-|dateTime|Represents an instant in time, typically expressed as a date and time of day. The value of the date follows ISO 8601 convention.|

- 1. In the **User input type** drop-down, select **DropdownSingleSelect**. Optional: Use the "Move up/down" buttons to arrange the text order on the sign-up page.

- After the domain is verified, **delete** the DNS TXT record you created.

-1. Open the *SocialAndLocalAccounts/**TrustFrameworkExtensions.xml*** file.

-

-

- // Get the scopes from the configuration (appsettings.json)

- var initialScopes = Configuration.GetValue<string>("DownstreamApi:Scopes")?.Split(' ');

- {

-> Get notified of updates to this page by pasting this URL into your RSS feed reader:<br/>`https://docs.microsoft.com/api/search/rss?search=%22whats%20new%20for%20authentication%22&locale=en-us`

->[!NOTE]

->The group-based licensing feature currently is in public preview. During the preview, the feature is available with any paid Azure Active Directory (Azure AD) license plan or trial.

-Or you can start [creating groups](../fundamentals/active-directory-groups-create-azure-portal.md?context=azure%2factive-directory%2fusers-groups-roles%2fcontext%2fugr-context), [assigning licenses](../fundamentals/license-users-groups.md?context=azure%2factive-directory%2fusers-groups-roles%2fcontext%2fugr-context), [assigning app access](../manage-apps/assign-user-or-group-access-portal.md?context=azure%2factive-directory%2fusers-groups-roles%2fcontext%2fugr-context) or [assigning administrator roles](../roles/permissions-reference.md).

-If you're thinking about migrating from federated to cloud authentication, learn more about [changing the sign-in method](../../active-directory/hybrid/plan-connect-user-signin.md). To help you plan and implement the migration, use [these project deployment plans](../fundamentals/active-directory-deployment-plans.md) or consider using the new [Staged Rollout](../../active-directory/hybrid/how-to-connect-staged-rollout.md) feature to migrate federated users to using cloud authentication in a staged approach.

-For more information on how to get started on this journey, see the Azure AD deployment plans, located at <https://aka.ms/deploymentplans>. They provide end-to-end guidance about how to deploy Azure Active Directory (Azure AD) capabilities. Each plan explains the business value, planning considerations, design, and operational procedures needed to successfully roll out common Azure AD capabilities. Microsoft continually updates the deployment plans with best practices learned from customer deployments and other feedback when we add new capabilities to managing from the cloud with Azure AD.

-|Managed Service Account|Custom, 2017 April and later|If you use a remote SQL Server, then we recommend using a group Managed Service Account. |

-The Virtual Service Account is intended to be used with scenarios where the sync engine and SQL are on the same server. If you use remote SQL, then we recommend using a group Managed Service Account instead.

-If you use a remote SQL Server, then we recommend to using a group Managed Service Account. For more information on how to prepare your Active Directory for group Managed Service account, see [Group Managed Service Accounts Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831782(v=ws.11)).

-Learn more about [Integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md).

-* [Azure AD Connect sync: Functions Reference](reference-connect-sync-functions-reference.md)

-* [Configure / Disable device writeback](how-to-connect-device-writeback.md)

-Learn more about [Integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md).

-Learn more about [user sign-in options](plan-connect-user-signin.md).

-For more information on Token Signing certificates in AD FS see [Obtain and Configure Token Signing and Token Decryption Certificates for AD FS](/windows-server/identity/ad-fs/operations/configure-ts-td-certs-ad-fs)

-The Azure Active Directory (Azure AD) team regularly updates Azure AD Connect with new features and functionality. Not all additions are applicable to all audiences.

-This article is designed to help you keep track of the versions that have been released, and to understand what the changes are in the latest version.

-This table is a list of related topics:

-Required permissions | For permissions required to apply an update, see [accounts and permissions](reference-connect-accounts-permissions.md#upgrade).

-> **On 31 August 2022, all 1.x versions of Azure Active Directory (Azure AD) Connect will be retired because they include SQL Server 2012 components that will no longer be supported.** Either upgrade to the most recent version of Azure AD Connect (2.x version) by that date, or [evaluate and switch to Azure AD cloud sync](../cloud-sync/what-is-cloud-sync.md).

->

-> You need to make sure you are running a recent version of Azure AD Connect to receive an optimal support experience.

->

-> If you run a retired version of Azure AD Connect it may unexpectedly stop working and you may not have the latest security fixes, performance improvements, troubleshooting and diagnostic tools and service enhancements. Moreover, if you require support we may not be able to provide you with the level of service your organization needs.

->

-> Go to this article to learn more about [Azure Active Directory Connect V2.0](whatis-azure-ad-connect-v2.md), what has changed in V2.0 and how this change impacts you.

->

-> Please refer to [this article](./how-to-upgrade-previous-version.md) to learn more about how to upgrade Azure AD Connect to the latest version.

->

-> For version history information on retired versions, see [Azure AD Connect version release history archive](reference-connect-version-history-archive.md)

-> Releasing a new version of Azure AD Connect is a process that requires several quality control step to ensure the operation functionality of the service, and while we go through this process the version number of a new release as well as the release status will be updated to reflect the most recent state.

->

-> Not all releases of Azure AD Connect will be made available for auto upgrade. The release status will indicate whether a release is made available for auto upgrade or for download only. If auto upgrade was enabled on your Azure AD Connect server then that server will automatically upgrade to the latest version of Azure AD Connect that is released for auto upgrade. Note that not all Azure AD Connect configurations are eligible for auto upgrade.

->

-> To clarify the use of Auto Upgrade, it is meant to push all important updates and critical fixes to you. This is not necessarily the latest version because not all versions will require/include a fix to a critical security issue (just one example of many). Critical issues would usually be addressed with a new version provided via Auto Upgrade. If there are no such issues, there are no updates pushed out using Auto Upgrade, and in general if you are using the latest auto upgrade version you should be good.

->

-> However, if you'd like all the latest features and updates, the best way to see if there are any is to check this page and install them as you see fit.

->

-> Please follow this link to read more about [auto upgrade](how-to-connect-install-automatic-upgrade.md).

-12/22/2021: Released for download only, not available for auto upgrade.

-> [!NOTE]

-> This release requires Windows Server 2016 or newer. It fixes a vulnerability that is present in version 2.0 of Azure AD Connect, as well as some other bug fixes and minor feature updates.

-12/15/2021: Released for download only, not available for auto upgrade.

-> This is an update release of Azure AD Connect. This version is intended to be used by customers who are running an older version of Windows Server and cannot upgrade their server to Windows Server 2016 or newer at this time. You cannot use this version to update an Azure AD Connect V2.0 server.

-> This release should not be installed on Windows Server 2016 or newer. This release includes SQL Server 2012 components and will be retired on August 31st 2022. You will need to upgrade your Server OS and Azure AD Connect version before that date.

-> There is an issue where upgrading to this v1.6 build or any newer builds resets the group membership limit to 50k. When a server is upgraded to this build, or any newer 1.6 builds, then the customer should reapply the rules changes they applied when initially increasing the group membership limit to 250k before they enable sync for the server.

-10/13/2021: Released for download and auto upgrade.

-### Known Issues

-> This is a maintenance update release of Azure AD Connect. This release requires Windows Server 2016 or newer.

-9/30/2021: Released for download only, not available for auto upgrade.

-Note: A phantom object is a placeholder for an object which is not there or has not been seen yet, for example if a source object has a reference for a target object which is not there then we create the target object as a phantom.

-> This is an update release of Azure AD Connect. This version is intended to be used by customers who are running an older version of Windows Server and cannot upgrade their server to Windows Server 2016 or newer at this time. You cannot use this version to update an Azure AD Connect V2.0 server.

-> We will begin auto upgrading eligible tenants when this version is available for download, autoupgrade will take a few weeks to complete.

-> There is an issue where upgrading to this v1.6 build or any newer builds resets the group membership limit to 50k. When a server is upgraded to this build, or any newer 1.6 builds, then the customer should reapply the rules changes they applied when initially increasing the group membership limit to 250k before they enable sync for the server.

-9/21/2021: Released for download and auto upgrade.

-> This is a hotfix update release of Azure AD Connect. This release requires Windows Server 2016 or newer and fixes a security issue that is present in version 2.0 of Azure AD Connect, as well as some other bug fixes.

-9/14/2021: Released for download only, not available for auto upgrade.

-8/19/2021: Released for download only, not available for auto upgrade.

-> This is a hotfix update release of Azure AD Connect. This release requires Windows Server 2016 or newer. This hotfix addresses an issue that is present in version 2.0 as well as in Azure AD Connect version 1.6. If you are running Azure AD Connect on an older Windows Server you should install the [1.6.13.0](#16130) build instead.

-8/19/2021: Released for download only, not available for auto upgrade.

-> This is a hotfix update release of Azure AD Connect. This release is intended for customers who are running Azure AD Connect on a server with Windows Server 2012 or 2012 R2.

-8/19/2021: Released for download only, not available for auto upgrade.

-There are no functional changes in this release

-8/17/2021: Released for download only, not available for auto upgrade.

-> This is a hotfix update release of Azure AD Connect. This release requires Windows Server 2016 or newer. This release addresses an issue that is present in version 2.0.8.0, this issue is not present in Azure AD Connect version 1.6.

-> This is a security update release of Azure AD Connect. This release requires Windows Server 2016 or newer. If you are using an older version of Windows Server, please use [version 1.6.11.3](#16113).

-> This release addresses a vulnerability as documented in [this CVE](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36949). For more information about this vulnerability please refer to the CVE.

-> You can download the latest version of Azure AD Connect 2.0 using [this link](https://www.microsoft.com/download/details.aspx?id=47594).

-8/10/2021: Released for download only, not available for auto upgrade.

-There are no functional changes in this release

-> This is security update release of Azure AD Connect. This version is intended to be used by customers are running an older version of Windows Server and cannot upgrade their server to Windows Server 2016 or newer as this time. You cannot use this version to update an Azure AD Connect V2.0 server.

-> This release addresses a vulnerability as documented in [this CVE](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36949). For more information about this vulnerability please refer to the CVE.

-> You can download the latest version of Azure AD Connect 1.6 using [this link](https://www.microsoft.com/download/details.aspx?id=103336).

-8/10/2021: Released for download only, not available for auto upgrade.

-There are no functional changes in this release

-> This is a major release of Azure AD Connect. Please refer to the [Azure Active Directory V2.0 article](whatis-azure-ad-connect-v2.md) for more details.

-7/20/2021: Released for download only, not available for auto upgrade

-To sync an expired password from Active Directory to Azure Active Directory please use the [Synchronizing temporary passwords](how-to-connect-password-hash-synchronization.md#synchronizing-temporary-passwords-and-force-password-change-on-next-logon) feature in Azure AD Connect. Note that you will need to enable password writeback to use this feature, so the password the user updates is written back to Active Directory too.

- - Get-ADSyncToolsTls12

- - Set-ADSyncToolsTls12

-You can use these cmdlets to retrieve the TLS 1.2 enablement status, or set it as needed. Note that TLS 1.2 must be enabled on the server for the installation or Azure AD Connect to succeed.

- The following cmdlets have been added or updated

- - Clear-ADSyncToolsMsDsConsistencyGuid

- - ConvertFrom-ADSyncToolsAadDistinguishedName

- - ConvertFrom-ADSyncToolsImmutableID

- - ConvertTo-ADSyncToolsAadDistinguishedName

- - ConvertTo-ADSyncToolsCloudAnchor

- - ConvertTo-ADSyncToolsImmutableID

- - Export-ADSyncToolsAadDisconnectors

- - Export-ADSyncToolsObjects

- - Export-ADSyncToolsRunHistory

- - Get-ADSyncToolsAadObject

- - Get-ADSyncToolsMsDsConsistencyGuid

- - Import-ADSyncToolsObjects

- - Import-ADSyncToolsRunHistory

- - Remove-ADSyncToolsAadObject

- - Search-ADSyncToolsADobject

- - Set-ADSyncToolsMsDsConsistencyGuid

- - Trace-ADSyncToolsADImport

- - Trace-ADSyncToolsLdapQuery

- - employeeType

- - employeeHireDate

- - [Generic LDAP Connector reference documentation](/microsoft-identity-manager/reference/microsoft-identity-manager-2016-connector-genericldap)

- - [Generic SQL Connector reference documentation](/microsoft-identity-manager/reference/microsoft-identity-manager-2016-connector-genericsql)

-> - This release will not be made available in the Azure German cloud

-3/31/2021: Released for download only, not available for auto upgrade

-> Update per March 30, 2021: we have discovered an issue in this build. After installation of this build, the Health services are not registered. We recommend not installing this build. We will release a hotfix shortly.

-> If you already installed this build, you can manually register the Health services by using the cmdlet as shown in [this article](./how-to-connect-health-agent-install.md#manually-register-azure-ad-connect-health-for-sync).

-> [!NOTE]

-> - This release will be made available for download only.

-> - The upgrade to this release will require a full synchronization due to sync rule changes.

-> - This release defaults the Azure AD Connect server to the new V2 end point.

-3/19/2021: Released for download, not available for auto upgrade

- - Added new default sync rules for limiting membership count in group writeback (Out to AD - Group Writeback Member Limit) and group sync to Azure Active Directory (Out to AAD - Group Writeup Member Limit) groups.

- - Added member attribute to the 'Out to AD - Group SOAInAAD - Exchange' rule to limit members in written back groups to 50k.

- -If the "In from AAD - Group SOAInAAD" rule is cloned and Azure AD Connect is upgraded.

- - The updated rule will be disabled by default and so the targetWritebackType will be null.

- - Azure AD Connect will writeback all Cloud Groups (including Azure Active Directory Security Groups enabled for writeback) as Distribution Groups.

- -If the "Out to AD - Group SOAInAAD" rule is cloned and Azure AD Connect is upgraded.

- - The updated rule will be disabled by default. However, a new sync rule "Out to AD - Group SOAInAAD - Exchange" which is added will be enabled.

- - Depending on the Cloned Custom Sync Rule's precedence, Azure AD Connect will flow the Mail and Exchange attributes.

- - If the Cloned Custom Sync Rule does not flow some Mail and Exchange attributes, then new Exchange Sync Rule will add those attributes.

- - Clear-ADSyncToolsMsDsConsistencyGuid

- - ConvertFrom-ADSyncToolsAadDistinguishedName

- - ConvertFrom-ADSyncToolsImmutableID

- - ConvertTo-ADSyncToolsAadDistinguishedName

- - ConvertTo-ADSyncToolsCloudAnchor

- - ConvertTo-ADSyncToolsImmutableID

- - Export-ADSyncToolsAadDisconnectors

- - Export-ADSyncToolsObjects

- - Export-ADSyncToolsRunHistory

- - Get-ADSyncToolsAadObject

- - Get-ADSyncToolsMsDsConsistencyGuid

- - Import-ADSyncToolsObjects

- - Import-ADSyncToolsRunHistory

- - Remove-ADSyncToolsAadObject

- - Search-ADSyncToolsADobject

- - Set-ADSyncToolsMsDsConsistencyGuid

- - Trace-ADSyncToolsADImport

- - Trace-ADSyncToolsLdapQuery

- - Set-ADSyncAADCompanyFeature

- - Get-ADSyncAADCompanyFeature

- - Get-ADSyncAADConnectorImportApiVersion - to get import AWS API version

- - Get-ADSyncAADConnectorExportApiVersion - to get export AWS API version

-Learn more about [Integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md).

-## Deployment scenarios

-The following tutorials provide detailed guidance on implementing some of the more common patterns for BIG-IP and Azure AD SHA:

-description: Learn how to implement Secure Hybrid Access (SHA) with Single Sign-on (SSO) to Kerberos applications using F5ΓÇÖs BIG-IP advanced configuration.

-In this tutorial, youΓÇÖll learn how to implement Secure Hybrid Access (SHA) with Single Sign-on (SSO) to Kerberos applications using F5ΓÇÖs BIG-IP advanced configuration.

-Integrating a BIG-IP with Azure AD provides many benefits, including:

-* Improved zero-trust governance through Azure AD pre-authentication and authorization

-* Full Single Sign-on (SSO) between Azure AD and BIG-IP published services

-* Manage Identities and access from a single control plane - [The Azure portal](https://portal.azure.com/)

-To learn about all of the benefits, see the article on [F5 BIG-IP and Azure AD integration](./f5-aad-integration.md) and [what is application access and single sign-on with Azure AD](/azure/active-directory/active-directory-appssoaccess-whatis).

-For this scenario, you will configure a critical line of business (LOB) application for **Kerberos authentication**, also known as **Integrated Windows Authentication (IWA)**.

-To integrate the application directly with Azure AD, itΓÇÖd need to support some form of federation-based protocol such as Security Assertion Markup Language (SAML), or better. But as modernizing the application introduces risk of potential downtime, there are other options. While using Kerberos Constrained Delegation (KCD) for SSO, you can use [Azure AD Application Proxy](../app-proxy/application-proxy.md) to access the application remotely.

-In this arrangement, you can achieve the protocol transitioning required to bridge the legacy application to the modern identity control plane. Another approach is to use an F5 BIG-IP Application Delivery Controller (ADC). This enables overlay of the application with Azure AD pre-authentication and KCD SSO, and significantly improves the overall Zero Trust posture of the application.

-The secure hybrid access solution for this scenario is made up of the following:

-**Application:** The backend Kerberos-based service that gets externally published by the BIG-IP and is protected by SHA.

-**BIG-IP:** Reverse proxy functionality enables publishing backend applications. The APM then overlays published applications with SAML Service Provider (SP) and SSO functionality.

-**Azure AD:** Identity Provider (IdP) responsible for verifying user credentials, Conditional Access (CA), and SSO to the BIG-IP APM through SAML.

-**KDC:** Key Distribution Center role on a Domain Controller (DC), issuing Kerberos tickets.

-The following image illustrates the SAML SP initiated flow for this scenario, but IdP initiated flow is also supported.

-

-| Steps| Description |

-| 1| User connects to application endpoint (BIG-IP) |

-| 2| BIG-IP access policy redirects user to Azure AD (SAML IdP) |

-| 3| Azure AD pre-authenticates user and applies any enforced CA policies |

-| 4| User is redirected to BIG-IP (SAML SP) and SSO is performed using issued SAML token |

-| 5| BIG-IP authenticates user and requests Kerberos ticket from KDC |

-| 6| BIG-IP sends request to backend application, along with Kerberos ticket for SSO |

-| 7| Application authorizes request and returns payload |

-Prior BIG-IP experience isnΓÇÖt necessary, but you will need:

-* An Azure AD free subscription or above

-* An existing BIG-IP or [deploy a BIG-IP Virtual Edition (VE) in Azure](../manage-apps/f5-bigip-deployment-guide.md)

-* Any of the following F5 BIG-IP license offers

- * F5 BIG-IP® Best bundle

- * F5 BIG-IP APM add-on license on an existing BIG-IP F5 BIG-IP® Local Traffic Manager™ (LTM)

- * 90-day BIG-IP full feature [trial license](https://www.f5.com/trial/big-ip-trial.php).

-* User identities [synchronized](../hybrid/how-to-connect-sync-whatis.md) from an on-premises directory to Azure AD or created directly within Azure AD and flowed back to your on-premises directory

-* An account with Azure AD Application admin [permissions](../users-groups-roles/directory-assign-admin-roles.md)

-* Web server [certificate](../manage-apps/f5-bigip-deployment-guide.md) for publishing services over HTTPS or use default BIG-IP certs while testing

-* An existing Kerberos application or [setup an IIS (Internet Information Services) app](https://active-directory-wp.com/docs/Networking/Single_Sign_On/SSO_with_IIS_on_Windows.html) for KCD SSO

-There are many methods to configure BIG-IP for this scenario, including two template-based options and an advanced configuration. This tutorial covers the advanced approach that provides a more flexible way of implementing SHA by manually creating all BIG-IP configuration objects. You would also use this approach for scenarios not covered by the guided configuration templates.

-> All example strings or values referenced throughout this guide should be replaced with those for your actual environment.

-Before a BIG-IP can hand off pre-authentication to Azure AD, it must be registered in your tenant. This is the first step in establishing SSO between both entities and is no different to making any IDP aware of a SAML Relying Party (RP). In this case, the app you create from the F5 BIG-IP gallery template is the RP representing the SAML SP for the BIG-IP published application.

-1. Sign-in to the [Azure AD portal](https://portal.azure.com) using an account with Application Admin rights.

-2. From the left navigation pane, select the **Azure Active Directory** service

-3. In the left menu, select **Enterprise applications.** The **All applications** pane opens and displays a list of the applications in your Azure AD tenant.

-4. In the **Enterprise applications** pane, select **New application**.

-5. The **Browse Azure AD Gallery** pane opens and displays tiles for cloud platforms, on-premises applications, and featured applications. Applications listed in the **Featured applications** section have icons indicating whether they support federated single sign-on (SSO) and provisioning. Search for **F5** in the Azure gallery and select **F5 BIG-IP APM Azure AD integration**

-## Enable SSO to the F5 BIG-IP

-Next, configure the BIG-IP registration to fulfill SAML tokens requested by the BIG-IP APM.

-2. On the **Select a single sign-on method** page, select **SAML** followed by **No, IΓÇÖll save later** to skip the prompt.

- 1. Replace the pre-defined **Identifier** with the full URL for the BIG-IP published application

- 2. Replace the **Reply URL** but retain the path for the applicationΓÇÖs SAML SP endpoint.

- In this configuration, the SAML flow would operate in IdP initiated mode, where Azure AD issues a SAML assertion before the user is redirected to the BIG-IP endpoint for the application.

- 3. To use SP initiated mode, populate the **Sign on URL** with the application URL.

- 4. For the **Logout URI**, enter the BIG-IP APM single logout (SLO) endpoint pre-pended by the host header of the service being published. It ensures the userΓÇÖs BIG-IP APM session is also terminated after being signed out of Azure AD.

- 

- > From TMOS v16 the SAML SLO endpoint has changed to **/saml/sp/profile/redirect/slo**

-4. Select **Save** before exiting the SAML configuration pane and skip the SSO test prompt.

-5. Note the properties of the **User Attributes & Claims** section, as these are what Azure AD will issue users for BIG-IP APM authentication and SSO to the backend application.

-6. In the **SAML Signing Certificate** pane, select the **Download** button to save the **Federation Metadata XML** file to your computer.

- 

-SAML signing certificates created by Azure AD have a lifespan of 3 years. For more information, see [Managed certificates for federated single sign-on](./manage-certificates-for-federated-single-sign-on.md).

-By default, Azure AD will issue tokens only for users that have been granted access to an application. To provide specific users and groups access to the application:

-1. In the **F5 BIG-IP applicationΓÇÖs overview** blade, select **Assign Users and groups**

- 

-2. Select **+ Add user/group** to add the groups authorized to access the internal application followed by **Select > Assign** to assign the users/ groups to your application

-## Active Directory KCD configurations

-For the BIG-IP APM to perform SSO to the backend application on behalf of users, KCD must be configured in the target AD domain. Delegating authentication also requires that the BIG-IP APM be provisioned with a domain service account.

-For our scenario, the application is hosted on server **APP-VM-01** and is running in the context of a service account named **web_svc_account**, not the computerΓÇÖs identity. The delegating service account assigned to the APM will be called **F5-BIG-IP**.

-As the BIG-IP doesnΓÇÖt support group managed service accounts (gMSA), create a standard user account to use as the APM service account:

-1. Replace the **UserPrincipalName** and **SamAccountName** values with those for your environment in these PowerShell commands:

- ```New-ADUser -Name "F5 BIG-IP Delegation Account" UserPrincipalName host/f5-big-ip.contoso.com@contoso.com SamAccountName "f5-big-ip" -PasswordNeverExpires $true Enabled $true -AccountPassword (Read-Host -AsSecureString "Account Password") ```

-2. Create a **Service Principal Name (SPN)** for the APM service account to use when performing delegation to the web applicationΓÇÖs service account.

- ```Set-AdUser -Identity f5-big-ip -ServicePrincipalNames @Add="host/f5-big-ip.contoso.com"} ```

-3. Ensure the SPN now shows against the APM service account.

- ```Get-ADUser -identity f5-big-ip -properties ServicePrincipalNames | Select-Object -ExpandProperty ServicePrincipalNames ```

- 4. Before specifying the target SPN that the APM service account should delegate to for the web application, you need to view its existing SPN config. Check whether your web application is running in the computer context or a dedicated service account. Next, query that account object in AD to see its defined SPNs. Replace <name_of_account> with the account for your environment.

- ```Get-ADUser -identity <name_of _account> -properties ServicePrincipalNames | Select-Object -ExpandProperty ServicePrincipalNames ```

-5. You can use any SPN you see defined against a web applicationΓÇÖs service account, but in the interest of security itΓÇÖs best to use a dedicated SPN matching the host header of the application. For example, as our web application host header is myexpenses.contoso.com we would add HTTP/myexpenses.contoso.com to the application's service account object in AD.

- ```Set-AdUser -Identity web_svc_account -ServicePrincipalNames @{Add="http/myexpenses.contoso.com"} ```

- Or if the app ran in the machine context, we would add the SPN to the object of the computer account in AD.

-With the SPNs defined, the APM service account now needs trusting to delegate to that service. The configuration will vary depending on the topology of your BIG-IP and application server.

-### Configure BIG-IP and target application in same domain

-1. Set trust for the APM service account to delegate authentication

- ```Get-ADUser -Identity f5-big-ip | Set-ADAccountControl -TrustedToAuthForDelegation $true ```

-2. The APM service account then needs to know which target SPN itΓÇÖs trusted to delegate to, Or in other words which service is it allowed to request a Kerberos ticket for. Set target SPN to the service account running your web application.

- ```Set-ADUser -Identity f5-big-ip -Add @{'msDS-AllowedToDelegateTo'=@('HTTP/myexpenses.contoso.com')} ```

-If preferred, you can also complete these tasks through the Active Directory Users and Computers Microsoft Management Console (MMC) on a domain controller.

-### BIG-IP and application in different domains

-Starting with Windows Server 2012, cross domain KCD uses Resource-based constrained delegation (RCD). The constraints for a service have been transferred from the domain administrator to the service administrator. This allows the back-end service administrator to allow or deny SSO. This also introduces a different approach at configuration delegation, which is only possible using either PowerShell or ADSIEdit.

-The PrincipalsAllowedToDelegateToAccount property of the applications service account (computer or dedicated service account) can be used to grant delegation from the BIG-IP. For this scenario, use the following PowerShell command on a Domain Controller DC (2012 R2+) within the same domain as the application.

-If the **web_svc_account** service runs in context of a user account:

-If the **web_svc_account** service runs in context of a computer account:

-## BIG-IP advanced configuration

-Now we can proceed with setting up the BIG-IP configurations.

-### Configure SAML Service Provider settings

-These settings define the SAML SP properties that the APM will use for overlaying the legacy application with SAML pre-authentication.

-1. From a browser, sign-in to the F5 BIG-IP management console

-2. Select **Access > Federation > SAML Service Provider > Local SP Services > Create**

- 

-3. Provide a **Name** and the **Entity ID** saved when you configured SSO for Azure AD earlier.

- 

-4. You need not specify **SP Name Settings** if the SAML entity ID is an exact match with the URL for the published application. For example, if the entity ID were urn:myexpenses:contosoonline then you would need to provide the **Scheme** and **Host** as https myexpenses.contoso.com. Whereas if the entity ID was `https://myexpenses.contoso.com` then not.

-### Configure external IdP connector

-A SAML IdP connector defines the settings required for the BIG-IP APM to trust Azure AD as its SAML IdP. These settings will map the SAML SP to a SAML IdP, establishing the federation trust between the APM and Azure AD.

-1. Scroll down to select the new SAML SP object and select **Bind/Unbind IdP Connectors**

- 

-2. Select **Create New IdP Connector**, choose **From Metadata**

- 

-3. Browse to the federation metadata XML file you downloaded earlier and provide an **Identity Provider Name** for the APM object thatΓÇÖll represent the external SAML IdP. For example, MyExpenses_AzureAD

- 

-4. Select **Add New Row** to choose the new **SAML IdP Connector**, and then select **Update**

- 

-5. Select **OK** to save the settings

-In this section, you create an APM SSO object for performing KCD SSO to backend applications. You will need the APM delegation account created earlier to complete this step.

-Select **Access > Single Sign-on > Kerberos > Create** and provide the following:

-* **Name:** You can use a descriptive name. Once created, the Kerberos SSO APM object can be used by other published applications as well. For example, *Contoso_KCD_sso* can be used for multiple published applications for the entire Contoso domain, whereas *MyExpenses_KCD_sso* can be used for a single application only.

-* **Username Source:** Specifies the preferred source of user ID. You can specify any APM session variable as the source, but *session.saml.last.identity* is typically best as it contains the logged in user ID derived from the Azure AD claim.

-* **User Realm Source:** Required in scenarios where the user domain is different to the Kerberos realm that will be used for KCD. If users were in a separate trusted domain, then you make the APM aware by specifying the APM session variable containing the logged-in user domain. For example, session.saml.last.attr.name.domain. You would also do this in scenarios where UPN of users is based on an alternative suffix.

-* **Kerberos Realm:** Enter users domain suffix in uppercase

-* **KDC:** IP of a Domain Controller (Or FQDN if DNS is configured and efficient)

-* **UPN Support:** Enable if specified source of username is in UPN format, such as if using session.saml.last.identity variable

-* **Account Name and Account Password:** APM service account credentials to perform KCD

-* **SPN Pattern:** If you use HTTP/%h, APM then uses the host header of the client request to build the SPN that itΓÇÖs requesting a Kerberos token for

-* **Send Authorization:** Disable for applications that prefer negotiating authentication, instead of receiving the Kerberos token in the first request. For example, *Tomcat*.

- 

-You can leave *KDC* undefined if the user realm is different to the backend server realm. This applies for multi-domain realm scenarios as well. When left blank, BIG-IP will attempt to discover a Kerberos realm through a DNS lookup of SRV records for the backend serverΓÇÖs domain, so it expects the domain name to be the same as the realm name. If the domain name is different from the realm name, it must be specified in the [/etc/krb5.conf](https://support.f5.com/csp/article/K17976428) file.

-Kerberos SSO processing is fastest when a KDC is specified by IP, slower when specified by host name, and due to additional DNS queries, even slower when left undefined. For this reason, you should ensure your DNS is performing optimally before moving a proofs of concept (POC) into production. Note that if backend servers are in multiple realms, you must create a separate SSO configuration object for each realm.

-You can inject headers as part of the SSO request to the backend application. Simply change **General Properties** setting from **Basic** to **Advanced**.

-For more information on configuring an APM for KCD SSO, refer to the F5 article on [Overview of Kerberos constrained delegation](https://support.f5.com/csp/article/K17976428).

-### Configure Access Profile

-An *Access Profile* binds many APM elements managing access to BIG-IP virtual servers, including access policies, SSO configuration, and UI settings.

-1. Select **Access > Profiles / Policies > Access Profiles (Per-Session Policies) > Create** and provide these general properties:

- * **Name:** For example, MyExpenses

- * **Profile Type:** All

- * **SSO Configuration:** The KCD SSO configuration object you just created

- * **Accepted Language:** Add at least one language

- 

-2. Select **Edit** for the per-session profile you just created

- 

-3. Once the Visual Policy Editor (VPE) has launched, select the **+** sign next to the fallback

- 

-4. In the pop-up select **Authentication > SAML Auth > Add Item**

- 

-5. In the **SAML authentication SP** configuration, set the **AAA Server** option to use the SAML SP object you created earlier

- 

-6. Select the link in the upper **Deny** box to change the **Successful** branch to **Allow**

- 

-### Configure Attribute Mappings

-Although optional, adding a *LogonID_Mapping configuration* enables the BIG-IP active sessions list to display the UPN of the logged-in user instead of a session number. This is useful when you analyze logs, or while troubleshooting.

-1. Click the **+** symbol for the SAML Auth Successful branch

-2. In the pop-up select **Assignment > Variable Assign > Add Item**

- 

-4. In the **Variable Assign** pane, select **Add new entry > change.** For example, *LogonID_Mapping*

- 

-5. Set both variables.

- * **Custom Variable:** session.logon.last.username

- * **Session Variable:** session.saml.last.identity

-6. Select **Finished > Save:**

-7. Select the **Deny** terminal of the Access PolicyΓÇÖs **Successful** branch and change it to **Allow,** followed by **Save**

-8. Commit those settings by selecting **Apply Access Policy** and close the visual policy editor

- 

-### Configure Backend Pool

-For the BIG-IP to know where to forward client traffic, you need to create a BIG-IP node object representing the backend server hosting your application, and place that node in a BIG-IP server pool.

-1. Select **Local Traffic > Pools > Pool List > Create** and provide a name for a server pool object. For example *MyApps_VMs*

- 

- * **Node Name:** Optional display name for the server hosting the backend web application

- * **Address:** IP address of the server hosting the application

- * **Service Port:** The HTTP/S port the application is listening on

- 

-> The Health Monitors require [additional configuration](https://support.f5.com/csp/article/K13397) that is not covered in this tutorial.

-### Configure Virtual Server

-A *Virtual Server* is a BIG-IP data plane object represented by a virtual IP address listening for client requests to the application. Any received traffic is processed and evaluated against the APM access profile associated with the virtual server, before being directed according to the policy results and settings. To configure a Virtual Server:

-1. Select **Local Traffic > Virtual Servers > Virtual Server List > Create**

-2. Provide the virtual server with a **Name** and IP IPv4/IPv6 that isnΓÇÖt already allocated to an existing BIG-IP object or device on the connected network. The IP will be dedicated to receiving client traffic for the published backend application. Then set the **Service Port** to **443**

- 

-3. Set the HTTP Profile: to **http**

-4. Enable a virtual server for Transport Layer Security (TLS), allowing services to be published over HTTPS. Select the **client SSL profile** you created as part of the prerequisites or leave the default if testing

- 

-5. Change the **Source Address Translation** to **Auto Map**

- 

-6. Under **Access Policy**, set the **Access Profile** created earlier. This binds the Azure AD SAML pre-authentication profile & KCD SSO policy to the virtual server.

- 

-7. Finally, set the **Default Pool** to use the backend pool objects created in the previous section, then select **Finished**.

- 

-### Configure Session Management settings

-BIG-IP's session management settings define the conditions under which user sessions are terminated or allowed to continue, limits for users and IP addresses, and error pages. You can create your own policy here. Navigate to **Access Policy > Access Profiles > Access Profile** and select your application from the list.

-If you have defined a **Single Log-out URI** in Azure AD, itΓÇÖll ensure an IdP initiated sign-out from the MyApps portal also terminates the session between the client and the BIG-IP APM. The imported applicationΓÇÖs federation metadata.xml provides the APM with the Azure AD SAML log-out endpoint for SP initiated sign-outs. But for this to be truly effective, the APM needs to know exactly when a user signs-out.

-Consider a scenario where a BIG-IP web portal is not used. The user has no way of instructing the APM to sign-out. Even if the user signs-out of the application itself, the BIG-IP is technically oblivious to this, so the application session could easily be re-instated through SSO. For this reason, SP initiated sign-out needs careful consideration to ensure sessions are securely terminated when no longer required.

-One way to achieve this will be by adding an SLO function to your applications sign-out button. It can redirect your client to the Azure AD SAML sign-out endpoint. You can find this SAML sign-out endpoint at **App Registrations > Endpoints.**

-If unable to change the app, consider having the BIG-IP listen for the app's sign-out call, and upon detecting the request, it should trigger SLO.

-For more details, see this F5 article on [Configuring automatic session termination (logout) based on a URI-referenced file name](https://support.f5.com/csp/article/K42052145) and [Overview of the Logout URI Include option](https://support.f5.com/csp/article/K12056).

-Your application should now be published and accessible via SHA, either directly via its URL or through MicrosoftΓÇÖs application portals. The application should also be visible as a target resource in [Azure AD Conditional Access](../conditional-access/concept-conditional-access-policies.md).

-For increased security, organizations using this pattern could also consider blocking all direct access to the application, forcing a strict path through the BIG-IP.

-As a user, launch a browser and connect to the applicationΓÇÖs external URL. You can also select the applicationΓÇÖs icon from the [Microsoft MyApps portal](https://myapps.microsoft.com/). Once you authenticate against your Azure AD tenant, you will be redirected to the BIG-IP endpoint for the application and automatically signed in via SSO.

- 

-SHA also supports [Azure AD B2B guest access](../external-identities/hybrid-cloud-to-on-premises.md). Guest identities are synchronized from your Azure AD tenant to your target Kerberos domain. It is necessary to have a local representation of guest objects for BIG-IP to perform KCD SSO to the backend application.

-## Troubleshooting

-There can be many reasons for failure to access a SHA protected application, including a misconfiguration. Consider the following points while troubleshooting any issue.

-* Kerberos is time sensitive, so requires that servers and clients be set to the correct time and where possible synchronized to a reliable time source

-* Ensure the hostnames for the domain controller and web application are resolvable in DNS

-* Ensure there are no duplicate SPNs in your environment by executing the following query at the command line: setspn -q HTTP/my_target_SPN

-> You can refer to our [App Proxy guidance to validate an IIS application ](../app-proxy/application-proxy-back-end-kerberos-constrained-delegation-how-to.md)is configured appropriately for KCD. F5ΓÇÖs article on [how the APM handles Kerberos SSO](https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-access-policy-manager-single-sign-on-concepts-configuration/kerberos-single-sign-on-method.html) is also a valuable resource.

-### Authentication and SSO issues

-1. Navigate to **Access Policy > Overview > Event Logs > Settings**

-2. Select the row for your published application, then **Edit > Access System Logs**

-3. Select **Debug** from the SSO list, and then select OK. Reproduce your issue before looking at the logs but remember to switch this back when finished.

-If you see a BIG-IP branded error immediately after successful Azure AD pre-authentication, itΓÇÖs possible the issue relates to SSO from Azure AD to the BIG-IP.

-1. Navigate to **Access > Overview > Access reports**

-2. Run the report for the last hour to see logs provide any clues. The **View session variables** link for your session will also help understand if the APM is receiving the expected claims from Azure AD.

-If you donΓÇÖt see a BIG-IP error page, then the issue is probably more related to the backend request or SSO from the BIG-IP to the application.

-1. Navigate to **Access Policy > Overview > Active Sessions**

-2. Select the link for your active session. The **View Variables** link in this location may also help determine root cause KCD issues, particularly if the BIG-IP APM fails to obtain the right user and domain identifiers.

-F5 provides a great BIG-IP specific paper to help diagnose KCD related issues, see the deployment guide on [Configuring Kerberos Constrained Delegation](https://www.f5.com/pdf/deployment-guides/kerberos-constrained-delegation-dg.pdf).

-* [BIG-IP Advanced configuration](https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-0/2.html)

-* [The end of passwords, go password-less](https://www.microsoft.com/security/business/identity/passwordless)

-* [Microsoft Zero Trust framework to enable remote work](https://www.microsoft.com/security/blog/2020/04/02/announcing-microsoft-zero-trust-assessment-tool/)

-This article lists the Azure AD built-in roles you can assign to allow management of Azure AD resources. For information about how to assign roles, see [Assign Azure AD roles to users](manage-roles-portal.md).

- * Leaving the **Authentication** field with **System-assinged managed identity**, or

-Each node in an AKS cluster contains a fixed amount of compute resources such as vCPU and memory. If an AKS node contains insufficient compute resources, pods might fail to run correctly. To ensure the required *kube-system* pods and your applications can be reliably scheduled, AKS requires nodes use VM sizes with > 2 CPUs.

-Before you select a service mesh, ensure that you understand your requirements and the reasons for installing a service mesh. Ask the following questions.

-* Replace `APPLICATION-OBJECT-ID` with the **objectId (generated while creating app)** for your Active Directory application.

-* Set a value for `CREDENTIAL-NAME` to reference later.

-* Set the `subject`. The value of this is defined by GitHub depending on your workflow:

- * Jobs in your GitHub Actions environment: `repo:< Organization/Repository >:environment:< Name >`

- * For Jobs not tied to an environment, include the ref path for branch/tag based on the ref path used for triggering the workflow: `repo:< Organization/Repository >:ref:< ref path>`. For example, `repo:n-username/ node_express:ref:refs/heads/my-branch` or `repo:n-username/ node_express:ref:refs/tags/my-tag`.

- * For workflows triggered by a pull request event: `repo:< Organization/Repository >:pull_request`.

-```azurecli

-az rest --method POST --uri 'https://graph.microsoft.com/beta/applications/<APPLICATION-OBJECT-ID>/federatedIdentityCredentials' --body '{"name":"<CREDENTIAL-NAME>","issuer":"https://token.actions.githubusercontent.com","subject":"repo:organization/repository:ref:refs/heads/main","description":"Testing","audiences":["api://AzureADTokenExchange"]}'

-```

-To learn how to create a Create an active directory application, service principal, and federated credentials in Azure portal, see [Connect GitHub and Azure](/azure/developer/github/connect-from-azure#use-the-azure-login-action-with-openid-connect).

-* Replace `APPLICATION-OBJECT-ID` with the **objectId (generated while creating app)** for your Active Directory application.

-* Set a value for `CREDENTIAL-NAME` to reference later.

-* Set the `subject`. The value of this is defined by GitHub depending on your workflow:

- * Jobs in your GitHub Actions environment: `repo:< Organization/Repository >:environment:< Name >`

- * For Jobs not tied to an environment, include the ref path for branch/tag based on the ref path used for triggering the workflow: `repo:< Organization/Repository >:ref:< ref path>`. For example, `repo:n-username/ node_express:ref:refs/heads/my-branch` or `repo:n-username/ node_express:ref:refs/tags/my-tag`.

- * For workflows triggered by a pull request event: `repo:< Organization/Repository >:pull_request`.

-```azurecli

-az rest --method POST --uri 'https://graph.microsoft.com/beta/applications/<APPLICATION-OBJECT-ID>/federatedIdentityCredentials' --body '{"name":"<CREDENTIAL-NAME>","issuer":"https://token.actions.githubusercontent.com","subject":"repo:organization/repository:ref:refs/heads/main","description":"Testing","audiences":["api://AzureADTokenExchange"]}'

-```

-> [!NOTE]

-> This article is about the App Service Environment v3 which is used with Isolated v2 App Service plans

->

-The [App Service Environment (ASE)][Intro] is a single tenant deployment of the App Service that injects into your Azure Virtual Network (VNet). A deployment of an ASE will require use of one subnet. This subnet can't be used for anything else other than the ASE.

-## Before you create your ASE

-After your ASE is created, you can't change:

-The subnet needs to be large enough to hold the maximum size that you'll scale your ASE. Pick a large enough subnet to support your maximum scale needs since it can't be changed after creation. The recommended size is a /24 with 256 addresses.

-There are two important things that need to be thought out before you deploy your ASE.

-There are two different VIP types, internal and external. With an internal VIP, your apps will be reached on the ASE at an address in your ASE subnet and your apps are not on public DNS. During creation in the portal, there is an option to create an Azure private DNS zone for your ASE. With an external VIP, your apps will be on a public internet facing address and your apps are in public DNS.

-There are three different deployment types;

-The single zone ASE is available in all regions where ASEv3 is available. When you have a single zone ASE, you have a minimum App Service plan instance charge of one instance of Windows Isolated v2. As soon as you have one or more instances, then that charge goes away. It is not an additive charge.

-In a zone redundant ASE, your apps spread across three zones in the same region. The zone redundant ASE is available in a subset of ASE capable regions primarily limited by the regions that support availability zones. When you have zone redundant ASE, the smallest size for your App Service plan is three instances. That ensures that there is an instance in each availability zone. App Service plans can be scaled up one or more instances at a time. Scaling does not need to be in units of three, but the app is only balanced across all availability zones when the total instances are multiples of three. A zone redundant ASE has triple the infrastructure and is made with zone redundant components so that if even two of the three zones go down for whatever reason, your workloads remain available. Due to the increased system need, the minimum charge for a zone redundant ASE is nine instances. If you have less than nine total App Service plan instances in your ASEv3, the difference will be charged as Windows I1v2. If you have nine or more instances, there is no added charge to have a zone redundant ASE. To learn more about zone redundancy, read [Regions and Availability zones](./overview-zone-redundancy.md).

-In a host group deployment, your apps are deployed onto a dedicated host group. The dedicated host group is not zone redundant. Dedicated host group deployment enables your ASE to be deployed on dedicated hardware. There is no minimum instance charge for use of an ASE on a dedicated host group, but you do have to pay for the host group when provisioning the ASE. On top of that you pay a discounted App Service plan rate as you create your plans and scale out. There are a finite number of cores available with a dedicated host deployment that are used by both the App Service plans and the infrastructure roles. Dedicated host deployments of the ASE can't reach the 200 total instance count normally available in an ASE. The number of total instances possible is related to the total number of App Service plan instances plus the load based number of infrastructure roles.

-## Creating an ASE in the portal

-1. To create an ASE, search the marketplace for **App Service Environment v3**.

-2. Basics: Select the Subscription, select or create the Resource Group, and enter the name of your ASE. Select the type of Virtual IP type. If you select Internal, your inbound ASE address will be an address in your ASE subnet. If you select External, your inbound ASE address will be a public internet facing address. The ASE name will be also used for the domain suffix of your ASE. If your ASE name is *contoso* and you have an Internal VIP ASE, then the domain suffix will be *contoso.appserviceenvironment.net*. If your ASE name is *contoso* and you have an external VIP, the domain suffix will be *contoso.p.azurewebsites.net*.

- 

-3. Hosting: Select *Enabled* or *Disabled* for Host Group deployment. Host Group deployment is used to select dedicated hardware deployment. If you select Enabled, your ASE will be deployed onto dedicated hardware. When you deploy onto dedicated hardware, you are charged for the entire dedicated host during ASE creation and then a reduced price for your App Service plan instances.

- 

-4. Networking: Select or create your Virtual Network, select or create your subnet. If you are creating an internal VIP ASE, you can configure Azure DNS private zones to point your domain suffix to your ASE. Details on how to manually configure DNS are in the DNS section under [Using an App Service Environment][UsingASE].

- 

-5. Review and Create: Check that your configuration is correct and select create. Your ASE can take up to nearly two hours to create.

-After your ASE creation completes, you can select it as a location when creating your apps. To learn more about creating apps in your new ASE or managing your ASE, read [Using an App Service Environment][UsingASE]

-## Dedicated hosts

-The ASE is normally deployed on VMs that are provisioned on a multi-tenant hypervisor. If you need to deploy on dedicated systems, including the hardware, you can provision your ASE onto dedicated hosts. Dedicated hosts come in a pair to ensure redundancy. Dedicated host-based ASE deployments are priced differently than normal. There is a charge for the dedicated host and then another charge for each App Service plan instance. Deployments on host groups are not zone redundant. To deploy onto dedicated hosts, select **enable** for host group deployment on the Hosting tab.

-description: Learn about the ASE network traffic and how to set network security groups and user defined routes with your ASE.

-# Networking considerations for an App Service Environment v2

-> [!NOTE]

-> This article is about the App Service Environment v2 which is used with Isolated App Service plans

->

-## Overview

- Azure [App Service Environment][Intro] is a deployment of Azure App Service into a subnet in your Azure virtual network. There are two deployment types for an App Service environment (ASE):

-All ASEs, External, and ILB, have a public VIP that is used for inbound management traffic and as the from address when making calls from the ASE to the internet. The calls from an ASE that go to the internet leave the virtual network through the VIP assigned for the ASE. The public IP of this VIP is the source IP for all calls from the ASE that go to the internet. If the apps in your ASE make calls to resources in your virtual network or across a VPN, the source IP is one of the IPs in the subnet used by your ASE. Because the ASE is within the virtual network, it can also access resources within the virtual network without any additional configuration. If the virtual network is connected to your on-premises network, apps in your ASE also have access to resources there without additional configuration.

-![External ASE][1] 

-If you have an External ASE, the public VIP is also the endpoint that your ASE apps resolve to for:

-![ILB ASE][2]

-If you have an ILB ASE, the address of the ILB address is the endpoint for HTTP/S, FTP/S, web deployment, and remote debugging.

-## ASE subnet size

-The size of the subnet used to host an ASE cannot be altered after the ASE is deployed. The ASE uses an address for each infrastructure role as well as for each Isolated App Service plan instance. Additionally, there are five addresses used by Azure Networking for every subnet that is created. An ASE with no App Service plans at all will use 12 addresses before you create an app. If it is an ILB ASE, then it will use 13 addresses before you create an app in that ASE. As you scale out your ASE, infrastructure roles are added every multiple of 15 and 20 of your App Service plan instances.

- > [!NOTE]

- > Nothing else can be in the subnet but the ASE. Be sure to choose an address space that allows for future growth. You can't change this setting later. We recommend a size of `/24` with 256 addresses.

-When you scale up or down, new roles of the appropriate size are added and then your workloads are migrated from the current size to the target size. The original VMs are removed only after the workloads have been migrated. If you had an ASE with 100 ASP instances, there would be a period where you need double the number of VMs. It is for this reason that we recommend the use of a '/24' to accommodate any changes you might require.

-## ASE dependencies

-### ASE inbound dependencies

-Just for the ASE to operate, the ASE requires the following ports to be open:

-| Management | App Service management addresses | ASE subnet: 454, 455 |

-| ASE internal communication | ASE subnet: All ports | ASE subnet: All ports

-| Allow Azure load balancer inbound | Azure load balancer | ASE subnet: 16001

-There are 2 other ports that can show as open on a port scan, 7654 and 1221. They reply with an IP address and nothing more. They can be blocked if desired.

-The inbound management traffic provides command and control of the ASE in addition to system monitoring. The source addresses for this traffic are listed in the [ASE Management addresses][ASEManagement] document. The network security configuration needs to allow access from the ASE management addresses on ports 454 and 455. If you block access from those addresses, your ASE will become unhealthy and then become suspended. The TCP traffic that comes in on ports 454 and 455 must go back out from the same VIP or you will have an asymmetric routing problem.

-Within the ASE subnet, there are many ports used for internal component communication and they can change. This requires all of the ports in the ASE subnet to be accessible from the ASE subnet.

-For the communication between the Azure load balancer and the ASE subnet the minimum ports that need to be open are 454, 455 and 16001. The 16001 port is used for keep alive traffic between the load balancer and the ASE. If you are using an ILB ASE, then you can lock traffic down to just the 454, 455, 16001 ports. If you are using an External ASE, then you need to take into account the normal app access ports.

-The other ports you need to concern yourself with are the application ports:

-| Web Deploy service | 8172 |

-If you block the application ports, your ASE can still function but your app might not. If you are using app assigned IP addresses with an External ASE, you will need to allow traffic from the IPs assigned to your apps to the ASE subnet on the ports shown in the ASE portal > IP Addresses page.

-### ASE outbound dependencies

-For outbound access, an ASE depends on multiple external systems. Many of those system dependencies are defined with DNS names and don't map to a fixed set of IP addresses. Thus, the ASE requires outbound access from the ASE subnet to all external IPs across a variety of ports.

-The ASE communicates out to internet accessible addresses on the following ports:

-The outbound dependencies are listed in the document that describes [Locking down App Service Environment outbound traffic](./firewall-integration.md). If the ASE loses access to its dependencies, it stops working. When that happens long enough, the ASE is suspended.

-### Customer DNS ###

-If the virtual network is configured with a customer-defined DNS server, the tenant workloads use it. The ASE uses Azure DNS for management purposes. If the virtual network is configured with a customer-selected DNS server, the DNS server must be reachable from the subnet that contains the ASE.

- > [!NOTE]

- > Storage mounts or container images pulls in ASEv2 will not be able to use customer DNS defined in the virtual network or through the `WEBSITE_DNS_SERVER` app setting.

-To test DNS resolution from your web app, you can use the console command *nameresolver*. Go to the debug window in your scm site for your app or go to the app in the portal and select console. From the shell prompt you can issue the command *nameresolver* along with the DNS name you wish to look up. The result you get back is the same as what your app would get while making the same lookup. If you use nslookup, you will do a lookup using Azure DNS instead.

-If you change the DNS setting of the virtual network that your ASE is in, you will need to reboot your ASE. To avoid rebooting your ASE, it is highly recommended that you configure your DNS settings for your virtual network before you create your ASE.

-In addition to the ASE functional dependencies, there are a few extra items related to the portal experience. Some of the capabilities in the Azure portal depend on direct access to _SCM site_. For every app in Azure App Service, there are two URLs. The first URL is to access your app. The second URL is to access the SCM site, which is also called the _Kudu console_. Features that use the SCM site include:

-When you use an ILB ASE, the SCM site isn't accessible from outside the virtual network. Some capabilities will not work from the app portal because they require access to the SCM site of an app. You can connect to the SCM site directly instead of using the portal.

-If your ILB ASE is the domain name *contoso.appserviceenvironment.net* and your app name is *testapp*, the app is reached at *testapp.contoso.appserviceenvironment.net*. The SCM site that goes with it is reached at *testapp.scm.contoso.appserviceenvironment.net*.

-## ASE IP addresses ##

-An ASE has a few IP addresses to be aware of. They are:

-All these IP addresses are visible in the Azure portal from the ASE UI. If you have an ILB ASE, the IP for the ILB is listed.

- > [!NOTE]

- > These IP addresses will not change so long as your ASE stays up and running. If your ASE becomes suspended and restored, the addresses used by your ASE will change. The normal cause for an ASE to become suspended is if you block inbound management access or block access to an ASE dependency.

-![IP addresses][3]

-### App-assigned IP addresses ###

-With an External ASE, you can assign IP addresses to individual apps. You can't do that with an ILB ASE. For more information on how to configure your app to have its own IP address, see [Secure a custom DNS name with a TLS/SSL binding in Azure App Service](../configure-ssl-bindings.md).

-When an app has its own IP-based SSL address, the ASE reserves two ports to map to that IP address. One port is for HTTP traffic, and the other port is for HTTPS. Those ports are listed in the ASE UI in the IP addresses section. Traffic must be able to reach those ports from the VIP or the apps are inaccessible. This requirement is important to remember when you configure Network Security Groups (NSGs).

-## Network Security Groups ##

-[Network Security Groups][NSGs] provide the ability to control network access within a virtual network. When you use the portal, there's an implicit deny rule at the lowest priority to deny everything. What you build are your allow rules.

-In an ASE, you don't have access to the VMs used to host the ASE itself. They're in a Microsoft-managed subscription. If you want to restrict access to the apps on the ASE, set NSGs on the ASE subnet. In doing so, pay careful attention to the ASE dependencies. If you block any dependencies, the ASE stops working.

-NSGs can be configured through the Azure portal or via PowerShell. The information here shows the Azure portal. You create and manage NSGs in the portal as a top-level resource under **Networking**.

-The required entries in an NSG, for an ASE to function, are to allow traffic:

-* TCP from the IP service tag AppServiceManagement on ports 454,455

-* from the ASE subnet to the ASE subnet on all ports

-* TCP to the IP service tag `Sql` on ports 1433

-* to the ASE subnet on all ports

-These ports do not include the ports that your apps require for successful use. As an example, your app may need to call a MySQL server on port 3306. Network Time Protocol (NTP) on port 123 is the time synchronization protocol used by the operating system. The NTP endpoints are not specific to App Services, can vary with the operating system, and are not in a well defined list of addresses. To prevent time synchronization issues, you then need to allow UDP traffic to all addresses on port 123. The outbound TCP to port 12000 traffic is for system support and analysis. The endpoints are dynamic and are not in a well defined set of addresses.

-When the inbound and outbound requirements are taken into account, the NSGs should look similar to the NSGs shown in this example.

-![Inbound security rules][4]

-A default rule enables the IPs in the virtual network to talk to the ASE subnet. Another default rule enables the load balancer, also known as the public VIP, to communicate with the ASE. To see the default rules, select **Default rules** next to the **Add** icon. If you put a deny everything else rule before the default rules, you prevent traffic between the VIP and the ASE. To prevent traffic coming from inside the virtual network, add your own rule to allow inbound. Use a source equal to AzureLoadBalancer with a destination of **Any** and a port range of **\***. Because the NSG rule is applied to the ASE subnet, you don't need to be specific in the destination.

-All the items shown in the following outbound rules are needed, except for the last item. They enable network access to the ASE dependencies that were noted earlier in this article. If you block any of them, your ASE stops working. The last item in the list enables your ASE to communicate with other resources in your virtual network.

-![Outbound security rules][5]

-After your NSGs are defined, assign them to the subnet that your ASE is on. If you donΓÇÖt remember the ASE virtual network or subnet, you can see it from the ASE portal page. To assign the NSG to your subnet, go to the subnet UI and select the NSG.

-## Routes ##

-Forced tunneling is when you set routes in your virtual network so the outbound traffic doesn't go directly to the internet but somewhere else like an ExpressRoute gateway or a virtual appliance. If you need to configure your ASE in such a manner, then read the document on [Configuring your App Service Environment with Forced Tunneling][forcedtunnel]. This document will tell you the options available to work with ExpressRoute and forced tunneling.

-When you create an ASE in the portal we also create a set of route tables on the subnet that is created with the ASE. Those routes simply say to send outbound traffic directly to the internet.

-1. Go to the Azure portal. Select **Networking** > **Route Tables**.

-4. Set the **Next hop type** to **Internet** and the **Address prefix** to **0.0.0.0/0**. Select **Save**.

- ![Functional routes][6]

-5. After you create the new route table, go to the subnet that contains your ASE. Select your route table from the list in the portal. After you save the change, you should then see the NSGs and routes noted with your subnet.

- ![NSGs and routes][7]

-## Service Endpoints ##

-Service Endpoints enable you to restrict access to multi-tenant services to a set of Azure virtual networks and subnets. You can read more about Service Endpoints in the [Virtual Network Service Endpoints][serviceendpoints] documentation.

-When you enable Service Endpoints on a resource, there are routes created with higher priority than all other routes. If you use Service Endpoints on any Azure service, with a forced tunneled ASE, the traffic to those services will not be forced tunneled.

-When Service Endpoints is enabled on a subnet with an Azure SQL instance, all Azure SQL instances connected to from that subnet must have Service Endpoints enabled. if you want to access multiple Azure SQL instances from the same subnet, you can't enable Service Endpoints on one Azure SQL instance and not on another. No other Azure service behaves like Azure SQL with respect to Service Endpoints. When you enable Service Endpoints with Azure Storage, you lock access to that resource from your subnet but can still access other Azure Storage accounts even if they do not have Service Endpoints enabled.

-![Service Endpoints][8]

-> [!NOTE]

-> This article is about the App Service Environment v3 which is used with Isolated v2 App Service plans

->

-The App Service Environment (ASE) is a single tenant deployment of the Azure App Service that hosts Windows and Linux containers, web apps, api apps, logic apps, and function apps. When you install an ASE, you pick the Azure Virtual Network that you want it to be deployed in. All of the inbound and outbound application traffic will be inside the virtual network you specify. The ASE is deployed into a single subnet in your virtual network. Nothing else can be deployed into that same subnet.

-The subnet must be delegated to Microsoft.Web/hostingEnvironments and must be empty.

-The size of the subnet can affect the scaling limits of the App Service plan instances within the ASE. We recommend using a `/24` address space (256 addresses) for your subnet to ensure enough addresses to support production scale.

-To use a smaller subnet, you should be aware of the following details of the ASE and network setup.

-Any given subnet has five addresses reserved for management purposes. On top of the management addresses, ASE will dynamically scale the supporting infrastructure and will use between 4 and 27 addresses depending on configuration and load. The remaining addresses can be used for instances in the App Service plan. The minimal size of your subnet is a `/27` address space (32 addresses).

-If you run out of addresses within your subnet, you can be restricted from scaling out your App Service plans in the ASE or you can experience increased latency during intensive traffic load if we are not able scale the supporting infrastructure.

-The ASE has the following network information at creation:

-| Address type | description |

-| ASE virtual network | The virtual network the ASE is deployed into |

-| ASE subnet | The subnet that the ASE is deployed into |

-| Domain suffix | The domain suffix that is used by the apps made in this ASE |

-| Virtual IP | This setting is the VIP type used by the ASE. The two possible values are internal and external |

-| Inbound address | The inbound address is the address your apps on this ASE are reached at. If you have an internal VIP, it is an address in your ASE subnet. If the address is external, it will be a public facing address |

-| Default outbound addresses | The apps in this ASE will use this address, by default, when making outbound calls to the internet. |

-The ASEv3 has details on the addresses used by the ASE in the **IP Addresses** portion of the ASE portal.

-

-As you scale your App Service plans in your ASE, you'll use more addresses out of your ASE subnet. The number of addresses used will vary based on the number of App Service plan instances you have, and how much traffic your ASE is receiving. Apps in the ASE don't have dedicated addresses in the ASE subnet. The specific addresses used by an app in the ASE subnet by an app will change over time.

-For your app to receive traffic, you need to ensure that inbound Network Security Groups (NSGs) rules allow the ASE subnet to receive traffic from the required ports. In addition to any ports you'd like to receive traffic on, you should ensure the AzureLoadBalancer is able to connect to the ASE subnet on port 80. This is used for internal VM health checks. You can still control port 80 traffic from the virtual network to you ASE subnet.

-The general recommendation is to configure the following inbound NSG rule:

-|80,443|VirtualNetwork|ASE subnet range|

-The minimal requirement for ASE to be operational is:

-|80|AzureLoadBalancer|ASE subnet range|

-If you use the minimum required rule you may need one or more rules for your application traffic, and if you are using any of the deployment or debugging options, you will also have to allow this traffic to the ASE subnet. The source of these rules can be VirtualNetwork or one or more specific client IPs or IP ranges. The destination will always be the ASE subnet range.

-The normal app access ports are:

-You can set Route Tables (UDRs) without restriction. You can force tunnel all of the outbound application traffic from your ASE to an egress firewall device, such as the Azure Firewall, and not have to worry about anything other than your application dependencies. You can put WAF devices, such as the Application Gateway, in front of inbound traffic to your ASE to expose specific apps on that ASE. If you'd like to customize the outbound address of your applications on an ASE, you can add a NAT Gateway to your ASE subnet.

-The following sections describe the DNS considerations and configuration inbound to your ASE and outbound from your ASE.

-### DNS configuration to your ASE

-If your ASE is made with an external VIP, your apps are automatically put into public DNS. If your ASE is made with an internal VIP, you may need to configure DNS for it. If you selected having Azure DNS private zones configured automatically during ASE creation, then DNS is configured in your ASE virtual network. If you selected Manually configuring DNS, you need to either use your own DNS server or configure Azure DNS private zones. To find the inbound address of your ASE, go to the **ASE portal > IP Addresses** UI.

-If you want to use your own DNS server, you need to add the following records:

-1. create a zone for `<ASE-name>.appserviceenvironment.net`

-1. create an A record in that zone that points * to the inbound IP address used by your ASE

-1. create an A record in that zone that points @ to the inbound IP address used by your ASE

-1. create a zone in `<ASE-name>.appserviceenvironment.net` named scm

-1. create an A record in the scm zone that points * to the IP address used by your ASE private endpoint

-To configure DNS in Azure DNS Private zones:

-1. create an Azure DNS private zone named `<ASE-name>.appserviceenvironment.net`

-1. create an A record in that zone that points * to the inbound IP address

-1. create an A record in that zone that points @ to the inbound IP address

-1. create an A record in that zone that points *.scm to the inbound IP address

-In addition to the default domain provided when an app is created, you can also add a custom domain to your app. You can set a custom domain name without any validation on your apps in an ILB ASE. If you are using custom domains, you will need to ensure they have DNS records configured. You can follow the guidance above to configure DNS zones and records for a custom domain name by replacing the default domain name with the custom domain name. The custom domain name works for app requests but doesn't for the scm site. The scm site is only available at *&lt;appname&gt;.scm.&lt;asename&gt;.appserviceenvironment.net*.

-### DNS configuration from your ASE

-The apps in your ASE will use the DNS that your virtual network is configured with. If you want some apps to use a different DNS server than what your virtual network is configured with, you can manually set it on a per app basis with the app settings WEBSITE_DNS_SERVER and WEBSITE_DNS_ALT_SERVER. The app setting WEBSITE_DNS_ALT_SERVER configures the secondary DNS server. The secondary DNS server is only used when there is no response from the primary DNS server.

-While the ASE does deploy into a customer virtual network, there are a few networking features that aren't available with ASE:

-* Send SMTP traffic. You can still have email triggered alerts but your app can't send outbound traffic on port 25

-* Use of Network Watcher or NSG Flow to monitor outbound traffic

-# Availability Zone support for App Service Environments

-> This article is about the App Service Environment v3 which is used with Isolated v2 App Service plans

->

-App Service Environment (ASE) can be deployed across [Availability Zones (AZ)](../../availability-zones/az-overview.md). This architecture is also known as zone redundancy. When an ASE is configured to be zone redundant, the platform automatically spreads the App Service plan instances in the ASE across all three zones in the selected region. If a capacity larger than three is specified and the number of instances is divisible by three, the instances will be spread evenly. Otherwise, instance counts beyond 3*N will get spread across the remaining one or two zones.

-You configure zone redundancy when you create your ASE and all App Service plans created in that ASE will be zone redundant. Zone redundancy can only be specified when creating a *new* App Service Environment. Zone redundancy is only supported in a [subset of regions](./overview.md#regions).

-In the case when a zone goes down, the App Service platform will detect lost instances and automatically attempt to find new replacement instances. If you also have autoscale configured, and if it decides more instances are needed, autoscale will also issue a request to App Service to add more instances (autoscale behavior is independent of App Service platform behavior). It's important to note there's no guarantee that requests for instances in a zone-down scenario will succeed since back filling lost instances occur on a best-effort basis. The recommended solution is to scale your App Service plans to account for losing a zone.

-Applications deployed in a zone redundant ASE will continue to run and serve traffic even if other zones in the same region suffer an outage. However it's possible that non-runtime behaviors including App Service plan scaling, application creation, application configuration, and application publishing may still be impacted from an outage in other Availability Zones. Zone redundancy for App Service Environment only ensures continued uptime for deployed applications.

-When the App Service platform allocates instances to a zone redundant App Service plan in an ASE, it uses [best effort zone balancing offered by the underlying Azure Virtual Machine Scale Sets](../../virtual-machine-scale-sets/virtual-machine-scale-sets-use-availability-zones.md#zone-balancing). An App Service plan will be "balanced" if each zone has either the same number of instances, or +/- 1 instance in all of the other zones used by the App Service plan.

- There is a minimum charge of nine App Service plan instances in a zone redundant ASE. There is no added charge for availability zone support if you have nine or more App Service plan instances. If you have less than nine instances (of any size) across App Service plans in the zone redundant ASE, the difference between nine and the running instance count is charged as additional Windows I1v2 instances.

-* Read more about [Availability Zones](../../availability-zones/az-overview.md)

-# Use an App Service Environment

-# Using an App Service Environment

-> This article is about the App Service Environment v3 which is used with Isolated v2 App Service plans

->

-The App Service Environment (ASE) is a single tenant deployment of the Azure App Service that injects directly into an Azure Virtual Network (VNet) of your choosing. It's a system that is only used by one customer. Apps deployed into the ASE are subject to the networking features that are applied to the ASE subnet. There aren't any additional features that need to be enabled on your apps to be subject to those networking features.

-## Create an app in an ASE

-To create an app in an ASE, you use the same process as when you normally create an app, but with a few small differences. When you create a new App Service plan:

-If you don't have an ASE, you can create one by following the instructions in [Create an App Service Environment][MakeASE].

-To create an app in an ASE:

-1. Enter a name for a new resource group, or select **Use existing** and select one from the drop-down list.

-1. Enter a name for the app. If you already selected an App Service plan in an ASE, the domain name for the app reflects the domain name of the ASE

-1. Select your Publish type, Stack, and Operating System.

-1. Select region. Here you need to select a pre-existing App Service Environment v3. You can't make an ASEv3 during app creation:

-![create an app in an ASE][1]

-1. Select an existing App Service plan in your ASE, or create a new one. If creating a new app, select the size that you want for your App Service plan. The only SKU you can select for your app is an Isolated v2 pricing SKU. Making a new App Service plan will normally take less than 20 minutes.

-![Isolated v2 pricing tiers][2]

-1. Select **Next: Monitoring** If you want to enable App Insights with your app, you can do it here during the creation flow.

-1. Select **Next: Tags** Add any tags you want to the app

-1. Select **Review + create**, make sure the information is correct, and then select **Create**.

-Windows and Linux apps can be in the same ASE but cannot be in the same App Service plan.

-When you scale an App Service plan, the needed infrastructure is added automatically. There's a time delay to scale operations while the infrastructure is being added. When you scale an App Service plan, and you have another scale operation of the same OS and size running, there might be a slight delay of a few minutes until the requested scale starts. A scale operation on one size and OS won't affect scaling of the other combinations of size and OS. For example, if you are scaling a Windows I2v2 App Service plan then, any other requests to scale Windows I2v2 might be slightly delayed, but a scale operation to a Windows I3v2 App Service plan will start immediately. Scaling will normally take less than 20 minutes.

-In the multitenant App Service, scaling is immediate because a pool of *shared* resources is readily available to support it. ASE is a single-tenant service, so there's no shared buffer, and resources are allocated based on need.

-## App access

-In an ASE with an internal VIP, the domain suffix used for app creation is *.&lt;asename&gt;.appserviceenvironment.net*. If your ASE is named _my-ase_ and you host an app called _contoso_ in that ASE, you reach it at these URLs:

-The apps that are hosted on an ASE that uses an internal VIP will only be accessible if you are in the same virtual network as the ASE or are connected somehow to that virtual network. Publishing is also restricted to being only possible if you are in the same virtual network or are connected somehow to that virtual network.

-In an ASE with an external VIP, the domain suffix used for app creation is *.&lt;asename&gt;.p.azurewebsites.net*. If your ASE is named _my-ase_ and you host an app called _contoso_ in that ASE, you reach it at these URLs:

-For information about how to create an ASE, see [Create an App Service Environment][MakeASE].

-The SCM URL is used to access the Kudu console or for publishing your app by using Web Deploy. For information on the Kudu console, see [Kudu console for Azure App Service][Kudu]. The Kudu console gives you a web UI for debugging, uploading files, editing files, and much more.

-If your ASE is made with an external VIP, your apps are automatically put into public DNS. If your ASE is made with an internal VIP, you may need to configure DNS for it. If you selected having Azure DNS private zones configured automatically during ASE creation then DNS is configured in your ASE VNet. If you selected Manually configuring DNS, you need to either use your own DNS server or configure Azure DNS private zones. To find the inbound address of your ASE, go to the **ASE portal > IP Addresses** UI.

-![IP addresses UI][6]

-If you want to use your own DNS server, you need to add the following records:

-1. create a zone for &lt;ASE name&gt;.appserviceenvironment.net

-1. create an A record in that zone that points * to the inbound IP address used by your ASE

-1. create an A record in that zone that points @ to the inbound IP address used by your ASE

-1. create a zone in &lt;ASE name&gt;.appserviceenvironment.net named scm

-1. create an A record in the scm zone that points * to the inbound address used by your ASE

-To configure DNS in Azure DNS Private zones:

-1. create an Azure DNS private zone named &lt;ASE name&gt;.appserviceenvironment.net

-1. create an A record in that zone that points * to the inbound IP address

-1. create an A record in that zone that points @ to the inbound IP address

-1. create an A record in that zone that points *.scm to the inbound IP address

-The DNS settings for your ASE default domain suffix don't restrict your apps to only being accessible by those names. You can set a custom domain name without any validation on your apps in an ASE. If you then want to create a zone named *contoso.net*, you could do so and point it to the inbound IP address. The custom domain name works for app requests but doesn't for the scm site. The scm site is only available at *&lt;appname&gt;.scm.&lt;asename&gt;.appserviceenvironment.net*.

-In an ASE, as with the multitenant App Service, you can publish by these methods:

-With an internal VIP ASE, the publishing endpoints are only available through the inbound address. If you don't have network access to the inbound address, you can't publish any apps on that ASE. Your IDEs must also have network access to the inbound address on the ASE to publish directly to it.

-Without additional changes, internet-based CI systems like GitHub and Azure DevOps don't work with an internal VIP ASE because the publishing endpoint isn't internet accessible. You can enable publishing to an internal VIP ASE from Azure DevOps by installing a self-hosted release agent in the virtual network that contains the ASE.

-An ASE has 1 TB of storage for all the apps in the ASE. An App Service plan in the Isolated pricing SKU has a limit of 250 GB. In an ASE, 250 GB of storage is added per App Service plan up to the 1 TB limit. You can have more App Service plans than just four, but there is no more storage added beyond the 1 TB limit.

-You can integrate your ASE with Azure Monitor to send logs about the ASE to Azure Storage, Azure Event Hubs, or Log Analytics. These items are logged today:

-|ASE subnet is almost out of space | The specified ASE is in a subnet that is almost out of space. There are {0} remaining addresses. Once these addresses are exhausted, the ASE will not be able to scale. |

-|ASE is approaching total instance limit | The specified ASE is approaching the total instance limit of the ASE. It currently contains {0} App Service Plan instances of a maximum 200 instances. |

-|ASE is suspended | The specified ASE is suspended. The ASE suspension may be due to an account shortfall or an invalid virtual network configuration. Resolve the root cause and resume the ASE to continue serving traffic. |

-|ASE upgrade has started | A platform upgrade to the specified ASE has begun. Expect delays in scaling operations. |

-|ASE upgrade has completed | A platform upgrade to the specified ASE has finished. |

-|App Service plan creation has started | An App Service plan ({0}) creation has started. Desired state: {1} I{2}v2 workers.

-|Scale operations have completed | An App Service plan ({0}) creation has finished. Current state: {1} I{2}v2 workers. |

-|Scale operations have failed | An App Service plan ({0}) creation has failed. This may be due to the ASE operating at peak number of instances, or run out of subnet addresses. |

-|Scale operations have started | An App Service plan ({0}) has begun scaling. Current state: {1} I(2)v2. Desired state: {3} I{4}v2 workers.|

-|Scale operations have completed | An App Service plan ({0}) has finished scaling. Current state: {1} I{2}v2 workers. |

-|Scale operations were interrupted | An App Service plan ({0}) was interrupted while scaling. Previous desired state: {1} I{2}v2 workers. New desired state: {3} I{4}v2 workers. |

-|Scale operations have failed | An App Service plan ({0}) has failed to scale. Current state: {1} I{2}v2 workers. |

-To enable logging on your ASE:

-1. In the portal, go to **Diagnostics settings**.

-![ASE diagnostic log settings][4]

-If you integrate with Log Analytics, you can see the logs by selecting **Logs** from the ASE portal and creating a query against **AppServiceEnvironmentPlatformLogs**. Logs are only emitted when your ASE has an event that will trigger it. If your ASE doesn't have such an event, there won't be any logs. To quickly see an example of logs in your Log Analytics workspace, perform a scale operation with an App Service plan in your ASE. You can then run a query against **AppServiceEnvironmentPlatformLogs** to see those logs.

-### Creating an alert

-To create an alert against your logs, follow the instructions in [Create, view, and manage log alerts using Azure Monitor](../../azure-monitor/alerts/alerts-log.md). In brief:

-* Open the Alerts page in your ASE portal

-* Select **New alert rule**

-* Select your Resource to be your Log Analytics workspace

-* Set your condition with a custom log search to use a query like, "AppServiceEnvironmentPlatformLogs | where ResultDescription contains "has begun scaling" or whatever you want. Set the threshold as appropriate.

-* Add or create an action group as desired. The action group is where you define the response to the alert such as sending an email or an SMS message

-* Name your alert and save it.

-## Internal Encryption

-The App Service Environment operates as a black box system where you cannot see the internal components or the communication within the system. To enable higher throughput, encryption is not enabled by default between internal components. The system is secure as the traffic is inaccessible to being monitored or accessed. If you have a compliance requirement though that requires complete encryption of the data path from end to end encryption, you can enable this in the ASE **Configuration** UI.

-![Enable internal encryption][5]

-This will encrypt internal network traffic in your ASE between the front ends and workers, encrypt the pagefile and also encrypt the worker disks. After the InternalEncryption clusterSetting is enabled, there can be an impact to your system performance. When you make the change to enable InternalEncryption, your ASE will be in an unstable state until the change is fully propagated. Complete propagation of the change can take a few hours to complete, depending on how many instances you have in your ASE. We highly recommend that you do not enable this on an ASE while it is in use. If you need to enable this on an actively used ASE, we highly recommend that you divert traffic to a backup environment until the operation completes.

-If you have multiple ASEs, you might want some ASEs to be upgraded before others. This behavior can be enabled through your ASE portal. Under **Configuration** you have the option to set **Upgrade preference**. The three possible values are:

-Select the value desired and select **Save**. The default for any ASE is **None**.

-![ASE configuration portal][5]

-The **upgradePreferences** feature makes the most sense when you have multiple ASEs because your "Early" ASEs will be upgraded before your "Late" ASEs. When you have multiple ASEs, you should set your development and test ASEs to be "Early" and your production ASEs to be "Late".

-## Delete an ASE

-To delete an ASE:

-1. Select **Delete** at the top of the **App Service Environment** pane.

-1. Enter the name of your ASE to confirm that you want to delete it. When you delete an ASE, you also delete all the content within it.

-![ASE deletion][3]

-[logalerts]: ../../azure-monitor/alerts/alerts-log.md

-See more information at [Nodes and tables in Azure Database for PostgreSQL ΓÇô Hyperscale (Citus)](../../postgresql/concepts-hyperscale-nodes.md).

-See details at [Determining application type](../../postgresql/concepts-hyperscale-app-type.md).

-See details at [Choose distribution columns](../../postgresql/concepts-hyperscale-choose-distribution-column.md).

-See details at [Table colocation](../../postgresql/concepts-hyperscale-colocation.md).

- * [Nodes and tables](../../postgresql/concepts-hyperscale-nodes.md)

- * [Determine application type](../../postgresql/concepts-hyperscale-app-type.md)

- * [Choose a distribution column](../../postgresql/concepts-hyperscale-choose-distribution-column.md)

- * [Table colocation](../../postgresql/concepts-hyperscale-colocation.md)

- * [Distribute and modify tables](../../postgresql/howto-hyperscale-modify-distributed-tables.md)

- * [Design a multi-tenant database](../../postgresql/tutorial-design-database-hyperscale-multi-tenant.md)*

- * [Design a real-time analytics dashboard](../../postgresql/tutorial-design-database-hyperscale-realtime.md)*

- * [Nodes and tables](../../postgresql/concepts-hyperscale-nodes.md)

- * [Determine application type](../../postgresql/concepts-hyperscale-app-type.md)

- * [Choose a distribution column](../../postgresql/concepts-hyperscale-choose-distribution-column.md)

- * [Table colocation](../../postgresql/concepts-hyperscale-colocation.md)

- * [Distribute and modify tables](../../postgresql/howto-hyperscale-modify-distributed-tables.md)

- * [Design a multi-tenant database](../../postgresql/tutorial-design-database-hyperscale-multi-tenant.md)*

- * [Design a real-time analytics dashboard](../../postgresql/tutorial-design-database-hyperscale-realtime.md)*

- * [Nodes and tables](../../postgresql/concepts-hyperscale-nodes.md)

- * [Determine application type](../../postgresql/concepts-hyperscale-app-type.md)

- * [Choose a distribution column](../../postgresql/concepts-hyperscale-choose-distribution-column.md)

- * [Table colocation](../../postgresql/concepts-hyperscale-colocation.md)

- * [Distribute and modify tables](../../postgresql/howto-hyperscale-modify-distributed-tables.md)

- * [Design a multi-tenant database](../../postgresql/tutorial-design-database-hyperscale-multi-tenant.md)*

- * [Design a real-time analytics dashboard](../../postgresql/tutorial-design-database-hyperscale-realtime.md)*

- * [Nodes and tables](../../postgresql/concepts-hyperscale-nodes.md)

- * [Determine application type](../../postgresql/concepts-hyperscale-app-type.md)

- * [Choose a distribution column](../../postgresql/concepts-hyperscale-choose-distribution-column.md)

- * [Table colocation](../../postgresql/concepts-hyperscale-colocation.md)

- * [Distribute and modify tables](../../postgresql/howto-hyperscale-modify-distributed-tables.md)

- * [Design a multi-tenant database](../../postgresql/tutorial-design-database-hyperscale-multi-tenant.md)*

- * [Design a real-time analytics dashboard](../../postgresql/tutorial-design-database-hyperscale-realtime.md)*

- * [Nodes and tables](../../postgresql/concepts-hyperscale-nodes.md)

- * [Determine application type](../../postgresql/concepts-hyperscale-app-type.md)

- * [Choose a distribution column](../../postgresql/concepts-hyperscale-choose-distribution-column.md)

- * [Table colocation](../../postgresql/concepts-hyperscale-colocation.md)

- * [Distribute and modify tables](../../postgresql/howto-hyperscale-modify-distributed-tables.md)

- * [Design a multi-tenant database](../../postgresql/tutorial-design-database-hyperscale-multi-tenant.md)*

- * [Design a real-time analytics dashboard](../../postgresql/tutorial-design-database-hyperscale-realtime.md)*

- * [Nodes and tables](../../postgresql/concepts-hyperscale-nodes.md)

- * [Determine application type](../../postgresql/concepts-hyperscale-app-type.md)

- * [Choose a distribution column](../../postgresql/concepts-hyperscale-choose-distribution-column.md)

- * [Table colocation](../../postgresql/concepts-hyperscale-colocation.md)

- * [Distribute and modify tables](../../postgresql/howto-hyperscale-modify-distributed-tables.md)

- * [Design a multi-tenant database](../../postgresql/tutorial-design-database-hyperscale-multi-tenant.md)*

- * [Design a real-time analytics dashboard](../../postgresql/tutorial-design-database-hyperscale-realtime.md)*

- * [Nodes and tables](../../postgresql/concepts-hyperscale-nodes.md)

- * [Determine application type](../../postgresql/concepts-hyperscale-app-type.md)

- * [Choose a distribution column](../../postgresql/concepts-hyperscale-choose-distribution-column.md)

- * [Table colocation](../../postgresql/concepts-hyperscale-colocation.md)

- * [Distribute and modify tables](../../postgresql/howto-hyperscale-modify-distributed-tables.md)

- * [Design a multi-tenant database](../../postgresql/tutorial-design-database-hyperscale-multi-tenant.md)*

- * [Design a real-time analytics dashboard](../../postgresql/tutorial-design-database-hyperscale-realtime.md)*

-## June 2021

-Version 1.7

-## May 2021

-Version 1.6

-## April 2021

-Version 1.5

-## March 2021

-Version 1.4

-## December 2020

-Version: 1.3

-## November 2020

-Version: 1.2

-## October 2020

-Version: 1.1

-## September 2020

-Version: 1.0 (General Availability)

-## August 2020

-Version: 0.11

-### Known issues

-If you are using an older version of the Linux agent and it's configured to use a proxy server, you need to reconfigure the proxy server setting after the upgrade. To do this, run `sudo azcmagent_proxy add http://proxyserver.local:83`.

-## November 2021

-Version 1.13

-## October 2021

-Version 1.12

-## September 2021

-Version 1.11

-## August 2021

-Version 1.10

-## July 2021

-Version 1.9

-## New features

-Added support for the Indonesian language

-### Fixed

-Fixed a bug that prevented extension management in the West US 3 region

-Version 1.8

-### New features

- - Added support for PowerShell-based Guest Configuration policies on Linux operating systems

- - Added support for multiple assignments of the same Guest Configuration policy on the same server

- - Upgraded PowerShell Core to version 7.1 on Windows operating systems

-### Fixed

- 

- 

- 

-Azure Cache for Redis' Enterprise tiers provide fully integrated and managed [Redis Enterprise](https://redislabs.com/redis-enterprise/) on Azure. These new tiers are:

-1. Select **Next: Advanced** and set **Clustering policy** to **Enterprise** for a non-clustered cache. Enable **Non-TLS access only** if you plan to connect to the new cache without using TLS. Disabling TLS is **not** recommended, however.

- > Redis Enterprise supports two clustering policies. Use the **Enterprise** policy to access

- > your cache using the regular Redis API, and **OSS** the OSS Cluster API.

-The following code is an example of a .NET orchestrator function. The function makes authenticated calls to restart a virtual machine by using the Azure Resource Manager [virtual machines REST API](/rest/api/compute/virtualmachines).

-Power Automate empowers any office worker to perform simple integrations (for example, an approval process on a SharePoint Document Library) without going through developers or IT. Logic Apps can also enable advanced integrations (for example, B2B processes) where enterprise-level Azure DevOps and security practices are required. It's typical for a business workflow to grow in complexity over time. Accordingly, you can start with a flow at first, and then convert it to a logic app as needed.

-| **Design tool** |In-browser and mobile app, UI only |In-browser and [Visual Studio](../logic-apps/logic-apps-azure-resource-manager-templates-overview.md), [Code view](../logic-apps/logic-apps-author-definitions.md) available |

-| **Connectivity** | [About a dozen built-in binding types](functions-triggers-bindings.md#supported-bindings), write code for custom bindings | [Large collection of connectors](../connectors/apis-list.md), [Enterprise Integration Pack for B2B scenarios](../logic-apps/logic-apps-enterprise-integration-overview.md), [build custom connectors](../logic-apps/custom-connector-overview.md) |

-| **Actions** | Each activity is an Azure function; write code for activity functions |[Large collection of ready-made actions](../logic-apps/logic-apps-workflow-actions-triggers.md)|

-| **Monitoring** | [Azure Application Insights](../azure-monitor/app/app-insights-overview.md) | [Azure portal](../logic-apps/quickstart-create-first-logic-app-workflow.md), [Azure Monitor logs](../logic-apps/monitor-logic-apps.md)|

-For full control over the IP addresses, both inbound and outbound, we recommend [App Service Environments](../app-service/environment/intro.md) (the [Isolated tier](https://azure.microsoft.com/pricing/details/app-service/) of App Service plans). For more information, see [App Service Environment IP addresses](../app-service/environment/network-info.md#ase-ip-addresses) and [How to control inbound traffic to an App Service Environment](../app-service/environment/app-service-app-service-environment-control-inbound-traffic.md).

-Azure Maps supports two ways to authenticate requests: Shared Key authentication and [Azure Active Directory (Azure AD)](../active-directory/fundamentals/active-directory-whatis.md) authentication. This article explains both authentication methods to help guide your implementation of Azure Maps services.

- Primary and secondary keys are generated after the Azure Maps account is created. You're encouraged to use the primary key as the subscription key when calling Azure Maps with shared key authentication. Shared Key authentication passes a key generated by an Azure Maps account to an Azure Maps service. For each request to Azure Maps services, add the *subscription key* as a parameter to the URL. The secondary key can be used in scenarios like rolling key changes.

-Example using the *subscription key* as a parameter in your URL:

-```

-For information about viewing your keys in the Azure portal, see [Manage authentication](./how-to-manage-authentication.md#view-authentication-details).

-> [!NOTE]

-> Primary and Secondary keys should be treated as sensitive data. The shared key is used to authenticate all Azure Maps REST APIs. Users who use a shared key should abstract the API key away, either through environment variables or secure secret storage, where it can be managed centrally.

-* Azure AD users

-* Partner applications that use permissions delegated by users

-* Managed identities for Azure resources

-Azure Maps generates a *unique identifier (client ID)* for each Azure Maps account. You can request tokens from Azure AD when you combine this client ID with additional parameters.

-For general information about authenticating with Azure AD, see [What is authentication?](../active-directory/develop/authentication-vs-authorization.md).

-### Managed identities for Azure resources and Azure Maps

-[Managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md) provide Azure services with an automatically managed application based security principal that can authenticate with Azure AD. With Azure role-based access control (Azure RBAC), the managed identity security principal can be authorized to access Azure Maps services. Some examples of managed identities include: Azure App Service, Azure Functions, and Azure Virtual Machines. For a list of managed identities, see [managed identities for Azure resources](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md).

-### Configuring application Azure AD authentication

-> [!NOTE]

-Azure Maps supports access to all principal types for [Azure role-based access control (Azure RBAC)](../role-based-access-control/overview.md) including: individual Azure AD users, groups, applications, Azure resources, and Azure Managed identities. Principal types are granted a set of permissions, also known as a role definition. A role definition provides permissions to REST API actions. Applying access to one or more Azure Maps accounts is known as a scope. When applying a principal, role definition, and scope then a role assignment is created.

-| Azure Role Definition | Description |

-| :-- | :- |

-| Azure Maps Data Reader | Provides access to immutable Azure Maps REST APIs. |

-| Azure Maps Data Contributor | Provides access to mutable Azure Maps REST APIs. Mutability is defined by the actions: write and delete. |

-| Custom Role Definition | Create a crafted role to enable flexible restricted access to Azure Maps REST APIs. |

-| Azure Maps Service | Azure Maps Role Definition |

-| :-- | :-- |

-| Data | Azure Maps Data Contributor |

-| Creator | Azure Maps Data Contributor |

-| Spatial | Azure Maps Data Contributor |

-| Scenario | Custom Role Data Action(s) |

-| :-- | : |

-| A public facing or interactive sign-in web page with base map tiles and no other REST APIs. | `Microsoft.Maps/accounts/services/render/read` |

-| An application, which only requires reverse geocoding and no other REST APIs. | `Microsoft.Maps/accounts/services/search/read` |

-| A role for a security principal, which requests reading of Azure Maps Creator based map data and base map tile REST APIs. | `Microsoft.Maps/accounts/services/data/read`, `Microsoft.Maps/accounts/services/render/read` |

-### Understanding scope

-## Next steps

-To learn more about Azure RBAC, see

-> [!div class="nextstepaction"]

-> [Azure role-based access control](../role-based-access-control/overview.md)

-> [!div class="nextstepaction"]

-> [!div class="nextstepaction"]

-> [Use the Azure Maps Map Control](./how-to-use-map-control.md)

-If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

-When you create an Azure Maps account, keys and a client ID are generated. The keys and client ID are used to support Azure Active Directory (Azure AD) authentication and Shared Key authentication.

- > [!IMPORTANT]

- > We recommend that you use the primary key as the subscription key when you use [Shared Key authentication](./azure-maps-authentication.md#shared-key-authentication) to call Azure Maps. It's best to use the secondary key in scenarios like rolling key changes. For more information, see [Authentication with Azure Maps](./azure-maps-authentication.md).

-2. Navigate to the Azure portal menu. Select **All resources**, and then select your Azure Maps account.

- :::image type="content" border="true" source="./media/how-to-manage-authentication/select-all-resources.png" alt-text="Select Azure Maps account.":::

-3. Under **Settings** in the left pane, select **Authentication**.

- :::image type="content" border="true" source="./media/how-to-manage-authentication/view-authentication-keys.png" alt-text="Authentication details.":::

-> Even if you use shared key authentication, understanding categories and scenarios helps you to secure the application.

-This table outlines common authentication and authorization scenarios in Azure Maps. Use the links to learn detailed configuration information for each scenario.

-| Scenario | Authentication | Authorization | Development effort | Operational effort |

-| - | -- | - | | |

-| [Trusted daemon / non-interactive client application](./how-to-secure-daemon-app.md) | Shared Key | N/A | Medium | High |

-| [Trusted daemon / non-interactive client application](./how-to-secure-daemon-app.md) | Azure AD | High | Low | Medium |

-| [Web single page application with interactive single-sign-on](./how-to-secure-spa-users.md) | Azure AD | High | Medium | Medium |

-| [Web single page application with non-interactive sign-on](./how-to-secure-spa-app.md) | Azure AD | High | Medium | Medium |

-| [Web application with interactive single-sign-on](./how-to-secure-webapp-users.md) | Azure AD | High | High | Medium |

-| [IoT device / input constrained device](./how-to-secure-device-code.md) | Azure AD | High | Medium | Medium |

-For more information about requesting access tokens from Azure AD for users and service principals, see [Authentication scenarios for Azure AD](../active-directory/develop/authentication-vs-authorization.md). To view specific scenarios, see [the table of scenarios](./how-to-manage-authentication.md#choose-an-authentication-and-authorization-scenario).

-This tutorial guides you through the process of creating a simple store locator using Azure Maps. In this tutorial, you'll learn how to:

-1. [Make an Azure Maps account in Gen 1 (S1) or Gen 2 pricing tier](quick-demo-map-app.md#create-an-azure-maps-account).

-2. [Obtain a primary subscription key](quick-demo-map-app.md#get-the-primary-key-for-your-account), also known as the primary key or the subscription key.

-For more information about Azure Maps authentication, see [manage authentication in Azure Maps](how-to-manage-authentication.md).

-This tutorial uses the [Visual Studio Code](https://code.visualstudio.com/) application, but you can use a different coding environment.

-In this tutorial, we'll create a store locator for a fictional company called Contoso Coffee. Also, the tutorial includes some tips to help you learn about extending the store locator with other optional functionalities.

-You can view the [Live store locator sample here](https://azuremapscodesamples.azurewebsites.net/?sample=Simple%20Store%20Locator).

-* [Full source code for simple store locator sample](https://github.com/Azure-Samples/AzureMapsCodeSamples/tree/master/AzureMapsCodeSamples/Tutorials/Simple%20Store%20Locator)

-* [Store location data to import into the store locator dataset](https://github.com/Azure-Samples/AzureMapsCodeSamples/tree/master/AzureMapsCodeSamples/Tutorials/Simple%20Store%20Locator/data)

-* [Map images](https://github.com/Azure-Samples/AzureMapsCodeSamples/tree/master/AzureMapsCodeSamples/Tutorials/Simple%20Store%20Locator/images)

-This section lists the features that are supported in the Contoso Coffee store locator application.

-* Store logo on the header

-* Map supports panning and zooming

-* A My Location button to search over the user's current location.

-* Page layout adjusts based on the width of the device screen

-* When the map moves, the distance to each location from the center of the map calculates. The results list updates to display the closest locations at the top of the map.

-The following figure shows a wireframe of the general layout of our store locator. You can view the live wireframe [here](https://azuremapscodesamples.azurewebsites.net/?sample=Simple%20Store%20Locator).

-To maximize the usefulness of this store locator, we include a responsive layout that adjusts when a user's screen width is smaller than 700 pixels wide. A responsive layout makes it easy to use the store locator on a small screen, like on a mobile device. Here's a wireframe of the small-screen layout:

-To view the full dataset, [download the Excel workbook here](https://github.com/Azure-Samples/AzureMapsCodeSamples/tree/master/AzureMapsCodeSamples/Tutorials/Simple%20Store%20Locator/data).

-Looking at the screenshot of the data, we can make the following observations:

-* Location information is stored by using the **AddressLine**, **City**, **Municipality** (county), **AdminDivision** (state/province), **PostCode** (postal code), and **Country** columns.

-* The **Latitude** and **Longitude** columns contain the coordinates for each Contoso Coffee location. If you don't have coordinates information, you can use the Search services in Azure Maps to determine the location coordinates.

-> Azure Maps renders data in the spherical Mercator projection "EPSG:3857" but reads data in "EPSG:4326" that use the WGS84 datum.

-## Load the store location dataset

- >[!TIP]

->If your dataset is too large for client download, or is updated frequently, you might consider storing your dataset in a database. After your data is loaded into a database, you can then set up a web service that accepts queries for the data, and then sends the results to the user's browser.

-To convert the Contoso Coffee shop location data from an Excel workbook into a flat text file:

-1. [Download the Excel workbook](https://github.com/Azure-Samples/AzureMapsCodeSamples/tree/master/AzureMapsCodeSamples/Tutorials/Simple%20Store%20Locator/data).

-2. Save the workbook to your hard drive.

-3. Load the Excel app.

-4. Open the downloaded workbook.

-5. Select **Save As**.

-6. In the **Save as type** drop-down list, select **Text (Tab delimited)(*.txt)**.

-7. Name the file *ContosoCoffee*.

-1. Open the Visual Studio Code app.

-2. Select **File**, and then select **Open Workspace...**.

-3. Create a new folder and name it "ContosoCoffee".

-4. Select **CONTOSOCOFFEE** in the explorer.

-7. Add *ContosoCoffee.txt* to the *data* folder.

-9. If you haven't already, [download these 10 images](https://github.com/Azure-Samples/AzureMapsCodeSamples/tree/master/AzureMapsCodeSamples/Tutorials/Simple%20Store%20Locator/images).

-10. Add the downloaded images to the *images* folder.

- :::image type="content" source="./media/tutorial-create-store-locator/store-locator-workspace.png" alt-text="Screenshot of the Simple Store Locator workspace folder.":::

-3. Add a reference to the Azure Maps Services module. The module is a JavaScript library that wraps the Azure Maps REST services and makes them easy to use in JavaScript. The module is useful for powering search functionality.

-## Define the CSS Styles

-Run the application. You'll see the header, search box, and search button. However, the map isn't visible because it hasn't been loaded yet. If you try to do a search, nothing happens. We need to set up the JavaScript logic, which is described in the next section. This logic accesses all the functionality of the store locator.

-2. When the user selects the search button, or types a location in the search box then presses enter, a fuzzy search against the user's query is started. The code passes in an array of country/region ISO 2 values to the `countrySet` option to limit the search results to those countries/regions. Limiting the countries/regions to search helps increase the accuracy of the results that are returned.

-3. Once the search is finished, the first location result is used as the center focus of the map camera. When the user selects the My Location button, the code retrieves the user's location using the *HTML5 Geolocation API* that's built into the browser. After retrieving the location, the code centers the map over the user's location.

- //The URL to the icon image.

- //Use SubscriptionKeyCredential with a subscription key

- const subscriptionKeyCredential = new atlas.service.SubscriptionKeyCredential(atlas.getSubscriptionKey());

- //Use subscriptionKeyCredential to create a pipeline

- const pipeline = atlas.service.MapsURL.newPipeline(subscriptionKeyCredential, {

- retryOptions: { maxTries: 4 } // Retry options

- });

- //If the user selects the My Location button, use the Geolocation API (Preview) to get the user's location. Center and zoom the map on that location.

- //Add your post-map load functionality.

- //Create an array of country/region ISO 2 values to limit searches to.

- var countrySet = ['US', 'CA', 'GB', 'FR','DE','IT','ES','NL','DK'];

- countrySet: countrySet

- //Convert the Geolocation API (Preview) position to a longitude and latitude position value that the map can interpret and center the map over it.

- //If an error occurs when the API tries to access the user's position information, display an error message.

-4. In the map's `ready` event listener, add a zoom control and an HTML marker to display the center of a search area.

-5. In the map's `ready` event listener, add a data source. Then, make a call to load and parse the dataset. Enable clustering on the data source. Clustering on the data source groups overlapping points together in a cluster. As the user zooms in, the clusters separate into individual points. This behavior provides a better user experience and improves performance.

- //Load all the store data now that the data source is defined.

-6. After the dataset loads in the map's `ready` event listener, define a set of layers to render the data. A bubble layer renders clustered data points. A symbol layer renders the number of points in each cluster above the bubble layer. A second symbol layer renders a custom icon for individual locations on the map.

- //Add an event to monitor when the map is finished rendering the map after it has moved.

-7. When the coffee shop dataset is loaded, it must first be downloaded. Then, the text file must be split into lines. The first line contains the header information. To make the code easier to follow, we parse the header into an object, which we can then use to look up the cell index of each property. After the first line, loop through the remaining lines and create a point feature. Add the point feature to the data source. Finally, update the list panel.

- //Check to see whether the user is zoomed out a substantial distance. If they are, tell the user to zoom in and to perform a search or select the My Location button.

-Now, you have a fully functional store locator. In a web browser, open the *https://docsupdatetracker.net/index.html* file for the store locator. When the clusters appear on the map, you can search for a location by using the search box, by selecting the My Location button, by selecting a cluster, or by zooming in on the map to see individual locations.

-In this tutorial, you learned how to create a basic store locator by using Azure Maps. The store locator you create in this tutorial might have all the functionality you need. You can add features to your store locator or use more advance features for a more custom user experience:

- * Enable [suggestions as you type](https://azuremapscodesamples.azurewebsites.net/?sample=Search%20Autosuggest%20and%20JQuery%20UI) in the search box.

- * Add [support for multiple languages](https://azuremapscodesamples.azurewebsites.net/?sample=Map%20Localization).

- * Allow the user to [filter locations along a route](https://azuremapscodesamples.azurewebsites.net/?sample=Filter%20Data%20Along%20Route).

- * Add the ability to [set filters](https://azuremapscodesamples.azurewebsites.net/?sample=Filter%20Symbols%20by%20Property).

- * Add support to specify an initial search value by using a query string. When you include this option in your store locator, users are then able to bookmark and share searches. It also provides an easy method for you to pass searches to this page from another page.

- * Deploy your store locator as an [Azure App Service Web App](../app-service/quickstart-html.md).

- * Store your data in a database and search for nearby locations. To learn more, see the [SQL Server spatial data types overview](/sql/relational-databases/spatial/spatial-data-types-overview?preserve-view=true&view=sql-server-2017) and [Query spatial data for the nearest neighbor](/sql/relational-databases/spatial/query-spatial-data-for-nearest-neighbor?preserve-view=true&view=sql-server-2017).

-You can [view full source code here](https://github.com/Azure-Samples/AzureMapsCodeSamples/tree/master/AzureMapsCodeSamples/Tutorials/Simple%20Store%20Locator). [View the live sample](https://azuremapscodesamples.azurewebsites.net/https://docsupdatetracker.net/index.html?sample=Simple%20Store%20Locator) and learn more about the coverage and capabilities of Azure Maps by using [Zoom levels and tile grid](zoom-levels-and-tile-grid.md). You can also [Use data-driven style expressions](data-driven-style-expressions-web-sdk.md) to apply to your business logic.

-## Clean up resources

-There are no resources that require cleanup.

- Azure Monitor's Log Analytics agent is retiring on 31 August 2024. The current agents will be supported for several years after deprecation begins.

-| [Microsoft Sentinel](../../sentinel/overview.md) | <ul><li>Windows Event Forwarding (WEF): Private preview</li><li>Windows Security Events: [Public preview](../../sentinel/connect-windows-security-events.md?tabs=AMA)</li></ul> | <ul><li>[Sign-up link](https://aka.ms/AMAgent) </li><li>No sign-up needed</li></ul> |

-1. `resourceProvider`: For more information, see [Azure resource providers and types](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-resource-manager%2Fmanagement%2Fresource-providers-and-types&data=02%7C01%7CNoga.Lavi%40microsoft.com%7C90b7c2308c0647c0347908d7c9a2918d%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637199572373543634&sdata=4RjpTkO5jsdOgPdt%2F%2FDOlYjIFE2%2B%2BuoHq5%2F7lHpCwQw%3D&reserved=0). For a list that maps resource providers to Azure services, see [Resource providers for Azure services](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-resource-manager%2Fmanagement%2Fazure-services-resource-providers&data=02%7C01%7CNoga.Lavi%40microsoft.com%7C90b7c2308c0647c0347908d7c9a2918d%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637199572373553639&sdata=0ZgJPK7BYuJsRifBKFytqphMOxMrkfkEwDqgVH1g8lw%3D&reserved=0).

-|Microsoft.Aadiam/azureADMetrics | Yes | No | [Azure AD](../essentials/metrics-supported.md#microsoftaadiamazureadmetrics) |

-## microsoft.aadiam/azureADMetrics

-|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|

-||||||||

-|ThrottledRequests|No|ThrottledRequests|Count|Average|azureADMetrics type metric|No Dimensions|

-|AmlComputeClusterNodeEvent|AmlComputeClusterNodeEvent|No|

-* [Analyze logs from Azure storage with Log Analytics](./resource-logs.md#send-to-log-analytics-workspace)

-| IBM QRadar | No | The Microsoft Azure DSM and Microsoft Azure Event Hub Protocol are available for download from [the IBM support website](https://www.ibm.com/support). You can learn more about the integration with Azure at [QRadar DSM configuration](https://www.ibm.com/docs/en/dsm?topic=options-configuring-microsoft-azure-event-hubs-communicate-qradar). |

-### Create or update data export rule

-A data export rule defines the tables for which data is exported and destination. You can have 10 enabled rules in your workspace, more rules can be added in 'disable' state. Storage account must be unique across all export rules in workspace, but you can use the same event hub namespace in multiple rules.

-> [!NOTE]

-> - If export rule includes unsupported tables, no data will be exported for that tables until the tables becomes supported.

-> - A separate container is created for tables in storage account export.

-> - If event hub name isn't provided in rule, a separate event hub is created for tables in event hub namespace. The [number of supported event hubs in 'Basic' and 'Standard' namespaces tiers is 10](../../event-hubs/event-hubs-quotas.md#common-limits-for-all-tiers). When exporting more than 10 tables to these tiers, either split the tables between several export rules to different event hub namespaces, or provide an event hub name in the rule to export all tables to that event hub.

-#### Monitoring storage account

-1. Configure alert on the metric below:

-1. Alert remediation actions

-#### Monitoring event hub

-1. Alert remediation actions

-$storageAccountResourceId = 'subscriptions/subscription-id/resourceGroups/resource-group-name/providers/Microsoft.Storage/storageAccounts/storage-account-name'

-New-AzOperationalInsightsDataExport -ResourceGroupName resourceGroupName -WorkspaceName workspaceName -DataExportName 'ruleName' -TableName 'SecurityEvent, Heartbeat' -ResourceId $storageAccountResourceId

-$eventHubResourceId = 'subscriptions/subscription-id/resourceGroups/resource-group-name/providers/Microsoft.EventHub/namespaces/namespaces-name/eventhubs/eventhub-name'

-New-AzOperationalInsightsDataExport -ResourceGroupName resourceGroupName -WorkspaceName workspaceName -DataExportName 'ruleName' -TableName 'SecurityEvent, Heartbeat' -ResourceId $eventHubResourceId -EventHubName EventhubName

-$eventHubResourceId = 'subscriptions/subscription-id/resourceGroups/resource-group-name/providers/Microsoft.EventHub/namespaces/namespaces-name'

-New-AzOperationalInsightsDataExport -ResourceGroupName resourceGroupName -WorkspaceName workspaceName -DataExportName 'ruleName' -TableName 'SecurityEvent, Heartbeat' -ResourceId $eventHubResourceId

-Update-AzOperationalInsightsDataExport -ResourceGroupName resourceGroupName -WorkspaceName workspaceName -DataExportName 'ruleName' -TableName 'SecurityEvent, Heartbeat' -Enable: $false

- | [Azure Active Directory](../active-directory/index.yml) | Microsoft.Aadiam/azureADMetrics | [**Yes**](./essentials/metrics-supported.md#microsoftaadiamazureadmetrics) | No | [Azure Monitor Workbooks for Azure Active Directory](../active-directory/reports-monitoring/howto-use-azure-monitor-workbooks.md) | |

- * For a daily snapshot configuration, specify the time of the day when you want the snapshot created.

- * For a weekly snapshot configuration, specify the day of the week and time of the day when you want the snapshot created.

- * For a monthly snapshot configuration, specify the day of the month and time of the day when you want the snapshot created.

- For example, if you want to have daily backups, you must configure a snapshot policy with a daily snapshot schedule and snapshot count, and then apply that daily snapshot policy to the volume. If you change the snapshot policy or delete the daily snapshot configuration, new daily snapshots will not be created, resulting in daily backups not taking place. The same process and behavior apply to weekly, and monthly backups.

-* [Learn more about snapshots](snapshots-introduction.md)

-Bicep provides concise syntax, reliable type safety, and support for code reuse. We believe Bicep offers the best authoring experience for your infrastructure-as-code solutions in Azure.

-| Microsoft.Network | [Application Gateway](../../application-gateway/index.yml)<br />[Azure Bastion](../../bastion/index.yml)<br />[Azure DDoS Protection](../../ddos-protection/ddos-protection-overview.md)<br />[Azure DNS](../../dns/index.yml)<br />[Azure ExpressRoute](../../expressroute/index.yml)<br />[Azure Firewall](../../firewall/index.yml)<br />[Azure Front Door Service](../../frontdoor/index.yml)<br />[Azure Private Link](../../private-link/index.yml)<br />[Load Balancer](../../load-balancer/index.yml)<br />[Network Watcher](../../network-watcher/index.yml)<br />[Traffic Manager](../../traffic-manager/index.yml)<br />[Virtual Network](../../virtual-network/index.yml)<br />[Virtual WAN](../../virtual-wan/index.yml)<br />[VPN Gateway](../../vpn-gateway/index.yml)<br /> |

-> [!div class="nextstepaction"]

-> [Survey to improve Azure SQL!](https://aka.ms/AzureSQLSurveyNov2021)

-> [!div class="nextstepaction"]

-> [Survey to improve Azure SQL!](https://aka.ms/AzureSQLSurveyNov2021)

-> Auto-failover groups are not currently supported in the [Hyperscale](service-tier-hyperscale.md) service tier. For geographic failover of a Hyperscale database, use [active geo-replication](active-geo-replication-overview.md).

-> [!div class="nextstepaction"]

-> [Survey to improve Azure SQL!](https://aka.ms/AzureSQLSurveyNov2021)

-> [!div class="nextstepaction"]

-> [Survey to improve Azure SQL!](https://aka.ms/AzureSQLSurveyNov2021)

-> [!div class="nextstepaction"]

-> [Survey to improve Azure SQL!](https://aka.ms/AzureSQLSurveyNov2021)

-> [!div class="nextstepaction"]

-> [Survey to improve Azure SQL!](https://aka.ms/AzureSQLSurveyNov2021)

-> [!div class="nextstepaction"]

-> [Survey to improve Azure SQL!](https://aka.ms/AzureSQLSurveyNov2021)

-> [!div class="nextstepaction"]

-> [Survey to improve Azure SQL!](https://aka.ms/AzureSQLSurveyNov2021)

-> [!div class="nextstepaction"]

-> [Survey to improve Azure SQL!](https://aka.ms/AzureSQLSurveyNov2021)

-> [!div class="nextstepaction"]

-> [Survey to improve Azure SQL!](https://aka.ms/AzureSQLSurveyNov2021)

-> [!div class="nextstepaction"]

-> [Survey to improve Azure SQL!](https://aka.ms/AzureSQLSurveyNov2021)

-> [!div class="nextstepaction"]

-> [Survey to improve Azure SQL!](https://aka.ms/AzureSQLSurveyNov2021)

-> [!div class="nextstepaction"]

-> [Survey to improve Azure SQL!](https://aka.ms/AzureSQLSurveyNov2021)

-> [!div class="nextstepaction"]

-> [Survey to improve Azure SQL!](https://aka.ms/AzureSQLSurveyNov2021)

-| Geo-replication | [Geo-replication](active-geo-replication-overview.md) on Hyperscale is now in public preview. |

-> [!div class="nextstepaction"]

-> [Survey to improve Azure SQL!](https://aka.ms/AzureSQLSurveyNov2021)

-> [!div class="nextstepaction"]

-> [Survey to improve Azure SQL!](https://aka.ms/AzureSQLSurveyNov2021)

-> [!div class="nextstepaction"]

-> [Survey to improve Azure SQL!](https://aka.ms/AzureSQLSurveyNov2021)

-> [!div class="nextstepaction"]

-> [Survey to improve Azure SQL!](https://aka.ms/AzureSQLSurveyNov2021)

-> [!div class="nextstepaction"]

-> [Survey to improve Azure SQL!](https://aka.ms/AzureSQLSurveyNov2021)

-> [!div class="nextstepaction"]

-> [Survey to improve Azure SQL!](https://aka.ms/AzureSQLSurveyNov2021)

-| **Hosting SSRS catalog databases** | SQL Managed Instance can now host catalog databases for all supported versions of SQL Server Reporting Services (SSRS). |

-> [!div class="nextstepaction"]

-> [Survey to improve Azure SQL!](https://aka.ms/AzureSQLSurveyNov2021)

- dotnet user-secrets init

- dotnet user-secrets set Azure:WebPubSub:ConnectionString "<connection-string>"

- builder.AddWebPubSubServiceClient(Configuration["Azure:WebPubSub:ConnectionString"], "chat");

- var serviceClient = context.RequestServices.GetRequiredService<WebPubSubServiceClient>();

- var serviceClient = context.RequestServices.GetRequiredService<WebPubSubServiceClient>();

-**Zone-redundant storage (ZRS)** | Supported in preview in UK South, South East Asia, Australia East, North Europe, Central US, East US 2, Brazil South, South Central US, Korea Central, Norway East, France Central, West Europe, East Asia, Sweden Central, Canada Central and Japan East.

-**Supported operating systems** | Windows Server 2019, Windows Server 2016, Windows Server 2012, Windows Server 2008 R2 SP1 <br/><br/> Linux isn't currently supported.

-* The latest version of the CLI commands (version 2.30 or later) is installed. For information about installing the CLI commands, see [Install the Azure CLI](/cli/azure/install-azure-cli) and [Get Started with Azure CLI](/cli/azure/get-started-with-azure-cli).

-This quickstart article shows you how to configure Azure Bastion based on your VM settings in the Azure portal, and then connect to a VM via private IP address. Once the service is provisioned, the RDP/SSH experience is available to all of the virtual machines in the same virtual network. The VM doesn't need a public IP address, client software, agent, or a special configuration. If you don't need the public IP address on your VM for anything else, you can remove it. You then connect to your VM through the portal using the private IP address. For more information about Azure Bastion, see [What is Azure Bastion?](bastion-overview.md)

- "duration": "PT10M",

- "duration": "PT10M",

- "duration": "PT10M",

- "duration": "PT10M",

- "duration": "PT10M",

- "duration": "PT10M",

- "duration": "PT10M",

- "duration": "PT10M",

-This guide assumes you have already <a href="https://portal.azure.com/#create/Microsoft.CognitiveServicesComputerVision" title="created a Computer Vision resource" target="_blank">create a Computer Vision resource </a> and obtained a subscription key and endpoint URL. If you haven't, follow a [quickstart](../quickstarts-sdk/image-analysis-client-library.md) to get started.

-||`Brands` | detects various brands within an image, including the approximate location. The Brands argument is only available in English.|

-||`Categories` | categorizes image content according to a taxonomy defined in documentation. This is the default value of `visualFeatures`.|

-||`Color` | determines the accent color, dominant color, and whether an image is black&white.|

-||`Description` | describes the image content with a complete sentence in supported languages.|

-||`Faces` | detects if faces are present. If present, generate coordinates, gender and age.|

-||`ImageType` | detects if image is clip art or a line drawing.|

-||`Objects` | detects various objects within an image, including the approximate location. The Objects argument is only available in English.|

-||`Tags` | tags the image with a detailed list of words related to the image content.|

-||`Landmarks` |identifies landmarks if detected in the image.|

-||`es` | Spanish|

-||`ja` | Japanese|

-||`pt` | Portuguese|

-||`zh` | Simplified Chinese|

- * InvalidImageUrl - Image URL is badly formatted or not accessible.

- * InvalidImageFormat - Input data is not a valid image.

- * InvalidImageSize - Input image is too large.

- * NotSupportedVisualFeature - Specified feature type is not valid.

- * NotSupportedImage - Unsupported image, e.g. child pornography.

- * InvalidDetails - Unsupported `detail` parameter value.

- * NotSupportedLanguage - The requested operation is not supported in the language specified.

- * BadArgument - Additional details are provided in the error message.

- * For an image URL: Content-Type should be application/json

- * For a binary image data: Content-Type should be application/octet-stream or multipart/form-data

- * FailedToProcess

- * Timeout - Image processing timed out.

- * InternalServerError

-The Computer Vision service detects whether there are brand logos in a given image; if so, it returns the brand name, a confidence score, and the coordinates of a bounding box around the logo.

-The built-in logo database covers popular brands in consumer electronics, clothing, and more. If you find that the brand you're looking for is not detected by the Computer Vision service, you may be better served creating and training your own logo detector using the [Custom Vision](../custom-vision-service/index.yml) service.

-Computer Vision can analyze an image and generate a human-readable sentence that describes its contents. The algorithm actually returns several descriptions based on different visual features, and each description is given a confidence score. The final output is a list of descriptions ordered from highest to lowest confidence.

-Computer Vision can detect human faces within an image and generate the age, gender, and rectangle for each detected face.

-> This feature is also offered by the Azure [Face](../face/index.yml) service. See this alternative for more detailed face analysis, including face identification and pose detection.

-# Applying content tags to images

-Computer Vision returns tags based on thousands of recognizable objects, living beings, scenery, and actions. When tags are ambiguous or not common knowledge, the API response provides 'hints' to clarify the meaning of the tag in context of a known setting. Tags are not organized as a taxonomy and no inheritance hierarchies exist. A collection of content tags forms the foundation for an image 'description' displayed as human readable language formatted in complete sentences. Note, that at this point English is the only supported language for image description.

-After uploading an image or specifying an image URL, Computer Vision algorithms output tags based on the objects, living beings, and actions identified in the image. Tagging is not limited to the main subject, such as a person in the foreground, but also includes the setting (indoor or outdoor), furniture, tools, plants, animals, accessories, gadgets etc.

-# Tutorial: Run TensorFlow model in Python

-To use the tutorial, you need to do the following:

-The downloaded .zip file contains a _model.pb_ and a _labels.txt_ file. These files represent the trained model and the classification labels. The first step is to load the model into your project. Add the following code to a new Python script.

-There are a few steps you need to take to prepare the image for prediction. These steps mimic the image manipulation performed during training:

-Once the image is prepared as a tensor, we can send it through the model for a prediction:

-### Supported browsers for Custom Vision website

-From the settings tab of your Custom Vision project, you can select a domain for your project. Choose the domain that is closest to your scenario. If you're accessing Custom Vision through a client library or REST API, you'll need to specify a domain ID when creating the project. You can get a list of domain IDs with [Get Domains](https://westus2.dev.cognitive.microsoft.com/docs/services/Custom_Vision_Training_3.3/operations/5eb0bcc6548b571998fddeab), or use the table below.

- We support only CUDA 9.0 at this stage. For example, you can use the following base images for your Dockerfile:

- * [nvidia/cuda:9.0-base-ubuntu16.04](https://hub.docker.com/r/nvidia/cuda/)

- * [tensorflow/tensorflow: 1.12.0-gpu-py3](https://hub.docker.com/r/tensorflow/tensorflow)

-apiVersion: '2019-12-01'

- "apiVersion": "2019-12-01",

-description: This article discusses the different possible reasons for having a NoHostException and ways to handle it.

-# Troubleshooting NoHostAvailableException and NoNodeAvailableException

-The NoHostAvailableException is a top-level wrapper exception with many possible causes and inner exceptions, many of which can be client-related. This exception tends to occur if there are some issues with cluster, connection settings or one or more Cassandra nodes is unavailable. Here we explore possible reasons for this exception along with details specific to the client driver being used.

-## Driver Settings

-One of the most common causes of a NoHostAvailableException is because of the default driver settings. We advised the following [settings](#code-sample).

-## Exception Messages

-If exception still persists after the recommended settings, review the exception messages below. Follow the recommendation, if your error log contains any of these messages.

-This client-side error indicates that the maximum number of request connections for a host has been reached. If unable to remove, request from the queue, you might see this error. If the connection per host has been set to minimum of 10, this could be caused by high server-side latency.

-Java driver v3 exception:

-Instead of tuning the `max requests per connection`, we advise making sure the `connections per host` is set to a minimum of 10. See the [code sample section](#code-sample).

-OverloadException is thrown when the request rate is too large. Which may be because of insufficient throughput being provisioned for the table and the RU budget being exceeded. Learn more about [large request](../sql/troubleshoot-request-rate-too-large.md#request-rate-is-large) and [server-side retry](prevent-rate-limiting-errors.md)

-We recommend using either of the following options:

-When the client is set to connect to a different region other than the primary contact point region, you will get below exception during the initial a few seconds upon start-up.

-Exception message with a Java driver 3: `Exception in thread "main" com.datastax.driver.core.exceptions.NoHostAvailableException: All host(s) tried for query failed (no host was tried)at cassandra.driver.core@3.10.2/com.datastax.driver.core.exceptions.NoHostAvailableException.copy(NoHostAvailableException.java:83)`

-Exception message with a Java driver 4: `No node was available to execute the query`

-Exception message with a C# driver 3: `System.ArgumentException: Datacenter West US does not match any of the nodes, available datacenters: West US 2`

-We advise using the CosmosLoadBalancingPolicy in [Java driver 3](https://github.com/Azure/azure-cosmos-cassandra-extensions) and [Java driver 4](https://github.com/Azure/azure-cosmos-cassandra-extensions/tree/release/java-driver-4/1.0.1). This policy falls back to the ContactPoint of the primary write region where the specified local data is unavailable.

-> Please reach out to Azure Cosmos DB support with details around - exception message, exception stacktrace, datastax driver log, universal time of failure, consistent or intermittent failures, failing keyspace and table, request type that failed, SDK version if none of the above recommendations help resolve your issue.

-## Code Sample

-#### Java Driver 3 Settings

-#### Java Driver 4 Settings

-#### C# v3 Driver Settings

-* [Server-side diagnostics](error-codes-solution.md) to understand different error codes and their meaning.

-* [Diagnose and troubleshoot](../sql/troubleshoot-dot-net-sdk.md) issues when you use the Azure Cosmos DB .NET SDK.

-* [Diagnose and troubleshoot](../sql/troubleshoot-java-sdk-v4-sql.md) issues when you use the Azure Cosmos DB Java v4 SDK.

-* Learn about performance guidelines for [Java v4 SDK](../sql/performance-tips-java-sdk-v4-sql.md).

-## Node

-|Download SDK | [NPM](https://www.npmjs.com/package/@azure/cosmos)

-|SDK installation instructions | [Installation instructions](https://github.com/Azure/azure-sdk-for-js)

-|Contribute to SDK | [GitHub](https://github.com/Azure/azure-sdk-for-js/tree/main)

-| Current supported platform | [Node.js v12.x](https://nodejs.org/en/blog/release/v12.7.0/) - SDK Version 3.x.x<br/>[Node.js v10.x](https://nodejs.org/en/blog/release/v10.6.0/) - SDK Version 3.x.x<br/>[Node.js v8.x](https://nodejs.org/en/blog/release/v8.16.0/) - SDK Version 3.x.x<br/>[Node.js v6.x](https://nodejs.org/en/blog/release/v6.10.3/) - SDK Version 2.x.x<br/>[Node.js v4.2.0](https://nodejs.org/en/blog/release/v4.2.0/)- SDK Version 1.x.x<br/> [Node.js v0.12](https://nodejs.org/en/blog/release/v0.12.0/)- SDK Version 1.x.x<br/> [Node.js v0.10](https://nodejs.org/en/blog/release/v0.10.0/)- SDK Version 1.x.x

-Microsoft provides notification at least **12 months** in advance of retiring an SDK in order to smooth the transition to a newer/supported version. New features and functionality and optimizations are only added to the current SDK, as such it is recommended that you always upgrade to the latest SDK version as early as possible.

-| 3.4.2 | November 7, 2019 | |

-| 3.4.1 | November 5, 2019 | |

-| 3.4.0 | October 28, 2019 | |

-| 3.3.6 | October 14, 2019 | |

-| 3.3.5 | October 14, 2019 | |

-| 3.3.4 | October 14, 2019 | |

-| 3.3.3 | October 3, 2019 | |

-| 3.3.2 | October 3, 2019 | |

-| 3.3.1 | October 1, 2019 | |

-| 3.3.0 | September 24, 2019 | |

-| 3.2.0 | August 26, 2019 | |

-| 3.1.1 | August 7, 2019 | |

-| 3.1.0 |July 26, 2019 | |

-| 3.0.4 |July 22, 2019 | |

-| 3.0.3 |July 17, 2019 | |

-| 3.0.2 |July 9, 2019 | |

-| 3.0.0 |June 28, 2019 | |

-| 2.1.5 |March 20, 2019 | |

-| 2.1.4 |March 15, 2019 | |

-| 2.1.3 |March 8, 2019 | |

-| 2.1.2 |January 28, 2019 | |

-| 2.1.1 |December 5, 2018 | |

-| 2.1.0 |December 4, 2018 | |

-| 2.0.5 |November 7, 2018 | |

-| 2.0.4 |October 30, 2018 | |

-| 2.0.3 |October 30, 2018 | |

-| 2.0.2 |October 10, 2018 | |

-| 2.0.1 |September 25, 2018 | |

-| 2.0.0 |September 24, 2018 | |

-| 2.0.0-3 (RC) |August 2, 2018 | |

-| 1.14.4 |May 03, 2018 |August 30, 2020 |

-| 1.14.3 |May 03, 2018 |August 30, 2020 |

-| 1.14.2 |December 21, 2017 |August 30, 2020 |

-| 1.14.1 |November 10, 2017 |August 30, 2020 |

-| 1.14.0 |November 9, 2017 |August 30, 2020 |

-| 1.13.0 |October 11, 2017 |August 30, 2020 |

-| 1.12.2 |August 10, 2017 |August 30, 2020 |

-| 1.12.1 |August 10, 2017 |August 30, 2020 |

-| 1.12.0 |May 10, 2017 |August 30, 2020 |

-| 1.11.0 |March 16, 2017 |August 30, 2020 |

-| 1.10.2 |January 27, 2017 |August 30, 2020 |

-| 1.10.1 |December 22, 2016 |August 30, 2020 |

-| 1.10.0 |October 03, 2016 |August 30, 2020 |

-| 1.9.0 |July 07, 2016 |August 30, 2020 |

-| 1.8.0 |June 14, 2016 |August 30, 2020 |

-| 1.7.0 |April 26, 2016 |August 30, 2020 |

-| 1.6.0 |March 29, 2016 |August 30, 2020 |

-| 1.5.6 |March 08, 2016 |August 30, 2020 |

-| 1.5.5 |February 02, 2016 |August 30, 2020 |

-| 1.5.4 |February 01, 2016 |August 30, 2020 |

-| 1.5.2 |January 26, 2016 |August 30, 2020 |

-| 1.5.2 |January 22, 2016 |August 30, 2020 |

-| 1.5.1 |January 4, 2016 |August 30, 2020 |

-| 1.5.0 |December 31, 2015 |August 30, 2020 |

-| 1.4.0 |October 06, 2015 |August 30, 2020 |

-| 1.3.0 |October 06, 2015 |August 30, 2020 |

-| 1.2.2 |September 10, 2015 |August 30, 2020 |

-| 1.2.1 |August 15, 2015 |August 30, 2020 |

-| 1.2.0 |August 05, 2015 |August 30, 2020 |

-| 1.1.0 |July 09, 2015 |August 30, 2020 |

-| 1.0.3 |June 04, 2015 |August 30, 2020 |

-| 1.0.2 |May 23, 2015 |August 30, 2020 |

-| 1.0.1 |May 15, 2015 |August 30, 2020 |

-| 1.0.0 |April 08, 2015 |August 30, 2020 |

-To learn how to start sharing data, continue to the [share your data](share-your-data.md) tutorial.

-Learn more about how to [add recipients to an existing data share](how-to-add-recipients.md).

-Learn more about how to [revoke a share subscription](how-to-revoke-share-subscription.md).

-Learn more about [Azure Data Share terminology](terminology.md)

-Learn more about how to [monitor your data shares](how-to-monitor.md).

- 

-description: Describes Azure Stack Edge Pro R devices, a storage solution that uses a physical device for network-based transfer into Azure and the solution can deployed in harsh environments.

-|Double encryption | Use of self-encrypting drives provides the first layer of encryption. VPN provides the second layer of encryption. BitLocker support to locally encrypt data and secure data transfer to cloud over *https* . <br> For more information, see [Configure VPN on your Azure Stack Edge Pro R device](azure-stack-edge-mini-r-configure-vpn-powershell.md).|

-| Error category* | Description | Recommended action |

-| Container or share names | The container or share names do not follow the Azure naming rules. |Download the error lists. <br> Rename the containers or shares. [Learn more](#container-or-share-name-errors). |

-| Container or share size limit | The total data in containers or shares exceeds the Azure limit. |Download the error lists. <br> Reduce the overall data in the container or share. [Learn more](#container-or-share-size-limit-errors).|

-| Object or file size limit | The object or files in containers or shares exceeds the Azure limit.|Download the error lists. <br> Reduce the file size in the container or share. [Learn more](#object-or-file-size-limit-errors). |

-| Data or file type | The data format or the file type is not supported. |Download the error lists. <br> For page blobs or managed disks, ensure the data is 512-bytes aligned and copied to the pre-created folders. [Learn more](#data-or-file-type-errors). |

-| Folder or file internal errors | The file or folder have an internal error. |Download the error lists. <br> Remove the file and copy again. For a folder, modify it by renaming or adding or deleting a file. The error should go away in 30 minutes. [Learn more](#folder-or-file-internal-errors). |

-\* The first five error categories are critical errors and must be fixed before you can proceed to prepare to ship.

-These are errors related to container and share names.

-### ERROR_CONTAINER_OR_SHARE_NAME_LENGTH

-These are errors related to data exceeding the size of data allowed in a container or a share.

-These are errors related to data exceeding the maximum size of object or the file that is allowed in Azure.

-These are errors related to unsupported file type or data type found in the container or share.

- 

-| [Deprecating a preview alert: ARM.MCAS_ActivityFromAnonymousIPAddresses](#deprecating-a-preview-alert-armmcas_activityfromanonymousipaddresses) | December 2021 |

-| [Legacy implementation of ISO 27001 is being replaced with new ISO 27001:2013](#legacy-implementation-of-iso-27001-is-being-replaced-with-new-iso-270012013) | December 2021 |

-| [Multiple changes to identity recommendations](#multiple-changes-to-identity-recommendations) | December 2021 |

-**Estimated date for change:** December 2021

-**Estimated date for change:** November 2021

-**Estimated date for change:** December 2021

-

- - [A connected device](quickstart-standalone-agent-binary-installation.md).

- - [A micro agent module twin](quickstart-create-micro-agent-module-twin.md).

-To view and update the micro agent twin configuration:

-> If you donΓÇÖt take one of these actions, your Azure subscription will be disabled at the time specified in your email notification. If the subscription is disabled, you can reenable it as a pay-as-you-go subscription by following [these steps](/azure/cost-management-billing/manage/switch-azure-offer.md).

-* [Create an Azure Database for PostgreSQL server](../postgresql/quickstart-create-server-database-portal.md) or [Create an Azure Database for PostgreSQL - Hyperscale (Citus) server](../postgresql/quickstart-create-hyperscale-portal.md) as the target database server to migrate data into.

- For details on how to connect and create a database, see the article [Create an Azure Database for PostgreSQL server in the Azure portal](../postgresql/quickstart-create-server-database-portal.md) or [Create an Azure Database for PostgreSQL - Hyperscale (Citus) server in the Azure portal](../postgresql/quickstart-create-hyperscale-portal.md).

-* [Create an Azure Database for PostgreSQL server](../postgresql/quickstart-create-server-database-portal.md) or [Create an Azure Database for PostgreSQL - Hyperscale (Citus) server](../postgresql/quickstart-create-hyperscale-portal.md).

- For details on how to connect and create a database, see the article [Create an Azure Database for PostgreSQL server in the Azure portal](../postgresql/quickstart-create-server-database-portal.md) or [Create an Azure Database for PostgreSQL - Hyperscale (Citus) server in the Azure portal](../postgresql/quickstart-create-hyperscale-portal.md).

-* [Create an instance in Azure Database for PostgreSQL](../postgresql/quickstart-create-server-database-portal.md) or [Create an Azure Database for PostgreSQL - Hyperscale (Citus) server](../postgresql/quickstart-create-hyperscale-portal.md).

- For details on how to connect and create a database, see the article [Create an Azure Database for PostgreSQL server in the Azure portal](../postgresql/quickstart-create-server-database-portal.md) or [Create an Azure Database for PostgreSQL - Hyperscale (Citus) server in the Azure portal](../postgresql/quickstart-create-hyperscale-portal.md).

-* For information about Azure Database for PostgreSQL, see the article [What is Azure Database for PostgreSQL?](../postgresql/overview.md).

-* Create an instance of [Azure Database for PostgreSQL](../postgresql/quickstart-create-server-database-portal.md) or [Azure Database for PostgreSQL - Hyperscale (Citus)](../postgresql/quickstart-create-hyperscale-portal.md). Refer to this [section](../postgresql/quickstart-create-server-database-portal.md#connect-to-the-server-with-psql) of the document for detail on how to connect to the PostgreSQL Server using pgAdmin.

- * [Create an Azure Database for PostgreSQL - Hyperscale (Citus) server using the Azure portal](../postgresql/quickstart-create-hyperscale-portal.md)

-# Authentication and authorization with Azure Active Directory (Preview)

-To send events to a topic, domain, or partner namespace, you can build the client in the following way. The api version that first provided support for Azure AD authentication is ``2021-06-01-preview``. Use that API version or a more recent version in your application.

-```java

- DefaultAzureCredential credential = new DefaultAzureCredentialBuilder().build();

- EventGridPublisherClient cloudEventClient = new EventGridPublisherClientBuilder()

- .endpoint("<your-event-grid-topic-domain-or-partner-namespace-endpoint>?api-version=2021-06-01-preview")

- .credential(credential)

- .buildCloudEventPublisherClient();

-```

-If you're using a security principal associated with a client publishing application, you have to configure environmental variables as shown in the [Java SDK readme article](/java/api/overview/azure/identity-readme#environment-variables). The `DefaultCredentialBuilder` reads those environment variables to use the right identity. For more information, see [Java API overview](/java/api/overview/azure/identity-readme#defaultazurecredential).

-## Authenticate using Azure Active Directory (preview)

-> Azure AD authentication support by Azure Event Grid has been released as preview.

-| Diagnostic setting | Event Grid topics | Event Grid system topics | Event Grid domains |

-| - | | -- | -- |

-| [DeliveryFailures](diagnostic-logs.md#schema-for-publishdelivery-failure-logs) | Yes | Yes | Yes |

-| [PublishFailures](diagnostic-logs.md#schema-for-publishdelivery-failure-logs) | Yes | No | Yes |

-| [DataPlaneRequests](diagnostic-logs.md#schema-for-data-plane-requests) | Yes | No | Yes |

-The audit trace can be used to ensure that data access is allowed only for authorized purposes. It collects information about security control such as resource name, operation type, network access, level, region and more. For more information about how to enable the diagnostic setting, see [Diagnostic logs in Event Grid topics and Event Grid domains](enable-diagnostic-logs-topic.md#enable-diagnostic-logs-for-event-grid-topics-and-domains).

-This tutorial creates a logic app resource that runs in [*multi-tenant* Azure Logic Apps](../logic-apps/logic-apps-overview.md) and is based on the [Consumption pricing model](../logic-apps/logic-apps-pricing.md#consumption-pricing). Using this logic app resource, you create a workflow that monitors changes to a virtual machine, and sends emails about those changes. When you create a workflow that has an event subscription to an Azure resource, events flow from that resource through an event grid to the workflow. For more information about multi-tenant versus single-tenant Azure Logic Apps, review [Single-tenant versus multi-tenant and integration service environment](../logic-apps/single-tenant-overview-compare.md).

-1. From the main Azure menu, select **Create a resource** > **Integration** > **Logic App**.

-1. Under **Logic App**, provide information about your logic app resource. When you're done, select **Create**.

- | **Name** | Yes | <*logic-app-name*> | Provide a unique name for your logic app. |

- | **Resource group** | Yes | <*Azure-resource-group*> | The Azure resource group name for your logic app, which you can select for all the services in this tutorial. |

- | **Location** | Yes | <*Azure-region*> | Select the same region for all services in this tutorial. |

- |||

-1. After Azure deploys your logic app, the workflow designer shows a page with an introduction video and commonly used triggers. Scroll past the video and triggers.

-For a description of these properties, see [Azure Event Grid event schema](event-schema.md). When posting events to an event grid topic, the array can have a total size of up to 1 MB. The maximum allowed size for an event is also 1 MB. Events over 64 KB are charged in 64-KB increments.

- > [!WARNING]

- > If you select the **Selected networks** option and don't add at least one IP firewall rule or a virtual network on this page, the namespace can be accessed via **public internet** (using the access key).

- :::image type="content" source="./media/event-hubs-firewall/selected-networks.png" alt-text="Networks tab - selected networks option" lightbox="./media/event-hubs-firewall/selected-networks.png":::

- If you select the **All networks** option, the event hub accepts connections from any IP address (using the access key). This setting is equivalent to a rule that accepts the 0.0.0.0/0 IP address range.

- 

-1. To restrict access to specific IP addresses, confirm that the **Selected networks** option is selected. In the **Firewall** section, follow these steps:

- 1. Select **Add your client IP address** option to give your current client IP the access to the namespace.

- 2. For **address range**, enter a specific IPv4 address or a range of IPv4 address in CIDR notation.

- >[!WARNING]

- > If you select the **Selected networks** option and don't add at least one IP firewall rule or a virtual network on this page, the namespace can be accessed over public internet (using the access key).

-1. Specify whether you want to **allow trusted Microsoft services to bypass this firewall**. See [Trusted Microsoft services](#trusted-microsoft-services) for details.

- 

-The result is a private and isolated relationship between the workloads bound to the subnet and the respective Event Hubs namespace, in spite of the observable network address of the messaging service endpoint being in a public IP range. There's an exception to this behavior. Enabling a service endpoint, by default, enables the `denyall` rule in the [IP firewall](event-hubs-ip-filtering.md) associated with the virtual network. You can add specific IP addresses in the IP firewall to enable access to the Event Hub public endpoint.

- > [!WARNING]

- > If you select the **Selected networks** option and don't add at least one IP firewall rule or a virtual network on this page, the namespace can be accessed via **public internet** (using the access key).

- :::image type="content" source="./media/event-hubs-firewall/selected-networks.png" alt-text="Networks tab - selected networks option" lightbox="./media/event-hubs-firewall/selected-networks.png":::

- If you select the **All networks** option, the event hub accepts connections from any IP address (using the access key). This setting is equivalent to a rule that accepts the 0.0.0.0/0 IP address range.

- 

-1. To restrict access to specific networks, select the **Selected Networks** option at the top of the page if it isn't already selected.

-2. In the **Virtual Network** section of the page, select **+Add existing virtual network***. Select **+ Create new virtual network** if you want to create a new VNet.

- 

- >[!WARNING]

- > If you select the **Selected networks** option and don't add at least one IP firewall rule or a virtual network on this page, the namespace can be accessed over public internet (using the access key).

- 

- 

- 

-4. Select **Networking** under **Settings** on the left menu.

- :::image type="content" source="./media/private-link-service/selected-networks-page.png" alt-text="Networks tab - selected networks option" lightbox="./media/private-link-service/selected-networks-page.png":::

- > [!WARNING]

- > By default, the **Selected networks** option is selected. If you don't specify an IP firewall rule or add a virtual network, the namespace can be accessed via public internet (using the access key).

-1. Select the **Private endpoint connections** tab at the top of the page.

- :::image type="content" source="./media/private-link-service/private-link-service-3.png" alt-text="Networking page - Private endpoint connections tab - Add private endpoint link":::

-# get subnet object that you will use later

-1. If there are any connections that are pending, you will see a connection listed with **Pending** in the provisioning state.

-1. If there are any private endpoint connections you want to reject, whether it is a pending request or existing connection, select the connection and click the **Reject** button.

-3. You should see the status changed to **Disconnected**. Then, you will see the endpoint disappear from the list.

-| **[Nianet](https://nianet.dk/produkter/internet/microsoft-expressroute)** |Equinix | Amsterdam, Frankfurt |

-[Desired State Configuration (DSC)](/powershell/dsc/overview/overview)

-|Windows|[PowerShell Desired State Configuration](/powershell/dsc/overview/overview) v3| Side-loaded to a folder only used by Azure Policy. Won't conflict with Windows PowerShell DSC. PowerShell Core isn't added to system path.|

-|Linux|[PowerShell Desired State Configuration](/powershell/dsc/overview/overview) v3| Side-loaded to a folder only used by Azure Policy. PowerShell Core isn't added to system path.|

-In this quickstart, you use Azure RTOS to connect an NXP MIMXRT1050-EVKB Evaluation kit (hereafter, NXP EVK) to Azure IoT.

-You will complete the following tasks:

-* [Schedule and broadcast jobs](iot-hub-node-node-schedule-jobs.md)

- "rotateTimeAfterCreation": {

- "timeAfterCreate": "[parameters('rotateTimeAfterCreation')]",

-In this section, you'll create a load test by using an existing Apache JMeter test script.

-The sample application's source repo includes an Apache JMeter script named *SampleApp.jmx*. This script makes three API calls on each test iteration:

-In this section, you'll update the Apache JMeter script with the URL of the sample web app that you just deployed.

-1. [Download and install the latest SAP client library](#sap-client-library-prerequisites) on your local computer. You should have the following assembly files:

-* Copy the assembly files from the default installation folder to another location, based on your scenario as follows.

- * For a logic app workflow that runs in multi-tenant Azure and uses your on-premises data gateway, copy the assembly files to the data gateway installation folder.

- > make sure you copied the assembly files to the data gateway installation folder.

-> * If you use an on-premises data gateway, also copy these same binary files to the installation folder there.

-1. Add the downloaded file to your on-premises data gateway installation directory.

-+ [Azure Application Insights](https://azure.microsoft.com/services/application-insights/): Stores monitoring information about your models.

-# Connect to storage services on Azure

-Use one of the following methods to remove a private endpoint from a workspace:

-> [!IMPORTANT]

-> Public access is not enabled when you delete a private endpoint for a workspace. To enable public access, see the [Enable public access section](how-to-configure-private-link.md#enable-public-access).

-Use [Workspace.delete_private_endpoint_connection](/python/api/azureml-core/azureml.core.workspace(class)#delete-private-endpoint-connection-private-endpoint-connection-name-) to remove a private endpoint.

-From the Azure Machine Learning workspace in the portal, select __Private endpoint connections__, and then select the endpoint you want to remove. Finally, select __Remove__.

-## Enable public access

-In some situations, you may want to allow someone to connect to your secured workspace over a public endpoint, instead of through the VNet. After configuring a workspace with a private endpoint, you can optionally enable public access to the workspace. Doing so does not remove the private endpoint. All communications between components behind the VNet is still secured. It enables public access only to the workspace, in addition to the private access through the VNet.

-> [!WARNING]

-> When connecting over the public endpoint:

-> * __Some features of studio will fail to access your data__. This problem happens when the _data is stored on a service that is secured behind the VNet_. For example, an Azure Storage Account.

-> * Using Jupyter, JupyterLab, and RStudio on a compute instance, including running notebooks, __is not supported__.

-To enable public access to a private endpoint-enabled workspace, use the following steps:

-# [Python](#tab/python)

-Use [Workspace.delete_private_endpoint_connection](/python/api/azureml-core/azureml.core.workspace(class)#delete-private-endpoint-connection-private-endpoint-connection-name-) to remove a private endpoint.

-```python

-from azureml.core import Workspace

-ws = Workspace.from_config()

-ws.update(allow_public_access_when_behind_vnet=True)

-```

-# [Azure CLI](#tab/azure-cli)

-The Azure CLI [extension 1.0 for machine learning](reference-azure-machine-learning-cli.md) provides the [az ml workspace update](/cli/azure/ml/workspace#az_ml_workspace_update) command. To enable public access to the workspace, add the parameter `--allow-public-access true`.

-# [Portal](#tab/azure-portal)

-Currently there is no way to enable this functionality using the portal.

-Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Create a resource** in the upper left-hand corner of the portal.

-2. In the search box, enter **Contact profile**. Select **Contact profile** in the search results.

-3. In the **Contact profile** page, select **Create**.

-4. In **Create contact profile resource**, enter or select this information in the **Basics** tab:

- | Name | Enter contact profile name. Specify the antenna provider and mission information here. *i.e. Microsoft_Aqua_Uplink+Downlink_1* |

- | Minimum viable contact duration | Define the minimum duration of the contact as a prerequisite to show you available time slots to communicate with your spacecraft. If an available time window is less than this time, it won't show in the list of available options. Provide minimum contact duration in ISO 8601 format. *i.e. PT1M* |

- | Event Hubs Namespace | Select an Event Hubs Namespace to which you will send telemetry data of your contacts. Select a Subscription before you can select an Event Hubs Namespace. |

-5. Select the **Links** tab, or select the **Next: Links** button at the bottom of the page.

-6. In the **Links** page, select **Add new Link**

-7. In the **Add Link** page, enter, or select this information per link direction:

-8. Select the **Submit** button

-9. Select the **Review + create** tab or select the **Review + create** button

-10. Select the **Create** button

-Sign in to the [Azure portal](https://portal.azure.com).

-Azure Orbital is now on preview, to get access an Azure subscription must be onboarded. Without this onboarding process, the Azure Orbital resources won't be available in the Azure portal.

-Sign in to the [Azure portal](https://portal.azure.com).

-Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Create a resource** in the upper left-hand corner of the portal.

-2. In the search box, enter **Spacecrafts*. Select **Spacecrafts** in the search results.

-3. In the **Spacecrafts** page, select Create.

-4. In **Create spacecraft resource**, enter or select this information in the Basics tab:

-5. Select the **Links** tab, or select the **Next: Links** button at the bottom of the page.

-6. In the **Links** page, enter or select this information:

-7. Select the **Review + create** tab, or select the **Review + create** button.

-8. Select **Create**

-Sign in to the [Azure portal](https://portal.azure.com).

-Sign in to the [Azure portal](https://portal.azure.com).

-> Reserved capacity pricing is available for the Azure Database for PostgreSQL in [Single server](./overview.md#azure-database-for-postgresqlsingle-server), [Flexible Server](flexible-server/overview.md), and [Hyperscale Citus](./overview.md#azure-database-for-postgresql--hyperscale-citus) deployment options. For information about RI pricing on Hyperscale (Citus), see [this page](concepts-hyperscale-reserved-pricing.md).

-* [Azure Reservations in Partner Center Cloud Solution Provider (CSP) program](/partner-center/azure-reservations)

-For more details on restore method wiith Timescae enabled database see [Timescale documentation](https://docs.timescale.com/timescaledb/latest/how-to-guides/backup-and-restore/pg-dump-and-restore/#restore-your-entire-database-from-backup)

- More details on hese utilities can be found [here](https://github.com/timescale/timescaledb-backup).