab/azure-cli)

+To list a blob's versions with Azure CLI, call the [az storage blob directory list](/cli/azure/storage/blob/directory#az-storage-blob-directory-list) command with the `--include v` parameter:

+```azurecli

+storageAccount="<storage-account>"

+containerName="<container-name>"

+az storage blob list \

+ --container-name $containerName \

+ --prefix "ab" \

+ --query "[[].name, [].versionId]" \

+ --account-name $storageAccount \

+ --include v \

+ --auth-mode login \

+ --output tsv

+```

+# [Template](#tab/template)

+N/A

+## List blob versions with .NET

+Object replication relies on blob versioning. Before you can disable blob versioning, you must delete any object replication policies on the account. For more information about object replication, see [Object replication for block blobs](object-replication-overview.md).

+1. Navigate to the [list of your storage accounts](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Storage%2FStorageAccounts) in the Azure portal.

+ :::image type="content" source="media/storage-account-recover/restore-button-portal.png" alt-text="Screenshot showing the Restore button in the Azure portal.":::

+Your application needs to access the connection string at runtime to authorize requests made to Azure Storage. You have several options for storing your account access keys or connection string:

+- You can store your account keys securely in Azure Key Vault. For more information, see [About Azure Key Vault managed storage account keys](../../key-vault/secrets/about-managed-storage-account-keys.md).

+- An application can store the connection string in an **app.config** or **web.config** file. Add the connection string to the **AppSettings** section in these files.

+> [!WARNING]

+> Storing your account access keys or connection string in clear text presents a security risk and is not recommended. Store your account keys in an encrypted format, or migrate your applications to use Azure AD authorization for access to your storage account.

+## Authorizing access with Shared Key

+To learn how to authorize access to Azure Storage with the account key or with a connection string, see one of the following articles:

+- [Authorize access and connect to Blob Storage with .NET](../blobs/storage-blob-dotnet-get-started.md?tabs=account-key#authorize-access-and-connect-to-blob-storage)

+- [Authorize access and connect to Blob Storage with Java](../blobs/storage-blob-java-get-started.md?tabs=account-key#authorize-access-and-connect-to-blob-storage)

+- [Use the Azure Identity library to get an access token for authorization](identity-library-acquire-token.md)

+- [Use the Azurite emulator for local Azure Storage development](storage-use-azurite.md)

+ Title: Create a table in the Azure portal

+description: Learn how to use the Azure portal to create a new table in Azure Table storage.

+# Quickstart: Create a table in the Azure portal

+To create a table in the Azure portal:

+1. Navigate to your storage account in the Azure portal.

+1. Select **Storage Browser** in the left-hand navigation panel.

+1. In the Storage Browser tree, select select **Tables**.

+1. Select the **Add table** button to add a new table.

+1. In the **Add table** dialog, provide a name for the new table.

+ :::image type="content" source="media/table-storage-quickstart-portal/storage-browser-table-create.png" alt-text="Screenshot showing how to create a table in Storage Browser in the Azure portal.":::

+1. Select **Ok** to create the new table.

+## Add an entity to the table

+To add an entity to your table from the Azure portal:

+1. In the Storage Browser in the Azure portal, select the table you created previously.

+1. Select the **Add entity** button to add a new entity.

+ :::image type="content" source="media/table-storage-quickstart-portal/storage-browser-table-add-entity.png" alt-text="Screenshot showing how to add a new entity to a table in Storage Browser in the Azure portal.":::

+1. In the **Add entity** dialog, provide a partition key and a row key, then add any additional properties for data that you want to write to the entity.

+ :::image type="content" source="media/table-storage-quickstart-portal/storage-browser-table-add-properties.png" alt-text="Screenshot showing how to add properties to an entity in Storage Browser in the Azure portal.":::

+For more information on working with entities and properties, see [Understanding the Table service data model](/rest/api/storageservices/understanding-the-table-service-data-model).

+## Windows OS activation

+Windows VMs must be licensed and activated before you can use them on Azure Stack HCI.

+For activating your multi-session OS VMs (Windows 10, Windows 11, or later), enable Azure Benefits on the VM once it is created. Make sure that Azure Benefits are also enabled on the host computer. For more information, see [Azure Benefits on Azure Stack HCI](/azure-stack/hci/manage/azure-benefits).

+> [!NOTE]

+> You must manually enable access for each VM that requires Azure Benefits.

+For all other OS images (such as Windows Server or single-session OS), Azure Benefits is not required. Continue to use the existing activation methods. For more information, see [Activate Windows Server VMs on Azure Stack HCI](/azure-stack/hci/manage/vm-activate).

+In Windows 11, version 22H2 or later, you can enable screen capture protection on session host VMs as well as remote clients. Protection on session host VMs works just like protection for remote clients.

+- The Windows Desktop client supports screen capture protection for full desktops.

+- The Windows Desktop client supports screen capture protection for RemoteApps in VMs running Windows 11, Version 22H2 or later.

+5. Open the **"Enable screen capture protection"** policy and set it to **"Enabled"**.

+6. To configure screen capture for client and server, set the **"Enable screen capture protection"** policy to **"Block Screen capture on client and server"**. By default, the policy will be set to **"Block Screen capture on client"**.

+ >[!NOTE]

+ >You can only use screen capture protection on session host VMs that use Windows 11, version 22H2 or later.

+## Video Introduction

+<!-- markdownlint-disable MD034 -->

+> [!VIDEO https://www.youtube.com/embed/Lk9mA1WzfAQ]

+<!-- markdownlint-enable MD034 -->

+There are two options for copying an incremental snapshot across regions. The first option, a managed process (recommended), that will perform the copy for you. This process is handled by Azure and removes the maintenance overhead of managing the copy process by staging a storage account in the target region. Azure ensures that only changes since the last snapshot in the target region are copied to the target region to reduce the data footprint, reducing the recovery point objective. You can check the process of a copy so you know when a target snapshot is ready to restore disks. For this managed process, you're only billed for the bandwidth cost of the data transfer across the region, and the read transactions on the source snapshot. Don't delete your source snapshot while the target snapshot is being copied.

+The second option is a [manual copy](#manual-copy), where you get the changes between two incremental snapshots, down to the block level, and manually copy it from one region to another. Most users should use the managed process but, if you're interested in improving the copy speed, the second option allows you to use your compute resources to make the copy faster.

+## Managed copy

+You can use the Azure PowerShell module to copy an incremental snapshot. You'll need the latest version of the Azure PowerShell module. The following command will either install it or update your existing installation to latest:

+Once that is installed, sign in to your PowerShell session with `Connect-AzAccount`.

+## Manual copy

+Incremental snapshots offer a differential capability. They enable you to get the changes between two incremental snapshots of the same managed disk, down to the block level. You can use this to reduce your data footprint when copying snapshots across regions. For example, you can download the first incremental snapshot as a base blob in another region. For the subsequent incremental snapshots, you can copy only the changes since the last snapshot to the base blob. After copying the changes, you can take snapshots on the base blob that represent your point in time backup of the disk in another region. You can restore your disk either from the base blob or from a snapshot on the base blob in another region.

+Ultra disks deployed in select regions must be deployed without any redundancy options, for now. However, not every disk size that supports ultra disks may be in these regions. To determine which disk sizes support ultra disks, you can use either of the following code snippets. Make sure to replace the `vmSize` and `subscription` values first:

+You can use the Azure CLI to create an incremental snapshot. You'll need the latest version of the Azure CLI. See the following articles to learn how to either [install](/cli/azure/install-azure-cli) or [update](/cli/azure/update-azure-cli) the Azure CLI.

+> [!IMPORTANT]

+> After taking a snapshot of an Ultra Disk, you must wait for the snapshot to complete before you can use it. See the [Check status of snapshots or disks](#check-status-of-snapshots-or-disks) section for details.

+You can use the Azure PowerShell module to create an incremental snapshot. You'll need the latest version of the Azure PowerShell module. The following command will either install it or update your existing installation to latest:

+Once that is installed, sign in to your PowerShell session with `Connect-AzAccount`.

+> [!IMPORTANT]

+> After taking a snapshot of an Ultra Disk, you must wait for the snapshot to complete before you can use it. See the [Check status of snapshots or disks](#check-status-of-snapshots-or-disks) section for details.

+You can identify incremental snapshots from the same disk with the `SourceResourceId` and the `SourceUniqueId` properties of snapshots. `SourceResourceId` is the Azure Resource Manager resource ID of the parent disk. `SourceUniqueId` is the value inherited from the `UniqueId` property of the disk. If you delete a disk and then create a new disk with the same name, the value of the `UniqueId` property changes.

+> [!IMPORTANT]

+> After taking a snapshot of an Ultra Disk, you must wait for the snapshot to complete before you can use it. See the [Check status of snapshots or disks](#check-status-of-snapshots-or-disks) section for details.

+You can also use Azure Resource Manager templates to create an incremental snapshot. You'll need to make sure the apiVersion is set to **2022-03-22** and that the incremental property is also set to true. The following snippet is an example of how to create an incremental snapshot with Resource Manager templates:

+ "apiVersion": "2022-03-22",

+> [!IMPORTANT]

+> After taking a snapshot of an Ultra Disk, you must wait for the snapshot to complete before you can use it. See the [Check status of snapshots or disks](#check-status-of-snapshots-or-disks) section for details.

+## Check status of snapshots or disks

+Incremental snapshots of Ultra Disks (preview) can't be used to create new disks until the background process copying the data into the snapshot has completed. Similarly, Ultra Disks created from incremental snapshots can't be attached to a VM until the background process copying the data into the disk has completed.

+You can use either the [CLI](#cli) or [PowerShell](#powershell) sections to check the status of the background copy from a disk to a snapshot and you can use the [Check disk creation status](#check-disk-creation-status) section to check the status of a background copy from a snapshot to a disk.

+### CLI

+First, get a list of all snapshots associated with a particular disk. Replace `yourResourceGroupNameHere` with your value and then you can use the following script to list your existing incremental snapshots of Ultra Disks:

+```azurecli

+# Declare variables and create snapshot list

+subscriptionId="yourSubscriptionId"

+resourceGroupName="yourResourceGroupNameHere"

+diskName="yourDiskNameHere"

+az account set --subscription $subscriptionId

+diskId=$(az disk show -n $diskName -g $resourceGroupName --query [id] -o tsv)

+az snapshot list --query "[?creationData.sourceResourceId=='$diskId' && incremental]" -g $resourceGroupName --output table

+```

+Now that you have a list of snapshots, you can check the `CompletionPercent` property of an individual snapshot to get its status. Replace `$sourceSnapshotName` with the name of your snapshot. The value of the property must be 100 before you can use the snapshot for restoring disk or generate a SAS URI for downloading the underlying data.

+```azurecli

+az snapshot show -n $sourceSnapshotName -g $resourceGroupName --query [completionPercent] -o tsv

+```

+### PowerShell

+The following script creates a list of all incremental snapshots associated with a particular disk that haven't completed their background copy. Replace `yourResourceGroupNameHere` and `yourDiskNameHere`, then run the script.

+```azurepowershell

+$resourceGroupName = "yourResourceGroupNameHere"

+$snapshots = Get-AzSnapshot -ResourceGroupName $resourceGroupName

+$diskName = "yourDiskNameHere"

+$yourDisk = Get-AzDisk -DiskName $diskName -ResourceGroupName $resourceGroupName

+$incrementalSnapshots = New-Object System.Collections.ArrayList

+foreach ($snapshot in $snapshots)

+{

+ if($snapshot.Incremental -and $snapshot.CreationData.SourceResourceId -eq $yourDisk.Id -and $snapshot.CreationData.SourceUniqueId -eq $yourDisk.UniqueId)

+ {

+ $targetSnapshot=Get-AzSnapshot -ResourceGroupName $resourceGroupName -SnapshotName $snapshotName

+ {

+ if($targetSnapshot.CompletionPercent -lt 100)

+ {

+ $incrementalSnapshots.Add($targetSnapshot)

+ }

+ }

+ }

+}

+$incrementalSnapshots

+```

+Now that you have a list of snapshots, you can check the `CompletionPercent` property of an individual snapshot to get its status. Replace `yourResourceGroupNameHere` and `yourSnapshotName` then run the script. The value of the property must be 100 before you can use the snapshot for restoring disk or generate a SAS URI for downloading the underlying data.

+```azurepowershell

+$resourceGroupName = "yourResourceGroupNameHere"

+$snapshotName = "yourSnapshotName"

+$targetSnapshot=Get-AzSnapshot -ResourceGroupName $resourceGroupName -SnapshotName $snapshotName

+$targetSnapshot.CompletionPercent

+```

+### Check disk creation status

+When creating a disk from an Ultra Disk snapshot, you must wait for the background copy process to complete before you can attach it. Currently, you must use the Azure CLI to check the progress of the copy process.

+The following script gives you the status of an individual disk's copy process. The value of `completionPercent` must be 100 before the disk can be attached.

+```azurecli

+subscriptionId=yourSubscriptionID

+resourceGroupName=yourResourceGroupName

+diskName=yourDiskName

+az account set --subscription $subscriptionId

+az disk show -n $diskName -g $resourceGroupName --query [completionPercent] -o tsv

+```

+## Check sector size

+Snapshots with a 4096 logical sector size can only be used to create Ultra Disks. They can't be used to create other disk types. Snapshots of disks with 4096 logical sector size are stored as VHDX, whereas snapshots of disks with 512 logical sector size are stored as VHD. Snapshots inherit the logical sector size from the parent disk.

+To determine whether or your Ultra Disk snapshot is a VHDX or a VHD, get the `LogicalSectorSize` property of the snapshot.

+The following command displays the logical sector size of a snapshot:

+```azurecli

+az snapshot show -g resourcegroupname -n snapshotname --query [creationData.logicalSectorSize] -o tsv

+```

+- Unmanaged disks or page blobs

+- Ultra Disks

+- Standard solid-state drives (SSDs) or standard hard-disk drives (HDDs)

+- Premium SSD SKUs smaller than P30: P1, P2, P3, P4, P6, P10, P15, and P20 SSD SKUs

+- Disks in Azure Government, Azure Germany, or Azure China regions

+|[Dav4-series](dav4-dasv4-series.md) | :heavy_check_mark: | :heavy_check_mark: |

+You may be able to expand your managed disks without deallocating your VM.

+> If your disk meets the requirements in [Expand without downtime](#expand-without-downtime), you can skip step 1 and 3.

+If you choose to install and use the CLI locally, this tutorial requires that you're running the Azure CLI version 2.35.0 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI]( /cli/azure/install-azure-cli).

+The Azure Compute Gallery lets you share your custom VM images with others. Choose which images you want to share, which regions you want them to be available in, and who you want to share them with.

+The following steps show how to take an existing VM and turn it into a reusable custom image that you can use to create new VM instances.

+Allowed characters for gallery name are uppercase or lowercase letters, digits, dots, and periods. The gallery name can't contain dashes. Gallery names must be unique within your subscription.

+Image definitions create a logical grouping for images. They're used to manage information about the image versions that are created within them.

+In this example, the version of our image is *1.0.0* and we're going to create two replicas in the *West Central US* region, one replica in the *South Central US* region and one replica in the *East US 2* region using zone-redundant storage. The replication regions must include the region the source VM is located.

+Create the VM using [az vm create](/cli/azure/vm#az-vm-create) using the `--specialized` parameter to indicate the image is a specialized image.

+In this example, we're creating a VM from the latest version of the *myImageDefinition* image.

+Azure also offers a service, built on Packer, [Azure VM Image Builder](../image-builder-overview.md). Describe your customizations in a template, and it will handle the image creation.

+On Azure Linux VMs, the temporary disk is typically /dev/sdb and on Windows VMs the temporary disk is D: by default. The temporary disk is not encrypted unless (for server side encryption) you enable encryption at host or (for Azure Disk Encryption) with the [VolumeType parameter set to All on Windows](./windows/disk-encryption-windows.md#enable-encryption-on-a-newly-added-data-disk) or [EncryptFormatAll on Linux](./linux/disk-encryption-linux.md#use-encryptformatall-feature-for-data-disks-on-linux-vms).

+> [Select a disk type for IaaS VMs](disks-types.md)

+> Today, about 90% of IaaS VMs are using [Azure Resource Manager](https://azure.microsoft.com/features/resource-manager/). As of February 28, 2020, classic VMs have been deprecated and will be fully retired on September 1, 2023. [Learn more]( https://aka.ms/classicvmretirement) about this deprecation and [how it affects you](classic-vm-deprecation.md#how-does-this-affect-me).

+> Today, about 90% of IaaS VMs are using [Azure Resource Manager](https://azure.microsoft.com/features/resource-manager/). As of February 28, 2020, classic VMs have been deprecated and will be fully retired on September 1, 2023. [Learn more]( https://aka.ms/classicvmretirement) about this deprecation and [how it affects you](classic-vm-deprecation.md#how-does-this-affect-me).

+> Today, about 90% of IaaS VMs are using [Azure Resource Manager](https://azure.microsoft.com/features/resource-manager/). As of February 28, 2020, classic VMs have been deprecated and will be fully retired on September 1, 2023. [Learn more]( https://aka.ms/classicvmretirement) about this deprecation and [how it affects you](./classic-vm-deprecation.md#how-does-this-affect-me).

+* [Review the most frequently asked questions about migrating IaaS resources from classic to Azure Resource Manager](migration-classic-resource-manager-faq.yml)

+> Today, about 90% of IaaS VMs are using [Azure Resource Manager](https://azure.microsoft.com/features/resource-manager/). As of February 28, 2020, classic VMs have been deprecated and will be fully retired on September 1, 2023. [Learn more]( https://aka.ms/classicvmretirement) about this deprecation and [how it affects you](classic-vm-deprecation.md#how-does-this-affect-me).

+> Today, about 90% of IaaS VMs are using [Azure Resource Manager](https://azure.microsoft.com/features/resource-manager/). As of February 28, 2020, classic VMs have been deprecated and will be fully retired on September 1, 2023. [Learn more]( https://aka.ms/classicvmretirement) about this deprecation and [how it affects you](classic-vm-deprecation.md#how-does-this-affect-me).

+While Azure Resource Manager offers numerous amazing features, it's critical to plan out your migration journey to make sure things go smoothly. Spending time on planning will ensure that you don't encounter issues while executing migration activities.

+7. What are the communications plan to alert stakeholders (end users, application owners, and infrastructure owners)?

+The following were issues discovered in many of the larger migrations. This isn't an exhaustive list and you should refer to the [unsupported features and configurations](migration-classic-resource-manager-overview.md) for more detail. You may or may not encounter these technical issues but if you do solving these before attempting migration will ensure a smoother experience.

+- **Do a Validate/Prepare/Abort Dry Run** - This is perhaps the most important step to ensure Classic to Azure Resource Manager migration success. The migration API has three main steps: Validate, Prepare and Commit. Validate will read the state of your classic environment and return a result of all issues. However, because some issues might exist in the Azure Resource Manager stack, Validate won't catch everything. The next step in migration process, Prepare will help expose those issues. Prepare will move the metadata from Classic to Azure Resource Manager, but won't commit the move, and won't remove or change anything on the Classic side. The dry run involves preparing the migration, then aborting (**not committing**) the migrations prepare. The goal of validate/prepare/abort dry run is to see all of the metadata in the Azure Resource Manager stack, examine it (*programmatically or in Portal*), and verify that everything migrates correctly, and work through technical issues. It will also give you a sense of migration duration so you can plan for downtime accordingly. A validate/prepare/abort does not cause any user downtime; therefore, it is non-disruptive to application usage.

+ - When prepare is running, the control plane (Azure management operations) will be locked for the whole virtual network, so no changes can be made to VM metadata during validate/prepare/abort. But otherwise any application function (RD, VM usage, etc.) will be unaffected. Users of the VMs won't know that the dry run is being executed.

+ - **Remediation Option 1**. If you know your VMs won't have outbound internet access, a working DNS service, and working Azure agents on the VMs, then uninstall all VM extensions as part of the migration before Prepare, then reinstall the VM Extensions after migration.

+- Revisit the technical and business reasons for Azure Resource Manager; enable the additional services available only on Azure Resource Manager that applies to your environment.

+> Today, about 90% of IaaS VMs are using [Azure Resource Manager](https://azure.microsoft.com/features/resource-manager/). As of February 28, 2020, classic VMs have been deprecated and will be fully retired on September 1, 2023. [Learn more]( https://aka.ms/classicvmretirement) about this deprecation and [how it affects you](classic-vm-deprecation.md#how-does-this-affect-me).

+- Redhat Enterprise Linux 8.3, 8.4, 8.5, 8.6, 9.0, 9.1 LVM

+- All Fairfax regions

+- Azure Automanage

+Trusted launch is integrated with Microsoft Defender for Cloud to ensure your VMs are properly configured. Microsoft Defender for Cloud will continually assess compatible VMs and issue relevant recommendations.

+- **Recommendation to enable Secure Boot** - This Recommendation only applies for VMs that support trusted launch. Mirosoft Defender for Cloud will identify VMs that can enable Secure Boot, but have it disabled. It will issue a low severity recommendation to enable it.

+- **Recommendation to enable vTPM** - If your VM has vTPM enabled, Microsoft Defender for Cloud can use it to perform Guest Attestation and identify advanced threat patterns. If Microsoft Defender for Cloud identifies VMs that support trusted launch and have vTPM disabled, it will issue a low severity recommendation to enable it.

+- **Recommendation to install guest attestation extension** - If your VM has secure boot and vTPM enabled but it doesn't have the guest attestation extension installed, Microsoft Defender for Cloud will issue a low severity recommendation to install the guest attestation extension on it. This extension allows Microsoft Defender for Cloud to proactively attest and monitor the boot integrity of your VMs. Boot integrity is attested via remote attestation.

+- **Attestation health assessment or Boot Integrity Monitoring** - If your VM has Secure Boot and vTPM enabled and attestation extension installed, Microsoft Defender for Cloud can remotely validate that your VM booted in a healthy way. This is known as boot integrity monitoring. Microsoft Defender for Cloud issues an assessment, indicating the status of remote attestation.

+Trusted launch for Azure virtual machines is monitored for advanced threats. If such threats are detected, an alert will be triggered. Alerts are only available in the [Standard Tier](../security-center/security-center-pricing.md) of Microsoft Defender for Cloud.

+Microsoft Defender for Cloud periodically performs attestation. If the attestation fails, a medium severity alert will be triggered. Trusted launch attestation can fail for the following reasons:

+If you want to use Azure Resource Manager, Terraform or other tools to deploy the VM Extension for SAP, you can also deploy the VM Extension for SAP manually i.e. without using the dedicated PowerShell or Azure CLI commands.

+Before deploying the VM Extension for SAP, please make sure to assign a user or system assigned managed identity to the virtual machine. For more information, read the following guides:

+* [Configure managed identities for Azure resources on a VM using the Azure portal](/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm)

+* [Configure managed identities for Azure resources on an Azure VM using Azure CLI](/azure/active-directory/managed-identities-azure-resources/qs-configure-cli-windows-vm)

+* [Configure managed identities for Azure resources on an Azure VM using PowerShell](/azure/active-directory/managed-identities-azure-resources/qs-configure-powershell-windows-vm)

+* [Configure managed identities for Azure resources on an Azure VM using templates](/azure/active-directory/managed-identities-azure-resources/qs-configure-template-windows-vm)

+* [Terraform VM Identity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_virtual_machine#identity)

+After assigning an identity to the virtual machine, give the VM read access to either the resource group or the individual resources associated to the virtual machine (VM, Network Interfaces, OS Disks and Data Disks). It is recommended to use the built-in Reader role to grant the access to these resources. You can also grant this access by adding the VM identity to an Azure Active Directory group that already has read access to the required resources. It is then no longer needed to have Owner privileges when deploying the VM Extension for SAP if you use a user assigned identity that already has the required permissions.

+There are different ways how to deploy the VM Extension for SAP manually. Please find a few examples in the next chapters.

+The extension currently supports the following configuration keys. In the example below, the msi_res_id is shown.

+* msi_res_id: ID of the user assigned identity the extension should use to get the required information about the VM and its resources

+* proxy: URL of the proxy the extension should use to connect to the internet, for example to retrieve information about the virtual machine and its resources.

+### Deploy manually with Azure PowerShell

+The following code contains four examples. It shows how to deploy the extension on Windows and Linux, using a system or user assigned identity. Make sure to replace the name of the resource group, the location and VM name in the example.

+``` powershell

+# Windows VM - user assigned identity

+Set-AzVMExtension -Publisher "Microsoft.AzureCAT.AzureEnhancedMonitoring" -ExtensionType "MonitorX64Windows" -ResourceGroupName "<rg name>" -VMName "<vm name>" `

+ -Name "MonitorX64Windows" -TypeHandlerVersion "1.0" -Location "<location>" -SettingString '{"cfg":[{"key":"msi_res_id","value":"<user assigned resource id>"}]}'

+# Windows VM - system assigned identity

+Set-AzVMExtension -Publisher "Microsoft.AzureCAT.AzureEnhancedMonitoring" -ExtensionType "MonitorX64Windows" -ResourceGroupName "<rg name>" -VMName "<vm name>" `

+ -Name "MonitorX64Windows" -TypeHandlerVersion "1.0" -Location "<location>" -SettingString '{"cfg":[]}'

+# Linux VM - user assigned identity

+Set-AzVMExtension -Publisher "Microsoft.AzureCAT.AzureEnhancedMonitoring" -ExtensionType "MonitorX64Linux" -ResourceGroupName "<rg name>" -VMName "<vm name>" `

+ -Name "MonitorX64Linux" -TypeHandlerVersion "1.0" -Location "<location>" -SettingString '{"cfg":[{"key":"msi_res_id","value":"<user assigned resource id>"}]}'

+# Linux VM - system assigned identity

+Set-AzVMExtension -Publisher "Microsoft.AzureCAT.AzureEnhancedMonitoring" -ExtensionType "MonitorX64Linux" -ResourceGroupName "<rg name>" -VMName "<vm name>" `

+ -Name "MonitorX64Linux" -TypeHandlerVersion "1.0" -Location "<location>" -SettingString '{"cfg":[]}'

+```

+### Deploy manually with Azure CLI

+The following code contains four examples. It shows how to deploy the extension on Windows and Linux, using a system or user assigned identity. Make sure to replace the name of the resource group, the location and VM name in the example.

+``` bash

+# Windows VM - user assigned identity

+az vm extension set --publisher "Microsoft.AzureCAT.AzureEnhancedMonitoring" --name "MonitorX64Windows" --resource-group "<rg name>" --vm-name "<vm name>" \

+ --extension-instance-name "MonitorX64Windows" --settings '{"cfg":[{"key":"msi_res_id","value":"<user assigned resource id>"}]}'

+# Windows VM - system assigned identity

+az vm extension set --publisher "Microsoft.AzureCAT.AzureEnhancedMonitoring" --name "MonitorX64Windows" --resource-group "<rg name>" --vm-name "<vm name>" \

+ --extension-instance-name "MonitorX64Windows" --settings '{"cfg":[]}'

+

+# Linux VM - user assigned identity

+az vm extension set --publisher "Microsoft.AzureCAT.AzureEnhancedMonitoring" --name "MonitorX64Linux" --resource-group "<rg name>" --vm-name "<vm name>" \

+ --extension-instance-name "MonitorX64Linux" --settings '{"cfg":[{"key":"msi_res_id","value":"<user assigned resource id>"}]}'

+# Linux VM - system assigned identity

+az vm extension set --publisher "Microsoft.AzureCAT.AzureEnhancedMonitoring" --name "MonitorX64Linux" --resource-group "<rg name>" --vm-name "<vm name>" \

+ --extension-instance-name "MonitorX64Linux" --settings '{"cfg":[]}'

+```

+### Deploy manually with Terraform

+The following manifest contains four examples. It shows how to deploy the extension on Windows and Linux, using a system or user assigned identity. Make sure to replace the ID of the VM and ID of the user assigned identity in the example.

+```terraform

+# Windows VM - user assigned identity

+resource "azurerm_virtual_machine_extension" "example" {

+ name = "MonitorX64Windows"

+ virtual_machine_id = "<vm id>"

+ publisher = "Microsoft.AzureCAT.AzureEnhancedMonitoring"

+ type = "MonitorX64Windows"

+ type_handler_version = "1.0"

+ auto_upgrade_minor_version = true

+ settings = <<SETTINGS

+{

+ "cfg":[

+ {

+ "key":"msi_res_id",

+ "value":"<user assigned resource id>"

+ }

+ ]

+}

+SETTINGS

+}

+# Windows VM - system assigned identity

+resource "azurerm_virtual_machine_extension" "example" {

+ name = "MonitorX64Windows"

+ virtual_machine_id = "<vm id>"

+ publisher = "Microsoft.AzureCAT.AzureEnhancedMonitoring"

+ type = "MonitorX64Windows"

+ type_handler_version = "1.0"

+ auto_upgrade_minor_version = true

+ settings = <<SETTINGS

+{

+ "cfg":[

+ ]

+}

+SETTINGS

+}

+# Linux VM - user assigned identity

+resource "azurerm_virtual_machine_extension" "example" {

+ name = "MonitorX64Linux"

+ virtual_machine_id = "<vm id>"

+ publisher = "Microsoft.AzureCAT.AzureEnhancedMonitoring"

+ type = "MonitorX64Linux"

+ type_handler_version = "1.0"

+ auto_upgrade_minor_version = true

+ settings = <<SETTINGS

+{

+ "cfg":[

+ {

+ "key":"msi_res_id",

+ "value":"<user assigned resource id>"

+ }

+ ]

+}

+SETTINGS

+}

+# Linux VM - system assigned identity

+resource "azurerm_virtual_machine_extension" "example" {

+ name = "MonitorX64Linux"

+ virtual_machine_id = "<vm id>"

+ publisher = "Microsoft.AzureCAT.AzureEnhancedMonitoring"

+ type = "MonitorX64Linux"

+ type_handler_version = "1.0"

+ auto_upgrade_minor_version = true

+ settings = <<SETTINGS

+{

+ "cfg":[

+ ]

+}

+SETTINGS

+}

+```

+### Versions of the VM Extension for SAP

+If you want to disable automatic updates for the VM extension or want to deploy a specific version of the extension, you can retrieve the available versions with Azure CLI or Azure PowerShell.

+ Title: 'Tutorial: Protect your NAT gateway with Azure DDoS Protection Standard'

+description: Learn how to create an NAT gateway in an Azure DDoS Protection Standard protected virtual network.

+# Tutorial: Protect your NAT gateway with Azure DDoS Protection Standard

+This article helps you create an Azure Virtual Network NAT gateway with a DDoS protected virtual network. Azure DDoS Protection Standard enables enhanced DDoS mitigation capabilities such as adaptive tuning, attack alert notifications, and monitoring to protect your NAT gateway from large scale DDoS attacks.

+> [!IMPORTANT]

+> Azure DDoS Protection incurs a cost when you use the Standard SKU. Overages charges only apply if more than 100 public IPs are protected in the tenant. Ensure you delete the resources in this tutorial if you aren't using the resources in the future. For information about pricing, see [Azure DDoS Protection Pricing]( https://azure.microsoft.com/pricing/details/ddos-protection/). For more information about Azure DDoS protection, see [What is Azure DDoS Protection?](../../ddos-protection/ddos-protection-overview.md).

+In this tutorial, you learn how to:

+> [!div class="checklist"]

+> * Create a NAT gateway

+> * Create a DDoS protection plan

+> * Create a virtual network and associate the DDoS protection plan

+> * Create a test virtual machine

+> * Test the NAT gateway

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+## Create a NAT gateway

+Before you deploy the NAT gateway resource and the other resources, a resource group is required to contain the resources deployed. In the following steps, you'll create a resource group, NAT gateway resource, and a public IP address. You can use one or more public IP address resources, public IP prefixes, or both.

+For information about public IP prefixes and a NAT gateway, see [Manage NAT gateway](./manage-nat-gateway.md?tabs=manage-nat-portal#add-or-remove-a-public-ip-prefix).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+2. In the search box at the top of the portal, enter **NAT gateway**. Select **NAT gateways** in the search results.

+3. Select **+ Create**.

+4. In **Create network address translation (NAT) gateway**, enter or select this information in the **Basics** tab:

+ | **Setting** | **Value** |

+ ||--|

+ | **Project Details** | |

+ | Subscription | Select your Azure subscription. |

+ | Resource Group | Select **Create new**. </br> Enter **myResourceGroupNAT**. </br> Select **OK**. |

+ | **Instance details** | |

+ | NAT gateway name | Enter **myNATgateway** |

+ | Region | Select **West Europe** |

+ | Availability Zone | Select **No Zone**. |

+ | Idle timeout (minutes) | Enter **10**. |

+ For information about availability zones and NAT gateway, see [NAT gateway and availability zones](./nat-availability-zones.md).

+5. Select the **Outbound IP** tab, or select the **Next: Outbound IP** button at the bottom of the page.

+6. In the **Outbound IP** tab, enter or select the following information:

+ | **Setting** | **Value** |

+ | -- | |

+ | Public IP addresses | Select **Create a new public IP address**. </br> In **Name**, enter **myPublicIP**. </br> Select **OK**. |

+7. Select the **Review + create** tab, or select the blue **Review + create** button at the bottom of the page.

+8. Select **Create**.

+## Create a DDoS protection plan

+1. In the search box at the top of the portal, enter **DDoS protection**. Select **DDoS protection plans** in the search results and then select **+ Create**.

+1. In the **Basics** tab of **Create a DDoS protection plan** page, enter or select the following information:

+ | Setting | Value |

+ |--|--|

+ | **Project details** | |

+ | Subscription | Select your Azure subscription. |

+ | Resource group | Enter **myResourceGroupNAT**. |

+ | **Instance details** | |

+ | Name | Enter **myDDoSProtectionPlan**. |

+ | Region | Select **West Europe**. |

+1. Select **Review + create** and then select **Create** to deploy the DDoS protection plan.

+## Create a virtual network

+Before you deploy a virtual machine and can use your NAT gateway, you need to create the virtual network. This virtual network will contain the virtual machine created in later steps.

+1. In the search box at the top of the portal, enter **Virtual network**. Select **Virtual networks** in the search results.

+2. Select **Create**.

+3. In **Create virtual network**, enter or select this information in the **Basics** tab:

+ | **Setting** | **Value** |

+ ||--|

+ | **Project Details** | |

+ | Subscription | Select your Azure subscription |

+ | Resource Group | Select **myResourceGroupNAT**. |

+ | **Instance details** | |

+ | Name | Enter **myVNet** |

+ | Region | Select **(Europe) West Europe** |

+4. Select the **IP Addresses** tab or select the **Next: IP Addresses** button at the bottom of the page.

+5. Accept the default IPv4 address space of **10.1.0.0/16**.

+6. In the subnet section in **Subnet name**, select the **default** subnet.

+7. In **Edit subnet**, enter this information:

+ | Setting | Value |

+ |--|-|

+ | Subnet name | Enter **mySubnet** |

+ | Subnet address range | Enter **10.1.0.0/24** |

+ | **NAT GATEWAY** |

+ | NAT gateway | Select **myNATgateway**. |

+8. Select **Save**.

+9. Select the **Security** tab.

+10. In **BastionHost**, select **Enable**. Enter this information:

+ | Setting | Value |

+ |--|-|

+ | Bastion name | Enter **myBastionHost** |

+ | AzureBastionSubnet address space | Enter **10.1.1.0/26** |

+ | Public IP Address | Select **Create new**. </br> For **Name**, enter **myBastionIP**. </br> Select **OK**. |

+11. In **DDoS protection** select **Enable**. Select **myDDoSProtectionPlan** in DDoS protection plan.

+12. Select the **Review + create** tab or select the **Review + create** button.

+13. Select **Create**.

+It can take a few minutes for the deployment of the virtual network to complete. Proceed to the next steps when the deployment completes.

+

+## Create test virtual machine

+In this section, you'll create a virtual machine to test the NAT gateway and verify the public IP address of the outbound connection.

+1. In the search box at the top of the portal, enter **Virtual machine**. Select **Virtual machines** in the search results.

+2. Select **+ Create** > **Azure virtual machine**.

+2. In the **Create a virtual machine** page in the **Basics** tab, enter, or select the following information:

+ | **Setting** | **Value** |

+ | -- | |

+ | **Project details** | |

+ | Subscription | Select your subscription. |

+ | Resource group | Select **myResourceGroupNAT**. |

+ | **Instance details** | |

+ | Virtual machine name | Enter **myVM**. |

+ | Region | Select **(Europe) West Europe**. |

+ | Availability options | Select **No infrastructure redundancy required**. |

+ | Security type | Select **Standard**. |

+ | Image | Select **Windows Server 2022 Datacenter: Azure Edition - Gen2**. |

+ | Size | Select a size. |

+ | **Administrator account** | |

+ | Username | Enter a username for the virtual machine. |

+ | Password | Enter a password. |

+ | Confirm password | Confirm password. |

+ | **Inbound port rules** | |

+ | Public inbound ports | Select **None**. |

+3. Select the **Disks** tab, or select the **Next: Disks** button at the bottom of the page.

+4. Leave the default in the **Disks** tab.

+5. Select the **Networking** tab, or select the **Next: Networking** button at the bottom of the page.

+6. In the **Networking** tab, enter or select the following information:

+ | **Setting** | **Value** |

+ | -- | |

+ | **Network interface** | |

+ | Virtual network | Select **myVNet**. |

+ | Subnet | Select **mySubnet (10.1.0.0/24)**. |

+ | Public IP | Select **None**. |

+ | NIC network security group | Select **Basic**. |

+ | Public inbound ports | Select **None**. |

+7. Select the **Review + create** tab, or select the blue **Review + create** button at the bottom of the page.

+8. Select **Create**.

+## Test NAT gateway

+In this section, you'll test the NAT gateway. You'll first discover the public IP of the NAT gateway. You'll then connect to the test virtual machine and verify the outbound connection through the NAT gateway.

+

+1. In the search box at the top of the portal, enter **Public IP**. Select **Public IP addresses** in the search results.

+2. Select **myPublicIP**.

+3. Make note of the public IP address:

+ :::image type="content" source="./media/quickstart-create-nat-gateway-portal/find-public-ip.png" alt-text="Screenshot of discover public IP address of NAT gateway." border="true":::

+4. In the search box at the top of the portal, enter **Virtual machine**. Select **Virtual machines** in the search results.

+5. Select **myVM**.

+4. On the **Overview** page, select **Connect**, then **Bastion**.

+6. Enter the username and password entered during VM creation. Select **Connect**.

+7. Open **Microsoft Edge** on **myTestVM**.

+8. Enter **https://whatsmyip.com** in the address bar.

+9. Verify the IP address displayed matches the NAT gateway address you noted in the previous step:

+ :::image type="content" source="./media/quickstart-create-nat-gateway-portal/my-ip.png" alt-text="Screenshot of Internet Explorer showing external outbound IP." border="true":::

+## Clean up resources

+If you're not going to continue to use this application, delete

+the virtual network, virtual machine, and NAT gateway with the following steps:

+1. From the left-hand menu, select **Resource groups**.

+2. Select the **myResourceGroupNAT** resource group.

+3. Select **Delete resource group**.

+4. Enter **myResourceGroupNAT** and select **Delete**.

+## Next steps

+For more information on Azure Virtual Network NAT, see:

+> [!div class="nextstepaction"]

+> [Virtual Network NAT overview](nat-overview.md)

+* Currently, using Azure Firewall to inspect inter-hub traffic is available for Virtual WAN hubs that are deployed in the **same** Azure Region.

+ Title: 'Tutorial: Protect your VPN gateway with Azure DDoS Protection Standard'

+description: Learn how to set up a VPN gateway and protect it with Azure DDoS protection

+# Tutorial: Protect your VPN gateway with Azure DDoS Protection Standard

+This article helps you create an Azure VPN Gateway with a DDoS protected virtual network. Azure DDoS Protection Standard enables enhanced DDoS mitigation capabilities such as adaptive tuning, attack alert notifications, and monitoring to protect your VPN gateway from large scale DDoS attacks.

+> [!IMPORTANT]

+> Azure DDoS Protection incurs a cost when you use the Standard SKU. Overages charges only apply if more than 100 public IPs are protected in the tenant. Ensure you delete the resources in this tutorial if you aren't using the resources in the future. For information about pricing, see [Azure DDoS Protection Pricing]( https://azure.microsoft.com/pricing/details/ddos-protection/). For more information about Azure DDoS protection, see [What is Azure DDoS Protection?](../ddos-protection/ddos-protection-overview.md).

+In this tutorial, you learn how to:

+> [!div class="checklist"]

+> * Create a DDoS protection plan

+> * Create a virtual network

+> * Enable DDoS protection on the virtual network

+> * Create a VPN gateway

+> * View the gateway public IP address

+> * Resize a VPN gateway (resize SKU)

+> * Reset a VPN gateway

+The following diagram shows the virtual network and the VPN gateway created as part of this tutorial.

+## Prerequisites

+An Azure account with an active subscription. If you don't have one, [create one for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio).

+## <a name="CreatVNet"></a>Create a virtual network

+Create a VNet using the following values:

+* **Resource group:** TestRG1

+* **Name:** VNet1

+* **Region:** (US) East US

+* **IPv4 address space:** 10.1.0.0/16

+* **Subnet name:** FrontEnd

+* **Subnet address space:** 10.1.0.0/24

+## Create a DDoS protection plan

+1. In the search box at the top of the portal, enter **DDoS protection**. Select **DDoS protection plans** in the search results and then select **+ Create**.

+1. In the **Basics** tab of **Create a DDoS protection plan** page, enter or select the following information:

+ | Setting | Value |

+ |--|--|

+ | **Project details** | |

+ | Subscription | Select your Azure subscription. |

+ | Resource group | Select **TestRG1**. |

+ | **Instance details** | |

+ | Name | Enter **myDDoSProtectionPlan**. |

+ | Region | Select **East US**. |

+1. Select **Review + create** and then select **Create** to deploy the DDoS protection plan.

+## Enable DDoS protection

+Azure DDoS protection Standard is enabled at the virtual network where the resource you want to protect reside.

+1. In the search box at the top of the portal, enter **Virtual network**. Select **Virtual networks** in the search results.

+2. Select **VNet1**.

+3. Select **DDoS protection** in **Settings**.

+4. Select **Enable**.

+5. In the pull-down box in DDoS protection plan, select **myDDoSProtectionPlan**.

+6. Select **Save**.

+## <a name="VNetGateway"></a>Create a VPN gateway

+In this step, you create the virtual network gateway (VPN gateway) for your VNet. Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU.

+Create a virtual network gateway using the following values:

+* **Name:** VNet1GW

+* **Region:** East US

+* **Gateway type:** VPN

+* **VPN type:** Route-based

+* **SKU:** VpnGw2

+* **Generation:** Generation 2

+* **Virtual network:** VNet1

+* **Gateway subnet address range:** 10.1.255.0/27

+* **Public IP address:** Create new

+* **Public IP address name:** VNet1GWpip

+A gateway can take 45 minutes or more to fully create and deploy. You can see the deployment status on the Overview page for your gateway. After the gateway is created, you can view the IP address that has been assigned to it by looking at the virtual network in the portal. The gateway appears as a connected device.

+## <a name="view"></a>View the public IP address

+You can view the gateway public IP address on the **Overview** page for your gateway.

+To see additional information about the public IP address object, select the name/IP address link next to **Public IP address**.

+## <a name="resize"></a>Resize a gateway SKU

+There are specific rules regarding resizing vs. changing a gateway SKU. In this section, we'll resize the SKU. For more information, see [Gateway settings - resizing and changing SKUs](vpn-gateway-about-vpn-gateway-settings.md#resizechange).

+## <a name="reset"></a>Reset a gateway

+## Clean up resources

+If you're not going to continue to use this application or go to the next tutorial, delete

+these resources using the following steps:

+1. Enter the name of your resource group in the **Search** box at the top of the portal and select it from the search results.

+1. Select **Delete resource group**.

+1. Enter your resource group for **TYPE THE RESOURCE GROUP NAME** and select **Delete**.

+## Next steps

+Once you have a VPN gateway, you can configure connections. The following articles will help you create a few of the most common configurations:

+> [!div class="nextstepaction"]

+> [Site-to-Site VPN connections](./tutorial-site-to-site-portal.md)

+> [!div class="nextstepaction"]

+> [Point-to-Site VPN connections](vpn-gateway-howto-point-to-site-resource-manager-portal.md)