-Enable logging in MSAL.js (JavaScript) by passing a logger object during the configuration for creating a `UserAgentApplication` instance. This logger object has the following properties:

-function loggerCallback(logLevel, message, containsPii) {

- console.log(message);

-}

-var msalConfig = {

- clientId: "<Enter your client id>",

- logger: new Msal.Logger(

- loggerCallback , {

- level: Msal.LogLevel.Verbose,

- piiLoggingEnabled: false,

- correlationId: '1234'

- }

- )

- }

-var UserAgentApplication = new Msal.UserAgentApplication(msalConfig);

-| **More information** | [Blog post](https://blogs.technet.microsoft.com/enterprisemobility/2017/02/01/azure-ad-b2b-new-updates-make-cross-business-collab-easy/), [Documentation](what-is-b2b.md) | [Product page](https://azure.microsoft.com/services/active-directory-b2c/), [Documentation](../../active-directory-b2c/index.yml) |

-One common method to improve protection for all users is to require a stronger form of account verification, such as Multi-Factor Authentication, for everyone. After users complete Multi-Factor Authentication registration, they'll be prompted for another authentication whenever necessary. Users will be prompted primarily when they authenticate using a new device from a new location, or when doing critical roles and tasks. This functionality protects all applications registered with Azure AD including SaaS applications.

-

-# Tutorial: Configure the log analytics wizard

-> [Monitoring](overview-monitoring.md)

-5. Under the **Admin Credentials** section, click on **Authorize**. You'll be redirected to Workplace by Facebook's authorization page. Input your Workplace by Facebook username and click on the **Continue** button. Click **Test Connection** to ensure Azure AD can connect to Workplace by Facebook. If the connection fails, ensure your Workplace by Facebook account has Admin permissions and try again.

-To configure or directly access a control plane, deploy your own Kubernetes cluster using [aks-engine][aks-engine].

-Deploy your own Kubernetes cluster with [aks-engine][aks-engine] if using a different host OS, container runtime, or including different custom packages. The upstream `aks-engine` releases features and provides configuration options ahead of support in AKS clusters. So, if you wish to use a container runtime other than `containerd` or Docker, you can run `aks-engine` to configure and deploy a Kubernetes cluster that meets your current needs.

-As the entry point for the Supply Chain it is important to conduct static analysis of image builds before they are promoted down the pipeline. This includes vulnerability and compliance assessment. It is not about failing off a build because it has a high vulnerability, as that will break development, it is about looking at the "Vendor Status" to segment based on vulnerabilities that are actionable by the development teams. Also leverage "Grace Periods" to allow developers time to remediate identified issues.

-After creating and connecting to the cluster, install the [Open Liberty Operator](https://github.com/OpenLiberty/open-liberty-operator/tree/master/deploy/releases/0.7.1) by running the following commands.

-OPERATOR_NAMESPACE=default

-WATCH_NAMESPACE='""'

-# Install Custom Resource Definitions (CRDs) for OpenLibertyApplication

-kubectl apply -f https://raw.githubusercontent.com/OpenLiberty/open-liberty-operator/master/deploy/releases/0.7.1/openliberty-app-crd.yaml

-# Install cluster-level role-based access

-curl -L https://raw.githubusercontent.com/OpenLiberty/open-liberty-operator/master/deploy/releases/0.7.1/openliberty-app-cluster-rbac.yaml \

- | sed -e "s/OPEN_LIBERTY_OPERATOR_NAMESPACE/${OPERATOR_NAMESPACE}/" \

- | kubectl apply -f -

-# Install the operator

-curl -L https://raw.githubusercontent.com/OpenLiberty/open-liberty-operator/master/deploy/releases/0.7.1/openliberty-app-operator.yaml \

- | sed -e "s/OPEN_LIBERTY_WATCH_NAMESPACE/${WATCH_NAMESPACE}/" \

- | kubectl apply -n ${OPERATOR_NAMESPACE} -f -

-## Kubernetes Alias Minor Version

-The sample manifest file from the git repo cloned in the first tutorial uses the login server name of *microsoft*. Make sure that you're in the cloned *azure-voting-app-redis* directory, then open the manifest file with a text editor, such as `vi`:

-Replace *microsoft* with your ACR login server name. The image name is found on line 60 of the manifest file. The following example shows the default image name:

-[gitops-flux-tutorial]: ../azure-arc/kubernetes/tutorial-use-gitops-flux2.md

-[gitops-flux-tutorial-aks]: ../azure-arc/kubernetes/tutorial-use-gitops-flux2.md#for-azure-kubernetes-service-clusters

-[control-plane-ip-address]: api-management-using-with-vnet.md#control-plane-ip-addresses

-If your API Management service is inside a virtual network, it will have two types of IP addresses - public and private.

-Public IP addresses are used for internal communication on port `3443` - for managing configuration (for example, through Azure Resource Manager). In the external VNet configuration, they are also used for runtime API traffic.

-Private virtual IP (VIP) addresses, available **only** in the [internal VNet mode](api-management-using-with-internal-vnet.md), are used to connect from within the network to API Management endpoints - gateways, the developer portal, and the management plane for direct API access. You can use them for setting up DNS records within the network.

-When API management is deployed in the [internal VNet configuration](api-management-using-with-internal-vnet.md) and API management connects to private (intranet-facing) backends, internal IP addresses from the subnet are used for the runtime API traffic. When a request is sent from API Management to a private backend, a private IP address will be visible as the origin of the request. Therefore in this configuration, if a requirement exists to restrict traffic between API Management and an internal backend, it is better to use the whole API Management subnet prefix with an IP rule and not just the private IP address associated with the API Management resource.

-In the Developer, Basic, Standard, and Premium tiers of API Management, the public IP addresses (VIP) are static for the lifetime of a service, with the following exceptions:

-* Learn more about how to [Deploy a self-hosted gateway to Kubernetes](how-to-deploy-self-hosted-gateway-kubernetes.md)

-With Azure virtual networks (VNETs), Azure API Management can manage internet-inaccessible APIs using several VPN technologies to make the connection. You can deploy API Management either via [external](./api-management-using-with-vnet.md) or internal modes. For VNET connectivity options, requirements, and considerations, see [Using a virtual network with Azure API Management](virtual-network-concepts.md).

-In this article, you'll learn how to deploy API Management in internal VNET mode. In this mode, you can only view the following service endpoints within a VNET whose access you control.

-> None of the service endpoints are registered on the public DNS. The service endpoints remain inaccessible until you [configure DNS](#dns-configuration) for the VNET.

-## Prerequisites

-Some prerequisites differ depending on the version (`stv2` or `stv1`) of the [compute platform](compute-infrastructure.md) for your API Management instance.

-> [!TIP]

-> When you use the portal to create or update the network connection of an existing API Management instance, the instance is hosted on the `stv2` compute platform.

-### [stv2](#tab/stv2)

-+ **An API Management instance.** For more information, see [Create an Azure API Management instance](get-started-create-service-instance.md).

-* **A virtual network and subnet** in the same region and subscription as your API Management instance. The subnet may contain other Azure resources.

-* **A network security group** attached to the subnet above. A network security group (NSG) is required to explicitly allow inbound connectivity, because the load balancer used internally by API Management is secure by default and rejects all inbound traffic.

- > [!NOTE]

- > When you deploy an API Management service in an internal virtual network on the `stv2` platform, it's hosted behind an internal load balancer in the [Standard SKU](../load-balancer/skus.md), using the public IP address resource.

-### [stv1](#tab/stv1)

-+ **An API Management instance.** For more information, see [Create an Azure API Management instance](get-started-create-service-instance.md).

-* **A virtual network and subnet** in the same region and subscription as your API Management instance.

- The subnet must be dedicated to API Management instances. Attempting to deploy an Azure API Management instance to a Resource Manager VNET subnet that contains other resources will cause the deployment to fail.

- > [!NOTE]

- > When you deploy an API Management service in an internal virtual network on the `stv1` platform, it's hosted behind an internal load balancer in the [Basic SKU](../load-balancer/skus.md).

-## Enable VNET connection

-### Enable VNET connectivity using the Azure portal (`stv2` platform)

- * The VNET list is populated with Resource Manager VNETs available in your Azure subscriptions, set up in the region you are configuring.

-1. Select **Apply**. The **Virtual network** page of your API Management instance is updated with your new VNET and subnet choices.

- :::image type="content" source="media/api-management-using-with-internal-vnet/api-management-using-with-internal-vnet.png" alt-text="Set up internal VNET in Azure portal":::

-1. Continue configuring VNET settings for the remaining locations of your API Management instance.

-> Since the gateway URL is not registered on the public DNS, the test console available on the Azure portal will not work for an **Internal** VNET deployed service. Instead, use the test console provided on the **Developer portal**.

-### Enable connectivity using a Resource Manager template

-#### API version 2021-01-01-preview (`stv2` platform)

-* Azure Resource Manager [template](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.apimanagement/api-management-create-with-internal-vnet-publicip)

-#### API version 2020-12-01 (`stv1` platform)

-* Azure Resource Manager [template](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.apimanagement/api-management-create-with-internal-vnet)

- [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.apimanagement%2Fapi-management-create-with-internal-vnet%2Fazuredeploy.json)

-[Create](/powershell/module/az.apimanagement/new-azapimanagement) or [update](/powershell/module/az.apimanagement/update-azapimanagementregion) an API Management instance in a VNET.

-In external VNET mode, Azure manages the DNS. For internal VNET mode, you have to manage your own DNS to enable inbound access to your API Management service endpoints.

-1. Link the Azure DNS private zone to the VNET into which you've deployed your API Management service.

-To access these API Management service endpoints, you can create a virtual machine in a subnet connected to the VNET in which API Management is deployed. Assuming the [private virtual IP address](#routing) for your service is 10.1.0.5, you can map the hosts file as follows. On Windows, this file is at `%SystemDrive%\drivers\etc\hosts`.

-2. Create records in your DNS server to access the endpoints accessible from within your VNET. Map the endpoint records to the [private virtual IP address](#routing) for your service.

-The following virtual IP addresses are configured for an API Management instance in an internal virtual network. Learn more about the [IP addresses of API Management](api-management-howto-ip-addresses.md).

-| **Private virtual IP address** | A load balanced IP address from within the API Management instance's subnet range (DIP), over which you can access the API gateway, developer portal, management, and Git endpoints.<br/><br/>Register this address with the DNS servers used by the VNET. |

-> * The VNET is enabled or disabled.

-> You may need to update DNS registrations, routing rules, and IP restriction lists within the VNET.

-Dynamic IP (DIP) addresses will be assigned to each underlying virtual machine in the service and used to access resources *within* the VNET. The API Management service's public virtual IP (VIP) address will be used to access resources *outside* the VNET. If IP restriction lists secure resources within the VNET, you must specify the entire subnet range where the API Management service is deployed to grant or restrict access from the service.

-if you deploy 1 [capacity unit](api-management-capacity.md) of API Management in the Premium tier in an internal VNET, 3 IP addresses will be used: 1 for the private VIP and one each for the DIPs for two VMs. If you scale out to 4 units, more IPs will be consumed for additional DIPs from the subnet.

-* [Network configuration when setting up Azure API Management in a VNET][Common network configuration problems]

-* [VNET FAQs](../virtual-network/virtual-networks-faq.md)

-[Common network configuration problems]: api-management-using-with-vnet.md#network-configuration-issues

-description: Learn how to set up a connection to a virtual network in Azure API Management and access web services through it.

-Azure API Management can be deployed inside an Azure virtual network (VNET) to access backend services within the network. For VNET connectivity options, requirements, and considerations, see [Using a virtual network with Azure API Management](virtual-network-concepts.md).

-This article explains how to set up VNET connectivity for your API Management instance in the *external* mode, where the developer portal, API gateway, and other API Management endpoints are accessible from the public internet. For configurations specific to the *internal* mode, where the endpoints are accessible only within the VNET, see [Connect to an internal virtual network using Azure API Management](./api-management-using-with-internal-vnet.md).

-## Prerequisites

-Some prerequisites differ depending on the version (`stv2` or `stv1`) of the [compute platform](compute-infrastructure.md) hosting your API Management instance.

-> [!TIP]

-> When you use the portal to create or update the network connection of an existing API Management instance, the instance is hosted on the `stv2` compute platform.

-### [stv2](#tab/stv2)

-+ **An API Management instance.** For more information, see [Create an Azure API Management instance](get-started-create-service-instance.md).

-* **A virtual network and subnet** in the same region and subscription as your API Management instance. The subnet may contain other Azure resources.

-* **A network security group** attached to the subnet above. A network security group (NSG) is required to explicitly allow inbound connectivity, because the load balancer used internally by API Management is secure by default and rejects all inbound traffic. For more strict configuration refer to **Required ports** below.

-### [stv1](#tab/stv1)

-+ **An API Management instance.** For more information, see [Create an Azure API Management instance](get-started-create-service-instance.md).

-* **A virtual network and subnet** in the same region and subscription as your API Management instance.

- The subnet must be dedicated to API Management instances. Attempting to deploy an Azure API Management instance to a Resource Manager VNET subnet that contains other resources will cause the deployment to fail.

-## Enable VNET connection

-### Enable VNET connectivity using the Azure portal (`stv2` compute platform)

- :::image type="content" source="media/api-management-using-with-vnet/api-management-menu-vnet.png" alt-text="Select VNET in Azure portal.":::

- * The VNET list is populated with Resource Manager VNETs available in your Azure subscriptions, set up in the region you are configuring.

- :::image type="content" source="media/api-management-using-with-vnet/api-management-using-vnet-select.png" alt-text="VNET settings in the portal.":::

-1. Select **Apply**. The **Virtual network** page of your API Management instance is updated with your new VNET and subnet choices.

-1. Continue configuring VNET settings for the remaining locations of your API Management instance.

-### Enable connectivity using a Resource Manager template

-Use the following templates to deploy an API Management instance and connect to a VNET. The templates differ depending on the version (`stv2` or `stv1`) of the [compute platform](compute-infrastructure.md) hosting your API Management instance.

-### [stv2](#tab/stv2)

-#### API version 2021-01-01-preview

-* Azure Resource Manager [template](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.apimanagement/api-management-create-with-external-vnet-publicip)

-### [stv1](#tab/stv1)

-#### API version 2020-12-01

-* Azure Resource Manager [template](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.apimanagement/api-management-create-with-external-vnet)

- [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.apimanagement%2Fapi-management-create-with-external-vnet%2Fazuredeploy.json)

-### Enable connectivity using Azure PowerShell cmdlets

-[Create](/powershell/module/az.apimanagement/new-azapimanagement) or [update](/powershell/module/az.apimanagement/update-azapimanagementregion) an API Management instance in a VNET.

-Once you've connected your API Management service to the VNET, you can access backend services within it just as you do public services. When creating or editing an API, type the local IP address or the host name (if a DNS server is configured for the VNET) of your web service into the **Web service URL** field.

-## <a name="network-configuration-issues"> </a>Common Network Configuration Issues

-Review the following sections for more network configuration settings.

-These settings address common misconfiguration issues that can occur while deploying API Management service into a VNET.

-### Custom DNS server setup

-In external VNET mode, Azure manages the DNS by default. You can optionally configure a custom DNS server. The API Management service depends on several Azure services. When API Management is hosted in a VNET with a custom DNS server, it needs to resolve the hostnames of those Azure services.

-* For reference, see the [required ports](#required-ports) and network requirements.

-> [!IMPORTANT]

-> If you plan to use a custom DNS server(s) for the VNET, set it up **before** deploying an API Management service into it. Otherwise, you'll need to update the API Management service each time you change the DNS Server(s) by running the [Apply Network Configuration Operation](/rest/api/apimanagement/current-ga/api-management-service/apply-network-configuration-updates).

-### Required ports

-You can control inbound and outbound traffic into the subnet in which API Management is deployed by using [network security group][NetworkSecurityGroups] rules. If certain ports are unavailable, API Management may not operate properly and may become inaccessible.

-When an API Management service instance is hosted in a VNET, the ports in the following table are used. Some requirements differ depending on the version (`stv2` or `stv1`) of the [compute platform](compute-infrastructure.md) hosting your API Management instance.

->[!IMPORTANT]

-> **Bold** items in the *Purpose* column indicate port configurations required for successful deployment and operation of the API Management service. Configurations labeled "optional" are only needed to enable specific features, as noted. They are not required for the overall health of the service.

-#### [stv2](#tab/stv2)

-| Source / Destination Port(s) | Direction | Transport protocol | [Service Tags](../virtual-network/network-security-groups-overview.md#service-tags) <br> Source / Destination | Purpose (\*) | VNET type |

-||--|--||-|-|

-| * / [80], 443 | Inbound | TCP | INTERNET / VIRTUAL_NETWORK | Client communication to API Management (optional) | External |

-| * / 3443 | Inbound | TCP | ApiManagement / VIRTUAL_NETWORK | Management endpoint for Azure portal and PowerShell (optional) | External & Internal |

-| * / 443 | Outbound | TCP | VIRTUAL_NETWORK / Storage | **Dependency on Azure Storage** | External & Internal |

-| * / 443 | Outbound | TCP | VIRTUAL_NETWORK / AzureActiveDirectory | [Azure Active Directory](api-management-howto-aad.md) and Azure Key Vault dependency (optional) | External & Internal |

-| * / 1433 | Outbound | TCP | VIRTUAL_NETWORK / SQL | **Access to Azure SQL endpoints** | External & Internal |

-| * / 443 | Outbound | TCP | VIRTUAL_NETWORK / AzureKeyVault | **Access to Azure Key Vault** | External & Internal |

-| * / 5671, 5672, 443 | Outbound | TCP | VIRTUAL_NETWORK / Event Hub | Dependency for [Log to Event Hub policy](api-management-howto-log-event-hubs.md) and monitoring agent (optional) | External & Internal |

-| * / 445 | Outbound | TCP | VIRTUAL_NETWORK / Storage | Dependency on Azure File Share for [GIT](api-management-configuration-repository-git.md) (optional) | External & Internal |

-| * / 443, 12000 | Outbound | TCP | VIRTUAL_NETWORK / AzureCloud | Health and Monitoring Extension (optional) | External & Internal |

-| * / 1886, 443 | Outbound | TCP | VIRTUAL_NETWORK / AzureMonitor | Publish [Diagnostics Logs and Metrics](api-management-howto-use-azure-monitor.md), [Resource Health](../service-health/resource-health-overview.md), and [Application Insights](api-management-howto-app-insights.md) (optional) | External & Internal |

-| * / 25, 587, 25028 | Outbound | TCP | VIRTUAL_NETWORK / INTERNET | Connect to SMTP Relay for sending e-mail (optional) | External & Internal |

-| * / 6381 - 6383 | Inbound & Outbound | TCP | VIRTUAL_NETWORK / VIRTUAL_NETWORK | Access Redis Service for [Cache](api-management-caching-policies.md) policies between machines (optional) | External & Internal |

-| * / 4290 | Inbound & Outbound | UDP | VIRTUAL_NETWORK / VIRTUAL_NETWORK | Sync Counters for [Rate Limit](api-management-access-restriction-policies.md#LimitCallRateByKey) policies between machines (optional) | External & Internal |

-| * / 6390 | Inbound | TCP | AZURE_LOAD_BALANCER / VIRTUAL_NETWORK | **Azure Infrastructure Load Balancer** | External & Internal |

-#### [stv1](#tab/stv1)

-| Source / Destination Port(s) | Direction | Transport protocol | [Service Tags](../virtual-network/network-security-groups-overview.md#service-tags) <br> Source / Destination | Purpose (\*) | VNET type |

-||--|--||-|-|

-| * / [80], 443 | Inbound | TCP | INTERNET / VIRTUAL_NETWORK | Client communication to API Management (optional) | External |

-| * / 3443 | Inbound | TCP | ApiManagement / VIRTUAL_NETWORK | Management endpoint for Azure portal and PowerShell (optional) | External & Internal |

-| * / 443 | Outbound | TCP | VIRTUAL_NETWORK / Storage | **Dependency on Azure Storage** | External & Internal |

-| * / 443 | Outbound | TCP | VIRTUAL_NETWORK / AzureActiveDirectory | [Azure Active Directory](api-management-howto-aad.md) dependency (optional) | External & Internal |

-| * / 1433 | Outbound | TCP | VIRTUAL_NETWORK / SQL | **Access to Azure SQL endpoints** | External & Internal |

-| * / 5671, 5672, 443 | Outbound | TCP | VIRTUAL_NETWORK / Event Hub | Dependency for [Log to Event Hub policy](api-management-howto-log-event-hubs.md) and monitoring agent (optional)| External & Internal |

-| * / 445 | Outbound | TCP | VIRTUAL_NETWORK / Storage | Dependency on Azure File Share for [GIT](api-management-configuration-repository-git.md) (optional) | External & Internal |

-| * / 443, 12000 | Outbound | TCP | VIRTUAL_NETWORK / AzureCloud | Health and Monitoring Extension & Dependency on Event Grid (if events notification activated) (optional) | External & Internal |

-| * / 1886, 443 | Outbound | TCP | VIRTUAL_NETWORK / AzureMonitor | Publish [Diagnostics Logs and Metrics](api-management-howto-use-azure-monitor.md), [Resource Health](../service-health/resource-health-overview.md), and [Application Insights](api-management-howto-app-insights.md) (optional) | External & Internal |

-| * / 25, 587, 25028 | Outbound | TCP | VIRTUAL_NETWORK / INTERNET | Connect to SMTP Relay for sending e-mail (optional) | External & Internal |

-| * / 6381 - 6383 | Inbound & Outbound | TCP | VIRTUAL_NETWORK / VIRTUAL_NETWORK | Access Redis Service for [Cache](api-management-caching-policies.md) policies between machines (optional) | External & Internal |

-| * / 4290 | Inbound & Outbound | UDP | VIRTUAL_NETWORK / VIRTUAL_NETWORK | Sync Counters for [Rate Limit](api-management-access-restriction-policies.md#LimitCallRateByKey) policies between machines (optional) | External & Internal |

-| * / * | Inbound | TCP | AZURE_LOAD_BALANCER / VIRTUAL_NETWORK | **Azure Infrastructure Load Balancer** (required for Premium SKU, optional for other SKUs) | External & Internal |

-### TLS functionality

- To enable TLS/SSL certificate chain building and validation, the API Management service needs outbound network connectivity to `ocsp.msocsp.com`, `mscrl.microsoft.com`, and `crl.microsoft.com`. This dependency is not required if any certificate you upload to API Management contains the full chain to the CA root.

-### DNS access

- Outbound access on `port 53` is required for communication with DNS servers. If a custom DNS server exists on the other end of a VPN gateway, the DNS server must be reachable from the subnet hosting API Management.

-### Metrics and health monitoring

-Outbound network connectivity to Azure Monitoring endpoints, which resolve under the following domains, are represented under the AzureMonitor service tag for use with Network Security Groups.

-| Azure Environment | Endpoints |

- |-||

-| Azure Public | <ul><li>gcs.prod.monitoring.core.windows.net</li><li>global.prod.microsoftmetrics.com</li><li>shoebox2.prod.microsoftmetrics.com</li><li>shoebox2-red.prod.microsoftmetrics.com</li><li>shoebox2-black.prod.microsoftmetrics.com</li><li>prod3.prod.microsoftmetrics.com</li><li>prod3-black.prod.microsoftmetrics.com</li><li>prod3-red.prod.microsoftmetrics.com</li><li>gcs.prod.warm.ingestion.monitoring.azure.com</li></ul> |

-| Azure Government | <ul><li>fairfax.warmpath.usgovcloudapi.net</li><li>global.prod.microsoftmetrics.com</li><li>shoebox2.prod.microsoftmetrics.com</li><li>shoebox2-red.prod.microsoftmetrics.com</li><li>shoebox2-black.prod.microsoftmetrics.com</li><li>prod3.prod.microsoftmetrics.com</li><li>prod3-black.prod.microsoftmetrics.com</li><li>prod3-red.prod.microsoftmetrics.com</li><li>prod5.prod.microsoftmetrics.com</li><li>prod5-black.prod.microsoftmetrics.com</li><li>prod5-red.prod.microsoftmetrics.com</li><li>gcs.prod.warm.ingestion.monitoring.azure.us</li></ul> |

-| Azure China 21Vianet | <ul><li>mooncake.warmpath.chinacloudapi.cn</li><li>global.prod.microsoftmetrics.com</li><li>shoebox2.prod.microsoftmetrics.com</li><li>shoebox2-red.prod.microsoftmetrics.com</li><li>shoebox2-black.prod.microsoftmetrics.com</li><li>prod3.prod.microsoftmetrics.com</li><li>prod3-red.prod.microsoftmetrics.com</li><li>prod5.prod.microsoftmetrics.com</li><li>prod5-black.prod.microsoftmetrics.com</li><li>prod5-red.prod.microsoftmetrics.com</li><li>gcs.prod.warm.ingestion.monitoring.azure.cn</li></ul> |

-

-### Regional service tags

-NSG rules allowing outbound connectivity to Storage, SQL, and Event Hubs service tags may use the regional versions of those tags corresponding to the region containing the API Management instance (for example, Storage.WestUS for an API Management instance in the West US region). In multi-region deployments, the NSG in each region should allow traffic to the service tags for that region and the primary region.

-> Enable publishing the [developer portal](api-management-howto-developer-portal.md) for an API Management instance in a VNET by allowing outbound connectivity to blob storage in the West US region. For example, use the **Storage.WestUS** service tag in an NSG rule. Currently, connectivity to blob storage in the West US region is required to publish the developer portal for any API Management instance.

-### SMTP relay

-

-Allow outbound network connectivity for the SMTP Relay, which resolves under the host `smtpi-co1.msn.com`, `smtpi-ch1.msn.com`, `smtpi-db3.msn.com`, `smtpi-sin.msn.com`, and `ies.global.microsoft.com`

-> [!NOTE]

-> Only the SMTP relay provided in API Management may be used to send email from your instance.

-### Developer portal CAPTCHA

-Allow outbound network connectivity for the developer portal's CAPTCHA, which resolves under the hosts `client.hip.live.com` and `partner.hip.live.com`.

-### Azure portal diagnostics

- When using the API Management extension from inside a VNET, outbound access to `dc.services.visualstudio.com` on `port 443` is required to enable the flow of diagnostic logs from Azure portal. This access helps in troubleshooting issues you might face when using extension.

-### Azure load balancer

- You're not required to allow inbound requests from service tag `AZURE_LOAD_BALANCER` for the `Developer` SKU, since only one compute unit is deployed behind it. But inbound from `AZURE_LOAD_BALANCER` becomes **critical** when scaling to a higher SKU, like `Premium`, as failure of health probe from load balancer then blocks all Inbound access to control plane and data plane.

-### Application Insights

- If you've enabled [Azure Application Insights](api-management-howto-app-insights.md) monitoring on API Management, allow outbound connectivity to the [telemetry endpoint](../azure-monitor/app/ip-addresses.md#outgoing-ports) from the VNET.

-### KMS endpoint

-When adding virtual machines running Windows to the VNET, allow outbound connectivity on port 1688 to the [KMS endpoint](/troubleshoot/azure/virtual-machines/custom-routes-enable-kms-activation#solution) in your cloud. This configuration routes Windows VM traffic to the Azure Key Management Services (KMS) server to complete Windows activation.

-### Force tunneling traffic to on-premises firewall Using ExpressRoute or Network Virtual Appliance

- Commonly, you configure and define your own default route (0.0.0.0/0), forcing all traffic from the API Management-delegated subnet to flow through an on-premises firewall or to a network virtual appliance. This traffic flow breaks connectivity with Azure API Management, since outbound traffic is either blocked on-premises, or NAT'd to an unrecognizable set of addresses no longer working with various Azure endpoints. You can solve this issue via a couple of methods:

- * Enable [service endpoints][ServiceEndpoints] on the subnet in which the API Management service is deployed for:

- * Azure SQL

- * Azure Storage

- * Azure Event Hub

- * Azure Key Vault (v2 platform)

-

- By enabling endpoints directly from API Management subnet to these services, you can use the Microsoft Azure backbone network, providing optimal routing for service traffic. If you use service endpoints with a force tunneled API Management, the above Azure services traffic isn't force tunneled. The other API Management service dependency traffic is force tunneled and can't be lost. If lost, the API Management service would not function properly.

- * All the control plane traffic from the internet to the management endpoint of your API Management service is routed through a specific set of inbound IPs, hosted by API Management. When the traffic is force tunneled, the responses will not symmetrically map back to these inbound source IPs. To overcome the limitation, set the destination of the following user-defined routes ([UDRs][UDRs]) to the "Internet", to steer traffic back to Azure. Find the set of inbound IPs for control plane traffic documented in [Control Plane IP Addresses](#control-plane-ip-addresses).

- * For other force tunneled API Management service dependencies, resolve the hostname and reach out to the endpoint. These include:

- - Metrics and Health Monitoring

- - Azure portal Diagnostics

- - SMTP Relay

- - Developer portal CAPTCHA

- - Azure KMS server

-## Routing

-+ A load-balanced public IP address (VIP) is reserved to provide access to all service endpoints and resources outside the VNET.

- + Load balanced public IP addresses can be found on the **Overview/Essentials** blade in the Azure portal.

-+ An IP address from a subnet IP range (DIP) is used to access resources within the VNET.

-> [!NOTE]

-> The VIP address(es) of the API Management instance will change when:

-> * The VNET is enabled or disabled.

-> * API Management is moved from **External** to **Internal** virtual network mode, or vice versa.

-> * [Zone redundancy](zone-redundancy.md) settings are enabled, updated, or disabled in a location for your instance (Premium SKU only).

-## Control plane IP addresses

-The following IP addresses are divided by **Azure Environment**. When allowing inbound requests, IP addresses marked with **Global** must be permitted, along with the **Region**-specific IP address. In some cases, two IP addresses are listed. Permit both IP addresses.

-| **Azure Environment**| **Region**| **IP address**|

-|--|-||

-| Azure Public| South Central US (Global)| 104.214.19.224|

-| Azure Public| North Central US (Global)| 52.162.110.80|

-| Azure Public| Australia Central| 20.37.52.67|

-| Azure Public| Australia Central 2| 20.39.99.81|

-| Azure Public| Australia East| 20.40.125.155|

-| Azure Public| Australia Southeast| 20.40.160.107|

-| Azure Public| Brazil South| 191.233.24.179, 191.238.73.14|

-| Azure Public| Brazil Southeast| 191.232.18.181|

-| Azure Public| Canada Central| 52.139.20.34, 20.48.201.76|

-| Azure Public| Canada East| 52.139.80.117|

-| Azure Public| Central India| 13.71.49.1, 20.192.45.112|

-| Azure Public| Central US| 13.86.102.66|

-| Azure Public| Central US EUAP| 52.253.159.160|

-| Azure Public| East Asia| 52.139.152.27|

-| Azure Public| East US| 52.224.186.99|

-| Azure Public| East US 2| 20.44.72.3|

-| Azure Public| East US 2 EUAP| 52.253.229.253|

-| Azure Public| France Central| 40.66.60.111|

-| Azure Public| France South| 20.39.80.2|

-| Azure Public| Germany North| 51.116.0.0|

-| Azure Public| Germany West Central| 51.116.96.0, 20.52.94.112|

-| Azure Public| Japan East| 52.140.238.179|

-| Azure Public| Japan West| 40.81.185.8|

-| Azure Public| India Central| 20.192.234.160|

-| Azure Public| India West| 20.193.202.160|

-| Azure Public| Korea Central| 40.82.157.167, 20.194.74.240|

-| Azure Public| Korea South| 40.80.232.185|

-| Azure Public| North Central US| 40.81.47.216|

-| Azure Public| North Europe| 52.142.95.35|

-| Azure Public| Norway East| 51.120.2.185|

-| Azure Public| Norway West| 51.120.130.134|

-| Azure Public| South Africa North| 102.133.130.197, 102.37.166.220|

-| Azure Public| South Africa West| 102.133.0.79|

-| Azure Public| South Central US| 20.188.77.119, 20.97.32.190|

-| Azure Public| South India| 20.44.33.246|

-| Azure Public| Southeast Asia| 40.90.185.46|

-| Azure Public| Switzerland North| 51.107.0.91|

-| Azure Public| Switzerland West| 51.107.96.8|

-| Azure Public| UAE Central| 20.37.81.41|

-| Azure Public| UAE North| 20.46.144.85|

-| Azure Public| UK South| 51.145.56.125|

-| Azure Public| UK West| 51.137.136.0|

-| Azure Public| West Central US| 52.253.135.58|

-| Azure Public| West Europe| 51.145.179.78|

-| Azure Public| West India| 40.81.89.24|

-| Azure Public| West US| 13.64.39.16|

-| Azure Public| West US 2| 51.143.127.203|

-| Azure Public| West US 3| 20.150.167.160|

-| Azure China 21Vianet| China North (Global)| 139.217.51.16|

-| Azure China 21Vianet| China East (Global)| 139.217.171.176|

-| Azure China 21Vianet| China North| 40.125.137.220|

-| Azure China 21Vianet| China East| 40.126.120.30|

-| Azure China 21Vianet| China North 2| 40.73.41.178|

-| Azure China 21Vianet| China East 2| 40.73.104.4|

-| Azure Government| USGov Virginia (Global)| 52.127.42.160|

-| Azure Government| USGov Texas (Global)| 52.127.34.192|

-| Azure Government| USGov Virginia| 52.227.222.92|

-| Azure Government| USGov Iowa| 13.73.72.21|

-| Azure Government| USGov Arizona| 52.244.32.39|

-| Azure Government| USGov Texas| 52.243.154.118|

-| Azure Government| USDoD Central| 52.182.32.132|

-| Azure Government| USDoD East| 52.181.32.192|

-## Troubleshooting

-* **Unsuccessful initial deployment of API Management service into a subnet**

- * Deploy a virtual machine into the same subnet.

- * Connect to the virtual machine and validate connectivity to one of each of the following resources in your Azure subscription:

- * Azure Storage blob

- * Azure SQL Database

- * Azure Storage Table

- * Azure Key Vault (for an API Management instance hosted on the [`stv2` platform](compute-infrastructure.md))

- > [!IMPORTANT]

- > After validating the connectivity, remove all the resources in the subnet before deploying API Management into the subnet (required when API Management is hosted on the `stv1` platform).

-* **Verify network connectivity status**

- * After deploying API Management into the subnet, use the portal to check the connectivity of your instance to dependencies, such as Azure Storage.

- * In the portal, in the left-hand menu, under **Deployment and infrastructure**, select **Network connectivity status**.

- :::image type="content" source="media/api-management-using-with-vnet/verify-network-connectivity-status.png" alt-text="Verify network connectivity status in the portal":::

- | Filter | Description |

- | -- | -- |

- | **Required** | Select to review the required Azure services connectivity for API Management. Failure indicates that the instance is unable to perform core operations to manage APIs. |

- | **Optional** | Select to review the optional services connectivity. Failure indicates only that the specific functionality will not work (for example, SMTP). Failure may lead to degradation in using and monitoring the API Management instance and providing the committed SLA. |

- To address connectivity issues, review [network configuration settings](#network-configuration-issues) and fix required network settings.

-* **Incremental updates**

- When making changes to your network, refer to [NetworkStatus API](/rest/api/apimanagement/current-ga/network-status) to verify that the API Management service has not lost access to critical resources. The connectivity status should be updated every 15 minutes.

-* **Resource navigation links**

- An APIM instance hosted on the [`stv1` compute platform](compute-infrastructure.md), when deployed into a Resource Manager VNET subnet, reserves the subnet by creating a resource navigation link. If the subnet already contains a resource from a different provider, deployment will **fail**. Similarly, when you delete an API Management service, or move it to a different subnet, the resource navigation link will be removed.

-This article provides the steps for deploying self-hosted gateway component of Azure API Management to [Azure Kubernetes Service](https://azure.microsoft.com/services/kubernetes-service/). For deploying self-hosted gateway to a Kubernetes cluster, see the [how-to article](how-to-deploy-self-hosted-gateway-kubernetes.md).

-> Hosting self-hosted gateway in Docker is best suited for evaluation and development use cases. Kubernetes is recommended for production use. See [this](how-to-deploy-self-hosted-gateway-kubernetes.md) document to learn how to deploy self-hosted gateway to Kubernetes.

-description: Learn how to deploy a self-hosted gateway component of Azure API Management to Kubernetes

-# Deploy a self-hosted gateway to Kubernetes

-With Azure Virtual Networks (VNETs), you can place your Azure resources in a non-internet-routable network to which you control access. You can then connect VNETs to your on-premises networks using various VPN technologies. To learn more about Azure VNETs, start with the information in the [Azure Virtual Network Overview](../virtual-network/virtual-networks-overview.md).

-This article explains VNET connectivity options, requirements, and considerations for your API Management instance. You can use the Azure portal, Azure CLI, Azure Resource Manager templates, or other tools for the deployment. You control inbound and outbound traffic into the subnet in which API Management is deployed by using [network security groups][NetworkSecurityGroups].

-When created, an API Management instance must be accessible from the internet. Using a virtual network, you can configure the developer portal, API gateway, and other API Management endpoints to be accessible either from the internet (external mode) or only within the VNET (internal mode).

-* **External** - The API Management endpoints are accessible from the public internet via an external load balancer. The gateway can access resources within the VNET.

- :::image type="content" source="media/virtual-network-concepts/api-management-vnet-external.png" alt-text="Connect to external VNET":::

-* **Internal** - The API Management endpoints are accessible only from within the VNET via an internal load balancer. The gateway can access resources within the VNET.

- :::image type="content" source="media/virtual-network-concepts/api-management-vnet-internal.png" alt-text="Connect to internal VNET":::

-* For multi-region API Management deployments, you configure virtual network resources separately for each location.

-The minimum size of the subnet in which API Management can be deployed is /29, which gives three usable IP addresses. Each extra scale unit of API Management requires two more IP addresses. The minimum size requirement is based on the following considerations:

-* In addition to the IP addresses used by the Azure VNET infrastructure, each API Management instance in the subnet uses:

-* Each instance reserves an extra IP address for the external load balancer. When deploying into an [internal VNET](./api-management-using-with-internal-vnet.md), the instance requires an extra IP address for the internal load balancer.

-See the Routing guidance when deploying your API Management instance into an [external VNET](./api-management-using-with-vnet.md#routing) or [internal VNET](./api-management-using-with-internal-vnet.md#routing).

-In external mode, the VNET enables [Azure-provided name resolution](../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md#azure-provided-name-resolution) for your API Management endpoints and other Azure resources. It does not provide name resolution for on-premises resources.

-In internal mode, you must provide your own DNS solution to ensure name resolution for API Management endpoints and other required Azure resources. We recommend configuring an Azure [private DNS zone](../dns/private-dns-overview.md).

-> If you plan to use a custom DNS solution for the VNET, set it up **before** deploying an API Management service into it. Otherwise, you'll need to update the API Management service each time you change the DNS server(s) by running the [Apply Network Configuration Operation](/rest/api/apimanagement/current-ga/api-management-service/apply-network-configuration-updates).

-* For multi-region API Management deployments configured in internal VNET mode, users own the routing and are responsible for managing the load balancing across multiple regions.

-* For multi-region API Management deployments configured in internal VNET mode, users own the routing and are responsible for managing the load balancing across multiple regions.

-* Due to platform limitations, connectivity between a resource in a globally peered VNET in another region and an API Management service in internal mode will not work. For more information, see the [virtual network documentation](../virtual-network/virtual-network-manage-peering.md#requirements-and-constraints).

-The recommended way to authenticate with Azure App Services for GitHub Actions is with a publish profile. You can also authenticate with a service principal but the process requires more steps.

-The recommended way to authenticate with Azure App Services for GitHub Actions is with a publish profile. You can also authenticate with a service principal but the process requires more steps.

-mvn com.microsoft.azure:azure-webapp-maven-plugin:2.2.3:config

-1. When prompted with **webcontainer** option, select **Tomcat 8.5** by entering `3`.

-| `WEBSITE_LOCAL_CACHE_READWRITE_OPTION` | Read-write options of the local cache. Available options are: <br/>- `ReadOnly`: Cache is read-only.<br/>- `WriteWithCopyBack`: Allow writes to local cache and copy periodically to shared storage. Applicable only for single instance apps as the SCM site points to local cache.<br/>- `WriteButDiscardChanges`: Allow writes to local cache but discard changes made locally. |

-|[🆕 **General document model**](concept-general-document.md)|Extract text, tables, structure, key-value pairs and, named entities.|<ul ><li>[**Form Recognizer Studio**](quickstarts/try-v3-form-recognizer-studio.md#prebuilt-models)</li><li>[**REST API**](quickstarts/try-v3-rest-api.md#try-it-general-document-model)</li><li>[**C# SDK**](quickstarts/try-v3-csharp-sdk.md#general-document-model)</li><li>[**Python SDK**](quickstarts/try-v3-python-sdk.md#general-document-model)</li><li>[**Java SDK**](quickstarts/try-v3-java-sdk.md#try-it-general-document-model)</li><li>[**JavaScript**](quickstarts/try-v3-javascript-sdk.md#general-document-model)</li></ul> |

-|[**Layout model**](concept-layout.md) | Extract text, selection marks, and tables structures, along with their bounding box coordinates, from forms and documents.</br></br> Layout API has been updated to a prebuilt model. | <ul><li>[**Form Recognizer Studio**](quickstarts/try-v3-form-recognizer-studio.md#layout)</li><li>[**REST API**](quickstarts/try-v3-rest-api.md#try-it-layout-model)</li><li>[**C# SDK**](quickstarts/try-v3-csharp-sdk.md#layout-model)</li><li>[**Python SDK**](quickstarts/try-v3-python-sdk.md#layout-model)</li><li>[**Java SDK**](quickstarts/try-v3-java-sdk.md#try-it-layout-model)</li><li>[**JavaScript**](quickstarts/try-v3-javascript-sdk.md#layout-model)</li></ul>|

-|[**Receipt model (updated)**](concept-receipt.md) | Automated data processing and extraction of key information from sales receipts.</br></br>Receipt model v3.0 supports processing of **single-page hotel receipts**.| <ul><li>[**Form Recognizer Studio**](quickstarts/try-v3-form-recognizer-studio.md#prebuilt-models)</li><li>[**REST API**](quickstarts/try-v3-rest-api.md)</li><li>[**C# SDK**](quickstarts/try-v3-csharp-sdk.md#prebuilt-model)</li><li>[**Python SDK**](quickstarts/try-v3-python-sdk.md#prebuilt-model)</li><li>[**Java SDK**](quickstarts/try-v3-java-sdk.md#try-it-prebuilt-model)</li><li>[**JavaScript**](quickstarts/try-v3-javascript-sdk.md#prebuilt-model)</li></ul>|

-|[**ID document model (updated)**](concept-id-document.md) |Automated data processing and extraction of key information from US driver's licenses and international passports.</br></br>Prebuilt ID document API supports the **extraction of endorsements, restrictions, and vehicle classifications from US driver's licenses**. |<ul><li> [**Form Recognizer Studio**](quickstarts/try-v3-form-recognizer-studio.md#prebuilt-models)</li><li>[**REST API**](quickstarts/try-v3-rest-api.md)</li><li>[**C# SDK**](quickstarts/try-v3-csharp-sdk.md#prebuilt-model)</li><li>[**Python SDK**](quickstarts/try-v3-python-sdk.md#prebuilt-model)</li><li>[**Java SDK**](quickstarts/try-v3-java-sdk.md#try-it-prebuilt-model)</li><li>[**JavaScript**](quickstarts/try-v3-javascript-sdk.md#prebuilt-model)</li></ul>|

-|[**Business card model**](concept-business-card.md) |Automated data processing and extraction of key information from business cards.| <ul><li>[**Form Recognizer Studio**](quickstarts/try-v3-form-recognizer-studio.md#prebuilt-models)</li><li>[**REST API**](quickstarts/try-v3-rest-api.md)</li><li>[**C# SDK**](quickstarts/try-v3-csharp-sdk.md#prebuilt-model)</li><li>[**Python SDK**](quickstarts/try-v3-python-sdk.md#prebuilt-model)</li><li>[**Java SDK**](quickstarts/try-v3-java-sdk.md#try-it-prebuilt-model)</li><li>[**JavaScript**](quickstarts/try-v3-javascript-sdk.md#prebuilt-model)</li></ul>|

-#### Try the prebuilt invoice sample

-> * For this example, we wll analyze an invoice document using a prebuilt model. You can use our [sample invoice document](https://raw.githubusercontent.com/Azure-Samples/cognitive-services-REST-api-samples/master/curl/form-recognizer/sample-invoice.pdf) for this quickstart.

-* [🆕 **General document**](#try-it-general-document-model)—Analyze and extract text, tables, structure, key-value pairs and named entities.

-* [**Layout**](#try-it-layout-model)ΓÇöAnalyze and extract tables, lines, words, and selection marks like radio buttons and check boxes in forms documents, without the need to train a model.

-* [**Prebuilt Invoice**](#try-it-prebuilt-model)ΓÇöAnalyze and extract common fields from specific document types using a pre-trained model.

-* A [Java Development Kit (JDK)](/java/azure/jdk/?view=azure-java-stable&preserve-view=true

-), version 8 or later

-> [!TIP]

-> Create a Cognitive Services resource if you plan to access multiple cognitive services under a single endpoint/key. For Form Recognizer access only, create a Form Recognizer resource. Please note that you'lll need a single-service resource if you intend to use [Azure Active Directory authentication](../../../active-directory/authentication/overview-authentication.md).

-* After your resource deploys, click **Go to resource**. You need the key and endpoint from the resource you create to connect your application to the Form Recognizer API. You'll paste your key and endpoint into the code below later in the quickstart:

-### Create a new Gradle project

-In a console window (such as cmd, PowerShell, or Bash), create a new directory for your app called **form-recognizer-app**, and navigate to it.

-```console

-mkdir form-recognizer-app && form-recognizer-app

-```

-Run the `gradle init` command from your working directory. This command will create essential build files for Gradle, including *build.gradle.kts*, which is used at runtime to create and configure your application.

-```console

-gradle init --type basic

-```

-### Install the client library

-In your project's *build.gradle.kts* file, include the client library as an `implementation` statement, along with the required plugins and settings.

-```kotlin

-plugins {

- java

- application

-}

-application {

- mainClass.set("FormRecognizer")

-}

-repositories {

- mavenCentral()

-}

-dependencies {

- implementation(group = "com.azure", name = "azure-ai-formrecognizer", version = "4.0.0-beta.1")

-}

-```

-### Create a Java file

-From your working directory, run the following command:

-```console

-mkdir -p src/main/java

-```

-You will create the following directory structure:

-Navigate to the new folder and create a file called *FormRecognizer.java* (created during the `gradle init` command). Open it in your preferred editor or IDE and add the following package declaration and `import` statements:

-package com.azure.ai.formrecognizer;

-import com.azure.ai.formrecognizer.models.AnalyzeDocumentOptions;

-import com.azure.ai.formrecognizer.models.AnalyzedDocument;

-import com.azure.core.credential.AzureKeyCredential;

-import com.azure.core.http.HttpPipeline;

-import com.azure.core.http.HttpPipelineBuilder;

-import com.azure.core.util.Context;

-import java.io.ByteArrayInputStream;

-import java.io.File;

-import java.io.IOException;

-import java.io.InputStream;

-import java.nio.file.Files;

-import java.util.Arrays;

-### Select a code sample to copy and paste into your application's main method:

-* [**General document**](#try-it-general-document-model)

-* [**Layout**](#try-it-layout-model)

-* [**Prebuilt Invoice**](#try-it-prebuilt-model)

-> Remember to remove the key from your code when you're done, and never post it publicly. For production, use secure methods to store and access your credentials. See the Cognitive Services [security](../../../cognitive-services/cognitive-services-security.md) article for more information.

-## **Try it**: General document model

-Update your application's **FormRecognizer** class, with the following code (be certain to update the key and endpoint variables with values from your Form Recognizer instance in the Azure portal):

-public class FormRecognizer {

- static final String key = "PASTE_YOUR_FORM_RECOGNIZER_SUBSCRIPTION_KEY_HERE";

- static final String endpoint = "PASTE_YOUR_FORM_RECOGNIZER_ENDPOINT_HERE";

- DocumentAnalysisClient documentAnalysisClient = new DocumentAnalysisClientBuilder()

- .credential(new AzureKeyCredential("{key}"))

- .endpoint("{endpoint}")

- SyncPoller < DocumentOperationResult, AnalyzeResult > analyzeDocumentPoller =

- documentAnalysisClient.beginAnalyzeDocumentFromUrl(modelId, documentUrl);

- for (int i = 0; i < analyzeResult.getDocuments().size(); i++) {

- final AnalyzedDocument analyzedDocument = analyzeResult.getDocuments().get(i);

- System.out.printf("-- Analyzing document %d --%n", i);

- System.out.printf("Analyzed document has doc type %s with confidence : %.2f%n",

- analyzedDocument.getDocType(), analyzedDocument.getConfidence());

- }

- analyzeResult.getPages().forEach(documentPage - > {

- System.out.printf("Page has width: %.2f and height: %.2f, measured with unit: %s%n",

- documentPage.getWidth(),

- documentPage.getHeight(),

- documentPage.getUnit());

- documentPage.getLines().forEach(documentLine - >

- documentPage.getWords().forEach(documentWord - >

- List < DocumentTable > tables = analyzeResult.getTables();

- documentTable.getCells().forEach(documentTableCell - > {

- analyzeResult.getEntities().forEach(documentEntity - > {

- // Key-value

- analyzeResult.getKeyValuePairs().forEach(documentKeyValuePair - > {

- System.out.printf("Value content: %s%n", documentKeyValuePair.getValue().getContent());

- System.out.printf("Value content bounding region: %s%n", documentKeyValuePair.getValue().getBoundingRegions().toString());

- });

- Build a custom document analysis model

- In 3. x.x, creating a custom model required specifying useTrainingLabels to indicate whether to use labeled data when creating the custom model with the beginTraining method.

- In 4. x.x, we introduced the new general document model(prebuilt - document) to replace the train without labels functionality from 3. x.x which extracts entities, key - value pairs, and layout from a document with the beginBuildModel method.In 4. x.x the beginBuildModel always returns labeled data otherwise.

- Train a custom model using 3. x.x beginTraining:

- String trainingFilesUrl = "{SAS_URL_of_your_container_in_blob_storage}";

- SyncPoller < FormRecognizerOperationResult, CustomFormModel > trainingPoller =

- formTrainingClient.beginTraining(trainingFilesUrl,

- false,

- new TrainingOptions()

- .setModelName("my model trained without labels"),

- Context.NONE);

- CustomFormModel customFormModel = trainingPoller.getFinalResult();

- // Model Info

- System.out.printf("Model Id: %s%n", customFormModel.getModelId());

- System.out.printf("Model name given by user: %s%n", customFormModel.getModelName());

- System.out.printf("Model Status: %s%n", customFormModel.getModelStatus());

- System.out.printf("Training started on: %s%n", customFormModel.getTrainingStartedOn());

- System.out.printf("Training completed on: %s%n%n", customFormModel.getTrainingCompletedOn());

- System.out.println("Recognized Fields:");

- // looping through the subModels, which contains the fields they were trained on

- // Since the given training documents are unlabeled we still group them but, they do not have a label.

- customFormModel.getSubmodels().forEach(customFormSubmodel - > {

- System.out.printf("Submodel Id: %s%n: ", customFormSubmodel.getModelId());

- // Since the training data is unlabeled, we are unable to return the accuracy of this model

- customFormSubmodel.getFields().forEach((field, customFormModelField) - >

- System.out.printf("Field: %s Field Label: %s%n",

- field, customFormModelField.getLabel()));

- });

- System.out.println();

- customFormModel.getTrainingDocuments().forEach(trainingDocumentInfo - > {

- System.out.printf("Document name: %s%n", trainingDocumentInfo.getName());

- System.out.printf("Document status: %s%n", trainingDocumentInfo.getStatus());

- System.out.printf("Document page count: %d%n", trainingDocumentInfo.getPageCount());

- if (!trainingDocumentInfo.getErrors().isEmpty()) {

- System.out.println("Document Errors:");

- trainingDocumentInfo.getErrors().forEach(formRecognizerError - >

- System.out.printf("Error code %s, Error message: %s%n", formRecognizerError.getErrorCode(),

- formRecognizerError.getMessage()));

-## **Try it**: Layout model

-Extract text, selection marks, text styles, and table structures, along with their bounding region coordinates from documents.

-Update your application's **FormRecognizer** class, with the following code (be certain to update the key and endpoint variables with values from your Form Recognizer instance in the Azure portal):

-```java

-public class FormRecognizer {

- static final String key = "PASTE_YOUR_FORM_RECOGNIZER_SUBSCRIPTION_KEY_HERE";

- static final String endpoint = "PASTE_YOUR_FORM_RECOGNIZER_ENDPOINT_HERE";

- public static void main(String[] args) {

- DocumentAnalysisClient documentAnalysisClient = new DocumentAnalysisClientBuilder()

- .credential(new AzureKeyCredential("{key}"))

- .endpoint("{endpoint}")

- String documentUrl = "https://raw.githubusercontent.com/Azure-Samples/cognitive-services-REST-api-samples/master/curl/form-recognizer/sample-layout.pdf"

- documentAnalysisClient.beginAnalyzeDocument(modelId, documentUrl);

- // pages

- analyzeLayoutResult.getPages().forEach(documentPage - > {

- System.out.printf("Page has width: %.2f and height: %.2f, measured with unit: %s%n",

- documentPage.getWidth(),

- documentPage.getHeight(),

- documentPage.getUnit());

- documentPage.getLines().forEach(documentLine - >

- documentPage.getSelectionMarks().forEach(documentSelectionMark - >

- documentTable.getCells().forEach(documentTableCell - > {

-## **Try it**: Prebuilt model

-You are not limited to invoicesΓÇöthere are several prebuilt models to choose from, each of which has its own set of supported fields. The model to use for the analyze operation depends on the type of document to be analyzed. Here are the model IDs for the prebuilt models currently supported by the Form Recognizer service:

-#### Try the prebuilt invoice sample

-> * You can use our [sample invoice document](https://raw.githubusercontent.com/Azure-Samples/cognitive-services-REST-api-samples/master/curl/form-recognizer/sample-invoice.pdf) for this quickstart.

-Update your application's **FormRecognizer** class, with the following code (be certain to update the key and endpoint variables with values from your Form Recognizer instance in the Azure portal):

-Congratulations! In this quickstart, you used the Form Recognizer Java SDK to analyze various forms and documents in different ways. Next, explore the reference documentation to learn about Form Recognizer API in more depth.

-#### Try the prebuilt invoice sample

-> * You can use our [sample invoice document](https://raw.githubusercontent.com/Azure-Samples/cognitive-services-REST-api-samples/master/curl/form-recognizer/sample-invoice.pdf) for this quickstart.

-#### Try the prebuilt invoice sample

-> * You can use our [sample invoice document](https://raw.githubusercontent.com/Azure-Samples/cognitive-services-REST-api-samples/master/curl/form-recognizer/sample-invoice.pdf) for this quickstart.

-kubectl get datacontrollers -n -o custom-columns=BUILD:.spec.docker.imageTag

-If you encounter any troubles with upgrading, see the [troubleshooting guide](troubleshoot-guide.md).

-> and preview services in the [Release Notes](/release-notes).

- :::code language="yaml" source="~/azure_arc_sample/arc_data_services/upgrade/yaml/service-account.yaml":::

- <!-- https://github.com/microsoft/azure_arc/blob/main/arc_data_services/upgrade/yaml/service-account.yaml-->

- :::code language="yaml" source="~/azure_arc_sample/arc_data_services/upgrade/yaml/cluster-role.yaml":::

- :::code language="yaml" source="~/azure_arc_sample/arc_data_services/upgrade/yaml/cluster-role-binding.yaml":::

- :::code language="yaml" source="~/azure_arc_sample/arc_data_services/upgrade/yaml/job.yaml":::

-> The Azure CLI is in the process of being updated to leverage the latest preview version of alert processing rules. Until then, you can use existing CLI capabilities under the **action rule** command to create alert processing rules. That CLI does not support some of the newer alert processing rules features.

-> The Azure CLI is in the process of being updated to leverage the latest preview version of alert processing rules. Until then, you can use existing CLI capabilies under the **action rule** command to create alert processing rules. That CLI does not support some of the newer alert processing rules features.

-Data stored in Log Analytics is available for the retention period defined in your workspace and used in Azure Monitor and Azure experiences, where more capabilities can be met using export:

-* Temper protected store compliance -- data can't be altered in Log Analytics once ingested, but can be purged. Export to storage account set with [immutability policies](../../storage/blobs/immutable-policy-configure-version-scope.md) to protect data from changes.

-* Integration with Azure services and other tools -- export to event hub in near-real-time lets you integrate with services and tools of your choice.

-* Keep data for long time for compliance and in low cost -- export to storage account in the same region as your workspace, replicate data to other storage accounts in other regions using any of the [Azure Storage redundancy options](../../storage/common/storage-redundancy.md#redundancy-in-a-secondary-region) including GRS and GZRS.

-Currently, there are no other charges for the data export feature. Pricing for data export will be announced in the future and a notice period provided prior to the start of billing. If you choose to continue using data export after the notice period, you will be billed at the applicable rate.

-

-Use the following command to create a data export rule to an event hub using CLI. When specific event hub name isn't provided, a separate container is created for each table.

-$eventHubsNamespacesResourceId = '/subscriptions/subscription-id/resourceGroups/resource-group-name/providers/Microsoft.EventHub/namespaces/namespaces-name'

-az monitor log-analytics workspace data-export create --resource-group resourceGroupName --workspace-name workspaceName --name ruleName --tables SecurityEvent Heartbeat --destination $eventHubsNamespacesResourceId

-Use the following command to create a data export rule to a specific event hub using CLI. All tables are exported to the provided event hub name.

-$eventHubResourceId = '/subscriptions/subscription-id/resourceGroups/resource-group-name/providers/Microsoft.EventHub/namespaces/namespaces-name/eventhubs/eventhub-name'

-az monitor log-analytics workspace data-export create --resource-group resourceGroupName --workspace-name workspaceName --name ruleName --tables SecurityEvent Heartbeat --destination $eventHubResourceId

-Export rules can be disabled to let you stop the export for a certain period such as when testing is being held. Use the following command to disable a data export rule using PowerShell.

-Update-AzOperationalInsightsDataExport -ResourceGroupName resourceGroupName -WorkspaceName workspaceName -DataExportName 'ruleName' -Enable: $false

-Export rules can be disabled to let you stop the export for a certain period such as when testing is being held. Use the following command to disable a data export rule using CLI.

-Export rules can be disabled to let you stop the export when you donΓÇÖt need to retain data for a certain period such as when testing is being performed. Use the following request to disable a data export rule using the REST API. The request should use bearer token authorization.

-## Supported regions

-## Credentials for restoring modules

-To [restore](bicep-cli.md#restore) external modules to the local cache, the account must have the correct permissions to access the registry. You can configure the credential precedence for authenticating to the registry. By default, Bicep uses the credentials from the user authenticated in Azure CLI or Azure PowerShell. To customize the credential precedence, add `cloud` and `credentialPrecedence` elements to the config file.

-* AzureCLI

-* AzurePowerShell

-* Environment

-* ManagedIdentity

-* VisualStudio

-* VisualStudioCode

-* [Configure your Bicep environment](bicep-config.md)

-* [Add linter settings to Bicep config](bicep-config-linter.md)

-* Learn about [modules](modules.md)

-1. Get the login server name. You need this name when linking to the registry from your Bicep files.

- # [PowerShell](#tab/azure-powershell)

- To get the login server name, use [Get-AzContainerRegistry](/powershell/module/az.containerregistry/get-azcontainerregistry).

- ```azurepowershell

- Get-AzContainerRegistry -ResourceGroupName "<resource-group-name>" -Name "<registry-name>" | Select-Object LoginServer

- ```

- # [Azure CLI](#tab/azure-cli)

- To get the login server name, use [az acr show](/cli/azure/acr#az_acr_show).

- ```azurecli

- az acr show --resource-group <resource-group-name> --name <registry-name> --query loginServer

- ```

-

- The format of the login server name is: `<registry-name>.azurecr.io`.

-#### [SQL Database](#tab/managed-instance)

-

-# [Azure SQL Database](#tab/single-database)

-The following table includes links to Azure CLI script examples to manage single and pooled databases in Azure SQL Database.

-|**Create databases in Azure SQL Database**||

-| [Create a single database and configure a firewall rule](scripts/create-and-configure-database-cli.md) | Creates an SQL Database and configures a server-level firewall rule. |

-| [Create elastic pools and move pooled databases](scripts/move-database-between-elastic-pools-cli.md) | Creates elastic pools, moves pooled databases, and changes compute sizes. |

-|**Scale databases in Azure SQL Database**||

-| [Scale a single database](scripts/monitor-and-scale-database-cli.md) | Scales a database in SQL Database to a different compute size after querying the size information for the database. |

-| [Scale an elastic pool](scripts/scale-pool-cli.md) | Scales a SQL elastic pool to a different compute size. |

-|**Configure geo-replication and failover**||

-| [Add a single database to a failover group](scripts/add-database-to-failover-group-cli.md)| Creates a database and a failover group, adds the database to the failover group, then tests failover to the secondary server. |

-| [Configure a failover group for an elastic pool](../../sql-database/scripts/sql-database-add-elastic-pool-to-failover-group-cli.md) | Creates a database, adds it to an elastic pool, adds the elastic pool to the failover group, then tests failover to the secondary server. |

-| [Configure and fail over a single database by using active geo-replication](../../sql-database/scripts/sql-database-setup-geodr-and-failover-database-cli.md)| Configures active geo-replication for a database in Azure SQL Database and fails it over to the secondary replica. |

-| [Configure and fail over a pooled database by using active geo-replication](../../sql-database/scripts/sql-database-setup-geodr-and-failover-pool-cli.md)| Configures active geo-replication for a database in an elastic pool, then fails it over to the secondary replica. |

-| [Configure auditing and threat-detection](../../sql-database/scripts/sql-database-auditing-and-threat-detection-cli.md)| Configures auditing and threat detection policies for a database in Azure SQL Database. |

-| [Back up a database](../../sql-database/scripts/sql-database-backup-database-cli.md)| Backs up a database in SQL Database to an Azure storage backup. |

-| [Restore a database](../../sql-database/scripts/sql-database-restore-database-cli.md)| Restores a database in SQL Database from a geo-redundant backup and restores a deleted database to the latest backup. |

-| [Copy a database to a new server](../../sql-database/scripts/sql-database-copy-database-to-new-server-cli.md) | Creates a copy of an existing database in SQL Database in a new server. |

-| [Import a database from a BACPAC file](../../sql-database/scripts/sql-database-import-from-bacpac-cli.md)| Imports a database to SQL Database from a BACPAC file. |

-Learn more about the [single-database Azure CLI API](single-database-manage.md#the-azure-cli).

-# [Azure SQL Managed Instance](#tab/managed-instance)

-| **Create a SQL Managed Instance**||

-| [Create a SQL Managed Instance](../../sql-database/scripts/sql-database-create-configure-managed-instance-cli.md)| Creates a SQL Managed Instance. |

-| **Configure Transparent Data Encryption (TDE)**||

-| [Manage Transparent Data Encryption in a SQL Managed Instance by using Azure Key Vault](../../sql-database/scripts/transparent-data-encryption-byok-sql-managed-instance-cli.md)| Configures Transparent Data Encryption (TDE) in SQL Managed Instance by using Azure Key Vault with various key scenarios. |

-|**Configure a failover group**||

-| [Configure a failover group for SQL Managed Instance](../../sql-database/scripts/sql-database-add-managed-instance-to-failover-group-cli.md) | Creates two instances of SQL Managed Instance, adds them to a failover group, and then tests failover from the primary SQL Managed Instance to the secondary SQL Managed Instance. |

-To create and manage SQL Database elastic pools with the [Azure CLI](/cli/azure), use the following [Azure CLI SQL Database](/cli/azure/sql/db) commands. Use the [Cloud Shell](../../cloud-shell/overview.md) to run the CLI in your browser, or [install](/cli/azure/install-azure-cli) it on macOS, Linux, or Windows.

-# [Portal](#tab/azure-portal)

-# [Portal](#tab/azure-portal)

-1. Select **Databases within the group** then select the elastic pool you created in section 2. A warning should appear, prompting you to create an elastic pool on the secondary server. Select the warning, and then select **OK** to create the elastic pool on the secondary server.

-# [Portal](#tab/azure-portal)

-# [Portal](#tab/azure-portal)

-# [Portal](#tab/azure-portal)

-description: Add a database in Azure SQL Database to an autofailover group using the Azure portal, PowerShell, or the Azure CLI.

-# [The portal](#tab/azure-portal)

-# [The Azure CLI](#tab/azure-cli)

-# [The portal](#tab/azure-portal)

-# [The Azure CLI](#tab/azure-cli)

-Create your failover group and add your database to it using the Azure CLI.

- > [!NOTE]

- > The server login and firewall settings must match that of your primary server.

- ```azurecli-interactive

- #!/bin/bash

- # set variables

- $failoverLocation = "West US"

- $failoverServer = "failoverServer-$randomIdentifier"

- $failoverGroup = "failoverGroup-$randomIdentifier"

- echo "Creating a secondary server in the DR region..."

- az sql server create --name $failoverServer --resource-group $resourceGroup --location $failoverLocation --admin-user $login --admin-password $password

- echo "Creating a failover group between the two servers..."

- az sql failover-group create --name $failoverGroup --partner-server $failoverServer --resource-group $resourceGroup --server $server --add-db $database --failover-policy Automatic

- ```

-| [az sql server firewall-rule create](/cli/azure/sql/server/firewall-rule) | Creates a server's firewall rules. |

-In this step, you'll fail your failover group over to the secondary server, and then fail back using the Azure portal.

-# [The portal](#tab/azure-portal)

-# [The Azure CLI](#tab/azure-cli)

-Verify which server is the secondary:

- ```azurecli-interactive

- echo "Verifying which server is in the secondary role..."

- az sql failover-group list --server $server --resource-group $resourceGroup

- ```

-Fail over to the secondary server:

- ```azurecli-interactive

- echo "Failing over group to the secondary server..."

- az sql failover-group set-primary --name $failoverGroup --resource-group $resourceGroup --server $failoverServer

- echo "Successfully failed failover group over to" $failoverServer

- ```

-Revert failover group back to the primary server:

- ```azurecli-interactive

- echo "Failing over group back to the primary server..."

- az sql failover-group set-primary --name $failoverGroup --resource-group $resourceGroup --server $server

- echo "Successfully failed failover group back to" $server

- ```

-| [az sql failover-group list](/cli/azure/sql/failover-group#az_sql_failover_group_list) | Lists the failover groups in a server. |

-# [The portal](#tab/azure-portal)

-# [The Azure CLI](#tab/azure-cli)

-Delete the resource group by using the Azure CLI.

- ```azurecli-interactive

- az group delete --name $resourceGroup

- echo "Successfully removed resource group" $resourceGroup

-[!code-azurecli-interactive[main](../../../cli_scripts/sql-database/failover-groups/add-single-db-to-failover-group-az-cli.sh "Add database to a failover group")]

-| [az sql failover-group list](/cli/azure/sql/failover-group#az_sql_failover_group_list) | Lists the failover groups in a server in Azure SQL Database. |

-# [The portal](#tab/azure-portal)

-You can find other Azure SQL Database scripts here: [Azure PowerShell](powershell-script-content-guide.md) and [Azure CLI](az-cli-script-samples-content-guide.md).

-> [Tutorial: Add an Azure SQL Database elastic pool to a failover group](failover-group-add-elastic-pool-tutorial.md)

-As Azure infrastructure improves, Microsoft will periodically refresh hardware to ensure we provide the best possible customer experience. In the coming months, we plan to add gateways built on newer hardware generations, migrate traffic to them, and eventually decommission gateways built on older hardware in some regions.

-Customers will be notified via service health notifications well in advance of any change to gateways available in each region. Customers can [use the Azure portal to set up activity log alerts](../../service-health/alerts-activity-log-service-notifications-portal.md).

-The most up-to-date information will be maintained in the [Azure SQL Database gateway IP addresses](connectivity-architecture.md#gateway-ip-addresses) table.

-> For an Azure CLI quickstart, see [Create a database in Azure SQL Database using the Azure CLI](az-cli-script-samples-content-guide.md). For Azure CLI example scripts, see [Use the CLI to create a database in Azure SQL Database and configure a firewall rule](scripts/create-and-configure-database-cli.md) and [Use the CLI to monitor and scale a database in Azure SQL Database](scripts/monitor-and-scale-database-cli.md).

-If you modify the above policy and set W=0 (no weekly backups), the cadence of backup copies will change as shown in the above table by the highlighted dates. The storage amount needed to keep these backups would reduce accordingly.

-Configure the [maintenance window (Preview)](maintenance-window.md) for an Azure SQL database, elastic pool, or Azure SQL Managed Instance database during resource creation, or anytime after a resource is created.

-## Configure maintenance window during database creation

-To configure the maintenance window when you create a database, elastic pool, or managed instance, set the desired **Maintenance window** on the **Additional settings** page.

-## Set the maintenance window while creating a single database or elastic pool

-## Set the maintenance window while creating a managed instance

-## Launch Azure Cloud Shell

-The Azure Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account.

-To open the Cloud Shell, just select **Try it** from the upper right corner of a code block. You can also launch Cloud Shell in a separate browser tab by going to [https://shell.azure.com/powershell](https://shell.azure.com/powershell). Select **Copy** to copy the blocks of code, paste it into the Cloud Shell, and press enter to run it.

-## Discover available maintenance windows

-When setting the maintenance window, each region has its own maintenance window options that correspond to the timezone for the region the database or pool is located.

-### Discover SQL Database and elastic pool maintenance windows

-### Discover SQL Managed Instance maintenance windows

-## Set the maintenance window while creating a single database

-## Set the maintenance window while creating an elastic pool

-## Set the maintenance window while creating a managed instance

-The following examples show how to configure the maintenance window using Azure CLI. You can [install the Azure CLI](/cli/azure/install-azure-cli), or use the Azure Cloud Shell.

-Configuring the maintenance window with the Azure CLI is only available for SQL Managed Instance.

-## Launch Azure Cloud Shell

-The Azure Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account.

-To open the Cloud Shell, just select **Try it** from the upper right corner of a code block. You can also launch Cloud Shell in a separate browser tab by going to [https://shell.azure.com/cli](https://shell.azure.com/cli). Select **Copy** to copy the blocks of code, paste it into the Cloud Shell, and press enter to run it.

-## Discover available maintenance windows

-### Discover SQL Database and elastic pool maintenance windows

-### Discover SQL Managed Instance maintenance windows

-## Set the maintenance window while creating a single database

-## Set the maintenance window while creating an elastic pool

-## Set the maintenance window while creating a managed instance

-## Set the maintenance window for an existing database or elastic pool

-## Set the maintenance window for an existing managed instance

-## Set the maintenance window for an existing database

-## Set the maintenance window on an existing elastic pool

-## Set the maintenance window on an existing managed instance

-The following examples show how to configure the maintenance window using Azure CLI. You can [install the Azure CLI](/cli/azure/install-azure-cli), or use the Azure Cloud Shell.

-## Set the maintenance window for an existing database

-## Set the maintenance window on an existing elastic pool

-## Set the maintenance window on an existing managed instance

-[Introduction to Azure SQL Database and Azure SQL Managed Instance](sql-database-paas-overview.md)

-* [Azure CLI](single-database-manage.md#the-azure-cli)

-* [Azure CLI](single-database-manage.md#the-azure-cli)

-description: Use the Azure CLI example script to create a database in Azure SQL Database, add it to an auto-failover group, and test failover.

-# Use the Azure CLI to add a database to a failover group

-If you choose to install and use the CLI locally, this topic requires that you are running the Azure CLI version 2.0 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install the Azure CLI]( /cli/azure/install-azure-cli).

-$subscription = "<subscriptionId>" # add subscription here

-[!code-azurecli-interactive[main](../../../../cli_scripts/sql-database/failover-groups/add-single-db-to-failover-group-az-cli.sh "Add Azure SQL Database to failover group")]

-### Clean up deployment

-Use the following command to remove the resource group and all resources associated with it.

-```azurecli-interactive

-az group delete --name $resource

-For more information on the Azure CLI, see [Azure CLI documentation](/cli/azure).

-# Use the Azure CLI to create a single database and configure a firewall rule

-If you choose to install and use the CLI locally, this topic requires that you are running the Azure CLI version 2.0 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install the Azure CLI]( /cli/azure/install-azure-cli).

-[!code-azurecli-interactive[main](../../../../cli_scripts/sql-database/create-and-configure-database/create-and-configure-database.sh "Create SQL Database")]

-### Clean up deployment

-Use the following command to remove the resource group and all resources associated with it.

-```azurecli-interactive

-az group delete --name $resource

-For more information on the Azure CLI, see [Azure CLI documentation](/cli/azure).

-$subscription = "<subscriptionId>" # add subscription here

-[!code-azurecli-interactive[main](../../../../cli_scripts/sql-database/monitor-and-scale-database/monitor-and-scale-database.sh "Monitor and scale a database in Azure SQL Database")]

-### Clean up deployment

-Use the following command to remove the resource group and all resources associated with it.

-```azurecli-interactive

-az group delete --name $resource

-description: Use an Azure CLI example script to create two elastic pools and move a database in SQL Database from one elastic pool to another.

-# Use the Azure CLI to move a database in SQL Database in a SQL elastic pool

-If you choose to install and use the CLI locally, this topic requires that you are running the Azure CLI version 2.0 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install the Azure CLI]( /cli/azure/install-azure-cli).

-[!code-azurecli-interactive[main](../../../../cli_scripts/sql-database/move-database-between-pools/move-database-between-pools.sh "Move database between pools")]

-### Clean up deployment

-Use the following command to remove the resource group and all resources associated with it.

-```azurecli-interactive

-az group delete --name $resource

-For more information on the Azure CLI, see [Azure CLI documentation](/cli/azure).

-[!code-azurecli-interactive[main](../../../../cli_scripts/sql-database/scale-pool/scale-pool.sh "Move database between pools")]

-### Clean up deployment

-Use the following command to remove the resource group and all resources associated with it.

-```azurecli-interactive

-az group delete --name $resource

-1. This quickstart uses a serverless database, so select **Serverless**, and then select **Apply**.

-## Launch Azure Cloud Shell

-The Azure Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account.

-To open the Cloud Shell, just select **Try it** from the upper right corner of a code block. You can also launch Cloud Shell in a separate browser tab by going to [https://shell.azure.com](https://shell.azure.com). Select **Copy** to copy the blocks of code, paste it into the Cloud Shell, and press **Enter** to run it.

-## Set parameter values

-The following values are used in subsequent commands to create the database and required resources. Server names need to be globally unique across all of Azure so the $RANDOM function is used to create the server name. Replace the 0.0.0.0 values in the ip address range to match your specific environment.

-```azurecli-interactive

-# Set the resource group name and location for your server

-resourceGroupName=myResourceGroup

-location=eastus

-# Set an admin login and password for your database

-adminlogin=azureuser

-password=Azure1234567!

-# Set a server name that is unique to Azure DNS (<server_name>.database.windows.net)

-serverName=server-$RANDOM

-# Set the ip address range that can access your database

-startip=0.0.0.0

-endip=0.0.0.0

-## Create a resource group

-Create a resource group with the [az group create](/cli/azure/group) command. An Azure resource group is a logical container into which Azure resources are deployed and managed. The following example creates a resource group named *myResourceGroup* in the *eastus* location:

-```azurecli-interactive

-az group create --name $resourceGroupName --location $location

-```

-## Create a server

-Create a server with the [az sql server create](/cli/azure/sql/server) command.

-```azurecli-interactive

-az sql server create \

- --name $serverName \

- --resource-group $resourceGroupName \

- --location $location \

- --admin-user $adminlogin \

- --admin-password $password

-```

-## Configure a firewall rule for the server

-Create a firewall rule with the [az sql server firewall-rule create](/cli/azure/sql/server/firewall-rule) command.

-```azurecli-interactive

-az sql server firewall-rule create \

- --resource-group $resourceGroupName \

- --server $serverName \

- -n AllowYourIp \

- --start-ip-address $startip \

- --end-ip-address $endip

-```

-## Create a single database with Azure CLI

-Create a database with the [az sql db create](/cli/azure/sql/db) command.

-```azurecli-interactive

- --resource-group $resourceGroupName \

- --server $serverName \

- --name mySampleDatabase \

-## Use Azure Cloud Shell

-The Azure Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account.

-To open the Cloud Shell, just select **Try it** from the upper right corner of a code block. You can also launch Cloud Shell in a separate browser tab by going to [https://shell.azure.com](https://shell.azure.com). Select **Copy** to copy the blocks of code, paste it into the Cloud Shell, and press **Enter** to run it.

-## Set parameter values

-The following values are used in subsequent commands to create the database and required resources. Server names need to be globally unique across all of Azure so the $RANDOM function is used to create the server name. Replace the 0.0.0.0 values in the ip address range to match your specific environment.

-```azurecli-interactive

-# Set the resource group name and location for your server

-resourceGroupName=myResourceGroup

-location=eastus

-# Set an admin login and password for your database

-adminlogin=azureuser

-password=Azure1234567!

-# Set a server name that is unique to Azure DNS (<server_name>.database.windows.net)

-serverName=server-$RANDOM

-# Set the ip address range that can access your database

-startip=0.0.0.0

-endip=0.0.0.0

-## Create a database and resources

-The [az sql up](/cli/azure/sql#az_sql_up) command simplifies the database creation process. With it, you can create a database and all of its associated resources with a single command. This includes the resource group, server name, server location, database name, and login information. The database is created with a default pricing tier of General Purpose, Provisioned, Gen5, 2 vCores.

-> When running the `az sql up` command for the first time, the Azure CLI prompts you to install the `db-up` extension. This extension is currently in preview. Accept the installation to continue. For more information about extensions, see [Use extensions with the Azure CLI](/cli/azure/azure-cli-extensions-overview).

- ```azurecli-interactive

- --resource-group $resourceGroupName \

- --server-name $serverName \

- --database-name mySampleDatabase \

- --admin-user $adminlogin \

-2. A server firewall rule is automatically created. If the server declines your IP address, create a new firewall rule using the `az sql server firewall-rule create` command.

- ```azurecli-interactive

- --resource-group $resourceGroupName \

- --server $serverName \

- --start-ip-address $startip \

- --end-ip-address $endip

-## Launch Azure Cloud Shell

-The Azure Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account.

-To open the Cloud Shell, just select **Try it** from the upper right corner of a code block. You can also launch Cloud Shell in a separate browser tab by going to [https://shell.azure.com](https://shell.azure.com). Select **Copy** to copy the blocks of code, paste it into the Cloud Shell, and press **Enter** to run it.

-## Set parameter values

-## Create resource group

-## Create a server

-## Create a firewall rule

-## Create a single database with PowerShell

-### [Portal](#tab/azure-portal)

-### [Azure CLI](#tab/azure-cli)

-To delete the resource group and all its resources, run the following Azure CLI command, using the name of your resource group:

-```azurecli-interactive

-az group delete --name $resourceGroupName

-### [Azure CLI (sql up)](#tab/azure-cli-sql-up)

-To delete the resource group and all its resources, run the following Azure CLI command, using the name of your resource group:

-```azurecli-interactive

-az group delete --name $resourceGroupName

-### [PowerShell](#tab/azure-powershell)

-## The Azure CLI

-To create and manage the servers, databases, and firewalls with [the Azure CLI](/cli/azure), use the following [Azure CLI](/cli/azure/sql/db) commands. Use the [Cloud Shell](../../cloud-shell/overview.md) to run the CLI in your browser, or [install](/cli/azure/install-azure-cli) it on macOS, Linux, or Windows. For creating and managing elastic pools, see [Elastic pools](elastic-pool-overview.md).

-> For an Azure CLI quickstart, see [Create a single Azure SQL Database using the Azure CLI](az-cli-script-samples-content-guide.md). For Azure CLI example scripts, see [Use CLI to create a database in Azure SQL Database and configure a SQL Database firewall rule](scripts/create-and-configure-database-cli.md) and [Use CLI to monitor and scale a database in Azure SQL Database](scripts/monitor-and-scale-database-cli.md).

-description: "Learn how to configure an Azure SQL Database and Azure Synapse Analytics to start using Transparent Data Encryption (TDE) for encryption-at-rest using PowerShell or the Azure CLI."

-# PowerShell and the Azure CLI: Enable Transparent Data Encryption with customer-managed key from Azure Key Vault

-This article walks through how to use a key from Azure Key Vault for Transparent Data Encryption (TDE) on Azure SQL Database or Azure Synapse Analytics. To learn more about the TDE with Azure Key Vault integration - Bring Your Own Key (BYOK) Support, visit [TDE with customer-managed keys in Azure Key Vault](transparent-data-encryption-byok-overview.md).

-To install the required version of the Azure CLI (version 2.0 or later) and connect to your Azure subscription, see [Install and Configure the Azure Cross-Platform Command-Line Interface 2.0](/cli/azure/install-azure-cli).

-For specifics on Key Vault, see [Manage Key Vault using the CLI 2.0](../../key-vault/general/manage-with-cli2.md) and [How to use Key Vault soft-delete with the CLI](../../key-vault/general/key-vault-recovery.md).

-# [The Azure CLI](#tab/azure-cli)

- # [The Azure CLI](#tab/azure-cli)

- - The key should not have an expiration date

- - The key must have the *get*, *wrap key*, and *unwrap key* operations enabled.

-## Learn more

-## See also

-* [Configure the max degree of parallelism (MAXDOP) in Azure SQL Database](database/configure-max-degree-of-parallelism.md)

-* [Understand and resolve Azure SQL Database blocking problems in Azure SQL Database](database/understand-resolve-blocking.md)

-* [SQL Database monitoring and tuning overview](database/monitor-tune-overview.md)

-To create and configure managed instances with [Azure CLI](/cli/azure), use the following [Azure CLI commands for SQL Managed Instance](/cli/azure/sql/mi). Use [Azure Cloud Shell](../../cloud-shell/overview.md) to run the CLI in your browser, or [install](/cli/azure/install-azure-cli) it on macOS, Linux, or Windows.

-```azurecli-interactive

-This article explains how to manually configure database migration from SQL Server 2008-2019 to Azure SQL Managed Instance by using Log Replay Service (LRS), currently in public preview. LRS is a cloud service enabled for SQL Managed Instance based on SQL Server log-shipping technology.

-2. Copy the second part of the token, starting from the question mark (`?`) all the way until the end of the string. Use it as the `StorageContainerSasToken` parameter in PowerShell or the Azure CLI for starting LRS.

-> Don't include the question mark when you copy either part of the token.

-Last updated: 11/24/2021

-| East US | Yes | |

-| South Central US | Yes | |

-| UK South | Yes | Yes |

- > - Refer Configuration and deployment section in [FAQs](https://github.com/MicrosoftDocs/azure-docs-pr/pull/edge/faq.yml) on how to add sample video files to rtsp simulator. Once added, edit `rtspUrl` value to point to the new video file.

-## December 2021

-Azure Backup's new Data Protection platform provides enhanced capabilities for backup and restore for newer workloads such as blobs in storage accounts, managed disk and PostGre SQL server's PaaS platform. It aims to minimize management overhead while making it easy for organizing backups. A 'Backup vault' is the cornerstone of the Data protection platform and this is different from the 'Recovery Services' vault.

-| | Virtual Machine Contributor | VM resource | Alternatively, instead of a built-in-role, you can consider a custom role which has the following permissions: Microsoft.Compute/virtualMachines/write |

-| | Contributor | Resource group in which VM will be deployed | Alternatively, instead of a built-in-role, you can consider a custom role which has the following permissions: Microsoft.Resources/subscriptions/resourceGroups/write Microsoft.DomainRegistration/domains/write, Microsoft.Compute/virtualMachines/write Microsoft.Network/virtualNetworks/read Microsoft.Network/virtualNetworks/subnets/join/action |

-| | Virtual Machine Contributor | Source VM that got backed up | Alternatively, instead of a built-in-role, you can consider a custom role which has the following permissions: Microsoft.Compute/virtualMachines/write |

-| | Virtual Machine Contributor | Source VM that got backed up | Alternatively, instead of a built-in-role, you can consider a custom role which has the following permissions: Microsoft.Compute/virtualMachines/write |

-| | Virtual Machine Contributor | Source VM that got backed up | Alternatively, instead of a built-in-role, you can consider a custom role which has the following permissions: Microsoft.Compute/virtualMachines/write |

-| | Virtual Machine Contributor | Source VM that got backed up | Alternatively, instead of a built-in-role, you can consider a custom role which has the following permissions: Microsoft.Compute/virtualMachines/write |

-| | Virtual Machine Contributor | VM resource where DB is installed | Alternatively, instead of a built-in-role, you can consider a custom role which has the following permissions: Microsoft.Compute/virtualMachines/write |

-| | Virtual Machine Contributor | Source VM that got backed up | Alternatively, instead of a built-in-role, you can consider a custom role which has the following permissions: Microsoft.Compute/virtualMachines/write |

-| | Virtual Machine Contributor | Target VM in which DB will be restored or files are created | Alternatively, instead of a built-in-role, you can consider a custom role which has the following permissions: Microsoft.Compute/virtualMachines/write |

-You may encounter scenarios where someone tries to breach into your system and maliciously turn off the security mechanisms, such as disabling Soft= Delete or attempts to perform destructive operations, such as deleting the backup resources.

-1. Provide the necessary information for the trigger. On the **Parameters** tab, add the **Blob Path** for the blob that you want to monitor.

- 1. To find your blob path, open your storage account in the Azure portal.

- 1. Select your blob container. On the container navigation menu, under **Settings**, select **Properties**.

- 1. Copy the **URL** value, which is the path to the blob. The path resembles `https://<storage-container-name>/<folder-name>/{name}`. Provide your container name and folder name instead, but keep the `{name}` literal string.

-[Connectors overview for Azure Logic Apps](apis-list.md)

- "Failed loading Emulator secrets certificate. Error: 0x8009000f or similar, a new policy might have been added to your host that prevents an application such as Azure Cosmos DB emulator from creating and adding self signed certificate files into your certificate store."

-// Create a container with a partition key and provision 1000 RU/s throughput.

-DocumentCollection myCollection = new DocumentCollection();

-myCollection.Id = "myContainerName";

-myCollection.PartitionKey.Paths.Add("/myPartitionKey");

-await client.CreateDocumentCollectionAsync(

- UriFactory.CreateDatabaseUri("myDatabaseName"),

- myCollection,

- new RequestOptions { OfferThroughput = 1000 });

-### <a name="managed-identity"></a> Managed identities for Azure resources authentication

->Currently, the managed identity authentication is not supported in data flow.

-A data factory or Synapse pipeline can be associated with a [managed identity for Azure resources](data-factory-service-identity.md), which represents this specific service instance. You can directly use this managed identity for Cosmos DB authentication, similar to using your own service principal. It allows this designated resource to access and copy data to or from your Cosmos DB.

-To use managed identities for Azure resource authentication, follow these steps.

-1. [Retrieve the managed identity information](data-factory-service-identity.md#retrieve-managed-identity) by copying the value of the **managed identity object ID** generated along with your service.

-2. Grant the managed identity proper permission. See examples on how permission works in Cosmos DB from [Access control lists on files and directories](../cosmos-db/how-to-setup-rbac.md). More specifically, create a role definition, and assign the role to the managed identity.

-### <a name="managed-identity"></a> Managed identities for Azure resources authentication

-A data factory or Synapse workspace can be associated with a [managed identity for Azure resources](data-factory-service-identity.md) that represents the resource. You can use this managed identity for Azure Synapse Analytics authentication. The designated resource can access and copy data from or to your data warehouse by using this identity.

-To use managed identity authentication, follow these steps:

-1. **[Provision an Azure Active Directory administrator](../azure-sql/database/authentication-aad-configure.md#provision-azure-ad-admin-sql-database)** for your server on the Azure portal if you haven't already done so. The Azure AD administrator can be an Azure AD user or Azure AD group. If you grant the group with managed identity an admin role, skip steps 3 and 4. The administrator will have full access to the database.

-2. **[Create contained database users](../azure-sql/database/authentication-aad-configure.md#create-contained-users-mapped-to-azure-ad-identities)** for the Managed Identity. Connect to the data warehouse from or to which you want to copy data by using tools like SSMS, with an Azure AD identity that has at least ALTER ANY USER permission. Run the following T-SQL.

-3. **Grant the Managed Identity needed permissions** as you normally do for SQL users and others. Run the following code, or refer to more options [here](/sql/relational-databases/system-stored-procedures/sp-addrolemember-transact-sql). If you want to use PolyBase to load the data, learn the [required database permission](#required-database-permission).

-3. [Create logins](/sql/t-sql/statements/create-login-transact-sql) for the managed identity. In SQL Server Management Studio (SSMS), connect to your managed instance using a SQL Server account that is a **sysadmin**. In **master** database, run the following T-SQL:

-4. [Create contained database users](../azure-sql/database/authentication-aad-configure.md#create-contained-users-mapped-to-azure-ad-identities) for the managed identity. Connect to the database from or to which you want to copy data, run the following T-SQL:

-5. Grant the managed identity needed permissions as you normally do for SQL users and others. Run the following code. For more options, see [this document](/sql/t-sql/statements/alter-role-transact-sql).

-### <a name="managed-identity"></a> Managed identities for Azure resources authentication

-A data factory or Synapse workspace can be associated with a [managed identity for Azure resources](data-factory-service-identity.md) that represents the service for authentication to other Azure services. You can use this managed identity for SQL Managed Instance authentication. The designated service can access and copy data from or to your database by using this identity.

-To use managed identity authentication, follow these steps.

-2. [Create logins](/sql/t-sql/statements/create-login-transact-sql) for the managed identity. In SQL Server Management Studio (SSMS), connect to your managed instance using a SQL Server account that is a **sysadmin**. In **master** database, run the following T-SQL:

-3. [Create contained database users](../azure-sql/database/authentication-aad-configure.md#create-contained-users-mapped-to-azure-ad-identities) for the managed identity. Connect to the database from or to which you want to copy data, run the following T-SQL:

-4. Grant the managed identity needed permissions as you normally do for SQL users and others. Run the following code. For more options, see [this document](/sql/t-sql/statements/alter-role-transact-sql).

-**Example: uses managed identity authentication**

-| authenticationType | The authentication type to connect to a Dynamics server. Valid values are "AADServicePrincipal" and "Office365". | Yes |

- <dependency>

- <groupId>com.microsoft.azure</groupId>

- <artifactId>azure-data-lake-store-sdk</artifactId>

- <version>2.1.5</version>

- </dependency>

- <dependency>

- <groupId>org.slf4j</groupId>

- <artifactId>slf4j-nop</artifactId>

- <version>1.7.21</version>

- </dependency>

- The first dependency is to use the Data Lake Storage Gen1 SDK (`azure-data-lake-store-sdk`) from the maven repository. The second dependency is to specify the logging framework (`slf4j-nop`) to use for this application. The Data Lake Storage Gen1 SDK uses [SLF4J](https://www.slf4j.org/) logging façade, which lets you choose from a number of popular logging frameworks, like Log4j, Java logging, Logback, etc., or no logging. For this example, we disable logging, hence we use the **slf4j-nop** binding. To use other logging options in your app, see [here](https://www.slf4j.org/manual.html#projectDep).

- import com.microsoft.azure.datalake.store.ADLException;

- import com.microsoft.azure.datalake.store.ADLStoreClient;

- import com.microsoft.azure.datalake.store.DirectoryEntry;

- import com.microsoft.azure.datalake.store.IfExists;

- import com.microsoft.azure.datalake.store.oauth2.AccessTokenProvider;

- import com.microsoft.azure.datalake.store.oauth2.ClientCredsTokenProvider;

-* For end-user authentication for your application, see [End-user-authentication with Data Lake Storage Gen1 using Java](data-lake-store-end-user-authenticate-java-sdk.md).

-* For service-to-service authentication for your application, see [Service-to-service authentication with Data Lake Storage Gen1 using Java](data-lake-store-service-to-service-authenticate-java.md).

-## Create a Data Lake Storage Gen1 client

-Creating an [ADLStoreClient](https://azure.github.io/azure-data-lake-store-java/javadoc/) object requires you to specify the Data Lake Storage Gen1 account name and the token provider you generated when you authenticated with Data Lake Storage Gen1 (see [Authentication](#authentication) section). The Data Lake Storage Gen1 account name needs to be a fully qualified domain name. For example, replace **FILL-IN-HERE** with something like **mydatalakestoragegen1.azuredatalakestore.net**.

-private static String accountFQDN = "FILL-IN-HERE"; // full account FQDN, not just the account name

-ADLStoreClient client = ADLStoreClient.createClient(accountFQDN, provider);

-The code snippets in the following sections contain examples of some common filesystem operations. You can look at the full [Data Lake Storage Gen1 Java SDK API docs](https://azure.github.io/azure-data-lake-store-java/javadoc/) of the **ADLStoreClient** object to see other operations.

-The following snippet creates a directory structure in the root of the Data Lake Storage Gen1 account you specified.

-client.createDirectory("/a/b/w");

-String filename = "/a/b/c.txt";

-OutputStream stream = client.createFile(filename, IfExists.OVERWRITE );

-PrintStream out = new PrintStream(stream);

-for (int i = 1; i <= 10; i++) {

- out.println("This is line #" + i);

- out.format("This is the same line (%d), but using formatted output. %n", i);

-out.close();

-stream = client.createFile("/a/b/d.txt", IfExists.OVERWRITE);

-stream.write(buf);

-stream.close();

-stream = client.getAppendStream(filename);

-stream.write(getSampleContent());

-stream.close();

-System.out.println("File appended.");

-InputStream in = client.getReadStream(filename);

-BufferedReader reader = new BufferedReader(new InputStreamReader(in));

-String line;

-while ( (line = reader.readLine()) != null) {

-The following snippet concatenates two files in a Data Lake Storage Gen1 account. If successful, the concatenated file replaces the two existing files.

-client.concatenateFiles("/a/b/f.txt", fileList);

-client.rename("/a/b/f.txt", "/a/b/g.txt");

-DirectoryEntry ent = client.getDirectoryEntry(filename);

-printDirectoryInfo(ent);

-client.setPermission(filename, "744");

-List<DirectoryEntry> list = client.enumerateDirectory("/a/b", 2000);

-System.out.println("Directory listing for directory /a/b:");

-for (DirectoryEntry entry : list) {

- printDirectoryInfo(entry);

-}

-client.deleteRecursive("/a");

-* [Explore JavaDoc for the Java SDK](https://azure.github.io/azure-data-lake-store-java/javadoc/)

-* [Secure data in Data Lake Storage Gen1](data-lake-store-secure-data.md)

-For example, if you're also using Azure Maps and want to correlate location with your Azure Digital Twins [twin graph](concepts-twins-graph.md), you can use Azure Functions with Event Grid to establish communication between all the services in your deployment. For more information on integrating Azure Maps, see [Use Azure Digital Twins to update an Azure Maps indoor map](how-to-integrate-maps.md)

-You can also learn how to route data in a similar way to Time Series Insights, in [Integrate with Time Series Insights](how-to-integrate-time-series-insights.md).

-* [Floor.json](https://raw.githubusercontent.com/Azure-Samples/digital-twins-explorer/main/client/examples/Floor.json): This is a model file representing a floor in a building. Navigate to the link, right-click anywhere on the screen, and select **Save as** in your browser's right-click menu. Use the following Save As window to save the file to the same location as **Room.json**, under the name **Floor.json**.

-* [buildingScenario.xlsx](https://github.com/Azure-Samples/digital-twins-explorer/blob/main/client/examples/buildingScenario.xlsx): This file contains a graph of room and floor twins, and relationships between them. Navigate to the link and select the **Download** button. This will download the file to your default download location.

- :::image type="content" source="media/quickstart-azure-digital-twins-explorer/download-building-scenario.png" alt-text="Screenshot of the digital-twins-explorer/client/examples/buildingScenario.xlsx file in GitHub. The Download button is highlighted." lightbox="media/quickstart-azure-digital-twins-explorer/download-building-scenario.png":::

-Next, select the **Open Azure Digital Twins Explorer (preview)** button.

-This will open an Azure Digital Twins Explorer window connected to your instance.

-## Create an Azure Database Migration Service instance

-1. In the Azure portal menu or on the **Home** page, select **Create a resource**. Search for and select **Azure Database Migration Service**.

- 

-2. On the **Azure Database Migration Service** screen, select **Create**.

- 

-3. On the **Create Migration Service** basics screen:

- - Select the subscription.

- - Create a new resource group or choose an existing one.

- - Specify a name for the instance of the Azure Database Migration Service.

- - Select the location in which you want to create the instance of Azure Database Migration Service.

- - Choose **Azure** as the service mode.

- - Select an SKU from the Premium pricing tier.

-

- > [!NOTE]

- > Online migrations are supported only when using the Premium tier.

- - For more information on costs and pricing tiers, see the [pricing page](https://aka.ms/dms-pricing).

- 

- - Select **Next: Networking**.

-4. On the **Create Migration Service** networking screen:

- - Select an existing virtual network or create a new one. The virtual network provides Azure Database Migration Service with access to the source SQL Server and the target Azure SQL Managed Instance.

-

- - For more information about how to create a virtual network in the Azure portal, see the article [Create a virtual network using the Azure portal](../virtual-network/quick-create-portal.md).

-

- - For additional detail, see the article [Network topologies for Azure SQL Managed Instance migrations using Azure Database Migration Service](./resource-network-topologies.md).

- 

- - Select **Review + Create** to review the details and then select **Create** to create the service.

-## Create an Azure Database Migration Service instance

-1. In the Azure portal menu or on the **Home** page, select **Create a resource**. Search for and select **Azure Database Migration Service**.

- 

-2. On the **Azure Database Migration Service** screen, select **Create**.

- 

-

-3. On the **Create Migration Service** basics screen:

- - Select the subscription.

- - Create a new resource group or choose an existing one.

- - Specify a name for the instance of the Azure Database Migration Service.

- - Select the location in which you want to create the instance of Azure Database Migration Service.

- - Choose **Azure** as the service mode.

- - Select a pricing tier. For more information on costs and pricing tiers, see the [pricing page](https://aka.ms/dms-pricing).

- 

- - Select **Next: Networking**.

-4. On the **Create Migration Service** networking screen:

- - Select an existing virtual network or create a new one. The virtual network provides Azure Database Migration Service with access to the source SQL Server and the target Azure SQL Database instance. For more information about how to create a virtual network in the Azure portal, see the article [Create a virtual network using the Azure portal](../virtual-network/quick-create-portal.md).

- 

- - Select **Review + Create** to review the details and then select **Create** to create the service.

-## Create an Azure Database Migration Service instance

-1. In the Azure portal menu or on the **Home** page, select **Create a resource**. Search for and select **Azure Database Migration Service**.

- 

-2. On the **Azure Database Migration Service** screen, select **Create**.

- 

-3. On the **Create Migration Service** basics screen:

- - Select the subscription.

- - Create a new resource group or choose an existing one.

- - Specify a name for the instance of the Azure Database Migration Service.

- - Select the location in which you want to create the instance of Azure Database Migration Service.

- - Choose **Azure** as the service mode.

- - Select a pricing tier. For more information on costs and pricing tiers, see the [pricing page](https://aka.ms/dms-pricing).

- 

- - Select **Next: Networking**.

-4. On the **Create Migration Service** networking screen:

- - Select an existing virtual network or create a new one. The virtual network provides Azure Database Migration Service with access to the source SQL Server and the target Azure SQL Managed Instance.

-

- - For more information about how to create a virtual network in the Azure portal, see the article [Create a virtual network using the Azure portal](../virtual-network/quick-create-portal.md).

- - For additional detail, see the article [Network topologies for Azure SQL Managed Instance migrations using Azure Database Migration Service](./resource-network-topologies.md).

- 

- - Select **Review + Create** to review the details and then select **Create** to create the service.

- "subjectBeginsWith": "/blobServices/default/containers/mycontainer/log",

- "subjectBeginsWith": "/blobServices/default/containers/mycontainer/log",

-Follow steps from the [Get connection string from the portal](event-hubs-get-connection-string.md#get-connection-string-from-the-portal) article. And, note down the connection string for later use.

-* **Create an Event Hubs namespace and an event hub**. Use the [Azure portal](https://portal.azure.com) to create a namespace of type Event Hubs, and obtain the management credentials your application needs to communicate with the event hub. To create a namespace and an event hub, follow the procedure in [this article](event-hubs-create.md). Get the value of access key for the event hub by following instructions from the article: [Get connection string](event-hubs-get-connection-string.md#get-connection-string-from-the-portal). You use the access key in the code you write later in this tutorial. The default key name is: **RootManageSharedAccessKey**.

-[Create an Event Hubs namespace and an event hub in the namespace](event-hubs-create.md). Record the name of the Event Hubs namespace, the name of the event hub, and the primary access key for the namespace. To get the access key, see [Get an Event Hubs connection string](event-hubs-get-connection-string.md#get-connection-string-from-the-portal). The default key name is *RootManageSharedAccessKey*. For this quickstart, you need only the primary key. You don't need the connection string.

-To use Event Hubs, you need to create an Event Hubs namespace. A namespace is a scoping container for multiple event hubs or Kafka topics. This namespace gives you a unique [FQDN](https://en.wikipedia.org/wiki/Fully_qualified_domain_name). Once a namespace is created, you can obtain the connection string required to communicate with Event Hubs.

-The connection string for Azure Event Hubs has the following components embedded within it,

-* FQDN = the FQDN of the EventHubs namespace you created (it includes the EventHubs namespace name followed by servicebus.windows.net)

-The connection string template looks like

-Endpoint=sb://<FQDN>/;SharedAccessKeyName=<KeyName>;SharedAccessKey=<KeyValue>

-An example connection string might look like

-`Endpoint=sb://dummynamespace.servicebus.windows.net/;SharedAccessKeyName=DummyAccessKeyName;SharedAccessKey=5dOntTRytoC24opYThisAsit3is2B+OGY1US/fuL3ly=`

-This article walks you through various ways of obtaining the connection string.

-## Get connection string from the portal

-7. Select a **shared access policy** in the list of policies. The default one is named: **RootManageSharedAccessPolicy**. You can add a policy with appropriate permissions (read, write), and use that policy.

-## Getting the connection string with Azure PowerShell

-You can use the [Get-AzEventHubKey](/powershell/module/az.eventhub/get-azeventhubkey) to get the connection string for the specific policy/rule name as shown below:

-Get-AzEventHubKey -ResourceGroupName MYRESOURCEGROUP -NamespaceName MYEHUBNAMESPACE -AuthorizationRuleName RootManageSharedAccessKey

-## Getting the connection string with Azure CLI

-You can use the following to get the connection string for the namespace:

-az eventhubs namespace authorization-rule keys list --resource-group MYRESOURCEGROUP --namespace-name MYEHUBNAMESPACE --name RootManageSharedAccessKey

-Or you can use the following to get the connection string for an EventHub entity:

-az eventhubs eventhub authorization-rule keys list --resource-group MYRESOURCEGROUP --namespace-name MYEHUBNAMESPACE --eventhub-name MYEHUB --name RootManageSharedAccessKey

-* [Create an Event Hub](event-hubs-create.md)

- 1. To get the connection string for your Event Hub namespace, follow the instructions in [Get connection string](event-hubs-get-connection-string.md#get-connection-string-from-the-portal). Record the connection string to use later in this quickstart.

-1. On the *Add Global Reach* configuration page, give a name to this configuration. Select the *ExpressRoute circuit* you want to connect this circuit to and enter in a **/29 IPv4** for the *Global Reach subnet*. We use IP addresses in this subnet to establish connectivity between the two ExpressRoute circuits. DonΓÇÖt use the addresses in this subnet in your Azure virtual networks, or in your on-premises network. Select **Add** to add the circuit to the private peering configuration.

-|Custom DNS doesn't work with forced tunneling|If force tunneling is enabled, custom DNS doesn't work.|A fix is being investigated.|

-5. Select **OK**.

- Azure Front Door can now access this Key Vault and the certificates that are stored in this Key Vault.

-HDInsight Spark cluster is created with Anaconda installation. There are two Python installations in the cluster, Anaconda Python 2.7 and Python 3.5. The table below shows the default Python settings for Spark, Livy, and Jupyter.

- - `--prefix` specifies a path where a conda virtual environment lives. There are several configs that need to be changed further based on the path specified here. In this example, we use the py35new, as the cluster has an existing virtual environment called py35 already.

- - `python=` specifies the Python version for the virtual environment. In this example, we use version 3.5, the same version as the cluster built in one. You can also use other Python versions to create the virtual environment.

- - `anaconda` specifies the package_spec as anaconda to install Anaconda packages in the virtual environment.

-

- - `seaborn` is the package name that you would like to install.

- - `-n py35new` specify the virtual environment name that just gets created. Make sure to change the name correspondingly based on your virtual environment creation.

- ```bash

- sudo /usr/bin/anaconda/bin/conda install seaborn -n py35new --yes

- ```

- ```bash

- sudo /usr/bin/anaconda/envs/py35new/bin/pip install seaborn

- ```

- Use below command if you would like to install a library with a specific version:

- - `numpy=1.16.1` is the package name and version that you would like to install.

- - `-n py35new` specify the virtual environment name that just gets created. Make sure to change the name correspondingly based on your virtual environment creation.

- ```bash

- sudo /usr/bin/anaconda/bin/conda install numpy=1.16.1 -n py35new --yes

- ```

- ```bash

- sudo /usr/bin/anaconda/envs/py35new/bin/pip install numpy==1.16.1

- ```

- if you don't know the virtual environment name, you can SSH to the head node of the cluster and run `/usr/bin/anaconda/bin/conda info -e` to show all virtual environments.

- ΓÇ£confΓÇ¥ : {

- ΓÇ£spark.yarn.appMasterEnv.PYSPARK_PYTHONΓÇ¥:ΓÇ¥/usr/bin/anaconda/envs/py35/bin/pythonΓÇ¥,

- ΓÇ£spark.yarn.appMasterEnv.PYSPARK_DRIVER_PYTHONΓÇ¥:ΓÇ¥/usr/bin/anaconda/envs/py35/bin/pythonΓÇ¥

-> The script takes at least 10 minutes to run.

-# Crete a database in the cluster

-As well as a digital twin, Azure IoT Hub also maintains a *device twin* for every connected device. A device twin is similar to a digital twin in that it's a representation of a device's properties. The Azure IoT service SDKs include APIs for interacting with device twins.

-An IoT hub initializes a digital twin and a device twin the first time an IoT Plug and Play device connects.

-Device twins are JSON documents that store device state information including metadata, configurations, and conditions. To learn more, see [IoT Hub service client examples](concepts-developer-guide-service.md#iot-hub-service-client-examples). Both device and solution builders can continue to use the same set of Device Twin APIs and SDKs to implement devices and solutions using IoT Plug and Play conventions.

-The digital twin APIs operate on high-level DTDL constructs such as components, properties, and commands. The digital twin APIs make it easier for solution builders to create IoT Plug and Play solutions.

-In a device twin, the state of a writable property is split across the *desired properties* and *reported properties* sections. All read-only properties are available within the reported properties section.

-In a digital twin, there's a unified view of the current and desired state of the property. The synchronization state for a given property is stored in the corresponding default component `$metadata` section.

-To make IoT Plug and Play work with [Azure Digital Twins](../digital-twins/overview.md), you define models and interfaces using the [Digital Twins Definition Language (DTDL)](https://github.com/Azure/opendigitaltwins-dtdl). IoT Plug and Play and the DTDL are open to the community, and Microsoft welcomes collaboration with customers, partners, and the industry. Both are based on open W3C standards such as JSON-LD and RDF, which enables easier adoption across services and tooling.

-The web UI in IoT Central lets you monitor device conditions, create rules, and manage millions of devices and their data throughout their life cycle. IoT Plug and Play devices connect directly to an IoT Central application where you can use customizable dashboards to monitor and control your devices. You can also use device templates in the IoT Central web UI to create and edit DTDL models.

-1. Author device software or firmware in a way that their telemetry, properties, and commands follow the [IoT Plug and Play conventions](concepts-convention.md). If you are connecting existing sensors attached to a Windows or Linux gateway, the [IoT Plug and Play bridge](./concepts-iot-pnp-bridge.md) can simplify this step.

-In this quickstart, you use the Azure FreeRTOS middleware to connect the ESPRESSIF ESP32-Azure IoT Kit (hereafter, the ESP32 DevKit) to Azure IoT.

-You will complete the following tasks:

-To set up your development environment, first you install the ESPRESSIF ESP-IDF build environment. The installer includes all the tools required to clone, build, flash and monitor your device.

-In this section, you use the ESP-IDF tools to build, flash and monitor the ESP32 DevKit as it connects to Azure IoT.

-1. After the build completes, confirm that the binary image file was created in the build path you specified previously.

- :::image type="content" source="media/quickstart-devkit-espressif-esp32/esp-telemetry.png" alt-text="Screenshot of ESP32 DevKit device sending telemetry to IoT Central.":::

-In this quickstart you built a custom image that contains the Azure FreeRTOS middleware sample code, and then flashed the image to the ESP32 DevKit device. You also used the IoT Central portal to create Azure resources, connect the ESP32 DevKit securely to Azure, view telemetry, and send messages.

-In this quickstart, you use Azure RTOS to connect the Microchip ATSAME54-XPro (hereafter, the Microchip E54) to Azure IoT.

-You will complete the following tasks:

-If you have the Weather Click sensor and the mikroBUS Xplained Pro adapter, follow the steps in this section; otherwise, skip to [Build the image](#build-the-image). You can complete this quickstart even if you don't have a sensor. The sample code for the device returns simulated data if a real sensor is not present.

-1. Select **Project > Batch Build**. Then select **build_all** and **Make** to build all projects. You will see build output in the **Build** pane. Confirm the successful compilation and linking of all sample projects.

-1. Before you can build the sample, you must build the **sample_azure_iot_embedded_pnp** project's dependent libraries: **threadx**, **netxduo**, and **same54_lib**. To build each library right-click its project in the **Projects** pane and select **Build**. Wait for each build to complete before moving to the next library.

-You can also use IoT Central to call a direct method that you have implemented on your device. Direct methods have a name, and can optionally have a JSON payload, configurable connection, and method timeout. In this section, you call a method that enables you to turn an LED on or off.

-For help debugging the application, see the selections under **Help** in **IAR EW for ARM**.

-For help debugging the application, see the selections under **Help** in **MPLAB X IDE**.

-In this quickstart, you built a custom image that contains Azure RTOS sample code, and then flashed the image to the Microchip E54 device device. You also used the IoT Central portal to create Azure resources, connect the Microchip E54 securely to Azure, view telemetry, and send messages.

-In this quickstart, you use Azure RTOS to connect an MXCHIP AZ3166 IoT DevKit (hereafter, MXCHIP DevKit) to Azure IoT.

-In this section, you create a new device instance and register it with the IoT hub you created. You will use the connection information for the newly registered device to securely connect your physical device in a later section.

-You can use Azure IoT Explorer to view and manage the properties of your devices. In this section and the following sections, you'll use the Plug and Play capabilities surfaced in IoT Explorer to manage and interact with the MXCHIP DevKit. These capabilities rely on the device model published for the MXCHIP DevKit in the public model repository. You configured IoT Explorer to search this repository for device models earlier in this quickstart. In many cases, you can perform the same action without using plug and play by selecting the same action from the left side menu of your device pane in IoT Explorer; however, using plug and play often provides an enhanced experience. This is because IoT Explorer can read the device model specified by a plug and play device and present information specific to that device.

-With Azure IoT Explorer, you can view the flow of telemetry from your device to the cloud. Optionally, you can perform the same task using Azure CLI.

-You can also use Azure IoT Explorer to call a direct method that you've implemented on your device. Direct methods have a name, and can optionally have a JSON payload, configurable connection, and method timeout. In this section, you call a method that turns an LED on or off. Optionally, you can perform the same task using Azure CLI.

-In this quickstart, you use Azure RTOS to connect an MXCHIP AZ3166 IoT DevKit (hereafter, MXCHIP DevKit) to Azure IoT.

-In this quickstart, you use Azure RTOS to connect the NXP MIMXRT1060-EVK Evaluation kit (hereafter, the NXP EVK) to Azure IoT.

-You will complete the following tasks:

-In this section you use IAR EW IDE to modify a configuration file for Azure IoT settings, build the sample client application, then download and run it on the device.

-1. Select **Project > Batch Build**. Then select **build_all** and **Make** to build all projects. You will see build output in the **Build** pane. Confirm the successful compilation and linking of all sample projects.

-In this section you prepare your environment, and use MCUXpresso to build and run the sample application on the device.

-1. In the **State** dropdown, select **True**, and then select **Run**. There will be no change on the device as there isn't an available LED to toggle; however, you can view the output in Termite to monitor the status of the methods.

-For help debugging the application, see the selections under **Help** in **IAR EW for ARM**.

-For help debugging the application, in MCUXpresso open the **Help > MCUXPresso IDE User Guide** and see the content on Azure RTOS debugging.

-In this quickstart, you use Azure RTOS to connect the Renesas RX65N Cloud Kit (hereafter, the Renesas RX65N) to Azure IoT.

-You will complete the following tasks:

- * 2 USB 2.0 A male to Mini USB male cables

-1. Run the following commands to confirm that CMake version 3.14 or later is installed and the RX compiler path is set up correctly.

-When virtual machine scale sets with [public IPs per instance](../virtual-network/ip-services/public-ip-address-prefix.md) are created with a load balancer in front, the SKU of the instance IPs is determined by the SKU of the Load Balancer (i.e. Basic or Standard). Note that when using a Standard Load Balancer, the individual instance IPs are all of type Standard "no-zone" (though the Load Balancer frontend could be zonal or zone-redundant).

-## Create load balancer frontend configuration and place in variable. ##

-$feip = New-AzLoadBalancerFrontendIpConfig -Name 'myFrontEnd' -PublicIpAddress $publicIp

-Azure Load Testing integrates with Azure Monitor to capture server-side resource metrics for Azure-hosted applications. You can specify which Azure components and resource metrics to monitor for your load test run.

-In this section, you'll update an existing load test to configure the Azure application components to capture server-side resource metrics.

- * [Azure API Management Control Plane IP addresses](../api-management/api-management-using-with-vnet.md#control-plane-ip-addresses)

- * [Azure API Management Dependencies](../api-management/api-management-using-with-vnet.md#network-configuration-issues)

-| *Solution/offer one-pager (Required)* | Drive awareness among potential customers with a professionally designed one-pager that showcases the value proposition of your solution.<br><br>You can use one of the relevant templates to provide a customer-ready description of your offering:<br><ul><li> [Microsoft Azure one-pager template](https://aka.ms/Customer-One-Pager_MicrosoftAzure)</li><li>[Microsoft Dynamics 365 one-pager template](https://aka.ms/Customer-One-Pager_MicrosoftDynamics365)</li> <li>[Microsoft 365 one-pager template](https://aka.ms/Customer-One-Pager_MicrosoftOffice365) </li><li>[Windows 10 one-pager template](https://aka.ms/Customer-One-Pager_Windows)</li></ul> <br> Microsoft sales teams may share this information with customers to help determine if your offering may be a good fit, and to ensure that it is customer ready. |

-| *Solution/offer pitch deck (Required)* | You can use the [Customer presentation template](https://aka.ms/GTMServices_CustomerPresentation) to create your pitch deck. This deck should reference the [Reference architecture diagram](reference-architecture-diagram.md). The purpose of this slide deck is to pitch your offer and its value proposition. After ensuring that your offer is customer ready, Microsoft sales teams may share this presentation with customers to articulate the value that your company and Microsoft bring when deploying a joint solution. The presentation should cover what your offer does, how it can help customers, what industries the offer is relevant for, and how it compares with competing solutions. |

-| *Customer case study* (Optional)| Use the [Case study template](https://aka.ms/GTM_Case_Study_Template) to create your customer case study. This information shows a potential customer how you and Microsoft have successfully deployed your offer in prior cases. |

-List and trial offers receive one-time use benefits. Transact offers are eligible for evergreen benefit engagement. As transacting partners, as you grow your billed sales through the commercial marketplace, you unlock greater benefits per per billed sales (or seats sold) tier.

- import com.microsoft.azure.AzureEnvironment;

- import com.microsoft.azure.credentials.ApplicationTokenCredentials;

- import com.microsoft.azure.management.mediaservices.v2018_07_01.implementation.MediaManager;

- import com.microsoft.rest.LogLevel;

- final String clientId = "00000000-0000-0000-0000-000000000000";

- final String tenantId = "00000000-0000-0000-0000-000000000000";

- final String clientSecret = "00000000-0000-0000-0000-000000000000";

- final String subscriptionId = "00000000-0000-0000-0000-000000000000";

- ApplicationTokenCredentials credentials = new ApplicationTokenCredentials(clientId, tenantId, clientSecret, AzureEnvironment.AZURE);

- credentials.withDefaultSubscriptionId(subscriptionId);

- MediaManager manager = MediaManager

- .configure()

- .withLogLevel(LogLevel.BODY_AND_HEADERS)

- .authenticate(credentials, credentials.defaultSubscriptionId());

- System.out.println("signed in");

-You can now include `import com.microsoft.azure.management.mediaservices.v2018_07_01.*;` and start manipulating entities.

-description: This page explains how to manage Network Security Group Flow logs in Azure Network Watcher with PowerShell

-# Configuring Network Security Group Flow logs with PowerShell

-Azure Red Hat OpenShift provides an integrated container image registry called [OpenShift Container Registry (OCR)](https://docs.openshift.com/container-platform/4.6/registry/architecture-component-imageregistry.html) that adds the ability to automatically provision new image repositories on demand. This provides users with a built-in location for their application builds to push the resulting images.

-Now that you've set up the built-in container image registry, you can get started by deploying an application on OpenShift. For Java applications, check out [Deploy a Java application with Open Liberty/WebSphere Liberty on an Azure Red Hat OpenShift 4 cluster](howto-deploy-java-liberty-app.md).

-### Restoring a Timescale database

-In the portal page of your Azure Database for PostgreSQL server, select **Query performance Insight** under the **Intelligent Performance** section of the menu bar.

-This view returns all the data in Query Store. There is one row for each distinct database ID, user ID, and query ID.

-This view returns wait events data in Query Store. There is one row for each distinct database ID, user ID, query ID, and event.

-|Data Map Storage |2 GB for each Capacity Unit | 200 GB for for 100 CU (Contact Support for more storage) |

-## Create Azure Key Vaults connections in your Azure Purview account

-Before you can create a Credential, first associate one or more of your existing Azure Key Vault instances with your Azure Purview account.

-1. From the [Azure portal](https://portal.azure.com), select your Azure Purview account and open the [Purview Studio](https://web.purview.azure.com/resource/). Navigate to the **Management Center** in the studio and then navigate to **credentials**.

-2. From the **Credentials** page, select **Manage Key Vault connections**.

- :::image type="content" source="media/manage-credentials/manage-kv-connections.png" alt-text="Manage Azure Key Vault connections":::

-3. Select **+ New** from the Manage Key Vault connections page.

-4. Provide the required information, then select **Create**.

-5. Confirm that your Key Vault has been successfully associated with your Azure Purview account as shown in this example:

- :::image type="content" source="media/manage-credentials/view-kv-connections.png" alt-text="View Azure Key Vault connections to confirm.":::

-## Person

-Person bloom filter has been prepared using the below two datasets.

- + Set the value of the **Certificate** key to the **thumbprint** of the TLS/SSL certificate you imported to the VM.

-> [!NOTE]

-> You can use the [trusted Microsoft service approach](../storage/common/storage-network-security.md#trusted-microsoft-services) to bypass virtual network or IP restrictions on a storage account. You can also enable the search service to access data in the storage account. To do so, see [Indexer access to Azure Storage with the trusted service exception](search-indexer-howto-access-trusted-service-exception.md).

->

-> However, when you use this approach, communication between Azure Cognitive Search and your storage account happens via the public IP address of the storage account, over the secure Microsoft backbone network.

-## Shared Private Link Resources Management APIs

-Private endpoints of secured resources that are created through Azure Cognitive Search APIs are referred to as *shared private link resources*. This is because you're "sharing" access to a resource, such as a storage account, that has been integrated with the [Azure Private Link service](https://azure.microsoft.com/services/private-link/).

-> There are Azure Cognitive Search data sources and other configurations that require creating more than one shared private link to work appropriately. Here is a list of the configurations with this requirement and which group IDs are necessary for each:

-> * **Azure Data Lake Storage Gen2 data source** - Create two shared private links: One shared private link with the groupID 'dfs' and another shared private link with the groupID 'blob'.

-> * **Skillset with Knowledge store configured** - One or two shared private links are necessary, depending on the projections set for Knowledge store:

-> * If using blob and/or file projections, create one shared private link with the groupID 'blob'.

-> * If using table projections, create one shared private link with the groupID 'table'.

-> * In case blob/file and also table projections are used, create two shared private links: one with groupID 'blob' and one with groupID 'table'.

-> * **Indexer with cache enabled** - Create two shared private links: One shared private link with the groupID 'table' and another shared private link with the groupID 'blob'.

-Use the following instructions to set up an indexer connection through a private endpoint to a secure Azure resource.

-The examples in this article are based on the following assumptions:

-* The name of the search service is _contoso-search_, which exists in the _contoso_ resource group of a subscription with subscription ID _00000000-0000-0000-0000-000000000000_.

-* The resource ID of this search service is _/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/contoso/providers/Microsoft.Search/searchServices/contoso-search_.

-### Step 1: Secure your Azure resource

-The steps for restricting access varies by resource. The following scenarios show three of the more common types of resources.

- The following is an example of how to configure an Azure storage account firewall. If you select this option and leave the page empty, it means that no traffic from virtual networks is allowed.

- 

- The following is an example of how to configure Azure Key Vault firewall.

-

- 

-

- No network setting changes are needed for Azure Functions firewalls. Later in the following steps, when you create the shared private endpoint, the Function will automatically only allow access through private link after the creation of a shared private endpoint to the Function.

-### Step 2: Create a shared private link resource to the Azure resource

-> The portal only supports creating a shared private endpoint using group ID values that are GA. For MySQL and Azure Functions, use the Azure CLI steps described in option 2, which follows.

-To request Azure Cognitive Search to create an outbound private endpoint connection, via the Shared Private Access blade, click on "Add Shared Private Access". On the blade that opens on the right, you can choose to "Connect to an Azure resource in my directory" or "Connect to an Azure resource by resource ID or alias".

-When using the first option (recommended), the blade will help guide you to pick the appropriate Azure resource and will autofill in other properties such as the group ID of the resource and the resource type.

-When using the second option, you can enter the Azure resource ID manually and choose the appropriate group ID. The group IDs are listed at the beginning of this article.

-Alternatively, you can make the following API call with the [Azure CLI](/cli/azure/). Use the 2020-08-01-preview API version if you're using a group ID that is in preview. For example, group IDs *sites* and *mysqlServer* and in preview and require you to use the preview API.

-+ A private DNS zone for the type of resource, based on the `groupId`. By deploying this resource, you ensure that any DNS lookup to the private resource utilizes the IP address that's associated with the private endpoint.

-Be sure to specify the correct `groupId` for the type of resource for which you're creating the private endpoint. Any mismatch will result in a non-successful response message.

-### Step 3: Check the status of the private endpoint creation

-> The provisioning state will be visible in the portal for both GA and group IDs that are in preview.

-### Step 4: Approve the private endpoint connection

-> In this section, you use the Azure portal to walk through the approval flow for a private endpoint to the Azure resource you're connecting to. Alternately, you could use the [REST API](/rest/api/storagerp/privateendpointconnections) that's available via the storage resource provider.

-> Other providers, such as Azure Cosmos DB or Azure SQL Server, offer similar storage resource provider APIs for managing private endpoint connections.

-### Step 5: Query the status of the shared private link resource

-Alternatively you can also obtain the "Connection state" by using the [GET API](/rest/api/searchmanagement/2021-04-01-preview/shared-private-link-resources/get).

-> You can perform this step before the private endpoint connection is approved. Until the private endpoint connection is approved, any indexer that tries to communicate with a secure resource (such as the storage account) will end up in a transient failure state. New indexers will fail to be created. As soon as the private endpoint connection is approved, indexers can access the private storage account.

-[Quotas and limits](search-limits-quotas-capacity.md) determine how many shared private link resources can be created and depend on the SKU of the search service.

-Learn more about private endpoints:

-+ [DNS configurations needed for private endpoints](../private-link/private-endpoint-dns.md)

-A search service initiates the request to create a shared private link, but Azure Resource Manager performs the actual work. You can [check the deployment's status](search-indexer-howto-access-private.md#step-3-check-the-status-of-the-private-endpoint-creation) in the portal or by query, and address any errors that might occur.

-2.3.x | Hoxton.SR8+

-### Dependencies for Spring Boot version 2.3

-For Spring Boot version 2.3 add the following dependencies to the application POM file.

- <version>2.3.4.RELEASE</version>

- <version>Hoxton.SR8</version>

-### Dependencies for Spring Boot version 2.4/2.5

-For Spring Boot version 2.4/2.5 add the following dependencies to the application POM file.

- <version>2.4.8</version>

- <version>2020.0.2</version>

-description: Azure CLI example script to create an Azure SQL Database elastic pool, add it to a failover group, and test failover.

-# Use CLI to add an Azure SQL Database elastic pool to a failover group

-This Azure CLI script example creates a single database, adds it to an elastic pool, creates a failover group, and tests failover.

-If you choose to install and use the CLI locally, this article requires that you are running the Azure CLI version 2.0 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install the Azure CLI](/cli/azure/install-azure-cli).

-## Sample script

-### Sign in to Azure

-```azurecli-interactive

-$subscription = "<subscriptionId>" # add subscription here

-az account set -s $subscription # ...or use 'az login'

-```

-### Run the script

-[!code-azurecli-interactive[main](../../../cli_scripts/sql-database/failover-groups/add-elastic-pool-to-failover-group-az-cli.sh "Add elastic pool to a failover group")]

-### Clean up deployment

-Use the following command to remove the resource group and all resources associated with it.

-```azurecli-interactive

-az group delete --name $resource

-```

-## Sample reference

-This script uses the following commands. Each command in the table links to command specific documentation.

-| Command | Description |

-|||

-| [az sql elastic-pool](/cli/azure/sql/elastic-pool) | Elastic pool commands. |

-| [az sql failover-group ](/cli/azure/sql/failover-group) | Failover group commands. |

-## Next steps

-For more information on the Azure CLI, see [Azure CLI documentation](/cli/azure/overview).

-Additional SQL Database Azure CLI script samples can be found in the [Azure SQL Database Azure CLI scripts](../../azure-sql/database/az-cli-script-samples-content-guide.md).

-description: Azure CLI example script to create an Azure SQL Managed Instance, add it to a failover group, and test failover.

-# Use CLI to add an Azure SQL Managed Instance to a failover group

-This Azure CLI example creates two managed instances, adds them to a failover group, and then tests failover from the primary managed instance to the secondary managed instance.

-If you choose to install and use the CLI locally, this article requires that you are running the Azure CLI version 2.0 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install the Azure CLI](/cli/azure/install-azure-cli).

-## Sample script

-### Sign in to Azure

-### Run the script

-[!code-azurecli-interactive[main](../../../cli_scripts/sql-database/failover-groups/add-managed-instance-to-failover-group-az-cli.sh "Add managed instance to a failover group")]

-### Clean up deployment

-Use the following command to remove the resource group and all resources associated with it. You will need to remove the resource group twice. Removing the resource group the first time will remove the managed instance and virtual clusters but will then fail with the error message `az group delete : Long running operation failed with status 'Conflict'.`. Run the az group delete command a second time to remove any residual resources as well as the resource group.

-```azurecli-interactive

-az group delete --name $resource

-```

-## Sample reference

-This script uses the following commands. Each command in the table links to command specific documentation.

-| Command | Description |

-|||

-| [az network vnet](/cli/azure/network/vnet) | Virtual network commands. |

-| [az network vnet subnet](/cli/azure/network/vnet/subnet) | Virtual network subnet commands. |

-| [az network nsg](/cli/azure/network/nsg) | Network security group commands. |

-| [az network route-table](/cli/azure/network/route-table) | Route table commands. |

-| [az sql mi](/cli/azure/sql/mi) | SQL Managed Instance commands. |

-| [az network public-ip](/cli/azure/network/public-ip) | Network public IP address commands. |

-| [az network vnet-gateway](/cli/azure/network/vnet-gateway) | Virtual Network Gateway commands. |

-| [az sql instance-failover-group](/cli/azure/sql/instance-failover-group) | SQL Managed Instance failover group commands. |

-## Next steps

-For more information on the Azure CLI, see [Azure CLI documentation](/cli/azure).

-Additional SQL Database CLI script samples can be found in the [Azure SQL Database documentation](../../azure-sql/database/az-cli-script-samples-content-guide.md).

-description: Azure CLI example script to configure auditing and Advanced Threat Protection in an Azure SQL Database

-# Use CLI to configure SQL Database auditing and Advanced Threat Protection

-This Azure CLI script example configures SQL Database auditing and Advanced Threat Protection.

-If you choose to install and use the CLI locally, this topic requires that you are running the Azure CLI version 2.0 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install the Azure CLI](/cli/azure/install-azure-cli).

-## Sample script

-### Sign in to Azure

-```azurecli-interactive

-$subscription = "<subscriptionId>" # add subscription here

-az account set -s $subscription # ...or use 'az login'

-```

-### Run the script

-```azurecli-interactive

-#!/bin/bash

-location="East US"

-randomIdentifier=random123

-resource="resource-$randomIdentifier"

-server="server-$randomIdentifier"

-database="database-$randomIdentifier"

-storage="storage$randomIdentifier"

-notification="changeto@your.email;changeto@your.email"

-login="sampleLogin"

-password="samplePassword123!"

-echo "Using resource group $resource with login: $login, password: $password..."

-echo "Creating $resource..."

-az group create --name $resource --location "$location"

-echo "Creating $server in $location..."

-az sql server create --name $server --resource-group $resource --location "$location" --admin-user $login --admin-password $password

-echo "Creating $database on $server..."

-az sql db create --name $database --resource-group $resource --server $server --service-objective S0

-echo "Creating $storage..."

-az storage account create --name $storage --resource-group $resource --location "$location" --sku Standard_LRS

-echo "Setting access policy on $storage..."

-az sql db audit-policy update --resource-group $resource --server $server --name $database --state Enabled --blob-storage-target-state Enabled --storage-account $storage

-echo "Setting threat detection policy on $storage..."

-az sql db threat-policy update --email-account-admins Disabled --email-addresses $notification --name $database --resource-group $resource --server $server --state Enabled --storage-account $storage

-```

-### Clean up deployment

-Use the following command to remove the resource group and all resources associated with it.

-```azurecli-interactive

-az group delete --name $resource

-```

-## Sample reference

-This script uses the following commands. Each command in the table links to command specific documentation.

-| Command | Description |

-|||

-| [az sql db audit-policy](/cli/azure/sql/db/audit-policy) | Sets the auditing policy for a database. |

-| [az sql db threat-policy](/cli/azure/sql/db/threat-policy) | Sets an Advanced Threat Protection policy on a database. |

-## Next steps

-For more information on the Azure CLI, see [Azure CLI documentation](/cli/azure).

-Additional SQL Database CLI script samples can be found in the [Azure SQL Database documentation](../../azure-sql/database/az-cli-script-samples-content-guide.md).

-description: Azure CLI example script to backup an Azure SQL single database to an Azure storage container

-# Use CLI to backup an Azure SQL single database to an Azure storage container

-This Azure CLI example backs up a database in SQL Database to an Azure storage container.

-If you choose to install and use the CLI locally, this article requires that you are running the Azure CLI version 2.0 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install the Azure CLI]( /cli/azure/install-azure-cli).

-## Sample script

-### Sign in to Azure

-```azurecli-interactive

-$subscription = "<subscriptionId>" # add subscription here

-az account set -s $subscription # ...or use 'az login'

-```

-### Run the script

-[!code-azurecli-interactive[main](../../../cli_scripts/sql-database/backup-database/backup-database.sh "Restore SQL Database")]

-### Clean up deployment

-Use the following command to remove the resource group and all resources associated with it.

-```azurecli-interactive

-az group delete --name $resource

-```

-## Sample reference

-This script uses the following commands. Each command in the table links to command specific documentation.

-| Command | Notes |

-|||

-| [az sql server](/cli/azure/sql/server) | Server commands. |

-| [az sql db](/cli/azure/sql/db) | Database commands. |

-## Next steps

-For more information on the Azure CLI, see [Azure CLI documentation](/cli/azure).

-Additional SQL Database CLI script samples can be found in the [Azure SQL Database documentation](../../azure-sql/database/az-cli-script-samples-content-guide.md).

-description: Azure CLI example script to copy a database in Azure SQL Database to a new server

-# Use CLI to copy a database in Azure SQL Database to a new server

-This Azure CLI script example creates a copy of an existing database in a new server.

-If you choose to install and use the CLI locally, this article requires that you are running the Azure CLI version 2.0 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install the Azure CLI](/cli/azure/install-azure-cli).

-## Sample script

-### Sign in to Azure

-```azurecli-interactive

-$subscription = "<subscriptionId>" # add subscription here

-az account set -s $subscription # ...or use 'az login'

-```

-### Run the script

-[!code-azurecli-interactive[main](../../../cli_scripts/sql-database/copy-database-to-new-server/copy-database-to-new-server.sh "Copy database to new server")]

-### Clean up deployment

-Use the following command to remove the resource group and all resources associated with it.

-```azurecli-interactive

-az group delete --name $resource

-az group delete --name $targetResource

-```

-## Sample reference

-This script uses the following commands. Each command in the table links to command specific documentation.

-| Command | Description |

-|||

-| [az sql db copy](/cli/azure/sql/db#az_sql_db_copy) | Creates a copy of a database that uses the snapshot at the current time. |

-## Next steps

-For more information on the Azure CLI, see [Azure CLI documentation](/cli/azure).

-Additional SQL Database CLI script samples can be found in the [Azure SQL Database documentation](../../azure-sql/database/az-cli-script-samples-content-guide.md).

-description: Azure CLI example script to create a managed instance in Azure SQL Managed Instance

-# Use CLI to create an Azure SQL Managed Instance

-This Azure CLI script example creates an Azure SQL Managed Instance in a dedicated subnet within a new virtual network. It also configures a route table and a network security group for the virtual network. Once the script has been successfully run, the managed instance can be accessed from within the virtual network or from an on-premises environment. See [Configure Azure VM to connect to an Azure SQL Managed Instance]../../azure-sql/managed-instance/connect-vm-instance-configure.md) and [Configure a point-to-site connection to an Azure SQL Managed Instance from on-premises](../../azure-sql/managed-instance/point-to-site-p2s-configure.md).

-> [!IMPORTANT]

-> For limitations, see [supported regions](../../azure-sql/managed-instance/resource-limits.md#supported-regions) and [supported subscription types](../../azure-sql/managed-instance/resource-limits.md#supported-subscription-types).

-If you choose to install and use the CLI locally, this article requires that you are running the Azure CLI version 2.0 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install the Azure CLI](/cli/azure/install-azure-cli).

-## Sample script

-### Sign in to Azure

-### Run the script

-[!code-azurecli-interactive[main](../../../cli_scripts/sql-database/managed-instance/create-managed-instance.sh "Create managed instance")]

-### Clean up deployment

-Use the following command to remove the resource group and all resources associated with it.

-```azurecli-interactive

-az group delete --name $resource

-```

-## Sample reference

-This script uses the following commands. Each command in the table links to command specific documentation.

-| Command | Description |

-|||

-| [az network vnet](/cli/azure/network/vnet) | Virtual network commands. |

-| [az network vnet subnet](/cli/azure/network/vnet/subnet) | Virtual network subnet commands. |

-| [az network route-table](/cli/azure/network/route-table) | Network route table commands. |

-| [az sql mi](/cli/azure/sql/mi) | SQL Managed Instance commands. |

-## Next steps

-For more information on the Azure CLI, see [Azure CLI documentation](/cli/azure).

-Additional SQL Database CLI script samples can be found in the [Azure SQL Database documentation](../../azure-sql/database/az-cli-script-samples-content-guide.md).

-description: Learn how to create two managed instances, add them to a failover group, and then test the failover.

-# Use CLI to create an Azure SQL Managed Instance to a failover group

-This Azure CLI example creates two managed instances, adds them to a failover group, and then tests failover from the primary managed instance to the secondary managed instance.

-If you choose to install and use the CLI locally, this article requires that you are running the Azure CLI version 2.0 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install the Azure CLI](/cli/azure/install-azure-cli).

-## Sample scripts

-### Sign in to Azure

-### Run the script

-[!code-azurecli-interactive[main](../../../cli_scripts/sql-database/failover-groups/add-managed-instance-to-failover-group-az-cli.sh "Add managed instance to a failover group")]

-### Clean up deployment

-Use the following command to remove the resource group and all resources associated with it. You will need to remove the resource group twice. Removing the resource group the first time will remove the managed instance and virtual clusters but will then fail with the error message `az group delete : Long running operation failed with status 'Conflict'.`. Run the az group delete command a second time to remove any residual resources as well as the resource group.

-```azurecli-interactive

-az group delete --name $resource

-```

-## Sample reference

-This script uses the following commands. Each command in the table links to command specific documentation.

-| Command | Description |

-|||

-| [az network vnet](/cli/azure/network/vnet) | Virtual network commands. |

-| [az network vnet subnet](/cli/azure/network/vnet/subnet) | Virtual network subnet commands. |

-| [az network nsg](/cli/azure/network/nsg) | Network security group commands. |

-| [az network nsg rule](/cli/azure/network/nsg/rule)| Network security rule commands. |

-| [az network route-table](/cli/azure/network/route-table) | Route table commands. |

-| [az sql mi](/cli/azure/sql/mi) | SQL Managed Instance commands. |

-| [az network public-ip](/cli/azure/network/public-ip) | Network public IP address commands. |

-| [az network vnet-gateway](/cli/azure/network/vnet-gateway) | Virtual Network Gateway commands |

-| [az sql instance-failover-group](/cli/azure/sql/instance-failover-group) | SQL Managed Instance failover group commands. |

-## Next steps

-For more information on the Azure CLI, see [Azure CLI documentation](/cli/azure).

-Additional SQL Database CLI script samples can be found in the [Azure SQL Database documentation](../../azure-sql/database/az-cli-script-samples-content-guide.md).

-description: Azure CLI example script to import a BACPAC file into a database in Azure SQL Database

-# Use CLI to import a BACPAC file into a database in SQL Database

-This Azure CLI script example imports a database from a *.bacpac* file into a database in SQL Database.

-If you choose to install and use the CLI locally, this article requires that you are running the Azure CLI version 2.0 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install the Azure CLI](/cli/azure/install-azure-cli).

-## Sample script

-### Sign in to Azure

-### Run the script

-[!code-azurecli-interactive[main](../../../cli_scripts/sql-database/import-from-bacpac/import-from-bacpac.sh "Create SQL Database")]

-### Clean up deployment

-Use the following command to remove the resource group and all resources associated with it.

-```azurecli-interactive

-az group delete --name $resource

-```

-## Sample reference

-This script uses the following commands. Each command in the table links to command specific documentation.

-| Command | Description |

-|||

-| [az sql server](/cli/azure/sql/server) | Server commands. |

-| [az sql db import](/cli/azure/sql/db#az_sql_db_import) | Database import command. |

-## Next steps

-For more information on the Azure CLI, see [Azure CLI documentation](/cli/azure).

-Additional SQL Database CLI script samples can be found in the [Azure SQL Database documentation](../../azure-sql/database/az-cli-script-samples-content-guide.md).

-description: Azure CLI example script to restore a database in Azure SQL Database to an earlier point in time from automatic backups.

-# Use CLI to restore a single database in Azure SQL Database to an earlier point in time

-This Azure CLI example restores a single database in Azure SQL Database to a specific point in time.

-If you choose to install and use the CLI locally, this article requires that you are running the Azure CLI version 2.0 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install the Azure CLI]( /cli/azure/install-azure-cli).

-## Sample script

-### Sign in to Azure

-```azurecli-interactive

-$subscription = "<subscriptionId>" # add subscription here

-az account set -s $subscription # ...or use 'az login'

-```

-### Run the script

-[!code-azurecli-interactive[main](../../../cli_scripts/sql-database/restore-database/restore-database.sh "Restore SQL Database")]

-### Clean up deployment

-Use the following command to remove the resource group and all resources associated with it.

-```azurecli-interactive

-az group delete --name $resource

-```

-## Sample reference

-This script uses the following commands. Each command in the table links to command specific documentation.

-| Command | Description |

-|||

-| [az sql db restore](/cli/azure/sql/db#az_sql_db_restore) | Restore database command. |

-## Next steps

-For more information on the Azure CLI, see [Azure CLI documentation](/cli/azure).

-Additional SQL Database CLI script samples can be found in the [Azure SQL Database documentation](../../azure-sql/database/az-cli-script-samples-content-guide.md).

-description: Azure CLI example script to set up active geo-replication for a single database in Azure SQL Database and fail it over.

-# Use CLI to configure active geo-replication for a single database in Azure SQL Database

-This Azure CLI script example configures active geo-replication for a single database and fails it over to a secondary replica of the database.

-If you choose to install and use the CLI locally, this article requires that you are running the Azure CLI version 2.0 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install the Azure CLI](/cli/azure/install-azure-cli).

-## Sample script

-### Sign in to Azure

-```azurecli-interactive

-$subscription = "<subscriptionId>" # add subscription here

-az account set -s $subscription # ...or use 'az login'

-```

-### Run the script

-[!code-azurecli-interactive[main](../../../cli_scripts/sql-database/setup-geodr-and-failover/setup-geodr-and-failover-single-database.sh "Set up active geo-replication for single database")]

-### Clean up deployment

-Use the following command to remove the resource group and all resources associated with it.

-```azurecli-interactive

-az group delete --name $resource

-```

-## Sample reference

-This script uses the following commands. Each command in the table links to command specific documentation.

-| Command | Description |

-|||

-| [az sql db replica](/cli/azure/sql/db/replica) | Database replica commands. |

-## Next steps

-For more information on the Azure CLI, see [Azure CLI documentation](/cli/azure).

-Additional SQL Database CLI script samples can be found in the [Azure SQL Database documentation](../../azure-sql/database/az-cli-script-samples-content-guide.md).

-description: Azure CLI example script to set up active geo-replication for a pooled database in Azure SQL Database and fail it over.

-# Use CLI to configure active geo-replication for a pooled database in Azure SQL Database

-This Azure CLI script example configures active geo-replication for a pooled database in Azure SQL Database and fails it over to the secondary replica of the database.

-If you choose to install and use the CLI locally, this article requires that you are running the Azure CLI version 2.0 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install the Azure CLI](/cli/azure/install-azure-cli).

-## Sample script

-### Sign in to Azure

-```azurecli-interactive

-$subscription = "<subscriptionId>" # add subscription here

-az account set -s $subscription # ...or use 'az login'

-```

-### Run the script

-[!code-azurecli-interactive[main](../../../cli_scripts/sql-database/setup-geodr-and-failover/setup-geodr-and-failover-elastic-pool.sh "Set up active geo-replication for elastic pool")]

-### Clean up deployment

-Use the following command to remove the resource group and all resources associated with it.

-```azurecli-interactive

-az group delete --name $resource

-az group delete --name $secondaryResource

-```

-## Sample reference

-This script uses the following commands. Each command in the table links to command specific documentation.

-| Command | Description |

-|||

-| [az sql elastic-pool](/cli/azure/sql/elastic-pool) | Elastic pool commands |

-| [az sql db replica](/cli/azure/sql/db/replica) | Database replication commands. |

-## Next steps

-For more information on the Azure CLI, see [Azure CLI documentation](/cli/azure).

-Additional SQL Database CLI script samples can be found in the [Azure SQL Database documentation](../../azure-sql/database/az-cli-script-samples-content-guide.md).

-description: Azure CLI example script to restore an Azure SQL Managed Instance Database from a geo-redundant backup.

-# Use CLI to restore a Managed Instance database to another geo-region

-This Azure CLI script example restores an Azure SQL Managed Instance database from a remote geo-region (geo-restore).

-If you choose to install and use the CLI locally, this article requires that you are running the Azure CLI version 2.0 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install the Azure CLI](/cli/azure/install-azure-cli).

-## Sample script

-### Prerequisites

-An existing pair of managed instances, see [Use Azure CLI to create an Azure SQL Managed Instance](sql-database-create-configure-managed-instance-cli.md).

-### Sign in to Azure

-### Run the script

-```azurepowershell-interactive

-#!/bin/bash

-$instance = "<instanceId>" # add instance here

-$targetInstance = "<targetInstanceId>" # add target instance here

-$resource = "<resourceId>" # add resource here

-$randomIdentifier = $(Get-Random)

-$managedDatabase = "managedDatabase-$randomIdentifier"

-echo "Creating $($managedDatabase) on $($instance)..."

-az sql midb create -g $resource --mi $instance -n $managedDatabase

-echo "Restoring $($managedDatabase) to $($targetInstance)..."

-az sql midb restore -g $resource --mi $instance -n $managedDatabase --dest-name $targetInstance --time "2018-05-20T05:34:22"

-```

-## Sample reference

-This script uses the following commands. Each command in the table links to command specific documentation.

-| Script | Description |

-|||

-| [az sql midb](/cli/azure/sql/midb) | Managed Instance Database commands. |

-## Next steps

-For more information on the Azure CLI, see [Azure CLI documentation](/cli/azure).

-Additional SQL Database CLI script samples can be found in the [Azure SQL Database documentation](../../azure-sql/database/az-cli-script-samples-content-guide.md).

-description: "Learn how to configure an Azure SQL Managed Instance to start using BYOK Transparent Data Encryption (TDE) for encryption-at-rest using PowerShell."

-# Manage Transparent Data Encryption in a Managed Instance using your own key from Azure Key Vault

-This Azure CLI script example configures Transparent Data Encryption (TDE) with customer-managed key for Azure SQL Managed Instance, using a key from Azure Key Vault. This is often referred to as a Bring Your Own Key scenario for TDE. To learn more about the TDE with customer-managed key, see [TDE Bring Your Own Key to Azure SQL](../../azure-sql/database/transparent-data-encryption-byok-overview.md).

-If you choose to install and use the CLI locally, this article requires that you are running the Azure CLI version 2.0 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install the Azure CLI](/cli/azure/install-azure-cli).

-## Sample script

-### Prerequisites

-An existing Managed Instance, see [Use Azure CLI to create an Azure SQL Managed Instance](sql-database-create-configure-managed-instance-cli.md).

-### Sign in to Azure

-```azurecli-interactive

-$subscription = "<subscriptionId>" # add subscription here

-az account set -s $subscription # ...or use 'az login'

-```

-### Run the script

-[!code-azurecli-interactive[main](../../../cli_scripts/sql-database/transparent-data-encryption/setup-tde-byok-sqlmi.sh "Set up BYOK TDE for SQL Managed Instance")]

-### Clean up deployment

-Use the following command to remove the resource group and all resources associated with it.

-```azurecli-interactive

-az group delete --name $resource

-```

-## Sample reference

-This script uses the following commands. Each command in the table links to command specific documentation.

-| Command | Description |

-|||

-| [az sql db](/cli/azure/sql/db) | Database commands. |

-| [az sql failover-group](/cli/azure/sql/failover-group) | Failover group commands. |

-## Next steps

-For more information on the Azure CLI, see [Azure CLI documentation](/cli/azure).

-Additional SQL Database CLI script samples can be found in the [Azure SQL Database documentation](../../azure-sql/database/az-cli-script-samples-content-guide.md).

- repo_token: ${{ secrets.GITHUB_TOKEN }} # Used for Github integrations (i.e. PR comments)

- repo_token: ${{ secrets.GITHUB_TOKEN }} # Used for Github integrations (i.e. PR comments)

-2. In the **Storage account** drop-down list, select the storage account that you want to archive your logs to, click the **OK** button, and then select the **Save** button.

- - Customer's subscription needs to be signed up for the preview. See this.

-Before you can create a key expiration policy, you may need to rotate each of your account access keys at least once.

-The following table indicates the boundaries of Microsoft's testing and also indicates which targets are hard limits:

-1. If you get this error ΓÇ£There was a network connectivity issue when fetching the results. Please check your network and firewall settings.ΓÇ¥, follow the steps below:

- * To check the connection to the service, open [https://queryruntime.azurestreamanalytics.com/api/home/index](https://queryruntime.azurestreamanalytics.com/api/home/index) in a browser. If you cannot open this link, then update your firewall settings.

-

-2. If you get this error "The request size is too big. Please reduce the input data size and try again.", follow the steps below:

-| **User defined functions** | [Yes](/sql/t-sql/statements/create-function-sql-data-warehouse?view=azure-sqldw-latest&preserve-view=true) | Yes, only inline table-valued functions. Scalar user defined functions are not supported. |

-| **[Table partitions](../sql-data-warehouse/sql-data-warehouse-tables-partition.md?context=/azure/synapse-analytics/context/context)** | Yes | No, only external tables that are synchronized from the Apache Spark pools can be partitioned per folders. |

-| **[Statistics](develop-tables-statistics.md)** | Yes | Yes |

-| **Azure SQL (remote)** | No | No, serverless SQL pool cannot reference Azure SQL database. You can reference serverless SQL pools from Azure SQL using [elastic queries](https://devblogs.microsoft.com/azure-sql/read-azure-storage-files-using-synapse-sql-external-tables/) or [linked servers](https://devblogs.microsoft.com/azure-sql/linked-server-to-synapse-sql-to-implement-polybase-like-scenarios-in-managed-instance) |