+AKS also initiates auto-upgrades for unsupported clusters. When a cluster in an n-3 version (where n is the latest supported AKS GA minor version) is about to drop to n-4, AKS automatically upgrades the cluster to n-2 to remain in an AKS support [policy][supported-kubernetes-versions]. Automatically upgrading a platform supported cluster to a supported version is enabled by default. Stopped node pools will be upgraded during an auto-upgrade operation. The upgrade will apply to nodes when the node pool is started. To minimize disruptions, set up [maintenance windows][planned-maintenance].

+If using the `node-image` cluster auto-upgrade channel or the `NodeImage` node image auto-upgrade channel, Linux [unattended upgrades][unattended-upgrades] are disabled by default.

+| `node-image`| automatically upgrades the node image to the latest version available.| Microsoft provides patches and new images for image nodes frequently (usually weekly), but your running nodes don't get the new images unless you do a node image upgrade. Turning on the node-image channel automatically updates your node images whenever a new version is available. If you use this channel, Linux [unattended upgrades] are disabled by default. Node image upgrades work on patch versions that are deprecated, so long as the minor Kubernetes version is still supported.|

+For a detailed discussion of upgrade best practices and other considerations, see [AKS patch and upgrade guidance][upgrade-operators-guide].

+[upgrade-operators-guide]: /azure/architecture/operator-guides/aks/aks-upgrade-practices

+| `Unmanaged`|OS updates are applied automatically through the OS built-in patching infrastructure. Newly allocated machines are unpatched initially. The OS's infrastructure patches them at some point.|Ubuntu and Azure Linux (CPU node pools) apply security patches through unattended upgrade/dnf-automatic roughly once per day around 06:00 UTC. Windows doesn't automatically apply security patches, so this option behaves equivalently to `None`. You'll need to manage the reboot process by using a tool like [kured][kured].|

+> [!NOTE]

+> While Windows security updates are released on a monthly basis, using the `Unmanaged` channel will not automatically apply these updates to Windows nodes. If you choose the `Unmanaged` channel, you need to manage the reboot process by using a tool like [kured][kured] in order to properly apply security patches.

+- If using Azure CLI, the `aks-preview` CLI extension version `0.5.166` or later must be installed

+Among the returned labels, you should see a line similar to the following output:

+Here, the base node image version is `AKSUbuntu-2204gen2containerd`. If applicable, the security patch version typically follows. In the above example, it's `202311.07.0`.

+The same details also be looked up in the Azure portal under the node label view:

+## Next steps

+For a detailed discussion of upgrade best practices and other considerations, see [AKS patch and upgrade guidance][upgrade-operators-guide].

+[upgrade-operators-guide]: /azure/architecture/operator-guides/aks/aks-upgrade-practices

+Azure Kubernetes Service (AKS) regularly provides new node images, so it's beneficial to upgrade your node images frequently to use the latest AKS features. Linux node images are updated weekly, and Windows node images are updated monthly. Image upgrade announcements are included in the [AKS release notes](https://github.com/Azure/AKS/releases), and it can take up to a week for these updates to be rolled out across all regions. Node image upgrades can also be performed automatically and scheduled using planned maintenance. For more information, see [Automatically upgrade node images][auto-upgrade-node-image].

+The output shows the `latestNodeImageVersion`, like in the following example:

+> This command may differ slightly depending on the shell you use. For more information on Windows and PowerShell environments, see the [Kubernetes JSONPath documentation][kubernetes-json-path].

+> This command may differ slightly depending on the shell you use. For more information on Windows and PowerShell environments, see the [Kubernetes JSONPath documentation][kubernetes-json-path].

+To speed up the node image upgrade process, you can upgrade your node images using a customizable node surge value. By default, AKS uses one extra node to configure upgrades.

+- For a detailed discussion of upgrade best practices and other considerations, see [AKS patch and upgrade guidance][upgrade-operators-guide].

+[upgrade-operators-guide]: /azure/architecture/operator-guides/aks/aks-upgrade-practices

+When one of the replicas in the DaemonSet detects that a node reboot is required, a lock is placed on the node through the Kubernetes API. This lock prevents more pods from being scheduled on the node. The lock also indicates that only one node should be rebooted at a time. With the node cordoned off, running pods are drained from the node, and the node is rebooted.

+For a detailed discussion of upgrade best practices and other considerations, see [AKS patch and upgrade guidance][upgrade-operators-guide].

+[upgrade-operators-guide]: /azure/architecture/operator-guides/aks/aks-upgrade-practices

+For a detailed discussion of upgrade best practices and other considerations, see [AKS patch and upgrade guidance][upgrade-operators-guide].

+[upgrade-operators-guide]: /azure/architecture/operator-guides/aks/aks-upgrade-practices

+The above JSON file specifies maintenance windows every Tuesday at 1:00am - 3:00am and every Wednesday at 1:00am - 2:00am and at 6:00am - 7:00am in the `UTC` timezone. There's also an exception from `2021-05-26T03:00:00Z` to `2021-05-30T12:00:00Z` where maintenance isn't allowed even if it overlaps with a maintenance window.

+The above JSON file specifies maintenance windows every three months on the first of the month between 9:00 AM - 1:00 PM in the `UTC-08` timezone. There's also an exception from `2023-12-23` to `2024-01-05` where maintenance isn't allowed even if it overlaps with a maintenance window.

+- How can I check the existing maintenance configurations in my cluster?

+- Can reactive, unplanned maintenance happen during the `notAllowedTime` or `notAllowedDates` periods too?

+- How can you tell if a maintenance event occurred?

+- Can you use more than one maintenance configuration at the same time?

+- I configured a maintenance window, but upgrade didn't happen - why?

+ AKS auto-upgrade needs a certain amount of time to take the maintenance window into consideration. We recommend at least 24 hours between the creation or update of a maintenance configuration the scheduled start time.

+ Also, ensure your cluster is started when the planned maintenance window is starting. If the cluster is stopped, then its control plane is deallocated and no operations can be performed.

+- AKS auto-upgrade didn't upgrade all my agent pools - or one of the pools was upgraded outside of the maintenance window?

+ If an agent pool fails to upgrade (for example, because of Pod Disruption Budgets preventing it to upgrade) or is in a Failed state, then it might be upgraded later outside of the maintenance window. This scenario is called "catch-up upgrade" and avoids letting Agent pools with a different version than the AKS control plane.

+- Are there any best practices for the maintenance configurations?

+ We recommend setting the [Node OS security updates][node-image-auto-upgrade] schedule to a weekly cadence if you're using `NodeImage` channel since a new node image gets shipped every week and daily if you opt in for `SecurityPatch` channel to receive daily security updates. Set the [auto-upgrade][auto-upgrade] schedule to a monthly cadence to stay on top of the kubernetes N-2 [support policy][aks-support-policy]. For a detailed discussion of upgrade best practices and other considerations, see [AKS patch and upgrade guidance][upgrade-operators-guide].

+[upgrade-operators-guide]: /azure/architecture/operator-guides/aks/aks-upgrade-practices

+If no upgrades are available, create a new cluster with a supported version of Kubernetes and migrate your workloads from the existing cluster to the new cluster. AKS does not support upgrading a cluster to a newer Kubernetes version when `az aks get-upgrades` shows that no upgrades are available.

+If no upgrades are available, create a new cluster with a supported version of Kubernetes and migrate your workloads from the existing cluster to the new cluster. AKS does not support upgrading a cluster to a newer Kubernetes version when `Get-AzAksUpgradeProfile` shows that no upgrades are available.

+If no upgrades are available, create a new cluster with a supported version of Kubernetes and migrate your workloads from the existing cluster to the new cluster. AKS does not support upgrading a cluster to a newer Kubernetes version when no upgrades are available.

+* This process repeats until all nodes in the cluster are upgraded.

+At times, you may have a long running workload on a certain pod and it can't be rescheduled to another node during runtime, for example, a memory intensive stateful workload that must finish running. In these cases, you can configure a node drain timeout that AKS will respect in the upgrade workflow. If no node drain timeout value is specified, the default is 30 minutes. If the drain timeout value elapses and pods are still running, then the upgrade operation is stopped. Any subsequent PUT operation shall resume the stopped upgrade.

+> [!NOTE]

+To learn how to configure automatic upgrades, see [Configure automatic upgrades for an AKS cluster][configure-automatic-aks-upgrades].

+For a detailed discussion of upgrade best practices and other considerations, see [AKS patch and upgrade guidance][upgrade-operators-guide].

+[upgrade-operators-guide]: /azure/architecture/operator-guides/aks/aks-upgrade-practices

+* [Planned Maintenance Window][planned-maintenance] enables service teams to schedule auto-upgrade during a predefined window, typically a low-traffic period, to minimize workload impact. We recommend a window duration of at least *four hours*.

+This article listed different upgrade options for AKS clusters. For a detailed discussion of upgrade best practices and other considerations, see [AKS patch and upgrade guidance][upgrade-operators-guide].

+[upgrade-operators-guide]: /azure/architecture/operator-guides/aks/aks-upgrade-practices

+An Azure Kubernetes Service (AKS) cluster needs to be periodically updated to ensure security and compatibility with the latest features. There are two components of an AKS cluster that are necessary to maintain:

+|Cluster Kubernetes version (minor) upgrade|Roughly every three months|Yes|Automatic, Manual|[Upgrade an AKS cluster][upgrade-cluster]|

+ [Planned maintenance][planned-maintenance] allows you to schedule weekly maintenance windows that will update your control plane and your kube-system pods, helping to minimize workload impact.

+For more information what cluster operations may trigger specific upgrade events, upgrade best practices, and other considerations, see the [AKS operator's guide on patching][operator-guide-patching].

+[operator-guide-patching]: /azure/architecture/operator-guides/aks/aks-upgrade-practices

+ Title: Import APIs from Azure API Management - Azure API Center

+description: Add APIs to your Azure API center inventory from your API Management instance.

+# Customer intent: As an API program manager, I want to add APIs that are managed in my Azure API Management instance to my API center.

+# Import APIs to your API center from Azure API Management

+This article shows how to import (add) APIs from an Azure API Management instance to your [API center](overview.md) using the Azure CLI. Adding APIs from API Management to your API inventory helps make them discoverable and accessible to developers, API program managers, and other stakeholders in your organization.

+When you add an API from an API Management instance to your API center:

+* The API's [versions](key-concepts.md#api-version), [definitions](key-concepts.md#api-definition), and [deployment](key-concepts.md#deployment) information are copied to your API center.

+* The API receives a system-generated API name in your API center. It retains its display name (title) from API Management.

+* The **Lifecycle stage** of the API is set to *Design*.

+* Azure API Management is added as an [environment](key-concepts.md#environment).

+After adding an API from API Management, you can add metadata and documentation in your API center to help stakeholders discover, understand, and consume the API.

+## Prerequisites

+* An API center in your Azure subscription. If you haven't created one, see [Quickstart: Create your API center](set-up-api-center.md).

+* One or more instances of Azure API Management, in the same or a different subscription in your directory. If you haven't created one, see [Create an Azure API Management instance](../api-management/get-started-create-service-instance.md).

+* One or more APIs managed in your API Management instance that you want to add to your API center.

+* For Azure CLI:

+ [!INCLUDE [include](~/articles/reusable-content/azure-cli/azure-cli-prepare-your-environment-no-header.md)]

+ > [!NOTE]

+ > `az apic` commands require the `apic-extension` Azure CLI extension. If you haven't used `az apic` commands, the extension is installed dynamically when you run your first `az apic` command. Learn more about [Azure CLI extensions](/cli/azure/azure-cli-extensions-overview).

+ > [!NOTE]

+ > Azure CLI command examples in this article can run in PowerShell or a bash shell. Where needed because of different variable syntax, separate command examples are provided for the two shells.

+## Add a managed identity in your API center

+For this scenario, your API center uses a [managed identity](/entra/identity/managed-identities-azure-resources/overview) to access APIs in your API Management instance. You can use either a system-assigned or user-assigned managed identity. If you haven't added a managed identity in your API center, you can add it in the Azure portal or by using the Azure CLI.

+### Add a system-assigned identity

+#### [Portal](#tab/portal)

+1. In the [portal](https://azure.microsoft.com), navigate to your API center.

+1. In the left menu, select **Managed identities**.

+1. Select **System assigned**, and set the status to **On**.

+1. Select **Save**.

+#### [Azure CLI](#tab/cli)

+Set the system-assigned identity in your API center using the following [az apic service update](/cli/azure/apic/service#az-apic-service-update) command. Substitute the names of your API center and resource group:

+```azurecli

+az apic service update --name <api-center-name> --resource-group <resource-group-name> --identity '{"type": "SystemAssigned"}'

+```

+### Add a user-assigned identity

+To add a user-assigned identity, you need to create a user-assigned identity resource, and then add it to your API center.

+#### [Portal](#tab/portal)

+1. Create a user-assigned identity according to [these instructions](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities#create-a-user-assigned-managed-identity).

+1. In the [portal](https://azure.microsoft.com), navigate to your API center.

+1. In the left menu, select **Managed identities**.

+1. Select **User assigned** > **+ Add**.

+1. Search for the identity you created earlier, select it, and select **Add**.

+#### [Azure CLI](#tab/cli)

+1. Create a user-assigned identity.

+ ```azurecli

+ az identity create --resource-group <resource-group-name> --name <identity-name>

+ ```

+ In the command output, note the value of the identity's `id` property. The `id` property should look something like this:

+ ```json

+ {

+ [...]

+ "id": "/subscriptions/<subscription-id>/resourcegroups/<resource-group-name>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<identity-name>"

+ [...]

+ }

+ ```

+1. Create a JSON file with the following content, substituting the value of the `id` property from the previous step.

+ ```json

+ {

+ "type": "UserAssigned",

+ "userAssignedIdentities": {

+ "<identity-id>": {}

+ }

+ }

+ ```

+1. Add the user-assigned identity to your API center using the following [az apic service update](/cli/azure/apic/service#az-apic-service-update) command. Substitute the names of your API center and resource group, and pass the JSON file as the value of the `--identity` parameter. Here, the JSON file is named `identity.json`.

+ ```azurecli

+ az apic service update --name <api-center-name> --resource-group <resource-group-name> --identity "@identity.json"

+ ```

+## Assign the managed identity the API Management Service Reader role

+To allow import of APIs, assign your API center's managed identity the **API Management Service Reader** role in your API Management instance. You can use the [portal](../role-based-access-control/role-assignments-portal-managed-identity.md) or the Azure CLI.

+#### [Portal](#tab/portal)

+1. In the [portal](https://azure.microsoft.com), navigate to your API Management instance.

+1. In the left menu, select **Access control (IAM)**.

+1. Select **+ Add role assignment**.

+1. On the **Add role assignment** page, set the values as follows:

+ 1. On the **Role** tab - Select **API Management Service Reader**.

+ 1. On the **Members** tab, in **Assign access to** - Select **Managed identity** > **+ Select members**.

+ 1. On the **Select managed identities** page - Select the system-assigned or user-assigned managed identity of your API center that you added in the previous section. Click **Select**.

+ 1. Select **Review + assign**.

+#### [Azure CLI](#tab/cli)

+1. Get the principal ID of the identity. If you're configuring a system-assigned identity, use the [az apic service show](/cli/azure/apic/service#az-apic-service-show) command. For a user-assigned identity, use [az identity show](/cli/azure/identity#az-identity-show).

+ **System-assigned identity**

+ ```azurecli

+ #! /bin/bash

+ apicObjID=$(az apic service show --name <api-center-name> \

+ --resource-group <resource-group-name> \

+ --query "identity.principalId" --output tsv)

+ ```

+ ```azurecli

+ # PowerShell syntax

+ $apicObjID=$(az apic service show --name <api-center-name> `

+ --resource-group <resource-group-name> `

+ --query "identity.principalId" --output tsv)

+ ```

+ **User-assigned identity**

+ ```azurecli

+ #! /bin/bash

+ apicObjID=$(az identity show --name <identity-name> --resource-group <resource-group-name> --query "principalId" --output tsv)

+ ```

+

+ ```azurecli

+ # PowerShell syntax

+ $apicObjID=$(az identity show --name <identity-name> --resource-group <resource-group-name> --query "principalId" --output tsv)

+ ```

+1. Get the resource ID of your API Management instance using the [az apim show](/cli/azure/apim#az-apim-show) command.

+

+ ```azurecli

+ #! /bin/bash

+ apimID=$(az apim show --name <apim-name> --resource-group <resource-group-name> --query "id" --output tsv)

+ ```

+ ```azurecli

+ # PowerShell syntax

+ $apimID=$(az apim show --name <apim-name> --resource-group <resource-group-name> --query "id" --output tsv)

+ ```

+1. Assign the managed identity the **API Management Service Reader** role in your API Management instance using the [az role assignment create](/cli/azure/role/assignment#az-role-assignment-create) command.

+ ```azurecli

+ #! /bin/bash

+ scope="${apimID:1}"

+ az role assignment create \

+ --role "API Management Service Reader Role" \

+ --assignee-object-id $apicObjID \

+ --assignee-principal-type ServicePrincipal \

+ --scope $scope

+ ```

+

+ ```azurecli

+ #! PowerShell syntax

+ $scope=$apimID.substring(1)

+ az role assignment create `

+ --role "API Management Service Reader Role" `

+ --assignee-object-id $apicObjID `

+ --assignee-principal-type ServicePrincipal `

+ --scope $scope

+## Import APIs from your API Management instance

+Use the [az apic service import-from-apim](/cli/azure/apic/service#az-apic-service-import-from-apim) command to import one or more APIs from your API Management instance to your API center.

+> [!NOTE]

+> * This command depends on a managed identity configured in your API center that has read permissions to the API Management instance. If you haven't added or configured a managed identity, see [Add a managed identity in your API center](#add-a-managed-identity-in-your-api-center) earlier in this article.

+>

+> * If your API center has multiple managed identities, the command searches first for a system-assigned identity. If none is found, it picks the first user-assigned identity in the list.

+### Import all APIs from an API Management instance

+Use a wildcard (`*`) to specify all APIs from the API Management instance.

+1. Get the resource ID of your API Management instance using the [az apim show](/cli/azure/apim#az-apim-show) command.

+ ```azurecli

+ #! /bin/bash

+ apimID=$(az apim show --name <apim-name> --resource-group <resource-group-name> --query id --output tsv)

+ ```

+ ```azurecli

+ # PowerShell syntax

+ $apimID=$(az apim show --name <apim-name> --resource-group <resource-group-name> --query id --output tsv)

+ ```

+

+1. Use the `az apic service import-from-apim` command to import the APIs. Substitute the names of your API center and resource group, and use `*` to specify all APIs from the API Management instance.

+ ```azurecli

+ #! /bin/bash

+ apiIDs="$apimID/apis/*"

+ az apic service import-from-apim --service-name <api-center-name> --resource-group <resource-group-name> --source-resource-ids $apiIDs

+ ```

+

+ ```azurecli

+ # PowerShell syntax

+ $apiIDs=$apimID + "/apis/*"

+ az apic service import-from-apim --service-name <api-center-name> --resource-group <resource-group-name> --source-resource-ids $apiIDs

+ ```

+ > [!NOTE]

+ > If your API Management instance has a large number of APIs, import to your API center might take some time.

+

+### Import a specific API from an API Management instance

+Specify an API to import using its name from the API Management instance.

+1. Get the resource ID of your API Management instance using the [az apim show](/cli/azure/apim#az-apim-show) command.

+ ```azurecli

+ #! /bin/bash

+ apimID=$(az apim show --name <apim-name> --resource-group <resource-group-name> --query id --output tsv)

+ ```

+ ```azurecli

+ # PowerShell syntax

+ $apimID=$(az apim show --name <apim-name> --resource-group <resource-group-name> --query id --output tsv)

+ ```

+

+1. Use the `az apic service import-from-apim` command to import the API. Substitute the names of your API center and resource group, and specify an API name from the API Management instance.

+ ```azurecli

+ #! /bin/bash

+ apiIDs="$apimID/apis/<api-name>"

+ az apic service import-from-apim --service-name <api-center-name> --resource-group <resource-group-name> --source-resource-ids $apiIDs

+ ```

+

+ ```azurecli

+ # PowerShell syntax

+ $apiIDs=$apimID + "/apis/<api-name>"

+ az apic service import-from-apim --service-name <api-center-name> --resource-group <resource-group-name> --source-resource-ids $apiIDs

+ ```

+ > [!NOTE]

+ > Specify `<api-name>` using the API resource name in the API Management instance, not the display name. Example: `petstore-api` instead of `Petstore API`.

+

+After importing APIs from API Management, you can view and manage the imported APIs in your API center.

+## Related content

+* [Azure CLI reference for API Center](/cli/azure/apic)

+* [Manage API inventory with Azure CLI commands](manage-apis-azure-cli.md)

+* [Assign Azure roles to a managed identity](../role-based-access-control/role-assignments-portal-managed-identity.md)

+* [Azure API Management documentation](../api-management/index.yml)

+* See the [Azure CLI reference for API Center](/cli/azure/apic) for a complete command list, including commands to manage [environments](/cli/azure/apic/environment), [deployments](/cli/azure/apic/api/deployment), [metadata schemas](/cli/azure/apic/metadata-schema), and [API Center services](/cli/azure/apic/service).

+* [Import APIs to your API center from API Management](import-api-management-apis.md)

+- Open communication with the management machine.

+This article describes how Arc resource bridge is upgraded, and the two ways upgrade can be performed: cloud-managed upgrade or manual upgrade. Currently, some private cloud providers differ in how they handle Arc resource bridge upgrades.

+## Private cloud providers

+Currently, private cloud providers differ in how they perform Arc resource bridge upgrades. Review the following information to see how to upgrade your Arc resource bridge for a specific provider.

+For **Arc-enabled VMware vSphere**, manual upgrade is available, but appliances on version 1.0.15 and higher automatically receive cloud-managed upgrade as the default experience. Appliances that are earlier than version 1.0.15 must be manually upgraded. A manual upgrade only upgrades the appliance to the next version, not the latest version. If you have multiple versions to upgrade, another option is to review the steps for [performing a recovery](/azure/azure-arc/vmware-vsphere/recover-from-resource-bridge-deletion), then delete the appliance VM and perform the recovery steps. This deploys a new Arc resource bridge using the latest version and reconnects pre-existing Azure resources.

+For **Azure Arc VM management (preview) on Azure Stack HCI**, to use appliance version 1.0.15 or higher, you must be on Azure Stack HCI, version 23H2 (preview). In version 23H2 (preview), the LCM tool manages upgrades across all HCI, Arc resource bridge, and extension components as a "validated recipe" package. Attempting to upgrade Arc resource bridge independent of other HCI environment components by using the `az arcappliance upgrade` command may cause problems in your environment that could result in a disaster recovery scenario. For more information, visit the [Arc VM management FAQ page](/azure-stack/hci/manage/azure-arc-vms-faq). Customers on Azure Stack HCI, version 22H2 will receive limited support.

+For **Arc-enabled System Center Virtual Machine Manager (SCVMM)**, the manual upgrade feature is available for appliance version 1.0.14 and higher. Appliances below version 1.0.14 need to perform the recovery option to get to version 1.0.15 or higher. Review the steps for [performing the recovery operation](/azure/azure-arc/system-center-virtual-machine-manager/disaster-recovery), then delete the appliance VM from SCVMM and perform the recovery steps. This deploys a new resource bridge and reconnects pre-existing Azure resources.

+Before upgrading an Arc resource bridge, the following prerequisites must be met:

+- The appliance VM must be online, its status is "Running" and the [credentials in the appliance VM](maintenance.md#update-credentials-in-the-appliance-vm) must be valid.

+- There must be sufficient space on the management machine (~3.5 GB) and appliance VM (35 GB) to download required images. For VMware, a new template is created.

+- The outbound connection from the Appliance VM IPs (`k8snodeippoolstart/end`, VM IP 1/2) to `msk8s.sb.tlu.dl.delivery.mp.microsoft.com`, port 443 must be enabled. Be sure the full list of [required endpoints for Arc resource bridge](network-requirements.md) are also enabled.

+- If you are performing a manual upgrade, the upgrade command should be run from the management machine used to initially deploy the Arc resource bridge and still contains the [appliance configuration files](system-requirements.md#configuration-files) or one that meets the [management machine requirements](system-requirements.md#management-machine-requirements) and also contains the appliance configuration files.

+- Arc resource bridge configured with DHCP can't be upgraded and aren't supported in a production environment. Instead, a new Arc resource bridge should be deployed using [static IP configuration](system-requirements.md#static-ip-configuration).

+> [!IMPORTANT]

+> This article uses tabs to support multiple versions of the Python programming model. The v2 model is generally available and is designed to provide a more code-centric way for authoring functions through decorators. For more details about how the v2 model works, refer to the [Azure Functions Python developer guide](../functions-reference-python.md).

+If you're currently using the Log Analytics agent with Azure Monitor or [other supported features and services](#migrate-additional-services-and-features), start planning your migration to Azure Monitor Agent by using the information in this article. If you are using the Log Analytics Agent for SCOM you will need to [migrate to the SCOM Agent](../vm/scom-managed-instance-overview.md)

+The Log Analytics agent will be [retired on **August 31, 2024**](https://azure.microsoft.com/updates/were-retiring-the-log-analytics-agent-in-azure-monitor-on-31-august-2024/). You can expect the following when you use the MMA or OMS agent after this date.

+> - **Data upload**: You can still upload data. At some point when major customer have finished migrating and data volumes significantly drop, upload will be suspended. You can expect this to take at least 6 to 9 months. You will not receive a breaking change notification of the suspension.

+> - **Install or reinstall**: You can still install and reinstall the legacy agents. You will not be able to get support for installing or reinstalling issues.

+> - **Customer Support**: You can expect support for MMA/OMS for security issues.

+> [!NOTE]

+> With Spring Boot Native Image applications, use the [Azure Monitor OpenTelemetry Distro / Application Insights in Spring Boot native image Java application](https://aka.ms/AzMonSpringNative) project instead of the Application Insights Java agent solution described below.

+> [!NOTE]

+> With Spring Boot Native Image applications, use the [Azure Monitor OpenTelemetry Distro / Application Insights in Spring Boot native image Java application](https://aka.ms/AzMonSpringNative) project instead of the Application Insights Java agent.

+> [!NOTE]

+> See [Azure Monitor billing meter names](cost-meters.md) for a reference of the billing meter names used by Azure Monitor in Azure Cost Management + Billing.

+There are several approaches to view the benefits a workspace receives from various offers such as the [Defender for Servers data allowance](logs/cost-logs.md#workspaces-with-microsoft-defender-for-cloud) and the [Microsoft Sentinel benefit for Microsoft 365 E5, A5, F5, and G5 customers](https://azure.microsoft.com/offers/sentinel-microsoft-365-offer/).

+### View benefits in a usage export

+Since a usage export has both the number of units of usage and their cost, you can use this export to see the amount of benefits you are receiving. In the usage export, to see the benefits, filter the *Instance ID* column to your workspace. (To select all of your workspaces in the spreadsheet, filter the *Instance ID* column to "contains /workspaces/".) Then filter on the Meter to either of the following two meters:

+### View benefits in Usage and estimated costs

+### Query benefits from the Operation table

+The [Operation](/azure/azure-monitor/reference/tables/operation) table contains daily events which given the amount of benefit used from the [Defender for Servers data allowance](logs/cost-logs.md#workspaces-with-microsoft-defender-for-cloud) and the [Microsoft Sentinel benefit for Microsoft 365 E5, A5, F5, and G5 customers](https://azure.microsoft.com/offers/sentinel-microsoft-365-offer/). The `Detail` column for these events are all of the format `Benefit amount used 1.234 GB`, and the type of benefit is in the `OperationKey` column. Here is a query that charts the benefits used in the last 31-days:

+```kusto

+Operation

+| where TimeGenerated >= ago(31d)

+| where Detail startswith "Benefit amount used"

+| parse Detail with "Benefit amount used: " BenefitUsedGB " GB"

+| extend BenefitUsedGB = toreal(BenefitUsedGB)

+| parse OperationKey with "Benefit type used: " BenefitType

+| project BillingDay=TimeGenerated, BenefitType, BenefitUsedGB

+| sort by BillingDay asc, BenefitType asc

+| render columnchart

+```

+(This functionality of reporting the benefits used in the `Operation` table came online in January 2024.)

+There are several types of tables in Log Analytics and the delete experience is different for each:

+- [Azure table](../logs/manage-logs-tables.md#table-type-and-schema) -- Can't be deleted. Tables that are part of a solution are removed from workspace when [deleting the solution](/cli/azure/monitor/log-analytics/solution#az-monitor-log-analytics-solution-delete), but data remains in workspace for the duration of the retention policy defined for the tables, or if not exist, for the duration of the retention policy defined in workspace. If the [solution is re-created](/cli/azure/monitor/log-analytics/solution#az-monitor-log-analytics-solution-create) in the workspace, these tables and previously ingested data become visible again. To avoid charges, define [retention policy for tables in solutions](https://learn.microsoft.com/rest/api/loganalytics/tables/update) to minimum (4-days) before deleting the solution.

+ - [Restored table](./restore.md) (table_RST) -- Deletes the hot cache provisioned for the restore, but source table data isn't deleted.

+ - [Search results table](./search-jobs.md) (table_SRCH) -- Deletes the table and data immediately and permanently.

+ - [Custom log table](./create-custom-table.md#create-a-custom-table) (table_CL) -- Deletes the table definition immediately, but data remains in workspace for the duration of the retention policy defined for the table, or workspace. The retention policy for table is removed in 14-days and workspace retention governs. If custom log table is created with the same name and schema, the table and previously ingested data become visible again. To avoid charges and remove data from table, define [retention policy for table](https://learn.microsoft.com/rest/api/loganalytics/tables/update) to minimum (4-days) before deleting the table.

+* Python 3.8 or later installed. To install the latest, see [Python.org](https://www.python.org/downloads/)

+* Python 3.8 or later installed. To install the latest, see [Python.org](https://www.python.org/downloads/)

+* Update your development libraries and frameworks to their latest versions. For example, Python 3.8 supports TLS 1.2.

+- **Agent Service Tags** Currently we don't have service tags available for our Agent-based faults.

+- **Chaos Studio Private Accesses (CSPA)** - For the CSPA resource type, there is a **strict 1:1 mapping of Chaos Target:CSPA Resource (abstraction for private endpoint).** We only allow **5 CSPA resources to be created per Subscription** to maintain the expected experience for all of our customers.

+- The **Chaos Studio Private Accesses (CSPA)** resource type has a **strict 1:1 mapping of Chaos Target:CSPA Resource (abstraction for private endpoint).**.** We only allow **5 CSPA resources to be created per Subscription** to maintain the expected experience for all of our customers.

+- An identity provider (OpenID connect)

+1. Microsoft Defender for Cloud CSPM service acquires a Microsoft Entra token with a validity life time of 1 hour that is signed by the Microsoft Entra ID using the RS256 algorithm.

+ - token digital signature validation

+1. The Microsoft Defender for Cloud CSPM role is assumed only after the validation conditions defined at the trust relationship have been met. The conditions defined for the role level are used for validation within AWS and allows only the Microsoft Defender for Cloud CSPM application (validated audience) access to the specific role (and not any other Microsoft token).

+ - (Recommended) Use the auto provisioning process to install Azure Arc on all of your existing and future EC2 instances.

+ Auto provisioning managed by AWS Systems Manager (SSM) using the SSM agent. Some Amazon Machine Images (AMIs) already have the SSM agent preinstalled. If you already have the SSM agent preinstalled, the AMIs are listed in [AMIs with SSM Agent preinstalled](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent-technical-details.html#ami-preinstalled-agent). If your EC2 instances don't have the SSM Agent, you need to install it using either of the following relevant instructions from Amazon:

+ - [Install SSM Agent for a hybrid environment (Windows)](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-install-managed-win.html)

+ > [!NOTE]

+ > To enable the Azure Arc auto-provisioning, you'll need **Owner** permission on the relevant Azure subscription.

+ - Microsoft Defender for Endpoint

+ - VA solution (TVM/Qualys)

+ - Log Analytics (LA) agent on Arc machines or Azure Monitor agent (AMA)

+ Make sure the selected LA workspace has security solution installed. The LA agent and AMA are currently configured in the subscription level. All of your AWS accounts and GCP projects under the same subscription inherit the subscription settings for the LA agent and AMA.

+ Learn more about [monitoring components](monitoring-components.md) for Defender for Cloud.

+- Azure Arc for servers installed on your EC2 instances.

+ - (Recommended) Use the auto provisioning process to install Azure Arc on all of your existing and future EC2 instances.

+ Auto provisioning managed by AWS Systems Manager (SSM) using the SSM agent. Some Amazon Machine Images (AMIs) already have the SSM agent preinstalled. If that is the case, their AMIs are listed in [AMIs with SSM Agent preinstalled](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent-technical-details.html#ami-preinstalled-agent). If your EC2 instances don't have the SSM Agent, you need to install it using either of the following relevant instructions from Amazon:

+ - [Install SSM Agent for a hybrid environment (Windows)](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-install-managed-win.html)

+ - [Install SSM Agent for a hybrid environment (Linux)](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-install-managed-linux.html)

+ > [!NOTE]

+ > To enable the Azure Arc auto-provisioning, you'll need an **Owner** permission on the relevant Azure subscription.

+ - If you want to manually install Azure Arc on your existing and future EC2 instances, use the [EC2 instances should be connected to Azure Arc](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/231dee23-84db-44d2-bd9d-c32fbcfb42a3) recommendation to identify instances that don't have Azure Arc installed.

+ - Microsoft Defender for Endpoint

+ - VA solution (TVM/Qualys)

+ - Log Analytics (LA) agent on Arc machines or Azure Monitor agent (AMA)

+ Make sure the selected LA workspace has security solution installed. The LA agent and AMA are currently configured in the subscription level. All of your AWS accounts and GCP projects under the same subscription inherit the subscription settings for the LA agent and AMA.

+ Learn more about [monitoring components](monitoring-components.md) for Defender for Cloud.

+ > [!NOTE]

+ > Defender for Servers assigns tags to your AWS resources to manage the auto-provisioning process. You must have these tags properly assigned to your resources so that Defender for Cloud can manage your resources:

+ **AccountId**, **Cloud**, **InstanceId**, **MDFCSecurityConnector**

+ Title: Agentless malware detection | Defender for Cloud in the field

+description: Learn about agentless malware detection in Defender for Cloud

+# Agentless malware detection

+**Episode description**: In this episode of Defender for Cloud in the Field, Gal Fenigshtein joins Yuri Diogenes to talk about the new agentless malware detection for virtual machines in Microsoft Defender for Cloud. Gal explains the use case scenario for this feature, how this feature works, and the prerequisites to enable this feature. Gal also demonstrates the user experience when a new malware is detected, using the security alert dashboard in Defender for Cloud.

+> [!VIDEO https://aka.ms/docs/player?id=44105e9d-8165-44c9-9763-16c1bd0736d4]

+- [01:28](/shows/mdc-in-the-field/agentless-malware#time=01m28s) - Understanding the value of agentless malware detection

+- [03:51](/shows/mdc-in-the-field/agentless-malware#time=03m51s) - Which Microsoft Defender for Cloud plan enables this feature?

+- [04:38](/shows/mdc-in-the-field/agentless-malware#time=04m38s) - How does agentless malware detection work?

+- [07:58](/shows/mdc-in-the-field/agentless-malware#time=07m58s) - Scan frequency

+- [08:17](/shows/mdc-in-the-field/agentless-malware#time=08m17s) - Demonstration

+## Recommended resources

+- Learn more about [agentless machine scanning](concept-agentless-data-collection.md).

+- Learn more about [Microsoft Security](https://msft.it/6002T9HQY).

+- Subscribe to [Microsoft Security on YouTube](https://www.youtube.com/playlist?list=PL3ZTgFEc7LysiX4PfHhdJPR7S8mGO14YS).

+- Follow us on social media:

+ - [LinkedIn](https://www.linkedin.com/showcase/microsoft-security/)

+ - [Twitter](https://twitter.com/msftsecurity)

+- Join our [Tech Community](https://aka.ms/SecurityTechCommunity).

+## Next steps

+> [!div class="nextstepaction"]

+> [New AWS Connector in Microsoft Defender for Cloud](episode-one.md)

+> [Agentless malware detection](episode-forty-four.md)

+Messages emitted by data history are metered under the [Message pricing dimension](https://azure.microsoft.com/pricing/details/digital-twins/#pricing).

+## Prerequisites: Resources and permissions

+### Required permissions

+In order to set up a data history connection, your Azure Digital Twins instance must have the following permissions to access the Event Hubs and Azure Data Explorer resources. These roles enable Azure Digital Twins to configure the event hub and Azure Data Explorer database on your behalf (for example, creating a table in the database). These permissions can optionally be removed after data history is set up.

+* Event Hubs resource: **Azure Event Hubs Data Owner**

+* Azure Data Explorer cluster: **Contributor** (scoped to either the entire cluster or specific database)

+* Azure Data Explorer database principal assignment: **Admin** (scoped to the database being used)

+Later, your Azure Digital Twins instance must have the following permission on the Event Hubs resource while data history is being used: **Azure Event Hubs Data Sender** (you can also opt instead to keep **Azure Event Hubs Data Owner** from data history setup).

+These permissions can be assigned using the Azure CLI or Azure portal.

+If you'd like to restrict network access to the resources involved in data history (your Azure Digital Twins instance, event hub, or Azure Data Explorer cluster), you should set those restrictions *after* setting up the data history connection. For more information about this process, see [Restrict network access to data history resources](how-to-create-data-history-connection.md#restrict-network-access-to-data-history-resources).

+## Create and manage data history connection

+This section contains information for creating, updating, and deleting a data history connection.

+### Create a data history connection

+Once all the [resources](#prerequisites-resources-and-permissions) and [permissions](#required-permissions) are set up, you can use the [Azure CLI](/cli/azure/what-is-azure-cli), [Azure portal](https://portal.azure.com), or the [Azure Digital Twins SDK](concepts-apis-sdks.md) to create the data history connection between them. The CLI command set is [az dt data-history](/cli/azure/dt/data-history).

+#### History from multiple Azure Digital Twins instances

+If you'd like, you can have multiple Azure Digital Twins instances historize updates to the same Azure Data Explorer cluster.

+Each Azure Digital Twins instance will have its own data history connection targeting the same Azure Data Explorer cluster. Within the cluster, instances can send their twin data to either...

+* **a separate set of tables** in the Azure Data Explorer cluster.

+* **the same set of tables** in the Azure Data Explorer cluster. To do this, specify the same Azure Data Explorer table names while [creating the data history connections](how-to-create-data-history-connection.md#set-up-data-history-connection). In the [data history table schemas](#data-types-and-schemas), the `ServiceId` column in each table will contain the URL of the source Azure Digital Twins instance, so you can use this field to resolve which Azure Digital Twins instance emitted each record in shared tables.

+### Update a properties-only data history connection

+**If you want to use all new tables:** First, [delete your original data history connection](#delete-a-data-history-connection). Then, use the instructions in [Create a data history connection](how-to-create-data-history-connection.md) to create a new data history connection with the new capabilities. The data history connection name can be the same as the original one, or a different name. Use the parameter options to provide new names for all three event type tables.

+### Delete a data history connection

+You can use the [Azure CLI](/cli/azure/what-is-azure-cli), [Azure portal](https://portal.azure.com), or [Azure Digital Twins APIs and SDKs](concepts-apis-sdks.md) to delete a data history connection. The CLI command is [az dt data-history connection delete](/cli/azure/dt/data-history/connection#az-dt-data-history-connection-delete).

+Deleting a connection also gives the option to clean up resources associated with the data history connection (for the CLI command, the optional parameter to add is `--clean true`). If you use this option, the command will delete the resources within Azure Data Explorer that are used to link your cluster to your event hub, including data connections for the database and the ingestion mappings associated with your table. The "clean up resources" option will **not** delete the actual event hub and Azure Data Explorer cluster used for the data history connection.

+The cleanup is a best-effort attempt, and requires the account running the command to have delete permission for these resources.

+>[!NOTE]

+> If you have multiple data history connections that share the same event hub or Azure Data Explorer cluster, using the "clean up resources" option while deleting one of these connections may disrupt your other data history connections that rely on these resources.

+| OsloFactory_contains_Relationship0 | contains | Delete | 2022-12-15 07:16:13.1780 | dairyadtinstance.api.wcus.digitaltwins.azure.net | OsloFactory | SaltMachine_C0 |

+## Visualize historized properties

+[Azure Digital Twins Explorer](concepts-azure-digital-twins-explorer.md), a developer tool for visualizing and interacting with Azure Digital Twins data, offers a **Data history explorer** feature for viewing historized properties over time in a chart or a table. This feature is also available in [3D Scenes Studio](concepts-3d-scenes-studio.md), an immersive 3D environment for giving Azure Digital Twins the visual context of 3D assets.

+For more detailed information about using the data history explorer, see [Validate and explore historized properties](how-to-use-azure-digital-twins-explorer.md#validate-and-explore-historized-properties).

+>[!NOTE]

+> If you encounter issues selecting a property in the visual data history explorer experience, this might mean there's an error in some model in your instance. For example, having non-unique enum values in the attributes of a model will break this visualization feature. If this happens, [review your model definitions](how-to-use-azure-digital-twins-explorer.md#view-model-definition) and make sure all properties are valid.

+ [!INCLUDE [digital-twins-visual-property-error-note.md](../../includes/digital-twins-visual-property-error-note.md)]

+* **Link**: For including externally referenced content via a linked URL

+ Enter a **Display name** and select a **Property expression** that you want to display. This can be a **Single property** of the primary twin, or a **Custom (advanced)** property expression. Custom expressions should be JavaScript expressions using one or more properties of the twin, and you'll select which outcome type the expression will produce. If your custom property expression outputs a string, you can also use JavaScript's template literal syntax to include a dynamic expression in the string output. Format the dynamic expression with this syntax: `${<calculation-expression>}`. Then, wrap the whole string output with backticks (`` ` ``). For more information about writing custom expressions, see [Use custom (advanced) expressions](#use-custom-advanced-expressions).

+ [!INCLUDE [digital-twins-visual-property-error-note.md](../../includes/digital-twins-visual-property-error-note.md)]

+ [!INCLUDE [digital-twins-visual-property-error-note.md](../../includes/digital-twins-visual-property-error-note.md)]

+Or, visualize your Azure Digital Twins graph differently using [Azure Digital Twins Explorer](how-to-use-azure-digital-twins-explorer.md).

+ [!INCLUDE [digital-twins-visual-property-error-note.md](../../includes/digital-twins-visual-property-error-note.md)]

+[Deep learning](https://www.microsoft.com/research/group/dltc/) is a branch of machine learning that uses *deep neural networks* (DNNs), inspired by the biological processes of the human brain. Many researchers see deep learning as a promising approach to artificial intelligence. Some examples of deep learning are spoken language translators, image recognition systems, and machine reasoning. To help advance its own work in deep learning, Microsoft has developed the free, easy-to-use, open-source [Microsoft Cognitive Toolkit](/cognitive-toolkit/). The toolkit is being used extensively by a wide variety of Microsoft products, by companies worldwide with a need to deploy deep learning at scale, and by students interested in the latest algorithms and techniques.

+|\includeAssociatedData | No | Allows you to export history and soft deleted resources. This filter doesn't work with '_typeFilter' query parameter. Include value as '_history' to export history/ non latest versioned resources. Include value as '_deleted' to export soft deleted resources. |

+## Performance consideration with Conditional operations

+Conditional interactions can be complex and performance-intensive. To enhance the latency of queries involving conditional interactions, you have the option to utilize the request header **x-conditionalquery-processing-logic** . Setting this header to **parallel** allows concurrent execution of queries with conditional interactions.

+|`includeAssociatedData` | No | Allows you to export history and soft deleted resources. This filter doesn't work with '_typeFilter' query parameter. Include value as '_history' to export history/ non latest versioned resources. Include value as '_deleted' to export soft deleted resources. |

+ - update-code

+ For this quickstart, we recommend starting with smaller files so that you can conserve [vector storage](vector-search-index-size.md) and [Azure OpenAI quota](/azure/ai-services/openai/quotas-limits) for other work.

+ Deploy more *chat* models if you want to compare them using your data. *Fine-tuning* models like Text-Davinci-002 aren't supported for this scenario.

+1. In Data Management, choose **Hybrid + semantic** if [semantic ranking is enabled](semantic-how-to-enable-disable.md) on your search service. If semantic ranking is disabled, choose **Hybrid (vector + keyword)**. [Hybrid](hybrid-search-overview.md) is a better choice because vector (similarity) search and keyword search execute the same query input in parallel, which can produce a more relevant response.

+1. Review advanced settings that determine how much flexibility the chat model has in supplementing the grounding data, and how many chunks are provided to the model to generate its response.

+ Strictness determines whether the model supplements the query with its own information. Level of 5 is no supplementation. Only your grounding data is used, which means the search engine plays a large role in the quality of the response. Semantic ranking can be helpful in this scenario because the ranking models do a better job of inferring the intent of the query.

+ + Verify the **Limit responses to your data content** option is selected.

+ + Strictness set to 3 or 4.

+ Queries that require deeper analysis or language understanding, such as "how many speeches are in the vector store" or "what's in this vector store", will probably fail to return a response. In RAG pattern chat scenarios, information retrieval is keyword and similarity search against the query string, where the search engine looks for chunks having exact or similar terms, phrases, or construction. The return payload might be insufficient for handling an open-ended question.

+ Finally, chats are constrained by the number of documents (chunks) returned in the response (limited to 3-20 in Azure OpenAI Studio playground). As you can imagine, posing a question about "all of the titles" requires a full scan of the entire vector store, which means adopting an approach that allows more than 20 chunks. You could modify the generated code (assuming you [deploy the solution](/azure/ai-services/openai/use-your-data-quickstart#deploy-your-model)) to allow for [exhaustive search](vector-search-how-to-create-index.md#add-a-vector-search-configuration) on your queries.

+In the playground, it's easy to start over with different data and configurations and compare the results. If you didn't try **Hybrid + semantic** the first time, perhaps try again with [semantic ranking enabled](semantic-how-to-enable-disable.md).

+We also provide code samples that demonstrate the full range of APIs for RAG applications. Samples are available in [Python](https://github.com/Azure/azure-search-vector-samples/tree/main/demo-python), [C#](https://github.com/Azure/azure-search-vector-samples/tree/main/demo-dotnet), and [JavaScript](https://github.com/Azure/azure-search-vector-samples/tree/main/demo-javascript).

+

+

+

+- *Readiness probes* determine when an app instance is ready to start accepting traffic. For example, readiness probes can control which app instances are used as backends for the application. When an app instance isn't ready, it's removed from Kubernetes service discovery. For more information, see [Discover and register your Spring Boot applications](how-to-service-registration.md). For more information about service discovery with the Enterprise plan, see [Use Tanzu Service Registry](how-to-enterprise-service-registry.md).

+Azure Spring Apps shares the same endpoint for token acquisition with Azure Virtual Machine. We recommend using Java SDK or spring boot starters to acquire a token. For various code and script examples and guidance on important topics such as handling token expiration and HTTP errors, see [How to use managed identities for Azure resources on an Azure VM to acquire an access token](/entra/identity/managed-identities-azure-resources/how-to-use-vm-token).

+ :::image type="content" source="media/how-to-integrate-azure-load-balancers/app-gateway-3.png" alt-text="Screenshot of the Azure portal that shows the Add Backend setting page." lightbox="media/how-to-integrate-azure-load-balancers/app-gateway-3.png":::

+ :::image type="content" source="media/how-to-integrate-azure-load-balancers/front-door-1.png" alt-text="Screenshot of the Azure portal that shows the Add an origin group page with the Add an origin button highlighted." lightbox="media/how-to-integrate-azure-load-balancers/front-door-1.png":::

+ :::image type="content" source="media/how-to-integrate-azure-load-balancers/front-door-2.png" alt-text="Screenshot of the Azure portal that shows the Add an origin page." lightbox="media/how-to-integrate-azure-load-balancers/front-door-2.png":::

+ :::image type="content" source="media/how-to-permissions/permissions.png" alt-text="Screenshot that shows the results of searching for Microsoft.app." lightbox="media/how-to-permissions/permissions.png":::

+The `scope` property of SSO is a list of scopes to be included in JWT identity tokens. They're often referred to as permissions. Identity platform supports several OpenID Connect scopes, such as `openid`, `email`, and `profile`. For more information, see the [OpenID Connect scopes](/entra/identity-platform/scopes-oidc#openid-connect-scopes) section of [Scopes and permissions in the Microsoft identity platform](/entra/identity-platform/scopes-oidc).

+ :::image type="content" source="media/how-to-use-tls-certificate/grant-key-vault-permission.png" alt-text="Screenshot of the Azure portal that shows the Create an access policy page with Permission pane showing and Get and List permissions highlighted." lightbox="media/how-to-use-tls-certificate/grant-key-vault-permission.png":::

+ :::image type="content" source="media/how-to-use-tls-certificate/select-service-principal.png" alt-text="Screenshot of the Azure portal that shows the Create an access policy page with Principal pane showing and Azure Spring Apps Resource Provider highlighted." lightbox="media/how-to-use-tls-certificate/select-service-principal.png":::

+ :::image type="content" source="media/quickstart-automate-deployments-github-actions-enterprise/actions1.png" alt-text="Screenshot showing GitHub Settings Add new secret." lightbox="media/quickstart-automate-deployments-github-actions-enterprise/actions1.png":::

+ :::image type="content" source="media/quickstart-automate-deployments-github-actions-enterprise/actions2.png" alt-text="Screenshot showing GitHub Settings Set secret data." lightbox="media/quickstart-automate-deployments-github-actions-enterprise/actions2.png":::

+- If you're deploying an Azure Spring Apps Enterprise plan instance for the first time in the target subscription, see the [Requirements](how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](how-to-enterprise-marketplace-offer.md).

+- If you're deploying an Azure Spring Apps Enterprise plan instance for the first time in the target subscription, see the [Requirements](how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](how-to-enterprise-marketplace-offer.md).

+> [Quickstart: Deploy an event-driven application to Azure Spring Apps](quickstart-deploy-event-driven-app.md)

+> [Quickstart: Deploy microservice applications to Azure Spring Apps](quickstart-deploy-microservice-apps.md)

+> [Structured application log for Azure Spring Apps](structured-app-log.md)

+> [Map an existing custom domain to Azure Spring Apps](how-to-custom-domain.md)

+> [Use Azure Spring Apps CI/CD with GitHub Actions](how-to-github-actions.md)

+> [Automate application deployments to Azure Spring Apps](how-to-cicd.md)

+ :::image type="content" source="media/quickstart-integrate-azure-database-mysql/create-service-connection.png" alt-text="Screenshot of the Azure portal, in the Azure Spring Apps instance, create a connection with Service Connector.":::

+ :::image type="content" source="media/quickstart-integrate-azure-database-mysql/basics-tab.png" alt-text="Screenshot of the Azure portal, filling out the basics tab in Service Connector.":::

+You need to open some outgoing ports in your server's firewall to allow the Application Insights SDK or the Application Insights Agent to send data to the portal. For more information, see the [Outgoing ports](../azure-monitor/ip-addresses.md#outgoing-ports) section of [IP addresses used by Azure Monitor](../azure-monitor/ip-addresses.md).

+When following the below steps, make sure that you select * for the environments section. It may appear the default value is all but you need to click the dropdown and manually select *.

+For encryption in transit, Azure provides a layer of encryption for all data in transit between Azure datacenters using [MACSec](https://en.wikipedia.org/wiki/IEEE_802.1AE). Through this, encryption exists when data is transferred between Azure data centers.

+| [Azure file share snapshots](storage-snapshots-files.md)| ✔️ |

+# What's new in Azure Files and Azure File Sync

+Azure Files and Azure File Sync are updated regularly to offer new features and enhancements. This article provides detailed information about what's new in Azure Files and Azure File Sync.

+## What's new in 2024

+### 2024 quarter 1 (January, February, March)

+#### Snapshot support for NFS Azure premium file shares is generally available

+Customers using NFS Azure file shares can now take point-in-time snapshots of file shares. This enables users to roll back their entire filesystem to a previous point in time, or restore specific files that were accidentally deleted or corrupted. Customers using this feature can perform share-level Snapshot management operations via REST API, PowerShell, and Azure CLI. This feature is now available in all Azure public cloud regions. [Learn more](storage-files-how-to-mount-nfs-shares.md#nfs-file-share-snapshots).

+#### Sync upload performance improvements for Azure File Sync

+Sync upload performance has improved, and performance numbers will be posted when they are available. This improvement will mainly benefit file share migrations (initial upload) and high churn events on the server in which a large number of files need to be uploaded.

+#### Expanded character support for Azure File Sync

+Azure File Sync now supports an expanded list of characters. This expansion allows users to create and sync SMB file shares with file and directory names on par with NTFS file system, for valid Unicode characters. For more information on unsupported characters, refer to the documentation [here](/troubleshoot/azure/azure-storage/file-sync-troubleshoot-sync-errors?toc=%2Fazure%2Fstorage%2Ffile-sync%2Ftoc.json&tabs=portal1%2Cazure-portal#handling-unsupported-characters).

+#### New cloud tiering low disk space mode metric for Azure File Sync

+You can now configure an alert to let you know if a server is in low disk space mode. To learn more, see [Monitor Azure File Sync](../file-sync/file-sync-monitoring.md).

+## What's new in 2023

+### 2023 quarter 4 (October, November, December)

+#### Support for Azure Files REST API with OAuth authentication is in public preview

+ Backing up your data on NFS shares can either be orchestrated using familiar tooling like rsync or products from one of our third-party backup partners. Multiple backup partners including [Commvault](https://documentation.commvault.com/https://docsupdatetracker.net/index.html), [Veeam](https://www.veeam.com/blog/?p=123438), and [Veritas](https://players.brightcove.net/4396107486001/default_default/https://docsupdatetracker.net/index.html?videoId=6189967101001) have extended their solutions to work with both SMB 3.x and NFS 4.1 for Azure Files. You can also use [NFS Azure file share snapshots](storage-files-how-to-mount-nfs-shares.md#nfs-file-share-snapshots).

+## NFS file share snapshots

+Customers using NFS Azure file shares can create, list, and delete NFS Azure file share snapshots. This capability allows users to roll back entire file systems or recover files that were accidentally deleted or corrupted. This feature is now available in all Azure public cloud regions.

+Only file management APIs (`AzRmStorageShare`) are supported for NFS Azure file share snapshots. File data plane APIs (`AzStorageShare`) aren't supported.

+### Create a snapshot

+You can create a snapshot of an NFS Azure file share using the Azure portal, Azure PowerShell, or Azure CLI. A share can support the creation of up to 200 share snapshots.

+# [Azure portal](#tab/portal)

+To create a snapshot of an existing file share, sign in to the Azure portal and follow these steps.

+1. In the search box at the top of the Azure portal, type and select *storage accounts*.

+1. Select the FileStorage storage account that contains the NFS Azure file share that you want to take a snapshot of.

+1. Select **Data storage** > **File shares**.

+1. Select the file share that you want to snapshot, then select **Operations** > **Snapshots**.

+1. Select **+ Add snapshot**. Add an optional comment, and select **OK**.

+ :::image type="content" source="media/storage-files-how-to-mount-nfs-shares/add-file-share-snapshot.png" alt-text="Screenshot of adding a file share snapshot.":::

+### List file share snapshots

+You can list all the snapshots for a file share using the Azure portal, Azure PowerShell, or Azure CLI.

+# [Azure portal](#tab/portal)

+To list all the snapshots for an existing file share, sign in to the Azure portal and follow these steps.

+1. In the search box at the top of the Azure portal, type and select *storage accounts*.

+1. Select the FileStorage storage account that contains the NFS Azure file share that you want to list the snapshots of.

+1. Select **Data storage** > **File shares**.

+1. Select the file share for which you want to list the snapshots.

+1. Select **Operations** > **Snapshots**, and any existing snapshots for the file share will be listed.

+Existing share snapshots are never overwritten. They must be deleted explicitly. You can delete share snapshots using the Azure portal, Azure PowerShell, or Azure CLI.

+# [Azure portal](#tab/portal)

+To delete a snapshot of an existing file share, sign in to the Azure portal and follow these steps.

+1. In the search box at the top of the Azure portal, type and select *storage accounts*.

+1. Select the FileStorage storage account that contains the NFS Azure file share for which you want to delete snapshots.

+1. Select **Data storage** > **File shares**.

+1. Select the file share for which you want to delete one or more snapshots, then select **Operations** > **Snapshots**. Any existing snapshots for the file share will be listed.

+1. Select the snapshot(s) that you want to delete, and then select **Delete**.

+ :::image type="content" source="media/storage-files-how-to-mount-nfs-shares/delete-file-share-snapshot.png" alt-text="Screenshot of deleting file share snapshots.":::

+Azure Files provides the capability to take snapshots of file shares. Share snapshots capture the share state at that point in time. This article describes the capabilities that file share snapshots provide and how you can take advantage of them in your use case.

+Applications that use file shares perform operations such as writing, reading, storage, transmission, and processing. If an application is misconfigured or an unintentional bug is introduced, accidental overwrite or damage can happen to a few blocks. To help protect against these scenarios, you can take a share snapshot before you deploy new application code. If a bug or application error is introduced with the new deployment, you can go back to a previous version of your data on that file share.

+A share snapshot is a point-in-time, read-only copy of your data. Share snapshot capability is provided at the file share level. Retrieval is provided at the individual file level, to allow for restoring individual files. You can restore a complete file share by using SMB, NFS, REST API, the Azure portal, the client library, or PowerShell/CLI.

+You can view snapshots of a share by using the REST API, SMB, or NFS. You can retrieve the list of versions of the directory or file, and you can mount a specific version directly as a drive (only available on Windows - see [Limits](#limits)).

+The maximum number of share snapshots that Azure Files allows is 200 per share. After 200 share snapshots, you must delete older share snapshots in order to create new ones. You can retain snapshots for up to 10 years.

+Only file management APIs (`AzRmStorageShare`) are supported for NFS Azure file share snapshots. File data plane APIs (`AzStorageShare`) aren't supported.

+You can copy individual files in a file share snapshot over to its base share or any other location. You can restore an earlier version of a file or restore the complete file share by copying file by file from the share snapshot. The share snapshot isn't promoted to base share.

+| :::image type="content" source="./media/business-intelligence/microstrategy_logo.png" alt-text="The logo of Microstrategy."::: |**MicroStrategy**<br>The MicroStrategy platform offers a complete set of business intelligence and analytics capabilities that enable organizations to get value from their business data. MicroStrategy's powerful analytical engine, comprehensive toolsets, variety of data connectors, and open architecture ensure you have everything you need to extend access to analytics across every team.|[MicroStrategy](https://www.microstrategy.com/enterprise-analytics)<br> [MicroStrategy Cloud in the Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/microstrategy.microstrategy_cloud)<br> |

+If the virtual network was integrated with a web app in the past, then the web app was deleted without disconnecting the VNet integration, see [Deleting the App Service plan or web app before disconnecting the VNet integration](../azure-functions/functions-networking-options.md#troubleshooting).

+The following section focuses on metric-based alerts. In addition to the alerts described below, which focus on the gateway component, we recommend that you use the available metrics, logs, and tools to monitor the ExpressRoute circuit. To learn more about ExpressRoute monitoring, see [ExpressRoute monitoring, metrics, and alerts](../expressroute/expressroute-monitoring-metrics-alerts.md). To learn about how you can use the ExpressRoute Traffic Collector tool, see [Configure ExpressRoute Traffic Collector for ExpressRoute Direct](../expressroute/how-to-configure-traffic-collector.md).

+* Create alert rule for bits received per second.

+* Create alert rule for packets per second.

+The following section focuses on metrics-based alerts for virtual hubs.

+**Design checklist - metric alerts**

+* Create alert rule for BGP peer status

+|Recommendation | Description|

+|||

+|Create alert rule to monitor BGP peer status.| Select the **BGP Peer Status** metric when creating the alert rule. Using a **static** threshold, choose the **Average** aggregation type and configure the alert to be triggered whenever the value is **less than 1**.<br><br> This will allow you to identify when the virtual hub router is having connectivity issues with ExpressRoute, Site-to-Site VPN, and Point-to-Site VPN gateways deployed in the hub.|

+* If your hub is connected to a large number of spoke virtual networks (60 or more), then you may notice that 1 or more spoke VNet peerings will enter a failed state after the upgrade. To restore these VNet peerings to a successful state after the upgrade, you can configure the virtual network connections to propagate to a dummy label, or you can delete and recreate these respective VNet connections.