+Add new orchestration steps that refer to the technical profiles.

+1. Identify the policy file that contains your user journey, such as `SocialAndLocalAccounts/SignUpOrSignin.xml`, then open it.

+1. Before the `SendClaims` orchestration step, add a new step that calls `AppInsights-UserSignup`. It's triggered when the user selects the sign-up button in a sign-up or sign-in journey. You may need to update the orchestration step, `Order="8"`,to make sure you don't skip any integer from the first to the last orchestration step.

+ <!-- Handles the user selecting the sign-up link in the local account sign-in page

+ The `SendClaims` orchestration step comes after this one,

+ -->

+1. After the `SendClaims` orchestration step, call `AppInsights-SignInComplete`. This step shows a successfully completed journey. You may need to update the orchestration step, `Order="10"`, to make sure you don't skip any integer from the first to the last orchestration step.

+ <!-- Track that we have successfully sent a token

+ The `SendClaims` orchestration step come before this one,

+ -->

+#customer intent: I'm a developer, and I need to understand how to build a global identity solution using a funnel-based approach, so I can implement it in my organization's Azure AD B2C environment.

+#customer intent: As a developer, I want to understand how to build a global identity solution using a funnel-based approach, so I can implement it in my organization's Azure AD B2C environment.

+#customer intent: I'm a developer implementing Azure Active Directory B2C, and I want to configure region-based sign-up, sign-in, and password reset journeys. My goal is for users to be directed to the correct region and their data managed accordingly.

+#customer intent: I'm a developer implementing a global identity solution. I need to understand the different scenarios and workflows for region-based design approach in Azure AD B2C. My goal is to design and implement the authentication and sign-up processes effectively for users from different regions.

+#customer intent: I'm a developer building a customer-facing application. I need to understand the different approaches to implement an identity platform using Azure AD B2C tenants for a globally operating business model. I want to make an informed decision about the architecture that best suits my application's requirements.

+#Customer intent: As an Azure AD B2C application developer, I want to update the redirect URLs in my identity provider's applications to reference b2clogin.com or a custom domain, so that I can authenticate users with Azure AD B2C using the updated endpoints.

+- <code>https://<b>login.microsoft.com</b>/\<tenant-name\>.onmicrosoft.com/<b>\<policy-name\></b>/oauth2/v2.0/authorize</code> or <code>https://<b>login.microsoft.com</b>/\<tenant-name\>.onmicrosoft.com/oauth2/v2.0/authorize<b>?p=\<policy-name\></b></code> for `/authorize` endpoint.

+- <code>https://<b>login.microsoft.com</b>/\<tenant-name\>.onmicrosoft.com/<b>\<policy-name\></b>/oauth2/v2.0/logout</code> or <code>https://<b>login.microsoft.com</b>/\<tenant-name\>.onmicrosoft.com/oauth2/v2.0/logout<b>?p=\<policy-name\></b></code> for `/logout` endpoint.

+A corresponding updated endpoint would look similar to the following endpoints:

+- <code>https://<b>\<tenant-name\>.b2clogin.com</b>/\<tenant-name\>.onmicrosoft.com/<b>\<policy-name\></b>/oauth2/v2.0/authorize</code> or <code>https://<b>\<tenant-name\>.b2clogin.com</b>/\<tenant-name\>.onmicrosoft.com/oauth2/v2.0/authorize?<b>p=\<policy-name\></b></code> for the `/authorize` endpoint.

+- <code>https://<b>\<tenant-name\>.b2clogin.com</b>/\<tenant-name\>.onmicrosoft.com/<b>\<policy-name\></b>/oauth2/v2.0/logout</code> or <code>https://<b>\<tenant-name\>.b2clogin.com</b>/\<tenant-name\>.onmicrosoft.com/oauth2/v2.0/logout?<b>p=\<policy-name\></b></code> for the `/logout` endpoint.

+With Azure AD B2C [custom domain](./custom-domain.md) the corresponding updated endpoint would look similar to the following endpoints. You can use either of these endpoints:

+- <code>https://<b>login.contoso.com</b>/\<tenant-name\>.onmicrosoft.com/<b>\<policy-name\></b>/oauth2/v2.0/authorize</code> or <code>https://<b>login.contoso.com</b>/\<tenant-name\>.onmicrosoft.com/oauth2/v2.0/authorize?<b>p=\<policy-name\></b></code> for the `/authorize` endpoint.

+- <code>https://<b>login.contoso.com</b>/\<tenant-name\>.onmicrosoft.com/<b>\<policy-name\></b>/oauth2/v2.0/logout</code> or <code>https://<b>login.contoso.com</b>/\<tenant-name\>.onmicrosoft.com/oauth2/v2.0/logout?<b>p=\<policy-name\></b></code> for the `/logout` endpoint.

+However, if you only want to obtain a token to authenticate users, then you can specify the policy that your application wishes to use to authenticate users. In this case, the updated `/token` endpoints would look similar to the following examples.

+- <code>https://<b>\<tenant-name\>.b2clogin.com</b>/\<tenant-name\>.onmicrosoft.com/<b>\<policy-name\></b>/oauth2/v2.0/token</code> or <code>https://<b>\<tenant-name\>.b2clogin.com</b>/\<tenant-name\>.onmicrosoft.com/oauth2/v2.0/token?<b>p=\<policy-name\></b></code> when you use *b2clogin.com*.

+- <code>https://<b>login.contoso.com</b>/\<tenant-name\>.onmicrosoft.com/<b>\<policy-name\></b>/oauth2/v2.0/token</code> or <code>https://<b>login.contoso.com</b>/\<tenant-name\>.onmicrosoft.com/oauth2/v2.0/token?<b>p=\<policy-name\></b></code> when you use a custom domain.

+[msal-js-b2c]: ../active-directory/develop/msal-b2c-overview.md

+- Replace &lt;`custom-domain-name`&gt; with your custom domain name.

+- Replace &lt;`tenant-name`&gt; with the name of your tenant, or your tenant ID.

+- &lt;`custom-domain`&gt; with your custom domain

+- &lt;`tenant-name`&gt; with your tenant name or tenant ID

+- &lt;`policy-name`&gt; with your policy name.

+#customer intent: I'm a developers working with Azure Active Directory B2C. I need videos that provide a deep-dive into the architecture and features of the service. My goal is to gain a better understanding of how to implement and utilize Azure AD B2C in my applications.

+#customer intent: I'm a developer integrating Azure AD B2C, and I want to configure an identity verification and proofing provider. I need to combat identity fraud and create a trusted user experience for account registration.

+#customer intent: I'm an IT admin, and I want to configure Azure Active Directory B2C with Akamai Enterprise Application Access for SSO and secure hybrid access. I want to enable Azure AD B2C authentication for end users accessing private applications secured by Akamai Enterprise Application Access.

+#customer intent: I'm a developer integrating Azure Active Directory B2C with the Arkose Labs platform. I need to configure the integration, so I can protect against bot attacks, account takeover, and fraudulent account openings.

+#customer intent: I'm a developer integrating Asignio with Azure AD B2C for multifactor authentication. I want to configure an application with Asignio and set it up as an identity provider (IdP) in Azure AD B2C, so I can provide a passwordless, soft biometric, and multifactor authentication experience to customers.

+#customer intent: I'm a developer integrating Azure Active Directory B2C with Transmit Security BindID. I need instructions to configure integration, so I can enable passwordless authentication using FIDO2 biometrics for my application.

+#customer intent: I'm a developer integrating Azure AD B2C authentication with BioCatch technology. I need to configure the custom UI, policies, and user journey. My goal is to enhance the security of my Customer Identity and Access Management (CIAM) system by analyzing user physical and cognitive behaviors.

+#customer intent: I'm a developer integrating Azure Active Directory B2C with BlokSec for passwordless authentication. I need to configure integration, so I can simplify user sign-in and protect against identity-related attacks.

+#customer intent: I'm a developer configuring Azure AD B2C with Cloudflare WAF. I need to enable and configure the Web Application Firewall, so I can protect my application from malicious attacks such as SQL Injection and cross-site scripting (XSS).

+#customer intent: I'm a developer, and I want to integrate Azure Active Directory B2C with Datawiza Access Proxy (DAP). My goal is to enable single sign-on (SSO) and granular access control for on-premises legacy applications, without rewriting them.

+#customer intent: As an Azure AD B2C administrator, I want to integrate Deduce with Azure AD B2C authentication. I want to combat identity fraud and create a trusted user experience for my organization.

+- [Get started with custom policies in Azure AD B2C](./tutorial-create-user-flows.md?pivots=b2c-custom-policy&tabs=applications)

+#customer intent: I'm a developer, and I want to integrate Microsoft Dynamics 365 Fraud Protection with Azure Active Directory B2C. I need to assess risk during attempts to create fraudulent accounts and sign-ins, and then block or challenge suspicious attempts.

+#customer intent: I'm an Azure AD B2C administrator, and I want to configure eID-Me as an identity provider (IdP). My goal is to enable users to verify their identity and sign in using eID-Me.

+#customer intent: I'm an Azure AD B2C administrator, and I want to integrate Experian CrossCore with Azure AD B2C. I need to verify user identification and perform risk analysis based on user attributes during sign-up.

+#customer intent: As an IT admin responsible for securing applications, I want to integrate Azure Active Directory B2C with F5 BIG-IP Access Policy Manager. I want to expose legacy applications securely to the internet with preauthentication, Conditional Access, and single sign-on (SSO) capabilities.

+#customer intent: I'm an application developer using header-based authentication, and I want to migrate my legacy application to Azure Active Directory B2C with Grit app proxy. I need to enable modern authentication experiences, enhance security, and save on licensing costs.

+#customer intent: As an application developer using header-based authentication, I want to migrate my legacy application to Azure Active Directory B2C with Grit app proxy. I want to enable modern authentication experiences, enhance security, and save on licensing costs.

+#customer intent: I'm an Azure AD B2C administrator, and I want to use the Visual IEF Editor tool to create, modify, and deploy Azure AD B2C policies, without writing code.

+#customer intent: I'm a developer, and I want to integrate Azure Active Directory B2C authentication with the Grit IAM B2B2C solution. I need to provide secure and user-friendly identity and access management for my customers.

+#customer intent: I'm a developer integrating Haventec Authenticate with Azure AD B2C. I need instructions to configure integration, so I can enable single-step, multi-factor passwordless authentication for my web and mobile applications.

+#customer intent: I'm a developer integrating HYPR with Azure AD B2C. I want a tutorial to configure the Azure AD B2C policy to enable passwordless authentication using HYPR for my customer applications.

+#customer intent: I'm an Azure AD B2C administrator, and I want to configure IDEMIA Mobile ID integration with Azure AD B2C. I want users to authenticate using biometric authentication services and benefit from a trusted, government-issued digital ID.

+#customer intent: I'm an Azure AD B2C administrator, and I want to integrate Jumio with Azure AD B2C. I need to enable real-time automated ID verification for user accounts and protect customer data.

+#customer intent: I'm a developer integrating Azure AD B2C with Keyless for passwordless authentication. I need to configure Keyless with Azure AD B2C, so I can provide a secure and convenient passwordless authentication experience for my customer applications.

+Learn to configure Azure Active Directory B2C (Azure AD B2C) with the Sift Keyless passwordless solution. With Azure AD B2C as an identity provider (IdP), integrate Keyless with customer applications to provide passwordless authentication. The Keyless Zero-Knowledge Biometric (ZKB) is passwordless multifactor authentication that helps eliminate fraud, phishing, and credential reuse, while enhancing the customer experience and protecting privacy.

+#customer intent: I'm a developer integrating Azure Active Directory B2C with LexisNexis ThreatMetrix. I want to configure the API and UI components, so I can verify user identities and perform risk analysis based on user attributes and device profiling information.

+#customer intent: As an administrator managing customer accounts in Azure AD B2C, I want to configure TheAccessHub Admin Tool with Azure AD B2C. My goal is to migrate customer accounts, administer CSR requests, synchronize data, and customize notifications.

+#customer intent: I'm a developer, and I want to configure Nevis with Azure Active Directory B2C for passwordless authentication. I need to enable customer authentication and comply with Payment Services Directive 2 (PSD2) transaction requirements.

+In this tutorial, learn to enable passwordless authentication in Azure Active Directory B2C (Azure AD B2C) with the Nevis Access app to enable customer authentication and comply with Payment Services Directive 2 (PSD2) transaction requirements. PSD2 is a European Union (EU) directive, administered by the European Commission (Directorate General Internal Market) to regulate payment services and payment service providers throughout the EU and European Economic Area (EEA).

+#customer intent: I'm a developer integrating Azure Active Directory B2C with a third-party authentication provider. I want to learn how to configure Nok Nok Passport as an identity provider (IdP) in Azure AD B2C. My goal is to enable passwordless FIDO authentication for my users.

+Learn to integrate the Nok Nok S3 Authentication Suite into your Azure Active Directory B2C (Azure AD B2C) tenant. The Nok Nok solutions enable FIDO certified multi-factor authentication such as FIDO UAF, FIDO U2F, WebAuthn, and FIDO2 for mobile and web applications. Nok Nok solutions improve security posture while balancing user the experience.

+Go to noknok.com to learn more: [Nok Nok Labs, Inc.](https://noknok.com/)

+* Go to [noknok.com](https://noknok.com/).

+ * On the top menu, select **Demo**.

+To enable passwordless FIDO authentication for your users, enable Nok Nok as an identity provider (IdP) in your Azure AD B2C tenant. The Nok Nok solution integration includes the following components:

+The following diagram illustrates the Nok Nok solution as an IdP for Azure AD B2C by using OpenID Connect (OIDC) for passwordless authentication.

+1. At the sign-in page, select sign-in or sign-up and enters the username.

+2. Azure AD B2C redirects to the Nok Nok OIDC authentication provider.

+4. Scan the QR code with the Nok Nok app SDK or Passport app. Or, username is the sign-in page input.

+5. A prompt appears for authentication. Perform passwordless authentication: biometrics, device PIN, or any roaming authenticator.

+6. The authentication prompt appears on the web application.

+7. Perform passwordless authentication: biometrics, device PIN, or any roaming authenticator.

+8. The Nok Nok server validates FIDO assertion and sends OIDC authentication response to Azure AD B2C.

+9. The user is granted or denied access.

+1. Go to noknok.com [Contact](https://noknok.com/contact/).

+Use the following instructions to add and configure an IdP, and then configure a user flow.

+1. Sign in to the [Azure portal](https://portal.azure.com/#home) as Global Administrator of the Azure AD B2C tenant.

+2. For **Name**, enter the Nok Nok Authentication Provider, or another name.

+3. For **Metadata URL**, enter the hosted Nok Nok Authentication app URI, followed by the path such as `https://demo.noknok.com/mytenant/oidc/.well-known/openid-configuration`.

+5. For **Client ID**, use the Client ID provided by Nok Nok.

+1. Open the Azure AD B2C tenant. Under **Policies** select **Identity Experience Framework**.

+#customer intent: I'm a developer integrating Azure Active Directory B2C with Onfido. I need to configure the Onfido service to verify identity in the sign-up or sign-in flow. My goal is to meet Know Your Customer and identity requirements and provide a reliable onboarding experience, while reducing fraud.

+#customer intent: I'm a developer, and I want to learn how to configure Ping Identity with Azure Active Directory B2C for secure hybrid access (SHA). I need to extend the capabilities of Azure AD B2C and enable secure hybrid access using PingAccess and PingFederate.

+#customer intent: As a security manager, I want to integrate Azure Active Directory B2C with Saviynt. I need visibility, security, and governance over user life-cycle management and access control.

+#customer intent: As an IT admin, I want to integrate Azure Active Directory B2C with StrataMaverics Identity Orchestrator. I need to protect on-premises applications and enable customer single sign-on (SSO) to hybrid apps.

+4. The IdP challenges the user for credential. Multifactor authentication (MFA) might be required.

+#customer intent: I'm a developer integrating Azure AD B2C authentication with Trusona Authentication Cloud. I want to configure Trusona Authentication Cloud as an identity provider (IdP) in Azure AD B2C, so I can enable passwordless authentication and provide a better user experience for my web application users.

+#customer intent: I'm an Azure AD B2C administrator, and I want to integrate TypingDNA with Azure AD B2C. I need to comply with Payment Services Directive 2 (PSD2) transaction requirements through keystroke dynamics and strong customer authentication.

+#customer intent: I'm a developer configuring Azure Active Directory B2C with Azure Web Application Firewall. I want to enable the WAF service for my B2C tenant with a custom domain, so I can protect my web applications from common exploits and vulnerabilities.

+#customer intent: I'm a developer integrating WhoIAM Rampart with Azure AD B2C. I need to configure and integrate Rampart with Azure AD B2C using custom policies. My goal is to enable an integrated helpdesk and invitation-gated user registration experience for my application.

+#customer intent: I'm a developer integrating Azure Active Directory B2C with a third-party identity management system. I need a tutorial to configure WhoIAM Branded Identity Management System (BRIMS) with Azure AD B2C. My goal is to enable user verification with voice, SMS, and email in my application.

+#customer intent: As an Azure AD B2C administrator, I want to configure xID as an identity provider, so users can sign in using xID and authenticate with their digital identity on their device.

+#customer intent: As an IT admin, I want to integrate Azure Active Directory B2C authentication with Zscaler Private Access. I need to provide secure access to private applications and assets without the need for a virtual private network (VPN).

+To improve your production environment performance and better user experience, it's important to configure your policy to ignore messages that are unimportant. You also need to make sure that you don't log Personally Identifiable Information (PII). Use the following configuration in production environments and no logs are sent to your application insights.

+#Customer intent: As an Azure AD B2C administrator, I want to access and view the audit logs for my Azure AD B2C tenant, so that I can monitor activity, track user sign-ins, and troubleshoot any issues related to B2C resources and applications.

+> [!IMPORTANT]

+> To use Vision enhancement, you need a Computer Vision resource. It must be in the paid (S0) tier and in the same Azure region as your GPT-4 Turbo with Vision resource.

+> [!IMPORTANT]

+> To use Vision enhancement, you need a Computer Vision resource. It must be in the paid (S0) tier and in the same Azure region as your GPT-4 Turbo with Vision resource.

+> [!NOTE]

+> In order to use the video prompt enhancement, you need both an Azure AI Vision resource and an Azure Video Indexer resource, in the paid (S0) tier, in addition to your Azure OpenAI resource.

+

+| Model | Regions where model is available to all subscriptions with Azure OpenAI access | Regions where model is available only to subscriptions with previous access to that model/region |

+||:|:|

+| gpt-4 (0314) | | East US <br> France Central <br> South Central US <br> UK South |

+| gpt-4 (0613) | Australia East <br> Canada East <br> France Central <br> Sweden Central <br> Switzerland North | East US <br> East US 2 <br> Japan East <br> UK South |

+| gpt-4 (1106-preview) | Australia East <br> Canada East <br> East US 2 <br> France Central <br> Norway East <br> South India <br> Sweden Central <br> UK South <br> West US | |

+| gpt-4 (vision-preview) | | Sweden Central <br> Switzerland North<br>Australia East <br> West US |

+> [!NOTE]

+> As a temporary measure, GPT-4 Turbo with Vision is currently unavailable to new customers.

+The following command shows the most basic way to use the GPT-4 Turbo with Vision model with code. If this is your first time using these models programmatically, we recommend starting with our [GPT-4 Turbo with Vision quickstart](../gpt-v-quickstart.md).

+#### [REST](#tab/rest)

+The following is a sample request body. The format is the same as the chat completions API for GPT-4, except that the message content can be an array containing text and images (either a valid HTTP or HTTPS URL to an image, or a base-64-encoded image).

+> [!IMPORTANT]

+> Remember to set a `"max_tokens"` value, or the return output will be cut off.

+ "url": "<image URL>"

+#### [Python](#tab/python)

+1. Define your Azure OpenAI resource endpoint and key.

+1. Enter the name of your GPT-4 Turbo with Vision model deployment.

+1. Create a client object using those values.

+ ```python

+ api_base = '<your_azure_openai_endpoint>' # your endpoint should look like the following https://YOUR_RESOURCE_NAME.openai.azure.com/

+ api_key="<your_azure_openai_key>"

+ deployment_name = '<your_deployment_name>'

+ api_version = '2023-12-01-preview' # this might change in the future

+

+ client = AzureOpenAI(

+ api_key=api_key,

+ api_version=api_version,

+ base_url=f"{api_base}openai/deployments/{deployment_name}/extensions",

+ )

+ ```

+1. Then call the client's **create** method. The following code shows a sample request body. The format is the same as the chat completions API for GPT-4, except that the message content can be an array containing text and images (either a valid HTTP or HTTPS URL to an image, or a base-64-encoded image).

+ > [!IMPORTANT]

+ > Remember to set a `"max_tokens"` value, or the return output will be cut off.

+

+ ```python

+ response = client.chat.completions.create(

+ model=deployment_name,

+ messages=[

+ { "role": "system", "content": "You are a helpful assistant." },

+ { "role": "user", "content": [

+ {

+ "type": "text",

+ "text": "Describe this picture:"

+ },

+ {

+ "type": "image_url",

+ "image_url": {

+ "url": "<image URL>"

+ }

+ }

+ ] }

+ ],

+ max_tokens=2000

+ )

+ print(response)

+ ```

+> [!TIP]

+> ### Use a local image

+>

+> If you want to use a local image, you can use the following Python code to convert it to base64 so it can be passed to the API. Alternative file conversion tools are available online.

+>

+> ```python

+> import base64

+> from mimetypes import guess_type

+>

+> # Function to encode a local image into data URL

+> def local_image_to_data_url(image_path):

+> # Guess the MIME type of the image based on the file extension

+> mime_type, _ = guess_type(image_path)

+> if mime_type is None:

+> mime_type = 'application/octet-stream' # Default MIME type if none is found

+>

+> # Read and encode the image file

+> with open(image_path, "rb") as image_file:

+> base64_encoded_data = base64.b64encode(image_file.read()).decode('utf-8')

+>

+> # Construct the data URL

+> return f"data:{mime_type};base64,{base64_encoded_data}"

+>

+> # Example usage

+> image_path = '<path_to_image>'

+> data_url = local_image_to_data_url(image_path)

+> print("Data URL:", data_url)

+> ```

+>

+> When your base64 image data is ready, you can pass it to the API in the request body like this:

+>

+> ```json

+> ...

+> "type": "image_url",

+> "image_url": {

+> "url": "data:image/jpeg;base64,<your_image_data>"

+> }

+> ...

+> ```

+Every response includes a `"finish_details"` field. It has the following possible values:

+The _detail_ parameter in the model offers three choices: `low`, `high`, or `auto`, to adjust the way the model interprets and processes images. The default setting is auto, where the model decides between low or high based on the size of the image input.

+> To use Vision enhancement, you need a Computer Vision resource. It must be in the paid (S0) tier and in the same Azure region as your GPT-4 Turbo with Vision resource.

+#### [REST](#tab/rest)

+You must also include the `enhancements` and `dataSources` objects. `enhancements` represents the specific Vision enhancement features requested in the chat. It has a `grounding` and `ocr` property, which both have a boolean `enabled` property. Use these to request the OCR service and/or the object detection/grounding service. `dataSources` represents the Computer Vision resource data that's needed for Vision enhancement. It has a `type` property which should be `"AzureComputerVision"` and a `parameters` property. Set the `endpoint` and `key` to the endpoint URL and access key of your Computer Vision resource.

+> [!IMPORTANT]

+> Remember to set a `"max_tokens"` value, or the return output will be cut off.

+ "url":"<image URL>"

+#### [Python](#tab/python)

+You call the same method as in the previous step, but include the new *extra_body* parameter. It contains the `enhancements` and `dataSources` fields.

+`enhancements` represents the specific Vision enhancement features requested in the chat. It has a `grounding` and `ocr` field, which both have a boolean `enabled` property. Use these to request the OCR service and/or the object detection/grounding service.

+`dataSources` represents the Computer Vision resource data that's needed for Vision enhancement. It has a `type` field which should be `"AzureComputerVision"` and a `parameters` field. Set the `endpoint` and `key` to the endpoint URL and access key of your Computer Vision resource. R

+> [!IMPORTANT]

+> Remember to set a `"max_tokens"` value, or the return output will be cut off.

+```python

+response = client.chat.completions.create(

+ model=deployment_name,

+ messages=[

+ { "role": "system", "content": "You are a helpful assistant." },

+ { "role": "user", "content": [

+ {

+ "type": "text",

+ "text": "Describe this picture:"

+ },

+ {

+ "type": "image_url",

+ "image_url": {

+ "url": "<image URL>"

+ }

+ }

+ ] }

+ ],

+ extra_body={

+ "dataSources": [

+ {

+ "type": "AzureComputerVision",

+ "parameters": {

+ "endpoint": "<your_computer_vision_endpoint>",

+ "key": "<your_computer_vision_key>"

+ }

+ }],

+ "enhancements": {

+ "ocr": {

+ "enabled": True

+ },

+ "grounding": {

+ "enabled": True

+ }

+ }

+ },

+ max_tokens=2000

+)

+print(response)

+```

+Every response includes a `"finish_details"` field. It has the following possible values:

+> To use Vision enhancement, you need a Computer Vision resource. It must be in the paid (S0) tier and in the same Azure region as your GPT-4 Turbo with Vision resource.

+### Set up video retrieval

+Follow these steps to set up a video retrieval system to integrate with your AI chat model:

+### Call the Chat Completion API

+#### [REST](#tab/rest)

+#### [Python](#tab/python)

+Call the client's **create** method as in the previous sections, but include the *extra_body* parameter. Here, it contains the `enhancements` and `dataSources` fields. `enhancements` represents the specific Vision enhancement features requested in the chat. It has a `video` field, which has a boolean `enabled` property. Use this to request the video retrieval service.

+`dataSources` represents the external resource data that's needed for Vision enhancement. It has a `type` field which should be `"AzureComputerVisionVideoIndex"` and a `parameters` field.

+Set the `computerVisionBaseUrl` and `computerVisionApiKey` to the endpoint URL and access key of your Computer Vision resource. Set `indexName` to the name of your video index. Set `videoUrls` to a list of SAS URLs of your videos.

+> [!IMPORTANT]

+> Remember to set a `"max_tokens"` value, or the return output will be cut off.

+```python

+response = client.chat.completions.create(

+ model=deployment_name,

+ messages=[

+ { "role": "system", "content": "You are a helpful assistant." },

+ { "role": "user", "content": [

+ {

+ "type": "text",

+ "text": "Describe this video:"

+ },

+ {

+ "type": "acv_document_id",

+ "acv_document_id": "<your_video_ID>"

+ }

+ ] }

+ ],

+ extra_body={

+ "dataSources": [

+ {

+ "type": "AzureComputerVisionVideoIndex",

+ "parameters": {

+ "computerVisionBaseUrl": "<your_computer_vision_endpoint>", # your endpoint should look like the following https://YOUR_RESOURCE_NAME.cognitiveservices.azure.com/computervision

+ "computerVisionApiKey": "<your_computer_vision_key>",

+ "indexName": "<name_of_your_index>",

+ "videoUrls": ["<your_video_SAS_URL>"]

+ }

+ }],

+ "enhancements": {

+ "video": {

+ "enabled": True

+ }

+ }

+ },

+ max_tokens=100

+)

+print(response)

+```

+Every response includes a `"finish_details"` field. It has the following possible values:

+The steps are the same as in the previous example, but you'll increase the **amount to commit (PTU)** value. The value shown here is the total amount of PTUs purchased not incremental. The additional price charge displayed will represent a pro-rated amount to pay for the added PTUs over the remaining time in the time period.

+- **Microsoft Entra ID authentication**: You can authenticate an API call using a Microsoft Entra token. Authentication tokens are included in a request as the ```Authorization``` header. The token provided must be preceded by ```Bearer```, for example ```Bearer YOUR_AUTH_TOKEN```. You can read our how-to guide on [authenticating with Microsoft Entra ID](./how-to/managed-identity.md).

+You can make requests using [Azure AI Search](./concepts/use-your-data.md?tabs=ai-search#ingesting-your-data), [Azure Cosmos DB for MongoDB vCore](./concepts/use-your-data.md?tabs=mongo-db#ingesting-your-data), [Azure Machine Learning](/azure/machine-learning/overview-what-is-azure-machine-learning), [Pinecone](https://www.pinecone.io/), and [Elasticsearch](https://www.elastic.co/).

+### Azure Cosmos DB for MongoDB vCore parameters

+| `contentFieldsSeparator` (found inside of `fieldsMapping`) | string | Required | null | The separator for your content fields. Use `\n` by default. |

+- Vision enhancement using GPT-4 Turbo with Vision is now available in the [Azure Open AI Playground](https://oai.azure.com/) and includes support for Optical Character Recognition, object grounding, image support for "add your data," and support for video prompt.

+- The English (United Kingdom) voice `en-GB-MiaNeural` is retired on October 30, 2021. All service requests to `en-GB-MiaNeural` will be redirected to `en-GB-SoniaNeural` automatically as of October 30, 2021. If you're using container Neural TTS, [download](speech-container-ntts.md#get-the-container-image-with-docker-pull) and deploy the latest version. All requests with previous versions won't succeed starting from October 30, 2021.

+- The `en-US-JessaNeural` voice is retired and replaced by `en-US-AriaNeural`. If you were using "Jessa" before, convert to "Aria."

+- The Chinese (Mandarin, Simplified) voice `zh-CN-XiaoxuanNeural` is retired on Feburary 29, 2024. All service requests to `zh-CN-XiaoxuanNeural` will be redirected to `zh-CN-XiaozhenNeural` automatically as of Feburary 29, 2024. If you're using container Neural TTS, [download](speech-container-ntts.md#get-the-container-image-with-docker-pull) and deploy the latest version. All requests with previous versions won't succeed starting from Feburary 29, 2024.

+> [!div class="nextstepaction"]

+> [Custom voice API specification - 2023-12-01-preview](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/Speech/TextToSpeech/preview/2023-12-01-preview/texttospeech.json/)

+For information on planning IP addressing for your AKS cluster, see [Plan IP addressing for your cluster](./azure-cni-overview.md#plan-ip-addressing-for-your-cluster).

+When you specify an IP address for the load balancer, the specified IP address must reside in the same virtual network as the AKS cluster, but it can't already be assigned to another resource in the virtual network. For example, you shouldn't use an IP address in the range designated for the Kubernetes subnet within the AKS cluster. Using an IP address that's already assigned to another resource in the same virtual network can cause issues with the load balancer.

+| Endpoints for [Azure Application Insights integration](api-management-howto-app-insights.md) | Optional⁵ | Optional⁵ | Minimal required endpoints are:<ul><li>`rt.services.visualstudio.com:443`</li><li>`dc.services.visualstudio.com:443`</li><li>`{region}.livediagnostics.monitor.azure.com:443`</li></ul>Learn more in [Azure Monitor docs](../azure-monitor/ip-addresses.md#outgoing-ports) |

+ If you enabled [Azure Application Insights](api-management-howto-app-insights.md) monitoring on API Management, allow outbound connectivity to the [telemetry endpoint](../azure-monitor/ip-addresses.md#outgoing-ports) from the VNet.

+## January 2024

+### Public Preview: Azure Automation Runtime environment & support for Azure CLI commands in runbooks

+Azure Automation introduces [Runtime environment](runtime-environment-overview.md) (preview) that provides a simple and hassle-free experience for [updating scripts](quickstart-update-runbook-in-runtime-environment.md) to the latest language versions. It also provides complete control to configure the script execution environment, without worrying about conflicting module versions in a single Automation account. All existing runbooks are automatically available in the new Runtime environment experience with zero manual effort. You can navigate seamlessly between the old and new experience with a single click. [Learn more](manage-runtime-environment.md).

+Additionally, this feature enables support for [Azure CLI commands](quickstart-cli-support-powershell-runbook-runtime-environment.md) (preview) in PowerShell 7.2 runbooks. Now reap combined benefits of the rich command set of Azure CLI in Azure Automation runbooks to streamline management of Azure resources.

+ Title: "Deploy and manage applications from Azure Marketplace on Azure Arc-enabled Kubernetes clusters"

+description: "Learn how to discover Kubernetes applications in Azure Marketplace and deploy them to your Arc-enabled Kubernetes clusters."

+# Deploy and manage applications from Azure Marketplace on Azure Arc-enabled Kubernetes clusters

+[Azure Marketplace](/marketplace/azure-marketplace-overview) is an online store that contains thousands of IT software applications and services built by industry-leading technology companies. In Azure Marketplace, you can find, try, buy, and deploy the software and services that you need to build new solutions and manage your cloud infrastructure. The catalog includes solutions for different industries and technical areas, free trials, and consulting services from Microsoft partners.

+Included among these solutions are Kubernetes application-based container offers. These offers contain applications that can run on Azure Arc-enabled Kubernetes clusters, represented as [cluster extensions](conceptual-extensions.md). Deploying an offer from Azure Marketplace creates a new instance of the extension on your Arc-enabled Kubernetes cluster.

+This article shows you how to:

+- Discover applications that support Azure Arc-enabled Kubernetes clusters.

+- Purchase an application.

+- Deploy the application on your cluster.

+- Monitor usage and billing information.

+You can use Azure CLI or the Azure portal to perform these tasks.

+## Prerequisites

+To deploy an application, you must have an existing Azure Arc-enabled Kubernetes connected cluster, with at least one node of operating system and architecture type `linux/amd64`. If you haven't connected a cluster yet, use our [quickstart](quickstart-connect-cluster.md). Be sure to [upgrade your agents](agent-upgrade.md#manually-upgrade-agents) to the latest version before you get started.

+- An existing Azure Arc-enabled Kubernetes connected cluster, with at least one node of operating system and architecture type `linux/amd64`. If deploying [Flux (GitOps)](extensions-release.md#flux-gitops), you can use an ARM64-based cluster without a `linux/amd64` node.

+ - If you haven't connected a cluster yet, use our [quickstart](quickstart-connect-cluster.md).

+ - [Upgrade your agents](agent-upgrade.md#manually-upgrade-agents) to the latest version.

+- If using Azure CLI to review, deploy, and manage Azure Marketplace applications:

+ - The latest version of [Azure CLI](/cli/azure/install-azure-cli).

+ - The latest version of the `k8s-extension` Azure CLI extension. Install the extension by running `az extension add --name k8s-extension`. If the `k8s-extension` extension is already installed, make sure it's updated to the latest version by running `az extension update --name k8s-extension`.

+> [!NOTE]

+> This feature is currently supported only in the following regions:

+>

+>- East US, East US2, EastUS2 EUAP, West US, West US2, Central US, West Central US, South Central US, West Europe, North Europe, Canada Central, South East Asia, Australia East, Central India, Japan East, Korea Central, UK South, UK West, Germany West Central, France Central, East Asia, West US3, Norway East, South African North, North Central US, Australia South East, Switzerland North, Japan West, South India

+## Discover Kubernetes applications that supports Azure Arc-enabled clusters

+### [Azure portal](#tab/azure-portal)

+To discover Kubernetes applications in the Azure Marketplace from within the Azure portal:

+1. In the Azure portal, search for **Marketplace**. In the results, under **Services**, select **Marketplace**.

+1. From **Marketplace**, you can search for an offer or publisher directly by name, or you can browse all offers. To find Kubernetes application offers, select **Containers** from the **Categories** section in the left menu.

+ > [!IMPORTANT]

+ > The **Containers** category includes both Kubernetes applications and standalone container images. Be sure to select only Kubernetes application offers when following these steps. Container images have a different deployment process, and generally can't be deployed on Arc-enabled Kubernetes clusters.

+ :::image type="content" source="media/deploy-marketplace/marketplace-containers.png" alt-text="Screenshot of Azure Marketplace showing the Containers menu item." lightbox="media/deploy-marketplace/marketplace-containers.png":::

+1. You'll see several Kubernetes application offers displayed on the page. To view all of the Kubernetes application offers, select **See more**.

+ :::image type="content" source="media/deploy-marketplace/marketplace-see-more.png" alt-text="Screenshot showing the See more link for the Containers category in Azure Marketplace." lightbox="media/deploy-marketplace/marketplace-see-more.png":::

+1. Alternately, you can search for a specific `publisherId` to view that publisher's Kubernetes applications in Azure Marketplace. For details on how to find publisher IDs, see the Azure CLI tab for this article.

+ :::image type="content" source="media/deploy-marketplace/marketplace-search-by-publisher.png" alt-text="Screenshot showing the option to search by publisher in Azure Marketplace." lightbox="media/deploy-marketplace/marketplace-search-by-publisher.png":::

+Once you find an application that you want to deploy, move on to the next section.

+### [Azure CLI](#tab/azure-cli)

+You can use Azure CLI to get a list of extensions, including Azure Marketplace applications, that can be deployed on Azure Arc-enabled connected clusters. To do so, run this command, providing the name of your connected cluster and the resource group where the cluster is located.

+```azurecli-interactive

+az k8s-extension extension-types list-by-cluster --cluster-type connectedClusters --cluster-name <clusterName> --resource-group <resourceGroupName>

+```

+The command will return a list of extension types that can be deployed on the connected clusters, similar to the example shown here.

+```json

+"id": "/subscriptions/{sub}/resourceGroups/{rg} /providers/Microsoft.Kubernetes/connectedClusters/{clustername} /providers/Microsoft.KubernetesConfiguration/extensiontypes/contoso",

+"name": "contoso",

+"type": "Microsoft.KubernetesConfiguration/extensionTypes",

+"properties": {

+ "extensionType": "contoso",

+ "description": "Contoso extension",

+ "isSystemExtension": false,

+ "publisher": "contoso",

+ "isManagedIdentityRequired": false,

+ "supportedClusterTypes": [

+ "managedclusters",

+ "connectedclusters"

+ ],

+ "supportedScopes": {

+ "defaultScope": "namespace",

+ "clusterScopeSettings": {

+ "allowMultipleInstances": false,

+ "defaultReleaseNamespace": null

+ }

+ },

+ "planInfo": {

+ "offerId": "contosoOffer",

+ "planId": "contosoPlan",

+ "publisherId": "contoso"

+ }

+}

+```

+When you find an application that you want to deploy, note the following values from the response received: `planId`, `publisherId`, `offerID`, and `extensionType`. You'll need these values to accept the application's terms and deploy the application.

+## Deploy a Kubernetes application

+### [Azure portal](#tab/azure-portal)

+Once you've identified an offer you want to deploy, follow these steps:

+1. In the **Plans + Pricing** tab, review the options. If there are multiple plans available, find the one that meets your needs. Review the terms on the page to make sure they're acceptable, and then select **Create**.

+ :::image type="content" source="media/deploy-marketplace/marketplace-plans-pricing.png" alt-text="Screenshot of the Plans + Pricing page for a Kubernetes offer in Azure Marketplace." lightbox="media/deploy-marketplace/marketplace-plans-pricing.png":::

+1. Select the resource group and Arc-enabled cluster to which you want to deploy the application.

+ :::image type="content" source="media/deploy-marketplace/marketplace-select-cluster.png" alt-text="Screenshot showing the option to select a resource group and cluster for the Marketplace offer.":::

+1. Complete all pages of the deployment wizard to specify all configuration options that the application requires.

+ :::image type="content" source="media/deploy-marketplace/marketplace-configuration.png" alt-text="Screenshot showing configuration options for an Azure Marketplace offer.":::

+1. When you're finished, select **Review + Create**, then select **Create** to deploy the offer.

+### [Azure CLI](#tab/azure-cli)

+#### Accept terms and agreements

+Before you can deploy a Kubernetes application, you need to accept its terms and agreements. Be sure to read these terms carefully so that you understand costs and any other requirements.

+To view the details of the terms, run the following command, providing the values for `offerID`, `planID`, and `publisherID`:

+```azurecli-interactive

+az vm image terms show --offer <offerID> --plan <planId> --publisher <publisherId>

+```

+To accept the terms, run the following command, using the same values for `offerID`, `planID`, and `publisherID`.

+```azurecli-interactive

+az vm image terms accept --offer <offerID> --plan <planId> --publisher <publisherId>

+```

+> [!NOTE]

+> Although this command is for VMs, it also works for containers, including Arc-enabled Kubernetes clusters. For more information, see the [az vm image terms](/cli/azure/vm/image/terms) reference.

+#### Deploy the application

+To deploy the application (extension) through Azure CLI, follow the steps outlined in [Deploy and manage Azure Arc-enabled Kubernetes cluster extensions](extensions.md). An example command might look like this:

+```azurecli-interactive

+az k8s-extension create --name <offerID> --extension-type <extensionType> --cluster-name <clusterName> --resource-group <resourceGroupName> --cluster-type connectedClusters --plan-name <planId> --plan-product <offerID> --plan-publisher <publisherId>

+```

+## Verify the deployment

+Deploying an offer from Azure Marketplace creates a new extension instance on your Arc-enabled Kubernetes cluster. You can verify that the deployment was successful by confirming the extension is running successfully.

+### [Azure portal](#tab/azure-portal)

+Verify the deployment navigating to the cluster you recently installed the extension on, then navigate to **Extensions**, where you'll see the extension status.

+If the deployment was successful, the **Status** will be **Succeeded**. If the status is **Creating**, the deployment is still in progress. Wait a few minutes then check again.

+If the deployment fails, see [Troubleshoot the failed deployment of a Kubernetes application offer](/troubleshoot/azure/azure-kubernetes/troubleshoot-failed-kubernetes-deployment-offer).

+### [Azure CLI](#tab/azure-cli)

+Verify the deployment by using the following command to list the extensions that are already running or being deployed on your cluster:

+```azurecli-interactive

+az k8s-extension list --cluster-name <clusterName> --resource-group <resourceGroupName> --cluster-type connectedClusters

+```

+If the deployment was successful, `provisioningState` is `Succeeded`. If `provisioningState` is `Creating`, the deployment is still in progress. Wait a few minutes then check again.

+If the deployment fails, see [Troubleshoot the failed deployment of a Kubernetes application offer](/troubleshoot/azure/azure-kubernetes/troubleshoot-failed-kubernetes-deployment-offer).

+To view the extension instance from the cluster, run the following command:

+```azurecli-interactive

+az k8s-extension show --name <extension-name> --cluster-name <clusterName> --resource-group <resourceGroupName> --cluster-type connectedClusters

+```

+## Monitor billing and usage information

+You can monitor billing and usage information for a deployed extension in the Azure portal.

+1. In the Azure portal, navigate to your cluster's resource group.

+1. Select **Cost Management** > **Cost analysis**. Under **Product**, you can see a cost breakdown for the plan that you selected.

+ :::image type="content" source="media/deploy-marketplace/extension-cost-analysis.png" alt-text="Screenshot of the Azure portal page for a resource group, with billing information broken down by offer plan." lightbox="media/deploy-marketplace/extension-cost-analysis.png":::

+## Remove an application

+You can delete a purchased plan for a Kubernetes offer by deleting the extension instance on the cluster.

+### [Azure portal](#tab/azure-portal)

+To delete the extension instance in the Azure portal, select **Extensions** within your cluster. Select the application you want to remove, then select **Uninstall**.

+### [Azure CLI](#tab/azure-cli)

+The following command deletes an extension from the cluster:

+```azurecli-interactive

+az k8s-extension delete --name <extension-name> --cluster-name <clusterName> --resource-group <resourceGroupName> --cluster-type connectedClusters

+```

+## Troubleshooting

+For help with resolving issues, see [Troubleshoot the failed deployment of a Kubernetes application offer](/troubleshoot/azure/azure-kubernetes/troubleshoot-failed-kubernetes-deployment-offer).

+## Next steps

+- Learn about [extensions for Arc-enabled Kubernetes](conceptual-extensions.md).

+- Use our quickstart to [connect a Kubernetes cluster to Azure Arc](quickstart-connect-cluster.md).

+To write to an output binding, you must apply an output binding attribute to the function method, which defines how to write to the bound service. The value returned by the method is written to the output binding. For example, the following example writes a string value to a message queue named `output-queue` by using an output binding:

+ <PackageReference Include="Microsoft.Azure.Functions.Worker" Version="1.20.1" />

+ <PackageReference Include="Microsoft.Azure.Functions.Worker" Version="1.20.1" />

+ <PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.DurableTask" Version="1.1.1" />

+ <PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.Http" Version="3.1.0" />

+ <PackageReference Include="Microsoft.Azure.Functions.Worker.Sdk" Version="1.16.4" OutputItemType="Analyzer" />

+ <PackageReference Include="Microsoft.Azure.Functions.Worker" Version="1.20.1" />

+ <PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.DurableTask" Version="1.1.1" />

+ <PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.Http" Version="3.1.0" />

+ <PackageReference Include="Microsoft.Azure.Functions.Worker.Sdk" Version="1.16.4" OutputItemType="Analyzer" />

+dotnet add package Microsoft.Azure.WebJobs.Extensions.Storage.Queues

+dotnet add package Microsoft.Azure.WebJobs.Extensions.Tables

+dotnet add package Microsoft.Azure.WebJobs.Extensions.Storage

+ <PackageReference Include="Microsoft.Azure.Functions.Worker" Version="1.20.1" />

+ <PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.CosmosDB" Version="4.5.1" />

+ <PackageReference Include="Microsoft.Azure.Functions.Worker.Sdk" Version="1.16.4" />

+ <PackageReference Include="Microsoft.Azure.Functions.Worker" Version="1.20.1" />

+ <PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.ServiceBus" Version="5.15.0" />

+ <PackageReference Include="Microsoft.Azure.Functions.Worker.Sdk" Version="1.16.4" />

+**Firewall exceptions** ΓÇô Application Insights uses several IP addresses. You might need to know these addresses if the app that you're monitoring is hosted behind a firewall. For more information, see [IP addresses used by Azure Monitor](../azure-monitor/ip-addresses.md) from where you can download Azure Government IP addresses.

+The Azure Maps JavaScript/TypeScript REST SDK (JavaScript SDK) supports searching using the Azure Maps [Search service], like searching for an address, searching for boundary of a city or country, and searching by coordinates. This article helps you get started building location-aware applications that incorporate the power of Azure Maps.

+### Using a Shared Access Signature (SAS) Token Credential

+Shared access signature (SAS) tokens are authentication tokens created using the JSON Web token (JWT) format and are cryptographically signed to prove authentication for an application to the Azure Maps REST API.

+You can get the SAS token using [`AzureMapsManagementClient.accounts.listSas`][listSas] package. Follow the section [Create and authenticate a `AzureMapsManagementClient`][azureMapsManagementClient] to setup first.

+Second, follow [Managed identities for Azure Maps][managedIdentity] to create a managed identity for your Azure Maps account. Copy the principal ID (object ID) of the managed identity.

+Next, install [Azure Core Authentication Package] package to use `AzureSASCredential`:

+```bash

+npm install @azure/core-auth

+Finally, you can use the SAS token to authenticate the client:

+```javascript

+ const MapsSearch = require("@azure-rest/maps-search").default;

+ const { AzureSASCredential } = require("@azure/core-auth");

+ const { DefaultAzureCredential } = require("@azure/identity");

+ const { AzureMapsManagementClient } = require("@azure/arm-maps");

+ const subscriptionId = "<subscription ID of the map account>"

+ const resourceGroupName = "<resource group name of the map account>";

+ const accountName = "<name of the map account>";

+ const mapsAccountSasParameters = {

+ start: "<start time in ISO format>", // e.g. "2023-11-24T03:51:53.161Z"

+ expiry: "<expiry time in ISO format>", // maximum value to start + 1 day

+ maxRatePerSecond: 500,

+ principalId: "<principle ID (object ID) of the managed identity>",

+ signingKey: "primaryKey",

+ };

+ const credential = new DefaultAzureCredential();

+ const managementClient = new AzureMapsManagementClient(credential, subscriptionId);

+ const {accountSasToken} = await managementClient.accounts.listSas(

+ resourceGroupName,

+ accountName,

+ mapsAccountSasParameters

+ );

+ if (accountSasToken === undefined) {

+ throw new Error("No accountSasToken was found for the Maps Account.");

+ }

+ const sasCredential = new AzureSASCredential(accountSasToken);

+ const client = MapsSearch(sasCredential);

+## Geocoding

+The following code snippet demonstrates how, in a simple console application, to import the `@azure-rest/maps-search` package and get the coordinates of an address using [GetGeocoding] query:

+ const response = await client.path("/geocode", "json").get({

+ const [ lon, lat ] = response.body.features[0].geometry.coordinates;

+This code snippet shows how to use the `MapsSearch` method from the Azure Maps Search client library to create a `client` object with your Azure credentials. You can use either your Azure Maps subscription key or the [Microsoft Entra credential](#using-a-microsoft-entra-credential). The `path` parameter specifies the API endpoint, which in this case is "/geocode". The `get` method sends an HTTP GET request with the query parameters. The query searches for the coordinate of "1301 Alaskan Way, Seattle, WA 98101, US". The SDK returns the results as a [GeocodingResponseOutput] object and writes them to the console. The results are ordered by confidence score in this example and only the first result is displayed to the screen. For more information, see [GetGeocoding].

+Run `search.js` with Node.js:

+```powershell

+node search.js

+## Batch reverse geocoding

+Azure Maps Search also provides some batch query methods. The following example demonstrates how to call batched reverse search method:

+ const batchItems = [

+ // This is an invalid query

+ { coordinates: [2.294911, 148.858561] },

+ {

+ coordinates: [-122.34255, 47.6101],

+ },

+ { coordinates: [-122.33817, 47.6155] },

+ ];

+ const response = await client.path("/reverseGeocode:batch").post({

+ body: { batchItems },

+In this example, three coordinates are included in the `batchItems` of the request body. The first item is invalid, see [Handling failed requests](#handling-failed-requests) for an example showing how to handle the invalid item.

+ response.features.forEach((feature) => {

+ console.log(` ${feature.properties.address.freeformAddress}`);

+### Handling failed requests

+ { isUnexpected } = require("@azure-rest/maps-search");

+ const batchItems = [

+ { coordinates: [2.294911, 148.858561] },

+ coordinates: [-122.34255, 47.6101],

+ { coordinates: [-122.33817, 47.6155] },

+ ];

+ const response = await client.path("/reverseGeocode:batch").post({

+ if (isUnexpected(response)) {

+ throw response.body.error;

+ }

+ response.features.forEach((feature) => {

+ console.log(` ${feature.properties.address.freeformAddress}`);

+}

+## Use V1 SDK

+We are working to make all V1 features available in V2, until then, install the following V1 SDK packages if needed:

+```bash

+npm install @azure-rest/map-search-v1@npm:@azure-rest/map-search@^1.0.0

+npm install @azure-rest/map-search-v2@npm:@azure-rest/map-search@^2.0.0

+```

+Then, you can import the two packages:

+```javascript

+const MapsSearchV1 = require("@azure-rest/map-search-v1").default;

+const MapsSearchV2 = require("@azure-rest/map-search-v2").default;

+```

+The following example demonstrates creating a function that accepts an address and search POIs around it. Use V2 SDK to get the coordinates of the address(/geocode) and V1 SDK to search POIs around it(/search/nearby).

+```javascript

+const MapsSearchV1 = require("@azure-rest/map-search-v1").default;

+const MapsSearchV2 = require("@azure-rest/map-search-v2").default;

+const { AzureKeyCredential } = require("@azure/core-auth");

+const { isUnexpected: isUnexpectedV1 } = require("@azure-rest/maps-search-v1");

+const { isUnexpected: isUnexpectedV2 } = require("@azure-rest/maps-search-v2");

+require("dotenv").config();

+/** Initialize the MapsSearchClient */

+const clientV1 = MapsSearchV1(new AzureKeyCredential(process.env.MAPS_SUBSCRIPTION_KEY));

+const clientV2 = MapsSearchV2(new AzureKeyCredential(process.env.MAPS_SUBSCRIPTION_KEY));

+async function searchNearby(address) {

+ /** Make a request to the geocoding API */

+ const geocodeResponse = await clientV2

+ .path("/geocode")

+ .get({ queryParameters: { query: address } });

+ /** Handle error response */

+ if (isUnexpectedV2(geocodeResponse)) {

+ throw geocodeResponse.body.error;

+ }

+ const [lon, lat] = geocodeResponse.body.features[0].geometry.coordinates;

+

+ /** Make a request to the search nearby API */

+ const nearByResponse = await clientV1.path("/search/nearby/{format}", "json").get({

+ queryParameters: { lat, lon },

+ });

+ /** Handle error response */

+ if (isUnexpectedV1(nearByResponse)) {

+ throw nearByResponse.body.error;

+ }

+ /** Log response body */

+ for(const results of nearByResponse.body.results) {

+ console.log(

+ `${result.poi ? result.poi.name + ":" : ""} ${result.address.freeformAddress}. (${

+ result.position.lat

+ }, ${result.position.lon})\n`

+ );

+ }

+}

+async function main(){

+ searchNearBy("15127 NE 24th Street, Redmond, WA 98052");

+}

+main().catch((err) => {

+ console.log(err);

+})

+```

+[DefaultAzureCredential]: https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/identity/identity#defaultazurecredential

+[azureMapsManagementClient]: https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/maps/arm-maps#create-and-authenticate-a-azuremapsmanagementclient

+[GetGeocoding]: /javascript/api/@azure-rest/maps-search/getgeocoding

+[GeocodingResponseOutput]: /javascript/api/@azure-rest/maps-search/geocodingresponseoutput

+[js geolocation sample]: https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/maps/maps-geolocation-rest/samples/

+[js render sample]: https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/maps/maps-render-rest/samples/

+[js route sample]: https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/maps/maps-route-rest/samples/

+[listSas]: /javascript/api/%40azure/arm-maps/accounts#@azure-arm-maps-accounts-listsas

+[managedIdentity]: https://techcommunity.microsoft.com/t5/azure-maps-blog/managed-identities-for-azure-maps/ba-p/3666312

+[search sample]: https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/maps/maps-search-rest/samples/

+[Search service]: /rest/api/maps/search

+### [3.1.1] (January 26, 2024)

+#### New features (3.1.1)

+- Added a new option, `enableAccessibilityLocationFallback`, to enable or disable reverse-geocoding API fallback for accessibility (screen reader).

+#### Bug fixes (3.1.1)

+- Resolved an issue where ApplicationInsights v3.0.5 was potentially sending a large number of requests.

+[3.1.1]: https://www.npmjs.com/package/azure-maps-control/v/3.1.1

+ - Copy and paste this URL into the browser: [https://api.loganalytics.io/v1/version](https://api.loganalytics.io/v1/version). If you get an error, contact your IT administrator to allow the IP addresses associated with **api.loganalytics.io** listed [here](../ip-addresses.md#application-insights-and-log-analytics-apis).

+ Add the [IP addresses](../ip-addresses.md) that the webhook is called from to your allowlist.

+> [!NOTE]

+> Azure Action Groups doesn't support the use of private links today. It is reccomended that customers use public network access to avoid any issues. For other networking issues ensure you are properly using the [Action Group Service Tag](./../../virtual-network/service-tags-overview.md).

+|HTTP 400: The \<action\> couldn't be triggered because the payload is empty or invalid. | Check if the payload is valid, and included as part of the request.

+|HTTP 400: The \<action\> couldn't be triggered because Microsoft Entra auth is enabled but no auth context provided in the request. | 1. Check your Secure Webhook action settings.</br>2. Check your Microsoft Entra configuration. For more information, see [action groups](action-groups.md). |

+|</br>HTTP 403: The \<action\> returned a "Forbidden" response.</br>HTTP 403: Couldn't trigger the \<action\>. Make sure you have the required authorization.</br>HTTP 403: The \<action\> returned a 'Forbidden' response. Make sure you have the proper permissions to access it.</br>HTTP 403: The \<action\> is "Forbidden".</br>HTTP 403: Couldn't access the ITSM system. Make sure you have the required authorization. | 1. Check if the credential in the request is present, and valid.</br>2. Check if your endpoint correctly validates the credentials.</br>3. If it's Secure Webhook, make sure the Microsoft Entra authentication is set up correctly. For more information, see [action groups](action-groups.md).|

+|HTTP 404: The \<action\> wasn't found.</br>HTTP 404: The \<action\> target workflow wasn't found.</br>HTTP 404: The \<action\> target wasn't found.</br>HTTP 404: The \<action\> endpoint couldn't be found.</br>HTTP 404: The \<action\> was deleted. | 1. Check if the endpoints included in the requests are valid, up and running and accepting the requests.</br>2. For ITSM, check if the ITSM connector is still active.|

+|HTTP 429: The \<action\> couldn't be triggered because it is handling too many requests right now. |Check if your endpoint can handle the requests.</br>2. Wait a few minutes and retry. |

+|HTTP 500: The \<action\> encountered an internal server error.</br>HTTP 500: Couldn't reach the Azure \<action\> server.</br>HTTP 500: The \<action\> returned an 'internal server' error.</br>HTTP 500: The ServiceNow endpoint returned an 'Unexpected' response.</li></ul> |Check the alert payload received on your endpoint, and make sure the endpoint and its downstream service(s) can process the request successfully. |

+|HTTP 503: The \<action\> host isn't running.</br>HTTP 503: The service providing the \<action\> endpoint is temporarily unavailable.</br>HTTP 503: The ServiceNow returned Service Unavailable|Check if your endpoint is up and running and is accepting requests. |

+| The \<action\> couldn't be triggered because the \<action\> didn't succeeded after XXX retries. Calls to the \<action\> will be blocked for up to XXX minutes. Try again in XXX minutes. |Check the alert payload received on your endpoint, and make sure the endpoint and its downstream service(s) can process the request successfully.|

+| The email couldn't be sent because the recipient address wasn't found.</br> The email couldn't be sent because the email domain is invalid, or the MX resource record doesn't exist on the Domain Name Server (DNS). |Verify the email address(es) is/are valid and try again. |

+|</br>The email was sent but the delivery status couldn't be verified.</br> The email couldn't be sent because of a permanent error. |Wait a few minutes and retry. If the issue persists, file a support ticket. |

+|</br>Invalid destination number.</br> Invalid source address.</br> Invalid phone number. | Verify that the phone number is valid and retry.

+| The message couldn't be sent because it was blocked by the recipient's provider. | 1. Verify if you can receive SMS from other sources.</br>2. Check with your service provider. |

+|</br>The message couldn't be sent because the delivery timed out.</br> The message couldn't be delivered to the recipient. |Wait a few minutes and retry. If the issue still persists, file a support ticket. |

+|The call couldn't go through because the recipient's line was busy. | 1. Make sure your device is on, and service is available, and not busy.</br>2. Wait for a few minutes and retry. |

+| The call went through, but the recipient did not select any response. The call might have been picked up by a voice mail service. |Make sure your device is on, the line isn't busy, your service isn't interrupted, and call doesn't go into voice mail. |

+| HTTP 500: There was a problem connecting the call. Contact Azure support for assistance. | Wait a few minutes and retry. If the issue still persists, file a support ticket. |

+> Firewall settings must be adjusted for data to reach ingestion endpoints. For more information, see [IP addresses used by Azure Monitor](../ip-addresses.md).

+* **Firewall door**: Allow requests to your server from [the long and changeable list of web test agents](../ip-addresses.md).

+If your application is behind a firewall and can't connect directly to Application Insights, refer to [IP addresses used by Application Insights](../ip-addresses.md).

+Live Metrics uses different IP addresses than other Application Insights telemetry. Make sure [those IP addresses](../ip-addresses.md) are open in your firewall. Also check that [outgoing ports for Live Metrics](../ip-addresses.md#outgoing-ports) are open in the firewall of your servers.

+* Verify that [required outgoing ports](../ip-addresses.md) are open.

+ In cases where monitoring for intranet web server is required, our earlier solution asked you to add individual service endpoints to your configuration. For more information, see the [Can I monitor an intranet web server?](../ip-addresses.md#can-i-monitor-an-intranet-web-server). Connection strings offer a better alternative by reducing this effort to a single setting. A simple prefix, suffix amendment, allows automatic population and redirection of all endpoints to the right services.

+ Title: Set up Prometheus remote write by using Microsoft Entra authentication

+description: Learn how to set up remote write in Azure Monitor managed service for Prometheus. Use Microsoft Entra authentication to send data from a self-managed Prometheus server running in your Azure Kubernetes Server (AKS) cluster or Azure Arc-enabled Kubernetes cluster on-premises or in a different cloud.

+# Send Prometheus data to Azure Monitor by using Microsoft Entra authentication

+This article describes how to set up [remote write](prometheus-remote-write.md) to send data from a self-managed Prometheus server running in your Azure Kubernetes Service (AKS) cluster or Azure Arc-enabled Kubernetes cluster by using Microsoft Entra authentication.

+- Azure Kubernetes Service cluster

+- Kubernetes cluster running in a different cloud or on-premises

+> For an AKS cluster or an Azure Arc-enabled Kubernetes cluster, we recommend that you use managed identity authentication. For more information, see [Azure Monitor managed service for Prometheus remote write for managed identity](prometheus-remote-write-managed-identity.md).

+The prerequisites that are described in [Azure Monitor managed service for Prometheus remote write](prometheus-remote-write.md#prerequisites) apply to the processes that are described in this article.

+## Set up an application for Microsoft Entra ID

+The process to set up Prometheus remote write for an application by using Microsoft Entra authentication involves completing the following tasks:

+1. Register an application with Microsoft Entra ID.

+1. Get the client ID of the Microsoft Entra application.

+1. Assign the Monitoring Metrics Publisher role on the workspace data collection rule to the application.

+1. Create an Azure key vault and generate a certificate.

+1. Add a certificate to the Microsoft Entra application.

+1. Add a CSI driver and storage for the cluster.

+1. Deploy a sidecar container to set up remote write.

+The tasks are described in the following sections.

+### Register an application with Microsoft Entra ID

+Complete the steps to [register an application with Microsoft Entra ID](../../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal) and create a service principal.

+### Get the client ID of the Microsoft Entra application

+1. In the Azure portal, go to the **Microsoft Entra ID** menu and select **App registrations**.

+1. In the list of applications, copy the value for **Application (client) ID** for the registered application.

+### Assign the Monitoring Metrics Publisher role on the workspace data collection rule to the application

+The application must be assigned the Monitoring Metrics Publisher role on the data collection rule that is associated with your Azure Monitor workspace.

+1. On the resource menu for your Azure Monitor workspace, select **Overview**. For **Data collection rule**, select the link.

+ :::image type="content" source="media/prometheus-remote-write-managed-identity/azure-monitor-account-data-collection-rule.png" alt-text="Screenshot that shows the data collection rule that's used by Azure Monitor workspace." lightbox="media/prometheus-remote-write-managed-identity/azure-monitor-account-data-collection-rule.png":::

+1. On the resource menu for the data collection rule, select **Access control (IAM)**.

+1. Select **Add**, and then select **Add role assignment**.

+ :::image type="content" source="media/prometheus-remote-write-managed-identity/data-collection-rule-add-role-assignment.png" alt-text="Screenshot that shows adding a role assignment on Access control pages." lightbox="media/prometheus-remote-write-managed-identity/data-collection-rule-add-role-assignment.png":::

+1. Select the **Monitoring Metrics Publisher** role, and then select **Next**.

+ :::image type="content" source="media/prometheus-remote-write-managed-identity/add-role-assignment.png" alt-text="Screenshot that shows a list of role assignments." lightbox="media/prometheus-remote-write-managed-identity/add-role-assignment.png":::

+1. Select **User, group, or service principal**, and then choose **Select members**. Select the application that you created, and then choose **Select**.

+ :::image type="content" source="media/prometheus-remote-write-active-directory/select-application.png" alt-text="Screenshot that shows selecting the application." lightbox="media/prometheus-remote-write-active-directory/select-application.png":::

+1. To complete the role assignment, select **Review + assign**.

+### Create an Azure key vault and generate a certificate

+1. If you don't already have an Azure key vault, [create a vault](../../key-vault/general/quick-create-portal.md#create-a-vault).

+1. Create a certificate by using the guidance in [Add a certificate to Key Vault](../../key-vault/certificates/quick-create-portal.md#add-a-certificate-to-key-vault).

+1. Download the certificate in CER format by using the guidance in [Export a certificate from Key Vault](../../key-vault/certificates/quick-create-portal.md#export-certificate-from-key-vault).

+### Add a certificate to the Microsoft Entra application

+1. On the resource menu for your Microsoft Entra application, select **Certificates & secrets**.

+1. On the **Certificates** tab, select **Upload certificate** and select the certificate that you downloaded.

+ :::image type="content" source="media/prometheus-remote-write-active-directory/upload-certificate.png" alt-text="Screenshot that shows uploading a certificate for a Microsoft Entra application." lightbox="media/prometheus-remote-write-active-directory/upload-certificate.png":::

+> Certificates have an expiration date. It's the responsibility of the user to keep certificates valid.

+### Add a CSI driver and storage for the cluster

+> Azure Key Vault CSI driver configuration is only one of the ways to get a certificate mounted on a pod. The remote write container needs a local path to a certificate in the pod only for the `<AZURE_CLIENT_CERTIFICATE_PATH>` value in the step [Deploy a sidecar container to set up remote write](#deploy-a-sidecar-container-to-set-up-remote-write).

+This step is required only if you didn't turn on Azure Key Vault Provider for Secrets Store CSI Driver when you created your cluster.

+1. To turn on Azure Key Vault Provider for Secrets Store CSI Driver for your cluster, run the following Azure CLI command:

+1. To give the identity access to the key vault, run these commands:

+1. Create `SecretProviderClass` by saving the following YAML to a file named *secretproviderclass.yml*. Replace the values for `userAssignedIdentityID`, `keyvaultName`, `tenantId`, and the objects to retrieve from your key vault. For information about what values to use, see [Provide an identity to access the Azure Key Vault Provider for Secrets Store CSI Driver](../../aks/csi-secrets-store-identity-access.md).

+1. Apply `SecretProviderClass` by running the following command on your cluster:

+ ```bash

+### Deploy a sidecar container to set up remote write

+1. Copy the following YAML and save it to a file. The YAML uses port 8081 as the listening port. If you use a different port, modify that value in the YAML.

+1. Replace the following values in the YAML file:

+ | `<CLUSTER-NAME>` | The name of your AKS cluster. |

+ | `<INGESTION-URL>` | The value for **Metrics ingestion endpoint** from the **Overview** page for the Azure Monitor workspace. |

+ | `<APP-REGISTRATION -CLIENT-ID>` | The client ID of your application. |

+ | `<TENANT-ID>` | The tenant ID of the Microsoft Entra application. |

+ | `<CERT-NAME>` | The name of the certificate. |

+ | `<CLUSTER-NAME>` | The name of the cluster that Prometheus is running on. |

+1. Open Azure Cloud Shell and upload the YAML file.

+1. Use Helm to apply the YAML file and update your Prometheus configuration:

+ # set the context to your cluster

+ # use Helm to update your remote write config

+For verification and troubleshooting information, see [Azure Monitor managed service for Prometheus remote write](prometheus-remote-write.md#verify-remote-write-is-working-correctly).

+## Related content

+- [Learn more about Azure Monitor managed service for Prometheus](../essentials/prometheus-metrics-overview.md)

+- [Remote write in Azure Monitor managed service for Prometheus](prometheus-remote-write.md)

+- [Send Prometheus data to Azure Monitor by using managed identity authentication](./prometheus-remote-write-managed-identity.md)

+- [Send Prometheus data to Azure Monitor by using Microsoft Entra Workload ID (preview) authentication](./prometheus-remote-write-azure-workload-identity.md)

+- [Send Prometheus data to Azure Monitor by using Microsoft Entra pod-managed identity (preview) authentication](./prometheus-remote-write-azure-ad-pod-identity.md)

+ Title: Set up Prometheus remote write by using Microsoft Entra pod-managed identity authentication

+description: Learn how to set up remote write for Azure Monitor managed service for Prometheus by using Microsoft Entra pod-managed identity (preview) authentication.

+# Send Prometheus data to Azure Monitor by using Microsoft Entra pod-managed identity (preview) authentication

+This article describes how to set up remote write for Azure Monitor managed service for Prometheus by using Microsoft Entra pod-managed identity (preview) authentication.

+> [!NOTE]

+> The remote write sidecar container that's described in this article should be set up only by using the following steps, and only if the Azure Kubernetes Service (AKS) cluster already has a Microsoft Entra pod enabled. Microsoft Entra pod-managed identities have been deprecated to be replaced by [Microsoft Entra Workload ID](/azure/active-directory/workload-identities/workload-identities-overview). We recommend that you use Microsoft Entra Workload ID authentication.

+## Prerequisites

+The prerequisites that are described in [Azure Monitor managed service for Prometheus remote write](prometheus-remote-write.md#prerequisites) apply to the processes that are described in this article.

+## Set up an application for Microsoft Entra pod-managed identity

+The process to set up Prometheus remote write for an application by using Microsoft Entra pod-managed identity authentication involves completing the following tasks:

+1. Register a user-assigned managed identity with Microsoft Entra ID.

+1. Assign the Managed Identity Operator and Virtual Machine Contributor roles to the managed identity.

+1. Assign the Monitoring Metrics Publisher role to the user-assigned managed identity.

+1. Create an Azure identity binding.

+1. Add the aadpodidbinding label to the Prometheus pod.

+1. Deploy a sidecar container to set up remote write.

+The tasks are described in the following sections.

+### Register a managed identity with Microsoft Entra ID

+Create a user-assigned managed identity or register an existing user-assigned managed identity.

+For information about creating a managed identity, see [Set up remote write for Azure Monitor managed service for Prometheus by using managed identity authentication](./prometheus-remote-write-managed-identity.md#get-the-client-id-of-the-user-assigned-managed-identity).

+### Assign the Managed Identity Operator and Virtual Machine Contributor roles to the managed identity

+```azurecli

+az role assignment create --role "Managed Identity Operator" --assignee <managed identity clientID> --scope <NodeResourceGroupResourceId>

+az role assignment create --role "Virtual Machine Contributor" --assignee <managed identity clientID> --scope <Node ResourceGroup Id>

+```

+The node resource group of the AKS cluster contains resources that you use in other steps in this process. This resource group has the name `MC_<AKS-RESOURCE-GROUP>_<AKS-CLUSTER-NAME>_<REGION>`. You can find the resource group name by using the **Resource groups** menu in the Azure portal.

+### Assign the Monitoring Metrics Publisher role to the managed identity

+```azurecli

+az role assignment create --role "Monitoring Metrics Publisher" --assignee <managed identity clientID> --scope <NodeResourceGroupResourceId>

+```

+### Create an Azure identity binding

+The user-assigned managed identity requires an identity binding for the identity to be used as a pod-managed identity.

+Copy the following YAML to the *aadpodidentitybinding.yaml* file:

+```yaml

+apiVersion: "aadpodidentity.k8s.io/v1"

+kind: AzureIdentityBinding

+metadata:

+name: demo1-azure-identity-binding

+spec:

+AzureIdentity: ΓÇ£<AzureIdentityName>ΓÇ¥

+Selector: ΓÇ£<AzureIdentityBindingSelector>ΓÇ¥

+```

+Run the following command:

+```azurecli

+kubectl create -f aadpodidentitybinding.yaml

+```

+### Add the aadpodidbinding label to the Prometheus pod

+The `aadpodidbinding` label must be added to the Prometheus pod for the pod-managed identity to take effect. You can add the label by updating the *deployment.yaml* file or by injecting labels when you deploy the sidecar container as described in the next section.

+### Deploy a sidecar container to set up remote write

+1. Copy the following YAML and save it to a file. The YAML uses port 8081 as the listening port. If you use a different port, modify that value in the YAML.

+ [!INCLUDE[pod-identity-yaml](../includes/prometheus-sidecar-remote-write-pod-identity-yaml.md)]

+1. Use Helm to apply the YAML file and update your Prometheus configuration:

+ ```azurecli

+ # set the context to your cluster

+ az aks get-credentials -g <aks-rg-name> -n <aks-cluster-name>

+ # use Helm to update your remote write config

+ helm upgrade -f <YAML-FILENAME>.yml prometheus prometheus-community/kube-prometheus-stack --namespace <namespace where Prometheus pod resides>

+ ```

+## Verification and troubleshooting

+For verification and troubleshooting information, see [Azure Monitor managed service for Prometheus remote write](prometheus-remote-write.md#verify-remote-write-is-working-correctly).

+## Related content

+- [Remote write in Azure Monitor managed service for Prometheus](prometheus-remote-write.md)

+- [Send Prometheus data to Azure Monitor by using Microsoft Entra authentication](./prometheus-remote-write-active-directory.md)

+- [Send Prometheus data to Azure Monitor by using managed identity authentication](./prometheus-remote-write-managed-identity.md)

+- [Send Prometheus data to Azure Monitor by using Microsoft Entra Workload ID (preview) authentication](./prometheus-remote-write-azure-workload-identity.md)

+ Title: Set up Prometheus remote write by using Microsoft Entra Workload ID authentication

+description: Learn how to set up remote write in Azure Monitor managed service for Prometheus. Use Microsoft Entra Workload ID (preview) authentication to send data from a self-managed Prometheus server to your Azure Monitor workspace.

+# Send Prometheus data to Azure Monitor by using Microsoft Entra Workload ID (preview) authentication

+This article describes how to set up [remote write](prometheus-remote-write.md) to send data from your Azure Monitor managed Prometheus cluster by using Microsoft Entra Workload ID authentication.

+To send data from a Prometheus server by using remote write with Microsoft Entra Workload ID authentication, you need:

+- A cluster that has feature flags that are specific to OpenID Connect (OIDC) and an OIDC issuer URL:

+ - For managed clusters (Azure Kubernetes Service, Amazon Elastic Kubernetes Service, and Google Kubernetes Engine), see [Managed Clusters - Microsoft Entra Workload ID](https://azure.github.io/azure-workload-identity/docs/installation/managed-clusters.html).

+ - For self-managed clusters, see [Self-Managed Clusters - Microsoft Entra Workload ID](https://azure.github.io/azure-workload-identity/docs/installation/self-managed-clusters.html).

+- An installed mutating admission webhook. For more information, see [Mutating Admission Webhook - Microsoft Entra Workload ID](https://azure.github.io/azure-workload-identity/docs/installation/mutating-admission-webhook.html).

+- Prometheus running in the cluster. This article assumes that the Prometheus cluster is set up by using the [kube-prometheus stack](https://azure.github.io/azure-workload-identity/docs/installation/managed-clusters.html), but you can set up Prometheus by using other methods.

+## Set up a workload for Microsoft Entra Workload ID

+The process to set up Prometheus remote write for a workload by using Microsoft Entra Workload ID authentication involves completing the following tasks:

+1. Set up the workload identity.

+1. Create a Microsoft Entra application or user-assigned managed identity and grant permissions.

+1. Assign the Monitoring Metrics Publisher role on the workspace data collection rule to the application.

+1. Create or update your Kubernetes service account Prometheus pod.

+1. Establish federated identity credentials between the identity and the service account issuer and subject.

+1. Deploy a sidecar container to set up remote write.

+The tasks are described in the following sections.

+### Set up the workload identity

+To set up the workload identity, export the following environment variables:

+```bash

+# [OPTIONAL] Set this if you're using a Microsoft Entra application

+export APPLICATION_NAME="<your application name>"

+# [OPTIONAL] Set this only if you're using a user-assigned managed identity

+export USER_ASSIGNED_IDENTITY_NAME="<your user-assigned managed identity name>"

+# Environment variables for the Kubernetes service account and federated identity credential

+export SERVICE_ACCOUNT_NAMESPACE="<namespace of Prometheus pod>"

+export SERVICE_ACCOUNT_NAME="<name of service account associated with Prometheus pod>"

+export SERVICE_ACCOUNT_ISSUER="<your service account issuer URL>"

+```

+For `SERVICE_ACCOUNT_NAME`, check to see whether a service account (separate from the *default* service account) is already associated with the Prometheus pod. Look for the value of `serviceaccountName` or `serviceAccount` (deprecated) in the `spec` of your Prometheus pod. Use this value if it exists. If `serviceaccountName` and `serviceAccount` don't exist, enter the name of the service account you want to associate with your Prometheus pod.

+### Create a Microsoft Entra application or user-assigned managed identity and grant permissions

+Create a Microsoft Entra application or a user-assigned managed identity and grant permission to publish metrics to Azure Monitor workspace:

+```azurecli

+# create a Microsoft Entra application

+az ad sp create-for-rbac --name "${APPLICATION_NAME}"

+# create a user-assigned managed identity if you use a user-assigned managed identity for this article

+az identity create --name "${USER_ASSIGNED_IDENTITY_NAME}" --resource-group "${RESOURCE_GROUP}"

+```

+### Assign the Monitoring Metrics Publisher role on the workspace data collection rule to the application or managed identity

+For information about assigning the role, see [Assign the Monitoring Metrics Publisher role on the workspace data collection rule to the managed identity](prometheus-remote-write-managed-identity.md#assign-the-monitoring-metrics-publisher-role-on-the-workspace-data-collection-rule-to-the-managed-identity).

+### Create or update your Kubernetes service account Prometheus pod

+Often, a Kubernetes service account is created and associated with the pod running the Prometheus container. If you're using the kube-prometheus stack, the code automatically creates the prometheus-kube-prometheus-prometheus service account.

+If no Kubernetes service account except the default service account is associated with Prometheus, create a new service account specifically for the pod running Prometheus.

+To create the service account, run the following kubectl command:

+```bash

+cat <<EOF | kubectl apply -f -

+apiVersion: v1

+kind: service account

+metadata:

+ annotations:

+ azure.workload.identity/client-id: ${APPLICATION_CLIENT_ID:-$USER_ASSIGNED_IDENTITY_CLIENT_ID}

+ name: ${SERVICE_ACCOUNT_NAME}

+ namespace: ${SERVICE_ACCOUNT_NAMESPACE}

+EOF

+```

+If a Kubernetes service account other than default service account is associated with your pod, add the following annotation to your service account:

+```bash

+kubectl annotate sa ${SERVICE_ACCOUNT_NAME} -n ${SERVICE_ACCOUNT_NAMESPACE} azure.workload.identity/client-id="${APPLICATION_OR_USER_ASSIGNED_IDENTITY_CLIENT_ID}" ΓÇôoverwrite

+```

+If your Microsoft Entra application or user-assigned managed identity isn't in the same tenant as your cluster, add the following annotation to your service account:

+```bash

+kubectl annotate sa ${SERVICE_ACCOUNT_NAME} -n ${SERVICE_ACCOUNT_NAMESPACE} azure.workload.identity/tenant-id="${APPLICATION_OR_USER_ASSIGNED_IDENTITY_TENANT_ID}" ΓÇôoverwrite

+```

+### Establish federated identity credentials between the identity and the service account issuer and subject

+Create federated credentials by using the Azure CLI.

+#### User-assigned managed identity

+```cli

+az identity federated-credential create \

+ --name "kubernetes-federated-credential" \

+ --identity-name "${USER_ASSIGNED_IDENTITY_NAME}" \

+ --resource-group "${RESOURCE_GROUP}" \

+ --issuer "${SERVICE_ACCOUNT_ISSUER}" \

+ --subject "system:serviceaccount:${SERVICE_ACCOUNT_NAMESPACE}:${SERVICE_ACCOUNT_NAME}"

+```

+#### Microsoft Entra application

+```cli

+# Get the ObjectID of the Microsoft Entra app.

+export APPLICATION_OBJECT_ID="$(az ad app show --id ${APPLICATION_CLIENT_ID} --query id -otsv)"

+# Add a federated identity credential.

+cat <<EOF > params.json

+{

+ "name": "kubernetes-federated-credential",

+ "issuer": "${SERVICE_ACCOUNT_ISSUER}",

+ "subject": "system:serviceaccount:${SERVICE_ACCOUNT_NAMESPACE}:${SERVICE_ACCOUNT_NAME}",

+ "description": "Kubernetes service account federated credential",

+ "audiences": [

+ "api://AzureADTokenExchange"

+ ]

+}

+EOF

+az ad app federated-credential create --id ${APPLICATION_OBJECT_ID} --parameters @params.json

+```

+### Deploy a sidecar container to set up remote write

+>

+>The Prometheus pod must have the following label: `azure.workload.identity/use: "true"`

+>

+> The remote write sidecar container requires the following environment values:

+>

+> - `INGESTION_URL`: The metrics ingestion endpoint that's shown on the **Overview** page for the Azure Monitor workspace

+> - `LISTENING_PORT`: `8081` (any port is supported)

+> - `IDENTITY_TYPE`: `workloadIdentity`

+1. Copy the following YAML and save it to a file. The YAML uses port 8081 as the listening port. If you use a different port, modify that value in the YAML.

+ [!INCLUDE [prometheus-sidecar-remote-write-workload-identity-yaml](../includes/prometheus-sidecar-remote-write-workload-identity-yaml.md)]

+1. Replace the following values in the YAML:

+ | `<CLUSTER-NAME>` | The name of your AKS cluster. |

+ | `<INGESTION-URL>` | The value for **Metrics ingestion endpoint** from the **Overview** page for the Azure Monitor workspace. |

+1. Use Helm to apply the YAML file and update your Prometheus configuration:

+ # set a context to your cluster

+ # use Helm to update your remote write config

+## Verification and troubleshooting

+For verification and troubleshooting information, see [Azure Monitor managed service for Prometheus remote write](prometheus-remote-write.md#verify-remote-write-is-working-correctly).

+## Related content

+- [Collect Prometheus metrics from an AKS cluster](../containers/kubernetes-monitoring-enable.md#enable-prometheus-and-grafana)

+- [Learn more about Azure Monitor managed service for Prometheus](../essentials/prometheus-metrics-overview.md)

+- [Remote write in Azure Monitor managed service for Prometheus](prometheus-remote-write.md)

+- [Send Prometheus data to Azure Monitor by using Microsoft Entra authentication](./prometheus-remote-write-active-directory.md)

+- [Send Prometheus data to Azure Monitor by using managed identity authentication](./prometheus-remote-write-managed-identity.md)

+- [Send Prometheus data to Azure Monitor by using Microsoft Entra pod-managed identity (preview) authentication](./prometheus-remote-write-azure-ad-pod-identity.md)

+ Title: Set up Prometheus remote write by using managed identity authentication

+description: Learn how to set up remote write in Azure Monitor managed service for Prometheus. Use managed identity authentication to send data from a self-managed Prometheus server running in your Azure Kubernetes Server (AKS) cluster or Azure Arc-enabled Kubernetes cluster.

+# Send Prometheus data to Azure Monitor by using managed identity authentication

+This article describes how to set up [remote write](prometheus-remote-write.md) to send data from a self-managed Prometheus server running in your Azure Kubernetes Service (AKS) cluster or Azure Arc-enabled Kubernetes cluster by using managed identity authentication. You can either use an existing identity that's created by AKS or [create your own](../../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md). Both options are described here.

+- Azure Kubernetes Service cluster

+> For information about setting up remote write for a Kubernetes cluster running in a different cloud or on-premises, see [Send Prometheus data to Azure Monitor by using Microsoft Entra authentication](prometheus-remote-write-active-directory.md).

+The prerequisites that are described in [Azure Monitor managed service for Prometheus remote write](prometheus-remote-write.md#prerequisites) apply to the processes that are described in this article.

+## Set up an application for managed identity

+The process to set up Prometheus remote write for an application by using managed identity authentication involves completing the following tasks:

+1. Get the name of the AKS node resource group.

+1. Get the client ID of the user-assigned managed identity.

+1. Assign the Monitoring Metrics Publisher role on the workspace data collection rule to the managed identity.

+1. Give the AKS cluster access to the managed identity.

+1. Deploy a sidecar container to set up remote write.

+The tasks are described in the following sections.

+### Get the name of the AKS node resource group

+The node resource group of the AKS cluster contains resources that you use in other steps in this process. This resource group has the name `MC_<AKS-RESOURCE-GROUP>_<AKS-CLUSTER-NAME>_<REGION>`. You can find the resource group name by using the **Resource groups** menu in the Azure portal.

+### Get the client ID of the user-assigned managed identity

+You must get the client ID of the identity that you're going to use. Copy the client ID to use later in the process.

+Instead of creating your own client ID, you can use one of the identities that are created by AKS. To learn more about the identities, see [Use a managed identity in Azure Kubernetes Service](../../aks/use-managed-identity.md).

+This article uses the kubelet identity. The name of this identity is `<AKS-CLUSTER-NAME>-agentpool`, and it's in the node resource group of the AKS cluster.

+Select the `<AKS-CLUSTER-NAME>-agentpool` managed identity. On the **Overview** page, copy the value for **Client ID**. For more information, see [Manage user-assigned managed identities](../../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md).

+### Assign the Monitoring Metrics Publisher role on the workspace data collection rule to the managed identity

+The managed identity must be assigned the Monitoring Metrics Publisher role on the data collection rule that is associated with your Azure Monitor workspace.

+1. On the resource menu for your Azure Monitor workspace, select **Overview**. For **Data collection rule**, select the link.

+ :::image type="content" source="media/prometheus-remote-write-managed-identity/azure-monitor-account-data-collection-rule.png" alt-text="Screenshot that shows the data collection rule that's associated with an Azure Monitor workspace." lightbox="media/prometheus-remote-write-managed-identity/azure-monitor-account-data-collection-rule.png":::

+1. On the resource menu for the data collection rule, select **Access control (IAM)**.

+1. Select **Add**, and then select **Add role assignment**.

+ :::image type="content" source="media/prometheus-remote-write-managed-identity/data-collection-rule-add-role-assignment.png" alt-text="Screenshot that shows adding a role assignment on Access control pages." lightbox="media/prometheus-remote-write-managed-identity/data-collection-rule-add-role-assignment.png":::

+1. Select the **Monitoring Metrics Publisher** role, and then select **Next**.

+ :::image type="content" source="media/prometheus-remote-write-managed-identity/add-role-assignment.png" alt-text="Screenshot that shows a list of role assignments." lightbox="media/prometheus-remote-write-managed-identity/add-role-assignment.png":::

+1. Select **Managed Identity**, and then choose **Select members**. Select the subscription that contains the user-assigned identity, and then select **User-assigned managed identity**. Select the user-assigned identity that you want to use, and then choose **Select**.

+ :::image type="content" source="media/prometheus-remote-write-managed-identity/select-managed-identity.png" alt-text="Screenshot that shows selecting a user-assigned managed identity." lightbox="media/prometheus-remote-write-managed-identity/select-managed-identity.png":::

+1. To complete the role assignment, select **Review + assign**.

+### Give the AKS cluster access to the managed identity

+This step isn't required if you're using an AKS identity. An AKS identity already has access to the cluster.

+> To complete the steps in this section, you must have owner or user access administrator permissions for the cluster.

+1. Identify the virtual machine scale sets in the [node resource group](#get-the-name-of-the-aks-node-resource-group) for your AKS cluster.

+ :::image type="content" source="media/prometheus-remote-write-managed-identity/resource-group-details-virtual-machine-scale-sets.png" alt-text="Screenshot that shows virtual machine scale sets in the node resource group." lightbox="media/prometheus-remote-write-managed-identity/resource-group-details-virtual-machine-scale-sets.png":::

+2. For each virtual machine scale set, run the following command in the Azure CLI:

+### Deploy a sidecar container to set up remote write

+1. Copy the following YAML and save it to a file. The YAML uses port 8081 as the listening port. If you use a different port, modify the port in the YAML.

+1. Replace the following values in the YAML:

+ | `<AKS-CLUSTER-NAME>` | The name of your AKS cluster. |

+ | `<INGESTION-URL>` | The value for **Metrics ingestion endpoint** from the **Overview** page for the Azure Monitor workspace. |

+ | `<MANAGED-IDENTITY-CLIENT-ID>` | The value for **Client ID** from the **Overview** page for the managed identity. |

+ | `<CLUSTER-NAME>` | Name of the cluster that Prometheus is running on. |

+ > [!IMPORTANT]

+ > For Azure Government cloud, add the following environment variables in the `env` section of the YAML file:

+ >

+ > `- name: INGESTION_AAD_AUDIENCE value: https://monitor.azure.us/`

+1. Open Azure Cloud Shell and upload the YAML file.

+1. Use Helm to apply the YAML file and update your Prometheus configuration:

+ # use Helm to update your remote write config

+For verification and troubleshooting information, see [Azure Monitor managed service for Prometheus remote write](prometheus-remote-write.md#verify-remote-write-is-working-correctly).

+## Related content

+- [Remote write in Azure Monitor managed service for Prometheus](prometheus-remote-write.md)

+- [Send Prometheus data to Azure Monitor by using Microsoft Entra authentication](./prometheus-remote-write-active-directory.md)

+- [Send Prometheus data to Azure Monitor by using Microsoft Entra Workload ID (preview) authentication](./prometheus-remote-write-azure-workload-identity.md)

+- [Send Prometheus data to Azure Monitor by using Microsoft Entra pod-managed identity (preview) authentication](./prometheus-remote-write-azure-ad-pod-identity.md)

+## View data allocation benefits

+Since the usage export has both the number of units of usage and their cost, you can use this export to see the amount of benefits you are receiving from various offers such as the [Defender for Servers data allowance](logs/cost-logs.md#workspaces-with-microsoft-defender-for-cloud) and the [Microsoft Sentinel benefit for Microsoft 365 E5, A5, F5, and G5 customers](https://azure.microsoft.com/offers/sentinel-microsoft-365-offer/). In the usage export, to see the benefits, filter the *Instance ID* column to your workspace. (To select all of your workspaces in the spreadsheet, filter the *Instance ID* column to "contains /workspaces/".) Then filter on the Meter to either of the following two meters:

+- **Standard Data Included per Node**: this meter is under the service "Insight and Analytics" and tracks the benefits received when a workspace in either in Log Analytics [Per Node tier](logs/cost-logs.md#per-node-pricing-tier) data allowance and/or has [Defender for Servers](logs/cost-logs.md#workspaces-with-microsoft-defender-for-cloud) enabled. Each of these provide a 500 MB/server/day data allowance.

+You can also see these data benefits in the Log Analytics Usage and estimated costs page. If the workspace is receiving these benefits, there will be a sentence below the cost estimate table that gives the data volume of the benefits used over the last 31 days.

+ Title: IP addresses used by Azure Monitor | Microsoft Docs

+description: This article discusses server firewall exceptions that are required by Azure Monitor

+ms.servce: azure-monitor

+# IP addresses used by Azure Monitor

+[Azure Monitor](.\overview.md) uses several IP addresses. Azure Monitor is made up of core platform metrics and logs in addition to Log Analytics and Application Insights. You might need to know IP addresses if the app or infrastructure that you're monitoring is hosted behind a firewall.

+> [!NOTE]

+> Although these addresses are static, it's possible that we'll need to change them from time to time. All Application Insights traffic represents outbound traffic with the exception of availability monitoring and webhook action groups, which also require inbound firewall rules.

+You can use Azure [network service tags](../virtual-network/service-tags-overview.md) to manage access if you're using Azure network security groups. If you're managing access for hybrid/on-premises resources, you can download the equivalent IP address lists as [JSON files](../virtual-network/service-tags-overview.md#discover-service-tags-by-using-downloadable-json-files), which are updated each week. To cover all the exceptions in this article, use the service tags `ActionGroup`, `ApplicationInsightsAvailability`, and `AzureMonitor`.

+## Outgoing ports

+You need to open some outgoing ports in your server's firewall to allow the Application Insights SDK or Application Insights Agent to send data to the portal.

+> [!NOTE]

+> These addresses are listed by using Classless Interdomain Routing notation. As an example, an entry like `51.144.56.112/28` is equivalent to 16 IPs that start at `51.144.56.112` and end at `51.144.56.127`.

+| Purpose | URL | Type | IP | Ports |

+| | | | | |

+| Telemetry | dc.applicationinsights.azure.com<br/>dc.applicationinsights.microsoft.com<br/>dc.services.visualstudio.com<br/>\*.in.applicationinsights.azure.com<br/><br/> |Global<br/>Global<br/>Global<br/>Regional<br/>|| 443 |

+| Live Metrics | live.applicationinsights.azure.com<br/>rt.applicationinsights.microsoft.com<br/>rt.services.visualstudio.com<br/><br/>{region}.livediagnostics.monitor.azure.com<br/><br/>*Example for {region}: westus2<br/>Find all supported regions in [this table](#addresses-grouped-by-region-azure-public-cloud).*|Global<br/>Global<br/>Global<br/><br/>Regional<br/>|20.49.111.32/29<br/>13.73.253.112/29| 443 |

+> [!NOTE]

+> Application Insights ingestion endpoints are IPv4 only.

+> [!IMPORTANT]

+> For Live Metrics, it is *required* to add the list of [IPs for the respective region](#addresses-grouped-by-region-azure-public-cloud) aside from global IPs.

+## Application Insights Agent

+Application Insights Agent configuration is needed only when you're making changes.

+| Purpose | URL | Ports |

+| | | |

+| Configuration |`management.core.windows.net` |`443` |

+| Configuration |`management.azure.com` |`443` |

+| Configuration |`login.windows.net` |`443` |

+| Configuration |`login.microsoftonline.com` |`443` |

+| Configuration |`secure.aadcdn.microsoftonline-p.com` |`443` |

+| Configuration |`auth.gfx.ms` |`443` |

+| Configuration |`login.live.com` |`443` |

+| Installation | `globalcdn.nuget.org`, `packages.nuget.org` ,`api.nuget.org/v3/index.json` `nuget.org`, `api.nuget.org`, `dc.services.vsallin.net` |`443` |

+## Availability tests

+This is the list of addresses from which [availability web tests](./app/availability-overview.md) are run. If you want to run web tests on your app but your web server is restricted to serving specific clients, you'll have to permit incoming traffic from our availability test servers.

+> [!NOTE]

+> For resources located inside private virtual networks that can't allow direct inbound communication with the availability test agents in public Azure, the only option is to [create and host your own custom availability tests](app/availability-azure-functions.md#review-trackavailability-test-results).

+### Service tag

+If you're using Azure network security groups, add an *inbound port rule* to allow traffic from Application Insights availability tests. Select **Service Tag** as the **Source** and **ApplicationInsightsAvailability** as the **Source service tag**.

+>[!div class="mx-imgBorder"]

+>:::image type="content" source="./app/media/ip-addresses/add-inbound-security-rule.png" lightbox="./app/media/ip-addresses/add-inbound-security-rule.png" alt-text="Screenshot that shows selecting Inbound security rules and then selecting Add.":::

+>[!div class="mx-imgBorder"]

+>:::image type="content" source="./app/media/ip-addresses/add-inbound-security-rule2.png" lightbox="./app/media/ip-addresses/add-inbound-security-rule2.png" alt-text="Screenshot that shows the Add inbound security rule tab.":::

+Open port 80 (HTTP) and port 443 (HTTPS) for incoming traffic from these addresses. IP addresses are grouped by location.

+### IP addresses

+If you're looking for the actual IP addresses so that you can add them to the list of allowed IPs in your firewall, download the JSON file that describes Azure IP ranges. These files contain the most up-to-date information. After you download the appropriate file, open it by using your favorite text editor. Search for **ApplicationInsightsAvailability** to go straight to the section of the file that describes the service tag for availability tests.

+For Azure public cloud, you need to allow both the global IP ranges and the ones specific for the region of your Application Insights resource which receives live data. You can find the global IP ranges in the [Outgoing ports](#outgoing-ports) table at the top of this document, and the regional IP ranges in the [Addresses grouped by region](#addresses-grouped-by-region-azure-public-cloud) table below.

+#### Azure public cloud

+Download [public cloud IP addresses](https://www.microsoft.com/download/details.aspx?id=56519).

+#### Azure US Government cloud

+Download [US Government cloud IP addresses](https://www.microsoft.com/download/details.aspx?id=57063).

+#### Microsoft Azure operated by 21Vianet cloud

+Download [China cloud IP addresses](https://www.microsoft.com/download/details.aspx?id=57062).

+#### Addresses grouped by region (Azure public cloud)

+Add the subdomain of the corresponding region to the Live Metrics URL from the [Outgoing ports](#outgoing-ports) table.

+> [!NOTE]

+> As described in the [Azure TLS 1.2 migration announcement](https://azure.microsoft.com/updates/azuretls12/), Application Insights connection-string based regional telemetry endpoints only support TLS 1.2. Global telemetry endpoints continue to support TLS 1.0 and TLS 1.1.

+>

+> If you're using an older version of TLS, Application Insights will not ingest any telemetry. For applications based on .NET Framework see [Transport Layer Security (TLS) best practices with the .NET Framework](/dotnet/framework/network-programming/tls) to support the newer TLS version.

+| Continent/Country | Region | Subdomain | IP |

+| | | | |

+|Asia|East Asia|eastasia|52.229.216.48/28<br/>20.189.111.16/29|

+||Southeast Asia|southeastasia|52.139.250.96/28<br/>23.98.106.152/29|

+|Australia|Australia Central|australiacentral|20.37.227.104/29<br/><br/>|

+||Australia Central 2|australiacentral2|20.53.60.224/31<br/><br/>|

+||Australia East|australiaeast|20.40.124.176/28<br/>20.37.198.232/29|

+||Australia Southeast|australiasoutheast|20.42.230.224/29<br/><br/>|

+|Brazil|Brazil South|brazilsouth|191.233.26.176/28<br/>191.234.137.40/29|

+||Brazil Southeast|brazilsoutheast|20.206.0.196/31<br/><br/>|

+|Canada|Canada Central|canadacentral|52.228.86.152/29<br/><br/>|

+|Europe|North Europe|northeurope|52.158.28.64/28<br/>20.50.68.128/29|

+||West Europe|westeurope|51.144.56.96/28<br/>40.113.178.32/29|

+|France|France Central|francecentral|20.40.129.32/28<br/>20.43.44.216/29|

+||France South|francesouth|20.40.129.96/28<br/>52.136.191.12/31|

+|Germany|Germany West Central|germanywestcentral|20.52.95.50/31<br/><br/>|

+|India|Central India|centralindia|52.140.108.216/29<br/><br/>|

+||South India|southindia|20.192.153.106/31<br/><br/>|

+|Japan|Japan East|japaneast|52.140.232.160/28<br/>20.43.70.224/29|

+||Japan West|japanwest|20.189.194.102/31<br/><br/>|

+|Korea|Korea Central|koreacentral|20.41.69.24/29<br/><br/>|

+|Norway|Norway East|norwayeast|51.120.235.248/29<br/><br/>|

+||Norway West|norwaywest|51.13.143.48/31<br/><br/>|

+|Qatar|Qatar Central|qatarcentral|20.21.39.224/29<br/><br/>|

+|South Africa|South Africa North|southafricanorth|102.133.219.136/29<br/><br/>|

+|Switzerland|Switzerland North|switzerlandnorth|51.107.52.200/29<br/><br/>|

+||Switzerland West|switzerlandwest|51.107.148.8/29<br/><br/>|

+|United Arab Emirates|UAE North|uaenorth|20.38.143.44/31<br/>40.120.87.204/31|

+|United Kingdom|UK South|uksouth|51.105.9.128/28<br/>51.104.30.160/29|

+||UK West|ukwest|20.40.104.96/28<br/>51.137.164.200/29|

+|United States|Central US|centralus|13.86.97.224/28<br/>20.40.206.232/29|

+||East US|eastus|20.42.35.32/28<br/>20.49.111.32/29|

+||East US 2|eastus2|20.49.102.24/29<br/><br/>|

+||North Central US|northcentralus|23.100.224.16/28<br/>20.49.114.40/29|

+||South Central US|southcentralus|20.45.5.160/28<br/>13.73.253.112/29|

+||West US|westus|40.91.82.48/28<br/>52.250.228.8/29|

+||West US 2|westus2|40.64.134.128/29<br/><br/>|

+||West US 3|westus3|20.150.241.64/29<br/><br/>|

+#### Upcoming regions (Azure public cloud)

+> [!NOTE]

+> The following regions are not supported yet, but will be added in the near future.

+| Continent/Country | Region | Subdomain | IP |

+| | | | |

+|Canada|Canada East|TBD|52.242.40.208/31<br/><br/>|

+|Germany|Germany North|TBD|51.116.75.92/31<br/><br/>|

+|India|West India|TBD|20.192.84.164/31<br/><br/>|

+||Jio India Central|TBD|20.192.50.200/29<br/><br/>|

+||Jio India West|TBD|20.193.194.32/29<br/><br/>|

+|Israel|Israel Central|TBD|20.217.44.250/31<br/><br/>|

+|Poland|Poland Central|TBD|20.215.4.250/31<br/><br/>|

+|South Africa|South Africa West|TBD|102.37.86.196/31<br/><br/>|

+|Sweden|Sweden Central|TBD|51.12.25.192/29<br/><br/>|

+||Sweden South|TBD|51.12.17.128/29<br/><br/>|

+|Taiwan|Taiwan North|TBD|51.53.28.214/31<br/><br/>|

+||Taiwan Northwest|TBD|51.53.172.214/31<br/><br/>|

+|United Arab Emirates|UAE Central|TBD|20.45.95.68/31<br/><br/>|

+|United States|West Central US|TBD|52.150.154.24/29<br/><br/>|

+### Discovery API

+You might also want to [programmatically retrieve](../virtual-network/service-tags-overview.md#use-the-service-tag-discovery-api) the current list of service tags together with IP address range details.

+## Application Insights and Log Analytics APIs

+| Purpose | URI | IP | Ports |

+| | | | |

+| API |`api.applicationinsights.io`<br/>`api1.applicationinsights.io`<br/>`api2.applicationinsights.io`<br/>`api3.applicationinsights.io`<br/>`api4.applicationinsights.io`<br/>`api5.applicationinsights.io`<br/>`dev.applicationinsights.io`<br/>`dev.applicationinsights.microsoft.com`<br/>`dev.aisvc.visualstudio.com`<br/>`www.applicationinsights.io`<br/>`www.applicationinsights.microsoft.com`<br/>`www.aisvc.visualstudio.com`<br/>`api.loganalytics.io`<br/>`*.api.loganalytics.io`<br/>`dev.loganalytics.io`<br>`docs.loganalytics.io`<br/>`www.loganalytics.io` |20.37.52.188 <br/> 20.37.53.231 <br/> 20.36.47.130 <br/> 20.40.124.0 <br/> 20.43.99.158 <br/> 20.43.98.234 <br/> 13.70.127.61 <br/> 40.81.58.225 <br/> 20.40.160.120 <br/> 23.101.225.155 <br/> 52.139.8.32 <br/> 13.88.230.43 <br/> 52.230.224.237 <br/> 52.242.230.209 <br/> 52.173.249.138 <br/> 52.229.218.221 <br/> 52.229.225.6 <br/> 23.100.94.221 <br/> 52.188.179.229 <br/> 52.226.151.250 <br/> 52.150.36.187 <br/> 40.121.135.131 <br/> 20.44.73.196 <br/> 20.41.49.208 <br/> 40.70.23.205 <br/> 20.40.137.91 <br/> 20.40.140.212 <br/> 40.89.189.61 <br/> 52.155.118.97 <br/> 52.156.40.142 <br/> 23.102.66.132 <br/> 52.231.111.52 <br/> 52.231.108.46 <br/> 52.231.64.72 <br/> 52.162.87.50 <br/> 23.100.228.32 <br/> 40.127.144.141 <br/> 52.155.162.238 <br/> 137.116.226.81 <br/> 52.185.215.171 <br/> 40.119.4.128 <br/> 52.171.56.178 <br/> 20.43.152.45 <br/> 20.44.192.217 <br/> 13.67.77.233 <br/> 51.104.255.249 <br/> 51.104.252.13 <br/> 51.143.165.22 <br/> 13.78.151.158 <br/> 51.105.248.23 <br/> 40.74.36.208 <br/> 40.74.59.40 <br/> 13.93.233.49 <br/> 52.247.202.90 |80,443 |

+| Azure Pipeline annotations extension | aigs1.aisvc.visualstudio.com |dynamic|443 |

+## Application Insights analytics

+| Purpose | URI | IP | Ports |

+| | | | |

+| Analytics portal | analytics.applicationinsights.io | dynamic | 80,443 |

+| CDN | applicationanalytics.azureedge.net | dynamic | 80,443 |

+| Media CDN | applicationanalyticsmedia.azureedge.net | dynamic | 80,443 |

+The *.applicationinsights.io domain is owned by the Application Insights team.

+## Log Analytics portal

+| Purpose | URI | IP | Ports |

+| | | | |

+| Portal | portal.loganalytics.io | dynamic | 80,443 |

+| CDN | applicationanalytics.azureedge.net | dynamic | 80,443 |

+The *.loganalytics.io domain is owned by the Log Analytics team.

+## Application Insights Azure portal extension

+| Purpose | URI | IP | Ports |

+| | | | |

+| Application Insights extension | stamp2.app.insightsportal.visualstudio.com | dynamic | 80,443 |

+| Application Insights extension CDN | insightsportal-prod2-cdn.aisvc.visualstudio.com<br/>insightsportal-prod2-asiae-cdn.aisvc.visualstudio.com<br/>insightsportal-cdn-aimon.applicationinsights.io | dynamic | 80,443 |

+## Application Insights SDKs

+| Purpose | URI | IP | Ports |

+| | | | |

+| Application Insights JS SDK CDN | az416426.vo.msecnd.net<br/>js.monitor.azure.com | dynamic | 80,443 |

+## Action group webhooks

+You can query the list of IP addresses used by action groups by using the [Get-AzNetworkServiceTag PowerShell command](/powershell/module/az.network/Get-AzNetworkServiceTag).

+### Action group service tag

+Managing changes to source IP addresses can be time consuming. Using *service tags* eliminates the need to update your configuration. A service tag represents a group of IP address prefixes from a specific Azure service. Microsoft manages the IP addresses and automatically updates the service tag as addresses change, which eliminates the need to update network security rules for an action group.

+1. In the Azure portal under **Azure Services**, search for **Network Security Group**.

+1. Select **Add** and create a network security group:

+ 1. Add the resource group name, and then enter **Instance details** information.

+ 1. Select **Review + Create**, and then select **Create**.

+

+ :::image type="content" source="alerts/media/action-groups/action-group-create-security-group.png" alt-text="Screenshot that shows how to create a network security group."border="true":::

+1. Go to **Resource Group**, and then select the network security group you created:

+ 1. Select **Inbound security rules**.

+ 1. Select **Add**.

+

+ :::image type="content" source="alerts/media/action-groups/action-group-add-service-tag.png" alt-text="Screenshot that shows how to add inbound security rules." border="true":::

+1. A new window opens in the right pane:

+ 1. Under **Source**, enter **Service Tag**.

+ 1. Under **Source service tag**, enter **ActionGroup**.

+ 1. Select **Add**.

+

+ :::image type="content" source="alerts/media/action-groups/action-group-service-tag.png" alt-text="Screenshot that shows how to add a service tag." border="true":::

+## Profiler

+| Purpose | URI | IP | Ports |

+| | | | |

+| Agent | agent.azureserviceprofiler.net<br/>*.agent.azureserviceprofiler.net | 20.190.60.38<br/>20.190.60.32<br/>52.173.196.230<br/>52.173.196.209<br/>23.102.44.211<br/>23.102.45.216<br/>13.69.51.218<br/>13.69.51.175<br/>138.91.32.98<br/>138.91.37.93<br/>40.121.61.208<br/>40.121.57.2<br/>51.140.60.235<br/>51.140.180.52<br/>52.138.31.112<br/>52.138.31.127<br/>104.211.90.234<br/>104.211.91.254<br/>13.70.124.27<br/>13.75.195.15<br/>52.185.132.101<br/>52.185.132.170<br/>20.188.36.28<br/>40.89.153.171<br/>52.141.22.239<br/>52.141.22.149<br/>102.133.162.233<br/>102.133.161.73<br/>191.232.214.6<br/>191.232.213.239 | 443

+| Portal | gateway.azureserviceprofiler.net | dynamic | 443

+| Storage | *.core.windows.net | dynamic | 443

+## Snapshot Debugger

+> [!NOTE]

+> Profiler and Snapshot Debugger share the same set of IP addresses.

+| Purpose | URI | IP | Ports |

+| | | | |

+| Agent | agent.azureserviceprofiler.net<br/>*.agent.azureserviceprofiler.net | 20.190.60.38<br/>20.190.60.32<br/>52.173.196.230<br/>52.173.196.209<br/>23.102.44.211<br/>23.102.45.216<br/>13.69.51.218<br/>13.69.51.175<br/>138.91.32.98<br/>138.91.37.93<br/>40.121.61.208<br/>40.121.57.2<br/>51.140.60.235<br/>51.140.180.52<br/>52.138.31.112<br/>52.138.31.127<br/>104.211.90.234<br/>104.211.91.254<br/>13.70.124.27<br/>13.75.195.15<br/>52.185.132.101<br/>52.185.132.170<br/>20.188.36.28<br/>40.89.153.171<br/>52.141.22.239<br/>52.141.22.149<br/>102.133.162.233<br/>102.133.161.73<br/>191.232.214.6<br/>191.232.213.239 | 443

+| Portal | gateway.azureserviceprofiler.net | dynamic | 443

+| Storage | *.core.windows.net | dynamic | 443

+## Frequently asked questions

+This section provides answers to common questions.

+### Can I monitor an intranet web server?

+Yes, but you need to allow traffic to our services by either firewall exceptions or proxy redirects:

+- QuickPulse `https://rt.services.visualstudio.com:443`

+- ApplicationIdProvider `https://dc.services.visualstudio.com:443`

+- TelemetryChannel `https://dc.services.visualstudio.com:443`

+

+See [IP addresses used by Azure Monitor](./ip-addresses.md) to review our full list of services and IP addresses.

+

+### How do I reroute traffic from my server to a gateway on my intranet?

+

+Route traffic from your server to a gateway on your intranet by overwriting endpoints in your configuration. If the `Endpoint` properties aren't present in your config, these classes use the default values shown in the following ApplicationInsights.config example.

+

+Your gateway should route traffic to our endpoint's base address. In your configuration, replace the default values with `http://<your.gateway.address>/<relative path>`.

+

+#### Example ApplicationInsights.config with default endpoints:

+

+```xml

+<ApplicationInsights>

+...

+<TelemetryModules>

+ <Add Type="Microsoft.ApplicationInsights.Extensibility.PerfCounterCollector.QuickPulse.QuickPulseTelemetryModule, Microsoft.AI.PerfCounterCollector">

+ <QuickPulseServiceEndpoint>https://rt.services.visualstudio.com/QuickPulseService.svc</QuickPulseServiceEndpoint>

+ </Add>

+</TelemetryModules>

+ ...

+<TelemetryChannel>

+ <EndpointAddress>https://dc.services.visualstudio.com/v2/track</EndpointAddress>

+</TelemetryChannel>

+...

+<ApplicationIdProvider Type="Microsoft.ApplicationInsights.Extensibility.Implementation.ApplicationId.ApplicationInsightsApplicationIdProvider, Microsoft.ApplicationInsights">

+ <ProfileQueryEndpoint>https://dc.services.visualstudio.com/api/profiles/{0}/appId</ProfileQueryEndpoint>

+</ApplicationIdProvider>

+...

+</ApplicationInsights>

+```

+> [!NOTE]

+> `ApplicationIdProvider` is available starting in v2.6.0.

+ | Central US | North Europe | Israel Central | | Japan East |

+ | | Poland Central | | | |

+ | | Italy North | | | |

+Log Analytics Dedicated Clusters [pricing model](./logs-dedicated-clusters.md#cluster-pricing-model) requires commitment Tier starting at 100 GB per day.

+> If you are using connection strings to send data to Application Insights using [regional ingestion endpoints](../ip-addresses.md#outgoing-ports), then the Application Insights and Log Analytics daily cap settings are effective per region. If you are using only instrumentation key (ikey) to send data to Application Insights using the [global ingestion endpoint](../ip-addresses.md#outgoing-ports), then the Application Insights daily cap setting may not be effective across regions, but the Log Analytics daily cap setting will still apply.

+- Dedicated clusters require a minimum ingestion commitment of 100 GB per day.

+If you can commit to daily ingestion of at least 100 GB per day, you should implement a [dedicated cluster](../logs/cost-logs.md#dedicated-clusters) that provides extra functionality and performance. Dedicated clusters also allow you to combine the data from multiple workspaces in the cluster to reach the level of a commitment tier.

+- **If you'll ingest at least 100 GB per day across all resources:** Create a dedicated cluster and set the appropriate commitment tier.

+ Title: Troubleshoot data recovery from Microsoft Azure Backup Server by using Azure Backup

+description: Learn how to troubleshoot data recovery from Microsoft Azure Backup Server.

+# Troubleshoot data recovery from Microsoft Azure Backup Server

+This article provides troubleshooting steps that help you resolve error massages caused during data recovery from Microsoft Azure Backup Server.

+## Troubleshoot error messages

+| Error Message | Cause | Resolution |

+|: |: |: |

+|This server is not registered to the vault specified by the vault credential. | This error appears when the vault credential file selected doesn't belong to the Recovery Services vault associated with Azure Backup Server on which the recovery is attempted. | Download the vault credential file from the Recovery Services vault to which the Azure Backup Server is registered. |

+|Either the recoverable data isn't available or the selected server isn't a DPM server. | There are no other Azure Backup Servers registered to the Recovery Services vault, or the servers haven't yet uploaded the metadata, or the selected server isn't an Azure Backup Server (using Windows Server or Windows Client). | If there are other Azure Backup Servers registered to the Recovery Services vault, ensure that the latest Azure Backup agent is installed. <br>If there are other Azure Backup Servers registered to the Recovery Services vault, wait for a day after installation to start the recovery process. The nightly job will upload the metadata for all the protected backups to cloud. The data will be available for recovery. |

+|No other DPM server is registered to this vault. | There are no other Azure Backup Servers that are registered to the vault from which the recovery is being attempted. | If there are other Azure Backup Servers registered to the Recovery Services vault, ensure that the latest Azure Backup agent is installed.<br>If there are other Azure Backup Servers registered to the Recovery Services vault, wait for a day after installation to start the recovery process. The nightly job uploads the metadata for all protected backups to cloud. The data will be available for recovery. |

+|The encryption passphrase provided does not match with passphrase associated with the following server: **\<server name>** | The encryption passphrase used in the process of encrypting the data from the Azure Backup ServerΓÇÖs data that's being recovered doesn't match the encryption passphrase provided. The agent is unable to decrypt the data, and so the recovery fails. | Provide the exact same encryption passphrase associated with the Azure Backup Server whose data is being recovered. |

+## Next steps

+- [Common questions](backup-azure-vm-backup-faq.yml) about Azure VM backups.

+- [Common questions](backup-azure-file-folder-backup-faq.yml) about the Azure Backup agent.

+- [Recover data from Azure Backup Server](backup-azure-alternate-dpm-server.md).

+ Title: Recover data from an Azure Backup Server by using Azure Backup

+- [Common questions](backup-azure-vm-backup-faq.yml) about Azure VM backups.

+- [Common questions](backup-azure-file-folder-backup-faq.yml) about the Azure Backup agent.

+- [Troubleshoot error messages](backup-azure-alternate-dpm-server-troubleshoot.md) caused during data recovery from Microsoft Azure Backup Server.

+## Offline-seeding flow

+The Azure Backup offline-seeding process is tightly integrated with the [Azure Import/Export service](../import-export/storage-import-export-service.md). You can use this service to transfer initial backup data to Azure by using disks. If you have terabytes (TBs) of initial backup data that need to be transferred over a high-latency and low-bandwidth network, you can use the offline-seeding workflow to ship the initial backup copy, on one or more hard drives to an Azure datacenter.

+To perform the offline backup:

+The following diagram provides an overview of the offline-seeding flow:

+ :::image type="content" source="./media/backup-azure-backup-import-export/offlinebackupworkflowoverview.png" alt-text="Diagram shows the overview of offline import workflow process.":::

+## Backup flow for SQL Server database

+ * Prefer secondary - Backups should occur on a secondary replica except when the primary replica is the only replica online. If there are multiple secondary replicas available, then the node with the highest backup priority will be selected for backup. If only the primary replica is available, then the backup should occur on the primary replica.

+ >[!Note]

+ >- Backups can happen from any readable replica - that is, primary, synchronous secondary, asynchronous secondary.

+ >- If any replica is excluded from backup, for example **Exclude Replica** is enabled or is marked as not readable, then that replica won't be selected for backup under any of the options.

+ >- If multiple replicas are available and readable, then the node with the highest backup priority will be selected for backup.

+ >- If the backup fails on the selected node, then the backup operation fails.

+ >- Recovery to the original location isn't supported.

+Azure Import/Export now uses Azure Data Box APIs for offline seeding on customer-owned disks. The Azure portal also lists the Import/Export jobs created using the new API under [Azure Data Box jobs](../import-export/storage-import-export-view-drive-status.md?tabs=azure-portal-preview) with the Model column as Import/Export.

+The workload backup extension gets installed on the node when it's registered with the Azure Backup service. When an AG database is configured for backup, the backup schedules are pushed to all the registered nodes of the AG. The schedules fire on all the AG nodes and the workload backup extensions on these nodes synchronize between themselves to decide which node will perform the backup. The node selection depends on the backup type and the backup preference as explained in section 1.

+- Similarly, while VM4 could be registered to vault 4 in region 2, configuring backups would fail since the primary node isn't registered in vault 4.

+ - If the backup preference isn't secondary-only, backups can be configured now in Vault 4, because the primary node is registered in this vault. But this can lead to conflicts/backup failures. More about this in [Configure backups for a multi-region AG](#configure-backups-for-a-multi-region-ag).

+- Evaluate if you really need to enable backups from all nodes. If one region/subscription has most of the AG nodes and failover to other nodes happens very rarely, setting up the backup in that first region may be enough. If the failovers to other region/subscription happen frequently and for prolonged duration, then you may want to set up backups proactively in the other region as well.

+- Log backups will keep working in the previous vault till a log backup runs in the new vault (that's, in the vault where the new primary node is present) and _breaks_ the log chain for old vault.

+After this, the new node syncs the AG backup schedule information from the Azure Backup service and starts participating in the synchronized backup process. If the new node isn't able to sync the backup schedules and participate in backups, triggering a re-registration on the node forces reconfiguration of the node for AG backups as well. Similarly, node addition, the workload extensions detect the AG topology change in this case and inform the Azure Backup service. The service starts a node _un-configuration_ workflow in the removed node to clear the backup schedules for AG databases and delete the AG related metadata.

+Restore a database from Azure Backup to an AG SQL Availability Groups don't support directly restoring a database into AG. The database needs to be restored to a standalone SQL instance and then needs to be joined to an AG.

+## Availability group re-creation scenarios for the SQL database server

+Re-creation of Availability group (AG), duplicate AGs, and the backup items get listed as *protectable items* or *protected items* in the following scenarios:

+- Re-creating AGs that are already protected appear as duplicate AGs on the **Configure Backup** page and in the **Protected items** list. If you want to retain the backup data that is already present in the older AG, then stop the backup by using the **Stop protection and retain data** option before re-creating and scheduling backups on the new AG items.

+ By design, Azure Backup lists the duplicate items on the **Protected items list**, and the **Configure Backup** page or **Protectable item list** and displays these items until you want to retain the backup data.

+- If you don't want the backup data from the older AG, then stop the backup operation by using the **Stop protection and delete data** option for the older item before re-creating and scheduling backups on the new AG.

+ >[!Caution]

+ >Stop protection and delete data is a destructive operation.

+- You can recreate the AG after performing one of the above Stop protection process to avoid backup failures.

+ - If you're sending telemetry data to Application Insights, the IPs in [IP addresses used by Azure Monitor](../azure-monitor/ip-addresses.md) are also required.

+ Title: Teams calling interoperability

+description: Teams calling interoperability

+# Teams Interoperability: Calling

+As part of this preview, the Azure Communication Services SDKs can be used to build applications that enable bring your own identity (BYOI) users to start 1:1 calls with Teams users. [Standard Azure Communication Services pricing](https://azure.microsoft.com/pricing/details/communication-services/) applies to these users, but there's no extra fee for the interoperability capability. Custom applications built with Azure Communication Services to connect and communicate with Teams users or Teams voice applications can be used by end users or by bots, and there's no differentiation in how they appear to Teams users in Teams applications unless explicitly indicated by the developer of the application with a display name.

+To enable calling between your Communication Services users and Teams tenant, allow your tenant via the [form](https://forms.office.com/r/F3WLqPjw0D) and enable the connection between the tenant and Communication Services resource.

+To start a call with a Teams user or Teams Voice application, you need an identifier of the target. You have the following options to retrieve the ID:

+Interoperability between Azure Communication Services and Microsoft Teams enables your applications and users to participate in Teams calls and meetings. It is your responsibility to ensure that the users of your application are notified when recording or transcription are enabled in a Teams call or meeting.

+| Toll-Free |- | - | - | General Availability\* |

+| Local |- | - | General Availability | General Availability\* |

+### Compliance Recording

+Compliance recording is Teams policy based recording that could be enabled using this tutorial: [Introduction to Teams policy-based recording for callings](/microsoftteams/teams-recording-policy).<br>

+Policy based recording will be started automatically when user with this policy will join a call. To get notification from Azure Communication Service about recording - we can use Cloud Recording section from this article.

+```js

+const callRecordingApi = call.feature(Features.Recording);

+const isComplianceRecordingActive = callRecordingApi.isRecordingActive;

+const isComplianceRecordingActiveChangedHandler = () => {

+ console.log(callRecordingApi.isRecordingActive);

+};

+callRecordingApi.on('isRecordingActiveChanged', isComplianceRecordingActiveChangedHandler);

+```

+Compliance recording could be implemented by using custom recording bot [GitHub Example](https://github.com/microsoftgraph/microsoft-graph-comms-samples/tree/a3943bafd73ce0df780c0e1ac3428e3de13a101f/Samples/BetaSamples/LocalMediaSamples/ComplianceRecordingBot).<br>

+To hide this bot from participant roster we need to add specific metadata information, it will be used by Azure Communication SDK and Teams client:

+```json

+ "metadata": {"__platform":{"ui":{"hidden":true}

+```

+- Complete the Teams tenant setup in [Teams Call Queues](../../quickstarts/voice-video-calling/get-started-teams-call-queue.md)

+ Title: 'Tutorial: Proxy your Azure Communication Services calling traffic across your own servers'

+description: Learn how to have your media and signaling traffic proxied to servers that you can control.

+# Force calling traffic to be proxied across your own server

+In this tutorial, you learn how to proxy your Azure Communication Services calling traffic across your own servers.

+In certain situations, it might be useful to have all your client traffic proxied to a server that you can control. When the SDK is initializing, you can provide the details of your servers that you want the traffic to route to. Once enabled, all the media traffic (audio/video/screen sharing) travels through the provided TURN servers instead of the Azure Communication Services defaults.

+In this tutorial, you learn how to:

+> [!div class="checklist"]

+> * Set up a TURN server.

+> * Set up a signaling proxy server.

+## Prerequisites

+None

+You have several options available as you develop and deploy your apps to Azure Container Apps. As you evaluate your goals and the needs of your team, consider the following questions.

+- Are you new to containers?

+- Is your focus more on your application or your infrastructure?

+- Are you innovating rapidly or in a stable steady state with your application?

+Your answers to these questions affect your preferred development and deployment strategies. This article helps you select the most appropriate option for how you develop and deploy your applications to Azure Container Apps.

+Depending on your situation, you might want to deploy from a [code editor](#code-editor), through the [Azure portal](#azure-portal), with a hosted [code repository](#code-repository), or via [infrastructure as code](#infrastructure-as-code). However, if you're new to containers, you can [learn more](#new-to-containers) about how containers can help your development process.

+## New to containers

+You can simplify the development and deployment of your application by packaging your app into a "container". Containers allow you to wrap up your application and all its dependencies into a single unit that is portal and can be run easily on any container platform.

+If you're interested in deploying your application to Azure Container Apps, but don't want to define a container ahead of time, Container Apps can create a container. The Container Apps cloud build feature automatically identifies your application stack and uses [CNCF Buildpacks](https://buildpacks.io/) to generate a container image for you.

+Defining containers ahead of time often requires using Docker and publishing your container on a container registry. When you use the Container Apps cloud build, you don't have to worry about special container tooling or registries.

+If your application currently doesn't use a container, consider using the Container Apps cloud build to deploy your application.

+### Resources

+- [Build and deploy your app to Azure Container Apps](tutorial-code-to-cloud.md)

+- [Deploy an artifact file (JAR) to Azure Container Apps](deploy-artifact.md)

+If you spend most your time editing code and favor rapid iteration of your applications, then you might want to use [Visual Studio](https://visualstudio.microsoft.com/) or [Visual Studio Code](https://code.visualstudio.com/). These editors allow you to easily build Docker files a deploy your applications directly to Azure Container Apps.

+ - [Deploy your first container app using the command line](get-started.md)

+ Title: "Quickstart: Build and deploy your app from your local filesystem to Azure Container Apps"

+description: Build your container app from local source and deploy in Azure Container Apps using az containerapp up.

+zone_pivot_groups: container-apps-code-to-cloud-segmemts

+# Quickstart: Build and deploy from local source code to Azure Container Apps

+This article demonstrates how to build and deploy a microservice to Azure Container Apps from local source code using the programming language of your choice. In this quickstart, you create a backend web API service that returns a static collection of music albums.

+> This sample application is available in two versions. One version where the source contains a Dockerfile. The other version has no Dockerfile. Select the version that best reflects your source code. If you are new to containers, select the **No Dockerfile** option at the top.

+export RESOURCE_GROUP="album-containerapps"

+export LOCATION="canadacentral"

+export ENVIRONMENT="env-album-containerapps"

+export API_NAME="album-api"

+## Get the sample code

+Download and extract the API sample application in the language of your choice.

+# [C#](#tab/csharp)

+[Download the source code](https://codeload.github.com/azure-samples/containerapps-albumapi-csharp/zip/refs/heads/main) to your machine.

+Extract the download and change into the *containerapps-albumapi-csharp-main/src* folder.

+# [Java](#tab/java)

+[Download the source code](https://codeload.github.com/azure-samples/containerapps-albumapi-java/zip/refs/heads/main) to your machine.

+Extract the download and change into the *containerapps-albumapi-java-main/src* folder.

+# [JavaScript](#tab/javascript)

+[Download the source code](https://codeload.github.com/azure-samples/containerapps-albumapi-javascript/zip/refs/heads/main) to your machine.

+Extract the download and change into the *containerapps-albumapi-javascript-main/src* folder.

+# [Python](#tab/python)

+[Download the source code](https://codeload.github.com/azure-samples/containerapps-albumapi-python/zip/refs/heads/main) to your machine.

+Extract the download and change into the *containerapps-albumapi-python-main/src* folder.

+[Download the source code](https://codeload.github.com/azure-samples/containerapps-albumapi-go/zip/refs/heads/main) to your machine.

+Extract the download and navigate into the *containerapps-albumapi-go-main/src* folder.

+# [C#](#tab/csharp)

+[Download the source code](https://codeload.github.com/azure-samples/containerapps-albumapi-csharp/zip/refs/heads/buildpack) to your machine.

+Extract the download and change into the *containerapps-albumapi-csharp-buildpack/src* folder.

+# [Java](#tab/java)

+[Download the source code](https://codeload.github.com/azure-samples/containerapps-albumapi-java/zip/refs/heads/buildpack) to your machine.

+Extract the download and change into the *containerapps-albumapi-java-buildpack/src* folder.

+> [!NOTE]

+> The Java Builpack currently supports the [Maven tool](https://maven.apache.org/what-is-maven.html) to build your application.

+# [JavaScript](#tab/javascript)

+[Download the source code](https://codeload.github.com/azure-samples/containerapps-albumapi-javascript/zip/refs/heads/buildpack) to your machine.

+Extract the download and change into the *containerapps-albumapi-javascript-buildpack/src* folder.

+[Download the source code](https://codeload.github.com/azure-samples/containerapps-albumapi-python/zip/refs/heads/buildpack) to your machine.

+Extract the download and change into the *containerapps-albumapi-python-buildpack/src* folder.

+# [Go](#tab/go)

+Azure Container Apps cloud build doesn't currently support Buildpacks for Go.

+Build and deploy your first container app with the `containerapp up` command. This command will:

+- Create and deploy the container app using the built container image

+- Create the resource group

+- Create a default registry as part of your environment

+- Detect the language and runtime of your application and build the image using the appropriate Buildpack

+- Push the image into the Azure Container Apps default registry

+- Create the Container Apps environment with a Log Analytics workspace

+- Create and deploy the container app using the built container image

+The `up` command uses the Dockerfile in the root of the repository to build the container image. The `EXPOSE` instruction in the Dockerfile defined the target port, which is the port used to send ingress traffic to the container.

+If the `up` command doesn't find a Dockerfile, it automatically uses Buildpacks to turn your application source into a runnable container. Since the Buildpack is trying to run the build on your behalf, you need to tell the `up` command which port to send ingress traffic to.

+In the following code example, the `.` (dot) tells `containerapp up` to run in the `src` directory of the extracted sample API application.

+# [Bash](#tab/bash)

+```azurecli

+az containerapp up \

+ --name $API_NAME \

+ --resource-group $RESOURCE_GROUP \

+ --location $LOCATION \

+ --environment $ENVIRONMENT \

+ --source .

+```

+ --ingress external \

+ --target-port 8080 \

+ --source .

+ --source .

+```powershell

+az containerapp up `

+ --name $API_NAME `

+ --resource-group $RESOURCE_GROUP `

+ --location $LOCATION `

+ --environment $ENVIRONMENT `

+ --ingress external `

+ --target-port 8080 `

+ --source .

+```

+After completing this quickstart, you can continue to [Tutorial: Communication between microservices in Azure Container Apps](communicate-between-microservices.md) to learn how to deploy a front end application that calls the API.

+ Title: "Quickstart: Build and deploy from a repository to Azure Container Apps"

+description: Build your container app from a code repository and deploy in Azure Container Apps using az containerapp up.

+ - devx-track-azurecli

+ - ignite-2023

+zone_pivot_groups: container-apps-code-to-cloud-segmemts

+# Quickstart: Build and deploy from a repository to Azure Container Apps

+This article demonstrates how to build and deploy a microservice to Azure Container Apps from a GitHub repository using the programming language of your choice. In this quickstart, you create a sample microservice, which represents a backend web API service that returns a static collection of music albums.

+This sample application is available in two versions. One version includes a container, where the source contains a Dockerfile. The other version has no Dockerfile. Select the version that best reflects your source code. If you're new to containers, select the **No Dockerfile** option at the top.

+> [!NOTE]

+> You can also build and deploy this sample application from your local filesystem. For more information, see [Build from local source code and deploy your application in Azure Container Apps](quickstart-code-to-cloud.md).

+The following screenshot shows the output from the album API service you deploy.

+## Prerequisites

+To complete this project, you need the following items:

+| Requirement | Instructions |

+|--|--|

+| Azure account | If you don't have one, [create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). You need the *Contributor* or *Owner* permission on the Azure subscription to proceed. <br><br>Refer to [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md?tabs=current) for details. |

+| GitHub Account | Get one for [free](https://github.com/join). |

+| git | [Install git](https://git-scm.com/downloads) |

+| Azure CLI | Install the [Azure CLI](/cli/azure/install-azure-cli).|

+## Setup

+To sign in to Azure from the CLI, run the following command and follow the prompts to complete the authentication process.

+# [Bash](#tab/bash)

+```azurecli

+az login

+```

+# [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell

+az login

+```

+Ensure you're running the latest version of the CLI via the upgrade command.

+# [Bash](#tab/bash)

+```azurecli

+az upgrade

+```

+# [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell

+az upgrade

+```

+Next, install or update the Azure Container Apps extension for the CLI.

+# [Bash](#tab/bash)

+```azurecli

+az extension add --name containerapp --upgrade

+```

+# [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell

+az extension add --name containerapp --upgrade

+```

+Register the `Microsoft.App` and `Microsoft.OperationalInsights` namespaces in your Azure subscription.

+# [Bash](#tab/bash)

+```azurecli

+az provider register --namespace Microsoft.App

+```

+```azurecli

+az provider register --namespace Microsoft.OperationalInsights

+```

+# [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell

+az provider register --namespace Microsoft.App

+```

+```azurepowershell

+az provider register --namespace Microsoft.OperationalInsights

+```

+Now that your Azure CLI setup is complete, you can define the environment variables that are used throughout this article.

+# [Bash](#tab/bash)

+Define the following variables in your bash shell.

+```azurecli

+export RESOURCE_GROUP="album-containerapps"

+export LOCATION="canadacentral"

+export ENVIRONMENT="env-album-containerapps"

+export API_NAME="album-api"

+export GITHUB_USERNAME="<YOUR_GITHUB_USERNAME>"

+```

+Before you run this command, make sure to replace `<YOUR_GITHUB_USERNAME>` with your GitHub username.

+Next, define a container registry name unique to you.

+```azurecli

+export ACR_NAME="acaalbums"$GITHUB_USERNAME

+```

+# [Azure PowerShell](#tab/azure-powershell)

+Define the following variables in your PowerShell console.

+```powershell

+$RESOURCE_GROUP="album-containerapps"

+$LOCATION="canadacentral"

+$ENVIRONMENT="env-album-containerapps"

+$API_NAME="album-api"

+$GITHUB_USERNAME="<YOUR_GITHUB_USERNAME>"

+```

+Before you run this command, make sure to replace `<YOUR_GITHUB_USERNAME>` with your GitHub username.

+Next, define a container registry name unique to you.

+```powershell

+$ACR_NAME="acaalbums"+$GITHUB_USERNAME

+```

+## Prepare the GitHub repository

+In a browser window, go to the GitHub repository for your preferred language and fork the repository.

+# [C#](#tab/csharp)

+Select the **Fork** button at the top of the [album API repo](https://github.com/azure-samples/containerapps-albumapi-csharp) to fork the repo to your account. Then copy the repo URL to use it

+in the next step.

+# [Java](#tab/java)

+Select the **Fork** button at the top of the [album API repo](https://github.com/azure-samples/containerapps-albumapi-java) to fork the repo to your account. Then copy the repo URL to use it

+in the next step.

+# [JavaScript](#tab/javascript)

+Select the **Fork** button at the top of the [album API repo](https://github.com/azure-samples/containerapps-albumapi-javascript) to fork the repo to your account. Then copy the repo URL to use it

+in the next step.

+# [Python](#tab/python)

+Select the **Fork** button at the top of the [album API repo](https://github.com/azure-samples/containerapps-albumapi-python) to fork the repo to your account. Then copy the repo URL to use it

+in the next step.

+# [Go](#tab/go)

+Select the **Fork** button at the top of the [album API repo](https://github.com/azure-samples/containerapps-albumapi-go) to fork the repo to your account. Then copy the repo URL to use it

+in the next step.

+In a browser window, go to the GitHub repository for your preferred language and fork the repository **including branches**.

+# [C#](#tab/csharp)

+Select the **Fork** button at the top of the [album API repo](https://github.com/azure-samples/containerapps-albumapi-csharp) to fork the repo to your account. Uncheck "Copy the `main` branch only"

+to also fork the `buildpack` branch.

+# [Java](#tab/java)

+Select the **Fork** button at the top of the [album API repo](https://github.com/azure-samples/containerapps-albumapi-java) to fork the repo to your account. Uncheck "Copy the `main` branch only"

+to also fork the `buildpack` branch.

+# [JavaScript](#tab/javascript)

+Select the **Fork** button at the top of the [album API repo](https://github.com/azure-samples/containerapps-albumapi-javascript) to fork the repo to your account. Uncheck "Copy the `main` branch only"

+to also fork the `buildpack` branch.

+# [Python](#tab/python)

+Select the **Fork** button at the top of the [album API repo](https://github.com/azure-samples/containerapps-albumapi-python) to fork the repo to your account. Uncheck "Copy the `main` branch only"

+to also fork the `buildpack` branch.

+# [Go](#tab/go)

+Azure Container Apps cloud build doesn't currently support Buildpacks for Go.

+## Build and deploy the container app

+Build and deploy your first container app from your forked GitHub repository with the `containerapp up` command. This command will:

+- Create the resource group

+- Create the Container Apps environment with a Log Analytics workspace

+- Create an Azure Container Registry

+- Create a GitHub Action workflow to build and deploy the container app

+- Create the resource group

+- Create the Container Apps environment with a Log Analytics workspace

+- Automatically create a default registry as part of your environment

+- Create a GitHub Action workflow to build and deploy the container app

+When you push new code to the repository, the GitHub Action will:

+- Build the container image and push it to the Azure Container Registry

+- Deploy the container image to the created container app

+The `up` command uses the Dockerfile in the root of the repository to build the container image. The `EXPOSE` instruction in the Dockerfile defines the target port. A Docker file isn't required to build a container app.

+- Automatically detect the language and runtime

+- Build the image using the appropriate Buildpack

+- Push the image into the Azure Container Apps default registry

+The container app needs to be accessible to ingress traffic. Ensure to expose port 8080 to listen for incoming requests.

+In the following command, replace the `<YOUR_GITHUB_REPOSITORY_NAME>` with your GitHub repository name in the form of `https://github.com/<OWNER>/<REPOSITORY-NAME>` or `<OWNER>/<REPOSITORY-NAME>`.

+In the following command, replace the `<YOUR_GITHUB_REPOSITORY_NAME>` with your GitHub repository name in the form of `https://github.com/<OWNER>/<REPOSITORY-NAME>` or `<OWNER>/<REPOSITORY-NAME>`. Use the `--branch buildpack` option to point to the sample source without a Dockerfile.

+# [Bash](#tab/bash)

+```azurecli

+az containerapp up \

+ --name $API_NAME \

+ --resource-group $RESOURCE_GROUP \

+ --location $LOCATION \

+ --environment $ENVIRONMENT \

+ --context-path ./src \

+ --repo <YOUR_GITHUB_REPOSITORY_NAME>

+```

+```azurecli

+az containerapp up \

+ --name $API_NAME \

+ --resource-group $RESOURCE_GROUP \

+ --location $LOCATION \

+ --environment $ENVIRONMENT \

+ --context-path ./src \

+ --ingress external \

+ --target-port 8080 \

+ --repo <YOUR_GITHUB_REPOSITORY_NAME>

+ --branch buildpack

+ --

+```

+# [Azure PowerShell](#tab/azure-powershell)

+```powershell

+az containerapp up `

+ --name $API_NAME `

+ --resource-group $RESOURCE_GROUP `

+ --location $LOCATION `

+ --environment $ENVIRONMENT `

+ --context-path ./src `

+ --repo <YOUR_GITHUB_REPOSITORY_NAME>

+```

+```powershell

+az containerapp up `

+ --name $API_NAME `

+ --resource-group $RESOURCE_GROUP `

+ --location $LOCATION `

+ --environment $ENVIRONMENT `

+ --context-path ./src `

+ --ingress external `

+ --target-port 8080 `

+ --repo <YOUR_GITHUB_REPOSITORY_NAME>

+ --branch buildpack

+```

+Using the URL and the user code displayed in the terminal, go to the GitHub device activation page in a browser and enter the user code to the page. Follow the prompts to authorize the Azure CLI to access your GitHub repository.

+The `up` command creates a GitHub Action workflow in your repository's *.github/workflows* folder. The workflow is triggered to build and deploy your container app when you push changes to the repository.

+## Verify deployment

+Copy the domain name returned by the `containerapp up` to a web browser. From your web browser, go to the `/albums` endpoint of the URL.

+## Clean up resources

+If you're not going to continue on to the [Deploy a frontend](communicate-between-microservices.md) tutorial, you can remove the Azure resources created during this quickstart with the following command.

+>[!CAUTION]

+> The following command deletes the specified resource group and all resources contained within it. If the group contains resources outside the scope of this quickstart, they are also deleted.

+# [Bash](#tab/bash)

+```azurecli

+az group delete --name $RESOURCE_GROUP

+```

+# [Azure PowerShell](#tab/azure-powershell)

+```powershell

+az group delete --name $RESOURCE_GROUP

+```

+> [!TIP]

+> Having issues? Let us know on GitHub by opening an issue in the [Azure Container Apps repo](https://github.com/microsoft/azure-container-apps).

+## Next steps

+After completing this quickstart, you can continue to [Tutorial: Communication between microservices in Azure Container Apps](communicate-between-microservices.md) to learn how to deploy a front end application that calls the API.

+> [!div class="nextstepaction"]

+> [Tutorial: Communication between microservices](communicate-between-microservices.md)

+|--|--|--|--|--|

+| Cores | Subscription | 2000 | Yes | Maximum number of dedicated workload profile cores within one subscription |

+To enable Azure Files storage in your container, you need to set up your container as follows:

+* The Azure Files storage account used must be accessible from your container app's virtual network. For more information, see [Grant access from a virtual network](/azure/storage/common/storage-network-security#grant-access-from-a-virtual-network).

+ IMAGE=$REGISTRY/${REPO}:$TAG

+>[!NOTE]

+> After you enable **Exports (preview)** in Cost Management Labs, you might have to refresh your browser to see the new **Export** menu item in the Cost Management menu.

+#customer intent: As a developer, I want to be able to create an enviroment by using AZD so that I can create my coding environment.

+# [Visual Studio](#tab/visual-studio)

+In Visual Studio 2022 17.3 Preview 2 or later, you can enable integration with azd as a preview feature.

+To enable the azd feature, go to **Tools** > **Options** > **Environment** > **Preview Features** and select **Integration with azd, the Azure Developer CLI**.

+When the feature is enabled, you can use the Azure Developer CLI from your terminal of choice on Windows, Linux, or macOS.

+# [Visual Studio](#tab/visual-studio)

+Access your Azure resources by logging in. When you initiate a log in, a browser window opens and prompts you to log in to Azure. After you sign in, the terminal displays a message that you're signed in to Azure.

+To open the Developer Command prompt:

+1. From the Tools menu, select **Terminal**.

+1. In the **Terminal** window, select **Developer Command Prompt**.

+ :::image type="content" source="media/how-to-create-environment-with-azure-developer/visual-studio-developer-command-prompt.png" alt-text="Screenshot showing the terminal window menu with Developer Command Prompt highlighted." lightbox="media/how-to-create-environment-with-azure-developer/visual-studio-developer-command-prompt.png":::

+Sign in to AZD using the Developer Command Terminal:

+```bash

+ azd auth login

+```

+# [Visual Studio](#tab/visual-studio)

+```bash

+ azd config set platform.type devcenter

+```

+ :::image type="content" source="media/how-to-create-environment-with-azure-developer/initialize-services.png" alt-text="Screenshot showing the AZD init prompt to confirm and continue, remove a service, or add a service." lightbox="media/how-to-create-environment-with-azure-developer/initialize-services.png":::

+ :::image type="content" source="media/how-to-create-environment-with-azure-developer/initialize-app-services.png" alt-text="Screenshot showing the azd init prompt for a database name." lightbox="media/how-to-create-environment-with-azure-developer/initialize-app-services.png":::

+ :::image type="content" source="media/how-to-create-environment-with-azure-developer/initialize-new-environment-name.png" alt-text="Screenshot showing azd init prompt Enter a new environment name." lightbox="media/how-to-create-environment-with-azure-developer/initialize-new-environment-name.png":::

+ :::image type="content" source="media/how-to-create-environment-with-azure-developer/initialize-select-project.png" alt-text="Screenshot showing azd init prompt Select project." lightbox="media/how-to-create-environment-with-azure-developer/initialize-select-project.png":::

+ :::image type="content" source="media/how-to-create-environment-with-azure-developer/initialize-folder.png" alt-text="Screenshot showing the az init command and the prompt How do you want to initialize your app." lightbox="media/how-to-create-environment-with-azure-developer/initialize-folder.png":::

+ :::image type="content" source="media/how-to-create-environment-with-azure-developer/initialize-services.png" alt-text="Screenshot showing the AZD init prompt to confirm and continue, remove a service, or add a service." lightbox="media/how-to-create-environment-with-azure-developer/initialize-services.png":::

+ :::image type="content" source="media/how-to-create-environment-with-azure-developer/initialize-app-services.png" alt-text="Screenshot showing the azd init prompt for a database name." lightbox="media/how-to-create-environment-with-azure-developer/initialize-app-services.png":::

+ :::image type="content" source="media/how-to-create-environment-with-azure-developer/initialize-new-environment-name.png" alt-text="Screenshot showing azd init prompt Enter a new environment name." lightbox="media/how-to-create-environment-with-azure-developer/initialize-new-environment-name.png":::

+1. `azd init` displays a list of the projects you have access to. Select the project for your environment.

+ :::image type="content" source="media/how-to-create-environment-with-azure-developer/initialize-select-project.png" alt-text="Screenshot showing azd init prompt Select project." lightbox="media/how-to-create-environment-with-azure-developer/initialize-select-project.png":::

+# [Visual Studio](#tab/visual-studio)

+1. At the CLI, navigate to the folder that contains your application code.

+

+1. Run the following command to initialize your application and supply information when prompted:

+ ```bash

+ azd init

+ ```

+1. In the AZD terminal, select ***Use code in the current directory***.

+ :::image type="content" source="media/how-to-create-environment-with-azure-developer/visual-studio-initialize-folder.png" alt-text="Screenshot showing the az init command and the prompt How do you want to initialize your app." lightbox="media/how-to-create-environment-with-azure-developer/visual-studio-initialize-folder.png":::

+ AZD scans the current directory and gathers more information depending on the type of app you're building. Follow the prompts to configure your AZD environment.

+1. `azd init` identifies the services defined in your app code and prompts you to confirm and continue, remove a service, or add a service. Select ***Confirm and continue initializing my app***.

+

+ :::image type="content" source="media/how-to-create-environment-with-azure-developer/visual-studio-initialize-services.png" alt-text="Screenshot showing the AZD init prompt to confirm and continue, remove a service, or add a service." lightbox="media/how-to-create-environment-with-azure-developer/visual-studio-initialize-services.png":::

+

+1. `azd init` continues to gather information to configure your app. For this example application, you're prompted for the name of your MongoDB database instance, and ports that the services listen on.

+

+ :::image type="content" source="media/how-to-create-environment-with-azure-developer/visual-studio-initialize-app-services.png" alt-text="Screenshot showing the azd init prompt for a database name." lightbox="media/how-to-create-environment-with-azure-developer/visual-studio-initialize-app-services.png":::

+

+1. Enter a name for your local AZD environment.

+

+ :::image type="content" source="media/how-to-create-environment-with-azure-developer/visual-studio-new-environment-name.png" alt-text="Screenshot showing azd init prompt Enter a new environment name." lightbox="media/how-to-create-environment-with-azure-developer/visual-studio-new-environment-name.png":::

+

+1. `azd init` displays a list of the projects you have access to. Select the project for your environment.

+ :::image type="content" source="media/how-to-create-environment-with-azure-developer/visual-studio-initialize-select-project.png" alt-text="Screenshot showing azd init prompt Select project." lightbox="media/how-to-create-environment-with-azure-developer/visual-studio-initialize-select-project.png":::

+

+1. `azd init` displays a list of environment definitions in the project. Select an environment definition.

+ AZD creates the project resources, including an *azure.yaml* file in the root of your project.

+# [Visual Studio](#tab/visual-studio)

+Provision your application to Azure using the following command:

+```bash

+azd provision

+```

+1. 'azd provision' provides a list of projects that you have access to. Select the project that you want to provision your application to.

+ :::image type="content" source="media/how-to-create-environment-with-azure-developer/visual-studio-select-project.png" alt-text="Screenshot showing the azd init prompt to select a project." lightbox="media/how-to-create-environment-with-azure-developer/visual-studio-select-project.png":::

+1. 'azd provision' provides a list of environment definitions in the selected project. Select the environment definition that you want to use to provision your application.

+ :::image type="content" source="media/how-to-create-environment-with-azure-developer/visual-studio-select-environment-type.png" alt-text="Screenshot showing the azd init prompt to select an environment type." lightbox="media/how-to-create-environment-with-azure-developer/visual-studio-select-environment-type.png":::

+1. 'azd provision' provides a list of environment types in the selected project. Select the environment type that you want to use to provision your application.

+1. AZD instructs ADE to create a new environment based on the information you gave in the previous step.

+

+1. You can view the resources created in the Azure portal or in the [developer portal](https://devportal.microsoft.com).

+# [Visual Studio](#tab/visual-studio)

+Use the following command to view the environments that you have access to: the local AZD environment and the remote Azure Deployment Environments environment.

+```bash

+azd env list

+```

+`azd env list` prompts you to select a project and an environment definition.

+# [Visual Studio](#tab/visual-studio)

+Deploy your application code to the remote Azure Deployment Environments environment you provisioned using the following command:

+```bash

+azd env deploy

+```

+Deploying your code to the remote environment can take several minutes.

+You can view the progress of the deployment in the Azure portal:

+When deployment completes, you can view the resources that were provisioned in the Azure portal:

+You can verify that your code is deployed by selecting the end point URLs listed in the AZD terminal.

+# [Visual Studio](#tab/visual-studio)

+Delete your Azure resources by using the following command:

+```bash

+azd down --environment <environmentName>

+```

+## Virtual network gateway limitations and performance

+The following table shows the features supported across each gateway types and max number of ExpressRoute circuit connections supported by each gateway SKU.

+| Gateway SKU | VPN Gateway and ExpressRoute coexistence | FastPath | Max Number of Circuit Connections |

+|--|--|--|--|

+| **Standard SKU/ERGw1Az** | Yes | No | 4 |

+| **High Perf SKU/ERGw2Az** | Yes | No | 8 |

+| **Ultra Performance SKU/ErGw3Az** | Yes | Yes | 16 |

+| **ErGwScale (Preview)** | Yes | Yes - minimum 10 of scale units | 4 - minimum 1 of scale unit<br>8 - minimum of 2 scale units<br>16 - minimum of 10 scale units |

+| **Phoenix2** | [PhoenixNAP](https://phoenixnap.com/) | 1 | West US 3 | Supported | n/a |

+| **Silicon Valley** | [Equinix SV1](https://www.equinix.com/locations/americas-colocation/united-states-colocation/silicon-valley-data-centers/sv1/) | 1 | West US | Supported | Aryaka Networks<br/>AT&T Dynamic Exchange<br/>AT&T NetBond<br/>British Telecom<br/>CenturyLink Cloud Connect<br/>Colt<br/>Comcast<br/>Coresite<br/>Cox Business Cloud Port<br/>Equinix<br/>InterCloud<br/>Internet2<br/>IX Reach<br/>Packet<br/>PacketFabric<br/>Level 3 Communications<br/>Megaport<br/>Momentum Telecom<br/>Orange<br/>Sprint<br/>Tata Communications<br/>Telia Carrier<br/>Verizon<br/>Vodafone<br/>Zayo |

+| **Warsaw** | [Equinix WA1](https://www.equinix.com/data-centers/europe-colocation/poland-colocation/warsaw-data-centers/wa1) | 1 | Poland Central | Supported | Equinix<br/>Orange Poland<br/>T-mobile Poland |

+ * [Momentum Telecom](https://gomomentum.com/)

+| **[Momentum Telecom](https://gomomentum.com/)** | Supported | Supported | Chicago<br/>New York<br/>Washington DC2<br/>Silicon Valley |

+ * [Momentum Telecom](https://gomomentum.com/)

+| **Rogers** | Cologix<br/>Equinix | Montreal<br/>Toronto |

+| **[Tamares Telecom](https://www.tamarestelecom.com/services/)** | Equinix | London |

+|\includeAssociatedData | No | Allows you to export history and soft deleted resources. This filter doesn't work with '_typeFilter' query parameter. Include value as 'history' to export history/ non latest versioned resources. Include value as 'deleted' to export soft deleted resources. |

+|`includeAssociatedData` | No | Allows you to export history and soft deleted resources. This filter doesn't work with '_typeFilter' query parameter. Include value as 'history' to export history/ non latest versioned resources. Include value as 'deleted' to export soft deleted resources. |

+- Deploying Azure Industrial IoT Platform microservices into an existing Kubernetes cluster using [Helm](/azure/api-management/how-to-deploy-self-hosted-gateway-kubernetes-helm).

+ cd c:\dev\iotedgesolution

+# [C\#](#tab/csharp)

+The target architecture is set when you create the container image in a later step.

+# [C, Java, Node.js, Python](#tab/c+java+node+python)

+1. Find the `SetupCallbacksForModule` function. Replace the function with the following code that adds an **else if** statement to check if the module twin is updated.

+1. Add the following definition into class **App**. This variable sets a temperature threshold. The measured machine temperature isn't reported to IoT Hub until it goes over this value.

+In this section, add the code that expands the *filtermodule* to analyze the messages before sending them. You add code that filters messages where the reported machine temperature is within the acceptable limits.

+You updated the module code and the deployment template to help understand some key deployment concepts. Now, you're ready to build your module container image and push it to your container registry.

+Open the Visual Studio Code integrated terminal by selecting **Terminal** > **New Terminal**.

+# [C\#](#tab/csharp)

+Use the `dotnet publish` command to build the container image for Linux and amd64 architecture. Change directory to the *filtermodule* directory in your project and run the *dotnet publish* command.

+```bash

+dotnet publish --os linux --arch x64 /t:PublishContainer

+```

+Currently, the *iotedgedev* tool template targets .NET 7.0. If you want to target a different version of .NET, you can edit the *filtermodule.csproj* file and change the *TargetFramework* and *PackageReference* values. For example to target .NET 8.0, your *filtermodule.csproj* file should look like this:

+```xml

+<Project Sdk="Microsoft.NET.Sdk.Worker">

+ <PropertyGroup>

+ <TargetFramework>net8.0</TargetFramework>

+ <Nullable>enable</Nullable>

+ <ImplicitUsings>enable</ImplicitUsings>

+ </PropertyGroup>

+ <ItemGroup>

+ <PackageReference Include="Microsoft.Azure.Devices.Client" Version="1.42.0" />

+ <PackageReference Include="Microsoft.Extensions.Hosting" Version="8.0.0" />

+ <PackageReference Include="Microsoft.NET.Build.Containers" Version="8.0.101" />

+ </ItemGroup>

+</Project>

+```

+Tag the docker image with your container registry information, version, and architecture. Replace **myacr** with your own registry name.

+```bash

+docker tag filtermodule myacr.azurecr.io/filtermodule:0.0.1-amd64

+```

+# [C, Java, Node.js, Python](#tab/c+java+node+python)

+Use the module's Dockerfile to [build](https://docs.docker.com/engine/reference/commandline/build/) and tag the module Docker image.

+# Build and tag the image for the local registry

+# Or build and tag the image for an Azure Container Registry. Replace myacr with your own registry name.

+Provide your container registry credentials to Docker so that it can push your container image to storage in the registry.

+1. Sign in to Docker with the Azure Container Registry (ACR) credentials.

+ ```bash

+ docker login -u <ACR username> -p <ACR password> <ACR login server>

+ ```

+ You might receive a security warning recommending the use of `--password-stdin`. While that's a recommended best practice for production scenarios, it's outside the scope of this tutorial. For more information, see the [docker login](https://docs.docker.com/engine/reference/commandline/login/#provide-a-password-using-stdin) reference.

+1. Sign in to the Azure Container Registry. You need to [Install Azure CLI](/cli/azure/install-azure-cli) to use the `az` command. This command asks for your user name and password found in your container registry in **Settings** > **Access keys**.

+ ```azurecli

+ az acr login -n <ACR registry name>

+ ```

+ >[!TIP]

+ >If you get logged out at any point in this tutorial, repeat the Docker and Azure Container Registry sign in steps to continue.

+1. [Push](https://docs.docker.com/engine/reference/commandline/push/) your module image to the local registry or a container registry.

+ ```bash

+ docker push <ImageName>

+ ```

+

+ For example:

+

+ ```bash

+ # Push the Docker image to the local registry

+

+ docker push localhost:5000/filtermodule:0.0.1-amd64

+

+ # Or push the Docker image to an Azure Container Registry. Replace myacr with your Azure Container Registry name.

+ az acr login --name myacr

+ docker push myacr.azurecr.io/filtermodule:0.0.1-amd64

+ ```

+

+#### Optional: Update the module and image

+If you make changes to your module code, you need to rebuild and push the module image to your container registry. Use the steps in this section to update the build and container image. You can skip this section if you didn't make any changes to your module code.

+Build and push the updated image with a *0.0.2* version tag. For example, to build and push the image for the local registry or an Azure container registry, use the following commands:

+# [C\#](#tab/csharp)

+```bash

+# Build the container image for Linux and amd64 architecture.

+dotnet publish --os linux --arch x64

+# For local registry:

+# Tag the image with version 0.0.2, x64 architecture, and the local registry.

+docker tag filtermodule localhost:5000/filtermodule:0.0.2-amd64

+# For Azure Container Registry:

+# Tag the image with version 0.0.2, x64 architecture, and your container registry information. Replace **myacr** with your own registry name.

+docker tag filtermodule myacr.azurecr.io/filtermodule:0.0.2-amd64

+```

+# [C, Java, Node.js, Python](#tab/c+java+node+python)

+# Or build and push the 0.0.2 image for an Azure Container Registry. Replace myacr with your own registry name.

+ It might take a few minutes for the modules to start. The IoT Edge runtime needs to receive its new deployment manifest, pull down the module images from the container runtime, then start each new module.

+ Title: Import and export device identities

+description: Use the Azure IoT service SDK to import and export device identities so that you can create, update, and delete device identities in bulk.

+Each IoT hub has an identity registry that you can use to create device resources in the service. The identity registry also enables you to control access to the device-facing endpoints. This article describes how to import and export device identities in bulk to and from an identity registry, using the ImportExportDeviceSample sample included with the [Microsoft Azure IoT SDK for .NET](https://github.com/Azure/azure-iot-sdk-csharp/tree/main). For more information about how you can use this capability when migrating an IoT hub to a different region, see [How to manually migrate an Azure IoT hub using an Azure Resource Manager template](migrate-hub-arm.md).

+> IoT Hub recently added virtual network support in a limited number of regions. This feature secures import and export operations and eliminates the need to pass keys for authentication. Currently, virtual network support is available only in these regions: *WestUS2*, *EastUS*, and *SouthCentralUS*. To learn more about virtual network support and the API calls to implement it, see [IoT Hub Support for virtual networks](virtual-network-support.md).

+Import and export operations take place in the context of *jobs* that enable you to execute bulk service operations against an IoT hub.

+This article discusses using the **RegistryManager** class and **Job** system to perform bulk imports and exports of devices to and from an IoT hub's identity registry. You can also use the Azure IoT Hub Device Provisioning Service to enable zero-touch, just-in-time provisioning to one or more IoT hubs. To learn more, see the [provisioning service documentation](../iot-dps/index.yml).

+Identity registry operations use the job system when the operation:

+Instead of a single API call waiting or blocking on the result of the operation, the operation asynchronously creates a job for that IoT hub. The operation then immediately returns a **JobProperties** object.

+// Call an export job on the IoT hub to retrieve all devices

+1. Navigate to your IoT hub.

+1. Select **Shared access policies**.

+1. Select a policy, taking into account the permissions you need.

+1. Copy the connection string for that policy.

+Use the **ExportDevicesAsync** method to export the entirety of an IoT hub identity registry to an Azure Storage blob container using a shared access signature (SAS). This method enables you to create reliable backups of your device information in a blob container that you control.

+ "reported":{}

+If you need access to this data in code, you can deserialize this data using the **ExportImportDevice** class. The following C# code snippet, from the **ReadFromBlobAsync** method in the SDK sample, shows how to read device information that was previously exported from **ExportImportDevice** into a **BlobClient** instance:

+* A *string* that contains a URI of an Azure Storage blob container to use as *input* to the job. This URI must contain a SAS token that grants read access to the container. This container must contain a blob with the name **devices.txt** that contains the serialized device data to import into your identity registry. The import data must contain device information in the same JSON format that the **ExportImportDevice** job uses when it creates a **devices.txt** blob. The SAS token must include these permissions:

+* A *string* that contains a URI of an Azure Storage blob container to use as *output* from the job. The job creates a block blob in this container to store any error information from the completed import job. The SAS token must include these permissions:

+This method can also be used to import the data for the device twin. The format for the data input is the same as the format shown in the **ExportDevicesAsync** section. In this way, you can reimport the exported data.

+* **Create**

+* **CreateOrUpdate** (default)

+* **CreateOrUpdateIfMatchETag**

+* **Delete**

+* **DeleteIfMatchETag**

+* **Update**

+* **UpdateIfMatchETag**

+* **UpdateTwin**

+* **UpdateTwinIfMatchETag**

+For details about each of these import mode options, see [ImportMode](/dotnet/api/microsoft.azure.devices.importmode)

+## Troubleshoot import jobs

+Using an import job to create devices might fail with a quota issue when it's close to the device count limit of the IoT hub. This failure can happen even if the total device count is still lower than the quota limit. The **IotHubQuotaExceeded (403002)** error is returned with the following error message: "Total number of devices on IotHub exceeded the allocated quota.ΓÇ¥

+If there's still quota available, you can examine the job output blob for devices that failed with the **IotHubQuotaExceeded (403002)** error. You can then try adding these devices individually to the IoT hub. For example, you can use the **AddDeviceAsync** or **AddDeviceWithTwinAsync** methods. Don't try to add the devices using another job as you might encounter the same error.

+This error may also be returned by a bulk import job when the number of devices registered to your IoT hub approaches or exceeds the quota limit for an IoT hub. To learn more, see [Troubleshoot import jobs](iot-hub-bulk-identity-mgmt.md#troubleshoot-import-jobs).

+| File path¹ | [Template](../process-dat#templates) | The file path for where to write the parquet file to. | No | `{{{instanceId}}}/{{{pipelineId}}}/{{{partitionId}}}/{{{YYYY}}}/{{{MM}}}/{{{DD}}}/{{{HH}}}/{{{mm}}}/{{{fileNumber}}}` | |

+| openTelemetryTracesCollectorAddr | false | String | `null` | Endpoint URL of the OpenTelemetry collector |

+|Managed HSM Crypto Service Release User| Grants permissions to release a key to a trusted execution environment. |21dbd100-6940-42c2-9190-5d6cb909625c|

+|Data action | Administrator | Crypto Officer | Crypto User | Policy Administrator | Crypto Service Encryption User | Backup | Crypto Auditor| Crypto Service Released User|

+||::|::|::|::|::|::|::|::|

+|**Security domain management**|||||||||

+|/securitydomain/download/action|X||||||||

+|/securitydomain/upload/action|X||||||||

+|/securitydomain/upload/read|X||||||||

+|/securitydomain/transferkey/read|X||||||||

+|**Key management**|||||||||

+|/keys/read/action|||X||X||X||

+|/keys/write/action|||X||||||

+|/keys/rotate/action|||X||||||

+|/keys/create|||X||||||

+|/keys/delete|||X||||||

+|/keys/deletedKeys/read/action||X|||||||

+|/keys/deletedKeys/recover/action||X|||||||

+|/keys/deletedKeys/delete||X|||||X||

+|/keys/backup/action|||X|||X|||

+|/keys/restore/action|||X||||||

+|/keys/release/action|||X|||||X |

+|/keys/import/action|||X||||||

+|**Key cryptographic operations**|||||||||

+|/keys/encrypt/action|||X||||||

+|/keys/decrypt/action|||X||||||

+|/keys/wrap/action|||X||X||||

+|/keys/unwrap/action|||X||X||||

+|/keys/sign/action|||X||||||

+|/keys/verify/action|||X||||||

+|**Role management**|||||||||

+|/roleAssignments/read/action|X|X|X|X|||X||

+|/roleAssignments/write/action|X|X||X|||||

+|/roleAssignments/delete/action|X|X||X|||||

+|/roleDefinitions/read/action|X|X|X|X|||X||

+|/roleDefinitions/write/action|X|X||X|||||

+|/roleDefinitions/delete/action|X|X||X|||||

+|**Backup and restore management**|||||||||

+|/backup/start/action|X|||||X|||

+|/backup/status/action|X|||||X|||

+|/restore/start/action|X||||||||

+|/restore/status/action|X||||||||

+ >Bandwidth-related metrics such as SYN packet, byte count, and packet count will not capture any traffic to an internal load balancer via a UDR (eg. from an NVA or firewall).

+ Title: Understand compute targets

+Azure Machine Learning has varying support across different compute targets. In a typical model development lifecycle, you might:

+As you scale up your training on larger datasets or perform [distributed training](how-to-train-distributed-gpu.md), use Azure Machine Learning compute to create a single- or multi-node cluster that autoscales each time you submit a job. You can also attach your own compute resource, although support for different scenarios might vary.

+The compute target you use to host your model affects the cost and availability of your deployed endpoint. Use this table to choose an appropriate compute target.

+| -- | -- | -- | -- |

+| [Azure Machine Learning endpoints](~/articles/machine-learning/concept-endpoints.md) | Real-time inference <br><br>Batch inference | Yes | Fully managed computes for real-time (managed online endpoints) and batch scoring (batch endpoints) on serverless compute. |

+| [Azure Machine Learning Kubernetes](~/articles/machine-learning/how-to-attach-kubernetes-anywhere.md) | Real-time inference <br><br> Batch inference | Yes | Run inference workloads on on-premises, cloud, and edge Kubernetes clusters. |

+| -- | -- | -- | -- |

+| [Local web service](~/articles/machine-learning/v1/how-to-deploy-local-container-notebook-vm.md) | Testing/debugging | &nbsp; | Use for limited testing and troubleshooting. Hardware acceleration depends on use of libraries in the local system. |

+| [Azure Machine Learning Kubernetes](~/articles/machine-learning/v1/how-to-deploy-azure-kubernetes-service.md) | Real-time inference | Yes | Run inference workloads in the cloud. |

+| [Azure Container Instances](~/articles/machine-learning/v1/how-to-deploy-azure-container-instance.md) | Real-time inference <br><br> Recommended for dev/test purposes only.| &nbsp; | Use for low-scale CPU-based workloads that require less than 48 GB of RAM. Doesn't require you to manage a cluster.<br><br> Only suitable for models less than 1 GB in size.<br><br> Supported in the designer. |

+[Deploy and score a machine learning model by using an online endpoint](how-to-deploy-online-endpoints.md).

+[Deploy machine learning models to Azure](./v1/how-to-deploy-and-where.md).

+* [Azure Machine Learning studio](how-to-create-attach-compute-studio.md)

+ * [Compute instance](how-to-create-compute-instance.md)

+ * [Compute cluster](how-to-create-attach-compute-cluster.md)

+> * For a compute *cluster*, make sure the minimum number of nodes is set to 0, or use [serverless compute](./how-to-use-serverless-compute.md).

+> Azure Machine Learning doesn't support all VM sizes that Azure Compute supports. To list the available VM sizes, use the following method:

+> [!NOTE]

+> Azure Machine Learning doesn't support all VM sizes that Azure Compute supports. To list the available VM sizes, use one of the following methods:

+> * [REST API](https://github.com/Azure/azure-rest-api-specs/blob/master/specification/machinelearningservices/resource-manager/Microsoft.MachineLearningServices/stable/2020-08-01/examples/ListVMSizesResult.json)

+If you use the GPU-enabled compute targets, it's important to ensure that the correct CUDA drivers are installed in the training environment. Use the following table to determine the correct CUDA version to use:

+| **GPU Architecture** | **Azure VM series** | **Supported CUDA versions** |

+In addition to ensuring the CUDA version and hardware are compatible, also ensure that the CUDA version is compatible with the version of the machine learning framework you're using:

+- For PyTorch, you can check the compatibility by visiting [Pytorch's previous versions page](https://pytorch.org/get-started/previous-versions/).

+Azure Machine Learning compute offers VM sizes that are isolated to a specific hardware type and dedicated to a single customer. Isolated VM sizes are best suited for workloads that require a high degree of isolation from other customers' workloads for reasons that include meeting compliance and regulatory requirements. Utilizing an isolated size guarantees that your VM is the only one running on that specific server instance.

+* Standard_NC24rs_v3 (RDMA capable)

+Azure Machine Learning doesn't manage an *unmanaged* compute target. You create this type of compute target outside Azure Machine Learning and then attach it to your workspace. Unmanaged compute resources can require extra steps for you to maintain or to improve performance for machine learning workloads.

+* [Azure Kubernetes Service](./v1/how-to-create-attach-kubernetes.md)

+* [Azure Synapse Spark pool](v1/how-to-link-synapse-ml-workspaces.md) (deprecated)

+## Next step

+* [Deploy and score a machine learning model by using an online endpoint](how-to-deploy-online-endpoints.md)

+* [Deploy machine learning models to Azure](./v1/how-to-deploy-and-where.md)

+For a list of IP addresses for these hosts, see [IP addresses used by Azure Monitor](../azure-monitor/ip-addresses.md).

+ curl --request POST "127.0.0.1:5001/score" --header "Content-Type:application/json" --data @sample-request.json

+| Component | 10 million|

+### Azure Machine Learning job schedules

+[Azure Machine Learning job schedules](how-to-schedule-pipeline-job.md) have the following limits.

+| **Resource** | **Limit** |

+| | |

+| Schedules per region | 100 |

+# Troubleshoot private endpoint connection problems

+When you connect to an Azure Machine Learning workspace that's configured with a private endpoint, you might encounter a *403* error or a message saying that access is forbidden. This article explains how you can check for common configuration problems that cause this error.

+The troubleshooting steps for DNS configuration differ based on whether you use Azure DNS or a custom DNS. Use the following steps to determine which one you're using:

+1. From the **Overview** page, select the **Network Interface** link.

+ :::image type="content" source="media/how-to-troubleshoot-secure-connection-workspace/private-endpoint-overview.png" alt-text="Screenshot of the private endpoint overview with network interface link highlighted." lightbox="media/how-to-troubleshoot-secure-connection-workspace/private-endpoint-overview.png":::

+1. Under **Settings**, select **IP Configurations** and then select the **Virtual network** link.

+ :::image type="content" source="media/how-to-troubleshoot-secure-connection-workspace/network-interface-ip-configurations.png" alt-text="Screenshot of the IP configuration with virtual network link highlighted." lightbox="media/how-to-troubleshoot-secure-connection-workspace/network-interface-ip-configurations.png":::

+1. From the **Settings** section on the left of the page, select the **DNS servers** entry.

+ * If this value is **Default (Azure-provided)** or **168.63.129.16**, then the virtual network is using Azure DNS. Skip to the [Azure DNS troubleshooting](#azure-dns-troubleshooting) section.

+ * If there's a different IP address listed, then the virtual network is using a custom DNS solution. Skip to the [Custom DNS troubleshooting](#custom-dns-troubleshooting) section.

+ | Azure Government | <https://portal.azure.us/?feature.privateendpointmanagedns=false> |

+ | Microsoft Azure operated by 21Vianet | <https://portal.azure.cn/?feature.privateendpointmanagedns=false> |

+ | All other regions | <https://portal.azure.com/?feature.privateendpointmanagedns=false> |

+ :::image type="content" source="media/how-to-troubleshoot-secure-connection-workspace/custom-dns-settings.png" alt-text="Screenshot of the private endpoint with custom DNS settings highlighted." lightbox="media/how-to-troubleshoot-secure-connection-workspace/custom-dns-settings.png":::

+1. Open a command prompt, PowerShell, or other command line and run the following command for each FQDN returned from the previous step. Each time you run the command, verify that the IP address returned matches the IP address listed in the portal for the FQDN:

+ For example, running the command `nslookup 29395bb6-8bdb-4737-bf06-848a6857793f.workspace.eastus.api.azureml.ms` returns a value similar to the following text:

+ ```output

+ Name: 29395bb6-8bdb-4737-bf06-848a6857793f.workspace.eastus.api.azureml.ms

+1. If the `nslookup` command returns an error, or returns a different IP address than displayed in the portal, then the custom DNS solution isn't configured correctly. For more information, see [How to use your workspace with a custom DNS server](how-to-custom-dns.md).

+1. On the Private Endpoint, select **DNS configuration**. For each entry in the **Private DNS zone** column, there should also be an entry in the **DNS zone group** column.

+ :::image type="content" source="media/how-to-troubleshoot-secure-connection-workspace/dns-zone-group.png" alt-text="Screenshot of the DNS configuration with Private DNS zone and group highlighted." lightbox="media/how-to-troubleshoot-secure-connection-workspace/dns-zone-group.png":::

+ * If there's a **Private DNS zone** entry, but no **DNS zone group** entry, delete and recreate the Private Endpoint. When recreating the private endpoint, enable **Private DNS zone integration**.

+ * If **DNS zone group** isn't empty, select the link for the **Private DNS zone** entry.

+ From the Private DNS zone, select **Virtual network links**. There should be a link to the virtual network. If there isn't one, then delete and recreate the private endpoint. When recreating it, select a Private DNS Zone linked to the virtual network or create a new one that is linked to it.

+ 1. Select **...** in the top right corner, then select **Settings**.

+ 1. From settings, search for **DNS** and then disable **Use secure DNS to specify how to look up the network address for websites**.

+If you use a proxy, it might prevent communication with a secured workspace. To test, use one of the following options:

+### Where to find the serverless instance used by automatic runtime?

+Automatic runtime is running on a serverless instance, you can find the serverless instance under compute quota page, [View your usage and quotas in the Azure portal](../../how-to-manage-quotas.md#view-your-usage-and-quotas-in-the-azure-portal). The serverless instances with have with name like this `sessionxxxxyyyy`.

+Less than 2000 files & can't use a datastore| Override snapshot size limit with <br> `azureml._restclient.snapshots_client.SNAPSHOT_MAX_SIZE_BYTES = 'insert_desired_size'` and `azureml._restclient.constants.SNAPSHOT_MAX_SIZE_BYTES = 'insert_desired_size'`<br> This may take several minutes depending on the number and size of files.

+* Learn more about [Create compute targets for model training and deployment](../how-to-create-attach-compute-studio.md)

+| Single to Flexible Server (Azure CLI) | Azure Database for MySQL Import CLI | [Tutorial: Azure Database for MySQL Import](../migrate/migrate-single-flexible-mysql-import-cli.md) | **Recommended** - Suitable for all sizes of workloads, extremely performant for > 500 GB workloads.|

+ Title: "Migrate MySQL on-premises or Virtual Machine (VM) workload to Azure Database for MySQL - Flexible Server using Azure Database for MySQL Import CLI"

+description: This tutorial describes how to use the Azure Database for MySQL Import CLI to migrate MySQL on-premises or VM workload to Azure Database for MySQL - Flexible Server.

+# Migrate MySQL on-premises or Virtual Machine (VM) workload to Azure Database for MySQL - Flexible Server using Azure Database for MySQL Import CLI

+Azure Database for MySQL Import enables you to migrate your MySQL on-premises or Virtual Machine (VM) workload seamlessly to Azure Database for MySQL - Flexible Server. It uses a user-provided physical backup file and restores the source server's physical data files to the target server offering a simple and fast migration path. Post Import operation, you can take advantage of the benefits of Flexible Server, including better price & performance, granular control over database configuration, and custom maintenance windows.

+This tutorial shows how to use the Azure Database for MySQL Import CLI command to migrate your Migrate MySQL on-premises or Virtual Machine (VM) workload to Azure Database for MySQL - Flexible Server.

+* Users and privileges aren't migrated as part of Azure Database for MySQL Import. You must take a manual dump of users and privileges before initiating Azure Database for MySQL Import to migrate logins post import operation by restoring them on the target Flexible Server.

+ * Setting Burstable SKU for target isn't recommended in order to optimize migration time when running the Azure Database for MySQL Import operation. We recommend scaling to General Purpose/ Business Critical for the course of the import operation, post, which you can scale down to Burstable SKU.

+## Trigger an Azure Database for MySQL Import operation to migrate from Azure Database for MySQL -Flexible Server

+Trigger an Azure Database for MySQL Import operation with the `az mysql flexible-server import create` command. The following command creates a target Flexible Server and performs instance-level import from backup file to target destination using your Azure CLI's local context:

+data-source-type | azure_blob | The type of data source that serves as the source destination for triggering Azure Database for MySQL Import. Accepted values: [azure_blob]. Description of accepted values- azure_blob: Azure Blob storage.

+mode | Offline | The mode of Azure Database for MySQL import. Accepted values: [Offline]; Default value: Offline.

+In order to perform an online migration after completing the initial seeding from backup file using Azure Database for MySQL import, you can configure data-in replication between the source and target by following steps [here](../flexible-server/how-to-data-in-replication.md?tabs=bash%2Ccommand-line). You can use the bin-log position captured while taking the backup file using Percona XtraBackup to set up Bin-log position based replication.

+## How long does Azure Database for MySQL Import take to migrate my MySQL instance?

+ | Backup file Storage Size | Import time |

+ Title: "Migrate Azure Database for MySQL - Single Server to Flexible Server using Azure Database for MySQL Import CLI"

+description: This tutorial describes how to use the Azure Database for MySQL Import CLI to migrate an Azure Database for MySQL Single Server to Flexible Server.

+# Migrate Azure Database for MySQL - Single Server to Flexible Server using Azure Database for MySQL Import CLI

+Azure Database for MySQL Import CLI (Generally Available) enables you to migrate your Azure Database for MySQL seamlessly - Single Server to Flexible Server. It uses snapshot backup and restores technology to offer a simple and fast migration path to restore the source server's physical data files to the target server. Post import operation, you can take advantage of the benefits of Flexible Server, including better price & performance, granular control over database configuration, and custom maintenance windows.

+Azure Database for MySQL Import CLI supports a near-zero downtime migration by first performing an offline import operation and consequently users can set up data-in replication between source and target to perform an online migration.

+This tutorial shows how to use the Azure Database for MySQL Import CLI command to migrate your Azure Database for MySQL Single Server to Flexible Server.

+- The source Azure Database for MySQL - Single Server and the target Azure Database for MySQL - Flexible Server must be in the same subscription, resource group, region, and on the same MySQL version. Import across subscriptions, resource groups, regions, and versions isn't possible.

+- MySQL versions supported by Azure Database for MySQL Import CLI are 5.7 and 8.0. If you are on a different major MySQL version on Single Server, make sure to upgrade your version on your Single Server instance before triggering the import command.

+- If the Azure Database for MySQL - Single Server instance has server parameter 'lower_case_table_names' set to 2 and your application used partition tables, Import operation will result in corrupted partition tables. The recommendation is to set 'lower_case_table_names' to 1 for your Azure Database for MySQL - Single Server instance in order to proceed with corruption-free MySQL Import operation.

+- Import operation for Single Servers with Legacy Storage architecture (General Purpose storage V1) isn't supported. You must upgrade your storage to the latest storage architecture (General Purpose storage V2) to trigger an Import operation. Find your storage type and upgrade steps by following directions [here](../single-server/concepts-pricing-tiers.md#how-can-i-determine-which-storage-type-my-server-is-running-on).

+- Import to an existing Azure MySQL Flexible Server isn't supported. The CLI command initiates the import of a new Azure MySQL Flexible Server.

+- For CMK enabled Single Server instances, Azure Database for MySQL Import command requires you to provide mandatory input parameters for enabling CMK on target Flexible Server.

+- If the Single Server instance has ' Infrastructure Double Encryption' enabled, enabling Customer Managed Key (CMK) on target Flexible Server instance is recommended to support similar functionality. You can choose to enable CMK on target server with Azure Database for MySQL Import CLI input parameters or post migration as well.

+- Below items should be copied from source to target by the user post the Import operation:

+## Trigger an Azure Database for MySQL Import operation to migrate from Azure Database for MySQL - Single Server to Flexible Server

+Trigger an Azure Database for MySQL Import operation with the `az mysql flexible-server import create` command. The following command creates a target Flexible Server and performs instance-level import from source to target destination using service defaults and values from your Azure CLI's local context:

+The following example takes in the data source information for Single Server named 'test-single-server' and target Flexible Server information, creates a target Flexible Server named `test-flexible-server` in the `westus` location (same location as that of the source Single Server) and performs an import from source to target. Azure Database MySQL Import command maps over the corresponding tier, version, sku-name, storage-size, location, geo-redundant-backup, public-access, tags, auto grow, backup-retention-days, admin-user and admin-password properties from Single Server to Flexible Server as smart defaults if no inputs are provided to the CLI command. You can chose to override the smart defaults by providing inputs for these optional parameters.

+The following example takes in the data source information for Single Server named 'test-single-server' with Customer Managed Key (CMK) enabled and target Flexible Server information, creates a target Flexible Server named `test-flexible-server` and performs an import from source to target. For CMK enabled Single Server instances, Azure Database for MySQL Import command requires you to provide mandatory input parameters for enabling CMK : --key keyIdentifierOfTestKey --identity testIdentity.

+# trigger azure database for mysql import for CMK enabled single server

+data-source-type | mysql_single | The type of data source that serves as the source destination for triggering Azure Database for MySQL Import. Accepted values: [mysql_single]. Description of accepted values- mysql_single: Azure Database for MySQL Single Server.

+mode | Offline | The mode of Azure Database for MySQL import. Accepted values: [Offline]; Default value: Offline.

+After completing the above-stated Azure Database for MySQL Import operation :

+- Log in to the target Azure Database for MySQL Flexible Server and run the following command to get the bin-log filename and position corresponding to the backup snapshot used by Azure Database for MySQL Import CLI to restore to the target server.

+## Best practices for configuring Azure Database for MySQL Import CLI command parameters

+ Before you trigger the Azure Database for MySQL Import CLI command, consider the following parameter configuration guidance to help ensure faster data loads using Azure Database for MySQL Import CLI.

+- If the Single Server instance has ' Infrastructure Double Encryption' enabled, enabling Customer Managed Key (CMK) on target Flexible Server instance is recommended to support similar functionality. You can choose to enable CMK on target server with Azure Database for MySQL Import CLI input parameters or post migration as well.

+## How long does Azure Database for MySQL Import take to migrate my Single Server instance?

+ | Single Server Storage Size | Import time |

+ | Number of tables in Single Server instance | Import time |

+ As the number of files increases, each file/table in the database may become very small. This will result in a consistent amount of data being transferred, but there will be more frequent file-related operations, which may impact the performance of Azure Database for Mysql Import.

+- Copy the following properties from the source Single Server to target Flexible Server post Azure Database for MySQL Import operation is completed successfully:

+| Offline | Azure Database for MySQL Import and the Azure CLI | [Tutorial: Azure Database for MySQL Import with the Azure CLI (offline)](../migrate/migrate-single-flexible-mysql-import-cli.md) |

+> In-place auto-migration from Azure Database for MySQL ΓÇô Single Server to Flexible Server is a service-initiated in-place migration during planned maintenance window for Single Server database workloads with Basic or General Purpose SKU, data storage used <= 20 GiB and no complex features (CMK, AAD, Read Replica, Private Link) enabled. The eligible servers are identified by the service and are sent an advance notification detailing steps to review migration details. All other Single Server workloads are recommended to use user-initiated migration tooling offered by Azure - Azure DMS, Azure Database for MySQL Import to migrate. Learn more about in-place auto-migration [here](../migrate/migrate-single-flexible-in-place-auto-migration.md).

+ Title: Manage packet captures for VMs - Azure portal

+description: Learn how to start, stop, download, and delete Azure virtual machines packet captures with the packet capture feature of Network Watcher using the Azure portal.

+# CustomerIntent: As an administrator, I want to capture IP packets to and from a virtual machine (VM) so I can review and analyze the data to help diagnose and solve network problems.

+# Manage packet captures for virtual machines with Azure Network Watcher using the Azure portal

+The Network Watcher packet capture tool allows you to create capture sessions to record network traffic to and from an Azure virtual machine (VM). Filters are provided for the capture session to ensure you capture only the traffic you want. Packet capture helps in diagnosing network anomalies both reactively and proactively. Its applications extend beyond anomaly detection to include gathering network statistics, acquiring insights into network intrusions, debugging client-server communication, and addressing various other networking challenges. Network Watcher packet capture enables you to initiate packet captures remotely, alleviating the need for manual execution on a specific virtual machine.

+In this article, you learn how to remotely configure, start, stop, download, and delete a virtual machine packet capture using the Azure portal. To learn how to manage packet captures using PowerShell or Azure CLI, see [Manage packet captures for virtual machines using PowerShell](network-watcher-packet-capture-manage-powershell.md) or [Manage packet captures for virtual machines using the Azure CLI](network-watcher-packet-capture-manage-cli.md).

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+ - to the storage account over port 443

+> - Azure creates a Network Watcher instance in the the virtual machine's region if Network Watcher wasn't enabled for that region. For more information, see [Enable or disable Azure Network Watcher](network-watcher-create.md).

+> - Network Watcher packet capture requires Network Watcher agent VM extension to be installed on the target virtual machine. Whenever you use Network Watcher packet capture, Azure installs the agent on the target VM or scale set if it wasn't previously installed. To update an already installed agent, see [Update Azure Network Watcher extension to the latest version](../virtual-machines/extensions/network-watcher-update.md?toc=/azure/network-watcher/toc.json). To manually install the agent, see [Network Watcher Agent virtual machine extension for Linux](../virtual-machines/extensions/network-watcher-linux.md) or [Network Watcher Agent virtual machine extension for Windows](../virtual-machines/extensions/network-watcher-windows.md).

+> - The last two IP addresses and ports listed in the **Prerequisites** are common across all Network Watcher tools that use the Network Watcher agent and might occasionally change.

+1. In the search box at the top of the portal, enter *Network Watcher*. Select **Network Watcher** from the search results.

+ :::image type="content" source="./media/network-watcher-packet-capture-manage-portal/portal-search.png" alt-text="Screenshot shows how to search for Network Watcher in the Azure portal." lightbox="./media/network-watcher-packet-capture-manage-portal/portal-search.png":::

+ :::image type="content" source="./media/network-watcher-packet-capture-manage-portal/packet-capture.png" alt-text="Screenshot shows Network Watcher packet capture in the Azure portal." lightbox="./media/network-watcher-packet-capture-manage-portal/packet-capture.png":::

+ | Setting | Value |

+ | | |

+ | **Basic Details** | |

+ | Subscription | Select the Azure subscription of the virtual machine. |

+ | Resource group | Select the resource group of the virtual machine. |

+ | Target type | Select **Virtual machine**. |

+ | Target instance | Select the virtual machine. |

+ | Packet capture name | Enter a name or leave the default name. |

+ | **Packet capture configuration** | |

+ | Capture location | Select **Storage account**, **File**, or **Both**. |

+ | Storage account | Select your **Standard** storage account<sup>1</sup>. <br> This option is available if you selected **Storage account** or **Both** as a capture location. |

+ | Local file path | Enter a valid local file path where you want the capture to be saved in the target virtual machine. If you're using a Linux machine, the path must start with */var/captures*. <br> This option is available if you selected **File** or **Both** as a capture location. |

+ | Maximum bytes per packet | Enter the maximum number of bytes to be captured per each packet. All bytes are captured if left blank or 0 entered. |

+ | Maximum bytes per session | Enter the total number of bytes that are captured. Once the value is reached the packet capture stops. Up to 1 GB is captured if left blank. |

+ | Time limit (seconds) | Enter the time limit of the packet capture session in seconds. Once the value is reached the packet capture stops. Up to 5 hours (18,000 seconds) is captured if left blank. |

+ | **Filtering (optional)** | |

+ | Add filter criteria | Select **Add filter criteria** to add a new filter. You can define as many filters as you need. |

+ | Protocol | Filters the packet capture based on the selected protocol. Available values are **TCP**, **UDP**, or **Any**. |

+ | Local IP address<sup>2</sup> | Filters the packet capture for packets where the local IP address matches this value. |

+ | Local port<sup>2</sup> | Filters the packet capture for packets where the local port matches this value. |

+ | Remote IP address<sup>2</sup> | Filters the packet capture for packets where the remote IP address matches this value. |

+ | Remote port<sup>2</sup> | Filters the packet capture for packets where the remote port matches this value. |

+ <sup>1</sup> Premium storage accounts are currently not supported for storing packet captures.

+

+ <sup>2</sup> Port and IP address values can be a single value, a range such as 80-1024, or multiple values such as 80, 443.

+ :::image type="content" source="./media/network-watcher-packet-capture-manage-portal/add-packet-capture.png" alt-text="Screenshot of Add packet capture in the Azure portal showing available options.":::

+1. Once the time limit set on the packet capture is reached, the packet capture stops and can be reviewed. To manually stop a packet capture session before it reaches its time limit, select the **...** on the right-side of the packet capture, or right-click it, then select **Stop**.

+ :::image type="content" source="./media/network-watcher-packet-capture-manage-portal/stop-packet-capture.png" alt-text="Screenshot that shows how to stop a packet capture in the Azure portal.":::

+## Download a packet capture

+After concluding your packet capture session, the resulting capture file is saved to Azure storage, a local file on the target virtual machine or both. The storage destination for the packet capture is specified during its creation. For more information, see [Start a packet capture](#start-a-packet-capture).

+To download a packet capture file saved to Azure storage, follow these steps:

+1. In the **Packet capture** page, select the packet capture that you want to download its file.

+1. In the **Details** section, select the packet capture file link.

+ :::image type="content" source="./media/network-watcher-packet-capture-manage-portal/packet-capture-file.png" alt-text="Screenshot that shows how to select the packet capture file in the Azure portal.":::

+1. In the blob page, select **Download**.

+> You can also download the capture file from the storage account container using the Azure portal or Storage Explorer<sup>1</sup> at the following path:

+> ```

+> https://{storageAccountName}.blob.core.windows.net/network-watcher-logs/subscriptions/{subscriptionId}/resourcegroups/{storageAccountResourceGroup}/providers/microsoft.compute/virtualmachines/{virtualMachineName}/{year}/{month}/{day}/packetcapture_{UTCcreationTime}.cap

+> ```

+> <sup>1</sup> Storage Explorer is a standalone app that you can conveniently use to access and work with Azure Storage data. For more information, see [Get started with Storage Explorer](../vs-azure-tools-storage-manage-with-storage-explorer.md).

+To download a packet capture file saved to the virtual machine (VM), connect to the VM and download the file from the local path specified during the packet capture creation.

+## Delete a packet capture

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In the search box at the top of the portal, enter *Network Watcher*, then select **Network Watcher** from the search results.

+1. Select **Packet capture** under **Network diagnostic tools**.

+1. In the **Packet capture** page, select **...** on the right-side of the packet capture that you want to delete, or right-click it, then select **Delete**.

+ :::image type="content" source="./media/network-watcher-packet-capture-manage-portal/delete-packet-capture.png" alt-text="Screenshot that shows how to delete a packet capture from Network Watcher in Azure portal.":::

+1. Select **Yes**.

+> [!IMPORTANT]

+> Deleting a packet capture in Network Watcher doesn't delete the capture file from the storage account or the virtual machine. If you don't need the capture file anymore, you must manually delete it from the storage account to avoid incurring storage costs.

+## Related content

+ Title: Set up remote write for Azure Monitor managed service for Prometheus

+description: Learn how to set up remote write to send data from the default Prometheus server running in your Azure Red Hat OpenShift cluster to your Azure Monitor workspace.

+# Send data to an Azure Monitor workspace from your Prometheus server

+Azure Red Hat OpenShift is preinstalled with a default Prometheus server. As detailed in the Azure Red Hat OpenShift [support policy](support-policies-v4.md), this default Prometheus server shouldn't be removed.

+In some scenarios, you might want to centralize data from self-managed Prometheus clusters for long-term data retention to create a centralized view across your clusters. You can use Azure Monitor managed service for Prometheus to collect and analyze metrics at scale by using a Prometheus-compatible monitoring solution that's based on the [Prometheus](https://aka.ms/azureprometheus-promio) project from the Cloud Native Computing Foundation. You can use [remote write](https://prometheus.io/docs/operating/integrations/#remote-endpoints-and-storage) to send data from Prometheus servers in your cluster to the Azure managed service.

+To send data from a Prometheus server by using remote write, you need:

+- An [Azure Monitor workspace](../azure-monitor/essentials/azure-monitor-workspace-overview.md). If you don't already have a workspace, you must [create a new workspace](../azure-monitor/essentials/azure-monitor-workspace-manage.md#create-an-azure-monitor-workspace).

+## Register an application with Microsoft Entra ID

+1. Complete the steps to [register an application with Microsoft Entra ID](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal) and create a service principal.

+1. Copy the tenant ID and client ID of the service principal:

+ 1. In the [Microsoft Entra admin center](https://entra.microsoft.com), go to **Identity** > **Applications** > **App registrations**, and then select your application.

+ 1. Go to the **Overview** page for the app.

+ 1. Copy and retain the **Directory (tenant) ID** value.

+ 1. Copy and retain the **Application (client) ID** value.

+1. Create a [new client secret](../active-directory/develop/howto-create-service-principal-portal.md#option-3-create-a-new-client-secret). Copy and retain the value of the secret.

+1. In your application code, set the values of the tenant ID, client ID, and client secret that you copied:

+ ```bash

+ export TENANT_ID=<tenant-id>

+ export CLIENT_ID=<client-id>

+ export CLIENT_SECRET=<client-secret>

+ ```

+## Assign the Monitoring Metrics Publisher role to the application

+The application must have the Monitoring Metrics Publisher role for the data collection rule that is associated with your Azure Monitor workspace.

+1. In the Azure portal, go to the instance of Azure Monitor for your subscription.

+1. On the resource menu, select **Data Collection Rules**.

+1. Select the data collection rule that is associated with your Azure Monitor workspace.

+1. On the **Overview** page for the data collection rule, select **Access control (IAM)**.

+1. Select **Add**, and then select **Add role assignment**.

+1. Select the **Monitoring Metrics Publisher** role, and then select **Next**.

+1. Select **User, group, or service principal**, and then choose **Select members**. Select the application that you registered, and then choose **Select**.

+1. To complete the role assignment, select **Review + assign**.

+## Create a secret in your Azure Red Hat OpenShift cluster

+To authenticate by using a remote write endpoint, you use the OAuth 2.0 authentication method from the [supported remote write authentication settings](https://docs.openshift.com/container-platform/4.11/monitoring/configuring-the-monitoring-stack.html#supported_remote_write_authentication_settings_configuring-the-monitoring-stack).

+To begin, create a secret by using the client ID and client secret:

+```yaml

+## Set up remote write

+To [set up remote write](https://docs.openshift.com/container-platform/4.11/monitoring/configuring-the-monitoring-stack.html#configuring_remote_write_storage_configuring-the-monitoring-stack) for the default platform monitoring, update the *cluster-monitoring-config* config map YAML file in the openshift-monitoring namespace.

+1. Open the config map file for editing:

+ ```bash

+ ```yaml

+1. Update the config map file:

+ 1. Replace `INGESTION-URL` in the config map file with the value for **Metrics ingestion endpoint** from the **Overview** page for the Azure Monitor workspace.

+ 1. Replace `TENANT_ID` in the config map file with the tenant ID of the service principal.

+## Visualize metrics by using Azure Managed Grafana

+You can use community Grafana dashboards to visualize the captured metrics, or you can create contextual dashboards.

+1. [Link the Azure Managed Grafana workspace](../azure-monitor/essentials/azure-monitor-workspace-manage.md?tabs=azure-portal#link-a-grafana-workspace) to your Azure Monitor workspace.

+1. [Import](../managed-grafan?tabs=azure-portal#import-a-grafana-dashboard) the community Grafana dashboard [Openshift/K8 Cluster Overview](https://grafana.com/grafana/dashboards/3870-openshift-k8-cluster-overview/) (ID 3870) to the Grafana workspace.

+1. For the data source, use your Azure Monitor workspace.

+To access the dashboard, in your Azure Managed Grafana workspace, go to **Home** > **Dashboards**, and then select the dashboard.

+## Troubleshoot

+For troubleshooting information, see [Azure Monitor managed service for Prometheus remote write](../azure-monitor/containers/prometheus-remote-write.md#hitting-your-ingestion-quota-limit).

+## Related content

+- [Learn more about Azure Monitor managed service for Prometheus](../azure-monitor/essentials/prometheus-metrics-overview.md)

+## Monitor virtual machine scale sets by using the New Relic agent

+You can install New Relic agent on virtual machine scale sets as an extension. Select **Virtual Machine Scale Sets** under **New Relic account config** in the Resource menu. In the working pane, you see a list of all virtual machine scale sets in the subscription.

+Virtual Machine Scale Sets (VMSS) is an Azure Compute resource which can be used to deploy and manage a set of identical VMs. Please familiarize yourself with the Azure resource [here](../../virtual-machine-scale-sets/overview.md) and the orchestration modes available [here](../../virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes.md).

+The native integration can be used to install agent on both the uniform and flexible scale-sets. The new instances (VMs) of a scale set, in any mode, will receive the agent extension in the event of a scale-up scenario. VMSS resources in a uniform orchestration mode supports Automatic, Rolling, and Manual upgrade policy while resources in Flexible orchestration mode only supports manual upgrade today. In case, a manual upgrade policy is set for a resource, please upgrade the instances manually by installing the agent extension for the already scaled up instances. The auto-scaling and instance orchestration guide can be found [here](../../virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes.md#autoscaling-and-instance-orchestration)

+> [!NOTE]

+> In manual upgrade policy, pre-existing VM instances will not receive the extension automatically. This will show the agent status as **Partially Installed**. Please upgrade the VM instances by manually installing extension on them from the VM extensions blade or by going to ΓÇÿVMSS resource/InstancesΓÇÖ view.

+> [!NOTE]

+> The agent installation dashboard will support the automatic and rolling upgrade policy for Flex orchestration mode in the next release when similar support is available from VMSS Flex resources.

+- When the storage usage reaches 95% or if the available capacity is less than 5 GiB whichever is more, the server is automatically switched to **read-only mode** to avoid errors associated with disk-full situations. In rare cases, if the rate of data growth outpaces the time it takes to switch to read-only mode, your Server may still run out of storage. You can enable storage autogrow to avoid these issues and automatically scale your storage based on your workload demands.

+- We recommend setting alert rules for `storage used` or `storage percent` when they exceed certain thresholds so that you can proactively take action such as increasing the storage size. For example, you can set an alert if the storage percentage exceeds 80% usage.

+- If you're using logical replication, then you must drop the logical replication slot in the primary server if the corresponding subscriber no longer exists. Otherwise, the WAL files accumulate in the primary filling up the storage. If the storage threshold exceeds certain threshold and if the logical replication slot isn't in use (due to a non-available subscriber), Azure Database for PostgreSQL flexible server automatically drops that unused logical replication slot. That action releases accumulated WAL files and avoids your server becoming unavailable due to storage getting filled situation.

+- Public access database servers can connect to the public internet, for example through `postgres_fdw`, and this access can't be restricted. VNET-based servers can have restricted outbound access using Network Security Groups.

+- Manually moving servers to a different availability zone is currently not supported. However, using the preferred AZ as the standby zone, you can enable HA. Once established, you can fail over to the standby and then disable HA.

+> Azure Database for PostgreSQL flexible server supports managed identities and service principals as group members.

+| Southeast Asia | :heavy_check_mark:| :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |

+ Title: Approve private endpoint connections across subscriptions

+description: Get started learning how to approve and manage private endpoint connections across subscriptions by using Azure Private Link.

+#customer intent: As a network administrator, I want to approve Private Link connections across Azure subscriptions.

+# Approve Private Link connections across subscriptions

+- Two active Azure subscriptions:

+| **storage1** *(This name is unique. Replace with the name you create.)* | subscription-1 | test-rg | East US 2 |

+For the private endpoint connection to complete successfully, the `Microsoft.Storage` and `Microsoft.Network` resource providers must be registered in **subscription-1**. Use the following steps to register the resource providers. If the `Microsoft.Storage` and `Microsoft.Network` resource providers are already registered, skip this step.

+1. Repeat the previous steps to register the `Microsoft.Network` resource provider.

+1. On the **Basics** tab of **Create a resource group**, enter or select the following information:

+## Obtain the storage account resource ID

+For the private endpoint connection to complete successfully, the `Microsoft.Storage` and `Microsoft.Network` resource providers must be registered in **subscription-2**. Use the following steps to register the resource providers. If the `Microsoft.Storage` and `Microsoft.Network` resource providers are already registered, skip this step.

+1. Repeat the previous steps to register the `Microsoft.Network` resource provider.

+1. On the **Basics** tab of **Create a private endpoint**, enter or select the following information:

+ | Resource group | Select **test-rg**. |

+- [Azure private endpoint overview](private-endpoint-overview.md)

+description: Describes how to remove or change the Azure Co-Administrator and Service Administrator roles, and how to view the Account Administrator.

+> Classic resources and classic administrators will be [retired on August 31, 2024](https://azure.microsoft.com/updates/cloud-services-retirement-announcement/). Starting February 26, 2024, you won't be able to add new Co-Administrators. Remove unnecessary Co-Administrators and use Azure RBAC for fine-grained access control.

+Microsoft recommends that you manage access to Azure resources using Azure role-based access control (Azure RBAC). However, if you are still using the classic deployment model, you'll need to use a classic subscription administrator role: Service Administrator and Co-Administrator. For information about how to migrate your resources from classic deployment to Resource Manager deployment, see [Azure Resource Manager vs. classic deployment](../azure-resource-manager/management/deployment-models.md).

+This article describes how to remove or change the Co-Administrator and Service Administrator roles, and how to view the Account Administrator.

+## Frequently asked questions

+Will Co-Administrators lose access after August 31, 2024?

+- Starting on August 31, 2024, Microsoft will start the process to remove access for Co-Administrators.

+What is the equivalent Azure role I should assign for Co-Administrators?

+- [Owner](built-in-roles.md#owner) role at subscription scope has the equivalent access. However, Owner is a [privileged administrator role](role-assignments-steps.md#privileged-administrator-roles) and grants full access to manage Azure resources. You should consider another Azure role with fewer permissions or reduce the scope.

+What should I do if I have a strong dependency on Co-Administrators?

+- Email ACARDeprecation@microsoft.com and describe your scenario.

+## View Co-Administrators

+Follow these steps to view the Co-Administrators for a subscription using the Azure portal.

+1. Sign in to the [Azure portal](https://portal.azure.com) as an [Owner](built-in-roles.md#owner) of a subscription.

+1. Open [Subscriptions](https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade) and select a subscription.

+1. Click **Access control (IAM)**.

+1. Click the **Classic administrators** tab to view a list of the Co-Administrators.

+ 

+## Assess Co-Administrators

+Use the following table to assess how to remove or re-assign Co-Administrators.

+| Assessment | Next steps|

+| | |

+| User no longer needs access | Follow steps to [remove Co-Administrator](#remove-a-co-administrator). |

+| User still needs some access, but not full access | 1. Determine the Azure role the user needs.<br/>2. Determine the scope the user needs.<br/>3. Follow steps to [assign an Azure role to user](role-assignments-portal.md).<br/>4. [Remove Co-Administrator](#remove-a-co-administrator). |

+| User needs the same access as a Co-Administrator | 1. Assign the [Owner role at subscription scope](role-assignments-portal-subscription-admin.md).<br/>2. [Remove Co-Administrator](#remove-a-co-administrator). |

+## Remove a Co-Administrator

+> [!IMPORTANT]

+> Classic resources and classic administrators will be [retired on August 31, 2024](https://azure.microsoft.com/updates/cloud-services-retirement-announcement/). Starting February 26, 2024, you won't be able to add new Co-Administrators. Remove unnecessary Co-Administrators and use Azure RBAC for fine-grained access control.

+Follow these steps to remove a Co-Administrator.

+1. Sign in to the [Azure portal](https://portal.azure.com) as an [Owner](built-in-roles.md#owner) of a subscription.

+1. Open [Subscriptions](https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade) and select a subscription.

+1. Click **Access control (IAM)**.

+1. Click the **Classic administrators** tab to view a list of the Co-Administrators.

+1. Add a check mark next to the Co-Administrator you want to remove.

+1. Click **Remove**.

+1. In the message box that appears, click **Yes**.

+ 

+> [!IMPORTANT]

+> Classic resources and classic administrators will be [retired on August 31, 2024](https://azure.microsoft.com/updates/cloud-services-retirement-announcement/). Starting February 26, 2024, you won't be able to add new Co-Administrators. Remove unnecessary Co-Administrators and use Azure RBAC for fine-grained access control.

+>

+1. Sign in to the [Azure portal](https://portal.azure.com) as an [Owner](built-in-roles.md#owner) of a subscription.

+1. Sign in to the [Azure portal](https://portal.azure.com) as an [Owner](built-in-roles.md#owner) of a subscription.

+> Classic resources and classic administrators will be [retired on August 31, 2024](https://azure.microsoft.com/updates/cloud-services-retirement-announcement/). Starting February 26, 2024, you won't be able to add new Co-Administrators. Remove unnecessary Co-Administrators and use Azure RBAC for fine-grained access control.

+> Classic resources and classic administrators will be [retired on August 31, 2024](https://azure.microsoft.com/updates/cloud-services-retirement-announcement/). Starting February 26, 2024, you won't be able to add new Co-Administrators. Remove unnecessary Co-Administrators and use Azure RBAC for fine-grained access control.

+>

+> For more information, see [Azure classic subscription administrators](classic-administrators.md).

+ You can either run the playbook using the configuration menu or directly from the command line.

+ ```bash

+

+ cd ${HOME}/Azure_SAP_Automated_Deployment/WORKSPACES/SYSTEM/BOMS/

+

+ export ANSIBLE_PRIVATE_KEY_FILE=sshkey

+

+ playbook_options=(

+ --inventory-file="${sap_sid}_hosts.yaml"

+ --private-key=${ANSIBLE_PRIVATE_KEY_FILE}

+ --extra-vars="_workspace_directory=`pwd`"

+ --extra-vars="@sap-parameters.yaml"

+ --extra-vars="bom_processing=true"

+ "${@}"

+ )

+

+ # Run the playbook to retrieve the ssh key from the Azure key vault

+ ansible-playbook "${playbook_options[@]}" ~/Azure_SAP_Automated_Deployment/sap-automation/deploy/ansible/pb_get-sshkey.yaml

+

+ # Run the playbook to perform the Operating System configuration

+ ansible-playbook "${playbook_options[@]}" ~/Azure_SAP_Automated_Deployment/sap-automation/deploy/ansible/playbook_bom_downloader.yaml

+

+ ```

+ if you want you can also pass the SAP User credentials as parameters

+ ```bash

+

+ cd ${HOME}/Azure_SAP_Automated_Deployment/WORKSPACES/SYSTEM/BOMS/

+ sap_username=<sap-username>

+ sap_user_password='<sap-password>'

+

+ export ANSIBLE_PRIVATE_KEY_FILE=sshkey

+

+ playbook_options=(

+ --inventory-file="${sap_sid}_hosts.yaml"

+ --private-key=${ANSIBLE_PRIVATE_KEY_FILE}

+ --extra-vars="_workspace_directory=`pwd`"

+ --extra-vars="@sap-parameters.yaml"

+ --extra-vars="s_user=${sap_username}"

+ --extra-vars="s_password=${sap_user_password}"

+ --extra-vars="bom_processing=true"

+ "${@}"

+ )

+

+ # Run the playbook to retrieve the ssh key from the Azure key vault

+ ansible-playbook "${playbook_options[@]}" ~/Azure_SAP_Automated_Deployment/sap-automation/deploy/ansible/pb_get-sshkey.yaml

+

+ # Run the playbook to perform the Operating System configuration

+ ansible-playbook "${playbook_options[@]}" ~/Azure_SAP_Automated_Deployment/sap-automation/deploy/ansible/playbook_bom_downloader.yaml

+

+ ```

+ Title: 'Quickstart: RAG app'

+description: Use Azure OpenAI Studio to chat with a search index on Azure AI Search. Explore the Retrieval Augmented Generation (RAG) pattern for your search solution.

+# Quickstart: Chat with your search index in Azure OpenAI Studio

+Get started with generative search using Azure OpenAI Studio's **Add your own data** option to implement a Retrieval Augmented Generation (RAG) experience powered by Azure AI Search.

+**Add your own data** gives you built-in data preprocessing (text extraction and clean up), data chunking, embedding, and indexing. You can stand up a chat experience quickly, experiment with prompts over your own data, and gain important insights as to how your content performs before writing any code.

+In this quickstart:

+> [!div class="checklist"]

+> + Deploy Azure OpenAI models

+> + Download sample PDFs

+> + Configure data processing

+> + Chat with your data in the Azure OpenAI Studio playground

+> + Test your index with different chat models, configurations, and history

+## Prerequisites

+## Set up model deployments

+1. Start [Azure OpenAI Studio](https://oai.azure.com/portal).

+1. Sign in, select your Azure subscription and Azure OpenAI resource, and then select **Use resource**.

+1. Under **Management > Deployments**, find or create a deployment for each of the following models:

+ + [text-embedding-ada-002](/azure/ai-services/openai/concepts/models#embeddings)

+ + [gpt-35-turbo](/azure/ai-services/openai/concepts/models#gpt-35)

+ Deploy more chat models if you want to test them with your data. Note that Text-Davinci-002 isn't supported.

+ If you create new deployments, the default configurations are suited for this tutorial. It's helpful to name each deployment after the model. For example, "text-embedding-ada-002" as the deployment name of the text-embedding-ada-002 model.

+## Generate a vector store for the playground

+1. Download the sample famous-speeches-pdf PDFs in [azure-search-sample-data](https://github.com/Azure-Samples/azure-search-sample-data/tree/main/famous-speeches-pdf).

+1. Sign in to the [Azure OpenAI Studio](https://oai.azure.com/portal).

+1. On the **Chat** page under **Playground**, select **Add your data (preview)**.

+1. Select **Add data source**.

+1. From the dropdown list, select **Upload files**.

+ :::image type="content" source="media/search-get-started-rag/azure-openai-data-source.png" lightbox="media/search-get-started-rag/azure-openai-data-source.png" alt-text="Screenshot of the upload files option.":::

+1. In Data source, select your Azure Blob storage resource. Enable cross-origin scripting if prompted.

+1. Select your Azure AI Search resource.

+1. Provide an index name that's unique in your search service.

+1. Check **Add vector search to this search index.**

+1. Select **Azure OpenaI - text-embedding-ada-002**.

+1. Check the acknowledgment that Azure AI Search is a billable service. If you're using an existing search service, there's no extra charge for vector store unless you add semantic ranking. If you're creating a new service, Azure AI Search becomes billable upon service creation.

+1. Select **Next**.

+1. In Upload files, select the four files and then select **Upload**.

+1. Select **Next**.

+1. In Data Management, choose **Hybrid + semantic** if [semantic ranking is enabled](semantic-how-to-enable-disable.md) on your search service. If semantic ranking is disabled, choose **Hybrid (vector + keyword)**. Hybrid is a better choice because vector (similarity) search and keyword search execute the same query input in parallel, which can produce a more relevant response.

+ :::image type="content" source="media/search-get-started-rag/azure-openai-data-manage.png" lightbox="media/search-get-started-rag/azure-openai-data-manage.png" alt-text="Screenshot of the data management options.":::

+1. Acknowledge that vectorization of the sample data is billed at the usage rate of the Azure OpenAI embedding model.

+1. Select **Next**, and then select **Review and Finish**.

+## Chat with your data

+1. Review advanced settings that determine how much flexibility the chat model has in supplementing the grounding data, and how many chunks are returned from the query to the vector store.

+ Strictness determines whether the model supplements the query with its own information. A level of 5 is no supplementation. Only your grounding data is used, which means the search engine plays a large role in the quality of the response. Semantic ranking can be helpful in this scenario because the ranking models do a better job of interpreting the intent of the query.

+ Lower levels of strictness produce more verbose answers, but might also include information that isn't in your index.

+ :::image type="content" source="media/search-get-started-rag/azure-openai-studio-advanced-settings.png" alt-text="Screenshot of the advanced settings.":::

+1. Start with these settings:

+ + Check the **Limit responses to your data content** option.

+ + Strictness set to 3.

+ + Retrieved documents set to 20. Given chunk sizes of 1024 tokens, a setting of 20 gives you roughly 20,000 tokens to use for generating responses. The tradeoff is query latency, but you can experiment with chat replay to find the right balance.

+1. Send your first query. The chat models perform best in question and answer exercises. For example, "who gave the Gettysburg speech" or "when was the Gettysburg speech delivered".

+ More complex queries, such as "why was Gettysburg important", perform better if the model has some latitude to answer (lower levels of strictness) or if semantic ranking is enabled.

+ Queries that require deeper analysis, such as "how many speeches are in the vector store", might fail to return a response. In RAG pattern chat scenarios, information retrieval is keyword and similarity search against the query string, where the search engine looks for chunks having exact or similar terms, phrases, or construction. The payload might have insufficient data for the model to work with.

+ Finally, chats are constrained by the number of documents (chunks) returned in the response (limited to 3-20 in Azure OpenAI Studio playground). As you can imagine, posing a question about "all of the titles" requires a full scan of the entire vector store, which means a different approach, or modifying the generated code to allow for [exhaustive search](vector-search-how-to-create-index.md#add-a-vector-search-configuration) in the vector search configuration.

+ :::image type="content" source="media/search-get-started-rag/chat-results.png" lightbox="media/search-get-started-rag/chat-results.png" alt-text="Screenshot of a chat session.":::

+## Next steps

+Now that you're familiar with the benefits of Azure OpenAI Studio for scenario testing, review code samples that demonstrate the full range of APIs for RAG applications. Samples are available in [Python](https://github.com/Azure/azure-search-vector-samples/tree/main/demo-python), [C#](https://github.com/Azure/azure-search-vector-samples/tree/main/demo-dotnet), and [JavaScript](https://github.com/Azure/azure-search-vector-samples/tree/main/demo-javascript).

+## Clean up

+Azure AI Search is a billable resource for as long as the service exists. If it's no longer needed, delete it from your subscription to avoid charges.

+For clusters running on Azure, Microsoft Entra ID is recommended to secure access to management endpoints. This article describes how to set up Microsoft Entra ID to authenticate clients for a Service Fabric cluster.

+In this article, the term "application" refers to [Microsoft Entra applications](../active-directory/develop/developer-glossary.md#client-application), not Service Fabric applications; the distinction is made where necessary. Microsoft Entra ID enables organizations (known as tenants) to manage user access to applications.

+A Service Fabric cluster offers several entry points to its management functionality, including the web-based [Service Fabric Explorer][service-fabric-visualizing-your-cluster] and [Visual Studio][service-fabric-manage-application-in-visual-studio]. As a result, you'll create two Microsoft Entra applications to control access to the cluster: one web application and one native application. After the applications are created, you'll assign users to read-only and admin roles.

+> It's a [known issue](https://github.com/microsoft/service-fabric/issues/399) that applications and nodes on Linux Microsoft Entra ID-enabled clusters cannot be viewed in Azure Portal.

+> Microsoft Entra ID now requires an application (app registration) publishers domain to be verified or use of default scheme. See [Configure an application's publisher domain](../active-directory/develop/howto-configure-publisher-domain.md) and [AppId Uri in single tenant applications requires use of default scheme or verified domains](../active-directory/develop/reference-breaking-changes.md#appid-uri-in-single-tenant-applications-will-require-use-of-default-scheme-or-verified-domains) for additional information.

+> Starting in Service Fabric 11.0, Service Fabric Explorer requires a Single-page application Redirect URI instead of a Web Redirect URI.

+In this article, we assume that you have already created a tenant. If you haven't, start by reading [How to get a Microsoft Entra tenant][active-directory-howto-tenant].

+To simplify some of the steps involved in configuring Microsoft Entra ID with a Service Fabric cluster, we have created a set of Windows PowerShell scripts. Some actions require administrative level access to Microsoft Entra ID. If the script experiences a 401 or 403 'Authorization_RequestDenied' error, an administrator needs to execute script.

+Run `SetupApplications.ps1` and provide the tenant ID, cluster name, web application URI, and web application reply URL as parameters. Use -remove to remove the app registrations. Using -logFile `<log file path>` generates a transcript log. See script help (help .\setupApplications.ps1 -full) for additional information. The script creates the web and native applications to represent your Service Fabric cluster. The two new app registration entries are in the following format:

+- **clusterName:** *ClusterName* is used to prefix the Microsoft Entra applications that are created by the script. It doesn't need to match the actual cluster name exactly. It's intended only to make it easier to map Microsoft Entra artifacts to the Service Fabric cluster that they're being used with.

+- **SpaApplicationReplyUrl:** *SpaApplicationReplyUrl* is the default endpoint that Microsoft Entra ID returns to your users after they finish signing in. Set this endpoint as the Service Fabric Explorer endpoint for your cluster. If you're creating Microsoft Entra applications to represent an existing cluster, make sure this URL matches your existing cluster's endpoint. If you're creating applications for a new cluster, plan the endpoint for your cluster and make sure not to use the endpoint of an existing cluster. By default the Service Fabric Explorer endpoint is: `https://<cluster_domain>:19080/Explorer/https://docsupdatetracker.net/index.html`

+- **webApplicationUri:** *WebApplicationUri* is either the URI of a 'verified domain' or URI using API scheme format of API://{{tenant Id}}/{{cluster name}}. See [AppId Uri in single tenant applications requires use of default scheme or verified domains](../active-directory/develop/reference-breaking-changes.md#appid-uri-in-single-tenant-applications-will-require-use-of-default-scheme-or-verified-domains) for additional information.

+ Example API scheme: API://0e3d2646-78b3-4711-b8be-74a381d9890c/mysftestcluster

+$webApplicationUri = "API://$tenantId/$clusterName" # < doesn't have to be verified domain

+SetupUser.ps1 is used to add user accounts to the newly created app registration using $configObj output variable from above. Specify username for user account to be configured with app registration and specify 'isAdmin' for administrative permissions. If the user account is new, provide the temporary password for the new user as well. The password needs to be changed on first logon. If you use '-remove', you'll remove the user account, not just the app registration.

+[](https://shell.azure.com/powershell)

+Response status code doesn't indicate success: 400 (Bad Request).

+Configuration changes haven't propagated. Scripts retry on certain requests with HTTP status codes 400 and 404.

+Scripts retry on certain requests with HTTP status codes 400 and 404 upto provided '-timeoutMin' which is by default 5 minutes. Script can be re-executed as needed.

+The user isn't assigned a role in the Microsoft Entra ID cluster application. Thus, Microsoft Entra authentication fails on Service Fabric cluster. Service Fabric Explorer falls back to certificate authentication.

+When you try to sign in to Microsoft Entra ID in Service Fabric Explorer, the page returns a failure: "AADSTS50011: The reply address &lt;url&gt; doesn't match the reply addresses configured for the application: &lt;guid&gt;."

+![SFX reply address doesn't match][sfx-reply-address-not-match]

+The cluster (web) application that represents Service Fabric Explorer attempts to authenticate against Microsoft Entra ID, and as part of the request it provides the redirect return URL. But the URL isn't listed in the Microsoft Entra application **REPLY URL** list.

+When you try to connect to a Service Fabric cluster using Microsoft Entra ID via PowerShell, the sign-in page returns a failure: "AADSTS50011: The reply url specified in the request doesn't match the reply urls configured for the application: &lt;guid&gt;."

+Work with an Administrator of Azure tenant or Microsoft Entra ID to complete all remaining actions. The scripts provided are idempotent, so they can be re-executed to complete the process.

+> [Map an existing custom domain to Azure Spring Apps](./how-to-custom-domain.md)

+description: This article describes the version support for Java, Spring Boot, and Spring Cloud, and the customer responsibilities when developing Azure Spring Apps.

+

+

+

+

+

+

+

+

+

+

+>

+> With Spring Boot Native Image applications, use the [Azure Monitor OpenTelemetry Distro / Application Insights in Spring Boot native image Java application](https://aka.ms/AzMonSpringNative) project instead of the Application Insights Java agent.

+ :::image type="content" source="media/how-to-cicd/pipeline-task-setting.jpg" alt-text="Screenshot of pipeline settings." lightbox="media/how-to-cicd/pipeline-task-setting.jpg":::

+ :::image type="content" source="media/how-to-cicd/create-new-job.jpg" alt-text="Screenshot of where to select to add a task to a job." lightbox="media/how-to-cicd/create-new-job.jpg":::

+ :::image type="content" source="media/how-to-cicd/change-artifact-path.jpg" alt-text="Screenshot of the 'Select a file or folder' dialog box." lightbox="media/how-to-cicd/change-artifact-path.jpg":::

+1. Change the action to **Set Production Deployment**.

+1. Select **Save**, then **Create release** to automatically start the deployment.

+#### [Azure CLI](#tab/Azure-CLI)

+- Use liveness and readiness probes together. Azure Spring Apps provides two approaches for service discovery at the same time. When the readiness probe fails, the app instance is removed only from Kubernetes service discovery. A properly configured liveness probe can remove the issued app instance from Eureka service discovery to avoid unexpected cases. For more information about service discovery, see [Discover and register your Spring Boot applications](how-to-service-registration.md). For more information about service discovery with the Enterprise plan, see [Use Tanzu Service Registry](how-to-enterprise-service-registry.md).

+Name the third file *AzureMonitorAddresses.csv*. This file should contain all addresses and IP ranges to be made available for metrics and monitoring via Azure Monitor, if you're using Azure monitor. The values in the following example are for demonstration purposes only. For up-to-date values, see [IP addresses used by Azure Monitor](../azure-monitor/ip-addresses.md).

+- A Spring app deployed to Azure Spring Apps.

+| Managed identity | ✔️ | ✔️ | |

+1. The secure communication between the ingress controller and the applications in Azure Spring Apps are controlled by the ingress-to-app TLS. You can also control the communication through the portal or CLI, which will be explained later in this article. If ingress-to-app TLS is disabled, the communication between the ingress controller and the apps in Azure Spring Apps is HTTP. If ingress-to-app TLS is enabled, the communication will be HTTPS and has no relation to the communication between the clients and the ingress controller. The ingress controller won't verify the certificate returned from the apps because the ingress-to-app TLS encrypts the communication.

+1. Communication between the apps and the Azure Spring Apps services is always HTTPS and handled by Azure Spring Apps. Such services include config server, service registry, and Eureka server.

+1. You manage the communication between the applications. You can also take advantage of Azure Spring Apps features to load certificates into the application's trust store. For more information, see [Use TLS/SSL certificates in an application](./how-to-use-tls-certificate.md).

+1. You manage the communication between applications and external services. To reduce your development effort, Azure Spring Apps helps you manage your public certificates and loads them into your application's trust store. For more information, see [Use TLS/SSL certificates in an application](./how-to-use-tls-certificate.md).

+[Access Config Server and Service Registry](how-to-access-data-plane-azure-ad-rbac.md)

+### Supported APM types

+1. To view or edit an APM configuration, select the ellipsis (**...**) button for the configuration, then select **Edit APM**.

+ --service <Azure-Spring-Apps-instance-name>

+ --service <Azure-Spring-Apps-instance-name>

+ --name <app-name> \

+ --name <app-name> \

+| Managed identity | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ️ | ✔️ |

+| Feature description | Comment | Environment variable | Usage |

+|||-||

+| Integrate with Bellsoft OpenJDK. | Configures the JDK version. Currently supported: JDK 8, 11, 17, and 20. | `BP_JVM_VERSION` | `--build-env BP_JVM_VERSION=17` |

+| Configure arguments for the `native-image` command. | Arguments to pass directly to the native-image command. These arguments must be valid and correctly formed or the native-image command fails. | `BP_NATIVE_IMAGE_BUILD_ARGUMENTS` | `--build-env BP_NATIVE_IMAGE_BUILD_ARGUMENTS="--no-fallback"` |

+| Add CA certificates to the system trust store at build and runtime. | See [How to configure APM integration and CA certificates](./how-to-enterprise-configure-apm-integration-and-ca-certificates.md). | Not applicable. | Not applicable. |

+| Enable configuration of labels on the created image | Configures both OCI-specified labels with short environment variable names and arbitrary labels using a space-delimited syntax in a single environment variable. | `BP_IMAGE_LABELS` <br> `BP_OCI_AUTHORS` <br> See more environment variables [here](https://github.com/paketo-buildpacks/image-labels). | `--build-env BP_OCI_AUTHORS=<value>` |

+| Support building Maven-based applications from source. | Used for a multi-module project. Indicates the module to find the application artifact in. Defaults to the root module (empty). | `BP_MAVEN_BUILT_MODULE` | `--build-env BP_MAVEN_BUILT_MODULE=./gateway` |

+- One or more applications running in Azure Spring Apps.

+- An Azure Spring Apps service instance.

+ :::image type="content" source="media/how-to-integrate-azure-load-balancers/traffic-manager-1.png" alt-text="Screenshot of the Azure portal that shows the Add endpoint page with an eastus FQDN with Priority 1." lightbox="media/how-to-integrate-azure-load-balancers/traffic-manager-1.png":::

+ :::image type="content" source="media/how-to-integrate-azure-load-balancers/traffic-manager-2.png" alt-text="Screenshot of the Azure portal that shows the Add endpoint page with a westus FQDN with Priority 2." lightbox="media/how-to-integrate-azure-load-balancers/traffic-manager-2.png":::

+ :::image type="content" source="media/how-to-integrate-azure-load-balancers/app-gateway-1.png" alt-text="Screenshot of the Azure portal that shows the Add backend pool page with the Backend targets values highlighted." lightbox="media/how-to-integrate-azure-load-balancers/app-gateway-1.png":::

+1. The key point is to select **No** for **Pick host name from backend HTTP settings** option and explicitly specify the host name. For more information, see [Application Gateway configuration for host name preservation](/azure/architecture/best-practices/host-name-preservation#application-gateway).

+ :::image type="content" source="media/how-to-integrate-azure-load-balancers/app-gateway-2.png" alt-text="Screenshot of the Azure portal that shows the probe page." lightbox="media/how-to-integrate-azure-load-balancers/app-gateway-2.png":::

+1. **Override with new host name:** select **No**.

+1. **Use custom probe**: select **Yes** and pick the custom probe created above.

+ :::image type="content" source="media/how-to-integrate-azure-load-balancers/app-gateway-3.png" alt-text="Screenshot of the Azure portal that shows the Add Backend setting page." lightbox="media/how-to-integrate-azure-load-balancers/app-gateway-3.png":::

+ :::image type="content" source="media/how-to-integrate-azure-load-balancers/front-door-1.png" alt-text="Screenshot of the Azure portal that shows the Add an origin group page with the Add an origin button highlighted." lightbox="media/how-to-integrate-azure-load-balancers/front-door-1.png":::

+ :::image type="content" source="media/how-to-integrate-azure-load-balancers/front-door-2.png" alt-text="Screenshot of the Azure portal that shows the Add an origin page." lightbox="media/how-to-integrate-azure-load-balancers/front-door-2.png":::

+1. Open **Access control (IAM)**.

+1. Select **Add**.

+1. Select **Add custom role**.

+1. Select **Next**:

+ :::image type="content" source="media/how-to-permissions/create-custom-role.png" alt-text="Screenshot that shows the Basics tab of the Create a custom role window." lightbox="media/how-to-permissions/create-custom-role.png":::

+1. Select **Add permissions**:

+ :::image type="content" source="media/how-to-permissions/add-permissions.png" alt-text="Screenshot that shows the Add permissions button." lightbox="media/how-to-permissions/add-permissions.png":::

+1. In the search box, search for **Microsoft.app**. Select **Microsoft Azure Spring Apps**:

+ :::image type="content" source="media/how-to-permissions/spring-cloud-permissions.png" alt-text="Screenshot that shows the results of searching for Microsoft.app." lightbox="media/how-to-permissions/spring-cloud-permissions.png":::

+1. Select the permissions for the Developer role.

+ :::image type="content" source="media/how-to-permissions/developer-permissions-box.png" alt-text="Screenshot of Azure portal that shows the selections for Developer permissions." lightbox="media/how-to-permissions/developer-permissions-box.png":::

+1. Select **Add**.

+1. Review the permissions.

+1. Select **Review and create**.

+1. Open **Access control (IAM)**.

+1. Select **Add**.

+1. Select **Add custom role**.

+1. Select **Next**.

+1. Select the **JSON** tab.

+1. Select **Edit**, and then delete the default text:

+ :::image type="content" source="media/how-to-permissions/create-custom-role-edit-json.png" alt-text="Screenshot that shows the default JSON text." lightbox="media/how-to-permissions/create-custom-role-edit-json.png":::

+1. Paste in the following JSON to define the Developer role:

+ :::image type="content" source="media/how-to-permissions/create-custom-role-json.png" alt-text="Screenshot that shows the JSON for the Developer role." lightbox="media/how-to-permissions/create-custom-role-json.png":::

+1. Select **Save**.

+1. Review the permissions.

+1. Select **Review and create**.

+1. Select the permissions for the DevOps Engineer role:

+ :::image type="content" source="media/how-to-permissions/dev-ops-permissions.png" alt-text="Screenshot of Azure portal that shows the selections for DevOps permissions." lightbox="media/how-to-permissions/dev-ops-permissions.png":::

+1. Select **Add**.

+1. Review the permissions.

+1. Select **Review and create**.

+1. Select **Next**.

+1. Select the **JSON** tab.

+1. Select **Edit**, and then delete the default text:

+ :::image type="content" source="media/how-to-permissions/create-custom-role-edit-json.png" alt-text="Screenshot that shows the default JSON text." lightbox="media/how-to-permissions/create-custom-role-edit-json.png":::

+1. Paste in the following JSON to define the DevOps Engineer role:

+1. Review the permissions.

+1. Select **Review and create**.

+1. Select the permissions for the Ops - Site Reliability Engineering role:

+ :::image type="content" source="media/how-to-permissions/ops-sre-permissions.png" alt-text="Screenshot of Azure portal that shows the selections for Ops - Site Reliability Engineering permissions." lightbox="media/how-to-permissions/ops-sre-permissions.png":::

+1. Select **Add**.

+1. Review the permissions.

+1. Select **Review and create**.

+1. Select **Next**.

+1. Select the **JSON** tab.

+1. Select **Edit**, and then delete the default text:

+ :::image type="content" source="media/how-to-permissions/create-custom-role-edit-json.png" alt-text="Screenshot that shows the default JSON text." lightbox="media/how-to-permissions/create-custom-role-edit-json.png":::

+1. Paste in the following JSON to define the Ops - Site Reliability Engineering role:

+1. Review the permissions.

+1. Select **Review and create**.

+1. Open the **Permissions** options.

+1. Select the permissions for the Azure Pipelines / Jenkins / GitHub Actions role:

+ :::image type="content" source="media/how-to-permissions/pipelines-permissions-box.png" alt-text="Screenshot of Azure portal that shows the selections for Azure Pipelines / Jenkins / GitHub Actions permissions." lightbox="media/how-to-permissions/pipelines-permissions-box.png":::

+1. Select **Add**.

+1. Review the permissions.

+1. Select **Review and create**.

+1. Select **Next**.

+1. Select the **JSON** tab.

+1. Select **Edit**, and then delete the default text:

+ :::image type="content" source="media/how-to-permissions/create-custom-role-edit-json.png" alt-text="Screenshot that shows the default JSON text." lightbox="media/how-to-permissions/create-custom-role-edit-json.png":::

+1. Paste in the following JSON to define the Azure Pipelines / Jenkins / GitHub Actions role:

+1. Select **Add**.

+1. Review the permissions.

+ :::image type="content" source="media/how-to-use-tls-certificates/grant-key-vault-permission.png" alt-text="Screenshot of Azure portal 'Create an access policy' page with Permission pane showing and Get and List permissions highlighted." lightbox="media/how-to-use-tls-certificates/grant-key-vault-permission.png":::

+ :::image type="content" source="media/how-to-use-tls-certificates/select-service-principal.png" alt-text="Screenshot of Azure portal 'Create an access policy' page with Principal pane showing and Azure Spring Apps Resource Provider highlighted." lightbox="media/how-to-use-tls-certificates/select-service-principal.png":::

+- A Spring app deployed to Azure Spring Apps.

+- A Spring app deployed to Azure Spring Apps.

+> [Map an existing custom domain to Azure Spring Apps](./how-to-custom-domain.md)

+> [Map an existing custom domain to Azure Spring Apps](./how-to-custom-domain.md)

+> [!div class="nextstepaction"]

+> [Monitor your Spring Boot Native Image application](https://aka.ms/AzMonSpringNative)

+> [Map an existing custom domain to Azure Spring Apps](./how-to-custom-domain.md)

+ :::image type="content" source="./media/quickstart-integrate-azure-database-mysql/create-service-connection.png" alt-text="Screenshot of the Azure portal, in the Azure Spring Apps instance, create a connection with Service Connector.":::

+ :::image type="content" source="./media/quickstart-integrate-azure-database-mysql/basics-tab.png" alt-text="Screenshot of the Azure portal, filling out the basics tab in Service Connector.":::

+ :::image type="content" source="media/quickstart-provision-standard-consumption-app-environment-with-virtual-network/azure-spring-apps-start.png" alt-text="Screenshot of the Azure portal showing Azure Spring Apps in search results, with Azure Spring Apps highlighted in the search bar and in the results." lightbox="media/quickstart-provision-standard-consumption-app-environment-with-virtual-network/azure-spring-apps-start.png":::

+ :::image type="content" source="media/quickstart-provision-standard-consumption-app-environment-with-virtual-network/azure-spring-apps-create.png" alt-text="Screenshot of the Azure portal showing the Azure Spring Apps page with the Create button highlighted." lightbox="media/quickstart-provision-standard-consumption-app-environment-with-virtual-network/azure-spring-apps-create.png":::

+ :::image type="content" source="media/quickstart-provision-standard-consumption-app-environment-with-virtual-network/select-azure-container-apps-environment.png" alt-text="Screenshot of the Azure portal showing the Create Container Apps environment page with Consumption and Dedicated workload profiles selected for the plan." lightbox="media/quickstart-provision-standard-consumption-app-environment-with-virtual-network/select-azure-container-apps-environment.png":::

+ :::image type="content" source="media/quickstart-provision-standard-consumption-app-environment-with-virtual-network/create-azure-container-apps-environment.png" alt-text="Screenshot of the Azure portal showing the Create Container Apps environment page with the Basics tab selected." lightbox="media/quickstart-provision-standard-consumption-app-environment-with-virtual-network/create-azure-container-apps-environment.png":::

+ :::image type="content" source="media/quickstart-provision-standard-consumption-app-environment-with-virtual-network/create-workload-profiles.png" alt-text="Screenshot of the Azure portal showing the Create Workload Profiles tab." lightbox="media/quickstart-provision-standard-consumption-app-environment-with-virtual-network/create-workload-profiles.png":::

+ :::image type="content" source="media/quickstart-provision-standard-consumption-app-environment-with-virtual-network/create-azure-container-apps-environment-virtual-network.png" alt-text="Screenshot of the Azure portal showing the Create Container Apps environment page with the Networking tab selected." lightbox="media/quickstart-provision-standard-consumption-app-environment-with-virtual-network/create-azure-container-apps-environment-virtual-network.png":::

+- A Spring app deployed to Azure Spring Apps.

+ :::image type="content" source="media/structured-app-log/json-log-query.png" alt-text="Screenshot of the Azure portal showing the log Results pane." lightbox="media/structured-app-log/json-log-query.png":::

+The following sections describe metrics that cover issues including high memory usage, heap memory that's too large, and abnormal garbage collection abnormal (too frequent or not frequent enough). For more information, see [Quickstart: Monitoring Azure Spring Apps apps with logs, metrics, and tracing](quickstart-logs-metrics-tracing.md?pivots=programming-language-java).

+* The configuration items have their expected values. For more information, see [Set up a Spring Cloud Config Server instance for your service](./how-to-config-server.md). For the Enterprise plan, see [Use Application Configuration Service](./how-to-enterprise-application-configuration-service.md).

+You need to open some outgoing ports in your server's firewall to allow the Application Insights SDK or the Application Insights Agent to send data to the portal. For more information, see the [outgoing ports](../azure-monitor/ip-addresses.md#outgoing-ports) section of [IP addresses used by Azure Monitor](../azure-monitor/ip-addresses.md).

+| | [Blob index tags [Keys]](#blob-index-tags-keys) | Index tags on a blob resource (keys); available only for storage accounts where hierarchical namespace is not enabled |

+| | [Blob index tags [Values in key]](#blob-index-tags-values-in-key) | Index tags on a blob resource (values in key); available only for storage accounts where hierarchical namespace is not enabled |

+| | [Snapshot](#snapshot) | The Snapshot identifier for the Blob snapshot |

+| | [Version ID](#version-id) | The version ID of the versioned blob; available only for storage accounts where hierarchical namespace is not enabled |

+> | **Description** | Index tags on a blob resource.<br/>Arbitrary user-defined key-value properties that you can store alongside a blob resource. Use when you want to check the key in blob index tags.<br/>*Available only for storage accounts where hierarchical namespace is not enabled.* |

+> | **Description** | Index tags on a blob resource.<br/>Arbitrary user-defined key-value properties that you can store alongside a blob resource. Use when you want to check both the key (case-sensitive) and value in blob index tags.<br/>*Available only for storage accounts where hierarchical namespace is not enabled.* |

+> | **Description** | Name of the encryption scope used to encrypt data. |

+Currently, Azure attribute-based access control (Azure ABAC) is generally available (GA) for controlling access only to Azure Blob Storage, Azure Data Lake Storage Gen2, and Azure Queues using `request`, `resource`, and `principal` attributes in the standard storage account performance tier. It's either not available or in PREVIEW for other storage account performance tiers, resource types, and attributes.

+> [!NOTE]

+> Some storage features aren't supported for Data Lake Storage Gen2 storage accounts, which use a hierarchical namespace (HNS). To learn more, see [Blob storage feature support](storage-feature-support-in-storage-accounts.md).

+>

+>The following ABAC attributes aren't supported when hierarchical namespace is enabled for a storage account:

+>

+> - [Blob index tags [Keys]](storage-auth-abac-attributes.md#blob-index-tags-keys)

+> - [Blob index tags [Values in key]](storage-auth-abac-attributes.md#blob-index-tags-values-in-key)

+> - [Version ID](storage-auth-abac-attributes.md#version-id)

+| Availability for read requests | At least 99.9% (99% for cool/cold/archive access tiers) | At least 99.9% (99% for cool/cold access tier) | At least 99.9% (99% for cool/cold/archive access tiers) for GRS<br/><br/>At least 99.99% (99.9% for cool/cold/archive access tiers) for RA-GRS | At least 99.9% (99% for cool/cold access tier) for GZRS<br/><br/>At least 99.99% (99.9% for cool/cold access tier) for RA-GZRS |

+| Availability for write requests | At least 99.9% (99% for cool/cold/archive access tiers) | At least 99.9% (99% for cool/cold access tier) | At least 99.9% (99% for cool/cold/archive access tiers) | At least 99.9% (99% for cool/cold access tier) |

+`--include-directory-stub` False by default to ignore directory stubs. Directory stubs are blobs with metadata `hdi_isfolder:true`. Setting value to true will preserve directory stubs during transfers. Including this flag with no value defaults to true (*e.g,* `azcopy copy --include-directory-stub` is the same as `azcopy copy --include-directory-stub=true`).

+Azurite is automatically available with [Visual Studio 2022](https://visualstudio.microsoft.com/vs/). The Azurite executable is updated as part of Visual Studio new version releases. If you're running an earlier version of Visual Studio, you can install Azurite by using either Node Package Manager (npm), DockerHub, or by cloning the Azurite GitHub repository.

+In Visual Studio Code, select the **Extensions** icon and search for **Azurite**. Select the **Install** button to install the Azurite extension.

+#### Configure Azurite extension settings

+To configure Azurite settings within Visual Studio Code, select the **Extensions** icon. Select the **Manage** gear button for the **Azurite** entry. Select **Extension Settings**.

+> Azurite cannot be run from the command line if you only installed the Visual Studio Code extension. Instead, use the Visual Studio Code command palette to run commands. Configuration settings are detailed at [Configure Azurite extension settings](#configure-azurite-extension-settings).

+The Azurite extension supports the following Visual Studio Code commands. To open the command palette, press **F1** in Visual Studio Code.

+Azure Stream Analytics is Microsoft's proprietary technology and is only available on Azure. If you need your solution to be portable across Clouds or on-premises, consider open-source technologies such as Spark Structured Streaming or [Apache Flink](/azure/hdinsight-aks/flink/flink-overview).

+ Title: Azure Synapse Runtime for Apache Spark 3.1 (unsupported)

+# Azure Synapse Runtime for Apache Spark 3.1 (unsupported)

+> * End of life announced (EOLA) for Azure Synapse Runtime for Apache Spark 3.1 has been announced January 26, 2023.

+> * Effective January 26, 2024, the Azure Synapse has stopped official support for Spark 3.1 Runtimes.

+> * Post January 26, 2024, we will not be addressing any support tickets related to Spark 3.1. There will be no release pipeline in place for bug or security fixes for Spark 3.1. Utilizing Spark 3.1 post the support cutoff date is undertaken at one's own risk. We strongly discourage its continued use due to potential security and functionality concerns.

+> * Recognizing that certain customers may need additional time to transition to a higher runtime version, we are temporarily extending the usage option for Spark 3.1, but we will not provide any official support for it.

+> * We strongly advise to proactively upgrade their workloads to a more recent version of the runtime (e.g., [Azure Synapse Runtime for Apache Spark 3.3 (GA)](./apache-spark-33-runtime.md)).

+> End of Support Notification for Azure Synapse Runtime for Apache Spark 2.4 and Apache Spark 3.1.

+> * Effective September 29, 2023, the Azure Synapse will discontinue official support for Spark 2.4 Runtimes.

+> * Effective January 26, 2024, the Azure Synapse will discontinue official support for Spark 3.1 Runtimes.

+> * Post these dates, we will not be addressing any support tickets related to Spark 2.4 or 3.1. There will be no release pipeline in place for bug or security fixes for Spark 2.4 and 3.1. Utilizing Spark 2.4 or 3.1 post the support cutoff dates is undertaken at one's own risk. We strongly discourage its continued use due to potential security and functionality concerns.

+| [Azure Synapse Runtime for Apache Spark 3.1](./apache-spark-3-runtime.md) | May 26, 2021 | __End of Life (EOL) unsupported__ | January 26, 2023 | January 26, 2024 |

+| [Azure Synapse Runtime for Apache Spark 2.4](./apache-spark-24-runtime.md) | December 15, 2020 | __End of Life (EOL) unsupported__ | __July 29, 2022__ | __September 29, 2023__ |

+- If you are using PowerShell to create and assign your scaling plan, you will need module [Az.DesktopVirtualization](https://www.powershellgallery.com/packages/Az.DesktopVirtualization/) version 4.2.0 or later.

+### [Portal](#tab/portal)

+Now that you've assigned the *Desktop Virtualization Power On Off Contributor* role to the service principal on your subscriptions, you can create a scaling plan. To create a scaling plan using the portal:

+ #### Pooled host pools

+ #### Personal host pools

+1. Once you're done, go to the **Review + create** tab and select **Create** to create and assign your scaling plan to the host pools you selected.

+### [PowerShell](#tab/powershell)

+Here's how to create a scaling plan using the Az.DesktopVirtualization PowerShell module. The following examples show you how to create a scaling plan and scaling plan schedule.

+> [!IMPORTANT]

+> In the following examples, you'll need to change the `<placeholder>` values for your own.

+2. Create a scaling plan for your pooled or personal host pool(s) using the [New-AzWvdScalingPlan](/powershell/module/az.desktopvirtualization/new-azwvdscalingplan) cmdlet:

+

+ ```azurepowershell

+ $scalingPlanParams = @{

+ ResourceGroupName = '<resourceGroup>'

+ Name = '<scalingPlanName>'

+ Location = '<AzureRegion>'

+ Description = '<Scaling plan description>'

+ FriendlyName = '<Scaling plan friendly name>'

+ HostPoolType = '<Pooled or personal>'

+ TimeZone = '<Time zone, such as Pacific Standard Time>'

+ HostPoolReference = @(@{'hostPoolArmPath' = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<resourceGroup/providers/Microsoft.DesktopVirtualization/hostPools/<hostPoolName>'; 'scalingPlanEnabled' = $true;})

+ }

+ $scalingPlan = New-AzWvdScalingPlan @scalingPlanParams

+ ```

+

+3. Create a scaling plan schedule.

+ * For pooled host pools, use the [New-AzWvdScalingPlanPooledSchedule](/powershell/module/az.desktopvirtualization/new-azwvdscalingplanpooledschedule) cmdlet. This example creates a pooled scaling plan that runs on Monday through Friday, ramps up at 6:30 AM, starts peak hours at 8:30 AM, ramps down at 4:00 PM, and starts off-peak hours at 10:45 PM.

+ ```azurepowershell

+ $scalingPlanPooledScheduleParams = @{

+ ResourceGroupName = 'resourceGroup'

+ ScalingPlanName = 'scalingPlanPooled'

+ ScalingPlanScheduleName = 'pooledSchedule1'

+ DaysOfWeek = 'Monday','Tuesday','Wednesday','Thursday','Friday'

+ RampUpStartTimeHour = '6'

+ RampUpStartTimeMinute = '30'

+ RampUpLoadBalancingAlgorithm = 'BreadthFirst'

+ RampUpMinimumHostsPct = '20'

+ RampUpCapacityThresholdPct = '20'

+ PeakStartTimeHour = '8'

+ PeakStartTimeMinute = '30'

+ PeakLoadBalancingAlgorithm = 'DepthFirst'

+ RampDownStartTimeHour = '16'

+ RampDownStartTimeMinute = '0'

+ RampDownLoadBalancingAlgorithm = 'BreadthFirst'

+ RampDownMinimumHostsPct = '20'

+ RampDownCapacityThresholdPct = '20'

+ RampDownForceLogoffUser:$true

+ RampDownWaitTimeMinute = '30'

+ RampDownNotificationMessage = '"Log out now, please."'

+ RampDownStopHostsWhen = 'ZeroSessions'

+ OffPeakStartTimeHour = '22'

+ OffPeakStartTimeMinute = '45'

+ OffPeakLoadBalancingAlgorithm = 'DepthFirst'

+ }

+

+ $scalingPlanPooledSchedule = New-AzWvdScalingPlanPooledSchedule @scalingPlanPooledScheduleParams

+ ```

+

+ * For personal host pools, use the [New-AzWvdScalingPlanPersonalSchedule](/powershell/module/az.desktopvirtualization/new-azwvdscalingplanpersonalschedule) cmdlet. The following example creates a personal scaling plan that runs on Monday, Tuesday, and Wednesday, ramps up at 6:00 AM, starts peak hours at 8:15 AM, ramps down at 4:30 PM, and starts off-peak hours at 6:45 PM.

+ ```azurepowershell

+ $scalingPlanPersonalScheduleParams = @{

+ ResourceGroupName = 'resourceGroup'

+ ScalingPlanName = 'scalingPlanPersonal'

+ ScalingPlanScheduleName = 'personalSchedule1'

+ DaysOfWeek = 'Monday','Tuesday','Wednesday'

+ RampUpStartTimeHour = '6'

+ RampUpStartTimeMinute = '0'

+ RampUpAutoStartHost = 'WithAssignedUser'

+ RampUpStartVMOnConnect = 'Enable'

+ RampUpMinutesToWaitOnDisconnect = '30'

+ RampUpActionOnDisconnect = 'Deallocate'

+ RampUpMinutesToWaitOnLogoff = '3'

+ RampUpActionOnLogoff = 'Deallocate'

+ PeakStartTimeHour = '8'

+ PeakStartTimeMinute = '15'

+ PeakStartVMOnConnect = 'Enable'

+ PeakMinutesToWaitOnDisconnect = '10'

+ PeakActionOnDisconnect = 'Hibernate'

+ PeakMinutesToWaitOnLogoff = '15'

+ PeakActionOnLogoff = 'Deallocate'

+ RampDownStartTimeHour = '16'

+ RampDownStartTimeMinute = '30'

+ RampDownStartVMOnConnect = 'Disable'

+ RampDownMinutesToWaitOnDisconnect = '10'

+ RampDownActionOnDisconnect = 'None'

+ RampDownMinutesToWaitOnLogoff = '15'

+ RampDownActionOnLogoff = 'Hibernate'

+ OffPeakStartTimeHour = '18'

+ OffPeakStartTimeMinute = '45'

+ OffPeakStartVMOnConnect = 'Disable'

+ OffPeakMinutesToWaitOnDisconnect = '10'

+ OffPeakActionOnDisconnect = 'Deallocate'

+ OffPeakMinutesToWaitOnLogoff = '15'

+ OffPeakActionOnLogoff = 'Deallocate'

+ }

+

+ $scalingPlanPersonalSchedule = New-AzWvdScalingPlanPersonalSchedule @scalingPlanPersonalScheduleParams

+ ```

+ >[!NOTE]

+ > We recommended that `RampUpStartVMOnConnect` is enabled for the ramp up phase of the schedule if you opt out of having autoscale start session host VMs. For more information, see [Start VM on Connect](start-virtual-machine-connect.md).

+4. Use [Get-AzWvdScalingPlan](/powershell/module/az.desktopvirtualization/get-azwvdscalingplan) to get the host pool(s) that your scaling plan is assigned to.

+ ```azurepowershell

+ $params = @{

+ ResourceGroupName = 'resourceGroup'

+ Name = 'scalingPlanPersonal'

+ }

+

+ (Get-AzWvdScalingPlan @params).HostPoolReference | FL HostPoolArmPath,ScalingPlanEnabled

+ ```

+

+ You have now created a new scaling plan, 1 or more schedules, assigned it to your pooled or personal host pool(s), and enabled autoscale.

+### [Portal](#tab/portal)

+### [PowerShell](#tab/powershell)

+Here's how to update a scaling plan using the Az.DesktopVirtualization PowerShell module. The following examples show you how to update a scaling plan and scaling plan schedule.

+* Update a scaling plan using [Update-AzWvdScalingPlan](/powershell/module/az.desktopvirtualization/update-azwvdscalingplan). This example updates the scaling plan's timezone.

+ ```azurepowershell

+ $scalingPlanParams = @{

+ ResourceGroupName = 'resourceGroup'

+ Name = 'scalingPlanPersonal'

+ Timezone = 'Eastern Standard Time'

+ }

+

+ Update-AzWvdScalingPlan @scalingPlanParams

+ ```

+* Update a scaling plan schedule using [Update-AzWvdScalingPlanPersonalSchedule](/powershell/module/az.desktopvirtualization/update-azwvdscalingplanpersonalschedule). This example updates the ramp up start time.

+ ```azurepowershell

+ $scalingPlanPersonalScheduleParams = @{

+ ResourceGroupName = 'resourceGroup'

+ ScalingPlanName = 'scalingPlanPersonal'

+ ScalingPlanScheduleName = 'personalSchedule1'

+ RampUpStartTimeHour = '5'

+ RampUpStartTimeMinute = '30'

+ }

+

+ Update-AzWvdScalingPlanPersonalSchedule @scalingPlanPersonalScheduleParams

+ ```

+* Update a pooled scaling plan schedule using [Update-AzWvdScalingPlanPooledSchedule](/powershell/module/az.desktopvirtualization/update-azwvdscalingplanpooledschedule). This example updates the peak hours start time.

+ ```azurepowershell

+ $scalingPlanPooledScheduleParams = @{

+ ResourceGroupName = 'resourceGroup'

+ ScalingPlanName = 'scalingPlanPooled'

+ ScalingPlanScheduleName = 'pooledSchedule1'

+ PeakStartTimeHour = '9'

+ PeakStartTimeMinute = '15'

+ }

+

+ Update-AzWvdScalingPlanPooledSchedule @scalingPlanPooledScheduleParams

+ ```

+You can assign a scaling plan to any existing host pools of the same type in your deployment. When you assign a scaling plan to your host pool, the plan will apply to all session hosts within that host pool. The scaling plan also automatically applies to any new session hosts you create in the assigned host pool.

+### [Portal](#tab/portal)

+To assign a scaling plan to existing host pools:

+1. Select **Scaling plans**, and select the scaling plan you want to assign to host pools.

+1. Under the **Manage** heading, select **Host pool assignments**, and then select **+ Assign**. Select the host pools you want to assign the scaling plan to and select **Assign**. The host pools must be in the same Azure region as the scaling plan and the scaling plan's host pool type must match the type of host pools you're trying to assign it to.

+### [PowerShell](#tab/powershell)

+1. Assign a scaling plan to existing host pools using [Update-AzWvdScalingPlan](/powershell/module/az.desktopvirtualization/update-azwvdscalingplan). The following example assigns a personal scaling plan to two existing personal host pools.

+ ```azurepowershell

+ $scalingPlanParams = @{

+ ResourceGroupName = 'resourceGroup'

+ Name = 'scalingPlanPersonal'

+ HostPoolReference = @(

+ @{

+ 'hostPoolArmPath' = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup/providers/Microsoft.DesktopVirtualization/hostPools/scalingPlanPersonal';

+ 'scalingPlanEnabled' = $true;

+ },

+ @{

+ 'hostPoolArmPath' = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup/providers/Microsoft.DesktopVirtualization/hostPools/scalingPlanPersonal2';

+ 'scalingPlanEnabled' = $true;

+ }

+ )

+ }

+

+ $scalingPlan = Update-AzWvdScalingPlan @scalingPlanParams

+ ```

+2. Use [Get-AzWvdScalingPlan](/powershell/module/az.desktopvirtualization/get-azwvdscalingplan) to get the host pool(s) that your scaling plan is assigned to.

+ ```azurepowershell

+ $params = @{

+ ResourceGroupName = 'resourceGroup'

+ Name = 'scalingPlanPersonal'

+ }

+

+ (Get-AzWvdScalingPlan @params).HostPoolReference | FL HostPoolArmPath,ScalingPlanEnabled

+ ```

+If you'd like to learn more about terms used in this article, check out our [autoscale glossary](autoscale-glossary.md). For examples of how autoscale works, see [Autoscale example scenarios](autoscale-scenarios.md). You can also look at our [Autoscale FAQ](autoscale-faq.yml) if you have other questions.

+ | Build timeout (minutes) | Enter the [maximum duration to wait](../virtual-machines/linux/image-builder-json.md#properties-buildtimeoutinminutes) while building the image template (includes all customizations, validations, and distributions). <br /><br />Customizations like Language Pack installation or Configure Windows Optimization require Windows Update and we recommend a higher build timeout. Windows Update is automatically triggered for those built-in scripts. |

+## Known issues and limitations

+- Using both Private Link and [RDP Shortpath](./shortpath.md) has the following limitations:

+ - Using Private Link and [RDP Shortpath for public networks](rdp-shortpath.md?tabs=public-networks) isn't supported.

+ - Using Private Link and [RDP Shortpath for managed networks](rdp-shortpath.md?tabs=managed-networks) isn't supported, but they can work together. You can use Private Link and RDP Shortpath for managed networks at your own risk. You can follow the steps to [Disable RDP Shortpath for managed networks](configure-rdp-shortpath.md?tabs=managed-networks#disable-rdp-shortpath).

+ - [Azure Monitor Outgoing ports](../azure-monitor/ip-addresses.md)

+- Detach of VMs created by the scale set is currently not supported in UK South and North Europe.

+| Standard_B1ls2 | 1 | 0.5 | 4 | 5 | 30 | 3 | 72 | 2 | 160/10 | 4000/100 | 2 |

+| Standard_B1s | 1 | 1 | 4 | 10 | 30 | 6 | 144 | 2 | 320/10 | 4000/100 | 2 |

+| Standard_B1ms | 1 | 2 | 4 | 20 | 30 | 12 | 288 | 2 | 640/10 | 4000/100 | 2 |

+| Standard_B2s | 2 | 4 | 8 | 20 | 60 | 24 | 576 | 4 | 1280/15 | 4000/100 | 3 |

+| Standard_B2ms | 2 | 8 | 16 | 30 | 60 | 36 | 864 | 4 | 1920/22.5 | 4000/100 | 3 |

+| Standard_B4ms | 4 | 16 | 32 | 20 | 120 | 54 | 1296 | 8 | 2880/35 | 8000/200 | 4 |

+| Standard_B8ms | 8 | 32 | 64 | 17 | 240 | 81 | 1994 | 16 | 4320/50 | 8000/200 | 4 |

+| Standard_B12ms | 12 | 48 | 96 | 17 | 360 | 121 | 2908 | 16 | 4320/50 | 16000/400 | 6 |

+| Standard_B16ms | 16 | 64 | 128 | 17 | 480 | 162 | 3888 | 32 | 4320/50 | 16000/400 | 8 |

+| Standard_B20ms | 20 | 80 | 160 | 17 | 600 | 202 | 4867 | 32 | 4320/50 | 16000/400 | 8 |

+|CLI|[az network custom-ip prefix update](/cli/azure/network/public-ip/prefix#az-network-custom-ip-prefix-update) with `--state` flag set to decommission |

+|PowerShell|[Update-AzCustomIpPrefix](/powershell/module/az.network/update-azcustomipprefix) with the flag to `-Decommission` |

+|CLI|[az network custom-ip prefix update](/cli/azure/network/public-ip/prefix#az-network-custom-ip-prefix-update) with the `--state` flag set to deprovision <br>[az network custom-ip prefix delete](/cli/azure/network/public-ip/prefix#az-network-custom-ip-prefix-delete) to remove|

+|PowerShell|[Update-AzCustomIpPrefix](/powershell/module/az.network/update-azcustomipprefix)with the flag to `-Deprovision` <br>[Remove-AzCustomIpPrefix](/powershell/module/az.network/remove-azcustomipprefix) to remove|

+### When there's an ExpressRoute circuit connected as a bow-tie to a Virtual WAN hub and a standalone VNet, what is the path for the standalone VNet to reach the Virtual WAN hub?

+The current behavior is to prefer the ExpressRoute circuit path for standalone (non-Virtual WAN) VNet to Virtual WAN connectivity. It's recommended that the customer [create a Virtual Network connection](howto-connect-vnet-hub.md) to directly connect the standalone VNet to the Virtual WAN hub. Afterwards, VNet to VNet traffic will traverse through the Virtual WAN hub router instead of the ExpressRoute path (which traverses through the Microsoft Enterprise Edge routers/MSEE).

+In Azure portal, the **Allow traffic from remote Virtual WAN networks** and **Allow traffic from non Virtual WAN networks** toggles allow connectivity between the standalone virtual network (VNet 4) and the spoke virtual networks directly connected to the Virtual WAN hub (VNet 2 and VNet 3). To allow this connectivity, both toggles need to be enabled: the **Allow traffic from remote Virtual WAN networks** toggle for the ExpressRoute gateway in the standalone virtual network and the **Allow traffic from non Virtual WAN networks** for the ExpressRoute gateway in the Virtual WAN hub. In the diagram below, if both of these toggles are enabled, then connectivity would be allowed between the standalone VNet 4 and the VNets directly connected to hub 2 (VNet 2 and VNet 3). If an Azure Route Server is deployed in standalone VNet 4, and the Route Server has [branch-to-branch](../route-server/quickstart-configure-route-server-portal.md#configure-route-exchange) enabled, then connectivity will be blocked between VNet 1 and standalone VNet 4.

+The Azure Web Application Firewall (WAF) on Azure Application Gateway actively safeguards your web applications against common exploits and vulnerabilities. As web applications become more frequent targets for malicious attacks, these attacks often exploit well-known vulnerabilities such as SQL injection and cross-site scripting.

+All of the following WAF features exist inside of a WAF policy. You can create multiple policies, and they can be associated with an Application Gateway, to individual listeners, or to path-based routing rules on an Application Gateway. This way, you can have separate policies for each site behind your Application Gateway if needed. For more information on WAF policies, see [Create a WAF Policy](create-waf-policy-ag.md).

+Application Gateway enhances security through TLS policy management and end-to-end TLS support. By integrating WAF into Application Gateway, it fortifies application security. This combination actively defends your web applications against common vulnerabilities and offers a centrally manageable, easy-to-configure location.

+- Managed rule sets that are a collection of Azure-managed preconfigured set of rules

+ Bad bots include bots from malicious IP addresses and bots that falsify their identities. Bad bots with malicious IPs are sourced from the Microsoft Threat Intelligence feedΓÇÖs high confidence IP Indicators of Compromise.

+ Unknown bots are classified via published user agents without more validation. For example, market analyzer, feed fetchers, and data collection agents. Unknown bots also include malicious IP addresses that are sourced from Microsoft Threat Intelligence feedΓÇÖs medium confidence IP Indicators of Compromise.

+The WAF platform actively manages and dynamically updates bot signatures.

+You can assign Microsoft_BotManagerRuleSet_1.0 by using the **Assign** option under **Managed Rulesets**:

+When Bot protection is enabled, it blocks, allows, or logs incoming requests that match bot rules based on the action you've configured. It blocks malicious bots, allows verified search engine crawlers, blocks unknown search engine crawlers, and logs unknown bots by default. You have the option to set custom actions to block, allow, or log different types of bots.

+The Azure web application firewall (WAF) engine is the component that inspects traffic and determines whether a request includes a signature that represents a potential attack. When you use CRS 3.2 or later, your WAF runs the new [WAF engine](waf-engine.md), which gives you higher performance and an improved set of features. When you use earlier versions of the CRS, your WAF runs on an older engine. New features are only available on the new Azure WAF engine.

+You can choose which action is run when a request matches a rule condition. The following actions are supported:

+* Allow: Request passes through the WAF and is forwarded to back-end. No further lower priority rules can block this request. Allow actions are only applicable to the Bot Manager ruleset, and aren't applicable to the Core Rule Set.

+* Anomaly score: This is the default action for CRS ruleset where total anomaly score is incremented when a rule with this action is matched. Anomaly scoring isn't applicable for the Bot Manager ruleset.

+It's important to monitor the health of your application gateway. You can support this by integrating your WAF and the applications it protects with Microsoft Defender for Cloud, Azure Monitor, and Azure Monitor logs.

+With the built-in Azure WAF firewall events workbook, you can get an overview of the security events on your WAF. This includes events, matched and blocked rules, and everything else that gets logged in the firewall logs. More information on logging follows.

+The pricing models are different for the WAF_v1 and WAF_v2 SKUs. See the [Application Gateway pricing](https://azure.microsoft.com/pricing/details/application-gateway/) page to learn more.